Whirlpool Spins New Address Scheme

New DNS address management tools help appliance maker wash away previous security woes

3 Min Read
Dark Reading logo in a gray background | Dark Reading

A year ago, the most frequent cause of network problems at Whirlpool wasn't hackers or disgruntled insiders. It was fat-fingered local network administrators.

"The problems were almost purely accidental," recalls Greg Fisbeck, lead network engineer for the appliance giant, which operates a global network of some 80,000 endpoints, including the Maytag business acquired last year.

"Some administrator would put in an extraneous character, or put a space in the middle of a host name, and the next thing you know, they'd bring down a whole [address] zone. And here in the data center, nobody knew about it until people started calling in to say they couldn't get into Whirlpool.com."

The problem, Fisbeck explains, was the company's address management system. The old system required a good deal of manual configuration, and many of the local administrators weren't familiar with the conventions of IP addressing. Worse, the old system didn't allow Whirlpool to restrict administrator access -- once they were in the system, untrained admins could make changes that might unintentionally affect whole address zones.

Whirlpool had been considering the purchase of a new IP address management system for years, but the functionality of earlier systems was limited, and it was difficult to explain the value of a DNS/DHCP administration tool to top-level managers who weren't familiar with addressing technology, Fisbeck recalls.

Then, in 2006, the stars began to align. Whirlpool acquired Maytag -- and all its IP addresses -- which made it easier to create a business case for an overarching management system. And Bluecat Networks was nearing completion of its Proteus 2.0 IP Address Management (IPAM) and Adonis 5.0 DNS/DHCP appliance lines, which answered many of Whirlpool's concerns about earlier address management systems.

With Proteus and Adonis, Whirlpool can now restrict administrators' access to addressing functions, so that they can make changes only to their own domains. Instead of several different systems, administrators make changes only in one central system, which reduces the likelihood of a mistake that takes down a whole zone of addresses. And the new systems offer templates for IP addressing, reducing the chances that an administrator will use the wrong format.

"With Proteus and Adonis, we've really reduced the chances of an administrator creating problems by accident," Fisbeck says.

The new appliances may also help Whirlpool avoid problems created by targeted attacks, Fisbeck says. For example, the Bluecat technology can manage heavy address requests created by a denial-of-service attack, and it can help Whirlpool's security team identify and quarantine bogus requests.

Fisbeck wouldn't say how much Whirlpool spent on the installation. Pricing for Adonis starts at $2,995; Proteus is $29,995. Whirlpool has five Adonis units in service and one Proteus.

Over the longer term, Whirlpool may also use Proteus and Adonis to help implement network admission control (NAC) at its endpoints. "Proteus has the ability to authenticate a user before we give them a permanent IP address, which would be one of the steps we need to take for NAC," Fisbeck says. The company still isn't completely sold on NAC, but the Bluecat products will allow Whirlpool to do some trials and test it out, he says.

In the meantime, Whirlpool is deploying Proteus and Adonis across its network, and expects to complete that deployment by the end of this month. "We think it's going to help a lot," Fisbeck says. "We won't have to worry anymore about losing a zone just because someone made a typo."

— Tim Wilson, Site Editor, Dark Reading

About the Author

Tim Wilson, Editor in Chief, Dark Reading

Contributor

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights