Monthly Archives: April 2015

Remote Access Policy

Given the proliferation of mobile devices and the “Anytime, Anywhere” mindset regarding company information, every company should at least be having a discussion about remote access.  The purpose of defining a policy is to:

  1. Define standards for connecting to the network from any host
  2. Minimize the potential exposure to damages that may result from unauthorized use of resources
  3. Set employee expectations for how and what they can connect
  4. Discover what is available for remote access

One of the first steps in determining a remote access policy is defining what needs to be made available remotely and through what method.  Review firewall rules, NAT policies and Client VPN or SSL-VPN settings to determine what is currently available.  Determine why those networks or applications are available, what their authentication levels are and how sensitive the information they contain is.

When investigating what is available, keep in mind things like security cameras or applications that don’t necessarily contain company information, but may provide enough information to identify the company.  There is a website devoted entirely to publicly available security cameras that still have their default passwords set.  No one wants the view from their cameras available for everyone to see.

When looking at our own infrastructure, our conversation about authentication levels revolved around two-factor authentication.  If the application didn’t support two-factor authentication, regardless of the sensitivity of the information, did we want access available directly from the Internet or did we want access to go through a device that supports two-factor authentication?  Security comes at the expense of convenience, so keep in mind employee productivity when determining access methods.

Sensitivity of information can be defined in many different ways.  Usually one thinks only of the leaking of confidential data, intellectual property or damage to critical internal systems.  Public image isn’t always thought of.  With the use of social media and how quickly information can spread, public image needs to be given a higher priority.

After looking at what services to publish, define how employees can connect and the requirements for connecting.

  • Are only company assets going to be allowed to connect?
  • Are employee-owned assets (BYOD) going to be allowed to connect?
  • Are all device types going to have the same access?
  • Are requirements like antivirus software going to be enforced on employee-owned assets?
  • Are site-to-site VPN tunnels going to be allowed from home offices?

Each company has different requirements with regard to remote access, so there is no one-size-fits-all policy that can be applied to everyone.  With careful planning, discussions with all affected stakeholders and an understanding of requirements, a remote access policy can be crafted that helps keep the company secure while allowing employees to complete their job responsibilities.

Security Beyond the Firewall

Most companies take it as a given that firewalls, antivirus, and backups are minimum security controls for the standard business.  While it remains true that having a layer-7 aware firewall, solid endpoint protection and recoverable backups are controls every organization should have in place, there’s more to security than firewalls, endpoint protection and backups.

Central to any comprehensive security strategy is visibility of what is going on within the network.  This comes in two forms: network monitoring systems and log aggregation and alerting systems.  Network monitoring systems come in the form of SNMP monitoring systems and Flow monitoring software.  Log aggregation and alerting systems are most typically referred to as security information and event management systems (a.k.a. SIEM).

Systems that provide SNMP and Flow monitoring of the network give visibility into the packets traversing the network on a port-by-port and application basis.  Such information can be useful in identifying rogue PCs on the network – such as those infected by a virus – or systems that are producing excessive volumes of traffic from one application type or another.  At the end of the day, this visibility gives insight into what constitutes a “normal” day on your network.
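As an added illustration (not part of the original post), the sketch below builds a per-host, per-port baseline of a "normal" day from flow summaries and flags a review day that departs from it.  The records, addresses and thresholds are constructed for the example; real data would come from a flow collector's export.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries: (day, source host, destination port, bytes).
FLOWS = [
    (1, "10.0.0.11", 443, 110_000), (2, "10.0.0.11", 443, 120_000),
    (3, "10.0.0.11", 443, 100_000), (4, "10.0.0.11", 443, 115_000),
    (1, "10.0.0.12", 443, 90_000),  (2, "10.0.0.12", 443, 95_000),
    (3, "10.0.0.12", 443, 85_000),  (4, "10.0.0.12", 443, 92_000),
    (1, "10.0.0.12", 25, 4_000),    (2, "10.0.0.12", 25, 5_000),
    (3, "10.0.0.12", 25, 4_500),    (4, "10.0.0.12", 25, 5_500),
    # Day 5 is the day under review.
    (5, "10.0.0.11", 443, 118_000),
    (5, "10.0.0.12", 443, 88_000),
    (5, "10.0.0.12", 25, 900_000),   # mail volume far above this host's norm
    (5, "10.0.0.11", 6667, 40_000),  # port never seen from this host before
]

def daily_totals(flows):
    """Sum bytes per (host, port) for each day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, port, nbytes in flows:
        totals[(host, port)][day] += nbytes
    return totals

def find_anomalies(flows, review_day, sigmas=3.0, min_bytes=10_000):
    """Compare review_day against the baseline built from earlier days."""
    findings = []
    for (host, port), per_day in sorted(daily_totals(flows).items()):
        today = per_day.get(review_day, 0)
        if today < min_bytes:
            continue  # ignore trivial volumes to keep alert noise down
        history = [b for d, b in per_day.items() if d < review_day]
        if not history:
            # No baseline: this host has not used this port before.
            findings.append((host, port, "new-port", today))
        elif today > mean(history) + sigmas * pstdev(history):
            findings.append((host, port, "volume-spike", today))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(FLOWS, review_day=5):
        print(finding)
```

Days on which a host sent nothing to a port are absent from its history rather than counted as zero, so the baseline here describes active days only.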

SIEMs are another class of software altogether, designed to collect logs from various systems, to analyze those logs for anomalous events and to alert on those events.  These alerts typically come in the form of emails or texts.  The analysis behind those alerts is sophisticated enough to identify anomalies across all systems – not just the network, but across domain controllers, workstations, network appliances, switches, routers, antivirus solutions, data loss prevention systems, and any other systems that send logs to the SIEM.  Such systems can be quite powerful and insightful.

So, while state-of-the-art firewalls, antivirus, and backups provide protection against the myriad of threats that the average network may face, they are not sufficient to protect your network from the totality of threats that your network faces on a day-to-day basis.  To protect against the full range of attacks, you need security that extends beyond the firewall.

Rydell Data Center: The Finished Product

Ever wondered what HPN employees do on weekends? This is it. This spring, High Point Networks worked with Rydell Auto Center in Grand Forks, ND to design and build a new Data Center for their business, executing a twelve-hour cutover on a Saturday night.

HPN engineers worked with Rydell to design their wiring, power, cooling and monitoring systems, approaching it from the standpoint of not only accommodating for their needs today, but also their needs for tomorrow.

After months of planning and twelve hours of cutover executed by two network engineers, a system engineer, and a cabling engineer, this is the finished product.

Why Veeam?

This is the second installment of a series by Systems Team Lead Matt Peabody to begin to answer a question he hears all the time: “Why vendor X?”

One of our account managers had been helping to look for a backup product as our primary offering.  He brought Veeam to us over 4 years ago and was really excited about the product.  I was one of the engineers installing Veeam for customers and was managing it internally for our own data protection once we verified it was a good fit for us. Over the years, our knowledge of the product has continued to expand, and we have seen overwhelming success for our customers using the product.

Backup products are plentiful, and the list of companies offering backup continues to grow.  There are a few things, however, that separate Veeam from the competition:

1. Setup
Veeam’s install has always been extremely easy to walk through.  They continue to improve the process, and the latest install is nearly “Click install, next, next, finish.”  From there, it usually takes us a few minutes to configure where to back up, what to back up and when to back up the data.  There is much planning involved to get to this point, but once we have the information we need, the setup process is always a breeze.

2. Performance
Veeam’s scale-out architecture allows it to grow into our largest customers.  We can easily add more repositories if we need more space and more proxies if we need more network or CPU throughput.  Since we can eliminate single points of failure and throughput bottlenecks, we have shrunk backup windows for many of our customers from hours to minutes or even multiple days to hours.  Many of our customers utilize iSCSI arrays, and tapping into the SAN fabric with a Veeam server for backups greatly decreases load on the network and production infrastructure, further lessening the impact of backups.

3. Backup Testing
Whenever we talk to customers about their backup solutions we always ask if they have ever tested their restores. The answer is usually that their backup product told them the backup was successful and they didn’t assume otherwise.  After working with many customers through many incidents, High Point Networks has adopted the mentality that a backup is not complete until a restore has been tested.  Veeam’s SureBackup automates the testing process and uses their Instant Restore feature to turn on a live VM from the backup file and test to make sure all the services start. This guarantees the recovery of the files in a backup.

4. Restore
Many backup products back data up easily enough, but Veeam excels at restoring data too.  They have multiple ways to restore data, ranging from an Instant Restore of the entire VM, to a single file, all the way down to item-level (email, calendar appointment) recovery for Exchange.  Their Explorer wizards greatly improve the experience of restoring advanced items in different scenarios, and the user experience is just like browsing the backup using Outlook or the SharePoint management interface.  The restores are quick to get data back into production, and Veeam continues to improve their user experience.

Veeam is an excellent product and is extremely easy to set up to demo for yourself.  We rely on it in our data protection plan internally at High Point Networks, and will continue to recommend it as a primary backup solution to our customers.   Next, I’ll be answering “Why VMware?”