All posts by Meagan McDougall

Remote Access Policy

Given the proliferation of mobile devices and the “Anytime, Anywhere” mindset regarding company information, every company should at least be discussing remote access. The purpose of defining a policy is to:

  1. Define standards for connecting to the network from any host
  2. Minimize the potential exposure from damages which may result from unauthorized use of resources
  3. Set employee expectations for how and what they can connect
  4. Discover what is available for remote access

One of the first steps that needs to be done when determining a remote access policy is defining what needs to be made available remotely and through what method.  Review firewall rules, NAT policies and Client VPN or SSL-VPN settings to determine what is currently available.  Determine why those networks or applications are available, what their authentication levels are and how sensitive the information contained is.

When investigating what is available, keep in mind things like security cameras or applications that don’t necessarily contain company information, but may provide enough information to identify the company. There is a website devoted entirely to security cameras that are publicly reachable with the default passwords still set. One would hate to have the view from their own cameras on display for everyone to see.

When looking at our own infrastructure, our conversation about authentication levels revolved around two factor authentication.  If the application didn’t support two factor authentication, regardless of the sensitivity of the information, did we want access available directly from the Internet or did we want access to go through a device that supports two factor authentication?  Security comes at the expense of convenience, so keep in mind employee productivity when determining access methods.

Sensitivity of information can be defined many different ways. Usually one thinks only of the leaking of confidential data, intellectual property or damage to critical internal systems. Public image isn’t always thought of. With the use of social media and how quickly information can spread, public image needs to be given a higher priority.

After looking at what services to publish, define how employees can connect and the requirements for connecting.

  • Are only company assets going to be allowed to connect?
  • Are employee owned assets (BYOD) going to be allowed to connect?
  • Are all device types going to have the same access?
  • Are requirements like Antivirus software going to be enforced on employee owned assets?
  • Are site-to-site VPN tunnels going to be allowed from home offices?

Each company has different requirements regarding remote access, so there is not a one-size-fits-all policy that can be applied to everyone. With careful planning, discussions with all affected stakeholders and an understanding of requirements, a remote access policy can be crafted that helps keep the company secure while allowing employees to complete their job responsibilities.

Security Beyond the Firewall

Most companies take it as a given that firewalls, antivirus, and backups are minimum security controls for the standard business.  While it remains true that having a layer-7 aware firewall, solid endpoint protection and recoverable backups are controls every organization should have in place, there’s more to security than firewalls, endpoint protection and backups.

Central to any comprehensive security strategy is visibility of what is going on within the network.  This comes in two forms: network monitoring systems and log aggregation and alerting systems.  Network monitoring systems come in the form of SNMP monitoring systems and Flow monitoring software.  Log aggregation and alerting systems are most typically referred to as security information and event management systems (a.k.a. SIEM).

Systems that provide SNMP and Flow monitoring of the network give visibility into the packets traversing the network on a port-by-port and application basis. Such information can be useful in identifying rogue PCs on the network – such as those infected by a virus – or systems that are producing excessive volumes of traffic from one application type or another. At the end of the day, this visibility gives insight into what constitutes a “normal” day on your network.

SIEMs are another class of software altogether, designed to collect logs from various systems, to analyze those logs for anomalous events and to alert on those events. These alerts typically come in the form of emails or texts. The analysis behind those alerts is highly sophisticated, identifying anomalies across all systems – not just the network, but across domain controllers, workstations, network appliances, switches, routers, antivirus solutions, data loss prevention systems, and any other system whose logs you send to the SIEM. Such systems can be quite powerful and insightful.
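To make the two kinds of visibility above concrete, here is an added example (not code from the original post or from any SIEM product) of the cross-source correlation a SIEM performs: authentication failures from a domain controller and a workstation are joined with per-host flow volumes against a “normal day” baseline. All hostnames, users, addresses and volumes are constructed.

```python
"""Miniature SIEM-style correlation over constructed log lines and flow
summaries.  Every host, user, IP and byte count here is made up."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events from two log sources: a domain controller (dc01)
# and a finance workstation (ws-fin-07).
SAMPLE_LOGS = """\
2015-03-17T08:01:05 dc01 auth failure user=jdoe src=10.1.4.22
2015-03-17T08:01:09 dc01 auth failure user=jdoe src=10.1.4.22
2015-03-17T08:01:14 ws-fin-07 auth failure user=jdoe src=10.1.4.22
2015-03-17T08:01:20 dc01 auth failure user=jdoe src=10.1.4.22
2015-03-17T08:01:27 dc01 auth failure user=jdoe src=10.1.4.22
2015-03-17T08:01:33 dc01 auth success user=jdoe src=10.1.4.22
2015-03-17T08:05:00 dc01 auth success user=asmith src=10.1.4.31
"""

# Constructed one-hour flow summaries: (host, application, bytes sent),
# plus a per-host hourly baseline representing a "normal" day.
SAMPLE_FLOWS = [
    ("10.1.4.22", "smb", 48_000_000),
    ("10.1.4.31", "smb", 2_100_000),
    ("10.1.4.31", "https", 41_000_000),
    ("10.1.4.40", "dns", 12_000_000),
]
BASELINE = {"smb": 3_000_000, "https": 50_000_000, "dns": 500_000}

LOG_RE = re.compile(r"(\S+) (\S+) auth (failure|success) user=(\S+) src=(\S+)")

def parse_logs(text):
    """Normalise the raw lines into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts, host, result, user, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "result": result, "user": user, "src": src})
    return events

def detect_password_guessing(events, threshold=4, window=timedelta(minutes=2)):
    """Alert when one (user, source) fails >= threshold times within `window`
    across ANY hosts and then succeeds.  Seen per host the counts stay low;
    only the aggregated view reveals the pattern."""
    alerts = []
    failures = defaultdict(list)          # (user, src) -> [(ts, host), ...]
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["result"] == "failure":
            failures[key].append((ev["ts"], ev["host"]))
            continue
        recent = [(t, h) for t, h in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"user": ev["user"], "src": ev["src"],
                           "failures": len(recent),
                           "hosts": sorted({h for _, h in recent}),
                           "success_on": ev["host"]})
        failures[key].clear()
    return alerts

def detect_excess_traffic(flows, baseline, factor=10):
    """Flag hosts sending more than `factor` times the baseline for an app."""
    alerts = []
    for host, app, nbytes in flows:
        normal = baseline.get(app)
        if normal is not None and nbytes > factor * normal:
            alerts.append({"host": host, "app": app, "ratio": nbytes // normal})
    return alerts

def correlate(auth_alerts, traffic_alerts):
    """Raise severity when the same source appears in both feeds."""
    noisy = {a["host"] for a in traffic_alerts}
    return [("high" if a["src"] in noisy else "medium",
             f"{a['user']} from {a['src']}: {a['failures']} failures on "
             f"{', '.join(a['hosts'])} then success on {a['success_on']}")
            for a in auth_alerts]

if __name__ == "__main__":
    auth = detect_password_guessing(parse_logs(SAMPLE_LOGS))
    for sev, msg in correlate(auth, detect_excess_traffic(SAMPLE_FLOWS, BASELINE)):
        print(sev, msg)
```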

So, while state-of-the-art firewalls, antivirus, and backups provide protection against the myriad of threats that the average network may face, they are not sufficient to protect your network from the totality of threats that your network faces on a day-to-day basis.  To protect against the full range of attacks, you need security that extends beyond the firewall.

Rydell Data Center: The Finished Product

Ever wondered what HPN employees do on weekends? This is it. This spring, High Point Networks worked with Rydell Auto Center in Grand Forks, ND to design and build a new Data Center for their business, executing a twelve hour cutover on a Saturday night.

HPN engineers worked with Rydell to design their wiring, power, cooling and monitoring systems, approaching it from the standpoint of not only accommodating for their needs today, but also their needs for tomorrow.

After months of planning and twelve hours of cutover executed by two network engineers, a system engineer, and a cabling engineer, this is the finished product.

Why Veeam?

This is the second installment of a series by Systems Team Lead Matt Peabody to begin to answer a question he hears all the time: “Why vendor X?”

One of our account managers had been helping to look for a backup product as our primary offering.  He brought Veeam to us over 4 years ago and was really excited about the product.  I was one of the engineers installing Veeam for customers and was managing it internally for our own data protection once we verified it was a good fit for us. Over the years, our knowledge of the product continues to expand, and we have seen overwhelming success for our customers using the product.

Backup products are plentiful, and the list of companies offering backup continues to grow.  There are a few things, however, that separate Veeam from the competition:

1. Setup
Veeam’s install has always been extremely easy to walk through.  They continue to improve the process, and the latest install is nearly “Click install, next, next, finish.”  From there, it usually takes us a few minutes to configure where to back up, what to back up and when to back up the data.  There is much planning involved to get to this point, but once we have the information we need, the set up process is always a breeze.

2. Performance
Veeam’s scale out architecture allows it to grow into our largest customers.  We can easily add more repositories if we need more space and more proxies if we need more network or CPU throughput.  Since we can eliminate single points of failure and throughput bottlenecks, we have shrunk backup windows for many of our customers from hours to minutes or even multiple days to hours.  Many of our customers utilize iSCSI arrays, and tapping into the SAN fabric with a Veeam server for backups greatly decreases load on the network and production infrastructure, further lessening the impact of backups.

3. Backup Testing
Whenever we talk to customers about their backup solutions we always ask if they have ever tested their restores. The answer is usually that their backup product told them the backup was successful and they didn’t assume otherwise.  After working with many customers through many incidents, High Point Networks has adopted the mentality that a backup is not complete until a restore has been tested.  Veeam’s SureBackup automates the testing process and uses their Instant Restore feature to turn on a live VM from the backup file and test to make sure all the services start. This guarantees the recovery of the files in a backup.

4. Restore
Many backup products back data up easily enough, but Veeam excels at restoring data too.  They have multiple ways to restore data, ranging from an Instant Restore of the entire VM, to a single file, all the way down to item-level (email, calendar appointment) recovery for Exchange.  Their Explorer wizards greatly improve the experience of restoring advanced items in different scenarios, and the user experience is just like browsing the backup using Outlook or the SharePoint management interface.  The restores are quick to get data back into production, and Veeam continues to improve their user experience.

Veeam is an excellent product and is extremely easy to set up to demo for yourself.  We rely on it in our data protection plan internally at High Point Networks, and will continue to recommend it as a primary backup solution to our customers.   Next, I’ll be answering “Why VMware?”

A Sales Guy’s Review of the ND Cyber Security Conference

North Dakota State University hosted the North Dakota Cyber Security Conference on Tuesday, March 17, 2015. Adam Martin, Business Development Manager at High Point Networks, was surprised by what he observed during his first time at this event.

I have gone to a variety of business conferences over the years. For the most part they are all the same – keynote, vendors and food. Recently, I went to the North Dakota Cyber Security Conference held at NDSU. What I had in mind for my expectations of the conference and what I observed were completely different.

When I think of security professionals, I think of Gilfoyle from the HBO show “Silicon Valley.” (If you are a security guy and reading this, you are probably offended. It’s ok, I’m in sales, you are supposed to be mad at me.) Gilfoyle is insanely smart and has a dark sense of humor. I thought when I walked into the conference, I was going to feel out of place and uncomfortable, and like everyone there would know I was not an engineer. For the most part, I was right – being that I’m not an engineer.

As I observed the conference taking place I noticed something I haven’t seen much of in other conferences. These people seemed like family. Everyone knew each other and seemed to be fond of one another. I’ve never heard so much laughter at a technology conference. As I sat at the tables during the breaks, people dove right into conversations they seemed to have been having for years about security. Better yet, they wanted to include everyone at the table. These were not sales people or vendors. These were security engineers that work at our local industries, schools and hospitals. Have I said how amazed I was?

The security classes that I attended were good – very thought out and presented well. But they didn’t catch my attention as much as what I saw after the presentations. As soon as one of the engineers was done presenting, they all gathered in the hallway. For a moment I thought I would see what I have observed at other conferences – debating technology and why the presenter was wrong. But I didn’t. What I saw was discussions, not debate. Even though these security people did not work together outside of this conference, they were working together in the overall picture. They know how important it is to be secure. If one of them has a problem, they all have a problem, and the discussion won’t stop until they have a solution. These people do not see company logos on each other’s shirts, they see people responsible for the safety of others. In a sense, they have created a bond like an army. Even though you are not of the same unit, you are of the same cloth.

They do not laugh when they hear of a company getting hacked, because in their view, “If one of us get hacked, we all get hacked.” So, they work together to make sure no one does. Their hearts and passion truly speak the motto of the Cyber Security Conference: “Cyber Security is Our Shared Responsibility.”

Third ‘High on ShoreTel’ Users Group gathering scheduled for May 6

We at High Point Networks firmly believe that the relationships with our customers extend far beyond the day a project is finished. Between projects, we strive to provide opportunities for our customers to learn more about the solutions they have in their environments. One way we have worked to ensure continued education for our unified communications customers is by creating and managing the High on ShoreTel (HOST) Users Group.

This group, powered by High Point Networks and ShoreTel, aims to help administrators and users learn more about ShoreTel’s capabilities, network with other users and provide a place for questions to be answered in an open forum. Past events have proven exceptionally successful and useful to attendees, and this one looks to be even better. Our ShoreTel representatives from Minneapolis will share new information from the annual ShoreTel One Champion Partner Conference, and our ShoreTel Technical Account Manager will speak on “Advanced Applications for your ShoreTel System.”

Are you interested in learning more about your ShoreTel phone system? Join in the conversation!

When:
Wednesday, May 6, 2015
8:00 am – 11:45 am (Includes free breakfast)

Where:
Cambria Hotels & Suites
West Fargo Conference Center
825 E. Beaton Drive
West Fargo, North Dakota

Website/Register:
Learn more and register at: www.HighOnShoreTel.com

HPN Guides School Districts Through E-Rate Process

For years, school districts and libraries have been augmenting their telecommunication budgets with funds provided by the Universal Service Fund through the E-Rate program.  In 2014, the program was modernized to include internal connections under Priority 2.  This modernization funds school districts’ and libraries’ efforts to modernize their wired and wireless connections in proportion to their free and reduced lunch (FRL) student population.

The new funding formula provides $150 per student over five years multiplied by the organization’s FRL ratio. For example, if a district’s FRL ratio is 8 out of 10 students – or 80% – and the district has 10,000 students, it is eligible for up to $120,000 over 5 years (10,000 X $150.00 X .80). The district will need to contribute $30,000 to receive the $120,000 in this example. These funds are available one time during the five year period, either all at once or distributed over the course of five years. Most districts are applying for their portion in the first year due to uncertainties about the program’s funding over the 5 years.

A district needs to begin the process by filing a Form 470 stating their intent to procure Priority 2 funds for an internal project. This form allows vendors to bid for that project. Because districts are only required to abide by their purchasing policies, this is not necessarily an RFP process. As school districts choose a preferred vendor, they submit a Form 471 by the E-Rate deadline, April 16, 2015.  Once the Universal Service Administrative Company returns an intent to fund letter, the work can be scheduled.

Most districts choose a consultant to help them navigate these new and complex waters. This program provides opportunity for districts that have traditionally not been able to upgrade their technology due to financial or staffing constraints.  It also presents a challenge in deciding on the new technology to be used and how to implement it.  This is where a Value Added Reseller (VAR) like High Point Networks comes in.  HPN has been helping school districts improve their infrastructures for over ten years.

We have both the experience and engineering staff to successfully design, implement and support a variety of internal installations. The new E-Rate rules allow for a dizzying array of options to help students make the best use of the technology. Our staff brings their many years of school district experience to bear in designing a solution tailored to each individual district’s needs. We then implement that solution, train staff in its day to day operation, and also back it up with our own support staff. Whether it involves wireless or wired networks, unified communications, server storage or security, High Point Networks is looking forward to partnering with more school districts to enable the success of students and staff in our communities.

Why Nimble?

This is the first installment of a series by Systems Team Lead Matt Peabody to begin to answer a question he hears all the time: “Why vendor X?”

I’m kicking off this series with a vendor we have been supporting since they had relatively low name recognition, Nimble Storage.  Nimble Storage is a hybrid SAN vendor that combines spinning disk for write capacity and flash for read acceleration.

Nimble Storage was brought to us by one of their sales engineers that had worked with us in the past.  He described their product as the next big thing in storage.  After discussing the architecture, feature set, roadmap, and history of Nimble Storage with that sales engineer, we were sold.

There were a few things that stood out for us and continue to be items that distance Nimble Storage from other vendors:

  1. CASL (Cache Accelerated Sequential Layout)
    Nimble Storage’s CASL architecture was built from the ground up to take advantage of the shift in CPU architectures to multiple cores and not rely on disk spindles for speed.  This is the first architecture we had seen where the array was not spindle-bound, but CPU bound.  This allows Nimble Storage to use slower spinning disks for writes and use all of the flash in their array for read performance.  The file system design also helps them to take extremely thin, non-impacting snapshots, migrate hot data to flash in real time, and use commodity hardware, all without sacrificing performance.  These all combine to make a very affordable and reliable array with extremely fast response times.
  2. InfoSight
    InfoSight is a Big Data cloud that collects real time information and coalesces it into easy-to-read and understandable reports about the health of all the arrays that Nimble Storage has ever sold.  When customers ask how well the arrays actually perform, we can show people real-world performance statistics on existing installs and get them in touch with existing Nimble Storage customers.  We as partners rely on this data as much as our customers to recommend upgrades and ensure the health of our installs.
  3. Support
    A recent customer had an issue with a failover during a new install.  Where other vendors may have quit, citing an issue with the Fibre Channel infrastructure, Nimble had us pull logs and send that data to them.  After reading through the logs, they found the switches did not support the proper revision of the Fibre Channel specification.  This was added to Nimble Storage’s code and will be addressed in the next firmware release.  Nimble Storage also aggregates the analytics from their entire install base into InfoSight to give customers proactive warnings if they will run into a known issue, and then recommends a fix for them.  Nimble Storage support continues to impress both our engineers and our customers.
  4. Simplicity
    Nimble Storage keeps things simple.  Their pricing is array(s) + maintenance.  Maintenance is a simple percentage of the array and gets customers support, new firmware, hardware replacement, and any new features that come out in newer code versions.  Their arrays come in small configuration bundles that are easy to understand.   Nimble Storage’s GUI and command line management is intuitive and easy to use.  When we show most customers the GUI, they reply with “That’s it?” and that’s a question we like to hear.

Nimble Storage continues to be a strong partner for us at High Point Networks.  Now that I’ve answered “Why Nimble?” we’ll continue next time with “Why Veeam?”

HP to Acquire Aruba Networks; HPN ‘business as usual’

“HP to Acquire Aruba Networks to Create an Industry Leader in Enterprise Mobility” – this was the headline Monday. Seems like an interesting and bold move by a company who doesn’t exactly have the greatest track record with acquisitions (Tipping Point, 3Com, and Opsware to name a few). To be honest, when the rumblings of this event first hit my desk a week ago, I may or may not have let a few select words slip!

Upon taking a step back, we all have to realize that mergers and acquisitions are part of the world we live in, and the technology space is not immune. We like to refer to it as shaking things up a bit. The publicly available information related to the HP/Aruba deal sounds really good – the founder and all the upper management of Aruba plan to stay on long term, and ultimately intend to lead the combined wired and wireless business of HP. If these plans become the reality, the result could be good for everyone. At this time, High Point Networks has no plans to change direction, and is continuing to certify our staff on various components of the Aruba product line (Clearpass, Mobility Controllers, pre-sales design, post-sales support, etc). In fact, we will very soon have completed everything necessary to achieve the highest level in the Aruba Networks Partner Program.

Aruba Networks is hosting their “Atmosphere” Partner Community event this week in Las Vegas, where I’m sure we’ll hear all about the new plans as they stand today. We will keep you posted on what we hear! In the meantime, it’s business as usual.

Tom McDougall, President & CEO, with Justin Fetsch, Vice President of Sales

Read the full announcement here.

Simple, Comprehensive Network Access Control with Aruba ClearPass and Juniper Networks

Aruba ClearPass is a best-of-breed network access control platform built around open standards, with multi-vendor interoperability a primary design element. And, when paired with a Juniper Networks access layer? The power and flexibility is industry-leading. Juniper EX-series switches have several advantages over other vendors, such as device configuration simplicity, full user accounting, real-time threat detection, intercept and redirection, and a strong, growing partnership between Aruba and Juniper Networks.

Different equipment has different strengths for specific applications. In this scenario, we imagine a customer who requires very firm control of their access network. They need the following:

  • Access to specific network resources controlled by role and user or device identity
  • Remediation networks so that workstations may be repaired before joining the corporate network
  • Full visibility into user- and machine-based authentication and login activities anywhere on the network
  • Simple, repeatable configuration across many access network devices, such as switches
  • Real-time detection and remediation of threats

The last two items are where Juniper EX-series switches shine. They make use of industry-standard authentication tools such as 802.1X and RADIUS Change of Authorization, giving them the ability to change port configuration in real time, programmatically, as any authorized, standards-compliant external system commands. For ClearPass access control, this means the included health monitor can cause immediate remediation and redirection on the network access equipment, thus protecting critical data and resources the moment a threat is detected. Switches lacking this feature require the re-authentication interval to expire before access can be programmatically revoked. Depending on configuration, this is typically at least several hours, and sometimes a day or longer.

In today’s fast-paced threat environment, this is risky.

Full RADIUS accounting support also means ClearPass knows where a user is logged in at any time, on which port, for how long, how much data has been transferred, and so on. One can simply query ClearPass and instantly see where and how the user is connected. With switches from vendors that do not send this data, ClearPass can only show login attempts. It also cannot direct a network port to close or redirect, because it cannot know whether the user is actively logged in at the time a threat is detected.
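The two paragraphs above (Change of Authorization and RADIUS accounting) turn on one piece of state: a live session table. The following added example, which is not ClearPass or Juniper code, builds that table from constructed RADIUS accounting records (attribute names from RFC 2866) and shows why a Disconnect-Request (RFC 5176) can only be addressed when an active session is known. The switch addresses, port names, users and counters are all made up.

```python
"""RADIUS accounting session table, the data a NAC needs before it can
target a user's live session with a Change-of-Authorization.  All
values below are constructed."""

# Constructed accounting records as two switches would send them.
SAMPLE_ACCOUNTING = [
    {"Acct-Status-Type": "Start", "User-Name": "jdoe",
     "NAS-IP-Address": "10.0.0.11", "NAS-Port-Id": "ge-0/0/7",
     "Acct-Session-Id": "8A1F0001", "Calling-Station-Id": "00-11-22-33-44-55"},
    {"Acct-Status-Type": "Interim-Update", "User-Name": "jdoe",
     "NAS-IP-Address": "10.0.0.11", "NAS-Port-Id": "ge-0/0/7",
     "Acct-Session-Id": "8A1F0001", "Acct-Session-Time": 1800,
     "Acct-Input-Octets": 52_000_000, "Acct-Output-Octets": 9_000_000},
    {"Acct-Status-Type": "Start", "User-Name": "asmith",
     "NAS-IP-Address": "10.0.0.12", "NAS-Port-Id": "ge-0/0/12",
     "Acct-Session-Id": "8A1F0002", "Calling-Station-Id": "00-11-22-33-44-66"},
    {"Acct-Status-Type": "Stop", "User-Name": "asmith",
     "NAS-IP-Address": "10.0.0.12", "NAS-Port-Id": "ge-0/0/12",
     "Acct-Session-Id": "8A1F0002", "Acct-Session-Time": 600,
     "Acct-Input-Octets": 4_000_000, "Acct-Output-Octets": 1_000_000},
]

def build_session_table(records):
    """Replay accounting records in order; return (active, closed) dicts
    keyed by (NAS address, Acct-Session-Id)."""
    active, closed = {}, {}
    for r in records:
        sid = (r["NAS-IP-Address"], r["Acct-Session-Id"])
        status = r["Acct-Status-Type"]
        if status == "Start":
            active[sid] = {"user": r["User-Name"], "nas": r["NAS-IP-Address"],
                           "port": r["NAS-Port-Id"], "session_id": r["Acct-Session-Id"],
                           "mac": r.get("Calling-Station-Id"),
                           "seconds": 0, "octets_in": 0, "octets_out": 0}
        elif status in ("Interim-Update", "Stop"):
            s = active.get(sid)
            if s is None:
                # Update or Stop with no Start seen: lost records or a NAS
                # restart.  Nothing to attribute it to, so it is ignored.
                continue
            s["seconds"] = r.get("Acct-Session-Time", s["seconds"])
            s["octets_in"] = r.get("Acct-Input-Octets", s["octets_in"])
            s["octets_out"] = r.get("Acct-Output-Octets", s["octets_out"])
            if status == "Stop":
                closed[sid] = active.pop(sid)
    return active, closed

def where_is(user, active):
    """Answer 'where is this user right now': (switch, port, seconds, bytes)."""
    return [(s["nas"], s["port"], s["seconds"], s["octets_in"] + s["octets_out"])
            for s in active.values() if s["user"] == user]

def coa_disconnect_attrs(user, active):
    """Session-identification attributes a Disconnect-Request would carry.
    An empty list means no live session is known, which is exactly the
    situation a NAC fed only authentication logs is always in."""
    return [{"User-Name": s["user"], "Acct-Session-Id": s["session_id"],
             "NAS-IP-Address": s["nas"], "NAS-Port-Id": s["port"]}
            for s in active.values() if s["user"] == user]

if __name__ == "__main__":
    active, closed = build_session_table(SAMPLE_ACCOUNTING)
    print("jdoe:", where_is("jdoe", active))
    print("asmith:", coa_disconnect_attrs("asmith", active) or "no live session")
```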

Does your access network support this level of intelligence?

Configuration management is another strong point of the EX-series. Most importantly, all the intelligence for a port configuration can be stored in ClearPass, meaning the individual switches need not be hand-configured for every user move, add, removal, etc. Further, EX-series switches share the Junos operating system with other enterprise- and carrier-grade hardware, and this extends down to configuration management. Junos has supported templating and cloning since its inception. In ideal environments, the only thing that need be configured is the switch’s management identity. Everything else—including trunking uplinks, spanning tree, access profiles and more—can be configured with a single template and enforced and operated programmatically, be it on device, via SSH or NETCONF, or through a management platform such as Junos Space.

Does your organization have a complex and highly dynamic access network? Would you like to gain control and visibility into who is connecting, where, when, how, and what they are doing? Would you like to ensure all connected entities are properly remediated, in real time and as threats are detected? And would you like to ensure they have access only to the network resources they need?

Aruba ClearPass provides the solution, and Juniper EX-series switches can enable the full capability with a programmatic, consistent, standards-based and adaptive platform.