5 Easy Firewall Steps to Identify and Prevent Attacks

Data today is more valuable than it has ever been. Mix that with the fact that online data storage is growing exponentially and you have a potential nightmare. Security in today’s world is essential, but one doesn’t have to break the bank to get some basic protection and visibility. Here is a list of 5 easy steps to help you get some basic protection and visibility into your environment before it is too late:

  1. Use VPN for all non-public traffic – Today’s firewalls almost always come with VPN capabilities. Take advantage of this technology. Your firewall should only be opened up for services that are for public consumption. Utilizing the VPN for management traffic like FTP, SSH, RDP, etc., can be a huge jump in security hardening. Most people have dynamic IPs, so having to keep opening firewall ports for those IPs can lead to those old rules not being cleaned up or even opening those services up to everyone! Don’t take a chance and leave a hole open for potential hackers; use this method to help lock down the firewall.
  2. Limit external footprint of your servers – If you don’t need something, turn it off. If your servers are not running a service for public consumption, don’t allow it through the firewall. For example, Active Directory servers typically have IIS installed and working. But as there is no public need for that, don’t allow external connections. Defaulting to deny and allowing only the essentials are good rules of thumb.
  3. Log….Log….Log… – Turn on firewall logging whenever possible. Logging is essential to helping detect any problems that are currently going on, or have been going on. Seeing a particular server getting strange requests, or a single IP address scanning your network could be an early indication of issues.
Read the full post »
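As an added example (not from the original post), here is one way to act on step 3: parse firewall log lines and flag a single source IP whose denied attempts spread across many host/port pairs, plus a count of denied probes against the management ports named in step 1. The key=value log format, the sample lines, the function names and the threshold are all constructed assumptions, not any vendor's format.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (hypothetical key=value format, not a vendor's).
SAMPLE_LOG = """\
2011-03-01T10:00:01 action=deny src=203.0.113.7 dst=192.0.2.10 dport=21
2011-03-01T10:00:01 action=deny src=203.0.113.7 dst=192.0.2.10 dport=22
2011-03-01T10:00:02 action=deny src=203.0.113.7 dst=192.0.2.10 dport=3389
2011-03-01T10:00:02 action=deny src=203.0.113.7 dst=192.0.2.11 dport=22
2011-03-01T10:00:03 action=deny src=203.0.113.7 dst=192.0.2.11 dport=445
2011-03-01T10:00:04 action=allow src=198.51.100.20 dst=192.0.2.10 dport=443
2011-03-01T10:00:05 action=allow src=198.51.100.20 dst=192.0.2.10 dport=443
2011-03-01T10:00:09 action=deny src=198.51.100.99 dst=192.0.2.10 dport=22
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>allow|deny) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

def parse(log_text):
    """Yield one dict per well-formed line; skip anything that does not match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def find_scanners(log_text, min_targets=4):
    """Return {src: sorted denied (dst, port) targets} for sources whose
    denied attempts cover at least min_targets distinct host/port pairs."""
    denied = defaultdict(set)
    for rec in parse(log_text):
        if rec["action"] == "deny":
            denied[rec["src"]].add((rec["dst"], int(rec["dport"])))
    return {src: sorted(t) for src, t in denied.items() if len(t) >= min_targets}

def management_ports_probed(log_text, ports=(21, 22, 3389)):
    """Count denied attempts per management port (FTP, SSH, RDP from step 1)."""
    counts = dict.fromkeys(ports, 0)
    for rec in parse(log_text):
        if rec["action"] == "deny" and int(rec["dport"]) in counts:
            counts[int(rec["dport"])] += 1
    return counts

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
    print(management_ports_probed(SAMPLE_LOG))
```

A source that only retries one blocked port, like 198.51.100.99 in the sample, stays below the threshold; tune `min_targets` to the normal noise level of your own logs.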

How to Get True Firewall High Availability

High availability is a necessity for any high performing web application today. Consumers want access to their information anytime, and not having high availability means your potential clients will go somewhere else for their needs or experience frustration.

One of the first areas to consider for a high availability network is the firewall. After all, it is usually your first line of defense and when it doesn’t work, it leaves your business down. Many people think the way to fix this is to add a second firewall and call it a day, but there are many options within the configuration that can improve your client’s experience and site availability. Here are two important considerations:

Current Sessions

The first things to think about are your current sessions. Most firewalls can perform what is known as stateful failover. In a regular failover, all connections are dropped. Clients then need to re-establish their connections when the other firewall takes over. In a stateful failover, however, the active unit shares connection information with its peer, so in the event of a failover the other firewall already has the connection information. This may seem like a trivial issue, but it decides whether the client sees the failure or not.

Typically, entry-level models do not have stateful failover, so this is a business decision that needs to be made before purchasing or upgrading firewalls. Also, you will need to make sure your application qualifies for stateful failover. HTTP is sometimes not enabled for stateful failover by default, since HTTP connections are typically not long-lasting.

Redundant Links

Another item to think about is redundant links. Failover should only happen if the primary firewall is unresponsive, because the failover process takes some time to happen. Depending on firewall models, failover times can vary. I typically see Cisco ASA firewalls reliably fail over in under 10 seconds with default settings, but that still leaves a window of downtime. Redundant links is a technology I set up for clients who want added HA by reducing the chance of failover. With redundant links, there are 2 cables used per interface rather than one.

So, picture a circumstance like this:

Read the full post »

Windows Server 2008 R2 – Top 3 Things the Sys Admin and Web Developer Should Know About

Microsoft recently released their newest version in the Windows Server series. This new OS, Windows Server 2008 R2, isn’t simply a feature pack release for the current Windows Server 2008 OS, but is actually an entirely new version that uses the same codebase as Windows 7. There are a number of new features included in this new release, and many of them are making the IT community very interested in how they can leverage them in their business. Here’s a brief run-down of some of the enhancements you can expect to see.

#1 – Hyper-V R2

The newest iteration of Microsoft’s virtualization offering includes a host of new features. The most intriguing feature we’ve seen so far is the added support for Live Migration through the use of Cluster Shared Volumes. This basically means that you can transfer live (read: running, powered on) virtual machines between cluster nodes without any perceived downtime. This feature, combined with improved support for up to 32 logical CPUs and dynamic memory allocation, shapes up to make Hyper-V ready for prime-time. If you were considering getting your hands dirty with virtualization, now would probably be a good time to start.

What this means to you: You could run your web applications on virtual machines and be able to perform hardware maintenance without ever letting your users know. (HINT HINT, TWITTER)

#2 – Desktop Virtualization with Terminal Services…er…Remote Desktop Services?

In addition to a name change from Terminal Services to Remote Desktop Services (RDS), several real improvements have been made to Microsoft’s remote server management tools. New capabilities in the Remote Desktop Protocol suite aim to make a remote user’s experience nearly identical to that of a local user. Among these capabilities are:

Read the full post »

INetU Labs takes on the Dell MD3000i: Is it an Enterprise-capable workgroup SAN?

Recently INetU Labs put Dell’s low cost workgroup SAN through its paces to see how it compares to the more robust (and costly) EqualLogic and EMC offerings. The results are in, and it seems that correctly configured, the MD3000i is a great product with plenty of bang for your buck.

Configuration

For testing we used an MD3000i populated with a mix of 146GB SAS and 500GB SATA drives. The SAN shipped with a single controller but a second was added to test failover. A word of warning here – Dell configures the duplex mode based on how the SAN is ordered; if you add a second controller later you’ll need to use the command line tool to enable it, a process that’s not stated as a clear requirement and takes a little digging on the Internet to find documentation for. That being said, once you find the docs you’ll have it set in no time. Our test unit was a major firmware revision behind, and bringing it up to date took a good twenty minutes. Minor revision updates probably won’t take as long, but this is something to keep in mind if you’re striving for multiple nines of availability.

Once the hardware was configured and updated, the software install was a snap. The management software is somewhat cumbersome but gets the job done, and configuring the LUNs is a simple process. We were testing multipath (MPIO), and Dell requires a specific version of the iSCSI initiator on Windows servers, so be careful here, too. Fortunately, the supplied driver CD made sure the right version was installed.

Benchmarking

Read the full post »

©1996-2011 INetU Inc, All Rights Reserved.