Security

A modern hacker will rarely attack an updated strong firewall head on. It is far easier to use the openings in the firewall to attack the systems and users in the Operational Zone (OZ, the part of your network where your users work and where your least sensitive information assets are held) behind the firewall. The organizations targeted in Operation Aurora and Operation Shady RAT had strong firewalls in place. The hackers who attacked those organizations, including two Government of Canada departments and one agency in the case of Operation Shady RAT, did so by using a Spear Phishing attack against the users in the OZ. The targeted users inadvertently installed malware which made an outbound connection through the strong firewall to the hackers. This outbound connection gave the hackers long-term access to the OZ from which to launch the second stage of their attack against the servers in the OZ and the Security Zone (SZ, the part of your network where your more valuable information assets are held, where users normally don’t work directly, and which is separated from your other network zones by an internal firewall).

Most modern hacking attacks use this approach, so it is essential to assume that you are no longer protecting your network from a hacker who is outside your firewall. You must now concentrate on protecting your information assets from a hacker who is inside your network. By far the most important aspect of this effort is to limit a hacker’s ability to move from their beachhead within your network to the machines which house your sensitive or valuable information assets. With the rise of hacktivism (politically or ideologically motivated hacking) and socialized hacktivism (which is coordinated using social media), it is also possible that one or more of your network users will be aware of, and may even be sympathetic to or participate in, the attack.

A strong border firewall is an essential element of any security posture, and having a strong firewall is nearly infinitely better than not having one. Once your border firewall is up, however, it does little more than establish a border to your defendable network enclave. A border firewall is simply a barrier that a hacker must get past to own your network and your information. The border firewall, like everything else on your network, must be updated regularly and quickly to remain effective.

There are several things that you must do: deploy strong internal firewalls to separate your sensitive and valuable information assets from your network operational zone, patch network devices, workstations, and servers as quickly as possible, and test continuously to ensure that your patched systems are in fact secure.

A good way to ensure that you understand the extent of your organization’s vulnerability from both an external and an internal perspective is to employ an on-demand penetration testing tool. This is particularly important for companies which hold trade or national secrets, handle large amounts of money, or hold large amounts of personal information (defense contractors, financial institutions, law firms, etc.). We have recommended and used Core Security’s IMPACT Professional with great results. Tools such as IMPACT Professional allow your risk management and operations teams to penetration test systems during Certification and Accreditation or following patches, installs, or restores, and to test those systems again whenever necessary.

IMPACT’s big brother, CORE INSIGHT Enterprise, automates and schedules the penetration testing effort using the CORE IMPACT Pro engine. Risk Management professionals provide basic network information, define which tests are to be run, and define campaign parameters; INSIGHT Enterprise then automatically tests your systems for open, exploitable vulnerabilities and reports when they are found. Your Risk Managers can also define a goal, such as your most critical systems or those holding your most sensitive or valuable information assets, and INSIGHT Enterprise will crawl your network looking for ways to reach and exploit those goals. INSIGHT Enterprise will produce network maps showing the attack vectors it has found that give it access to those defined goals, so that you can close those vectors. INSIGHT Enterprise will then repeat those campaigns on the schedule that you define, looking for new open exploitable vulnerabilities and vectors to reach its defined goals.

Both products take advantage of more than 2,500 exploits which can test more than 10,000 unique targets, with new exploits added automatically as they are discovered, often at a rate of between 30 and 50 per month. The highly sensitive results of these penetration tests stay within your organization, providing the highest level of confidentiality while giving insight into areas of increased risk.

Posted in IT Management

This blog entry follows Parts 1 and 2, which took a look at the components we would need to run a complete VMware vSphere environment on a single machine, and how to install these components under VMware Workstation 7.

In this third and final entry in this series, I’ll discuss how I configured the networking and storage options for my vSphere environment, and how to get a VM to run inside another VM. (If you haven’t read Parts 1 and 2 yet, just scroll down this page till you find them!)

Networking

As you may recall if you’ve read Parts 1 and 2 of this series, my two ESXi 4.1 servers are running as VMs under VMware Workstation 7.1.3.

VMware Workstation allows us to create 10 virtual NICs per ESXi server. I chose to create 5 separate networks (port groups) for each ESXi server, with each network having 2 NICs per ESXi server. My port groups are named as follows:

  • Management Network
  • Storage Network
  • vMotion Network
  • Fault Tolerance Network
  • VM Network

To accomplish this without using VLAN tagging, I first went into VMware Workstation’s Virtual Network Editor, which is found under the Edit menu. This is how I configured the VMnets:

Posted in IT Management

This blog entry follows Part 1, which discussed the various components I used to build my home VMware lab on the cheap. By on the cheap I mean having everything running on a single laptop under VMware Workstation 7, using as much free stuff as possible. And by everything I mean vCenter Server 4.1, two ESXi 4.1 servers and an open-source iSCSI storage appliance. If you haven’t read Part 1 yet, just keep scrolling down till you reach it!

So if you haven’t read Part 1, none of this is likely to make much sense! So get on down there and read it first! This second part discusses putting the various components together to create a functional vSphere-in-a-box environment.

Putting it all Together

1.  ESXi 4.1

Install your first ESXi server as a VM in VMware Workstation. Choose the ESXi 4.1 ISO file when prompted for an installer disc image. Workstation will automatically detect the ISO file as ‘ESX Server 4’. (Yes, you will be running a VMware hypervisor inside another VMware hypervisor! Pretty neat, huh?)

Make sure that you give this server at least 2 processors, with 1 core per processor. (Or, if you prefer, 1 processor with 2 cores per processor.) The result is the same: you will have 2 processor cores on the ESXi server. (Your physical machine needs at least this many cores, as discussed in Part 1.) Give this VM 4 GB of memory. For now, use Host-Only Networking. Select an LSI Logic SCSI Controller.

The VM’s disk should be SCSI. To save on physical disk space, do not allocate all of the VM’s disk space now (i.e., use thin provisioning).

Before you finish the new VM wizard and start the ESXi installation, customize the hardware in order to add some more network interfaces. By default, there will be only one, which is not so useful. A great thing about virtualizing our ESXi servers is that we can add a total of 10 virtual interfaces per server, without spending any money on real interfaces. This allows us to follow VMware best practices in terms of having separate management, storage and vMotion networks, and play around with different networking combinations. Again, for now, set these to be the default Host-Only (VMnet1) network.

After you finish installing your first ESXi server, give the management interface a static IP address in the ‘Host-Only’ IP address range provided by VMware Workstation and test Web browser access to it. Download and install the vSphere Client on your laptop and use it to attempt to connect to the ESXi server. If everything looks good, repeat this process for your second ESXi server.

Posted in IT Management

In this three-part blog series, I’ll discuss how you can implement your own private VMware vSphere environment on a single machine, with minimal cost. This blog entry is aimed towards technical professionals who already have some familiarity and experience with VMware and vSphere.

Why?

Why would you want to do this? As anyone who is striving towards their VCP (VMware Certified Professional) status knows, hands-on experience is essential. Most of us are not lucky (or wealthy) enough to have access to a fully equipped vSphere-powered lab at work or home that can be modified, reconfigured and brought down at will. We need a private sandbox to test and learn about vSphere technology, without fear of bringing down a lab or, worse, a production environment. If you are an existing VCP, then a sandbox environment is equally important in order to keep your skills up to date.

There are numerous other blogs on the Web that discuss doing this type of thing using one or more dedicated physical servers. You can save a lot of money by building these machines yourself, termed “whiteboxes”, by buying individual components on eBay or other Web sites and putting them together to create your own home-based lab. This approach costs money and time to acquire and build the hardware, but may feel more “realistic” since you will be working with real hardware as you would in the real world. Another cost to consider if choosing the hardware approach is the electricity that one or more servers will add to your monthly power bill! (And for us married guys, we have to think about what our significant others will have to say about us turning the basement into a datacenter…)

If you’d like to try the hardware approach, one online source is http://ultimatewhitebox.com. A quick Google search will reveal several others.

This is not the approach I used.

Posted in IT Management

Introduction

The world of applications has changed, and a modern Application Performance Management (APM) solution needs to be designed for today’s distributed and complex environments. It should enable IT operations and infrastructure professionals to locate and resolve problems without necessarily calling in the development team for assistance. It must be extremely intuitive and far-ranging in its capability, and it should be able to speak the language of business—rather than the language of developers.

In particular, an APM solution must be selected with the following five things in mind.

Posted in IT Management

At a recent Silicon Valley Cloud Computing Meetup, Netflix presented the lessons learned from their migration of their revenue-critical applications to the Amazon Cloud. Netflix is the leading online movie streaming service, and not only is their business growth astonishing, but they may have the largest revenue-critical application running on Amazon AWS: it generates over $2 billion a year.

The presenter was Adrian Cockcroft, the chief cloud architect for Netflix. He explained how they use the cloud and how they identify and resolve performance problems. He also explained how he uses AppDynamics as his preferred APM solution to monitor his cloud apps. Click here to watch the recording.

Below are some takeaways from the session.

Posted in IT Management

June 8th was World IPv6 Day – lots of handwaving, many predictions, endless articles published and speeches made. But what does it all really mean? Here’s a summary of what we’ve learned and what we feel it means to those looking into IPv6 migration.

The Internet did not Break – Phew!

“The Internet did not break,” said Donn Lee, a senior network engineer at Facebook, to Computerworld near the end of World IPv6 Day. “As we expected, and as we’d hoped for, it was completely a non-event by technical standards … I talked to folks who have call centers and they said they had totally unchanged volume for any normal day. We have not noticed any difference in user tickets or stats that we track on folks using the site.”

It seems that only a few minor glitches were detected. Other issues were anticipated and are the subject of ongoing development. Many dual-stack clients suffer when a choice of IPv4 and IPv6 paths is available. Some will prefer an IPv6 path even if it’s slower, experimental, or doesn’t work. Failing over quickly from IPv6 to IPv4, or from IPv4 to IPv6, can improve connection times.

IPv6 is here to Stay

Native IPv6 web traffic bumped up significantly in relative terms during World IPv6 Day; however, it remained just a small fraction of total Internet traffic. Most traffic growth was in IPv6 tunneling protocols, like free 6in4 tunnels, or Teredo, which is included with Windows Vista and Windows 7.

Key sites like Facebook, YouTube and Yahoo, and the content delivery networks Akamai and Limelight, proclaimed World IPv6 Day a resounding success, and said they would continue support for IPv6 on key sites for developers.

IPv6 Adoption may be slow but it will happen

In the weeks since World IPv6 Day, we’ve come to share the view that “It’s going to be a long hard slog to IPv6-Land.” Expect pressure to support IPv6 to build over time, from different perspectives.

You will need to support IPv6 within the 3-5 year lifecycle of anything you buy today.

  • Make support for IPv6 a mandatory requirement for all new equipment purchases.
  • Start validating claims of IPv6 support, and test what support is present on existing deployed equipment.
  • Equipment vendors: expect RFPs to get more specific on IPv6 support, and to be backed up with real testing. Empowered can help you expand your IPv6 functionality, conformance and performance testing.

Posted in Data Center, IT Management, Testing

Blackberry World 2011 – 5000+ attendees with all their Wi-Fi devices, plus 5000 new PlayBooks updating themselves at the same time – truly an IT nightmare in the making.

RIM knew that lightning-fast 802.11n Wi-Fi connectivity at BlackBerry World 2011 was essential to showcasing the power and agility of their new PlayBook. For many, it was the first chance to see the PlayBook up close and personal. Additionally, everyone – 5000+ attendees, media, registration, event staging and more – had some kind of mobile device that needed tethering to Wi-Fi and the Internet … if not two or more devices.

The event space for BlackBerry World was enormous – the Orlando World Center Marriott Resort & Convention Centre has over 450,000 square feet of event space on a single floor – more than 10 acres of space. At last year’s event, Wi-Fi was a challenge and a bottleneck. Some 700 concurrent users got lack-lustre performance from a “typical” Wi-Fi network using 2-radio access points.

Event organizers at RIM turned to Empowered and Xirrus to deliver a high-performance 802.11n Wi-Fi network, with support for all key Wi-Fi standards (802.11 a/b/g/n) and devices. Empowered’s team, led by Matt Rose, performed an Active Site Survey of the facilities in advance of the event, and planned coverage, capacity and channel management to support a minimum of 2000 concurrent users – RIM’s stated requirement.

Onsite in Orlando, the design goals changed – the organizers now demanded support for 10,000 concurrent Wi-Fi users – a five-fold increase! Undaunted, the team was able to stage, deploy, commission and install the Wi-Fi network, and to connect it to the backend network supporting the show, in just 2 days.

Posted in IT Management, Mobility

I am constantly surprised to learn how few organizations have a consistent approach to virtualizing applications or a defined method in place for Physical to Virtual (P2V) conversion. Equally surprising is how often these are organizations which are otherwise quite mature in how they manage the other aspects of their IT operations.

I suspect that this has a lot to do with the organic way that virtualization has grown within organizations over the past few years, rising from a mere mention on the CIOs’ annual priorities list published by Gartner 4 years ago to claiming the number 1 spot in this past year’s list. A good deal of this meteoric rise has to do with the initial economic benefits of virtualization. The typical IT organization has implemented virtualization initially as a better mousetrap for traditional application consolidation – the practice of hosting more than one application on a common physical platform. With virtualization, organizations get application consolidation without the conflict and administrative complication associated with traditional methods. Consolidation by any method, of course, allows organizations to leverage their physical investment and achieve operational efficiencies in facilities and HVAC.

Posted in Cloud Computing, Data Center, IT Management, Virtualization

In a traditional Data Center, as you acquire more IT assets, more and more controls are required to keep things running the way you meant them to. If you don’t put these controls around your IT systems, you end up with gaps in your management strategy, and those gaps eventually (and almost inevitably) cause you unplanned downtime. I don’t think too many of you will argue this one; we’ve all seen it happen over and over again.

Now let’s move ahead to today’s data center, where companies are moving to virtualization. In our new virtual environment, suddenly we can create new Virtual Machines, Virtual Networks, and Virtual Storage in a fraction of the time it used to take us to do the equivalent in the physical world. We can now move these around with the click of a mouse, or, in a fully automated environment, create and then shut down that virtual system even more quickly. In our new reality, all we need to know is that resources are available (CPU, disk, memory) and voila, we are up and running. At first glance, life sure got easier.

However, what people often miss is the impact of virtualization on our oh-so-critical management systems. Some people may feel that all that ITSM stuff goes away, but I have seen over and over again that not only is it more important than it ever was, but virtualization has in fact become the ITSM Gap Amplifier.

Why?

Posted in Cloud Computing, Data Center, IT Management, Virtualization