Cloud computing is here to stay, with many small to midsized enterprises either actively adopting it or at least considering it in some form. One aspect of cloud computing that I see my clients constantly underestimating is the bandwidth of their connection. We have become accustomed to LANs at 100Mbps, and many of us even at 1Gbps, for quite a while now. We connect to our servers at that high speed and the data moves across our LAN almost instantaneously.
Now we are moving our servers to the cloud and we forget that this means we are connecting to them via our Internet link, which is rarely fast and almost never 100Mbps. This is especially true in the SMB, but it can be valid for large enterprises as well: although they may have much more bandwidth, they also have many more employees using it, and bandwidth saturation may actually be higher. So, one tip - when you move your servers to the cloud, consider how relevant access speed is for your users; if it is very relevant, keep the server in-house until you can guarantee a very high-bandwidth Internet connection.
Another aspect of the same issue – continuity of service. We move to the cloud because this guarantees redundancy and continuity of service, but we forget to get a second Internet link for our own LAN. So if our ISP connection goes out and we lose connectivity to our servers “in the cloud” – how is our productivity impacted? Either get a secondary ISP, or don’t move to the cloud those servers that are fundamental to your users’ productivity.
There are several products that guarantee remote access to the cloud servers without the need for a VPN. I cringe every time I see that. None of these products can guarantee the same level of access security as a VPN. It is not only a matter of encryption; rather, it is a matter of identification, credentials, access control.
An SSL VPN connection requires a private certificate and key - that is strong authentication. An application like RDP simply requires a login ID on the server and an open port in the firewall. Hence the security of your server at that point is only as strong as your weakest password. We have spent a decade improving our best practices to define how to control remote access; it is hard for me to believe how many companies are putting their data in the cloud and allowing access via RDP without source IP limitation, thus exposing their servers’ login to the entire world. Remember, hackers have all the time they want, and know all the tricks. You expose a login ID to them and sooner or later they’ll find a way in.
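The source IP limitation mentioned above is easy to audit. As an added example (not from the original post), the script below walks a list of security-group style rules, constructed here as sample data, and flags any rule that opens the RDP port (3389) to a source range wide enough to be "the entire world"; the rule format and the /8 threshold are assumptions.

```python
import ipaddress

RDP_PORT = 3389

# Constructed sample of cloud firewall / security-group rules (not real data).
# Each rule allows inbound traffic for a protocol, a port range and a source CIDR.
SAMPLE_RULES = [
    {"name": "rdp-from-office", "proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "203.0.113.0/24"},
    {"name": "rdp-any",         "proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "0.0.0.0/0"},
    {"name": "rdp-any-v6",      "proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "::/0"},
    {"name": "all-tcp-wide",    "proto": "tcp", "from_port": 0,    "to_port": 65535, "cidr": "0.0.0.0/1"},
    {"name": "https-any",       "proto": "tcp", "from_port": 443,  "to_port": 443,  "cidr": "0.0.0.0/0"},
    {"name": "rdp-lan",         "proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "10.0.0.0/8"},
    {"name": "udp-any",         "proto": "udp", "from_port": 3389, "to_port": 3389, "cidr": "0.0.0.0/0"},
]


def rule_covers_port(rule, port):
    """True if the rule's protocol and port range include the given TCP port."""
    return rule["proto"] in ("tcp", "any") and rule["from_port"] <= port <= rule["to_port"]


def source_is_unrestricted(cidr, max_prefix=8):
    """Treat a source range as unrestricted when it is wider than a /max_prefix.

    A /0 or /1 covers (half) the Internet; a /24 office range or a /8 private
    LAN is a real limitation. The /8 threshold is an assumed policy knob.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen < max_prefix


def find_exposed_rdp(rules, port=RDP_PORT):
    """Return the names of rules that expose `port` to an unrestricted source."""
    return [
        r["name"]
        for r in rules
        if rule_covers_port(r, port) and source_is_unrestricted(r["cidr"])
    ]


if __name__ == "__main__":
    for name in find_exposed_rdp(SAMPLE_RULES):
        print(f"WARNING: rule '{name}' exposes RDP without source IP limitation")
```

Rules that restrict the source to a known office range or a private LAN pass; anything opening 3389 from a /0 or /1 is reported.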
Networking in the cloud for SMBs is rather simple – usually it ends up being a small subnet with a handful of servers connected to a virtual switch, behind a virtual firewall, connected to a virtual router. One thing I would recommend – ensure your servers are not in any way accessible from any other subnet that doesn’t belong to you. This may come as a surprise, but there are hosting companies that do not properly enforce this elementary aspect of networking and lump many servers on one subnet even if they don’t belong to one customer!
UTM seems to have become a misused term; anyone who puts together something more than a firewall in the same box calls it a UTM.
So what are the key elements? Read on:
1) Firewall – of course you want this, but in light of the other features that you will want, packet filtering and a proxy will be very useful as well; so your firewall must be a hybrid.
2) IDS/IPS – this today is a must; you can’t have edge protection without a proper IPS, and it is ridiculous to buy a separate one after you have spent all the money for a UTM device. This feature should be fully integrated with the firewall, to achieve next-generation firewall protection, and should be INLINE with the firewall.
3) Email protection – this should be much more than just an AV product. It should include policy protection, to block unwanted attachments, whether hidden, compressed or otherwise; protection for the server, integrated with the firewall and IPS; and protection from vulnerabilities that affect the mail protocols and the servers.
4) Antivirus – protocols to be protected are, at a minimum: SMTP, POP3, IMAP, FTP, and HTTP.
a. AV is too generic a term; one single AV is no longer acceptable, as no one vendor can really keep up; best is to have more than one.
b. Real time AV – this is an emerging technology; we already have it. If you want any hope of blocking emerging threats, you need zero day protection, and that means a real time AV.
5) Antispam. Hackers use all kinds of ways to get in; you need to have protection against all of them. Antispam should have a proven record of at least 98% protection, and should not rely on old spam lists but on more modern techniques, such as SPF checks and many others. We still see too many systems that use old methods that cause way too many false positives and yield poor overall results.
6) Web access policy – a company must be able to control where its employees are allowed to go on the internet, and this in turn enhances protection as it prevents users from landing on dangerous websites.
7) VPNs – modern devices should support IPSEC for compatibility, but should also offer SSL as a full VPN, with roaming AND site-to-site solutions. PPTP is still there, as it is free and inexpensive, but not mandatory at this point.
8) Updates – the Internet moves too fast for updates to be PULLed from the devices. PUSH updates are now a must; Network Box has had this for 10 years.
9) Monitoring/management – this is important because expert configuration is 50% of the protection.
A true UTM device should be seamless - the final result is stronger than the sum of the parts. The antispam should be able to communicate with the IPS, so that a spammer attacking your device will be blocked before the email is even delivered. The antispam should also be able to use the categorization abilities of the web access policy to see if a URL in an email should be allowed or not. The IPS and the firewall should be fully integrated.
There are many other functions that a UTM device can do for you. For example, our device can host DNS records for the company. It can act as a DHCP server and NTP server. It supports VLANs (256 per interface), and it can automatically append a signature to any outbound email (mostly for legal statements). We support advanced routing, any type of packet mangling, and Quality of Service; we can set up a load balancer in the firewall; and we can support multiple Internet connections either in high availability or in weighted load balance.
Our devices can be set up in high availability or in load balance or in cluster. New functions that are emerging as required on the UTM this year are DLP and Vulnerability Scanning. These functions thus far have been done using separate devices; more and more companies are demanding to see them integrated with the gateway protection.
Lastly, it’s important that the technology offered for small offices is the same as that provided for the main office. For example, you want the same AV protection, nothing less - viruses don’t treat small offices any better than they treat your headquarters. With Network Box, you get the exact same protection whether your office has 1 person or 10,000!
Check out our Security Options Whitepaper