Horse Sense #58
In this issue:
Protection for Mobile Computing
Three of the most important
considerations in security are visibility,
vulnerability, and value. As computing power increases
and users become more mobile, it becomes much harder to
keep information confidential and safe from disaster.
The value of information on laptops and external PCs may
be very great. As an extreme example, consider the
theft of the Veterans Administration laptop with
millions of Social Security Identification Numbers on
it.
There are a lot of ways Iron Horse
can help you protect your mobile computing environment.
Secure remote access to centralized databases would be
one example. On your own laptop, you might want
biometric scanners or software that tracks your computer
if it is stolen. However, here are a couple of REALLY
simple ways to protect your laptop. Get a chain to lock
down your laptop or projector. Buy a distinctive bag
for your laptop or use something like reflective tape on
it so you can easily distinguish it from others. Put
your business card in the business card ID slot in the
bag and on your laptop, if it has one. Go to your local
library or police station and get an etching tool and
etch return information onto your mobile computing
equipment, especially on items that are easily lost like
USB keychain drives. For corporations and governments,
I also recommend branding your USB devices with your
logo and return information. This branding can be done
when you order the equipment, if you order enough of it
(typically 100 pieces or more). Laser etching can be
done in much smaller lots.
We Will Let You Try It for FREE
What you cannot measure you cannot
manage. For example, do you know what is happening with
your critical link out to the Internet? Good management
is hard to describe, but easy to see. If
you qualify, we have a program with Barracuda (more on this appliance later in this issue)
where you can run their appliances for 30 days, and if
you don't like them, you can send them back for a refund
on your credit card or account. We are that sure of
these appliances. If you are worried that you don't
have the time or expertise needed to install or manage
such a device, we can provide those services as well for
a fixed cost. Call and ask us how one client used his
Cymphonix box and found a problem that paid for it in one
day!
What is a Network Appliance?
Network appliances are hardware
bundled with custom software designed to perform a
specific task or tasks. Like toasters, network
appliances are designed to be reliable, easy to support,
and require little set up time or ongoing maintenance.
They usually replace existing customized solutions.
Microsoft would have you buy a fairly capable piece of
server hardware, then load and configure both Windows
Server and Exchange to have e-mail. You would have to
maintain each software and hardware piece separately.
One vendor isn't responsible for the whole solution.
Network appliance vendors bundle together operating
system and application server software like e-mail on
standardized hardware. By eliminating possible points
of failure and performing the integration tasks for you,
their initial and ongoing costs are lower than "roll
your own" solutions. Network appliances are often
specifically designed to be compatible with Windows
desktops, but can provide seamless connectivity to Macs
and UNIX boxes as well. You could replace a Windows
server without anyone knowing you had done so. Typical
examples of network appliances are multifunction
firewalls, anti-spam and antivirus e-mail filters, and
spyware and objectionable web content filters. Are
appliances a cure all? Do they work in all
environments? Can a toaster cook a roast? Of course,
the answer is no. But where they can fit in, the
benefits and savings can be enormous.
Is it Really That Simple?
No. Like any server, we still
recommend professional installation and maintenance.
These appliances are unfamiliar to most people and the
inner workings of e-mail servers, web servers, and other
Internet servers are unknown to many local area network
administrators. The key here is that appliance servers
require less professional maintenance, not no
professional maintenance. You could install your own
heating system in your house and maintain it, but
usually it's cheaper, easier, and safer to hire someone
who specializes in heating systems to do it. You just
want to stay warm and maybe make a few adjustments now
and then. Luckily, Iron Horse can set your appliance up
for you and show you how to manage it.
Network appliance hardware and
software are specifically designed to ensure high
reliability, but nothing is perfect. We recommend that
you buy an enhanced service plan. You should also let
Iron Horse help you maintain, install, and troubleshoot
your appliance via remote services, on site services,
and annual maintenance contracts. Iron Horse can even
provide for 24x7 customer support, monthly security
scans, hourly antivirus updates, software updates,
product trade in credits to protect against
obsolescence, and more, depending on the appliance. We
work with products like these all the time in many
different types of environments. Leverage our
knowledge.
Why do I Need an Appliance?
You don't have to use all of an
appliance's functions for it to be of value. Sometimes
people have something already in place that overlaps
with a feature on an appliance. In such cases, you will
often see that the other features justify getting the
appliance. In addition, you might later be able to
ditch your current solution and save even more money in
the future. Typically, appliances are sold because they
have one, two, or maybe three features that are
compelling. Usually the benefits of these features come
at a very low cost and any additional features are
"free." Most people use less than 10% of their word
processor's features. It isn't a bad value because of
that. If you ever need the other features, they are
there and it often won't cost you a cent.
Reasons to get a network appliance:
(1) One vendor means easier
support. Whether it is hardware or software, one vendor
is responsible.
(2) Tight integration of the
hardware and software means that it is easier to support
for both you and the manufacturer.
(3) You can typically get an
appliance on your network in a small fraction of the
time involved in setting up a server by yourself with
the necessary software running on it. Installation is
much less time consuming.
(4) Time demands on technical
support staff are low because appliances are made to
require little user intervention. Vendor support and
maintenance costs are predictable, fixed, and small.
Training costs are usually quite reasonable.
(5) Adding new features to your
network is quick and relatively easy. Vendors who have
software versions of appliances usually update the
appliance software first and often have functions
available that the software version does not.
(6) Because the functions are
limited in an appliance, security is enhanced.
Appliance vendors leave out software code and hardware
components not needed to run their device that might be
exploited by network crackers.
(7) Appliances are designed to be
more reliable than roll your own solutions. There is
less chance of a configuration error or other software
or hardware issue affecting an appliance.
(8) Maintenance and licensing costs
are much lower than solutions that require you to
license and install software on each desktop.
(9) Appliances are easy to manage.
Typically you can use a web interface from anywhere.
(10) Appliances are often less money
than the software and hardware they replace.
(11) The decreased administration
time will save a ton of money over the life of the
appliance versus a roll your own solution.
(12) Often an appliance has greater
capabilities and greater performance versus a roll your
own solution because they have been constructed to
perform specific tasks well.
(13) Moving some of your network
functions onto an appliance lowers your load on your
production servers and allows them to perform better.
For example, a spam and virus filtering appliance
removes unwanted messages before they hit your mail
server allowing it to perform better. Message stores
will be smaller as unwanted messages never make it to
the mail server or your desktop. Even if the filtering
server were to fail completely from a denial of service
attack, you would still have internal and outbound mail
through your production e-mail server.
What is Spam?
Spam consists of unsolicited
commercial e-mails (these are almost always of a
personal, not a business nature) and fraudulent e-mails
designed to steal information so that money can then be
stolen from that person. The bad guys have gotten
smarter. They make it harder and harder to block their
mail and it can look pretty legitimate. Attacks from
the Internet have shifted. They are no longer about
simple vandalism, but making money off the unprepared.
Aside from the dangers of being caught unaware by some
scheme, the cost of just deleting spam can add up. At 1
minute/user/day for a $35,000 per year employee, $106
per year will be spent just to delete spam. If the
value of the employee to the organization is higher or
the time spent cleaning up is longer, these individual
figures will be much higher. This is why a typical new
antispam solution can pay for itself in three months.
The return on grief is very high as well. The best
thing about hitting your head against the wall is when
you stop!
Barracuda Networks and the Case
for an Antispam Appliance
Anti-spam solutions can operate at
various levels. Desktop solutions sort mail as it comes
in. This is very inefficient as the mail must first be
downloaded. You may also still have to delete it and
manage it on your e-mail server. You can also filter
spam and viruses out by using an Internet service, but
they can be expensive, inflexible, and out of your local
control. You can filter messages at the message server
itself, but this puts an extra load on that server and
it must still handle all the messages. Finally, you can
add a filtering appliance, like the Barracuda Spam
Firewall, ahead of your e-mail server. It can strip out
spam and viruses before they reach your mail system
while giving you very granular control over your
communications. Protected e-mail servers will become
even more responsive.
Barracuda has the best selling
antispam appliance in the market for good reason. First
of all, it deals with spam and viruses in all possible
ways. It can block a message outright, quarantine the
message, forward it on somewhere else, place a tag on
the message, or just place it into your mailbox. It
uses a large number of methods to determine whether a
piece of mail is legitimate or not. Its quarantine
option keeps questionable mail out of your mailbox, but
still allows you the chance of recovering that mail on
the off chance it might be valid. Accuracy and the
ability to recover from a problem are a big deal when it
comes to a spam blocking appliance. Although you want
to keep people from burying your mailbox in spam, it is
even more important that critical mail is not lost.
Barracuda takes many steps in both hardware and software
to ensure that this doesn't happen.
Barracuda has different units
stratified by feature set, raw message handling
capability, reliability features, and, of course,
price. The units are web manageable and will handle
multiple domains and target e-mail servers. They
integrate well into various types of networks and
support proprietary e-mail servers like Microsoft
Exchange. There are many support options available from
both the manufacturer and Iron Horse (we are their
highest level Diamond Value Added Reseller). One key
differentiator is that Barracuda sells their boxes by
capability, not user count, so the boxes are easy to
license and deploy.
I call Barracuda Networks the
anti-company. They make anti-spam, anti-virus, anti-spyware,
and instant messaging control appliances. For more on
Barracuda, see: <http://www.barracudanetworks.com/>.
Better yet, call us! There are LOTS of security
solutions out there. We offer a lot of them, including a
number of services. Ask us what is right for you!
OK, Spam Blocking is a Good Idea, but How do I Justify this to the Boss?
(1) First, tell them the truth.
Start by telling them that security breaks stuff. You
need to manage expectations. There will be bumps and
settle-in time. Upper management must support the move.
(2) You will need professional help
in the integration and development of the new policies,
procedures, standards, notifications, management and
training that will be needed. Most project failures
occur not because of the technology, but because these
soft factors weren't appropriately addressed. If you
don't make optimal use of your resources, you will
realize less in savings than you would expect. And who
wants to save LESS money? Tuning is as important in
spam blocking and antivirus efforts as it is to an
instrument in an orchestra.
(3) E-mail spam and virus blocking
DOES NOT replace desktop antivirus programs which
protect against other threats as well. A car has
bumpers, crumple zones, seat belts, breakaway wheels,
air bags, and other methods of ensuring your safety.
You want multiple layers of defense in your network as
well.
(4) Unwanted mail won't go to zero.
ROG (Return on Grief) is very high, nonetheless. The
appliance cost is recouped in MONTHS for most
organizations. Productivity gains by end users are the
biggest benefit. You will have to pay for that with
increased complexity in your network, soft costs, and
some management attention.
(5) The strongest competitor to an
e-mail filter is the idea that you can make do with what
you have, but that is very shortsighted. Even a small
amount of time lost per user per day works out to an
enormous cost over a short period of time. The
strongest real competition is a roll your own solution
because "we can make it work with what we have or can
get for free." This is shortsighted due to cost of
labor, time taken to integrate, huge amount of later
maintenance, no outside source of support, lack of
scalability, etcetera.
(6) An antispam/antivirus appliance
won't impact production servers, except from a positive
standpoint. It lowers the cost of supporting those
servers, and gives higher reliability, performance, and
security. An appliance runs with little babysitting,
but professional support is readily available.