Horse Sense #58
In this issue:
Protection for Mobile Computing
Three of the most important considerations in security are visibility, vulnerability, and value. As computing power increases and users become more mobile, it becomes much harder to keep information confidential and safe from disaster. The value of information on laptops and external PCs may be very great. As an extreme example, consider the theft of the Veterans Administration laptop with millions of Social Security Identification Numbers on it.
There are a lot of ways Iron Horse can help you protect your mobile computing environment. Secure remote access to centralized databases would be one example. On your own laptop, you might want biometric scanners or software that tracks your computer if it is stolen. However, here are a couple of REALLY simple ways to protect your laptop. Get a chain to lock down your laptop or projector. Buy a distinctive bag for your laptop or use something like reflective tape on it so you can easily distinguish it from others. Put your business card in the business card ID slot in the bag and on your laptop, if it has one. Go to your local library or police station and get an etching tool and etch return information onto your mobile computing equipment, especially on items that are easily lost like USB keychain drives. For corporations and governments, I also recommend branding your USB devices with your logo and return information. This branding can be done when you order the equipment, if you order enough of it (typically 100 pieces or more). Laser etching can be done in much smaller lots.
We Will Let You Try It for FREE
What you cannot measure you cannot manage. For example, do you know what is happening with your critical link out to the Internet? Good management is hard to describe, but easy to see. If you qualify, we have a program with Barracuda (more on this appliance later in this issue) where you can run their appliances for 30 days, and if you don't like them, you can send them back for a refund on your credit card or account. We are that sure of these appliances. If you are worried that you don't have the time or expertise needed to install or manage such a device, we can provide those services as well for a fixed cost. Call and ask us how one client used his Cymphonix box and found a problem that paidfor it in one day!
What is a Network Appliance?
Network appliances are hardware bundled with custom software designed to perform a specific task or tasks. Like toasters, network appliances are designed to be reliable, easy to support, and require little set up time or ongoing maintenance. They usually replace existing customized solutions. Microsoft would have you buy a fairly capable piece of server hardware, then load and configure both Windows Server and Exchange to have e mail. You would have to maintain each software and hardware piece separately. One vendor isn't responsible for the whole solution. Network appliance vendors bundle together operating system and application server software like e mail on standardized hardware. By eliminating possible points of failure and performing the integration tasks for you, their initial and ongoing costs are lower than "roll your own" solutions. Network appliances are often specifically designed to be compatible with Windows desktops, but can provide seamless connectivity to Macs and UNIX boxes as well. You could replace a Windows server without anyone knowing you had done so. Typical examples of network appliances are multifunction firewalls, anti-spam and antivirus e mail filters, and spyware and objectionable web content filters. Are appliances a cure all? Do they work in all environments? Can a toaster cook a roast? Of course, the answer is no. But where they can fit in, the benefits and savings can be enormous.
Is it Really That Simple?
No. Like any server, we still recommend professional installation and maintenance. These appliances are unfamiliar to most people and the inner workings of e mail servers, web servers, and other Internet servers are unknown to many local area network administrators. The key here is that appliance servers require less professional maintenance, not no professional maintenance. You could install your own heating system in your house and maintain it, but usually it's cheaper, easier, and safer to hire someone who specializes in heating systems to do it. You just want to stay warm and maybe make a few adjustments now and then. Luckily, Iron Horse can set your appliance up for you and show you how to manage it.
Network appliance hardware and software are specifically designed to ensure high reliability, but nothing is perfect. We recommend that you buy an enhanced service plan. You should also let Iron Horse help you maintain, install, and troubleshoot your appliance via remote services, on site services, and annual maintenance contracts. Iron Horse can even provide for 24x7 customer support, monthly security scans, hourly antivirus updates, software updates, product trade in credits to protect against obsolescence, and more, depending on the appliance. We work with products like these all the time in many different types of environments. Leverage our knowledge.
Why do I Need an Appliance?
You don't have to use all of an appliance's functions for it to be of value. Sometimes people have something already in place that overlaps with a feature on an appliance. In such cases, you will often see that the other features justify getting the appliance. In addition, you might later be able to ditch your current solution and save even more money in the future. Typically, appliances are sold because they have one, two, or maybe three features that are compelling. Usually the benefits of these features come at a very low cost and any additional features are "free." Most people use less than 10% of their word processor's features. It isn't a bad value because of that. If you ever need the other features, they are there and it often won't cost you a cent.
Reasons to get a network appliance:
(1) One vendor means easier support. Whether it is hardware or software, one vendor is responsible.
(2) Tight integration of the hardware and software means that it is easier to support for both you and the manufacturer.
(3) You can typically get an appliance on your network in a small fraction of the time involved in setting up a server by yourself with the necessary software running on it. Installation is much less time consuming.
(4) Time demands on technical support staff are low because appliances are made to require little user intervention. Vendor support and maintenance costs are predictable, fixed, and small. Training costs are usually quite reasonable.
(5) Adding new features to your network is quick and relatively easy. Vendors who have software versions of appliances usually update the appliance software first and often have functions available that the software version does not.
(6) Because the functions are limited in an appliance, security is enhanced. Appliance vendors leave out software code and hardware components not needed to run their device that might be exploited by network crackers.
(7) Appliances are designed to be more reliable than roll your own solutions. There is less chance of a configuration error or other software or hardware issue affecting an appliance.
(8) Maintenance and licensing costs are much lower than solutions that require you to license and install software on each desktop.
(9) Appliances are easy to manage. Typically you can use a web interface from anywhere.
(10) Appliances are often less money than the software and hardware they replace.
(11) The decreased administration time will save a ton of money over the life of the appliance versus a roll your own solution.
(12) Often an appliance has greater capabilities and greater performance versus a roll your own solution because they have been constructed to perform specific tasks well.
(13) Moving some of your network functions onto an appliance lowers your load on your production servers and allows them to perform better. For example, a spam and virus filtering appliance removes unwanted messages before they hit your mail server allowing it to perform better. Message stores will be smaller as unwanted messages never make it to the mail server or your desktop. Even if the filtering server were to fail completely from a denial of service attack, you would still have internal and outbound mail through your production e mail server.
What is Spam?
Spam consists of unsolicited commercial e mails (these are almost always of a personal, not a business nature) and fraudulent e mails designed to steal information so that money can then be stolen from that person. The bad guys have gotten smarter. They make it harder and harder to block their mail and it can look pretty legitimate. Attacks from the Internet have shifted. They are no longer about simple vandalism, but making money off the unprepared. Aside from the dangers of being caught unaware by some scheme, the cost of just deleting spam can add up. At 1 minute/user/day for a $35,000 per year employee, $106 per year will be spent just to delete spam. If the value of the employee to the organization is higher or the time spent cleaning up is longer, these individual figures will be much higher. This is why a typical new antispam solution can pay for itself in three months. The return on grief is very high as well. The best thing about hitting your head against the wall is when you stop!
Barracuda Networks and the Case for an Antispam Appliance
Anti-spam solutions can operate at various levels. Desktop solutions sort mail as it comes in. This is very inefficient as the mail must first be downloaded. You may also still have to delete it and manage it on your e mail server. You can also filter spam and viruses out by using an Internet service, but they can be expensive, inflexible, and out of your local control. You can filter messages at the message server itself, but this puts an extra load on that server and it must still handle all the messages. Finally, you can add a filtering appliance, like the Barracuda Spam Firewall, ahead of your e mail server. It can strip out spam and viruses before they reach your mail system while giving you very granular control over your communications. Protected e mail servers will become even more responsive.
Barracuda has the best selling antispam appliance in the market for good reason. First of all, it deals with spam and viruses in all possible ways. It can block a message outright, quarantine the message, forward it on somewhere else, place a tag on the message, or just place it into your mailbox. It uses a large number of methods to determine whether a piece of mail is legitimate or not. Its quarantine option keeps questionable mail out of your mailbox, but still allows you the chance of recovering that mail on the off chance it might be valid. Accuracy and the ability to recover from a problem are a big deal when it comes to a spam blocking appliance. Although you want to keep people from burying your mailbox in spam, it is even more important that critical mail is not lost. Barracuda takes many steps in both hardware and software to ensure that this doesnt happen.
Barracuda has different units stratified by feature set, raw message handling capability, reliability features, and, of course, price. The units are web manageable and will handle multiple domains and target e mail servers. They integrate well into various types of networks and support proprietary e mail servers like Microsoft Exchange. There are many support options available from both the manufacturer and Iron Horse (we are their highest level Diamond Value Added Reseller). One key differentiator is that Barracuda sells their boxes by capability, not user count, so the boxes are easy to license and deploy.
I call Barracuda Networks the anti-company. They make anti-spam, anti-virus, anti-spyware, and instant messaging control appliances. For more on Barracuda, see: <http://www.barracudanetworks.com/>. Better yet, call us! There are LOTS of security solutions out there. We offer a lot of them, including a number of services. Ask us what is right for you!
OK, Spam Blocking is a Good Idea, but How do I Justify this to the Boss?
(1) First, tell them the truth. Start by telling them that security breaks stuff. You need to manage expectations. . There will be bumps and settle in time. Upper management must support the move.
(2) You will need professional help in the integration and development of the new policies, procedures, standards, notifications, management and training that will be needed. Most project failures occur not because of the technology, but because these soft factorswerent appropriately addressed. . If you don't make optimal use of your resources, you will realize less in savings than you would expect. And who wants to save LESS money? Tuning is as important in spam blocking and antivirus efforts as it is to an instrument in an orchestra.
(3) E mail spam and virus blocking DOES NOT replace desktop antivirus programs which protect against other threats as well. A car has bumpers, crumple zones, seat belts, breakaway wheels, air bags, and other methods of insuring your safety. You want multiple layers of defense in your network as well.
(4) Unwanted mail won't go to zero. ROG-Return on Grief is very high, nonetheless. The appliance cost is recouped in MONTHS for most organizations. Productivity gains by end users are the biggest benefit. You will have to pay for that with increased complexity in your network, soft costs, and some management attention.
(5) The strongest competitor to an e mail filter is the idea that you can make due with what you have, but that is very shortsighted. Even a small amount of time lost per user per day works out to an enormous cost over a short period of time. The strongest real competition is a roll your own solution because "we can make it work with what we have or can get for free." This is shortsighted due to cost of labor, time taken to integrate, huge amount of later maintenance, no outside source of support, lack of scalability, etcetera.
(6) An antispam/antivirus appliance won't impact production servers, except from a positive standpoint. It lowers the cost of supporting those servers, and gives higher reliability, performance, and security. An appliance runs with little babysitting, but professional support is readily available.