Archives for it konsult

Services I can help you with, e.g. IT security, backup restore, IT operations, project management, cloud services and Syspeace


I also take on assignments as a subcontractor for companies that want to start a collaboration.

This page contains a number of headings about some of the things I can help your company or association with.
It is a lot of things, and it is the result of 20 years of experience as an IT consultant.
I dare say that a large part of my competence is precisely my broad experience and my understanding of the whole in IT systems and business-critical applications, but also of business processes and leading staff.

Backup restore, Disaster Recovery, continuity plans and restart tests

Backup restore is an extremely important area that all companies and associations must think about. How long can you be without your data, and how old data can you go back to?

After working daily for 8 years as a Disaster Recovery technician and backup expert at SunGard Availability Services, I can be very helpful with most backup solutions available on Windows, NetWare, Solaris and Linux. I have unique competence in how to restore servers, functions and networks.

Among the backup solutions I have worked with, both for restart tests and in daily operations, are BackupExec, Symantec NetBackup, VytalVault, Tivoli TSM and BrightStor. I have probably seen most of the solutions on the market, at both small and large companies.

Routines, documentation and incident management

Without easy-to-understand but still detailed documentation and inventory, it can be difficult to manage the IT environment.
I can help create routines and documentation to ensure working operations and a working procedure in the event of a breakdown. This also includes having a good inventory of what the environment looked like, monitoring and related questions.

No one can plan for every conceivable interruption, but a good basic plan is a prerequisite for getting back into production as quickly as possible after a possible breakdown.
The question is simple: how long can you be without your IT, and how old may the data be when it is restored?

Cloud services

In recent years I have been very active with cloud services at Red Cloud IT, where as cloud architect I have built, operated and designed the rCloud Office solution, and have been head of technology and consulting.
I am also a co-owner of Red Cloud IT, but I will help you evaluate other cloud services as well and help you choose the one that suits your business.
There are many cloud services, and it is important to choose exactly the right one for your business.
I can also help you build your own cloud solution, evaluate others' or help you migrate your applications from older servers such as Windows Server 2003.

Verification, analysis and improvement of existing solutions and systems

I can help verify existing solutions, either by going through the solutions you have and proposing changes, or by doing complete restores of your systems to ensure functionality.
I am not tied to any company or product, which makes my analyses completely independent of other vendors.
I help you plan your restart tests and write restart plans (so-called DRP, Disaster Recovery Planning) so that they are in place when needed and you can minimise your downtime. I can also help you with practical restart tests and backup monitoring.

I can help with planning and project management for the installation and configuration of mail systems, SQL, networks, firewalls, VPN solutions, monitoring, DNS blacklisting, antivirus protection, business systems such as Epicor Scala, Visma and Pyramid, and CRM systems.
All installations of course include good documentation, and should the need arise I can help you operate the systems as second line.

IT operations, second and third line server technician

Since I have previously worked as a consultant in outsourcing, I am also knowledgeable in operations, installation and support for companies and associations.
I have also been part of the operations of, e.g., SunGard's online backup services, where I took part in design, installation and operations.
I can help with your support and helpdesk on the server side, or act as IT manager / CIO / IT operations manager or project manager.

Hire an IT manager or project manager

Sometimes companies and organisations need someone to act as IT manager, project manager or person responsible for IT, but the need to hire someone may not be that great. The regular person may be on holiday or parental leave, or the company is simply too small to employ someone.
The solution is to hire someone for a number of hours a week instead. Many things can be done remotely with modern solutions, so where you are located geographically may not be the most important thing.

Protecting the company's identity on the Internet and SEO?

I am happy to help you review how you appear on the Internet and give tips and advice on how to protect your brand and how, for example, you can use Google Analytics for relevant reports about visitors to your website and get better lead generation.
I help you set up simple tools to get alerts if something changes unexpectedly on your website, perhaps as a result of a hacker attack.
I am also happy to help you monitor this and come up with tips and suggestions on how you can be more visible on, e.g., Google, and, e.g., migrate your website in HTML / PHP to a more modern, responsive website for mobile devices.

IT security, analysis and intrusion management

Basic checks of network security, patch management, password policies, intrusion attempts, backup routines, etc.

Courses and workshops

I have held courses and workshops for external companies on Disaster Recovery and backups, and can also hold courses in, e.g., SEO (search engine optimisation) and web monitoring.

Juha Jurvanen – Consultant profile

A far from complete CV / consultant profile, since one would be unreasonably long after 20 years as an IT consultant, but it gives an idea of what I have worked with before.

Contact me for a meeting

Documentation, monitoring and routine descriptions for incidents

Monitoring, incident management and documentation of the IT environment


THE NETWORK AND COMMUNICATIONS?

What does the network look like with IP addresses and IP plans? Topology?
Switches and routers with VLANs and routing? Modem for failover?
Which connections exist in and out? What is critical, and is a redundant connection needed?
How do you set up automatic monitoring, inventory and alarm handling? Can documentation be automated?
Do manual routines need to be reviewed in the event of an IT outage?

THE SERVERS, THE NETWORK AND THE ENVIRONMENT?

Which operating systems are used, and which service packs and support packs? Which applications run, and how do we manage the licences?
Which services / processes must be running, and which can / should be shut down?
Is it easy to obtain everything needed for an inventory? How are the servers monitored?
What can be consolidated into virtual environments, e.g. VMware ESX/GSX server, or into cloud services?
Hardware vendors? Should data and servers be classified for a restore, and in what order must they be restored?
How do the different systems fit together, and are there relevant system descriptions?

THE WORKSTATIONS?

Which operating systems are used: Windows, Mac, Linux, iPad? Which applications run, and how do we keep track of the licences?
Who has control over the workstations and tools as the BYOD trend grows stronger?

GUIDELINES AND IT POLICIES

Which ones exist, and how are they followed? What has management decided? How are ITIL, change management and patch management such as WSUS or SCCM handled? How do you handle social media? How should the BYOD (Bring Your Own Device) trend be handled?

WHICH SERVICES AND APPLICATIONS ARE ACTUALLY RUNNING?

Could it make sense to set up automated systems for monitoring servers and networks?
Centralised application installation, or is it time to see whether some systems can be moved to the cloud?

HOW IS AN INCIDENT HANDLED?

Are there descriptions of how, e.g., an IT breakdown should be handled, or what to do in the event of a hacker attack? What are the consequences for the company?

Contact me here for a meeting

Contact JufCorp



Contact JufCorp AB for questions about backup / restore, Disaster Recovery, IT security, cloud services and questions about intrusion security.

Book a free meeting to see how I can help you, or order licences for Syspeace, F-Secure or Microsoft products.

If for some reason the form does not work, send me an email at juha.jurvanen@jufcorp.com or give me a call on 0709 666 997


Sometimes I amuse myself by posting this one, largely because I am interested in how Google indexes things and how SEO works, hence some repetition of, e.g., the CV.
To get good and sensible statistics for search engine optimisation you have to test your way forward, just like with everything else in IT really.

1. Understand how it works.
2. Plan.
3. Test.
4. Test again.
5. Verify.
6. Test 🙂

Consultant profile / CV: IT consultant in backup, IT security, IT operations and cloud services – Juha Jurvanen

Juha Jurvanen

Juha is a senior consultant with 16 years of experience in the IT industry. Juha has both breadth and depth in, e.g., backup, disaster recovery, server operations, IT security and cloud services.
Juha has extensive experience of operations and troubleshooting in large computing environments. Juha has specialist competence in the backup and restore area and in server operations, and is also the initiator of Syspeace as well as a cloud architect who has built one of Sweden's first cloud services.
Juha also writes about server issues in the blogs http://jufflan.wordpress.com and http://syspeace.wordpress.com

A very short selection of competences

Backup / restore – operations, investigations, design, tests, online backups
Server operations – second/third line, mainly Microsoft but also Linux, NetWare, Solaris
IT security – intrusion management, firewalls, authentication, antivirus, patch management and incident management, ITIL, continuity plans for IT
Cloud services – integration, design, operations, hybrid cloud
Application operations and troubleshooting, installation and migration of, e.g., Exchange, Lotus Domino, SharePoint, Active Directory, Visma, Pyramid, SQL Server
Monitoring of server networks and networks with, e.g., OP5, HP Insight Manager, SNMP, etc.
Helpdesk, first line and support for cloud services and Syspeace

Some assignments

Syspeace (http://www.syspeace.com)
Developing and creating a simple and working intrusion handler for Windows servers.

Operation of a NetBackup solution for approx. 2000 servers at a Swedish government agency

Operation of a Citrix / XenApp solution for a private healthcare company with approx. 600 employees.

Design and solution proposal for a DR solution for VMware using Legato for a large technology company

Advanced troubleshooting of incorrectly set up Active Directory trusts for a customer.

Assisted in the operation of an environment of 200 servers for a customer. Windows Server 2003, Windows Server 2008 / R2, Exchange, Citrix, VMware.

IT architect, project manager as well as head of consulting and technology for the cloud services at Red Cloud IT

Independent consultant assisting with the procurement of a backup system for a company in the mining industry
The assignment included reviewing bids and technical solutions.

Migration of Novell NetWare environments to Windows 2008 AD for various customers

Testing and implementation of a private cloud service for one of the AP Funds

Assignment to create a BCP (Business Continuity Plan) and DR plan (Disaster Recovery Plan) for one of the AP Funds.

Streamlining of the backup environment at a cash handling company

Streamlining and review of the backup environment within Public Service

Evaluation and implementation of a monitoring system at SunGard. In the end the choice fell on Op5, which is based on Nagios

IT architect and second line for SunGard's online backup service, VytalVault, based on i365's InfoStage

Assisted with a DR test of the server environment at one of our larger trade unions.

Assignment to plan and carry out a migration from Lotus Notes to Microsoft Exchange at a customer with approx. 50 users.

Technically responsible for the change of Internet provider for a customer with offices in 21 locations across the country. Second line and contact person for the offices and towards the provider.

Employment / Own business

JufCorp 2007 –
Red Cloud IT 2009-2011
SunGard 1998 – 2007
Enator 1996-1998

Feel free to contact me for assignments, either through the contact form or by clicking here


IE not displaying HTTPS sites – page cannot be found 404

Hi.

Not everything in my everyday life is about Syspeace, sometimes I also do consultancy stuff 🙂

Here's a weird thing about IE and certificate management that actually took me a while to figure out.

A customer of mine suddenly couldn't reach his webmail on his Lotus Domino server. They don't really use it very often, so he didn't really know when it stopped working.

After trying to reach the Lotus Domino webmail both from the internal LAN and from outside the firewall with IE... nope. Nothing happened.

We could see the "This is not a valid certificate" warning, but nothing happened when we clicked "Yes, we know we are cheapskates and it's a self-issued certificate"... ok, it doesn't actually say that, but you know what I mean. When trying to reach it from another IE installation, I just got "The page could not be reached", like a network error.

Tried the old tricks with adding it to Trusted sites, decreasing security levels and so on.

I tried from Windows 7, Windows Server 2008, 2008 R2 and Vista with IE7, IE8, IE9 and so on.

I tried it with Google Chrome and... everything worked fine... hmm... the plot thickens.

So, it's an Internet Explorer problem then (and also the built-in browser in at least the Samsung Galaxy SII), I reckoned. I checked all the settings, SSL, TLS and so on, and everything seemed fine. BTW, in the Galaxy SII there was a message about something with a bad POST header or something.

Then "it hit me... uhmm, like a two ton heavy thing" (yes, that was a Queensrÿche reference from the album Empire, for all you music lovers out there). What about the certificate on the Domino server? Didn't I read something about a security patch for Windows and certificates a while back?

Sure enough, after looking at the certificate (with Google Chrome: the upper left corner, click the certificate and check properties), the certificate was only a 512-bit encrypted one, which I think is the highest a Domino self-issued certificate can have.

So, here's the link to Microsoft about the issue, and a few tips further down on what to do:

http://technet.microsoft.com/en-us/security/advisory/2661254

Workaround / solutions.

If it's your own website: buy a valid, bona fide certificate that exceeds 1024-bit encryption. There's no need to buy anything less than 2048 though. Or stop using HTTPS (no, please don't. Once upon a time you wanted it to secure your communications; I'm sure there was a good reason for it, and surely nothing's changed?)

If it's not your own website, use Google Chrome or uninstall the Windows patch. I'd go for door number 1, use Google Chrome.

You could also fool around in the Windows registry according to this KB:

http://support.microsoft.com/kb/2661254
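As an added example (not from the original post), here is a Python check for the condition the post ran into: read the RSA modulus length out of a certificate's SubjectPublicKeyInfo and compare it with the 1024-bit minimum that the update in advisory 2661254 enforces. The DER encoder/decoder and the 512-bit and 2048-bit sample keys are constructed for the example; against a real server you would feed it the SubjectPublicKeyInfo extracted from the certificate.

```python
"""Check the RSA key length in a DER SubjectPublicKeyInfo against the minimum
that Windows enforces after the KB2661254 update (RSA keys below 1024 bits are
rejected). DER helpers and sample keys are constructed for this example."""

MIN_RSA_BITS = 1024
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 rsaEncryption


def der_length(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # a leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return der_tlv(0x02, body)


def build_rsa_spki(modulus, exponent=65537):
    """Build the SubjectPublicKeyInfo structure a certificate carries for an RSA key."""
    rsa_public_key = der_tlv(0x30, der_integer(modulus) + der_integer(exponent))
    algorithm = der_tlv(0x30, RSA_OID + b"\x05\x00")  # rsaEncryption with NULL params
    subject_public_key = der_tlv(0x03, b"\x00" + rsa_public_key)  # BIT STRING, 0 unused bits
    return der_tlv(0x30, algorithm + subject_public_key)


def read_tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Return the RSA modulus length in bits from a DER SubjectPublicKeyInfo."""
    tag, spki_body, _ = read_tlv(spki)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, algorithm, pos = read_tlv(spki_body)
    if tag != 0x30 or not algorithm.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = read_tlv(spki_body, pos)
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    tag, rsa_public_key, _ = read_tlv(bit_string, 1)  # skip the unused-bits byte
    tag, modulus, _ = read_tlv(rsa_public_key)
    if tag != 0x02:
        raise ValueError("RSAPublicKey modulus must be an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def blocked_by_kb2661254(spki):
    """True when Windows/IE will reject a certificate carrying this key."""
    return rsa_modulus_bits(spki) < MIN_RSA_BITS


# Constructed sample moduli: only the bit length matters for this check.
WEAK_512_SPKI = build_rsa_spki((1 << 511) | 1)
OK_2048_SPKI = build_rsa_spki((1 << 2047) | 1)

if __name__ == "__main__":
    for name, spki in (("512-bit self-issued key", WEAK_512_SPKI), ("2048-bit key", OK_2048_SPKI)):
        verdict = "blocked by IE after KB2661254" if blocked_by_kb2661254(spki) else "accepted"
        print(f"{name}: {rsa_modulus_bits(spki)} bits -> {verdict}")
```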

Cheers and happy weekend to everyone.

Juha Jurvanen

www.jufcorp.com

Securing server environments – part II – Networking

Juha Jurvanen's thoughts on server security
Second blog post about securing your server operations. Once again, it's not the gospel of all security issues, but I guess it's a start and a possible checklist to use.
Now, if we are more or less satisfied with the physical aspect of the data center, it's time to start thinking about the network design and firewalls.
Depending on your needs, say if you have various branch offices or if all your servers and users are in the same location, the network design will vary.
First of all, make sure you have a decent firewall. It doesn't have to be that expensive, and you can even use a free Linux distribution (such as Smoothwall) and set up a small server to act as the firewall. There are people out there stating that with IPv6 firewalls may become unnecessary, but I highly doubt that. I have no idea how they've come to that conclusion, so I'll just leave it at that. Firewalls will be around for a long time.
Just don't use an old workstation, because usually you can't set up RAID 5 functionality on the disk volumes, and you really want that because hard drives will eventually fail on that server too.
You could also have a firewall that's actually installed on a DVD / CD-ROM, thus removing the ability for any attacker who has gained control to modify the rules. The drawback is that if you want to reconfigure, you need to create a new DVD/CD each time to get the new rules in there.
You also want to have an extra power supply for redundancy, but that's about all you need to get a decent firewall up and running.
There are of course quite a few appliances out there with firewalls pre-installed, but that's what they basically are: a small server with some kind of software to allow / deny network traffic on specific ports.
The actual firewall rules aren't that complicated to set up and think through really. Nowadays the GUI in the firewall software is usually quite self-explanatory, and even if you use the more high-end firewalls such as Clavister or Firewall-1 and so on, it doesn't take that long to understand them.
You basically decide which hosts (servers) on the inside of the firewall should be reachable from the outside world, and on what ports. Usually on TCP, since UDP isn't really used for communications over the internet. The difference between the two (TCP versus UDP) is that a TCP connection is controlled and verified with an acknowledgment that it has reached the intended server, so that the server and the host/user trying to reach a service are actually communicating, while UDP is basically the host/workstation sending off a network packet and hoping for the best that it reaches its destination, without any response from the intended server.
Setting up the firewall rules should consist of a few things. Best practice is usually to have a DMZ (Demilitarized Zone) where you basically put the servers that should be reachable from the Internet (commonly this is mail servers, web servers, VPN (Virtual Private Network) servers and FTP (File Transfer Protocol) servers).
The rules are then set up so that the servers on the DMZ are only allowed to communicate with the servers behind the firewall on the specific ports decided by you.
Unfortunately, some servers do require quite a few ports to be opened from the DMZ, such as Microsoft Exchange Server, which needs to validate with the Domain Controllers and so on.
There's no law saying you actually must have a DMZ, but the idea behind it is that if one of the servers on the DMZ were hacked, the attacker wouldn't reach the other servers. I'm not that convinced really. Once a hacker gains access to any of your servers, I'm fairly convinced that you used the same passwords you use on the servers behind the firewall somewhere on that server, thus giving away the information on how to log in to the rest of the system. People are people.
You just need to try as hard as possible not to have your servers hacked. I'll get back to that topic further down the line in my little blog series.
So, regardless of whether you decide to use a DMZ or not, you still need backups of your servers, and sometimes placing servers on the DMZ can cause a bit of hassle on how to create good backups.
One case I remember was a large Swedish website that took backups of their system to a local hard drive on the server on the DMZ with a script.
Usually all kinds of scripts and backups need administrative rights, and if you are using scripts, most likely you'll put the administrator / root password in the script file.
This is what they did, and sure enough, someone found the script on the server from the Internet, and they could gain access to the server simply by using the passwords in the script.
If I recall correctly, the script file was even indexed by Google, so you should be a bit careful with what you allow Google and search engines to see on your servers. We'll get back to that also further down the line.
Needless to say, once they were hacked they thought things through a bit more.
I'd say that having a backup server behind the firewall and pulling the backup from the DMZ server with some kind of backup agent is a better solution than the DMZ server pushing data to a server behind the firewall.
Another solution is to look at some kind of online backup solution, thus sending the data outside your data center automatically, such as SunGard's Vytal Vault, The Online Backup Company or any of the online backup service providers really. Just take your pick.
Just make sure that you use a good encryption password and that the backup services don't require you to run them as a user. It's better to be able to start them with a local system service that can't be used for logins. If you have backup software that requires user credentials, create a specific user for it and name the user something not as obvious as, for instance, "backup". Just create a user such as John Smith, a regular Joe, and grant him only the necessary rights.
Have your servers on a backbone network by themselves and your workstations on another, thus giving the servers the network bandwidth they need to communicate with each other without being bothered by unnecessary broadcast traffic from your workstations.
Make sure all of the network cards in your servers are set to use maximum speed. Don't trust the auto-negotiation. Configure them specifically to use, for instance, 1 Gbit full duplex and to use large frames (15000 packet size; just make sure that both your servers and switches support this).
If you have the configuration ability, also consider network teaming, i.e. teaming two (or more) network cards. The idea is that you get higher performance, and should one of the network cards fail, the other ones would still be running and providing service to your users. An easy way to create redundancy.
Speaking of redundancy, you should also use a number of switches and, if possible, buy switches with two power supplies and the ability to create redundant networks. You might also want to configure your switch ports to use 1 Gbit full duplex with large frames, if supported, and to have the switches monitored with SNMP by a specific monitoring server.
Don't use "public" as an SNMP community; name it something else, and also be sure that SNMP traffic isn't broadcast all over the place. Have it sent to a dedicated monitoring service. SNMP is not a very secure protocol.
Always have at least one spare switch in your data center and, if possible, a spare, pre-configured firewall. The more expensive firewalls also have the ability to create failovers and such, but if you're looking to create a fairly cost-efficient networking environment, you probably won't have that in your arsenal.
When it comes to the firewall rules, a few tips that might be useful.
Decide, for instance, which server on the inside should be able to make DNS queries, and have all of your workstations use that server as their DNS server. The drawback is of course that should that DNS server fail for some reason, no one will be able to reach anything really. The upside is that you reduce the traffic through the firewall, gain better performance and far better control of the network traffic from your workstations, and get an easy and cheap way of blocking or redirecting traffic from your workstations to websites you don't want them to visit.
In a Windows environment you could also create a proxy setting and have all traffic flow through it, giving excellent control of all traffic. Have a look at this link on how to accomplish that:
http://www.tomshardware.co.uk/forum/194827-36-restrict-internet-access-group-policy
Some firewall administrators also block all kinds of outbound traffic to the outside world that isn't explicitly required. This can be an administrative nightmare, but in theory it would tighten your security by blocking, for instance, trojans trying to communicate. Nowadays, though, quite a few of the trojans do use standard ports, so I'm not sure one really gains that much with such a configuration. Of course some trojans would be blocked, so it can't hurt, but there is always the risk of more administrative work if something needs to be opened for a new piece of software.
Never allow firewall administration from the outside world, and you should even consider allowing firewall administration only from a specific workstation, or even just locally on the firewall.
Don't have your firewall answering PING traffic.
If your firewall has settings for blocking port scans, SYN flooding and so on, use them. They are there for a reason.
If you really want to think about network traffic and security, you might even consider setting up a network perimeter system such as SNORT.
It's not that difficult really, but it does require some skill and separate hardware, and the downside can be various performance issues.
Here's a link to a SNORT cheat sheet by Tim Kiery at Comparitech that I got as a tip by email the other day.
VPN is still widely used for letting your users connect to your internal resources, and from time to time they work great. Unfortunately, performance is often an issue, as is DNS handling and sometimes also licensing costs. Nowadays there are other kinds of solutions, such as SharePoint Server, RD Web and cloud solutions, that actually (yes, I know, basically I am a Windows guy).
If you still want VPN and want to keep your costs down, you could have a look at OpenVPN for instance. I've used it at a few customer sites and it works, and it's pretty fast really.
Wireless networks and access to networks should also be considered carefully.
  1. A few pointers: use WPA2 and do not use the EasySetup features that only require a simple PIN code. WEP and WPA are too easy to decrypt, and the EasySetup features are basically only 8 digits that an attacker needs to guess, and two of them are just check digits, so there's actually only a 6-digit code to crack. That's done in only a few hours.
  2. Hide the broadcast name. It can still be found, but what you can't see is more difficult to find, right?
  3. You should also separate the WiFi access from the rest of the network, and not have mobile phones on the same networks as servers and workstations.
  4. In 99.9 % of the cases where you allow WiFi access for your end users' mobile phones, it's to give them the ability to reach Internet services and not to reach anything on your corporate network. If it's for laptop access, have a separate WiFi network for them and one for mobile phones. It's not that expensive to set up, but it does give your laptop users all the bandwidth for work, not for Spotify.
  5. If you really want to restrict network access, most switches and wireless routers have the ability to set up MAC address filtering for access, but the downside is of course that it's an administrative nightmare if you have many devices and users. If you enable those features you'll have to keep track of each MAC address on your network, which can be time consuming. It does tighten your security, of course.
  6. For external guests you should also have a separate guest network that has no connection to your server networks or the workstation network. Remember, even if the salesperson or consultant seems reliable, you have absolutely no way of knowing if their computers have been infected with a virus or if they are up to no good.
  7. Don't have computers in the reception, such as guest access systems, connected to the corporate network. There is absolutely no need for external visitors to be able to browse your internal network.
  8. If you have any kind of guest access system, make sure it is in kiosk mode with no way to break out of the application shell that you've decided on for the guests. Plug all USB ports and any other types of input mechanisms.
  9. Don't have all of the network sockets patched in just out of laziness. If someone plugs in a laptop or computer that you haven't been informed about, they shouldn't be able to start surfing or browsing your network unless you say so. Of course, there are always ways around that, for instance just borrowing the ethernet cable from that other PC and so on, but it does make it a bit more difficult anyway.
  10. Always have good monitoring software running and checking your network for new devices. If you start seeing devices with MAC addresses like 00-00-00-BE-50-00-DE-AD... well, it's too late, you're toast. Personally I favor Spiceworks, but there are lots of monitoring software solutions out there. Take your pick. Basically, you need to have a clue of what's going on in your network and, even more so, you need to know why. You need to monitor bandwidth usage and also have monitoring points on your network, both from an internal point and from an external one.
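As an added example (not part of the post, nor code from any product it mentions), here is the "new device on the network" check from point 10 in Python: an ARP table dump in the format Windows `arp -a` prints is compared with a device inventory, and any host not in the inventory, or a known device answering from an address other than the one recorded for it, is reported. The inventory and the ARP lines are constructed sample data.

```python
"""Compare an ARP table dump against a device inventory and report unknown or
moved devices. The inventory and the ARP dump below are constructed samples."""
import re

# Constructed inventory: normalised MAC -> (device name, address it should have).
KNOWN_DEVICES = {
    "00:11:22:33:44:01": ("fw01 inside interface", "10.0.10.1"),
    "00:11:22:33:44:02": ("srv-dc01", "10.0.10.10"),
    "00:11:22:33:44:03": ("srv-backup01", "10.0.10.11"),
    "00:11:22:33:44:10": ("sw-core01 management", "10.0.10.21"),
}

# Constructed ARP table dump in the format 'arp -a' prints on Windows.
ARP_DUMP = """\
Interface: 10.0.10.5 --- 0xb
  Internet Address      Physical Address      Type
  10.0.10.1             00-11-22-33-44-01     dynamic
  10.0.10.10            00-11-22-33-44-02     dynamic
  10.0.10.11            00-11-22-33-44-03     dynamic
  10.0.10.20            00-11-22-33-44-10     dynamic
  10.0.10.77            de-ad-be-ef-00-01     dynamic
  10.0.10.255           ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One address line: IPv4 address, MAC in dash or colon form, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+(\w+)"
)


def normalise_mac(mac):
    """Accept 00-11-22-33-44-55 or 00:11:22:33:44:55; return lower-case colon form."""
    return mac.lower().replace("-", ":")


def is_unicast(mac):
    """Broadcast and multicast entries (I/G bit set in the first octet) are not hosts."""
    return int(mac[:2], 16) & 0x01 == 0


def parse_arp_table(text):
    """Return (ip, mac, type) for every address line in the dump; headers are skipped."""
    entries = []
    for line in text.splitlines():
        match = ARP_LINE.match(line)
        if match:
            entries.append((match.group(1), normalise_mac(match.group(2)), match.group(3)))
    return entries


def find_unknown_devices(arp_text, inventory):
    """Hosts answering ARP whose MAC is not in the inventory at all."""
    return [(ip, mac) for ip, mac, _ in parse_arp_table(arp_text)
            if is_unicast(mac) and mac not in inventory]


def find_moved_devices(arp_text, inventory):
    """Known MACs seen at a different address than the inventory records
    (a DHCP change, or someone reusing a known MAC on another box)."""
    moved = []
    for ip, mac, _ in parse_arp_table(arp_text):
        if mac in inventory and inventory[mac][1] != ip:
            moved.append((inventory[mac][0], inventory[mac][1], ip))
    return moved


if __name__ == "__main__":
    for ip, mac in find_unknown_devices(ARP_DUMP, KNOWN_DEVICES):
        print(f"UNKNOWN device {mac} at {ip} - not in inventory")
    for name, expected, seen in find_moved_devices(ARP_DUMP, KNOWN_DEVICES):
        print(f"{name}: expected at {expected}, now answering from {seen}")
```

In practice you would feed it the `arp -a` output of the monitoring host, or the MAC table pulled from the switches over SNMP, on a schedule and alert on a non-empty result.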
// Juha “Juffe” Jurvanen
Senior consultant in backup, IT security, server operations and cloud

By Juha Jurvanen @ JufCorp

Securing your server environment – part 1 – Physical environment


Juha Jurvanen’s thoughts on server security 
This blog post is intended only as a basic guide to security. It is not intended to be the gospel of security since, let’s be honest, there is no such thing as absolute security.
As an example, in Sweden there was a case where a computer was locked in a vault, with no network access whatsoever and only a few people having access to it, and still it leaked information to foreign countries. Absolute computer security is a myth. That said, system administrators can still do a lot to make it more difficult to access data and to prevent DDoS attacks on their systems.
Let’s start off with the physical aspects.
Where is your server actually located and who has physical access to it?
Once you gain physical access to a server, there are numerous ways of accessing the data. The root password, the Active Directory Domain Administrator password or the NDS Admin password can easily be reset by booting the server from a USB stick. Have a look at, for instance, Hiren’s Boot CD or Burglar for NDS, or just play around with Google and search for terms such as “Reset administrator password”, “decrypt password” and so on.
You’ll be amazed when you realize how easy it actually is. Personally, I almost always carry with me a USB stick that enables me to boot up any system and “have my way with it”.
So, we need to secure the server from outside access. The data center must be protected with card keys, cameras and access control. We need to know who is in the data center and why they are there in the first place.
For instance, a janitor or cleaning staff tend to have complete access because of what they do. Many companies hire outside help to get these kinds of jobs done.
If I wanted to gain access to a server, I would try to infiltrate one of those subcontractors to get a job as, let’s say, a janitor, try to gain access to the data center somehow, and from there I could basically do whatever I wanted with the servers.
Maybe my goal wouldn’t be to steal data but to kill the data operations by corrupting the filesystems on the servers, switching disks in RAID systems, just putting small holes in all the network cables to cause network errors, triggering an EMP in the data center and so on.
There would be numerous ways to disrupt the data operations once I gained access to the data center or server room.

If I’m out to steal data, I would probably not target the servers themselves but instead start looking for backup tapes or backup disks. Far too many companies keep their backups in the same location as the servers themselves, and since the backups usually are not encrypted, I’d go for stealing a complete backup set, go home, scan the tapes to figure out what backup software was used and then do a complete restore of it all.
The backups are most likely to contain the data I’m after, although probably up to 24 hours old, and from them I can gain access to all kinds of information about the operations, crack administrative passwords for the server systems and so on, in the comfort of my own data center, or my couch.

This approach would require some skill in Disaster Recovery scenarios and in getting data back from backups, but I’m fairly sure I’m not the only one in the world with expertise in those matters.
Backups are always a weak point from several aspects.
You need to know who has access to them, at all times.
If you are a company that, for instance, has your backups shipped to another location daily or weekly, you need to know that the people handling them haven’t been compromised. It wouldn’t take that long for anyone with the proper skills to clone your tapes or disks en route to their destination, and you would have no way of telling they’d been cloned. In that scenario, all of your critical data would be in the wild without you actually knowing it.
If you are using any kind of online backup service, remember to choose your encryption password wisely and be extremely restrictive with who has the password. A lot of backup software does not let you change the encryption password without doing the first backup all over again, thus doubling your usage of space and your costs.
Still, I highly recommend you use an encryption password, for several reasons.
If you don’t use one, it’s just pure laziness and fear of administrative hassle, and that’s just not an excuse. The possibility of people at your online backup provider being able to access your data is of course also an obvious risk. Do you know these people, and how could you be absolutely certain that they aren’t poking around in your data and maybe giving it to your competitors?
If you are thinking about online backups, there are a few very essential questions you should ask yourself, but we’ll get back to that later in another post.
Do not use the same encryption password as you have for Root / Administrator / Admin. That’s just crazy talk. Use a password generator to create a unique password. This is also very much valid for tape backups or backups on NAS / disk. Always encrypt your backups with a password and be very, very restrictive with who has the password.
If an employee quits your company or an outside consultant leaves his project and he / she has had knowledge of the password, change it.
If you’re doing a planned Disaster Recovery test, for instance, change the administrative passwords right after the DR test, thus not enabling anyone to reuse what they’ve found out during the test.
During the actual DR test, you should be there and be the one who actually types in the encryption password for the backups, not any outside technicians or consultants, not even the online backup service provider or your Disaster Recovery service provider. You, and you alone, should be the one who has those passwords.
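The backup encryption points above (a generated passphrase that is not the admin password, an owner-only file for whoever is allowed to hold it, and an archive that stays unreadable if a tape or upload is cloned en route) as an added shell example. This is not code from the original post nor from any backup product mentioned on this page; it assumes openssl, tar and cksum are installed, and the working directory and the two sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post. Encrypt a backup set with a
# unique generated passphrase, keep that passphrase in an owner-only file, and
# prove a restore works, so the archive can leave the building on tape or go to
# an online backup service without being readable to whoever handles it.
# Assumes openssl(1), tar(1) and cksum(1). All paths and files are constructed.
set -eu

WORK="${TMPDIR:-/tmp}/backup-enc-demo.$$"
mkdir -p "$WORK/data" "$WORK/restore"
chmod 700 "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample data standing in for the real backup set.
printf 'customer ledger, period 2012-01\n' > "$WORK/data/ledger.txt"
printf 'payroll export\n' > "$WORK/data/payroll.txt"

# 1. Generate the backup passphrase with a generator, never by hand, and never
#    reuse the root/Administrator password: 32 random bytes, base64-encoded.
gen_passphrase() {
    openssl rand -base64 32 | tr -d '\n'
}

# 2. Store it with owner-only permissions. This file is what you guard, and
#    what you rotate when someone who knew it leaves or after a DR test.
PASSFILE="$WORK/backup.pass"
umask 077
gen_passphrase > "$PASSFILE"

# 3. Pack and encrypt. -pbkdf2 -salt derives the AES-256 key from the
#    passphrase with a random salt and many iterations, so a stolen archive
#    cannot be opened without the passphrase.
encrypt_backup() {
    src="$1"; out="$2"; passfile="$3"
    tar -C "$src" -cf - . |
        openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$passfile" -out "$out"
}

# 4. Restore: decrypt with the passphrase file and unpack into a target tree.
restore_backup() {
    archive="$1"; dest="$2"; passfile="$3"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$passfile" -in "$archive" |
        tar -C "$dest" -xf -
}

# Round trip: encrypt, restore with the right passphrase, compare checksums.
# Prints "ok" when the restored files match the originals.
roundtrip() {
    encrypt_backup "$WORK/data" "$WORK/backup.tar.enc" "$PASSFILE"
    restore_backup "$WORK/backup.tar.enc" "$WORK/restore" "$PASSFILE"
    a=$(cat "$WORK/data/ledger.txt" "$WORK/data/payroll.txt" | cksum)
    b=$(cat "$WORK/restore/ledger.txt" "$WORK/restore/payroll.txt" | cksum)
    if [ "$a" = "$b" ]; then echo ok; else echo MISMATCH; fi
}

# The threat in the post is a cloned or stolen backup set: whoever has the
# archive but not the passphrase must get nothing usable. Prints "rejected"
# when a restore with a wrong passphrase yields no readable data.
wrong_passphrase_rejected() {
    [ -f "$WORK/backup.tar.enc" ] ||
        encrypt_backup "$WORK/data" "$WORK/backup.tar.enc" "$PASSFILE"
    printf 'not-the-backup-passphrase\n' > "$WORK/wrong.pass"
    mkdir -p "$WORK/restore-wrong"
    if restore_backup "$WORK/backup.tar.enc" "$WORK/restore-wrong" "$WORK/wrong.pass" 2>/dev/null &&
       [ -f "$WORK/restore-wrong/ledger.txt" ] &&
       [ "$(cksum < "$WORK/data/ledger.txt")" = "$(cksum < "$WORK/restore-wrong/ledger.txt")" ]; then
        echo accepted
    else
        echo rejected
    fi
}

roundtrip                   # ok
wrong_passphrase_rejected   # rejected
```

The passphrase file is the only secret: back it up separately from the tapes, hand it over in person at a DR test, and regenerate it (and re-encrypt the next full backup) when anyone who knew it leaves.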
I will return to backup questions and DR plans further down the line in an upcoming blog post.
So, the conclusion is: always know who is in proximity of your servers and why, and NEVER let anyone be there alone without supervision. Here are a few more pointers.
  1. Always have your data center locked and secured from unauthorized access. If you have the means, also have it secured against an EMP attack from the outside. Of course, I haven’t even touched on the subject, but be sure your data center has all the necessary fire prevention/extinguishing equipment in place, UPS backups and, if possible, also an external source of power (a generator) in case the UPS or battery runs out. There should also be a system in place for protecting your servers against power spikes. Be sure to know where the water pipes run in the building so you don’t place your servers directly underneath one. Don’t keep cardboard or any other kind of flammable material in the data center. Be sure to take it with you when you’ve set up a new server or switched disks. Don’t be lazy. The cost of laziness can be extreme.
  2. In the data center, always have your servers locked in cabinets that require keys and access cards to gain physical access to keyboards and the like. Also remember to protect the cabling and the back of the servers! Never leave a server logged on at the console. Be sure to have all cabling to and from the firewall and the internet connection secured.
  3. If you’re “expecting company”, i.e. external consultants and so on, be sure to think about NOT having network maps, administrative passwords and other kinds of information in plain sight for anyone to see. I’ve seen it hundreds of times: the IT department with their entire IT operations and information about their systems on whiteboards or printed on documents next to their workstations.
  4. Sure, it makes their lives easier, but as one might gather, it also makes the life of the attacker easier. Knowledge is a powerful weapon, especially when it comes to data protection.
  5. Don’t have software lying around in the data center with software keys and the like on it. All it takes is a mobile phone for someone to copy your license keys, possibly putting you in the awkward situation of having to explain to Microsoft, for instance, how come your Volume License keys are a bit too easy to find on Piratebay, thus putting you at risk of your licenses becoming invalid and bringing your server operations to a halt, or at least a short disruption.
  6. Know where your backups are, at all times. Have them encrypted. If using online backup services, be sure to use an encryption key and, if possible, have restrictions on the online backup service provider’s end on where backups and restores are allowed to and from.
  7. Do not allow mobile phones in the data center, due to the risk of people photographing your equipment or software license keys or using the phones to copy data via USB cables and the like.
  8. If you are sharing a data center with others, there is no need for you to have your company logo or anything else revealing that the servers are yours. Keep it as anonymous as possible. There is also no need for you to tell anyone where your servers are physically located (although it can be fairly easy for anyone to find out using traceroute commands and so on).
  9. Be sure to have a Disaster Recovery Plan (DRP) / Business Continuity Plan (BCP) in case your site is compromised or an accident occurs. Also in this case, treat the secondary DR location’s data as mission critical.
  10. Once again, do not underestimate the power of social engineering. Although it’s not hacking in the usual sense, it’s merely acting, it can still be as harmful as I’m trying to point out here.
So, those are a few tips anyway, and that’s just the start really. It’s not a complete recipe for securing your physical environment and I’m sure I’ve missed loads of stuff, but it’s a start anyway.
I hope you liked this post and I’d love to hear your thoughts on it, and whether you want me to write a few others on securing your server operations. I was thinking along the lines of brute force protection, change management, 0-day attacks, certificate management, password policies, protecting web servers and so on. You get the picture :-)
// Juha “Juffe” Jurvanen
Senior consultant in backup, IT security, server operations and cloud

One of Sweden’s most experienced consultants in backup?

Are you looking for one of Sweden’s most experienced IT consultants in backup, disaster recovery, IT operations, security and cloud services?

Visit JufCorp and see what you can get help with.

CONSULTANT PRESENTATION

Juha Jurvanen

Title: Senior IT consultant in backup, operations, security and cloud

Training:
Citrix Administration
Network architect/technician
Cisco router installation & administration
Solaris Administration 1 & 2
Microsoft SMS Server
Novell System Administrator
Ethical hacking and security
EVault InfoStage
Advanced TCP/IP Networking

Work experience:
IT consultant, PC LAN/WAN, Enator, 1996-02-01 – 1998-12-01
DR specialist and online backup operations, SunGard, 1998-12-01 – 2007-11-01
Independent consultant, JufCorp, 2008-04-15 –
Technical manager, consulting manager, IT architect, operations manager and co-owner, Red Cloud IT, 2010-01-01 –
Initiator and originator of the idea behind Syspeace

Systems

Operating systems:

Microsoft Windows 3.11
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8 (Beta)
Linux (Red Hat, Ubuntu etc.)
BeOS
OpenSolaris
Microsoft Office 4.3
Microsoft Office 95
Microsoft Office 98
Microsoft Office 2000
Microsoft Office 2003
Microsoft Office 2007
Microsoft Office 2010
Visma’s software suite
Lotus Notes
All FTP

Servers and systems:

Microsoft Windows NT 3.51
Microsoft Windows NT 4 Server
Microsoft Windows 2003 Server
Microsoft Windows 2008 Server
Microsoft Windows 2008 R2 Server
Citrix WinFrame / MetaFrame
Microsoft Active Directory
Novell NetWare 3.x – 6.5
Novell NDS
VMware 3-5
XEN Server
AS400
Sun Solaris 7.x –
HP-UX, AIX 4.x –
Linux (various)
Microsoft SMS Server
Lotus Notes Domino Server
Microsoft Exchange Server
EVault InfoStage
Legato NetWorker
Symantec BackupExec
IBM Tivoli
CA ArcServe/BrightStor
Microsoft SharePoint
Microsoft WSUS
Microsoft ISA/TNG
Microsoft Exchange 5.5/2000/2003/2007/2010
Novell NAL
Novell GroupWise
Novell NetWare 3.5-6.5
Novell BorderManager
Various antivirus solutions (F-Secure, McAfee, Trend, Symantec, Panda, for example)
Application distribution solutions (NAL, SMS, AD MSI, for example)

Protocols: TCP/IP, IPX/SPX, IGRP / EIGRP, Ethernet / Token Ring, LAN / WAN, WINS / DNS

Networking:
Modem installation and configuration
LAN / WAN planning, installation, administration, troubleshooting
ISDN modem installation and configuration
Hub installation and configuration
Switch (3COM, HP, Cisco) installation and configuration
ADSL modem installation and configuration
TCP/IP planning
Firewall setup (WatchGuard, Clavister, SmoothWall etc.)
Monitoring, inventory
Wireless network installation and configuration
Firewall installation and configuration
Installation, administration
Planning, implementing and documenting technical restart plans and descriptions (Disaster recovery planning)
GPO administration & installation
Advanced troubleshooting of systems and functions in LAN / WAN or server environments
Design of simple or advanced backup solutions

Summary: Juha has worked longest as a backup / restore expert at SunGard across many different server platforms, and later in his own independent company (JufCorp).

Over the years he has also worked with broader services in IT support, network engineering, administration and more. He has held roles as project lead, acted as security specialist, LAN / WAN technician, system tester and designer of large and small IT environments. Juha has also done a lot of operations work in, for example, the travel industry, the IT industry, the financial sector and the state/municipal sector. He has worked very broadly with many different systems and functions over the years and, thanks to that, has a good and deep understanding of IT as a whole and of integration issues. Among the environments Juha has been the architect behind are Red Cloud IT’s cloud service, rCloud, and SunGard’s online backup service, VytalVault; he has also been involved in the design of, for example, large LAN/WAN solutions and has assisted with procurements and evaluations of both small and large solutions. Virtual environments have been a natural part of the work, both as an independent consultant, where he was involved in the operation and implementation of, among others, ALMI Företagspartner’s 6-node VMware cluster, and through extensive use of VMware in, for example, restore tests and ordinary server operations. At Red Cloud IT, Juha has been the architect behind Red Cloud IT’s cloud service, rCloud. He has also acted as technician, helpdesk and second line. Juha is chairman of the board and has previously held the role of technical manager and CTO, managing several consultants.

About Juha: In his spare time Juha spends time with his partner and their 4 cats, and likes going to concerts or the cinema, as music and film are big interests. As a person he is calm, positive, pleasant and very goal-oriented, and always professional in his dealings with customers or customers’ external contacts.

 

Senior IT consultant in backup, server operations, security and cloud services seeking assignments

Senior IT consultant seeking assignments and partnerships for JufCorp

Specialist in backup, disaster recovery, IT operations and cloud services