Mobile broadband.

August 22, 2009

Mobile broadband is the mobile phone networks’ current favourite product.  For them it’s incremental revenue with little or no infrastructure revenue. 

We’ve recently started looking at mobile broadband for business use, but it’s worth starting with a summary of why we’re so late to the party:

  • our network support team doesn’t get many calls about it
  • mobile broadband speeds are highly variable, and generally far less than the advertised top speed
  • mobile broadband support is usually installed directly from the “usb modem”, and there is a risk of it tussling with existing network support for, especially, wifi networks
  • for light use, business mobile phones can often also be used for mobile broadband (though there may be terms of use restrictions which formally prohibit this)

The obvious business uses for mobile broadband are:

  • Email, particularly if you want to work with email attachments while out and about
  • Web, though arguably the current generation of smartphones are easier and quicker to use in most instances
  • Remote access to business systems

We plan to write about email later.  The gist though is that it is simple, but there are some security risks to consider.

Remote access to business systems needs to be secure, and this is generally achieved through a “vpn”. 

The details don’t really matter, but we tested with:

  • Orange mobile broadband
  • Huawei E160E usb modem
  • Cisco software vpn
  • security implemented so that the user has to provide their network username and password in order to gain access
  • Microsoft Terminal Server client

The mobile broadband connected using a 3G service.  This is the middle of the three types of service (GPRS/EDGE, 3G, HSDPA) that are available.  The test was done on a Saturday, with one eye on England stepping on the Aussies. 

Perhaps as a reward for working Saturday the speed of the connection was roughly twice that during the working week.  Still nothing to cheer about though, at about 10% of the advertised maximum speed.

Connection was easy and quick, no different from connecting by landline broadband.  The good news is that the speed was ok, not great, but certainly good enough for emergency or light use. 

Although the connection was ok, if you plan regular or heavy use, then our experience suggests that you need to consider providing a web interface to your business systems.  Which is a whole other story.

There doesn’t seem to be much web based comment on mobile broadband for business use.  Colin DiPonio works in university IT and found that vpns were similarly easy to get working.  His experience is with Linux rather than Windows computers though.  It has to be said that this is an occasion where I’d happily trade the openness of Linux support (provided via NetworkManager and ConnMan) for the Windows experience of software being thrown willy nilly at our carefully maintained computers by the usb modems.

Barebones leaving process.

July 18, 2009

While most businesses have a collection of processes covering their IT infrastructure, one area that is often neglected is when staff leave. It's highly likely that most companies will have user accounts still active for staff that left some time ago. This not only leads to administrative problems but can also be a security risk.

The most obvious course of action when a staff member leaves is to simply delete their account. While this is a quick process, and immediately gets around the security issues, it can often cause other problems. There are a number of things which should be considered when putting together a leaving process:

  • Is the user’s email data going to be needed going forward? Experience from our IT helpdesk tells us that you can guarantee that just after the account is deleted, a manager will ask you to check for something!
  • Does email still need to be received at the user’s address?
  • Is the user’s profile stored on a server and does it need to be kept?
  • Does the user’s profile or data need to be accessible on their old PC?

Bearing these points in mind, the following is a recommended process for when staff leave:-

  1. Log in to their account and export their email to a PST file. Copy this PST to a leavers’ area on a data drive, along with any other PSTs they may have. If other staff need access to their email, they can be given a copy of this PST.
  2. If they have a server based profile, move their profile to the leavers’ area and delete their local copy on their PC (this avoids whoever uses their PC afterwards potentially having access to data they shouldn’t).
  3. If they just have a local profile, copy this to the leavers’ area and then delete it from their PC.
  4. If they have a personal network drive, copy this to the leavers’ area and then delete.
  5. Amend their primary SMTP email address to be something generic (such as adding a zz at the start). Their previous address can then be assigned to another user if mail still needs to be received.
  6. Disable their Active Directory account, which also disables their mailbox and hides them from the GAL.
  7. After a period of time, such as 30 days, their account should be deleted (this covers them possibly changing their mind and coming back!).
  8. Periodically, the leavers’ area on the server can be archived to tape or DVD to recover disk space.

This process will ensure that leavers’ accounts are dealt with correctly but their user data is still available should it be required.
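A periodic check against steps 5 to 7 catches leavers whose accounts slipped through. The following is an added example, not part of the original post; the record layout, field names and sample accounts are constructed for illustration and would in practice come from a directory export.

```python
from datetime import date

GRACE_DAYS = 30        # step 7: delete "after a period of time, such as 30 days"
RENAME_PREFIX = "zz"   # step 5: "such as adding a zz at the start"
AUDIT_DATE = date(2009, 7, 18)  # constructed "today" for the sample run

# Constructed sample export (hypothetical field names), one row per leaver.
LEAVERS = [
    {"user": "asmith", "enabled": True,  "left": date(2009, 5, 1),  "smtp": "asmith@example.com"},
    {"user": "bjones", "enabled": False, "left": date(2009, 5, 20), "smtp": "zzbjones@example.com"},
    {"user": "cpatel", "enabled": False, "left": date(2009, 7, 10), "smtp": "cpatel@example.com"},
    {"user": "dlee",   "enabled": False, "left": date(2009, 7, 12), "smtp": "zzdlee@example.com"},
]

def audit_leaver(rec, today):
    """Return the outstanding leaving-process actions for one account."""
    findings = []
    if rec["left"] > today:
        return findings                          # has not left yet
    if rec["enabled"]:
        findings.append("STILL_ENABLED")         # step 6 not done
    if not rec["smtp"].lower().startswith(RENAME_PREFIX):
        findings.append("ADDRESS_NOT_RENAMED")   # step 5 not done
    if not rec["enabled"] and (today - rec["left"]).days >= GRACE_DAYS:
        findings.append("DUE_FOR_DELETION")      # step 7 is now due
    return findings

def audit(records, today):
    """Map each account with outstanding actions to its list of findings."""
    report = {}
    for rec in records:
        findings = audit_leaver(rec, today)
        if findings:
            report[rec["user"]] = findings
    return report

if __name__ == "__main__":
    for user, findings in audit(LEAVERS, AUDIT_DATE).items():
        print(f"{user}: {', '.join(findings)}")
```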

Online backup, paradise or perdition.

June 11, 2009

Online backup has become very popular over the last two or three years, with a large number of companies now offering a whole range of services.  This growth has been driven primarily by the increase in low cost, high speed internet access provided by DSL services.  While there are obvious benefits to using an online backup service, there are also a number of considerations that should be taken into account when planning which service to use and how to use it.

Some of the benefits of online backup services are quite obvious, whereas others are less so.  By giving your data to someone else to back up you are saving both the time and money of running your own backup infrastructure.  Additionally, many online backup services allow for continual backup during the day so rather than just being able to restore a file (or email - many services offer Exchange and SQL backup) from last night's backup, you can go back to 30 minutes or an hour ago.  They also normally keep multiple versions of backed up files so you can choose which to restore.  Lastly, the restoration process is usually very simple via either a web browser or a Windows Explorer like interface to the backup application.

However, there are a number of potential drawbacks which must also be considered when looking at these services.  The main point is that these services are generally geared to backing up your data, not your infrastructure.  This makes them great for recovering that accidentally deleted file or email, but not much use when your Small Business Server crashes and you need to do a full restore.  While some companies do offer full server backup, would you really want to try and restore 50GB, 100GB or maybe even 500GB over your 8Mbps ADSL internet connection?

The costs of backup services can also vary widely, and it's often quite difficult to estimate how much backup space will be needed.  Every company's data storage requirements increase over time and this will clearly lead to an increase in backup costs.  Additionally, once you start to back up files that change on a regular basis, such as your Exchange or SQL databases, the amount of online backup space used can grow quickly, along with the costs.

There are also Data Protection issues to be considered.  Does the online backup company you are using comply with the UK Data Protection legislation?  If you are backing up customer data or information offsite, are YOU complying with UK Data Protection legislation?  These areas will need to be clarified before using an online backup service to avoid potential problems.

Lastly, there are a very large number of companies now offering online backup services that didn't exist two years ago.  Online backup is still a relatively new technology and it's highly likely that a number of these companies won't be around two years from now, especially considering the current economic climate.  If you're backing up your data online, you need to have the assurance that the service is still going to be available when you need to do a restore.  Some of the existing, established backup companies such as EMC and Symantec now offer online backup services.  Unfortunately, the Symantec Protection Network is currently only available in the USA and Canada and while EMC's Mozy is available in the UK, it still appears to be geared towards the US market.

Online backup certainly has a lot of benefits and, when used correctly, can be a very cost effective solution.  However, it clearly shouldn't be seen as a replacement for traditional onsite backup solutions, based on tape or disk, but instead be used to complement these solutions and provide an additional layer of protection for your business.

Password blues.

June 10, 2009

For the average computer user, password management often involves either their pet’s name or a selection of Post-It notes on their monitor.  While for some this may be the only way to remember their passwords, there are a number of guidelines that can be followed to ensure users create strong, secure passwords that are also easy to remember without having to write them down.

It’s a popularly held belief that the best passwords are those made up of random strings of upper and lower case letters, numbers, and other symbols.  While these are indeed the most difficult to crack via a brute force attack and tend to be impervious to dictionary attacks, they are also the most difficult to remember and therefore the most likely to be written down.  The most complex password becomes useless when it’s easily accessible by other people.

The complexity of a password increases exponentially as the password’s length increases.  There are over 10,000 times more password combinations for a 15 character password using just lower case letters than there are for an 8 character password using upper and lower case letters, numbers, and all the symbols easily accessible on a normal keyboard.  Therefore, you don’t need to use every character available just to get a complex password.

Many people also don’t realise that Windows passwords can be up to 127 characters long and can also contain a space.  This makes it very easy to construct a complex password, which is in essence a pass phrase, which is easy to remember.  A good way to start is to take a simple phrase, such as “summer is here”, and apply some standard rules to it.  For example, you could capitalise the second letter of each word, rather than the first, to make it more difficult to guess.  You could then add a specific symbol at the end of the password.  Lastly, you could substitute specific letters for symbols or numbers (such as “@” for “a” and “5” for “s”).  This makes the password “5Ummer i5 hEre!” which is very complex and well protected from common password attacks.  If you keep the same set of standard rules, it’s also easy to remember.  Additionally, if you need to write anything down, you can write down the rules rather than the password itself which is a much lower risk.

When you need to change your password, you simply need to select a new phrase and apply the same rules – “now its autumn” would then become “nOw iT5 @Utumn!”, another complex yet easy to remember password.
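The length comparison and the three pass phrase rules above, worked through as an added example that is not part of the original post. It assumes a 94-symbol "full keyboard" set (letters, digits and ASCII punctuation) and counts exhaustive search over characters only; the function names are illustrative.

```python
import math
import string

LOWER = len(string.ascii_lowercase)   # 26 lower case letters
FULL = len(string.ascii_letters + string.digits + string.punctuation)  # 94 symbols

def keyspace(alphabet_size, length):
    """Number of candidate passwords for an exhaustive character search."""
    return alphabet_size ** length

def bits(alphabet_size, length):
    """The same search space expressed in bits."""
    return length * math.log2(alphabet_size)

def long_lower_vs_short_full():
    """How many times larger 15 lower case characters is than 8 'full' ones."""
    return keyspace(LOWER, 15) // keyspace(FULL, 8)

def apply_rules(phrase, suffix="!"):
    """Apply the post's rules: capitalise the second letter of each word,
    swap a -> @ and s -> 5 (either case), then append a fixed symbol."""
    words = []
    for word in phrase.split(" "):
        if len(word) > 1:
            word = word[0] + word[1].upper() + word[2:]
        words.append(word)
    swaps = {"a": "@", "s": "5"}
    swapped = "".join(swaps.get(ch.lower(), ch) for ch in " ".join(words))
    return swapped + suffix

if __name__ == "__main__":
    print(f"15 lower case: {bits(LOWER, 15):.1f} bits")
    print(f"8 full set:    {bits(FULL, 8):.1f} bits")
    print(f"ratio:         {long_lower_vs_short_full():,} times larger")
    for phrase in ("summer is here", "now its autumn"):
        print(f"{phrase!r} -> {apply_rules(phrase)!r}")
```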

One last point – there is always going to be a need at some point to write down a password.  Some passwords, such as the Windows Directory Services Restore Mode password, are designed to never be used except in an emergency.  These are therefore going to need to be recorded somewhere to ensure access when needed.  Writing these passwords down is not in itself a security risk – it’s what you do after they are written down that can cause the problem.  Locking the password in a safe with controlled access should present very little risk at all, and as the use of these passwords is very limited, it shouldn’t be a problem if accessing them takes time.