A recent Microsoft patch MS10-015, which requires a reboot to complete the install, is reported to be causing a number of Microsoft servers and workstations to fail to reboot at all; the reboot ends with the infamous “Blue Screen of Death” and renders the system unusable.

Putting aside for a moment that this patch fixes a security hole Microsoft has known about for seventeen years, we think this incident highlights the need for a multi-layered approach to security in the first instance.

Microsoft is claiming that a number of systems experiencing the Blue Screen of Death are doing so because the systems were already compromised. So, right away, that tells you that even applying patches quickly isn’t enough to keep systems safe.

Further, the risk with applying patches immediately when they are released is that you will bork your system. It doesn’t happen often, but when you consider how expensive downtime really is, even once every few years is very expensive. (As I write this post, I see that Microsoft has pulled the patch to avoid borking additional systems.)

Solid network perimeter protection has been a staple of our best practices for years. Smaller clients sometimes balk initially at spending hundreds of dollars for an enterprise-grade firewall, but these devices represent cheap insurance at worst and in many cases generate a positive return on investment.

End-user education and “safe-browsing” policies are also required to avoid security breaches. Malware these days (as we have blogged previously) is increasingly sophisticated and insidious. Firewalls and anti-virus/malware software will always be a few steps behind.

So, when you have good perimeter protection and careful, educated end-users, you have the luxury of time in which to evaluate new patches as they are issued. The benefits are you stay safer all the time, and reduce the risk of borking your production systems.

If you need help with your company’s patch management and security posture, please give us a call at (207) 772-5678.

Hope that helps,
Mark
CIO

We don’t play favorites here at Reliable Networks, and we think Exchange 2007 and Exchange 2010 are very good products, much improved over Exchange 2003 and earlier versions. We support Exchange at our clients as well as Zimbra; which platform they choose is based on each client’s unique needs.

VMware is now headed by Paul Maritz, who many pundits feel left Microsoft in a “three’s a crowd” situation nearly a decade ago.

Zimbra has been taking away some very big Exchange accounts from Microsoft since being acquired by Yahoo, and we expect that trend will accelerate with Zimbra now under the VMware umbrella.

So the good news for clients is that, when it comes time to upgrade your old Microsoft Exchange installation, you now have more interesting options than you did yesterday.

And watching the action as VMware and Microsoft compete on this new front, at least to techo-heads like us, is more entertaining than a new season of American Idol!

If you have questions about your email/collaboration choices, give us a call at (207) 772-5678. Zimbra isn’t for everyone, but neither is Exchange. We’ll help you make the choice that’s right for your company.

All the best,
Mark
CIO

The anti-virus software companies have raised the bar by bundling more protections into their traditional anti-virus products, in many cases releasing them as new products: Symantec Endpoint Protection for example has replaced Symantec Anti-Virus Corporate Edition. And although you can still buy products labeled as “anti-virus” from the majors, sales of these limited-use products have declined considerably of late.

As these new protection products have become more complex, sophisticated and bloated, their performance impact on older PCs has become more noticeable. Bargain PCs purchased as recently as two years ago can be too slow to be used efficiently with these full-suite protection products installed. Furthermore, the protection products are by nature always playing “catch-up” with the bad guys, so we have seen some companies forgo desktop protection software altogether in favor of strong network perimeter protection combined with policies limiting Internet access and prohibiting employees from bringing in cdroms, USB drives, outside laptops etc. into the office. (The more powerful servers still have protection software installed however.)

That’s one way to do it, but many companies can’t manage the politics associated with limiting or preventing employees from browsing the Internet. And some companies, like ad agencies and web developers, can’t really be restricted at all.

Further, we have seen a lot of malware that these protection products simply can’t protect against, because the malware looks and acts like legitimate software.

Switching to a Mac or a Linux PC can help, but these devices can become “carriers” for malware, bringing a whole host of new challenges. And most security pundits believe that as Macs and Linux PCs become more popular, it will only be a matter of time before malware for these machines starts appearing as well.

So if these big protection products can’t save us from ourselves reliably, what can be done?

Well, here is our list of the top four ways you can protect yourself.

1. Slow Down! We have seen malware come in via email looking like Hallmark e-cards, IRS W-2 form updates, PayPal and bank account alerts, etc. If a friend’s PC gets an infection, you will get an email from your friend, and the web link or attachment that looks so enticing (if not workplace safe) will be your downfall. So, before you click on anything, take a moment to scan it with your own brainpower and a skeptical eye.

2. Be Careful Where You Stick Your Browser. The San Fransisco bath house analogy notwithstanding, the majority of malware infections these days are installed via a web link. Staying away from those web sites you know you shouldn’t be frequenting anyway is a good start, but keep in mind that malware writers are very clever. They do things like buy ads on legitimate web sites to distribute their wares, so just because you are on cnn.com doesn’t mean you can click anywhere safely 100% of the time. When you get a popup or other prompt to take an action you weren’t expecting, apply Rule #1 and slow down before doing anything.

3. Be Proactive and Scan Your PC. Whether you use malware protection software or not, periodically being proactive and running scans on your PC at least once a month is a good thing. We like Malware Bytes a lot, but our favorite tool de jour is Combo Fix, available as of this writing here. Be careful when you search for these tools; the malware folks have bought look-alike domains and lots of Google AdWords! We have seen several folks with a minor infection wind up with a totally borked workstation because the web link they thought was malware removal software from the good guys was actually more malware from the bad guys. Remember Rules #1 and #2?

4. Keep Your PC Patched. The majority of patches coming out of Microsoft are security, not bug fixes. Making sure your PC is regularly updated is key. If you are running non-Microsoft products, like Adobe Acrobat Reader, Apple’s Quicktime, etc. you want to be sure those products are kept up to date as well. Acrobat products this week are being blasted in the trade press because the Javascript code in the product has been a valuable attack vector for malware developers. Adobe can’t or won’t “fix” this because the same Javascript code is used for filling in PDF forms, and Adobe doesn’t want to hinder that functionality.

So be safe out there! And if you have questions or get yourself in trouble, we are here to help. Don’t send us an infected email though, just give us a call at (207) 772-5678.

All the best,
Mark
CIO

Once the servers go off site however, the office’s connection to the Internet becomes the “weak link in the chain.” Some clients attacked that link by swapping out their current Internet connection for a more enterprise-grade connection (e.g. SDSL or bonded T-1s), but that still represents a single point of failure. Other clients upgraded their router/firewall to a device that can load balance or failover between two simultaneously active Internet connections. So when the cable modem service is down, the router automagically switches over to the DSL connection — totally seamlessly to the end users. Some router/firewalls even allow you to use one of those Sprint/Verizon Wireless PC Cards traveling laptop users have for the office’s secondary Internet connection. Which mix of redundant connections to use is a complex matter, requiring careful analysis of not only your bandwidth usage as a whole, but the workflow processes utilized by your employees, customers, vendors and others with whom you connect over the Internet, even if only by email.

As the Commonwealth of Virginia has discovered, not having any redundant Internet connectivity, even when using so-called “bulletproof” network connections, is just not acceptable. (You can read the story here.)

Consequently, we find our clients’ businesses increasingly require a conversation about the merits and costs of redundant Internet connectivity. For increasing numbers of clients, redundant Internet connectivity is no longer a luxury; rather, it is very cheap insurance if not a necessity.

If you need help deciding if redundant Internet connectivity is appropriate for your business, please feel free to give us a call at (207) 772-5678.

Mark
CIO

Now back to our regularly scheduled programming…

Zimbra 6 includes a number of document features already in Gmail and Google Docs, providing spreadsheet and Word-like document features.  Considering the price of Microsoft Office these days, Zimbra 6 and Gmail/Google Docs can be very cost-effective alternatives.

Unless of course the spreadsheets and documents you are creating you want to keep private.

You see, the Google Terms of Service give Google a perpetual and irrevocable right to use all of your Content pretty much any way they want, including republishing rights (It’s all in Section 11, here).  Sure, those same terms of service allow you to retain the copyrights in your works, but so what if Google can repurpose your content at will.

So, if you are using Gmail or Google Docs for anything confidential, well… it’s not.  If you are a bank, doctor, attorney, accountant or any other kind of professional with a fiduciary, regulatory or contractual responsibility to protect information and you have put any of that information in Gmail or Google Docs, you probably ought to speak with an attorney–fast.

Zimbra 6 on the other hand, has no such content licensing terms.  Nor do we (we are a Zimbra Premiere Hosting provider BTW); you not only retain full ownership of your data, you grant no Google-like licensing to us nor to Zimbra when you use Zimbra.

So if you are looking to avoid an expensive company-wide upgrade to Microsoft Office and/or Microsoft Exchange, while Gmail and Google Docs may look like good value for money, you’ll get what you pay for.  Talk to us about Zimbra (our system is very secure and  HIPAA-compliant out of the box.)

And the next time you speak to your own attorney, accountant or health professional, ask them if they are using Gmail or Google Docs, and if they answer yes, you may want to find a different attorney, accountant or health professional…

Mark Stone,

CIO

Since we are ourselves somewhat frugal, we have been using OpenOffice instead of Microsoft Office for several years now. Sure, we still have a few copies of Microsoft Office around when needed, but propeller heads like us get a big discount from Microsoft so the pain to our wallets has been minimal. (FWIW, Typically we exchange documents with others in Adobe Acrobat format, not Microsoft Office. OpenOffice includes a free pdf generator with a one-button click.)

Being open source, OpenOffice is both free and readily customizable by anyone who cares to. Novell (SuSE Linux), offers a version called Go Office which includes bits not included in the version available from OpenOffice.org, like better WordPerfect and Microsoft Office import filters. Sun offers a paid, supported version of OpenOffice and IBM’s Lotus division has a free, supported version of OpenOffice called Lotus Symphony.

Not widely reported, back in the Spring IBM made a decision that the OpenDocument format (a world standard supported by OpenOffice) would be the document interchange standard within IBM. The deadline for all 360,000 IBM’ers to start using Symphony (OpenOffice) instead of Microsoft Office is September 22. Already, 330,000 IBM’ers are using Symphony, according to Linux Magazine (http://www.linux-magazine.com/Online/News/IBM-Throws-Out-Microsoft-Office).

Of course, this doesn’t mean the end of Microsoft Office, but it is a nice reminder that we all do have choices, and that if IBM can cut the cord, then maybe we can do it too.

If you would like to learn if OpenOffice is for you (because it isn’t for everybody), call us at (207) 772-5678.

Mark Stone
CIO

Since we had some behind-the-home-page links in our browser’s history, we could see that only the home page had been defaced. So, we called the vendor and they immediately took the entire site down to fix things.

While it might seem a little ironic (if not somehow darkly entertaining) that a company selling firewalls for a living got hacked, there are a few old-school lessons here worth repeating:

1. A great firewall, even correctly configured, isn’t enough to protect you entirely from external threats.
2. A great firewall, even when configured with gateway anti-virus, anti-malware, intrusion prevention and a bunch of other propeller-head acronyms, isn’t enough to protect you entirely from external threats.
3. All of the applications exposed to the Internet (web, email, ftp servers etc.) need to be kept up date with security patches too.
4. Automated monitoring–of web sites and log files–would have given the company’s system administrator a near-immediate heads up that something was wrong.  As it was, the hacker had put a visitor counter on the hacked home page, and 18,402 unique visitors had already been to the site before we arrived (and before the company was aware they had been hacked).

None of these protections cost much in the way of system administration resources or hardware/software costs, (though they do require a fair amount of expertise to implement properly) and very well might have prevented this hack.

Damage to a hacked company’s reputation can cost a lot more than a new firewall for sure. When you take credit card payments, the legal requirements for dealing with a breach can result in astronomical costs.

All of which is a long way of saying that if you haven’t looked over your company’s security posture recently, now might be a good time to give us a call.

Take care,
Mark

We have seen some clients resist enforcing these kinds of policies. Let’s face it, it’s hard for an IT Director to march into the owner’s office and demand s/he change their password to something totally indecipherable. A few months ago, our last holdout client found their business at a standstill when they couldn’t send email any longer. Turns out, someone from Poland (the country, not Maine…) had guessed/cracked correctly a user’s Exchange email password, and had spent the weekend sending out tens of thousands of spam messages from their Exchange server, which was now blacklisted. We got that fixed, shared with them our best practices for “strong” passwords and password rotation, and Bob’s your uncle…

What most people don’t realize is that “strong” or complex passwords can be very easy to remember AND be very difficult to hack–all at the same time. First, the scary part: what is a good “strong” password policy?

Our view is that a good “strong” password policy should require that passwords have a minimum of eight characters, and at least one each of an uppercase character, a lowercase character, a numeral, and a punctuation mark.

If your name is John Doe, an easy-to-remember strong password might be “j0hN;d0e55″ where the letter “o” is replaced by a zero.

If you are feeling particularly clever, you can use a phrase as a password, like “2mUch!cE” (“Too much ice”).

Although these are easy to remember, different sites will have different policies, requiring you to use different passwords. At some, point, you won’t be able to remember them all, so using a good password manager (protected by a strong password please!) will be needed. Our favorite password manager at the moment is KeePassX, which runs on Windows, Linux, Macs and Blackberries.

What is not a good idea is to allow your browser to remember your passwords for you, especially if you use a laptop. In the first instance, the encryption the browser uses isn’t all that strong, and if your PC/laptop is stolen or swapped out, you’ve not only lost your passwords, you’ve effectively just given them away.

Similarly, using an unencrypted spreadsheet for passwords isn’t a great idea either.

One dirty little secret is that the overwhelming majority of corporate security breaches these days are perpetrated by insiders, not outside hackers. As a result, many sites are requiring users to change their passwords every few months as well too.

Using easy-to-remember but strong passwords goes a long way to protecting your personal and your company’s valuable data. When things get too complex, a good cross-platform password manager can help keep things straight as well.

If you have any questions about your company’s password policies, please call us at (207) 772-5678.

Your servers have redundant power supplies and with separate 30amp feeds from the two UPSs,  you carefully plug one power supply into one of the two feeds and the other power supply into the other feed.  Great, you are now protected if/when one of the UPSs goes offline.

But what about your switches and firewalls and those few remaining legacy servers, all of which have only one power supply? How can you get the benefits of the data center’s redundant UPSs and separate power feeds when you have devices with only one power cord?

Easy!  You just need a PDU (Power Distribution Unit) that plugs in to two separate power feeds, uses one feed as the primary, the other as secondary, and automatically fails over and back between the two.  Recall that we are not a reseller for any hardware or software, but we have been using the Tripp-Lite PDUMH20AT device in our own rack space now with good success.  This unit has 20amp plugs and receptacles; there is also a 15amp model.  The 20amp model costs about $360.

For really remote data center management, there is an optional SNMP card you can use to manage each of the power receptacles, program sequenced power up, etc.

Attentive engineers will note that this device introduces a new single point of failure, which is true.  Our experience however has been that data centers with redundant UPSs will, perhaps every two years or so, cycle offline the UPSs for major maintenance. Using a device like this enables your gear to stay up during UPS maintenance (or a single UPS failure).

One way to overcome this PDU’s new single point of failure, for example in the case of a pair of failover firewalls, would be to plug one of the firewalls into this device and the other firewall into one of the standard PDUs already in the rack.

Everything comes with tradeoffs, but our view is that a PDU with an automatic transfer switch represents a terrific way to provide devices with single power supplies in a data center rack the benefits from fully redundant power feeds.

If you have any questions regarding your data center configuration, please give us a call at (207) 772-5678.

But, we have seen too many companies deploy VoIP, be disappointed with the sound quality, and then face thousands of dollars of unplanned costs to make things right.  So, here is how we typically advise our clients considering a VoIP deployment:

Most importantly, whether you use a hosted VoIP solution (the VoIP servers belong to the VoIP company) or a premises-based solution (you buy, host,  maintain and life-cycle your own VoIP servers), the infrastructure challenges are the same: you need a top-notch internal network and solid connectivity to the Internet.

Internal Network Infrastructure Checklist

Look at the cabling in the wall where it comes out to attach to the patch panel, and look for the labeling on the side of the cable.  You will see something like “Cat3″ (traditional telephone patch cable), “Cat5″, “Cat5e” or “Cat6″.  Generally speaking, you’ll need Cat5e or Cat6 to have a satisfactory VoIP experience.  If you only have Cat5 cable, although technically VoIP could work, this has generally not been our experience and you should budget for new/replacement network cabling at anywhere from $50 to $150 per drop, depending on the type of wall construction and other factors.  Network cabling is a bit of a black art, so we can recommend several excellent cable installers for your situation.

If you want to have the VoIP phones share the same network cable as your PCs (the network cable coming out of the wall plugs in to the VoIP phone, and then another network cable connects the VoIP phone to the PC), you will need to have network switches that do what is called “QoS” (Quality of Service).  QoS essentially prioritizes voice traffic over data traffic, so that your call is not interrupted just because someone else on the network is downloading a big file or printing a big job.

Another term you will hear with switches is “PoE” (Power over Ethernet), which enables VoIP phones to run on power sent down the network cable.  While this reduces cable clutter on employees’ desks, PoE switches can be very expensive, and less expensive PoE switches sometimes don’t have enough joice to power all of their ports at the same time.

What many companies do who have perfectly good Cat5 data cabling in the walls is to run new Cat6 cabling just for the VoIP network.  The cable installer adds a second jack to each wall plate in every office, color coded with one color for PCs and another color coded for phones.  Since building codes no longer allow companies to abandon old network cabling in place, this can be much cheaper than doing a wholesale replacement of all of your network cabling.  And if you decide to use PoE, this separate VoIP/data network scheme can same you money on the number of new switches you need to buy.  You also don’t need expensive switches that do QoS; since voice and data are on two separate networks, there is no need to prioritize traffic.

Internet Connectivity

Regardless of whether your internal network is configured with separate VoIP and data paths, the VoIP traffic now has to get out to the phone system.  Large companies with their own VoIP servers will connect via telco drops right in their own offices, but smaller companies will generally route VoIP traffic out through the Internet.

Our experience has been that the most reliable way of doing this is to have a separate Internet connection for VoIP traffic.  How big an Internet connection is dependent on how many simultaneous calls you expect, but for a small office, a DSL connection (even with a hosted VoIP provider) often works best.

If you insist on using one Internet connection for both VoIP and data traffic, you’ll need a router/firewall that does QoS like the switches we described above, and… you’ll need to confirm with your Internet Service Provider that their network “respects”  your router/firewall QoS tagging.

Cable modems are a special case: cable modem service typically comes with a lot of bandwidth, but the operating system on the cable modems doesn’t do well with both VoIP and data traffic.  If you are using a hosted VoIP solution and have more than five VoIP phones, you will almost assuredly find you will need a separate Internet connection for VoIP and data.

Bottom Line

VoIP in principle can help companies save money, enhance productivity, and better connect multiple offices seamlessly.  But, like any house, it is only as solid as the foundation, and a VoIP system built on a marginal network backbone, or with marginal Internet connectivity will dissapoint.

Careful planning, with input from several specialists is key to a successful, cost-effective VoIP deployment.  If you would like help quarterbacking your VoIP deployment, or help deciding whether VoIP is right for your company, just give us a call at (207) 772-5678.