Thursday, August 27, 2015

“You Can’t Have Your Cake and Eat It Too!”

Executive: I’ll be at an offsite meeting with the head of Human Resources and Accounting for the next couple days to go over our staffing strategy for the next year. Can you get the personnel information for everyone in the department, compensation plans, and the performance reviews from the past year and put them into Dropbox for me?

Assistant: I can, but at the company briefing last week the gal from security said that, with all of the data breaches lately, if there is going to be any sensitive data leaving the company site, they're providing an encrypted USB drive for transporting the data. Would you like me to do that instead?

Executive: I was hoping to travel light on the tech since I'm going to be taking my golf clubs to go shoot a few rounds after the meeting. Besides, I've already got my USB mouse, the extra laptop battery, and the power brick for the laptop, on top of my phone charger and the USB cable. All the different ends on the cables get confusing and who needs the hassle of another device to lug around? Just put them into Dropbox please. They'll be fine. The only people with my Dropbox account info are me, you, and my wife. She likes to upload pictures of the kids and share them with people sometimes. Anyway, it'll be a lot more convenient for me since I can just pull them down from the cloud whenever I need them and not have to worry about it.

Assistant: I’ll have them uploaded. Enjoy your meeting!

There's an old adage that I feel describes the relationship between security and convenience quite well: the good ol' "You can't have your cake and eat it too!", a saying that has been around since well before the age of technology. In essence, the adage says that you can't have it both ways: if you eat your cake, you no longer possess it, and if you keep it, you can't eat it. It's one or the other. On top of that, when you look at what security and convenience mean at their most basic and fundamental level, you'll realize that they are almost the exact opposite of each other. By nature, the principle of security is to make something harder to do, whereas convenience makes it easier.

While one might think the situation above is an exaggeration made up to illustrate a point, I can honestly say that it is not; the situation described has actually occurred. One of the most common reasons situations like this occur is that in many organizations, security only applies when it is convenient for a user or group of users. In most of these situations, the user groups with the least regard for the company's security policies are the ones that wield some sort of decision-making power.

On the flip side, the organizations I've found that don't treat security as a "when it's convenient" matter are those where security is an initiative that flows from the CEO on down, and they tend to take security very seriously. That means the CEO adheres to the same security policies as the common end user. It illustrates the power of leading by example. At the end of the day, security will not be the major inconvenience it is sometimes painted to be if expectations are managed and flow from the top down.

Thursday, August 20, 2015

VMware vSphere ESXi Host Web Client

Not everyone is a fan of the current VMware vSphere Web Client provided with vCenter Server, but one thing is for sure: it's here to stay. I was not always a fan of the vSphere Web Client, but as improvements were made and my exposure grew, I have become quite fond of it (less reliance on Microsoft Windows? No complaints here).

Unfortunately, one thing still holds me back from ditching the Windows laptop for my Mac or a Linux distribution: ESXi host management. Thanks to Etienne Le Sueur and George Estebe (apologies to others who have contributed; I am going from the list of engineers), we now have a VMware Fling that brings browser-based management to our vSphere ESXi hosts.

Warning! Flings are experimental and VMware recommends that they not be run on production systems.

Description from the Fling:
This version of the ESXi Embedded Host Client is written purely in HTML and JavaScript, and is served directly from your ESXi host and should perform much better than any of the existing solutions. Please note that the Host Client cannot be used to manage vCenter. Currently, the client is in its development phase, but we are releasing this Fling to elicit early feedback from our users to help guide the development and user experience that we are creating.

Features available at the time of posting:

• VM operations (Power on, off, reset, suspend, etc.).
• Creating a new VM, from scratch or from OVF/OVA (limited OVA support)
• Configuring NTP on a host
• Displaying summaries, events, tasks, and notifications/alerts
• Providing a console to VMs
• Configuring host networking
• Configuring host advanced settings
• Configuring host services

I am not sure if I am more excited for the ability to manage vSphere ESXi hosts without the need for a Windows installable client, or for a preview of what the vSphere Web Client could be without the dependence on Adobe Flash…

I recommend all virtualization engineers and administrators check it out and contribute feedback.

Note: When using the client with an ESXi host that was upgraded from ESXi 5.x, a workaround is required to resolve a browser 503 error. William Lam has detailed the workaround on his blog at New HTML5 Embedded Host Client for ESXi (

Wednesday, August 12, 2015

Is 802.11ac Wave 2 the Real Deal?

As corporate traffic keeps growing, the demand on the infrastructure grows with it. So the question remains: why haven't you upgraded to 802.11ac Wave 2 yet? More than likely, it's because you are hesitant, just upgraded, or feel your Wi-Fi is running fine. Whatever the reason, it's probably time to at least think about Wave 2. Let's be honest, the data is not going to stop. In fact, users are only going to consume more. Can your infrastructure handle the demand?

Making sure your environment can handle the demand, whether it's wired or wireless, can sometimes feel like a daunting task. With the first round of 802.11ac (Wave 1), it was possible to reach PHY rates of up to 1.3 Gbps (three spatial streams on an 80 MHz channel with 256-QAM), and for most deployments even that was a stretch, since load on the access point (AP) and the RF environment come into play. That doesn't begin to account for dense environments, which are where Wave 2 can level the playing field.

So, how does Wave 2 differ from its predecessor? Primarily, there are two factors at play: four spatial streams (up from three in most Wave 1 APs; the standard itself allows up to eight) and, more significantly, support for MU-MIMO, Multi-User Multiple Input Multiple Output. MU-MIMO should prove extremely beneficial in very dense environments: instead of serving one client at a time, an AP can use its spatial streams to transmit to several clients simultaneously, which cuts the time each client waits for airtime and frees up our beloved bandwidth. Two caveats: in 802.11ac, MU-MIMO applies to the downlink only (AP to client), and the clients themselves must support it to benefit.

To accommodate the added bandwidth and functionality, a fourth spatial stream (which requires an additional radio chain and antenna) must be used. Bundled with support for 160 MHz channels, double the 80 MHz channel width of Wave 1, that completes the Wave 2 package. Keep in mind that a 160 MHz channel consumes a large slice of the 5 GHz band, so very few non-overlapping 160 MHz channels are available and some of them fall in DFS ranges; in practice, most deployments will stay at 80 MHz and bank on the extra stream and MU-MIMO.
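To make the numbers above concrete, here is an added example (not code from the original post, and not a vendor tool) that computes 802.11ac PHY data rates from the standard's own parameters. It reproduces the 1.3 Gbps Wave 1 figure from three streams on an 80 MHz channel at 256-QAM 5/6, shows what four streams and 160 MHz add for Wave 2, and models the MU-MIMO effect for a set of single-stream clients. The OFDM constants and MCS table are the 802.11ac values; the MU-MIMO model is an idealised upper bound that ignores sounding and MAC overhead, and `downlink_aggregate_mbps` is a helper name chosen here.

```python
"""802.11ac (VHT) PHY data-rate calculator.

Added example, not from the original post.  Constants are the 802.11ac
OFDM/VHT values; the MU-MIMO model at the bottom is an idealised upper
bound that ignores sounding and MAC overhead.
"""

# Data (non-pilot) OFDM subcarriers per channel width in MHz.
DATA_SUBCARRIERS = {20: 52, 40: 108, 80: 234, 160: 468}

# VHT MCS index -> (coded bits per subcarrier per stream, coding rate).
# MCS 8 and 9 are 256-QAM, the modulation 802.11ac introduced.
MCS_TABLE = {
    0: (1, 1 / 2), 1: (2, 1 / 2), 2: (2, 3 / 4), 3: (4, 1 / 2), 4: (4, 3 / 4),
    5: (6, 2 / 3), 6: (6, 3 / 4), 7: (6, 5 / 6), 8: (8, 3 / 4), 9: (8, 5 / 6),
}

# (width_mhz, mcs) -> spatial-stream counts the standard does not define
# (the symbol would not divide into whole code words).
INVALID_COMBOS = {(20, 9): {1, 2, 4, 5, 7, 8}, (80, 6): {3, 7}, (160, 9): {3}}

SYMBOL_US = 3.2                      # OFDM symbol duration without guard interval
GUARD_US = {True: 0.4, False: 0.8}   # short vs long guard interval


def is_valid_combo(streams, width_mhz, mcs):
    """True if 802.11ac defines a rate for this stream/width/MCS triple."""
    return (1 <= streams <= 8 and width_mhz in DATA_SUBCARRIERS
            and mcs in MCS_TABLE
            and streams not in INVALID_COMBOS.get((width_mhz, mcs), set()))


def phy_rate_mbps(streams, width_mhz, mcs, short_gi=True):
    """PHY data rate in Mbit/s: bits carried per OFDM symbol / symbol time."""
    if not is_valid_combo(streams, width_mhz, mcs):
        raise ValueError(f"undefined 802.11ac rate: {streams}ss {width_mhz}MHz MCS{mcs}")
    bits, code_rate = MCS_TABLE[mcs]
    bits_per_symbol = streams * DATA_SUBCARRIERS[width_mhz] * bits * code_rate
    symbol_seconds = (SYMBOL_US + GUARD_US[short_gi]) * 1e-6
    return bits_per_symbol / symbol_seconds / 1e6


def wave1_max_mbps():
    """Typical Wave 1 AP: 3 streams, 80 MHz, 256-QAM 5/6, short GI."""
    return phy_rate_mbps(3, 80, 9)


def wave2_max_mbps():
    """Typical Wave 2 AP: 4 streams, 160 MHz, 256-QAM 5/6, short GI."""
    return phy_rate_mbps(4, 160, 9)


def downlink_aggregate_mbps(ap_streams, client_streams, n_clients,
                            width_mhz, mcs, mu_mimo):
    """Idealised aggregate downlink rate when serving n_clients identical clients.

    Without MU-MIMO the AP talks to one client at a time, so spare AP
    streams sit idle.  With MU-MIMO (downlink only in 802.11ac) the AP can
    address up to four clients in one transmission as long as their
    combined streams fit within the AP's streams.
    """
    if client_streams > ap_streams:
        raise ValueError("client cannot use more streams than the AP has")
    per_client = phy_rate_mbps(client_streams, width_mhz, mcs)
    if not mu_mimo:
        return per_client
    served = min(n_clients, ap_streams // client_streams, 4)
    return served * per_client


if __name__ == "__main__":
    print(f"Wave 1 peak: {wave1_max_mbps():.0f} Mbit/s")
    print(f"Wave 2 peak: {wave2_max_mbps():.0f} Mbit/s")
    for mu in (False, True):
        agg = downlink_aggregate_mbps(4, 1, 4, 80, 9, mu)
        print(f"4 x 1-stream phones on 80 MHz, MU-MIMO={mu}: {agg:.0f} Mbit/s aggregate")
```

The Wave 2 peak (about 3.47 Gbps) only materialises with a 160 MHz channel and a four-stream client; a single-stream phone on an 80 MHz channel still tops out at about 433 Mbit/s, which is exactly why MU-MIMO, not the headline rate, is what helps a dense room full of such clients.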

The reality is that clients are not yet able to take advantage of Wave 2. Devices with Wave 2 radios are expected to be released some time in 2016. If you're thinking of replacing or upgrading your current wireless infrastructure, now may be a great time. Typically, the replacement cycle on a wireless infrastructure is 18 to 24 months. Wave 2 APs will cost about 10% more than Wave 1, and investing in that extra cost now will allow you to skip the next cycle, increasing the ROI and your bottom line.

Planning your wireless infrastructure is also a crucial step toward optimal performance. A wireless site survey gives you several pieces of information, including AP placement and orientation, channel utilization, and power adjustments, and acting on it can have long-lasting effects on your wireless environment. Even if you are not looking to upgrade in the near future, a site survey provides the detail you need to give your users an optimal configuration. The combination of the advancements offered by Wave 2 and the information provided by a site survey will enable your organization to deliver a high-performing wireless network now and into the future.

Thursday, August 6, 2015

‘Doveryai, no Proveryai’: Why Corporate Networks Need to Verify First, Trust Later

Firewalls are often thought of as protecting your network from bad people and things on the Internet. While that is technically true, we need to change the way we think about where a firewall should be deployed and how. With the proliferation and evolution of threats like malware and Advanced Persistent Threats (APTs), the Internet is no longer the only source of malicious traffic. Think about this for a second: when you deploy a firewall, there are two basic security zones preconfigured on the box, an Internet or untrusted zone/interface and an Inside/Internal or trusted interface. Therein lies the fundamental issue with network security.

Just because your machine is physically connected to the network and sits behind the corporate firewall doesn't mean it should be trusted. Attackers put malicious code on websites, distribute it via email, and find other ways to get their code onto your machine. Corporations spend a lot of time and money making sure their Internet edge is secure so that attackers can't get through the corporate firewall, but they focus far less on making sure user devices can't reach systems that aren't necessary for the user's job function. If an attacker installed malware on the Financial Controller's PC, what servers and systems does that PC have access to? On what ports? In most environments the answers are simple: that PC has access to ALL of the corporate financial systems, usually with unfettered access to the Internet as well, and the malware inherits every one of those paths.

If we think about this logically, there is no reason to trust devices inside the firewall any more than we trust unknown machines on the Internet. After all, our corporate PCs connect to those unknown machines on the Internet every day. Sure, we use the latest anti-virus, make sure to turn on the Windows firewall when we're on a public network, and maybe even use a host-inspecting Network Access Control (NAC) or Unified Access Control (UAC) solution in the office to run a posture assessment on mobile devices before we allow them onto the corporate network. But those systems have flaws. One of the biggest is that they are largely signature-based: they catch what they already know about, and a device that passes the check is then trusted for everything behind the firewall.

Securing your datacenter is as much about putting the right systems in the right place as it is about visibility into the communications between those systems. Knowing which calls your web server makes to your SQL database server lets you identify known and expected traffic patterns, and anything outside that baseline becomes a signal worth investigating. Ideally, every device would be segmented from every other device on your network, with all traffic between them running through a datacenter firewall that decides what to allow or drop. End-user devices, especially mobile ones, should be treated the same as Internet-based hosts: they should not be allowed to access ANYTHING on your network without that traffic passing through a datacenter firewall first.
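The following is an added example, not code from the original post, of what the "known and expected traffic" baseline looks like in practice: a default-deny allow-list between segments, applied to flow records the way a datacenter firewall or a NetFlow audit would. The segments, addresses, allow-list entries and log lines are all constructed for this illustration (10.10.5.23 stands in for the Financial Controller's PC; 10.20.x.x for the finance application and database tiers), and `segment_of`, `evaluate` and `audit` are helper names chosen here.

```python
"""Default-deny segmentation audit over constructed flow records.

Added example, not from the original post.  The segments, addresses,
allow-list and log lines are constructed for illustration; a real
deployment derives the allow-list from the observed, expected traffic
between tiers and enforces it on the datacenter firewall.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical network segments.  "internet" is the catch-all for anything
# that does not fall in a more specific internal range.
SEGMENTS = {
    "user_lan":    ipaddress.ip_network("10.10.0.0/16"),
    "finance_app": ipaddress.ip_network("10.20.1.0/24"),
    "finance_db":  ipaddress.ip_network("10.20.2.0/24"),
    "internet":    ipaddress.ip_network("0.0.0.0/0"),
}

# Allow-list of expected flows: (src segment, dst segment, proto, dst port).
# Anything not listed is denied, whether it originates inside or outside
# the corporate firewall.
ALLOWED = {
    ("user_lan",    "finance_app", "tcp", 443),   # users reach the app tier over HTTPS
    ("finance_app", "finance_db",  "tcp", 1433),  # only the app tier talks to SQL Server
    ("user_lan",    "internet",    "tcp", 80),    # web browsing (ideally via a proxy)
    ("user_lan",    "internet",    "tcp", 443),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def segment_of(ip):
    """Longest-prefix match of an address against SEGMENTS."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in SEGMENTS.items():
        if addr in net and (best is None or net.prefixlen > SEGMENTS[best].prefixlen):
            best = name
    return best


def parse_flow(line):
    """Parse one 'key=value' flow record, as a firewall or NetFlow export might emit."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], fields["proto"].lower(), int(fields["dport"]))


def evaluate(flow):
    """'allow' if the flow matches the expected-traffic allow-list, else 'deny'."""
    key = (segment_of(flow.src), segment_of(flow.dst), flow.proto, flow.dport)
    return "allow" if key in ALLOWED else "deny"


# Constructed sample log.  10.10.5.23 plays the Financial Controller's PC,
# 10.20.1.10 the finance web app and 10.20.2.10 its SQL Server.
SAMPLE_LOG = """\
src=10.10.5.23 dst=10.20.1.10 proto=tcp dport=443
src=10.20.1.10 dst=10.20.2.10 proto=tcp dport=1433
src=10.10.5.23 dst=10.20.2.10 proto=tcp dport=1433
src=10.10.5.23 dst=203.0.113.7 proto=tcp dport=443
src=10.20.2.10 dst=198.51.100.9 proto=tcp dport=443
src=10.10.5.23 dst=10.20.1.10 proto=tcp dport=3389
"""


def audit(log_text):
    """Return [(flow, verdict), ...] for every record in the log."""
    flows = (parse_flow(line) for line in log_text.strip().splitlines())
    return [(flow, evaluate(flow)) for flow in flows]


def denied(log_text):
    """The flows a default-deny datacenter firewall would have dropped."""
    return [flow for flow, verdict in audit(log_text) if verdict == "deny"]


if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:5} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

Three of the six constructed flows are denied: the PC talking straight to SQL Server (the path malware on that PC would use), the database server opening an outbound HTTPS connection (a phone-home that a perimeter-only design never sees), and RDP from the PC to the app server. With a trusted "inside" zone, all three would have been permitted by default; with the allow-list, each of them is both blocked and logged.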

Ronald Reagan used the phrase "Doveryai, no proveryai" frequently during his term in office. The old Russian proverb translates to "Trust, but verify." In today's always-on, instant-access networking ecosystem, we need to adopt a different phrase:

"Proveryai to doveryai" or "Verify to trust."