Daily Archives: November 21, 2011

To be truly effective, you must cover all three “vectors” of backup. These three areas are
first, Classic Data Backup (documents, email, databases, etc.), second, Imaging or
Snapshots of physical or virtual machines, and finally, an Off-Site component in order to
get you started on the road to business continuity and disaster recovery.

Classic Data Backup
This is the “classic” backup that many of you actually are performing today. Whether you
have automated backups to tape through software like Backup Exec, a Windows Backup job
to USB drive, something running to an off-site location or perhaps even a combination of the
above, you are probably backing up at least some of your data.

Are your backups “granular” enough to restore just one email message? Can you roll back
to earlier versions of your files? Do you have ability to backup data from one server to the
tape or hard drive(s) connected to your primary server? Do you have the time (backup
windows) to get it all done? Even the simple stuff can be complex.

Imaging or Snapshots
So now let’s talk about getting backups of the actual installation and configuration of your
network. That means your Windows Servers and Active Directory, Exchange, SQL, and
other servers. This includes the configuration of your network (users, groups, shares,
permissions), and other site specific details that make your network yours.

There are many further details to consider as well. Do you have frequent enough image
backups? Where are these backups located; if they are only on the drive of the server
backed up, what happens if it is gone? And will they restore to “dissimilar” hardware, so
that they will work on the new server you will need to buy after that fire?

Off-Site
Let’s assume you have a complete data backup and configuration or imaging solution in
place and that you can count on it when you need. So what happens when the entire server
and its connected USB backup drive has been stolen? Or if the building has been soaked by
the sprinkler system that put out the server room fire?

It all comes down to off-site data, be it on tapes, drives or that Internet based remote backup
you do. Tapes are easy in this sense, as they can simply be transported on a regular
schedule off-site. Disc and other strategies generally require you to replicate data off-site to
another site or to an Internet based service.

Device Questions
Of course, you have to have some sort of device as a backup “target” to start. Tape is still a
good option for small business, despite what you may have heard. Tape is faster than most
disc-based options (up to 250G/hour) and cheaper ($50/Terabyte) than most other options.
Being removable and tough, tapes are easier to transport off-site as well.

Backing up to disc does offer some nice advantages. Hard drives are cheaper than tape
drives, though NAS (network attached storage) can be pricey. Disc backup is easier and
faster to use once you actually have to perform that critical restore. And finally, disc backup
provides some features (data deduplication, for example) that tape does not.

Three Needs, One Strategy
There is no one answer to all of these questions, but with a little help, you can stitch together
a full solution. Symantec’s Backup Exec SBS Suite includes the ability to execute data
backup to disc or tape, including Exchange, SQL, and Sharepoint. Also included in the
package is the imaging capability to capture the configuration of your network and servers
with imaging and recovery to different server hardware.

Complemented with an off-site strategy, this gives you the basic tools you need. But tools
alone are not a plan. If you are far enough along to be considering such things as
communicating with employees in the case of disaster, or locating a secondary business site,
you need a plan for that. Business Continuity and Disaster recovery planning comprises
much more than just a backup strategy.

Details and More
Is your data encrypted or password protected on the media you backup to in case of loss or
theft? How often do you do your imaging and can you use it to bring up different servers if
you lose your existing ones? How about restores; are you testing them? How do you
manage your backup media, secure it and make sure it is available when you need it? And
how do you monitor all of these backups to make sure they get done?

Over the past few years, newer options such as continuous data protection (CDP) and
business disaster recovery (BDR) devices have arrived as well. CDP provides continuous
backups of your data right as it changes; no more scheduled backups. BDR devices can
virtualize your existing server(s) and keep you going in the event of a loss of one or more of
your servers. These BDR devices can reside at your site or be hosted off-site as well.

Planning and executing a truly effective and comprehensive backup strategy is just one of
the many services that Net Sciences provides our customers. We can help you make sure
that you have all the bases covered and work with you to design and refine your disaster
recovery planning. Meet with us and discuss your backup, business continuity and disaster
recovery strategy. At Net Sciences, we watch over your data so that you don’t have to.

Introduction
I speak with business owners all the time that say things like, “but my data isn’t valuable to
anyone.” This usually leads me to ask them whether they think that vandals that “key” cars
do it because they need the paint. The bottom line is that your network is always under
attack, whether it be targeted or more commonly, simple Internet vandalism. The answer is
to implement a “layered” defense scheme at the perimeter, server(s) and desktop.

Secure the Front Door (Firewalling)
Every Internet connected network needs good perimeter defenses. In other words, you
need to cover the front door. Firewalls serve as the first layer of your defense system and
stand between you and the outside world of the Internet. For many years, firewalls simply
performed SPI, or stateful packet inspection. This means that each data packet’s header is
examined to verify its validity. Unfortunately, this is roughly akin to asking people at the
front door if they are carrying a weapon of any sort before allowing them in the door,
without verifying the response in any way. Your network needs better protection than that.

That is where DPI, or deep packet inspection, comes into play. Unlike SPI, where just the
packet header is examined, DPI scans the entire packet (each of the billions of them that
comprise a day’s work) for “signatures” of known attacks of every kind. Since virtually all
attacks are identifiable in this manner, DPI firewalls are capable of searching packets for
viruses, spyware, trojans, and many other network attacks. Their traffic scanning abilities
are vastly superior to that of old school SPI firewalls. The downside to this is performance.
As anyone who has spent time in airline security lines knows, thorough examinations take
longer. Fortunately, fast DPI firewalls are now affordable for every business. Ask Net
Sciences for more information about the Sonicwall line of DPI firewall/UTM devices.

Secure the Back Door (Antivirus)
The next layer of your defense functions at the server. It probably goes without saying that
every network requires comprehensive antivirus protection nowadays. This means running
antivirus at the server and at the desktop. Any truly effective network antivirus software
will include spyware and other “malware” protection as well. Network managed antivirus
software can also alert you to problems and produce status reports on demand as well. This
is what you want protecting your network.

Networked antivirus stands as a second line of defense against front attacks, but also covers
intrusions from within. Networked antivirus can stop attacks that do not originate from
outside the firewall. Desktop AV clients, managed and updated regularly by the server
(any AV solution is only as good as its updates) can also guard against viruses introduced
by users (on USB keys, checking their personal email, etc.). Just remember, a locked front
door really cannot protect your business from attacks that come in through a missing back
door. Ask Net Sciences for more information on networked antivirus for your network.

Secure the Windows (Patching)
The third layer of your complete network defense is at the operating system and application
level. It is probably not a surprise any more that Windows itself (and nearly all other
software) requires patching to keep it secure. They are vital to your network’s security
though. Even with the other layers in place, many of today’s most effective attacks happen
at this level and without successful patch deployment and management, you will end up
with bank vault doors front and rear, but screen doors everywhere else!

There are many tools on the market to handle patch management, but one of the simplest
and most effective is a freebie known as WSUS (Windows Software Update Services).
WSUS provides a good, basic level of patch management and distribution for all Microsoft
products, including Windows Servers, Exchange and SQL Servers, Windows XP, Vista and
Windows 7, Office applications and many others. WSUS is just one of many such options,
of course. Ask Net Sciences for more information on Patch Management for your network.

The Keys to the Kingdom (People)
This is the final key to securing your network. We are talking here of the most difficult to
manage and potentially threatening component of any network; the people that actually use
the systems. Educating your end users is the single most important measure you can take
and is probably the most overlooked of all security measures. Remember, security is a
process that hinges upon user education, so schedule an hour of basic security training at
least once a year for your employees, and more often if you can.

Learning how to avoid becoming victims of “social engineering” is paramount. One day,
standing at the front desk of a small law firm here in town waiting to come in to work on
their firewall, I heard a receptionist say to a caller on the phone that she would be right back
with the network password. I asked to whom she was talking and she replied that it was
“the guy that does our network,” which she suddenly realized, was actually me. She was a
moment away from handing out the keys to the kingdom, all because someone politely
asked. And again, there is no security without periodic user training.

And Beyond
In addition to the above, there are other security products out there (such as antispam
software and hardware, critical file protection products, and more). The issue is what level
of commitment you can afford to make (in terms of both money and time). Security can be
thought of as a continuum. Imagine Fort Knox at one end; very secure, but you probably
can’t get a pizza delivered. At the other extreme you find typical small business networks,
maybe yours; easy for anyone to access anything, which is not really ideal. Ask Net Sciences
to help you figure out how much security is right for your business and how to get there.

Net Sciences, Inc.
Since 1995, Net Sciences has been building reliable, secure networks for our New
Mexico customers. On networks of three to 300 computers, supporting law firms,
architects, engineers, scientists, accountants and nearly every other profession, Net
Sciences is the complete solution to your business network equation. Net Sciences
designs, builds and supports networks, keeping them running smoothly, and
protecting your data so that you can focus on taking care of business!