12 Nov 09

What We’re Reading, Week of 11/9

PC World…
Google’s Free Airport Wi-Fi: Five Ways to Protect Yourself
Writer Jeff Bertolucci reports on Google’s generous gift of free Wi-Fi in 47 airports. While it may seem like a thoughtful idea, it unfortunately opens users up to potential hacks if they are not careful. Jeff provides some helpful tips; an important one to highlight is no. 3: use a VPN, especially if you are accessing the Internet for business.

Computerworld…
Update: H1N1 Drives Demand For Secure Remote Access
In this article Jaikumar Vijayan discusses how the H1N1 pandemic is motivating companies to upgrade their secure remote access capabilities. In case of an emergency, employees will be able to work from their homes and other remote locations. This has led to vendors of remote access technologies seeing an increase in demand for their products. As part of an effort to help companies support more teleworkers quickly, RSA has introduced an on-demand authentication system for companies to use to enable workers to securely log in from remote locations. Instead of hardware-based tokens, workers get one-time passwords sent to their mobile phones. Has your company invested in more remote access technology because of H1N1?

CNNMoney…
Independent “SMB IT Pulse” Benchmark Survey Shows SMB Workforce Mobility on the Rise
A recent study of small businesses by LogMeIn shows that 63 percent of non-IT managers say remote access services make their staff more productive. This proves that administrators need a simple management solution that is not complicated or expensive to maintain.

11 Nov 09

Rethink Remote Access Planning: Dave Dennis’s Advice

To gain more insight for our how to rethink remote access series, we turned to IT expert Dave Dennis. He shared his thoughts on rethinking remote access planning with us. Dave is currently the Network Manager at Buckhorn Inc., a supplier of reusable industrial containers and pallets throughout the Western hemisphere.

How can you lessen the end user’s burden of managing remote communications? The key is to design your data/applications to be simple. Here are some things to consider:

1. What is the “shape” of your data and applications? Is your data stored in a lot of places? Do you need several applications to access it? Do you need applications requiring specialized installation and configuration? Or can they be accessed through simple tools like browsers? Fewer, simpler tools will work better remotely.

2. How much of your data is stored on servers versus individual workstations? Data on laptops is great for mobile users, but not for coworkers who might need access to it. It’s also bad for security–not just someone stealing it, but it’s actually more likely that data might be just lost (hardware theft, crashed hard drive, etc.). I like to ask decision makers how the company would be affected if their computer were lost–that gets their attention.

3. What is the business need for remote access? And what security levels are required? Occasional work on weekends or evenings has different requirements than people who are always on the road. Industry regulations (HIPAA, SOX) may also require certain security access and practices as well.

Lately, I’ve been gravitating toward simple devices that VPN into the network and connect to either a Terminal Server or even the user’s own desktop computer. Once the user connects, everything is where he usually finds it. The mobile devices also tend to be cheaper and simpler to configure. This is a great configuration for people with simple or occasional remote needs. It is harder to do this with people who travel a lot and have a lot of complex data/application needs.

If your data/applications can accommodate it, go with a single remote connectivity method. Easy to use, easy to support. And the more like their familiar desktop, the better.

Actually the last point might be a good technology planning goal. As virtual desktop technology matures, we may find even in-house users “remoting” into their virtual desktops on a server.

10 Nov 09

Options for 64-bit Windows 7 VPN

Big news today from Cisco as reported by Network World:

 

“Cisco (NASDAQ: CSCO) is warning customers of its unified communications products that support for Windows 7 won’t be forthcoming until the product’s 8.0 release scheduled for the first quarter of 2010. About a dozen more UC products will not support Windows 7 until version 8.5, in the third quarter of 2010 and at that time, only the 32-bit version of Windows 7 will be supported.”

 

For customers who need IPsec 64-bit support, NCP engineering can help you out. The “beta” version of the client is scheduled to go release candidate any day now too.

09 Nov 09

Rethink Remote Access Planning: Joerg Gerschuetz’s Advice

We are now starting with the next installment of our how to rethink remote access series, focusing on planning. We spoke with networking, security and remote access specialist, Joerg Gerschuetz. Joerg is a Senior Systems Architect at Siemens IT Solutions and Services.

I believe the human factor can never be removed from any technology, not only remote access! Working in the remote access business for more than 10 years now, I always encounter users who are:
- wittingly or unwittingly able to overcome all the implemented measures
- incapable of finding that single button they were presented in the UI and trained a dozen times to hit

And I want to stress another very important aspect: we are only thinking about the remote access user being the “biggest pain.” But what about the other side of the fence? There is the human factor, too… and I think the pain here is as big as on the simple user’s side!

Just a few examples:

1) The best user interface, the best physical firewall, the best remote access protocols – they are all designed and coded by humans, and therefore prone to errors! There is no error-free source code, there is no error-free hardware. With all these solutions we always have possible security issues due to these intrinsic errors!

2) The best remote access overall environment is always designed and implemented by humans, and therefore prone to errors! There is no error-free implementation, because of different interpretations/understandings of the same topic, not reading/understanding documentation or using technology not the way it was intended/designed to just to achieve cheap or fast solutions! … or simply because of its complexity: Nobody can be a specialist with all jigsaw pieces necessary to get the picture complete, and even if we team up, there are still the interfaces and connections between the single pieces!

3) And as a final thought – there are always administrative errors, again wittingly or unwittingly. With the best firewall in place and a well settled documentation of its rule-set… I suppose there is nearly always a discrepancy between this documentation and the implemented rule-set. With the best processes in place you will always find “cadavers” in your remote access user’s database.

From my perspective there is an apprehensive tendency in absolute belief in technology and neglect of the fact that this technology is man-made and in some (most?) cases so complex that it is not possible any more to overlook all its attributes, features and interfaces and their interaction!

06 Nov 09

What We’re Reading, Week of 11/2

The Globe and Mail…
Businesses Big and Small Weigh Windows 7 Potential
Lynn Greiner discusses some of the features that Microsoft has incorporated in Windows 7 for businesses. One of those features is DirectAccess, which not only allows VPN-free access to the corporate network, it lets the administrator manage those client systems remotely any time they are connected to the Internet. Administrators should know that since DirectAccess requires IPv6, there needs to be a DNS server that supports AAAA records (which is likely a Windows Server 2008). If users want to connect to older servers on the network that can only cope with IPv4, a device supporting NAT-PT is required to bridge the gap. If you use a standard VPN, it will be enhanced by VPN Reconnect. It automatically and transparently restores a VPN connection after its Internet connection briefly drops.

Information Week…
Wolfe’s Den Podcast: Windows 7 Virtually Speaking
In this post, Alexander Wolfe looks at some of the ways Windows 7 affects virtual private networks. Alexander feels DirectAccess has a strong usability angle in that it makes administration much easier on a lot of levels, in terms of making sure users are properly audited and are running what they’re supposed to. He also notes that many people do not believe DirectAccess is “connecting” them to their corporate network, which is interesting in terms of overall Internet usage. He suggests what it does is effectively break down the probably false separation most of us make between the “personal” (or non-work) Web and one’s business network.

Tech Republic…
What Windows 7 Means to Windows Server Administrators
Scott Lowe shares 10 items that Windows server administrators need to know in order to adequately support Windows 7 clients. The list includes New Remote Server Administration Tools, DirectAccess, VPN Reconnect, Offline Domain Join, BranchCache, New Group Policy capabilities, AppLocker, Windows XP Mode adds patching challenges, Domain Name System Security Extensions (DNSSEC) and Windows Deployment Services supports Windows 7 deployments. Scott offers his take on each of these items.