From Faraday's Desk - The Onega Blog — Onega Ltd - Vita Iter Est


The Big Difference a New Firewall Can Make

We have just returned from London's West End, having finished swapping out a client's older firewall for a 'latest and greatest' Watchguard Firebox M200.

This all went very smoothly, with only a few minutes of downtime while the old firewall was taken out of the rack and the new one mounted and connected. We timed this at 3 minutes and 21 seconds, which is not bad considering the new firewall needed to boot as well once plugged in. Normally we aim for about 6 seconds of disruption if we can mount the new firewall alongside the old unit in the rack, ready for switchover (which was not possible in this case). Given that the old firewall (a venerable Watchguard X750e) had served since 2008 or 2009, it had very much done its time. Despite the office being a nice clean, light and airy environment, the amount of dust that had accumulated in the legacy firewall reminded us of the pictures you are shown at school of the inside of a smoker's lungs.

The old firewall was still working though, so why did we recommend swapping it out, and why is our client glad that we did?

Technology has come along a fair bit in the 6 years between 2008 and 2015 and, as ever, machines get quicker and more capable. The most important things in our eyes (and from long experience in support) that made this worthwhile were:

1) UTM services at full speed. UTM stands for 'Unified Threat Management' and basically means one box doing many jobs. It used to be that you had one box for web filtering, another for gateway antivirus, another again for anti-spam, one for your SSL VPN (if you had one) and of course one for your router and one for your firewall. With the current generation of hardware, and leveraging 'The Cloud' one box can do it all. This saves cost, space, power, money etc. and makes everything easy to manage from one place.

The difference between the current mainstream firewalls in the wild and the very latest is that with the Watchguard M200, M300 and its cousins higher up the line, the UTM functionality all works close to wire speed for the rated number of users supported by the device. This contrasts with the previous status quo whereby you would accept that when you turn on a new feature, you implicitly trade off some response time. Thus you had to find the right balance of how secure the firewall (and hence your network) was set to be and how this would deliver on user expectations as to web page load times etc. We like turning the whole UTM suite on as, when configured correctly, it will more than pay for the cost of the firewall over time. It does this by helping reduce instances of (for example) staff accidentally loading malware onto their PCs as every page is virus scanned, checked against a good reputation database and regularly updated blacklists, to ensure that the risk of loading something bad onto your machine is minimised. This saves staff time from lost productivity while their machine is down, saves time and cost in IT support for the company, and reduces risk of data loss through a Trojan getting into the system. If it all works as it should (it does) then IT gets to sleep easier over systems and the only problem you are then faced with is that as it works so well, management might question if a firewall is needed as 'we don't have any network security problems'. The answer to this is of course that it is partly thanks to the firewall that this is the case (and of course your efficient patch schedule, up to date endpoint antivirus, secure DNS and careful network privilege management etc.).

2) SSL-VPN - This is not a new feature for Watchguard, but it is one that was not available on the older firewall that was in place at our client site, and something that many may have available on their firewalls but not currently be using. While the world is moving to the cloud, and the latest Watchguard firewalls are very 'Cloud Connected', there are still plenty of times when you need to connect from a laptop or home office PC back to your office network. One of the very best ways to do this is with an SSL VPN (as opposed to an IPSEC or PPTP VPN). If these TLAs (Three Letter Acronyms! - and yes, there are 4 or 5 here) are confusing, then suffice to say that PPTP is generally regarded as weak and obsolete, IPSEC can be secure but is also complex, cumbersome and liable to be blocked, but SSL VPN connections will allow you to connect to your office from anywhere you can get a secure web page (i.e. hotels, airports, anywhere really). Now you can have a reliable and robust VPN that works from nearly anywhere with minimal hassle. The M200 makes this easy: with a few clicks it is configured, and the corresponding client software setup is a 'click Next, click Next' install. The bottom line is less frustration as a business user when travelling, in terms of getting online from wherever work takes you.

We only had two points here, but have actually covered many areas. When you invest in IT, you need to consider not only cost but also benefit, ROI, TCO etc., next to which the dollar cost of the machines pales into insignificance over time.

To sum it up, we like the new M200 series fireboxes as they really do let you have your firewall UTM cake and eat it. 

Are you logged in with admin level credentials on your computer right now?

If you are reading this then there is a fair chance that you're categorised as a 'power user' or a full administrator on your IT systems. There is also a fair chance that right now, you may be logged in with an account that has admin rights to your local machine.

If you ask someone: 'Do you need admin rights on your computer?'; the answer, 90% of the time, is: 'Yes, I could not work without this'. Psychologically, we all like to have the power of full admin control to our own computers all the time. If you are used to having full admin rights to a local machine then this is hard to give up, and giving this up can be akin to giving up smoking, gambling, etc. Admin rights are addictive!

It is best practice (and essentially undisputed) to set permissions on the basis of the least privilege required. Part of this is making sure that you only use the login / admin / access rights that you need at the time. For normal day to day use, we should only be logging into a computer with 'user level' access.

The reasons for this are many and whilst you probably already know these, the key ones are worth reiterating:

1) Reduced Malware Surface and Risk - By using a user level permission account in day to day use, you minimise the impact of any malware that you may inadvertently come across while browsing the web etc. While there may be some malware that can very cleverly bypass permissions on a computer, or exploit zero day flaws, assuming your computer is up to date you reduce the attack surface (and hence the risk of contracting malware, viruses and APTs (Advanced Persistent Threats) on your computer) by about 95% by using user level rights most of the time.

2) Regulatory Compliance - Nearly every IT security and relevant industry regulation standard specifies that organisations should adopt the principle of 'Least Privilege'. This includes UK PCI DSS standards, ISO27001, Sarbanes Oxley, UK Financial Conduct Authority (FCA, formerly FSA) etc. This covers not only compliance from the security standpoint, but also compliance with company IT policies - for example, with company software licensing and authorised software. If a user does not have admin rights then they can't install a bit of software which is not approved or licensed. Thus, administrators and company managers can be confident that there are not any hidden liabilities around and that change control is maintained. We've seen many occasions when a user has installed a piece of software that either 1) has a hidden (and very undesirable) payload or 2) causes unexpected repercussions if, for example, it installs DLLs that then cause other software to run less reliably - which may not be easy to diagnose, as the problems might not appear straight away and sometimes are only cured by a restore from image backup or, at worst, require a complete PC rebuild.

3) Evidence Proves the Point - Analysts such as Gartner have proven that statistically, if you remove admin rights from most users, then you reduce security breach incidences, and also save money and wasted time in IT support. Least privilege makes for a more supportable, reliable, productive and hassle free environment, with lower support cost through both a reduction in direct support costs and less lost productivity when a user is unable to work for a while.

If you want a second, third or fourth opinion on this, Google 'IT security best practice for least permission' or look at other blog entries like http://blogs.gartner.com/neil_macdonald/2011/08/23/the-single-most-important-way-to-improve-endpoint-security/ which makes the point well too.

So how do we address this practically?

The first thing is to admit that we have a problem and accept that you may be an 'adminrightsoholic' personally, or indeed even suffer from endemic CEPS - Corporate Elevated Permission Syndrome, to coin a phrase or two. You know you have admin rights, that others have full admin rights, and that you should give these up in every day use - you could give them up but you choose not to. Maybe you should stand up right now and state to the office that 'I'm an adminrightsoholic and I'm admitting this as the first step to changing my ways. I know it is not going to be easy and I'm going to ask for your support as trusted colleagues in getting through this tough time for the benefit of myself and the company. Will you join with me in this righteous journey?'

The key is to take things one step at a time, and learn to live with user permissions one day at a time.

The first steps:

We can address this personally and across a company. In taking Gandhi's words to heart that you should 'be the change you want to happen' the first place to start is on your own desktop or laptop computer.

If you are an administrator in a company, or genuinely (and in that one word lies a world of debate and scope for backsliding) need access to admin functions on your computer, then the best thing will be to create (if you don't have one already) a separate local admin account on your computer. For example, if you are BobP and this is your normal login, then you could perhaps create an account called 'bobpadmin' or suchlike. Both your new and normal accounts should have secure, complex passwords (not something easy to guess, or Password123 etc.). Give the new admin account full local machine admin rights. Then log out of your normal account and log in with the admin account. Remove admin rights from your normal user account on the local machine, such that you are only a User (plus any other special groups you need). Then log out of the admin account and back in with your now regular user level account. Congratulations; you just went cold turkey on desktop admin access on your Windows PC. Continue to work as normal and you can feel smug that you've given up your full admin permissions in day to day use. If and when you need to install software on your machine then you can, but run the installer as your admin account.
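The 'dual account' steps above, scripted as an added example (this is not Onega's code). It assumes the LocalAccounts cmdlets that ship with Windows PowerShell 5.1 on Windows 10 / Server 2016 and later, and uses the post's 'BobP' / 'bobpadmin' names as placeholders; the lockout check in step 2 is the one people most often skip when going cold turkey.

```powershell
# Added example, not Onega's code. Placeholder account names 'BobP' and 'bobpadmin'
# come from the post above; change them to suit your own machine.

# Step 0: answer "am I running with admin rights right now?"
# An admin account in a non-elevated (UAC-filtered) session also reports $false here,
# so Test-IsLocalAdminMember is the better gauge of what the account *could* do.
function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-IsLocalAdminMember {
    param([string]$Account = $env:USERNAME)
    $members = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    return $members -contains "$env:COMPUTERNAME\$Account"
}

# Step 1 (run elevated, while still logged in as the daily account): create the separate
# admin account. The password is prompted for, never hard-coded into a script.
function New-SeparateAdminAccount {
    param([Parameter(Mandatory)][string]$AdminAccount)
    if (-not (Get-LocalUser -Name $AdminAccount -ErrorAction SilentlyContinue)) {
        $password = Read-Host -AsSecureString -Prompt "Strong password for $AdminAccount"
        New-LocalUser -Name $AdminAccount -Password $password `
            -Description 'Separate local admin account, used only for elevation' | Out-Null
    }
    if (-not (Test-IsLocalAdminMember -Account $AdminAccount)) {
        Add-LocalGroupMember -Group 'Administrators' -Member $AdminAccount
    }
}

# Step 2 (run after logging out and back in as the new admin account): strip admin rights
# from the daily account. Refuses to proceed if that would leave no working local admin.
function Remove-DailyAccountAdminRights {
    param([Parameter(Mandatory)][string]$UserAccount,
          [Parameter(Mandatory)][string]$AdminAccount)
    if (-not (Test-IsLocalAdminMember -Account $AdminAccount)) {
        throw "$AdminAccount is not in Administrators yet; fix that first or you will lock yourself out."
    }
    if (Test-IsLocalAdminMember -Account $UserAccount) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $UserAccount
    }
    # Plain 'Users' membership is all the daily account keeps.
    $users = Get-LocalGroupMember -Group 'Users' | Select-Object -ExpandProperty Name
    if ($users -notcontains "$env:COMPUTERNAME\$UserAccount") {
        Add-LocalGroupMember -Group 'Users' -Member $UserAccount
    }
}

# Step 3 (day to day, as the standard user): run an installer as the admin account.
# -Verb RunAs raises the UAC prompt, which for a standard user asks for admin credentials,
# so the daily session itself never gains admin rights.
function Invoke-InstallerAsAdmin {
    param([Parameter(Mandatory)][string]$InstallerPath)
    Start-Process -FilePath $InstallerPath -Verb RunAs -Wait
}

# Usage, in the order the post describes:
#   New-SeparateAdminAccount -AdminAccount 'bobpadmin'
#   ... log out, log back in as bobpadmin ...
#   Remove-DailyAccountAdminRights -UserAccount 'BobP' -AdminAccount 'bobpadmin'
#   ... log out, log back in as BobP ...
#   Test-IsLocalAdminMember          # now $false for the daily account
#   Invoke-InstallerAsAdmin -InstallerPath 'C:\Installers\example-setup.exe'   # placeholder path
```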

You'll find that actually everything works fine. In reality we don't install software very often so you'll only rarely need to enter the higher level account details for elevated permissions. If you're still considering all this, ask yourself when you (knowingly) last installed a piece of software on your computer.

As I type this I can admit that 'I used to be an adminrightsoholic' and have now turned over a new leaf. It was hard to do, but now I'm glad I have and, like many things, this is something I should have done long ago. I can now be the most annoying type of reformed addict, who evangelises to the world about the benefits of giving up.

At the wider corporate level, it is important that users and rights are documented and set on the principle of least permission. Some users may genuinely need admin rights, but it is best if the dual account method is used here too, to minimise use of elevated rights. This includes very senior network admins, who should also have both a user level and an admin account so that things are done the right way and in the right place. If you are an Onega client then you'll have access to our Policies and Procedures Wiki Site, where you can see formal policies for some of these: see http://intwiki.onega.net and the relevant section on this. If you are a current client and don't have access to this, then feel free to contact us by any means at http://www.onega.net/contact. If you're not a current client, we'd love to chew the fat, talk IT and discuss you becoming one :-)

Some advanced solutions exist to manage elevated permissions and remove various back door and human risks, including Avecto and Viewfinity. However, beginning with the simple steps above is a good start. If there is enough demand, we'd be happy to run support group sessions for recovering adminrightsoholics, where you'll be amongst friends.

Wishing you happy and safe computing but bear in mind that, just like all the best fictional characters, IT superheroes should remember that whilst it is great to have superpowers, you should: only use them when you really need to, only use them for good and keep them hidden at all other times.

Onega provide subsidised Internet connections with Connection Vouchers

Onega Ltd are fully registered as an accredited supplier for the UK Government's SuperConnected Cities Connection Voucher Scheme. This allows us to provide (for qualifying companies) free fibre and other fast business grade broadband service installations. The subsidy here covers up to £3,000 of install costs and is designed to help kick-start the next phase of the UK's digital economy.

Having enjoyed 100Mbps and gigabit Internet speeds here at Trinity Buoy Wharf for the last couple of years, we can attest to the benefits of very high speed broadband. The Internet just works and downloads, video calls etc. are all smooth and seamless which is how they are meant to be. If you are currently on ADSL, ADSL 2+ etc. then you'll benefit from a big improvement here.

If you are located in London or Docklands and want to experience how Gigabit Internet feels, then bring a laptop and visit us and we can plug you in :-) The SuperConnected cities project now includes areas in the UK from Newcastle-upon-Tyne to Chelmsford and Southend (and many other cities).

It is important to remember that the subsidy is only on the install costs and that you have to pay for ongoing costs, but you also reap the benefits at the same time.

Based on a postcode and phone number, we can quickly check which providers cover your area, and what the best deals are based on your requirements. So please do contact us for a quote, with no obligation.

To further reduce the costs, if you have some neighbours who are also interested, you can split the costs and the benefits with them, so that you only pay for a portion of the ongoing costs but benefit from all the speed available. We've done this a number of times and can help to broker 'good neighbour' agreements on the lines. Sharing an Internet connection is still secure as you'll have your own firewall (something else we can help with if needs be).

See https://www.connectionvouchers.co.uk/cities/ for details of the cities that are covered. We can help you get quotes and fill in the paperwork (all electronic forms now) to apply for your voucher. Then call us on 020 7536 6350 to see how we can help or drop us a line via http://www.onega.net/contact .

Insource, OutSource, Co-Source or Tomato Sauce?

When it comes to managing IT in a small to medium (or even large, for that matter) organisation, there can sometimes seem to be too many choices as to how to do things.

The tough job of the IT Director (or board level member or team) is to work out which is the best path for a given company. There are many conflicting options and vendor advice is often tainted by sales pitch and ulterior motive.

Before any decisions can be made, it makes sense to think about what decision is to be taken and why this is to be taken. Here some impartial outside advice can help. At Onega, we like to be highly ethical and recognise that if we are asked to help in these strategy decisions, there may be a conflict of interest given that we are a provider of IT services ourselves. To be blunt, we'd obviously stand to gain much more if a company was to choose to outsource all their IT to us than if they chose to manage it all in house. However, we also know that what is in the client's best interests is also in our own best interest in the long run and the most efficient mutual engagement will also be the one that endures the longest as it will be most advantageous all-round.

Onega are also willing to exclude ourselves from an Outsourcing tendering competition if it would mean a conflict of interest at the consultancy level. There is a lot of value in having an impartial partner on board to 'keep the other guys straight' and ensure you are getting what you pay for in service.

So do you insource, outsource or do things jointly? Here are some bits of advice we have and factors to consider in deciding what is right for your organisation:

  • How much resilience do you need in a service? I.e. do you need a team to cover a role to allow for peaks in demand, or would it not matter so much if a service was not provided for a particular period of time? For example, if only a single member of staff knows a particular process, then there may be problems if they go on holiday or are ill etc. A team may also be better able to spread the load when everything happens at once (which it invariably does from time to time), where a single person only has so much resource and capacity.
  • How much is absolute lowest cost an issue vs greatest value? As a rule, if you have enough work to keep a directly employed individual productively engaged the whole time, then this will be best done with direct employment. An outsourced provider and a direct employer would (all things being equal) offer the staff member a competitive market salary, pension, taxes, benefits etc. However, an outsourced provider also has to make some profit from the arrangement and contribute towards their operational overheads (rent, admin expenses etc.), whereas a larger organisation would also have to pay these but is already likely committed to paying the rent, HR etc. in any case.
  • Do you need to formalise processes? In a small internal IT organisation, it can be a perennial problem to instil the discipline to implement full management reporting, job ticketing, ITIL processes (or subsets) etc. Internally this will always be hard, as when the phones are ringing (or email is pinging in) the urgent matter of helping people with problems will always trump the not so glamorous formal process of documentation. Adding an element of external support can help to embed some formal process, as it becomes an inherent part of communications with and inside a client where the in-house and partner organisations need to collaborate on matters. This can help get to optimal process adoption efficiency.

These are just a few factors. While the fashion is to outsource, it can be smart to do this selectively for projects and services that are outside the normal skill base of internal staff but to keep core resources in-house. There is also the motivation and allegiance of a member of staff to consider.  If an individual is working directly for an employer, then their allegiance will be to themselves, their family and then their employer; whereas an outsourced worker will have allegiance to themselves, their family, their direct employer and then their client, although as the outsourced services provider succeeds when the client is happy, this should be aligned. In some cases this might not be such a clear line.

Onega work in multiple forms of engagement with clients, depending on what their needs are and what is right in the circumstances. Where it is right, we've had a number of successful and fruitful long term engagements with clients where our IT service desk staff augment the client's in-house resources. This can include providing overflow when it is very busy, an ear to sound ideas off (chances are that we'll already have done, and learned lessons from, a project you might be considering) and cover when someone is off. By having the skills and engagement of a couple of Onega team members at a client site, the costs for the client are minimal (typically a reasonable minimum number of committed engagement hours per month is agreed, and beyond this we are available flexibly for your service). This approach typically works for in-house IT staff as well as for company Finance, as it helps keep the balance of cost / benefit without the need for drastic offshoring which a company may come to regret.

If such an arrangement might work for you then please do feel free to give us a call and we'll be happy to meet and discuss.

Title image kindly from https://www.flickr.com/photos/calliope/439238208

Lotus Update - Combustion Conundrum

Readers with long memories will be aware that Onega is the owner of a 1969 Lotus Europa Series 2 Car, which is currently up with Banks Service Station (Europa Services) under Richard Winter.

2015 will hopefully be the year that the car returns to the road. When it went up to Banks some years ago, it was in a fairly sorry state - being original and much loved over the years, but also in less than perfect condition. Okay, in quite a poor state all-round.

The original intention was to make the repairs needed to the bodywork, renew the sub frame and replace the engine, which was strong but thirsty, with a Fiat 1.2 Diesel Turbo engine from a donor vehicle. The reasoning behind this was that it would make the car reliable (not that the original Renault engine was any trouble) and economical, as well as reducing performance to a level that should still be fun but also reasonably non life threatening.

At the time of writing, which is January 2015, I've had a good catch up chat with Richard this week and we have a joint resolution to get the project through and completed. Things have changed over the time since Onega acquired the vehicle and classic car values are on the increase which means we have to revisit the originally intended path of the diesel conversion.

The diesel engine is a transverse unit (fits across the body), whereas the original engines in the cars were longitudinal (engine at 90 degrees with the body and in line with the central shaft of the sub frame). Thus to fit the diesel engine in, a number of modifications to the frame are needed and possibly the bodywork also. These would likely need to be quite substantial changes which would inevitably detract from the originality of the car.

We are less worried about originality and purity of the vehicle, but it does seem sensible to maintain a good degree of originality if it agrees with logic; although we're committed to features like modern brakes which have improved substantially over time.

For anyone that is not familiar with them, the Lotus Europa was an early mid engine sports car (the third mid engine car design in the world after the Lamborghini Miura and the Ford GT40). Our car, UNG 135G was one of the original white UK launch cars from when these were introduced into the UK in 1969 - the Series 1 having been export only.  

So now we have to make a choice on what engine to put in the car; this is a fairly key decision as it dictates the course of the rest of the work to be done.

The main choices are:

1. Keep the original Renault engine - This would be ideal for originality and it sounded good & ran well but averaged about 20 something mpg; which was the main reason for considering the diesel option as we want to make good use of the car.

2. Go for the diesel engine as originally envisioned, with the changes to bodywork etc. that might be needed. The chances are that this would cause us to need to also swap out items like the Smith's instruments on the dash and other original features we rather like that add to the ambience and spirit of the car.

3. Consider a Vauxhall 1600 engine - This would work with the original sub frame, give performance of approx. 0-60 in 4.5 seconds and about 170 mph tops we gather, as well as 30 something mpg. The performance here is more than we need, but this could be restricted a little if needs be.

4. Think of something else - Electric, hybrid, hydrogen, a longitudinal diesel perhaps?

Choices, choices... but something important to consider.

Our criteria are:

  • Operational efficiency (MPG or equivalent)
  • Reliability - ideally this power plant will have a good long life in service.
  • Engineering compatibility with the car body (i.e. engine has to fit, made to turn the wheels and work).
  • Cost - we have to be able to afford the engine and the fitting in the first place.
  • Forthcoming changes to London ultra low emissions zone and congestion charging zone requirements and pricing.

Right now we are doing some quick research into the options. One benefit of the Europa is that it is of lightweight construction; Colin Chapman's mantra and design philosophy was to 'simplify and add lightness', and this benefits us: the car is around 650 kg, which compares for example with the Tesla Model S at 2,108 kg, and power to weight ratios make for big performance differences (or correspondingly lower power requirements). The Tesla does have a lower drag coefficient than the Europa at 0.24 vs 0.3, but the Lotus is now 46 years old and still much slipperier than most modern cars. Actually, a single Tesla motor might be a nice solution if the good folks at Tesla have one to spare :-)

We hope to have a decision as to direction within a couple of weeks in this matter and in the meantime are looking at the other elements of work needed, such as re-chroming where needed etc.

Watch this space - photos and updates will follow.