Someone I know came to me the other day about a consulting project that may or may not happen.   What essentially he wants done is an overhaul of IT infrastructure.   They want more automation to their operation and they deal with physical goods.  So from receiving to shipping, to everything in between they are looking to streamline.    They want to do more with less, less equipment if possible, less people if possible, less stress if possible.   In other words they want what every other company in the world wants.

Currently they have a software package that does some of this, but it doesn’t do everything they want it to be able to do.   I don’t have implicit knowledge of the package, other then I’ve created firewall rules when I was consulting with Symantec to pass the traffic.   So my first question is the scope of the project.   The person I was talking to didn’t exactly no what I meant by that.   They were more worried about the big picture ideal instead of what a consultant would need to work with.  A vision of the end goal is great, but without specific tasks to get there it definitely puts an implementer at a disadvantage.   He stated that we would have to do a sit down and discuss the issue and layout of the business process.   This is a good step, but part of why I’m writing this is to help others know the answer they should have when going into something of this magnitude.

Easy, Hard and Correct

The first question is why do you want to do this?  There are easy answers, there are hard answers, and there is correct answers to this question.    Some of the easy answers include – I want everything to work together better, we want to build to the future, and I have to spend my budget before the end of the fiscal cycle and want to try out this product.    Hard answers include we want something more manageable for our IT staff, we want it to run faster in our environment, we want something we can understand.

There are reasons that these are the easy answers and hard answers.  The first and foremost thought is to remember to sit down with a consultant or someone who understands the technology thoroughly enough before ever sitting down with a salesperson.   To sales people, these are all easy and correct answers.   They will tell you your toast can be used to transport computer network traffic with the right purchase, they are there to get your money.  It’s the one reason I can never be a salesperson.  I like people using the correct solution, not necessarily the solution that I am selling.   Even when I worked at Symantec, I knew Symantec products were not the best products for all customers.   Some customers only changed products because they had money to spend and ended up worse off for it.    Salespeople are tricky creatures that guard their bonuses like Disney guards it’s copyrights.

Easy answers are normally very vague,  they tell a salesperson of consultant that you haven’t really though to much about the problem.  You have a basic idea of what you want, but you don’t know any specifics.  The problem with the easy answers is that they are also the most expensive answers – this allows those that are implementing something to sell you what they think is best, regardless of how it will fit into your business six months down the road when they are gone.  You will have to make some decisions on your own, and this should not be listening to the best sales pitch from two competing vendors.  The best sales pitch does not necessarily equate into the best product.

Why are the hard answers difficult?  What that’s because everything is relative.   Going back to my examples can show you this.  We want something more manageable by our IT staff, well how trained is your IT staff?   Do your employees know alternative operating systems?  Does your staff only run Microsoft products?  Is this faster for your environment?  What about a year down the road and the nightmare efficient system breaks because of infrastructure changes you were forced to make?  Everything comes down to you knowing your environment and your plans for the future.   A consultant only gets a glimpse of time into your configuration and is not going to be the full time employee running this stuff.   They won’t know how your future plans could be effected if you don’t tell them your future plans.

The correct answer?  That include being as specific as possible.  Let’s say this is to implement an Exchange Server migrating from a Lotus Notes architecture.   Why would I want to do this?   Lotus Notes has been long in the process of being a headache for us.   The administrator that runs it is retiring in six months and we have other employees that could scale up quicker to learn  Exchange then Lotus Notes.   The collaborative features in exchange work in Outlook, which our company already loads on all the desktop since we have a full Microsoft Office License on all of the desktops.  About 30% of our users already use outlook to retrieve their e-mail, even though they all have the Notes client installed on their desktops also.   Being able to consolidate this would save us thousands a year since we would no longer need a support contract or license fees paid to IBM to support the old Lotus infrastructure.    The more complete and specific the answer, the better the consultant can answer your questions.

Do You Listen To Alternatives?

Even in the Exchange scenario seems complete.  How rigid are you to suggestions?  What if the consultant offers up other alternatives such as a web based e-mail solution that would still allow Exchange to connect and retrieve e-mail? While a Linux/Apache approach may be cheaper, you could also implement it on top of IIS.   Building with some other technologies you could gain all the collaborative powers of Exchange for thousands of dollars less.   Those who didn’t want to use Outlook could use a browser.  If you combine this with a secure remote access solution this would allow for a possible quicker and less bandwidth connection for telecommuters if that is where your company is going.

Knowing what your plans and how rigid they need to be help a consultant decide what avenues may be the best approach for you.  While I offered up a free solution, another consultant may offer ways to augment your current Notes infrastructure to fit your needs.  The best consultants will offer alternatives to your current line of thinking.   You do not have to listen to them, you can stay focused, but hearing how open you are is important.

Timeline

A timeline is something you should have in mind sitting down with the consultant.  He needs to know deadlines and what your expectations are.   Does this need to be done in a week or a year?  How are your current employees going to ramp up on the new solution?  While a consultant may reset your timelines to something more realistic, knowing what type of time frame you are trying to achieve is important to the success of the project.   It also tells the consultant if they are going ot need to bring in more outside help.

Breakdown of Tasks

Have you compartmentalized your tasks?  The person that contacted me was looking for a complete end to end solution, is this what best?   In a solution like that how are you going to handle the transition time?   You don’t want to migrate the whole solution at the touch of a button, since any big architecture change can effect your business continuity.  For some businesses any downtime at all is lost revenue.   A consultant wants to make this impact as minimal as possible.   Even when you do the best planning and compartmentalizing sometimes you will get stuck on a twenty-three hour conference call working through the issues of down time.   When this happens I can tell you it’s not fun.  That was also with a staged migration.

What segments of your business can be down for hours at a time?   When you can answer that you can start staging your tasks.  The tasks that can be down the longest generally should be the first ones migrated, since they should give you expectations for later tasks, and allow you to plan accordingly.   Do not re-architect the design so the whole system (no matter how small) to be done in one night if there are multiple groups effected in the transition.   Design the impact to be as small as possible.   Yes, this may increase time – which in turn increases expense, but without proper planning it may cost you more in the long run.

Cost

The question that no likes asking or giving, what is your budget for this task.  You can wait for the consultant to make a cost estimate pitch first if you like – but at some point in the conversation cost is going to come up.   Do your homework ahead of time to see how much you expect it to cost and budget accordingly.   What are you going to do if things go over budget?  If your three quarters way through a project and haev no more money to finish it, how is that going to impact you?

In Closing

This may seem like a list of things that I want as a consultant.   These are however fairly common truths on what a consultant needs to start a project properly instead of spinning their wheels.   In the next week or so I’m going to follow this up with how to spot a good consultant versus a bad one.

]]> http://creeva.com/2009/02/10/things-you-should-be-able-before-to-answer-contacting-a-consultant/feed/ 3 http://creeva.com/2008/12/23/money-isnt-everything/ http://creeva.com/2008/12/23/money-isnt-everything/#comments Tue, 23 Dec 2008 15:49:50 +0000 Creeva http://creeva.com/?p=3817

Picture from here

Money isn’t everything.   We treat it like is though.   Some people can’t understand when I say I don’t necessarily want more though.   I of course do want more money, but at the same time I don’t.   What I truly want is more freedom, more time, and more enjoyment from what I do.

I’ve had a couple jobs that I enjoyed more then anything else.   The first was working at a small PC shop.  It was my first break into the IT industry, in which I’ve done well climbing the ladder.   I interacted with people, I was a problem solver.  I was one of hte go to people that could fix almost anything.   I’m the type of guy that you throw problems at and I’ll swat them away like annoying insects.   It was my forte, the only thing I was really lacking at the time was high end networking.   I could make computers talk, but as I learned in my next favorite job I truly knew nothing.

The next job I can say now that I truly loved was working at Symantec’s enterprise firewall support call center.   Like the small PC shop after a year or so I came into my own and had my own groove.   After three years being on the team I had closed more tickets then anyone else in level one and level two support (I left being the team lead).    I also held the record for the most calls handled in one day.   The irony about having the most tickets closed is that 30-40% of the time I didn’t even open a ticket for the call.   Our call center software was so slow that it took 5-7 minutes to actually open and write up a ticket.  I made a deal with my managers (I’m sure some higher ups wouldn’t be happy) – that if I could handle the call in under five minutes and be almost positive that they wouldn’t be calling in on the same issue that I could just skip the ticket process.   So for volume, by the time I left I handled far above and beyond what everyone else had ever handled.    Symantec has since dicontinued the product, it lasted about another year and half after I migrated into consulting that it went kaput.  I wonder if anyone caught up to me in the call record or number of handled cases before it was gone.

This isn’t about bragging rights, I’m sure it sounds like it though.   What did both of these jobs have in common though?  They were both hectic chicken running with it’s head cut off problem squashing affairs.   I work best where I have a new issue every fifteen minutes or a nagging issue that would keep me up at night trying to solve.   As you move up the ladder you loose that.  You are working on long and engaging projects where the problem takes five minutes to engineer, yet in turn takes six months to implement.   I’m still good at what I do, but it’s not exactly the best fit for my skill set.   This in turn leads me into a spiral or more money versus more enjoyment.

Me and my Grandfather (Not a Recent Picture)

I had a conversation with my grandfather a few weeks ago, he told me how lucky it was that I had a job in today’s economy (I am), and that it would be difficult to move up in the area I lived.  I started to explain to him that I could more then likely finding a better paying job, but it may not be as stable in the long term as my current one.   I also said for the right job I would work for less then I currently do.  Somehow in his mind that didn’t compute.   In an abstraction of what he said, essentially he thought climbing the ladder should be what is important.   I told him with the right job, I would take a 20% pay reduction.  Granted that wasn’t my end goal, but for the right job in the right environment I would take my family down to the bare level where we could maintain everything.   Why?  I would be happier.

We are taught early that you need to learn so you can better then”random example”.   So you can go to college and maintain that edge and not be a janitor.   So you can get the huge house and be better then your neighbors.   If you neighbor buys a Lexus you are taught that you should buy a BMW.  It’s a mad dash to prove that your better then everyone else.   To prove that capitalism runs the world.  If we are not working to that we are either considered un-American, stupid, or lazy.   Granted I am a bit lazy, but I can work.    I was born July 4, 1976 so I don’t consider myself un-American (I’m a Constitutionalist).   I’m not stupid either.

I think this mindset first hit my family when I wanted to go to college for music performance and creative writing.   They always said I wouldn’t make any money with that.  I was seventeen and brave enough to say that if I was happy I could be living on a street corner in a box as long I was writing and playing music.   They never understood that.  If I didn’t have my wife, and a love for electronics (I didn’t have that love back then), I could probably still do it.   My life hasn’t greatly changed at the core in the last decade though when I was first with my wife.   We live essentially the same way, we have a few nicer things, a house, a car payment – but our basic lives are still the same.  I’d say the greatest difference is that we can not stand hamburger helper anymore.   I still eat the occasional cheap ass boil it  ramen, and she enjoys Kraft Macaroni and Cheese still.

Too many people in this world work for money.   Money is needed to survive (I have a friend that would argue that), but at the same time it shouldn’t be your singular goal.   When I was younger I had a certain goal financially I wanted to make, I did through different means.   I’m not at that level right now (I have no stock options to sell anymore), but it didn’t make it me any happier.   These days I write more, I play in two bands, I’m learning new instruments, and I have a baby that should arrive in the next couple months.   I’m juggling the things that make me happy with work, what if I could be blissful with my job too?  Some days I hate my job, most the time I’m just meh.   If I could get the hair pulling problem solving hectic life going again it would be great (must be my undiagnosed ADD).  If I could do it at the same pay level or better, that would be awesome.

I really need to get some more recent pictures of myself

Going further into my reviews of kiosk systems we acquired the Surferquest system here at work.   Unlike my piece on SteadyState I’m not going to have a bunch of screen shots to show you this time.   However I will give you my analysis and what I’ve found out.

The Surferquest system is an off the shelf software with minimal customization.  We ordered an evaluation unit and I was tasked to try it out.   I can say for our needs as a company that requires centralized management and control of machines in our environment that the Surferquest system was not quite a correct fit for us.

In our environment we don’t normally place a machine on our network until it is fully tested and verified secure, but this product is pretty much useless until it has a network connection.   I had to contact support and they gave me an unlock code that would allow me to make changes to installed software.  The unlock code lasted only 24 hours, but they sent me a utility later on that would allow me generate unlock codes for myself.

Almost all of the customization that can be done is performed remotely by Surferquest.  This means if there is a major application change that needs to be completed you need to contact them.   Do you wish to customization your login screen?  You must contact them or upload the images to their server.    You can not perform these changes locally on the box or locally within your environment.  Wish to change the active desktop they used?  Same steps apply as changing the login screen.

Restrictions applied to the software:

Disable Windows Updates
Remove from Start Menu:
My Music
My Pictures
Favorites
Recent Documents
Frequently Used Programs
Recent Network Docs
Network Places
Help
Run
My Documents
Configure Programs
Disable Windows Keys
Lock Taskbar
Disable Control Panel
Disable Balloon Tips
Remove OEM Link
Disable Task Manager
Disable Registry
Disable Find Files with F3 in Explorer
Prevents Control Panel, Printers, and Network and Dial-up Connections from running, and removes the corresponding menu items.
Removes Shut Down from the Start menu and disables the Shut Down button in the Windows Security dialog box.
Disable System Restore
Clears Recent Documents on Exit
Disable access to Recent Network Documents
CTRL key disabled

As you can see, though they use a different product to achieve the same goal, it has similar technology to the Microsoft Steadystate product I reviewed in part 3.

You can put the software within you domain, but the software will still be phoning home to the Surferquest company. While I’m positive that there is nothing sensitive being pushed across, like any company that you would have do remote assistance make sure you trust them in case of any possible data leakage.  The official answer is that it only sends out IP address information and the last time connected.  You can view this information on the stat web page they provide you

If the drive in the unit should fail or there is a hardware issue in need of support, no software is supplied.   You must receive new hardware from the vendor and return your old unit.  They state that turn around time is usually 24 hours.   Any remote management or patching must be performed by the vendor and is done via remote monitoring software that they have access to.    The software is caused Netsupport and it sneaks out your firewall on port 22 – now all you admins that left it open for SSH can feel silly (actually that’s how the firewall support team snuck out the corporate firewall there and back to their home computers when I worked at Symantec on that team).

Quick Notes

• Idle timeouts can be configured, but they default at 10 minutes.
• They use the Deep Freeze product to maintain their disk image
• When we received the unit PXE booting was enabled (and we didn’t have a BIOS password – they stated this was a mistake)
• The unit we received had PowerDVD installed, ironically no DVD drive (another oversight they admit)
• Unlock Steadystate there is no method for restricting USB drive usage

Box the unit shipped in

Front of the unit

Top of the unit

Rear of the unit

If you deploying this in your environment you need to make certain you can accept the security and loss of control you have over this unit compared to other machine in your environment.   I see this fitting more in the public space kiosk scenarios suchs as libraries or hotels.   Because they do lack the centralized control that you would normally deploy in corporate environments I say give this one a pass or at least look hard at what you are trying to accomplish.   For the public space this is a great product, extremely low maintenance, the ability to monetize but charging a fee (customized through the stat page),  and extremely well versed and fast techinical support.   If you want to deploy an Internet Cafe in your area this is the product for you.

The Kiosk Series:

The Kiosk Series – Part One – Choices For Your Environment

The Kiosk Series – Part Two – Management Considerations For Your Environment

The Kiosk Series – Part Three – Microsoft SteadyState vs Group Policies

Personal writing:

• Holy Cross Posting Web Integration Life Caching Nirvana
• Gnome Conduit – Oh How I Hate to Love You
• coComment and Why It’s Important to Your Life Caching Needs
• Slashdot – Not Really Ready For Data Portability
• Bypassing Your Corporate Firewall Filtering or How to Torture The Firewall Admin
• Feedwordpress – De-Duplication Possible?
• Virtualizing Your Training Environment For Quick Restoration With VMware
• The GFQ5 Story About Creeva
• My Great Internet Data Clean-Up
• Why Can’t We Get Past Race and Gender

Links:

• Creeva’s Daily Link List 02/08/08
• Creeva’s Daily Link List 02/09/08
• Creeva’s Daily Link List 02/10/08
• Creeva’s Daily Link List 02/12/08
• Creeva’s Daily Link List 02/13/08
• Creeva’s Daily Link List 02/14/08

Posts on other Web Services:

• Twitter Updates for 2008-02-08
• Twitter Updates for 2008-02-09
• All Consuming: Creeva 02/10/08
• links for 2008-02-11
• Twitter Updates for 2008-02-10
• coComments by Creeva
• All Consuming: Creeva 02/11/08
• Twitter Updates for 2008-02-11
• coComments by Creeva 02/12/08
• Twitter Updates for 2008-02-12
• coComments by Creeva 02/13/08
• Photos from Creeva 02/13/08
• links for 2008-02-14
• Twitter Updates for 2008-02-13
• links for 2008-02-15
• coComments by Creeva 02/14/08
• Twitter Updates for 2008-02-14
• Twitter Updates for 2008-02-15

I will first start off a couple disclaimers. I don’t do this at work, I don’t need to. I respect my corporate policies and completely recognize why they are there. This being a mental exercise that stemmed out of a misconception on how our local firewall works. I love the mental exercises on how I would do something and then drop it since I’ve essentially completed my goal and do not need to test it. If however you do feel the need to test this at your school or work I take no responsibilty for your actions. You are on your own and responsible for your own actions.

I’m also too lazy to give explicit step by step instructions on setting

Step 1.

You have two choices you need to decide on depending on your capabilities, either setting up your home computer to proxy for you while your at work or buying a cheap hosted website online. It all depends on if your ISP allows you to get to your home machine or if they block it. (Yes with a hosted it will cost you money but the link I gave you gives you your first domain for free). I would use a hosted solution personally.
Step 2.

At this point I hope you have decided on which solution you are going to go with. Essentially the steps are going to be the same either way, configuration is on your head though. You are going to setup your web server to allow you to connect to it via SSL. This allows your communication to what your network administrator to see as a random web host to be encrypted. This means they will not be able to look inside the packets. The steps depending on operating system and web server capabilities is different in each scenario, so please Google to find how to setup an HTTPS web server for your desired operating system/hosting capabilities. You may need to setup a dynamic dns solution to get back to your home PC if you choose that route.

Step 3.

At this point you should have nice web setup that you can login into via SSL. What to host on the site? You need a site that can go out and fetch pages for you acting as a proxy within the web browser. Their are multiple solutions for this, and this is really is another step I’m not going to walk you through. This is the point where you are committed and going to violate corporate or school policy. If someone wants to right directions for it in the comments I won’t censor them, I’m just not going to be the one that explicitly tells you.

Step 4.

If you can figure it out now what you have is a random SSL that you can use to browse anything your network administrator doesn’t want you to. Sure you could have just used Google’s Cache, but then filtering software still could get contextual information about what your surfing based upon the words in the HTML code. This allows you encrypted anonymity.

What if the network administrator blocks access to my SSL site?

Well this shouldn’t happen unless you share the site with people. If you want your own private surfing enjoyment I would suggest keeping it to yourself. If however you kept it to yourself and you still get blocked there are a couple options to check.

Can you still get anywhere or has your Internet Access been removed?

If your Internet access has been removed do not pass go, do not collect 200.00, within the scope of this article I can’t help you.

Is it blocked by DNS name?

If it’s blocked by DNS name meaning that it’s checking to see if your going to www.bobssecretsslsite.com then you will have to use a new domain name with your hosting provider or a new dynamic DNS name. Yes this might cost you 6.95 (look for coupons through GoDaddy or another cheap hosting registrar, but you really want the Internet your way unfiltered right? If not why are you still reading this, commitment and freedom are not free.

Is it blocked by IP Address?

Well if it is your almost screwed, you need to either get another hosting provider or hope your home computer (if you using that approach) has a random DHCP that will reset when you power cycle your modem.

What if you looks at my Internet Cache?

This is really how they will catch you. There are a few choices you can do. The first is set your browser to clear your Internet Cache every time you log out. This will leave behind file traces if they use undelete utilities on you, but these steps is for the overly paranoid. If you are worried the your network administrator is browsing your temporary Internet Files looking for porn.jpg or some such you have two solutions. The first is using a USB drive and firefox portable installed on that USB drive. This allows you to take your browser whenever you leave your desk.

If your company has a policy banned USB device and you don’t want to break a second policy on top of the one you have already broken, download truecrypt. Follow truecrypt’s step on setting up an encrypted partition. Install firefox portable into the encrypted partition. Now your whole browsing history is saved into an encrypted partition that only you have the password to decrypt.

For bonus points use a combination of truecrypt and the USB key. Encrypted data you can take with you that allows you access to your own web site that can allow you access past any web filtering software.

Warning

Your images are still theoretically stored in your computers memory so , if you computer generates a memory dump you could still get caught.  Also some companies track the flow of information across their networks, theoretically this type of software can also see what you have in memory.  These are the only real flaws I find in this scenario.

Bonus Round

For bonus points on annoying your network administrator who is overly happy about his web filtering solution. Create a new igoogle theme with a bit flesh you crop from a picture you have of someone’s arm and name it porn.job. Have this has the background in your igoogle theme. Double bonus points for making two more jpg’s, one for each corner of your igoogle them. A picture of Richard Nixon named d-ck.jpg and a picture of your cat name p-ssy.jpg. You’ll set of his filtering software everytime you go to google.

Have fun.

P.S.

If this sounds too geeky, too techinical, too complex, or pain in the butt……..then you don’t deserve this solution.

The IETF has maintained the RFC database which defines Internet protocols into the nitty gritty sections that allows other individuals to implement them.  This is all great in theory the problem is some protocols out live their usefulness.  The problem is the insecurity and unfeasibility of these protocols remaining in existence compromises design that should be far more streamlined and elegant.    Without further ado here is my top 10.

1.  FTP

Yes even I use ftp since my hosting provider has made this the only efficient method of getting groups of files on to my hosting page.   A better scenario would be an SSH tunnel or a full webDAV implementation that allowed me access.   Back when I was doing firewall tech support FTP and explaining to people the difference between active FTP and passive FTP.  Here is part of the snippet I used to send to customer to understand at a high level:

In passive mode the computer sends out two data streams – one to request which data to download and another to actually download the data on a random port.   In active mode the computer sends out a data stream requesting the data – then the remote computer connects in on a random port to the requester.

Now  FTP has a bit of usefulness left in since I myself admitted to using it, so where is the complaint?  My complaint a modern protocol should be able to make a connection and transfer files without requiring two ports, a data port and a control port.   This causes havoc on a firewall especially in active mode.   They have tried to shoehorn in encryption as an after thought but this has issues traversing proxy firewall since the proxy firewall has no idea what the data port is going ot be since the connection is encrypted.   Please move on to HTTP for downloading across the web, or bittorrent, or WebDAV – lot’s of modern protocols could be used to address this instead of trying to fix FTP.

2. NFS

I wrote my diatribe about NFS here – I have no reason to rehash it twice in one day.

3.  Gopher

Gopher was the protocol that predated modern web browsers.   Granted I had a grand old time on gopher hosts back in my college days and later crawling through the Internet from the library’s card catalog computers, but enough is enough.  Gopher has no relevance or usefulness in todays internet.    I still see a strong point for the lynx web browser compared to what I could ever fathom using gopher again – HTTP won get over it.

The seminar is scheduled to be 1 hour and 15 minutes – unless it’s a really short seminar and its only 1 minute 15 seconds – in that case I guess this is a hug waste of time.

Waiting for the moderator – we just got a message that the seminar will start in 3 minutes – 2 minutes late btw.

The presenter according to the slide is Kevin Haley, Director of Technical Product Management in the Endpoint Security Group.

Since my understanding is that replaces Symantec Anti-virus there is a drastic change as they consolidate all the products they have purchased in the past trying to get them to work cohesively.

The seminar just started only 4 minutes late.

Kevin is responsible for Symantec End Point protection.

Agenda:
Goals of the seminar
Overview of the product
Migration and Migration issues
Additional tools

Goals:

They’ve muted the participants for our own anonymity *roll eyes* – I know from experience that this is solely to not get stopped by possible trigger points that listeners may have.

We have options of typing in questions and getting them answered in real time.

Product Overview:

Symantec Endpoint Protection 11.0 and Symantec Multi-tier protections 11.0

Multi tier is the new version of SAV Enterprise Edition 8, 9, 10 – customer with upgrade protection and support with Symantec will get a free upgrade. This also includes SAV for Mac OSX.

Endpoint protection 11.0 – is the upgrade for SAV CE, SCS, Symantec Sygate Enterprise Protection, and Whole Confidence online for corporate PC’s get this in their upgrade contract

They now took a poll if we entered the beta test for Symantec Endpoint Protection – 9% did public – 20% did external and 69% did not (this was a seminar poll for the participants.

They are talking about the reasons for integrating everything

Parts

Antispyware – Leads in root kit detection and removal *unless they are keeping quiet for Sony
Antivirus

Firewall technology – taken from Symantec Client Security and Sygate

Intrusion Prevention – Behavior Based Threat protection – SONAR whole security – network traffic protection

Device Control/ Application Control

Network Access Control – add on client

New client is all bubbly and vista like – take that how you want. New help and support button allows some basic troubleshooting info in one spot. Access to windows accounts info, disk space, log files, and version information. You can also import or export policies from the client. Any client installed by default from the CD are initially self managed – if you want them to be managed by default you need to create an installation package on your management server.

You can change all policies not just the firewall based on location.

The file that tells if the client is managed or unmanaged is located in the file sylink.xml – contains also server list, certificate info, heartbeat, and communications. There is a tool to auto edit the file included on the cd for easy managed to unmanaged deployment. You could also edit this manually and the file is said to be documented.

Intrusion prevention capability – network based intrusion prevention tied into the tcp stack – generic exploit blocking from SCS and Sygate IDS which supports custom signatures – signature format is similar to Snort. Behavior blocking – proactive threat scan from whole security – innovative behavior based analysis – uniquely accurate low .004% false positive rate (testing for 2 years) via the web site and the consumer product (your enterprise beta testers) – enables broad deployment on endpoints. 20 million installations during the test – so 40 false positives for every 1 million PC’s – can also do white listing so false positives only show up once.

Stupid picture of a cookie jar with a digital camera and video camera – cookies disappear in the night and you want to catch who is doing this used camera for random images or camcorder you can review the film later but the camcorder solution is more expensive – so proactive threat scanning takes a picture of all the processes every 15 minutes and analyzes it. *is this seriously the best analogy?????????

Application Control – you can disable certain application

Device protection – block devices by type – trying to stop items like USB, infrared, Bluetooth, serial , parallel , firewire, scsi, PCMCIA – can block read/write execute on burnable media drives – can block all USB except keyboard and mouse – *I would just use a browser

Features overview
email report distribution on a schedule
centralized event logging
customizable reports
real time event viewing
notifications view
event export to SSIM or 3rd part
Embedded and MS SQL support
Client install package builder
patch and update
remote installation
import and sync with Ad
authenticate with AD
customized agent package installation
Migration from SAV, SCS, SSEP,& SNAC
Centralized Web Based console
Simplified interface for SMB and enterprise
Role Based Access
Administrative domains
Assign rights by user or group
User defined multi tier groups
RSA SecurID
Integrated management of all agent components
single console for management of AV, FW, NAC and other policies
Group based polices
- I missed the last two.

Migration

Standard migration steps so far – document, design, install architecture, migrate existing groups and policies, configure reporting, configure server/site (policies, groups, Admins, notifications etc. , create and test client packages,

Java based Management – talk to it on HTTPS (admin and client) clients can be configured for HTTP if you want unencrypted traffic- SQL database for storage.

Database contains
Group structure
policies
patches
logs
content

only replicates
Group Policies/Logs/Content

SQL can be separate from the management sever – many management servers can use a single database. Numbers are to be determined but there is basic info in the documentation – hard numbers will not be available in FCS (First Customer Shipment)

Distributed environment – multiple management servers and databases – Management servers always replicate policies and group information between them – so they will all know about ALL the clients and policies – any client can check into any server – but you can restrict that by server or server group – you can also setup a order it checks in. Logging replication is optional and they call it filtering – if you have a current architecture where all information rolls up to a master server you can still do that – or you can replicate all logs to all servers.

Supports migration from SAV, SCS, and SSEP – clients upgrade to SAV 11.0 will automatically connect to new SESM

Look and feel for reporting data is the same

First use wizard simplifies initial setup

SEPM can run on the save server as a SAV management server since they are designed to coexist since they use different executables.

Migration 1 – on same server as your SAV server
Install SEPM
Move Group and Policy info from SSE
Install SAV 11
Decommission original Parent server

Migration 2 – different server
Policies can migrate with first use wizard – other steps very similar

Reporting migration

Sav 10.1 – you can redirect clients to the new SEP 11 database for reporting.

Client installation – support to install over SAV 9-10.1, SCS 3-3.1, SEP 5.1, SPA 5.1 (don’t have to uninstall these products)

Already rolled out internally at Symantec with 5000 users

First use wizard – which will enable you to migrate your groups, policies, users to your new management server – they will not install the client automatically on a management server-so this will have to be done manually. They warn about installing the client firewall on the servers install – LOL – I can see why but I wonder how many administrators actually did that.

Content distribution

SEPM gets client updates and content from Symantec live update – clients can be patched from management server using only a small difference file that can be pushed down.

Still can get content from central internal live update server or rapid release definitions

Clients send events, operation state, and command status to the SEPM server – commands are sent to client from server, profiles, content, updates sent to client – content and updates only the different micro definitions they don’t’ have are sent instead of all the definitions each time.

Clients with a group update provider – will go to the group update provider for content (av defs, etc.)

The group update providers caches information from the SEPM server – designed for low bandwidth architectures.

Unmanaged clients can still go to live update on their own

Additional tools

http://edm.symantec.com/endpointsecurity/

http://www.symantec.com/endpointsecurity/migrate – migration information
Consulting Services and support

Goodbyes and that’s the end

Questions and Answer from the text box:+

Question: Sorry missed what said… Did you mention Macintosh would be included?
Answer: Yes, MAC will be included

Question: Will the Multi-Tier console server handle Macintosh clients?
Answer: MAC will not be managed by the SEPM console this release

Question: Will it be Vista compliant?
Answer: Yes

Question: Will the Symantec Multi-tier Protection for MAC be able to utilize the Parent Servers for Windows?
Answer: No. MAC has its own console as it stands today.

Question: Asking about the console. Will there still be a seperate console server for Macs?
Answer: Yes

Question: So there won’t be a Mac solution if we’re a SEPM customer?
Answer: MAC is included in the Multi-Tier Protection but it is managed by a seperate console and server structure

Question: What is the upgrade from SAVCE
Answer: Symantec Endpoint Protection 11.0

Question: is the full endpoint suite required, or can you still purchase products separately?
Answer: You get everything as long as you are current on maintenance.

Question: Assuming no more console?
Answer: MAC will be managed by its own console. SEPM will manage all windows clients

Question: Can you turn off various components?
Answer: Yes, you can enable and disable the features as needed.

Question: Will it have built in reporting capabilities or do we need to continue with SAV reporter?
Answer: SEPM has reporting built in.

Question: Will the SEP v11 console be able to managed legacy clients (SAV10, etc)
Answer: No. It will not manage legacy SAV clients

Question: Will this all still be in a single agent?
Answer: Yes, Single Client with all the mentioned technologies

Question: Will these products be Vista logo’d or just Vista compliant? Also will you be providing both 32bit and 64bit clients?
Answer: Yes, we will be providing both 32 and 64 bit versions of the client. Vista compliant.

Question: What? We will need to run multiple consoles? Will they all feed into SSIM?
Answer: SEPM will manage the windows clients only with this release. Yes, we will have a collector for SSIM

Question: Will we go over migrating an existing Reporting Server to the built-in reporting in SEPM?
Answer: There is a white paper that will be available as well as a migration wizard

Question: would this be red if I disabled it from management side?
Answer: Yes

Question: does the user need admin rights to execute a FIX
Answer: The fix can be run as system by the client

Question: Are there different levels of users provided in the SEPM?
Answer: Yes, administrators can have different functions and rights as configured. There is limited administration.

Question: Will the 64-bit client differ by processor type, or will the 64-bit client be universal?
Answer: Universal

Question: Current installation from CD presents you an option to choose the management server if you want to install managed. Why has that been removed?
Answer: You can create packages that are “unmanaged” still it is just a different process.

Question: can it be locked so a cleint can’t remove from a server?
Answer: Yes

Question: In previous versions, we could specify management server. This is not possible

now?
Answer: Yes. It still is possible to specify the server that will manage the client.

Question: Will the client upgrade handle all current individual components that may be installed on the desktop (SSEP, SAV10, etc.)?
Answer: Yes, absolutely

Question: Does the new policy import/export replace the usage of GRC.dat and the need to at times manually implement it.
Answer: Yes. Sylink.xml is the new file used.

Question: Will the SPEM have the ability to set security access for other users/groups to manage their servers or sites?
Answer: Yes

Question: So the sylink.xml replaces the grc.dat except it doesnt disappear once processed by the client?
Answer: Yes, exactly

Question: When will this release be available?
Answer: End of the month

Question: can you import SNORT signaturs?
Answer: No, we support REGEX and have a language similiar to snort

Question: Is there a maximum network latency value between a policy sevrer andf end client that we should consider when determine the count and location of policy servers on our global network?
Answer: We will have a scalability document for distro

Question: Does the current license also include the signature subscription for IDS?
Answer: Yes

Question: Has the port range for communication between SErvers and Clients decreased? Or will it still range from 1024-4999?
Answer: It will be SSL

Question: Will this presentation be available for download so we can share with upper management?
Answer: Via email

Question: Does the client upgrade require a reboot from version 10.x
Answer: to start the firewall but not for AV protection

Question: We currently install the SAVCE client on Windows Server OS managed by a Parent server. Which product is recommended for Windows Server OS or which components are recommeded to be disabled on Server OS?
Answer: SEP can be run on servers and clients. All technologies are portable

Question: is the management console still MMC based?
Answer: No

Question: Is there a reporting server for this similar to the SAV 10 reporting server?
Answer: No, it is integrated now.

Question: When will training be available for SEP 11?
Answer: At release

Question: will we be able to customize the white list
Answer: Yes

Question: Does Behavior blocking handle rogue keyloggers?
Answer: Yes

Question: Will the new console be able to communicate with “legacy’ SSEP agents (or, can we upgrade the SSEP-PM without requiring the SSEP agents to upgrade at the same time)?
Answer: It will support legacy SSEP clients but not SAV.

Question: so just 443 and 80
Answer: Exactly!

Question: Can specific applications be “black listed”?
Answer: Yes

Question: what are the functionality differences between Sym Endpoint Protection and Sym Multi-tier Protection?
Answer: Same technologies SMP includes email protection and MAC/linux

Question: will the clients listen on a port for server initiated communication, or is the communication only initiated by the client?
Answer: no client listen port. Client initiates all communication to the server

Question: Will SEP require SQL?
Answer: You can use SQL but the embedded (included) DB is Sybase

Question: Will mobile devices be supported? If so, what devices?
Answer: Seperate product

Question: Will the Q&A be made available after the call?
Answer: Yes

Question: any chance of getting a copy all the slides to review after the meeting?
Answer: Yes

Question: Is there an estimate available of the resource impact on a host machines due to the proactive threat scanning?
Answer: We will have this documented and available in a whitepaper
Question: Will SMS5 – Symantec Mobile Security Suite 5 integrate into SEP?
Answer: No.

Question: Do the antivirus capabilities within SEP 11 use less resources on a typical client and server? We have many problems with SAV 10 chewing up too much memory and CPU utilization, especially on virtual servers.
Answer: Yes, lower memory footprint

Question: Is there an override for the USB blocking?
Answer: Yes

Question: Can devices be blocked based on Manufacturer / Model?
Answer: No- windows class ID, not vendor class ID…..coming in the future though

Question: can usb thumb drives be blocked but other usb devices, ie scanner, printer be allowed?
Answer: Absolutely!

Question: is patch/maintenance release management going to be simplified over previous versions? (i.e. all inclusive rollups not requiring previous upgrades to a base version)?
Answer: Definitely

Question: so SMP includes the sygate firewall technology?
Answer: Yes!

Question: A new version of packager come with this – I am aware its unsupported but if new version does come with it will it be supported? If not any idea when?
Answer: Packager is gone. The packaging mechanism is the Sygate technology

Question: Will the schema be available for the database, so we can query it?
Answer: Definitely!!!

Question: Will SMSDOM (Mail Security for Domino) Still be supported as well as Premium Anti-Spam? How about for Exchange?
Answer: Yes

Question: Are the INTEL portions from previous NAV/SAV versions been eliminated altogether?
Answer: Yep

Question: Are the policies for the client available to be pushed via Group Policy in AD?
Answer: Yes

Question: can you restrict file types allowed to write to USB drives? i.e. allow MP3, but not DOC or XLS?
Answer: Yes.
Question: Can the Class ID blocking be managed by OUs, say the Director level can use usb drives, regular sales cannot?
Answer: Yes, using grouping

Question: Can individual components – say, the firewall portion – be disabled selectively? For example, we may want AV on a server but not necessarily firewall (even more specifically, for performance savings?).
Answer: YES!

Question: What version of java?
Answer: Local version

Question: how much space is required for the sql ie per machine?
Answer: DB size will vary by client count

Question: Does this version get away from storing client information in the registry?
Answer: Yep

Question: Can the management server be installed on VM?
Answer: Yep!

Question: Did he say the client port is 80?
Answer: Or 443 depending on selection by administrator

Question: is a certificate server required?
Answer: no

Question: In the current version of SAV10 Reporting, there is a vulnerability of the PHP component. Will SEPv11 provide better response to layered components that have known vulnerabilities?
Answer: Absolutely!

Question: the client/server traffic is based on port 80/443 correct? How is that going to affect clients running websites using port 80/443?
Answer: There should not be a conflict but the ports are configurable

Question: from the remediation aspect, will SAFE mode be required for a 100% detection and cleaning?
Answer: Depends on the threat. SEP 11 will clean better than SAV 10 though

Question: For replication what type of nbandwidth does it use over a WAN?
Answer: All documented in the scalability doc

Question: Since the client information is no longer in the registry how can we check AV status through scripts? Is there a WMI interface?
Answer: Some status can still be checked via the registry
Question: Since this is running on 80 or 443 is it using some type of web server underneath for communication (e.g. Tomcat/Apache/etc.)?
Answer: on the manager yes. There is a tomcat server and IIS

Question: We have encountered issues with the volume of network traffic generated by corrupted defs. How does the 11.x version address this issue?
Answer: corrupt defs should be a thing of the past.

Question: are there any JRE versions that are not supported or are recommended for the management console? Will the client itself require JRE to be installed for SEP to work?
Answer: CLient does not require JRE. The version installed is a local version specific to SEPM.

Question: will registry still use intel\landesk\virusprotect6 structure?
Answer: Nope. All intel technologies for management are gone and the registry has been changed as far as structure

Question: How can we obtain the scalability document?
Answer: It will be posted at release

Question: has sepm been certified for vm
Answer: We support VM environments. Not sure if it is certified by VM

Question: Why is this not backwards capable with SAV 10 or 9? Upgrading an entire enterprise can take a while.
Answer: Completely different management architecture.

Question: is there a method for users to alter administrative scan schedule (but not any other option)?
Answer: Yes

Question: what about Sygate 4.1?
Answer: no

Question: Will you be able to save all the old data from the SAV 10.1?
Answer: yes, migration wizard will cover this

Question: no over intall for 7.x is that correct
Answer: right

Question: OVerinstall of 10.2 for Vista supported?
Answer: yes

Question: he said that scalability doc will be available about a month after SEP 11.0 release
Answer: probably sooner
Question: when you overinstall does this require a reboot on the endpoint
Answer: Yes, but not for AV, just for the FW

Question: Will the overinstall work even if the previous client is password protected? Or will it still require a registry hack to remove?
Answer: It will work

Question: can SAV10 client groups be migrated, or is there granularity to support that type of group?
Answer: Migration wizard will allow this

Question: Does SEP support NT4.0 clients?
Answer: no
Question: does it work on vm . Currently version 10 I have on vm
Answer: Yes

Question: Is the upgrade to SAV 11 more reliable than the upgrade to SAV 10? We were forced to use NONAV to pre-clean the SAV 8 and SAV 9 systems before going to SAV 10
Answer: Yes.

Question: What is the SEPM blog URL?
Answer: https://forums.symantec.com/syment?category.id=endpoint

Question: Is the installer follow standard MSI best practices?
Answer: Yes

Question: will management server install require reboot (windows server 2003)?
Answer: no

Question: This includes central management and reporting for the FW?
Answer: Yes

Question: Any problems creating an SMS package for installing to clients?
Answer: no

Question: to install over 4.1 do you need to uninstall 4.1, reboot and install SEP or can you uninstall 4.1, install SEP and reboot?
Answer: Yes

Question: Can our TAM answer questions regarding SEP 11 yet? Or do we have to wait until the release?
Answer: Yes

Question: We run Symantec Mail Security for Exchange. If we run SEPv11 on the same box, are the defs compatible? Can they co-exist?
Answer: They can co-exist

Question: you mentioned earlier that the client initiates all contact with the server. What about Virus sweeps, updates that you want to push, do you have to wait til the next time the client checks in
Answer: No

Question: does the patch require a reboot? We have lots a 24×7 servers.
Answer: no

Question: Will the dif patch require reboots on the clients?
Answer: no

Question: No problem to run in a mixed environment, e.g. legacy clients reporting to previous management console, newer clients reporting to newer management console?
Answer: no problem with a parallel environment

Question: We are going to have a lot of language requirements (Thai, German, French, Russian, Swedish, Japannesse, Chinesse). Is there a link on your web page to the supported language versions?
Answer: It will be posted but is not right now. Should be at release time. We are localizing alot of languages

Question: For definition distribution, what is the approx size of the diff-defs? If a client has been off the network for a week or longer, what is the approx size of the diff-def?
Answer: will vary

Question: Thanks for the GUP!!
Answer: :)

Question: If a client goes to a GUP and then that client goes to another group will it still look for the GUP group A
Answer: no

Question: With ver9 and > Symantec expanded the feature set to combat spyware and malware, many customers complained of CE being bloated, memory-intensive, and causing issues with many line-of-business applications. With all these added features in this new product release can you point to any documentation related to this version benchmarks and/or performance specs compared to previous releases?
Answer: Its all documented. Check the portal

Question: will rapid release definitions be available for the Liveupdate server?
Answer: yes with LUA 2.5

Question: Not sure if this was asked. But when a client connects to a 11.0 server does it use a certificate like in the past for communications?
Answer: no

Question: Can the gups be configured as Primary, secondary, and can the clients recognize that
Answer: no

Question: when will this be available for download from the platinum site?
Answer: end of the month

Question: Thank You
Answer: You are welcome

The first step in minimizing your organization’s exposure to a phishing attack is to educate users and have policies they can refer back to. The best approach to this is to train them when you first adopt them as users. If you are a bank you post your policies on password and account policies when they first sign up for online service. If you are a private web site send them a blurb of information in the verification email (users will glaze over at long privacy agreements so have a summary prepared for the email body and append any policies after the main text). If you are an organization/company you educate the users when they are in their new hire orientation. For companies there should be a follow up yearly or bi-yearly on policy changes and a short training session may be required depending on the amount of education you need to impart on entrenched employees.

Companies should have a corporate website that states if there is a time where the IT needs to request your password how this will be handled. It is inadvisable to have users to respond to any password request with their username and or password in email form. This trains the users to accept this type of reply no matter if it’s a real request or a phishing attack. The same holds true for attempting to collect or update their password information on an internal website.

Some companies to alleviate helpdesk calls have setup a password reset web site internally. Users should be taught to verify they are going to the correct URL before entering any information. To secure these configuration users should login while they know their passwords and have 2-3 challenge/response questions before it will allow you to change their password. To make this more secure allow your users to make up their own questions, since they will recognize the questions they have written themselves and make it harder for attackers to just spoof the site and auto accept answers to things that are industry default questions such as “Mother’s Maiden Name:”.

Unfortunately since all authentications are tied together you normally would not want to send a verification email before resetting the password, since the user probably isn’t able to get into email either. You can however make the change temporary for 24-hours unless they click the verification email to confirm they did this make this change. If they do not click the email the account automatically locks and users then have to call the help desk. Inform users of this behavior before implementing this and have it state so implicitly on the password reset page.

We have discussed how to raise user awareness and minimize the chance of users unwittingly entering in their information but how do we minimize exposure to the users on these attacks? The easiest approach is to handle this at your border infrastructure. For simplification I am going to lump the email infrastructure together in my explanations, these parts are your border firewall, any internal firewalls, your anti-spam solutions, and your internal mail server. I am grouping these together because depending on which product you use for these functions different options are available to you.

The first step for locking this down is to have all of your internal users authenticate before sending mail. Authentication requirements may include authenticated SMTP or IMAP sessions, VPN to the internal network, Webmail, or any other options that give you some sort of confidence level that the user you are responsible for is who they say they are. It will also make the next step a lot easier to implement depending on your current corporate policies.

The next thing you do is disallow any mail from outside your organization allow a “Sent From:” address. For example if your domain is “mydomain.com” your mail server will not except mail from bob@mydomain.com going to sally@mydomain.com unless they have been authenticated via one of the earlier proscribed methods or through a desktop email client internally. Make sure that your external firewall does not perform NAT on incoming packets or otherwise your mail server will think all the mail is from an internal source.

Implement a policy to disallow your internal mail server to accept mail connections via telnet. This can be done by smarter firewalls that inspect layer 7 packets and some mail servers. These devices can distinguish the difference between a mail server or client sending the mail by packet length and activity type compared to manually typing in the message by telnetting to port 25 on your mail server and sending mail via telnet.

For phishing and other reasons your organizations should develop or subscribe to a real time blackhole list (RBL). Anytime an individual attempts to your internal mail server in an attempt to spam or perform a phishing operation unsuccessfully against your mail server they can be added to the RBL database. This allows you to track and block attempts from the same IP over and over again and reduce overhead on your internal mail server.

To reduce rogue mail servers on your internal network and enforce traffic to traverse the internal mail server the best methods for performing this is to block port 25 on all of your internal routers unless the traffic is destined for your internal mail server. Include another rule that allows only your mail server to send email to the internet on port 25 on your firewall. This helps against internal users that may attempt a targeted phishing attack against another internal user.

The next step depends on how smart your mail filtering software is. Have a queue where suspect email is forwarded if they include strings similar to your own domain (example bob@my-domain.com, bob@mydomian.com, or bob@mydomain.com.com) this is all dependent on how well your mail filtering software can detect these misspellings. From this queue have a trusted administrator verify if that these mailing are not spam (if so implement appropriate filters) or not a phishing attack (add IP address to your RBL). Since in the scope of this document I can not scope out how similar your domain is to another domain that may be sending you mail I suggest this as a last resort if you are under a heavy load of phishing attempts. I would not recommend outright blocking this type of mails since it may interfere with legitimate business.

If you discover a phishing attack that has bypassed your border and made it directly to the user the recommended approach is to immediately send a mail to all the effected users as soon as this is detected. When sending the email alert about this include your standard policy on if, how, and when you will collect passwords or usernames from them when it is a legitimate email. This informs the users that you are paying attention; they can gain confidence that you are monitoring for this type of attack, and they are reinforced when and where to give out their private information.

Phishing attacks will never be stopped one hundred percent, but repetition and education can greatly minimize it’s impact on your organization.

Going through my DHCP server I managed to track down the IP address it obtained and managed to log in via the normal Linksys default tight security – username admin password admin. After this point I managed to change the device to use a static IP address.

After this I signed up for the vonage service and had phone calls delivered through the home phone line. We do not usually use the home phone line and off the top of my head I can not even tell you the phone number it uses. So here is how we are going to wire the house.

From the main phone junction box there is going to be a working jack – from this jack we will place a DSL line filter – from here we will place the DSL modem on the non-filtered side and a stand alone non wireless phone and an answering machine just in case. Behind the modem lies a linksys firewall that handles PPPoe dialing and behind here lies the Linksys PAP2.

From the PAP2 we filter the other main phone line to the house into from the wiring closet I started in the basement. and from here all the phone wiring in the house will filter through to provide whole house phone coverage through the Vonage device.

Whew.

The advantages of having a central wiring area in your house is the biggest benefit you can ever have especially for instances like this.

Ever find that the equipment manuals are terrible or you just can not find a ye or no answer on how somehting functions?

That i my problem.

Buried in a closet downstairs is a wireless router that is not being used. In my new network design – I want to use it, but I need it to have NAT disabled so I can go between both segments with their real IP addresses. So I need it to act as a true wireless router and the manual says nothing about this type of function.

The router is a MN-700 Wireless b/g router by Microsoft. When I lived in Oregon it served the purpose for a couple years but got replaced when I moved back to Ohio. With my new network design though I’m going to have at least 2 wireless zones (2 more planned in the future when I have cash) . So I’m stuck on that question until I have time later to hook it all up and configure it. But the manual should have this information.

But what else am I going to do with it beyond complain about the lack of of text in the manual?

Well let’s look at the rest of the purpose of this machine (other machines mentioned we will go into detail in a later examinging equipment.

The MN-700 will ideally be put into a configuration such as the folllowing off the firewall

Wired Clients <----> MN-700 <---wired---> Firewall
|
Wireless Clients <------
|
Wireless Bridge <------

I will be uing WPA encryption on the Clients and the wireless bridge as this wireless network is going to be behind my main firewall (which has 4 interfaces) I want natting disabled since I’ll be coming through the firewall to the wired clients at the very least – and would like to be able to reach all the computers.

Why do I need to reach all the computers?

Remember the mantra to follow is central management and ease of use – while my network setup when we get through this whole series may not be the easiest to understand nor to configure. When we get to the end users they should not be able to see any impact on their normal usage and it should make everything easy and transparent. Hopefully it will also make everything more functional where the users are interacting with services they didn’t know existed on the network.

Being able to reach all the computers means that I can VNC (covered in a later article) across the network to any machine form any other machine I’m on (as long as I know the password.) This fulfills centralized management and since most my servers run headless (without a monitor attached) it allows me to administrate them without have the electric bill compounded by the electricity that a monitor would use.

I also have at least one computer on that segment where VNC communication is imperative and there is a file share on that same computer. The reason for this will be covered in a later article when I get to that computer.

What other functions will this router provide?

This router on top of his WPA encryption will be filtering client by mac address and not all of the clients will have a static IP address. So the router will also be the DHCP that services this network segment ( for the record there will be 2 other DHCP servers on the network and no I don’t want to go DHCP repeater services so I can have a central one). The DHCP pool is going to be wide enough for 20 addresses in case I get other remote device that need access via the secured wireless segment.

The router will allow for external managment so from my central desktop or laptop I can adjust or make any configuration changes necessary in a future adjustment.

I’m fairly sure this covers my working with this wireless router – I’ll have a follow up later on the MN-700 which will include screenshots of the interface.

I wrote this document for a customer back in 2005 when I was a Symantec Consultant – posting it from 2008 in the right time period.

Solutions Guide for Load Balanced NAT Issues

These are solutions to possible load balancing issue you may encounter with the Symantec Firewall load balancing methods. The assumption is problems you would encounter going from an internal network to an Internet host or network. These problems also rarely occur and are usually an issue depending on the security of the remote host.

Scenario: Multiple TCP connections on the same port leaving with different outside NAT addresses causes the remote server to reject the connection.

Example: HTTPS connections that do not use a client side cookie.

Solutions:

1. We can use stateful failover for the TCP traffic and all traffic would leave as the VIP address. The downside is some increased load on all the firewalls in the cluster.
2. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
3. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
4. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
5. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
6. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
7. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.

Scenario: A connection that requires multiple TCP destination ports.

Example: Passive mode FTP (which the FTP daemon can handle this without modification; lack of a more common protocol as an example is not immediately available.)

Solutions:

1. We can use stateful failover for the TCP traffic and all traffic would leave as the VIP address. The downside is some increased load on all the firewalls in the cluster.
2. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
3. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
4. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
5. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
6. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
7. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.

Scenario: A mixture of UDP and TCP traffic.

Example: This is usually seen in custom applications such as streaming media where the connection starts on TCP and migrates over to UDP for media delivery.

Solutions:

1. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
2. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
3. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
4. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
5. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
6. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.

Scenario: TCP and IP traffic mixture.

Example: Microsoft’s PPTP VPN. This product uses port 1723 TCP and IP type 47 to pass traffic.

Solutions:

1. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
2. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
3. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
4. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
5. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
6. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.

Scenario: UDP connections using multiple ports

Example: No known examples available for reference.

Solutions:

1. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
2. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
3. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
4. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
5. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
6. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.

Scenario: UDP and IP traffic mixture.

Example: This traffic would mostly be associated with IPSEC VPN traffic.

Solutions:

1. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
2. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
3. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
4. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
5. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
6. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.

Scenario: Multiple IP types only connections.

Example: No known examples available for reference.

Solutions:

1. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
2. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
3. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
4. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
5. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
6. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.

Scenario: A connection using TCP, UDP, and IP types all in conjunction.

Example: Older VPN connections that did not adhere to the IPSEC standard.

Solutions:

1. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
2. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
3. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
4. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
5. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
6. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.

1. What DNS is whether they know how to use it or not
2. If they have been an ongoing firewall administrator, they should know if they host DNS or not
3. How to use attrib
4. Know how to Alt-Tab
5. Know how to browse a drive
6. Know that double clicking opens a folder
7. How to Ping