
An Oracle blog about Security

Recent Posts

Engineered Systems

Engineered Systems Family

Oracle has an entire family of engineered systems that are pre-integrated to reduce the cost and complexity of enterprise-wide IT infrastructures while increasing productivity and performance. Only Oracle can innovate and optimize at every layer of our Red Stack to simplify data center operations, drive down costs, and accelerate business innovation.

Let this serve as a quick introduction to Oracle's Engineered Systems Family: Exadata, Exalogic, SuperCluster, Exalytics, Private Cloud Appliance (OPCA), Big Data Appliance (BDA), Database Appliance, and now the Zero Data Loss Recovery Appliance (ZDLRA).

Oracle Exadata Database Machine
Engineered to be the highest performing and most available platform for running Oracle Database. Exadata runs all types of database workloads including Online Transaction Processing (OLTP), Data Warehousing (DW) and consolidation of mixed workloads.

Oracle Exalogic Elastic Cloud
Hardware and software engineered together to provide extreme performance, reliability and scalability for Oracle, Java, WebLogic, and other applications, while delivering low TCO, reduced risk, higher user productivity and one-stop support.

Oracle SuperCluster
Oracle's fastest and most scalable engineered system, ideal for consolidating databases and applications, private cloud deployments, and Oracle software solutions.

Oracle Exalytics In-Memory Machine
An engineered system of hardware, in-memory database software, and networking, which is fully leveraged by an optimized business intelligence platform to provide advanced visualizations and analytics.

Oracle Private Cloud Appliance
This engineered system simplifies the way customers install, deploy, and manage converged infrastructures for Linux, Windows, or Oracle Solaris applications. It provides an easy-to-use platform to run all of your Oracle and third-party applications using the same technology as Oracle's Public Cloud.

Oracle Big Data Appliance
An engineered system that provides a high-performance, secure platform for running diverse workloads on Hadoop and NoSQL systems, while integrating tightly with Oracle Database and Oracle Exadata Database Machine.

Oracle Database Appliance
An engineered system of software, servers, storage and networking that offers a simple, reliable, low-cost package for small to mid-range database workloads in a true turnkey form factor.

Oracle Zero Data Loss Recovery Appliance
A groundbreaking data protection solution that's completely integrated with Oracle Database and eliminates data loss exposure for all databases without impacting mission critical production environments.

In Summary
As you can see, Oracle has developed a full family of Engineered Systems which deliver mission critical solutions while cutting complexity and costs for our customers. For more information on any of these platforms you can go to http://www.oracle.com/engineered-systems/index.html

Be Secure!
--Frank


Engineered Systems

Zero Data Loss Recovery Appliance (ZDLRA)

Now Introducing the Oracle Zero Data Loss Recovery Appliance
A groundbreaking data protection solution that's completely integrated with Oracle Database and eliminates data loss exposure for all databases without impacting mission critical production environments.

What is the Zero Data Loss Recovery Appliance
Oracle's Zero Data Loss Recovery Appliance (ZDLRA), or the Recovery Appliance (RA), is a new cloud-scale engineered system designed to dramatically eliminate data loss and reduce data protection overhead for all Oracle databases in the enterprise. Integrated with Oracle Enterprise Manager (OEM) and Recovery Manager (RMAN), it enables a centralized, incremental forever backup strategy for hundreds to thousands of databases in the enterprise, using cloud-scale, fully fault-tolerant hardware and storage. The appliance provides databases with sub-second recovery point objectives and continuously validates backups for assured recoverability of Oracle data. Oracle Enterprise Manager enables "single pane of glass" control of all administrative operations on the appliance, providing complete, end-to-end visibility of the Oracle backup lifecycle.

Key features and benefits are detailed below. The key components and workflow within the environment are shown below:

Key Features
- Real time redo transport
- Secure replication to a local or remote ZDLRA
- Autonomous tape archival
- End-to-end data validation, eliminating corruption of database backups
- Incremental forever backup strategy
- Storage space efficient virtual full backups
- Backup operations offloaded to and managed by the ZDLRA
- Flexibility and SLAs with database level protection policies
- Database-aware space management
- Cloud-scale architecture
- Unified management and control via RMAN and Oracle Enterprise Manager

Key Benefits
- Eliminate critical data loss, shorter RPO
- Minimal impact backups, shorter backup windows
- Database level recoverability, shorter RTO
- Cloud-scale data protection

Additional Resources
I have included some additional resources for you to review at your leisure. They include a variety of sources.
- What are the Industry Analysts Saying about the ZDLRA
- The Business Case for Zero Data Loss Recovery Appliance, Business Benefits for Data Protection (PDF)
- ZDLRA data sheet (PDF)
- Technical Guide to Oracle's Recovery Appliance (PDF)
- Oracle Help Center
- Oracle Support

How will it fit into your existing IT architecture
The ZDLRA is integrated with Recovery Manager (RMAN). At the heart of the system is an embedded Oracle Database, running Oracle Real Application Clusters (RAC), that serves as the centralized RMAN Recovery Catalog for all the protected databases. The catalog maintains all backup metadata in Automatic Storage Management (ASM) disk groups running on High Capacity disks in high redundancy mode. The backup data itself is also kept in ASM disk groups, in normal redundancy. The ZDLRA can be expanded by adding compute and storage capacity to a base configuration or by adding additional racks. Backup connectivity into and out of the system is provided through standard 10GigE and InfiniBand ports.

For tape archival operations, the appliance comes with pre-installed Oracle Secure Backup (OSB) media management software and a 16 Gb Fibre Channel card on each compute server to connect directly to tape hardware. Alternatively, other vendors' tape backup agents may be deployed on the ZDLRA for integration with an organization's existing enterprise tape backup software and processes. In this configuration, the agents must connect to their specialized media servers that are deployed external to the appliance.

Be Secure!
--Frank


Security

Key Facts about Disaster Recovery

Introduction
From time to time I have had discussions about high availability (HA), disaster recovery (DR), and continuity of operations programs (COOP). Sometimes we dive deep into the topic without communicating several key high level messages that will guide the conversation forward.

To what degree do we implement a DR program
Many organizations have made the determination that they do not need any protection at all. They have evaluated the trade-off between having some type of protection and not. Most organizations do not provide for a full DR. They have determined that not all of their organizational processes require DR. They typically have set a "Service Level Agreement" (SLA) that provides for their environment's services to be available at a specific time. They have determined what services are most critical and set a time plan to restore those services. Non-critical services would follow as time permitted, depending on how long a specific disaster lasts.

Levels of Disaster Recovery
Below is a chart that details the specifics and trade-offs of the different levels of a disaster recovery plan. It shows how relative costs and complexity increase as the time to restore operations decreases. Getting the timing right is critical for service availability.

Summary
Backup, recovery, high availability, disaster recovery, and a solid COOP are all very important for the protection and security of your data. They safeguard your organization's data from corruption, hardware failures, and data failures. The protection of your environment is one of the most important aspects of being a successful IT professional.

References
There are many resources available to assist you. Several are listed below.
- Oracle Maximum Availability Architecture (MAA) Site
- Oracle Maximum Availability Architecture Blog
- Disaster Recovery Guide: A to Z

Be Secure!
--Frank


Security

“Physical Security, Meet Information Security . . . . ”

On a recent trip to visit family I had a revelation related to security. It's obvious, but as I thought about it more it sure was much deeper than my first look. Physical security does track very closely. Let's look deeper at how they relate.

- Monitoring = Dedicated entrance road / parking lot
- Monitoring = Visitor parking area
- Firewall = Guard booth
- Internal Firewall = Additional guard booth, building reception desk, one building entrance and exit
- DMZ = Dedicated off-site meeting space / conference room in the lobby
- Logging = Video surveillance / log book
- Logging = Checking vehicle registration
- Authorization = Background checking
- Authorization = Checking IDs
- Defense in Depth = Internal office access / production floor access / data center access / control room
- Authorization = Escorted or unescorted (trusted)
- Encryption = Locked file cabinets / secure storage / shredding
- Desktop Virtualization = Shared office space

Some of the analogies can be debated, but I think you get the idea. As you now see, physical security parallels IT security very closely. No wonder: physical security has been around for centuries, while IT security is relatively new. Use history to see what might be the next big threat to IT security.

Be Secure!
--Frank


Enterprise Architecture

Effective Management of Next Steps (Code for Action Items)

At the end of a business meeting, architecture review, or technical presentation there are typically some next steps or action items that need to be delivered on. Here are a few tips to help make sure the next steps get the proper follow-up in a timely manner. There are a few key pieces of information that need to be recorded and tracked in order to get positive results. The group should agree to them before the conclusion of the specific event. They may be used as a starting point at the next meeting or specific event with this same group. Here they are:

- Summarized description of the action item
- Outline why it is important
- Define the owner(s)
- Set a priority
- Provide a timeline for completion

I have provided a template in MS Excel and PowerPoint to assist in collecting and communicating the "next steps". Here are a few links to help you get started collecting the "must have" information related to "next steps" or "action items":
- ProjectConnections
- TechRepublic
- Bright Hub

This may be an odd starting point for a discussion about enterprise architecture, but it was an issue on several recent projects. So that's what is on my mind this Monday morning.

Be Secure!
--Frank


Customers

Oracle Magazine - SPARC Torches Benchmark

If you have not had a chance to review the latest "Oracle Magazine", I encourage you to read the article "SPARC Torches Benchmark" in the March/April 2011 issue. It mentions the TPC-C benchmark where we beat IBM by three to one and HP by seven to one. All of the actual numbers are listed at the benchmark link at the end of this article.

This is the link to the "SPARC Torches Benchmark" article: http://www.oracle.com/technetwork/issue-archive/2011/11-mar/o21news-305743.html

The online version of "Oracle Magazine" is located at: http://www.oracle.com/oraclemagazine

Links to other useful information related to the article:
- Watch the launch event Webcast: http://www.oracle.com/us/corporate/events/sparcsolaris/index.html?ssSourceSiteId=otnen
- Learn more about Sun SPARC Enterprise Servers: http://www.bit.ly/ejwHTN
- Learn more about Oracle Exalogic Elastic Cloud: http://www.oracle.com/us/products/middleware/exalogic/index.html?ssSourceSiteId=otnen
- See the SPARC SuperCluster benchmark results: http://www.tpc.org/tpcc/results/tpcc_perf_results.asp

I would encourage all of you to sign up for a free subscription to Oracle Magazine along with other interesting publications from Oracle.

Be Secure!
--Frank


General

Protect What Belongs to You!

This week I am on holiday at the sea shore, a place called Long Beach Island, New Jersey. I would normally not be adding to my blog but my family suggested I do so. There was much discussion on this topic by family and friends this week. It seems to be human nature to lose or misplace our personal items.

I was talking to Vikie, the manager of L.A.'s Restaurant in Manahawkin, NJ. She indicated that there is no shortage of items left behind at this establishment: credit cards, drivers licenses, cell phones, coats, hats, cameras, and even a US Passport. L.A.'s is a stopping point between Philadelphia and the New Jersey Shore on Route 72. This is also the case at a place far from the New Jersey sea shore called the Half Mile Ranch in Lake Luzerne, New York. The owner Mark can point out the collection of no less than ten shirts and coats left behind at his establishment. That's not all he has to show. He has a rack set aside just for glasses and sunglasses. It amazes him how many people will leave their cell phone and never call it or come back for it. As for the clothing, he will collect it for six months or more. If it goes unclaimed he makes sure it is put to good use by sending it to an organization that distributes it to the less fortunate in the community. As for L.A.'s Restaurant in Manahawkin, they tag the items and hold them for a year. If unclaimed at that point they are given away.

So what's my tip today? It happens to be two-fold.

If you have an item of value make sure it's labeled with your name, your phone number or email address. Some people will use one of those return address labels they get in the US Mail. This process is good for glasses, cameras, and cell phones as well. It also works for cell phone chargers and laptop computer chargers left behind when traveling. Many hotels and motels have an entire box devoted to chargers left by their guests. Most hotels will attempt to return them if marked with contact information.

Mr. Thomas Jones, Jr.
226 Any Street
Home Town, Your State 12345
USA

The second suggestion is to make sure your smart phones, PDAs, Blackberrys, Treos, etc. are password protected if they contain sensitive corporate or personal information: information such as username/password combinations, credit card numbers, or corporate email. Your employer has entrusted you with access to "organization only" information. Please keep it that way. Some organizations require your smart device to be password protected if set up to receive corporate email and calendar services. So my advice to you today is lock them down. Turn on the safeguards that come with the device and set a "strong" password.

Hope this was helpful and entertaining. Enjoy your Summer!

-- Frank


Security

Questions to Ask - Disaster Recovery

Introduction
At several recent meetings the topic of disaster recovery has come up. In one case it was a meeting dedicated to detailing an organization's current plans and procedures. Another meeting was to explore different alternatives that an organization may consider. This is the basis for this document. Let us first define a few key terms as they relate to our topic so we are all on the same page. They have been detailed on the left border of this page for your reference.

Common Definitions
Let us look at Disaster Recovery (DR) and Business Continuity Planning (BCP).

Disaster Recovery is the process, policies and procedures of restoring operations critical to the resumption of business, including regaining access to data, records, hardware, software, and communications (incoming, outgoing).

Business Continuity Planning (BCP) is an interdisciplinary concept used to create and validate a practiced logistical plan for how an organization.

Two other terms that seem to turn up when discussing Disaster Recovery are the Recovery Time Objective (RTO) and Recovery Point Objective (RPO).

Recovery Time Objective (RTO) is the duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity. The business continuity timeline usually runs parallel with an incident management timeline and may start at the same, or different, points.

Recovery Point Objective (RPO) describes the acceptable amount of data loss measured in time. The RPO is the point in time to which you must recover data as defined by your organization. This is generally a definition of what an organization determines is an "acceptable loss" in a disaster situation. If the RPO of a company is 2 hours and the time it takes to get the data back into production is 5 hours, the RPO is still 2 hours. Based on this RPO the data must be restored to within 2 hours of the disaster.

The definitions for the above terms have been provided by Wikipedia.

What essential questions do you need to ask when your customer wants to talk about disaster recovery? It may be as simple as guidance with a disaster recovery plan or the more intense task of implementing a DR site. This is no definitive list. It seems that the answer to each question can lead to three more questions. As can be imagined, most IT staff don't want to openly discuss this topic if they haven't planned for it. If they have planned and have tested, they freely discuss and complain about the process. But they have a "tested" process. Here is a list of questions I collected in preparation for a discussion with one of our larger customers.

Questions to Ask
- Do you have a business continuity plan?
- Do you have a technology DR plan today?
- What kind of disaster is being anticipated that would require a recovery?
- Does the organization have the ability to financially support a technology DR plan in their budget?
- Are regular backups of data performed at least daily?
- Are regular backups of the applications and operating environment performed at least daily?
- Are backups kept off-site?
- Are at least three versions being retained?
- What backup technology is employed?
- Has a complete local recovery of key services been tested?
- Where is the DR site? Planned site?
- What is the distance between the two locations?
- What are the critical applications and services which would require DR?
- What is the expected recovery time, the "Recovery Time Objective", for specific services?
- What is an acceptable amount of data loss, the "Recovery Point Objective", for specific services?
- What percentage of the application usage needs to be supported by the DR site?
- What is the size of the disk storage that needs to be replicated?
- What percentage of the data changes daily?
- How often will the data need to be replicated?
- How far out of date can the data be? 4 hours? 8 hours? 24 hours?
- How is the DR site funded?
- Could the DR site be a co-location facility?
- What type of access do you have to the DR site?
- How do you get essential staff to the DR facility and sustain/support them while working there?
- Will the DR facility allow access to your essential staff members? How is access determined/limited?
- Can the existing networking and security infrastructure support the switchover or failover to a DR site?
- Can the existing client devices support the switchover or failover to a DR site?
- Do written procedures for computer operation exist to bring up the DR site?

The Basic Components of a Disaster Recovery Plan
- Define what is an acceptable loss, both in terms of services provided and financially. Then look at the potential costs to fund the development and implementation of a plan.
- Everything needs to be backed up. How much of your electronic information is not being backed up, and why?
- Organize the services and information by how critical they are to the organization. Determine their priority. Determine how long the organization can live without them.
- Protect against disasters. Most people think of natural disasters when creating a disaster recovery plan. There are nine other types of disasters. Protect against all of them.
- Document what you have done. Put it in writing. Have it reviewed by whomever you can get to read it. Ensure that the documentation is available during and after a disaster. Review it frequently.
- Repeatedly test your plan. Most DR plans are not successful because they have not been tested. Start with a table top exercise. Think about that: testing the plan without leaving your office.

Summary
The main components of a DR plan are rooted in people, process, procedure, politics, and last of all technology.

I have included several pointers for more information related to this topic:
- Architecting Availability and Disaster Recovery Solutions, Tim Read, Sun N1 Availability Engineering, Sun BluePrint, April 2007, Part No 817-5783-11: http://www.sun.com/blueprints/0406/819-5783.pdf
- ITIL - Continuity Management & BCP: http://www.itil-itsm-world.com/itil-8.htm
- Business Continuity Planning: http://www.business-continuity-and-disaster-recovery-world.co.uk
- Disaster Recovery World: http://www.disasterrecoveryworld.com
- IBM System Storage Business Continuity Solutions Redbook: http://www.redbooks.ibm.com/redbooks/pdfs/sg246684.pdf

I would like to thank my peers for their input and review of this document.

Be Secure!
--Frank
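The RPO/RTO definitions and the backup questions above (backups at least daily, kept off-site, at least three versions retained, local recovery tested, written procedures) lend themselves to a checklist that can be run over a service inventory. The following is an added example, not code from the original post; it assumes that the worst-case data loss equals one backup or replication interval, and that the restore time measured in the last DR test is the best available estimate of real recovery time. The service names and numbers are constructed, except that the first service reuses the post's own "RPO of 2 hours, 5 hours to restore" figures to show that the RPO stays 2 hours regardless of restore time.

```python
# Added example (not from the original post): apply the post's RPO/RTO
# definitions and its backup questions to a list of services.
# Assumptions (mine): worst-case data loss = one backup/replication interval;
# the restore time measured in the last DR test estimates the real recovery time.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ServiceDrPlan:
    name: str
    rpo_hours: float                 # acceptable data loss, measured in time
    rto_hours: float                 # time within which the service must be restored
    backup_interval_hours: float     # how often data is backed up or replicated
    versions_retained: int           # backup generations kept
    offsite_copy: bool               # is a copy kept off-site?
    written_procedures: bool         # do written bring-up procedures exist?
    tested_restore_hours: Optional[float] = None   # measured in a DR test; None if never tested


def worst_case_data_loss_hours(svc: ServiceDrPlan) -> float:
    """A disaster striking just before the next backup loses a full interval."""
    return svc.backup_interval_hours


def evaluate_service(svc: ServiceDrPlan) -> List[str]:
    """Return the gaps between what the service needs (RPO/RTO) and what the plan delivers."""
    findings: List[str] = []

    # RPO is a business target independent of how long recovery takes: an RPO
    # of 2 hours with a 5-hour restore is still an RPO of 2 hours. The only
    # question here is whether backups run often enough to honour it.
    loss = worst_case_data_loss_hours(svc)
    if loss > svc.rpo_hours:
        findings.append(
            f"RPO gap: backups every {loss:g}h can lose up to {loss:g}h of data, RPO is {svc.rpo_hours:g}h"
        )

    # RTO can only be judged against a tested restore; an untested plan has no known RTO.
    if svc.tested_restore_hours is None:
        findings.append("RTO unknown: complete local recovery has never been tested")
    elif svc.tested_restore_hours > svc.rto_hours:
        findings.append(
            f"RTO gap: tested restore took {svc.tested_restore_hours:g}h, RTO is {svc.rto_hours:g}h"
        )

    if svc.versions_retained < 3:
        findings.append(f"Retention: only {svc.versions_retained} version(s) kept, at least three recommended")
    if not svc.offsite_copy:
        findings.append("Off-site: no backup copy kept away from the primary site")
    if not svc.written_procedures:
        findings.append("Procedures: no written bring-up procedure for the DR site")
    return findings


def evaluate_plan(services: List[ServiceDrPlan]) -> Dict[str, List[str]]:
    """Map each service name to its findings; an empty list means no gap was found."""
    return {svc.name: evaluate_service(svc) for svc in services}


# Constructed sample inventory (hypothetical services, not from the post).
SAMPLE_SERVICES = [
    # The post's own numbers: RPO 2h, restore takes 5h. RTO is met, but nightly backups cannot meet a 2h RPO.
    ServiceDrPlan("order-db", rpo_hours=2, rto_hours=8, backup_interval_hours=24,
                  versions_retained=7, offsite_copy=True, written_procedures=True,
                  tested_restore_hours=5),
    # Daily backups satisfy a 24h RPO, but the plan has never been tested, keeps two versions and no off-site copy.
    ServiceDrPlan("payroll", rpo_hours=24, rto_hours=24, backup_interval_hours=24,
                  versions_retained=2, offsite_copy=False, written_procedures=True),
    # Hourly replication and a tested 4h restore; only the written procedure is missing.
    ServiceDrPlan("intranet-wiki", rpo_hours=4, rto_hours=72, backup_interval_hours=1,
                  versions_retained=3, offsite_copy=True, written_procedures=False,
                  tested_restore_hours=4),
]

if __name__ == "__main__":
    for name, findings in evaluate_plan(SAMPLE_SERVICES).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Running the block prints one "RPO gap" for order-db, three findings for payroll and a single missing-procedure finding for intranet-wiki. Replace SAMPLE_SERVICES with your own inventory to turn the post's question list into a repeatable review.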


Security

Sun Ray 270 with Wireless VPN Access

We were challenged recently to demonstrate the capabilities of our Sun Ray 2 technology with the embedded VPN feature to several customers that required wireless networking. So here is what was done to showcase this technology.

We had on hand a Sun Ray 270 thin client which had the latest firmware that allows configuration of the integrated VPN. We employed the help of a LinkSys Wireless-G Access Point, model number WAP54G revision 3.1, with firmware version V3.04, dated December 27, 2007. The WAP was configured via the web interface to function as an "access point client" prior to connection to the Sun Ray 270. By doing so it allows a hard-wired Ethernet device to plug in and participate on a wireless network. To put the WAP in "access point client" mode the MAC address of the remote access point is required. The LinkSys WAP web interface has the facility to conduct a site survey to determine existing access points and allows for the selection of a remote access point.

Here are the steps taken to get connected.
1. Ensure you have a Sun Ray 2 or 270 thin client with the latest firmware with VPN capabilities.
2. Get and configure a wireless access point (WAP) via another computer. Verify connection to the wireless network with that computer.
3. Connect the WAP to the Sun Ray.
4. Power on the Sun Ray. If previously configured to access a VPN you will be prompted for a username and a one-time password generated via a secure ID device.
5. Your internal login screen will be displayed. If you have deployed smart cards, insert yours at this point.
6. If a previous session exists you will be shown a lock screen. Enter your password.
7. The Sun Ray should come to life and your desktop through the VPN should be displayed with the applications you had previously started.

-- Frank


Customers

University at Albany Deploys New Sun Blade 6000 Systems

A few weeks ago I had a chance to visit one of our new Sun Blade 6000 System customers, the University at Albany, which is part of the State University of New York, or SUNY, system.

A little background on the University at Albany: they are an internationally recognized institution, with a mission of undergraduate and graduate education. More than 17,000 students are enrolled in nine schools and colleges. The University at Albany's location, in the capital of New York State, provides a rich environment for collaboration with NYS government, other educational institutions, and private industry. The University at Albany is part of the State University of New York system, which is the parent agency. SUNY consists of 64 campuses with 427,398 total students enrolled during the 2007 school year.

The newly installed Sun Blade 6000 System is located in their datacenter on the uptown campus at 1400 Washington Ave. It is equipped with four AMD processor-based server modules and two Intel Xeon processor-based server modules, with four open slots for future expansion. The Sun Blade 6000 System is protected by an APC UPS which is mounted in the lower quarter of the cabinet. The system is being used to consolidate their existing Microsoft Windows/Exchange infrastructure servers. This project followed a major redesign of their datacenter, with the placement of interconnect cabling in overhead trays and system cabinets positioned for optimal air flow.

IMG, an Albany, NY based Sun Microsystems partner, was instrumental in the university's deployment of the Sun Blade 6000 System.

-- Frank


Security

Sun Ray 270 with VPN Access

I just received a brand new Sun Ray 270 thin client. I have been using one at home since January 2007. I have had one on my desk since 2000 and have used them in many of the Sun offices across the US. The purpose of this new unit is to replace an aging Sun Ray 150 which had been used for years to show off Sun Microsystems thin client technology at various marketing events. We also use a Sun Ray 150 in our conference room for customer meetings and product briefings.

One of the new features of the Sun Ray 270 is the built-in VPN capability. It is enabled through the latest firmware release. To deploy a remote Sun Ray used for access into Sun's internal network, a CISCO 831 router with VPN access was required. With the latest firmware the VPN client is now integrated into the Sun Ray platform. No longer is the costly external CISCO 831 router required.

The unit arrived without the latest firmware so the hunt was on to locate the commands to apply it. I realized my new unit was down a revision by the absence of the advanced commands such as STOP-S, STOP-M, or ALT-V. They are the new Sun Ray Hot Keys.

Sun Ray 270 Hot Keys
- STOP-S: Brings you to the configuration menu
- STOP-M: Brings you to the configuration menu
- ALT-V or Control+Pause+V: Displays the firmware version (CoronaP2. . . . .)
- Control+Pause+C: Clears all configuration data stored in the DTU

I was able to install the firmware via the /opt/SUNWut/lib/utload command. The Sun Ray Server must be running version 4.0 or greater. Once the latest firmware was installed the advanced STOP-S keys worked. I checked the version number of the firmware with the ALT-V keys. It included the string VPN in the version number, so I must have the correct firmware installed. Now it's on to configuring the Sun Ray 270 to be a VPN client. First I checked to see that it would still work as a Sun Ray client before enabling the VPN. It still worked just fine.

To start the process of VPN configuration the STOP-S keys are pressed. A configuration menu is displayed. The main menu consists of the following selections:
- Servers: To set the names of the Sun Ray Servers (more than one is suggested), firmware download server, and log server.
- TCP/IP: To set IP addressing.
- DNS: To set the domain name, the name servers, and search path.
- VPN/IPsec: To enable the VPN client and identify a VPN gateway, group name, group key, username and password.
- Authentication: To set an authentication type, HTTP or none.
- Security: Lets you set a password to secure the firmware configuration.
- Status: Displays the firmware version number.
- Advanced Settings (bandwidth, video and save configuration): Bandwidth may be limited if needed. The "Video" feature allows you to force a screen blank if the screen lock isn't doing it properly. You can store all the configuration in a file and retrieve it via tftp. This is a way to streamline the configuration of many units at a time.

I configured it for my specific environment in a matter of minutes. I inserted my smart card (Sun ID) and entered my password. Jazz music started to play from KKJZ 88.1 FM of Long Beach, California and my email client with several unread messages appeared.

All of this information can be found in the Sun Ray Server Software Collection located on Sun's Online Documentation site http://docs.sun.com

Don't overlook the power savings of a Sun Ray 270. See Clay's World for a recent blog entry on power savings in a lab environment.

--Frank


Security

Recent Trends in Video Surveillance

One of the up and coming computer based solutions in the security space is video surveillance. You may say to yourself "hey, video surveillance isn't new". Well, it's not. It's what is being done with the video after it leaves the camera that is new.

Commonly called CCTV or Closed Circuit Television, these cameras have been analog based. The cameras are connected to a central location via coax cable, one cable per camera to the central location. The cameras also require electric power to function. Far more than 90% of the surveillance systems installed today are analog based, similar to VCR technology rather than DVR technology. Technology in this space is changing very rapidly.

A new breed of camera is available from nearly ten vendors which offers IP connectivity with many other advanced features. IP, "Internet Protocol", is what is commonly spoken between computers on a network. These new cameras include low light adjusting, infrared, and remote control pan and zoom. They can be set to record only when motion is detected. These new video cameras are even powered by the Ethernet network that they are connected to. That translates into lower wiring costs. Some, based on a small internal PC board, can store video and send it as requested. Some have wireless network interfaces too.

When the total cost of a solution is examined, analog cameras cost $2K to $3K each while a similar digital solution would cost $1.5K to $2K per camera. The initial purchase costs are higher than traditional CCTV cameras but the new features are extensive.

I have found that the market space is young but the players in the space are in some cases very mature. Many have existing analog based solutions. For more information on Sun Microsystems Video Surveillance Solutions follow the link.

-- Frank


Virtualization

Back to Basics

As the IT world is moving at a rapid pace toward some level of virtualization we, as solution architects, must not forget the basics that we have learned to protect our computing resources. All of the same principles still apply whether we are deploying single systems or a virtualized environment with several different guest operating systems.

Over the past few weeks I have undertaken a "homework assignment" to become more familiar with Sun xVM Server technology. I have gotten my hands on an AMD based Sun Fire X4200 Server with two internal 73 GB disks. Once I fired up the system I quickly noticed that the BIOS, ILOM, and hardware controller firmware levels were several revisions back from the current release. In the case of the ILOM it lacked some of the functionality I was familiar with from a previous project. I upgraded the BIOS, ILOM, and hardware controller firmware via the ILOM's web interface. It was much easier than I thought it would be. The required files were downloaded from the Sun Download Site on Sun.com.

This exercise got me thinking about security in the virtualized world. Even though we would architect a solution at a "higher" level, a virtual level, we must be as vigilant as we would with a single system. We must still be concerned with the basics. I have noted several basic housekeeping tasks that can serve as a starting point to keep your virtualized environment a little more secure.

- Secure the ILOM with an alternate unique set of user names and passwords. Set strong passwords that include numbers, symbols, upper and lower case characters. If deploying into a large environment, integrate into the existing LDAP naming infrastructure for authorization to the ILOM.
- Connect the ILOM to a private management network used for functions such as system administration, device management, and backup.
- Physically secure the systems in a locked data center quality environment.
- Secure passwords on the guest operating environments as if they are standalone systems.
- Avoid using generic, default and well known account names for administration functions.
- Use virus protection and firewalls as if they are individual systems.
- Use caution when connecting to networks and SANs.
- Continue to implement SAN security.
- Patch the base hypervisor platform and guest operating environments as needed. This may require a controlled patch process. Patch them as if they are individual systems, or do a wholesale replacement of the guest environment which includes the newly applied patches.
- Use non-wire IP traffic between guest operating environments for more secure communications.
- Deploy a separate NIC rather than sharing a NIC between guest operating environments.
- Implement hypervisor and guest operating environment best practices for hardening.
- Adjust your corporate security policy as needed to accommodate virtualization technologies being deployed in your specific environments.

This is an active work in progress. Please check back for more details. -- Frank


General

Holiday Blog -- Keeping your digital photos safe for years to come

I have been asked this question several times this past week so I will formalize my response as a Christmas Gift to you all. Well, you are now on your second or third generation digital camera. You have 3000 to 5000 photos on the hard disk of your home computer or laptop. If you are like myself you have been taking digital photos since the late 1990's. You now have a digital camera built into your phone. Sure hope all of these priceless photos are backed up someplace!

My recommendation to you all is to go out and get some high quality write once CD-ROM media that can be found at places like CompUSA or Wal-Mart. Divide your photos into some logical grouping. I like filing by year and then by activity or event. If I don't have a specific activity or event but have several disparate photos, I just file them in a directory/folder named month_year, like Feb_06 (usually a slow month). This way I can archive an entire year at a time. So far I have not hit the maximum size of a CD-ROM in a given year. I burn two copies. One I keep in my computer CD-ROM collection at home. The other I put in a safe place such as a bank safety deposit box or fire proof safe, preferably someplace other than where you are keeping your first copy. I archive my photos yearly. I back up my photos on hard disk every few weeks.

Now for a great Christmas gift for that owner of that digital camera. Get them a USB thumb drive or memory card/stick to keep their most recent photos on. This will allow them to bring their most recent photos with them to show off at family gatherings and other various social events that typically take place here in the United States at this time of the year. Happy Holidays! --Frank


General

I printed it, where did it print?

I can't make this stuff up. These are real world conversations. I was in the office several days ago and one employee handed another some pages which had been on the printer since the weekend. The recipient stated it must have been from when he was connected to the VPN from home and tried to print this document. Nothing came out at home so he reprinted, this time selecting his local printer.

An employee travels to his corporate offices in New York City and is conducting business on one of the computers in this office. Since their IT staff is forward thinking, the employee can log in to the computers in the NYC office and use his profile as if he is back in his local office. He sets his default printer to the NYC office printer. This individual returns home. Several days later he prints some sensitive corporate information but the output did not come out of his printer. It went to the printer in NYC. You guessed it, the chase is on to find someone he trusts who can grab the output before he gets in hot water.

Also this past week I heard a story about how someone attempted to print some off color output from an adult web site on their printer from their company owned laptop. Nothing printed on his/her home HP Inkjet, but he/she must have forgotten they printed it. Several weeks later at the office, after plugging in his/her laptop, a coworker on a witch hunt is running around trying to track down who just printed some very offensive material at work.

So be careful when printing something that is not for public consumption. -- Frank


Security

Passwords and Human Nature

Today I had to reset my password on two of my web based accounts. Managing these all too familiar accounts has become a real chore for me. The root of the problem is that I refuse to write them down on a post-it note and my memory isn't as sharp as it once was. Like most of you I too will use several variations of the same word or words. Now these new Web 2.0 based systems have started to report back that I have used this password once before, that it is too similar to the current password, or that it has to have more than one symbol in addition to alphanumerics.

I have also found it isn't always my failing memory that has denied me access. Each time I needed to access one of my employee health benefit accounts the password I had set at last use was not accepted and had to be reset. To my surprise my wife had been using the same account and would have the password reset each time she would need to access it. How could this be?

At home recently we had a problem with the monitor on our personal computer. As I was troubleshooting the problem I moved the monitor to find my wife's own post-it note with more than a half dozen username password combinations stuck under the monitor base. So it's not just me having problems. When confronted she commented that most of the time she couldn't find her list of passwords. So good luck to someone specifically looking for them.

Extremely perplexed by the situation I turned to Google for advice and to my surprise here is what the Microsoft and Oracle security experts had to say: Microsoft's Jesper Johansson (blog), Microsoft's Jesper Johansson (cnet article). Well, the experts say it's ok to write them down? -- Frank
