Friday, November 7, 2008

A medley

Sometimes when working in IT we must accept that it's not just a question of playing with new technologies and learning the trade; rather, all systems must be configured and geared towards the realisation of business goals. That CEOs don't encourage mindful downtime in the pursuit of which command line argument works best, which network topology works most efficiently and what DMZ arrangement seems most sexy is a bitter pill we have to swallow. Whatever of this, the introduction to the world of pain enjoyed by a business-minded technologist can be fraught with frustration. Some weeks back I was asked to ensure all licenses in use in the office were valid so that we could represent to our partners that we were fully compliant. This compliance covers licensing, security auditing, rationalisation of full backups of company data, preparation for disaster recovery and maintenance of correct intrusion detection systems. The word 'fun' didn't cross my mind even once when considering the enormity of this task.

Firstly: Licensing
Getting a straight and definitive answer from anyone about how to license MS products is well-nigh impossible. According to Microsoft, if you use their product you have to have a license to do so. Some of these licenses can be purchased on a per-processor basis while others are client-access dependent. For example, if you have a SQL server serving a million-hit-per-day website, it's certainly better to license the processor rather than per client access, which may work out rather expensive. Additionally, transferring installs between servers renders your OEM license invalid, which means you have to purchase another license? The mind boggles :-) For current MS license considerations for virtualisation please see: http://www.vmware.com/solutions/whitepapers/new_msoft_policies.html

Security Auditing
This is an interesting one. MS Server 2003 logs all logon attempts and failures as well as recording changes made to Active Directory. Additionally, using persistent session data in database access applications facilitates selective recording of who accesses data in sensitive tables. Restricting such access by means of group membership also reduces log writing, thereby reducing log size and ultimately facilitating log analysis. My difficulty comes with the PCI requirement to be able to recreate a hacker's journey through the network. If someone gains access, forensic analysts should be able to recreate their journey through our systems, showing what they accessed with timestamps at every point. A great idea, but hugely expensive in terms of the tools available; consideration given here to Tripwire and LT Auditor.

Rationalisation of backups with a view to Disaster Recovery
We have backups, we take them off site and we're very pleased with ourselves. When we have to recover files it's usually not too tedious a process, and we've managed to recreate those systems that have failed when such has (and inevitably does) come to pass. Synchronisation of important data between the primary site and the colocation has also been a good move. Recreating a fully working system in another location, should our building go up in flames, is a bit more difficult. Managing the replication of data between the primary site and the colocation can be done without too much problem. Additionally, manual remapping of drives and application settings can easily be done for users should the comms room in the primary site fall over. The difficulty we face is that it won't be fully up to date, and if the primary site goes down (where remote user VPN access is based), enabling user access to the colocation site and introducing additional backup scenarios, redundancy and chronological backups for that location become, once again, a matter of lots of money. Fortunately, this company has offices in 3 locations, meaning staff can easily be relocated and roaming profiles will continue to be operational once a few logon scripts have been edited a little.

Intrusion Detection Systems
Apparently this is more than someone looking through the log files of firewall servers from time to time; tedious at the best of times. Intrusion detection and alert systems are great and I've grown to like the VMware appliance NST (Network Security Tracker) which features Snort, Nessus, Base etc.
I suppose the moral of my story is that you can work in IT with the systems and have a bit of fun from time to time or you can become an architect and Director and ensure the work gets done but as a project manager for certain aspects of compliance, there are new lessons to learn. You may be a jack of all trades but these times require the management of many masters.

Thursday, November 6, 2008

Cheap Document Versioning

All documentation should employ versioning methodologies and template mechanisms. This refers to the use of timestamps and comments whereby editors declare what changes they have made to documents and peers or senior management sign off on each alteration. Document preparation can be an iterative process from draft form to the final published document yet, at each level, similar methodologies should be employed and discipline should be maintained in any organisation to ensure the final product truly reflects business requirements. 

All documents should be formatted using a common typeface. That employed by Company X is as follows:

Headers

  • Style: Arial
  • Size: 14

Normal paragraph

  • Style: Arial
  • Size: 12

Headers should display the document name (but not the path)

Footers should contain page numbers at the bottom centre

While a document is in draft mode, editors should employ the use of Track Changes in MS Word. A reference guide is available at http://office.microsoft.com/en-us/word/HA012186901033.aspx

The first page of a draft document should display:

  • Document name
  • Document description/ summary
  • A chronology of editor names and brief description of changes made on given dates


The above facilitates increased process transparency and accountability.

Once a document has been completed, a signed off copy of the final draft should be stored as well as the published copy.

Tuesday, October 28, 2008

PCI Compliance

I've recently been looking at PCI DSS (Payment Card Industry Data Security Standards) compliance for a client. For details see: https://www.pcisecuritystandards.org/

From a business perspective it makes perfect sense. If you hold cardholder data, those companies responsible for the cards (Visa, Mastercard et al) need to know that you're holding the data securely. By being compliant, both your customers and the banks can trust your company. Additionally, you show you're staying within the law. PCI compliance stipulates that you cannot store all of the card data. You can store credit card type, card number, cardholder name, start and expiry dates. You cannot, however, store the 3 digit code on the back of the card.

The amount of work you will need to do in order to become PCI compliant depends on your network infrastructure topology and the security standards and policies already in place. If you need to accept payments via your site, you can use PayPal or set up a merchant account and get an SSL certificate for secure online transactions.

If you need to hold credit card data you need to ensure the presentation layer (GUI) and data layer (database) are separated by a firewall. Your presentation layer also needs to be separated from the rest of your network by a firewall. Credit card data stored in the database must be encrypted, as must the passwords of users who have access and could otherwise view the card details in clear text. Authentication should also be complex. The recommendation is a username, a strong password and a security token (think RSA).

In order to do the above in a secure and logical fashion, this author recommends the use of VLANs for logical separation of the various functional aspects of the network. Additionally, by employing a DMZ and some intelligent routing, you can continue to update and patch your servers' anti-virus and OS.

All traffic in and out of your network should be monitored. This may be done using a proxy server. My choice would be Squid as it's open source (and free, fast and reliable). My client has favoured Microsoft's ISA Server (simple integration with the domain and fully supported). Both will do the job required.

Finally (for this post at least), your network requires a serious amount of logging. Should your network security be breached and credit card details be stolen, forensic data analysts will need to pore over your logs (dull for them and very costly for you). They should be able to trace all user activity (login time, folders opened and closed, etc.) with timestamps for everything. Along with this you require network intrusion detection tools.

Friday, October 24, 2008

Working in IT in DRC

Since I was a young lad watching Live Aid and the famine in Kenya I always dreamed of one day working in development. In 2003 I got my opportunity. Rather than venturing out as an ascetic Mother Teresa type I was going to work as Information and Communications Technology Officer, initially with an Irish NGO and later with an organisation within the United Nations.

I was originally tasked with managing, supporting and upgrading ICT infrastructure in 3 locations around the country, training staff in each location and identifying individuals in each location who could support the systems during my absence. Later this grew to 12 locations as ICT officer and my final year was spent as an Information Management Officer tracing information flows and business processes and designing systems correspondingly such as a website, an intranet and a document management system with appropriate metadata and taxonomies. I also consulted with UNDP on the communications strategy for elections this year.

In 2003 I left my offices in Ireland where I’d been surrounded by servers and test PCs, broadband connections and memories of late nights troubleshooting and writing code. Some weeks later I arrived in Kinshasa, Democratic Republic of Congo, a city of between six and ten million people (according to estimates), a city with no phone lines, although mobile phones are abundant in the cities, and a country where an estimated 4.5 million people have died as a direct result of war in the previous 9 years.

The first task I undertook was to upgrade the communications systems in two remote locations – Goma and Kasongo. The Kasongo office was the more challenging of the two. Kasongo is in the centre of DRC. The population is about 800,000 and there are 6 cars. The only way to travel around DRC is by plane, as the infrastructure has been destroyed by war. Staff used laptops as power was only provided for a couple of hours a day. We used UPS (uninterruptible power supplies) until the batteries were depleted, and surge protection for unexpected power spikes which could fry equipment in seconds. Instead of using satellite phones, which cost £2 per minute to download emails in field offices with no internet access, I wanted to install VSATs (satellite dishes) to provide always-on internet connections. Use of satellite phones for 10-15 minutes per day worked out at almost £1000 per month. Bandwidth rental on a dish would cost £200, with all the benefits internet access would bring, thereby saving almost £10,000 per year. It was strange going from a phone line connection to the internet at home in Ireland to setting up a broadband connection with a wireless local area network in a remote village with no power in the middle of DRC, but it was the best and most inexpensive solution. And all this in a place where there is not even running water. It felt great to connect this village (or at least this office) to the world, to search for ‘Kasongo’ on the web and show the staff their village and images of their administrators. Sometimes I think I was the most excited by it, as I didn’t feel so remote and removed from the rest of the world anymore.

The systems put in place must be sustainable. A VSAT’s reliability and uptime is 99.5%. This meant I could do my work, leave and not have to do constant check-ups. If there were problems in the future a technician would have to be flown in, which is a costly exercise. On another occasion, while building a website using PHP with a MySQL backend database, I scaled back my plans, deleted the database and used flat text files for backend data. This sacrificed flexibility within the project, but had I not done this there was no one to change the database or rewrite the code. Ease of use and maintenance always won out in the end, but I also always tried to keep scalability in mind.

Offices in DRC need the same systems as anywhere else. Staff need Word and Excel, desktops or laptops (I preferred laptops for mobility, the built-in battery, the weight for international delivery and the fact that, in my experience, desktops seem to crash more); offices need networks; people need email and file storage space. This is managed the same way as anywhere else. The digital divide is not about different systems, as these are the same anywhere. The digital divide is another example of the vast differences between the developed world and the developing world, the rich and the poor. Such divides exist at so many levels of our own societies, but the way in which digital technology has become a mainstay in our everyday lives in the past decade makes us increasingly aware of other divides, much greater divides. The prosperity that came with the dotcom bubble was a phenomenon of the West and, in general, the profits of so much more have been ours alone.

I could talk ad nauseam about networks, VPNs, different operating systems, licensing issues, standardisation and attempts to coordinate strategies between Kinshasa and field offices with Dublin, Geneva and New York, but it meant more to me than that. I met wonderful people and had incredible experiences. I saw happiness and sadness and experienced both. I witnessed a nation of beautiful people and struggled hard to reconcile that with what I read in newspapers about events in the country and in neighbouring countries before them. I worked in Rwanda and saw a country scarred by its history, DRC tormented by its colonial history and heritage. I travelled to South Africa and saw a beautiful country trying to heal the wounds of its past. I learned about the politicisation of development and the trials and tribulations of successes and failures in the field, the sadness of those who care when they see their work destroyed before them, but above all the pain of the victims of war and the remains they are left with to struggle by on day by day. I am more grateful now for my own background, yet continue to hope and pray for change for those less fortunate than ourselves and that I may contribute to such in my future. DRC has had a transitional government in place since 2003 and recently held its first elections since independence in 1960. The seeds are being sown for a better future.

Overall I spent almost 3 years in DRC. It was difficult to travel everywhere in vehicles, more often than not with a driver, travelling from one guarded compound to another looking out of the windows at life going by in the city, a life that was not mine but that I looked upon as a voyeur. I lived within this as an expat, within a different community, a community and society most of these people would never know, yet I have to believe that my contribution to communications made a difference to the organisations I worked for and improved their ability to coordinate and respond to humanitarian needs. Now I live in London, but I know I’ll go back, maybe not to DRC, but I’ll go back.

Saturday, October 18, 2008

ESXi, VMware, winscp for backup

All the clients I work with primarily use Microsoft products. I realise it's very difficult to get away from working with MS software because of interoperability and the extent to which most enterprises have become entrenched with their software over the past 15 years. Although I'd love to see companies universally adopt Open Source software, porting various aspects of industry applications would be prohibitively expensive. That said, the advent of free ESXi means that everyone can build a server and try out all manner of configurations.

Up until recently, convincing someone to move to anything Open Source could be difficult. Let me explain how ESXi has made this so much easier. 

Let's take a server and install ESXi (you can download the .iso from here - you need to register)

I set this up on a 2U HP server using a 2-disk mirrored RAID 1 for the OS and a 3-disk RAID 5 for adding VMs. I also have a hot-swappable disk in there for a rainy day.

ESXi runs on a VMware version of Linux. As far as I can gather, ESX runs on a modified version of Red Hat, though ESXi is simpler than this. A tip after installing ESXi is to enable SSH, as using the Virtual Infrastructure client later won't give you access to the base OS. Believe me, this can simplify your future!

Enable SSH as follows (from this site)
  • Alt-F1 and then type in ‘unsupported’
  • edit /etc/inetd.conf (using vi)
  • remove the # (remark) sign in front of the SSH line
  • kill and restart the inetd process (or just reboot your server). If you already have VMs on there that you don't want to stop, and so can't reboot the server, do the following (unfortunately restarting services doesn't restart inetd, so you need to find and restart the specific process):
  • At the command prompt, get the process id: ps -a | grep inetd
  • Once you have the pid, enter: kill -HUP <pid>
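
The steps above as an added shell script, not from the original post: it uncomments the SSH line and HUPs inetd in one go, keeps a backup of the config, and can be run twice without harm. It assumes the busybox tools available on the ESXi console (grep, sed, cp, mv, ps, awk, kill), that the SSH entry is the only line in inetd.conf mentioning "ssh", and that the config path is passed in so the edit can be rehearsed on a copy first.

```shell
#!/bin/sh
# Added example (not the original post's code): the manual inetd.conf edit
# and HUP described above, scripted. Assumptions: busybox grep/sed/ps/awk,
# and a single inetd.conf line containing "ssh" which is the service entry.

# ssh_enabled FILE: succeeds when an uncommented ssh line is present.
ssh_enabled() {
    grep -q '^[^#]*ssh' "$1"
}

# enable_ssh_line FILE: keep a .bak copy, then strip the leading '#' (and
# any spaces) from the ssh line. Idempotent: an already-active line is left
# alone. Returns 1 when the file has no ssh entry at all.
enable_ssh_line() {
    f="$1"
    grep -q 'ssh' "$f" || { echo "no ssh entry in $f" >&2; return 1; }
    cp "$f" "$f.bak"
    sed '/ssh/s/^[# ]*//' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# reload_inetd: the no-reboot path from the post. HUP makes inetd re-read
# its config; the bracket in the pattern stops grep matching itself.
reload_inetd() {
    pid=$(ps -a | grep '[i]netd' | awk '{print $1}' | head -n 1)
    [ -n "$pid" ] || { echo "inetd not running" >&2; return 1; }
    kill -HUP "$pid"
}

# Typical use on the host (left commented so the file is safe to source):
# enable_ssh_line /etc/inetd.conf && reload_inetd
```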
SSH was a bit of a lifesaver for me. There are precious few free ways of backing up your virtual infrastructure under ESXi. By enabling SSH, you can create scheduled backups using WinSCP, or you can synchronise your virtual machines with another file store using the WinSCP switch -keepuptodate.

Once you've got VMware ESXi up and running you can create and install a multitude of operating systems and software configurations to play with. The VMs are installed in the datastore on the ESXi machine, with one folder per VM. These can be uploaded to another location on your network or to disk. If you're using WinSCP, the VMs are in VMFS/volumes/datastore1/

Confirming the interoperability of various systems and software means you can experiment with your client's systems at home. The ability to save your virtual machine to a USB key means you can run it in your client's environment (with minor or no reconfiguration) on VMware Server or Player and work away!

Thursday, September 4, 2008

python-soappy, fpconst, and a new package

This was driving me crazy. I'm setting up SOAPpy for the Windows Live Contacts Python API and fpconst wouldn't work for me. The error in the console was that it couldn't find fpconst.py even though it was in the folder. I moved the file up a level and it installed. To explain:

I'm in site-packages in Django. fpconst is a child folder of site-packages. I moved fpconst.py into the site-packages folder and ran
d:\python25\lib\site-packages>d:\python25\python.exe fpconst-0.7.3/setup.py install

This finally worked for me!!!

Good luck

Friday, August 29, 2008

Backup Exec 12 on Debian

Installed Backup Exec 12 RALUS (Remote Agent for Linux and Unix Servers) on my Debian (v4) server yesterday and started the service using

/etc/rc2.d/S99VRTSralus start

This is based on the HowTo guide I read at http://www.apodis.net/kb/index.php?view=ViewArticle&id=80&set=all so thanks to Jelle for that.

The service kept failing at start up so I added the following package

apt-get install libstdc++5

and the service started successfully.

My Linux server showed up in my Unix/Linux servers in Backup Exec 12 on Windows and I was off!