Solutions for SA DECS Schools
Posted by daniel @ June 24th, 2009
The South Australian Department of Education and Children's Services have recently announced the “Dual ISP” program. This means that schools can choose to use a secondary ISP at their school for redundancy or performance reasons.
DECS has also announced that schools must use the same filtering system as mandated centrally and cannot use alternative filtering products. They have also stated that schools must use the standard infrastructure ISA Proxy appliances provided by DECS to manage access to a second ISP.
What are the problems with this?
When managing student activities at the school a range of tools are required. While the DECS solution may provide schools with good levels of Internet filtering, there are several other issues that must be dealt with and the following systems should be put in place.
- Internet Quota Control or Billing systems
- Detailed and effective Internet Reporting
- Auditing for student Internet access
- Auditing for staff Internet access
How can NetFox help?
If you are using NetFox currently, or are looking at doing so in the future, the above issues can be addressed. Furthermore, NetFox can be implemented to work with the DECS guidelines and ensure that you are following the correct practices.
How can NetFox be implemented to work with DECS?
There are two options for implementing NetFox with the standard DECS infrastructure.
Using the NetFox Appliance
The NetFox appliance can be placed in your network as an “intermediate” proxy server. It will perform billing and reporting as normal and can also offer additional filtering to the DECS solution. NetFox provides more filtering options than the DECS solution; for example, forcing the use of safe Google searches.
When implemented, NetFox will connect to your school's ISA proxy as an upstream proxy. You will need to create a “netfox” user on your ISA server and use the “single user” upstream option in the NetFox configuration. You can also set NetFox to choose an upstream proxy depending on the site that is requested.

Using NetFox Business Online
The NetFox Business Online service will be available in South Australia around the end of August. Schools will be able to use it for reporting on staff and student Internet usage from their DECS ISA Proxy server without the need for any additional hardware. An agent is installed on the ISA proxy server which sends all logs to the NetFox Business Online servers. See our product page for more details.
Soon after launch we will be adding billing capabilities and a portal designed specifically for teaching staff to manage their students on-line.

How do I find out more?
Send us an email or give us a call if you need assistance or have questions you need answered. Our details are here.
Delivering Usability and Security In Your Organisation
Posted by adam @ December 12th, 2008
The Game
Information services are critical to modern business. Email has become ubiquitous and most communication on which business relies would be impossible without it. Providing at least email and web access is mandatory to business nowadays.
Managing information services in your enterprise is difficult. One must make trade-offs between security and usability. Your users (and probably the boss) want usability, while common sense and (in many sensitive industries) the law requires high security.
How can you hope to make the best trade-off between the two?
The Players
The users want an unlimited network experience. They want to be able to access online collaboration tools, they want to take their laptop and work from anywhere; and they want wireless access in the office so they can work from the couch on occasion. The user has become technologically clued up and will use online tools to help with every aspect of his job – usually with little thought to privacy and security.
You, as the network administrator, want security. You want to block access to external mail providers, instant messaging, VoIP, file sharing and social networking sites. Why wouldn’t you? Once sensitive company information is on a web service you don’t control, you’ve lost control of that information; how can you tell who is reading it?
The Myth
- Blocking everything non work related (Facebook, Hotmail, etc) will make my users more productive
This is not actually correct. If you take the time to block these sites your users will take the time to find ways around your blocks. This may range from as harsh as cracking your systems to circumvent the block to something as trivial as coming to work late or taking longer lunches in order to sit at a cafe with their laptop on wireless and catch up with their personal sites.
It is more beneficial to allow (but monitor) use of these sites. If users are aware they are being monitored they will keep their use to a reasonable amount and focus on work.
The Blow By Blow
Achieving balance requires providing users with the resources they want and need. Retaining control of the resources mitigates the risk of information leakage and security breaches. Simple tools such as a web mail server and wiki which are accessible outside the company can make all the difference. You will be able to protect these tools with SSL and require authentication to use them – something that a lot of free online providers can’t or won’t do.
Moving further, providing a single sign on tool can make a huge difference; users could have a dozen weak, easy to remember passwords or a single strong, slightly difficult to remember password. Microsoft provides this through Active Directory and NTLM on most of their products. Software from other vendors supports at least LDAP, and many can be rigged to speak NTLM if required. It’s possible to get most *NIX machines authenticating against NTLM or Windows talking to LDAP if needed.
More advanced services may be provided if the users have enhanced needs. A VPN can make a huge difference for road warriors. Make sure the VPN server is highly secured and ensure it can route directly into the company network – without NAT – and the company routers can route back to the VPN. Your firewall can then open up the services that are needed over the VPN.
Making a VoIP extension of your PBX available over the VPN will allow users to place and receive calls as easily and cheaply as when they are in the office, without resorting to running up huge mobile or hotel phone bills or using their kinky_kitty69 screen name to communicate with business contacts.
Wireless network access is a vital tool of late. Provide good wireless coverage in your organisation. Tie it into your company’s central authentication database so the user’s regular login will allow them to authenticate their wireless connection. If you fail to provide wireless, or make it too difficult to use, then users will resort to plugging their own (usually unsecured) access points into the network.
In many cases users will download and try tools to improve their work. This can be mitigated by granting only the permissions needed for the user to do their job. The downfall of this is that it’s rather limiting, and in a lot of industries where interfacing to hardware (electronics, manufacturing machines, robotics, etc) is required the user may need to run as an Administrator on the machine to talk to the hardware and this also grants them the ability to install software on their machine.
The SNAITG (Sensitive New Age IT Guy)
The IT admin should regularly engage the users and be aware of their changing needs. An open door policy to getting things done is the easiest way to ensure your users don’t go behind your back and do things themselves. If you are approachable and willing to help the users with their needs then they are more likely to come and see you rather than hacking it together themselves.
Staying aware of what tools the users are finding useful is also vital to this strategy. If there is talk of a particular service being trialled, it pays to go and learn the basics. If it looks like the service is gaining traction preempt the users and configure it on a server you control rather than trusting a user to run it from his or her desktop PC. Being seen to be proactive and helpful will keep the users coming to you to ask rather than doing it themselves.
The Post-Mortem
Being proactive about monitoring is also important. Some users will invariably go against you no matter if you indulge their needs or not. Being able to identify detrimental activity on your network is useful. Being made aware as soon as something bad happens allows rapid action to be taken. Being able to identify who did what is beneficial when it comes to rapping knuckles for inappropriate behaviour.
A good proxy server can filter inappropriate material and log users’ web browsing activity in real time. This reduces the tendency to perform non-work related tasks on the Internet, and allows accounting for those times when it may be required.
Network monitoring software can scan your network looking for new services, verifying the availability of known services and ensuring that no unauthorised software is installed on the user’s desktop PC.
NetFox provides both of these services and more. Please see http://www.netfox.com for more information.
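The per-user accounting and "who did what" auditing described above can be sketched over proxy logs as follows. This is an added example, not NetFox code or part of the original post; it assumes a tab-separated W3C extended log with a `#Fields:` header, and the field names, the `anonymous` username for unauthenticated requests, the quota value and the sample lines are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log (W3C extended format, tab-separated); not real data.
SAMPLE_LOG = """#Software: constructed sample
#Fields: c-ip\tcs-username\tdate\ttime\tr-host\tsc-bytes\tcs-bytes\tsc-status
10.0.5.21\tSCHOOL\\jsmith\t2009-06-24\t09:01:12\twww.example.edu\t48213\t512\t200
10.0.5.21\tSCHOOL\\jsmith\t2009-06-24\t09:03:40\tvideo.example.com\t7340032\t804\t200
10.0.7.9\tanonymous\t2009-06-24\t09:04:02\twww.example.org\t1200\t300\t407
10.0.6.14\tSCHOOL\\mlee\t2009-06-24\t09:05:55\tmail.example.net\t20480\t-\t200
10.0.6.14\tSCHOOL\\mlee\t2009-06-24\t09:06:01\tbroken line
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the most recent #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))

def to_int(value):
    """W3C logs write '-' for an empty field; count it as zero bytes."""
    return int(value) if value.isdigit() else 0

def usage_report(text, quota_bytes):
    """Return (bytes per user, users over quota, client IPs seen unauthenticated)."""
    totals = defaultdict(int)
    unauthenticated = set()
    for rec in parse_w3c(text):
        user = rec["cs-username"].lower()
        if user in ("-", "anonymous"):
            # No identity means no audit trail: report the client IP instead.
            unauthenticated.add(rec["c-ip"])
            continue
        totals[user] += to_int(rec["sc-bytes"]) + to_int(rec["cs-bytes"])
    over = sorted(u for u, b in totals.items() if b > quota_bytes)
    return dict(totals), over, unauthenticated

if __name__ == "__main__":
    totals, over, unauth = usage_report(SAMPLE_LOG, quota_bytes=5 * 1024 * 1024)
    print(totals, over, unauth)
```

Requests with no authenticated username are reported by client IP rather than dropped, since they are the ones an audit cannot attribute to a person.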
Xen and the art of Green
Posted by adam @ August 15th, 2008

Most people in the IT industry have heard of virtualisation, and many understand how it can benefit their organisation.
There are several virtualisation technologies which operate on x86 hardware. VMware, Parallels and Microsoft Virtual Server are commercial examples. Open Source technologies include Xen, KVM (now part of the Linux kernel), QEMU and VirtualBox. Each technology has its advantages and disadvantages, and should be assessed against the needs of the organisation.
NetFox has employed the Xen hypervisor for virtualisation. Xen provides hardware assisted full virtualisation (to run unpatched guests like Windows if needed) and para-virtualisation. The para-virtualisation approach utilises a lean OS called a hypervisor to create and control guest operating systems. The total overhead in this approach is typically around 1%, so guests run at near native speeds while wasting very little processing power on running the host OS.
What most people don’t think about is the green factor of virtualisation.
An average server-type machine will consume more than 50% of its full rated power when sitting idle. Power saving technologies such as suspend to RAM and CPU frequency throttling can only go so far in reducing that figure and are often detrimental to performance.
Every watt consumed in the data centre must be matched by at least one watt of cooling. Any savings realised in server power consumption are realised doubly as cooling costs are reduced by the same amount.
Server consolidation also requires less server hardware. This requires fewer natural resources to produce and leaves less waste to dispose of or recycle at the end of the server lifecycle. It is beneficial not only in reduced capital outlay on server hardware, but also in reduced space requirements to house the servers.
Using Xen and Linux hosts NetFox are able to achieve a consolidation ratio of better than 16:1 for most services. Working at these consolidation ratios, NetFox has been able to reduce electricity consumption in our data centre by more than 70%.
This is great for business, but it’s even better for the environment.