Rapid Recovery and Backup for Virtual Environments
May 21, 2008
The benefits of virtual environments are beginning to be realized. Companies intent on cashing in on the advantages of virtualization technologies are eager to reduce the financial and physical footprint associated with racks of computers.
While many elements of the IT environment are relatively unchanged by virtualization, others are impacted more dramatically. For example, organizations with expanding virtual infrastructures now find backup and recovery a proximate and pressing concern. Challenged with meeting recovery time objectives (RTO) and recovery point objectives (RPO), even as backup windows and storage space shrink, organizations must be able to quickly back up their virtual environments and recover not just an entire virtual machine but individual files on that machine.
To that end, a growing number of companies are opting for technologies that offer dual restore capabilities from a single backup. With these tools, organizations can restore a single file or an entire image from just one backup pass. This more efficient and flexible approach to protecting virtual environments dramatically reduces server, network, and storage requirements for data protection while providing significant improvement in recovery time and reliability.
Better Backups, Better Recovery
With off-host backups of virtual machines now possible, the impact of backup processing on the server and hosted virtual machines is significantly reduced. This allows for more frequent backups.
Yet traditional backup solutions either back up only at the vmdk level (that is, the entire virtual machine) or require two separate backup passes to support both single-file restores and whole-vmdk restores. Since each type of restore has its place, organizations want both options available when things go wrong.
For example, if a virtual machine is infected with a virus or damaged by user error, a single-file restore is of little use; the entire virtual machine needs to be restored. But if a user deletes a single file and needs it back (the most common type of restore operation), restoring the entire virtual machine is not only excessive but also requires downtime.
At the same time, aggressive RPOs and RTOs remain a requirement for keeping mission-critical applications constantly available. Meeting those objectives requires tight integration of the backup and recovery process with the applications and databases they are protecting, whether in physical or virtual environments. It also requires granular recovery to improve recovery time, instant recovery options from online images, and complete system recoveries of operating environment, application, and data in minutes.
Consequently, new backup and recovery tools are making possible either type of restore while retaining the performance advantages of an off-host backup and a single backup pass. At the foundation of these capabilities is technology that backs up at the vmdk level and then maps, catalogs, and backs up individual files as well.
Particularly useful for larger virtual installations based on shared storage, the integration of this backup technology with the virtual server technology enables organizations to manipulate and control virtual snapshots just as they would array or software-based snapshots. Snapshots of virtual machines are created and then mounted to the backup proxy for backup. This approach almost completely removes the backup processing overhead from the primary virtual server and allows for rapid backup of virtual machines.
What’s more, combining such backup capabilities with deduplication brings further benefits. By deduplicating backup data at the source, before transmission, the processor, network, and storage resources the backup process consumes can be reduced by one or more orders of magnitude for images that change little between runs, according to some studies. This comprehensive approach enables fast, low-impact virtual infrastructure backups with dramatically reduced backup windows and recovery times. It also makes virtual client backup feasible for smaller virtual deployments that do not employ SAN technologies.
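As an added illustration of source-side deduplication (example code written for this page, not taken from any product the article describes), the following Python sketch backs up a constructed disk image twice, the second time with a small insertion in the middle. It uses content-defined chunking, so the insertion disturbs only the chunks around the edit rather than shifting every block after it, and only chunks the store has not seen are transmitted. The chunk-size parameters, rolling-hash table, store interface and sample image are all assumptions made for the example.

```python
import hashlib
import random

# Content-defined chunking parameters: boundaries are chosen by the data itself,
# so inserting bytes into an image only disturbs the chunks around the edit.
CHUNK_MIN = 2048
CHUNK_MAX = 16384
BOUNDARY_MASK = 0xFFF00000          # 12 zero bits -> average chunk of about 4 KiB

# Constructed gear table for the rolling hash (any fixed 256 random 32-bit words work).
_rng = random.Random(1)
_GEAR = [_rng.getrandbits(32) for _ in range(256)]


def split_chunks(data: bytes) -> list:
    """Cut data into variable-size chunks with a gear rolling hash (FastCDC style).
    Because the hash is linear mod 2**32 and shifts left each byte, a byte's
    contribution vanishes after 32 steps, so boundaries depend only on local content."""
    chunks = []
    start = 0
    h = 0
    n = len(data)
    for i, byte in enumerate(data, 1):
        h = ((h << 1) + _GEAR[byte]) & 0xFFFFFFFF
        size = i - start
        if (size >= CHUNK_MIN and (h & BOUNDARY_MASK) == 0) or size >= CHUNK_MAX or i == n:
            chunks.append(data[start:i])
            start = i
            h = 0
    return chunks


class DedupStore:
    """Backup target: a content-addressed blob store keyed by SHA-256 of each chunk."""

    def __init__(self):
        self.blobs = {}

    def have(self, digests):
        # In a real product this is the round trip the client makes before sending
        # any data: "which of these chunks do you already hold?"
        return {d for d in digests if d in self.blobs}

    def put(self, digest, chunk):
        self.blobs[digest] = chunk


def backup(store: DedupStore, image: bytes):
    """Source-side dedup: hash every chunk, transmit only the ones the store lacks.
    Returns (manifest, bytes_sent); the manifest is the ordered digest list that
    fully describes the image and is all the catalog needs to keep per backup."""
    chunks = split_chunks(image)
    manifest = [hashlib.sha256(c).hexdigest() for c in chunks]
    known = store.have(set(manifest))
    sent = 0
    for digest, chunk in zip(manifest, chunks):
        if digest not in known:
            store.put(digest, chunk)
            known.add(digest)          # a chunk repeated inside one image is sent once
            sent += len(chunk)
    return manifest, sent


def restore(store: DedupStore, manifest) -> bytes:
    """Rebuild the image from its manifest. A whole-vmdk restore is exactly this;
    a single-file restore would fetch only the chunks covering that file's extents."""
    return b"".join(store.blobs[d] for d in manifest)


def demo():
    """Back up a constructed 256 KiB 'disk image', then a second version with
    100 bytes inserted at offset 100000. Returns (size1, sent1, size2, sent2)."""
    rng = random.Random(42)
    v1 = bytes(rng.getrandbits(8) for _ in range(256 * 1024))
    v2 = v1[:100_000] + b"patched-config-line\n" * 5 + v1[100_000:]
    store = DedupStore()
    m1, sent1 = backup(store, v1)
    m2, sent2 = backup(store, v2)
    assert restore(store, m1) == v1 and restore(store, m2) == v2
    return len(v1), sent1, len(v2), sent2


if __name__ == "__main__":
    size1, sent1, size2, sent2 = demo()
    print(f"first backup:  {sent1}/{size1} bytes sent")
    print(f"second backup: {sent2}/{size2} bytes sent")
```

With fixed-size blocks the insertion would change every block after offset 100000 and the second backup would resend most of the image; with content-defined boundaries only the one or two chunks around the edit are new, which is where the network and storage savings the paragraph describes come from.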
Integration and Automation
It is no surprise that backup technologies with tighter integration with virtual server technologies offer additional benefits to organizations. For example, the integration of a snapshot wizard with the virtual server can ease backup policy configuration. Also, the direct integration of a configuration wizard with the virtual infrastructure can help ensure that IT administrators have a straightforward and easy-to-use graphical interface from which to configure and manage their virtual machines. With such a GUI, administrators can quickly provide login credentials, define other types of virtual servers, and more.
A number of tools also provide for automatic discovery of virtual servers and machines. This capability is often offered as part of the backup policy to make it easier for administrators to select specific or all virtual machines associated with an enterprise-level virtual server.
Virtual Evolution
Virtualization not only provides redundancy for mission-critical applications and data, but it is also an effective tool for stretching limited resources in overcrowded computing environments. Its use will likely continue to grow as more organizations deploy virtualization in production environments, not simply in test or development. Indeed, many enterprises already run business and production applications on virtual servers. Furthermore, enterprises that deploy virtualization are recognizing that it is not a one-time ROI-based project but an ongoing strategy for operational efficiency.
As the adoption of virtual technologies increases, businesses must take a critical look at the tools and technologies for backing up and restoring these virtual systems and their data. While traditional approaches to backup and recovery in the physical world do not translate well in virtual infrastructures, many of the requirements remain the same. Organizations must be able to continue to increase the efficiency and cost-effectiveness of their IT operations through the use of virtual technologies while also delivering on strict RTOs and RPOs.
Consequently, a growing number of enterprises are leveraging innovative backup and recovery technologies that deliver granular file-level and image-level recovery from a single backup operation. When used together with data deduplication and tight integration of backup technologies with virtual technologies, these tools enable fast, low-impact virtual backups that dramatically reduce the challenges of data protection while offering measurable improvements in reliability as well as recovery time.
Securing wireless connections
May 20, 2008
Wireless networking is easy to set up, and it’s convenient, especially if you like to move around the house or office with your portable computer while staying connected. But because they use the airwaves, wireless communications are more vulnerable to interception and attack than a wired connection. Here are some tips for securing your wireless network.
1. Use Encryption. – Encryption is the number one security measure, but many wireless access points (WAPs) ship with it disabled. Almost every WAP supports the Wired Equivalent Privacy (WEP) protocol, but it is not enabled by default. WEP has well-known flaws, and a knowledgeable attacker can recover the key from captured traffic in minutes, but it is still better than no encryption at all. A frequent recommendation is to set the WEP authentication method to “shared key” rather than “open system”; do the opposite. With open system authentication the data frames are still WEP-encrypted; the setting only controls how a client proves it holds the key before it associates. Shared key authentication makes things worse: the WAP sends a 128-byte challenge in the clear and the client returns the same bytes WEP-encrypted, handing any eavesdropper a plaintext/ciphertext pair from which the RC4 keystream for that IV can be read off directly. With that keystream an attacker can answer a later challenge, and forge or decrypt data frames of the same length under that IV, without ever learning the key. So use open system authentication with WEP, change the WEP key frequently, and use 128-bit WEP rather than 40-bit, bearing in mind that the longer key only slows down the statistical attacks that break WEP; it does not stop them.
2. Use Strong Encryption. – Because of WEP’s weaknesses, use the Wi-Fi Protected Access (WPA) protocol instead of WEP if at all possible, and WPA2 with AES (CCMP) rather than WPA’s TKIP wherever your equipment supports it. To use WPA, your WAP must support it (you may be able to add support to an older WAP with a firmware upgrade); your wireless network interface cards (NICs) must support it (again, a firmware or driver update may be necessary); and your wireless client software must support it. Windows XP Service Pack 2 installs the WPA client. SP1 machines can be updated to support WPA by installing the Windows WPA client with the Wireless Update Rollup Package (see http://support.microsoft.com/kb/826942/). Note that a WPA or WPA2 pre-shared key can be guessed offline from a single captured handshake, so choose a long, random passphrase rather than a word or a name. Another option is to run IPsec over the wireless link, if your wireless router supports it.
3. Change the default administrative password. – Most manufacturers use the same default administrative password for all their wireless access points (or at least, all those of a particular model). Those default passwords are common knowledge among hackers, who can use them to change your WAP settings. The first thing you should do when you set up a WAP is change the default password to a strong one (eight characters or more, mixing letters and digits, and not a dictionary word). If the WAP offers it, also disable administration from the wireless side and from the Internet, so that the password can only be tried from a wired LAN port.
4. Turn Off SSID Broadcasting. – The Service Set Identifier (SSID) is the name of your wireless network. By default, most WAPs broadcast the SSID in their beacons. This makes it easy for users to find the network, as it shows up on the list of available networks on their wireless client computers. If you turn off broadcasting, users will have to know the SSID to connect. Some folks will tell you that turning off SSID broadcasting is useless because a hacker can use packet sniffing software to capture the SSID even if broadcasting is turned off; it still appears in the probe and association frames every client sends when it connects. That’s true, but why make it easier for them? That’s like saying burglars can buy lockpicks, so locking the door is useless. Two caveats, though: clients configured for a hidden network must actively probe for it by name, so your laptops will announce the SSID wherever they are taken; and hiding the SSID is no substitute for encryption. Turning off broadcasting won’t deter a serious hacker, but it will keep out the casual “piggybacker” (for example, a next door neighbor who notices the new network and decides to try connecting “just for fun”).
5. Turn off the WAP when not in use. – This one may seem simplistic, but few companies or individuals do it. If you have wireless users connecting only at certain times, there’s no reason to run the wireless network all the time and provide an opportunity for intruders. You can turn off the access point when it’s not in use—such as at night when everyone goes home and there is no need for anyone to connect wirelessly.
6. Change the default SSID. – Manufacturers provide a default SSID, often the equipment name (such as Linksys). The purpose of turning off SSID broadcasting was to prevent others from knowing the network name, but if you use the default name, it’s not too difficult to guess. As mentioned, hackers can use tools to sniff the SSID, so don’t change the name to something that gives them information about you or your company (such as the company name or your physical address).
7. Use MAC Filtering. – Most WAPs (although not some of the cheapest ones) let you use media access control (MAC) address filtering. This means you can set up a “white list” of computers that are allowed to connect to your wireless network, based on the MAC (physical) addresses assigned to their network cards. Communications from MAC addresses that aren’t on the list will be refused. The method isn’t foolproof: MAC addresses travel in the clear in the header of every 802.11 frame, even on an encrypted network, so an attacker with a sniffer can read a valid address from one of your users’ frames and then spoof it, typically with a single driver setting. But it does make things more difficult for a would-be intruder, and raising the intruder’s cost is what most of these measures are about.
8. Isolate the wireless network from the rest of the LAN. - To protect your wired internal network from threats coming over the wireless network, create a wireless DMZ or perimeter network that’s isolated from the LAN. That means placing a firewall between the wireless network and the LAN. Then you can require that in order for any wireless client to access resources on the internal network, he or she will have to authenticate with a remote access server and/or use a VPN. This provides an extra layer of protection. For instructions on how to allow VPN access to your network from a wireless DMZ created with Microsoft’s ISA Server firewall, see http://techrepublic.com.com/5100-6350_11-5807148.html. [You'll need a TechProGuild subscription to access this content.]
9. Control the wireless signal. – The typical 802.11b WAP transmits up to about 300 feet. However, this range can be extended by a more sensitive antenna. By attaching a high-gain external antenna to your WAP, you can get a longer reach, but this may expose you to war drivers and others outside your building. A directional antenna transmits the signal in a particular direction, instead of in a circle like the omnidirectional antenna that usually comes built into the WAP. Thus, through antenna selection you can control both the signal range and its direction to help protect from outsiders. In addition, some WAPs allow you to reduce transmit power in their settings. Keep in mind that this only reduces your exposure: an attacker with a high-gain antenna of his own can receive your signal well beyond the range at which your clients can use it.
10. Transmit on a different frequency. – One way to “hide” from hackers who use the more common 802.11b/g wireless technology is to go with 802.11a instead. Since it operates on a different frequency (the 5 GHz range, as opposed to the 2.4 GHz range in which b/g operate), NICs made only for b/g won’t pick up its signals, although dual-band a/b/g cards are readily available and a war driver is likely to carry one. Sure, this is a type of “security through obscurity,” but it is acceptable as one more layer on top of real measures such as encryption; it is never a substitute for them. A drawback of 802.11a, and one of the reasons it’s less popular than b/g, is that the range is shorter: about half the distance of b/g. It also has difficulty penetrating walls and obstacles. From a security standpoint, this “disadvantage” is actually an advantage, as it makes it more difficult for an outsider to intercept the signal even with equipment designed for the technology.
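To make the shared-key point in tip 1 concrete, here is an added example (written for this page, not part of the original article) that simulates the Shared Key authentication exchange with a toy WEP implementation in Python. The secret key, IV and challenge bytes are constructed; the 802.11 headers and the key-ID byte that follows the IV on the air are omitted. The attacker side uses nothing but the two frames it could sniff from a legitimate login.

```python
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling plus keystream generation, XORed over data (encrypt == decrypt).
    WEP runs it with key = IV || secret, so the keystream for a given IV is fixed,
    and WEP lets the sender pick the IV."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP's integrity check value: an unkeyed CRC-32 appended before encryption."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as WEP sends it: 3-byte IV in the clear, then RC4(IV||secret) over plaintext||ICV."""
    return iv + rc4(iv + secret, plaintext + icv(plaintext))


def wep_decrypt(secret: bytes, body: bytes):
    """Returns the plaintext, or None if the ICV does not match."""
    iv, ciphertext = body[:3], body[3:]
    plain = rc4(iv + secret, ciphertext)
    data, tag = plain[:-4], plain[-4:]
    return data if icv(data) == tag else None


# Shared Key authentication, frames 2 and 3 of the four-frame exchange.
def ap_verify(secret: bytes, challenge: bytes, response_body: bytes) -> bool:
    """AP side: frame 2 carried `challenge` in the clear; frame 3 must be the same bytes WEP-encrypted."""
    return wep_decrypt(secret, response_body) == challenge


def client_respond(secret: bytes, iv: bytes, challenge: bytes) -> bytes:
    """Legitimate client: encrypt the challenge under the shared key."""
    return wep_encrypt(secret, iv, challenge)


def eavesdrop_keystream(challenge: bytes, response_body: bytes):
    """Attacker who sniffed frames 2 and 3: known plaintext XOR ciphertext = keystream for that IV."""
    iv, ciphertext = response_body[:3], response_body[3:]
    return iv, xor(ciphertext, challenge + icv(challenge))


def forge_response(iv: bytes, keystream: bytes, challenge: bytes) -> bytes:
    """Attacker answering a fresh challenge: reuse the captured IV and XOR in the recovered
    keystream. No knowledge of `secret` is needed, and the same keystream also decrypts
    or forges any data frame of this length sent under this IV."""
    return iv + xor(challenge + icv(challenge), keystream)


def demo():
    secret = bytes.fromhex("0123456789abcdef0123456789")       # constructed 104-bit ("128-bit") WEP key
    iv = b"\x11\x22\x33"
    chal1 = bytes((i * 7 + 3) & 0xFF for i in range(128))        # constructed 128-byte challenge
    legit_body = client_respond(secret, iv, chal1)                # session observed by the attacker
    legit_ok = ap_verify(secret, chal1, legit_body)
    seen_iv, keystream = eavesdrop_keystream(chal1, legit_body)   # attacker never sees `secret`
    chal2 = bytes((i * 13 + 5) & 0xFF for i in range(128))       # the AP's challenge to the attacker
    forged_ok = ap_verify(secret, chal2, forge_response(seen_iv, keystream, chal2))
    return legit_ok, forged_ok


if __name__ == "__main__":
    print("legitimate client accepted: %s, attacker accepted: %s" % demo())
```

Under open system authentication there is no challenge/response step, so this plaintext/ciphertext pair is never handed out; the attacker is back to the (still feasible, but slower) statistical attacks on WEP traffic, which is why open system is the less bad of the two WEP settings.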