What I have Learned Being an IT Security Professional

I have been working in IT security for a few years now. At my current company, I am responsible for North America IT security and am part of a small security team on a global scale. Before I started there, information security was handled by the infrastructure team. Let me tell you that this is not really a good way to handle security as that team tends to think differently. But how should information security be handled?

Information security should not be about saying no to everything. For instance, I can make any computer completely safe from malware and completely safe from being hacked. To do so, I just need to remove the network connection, keyboard, mouse, monitor… really any other input and output mechanism. Of course, that makes it completely unusable. Just like this unusable computer, security should not be about removing things. Rather, it should be about applying proper controls to mitigate the risks.

It is the responsibility of the Information Security professional to mitigate the risks of the bad actors getting something out of companies. One of the concepts of information security is the CIA Triad, which stands for confidentiality, integrity, and availability. Going back to that ultra-secure computer, the information is definitely still confidential and since it has not been used the data integrity is great but it is not available so it does not work with the triad.

I have found that groups like IT Operations tend to not think about security first. This is where the information security professional comes in by reviewing the company’s processes to make sure the data is both usable and secure. There are plenty of tools out there to help with this process. For instance, multi-factor authentication (MFA) is great because it offers more than the simple user ID and password combination. This is especially important since some people will use easy-to-remember passwords or even write their passwords down somewhere. By adding MFA, you can even relax the time between password changes. In fact, the latest recommendation is to not force password changes except when there is a possible account compromise.

Of course, IT does not get an unlimited budget and security tends to get only a small portion of that budget. So how does the security professional decide where to spend money? One simple method is to look at the risk versus reward scenario. For instance, putting all your budget into a really secure firewall may not be the best way to go now that employees can bring their computers on the go. If employees get their computers infected with malware while out of the office, the malware goes around the firewall when the laptop is plugged back into the corporate network. It would be better to invest in anti-malware on the endpoints so that they are protected even when not in the office. There are other products out there that can help the endpoints including antivirus, email security, and web browsing solutions.

Email is probably the most used attack vector I have seen. Why is this? Because the employee tends to be seen as the weakest part of the security chain. This is why security training is important. There are companies that sell security training and they can be really good purchases. They tend to have newsletters, games, and email packages that can be given to employees. Plus, a good internal phishing campaign can be used to test your employees. One thing I have added to my security training is a monthly newsletter I send to the employees. It is something that I write up so it costs my company nothing but my time. This does not have to be anything huge. In fact, it is better if it is short and covers only one or two topics as people tend to not have time to read something too long. For instance, I have done a few newsletters on phishing, especially what to look out for in a phishing email. I even add on a picture or two to catch the eye. I use Google to find the images. If you do that, just make sure to change the usage rights filter to Reuse. You can do this by clicking on the Tools option to find the Usage Rights menu.

Security is extremely important for companies. While it is everyone’s responsibility to keep company data secure, it is the IT security professional’s role to make sure things are secure. Tools can help but the security professional needs to be aware where to spend the budget dollars. Security training is a great way to help the end-users with being secure. There are plenty of other parts of being an IT security professional. This post is just about some of the tidbits that I have found while working in IT security. If there is anything you want me to go over, feel free to reach out and maybe I will write a blog post about the topic.


Security Can’t Keep Up, or Can It?

Not too long ago I was asked to be on a roundtable to discuss security. We had a good conversation about why it is important and if enterprises are doing enough to fight the bad guys. Gestalt IT hosted the conversation and you can listen to it below or from their site (https://gestaltit.com/podcast/rich/security-cant-keep-up-the-on-premise-it-roundtable/). For the most part, my colleagues were taking the side that the bad guys are always finding ways in and it is the enterprises that are playing catch up. However, I disagree with this premise.

Security has not always been at the forefront of the conversation. This is evident in the products that are used by companies. Products like Windows, Office, and Quickbooks were built originally to offer a solution. For instance, financial people needed a way to chart calculations and products like Lotus 123 and Microsoft Excel were created. But security was not designed in from the beginning. Eventually software companies started catching on and added security but it seems to be more of an add-on usually.

In the past few years, I have seen many companies change this discussion. Companies that I have worked with have started taking the security discussion seriously. This includes hiring a person to concentrate on Information Security. Why is this? Put simply, the cost of that one person is far less than a single breach and C-suites are starting to understand this. For instance, back in 2017 the pharmaceutical company Merck was hit with a cybersecurity incident that cost them well over $150 million. While this is an extreme example, it is a really good lesson for other companies. No C-level staff member wants to explain to shareholders a loss even a fraction of that size that could have been mitigated.

It is now 2019 and I am seeing many companies listening to examples like Merck’s cybersecurity incident. They are hiring Information Security staff to help find the holes in networks. Simple concepts like patching and closing firewall holes help. But that is not all that is being done. Tools like antimalware agents on end-user computers help to find malicious software when it is launched accidentally. Additionally, companies are spending money on training end-users to identify security events so they never get in, even accidentally. Training is not a panacea but it definitely helps. Plus, as companies make the move to the cloud, security becomes even more important.

Information security is not perfect and bad events can still occur. But companies are recognizing that they need to spend money on security. In fact, some companies even use their security programs as a selling point. Additionally, governments are starting to mandate security (e.g. regulations like GDPR) so it will become more prevalent. In the future, I expect all companies to either have a good security program or no longer be in business. As always, let me know if you think differently.


Cisco’s Global Networking Technology Report

Being a Cisco Champion has some privileges. Recently, I was given an early glimpse of Cisco’s Global Networking Technology Report. This is a new report from Cisco that explains the current state of networking technologies and where networking is heading. Cisco interviewed a good number of IT leaders and network strategists around the world and correlated the responses into this report. While you should go read it for yourself, here are my thoughts.

Cisco’s 2020 Network Trends Report

I have been working in networking for many years. One of the newest changes in networking that I have worked on is called Intent Based Networking (IBN). This is adding security directly into the networking stack. Deploying IBN is definitely NOT quick and easy as it tries to determine the intent of every device connected to your network. From there, security controls are applied to each connection so that devices can perform the tasks that are needed and nothing more. According to the report, IBN is something that IT leaders are pushing. It states that 28% of the respondents already have it deployed and 78% plan to be there within 2 years. This is extremely important for security as a basic network (just connectivity) will allow problems to grow easily. Take for instance a ransomware outbreak: companies that get really impacted have simple networks that allow a payload to find other infectable devices, turning a simple mistake by an end user into a financially draining incident for the company.

I do want to add that the report did not really quantify the level of deployment for that 28%. Personally, I am on my second deployment of Cisco’s Identity Services Engine (ISE). It is a complex installation and, when done wrong, can take down network communications. When done right, it makes it easy to add security controls into the network. The first part of my first deployment was getting ISE to handle wireless authentications. It is a very small part of IBN but is that enough to put me in that 28%? I guess that comes down to the IT leaders that responded to the survey.

Another concept the report discussed was artificial intelligence (AI) in networks. While the concept of AI has been around for quite some time (I am thinking of Mary Shelley’s Frankenstein), Hollywood has really helped to define what I imagine AI to be: think of Tony Stark’s Jarvis as true AI. However, this is not what the report is referring to with AI. It is about adding decision trees into the network for applying controls. Let’s go back to the ransomware example: if AI determines there is a dangerous uptick in traffic, alerts could be generated to administrators or new security rules can be applied automatically to halt the traffic while the administrator determines why the new traffic started. This action can allow the administrator to go directly into determining the problem. It’s like a shield getting applied automatically to a fire – the problem may have started but it is contained right away before it can grow into a raging inferno.
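The "decision tree" idea above, where an uptick in traffic produces an alert or an automatic containment rule, can be illustrated with a small detector. The following is an added example written for this post, not code from Cisco or from the report: it compares how many distinct peers each host talks to in a live window against a quiet baseline window, and escalates from no action, to an alert, to a quarantine rule as the fan-out grows. The flow records, addresses, thresholds and the shape of the quarantine rule are all constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, dport). Hypothetical RFC 1918 addresses.
def _flows(src, dsts, dport):
    return [(src, d, dport) for d in dsts]

# Quiet baseline window: each workstation talks to a handful of file servers on TCP 445.
BASELINE_FLOWS = (
    _flows("10.0.5.7", ["10.0.6.1", "10.0.6.2"], 445)
    + _flows("10.0.5.8", ["10.0.6.1", "10.0.6.3"], 445)
    + _flows("10.0.5.9", ["10.0.6.1", "10.0.6.2", "10.0.6.4"], 445)
)

# Live window: 10.0.5.7 suddenly fans out to 25 peers (worm-like spread),
# 10.0.5.8 grows moderately, 10.0.5.9 is unchanged.
LIVE_FLOWS = (
    _flows("10.0.5.7", [f"10.0.6.{i}" for i in range(1, 26)], 445)
    + _flows("10.0.5.8", [f"10.0.6.{i}" for i in range(1, 9)], 445)
    + _flows("10.0.5.9", ["10.0.6.1", "10.0.6.2", "10.0.6.4"], 445)
)


def peers_per_host(flows):
    """Map each source host to the set of distinct destinations it contacted."""
    peers = defaultdict(set)
    for src, dst, _dport in flows:
        peers[src].add(dst)
    return peers


def decide(baseline, live, warn_factor=3, block_factor=10, min_peers=5):
    """Decision tree per host: quarantine, alert, or nothing.

    A host is only considered once it contacts at least `min_peers` destinations,
    which keeps a baseline of one or two peers from tripping on normal jitter.
    """
    base = peers_per_host(baseline)
    actions = {}
    for host, peers in peers_per_host(live).items():
        n = len(peers)
        b = max(len(base.get(host, ())), 1)  # avoid division by zero for new hosts
        if n < min_peers:
            continue
        if n >= block_factor * b:
            actions[host] = ("quarantine", n, b)
        elif n >= warn_factor * b:
            actions[host] = ("alert", n, b)
    return actions


def quarantine_rule(host):
    """Build a vendor-neutral deny rule (hypothetical format) to contain one host."""
    return {
        "action": "deny",
        "src": host,
        "dst": "any",
        "note": "automatic containment pending administrator review",
    }


if __name__ == "__main__":
    for host, (action, n, b) in sorted(decide(BASELINE_FLOWS, LIVE_FLOWS).items()):
        print(f"{host}: {action} ({n} peers vs baseline {b})")
        if action == "quarantine":
            print("  ->", quarantine_rule(host))
```

The important design choice is the two-tier response: an alert leaves the decision with a person, while the quarantine rule only fires on a large multiple of the host's own baseline, which is the "contain first, investigate second" behaviour the paragraph describes. In a real deployment the baseline would be learned over days rather than a single window.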

The last concept I want to mention is the change coming to the IT workforce. Just looking at the concepts previously mentioned illustrates the need for transformation in network administration. My deployments of ISE have shown me that application developers need to understand networks when deploying new applications. It used to be easy enough for developers to claim that a server needs to be accessible. With IBN, it is better to understand what the actual network flow needs to be. For instance, if a web server needs to communicate with a SQL server then it may only need TCP 1433. Of course, this means that developers need to understand the network flows to have good conversations. Really, new roles, like network orchestrator, will emerge: someone that understands how applications communicate and can define the network flows. Additionally, the report talks about business integration. IT people that can communicate with the business are becoming even more important. For instance, the business and IT people need to work together to deploy new applications. With a good deployment of IBN, a new application will not work until the security rules are set up, hence the need to discuss what rules are needed as part of the deployment.

Operations Readiness Model

This leads to the Operations Readiness Model for networks. It ranges from Reactive (simple network connectivity) to Business Optimized, which is when IBN, AI, and Machine Learning (ML) are deployed fully within the network. A business optimized network helps the administrator to get away from constant troubleshooting of problems as it will make automated adjustments to help the business flows. It is not a true Network Jarvis (one that you can have a conversation with) but it makes the network help with the mundane tasks almost like another employee. A Business Optimized network is “dynamic end-to-end policy changes based on business intent” as stated in the report. Personally, it would allow people like myself to spend more time with business development – it moves IT from a cost center to a true business enabler.

Cisco’s Global Networking Technology Report is not groundbreaking in any way. It describes what IT leaders are seeing in the industry including where networks are going. There are some other concepts in the report that I did not include so go check it out for yourself. You can download the report from https://www.cisco.com/c/en/us/solutions/enterprise-networks/networking-technology-trends.html. Let me know if you see anything more important in the report. For companies to grow, they need to embrace these changes since staying with simple networks will be detrimental when (not if) a problem breaks out. Plus, it allows the IT department to help with the growth of business.


My time at Palo Alto Networks

Not too long ago, I was invited to a unique experience: Security Field Day 2. This was a great experience in which I got to interact with different vendors as they explained their products and services. To learn more about this event, including links to the videos that were made, head on over to https://techfieldday.com/event/xfd2/.

In the afternoon of the first day, we were brought to Palo Alto Networks (PANW) – https://www.paloaltonetworks.com/. Up until that time, all I knew about this company was that they had application-aware firewalls that were making inroads into the market; however, I really had no experience with their products. I have worked on many firewalls during my career: Cisco, Juniper, Watchguard, Checkpoint. They were all similar in that rules were created based on ports. For instance, a rule could allow packets if they are going to a particular IP address over TCP port 80 (HTTP). The one thing I did know about PANW firewalls is that they went further than this – their firewalls could determine the actual application that was running over that port. This was important as malicious parties could just change their attack to a known port like TCP 80 to get through a port-based firewall. This type of firewall is called a next-generation firewall or NGFW. Of course, other companies have their own NGFW models so I never really saw their firewall as being a particular advantage.
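Two passages in this page describe the same policy idea from different angles: the IBN discussion earlier (a web server that only needs TCP 1433 to its SQL server) and the NGFW point just above (a port match is not proof of the application). The following is an added example written for this page, not code from Palo Alto Networks, Cisco, or the author: a tiny flow-policy evaluator in which each rule names the source zone, destination zone, port and the application expected on that port, and a first-bytes classifier checks that the payload actually looks like that application. The zone map, addresses, rules and sample payloads are all constructed for illustration, and the classifier is a deliberately simplified stand-in for real application identification.

```python
import re

# Constructed least-privilege flow policy (hypothetical zones and ports):
# (src_zone, dst_zone, proto, dport, expected_app)
FLOW_POLICY = [
    ("web", "db", "tcp", 1433, "mssql-tds"),   # the web tier may only reach SQL on 1433
    ("internet", "web", "tcp", 80, "http"),
    ("internet", "web", "tcp", 443, "tls"),
]

# Constructed zone membership; hypothetical addresses.
ZONES = {
    "10.0.1.10": "web",
    "10.0.2.20": "db",
    "203.0.113.5": "internet",
}

HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n"
)


def classify_app(payload: bytes) -> str:
    """Simplified application identification from the first client bytes.

    Real NGFWs use far richer signatures and stateful decoding; this only
    demonstrates that the decision can depend on content, not just the port.
    """
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    if payload.startswith(b"SSH-"):          # SSH identification string
        return "ssh"
    if payload[:2] == b"\x16\x03":           # TLS handshake record, version 3.x
        return "tls"
    if payload[:1] in (b"\x12", b"\x10", b"\x01"):  # TDS packet types: pre-login, login, SQL batch
        return "mssql-tds"
    return "unknown"


def evaluate(src_ip, dst_ip, proto, dport, payload):
    """Return ("allow", app) or ("deny", reason) for one connection attempt."""
    src_zone = ZONES.get(src_ip, "unknown")
    dst_zone = ZONES.get(dst_ip, "unknown")
    for rule_src, rule_dst, rule_proto, rule_port, expected_app in FLOW_POLICY:
        if (src_zone, dst_zone, proto, dport) != (rule_src, rule_dst, rule_proto, rule_port):
            continue
        app = classify_app(payload)
        if app == expected_app:
            return ("allow", app)
        # Port matched but the content does not: this is the case a port-only rule misses.
        return ("deny", f"app-mismatch: expected {expected_app}, saw {app}")
    return ("deny", "no matching flow rule")


if __name__ == "__main__":
    samples = [
        ("10.0.1.10", "10.0.2.20", "tcp", 1433, b"\x12\x01\x00\x2f\x00\x00\x01\x00"),
        ("10.0.1.10", "10.0.2.20", "tcp", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
        ("203.0.113.5", "10.0.1.10", "tcp", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        ("203.0.113.5", "10.0.1.10", "tcp", 80, b"SSH-2.0-OpenSSH_8.9\r\n"),
    ]
    for s in samples:
        print(s[:4], "->", evaluate(*s))
```

The fourth sample is the case the paragraph warns about: a non-HTTP client talking to the web tier on TCP 80. A port-based rule would accept it; the application check denies it and records why, which is also the message a defender wants in the log.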

Then came a session with Nir Zuk, a co-founder of PANW and current Chief Technology Officer. Being a founder and current C-level officer, I knew he would be highlighting why PANW is a great company albeit through his own views. When he started, he had no slide deck (there was even a question if the black screen behind him would be ok on camera) so I knew I had to strap in for an interesting ride. What I was not ready for was his passion on why PANW took off and why they are one of the major Cybersecurity companies today.

Zuk started PANW for a simple reason: to try to unscrew the network community. There was a viewpoint that packet inspection firewalls were not good enough. While this was back in 2005, it is really obvious in today’s networking that they were correct especially when cloud services are brought into the mix. He referred to PANW as a Cybersecurity vendor, not a firewall company. In fact, he claimed that PANW is the largest Cybersecurity vendor in the world. I cannot back that up myself and a quick Google search questions the use of the word “largest.” However, after hearing their product strategy, I can tell you that PANW is a company that understands the direction of security and I expect them to play an integral role in keeping companies safe.

For the next couple of hours, I got to hear and see details about Palo Alto Networks’ products from other PANW employees. For instance, Varun Badhwar spoke on extending security from on-premises to cloud, which is an extremely important concept in my opinion. He introduced us to Prisma, which is a security service from PANW. Today’s large cloud providers (AWS, Azure, etc.) have some great offerings around services. Personally, I work with Azure a lot and I can tell you that their security offerings are good but not great. Take a listen as to why Prisma is a product to consider:

PANW is not just a firewall company. They helped change the security landscape and I expect they will continue to enhance security stances for companies. If you have not already done so, check out this company’s products. Their leadership has the right mindset and the products they are introducing could be instrumental in helping to secure companies as they transition to cloud services.

DISCLAIMER: Tech Field Day is run by Gestalt IT (https://gestaltit.com/). They paid for my flight, hotel room, most food, and the transportation. PANW paid them to get myself (and the rest of the delegates) to visit; however, I was not financially compensated by PANW to be there or for this blog post. PANW did give me a t-shirt, some chocolate, homemade beef jerky (really good), and some water while I was onsite. This blog post was written because of PANW’s message – this post was my own opinion and no one asked me to write it.


My Tech Field Day Experience

Recently, I was invited to a unique experience called Tech Field Day. I really had a good time while given a great learning experience. This is something I can recommend to others – I really hope that I get the opportunity to do it again.

What is Tech Field Day?

It is a one-of-a-kind service offered by Gestalt IT (https://gestaltit.com). They bring together a small group of people in the technology field, that they call delegates. The delegates interact with different companies in a presentation style event. It is both live-streamed and recorded for later viewing. The companies that come to the event are the ones paying since they can use it as a marketing tool. However, the delegates are not paid by the companies as that keeps them independent. I put out less than $100 total for my time, which was for food outside of the event (really during travel time) and parking at the airport – everything else was picked up by Gestalt IT.

What happened before?

I was offered the opportunity less than two months before the event. At that point, all I knew was that I was going and Gestalt IT would be paying for the “flight and hotel and a drink or two along the way.” Shortly afterwards, I got an email that gave me the overall description of the event time. It included a link to an online form that asked questions about my professional life. This included my Twitter handle, website, LinkedIn URL, and a professional/personal description. This was used to create web pages that they could use to advertise the delegates. Mine can be found at https://techfieldday.com/people/evan-mintzer/.

A few days later, I received another email with a link to answer some questions. These questions were about both professional and personal information. It is the same questions for all the delegates and they use it to create web pages that offer further details. Mine can be found at https://gestaltit.com/exclusive/zuramel/meet-field-day-delegate-evan-mintzer/. This is where creativity helps. Answers should be a little complex; definitely more than a simple yes or no. I really liked the question on ice cream since it offers a quick viewpoint of the person.

Not too long after that, their travel agency reached out to me to set up my travel. The actual presentations were three days but they wanted me to travel the day before and allowed me to travel back the day after. That makes 5 days that were mostly paid for by Gestalt IT. The hotel is the same for everyone because most of the presentations are there. There is no direct flight for me to San Jose, CA, so I booked a flight to San Francisco and they took care of getting me down to the event hotel. With travel arranged, I waited patiently, although anxiously, for my next communication. In the meantime, I could go to https://techfieldday.com and see each delegate that was getting added.

About 3 weeks before the event was when I received the next email. It was addressed to a mailing list that included all of the delegates for my event. The email described that it was a closed mailing list and it should be used for us to communicate with each other for non-public communication like asking questions to the other delegates. Gestalt IT made it clear that any discussion about presenters or event content should be done in public as they would prefer the transparency. They made it clear that we should remain independent of the companies and that included negative comments when they are deserved. Also, the email included links to the delegate pages for the group – this allowed me to see what the other delegates wrote about themselves. Ok – so now it is getting real but still a few weeks to go.

The week before the event was the next email. It provided a list of the companies presenting, with links to their web sites, and a detailed agenda of when each presentation occurs and where. Remember I wrote that most of the presentations are at the hotel? Well, a couple may be at offsite locations. For instance, we were traveling to Palo Alto Networks on Wednesday and VMware on Thursday. One thing I noticed was how busy the agenda felt – we were starting at 7AM each day and there did not seem to be any time to rest till after dinner. Another thing mentioned was the meals plus a comment that we needed to bring a gift (about $30-$50) for a swap during our first dinner. Personally, I went to Amazon and searched for “geek gifts” until I found one I liked. With gift in hand, I packed Tuesday morning and got on the plane to start my adventure.

What about during the event?

I was lucky enough to ride down from San Francisco with another delegate so we talked about different things, which made the ride go quicker. We checked into the hotel and got ready for dinner. Before dinner, each of us was given a welcome bag with different snacks and some drinks like water, soda, and Red Bulls. However, there was a hidden agenda with the bags. They told us that they were forced to use the hotel food service for any food and that it was not cheap. However, they could not stop delegates from bringing in food.

Dinner that night was really nice – I had a great steak with a fried egg on top. In addition to drinks, appetizers, and dessert, we got to know each other using the gift swap. There was even a round of stealing gifts before they were opened – each gift was wrapped differently so it was interesting to see why some were stolen. After a couple of hours of getting to know each other, we went back to the hotel to get a good night’s rest.

My meal at Farmer’s Union

Wednesday was three presentations with one being off-site. There was a get-together that night that included some of the vendors (including ones yet to present) and some friends from the area. Thursday started with an offsite presentation and then another back at the hotel. Since we arrived back at the hotel with some time before the last presentation, I was able to be part of a podcast panel. This was something that gets recorded and we discuss a topic – my topic was if security was improved as companies move to the cloud. We were able to do two of these during the week but they will not get posted till sometime after the event.

After that, we went to a fun dinner and then a team building experience. They told us that they have had different experiences in the past such as laser tag and bowling. They chose an escape room for us. I was on the team with the CEO, Stephen Foskett. He is a really nice guy but competitive – he named us the Winning Team before we even arrived. Unfortunately, we had the hardest room and did not finish in time; however, we all agreed that we had a fun time, even Stephen. It was a good way to recharge our brains for the last day.

The “Winners Team”

Friday was another two presentations in the morning. Once they were done, our responsibilities were over but Gestalt IT was not done with us. We had some time to discuss the presentations before getting whisked away to the Apple campus. After spending some time there, we came back to the hotel and had an informal dinner. We then said goodbyes and left on different planes to rejoin our normal lives.

Recommendations

For starters, go to https://www.techfieldday.com to learn more. If you would like to be a delegate, find an event that you think you would be good fit and there should be a link to apply. Here are some other tips if you go:

  • Do some research before you go. The Tech Field Day site has videos for all the previous events. Review some to see how they go but realize that there are other things happening.
  • Check out the blogs and postings about the other attendees. It helps to see how their viewpoints can add to the conversations. People are different.
  • Realize that you may not be the smartest person in the room but that is not what they are looking for – they want people that can add value. If you have a question during a recording, there is a good probability that someone else is curious. Ask the question.
  • Sometimes a vendor shows up and acts like it is just another presentation. Do not be rude to the vendor!! It is better to ask questions to try to help them. If it gets too bad, someone from Gestalt IT will handle it.
  • There is a private Slack room set up for the event. Use it during the presentations to talk to other delegates. Do NOT actually talk to other delegates as it will get picked up by the microphones.
  • Tom Hollingsworth (@NetworkingNerd) will probably be your emcee and main point of contact. He is a CCIE and runs a lot of the event – kind of an important guy. However, during the filming he will act as a gopher so if you need anything just reach out using Slack. You want coffee? He will get you a coffee. You want tea? He will get you a tea. You want a mocha cappuccino frappe with a half twist of non-fat soy milk? He will get you a coffee. You just have to ask.

I recommend this experience highly. If you have any other questions about it, please feel free to reach out to me about my time doing Security Field Day. Also, check out #XFD2 on Twitter to see our tweets during the event.

***Disclaimer – Gestalt IT paid for my airfare, hotel, and most of my meals. Some of the vendors gave me some small gifts like t-shirts, pens, and a solar charger. I was not paid to write this post and it was based completely on my experiences during the event.


CiscoLive and Security Field Day

This past week was Cisco’s yearly conference that they do in the US: CiscoLive, also known as CLUS. This is a conference that I like to go to but have not been able to for the last two years. Last year was due to my previous employer and changes that occurred when a new C-level manager came in. This was one of the reasons that I left. If you want to hear more, find me and we can discuss but it is not something I want to write about here.

While I did not get to go, I did try to stay involved over social media and watch the conference from afar. It is not the same as being there but at least I did not have to fill out an expense report. I guess my social media interaction was plenty because I was named best remote attendee for a second year in a row. It is a pretty cool honor to be named the best. Next year will be different as I have already discussed going with my new company. I am looking forward to seeing all my friends that I have not been able to see in person for 2 years.

While I had to miss CLUS, next week I get to go on a brand new adventure. I have been invited to Security Tech Field Day, or XFD2. This is an event hosted by Gestalt IT and brings together some tech companies, like VMware and Palo Alto, together with independent technical influencers (like me). The event I am going to is specific to security, which is my IT specialty. There are going to be some technical presentations from each of the vendors and they will be interactive. These will be recorded and anyone can watch. For further information, head over to https://techfieldday.com/event/xfd2/ to see more details. While you are there, you can look at past videos of the events. Also, tune in next week to see me in the security videos.


Management and why we need it

Management can be considered the hierarchy in a company. Everyone in a company has some form of manager. Even a CEO answers to someone. Ultimately, it is the people that purchase a company’s product that manage where that company is going because those people are the ones that deliver the sales. Without sales, the company is destined for failure.

Some people need more management than others, not that there is anything wrong with that. As we progress up the proverbial corporate ladder, there is an expectation that we need less hands-on management. For the few that make it to the C-level, management is more around reading the corporate tea leaves and steering the company accordingly.

But what does it mean to manage people correctly? A good manager will communicate with reports (in both directions) and understand how much management downward reports actually need. It is extremely important to give people some level of freedom as micro-management rarely ever works. At the same time, people need direction, and understanding how much direction is one of the keys of managing appropriately.

Respecting people is incredibly important. When management does not respect staff then they tend to not want to work as much. If there is someone that does the bare minimum of work, then that is usually a person that does not feel respected. The ones that go above and beyond are the ones that feel worthiness in their roles. They feel that their actions help the company and will want to work harder to see the company succeed. Therefore, one sign of good management is when there are valued employees that work hard and are willing to do more than their regular job duties.

How does management get to a point in which employees want to work harder? Having one-on-one conversations is a great way to hear what employees have to say. These should be on-going meetings where the employees should feel empowered to discuss the good, bad, and ugly about their jobs. Management should listen and offer constructive criticism where appropriate – never berate an employee during these meetings. Another way is to show the value of the employees. Management will need to learn what motivates each person and it is not always financial. For instance, calling out the positive actions of employees (giving kudos) can cost no money. It is an illustration that their actions are seen and respected.

People want some level of structure and this is where management needs to step in. Listen to the employees and try to understand how much structure each one needs to be given. The more senior employees will want to understand the overall direction of the company so there can be a conversation around projects that can help the success of that direction. Management should meet with the senior employees regularly to discuss their work so that it aligns with the overall direction. A horrible feeling is to spend a lot of time on a project only to be told that it does not align with the overall direction – all that work is considered worthless.

Overall, it is the work of employees that allows a company to move forward. Employees that feel valued will want to work harder. Management has a responsibility to show that employees’ work is valued. This will help a company to excel. I wrote this because of my own experiences with both good and bad management. I have left a few roles due specifically to some bad managers. If you have had any experiences that you want to share, please let me know.

Posted in Work | Tagged | Comments Off on Management and why we need it

Catalyst 9600 Inside Scoop

Not too long ago, Cisco invited me to San Jose to get an early review of some pretty cool new products. The main products they showcased were wireless related, including some new access points to coincide with a Wi-Fi 6 product launch. However, I was more interested in their new switch: the Catalyst 9606. One of my experiences was a roundtable discussion on the Catalyst 9600 with Shawn Wargo. Below is a picture I took with Shawn and the switch – the one on the left is a display model and is not for sale.

Shawn Wargo and the new Catalyst 9600

Cisco has a great modular switch with the Catalyst 6500 series, but it is now around 20 years old. I have been running this switch for a while and I can tell you it is a true workhorse. However, it is limited by internal bandwidth. With some companies using 10, 25, 40, and even 100Gb network connections, the 2Tb bandwidth limit on the 6500 becomes a bottleneck. Now, the 6500 is still orderable as there are some features (mainly for service providers) that are available on the 6500. However, as someone that works for an enterprise, I can tell you that these features are not what I am looking for.

So, what do companies do when they want a modular corporate switch that can handle those higher speed connections to the access switches? Cisco now has that answer in the new Catalyst 9600 series. This is not an upgraded 6500; it is truly a full redesign. For instance, in the 6500 each line card has processing capabilities to offload from the supervisor card. In contrast, the 9600 has three processors on the supervisor card. This means that the supervisor card is pushing the traffic, with the added bonus that the line cards are cheaper, relatively speaking. Additionally, the 9600 supervisor has an x86 processor, RAM, and an SD hard drive, so it can run a virtual machine. Theoretically, it could run a virtual Viptela SD-WAN router or support servers like an AD controller for a branch site.

The physical features of the 9600 really show the design process that went into the switch. Anyone that has installed a 6500 into a rack knows how hard the task is, partially due to the small, metal handles on each side that can dig into your hands while two (or more) people try to get it loaded into the rack. The 9600 has four beefy handles that retract into the top of the switch. The eject handles on the line cards are definitely better than the 6500 – I cannot count how many times I have pulled on the eject arms accidentally. The 9600 line cards have solid handles that have a button on the inside to initiate the ejection process. I really do not see how anyone could accidentally start the ejection process on these new line cards. Finally, the 9600 has a bunch of fans that are all located on a single fan module. This module can be installed in either direction – eject out the front or back of the chassis. You just have to move the fan backplane module to change the eject direction. If you have to replace this module, you have about 2 minutes before you start getting thermal degradation.

Above is the video of the roundtable that I mentioned previously. In this video, we discussed some of the features in the Catalyst 9600. Hopefully, it gives you some idea on why this new switch is a great one to look into. Also, you get to see me in action so let me know if I am ready for Hollywood.

Posted in Cisco | Comments Off on Catalyst 9600 Inside Scoop

MS Intune Security Migration

I have been to a few Microsoft events that highlight how to secure company data on mobile devices. For Android devices, Android for Work allows you to segment company data while allowing the phone OS to interact with the data. For iOS devices, you can access company data through applications like Outlook but can still configure those same applications to access personal data, if you wish. The best part is that when the company is done with the device (such as when employees leave and the devices go with them), the company can retire it, which removes company data while keeping personal data (pictures, notes, their Angry Birds app, etc.) intact. It all looks and sounds great during those demos at Microsoft.

The problem I found is that my deployment was not as easy as advertised. Microsoft has documentation but I found it to be lacking. So, I am going to document my configuration to help someone else get it done quickly. There are some things to know before starting. People will need to use the Microsoft approved apps for accessing company data – you can find the list at https://aka.ms/supportedmamapps. For iOS, the built-in apps cannot be used as they copy data to the device – disabling the user account would mean only new data would not be accessible, and that is not good enough. Because of this, contact sync needs to be handled by Outlook, which is a one-way sync, so any contact updates have to be handled within Outlook. One thing to note is that this breaks the security rules as contacts are copied to the local phone store; however, this needs to be done if you want to see names instead of numbers when getting a call or text. I have worked directly with Microsoft on this and could not find a way around it. Also note that the iOS device needs to be on version 12 or later, but this should already be the case as there are other security reasons to be on the latest code.

This configuration is performed in two places: Intune and Azure Conditional Access (CA). Let’s start with the CA policies as a few are needed.

Custom Configuration Policies
  • Create a new policy and give it a name – this one is for enforcing the modern authentication apps and Intune. I applied this to a specific group as not all of my users are allowed to enroll mobile devices.
    • Cloud Apps: choose Office 365 Exchange Online and Office 365 SharePoint Online – you should see notes on the bottom that this will include other apps once those are chosen.
    • Conditions: choose Android and iOS under device platforms and Modern Authentication Clients under Client Apps.
    • Access Controls: choose Grant Access and check both “Require device to be marked as compliant” and “Require approved client app.” Make sure to choose “Require all the selected controls.”
  • Create a new policy and give it a name – this one is for blocking any ActiveSync clients as these copy data to the device. Assign it to the same users. This needs to be a separate policy or it will not work as expected.
    • Cloud Apps: choose Office 365 Exchange Online.
    • Conditions: choose Android and iOS under device platforms and Exchange ActiveSync Clients under Client Apps.
    • Access Controls: Block Access.
  • Create a new policy and give it a name – this one is for blocking any other applications. Assign it to the same users. Once again, this needs to be a separate policy or it will not work as expected.
    • Cloud Apps: choose Office 365 Exchange Online and Office 365 SharePoint Online.
    • Conditions: choose Android and iOS under device platforms and Other Clients under Client Apps.
    • Access Controls: Block Access.

These have to be three different rules because Azure conditional access policies do not work well when trying to be combined. From a logical standpoint, this does not make sense to me other than to say that you need to keep your policies simple. Of course, I have a concern that too many policies will eventually cause issues but that is a different topic.
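To see why the three policies above have to stay separate, here is a small model of how Conditional Access combines them. This is an added example, not Microsoft code: it reproduces the documented evaluation rule (every policy is evaluated independently against a sign-in, and a Block from any one wins over a Grant) against constructed sign-in records; the policy and client names are placeholders standing in for the portal settings.

```python
"""Model of the three Conditional Access policies from the post.

A single CA policy has exactly one access control: Block Access, or Grant
Access with a set of required controls.  That is why blocking ActiveSync
and "other" clients while requiring compliance for modern-auth clients
takes three policies.  Sign-in data below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class SignIn:
    app: str                    # cloud app being accessed
    platform: str               # "iOS", "Android", "Windows", ...
    client: str                 # client app type seen at sign-in
    compliant: bool = False     # device marked compliant by Intune
    approved_app: bool = False  # request came from an approved client app


@dataclass
class Policy:
    name: str
    apps: set
    platforms: set
    clients: set
    block: bool = False         # Access Controls: Block Access
    require_all: tuple = ()     # grant controls; "Require all the selected controls"

    def applies(self, s: SignIn) -> bool:
        return s.app in self.apps and s.platform in self.platforms and s.client in self.clients

    def evaluate(self, s: SignIn):
        """None when out of scope, otherwise this policy's own verdict."""
        if not self.applies(s):
            return None
        if self.block:
            return "block"
        satisfied = {"compliantDevice": s.compliant, "approvedApplication": s.approved_app}
        return "grant" if all(satisfied[c] for c in self.require_all) else "block"


EXO, SPO = "Exchange Online", "SharePoint Online"
MOBILE = {"iOS", "Android"}
POLICIES = [
    Policy("Modern auth: compliant device + approved app", {EXO, SPO}, MOBILE,
           {"modernAuth"}, require_all=("compliantDevice", "approvedApplication")),
    Policy("Block Exchange ActiveSync clients", {EXO}, MOBILE, {"exchangeActiveSync"}, block=True),
    Policy("Block other clients", {EXO, SPO}, MOBILE, {"other"}, block=True),
]


def decide(signin: SignIn, policies=POLICIES) -> str:
    """A sign-in is granted only if no applicable policy blocks it."""
    verdicts = [p.evaluate(signin) for p in policies]
    return "block" if "block" in verdicts else "grant"
```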

Let’s move on to the Intune configuration. I am going to assume that you already have the basic configuration completed and can register your mobile devices as that would take up too much space. The first configuration policy needed is for the device restrictions.

iOS Device Configuration Policies
  • Create a Device Restrictions policy for Android Enterprise. Give it a name and assign it to the same users as before.
    • Work Profile Settings: Block copy and paste between work and personal profiles. Under Data Sharing Between Work and Personal Profiles, choose Apps in work profile can handle sharing requests from personal profile.
    • Device Password: these settings should coincide with your company’s configuration. My preference is to use a minimum 6 character password and 10 failed attempts before wiping devices.
  • Create a Device Restrictions policy for iOS devices. Give it a name and assign it to the same users as before.
    • Password: these settings should match the Android Enterprise one you just created. However, there are some extra settings so take a look.
    • App Store, Doc Viewing, Gaming: set Viewing corporate documents in unmanaged apps to Block.
    • Cloud and Storage: set Managed Apps Sync to Cloud to Block.
  • Create a Custom policy for iOS. Give it a name and assign it to the same users as before.
    • You will need to create an Intune Custom Profile Settings XML file to upload to this policy. See below on how to do this.

Refer to https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Use-Intune-custom-profile-settings-with-the-iOS/ba-p/298453 on how to create the Profile Settings XML. Here is a picture of mine – notice the highlighted line where you should enter the company name.

Custom Configuration XML

Make sure you have your compliance policies setup. I am not including this configuration as it is part of the basic setup. There are still a couple of items left. First is the App Protection Policy that you can find under Client Apps.

  • Create a policy for Android and name it. Target all app types and assign to the same users as before.
    • Target Apps: Check all the apps your company uses. If you are unsure then check the app – better to be safe than sorry.
    • Properties
      • Data Protection: Block Backup Org Data to Android Backup Services. Choose Policy Managed Apps for Send Org Data to other apps. Choose All Apps for Receive Data from other apps (unless you want to block this). Block Save Copies of Org Data. Choose Policy managed apps with paste in for Restrict Cut, Copy and Paste between apps. Disable Screen capture and Google Assistant. Require Encrypt Org Data and Encrypt Org Data on Enrolled Devices. Enable App Sync with Native Contact App. Set any other settings that you like.
      • Conditional Launch: Block access to Jailbroken Devices. Set the minimum OS version to 8.0 (or later if preferred). Change your offline grace period if you like.
  • Create a policy for iOS and name it. Target all app types and assign to the same users as before.
    • Target Apps: Check all the apps your company uses. If you are unsure then check the app – better to be safe than sorry.
    • Properties
      • Data Protection: Block Backup Org Data to iTunes and iCloud Backup. Choose Policy Managed Apps with OS sharing for Send Org Data to other apps. Choose All Apps for Receive Data from other apps (unless you want to block this). Block Save Copies of Org Data. Choose Policy managed apps with paste in for Restrict Cut, Copy and Paste between apps. Require Encrypt Org Data. Enable Sync App with Native Contacts App. Set any other settings that you like.
      • Conditional Launch: Block access to Jailbroken Devices. Set the minimum OS version to 12.0 (or later if preferred). Change your offline grace period if you like.

The last thing you will need is an Application Configuration Policy. Assign this to the same users as before and target the Outlook application. Make the following settings under Configuration. Spelling is key for these entries, so feel free to copy from this table (note: a couple of lines wrapped here, but they should not in your configuration):

Name                                             Value
IntuneMAMUPN                                     {{UserPrincipalName}}
IntuneMAMAllowedAccountsOnly                     Enabled
com.microsoft.intune.mam.AllowedAccountUPNs      {{userprincipalname}}
com.microsoft.outlook.ContactSync.AddressAllowed True
com.microsoft.outlook.ContactSync.EmailAllowed   False

Now, go ahead and enroll devices. Use the Microsoft apps so your users can access company data while you feel a little more secure that the same data is secured better.

Posted in Microsoft | Comments Off on MS Intune Security Migration

Daylight Saving Time (DST) in 2019

It has been a couple of weeks since we sprung forward in time. On March 10, 2019, we “lost” one hour of sleep because at 2:00am on that day we moved our clocks forward 1 hour – it suddenly became 3:00am. This was the start of Daylight Saving Time (DST) for 2019.

Why do we have Daylight Saving Time? I have heard different reasons for this. The one story that stands out the most is that it was an attempt to “shift” time so that there would be less need for gas during the first World War. By shifting time towards daylight, there would be less need for artificial light. This first happened in Germany but it followed quickly in other countries. The US started using DST only a couple of years after Germany. The second story I heard is that Ben Franklin suggested it as a way to get more daylight for farming but there is no real history of the use of DST prior to the first World War.

Less than a year after it was introduced here in the US, it was repealed. Some cities continued to use it but the official US policy was that it was no longer in use. During World War II, DST was re-introduced for the same reason as before – to shift time so there would be less need for artificial light. But there were no established rules around the use of DST. This changed later under the Uniform Time Act of 1966. It established a framework for DST with a uniform, synchronized schedule across the US. It set the last Sunday of April as the start of DST and the last Sunday of October as the end. More recently, the US passed the Energy Policy Act of 2005. This moved the start time up three weeks and the end time back one week.

While I was not around for most of the history of DST, I was working in IT during this last change to DST from the Energy Policy Act. While this Act seemed simple, it added a lot of work to implement on systems. Any new system tended to just need a patch installed to make that change. But the older systems had to have code created to make the change. For instance, at that time I still had some NT 4.0 servers – we were trying hard to get rid of them but most IT people understand that it takes time to do so. Of course, Microsoft was no longer supporting that operating system by then. When we asked Microsoft, they offered to write the code change for us for a very large fee – it started at $40k but went down to $10k. Personally, I found this to be outrageous so I created my own change. It worked but still had to be installed manually on all the NT 4.0 servers.
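The rule change is small to state but is exactly the kind of logic that had to be patched into every system. Here, as an added example (not code from the post), are both rules as date computations; the post gives the 2005 change as "three weeks earlier, one week later", which in the statute is the second Sunday in March and the first Sunday in November, and the function below assumes that wording.

```python
"""US DST transition dates under the 1966 rule and the 2005 Act rule.

Added example.  The 2005 Act's dates (second Sunday in March, first Sunday
in November, effective 2007) are assumed from the statute; the post itself
only states the offsets from the 1966 rule.
"""
import calendar
from datetime import date, timedelta

SUNDAY = 6  # date.weekday(): Monday == 0 ... Sunday == 6


def nth_sunday(year: int, month: int, n: int) -> date:
    """The n-th Sunday of the given month."""
    first = date(year, month, 1)
    offset = (SUNDAY - first.weekday()) % 7
    return first + timedelta(days=offset + 7 * (n - 1))


def last_sunday(year: int, month: int) -> date:
    """The last Sunday of the given month."""
    last_day = date(year, month, calendar.monthrange(year, month)[1])
    return last_day - timedelta(days=(last_day.weekday() - SUNDAY) % 7)


def dst_window(year: int, rule: str = "2007"):
    """(start, end) of DST for the year under the named rule set."""
    if rule == "1966":   # Uniform Time Act: last Sunday in April .. last Sunday in October
        return last_sunday(year, 4), last_sunday(year, 10)
    if rule == "2007":   # Energy Policy Act of 2005, in force from 2007
        return nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)
    raise ValueError(f"unknown rule set: {rule}")


def days_wrong_on_unpatched_system(year: int) -> int:
    """Days an unpatched (1966-rule) system shows the wrong offset: the days
    that are inside the new DST window but outside the old one."""
    old_start, old_end = dst_window(year, "1966")
    new_start, new_end = dst_window(year, "2007")
    return (old_start - new_start).days + (new_end - old_end).days
```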

So, why did I write about this history? The week after the start of DST this year (especially on Monday), I heard a lot of opinions asking why we are still changing time. The recommendation from a lot of people was to just stay with the DST time year round. One thing I found in common with most of the people that had this opinion was that they did not like losing that hour of sleep. However, this is not a good reason to change time.

Personally, I say do not make any changes to DST and here are my reasons. For starters, the same people that were complaining about losing that hour of sleep have already recovered and probably have forgotten their opinion. Secondly, I remember the work I had to do last time DST was changed and I really do not want to go through it again. However, my biggest reason is the domino effect from switching to DST time year round. It would start in the US and have to work its way around the world as the US only governs time for itself. Plus, places like Arizona would either need to change or remain aligned with another time zone.

It would be easiest to just leave time alone and deal with the short time of losing that one hour. Agree with me? Let me know. Think I am absolutely wrong? Go ahead and tell me why. 

Posted in Patching, Time | Tagged , , | Comments Off on Daylight Saving Time (DST) in 2019