Essential Technology: A GCS Blog

A Blog About Business Technology Systems

About GCS

GCS Technologies provides technology services and solutions. You can read more about GCS at http://www.gcsaustin.com. GCS is available for project work covering the topics in this blog and other IT systems.

Fed Compliance

I know all of this stuff because I sell all of this stuff. I call it real-world experience, the FCC thinks it might be a conflict-of-interest.

Why buy a SAN?

by Marquis Calmes 16. October 2009 22:32

Joe has been posting a nice buyer’s guide about the features available on various SAN storage products. But it doesn’t really address the question of why move from direct attached storage (DAS) to a SAN. What benefits does a SAN bring to an organization?

To answer the question, we have to look at how storage is purchased and provisioned without SAN based storage.

Say you have an older File Server which currently has 500GB of data but can’t take any more drives. Performance is fine, but you decide you need to upgrade to a new server to add more capacity. You want the new server to have room to grow, so you spec out and order a server with 1TB of disk space. You also have a Mail Server. It’s a pretty new server, but you recently merged with another company and the mail store size doubled overnight. It needs storage and fast, but not a lot, as you don’t anticipate the mail store growing so quickly in the future. You have 500GB of storage sitting on the new File Server, but you can’t use any of it to host the mail store. So you order an external tray with just a couple of drives and still end up with more storage than you need.

Ten months later you look and see that file server data is growing rapidly and the free space is already gone. You have an external tray attached to the mail server, but you can’t attach it to both servers. So you have to purchase a separate tray for the file server.

This example is oversimplified, but it highlights three problems of direct attached storage:

·         Poor scalability

·         Poor Utilization

·         Silos of storage

Poor Scalability

It is not uncommon for an entire server to be replaced just to increase capacity. Not only is this expensive, but if the old server was performing fine you are buying additional resources (processing power and RAM) that you don’t really need. Adding external trays allows you to add large chunks of capacity, but what if you only need a bit more space?

Poor Utilization

Data growth is dynamic, which makes calculating your future needs difficult. The lack of flexibility in DAS discussed above, and the fact that adding capacity frequently involves downtime or a complete server migration, leads organizations to buy much more storage upfront than they need. The result is servers with considerable amounts of unused storage.

Silos of storage

Because of the two problems above you end up with servers with spare capacity, but it is unavailable if another server needs it. You have storage you’ve paid for but can’t use. Organizations respond in two ways: they either accept this inefficiency or start adding multiple services to servers that have space, even if it violates best practices. An example would be adding high usage file shares to your mail server.

How a SAN helps

A properly designed and deployed SAN addresses each of these problems. SAN based storage is scalable, flexible, and allows storage to be shared between servers. The end result can be better storage utilization, meaning you only buy the storage you need and can easily add more as needed. SAN based storage is also a critical element that enables organizations to effectively utilize advanced technologies like clustering and virtualization.

Hopefully you now understand the benefits of SAN based storage and have decided it’s time to add it to your organization.  As you can tell by the number of features Joe has in his buying guide, there are many more options and decisions to make. Like any new technology deployment, good guidance can mean the difference between a successful deployment and failure. In future posts I’ll break down:

·         What is a SAN? Or more accurately what components make up a SAN?

·         How should a SAN be used and how should it not be used? There are many ways to deploy a SAN that can limit its utility and make it seem more expensive and troublesome than it is worth.

 


Is Antivirus Software Good Enough or is it a Broken Model? (Part Two)

by Marquis Calmes 25. September 2009 06:30

In my last posting I promised to explain the concept of Application Whitelisting. But before we get to that there is another reactive aspect of computer security I failed to mention...software vulnerabilities.

Viruses and malware don't just take advantage of trusting users to infect systems. Frequently these programs exploit vulnerabilities in your computer's operating system and applications. And once a system is infected, other vulnerabilities can be used to spread the infection on your network.

Security researchers work tirelessly to find these flaws and alert the software makers before the bad guys figure out how to use them. But even if a flaw is discovered and disclosed before an exploit is developed, it takes time for the software vendors to build patches to fix the problem. A patch does not help until it is actually applied, which falls on users and IT shops. Even the best IT shops struggle to keep their systems patched. It is a never-ending battle, and as this reactive cycle plays out, your computers are left vulnerable.

As the number of bad programs grows, the reactive process of detecting, processing and tracking them becomes more inefficient. So what is an organization to do? Application whitelisting is a change of approach in computer security from the ways of antivirus.  Instead of trying to figure out all the programs in existence you don't want to run on your computer, you specify what programs you DO want to run.  And more advanced whitelisting applications can go a step further and prevent the programs you allow to run from doing things they aren't supposed to when a vulnerability is exploited.

There are many different approaches to tracking what software is approved.

·     Simple whitelisting programs use the file name and/or path to determine if a program is allowed to run. These systems can be bypassed by changing the name of a file or moving it to a different directory.

·     A more advanced method is to use a hash of the file, a string of characters generated by processing the file through a mathematical algorithm. If even a single bit of the file is changed the hash will no longer match. The problem with this method is that if a program is updated the hash must also be updated. 

·     More reputable software vendors now "sign" their programs with digital certificates very similar to those used to secure web pages.  This allows you to verify that the program was actually released by that company. Instead of using one of the above methods to approve of software, you can tell your whitelisting software to approve of any program signed by a particular vendor’s certificate.  Unfortunately not all code is signed.

Frequently a combination of the above methods is required to build a whitelist. Once a whitelist has been created and applied to a computer, any program not specifically listed will be prevented from executing. This should prevent any malware from running, but if not done correctly it can also prevent legitimate software from running. The ability to manage a whitelist is almost as important as the ability to enforce it.
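The path and hash methods above, evaluated side by side in an added Python example that is not from the original post or any whitelisting product. The `Whitelist` class, the file names and the file contents are constructed for illustration, and certificate-based rules are not modelled.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def canonical(path):
    """Resolve symlinks and case so the same file always maps to one rule key."""
    return os.path.normcase(os.path.realpath(path))


class Whitelist:
    """Hypothetical approval list holding both a path rule and a hash rule."""

    def __init__(self):
        self.paths = set()
        self.hashes = set()

    def approve(self, path):
        self.paths.add(canonical(path))
        self.hashes.add(sha256_file(path))

    def evaluate(self, path):
        # Report each rule separately so the difference between them is visible.
        return {
            "path_rule": canonical(path) in self.paths,
            "hash_rule": sha256_file(path) in self.hashes,
        }


def write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def run_demo():
    """Walk one approved file through the cases the post describes."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        tool = os.path.join(d, "tool.bin")
        write(tool, b"constructed sample: approved build 1.0")
        wl = Whitelist()
        wl.approve(tool)
        results["unchanged"] = wl.evaluate(tool)

        # Same bytes under a new name: the path rule no longer recognises it.
        copy = os.path.join(d, "renamed.bin")
        shutil.copyfile(tool, copy)
        results["approved_copy_elsewhere"] = wl.evaluate(copy)

        # Different bytes at the approved path: only the hash rule notices.
        write(tool, b"constructed sample: different content")
        results["replaced_in_place"] = wl.evaluate(tool)

        # A legitimate update also changes the hash until it is re-approved.
        write(tool, b"constructed sample: approved build 1.1")
        results["after_update"] = wl.evaluate(tool)
        wl.approve(tool)
        results["after_reapproval"] = wl.evaluate(tool)
    return results


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:26} {verdict}")
```

The replaced file and the vendor update get the same verdict from the hash rule, so telling them apart is a list-management task rather than something the rule can do on its own.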

In the next post on this subject I’ll introduce a couple application whitelisting products and explore the differences in how they work.


Is Antivirus Software Good Enough or is it a Broken Model?

by Marquis Calmes 22. September 2009 02:32

Running antivirus has become standard practice on home computers and corporate desktops alike. It is required by a number of security certifications and most IT security policies. Yet I’m willing to bet that almost every company has still seen an increase in the number of computers infected with some form of malware. And cleaning up the havoc malware wreaks is becoming more and more difficult. It would seem antivirus is letting us down when we need it most. This is backed up by recent research that shows that of 10,000 computers infected with a common Trojan virus, 55% were running fully updated, fully functional AV software.

So, if you are running antivirus why doesn’t that protect your computer?  In my view the problem with antivirus is that it is far too reactive and not proactive.  To explain, let’s look at how antivirus works:

·         Antivirus companies scour the internet looking for new malware. The problem with this is that some poor soul is already infected at this point.

·         The antivirus company then has to build a signature of this particular malware. This takes time during which your computer is potentially vulnerable.

·         The signature is then packaged and pushed out to the antivirus client. While this is a proactive action, any IT admin will tell you that keeping AV signatures up to date is a hassle with the best products out there.

·         Now your computer thinks it knows what to look for. The problem is that if the malware is modified, the signature can become worthless and the process has to react again.

·         Even if you have the right signature, many AV products won’t find an infected file until they perform a scan of your computer. The product then tries to quarantine and clean the infection. Again, this is reactive. Real-time scanning might catch some malware before it lands on your computer, but if this method is reliable then why do AV companies still advise full scans on a regular basis?

There was a time when user education could do as much to prevent an infection as the best antivirus. But when high profile, trusted sites become compromised, and drive-by downloads can infect your computer without any user interaction, the ability of end-users to protect themselves diminishes greatly.

So, what is the solution? Home users will probably just have to hope for improved antivirus products and fewer vulnerabilities in their software. But for businesses, the pain and expense of dealing with malware infection has made the concept of Application Whitelisting an attractive way to keep computers clean. In my next post I’ll explain exactly what this is and talk about a few of the options out there.


Microsoft System Center in Small Environments (Part Two) – The Server Management Suite License

by Marquis Calmes 11. September 2009 07:57

Back in August, I introduced the various components of the System Center family. I also pointed out that the cost of licensing each product, or even licensing a single product for multiple virtual machines, would be prohibitive for most smaller organizations. However, Microsoft has responded with the System Center Management Suite license, which includes the licenses to manage multiple virtual machines using the full System Center family for a far more approachable price. Here is what is included:

·         A license to run the Virtual Machine Manager server.

·         Management license for:

o   Data Protection Manager (DPM)

o   Operations Manager

o   Configuration Manager

o   Virtual Machine Manager (VMM)

This license is sold in two flavors:

·         The Enterprise flavor is licensed per physical server and allows you to manage 4 virtualized operating systems on that server. 

·         The Datacenter flavor is licensed per CPU (a minimum of 2 processors) but allows you to manage an UNLIMITED number of virtualized operating systems on a physical server.  When licensed for two CPU’s the Datacenter license is only about 25% more than Enterprise, and most likely if you have more than 4 VM’s you’ll have two CPU’s and will save money by going with the Datacenter edition.

But for small environments the biggest value of the license comes when using DPM for backup. To explain the benefit, let’s use a small virtual environment example.

We have a Hyper-V server with 4 virtual machines:

·          A domain controller/file server

·         An Exchange 2007 server

·         A SQL server

·         A SharePoint server

The DPM protection agent also comes in two flavors:

·         Standard Data Protection which allows you to perform basic file level protection of a server.

·         Enterprise Data Protection which is required to provide protection for advanced applications like Exchange, SQL, SharePoint and Hyper-V

One of the benefits that drove this small organization was the ability to back up an entire virtual machine, which means we would need an enterprise DPM license for the Hyper-V server. When a Hyper-V server is protected with the enterprise license you are also permitted to deploy a standard DPM license inside any of its virtual machines. This allows us to back up the domain controller and file server, but the other servers would each require their own Enterprise protection license. So we would need 4 enterprise licenses. Similarly, to properly protect all these servers with alternate backup products would require a special Hyper-V agent, SQL Agent, SharePoint Agent and Exchange Agent.

But, if this company was to purchase the Enterprise Server Management Suite they would be entitled to all the Enterprise DPM licenses they needed. And because of the new pricing, they would pay less.  Just 3 enterprise DPM licenses would cost more than the enterprise suite license. And on top of that you get management licenses for all the other System Center products.

There are two gotchas with this management suite:

·         The only System Center Server license included is the VMM server license. So you still need to purchase the server licenses for DPM, Operations Manager and Configuration Manager to take advantage of the management licenses included in the suite.

·         Despite all being part of the same product family, the System Center server products cannot all run on the same server. Only VMM and DPM can coexist.

Because of these limitations it is likely that smaller environments will only take advantage of the VMM and DPM components of the suite, but it still offers a compelling value to consider.


SonicWALL's New TZ Series

by Marquis Calmes 27. August 2009 04:45

SonicWALL has recently refreshed its successful TZ line of network security devices, aka firewalls, for the small office market segment. For those unfamiliar with SonicWALL's network security devices, the term firewall is a misnomer. Beyond simple packet inspection and port forwarding, these devices are capable of performing realtime anti-virus, anti-spyware and intrusion protection, which SonicWALL refers to as Unified Threat Management or UTM.

The new generation is made up of three devices: the TZ100, TZ200 and TZ210.  Despite the numerical decrease the entry level TZ100 is a step up from the TZ180 and TZ190, capable of over two times more UTM processing throughput.  Beyond performance improvements the new generation is now capable of:

  • SSL VPN remote access (more on SSL VPNs in a future post)
  • WAN (or Internet Access) and VPN failover standard. (Note: The 5.5 firmware release will support up to 4 WAN connections)
  • Hardware failover (TZ200 and TZ210 only)
  • Support for 3G mobile broadband USB modems as either the primary or a backup internet connection. (TZ200 and TZ210 only)
  • Also, TZ210 offers an application firewall capable of blocking or throttling specific types of network traffic over allowed protocols. For instance, limiting the bandwidth that can be used to view YouTube.

In addition to the functional improvements, SonicWALL has made significant changes to how these devices are sold.

  • First, SonicWALL no longer uses licensing to restrict the number of nodes that can pass through the device. All devices will allow an unlimited number of nodes. However, that doesn't mean these devices can actually support an unlimited number of users; they still need to be appropriately sized for the environment. But this is a great change, as the previous version would start to block internet access if the number of nodes exceeded the license, such as when guest laptops were using the network.
  • Second, the Enhanced SonicOS firmware is now standard in all devices. The "standard" SonicOS, which had limited functionality, has been eliminated.

Both of these changes greatly simplify the purchasing process and reduce the need for a customer to add licenses to fully utilize the device. Still, some features such as Gateway Anti-Virus and Anti-Spyware still require subscriptions that must be renewed.

Like the TZ180 all the new models are available with or without built-in wireless. However, the wireless versions of these devices support the new wireless N standard capable of up to 300MB/s of wireless traffic, nearly 6 times the throughput of the wireless G standard.  Or instead of purchasing the integrated wireless, the new TZ series also support centrally managing between 1 (TZ100) and 16 (TZ210) SonicPoint wireless access points.  When combined with power over ethernet, SonicPoint wireless access points can be easily placed in the optimal location based on the layout of your office, rather than being forced to place it in the server closet because it's integrated into your firewall.

Finally, another new feature in the TZ series is called Comprehensive Anti-Spam Service (CAS). CAS is designed to be a hybrid between device and cloud based spam filtering, and is positioned to be an alternative to Postini, MXlogic and Microsoft's cloud email filtering services. Basically, when CAS is enabled and the TZ device receives an email through SMTP, it sends the message up to SonicWALL's spam engine "cloud", which performs the spam analysis with the latest possible signatures and then forwards the good messages back down to the TZ. The TZ then sends the message to the email server for final delivery. This process offloads the spam analysis processing from the device and doesn't require storing and updating signatures on the TZ. While I find this to be an interesting new service, it doesn't provide all the features provided by the other cloud filtering services. For instance, because the other cloud filtering vendors are the initial point of contact for all external emails, they can queue up messages if your email server is down. CAS is also inbound only for the TZ devices, which means your IP address could still be blacklisted. Still, this is a promising new feature and it will be interesting to see where SonicWALL takes it as it develops further.


Compelling New Features in Exchange 2010

by Marquis Calmes 24. August 2009 19:13

Last week Microsoft published the first release candidate of the new Exchange Server 2010. This is one of the final milestones in the roadmap for final release early next year. As with any new update, the biggest question is what is in the upgrade that makes the expense and hassle of an upgrade worthwhile. This is especially true for users that have recently upgraded to Exchange 2007. I’m pleased to say that while there are numerous improvements in Exchange 2010, there are several that stand out and make a compelling argument for upgrade.

At the top of the list are the improvements made for high availability.  Exchange 2007 offered a number of different high availability (HA) options (SCR, CCR, and SCC).  Standby Continuous Replication offered relatively inexpensive DR functionality for Exchange, but failover was a manual process. CCR, or Cluster Continuous Replication, and SCC, or Single Copy Cluster, allowed for automatic failover within a single site but required installing only the mailbox role inside the cluster. This meant a minimum of three Exchange licenses to achieve high availability, four if you wanted redundancy for the other Exchange roles. In addition to that expense, the configuration was a very manual process that required a great deal of time.

In Exchange 2010, Microsoft has eliminated many of the prior HA configurations in favor of a new concept called database availability groups (DAG). DAG allows for a fully redundant configuration with onsite or offsite replication. Microsoft has changed the architecture of Exchange so that the mailbox database is no longer tied to a specific server. DAG permits a mailbox database to be replicated to up to 16 different servers. What’s more, the configuration has been highly simplified and can be fully managed from the Exchange Management Console. You can even configure a single server for DAG and then add a second server at a later date without reconfiguring.

In addition to DAG, Microsoft has improved the consistency of mail delivery with the concept of Shadow Redundancy. Where DAG applies to the availability of mailbox databases, Shadow Redundancy provides redundancy for messages during the transportation process. Basically each server in the transportation process holds onto a copy of a message until it receives confirmation that the message was received by the next “hop” in the process. If confirmation isn’t received, the message can be resubmitted to the next server or an alternate server if one is available. Unfortunately, Shadow Redundancy can only be used up to the point the mail is forwarded to a server that doesn’t support this functionality. But it is a big step forward in ensuring consistent mail delivery within the Exchange routing environment.

Aside from high availability, there are numerous other improvements built into Exchange 2010. Some highlights include optimization for handling large individual mailboxes (10GB and larger), further improvements to Outlook Web Access (now known as Outlook Lite), and new message archiving and compliance functionality out of the box. These are valuable improvements that I’ll expand on at a later date. But because email has become a mission-critical application in organizations large and small, these improvements to increase the uptime of Exchange are by far the most compelling.

 


Clustered SAN Solution Comparison: LeftHand vs EqualLogic

by Marquis Calmes 5. August 2009 19:59

When small and midsize businesses find the need to invest in a storage area network solution they are faced with lots of options.  The modular, clustered, iSCSI SAN products offered by EqualLogic (Dell) and LeftHand (HP) have become highly attractive solutions for organizations moving into virtualization that need robust solutions with integrated replication.  But, these are complicated solutions and gathering information to compare these offerings can be a challenge.

The Info Tech research group has posted a great PDF (registration required to view) comparing these two product lines and explaining what makes clustered SANs different from the more traditional model. For even more information, check out the blog equallogicversuslefthand.blogspot.com.

 


Microsoft System Center in Small Environments (Part One)

by Marquis Calmes 4. August 2009 08:54

Microsoft has long offered a number of system management products. Recently these products have been grouped into the System Center family of products.   The founding members of the family were SCOM and SCCM.

·         System Center Operations Manager (SCOM) is a highly extensible monitoring system. Because of its expandability SCOM can be configured to monitor an entire environment from network and server hardware to detailed monitoring of applications.

·         System Center Configuration Manager (SCCM), formerly known as SMS, is a powerful system management product capable of end-to-end management of both servers and clients.

Historically these products have been targeted at medium to large environments. While smaller environments could benefit from the enhanced management capabilities, they could rarely justify dedicating servers to host these products or the cost of the server software. However, newer additions to the System Center family combined with virtualization have altered the playing field to a point that smaller environments should re-evaluate the potential of System Center.

Virtualization is probably the biggest game changer for the small environment. On the one hand virtualization gives smaller environments the flexibility to host additional isolated servers, like system center servers, without requiring additional expensive hardware.  The downside to this freedom is the increase in the number of systems that need to be managed.  If virtualization is added to a small environment without additional systems management capabilities the potential for problems and poorly designed environments increases drastically.

Data Protection Manager (DPM) and Virtual Machine Manager (VMM) are the newer members of the System Center family.

·         DPM is Microsoft’s foray into the backup software market. More than just another multipurpose backup solution, DPM is designed by Microsoft specifically to backup Microsoft systems and applications using the new concept of continuous data protection.

·         VMM allows IT professionals enhanced management capabilities and centralized management of virtualized environments large and small. VMM can be combined with SCOM for even more functionality to ensure optimal placement of virtual workloads.

As smaller environments begin to build virtualized infrastructures, DPM and VMM can become powerful, indispensable tools. But the cost of licensing these products individually would seem to keep them out of reach for these environments. Microsoft has released a new license called System Center Server Management Suite that addresses this issue, puts System Center within reach of small environments, and will be the focus of the next post in this series.

