More critical issues to consider when choosing browser based tools or applications

Browser based applications seem like a good idea. You deploy a server with an application and users simply use a web browser to access it. No installation, patching, or maintenance of the end user’s workstation is required. What could be simpler?

As I wrote previously, this isn’t entirely true. On my Windows machines, it is common for me to have apps that require different versions of Internet Explorer or Firefox. It is hard to manage PCs when one application requires IE9 and another requires IE10. Some work on Firefox but only on newer versions, while others won’t work with anything newer than something released two years ago.

Sadly, it is still the big names in the business causing most of this havoc.

I recently discovered that the transition from Windows 7 to Ubuntu Linux was easier than the transition from Windows 7 to Windows 8. I still believe that but I ran into new complications.

Adobe Flash is no longer supported under Linux. Java is no longer supported in Chrome on Linux and OS-X. Imagine what that will do to your management capabilities! The vSphere 5.5 web client requires a new version of Flash and thus cannot be managed via Linux. Most of my Dell servers have management cards requiring Java. They are difficult to manage under Linux. I don’t even want to talk about the complexities of using a browser to manage my Cisco gear. Put simply, Linux is awesome but incompatible with many of the web applications available today.

It’s getting so complicated I am tempted to run a bunch of terminal or Citrix servers with specific browser versions so that when a user launches an app, I can launch it in the correct browser and version. What a pain.

If you are a web developer, I beg you, please do not write code that requires a specific browser or version of Java, Flash, etc. The overlapping requirements quickly combine to make it impossible to use every web application we have from a single machine. This is a real problem.

In theory, HTML 5 will save the day but I suspect it will take a decade for people to convert legacy applications to it and by then something else will be the new thing which breaks our applications.

Think carefully about using browser based applications. If you have more than two, you may have to have multiple machines just to be able to use them.

Is Linux or Windows 8 easier to use?

I have been using the original Surface as my laptop since it was released. To my surprise it has worked out very well. All of my applications, including odd ones like NMAP, work great. The only thing I dislike is the lack of ports. One USB port makes working with external devices a pain. I have purchased USB adapters so I can connect to devices via serial ports. The one thing I have not purchased and that kills me is a USB to Ethernet cable. There are times I cannot be plugged into a docking station and need an Ethernet port. All things considered though, the Surface is a great laptop.

The one thing I still struggle with is Windows 8. (Yes, I updated to Windows 8.1 but it is still a pain to work with.) I open a PDF and it goes into tiles mode. Switching between the desktop and tiles is an insane design at best. Running on the desktop only seems like trying to avoid the inevitable. I have really tried to get comfortable with Windows 8 but the UI is just bad. It is by far the worst UI ever designed simply because you are basically using two operating systems at once.

I needed a laptop with a bunch of ports so I took an abandoned Windows 8 laptop and loaded Ubuntu Linux. (It was harder to delete Windows than it was to load Linux.) To my great surprise the load went well. The laptop had a touch screen which Ubuntu detected. Everything just worked. Installing software and hardening the OS was simple for an IT guy. What amazed me though was the interface.

When I use Linux, I typically don’t even load the GUI. What can I say, I love text only CLI interfaces on Linux. (I hate the Cisco CLI though.) This was the first time I loaded a GUI on Linux in years. Frankly, the GUI was stunning.

In all fairness, the Windows 7 interface is probably easier to use because it is about the same as every other version of Windows going back to 98. I realized that the change from Windows 7 to Ubuntu was minimal while the change from Windows 7 to Windows 8 was gut wrenching.

I am considering doing some A/B testing with users. I believe that if I were to have one group use Ubuntu and another use Windows 8 I would find the Ubuntu crowd more efficient. I might concede that they would be equally proficient but for the cost savings Linux would bring, why not use Linux?

I won’t inflict anything on end users that I won’t inflict on myself. I decided to go rogue and use Ubuntu as my only work laptop.

  • Email: Evolution seems to be a fine Outlook replacement. It does everything I need. I don’t know if it will work with Office 365 or newer versions of Exchange though. If it doesn’t work, I can live with email on my phone and OWA.
  • Web Browsing: Everything but Internet Explorer. If you have to have IE, Linux won’t work.
  • JAVA: I have yet to get websites that use JAVA to work on Chrome. I will eventually but that seems to be a pain. (Hints are welcome.)
  • Security Tools: NMAP, Wireshark, and all my other favorite tools work better on Ubuntu than Windows. I run these on Linux anyway.
  • Visio: I love Visio but DIA seems to work well enough for me to diagram everything I need to diagram.
  • Office: LibreOffice does everything I need. I have yet to try to load a bunch of my Office docs in Linux but I suspect they will work. If not, I am willing to convert them all over time. I don’t use Office much anyway. I would prefer to use the web apps in either Office 365 or Google Apps anyway.
  • RDP: Yep, I can remote control all my servers.
  • Putty: I can remote control everything else.
  • Printing: Paper is dead. I never print. I’ll have to test it at some point though.
  • Patching: We use Dell’s KACE system for patching. It works on some flavors of Linux. I still need to test this. If it doesn’t work, I can use the built in patching engine to keep everything updated.
  • Encryption: You can encrypt the hard drive during installation making laptop theft less of an issue. Password management might be a pain but so is data loss.

I don’t know if I would throw Ubuntu into production but if Windows 9 isn’t significantly easier to use, it may be hard to justify the cost of Windows anymore.

Are you listening Microsoft?

One critical issue to consider before using a cloud or browser based application

I used to believe that browser based applications would significantly reduce the time and effort required to deploy and manage applications. I am almost ready to ask my vendors for a fat client, meaning one I have to install on every PC.

The ugly truth

I have been dealing with two products from Oracle. The first is JD Edwards and the Second is Hyperion Financial Management. They are both browser based meaning I don’t need to install any applications on the end user PCs. I just send them a link and they can use the application … except that they can’t.

Today is June 18th, 2014. Internet Explorer 11, Firefox 30, and Windows 8.1 are the most current versions available today. (Firefox ESR 24 is available as well.)

Here are the browsers supported by Oracle for one of the products:

Oracle Supported Browser Versions

You may have noticed Internet Explorer and Firefox are the only two browsers supported. You will also notice that Firefox won’t work without an add-on and even then won’t work in every module. So, to use this product, I have to use Internet Explorer 9 or earlier.

I also have PCs running Windows XP, 7, 8, & 8.1. A little research shows that I am in trouble.

Windows and IE versions

  • Windows XP: IE 8 is supported! Maybe I’m glad I waited to upgrade?
  • Windows 7: IE 8 was installed out of the box but most users upgraded to IE 10. I will have to downgrade them all back to IE 9.
  • Windows 8 & 8.1: Can’t run anything less than IE 10. No Oracle products for you!

It gets worse! Major version upgrades are now automatic.

Starting with IE 10, the browser will automatically upgrade major versions when they are released. So IE 10 users will automatically move to IE 11, 12, 13, etc. You can disable the feature through group policy but you also have to prevent the user from installing newer versions themselves. I am not against automatic browser upgrades but in this case it will break my business critical applications.

It gets worse! Not all products have the same requirements.

This is only one of the systems I manage that has draconian browser requirements. Other Oracle applications have different browser requirements. Some won’t run on older browsers while others won’t run on newer ones. It is getting difficult to keep everyone on a browser version that will work. It would be less complicated to push out a client application than to manage this nightmare.

Shame on Oracle … and everyone else.

If you are going to write a web based application, keep it up to date. You are essentially writing an application that shares the same “display application” as other applications and staying years behind the update curve causes problems for everyone. I understand this means we might have to upgrade the Oracle applications themselves but that isn’t even an option right now. Keep current or write your own client. That should be a law.

Cloud applications tend to be the opposite.

Most cloud applications are browser based. The difference is, they are updating their application all the time. Most cloud applications like Salesforce, Office 365, or Dropbox support the current and one older browser version. Older than that and they won’t promise their application will work. I would much rather work at keeping my system up to date than keeping them years behind. They also tend to work with many browsers which makes life better.

So, browser based applications are NOT the solution I had hoped for. I would spend less time supporting them if I simply had to install an application.

IT Security Tip: When not to be helpful

If you manage IT and have a phone you probably get dozens of calls a day from sales people and researchers. Most of them are very good at keeping you on the phone. They have all learned a technique that is designed to keep us on the phone.

It is in our nature to want to help people.

The calls always start with a very chipper person introducing themselves and their company. Researchers often add that they are not trying to sell anything.

This is followed up by a question like “What are you using for storage?”

It is difficult not to answer. We want to be helpful. Why shouldn’t I answer?

Giving out information about your network is a security risk.

I suspect I could call 10 IT people and get critical configuration information from five of them by pretending to be a salesperson, researcher, or peer. “What firewall are you using?” “What VPN solution do you have?” “Do you have any issues with it you would like to see fixed?” “Do you struggle with patch management?” “What log management system are you using?”

All of this information can be used to design an attack against your network. A few phone calls to a few people in IT and a complete list of vulnerabilities can be created.

Ask yourself who needs to know this information?

Nobody outside your organization needs to know how your network is configured.

What happens if the vendor or researcher gets hacked?

If I were a hacker, I would want to get hold of any vendor’s CRM database. That could contain a significant amount of information about a potential target’s networks. How secure is the data you provide to vendors? Why take the risk?

What to say when someone calls and asks “What product do you use for xyz?”

I’m not allowed to provide that information.

Repeat that as often as needed. You can add that you are constrained by policy and cannot provide them any information about the network, software, or anything else.

Bonus tip: How to get a vendor off the phone

Unless this is a vendor you want to talk to, simply tell them you are not soliciting new vendors at this time. Don’t tell them you do or do not have a solution, that is a security risk. Just tell them you are not looking for new vendors, thank them, and hang up.

I even added a short blurb at the end of my voice mail message that says “If you are a vendor, we are not soliciting new vendors at this time. Messages will not be returned.” I am polite but it is a way of letting them know I don’t want to keep getting calls. If I am looking for new vendors I might say “If you are a vendor for XYZ products, please leave a message. We are not soliciting other vendors at this time.”

Some people think that is rude. I find the decrease in SPAM voice-mail a relief.

Bonus bonus tip: Decrease unsolicited email messages

I must get 20 email messages a day from vendors asking me to meet with them to discuss how they can save me money, time, etc. I save more time by not reading their email. (Yes, I am a little bitter at the massive amount of junk mail I have to wade through.)

Outlook has a feature which many people overlook. Simply click on the Junk button and select, “Block Sender.” You will never get an email from that person again.


Why you should check your firewall configuration … now.

When was the last time you checked your firewall configuration? Well … that’s too long.

If you are a firewall administrator, you probably live in your configuration files. Everyone else looks at them when they need to make a change. This leads to the ever common problem of “Why is that there?”

Every time I start a new job, I eventually have to look into the firewall and see what lives there and why. Many of the rules make sense. Here is one for an email server. Here is another for remote access to some application. Here is one for some system … to do something … for some reason. Firewall rules without a documented purpose are a problem waiting to happen.

Imagine finding rules in firewalls that allow access for vendors that were fired years ago or administrators long departed. Firewall configurations never seem to shrink. We add new rules when we need them but deleting a rule … well … that’s terrifying.

Do I delete the rule? What will break? How long will it take to break? Do I risk it?

Manage your firewall

Managing the firewall is a process that never ends. It is also very easy to forget to do. Here’s a program that works well for most companies without a dedicated firewall administrator:

  1. Backup your config file. Seriously, back it up to a secure location where you can store it for at least a year.
  2. Change your password. It should be changed once a year.
  3. Go through your rules. Most firewalls have a hit counter that shows how many times a rule is used. Reset the counter and wait a day or so. You will quickly see which rules are important.
  4. Delete any disabled rules unless you just disabled them. No reason to keep old disabled rules in the config file for a decade or more.
  5. Label everything. Don’t use rules like “Allow 25 to 10.0.0.1 from 0.0.0.0.” Try to use names when you can. Rules should be human readable if possible. “Allow SMTP (email) to CorpSpamFilter from TheInternet” is much easier to read.
  6. If you don’t know what it is and nobody else does either, disable the rule. You can always enable it within seconds but it would be better to know why a rule is there than to let unknown traffic through. In all fairness, be very careful. Do lots of research. Just turning a rule off can be a disaster so cross your Ts and dot your Is before disabling a rule. Do NOT delete the rules yet.
  7. Schedule your next firewall audit. If you rarely make rule changes, you may only need to check the firewall every year. If you are on the firewall every week, you may need monthly audits. Put this on your calendar even if it is a year away.
  8. Smile, you just made your network a safer place. Repeat this process every month, quarter, or year.
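Steps 3 through 6 (hit counters, disabled rules, labels) are the part of this audit that can be scripted. The script below is an added example, not the author’s or any vendor’s code: it parses a constructed sample modelled on Cisco ASA “show access-list” output (the ACL name, addresses, remarks and hit counts are made up for this example) and reports rules with zero hits since the counters were reset, rules with no remark labelling their purpose, and rules already marked inactive. It assumes that a remark labels only the rule that immediately follows it, and it only reports; the decision to disable or delete a rule stays with the person doing the research.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on Cisco ASA "show access-list" output.
# Names, addresses, remarks and hit counts are made up for this example.
SAMPLE_ACL = """\
access-list outside_in line 1 remark Allow SMTP (email) to CorpSpamFilter from TheInternet
access-list outside_in line 2 extended permit tcp any host 10.0.0.1 eq smtp (hitcnt=4821)
access-list outside_in line 3 extended permit tcp any host 10.0.0.7 eq 8443 (hitcnt=0)
access-list outside_in line 4 remark Vendor RDP for AcmeSupport (contract ended 2012)
access-list outside_in line 5 extended permit tcp host 203.0.113.9 host 10.0.0.20 eq 3389 (hitcnt=0)
access-list outside_in line 6 extended permit tcp any host 10.0.0.15 eq https (hitcnt=977)
access-list outside_in line 7 extended permit ip any any (hitcnt=12) inactive
"""

REMARK_RE = re.compile(r"^access-list (\S+) line (\d+) remark (.*)$")
RULE_RE = re.compile(
    r"^access-list (\S+) line (\d+) extended (permit|deny) (.+?) \(hitcnt=(\d+)\)(.*)$"
)


def parse_access_list(text: str) -> List[Dict]:
    """Turn ACL output into a list of rule records.

    Assumption for this example: a remark labels only the rule that
    immediately follows it, so the pending remark is cleared once used.
    """
    rules: List[Dict] = []
    pending_remark: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REMARK_RE.match(line)
        if m:
            pending_remark = m.group(3).strip()
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # object-group, standard or other forms are not modelled here
        acl, num, action, spec, hits, tail = m.groups()
        rules.append({
            "acl": acl,
            "line": int(num),
            "action": action,
            "spec": spec,
            "hits": int(hits),
            "inactive": "inactive" in tail,
            "remark": pending_remark,
        })
        pending_remark = None
    return rules


def audit_rules(rules: List[Dict]) -> Dict[str, List[int]]:
    """Return ACL line numbers grouped by audit finding.

    unused:     active rules whose hit counter is still zero (step 3)
    unlabelled: active rules with no remark explaining them (step 5)
    disabled:   rules already marked inactive, candidates for removal (step 4)
    """
    report: Dict[str, List[int]] = {"unused": [], "unlabelled": [], "disabled": []}
    for r in rules:
        if r["inactive"]:
            report["disabled"].append(r["line"])
            continue
        if r["hits"] == 0:
            report["unused"].append(r["line"])
        if not r["remark"]:
            report["unlabelled"].append(r["line"])
    return report


def format_report(rules: List[Dict], report: Dict[str, List[int]]) -> str:
    """Human readable summary, one finding per line, with the rule text."""
    by_line = {r["line"]: r for r in rules}
    out = []
    for finding, lines in report.items():
        for n in lines:
            r = by_line[n]
            label = r["remark"] or "(no remark)"
            out.append(f"{finding:10} line {n}: {r['action']} {r['spec']} "
                       f"hits={r['hits']} -- {label}")
    return "\n".join(out)


if __name__ == "__main__":
    parsed = parse_access_list(SAMPLE_ACL)
    print(format_report(parsed, audit_rules(parsed)))
```

Run it against the saved output of your own firewall’s access-list listing after the counters have been reset and a day or so has passed; a zero-hit rule that is also unlabelled (line 3 in the sample) is exactly the “Here is one for some system … to do something … for some reason” case, and the inactive rule (line 7) is what step 4 says to clean out once you are sure it was not just disabled.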

Know what you know and when to say NO!

I know my way around a firewall. I have been configuring them for 15 years. Access control lists are something I can do in my sleep. But on a Cisco firewall, I don’t touch the VPN settings. I call in an expert to keep me from breaking my own network.

I audit my VPN configuration at the same time as my firewall configuration. My Cisco consultant works across from me looking through VPN config files for things we no longer use or could use better. I look through the firewall rules. In the event I need help with something, I have help.

Since I am a generalist in my job, I cannot know everything there is to know about every system I manage. When I know I am over my head, I get an expert. Firewalls are too important to tinker with.

Save your work

Don’t forget that some firewalls have a running configuration that is lost every time you reboot. That’s great when you fry the config and need it back the way it was before you started. That’s terrible when all the changes you made last month got lost when you updated the firmware. Remember to save the running config to the startup config once you know everything works as it should. (Put an event on your calendar to remind you if you need to.)

Take your time but it does get easier

The first time you do this it will be a slow process. There will be lots of research and issues. The second time will be easier. You will remember why most of the rules are there. You will be able to read them. After a few years, firewall maintenance will be a simple task.


Is it too late for Microsoft Office for iPad?

Microsoft Office has been THE application for Word Processing, Spreadsheets, and Email for business for many years. I’ll save a lot of time by stating that I don’t think there is a better product on the market. So with the rumors of Microsoft planning to release Office for iPad you would think I would be jumping for joy? I’m not … and I wonder who is.

Microsoft Office used to be for everyone

When I was young(er) everyone wanted a copy of Microsoft Office. You had to have it for school, work, or anything else you did. Scaled down versions came on every PC. Office was expensive but most people could find a way to own a copy. (If not, there was always Microsoft Works.)

Then it got expensive. As Office grew in complexity and businesses finally stopped using Word Perfect and Lotus Notes, the price of Office went up … and up … and up. Frankly, it got to the point where it was simply too expensive to buy a copy of Office. The non-profit and education companies I worked for could afford it because Microsoft gave generous price breaks but the small for-profit businesses started to struggle to pay when it became necessary to update from one version to the next.

Alternatives were born

Google Docs, when it started, had to be one of the worst word processors I had ever used. The spreadsheet was adequate but not awesome like Excel. GMail was frustrating because it wasn’t Outlook. Then the iPhone came out and Mac was popular again. Then the iPad came out and the tablet revolution started. PC sales immediately dried up and tablet sales skyrocketed. Add Android phones and tablets to the picture and suddenly most people are using non-Microsoft systems for most of their non-work computing. I knew the world had changed when I saw more Macbooks at IT conferences than Windows laptops.

Microsoft Office did not work on any of these new devices. People started using alternatives. Google Docs, Evernote, Dropbox, Pages, etc. Suddenly there are hundreds of alternatives to Microsoft Office and people used them and have grown used to them.

Good enough is good enough

Microsoft Word is the best application for creating a printable document. But who does that anyway? Who creates memos to print and distribute? I don’t even own a printer anymore at home. At work, I find it almost insulting when I am asked to print something. Paper is SO last century. Word was designed for paper. Most of the alternatives were designed to work in the digital world … and they work just fine for most people.

Excel is still the best spreadsheet application out there but Google Sheets is catching up. I can do anything I need for home or work with it. Apple’s Numbers is frankly terrible but it works in a pinch. Only the accountants I work with need Excel. Everyone else is happy with whatever they can get on their iPad or Android device. People seem to have found that a free or very inexpensive application does everything they need as opposed to a $200 application that does everything.

Have people already moved on?

I admit, I have grown hostile to Microsoft over the years. They seemed to focus on Enterprise sized customers at the expense of the smaller companies I work for. I don’t like buying from businesses that don’t seem to value my business. So for me, I know I have moved on. I can live without Microsoft Office.

What about everyone else? Have we gotten so used to the apps we use as alternatives that we no longer need or want Microsoft Office? If Microsoft comes out with very inexpensive mobile versions of Office will people flock to it or will they stick with what they know?

If Office for iPad had come out five years ago, I think it would have been one of the most used apps today. As it stands, it is just another application in the long list of applications. Unless Microsoft can do something to win people back, I wonder if anyone outside of corporate old-timers will use it.

VMWare Site Recovery Manager reprotect step fails with EqualLogic PS storage

I am using VMWare Site Recovery Manager (SRM) at two locations. One is my primary data center (PDC) and one is my disaster recovery (DR) data center. I have two EqualLogic PS 4110 arrays at each location. The EqualLogic arrays have many volumes which replicate on a schedule to the DR site.

In all but one test, SRM failed during the reprotect step.

Error on reprotect:

Failed to reverse replication for device ‘iqn.2001-05.com.equallogic:0-af1ff6-xxxxxxxxx-xxxxxxxxx-xxxxxx-xxxx.1’.

I would also see problems with the array pair in the SRM Dashboard:

SRM Broken Replication

SRM Error: Device Test cannot be matched to a remote peer device

This all makes sense once you understand what went wrong.

Understand the limits of the Storage Replication Adapter (SRA)

The SRA acts as a middle man between SRM and the EqualLogic Array. It does not do a good job of producing an error a human can understand or even find. What you are left with is the vague errors you see in SRM which are not helpful. The key is in the message “Device ‘XXXX’ cannot be matched to a remote peer device.”

The SRA will only work with one storage pool. I had two storage pools at PDC and one at DR. It wasn’t the mismatch that mattered, it was the fact that I had two pools. I could have had two pools at both sites and received the same error.

How it fails

I created a volume on Pool B (the second pool) at PDC and replicated it to DR. When I clicked reprotect in SRM, the SRA tried to find the volume on Pool A. The volume didn’t exist, because it was in Pool B, and thus SRM barfed the dreaded “Failed to reverse replication for device ‘iqn.2001-05.com.equallogic:0-af1ff6-xxxxxxxxx-xxxxxxxxx-xxxxxx-xxxx.1’” error.

You can however reprotect any VM on a volume from Pool A without error.

How to fix it

In my case the solution was simple. I merged the two pools. My next test of SRM worked. The other option is to only protect VMs in Pool A.

This is an annoying issue which I hope Dell fixes in future versions of the SRA. If I were to buy another array I would be unable to use SRM to protect my VMs because I would have multiple pools.

If you are considering buying a Dell EqualLogic array, consider this limitation carefully if you are going to use SRM. Your ability to grow over time will be limited by the SRA’s inability to deal with multiple pools.