Rules to Better Internet and Networks

Networks are the lifeblood of any business. This is why we have developed a few rules for better Internet and Networks.

  1. Do you use a secure Remote-Access VPN?

    It is important to ensure that if you have a Remote-Access VPN, the type of VPN you are using is secure. Previously PPTP was a popular method, but it is now a deprecated protocol as it can be broken very quickly using freely available online tools.

    It is recommended to go with a provider such as OpenVPN or Cisco AnyConnect.
  2. Do you assume catastrophic failure before touching a server?

    If you are going to install a service pack on a machine, move a virtual server to another drive or make any other critical system-level change, make sure you back up your machine first. For virtualized machines, make sure you back up all related files, including vhd, avhd etc.

    You should already assume there could be catastrophic failure after these kinds of operations, and you should always be prepared for it by having a full backup somewhere. This is especially important when you are working on your production or critical servers.

  3. Do you check your DNS settings?

    w3dt.net supplies a DNS report tool which can help administrators troubleshoot DNS issues with domains, name servers, SOA and other information. We need to get all green ticks except for:

    • Missing (stealth) nameservers
    • Missing nameservers 2
  4. Do you check your team's backup status?

    The goal is: No one is stressed thinking their backup is not working.

    Follow up your team to back up their PCs, then their mobile phones.

  5. Do you enable automatic Windows Update Installations?

    Microsoft Update is a service that allows for the periodic patching of system files to address known issues with Microsoft products. Originally called Windows Update, it was specifically focused on Operating System patches for Windows but has been expanded to include all Microsoft products and the name has changed to Microsoft Update, allowing the automated patching of non-OS software such as Internet Explorer and Microsoft Office.

    It is important to keep your machine up-to-date, but Windows Update automatic installation can be somewhat intrusive to your workflow. There is nothing worse than Windows Updates installing during an important presentation. You should set Windows Updates to be installed manually.

    NOTE: This is only for client machines; Windows Update for servers should be handled differently, see: Do you use Group Policy to manage your Windows Update Policy?

    Go to Start | Windows Update Settings | Advanced Options and set Restart this device as soon as possible... to Off and Update Notifications to On.


    Figure: Bad example – Install updates automatically

    Figure: Good example – Download updates but let user choose whether to install them

    If you have a system administrator who manages your organization's infrastructure, it is recommended to get your system administrator to push this setting via group policy.


    Figure: Better example – Windows Updates setting is pushed to *ALL* users via group policy


  6. Do you have a consistent naming convention for each machine?

    When we configure networks we give all computers in the company a naming theme like Buildings, Cars, Countries, Colours, Fruits, or Vegetables. 

    At SSW we have adopted the animal kingdom.


    Figure: We name the PCs and label them - this one is "Great Pyrenees"

    While you are attaching the label, it is also a good idea to affix a business card to the underside of the computer. This way if you lose your machine, anyone who finds it can easily contact you.

  7. Do you have servers around the world and use CDN?

    Having a very popular website is great. The only problem is where to host it. If you host it in your local country then it is very fast for your local market, but what about the market on the other side of the world? The solution to this is to use a Content Delivery Network (CDN).

    The approach is to have an origin server (there can be multiple for load balancing) and Content Delivery Nodes in locations that have many users accessing the website. Users are served content from the closest Node. This is possible with the help of a BIND DNS server and a list of IP addresses with their country of origin.

    CDN is provided by many cloud providers such as WPEngine, Azure and CloudFlare, but can also be achieved by using open-source software such as JSDelivr, Cdnjs and many others.


    It can also be achieved using IIS Outbound Rewrite rules. For example, https://ssw.com.au/ could be changed to https://us.ssw.com.au/ and directed to another IIS server.

  8. Do you know how to add a printer?

    When you are connected to the SSW network, you may complete the following procedure.

    Go to \\printer

    Figure: Printers listed in Printer Server

    Double-click a printer to connect to it and add it. Follow the prompts to finish adding the printer (printer driver installation).

    Available Printers are:

    1. Printer_HP3390 (Mono laser printer)
    2. Printer_HPCM2320 (Colour laser printer)

    Congratulations, you have now successfully added the printer. You may now begin to print.

    Figure: Printers successfully added and shown in Devices and Printers
  9. Do you know not to delete expired domain users?

    When an employee leaves or a domain account expires, disable the account, never delete it, as:

    • Some LOB applications such as CRM maintain a reference to the AD domain user GUID
    • During the migration or restoration of CRM, users stored in the database are verified against AD and problems may occur if they no longer exist
  10. Do you know not to login as Administrator on any of the network's machines?

    We've seen this happen too many times - a user wants to do something on a network server machine, and because the user hasn't got a profile set up on that machine, he ends up using the Administrator password to log on as administrator.

    This is not a good thing because:

    1. We cannot tell who currently is logged in remotely, so if another developer wants to change something on the server, we can't work out who is on it.
    2. This is particularly the case where a lot of the servers don't allow multiple concurrent users, so we need to know who to disconnect or kick to free up a remote connection license.
    3. A lot of applications are installed as 'administrator', and no one ends up remembering what they installed, and thus the administrator profile is loaded with applications that most people don't use.
    4. If you check in/check out files from SourceSafe, it may end up using the administrator account - which means we can't work out who made a change in SourceSafe.

    So log on using your own domain account.

  11. Do you know what to do when running out of disk space?

    This is how you free up more disk space on servers:
    1. Check SQL backups
    2. Check SQL logs
    3. Use TreeSize Pro to find disk space issues
    4. Use CCleaner to automatically clean any temporary or junk files on the server
  12. Do you know when to scale out your servers and when to keep it as a standalone server?

    You should use virtualized standalone servers because:

    • If one server goes down it does not affect other servers (e.g. a centralized SQL server fails and brings down: CRM, TFS, Reports, Web Server)
    • You can just copy the VPC to another computer and it just works, no need to worry about reconfiguring the SQL connection string or web services
    • You can just backup the VPC

    However, you should scale out your servers if:

    • You want the best performance (e.g. A different server for SQL backend and Web frontend)
  13. Do you send notification if you cannot access essential services?

    Some of the network services, like TFS/Exchange/Database, are essential for our business and people will not be able to work if any of these services are down or inaccessible.
    When this happens, the first thing you need to do is send a notification to the SysAdmins so they can start investigating the problem, and you should cc your project manager because those issues will stop you getting tasks done.

  14. Do you use ANAME record?

    What is an ANAME record? An ANAME record (also known as an A record) is an alias record that allows you to map the apex record or any other record within your domain to a target host name, essentially a CNAME record for the apex record. An ANAME record is especially useful when you have multiple domain names and your website is hosted by a provider that changes its IP Address; this happens quite regularly with WPEngine. Many DNS service providers do not support ANAME records, however DNSMadeEasy has made this service available.

    Configuring an ANAME is as easy as configuring a CNAME. Let's have a look at the DNS records for adamcogan.com.au. The DNS records contain an apex record for adamcogan.com.au and a www.adamcogan.com.au record. The apex record uses an ANAME, while a CNAME is used for www.adamcogan.au - now we will never have to worry about updating these records, they will follow the DNS records of adamcogan.com.

    Figure: Example DNS entry from Azure DNS

    Read more about Do you use ANAME record?
  15. Do you create your own IP Blacklist?

    Cisco's FirePower module is able to automatically get a list of suspicious IPs from Cisco, however the IPs that are attempting to break into your network may not be the same as Cisco's recommended Blacklist. That is why it is important to have your own IP Blacklist.

    This needs to be an internally accessible webpage that the FirePower module can access and use as its Blacklist. An example script for this can be found on GitHub.

    This script gathers IP addresses from failed login attempts and compares them against multiple IP reputation sites. If an IP is flagged as suspicious on 3 or more sites, it is added to a text document that the Cisco FirePower module can then fetch.
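    The following is an added illustration of that workflow, not the GitHub script the rule refers to. It parses constructed failed-login lines, drops internal addresses, counts how many reputation sources flag each external IP (the sources are stand-in dictionaries here; a real script would query the sites), applies the "3 or more" threshold, and renders the one-address-per-line text feed this example assumes the FirePower module fetches.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of failed-login events (not real log data).
SAMPLE_LOG = """\
2024-01-05T08:00:01 failed login for admin from 203.0.113.10
2024-01-05T08:00:03 failed login for admin from 203.0.113.10
2024-01-05T08:00:09 failed login for root from 198.51.100.7
2024-01-05T08:01:15 failed login for jsmith from 192.168.1.20
2024-01-05T08:02:40 failed login for admin from 203.0.113.10
2024-01-05T08:03:02 failed login for guest from 2001:db8::bad
"""
FAILED_RE = re.compile(r"failed login for \S+ from (\S+)\s*$")

# Internal ranges that must never end up in the firewall blacklist.
EXEMPT = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                                   "127.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

# Stand-in for the reputation sites the rule mentions (constructed verdicts; a real
# script would query each site). Each entry is the set of IPs that site flags.
REPUTATION_SOURCES = {
    "site_a": {"203.0.113.10", "198.51.100.7"},
    "site_b": {"203.0.113.10"},
    "site_c": {"203.0.113.10", "2001:db8::bad"},
    "site_d": {"198.51.100.7"},
}

def failed_login_sources(log_text):
    """Count failed logins per source address, ignoring internal/non-routable ones."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        try:
            addr = ip_address(m.group(1))
        except ValueError:
            continue  # malformed address field: skip it rather than crash
        if any(addr in net for net in EXEMPT):
            continue
        counts[str(addr)] += 1
    return counts

def reputation_hits(ip, sources):
    """Number of reputation sources that flag this IP."""
    return sum(1 for flagged in sources.values() if ip in flagged)

def build_blacklist(log_text, sources, min_hits=3):
    """IPs seen in failed logins and flagged by at least min_hits sources (the rule uses 3)."""
    return sorted(ip for ip in failed_login_sources(log_text)
                  if reputation_hits(ip, sources) >= min_hits)

def render_feed(ips):
    """One address per line: the plain-text feed format assumed here for FirePower."""
    return "".join(f"{ip}\n" for ip in ips)
```

With the constructed data only 203.0.113.10 is flagged by three sources, so it is the only address in the feed; 192.168.1.20 is dropped as internal before reputation is even consulted.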

  16. Do you keep your network hardware reliable?

    When purchasing new network hardware you should always choose the most reliable option.

    At SSW, we have discovered that:

    Firewalls

    1. Cisco ASA is the best. Cisco has built a lot of trust and a large community of backers over the years by providing an extremely solid product. Finding support and assistance with Cisco devices is much easier than most vendors due to the sheer size of the community. Also pushing it to the lead are advanced features like:

    • Malware Protection

    • Application Control

    • FirePOWER Threat Defence

    • Centralised Firewall Management Center


    2. pfSense is the second best. One of the most used firewalls, and for good reason. This open-source firewall offers similar features to the leading firewall vendors but comes in at a fraction of the price, since the software is free and you only need to purchase the hardware to run it.



    Switches

    1. HPE is the best. HPE Switches now rebranded as Aruba Switches have provided a strong product for many years. The feature that really pushes this ahead of the game is the reliability of the hardware as well as a lifetime warranty on hardware with next day replacement at no additional cost.​



    2. Cisco is the second best. A leading product for many years, however it comes at a much larger cost than HPE/Aruba and usually carries ongoing license fees for support. It is nonetheless a very reliable and feature-rich product.


    Access Points

    1. Ubiquiti is the best. Quickly becoming the leading AP used in the industry, it offers rich cloud management software allowing ease of management over multiple sites and countries. UniFi Access Points are easy to manage and install and can be upgraded and provisioned with the touch of a button. With new features being released regularly and prices much lower than Cisco and Aruba, it is hard not to see why this is the best.


    2. Cisco/Aruba is the second best. Offering many features and used on many large projects, such as the University of Wollongong for Cisco and KFC for Aruba, they offer truly tried and tested hardware. These products do come at a higher cost, require a lot more skill and time to manage, and really only come into the spotlight on large-scale projects.



  17. Do you know how to find your mac address?

    To help with automation you can use the MAC address of your mobile device to match when it joins the company wifi. This allows you to:

    Here is how to find your MAC address:

    iPhone

    1. Open the Settings app
    2. Navigate to General | About
    3. Look for WiFi Address

    Android Phone

    1. On the Home screen, tap the Menu button and go to Settings
    2. Tap About Phone
    3. Tap Status/Hardware information
    4. Scroll down to see your WiFi/MAC address

    Windows Phone

    1. From the Windows Phone home screen, swipe left to reveal more icons. Then, scroll down and tap Settings
    2. Scroll down and tap About
    3. In the About screen, tap More info

  18. Do you use Network Intrusion Prevention Systems?

    Network Intrusion Prevention Systems (IPS) can assist with network security by automatically detecting network attacks and stopping them before they become an issue.

    Most business firewalls have some sort of IPS/IDS system built into them. Cisco has FirePower and pfSense has Snort. Both will assist in watching for suspicious activity and DDoS attacks, blocking traffic where necessary.


    Both FirePower and Snort can get automatic updates from the internet so they remain at the forefront of new and emerging attack strategies, so it is important to ensure that the associated module has internet access to remain up to date.


    Depending on your environment you may want to enable inspection of all traffic. This may slow data transfer, but it may be important depending on the data your company is dealing with. Otherwise it is recommended that only WAN to LAN traffic is inspected.