Posted by: maoels | October 6, 2008

Presentation Tricks and Tips

Some people may have trouble giving a presentation because they get nervous, or aren't prepared, or for other reasons that only a fool would admit to. Here I want to go over a few tricks and tips for a good presentation with the best possible result; what I'll cover is a few things to do with your mindset, and with preparing the material. Okay? Let's start

  1. The preparation you have to do before presenting is the material you're going to present: don't let yourself say "Hmmm" more than three times, or your presentation will fall apart because of you. If you have a lot of material, write the main idea of the presentation on a slip of paper.
  2. For material that can't possibly be memorized, either because it's long or because your brain is really limited at remembering things, try to present visually; of course you need to know at least Ms.Po*er Po*nt, provide a laptop or computer, and you definitely need a projector and a room suitable for giving a visual presentation.
  3. A small tip for those presenting visually: animation adds value to your presentation, but too much animation keeps the material from reaching the audience; they end up watching something like a cartoon show instead.
  4. Never, and I repeat never, hand out paper or flyers containing your presentation before you begin; let the audience be surprised by your presentation.
  5. Interactivity is one of the secrets of the executives who present often. Get the audience to answer light questions, bring a little of your humor into the presentation, but don't get carried away, because it's not a comedy show.
  6. If looking at the audience makes you nervous, imagine that the audience is a group of small children sitting there admiring you as you present.
  7. Strengthen your nerve by committing that, for your presentation, you are the person who knows more than anyone else in the room.
  8. For body position, stand up straight and make sure the whole audience can see you, with your hands raised slightly like someone holding a book and reading it. Basically, let your hands move freely; don't hold on to your shirt, trousers, or your, um, you-know-what, or people will take it as indecent.
  9. Look at the audience with full confidence that you can do what you're presenting. Afraid of eye contact in case you fall in love? Look at the audience's foreheads if you don't have the guts to look them in the eye.
  10. Your voice has to be clear, not stammering, not shouting, but audible to the whole audience. Make your voice authoritative and firm, but easygoing, that is, relaxed.

See, presenting isn't that hard; you just need practice. How? Practice by presenting in front of a mirror: look yourself in the eye, watch your facial expressions, listen to whether your voice is clear yet, and smile a lot. At first glance this practice method looks like something a person with a mental disorder would do, but that's the price you have to pay for your own success, especially if you've got a thesis defense coming up; that's when it really matters. See you on the next trick from maoels

Posted by: maoels | September 26, 2008

Chapter Eight (smt2)

ISP Security

Any active Internet connection for a computer can make that computer a target for malicious activity. Malware, or malicious software such as a computer virus, worm, or spyware, can arrive in an email or be downloaded from a website. Problems that cause large scale failures in service provider networks often originate from unsecured desktop systems at the ISP customer locations.

If the ISP is hosting any web or e-commerce sites, the ISP may have confidential files with financial data or bank account information stored on their servers. The ISP is required to maintain the customer data in a secure way.

ISPs play a big role in helping to protect the home and business users that utilize their services. The security services that they provide also protect the servers that are located at the service provider premise. Service providers are often called upon to help their customers secure their local networks and workstations to reduce the risks of compromise.

There are many actions that can be taken, both at the local site and at the ISP, to secure operating systems, any data stored on them, and any data transmitted between computer systems.

If an ISP is providing web hosting or email services for a customer, it is important that the ISP protect that information from malicious attack. This can be complicated because often an ISP will use a single server, or cluster of servers, to maintain data that belongs to more than one customer.

To help prevent attacks that exploit such weaknesses on customer systems, many ISPs provide managed desktop security services for their customers. An important part of an on-site support technician’s job is to implement security best practices on client computers. Some of the security services that an ISP support technician can provide include:

Helping clients to create secure passwords for devices

Securing applications using patch management and software upgrades

Removing unnecessary applications and services that can create vulnerabilities

Ensuring applications and services are available to the users that need them and no one else

Configuring desktop firewalls and virus checking software

Performing security scans on software and services to determine vulnerabilities that the technician must protect from attack

Best Practices for Security

Common data security features and procedures include:

Encrypting data stored on server hard drives

Using permissions to secure access to files and folders

Permit or deny access based on the user account or group membership

If access is permitted, assign various levels of access permissions based on the user account or on group membership

When assigning permissions to files and folders, a security best practice is to apply the principle of least privilege: give a user access to only those resources required to do their job, and only at the level required, for example read-only rather than write access. Permissions the user does not need should not be granted, because every extra permission widens what a compromised account can reach.

Authentication, authorization, and accounting (AAA) is a three-part framework used by network administrators to control who can reach a network, what they may do there, and what they actually did, which makes it harder for attackers to gain and keep access.

Authentication

Requires users to prove their identity, typically with a username and password. The credential database is usually kept on a dedicated AAA server running RADIUS or TACACS+ rather than on each network device, and passwords should be stored only as salted hashes, never in clear text.

Authorization

Gives a user rights to use specific resources and perform specific tasks.

Accounting

Tracks which applications are used and length of time they are used.

For example, Authentication acknowledges that a user named student exists and is able to log on. Authorization services specify that user student can access host serverXYZ using Telnet. Accounting tracks that user student accessed host serverXYZ using Telnet on a specific day for 15 minutes.

AAA can be used on various types of network connections. AAA requires a database to keep track of user credentials, permissions, and account statistics. Local authentication is the simplest form of AAA and keeps a local database on the gateway router itself. If an organization has more than a handful of users authenticating with AAA, it should use a database on a separate AAA server, so that accounts are maintained in one place rather than copied onto every device.
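As an added example (not code from the page or from Cisco), here is a small Python simulation of the three steps with a local database: passwords stored as salted PBKDF2 hashes, authorization by group membership, and accounting records from which the 15 minutes on serverXYZ can be read back. The user, password, host names and group are constructed; a real deployment would keep this database on a RADIUS or TACACS+ server as the text describes.

```python
"""Added example: a local AAA database that authenticates, authorizes and accounts
for the user "student" from the text.  This simulates what a RADIUS or TACACS+
server does for a network device; it is not a RADIUS/TACACS+ client."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest); only the salted hash is stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class LocalAAA:
    def __init__(self):
        self.users = {}        # username -> (salt, digest, group)
        self.policy = {}       # group -> {(host, service), ...} the group may use
        self.sessions = []     # accounting records

    def add_user(self, username, password, group):
        salt, digest = hash_password(password)
        self.users[username] = (salt, digest, group)

    def permit(self, group, host, service):
        self.policy.setdefault(group, set()).add((host, service))

    # Authentication: does the caller know the password for this username?
    def authenticate(self, username, password):
        record = self.users.get(username)
        if record is None:
            # Hash anyway so an unknown username takes as long as a wrong password
            # (prevents username enumeration by timing).
            hash_password(password, b"\x00" * 16)
            return False
        salt, digest, _ = record
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(candidate, digest)

    # Authorization: may this (already authenticated) user use this service on this host?
    def authorize(self, username, host, service):
        group = self.users[username][2]
        return (host, service) in self.policy.get(group, set())

    # Accounting: record when a session started and stopped.
    def start_session(self, username, host, service, started):
        record = {"user": username, "host": host, "service": service,
                  "start": started, "stop": None}
        self.sessions.append(record)
        return record

    def stop_session(self, record, stopped):
        record["stop"] = stopped

    def usage_minutes(self, username, host=None):
        total = timedelta()
        for s in self.sessions:
            if s["user"] == username and s["stop"] and (host is None or s["host"] == host):
                total += s["stop"] - s["start"]
        return total.total_seconds() / 60


def walkthrough():
    """Replays the chapter's example: student may Telnet to serverXYZ for 15 minutes."""
    aaa = LocalAAA()
    aaa.add_user("student", "correct horse battery staple", "students")  # constructed
    aaa.permit("students", "serverXYZ", "telnet")
    t0 = datetime(2008, 9, 26, 9, 0)

    results = {
        "auth_ok": aaa.authenticate("student", "correct horse battery staple"),
        "auth_wrong": aaa.authenticate("student", "guess"),
        "auth_unknown": aaa.authenticate("nobody", "guess"),
        "telnet_allowed": aaa.authorize("student", "serverXYZ", "telnet"),
        "ssh_allowed": aaa.authorize("student", "serverXYZ", "ssh"),
        "other_host_allowed": aaa.authorize("student", "serverABC", "telnet"),
    }
    session = aaa.start_session("student", "serverXYZ", "telnet", t0)
    aaa.stop_session(session, t0 + timedelta(minutes=15))
    results["minutes_on_serverXYZ"] = aaa.usage_minutes("student", "serverXYZ")
    return results


if __name__ == "__main__":
    print(walkthrough())
```

Note that authorization is a separate decision from authentication: the same user who logs in successfully is refused SSH to serverXYZ and Telnet to any other host, because only the (host, service) pairs granted to the group are permitted.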

Data Encryption

ISPs must also be concerned with securing data that is transmitted to and from their servers. By default, data sent over the network is unsecured and transmitted in clear text. Unauthorized individuals can intercept unsecured data as it is being transmitted. Capturing data in transit bypasses all file system security that is set on the data. There are methods available to protect against this security issue.

Digital encryption is the process of encrypting all transmitted data between the client and the server. Many of the protocols used to transmit data offer a secure version that uses digital encryption. As a best practice, use the secure version of a protocol whenever the data being exchanged between two computers is confidential.

For example: If a user must submit a username and password to log onto an e-commerce web site, a secure protocol is required. This protects the username and password information from being captured. Another example is any time a user must submit a credit card or bank account information.

When browsing publicly accessible web sites, securing the transmitted data has traditionally been considered unnecessary, since a secure protocol adds some latency and computational overhead. Keep in mind, though, that a secure protocol such as HTTPS also protects the integrity of the page: without it, even public content can be altered or have malicious code injected while in transit.

There are many network protocols used by applications. Some offer secure versions and some do not.

Web Servers

Web servers use the HTTP protocol by default. This is not a secure protocol. Switching to HTTPS enables the exchange of data to be done securely.

Email Servers

Email servers use several different protocols, including SMTP, POP3, and IMAP. When a user logs on to an email server, POP3 and IMAP require a username and password for authentication. By default, this submission is sent without protection and can be captured. All three protocols can be protected with SSL/TLS, either on a dedicated port (POP3S, IMAPS, SMTPS) or by upgrading a plain connection with the STARTTLS command; mail servers exchanging mail with each other over SMTP commonly use STARTTLS as well.

Telnet Servers

Using telnet to remotely log into a Cisco router or Cisco switch creates an unsecure connection: Telnet sends the authentication information, as well as every command the user types, across the network in clear text. Use SSH instead to authenticate and work with the router or switch securely, and disable Telnet on the vty lines once SSH access is working.

FTP Server

The FTP protocol is also unsecure. When logging in to an FTP server, the authentication information is sent in clear text, as is the file data itself. FTP can be protected with SSL/TLS (FTPS). SFTP, which is often offered alongside it, is not a secured version of FTP but a separate file transfer protocol that runs over SSH; it serves the same purpose and inherits SSH's authentication and encryption.

File Servers

File servers can use many different protocols to exchange data, depending on the computer’s operating system. In most cases, file server protocols do not offer a secure version.

Another security protocol, IP security (IPsec), also exists. IPsec works at the network layer and can protect any Application Layer protocol carried over it, including file server protocols that offer no secure version of their own, because it encrypts and authenticates the IP packets themselves rather than the application data.

Access List And Port Filtering

In spite of AAA and the use of encryption, there are many different types of attacks that an ISP must protect against. ISPs are especially vulnerable to Denial of Service attacks, because the ISP may host sites for many different registered domain names that may or may not require authentication. Currently there are three key types of denial of service attacks.

DoS

A standard denial-of-service (DoS) attack takes place when a server or service is attacked to prevent legitimate access to that service. Some examples of standard DoS attacks are SYN flood, ping flood, LAND attack, bandwidth consumption attacks, and buffer overflow attacks.

DDoS

A distributed denial-of-service (DDoS) attack occurs when multiple computers are used to attack a specific target. In DDoS attacks, the attacker has access to many compromised computer systems, usually on the Internet. Because of this, the attacker can remotely launch the attack. DDoS attacks are usually the same kinds of attacks as standard DoS attacks, except that DDoS attacks are run from many computer systems simultaneously.

DRDoS

A distributed reflected denial-of-service (DRDoS) attack occurs when an attacker sends spoofed requests to many computer systems on the Internet, with the source address forged to be that of the targeted system. The systems that receive the requests respond, and because of the forged source address all of their responses are directed at the target. Attackers favor services whose responses are much larger than the requests, so the reflectors also amplify the traffic. Because the traffic reaching the target comes from the reflectors, it is very difficult to determine the originator of the attack.
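The three patterns differ in what a flow monitor at the target's edge sees: one source, many sources, or many sources sending responses the target never asked for. As an added example, not from the original page, the following Python classifier applies those distinctions to a constructed packet summary; the thresholds, addresses and packet kinds are assumptions made for the example.

```python
"""Added example: classify floods seen at an ISP edge as DoS, DDoS, DRDoS or LAND
from a list of summarised packets (src, dst, kind).  Thresholds are constructed."""
from collections import defaultdict

FLOOD_THRESHOLD = 50        # packets to one target in the window before we call it a flood
DISTRIBUTED_SOURCES = 10    # distinct sources before we call a flood "distributed"
REQUESTS = {"SYN", "ECHO-REQ"}
RESPONSES = {"SYN-ACK", "ECHO-REPLY"}


def classify(packets):
    """Return {target: verdict} for every target that received a flood."""
    inbound = defaultdict(list)       # dst -> [(src, kind), ...]
    requested = set()                 # (requester, responder) pairs we saw a request for
    for src, dst, kind in packets:
        if kind in REQUESTS:
            requested.add((src, dst))
        inbound[dst].append((src, kind))

    verdicts = {}
    for target, flows in inbound.items():
        if len(flows) < FLOOD_THRESHOLD:
            continue
        sources = {src for src, _ in flows}
        if target in sources:
            # LAND: source address spoofed to equal the destination
            verdicts[target] = "LAND"
            continue
        # Responses to requests the target never made are the fingerprint of a
        # reflected attack: the attacker spoofed the target's address as the source.
        unsolicited = sum(1 for src, kind in flows
                          if kind in RESPONSES and (target, src) not in requested)
        if unsolicited > len(flows) // 2 and len(sources) >= DISTRIBUTED_SOURCES:
            verdicts[target] = "DRDoS"
        elif len(sources) >= DISTRIBUTED_SOURCES:
            verdicts[target] = "DDoS"
        else:
            verdicts[target] = "DoS"
    return verdicts


def sample_capture():
    """Constructed traffic summary (documentation address ranges), not a real capture."""
    pkts = []
    # 1. One host SYN-floods the web server; a little legitimate traffic mixed in.
    pkts += [("198.51.100.7", "203.0.113.10", "SYN")] * 200
    pkts += [("192.0.2.200", "203.0.113.10", "DATA")] * 5
    # 2. Fifty bots SYN-flood the mail server.
    for i in range(50):
        pkts += [(f"192.0.2.{i + 1}", "203.0.113.25", "SYN")] * 4
    # 3. Reflection against the DNS server: sixty reflectors answer pings it never sent...
    for i in range(60):
        pkts += [(f"10.0.0.{i + 1}", "203.0.113.53", "ECHO-REPLY")] * 2
    #    ...while one reply is genuine because the DNS server did send a request.
    pkts += [("203.0.113.53", "198.51.100.53", "ECHO-REQ"),
             ("198.51.100.53", "203.0.113.53", "ECHO-REPLY")]
    # 4. LAND attack against another host.
    pkts += [("203.0.113.80", "203.0.113.80", "SYN")] * 60
    return pkts


if __name__ == "__main__":
    for target, verdict in sorted(classify(sample_capture()).items()):
        print(f"{target:15} {verdict}")
```

The reflection check is the important one: a real monitor has to remember which requests the protected host actually sent, otherwise a burst of SYN-ACKs or echo replies is indistinguishable from the host simply being busy.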

The ISP must be able to filter out network traffic, such as Denial of Service attacks, that can be harmful to the operation of the ISP network or servers. This can be done using port filtering and access lists to control traffic to servers and networking equipment.

Port Filtering

Port filtering is the ability to control the flow of traffic based on a specific TCP or UDP port. Many server operating systems provide options to restrict access using port filtering. In this way, the server can provide the needed services while still being protected. Port filtering is also used by network routers and switches to help control traffic flow and to secure access to the device.

Access Lists

Access lists are used to define traffic that is permitted or denied through the network based on the source and/or destination IP addresses. Access Lists can also permit or deny traffic on the source and/or destination port of the protocol being used. Administrators create access lists on network devices, such as routers, to control whether or not traffic is forwarded or blocked.

Access lists are only the first line of defense and are not enough to secure a network. Access lists only prevent access to a network; they do not protect the network from all types of malicious attacks.

Firewall

A firewall is network hardware or software that defines what traffic can come into and go out of sections of the network, as well as how traffic is handled.

Access-lists are one of the tools used by firewalls. Using access-lists, the type of traffic that is allowed to pass through the firewall is controlled. In addition, the direction the traffic is allowed to travel is also controlled. In a medium-sized network, the amount of traffic and networking protocols needing to be controlled is quite large and firewall access lists can become very complicated.

Firewalls use access lists to control which traffic is passed or blocked. They are constantly evolving as new capabilities are developed and new threats are discovered.

Different firewalls offer different types of features. For example, a dynamic packet filter firewall or stateful firewall keeps track of the actual communication process occurring between the source and destination devices. It does this by using a state table. Once a communication stream is approved, only traffic that belongs to one of these communication streams is permitted through the firewall. The Cisco IOS Firewall software is embedded in Cisco IOS software and allows the user to turn a router into a network layer firewall with dynamic or stateful inspection.

The more functionality of the firewall, the more time it takes for packets to be processed.

Firewalls can provide perimeter security for the entire network, as well as for internal local network segments, such as server farms.

Within an ISP network or a medium-sized business, firewalls are typically implemented in multiple layers. Traffic that comes in from an untrusted network first encounters a packet filter on the border router. Permitted traffic goes through the border router to an internal firewall to route traffic to a demilitarized zone (DMZ). A DMZ is used to store servers that users from the Internet are allowed to access. Only traffic that is permitted access to these servers is permitted into the DMZ. Firewalls also control what kind of traffic is permitted into the protected, local network itself. The traffic that is allowed into the internal network is usually traffic that is being sent due to a specific request by an internal device. For example, if an internal device requests a web page from an external server, the firewall will permit the web page to enter the internal network.
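The access list semantics above (first match wins, implicit deny, matching on source/destination address and port) and the state table that lets only replies to approved connections back in can be shown together. The following Python model is an added example, not Cisco code or the page's own; the addresses, rules and the simplified 5-tuple state table are constructed for illustration.

```python
"""Added example: an access list with first-match semantics and implicit deny,
and a stateful firewall built on top of it that lets reply traffic back in only
when the connection was approved first.  Addresses and rules are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN without ACK: the start of a new connection


@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    src: str = "0.0.0.0/0"         # CIDR; the default matches any address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, p):
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


def acl_lookup(rules, p):
    """Access list semantics: the first matching entry wins, and a packet that
    matches nothing hits the implicit deny at the end of every list."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


class StatefulFirewall:
    def __init__(self, inbound_rules, outbound_rules):
        self.inbound_rules = inbound_rules
        self.outbound_rules = outbound_rules
        self.state = set()   # approved connections as (proto, src, sport, dst, dport)

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def outbound(self, p):
        verdict = acl_lookup(self.outbound_rules, p)
        if verdict == "permit":
            self.state.add(self._key(p))     # remember it so the reply can come back
        return verdict

    def inbound(self, p):
        if self._reverse_key(p) in self.state:
            return "permit"                  # reply to something an inside host asked for
        if p.proto == "tcp" and not p.syn:
            return "deny"                    # mid-connection packet with no state: drop it
        verdict = acl_lookup(self.inbound_rules, p)
        if verdict == "permit":
            self.state.add(self._key(p))
        return verdict


def demo():
    dmz_web = "203.0.113.80"
    inbound = [
        Rule("deny", src="10.0.0.0/8"),                       # private source from the Internet: spoofed
        Rule("permit", dst=dmz_web, proto="tcp", dport=80),   # only web traffic may reach the DMZ server
        Rule("permit", dst=dmz_web, proto="tcp", dport=443),
    ]                                                          # everything else: implicit deny
    outbound = [Rule("permit", src="192.168.10.0/24")]         # inside users may initiate anything
    fw = StatefulFirewall(inbound, outbound)
    r = {}
    r["web_to_dmz"] = fw.inbound(Packet("198.51.100.9", dmz_web, "tcp", 51000, 80, syn=True))
    r["ssh_to_dmz"] = fw.inbound(Packet("198.51.100.9", dmz_web, "tcp", 51001, 22, syn=True))
    r["spoofed_src"] = fw.inbound(Packet("10.1.1.1", dmz_web, "tcp", 51002, 80, syn=True))
    # An inside host fetches a page; the reply is admitted only because of the state entry.
    r["request_out"] = fw.outbound(Packet("192.168.10.5", "198.51.100.20", "tcp", 40000, 80, syn=True))
    r["reply_in"] = fw.inbound(Packet("198.51.100.20", "192.168.10.5", "tcp", 80, 40000))
    # A same-looking packet nobody asked for: no state, no SYN, dropped.
    r["unsolicited"] = fw.inbound(Packet("198.51.100.21", "192.168.10.5", "tcp", 80, 40001))
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} {verdict}")
```

The ordering of the inbound list matters: if the spoofed-source deny came after the permit for port 80, a packet from 10.1.1.1 to the web server would match the permit first and get through, which is exactly the kind of mistake that grows into a complicated, wrong list on a busy firewall.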

Some organizations choose to implement internal firewalls to protect sensitive areas. Internal firewalls restrict access to parts of the network that need additional protection and separate business resources on servers from users inside the organization. They limit what both external and internal attackers can reach, and they contain unintentional internal incidents and malware outbreaks to the segment where they start.

IDS And IPS

ISPs also have a responsibility to prevent, when possible, intrusions into their networks and the networks of customers who purchase managed services. There are two tools often utilized by ISPs to accomplish this.

An intrusion detection system (IDS) is a software- or hardware-based solution that passively listens to network traffic. Network traffic does not pass through an IDS device; instead, the IDS receives a copy of the traffic, typically from a switch mirror (SPAN) port or a network tap, and inspects it through a monitoring interface. When the IDS detects malicious traffic, it sends an alert to a preconfigured management station.

An intrusion prevention system (IPS) is an active physical device or software feature. Traffic travels in one interface of the IPS and out the other. The IPS examines the actual data packets in the network traffic and works in real time to permit or deny packets that want access into the network.

IDS and IPS technologies are deployed as sensors. An IDS or an IPS sensor can be any of the following:

A router running the Cisco IOS IPS feature

An appliance (hardware) specifically designed to provide dedicated IDS or IPS services

A network module installed in an adaptive security appliance (ASA), switch, or router

IDS and IPS sensors respond differently to incidents detected on the network, but both have roles within a network.

IDS

IDS solutions are reactive when it comes to detecting intrusions. They detect intrusions based on a signature for network traffic or computer activity. They do not stop the initial traffic from passing through to the destination, but react to the detected activity.

When properly configured, the IDS can block further malicious traffic by actively reconfiguring network devices such as security appliances or routers, in response to malicious traffic detection. It is important to realize that the original malicious traffic has already passed through the network to the intended destination and cannot be blocked. Only subsequent traffic will be blocked. In this regard, IDS devices cannot prevent some intrusions from being successful.

IDS solutions are often used on the untrusted perimeter of a network, outside of the firewall. Here the IDS can analyze the type of traffic that is hitting the firewall and determine how attacks are executed. The firewall can be used to block most malicious traffic. An IDS can also be placed inside the firewall to detect firewall misconfigurations. When the IDS sensor is placed here, any alarms that go off indicate that malicious traffic has been allowed through the firewall. These alarms mean that the firewall has not been configured correctly.

IPS

Unlike IDS solutions, which are reactive, IPS solutions are proactive. They block all suspicious activity in real time. An IPS is able to examine almost the entire data packet from Layer 2 to Layer 7 of the OSI model. When the IPS detects malicious traffic, the IPS can block the malicious traffic immediately. The IPS is then configured to send an alert to a management station about the intrusion. The original and subsequent malicious traffic is blocked as the IPS proactively prevents attacks.

An IPS is deployed inline, whether as a dedicated appliance, a network module, or a software feature such as Cisco IOS IPS, and it is most often placed inside the firewall. This is because the IPS can examine the entire data packet and can therefore be used to protect server applications. The firewall typically does not examine the entire data packet, whereas the IPS does. The firewall will drop most of the packets that are not allowed, but may still let some malicious packets through. The IPS then has a smaller number of packets to examine, but examines each one completely. This allows the IPS to immediately drop new attacks that the firewall cannot stop or could not be configured to stop.

Wireless Security

Some ISPs offer services to create wireless hot spots for customers to log onto Wireless Local Area Networks (WLANs). A wireless network is easy to implement, but is vulnerable when not properly configured. Since the wireless signal travels through walls, it can be accessed from outside the business premises. The following methods are used to secure a wireless network:

MAC Address Filtering

MAC Address Filtering prevents unwanted computers from connecting to your network by restricting MAC addresses. It is possible however, to clone a MAC address; therefore, other security measures should be implemented along with MAC Address Filtering.

WEP

Wired Equivalent Privacy (WEP) encrypts the data sent between wireless nodes with the RC4 stream cipher and a static pre-shared hexadecimal key of 40 or 104 bits (marketed as 64-bit and 128-bit WEP once the 24-bit initialization vector is counted; some vendors also offered non-standard 256-bit keys). Design flaws in how WEP uses that key allow it to be recovered from captured traffic in minutes, and many WEP cracking tools are freely available on the Internet. WEP should be treated as offering no real protection and used only where legacy equipment supports nothing newer, ideally on a network segment isolated from everything else.

WPA

Wi-Fi Protected Access (WPA) is a newer wireless security protocol that uses an improved encryption scheme, the Temporal Key Integrity Protocol (TKIP). TKIP derives a unique per-client, per-packet key from the master key and rotates keys at a configurable interval. WPA provides mutual authentication of client and access point, and since both sides already hold the key, the key itself is never transmitted. What is transmitted is the four-way handshake that proves possession of it; in WPA-Personal (pre-shared key) mode a captured handshake lets an attacker test passphrase guesses offline, so the passphrase must be long and random.

WPA2

Wi-Fi Protected Access 2 (WPA2) is the improved successor to WPA. WPA2 replaces TKIP with the Advanced Encryption Standard (AES) in CCMP mode, a stronger encryption and integrity scheme. WPA2-Personal still derives its master key from a passphrase, so the advice about passphrase strength applies to it as well; WPA2-Enterprise uses 802.1X with a RADIUS server so that each user authenticates with individual credentials instead of a shared passphrase.
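Both WPA-Personal and WPA2-Personal derive the master key from the passphrase and SSID with PBKDF2, then derive a per-session key from it and the two nonces exchanged in the four-way handshake. The Python below is an added example, not from the page or any vendor: it implements the IEEE 802.11i PMK and PTK derivations and the WPA2-style EAPOL MIC, shows that the same pre-shared key yields a different session key on every association, and runs the offline dictionary attack that a captured handshake allows. The SSID, passphrase, MAC addresses, wordlist and the placeholder handshake frame are constructed.

```python
"""Added example: WPA/WPA2-Personal key derivation, and why a PSK that is never
sent over the air is still guessable from one captured four-way handshake."""
import hashlib
import hmac
import os


def wpa_pmk(passphrase, ssid):
    # Pairwise Master Key: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits (IEEE 802.11i).
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa_ptk(pmk, ap_mac, sta_mac, anonce, snonce, length=64):
    # Pairwise Transient Key via the 802.11i PRF-512: the session key depends on
    # both MAC addresses and both nonces, so it differs on every association.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([counter]),
                        hashlib.sha1).digest()
        counter += 1
    return out[:length]


def eapol_mic(kck, frame):
    # WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16],
    # where the KCK is the first 16 bytes of the PTK.
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def dictionary_attack(ssid, wordlist, ap_mac, sta_mac, anonce, snonce, frame, mic):
    # What an attacker does with one captured handshake: everything except the
    # passphrase was on the air, so each guess costs one PBKDF2 plus one HMAC.
    for guess in wordlist:
        kck = wpa_ptk(wpa_pmk(guess, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, frame), mic):
            return guess
    return None


def demo():
    ssid, passphrase = "CoffeeShop", "password"          # constructed, weak on purpose
    ap_mac = bytes.fromhex("001122334455")               # constructed
    sta_mac = bytes.fromhex("66778899aabb")
    anonce, snonce = os.urandom(32), os.urandom(32)

    # Both sides hold the PSK; neither sends it.  They exchange nonces and derive the PTK.
    pmk = wpa_pmk(passphrase, ssid)
    ptk_ap = wpa_ptk(pmk, ap_mac, sta_mac, anonce, snonce)
    ptk_sta = wpa_ptk(pmk, sta_mac, ap_mac, snonce, anonce)  # argument order does not matter
    frame2 = b"EAPOL-Key message 2, MIC zeroed, SNonce=" + snonce  # stand-in for the real frame
    mic = eapol_mic(ptk_sta[:16], frame2)

    # A fresh association gets a different PTK even though the PSK is unchanged.
    ptk_next = wpa_ptk(pmk, ap_mac, sta_mac, os.urandom(32), snonce)

    wordlist = ["letmein", "qwerty", "password", "correct horse battery staple"]
    recovered = dictionary_attack(ssid, wordlist, ap_mac, sta_mac, anonce, snonce, frame2, mic)
    return {
        "ap_verifies_mic": hmac.compare_digest(eapol_mic(ptk_ap[:16], frame2), mic),
        "ptk_rotates": ptk_next != ptk_ap,
        "recovered_psk": recovered,
    }


if __name__ == "__main__":
    print(demo())
```

The 4096 PBKDF2 rounds slow a guess down, but not enough to save a passphrase that appears in a wordlist; the derivation also binds the PMK to the SSID, which is why precomputed tables only work for common network names.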

Host security

Regardless of the layers of defense that exist on the network, all servers are still susceptible to attack if they are not properly secured. ISP servers are especially vulnerable because they are generally accessible from the Internet. New vulnerabilities for servers are discovered every day so it is critical for an ISP to protect its servers from known and unknown vulnerabilities whenever possible. One way they accomplish this is through the use of host-based firewalls.

A host-based firewall is software that runs directly on a host operating system. It protects the host from malicious attacks that might have made it through all other layers of defense. Host-based firewalls control inbound and outbound network traffic. These firewalls allow filtering based on a computer’s IP address and port, therefore offering additional protection over regular port filtering.

Host-based firewalls typically come with predefined rules that block all incoming network traffic. Exceptions are added to the firewall rule set to permit the correct mixture of inbound and outbound network traffic. When enabling host-based firewalls, it is important to balance the need to allow network resources required to complete job tasks, with the need to prevent applications from being left vulnerable to malicious attacks. Many server operating systems are preconfigured with a simple host-based firewall with limited options. More advanced third party packages are available.

ISPs use host-based firewalls to restrict access to the specific services a server offers. By using a host-based firewall, the ISP protects their servers and their customers’ data, by blocking access to the extraneous ports that are available.

ISP servers that utilize host-based firewalls are protected from a variety of different types of attacks and vulnerabilities.

Known Attacks

Host-based firewalls with intrusion-prevention features recognize malicious activity based on updatable signatures or patterns. When they detect a known attack, they block the traffic on the port used by the attack.

Exploitable Services

Host-based firewalls protect exploitable services running on servers by preventing access to the ports that the service is using. Some host-based firewalls can also inspect the contents of a packet to see if it contains malicious code. Web and email servers are common targets for service exploits, and can be protected if the host-based firewall is capable of performing packet inspection. This inspection confirms whether or not the packet contains malicious code.

Worms and Viruses

Worms propagate by exploiting vulnerabilities in services and other weaknesses in operating systems. Host-based firewalls prevent worms from reaching the listening services on a server. They can also help prevent the spread of worms and viruses by controlling outbound traffic originating from a server.

Back Doors and Trojans

Back doors and Trojans allow attackers to remotely gain access to servers on a network. The software typically works by sending a message to let the attacker know of a successful infection, then providing a service that the attacker can use to gain access to the system. Host-based firewalls can prevent a Trojan from sending that message by limiting outbound network access, and can prevent the attacker from connecting to the back door’s service.

In addition to host-based firewalls, Anti-X software can also be installed on the host. Anti-X software is software that protects computer systems from viruses, worms, spyware, malware, phishing, and even spam. Many ISPs offer customers Anti-X software as part of their comprehensive security services. Not all Anti-X software protects against the same threats. The ISP should constantly review what threats the Anti-X software actually protects against and make recommendations based on a threat analysis of the company.

Many Anti-X software packages allow for remote management. This includes a notification system that can alert the administrator or support technician about an infection, via email or pager. Immediate notification of the right person can drastically reduce the impact of an infection. Using Anti-X software does not diminish the number of threats to the network, but it reduces the risk of being infected.

Occasionally, infections and attacks will still occur and can be very destructive. It is important to have an incident management process that tracks every incident and its resolution, to help prevent the same infection from recurring. Incident management is required of ISPs that manage and maintain customer data, because the ISP has committed to protecting the integrity and confidentiality of the data it hosts. For example, if the ISP network were the target of an attacker and, as a result, thousands of credit card numbers stored in a database that the ISP manages were stolen, the customer would need to be notified so that they could notify the card holders.

Service Level Agreement

An ISP and a user typically have a contract known as a service level agreement (SLA). It clearly documents the expectations and obligations of both parties. The parts of a typical SLA include:

Service Description

Costs

Tracking and Reporting

Problem Management

Security

Termination

Penalties for Service Outages

Availability, Performance, and Reliability

The SLA is an important document that clearly outlines the management, monitoring, and maintaining of a network.

Monitoring Network Line Performance

The ISP is responsible for monitoring and checking device connectivity. This would include any equipment that belongs to the ISP, as well as equipment at the customer end that the ISP agreed to monitor in the SLA. Monitoring and configuration can be performed either out-of-band with a direct console connection, or in-band using a network connection.

Out-of-band management is useful in initial configurations, if the device is not accessible via the network, or if a visual inspection of the device is necessary.

Most ISPs are not able to visually inspect, or have physical access to, all of their devices. An in-band management tool allows for easier administration because the technician does not require a physical connection. For this reason, in-band management is preferred over out-of-band management for servers and devices that are reachable on the network. Conventional in-band tools can also provide more management functionality than out-of-band management, such as an overall view of the network design. Traditional in-band management protocols include Telnet, SSH, HTTP, and the Simple Network Management Protocol (SNMP). Because in-band management traffic shares the network with everything else, prefer the variants that protect credentials (SSH, HTTPS, and SNMPv3) over Telnet, HTTP, and SNMPv1/v2c, which carry passwords and community strings in clear text, and restrict management access to a dedicated management network or address range.

There are many embedded tools, commercial tools, and shareware tools available that utilize these management protocols. For example, HTTP access is through a web browser. Some applications, such as Cisco SDM, use this access for in-band management.

Selecting In-Band And Out-Of-Band Tools

SNMP is a network management protocol that enables network administrators to gather data about the network and corresponding devices. SNMP management system software is available in tools such as CiscoWorks. There are free versions of CiscoWorks available for download on the Internet. SNMP management agent software is often embedded in operating systems on servers, routers, and switches.

SNMP is made up of four main components:

Management station - computer, with the SNMP management application loaded, is used by the administrator to monitor and configure the network.

Management agent - software installed on a device managed by SNMP

Management information base (MIB) - a database that a device keeps about itself concerning network performance parameters

Network management protocol - the communication protocol used between the management station and the management agent.

The management station would contain the SNMP management applications that the administrator uses to configure devices on the network. It would also store data about those devices. The management station collects information by polling the devices. A poll occurs when the management station requests specific information from an agent.

The agent’s task is to report to the management station by responding to the polls. When the management station polls an agent, the agent will call on statistics that have accumulated in the MIB.

Agents can also be configured with traps. A trap is an alarm-triggering event on an agent. Certain areas of the agent are configured with thresholds, or maximums, that must be maintained, such as the amount of traffic that can access a specific port. If the threshold is exceeded, the agent sends an alert message to the management station. This frees the management station from continuously polling network devices.

Management stations and managed devices are identified by a community ID, called a community string, that permits access to the devices. In SNMPv1 and SNMPv2c the community string is the only credential and travels in clear text, so anyone who captures it can read the device’s MIB or, with the read-write string, reconfigure the device. Change the default strings such as public and private, restrict which management stations may query each agent, and use SNMPv3, which adds per-user authentication and encryption, wherever the devices support it.

Storing device logs and reviewing them periodically is an important part of network monitoring. Syslog is the standard for logging system events. Like SNMP, Syslog is an Application Layer protocol that enables devices to send information to a Syslog Daemon that is installed and running on a management station.

A Syslog system is composed of Syslog servers and Syslog clients. The servers accept and process log messages from Syslog clients; the clients are the devices being monitored, and each generates and forwards its log messages to the servers. Syslog is usually carried over UDP port 514 with no authentication or encryption, so the collector should be reachable only from the management network, and the messages it receives should be treated as unauthenticated claims rather than proof of what happened.

Log messages normally consist of a log message ID, type of message, a time stamp (Date, Time), which device has sent the message, and the message text. Depending on which network equipment is sending the Syslog messages, a Syslog message can contain more items than those listed.
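As an added example (not from the page), the following Python parser splits Cisco IOS-style syslog lines into exactly those fields, decodes the <PRI> value into facility and severity, and extracts ACL log events so a technician can see which source is being denied most often. The log lines, sender addresses and ACL number are constructed; the line format is the one IOS emits with sequence numbers and timestamps enabled.

```python
"""Added example: parse Cisco IOS-style syslog lines into the fields the text
lists (message ID, type, timestamp, sending device, text) and pull out ACL
deny events.  All log lines below are constructed for this example."""
import re
from collections import Counter

SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]

LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>"                                          # syslog PRI = facility*8 + severity
    r"(?P<seq>\d+): "                                           # IOS sequence number (message ID)
    r"\*?(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d(?:\.\d+)?)"   # IOS timestamp; '*' = clock not synced
    r"(?: [A-Z]{3,4})?: "                                       # optional time zone
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): "  # %FACILITY-SEVERITY-MNEMONIC
    r"(?P<text>.*)$")

ACL_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)")


def parse_line(sender, line):
    """Return a structured record, or None for lines that are not IOS syslog."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    pri = int(m["pri"])
    record = {
        "device": sender,                      # the collector knows which device sent it
        "id": int(m["seq"]),
        "timestamp": m["ts"],
        "facility": pri // 8,                  # 23 = local7, the IOS default
        "severity": SEVERITY[pri % 8],
        "type": f"%{m['fac']}-{m['sev']}-{m['mnem']}",
        "text": m["text"],
    }
    a = ACL_RE.search(m["text"])
    if a:
        record["acl"] = {k: (int(v) if k in ("sport", "dport") else v)
                         for k, v in a.groupdict().items()}
    return record


def summarize(entries):
    """entries: [(sender_ip, raw_line), ...] as received by the syslog daemon."""
    parsed = [r for r in (parse_line(s, l) for s, l in entries) if r is not None]
    denied = Counter(r["acl"]["src"] for r in parsed
                     if "acl" in r and r["acl"]["action"] == "denied")
    return {
        "parsed": len(parsed),
        "unparsed": len(entries) - len(parsed),
        "denied_by_source": dict(denied),
        "errors_or_worse": [r["type"] for r in parsed
                            if SEVERITY.index(r["severity"]) <= 3],
    }


SAMPLE_LOG = [  # constructed; <190> = local7 (23*8) + informational (6)
    ("203.0.113.1", "<190>101: *Oct  6 10:15:32.001: %SEC-6-IPACCESSLOGP: list 101 denied tcp "
                    "198.51.100.7(51000) -> 203.0.113.80(22), 1 packet"),
    ("203.0.113.1", "<190>102: *Oct  6 10:15:33.410: %SEC-6-IPACCESSLOGP: list 101 denied tcp "
                    "198.51.100.7(51001) -> 203.0.113.80(23), 1 packet"),
    ("203.0.113.1", "<190>103: *Oct  6 10:15:35.002: %SEC-6-IPACCESSLOGP: list 101 permitted tcp "
                    "192.0.2.44(40000) -> 203.0.113.80(80), 1 packet"),
    ("203.0.113.1", "<187>104: *Oct  6 10:16:01.000: %LINK-3-UPDOWN: Interface FastEthernet0/1, "
                    "changed state to down"),
    ("203.0.113.2", "<190>55: *Oct  6 10:16:05.220: %SEC-6-IPACCESSLOGP: list 101 denied tcp "
                    "198.51.100.7(51002) -> 203.0.113.80(3389), 1 packet"),
    ("203.0.113.2", "this is not a syslog message"),
]


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Keeping the unparsed count visible matters: a collector that silently drops lines it cannot parse hides exactly the malformed or unexpected messages an attacker, or a misbehaving device, tends to produce.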

Backup Media

Network management and monitoring software helps ISPs and businesses identify and correct network issues, including failures caused by malware and malicious activity, loss of network functionality, and other issues such as failed devices.

Regardless of the cause of failure, an ISP that hosts web sites or email for customers must protect the web and email content from being lost. Losing the data stored on a web site could mean hundreds, or even thousands, of man hours recreating the content, not to mention the lost business that will result from the downtime while the content is being recreated.

Losing email messages that were stored on the ISP’s email server could potentially be crippling for a business that relies on the data within the emails. Some businesses are legally required to maintain records of all email correspondence, so losing that email data would not be acceptable.

Data backup is essential. An IT professional’s job is to try to reduce the risks of data loss and provide mechanisms for quick recovery of any data that is lost.

When an ISP needs to backup its data, the cost of a backup solution and its effectiveness must be balanced. The choice of backup media can be complex since there are many factors that affect the choice.

Some of the factors include:

Amount of data

Cost of media

Performance of media

Reliability of media

Ease of offsite storage

There are many types of backup media available, including the use of tape media, optical media, hard disk media, and solid state media.

Tape Media Backup

Tape remains one of the most common types of backup media available. Tapes have large capacities and remain the most cost-effective media on the market. For data volumes in excess of a single tape, tape autoloaders and libraries can swap tapes during the backup procedure, allowing the data to be stored on as many tapes as required. These devices can be expensive and are not typically found in small to medium-sized businesses. However, depending on the volume of data, there may be no alternative other than an autoloader or library.

Tape media is prone to failure, and tape drives require regular cleaning to maintain functionality. Tapes also have a high failure rate as they wear through use. Tapes should only be used for a fixed amount of time before removing them from circulation. Some of the different types of tapes are:

Digital data storage (DDS)

Digital audio tape (DAT)

Digital linear tape (DLT)

Linear tape-open (LTO)

These all have different capacities and performance characteristics.

Optical

Optical media is a common choice for smaller amounts of data. CDs have a storage capacity of 700MB, DVDs can support up to 8.5GB on a single-sided dual layer disk, and HD-DVD and Blu-Ray disks can have capacities in excess of 25GB per disk. ISPs may use optical media for transferring web content data to their customers. Customers may also use this media to transfer web site content to the ISP web hosting site. Optical media can easily be accessed by any computer system with a CD or DVD drive built in.

Hard Disk

Hard disk-based backup systems are becoming more and more popular due to the low cost of high capacity drives. However, hard disk-based backup systems make offsite storage difficult. Large disk arrays such as Direct Attached Storage (DAS), Network Attached Storage (NAS), and Storage Area Networks (SANs) are not transportable.

Many implementations of hard disk-based backup systems work in conjunction with tape backup systems for offsite storage. Using both hard disks and tapes in a tiered backup solution can give you a quick restore time with the data available locally on the hard disks, as well as a long term archival solution.

Solid State

Solid state storage refers to all non-volatile storage media that does not have any moving parts. Examples of solid state media range from small postage-stamp sized drives holding 1GB of data, to router-sized packages capable of storing 1000GB (1TB) of data.

Solid state storage is ideal for storage of data when fast storage and retrieval is important. Applications for solid state data storage systems include database acceleration, high definition video access and editing, data retrieval, and SANs. High capacity solid state storage devices can still be extremely expensive, but as the technology matures, the prices will come down.

Methods Of File Backup

Once a backup solution is chosen, a decision must be made on how to perform the backups. There are three methods to choose from.

Normal (full)

A normal (or full) backup copies all selected files and marks each file as having been backed up. With normal backups, only the most recent backup is required to restore all files, speeding up and simplifying the restore process. However, since all data is being backed up, a full backup takes the most amount of time.

Differential

A differential backup copies only the files that have been changed since the last full backup. With differential backups, a normal full backup on the first day of the backup cycle is necessary. Only the files that are created or changed since the time of the last full backup are saved. The differential backup process continues until another full backup is run. This reduces the amount of time required to perform the backup. When it is time to restore data, the last normal backup is restored and the latest differential backup restores all changed files since the last full backup.

Incremental

An incremental backup differs from a differential backup on one important point. Whereas a differential backup saves files that were changed since the last full backup, an incremental backup only saves files that were created or changed since the last incremental backup. This means that if an incremental backup is run every day, the backup media would only contain files created or changed on that day. Incremental backups are the quickest backup. However, they take the longest time to restore because the last normal backup and every incremental backup since the last full backup must be restored.
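The three methods differ only in which set of changed files each run copies and, consequently, in how many backup sets a restore needs. The simulation below is an added example, not from the course text; it models a four-day change history for a small web site (constructed file names) and plans the backups under each method, then works out the restore chain. Note that `restore_chain` assumes the plan was produced by one method throughout, as the text describes, and does not handle a mix of differential and incremental runs.

```python
# Constructed change history: day -> files created or modified that day.
# Day 1 lists every file, since that is when the first full backup is taken.
CHANGES = {
    1: {"index.html", "style.css", "logo.png"},
    2: {"index.html"},
    3: {"about.html"},
    4: {"index.html", "style.css"},
}


def plan_backups(changes, strategy):
    """Return [(day, kind, files_copied)] for strategy 'full', 'differential' or 'incremental'."""
    if strategy not in ("full", "differential", "incremental"):
        raise ValueError("unknown strategy: %s" % strategy)
    first_day = min(changes)
    all_files = set()      # everything that exists on the system
    since_full = set()     # changed since the last full backup (differential view)
    since_last = set()     # changed since the last backup of any kind (incremental view)
    plan = []
    for day in sorted(changes):
        modified = set(changes[day])
        all_files |= modified
        since_full |= modified
        since_last |= modified
        if day == first_day or strategy == "full":
            kind, copied = "full", set(all_files)
            since_full.clear()          # a full backup marks every file as backed up
            since_last.clear()
        elif strategy == "differential":
            kind, copied = "differential", set(since_full)
            since_last.clear()          # differential does not reset the since-full set
        else:
            kind, copied = "incremental", set(since_last)
            since_last.clear()          # incremental resets the change marker every run
        plan.append((day, kind, copied))
    return plan


def restore_chain(plan):
    """Backup sets, in restore order, needed to recover the most recent state."""
    last_full = max(i for i, (_, kind, _) in enumerate(plan) if kind == "full")
    chain = [plan[last_full]]
    later = plan[last_full + 1:]
    if not later:
        return chain                     # full-only strategy: one set restores everything
    if later[-1][1] == "differential":
        return chain + [later[-1]]       # last full plus only the latest differential
    return chain + later                 # last full plus every incremental since it


def total_files_copied(plan):
    """Rough measure of backup time: how many file copies the whole cycle performed."""
    return sum(len(copied) for _, _, copied in plan)


if __name__ == "__main__":
    for strategy in ("full", "differential", "incremental"):
        plan = plan_backups(CHANGES, strategy)
        print(strategy, "copies:", total_files_copied(plan),
              "sets to restore:", len(restore_chain(plan)))
```

For this history the incremental cycle copies the fewest files (7) but needs four sets to restore, while the differential cycle copies more (9) and restores from two, which is exactly the trade-off the text describes.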

Backup systems require regular maintenance to keep them running properly. Some steps to ensure the successful completion of backup include:

Swap Media

Many backup scenarios require daily swapping of media to maintain a history of backed up data. Data loss could occur if the tape or disk is not swapped daily. Since swapping the tapes is a manual task, it is prone to failure. Users need to use a notification method, such as calendar or task scheduling.

Review Backup Logs

Virtually all backup software produces backup logs. Regularly review backup logs. These logs report on the success of the backup, specifying where the backup failed. Regular monitoring of backup logs allows for quick identification of any backup issues that require attention.

Perform Trial Restores

Monitoring backup logs regularly does not mean that the procedure was successful. To verify that backup data is usable and that the restore procedure works, periodically perform a trial restore of data. This ensures the backup procedures work.

Perform Drive Maintenance

Many backup systems require special hardware to perform the backups. Tape backup systems use a tape backup drive to read and write to the tapes. Tape drives can become dirty from use and can lead to mechanical failure. Perform routine cleaning of the tape drive using designated cleaning tapes. Hard drive-based backup systems can benefit from an occasional defragmentation to improve the overall performance of the system.
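A backup log saying "success" only proves the job ran; a trial restore proves the data came back intact. One way to make that check objective is to record a digest of every file at backup time and compare the restored tree against it. The code below is an added example, not part of the course or any backup product: it builds a SHA-256 manifest of a directory, then (in `demo`) restores a copy, deliberately damages one file and removes another, and reports what the verification finds. The file names and contents are constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(restored_root, manifest):
    """Compare a restored tree with the manifest recorded when the backup was taken."""
    actual = build_manifest(restored_root)
    expected_paths, actual_paths = set(manifest), set(actual)
    return {
        "missing": sorted(expected_paths - actual_paths),
        "extra": sorted(actual_paths - expected_paths),
        "changed": sorted(p for p in expected_paths & actual_paths
                          if manifest[p] != actual[p]),
    }


def demo():
    """Constructed scenario: back up a small site, damage the restored copy, verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "www")
        os.makedirs(os.path.join(src, "img"))
        with open(os.path.join(src, "index.html"), "w") as f:
            f.write("<h1>hello</h1>\n")
        with open(os.path.join(src, "img", "logo.txt"), "w") as f:
            f.write("logo bytes\n")
        manifest = build_manifest(src)           # recorded alongside the backup

        restored = os.path.join(tmp, "restored")
        shutil.copytree(src, restored)            # stands in for restoring from tape
        with open(os.path.join(restored, "index.html"), "a") as f:
            f.write("<!-- damaged block -->\n")   # simulate a corrupted file
        os.remove(os.path.join(restored, "img", "logo.txt"))  # simulate a file lost on tape
        return verify_restore(restored, manifest)


if __name__ == "__main__":
    print(demo())
```

Keep the manifest somewhere other than the backup media itself; if it travels with the tape, damage to the tape can take the evidence of damage with it.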

Best Practices For Disaster Recovery

Data backup is an important part of any disaster recovery plan. A disaster recovery plan is a comprehensive document that describes how to restore operation quickly and keep a business running during or after a disaster occurs. The objective of the disaster recovery plan is to ensure the business can smoothly adapt to the physical and social changes a disaster causes. The disaster can include anything from natural disasters that affect the network structure to malicious attacks on the network itself.

The disaster recovery plan can include information such as offsite locations where services can be moved, information on switching out network devices and servers, as well as backup connectivity options. It is important when building a disaster recovery plan to fully understand the services that are critical to maintaining operation. Services that might need to be available during a disaster include:

Database

Application servers

System management servers

Web

Data stores

Directory

When designing a disaster recovery plan, it is important to understand the needs of the organization. It is also important to gain the support necessary for a disaster recovery plan. The steps to accomplish this include:

Vulnerability Assessment

A study should be done that assesses how vulnerable the critical business processes and associated applications are to common disasters.

Risk Assessment

The risk of a disaster occurring and the associated effects and costs to the business should also be analyzed. Part of risk assessment is creating a list of the top ten potential disasters and their effects, including the scenario of the business being completely destroyed.

Management Awareness

The study should be used to get senior management approval on the disaster recovery project. Maintaining equipment and locations in the event of a possible disaster recovery could be expensive. Senior management must understand the possible effect of any disaster situation.

Establish a Planning Group

A planning group should be established to manage the development and implementation of the disaster recovery strategy and plan. When a disaster occurs, be it small or large scale, it is important that individuals understand their roles and responsibilities.

Prioritize

For each disaster scenario, assign a priority of Mission Critical, Important, or Minor for the business network, applications, and systems.

The disaster recovery planning process should first engage the top managers, and then eventually include all personnel that work with critical business processes. Everyone must be involved and support the plan in order for it to be successful.

Once the need for a disaster recovery plan is agreed upon, along with the services and applications that are most critical, it is time to actually create the plan. Steps to creating the plan include:

Network Design Recovery Strategy

Analyze the network design. Some aspects of the network design that should be included in the disaster recovery are:

Is the network designed to survive a major disaster? This includes the use of backup connectivity options and redundancy in the network design

Availability of off-site servers that can support applications such as email and database services

Availability of backup routers, switches, and other network devices should they fail

Location of services and resources the network needs. Are they spread over a wide geography?

Inventory and Documentation

An inventory should be done of all locations, devices, vendors, used services, and contact names. Verify cost estimates that are created in the Risk Assessment step.

Verification

Create a verification process to prove that the disaster recovery strategy works. Practice disaster recovery exercises to ensure that the plan is up-to-date and workable.

Approval and Implementation

Obtain senior management approval and obtain a budget to implement the disaster recovery plan.

Review

After the disaster recovery plan has been implemented for a year, review the plan.

Posted by: maoels | September 26, 2008

Chapter Seven (smt2)

ISP Services

Once the connection is made to the ISP, the business or customer must decide which services they would need from the ISP.

ISPs serve several markets. Individuals in homes make up the consumer market. Large, multi-national companies make up the Enterprise market. In between are smaller markets, such as small to medium-sized businesses, or larger non-profit organizations. Each of these customers has different service requirements.

Escalating customer expectations and increasingly competitive markets are forcing service providers to offer new services. These services enable the ISPs to increase revenue and to differentiate themselves from their competitors.

Email, web hosting, media streaming, IP telephony, and file transfer are key services that ISPs can provide to all customers. These services are important for the ISP consumer market and for the small to medium-sized business that does not have the expertise to maintain their own services.

Many organizations, both large and small, find it expensive to keep up with new technologies, or they simply prefer to devote resources to other parts of the business. ISPs offer managed services that enable these organizations to have access to the leading network technologies and applications without having to make large investments in equipment and support.

When a company subscribes to a managed service, the service provider manages the network equipment and applications according to the terms of a service level agreement (SLA). Some managed services are also hosted, meaning that the service provider hosts the applications in its facility instead of at the customer site.

The following are three scenarios that describe different ISP customer relationships:

Scenario 1: The customer owns and manages all of their own network equipment and services. These customers only need reliable Internet connectivity from the ISP.

Scenario 2: The ISP provides Internet connectivity to the customer, but in this scenario, the ISP also owns and manages the network equipment installed at the customer site. Service provider responsibilities include setting up, maintaining, and administering the equipment for the customer. The customer is responsible for monitoring the status of the network and the applications, and receives regular reports on the performance of the network.

Scenario 3: The customer owns the network equipment, but the applications that the business relies on are hosted by the ISP. In this scenario, the actual servers that run the applications are located at the ISP facility. These servers may be owned by the customer or the ISP, although the ISP maintains both the servers and the applications. Servers are normally kept in server farms in the ISP network operations center (NOC), and will be connected to the ISP's network with a high-speed switch.

Reliability And Availability

Creating new services can be challenging. Not only must ISPs have a strong understanding of what their end customers want, but they must have the ability and the resources to provide them. As business and Internet applications become more complex, an increasing number of ISP customers rely on the services provided or managed by the ISP.

ISPs provide services to customers for a fee and guarantee a level of service in the SLA. To meet this expectation, an ISP's service offerings have to be reliable and available.

Reliability

Reliability can be thought of in terms of two measures: mean time between failure (MTBF) and mean time to repair (MTTR). Equipment manufacturers specify MTBF from tests they perform as part of manufacturing. The measure of equipment robustness is fault tolerance: the longer the MTBF, the greater the fault tolerance. The time to repair is established by warranty or service agreements.

When there is an equipment failure, and the network or service becomes unavailable, it impacts the ability of the ISP to meet the terms of the SLA. To prevent this, an ISP may purchase expensive service agreements for critical hardware to ensure rapid manufacturer or vendor response. An ISP may also choose to purchase redundant hardware and keep spare parts onsite.

Availability

Availability is normally measured as the percentage of time that a resource is accessible. A perfect availability percentage would be 100%, meaning that the system is never down or unreachable. Traditionally, telephone services are expected to be available 99.999% of the time. This is called the five-9's standard of availability. With this standard, only a very small percentage, 0.001%, of downtime is acceptable. As ISPs offer more critical business services, such as IP telephony, or high volume retail sale transactions, ISP services must meet the higher expectations of their customers. ISPs ensure accessibility by doubling up on network devices and servers using technologies designed for high availability. In redundant configurations, if one device fails, the other one can take over the functions automatically.
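The two reliability measures and the availability percentage are linked by a standard formula that the text leaves implicit: steady-state availability of one device is MTBF / (MTBF + MTTR), and a redundant pair where either device can carry the service is available unless both are down at once. The functions below are an added worked example, not from the course; the MTBF and MTTR figures passed in at the bottom are constructed, and the redundancy formula assumes the two devices fail independently, which a shared power feed or a common software fault would violate.

```python
HOURS_PER_YEAR = 365 * 24


def availability(mtbf_hours, mttr_hours):
    """Fraction of time a single device is up, from its MTBF and MTTR (same units)."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def downtime_per_year_minutes(avail):
    """Minutes of downtime per year implied by an availability fraction (0.99999 -> about 5.3)."""
    return (1 - avail) * HOURS_PER_YEAR * 60


def redundant_availability(avail, n):
    """Availability of n independent devices where any single one keeps the service up."""
    return 1 - (1 - avail) ** n


def nines(avail):
    """How many leading nines the availability has (0.999 -> 3, 0.99999 -> 5)."""
    count = 0
    threshold = 0.9
    while avail + 1e-12 >= threshold and count < 12:   # epsilon absorbs float rounding
        count += 1
        threshold = 1 - (1 - threshold) / 10
    return count


if __name__ == "__main__":
    # Constructed figures: a device quoted at 10,000 h MTBF with a 4 h repair contract.
    single = availability(10_000, 4)
    pair = redundant_availability(single, 2)
    print("single device: %.5f (%d nines, %.1f min/yr down)"
          % (single, nines(single), downtime_per_year_minutes(single)))
    print("redundant pair: %.7f (%d nines, %.1f min/yr down)"
          % (pair, nines(pair), downtime_per_year_minutes(pair)))
```

Running it shows why ISPs buy both fast repair contracts and redundant hardware: shortening MTTR raises a single device's availability only so far, while the second device multiplies the unavailability of the first by its own small unavailability.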

Review Of TCP/IP Protocols

Today, ISP customers are using mobile phones as televisions, PCs as telephones, and televisions as interactive gaming stations with a host of different entertainment options. As network services become more advanced, ISPs must accommodate these customer preferences. The development of converged IP networks enables all of these services to be delivered over a common network.

To provide support for the multiple end-user applications that rely on TCP/IP for delivery, it is important for the ISP support personnel to be familiar with the operation of the TCP/IP protocols.

ISP servers need to be able to support multiple applications for many different customers. In order to do this, they must use functions provided by the two TCP/IP transport protocols, TCP and UDP. Common hosted applications, like web serving and email accounts, also depend on underlying TCP/IP protocols to ensure their reliable delivery. In addition, all of the IP services rely on domain name servers, hosted by the ISPs, to provide the link between the IP addressing structure and the URLs that customers use to access them.

Clients and servers use specific IP protocols and standards in the process of exchanging information. The TCP/IP protocols can be represented using a four-layer model. Many of the key services provided to ISP customers depend on protocols that reside at the Application and Transport Layers of the TCP/IP model.

Application Protocols

Application Layer protocols specify the format and control information necessary for many of the common Internet communication functions. Among these TCP/IP protocols are:

Domain Name Service Protocol (DNS) is used to resolve Internet names to IP addresses.

Hypertext Transfer Protocol (HTTP) is used to transfer files that make up the Web pages of the World Wide Web.

Simple Mail Transfer Protocol (SMTP) is used for the transfer of mail messages and attachments.

Telnet, a terminal emulation protocol, is used to provide remote access to servers and networking devices.

File Transfer Protocol (FTP) is used for interactive file transfer between systems.

Transport Layer Protocols

Different types of data can have unique requirements. For some applications, communication segments must arrive in a very specific sequence in order to be processed successfully. In other cases, all of the data must be received for any of it to be of use. Sometimes, an application can tolerate the loss of a small amount of data during transmission over the network.

In today’s converged networks, applications with very different transport needs may be communicating on the same network. Different Transport Layer protocols have different rules to enable devices to handle these diverse data requirements.

Additionally, the lower layers are not aware that there are multiple applications sending data on the network. Their responsibility is to get the data to the device. It is the job of the Transport Layer to deliver the data to the appropriate application.

The two primary Transport Layer protocols are TCP and UDP.

The TCP/IP model and the OSI model have many similarities and differences.

Similarities

Use of layers to visualize the interaction of protocols and services

Comparable Transport and Network Layers

Used in the networking field when referring to protocol interaction

Differences

OSI model breaks the function of the TCP/IP Application Layer into separate distinct layers. The upper three layers of the OSI model specify the same functionality as the Application Layer of the TCP/IP model.

The TCP/IP protocol suite does not specify protocols for the physical network interconnection. The two lower layers of the OSI model are concerned with access to the physical network and the delivery of bits between hosts on a local network.

TCP/IP model is based on actual protocols and standards developed, whereas the OSI model is a theoretical guide for how protocols interact.

TCP

Different applications have different transport needs. There are two TCP/IP protocols at the transport layer, TCP and UDP.

TCP

TCP is a reliable, guaranteed-delivery protocol. TCP specifies the methods hosts use to acknowledge the receipt of packets, and requires the source host to resend packets that are not acknowledged. TCP protocols also govern the exchange of messages between the source and destination hosts to create a communication session. TCP is often compared to a pipeline, or a persistent connection, between hosts. Because of this, TCP is referred to as a connection-oriented protocol.

TCP requires overhead to keep track of the individual conversations between source and destination hosts and to process acknowledgements and retransmissions. In some cases, the delays caused by this overhead cannot be tolerated by the application. These applications are better suited to UDP.

UDP

UDP is a very simple, connectionless protocol. It has the advantage of providing for low overhead data delivery. Because UDP is a "best effort" Transport Layer protocol, UDP datagrams may arrive at the destination out of order, or may even be lost altogether. UDP does not provide guaranteed data delivery or flow control. Applications that use UDP can tolerate small amounts of missing data. An example of a UDP application is Internet radio. If a piece of data is not delivered, there may only be a minor effect on the quality of the broadcast.

Applications, such as databases, web pages, and email, need to have all data arrive at the destination in its original condition, in order for the data to be useful. Any missing data can cause the messages to be corrupt or unreadable. These applications are designed to use a Transport Layer protocol that implements reliability. The additional network overhead required to provide this reliability is considered a reasonable cost for successful communication.

The Transport Layer protocol is determined based on the type of application data being sent. For example, an email message requires acknowledged delivery and therefore would use TCP. An email client, using SMTP, sends an email message as a stream of bytes to the Transport Layer. At the Transport Layer, the TCP functionality divides the stream into segments.

Within each segment TCP identifies each byte, or octet, with a sequence number. These segments are passed to the Internetwork Protocol Layer, which places each segment in a packet for transmission. This process is known as encapsulation. At the destination, the process is reversed and the packets are de-encapsulated. The enclosed segments are sent through the TCP process, which converts the segments back to a stream of bytes to be passed to the email server application.

Before a TCP session can be used, the source and destination hosts exchange messages to set up the connection over which data segments can be sent. To do this, the two hosts use a three step process.

In the first step, the source host sends a type of message called a SYN, to begin the TCP session establishment process. The message serves two purposes:

Indicates the intention of the source host to establish a connection with the destination host over which to send the data.

Synchronizes the TCP sequence numbers between the two hosts, so each host can keep track of the segments sent and received during the conversation.

For the second step, the destination host replies to a SYN message with a synchronization acknowledgement, or SYN-ACK message.

In the last step, the sending host receives the SYN-ACK, and it sends an ACK message back to complete the connection setup. Data segments can now be reliably sent.

This SYN, SYN-ACK, ACK activity between the TCP processes on the two hosts is called a three-way handshake.

When a host sends message segments to a destination host using TCP, the TCP process on the source host starts a timer. The timer allows sufficient time for the message to reach the destination host and for an acknowledgement to be returned. If the source host does not receive an acknowledgement from the destination within the allotted time, the timer expires and the source assumes the message is lost. The portion of the message that was not acknowledged is then re-sent.

In addition to acknowledgement and retransmission, TCP also specifies how messages are reassembled at the destination host. Each TCP segment contains a sequence number. At the destination host, the TCP process stores received segments in a TCP buffer. By evaluating the segment sequence numbers, the TCP process can confirm there are no gaps in the received data. When data is received out of order it can also reorder the segments as necessary.
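The handshake, the per-byte sequence numbering, the retransmission timer and the receive buffer described above fit together into one mechanism, which is easier to see in a small model than in prose. The code below is an added example, not part of the course and not a real TCP stack: it builds the three handshake messages, splits a constructed email fragment into segments with a deliberately tiny segment size, and pushes them through a link that can drop a segment once or deliver everything in reverse order. Segment loss is modelled as the timer expiring and the segment being re-queued; the initial sequence numbers and the 4-byte segment size are constructed for readability.

```python
from collections import namedtuple

Segment = namedtuple("Segment", "flags seq ack payload")

MSS = 4  # constructed, tiny maximum segment size so the trace is readable

# Constructed sample stream: the first bytes an SMTP client might hand to TCP.
DATA = b"Subject: hello world"


def three_way_handshake(client_isn, server_isn):
    """Return the SYN, SYN-ACK and ACK that establish a session from the given initial sequence numbers."""
    syn = Segment(frozenset({"SYN"}), client_isn, None, b"")
    syn_ack = Segment(frozenset({"SYN", "ACK"}), server_isn, syn.seq + 1, b"")
    ack = Segment(frozenset({"ACK"}), syn.seq + 1, syn_ack.seq + 1, b"")
    return [syn, syn_ack, ack]


def segment_stream(data, isn):
    """Split a byte stream into MSS-sized segments; each seq is the number of its first byte."""
    segments = []
    seq = isn + 1                      # the SYN itself consumed one sequence number
    for i in range(0, len(data), MSS):
        chunk = data[i:i + MSS]
        segments.append(Segment(frozenset({"ACK"}), seq, None, chunk))
        seq += len(chunk)
    return segments


class Receiver:
    """Holds early segments in a buffer and releases bytes only once there is no gap."""

    def __init__(self, isn):
        self.expected = isn + 1        # next sequence number we can accept in order
        self.buffer = {}               # seq -> payload for segments that arrived early
        self.delivered = b""           # contiguous stream handed up to the application

    def receive(self, seg):
        if seg.seq >= self.expected:
            self.buffer.setdefault(seg.seq, seg.payload)   # duplicate retransmissions are ignored
        while self.expected in self.buffer:                # drain everything now contiguous
            payload = self.buffer.pop(self.expected)
            self.delivered += payload
            self.expected += len(payload)
        return self.expected           # cumulative ACK: the next byte wanted


def deliver(data, isn, drop_once=(), reorder=False):
    """Send data across a lossy link. Segments whose seq is in drop_once are lost on first
    transmission and re-sent after the timer expires. Returns (bytes delivered, transmissions)."""
    receiver = Receiver(isn)
    pending = segment_stream(data, isn)
    if reorder:
        pending = pending[::-1]        # the network hands them over last-first
    lost = set(drop_once)
    transmissions = 0
    while pending:
        seg = pending.pop(0)
        transmissions += 1
        if seg.seq in lost:
            lost.discard(seg.seq)      # no ACK arrives; the sender's timer expires...
            pending.append(seg)        # ...and the unacknowledged segment is re-sent later
            continue
        receiver.receive(seg)
    if receiver.expected != isn + 1 + len(data):
        raise RuntimeError("stream incomplete")
    return receiver.delivered, transmissions


if __name__ == "__main__":
    for msg in three_way_handshake(1000, 5000):
        print(sorted(msg.flags), "seq", msg.seq, "ack", msg.ack)
    print(deliver(DATA, 1000, drop_once={1005}))
    print(deliver(DATA, 1000, reorder=True))
```

Dropping the second segment costs exactly one extra transmission, and reversing the arrival order costs none: the receiver buffers the early segments and reassembles the stream once the gap closes, which is the behaviour the last paragraph describes.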

Differences Between TCP And UDP

UDP is a very simple protocol. Because it is not connection-oriented and does not provide the sophisticated retransmission, sequencing, and flow control mechanisms of TCP, UDP has a much lower overhead.

UDP is often referred to as an unreliable delivery protocol, because there is no guarantee that a message has been received by the destination host. This does not mean that applications that use UDP are unreliable. It simply means that these functions are not provided by the Transport Layer protocol and must be implemented elsewhere if required.

Although the total amount of UDP traffic found on a typical network is often relatively low, key Application Layer protocols that use UDP include:

Domain Name System (DNS)

Simple Network Management Protocol (SNMP)

Dynamic Host Configuration Protocol (DHCP)

Routing Information Protocol (RIP)

Trivial File Transfer Protocol (TFTP)

Online games