Tag Archives: want

Azure Bastion brings convenience, security to VM management

Administrators who want to manage virtual machines securely but want to avoid complicated jump server setup and maintenance have a new option at their disposal.

When you run Windows Server and Linux virtual machines in Azure, you need to configure administrative access. This requires communicating with these VMs from across the internet using Transmission Control Protocol (TCP) port 3389 for Remote Desktop Protocol (RDP), and TCP 22 for Secure Shell (SSH).

You want to avoid the configuration in Figure 1, which exposes your VMs to the internet with an Azure public IP address and invites trouble via port scan attacks. Microsoft publishes its public IPv4 data center ranges, so bad actors know which public IP addresses to check to find vulnerable management ports.


Figure 1. This setup exposes VMs to the internet with an Azure public IP address that makes an organization vulnerable to port scan attacks.

Another remote server management option offers an illusion of security

If you have a dedicated hybrid cloud setup with a site-to-site virtual private network (VPN) or an ExpressRoute circuit, then you can interact with your Azure VMs the same way you would with your on-premises workloads. But not every business has the money and staff to configure a hybrid cloud.

Another option, shown in Figure 2, combines the Azure public load balancer with NAT to route management traffic through the load balancer on nonstandard ports.

Figure 2. Using NAT and Azure load balancer for internet-based administrative VM access.

For instance, you could create separate NAT rules for inbound administrative access to the web tier VMs. If the load balancer public IP is 1.2.3.4, winserv1’s private IP is 192.168.1.10, and winserv2’s private IP is 192.168.1.11, then you could create two NAT rules that look like:

  • Inbound RDP connections to 1.2.3.4 on port TCP 33389 route to TCP 3389 on 192.168.1.10
  • Inbound RDP connections to 1.2.3.4 on port TCP 43389 route to TCP 3389 on 192.168.1.11

The problem with this method is your security team won’t like it. This technique is security by obfuscation that relies on a NAT protocol hack.

Jump servers are safer but have other issues

A third method that is quite common in the industry is to deploy a jump server VM to your target virtual network in Azure as shown in Figure 3.

Figure 3. This diagram details a conventional jump server configuration for Azure administrative access.

The jump server is nothing more than a specially created VM that is usually exposed to the internet but has its inbound and outbound traffic restricted heavily with network security groups (NSGs). You allow your admins access to the jump server; once they log in, they can jump to any other VMs in the virtual network infrastructure for any management jobs.

Of these choices, the jump server is safest, but how many businesses have the expertise to pull this off securely? The team would need intermediate- to advanced-level skill in TCP/IP internetworking, NSG traffic rules, public and private IP addresses and Remote Desktop Services (RDS) Gateway to support multiple simultaneous connections.

For organizations that don’t have these skills, Microsoft now offers Azure Bastion.

What Azure Bastion does


Azure Bastion is a managed network virtual appliance that simplifies jump server deployment in your virtual networks. You drop an Azure Bastion host into its own subnet, perform some NSG configuration, and you are done.

Organizations that use Azure Bastion get the following benefits:

  • No more public IP addresses for VMs in Azure.
  • RDP/SSH firewall traversal. Azure Bastion tunnels the RDP and SSH traffic over a standard, non-VPN Transport Layer Security/Secure Sockets Layer connection.
  • Protection against port scan attacks on VMs.

How to set up Azure Bastion

Azure Bastion requires a virtual network in the same region. As of publication, Microsoft offers Azure Bastion in the following regions: Australia East, East U.S., Japan East, South Central U.S., West Europe and West U.S.

You also need an empty subnet named AzureBastionSubnet. Do not enable service endpoints, route tables or delegations on this special subnet. Later in this tutorial you will define or edit an NSG on each VM-associated subnet to customize traffic flow.

Because Azure Bastion supports multiple simultaneous connections, size the AzureBastionSubnet subnet with at least a /27 IPv4 address space. One likely reason for this minimum size is to give Azure Bastion room to autoscale, similar to the way autoscaling works in Azure Application Gateway.

Next, browse to the Azure Bastion configuration screen and click Add to start the deployment.

Figure 4. Deploying an Azure Bastion resource.

As you can see in Figure 4, the deployment process is straightforward if the virtual network and AzureBastionSubnet subnet are in place.

According to Microsoft, Azure Bastion will support native RDP and SSH clients in time, but for now you establish your management connection via the Connect experience in the Azure portal. Navigate to a VM’s Overview blade, click Connect, and switch to the Bastion tab as shown in Figure 5.

Figure 5. The Azure portal includes an Azure Bastion connection workflow.

On the Bastion tab, provide an administrator username and password, and then click Connect one more time. Your administrative RDP or SSH session opens in another browser tab, shown in Figure 6.

Figure 6. Manage a Windows Server VM in Azure with Azure Bastion using an Azure portal-based RDP session.

You can share clipboard data between the Azure Bastion-hosted connection and your local system. Close the browser tab to end your administrative session.

Customize Azure Bastion

To configure Azure Bastion for your organization, create or customize an existing NSG to control traffic between the Azure Bastion subnet and your VM subnets.


Microsoft provides default NSG rules to allow traffic among subnets within your virtual network. For a more efficient and powerful option, upgrade your Azure Security Center license to Standard and onboard your VMs to just-in-time (JIT) VM access, which uses dynamic NSG rules to lock down VM management ports unless an administrator explicitly requests a connection.
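The following Az PowerShell script is an added example, not code from the original article or from Microsoft; it carries out the setup steps described above (an AzureBastionSubnet of at least /27, a Standard static public IP, the Bastion host itself) and then applies the NSG customization this section describes, so that RDP and SSH on the VM subnet are reachable only from the Bastion subnet. It assumes an installed Az module and an authenticated session (Connect-AzAccount); the resource group, resource names, region and address ranges are assumptions chosen for illustration.

```powershell
# Added example (not from the original article or from Microsoft).
# Deploys Azure Bastion with the Az module and restricts RDP/SSH on the VM
# subnet to traffic originating from the AzureBastionSubnet.
# All names, the region and the address ranges below are assumptions.

$rg       = "rg-bastion-demo"   # assumed resource group name
$location = "eastus"            # one of the regions the article lists
$vnetName = "vnet-demo"

$bastionPrefix = "10.10.0.0/27" # Bastion requires at least a /27
$vmPrefix      = "10.10.1.0/24"

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# The Bastion subnet must carry exactly this name; no route table,
# service endpoints or delegations are attached to it.
$bastionSubnet = New-AzVirtualNetworkSubnetConfig -Name "AzureBastionSubnet" -AddressPrefix $bastionPrefix
$vmSubnet      = New-AzVirtualNetworkSubnetConfig -Name "snet-vms"           -AddressPrefix $vmPrefix

$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $location `
    -AddressPrefix "10.10.0.0/16" -Subnet $bastionSubnet, $vmSubnet

# Bastion needs its own Standard-SKU, statically allocated public IP.
# This is the only public IP in the design; the VMs get none.
$pip = New-AzPublicIpAddress -Name "pip-bastion" -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard

New-AzBastion -ResourceGroupName $rg -Name "bas-demo" `
    -PublicIpAddressRgName $rg -PublicIpAddressName $pip.Name `
    -VirtualNetworkRgName $rg -VirtualNetworkName $vnet.Name | Out-Null

# NSG for the VM subnet. Rules are evaluated lowest priority number first:
# allow management ports from the Bastion subnet, then deny them from
# every other source (including the Internet and other subnets).
$allowFromBastion = New-AzNetworkSecurityRuleConfig -Name "Allow-RDP-SSH-From-Bastion" `
    -Description "RDP/SSH only via Azure Bastion" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $bastionPrefix -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange "3389", "22"

$denyMgmtElsewhere = New-AzNetworkSecurityRuleConfig -Name "Deny-RDP-SSH-Other-Sources" `
    -Description "Block direct RDP/SSH from any other source" `
    -Access Deny -Protocol Tcp -Direction Inbound -Priority 200 `
    -SourceAddressPrefix "*" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange "3389", "22"

$vmNsg = New-AzNetworkSecurityGroup -Name "nsg-vms" -ResourceGroupName $rg -Location $location `
    -SecurityRules $allowFromBastion, $denyMgmtElsewhere

# Associate the NSG with the VM subnet and commit the virtual network change.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "snet-vms" `
    -AddressPrefix $vmPrefix -NetworkSecurityGroup $vmNsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null
```

The script deliberately attaches no NSG to AzureBastionSubnet: the host works without one, and if your organization requires one there, it has to permit the platform's own control-plane and data-plane traffic as listed in Microsoft's Bastion documentation, or the deployment will fail. The explicit deny rule on the VM subnet is what makes the design auditable: a later rule or a default "AllowVnetInBound" rule can no longer open RDP or SSH to a source other than the Bastion subnet without someone consciously lowering its priority.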

You can combine JIT VM access with Azure Bastion, which results in this VM connection workflow:

  • Request access to the VM.
  • Upon approval, proceed to Azure Bastion to make the connection.

Azure Bastion needs some fine-tuning

Azure Bastion has a fixed hourly cost; Microsoft also charges for outbound data transfer after 5 GB.

Azure Bastion is an excellent way to secure administrative access to Azure VMs, but there are a few deal-breakers that Microsoft needs to address:

  1. You need to deploy an Azure Bastion host for each virtual network in your environments. If you have three virtual networks, then you need three Azure Bastion hosts, which can get expensive. Microsoft says virtual network peering support is on the product roadmap. Once Microsoft implements this feature, you can deploy a single Bastion host in your hub virtual network to manage VMs in peered spoke virtual networks.
  2. There is no support for PowerShell remoting ports, but Microsoft does support RDP, which goes against its refrain to avoid the GUI to manage servers.
  3. Microsoft’s documentation does not give enough architectural details to help administrators determine the capabilities of Azure Bastion, such as whether an existing RDP session Group Policy can be combined with Azure Bastion.


What are the Azure Stack HCI features?

IT shops that want tighter integration between the Windows Server OS and an HCI platform have a few choices in the market, including Azure Stack HCI.

Microsoft offers two similarly named but different offerings. Microsoft markets Azure Stack as a local extension to the cloud, essentially Azure in a box that runs in the data center. The company positions Azure Stack HCI, announced in March 2019, as a highly available, software-defined platform for local VM workload deployments. Organizations can also use Azure Stack HCI to connect to Azure and use its various services, including backup and site recovery.

Azure Stack HCI is fundamentally composed of four layers: hardware, software, management and cloud services.

Who sells the hardware for Azure Stack HCI?

Azure Stack HCI capitalizes on the benefits associated with other HCI offerings, such as high levels of software-driven integration, and common and consistent management. OEM vendors, including Dell, Fujitsu, HPE and Lenovo, sell the Azure Stack HCI hardware that Microsoft validates. The hardware is typically integrated and modular, combining portions of compute, memory, storage and network capacity into each unit.

What OS does Azure Stack HCI use?

The Azure Stack HCI platform runs on the Windows Server 2019 Datacenter edition. Using this server OS provides the familiar Windows environment, but also brings core components of the HCI software stack, including Hyper-V for virtualization, Storage Spaces Direct for storage, and enhanced software-defined networking features in Microsoft’s latest server OS.

How is Azure Stack HCI managed?


A critical part of an HCI platform is the ability to provision and monitor every element, which means management is a crucial component of Azure Stack HCI. Organizations have several management options such as Windows Admin Center, System Center, PowerShell and numerous third-party tools. Management in Azure Stack HCI emphasizes the use of automation and orchestration, allowing greater speed and autonomy in provisioning and reporting.

What role does the Azure cloud play?

Organizations that purchase Azure Stack HCI have the option to connect to a wide range of Azure services. Some of these services include Azure Site Recovery for high availability and disaster recovery, Azure Monitor for comprehensive monitoring and analytics, Azure Backup for data protection, and Azure File Sync for server synchronization with the cloud.

What’s the primary use for Azure Stack HCI?

When exploring whether to purchase Azure Stack HCI, it’s important to understand its intended purpose. Unlike Azure Stack, Azure Stack HCI is not explicitly designed for use with the Azure cloud. Rather, Azure Stack HCI is an HCI platform tailored for on-premises virtualization for organizations that want to maximize the use of the hardware.

The decision to buy Azure Stack HCI should be based primarily on the same considerations involved with any other HCI system. For example, HCI might be the route to go when replacing aging hardware, optimizing the consolidation of virtualized workloads, and building out efficient edge or remote data center deployments that take up minimal space.

IT decision-makers should treat the ability to use Azure cloud services as a useful extra, not as the primary motivation to adopt Azure Stack HCI.


DerbyCon panel discusses IT mistakes that need to stop

A panel of experts at DerbyCon discussed common IT mistakes that they don’t want to see happen anymore and offered some suggestions on how to avoid risks.

The talk broke down the IT mistakes the panelists thought needed to stop, ranging from basic security issues to more technical problems. The panelists included Lesley Carhart, principal threat analyst at Dragos Inc.; Chelle Clements, web content developer at Online Marketing and Publishing; April Wright, an application security architect; and Amanda Berlin, senior security architect at Blumira and CEO of Mental Health Hackers.

As the discussion went on, themes began to surface around education, communication and empowering users. Wright and Clements were advocates for not just better educating users, but finding ways to make that education more personal.

Wright focused on IT mistakes like oversharing on social media. She said oversharing can easily become a problem for enterprises, because all of that data can be used to spear-phish users and potentially gain access to a company network.

“One thing that can be done to curb oversharing is to train users how to protect their families and themselves outside of work. Users need to understand what they’re doing and how it impacts others,” Wright said. “Learning to protect themselves will make them more aware and better advocates. If security isn’t personal to them, they won’t care, because they don’t care about your data; they care about their data.”

Clements agreed and cautioned users against oversharing on social media, as it “eventually comes back to bite them in the ass.”

She also added that basic security concerns are still an issue, including using bad passwords, visiting shady websites, opening email messages from unknown senders and clicking links within those messages.

Clements said finding better training methods is a must. She described security training that she set up over the years, including one-on-one sessions when possible, because “you may need a unique language to explain something. The way you explain something to a physicist will be different than a chemist.”

Wright added that there needs to be better training around the limitations of security products, because IT mistakes can come from users trusting products too much.

“A lot of people feel like they’re more protected than they really are. We [need to] teach them about the failings of what the technology is that’s designed to protect them,” Wright said. “The blinky boxes are great, but it’s really education that’s going to solve the problems of the users. It’s not putting in a bunch of things to protect them, like putting them in a rubber room. It’s teaching them that things are sharp and things are hot, and they shouldn’t touch them.”

Berlin added that these types of IT mistakes can happen with administrators, as well, who might not understand that a security product is “not a magic solution that you can just install and you’re done,” including not configuring products after installing them.

“It’s an ongoing process that you have to keep revisiting. If you have an MSSP [managed security services provider] or you’re doing it internally, that’s going to be someone’s full-time job. It’s something that you need to treat less of a project and more of an ongoing thing,” Berlin said. “Work closer with your security vendors and all your other vendors. They’re usually there to help you, and you are paying them. Keep them accountable. Actually work through the implementation, and make sure they’re continuously working on it and they don’t install it and forget it, as well.”

Beyond educating users, Carhart said IT staff needs to stop expecting security products to be perfect, because they are all just deterrents and, “ultimately, everybody is going to be vulnerable to phishing or a breach.”

“If you have a house, you put a door on that house, and that deters neighborhood kids from walking in. You put on a deadbolt, and that deters the casual thief. Then, maybe you put in an alarm system, and that deters the more dedicated [thieves]. But if someone is paying $10,000 to hire a hit man to kill you? Guess what that hit man is doing? He’s coming in and killing you. You’re going to die. I’m sorry,” Carhart said. “Security is like that. We add defense in depth, and we deter and deter, but people have to understand that you have to plan for that worst-case scenario.”

Empowering users

Carhart noted that many IT mistakes stem from users not feeling empowered to speak up, especially if they feel embarrassed after making a mistake. She said users need to be comfortable demanding better security and privacy from vendors, and be sure to speak up when the IT staff is asking for too much.

“We have all these tropes that we keep using over and over again, like, ‘Use a strong password, use a password manager,’ and stuff. And, sometimes, those are really tricky things to do,” Carhart said. “Have you ever tried to convert all of your passwords saved in a bunch of browsers to a password manager? That’s not an intuitive process. That’s really, really hard to do. So, I would like to see more end users tell their security people to go F themselves. Tell us when something is too hard.”

One reason users might not speak up, according to Wright, comes from social norms and users trying to be polite. This can lead to IT mistakes, because users aren’t willing to put themselves “in an uncomfortable situation” and ask questions regarding potential security incidents.

“This is a very hard thing to fix. It’s a culture thing; it’s an education thing; it’s a training thing, where you have to make sure that people understand they have the power to make or break the security controls that you have in place,” Wright said.

She added later that this can happen because users don’t listen to their instincts. “If you don’t listen to that voice [in your head] … you might notice things, but you’re not going to pay attention to them.”

Carhart added that even those with no security expertise should feel empowered to speak up and “realize that security isn’t magic. It’s something they can learn about.”

“I’m in industrial control systems now, and I’m dealing with a lot of eclectic legacy systems from the ’70s and ’80s. The people who know those systems the best are the guys or girls who have been there for 30 years. They might not know everything about security, but they could be very interested in it,” Carhart said. “I’d like, as a solution to that problem, to have users remember that they can contribute to security, and there are elements of knowledge that they bring to the table that we don’t have.”

Berlin noted that communication issues can also be a problem with red and blue teams, especially if those teams aren’t paired up.

“It’s a really big problem when it comes to doing defensive stuff, because we can’t fix what we don’t know is broken, especially when you’re a contractor or an MSSP, because you don’t know the networks and everything that they have internally, as well as the red teamer that broke in or their internal team,” Berlin said.


Wanted – StarTech 40 Pin Male IDE to SATA Adapter Converter

I have exactly what you want, at least appearance- and brand-wise. Not used for a while now, not sure if it is working but definitely from a quickly failed project on a TV recorder. Comes with power cables. £10 (?) posted with RM 1st class once you confirm they’re working?

EDIT: “they” as in TWO of them. Sorry, a little like London busses…?


AI, data analytics, recruiting tech among HR priorities, leaders say

LAS VEGAS — HR leaders at top national companies want tech that delivers insights and improves talent management. The top HR priorities included boosting candidate and employee experience through stellar technology. That was the message to vendors and attendees at the 2018 HR Technology Conference & Expo from a panel on what it takes to create top-notch HR. Improved recruiting platforms, AI, data analytics and user-driven learning platforms were all listed as important.

The HR chiefs from Accenture, BlackRock, Delta Air Lines, Johnson & Johnson and The Walt Disney Co., who appeared on a panel, discussed their technology priorities and interests. They weren’t picking and choosing vendors, and they made a point of avoiding mentioning any of the vendors at the conference.

But this group of global HR leaders had a clear idea of what they thought was important to conference attendees and vendors. It was a strategic, but pointed, overview of how they are using technology and what their firms want from it.

Stellar HR requires a candidate-focused recruiting system

Johnson & Johnson interviews a million people a year to hire 28,000 individuals. “So, how do you make sure that they [the candidates] have visibility [into] how they’re tracking through the process, like you would track a Domino’s pizza or a UPS or a FedEx package?” asked Peter Fasolo, executive vice president and chief human resources officer (CHRO) at Johnson & Johnson, based in New Brunswick, N.J.

At BlackRock, talent is an ongoing executive board-level discussion, said Matt Breitfelder, managing director and chief talent officer. The New York-based company is using technology to help improve the diversity of its hiring.

The firm wants diversity on its teams, so its employees are “challenging each other to think more clearly about what they’re seeing in markets,” Breitfelder said.

BlackRock is using tools in its hiring process to make sure it is “not just replicating an industry that has tended to have one way of thinking,” Breitfelder said. “We know it’s about teams, not about individual stars.”

Data analytics makes us more human


“Data analytics makes us more human, because our own data analytics shows there’s a lot of liberal arts majors who make great investors, which is very counterintuitive,” Breitfelder said.

Delta Air Lines has begun using machine learning and AI technologies to help discover “good predictors of success” in its hiring, said Joanne Smith, the company’s executive vice president and CHRO. “That’s going to help us get smarter and smarter and smarter about hiring,” she said.

Learning and a focus on employee experience

Learning technology was also mentioned as a priority, and Accenture explained why that is. In response to the competition in the labor market, the firm decided to go big on training employees on entirely new skills.

“We democratized all of our learning,” said Ellyn Shook, chief leadership and human resource officer at Accenture, based in Dublin. Learning “is now in real time, on demand and available to our people anytime, anywhere, any device,” she said.

Some 300,000 of Accenture’s 450,000 employees have taken advantage of it in the last two years, which includes some “leading-edge technical areas that there would be no way we could have hired at that scale,” Shook said.

A common theme for the conference panel was the need for consumer-like HR technologies.

“Help me do what I’m doing. Help my employees be better at what we’re doing. But have a consumer mindset to it,” said Jayne Parker, senior executive vice president and CHRO of Disney.


For Sale – Asrock Deskmini Mini PC, G4600, 2x4gb Ram, 120gb SSD

Decided to sell HTPC as want to go other routes. Mint condition, boxes, warranty.

This little PC is very powerful and can be easily used as main PC, obviously perfect for HTPC. All drivers/updates/bios are installed.
In case you don’t know, g4600 is basically 99% of i3 7100.
There are 2 x 2.5″ HDD/SSD slots and 1 x M.2 2280, but it has to be PCIe.

Asrock Deskmini
G4600 with intel stock cooler
2x4GB 2133MHz Samsung DDR4
120gb Kingston A400 SSD
Intel AC WIFI card with antennas
Windows 10 Pro

Price and currency: 210
Delivery: Delivery cost is not included within my country
Payment method: BT/PPG/Cash on collection
Location: London
Advertised elsewhere?: Advertised elsewhere
Prefer goods collected?: I prefer the goods to be collected

______________________________________________________
This message is automatically inserted in all classifieds forum threads.
By replying to this thread you agree to abide by the trading rules detailed here.
Please be advised, all buyers and sellers should satisfy themselves that the other party is genuine by providing the following via private conversation to each other after negotiations are complete and prior to dispatching goods and making payment:

  • Landline telephone number. Make a call to check out the area code and number are correct, too
  • Name and address including postcode
  • Valid e-mail address

DO NOT proceed with a deal until you are completely satisfied with all details being correct. It’s in your best interest to check out these details yourself.

For Sale – Asrock Deskmini, G4600, 2x4gb Ram, 120gb SSD

Decided to sell HTPC as want to go other routes. Mint condition, boxes, warranty.

This little PC is very powerful and can be easily used as main PC, obviously perfect for HTPC. All drivers/updates/bios are installed.
In case you don’t know, g4600 is basically 99% of i3 7100.
There are 2 x 2.5″ HDD/SSD slots and 1 x M.2 2280, but it has to be PCIe.

Asrock Deskmini
G4600 with intel stock cooler
2x4GB 2133MHz Samsung DDR4
120gb Kingston A400 SSD
Intel AC WIFI card with antennas
Windows 10 Pro

Price and currency: 200
Delivery: Delivery cost is not included within my country
Payment method: BT/PPG/Cash on collection
Location: London
Advertised elsewhere?: Advertised elsewhere
Prefer goods collected?: I prefer the goods to be collected

