Aruba VIA VPN

In the past, VPN solutions were limited to connecting a remote user to an enterprise network; nowadays the requirements are changing. Diverse profiles matching specific use cases per user group, and above all mobility, have raised the requirements placed on VPN solutions.

In general, VPN clients make your primary connection to the Internet a transport medium over which an encrypted data barrier is established with the other end of the communication. If either peer in the communication does not agree with the authentication parameters, the "data barrier" or tunnel is not established. When a tunnel is successfully established, the communication inside it is encrypted and any attempt to tamper with the data is detected.


Most VPN software clients are IPsec or SSL based, with SSL being the preferred method because it is a protocol normally allowed to communicate through the network. The VPN client depends on the flavor of firewall the organization uses: Fortinet firewalls use FortiGate clients, Cisco has its Cisco AnyConnect client, Palo Alto has its GlobalProtect client, etc.

The majority of us in IT, and our end-users, have experienced anomalies or difficulties running these software clients. The difficulties sometimes boil down to the user having to manually establish a connection and interact with a piece of software that may be too abstract for them to understand.

In the past, the answer for making the end-user's interaction with the VPN easier was to use automated logon scripts so the VPN software established the connection without the user having to open the client. This becomes problematic when corporations don't have a standardized remote device policy, and with BYOD clients.

The first VPN Client I am going to talk about is VIA from Aruba/HP.


The Aruba/HP VIA offering appears to be exactly what a lot of people in my field have been looking for: a zero-touch user experience. The end-user does not have to know that he needs to establish a tunnel, what a tunnel is, what client version he is running, or what type of Internet connection he is using. It is all pre-configured and managed by a centralized controller. The user simply powers on the workstation and begins to work, helping them focus on their job and not on troubleshooting a VPN connection. The client even automatically selects the best Internet connection to use to establish the tunnel.

VIA is multi-platform, supporting iOS, Android, Windows and macOS. VIA also offers a hybrid IPsec/SSL tunnel with military-based encryption: whenever forming an IPsec tunnel fails due to connection restrictions, the client uses SSL as the transport to carry the IPsec tunnel.

The architecture is simple, requiring only services already present in an Aruba/HP network such as AirWave, ClearPass and a Mobility Controller.

VIA, like many other VPN clients, recognizes whether it is inside the enterprise network or outside on an untrusted network. Based on the network type, VIA determines how it should connect. This can all be made transparent to the user, and for them the experience is as if they were always on the enterprise network.

In comparison with Cisco AnyConnect and Palo Alto GlobalProtect, the client offers a very easy-to-use interface.

Below you can see the connected client: a big green (connected) or gray (disconnected) indicator and, underneath it, the type of connection being used.

One of the trade-offs of having a zero-touch client is the lack of additional features such as malware protection and local web inspection, but this can be compensated for by a policy controller and a centralized traffic management approach.

In summary, the VIA solution has been well liked by our end-users due to the simplicity of the interface. With ClearPass it has offered a very easy-to-navigate method of troubleshooting authentication events. In combination with an Aruba/HP network, the client makes the end-user experience a very good one.

For more information visit:

HP Aruba VPN Services

Cisco AnyConnect VPN

Palo Alto Global Protect

Categories of Work in IT

I recently found myself listening to the audiobook "The Phoenix Project" by George Spafford, Gene Kim and Kevin Behr. The plot of the book takes you on the journey an IT Operations Manager has to endure as he is abruptly promoted to VP of IT Operations. In his new role, the main character identifies IT procedural weaknesses and also observes how the demands from the business make the IT department seem like a business roadblock.

Part of the book introduces a board member who provides a lot of insight and compares IT to a manufacturing production line, mentioning concepts such as the "Theory of Constraints" and "WIP (Work in Progress)". This is my very favorite part of the book because it defines the four categories of IT work, and the comparison to manufacturing is very accurate.

By no means do I claim to be an expert on any of the management procedures explained in the book, but I have been a first-hand witness of the four types of work and how they impact a business:

1. Business Projects are the ones with a direct link to the business. These projects get the highest priority since in most cases they are revenue-generating for the organization.

2. Internal Projects are the ones handled internally by IT, driven by IT initiatives. Examples are a network equipment refresh or remediation, the migration to a new email platform, or the installation of a new data center.

3. Operational Changes are the kind of work done to keep systems running or to enable/disable functionality based on changes in business requirements. The novel defines changes as follows:

a ‘change’ is any activity that is physical, logical, or virtual to applications, databases, operating systems, networks, or hardware that could impact services being delivered.

4. Finally, the number one enemy of productivity: Unplanned Work. This type of work takes all other work and puts it on the back burner; it results in heroic battles to "fight fires" due to outages and loss of productivity in other areas of the organization. In general this is recovery work, taking IT away from meeting its goals.

In my experience, when IT work is not "in tempo", meaning the production line has a backlog or is not flowing properly, problems and outages happen. Once the constraint or bottleneck is identified, the pace is recovered, although in some cases this means halting all projects to focus on freeing up the bottleneck. Not handling the issues with the constraint results in more unplanned work and more load on the constraint.

When IT is not a solutions provider, it is seen as the organizational constraint. If IT does not get in front of the business by identifying current and future technological needs, the other business units will. Unfortunately, when the other business units are determining the IT solutions, in a lot of cases those solutions don't fit supported models and/or are incompatible. IT must be providing solutions to the business, not problems. IT can do this through engaged leaders, working as a team with the other business units to identify areas of opportunity and to scale systems according to business demands. When IT leaders focus on single-minded solutions not in line with business needs, they generate unplanned work which delays Business Projects, resulting in more unplanned work. This can also give the false impression of IT capacity issues.

IT can also be its own worst enemy. In the spirit of improvement and in an effort to be cutting edge, IT elements move forward with unplanned implementations, deviating from the predetermined growth plan. When this happens, anti-work rears its ugly head in the form of unplanned tasks, unplanned remediation and unplanned scaling to prop up poor service operation. An IT organization should have a growth plan, put together to meet current and future demands of the business. Any changes to the overall architecture of this plan must be carefully reviewed and the changes communicated.

As you have seen, my perspective always puts emphasis on business needs and business requirements. Technology for technology's sake can create a lot of unplanned work, which is reflected in missed business objectives. This applies when IT is a service to an organization. When the business IS technology, then technology for technology's sake in the form of innovation works, but this is a very specific case. In most cases, IT is a service an organization needs in order to create business outcomes.

In my experience, when IT develops a workflow control mechanism it becomes a more efficient and effective business service. This in turn lets the organization focus on growth and new opportunities.

"We can't work on the strategic when we haven't mastered the tactical; we can't work on the tactical when we haven't mastered the operational."

I highly recommend this book to anyone in IT. The book also gives anyone outside of IT a good perspective on the challenges encountered by IT teams almost universally.

It appears that at Interop 2017 there was a discussion precisely about how IT works and how it must change, comparing data centers to factories instead of museums. I found this in a blog post on Packet Pushers. The comparison and the image presented show that for IT to move fast and react quickly to business needs, it needs to move to an industrial model for data center operations.

The goal of any factory is to operate a production system with the following characteristics:

  1. Speed
  2. Controlled costs (predictable cost is a key factor)
  3. Consistent quality (preferably high quality, but consistency is key)

Link to the blog post on PacketPushers.net