Chapter 12 • Scanning for Viruses and Handling Virus Outbreaks
…no sign of slowing. In the following sections, we'll go over the process of recognizing and taking action against virus activity on your network.

Identifying Computer Virus Outbreaks
Under most circumstances, the alerts provided by AMS2 will provide sufficient warning of any virus problems on your network. However, this becomes less effective in the case of new or polymorphic viruses that are not covered within the latest antivirus definitions. (Some viruses even go one step further by attempting to block access to the major antivirus Web sites, Symantec's included, to prevent administrators from obtaining the appropriate virus signatures.) So, how do you recognize a virus if NAVCE doesn't recognize the virus? Experience, instinct, and a good dose of common sense. If you notice severely degraded server performance, a sudden surge in network traffic, or a rash of unresponsive or malfunctioning PCs, you should begin to suspect virus or worm activity.

Responding to Computer Virus Outbreaks
We're fairly certain that most system administrators have encountered a situation similar to the antivirus commercials you see on television. Specifically, the one where the notoriously uneducated user stops the network administrator in the hallway and says "Hey, I just opened that e-mail virus like you told me not to." The help desk switchboard lights are flickering like fireworks, response times across your network have dropped considerably, and your e-mail server has apparently decided to take off and not leave any forwarding information. The main receptionist is transferring calls to you left and right, the sales department is having a collective coronary, Bill from corporate finance keeps sticking his head into your office door asking if you've fixed the problem yet, and you're just trying to get down the hall to the server room without being waylaid with more reports of an outage you're already aware of. Relax, you're not the first person this has happened to, and heaven knows you won't be the last.

Figure 12.21 Viewing Virus History after Exporting to CSV Format
It's best to think of virus outbreaks in terms of three simple (yet infinitely important) concepts that we refer to as "The Three Cs." The Three Cs of virus response are as follows:
■ Containment
■ Cleanup
■ Communication
Communicating the Outbreak
"But wait," you say. "You listed communication as the last of the Three Cs. Why are we talking about it first?" Despite our best efforts to effectively manage the technology under our purview, sometimes something out of our control takes place. And while you may be working furiously to correct the situation, you should never forget that you have an entire network of people, not just machines, who need to understand what is happening with the computer on their desktop.
Notes from the Underground…

End-User Communication

End-user communication can also help to alleviate virus outbreaks, or even prevent them before they start. A real-world example: I walked into work early one morning and was stopped en route to my office (by an even earlier riser than myself) with the following sentence: "Hey, Laura, I had about 15 messages in my Inbox this morning with ILOVEYOU as the subject line. It really didn't look right to me, so I didn't open any of them. Do you want to take a look?" Did I ever… a quick visit to Symantec's Web site indicated that there was a new e-mail-borne virus making the rounds. It was a nasty bugger that had already brought several major corporations' networks to a standstill, and an updated virus signature was not yet available. However, even without new antivirus definitions, it became clear that the virus was transmitting itself via a VBS attachment. Twenty minutes of reconfiguring the mail server to reject VBS attachments, and ILOVEYOU managed to sail right on past my network and users. But if I hadn't been made aware of the problem, the situation could certainly have played out much differently. To take this story back a step, the early-morning ILOVEYOU recipient would not have known to alert me to anything out of the ordinary had I not provided end-user training on how to recognize potentially hazardous e-mail attachments. I know we all think of "training" as a bunch of folks sitting in a classroom trying desperately not to doze off, but the training in this case was a simple e-mail memo. It doesn't have to be anything grandiose: circulate a memo, hang a flyer by the coffee machine, whatever will get the message across.

Does your organization have any sort of disaster recovery procedure in place, or any parallel or spare systems you can bring online to keep your business functioning? If not, now would be a great time to start planning against a rainy day, because it will most certainly be simpler to generate such a plan before it starts "raining," rather than in the midst of a computer-virus-induced typhoon. Make sure to involve all segments of your user base in developing these procedures, as the input you receive will be nothing short of invaluable.

Containing a Virus Outbreak

Now that we've discussed the more customer-service oriented factors of handling a virus outbreak, let's get down to the actual mechanics of getting your users and network services back online with a minimum of disruption and downtime. The first step in containing a virus outbreak is to identify any and all virus-infected PCs on your network. Hopefully you've already configured the Alert Management Server (AMS2) to provide Windows Messaging, e-mail, and pager alerts of virus infections. (For specific information on how to configure AMS2, please refer to Chapter 3.) In the following sections, we'll discuss the use of NAVCE's Virus Sweep function, as well as how to respond to a virus outbreak on your network.
Using Virus Sweeps
If AMS2 reports several client computers on your network with virus infections, you'll be quite thankful for NAVCE's Virus Sweep function. Using the SSC console, you can quickly launch a virus sweep of your entire system, a server group, or all client computers connecting to a single server. With a single click from the SSC console, you will know within minutes which of your client and server PCs are virus-infected. (Virus sweeps have the additional advantage of being a type of scan that cannot be cancelled by the end user.)
To launch a virus sweep of your entire system, open the SSC console window. Right-click System Hierarchy, then select All Tasks | Norton AntiVirus | Start Virus Sweep. To sweep a specific server or server group, right-click the appropriate item within the System Hierarchy and follow the same steps, as shown in Figure 12.22.

Using the SSC console, you can view the results of a virus sweep by selecting All Tasks | Logs | View Virus Sweep History from the appropriate server or server group. See the window shown in Figure 12.23.
Figure 12.22 Launching a Virus Sweep of a Server Group
WARNING

Depending on the size of your LAN/WAN, a virus sweep can cause considerable network traffic. Also important to remember is that once started, a sweep cannot be cancelled. If the situation is not an emergency, make sure you take these performance considerations into account before you launch a virus sweep of your network.

From Figure 12.23, you can do the following:
■ Start a new virus sweep
■ View the results of a prior sweep
■ Delete the results of a sweep
Select the virus sweep whose results you want to see, then click View Results. You'll see the date and time that the scan finished on each PC (this field will be blank if the scan is still in progress), the total number of files scanned and the total number infected, as shown in Figure 12.24. You can click the floppy-disk icon to export the scan results to a text file for archiving or reporting.
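Once a sweep's results are exported, the first thing you need from them is the list of machines to pull off the LAN. The script below is an added example written for this chapter, not part of NAVCE and not from the original text, that parses such an export and builds that list. The column names, the date format and the sample rows are constructed assumptions; point the header names at whatever your exported file actually contains. It treats a blank finish time the way the text describes it, as a sweep still in progress, so those hosts are reported separately instead of being counted as clean.

```python
import csv
import io
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample export. The column names are an assumption about what the
# SSC console's export writes; map the header names below onto your own file.
SAMPLE_EXPORT = """Computer,Server Group,Finished,Files Scanned,Files Infected
FIN-WS01,Finance,2002-07-11 09:14:22,48213,3
FIN-WS02,Finance,2002-07-11 09:15:07,45110,0
SALES-WS07,Sales,,12044,1
NAV-SRV01,Servers,2002-07-11 09:02:55,210998,0
SALES-WS12,Sales,2002-07-11 09:16:41,44390,2
"""


@dataclass
class SweepRow:
    computer: str
    group: str
    finished: Optional[str]   # None while the sweep is still running on that PC
    scanned: int
    infected: int


def parse_sweep_export(text: str) -> List[SweepRow]:
    """Read the exported sweep results into typed rows."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append(SweepRow(
            computer=rec["Computer"].strip(),
            group=rec["Server Group"].strip(),
            finished=rec["Finished"].strip() or None,
            scanned=int(rec["Files Scanned"] or 0),
            infected=int(rec["Files Infected"] or 0),
        ))
    return rows


def triage(rows: List[SweepRow]):
    """Split the sweep into infected hosts (worst first), hosts still being
    scanned, and hosts that finished clean."""
    infected = sorted((r for r in rows if r.infected > 0), key=lambda r: -r.infected)
    in_progress = [r for r in rows if r.finished is None]
    clean = [r for r in rows if r.finished is not None and r.infected == 0]
    return infected, in_progress, clean


def containment_list(rows: List[SweepRow]) -> List[str]:
    """Hosts to disconnect now: anything with a detection, plus anything whose
    sweep has not finished, since its infected count is only a lower bound."""
    return sorted({r.computer for r in rows if r.infected > 0 or r.finished is None})


if __name__ == "__main__":
    rows = parse_sweep_export(SAMPLE_EXPORT)
    infected, in_progress, clean = triage(rows)
    for r in infected:
        print(f"{r.computer:<12} {r.group:<10} {r.infected:>4} infected of {r.scanned} scanned")
    print("still scanning:", [r.computer for r in in_progress])
    print("disconnect:", containment_list(rows))
```

The in-progress case matters in practice: a host that is still scanning and already shows one detection may end up with many more, so it belongs on the disconnect list rather than in a "wait and see" bucket.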
Figure 12.23 Viewing Virus Sweep History
Figure 12.24 Viewing the Results of a Virus Sweep
If at all feasible, we highly recommend disconnecting the infected PCs from your LAN until the virus infection can be removed, since allowing these machines continued network and Internet access will only serve to further propagate the virus to your network and those of others. This is especially the case with worms like Code Red and Nimda, where an infected machine will actively seek out (port scan) other vulnerable machines to infect. Where you can, pull the network cable rather than powering the machine off; a powered-off machine loses whatever was in memory, which is often the only evidence of what a new virus is actually doing. In certain extreme cases where the virus infestation has spread beyond a manageable point, you may wish to disconnect your company's Internet connection and/or the inbound Simple Mail Transfer Protocol (SMTP) traffic to your e-mail server. This will provide the ultimate "quarantined" environment to prevent further virus infections while you work to restore order to your network.
NOTE

Here are two useful definitions to be familiar with when dealing with virus outbreaks:

■ Simple Mail Transfer Protocol (SMTP) This protocol is designed to do exactly what it sounds like: provide for the timely and efficient delivery of electronic mail. SMTP transfers messages between clients and servers, as well as between servers, but it does not concern itself with the specifics of client mailboxes or downloading of messages. The SMTP protocol was originally defined by Request for Comments (RFC) 821 (since superseded by RFC 2821 and then RFC 5321), available from the Internet Engineering Task Force at www.ietf.org.

■ Port Scan A process of probing TCP and UDP ports on a given system to determine which services are listening. While this is not an attack, per se, port scanning is the first step in determining what operating system and software applications are in use on a target system, enabling the attacker to formulate an effective plan of attack. Worms such as Nimda use port scans to discover other machines that are vulnerable to infection.
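The symptom described above for Code Red and Nimda, an infected host port-scanning its neighbours, shows up in ordinary firewall or router connection logs well before a signature exists, and it is one concrete form of the "sudden surge in network traffic" mentioned earlier in the chapter as a warning sign. The detector below is an added example written for this chapter, not something NAVCE provides: it reads connection-attempt lines (the line format, the hosts and the timestamps are constructed for the example), keeps a sliding window per source and destination port, and flags any source that reaches a threshold of distinct destination hosts on one port inside the window. A worm fans out to many hosts on one port; a busy but legitimate client mostly talks to a few hosts repeatedly, which is why distinct destinations rather than raw connection counts are what get counted. The window and threshold are assumptions to tune for your network.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format: "<date> <time> <src> -> <dst>:<dport> SYN".
# Adapt LINE_RE to your firewall's or router's connection log.
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+):(\d+) SYN$")


def parse_line(line):
    """Return (timestamp, src, dst, dport), or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), int(m.group(4))


def find_scanners(lines, window_s=60, threshold=8):
    """Map each scanning source to the set of ports it fanned out on.

    Lines must be in chronological order. A source is flagged when, within
    window_s seconds, it has sent SYNs to at least `threshold` distinct
    destination hosts on the same destination port: the pattern of a worm
    hunting for victims rather than of a client using a service.
    """
    recent = defaultdict(deque)        # (src, dport) -> deque of (ts, dst)
    flagged = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, dport = parsed
        window = recent[(src, dport)]
        window.append((ts, dst))
        while window and (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()
        if len({d for _, d in window}) >= threshold:
            flagged[src].add(dport)
    return dict(flagged)


def _build_sample_log():
    """Constructed sample: one worm-like host, one chatty-but-benign host,
    one ordinary user browsing a few different servers."""
    lines = []
    for i in range(10):   # 10 distinct web servers on port 80 within 20 seconds
        lines.append(f"2001-09-18 10:02:{2 * i:02d} 10.1.4.22 -> 10.1.7.{i + 1}:80 SYN")
    for i in range(4):    # repeated SYNs to one mail server: a single destination
        lines.append(f"2001-09-18 10:02:{5 * i + 1:02d} 10.1.4.50 -> 10.1.9.5:25 SYN")
    for i in range(3):    # three servers spread over three minutes
        lines.append(f"2001-09-18 10:{3 + i:02d}:00 10.1.4.61 -> 10.1.7.{i + 20}:80 SYN")
    lines.append("this line is not a connection record")   # exercises the skip path
    return sorted(lines)  # timestamps lead each line, so lexical order is chronological


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"{src} is fanning out on port(s) {sorted(ports)}: pull it off the LAN")
```

Run against a real log, the output is a list of hosts to unplug first; with a lower threshold and a longer window the same code becomes a slower, quieter-scan detector, at the cost of more false positives from busy clients.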
Cleaning up a Virus Outbreak
Once you have identified the infected PCs on your network, the next step is to restore the compromised machines to a working (and virus-free) state. You will need to decide on a case-by-case basis how best to address virus infections. Some can be fixed with simple file quarantining and deletion, while more insidious infections can require measures as extreme as reformatting and reinstalling a workstation from scratch. In this section, we'll discuss several tools that NAVCE offers to accomplish this task, including the Alert Management Server, built-in notifications and viewable virus histories, as well as other options available from the Symantec Web site.
Understanding Alert Management Server 2

Alert Management Server 2 (AMS2) is a separate snap-in that can be installed for use with the SSC console. This snap-in alerts an on-call administrator to a virus problem via pager, e-mail, and so forth. (Configuration of AMS2 is covered extensively in Chapter 3.) The Alert Management Server should act as your first line of defense in detecting a virus outbreak.
Using Built-in Notifications
NAVCE also offers two notification methods that can operate in place of, or in addition to, AMS2; the Alert Management Server does not necessarily need to be installed in order for these notifications to run. These alert methods are as follows:

■ Customizable message boxes that can be displayed in an e-mail message or on the infected computer's desktop

■ Virus histories that maintain a log of all virus activity found whenever NAVCE performs any type of antivirus scan
Displaying Notification Messages to End Users
When configuring a manual, scheduled, or real-time scan, you can use the Message button to display a pop-up window that immediately alerts the user to the situation. Using the variables listed next, you can customize what is displayed to the user when NAVCE finds an infected file. The default warning uses both system variables and plain text, as shown in Figure 12.25.

Items contained within brackets (such as [Logged by]) are variables, while anything entered outside of the brackets displays as-is. The full list of variables and their descriptions are explained in Table 12.2.
Table 12.2 Understanding Symantec's E-mail Notification Variables

What You Enter      What Is Displayed
[ActionTaken]       Action taken on the infected file (Cleaned, Quarantined, Deleted, Left Alone)
[Computer]          NetBIOS or DNS workstation name of the target computer
[DateFound]         Date and time that the virus alert was generated
[Event]             Type of event: "Virus Found," and so on
[Location]          Drive letter containing the infected file
[Logged by]         Type of scan that flagged the virus: real-time, manual, or scheduled
[PathandFilename]   Full directory path to the infected file
[Status]            Current state of the infected file (Infected, Not Infected, Deleted)
[User]              Network login name of the user logged in at the time the alert is generated
[VirusName]         Name of the detected virus
Alternatively, you can simply display a generic message to your user without noting specific file information, similar to the one shown in Figure 12.26.
NOTE
The field containing NAVCE message information handles plain text only. You cannot include things like text formatting, embedded HTML, or MAILTO: links.
Figure 12.25 Displaying a Message on the Client Computer
Figure 12.26 Creating a New Message to Display on a Client Computer
Using the Virus History Feature
From any server group, right-click and select All Tasks | Logs | Virus History to view a detailed description of any recent virus activity on the clients and servers attached to that group. You can also select Scan History to view the results of the latest scheduled scan run against the server group, and Event History to view other information that may not specifically relate to a virus infection (for example, the last time the antivirus service was restarted, or when the newest antivirus definitions were downloaded). You can view any of these items in the following time frames:
Taking Actions Against Infected Files

If NAVCE flags a file containing a virus that it was unable to repair, you can use the Virus History screen to take further actions against any infected files, particularly if you just downloaded a newer set of antivirus definitions. From the Virus History screen, right-click any listed file to perform any of the actions we've covered in this chapter, such as cleaning, deleting, or quarantining a file. (An example of this function is shown in the following section.) You can also undo whatever action NAVCE performed against the file. This is useful if you want to remove a file from quarantine so it can be repaired with newer virus definitions.
Recovering from Boot Sector Viruses

If you suspect that a hard drive has become infected with a boot sector virus (for example, you are unable to start the computer in question), you can use the Norton AntiVirus Rescue Disk Set to correct the situation. (Detailed instructions on creating the Rescue Disk Set can be found in Chapter 3.) The following describes the steps necessary to repair a boot sector virus on a hard drive. NAVCE can detect and repair a floppy disk boot sector virus by simply performing a manual scan.
NOTE
A boot sector virus resides on a portion of the computer drive that is only read when the computer is powered up, at which point the virus loads into memory. They typically spread via floppy disks, which also have a boot sector that can become infected. If an infected floppy disk is present in the disk drive when a computer is booted up, the virus will be loaded into the computer's memory and can spread to other computers and floppies.
Cleaning the Hard Drive Boot Sector

1. Power the computer down completely. Wait approximately 30 seconds, or until all hard drive activity has stopped. (This prevents unnecessary wear-and-tear on the physical components of the hard drive.)

2. Place the Norton AntiVirus Rescue Boot Disk into your floppy (A:) drive, then power the computer on.

3. Wait until the PC has fully booted and the screen displays the A:\ prompt.

4. Remove the Rescue Boot Disk from the A:\ drive, and insert the Norton AntiVirus Program Disk.

5. Type Go and press Enter to begin.

6. Follow the instructions that appear on the screen in order to clean the boot sector virus.

7. When you're finished, remove all floppy disks and reboot normally.
Restoring a Hard Drive Boot Sector

If your hard drive's boot sector cannot be repaired using the preceding steps, you can restore a copy of the boot sector from the Rescue Disks. This will overwrite the infected boot sector with a clean backup copy, thus preventing the virus from spreading any further. Be sure the Rescue Disk Set was created after the last change to the drive's partition layout; restoring a stale partition table can leave the disk unbootable or its data unreachable. Follow these steps to restore the boot sector from backup:

1. Restart the computer using the Norton AntiVirus Rescue Boot Disk (as described in Steps 1 and 2 in the previous section).

2. From the A: prompt, type Rescue and then press Enter.

3. Press the Tab key until the flashing cursor appears in the Boot Records menu option. Press the Spacebar to expand the menu.

4. Press the Tab key again until the cursor reaches the Partition Tables menu, then press the Spacebar again to expand the menu.

5. Press the Tab key until the cursor appears under Restore, then press Enter.

6. Follow the on-screen instructions to restore a clean copy of the hard drive boot sector.

7. When done, remove the Rescue Disk from the A: drive and reboot the PC as you normally would.
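What the Rescue Disk does in steps 3 through 6 is conceptually simple: put a known-good copy of the first sector back, leaving (or, if need be, also restoring) the partition table. The script below is an added example for this chapter, not Symantec's tool, that performs the same check and repair on a 512-byte master boot record image: it parses the four partition entries and the 0x55AA signature, hashes the boot-code region to detect modification against a backup, and rebuilds the record from the backup's boot code plus the partition table currently on disk, refusing to proceed if the two partition tables disagree (in which case the whole record has to come from backup, the "Partition Tables" restore). Both sector images, including the few bytes of "boot code", are constructed for the example and are not real boot code.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"      # bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte master boot record into its parts and check the signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": mbr[510:512] == SIGNATURE,
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def boot_code_modified(current: bytes, backup: bytes) -> bool:
    """True if the boot-code region no longer matches the trusted backup."""
    return current[:BOOT_CODE_LEN] != backup[:BOOT_CODE_LEN]


def partition_table_modified(current: bytes, backup: bytes) -> bool:
    return current[PART_TABLE_OFF:510] != backup[PART_TABLE_OFF:510]


def restore_boot_code(current: bytes, backup: bytes) -> bytes:
    """The 'Boot Records' restore: backup's boot code, on-disk partition table.

    Refuses if the partition tables disagree, because then the virus (or
    something else) has touched the table too and a boot-code-only repair
    would leave the disk in an inconsistent state."""
    for rec in (current, backup):
        if len(rec) != MBR_SIZE:
            raise ValueError("MBR must be exactly 512 bytes")
    if partition_table_modified(current, backup):
        raise ValueError("partition table differs from backup; restore the full record instead")
    return backup[:BOOT_CODE_LEN] + current[PART_TABLE_OFF:510] + SIGNATURE


def restore_full_record(backup: bytes) -> bytes:
    """The 'Partition Tables' restore: everything comes from the backup."""
    if len(backup) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    return backup[:510] + SIGNATURE


def _sample_mbr(boot_code: bytes, table: bytes) -> bytes:
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + SIGNATURE


# Constructed partition table: one bootable type-0x07 partition at LBA 63, three empty entries.
SAMPLE_TABLE = (struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2097152)
                + b"\x00" * 48)
CLEAN_MBR = _sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", SAMPLE_TABLE)   # constructed stub, not real code
INFECTED_MBR = _sample_mbr(b"\xeb\xfe" + b"\x90" * 30, SAMPLE_TABLE)          # constructed "virus", not real code

if __name__ == "__main__":
    print("clean   :", parse_mbr(CLEAN_MBR)["boot_code_sha256"][:16])
    print("infected:", parse_mbr(INFECTED_MBR)["boot_code_sha256"][:16])
    print("repaired matches backup:", restore_boot_code(INFECTED_MBR, CLEAN_MBR) == CLEAN_MBR)
```

Hash the boot-code region when you make the backup and keep the hash separately; comparing against it is how you tell a genuinely altered boot sector from a disk that simply fails to start for some unrelated reason.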
Damage & Defense…

When All Else Fails…

So what happens when a system has become irreparably compromised? While NAVCE's quarantining and cleaning functions can handle most virus infections, there are some circumstances in which your only 100-percent-sure option is to reinstall the PC from scratch. So what are some useful points to keep in mind when restoring a machine from a virus infection? Here's a basic overview of the process:

1. Install a clean version of your operating system

If a machine is compromised by a virus or worm, remember that anything on that system could have been modified. This includes the operating system files, any network services running on the machine, as well as information stored in cache memory. At that point, the only way to be really sure that a computer is free from intruder modifications is to reinstall the operating system from a trusted copy of original media: install from read-only media like a CD-ROM rather than a potentially compromised file share on a server hard drive. Make sure that you install all available security fixes from the vendor Web site before reconnecting the machine to your network (fetch them on a known-clean machine and carry them over on removable media, so the rebuilt host never goes online unpatched), lest the cycle of virus propagation begin once again. Only addressing the vulnerability that initially compromised the machine in question may not be enough to ensure a secure environment.

2. Disable any unnecessary services

Configure your system (especially server systems) to offer only those services you specifically intend to use, and no others. The most conservative approach is to disable all services and then reenable them one by one as they are needed. (Obviously you'll want to test this configuration before placing the server into production.)

3. Install all vendor security patches

At the risk of sounding redundant, make absolutely certain you install the full set of security patches for each of your systems. This is the fundamental step in defending your systems from further attack. Check with your vendor regularly for any updates or new patches that relate to your systems; many vendors offer e-mail bulletins whenever a new update is released. You can also consult third-party and external security awareness sites such as www.cert.org and others.

Managing the Virus Outbreak Process

In Figure 12.27, you'll see a synopsis of the steps involved in responding to a virus outbreak within your network. (Details on each step of the workflow can be seen in Table 12.3.) Use this workflow as a reference as you work through the various steps in restoring your network services. The most often overlooked piece of the equation is the final one, that of documenting the incident and analyzing the steps taken in handling the restoration. While the specific threats presented by new viruses will undoubtedly change and expand over time, many of the troubleshooting steps involved in addressing them will not. As such, an analysis of what did and did not work as planned will assist you in being better prepared for the next incident. Maybe a virus outbreak occurred while you were on vacation, and you did not assign a backup pager number in AMS2. These are the sorts of lessons that we think we'll never forget, but unless they are documented will become a distant memory sooner than you imagine. Take the time now to preserve your thoughts, observations, and recommendations for handling future virus incidents.
Figure 12.27 Managing a Computer Virus Outbreak

Recognize the Threat → Take Preventative Actions → Notify End Users → Clean Infected PCs, Restore Service → Documentation and Analysis

Table 12.3 Virus Outbreak Workflow Tasks and Appropriate Actions

Workflow Task: Recognize the Threat
Actions: …notify administrators of known virus threats via e-mail, pager, or Windows pop-up message. Use the Virus Sweep function to quickly scan your entire network. A new or unreported virus may manifest itself in unusually high network traffic, or poor or unresponsive workstation or server performance.

Workflow Task: Take Preventative Actions
Actions: …network to prevent further propagation of the virus. If your network connection is becoming overloaded, consider disconnecting your Internet connection or external e-mail until the situation is resolved. Depending on the situation, another less drastic option could be to block traffic on a specific network port, or block e-mail attachments with a specific file extension or "FROM:" address.

Workflow Task: Notify End Users
Actions: …last, and everything in between. Your clients and users need to be informed about what's going on, if for no other reason than so that they don't continue to propagate the virus infection through lack of information or preparation. Virus and security awareness should be an ongoing project for any serious computer administrator.

Workflow Task: Clean Infected PCs, Restore Service
Actions: …available for removing the infection. Beginning with your servers, remove the infected PC from the network while performing the cleanup so that it does not become re-infected before the cleanup process manages to complete. Perform a full scan of all drives and ensure that real-time scanning is fully functional before returning the computer to the network. Repeat for all infected servers, then move on to individual workstations.

Workflow Task: Documentation and Analysis
Actions: …what went right and what went wrong, and write it down. What quirky little nuance of that network application gave you trouble? What additional resources would have helped you? What would you do differently next time?
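The "less drastic" containment option in Table 12.3, blocking attachments by extension or sender, is the same move the ILOVEYOU sidebar earlier in the chapter describes (reject VBS attachments at the mail server), and the FAQ at the end of the chapter makes the same point about VBS and SHS. The following is an added example of such a filter, not code from NAVCE or from this book: it parses a message with Python's email package, takes the filename from each attachment and rejects on a dangerous final extension (handling the double-extension trick used by ILOVEYOU's LOVE-LETTER-FOR-YOU.TXT.vbs, where Explorer hides the real extension, and the CLSID-suffix trick that hides it another way) or on a blocked From: address. The extension list, the sender blocklist and the sample messages are constructed assumptions; in practice this logic sits in a mail gateway's content filter, and a From: blocklist is only as good as the sender's honesty, since worms forge that header freely.

```python
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Assumed policy: extensions Windows will execute (or hand to a script host)
# that ordinary business mail should never carry, plus a sender blocklist.
BLOCKED_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".wsf", ".shs",
                      ".scr", ".pif", ".exe", ".com", ".bat", ".cmd", ".hta"}
BLOCKED_SENDERS = {"spoofed@example.com"}

# A trailing ".{CLSID}" component is hidden by Explorer just like a known extension.
CLSID_RE = re.compile(r"\.\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def dangerous_filename(name: str) -> bool:
    """Judge the name by the extension Windows will act on: the last one,
    after stripping the trailing dots and spaces that Windows itself discards."""
    name = name.strip().rstrip(". ")
    if CLSID_RE.search(name):
        return True
    lowered = name.lower()
    if "." not in lowered:
        return False
    return lowered[lowered.rfind("."):] in BLOCKED_EXTENSIONS


def inspect_message(raw: bytes) -> list:
    """Return the reasons to reject a raw RFC 822 message; an empty list means accept."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    if sender in BLOCKED_SENDERS:
        reasons.append(f"blocked sender {sender}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if dangerous_filename(name):
            reasons.append(f"blocked attachment {name}")
    return reasons


def _build(subject: str, sender: str, attachment_name=None) -> bytes:
    """Constructed sample messages; the attachment payload is inert filler."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "staff@example.com"
    m["Subject"] = subject
    m.set_content("please see the attached file")
    if attachment_name:
        m.add_attachment(b"inert filler, not a script",
                         maintype="application", subtype="octet-stream",
                         filename=attachment_name)
    return m.as_bytes()


SAMPLE_LOVELETTER = _build("ILOVEYOU", "someone@example.org", "LOVE-LETTER-FOR-YOU.TXT.vbs")
SAMPLE_REPORT = _build("Q2 numbers", "bill@example.com", "q2-report.xls")
SAMPLE_CLSID = _build("notes", "someone@example.org",
                      "notes.txt.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}")
SAMPLE_SPOOFED = _build("hello", "Spoofed@Example.com")

if __name__ == "__main__":
    for label, raw in [("loveletter", SAMPLE_LOVELETTER), ("report", SAMPLE_REPORT),
                       ("clsid", SAMPLE_CLSID), ("spoofed", SAMPLE_SPOOFED)]:
        print(label, "->", inspect_message(raw) or "accept")
```

Note that "report.vbs.txt" passes: the final extension is what Windows will open it with, so a text file with an odd middle name is not an executable. Filtering on the declared Content-Type instead of the filename would be weaker, since the sending worm controls both.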
Summary

Scanning for viruses and managing virus outbreaks are two of the primary functions of any antivirus offering, and Symantec's AntiVirus is no exception. In previous chapters we went over the steps in planning and installing NAVCE for servers and clients; here, we discuss the daily use of its functions. The various scanning options available (real-time, scheduled, and manual) provide us with a plethora of tools to keep our networks virus-free.

The various NAVCE virus scans can be customized in any number of ways to best serve your users and network environment. If you are supporting legacy or budget hardware configurations, you can lower the total CPU time used by NAVCE during a scan to avoid impeding normal use of the machine, or use scheduled scans to perform virus monitoring during off-hours when the PC may not be in use at all. You can choose one of three levels of protection within Symantec's Bloodhound Heuristics function in order to reach the best possible trade-off between security and usability. If desired, you can even exclude, en masse, entire folders or groups of file extensions from the NAVCE scans. (Keep in mind that every exclusion is a blind spot: anything that lands in an excluded folder or carries an excluded extension will not be seen.) And as always, a configuration that works for one administrator may not work for another. A healthy dose of horse sense, combined with the use of monitoring tools, like Windows 2000 Performance Monitor, will help you determine the best course of action for your situation. Dealing with a virus outbreak can be one of the more frustrating aspects of an administrator's life; luckily, Symantec offers several tools to make the job a bit easier. Correctly configuring the Alert Management Server plug-in will provide immediate alerts via e-mail, pager, and so on, in the event of any virus infections on your network. All such activity is also recorded in Virus History logs on the NAVCE parent server: these logs provide your first step in determining what sort of virus threat you're facing.

Once you've determined that your network is facing an outbreak, virus sweeps allow you to quickly determine the level of virus infection on your network, while NAVCE quarantining and cleaning functions will eliminate most of the virus types you'll encounter. For those viruses that are so new that a specific detection signature hasn't yet been developed, you still have a measure of protection from Symantec's heuristic technology, as well as from NAVCE's default monitoring for virus-like behaviors. All of these tools should go a long way towards keeping your network virus-free and your users up and running, even in the face of continuing and evolving virus threats.
Solutions Fast Track

Virus Scanning Methods

■ Use manual scans for a quick, ad-hoc scan of a single computer or small group of PCs. Especially useful for troubleshooting, or if something about a machine just doesn't feel right.

■ Scheduled scans will automate ongoing scans of any or all machines on your network. Remember that a virus scan will create processor and hard drive activity while it is underway, so make sure you keep your users informed about scanning schedules.

■ Real-time scanning checks every file on a hard drive when a user or an application accesses them. This functionality is enabled by default, and can also examine e-mail files for the most recent versions of Lotus Notes and Microsoft Outlook.

Configuring Computer Virus Scans

■ You can scan the entire contents of a hard drive, or select specific files based on their three-letter extension or file type.

■ When NAVCE encounters an infected file, it can take any of the following actions: clean the infected file, send it to quarantine, delete the file, or leave it alone.

■ Use NAVCE scanning options to fine-tune CPU utilization to keep your end users happy and productive while performing a virus sweep or scheduled scan of your entire network, as this can produce quite a demand on network bandwidth and PC response time.

Analyzing Results of Virus Scans

■ NAVCE Virus logs provide a count of the number of files scanned on a given client or server, as well as how many (if any) are infected. If the virus is covered in the latest antivirus definitions, you'll also see the name of the infection(s) in question.

■ If a file is flagged with a "Bloodhound.something" virus, it means that Symantec's Bloodhound Heuristics have flagged this file as being potentially virus-infected, though the virus signature is not included in the newest definitions. Forward the file to SARC for examination as soon as possible.

■ Depending on how you configured NAV's actions and backup actions when responding to a virus-infected file, clean or delete any flagged files as appropriate.

■ If you chose Leave Alone as the default action (or inaction, in this case) for NAVCE to take upon finding an infection, it is imperative that you address the situation as quickly as possible. Until you take manual action, the user of the infected PC can access and execute the virus like any normal file, potentially spreading the virus to other computers on your network.

■ Virus sweeps provide a "one-click" means of scanning your entire network for viral infections.

■ Remember the three Cs of handling virus outbreaks: Contain, Clean, and Communicate, though the "Communicate" portion should be part of the entire process from start to finish.
Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form.

Q: We've just been slammed by a virus. It has propagated through e-mail, and we can't obtain the latest signature files because the antivirus vendors' Web servers are all overloaded. How do I contain this virus?

A: Some of the more recent e-mail-borne viruses (ILOVEYOU and Sircam spring immediately to mind) have blocked access to the major antivirus software vendors' Web sites in an attempt to stop users from downloading necessary virus updates. Your best bet in this situation is to use a completely clean and virus-free PC (build one from scratch if you have to) and use it to obtain the newest virus definitions, as well as any removal utilities that Symantec has made available to combat a specific threat. Start with your NAV servers and any other mission-critical machines (again, unplug them from the LAN if necessary) and begin to update definitions, run full scans, and verify real-time system protection. Only return these machines to the LAN environment when you are certain all vulnerabilities have been patched; otherwise the machines could become reinfected as soon as you plug the network cable back in.

Q: How can I configure my users' e-mail software so they will be less likely to infect their computer and my network?

A: Within Norton AntiVirus, your best bet is to simply follow the best practices we've been discussing throughout the chapter: ensure that real-time scanning (especially of messaging systems) is enabled, that antivirus definitions are updated on a regular basis, and that you schedule regular scans of your entire network.

Apart from that, many major vendors offer options for e-mail filtering based on content and/or file extensions. The decision to implement such a solution is obviously specific to your business needs, but it's useful to note that many e-mail-based viruses are transmitted via file types that most business users would not need to send or receive during the course of a normal business day (VBS, SHS, and so on).

Q: What are some good resources for making sure that my network computers stay secure and virus-free?
A: The best place to start is the vendor Web sites for all of your systems and software: Symantec, Microsoft, Apple, Cisco, you name it. Most offer e-mail notifications of new updates and bulletins. Other third-party and independent Web sites offer excellent cross-platform security information. Here are a few to get you started.
A: Instant messaging applications have become the latest craze for hackers intent on stealing personal information or otherwise wreaking havoc on unsuspecting users. Industry analysts have estimated that over 200 million people were using IM technology as of 2001, and other industry leaders are predicting that corporate users particularly will grow to as much as 300 million within the next three years. As IM technologies become more and more complex, offering rich new features, such as file transfer and voice-over-IP, the potential for exposure increases dramatically. (Consider, if you will, the potential of a Code Red–style worm that targets not just Internet-connected PCs, but corporate IM-enabled devices such as Palms, PDAs, and “smart” cellular phones.) Luckily, similar to e-mail borne viruses like Klez and ILOVEYOU, the new wave of Instant Messaging viruses and worms can be best avoided by preventative maintenance, user awareness, and a healthy dose of common sense.
The early threats against Instant Messaging are quite similar to the earliest e-mail borne viruses. You see, in the beginning, there was text. With older IM clients that only pass ASCII text back and forth across the Internet, the largest hacking risk was simply that of social engineering or accidental disclosure: an unwitting user would disclose confidential information during the course of an otherwise benign conversation. But the latest versions of AIM, Yahoo, ICQ, and the like have begun to allow file sharing, and that’s where hackers have begun to drool. Today, rather than just trying to stop the latest version of Elf-Bowling from overrunning your e-mail server (and wasn’t that hard enough?), you now have to worry about it being tossed back and forth over AIM and ICQ. And, of course, the inherent risk of users exchanging executable programs becomes a question of “What if there is a virus in there?” If I’m a corporate e-mail administrator and somebody e-mails me a virus, I have an e-mail virus scan on my system. But without managed and up-to-date client anti-virus protection, by the time it comes down to a laptop or desktop you’re back to depending on individual users to keep their definitions up-to-date. (But then, that’s why you’re reading this book, isn’t it?)
First the bad news: At present, there exists no security software that specifically monitors Instant Messaging programs. However, most generally accepted security measures, including (but not limited to) properly configured and managed antivirus software, will do pretty nicely to monitor IM. And though it should go without saying, always maintain (and teach your users to maintain) a healthy dose of paranoia when it comes to accepting files via Instant Messaging from people you don’t know. You want to be as careful of IM-transferred files as you are with e-mail attachments—the next Klez could very easily originate from your Buddy List instead of Microsoft Outlook.
Chapter 13
Backup and Disaster Recovery
Solutions in this chapter:
■ Basic Principles of Backup and Disaster Recovery
■ Designing a Disaster Recovery Plan
■ Implementing a Backup Strategy
■ Defining Support and Service Levels for Your Organization
■ Backing Up Dedicated NAVCE 7.6 Servers
■ Restoring Dedicated NAVCE 7.6 Servers
✓ Summary
✓ Solutions Fast Track
✓ Frequently Asked Questions
Introduction
Most of the topics addressed in this book discuss the use of Norton Antivirus Corporate Edition (NAVCE) to prevent network outages or data losses caused by virus outbreaks. However, the best laid plans of mice, men, and network administrators often go awry, and the formulation of a proactive backup plan and disaster recovery strategy is essential to ensure that your network is protected. Whether you are protecting a single Small Office/Home Office (SOHO) server or a large corporate enterprise, there are some basic principles of computer backups and business continuity planning (BCP) that are common to all network installations. We’ll begin this chapter by exploring some of these concepts, such as assessing potential risks to your information services, defining your critical data and processes, and procuring offsite recovery locations. We’ll then discuss the more hands-on details of developing a backup plan: selecting hardware and software, creating a viable schedule to perform your backups, and creating a tape rotation scheme that will provide the most complete coverage for your data.
This chapter concludes with a step-by-step walk-through of performing a backup of a dedicated NAVCE Windows server, and even more importantly, using the built-in Microsoft backup utility to restore your information. The Windows 2000 Backup Utility (NTBACKUP) has an easy-to-use GUI interface that will walk you through the backup process step-by-step, or for more granular control you can use command-line switches to automate the process on multiple servers and machines. The exercises included in the final section will illustrate that even if you don’t have the funds to invest in a third-party backup solution, this integrated utility will allow you to perform a full or partial backup of your NAVCE server.
Basic Principles of Backup and Disaster Recovery
Planning for disaster recovery is inherently similar to creating a strategy for antivirus protection: it’s less a question of if, but rather when you’ll need the benefits provided by an effective plan. In preparing for that inevitable moment when the things that can go wrong, do… here are a few principles to keep in mind:
■ Create a baseline of your network
■ Leave room for growth
■ Plan for data retention
■ Create a workable backup schedule
■ Provide an offsite storage location
■ Strike a balance between cost and convenience
■ Train your staff
■ Involve your users in the disaster recovery process
■ Test your backups
Each of these golden rules is detailed in the sections that follow.
Creating a Baseline of Your Network
Even though we know that you’ll want to start backing up your critical data right away (especially if you don’t already have a backup mechanism in place), you should still take the time to ensure that your backup plan is, in fact, the right one to meet your needs. In order to ascertain this, you’ll need to create a baseline of your network services and applications. A baseline is one part system inventory, one part performance snapshot: you’ll not only create a list of which applications and services are running, but also determine how they operate in terms of overall network traffic and storage needs. Establish an inventory of all applications in use on your network, then monitor those applications using the Windows NT/2000 performance monitor or a third-party utility to determine how much disk space they use on a daily, weekly, and monthly basis. (If you’ve followed the topics discussed in Chapter 9, you may have completed at least some of this inventory already.)
NOTE
Make sure you monitor the performance and disk usage on your network over an extended period of time: you’re not only concerned with how your network is performing today, but also how its performance and storage needs change over time.
Creating this baseline of your network will assist you in determining your total backup requirements by answering some important questions. First, how much data really exists on your network? Is it housed on a single server, on multiple servers in a single subnet or building, or on many different servers and workstations throughout an enterprise WAN? Next, how much does your data change on a daily basis? For example, a static data archive that is accessed frequently but rarely altered will call for a different backup strategy than an interactive database that processes hundreds of transactions daily. Finally, does your network rely on any specialized applications like Exchange, Oracle, or SQL? These typically require additional considerations in creating a backup strategy, usually in terms of a specific software package or add-on.
Don’t forget to include antivirus protection when inventorying your network. Is NAVCE running on one or more dedicated servers on your network, or is it running as an additional service on a server that’s performing other functions? Make sure you include all NAVCE directories and services (for instance, AMS2, Quarantine, and so forth) in your list of services that need to be backed up.
In the final analysis, a network baseline is critical in determining what you need to back up on your network. Whether you use built-in Windows or Novell monitoring tools or a third-party performance analyzer, this step cannot be overlooked if you want to create a successful backup and disaster recovery strategy for your network.
Leaving Room for Growth
With ever-increasing dependence on data storage and the corresponding decrease in prices of high capacity hard drives and other storage media, your network’s disk usage and corresponding backup plan will almost certainly need to be revised and expanded as time goes on. This expansion can also potentially affect your NAVCE installation, requiring you to bring a new parent server online to protect additional clients, for example. It’s important to revisit the baseline discussed in the previous section on a regular basis to see what has changed on the network that needs to be included with your backup strategy. Because of this, make sure your selection of backup software, hardware, and media will allow sufficient room for growth so that you won’t be forced to abandon the entire system and buy a completely new one six months down the road.
Planning for Data Retention
With the corporate scandals of the world tramping across the CNN news ticker every day, data retention schedules have become an essential component of any backup plan. It is absolutely critical that your company complies with all federal, state, and/or industry-specific regulations regarding how long data should be maintained. Consult your legal department or whomever else you need for assistance in this matter, because like everything else in this venture, it’s certainly best to get it right the first time. Don’t forget to consider client workstations in this equation either: if your corporate data retention calls for maintaining e-mail data for twelve months, but some users have copies of every item they’ve sent or received in the last five years, that information could easily come back to haunt you in a legal proceeding.
Creating a Workable Backup Schedule
Unless you invest in a software agent designed to handle open files, your data and applications will be unavailable during the time it takes to perform your backups. Full backups take the longest amount of time to back up but are the quickest to restore. Integrating incremental or differential backups into your backup strategy will reduce the time that nightly backups require, but will add to the time needed in the event a file restore is necessary. As with everything else, you need to find a comfortable balance between data protection and usability.
NOTE
See the section on “Creating a Backup Schedule” later in this chapter for a detailed explanation of the difference between incremental and differential backups, and how they can benefit your network backup strategy.
Creating a Tape Rotation Scheme
Simply establishing a backup schedule is not enough to provide protection for your network data; you also need to delineate a media rotation scheme that provides a deep history of file versions. This is especially critical if you need to restore from a virus outbreak, as you may need to go back more than merely a day or two in order to restore an uninfected copy of a file or directory. It is also handy if you need to roll back to a previous version of NAVCE antivirus definitions for any reason. Two popular rotation schedules are the Tower of Hanoi and the Grandfather-Father-Son. You can choose the one that works for you, or use them as a template to customize one that fits your needs. Whichever rotation scheme you choose, be sure to put it in place at all of your business locations.
The Grandfather-Father-Son Rotation Scheme
The Grandfather-Father-Son scheme begins with daily backups. You’ll label three sets of four “Son” tapes, Monday through Thursday, for use on its labeled day. In this scenario, the daily “Son” tapes will not be overwritten for three weeks. These nightly backups can be full backups, incremental, or differential, depending on whatever time constraints you’re under.
The weekly “Father” backups follow a similar pattern: a set of five weekly backup media is labeled “Week 1,” “Week 2,” and so forth. Full backups are recorded weekly, on the day that you don’t use “Son” media. (Following the example in the previous paragraphs, these would be the “Friday” tapes, though that is certainly not set in stone.) You’ll re-use the “Father” tape monthly.
The last set of media is the “Grandfather” set that you’ll use for monthly backups, typically on the final business day of each month. This monthly backup will vary throughout the year, replacing a daily or weekly tape depending on where it falls on the calendar. Typically, you’ll overwrite “Grandfather” tapes on a quarterly or yearly basis, depending on version history and data retention requirements. The GFS backup scheme is illustrated in Table 13.1.
Table 13.1 Grandfather-Father-Son Tape Rotation [table contents not recovered]
The Tower of Hanoi Rotation Scheme
The Tower of Hanoi rotation scheme is more complex, and is typically managed by the backup software itself, rather than manually by an administrator. Media set “A” is used every other backup session—in this example, for daily backups. Begin on Day 1 with “A” and repeat every other backup (every other day). The next media set “B” starts on the first backup day that doesn’t use an “A” tape (in this case, Day 2), and repeats every fourth backup session. Media set “C” starts on the first non-“A” or non-“B” backup day and repeats every eighth session. Media set “D” starts on the first non-“A,” non-“B,” or non-“C” backup day and repeats every sixteenth session. Media set “E” alternates with media set “D.” You can see this illustrated in Table 13.2.
Table 13.2 Sample Tower of Hanoi Schedule
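The two rotation schemes just described, as an added example that is not from the book or from Symantec: a small Python scheduler that says which tape set to load for each backup session or calendar day. It assumes Friday is the "Father" day, twelve monthly "Grandfather" tapes overwritten yearly, weeks counted from the Monday of the start date, and no holiday calendar.

```python
from datetime import date, timedelta
import calendar

# Hypothetical helpers written for this chapter; not Symantec or Syngress code.

SON_DAYS = ("Mon", "Tue", "Wed", "Thu")


def tower_of_hanoi_set(session, sets="ABCDE"):
    """Return the media set used for backup session number `session` (1-based).

    Set A is used every other session, B every fourth, C every eighth, D every
    sixteenth, and the last set (E) takes the remaining sessions so that it
    alternates with D, as the chapter describes.  Counting how many times the
    session number can be halved yields exactly that pattern.
    """
    if session < 1:
        raise ValueError("sessions are numbered from 1")
    level = 0
    while session % 2 == 0 and level < len(sets) - 1:
        session //= 2
        level += 1
    return sets[level]


def tower_of_hanoi_schedule(sessions, sets="ABCDE"):
    """List the media set for sessions 1..sessions, e.g. A B A C A B A D ..."""
    return [tower_of_hanoi_set(n, sets) for n in range(1, sessions + 1)]


def _last_business_day(year, month):
    """Last Monday-to-Friday date of the month (assumption: no holiday calendar)."""
    last = date(year, month, calendar.monthrange(year, month)[1])
    while last.weekday() > 4:
        last -= timedelta(days=1)
    return last


def gfs_label(day, start, son_sets=3, father_tapes=5):
    """Return the Grandfather-Father-Son tape label to load on `day`.

    `start` is the first day of the rotation; week numbers count from the
    Monday of that week.  Monday-Thursday use one of `son_sets` sets of four
    "Son" tapes (a set is reused after `son_sets` weeks), Friday uses one of
    `father_tapes` weekly "Father" tapes, and the last business day of the
    month uses a monthly "Grandfather" tape in place of whichever daily or
    weekly tape would otherwise be due.  Weekends return None (no backup).
    """
    if day.weekday() > 4:
        return None
    week_index = (day - (start - timedelta(days=start.weekday()))).days // 7
    if day == _last_business_day(day.year, day.month):
        # Assumption: twelve monthly tapes, overwritten yearly.
        return "Grandfather-%02d" % day.month
    if day.weekday() == 4:
        return "Father-Week%d" % (week_index % father_tapes + 1)
    return "Son%d-%s" % (week_index % son_sets + 1, SON_DAYS[day.weekday()])


def gfs_schedule(start, end, **kw):
    """Map each business day between start and end (inclusive) to its tape."""
    plan = {}
    day = start
    while day <= end:
        label = gfs_label(day, start, **kw)
        if label:
            plan[day] = label
        day += timedelta(days=1)
    return plan


if __name__ == "__main__":
    print("".join(tower_of_hanoi_schedule(32)))
    for d, tape in sorted(gfs_schedule(date(2002, 1, 1), date(2002, 1, 31)).items()):
        print(d.isoformat(), tape)
```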
Providing an Offsite Storage Location
No matter what size your network, you can’t claim to have created a viable disaster recovery plan without providing for some sort of remote data storage. Take a lesson from the following anecdote: as the story goes, a random network administrator was walking past their office building at about 9 P.M. on a weeknight. There had been some sort of after-hours seminar in one of the conference rooms, and someone had pulled the fire alarm. So there was our hero, staring at four fire engines parked in front of his building with their lights flashing. His first thought was, “Will I be risking my life if I go in there to grab the backup tapes that are in my desk drawer?” Though it ought to go without saying, don’t let this happen to you. Keep a small amount of backup media onsite, and move the rest to an alternate location. The choice of locale is up to you, but I would certainly recommend that you store them at the very least in another building, so that a major disaster will not be able to affect your servers and your backup media. If your company does business in multiple offices or cities, some elements of your choice in offsite locations will become much simpler—you can store backup tapes from the Princeton, New Jersey servers at the New York City office, and so on. But even a configuration such as this should still make some provisions for a wholly separate site in case of an emergency that affects the entire enterprise.
WARNING
When choosing a site for your offsite data storage, don’t give in to overkill: Your backup media shouldn’t be so far away that it can’t be accessed within a reasonable time frame. Backup tapes that are inaccessible for any reason will do you and your company no good whatsoever.
When choosing a remote site, there are several possibilities:
■ Mutual aid agreement This is a reciprocal agreement with another company or service provider in which you agree to assist each other in the event of an emergency. This can take the form of simple backup storage—swapping tapes with the other company’s network administrator on a regular basis to store them at each others’ sites—all the way to providing actual workspace and computing resources to allow the partner company to continue functioning through a disaster. While this idea seems valid (and a bringer of good karma, to boot), on closer examination it has several apparent flaws. It first assumes that the two organizations possess sufficiently comparable computing environments such that one could support the processes of another. Second, a disaster of sufficient magnitude to affect both organizations would render the agreement meaningless. Finally, there is the matter of security: without some official agreement such as bonding or security clearances, most companies would not be comfortable leaving their backup tapes and critical data in the hands of another, possibly competing, location.
■ Cold site This is the least expensive option for hosting an alternate business location. It simply consists of a room or an area that’s ready for PCs and servers to be installed into. It possesses electrical and heating/cooling services, but no preconfigured equipment or servers. In the event of a service outage, computer equipment and communications links will need to be brought in, and all data and applications will need to be restored or reinstalled before business processes can continue. This is obviously a labor-intensive process, but it provides an alternate site for a company that may not have the budget for a more comprehensive plan. If you opt for this type of offsite location, be sure to include NAVCE in your list of applications and servers that need to be restored to the cold site.
■ Warm site One step up from a cold site, warm sites will have the necessary computer equipment and network services (such as T-1 or ISDN lines) already installed. In a warm site, you need only perform data restores and update NAVCE to the most current antivirus signatures to return your company to at least temporary working order. This increase in recovery speed comes in return for the increased cost of maintaining redundant equipment and connectivity.
■ Hot site This is the most involved (and expensive) option in establishing an alternate processing site. The level of expense associated with a hot site is quite extensive, as it requires installing two complete sets of IT infrastructure: servers, software, and so on, requiring a great deal of staff involvement in keeping the alternate site up-to-date. The advantage of a hot site is that all necessary communications, hardware, and software will be almost immediately available for use during an emergency, and can support your network’s business processes even during an extended outage.
NOTE
Many hot sites use a process called “remote journaling,” where all data modifications made on production servers are immediately replicated to their hot-site counterparts. This removes from the recovery process the time required to restore from the most recent backup, allowing your users to resume work right away.
Whether you establish a fully functional hot site to allow your business to continue functioning, maintain a simple offsite storage location for your backup tapes so that your data can still be restored following a disaster, or any step in-between, designating an offsite storage or processing location should be a part of any good disaster recovery plan.
Striking a Balance Between Cost and Convenience
We are all in a time of belt-tightening and making do with less than we’d otherwise like. So, when determining your disaster recovery plans, meet with all of your decision-makers and department heads to figure out how much downtime is, if not acceptable, at least tolerable. If they’re not willing to drop five figures on a Gigabit-Ethernet storage area network, for example, then be prepared to offer a “down-sell.” Before you leave the room, make sure they understand what they’re paying for and what it’s getting them. If your company doesn’t use service level agreements (SLAs), this might be a good time to develop one. (We’ll talk about SLAs in the “Defining Support and Service Levels for Your Organization” section later in the chapter.)
Training Your Staff
Depending on the size of your organization, every member of your IT staff (or at least a sizable portion thereof) should be able to restore a file or directory upon request. Think about it: do you want to be the one to tell a vice president that she can’t get her spreadsheet back until the “backup guy” returns from lunch? Remember always to keep your users happy and productive—it’s the biggest part of our job, after all.
Involving Your Users in the Disaster Recovery Process
What plans, if any, do you have for backing up your users’ workstation hard drives? If users are expected to save their data to the LAN in order for it to be included in the nightly backups, have they been made aware of this? When was the last time you reminded them? And did anyone tell the new accountant who started last week? Consider adding a ten-minute “Welcome to your Help Desk” presentation to your company’s employee orientation—you can extend this to touch on backup issues, antivirus awareness, and NAVCE usage; whatever you feel is necessary. Issue friendly reminders via e-mail or a printed memo circulated every quarter or so. Do a little, do a lot, as your environment dictates, but make sure your users know enough to get into the game.
Testing Your Backups
The importance of this simply cannot be overstated, since your backups are only as good as how well they perform when you actually need a file restored. Don’t become another network administrator who runs backups faithfully for months and months only to discover too late that your tapes contain no useful information. Build some time into your weekly schedule to perform test restores of various files and directories to verify that your tapes are functioning properly. Also take the time to test a full restore of your major applications and services: documenting the steps to take if your e-mail server suffers a failed motherboard and you need to rebuild a new machine from scratch, for example.
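An added example, not code from the book or from Symantec, for the test restores recommended above and in the NAVCE restore sidebar that accompanies this section: it fingerprints a production and a restored copy of a directory tree by size and SHA-256 so the two can be compared (rather than by "Date Modified", which the chapter warns changes daily for NAVCE program files), and retargets the Parent=S<ServerName> line of grc.dat when the restored server carries a new name. It assumes grc.dat is a plain Key=Value text file, as the chapter's advice to diff it in Notepad implies; directory paths and server names are placeholders.

```python
import hashlib
import os
import re

# Hypothetical helpers written for this chapter; not Symantec or Syngress code.
# Assumption: grc.dat is a line-oriented Key=Value text file and the parent
# server is named on a line of the form "Parent=S<ServerName>" (the syntax the
# chapter gives).  The pattern stops before CR/LF so CRLF files are preserved.
PARENT_RE = re.compile(r"^(Parent=S)([^\r\n]*)", re.MULTILINE)


def snapshot_dir(root):
    """Map each file under `root` (path relative to root) to (size, sha256).

    Size and content are used rather than timestamps: a restored copy with the
    same bytes is a good restore even if its dates differ.
    """
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[rel] = (os.path.getsize(full), digest)
    return snap


def compare_restore(production, restored):
    """Compare two snapshot_dir() results and report every discrepancy.

    Returns files missing from the restore, files present only in the restore,
    and files whose size or content differs.  An empty report means the test
    restore reproduced production exactly.
    """
    return {
        "missing": sorted(set(production) - set(restored)),
        "extra": sorted(set(restored) - set(production)),
        "changed": sorted(f for f in production
                          if f in restored and production[f] != restored[f]),
    }


def parent_server(grc_text):
    """Return the server name a grc.dat points to, or None if it has no Parent line."""
    m = PARENT_RE.search(grc_text)
    return m.group(2).strip() if m else None


def retarget_grc(grc_text, new_server):
    """Return grc.dat text with its Parent line pointed at `new_server`.

    Only the Parent=S<ServerName> line is rewritten; every other byte is kept
    so the file can be pushed to clients unchanged otherwise.  A file without
    a Parent line raises ValueError instead of silently adding one.
    """
    if PARENT_RE.search(grc_text) is None:
        raise ValueError("no Parent=S<ServerName> line found in grc.dat")
    return PARENT_RE.sub(lambda m: m.group(1) + new_server, grc_text, count=1)


if __name__ == "__main__":
    # Constructed sample grc.dat content using the chapter's placeholder names.
    sample = "Parent=SNAVSERVER1\r\nSomeOtherKey=1\r\n"
    print(parent_server(sample))
    print(retarget_grc(sample, "NAVSERVER2"))
    # Constructed snapshots standing in for snapshot_dir() over two directories.
    prod = {"grc.dat": (18, "aa"), "navapw32.dll": (5, "bb")}
    rest = {"grc.dat": (18, "aa"), "navapw32.dll": (5, "cc")}
    print(compare_restore(prod, rest))
```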
Notes from the Underground…
Making Sure Your NAVCE Servers Can Be Restored
The best way to ensure that your NAVCE server is being backed up properly is to perform a test restore on a regular basis. You can use a dedicated workstation for this purpose, or simply restore the information to a test directory on the production NAVCE server. The backup hardware and software that you’re using will largely dictate your options in performing a test restore—you may be limited to performing a restore on the machine that physically contains the backup device, for example.
The most critical file to restore is the grc.dat file, as this contains all pertinent configuration information for your NAVCE clients. However, you should attempt to restore all NAVCE-specific files in the ~\Program Files directory structure, including such default locations as ~\Program Files\NAV and ~\Program Files\Symantec Shared.
Once you have performed a test restore, use Windows Explorer to compare the size, date, and version number of the test files against those in the production environment. (Make sure to check the “Date created” field rather than the “Date Modified” field, as the latter will change on a daily basis in the case of most NAVCE program files and DLLs.) For text files—such as grc.dat and others—open the files in Notepad to compare their contents—they should be identical. Finally, for a true litmus test, manually copy the restored files directly into the production locations to verify that NAVCE will continue to function using your restored files.
The grc.dat file becomes especially important if you need to install or re-create your NAVCE installation on a machine with a different computer name—NAVSERVER2.test.com instead of NAVSERVER1.test.com, for example. You’ll need to manually edit the grc.dat file to point to the new NAVCE server name using the following syntax:
Parent=S<ServerName>
You’ll then use a batch file or login script to push the modified grc.dat to your NAVCE clients. Otherwise, your clients will continue to look for update information from the old server name, and will no longer receive antivirus definition updates and the like. The grc.dat file resides, by default, in the following locations on your NAVCE clients:
■ Windows 9x/ME: C:\Program Files\Norton AntiVirus
■ Windows NT: C:\WINNT\Profiles\All Users\Application Data\Symantec\Norton Antivirus Corporate Edition\7.x, where x is the version number of the NAVCE software you are running
■ Windows 2000/XP: C:\Documents and Settings\All Users\Application Data\Symantec\Norton Antivirus Corporate Edition\7.x
Once you’ve copied the modified grc.dat file to your clients, they will begin to look to the new NAVCE server for update information after they’ve been rebooted.
Designing a Disaster Recovery Plan
Designing a disaster recovery plan falls into two conceptual halves:
1. Define the critical processes and potential liabilities faced by your organization (“What needs to be protected?”)
2. Detail the actual steps required to ensure that your business functions (“How are we going to protect these processes?”)
NOTE
You’ll often hear the term Business Continuity Plan (BCP) used within the context of disaster recovery. The key difference between a BCP and a disaster recovery plan is one of timing: A BCP is primarily concerned with the preliminary steps of identifying the critical processes and the potential losses to prepare against—the first half of the process. A disaster recovery plan deals with the second half of the equation, or the actual steps needed to protect corporate data and processes in the event of an actual incident.
Defining Mission-Critical Criteria for Your Organization
Properly determining which files, services, and applications need to be included in the disaster-recovery strategy is a step whose importance cannot be overstated. In Chapter 9, we discussed inventorying your company’s business processes and network applications in conjunction with developing a security strategy: we’ll use the same process here to determine an appropriate backup strategy.
A properly formulated disaster recovery plan needs to address all areas of information technology within your company, including (but not limited to):
1. LAN and WAN network infrastructure, including routers, hubs, switches, and wiring
2. User workstations, including all locally installed applications
3. File and application servers, including any internally hosted Web or e-mail servers
4. Storage of archive and backup data and media
5. Personnel duties and responsibilities
Subsequent to identifying the services and applications that need to be addressed by your disaster recovery plan, your next step will be to prioritize them based on the potential impact that would be created by the loss of that service.
This phase can prove to be the toughest needle to thread, since every single department manager will insist that his or her process is the most critical to the overall survival of the business. (What makes this even tougher is that, more often than not, every single one of them will be right.) This kind of prioritization is one that cannot be made by the IT staff alone—similar to the network security plan discussed in Chapter 9. Formulating a disaster recovery plan will require involvement and buy-in from all facets of your organization. While there are no hard and fast rules for prioritizing your company’s network services, here are a few things to keep in mind:
■ Time-sensitive and legally mandated processes should be prioritized ahead of those services that are not. The most common example of this is payroll, but it can also include ordering of inventory and supplies, or filing financial reports with an agency such as the Securities and Exchange Commission (SEC). Solicit the involvement of your legal department or corporate counsel if there are any doubts or gray areas.
■ Determine the maximum downtime that a network service or application can sustain before the damage to the company becomes absolutely irrevocable. Obviously, in a perfect world we’d like to say that zero downtime is tolerable—however, that goal is simply unattainable.
■ When examining your NAVCE configuration, keep in mind that while the availability of the NAVCE server may not seem to directly affect your users’ productivity, some form of antivirus protection needs to be available to your users as quickly as possible, especially if the outage you’re recovering from was caused by a virus outbreak in the first place. Reestablishing your NAVCE configuration as a major priority will prevent your clients and servers from becoming virus infected (or re-infected) while you perform data and service restorations.
NOTE
Would you say that 99.99 percent uptime is an impressive number? I certainly would. But think about this: an application with 99.99 percent uptime will sustain an average of 525 minutes (or just short of nine hours) of downtime each year. That might mean ten minutes of unavailability every Saturday night, or nine hours of continuous downtime due to an extended network outage.
■ Assuming that some downtime is going to occur, at some point you’ll want to factor in the resources necessary to restore a particular service to working order. For example, let’s say you decide the payroll application has the highest priority on your network, but restoring that application will only take one person 20 minutes to perform. On the basis of that information, you can plan to allocate additional staff to a more labor-intensive process like physically setting up end-user workstations in an alternate location.
■ The number one priority of any disaster recovery plan is that of personnel safety. You can talk about preserving capital and assets and the corporate image until you’re blue in the face, but your largest concern must be ensuring and maintaining the safety of your people.
Identifying Vulnerabilities
Once you’ve determined your organization’s critical processes and established their relative priorities, you’ll need to determine the actual impact that would occur in the event of a service disruption. The potential losses in a service interruption come in two varieties:
■ Quantitative losses These are losses that can be expressed in concrete figures, usually financial ones. This can include direct effects such as lost sales resulting from an outage of your e-commerce application. However, financial losses can also result from a “trickle-down” effect like additional monies paid to contractors during an outage, fines assessed after a regulatory violation or contract violation created by an outage, and so forth.
■ Qualitative losses While not the kind of shortfall that can be recorded in a bank account register, these can be as devastating to an organization as a straightforward financial loss. Especially in an age of instant news reporting, public image and credibility can be more important to a company’s stability than anything else—a highly publicized disaster incident can shake your customers’ confidence in an instant. Other such damages can extend to the loss of market share resulting from a data loss.
NOTE
Make sure that your disaster recovery plan addresses communication needs—not just to keep internal staff apprised of the current network status, but to inform other appropriate parties like shareholders or media contacts This will prevent unfounded rumors from taking root and adversely affecting your customers’ perceptions of the situation.
Implementing a Backup Strategy
Once you’ve determined which data needs to be included in your organization’s backup and disaster recovery strategies, you’ll next turn to more practical matters of selecting an appropriate backup technology. You’ll need to select an appropriate hardware and software combination to meet your data storage needs. (We’ll discuss various options for this in an upcoming section.) Finally, you’ll create a backup schedule that’s suited to the needs of your network environment, using a combination of full backups with differential or incremental backups to speed the nightly backup process. These three considerations will complete the “How,” “Where,” and “When” pieces of your backup puzzle.
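The trade-off between differential and incremental backups is easier to see with a small model than in prose. The following is an added illustration, not code from the book, from NAVCE or from any backup product: files are represented as a dict of path to the day they last changed, a full backup runs on day 0 (Sunday) and six nightly backups follow, with each nightly backup running after that day’s changes. Every file name and change day is constructed sample data.

```python
"""Full, differential and incremental backups: what each night copies and
what a restore must read back.

This is an added illustration, not code from the book or from any backup
product.  Files are modelled as a dict of path -> day-of-last-change, and
nightly backups run after the day's changes (all constructed sample data).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class BackupSet:
    kind: str               # "full", "differential" or "incremental"
    day: int                # day the set was written (0 = Sunday full)
    files: Dict[str, int]   # path -> change day of every file captured


class Schedule:
    """Tracks the reference points each backup type measures change against."""

    def __init__(self) -> None:
        self.last_full: Optional[int] = None   # day of the most recent full backup
        self.last_any: Optional[int] = None    # day of the most recent backup of any kind
        self.sets: List[BackupSet] = []

    def run(self, kind: str, day: int, fs: Dict[str, int]) -> BackupSet:
        """Select files for tonight's backup and record the set."""
        if kind == "full":
            selected = dict(fs)                         # copy everything
        elif kind == "differential":
            if self.last_full is None:
                raise ValueError("a differential backup needs a prior full backup")
            # everything changed since the last FULL backup (grows night by night)
            selected = {p: d for p, d in fs.items() if d > self.last_full}
        elif kind == "incremental":
            if self.last_any is None:
                raise ValueError("an incremental backup needs a prior backup")
            # everything changed since the last backup of ANY kind (stays small)
            selected = {p: d for p, d in fs.items() if d > self.last_any}
        else:
            raise ValueError(f"unknown backup kind {kind!r}")
        bs = BackupSet(kind, day, selected)
        self.sets.append(bs)
        if kind == "full":
            self.last_full = day
        self.last_any = day
        return bs

    def restore_chain(self) -> List[BackupSet]:
        """The sets, in order, that a restore of the latest state must read."""
        fulls = [i for i, s in enumerate(self.sets) if s.kind == "full"]
        if not fulls:
            raise ValueError("nothing to restore from")
        start = fulls[-1]
        chain = [self.sets[start]]
        for s in self.sets[start + 1:]:
            if s.kind == "differential":
                chain = [self.sets[start], s]   # a differential subsumes everything since the full
            else:
                chain.append(s)                 # every incremental since the full is needed
        return chain


def restore(chain: List[BackupSet]) -> Dict[str, int]:
    """Replay the chain oldest to newest.  (Deletions are not modelled here;
    real backup software records them so a restore can remove files too.)"""
    state: Dict[str, int] = {}
    for s in chain:
        state.update(s.files)
    return state


def simulate_week(kind: str) -> Tuple[List[int], List[int], bool]:
    """Sunday full backup, then six nightly backups of `kind`.

    Returns (files copied each night, days read back on restore,
             whether the restore reproduces the live file set)."""
    sched = Schedule()
    fs = {"app.exe": 0, "config.ini": 0, "log.txt": 0}   # constructed sample files
    sched.run("full", 0, fs)
    nightly = []
    for day in range(1, 7):
        fs["log.txt"] = day              # the log changes every day
        fs[f"report{day}.doc"] = day     # one new document per day
        nightly.append(len(sched.run(kind, day, fs).files))
    chain = sched.restore_chain()
    return nightly, [s.day for s in chain], restore(chain) == fs


if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        nightly, chain, ok = simulate_week(kind)
        print(f"{kind:>12}: nightly={nightly} total={sum(nightly)} "
              f"restore reads days {chain} ok={ok}")
```

Running it shows the shape of the choice: the differential schedule copies a growing set each night (2, 3, 4, 5, 6, 7 files) but a restore reads only two sets, the Sunday full and the latest differential; the incremental schedule copies a constant 2 files a night but a restore has to read the full plus every incremental since. Shorter backup windows on one side, more tapes to mount (and more that can fail) at restore time on the other.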
Choosing Backup Software
Similar to any other PC or server utility, there are innumerable choices in backup software on the market today. While the final choice of a backup software vendor is beyond the scope of this book, there are a few key factors that should be present in any software choice. Keep the following checklist in mind while evaluating and selecting backup software for your network:
■ Hardware requirements Determine what sort of hardware resources your backup software will need to run properly. As you are well aware, there are “recommended” requirements, and then there are “operating” requirements. In other words, the stated minimum on a vendor Web site may not be a practical reality within your network environment. Most vendors will provide a limited-time evaluation copy of their software for you to test: perform some reasonably intensive backups while monitoring your server and network performance metrics—processor time, hard disk usage, bandwidth utilization, and the like. Make sure that whatever package you select will be able to perform backups within your necessary time frames without bringing the rest of your system services to a grinding halt.
■ Software compatibility Aside from the obvious “Will this run on my operating system?” question, many applications like Microsoft Exchange, SQL Server, and Oracle require special software plug-ins (commonly referred to as agents) in order to be backed up properly. The reason for this is that these applications keep certain files open for use at all times, and many “vanilla” backup software packages are unable to process them correctly. Make sure you include any of these agents in the testing phase described in the previous bullet, as they will certainly create additional hardware and bandwidth demands on your network. Also, determine how the backup software will interoperate with NAVCE’s real-time scanning function: some packages may require you to disable real-time scanning during the backup process, providing their own built-in virus scanning before a file is copied to tape or other backup media.
■ Security Backup tapes are an often overlooked vulnerability in any security plan. Since most backup software packages are available commercially, a disgruntled employee could simply slip a backup tape into his or her briefcase, and then use another computer to restore and access your company’s confidential data. While physically protecting your backup tapes is more a human and administrative function than anything else, your backup software should provide some built-in security mechanisms. You should be able to encrypt and password-protect the contents of your backup tapes, ensuring that even if the tapes leave your physical control, a would-be attacker would find them useless. Additionally, make sure that the network traffic created as the files are copying is also encrypted, in order to circumvent any damage from network sniffers or capture utilities.
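What “encrypt and password-protect the contents of your backup tapes” has to deliver is shown below in an added example that is not code from the book, from NAVCE or from any commercial backup product. It assumes the third-party `cryptography` package (AES-256-GCM) and stretches the operator’s passphrase with the standard library’s scrypt; the sample file names and contents, the tape label and the ENCBAK1 container tag are all constructed for the illustration. The checks at the end are the ones a practitioner would want of a real product: a tape that walks out the door reveals no file names or contents, a wrong passphrase yields nothing rather than garbage, and any alteration of the tape is detected rather than silently restored.

```python
"""Encrypt and authenticate a backup archive before it goes to tape.

Added example, not code from the book, from NAVCE or from any backup
product.  Assumes the third-party `cryptography` package (AES-256-GCM);
the passphrase is stretched with the standard library's scrypt.  File
names, contents, the tape label and the ENCBAK1 container tag are all
constructed for this illustration.
"""
import hashlib
import io
import secrets
import tarfile
from typing import Dict, List, Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"ENCBAK1"     # constructed container tag: MAGIC | salt | nonce | ciphertext+tag
SALT_LEN = 16
NONCE_LEN = 12         # 96-bit nonce, as GCM expects


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Turn the operator's passphrase into a 256-bit key (scrypt, 16 MiB of work)."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def make_archive(files: Dict[str, bytes]) -> bytes:
    """Pack name -> content into an in-memory tar; stands in for the backup set."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def list_archive(archive: bytes) -> List[str]:
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        return tar.getnames()


def seal(archive: bytes, passphrase: str, tape_label: bytes) -> bytes:
    """Encrypt the archive.  The tape label is bound as associated data, so a
    sealed archive only opens when presented with the label it was written for."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)      # fresh salt + nonce per archive; never reuse
    key = derive_key(passphrase, salt)
    return MAGIC + salt + nonce + AESGCM(key).encrypt(nonce, archive, tape_label)


def unseal(blob: bytes, passphrase: str, tape_label: bytes) -> Optional[bytes]:
    """Return the archive, or None if the passphrase, label or bytes are wrong.
    GCM's tag check fails closed: a single flipped bit rejects the whole archive."""
    if not blob.startswith(MAGIC):
        return None
    off = len(MAGIC)
    salt, off = blob[off:off + SALT_LEN], off + SALT_LEN
    nonce, off = blob[off:off + NONCE_LEN], off + NONCE_LEN
    key = derive_key(passphrase, salt)
    try:
        return AESGCM(key).decrypt(nonce, blob[off:], tape_label)
    except InvalidTag:
        return None


def demo() -> Dict[str, bool]:
    """Seal a small archive and check what someone holding the tape can and cannot do."""
    files = {"payroll/2003-q1.csv": b"emp,amount\n1001,4200\n",
             "hr/notes.txt": b"confidential\n"}          # constructed sample data
    passphrase, label = "correct horse battery staple", b"TAPE-0042"
    blob = seal(make_archive(files), passphrase, label)
    flipped = blob[:-1] + bytes([blob[-1] ^ 0x01])          # one bit changed on the tape
    restored = unseal(blob, passphrase, label)
    return {
        "plaintext_hidden": b"confidential" not in blob and b"payroll" not in blob,
        "restore_ok": restored is not None and list_archive(restored) == list(files),
        "wrong_passphrase_rejected": unseal(blob, "guess", label) is None,
        "tamper_rejected": unseal(flipped, passphrase, label) is None,
        "wrong_tape_rejected": unseal(blob, passphrase, b"TAPE-0001") is None,
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check:28s} {'ok' if passed else 'FAILED'}")
```

Two design points carry over to evaluating a vendor’s product. First, the salt and nonce are generated fresh for every archive and stored with it, because reusing a GCM nonce under the same key breaks the confidentiality of both archives; a product that derives a fixed key from the password and nothing else is weaker than it looks. Second, sealing the archive protects it only once it is written; the book’s other requirement, that the traffic between clients and the backup server be encrypted while files are copying, is a separate transport-level control and is not addressed by this block.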
Selecting Hardware and Media
Along with selecting the software that you’ll use to back up the data on your network, you’ll also need to decide what type of media you’ll use to store that data. You should base this decision on your overall network structure, as well as the total amount of data that you’ll be contending with. In this section, we’ll cover the different types of media available, from simple floppy disks to auto-loading tape and optical jukeboxes. We’ll first discuss each item individually, and provide a summary of the backup capacity of the various media options in Table 13.3. Each option is discussed further in the following sections.