One of the best parts of working both with and for Deft is the sheer amount of advanced technical knowledge you have access to. To illustrate that aspect and to offer another avenue for our clients and friends to communicate with us, we are hosting a monthly Q and A series called Ask the Expert.
The first virtual event focused on networks. Deft’s VP of Marketing, Chris Rechtsteiner, moderated viewer questions for Lead Network Architect Chris Haun and Network and Automation Engineer Charles Rumford. Here’s what was covered.
Security solutions: IPv6, WAN and blocking specific traffic
As cyber-security threats become more common every day, it’s no surprise that network security came up in a few questions during our discussion. One of the big picture questions for our experts was:
What’s one thing I should start paying more attention to regarding network management and security?
“IPv6 is something people need to start adopting,” said Haun. “The best time to have done that was five years ago and the second best time is today.”
Utilizing IPv6 can simplify a lot of the system’s architecture and — as long as your team has meticulous architecture documentation — can make troubleshooting and asset management easier. The benefit of switching to IPv6 now is that it gives your system access to an unending amount of IP addresses.
“Every regional internet registry that hands out IP addresses for v4 are all out,” said Haun.
“Make sure you haven’t unknowingly turned on v6,” added Rumford. “I’ve seen this a lot more with home networks than business networks, but people don’t realize that their systems could be completely open to the internet via v6.”
Watch the full answer here.
What security-related solutions are available or recommended to support WAN to client and WAN to public cloud?
Taking a layered approach is best practice for routing these data pieces. “Don’t just look at the network encryption. Make sure you’re looking at your application layer for security,” said Rumford. “Don’t rely on VPN tunnels for transmitting data between applications and from applications to clients.”
If data leaks in this process, you will have a big, big problem. See more about this question in the full video answer here.
Can you block IP traffic by country of origin? What is the most efficient way to do this?
One of the benefits to modern firewalls is that they have the ability to block traffic from specific countries via IP address. However, there can be limitations.
“Those lists aren’t always accurate,” said Haun. “The internet is the internet, so people can still find out ways to get to you if they want to.”
The full answer can be seen here.
The bigger network picture: network redundancy and load balancers
The question that got the widest array of answers from our experts was this one:
What are the best practices for network redundancy?
“There’s so many ways to handle network redundancy,” said Haun.
Here are just a few:
- Utilize dual uplinks in your colocation facility.
- Use a Versatile Routing Platform (VRP) to funnel data into a switch. This lets your upstream provider do upgrades and lets you not worry about network connectivity.
- With larger spaces, using border gateway protocols (BGP) can bring up multiple links to a provider to source redundancy.
- Get a big whiteboard and draw out the network and the data flows. Start crossing off links with a marker to simulate failures and verify that traffic still flows.
- Make sure your backup is as big as your primary data storage. If your primary is ten gigs, your backup should be at least that big as well.
- Buy redundant hardware and build redundant configurations. A good goal is to be able to cut 50% of the network configurations and still be up.
- Try to keep your other data centers a few hours away from your primary location. You don’t want emergency weather to hit both data centers at the same time.
These suggestions are just the beginning when it comes to maximizing network redundancy. The necessary tweaks and changes for your specific business needs are something our experts can handle when they get a close up look at your system.
Watch the full answer here.
What are the right and wrong ways to implement network load balancers?
One of the more important questions according to our experts is if your network architecture needs a load balancer.
“More than once I’ve seen a load balancer configured to deliver every request to every server,” said Haun. “I don’t understand why someone would make that choice. All it does is increase the load on your pool instead of decrease the load on your server.”
Rumford has also experienced less-than-optimal load balancer configs.
“If you’re using a load balancer to transition between public IP space and a private server, just put that server on a public IP address,” said Rumford. “Otherwise, you are increasing your complexity and decreasing your security posture. It then becomes harder to audit and overall just harder to figure out what’s going on.”
See the full expert answer here.
There are additional security measures that can be taken depending on the specifics of your business. Let’s talk about what the best solution for your team will be.
