Virtual replica and backup

One of the fantastic things about using a virtualized environment for your key servers is that you get Disaster Recovery, Ransomware resilience and Backup in one solution

I have used Hyper-V as the virtualization platform but VMware, Virtualbox, KVM and others can also be used.

Replication involves maintaining a live copy of the virtual machines on a second physical server. The capability is built into Windows Server. The replica server is updated at intervals as short as 30s. In the event of a physical failure of one server, failover to the replica server is quick and easy.

You can also run backups of the virtual machines on the main server so that you can restore a machine to a particular (last good) point in time in the event that the files are corrupted – for example by Ransomware. Veeam and Altaro and others provide good products for this.

The easiest way to use Microsoft Hyper-V is to purchase 2 licenses for Windows Server 2019 standard and deploy this on two computers – the primary server and the replica server. The replica server can be lower spec hardware and is to be used temporarily if there is a physical fault in the primary server. This also gives the right to have two virtual installations of windows 2019 for say domain controller and main medical software server.

This is a relatively expensive solution – the two licenses together are over AUD 3000. If you have an existing domain controller there is a cheaper but much more difficult way to do it.

Microsoft Hyper-V server is a free product which runs on the bare metal and it is possible to configure replication on the platform.

Remote File Systems

One feature of computer networks we use at the office is access to files that are on a remote server. This might be a shared drive, a networked attached storage or similar. The capability is also used by much medical and imaging software. Software on the client computer accesses files on a remote computer via a share. Underpinning this capability is a brilliant invention – the remote file system.

Although there are a number of these systems including AFS and NFS, almost all such communication is now done through the Microsoft Server Message Block (SMB) file sharing system. The system offers great flexibility including strong authentication of users, authorization of rights to those users and the ability to lock all or part of the file to prevent two users simultaneously accessing the file making incompatible changes.

In a Windows Active Directory, the system is even more powerful with the Domain controller performing authentication of users with a powerful encryption system known as Kerberos.

Unfortunately, the power of SMB file sharing also yields its key vulnerability to ransomware. Malware that runs within the context of a logged on user can use the credentials to traverse the network, finding network shares on all computers on the domain. Worse, for computers running Windows 8 or earlier, the malware can actually extract username and password from memory. If that user has domain administrator privileges, the malware can destroy the whole network. The malware can also run a dictionary attack within the domain to try to crack the “Administrator” account giving it supreme power within the domain – even able to lock out all existing users

Using SMB file sharing as the method between client and imaging server constitutes and unacceptable security risk by design. Software and hardware vendors should be strongly discouraged from using this technology – convenient though it is

The other consideration is that backups created using this technology are also extremely vulnerable to ransomware which will seek them out. It is much safer to send the backups to a remote location by a technology other than SMB file sharing

It is precisely the fact that the ransomware targets and often succeeds in destroying backups before or at the same time as attacking the primary files that makes paying the ransom often the only option

The way back – Static routes

Our recommendation is to segment part of the network behind a routed firewall to protect backups and virtual hosts. The problem is that computers on our general network cannot find the secure network segment.

Our general network, including our virtual servers (not hosts) are on the network 192.168.0.0/24 with a gateway of 192.168.0.1 Consider a computer on the network C2 with an ip address of 192.168.0.77

Our secure segment is behind a routed firewall. That network segment is 192.168.10.0/24 with a gateway of 192.168.10.1 Consider our host server H1 at 192.168.10.55

Our routed firewall F1 has two interfaces – one in each network. These are 192.168.0.2 and 192.168.10.2

So C2 tries to communicate with the H1. C2 determines that the address of H1 is outside of its subnet so it sends the frame to its default gateway. The gateway sends the packet out to the internet and not to F1. The communication does not find H1.

The solution to this problem is to add a route to the gateway router. In Cisco IOS this would be

ip route 192.168.10.0 0.0.0.255 192.168.0.2

With Cisco ASA it can be configured through the web interface

with a Fortigate it can also be done through the web interface

This complexity is difficult but necessary to maximally protect the secure network from a compromise of the office network segment.

Firewalls

A firewall is a device that separates two network segments and filters the flow of packets between them.

In general, firewalls are routers (routed firewall) but they can be between separate physical parts of the same subnet. This is known as a transparent firewall. In this scenario, you would have two switches, each connected to different interfaces on the transparent firewall. The advantage of this is that the firewall can be removed and the two switches connected together if necessary. This won’t work for a routed firewall because the two parts are in different subnets and still need a router. Either type of firewall is much slower than a network switch and most routers when they are not firewalled

A simple firewall will track outgoing requests (for example an http request for a webpage) and will allow the return traffic – this is known as a stateful firewall. It will also allow specified traffic to pass from the unsafe to the safe interface if it conforms to certain rules (port, protocol, source IP address etc)

This sort of firewall is good for the segment boundary but is inadequate for the interface to the internet. For that, a next generation firewall (NG firewall) is required. This will check each packet against regularly updated lists of threats. NG firewalls need an annual subscription. Popular models include Cisco, Fortinet and PaloAlto

Network Address Translation (NAT)

In thIe previous example, we had a router connecting our two private networks – the office network 192.168.0.0/24 (the /24 means a subnet mask of 255.255.255.0) and 192.168.10.0/24

So C1 sends the data to an interface on R1, R1 determines the destination is via its other interface and send the data on to O1. O1 needs to send the reply back to C1. It sends the reply to its gateway – the interface on R1 which sends it back out the other interface back to C1. This all works fine.

When C1 wants to send a message to gmail for example, it finds the address of the server by DNS. (you can do this yourself by typing nslookup at a command prompt).

gmail.com resolves to the IP 216.58.200.101 This is not in the subnet so the frame is sent to the router for the next hop.

The modem/router will have an IP address on the interface that faces the internet. This is known as the public IP address. You can find yours out by going to the website

What Is My IP?

without NAT, the return ip address for gmail will be the internal address of our computer C1 192.168.0.55 gmail has no way of sending a reply to that address and it won’t work.

What NAT does is that the router will change the return (source) address from C1’s address to its own public IP address (which gmail can find) and then when the return comes in to change the IP addresses again to C1’s address. It does this by maintaining a table of translations and manipulating ports. Ports are a feature of some level 4 protocols (above level 3) such as TCP and UDP. They are important to be aware of because firewall filtering can be done by port. Protocols that have no port cannot be processed by NAT. An example of this includes some of the protocols underpinning Virtual Private Networks (VPN). NAT will also make a mess of some other protocols including the Voice over IP protocol SIP

Routers

A router connects subnets. To do this it takes an ethernet frame, unpacks the IP (layer 3) packet within it, works out what to do with it, repackages it up into a new ethernet frame and sends it out another interface to the “next hop”. This consumes a fair amount of computing resources – routing is much slower than switching. An important point is that a router, even with gigabit physical interfaces, cannot perform the routing at anywhere near this speed.

Imagine that your practice is segmented with 2 switches:

  • The main network : Computers and the server connected together with a 10 port switch. Network address 192.168.0.0 255.255.255.0 (devices IP addresses between 192.168.0.1 and 192.168.0.254

    The default gateway is the router R1 at 192.168.0.1

    consider a computer C1 at 192.168.0.10

  • The imaging network : The OCT machine and other imaging devices connected together with a second 10 port switch. This network 192.168.10.0 255.255.255.255

    The default gateway is a second port on the router with address 192.168.10.1

    consider the OCT machine O1 at 192.168.10.77

So if C1 wants to see O1, it first checks whether the device is in the same subnet. It isn’t in this case so it sends the frame to the default gateway R1. R1 knows about both subnets so it routes the frame to O1 on the second subnet. Replys from O1 back to C1 do the same process in reverse.

We have now segmented the network. We have not yet made it much more secure though. If we had an insecure device – say a telnet client O2 at 192.168.10.55 , it could still be reached from an intrusion (eg virus) on the other network segment at 192.168.0.5 . The router will send our information from one network to the other and back again. All we have stopped is a virus scanning for open services on the other network. For this to be a security measure, we need to filter (or firewall) what goes from one network to the other.

Most people think of a router as synonymous with a modem. Indeed, the internet connection we have at home or office is in fact both a router and a modem. The router routes the packets from our private network to the outside world. The difference between this and the previous example above is that it does something special as well called network address translation or NAT.

The IP network

Recall that the MAC address was (usually) set by the manufacturer and should be globally unique for a device. But where does the IP address of a device come from?

The IP address of a device is set by the user or network administrator.  There are a number of key elements

  • IP address : 4 8 bit bytes for example 192.168.8.77
  • Subnet mask : 4 8 bit bytes that together with the IP address defines the network address of the device.  Each bit of the IP address are combined with the corresponding bit of the subnet mask in an AND operation.  eg the network address of 192.168.8.77 with subnet mask 255.255.255.0 gives 192.168.8.0

    there are online tools for this eg https://mxtoolbox.com/SubnetCalculator.aspx

    When an endpoint tries to contact another device on the ip network it needs to first work out if the destination is in the same subnet.  If not  the frame must be sent to the default gateway
  • Default gateway: This is the device where frames are sent if the destination ip address is not in the same subnet.  This is usually the internet router or firewall
  • DNS server: This is the ip address of the device that translates names eg google.com or spectralis.local to the IP address.  In a home network this will usually be the ISPs DNS server or Google’s server (8.8.8.8).  In a business network, it will usually be the domain controller (Windows server)
  • DHCP server: This is the IP address of the  device that automatically allocates IP addresses.  In a home network this is usually also the internet router.  In a business network, it is normally the domain controller.

On a windows machine, you can retrieve the current information from a workstation or server by typing ipconfig /all at a command prompt

Network Switches

The network switch is like a powerboard for the network.  Each device is plugged in and it facilitates communication.  Devices might be

  • workstations
  • printers
  • network attached storage
  • OCT machine

and so on

They are essentially layer 2 devices – they work on Ethernet frames and MAC addresses.  The physical interface (the part where the network cables is plugged in) has a speed rating – now almost always 1Gb/s .  Thus the device is called a Gigabit Switch.  The number of ports can vary from 4 up to 48

An ethernet frame has within it the source address (where the frame comes from) and the destination address (where it is going ) Fundamentally, when a frame arrives on an interface on a switch it needs to very quickly decide whether to do one of 3 things to the frame based on the source and destination address

  • Flood it.  If the switch does not know which interface to send it to it will send it out all interfaces except for the one on which it arrived
  • Forward it.  If the switch knows (based on previous frames) which interface the destination is connected to, it will send the frame out only that interface
  • Drop it.  Under certain circumstances the switch will drop the frame.  It will then be up to higher layers of the network to detect this and ask for retransmission (or not)

A typical medical business might need up to 24 devices on the network.  There are a wide range of switch models available that are gigabit and 24 ports.  For example

a very economical switch $129 new
a much more expensive switch – up to $2000

The difference is not obvious at first – both switches are “Gigabit”.  There are significant differences though

  • Higher end switches are “managed” that is they have an interface at layer 3 so the user can log in and configure the switch.  They often have layer 3 (IP) functions as well such as performing some of the tasks of a router
  • Higher end switches have faster dedicated memory and hardware.  Although the interfaces may be rated at 1Gb, it does not mean that the switch can switch the frames at that speed.  That is dependent on other hardware within the switch
  • Higher end switches will have more reliability when connected to other devices

For a medical business, there is often just one core switch.  It is a false economy to use a cheap unmanaged switch for this task

Switches, Routers and Firewalls

These devices are the hardware that connects the endpoints on the network

A switch is essentially a layer 2 Ethernet device

A router is a path between two subnets

A firewall is a device that controls the traffic between two network segments

The small office network

The typical medical office will have a network. Usually this will be a Windows Active Directory network with a domain controller.

It is useful to consider networks at various layers:

  • Layer 1 – the physical network – cat6 cabling and/or wireless (bits)
  • Layer 2 – the data-link layer – ethernet or 802.1 wireless (frames)
  • Layer 3 – the network layer – IP (packets)
  • Layer 4 – the transport layer – TCP, UDP etc

Each device (printer, computer, network switch etc) has a Layer 2 address (the MAC address) and a layer 3 address (the IP address). The MAC address is usually set by the manufacturer and the IP address is set by the user as part of the network setup

All devices connected together at layer 2 form what is known as the broadcast domain. Typically this would be all of the devices on the office network. They are linked together by a layer 2 switch or wireless access point

Every IP address (layer 3) is a member of a subnet. The subnet is defined by a combination of the IP address and the subnet mask. A typical office network has a maximum of 254 IP addresses on a subnet for example :

the addresses between 192.168.0.1 and 192.168.0.254 with a subnet of 255.255.255.0

If a device tries to communicate with one at a different subnet – for example the Google DNS server at 8.8.8.8 the layer 2 frame needs to be sent to a device within the subnet that can forward the layer 3 packet out of the network towards the destination. That device is known as the gateway or router.