How we switched to remote work six months ago because of a cut fiber

Next to our two buildings, linked by 500 meters of dark fiber, it was decided to dig a large hole in the ground, as part of landscaping work (the final stage of laying a heating main and building the entrance to the new metro station). That needs an excavator. Since those days I cannot look at one calmly. In short, what inevitably happens when an excavator and a fiber cable meet at the same point in space happened. You could say it is the nature of the excavator: it could not miss.

One building held our main server platform, and the other, half a kilometer away, held the office. The backup channel was the Internet via VPN. We had laid the fiber between the buildings not for security reasons but out of plain economics (traffic was cheaper that way than through a provider), and because of the link speed. And simply because we are the very people who know how to, and do, lay fiber for banks. But banks build rings, and a second link over a different route would have wrecked the whole economics of the project.

In fact, it was at the moment of the cut that we switched to remote work. In our own office. More precisely, in two offices at once.

Before the cut

For a number of reasons (including plans for future growth) it had become clear that the server room would have to move within a few months. We began, without hurry, to explore the options, including a commercial data center. We had excellent containerized diesel generators, but when a residential complex appeared on the factory grounds we were asked to remove them; as a result we lost guaranteed power, and with it the option of moving the computing equipment from the remote building into the server room on the office premises.

When the excavator reached the building, the company kept working at full capacity (though the quality of internal services degraded because of latency). That forced us to move the servers to a data center and lay fiber between the offices. Until recently all of our distributed infrastructure hung off provider VPN stars; that is simply how it had been built historically. The new project was designed so that on no segment between nodes would the fiber end up in the same cable duct. It was finished literally this February: the main equipment was moved to a commercial data center.

Then, almost immediately, the mass move to remote work began, for biological reasons. The VPN and the access methods already existed; nobody developed anything new specifically for this. But never before had everyone needed to work through the VPN at the same time with the full set of resources. Fortunately, the move to the data center had just made it possible to greatly expand the Internet access channels and connect the entire staff without restrictions.

So logically I ought to thank that excavator: without it we would have moved much later, and we would not have been ready with certified and verified solutions for the closed segments.

Day X

Some of the staff lacked only laptops, since the whole infrastructure for remote work was already in place. The rest was simple: we managed to hand out several hundred laptops before remote work began. But that was our reserve stock: loaner units for repairs, old machines. We did not try to buy new ones, because by then small anomalies had begun on the market. On March 31 Interfax wrote:

The transfer of employees of Russian companies to remote work has led to mass purchases of laptops and the depletion of stocks at system integrators and distributors. Deliveries of new equipment may take two to three months.

In the rush, distributors' stocks sold out. By rough estimates new deliveries were expected only in July, and even that was uncertain, because around the same time the ruble exchange rate began to jump around.

Laptops

We do lose devices. The most common official reason is employee carelessness: someone leaves a laptop on a suburban train or in a taxi. Sometimes devices are stolen from cars. We looked at various anti-theft solutions; they all share the drawback that, in practice, they cannot prevent the loss itself.

A Windows laptop is of course valuable as a physical asset, but it matters far more that it is not compromised and that the data on it does not leak to a third party.

From a laptop you reach the terminal server through two-factor authentication. In theory only the employee's personal local files are stored on the device itself; everything critical lives on the desktop in the terminal session, and all access goes through it. The end-user operating system does not matter: our people happily open the Windows desktop from macOS.

From some devices a direct VPN connection to resources is possible. There is also software that depends on local hardware for performance (AutoCAD, for example), or that requires a USB token and Internet Explorer of at least version 6.0; factories still use such things often. In those cases we naturally grant access to the local machine.

For administration we use domain policies and Microsoft SCCM, plus Tivoli Remote Control for remote sessions with the user's permission: the administrator can connect only once the end user has explicitly allowed it. Windows updates come through an internal update server. There is a pool of machines on which they are installed and run first; that shows whether our software stack has problems with the new update and whether the update itself brings new bugs. After manual confirmation, the rollout command is issued. When the VPN is not working we use TeamViewer to help the user. Almost all production units have admin rights on their local machines, but they are officially notified that installing pirated software and storing prohibited material is forbidden. HR, the sales department and accounting have no admin rights, as they have no need for them. The main problem is self-installed software, and not so much piracy as the fact that new software can break our stack. The piracy story is the standard one: if a pirated Photoshop is found even on a user's personal laptop that happened to be at the workplace, it is the company that gets fined, even if the laptop is not on the company's books and next to it on the desk stands a company desktop, recorded in the documents as that user's. We were warned about this during a security audit that took Russian law-enforcement practice into account.

We do not use BYOD; what matters for phones is the Lotus Domino platform for workflow and mail. We recommend that users with high access levels use the standard IBM Traveler solution (now HCL Verse). On installation it is granted the right to wipe the device data and clear the mail profiles; we use that if a mobile device is stolen. iOS is more complicated: only the built-in tools are available there.

Repairs beyond "replace the RAM, the power supply or the processor" are done by replacement, and the repaired device usually does not come back to the same user. In normal times an employee quickly brings the laptop to the support engineers, who quickly diagnose it. It is very important to always have a selection of swap laptops of the same performance class; otherwise users will treat "repairs" as a way to upgrade, and the number of repairs will grow sharply. For that you need to keep a stock of older models. This time it was that stock that went out for distribution.

VPN

VPN to work resources is Cisco AnyConnect, which works on all platforms; on the whole we are satisfied with the choice. We split it into one or two dozen profiles for different user groups with different network-level access, separated primarily by access list. The largest group is access from personal devices and company laptops to the standard internal systems. There are extended profiles for administrators, developers and engineers that add the internal lab networks, where the test and development systems are also on the ACL.
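As an added example (not from the original post or the company's own configuration), here is a small Python model of the profile-per-group ACL design described above: each AnyConnect profile is a default-deny list of permitted flows, and an audit function reports which profiles reach the lab networks. Profile names, addresses and ports are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample data: profile -> list of (protocol, destination network, port).
# "staff" is the mass profile (personal devices and laptops -> standard systems);
# "engineering" adds the internal lab networks. All addresses are invented.
PROFILES: Dict[str, List[Tuple[str, str, int]]] = {
    "staff": [
        ("tcp", "10.10.0.0/24", 3389),   # terminal server farm (RDP)
        ("tcp", "10.10.1.10/32", 443),   # mail/workflow web front end
    ],
    "engineering": [
        ("tcp", "10.10.0.0/24", 3389),
        ("tcp", "10.10.1.10/32", 443),
        ("tcp", "10.20.0.0/16", 22),     # lab networks: SSH to test/dev systems
        ("tcp", "10.20.0.0/16", 443),
    ],
}

# Networks that only the extended profiles are supposed to reach.
LAB_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


def is_allowed(profile: str, proto: str, dst_ip: str, dst_port: int) -> bool:
    """Default deny: True only if some entry in the profile matches the flow.

    An unknown profile has no entries and therefore gets nothing."""
    dst = ipaddress.ip_address(dst_ip)
    for ace_proto, ace_net, ace_port in PROFILES.get(profile, []):
        if (ace_proto == proto
                and dst in ipaddress.ip_network(ace_net)
                and ace_port == dst_port):
            return True
    return False


def profiles_reaching_labs() -> List[str]:
    """Audit: list the profiles with any entry overlapping a lab network.

    Run this after every ACL change so that the mass profile never
    quietly gains lab access."""
    hits = []
    for name, aces in PROFILES.items():
        for _, ace_net, _ in aces:
            net = ipaddress.ip_network(ace_net)
            if any(net.overlaps(lab) for lab in LAB_NETWORKS):
                hits.append(name)
                break
    return hits
```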

In the first days of the mass move to remote work, we faced a surge of calls to the service desk because users do not read the instructions they are sent.

Day-to-day work

I have not seen in my unit the deterioration from lack of discipline or general slackening that so much is written about.

Igor Karavay, Deputy Head of Information Support.
