How we switched to remote work six months ago due to broken optics

Next to our two buildings, which were joined by 500 meters of dark fiber, someone decided to dig a large hole in the ground: landscaping work, the final stage of laying a heating main and building the entrance to the new metro station. That takes an excavator. Since those days I have not been able to look at one calmly. In short, what happened is what inevitably happens when an excavator and a fiber cable meet at the same point in space. You could say it is simply the nature of the excavator; it could not miss.

Our main server room was in one building and the office in another, half a kilometer away. The backup channel was the Internet over VPN. We ran fiber between the buildings not for security reasons and not for plain economy (although traffic did come out cheaper than through a provider's services), but at the time simply for the connection speed. And simply because we are the kind of people who know how to lay fiber in ducts ourselves. Banks build rings, but with a second link along a different route the whole economics of the project would have fallen apart.

In fact, it was at the moment of the cut that we switched to remote work. In our own office. More precisely, in two offices at once.

Before the cut

For a number of reasons (including the future development plan) it became clear that the server room would have to be moved within a few months. We started slowly exploring the options, including a commercial data center. We had excellent containerized diesel generators, but when a residential complex appeared on the plant's territory we were asked to remove them. That cost us guaranteed power and, with it, the option of moving the computing equipment from the remote building into a server room on the office premises.

When the excavator reached the building, the company kept working at full capacity (though with degraded internal services because of the lag). We were forced to move the server room to the data center and lay fiber between the offices. Until recently all of our distributed infrastructure ran on provider VPN stars; that is simply how it had been built historically. The project was designed so that no section of fiber between different nodes would share a cable duct with another. We completed it just this February: the main equipment was moved to a commercial data center.

Then, almost immediately, mass remote work began for biological reasons. The VPN already existed, and so did the access methods; nobody deployed anything specifically new. But never before had the whole staff been required to use the VPN at the same time with a full set of resources. Fortunately, the move to the data center had just made it possible to greatly expand the Internet access channels and connect the entire staff without restrictions.

So, logically, I should thank that excavator: without it we would have moved much later and would not have had certified, proven solutions for the closed segments.

Day X

The only thing missing was laptops for some employees, since the entire infrastructure for remote work was already in place. After that it was simple: we were able to hand out several hundred laptops before remote work started. But that was our reserve stock: replacement units for repairs and old machines. We did not try to buy more, because by then small anomalies had started in the market. On March 31 Interfax wrote:

The transfer of employees of Russian companies to remote work has led to massive purchases of laptops and the depletion of stocks in the warehouses of system integrators and distributors. Delivery of new equipment may take two to three months.

The distributors' stocks sold out because of the rush. By rough estimates, new supplies were expected only in July, and it was unclear what would happen by then, because at about the same time the ruble exchange rate started jumping around.

Laptops

We do lose devices. The official reason is most often employee carelessness: someone forgets a laptop on a train or in a taxi. Sometimes devices are stolen from cars. We looked at various anti-theft solutions; they all share the drawback that the loss itself cannot actually be prevented.

The Windows laptop itself is of course valuable as a material asset, but it is far more important that it is not compromised and that the data on it does not end up somewhere else.

From the laptop the user connects to the terminal server with two-factor authentication. In theory, only the employee's personal files are stored on the device itself; everything critical lives on the desktop in the terminal session, and all access goes through it. The end user's operating system does not matter: here people happily use a Windows desktop from macOS.

From some devices a direct VPN connection to resources is possible. Then there is software that is tied to the hardware for performance reasons (AutoCAD, for example) or that requires a USB token and Internet Explorer 6.0 or later; factories still use this kind of thing often. In those cases, of course, we grant access from the local machine.

For administration we use domain policies and Microsoft SCCM, plus Tivoli Remote Control for remote connection with the user's permission: the administrator can connect only when the end user has explicitly allowed it. Windows updates go through an internal update server. There is a pool of machines on which they are installed and tested first, to check that our software stack has no problems with the new update and that the update itself brings no new bugs. After manual confirmation the command is given to roll out. When the VPN does not work, we use TeamViewer to help the user.

Almost all production departments have administrative rights on their local machines, but they are officially notified that they may not install pirated software or store prohibited materials. HR, sales and accounting do not have admin rights, as they have no need for them. The main problem with users installing software themselves is not so much piracy as the fact that new software can break our stack. The piracy story is standard: even if a pirated Photoshop is found on a user's personal laptop that for some reason was at the workplace, the company gets fined. Even if the laptop is not on the balance sheet, as long as there is a desktop next to it on the table that is on the balance sheet and is recorded to that user in the documents. We were warned about this during the security audit, with Russian law enforcement practice in mind.

We do not use BYOD; on phones what matters is the Lotus Domino platform for workflow and mail. We recommend that high-security users use the standard IBM Traveler solution (now HCL Verse). During installation it is granted the rights to wipe the device data and the mail profiles themselves; we use this when mobile devices are stolen. With iOS it is harder: only the built-in tools are available.

Repairs beyond "replace the RAM, power supply or processor" are handled as replacements, and the repaired device is usually not returned to the same user. During normal work employees quickly bring a laptop to the support engineers, who quickly diagnose it. It is very important always to have a range of swap laptops of the same performance class; otherwise users will use repairs as a way to upgrade, and the number of repairs will rise sharply. For that you need to keep a stock of older models. Now that stock is being used for distribution.

VPN

VPN to work resources is Cisco AnyConnect, which works on all platforms. Overall we are happy with the choice. We split users into one or two dozen profiles for different user groups with different access at the network level, first of all separated by access list. The most widespread profile is access from personal devices and from laptops to the standard internal systems. There are extended accesses for administrators, developers and engineers that include the internal laboratory networks, where the solution-testing and development systems are also placed behind an ACL.
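The per-group separation described above, as an added illustration rather than the company's own configuration: the article names AnyConnect but not the headend, so a Cisco ASA is assumed, and every group name, address range, port and AD group below is a placeholder. Each group policy carries its own `vpn-filter` ACL (written with the VPN client as source and the internal resource as destination), the standard profile reaches only the terminal server and mail, and the extended profile adds the lab networks; everything not listed is dropped by the explicit deny.

```cisco
! Added illustration (assumed ASA headend, placeholder names and addresses).

! Standard profile: personal devices and laptops reach only the terminal
! server (RDP) and the Domino mail server (NRPC); nothing else internally.
access-list VPN_STD_FILTER extended permit tcp any 10.10.1.0 255.255.255.0 eq 3389
access-list VPN_STD_FILTER extended permit tcp any host 10.10.2.10 eq 1352
access-list VPN_STD_FILTER extended deny ip any any

! Extended profile: administrators, developers and engineers also reach the
! internal lab networks, but still nothing beyond what is listed.
access-list VPN_ENG_FILTER extended permit ip any 10.10.0.0 255.255.0.0
access-list VPN_ENG_FILTER extended permit ip any 10.20.0.0 255.255.0.0
access-list VPN_ENG_FILTER extended deny ip any any

group-policy GP_STD internal
group-policy GP_STD attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value VPN_STD_FILTER
 split-tunnel-policy tunnelall

group-policy GP_ENG internal
group-policy GP_ENG attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value VPN_ENG_FILTER
 split-tunnel-policy tunnelall

! Map the AD group returned by LDAP onto the group policy; any user without a
! mapped group falls back to the restrictive GP_STD, never to wider access.
ldap attribute-map AD_GROUP_MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Engineers,OU=Groups,DC=example,DC=local" GP_ENG

tunnel-group TG_ANYCONNECT type remote-access
tunnel-group TG_ANYCONNECT general-attributes
 default-group-policy GP_STD
```

The point worth checking in a configuration like this is the fallback: the tunnel group's `default-group-policy` must be the most restrictive profile, so that a user whose AD group is missing or misspelled lands in the narrow standard filter rather than in the engineers' one.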

In the first days of the mass transition to remote work we saw a surge of service desk requests because users had not read the instructions that were sent out.

General work

I did not see any deterioration in my unit due to indiscipline or the kind of slackening that is written about so much.

Igor Karavai, deputy head of the information support department.

Source: habr.com