(Tech News World) Remember way back in ancient computer history when we used to have this thing called a "firewall"? Good times (technewsworld.com)

Posted to Geek on 06 Jul 2012 at 11:35 AM




Archived thread

 
2012-07-06 02:01:09 PM
I worked for an ASP that was 5 9's of uptime. That's 99.999%. 99.999% of SCHEDULED uptime. Scheduled outages for maintenance were OK.

shiat still happened and SLAs were still broken on occasion.
 
2012-07-06 02:04:07 PM

friday13: unicron702: friday13: unicron702: s1ugg0: dognose4: s1ugg0:
Brother, I just spent 2 hours trying to explain to a guy that a T1 cross over cable is not an Ethernet cross over cable. And he was the Director of IT for a multi-million dollar company. First round is on me.


Who uses T1 lines anymore? In a multi-million dollar company? Fiber & ether.

You'd be surprised. Anything with a 4 hour commit for repair looks real appealing to customers who value up time. And you can do all sorts of fun things with them.

I saw a commercial for a co-location facility that promised 100% up time. I'm in IT and unless I'm missing something, I can't see how that is possible. Unless they're rocking multiple redundancies for every client across multiple physical servers can anyone tell me how that's possible? For that matter, you'd have to have multiple redundancies across many forms of tech. UPS devices, being served by multiple ISP's simultaneously, etc. I guess reading back on this now it is TECHNICALLY possible, but you'd have to double or triple up on your ENTIRE setup to guarantee that. And even then, it's not 100%.

I'd think at that point it'd be prohibitively expensive.

Thinking the same thing. Also, imagine doing all of that and your failover system doesn't work when needed?

Admittedly, that'd be a rare occurrence, but when it DID happen, you'd be down for days, if not weeks, trying to find exactly what happened.


Also, the beauty of this "Well, we meant 100% up time, we meant unscheduled. We can still take you down for 6 hours to apply patches if it's scheduled!":
 
2012-07-06 02:10:17 PM

unicron702: s1ugg0: dognose4: s1ugg0:
Brother, I just spent 2 hours trying to explain to a guy that a T1 cross over cable is not an Ethernet cross over cable. And he was the Director of IT for a multi-million dollar company. First round is on me.


Who uses T1 lines anymore? In a multi-million dollar company? Fiber & ether.

You'd be surprised. Anything with a 4 hour commit for repair looks real appealing to customers who value up time. And you can do all sorts of fun things with them.

I saw a commercial for a co-location facility that promised 100% up time. I'm in IT and unless I'm missing something, I can't see how that is possible. Unless they're rocking multiple redundancies for every client across multiple physical servers can anyone tell me how that's possible? For that matter, you'd have to have multiple redundancies across many forms of tech. UPS devices, being served by multiple ISP's simultaneously, etc. I guess reading back on this now it is TECHNICALLY possible, but you'd have to double or triple up on your ENTIRE setup to guarantee that. And even then, it's not 100%.


Methinks it's the same way an ISP offers unlimited* "bandwidth". You see, their definition of 100% is a number less than 100%.
 
2012-07-06 02:34:48 PM
The Cloud and BYOD are both huge middle fingers to IT. Soak 'em up, y'all earned 'em.

It started with SOAP. RPC over http was invented to get past the grouchy network admins who refused to allow DCOM or CORBA messages through the firewall. Port 80 was allowed, so port 80 is what we used. No more requests to IT to open up a port.

Then the Cloud, so that managers were free to expense their IT costs directly on their expense reports, rather than going down the months-long road of consuming the "services" of provisioning, sizing, installing and deploying hardware, only to have to do it all over again when needs changed. IT couldn't figure out how to streamline this process and do it accurately, so now we use the Cloud to automate away all the guesswork and get things done.

Next: BYOD. Hot on the heels of Bring Your Own Phone, people interested in getting things done began to bring their home machines into work so they could have something reliable and productive to use. Once again, IT presented itself as an obstacle, and they were overcome like an obstacle.

Now enterprise IT is so dependent on the productivity offered by these paradigms, they couldn't cope with things the way they were. Enterprise IT will be automated away, piece by piece, until the only ones left are happy, friendly, competent and eager to guide users through difficult and novel problems. If I were in IT, I would stop asking why my customers want to do something and argue with them over whether it's a good idea, and start helping them achieve their goals. Otherwise they'll turn to Amazon, Microsoft, Apple or some other organization to get the services they need.
 
2012-07-06 03:05:31 PM
Have fun hanging out at the "genius bar" mcallcl. ha!

Sorry you've had bad experiences with IT. I got out of that end of shiat a LOOOONG time ago for the reasons you listed above.

I don't deal with end users anymore and it's great. I just simply don't care to remove the farked up spyware your 10 year old installed on your company owned laptop YET AGAIN.

BYOD sounds great in a perfect world, but all of those devices have to be patched, managed, secured, etc. So what happens if you're a developer at Widget corp and your machine is compromised because it's YOUR machine and is thusly not set up securely? IP gets sucked away. Corporate secrets get stolen and worse. Also, are you going to pay to train your IT drones to service EVERY SINGLE piece of gear that comes in? They generally don't have time to dick around with every type of hardware out there to learn it enough to properly support you. When you or your kid or whatever fark up that shiny new tablet you picked up at Microcenter, you're not going to take it to them to have it worked on. Or worse, you just might.

No. Just go through the proper channels and do it right. If your request is actually valid, businesswise, your manager should have no issue getting it pushed through.

What do I know, though? I've only been at this about 21 years. Funny, how regardless of how much House MD you've watched you don't try to tell an ER doctor how to do his job. You've seen Home Improvement but are you trying to tell the electrician that comes to fix stuff at your house how to do his job?
 
2012-07-06 03:10:09 PM
First rule of IT: The client should be treated with the same attitude that one gives a mentally disabled child for not soiling themselves.
 
2012-07-06 03:14:22 PM

socodog: Have fun hanging out at the "genius bar" mcallcl. ha!

Sorry you've had bad experiences with IT. I got out of that end of shiat a LOOOONG time ago for the reasons you listed above.

I don't deal with end users anymore and it's great. I just simply don't care to remove the farked up spyware your 10 year old installed on your company owned laptop YET AGAIN.

BYOD sounds great in a perfect world, but all of those devices have to be patched, managed, secured, etc. So what happens if you're a developer at Widget corp and your machine is compromised because it's YOUR machine and is thusly not set up securely? IP gets sucked away. Corporate secrets get stolen and worse. Also, are you going to pay to train your IT drones to service EVERY SINGLE piece of gear that comes in? They generally don't have time to dick around with every type of hardware out there to learn it enough to properly support you. When you or your kid or whatever fark up that shiny new tablet you picked up at Microcenter, you're not going to take it to them to have it worked on. Or worse, you just might.

No. Just go through the proper channels and do it right. If your request is actually valid, businesswise, your manager should have no issue getting it pushed through.

What do I know, though? I've only been at this about 21 years. Funny, how regardless of how much House MD you've watched you don't try to tell an ER doctor how to do his job. You've seen Home Improvement but are you trying to tell the electrician that comes to fix stuff at your house how to do his job?


I said it above, but as an IT worker I know other people in other fields have skill sets I don't, and I never will. I respect the knowledge and skills people have in other professions. But I'm not asking them to hack their registry to solve their problem. When I'm remoted into their machine and tell them to choose a password with 7 or 8 characters only, no more, no less, and I directly emphasize this then watch as they type out a 15 character password monstrosity this isn't me asking them to hax0r teh gibson, it's me asking them to understand the concept of counting to 8. Yeah, you're an ER doctor or the best electrician on Earth. That's great. Apparently simple counting just escaped you though, so fark you.
 
2012-07-06 03:15:13 PM

Honest Bender: H31N0US: What is the difference between a firewall and a router?

Price.

Go back to your cubicle and leave the computer stuff to the professionals...


Yeah, ok.
 
2012-07-06 03:22:34 PM

unicron702: I guess reading back on this now it is TECHNICALLY possible, but you'd have to double or triple up on your ENTIRE setup to guarantee that. And even then, it's not 100%.


I cut my teeth being an ops tech in a major NYC colo that promised this very thing. Read the fine print. 100% up time on what specifically? And if you do have an outage you don't get like the full month free. If you're down for 1 hour (a lifetime for some people) you're getting 1 hour of credit. So if you're paying like $4000 per month for a cabinet. If there are 30 days in a month (720 hours a month) then your credit is $5.56.

That's why they are so cavalier about the 100% uptime. Sounds awesome and gets people in. Then if there is a significant outage of like say 10 hours. You get $55.60. It's all marketing.
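Added example, not code from any post in this thread: it puts numbers on the two points made above, unicron702's "99.999% of SCHEDULED uptime" and s1ugg0's hour-for-hour credit. The 720-hour month and the $4000 cabinet are the thread's figures; the 6-hour maintenance window and the 8760-hour year are assumptions for illustration.

```python
"""Availability arithmetic: what 'five nines' and a pro-rated uptime credit buy.

Added example; the 720-hour month and the $4000 cabinet come from the thread,
the maintenance window and yearly figures are assumptions for illustration.
"""

HOURS_PER_MONTH = 720.0     # 30-day month, as used in the thread
HOURS_PER_YEAR = 8760.0     # 365-day year (assumed)


def allowed_downtime_minutes(nines: int, period_hours: float = HOURS_PER_MONTH) -> float:
    """Downtime permitted per period at an availability of 0.9...9 (`nines` nines).

    Five nines over a 720-hour month is well under a minute; this number is
    what the SLA is really promising, so it is worth seeing before signing.
    """
    unavailability = 10.0 ** (-nines)           # 5 nines -> 0.00001
    return period_hours * 60.0 * unavailability


def calendar_availability(sla_availability: float, scheduled_maint_hours: float,
                          period_hours: float = HOURS_PER_MONTH) -> float:
    """Availability as the customer experiences it when the SLA is measured
    against *scheduled* uptime only.

    The provider does not count the maintenance window, but the service is
    still down during it.  Unscheduled downtime is allowed on the remaining
    scheduled hours; both kinds are then charged against the full calendar.
    """
    scheduled_hours = period_hours - scheduled_maint_hours
    unscheduled_down = scheduled_hours * (1.0 - sla_availability)
    total_down = unscheduled_down + scheduled_maint_hours
    return 1.0 - total_down / period_hours


def prorated_credit(monthly_fee: float, outage_hours: float,
                    period_hours: float = HOURS_PER_MONTH) -> float:
    """Credit under an hour-for-hour clause: the slice of the monthly fee that
    covered the outage, rounded to cents.  Lost revenue is not in the formula."""
    return round(monthly_fee * outage_hours / period_hours, 2)


def summarize() -> dict:
    """Run the thread's numbers plus the scheduled-uptime caveat."""
    return {
        "five_nines_minutes_per_month": allowed_downtime_minutes(5),
        "five_nines_minutes_per_year": allowed_downtime_minutes(5, HOURS_PER_YEAR),
        "calendar_availability_with_6h_window": calendar_availability(0.99999, 6.0),
        "credit_1h_on_4000": prorated_credit(4000.0, 1.0),
        "credit_10h_on_4000": prorated_credit(4000.0, 10.0),
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name:40s} {value:.4f}")
```

Two things fall out of running it. A "five nines" SLA that is only measured against scheduled hours, with one 6-hour patch window a month, is about 99.17% availability on the calendar the customer actually lives on. And the 10-hour credit computed against the unrounded hourly rate is $55.56 (the post's $55.60 is ten times the rounded $5.56); either way it is noise next to the lost transfers the post describes, which is the point being made.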
 
2012-07-06 03:30:49 PM
any corporation that allows byod is just stupid and probably doesn't have a clue about infosec. so much wrong with this article.

/security engineer
//amused
 
2012-07-06 03:32:57 PM

s1ugg0: unicron702: I guess reading back on this now it is TECHNICALLY possible, but you'd have to double or triple up on your ENTIRE setup to guarantee that. And even then, it's not 100%.

I cut my teeth being an ops tech in a major NYC colo that promised this very thing. Read the fine print. 100% up time on what specifically? And if you do have an outage you don't get like the full month free. If you're down for 1 hour (a lifetime for some people) you're getting 1 hour of credit. So if you're paying like $4000 per month for a cabinet. If there are 30 days in a month (720 hours a month) then your credit is $5.56.

That's why they are so cavalier about the 100% uptime. Sounds awesome and gets people in. Then if there is a significant outage of like say 10 hours. You get $55.60. It's all marketing.


The colo I worked for was essentially an intermediary for banks to transfer money between each other. We outsourced data processing for banks. A million people and businesses a day, transferring money. Some of it VERY large single transfers. You're gonna reimburse us $55.60? That's awesome, we failed to transfer 50 million during those 10 hours.

So yeah, sounds like marketing, and criminal at that.
 
2012-07-06 03:39:01 PM

mccallcl: If I were in IT...


You don't really need to point out that you're not in IT. The fact that you can never manage to post anything that's even remotely like reality, and that everything you post is obviously just meaningless technobabble you picked up from trade magazines and Wired articles, makes it painfully obvious.
 
2012-07-06 03:43:18 PM

socodog: Have fun hanging out at the "genius bar" mcallcl. ha!


I don't "hang out" there, I drop my computer off and walk away. Later, they call me and it's fixed. Nobody talks down to me, scolds me for doing something or asks me why I need my computer fixed before next month. It's awesome and it's free with the Apple computer I bought.

IT should model itself this way. Instead of being an obstacle to getting your work done, they should be an even-more-convenient version of the genius bar. Why would I go to the Apple store when I have a cadre of helpful IT pros just down the hall?

socodog: So what happens if you're a developer at Widget corp and your machine is compromised because it's YOUR machine and is thusly not set up securely?


Just because it's MY machine doesn't mean it won't be set up securely. In fact, I prefer not to have to give the keys to MY kingdom over to someone who has no idea what my business function is and cannot be trusted to have the self-discipline not to snoop on my communications. I've had a lot more computing environments ruined by IT than prevented from being so.

On the other hand, what if poor IT service makes your company run so slowly that any new idea takes much longer than it should to implement, and thusly the competition eats your lunch and everyone at the company loses their job? What value is all that security, when there's padlocks on the doors?

If IT ran smoothly and politely, no one would ever bother looking for another way to get their work done. Who brings in their own copier or coffee machine?

socodog: If your request is actually valid, businesswise, your manager should have no issue getting it pushed through.


The web and especially mobile space move very very quickly. No one should be "pushing through" requests. It's not the job of the business to teach IT the business value of an asset. It is the job of IT to acquire and provision that asset faster and easier than the user could do with their own funds and an expense sheet. As a bonus, if IT sets up the device, they get to make it secure and stable, so they have less work to do down the road. But if they can't win the business from Amazon or Google, they are not needed and should vanish.

The artificial barriers to productivity set up by IT keep them in the critical path, serving as the arbiter of business value. Users need to get their work done, so they make a run around this dysfunctional department. So IT cries "security! ooga-booga!". Show me the results of some scans. Show me how much more secure my desktop is under IT governance and I will gladly submit to the process. Until then, add value or step aside.

socodog: What do I know, though? I've only been at this about 21 years.


And? I don't need to wave computer dicks with you, but I also have decades of experience in systems under my belt. In my experience, the ones doing IT the longest were the worst to work with. The 80s-90s attitude of forcing your users to justify their work to you, and handing down judgment from on high is why users are giving their personal credit cards to Amazon to get their work done.

Realize that if you entice your users to do business with you, you would have an opportunity to sanitize and control the devices that house corporate IP. If you drive them away, they will go away, and into the arms of whoever they please, and you lose the control you were trying to hold on to.

Someone who ships an iPhone app to the store is simply not going to get fired for it. Ever. No matter what policy you think they've violated in doing so. Get on their team, and be a part of the action, or you risk being outsourced or otherwise left behind.

/oh, and learn how to support Macs, they are not going away
 
2012-07-06 03:45:46 PM

unicron702: The colo I worked for was essentially an intermediary for banks to transfer money between each other. We outsourced data processing for banks. A million people and businesses a day, transferring money. Some of it VERY large single transfers. You're gonna reimburse us $55.60? That's awesome, we failed to transfer 50 million during those 10 hours.

So yeah, sounds like marketing, and criminal at that.


High end customers will work out their own SLAs with the sales force. When you're buying millions of dollars in services you kind of write your own contracts.
 
2012-07-06 03:45:57 PM

IT PWNS TEH ZONEALARMS LOL

/hey what year is this?
 
2012-07-06 03:47:55 PM

s1ugg0: ProfessorOhki: "Yesterday, I saw a guy trying to air up his own tires! Ahaha, can you believe it? He wasn't even an expert!"

Let's put a real world spin on your example. The next 75 people try to put air in their tires by blowing it up the tail pipe. And when you try to help them, half of them go "But it looked so easy" and the other half reply "I know about computers and stuff, I own an iPad". And 100% of them are belligerent in their ignorance and will be damned to hell before they'll actually admit to you what they were trying to do.

Want to get pleasant, helpful answers out of a NOC tech do the following:
-Explain what you were trying to do.
-Explain what you expected to happen.
-Explain what actually happened.

Do that every time and you'll get an honest answer and more times than not a solution within 5 to 10 minutes. Lie in any way and it just adds time and frustration to the troubleshooting.


Don't forget:

-Actually perform the troubleshooting steps asked of you in the manner they were asked and not how you think they should be done

/former broadband NOC at (unnamed) large telco
 
2012-07-06 03:49:19 PM

socodog: Anybody who thinks a firewall and a router are the same thing has never worked on either of those two types of gear that are of a respectable scale.

Sure, you can take a router and put some ACL's on it, but that's not even a percentage of what an actual firewall does.

I mean, you bought a 4 port Linksys router/switch. That's JUST like working on a Cisco 6513 or a Juniper 8126, right?

Most days, I REALLY wish network engineering required a state license. You have to get a license to push the cuticles back on people's toe nails, but any random buttfarker can legally work on mission critical systems like the cell phone network.


To be fair, though, Cisco isn't really helping that perception. Their old PIX firewalls were exactly that: a router where you could set ACLs. Even their newer ASA firewalls are pretty much the same thing, by default. If you want any of the features that separate firewalls from routers, like IPS, etc., you have to buy an add-on card.
 
2012-07-06 03:49:37 PM

socodog: Anybody who thinks a firewall and a router are the same thing has never worked on either of those two types of gear that are of a respectable scale.

Sure, you can take a router and put some ACL's on it, but that's not even a percentage of what an actual firewall does.

I mean, you bought a 4 port Linksys router/switch. That's JUST like working on a Cisco 6513 or a Juniper 8126, right?

Most days, I REALLY wish network engineering required a state license. You have to get a license to push the cuticles back on people's toe nails, but any random buttfarker can legally work on mission critical systems like the cell phone network.


I was being cavalier but there is truth there.

My first job in tech was an in house wall street colo. We had a mandated two tier architecture with a FEFW, web and app servers behind that, BEFW with data behind that. Pretty standard for 2001 (might still be the way but I've been out of tech since 2005).

We used Checkpoints and Cisco (3306's and 5509s I believe...with L3 boards) with some BigIP load balancers.

While I would probably not forego the Checkpoints and BigIPs on the front end, I came to realize that for very specific appserver to database communication, an ACL on one of the routers was fine...and allow any to any on the BEFW between those clusters. Helped performance a little in some cases.

YMMV. As I said I've not been in that game for several years so I have no idea how the kids do it these days.
 
2012-07-06 03:53:05 PM

s1ugg0: unicron702: The colo I worked for was essentially an intermediary for banks to transfer money between each other. We outsourced data processing for banks. A million people and businesses a day, transferring money. Some of it VERY large single transfers. You're gonna reimburse us $55.60? That's awesome, we failed to transfer 50 million during those 10 hours.

So yeah, sounds like marketing, and criminal at that.

High end customers will work out their own SLAs with the sales force. When you're buying millions of dollars in services you kind of write your own contracts.


Yeah but there are limits. Say we failed a company we got $25k in commissions daily from and they decided to go somewhere else. Are they going to start kicking us $25k a day to make up for their service failures? You get to a point, quite easily, where no SLA will matter. And that's just the financial factor; when you start getting into reputation and the rumor mill our losses could skyrocket. It sounds ridiculous and extravagant but at what point does the SLA state "You fail us, and we'll own you"?
 
2012-07-06 03:56:03 PM

Dadoo:

To be fair, though, Cisco isn't really helping that perception. Their old PIX firewalls were exactly that: a router where you could set ACLs. Even their newer ASA firewalls are pretty much the same thing, by default. If you want any of the features that separate firewalls from routers, like IPS, etc., you have to buy an add-on card.


Not true at all. I've worked on both for the last 10 years. Both can do stateful packet inspection, failover, anti-spoofing, layer 7 content inspections and IPS and much more. You just get more signatures to monitor when you purchase the SSM card for the ASA and all that does is IDS/IPS.
 
2012-07-06 03:56:51 PM

socodog: What do I know, though? I've only been at this about 21 years. Funny, how regardless of how much House MD you've watched you don't try to tell an ER doctor how to do his job. You've seen Home Improvement but are you trying to tell the electrician that comes to fix stuff at your house how to do his job?


Ah yes. Just shutup and don't ask questions or make demands. Is that the takeaway you get from watching House?

To be fair IT is constrained by management's budgets and then burdened by its bureaucracy, then given the unenviable task of having to deliver the seemingly impossible with these constraints. It's no wonder where the crankiness comes from. But for the reasons listed above I can see why everyone non-IT can't wait to see it go away.

/disclaimer: I'm IT too
 
2012-07-06 04:05:28 PM

mccallcl: The Cloud and BYOD are both huge middle fingers to IT. Soak 'em up, y'all earned 'em.


Yeah, okay. I guess that's the thanks we get for trying to protect you from yourselves. Someone has to stand up to the experts, though, right?

It started with SOAP. RPC over http was invented to get past the grouchy network admins who refused to allow DCOM or CORBA messages through the firewall. Port 80 was allowed, so port 80 is what we used. No more requests to IT to open up a port.

Yup, and when you get a virus, because you're circumventing security measures, who gets blamed? IT people.

Then the Cloud, so that managers were free to expense their IT costs directly on their expense reports, rather than going down the months-long road of consuming the "services" of provisioning, sizing, installing and deploying hardware, only to have to do it all over again when needs changed. IT couldn't figure out how to streamline this process and do it accurately, so now we use the Cloud to automate away all the guesswork and get things done.

Yeah, that'll be great, when your Internet connection is down for a few hours, and you can't do any business, or your cloud provider's down, and you can't do any business, or your cloud provider screws up your virtual image, and you can't do any business... It'll be even better when you're a small customer and you find out how much someone like Amazon cares about you.

Next: BYOD. Hot on the heels of Bring Your Own Phone, people interested in getting things done began to bring their home machines into work so they could have something reliable and productive to use. Once again, IT presented itself as an obstacle, and they were overcome like an obstacle.

Meanwhile, all your proprietary data will be leaking out of your network.

Now enterprise IT is so dependent on the productivity offered by these paradigms, they couldn't cope with things the way they were. Enterprise IT will be automated away, piece by piece, until the only ones left are happy, friendly, competent and eager to guide users through difficult and novel problems. If I were in IT, I would stop asking why my customers want to do something and argue with them over whether it's a good idea, and start helping them achieve their goals. Otherwise they'll turn to Amazon, Microsoft, Apple or some other organization to get the services they need.

We'll see how long that lasts. Fortunately, management at my company is smart. We have several options, as far as outsourcing our IT, but we'll never take them. Why? Because we want control of our data, and the only way to get that is to actually control your data. By sending it off-site and allowing it to be sent over the air, you give up control.
 
2012-07-06 04:07:46 PM

unicron702: It sounds ridiculous and extravagant but at what point does the SLA state "You fail us, and we'll own you"?


You're not paying your underlying carrier or colo provider for the profits you may or may not make over that line. You're paying for a specific connection or service for a set rate per month.

The honest truth is no carrier gives a rat's ass if you're making $100,000 per second off a circuit. If your service drops it's their responsibility to fix it within the SLA. Not reimburse you for your lost revenue. That's your problem.

Do you sue the power company when your lights go out and you can't work to make money? Same thing applies here.

That is why you have multiple site backups. I work for a phone company that has complete site replication in two different states. If you blow the building up in one, call traffic will fail over to the other site so fast active phone calls won't even drop and users don't even notice. And despite all the 99.99999% uptime guarantees it's happened twice in 5 years. Yes it's bad luck but we live in an imperfect world where screws fall out all the time. And yes it's expensive but like anything else in life you get what you pay for.

You get uptime or you get cheap. You don't get both.
 
2012-07-06 04:13:12 PM

deeeznutz: Not true at all. I've worked on both for the last 10 years. Both can do stateful packet inspection, failover,


So can a router. Heck, I could set up a Linux machine to do that, for 1/10th the price.

anti-spoofing,

I'll give you that one.

layer 7 content inspections and IPS and much more.

If you're saying a PIX can do that, I'll need a citation.

You just get more signatures to monitor when you purchase the SSM card for the ASA and all that does is IDS/IPS.

I'd have to question how useful an IPS is, if it only has a subset of the possible signatures.
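Added example, not code from any post in this thread: a toy packet filter that shows the distinction socodog, Dadoo and deeeznutz are arguing over, a router ACL versus a stateful firewall. The stateless filter has the semantics of an IOS extended ACL line using the `established` keyword, which matches any TCP segment with ACK or RST set; the stateful filter keeps a connection table. The hosts, ports and packet trace are constructed for the demonstration, and the tracker leaves out the timeouts, FIN handling and sequence-number validation a real firewall performs.

```python
"""Stateless ACL vs stateful firewall, as a toy packet filter.

Added example, not from any post in this thread.  Hosts, ports and the packet
trace are constructed; timeouts, FIN handling and sequence-number validation
that a real firewall performs are deliberately omitted.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# TCP flag bits, as laid out in the TCP header
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    direction: str   # "out": from the inside network, "in": from the outside
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def acl_established(pkt: Packet) -> bool:
    """Stateless filter with the semantics of an IOS extended ACL line using
    the 'established' keyword: inbound TCP is permitted when ACK or RST is
    set, denied otherwise; outbound is permitted.  Nothing is remembered
    between packets, so it cannot tell a reply from a forged one."""
    if pkt.direction == "out":
        return True
    return bool(pkt.flags & (ACK | RST))


class StatefulFirewall:
    """Minimal connection tracker.  An outbound SYN creates an entry; an
    inbound segment is admitted only if it matches a tracked connection
    in reverse, whatever flags it carries."""

    def __init__(self) -> None:
        self.table: Dict[Tuple[str, int, str, int], str] = {}

    def check(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags & SYN and not pkt.flags & ACK:
                self.table[key] = "SYN_SENT"      # inside host opened a connection
            elif pkt.flags & RST:
                self.table.pop(key, None)         # inside host tore it down
            return True
        # Inbound: look the reversed 4-tuple up; no entry means nobody asked.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.table.get(key)
        if state is None:
            return False
        if state == "SYN_SENT" and pkt.flags & SYN and pkt.flags & ACK:
            self.table[key] = "ESTABLISHED"
        elif pkt.flags & RST:
            self.table.pop(key, None)
        return True


def run_scenario() -> List[Tuple[str, bool, bool]]:
    """Replay a constructed trace through both filters.
    Returns (label, acl_permits, stateful_permits) for each packet."""
    inside, web, attacker = "10.0.0.5", "203.0.113.9", "198.51.100.7"
    trace = [
        ("client SYN to web server",        Packet("out", inside, 40000, web, 443, SYN)),
        ("server SYN/ACK reply",            Packet("in", web, 443, inside, 40000, SYN | ACK)),
        ("client ACK completes handshake",  Packet("out", inside, 40000, web, 443, ACK)),
        ("server data segment",             Packet("in", web, 443, inside, 40000, ACK)),
        ("attacker SYN to SMB",             Packet("in", attacker, 5555, inside, 445, SYN)),
        # ACK with no connection behind it: the shape of an ACK scan
        ("attacker ACK-only probe to SMB",  Packet("in", attacker, 5555, inside, 445, ACK)),
        ("attacker RST-flagged probe",      Packet("in", attacker, 5556, inside, 139, RST)),
    ]
    fw = StatefulFirewall()
    return [(label, acl_established(pkt), fw.check(pkt)) for label, pkt in trace]


if __name__ == "__main__":
    print(f"{'packet':36s} {'ACL':>5s} {'stateful':>9s}")
    for label, acl_ok, fw_ok in run_scenario():
        print(f"{label:36s} {str(acl_ok):>5s} {str(fw_ok):>9s}")
```

The last two packets are the ones that separate the two devices: an unsolicited ACK- or RST-flagged segment passes the ACL because it looks like the tail end of a conversation, and is dropped by the tracker because no inside host ever opened that connection. That is also why the app-server-to-database ACL described earlier in the thread is defensible while the same thing at the edge is not: between two fixed clusters both endpoints and both directions are known in advance, whereas at the edge the peer is whoever sends the packet.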
 
2012-07-06 04:15:57 PM

mccallcl: The Cloud and BYOD are both huge middle fingers to IT. Soak 'em up, y'all earned 'em.

It started with SOAP. RPC over http was invented to get past the grouchy network admins who refused to allow DCOM or CORBA messages through the firewall. Port 80 was allowed, so port 80 is what we used. No more requests to IT to open up a port.

Then the Cloud, so that managers were free to expense their IT costs directly on their expense reports, rather than going down the months-long road of consuming the "services" of provisioning, sizing, installing and deploying hardware, only to have to do it all over again when needs changed. IT couldn't figure out how to streamline this process and do it accurately, so now we use the Cloud to automate away all the guesswork and get things done.

Next: BYOD. Hot on the heels of Bring Your Own Phone, people interested in getting things done began to bring their home machines into work so they could have something reliable and productive to use. Once again, IT presented itself as an obstacle, and they were overcome like an obstacle.

Now enterprise IT is so dependent on the productivity offered by these paradigms, they couldn't cope with things the way they were. Enterprise IT will be automated away, piece by piece, until the only ones left are happy, friendly, competent and eager to guide users through difficult and novel problems. If I were in IT, I would stop asking why my customers want to do something and argue with them over whether it's a good idea, and start helping them achieve their goals. Otherwise they'll turn to Amazon, Microsoft, Apple or some other organization to get the services they need.


Dood, I can barely call myself an AMATEUR at this, and even I don't know where to start telling you just how wrong you are. Fortunately, there are people on here who know way better than I do who already are, so I'll just pile on and say that CLOUD services were a BOON to IT departments who had to deal with internal servers. It took a good bit of data off of the servers, easing the workload. IT isn't just being all smug because you know how to install a damned program.

mccallcl: socodog: Have fun hanging out at the "genius bar" mcallcl. ha!

I don't "hang out" there, I drop my computer off and walk away. Later, they call me and it's fixed. Nobody talks down to me, scolds me for doing something or asks me why I need my computer fixed before next month. It's awesome and it's free with the Apple computer I bought.

IT should model itself this way. Instead of being an obstacle to getting your work done, they should be an even-more-convenient version of the genius bar. Why would I go to the Apple store when I have a cadre of helpful IT pros just down the hall?


IT DOES model itself that way. But spend a day answering "My computer won't turn on" calls and see how long YOU can keep a smile on your face.

The only reason that the "genius bar" doesn't talk down on you is because they don't constantly get those calls.

/Three a day. THREE. A. DAY. And that was just ME.

mccallcl: socodog: So what happens if you're a developer at Widget corp and your machine is compromised because it's YOUR machine and is thusly not set up securely?

Just because it's MY machine doesn't mean it won't be set up securely. In fact, I prefer not to have to give the keys to MY kingdom over to someone who has no idea what my business function is and cannot be trusted to have the self-discipline not to snoop on my communications. I've had a lot more computing environments ruined by IT than prevented from being so.

On the other hand, what if poor IT service makes your company run so slowly that any new idea takes much longer than it should to implement, and thusly the competition eats your lunch and everyone at the company loses their job? What value is all that security, when there's padlocks on the doors?

If IT ran smoothly and politely, no one would ever bother looking for another way to get their work done. Who brings in their own copier or coffee machine?


You're not giving the keys to your kingdom, you're boarding an international flight. You have to go through TSA and customs. Your business function doesn't matter if you get a damned virus and infect the rest of the network. Your "security measure" amounts to taking a gun on that plane and yelling about it when TSA stops you.

Also, I brought in my own coffee machine. Those damned K-cups are farking terrible.

Why yes, I usually DO buy whole beans and grind them myself.


mccallcl: socodog: If your request is actually valid, businesswise, your manager should have no issue getting it pushed through. The web and especially mobile space move very very quickly. No one should be "pushing through" requests. It's not the job of the business to teach IT the business value of an asset. It is the job of IT to acquire and provision that asset faster and easier than the user could do with their own funds and an expense sheet. As a bonus, if IT sets up the device, they get to make it secure and stable, so they have less work to do down the road. But if they can't win the business from Amazon or Google, they are not needed and should vanish. The artificial barriers to productivity set up by IT keep them in the critical path, serving as the arbiter of business value. Users need to get their work done, so they make a run around this dysfunctional department. So IT cries "security! ooga-booga!". Show me the results of some scans. Show me how much more secure my desktop is under IT governance and I will gladly submit to the process. Until then, add value or step aside.


You have the roles reversed. IT has to teach the businessmen the business value of a device before the management will even consider the request. They can't because they're overwhelmed with those aforementioned "my computer won't turn on" calls, or the network has gone down for a section of the building, or a server has crashed, or some BYOD dumbass brought in an infected machine, or a whole bunch of other possible problems. IT can't move to acquire until management approves, and management can't approve until IT can write up the report. But IT can't write up the report until people LEARN TO CHECK THE FARKING WIRES BEFORE THEY CALL.

Also, it's not just YOUR desktop that needs to be secure. IT could barely give less of a damn about your desktop. IT cares more about the NETWORK AS A WHOLE. Hence the restrictions, and why you have to jump through so many hoops to BYOD.

/Yes, that is a sore spot for me.
 
2012-07-06 04:17:42 PM

H31N0US: YMMV. As I said I've not been in that game for several years so I have no idea how the kids do it these days.


The big deal now is more payloads buried inside packets than it is the packets themselves. A firewall is still important, at least for the purposes of preventing probing that can open up a bigger attack, but an IDS capable of deep packet inspection is the way to go if you have a large perimeter. And if you have a really complex setup you can even get monitoring services or more complex devices that will handle the inspection for you and make adjustments to footprints and access rules on-the-fly based on what they're seeing happening to other customers or what they see coming through your gateways.

Dadoo: Yeah, okay. I guess that's the thanks we get for trying to protect you from yourselves. Someone has to stand up to the experts, though, right?


There's no real point arguing with him. He clearly hasn't even the slightest idea what he's talking about and he never has. He's rather infamous on this tab for being strongly opinionated about things he can't clearly explain if you corner him.

I've long suspected he's some upset cubicle jockey doing Classic ASP development in some small software shop in the middle of nowhere and he just takes his frustrations out on Fark by regurgitating semi-technical buzzwords all over geek tab articles instead of putting in the effort required to get some real skills and decent job.

Just pat him on the head and smile, then move on.
 
2012-07-06 04:19:42 PM

friday13: Dood, I can barely call myself an AMATEUR at this, and even I don't know where to start telling you just how wrong you are. Fortunately, there are people on here who know way better than I do who already are, so I'll just pile on and say that CLOUD services were a BOON to IT departments who had to deal with internal servers. It took a good bit of data off of the servers, easing the workload. IT isn't just being all smug because you know how to install a damned program.


Of course, as Dadoo pointed out, an on-site backup of that data would not be a bad idea.
 
2012-07-06 04:19:50 PM

Dadoo: mccallcl: Then the Cloud, so that managers were free to expense their IT costs directly on their expense reports, rather than going down the months-long road of consuming the "services" of provisioning, sizing, installing and deploying hardware, only to have to do it all over again when needs changed. IT couldn't figure out how to streamline this process and do it accurately, so now we use the Cloud to automate away all the guesswork and get things done.

Yeah, that'll be great, when your Internet connection is down for a few hours, and you can't do any business, or your cloud provider's down, and you can't do any business, or your cloud provider screws up your virtual image, and you can't do any business... It'll be even better when you're a small customer and you find out how much someone like Amazon cares about you.


Oh, and here's a surprisingly relevant link my co-worker just sent me:

http://www.cnn.com/2012/07/06/opinion/rushkoff-online-monitoring/index.html?hpt=hp_bn7

Have fun outsourcing your business.
 
2012-07-06 04:21:23 PM

Dadoo: I'd have to question how useful an IPS is, if it only has a subset of the possible signatures.


Unless you turn the feature off, it updates with new signatures automatically. An IPS is essential. The biggest concern now is "legitimate" traffic, especially sourced from port 80, getting to clients and then releasing illegitimate application data that attacks services on the client that can't be protected by an ASA or PIX device.
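The two posts above make the same point from different angles: a port-based rule sees "source port 80, established session" and lets it through, and only something that reads the application payload (the deep packet inspection of the earlier post, the IPS signatures of this one) can tell a web page from an exploit delivered as one. The following is an added illustration, not code from the thread or from any vendor's product. It models a TCP segment as a flow 4-tuple, a sequence number and a payload, uses two constructed signature patterns (hypothetical, not real vendor signatures), and compares a port-only filter, per-segment matching and matching after stream reassembly on constructed sample traffic in which the signature is split across two segments:

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment: a 4-tuple flow key, sequence number and application payload."""
    flow: tuple          # (src_ip, src_port, dst_ip, dst_port)
    seq: int
    payload: bytes


# Constructed signature rules (hypothetical, not vendor signatures): name -> pattern
# searched in the application-layer payload.
RULES = {
    "js-eval-unescape": re.compile(rb"eval\s*\(\s*unescape\s*\(", re.I),
    "exe-in-http-body": re.compile(rb"\r\n\r\nMZ"),
}


def port_filter(seg, allowed_src_ports=(80, 443)):
    """A port-based rule: anything sourced from a 'legitimate' server port passes."""
    return seg.flow[1] in allowed_src_ports


def match_rules(payload):
    """Names of every rule whose pattern occurs in `payload`."""
    return sorted(name for name, rx in RULES.items() if rx.search(payload))


def inspect_per_packet(segments):
    """Naive inspection: each segment is matched on its own."""
    return {(seg.flow, name) for seg in segments for name in match_rules(seg.payload)}


def reassemble(segments):
    """Group segments by flow, order them by sequence number and join contiguous payloads."""
    by_flow = defaultdict(list)
    for seg in segments:
        by_flow[seg.flow].append(seg)
    streams = {}
    for flow, segs in by_flow.items():
        segs.sort(key=lambda s: s.seq)
        buf, expected = bytearray(), segs[0].seq
        for s in segs:
            if s.seq != expected:      # gap or overlap: stop rather than guess
                break
            buf += s.payload
            expected += len(s.payload)
        streams[flow] = bytes(buf)
    return streams


def inspect_streams(segments):
    """Inspection after reassembly: the pattern is matched against the whole stream."""
    return {(flow, name) for flow, data in reassemble(segments).items()
            for name in match_rules(data)}


# Constructed sample traffic. Both flows are sourced from port 80, so a port rule
# admits both; the second one carries a payload split across two segments.
BENIGN_FLOW = ("203.0.113.10", 80, "10.0.0.5", 51000)
EVIL_FLOW = ("198.51.100.7", 80, "10.0.0.5", 51002)
BENIGN = Segment(BENIGN_FLOW, 1000,
                 b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hello</html>")
EVIL_1 = Segment(EVIL_FLOW, 5000,
                 b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<script>eval(unes")
EVIL_2 = Segment(EVIL_FLOW, 5000 + len(EVIL_1.payload),
                 b"cape('%64%6f%63%75%6d%65%6e%74'))</script>")
SAMPLE = [BENIGN, EVIL_2, EVIL_1]   # deliberately out of order


if __name__ == "__main__":
    print("port filter admits all:", all(port_filter(s) for s in SAMPLE))
    print("per-packet hits:", inspect_per_packet(SAMPLE))
    print("stream hits:", inspect_streams(SAMPLE))
```

The port filter admits both flows, per-segment matching finds nothing because the pattern never appears whole in one segment, and only the reassembled stream produces a hit. That is the practical caveat behind "signature subset" arguments: an IPS that does not reassemble (or that stops at a gap, as this one deliberately does) can be evaded by fragmentation no matter how many signatures it has.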
 
2012-07-06 04:22:14 PM

Splinshints: There's no real point arguing with him. He clearly hasn't even the slightest idea what he's talking about and he never has. He's rather infamous on this tab for being strongly opinionated about things he can't clearly explain if you corner him.I've long suspected he's some upset cubicle jockey doing Classic ASP development in some small software shop in the middle of nowhere and he just takes his frustrations out on Fark by regurgitating semi-technical buzzwords all over geek tab articles instead of putting in the effort required to get some real skills and decent job.Just pat him on the head and smile, then move on.


So he's the Geek tab equivalent of the Politics tab's SkinnyHead, tenpoundsofcheese, and Bevets? Works for me.
 
2012-07-06 04:33:43 PM
Dadoo: deeeznutz: Not true at all. I've worked on both for the last 10 years. Both can do stateful packet inspection, failover,

So can a router. Heck, I could set up a Linux machine to do that, for 1/10th the price.
Yeah, that may be true, but can it run with 99.9% uptime and be called an enterprise solution? Why is it that all Tier 1 ISPs use Cisco, Juniper and Checkpoint firewalls, not iptables with high availability, then?

anti-spoofing,

I'll give you that one.

layer 7 content inspections and IPS and much more.

If you're saying a PIX can do that, I'll need a citation.


Anything that is a PIX running version 7.0 or above can do that with a custom inspection class-map. It's on Cisco's site too, though the PIX was phased out years ago by the ASA.

You just get more signatures to monitor when you purchase the SSM card for the ASA and all that does is IDS/IPS.

I'd have to question how useful an IPS is, if it only has a subset of the possible signatures.


That's pretty much all IPS, unless you have full packet capture capabilities on your network and a team available to monitor those packets 24/7/365 for anomalies.
 
2012-07-06 04:34:28 PM
And why are you guys talking about PIX anyway? That's the old shiat.
 
2012-07-06 04:37:39 PM

socodog: And why are you guys talking about PIX anyway? That's the old shiat.


Yeah, old indeed. Just talking about how a PIX can do a lot of the same things an ASA can do on the right software release.
 
2012-07-06 04:41:15 PM

Splinshints: cted by an ASA or PIX device.


And there's where a web application firewall comes into play. Imperva makes a good enterprise-level WAF.
 
2012-07-06 05:21:31 PM

socodog: BYOD sounds great in a perfect world, but all of those devices have to be patched, managed, secured, etc. So what happens if you're a developer at Widget corp and your machine is compromised because it's YOUR machine and is thusly not set up securely? IP gets sucked away. Corporate secrets get stolen and worse. Also, are you going to pay to train your IT drones to service EVERY SINGLE piece of gear that comes in? They generally don't have time to dick around with every type of hardware out there to learn it enough to properly support you. When you or your kid or whatever fark up that shiny new tablet you picked up at Microcenter, you're not going to take it to them to have it worked on. Or worse, you just might.


Well, you could use a VPN with a client that checks for appropriate AV, patch versions, etc. before building up the tunnel. Then they remote into a machine that's actually a VM sitting with a few hundred others in a closet somewhere. IT only has to administer the server, you get all the bonuses of virtualization, a large chunk of your network is reduced to a few machines, and the end user gets the same experience at home or in the office. Hell, then firewall all traffic that's not the appropriate remote desktop client and you don't really even need to worry that much about rogue apps on the user's machine poking around your network. If the user's device is stolen or broken, you're out nothing and hardware upgrades aren't your problem anymore. Not to mention you can make regular backups of every single user's machine w/o co-mingling their work and personal files.

Am I missing some reason why that's not a good idea? I mean other than "they still ask for help when they can't get the VPN app installed." Alright, I'll give you the "can't do work at locations with bad/non-existent connectivity," but I'm sure there's some sort of local checkout/merge mechanism for those fancy VMs, right?
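The design in the post above has two enforcement points: a posture check before the tunnel is built, and a default-deny rule on the far side of the tunnel that admits only the remote desktop protocol to the VDI hosts. The following is an added example of both, not the poster's code or any vendor's VPN or firewall product. The posture baseline (AV running, signatures at most three days old, a "2012-06" patch level, disk encryption), the address plan (VPN pool 10.200.0.0/24, VDI subnet 10.50.0.0/24) and the sample endpoints are all constructed for the illustration:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical posture baseline the VPN concentrator enforces before building a tunnel.
MAX_AV_SIGNATURE_AGE_DAYS = 3
REQUIRED_PATCH_LEVEL = "2012-06"      # "YYYY-MM" patch baseline; string order == date order

# Hypothetical address plan: VPN clients get an address from VPN_POOL, the VDI hosts
# live in VDI_NET, and the only thing a client may reach is the remote desktop port.
VPN_POOL = ip_network("10.200.0.0/24")
VDI_NET = ip_network("10.50.0.0/24")
RDP_PORT = 3389


@dataclass(frozen=True)
class Posture:
    """What the VPN client reports about the endpoint before the tunnel comes up."""
    device_id: str
    av_running: bool
    av_signature_age_days: int
    patch_level: str
    disk_encrypted: bool


def posture_check(p):
    """Return (admitted, reasons). Every failed control is listed so the user can fix it."""
    reasons = []
    if not p.av_running:
        reasons.append("av-not-running")
    if p.av_signature_age_days > MAX_AV_SIGNATURE_AGE_DAYS:
        reasons.append("av-signatures-stale")
    if p.patch_level < REQUIRED_PATCH_LEVEL:
        reasons.append("patch-level-below-baseline")
    if not p.disk_encrypted:
        reasons.append("disk-not-encrypted")
    return (not reasons, reasons)


def vdi_policy(src, dst, dport, proto="tcp"):
    """Default-deny rule for traffic leaving the tunnel: only RDP from the pool to VDI."""
    s, d = ip_address(src), ip_address(dst)
    if s in VPN_POOL and d in VDI_NET and proto == "tcp" and dport == RDP_PORT:
        return "allow"
    return "deny"


def admit(p, assigned_ip):
    """Tunnel setup: a client gets its pool address only if posture passed."""
    ok, reasons = posture_check(p)
    if not ok:
        return (None, reasons)
    if ip_address(assigned_ip) not in VPN_POOL:
        return (None, ["assigned-address-outside-pool"])
    return (assigned_ip, [])


# Constructed sample endpoints.
GOOD = Posture("laptop-01", True, 1, "2012-06", True)
STALE = Posture("laptop-02", True, 14, "2012-06", True)
UNPATCHED = Posture("tablet-03", False, 0, "2012-03", False)

if __name__ == "__main__":
    for p in (GOOD, STALE, UNPATCHED):
        print(p.device_id, admit(p, "10.200.0.17"))
    for dst, port in (("10.50.0.8", RDP_PORT), ("10.50.0.8", 22), ("10.10.0.5", 445)):
        print("10.200.0.17 ->", dst, port, vdi_policy("10.200.0.17", dst, port))
```

The part that does the real work is `vdi_policy`: the posture report is whatever the client chooses to send, so a compromised endpoint can lie about its AV and patch state, but it cannot talk to anything except the VDI hosts on the RDP port regardless of what it reports. That is why the post's "firewall all traffic that's not the remote desktop client" is the stronger of the two controls.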
 
2012-07-06 05:34:16 PM

ProfessorOhki: socodog: BYOD sounds great in a perfect world, but all of those devices have to be patched, managed, secured, etc. So what happens if you're a developer at Widget corp and your machine is compromised because it's YOUR machine and is thusly not set up securely? IP gets sucked away. Corporate secrets get stolen and worse. Also, are you going to pay to train your IT drones to service EVERY SINGLE piece of gear that comes in? They generally don't have time to dick around with every type of hardware out there to learn it enough to properly support you. When you or your kid or whatever fark up that shiny new tablet you picked up at Microcenter, you're not going to take it to them to have it worked on. Or worse, you just might.

Well, you could use a VPN with a client that checks for appropriate AV, patch versions, etc. before building up the tunnel. Then they remote into a machine that's actually a VM sitting with a few hundred others in a closet somewhere. IT only has to administer the server, you get all the bonuses of virtualization, a large chunk of your network is reduced to a few machines, and the end user gets the same experience at home or in the office. Hell, then firewall all traffic that's not the appropriate remote desktop client and you don't really even need to worry that much about rogue apps on the user's machine poking around your network. If the user's device is stolen or broken, you're out nothing and hardware upgrades aren't your problem anymore. Not to mention you can make regular backups of every single user's machine w/o co-mingling their work and personal files.

Am I missing some reason why that's not a good idea? I mean other than "they still ask for help when they can't get the VPN app installed." Alright, I'll give you the "can't do work at locations with bad/non-existent connectivity," but I'm sure there's some sort of local checkout/merge mechanism for those fancy VMs, right?


It'd have to be written in C# or some other coding language that doesn't need to be re-compiled for each OS that could connect, but that would work, I think.

Of course, that's assuming I'm remembering right that languages like C++ have to be recompiled differently for both Windows and Mac...which I'm probably not...
 
2012-07-06 05:47:52 PM

ProfessorOhki: socodog: BYOD sounds great in a perfect world, but all of those devices have to be patched, managed, secured, etc. So what happens if you're a developer at Widget corp and your machine is compromised because it's YOUR machine and is thusly not set up securely? IP gets sucked away. Corporate secrets get stolen and worse. Also, are you going to pay to train your IT drones to service EVERY SINGLE piece of gear that comes in? They generally don't have time to dick around with every type of hardware out there to learn it enough to properly support you. When you or your kid or whatever fark up that shiny new tablet you picked up at Microcenter, you're not going to take it to them to have it worked on. Or worse, you just might.

Well, you could use a VPN with a client that checks for appropriate AV, patch versions, etc. before building up the tunnel. Then they remote into a machine that's actually a VM sitting with a few hundred others in a closet somewhere. IT only has to administer the server, you get all the bonuses of virtualization, a large chunk of your network is reduced to a few machines, and the end user gets the same experience at home or in the office. Hell, then firewall all traffic that's not the appropriate remote desktop client and you don't really even need to worry that much about rogue apps on the user's machine poking around your network. If the user's device is stolen or broken, you're out nothing and hardware upgrades aren't your problem anymore. Not to mention you can make regular backups of every single user's machine w/o co-mingling their work and personal files.

Am I missing some reason why that's not a good idea? I mean other than "they still ask for help when they can't get the VPN app installed." Alright, I'll give you the "can't do work at locations with bad/non-existent connectivity," but I'm sure there's some sort of local checkout/merge mechanism for those fancy VMs, right?


All fine and dandy until one of them unloads a rootkit onto the VM they're sitting on that burrows into the hypervisor and sets up shop.
 
2012-07-06 06:18:19 PM

BumpInTheNight: All fine and dandy until one of them unloads a rootkit onto the VM they're sitting on that burrows into the hypervisor and sets up shop.


Sure, that's a risk. But if a piece of malware can get through the OS on a VM IT created and maintains, then break out of the virtualization environment (which is current and patched) and THEN install itself into machine running the hypervisor (which is current and patched)...

I can't help but think you wouldn't have had much better luck with company-mandated workstations in the same situation. Because at part one of "rootkit" it would have compromised any given machine in your network and happily spread itself to all the others. Which is more trustworthy? Your network gear at catching infections as they travel the LAN, or a hypervisor at maintaining isolation? I honestly don't know; I'm not an IT guy.

I'm just saying that BYOD doesn't necessarily imply BYO OS and software.
 
2012-07-06 06:31:36 PM

ProfessorOhki: BumpInTheNight: All fine and dandy until one of them unloads a rootkit onto the VM they're sitting on that burrows into the hypervisor and sets up shop.

Sure, that's a risk. But if a piece of malware can get through the OS on a VM IT created and maintains, then break out of the virtualization environment (which is current and patched) and THEN install itself into machine running the hypervisor (which is current and patched)...

I can't help but think you wouldn't have had much better luck with company-mandated workstations in the same situation. Because at part one of "rootkit" it would have compromised any given machine in your network and happily spread itself to all the others. Which is more trustworthy? Your network gear at catching infections as they travel the LAN, or a hypervisor at maintaining isolation? I honestly don't know; I'm not an IT guy.

I'm just saying that BYOD doesn't necessarily imply BYO OS and software.


I'd put more weight on the network gear, because it's just a bit harder to hack into, IIRC. Of course, both scenarios assume there's someone paying attention well enough to actually catch the damn thing...
 
2012-07-06 07:59:39 PM
Using the TSA as an analogy is way better than I could have done myself. Bravo!
 
2012-07-06 09:34:22 PM

s1ugg0: Want to get pleasant, helpful answers out of a NOC tech do the following:
-Explain what you were trying to do.
-Explain what you expected to happen.
-Explain what actually happened.


Or... you'll call in to say that you're a remote worker trying to synchronize Siebel Remote through the VPN, and it is filtering out the connection request.
-You will tell them that the VPN authenticates properly
-You will tell them you have access to the internet
-You will tell them you have access to the intranet
-You will tell them you have read-write access to shared drives
-You will tell them you have terminated and re-authenticated the VPN client
-You will tell them you have cleared the cache and temp directories
-You will tell them you have rebooted the PC
-You will tell them that the Siebel synchronization connection is the ONLY thing being refused, and that the VPN client is the only difference between synchronizing at home and synchronizing from an office.

They will dick around for 30 minutes, asking you to repeat everything you have already done BEFORE calling them, and then ask you what Siebel is...
 
2012-07-06 10:08:23 PM
Firewall... something about Harrison Ford's family getting kidnapped? Or was that the other one.
 
2012-07-06 11:16:13 PM

ProfessorOhki: BumpInTheNight: All fine and dandy until one of them unloads a rootkit onto the VM they're sitting on that burrows into the hypervisor and sets up shop.

Sure, that's a risk. But if a piece of malware can get through the OS on a VM IT created and maintains, then break out of the virtualization environment (which is current and patched) and THEN install itself into machine running the hypervisor (which is current and patched)...

I can't help but think you wouldn't have had much better luck with company-mandated workstations in the same situation. Because at part one of "rootkit" it would have compromised any given machine in your network and happily spread itself to all the others. Which is more trustworthy? Your network gear at catching infections as they travel the LAN, or a hypervisor at maintaining isolation? I honestly don't know; I'm not an IT guy.

I'm just saying that BYOD doesn't necessarily imply BYO OS and software.


The entry point, though, is at least predictable without BYOD in place; otherwise you're trying to anticipate *any* device's potential vulnerability, which in terms of smartphones is about the same as trying to counter viruses circa '97.
 
2012-07-06 11:33:20 PM
We have 30 or so ports on our Juniper firewalls. Every device has its own port in its own zone. Jr Admin comes to me two weeks ago and said he had a great idea for reducing the complexity of the firewall rules by putting everything in a trusted, untrusted or DMZ zone and dumping the 60 or so zones we already have. Did the 80s call and want their firewall design back?

The last thing we found doing a random port scan was on a development virtual machine that had been VPNed to a client's development network. My "trust" level of the developers' network is lower than the trust level of the Internet and they keep proving to me how correct that decision is.
 
2012-07-07 12:23:53 AM
Remember back in the day (which was a Tuesday, BTW) when they called it "The Internet"? When did they change the name to "The Cloud"?
 
2012-07-07 12:45:48 AM

DON.MAC: We have 30 or so ports on our Juniper firewalls. Every device has its own port in its own zone. Jr Admin comes to me two weeks ago and said he had a great idea for reducing the complexity of the firewall rules by putting everything in a trusted, untrusted or DMZ zone and dumping the 60 or so zones we already have. Did the 80s call and want their firewall design back?

The last thing we found doing a random port scan was on a development virtual machine that had been VPNed to a client's development network. My "trust" level of the developers' network is lower than the trust level of the Internet and they keep proving to me how correct that decision is.


I'm a fan of folks that take the time to segment everything and then just put in ip/any rules. Can't count how many times I've seen that.
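The two posts above describe the failure from both sides: a zone-per-device design only buys something if the policies between zones are specific, and an any/any permit between two zones quietly turns them back into one flat network. The same kind of mistake hides a specific rule behind a broader earlier one so the specific rule never fires. The following is an added example, not Juniper configuration or anyone's production linter. It uses a vendor-neutral rule representation (hypothetical field names) and a constructed four-rule policy with a dev-VM zone, a corporate zone, a VPN pool and a VDI subnet, and flags both any/any/any permits and shadowed rules:

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    """One zone-to-zone policy entry (hypothetical, vendor-neutral representation)."""
    name: str
    from_zone: str
    to_zone: str
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    app: str        # "any" or "proto/port", e.g. "tcp/3389"
    action: str     # "permit" or "deny"


def _net(s):
    return ip_network("0.0.0.0/0") if s == "any" else ip_network(s)


def covers(broad, narrow):
    """True when `broad` matches every packet `narrow` would, so `narrow` never fires."""
    return (broad.from_zone == narrow.from_zone
            and broad.to_zone == narrow.to_zone
            and _net(narrow.src).subnet_of(_net(broad.src))
            and _net(narrow.dst).subnet_of(_net(broad.dst))
            and broad.app in ("any", narrow.app))


def lint(rules):
    """Findings as (rule name, message), in policy order."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "permit" and (r.src, r.dst, r.app) == ("any", "any", "any"):
            findings.append((r.name, "any/any/any permit makes the zone pair one flat network"))
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings.append((r.name, f"shadowed by earlier rule {earlier.name}"))
                break
    return findings


# Constructed sample policy: a dev VM zone, the corporate LAN, the VPN pool and the VDI hosts.
SAMPLE_RULES = [
    Rule("dev-to-corp-any", "dev-vm", "corp", "any", "any", "any", "permit"),
    Rule("vpn-rdp", "vpn", "vdi", "10.200.0.0/24", "10.50.0.0/24", "tcp/3389", "permit"),
    Rule("vpn-rdp-block-host", "vpn", "vdi", "10.200.0.0/24", "10.50.0.8/32", "tcp/3389", "deny"),
    Rule("dev-to-corp-https", "dev-vm", "corp", "10.60.0.5/32", "10.10.0.20/32", "tcp/443", "permit"),
]

if __name__ == "__main__":
    for name, msg in lint(SAMPLE_RULES):
        print(f"{name}: {msg}")
```

Run against the sample, the linter reports the any/any permit from the dev-VM zone (exactly the low-trust network the earlier post scanned), the host-specific deny that sits uselessly behind the broader RDP permit, and the specific HTTPS rule that the any/any permit makes unreachable. First-match policy engines evaluate top down, so the order check only looks at earlier rules; it deliberately treats a gap as "not covered" rather than guessing about partially overlapping ranges.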
 
2012-07-07 01:09:00 AM
Firewalls are straight BS. The only reason for a hardware firewall is because your hosts are accepting untrusted connections in the first place when they should not, and not validating their inputs - which means you fail IT. The network is not trusted. One compromised host inside your firewall and you're PWN3D.

For an added bonus, hardware firewalls are hosts and can be compromised too.
 
2012-07-07 01:17:46 AM

symbolset: Firewalls are straight BS. The only reason for a hardware firewall is because your hosts are accepting untrusted connections in the first place when they should not, and not validating their inputs - which means you fail IT. The network is not trusted. One compromised host inside your firewall and you're PWN3D.

For an added bonus, hardware firewalls are hosts and can be compromised too.


Translation - "I don't know what a firewall is."
 
2012-07-07 03:38:23 AM

FrAnKiE!!!!: Translation - "I don't know what a firewall is."


Oh, I know what it is. I was schooled in that cult. I'm just reformed.

A hardware firewall was originally just a router that prevented hosts in the untrusted zone from connecting on their own initiative to hosts in the trusted zone, sometimes doing NAT translation as well. Modern hardware firewalls can inspect outbound sessions also, limiting connections to a whitelist or proscribing a blacklist, or using deep packet inspection in both directions to prohibit certain information from being passed - and these are probably good things. The featureset has expanded quite a bit to include web proxies and cache, VPN access, DNS restrictions and a number of other things. Firewalls can be used to segment business divisions as well, and compartmentalize an enterprise from excess information leakage or the spread of malware.

The base fallacy of such technology as a protector of hosts in the trusted zone from the evil influence of hosts in the untrusted zone is that such a thing as a "trusted zone" exists when it does not. It's in the name: "firewall", i.e. a barrier to protect one side with vulnerable parts from the potentially burning side - taken I believe from automotive or aviation nomenclature for the barrier between the place where people sit and the place where fuel is used.

Any host with Internet access can be compromised - and quite a few that are even air-gapped (see Iran's recent issues, not just one but three: "stuxnet", "duqu" and "flame"). Once it's compromised if it's on a network that believes in trusted zones it can compromise all the hosts in that zone - even hosts that are not normally considered hosts: firewalls, iSCSI SAN devices, FC SAN devices (yes, it's true!), routers, intelligent switches, relatively "dumb" industrial control devices, printers and so on. Sometimes the host moves outside the "trusted zone" to be compromised and then comes back in to ruin your day: see "road warrior," "CIO's laptop" and "BYOD" for examples.

Since there is in practice no such farking thing as a "trusted zone" there is no need for a device to separate it from the "untrusted zone". The network is not trusted, ever, by any device - unless you have no secrets whatsoever.

Also please review the military definition of trust: the level of access you grant another to do you harm.
 