120 posts • joined 21 Oct 2010
Re: The scary bit
This has actually happened to me. I got the job so never sued but when I asked to see the background check that two HR ladies were laughing about I saw that I had been arrested in Alabama for theft, grand larceny, skipping out on numerous phone bills and apartment leases, and identity theft. The reason I got the job anyway, and why they were laughing, is that the mugshot was very apparently not me. HR knew this because I had been working as a contractor and they knew what I looked like. How could they get this so wrong when there are actual mug shots of me in the world?
Bonus for me: found out my identity had been stolen.
Come on, who is this clown?
If this article had not used the word "iPad" and been written in 1995 I maybe could have taken it seriously. As written it seems to come from a petulant upstart of an intern who just finished uni.
The fact of the matter is 7-nines is easy to architect though not always easy to fund. If the business truly requires it they will fund it at which point you'd better have all your system wide MTBF and MTTR calculations well and truly complete.
How do I know this is easy? Been designing 24x7x365 architectures for datacenters and manufacturing operations since 1996. In fact, I just recently found out that an office/factory network I designed in 1999 for the world's largest private ice cream maker has had less than 4 hours of unscheduled downtime in 13 years. (And the only days for scheduled downtime are Thanksgiving, Xmas Eve and Xmas, so you can guess how we often spent our holidays.)
It would have been nice to know this before my WebEx with customers yesterday...
So many problems. First I upgraded to Mountain Lion recently and suddenly all my ASDM applets to my Cisco ASA firewalls stopped working, instead prompting me with the "you must install the new Java 6" blah blah blah. Even trying to load the old Java control panel caused this. Damn. Upgraded to Java 6 and the ASDM still doesn't work because it's not compatible. Double Damn.
Then I tried to enter a WebEx session and found out I had no Java plugins. WTF?!? So I clicked the link to Oracle's site. Needed it now so downloaded and found out two more problems:
It's Java 7 and it totally disabled Java 6 on my mac. More compatibility problems. Triple Damn. Oh, and the plugin is 64-bit only so it won't work on Chrome, only Safari and FF. Quad-Damn, treble damage, game over.
Re: Big Fish
Word in security circles is that the sheer volume of these attacks, in excess of 6 Gbps, coupled with the fact that they are multivector attacks makes them very difficult to defend against. Certainly it can be done, but at what cost? Is it really worth €50,000,000 to prevent the occasional 24 hours downtime for single customer web access? For a gambling website, each and every transaction generates revenue and is their primary source of revenue. For banks, web access is a cost center, not a revenue generator.
The last place I worked we would throw a funeral wake for anyone promoted from front lines to management to mourn the IQ points that were going to be lost.
Um, no. SDN is a concept wherein all the network parts are stupid and the brains/control are centralized. OpenFlow is an implementation of SDN. Various switch/router vendors have implemented (at least parts of) the OpenFlow client specification. Some vendors have created devices or software which implement the controller specification. Clients are dumb boxes with lots of ports and get all of their configuration from the controller. Both controller and client are required for a working installation.
If you are familiar with WLAN evolution it is very similar. At one point, all wireless LANs were made up of stand-alone access points where each AP had to be configured independently. As you can imagine, this scales very poorly in environments with hundreds of APs. Nowadays you can still deploy that way or you can use the newer methods where the actual APs are just dumb radios which load their configuration from the WLAN controller. Here the radios are non-functional without the controller; in OpenFlow the switches are equally useless without a controller.
Of course there are variations to this theme, but you get the general idea.
I don't recall SNMP being sold as the end of all management but I won't argue it either. But SDN isn't just about device management, it's also about traffic management. Right now you have to design layer 1, 2 and 3 for any enterprise scale design. When doing that you have to take into account redundant pathing, spanning-tree topologies, routing topologies and convergence time of all of these protocols in a failure situation.
With SDN you can actually slap your switches together any way that works with your physical topology (rings, stars, daisy chains, triangles, etc). You can string as many lines between devices as you would care to and you can create as many loops as you want. The SDN controller manages flows so that all paths from A to B can be utilized and load shared. Even better you don't have blocked or unused links a la STP, you don't have to set up port LAGs on each pair of devices with multiple links, and this is the best part: no convergence time ever! Just like there's no convergence time on a LAG group when a link fails, with OpenFlow there's no routing or STP convergence time for node or link failure.
That bears repeating: no convergence time. That's huge. Many a career was built by engineers who knew how to tweak routing protocols and STP down to a gnat's ass in order to get lowest possible convergence times. With SDN that special skill is no longer required.
Oh, and you can ignore STP, or TRILL or whatever the new loop correction protocol of the day is.
At least that's how I see it.
This this this this this!
I run two datacenters with equipment from Dell, HP, Cisco, Extreme, 3Com (redundant, I know), A10, Brocade, Palo Alto and Juniper. Plus I'm responsible for the networks in a number of small SMBs locally. This adds up to tens of thousands of touch points for configuration. Reducing this to 1 or even 20 touch points would majorly impact my bottom line. Heck, plug this into OpenStack and the cloud operators will be doing network stuff without even knowing it since the local SDN controller will do their bidding, but under my conditions and constraints. I may not have as much billable time per client, but I will have a lot more time for clients I currently turn away.
All good from my pov.
Everything old is new again..
So, they take some modular computing (blades), modular storage (hot swap drives in blade form), modular network, drop it all in a single box and make it all remote access only and this is somehow new? Can you say "mainframe"? Good, I knew you could.
Now get off my lawn...
So the baked in VM security and networking is on par with Cisco, Tipping Point, Big5, SourceFire, Palo Alto and the like? And server admins are going to be able to build highly secure hosting infrastructures just by clicking a few buttons? What are you smoking because I want some too.
Somehow this greybeard networking and security professional is not shaking in his proverbial boots.
Reachable from? Perhaps no. Reachable to? Most certainly. I work for a very small hosting company and while we have only 2 /24s worth of publicly reachable hosts, we have at least twice as many internal devices supporting these hosts that occasionally need to download virus updates, OS updates, code files, database backups, NTP, etc. Think switches, routers, internal firewalls, database servers, NAS components, SAN components, monitors, smart PDUs and UPSes, NTP disbursers, user machines etc.
Should GE and HP and Apple have to give up unused space? Maybe. Will it make a difference? No.
Re: finguered by your MAC
Not only MS uses IPv6 privacy extensions: they're written into the spec. RFC3041 started it, RFC4941 supersedes that.
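The point above is that without privacy extensions the interface identifier is derived from the MAC address (modified EUI-64, RFC 4291 Appendix A), which is what makes a host fingerprintable; RFC 4941 temporary addresses use a random identifier instead. The following added example (not from the original post) builds the EUI-64 form from a constructed MAC and shows how an auditor can spot addresses that still embed one; the addresses and MAC are made up for illustration.

```python
import ipaddress
from typing import Optional


def eui64_address(prefix: str, mac: str) -> str:
    """Form the stable (non-privacy) address a host would pick from a /64
    prefix and its MAC, per RFC 4291 Appendix A: split the MAC, insert
    ff:fe, and flip the universal/local bit (0x02) of the first byte."""
    mac_bytes = bytes.fromhex(mac.replace(":", ""))
    if len(mac_bytes) != 6:
        raise ValueError("expected a 48-bit MAC")
    first = mac_bytes[0] ^ 0x02
    iid = bytes([first]) + mac_bytes[1:3] + b"\xff\xfe" + mac_bytes[3:]
    net = ipaddress.IPv6Network(prefix, strict=False)
    addr_int = int.from_bytes(net.network_address.packed[:8] + iid, "big")
    return str(ipaddress.IPv6Address(addr_int))


def embedded_mac(addr: str) -> Optional[str]:
    """Return the MAC embedded in an address, or None if the interface
    identifier does not look like a modified EUI-64.

    Heuristic: bytes 3-4 of the 64-bit identifier are ff:fe. A random
    RFC 4941 identifier matches this by chance only 1 in 65536 times, so
    treat a hit as 'probably not using privacy extensions', not proof."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the U/L bit flip to recover the OUI byte
    mac = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def audit(addresses) -> dict:
    """Map each address to its embedded MAC (or None). A defender can run
    this over neighbour tables or flow logs to find hosts that expose a
    hardware identifier across networks."""
    return {a: embedded_mac(a) for a in addresses}


if __name__ == "__main__":
    # Constructed sample values, not real hosts.
    mac = "00:1b:21:3c:4d:5e"
    stable = eui64_address("2001:db8::/64", mac)
    privacy = "2001:db8::8a2e:370:7334:abcd"
    for address, leaked in audit([stable, privacy]).items():
        print(f"{address:40} embedded MAC: {leaked}")
```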
Re: @Kirbini - @Lee: close but not quite
Complexity in anything is an avenue to mistakes. Mistakes lower security and so yes, NAT is bad. NAT isn't complex for me, but it might be for the guy who comes up behind me. These "idiotic" protocols were not broken before NAT and many a manhour was wasted trying to rewrite them to accommodate NAT. NAT is the problem here, not the solution. Just because all this work happened while you were still suckling mommy's teat doesn't make the current state of affairs the correct one.
And no, embedding an IP into a data portion of the packet is not breaking it. It is only broken in the face of NAT which does not inspect the data. If all endpoint IPs are visible end to end, it doesn't matter what's embedded in the packet, they still arrive at their destination unmolested.
I will give one accedence to FTP, it's a strange goose anyway but only broken for stateless firewalls; all the NAT in the world will not fix this.
My original point stands: NAT does not improve security, it merely adds a level of obscurity and to beat a dead horse, security through obscurity is nothing in the face of persistent threats.
Re: @AC 14:52
I'm afraid you're confusing firewallness with NATness. Pray tell, how is "preventing external hosts directly connecting to inside hosts" a function of NAT at all? NAT simply creates a temporary ACL that says: a trusted host sent a packet to host A on port Z; allow return traffic from that host and port; drop everything else. Once the connection is torn down that temporary ACL goes away. How is that different than a reflexive or stateful ACL other than there's NAT to muck things up?
Give me a stateful packet filter and I can do everything your NAT can do and then some. Give you a NAT only box, even with packet filtering, and you can't come close unless you include fixes for IPSEC, FTP, RSTP, SIP, IM, etc.
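To make the "temporary ACL" argument concrete, here is an added toy model (not from the original post or any product) of a stateful packet filter with an optional NAT mode. The connection table is the same object in both modes; NAT only adds address rewriting on top, and the allow/drop verdicts come out identical. Packets, addresses and ports are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    fin: bool = False  # simplified teardown marker


class StatefulFilter:
    """Admit inbound packets only if they belong to a flow an inside host
    opened. With nat_ip set the outside sees a translated address; the
    decision logic does not change."""

    def __init__(self, inside_net: str, nat_ip: Optional[str] = None):
        self.inside = ipaddress.ip_network(inside_net)
        self.nat_ip = nat_ip
        self.next_port = 50000
        # inside 4-tuple -> key as seen from outside
        self.flows: dict = {}
        # (remote_ip, remote_port, outside_ip, outside_port) -> inside owner
        self.table: dict = {}

    def process(self, pkt: Packet) -> str:
        if ipaddress.ip_address(pkt.src) in self.inside:
            return self._outbound(pkt)
        return self._inbound(pkt)

    def _outbound(self, pkt: Packet) -> str:
        inner = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if inner not in self.flows:
            if self.nat_ip:  # NAT mode: fresh outside port, once per flow
                out_ip, out_port = self.nat_ip, self.next_port
                self.next_port += 1
            else:            # transparent mode: addresses pass untouched
                out_ip, out_port = pkt.src, pkt.sport
            key = (pkt.dst, pkt.dport, out_ip, out_port)
            self.flows[inner] = key
            self.table[key] = inner  # this entry is the "temporary ACL"
        return "allow"

    def _inbound(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.table:
            return "drop"  # unsolicited: no inside host asked for this
        if pkt.fin:        # teardown: the temporary ACL goes away
            inner = self.table.pop(key)
            self.flows.pop(inner, None)
        return "allow"

    def public_side(self, src, sport, dst, dport):
        """Address:port the remote peer must reply to for this flow."""
        return self.flows[(src, sport, dst, dport)][2:4]


def run_scenario(nat: bool) -> list:
    """Same packet sequence against a NAT box and a transparent filter."""
    fw = StatefulFilter("10.0.0.0/24", "192.0.2.1" if nat else None)
    v = [fw.process(Packet("10.0.0.5", 40000, "203.0.113.10", 443))]
    rip, rport = fw.public_side("10.0.0.5", 40000, "203.0.113.10", 443)
    v.append(fw.process(Packet("203.0.113.10", 443, rip, rport)))   # reply
    target = "192.0.2.1" if nat else "10.0.0.5"
    v.append(fw.process(Packet("198.51.100.7", 12345, target, 22)))  # cold
    v.append(fw.process(Packet("203.0.113.10", 443, rip, rport, fin=True)))
    v.append(fw.process(Packet("203.0.113.10", 443, rip, rport)))   # stale
    return v
```

Both `run_scenario(True)` and `run_scenario(False)` return allow, allow, drop, allow, drop: the reply is admitted, the unsolicited SSH attempt is not, and once the flow is torn down even the known peer is refused.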
Re: @Steve: try again
It's nice you can do cool stuff with NAT and IPS. Tell me, in a network with enough public IPs for every internal need, what can you do with NAT that I can't do with stateful ACLs?
Relevant note: I've been building packet filters since the late '80s. I had a hand in developing the early ip masquerade code in Linux-386 and worked closely with a large firewall vendor on their early NAT implementations. Some believe this qualifies me as a subject matter expert. YMMV.
@Lee: close but not quite
I deploy IPv6 for a living. I do not deploy NAT. Why? NAT breaks protocols and introduces unnecessary complications in what can be very confusing security policies. If I deploy a good firewall that prevents inbound connections to my IP (v4 or v6) address, then who gives a rat's ass if you know my IP or not? You still can't reach it. NAT does nothing to improve this posture.
NAT translates addresses; period. Firewalls prevent inbound connections; period. The two may dance but saying NAT is security is like saying a towel over your head is effective protection from a ravenous lion. (Ravenous Bugblatter Beasts are another matter and outside of this discussion)
The only reason I have ever deployed IPv4 NAT was because there weren't enough public addresses available to use internally. Transparent is the only way to go. Everything else is doctrine you'd be best off forgetting.
@Steve: try again
Even in your very specific example it is not NAT that is providing the security: it is the firewall that is preventing an inbound connection just like the lock on my front door (mostly) prevents you from entering my flat. NAT is not the security, the firewall is. Any firewall will provide this exact same level of security whether or not NAT is being employed. (ever hear of transparent mode: no NAT, same security)
What NAT does do is allow you to obscure your assigned IP from the heathens at large. However as everyone on this board knows, there is no security through obscurity.
Re: IPv6 less secure because of lack of NAT?
It bears repeating: NAT != security; NAT == borked protocols.
I'll confirm it
Seriously, they can't afford something more secure than WordPress? I work for a hosting company and 98% of all successful compromises we see come through WP. I'll give 10 to 1 odds to anyone who can show that WorstPress was not the vector for this compromise.
... commas are your friend.
Re: sorry UK readers
I would change that title to "sorry all non-US readers except Canadians"
Cause, you know, fuck Canada.
I've only 3 followers...
Does that make me even more authentic than you?
No STP, eh?
Pray tell, how is it you design large scale, highly available and redundant ethernet infrastructures without STP these days?
I agree STP is the bane of any networker's existence, but a thorough understanding of it has literally built my career. Can't wait to start using some sort of SDN or TRILL or something else, though. (Too bad my clients are all cheap bastards.)
Koch brothers takeover of IEEE?
The IEEE article sounds like the sort of rubbish the Tea Party would issue against the president if he was a coder and they were smart enough to know what an operating system is.
Re: Also, Reg, if you have time
And you would be incorrect.
You are correct in noticing that there is no such thing as Sanford University (El Reg, please note) but there is also no single University attached to the lab. The independent lab is named after its primary backer T. Denny Sanford who donated $70 million to create it. The principal researcher is from Berkeley and the second researcher in command is from the South Dakota School of Mines and Technology.
As an aside, T. Denny made his money in the credit card business selling 79% interest rate credit cards to those in need (South Dakota is notorious for lax laws regarding credit). Just about everything in SD has had his name attached to it in the last decade as he likes to give his money away in startlingly large sums. $400 million to a local medical/hospital group (which promptly renamed to Sanford Health and instantly became the big kid on the block in local clinics, hospitals and the like), $45 million for a health facility/arena, $50 million to build clinics in South America, $20 million to expand hospitals in Aberdeen, SD (population 26,000; approximately $10,000 per person within 100 miles). You get the picture.
Re: the attorney betrayed the trust of his employer?
Huawei are a reputable company trusted to supply core network equipment (voice and data) to almost all the world's biggest telcos
Thanks. You just gave me the best laugh of the week.
Pentalobe screws are not proprietary, they're just uncommon. Torx screws were once in that same category but are now as common as dirt. If you need to, you can source all sizes of drivers for them online and at some tool shops for a few pence.
You do realize that you're bitchin' about not being able to upgrade your 6-year-old laptop. I dare you to find me a Windows laptop that old from any vendor that can run Windows 7 without puking rainbows out its DVD drive.
...spread like gossip, for as anyone knows, nothing travels faster.
(Kudos to Jim Henson and The Storyteller for that one)
Re: Data based science?
What the hell are you on about? The whole report is based on decades of OBSERVED DATA otherwise known as PHYSICAL FACTS.
Are you a troll or just thick?
Re: @Bob and lower IQ
@Peter, I'm afraid you're the one who comes off as outdated. When's the last time you actually used OSX?
Like this: "What's more, at least MS don't have the habit of orphaning tech with each new release, forcing users to upgrade to stay current like Apple do". You've got that completely backwards. Apple has done this exactly ONE time since OSX debuted and that was the switch to Intel processors. But even then I didn't have to abandon any printers, external drives or other peripherals. My old PowerPC iMac (10 years old and still used daily) and my new PowerBook still run ALL of my hardware, old and new. How many times have you had to abandon some piece of hardware because there was no Win7 (or Vista, or XP) driver for it? I guarantee it's more than "none".
On laptop sleep, you too are ignorant of the facts. I have had a new, top of the line Windows laptop issued to me every 18 months since the late 90s. I have NEVER had one that I could reliably close and re-open more than ten times in a row without a reboot, which is usually less than a day for me. However, my PowerBook can go months (or longer, never really tried to measure) with the same closing ten or more times per day without ever needing a reboot.
I'm a network engineer. I carry a Windows laptop because I'm required to. I carry a Mac laptop because it allows me to be more productive. Don't get me wrong, I'm not saying there is no place for Windows machines, it's just that your argument holds no relationship to my, and many others', reality.
vSwitch and OpenFlow?
Color me impressed.
Sign of the apocalypse?
If we need to rely on MS for SSO help then all is lost...
Re: A fool and their data @Meik
Bikes are not different per se, just the ability to ride them.
We are Americans; we drive big cars. Bicycles simply slow things down and get in the way. Bicyclists are namby-pamby PETA-loving hippies and not to be trusted. Indeed we take every opportunity to run them off the road should we encounter one. If it has 2 wheels it better have one damn big-and-loud motor or be a trailer hauling some form of large-motored recreational vehicle.
I'm not sure how you missed that.
PS. Next time I'll remember to use the joke icon.
Re: A fool and their data @Meik
How quaint. You've not been to America then, have you?
Screw the technology
Where's my pangalactic gargle blaster?
Full speed ahead
If this is what we should expect, then more posts from the pub please.
Re: Probably 95%...
As I sit in my office on the Northern Great Plains and watch the first inch of (a predicted) 7 blow horizontally past my window, I am pleasantly reminded by Mr. Naismith that indeed, there are places in the world where winter is not 6 months long.
I shall keep visions of your warmer climes in my head while I shovel myself out of a ditch later today.
Nest for me
If you read about the Nest thermo controller you'd find that all these new gadgets are just the same old thermos with some fancy new access methods. The Nest pays attention to your schedule, how many people are in the house, and a bunch of other stuff and automatically adjusts temps to your preferred time and temp. Pretty ingenious really.
But I'm getting the impression that you in the UK are tied to boilers and radiators still. That true? Is that why @Nigel says he won't get a Nest until it supports "mains switching"? (I don't even know what that is.)
Us Yanks tend to use natural gas fired forced air furnaces or electric baseboards for heat. These can be somewhat less fiddly than proper boilers and such. Anyone care to illuminate?
I've asked this before but here I go again...
What's the big deal here? So what if their hypervisor is not supported. Aren't their operating systems supported on XenServer and KVM already? And I thought Hyper-V was a giveaway anyway. So, unless I'm wrong (that'd be a first ;-), MS can still sell Windows into OpenStack clouds even without Hyper-V support.
RE: STP, RSTP, TRILL et al...
Doesn't OpenFlow networking make all the loop prevention protocols obsolete? I was under the impression that software defined networking could create dynamic, loop-free forwarding paths across any network topology thereby eliminating the need for loop control.
Ok, I guess I forgot to knock on wood before I posted. I just had my first crash. In the middle of a stupid Zynga game (Scramble With Friends) so the blame could go to them as well.
Completely locked up and had to do a hard reset. Not fun. Not happy. I formally withdraw my previous comment (but will leave it up so all and sundry can witness my humiliation).
I hear this all the time too
but never have experienced it.
I bought a 4S on release day and use it heavily. I don't think I've ever even force rebooted it let alone had anything ever crash on me. I've also never experienced any battery draining issues; there's usually 1/4 to 1/2 battery left when I dock it next to the bed at night.
Personally I've never been happier with a phone. So I guess there's that.
hit that nail with a sledge hammer
Bandwidth has become so cheap that the original purposes of WAN optimizers is passing away. So you know, they gotta reach for something.
But how many have been returned?
I know 5 people who bought Kindles for Jebus Day and to a person they've all been returned. Too small, too slow, not enough features, not an iPad, etc. But mostly it was down to dashed expectations.
So in my (admittedly small) experience, that's 100% return rate. I'm guessing that's not what Amazon were going for.
I don't follow...
Ok, Windows operating systems can run on top of 64-bit XEN and KVM hypervisors, no? And OpenStack can manage these hypervisors, correct? So what's to prevent me from running Windows servers in an OpenStack cloud with either of those?
Hyper-V is certainly important to MS's ambitions but I fail to see how losing support for it keeps MS out of OpenStack clouds...
I don't trust any of the bastards so we went one better and built our own multi-site *anycast* dns (there's no such thing as multicast DNS). Multi server clusters in geographically dispersed locations.
Of course, we own the datacenters so it was really a no brainer.
Crap, I forgot about that part...
My ISP does indeed block outgoing port 25 requests. Makes it quite difficult to test whether or not a member of our email bank is functioning properly. Usually have to VPN somewhere else to do that. I suppose I could set up a permanent tunnel and route email that way.
Less interference? Don't think so.
"The standard has other tricks up its sleeve to boost throughput. It widens the 5GHz band's sub-channels from 802.11n's 40MHz to 80MHz and 160MHz, reducing the data-slowing impact of interference from other networks on other channels."
Ok, let me get this straight. You widen the channels thereby creating even more channel overlap and that's supposed to decrease interference? Um, that's not really how it works.