
Consolidated Business & Enterprise Computing Rant Thread

Discussion in 'Business & Enterprise Computing' started by elvis, Jul 1, 2008.

  1. itsmydamnation

    itsmydamnation Member

    Joined:
    Apr 30, 2003
    Messages:
    10,640
    Location:
    Canberra
    That's why you have more than one zone: position your ADCs inline between the outer and inner firewalls and Bob's your uncle. I have never seen an application that requires more than 4 DMZs (in 10 years, and I have done work for a lot of clients). You then use private VLANs for isolation of hosts within each DMZ.

    There are so many differences between the two at the most fundamental levels. CBF explaining really. I'm sure ICA can, if he CBF.
     
  2. greebs

    greebs Member

    Joined:
    Dec 30, 2001
    Messages:
    958
    Location:
    Melbourne
    Of course they let it out. Enforces the message that some people out there are bad and need to be dealt with.
     
  3. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    13,246
    Location:
    Brisbane
    As long as you don't put all your eggs in the network segmentation basket with regard to attackers pivoting, that's okay.
     
  4. GumbyNoTalent

    GumbyNoTalent Member

    Joined:
    Jan 8, 2003
    Messages:
    9,160
    Location:
    Briz Vegas
    Yeah but is your uptime on your Linux servers affected by minor patches? ;)
     
  5. cyclobs

    cyclobs Member

    Joined:
    Nov 12, 2010
    Messages:
    561
    Location:
    Wee Waa, NSW
    It's probably not even affected by kernel patches ;)
     
  6. itsmydamnation

    itsmydamnation Member

    Joined:
    Apr 30, 2003
    Messages:
    10,640
    Location:
    Canberra
    My responsibility is network security, that's what I do, so while it's easy to say don't put all your eggs in the network segmentation basket, that basket itself is layered and ideally reaches up into layer 7. Big fan of F5 for consolidating that function, and they are expecting the CC NDPP for LTM/APM/AFM any day now. I have read the TOE and am actually looking forward to it, unlike most TOEs that make admin of a product a nightmare. But now I'm getting off track.

    But here is my big call: if ACI takes off it will be perfect for gateways. Certification of the underlay and control plane will be a bitch, but the fabric is default deny, and by decoupling IP address/VLAN/VRF/etc. from location it is massively powerful for complex dataflow environments.
     
  7. tobes

    tobes Member

    Joined:
    Dec 23, 2001
    Messages:
    3,934
    Location:
    Melbourne
    DISA needs a little more work too. I was getting something off their site yesterday and the SSL certificates are all incorrect!

    Also, my DSL router crashed 3 minutes after accessing the site.......
     
    Last edited: Feb 13, 2015
  8. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    760
    Location:
    ork.sg
    I think the difference of comments is basically restricted to definition of terms, because I agree with what you have said.

    If a host is screwed, and has inter-connectivity generally, you start them all to the bit bucket of doom.
    If they are isolated as you say, I can't imagine anyone wiping them all.
     
  9. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    760
    Location:
    ork.sg

    No, it's you that is incorrect :)

    The DISA system runs its own CA; they issue their own certs, and use internal certs to authorise their users to their site (mutual auth).

    You do not trust their root, hence it looks bad. But in reality, they are trusted, and they trust themselves, which is really all they care about.
     
  10. malbert

    malbert Member

    Joined:
    Sep 19, 2009
    Messages:
    206
    Location:
    Canberra
    You guys are doing it wrong, everyone knows that the security of a DMZ is calculated by 2^n where n is the number of firewall chassis. This is especially true when they allow the same ports/IPs in, you can never have too many bumps in the wire. Only use Tier 1 vendors, only they shield sufficiently from cosmic radiation based outages.
     
  11. elvis (OP)

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    42,502
    Location:
    Brisbane
    Yes, as we reboot to apply new kernels frequently.

    Also when APT patches binaries and libraries belonging to, it restarts them as part of the process. So service uptime is affected.
     
  12. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,227
    I don't trust any of the 'trusted' CAs... but my users' browsers do, and I need the green tick/bar/padlock etc...

    The whole system feels horribly broken to me when the trust is seemingly arbitrary.
     
  13. itsmydamnation

    itsmydamnation Member

    Joined:
    Apr 30, 2003
    Messages:
    10,640
    Location:
    Canberra
    It's the same for a lot of ADF sites: the Defence CA is in the Microsoft cert store but not Apple's.
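Added worked example (not from this thread or any of its posters): a Go program using only the standard library that builds a constructed private root CA plus an unrelated "public" root, issues a site certificate and a user certificate from the private root, and verifies them against different trust stores. It shows the point IACSecurity makes about DISA and itsmydamnation makes about the Defence CA: the same site certificate is "incorrect" to a browser whose store holds only the public root (Apple's store in the ADF case) and perfectly valid once the private root is in the store (Microsoft's), and a server doing mutual auth rejects any user certificate not issued by its own CA. Every CA and host name here ("Private Root CA", "Some Public Root CA", portal.example.test, jane.doe) is made up for the demo; none of this is DISA's or Defence's actual PKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a self-signed root. Every name in this file is constructed for
// the demo; none is a real DISA or Defence CA.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// issue signs an end-entity cert with ca: a ServerAuth cert for the site (name
// becomes its DNS SAN) or a ClientAuth cert for a user (the mutual-auth side).
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string, eku x509.ExtKeyUsage) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	if eku == x509.ExtKeyUsageServerAuth {
		tmpl.DNSNames = []string{name}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// trustedBy does what a browser (or a server checking a client cert) does: chain
// cert to a root held in the given store, checking hostname and key usage too.
func trustedBy(cert *x509.Certificate, host string, eku x509.ExtKeyUsage, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

// verdict reads a result the way a browser warning would: OK, a chain ending at
// a root the store does not hold, or a defect that importing the root won't fix.
func verdict(err error) string {
	if err == nil {
		return "OK"
	}
	var ua x509.UnknownAuthorityError
	if errors.As(err, &ua) {
		return "UNTRUSTED ROOT"
	}
	return "INVALID: " + err.Error()
}

func main() {
	privRoot, privKey := newCA("Private Root CA")   // the site's own CA
	pubRoot, pubKey := newCA("Some Public Root CA") // what a browser ships with
	srv, cli := x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth
	site := issue(privRoot, privKey, "portal.example.test", srv)
	user := issue(privRoot, privKey, "jane.doe", cli)
	outsider := issue(pubRoot, pubKey, "outsider", cli)
	fmt.Println("site cert, store holds public root only:", verdict(trustedBy(site, "portal.example.test", srv, pubRoot)))
	fmt.Println("site cert, private root imported:       ", verdict(trustedBy(site, "portal.example.test", srv, privRoot)))
	fmt.Println("user cert at site (mutual auth):        ", verdict(trustedBy(user, "", cli, privRoot)))
	fmt.Println("outsider's cert at site:                ", verdict(trustedBy(outsider, "", cli, privRoot)))
}
```

Run it with `go run`. Two caveats worth noting from the output: importing the private root only repairs the chain, so a hostname mismatch, expired cert or a client cert presented as a server cert still fails (`verdict` reports those as INVALID, not UNTRUSTED ROOT); and a root imported into a browser or OS store is trusted for every site, not just the one you wanted, so pushing a private government or corporate root to user machines is a decision about who you let issue certificates for the whole web, not just a fix for one warning.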
     
  14. elvis (OP)

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    42,502
    Location:
    Brisbane
    A kind co-worker just revealed to me what happens when I turn my weekly "Command Line Interface Training" into an acronym. :lol:
     
  15. HyRax1

    HyRax1 ¡Viva la Resolutión!

    Joined:
    Jun 28, 2001
    Messages:
    7,922
    Location:
    At a desk
    Time to get some Special High Intensity Training into you then. ;)
     
  16. j3ll0

    j3ll0 Member

    Joined:
    Jul 13, 2005
    Messages:
    4,768
  17. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    13,946
    Location:
    Canberra
    I love Tuesday scheduled meetings.

    C U Next Tuesday
     
  18. cbb1935

    cbb1935 Guest

    Don't you love it when the marketing department of a company doesn't speak to the technical department, and yet promotes something that doesn't technically exist?

    So this industry standard program we use has just released a Filestream feature to shrink down databases. They made a lot of noise about it in a recent newsletter as a new feature in (for example) v8 of their software, and also gloated about the new features v8.1 will bring out when it's released.

    Last week I get another newsletter that v8.1 is being beta tested by certain clients and will be released Q1 or early Q2 in 2015.

    We run v8 of the software.

    So I go to run the Filestream Wizard / conversion, and the first step in their documentation.

    Ermmm okay. So I go to the download portal for the latest publicly available version, and v8 is the latest.

    Called tech support and they confirmed that whilst the feature DOES technically exist in v8, it will not work unless you are using v8.1, and IN FACT it is not recommended to run Filestream on v8, as customers that had done it already had corrupted their databases.

    *slow clap*

    Wow .. just ... W O W
     
  19. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    13,246
    Location:
    Brisbane
    That whole trust system is crazy broken; you can (with a fake identity) buy a code signing certificate and go crazy.

    You forgot to include the Symantec Endpoint update compliance :)
     
  20. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,227
    Reminds me of the Churchill quote

    What do you replace it with?
     
