Domain: f5.com
Stories and comments across the archive that link to f5.com.
Comments · 28
-
This idiot is their own stated problem.
From the piece of drivel written
In other words, the internet economy simply isn’t ready for a scenario where IPv6 is used everywhere and NAT is abandoned. We are stuck with what we have.
That is exactly the crap I hear that stops IPv6 migration. This person literally is the reason why they are lamenting IPv6's slow adoption. But that said, so we have this technical argument for why the "web" is dying, even though it's an Internet argument. But let's backtrack to this little gem.
The advent of NAT routers also allowed for that intermediate computer to become a guardian and protect other computers from some dangers of the open internet.
If that's what you are doing, you are doing it mostly wrong. That's not a function of NAT, that's a flipping function of *routing*. You can literally have all kinds of globally addressable IP addresses on systems, connect them, and then have 100% of them respond to 0% of the incoming requests. You literally do not need NAT for that and if that's the sole reason you are using NAT (to be more secure), you more than likely shouldn't have your job. That's not saying NAT doesn't have a place or anything, but that is me saying that if your rationale is solely for security, you will find lots of folks that will tell you otherwise. Again, NAT has a place, time, and use, but this person writing the piece is missing every single point of that. Now I know everyone is going to foam or spout with their opinion on NAT, but you have to snap out of it because, remember these are "Internet" issues not "web" issues and as you keep reading, if you aren't keeping that point in your head, you'll just get sucked into this argument of "NAT is awesome v. F*** NAT!" So I digress, let's actually continue.
It also meant that some computers were first-class citizens on the internet, while other computers were subordinates. In addition, the scarcity of IP addresses caused them to be considered valuable assets, and so it became a business opportunity. IP addresses are being sold so that some computers can become first-class citizens on the internet.
I had no actual problem with this point until that last part I highlighted. That's when my brain snapped out of it and was like, "Wait, this has absolutely nothing to do with why Facebook, Google, et al are these massive black holes." This person is literally making this overly complicated, but weak attempt to dumb down an argument about the web, on technical merits that have nothing to do with what reasonable people would call "the web". And that point became even more clear here.
As a consequence, the internet has allowed intermediate computers to rule. These are like parasites that have grown too large to remove without killing the host. The technical flaw that favored intermediate computers prefigured a world where middlemen business models thrive. Google and Facebook connect consumers with advertisement publishers and charge fees for each ad.
Oh Mother of Stars that's eight hundred times pi radians of all kinds of wrong!! IPv4's shortcomings have **NOTHING** to do with why the big boys on the Internet are who they are. It is at this point your brain should be saying, "This person has about as much clue as to what they are saying as a canine on the ISS has of managing the station." I assure you it does not get better as it goes.
Novel peer-to-peer protocols such as IPFS and Dat help replace HTTP and make the web a content-centered cyberspace. This way the link to an image can be something like QaPdNnDWRLF1b — a so-called hash of the image, summarizing it — instead of mywebsite.com/pic.jpeg so that even if mywebsite.com servers are removed,
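The comment above argues that keeping unsolicited traffic away from hosts is a routing and filtering function, not something NAT provides. As an added illustration (not code from the commenter or from any product on this page), here is a small model of a stateful packet filter in front of hosts that all carry globally routable IPv6 addresses from the documentation prefix: addresses are never rewritten, replies to connections the inside hosts opened are allowed back in, an explicitly published service is reachable, and everything else inbound is dropped. The `Packet` and `StatefulFilter` names and the sample traffic are constructed for this example.

```python
"""Stateful ingress filtering without any address translation (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """One packet, identified by its 5-tuple. Constructed for this example."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

    def key(self):
        return (self.src, self.dst, self.sport, self.dport, self.proto)

    def reverse_key(self):
        # The 5-tuple of the flow this packet would be a reply to.
        return (self.dst, self.src, self.dport, self.sport, self.proto)


class StatefulFilter:
    """A connection-tracking filter: no NAT, just 'accept' or 'drop'."""

    def __init__(self, inside_prefix, allow_inbound=()):
        self.inside = ip_network(inside_prefix)
        # Services deliberately published to the world: (dst, dport, proto).
        self.allow_inbound = set(allow_inbound)
        # Flows opened from the inside, so their replies can come back.
        self.conntrack = set()

    def _is_inside(self, addr):
        return ip_address(addr) in self.inside

    def process(self, pkt):
        """Return 'accept' or 'drop'. The packet's addresses are left untouched."""
        outbound = self._is_inside(pkt.src) and not self._is_inside(pkt.dst)
        inbound = self._is_inside(pkt.dst) and not self._is_inside(pkt.src)
        if outbound:
            self.conntrack.add(pkt.key())  # remember the flow, nothing is rewritten
            return "accept"
        if inbound:
            if pkt.reverse_key() in self.conntrack:
                return "accept"  # reply to a connection an inside host initiated
            if (pkt.dst, pkt.dport, pkt.proto) in self.allow_inbound:
                self.conntrack.add(pkt.key())  # published service, track it too
                return "accept"
            return "drop"  # unsolicited: the host is routable but does not answer
        return "drop"  # traffic that is neither inbound nor outbound is not forwarded


def demo():
    """Constructed traffic through the filter; returns the verdict per case."""
    fw = StatefulFilter("2001:db8:1::/64",
                        allow_inbound={("2001:db8:1::80", 443, "tcp")})
    return {
        # Unsolicited connection attempt to a globally addressable host: dropped.
        "unsolicited": fw.process(Packet("2001:db8:ffff::bad", "2001:db8:1::10", 40000, 22)),
        # Inside host opens a connection out: accepted and tracked.
        "outbound": fw.process(Packet("2001:db8:1::10", "2001:db8:ffff::1", 51000, 443)),
        # The reply to that connection comes back: accepted because it is tracked.
        "reply": fw.process(Packet("2001:db8:ffff::1", "2001:db8:1::10", 443, 51000)),
        # A deliberately published service is still reachable from anywhere.
        "published": fw.process(Packet("2001:db8:ffff::bad", "2001:db8:1::80", 40001, 443)),
        # Same remote host retrying an unpublished port: still dropped.
        "retry": fw.process(Packet("2001:db8:ffff::bad", "2001:db8:1::10", 40002, 22)),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:12s} {verdict}")
```

The point the model makes is the one the comment makes: the inside hosts keep their public addresses end to end, and what protects them is the default-drop policy plus connection tracking, which a real packet filter (nftables, pf, a hardware firewall) applies the same way whether or not translation is configured.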
-
G2O to the rescue
The only way to get around a bunch of these major attacks is by requesting new IPs for your servers and trying to mask those from being leaked.
If you use Akamai, you can turn on the G2O feature and configure your servers to check for it. Apache, Nginx, F5 load-balancers, IIS, and Varnish all have extensions to support it (though the last one is not, unfortunately, open-sourced — for purely bureaucratic reasons, I might add).
Then, even if the enemies find your origin, all their hits will cost you is computing a digest of the requested URI and issuing a 403 or whatever — no file-lookups, no database-lookups, very little bandwidth. I suppose, your server can still be punished, but it certainly raises the bar quite a bit for any attacker.
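The comment above describes the origin-side check: the edge sends a keyed digest over the requested URI, and the origin recomputes it and answers 403 on mismatch before doing any file or database work. The following is an added example of that pattern, not code from the commenter and not Akamai's actual G2O format; the header names, the auth-data layout (timestamp plus nonce), the HMAC-SHA256 construction and the 60-second freshness window are all assumptions made for this illustration.

```python
"""Origin-side verification of a CDN-signed request header (added example)."""
import hashlib
import hmac
import secrets
import time

# Assumed header names for this example; not Akamai's real header names.
AUTH_DATA_HDR = "X-Edge-Auth-Data"
AUTH_SIGN_HDR = "X-Edge-Auth-Sign"
MAX_SKEW_SECONDS = 60  # assumed freshness window to blunt replay of captured headers


def sign(secret: bytes, auth_data: str, uri: str) -> str:
    """HMAC-SHA256 over the auth data and the requested URI, hex encoded."""
    return hmac.new(secret, (auth_data + "\n" + uri).encode(), hashlib.sha256).hexdigest()


def edge_headers(secret: bytes, uri: str, now=None) -> dict:
    """What the edge node would attach to a request it forwards to the origin."""
    ts = int(time.time() if now is None else now)
    auth_data = f"{ts}.{secrets.token_hex(8)}"  # timestamp plus per-request nonce
    return {AUTH_DATA_HDR: auth_data, AUTH_SIGN_HDR: sign(secret, auth_data, uri)}


def origin_check(secret: bytes, headers: dict, uri: str, now=None):
    """Return (status, reason). Every 403 path costs one HMAC at most: no lookups."""
    auth_data = headers.get(AUTH_DATA_HDR)
    given = headers.get(AUTH_SIGN_HDR)
    if not auth_data or not given:
        return 403, "missing edge headers"
    ts_str, _, _nonce = auth_data.partition(".")
    if not ts_str.isdigit():
        return 403, "malformed auth data"
    current = int(time.time() if now is None else now)
    if abs(current - int(ts_str)) > MAX_SKEW_SECONDS:
        return 403, "stale auth data"
    expected = sign(secret, auth_data, uri)
    # Constant-time comparison so the check does not leak the digest byte by byte.
    if not hmac.compare_digest(expected, given):
        return 403, "bad signature"
    return 200, "ok"


def demo():
    """Constructed requests against the origin check; returns status per case."""
    secret = b"constructed-shared-secret-placeholder"  # real deployments keep and rotate this
    uri = "/images/pic.jpeg"
    now = 1_700_000_000
    good = edge_headers(secret, uri, now=now)
    forged = {**good, AUTH_SIGN_HDR: sign(b"guessed-wrong-key", good[AUTH_DATA_HDR], uri)}
    return {
        "valid": origin_check(secret, good, uri, now=now)[0],
        "direct_hit_no_headers": origin_check(secret, {}, uri, now=now)[0],
        "signature_reused_for_other_uri": origin_check(secret, good, "/admin", now=now)[0],
        "forged_with_wrong_key": origin_check(secret, forged, uri, now=now)[0],
        "replayed_after_an_hour": origin_check(
            secret, edge_headers(secret, uri, now=now - 3600), uri, now=now)[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:32s} {status}")
```

Two details worth keeping when adapting this: the signature must bind the URI (otherwise a captured header works for any path), and the timestamp check is what turns a leaked header into a short-lived one rather than a permanent key to the origin.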
-
Re:Fix is here
Or here: https://f5.com/
-
Not new
F5 has been doing this for some time now.
A part of their Application Firewall will inject a javascript into HTTP requests if it suspects the access pattern is suspicious for any website it is protecting.
This javascript will then check for mouse movements and a few other things.
-
Re:What about pipelining and keep-alive?
Browsers and servers almost all use persistent connections these days and have since at least the early 2000s. SPDY doesn't claim to do anything with this (the summary above is incorrect). SPDY does, however, implement several features of "pipelining" but in a more elegant manner. There are a host of issues with pipelining on the server side (it is a security risk, a description of why is here). SPDY effectively implements pipelining but without the associated security risks. It also implements more advanced features that allow the server to push data to the client without the client requesting it.
-
Re:Charge both ways!
Just googled it - if Amazon were using F5, F5 don't know about it. And even if the original design was just using spare capacity, that simply is not the case now (after all, that would imply that if Amazon itself needed to ramp up demand it could - and would - simply annex the entire EC2 capacity to cover it. This is, obviously, not the case).
-
Not surprised by this figure
There are a number of tools available to analyze how NAS is being used. Here's one free tool--I'm sure there are others, too. http://www.f5.com/products/data-manager/
-
Re:They should have found a more appropriate charg
She wouldn't be 'walking' for very long if I or a great number of other people
I can see why you couldn't beat up a woman on your own.
-
Re:What about their work desktop policies?
I use one of these devices that establish an SSL VPN connection. It does install some components onto your computer through IE (also I believe it requires IE). These devices also let you log into the interface and then can present a Terminal Services session to any computer inside the web page of the FirePass device.
-
Enterprise solution
When I get this question, I usually suggest an F5 Link Controller ( http://www.f5.com/products/big-ip/product-modules/link-controller.html ). This is a pricey solution, but I would say it is best of breed for load balancing multiple internet links.
-
Re:I work in Canada
It works fine for me
... just tested it again, but don't bother trying to ping it. It's sitting behind one of these. Who knows - maybe they're blocking access from certain countries/IP blocks?
-
Wrong way round
Product placement is, at best, a necessary evil to fund content that is expensive to produce. Normally, product placement is worth the effort because the content is very popular - for example, the promotion of brands like Apple and Cisco in 24.
The significant point, however, is that the show comes first. By reversing the creative process and using product promotion as a starting point, not only is the quality of content likely to suffer, but the effectiveness of the advertising along with it.
What's worse, it seems these plans will give the brands involved an unprecedented level of influence over the content. From TFA: [It will be] a unique way of giving brands a seat at the table with writers and producers in developing episodic programming that ties directly to brand needs
-
geographical load balancing
A geographical load balancing solution, such as Coyote Point's Envoy or F5's Global Traffic Manager. Very expensive though.
-
Why is this news?
I don't understand why this is being portrayed as something "new" to IT. I work for a medium-sized company, and we have been doing this for nearly 5 years. There are a slew of vendors in this space including F5 Networks, Citrix, Sun, and Microsoft. The technology works by installing the SSL certificate onto the appliance rather than the server. If designed correctly, this is no less secure than the conventional model, and can save significant processing load on web servers.
-
Re:Umm...what stigma?
I am sorry, I deal with web developers where I work, xNIX and Microsoft. I just finished an argument with a Microsoft web developer of why DNS could not change the port numbers in a URL. I get this all the time. Some of these developers are dumb as nails.
You so need one of these. I've been able to pull miracles using Big-IPs (mainly fixing the mistakes of our Windows-loving web developers and product teams). If you've got it fronting all of your services, you can even change the port numbers in your URLs...
-
Web optimization techniques
Web developers would do well to study existing web acceleration products to see how they work -- they go far beyond gzip and many of their optimizations can be implemented locally.
E.g., Cisco's AVS (formerly Fineground): http://www.cisco.com/en/US/products/ps6492/products_white_paper0900aecd80321a32.shtml
- implements the multiple DNS name solution suggested by Mr Hopkins
- has a clever way of eliminating browser cache validation requests
- has a mechanism to transparently measure actual (not simulated) user page load times
- Juniper's DX series (formerly Redline): http://www.juniper.net/solutions/literature/white_papers/200142.pdf
- The same is true for F5's web accelerator (formerly Swan): http://f5.com/solutions/technology/pdfs/smartcaching_wp.pdf
-
Re:F5?
I just checked their specs (warning - pdf) and their current bottom of the line box is a pure PC. No ASICs. I don't think they had any ASICs 7 years ago, although I cannot confirm that.
-
I used to come to /. for...
... basic tech news feeds and somewhat insightful analysis/gems posted by the commenters. Even after moderation was added and the site grew, you would still see a vast majority of commenters posting things like
"The Internet treats censorship as damage and routes around it."
or
"The Internet is founded on peer sharing arrangements and it's technically difficult and economically impossible to implement a different system and have anything beyond Compuserve circa 1991."
Or perhaps some detailed links on why bandwidth restriction costs more. Like Andrew Odlyzko's paper...
http://www.dtc.umn.edu/~odlyzko/doc/privacy.economics.pdf
or these other ones which may also help people gain understanding of the issue.
http://www.sobco.com/presentations/ngn.09.12.05.pdf
http://www.f5.com/solutions/technology/bandwidth_myth_wp.html
But we didn't get that here. Instead, we got a bunch of people yelling at each other about things they simply have no understanding of. This goes for the lawmakers, the journalists, and almost every single comment posted here.
Unless you have a copy of W. Richard Stevens' TCP/IP Illustrated on your shelf and understand the difference between a Tier 1 ISP and a Tier 2 ISP, it is simply impossible for you to understand what this supposed "debate" is about. Stop posting on here about it and do some basic RESEARCH! You know... the thing you do when you are reading something not written by a journalist or political hack from either US party?
To those rare comments that helped, keep up the good fight!
To the rest, know this. If you feel compelled to talk to a lawmaker, just tell them to stay out of these pissing matches that have been going on for a LOOOOOONG time now. Lawmakers are simply not smart enough to understand the problem or help in any meaningful way.
-
here's a device that does just that:
It's expensive, complex, and will take at least a week to set up, but one of these will scrub all traffic for things like SSNs and other pattern-matchable data inside HTTP packets and other TCP traffic.
-
Use a forwarding server on the front end
I would recommend RadWare http://radware.com/ or f5 http://f5.com/ to load balance the traffic to multiple IMAP and/or POP back end servers.
You can even cluster the load balancers...
-
TraficShield
http://www.f5.com/products/TrafficShield/
App Security
TrafficShield® is a web application firewall that provides comprehensive, proactive, network and application-layer protection from generalized and targeted attacks by understanding the user interaction with the application firewall. TrafficShield employs a positive security model ('deny all unless allowed') to permit only valid and authorized application transactions, while automatically protecting critical web applications from attacks such as Google hacking, cross-site scripting, and parameter tampering.
-
Re:1 reason vista will suck
I can pretty much guarantee that no freeware developer or OSS project can or will support a $500/year certificate that has to remain secret or be revoked.
There are many OSS projects that can pay $500/year for a cert. It just seems stupid to pay that. Linux, apache, freebsd, tons of other OSS projects can and would pay for it if it were worthwhile.
Remaining secret? Public keys are public; all public/private key pairs are basically the same: you keep your private key private, preferably on a tamperproof hardware device that zeros out the data on intrusion. Something like this, or some other FIPS compliant device.
Cheers!
-
Depends whether you want to pay for it . . .
If I understand you correctly you are looking for a F/OSS project to do what you are after.
However if you do actually have a budget to spend have a look at the 3DNS product from F5 Networks. It does the failover you describe and although it works better if it is interacting with F5's server load balancing product, it can still monitor and react to standard web servers becoming unavailable.
-
Clustering software or management software?
If you are looking for software to create a cluster, there are several, depending upon what type of cluster you are trying to create. If you are creating a service-based cluster, check out TurboLinux Cluster Server, Linux Virtual Servers, PolyServe Understudy, and Legato. There are many others available, including hardware solutions from Cisco, F5, and Alteon. I'm not too familiar with Beowulf-type clusters.
If you are looking for software to manage groups of systems, that's a whole different story. You might look into Enlighten DSM, Tivoli, or OpenNMS. I'm sure there's a lot of competition in that field as well, but I don't have any experience with those products.
-
F5 BigIP
Worked on a project recently that used all open-source.
There's a company by the name of F5. They have a box called BigIP which will do load balancing and failover. It will even failover an active telnet (ssh) session!
Pretty sweet, and you don't have to have two cards chained together as one and whatnot. Each box has its own, and you have one live and one hot-backup, or you can load-balance between the two, whatever.
The BigIP boxes are based on BSD so that's definitely a plus.
-Diggem
-
Here's how I do it...
For case 1, let's assume a complete Linux front-to-back solution, with as much free (or mostly free) software as possible:
Needed Software Components:
1. Favourite Distro of Linux
2. MySQL or Postgres Database (personal pref is for MySQL... not going to get into the pros and cons here...)
3. Dynamic Web-Scripting Language (PHP, Perl, whatever... personal pref for this kind of thing is PHP... again, I'm not debating at the moment...)
4. Linux Virtual Server Project - very solid load-balancing from my experience. Don't know how it compares with the appliances on the market... but it's still solid.
5. HA/Redundancy software (Linux HA project isn't quite there... but they're getting close... there are some commercial packages available - one that's free for non-profit use - http://www.high-availability.com
Hardware:
NB: For maximum up-time I recommend systems with redundant hardware (backup power supplies, dual NICs, and RAID arrays)
1. Firewall/Load-balancer - preferably using HA/Redundancy software on two machines... Mirrored (RAID 1, right?) boot/system hot-plug drives are a good idea.
2. Web-farm - up to X systems (where X+1 breaks your budget... ;) ) load balanced with Virtual Server Project. For a reasonably heavy duty method of doing this relatively cheaply, see Cubix and their "density" series... up to 8 servers in a single box... with hot plug everything. RAID isn't as necessary here... as the systems themselves are effectively your RAID...
3. Database system - again preferably an HA/Redundancy cluster for maximum availability. I recommend a mirrored boot/system disk again, with a RAID 5 array (or RAID 5+5 - mirrored RAID arrays) for speed and maximum availability... highest RPM drives you can afford can help here a lot for speed, too.
4. 100BaseT Switch for maximum throughput. Personal preference is for Cisco but your budget dollars may vary.
5. I've mentioned RAID a couple of times... you can get SCSI and IDE RAID these days (SCSI being more common)... the cheapest/fastest one I've seen is from Raidzone - very nice, check them out (up to 15 40 GB hot-plug IDE drives in one array, with a very high throughput). You can also do software RAID, taking a performance hit, but saving coin...
Case 2 assumes that you don't mind using some commercial stuff... and have a bigger budget:
1. Replace Virtual Server with an appliance. (Alteon, F5 and Cisco all make good products... presently my preference is with F5's BigIP.)
2. Replace the built-in Linux firewall with Checkpoint's Firewall-1 running under Linux - or an appliance firewall; a Cisco PIX is very nice, and has very high throughput. The Nokia appliance running Checkpoint and a BSD bastardisation is quite nice.