Slashdot Mirror


The Setup Behind Microsoft.com

Toreo asesino writes "Jeff Alexander gives an insight into how Microsoft runs its main sites. Interesting details include having no firewall, having to manage 650 GB of IIS logs every day, and the use of their yet unreleased Windows Server 2008 in a production environment."

5 of 412 comments

  1. They do use firewall by zukinux · Score: 0, Redundant

    "In terms of how we protect the sites, we utilize (starting at the outside edge of the network and working in):
    1. Cisco Guards for DoS detection and automated response
    2. Router ACLs are in place to block unnecessary ports
    ..."
    That's what a firewall does... and the funniest thing is that this guy doesn't know the definition of a firewall.

  2. A router can be a firewall too by was kroepoek · Score: 0, Redundant

    From TFA:

    At this point we still don't use firewalls for MS.COM sites[...] 1. We don't handle HBI data so we don't have the need for external logging capabilities. If we did handle HBI, we'd have firewalls.
    Can someone explain this please? HBI?

    2. [...] Just IIS logs are a challenge without trying to parse another ~650GB of firewall logs.
    That's a non-argument. I use iptables without the LOG target; why would I want to log packets before dropping them? This would make no sense to me. If I want a NIDS, I'll install a NIDS.

    2. Router ACLs are in place to block unnecessary ports
    Wait a minute, ACLs you say?! Isn't this *exactly* what firewalls are for? Blocking/allowing IP ranges and incoming connections on certain ports...

  3. Re:But generally.. by AmaDaden · Score: 0, Redundant

    First generation - packet filters... it filters each packet based only on information contained in the packet itself (most commonly using a combination of the packet's source and destination address, its protocol, and, for TCP and UDP traffic, which comprises most internet communication, the port number).

    Second generation - "stateful" filters...
    That's from http://en.wikipedia.org/wiki/Firewall. So basically what you and MS are saying is that because the firewall system they have is so outdated you can't even call it a firewall anymore? So is a car without an air conditioner not a car? What about a laptop with no wireless?

  4. Re:Microsoft brainwashing by AK Marc · Score: 0, Redundant

    I read it as "We had to turn them off when we installed everything"

    That's correct. However, something intended to be secure, like a firewall, comes out of the box unable to work at all (well, most of the high-end ones). 100% of all functionality may be installed when delivered/setup, but until manually activated, nothing actually works. I haven't tried the most recent version of IIS, but I'm used to it opening up the services upon install, then giving default "not configured" web pages. That is functionally no better than leaving the services off and is less secure than leaving them off. If it is intended to be "secure" at all, everything would start off (including DHCP client) until someone got on it and configured it. But then, people would complain that it doesn't work out of the box. If you buy a Cisco access point, you'll see that they have big stickers all over the device telling you that it doesn't work. But that was a change from the enabled-as-an-insecure-bridge configuration they came in initially.

  5. Re:But generally.. by cheater512 · Score: 0, Redundant

    Hmm...Is it worth buying Windows 2008 solely to put it on the net without a firewall (as they brag about doing) and then suing them for false advertising when it has porn popups on it 15 mins later?