The Network Appliance also has a large DRAM Cache from 512MB 1 or 2GB on their latest released products.
The benefit of having an NVRAM write cache is that there is no requirement for a backup power source in the event of a loss of power. One can also cluster NetApp filers as well as have synced read-only volumes on other filers.
I wouldn't like to get into a heavy debate of EMC vs. Network Appliance other than to say that one can run a database application doing I/O over a network. One has to have a really good network though. Your Symmetrix is going to be FC connected to your hosts. In my application the Network Appliances are connected to the hosts via Gigabit Ethernet. The max speed of both media is 1Gbps. Granted there's going to be protocol overhead with the NetApp that would cause one to get less performance all other things being equal, except maybe cost. The EMC is going to cost 3x more.
Network Appliance has been doing this on their filers for many years now and it works very well. Although I would question using DRAM for the purpose. How would one know when their battery has failed? NetApp uses 32MB of NVRAM and a lot of other fairly commonplace technology in an interesting fashion that results in a very very fault-tolerant piece of hardware. I have a 600GB Filer (limited to 200GB volumes for back expediency) that I can pull the plug on at any time without damaging the filesystem. As a matter of fact, I have done this on occasion. Boots take a few minutes regardless of how the filer was downed.
"...they have a list a mile long of people to take your place."
I would recommend not taking employment as a ditch digger. Are you familiar with the concept of supply and demand? It's a fairly simple capitalist concept, it works like this: The more things are in demand, the greater the cost. The less things are in supply, the greater the cost. People with skillsets that are in small supply and great demand have an easy time of it when looking for a job. It is the responsibility of the individual to develop his skills such that they are a salable product in a capitalist environment.
For myself, I could be on the verge of death with some highly communicable disease and still wouldn't have a problem finding employment in today's market.
As an employee at a large corporation and also a potential employer I only have one thing to say to this, "huh?" I just don't see this as being a problem. The article uses statements like, "A 1999 survey by the American Management Association found that 30 percent of large and midsize companies sought some form of genetic information about their employees, and 7 percent used that information in awarding promotions and hiring. " I'm wondering what they consider to be "some form of genetic information"? I would imagine it would be questions about race, or gender.
To be honest, based on the evidence presented, I really don't see this as an issue. One lady believes she was discriminated against because of her genetic condition. This may be true but a single instance is not really a cause for concern. The evidence pointing towards genetic discrimination is anecdotal and unconvincing. How would an employer benefit from discriminating against a person based on some predilection for genetic disorder? What possible financial benefit would an employer see by denying himself the opportunity to hire a potentially productive individual? The only possible explanation could be employee turnover. Granted, employee death is one cause of turnover, but I would imagine it is far less likely to occur, even in the face of a possible genetic disorder, then other causes of turnover.
Please explain to me why a company in the business of developing software is a "scumbag company" for charging money for software that they've funded the development of? The possibility that they might give a product away for free seems counterintuitive. This is a fairly common thing within a capitalist system. A company makes something, and then they sell it at a profit and make money. Seems logical, eh? Especially if you want that thing to continue to be made. I like that a whole lot better than, "company makes something, gives that thing away for free and then goes out of business because they didn't make any profit."
If one looks at the past history of Miramax one will realize that they exhibit some semblance of concern about the "art" that they produce. I think that it's less about money and what the customers want and more about artistic value. I believe that in this case someone convinced them, and it shouldn't have been hard, that the film would have more artistic value if it came with the Japanese language track.
Harvey Weinstein and his brother have done a fine job with Miramax. They've released a lot of good material and have fought against corporatism. Unfortunately Disney bought Miramax and I imagine that they probably regret it after all the problems that Harvey has caused them. In the case of Kevin Smith's "Dogma" they lost to Disney, so the Weinstein's put the film out with money out of their own pockets. In my opinion, the change by Miramax is nothing more than a testament to the attitude and culture that the Weinstein's have fostered within the organization. For more of a taste of Harvey Weinstein's attitude read this 1999 Interview by Roger Ebert.
1. 3ivx is not Open Source yet, but they hope to make the decoder OSS eventually.
How do you know this? Do you have some sort of information that we don't?
Have you checked the site? There is no source, therefore the product is not open source. They can trumpet and wave their hands in the air all day long claiming to be OSS, but until the release the source, they aren't.
The same goes for Project Mayo being vaporware. Announcing a piece of software that doesn't exist yet is vapor. They may fully intend to eventually release a piece of software, but there are many cliche's that tell you the value of good intentions.
I became excited when I saw this story, I became disappointed when I went the the site and couldn't find source code. Maybe someday there will be a good OSS MPEG4 Codec.
Right, and I don't know of any tier 1 ISP that would be actually implement this. There is just too many ways that this could hurt the ISP. I can believe that above.net used MAPS to block spam by implementing the RBL on their mail servers, but I just don't think there's anyway they would've blackholed this traffic, particularly to their transit customers. Their customers would be paying them to give them the whole Internet and probably wouldn't be too pleased to learn that they were blackholing traffic on the advice of some third party.
IIRC Theo was contracted to do the mvme68k port. Some commercial entity needed *nix for their industrial computers and funded the development. So, I imagine that if feature "foo" was interesting enough, it could be paid for. Theo has stated himself that many people are using OpenBSD for commercial applications, particulary embedded systems and such. I know for a fact that Network Flight Recorder uses OpenBSD. I've seen very little anti-commercial attitude among the developers on the mailing lists. However, Theo has expressed his displeasure at the corporatism and market hype revolving around FreeBSD and Linux and how the design goals and development of OpenBSD will continue without corporate influence.
Earlier in the year it was announced that SMP support was being developed. On the web site it states, "SMP (Symmetric MultiProcessor) support is not yet in OpenBSD, but there exists a project, started in February 2000, to bring said support to at least the i386 and sparc platforms." What is the current status of SMP and are you targeting a specific release for it?
When did human life become so precious in the first place? You make a fine logical deduction, "Whenever that embryo becomes a human being, logically ending that life after that point becomes murder." I support your deduction and will suggest a fine point for separation. An embryo becomes a human being once it is born and is merely an embryo that relies on the host for survival up to that point. That solved the argument. I think I'm going to go get an abortion now.
I would happily let you plug a box into my network and put it into promiscuous mode. You would see broadcast and multicast traffic only. Shared media is obsolete, which is why this concerns me so greatly. If there is a requirement to have *all* the traffic at an ISP pass by this one box that will seriously limit the ability of that ISP to scale their network. I would hazard a guess at this point in time and say that it only monitors the traffic bound for the MTA for that particular ISP. That being the case, I would recommend only forwarding mail through a trusted MTA.
In spite of this announcement, the people at Sun aren't brain-dead. They purchased Cobalt to gain an entry into a specific market. That market being low-priced rack-mounted servers. What would be the point of buying yourself into a market and then raising prices to push yourself right back out. Sun already has a high-priced 1u rack-mounted server, it's called a Netra T1. Properly configured they go for about $10k.
Also, I challenge you to show me how Sun could possibly "close" the architecture of these boxes? Linux binaries wouldn't run on the same box with Solaris, but that's about it. Most Linux binaries aren't compiled for ARM architecture anyway, so back when the raq was ARM you couldn't run x86 binaries then either. Nothing's stopping you from getting gcc and compiling your own versions of any of the great software out there that comes in source form. I run several Solaris boxen and there's not much good about Solaris beyond the kernel. When I get a new box, I put gcc on it, and replace most of what comes with Solaris with the equivalent gnu alternatives that just happen to be much better (I like tar xvfz!).
An another note, can someone explain to my why xfree86 supports solaris x86 as well as linux on sun hardware with creator 3d cards but *not* solaris on sparc? That's just innane. Even more so is Xsun, man that X server blows goats.
IANAL but I am a network engineer at a "Tier 1" ISP. This article is a joke. It's very clear that the author doesn't understand what he's writing and is most likely simply regurgitating marketing materials being fed to him from the company that is the subject of the article. They are bleeding money and would probably like their stock price to go up.
The most obvious error is that OC-3 is not 622Mbps, it is 155Mbps. OC-12 is 622Mbps.
How do you think InterNAP gets the 11 major backbones to honor BGP local prefs? Very simply, InterNAP establishes a BGP peering session between its router and one of the routers of the ISP that it is purchasing service from.
Is the software they use revolutionary? Perhaps, but I also know of a major Tier-1 provider that uses some clever software to re-compute static routes for every router on their network every single night rather than use a proper IGP like OSPF or IS-IS. Unfortunately this software is so clever that no one completely understands how it all works. Except for that guy that did the clever bits, and he's long gone.
In the end, InterNAP is very simply a hosting provider that instead of being multi-homed to a couple of ISPs is multi-homed to 11 ISPs. They are doing nothing different than anyone else on the network. Hell, if they convinced all those backbone providers to use MPLS and used that to shunt the traffic to them, I would be impressed. They're just using the same old BGP4 that everyone else is using (Cisco's).
It is a secure server, what you missed was hlds_l (half-life dedicated server for linux) running on port 27015. Nmap doesn't scan that high by default. Hlds_l is not running as root and is as secure as I can make it in this environment. The point that I'm trying to make is that I'm only explicitly running the services that are needed, I understand what services are needed, and what the security implications are by running those services.
from http://www.ietf.org/i nternet-drafts/draft-manning-dsua-03.txt 169.254.0.0/16 has been ear-marked as the IP range to use for end node
auto-configuration when a DHCP server may not be found. As such, network
operations and administrators should be VERY aggressive in ensuring that
neither route advertisements nor packet forwarding should occur across
any media boundaries. This is true for the Internet as well as any
private networks that use the IP protocols. End node administrators
should be aware that some vendors will auto-configure and add this
prefix to the nodes forwarding table. This will cause problems with
sites that run router discovery or deprecated routing protocols such as
RIP.
Definitely not geek enough. My girlfriend and I have roughly 8 computers on fast ethernet with a DSL connection. A couple of Windows boxes, a G3 Mac, an old Mac running OpenBSD, an x86 running OpenBSD, an x86 running Linux, an x86 laptop running Linux, another x86 laptop dual-booting linux and windows, a sparc5 and a dual-processor sparc10 running Solaris, there's also the HP LJ5 with an ethernet port and it's all on 100BaseTX switched. Oh, and there's some fddi too. All that might be somewhat geek enough. I have a friend that needs 3-phase power for his IBM ES9000 Mainframe that I suspect he'll put right next to his Dec PDP-8. That, my friend, is geek enough.
Ok, admittedly, I'm not all that up on MIPS hardware. However I am quite aware of how badly both sparc and alpha architecture suck when compared directly with P3s at high speeds. I know a p3/500 smokes an ultrasparc 440 when it comes to server web pages (similarly configured machines, similar amounts of memory, same drive hardware). And Network Appliance went with x86 in their new F840 and apparently doubled their performance with a P3/800 over an Alpha AXP21264@750Mhz in the F740.
Well, I had a user at one of my sites today get DDoS'd of the Internet. As a matter of fact, we were receiving so much traffic my firewall at that site choked. I got a couple of packet traces. Basically it was a bunch of tcp syn packets going to random port numbers. I started nmapping the source addresses to determine if they were real or spoofed (spoofed source addresses typically consist of a lot of invalid addresses that don't actually exist on the Internet). It turns out that 80% of the source addresses in question responded to ping. After nmapping a few of them I came to realize that they were all Linux boxes. Here's the results of one:
turmoil# nmap -sS -O 216.17.xxx.xxx
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on xxx.dsl.frii.net (216.17.xxx.xxx):
(The 1506 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
79/tcp open finger
80/tcp open http
110/tcp open pop-3
111/tcp open sunrpc
113/tcp open auth
143/tcp open imap2
511/tcp open passgo
514/tcp open shell
515/tcp open printer
1023/tcp open unknown
1024/tcp open kdm
3306/tcp open mysql
TCP Sequence Prediction: Class=random positive increments
Difficulty=1200108 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.14
Nmap run completed -- 1 IP address (1 host up) scanned in 54 seconds
Now, I don't know how you would assess the skills of this particular administrator, but as for me, I would say that he is a completely and totally ignorant and most likely stupid to boot. What kind of kneebiter actually puts a box like this in the wild? Ok, here's a little contrast. I'm running a counterstrike server on a generic install of Redhat 6.2. Here's the results of an nmap:
turmoil# nmap -sS -O 206.173.xxx.xxx
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on ahl (206.173.xxx.xxx):
(The 1522 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
TCP Sequence Prediction: Class=random positive increments
Difficulty=2103891 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.14
Nmap run completed -- 1 IP address (1 host up) scanned in 22 seconds
That's it. Imagine that, a secure Linux box. What a novel concept. The key difference between *nix administrators and NT administrators is that *nix is designed to be remotely accessible thereby making it more subject to remote attacks. It is also possible to secure *nix. NT on the other hand is traditionally not as remotely accessible, which I think prevents it from being more of a platform for this sort of behaviour. However, if there's a security weakness, it's usually in there for a good long while and on top of that, it's difficult as hell to secure.
IOS does NAT and packet filtering pretty well. The only difference between IPNat, IPFilter and IOS is that IPFilter is stateful. Mind you, I love stateful packet filters and think it's the greatest fucking feature in the world, it's still not much of a difference. Oh, wait, IOS does have a "firewall" feature set that is stateful, so nevermind. When is Linux going to get stateful packet filtering?
1) Cisco hardware is extremely trustworthy, much more so than the generic PC. Good telecommunications equipment (routers, muxes, DSUs)will run for decades in poorly ventilated dusty closets without any hardware maintenance at all.
Some of it is, some of it isn't. You're just as likely to get bad hardware from Cisco (if you can stand the lead times) as you would from any other manufacturer. Personally, I don't trust it, which is why most people use redundant systems anyway.
2) Router hardware boots fast. WAY fast. Iff it has a decent operating system. This is important in real life because even UPSes are really uninteruptable.
I'm sure you mean "interruptible". Router hardware does not boot way fast, in fact it doesn't boot very fast at all. Some of it is faster than others. I have a 6509 that takes a minute or more to boot, granted that's a switch, but still. Foundry was in here the other day and one of their selling points was, "we boot faster than Cisco."
3) Routers (though not the 2500) typically have ridiculously fast RAM for packet buffering. If linux can get Cisco-7000 class throughput on Pentium III hardware, think what it could do on a real router!
Uh, 7000s suck, and don't exist anymore. 7200s are ok, but are still slow as hell (~200,000pps with a NPE300 and a VXR). 7500s suck pretty badly even with the brand spanking new VIP4/80(~180,000pps per card). Unfortunately they are good for routing and Intel P3s aren't. Trust me, you can push way more packets through a 1Ghz P3 with a good NIC than you can through a 7500. If you need real connectivity OC-3+ you'll have to step up to a the 12000 series which will give you a three port gigabit card for roughly $79,000 that can do line-rate (almost, except for itty-bitty packets). 3GE-GBIC-SC GSR12000 three-port GE line card $79,000.00
And that's just the interface card, that doesn't include the $200k for the rest of the router. 4) All software can become obsolete, due to lack of compatability with the real world (what do you mean we need NAT? We didn't need it yesterday!) or penetration (huh? our version of IOS is vulnerable to a script that's all over the net?) or various other reasons. Router software updates are EXPENSIVE!!! Trust me, I have "SmartNet Maintenance" from Cisco not because the hardware ever fails (it doesn't) but because it gives me access to the IOS download site for a single yearly fee. Linux updates are FREE.
Hah! What are you smoking? Cisco Hardware fails pretty regularly, trust me. That's why I have 24x7x4 onsite. I could check CCO but we probably have a couple of hundred RMAs in the last few months. Oh, and having access to IOS is nice too.
Slashdot Mirror
Happy New Year/Century/Millenium
How many surrealists does it take to change a lightbulb?
...Fish!
The Network Appliance also has a large DRAM Cache from 512MB 1 or 2GB on their latest released products.
The benefit of having an NVRAM write cache is that there is no requirement for a backup power source in the event of a loss of power. One can also cluster NetApp filers as well as have synced read-only volumes on other filers.
I wouldn't like to get into a heavy debate of EMC vs. Network Appliance other than to say that one can run a database application doing I/O over a network. One has to have a really good network though. Your Symmetrix is going to be FC connected to your hosts. In my application the Network Appliances are connected to the hosts via Gigabit Ethernet. The max speed of both media is 1Gbps. Granted there's going to be protocol overhead with the NetApp that would cause one to get less performance all other things being equal, except maybe cost. The EMC is going to cost 3x more.
Network Appliance has been doing this on their filers for many years now and it works very well. Although I would question using DRAM for the purpose. How would one know when their battery has failed? NetApp uses 32MB of NVRAM and a lot of other fairly commonplace technology in an interesting fashion that results in a very very fault-tolerant piece of hardware. I have a 600GB Filer (limited to 200GB volumes for back expediency) that I can pull the plug on at any time without damaging the filesystem. As a matter of fact, I have done this on occasion. Boots take a few minutes regardless of how the filer was downed.
"...they have a list a mile long of people to take your place."
I would recommend not taking employment as a ditch digger. Are you familiar with the concept of supply and demand? It's a fairly simple capitalist concept, it works like this: The more things are in demand, the greater the cost. The less things are in supply, the greater the cost. People with skillsets that are in small supply and great demand have an easy time of it when looking for a job. It is the responsibility of the individual to develop his skills such that they are a salable product in a capitalist environment.
For myself, I could be on the verge of death with some highly communicable disease and still wouldn't have a problem finding employment in today's market.
As an employee at a large corporation and also a potential employer I only have one thing to say to this, "huh?" I just don't see this as being a problem. The article uses statements like, "A 1999 survey by the American Management Association found that 30 percent of large and midsize companies sought some form of genetic information about their employees, and 7 percent used that information in awarding promotions and hiring. " I'm wondering what they consider to be "some form of genetic information"? I would imagine it would be questions about race, or gender.
To be honest, based on the evidence presented, I really don't see this as an issue. One lady believes she was discriminated against because of her genetic condition. This may be true but a single instance is not really a cause for concern. The evidence pointing towards genetic discrimination is anecdotal and unconvincing. How would an employer benefit from discriminating against a person based on some predilection for genetic disorder? What possible financial benefit would an employer see by denying himself the opportunity to hire a potentially productive individual? The only possible explanation could be employee turnover. Granted, employee death is one cause of turnover, but I would imagine it is far less likely to occur, even in the face of a possible genetic disorder, then other causes of turnover.
Please explain to me why a company in the business of developing software is a "scumbag company" for charging money for software that they've funded the development of? The possibility that they might give a product away for free seems counterintuitive. This is a fairly common thing within a capitalist system. A company makes something, and then they sell it at a profit and make money. Seems logical, eh? Especially if you want that thing to continue to be made. I like that a whole lot better than, "company makes something, gives that thing away for free and then goes out of business because they didn't make any profit."
If one looks at the past history of Miramax one will realize that they exhibit some semblance of concern about the "art" that they produce. I think that it's less about money and what the customers want and more about artistic value. I believe that in this case someone convinced them, and it shouldn't have been hard, that the film would have more artistic value if it came with the Japanese language track.
Harvey Weinstein and his brother have done a fine job with Miramax. They've released a lot of good material and have fought against corporatism. Unfortunately Disney bought Miramax and I imagine that they probably regret it after all the problems that Harvey has caused them. In the case of Kevin Smith's "Dogma" they lost to Disney, so the Weinstein's put the film out with money out of their own pockets. In my opinion, the change by Miramax is nothing more than a testament to the attitude and culture that the Weinstein's have fostered within the organization. For more of a taste of Harvey Weinstein's attitude read this 1999 Interview by Roger Ebert.
1. 3ivx is not Open Source yet, but they hope to make the decoder OSS eventually.
How do you know this? Do you have some sort of information that we don't?
Have you checked the site? There is no source, therefore the product is not open source. They can trumpet and wave their hands in the air all day long claiming to be OSS, but until the release the source, they aren't.
The same goes for Project Mayo being vaporware. Announcing a piece of software that doesn't exist yet is vapor. They may fully intend to eventually release a piece of software, but there are many cliche's that tell you the value of good intentions.
I became excited when I saw this story, I became disappointed when I went the the site and couldn't find source code. Maybe someday there will be a good OSS MPEG4 Codec.
Right, and I don't know of any tier 1 ISP that would be actually implement this. There is just too many ways that this could hurt the ISP. I can believe that above.net used MAPS to block spam by implementing the RBL on their mail servers, but I just don't think there's anyway they would've blackholed this traffic, particularly to their transit customers. Their customers would be paying them to give them the whole Internet and probably wouldn't be too pleased to learn that they were blackholing traffic on the advice of some third party.
IIRC Theo was contracted to do the mvme68k port. Some commercial entity needed *nix for their industrial computers and funded the development. So, I imagine that if feature "foo" was interesting enough, it could be paid for. Theo has stated himself that many people are using OpenBSD for commercial applications, particulary embedded systems and such. I know for a fact that Network Flight Recorder uses OpenBSD. I've seen very little anti-commercial attitude among the developers on the mailing lists. However, Theo has expressed his displeasure at the corporatism and market hype revolving around FreeBSD and Linux and how the design goals and development of OpenBSD will continue without corporate influence.
Earlier in the year it was announced that SMP support was being developed. On the web site it states, "SMP (Symmetric MultiProcessor) support is not yet in OpenBSD, but there exists a project, started in February 2000, to bring said support to at least the i386 and sparc platforms." What is the current status of SMP and are you targeting a specific release for it?
When did human life become so precious in the first place? You make a fine logical deduction, "Whenever that embryo becomes a human being, logically ending that life after that point becomes murder." I support your deduction and will suggest a fine point for separation. An embryo becomes a human being once it is born and is merely an embryo that relies on the host for survival up to that point. That solved the argument. I think I'm going to go get an abortion now.
I would happily let you plug a box into my network and put it into promiscuous mode. You would see broadcast and multicast traffic only. Shared media is obsolete, which is why this concerns me so greatly. If there is a requirement to have *all* the traffic at an ISP pass by this one box that will seriously limit the ability of that ISP to scale their network. I would hazard a guess at this point in time and say that it only monitors the traffic bound for the MTA for that particular ISP. That being the case, I would recommend only forwarding mail through a trusted MTA.
In spite of this announcement, the people at Sun aren't brain-dead. They purchased Cobalt to gain an entry into a specific market. That market being low-priced rack-mounted servers. What would be the point of buying yourself into a market and then raising prices to push yourself right back out. Sun already has a high-priced 1u rack-mounted server, it's called a Netra T1. Properly configured they go for about $10k.
Also, I challenge you to show me how Sun could possibly "close" the architecture of these boxes? Linux binaries wouldn't run on the same box with Solaris, but that's about it. Most Linux binaries aren't compiled for ARM architecture anyway, so back when the raq was ARM you couldn't run x86 binaries then either. Nothing's stopping you from getting gcc and compiling your own versions of any of the great software out there that comes in source form. I run several Solaris boxen and there's not much good about Solaris beyond the kernel. When I get a new box, I put gcc on it, and replace most of what comes with Solaris with the equivalent gnu alternatives that just happen to be much better (I like tar xvfz!).
An another note, can someone explain to my why xfree86 supports solaris x86 as well as linux on sun hardware with creator 3d cards but *not* solaris on sparc? That's just innane. Even more so is Xsun, man that X server blows goats.
IANAL but I am a network engineer at a "Tier 1" ISP. This article is a joke. It's very clear that the author doesn't understand what he's writing and is most likely simply regurgitating marketing materials being fed to him from the company that is the subject of the article. They are bleeding money and would probably like their stock price to go up.
The most obvious error is that OC-3 is not 622Mbps, it is 155Mbps. OC-12 is 622Mbps.
How do you think InterNAP gets the 11 major backbones to honor BGP local prefs? Very simply, InterNAP establishes a BGP peering session between its router and one of the routers of the ISP that it is purchasing service from.
Is the software they use revolutionary? Perhaps, but I also know of a major Tier-1 provider that uses some clever software to re-compute static routes for every router on their network every single night rather than use a proper IGP like OSPF or IS-IS. Unfortunately this software is so clever that no one completely understands how it all works. Except for that guy that did the clever bits, and he's long gone.
In the end, InterNAP is very simply a hosting provider that instead of being multi-homed to a couple of ISPs is multi-homed to 11 ISPs. They are doing nothing different than anyone else on the network. Hell, if they convinced all those backbone providers to use MPLS and used that to shunt the traffic to them, I would be impressed. They're just using the same old BGP4 that everyone else is using (Cisco's).
It is a secure server, what you missed was hlds_l (half-life dedicated server for linux) running on port 27015. Nmap doesn't scan that high by default. Hlds_l is not running as root and is as secure as I can make it in this environment. The point that I'm trying to make is that I'm only explicitly running the services that are needed, I understand what services are needed, and what the security implications are by running those services.
from http://www.ietf.org/i nternet-drafts/draft-manning-dsua-03.txt
169.254.0.0/16 has been ear-marked as the IP range to use for end node
auto-configuration when a DHCP server may not be found. As such, network
operations and administrators should be VERY aggressive in ensuring that
neither route advertisements nor packet forwarding should occur across
any media boundaries. This is true for the Internet as well as any
private networks that use the IP protocols. End node administrators
should be aware that some vendors will auto-configure and add this
prefix to the nodes forwarding table. This will cause problems with
sites that run router discovery or deprecated routing protocols such as
RIP.
Definitely not geek enough. My girlfriend and I have roughly 8 computers on fast ethernet with a DSL connection. A couple of Windows boxes, a G3 Mac, an old Mac running OpenBSD, an x86 running OpenBSD, an x86 running Linux, an x86 laptop running Linux, another x86 laptop dual-booting linux and windows, a sparc5 and a dual-processor sparc10 running Solaris, there's also the HP LJ5 with an ethernet port and it's all on 100BaseTX switched. Oh, and there's some fddi too. All that might be somewhat geek enough. I have a friend that needs 3-phase power for his IBM ES9000 Mainframe that I suspect he'll put right next to his Dec PDP-8. That, my friend, is geek enough.
Wiring is not important when you have your own 802.11 wireless lan setup. Browsing the web from the bathtub is what it's all about.
Ok, admittedly, I'm not all that up on MIPS hardware. However I am quite aware of how badly both sparc and alpha architecture suck when compared directly with P3s at high speeds. I know a p3/500 smokes an ultrasparc 440 when it comes to server web pages (similarly configured machines, similar amounts of memory, same drive hardware). And Network Appliance went with x86 in their new F840 and apparently doubled their performance with a P3/800 over an Alpha AXP21264@750Mhz in the F740.
Well, I had a user at one of my sites today get DDoS'd of the Internet. As a matter of fact, we were receiving so much traffic my firewall at that site choked. I got a couple of packet traces. Basically it was a bunch of tcp syn packets going to random port numbers. I started nmapping the source addresses to determine if they were real or spoofed (spoofed source addresses typically consist of a lot of invalid addresses that don't actually exist on the Internet). It turns out that 80% of the source addresses in question responded to ping. After nmapping a few of them I came to realize that they were all Linux boxes. Here's the results of one:
turmoil# nmap -sS -O 216.17.xxx.xxx
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on xxx.dsl.frii.net (216.17.xxx.xxx):
(The 1506 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
79/tcp open finger
80/tcp open http
110/tcp open pop-3
111/tcp open sunrpc
113/tcp open auth
143/tcp open imap2
511/tcp open passgo
514/tcp open shell
515/tcp open printer
1023/tcp open unknown
1024/tcp open kdm
3306/tcp open mysql
TCP Sequence Prediction: Class=random positive increments
Difficulty=1200108 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.14
Nmap run completed -- 1 IP address (1 host up) scanned in 54 seconds
Now, I don't know how you would assess the skills of this particular administrator, but as for me, I would say that he is a completely and totally ignorant and most likely stupid to boot. What kind of kneebiter actually puts a box like this in the wild? Ok, here's a little contrast. I'm running a counterstrike server on a generic install of Redhat 6.2. Here's the results of an nmap:
turmoil# nmap -sS -O 206.173.xxx.xxx
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on ahl (206.173.xxx.xxx):
(The 1522 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
TCP Sequence Prediction: Class=random positive increments
Difficulty=2103891 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.14
Nmap run completed -- 1 IP address (1 host up) scanned in 22 seconds
That's it. Imagine that, a secure Linux box. What a novel concept. The key difference between *nix administrators and NT administrators is that *nix is designed to be remotely accessible thereby making it more subject to remote attacks. It is also possible to secure *nix. NT on the other hand is traditionally not as remotely accessible, which I think prevents it from being more of a platform for this sort of behaviour. However, if there's a security weakness, it's usually in there for a good long while and on top of that, it's difficult as hell to secure.
sing it brother!
Cisco does NAT pretty well, thank you. and with the right access lists can do all the things that you are describing.
IOS does NAT and packet filtering pretty well. The only difference between IPNat, IPFilter and IOS is that IPFilter is stateful. Mind you, I love stateful packet filters and think it's the greatest fucking feature in the world, it's still not much of a difference. Oh, wait, IOS does have a "firewall" feature set that is stateful, so nevermind. When is Linux going to get stateful packet filtering?
1) Cisco hardware is extremely trustworthy, much more so than the generic PC. Good telecommunications equipment (routers, muxes, DSUs)will run for decades in poorly ventilated dusty closets without any hardware maintenance at all.
Some of it is, some of it isn't. You're just as likely to get bad hardware from Cisco (if you can stand the lead times) as you would from any other manufacturer. Personally, I don't trust it, which is why most people use redundant systems anyway.
2) Router hardware boots fast. WAY fast. Iff it has a decent operating system. This is important in real life because even UPSes are really uninteruptable.
I'm sure you mean "interruptible". Router hardware does not boot way fast, in fact it doesn't boot very fast at all. Some of it is faster than others. I have a 6509 that takes a minute or more to boot, granted that's a switch, but still. Foundry was in here the other day and one of their selling points was, "we boot faster than Cisco."
3) Routers (though not the 2500) typically have ridiculously fast RAM for packet buffering. If linux can get Cisco-7000 class throughput on Pentium III hardware, think what it could do on a real router!
Uh, 7000s suck, and don't exist anymore. 7200s are ok, but are still slow as hell (~200,000pps with a NPE300 and a VXR). 7500s suck pretty badly even with the brand spanking new VIP4/80(~180,000pps per card). Unfortunately they are good for routing and Intel P3s aren't. Trust me, you can push way more packets through a 1Ghz P3 with a good NIC than you can through a 7500. If you need real connectivity OC-3+ you'll have to step up to a the 12000 series which will give you a three port gigabit card for roughly $79,000 that can do line-rate (almost, except for itty-bitty packets).
3GE-GBIC-SC GSR12000 three-port GE line card $79,000.00
And that's just the interface card, that doesn't include the $200k for the rest of the router.
4) All software can become obsolete, due to lack of compatability with the real world (what do you mean we need NAT? We didn't need it yesterday!) or penetration (huh? our version of IOS is vulnerable to a script that's all over the net?) or various other reasons. Router software updates are EXPENSIVE!!! Trust me, I have "SmartNet Maintenance" from Cisco not because the hardware ever fails (it doesn't) but because it gives me access to the IOS download site for a single yearly fee. Linux updates are FREE.
Hah! What are you smoking? Cisco Hardware fails pretty regularly, trust me. That's why I have 24x7x4 onsite. I could check CCO but we probably have a couple of hundred RMAs in the last few months. Oh, and having access to IOS is nice too.