Slashdot Mirror


User: Master+of+Transhuman

Master+of+Transhuman's activity in the archive.

Stories: 0
Comments: 5,622

Comments · 5,622

  1. Re:Defense in depth. on Tear Down the Firewall · · Score: 1


    Which is not what the article is saying.

    The article is saying that perimeter defense costs more than internal multiple layer defense. And a perimeter firewall is more restrictive of end user access than it needs to be.

    Also the article is saying that perimeter defense leads to lax internal security.

    The article is advocating firewalls between the end users and the servers, not the end users and the Net.

    The points are valid, but I'd say a system based on it needs to be pen-tested to be sure it can work.

  2. Re:Seems overkill... on Tear Down the Firewall · · Score: 1


    You didn't read this part, did you?

    "The price tag of such a hardware-intensive architecture may seem high, but virtualization software allows us to deploy all three tiers within the same server."

  3. Re:He's only giving up the border firewall... on Tear Down the Firewall · · Score: 4, Insightful


    The "harm" is described in the article:

    "Perimeter security was originally intended to allow us to operate with the confidence that our information and content wouldn't be stolen or otherwise abused. Instead, the firewall has slowed down application deployment, limiting our choice of applications and increasing our stress.

    To make matters worse, we constantly heard that something was safe because it was inside our network. Who thinks that the bad guys are outside the firewall and the good guys are in? A myriad of applications, from Web-based mail to IM to VoIP, can now tunnel through or bypass the firewall. At the same time, new organizational models embrace a variety of visitors, including contractors and partners, into our networks. Nevertheless, the perimeter is still seen as a defense that keeps out bad behavior. Taking that crutch away has forced us to rethink our security model."

    I can see the point. However, as always, YMMV. If you can't devote the resources to doing decent monitoring of your applications and servers, and keeping the workstations patched, then you might need a perimeter firewall.

    The point of the article is that a perimeter firewall - a "moat mentality" - leads to lax security on the internal network. And it's NOT "cheap insurance" because it requires much more maintenance to secure an entire perimeter of thousands of workstations AND still provide Net access to those systems (and visitors) than it does to secure an inner ring of a few hundred servers and to treat EVERYBODY outside that ring as a threat - including your own users.

  4. Re:no firewall? on Tear Down the Firewall · · Score: 2, Informative


    What part of TFA didn't you read? This one?

    "The first tier consists of presentation servers such as Web and e-mail servers--these are the only servers accessible to end users."

    What part of "presentation" didn't you understand? The clients access their apps via these servers. Everything else is in a (two-tier) protected server ring accessible only from the presentation servers themselves. Thus, clients do NOT need to access the critical application, and especially the database (where the corporate data hacking targets actually are), servers.

    Now I'd still like to see that the presentation apps can't be compromised, but that's what the application firewalls and application monitoring referenced in TFA are supposed to accomplish.

  5. Re:Brilliant! on Tear Down the Firewall · · Score: 1


    You didn't have to.

    Bill Gates has already done it for you.

    See why you buy Microsoft products?

  6. Re:Why not have both? on Tear Down the Firewall · · Score: 3, Interesting


    The article makes the point that it costs money and time to "reject all other traffic" because the end users often need to access things outside the system, new applications such as Skype also need to have new ports opened, and outside visitors need to connect to the network internally which leads to security risks as firewalls are administered.

    By treating EVERYBODY outside the server ring as a potential risk, you eliminate these problems and take a more proactive, paranoid approach to the security of the internal network rather than relying on perimeter security which is hard and expensive to do. At the same time, you make the network outside the server ring more useful to end users.

    I can see the point - I'd just like to see it TESTED against a good-quality pen-test using compromised workstations against the server ring to see if Layer-Three switches with ACLs and PKI authentication and application firewalls are sufficient to protect the servers against island-hopping attacks by a good hacker.

  7. Re:Firewalls are needed only for leaky systems on Tear Down the Firewall · · Score: 1

    "Yeah, I could lock down every one of their machines - Or I can just block the relevant sites at the firewall. Which takes less work if a similar new annoyance appears?"

    I'd say locking down the user so they can't install ANYTHING. You're going to update your firewall rules for every oddball Internet site? You have lots of time on your hands for a sys admin. You ARE a sys admin, right? If not, well...

    This makes no sense.

    As for phoning home, the point of the article is that nothing the workstations do can (supposedly) compromise the SERVERS which are on their own internal network. Now I'd like to see that point TESTED but the concept has been put forward before since perimeter security has been proven to be extremely difficult to do.

  8. Re:Firewalls are needed only for leaky systems on Tear Down the Firewall · · Score: 2, Informative

    "higher-end firewalls can also scan the traffic on those open ports looking for exploits"

    And why? So you know there are exploits being run against you? And this helps how? Your goal is to prevent exploits from being SUCCESSFUL, not from being run against you, since they will be run anyway. Check your firewall logs long enough for a big enough company, you'll see every exploit there is. So what?

    "I have tons of services running on various servers that I do not want made available to the public, yet need to be available to (a) the other servers behind the firewall, and (b) trusted users that connect over our VPN... which, incidentally, is another function of a good firewall."

    You didn't read TFA, right? They deal with this as follows:

    "This begins with separating our servers from our clients. We can do that now, thanks to layer-3 data center switches that allow for the low-cost creation of subnets. By defining simple ACLs, we further isolate our backend servers.

    The servers and their respective applications sit in their own DMZ, protected by an Application-layer firewall. We organize servers into three tiers: The first tier consists of presentation servers such as Web and e-mail servers--these are the only servers accessible to end users. The second tier, made up of application and middleware servers, is in turn only accessible to the presentation servers. Finally, the third tier, consisting of the database servers, is only accessible to the application and middleware servers."

    They also specifically took this approach because it allows them to connect with business partners and also allow their end users, visitors and contractors to use their laptops more freely without compromising security by treating EVERYBODY as if they were a potential script kiddie - which is how security should be since most hacks occur from INSIDE the network.

    That deals with your issues. The only issue I have with the concept is that I don't see where it has been TESTED against a significant hacker attack where workstations have been thoroughly compromised and used to attack the servers in an island-hopping attack. I'd like to see these people do a high-quality pen-test from some pros.

  9. Re:Firewalls are needed only for leaky systems on Tear Down the Firewall · · Score: 2, Insightful


    Apparently the problem for some admins is that firewalls become a security hazard in themselves because they have to be constantly adminned by opening and closing ports for special end user purposes, which tends to introduce configuration errors and security holes. And if they don't do this, they get endless complaints from the end users that they can't access things they need (or think they need) on the Net.

    And this also applies to the problem of connecting with business partners, contractors, etc., as well as supporting new apps like Skype.

    By dumping the end users on the Net themselves and protecting the servers only, the admins eliminate this problem.

    I'd say it remains to be seen if completely dumping the firewall is feasible, since the article doesn't address whether they've survived SIGNIFICANT hacker attacks using this model. THAT is the real test.

  10. Re:I use a firewall to isolate networks on Tear Down the Firewall · · Score: 1


    The article deals with that:

    "The servers and their respective applications sit in their own DMZ, protected by an Application-layer firewall. We organize servers into three tiers: The first tier consists of presentation servers such as Web and e-mail servers--these are the only servers accessible to end users. The second tier, made up of application and middleware servers, is in turn only accessible to the presentation servers. Finally, the third tier, consisting of the database servers, is only accessible to the application and middleware servers."

    Only problem I have with that is what happens with "island hopping" attacks. I suppose their use of Layer-3 switches and ACLs to protect the second and third tier servers is adequate, as long as there are no exploits for the switches - but then again, one could say that about firewalls as well, since there have been known flaws in various firewall products.
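As an added illustration (not part of the poster's comment or of the article), a small Python model of the quoted three-tier ACL policy: it checks which tiers a host may reach directly and how many hosts would have to be compromised in sequence to reach the database tier, which is the island-hopping question the comment raises. The tier names and ACL entries are constructed here.

```python
"""Reachability model of a three-tier server ring behind layer-3 switch ACLs.

Added example; the tier names and ACL entries below are constructed to mirror
the quoted article text, they are not taken from the article or the poster.
"""
from collections import deque

# Constructed ACL policy: (source tier, destination tier) pairs the switch
# permits. Anything not listed is denied. This follows the quoted text:
# clients -> presentation only, presentation -> application only,
# application -> database only.
THREE_TIER_ACL = {
    ("client", "presentation"),
    ("presentation", "application"),
    ("application", "database"),
}


def permitted(acl, src, dst):
    """True if the ACL lets traffic flow directly from tier src to tier dst."""
    return (src, dst) in acl


def compromise_path(acl, start, target):
    """Shortest chain of tiers that would have to be compromised one after
    another, starting from a host in `start`, to reach `target`.

    Breadth-first search over permitted flows; returns None when the ACLs
    leave no chain at all.
    """
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        here = path[-1]
        if here == target:
            return path
        for src, dst in acl:
            if src == here and dst not in seen:
                seen.add(dst)
                queue.append(path + [dst])
    return None


def hops_to_database(acl, start="client"):
    """Number of successive compromises needed from `start` to the database."""
    path = compromise_path(acl, start, "database")
    return None if path is None else len(path) - 1


def audit(acl):
    """The properties a reviewer would check before trusting the server ring."""
    return {
        "client_direct_to_database": permitted(acl, "client", "database"),
        "client_direct_to_application": permitted(acl, "client", "application"),
        "hops_client_to_database": hops_to_database(acl),
    }


if __name__ == "__main__":
    print("as designed:", audit(THREE_TIER_ACL))
    # One "temporary" ACL entry opened for a client tool removes a whole hop.
    weakened = THREE_TIER_ACL | {("client", "application")}
    print("with client->application opened:", audit(weakened))
```

The model shows what segmentation buys and what it does not: the database is never directly reachable from a client, but a fully compromised presentation server still leaves a two-step chain to it, so the hop count is what a pen test of the ring would actually be measuring.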

  11. Re:Nice logic, but on Tear Down the Firewall · · Score: 3, Informative


    Yeah, but the problem is this: what if it's your firewall admin who screws up? Granted, it's better to leave a port open on ONE device than on twenty different ones, but it's still the same problem.

    I admit I'm not impressed with their notion that the workstations should just be kept patched and users authenticated before allowing access to the servers.

    Still, there is something to be said for this sentence from TFA:

    "By accepting that our internal network isn't much safer than a hostile external network, we've created a more realistic security architecture."

    And they also do this:

    "We assign each user a central identity, which is authenticated and validated before accessing the internal DMZ. We use central directories to manage identity privileges and PKI certificates. Existing systems, such as Active Directory, allow for low-cost private certificate authorities where PKI isn't well-established. We also log and monitor the activity and enforce acceptable application behavior."

    In other words, if the end users have to use PKI to get into the internal network, they're basically being treated like potential intruders themselves - which is how it should be, given that much hacking is done from INSIDE the network. If your end-users are treated the same as any script kiddie, you don't have any problems separating the two except via authentication. Although I still wonder if this layout would protect from a clever hacker who does manage to penetrate and fully compromise a workstation.

    Still, it should be sufficient to keep the ordinary worms and viruses off the servers - as long as the worm or virus can't take advantage of a flaw in the basic network infrastructure.

    And if you really ARE monitoring your network servers for bad behavior - with real human eyes instead of an IDS - instead of just paying lip service to the idea - you have the equivalent of a fully monitored system which is probably the best way to prevent intrusion. In other words, human guards AND electronics are the best security, not either one alone.

  12. Re:Firewalls aren't totally expendable on Tear Down the Firewall · · Score: 1


    The article discusses that. They deliberately leave the workstations exposed to the Net. The SERVERS are protected and application-level firewalls are also used. The advantage is that they don't have users continually frustrated at being unable to access various services on the Net due to the firewall blocking everything, and their admins have less work to do opening and closing ports for end user special purposes, which presumably results in fewer configuration errors and fewer security holes.

    The overall effect sounds good, but I'd need to see more evidence along the lines of EXACTLY how they're set up and also whether they have withstood SIGNIFICANT hacker attacks with this configuration rather than just script kiddie scanning.

  13. Re:paranoid on Tear Down the Firewall · · Score: 1


    You obviously didn't even CONCEIVE of reading the F'ing article, right?

    Good /. reader, good boy.

  14. Re:I Recently Switched to 3Mbps SBC DSL on Next-Gen Broadband Primer · · Score: 1


    It's possible I'm not getting the full speed, but I haven't tested it against a download site that can go full speed.

    I just did the DSLReports speed test, and it showed only 155Kbps down and 419 up. In comparison with others in my area code, I'm near the bottom of the list. The max is 2500 down, 425 down.

    Then I did the ADSL Guide test from the UK and got 134.8KB down and 40KB up - which probably reflects the Transatlantic connection.

    Now I just did the SBC Yahoo Support speed test and it shows 1.3Mbps down and 435Kbps up.

    Obviously I'm not getting 3Mbps...

    So I guess SBC 3Mbps DSL just isn't working well over my lines.

    Not that it matters, I'm still paying twenty dollars less a month than I did before.

    On the other hand, I am getting better speed than I used to because I've seen bursts up to 256Kbps recently which is more than I ever saw on the 1.5 (except for a couple weird cases where I saw 600K) and a steady speed of over 150Kbps which is more than I used to get with the 1.5.

  15. Re:20 Mbps on Next-Gen Broadband Primer · · Score: 1


    Most US providers are not "geek-friendly" or anybody-else-friendly, for that matter.

    Speedwise, if you're in SBC territory (California, southwest US, some other places), you can get 1.5Mbps for $14.95/month, 3Mbps for $29.99, with I think some extra cash for static vs dynamic IPs. The upload limits are much less, 128Kbps to 384Kbps. If you want to go business rate or symmetrical DSL, of course, you can go faster.

    Cable modem is about the same, maybe somewhat more expensive depending on whether you are getting cable TV at the same time. You tend to get somewhat higher consistent speeds from cable if it's not being shared by everybody in the neighborhood - but you have no control over that. With DSL, you're clear to the DSLAM, then it depends on how much they've oversubscribed their backbone connection - which you have no control over either. "Real" speeds are thus lower than they tout in either case.

    If I had cable TV (it's in my room, but I can't afford cable TV at the moment), I might go with cable, but I'm satisfied with SBC DSL. They used to drop connections a couple times a day two years ago, but hardly ever drop connections these days - and never when I'm actually online. As usual, YMMV.

  16. I Recently Switched to 3Mbps SBC DSL on Next-Gen Broadband Primer · · Score: 1


    I'm seeing some improvement, but not much because most servers out there are bandwidth throttled for a single connection anyway - they aren't serving at 3Mbps per connection, so you won't get anything faster from a single download point.

    And I think most people aren't downloading from multiple sources most of the time. I was downloading a half dozen Corrs videos from Yousendit and another file download site the other day and still saw a maximum of only 162KBps being used according to the Firefox download box. And I normally get 150Kbps since I'm less than a couple miles from the CO.

    I switched mostly because I was paying the old $49.95/month rate for 1.5Mbps and the new rate is twenty bucks less for twice the speed. So even if I don't get the full 3Mbps, I'm still saving.

    When I did so, the rep told me within a year SBC would be offering 20Mbps. I'm not sure how many users are going to even come close to filling that pipe just doing Web surfing, email, etc. You'd have to be downloading a lot of Bittorrent movies or every Linux distro CD/DVD at the same time to be able to eat up that much. I'm sure it will happen once services are launched to provide more and larger content, but for the next three to five years I think it will be overkill for most people.

    I do know a lot of people are going to switch to DSL now that it's $14.95 for 1.5Mbps. At that price, it's ridiculous to stay with dialup unless you just can't get DSL in your neighborhood. And the rep told me SBC was laying fiber all over the place to extend the reach of DSL, so unless you're really rural, odds are it will be available at some point (I omit places like the middle of Montana, or the Mendocino forest, or whatever.)

  17. Re:Spam on Microsoft's Personnel Puzzle · · Score: 2, Insightful


    Windows Server 2003 is a bloated, unmitigated piece of shit. It's nearly impossible to use because you can't find anything in the hundreds of services, management consoles, menus and dialog boxes, ALL of which have some kind of effect on each other.

    It needs to be shrunk about fifty percent to be usable. That would put it somewhere around Linux which is at least comprehensible.

    And it's unreliable - it screws up even in a college training lab doing canned exercises. And when it screws up, you can't possibly find out why or where, so a reboot is the only thing that might shake it loose - until the next time - which will be within a few days at most.

    And Longhorn promises to be even worse.

    More desktop apps for Linux? How many does the average end user actually use? Almost everything the average user is likely to use is already included. How much would the equivalent software COST on Windows? Ten grand? Twenty grand?

    What IS needed is more enterprise level apps - which is no problem since the Java tools to build same are becoming available from dozens of open source projects.

    RAD tools? RAD tools lead to crap software because design takes a back seat to "get the shit out the door". This is WHY Windows is crap - their design practices (and hiring practices, which is the point of the discussion) are crap. RealBASIC? Gimme a break. I don't care how much you twist and pull BASIC, it's a crap language not intended for serious development work.

    Stop cashing those Microsoft propaganda checks and get a clue.

  18. Seems Obvious To Me on Novell Linux Desktop 9 Vs. Redhat Enterprise WS? · · Score: 1

    Redhat charges quite a bit for their support (server-wise, anyway, not sure about their desktop) and I'm not sure they have the best rep in the industry for that support.

    Novell has a long history of decent support of their customers and I believe their prices for workstations are less than Red Hat's (correct me if I'm wrong here, I haven't looked recently.)

    The only question you might have is Novell's long-term viability vs. Red Hat's. But since Novell HAS been around longer, has a lot of cash in the bank, and Red Hat is a newer company, I'd say that's a wash as well.

    Go with Novell.

    Better yet, install a couple desktops from each on test machines, play with them, run into troubles, and call them up and see who handles real support issues better - or even if your developers can handle support better on their own.

    Why ask around when you can FIND OUT at low cost?

  19. Re:I for one, agree on How Schools Can Get Free Software · · Score: 1


    It's always funny to see idiots say that because Microsoft is a monopoly and most people are taught to use Windows software, that therefore it will never be any different and it's completely useless to try to teach anyone anything else but Microsoft.

    Tell that to the IBM System/34 programmers from back in the 1970's.

    Fucking moron.

    If the educational system was worth a shit in the first place - which it is NOT - people wouldn't be taught ANY particular system. They would be taught the PRINCIPLES of systems with examples from the major contenders and encouraged to use whichever one they thought they liked the best for some hopefully RATIONAL reason other than "it came with my computer".

    Instead, the so-called "educational establishment" accepts free software and "support" from Microsoft and in turn becomes unpaid Microsoft recruiters along with acceding to demands by equally brain-dead CIOs and corporations in their area to teach "business relevant" courses intended to cookie-cutter people into corporate job descriptions.

    It's a fucking joke all around. Al Qaeda needs to dive-bomb some airliners into some Boards of Education buildings and the National Education Association and some corporate HQs (starting with Microsoft).

  20. Re:Why is this news? on Microsoft's Personnel Puzzle · · Score: 0, Flamebait


    How'd I handle past job situations?

    Well, I quit one job in the middle of a project because it was fucking stupid, got fired from another stupid job when the boss decided he couldn't keep the company going long enough to do the job right (after having done it totally wrong), and I cussed out my supervisor on another job and got fired while they were laying off everybody because they fucked up their market with crap. That doesn't count a couple other layoffs because I was dumb enough to get hired by morons.

    Does that answer your question, Mr. Recruiter?

    Oh, did I mention I did eight years in prison for armed bank robbery? I'm kinda required by my supervised release terms to disclose that to potential employers.

    I wouldn't work for an employer any more even if I could find one that would hire me. Fuck those morons. They don't know how to hire, they don't know how to manage, and they don't know pretty much anything else. So I find it hard to be interested in their questioning of MY capabilities.

    I don't think begging for a job is the best position to be in when you're a primate - tends to bring out the worst in the people on the other side of the table - sort of like begging for a loan from a bank, or begging a prison guard for a shower today. Primates are simply incapable of handling differences in authority in a neutral manner. It's hardwired into their little brains to be assholes when confronted with someone lower on the primate hierarchy than themselves.

    So it doesn't surprise me that Microsoft - run by the King of Primate Assholes Himself - behaves the way they do to job applicants.

    And it doesn't surprise me that job applicants - and actual Microsoft employees - will debase themselves to any degree to be employed there and then will LIE LIKE RUGS on command about the reliability, security and other issues with the software and corporate business practices.

    After all, dogs will eat their own shit. So will humans - which is why humans like dogs and dogs like humans. And why your average dog owner looks like his dog.

  21. Re:Spam on Microsoft's Personnel Puzzle · · Score: 4, Funny


    But that's EXACTLY the kind of person Microsoft wants.

    A "whiz kid" who can do something clever without thinking about the overall consequences - such as security or even simple common sense.

    Somebody who can't threaten Bill's ego or raise issues about system design or corporate behavior they don't want to have to deal with.

    None of those tests is really relevant to turning out a well-designed, well-coded and documented system. Maybe if you're doing embedded work in 16K on some microcontroller - or Tiny BASIC back in the 1970's when Bill learned his trade. I'd look for something a lot more conceptual such as how would one handle the documentation of such-and-such a code module.

    It's like I've always suspected. Microsoft wants inexperienced whiz kids right out of school or experienced guys who can't think about anything but code.

    And it shows in their systems.

  22. Looked At The Features List on Google Toolbar for Firefox Released · · Score: 1


    Didn't see a single thing I need to use.

    Already got Google search on my address bar as it is with Firefox.

    And I can already spell.

    Never need to translate words FROM English, and any software I've seen translating INTO English sucks.

    Rest of the stuff is just worthless to me.

    Oh, well. I only have four Firefox extensions installed (Flashblock, keyconfig, Download Manager Tweak, and Netcraft Toolbar - and the latter is of questionable value until I actually find a suspicious site being flagged) as it is. I'm not someone that needs to load down his software with every tweak and button somebody comes up with.

    I never customize my Linux or Windows desktops and windows with anything except a wallpaper displayer to see my babe pictures.

    I never detailed a car either.

    Frills just don't interest me.

  23. Re:Hey LUNIX zealots! Face the facts! on Windows AntiSpyware Downgrades Claria Detections · · Score: 1


    You're obviously an idiot since you think that just because some project of your company's needed "Windows hardware" or that some companies limit their game development to Windows that this somehow absolves Microsoft of every shady practice they indulged in for the last twenty years.

    Which is why another poster assumed you were a student with no life - because you obviously reflected zero experience with the world and Microsoft's history. I make no assumptions - I base my opinion that you're an idiot on your specific words.

    Read my lips - Bill Gates is a FUCKING ASSHOLE as every bio of him and an anti-trust trial has proven. And his company runs on his say-so and has produced numerous DELIBERATE LIARS as employees.

    Get a fucking clue.

  24. Re:Microsoft and Windows aren't the problem on Windows AntiSpyware Downgrades Claria Detections · · Score: 1


    Bill, Melinda says to call her cell.

    She finally decided she wants to know what you meant when you said Microsoft could hire twice as many women for half the price as men and they'd do the grunt work because "they're only women."

  25. Re:Shock Horror!!!!! :o:o:o on Windows AntiSpyware Downgrades Claria Detections · · Score: 1


    As I've asked elsewhere:

    What does the word IGNORE mean to you?

    What do you think it means to the average user?

    This is called "doing what you can get away with" and it is standard Microsoft operating procedure as the anti-trust trial proved.

    Get a fucking clue - either that or stop cashing Bill's checks to write this excuse crap on /.