Exchange 2003 600 or so users, "normal" users get 150MB of mail store + 750MB (quote enforced) home directories (we have prepositioned \mail directories here for user.PST's if they want them), SarOX requirements are taken care of with backups (EVault), use Exchange Server Deleted Mail Retention to make sure deleted items get backed up before being permanently deleted.
Senior Executives essentially get as much storage space as they want, however since they've been asked to keep mail storage reasonable most of them are way less than a gig (a few funding requests for expensive new storage to expand mail store space generally helps to garner their active support in keeping there mailbox sizes at a reasonable level:) ).
It also helps to have a good email policy stating that company email use is for company business only, as well as limiting attachment sizes (I think ours is around 15 mb). Educating your users (and getting a buy-in) as to best practices usage is essential (i.e. why keeping mailbox sizes reasonable is important, saving off attachments and then deleting them from inboxes, archiving important mail in.PST's, how to filter and organize mail, etc..,).
Lastly for users that really need to save large amounts of mail in near line storage (easy access) we.PST it up for them and throw it on a couple of cheap NAS boxes we have for this purpose. All in all works out pretty well.
My other suggestion is to register everybody a Gmail account for personal use and then have a special talk with the biggest inbox abusers
Perhaps the "inappropriate" remark was based on the presumption that it's not a very good idea to allow your user base to access free mail services from inside your network, let alone encouraging them to do it. After all most businesses are a bit shy about having totally uncontrolled conduits for data flowing into and out of the network, no?
I could see simply helping your user base out with a suggestion for a personal gmail account as long as it was qualified with "but don't expect to be able to access it while your on the company network"......;)
Nothing that says you can't do delayed backups with this solution as well, replicate to your (near) real-time backup machine across the network, then tape back-up the replicated machine, this way you're never having to run backups (loading) against your production box and you've got a near-line image sitting on your replicated machine for quick restores.
Possibly, but it would be a lot more EXPENSIVE as well, iSCSI HBA's + the iSCSI SAN device, not to mention what if you want to replicate your backups to multiple locations? then you're looking at replication agents on your iSCSI device.
Query every 5 minutes for changed data that fits the backup parameters (within the system dir, the user's home dir, certain filetypes) and then transfer the data as the network isn't being used.
Unless I'm reading you wrong here, with a 5 minute delay you can already do this with rsync, a shell script and a cron job. According to the article this guy is doing it in near real time across the network (from what I can tell) by intercepting the write calls to the file system driver(s).
Not sure how else you could do it with involving hooks into the drivers themselves, unless you have really frequent polls to the file system to check for changes which seems to me would be very expensive.
Sounds like it's essentially a DoubleTake daemon for BSD, cool, I wonder how well it scales? Say if you wanted to fully mesh 10 or more servers or something. Sounds like it might come in handy for keeping the content in web farms in synch as well....
"Lucas told me, adding that it's no accident that the "small movies" outclassed the spectaculars in this year's Academy Awards. "Is that good for the business? No -- it's bad for the business. But moviemaking isn't about business. It's about art!"
One wonders what George Lucas is smoking these days? Moviemaking is about art and not about business? Are the heads of the studios, distribution companies and theater operators aware of this ? do the all the stockholders know?
Speaking of "out of touch", I think it's time for George to cop a ride from Han Solo back to Earth, if it's not about business then why is the MPAA scared to death of piracy and declining theater revenues? Seems to me if small budget indie films are going to be the wave of the future then the movie industry would be embracing new distribution channels (Internet) like gangbusters and I don't see that happening right now.
Great points, It seems to me that you could do something like a MITM SSL attack if you were able to insert your own trusted CA onto the client machine and then use something like a Proxy with an SSL Accelerator on it between the client and the target site, in other words the actual client SSL session is to the proxy (which sets up the SSL session with it's own certificate) and then proxy's the SSL session (decrypt-encrypt) to the target site? seems to me this would be doable even without inserting a trusted root on the click if the user chooses to ignore the "invalid site certificate" browser warning.
Wow ! You're a genius ! the hosts on your network are apparently invulnerable to everybody in world because you have followed something approaching reasonable password complexity practices, I'm sure Aunt Jenny knows exactly how to follow best practices when securing the hosts on her open Wireless Network just like you do.
Newsflash...it's probably not a good idea to share your wireless network with the whole wide world if you don't know what the heck you're doing with respect to system security or what the possible ramifications of doing so are.
Interesting concept (auto MITM attack on SSL connections), however one could think of all sorts of nefarious things that a WAP honeypot could do, after all if you're picking up a dynamic address from my honeypot WAP then chances are I also control your name resolution as well, in other words www.(yourbank).com points exactly to what address again? how many piggybackers actually check to see if they are running an encrypted session? or ummmm... are you really on MICROSOFT'S Windows Update Site ?or are you hitting a look alike server on the honeypot network? Oh.. you have Automatic Updates turned on...OOPS.;)
I wonder when/if we're going to start seeing stories about people setting up open WAP's as honeypots? In other words, set up an open AP, for the sole purpose of comprimising hapless piggybackers that connect to it with relatively unsecured machines -- I think it would be hilarious and a nice little piece of payback for those folks that thinks it's okay to piggyback off resources that someone else if paying for (with a little publicity might make people think twice about piggybacking).
Of course if you're too clueless (or too lazy) to take any steps to secure your wireless network then you probably shouldn't be complaining when someone else takes it upon themselves to utilize the resources that you've basically left laying around in public, I mean it's akin to putting a wad of money out on the sidewalk in front of your house and expecting it to be there next week.
Securing your WAP isn't any great task, the OEM's producing these devices for home/small business networks have made it very easy to do, have for the most part documented it well and there are a plethora of resources on-line to supplement the OEM documentation. No excuse not to do it, unless of course you really don't care that any Tom, Dick or Harry can connect to your home LAN and basically do whatever they want with that connection, including poking around on every machine you have connected to it as well utilize your Internet connection for whatever they feel like doing with it.
Cool, let me know when you post your project up on sourceforge, I'll be happy to help:)....btw why would you packetize the data and why would you need the "intervening network"?
I completely agree with the situation that you describe, any ISP that tells it's customers "no you can't use XYZ protocol on our network" (especially in the case of outbound connections), is indeed a pompous asshat. I would say there is a valid arguement for not allowing inbound service ports like HTTP, SMTP, etc.., to customers that are *residential* customers but, not allowing outbound SSH is just well....evil not to mention lame.
That's great, as long as you're the only one that uses your network.
What sucks is when some pompous asshat says "no, I can't provide you with a mechanism to accept incoming connections" or "no, you can't open an outgoing ssh connection".
I feel your pain, however I've found that it makes sense use a simple formula when evaluating an end user request to allow XYZ traffic to traverse a firewall(s) on my organizations network, 1. Is there a business need for it or is it just a user saying "oh this would be nice to have" 2. Is there a more secure and/or functional way to accomplish what the user needs to do? 3. Am I going to open up my network to significant security risks if I do this? do those risks outweigh the business need?
Characterizing any admin that says to you "no you can't traverse the company firewalls with XYZ traffic because doing so represents a significant security risk to the company network" as a "pompous asshat" is a bit unfair don't you think? perhaps you should attempt to look at it from the "pompous asshats" point of view and ponder what your response would be if the positions were reversed, if your answer is "well I'd let any traffic that any user asks for to traverse my firewalls" then there's a very good reason you're not the one making the determination what crosses company firewalls.;)
What would you like it to do, magically go faster than the bandwidth you have?
I think the point is to use what you have more effeciently, if real "bandwidth" is measured as the transfer rate of actual payload from point A to point B, then using it more effeciently (less overhead) does actually increase "bandwidth", not magic but it does allow me to go "faster" than I can without utilizing those more effecient technique(s).
I can't see a real advantage of multi-stream SCTP over multiple TCP connections... Someone in the know care to elaborate ?
Good question
Perhaps this provides a bit of insight: From the article: "Multi-streaming is an important feature of SCTP, especially when you consider some of the control and data issues in protocol design. In TCP, control and data typically share the same connection, which can be problematic because control packets can be delayed behind data packets. If control and data were split into independent streams, control data could be dealt with in a more timely manner, resulting in better utilization of available resources."
I suspect (although it's not explicitly stated) that SCTP multi-streaming offers less resource consumption of the end points than multiple TCP connections do.
Fallacy: You have assumed that there -is- an invention corresponding to a "mark".
Apparently there is, I hear SCO is claiming Intellectual Property rights on it and has threatened to sue "The Beast" as soon as he/she can be located and properly served. =)
Yeah of course it is, were else besides a Federal Government Agency do you have to spend almost a million and a quarter dollars just to convince the suits that the IT department knows what it's talking about?
Three years, $1.24 Million, and what do we got.....
The envelope please...
"LAMP "showed significantly better software quality" above the report's baseline with an average of.32 defects per 1,000 lines of code, according to Coverity. The average for open source projects analyzed is.42 per 1,000 lines."
Wow, LAMP is a pretty damn high quality stack after all....gee thanks Captain Obvious, we didn't really need those tax dollars for anything anyways.:)
Of course, when people switch providers, they will switch to the lowest-cost (or greatest price-feature) provider, not the one with the best quality of service
Customers will switch to whatever "solution" that they PERCIEVE offers the best value. It varies from customer to customer how they calculate said value (some weight price over quality or vice versa or features over price, etc.., etc..,) in the end though you're never going to go wrong with percieved superior quality of service, it's one of things that allows companies to justify a higher price in the customers value equation.
Or perhaps some suit at Business Week asked the question at the weekly staff meeting, "Could this open source thing be applied to the Media Business?"..."Well yes possibly, perhaps a company comes along and publishes the hidden agendas, background information on all their sources and puts out articles which contain multiple points of view, might be really popular"...."EEEEKKKK! so which one of you writers is going to do a piece about the grim future of open source?"
Open Source isn't anti-capitalism, it's a model of product development that's been highly successfull in fostering increased quality, more choice and increased innovation, IMHO it's not a "business model", never was and wasn't intended to be. That doesn't mean that successful business models cannot evolve around an "Open Source" product development model (obviously they can, already have, and will continue to do so).
I see no problem whatsoever that companies like Oracle are buying up "Open Source" companies nor do I think it paints a future for "Open Source" that's "grim", quite the opposite acutally, it only adds to the diversity of the model.
Slashdot Mirror
As of Windows 2003 R2, there is a capability to do a VSS type of thing over the network to a remote server.
;)
I'm a little ashamed that I know that, but it's true.
Really?...learn something new everyday, thanks for the tip and of course knowing something isn't anything to be ashamed of.
Exchange 2003 600 or so users, "normal" users get 150MB of mail store + 750MB (quote enforced) home directories (we have prepositioned \mail directories here for user .PST's if they want them), SarOX requirements are taken care of with backups (EVault), use Exchange Server Deleted Mail Retention to make sure deleted items get backed up before being permanently deleted.
:) ).
.PST's, how to filter and organize mail, etc..,).
.PST it up for them and throw it on a couple of cheap NAS boxes we have for this purpose. All in all works out pretty well.
Senior Executives essentially get as much storage space as they want, however since they've been asked to keep mail storage reasonable most of them are way less than a gig (a few funding requests for expensive new storage to expand mail store space generally helps to garner their active support in keeping there mailbox sizes at a reasonable level
It also helps to have a good email policy stating that company email use is for company business only, as well as limiting attachment sizes (I think ours is around 15 mb). Educating your users (and getting a buy-in) as to best practices usage is essential (i.e. why keeping mailbox sizes reasonable is important, saving off attachments and then deleting them from inboxes, archiving important mail in
Lastly for users that really need to save large amounts of mail in near line storage (easy access) we
My other suggestion is to register everybody a Gmail account for personal use and then have a special talk with the biggest inbox abusers
Perhaps the "inappropriate" remark was based on the presumption that it's not a very good idea to allow your user base to access free mail services from inside your network, let alone encouraging them to do it. After all most businesses are a bit shy about having totally uncontrolled conduits for data flowing into and out of the network, no?
I could see simply helping your user base out with a suggestion for a personal gmail account as long as it was qualified with "but don't expect to be able to access it while your on the company network"......;)
Nothing that says you can't do delayed backups with this solution as well, replicate to your (near) real-time backup machine across the network, then tape back-up the replicated machine, this way you're never having to run backups (loading) against your production box and you've got a near-line image sitting on your replicated machine for quick restores.
Possibly, but it would be a lot more EXPENSIVE as well, iSCSI HBA's + the iSCSI SAN device, not to mention what if you want to replicate your backups to multiple locations? then you're looking at replication agents on your iSCSI device.
Query every 5 minutes for changed data that fits the backup parameters (within the system dir, the user's home dir, certain filetypes) and then transfer the data as the network isn't being used.
Unless I'm reading you wrong here, with a 5 minute delay you can already do this with rsync, a shell script and a cron job. According to the article this guy is doing it in near real time across the network (from what I can tell) by intercepting the write calls to the file system driver(s).
Not sure how else you could do it with involving hooks into the drivers themselves, unless you have really frequent polls to the file system to check for changes which seems to me would be very expensive.
Just a thought...
If I'm not mistaken VSS doesn't work across a network and VSS stores the snapshots on the same volume as the original data.
Sounds like it's essentially a DoubleTake daemon for BSD, cool, I wonder how well it scales? Say if you wanted to fully mesh 10 or more servers or something. Sounds like it might come in handy for keeping the content in web farms in synch as well....
"Lucas told me, adding that it's no accident that the "small movies" outclassed the spectaculars in this year's Academy Awards. "Is that good for the business? No -- it's bad for the business. But moviemaking isn't about business. It's about art!"
One wonders what George Lucas is smoking these days? Moviemaking is about art and not about business? Are the heads of the studios, distribution companies and theater operators aware of this ? do the all the stockholders know?
Speaking of "out of touch", I think it's time for George to cop a ride from Han Solo back to Earth, if it's not about business then why is the MPAA scared to death of piracy and declining theater revenues? Seems to me if small budget indie films are going to be the wave of the future then the movie industry would be embracing new distribution channels (Internet) like gangbusters and I don't see that happening right now.
Great points, It seems to me that you could do something like a MITM SSL attack if you were able to insert your own trusted CA onto the client machine and then use something like a Proxy with an SSL Accelerator on it between the client and the target site, in other words the actual client SSL session is to the proxy (which sets up the SSL session with it's own certificate) and then proxy's the SSL session (decrypt-encrypt) to the target site? seems to me this would be doable even without inserting a trusted root on the click if the user chooses to ignore the "invalid site certificate" browser warning.
doable? What do you think?
Well, you just showed you don't have a clue.
Wow ! You're a genius ! the hosts on your network are apparently invulnerable to everybody in world because you have followed something approaching reasonable password complexity practices, I'm sure Aunt Jenny knows exactly how to follow best practices when securing the hosts on her open Wireless Network just like you do.
Newsflash...it's probably not a good idea to share your wireless network with the whole wide world if you don't know what the heck you're doing with respect to system security or what the possible ramifications of doing so are.
Interesting concept (auto MITM attack on SSL connections), however one could think of all sorts of nefarious things that a WAP honeypot could do, after all if you're picking up a dynamic address from my honeypot WAP then chances are I also control your name resolution as well, in other words www.(yourbank).com points exactly to what address again? how many piggybackers actually check to see if they are running an encrypted session? or ummmm... are you really on MICROSOFT'S Windows Update Site ?or are you hitting a look alike server on the honeypot network? Oh.. you have Automatic Updates turned on...OOPS. ;)
I wonder when/if we're going to start seeing stories about people setting up open WAP's as honeypots? In other words, set up an open AP, for the sole purpose of comprimising hapless piggybackers that connect to it with relatively unsecured machines -- I think it would be hilarious and a nice little piece of payback for those folks that thinks it's okay to piggyback off resources that someone else if paying for (with a little publicity might make people think twice about piggybacking).
Of course if you're too clueless (or too lazy) to take any steps to secure your wireless network then you probably shouldn't be complaining when someone else takes it upon themselves to utilize the resources that you've basically left laying around in public, I mean it's akin to putting a wad of money out on the sidewalk in front of your house and expecting it to be there next week.
Securing your WAP isn't any great task, the OEM's producing these devices for home/small business networks have made it very easy to do, have for the most part documented it well and there are a plethora of resources on-line to supplement the OEM documentation. No excuse not to do it, unless of course you really don't care that any Tom, Dick or Harry can connect to your home LAN and basically do whatever they want with that connection, including poking around on every machine you have connected to it as well utilize your Internet connection for whatever they feel like doing with it.
Cool, let me know when you post your project up on sourceforge, I'll be happy to help :)....btw why would you packetize the data and why would you need the "intervening network"?
I completely agree with the situation that you describe, any ISP that tells it's customers "no you can't use XYZ protocol on our network" (especially in the case of outbound connections), is indeed a pompous asshat. I would say there is a valid arguement for not allowing inbound service ports like HTTP, SMTP, etc.., to customers that are *residential* customers but, not allowing outbound SSH is just well ....evil not to mention lame.
That's great, as long as you're the only one that uses your network.
;)
What sucks is when some pompous asshat says "no, I can't provide you with a mechanism to accept incoming connections" or "no, you can't open an outgoing ssh connection".
I feel your pain, however I've found that it makes sense use a simple formula when evaluating an end user request to allow XYZ traffic to traverse a firewall(s) on my organizations network, 1. Is there a business need for it or is it just a user saying "oh this would be nice to have" 2. Is there a more secure and/or functional way to accomplish what the user needs to do? 3. Am I going to open up my network to significant security risks if I do this? do those risks outweigh the business need?
Characterizing any admin that says to you "no you can't traverse the company firewalls with XYZ traffic because doing so represents a significant security risk to the company network" as a "pompous asshat" is a bit unfair don't you think? perhaps you should attempt to look at it from the "pompous asshats" point of view and ponder what your response would be if the positions were reversed, if your answer is "well I'd let any traffic that any user asks for to traverse my firewalls" then there's a very good reason you're not the one making the determination what crosses company firewalls.
What would you like it to do, magically go faster than the bandwidth you have?
I think the point is to use what you have more effeciently, if real "bandwidth" is measured as the transfer rate of actual payload from point A to point B, then using it more effeciently (less overhead) does actually increase "bandwidth", not magic but it does allow me to go "faster" than I can without utilizing those more effecient technique(s).
I can't see a real advantage of multi-stream SCTP over multiple TCP connections ... Someone in the know care to elaborate ?
Good question
Perhaps this provides a bit of insight: From the article:
"Multi-streaming is an important feature of SCTP, especially when you consider some of the control and data issues in protocol design. In TCP, control and data typically share the same connection, which can be problematic because control packets can be delayed behind data packets. If control and data were split into independent streams, control data could be dealt with in a more timely manner, resulting in better utilization of available resources."
I suspect (although it's not explicitly stated) that SCTP multi-streaming offers less resource consumption of the end points than multiple TCP connections do.
And no overzealous firewalls on the way.
;)
Guess I must have "underzealous" firewalls, since they allow the traffic I tell them to and block everything else.
Fallacy: You have assumed that there -is- an invention corresponding to a "mark".
Apparently there is, I hear SCO is claiming Intellectual Property rights on it and has threatened to sue "The Beast" as soon as he/she can be located and properly served. =)
Yeah of course it is, were else besides a Federal Government Agency do you have to spend almost a million and a quarter dollars just to convince the suits that the IT department knows what it's talking about?
Three years, $1.24 Million, and what do we got .....
...
.32 defects per 1,000 lines of code, according to Coverity. The average for open source projects analyzed is .42 per 1,000 lines."
:)
The envelope please
"LAMP "showed significantly better software quality" above the report's baseline with an average of
Wow, LAMP is a pretty damn high quality stack after all....gee thanks Captain Obvious, we didn't really need those tax dollars for anything anyways.
Of course, when people switch providers, they will switch to the lowest-cost (or greatest price-feature) provider, not the one with the best quality of service
Customers will switch to whatever "solution" that they PERCIEVE offers the best value. It varies from customer to customer how they calculate said value (some weight price over quality or vice versa or features over price, etc.., etc..,) in the end though you're never going to go wrong with percieved superior quality of service, it's one of things that allows companies to justify a higher price in the customers value equation.
Or perhaps some suit at Business Week asked the question at the weekly staff meeting, "Could this open source thing be applied to the Media Business?"..."Well yes possibly, perhaps a company comes along and publishes the hidden agendas, background information on all their sources and puts out articles which contain multiple points of view, might be really popular"...."EEEEKKKK! so which one of you writers is going to do a piece about the grim future of open source?"
Open Source isn't anti-capitalism, it's a model of product development that's been highly successfull in fostering increased quality, more choice and increased innovation, IMHO it's not a "business model", never was and wasn't intended to be. That doesn't mean that successful business models cannot evolve around an "Open Source" product development model (obviously they can, already have, and will continue to do so).
I see no problem whatsoever that companies like Oracle are buying up "Open Source" companies nor do I think it paints a future for "Open Source" that's "grim", quite the opposite acutally, it only adds to the diversity of the model.