So we have about 3000 laptops in our organization. Mostly Win2K Pro, some XP pro. Users only have power user rights, and we're so far behind on patching it's not even funny (can you say SP2 with 1 or 2 hotfixes?). Their machines are so overrun with Spyware that some web apps won't even run.
Due to our desktop team's negligence in patching (even though we own Altiris), I've been taking a hard look at Cisco's Secure Agent... It's really robust, but it complains about ANYTHING trying to do ANYTHING (think Zonealarm from hell), the Altiris client apparently needs 'self modifying code' to run, KlipFolio tries to make a network connection and all sorts of alarms go off, and most spyware still ends up installing anyway. I've been spending some time with Cisco, and I'm sure I'll be spending more, but this looks like an uphill battle the entire way.
Another 'solution' I'm looking at is the Check Point Integrity VPN client (Check Point sucked up Zone Labs last year)... Instead of my clients using traditional VPN software, we'd look at deploying an SSL-type-VPN with Integrity. Basically, everytime you make a VPN connection back to our office, your machine gets scanned for spyware (this would hold true for Internet kiosks as well as their home PCs and even corporate PCs)... Depending on how infuckted you are, you can define different access levels (keylogger = no access, normal cookie crap and a couple Browser Helper Objects, you get access to webmail only. You're clean? Congrats, you get the Intranet and network drive shares). It sounds great and all, but I can't say I've had time to see if the rubber meets the road. Read for yourself, more info here and here.
This is definitely a very interesting 'ask slashdot', and I'll be keeping my eye on the ideas presented.
Whilst googling for another place to download the ISO (I'm late to the party and the agnula.org site is smoldering), I found this mailing list announcement that mentions their French Mirror, graciously hosted by IRCAM:
Just going through the pain of 2 days without Comedy Central and CBS have left a sour taste in my mouth. I was seriously considering upgrading my dish setup to include the new 921 DVR, but I'm upset with both Charlie and Viacom. Viacom doesn't directly get my money, but Charlie does... I ain't paying him $900 for a piece of hardware.
I was 1/2 tempted to pull the trigger on VOOM, but they don't carryTechTV, nor offer a PVR device.
Instead of watching Letterman the other night, I started reconsidering my options... Comcast does not yet have HDTV cable in my area. I have 4 TVs (1 HD and 4 standard), and I absolutely require the crack that is TechTV _and_ a PVR now that I've sampled the both of them. What's a geek to do? I currently use a HTPC to pull in local channels over the air, but CBS only comes in at around 50% signal strength (WBBM in Chicago Fiasco.) It would be great to get DVR, HD/Standard Def, and program guide integration so I have a wife-proof solution. Anyone else go through these pains?
DirecTV seems like an option, especially if I pick up the DirecTiVO with DVD recorder, and maybe tack up an HD reciever... but that sounds like it will cost me a bit of coin as well.
Agreed. We try to 'greenhorn' in good network admins/engineers. Start them off in basic fw administration, show them the ropes of the IDS (Snort!), and teach them why it's important to ride their former coworkers like zorro to ensure thier stuff is up to date patchwise.
The basic fact of the matter is, Network Security _requires_ a seasoned network admin/engineer/programmer who has the potential to analyze systems on all levels of the OSI model (when analyzing a production payroll server - is it plugged into a hub all the way up to transmitting passwords in cleartext or non-aged accounts?). I'd say it's damn near impossible for a hair stylist to come into a company as a Network Security Administrator, but a hungry NT admin or Network Engineer has great potential.
I manage 11 Nokia devices in B2B site to site VPNs around the world. For the remote managability and the ability to pre-configure and 'parachute' them into their environment, there is absolutely no better piece of hardware out there. I have an IP330 in Japan with an uptime of damn near 2 years.
Lately, however, I've had differing opinions of Nokia. Why should I pay $4K for an AMD processor and then $1500 a year for support? It's insane! I could take a $4K HPaq DL360 and install Check Point's (free) SecurePlatform on it. Hands down 10000% better performance, and SecurePlatform (RedHat) is a supported Check Point SKU on commodity hardware. A drive pops on an IP330? You're screwed.
The only major benefit I can think of in regards to this article is the Linux/IPSO performance numbers I've read about... I've heard that Linux will hands down outperform IPSO, but have _not_ done any formal testing myself. If I could take an IP330, install RedHat 7.3 (like I have running my management server), and then FW1, plus still have the remote managability (using the internal modem), I'd think about it. The article doesn't say a thing about the internal modem (an additional option), but I'm betting that it ain't gonna work.
my.02
Re:well since noone else wants to ...
on
Securing Your Network?
·
· Score: 2, Insightful
I know this is Slashdot and all, but I stopped reading your post the second you said you have 'Sisco' routers.
It's a bit difficult to respect your level of experience when you can't spell the company's name that provides your infrastructure and the connectivity of all of your remote sites.
NetApp has been excellent at addressing previous CERT vulnerabilities (ie DNS resolver client). Also, if you notice, they state the Gigabit 1 NIC is at risk, which leads me to believe their Filers (NAS devices) are more vulnerable than their NetCache devices. Usually, it's Damn Good Practice(tm) to leave your NAS devices _inside_ your LAN.
OTOH, I'm extremely concerned about vendors like Nokia (IP firewalls), Cisco, and off-the-shelf NIC vendors like Intel and 3Com because of the impact of exploiting security devices (firewalls, proxies, IDS, etc).
For the most part, I agree with your theory that most wireless users (be they wardrivers, casual corporate users, or geeks trying to check up on slashdot) aren't threats, one needs to take into consideration crackers.
If I'm a malicious cracker and I'm out wardriving around, I find an unprotected network. Sure, I may not care about the corporate resources on _that_ network I'd have to IPSEC to, but what about other networks? I've gained access to Corporation XYZ's WLAN, why don't I start rooting boxen on other networks? They're going to trace it back to XYZ's netblock, and potentially pursue legal action. As the security architect for XYZ, I would have no option to view my deployment as criminal negligence. Sure, my internal net is protected, but crackers are sullying my good name by using my network to attack others. What if the cracker decides to use my WLAN to attack my strongest competitor? Do I drop an IDS on the WLAN? Now I've spent more time/money/resources in babysitting my open WLAN than properly introducing (be it weak) WEP and (be it also weak) registered MAC addresses.
Rose Electronics remote KVM
on
Cheap KVM Over IP?
·
· Score: 3, Interesting
We have a semi-large farm of Windose Boxen at a lights-out colo (Frontend application servers to most of the UNIX boxen). We just picked up the Rose ElectronicsUltralink for remote management. We need this so we can do remote diags, like troubleshoot hardware, view POST, etc. We have Cyclades for the *NIX boxen, and our HP Netservers have the serial 'management' console that other people are boasting about, but that just won't cut it in a real-world production environment. A Console is a Console and a serial port is a serial port.
We're going to plug the Ultralink into our cascaded KVM tree and hope for the best. Initially looking at the unit, I have some gripes:
* No distributed authentication. It's gotta be local accounts. Can't hit my LDAP, NIS, NT Domain, or RADIUS servers.
* Client is a proprietary Win32 app. No JAVA, no browser. Cripes, not even ActiveX!
* Only one user at a time... including console. You have to log into the console to gain access (crappy for CEs out to fix a problem), and if the CE stays logged in, guess what? You can't access it remotely! We had to plug it into our intelligent PDU so we could remotely hard boot it if that happened.
* We have what must be version.99a... we had to wait about 2 months to get it, and we must have been the first guinea pig to take shipment. I'm afraid to open it up to see if there is about 35 feet of spaghetti-wire patches.
Aside from these (minor) flaws, I think we'll be OK. Anything is better than booking a last-minute 606 mile flight to reboot a Windows box that shows 'It is now safe to power off your computer' because PCNowhere admin chose the wrong logoff choice. [don't laugh] (Although, there is Buckhead...)
You're right... The LH3/LH4/LX8000 series LCD displays are completely useless. The older Compaq Proliant (3000, 6000 series) would show the CPU utilization, mem util, etc... As an influential HP shop, I asked them for these enhancements for years. For god's sake, just let me show the server's host name!
Alas, there may be some justice in this world since the Proliants will be the dominating HP server model.
I seem to recall the rumour that Saddam Hussein ordered hundreds/thousands of PS2s shipped to Iraq when they first came out because of export restrictions of normal PCs.
If someone were to port Linux to unmodded Xboxen, I would imagine an inexpensive, powerful Cluster solution is not far behind, and I'm thinking of different solutions than one big-ass Quake server.
Got an email asking if I wanted to beta one. Replied sure (duh, more geek-toys), and a rep called me. Currently, only Win2K drivers are out (again, duh... Who needs an embedded firewall more than a Windoze box?) but Linux drivers are right behind. So far, there are 2 NICs, a 'server' class NIC and a 'workstation' class NIC. The differences aren't throughput; it's the capacity for 'rulebases'. Forthcoming are PCMCIA NICS (great for end users who VPN in and are exposed to the 'Net), and potentially a combo 56K/NIC in the next year.
All in all, should be pretty cool for people like me stuck in the corporate world.
I have an "older" Neopoint NP1000 w/ Sprint PC$... AT commands work flawlessly. I think the "modem" is really emulated at the network, when you type AT, your phone just relays it to SprintLand where their network takes it, and responds "OK".
-MoreBeer
Slashdot Mirror
Nothing a AR50 with .50cal incendiary rounds won't fix...
HardOCP TV - .50 Caliber BMG - Shooting Hard Drives
So we have about 3000 laptops in our organization. Mostly Win2K Pro, some XP pro. Users only have power user rights, and we're so far behind on patching it's not even funny (can you say SP2 with 1 or 2 hotfixes?). Their machines are so overrun with Spyware that some web apps won't even run.
Due to our desktop team's negligence in patching (even though we own Altiris), I've been taking a hard look at Cisco's Secure Agent... It's really robust, but it complains about ANYTHING trying to do ANYTHING (think Zonealarm from hell), the Altiris client apparently needs 'self modifying code' to run, KlipFolio tries to make a network connection and all sorts of alarms go off, and most spyware still ends up installing anyway. I've been spending some time with Cisco, and I'm sure I'll be spending more, but this looks like an uphill battle the entire way.
Another 'solution' I'm looking at is the Check Point Integrity VPN client (Check Point sucked up Zone Labs last year)... Instead of my clients using traditional VPN software, we'd look at deploying an SSL-type-VPN with Integrity. Basically, everytime you make a VPN connection back to our office, your machine gets scanned for spyware (this would hold true for Internet kiosks as well as their home PCs and even corporate PCs)... Depending on how infuckted you are, you can define different access levels (keylogger = no access, normal cookie crap and a couple Browser Helper Objects, you get access to webmail only. You're clean? Congrats, you get the Intranet and network drive shares). It sounds great and all, but I can't say I've had time to see if the rubber meets the road. Read for yourself, more info here and here.
This is definitely a very interesting 'ask slashdot', and I'll be keeping my eye on the ideas presented.
Whilst googling for another place to download the ISO (I'm late to the party and the agnula.org site is smoldering), I found this mailing list announcement that mentions their French Mirror, graciously hosted by IRCAM:
. 1.1/demudi-live-cd_1.1.1.iso
http://freesoftware.ircam.fr/mirrors/agnula/1.1/1
Now that my download is almost complete, I feel I can share the love.
Just going through the pain of 2 days without Comedy Central and CBS have left a sour taste in my mouth. I was seriously considering upgrading my dish setup to include the new 921 DVR, but I'm upset with both Charlie and Viacom. Viacom doesn't directly get my money, but Charlie does... I ain't paying him $900 for a piece of hardware.
I was 1/2 tempted to pull the trigger on VOOM, but they don't carryTechTV, nor offer a PVR device.
Instead of watching Letterman the other night, I started reconsidering my options... Comcast does not yet have HDTV cable in my area. I have 4 TVs (1 HD and 4 standard), and I absolutely require the crack that is TechTV _and_ a PVR now that I've sampled the both of them. What's a geek to do? I currently use a HTPC to pull in local channels over the air, but CBS only comes in at around 50% signal strength (WBBM in Chicago Fiasco.) It would be great to get DVR, HD/Standard Def, and program guide integration so I have a wife-proof solution. Anyone else go through these pains?
DirecTV seems like an option, especially if I pick up the DirecTiVO with DVD recorder, and maybe tack up an HD reciever... but that sounds like it will cost me a bit of coin as well.
It's called a Fire Hazard.
When I was a kid the actual usable life was in the toilet... I can only imagine poor luck nowadays with MP3 players, digital cameras, etc...
If you don't use the right batteries in my HP Digital Camera, the life is sucked out of them in 15 minutes!
Agreed. We try to 'greenhorn' in good network admins/engineers. Start them off in basic fw administration, show them the ropes of the IDS (Snort!), and teach them why it's important to ride their former coworkers like zorro to ensure thier stuff is up to date patchwise.
The basic fact of the matter is, Network Security _requires_ a seasoned network admin/engineer/programmer who has the potential to analyze systems on all levels of the OSI model (when analyzing a production payroll server - is it plugged into a hub all the way up to transmitting passwords in cleartext or non-aged accounts?). I'd say it's damn near impossible for a hair stylist to come into a company as a Network Security Administrator, but a hungry NT admin or Network Engineer has great potential.
I manage 11 Nokia devices in B2B site to site VPNs around the world. For the remote managability and the ability to pre-configure and 'parachute' them into their environment, there is absolutely no better piece of hardware out there. I have an IP330 in Japan with an uptime of damn near 2 years.
.02
Lately, however, I've had differing opinions of Nokia. Why should I pay $4K for an AMD processor and then $1500 a year for support? It's insane! I could take a $4K HPaq DL360 and install Check Point's (free) SecurePlatform on it. Hands down 10000% better performance, and SecurePlatform (RedHat) is a supported Check Point SKU on commodity hardware. A drive pops on an IP330? You're screwed.
The only major benefit I can think of in regards to this article is the Linux/IPSO performance numbers I've read about... I've heard that Linux will hands down outperform IPSO, but have _not_ done any formal testing myself. If I could take an IP330, install RedHat 7.3 (like I have running my management server), and then FW1, plus still have the remote managability (using the internal modem), I'd think about it. The article doesn't say a thing about the internal modem (an additional option), but I'm betting that it ain't gonna work.
my
I know this is Slashdot and all, but I stopped reading your post the second you said you have 'Sisco' routers.
It's a bit difficult to respect your level of experience when you can't spell the company's name that provides your infrastructure and the connectivity of all of your remote sites.
NetApp has been excellent at addressing previous CERT vulnerabilities (ie DNS resolver client). Also, if you notice, they state the Gigabit 1 NIC is at risk, which leads me to believe their Filers (NAS devices) are more vulnerable than their NetCache devices. Usually, it's Damn Good Practice(tm) to leave your NAS devices _inside_ your LAN.
OTOH, I'm extremely concerned about vendors like Nokia (IP firewalls), Cisco, and off-the-shelf NIC vendors like Intel and 3Com because of the impact of exploiting security devices (firewalls, proxies, IDS, etc).
For the most part, I agree with your theory that most wireless users (be they wardrivers, casual corporate users, or geeks trying to check up on slashdot) aren't threats, one needs to take into consideration crackers.
If I'm a malicious cracker and I'm out wardriving around, I find an unprotected network. Sure, I may not care about the corporate resources on _that_ network I'd have to IPSEC to, but what about other networks? I've gained access to Corporation XYZ's WLAN, why don't I start rooting boxen on other networks? They're going to trace it back to XYZ's netblock, and potentially pursue legal action. As the security architect for XYZ, I would have no option to view my deployment as criminal negligence. Sure, my internal net is protected, but crackers are sullying my good name by using my network to attack others. What if the cracker decides to use my WLAN to attack my strongest competitor? Do I drop an IDS on the WLAN? Now I've spent more time/money/resources in babysitting my open WLAN than properly introducing (be it weak) WEP and (be it also weak) registered MAC addresses.
We have a semi-large farm of Windose Boxen at a lights-out colo (Frontend application servers to most of the UNIX boxen). We just picked up the Rose Electronics Ultralink for remote management. We need this so we can do remote diags, like troubleshoot hardware, view POST, etc. We have Cyclades for the *NIX boxen, and our HP Netservers have the serial 'management' console that other people are boasting about, but that just won't cut it in a real-world production environment. A Console is a Console and a serial port is a serial port.
.99a ... we had to wait about 2 months to get it, and we must have been the first guinea pig to take shipment. I'm afraid to open it up to see if there is about 35 feet of spaghetti-wire patches.
We're going to plug the Ultralink into our cascaded KVM tree and hope for the best. Initially looking at the unit, I have some gripes:
* No distributed authentication. It's gotta be local accounts. Can't hit my LDAP, NIS, NT Domain, or RADIUS servers.
* Client is a proprietary Win32 app. No JAVA, no browser. Cripes, not even ActiveX!
* Only one user at a time... including console. You have to log into the console to gain access (crappy for CEs out to fix a problem), and if the CE stays logged in, guess what? You can't access it remotely! We had to plug it into our intelligent PDU so we could remotely hard boot it if that happened.
* We have what must be version
Aside from these (minor) flaws, I think we'll be OK. Anything is better than booking a last-minute 606 mile flight to reboot a Windows box that shows 'It is now safe to power off your computer' because PCNowhere admin chose the wrong logoff choice. [don't laugh] (Although, there is Buckhead...)
You're right... The LH3/LH4/LX8000 series LCD displays are completely useless. The older Compaq Proliant (3000, 6000 series) would show the CPU utilization, mem util, etc... As an influential HP shop, I asked them for these enhancements for years. For god's sake, just let me show the server's host name!
Alas, there may be some justice in this world since the Proliants will be the dominating HP server model.
I'm not normally a theorist, but...
""
I seem to recall the rumour that Saddam Hussein ordered hundreds/thousands of PS2s shipped to Iraq when they first came out because of export restrictions of normal PCs.
If someone were to port Linux to unmodded Xboxen, I would imagine an inexpensive, powerful Cluster solution is not far behind, and I'm thinking of different solutions than one big-ass Quake server.
Am I completely insane here?
Got an email asking if I wanted to beta one. Replied sure (duh, more geek-toys), and a rep called me. Currently, only Win2K drivers are out (again, duh... Who needs an embedded firewall more than a Windoze box?) but Linux drivers are right behind. So far, there are 2 NICs, a 'server' class NIC and a 'workstation' class NIC. The differences aren't throughput; it's the capacity for 'rulebases'. Forthcoming are PCMCIA NICS (great for end users who VPN in and are exposed to the 'Net), and potentially a combo 56K/NIC in the next year.
All in all, should be pretty cool for people like me stuck in the corporate world.
Is it me, or is the Technical Leader for Cisco named Huge BareAss?
I thought he worked for goatcx...
I have an "older" Neopoint NP1000 w/ Sprint PC$... AT commands work flawlessly. I think the "modem" is really emulated at the network, when you type AT, your phone just relays it to SprintLand where their network takes it, and responds "OK". -MoreBeer
Dammit, let the rabbits wear glasses! -tool