Slashdot Mirror


User: yosemitesammy

yosemitesammy's activity in the archive.

Stories: 0
Comments: 18

Comments · 18

  1. Re:Forget about civilian damage... consider worse on The Backhoe, The Internet's Natural Enemy · · Score: 1

    If you'd read the article (or another source with $clue, say NANOG) you'd know that this was a national ring, and the other part of it was also cut and under repair outside Reno, NV at the time. You can't cut any ring architecture network in more than one place on a single ring and NOT have it fail.... it is a function of ....geometry???

  2. Re: ring architecture on The Backhoe, The Internet's Natural Enemy · · Score: 1

    SONET/SDH rings are *usually* but not always built this way.... SONET/SDH is a Layer 1 standard... but it does not specify construction details... the idea here is ring architecture, be it token ring, RPR, SONET, FDDI or whatever. Ring architecture is the bare minimum cheapest tradeoff of redundancy and cost. Partial mesh with MPLS switching or routing is much more resilient.

  3. Re:try Ubuntu Breezy Beaver 5.10 on The Debian System Explained · · Score: 1

    I don't know... mine was an Intel mini-PCI card using the ipw2200 driver..

  4. Re:try Ubuntu Breezy Beaver 5.10 on The Debian System Explained · · Score: 1

    Ubuntu Breezy Beaver 5.10

    I switched to it from RHEL4 and FC4 on a Dell Latitude D610 and was *very* pleased with the sound/wifi/video/multimedia that all worked with minimal (ie: NONE) hassles out of the box.

  5. Feynman's Lectures on Computation on What Should People Understand About Computers? · · Score: 1

    this is a good reference... Feynman's Lectures on Computation. Seriously.... several things about computer science became clearer once I had read part of it...

  6. USERS NEVER NEED ROOT ON A "PROD" SYSTEM on Linux in a Business - Got Root? · · Score: 1, Insightful

    If the system is truly "PRODUCTION", the users should never ever ever ever ever get root. Root in "QA" and "DEVELOPMENT" environments is something else entirely. I would say not in "QA" environment as that should be a mirror of "PRODUCTION", used solely for testing updates before fragging the "PRODUCTION" environment. In "DEVELOPMENT", the developer monkeys often legitimately need root to work out the issues, change service configs and restart, etc.

    By the way... as primarily a network engineer... how many of you out there truly replicate the "PRODUCTION" environment in your "QA" and "DEVELOPMENT" environments... ie: the same model and numbers of firewalls (in HA or Firewall load-balanced config), GLSB's, SLB's, routers (with redundant routing/forwarding engines), IDS's, switches (with redundant routing/forwarding engines and its GLBP/VRRP/HSRP peer), SSL offloaders, etc.. in addition to the web, application, and database servers that all that infrastructure is there for???? I'll bet almost none..... (full replication of a POP architecture is fairly standard in medium to larger ISPs so that a bug, code update etc can be tested/isolated w/o fragging the revenue generating ISP network... the "lab" expense is justified as on-site spares for when the network infrastructure has a meltdown...)

  7. Re:Step 1: Create an IT Department... on Creating an IS Department? · · Score: 1

    LOL!! Sounds like a PFY that hasn't been BOFH'd yet. BOFH

  8. Re:Fight in Cyberspace? on The New Air Force Mission? · · Score: 1

  9. Re:Fight in Cyberspace? on The New Air Force Mission? · · Score: 1

    exactly... *apparently* is right...

    • examine economic impact on Europe after the first Crusade...
    • look at the decision of the fourth Crusade to sack Constantinople rather than the professed purpose of the Crusades, or recapture the Holy Land
    • or the later Crusade (8th maybe) to the Balkans, rather than the Middle East

    Wars always have been and *always* will be about economics... see Clausewitz's Vom Kriege (On War)

  10. Re:Flying and fighting in cyberspace? on The New Air Force Mission? · · Score: 1

    some interesting facts for you people to mull over:

    • ALL Predator missions are flown from the Predator CAOC at Nellis Air Force base via remote control over a vast private fiber network. (well technically Indian Springs, but Nellis Tech Controllers do the support for that base) Predator info
    • the DOD has the largest number of ASN's assigned to it (try "whois -h ws.arin.net DoD" and "whois -h ws.arin.net DISA")
    • DOD has far and away the most IP address space assigned to it. (can't find the page summarizing IP assignment stats to orgs just now)
    • the DOD operates 2 global IP networks, NIPRNET (unclassified) and SIPRNET (classified)
    • part of the Force XXI initiative is WIN-T ... Warfighter Information Network - Tactical, a tactical radio/satellite/wireline circuit backbone linking theater networks for Net-centric warfare to the DOD Global Information Grid Net-centric Warfare

  11. Re:Fight in Cyberspace? on The New Air Force Mission? · · Score: 2, Insightful

    All wars ever, everywhere, always have been and always will be, based on economics.

  12. Re:Border security on Cryptography in the Database · · Score: 1

    We have app proxy firewalls (Cyberguard TSP), but have found that actually *using* the proxy and app-aware firewall proxy features inbound breaks the application either due to the firewall/app proxy slamming the connections shut at some interval and Oracle not checking for connectivity before trying to use these closed connections.... using proxy features outbound breaks many websites out there on the net.... so the functionality is essentially wasted.
    Securing the application via *good* coding and code review is the only sustainable way to prevent application level attacks, IMHO.

  13. Re:Border security on Cryptography in the Database · · Score: 1

    which part?
    application penetration testing and code review covers most of that just fine, with firewalled CVS config repository with strong user access authentication handling 6.5.10

  14. Re:Border security on Cryptography in the Database · · Score: 1

    which part?
    application penetration testing and code review covers most of that just fine, with firewalled CVS config repository with strong user access authentication handling 6.5.10

  15. Re:Database encryption hasn't been important... on Cryptography in the Database · · Score: 1

    What does it NOT save you from?
    someone sniffing the traffic as it crosses the network via SPAN session on a switch, or tcpdump from a unix-based firewall (ie: Cyberguard or Secure Computing)
    In-flight data encryption, even internally on the private network is needed, in addition to at-rest data encryption.

  16. Re:Border security on Cryptography in the Database · · Score: 1

    11.4 == SPAN traffic from appropriate subnets to a box running Snort for a NIDS, IPTables on Linux hosts as HIDS, trapping to multiple syslog servers which email, page, SMS msg, etc
    11.5 == Osiris doing the same sort of notifications

  17. Re:Border security on Cryptography in the Database · · Score: 2, Informative

    Level 1 service provider ... recently passed PCIDSS v1.0 compliance ... auditor was Cybertrust, an approved auditor, and yes we have the 3rd party scans quarterly, and NO application aware firewall is required, either in the PCIDSS standard, OR the Audit Procedures.... I've got a ROC to prove it. Additionally some flawed items from PCIDSS are that certificates and password is sufficient for 2-factor authentication, that NAT is required as a security feature, and that *Compensating Controls* can be accepted by Visa instead of compliance with the PCIDSS standard ... IE: an additional firewall limiting access to cleartext database server rather than *actually* encrypting or rendering unreadable account # information in the database everywhere on disk or on tape.... see a big processor's example of a compensating control. I know for a *fact* that FDMS and VISA are currently in violation of at least a portion of PCIDSS, as the routers and switches VISA deploys as part of a DEX package are not capable of SSH (v1 or v2) and neither is FDMS's equipment.

  18. Re:Border security on Cryptography in the Database · · Score: 1

    You're HIGH if you think that companies handling credit card transactions are *required* to use an application level firewall... PCIDSS Section 1.1 requires a FIREWALL... and that's it... I've been through a PCIDSS audit and a stateful packet inspection firewall will pass just fine...