Slashdot Mirror


User: aetius2

aetius2's activity in the archive.

Stories: 0 · Comments: 59

Comments · 59

  1. Re:Bad Red Hat, Bad! Shame on you on Red Hat Linux 7.1 Release Announcement · Score: 1

    Should be -- the hard drive installation uses it now (you loopback mount the ISO image) so it has had a good deal of testing. Support knows of no problems currently -- file 'em if you find 'em.

    Matt
  2. Re:Security on Red Hat Linux 7.1 Release Announcement · Score: 1

    Also no idea on what the "debacle" was, but... The default firewall is actually ipchains, and the configuration tool is lokkit, a simple ipchains-based tool. The iptables stuff is all in there, with /etc/sysconfig/iptables in iptables-save format and the ability to control the firewall via the service scripts. Support is working on some docs for the Knowledge Base (and possibly helping with the LDP stuff, still a ways out) that detail some basic iptables configurations and how to set them up.

    In addition, the Engineering team (with some small assistance from Support) went over every service, and locked everything down as much as was practical. For example, *everything* under xinetd is disabled by default, and you have to turn it on intentionally. lpd isn't started if it isn't needed, and sendmail is localhost only (used by too many things in the system to be off by default). As far as security goes, even the "no firewall" option is a good deal better than anything we've ever done, in my opinion, and the "high security" option looks like a black hole to nmap. :) There probably is more work we could do on default file permissions and that sort of thing -- detailed suggestions and rationales are always welcome on bugzilla.

    Matt
  3. Re:which 2.4? & SRPMS on Red Hat Linux 7.1 Release Announcement · Score: 1

    I can't speak for the developers here, but from the support side 7.0 was an okay release. Other than the initial "I can't compile my kernel" panic and the rp3/init-scripts general craziness, 7.0 was a pretty quiet release.

    Can I ask what you would like to see as an escalation path? Would a referral to Sales to purchase a higher-level support contract be enough? That's what we do currently. Any comments and suggestions would be welcomed (flames too, if you feel like it -- we're tough). Thanks,

    Matt
  4. Re:which 2.4? & SRPMS on Red Hat Linux 7.1 Release Announcement · Score: 1

    I'll catch this for support. We had some problems with our auto-mailer a few months ago that we didn't catch for a while (it was failing silently). We thought it was a rare intermittent problem, and it turned out to be much more serious than that. All that was fixed about a month ago. As noted on our web site and in the email you receive when you submit a ticket via the web site, you can contact sup-manager@redhat.com if there are any problems with your submission. We do not have an email address that you can send support requests to -- all of that is handled on the web site. As far as we know, there were no problems with the initial automated response -- everyone seemed to get those. If you did not get one, drop me a line off-list and we can look into it.

    In any case, Installation Support would not have been able to help you with your issue, as we don't assist people working on compiler problems. What we support is defined in our Service Level Agreement. Also feel free to comment on the SLA to sla@redhat.com -- I wrote the monstrous thing and would love some feedback.

    Finally, Bero is right -- bugzilla is the way to go for issues like these, so that you can deal with someone that really knows what you are talking about. Support does have support available at that level (developer support) but it does not come with the boxed set.

    Matt
  5. Re:My Wishlist: on What Would Your Dream Calendar Program Look Like? · Score: 1

    Problems we've had at work:

    Handling telecommuters and remote offices. This is really big for us since we have a lot of small offices around the world and a lot of people who telecommute from different countries. This kind of thing will only get more prevalent. The scheduling app has to handle low-bandwidth high-latency situations well, which probably means severely limiting the bandwidth used to communicate (and also making it configurable).

    Providing security out of the box. Anyone who doesn't integrate SSL into an application like this is just asking for trouble. This goes against the KISS principle, but is required for today's corporations and project groups to take it seriously.

  6. Re:Linux IS supported -- it's a known bug on AMD's DDR-Capable 760 Chipset Reviewed X3 · Score: 1

    heh -- I did. Too damn early in the morning. :)

  7. Linux IS supported -- it's a known bug on AMD's DDR-Capable 760 Chipset Reviewed X3 · Score: 5

    The 760 is NOT at fault. The Linux error he reported is a known bug -- see Red Hat bugzilla ID 19535 (I added the workaround this morning, after realizing that we hadn't put anything up about this on our website). It is basically the kernel trying to disable the P3 serial number -- on the Athlon processor. (oops) It only affects Thunderbird-core Athlons and Durons. It has been fixed in all 2.2.16 and later kernels. I emailed damage to let him know about it -- hopefully we'll get to see some benchmarks.

    After installation, at the LILO boot: prompt use this command:

    linux x86_serial_nr=1

    That'll get you booted, and you can upgrade/recompile/append to lilo.conf from there. There was supposed to be a Gotcha added for this, but obviously it isn't up yet. I'll track things down today and get it added to the Gotchas page for 6.2.

    Aetius
  8. Re:The Bar on Lawsuits Suck · Score: 1

    (rant) So let me get this straight -- if I work hard, make money, and am successful, Mr. Nader wants to take away my success because it isn't fair !!!!! Screw you. Who defines what "we" like? Who is going to enforce the tax on my Tool tunes because "they" don't like it? Let 'em try. And just for the record, you can buy food and books on the Internet, Mr. Nader, which just goes to show how shockingly ignorant you are. Small businesses have a way better chance on the internet than in any other milieu -- where else is your possible customer base the world? Businesses that could've never survived on Main Street are flourishing on the Internet. New businesses and ways of doing business are being created every day. That is why we don't tax the Internet. (/rant)

    Here's a paraphrased tip from a well-loved movie: Mr. Nader, life is unfair. Anyone who says differently is selling something. I can honestly say I believe that anyone who votes for this man is a fool.

    Sorry for the explosion, but to see this quoted and praised just ticks me off.

  9. Re:PC is hardly dead - but it may not be very well on Vanishing Game Genres · Score: 1

    I would disagree with the entire article. There is innovation occurring at a fantastic rate in the PC Gaming industry -- you just have to look for it. I mean, you can count the really great PC games in the last ten years on your fingers. It's always been like this, but since there is a lot more money involved now, the wait between the games seems much longer.

    I like Diablo II sometimes, and I like Combat Mission sometimes -- it depends on my mood. I would like to see a lot more innovation rather than putting out games that are guaranteed to make money because they are basically identical to a previous game with a few twists, and that is happening.

    Specifically, I would disagree entirely with the death of the War Game genre. The meteoric rise of Combat Mission makes this out for the lie it is. CM has a huge and rapidly growing fan base -- they've sold so many games they were out of stock a couple weeks ago. It just goes to show that it depends entirely on the gameplay, and not flashy graphics. Let's play!

  10. Re:Society is logarithmic... on Peter Wayner On The Spread Of Information · Score: 1

    Now, however, the interests of corporations (like the interests of the Catholic Church in Martin Luther's day) demand that information be controlled so they don't lose their privileged positions. Who says they won't win?

    Where are the Chinese today? Resurgently powerful, and beginning to realize that they again hold a place on the world stage. And they have gotten there not by restricting information, but by spreading it -- allowing the infection to enter their country (as if they could stop it) but guiding it, using it, reaping the benefits of it -- accepting it as inevitable and finding ways to exploit the Information Age to their own ends (right or wrong) rather than fight it. They have not forgotten their humiliation and occupation (Hong Kong, Japan in WWII, etc). And they know that that happened to them because they slipped behind in their information skills.

    And where is the Catholic Church today? Still doing its job, but without the vast temporal power that it wielded in Luther's time. The Catholic Church doesn't have armies, they don't own country-size areas of land, and the Pope does not have the final say in the secular matters of any country (although I think the Church makes a valuable contribution, that's off-topic here).

    Why did this happen? Arguably, it was because one man, Luther, decided to take a stand against the Church and expose the non-Christian things that were going on at the time (indulgences, etc). Information destroyed the secular power of the Church. In this case, you could even argue that the information became more useful/powerful as it spread among the populace of that time. And it was the printing press that enabled this to happen.

    I think the spread of information is diametrically opposed to attempts to centrally control nations, people, and power. The Internet scares a lot of companies because of this. It travels where they cannot go, it touches where they cannot reach, and it ruthlessly exposes companies who forget the basic rule that the customer comes first. Worse, it practically ensures that anything of interest, once leaked, is impossible to control, as it is almost instantly known to several million of the most influential people in the world.

    Who says they won't win? I do. They may win today, tomorrow, or even for the next few years. But the tide of history is against them. The genie is out -- it is up to each of us to choose our wishes. The sum of those wishes will determine where we go from here. If corporations do succeed in controlling the Internet, it will be because we, the developers and builders and users of the Internet, allow it to happen.

  11. Re:this is turning into WTO all over again. on 2600 Staffer Arrested During Republican Convention · Score: 1

    Ummmm... the Boston Tea Party was a riot. :) Or rather, a planned destruction of property, so it was worse than a riot -- it was essentially an act of terrorism. The rough equivalent today would be destroying an oil tanker (minus all the pollution).

  12. Re:Completely Unnecessary on Words From Bastille Developer Jay Beale · Score: 1

    Granted, if one needs a super high performance Internet server they should use FreeBSD or Linux, behind an OpenBSD firewall :-)

    That's why Bastille Linux is being written and maintained. The OpenBSD firewall can't stop what it has been configured to let through -- all the boxes in the DMZ need to be locked down as tight as a drum, regardless of OS. Bastille is for those Linux boxes that, for whatever reason, have to exist on the internet, be they firewalls, LDAP servers, VPN machines, or web servers.

    Aetius
  13. Re:User Community? on Linux Implementation For 2500 Workstations? · Score: 1

    I'd add a third group, although it doesn't seem that there will be many in this installation -- technical users. These users need powerful, flexible machines, and tend to have more problems (and sometimes be able to fix them themselves) than the other user groups because they are pushing their machines to the limit.

    This group is tough to deal with because scripted installations are hard to maintain for them (in some cases they are creating either the script or the software that is being scripted!). These users need access to individual scripted applications that can be installed if necessary, and removed just as easily (there's a CA product that does this, and Novell and Microsoft both have the capability, as well as all the Unices through scripts). These users can be a source of help and good ideas, though, as they often have many talents in different areas.

    Aetius
  14. Re:I'll let others slug it out over desktop ideas. on Linux Implementation For 2500 Workstations? · Score: 1

    I think this is kind of bogus. I believe the real issue here is how many different kinds of workstations you have. With a scripted automatic installation, who cares how many workstations you have? That's just time and network bandwidth, which is important but not critical in terms of upgrading. The effort put into scripting an installation of 25 machines versus the effort put into 1000 machines is exactly the same if the workstations are all identical. Hence, the real problem is how many different workstation "templates" you are going to have -- that's where the work is. In my experience, most servers are different -- it seems that people need servers to be flexible, strangely enough. That means that a scripted across-the-board server installation is more prone to failure, and you generally have more server templates than you do workstation templates (excepting some folks like ISPs). That's because it is easier to make the workstations generic -- an application that is installed but not used is just disk space, and we all know we've got plenty of that on anything that isn't a server. :)

    This is where LDAP fits in -- not only can you go to someone else's workstation and log in, but you also get all of your personalizations, and can log into any of your applications just as easily as if you were at your own machine. At least in theory...

    Aetius
  15. Re:Kickstart on Linux Implementation For 2500 Workstations? · Score: 1

    I've used it in 6.2, it works like a charm.

    Aetius
  16. Re:Tailored installation, user/system separation on Linux Implementation For 2500 Workstations? · Score: 1

    There are a couple of things you also need to consider here. We've had trouble finding a good project management package on Linux, as well as a good HR package. You need to seriously consider what you are rolling these desktops out for -- and have a solution built before the first desktop hits the production floor.

    You basically have two choices when it comes to upgrading -- automated re-installation from a developed image (Ghost-type) or scripted installation of various products, with the script changing over time and modified to take into account all the older systems, so that by running the script you will bring all workstations to the same level (in that department at least). The scripting solution takes a little more maintenance but is a lot more flexible in terms of upgrading applications, while using the Ghost-type solution is low-maintenance, but means that your workstations will always be behind the curve and slow to respond to the user's needs.

    Aetius
  17. Re:Why not a firewall. on The Slashdot DDoS: What Happened? · Score: 1

    First off, Russ, you should know that all boxes that are connected to a network (any network) are not secure. So the question becomes, How can I make things harder on an attacker? How can I make it as difficult as possible for someone who is trying to break in?

    Firewalls do a few useful things. One, they provide a single point (suitably redundant) that all incoming and outgoing traffic must pass through and be checked (well, poorly, whatever). This allows you to monitor one place, one server, and see everything that is coming across from the Internet to your webservers. This is important -- it gives you the whole picture at the same time.

    Two: in combination with NAT/load balancing, they allow you to have multiple servers on the "same" IP address. The web servers can have internal IP addresses (192.168.0.0/16 or whatever) that are not addressable (theoretically and really because my firewall/router does not accept those IP's from the outside) from the Internet. Also, the way Slashdot is doing it makes sense -- separate the task of firewalling from that of doing NAT/load balancing. Sure, your latency is going to be a little higher because of going through two boxes, but not as bad as if you put both those tasks on the same machine. Even Slashdot does not have unlimited resources, and no machine is powerful enough to do everything. That's the whole idea behind load balancing, clustering, etc.

    The last advantage they give you is that, given the above arrangement, you can mask services that are theoretically more vulnerable. It works like this:

    A firewall should not have any ports open at all -- no services running. It accepts packets on all ports, checks them (however it does that) and either passes them to an internal network or drops them. Therefore it is very difficult (in theory) to compromise the firewall. One can attack the servers behind the firewall, which presents these issues:

    1) If I am able to compromise one of the servers, (say via an httpd buffer overrun exploit) I have to do it to most of them -- otherwise, in attempting to exploit my compromise, I might get sent to one of the uncompromised boxes (how do you know which one you'll get? remember the load-balancing, and you can't change that without being immediately noticed). This increases the time it takes to compromise the entire system and increases my vulnerability.

    2) Once I am able to compromise all the boxes (or enough of them to matter), how do I utilize those servers to do or get what I want? I can't telnet or SSH to them unless the firewall permits it, and I'm limited in my options to further attack the boxes (I can't use NFS exploits because the firewall won't let those packets through, etc). It's possible to get that theoretical http buffer overrun to return me some information, but highly unlikely that I will be able to use that to take control of the server or return any meaningful data from the disks. Eventually, I could probably do it -- but that means more time and more vulnerability for the attacker (being identified, etc). Without the firewall, the internet-connected host is much easier to exploit -- break in, launch a telnet or rlogin daemon, and away we go. With a firewall in place, it is much harder to do that sort of thing (as the firewall should be filtering outgoing packets too, on most ports).

    The bottom line is this -- yes, properly configured firewalls (KISS) are useful and effective tools in making things more difficult for an attacker. What DDoS attacks is the bandwidth that your site has. If the bandwidth is full, it doesn't matter what you have protecting your site, your viewers are still being denied service. Firewalls can help with this but generally need to be further upstream.

    What Slashdot discovered was that the devices they were using for firewalling/load-balancing were not up to the task, and were creating their own problems by failing at the critical moment. The decision they made was correct -- separate the tasks, don't allow any one point to be overwhelmed and become a DoS in its own right by succumbing to the attack. By "staging" their firewall/load-balancing, they helped the site deal with the attack instead of stopping it (which they can't do). If a machine is running two processes, it is more than twice as easy to run it up to 100% processor usage (or memory usage, or whatever), and the more tasks you run, the easier it is to overwhelm. Remember, the only real difference between a DDoS and real traffic is the popularity of your site. What is normal traffic to Yahoo would be a major DDoS to my site. They did what they could -- now the ISP and the folks upstream need to start looking around.
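
An added audit script (not part of the comment above, nor Red Hat's own tooling) that checks a ruleset written in the iptables-save format the Red Hat 7.1 comment mentions for /etc/sysconfig/iptables against the firewall model laid out in comment 17: default-DROP policies, nothing accepting new connections on the firewall itself, forwarding only toward the DMZ, and outbound traffic filtered too. The sample ruleset, the interface names and the 192.168.10.0/24 DMZ range are constructed for this example.

```python
"""Audit an iptables-save ruleset against a 'no services on the firewall' model."""
import re

# Constructed sample of an /etc/sysconfig/iptables file (iptables-save format).
# Interfaces, the DMZ range and the web server address are made up for the example.
SAMPLE_RULESET = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.10
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 192.168.10.0/24 -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

# Constructed weak variant: INPUT falls through to ACCEPT and the firewall itself listens on SSH.
WEAK_RULESET = SAMPLE_RULESET.replace(":INPUT DROP", ":INPUT ACCEPT").replace(
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT\n-A INPUT -p tcp --dport 22 -j ACCEPT")


def parse_ruleset(text):
    """Return {table: {"policy": {chain: POLICY}, "rules": [(chain, rule_text)]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                      # *filter, *nat, ...
            table = line[1:]
            tables[table] = {"policy": {}, "rules": []}
        elif line.startswith(":"):                    # :CHAIN POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            tables[table]["policy"][chain] = policy
        elif line.startswith("-A "):                  # -A CHAIN <match...> -j TARGET
            chain, rule = line[3:].split(" ", 1)
            tables[table]["rules"].append((chain, rule))
    return tables


def stateful_only(rule):
    """True when the rule only matches replies to connections that already exist."""
    m = re.search(r"--state\s+(\S+)", rule)
    return bool(m) and set(m.group(1).split(",")) <= {"ESTABLISHED", "RELATED"}


def audit(text, dmz="192.168.10.0/24"):
    """Return a list of findings; an empty list means the ruleset fits the model."""
    findings = []
    filt = parse_ruleset(text).get("filter", {"policy": {}, "rules": []})
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if filt["policy"].get(chain) != "DROP":
            findings.append(f"{chain} policy is not DROP")
    for chain, rule in filt["rules"]:
        if "-j ACCEPT" not in rule or stateful_only(rule):
            continue
        if chain == "INPUT" and "-i lo" not in rule:
            findings.append(f"INPUT accepts new connections to the firewall: {rule}")
        elif chain == "OUTPUT" and "-o lo" not in rule:
            findings.append(f"OUTPUT lets the firewall originate traffic: {rule}")
        elif chain == "FORWARD" and f"-d {dmz}" not in rule:
            findings.append(f"FORWARD passes traffic outside the DMZ: {rule}")
    return findings


if __name__ == "__main__":
    for name, ruleset in (("sample", SAMPLE_RULESET), ("weak", WEAK_RULESET)):
        print(name, audit(ruleset) or "OK")
```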

  18. Re:FreeBSD? on The Slashdot DDoS: What Happened? · Score: 1

    Backbone routers do not, in general, filter packets. It takes processor power to filter, and a lot of it, especially at very high traffic levels. In any case, it doesn't matter one whit whether you are doing local filtering or not when it comes to a DDoS attack. The packets still come to the firewall, still consume bandwidth, and (at this point who cares) if they are illegally addressed, get dropped. The point is that the bandwidth is still used on the line(s) from the ISP router(s) to the Slashdot firewall/load balancer/whatever.

    From what I know, right now anti-DDoS efforts revolve around getting people further up-stream to block the traffic, before it gets to Slashdot's ISP and Slashdot itself. The DDoS systems were designed to defeat this by, of course, using so many different hosts that upstream blocking is only partially useful.

    Aetius
  19. Re:I pray that Linux does not lead the way........ on On Leading vs. Following In The NOS World · Score: 1

    WINS is NOT a form of DNS. It is a hack to get around the non-routability of NetBIOS. It does match names to IPs but it matches NetBIOS names, not DNS names. It is intended specifically to assist the master browser/browsing network in building the master browse list (what you see when you click "network neighborhood"). It is in a parallel pipe to DNS -- similar task in a different environment, with some of the same structures (because name resolution is pretty standard no matter how you do it).

    Aetius
  20. Re:just a second... on Irrational Exuberance · Score: 1

    Not to jump into a waaaay offtopic discussion, but... Actually, I believe the gun-death rate has been decreasing in the U.S. for several years now, even in the high-risk demographic sectors (young black male being the worst and the demographic where most of the gun-deaths are concentrated). There have always been large numbers of guns in American society -- it is only recently that gun-deaths have surged drastically, and that can be directly associated with the surge in crime rates (and has been by some researchers). There is still a general lack of enforcement or protection from thieves, highwaymen, and burglars -- and there always will be, since the police are not required in any way to protect anyone from anyone.

    And, as a fun little flame, there were strict gun control laws in Kosovo, too, and look where it got them. Personally, I'd rather live in a country where lots of people have guns, as it tends to prevent that sort of idiocy. Our government should live in fear of us, not the other way around.

    Aetius
  21. Re:Yeah? on The Corporate Republic · Score: 1

    This argument implies that it is the fault of the people who choose AOL rather than the fault of AOL itself. That's true!!! That is the reason corporations get where they get and have the power they have -- people, individuals, are too lazy to eat real "food", but prefer to be spoon-fed by the corporations. The current state of corporatism is the direct responsibility of YOU and the person next to YOU. YOU buy things at Wal-Mart. YOU go and see movies made by Hollywood. YOU watch "Who wants to be a Millionaire" (well, maybe not...). It is YOUR fault, and MINE, and everyone else's. Once you figure that out you'll be a lot happier and a lot more effective at dealing with corporate invasion into your life. Take responsibility for your own life!!!

  22. Re:America has a lot to answer for on The Corporate Republic · Score: 1

    Define "destroy the rest of your life". How could not getting into a good college "destroy your life"? Is it going to kill you? Force you to live in a mud hut and farm for the rest of your life? Force you to fight and kill other human beings just to stay alive? You can pursue science and knowledge on your own without going to college -- it is completely optional. You are caught in the same self-created maelstrom that many others are caught in. You think that to succeed you have to have the money, or the power, or the education. Success and happiness have nothing to do with money. They do have everything to do with power -- not power over others, but power over ourselves.

    Aetius
  23. Re:Maybe this can get companies to consider UNIX? on I Love You "Virus" Hates Everyone · Score: 1

    Windows is the problem. Allowing the user to overwrite system files??? Cheap, easy, but definitely not safe. Unix by design does not (in general) allow that. That's what he's talking about. Of course, if your NT people really know what they are doing, nothing vital would be affected -- the NT image should be locked down to the point of not letting the user access anything but their own home directory. Unfortunately that is difficult to do (some would say near impossible) and most NT "admins" don't know how.

    Aetius
  24. Re:How easy to masq. MS solutions, eg VPN,pcAnywhe on Playing Games Behind IP Masquerade? · Score: 1

    In order for you to browse the network, NetBIOS traffic has to be passed through the VPN -- not bloody likely with most routers. Alternatively, you can attach to a WINS server on the remote network to browse (which will show you all the WINS-connected machines on the remote network).

    Also, use VNC -- it's faster and easier than PCAnywhere, and with a PPTP VPN you have semi-adequate security. Just make sure you log out when you leave. :)

    Aetius
  25. Re:A living wage is needed! on How Socially Responsible Are Computer Companies? · Score: 1

    Seven dollars an hour, in some places in the world, is enough to buy anything you could have ever dreamed of. Seven dollars is more than a goodly portion of the world makes in a month. Seven dollars an hour is enough to survive on -- I know, I did it for several years, and even had a TV and a computer. Get off whatever you are taking.