Great Circle Associates Firewalls
(October 1997)

Subject: Re: Unlimited Users Firewalls
From: "Billy Verreynne" <vslabs @ onwe . co . za>
Date: Sat, 25 Oct 1997 20:50:55 -0000
To: "Paul D. Robertson" <proberts @ clark . net>
Cc: <Firewalls @ GreatCircle . COM>

> Paul D. Robertson <proberts @ clark . net> wrote:

> What's proper software if the OS isn't safe?

I referred to proper security policies. Don't run an FTP server on NT using NT
authentication, as domain userids and passwords will be sent unencrypted.
Make full use of NT auditing and auto-archive event logs when full to DAT
tape. Enforce regular password changes. Hide confidential network shares by
suffixing the sharename with a $ character. All the basic stuff. It seems
to me that most NT administrators come from the Windows 3.1 and LAN
Manager environment and are pretty lax/inexperienced when it comes to
security. OTOH Unix sysadmins usually make very good NT administrators.

> Having seen many Unix stacks go down in flames on big Web sites, and
> having seen stack code changes by vendors raise their thresholds for
> that by several hundred hits per second, I'd say pretty often.  Moving
> from serially getting the next available local port number to a hashed
> table increased the throughput on a couple of stacks by over 100% for
> instance.

OK, but that's a different ball game. Having a million-plus hits on a web
site requires fine-tuned and iron-hard software. But remember, not everyone
is running these monster web sites. In my experience most hacker-type
attacks are internal (remember it's dark Africa here and the net is fairly
new in the commercial market). BTW, the Microsoft site is one of the
busiest on the web and they're running NT. IMHO it says a lot about NT, IIS
and NT's IP protocol stack.

> 300 users is an awfully small network.  I've had subnets with almost
> half as many users on them.

300 OLTP users - the total WAN I guess runs with a 1000+ users. Many of
them using mainframe emulation, e-mail etc.

> If an FTP session kills your WAN, I'd suggest you buy some consulting in
> network design and capacity planning.

Bull. In the ideal world you may have enough money for ISDN or ATM; in the
corporate world it is a hell of a struggle to balance user needs with users'
expectations and what the board is prepared to invest in hard cash. Users
are dumb. Like the time they did the tutorial for a new system in PowerPoint
and then e-mailed the resulting file of 32 MB to more than 100 users. And
the way MAPI works it means 32 MB x 100 across the WAN. You can capacity
plan and consult till you're blue in the face, the users will screw it up
every time.

> Most companies have simply lowered the bar of what 'robust and stable
> enough' means to them.  Also, most of those NT servers are replacing
> Netware servers, which weren't exactly the best for mission-critical and
> robust either.  Robust for a departmental server is *much* different than
> robust for a firewall handling traffic for *all* the departments as
> well.

Very true. But then instead of making a simple statement that NT's IP
protocol stack is shit, why not back it up with proper facts and technical
detail?

> This is 'firewalls', not 'databases', and while NT may be ok for your
> database environment, we've got some where it wouldn't even come close to
> fulfilling the requirements.

Once again, what are the requirements? If you want an internal firewall to
protect your local LAN services, why not run it on NT? Why buy a Ferrari
when a Volkswagen can do the job? Time and time again I have to fight with
both IT and users who decide on what they want instead of why they want
it. You match the solution to the requirements; try it the other way
around and your budget is shot and you can kiss your performance bonus
goodbye. Or at least that's how it works in the hard reality of the
corporate world.

> Perhaps we can topic drift
> back to firewalls, or at least the qualities of an OS which give it good
> or bad firewalling traits?

Agreed. As long as bad and good traits are backed up with facts and not
sweeping statements. ;-)

regards,
Billy
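
The "basic stuff" Billy lists (no cleartext FTP with domain credentials, audit logs that archive rather than overwrite when full, regular password changes, confidential shares hidden with a trailing $) still maps onto checks a Windows administrator can run today. The script below is an added, read-only audit example; it is not from the original post or from anyone on the list. It assumes a modern Windows host with the SmbShare module (Windows 8 / Server 2012 or later), an elevated session, and that the Microsoft IIS FTP service, if installed, is registered under the service name ftpsvc.

```powershell
# Added example, not part of the original message: read-only checks for the
# NT-era basics discussed above, on a current Windows host.
# Assumes: SmbShare module available, elevated session, IIS FTP service named 'ftpsvc'.

# 1. Shares whose names do not end in '$' are visible when the host is browsed.
#    Review each one; the post's advice is that confidential shares get the suffix.
$visibleShares = Get-SmbShare |
    Where-Object { $_.Name -notlike '*$' } |
    Select-Object Name, Path, Description

# 2. The Security event log should archive itself when full (LogMode 'AutoBackup')
#    rather than wrap around and silently discard the oldest audit records ('Circular').
$securityLog      = Get-WinEvent -ListLog Security
$archivesWhenFull = ($securityLog.LogMode -eq 'AutoBackup')

# 3. A running FTP service is worth flagging: plain FTP sends credentials unencrypted,
#    so if Windows accounts are accepted here, domain passwords cross the wire in clear.
$ftpService = Get-Service -Name 'ftpsvc' -ErrorAction SilentlyContinue
$ftpRunning = ($null -ne $ftpService -and $ftpService.Status -eq 'Running')

# 4. Local account policy: 'Maximum password age' and 'Minimum password length'
#    show whether regular password changes are actually enforced on this machine.
$passwordPolicy = (net accounts) |
    Where-Object { $_ -match 'Maximum password age|Minimum password length' }

# Summarise the findings in one object so the audit can be logged or compared over time.
[pscustomobject]@{
    VisibleShares     = $visibleShares
    SecurityLogMode   = $securityLog.LogMode
    SecurityLogMaxMB  = [math]::Round($securityLog.MaximumSizeInBytes / 1MB)
    ArchivesWhenFull  = $archivesWhenFull
    FtpServiceRunning = $ftpRunning
    PasswordPolicy    = $passwordPolicy
}
```

Run it in an elevated PowerShell session; every call only reads configuration, so it is safe to schedule. A `False` in ArchivesWhenFull, a `True` in FtpServiceRunning, or a share in VisibleShares that holds confidential data are the conditions the post is warning about. On a domain member the effective password policy comes from Group Policy, so check the domain policy as well rather than relying on `net accounts` alone.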
