seeking anti-w2k ammo for VPN + SecurID

Post by fil krohnengol » Sat, 10 Nov 2001 03:16:33



I can't believe I have to fight this fight again, but I do.  

The Boss is pretty much sold on a VPN solution involving a dedicated
Cisco VPN box, Cisco ACE server, and an RSA SecurID server.  And our
friends at Cisco are recommending that both servers run w2k.
According to company websites, Solaris is very much supported by both
servers - but apparently there were hints in the sales meetings (to
which I wasn't invited) that solaris support was being phased out -
except for existing installations - or something.  

There is currently an admin staff of one - and he (me) knows nothing
other than FUD about w2k and its friends - which makes me pretty
useless in an argument.  All our other major services run on
solaris/linux - very well.  I fear bad things down the road if I lose
this one.  

help?

-fil

 
 
 

seeking anti-w2k ammo for VPN + SecurID

Post by pe.. » Sat, 10 Nov 2001 18:37:47



> I can't believe I have to fight this fight again, but I do.  
> The Boss is pretty much sold on a VPN solution involving a dedicated
> Cisco VPN box, Cisco ACE server, and an RSA SecurID server.  And our
> friends at Cisco are recommending that both servers run w2k.
> According to company websites, Solaris is very much supported by both
> servers - but apparently there were hints in the sales meetings (to
> which I wasn't invited) that solaris support was being phased out -
> except for existing installations - or something.  

There are lots of VPN solutions. Are you talking about lots of
windoze clients coming into your company? Or are you talking
about a VPN between 2 networks?

In the first case I would look at V-One (SmartWall), which definitely runs
on wintendo AND solaris AND BSD AND ...

In the second case there is no competition: IPSec on OpenBSD (which
runs on Intel, sparc AND ...)

Unless your boss is bribed, he should look at cost-efficient
solutions. Now you have the tool, find something cheaper
than his solution.

/PS
SecurID builds on a proprietary algorithm, which by my definition
is usable as snakeoil. Select a token device that uses
known and good algorithms. Read examples about snakeoil
algorithms, such as the one selected by GSM (which now anyone can
break in real-time) or WEP (which also is close-to-realtime
breakable)
/DS

> There is currently an admin staff of one - and he (me) knows nothing
> other than FUD about w2k and its friends - which makes me pretty
> useless in an argument.  All our other major services run on
> solaris/linux - very well.  I fear bad things down the road if I lose
> this one.  
> help?
> -fil

--
Peter Håkanson        
        IPSec  Sverige      (At the Riverside of Gothenburg, home of Volvo)
           Sorry about my e-mail address, but i'm trying to keep spam out.
           Remove "icke-reklam"and "invalid"  and it works.
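Peter's point is that the token should rest on an openly specified algorithm rather than a vendor secret. As an added illustration (not code from any poster, nor from Cisco or RSA, and not a model of the SecurID token itself), here is the event-based one-time password construction that was later standardised as HOTP (RFC 4226, with the time-based variant of RFC 6238 on top): HMAC-SHA1 over a counter, dynamically truncated to six digits, plus the server-side verifier that tolerates a token pressed a few times without use and rejects replays. The secret is the RFC's published test-vector secret, not a real key.

```python
#!/usr/bin/env python3
"""Event-based one-time password (HOTP, RFC 4226) with server-side
counter resynchronisation.

Added example for this thread, not code from any poster, Cisco or RSA.
It shows a token algorithm that is fully public; it does not model the
SecurID token. The secret below is the RFC 4226 test-vector secret.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter) -> dynamic truncation -> digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # low nibble of last byte
    chunk = mac[offset:offset + 4]                       # 4 bytes at that offset
    code = struct.unpack(">I", chunk)[0] & 0x7FFFFFFF    # clear the sign bit
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits)


class HotpVerifier:
    """Server-side state for one token: the next expected counter.

    A token pressed without being used drifts ahead of the server, so
    accept any of the next `look_ahead` codes and jump the counter past
    whichever one matched. Anything at or below the stored counter has
    already been consumed and is rejected as a replay.
    """

    def __init__(self, secret: bytes, counter: int = 0, look_ahead: int = 5):
        self.secret = secret
        self.counter = counter
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            # constant-time compare: do not leak how many digits matched
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1        # consume it; a replay now fails
                return True
        return False


# RFC 4226 appendix D test secret (ASCII "12345678901234567890"); constructed
# input for demonstration only, never a production key.
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for n in range(3):
        print(n, hotp(TEST_SECRET, n))       # 755224, 287082, 359152
    v = HotpVerifier(TEST_SECRET)
    print(v.verify("287082"), v.counter)     # True 2
    print(v.verify("287082"))                # False (replay)
```

The verifier is the part that matters operationally: the per-token counter has to be stored and updated atomically on the authentication server, otherwise two concurrent logins with the same code both succeed.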

 
 
 

seeking anti-w2k ammo for VPN + SecurID

Post by Martin Hepworth » Sat, 10 Nov 2001 20:57:51



> I can't believe I have to fight this fight again, but I do.  

> The Boss is pretty much sold on a VPN solution involving a dedicated
> Cisco VPN box, Cisco ACE server, and an RSA SecurID server.  And our
> friends at Cisco are recommending that both servers run w2k.
> According to company websites, Solaris is very much supported by both
> servers - but apparently there were hints in the sales meetings (to
> which I wasn't invited) that solaris support was being phased out -
> except for existing installations - or something.  

> There is currently an admin staff of one - and he (me) knows nothing
> other than FUD about w2k and its friends - which makes me pretty
> useless in an argument.

<snip>

No that makes you very powerful in the argument. You have no knowledge
of w2k servers so who's going to support the things? Will your company
train you up in win2k and take the hit on sys admin performance levels
while you 1) get trained and 2) get experienced in w2k?

Remember, training is just to help you; an experienced admin with no
formal training is, IMHO, much better than someone with all the courses
and no experience in the subject.

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic Ltd
+44 (0)1865 842300

 
 
 

seeking anti-w2k ammo for VPN + SecurID

Post by Scot Wilcoxo » Wed, 14 Nov 2001 02:11:39



> The Boss is pretty much sold on a VPN solution involving a dedicated
> Cisco VPN box, Cisco ACE server, and an RSA SecurID server.  And our
> friends at Cisco are recommending that both servers run w2k.

Remember to include enough W2K admins in the budget to provide 24/7
coverage.  You certainly won't be able to use VPN to reboot a crashed
VPN server.
 
 
 

seeking anti-w2k ammo for VPN + SecurID

Post by Alun Jones » Wed, 14 Nov 2001 04:25:40





>> The Boss is pretty much sold on a VPN solution involving a dedicated
>> Cisco VPN box, Cisco ACE server, and an RSA SecurID server.  And our
>> friends at Cisco are recommending that both servers run w2k.

>Remember to include enough W2K admins in the budget to provide 24/7
>coverage.  You certainly won't be able to use VPN to reboot a crashed
>VPN server.

I'm not quite sure of the point of that comment - is there _any_ protocol that
allows you to reboot a system through the protocol when the system handling
the protocol is dead?

Alun.
~~~~

[Note that answers to questions in newsgroups are not generally
invitations to contact me personally for help in the future.]
--
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at

Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for NT.

 
 
 

seeking anti-w2k ammo for VPN + SecurID

Post by Alan J. Flavel » Wed, 14 Nov 2001 06:52:27


On Nov 12, Alun Jones inscribed on the eternal scroll:

> I'm not quite sure of the point of that comment - is there _any_
> protocol that allows you to reboot a system through the protocol
> when the system handling the protocol is dead?

Oh, quite.

But you ("one" if you want to be pedantic) may be able to achieve the
effect automatically.  My multicast router, for example, is a bit
flaky, so there's a process which checks it periodically, and hits it
over the head and starts it afresh if necessary.  If it has to do that
too often, then it commands a reboot of the OS instead, in the hope of
that being more effective.

But if it's the OS that hangs rather than merely the multicast router,
obviously that doesn't help.  Then you'd need another separate machine
doing the monitoring, and a remote-control line to waggle the reboot.
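The escalating watchdog described in that post, written out as an added example (not the poster's own script): probe the daemon, restart it on failure, and fall back to rebooting the host once restarts pile up inside a time window. The daemon name, probe command and interval are assumptions for illustration; the probe, restart and reboot actions are injected so the escalation logic can be exercised without touching a real system. As the post notes, this only helps while the OS itself is alive; when the kernel hangs, the watchdog dies with it and an external monitor with a console or power line is the only recourse.

```python
#!/usr/bin/env python3
"""Watchdog that probes a daemon, restarts it when the probe fails, and
escalates to a host reboot when restarts pile up inside a time window.

Added example, not code from the thread. DAEMON and the shell commands
are illustrative assumptions; the probe/restart/reboot callables are
injected so the decision logic runs without a real system.
"""
import subprocess
import sys
import time
from collections import deque


class Watchdog:
    def __init__(self, probe, restart, reboot,
                 max_restarts=3, window=3600.0, clock=time.monotonic):
        self.probe = probe            # () -> True when the daemon answers
        self.restart = restart        # () -> None, "hit it over the head"
        self.reboot = reboot          # () -> None, reboot the OS
        self.max_restarts = max_restarts
        self.window = window          # seconds over which restarts are counted
        self.clock = clock
        self.restart_times = deque()  # timestamps of recent restarts

    def tick(self):
        """One check. Returns 'ok', 'restart' or 'reboot'."""
        now = self.clock()
        # forget restarts that have aged out of the window
        while self.restart_times and now - self.restart_times[0] > self.window:
            self.restart_times.popleft()
        if self.probe():
            return "ok"
        if len(self.restart_times) >= self.max_restarts:
            # restarting keeps failing; a full reboot is the next step
            self.restart_times.clear()
            self.reboot()
            return "reboot"
        self.restart_times.append(now)
        self.restart()
        return "restart"


# --- assumed real-world hooks; daemon name and commands are illustrative ---
DAEMON = "mrouted"                       # hypothetical multicast routing daemon


def probe_process() -> bool:
    """True if a process with exactly that name exists (pgrep -x)."""
    return subprocess.run(["pgrep", "-x", DAEMON],
                          stdout=subprocess.DEVNULL).returncode == 0


def restart_daemon() -> None:
    subprocess.run(["pkill", "-x", DAEMON])
    subprocess.run([DAEMON])             # assumes the daemon backgrounds itself


def reboot_host() -> None:
    subprocess.run(["shutdown", "-r", "now"])


def run_forever(interval: int = 60) -> None:
    wd = Watchdog(probe_process, restart_daemon, reboot_host)
    while True:
        action = wd.tick()
        if action != "ok":
            print(time.ctime(), action, DAEMON, file=sys.stderr)
        time.sleep(interval)


if __name__ == "__main__":
    run_forever()
```

A process-exists probe is the weakest useful check; for a VPN or RADIUS daemon a real probe would send an actual request and time it out, since a hung process still shows up in `pgrep`.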

 
 
 

seeking anti-w2k ammo for VPN + SecurID

Post by Ramses van Pinxtere » Wed, 14 Nov 2001 17:22:14


Sorry to say, but did you ask your boss if HE can support the w2k system??
You wrote that you can't.

I think the problem is then very quickly decided.

You must never change a winning team (you and unix)

Bye!
ram6



> I can't believe I have to fight this fight again, but I do.

> The Boss is pretty much sold on a VPN solution involving a dedicated
> Cisco VPN box, Cisco ACE server, and an RSA SecurID server.  And our
> friends at Cisco are recommending that both servers run w2k.
> According to company websites, Solaris is very much supported by both
> servers - but apparently there were hints in the sales meetings (to
> which I wasn't invited) that solaris support was being phased out -
> except for existing installations - or something.

> There is currently an admin staff of one - and he (me) knows nothing
> other than FUD about w2k and its friends - which makes me pretty
> useless in an argument.  All our other major services run on
> solaris/linux - very well.  I fear bad things down the road if I lose
> this one.

> help?

> -fil

 
 
 

seeking anti-w2k ammo for VPN + SecurID

Post by fil krohnengol » Thu, 15 Nov 2001 01:45:38



> Sorry to say, but did you ask your boss if HE can support the w2k system??
> You wrote that you cant.

Oh - he plans to.  That's what worries me.  

> You must never change a winning team (you and unix)

Hear hear!  

-fil

 
 
 

seeking anti-w2k ammo for VPN + SecurID

Post by Alun Jones » Thu, 15 Nov 2001 05:45:08





>> Sorry to say, but did you ask you boss if HE can support the w2k system??
>> You wrote that you cant.

>Oh - he plans to.  That's what worries me.  

>> You must never change a winning team (you and unix)

>Hear hear!  

Of course, on the other hand, one shouldn't generally make a decision and
_then_ seek ammunition to support it.  If Windows is the wrong answer, then
that should be obvious from the data without having to go looking specifically
for anti-Windows information.  And if Windows is the right answer for this
case, and you've been seen to propose the wrong answer for the wrong reason,
without having ever investigated both sides of the coin, then your job (no
matter how well you may run Unix systems) is essentially over.

Alun.
~~~~

[Note that answers to questions in newsgroups are not generally
invitations to contact me personally for help in the future.]
--
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at

Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for NT.

 
 
 

seeking anti-w2k ammo for VPN + SecurID

Post by fil krohnengol » Thu, 15 Nov 2001 09:03:08



> Of course, on the other hand, one shouldn't generally make a decision and
> _then_ seek ammunition to support it.  If Windows is the wrong answer, then
> that should be obvious from the data without having to go looking specifically
> for anti-Windows information.  And if Windows is the right answer for this
> case, and you've been seen to propose the wrong answer for the wrong reason,
> without having ever investigated both sides of the coin, then your job (no
> matter how well you may run Unix systems) is essentially over.

True enough, but I'd argue that managers shouldn't really be making
designs based on one set of brochures behind the back of the network
administrator and then informing him/her after the fact.  Windows may
well be part of the right answer, but having not been invited to the
initial process of finding out, I'm left to try and shoot it down
before it starts so that I can be included as I should have been from
square one.  

-fil

 
 
 

seeking anti-w2k ammo for VPN + SecurID

Post by Alun Jones » Fri, 16 Nov 2001 00:13:27





>> Of course, on the other hand, one shouldn't generally make a decision and
>> _then_ seek ammunition to support it.  If Windows is the wrong answer, then
>> that should be obvious from the data without having to go looking
> specifically
>> for anti-Windows information.  And if Windows is the right answer for this
>> case, and you've been seen to propose the wrong answer for the wrong reason,
>> without having ever investigated both sides of the coin, then your job (no
>> matter how well you may run Unix systems) is essentially over.

>True enough, but I'd argue that managers shouldn't really be making
>designs based on one set of brochures behind the back of the network
>administrator and then informing him/her after the fact.  Windows may
>well be part of the right answer, but having not been invited to the
>initial process of finding out, I'm left to try and shoot it down
>before it starts so that I can be included as I should have been from
>square one.  

Partly right.  Be careful, though, that you aren't seen as "shooting it down"
just because it says "Windows".  Shooting down your manager's idea because
it's a technical decision made without technical information or technical
input is the only good way to approach this.

InfoWorld used to have a column by Nick Petreley, called "The Open Source".  
Week after week, it focussed on the many ways in which Linux, FreeBSD, et al,
were not Windows.  InfoWorld now has a column called "The Open Source",
written by Russell Pavlicek.  The column now focusses more on what Open Source
OSs _are_, rather than what they are not, and that change alone seems to me
more inclined to persuade its readers to consider Linux, FreeBSD, etc, as
possible solutions.  Managers like to buy things for what they _are_, rather
than for what they are _not_.

Alun.
~~~~

[Note that answers to questions in newsgroups are not generally
invitations to contact me personally for help in the future.]
--
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at

Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for NT.

 
 
 

seeking anti-w2k ammo for VPN + SecurID

Post by pe.. » Sat, 17 Nov 2001 20:28:00






>>> The Boss is pretty much sold on a VPN solution involving a dedicated
>>> Cisco VPN box, Cisco ACE server, and an RSA SecurID server.  And our
>>> friends at Cisco are recommending that both servers run w2k.

>>Remember to include enough W2K admins in the budget to provide 24/7
>>coverage.  You certainly won't be able to use VPN to reboot a crashed
>>VPN server.
> I'm not quite sure of the point of that comment - is there _any_ protocol that
> allows you to reboot a system through the protocol when the system handling
> the protocol is dead?

No. But there _are_ implementations that will keep on running, thus
not needing any reboot.

Example:

> w

12:27PM  up 469 days, 19:47, 1 user, load averages: 0.16, 0.04, 0.02

peter            p0       warp.ipsec.nu    11:53AM     - w

> Alun.
> ~~~~
> [Note that answers to questions in newsgroups are not generally
> invitations to contact me personally for help in the future.]
> --
> Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at

> Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
> Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for NT.

--
Peter Håkanson        
        IPSec  Sverige      (At the Riverside of Gothenburg, home of Volvo)
           Sorry about my e-mail address, but i'm trying to keep spam out.
           Remove "icke-reklam"and "invalid"  and it works.
 
 
 

seeking anti-w2k ammo for VPN + SecurID

Post by Alun Jones » Sun, 18 Nov 2001 03:22:06




>No. But there _are_ implementations that will keep on running thus
>not needing any reboot.

>Exampel :
>> w
>12:27PM  up 469 days, 19:47, 1 user, load averages: 0.16, 0.04, 0.02

>peter            p0       warp.ipsec.nu    11:53AM     - w

Again, that's not an argument.  I've got similar boxes sitting around me
running Windows NT that have been up for similar time-spans, and a Windows
2000 that's been running unrebooted since the last service pack install.  
Vague hand-waving arguments, like "I've got a system that's been running for
longer than your system" don't cut it when you're trying to explain to a
business person why you are refusing to implement a vendor's suggested
solution (as the OP apparently is).

Alun.
~~~~

[Note that answers to questions in newsgroups are not generally
invitations to contact me personally for help in the future.]
--
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at

Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for NT.

 
 
 

seeking anti-w2k ammo for VPN + SecurID

Post by Eric M Haa » Sun, 18 Nov 2001 05:03:05


Excerpts from netnews.comp.security.unix: 16-Nov-101 Re: seeking

> > I'm not quite sure of the point of that comment - is there _any_
> > protocol that allows you to reboot a system through the protocol
> > when the system handling the protocol is dead?

> No. But there _are_ implementations that will keep on running thus
> not needing any reboot.

> Example:
> > w
> 12:27PM  up 469 days, 19:47, 1 user, load averages: 0.16, 0.04, 0.02

> peter            p0       warp.ipsec.nu    11:53AM     - w

Also, most unix workstation and server class machines have a hardware
console that you can set up a modem on.  You can either leave the modem
on, or, if you have even unskilled people there at all times, teach them
how to flip a certain switch to turn it on, or connect it to the phone
line.  Then you have to deal with securing the modem, but there are ways
to do that.  You can do anything you want with the system, just as if
you were sitting in front of the machine. (other than insert media, but
if you need to do that, you should already be driving in)
It's the same thing that many large companies/ISPs do with routers in
remote locations where they don't have (skilled networking) staff.  

-Eric

 
 
 

seeking anti-w2k ammo for VPN + SecurID

Post by Alun Jones » Sun, 18 Nov 2001 05:48:17




>Also, most unix workstation and server class machines have a hardware
>console that you can set up a modem on.  You can either leave the modem
>on, or, if you have even unskilled people there at all times, teach them
>how to flip a certain switch to turn it on, or connect it to the phone
>line.  Then you have to deal with securing the modem, but there are ways
>to do that.  You can do anything you want with the system, just as if
>you were sitting in front of the machine. (other than insert media, but
>if you need to do that, you should already be driving in)
>It's the same problem that many large companies/ISP's do with routers in
>remote locations where they don't have (skilled networking) staff.  

The lack of support for "dumb terminal" access is one of the better arguments
I've seen for Unix over Windows.

Alun.
~~~~

[Note that answers to questions in newsgroups are not generally
invitations to contact me personally for help in the future.]
--
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at

Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for NT.

 
 
 
