RE: [cobalt-users] Attackalert
- Subject: RE: [cobalt-users] Attackalert
- From: elmer@xxxxxxxxxxxxxx
- Date: Wed Mar 28 03:16:05 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Wed, 28 Mar 2001, Dan Kriwitsky wrote:
} You might think so, but Cobalt gives no information on that and markets the
} product specifically against using Telnet. Finding any Telnet info in the
} manuals is a task. "The browser-based UI shields the administrator from
} technical complexities and minimizes the need for trained staff."
Please understand, I'm not looking for an argument or a fight, I'm
just pointing out an often overlooked fact.
Servers - any server - have to be plugged into a Network of
some sort and that network must have access to the Internet in order
for the content of the server to be world accessible.
While I do harden our servers before plugging them into our
network here, and while there are different configurations, nuances
and opinions, I know no professionals who will simply plug a server
into an unmanaged network and let it rip. That's often the case with
colo'd servers but even then I personally would not place a server
on a network that was just a simple port leading directly into the
electronic haze of cyberspace. Finding a reseller who spent the
money for that which is needed to run a solid network is not that
hard to do.
We don't do collocation here so this is not a sales pitch.
But those who simply wish to plug their Cobalt in and survive
well off without having to work from the command line are best
advised to find a provider who provides a good solid managed network
or to hire an expert who can set one up for them, and advise them of
the best way (opinions may vary of course) of doing things. Fact is,
everything you need can be found on http://cobalt.com/ and putting
it all together would more than likely result in just what I'm
suggesting is needed for serious web hosting.
Yes indeed, opinions do enter into the equation. I don't
wish to argue those opinions. That's not the point I'm trying to
make. What I'm trying to say is that we have few problems here -
very few. We've only got a few hundred (less than 200) live sites
running out of here, but supporting those sites requires 6 servers
(3 web servers - each configured for different needs, 1 DNS server,
1 rsync server for doing backups and a dedicated network monitoring
server), a router, a switch, off site secondary DNS service, and the
stuff to make it all work (a desktop or two to work from, cables,
etc). There is always someone here - always - and all inbound and
outbound traffic is displayed in real time on two dedicated and
strategically placed monitors - one on each of the desks we work
from. Fact is, and much to the dismay of my wonderful wife, I even
have a monitor hanging on the wall in the living room of our home
just so I watch the traffic flow, see any alarms, etc - keep on top
of things when I'm not in the office. She hasn't yet consented to my
putting a monitor in the bedroom but I'm still working on that.
Anyone with a cheap cable connection can do the very same
thing as far as monitoring is concerned. Put Iptraf, trafshow or
something similar on your server, Netsaint perhaps, then put putty on
your home desktop, open a window or two and let it rip while
you're doing whatever you do.
And our setup here is not at all unusual. Even the colo'd
clients I consult for have similar setups in their cages. The
people we swap secondary DNS with do things differently and we've
had some rather impressive arguments while discussing the nuances
but the results are pretty much the same - they manage their
network very closely. They just do it differently than we do.
Fact is, few of those I know well enough to know their network
architecture are the same as our setup but they all start with some
type of layer 3 device between the servers and the network and which
has been configured to limit access to the servers to only that
which specifically needs to access them, and they all watch over
their networks very very closely.
I'm not saying that any of this will make your servers more
secure or that colo's that don't provide this kind of thing are
doing something wrong. Quite the contrary in fact. Colo facilities
are in the business of providing space for equipment - the nuances
of the setup are up to the owner of that equipment. But I am saying
this, if plug-and-play is what you are after then the network
architecture does indeed enter into the equation - and it does so in
a very big way.
brent