Off topic: So ... Mac support can be a pain if you're not using proper tools. But a couple of awesome guys at Google recently open-sourced munki[1], which can deploy packages to Macs (like WSUS for Windows).

And using puppet[2] (instead of GPO) is an excellent way to ensure proper configurations are established on all systems. You just need to figure out where all of the plists are kept. :-)

[1]: http://code.google.com/p/munki/
[2]: http://www.puppetlabs.com

On Thu, Jul 14, 2011 at 11:09 PM, Edward Ned Harvey <[email protected]> wrote:

>> From: Giovanni Tirloni [mailto:[email protected]]
>> Sent: Thursday, July 14, 2011 9:29 AM
>>
>> How about ensuring the small company's network is up to the same security
>> standards as big company's network and then connect both together as if
>> they were the same network? It probably would take longer but whoever
>> decided on acquiring complex infrastructure should have an idea of what it
>> takes.
>
> It goes like this ... Big Co decided Little Co should have a VPN tunnel
> back to Big Co data center, and all outbound network traffic must go through
> their firewall. So we got another IP address, configured the new Big Co
> router, brought up the tunnel, configured a new LAN with the same IP range
> as the old LAN, and started testing routes & firewall rules. Intent is to
> simply patch the legacy equipment into the new LAN switches. And then
> discovered it's impossible to add a route to the Big Co router which will
> direct traffic the right way, when the destination IP happens to be on the
> same public subnet as the external interface of the Big Co router. Because
> the destination IP is on the same interface, the routing tables are ignored,
> so the packet goes directly to the destination instead of traversing the WAN
> and going through the central firewall. So return traffic is blocked.
> Unfortunately this poses a problem for critical services such as the
> conference room reservation system and so forth. I would not describe this
> as "Big Co has better security policy." I would just say "Big Co has more
> security policy."
>
> It looks like it's going to be at least a couple more weeks before we can
> split apart IP ranges to solve that problem. Meanwhile, the Big Co LAN is
> already connected and available and usable for certain things on the new Big
> Co switch in the server room. And various people need access to the new Big
> Co internal resources. So we have no choice: Both the Big and Little LANs
> must be on for a coexistence period, and cannot be connected to each other.
> People must be easily able to switch from this network to that network, and
> back again. And reasonable measures must be taken to ensure no bridging
> will occur.
>
> The above problem is merely one of many. So the coexistence period is
> likely to be months. For example, Little Co works primarily on Macs. Take
> 'em away and you're likely to have serious attrition. Yet the Big Co IT
> dept has always supported only Windows. Many services require Windows.
> Many of these are solved by simply having Windows VMs in all the Macs, but
> that doesn't help for things like VPN and Wifi. For political reasons, the
> CIO refuses to support VPN clients or Wifi on Macs... He perceives the Macs
> as a threat, which will "infect" the rest of the organization and skyrocket
> support costs. Which means some big guys (VPs) are working out these
> issues at a high level. It seems obvious, but there can only be one
> conclusion. First rule out the possibility of eliminating the Macs, because
> that leads to a failed acquisition. Then the CIO must give, and permit the
> Macs to have VPN and Wifi access. There's enough complexity that it will
> certainly take weeks, if not months, for the conversations to resolve.
> (Heck, acquisition took place 6 weeks ago already.) I've been staring at
> the unconnected Big Co LAN switches in my closet now for 2 weeks. Fully on,
> operational for certain purposes. But my IT comrade at Big Co is forbidden
> to allow usage of that network for anything other than testing purposes,
> until the Mac issues are resolved.
>
> It's just typical Big Co BS politics.
>
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
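The "ensure proper configurations" idea in the reply above, as an added example that is not part of the original thread or of the munki/puppet projects: audit a Mac preference plist against a desired state and produce a corrected plist. The plist contents, key names and wanted values are constructed for illustration, not taken from any real domain.

```python
import plistlib

# Constructed sample plist, as a config-management run might find it on disk.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>idleTime</key><integer>1200</integer>
    <key>askForPassword</key><integer>1</integer>
</dict>
</plist>
"""

# Desired state, in the spirit of a puppet manifest: key -> required value.
# (Hypothetical keys/values; adjust to the plist you actually manage.)
DESIRED = {
    "idleTime": 600,          # lock after 10 minutes, not 20
    "askForPassword": 1,      # require a password to unlock
    "askForPasswordDelay": 0, # prompt immediately
}


def audit_plist(data: bytes, desired: dict) -> list:
    """Return drift findings as strings; an empty list means compliant."""
    prefs = plistlib.loads(data)
    findings = []
    for key, want in desired.items():
        if key not in prefs:
            findings.append(f"{key}: missing (want {want!r})")
        elif prefs[key] != want:
            findings.append(f"{key}: {prefs[key]!r} (want {want!r})")
    return findings


def enforce_plist(data: bytes, desired: dict) -> bytes:
    """Merge the desired values into the plist and return the new XML bytes.

    Keys not in `desired` are left untouched, like a merged puppet resource.
    """
    prefs = plistlib.loads(data)
    prefs.update(desired)
    return plistlib.dumps(prefs)


if __name__ == "__main__":
    for line in audit_plist(SAMPLE_PLIST, DESIRED):
        print("drift:", line)
    print(enforce_plist(SAMPLE_PLIST, DESIRED).decode())
```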
