From: Paul D. Robertson <[EMAIL PROTECTED]>

> On Thu, 10 Jun 1999, John Wiltshire wrote:
>
> > Telnet generally isn't the best solution (password sniffing and other
> > mischief) - why not use a VPN connection?  Then all your tools work just
> > fine.
>
> One-time two-factor password schemes with telnet work just fine as long
> as you're monitoring for session hijacking attempts.  VPN solutions are a
> flawed answer when you don't trust the host or network you're coming in from.
>
> There's no enforcement of the encryption boundary on an untrusted OS or
> network.  VPNs also introduce a lot more code to the solution, which means
> carrying around a lot more gear.  VPNs are a good solution if you trust the
> remote OS, machine and network and have a reasonable assurance in the VPN
> software and key handling protocol.  IOW, they're a substitute for
> leased-lines in some environments where the extra risk isn't significantly
> dissuasive.  For most other things the security model is "not quite there."

VPN systems provide the same protection from an untrusted OS as do telnet
systems.  You have to have some degree of trust in the OS you are running
on, or you simply should not be performing admin tasks on a remote system
from that machine.  There are a variety of VPN solutions available for most
local operating systems - it really is a matter of finding one that suits
the task.

VPN is simply a more flexible solution to the same problem - access to the
system being managed.

> > > GUIs are nice but rotten for remote administration unless you
> > > tote along
> > > your own environment which I don't find desirable, especially
> > > when you don't
> > > anticipate getting called.
> >
> > I've never had a problem.
>
> I've traveled with luggables, laptops, palmtops, notebooks and sub-notebooks.
> The ability to get in and out of a network via remote dial from a Palm Pilot
> makes a *huge* difference to how lightly you can travel.  It also saves time
> getting through airport security when you're taking commercial flights.
>  Lastly, it means you don't have to worry as much about losing the device
> since there's generally not much data resident on it.
>
> I can do 99.99% of my infrastructure job from a vt100 terminal attached
> to the console port of a router.  At 3am from a hotel room when you just
> discovered that your laptop screen was crushed in overhead, being able to
> telnet around from a borrowed or backup organizer is a *huge* difference.
>
> For that matter, being able to hook the Pilot's serial port up to the
> laptop and still use the machine is a win you can't get from a GUI-centric
> environment.  My laptop screen died just that death on the way to Interop
> last year.  I could still copy my presentation to floppy diskette, play
> with some source code I was interested in at the time, and even use the
> keyboard for input and the Pilot for output.
>
> There's a huge difference in functionality during "normal times" and when
> you're in an emergency situation or things aren't going your way.  When I
> need to get creative, I want to have the tools to do so, and a command
> line gives that.  Access to the command line then becomes the difference
> between "fixed" and "still broken" or "primary person fixes it" and
> "whoever's actually present, clue or not has a go at it."
>
> In an ideal world, remote administration would never be necessary.  In
> general for me it's a very rare occurrence.  When I absolutely need to
> react to something though, I can.  Those times tend to be the ones that
> really make a difference.

Agreed.  This is why I install NT on machines, not Unix.  I find it easier
to admin (I know a lot more about it) and can fix things up remotely -
though usually from home (NT machine).

Having a telnet connection does make a big difference, though I have not yet
had the need to start up a telnet session to NT lately so I can't comment.
It sounds like you manage a lot more systems than I do and are on the road a
lot more - have different requirements and hence different solutions.

To be perfectly honest, if my job had me travelling all over the place with
a laptop and palm pilot and still be expected to admin systems then I'd be
looking seriously at command line solutions as well, though I would possibly
still use NT - can do pretty much everything from the CLI if you absolutely
have to (and have the right tools of course).  Unix systems would be up
there but I'd have to do a lot of work to make sure I could guarantee the
same level of security I could on an NT box.

> I work for a very large corporation.  We have lots of NT, a small amount of
> Unix and a good number of minicomputers.  I get to watch and participate in
> the differences in management, tools and problem solving ability every single
> day.  I find it amusing to watch administrators who can't predict or
> verify the behaviour of their systems in certain circumstances.  When
> everything's running well, it's not a bad thing for the tasks we use it
> for.  When it isn't, NT is a complete bear to wrestle with.

Sounds like your NT admin guys aren't as good as they say they are.  If my
NT boxes don't behave as predicted I go and find out why and fix it.
Putting it down to "unknown" on a mission critical system is simply not good
enough.  People can quite literally get killed that way.

Regards,

John Wiltshire

