Re: Multiculture in a single company? (was: Re: Linux firewall failover)
On 04/05/07, Omer Zak [EMAIL PROTECTED] wrote:
> On Fri, 2007-05-04 at 07:51 +0300, Shachar Shemesh wrote:
> > Omer Zak wrote:
> > > Why are you unifying all the Linux servers in one distribution?
> > > Won't this expose your organization's computers to the dangers of
> > > monoculture?

(I didn't see your original question, hence the answer to this iteration.)

Basically - as a long time Debian user (and having just less than two years' experience with RHEL 4) I arrived at this company, which has about 4 different Linux distros on its servers; at least two of the machines which run the same distro are configured differently and have different software installed on them (e.g. proftpd vs. pure-ftpd), and recently I learned what yum update really means and found that, not surprisingly, they are way out of date.

The servers were maintained (for want of a better word) so far by people who didn't put Linux system administration as their career goal, to say the least (not that they excelled in programming either...).

So the bottom line is that I want to be able to keep track of system updates without having to learn the specific tricks of each distribution, and I want to know that once I learn how to configure something on one box I'll be able to replicate it to the other boxes easily (using automatic tools). I believe that this will result in a better maintained and more secure network than if I have to keep juggling too many types of balls and take care of systems which are not my cup of tea.

--Amos

(Another example from just this morning - I finally learned how to configure the SNMP daemon on Debian to give me more access, and even managed to apply my new knowledge on a couple of FC 5 machines, but the RH 9 machine has a much older SNMP daemon which wouldn't work with the config file.)
Re: Linux firewall failover
Omer Zak wrote:
> Why are you unifying all the Linux servers in one distribution?
> Won't this expose your organization's computers to the dangers of
> monoculture?

I cannot talk for Amos, but here is my experience.

The dangers of monoculture mostly apply when you have a group from which you want the maximal survival (or minimal damage). A heterogeneous environment is the best way to achieve this, as the minimal number of items will be vulnerable to any specific attack.

A single company, often, is not like that. In a single company the danger is often equally placed for ANY item failing. In other words, you are not trying to improve the average, you are trying to improve the worst case. It's a different problem and it has different optimization points.

As far as the practical side goes, there is another consideration. Even with the first case, an environment of poorly maintained individuals, be they as heterogeneous as they might, is still more vulnerable than an environment of well maintained but uniform individuals. This is under the assumption that most attacks are based on vulnerabilities that have vendor patches at the time of the attack, and that all platforms are attacked to some extent.

> Won't it be a good idea to deploy different distributions/OSes on
> computers through which crackers will have to break in order to break
> into the organization's computers?

I think you are assuming two things:
1. It is possible to set up the environment so that the attacker has to break into ALL systems in order to gain access.
2. It makes economic sense to invest the extra time to set up and maintain such a system.

I think 1 is remotely possible, but 2 is extremely unlikely.

--- Omer

Shachar

=
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
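The average-versus-worst-case distinction Shachar draws above can be put into numbers. The following is an added toy model, not code from the thread; its assumptions are constructed: each distribution independently has a chance p of carrying an exploitable hole at the moment an attack arrives, a hole in a distribution takes every host running it, and hosts are spread evenly over the distributions. The function names (fleet, compare, and the three probability helpers) are mine.

```python
"""Toy model of the monoculture trade-off argued above (added illustration,
not code from the thread).  Constructed assumptions: each distribution has
an independent chance p of carrying an exploitable hole at the moment an
attack arrives; a hole in a distribution takes every host running it; hosts
are spread evenly over the distributions."""


def fleet(n_hosts, n_distros):
    """Assign n_hosts round-robin to n_distros; returns the distro id per host."""
    return [i % n_distros for i in range(n_hosts)]


def expected_fraction_lost(hosts, p):
    """The 'average' view: expected share of hosts compromised.
    Every host carries the same marginal probability p, so diversity
    does not move this figure at all."""
    return sum(p for _ in hosts) / len(hosts)


def p_any_host_lost(hosts, p):
    """The 'worst case' view of a single company: probability that at least
    one host falls.  Distributions fail independently, so every additional
    distinct distribution is one more independent way for this to happen."""
    n_distros = len(set(hosts))
    return 1 - (1 - p) ** n_distros


def p_every_host_lost(hosts, p):
    """The survival-of-the-group view (and Omer's assumption 1, that the
    attacker must break ALL systems): probability that every distribution
    in use falls."""
    return p ** len(set(hosts))


def compare(n_hosts, n_distros, p):
    """All three figures for one fleet layout and one per-distro risk p."""
    hosts = fleet(n_hosts, n_distros)
    return {
        "average": expected_fraction_lost(hosts, p),
        "any_lost": p_any_host_lost(hosts, p),
        "all_lost": p_every_host_lost(hosts, p),
    }


if __name__ == "__main__":
    # Constructed figures: a distribution whose vendor patches are applied
    # promptly vs. one left at the "what does yum update mean" level.
    P_MAINTAINED, P_NEGLECTED = 0.05, 0.5
    print("one well maintained distro  :", compare(8, 1, P_MAINTAINED))
    print("four neglected distros      :", compare(8, 4, P_NEGLECTED))
    print("four well maintained distros:", compare(8, 4, P_MAINTAINED))
```

With these constructed numbers, four neglected distributions give an "any host lost" probability of 0.9375 against 0.05 for one well maintained distribution, while the "all hosts lost" figure (the only one diversity improves) drops from 0.05 to 0.0625 only because the neglected hosts started from a much worse per-distro risk. Adding distributions raises the any-host figure even for well maintained hosts, which is the point about a single company optimizing the worst case rather than the average.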
RE: Linux firewall failover
If you do not limit yourself to Linux, you can easily use PF (pf+pfsync+CARP) to do the job.
http://www.openbsd.org/faq/pf/carp.html

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:linux-il-[EMAIL PROTECTED]] On Behalf Of Amos Shapira
Sent: Tuesday, May 01, 2007 5:39 AM
To: Linux-IL
Subject: Linux firewall failover

Hello,

I'm looking at an option to deploy a couple of Linux boxes as our main router for HA (after the power supply of our SonicWall fried itself on the night of a non-working day).

This morning I thought it would be neat if the standby firewall node could replicate the connection tracking info from the primary node, and a quick search shows that a couple of people have already beaten me to it - enter conntrackd (http://people.netfilter.org/pablo/conntrackd/, announcement in http://lists.netfilter.org/pipermail/netfilter-devel/2006-May/024548.html) and ctsyncd (blog in http://gnumonks.org/~laforge/weblog/linux/netfilter/ct_sync/, SVN in https://svn.netfilter.org/netfilter/trunk/netfilter-ha/ct_sync/).

conntrackd came later but seems to be more active and feature-complete than ctsyncd (e.g. using both firewall nodes at once to double the bandwidth); it's not packaged for Debian yet (it's in some ITP list and Debian already has conntrack) and appears to be still in an experimental state.

Does anyone here have experience with anything like this?

Cheers,

--Amos
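Why the connection-tracking replication Amos asks about matters for a stateful firewall pair can be shown with a small model. The following is an added illustration, not code from the thread or from the conntrackd or ct_sync projects; the inside network 10.0.0.0/24, the server 203.0.113.10, the reduced flow key (client, server, port) and the class and function names (Packet, FirewallNode, run_failover) are all constructed. The policy is the usual stateful one: an outbound SYN from the inside opens a flow, and any other packet is accepted only if it matches an open flow.

```python
"""Toy model of stateful firewall failover with and without state
replication (added illustration; not code from conntrackd, ct_sync or the
thread).  Addresses, flow keys and the policy are all constructed."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

INSIDE_PREFIX = "10.0.0."          # constructed inside network
FlowKey = Tuple[str, str, int]     # (client, server, port), a reduced 5-tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    syn: bool = False


@dataclass
class FirewallNode:
    name: str
    flows: Set[FlowKey] = field(default_factory=set)
    # Standby that receives a copy of every new flow (the job a state-sync
    # daemon does over the sync link); None means no replication at all.
    peer: Optional["FirewallNode"] = None

    def accept(self, pkt: Packet) -> bool:
        """Stateful filter: True if the packet is forwarded."""
        if pkt.syn and pkt.src.startswith(INSIDE_PREFIX):
            key = (pkt.src, pkt.dst, pkt.dport)
            self.flows.add(key)
            if self.peer is not None:
                self.peer.flows.add(key)   # replicate the new state entry
            return True
        # Reply direction: the server answers the client, so the flow is
        # looked up with src/dst swapped.  Anything unmatched is dropped.
        return (pkt.dst, pkt.src, pkt.dport) in self.flows


def run_failover(replicate: bool, n_clients: int = 5) -> dict:
    """Open flows through the primary, fail over to the standby, and count
    how many in-flight replies the standby still lets through."""
    primary, standby = FirewallNode("fw1"), FirewallNode("fw2")
    if replicate:
        primary.peer = standby
    for i in range(1, n_clients + 1):
        primary.accept(Packet(f"10.0.0.{i}", "203.0.113.10", 443, syn=True))
    # The primary dies; the server's replies now arrive at the standby.
    replies = [Packet("203.0.113.10", f"10.0.0.{i}", 443)
               for i in range(1, n_clients + 1)]
    accepted = sum(standby.accept(p) for p in replies)
    # Replication must not weaken policy: an unsolicited inbound packet from
    # a host nobody on the inside talked to is still dropped on the standby.
    stray = standby.accept(Packet("198.51.100.7", "10.0.0.1", 443))
    return {"accepted": accepted,
            "dropped": len(replies) - accepted,
            "stray_accepted": stray}


if __name__ == "__main__":
    print("without state sync:", run_failover(False))
    print("with state sync   :", run_failover(True))
```

Without replication the standby starts with an empty table, so every reply belonging to a connection opened through the primary is dropped and clients must reconnect; with replication the same replies pass, and the unsolicited packet is still rejected either way. The model deliberately leaves out what the real tools have to get right: how state is carried between the nodes and what happens to a flow opened in the window before its replicated entry arrives.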