Re: [lopsa-discuss] Hype Convergence: Nutanix Questions

2016-12-18 Thread Matt Finnigan
I can answer question 2 for simplivity and similar vendors. We are
currently on HP blades and Nimble storage, and we evaluated Simplivity.
We're much heavier on storage than compute/RAM requirements. We would have
had to overbuy significantly on nodes to get the storage requirements.

You can add just storage, but then you lose the benefits of the
hyperconvergence - the dedupe and IO benefits, the integrated
snapshots/backup. If you needed a lot of storage but it was "second tier",
that might not be a problem for you.

We ended up going with a stack of new DL360 pizza boxes and more Nimble. We
also have an existing investment in Veeam, and a requirement to get backups
onto tape, so it made more sense for us.

On Sat, Dec 17, 2016 at 7:18 AM, Joseph Kern wrote:

> Is there anyone running Nutanix (or any "hyperconverged" architecture) at a
> large scale on this list?
>
> I have a few questions:
>
> 1. Nutanix performance compared to Dell/HP + Netapp (do I need to
> over-purchase Nutanix to get similar performance results for the same
> hardware)?
> 2. Is there a way to just scale storage (I have a feeling you need to buy
> more compute as well)
> 3. Common pitfalls in implementation or operations and maintenance?
> 4. Does this current generation of "hyperconverged" architecture seem as
> immature as I think it is?
> 5. What type of support and turnaround time does Nutanix offer?
>
>
> --
> Joseph A Kern
> joseph.a.k...@gmail.com
>
> ___
> Discuss mailing list
> Discuss@lists.lopsa.org
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
>  http://lopsa.org/
>
>


Re: [lopsa-discuss] Multi-Factor Authentication - Who's the Best

2016-12-01 Thread Matt Finnigan
I've implemented RSA RBA (risk-based authentication), which builds on a lot
of the same infrastructure as their fob-based product. I haven't done Duo.
I'll be implementing Okta sometime next year, we already use it for SSO.

Product-agnostic implementation outline:

You need their server/VM/appliance, and whatever you're adding the auth
layer onto has to support your product (or vice-versa.) You may end up
installing something that replaces the default OWA login page for Exchange,
for example. You may have to point Cisco AnyConnect to a customized RADIUS
server. It all depends on what's getting MFA added to it.

Their software/appliance now needs to get a user list; it may integrate
into AD directly, it may require LDAP, etc. There's going to be some way to
provision users into the system, defining who is and isn't covered by MFA.

-Matt Finnigan


On Wed, Nov 30, 2016 at 1:31 PM, Kyle Stewart <_kylestew...@outlook.com> wrote:

> Hi all, hope this email finds everyone well. We're looking into setting up
> two-factor authentication at my company for a 2017 project and I'm in the
> "Let's get the lay of the land" phase. Right now it seems like Duo is
> making big headway in this market, but I've heard good things about RSA as
> well. I'd love to get some first-hand feedback from people who have used
> these types of 2FA solutions who aren't sales people :)
>
>
> Overall I get what 2FA/MFA does, but I'm blurry on how it gets implemented
> - at face value I'm very interested in Duo so if anyone has experience with
> Duo and setting it up (preferably alongside Palo Alto's and GlobalProtect)
> that'd be fantastic.
>
>
> Thanks in advance!
>
>
> _
> Kyle Stewart
>


Re: [lopsa-discuss] How to you track relationships between servers, services, etc.

2016-11-21 Thread Matt Finnigan
You can use automated tools that capture this, to varying degrees of
success and expense (both monetary and operational time.)

We use ServiceNow's CMDB, which will let you manually assign relationships
between assets. They do sell an automated tool, but we haven't purchased
it. We're not a very dynamic environment, so if you're willing to put in
the time to populate (and update) it, it works well.

On Mon, Nov 21, 2016 at 10:58 AM, Ski Kacoroski wrote:

> Hi,
>
> I have been asked to create a way to link servers, storage,
> switches to services so if we need to work on a server, storage, or switch;
> we know what services it will affect.  Just wondering if other folks have
> solved this problem.
>
> cheers,
>
> ski
>
> --
> "When we try to pick out anything by itself, we find it
>   connected to the entire universe" -- John Muir
>
> Chris "Ski" Kacoroski, kacoro...@gmail.com, 206-501-9803
> or ski98033 on most IM services


Re: [lopsa-discuss] BCMOne & Panterra

2016-09-26 Thread Matt Finnigan
Kyle,
FYI, they will absolutely put you on MPLS, that's what we're doing with
them for our offices. Cheaper than Windstream, too.

On Mon, Sep 26, 2016 at 3:43 PM, <kyle.b.stew...@hotmail.com> wrote:

> Hi Matt,
> We almost went with Fuze / TPN as well actually. We ran into limitations
> with their system where they could not implement the call coverage buttons
> that we wanted (we're a 15 person shop and rely on these heavily rather
> than traditional call trees or hunt groups.)
> In order to get the functionality we wanted it meant each user needed 2
> buttons to cover one person. Not ideal, especially for the secretary who'd
> wind up having about 20 buttons to watch.
> Aside from that, it was the call quality that we didn't like. Since
> they're routing over internet, you lose quite a bit of quality compared to
> having a dedicated MPLS circuit for voice traffic. Don't get me wrong, if
> you've never been on an MPLS circuit you won't hear the difference, but if
> you had a phone routing over internet and another routing over MPLS side by
> side, you'll hear it.
>
> Hope that helps
>
> ___
> Kyle Stewart
>
> On Sep 26, 2016, at 2:27 PM, Matt Finnigan <mfinni...@gmail.com> wrote:
>
> We're about to implement Fuze (formerly ThinkingPhones) - what were your
> reasons for passing them by? We had a reference call with a similar-sized
> law office to mine (we're 400 employees at three sites), they loved it.
>
> On Thu, Sep 22, 2016 at 1:39 PM, Kyle Stewart <kyle.b.stew...@hotmail.com>
> wrote:
>
>> Hopefully this email goes through - I think this is my first time posting
>> to the general discussion area.
>>
>> We are looking to migrate from our aging on-prem Cisco UC 7.0 platform to
>> a cloud-based VoIP solution. We've been through ThinkingPhones and 8x8
>> without any sort of success, and are now looking to utilize a platform
>> called Panterra, offered by our existing telecoms provider, BCMOne.
>>
>> We're wondering if anyone has used or heard anything on this platform and
>> could speak to it. Our concerns are voice quality, uptime, and how much
>> (generally speaking) they actually care. Eg. are they just interested in
>> closing tickets? Or do they actually want to see resolutions. That kind of
>> stuff.
>>
>> Thoughts from the community?
>>
>> _
>> Kyle Stewart
>>


Re: [lopsa-discuss] The Goal in a Craft Culture Organization?

2015-12-21 Thread Matt Finnigan
I'm sure no one will say that an R&D organization should be run the same
way as a production organization. Creation of a fancy new product depends
on a lot of things that don't line up with the way to run a production
line/factory floor, of course. The latter can lend itself to formalization;
the former, of course, cannot. That's why skunkworks and R&D departments
are run the way they're run - you can't really productize invention, you
can only invest in a wide portfolio of attempts and hope enough pan out to
justify the investment.

On Mon, Dec 21, 2015 at 12:41 PM, Atom Powers wrote:

>
> Thank you Yves, you describe what I term the "business culture" very well.
> A year ago I might have agreed with anybody who described this as the
> "only" way to run a business. Now I believe that it may not even be the
> best way.
>
> Where did Gmail come from? Or Amazon Mom, Google Glass, etc.? These
> products were not built to satisfy a specific need for a given life cycle;
> they were created because somebody thought that it would be cool to do that
> and then the business supported the experiment to build that product the
> best way that they could, without an immediate concern to whether that
> product would be profitable.
>
> Talk to anybody at Amazon and they will tell you that their driving goal
> is to build the best product for their customers. Not the most profitable
> product or the product that fills a niche, just the best product they can
> build. If you go to Google and say "we should build a router for X specific
> market segment" they will laugh you out the door; if you say "we should
> build a router because we can do it better than anybody else" then you have
> a new project to work on.
>
> Much of Drucker's work does apply to a "craft culture" and some of it
> blatantly doesn't, like managing top-down resource constraints. The
> Capabilities Maturity Model is generic enough that it could apply to either
> and it makes no mention of how or why a product is being developed.
>
> I'm interested in books and resources about working in and creating a
> bottom-up "craft culture" organization. Or in learning that I am now insane
> and need to spend some time in a padded room without Internet.
>
>
> On Mon, Dec 21, 2015 at 9:21 AM Yves Dorfsman wrote:
>
>> > On Dec 21, 2015 9:51 AM, "Atom Powers" wrote:
>> >
>> > A business culture organization is one where you do work because it is
>> > profitable to do the work. You build products because you want people
>> > to buy those products. Examples: Comcast, Dell, Oracle, and almost
>> > everybody with publicly traded stock.
>> >
>> > A craft culture organization is one where you do work because it
>> > improves the product. You build products because you want to build the
>> > best thing. Examples: Amazon, Google, Lego, and often private companies.
>> >
>>
>> On 2015-12-21 09:03, Atom Powers wrote:
>> > Of course business cultures try to make the best product they can (as
>> > long as it is cost effective) and craft cultures try to make money (on
>> > the best products they can make). It isn't a black-and-white distinction.
>> > You could probably also call this a top-down (business) vs bottom-up
>> > (craft) culture.
>> >
>>
>> I don't buy this... To me craft resonates with Maturity Level 1 (※): you're
>> playing around, learning, with no care for cost nor efficiency. "Business"
>> resonates with Maturity Level 3 (※) and up, with understanding of costs,
>> profit, long and short term goals etc... Yes there are people doing
>> "business" at each level of maturity, and some businesses move through
>> levels while others cater for different levels in different departments (eg:
>> R&D vs Production, startups vs established market).
>>
>> There is no such thing as "the" best product; products are designed for a
>> specific need for a given life cycle. Every real-world product is a
>> compromise (even mustard!). For example, what is "the best network switch"?
>> For people who don't need VLANs in their home, the $60 one; for my own home
>> the $200 one, but I hope my ISP is using the $3000 one and has two of them.
>>
>>
>> ※ https://en.wikipedia.org/wiki/Capability_Maturity_Model#Levels
>>
>> --
>> http://yves.zioup.com
>> gpg: 4096R/32B0F416
>>
> --
> Perfection is just a word I use occasionally with mustard.
> --Atom Powers--
>

Re: [lopsa-discuss] Questions on DNS/DHCP/IPAM software

2015-05-01 Thread Matt Finnigan
Most of my experience is with Windows Server, which can easily do DHCP and
DNS via GUI :-)

It's certainly less expensive than the vendors you're looking at. IPAM
isn't amazing in Windows, but it can mean different things to different
people, so maybe it can fill your requirements for that part.


Re: [lopsa-discuss] Most common (or Most important) privacy leaks

2015-02-17 Thread Matt Finnigan
As an IT person, the approach you should have is compliance with company
policies. Of course, it is hoped that company policy was written to comply
with any relevant legal requirements like HIPAA, or SEC regs, state privacy
laws, etc - if not, you may have to step into more of a compliance role
than just strict IT. Not everyone can (or should) do this, but it's like
anything else - you do your best to advise management and then get
commitment to compliance.

After that, you ensure that you have the necessary tools (technological
and/or process-based) to achieve compliance, and then you (or someone else)
works on user education and perhaps some form of auditing. If there is a
legal or compliance team, you had better be working with them.

Find out why people are not following the processes that exist and they
have been educated on. Are the processes and tools not easy to use
(something for you to fix) or are they bad workers taking risky shortcuts
(something for HR and management to fix.)

I don't really think it's up to you, as IT, to handle much triage and
prioritization. Obviously, IT needs to have its own house in order, so DO
THAT FIRST (it's probably your job to do so), and then write a report of
findings with associated risks for management to analyze and assign
priorities to. The only thing I think that you can assign weight to is the
risks portion; management/ownership are the people who accept the risk or
assign resources to fix the problems.

On Tue, Feb 17, 2015 at 8:42 AM, Edward Ned Harvey (lopser) lop...@nedharvey.com wrote:

  I see a lot of people and businesses out there, that just don't care
 about their own privacy.  They email passwords to each other, W2's with
 salary and social security information, photocopies of drivers' licenses
 and passports to be used by HR to complete I-9 forms...



 As an IT person advising a business to be more responsible, what areas do
 you advocate securing most urgently?  IT admin credentials?  HR records?
 Financial records?  Other stuff?  Simply everything, bar none?



 Email is obviously a huge area of insecure information sharing.  Do you
 also see a lot of people storing information that should be secured in
 other non-private services like Dropbox, Google Drive, Box, etc?




Re: [lopsa-discuss] Management of credentials for a group (aka, nonprofit org, or a large club)

2014-11-12 Thread Matt Finnigan
A password management vault. At my current large client, we use PMP,
Password Manager Pro, and I quite like it.
For myself, I use and enjoy LastPass, and they have an Enterprise version
as well.

On Wed, Nov 12, 2014 at 10:28 AM, Craig Constantine cr...@constantine.name wrote:

 Ideas/best-practices/specific recommendations on how to manage credentials
 (login instructions/urls, usernames, passwords, private keys, etc) for a
 group; for example a non-profit with a board of directors, or a large club
 of people…

 --Craig Constantine, http://constantine.name




Re: [lopsa-discuss] Data Centers / DR Sites

2014-10-14 Thread Matt Finnigan
My recent employers have had racks or cages at Internap in Somerville MA,
although they have other locations. They do what they say they're going to
do.

On Tue, Oct 14, 2014 at 4:54 PM, Warner w...@projectgamma.com wrote:

 I know the Columbus, OH market really well as well as some regional
 markets. Unfortunately, the areas I'm looking at are new to me.

 I'm looking for a tier 3 or better top class data center for DR
 purposes. It will serve as a co-location facility for servers, probably
 a cage with approximately five racks. Carrier neutrality is preferred.

 Of course, I want standard security fare (CCTV, access control, physical
 controls) as well as redundancy (power - generators/UPS/redundant feeds
 and cooling).

 I'm exploring the Atlanta, Dallas, and Charlotte areas. Any
 recommendations?


 Thanks,

 Warner



Re: [lopsa-discuss] Certificate confusion

2014-10-10 Thread Matt Finnigan
To filter HTTPS traffic in this way, you *do* in fact need to pose as
Google using a self-signed cert. You're essentially performing a MitM
attack against your own users, in that scenario - and yes, think of the
damage you could do. If you don't want to do that, then you can't filter
the HTTPS traffic.

On Thu, Oct 9, 2014 at 7:46 PM, Ski Kacoroski kacoro...@gmail.com wrote:

 Hi,

 I need someone with more certificate-fu than I have.  I have an iBoss web
 filtering device that sits in between our internal users and the internet.
 We are trying to set it up to also filter https web pages which means it
 has to decrypt the connection to see what is going on. They are claiming
 that we have to use a self-signed cert on their device instead of our
 wildcard *.nsd.org cert and then install the public key on all the
 browsers of our internal machines which, as you can imagine, is not
 something we want to do or maintain.  I have 6500+ macs, 3000 chromebooks,
 2000 ipads, 1000 windows, and several hundred other things such as kindles,
 etc.  In addition, several of these have multiple browsers.

 I appreciate any comments or ideas why we cannot get our wildcard cert to
 work (it works with everything else except for an old Oracle application
 server where I had to get a machine specific cert).

 Their description is:
 

 * The certificate needed to do the decryption must be trusted by the
 browser to sign ALL domains.
 * GoDaddy and other Certificate Authorities (CA) will not sign a
 certificate for use with domains other than your own. So… The certificate
 must be self-signed with no verification path back to a trusted CA.
 * The *.nsd.org certificate you have will work to access the iboss UI,
 block or login pages.

 Follow up email states:
 The first 2 bullet points from yesterday are important to understand.
 There is no possibility of getting a CA certificate from anyone that is
 trusted by the browsers. As far as we have seen it takes a CA cert to be
 fully functional for intercepting HTTPS traffic and re-sign so that the
 browser will accept it. This means using a self-signed cert. To stress the
 point, imagine what damage you could do with a certificate that allowed you
 to pose as Google without the browser alerting the user.

 I can’t answer why we have had the limited success with decrypting using
 the *.nsd.org or how far we can push it. In a couple cases we were able
 to get everything working unless Chrome was used. In another case IE seemed
 to be the biggest problem. They each perform validity checks of their own
 design. Technically, the cert you have should not be accepted to sign
 anything. That is not a feature of the cert (CA:FALSE).
 

 cheers,

 ski


 --
 "When we try to pick out anything by itself, we find it
   connected to the entire universe" -- John Muir

 Chris "Ski" Kacoroski, kacoro...@gmail.com, 206-501-9803
 or ski98033 on most IM services

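The thread's two claims, that a leaf certificate with CA:FALSE cannot re-sign anything and that only a self-signed CA installed in every browser makes interception work, can be checked with the standard-library verifier. The following Go program is an added example, not code from the thread or from the iBoss vendor: it builds a throwaway self-signed "filter" CA and a public-CA-issued *.nsd.org leaf, tries to sign a certificate for a constructed host name with each, and asks Go's chain validation what a client trusting the respective roots would do. The CA names, serial numbers and the target name www.example.com are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newTemplate always sets BasicConstraintsValid, so CA:FALSE is explicit on leaves as on the wildcard cert.
func newTemplate(cn string, isCA bool, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
}

// issue generates a P-256 key for tmpl and has parent sign it; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signerKey := key
	if parent == nil {
		parent = tmpl
	} else {
		signerKey = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func mustIssue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	cert, key, err := issue(tmpl, parent, parentKey) // setup certificates are not expected to fail
	if err != nil {
		panic(err)
	}
	return cert, key
}

// canImpersonate issues a server certificate for host signed by signer and asks Go's verifier
// whether a client trusting roots would accept it; the reason says which side refused.
func canImpersonate(host string, signer *x509.Certificate, signerKey *ecdsa.PrivateKey,
	roots, intermediates *x509.CertPool) (bool, string) {
	tmpl := newTemplate(host, false, 99)
	tmpl.DNSNames = []string{host}
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	forged, _, err := issue(tmpl, signer, signerKey)
	if err != nil {
		return false, "signer refused: " + err.Error()
	}
	if _, err := forged.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: intermediates}); err != nil {
		return false, "client rejected: " + err.Error()
	}
	return true, "accepted"
}

// Outcome holds the result of both scenarios for one target host.
type Outcome struct {
	FilterCA, Wildcard             bool
	FilterCAReason, WildcardReason string
}

func RunScenarios(host string) Outcome {
	var out Outcome
	// Scenario 1: the appliance's own self-signed CA, pushed into every browser's trust store.
	filterCA, filterKey := mustIssue(newTemplate("Filter Root CA", true, 1), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(filterCA)
	out.FilterCA, out.FilterCAReason = canImpersonate(host, filterCA, filterKey, roots, nil)
	// Scenario 2: a public CA's *.nsd.org wildcard leaf (CA:FALSE) used as the signer.
	publicCA, publicKey := mustIssue(newTemplate("Public Root CA", true, 2), nil, nil)
	wildTmpl := newTemplate("*.nsd.org", false, 3)
	wildTmpl.DNSNames = []string{"*.nsd.org"}
	wildcard, wildKey := mustIssue(wildTmpl, publicCA, publicKey)
	publicRoots, inters := x509.NewCertPool(), x509.NewCertPool()
	publicRoots.AddCert(publicCA)
	inters.AddCert(wildcard)
	out.Wildcard, out.WildcardReason = canImpersonate(host, wildcard, wildKey, publicRoots, inters)
	return out
}

func main() {
	out := RunScenarios("www.example.com") // constructed target name, not from the thread
	fmt.Printf("filter CA: %v (%s)\nwildcard:  %v (%s)\n", out.FilterCA, out.FilterCAReason, out.Wildcard, out.WildcardReason)
}
```

The second scenario fails whether Go refuses to sign with a non-CA parent or the verifier rejects the chain; either way the reason string names the check that stopped it.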


Re: [lopsa-discuss] Help me with an article?

2014-10-03 Thread Matt Finnigan
Here's a good discussion on ServerFault
http://serverfault.com/questions/171893/how-do-you-search-for-backdoors-from-the-previous-it-person/171924

Plus, Tom Limoncelli's two volumes on The Practice of System and Network
Administration do quite a good job of covering this.

As you can imagine, a requisite part of this is an accurate inventory of
all the accounts and authorizations that users have, both in-house and with
vendors/hosters/cloud providers - including the bank, the local PF/FD, the
security/alarm company, etc.

On Fri, Oct 3, 2014 at 3:13 PM, Esther Schindler est...@bitranch.com wrote:

 Howdy, folks. It's me again -- your random writer/journalist who
 occasionally asks for input in order to ensure her articles reflect the
 real world.

 In particular: *What should a company do to protect its information when
 an employee departs?* When someone leaves the company, the HR department
 is quick to grab the employee's laptop. But what about the data on the
 employee's equipment? How can the organization know what's on her mobile
 devices? Does anyone know to which websites and other cloud-based software
 the employee has access?

 I'm aiming to create a checklist for IT (working with HR) to ensure the
 company's data doesn't walk out the front door.

 For example, I still have access to a surprising number of websites and
 other company/client resources. For example, one client had given me access
 to Google Analytics in 2009. They closed down the project in 2010 (and I
 believe there's NOBODY left at the company who even remembers it existed).
 But I can see its web traffic today. I also had access to a major
 publication's blog comment system (e.g. mark as spam) for three years,
 and the only reason it went away then is that they changed their commenting
 system. It's a good thing I'm ethical, or I could have had entirely too
 much fun doing naughty things.

 So… what advice would you give sysadmins about what to look for? Because
 while it might occur to IT to change a user's admin rights on Active
 Directory, it might not occur to them to check for all site access (if they
 even know, and I'm sure that in neither of my cases anyone did).

 I could quote you by name if you like, but I'm just as happy to share your
 wisdom without naming names. Here I only care about expertise… not who said
 it. So you don't have to worry about getting in trouble!

 Can you send me whatever input you have by, say, Tuesday October 7th?




Re: [lopsa-discuss] Anything like Linode's LISH out there?

2014-10-01 Thread Matt Finnigan
That does only work because they are VMs. If you have physical boxes, you
can use IP-KVM (as you know) or you can pay for terminal server hardware,
assuming all of your servers have appropriate serial consoles. Then, you
could front-end that terminal server hardware with some sort of access
server, so that you could do it all over SSH.

On Wed, Oct 1, 2014 at 4:40 PM, Craig Constantine cr...@constantine.name wrote:

 Linode has a “LISH” feature. Basically, you ssh to one of their systems,
 and it can connect you to the console of your virtual machine (your linode).

 Anyone know how that actually works under the hood? …does it only work
 because they’re running VMs?

 I would really love to be able to dumpster the whole model of
 JavaApplet--KVM-IP—KVM-dongles . . .

 --Craig Constantine, http://constantine.name





Re: [lopsa-discuss] Anything like Linode's LISH out there?

2014-10-01 Thread Matt Finnigan
Of course, there's also vendor-supplied remote access tools like DRAC and
iLO, assuming your hardware is from one of those vendors.



Re: [lopsa-discuss] Why don't people join Lopsa?

2014-07-31 Thread Matt Finnigan
No, you're paying to go to the conference. Such events are rarely free. You
could choose to not attend the conference.


On Thu, Jul 31, 2014 at 12:22 PM, Derek Balling dr...@megacity.org wrote:


 On Jul 31, 2014, at 12:18 PM, Will Dennis willard.den...@gmail.com wrote:

 Honestly, if not for the bundled LOPSA membership that I get from
 attending PICC/LOPSA-EAST conf, my membership would have lapsed a long time
 ago, because everything I want that LOPSA provides is free to anyone
 (aforementioned mailing lists and IRC.)


 ^- This.

 This is literally the *only* value I perceive in LOPSA at the present
 time. If I wasn't riding high on memberships obtained from prior
 sponsorship and from conference attendance, I would have let it lapse a
 long long time ago.

 I am a member not by choice at this point but because I am captured,
 like a union-shop employee, unable to go to a given conference without
 kicking up to the local capo who ensures that everything runs smoothly
 because that's a really nice conference you've got there, it'd be a shame
 if anything happened to it.

 D





Re: [lopsa-discuss] Tracking CVEs / security updates

2014-03-18 Thread Matt Finnigan
Ideally, you only allow the ports from the scanner to the other machines at
the time that you're running the scan.
If you have thousands of servers, you're *not* doing this manually; you're
automating the process.


On Tue, Mar 18, 2014 at 12:39 PM, A O Doll ini...@hotmail.co.uk wrote:

 Question from a rookie here:
 Is it wise to rely on a scanner to check critical points? If the scanner
 has its own set of privileges, is it feasible that someone might use this
 as a means to attack the network?

 Also, a suggestion for output:
 Each scan is logged in a spreadsheet with a date and time, and any issues
 raised. The spreadsheet is emailed internally to the operator, who can then
 review it.

 --
 Date: Mon, 17 Mar 2014 17:13:55 -0400
 From: mfinni...@gmail.com
 To: disc...@lopsa.org
 Subject: Re: [lopsa-discuss] Tracking CVEs / security updates

 In the past (at companies under PCI compliance) we've had a vulnerability
 scanner that runs at intervals (monthly or quarterly) and tells you what
 needs to be patched (or covered with paperwork, i.e. documentation of
 mitigating controls.) It is updated with the latest CVE entries on its own
 interval, presumably before scanning.

 The scanner may dump its output into a ticket system, or not. Depends on
 how you want to track the work.


 On Mon, Mar 17, 2014 at 2:23 PM, Phil Pennock lopsa-discuss+p...@spodhuis.org wrote:

 What are people currently using for tracking status of security updates
 of software which you depend upon in production?  This is separate from
 "apply vendor security updates" as it pertains to the items which you
 build from source or with custom packaging, because it's a core part of
 the line of business, or for whatever other reason.

 Just tickets in your regular ticketing system, perhaps in a special
 queue?  Something else?  What sort of automation?

 Eg, a vendor security notice (Ubuntu USN or whatever) comes in; does it
 tie into existing tickets with CVEs already tracked and handled, or is
 it a new issue?  Is it partly for something already dealt with, but
 there's an extra CVE which was fixed and which needs a new rollout?
 How do you track when you'll need customer/client notification, vs just
 being able to hotfix?  How do you track release qualification status?

 If you're using an existing ticketing system with some customisation,
 are there any templates which you can share?

 Thanks,
 -Phil






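Phil's question about whether an incoming vendor notice ties into CVEs already tracked in tickets, is partly handled with an extra CVE that still needs a rollout, or is entirely new, as an added Go example that is not from the thread or from any ticketing product: it extracts the CVE identifiers from a notice and sorts them against a ticket list into new, fixed-but-not-rolled-out, still open and already deployed. The ticket shape, status names, notice text, ticket ids and CVE numbers are constructed placeholders.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Ticket is the assumed shape of one entry in a security-patch ticket queue.
type Ticket struct {
	ID     string
	CVEs   []string
	Status string // "open", "fixed" (patched build exists) or "deployed" (rolled out)
}

// Report sorts the CVEs in one notice into the cases the question raises.
type Report struct {
	New          []string          // no ticket mentions it: open a new one
	NeedsRollout map[string]string // CVE -> ticket whose fix has not been rolled out yet
	Open         map[string]string // CVE -> ticket still being worked
	Covered      map[string]string // CVE -> ticket already deployed
}

var cveRe = regexp.MustCompile(`\bCVE-\d{4}-\d{4,}\b`)

// ExtractCVEs returns the distinct CVE identifiers in free text, upper-cased and sorted.
func ExtractCVEs(text string) []string {
	seen := map[string]bool{}
	for _, m := range cveRe.FindAllString(strings.ToUpper(text), -1) {
		seen[m] = true
	}
	ids := make([]string, 0, len(seen))
	for id := range seen {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	return ids
}

// Reconcile matches the CVEs in a vendor notice against the existing tickets.
// If two tickets cite the same CVE, the later one in the slice wins.
func Reconcile(notice string, tickets []Ticket) Report {
	byCVE := map[string]Ticket{}
	for _, t := range tickets {
		for _, id := range t.CVEs {
			byCVE[strings.ToUpper(id)] = t
		}
	}
	r := Report{NeedsRollout: map[string]string{}, Open: map[string]string{}, Covered: map[string]string{}}
	for _, id := range ExtractCVEs(notice) {
		t, known := byCVE[id]
		switch {
		case !known:
			r.New = append(r.New, id)
		case t.Status == "deployed":
			r.Covered[id] = t.ID
		case t.Status == "fixed":
			r.NeedsRollout[id] = t.ID
		default:
			r.Open[id] = t.ID
		}
	}
	return r
}

// Constructed sample data: the notice id, CVE numbers and ticket ids are placeholders.
var SampleNotice = `USN-0000-1 (constructed): libfoo vulnerabilities
Several security issues were fixed in libfoo.
CVE-2014-99901: buffer overflow in the parser.
CVE-2014-99902, CVE-2014-99903: denial of service via crafted input.`

var SampleTickets = []Ticket{
	{ID: "SEC-42", CVEs: []string{"CVE-2014-99901"}, Status: "deployed"},
	{ID: "SEC-43", CVEs: []string{"CVE-2014-99902"}, Status: "fixed"},
}

func main() {
	r := Reconcile(SampleNotice, SampleTickets)
	fmt.Println("new tickets needed for:", r.New)
	fmt.Println("fix built, rollout pending:", r.NeedsRollout)
	fmt.Println("still open:", r.Open)
	fmt.Println("already deployed:", r.Covered)
}
```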