Re: Config files?
Hey Tim, We recently bought the NCM tool by SolarWinds as well. We've had it for two months, and I personally am quite happy with it. We had Cisco's CiscoWorks product for the last 5-6 years but ditched it because of it never quite works consistently. The thing to be aware of for config auditing, like with NCM's reports, is that in some environments config is ALWAYS changing. I'm in a small enterprise setup with a very dynamic datacenter and it is not abnormal to have a few hundred changes across a week with the number of server moves/rebuilds/expansions going on in our place. So in our case, we are primarily using NCM for pushing configs, and using the alerting of changes mostly to do spot checks on the fellow team-members. Since there are so many changes, it is nice to have visibility to make sure that appropriate standards are being met. David. On Wed, Oct 5, 2011 at 3:16 PM, Green, Timothy timothy.gr...@mantech.com wrote: Hey all! I'm a IT Security Manager (policy creation) that has been lurking on NANOG for about 3 years. I have some experience in networking but nothing like what is mostly talked about on here. I just love the talks you experts have and researching the tools you all mention. I was having a tough time yesterday explaining to one of my nosey co-workers why I had the word Octopussy on my screen yesterday! I'm trying to put a baseline policy together for all my network equipment and I have a few questions: 1. Should config files be consistent? By this I mean; does the STIG apply its baseline to the config files or elsewhere? 2. Are config file change alerts necessary for the security of network equipment? We have just purchased the SolarWinds suite. 3. Should we obfuscate our Private addresses on our Network Diagram? What is the common practice? 4. How can I get a grip on my ACLs or is it even possible? How do you all maintain them without going insane! If this isn't the correct forum for this low level stuff I understand; just guide me in the right direction. Thanks in advance! TG
Re: Config files?
Hi Tim, How long have you been on that position? IT Security Manager are you self-employed or running your own limited company? what areas of knowledge are you mostly interested in? where about are you based? what do you think the role of an IT Security Manager is about? From: David Swafford da...@davidswafford.com To: Green, Timothy timothy.gr...@mantech.com Cc: NANOG nanog@nanog.org Sent: Saturday, October 8, 2011 12:56 PM Subject: Re: Config files? Hey Tim, We recently bought the NCM tool by SolarWinds as well. We've had it for two months, and I personally am quite happy with it. We had Cisco's CiscoWorks product for the last 5-6 years but ditched it because of it never quite works consistently. The thing to be aware of for config auditing, like with NCM's reports, is that in some environments config is ALWAYS changing. I'm in a small enterprise setup with a very dynamic datacenter and it is not abnormal to have a few hundred changes across a week with the number of server moves/rebuilds/expansions going on in our place. So in our case, we are primarily using NCM for pushing configs, and using the alerting of changes mostly to do spot checks on the fellow team-members. Since there are so many changes, it is nice to have visibility to make sure that appropriate standards are being met. David. On Wed, Oct 5, 2011 at 3:16 PM, Green, Timothy timothy.gr...@mantech.com wrote: Hey all! I'm a IT Security Manager (policy creation) that has been lurking on NANOG for about 3 years. I have some experience in networking but nothing like what is mostly talked about on here. I just love the talks you experts have and researching the tools you all mention. I was having a tough time yesterday explaining to one of my nosey co-workers why I had the word Octopussy on my screen yesterday! I'm trying to put a baseline policy together for all my network equipment and I have a few questions: 1. Should config files be consistent? By this I mean; does the STIG apply its baseline to the config files or elsewhere? 2. Are config file change alerts necessary for the security of network equipment? We have just purchased the SolarWinds suite. 3. Should we obfuscate our Private addresses on our Network Diagram? What is the common practice? 4. How can I get a grip on my ACLs or is it even possible? How do you all maintain them without going insane! If this isn't the correct forum for this low level stuff I understand; just guide me in the right direction. Thanks in advance! TG
Re: Telus mail server admin
On Sat, Oct 08, 2011 at 04:58:09AM -, John Levine wrote: That's nice for you, but some of us are stuck with a corporate policy that requires us to use such disclaimers, or face disciplinary actions. Not to seem unsympathetic or anything, but it's not my problem if your management are idiots. I, for one, never use a corporate account to access mailing lists. My career has spanned many jobs, and I prefer to have a contiguous footprint that _I_ control... R's, John -- Brian Reichert reich...@numachi.com BSD admin/developer at large
Re: Botnets buying up IPv4 address space
* Christopher Morrow: On Fri, Oct 7, 2011 at 3:10 PM, Arturo Servin arturo.ser...@gmail.com wrote: I agree with Benson. In fact, for this problem I find irrelevant that IPv4 is running out. They are just looking for good reputation IP nodes. isn't this a short-lived problem then? IPv4 addresses will never run out in a strict sense of the word, it will just become increasingly more difficult to reassign IPv4 address space to those who need it.
Re: Botnets buying up IPv4 address space
On Sat, Oct 8, 2011 at 11:14 AM, Florian Weimer f...@deneb.enyo.de wrote: IPv4 addresses will never run out in a strict sense of the word, it will just become increasingly more difficult to reassign IPv4 address space to those who need it. And hopefully... the greater the address space pressure or contention there is for IPv4 address resources, the more strongly organizations will feel compelled towards swapping over to IPv6 :) -- -JH
NeuStar locality .us domains.
I know it's not very common these days but I am a big fan of the locality.ST.us domain structure as it was setup 25+ years ago. Having been in the ISP industry for more than half that time I have also dealt with 100's of these registrations although maybe only 25 in the last year. Guess I have been lucky since all of them were with previously delegated localities. So today I go to register a domain for a friend, in what I consider to be a large enough city to have at least been delegated in the past (Lowell, MA) but of course it is currently assigned to NeuStar. I send in the request anyways, figuring there will just be some additional paperwork. This is the response I receive. . The US Department of Commerce has specifically stated that only certain 4th level domains can be registered until further notice. The DoC has only allowed us to register fourth level domain names beginning with borough, ci. for city, co. for county, twp. or town for township, or vil. for village. . I have had a couple back and forths with there support department. Waiting for a response coming during the work week. Does anyone know the actual status of the locality .us structure? Are they trying to push people to the .us pay domains? Isn't NeuStar up for renewal on their last 1 year extension? -- Alex Romanauskas ZipLink / GNAPs
