The occasional trials and tribulations of a jack of all trades sysadmin in a startup in Silicon Valley
For the best possible security, servers should be on a separate network from any machines that connect to them, and the traffic to and from the servers should be restricted by a firewall with active intrusion detection monitoring.
That type of firewall is complex to manage and likely to be quite expensive (in general, throughput is a major factor in the cost of a firewall). The benefits of such a setup are unlikely to surpass the limitations and expenses incurred. The opposite end of the spectrum is to plop your servers onto the same network as all of your machines and do everything on that one network.
A good in-between setup is to place your servers on two separate networks and move all services that you can from the network shared with the workstations to the server only network (effectively setting up an out-of-band network).
Each of my servers has at least two network interfaces (mostly dual port Intel Pro 1000/MT Server Adapters). One of those interfaces is connected at 100 megabit to the general network shared with all of the workstations. The other uses a private IP address. This setup has provided performance improvements and increased security. The performance is only really noticed when performing backups, although it has given me the bandwidth needed to experiment with the idea of moving my VMware images to a NAS-like device.
For the security improvements, I needed to move services from the public network to the private one. I was able to relatively easily move my snmp queries, backup process, and ssh access to be accessible to only the private network. Now if only I could work out how to only enable Windows Remote Desktop on just one interface.
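A quick way to check which services have actually been moved off the shared network is to look at what each server is listening on and flag anything still bound to the wildcard address. This is an added example, not from the original post; it assumes Linux-style `netstat -ltn` output, uses a constructed sample in place of a real host, and takes the private interface address from a placeholder `PRIVATE_IP` (Solaris netstat formats its columns differently, so the awk field positions would need adjusting there).

```shell
#!/bin/sh
# Audit listening TCP services: are they bound to the private (server-only)
# interface, or still reachable on every interface via the wildcard address?
# PRIVATE_IP is a placeholder for the server-only interface address.
PRIVATE_IP="${PRIVATE_IP:-10.0.0.5}"

# Constructed sample of `netstat -ltn` output (not from a real host).
# ssh (22) and the backup agent (10000) have been moved to the private
# interface; the web server (80) is meant to be public; RDP (3389) is not yet
# restricted to one interface.
sample_netstat() {
  cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:22             0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:10000          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3389            0.0.0.0:*               LISTEN
tcp6       0      0 :::3389                 :::*                    LISTEN
EOF
}

# Read netstat output on stdin; print "<port> <status>" for each LISTEN line.
# status is "private" (bound to PRIVATE_IP only), "wildcard" (all interfaces)
# or "other:<addr>" (bound to some other specific address).
classify_listeners() {
  awk -v priv="$PRIVATE_IP" '
    $NF == "LISTEN" {
      n = split($4, a, ":")
      port = a[n]
      # address is everything before the final ":port" (handles IPv6 forms)
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr == "0.0.0.0" || addr == "*" || addr == "::" ||
          addr == ":" || addr == "[::]")
        print port, "wildcard"
      else if (addr == priv)
        print port, "private"
      else
        print port, "other:" addr
    }'
}

# Number of listeners still exposed on all interfaces (stdin = netstat output).
count_wildcard() {
  classify_listeners | awk '$2 == "wildcard"' | wc -l | tr -d ' '
}
```

Run it on a real host with `netstat -ltn | classify_listeners`; every "wildcard" line that is not meant to be public is a service that still needs to be bound to the private interface.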
[2006/05/18 | /networks | permanent link]
There was a box in my mailbox the other day. At first I thought it was a new batch of CDs for my TechNet subscription. The box turned out to be the wrong size, and most definitely the wrong color.
Now I have become pretty calloused in throwing out flashy advertisements, but this one had a shiny red box! It turned out to be an advertisement for ExaGrid's disk-based backup system.
Now I'm not in the market for a backup system; and I am a bit uneasy with black box backup system hardware. But I did get a little bottle of Tabasco Sauce, so it wasn't a total loss.
[2006/05/16 | /random | permanent link]
As I tweak various bits on the blog, I thought I should share what all makes this blog go. The webserver is Apache running on Solaris on Sun hardware with an UltraSPARC processor. The blog software is Blosxom.
Tangent: Now Blosxom hasn't really actively been developed since 2003. And the author migrated away from the package in early 2006. I don't let such things bother me though, as I am used to choosing software packages and products that aren't really the most popular or mainstream. There is however an active User Group, Yahoo group, and a SourceForge Group.
Now blosxom is a darned simple package, less than 400 lines of perl parsing text files in a simple directory structure. That simplicity is part of what attracted me to the package, but it does mean I have a few plugins to add or refine various features.
[2006/05/05 | /about | permanent link]
Written 2006-05-03
(image: the card; the original links to a full view)
This card amused me and has puzzled many friends and acquaintances over the years. It is indeed as simple as it looks, an ISA card with a momentary switch connecting two pins on the card slot. The back is just as simple as the front. I am not sure what it was used for; my best guess is that it was used to manually trigger an interrupt for hardware developers.
If you have a good idea as to what it is, please contact me so I can update this post.
[2006/05/03 | /cool old stuff | permanent link]