Life of a Sysadmin 05 2006

Private Server Networks, or A Great Step for Security

For the best possible security, servers should be on a seperate network from any machines that connect to them and the traffic to and from the servers should be restricted by a firewall with active intrusion detection monitoring.

That type of firewall is complex to manage and likely to be quite expensive (in general, throughput is a major factor in the cost of a firewall). The benefits of such a setup are unlikely to surpass the limitations and expenses encurred. The opposite end of the spectrum is to plop your servers onto the same network as all of your machins and do everything on that one network.

A good in-between setup is to place your servers on two separate networks and move all services that you can from the network shared with the workstations to the server only network (effectively setting up an out-of-band network).

Each of my servers has at least two network interfaces (mostly dual port Intel Pro 1000/MT Server Adapters). One of those interfaces is connected at 100 megabit to the general network shared with all of the workstations. The other uses a private ip addressThis setup has provided performance improvements and increased security. The performance is only real noticed when performing backups, although it has given me the bandwidth needed to experiment with the idea of moving my VMWare images to a NAS like device.

For the security improvements, I needed to move services from the public network to the private one. I was able to relatively easily move my snmp queries, backup process, and ssh access to be accessible to only the private network. Now if only I could work out how to only enable Windows Remote Desktop on just one interface.

Tabasco Sauce, or To bad I'm not in the market for the Product

There was a box in my mailbox the other day. At first I thought it was a new batch of CDs for TechNet subscription. The box turned out to be the wrong size, and most definately the wrong color.

Now I have become pretty calloused in throwing out out flashy advertisements, but this one had a shiny red box! It turned out to be an advertisement for ExaGrid's disk-based backup system.

Now I'm not in the market for a backup system; and I am a bit uneasy with black box backup system hardware. But I did get a little bottle of Tabasco Sauce, so it wasn't a total loss.

Colophon, or What I use to make this blog go

As I tweak various bits on the blog, I thought I should share what all makes this blog go. The webserver is Apache running on Solaris on Sun hardware with an UltraSPARC processor. The blog software is Blosxom.

Tangent: Now Blosxom hasn't really actively been developed since 2003. And the author migrated away from the package in early 2006. I don't let such things bother me though, as I am used to choosing software packages and products that aren't really the most popular or mainstream. There is however an active User Group, Yahoo group, and a SourceForge Group.

Now blosxom is a darned simple package, less than 400 lines of perl parsing text files in a simple directory structure. That simplicity is part of what attracted me to the package, but it does mean I have a few plugins to add or refine various features.

categorytree: This provides the category list on the right.
flatarchives: This plugin provides the archive list on the right.
preview: A plugin that provides a way for me to see posts on the blog that I am working on, without showing those posts to the general public.
strip_unix_comments: I use unix style comments in my entries to put various meta data for my own benefit. It wouldn't be bad if the public saw them, but they are really only beneficial to me.
date_fullname: A simple plugin that provides templates with the full month name.
flavourdir: Allows me to put my flavour files (the templates used for the html and rss versions of this page) in a different folder than the default.
imagesizer: This plugin automatically puts in the height and width tags for images.

Self Destruct Button, or What a strange ISA card

Written 2006-05-03

click image for a full view of the card

This card amused me and has puzzled many friends and acquaintances over the years. It is indeed as simple as it looks, an ISA card with a momentary switch connecting two pins on the card slot. The back is just as simple as the front. I not sure as to what it was use for, my best guess is that it was used to manually trigger an interrupt for hardware developers.

If you have a good idea as to what it is, please contact me so I can update this post.