security policy rant

hymie!

Nov 27, 2017, 8:24:51 AM
OMG i just need to scream at somebody.

I work for a large government agency. I don't know if it matters that I
am based in Maryland while my production machinery is housed in New Mexico.

Part of ${LGA}'s security policy is that network switches cannot have ports
just turned on and waiting. I need to have a specific machine, that has
been approved to connect to that specific network; and I need to request
a specific port be activated for this specific machine. [1]

So far so good. However...

Another part of $LGA policy, a machine can only be attached to one port. [2]
So even though we allegedly have a pair of "redundant switches", each
machine is plugged into one or the other.

For our own convenience, we assign the switch ports as a pair, so if
(say) port 12 is in use on switch A, it will be empty on switch B. So in
theory, it's easy to tell the on-site people "Take all of the cables
out of Switch B and plug them into the like-numbered ports on Switch A."

At least, it would be easy... However...

The redundant ports are not turned on. That would be against $LGA policy.

As I found out just this morning, having a dead switch is not sufficient
to bypass the normal turning-on-a-switch-port procedure -- identify
the machine(s), submit a request, wait for the appropriate number of
signatures, and wait for the network team to turn the port on.

So in sum, I've got
* a dead switch
* 2 inaccessible machines
* a live "redundant" switch that I cannot plug these machines into

[1] Even further, the switches monitor the MAC address of the devices plugged
into it, so if I change the machine plugged into a port, the port will
auto-off itself.

[2] This is not 100% accurate, as we have machines with multiple networks
that are plugged into ports on other switches. I freely admit that I
don't fully understand the policies in question.

--hymie! http://lactose.homelinux.net/~hymie hy...@lactose.homelinux.net

The Horny Goat

Nov 28, 2017, 4:13:48 AM
On Mon, 27 Nov 2017 13:24:50 GMT, hymie! <hy...@lactose.homelinux.net>
wrote:
Hell if your network card dies and you have to replace it with another
you've got a problem.

If this is UI to you then to quote Bill Clinton "I feel your pain!"
(Though likely not nearly as much as Bill did when Hillary found out
about Monica which apparently was the last straw for her)

Garrett Wollman

Nov 29, 2017, 12:30:09 AM
In article <rrn1fe-...@news.leftmind.net>, AdB <ab...@leftmind.net> wrote:

>There's a better feature that can be configured to let strange MACs use
>the clown VLAN and still let known MACs onto their proper networks.
>Lest this be UI, I note that configuration of the clown network is left
>as an exercise for the reader.

On a somewhat related note, today we had a new Lignux install on a
system which was then subsequently configured for failover bonding,
but rather than using one of the MAC addresses attached to the
interfaces in question, it pulled one out of its ass instead. This
caused it to be unable to communicate with anything, since (from the
install) it had an active DHCP lease for the MAC address it was
supposed to use, and so long as that lease was unexpired, $UI[0] on
the switch would drop $UI[1] for that IP from any other MAC address.

-GAWollman

--
Garrett A. Wollman | "Act to avoid constraining the future; if you can,
wol...@bimajority.org| act to remove constraint from the future. This is
Opinions not shared by| a thing you can do, are able to do, to do together."
my employers. | - Graydon Saunders, _A Succession of Bad Days_ (2015)

Steve VanDevender

Nov 29, 2017, 3:44:37 AM
wol...@bimajority.org (Garrett Wollman) writes:
> configured for failover bonding

Things that sound kinkier than they actually are.

--
Steve VanDevender "I ride the big iron" http://hexadecimal.uoregon.edu/
ste...@hexadecimal.uoregon.edu PGP keyprint 4AD7AF61F0B9DE87 522902969C0A7EE8
Little things break, circuitry burns / Time flies while my little world turns
Every day comes, every day goes / 100 years and nobody shows -- Happy Rhodes

Wojciech Derechowski

Nov 29, 2017, 3:32:40 PM
On Wed, 29 Nov 2017 08:43:44 +0000, Steve VanDevender wrote:
> wol...@bimajority.org (Garrett Wollman) writes:
>> configured for failover bonding
>
> Things that sound kinkier than they actually are.

Sex changers.

--
WD

Who is Entscheidungs and what is his problem?

Steve VanDevender

Nov 29, 2017, 11:04:15 PM
ab...@leftmind.net (AdB) writes:

> Steve VanDevender posted thus:
>>wol...@bimajority.org (Garrett Wollman) writes:
>>> configured for failover bonding
>>
>>Things that sound kinkier than they actually are.
>
> The kinky reality you're looking for is filed under "flailover". Some
> days no one wants to be the passive member of the pair.

That is, of course, why you shoot the other node in the head.

Alexander Schreiber

Dec 1, 2017, 9:40:05 AM
Roger Bell_West <roger+a...@nospam.firedrake.org> wrote:
> On 2017-11-28, The Horny Goat wrote:
>>Hell if your network card dies and you have to replace it with another
>>you've got a problem.
>
> Not necessarily, because <UI>. Which is why the whole thing adds so
> little to security, considering the hassle it generates.

Well, depends. When I was part of the crew running the dormitory network
at $UNIVERSITY, we had all our switches in port security mode (which shuts
down the port if the MAC changes). Not so much for security (due to <UI>),
but to
- reduce the amount of irritation caused by clueless wannabe hacker kiddies
- keep the clueless from breaking policies (e.g. only registered machines
allowed in order to nail abuse to names)
- detect wonky crap on the hardware side[0]

Kind regards,
Alex.
[0] A certain POS Realtek NIC[1] which was built using the absolute minimum
of silicon and did everything possible, down to building actual ethernet
packets, in the Windows driver, would occasionally forget about that
ethernet stuff and vomit raw IP onto the ether. Oops. Our recommended
fix for that: "Nail this POS to the wall and buy something decent[2]."
[1] But I repeat myself.
[2] e.g. DEC Tulip or 3Com.[3]
[3] Yes, this has been A While Ago (TM).
--
"Opportunity is missed by most people because it is dressed in overalls and
looks like work." -- Thomas A. Edison
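Added example, not from any poster in this thread: a small Python checker that reads switch syslog lines for the port-security shutdowns described in hymie!'s footnote [1] and in Alexander's dormitory setup, and compares the offending MAC against an inventory of which MAC is approved on which port, so an operator can tell a stale sticky entry from a genuinely unapproved device before re-enabling anything. The log format is assumed to be Cisco IOS port-security messages; the log lines and the inventory are constructed.

```python
import re
from collections import namedtuple

# Constructed sample syslog lines in the Cisco IOS port-security message
# format (assumed format; none of these lines come from the thread).
SAMPLE_LOG = """\
Nov 27 08:02:11 sw-a 4512: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet0/12.
Nov 27 08:02:12 sw-a 4513: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/12, putting Gi0/12 in err-disable state
Nov 27 08:05:40 sw-a 4520: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aabb.ccdd.eeff on port GigabitEthernet0/7.
"""

# Constructed inventory: port -> the one MAC approved for that port
# (the "specific machine on a specific port" rule from the first post).
APPROVED = {
    "GigabitEthernet0/12": "0011.2233.4455",
    "GigabitEthernet0/7": "0000.5e00.5301",
}

VIOL_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?MAC address "
    r"(?P<mac>[0-9a-fA-F.]+) on port (?P<port>\S+)\."
)

Violation = namedtuple("Violation", "port mac verdict")


def classify(log, approved):
    """Return one Violation per PSECURE_VIOLATION line, with a verdict:
    approved-mac:        the MAC is the inventoried one; the switch's sticky
                         table is stale relative to the inventory (reconcile,
                         then the port can be re-enabled).
    unapproved-device:   a different MAC showed up; leave the port shut and
                         go through the normal approval request.
    port-not-in-inventory: the port has no approved entry at all."""
    out = []
    for line in log.splitlines():
        m = VIOL_RE.search(line)
        if not m:
            continue  # err-disable follow-ups and unrelated lines are skipped
        port, mac = m.group("port"), m.group("mac").lower()
        if port not in approved:
            verdict = "port-not-in-inventory"
        elif approved[port] == mac:
            verdict = "approved-mac"
        else:
            verdict = "unapproved-device"
        out.append(Violation(port, mac, verdict))
    return out


if __name__ == "__main__":
    for v in classify(SAMPLE_LOG, APPROVED):
        print(f"{v.port}: {v.mac} -> {v.verdict}")
```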

Steve VanDevender

Dec 1, 2017, 1:46:49 PM
Roger Bell_West <roger+a...@nospam.firedrake.org> writes:

> On 2017-12-01, Alexander Schreiber wrote:
>>[0] A certain POS Realtek NIC[1]
>>[1] But I repeat myself.
>
> Yeah. Seems like every second mainboard has a Realtek POS on it now.
> They won.

Amazingly enough this page is still in its original location on the web:

http://pages.cs.wisc.edu/~kovar/realtek.html

Peter Corlett

Dec 4, 2017, 4:40:46 AM
hymie! <hy...@lactose.homelinux.net> wrote:
> OMG i just need to scream at somebody.
[Tale of typical Kafkaesque government bureaucracy deleted]

As I see it, you are in an organisation with a policy that actively prevents
you from working. So find a good book to read, rest your feet on the desk, and
make sure you're not working. Anything else would be against policy.
