Show Us Your Racks

groen said:
I try to run ip scans on the internal network to make sure there are no mistakes but realy difficult, any suggestions?
Click to expand...

Do it properly? If it's actually meant to be secure then it's laughably poor as a solution, you should be using 802.1x port security as a minimum, if you did that then it doesn't matter if it's connected wrong accidentally (or maliciously) as it won't work.

If it isn't deserving of that much security then you may as well run them as seperate VLANs on the same switch (and possible enforce some basic port security) because having physically separate networks like that is strictly security theatre.

If you want to repatch then waiting for VOIP is an excuse though, yeah, non VOIP phones require repatching but that's not a problem if a) you tell people how it must be done and b) enforce dire consequences on those who don't. We do hundreds of repatches a month in our datacenters and the cabinets are still pristine, because people are given to understand that not following procedures for cabling (or anything else) is a disciplinary matter. If people can't take 2 minutes to get the right length cable and do it neatly you need new people to be honest...
 
That site definitely requires the internal network to be off the internet because they deal with extremely confidential data. Without giving too much away, the information is so confidential that it is probably the most confidential data I will ever work with. Unless i get employed by intelligence industry, which is highly unlikely. Thus the site has a real requirement for an internal network off the internet.

It is just the nature of the contract. I work for a managed services company that has the site as a client. I frequently mentioned the need to sort out the patching but the office manager was reluctant. Basically the site can't be down at all ever. So the thought of redoing the phone system gave the office manager a panic attack. He said that when they do redo the phone system they will go to Motorola or one of the massive phone companies to do it and not some micky mouse managed services company that I work for. This further delays the projects etc.

I have been taken off that site because i was promoted per se and now manage a few more sites rather than just the one. I am meant to be 3rd line for that site in emergencies and dr situations. But I don't have any power or say in what is done there.

I think the patching was like that when the company i work for won the site. But what else can be done apart from redoing it ?
 
Picture as promised. Just got the gear today. Not had a chance to play with it yet :D



That's my light reading piles......
 
groen said:
That site definitely requires the internal network to be off the internet because they deal with extremely confidential data. Without giving too much away, the information is so confidential that it is probably the most confidential data I will ever work with. Unless i get employed by intelligence industry, which is highly unlikely. Thus the site has a real requirement for an internal network off the internet.
Click to expand...

If you believe the next step up is MI5/MI6 then I think there is plenty for you to learn, I've known people who have a more secure setup for their home lab :)

If the confidential data was as critical as you say, there would be much bigger budget to protect it, and it wouldnt be sat in the shared rack of some managed services company, it'd be located in a secure datacenter, in its own rack, caged off... at the very least.
 
groen said:
That site definitely requires the internal network to be off the internet because they deal with extremely confidential data. Without giving too much away, the information is so confidential that it is probably the most confidential data I will ever work with. Unless i get employed by intelligence industry, which is highly unlikely. Thus the site has a real requirement for an internal network off the internet.
Click to expand...

Yet you keep asking questions that only new sysadmins would ask. :)
 
n3vrmind said:
If you believe the next step up is MI5/MI6 then I think there is plenty for you to learn, I've known people who have a more secure setup for their home lab :)

If the confidential data was as critical as you say, there would be much bigger budget to protect it, and it wouldnt be sat in the shared rack of some managed services company, it'd be located in a secure datacenter, in its own rack, caged off... at the very least.
Click to expand...

There is a big budget and it is not in a shared rack it is in a secure building (the server room in the office of the client) behind several physical layers of security.

I never said the next step up was mi5. I said that it is the most confidential data that i will ever deal with unless i worked in the intelligence sector, which is unlikely because i am a market anarchist. To work there they they had to do a security watchdog check on me at the cost of a few thousand £ so they do take security very seriously. A data leak at that place could mean jail time.
 
Last edited:
Not known any of the security watchdog screening levels to cost in the thousands, but fair enough if that's the case.
 
groen said:
There is a big budget and it is not in a shared rack it is in a secure building (the server room in the office of the client) behind several physical layers of security.
Click to expand...

An ultra-secure site where taking a picture of the site and posting it on the internet isn't a direct route to a P45? Anywhere that's even pretending to be secure confiscates personal electronics before you get access to a data area.
 
Indeed, I worked with a few ftse 100 companies and government clients and theres a reason I dont post pictures of their datacenters online
 
bigredshark said:
Do it properly? If it's actually meant to be secure then it's laughably poor as a solution, you should be using 802.1x port security as a minimum, if you did that then it doesn't matter if it's connected wrong accidentally (or maliciously) as it won't work.

If it isn't deserving of that much security then you may as well run them as seperate VLANs on the same switch (and possible enforce some basic port security) because having physically separate networks like that is strictly security theatre.

If you want to repatch then waiting for VOIP is an excuse though, yeah, non VOIP phones require repatching but that's not a problem if a) you tell people how it must be done and b) enforce dire consequences on those who don't. We do hundreds of repatches a month in our datacenters and the cabinets are still pristine, because people are given to understand that not following procedures for cabling (or anything else) is a disciplinary matter. If people can't take 2 minutes to get the right length cable and do it neatly you need new people to be honest...
Click to expand...

I could not agree more with you Mr Shark, poor basic security is where it should start and continue...

Stelly
 
bigredshark said:
An ultra-secure site where taking a picture of the site and posting it on the internet isn't a direct route to a P45? Anywhere that's even pretending to be secure confiscates personal electronics before you get access to a data area.
Click to expand...

n3vrmind said:
Indeed, I worked with a few ftse 100 companies and government clients and theres a reason I dont post pictures of their datacenters online
Click to expand...

Why is this, its not like a picture of some servers, switches and patch leads really tells you anything!
 
I had to take a picture because the cabling was so bad, i thought you all might appreciate the cringe. I didn't expect the third degree and personal insults as a result. But come to think of it, not realy that surprising. I was told by the office manager that the security watch dog costs over £1000 but they screen all their employees.
 
bit different to a few thousand then ;)

TRNC said:
Why is this, its not like a picture of some servers, switches and patch leads really tells you anything!
Click to expand...

As much as you might not think it they can be used for information gathering with regards to attacks on a company.
 
TRNC said:
Why is this, its not like a picture of some servers, switches and patch leads really tells you anything!
Click to expand...

It varies...

Some sites have lots of details labelled on devices including IP addresses and circuit numbers etc (a well known UK bank has 40 odds racks of routers for remote sites labelled with these details I know) , this can be a positive in preventing mistakes but is sensitive information.

Some places (most even) it's security theater, is practically pointless as anything photos would tell you a detailed examination and taking notes would do better. It's also massively frustrating when you need to talk a vendor and work on something locally at the same time but you can't have a mobile phone.

Some places it's justified and some it's just ticking a box for show, but it's almost always the rule anywhere considered high security.
 
You must log in or register to reply here.
Back
Top Bottom