Show Us Your Racks

bigredshark · 20 Jun 2012 at 15:23

groen said:
I try to run ip scans on the internal network to make sure there are no mistakes but realy difficult, any suggestions?

Do it properly? If it's actually meant to be secure then it's laughably poor as a solution, you should be using 802.1x port security as a minimum, if you did that then it doesn't matter if it's connected wrong accidentally (or maliciously) as it won't work.

If it isn't deserving of that much security then you may as well run them as seperate VLANs on the same switch (and possible enforce some basic port security) because having physically separate networks like that is strictly security theatre.

If you want to repatch then waiting for VOIP is an excuse though, yeah, non VOIP phones require repatching but that's not a problem if a) you tell people how it must be done and b) enforce dire consequences on those who don't. We do hundreds of repatches a month in our datacenters and the cabinets are still pristine, because people are given to understand that not following procedures for cabling (or anything else) is a disciplinary matter. If people can't take 2 minutes to get the right length cable and do it neatly you need new people to be honest...

anything I don't mind · 21 Jun 2012 at 12:33

That site definitely requires the internal network to be off the internet because they deal with extremely confidential data. Without giving too much away, the information is so confidential that it is probably the most confidential data I will ever work with. Unless i get employed by intelligence industry, which is highly unlikely. Thus the site has a real requirement for an internal network off the internet.

It is just the nature of the contract. I work for a managed services company that has the site as a client. I frequently mentioned the need to sort out the patching but the office manager was reluctant. Basically the site can't be down at all ever. So the thought of redoing the phone system gave the office manager a panic attack. He said that when they do redo the phone system they will go to Motorola or one of the massive phone companies to do it and not some micky mouse managed services company that I work for. This further delays the projects etc.

I have been taken off that site because i was promoted per se and now manage a few more sites rather than just the one. I am meant to be 3rd line for that site in emergencies and dr situations. But I don't have any power or say in what is done there.

I think the patching was like that when the company i work for won the site. But what else can be done apart from redoing it ?

Dashik · 21 Jun 2012 at 23:58

Picture as promised. Just got the gear today. Not had a chance to play with it yet

That's my light reading piles......

kalvindeane · 22 Jun 2012 at 00:00

Dashik said:
Picture as promised. Just got the gear today. Not had a chance to play with it yet

That's my light reading piles......[/QUOTE]

Like a boss! Now buy the same for me... :p

n3vrmind · 26 Jun 2012 at 06:59

groen said:
That site definitely requires the internal network to be off the internet because they deal with extremely confidential data. Without giving too much away, the information is so confidential that it is probably the most confidential data I will ever work with. Unless i get employed by intelligence industry, which is highly unlikely. Thus the site has a real requirement for an internal network off the internet.

If you believe the next step up is MI5/MI6 then I think there is plenty for you to learn, I've known people who have a more secure setup for their home lab

If the confidential data was as critical as you say, there would be much bigger budget to protect it, and it wouldnt be sat in the shared rack of some managed services company, it'd be located in a secure datacenter, in its own rack, caged off... at the very least.

Deleted member 77746 · 26 Jun 2012 at 15:31

groen said:
That site definitely requires the internal network to be off the internet because they deal with extremely confidential data. Without giving too much away, the information is so confidential that it is probably the most confidential data I will ever work with. Unless i get employed by intelligence industry, which is highly unlikely. Thus the site has a real requirement for an internal network off the internet.

Yet you keep asking questions that only new sysadmins would ask.

slylittlefox · 26 Jun 2012 at 19:42

OOOOOF

Deleted member 77746 · 26 Jun 2012 at 23:04

slylittlefox said:
OOOOOF

Just saying.

anything I don't mind · 27 Jun 2012 at 12:16

n3vrmind said:
If you believe the next step up is MI5/MI6 then I think there is plenty for you to learn, I've known people who have a more secure setup for their home lab

If the confidential data was as critical as you say, there would be much bigger budget to protect it, and it wouldnt be sat in the shared rack of some managed services company, it'd be located in a secure datacenter, in its own rack, caged off... at the very least.

There is a big budget and it is not in a shared rack it is in a secure building (the server room in the office of the client) behind several physical layers of security.

I never said the next step up was mi5. I said that it is the most confidential data that i will ever deal with unless i worked in the intelligence sector, which is unlikely because i am a market anarchist. To work there they they had to do a security watchdog check on me at the cost of a few thousand £ so they do take security very seriously. A data leak at that place could mean jail time.

Ev0 · 27 Jun 2012 at 13:08

Not known any of the security watchdog screening levels to cost in the thousands, but fair enough if that's the case.

bigredshark · 27 Jun 2012 at 15:39

groen said:
There is a big budget and it is not in a shared rack it is in a secure building (the server room in the office of the client) behind several physical layers of security.

An ultra-secure site where taking a picture of the site and posting it on the internet isn't a direct route to a P45? Anywhere that's even pretending to be secure confiscates personal electronics before you get access to a data area.

n3vrmind · 27 Jun 2012 at 15:45

Indeed, I worked with a few ftse 100 companies and government clients and theres a reason I dont post pictures of their datacenters online

PhillyDee · 27 Jun 2012 at 15:47

bigredshark said:
An ultra-secure site where taking a picture of the site and posting it on the internet isn't a direct route to a P45? Anywhere that's even pretending to be secure confiscates personal electronics before you get access to a data area.

Its groen.

Deleted member 77746 · 27 Jun 2012 at 15:55

PhillyDee said:
Its groen.

Moan*

Stelly · 27 Jun 2012 at 16:00

bigredshark said:
Do it properly? If it's actually meant to be secure then it's laughably poor as a solution, you should be using 802.1x port security as a minimum, if you did that then it doesn't matter if it's connected wrong accidentally (or maliciously) as it won't work.

If it isn't deserving of that much security then you may as well run them as seperate VLANs on the same switch (and possible enforce some basic port security) because having physically separate networks like that is strictly security theatre.

If you want to repatch then waiting for VOIP is an excuse though, yeah, non VOIP phones require repatching but that's not a problem if a) you tell people how it must be done and b) enforce dire consequences on those who don't. We do hundreds of repatches a month in our datacenters and the cabinets are still pristine, because people are given to understand that not following procedures for cabling (or anything else) is a disciplinary matter. If people can't take 2 minutes to get the right length cable and do it neatly you need new people to be honest...

I could not agree more with you Mr Shark, poor basic security is where it should start and continue...

Stelly

TRNC · 27 Jun 2012 at 16:07

bigredshark said:
An ultra-secure site where taking a picture of the site and posting it on the internet isn't a direct route to a P45? Anywhere that's even pretending to be secure confiscates personal electronics before you get access to a data area.

n3vrmind said:
Indeed, I worked with a few ftse 100 companies and government clients and theres a reason I dont post pictures of their datacenters online

Why is this, its not like a picture of some servers, switches and patch leads really tells you anything!

anything I don't mind · 27 Jun 2012 at 16:12

I had to take a picture because the cabling was so bad, i thought you all might appreciate the cringe. I didn't expect the third degree and personal insults as a result. But come to think of it, not realy that surprising. I was told by the office manager that the security watch dog costs over £1000 but they screen all their employees.

Ev0 · 27 Jun 2012 at 16:51

bit different to a few thousand then

TRNC said:
Why is this, its not like a picture of some servers, switches and patch leads really tells you anything!

As much as you might not think it they can be used for information gathering with regards to attacks on a company.

bigredshark · 3 Jul 2012 at 13:37

TRNC said:
Why is this, its not like a picture of some servers, switches and patch leads really tells you anything!

It varies...

Some sites have lots of details labelled on devices including IP addresses and circuit numbers etc (a well known UK bank has 40 odds racks of routers for remote sites labelled with these details I know) , this can be a positive in preventing mistakes but is sensitive information.

Some places (most even) it's security theater, is practically pointless as anything photos would tell you a detailed examination and taking notes would do better. It's also massively frustrating when you need to talk a vendor and work on something locally at the same time but you can't have a mobile phone.

Some places it's justified and some it's just ticking a box for show, but it's almost always the rule anywhere considered high security.

anything I don't mind · 3 Jul 2012 at 14:18

Well obviously I made sure there was no labels or information readable from the images before uploading it.