Firewall Wizards mailing list archives
Re: Personal Firewall Day?
From: Christopher Hicks <chicks () chicks net>
Date: Tue, 7 Oct 2003 08:51:53 -0400 (EDT)
On Tue, 7 Oct 2003, Dragos Ruiu wrote:
> But distributed storage and computing is much more fault tolerant than centralized systems. Proposing putting all your eggs into one basket is never wise.
Right on. But your concept of distributed computing seems to mean "let everybody do what they want with no limits". Effective distributing computing just doesn't happen that way.
> I can't actually believe you are suggesting a monoculture is a good thing.
It's not inherently a bad thing as some would like you to believe. Dictatorships are all bad, but they're the organizational structure with the lowest overhead. I doubt that helps anyone see monocultures as not necessarily bad, but the "monocultures are all bad" meme is so pervasive there's no stopping it. Monocultures aren't all bad, but they do have some well known disadvantages. This whole monoculture versus operating system analogy continues to provide me lots of amusement. The big problem with monocultures as everyone "knows" by now is that having only one genetic strain makes you an easier target. Avoiding a monoculture only requires a very little genetic variation. Do different passwords qualify? Maybe we could randomize the directory structure on each machine to introduce the .1% difference in "code" to avoid the monoculture label that so concerns people? This would give our desktops as much genetic variability as most crops while getting us all on one computing platform that would work. As someone who is happy to keep the disadvantages of monocultures in mind while trying to eliminate certain species (Windows) I'm not sure how much arbitrary variation is necessary to please the "monocultures are bad" crowd. Have these people taken a genetics course in the last twenty years? ;)
> I administered quite a few big Unix boxes, and MIS departments in their empire building attempts to justify recentralizing always omit some of the notable disadvantages to centralization like the fact that small incremental upgrades to newer processors, OSes, and software are impossible or difficult. You don't have to get a large capital allocation to replace the big box, you can buy some zippy new small boxes for key apps. And there are countless others. System upgrades don't have to be massive all or nothing multi-year committee study efforts in a distributed environment... just a pain in the ass for the IT department to find the stragglers... :-)
You've created a straw man and successfully killed it. How you manage the central server farm is a separate question from how your bulk of desktops should be managed, which is also a separate question from how your development desktops and servers should be managed. Additional categories requiring special attention may be added (CAD desktops, public access terminals in the library, etc.) There's nothing about putting a common client on most desktops (or all desktops in a given class) that prevents you from adding a new $1000 server to "try out" something new. Once you've tried it out and come up with a deployment plan let's hope you've got some central SAN/backup strategy in place to keep it going once the cheap box behaves as cheap boxes ultimately do.
> Moore's law killed mainframes not any addiction to software.
Central computing does not require mainframes, but if you already have one they may well provide the best I/O of any of your hardware which isn't something to ignore. If anyone's got a 3090 or more recent "dead according to Dragos" mainframe I'll be by with a truck in a little while to pick it up, ok? :)
> The system rack next to my desk has more computing power and storage than all the supercomputers in the world combined back when I used to administer such things. Tough to argue with that.
No it's not. How you serve the little vanilla boxes on all the desktops doesn't really matter. Getting rid of the Windows desktops and replacing them with something that is cheaper and more manageable is. Whether you do that with a mainframe, a floor-standing UNIX box, or rack machines didn't seem to be a point anyone was trying to make.
> As far as vulnerability to virii, sure theoretically your acolytes and high priests that administer the central monolith can likely be counted on to not click on the wicked screensaver, but with that monolith architecture all it takes is one mess up to knock everything off line as opposed to n% of a distributed architecture manned by undertrained users.
You're still assuming a mainframe. Why is that? If I've got a rack of servers and if one dies, only that server's application goes. (Or maybe not even necessarily that given that we have multiple servers for some apps.) Having virus protection for all users centralized on our mail servers has reduced desktop management issues considerably. That doesn't mean we don't run virus protection on desktops too, but if I wait a few days to get it installed on a machine behind the firewall nobody will notice. :)
> Locked down devices also presumes that the locker knows better than the users what they want to do with the device. I doubt that.
The user knows better. The chick answering the phone needs word processing to write her resume to send her next employer. The dood in the mailroom needs Solitaire to wait on hold instead of using the speaker phone. The accountant needs IM. The sales person needs Morpheus. They all know better than I what they need and they should cost the organization whatever it costs to keep them that flexible. Puh-leaze.
> When I worked at HP we had (I believe they still use/sell it) this wonderful innovation called Common Operating Environment. COE pretty much assured that if you wanted to get something done you had to abide by the mediocre software set available in it as opposed to the applications you really wanted. You could opt out, but it was an all or nothing deal - with considerable disincentives like inability to participate in any central volume purchasing discounts and substantial budget charges. In practice it always took longer for fixes to roll out in the COE system than the time a knowledgeable user would take to deploy it individually as needed, because of the substantial additional complexity of testing it for everyone. COE software was perpetually one or more versions behind current. Uh, blech.
Sounds like most corporate desktops today. People don't choose what goes on them. The IT folks decide after months and months of testing. So, we can choose between central control with central applicability or central control with applicability from the network and servers all the way down to the desktops. What if an upgrade requires everything be upgraded at once? Centralization is inevitable many places and it doesn't mean all of the nasty associations some make about it. It would be a good thing for the community to provide places trying to centralize a less painful way to do things that already has enough bugs out and features in to keep folks like yourself from whining. The Linux Terminal Server project is the sole effort I know of currently and even that is aimed more at reusing existing desktops so the last time I checked it didn't seem to do much for thinner clients.
> A key disadvantage to centralized locked down systems is that for the sake of consistency you have to hobble your knowledgeable users to the lowest common denominator of capabilities.
NO! Some knowledgeable users deserve flexibility and some don't. The employer gets to decide these things in whatever arbitrary way they choose. Centralization doesn't need to be the sole technique for solving an org's computing problems, but when you have masses of people that need reliable access to a reasonable set of applications, centralization is a big win. Focusing on the areas where centralization can't penetrate yet doesn't help you see the real advantages that it can provide.
> Every coin has two sides. I know which side I'll call on this issue.
If your imagination didn't run away with you on how bad the other side is I doubt you'd have as easy a time proclaiming one side over the other.

--
</chris>
No, no, you're not thinking, you're just being logical.
-Niels Bohr, physicist (1885-1962)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards