Firewall Wizards mailing list archives

Re: Personal Firewall Day?


From: Christopher Hicks <chicks () chicks net>
Date: Tue, 7 Oct 2003 08:51:53 -0400 (EDT)

On Tue, 7 Oct 2003, Dragos Ruiu wrote:

> But distributed storage and computing is much more fault tolerant than
> centralized systems. Proposing putting all your eggs into one basket is
> never wise.

Right on.  But your concept of distributed computing seems to mean "let
everybody do what they want with no limits".  Effective distributing
computing just doesn't happen that way.

> I can't actually believe you are suggesting a monoculture is a good thing.

It's not inherently a bad thing as some would like you to believe.  
Dictatorships are all bad, but they're the organizational structure with 
the lowest overhead.  I doubt that helps anyone see monocultures as not
necessarily bad, but the "monocultures are all bad" meme is so pervasive 
there's no stopping it.  Monocultures aren't all bad, but they do have 
some well known disadvantages.

This whole monoculture versus operating system analogy continues to
provide me lots of amusement.  The big problem with monocultures as
everyone "knows" by now is that having only one genetic strain makes you
an easier target.  Avoiding a monoculture only requires a very little
genetic variation.  Do different passwords qualify?  Maybe we could
randomize the directory structure on each machine to introduce the .1%
difference in "code" to avoid the monoculture label that so concerns
people?  This would give our desktops as much genetic variability as most
crops while getting us all on one computing platform that would work.  As
someone who is happy to keep the disadvantages of monocultures in mind
while trying to eliminate certain species (Windows) I'm not sure how much
arbitrary variation is necessary to please the "monocultures are bad"
crowd.  Have these people taken a genetics course in the last twenty
years?  ;)

> I administered quite a few big Unix boxes, and MIS departments in their
> empire building attempts to justify recentralizing always omit some of
> the notable disadvantages to centralization like the fact that small
> incremental upgrades to newer processors, OSes, and software are
> impossible or difficult. You don't have to get a large capital
> allocation to replace the big box, you can buy some zippy new small
> boxes for key apps. And there are countless others. System upgrades
> don't have to be massive all or nothing multi-year committee study
> efforts in a distributed environment... just a pain in the ass for the
> IT department to find the stragglers... :-)

You've created a straw man and successfully killed it.  How you manage the
central server farm is a separate question from how your bulk of desktops
should be managed which is also a separate question from how your
development desktops and servers should be managed.  Additional categories
requiring special attention may be added (CAD desktops, public access
terminals in the library, etc.)  There's nothing about putting a common
client on most desktops (or all desktops in a given class) that prevents
you from adding a new $1000 server to "try out" something new.  Once
you've tried it out and come up with a deployment plan let's hope you've
got some central SAN/backup strategy in place to keep it going once the
cheap box behaves as cheap boxes ultimately do.

> Moore's law killed mainframes not any addiction to software.

Central computing does not require mainframes, but if you already have one
they may well provide the best I/O of any of your hardware which isn't
something to ignore.  If anyone's got a 3090 or more recent "dead
according to Dragos" mainframe I'll be by with a truck in a little while 
to pick it up, ok?  :)

> The system rack next to my desk has more computing power and storage
> than all the supercomputers in the world combined back when I used to
> administer such things. Tough to argue with that.

No it's not.  How you serve the little vanilla boxes on all the desktops 
doesn't really matter.  Getting rid of the Windows desktops and replacing 
them with something that is cheaper and more manageable is.  Whether you 
do that with a mainframe, a floor-standing UNIX box, or rack machines 
didn't seem to be a point anyone was trying to make.

> As far as vulnerability to virii, sure theoretically your acolytes and
> high priests that administer the central monolith can likely be counted
> to not click on the wicked screensaver, but with that monolith
> architecture all it takes is one mess up to knock everything off line as
> opposed to n% of a distributed architecture manned by undertrained
> users.

You're still assuming a mainframe.  Why is that?  If I've got a rack of
servers and if one dies, only that server's application goes.  (Or maybe
not even necessarily that given that we have multiple servers for some
apps.)  Having virus protection for all users centralized on our mail 
servers has reduced desktop management issues considerably.  That doesn't 
mean we don't run virus protection on desktops too, but if I wait a few 
days to get it installed on a machine behind the firewall nobody will 
notice.  :)

> Locked down devices also presumes that the locker knows better
> than the users what they want to do with the device. I doubt that.

The user knows better.  The chick answering the phone needs word 
processing to write her resume to send her next employer.  The dood in the 
mailroom needs Solitaire to wait on hold instead of using the speaker 
phone.  The accountant needs IM.  The sales person needs Morpheus.  They 
all know better than I what they need and they should cost the 
organization whatever it costs to keep them that flexible.  Puh-leaze.

> When I worked at HP we had (I believe they still use/sell it) this wonderful
> innovation called Common Operating Environment. COE pretty much
> assured that if you wanted to get something done you had to abide
> by the mediocre software set available in it as opposed to the
> applications you really wanted. You could opt out, but it was an
> all or nothing deal - with considerable disincentives like inability to
> participate in any central volume purchasing discounts and substantial
> budget charges. In practice it always took longer for fixes to roll
> out in the COE system than the time a knowledgeable user would
> take to deploy it individually as needed, because of the substantial
> additional complexity of testing it for everyone. COE software was
> perpetually one or more versions behind current. Uh, blech.

Sounds like most corporate desktops today.  People don't choose what goes
on them.  The IT folks decide after months and months of testing.  So, we
can choose between central control with central applicability or central
control with applicability from the network and servers all the way down
to the desktops.  What if an upgrade requires everything be upgraded at
once?

Centralization is inevitable many places and it doesn't mean all of the
nasty associations some make about it.  It would be a good thing for the
community to provide places trying to centralize a less painful way to do
things that already has enough bugs out and features in to keep folks like
yourself from whining.  The Linux Terminal Server project is the sole 
effort I know of currently and even that is aimed more at reusing existing 
desktops so the last time I checked it didn't seem to do much for thinner 
clients.

> A key disadvantage to centralized locked down systems is that
> for the sake of consistency you have to hobble your knowledgeable
> users to the lowest common denominator of capabilities.

NO!  Some knowledgeable users deserve flexibility and some don't.  The
employer gets to decide these things in whatever arbitrary way they
choose.  Centralization doesn't need to be the sole technique for solving
an org's computing problems, but when you have masses of people that need
reliable access to a reasonable set of applications, centralization is a
big win.

Focusing on the areas where centralization can't penetrate yet doesn't 
help you see the real advantages that it can provide.

> Every coin has two sides. I know which side I'll call on this issue.

If your imagination didn't run away with you on how bad the other side is 
I doubt you'd have as easy a time proclaiming one side over the other.

-- 
</chris>

No, no, you're not thinking, you're just being logical.
-Niels Bohr, physicist (1885-1962)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

