Dec/113
New record holder for inefficient storage – VMware VSA
TechOps Guy: Nate
I came across this article last night and was honestly pretty shocked, it talks about the limitations of the new VMware Virtual Storage Appliance that was released alongside vSphere 5. I think it is the second VSA to receive full VMware certification after the HP/Lefthand P4000.
The article states
[..]
Plus, this capacity will be limited by a 75% storage overhead requirement for RAID data protection. Thus, a VSA consisting of eight 2 TBs would have a raw capacity of 16 TB, but the 75% redundancy overhead would result in a maximum usable capacity of 4 TB. VMware documentation cites high availability as the reason behind VSA’s capacity limitations: “The VSA cluster requires RAID10 virtual disks created from the physical disks, and the vSphere Storage Appliance uses RAID1 to maintain the VSA datastores’ replicas,” resulting in effective capacity of just 25% of the total physical hard disk capacity.
[..]
That’s pretty pathetic! Some folks bang on NetApp for being inefficient in space, I’ve ragged on a couple of other folks for the same, but this VSA sets a new standard. Well there is this NEC system with 6%, though in NEC’s case that was by choice. The current VSA architecture forces the low utilization on you whether you want it or not.
I don’t doubt that VMware released the VSA “because they could”, I’m sure they designed it primarily for their field reps to show off the shared storage abilities of vSphere from laptops and stuff like that (that was their main use of the Lefthand VSA when it first came out at least), given how crippled the VSA is (it doesn’t stop at low utilization, see the article for more), I can’t imagine anyone wanting to use it – at any price.
The HP Lefthand VSA seems like a much better approach – it’s more flexible, has more fault tolerance options, and appears to have an entry level price of about half that of the VMware VSA.
The only thing less efficient that I have come across is utilization in Amazon EC2 – where disk utilization rates in the low single digits are very common due to the broken cookie cutter design of the system.
Sep/112
EMC’s Server strategy: use our arrays?
TechOps Guy: Nate
I just read this from our friends at The Register. I just have one question after reading it
Why?
Why would anyone want to use extremely premium CPU/Memory resources on a high end enterprise storage system to run virtual servers on? What’s the advantage? You could probably buy a mostly populated blade enclosure from almost everyone for the cost of a VMAX controller.
If EMC wants in on the server-based flash market they should just release some products of their own or go buy one of the suppliers out there.
If EMC wants to get in on the server business they should just do it, don’t waste people’s time on this kinda stuff. Stupid.
May/110
Sony Compromised by Apache bug?
TechOps Guy: Nate
Came across an article from a friend that talks about how Sony thinks they were compromised.
According to Spafford, security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which “was unpatched and had no firewall installed.”
The firewall part is what gets me. Assuming of course this web server(s) were meant to be public, no firewall is going to protect you against this sort of thing since of course firewalls protecting public web servers have holes opened explicitly for the web server so all traffic is passed right through.
And I highly doubt those Apache web servers had confidential data as the article implies, obviously that data was on back end systems running databases of some sort.
Then there are people out there spouting stuff on PCI saying the automated external scans should have detected they were running outdated versions of software. In my experience such scans are really not worth much with Linux, primarily because they have no way to take into account patches that are back ported to the operating system. I’ve had a few arguments with security scanners trying to explain how a system is patched because the fix was back ported but them not being able to comprehend that because the major/minor version being reported by the server has not changed.
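The backport problem described above, as an added example that is not part of the original post: a banner-only check reports an old upstream version as vulnerable, while the package changelog shows the fix was applied. The CVE id is a placeholder, and the banner, changelog (laid out like `rpm -q --changelog` output) and version numbers are constructed sample data.

```python
import re

# Constructed advisory: placeholder CVE id, fixed upstream in 2.2.15.
ADVISORY = {"cve": "CVE-0000-00000", "fixed_upstream": (2, 2, 15)}

# Constructed inputs for one host: what a remote scan sees, and what the
# installed package's changelog says (assumed to come from that same host).
BANNER = "Server: Apache/2.2.3 (CentOS)"
CHANGELOG = """\
* Sat Jan 01 2011 Example Packager <pkg@example.invalid> - 2.2.3-45
- add security fix for CVE-0000-00000
* Tue Jun 01 2010 Example Packager <pkg@example.invalid> - 2.2.3-43
- fix log rotation
"""

def banner_version(banner):
    """Extract the upstream version tuple from a Server header, or None."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None

def banner_verdict(banner, advisory):
    """What an external scan concludes from the upstream version alone."""
    v = banner_version(banner)
    if v is None:
        return "unknown"
    return "vulnerable" if v < advisory["fixed_upstream"] else "patched"

def changelog_fix_release(changelog, cve):
    """Return the package release whose changelog entry names the CVE, or None."""
    release = None
    for line in changelog.splitlines():
        if line.startswith("*"):
            # Entry header: the package version-release follows the last " - ".
            release = line.rsplit(" - ", 1)[-1].strip()
        elif cve in line:
            return release
    return None

def host_verdict(banner, changelog, advisory):
    """Prefer package evidence; fall back to the banner when there is none."""
    if changelog_fix_release(changelog, advisory["cve"]):
        return "patched (backport)"
    return banner_verdict(banner, advisory)

if __name__ == "__main__":
    print("banner only :", banner_verdict(BANNER, ADVISORY))
    print("with package:", host_verdict(BANNER, CHANGELOG, ADVISORY))
```
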
Then there was the company I worked for who had a web app that returned a HTTP/200 for pretty much everything, including things like 404s. This tripped every single alarm the scanners had, and they went nuts. And once again we had to explain that those windows exploits aren’t going to work against our Apache Tomcat systems running Linux.
IDS and IPS are overrated as well, unless you really have the staff to watch and manage it full time. In all of the years I have worked at companies that deployed some sort of IDS (never IPS), I have seen it work, one time, back in I want to say 2002, I saw a dramatic upsurge in some type of traffic on our Snort IDS at the time from one particular host and turns out it had a virus on it. I worked at one company that was compromised at LEAST twice while I was there (on systems that weren’t being properly managed), and of course the IDS never detected a thing. Then that company deployed (after I left) a higher end hardware-based IPS, and when they put it inline to the network (in passive, not enforcing mode) for some reason the IPS started dropping all SSL traffic for no reason.
They aren’t completely useless though, they can help detect and sometimes protect against the more obvious types of attacks (SQL injection etc). But in the grand scheme of things, especially when dealing with customized applications (not off the shelf like Exchange, Oracle or whatever), IDS/IPS and even firewalls provide only a tiny layer of additional security on top of good application design, good deployment practices (e.g. don’t run as root, disable or remove subsystems that are not used, such as the management app in Tomcat, use encryption where possible), and a good authentication system for system level access (e.g. ssh keys). With regards to web applications, a good load balancer is more than adequate to protect the vast majority of applications out there, it is “firewall like” as in it only passes certain ports to the back end systems, but (for higher traffic sites this is important) vastly outperforms firewalls, which can be a massive bottleneck for front end systems.
With regards to the company that was compromised at least twice, the intrusion was minor and limited to a single system, the compromise occurred because the engineer who installed the system put it outside of the load balancers, it was a FTP server, or was it a monitoring server, I forgot. Because it needed to be accessed externally the engineer thought hey let’s just put it on the internet. Well it sat there for a good year or two, (never being patched in the meantime) before I joined the company, compromised in some fashion, and ssh was replaced with a trojaned copy (it was pretty obvious, I am assuming it was some sort of worm exploiting ssh). It had all sorts of services running on it. I removed the trojan’d ssh, asked the engineer if he thought there might be an issue, he said he didn’t believe so. So I left it, until a few weeks later that trojan’d ssh came back. And at that point I shut the ethernet interfaces on the box off until it could be retired. There was no technical reason that it could not run behind the load balancer.
If you really need a front end firewall, consider a load balancer that has such functionality built in, because at least you have the ability to decrypt incoming SSL traffic and examine it, something very few firewall or IDS/IPS systems can do (another approach some people use is to decrypt at the load balancer then mirror the decrypted traffic to the IDS/IPS, but that is less secure of course).
It really does kind of scare me though that people seem to blindly associate a firewall with security, especially when it’s a web server that is running. Now if those web servers were running RPC services and were hacked that way, a firewall very likely could have helped.
One company I worked at, my boss insisted we have firewalls in front of our load balancers, I couldn’t convince him otherwise, so we deployed them. And they worked fine (for the most part). But the configuration wasn’t really useful at all, basically we had a hole open in the firewall that pointed to the load balancer, which then pointed to the back end systems. So the firewall wasn’t protecting anything that the load balancer wasn’t doing already, a needless layer of complexity that didn’t benefit anyone.
Myself I’m not convinced they were compromised via an Apache web server exploit, maybe they were compromised via an application running on top of Apache, but these days it’s really rare to break into any web server directly via the web server software (whether it’s Apache, IIS or whatever). I suspect they still don’t really know how they were compromised and some manager at Sony pointed to that outdated software as the cause just so they could complete their internal processes on root cause and move on. Find something to tell Congress, anything that sounds reasonable!!
Dec/103
OpenBSD installer: party like it’s 2000
TechOps Guy: Nate
[Random Thought] The original title was going to be “OpenBSD: only trivial changes in the installer in one heck of a long time” a take off of their blurb on their site about remote exploits in the default install.
I like OpenBSD, well I like it as a firewall — I love pf. I’ve used ipchains, iptables, ipfwadm, ipf (which I think pf was originally based off of and was spawned due to a licensing dispute with the ipf author(s)), ipfw, Cisco PIX and probably one or two more firewall interfaces, and pf is far and away the best that I’ve come across. I absolutely detest Linux’s firewall interfaces by contrast, going all the way back almost 15 years now.
I do hate the OpenBSD user land tools though, probably as much as the *BSD folks hate the Linux user land tools. I mean how hard is it to include an init script of sorts to start and stop a service? But I do love pf, so in situations where I need a firewall I tend to opt for OpenBSD wherever possible (when not possible I don’t resort to Linux, I’d rather resort to a commercial solution perhaps a Juniper Netscreen or something).
But this isn’t about pf, or user land. This is about the OpenBSD installer. I swear it’s had only the most trivial changes and improvements done to it in at least the past 10 years, when I first decided to try it out. To me it is sad, the worst part about it is of course the disk partitioning interface. It’s just horrible.
I picked up my 2nd Soekris net5501 system and installed OpenBSD 4.8 on it this afternoon, and was kind of saddened, yet not surprised how it still hasn’t changed. I have my other Soekris running OpenBSD 4.4 and has been running for a couple years now. First used pf I believe back in about 2004 or so, so have been running it quite a while, nothing too complicated, it’s really simple to understand and manage. My first experience with OpenBSD was I believe back in 2000, I’m not sure but I want to say it was something like v2.8. I didn’t get very far with it, for some reason it would kernel panic on our hardware after about a day or so of very light activity, so went back to Linux.
I know pf has been ported to FreeBSD, and there is soon to be a fully supported Debian kFreeBSD distribution with the next major release of Debian whenever that is, so perhaps that will be worthwhile switching to for my pf needs, I don’t know. Debian is another system which has been criticized over the years for having a rough installer, though I got to say in the past 4-5 years it really has gotten to be a good installer in my opinion. As a Debian user for more than 12 years now it hasn’t given me a reason to switch away from it, but I still do prefer Red Hat based distros for “work” stuff.
First impressions are important, and the installer is that first impression. While I am not holding out hope they will improve their installer, it would be nice.
Jul/100
Vulnerable Smart grid (again)
TechOps Guy: Nate
A while back I wrote an entry about the vulnerable smart grid, nothing has changed of course but there is a new article from The Register touting a new report that once again warns about security issues with the smart grid.
[..]
However, Ross Anderson, professor in security engineering at the University of Cambridge Computer Laboratory, warns that the move to smart metering introduces a “strategic vulnerability” that hackers might conceivably exploit to remotely switch off elements on the gas or electricity supply grid.
[..]
The rollout of an estimated 47 million smart meters to each of the UK’s 26 million homes by 2020 is estimated at costing around £8bn.
The only issue with the statement I have is the word might. Given the maturity of organized computer criminals out there whether they are individuals, organizations or backed by governments you know they will exploit this stuff it’s only a matter of time, and I think the time required is not much more time than it will take to deploy the smart grid itself. The only question is how much damage can they do, could they go so far as to disable the power grid and brick the smart grid devices themselves forcing a wholesale replacement? That is probably a worst case thing.
This is what happens when people who don’t know much of anything about technology are put in charge of using it. It’s a pretty scary thought, given the scale of these smart grid deployments and the amount of hype surrounding them.
Mar/100
Vulnerable Smart Grid
TechOps Guy: Nate
As some of you who know me may know, I have been against the whole concept of a “smart grid” for a few years now. The main reason behind this is security. The more intelligence you put into something especially with regards to computer technology the more complex it becomes, the more complex it becomes the harder it is to protect.
Well it seems the mainstream media has picked up on this with an article from the AP -
SAN FRANCISCO – Computer-security researchers say new “smart” meters that are designed to help deliver electricity more efficiently also have flaws that could let hackers tamper with the power grid in previously impossible ways.
Kind of reminds me of the RFID-based identification schemes that have been coming online in the past few years, just as prone to security issues. In the case of the smart grid, my understanding of it is that the goal is to improve energy efficiency by allowing the power company to intelligently inform downtream customers of power conditions so that things like heavy appliances can be proactively turned off in the event of a surge in usage to prevent brown and blackouts.
Sounds nice in theory, like many things, but as someone who has worked with technology for about 20 years now I see the quality of stuff that comes out of companies, and I just have no confidence that such technology can be made “secure” at the same time it can be made “cost effective”. At least not at our current level of technological sophistication, I mean from an evolutionary standpoint “technology” is still a baby, we’re still figuring stuff out, it’s brand new stuff. I don’t mean to knock any company or organization in particular, they are not directly at fault, I just don’t believe – in general technology is ready for such a role, not in a society such as ours.
Today in many cases you can’t get a proper education in modern technology because the industries are moving too fast for the schools to keep up. Don’t get me started on organizations like OLPC and others trying to pitch laptop computers to schools in an attempt to make education better.
If you want to be green, in my opinion, get rid of the coal fired power plants. I mean 21st century and we still have coal as generating roughly half (or more) of our electricity? Hasn’t anyone played Sim City?
Of course this concept doesn’t just apply to the smart grid, it applies to everything as our civilization tries to put technology to work to improve our lives. Whether it’s wifi, rfid, or online banking, all of these (and many others) expose us to significant security threats, when not deployed properly, and in my experience, from what I have seen, the numbers of implementations that are not secure outnumber the ones that are by probably 1000:1. So we have a real significant trend of this in action (technology being deployed then being actively exploited). I’m sure you agree that our power grid is a fairly important resource, it was declared the most important engineering achievement of the 20th century.
While I don’t believe it is possible yet, we are moving down the road where scenes like those portrayed in the movie Eagle Eye (saw it recently had it on my mind), will be achievable, especially now that many nations have spun up formal hacker teams to fight future cyber wars, and you have to admit, we are a pretty tempting target.
There will be a very real cost to this continued penetration of technology into our lives. In the end I think the cost will be too high, but time will tell I guess.
You could say I long for the earlier days of technology where for the most part security “threats” were just people that wanted to poke around in systems, or compromise a host to “share” its bandwidth and disk space to host pirated software. Rarely was there any real malice behind any of it, not true anymore.
And for those that are wondering – the answer is no. I have never, ever had a wireless access point hooked to my home network, and I do my online banking from Linux.
