If you were a corporate network admin?

Giraffe }{unter
Posts: 2941
Joined: Fri Mar 17, 2000 8:00 am

Post by Giraffe }{unter »

Foo wrote:
+JuggerNaut+ wrote:in all honesty GH, i feel bad for you. i would never be able to work in that kind of zoo.
I fucking love a challenge. Especially if there's power in reserve to actually make changes.
:icon14: I love my job man, the challenges, the money, the toys, the power, the hours, and the team I work with make... all the silly user problems just something to worry about until 5:30pm, then I hop in my car and forget about everything till the morning, unless my blackberry goes off ;)
[url=http://www.dumpt.com][img]http://www.giraffe-hunter.com/images/dumpt.gif[/img][/url]
[size=85]DUMPT.com fully revamped, simple image hosting/dumping ground
No registration required![/size]
+JuggerNaut+
Posts: 22175
Joined: Sun Oct 14, 2001 7:00 am

Post by +JuggerNaut+ »

Foo wrote:What's the cost involved for licensing, have to deal with CALs just like ghost I imagine?

Even for the RES and zones and shit, there's group policy. I'm convinced SUS is the way forward.
I'd have to ask our Systems Management team, i have no idea.
+JuggerNaut+
Posts: 22175
Joined: Sun Oct 14, 2001 7:00 am

Post by +JuggerNaut+ »

Giraffe }{unter wrote:
Foo wrote:
+JuggerNaut+ wrote:in all honesty GH, i feel bad for you. i would never be able to work in that kind of zoo.
I fucking love a challenge. Especially if there's power in reserve to actually make changes.
:icon14: I love my job man, the challenges, the money, the toys, the power, the hours, and the team I work with make... all the silly user problems just something to worry about until 5:30pm, then I hop in my car and forget about everything till the morning, unless my blackberry goes off ;)
sorry, but that doesn't sound like a corporate environment.
Foo
Posts: 13840
Joined: Thu Aug 03, 2000 7:00 am
Location: New Zealand

Post by Foo »

Giraffe }{unter wrote:
Foo wrote: hehe. That's the right approach though. the key paradigm is that if the company requires an IT facility which is badly thought out and unreasonable to yourself, you implement it and give the lions share responsibility to the people who clamoured for it.

Well that's similar to what I am looking to do, before I started there were virus outbreaks on a regular basis, I got tossed into fixing them and decided why not prevent them. Norton Antivirus Corporate was the available weapon and in about a year every PC was protected, and connected to a central monitoring console. Mail servers were then locked down, which caused a riot, but since the respect I gained from all the higher ups who were no longer losing months of work due to a virus they had a feeling this was necessary. The problem is I get slack for a few months for every change until people realize "holy crap" he was right...


I'm getting the managers to take responsibility for their looseness, and they complain much less about downtime. I just wish there was a way to catch it before it happens.


Let's compare my company to an average household.
The VPs = daddy
ME = the Big Brother
Users = my 999 12 year old daughters
Computers = Wide open PCs

Without limiting their access to backstreetboys.com what can you do to prevent their computers from getting destroyed without actually touching them. Because if you touch them then they scream and daddy gets pissed off.
Hire me. I'm serious. H-I-R-E M-E.

I don't like being anyone's bitch, but I'll be yours if this is genuinely how you conduct business.

Fuck me, I'll even move to yankeeland for a job opportunity* like that.

*just because you hire me doesn't mean I'll learn to type.
"Maybe you have some bird ideas. Maybe that’s the best you can do."
― Terry A. Davis
Cool Blue
Posts: 916
Joined: Wed Mar 02, 2005 2:39 am

Post by Cool Blue »


So lock all your ports down except the ports necessary for operations then. That will drop your traffic load in half.

Then implement Content filtering, banning all non-corporate/business required/related sites.

Then implement logging and monitor which users abuse the privilege. Log and generate reports to show their activity and then talk with them or their supervisor about it, asking for a behavior change.
Giraffe }{unter
Posts: 2941
Joined: Fri Mar 17, 2000 8:00 am

Post by Giraffe }{unter »

+JuggerNaut+ wrote:
that's beyond a challenge. just look at Mr. eDonkey. he still works there? that's incredible. you can't have that kind of employee in a corporate environment. at least not on your network.
Mr. eDonkey is actually a friend of mine, I told you the company is lenient especially with people with valuable brain power.
Giraffe }{unter
Posts: 2941
Joined: Fri Mar 17, 2000 8:00 am

Post by Giraffe }{unter »

Cool Blue wrote:

So lock all your ports down except the ports necessary for operations then. That will drop your traffic load in half.

Then implement Content filtering, banning all non-corporate/business required/related sites.

Then implement logging and monitor which users abuse the privilege. Log and generate reports to show their activity and then talk with them or their supervisor about it, asking for a behavior change.
exactly my idea.. Until I nail the budget for this device is there a monitoring software to keep an eye on multiple vlans from one location? all requests, from specified ports?

ie...
192.168.100.xxx
192.168.101.xxx
192.168.102.xxx

all the ones I see need to be on a specific VLAN to work
Guest

Post by Guest »

Giraffe }{unter wrote:
Kracus wrote:I wouldn't let them install anything that isn't installed by me. It's tough to do with all those web programs but once you determine what's needed for the business to run you just make sure nothing else gets in.
you gotta read man....


there are way too many employees that need to swap software versions on a minute's notice, we don't have the staff to do that every day. we're down to about 1 idiot outbreak a week, which is not bad compared to how it used to be.
Ah I thought it was more like an office type setting where the employees don't need to install shit. If it's needed then the solution is to train your employees better if they're required to have that level of access. There's no stopping computers from getting bogged down unfortunately. you can decrease the amount of time by limiting access to what can be installed but eventually it will need to be serviced. But don't fret, your job probably depends on it anyway ;)
Foo
Posts: 13840
Joined: Thu Aug 03, 2000 7:00 am
Location: New Zealand

Post by Foo »

Giraffe }{unter wrote:
Foo wrote:
+JuggerNaut+ wrote:in all honesty GH, i feel bad for you. i would never be able to work in that kind of zoo.
I fucking love a challenge. Especially if there's power in reserve to actually make changes.
:icon14: I love my job man, the challenges, the money, the toys, the power, the hours, and the team I work with make... all the silly user problems just something to worry about until 5:30pm, then I hop in my car and forget about everything till the morning, unless my blackberry goes off ;)
haha. Nothing like having your problems PUSHED to you. Thanks Blackberry.
+JuggerNaut+
Posts: 22175
Joined: Sun Oct 14, 2001 7:00 am

Post by +JuggerNaut+ »

Giraffe }{unter wrote:
+JuggerNaut+ wrote:
that's beyond a challenge. just look at Mr. eDonkey. he still works there? that's incredible. you can't have that kind of employee in a corporate environment. at least not on your network.
Mr. eDonkey is actually a friend of mine, I told you the company is lenient especially with people with valuable brain power.
running a server off of a corporate network = brains? please.
Foo
Posts: 13840
Joined: Thu Aug 03, 2000 7:00 am
Location: New Zealand

Post by Foo »

Kracus wrote:If it's needed then the solution is to train your employees better if they're required to have that level of access. There's no stopping computers from getting bogged down unfortunately. you can decrease the amount of time by limiting access to what can be installed but eventually it will need to be serviced. But don't fret, your job probably depends on it anyway ;)
There's a cost involved in training users 'up'. Always. That's not just the simple training costs, either. Sadly the reality of being a network bod is that if something you believe needs doing has to be done, you're solely responsible for not only deploying it, but being the only bastard who knows what it's all about.

The rest of the job is about taking people (non-it) for a ride safe in the knowledge that what you're doing is right and they don't know it.

Which is not the same as being an IT-Nazi.
Cool Blue
Posts: 916
Joined: Wed Mar 02, 2005 2:39 am

Post by Cool Blue »

Giraffe }{unter wrote:
Cool Blue wrote:

So lock all your ports down except the ports necessary for operations then. That will drop your traffic load in half.

Then implement Content filtering, banning all non-corporate/business required/related sites.

Then implement logging and monitor which users abuse the privilege. Log and generate reports to show their activity and then talk with them or their supervisor about it, asking for a behavior change.
exactly my idea.. Until I nail the budget for this device is there a monitoring software to keep an eye on multiple vlans from one location? all requests, from specified ports?

ie...
192.168.100.xxx
192.168.101.xxx
192.168.102.xxx

all the ones I see need to be on a specific VLAN to work
I'm not sure what you're using to segregate your LAN, I use Cisco appliances which allow traffic logging from the device itself. I'm not sure if yours do or not.

Ports wise. ALL of them it's not about what to block, but what to leave open.

Not knowing your exact needs, off the top of my head, you should keep open (and mapped to the correct servers):

20-21 for FTP
80 for web
25/110 for Mail(POP)/SMTP
500/1723 for VPN connections (if you have any)
3389 for RPC (Remote Desktop, if you use it to admin any of your servers from outside your network)

Those are the standard ports used by all your common network services. Blocking all but those ports would stop all P2P traffic on your network while allowing all your essential services to run completely unaffected by the filter.
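Cool Blue's allow-list plus his "log it and report per user" step, and G}{'s question about watching the 192.168.100/101/102 VLANs from one place, amount to one piece of logic: a default-deny egress policy evaluated over whatever connection records the router or firewall between the VLANs can export. The script below is an added example, not code from any poster in this thread. It assumes a constructed, simplified flow-log format of `timestamp src sport dst dport proto`, one line per connection; real Cisco syslog or NetFlow output would need its own parser. The port labels are the conventional ones (3389 is Remote Desktop, 500/udp is IKE for IPsec VPNs, 1723 is PPTP), 443 is added for HTTPS, and the exempt admin workstation 192.168.100.10, the sample addresses and the eDonkey-style destination ports in the sample log are all made up for illustration.

```python
"""Default-deny egress audit over a constructed multi-VLAN flow log.

Added example: classifies each recorded connection from the user VLANs
against an allow-list of destination ports and tallies violations per
source host, which is the raw material for Cool Blue's "talk to their
supervisor" report.
"""
import ipaddress
from collections import Counter

# (protocol, destination port) -> service. Everything else is denied.
ALLOWED_PORTS = {
    ("tcp", 20): "ftp-data",
    ("tcp", 21): "ftp",
    ("tcp", 25): "smtp",
    ("tcp", 80): "http",
    ("tcp", 110): "pop3",
    ("tcp", 443): "https",
    ("udp", 500): "isakmp",   # IKE, for IPsec VPNs
    ("tcp", 1723): "pptp",
    ("tcp", 3389): "rdp",     # Remote Desktop
}

# The three user VLANs from the thread (assumed /24s).
USER_SUBNETS = [ipaddress.ip_network(n) for n in
                ("192.168.100.0/24", "192.168.101.0/24", "192.168.102.0/24")]

# Hypothetical admin workstation that is exempt from the user policy.
ADMIN_HOSTS = {ipaddress.ip_address("192.168.100.10")}

# Constructed sample log: "timestamp src sport dst dport proto".
# 4662/tcp and 4672/udp are the eDonkey defaults; 8000/tcp stands in for
# a music stream; the last line is deliberately malformed.
SAMPLE_LOG = """\
2005-07-19T10:00:01 192.168.100.23 49152 203.0.113.5 80 tcp
2005-07-19T10:00:02 192.168.101.44 49153 203.0.113.9 4662 tcp
2005-07-19T10:00:03 192.168.101.44 49154 203.0.113.9 4672 udp
2005-07-19T10:00:04 192.168.102.7 49155 198.51.100.2 8000 tcp
2005-07-19T10:00:05 192.168.100.10 49156 198.51.100.3 22 tcp
2005-07-19T10:00:06 192.168.100.23 49157 192.168.101.5 445 tcp
2005-07-19T10:00:07 192.168.102.7 49158 203.0.113.5 443 tcp
2005-07-19T10:00:08 garbage line that does not parse
"""


def parse_line(line):
    """Parse one flow record; return None for anything malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, sport, dst, dport, proto = parts
    try:
        return {
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "sport": int(sport),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "proto": proto.lower(),
        }
    except ValueError:
        return None


def in_user_subnets(ip):
    return any(ip in net for net in USER_SUBNETS)


def classify_flow(flow):
    """'allowed', 'exempt', 'internal' (not egress) or 'blocked'."""
    if not in_user_subnets(flow["src"]) or in_user_subnets(flow["dst"]):
        return "internal"          # not a workstation-to-outside flow
    if flow["src"] in ADMIN_HOSTS:
        return "exempt"            # admin box keeps full access
    if (flow["proto"], flow["dport"]) in ALLOWED_PORTS:
        return "allowed"
    return "blocked"


def audit(log_text):
    """Return blocked flows, a per-host violation count and skipped lines."""
    blocked, by_host, skipped = [], Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_line(line)
        if flow is None:
            skipped += 1
            continue
        if classify_flow(flow) == "blocked":
            blocked.append((str(flow["src"]), str(flow["dst"]),
                            flow["dport"], flow["proto"]))
            by_host[str(flow["src"])] += 1
    return {"blocked": blocked, "by_host": dict(by_host), "skipped": skipped}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for src, dst, dport, proto in report["blocked"]:
        print(f"DENY {src} -> {dst}:{dport}/{proto}")
    for host, n in sorted(report["by_host"].items(), key=lambda kv: -kv[1]):
        print(f"{host}: {n} disallowed connection(s)")
    print(f"unparsed lines: {report['skipped']}")
```

Two caveats a practitioner would add. The per-host count still has to be mapped to a person (DHCP lease or Active Directory logon records) before anyone talks to a supervisor, and this script only measures; enforcement is the router's own access list, which riddla describes later in the thread.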
Foo
Posts: 13840
Joined: Thu Aug 03, 2000 7:00 am
Location: New Zealand

Post by Foo »

I wouldn't just block those at the firewall level. I'd go one step further and use a proxy. Even if it costs 40 grand.

Course that's an ideal. If 40 grand isn't in your job-role-budget, a cheaper bobajob proxy would be my vouch, except for specific, uh, exceptions (group policy, remember)
Cool Blue
Posts: 916
Joined: Wed Mar 02, 2005 2:39 am

Post by Cool Blue »

I'm not sure how a Proxy server would be justified here.

I can reference a specific appliance that does everything I suggested to G}{ for less than the cost of a new server (no software licenses).

Then on top of that, I'd argue it's ten times more secure because it's not running either Windows or some open source software as its core OS.
Last edited by Cool Blue on Tue Jul 19, 2005 7:53 pm, edited 1 time in total.
Guest

Post by Guest »

Foo wrote:
Kracus wrote:If it's needed then the solution is to train your employees better if they're required to have that level of access. There's no stopping computers from getting bogged down unfortunately. you can decrease the amount of time by limiting access to what can be installed but eventually it will need to be serviced. But don't fret, your job probably depends on it anyway ;)
There's a cost involved in training users 'up'. Always. That's not just the simple training costs, either. Sadly the reality of being a network bod is that if something you believe needs doing has to be done, you're solely responsible for not only deploying it, but being the only bastard who knows what it's all about.

The rest of the job is about taking people (non-it) for a ride safe in the knowledge that what you're doing is right and they don't know it.

Which is not the same as being an IT-Nazi.
So they say, it does cost time which in turn does cost money and depending on the size of the company it can be difficult but I think worthwhile in the long run, especially since it can be integrated with training given to any corporate employee that's hired. At least that's how it's done around here. The only job you don't need training for is one you're fully qualified for in which case this wouldn't be a problem either. I more or less suspect the people he's talking about though are probably trained when they begin.

I'm not saying it's a perfect world but I remember when I was network admin for the local school I did train the staff on what to do and what not to do. Everyone didn't always listen to what I said mind you but a lot did and it helped curb others from repeating their mistakes. I dunno, it's all unique, certain things apply in certain situations but if I had a situation where installing programs was a requirement for the job I'd definitely list what's acceptable to install and what's not and failure to adhere to these standards would result in corrective action if they seem to be a regular occurrence.
Cool Blue
Posts: 916
Joined: Wed Mar 02, 2005 2:39 am

Post by Cool Blue »

riddla wrote:It looks like you completely missed my post on page 1 about port usage.
I did. :P But it appears we concur on how to resolve this type of issue.
Giraffe }{unter
Posts: 2941
Joined: Fri Mar 17, 2000 8:00 am

Post by Giraffe }{unter »

riddla wrote:A much easier solution is to use a firewall that has access lists. I can access anything I want but my users can only use port 80, 443, 25, 110 and a couple other custom ports. This alone cuts out a lot of the crap like filesharing and music streaming without me getting into the true Nazi-istic nature of my network ;)
you are right I did miss the post, I went that route once last year, we use all Cisco routers, so it wasn't an issue on HOW to do it, I can't remember why we couldn't do it... I'm gonna look into it again.
AmIdYfReAk
Posts: 6926
Joined: Thu Feb 10, 2000 8:00 am

Post by AmIdYfReAk »

I wouldn't allow them to install anything.. at all. no seriously.. best thing to do EVER!
Foo
Posts: 13840
Joined: Thu Aug 03, 2000 7:00 am
Location: New Zealand

Post by Foo »

But seriously I'm the best thing that would happen to your infrastructure, but would you consider my post? no. Doomed
+JuggerNaut+
Posts: 22175
Joined: Sun Oct 14, 2001 7:00 am

Post by +JuggerNaut+ »

bitter
Foo
Posts: 13840
Joined: Thu Aug 03, 2000 7:00 am
Location: New Zealand

Post by Foo »

lager actually.

Fuck me, it IS bitter. Clairvoyant? Claire is a girls name, any questions fagger?
Tormentius
Posts: 4108
Joined: Sat Dec 14, 2002 8:00 am

Post by Tormentius »

PhoeniX wrote:Also force them to use firefox, I think you can probably get things to force iexplore.exe to load firefox too, that should fix most of the spyware problems.
The reason that Firefox isn't usually used in corporate networks is because it isn't anywhere near ready for the enterprise yet. Updates are clumsy, there aren't any policies to control it, and it doesn't integrate with Active Directory like IE does.

By the way a simple registry entry (distributed via startup script) or changing one flag in Group Policy will disable ActiveX in IE completely. No additional software to support and a reduced learning curve for staff = cost savings.
Tormentius
Posts: 4108
Joined: Sat Dec 14, 2002 8:00 am

Post by Tormentius »

Foo wrote:What's the cost involved for licensing, have to deal with CALs just like ghost I imagine?

Even for the RES and zones and shit, there's group policy. I'm convinced SUS is the way forward.
I couldn't agree more. SUS (now WSUS) combined with RIS and software deployment via Group Policy keep my networks easily managed.
Giraffe }{unter
Posts: 2941
Joined: Fri Mar 17, 2000 8:00 am

Post by Giraffe }{unter »

Tormentius wrote:
PhoeniX wrote:Also force them to use firefox, I think you can probably get things to force iexplore.exe to load firefox too, that should fix most of the spyware problems.
The reason that Firefox isn't usually used in corporate networks is because it isn't anywhere near ready for the enterprise yet. Updates are clumsy, there aren't any policies to control it, and it doesn't integrate with Active Directory like IE does.

my thoughts exactly but I didn't feel like starting that argument

By the way a simple registry entry (distributed via startup script) or changing one flag in Group Policy will disable ActiveX in IE completely. No additional software to support and a reduced learning curve for staff = cost savings.


Sadly ActiveX is needed for our admin console; one piece of our equipment monitors who is on the phone and who is available and reports it to a web page that uses ActiveX
Foo
Posts: 13840
Joined: Thu Aug 03, 2000 7:00 am
Location: New Zealand

Post by Foo »

But seriously. Firefox IS ready for enterprise, but enterprise locked themselves out of using Firefox because they blindly accepted ActiveX as a standard platform. Stupid? Fucking too right, but it doesn't matter. What matters now is dealing with it.