Network pics thread

fwiw most multi-port network cards (and with SCSI) I've seen are for Sun systems.

99% of our Sun iron is x86, running VMware, so can't say I've played with it much. Only Solaris exposure I've had is a few of our old T1000s that we ripped out a few months ago anyway :p
 
Well, finally got my switch, and it's up without a hitch! (Edit: Wow, I rhymed and didn't plan it :p) It's only 10/100 but fully managed makes me happy :D

(Sorry for the blurry pics, my camera phone isn't that great.)

The front of the rack

Close up of the logo

Now, on to the server. If you know anything about Xen networking and Debian, please check out my LQ thread, I'm getting a little desperate for advice!
 
finally posting a pic of my junk. I just moved, so forgive the mess.

DSCN4973.jpg


Starting top to bottom in the 42U NetApp rack:
24U patch panel
Cisco 2924LX
Cisco 871W
Belkin 8-port KVM
NEC 15" LCD and a keyboard
1U Whitebox server (caching proxy server running squid on CentOS)
Cisco 1130 AP
16 Disk Fibre Channel disk shelf
Two Dell PE R200's (VMware ESXi boxes)
12 Disk U320 Disk Shelf
APC 3000XL 2U UPS (need to wire in a 30A twistlock for it yet) with Network management card for SNMP/remote cycle


In "The pile":

Back:
A Dozen or so Dual P3 2U rackmount servers

Front (top to bottom):
Two Belkin 8-port rackmount KVMs (I can daisy chain all three, but no use right now)
Two Cisco 1912s
Two Cisco 2501s
Cisco 2611
Cisco PIX 501
5-in-3 disk backplane
Openfiler NAS in Black 4U case
Empty Black 4U case (destined to become the head for the disk shelves)

Not shown:
Additional reasons why my wife hates my computer obsession
 
finally posting a pic of my junk. I just moved, so forgive the mess.

Additional reasons why my wife hates my computer obsession

Hmm, but your energy supplier must be in love with you for it though!

Surely with that much kit, re-assigning it to a decent beefy VM server, you would see a return within the year?
 
The 2U P3's don't see any action, I just bought them cheap to resell for the most part.

The two 1U Dell PE R200's are VMware ESXi servers, and the only other two servers that will be running for the meantime are the Openfiler NAS (which is a pretty weak Pentium D 805) and the 1U whitebox for a caching proxy, which I may or may not end up using; it was mostly for education while I was setting up some cache servers at work.

Power bill should hopefully not be TOO bad :p

(read: it won't be as bad as when I was overclocking and using phase change cooling for my 24x7 rig)
 
it shows untangle there in bridge mode. :D
yes, I understand that... but why? You can content filter in bridge mode :confused: ..... I'm just wondering why he has a perimeter firewall and an interior firewall? His placement of said firewall would have no bearing on internal host communications (protection) unless they were subnetted and logically behind the firewall, which still wouldn't work because he is bridging. To me, it doesn't make any sense unless he's using it for proxy/content filtering and/or possible caching?
 
network21.jpg

My home network center's latest configuration. I have plans to eventually mount it all in my closet (maybe even clean it up) but it works, what can I say?!
 
that's what you use an untangle box for, content/malware/spam filtering. :D no caching proxy as of yet, however.
Once again, I know this is what you *might* use an untangle box for, but why have it positioned in the green side of the network? It doesn't make sense. Something like this should be moved to the perimeter of the network unless there is routing going on, which there isn't. I want to hear from the OP why he has two firewalls and not one.

also, wasn't aware that untangle didn't do caching. Thanks for the info.
 
I have an Untangle box and a pfsense box but my Untangle sits in front of my pfsense box. I like having all the content/malware/spam filtering of Untangle but I like pfsense more for routing and it does my caching.
 
I have an Untangle box and a pfsense box but my Untangle sits in front of my pfsense box. I like having all the content/malware/spam filtering of Untangle but I like pfsense more for routing and it does my caching.
I guess for the caching it makes sense (only because untangle doesn't support it), but other than that it's just architecturally an incorrect and inefficient design. Even taking layered security into account, having two firewalls like that gains you nothing (even if you want to consider adding another layer of HA, you still have one more point of failure). I've been doing a fair amount of architecture lately, hence the reason I want to understand why people may do stuff like this.. It's just... not right :D. Then again, it's for a house so it really doesn't matter.
 
...stuff like this.. It's just... not right :D. Then again, it's for a house so it really doesn't matter.

come on, you know as well as I that you should follow best practices at work AND at home! :D
 
I guess for the caching it makes sense (only because untangle doesn't support it), but other than that it's just architecturally an incorrect and inefficient design. Even taking layered security into account, having two firewalls like that gains you nothing (even if you want to consider adding another layer of HA, you still have one more point of failure). I've been doing a fair amount of architecture lately, hence the reason I want to understand why people may do stuff like this.. It's just... not right :D. Then again, it's for a house so it really doesn't matter.

Once Untangle does caching, I'll switch over to only UT. Until then, I'll keep both though.
 
Figured since I'm sub'd might as well throw up my lab equipment. This is my BSCI lab. Does what I need it to do.

5x 2610
1x 1841
1x 2511 - Access Server
1x 3620 - running as my Frame-Relay Switch

Loving the Skeletek rack. Nice to find out that they are actually just up the street from me. :)

Cabling is a bit out of control but meh. I need to replace the 3620 at some point. Damn thing is way too loud. Louder than anything in the rack.

 
Once again, I know this is what you *might* use an untangle box for, but why have it positioned in the green side of the network?

where else would you stick it if you only have one public IP? It sits in between your firewall and your LAN and filters all the traffic for malware and pr0n in a transparent bridge.
 
xphil3....I have it on the green side of my network because I don't trust Untangle at the border of my network. I prefer that a dedicated firewall be there and that the traffic filtering should be conducted on a different machine.
The traffic that isn't dropped (aka "good" traffic) by my firewall will then be further refined by my Untangle server. If the traffic manages to pass that chokepoint then it more than likely is friendly. If you think of it like a castle....I have a moat (firewall) and a drawbridge (untangle)! :)

Edit: It makes me sleep better at night knowing that my firewall is running software designed specifically for firewalling! Just my belief....you can put it wherever you think you should. And as far as the inner workings of it all: The modem does the NAT'ing so it has 1 internet IP and a private range. The smoothwall does seminat routing private to private ranges with everything on the same subnet. The UnTangle sits between as a Transparent Bridge...which means that it merely forwards traffic in NIC1 and out NIC2 and filters (based on apps used) all traffic flowing through.
 
xphil3....I have it on the green side of my network because I don't trust Untangle at the border of my network. I prefer that a dedicated firewall be there and that the traffic filtering should be conducted on a different machine.
The traffic that isn't dropped (aka "good" traffic) by my firewall will then be further refined by my Untangle server. If the traffic manages to pass that chokepoint then it more than likely is friendly. If you think of it like a castle....I have a moat (firewall) and a drawbridge (untangle)! :)

Edit: It makes me sleep better at night knowing that my firewall is running software designed specifically for firewalling! Just my belief....you can put it wherever you think you should. And as far as the inner workings of it all: The modem does the NAT'ing so it has 1 internet IP and a private range. The smoothwall does seminat routing private to private ranges with everything on the same subnet. The UnTangle sits between as a Transparent Bridge...which means that it merely forwards traffic in NIC1 and out NIC2 and filters (based on apps used) all traffic flowing through.

where else would you stick it if you only have one public IP? It sits in between your firewall and your LAN and filters all the traffic for malware and pr0n in a transparent bridge.

I think you're both missing the point. You're creating more potential bottlenecks and more points of failure. This is a no-no in our industry. Yes, you do gain a more layered approach to security, but once again this is nullified by the fact that you have the "one connection in, one connection out" setup. There is no redundancy, but like I said it's for your home.

Capt.
Since it's a UTM, I would throw it at the perimeter where it belongs. If you're doing JUST transparent filtering (not firewalling) then sure, throw it inline but again... it's a UTM for a reason. Also, depending on what that box is ACTUALLY doing, placement could be far better. For example, if he is simply doing web filtering, inline would be a far worse option than simply dropping it off the switch and pointing a web browser at it for proxying.

Phantum,
This is the explanation I was looking for, but I'm curious as to why you don't trust untangle at the edge of your network? You do understand that both of those UTMs do the same type of firewalling using the SAME technology (iptables), SPI. Also, many of the things that untangle can do smoothy can do. It can do antivirus/spam/url filtering so why not move those duties to the edge? That is, if you're not hardware constrained.

Yes, I understand that the untangle box does transparent filtering and I understand what that means, but keep in mind that if that box ever borks then your transparent filtering box has now become a traffic blackhole.

Could some one please explain caching on a network?
When people talk about caching, more often than not they're referring to web caching. There are multiple different kinds of web caching but they all have the same intent: to save bandwidth. What a caching server will do is store segments of websites, pictures, pages that are often visited (that pass through the caching server). The problem today is that way too many sites are dynamic, causing new pages/images/p0rn to be sent through the caching server, thus defeating the purpose of having parts of it locally. This is a barebones description; if you want something more in-depth (and it gets WAY more) look up the following:

proxy caching - usually somewhere inline, local to you perhaps
web acceleration - most often server side though client end (ISP) placement is becoming common, closest to the webserver. Check out WAAS (I know, whoring up the company)
gateway caching engines
 
Could some one please explain caching on a network?

further to what xphil3 said, reverse caching is also very common. Where I work we use squid reverse cache servers to memcache (or disk cache depending on file size and # of requests) a few GB of photos that are commonly accessed; the other couple terabytes of data that aren't touched as frequently can then just sit on the SAN until they're needed. Saves a bunch of load on our http servers and graphics processing servers to just have the commonly requested content cached.
 
I think you're both missing the point. You're creating more potential bottlenecks and more points of failure. This is a no-no in our industry. Yes, you do gain a more layered approach to security, but once again this is nullified by the fact that you have the "one connection in, one connection out" setup. There is no redundancy, but like I said it's for your home.

Phantum,
This is the explanation I was looking for, but I'm curious as to why you don't trust untangle at the edge of your network? You do understand that both of those UTMs do the same type of firewalling using the SAME technology (iptables), SPI. Also, many of the things that untangle can do smoothy can do. It can do antivirus/spam/url filtering so why not move those duties to the edge? That is, if you're not hardware constrained.

Yes, I understand that the untangle box does transparent filtering and I understand what that means, but keep in mind that if that box ever borks then your transparent filtering box has now become a traffic blackhole.

Are you sure it's a no no? The way I understand it, you want only one point of entry and exit so as to minimize any route mishaps that may occur. Not to mention the fact that if someone wanted to get inside there's only one way! The redundancy I'm speaking of is in terms of security. I wouldn't go outside in a blizzard with just a t-shirt, I'd want layers! I only need a one way path to and from the internet because no matter how you slice this pie it ALL begins and ends at the modem. I've experimented with just a smoothie, with smoothie and UnTangle and just UnTangle and the differences in latency and bandwidth is negligible (+/- 2ms, +/- 10kbps).
So let me rephrase the UnTangle and edge security because it didn't come out right the first time around. It's not that I don't trust UnTangle at the edge I'd just prefer that border security (firewall) be done explicitly by a dedicated machine that doesn't do anything other than pass or drop packets! Not to mention the fact that I've got computers coming out of the demon-hole so to have two different machines doing security is actually good because then the computers aren't just gathering dust.
What I'd really like to do is get my ESXi server up and running so that both duties can be handled by one machine, acting as two. When it comes to security it is my belief that it's not in one's best interests to put all your eggs in one basket. Sure both products do pretty much the same thing but the WAY in which the tasks are executed is different.

EDIT: I use the smoothie strictly for firewalling whereas the UnTangle is a traffic inspection (anti-virus/malware/spyware/phishing/Spam) tool. The latter could actually be done with a proxy server instead of UnTangle....which is supposed to be behind the firewall anyways (unless you're doing reverse proxying or load balancing).
 
Are you sure it's a no no? The way I understand it, you want only one point of entry and exit so as to minimize any route mishaps that may occur. Not to mention the fact that if someone wanted to get inside there's only one way! The redundancy I'm speaking of is in terms of security. I wouldn't go outside in a blizzard with just a t-shirt, I'd want layers! I only need a one way path to and from the internet because no matter how you slice this pie it ALL begins and ends at the modem. I've experimented with just a smoothie, with smoothie and UnTangle and just UnTangle and the differences in latency and bandwidth is negligible (+/- 2ms, +/- 10kbps).
So let me rephrase the UnTangle and edge security because it didn't come out right the first time around. It's not that I don't trust UnTangle at the edge I'd just prefer that border security (firewall) be done explicitly by a dedicated machine that doesn't do anything other than pass or drop packets! Not to mention the fact that I've got computers coming out of the demon-hole so to have two different machines doing security is actually good because then the computers aren't just gathering dust.
Once again, you're failing to make the connection between a good design and a bunch of equipment thrown together to have some kind of enforced security blanket. I'm 100% sure this is a no-no... trust me on this one. If you can, you always want multiple paths to exist in any kind of network to the exterior; this is how we create redundancy.

You're also failing to see that just because you put one firewall behind another you're not gaining any kind of security, which you don't because of your physical configuration. In that configuration if ANY of your firewalls does go down you're hosed (see my black hole comment).. so there goes your layered security. Layered security should be built on ALTERNATE paths, not one single path (which is how you have it configured). The way you have it designed (for a business, mind you) would be unacceptable, point blank. Also, building in layered security does not involve putting one firewall in after another just separated by a switch, unless you actually have hosts hanging off that interim switch. You should google security enclaves, read some of the government STIG documents.

Also, like I said... you have almost 3 identical filtering technologies inline with each other, doing the same exact stuff(filtering wise). You're not gaining yourself anything.


What I'd really like to do is get my ESXi server up and running so that both duties can be handled by one machine, acting as two. When it comes to security it is my belief that it's not in one's best interests to put all your eggs in one basket. Sure both products do pretty much the same thing but the WAY in which the tasks are executed is different.
I'm not sure if you noticed, but you totally contradicted yourself here. You say that you don't want to put all your eggs into one basket yet you want to virtualize both firewalls on one box? Then you truly have no layered security. Also, having any kind of virtual firewall to protect physical assets is a HUGE, MASSIVE no-no... virtualized firewalls provide security for virtual guests. This is standard.

EDIT: I use the smoothie strictly for firewalling whereas the UnTangle is a traffic inspection (anti-virus/malware/spyware/phishing/Spam) tool. The latter could actually be done with a proxy server instead of UnTangle....which is supposed to be behind the firewall anyways (unless you're doing reverse proxying or load balancing).
No, it's not. Why do you think they created UTMs? And loadbalancing has nothing to do with this conversation, so it's completely irrelevant. I've run smoothy in your configuration, at the edge and with proxying; it all depends on the rest of your infrastructure.

This has been a pretty good conversation, I know this thread isn't meant for it... but oh well.
 
How is it layered if each layer of security is on a separate path? You are wrong. Layered security is like layered clothing. You HAVE to take off the pants before you can get her panties off and have full access. (otherwise the best you can get is a hand down there, I know.. but it's the best analogy I could come up with)

Seems like each of you is speaking from a different perspective. Phantum is speaking from a security standpoint which means he wants the fewest links to the outside world and as much security as he can have without it breaking the bank or degrading performance. Perfect for a company office, home network, or anything where uptime isn't the biggest concern. Uptime comes second to security.

You are speaking from a reliability standpoint which means you think the most important concern is reducing the amount of weak links in the chain and having the greatest amount of links to the outside world. Better for a data center.
Security comes second to uptime.
 
While this is an interesting conversation guys, I think you should start another thread for it, or else mods are going to come along and edit this thread for too much chitter-chatter. (There are two pics on this page so far and a massive wall of text.)

Not that I'm against conversations about pics in the thread, but you guys are getting into a debate on network topology, which deserves its own thread mos' def.
 
How is it layered if each layer of security is on a separate path? You are wrong. Layered security is like layered clothing. You HAVE to take off the pants before you can get her panties off and have full access. (otherwise the best you can get is a hand down there, I know.. but it's the best analogy I could come up with)
No, I'm not wrong... I just know how to design a secure network. Read about security enclaves like I suggested to phantum and you'll understand why I suggested layered security is built in multiple paths, not one. This is the nicest way I can say to you that you need to read before you post up stuff about people being wrong. I understand defense in depth quite well, and the way that his network is designed (for a SMB or anything else) is incorrect. DiD takes into account more than just perimeter security. Modules.

enclave.gif

^ pic contribution.

Also, and this is not because we write the standards but..
http://www.cisco.com/en/US/netsol/ns954/index.html

Seems like each of you is speaking from a different perspective. Phantum is speaking from a security stand point which means he wants the fewest links to the outside world and as much security as he can have without it breaking the bank or degrading performance. Perfect for a company office, home network, or anything where uptime isnt the biggest concern. Uptime comes second to security.
I guess I can agree here, but I'm taking into account both security and efficiency and correct design.

You are speaking from a reliability standpoint which means you think the most important concern is reducing the amount of weak links in the chain and having the greatest amount of links to the outside world. Better for a data center.
Security comes second to uptime.
No, I'm not arguing only good reliability but more a good overall network design. Again, putting two SPI firewalls (he's doing transparent, so they're both still keeping state and dropping traffic in addition to the spam/filter/etc/etc) in line is NOT a layered security approach. Security must include designation of security domains, then those broken down and secured by physical firewalls, then again broken down at the access layer with proper ACLs and other security measures. He has SP edge security, that's all.... there are NO layers here. I understand the motivation of breaking out duties between devices and maybe it gives you some "quasi" layered security but again this is NOT a good design and more so a false security blanket with more negatives than positives (relating to reliability). Everything is a balance.

This has been a stimulating conversation, and I'm sure that a lot of people are learning so hopefully the mods don't decide to edit the posts.

Here's another contrib:
9k.jpg

ASR + 4948-10GE
 
So are you stating he should run just one box that does the firewall and everything else or what?

Old partial pic of my lan:
IMG_1843.jpg
 
Omega, what are all the black boxes? Some sort of disk array?


About the firewall conversation, I personally would like it to be moved elsewhere, but that's my personal opinion.

Edit: Apparently I was beat to the question.
 
Omega, exactly. But again, from my initial comment this is home... who really cares, it's all learning but I just wanted to point out that it's not the best design. That's all.

moose&casey: Those drives definitely look like a drive array. They look very similar to NetApp stuff.

Casey: Any updates on your network? I remember it looking quite healthy way back when.

DSC_0472.jpg

Cable management? bwhahaha.... how about some toilet paper rolls! It actually worked. Can anyone say HELLA ghetto.
DSC_0470.jpg

a bit of recabling.
 
how about some toilet paper rolls!

I've used TP rolls for stuff like power strips and extension cords around the house, but hah hah for using them at work. Classic.

After taking a closer look at the last pic, it looks like you have a bunch of cables connecting the same devices. Do you have hella VLANs configured or are those connections port bonded?
 
I've used TP rolls for stuff like power strips and extension cords around the house, but hah hah for using them at work. Classic.

After taking a closer look at the last pic, it looks like you have a bunch of cables connecting the same devices. Do you have hella VLANs configured or are those connections port bonded?

unfortunately this is at home :D
and the last picture is from, ugh.... I hate to even say it, my CCIE pod. Basically all 4 switches are fully meshed with 4 connections to each switch.
 