    Posts

    • RE: PVLAN (private VLAN) in the switch - are you using it?

      @dashrender said in PVLAN (private VLAN) in the switch - are you using it?:

      @pete-s said in PVLAN (private VLAN) in the switch - are you using it?:

      @jaredbusch said in PVLAN (private VLAN) in the switch - are you using it?:

      @pete-s said in PVLAN (private VLAN) in the switch - are you using it?:

      Are you guys using pvlan features in your switches?

      If I understand correctly it will isolate vlan ports from each other.
      So for instance:

      • your desktops can talk to the servers, but not each other,
      • servers in a dmz can talk to the firewall but not each other

      etc.

      That would require me to use a VLAN in the first place...

      Seriously though, I use VLAN for Guest WiFi and that is about it. Since my WiFi hardware is UniFi, it already does this, so no.

      You could put all computers in the same vlan... Are you not worried about the security implication of letting every device have access to everything on the LAN? Zero-day exploits?

      So it infects the server, then the server infects the PCs.. what's the diff?

      Maybe nothing, maybe something. The server might not be running the same OS, it is likely not running the same services as desktops. Either way the intruder/malicious software has to gain access over the server as well before getting access to the other PCs. One more layer of security to overcome. More difficult for things to spread.

      posted in IT Discussion
    • RE: PVLAN (private VLAN) in the switch - are you using it?

      @jaredbusch said in PVLAN (private VLAN) in the switch - are you using it?:

      @pete-s said in PVLAN (private VLAN) in the switch - are you using it?:

      Are you guys using pvlan features in your switches?

      If I understand correctly it will isolate vlan ports from each other.
      So for instance:

      • your desktops can talk to the servers, but not each other,
      • servers in a dmz can talk to the firewall but not each other

      etc.

      That would require me to use a VLAN in the first place...

      Seriously though, I use VLAN for Guest WiFi and that is about it. Since my WiFi hardware is UniFi, it already does this, so no.

      You could put all computers in the same vlan... Are you not worried about the security implication of letting every device have access to everything on the LAN? Zero-day exploits?

      posted in IT Discussion
    • RE: 802.1x port-based authentication - when and why?

      @jaredbusch said in 802.1x port-based authentication - when and why?:

      If you are plugging something in to a company asset that you were not told to do, you are intentionally doing something. Shit doesn't plug itself in. Shit does not bring itself into the office.

      That reminds me of something. When you set up 802.1x on a Windows computer, is it the user account that is logged in that you are authenticating, or is it the computer itself, or both?

      posted in IT Discussion
    • PVLAN (private VLAN) in the switch - are you using it?

      Are you guys using pvlan features in your switches?

      If I understand correctly it will isolate vlan ports from each other.
      So for instance:

      • your desktops can talk to the servers, but not each other,
      • servers in a dmz can talk to the firewall but not each other

      etc.

      posted in IT Discussion (tags: vlan, switch, pvlan)
    • RE: Handling DNS in a Single Active Directory Domain Controller Environment

      @obsolesce said in Handling DNS in a Single Active Directory Domain Controller Environment:

      You can't determine what the problem is and also fix it in 5 minutes, that's completely unrealistic.

      This is true regardless of whatever way you do things. Assuming it's the VM, and it's crashed. Restore it in 5 minutes from on-prem backups, or take the time to fix it in hours, seize FSMO roles, and rebuild a new DC from scratch in hours.

      I agree. I was just saying if we were to calculate the cost of the downtime, the downtime will not be 5 minutes. You have to calculate the time it takes for everything, including the users having problems, them calling you (and getting hold of you), time for troubleshooting, and then the last 5 minutes of restoring the VM. So 2 hours it was 😉

      posted in IT Discussion
    • RE: Handling DNS in a Single Active Directory Domain Controller Environment

      @black3dynamite said in Handling DNS in a Single Active Directory Domain Controller Environment:

      @pete-s said in Handling DNS in a Single Active Directory Domain Controller Environment:

      @obsolesce said in Handling DNS in a Single Active Directory Domain Controller Environment:

      No, because it doesn't take 2 hours to restore a 40GB VM. It takes 5 minutes. If it happens over the weekend, and business takes place during the weekend, that's a different story. For many, it won't even matter and can be handled on Monday morning or VERY QUICKLY Sunday night. You don't need to be on-prem to restore a VM.

      It might very well take two hours if you have cloud backup. Actually, you should probably be very glad if you can restore a tiny little 40GB VM from the cloud in two hours 🙂

      But even if the backup is local you still have to determine what the problem is first. Why would the VM crash if there is not a hardware problem on the VM host? What do the disks on the host look like, do we have bad sectors? Or is it a NIC problem on the VM host or a port on the switch? You can't determine what the problem is and also fix it in 5 minutes, that's completely unrealistic.

      Why not isolate the bad DC VM for troubleshooting later and restore the backup now?

      If you fear the VM host has a severe disk or disk controller problem it doesn't make sense to keep it running. Then you'd want to shut down all VMs and run diagnostics before taking it back up again.

      posted in IT Discussion
    • RE: Handling DNS in a Single Active Directory Domain Controller Environment

      @obsolesce said in Handling DNS in a Single Active Directory Domain Controller Environment:

      No, because it doesn't take 2 hours to restore a 40GB VM. It takes 5 minutes. If it happens over the weekend, and business takes place during the weekend, that's a different story. For many, it won't even matter and can be handled on Monday morning or VERY QUICKLY Sunday night. You don't need to be on-prem to restore a VM.

      It might very well take two hours if you have cloud backup. Actually, you should probably be very glad if you can restore a tiny little 40GB VM from the cloud in two hours 🙂

      But even if the backup is local you still have to determine what the problem is first. Why would the VM crash if there is not a hardware problem on the VM host? What do the disks on the host look like, do we have bad sectors? Or is it a NIC problem on the VM host or a port on the switch? You can't determine what the problem is and also fix it in 5 minutes, that's completely unrealistic.

      Also, if you're not on-prem and don't have a working AD, are you even able to remote in and access anything?

      posted in IT Discussion
    • RE: Synology one bad sector crashes whole volume RAID0

      If you need to save what's on the disk you need to:

      • insert the 1st drive in a Linux computer (don't mount it) and make a dd image copy of the entire disk.
        Use options conv=noerror,sync so the drive keeps reading even after errors.
        Expect the cloning to take a long time if you have many bad blocks.
      • do the same with the second disk.
      • mount the cloned disks/images and run fsck on them, or use recovery software.
      • recover or copy what is possible and copy the data to where you want it.

      Don't do anything else with the failed disks other than clone them. That's data recovery 101.

      posted in IT Discussion
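The cloning procedure in the post above, as an added shell script that is not from the original post: it refuses a mounted source, runs dd with conv=noerror,sync, counts the read errors GNU dd logged, and checks that the image has exactly the size conv=sync should have produced. The 4 KiB block size, the image and log paths, and a Linux host with GNU coreutils are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: image a failing disk with
# dd conv=noerror,sync and sanity-check the result before touching it with fsck.

BS=4096   # assumed block size: a read error only costs this many bytes of padding

# is_mounted DEVICE: true when DEVICE appears in /proc/mounts (Linux only).
# The post's rule is "don't mount it"; refuse to image anything that is.
is_mounted() {
    grep -q "^$1 " /proc/mounts 2>/dev/null
}

# source_bytes PATH: size in bytes of a block device or of a regular file.
source_bytes() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else echo $(( $(wc -c < "$1") )); fi
}

# padded_size BYTES BS: conv=sync pads the final short block with NULs, so the
# image is BYTES rounded up to a multiple of BS, never smaller.
padded_size() {
    echo $(( ( ($1 + $2 - 1) / $2 ) * $2 ))
}

# clone_disk SOURCE IMAGE: byte-for-byte copy. conv=noerror keeps reading past
# unreadable blocks; conv=sync writes NUL padding in their place so every later
# byte keeps its original offset. dd's stderr (errors plus the final record
# counts) is saved to IMAGE.log for review.
clone_disk() {
    if is_mounted "$1"; then
        echo "refusing: $1 is mounted; unmount it first" >&2
        return 1
    fi
    dd if="$1" of="$2" bs="$BS" conv=noerror,sync 2>"$2.log"
}

# bad_blocks IMAGE: number of read errors dd reported (GNU dd message format,
# e.g. "dd: error reading '/dev/sdb': Input/output error"); 0 when none.
bad_blocks() {
    grep -c 'error reading' "$1.log" || true
}

# check_image SOURCE IMAGE: succeeds only when the image has the size conv=sync
# should have produced; a shorter image means the clone was interrupted.
check_image() {
    got=$(( $(wc -c < "$2") ))
    want=$(padded_size "$(source_bytes "$1")" "$BS")
    [ "$got" -eq "$want" ]
}
```

Against a real device this needs root; the post's fsck and recovery steps are then run on the .img file (for example through a loop device), never on the original disk.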
    • RE: Synology one bad sector crashes whole volume RAID0

      @guyinpv said in Synology one bad sector crashes whole volume RAID0:

      I'm running them striped since I wanted more space and perhaps speed.

      Disks fail, that is what they do. You're asking for it when running RAID0.

      But now you just buy new drives and restore your backup.

      WD has some test program that can verify that the disk is broken, then just send it in for warranty replacement - if it's still under warranty. WD Red had 3 years I believe but can be extended to 5 years for a small fee.

      posted in IT Discussion
    • RE: 802.1x port-based authentication - when and why?

      @jaredbusch said in 802.1x port-based authentication - when and why?:

      @pete-s said in 802.1x port-based authentication - when and why?:

      802.1X port-based authentication - when is it used and why?

      Is it to protect the network from unauthorized physical access to ports that you have no physical control over?

      Basically, yes.

      In @scottalanmiller’s LAN-less design it doesn’t matter. But for the rest of us....

      Well really it comes down to risk assessment, like all things. How much will it cost you to set up and manage day to day versus doing nothing? Then how much of a cost would be associated with some type of malicious actor accessing an open port?

      How about just using MAC address to lock down ports in use and turn off ports not in use? Would that not be as effective?

      posted in IT Discussion
    • 802.1x port-based authentication - when and why?

      802.1X port-based authentication - when is it used and why?

      Is it to protect the network from unauthorized physical access to ports that you have no physical control over?

      posted in IT Discussion (tags: 802.1x, switch, authentication)
    • RE: snmp for linux, is it really this difficult?

      @momurda Great! Thanks for posting!

      posted in IT Discussion
    • RE: GDPR Requiring Centralized Password Management

      @scottalanmiller said in GDPR Requiring Centralized Password Management:

      @pete-s said in GDPR Requiring Centralized Password Management:

      This is the GDPR. You can check yourself what it says. It's only 88 pages.
      https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN

      Every country in the European Union is required to make it national law.

      Yeah, I've read most of it. But anything 88 pages is long enough to make creating FUD pretty easy to do.

      Yeah, FUD is how the big boys make their money. If it's not fear, uncertainty and doubt then it's complexity. Make something that could have been simple as complex and convoluted as possible, so that you absolutely need lots of consultants and experts helping you. Which of course the supplier can offer. And finish off the cocktail of deception with a big chunk of vendor lock-in on top.

      posted in IT Discussion
    • RE: GDPR Requiring Centralized Password Management

      This is the GDPR. You can check yourself what it says. It's only 88 pages.
      https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN

      Every country in the European Union is required to make it national law.

      posted in IT Discussion
    • RE: GDPR Requiring Centralized Password Management

      Also, companies have to make sure they are compliant but it's not until something happens, like a data breach, that the authorities want to check what you have done to be compliant. If they find out that you did in fact not follow the GDPR you risk heavy fines.

      This of course makes everyone and their grandma offer products and services and tout their GDPR compliant products.

      posted in IT Discussion
    • RE: GDPR Requiring Centralized Password Management

      I have not studied GDPR in detail but I'm familiar with other European directives and regulations.

      It's a lot about having processes in place. For instance, if we are to protect access to sensitive information we must know what information is sensitive and who has access. And someone has to have the responsibility of making sure only the people that need access have access. And we have to know who accessed what information and when. And we have to protect the information against threats, and someone has to have that responsibility as well. And all these processes and procedures have to be documented, and on a regular basis the company and 3rd parties have to check that they are in compliance.

      These are the type of things you'll see in the law - not should I use product X or Y or that AD is okay but XYZ is not...

      posted in IT Discussion
    • RE: My first computer

      @tonyshowoff said in My first computer:

      @pete-s I think it was essentially a Z80 clone of sorts. It was also a kit computer, and I know that it was compatible with the same tape drives/players and BASIC.

      Yes, I assumed it was a kit since you said it was a bitch to get working 🙂

      posted in Water Closet
    • RE: Automation with Ansible, Salt etc - at what point?

      @scottalanmiller said in Automation with Ansible, Salt etc - at what point?:

      @pete-s said in Automation with Ansible, Salt etc - at what point?:

      Would it be very hard to write something that could mount an ISO using IPMI, power up the server over IPMI, install XenServer, set up networks and storage, then install a few different guest VMs with some different packages?

      Sounds like MaaS.

      Terraform is probably the best tool for this.

      It's for setting up our servers we will put in colocation. There will be twice as many as originally planned, so 20 hardware nodes. 8 of them will run bare metal, maybe with containers, and 12 will run xenserver with an estimated 4 to 8 VMs on each.
      Some of these will be for production and some for development.

      I guess I could clone them as well but then we're back to manual operations.

      posted in IT Discussion
    • RE: Automation with Ansible, Salt etc - at what point?

      Alright, if you guys say so I guess I better get around to it.
      Ansible seems to be the least complicated to get started with, so I guess that'll be as good as anything.

      I have a lot of VM hosts and guests to set up, as well as a way to do changes and keep everything updated and patched. So I might as well start with it from scratch.

      Would it be very hard to write something that could mount an ISO using IPMI, power up the server over IPMI, install XenServer, set up networks and storage, then install a few different guest VMs with some different packages?

      posted in IT Discussion
    • RE: My first computer

      @tonyshowoff said in My first computer:

      Robotron Z1013 If I recall correctly, my grandfather got it for me one Christmas season/New Year/Something. It was a bitch to get working. I also had a monitor that was not monochrome but basically was because it was a modified, broken colour TV set that only displayed green.

      That looks awesome.

      Reminds me of the Sinclair ZX80. You could buy it as a kit and solder it together yourself.
      [images: ZX80-topless.jpg, ZX80-right.jpg]

      posted in Water Closet