Alien Technology in our Datacenters

Mika/ November 5, 2012/ High Entropy, Security, Stories

Sometimes when I watch administrators at work, especially when I start to ask questions, I get an uneasy feeling: “this is not right”. As it turns out, many of the people who maintain, manage and configure IT or communication equipment don’t understand the technology they are using, at least not in depth. Mostly they have a rough idea what it’s all about, but they cannot explain in detail how it works and cannot predict what will happen if a few changes are made to the setup.

Although I couldn’t put my finger on it, I had a familiar feeling, something like a déjà-vu. Just recently, when I browsed through my bookshelves, it suddenly became clear: I reached for a science fiction classic, “Gateway” by Frederik Pohl, which describes an alien race, the “Heechee”, who have left behind thousands of small space ships. Quoting the Wikipedia article:

Unable to understand how they [the space ships] work, a small level of functionality has been recovered simply by trial and error. Occasional attempts at reverse engineering to find out how they work have ended only in disaster. The controls for selecting a destination have been identified, but nobody knows where a particular setting will take the ship or how long the trip will last – starvation is a major danger.

And this is much like how most of the core technology in our data centers is operated today: trial and error, experimenting, being happy when the expected results appear – no need to understand why. Even the danger of starvation turns out to be true if you translate it into “meeting the project deadlines”.

Just think about Citrix XenApp: Can you (or your administrators) answer these questions in detail?

  • What does the XML-broker do?
  • What kind of information does it prepare?
  • May or even must that information be changed if NAT, Firewalls or load balancers are in the path?
  • Describe in less than 50 words how the client decides where to connect to, and don’t spare me the details.

Or Microsoft Network Load Balancer:

  • Can you use any MAC address for the NLB? Why?
  • What if the NLB-members are connected to different switches?
  • Why can some clients reach the NLB-members but not the virtual NLB address while other clients have no problems at all?
  • Why does an RFC-compliant router need static ARP entries?
  • Should I also use static switching table entries on the layer 2 switches? Why?

How about 802.1X authentication:

  • Why do I have to configure two EAP methods? Do I?
  • Can I use certificates for the outer, the inner or both methods?
  • Are there limitations on the password exchange when you authenticate against Microsoft AD?

The list could go on like this forever, but I’ll stop here. In daily administrative life this is not a big issue: mostly the combinations or options are limited, so it’s possible to solve a task in a comfortable time by trial and error or by consulting online support groups. Been there, done that, check mark on the list. Now move on.

So the question you should ask is: Do I have enough understanding of the technology to fully control my IT and communication infrastructure? Or will I be hurled into a black hole if I touch any of these levers and dials?

We at DeepSec are always happy to help bridge this gap. As a hint: we still have a couple of seats vacant at our workshops, and the talks are eye-opening…


2 Comments

  1. Good read and oh so true – thanks for that!
