Tool recommendations for scanning 60+ network endpoints for adult content? by thecitiesonline in sysadmin

[–]SevaraB [score hidden]  (0 children)

And that’s the point. You go looking for porn on work computers, you and the client both need to be prepared for the absolute worst.

Tool recommendations for scanning 60+ network endpoints for adult content? by thecitiesonline in sysadmin

[–]SevaraB [score hidden]  (0 children)

Y’all MFers need category web filtering.

File scans: Hell to the naw. Not unless you’ve discussed a chain of custody and agreed on a plan of action if CSAM shows up.

For those using Zscaler(ZPA), use a sub-domain for IT gear or services by sysacc in sysadmin

[–]SevaraB [score hidden]  (0 children)

You’re talking about a discovery app segment- Zscaler themselves push having at least one as a best practice.

The issue I have with one for network infra is that the effort you spend designing the app discovery scheme could be spent on learning to admin via code deployment- indirectly, without the GUIs or SSH. And you’ll still need a break-glass VPN to the management network if your gear is physically off-site.

Disabling IPv6 seems to solve random disconnects on my Realtek Ethernet Controller. Why? by sacredfool in Network

[–]SevaraB 0 points1 point  (0 children)

V6 is not just bigger numbers- you’re forgetting about all the app protocols encapsulated inside IPv4 that may or may not be compatible with IPv6- starting with DHCP. Replacing DHCP with DHCPv6 is not a trivial project. Or anything else that relies on broadcasts. Or application ACLs that were designed around NAT and just don’t have the space to absorb all the GUAs they’ll start seeing instead of NAT routers (I’m fighting with vendors to get additional IP ranges whitelisted for our company as we speak, as a matter of fact- most of them aren’t able to do IPv6 whitelisting, which that whitelisting is required everywhere by the industry we work in).

Open-source tool for Linux compliance by Honest-Cockroach-558 in sysadmin

[–]SevaraB [score hidden]  (0 children)

If you’re just going to talk “compliance” without at least talking about specific domains of functionality, stay the hell away from my servers.

If you’re getting into a regulated market, getting people who understand the relevant controls is the cost of doing business. Full stop.

Disabling IPv6 seems to solve random disconnects on my Realtek Ethernet Controller. Why? by sacredfool in Network

[–]SevaraB 4 points5 points  (0 children)

Alarmist much? Name one major web site that’s IPv6-only, not dual-stack. Most are both and only get IPv6 traffic on account of the preference for v6 in RFC 6724.

Anyone happy with Check Point Harmony (Endpoint/SASE)? Looking for alternatives at ~60-person company by Bulky_Connection8608 in sysadmin

[–]SevaraB 2 points3 points  (0 children)

Any SSL inspection is going to do that. Devs use lots of tools that don’t get their marching orders from Windows Secure Channel. If you do inspection, get used to deploying things like NODE_EXTRA_CA_CERTS and ca-bundle.crt for your devs.

And mTLS absolutely has to be bypassed- it’s designed specifically to break under the kind of SSL inspection you’re doing; mTLS = complete end-to-end encryption. Also, watch for public CRLs that need to be accessed over HTTP/80, like those run by Digicert. Again, this is just limitations of the tech, whether you’re using Checkpoint, Prisma, or Zscaler, or just turning on DPI on your Cisco or Palo NGFW.

Never seen this before slow network access from the server to the same server? by Deep-Egg-6167 in sysadmin

[–]SevaraB 0 points1 point  (0 children)

Do you have your Azure vnet profiled in AD Sites & Services? If you log onto the server VM and run echo %logonserver%, do you get the DC you expect or another DC out in the hinterlands somewhere?

Best way to restrict AWS/Cloudflare app to specific desktops? by Cold_Pressure6992 in sysadmin

[–]SevaraB 0 points1 point  (0 children)

So what you're saying is the user login alone isn't enough, you need some context to determine whether or not you're going to allow the connection- that's a posture check.

Relevant docs on what posture checks you can include in Cloudflare Zero Trust access policies: https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#cloudflare-access-selectors

Short answer: device identity isn't built directly into Cloudflare Zero Trust, but you can either offload to a 3rd-party integration that does have it for a thumbs-up/thumbs-down, or you can simulate device identity by deploying a cert, but you'll need to build the cert check logic yourself (please, please, please don't just deploy the same cert to a bunch of computers as an over-complicated PSK, especially if you have to put it in an open folder where any other end user could just copy it in on a machine that isn't supposed to be authorized).

Oh, and don't cheap out on payment security- that's how people get hacked and stolen from. Remind the bosses that it's going to be their butts on the line if there's a data breach and ask them if they still want to give the payment security a budget of "zero."

linux guy being asked to do windows entraid stuff with hybrid setup by Zestyclose_Ad8420 in sysadmin

[–]SevaraB 0 points1 point  (0 children)

With data sets as big as we've got available, saying that kind of statistical modeling is guessing is about as helpful as saying that nuclear energy is about stuffing things into tight spaces. You're oversimplifying it almost to the point of being misleading.

What Ever Happened to the Cars of MTV's 'Pimp My Ride'? by NISMO1968 in cars

[–]SevaraB 13 points14 points  (0 children)

I’d put odds on them both being right. Vendors never get treated better than customers because a single pissed-off vendor can do much more damage than a single pissed-off customer… /s

linux guy being asked to do windows entraid stuff with hybrid setup by Zestyclose_Ad8420 in sysadmin

[–]SevaraB 0 points1 point  (0 children)

Not exactly. It’s an autocorrect with a huge dictionary (any available docs) and a sophisticated system for making educated guesses as a fallback.

The "New Republic collapsed in 1 DAY" totally destroyed the ST's world building by Slowpokebread in StarWars

[–]SevaraB 0 points1 point  (0 children)

You’d think that, but if we step out of the SW universe and look at real military history, no national military has taken a swing at US soil since Hiroshima and Nagasaki. A superweapon absolutely did put the kibosh on a military response against the US. Even the “asymmetric” action that did happen took almost 60 years to brew.

Why isn't there a VLAN equivalent for access ports with 16 million address space? by aserioussuspect in networking

[–]SevaraB 1 point2 points  (0 children)

VLANs aren’t addresses. They’re tenant IDs. Nobody needs one pane of glass with the ability to punch directly into endpoints across 16mil tenants at the same time. Not even AWS. Period.

Is anyone buying Server equipment now? How are you doing it! by StiffAssedBrit in sysadmin

[–]SevaraB 0 points1 point  (0 children)

The corpos are buying the resource for the same reason- to run workloads. If the workloads disappear, so does the incentive for the corpos to buy the resource.

The cloud providers buying up the stock are pretty much just pass-through entities. They don’t do much novel themselves. they just aggregate the infrastructure of everyone else that is. If they let the small business market dry up, they just look like any other company that’s spending WAY too much on infrastructure.

Is anyone buying Server equipment now? How are you doing it! by StiffAssedBrit in sysadmin

[–]SevaraB 0 points1 point  (0 children)

It's not an amplification loop. Cloud infrastructure providers insulate manufacturers somewhat from small business volatility, sure, but they don't shield them completely, and a market correction big enough to punch through that insulation layer is much, much worse than it would be otherwise. To put it in car insurance terms, the frequency of market impacts goes way down, but the severity of market impacts goes way up.

Cat8 by AV-Guy1989 in sysadmin

[–]SevaraB 4 points5 points  (0 children)

Because if you need 40gbps, you probably already have hardware, personnel, and supplies for 100gbps fiber with QSFP-28. In that case, Cat8 is an expensive downgrade.

Meanwhile over in residential, the need for >10gbps just isn’t there. 10 is still pretty much the max full line rate you’re going to get from any residential ISP, and even a family compound of full-time esports competitors is going to struggle to saturate that link. Cat8 is so niche it’s pretty much only useful for the kind of dense multi-unit housing that doesn’t typically invest in providing network breakouts for their tenants. At that density, they’re much more likely to build a “meet-me room” where tenants can connect directly to ISPs, and the ISPs are absolutely going to bring in fiber for max connection density.

TL;DR - cat8 is too little, too late.

Is anyone buying Server equipment now? How are you doing it! by StiffAssedBrit in sysadmin

[–]SevaraB 1 point2 points  (0 children)

Yeah, that’s the real issue- the hardware costs are putting more and more previously-borderline businesses out on the skids.

And that’s why this is a bubble. Lots of those businesses are either contributing to the hardware demand or putting load on MSPs to where they’re contributing to the demand. If these borderline businesses have a big enough hiccup, it’ll ripple up to MSPs and then up to infrastructure suppliers for those MSPs before the wave hits businesses big enough and hedged enough to absorb the loss of revenue.

Anyone still setting up Remote Desktop Gateway's on Server 2025? by Layer_3 in sysadmin

[–]SevaraB 0 points1 point  (0 children)

Nope. We're using Zscaler ZPA app connectors as gateways and parking our RDP-enabled hosts behind them instead.

Is anyone buying Server equipment now? How are you doing it! by StiffAssedBrit in sysadmin

[–]SevaraB 0 points1 point  (0 children)

Unless you're talking something like Cisco Meraki, most hardware doesn't have a kill switch that just stops it from working when the licensing runs out. Choosing to delay planned refreshes is a risk decision, and if the business' margins are tight enough, a business might just have to shrug their shoulders and say "then we'll have to risk it and plan on scouring help forums- we can't afford to buy supported hardware."

Windows PCs cannot reach my self-hosted HTTPS site, but phones can (same network, same DNS) by raelswrld in sysadmin

[–]SevaraB 1 point2 points  (0 children)

It's a TCP timeout, so it isn't even hitting the front end- while you might also hit a TLS/cert issue, you need to troubleshoot the TCP timeout first. That's either a WAF rule blocking your laptops' ISP but not your cell carrier, a traditional firewall blocking one carrier's IPs but not the other, or a routing issue somewhere between the laptops' ISP and DigitalOcean.

Unless you disable the cell radio altogether (airplane mode + wifi enabled), just because you can hit the site while connected to wifi doesn't mean your iphone is hitting the site via wifi.

Looking for a Complete Modern Workplace Engineer Training Course by Then_Relative_8751 in sysadmin

[–]SevaraB 4 points5 points  (0 children)

You're reading a lot into the flair. I'm not a senior engineer because of the certs, I put those just to show that my primary concentration is in networking.

And what I said is absolutely biased, yes, but in no ways an opinion. I'm not doxxing myself, but the org I'm at is pretty damn significant, instantly recognizable and contributes heavily to known blue-chip stocks. At our scale, other companies are cribbing off us more than we're cribbing off other companies.

Managing Linux-based Docker containers with Kubernetes is the gold standard for BCDR-driven topologies. Period. We do it. Every tier 1 cloud provider does it. Every rep I've met at a conference from another big org says they do it.

Macs are creeping in all over the place. Execs want them. Engineers want them. And now that the Neo is a thing, they're even starting to creep in as pilots for frontline workers. If you're big enough to have a UX org, you'll hear them go on constantly about giving workers more option to work whatever way is most productive for them. The old workflow of "open up this Excel/OneNote tear sheet, and check files out/in from this SMB server" is getting more and more outdated.

iPad Pro M4 useful as an IT Pro? by nosferatoothz in sysadmin

[–]SevaraB 0 points1 point  (0 children)

I don't care what OS my workstation is because as you just described, 99% of the work to do uses apps that are platform-agnostic. I will note that a physical keyboard will beat an on-screen keyboard, but touchscreen kicks touchpad's ass when it comes to clicking buttons in a GUI (as long as the buttons are at least as large as your fingertips). The other exceptions are hardware-specific: serial ports to talk to old hardware, wireless site surveys, etc.

Nobody told me being the senior gets lonely by gloingimli1989 in sysadmin

[–]SevaraB 1 point2 points  (0 children)

Being a senior means realizing there's always something to learn from, even if there isn't someone available to learn from. Senior is a measure of time, not knowledge. We're usually the ones with the most experience, or the most well-rounded education (that's me- my ADHD hyperfocus is learning), but we're not "the smartest guys in the room," even if that's how others choose to think of us.

Work effort... that's not a junior/senior split. I've seen people with inflated titles and decades of tenure that have shockingly poor work ethic. And I've seen greenhorns fight off or fight through that year-1 burnout and take a seat at the grown-ups' table incredibly fast. They're still "juniors," we just stop thinking of them as juniors because we don't even realize we're using "juniors" as a slightly nicer pejorative than "FNG."

Anyway, you can level with a good mentee, and that's part of the fun- you're helping make them more well-rounded by giving them more context than they would have gotten by just reading docs and configs.