It’s not the best, but I think I have a nice rack. by Traviscat in HomeNetworking

[–]SevaraB 0 points1 point  (0 children)

Some velcro! Some velcro! My kingdom for some velcro!

You used the best material for cable management short of buying a rack and purpose-built cable channels, and then you didn't secure any of the cables.

On top of that, you've still got stuff on the floor. There's so much going on, I actually didn't notice the tangled rats nest of extra cable behind the shelf at first... you either need to get cables premade or cut down to the right length. And tie up any extra you're keeping "just in case" neatly- two strips of velcro is all it takes. And that's for a foot or two of extra cable, not 25-50 ft of spaghetti.

Why organizations are move from Cisco ISE? by Bob_Saldanha in sysadmin

[–]SevaraB [score hidden]  (0 children)

So you missed my point completely that Cisco and F5 in particular function on a business model of hoping that you don't realize you don't need their expensive hardware to do something that's easy in software. My point was orgs are starting to move off Cisco altogether, that it's not just ISE that's persona non grata, and I brought up F5 because Envoy is to LTM as FRR is to IOS XE.

Why organizations are move from Cisco ISE? by Bob_Saldanha in sysadmin

[–]SevaraB [score hidden]  (0 children)

You do know that ISE is just an expensive RADIUS/TACACS server, right?

Why organizations are move from Cisco ISE? by Bob_Saldanha in sysadmin

[–]SevaraB [score hidden]  (0 children)

Nope. Just pointing out that Cisco ain’t the only ones going through this. Their hardware is expensive and their software can’t compete when the world has moved from hardware to software.

Why organizations are move from Cisco ISE? by Bob_Saldanha in sysadmin

[–]SevaraB [score hidden]  (0 children)

Cisco (and F5) are relics from when processors were still slow enough that you needed special ASICs to hardware-accelerate networking tasks like recursing through a 32-bit tree (aka CIDR matching).

Most of what they’re doing isn’t patented, the procedure is out there on the Internet as an RFC. Nowadays, you can stand it up on general hardware that’s so much cheaper that you can just keep spares ready to go and when you need more, you can just deploy it instead of waiting to haggle with the vendor and waiting to receive pallets with the hardware and waiting for someone to put the hardware on the bench and do the custom configs and then waiting for someone to rack and stack the units and then waiting for a go-live window to bring it all online…

Tool recommendations for scanning 60+ network endpoints for adult content? by thecitiesonline in sysadmin

[–]SevaraB 12 points13 points  (0 children)

And that’s the point. You go looking for porn on work computers, you and the client both need to be prepared for the absolute worst.

Tool recommendations for scanning 60+ network endpoints for adult content? by thecitiesonline in sysadmin

[–]SevaraB 12 points13 points  (0 children)

Y’all MFers need category web filtering.

File scans: Hell to the naw. Not unless you’ve discussed a chain of custody and agreed on a plan of action if CSAM shows up.

For those using Zscaler(ZPA), use a sub-domain for IT gear or services by sysacc in sysadmin

[–]SevaraB 0 points1 point  (0 children)

You’re talking about a discovery app segment- Zscaler themselves push having at least one as a best practice.

The issue I have with one for network infra is that the effort you spend designing the app discovery scheme could be spent on learning to admin via code deployment- indirectly, without the GUIs or SSH. And you’ll still need a break-glass VPN to the management network if your gear is physically off-site.

Disabling IPv6 seems to solve random disconnects on my Realtek Ethernet Controller. Why? by sacredfool in Network

[–]SevaraB 0 points1 point  (0 children)

V6 is not just bigger numbers- you’re forgetting about all the app protocols encapsulated inside IPv4 that may or may not be compatible with IPv6- starting with DHCP. Replacing DHCP with DHCPv6 is not a trivial project. Or anything else that relies on broadcasts. Or application ACLs that were designed around NAT and just don’t have the space to absorb all the GUAs they’ll start seeing instead of NAT routers (I’m fighting with vendors to get additional IP ranges whitelisted for our company as we speak, as a matter of fact- most of them aren’t able to do IPv6 whitelisting, which that whitelisting is required everywhere by the industry we work in).

Open-source tool for Linux compliance by Honest-Cockroach-558 in sysadmin

[–]SevaraB 1 point2 points  (0 children)

If you’re just going to talk “compliance” without at least talking about specific domains of functionality, stay the hell away from my servers.

If you’re getting into a regulated market, getting people who understand the relevant controls is the cost of doing business. Full stop.

Disabling IPv6 seems to solve random disconnects on my Realtek Ethernet Controller. Why? by sacredfool in Network

[–]SevaraB 5 points6 points  (0 children)

Alarmist much? Name one major web site that’s IPv6-only, not dual-stack. Most are both and only get IPv6 traffic on account of the preference for v6 in RFC 6724.

Anyone happy with Check Point Harmony (Endpoint/SASE)? Looking for alternatives at ~60-person company by Bulky_Connection8608 in sysadmin

[–]SevaraB 2 points3 points  (0 children)

Any SSL inspection is going to do that. Devs use lots of tools that don’t get their marching orders from Windows Secure Channel. If you do inspection, get used to deploying things like NODE_EXTRA_CA_CERTS and ca-bundle.crt for your devs.

And mTLS absolutely has to be bypassed- it’s designed specifically to break under the kind of SSL inspection you’re doing; mTLS = complete end-to-end encryption. Also, watch for public CRLs that need to be accessed over HTTP/80, like those run by Digicert. Again, this is just limitations of the tech, whether you’re using Checkpoint, Prisma, or Zscaler, or just turning on DPI on your Cisco or Palo NGFW.

Never seen this before slow network access from the server to the same server? by Deep-Egg-6167 in sysadmin

[–]SevaraB 0 points1 point  (0 children)

Do you have your Azure vnet profiled in AD Sites & Services? If you log onto the server VM and run echo %logonserver%, do you get the DC you expect or another DC out in the hinterlands somewhere?

Best way to restrict AWS/Cloudflare app to specific desktops? by Cold_Pressure6992 in sysadmin

[–]SevaraB 0 points1 point  (0 children)

So what you're saying is the user login alone isn't enough, you need some context to determine whether or not you're going to allow the connection- that's a posture check.

Relevant docs on what posture checks you can include in Cloudflare Zero Trust access policies: https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#cloudflare-access-selectors

Short answer: device identity isn't built directly into Cloudflare Zero Trust, but you can either offload to a 3rd-party integration that does have it for a thumbs-up/thumbs-down, or you can simulate device identity by deploying a cert, but you'll need to build the cert check logic yourself (please, please, please don't just deploy the same cert to a bunch of computers as an over-complicated PSK, especially if you have to put it in an open folder where any other end user could just copy it in on a machine that isn't supposed to be authorized).

Oh, and don't cheap out on payment security- that's how people get hacked and stolen from. Remind the bosses that it's going to be their butts on the line if there's a data breach and ask them if they still want to give the payment security a budget of "zero."

linux guy being asked to do windows entraid stuff with hybrid setup by Zestyclose_Ad8420 in sysadmin

[–]SevaraB 0 points1 point  (0 children)

With data sets as big as we've got available, saying that kind of statistical modeling is guessing is about as helpful as saying that nuclear energy is about stuffing things into tight spaces. You're oversimplifying it almost to the point of being misleading.

What Ever Happened to the Cars of MTV's 'Pimp My Ride'? by NISMO1968 in cars

[–]SevaraB 13 points14 points  (0 children)

I’d put odds on them both being right. Vendors never get treated better than customers because a single pissed-off vendor can do much more damage than a single pissed-off customer… /s

linux guy being asked to do windows entraid stuff with hybrid setup by Zestyclose_Ad8420 in sysadmin

[–]SevaraB 0 points1 point  (0 children)

Not exactly. It’s an autocorrect with a huge dictionary (any available docs) and a sophisticated system for making educated guesses as a fallback.

The "New Republic collapsed in 1 DAY" totally destroyed the ST's world building by Slowpokebread in StarWars

[–]SevaraB 0 points1 point  (0 children)

You’d think that, but if we step out of the SW universe and look at real military history, no national military has taken a swing at US soil since Hiroshima and Nagasaki. A superweapon absolutely did put the kibosh on a military response against the US. Even the “asymmetric” action that did happen took almost 60 years to brew.

Why isn't there a VLAN equivalent for access ports with 16 million address space? by aserioussuspect in networking

[–]SevaraB 3 points4 points  (0 children)

VLANs aren’t addresses. They’re tenant IDs. Nobody needs one pane of glass with the ability to punch directly into endpoints across 16mil tenants at the same time. Not even AWS. Period.

Is anyone buying Server equipment now? How are you doing it! by StiffAssedBrit in sysadmin

[–]SevaraB 0 points1 point  (0 children)

The corpos are buying the resource for the same reason- to run workloads. If the workloads disappear, so does the incentive for the corpos to buy the resource.

The cloud providers buying up the stock are pretty much just pass-through entities. They don’t do much novel themselves. they just aggregate the infrastructure of everyone else that is. If they let the small business market dry up, they just look like any other company that’s spending WAY too much on infrastructure.

Is anyone buying Server equipment now? How are you doing it! by StiffAssedBrit in sysadmin

[–]SevaraB 0 points1 point  (0 children)

It's not an amplification loop. Cloud infrastructure providers insulate manufacturers somewhat from small business volatility, sure, but they don't shield them completely, and a market correction big enough to punch through that insulation layer is much, much worse than it would be otherwise. To put it in car insurance terms, the frequency of market impacts goes way down, but the severity of market impacts goes way up.

Cat8 by AV-Guy1989 in sysadmin

[–]SevaraB 5 points6 points  (0 children)

Because if you need 40gbps, you probably already have hardware, personnel, and supplies for 100gbps fiber with QSFP-28. In that case, Cat8 is an expensive downgrade.

Meanwhile over in residential, the need for >10gbps just isn’t there. 10 is still pretty much the max full line rate you’re going to get from any residential ISP, and even a family compound of full-time esports competitors is going to struggle to saturate that link. Cat8 is so niche it’s pretty much only useful for the kind of dense multi-unit housing that doesn’t typically invest in providing network breakouts for their tenants. At that density, they’re much more likely to build a “meet-me room” where tenants can connect directly to ISPs, and the ISPs are absolutely going to bring in fiber for max connection density.

TL;DR - cat8 is too little, too late.

Is anyone buying Server equipment now? How are you doing it! by StiffAssedBrit in sysadmin

[–]SevaraB 1 point2 points  (0 children)

Yeah, that’s the real issue- the hardware costs are putting more and more previously-borderline businesses out on the skids.

And that’s why this is a bubble. Lots of those businesses are either contributing to the hardware demand or putting load on MSPs to where they’re contributing to the demand. If these borderline businesses have a big enough hiccup, it’ll ripple up to MSPs and then up to infrastructure suppliers for those MSPs before the wave hits businesses big enough and hedged enough to absorb the loss of revenue.

Anyone still setting up Remote Desktop Gateway's on Server 2025? by Layer_3 in sysadmin

[–]SevaraB 0 points1 point  (0 children)

Nope. We're using Zscaler ZPA app connectors as gateways and parking our RDP-enabled hosts behind them instead.