On Thu, 10 Jun 1999, John Wiltshire wrote:
> Telnet generally isn't the best solution (password sniffing and other
> mischief) - why not use a VPN connection? Then all your tools work just
> fine.
One-time two-factor password schemes with telnet work just fine as long
as you're monitoring for session hijacking attempts. VPN solutions are a
flawed answer when you don't trust the host or network you're coming in from.
There's no enforcement of the encryption boundary on an untrusted OS or
network. VPNs also introduce a lot more code to the solution, which means
carrying around a lot more gear. VPNs are a good solution if you trust the
remote OS, machine and network and have a reasonable assurance in the VPN
software and key handling protocol. IOW, they're a substitute for
leased-lines in some environments where the extra risk isn't significantly
dissuasive. For most other things the security model is "not quite there."
> > GUIs are nice but rotten for remote administration unless you tote along
> > your own environment which I don't find desirable, especially when you
> > don't anticipate getting called.
>
> I've never had a problem.
I've traveled with luggables, laptops, palmtops, notebooks and sub-notebooks.
The ability to get in and out of a network via remote dial from a Palm Pilot
makes a *huge* difference to how lightly you can travel. It also saves time
getting through airport security when you're taking commercial flights.
Lastly, it means you don't have to worry as much about losing the device
since there's generally not much data resident on it.
I can do 99.99% of my infrastructure job from a vt100 terminal attached
to the console port of a router. At 3am from a hotel room when you just
discovered that your laptop screen was crushed in overhead, being able to
telnet around from a borrowed or backup organizer is a *huge* difference.
For that matter, being able to hook the Pilot's serial port up to the
laptop and still use the machine is a win you can't get from a GUI-centric
environment. My laptop screen died just that death on the way to Interop
last year. I could still copy my presentation to floppy diskette, play
with some source code I was interested in at the time, and even use the
keyboard for input and the Pilot for output.
There's a huge difference in functionality during "normal times" and when
you're in an emergency situation or things aren't going your way. When I
need to get creative, I want to have the tools to do so, and a command
line gives that. Access to the command line then becomes the difference
between "fixed" and "still broken" or "primary person fixes it" and
"whoever's actually present, clue or not has a go at it."
In an ideal world, remote administration would never be necessary. In
general for me it's a very rare occurrence. When I absolutely need to
react to something though, I can. Those times tend to be the ones that
really make a difference.
I work for a very large corporation. We have lots of NT, a small amount of
Unix and a good number of minicomputers. I get to watch and participate in
the differences in management, tools and problem solving ability every single
day. I find it amusing to watch administrators who can't predict or
verify the behaviour of their systems in certain circumstances. When
everything's running well, it's not a bad thing for the tasks we use it
for. When it isn't, NT is a complete bear to wrestle with.
Obviously, YMMV.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280