RE: OpenVMS - When downtime is not an option



-----Original Message-----
From: bill@xxxxxxxxxxxxxxxxxxxx [mailto:bill@xxxxxxxxxxxxxxxxxxxx] On
Behalf Of Bill Gunshannon
Sent: June 29, 2007 3:07 PM
To: Info-VAX@xxxxxxxxxxxx
Subject: Re: OpenVMS - When downtime is not an option

In article <VoS7tnp8U2oh@xxxxxxxxxxxxxxxxxxxxxxxx>,
koehler@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Bob Koehler) writes:
In article <5ekdm1F38esk5U1@xxxxxxxxxxxxxxxxxx>, bill@xxxxxxxxxxx
(Bill Gunshannon) writes:

And that is a management problem and not a Windows problem. Management
should mandate who can do what on any machine and what is not to be done
on a server.

Management mandates are not a good tool for overcoming poor quality.
Management may mandate no surfing from the server console, but that
won't stop it from happening.

It will if you counsel him the first time and fire him the second
time. :-)


[snip ...]

Bill,

As I alluded to earlier, if you are mandating that browsers not be used
from servers, then with all due respect, you really do not understand
med-large DC and server environment management.

You need to understand that many of today's server management tools and
utilities have browser interfaces. Which typically means servers require
things like IIS, Apache or some other web server running. So right away,
all those IIS/IE issues need to be considered as potentially serious
server issues.

And while you can argue all you want about "real sysadmins use command
line, cryptic commands with exciting qualifiers", that is simply not how
modern day DC's are managed and/or monitored on a large scale -
especially in the Windows space. Heck, even large SAN environments today
use Windows or Web based mgmt interfaces to Mgmt appliances and
have NO access to the console because there often is none.


Poor quality in Microsoft's product is a Microsoft problem and a
problem for each of their products, the only fault on the part of
management is failing to block its use.

Bull crap. Just because some people have an axe to grind doesn't mean
the fault is all MS's. The products have come a long way (as have other
products, like Linux). They can be used securely and efficiently and they
can be made stable. And, that is the job of the sys admin. Otherwise,
why have them? Why not just let the secretary do it? What's that old
adage about a workman and his tools?

Just how secure would a VMS system be if the sys admin just turned on all
the ports and services, needed or not. The SYSTEM account had no password.
And everyone who used the machine just logged in as SYSTEM anyway. You
would never consider running a VMS system like this, so why accept it
with Windows and then blame MS for the problems?

bill

Both of the Bills are missing the point. Again, with all due respect,
both of you do not appear to have any real experience in med to large DC
operations.

Let me explain the typical medium DC environment.

[Large ones simply take what follows and multiply x 5-10 times. One
large US Customer bank server consolidation external RFP stated they had
10K servers WW of which 70-80% were Wintel based (they had no idea if
that was real or not since it was a SWAG which was part of the reason
for the RFP. The other reason was that they estimated that average peak
utilization of those 8K Wintel servers was less than 20%)]

Again, assume well managed Windows (Linux), UNIX and OpenVMS servers are
the baseline. Cust has trained their staff well in terms of secure
processes like disclosing sensitive information over the phone etc.
Fine, no issue here. In this environment, there are likely something
like 200-400 applications and/or utilities running of varying importance
and significance. Before patches are rolled out, they are tested against
the important applications.

That's the baseline.

A single typical medium DC has say 300-500 servers of which about 60-70%
(approx 200-400) are Wintel/Linux based. For discussion, let's assume
300. That means about 200+ Wintel based. About 25% (50) of these will be
IT infrastructure/operations based so IT OPS has a good feel for what is
running on these. That leaves 150+ prod/dev/test Wintel App/DB servers.

That's also part of the baseline.

Most IT operations staff have little to no understanding of what the
applications running on the 150 Wintel/Linux App servers require in
terms of things like ActiveX, COM, LDAP, Apache, IIS, what services are
running and/or not running. Also, remember that dev/test environments
are run by many different App groups who freely install whatever they
want. For prod environments, IT Operations simply follow vendor or App
provided instructions for installing new software (click set-up.exe and
answer default questions) in prod environments.

That's also part of the baseline.

Now. Introduce 5-20 well documented security issues each and every month
for Windows and Linux. Also, keep in mind that most security analysts
state that 50-60% of all security issues are internally initiated. Some
are inadvertently caused via Trojans, worms on laptops, PDA's, memory
sticks, cell phones etc looking for known holes and that regularly
travel to and from external networks.

So, what is the real cost to an organization like this that now needs to
test their important app's against a subset of these monthly security
patches? [which really means little as an App test is an App test
regardless of 1 or 20 patches applied]

And please do not say the IT OPS should have a detailed understanding of
what is running on every server because while in theory that might be
true in Wonderland, the reality is that they are all under staffed and
just trying to keep their nose above water with day to day support
issues - let alone planning monthly testing of applications and patch
deployments across all these servers because of these monthly
Windows/Linux security patches.

So, now you see the difference in terms of the impact and costs of 1 or 2
security patches every couple of years for OpenVMS vs. 5-20 released
*each and every* month for Windows/Linux.

And so, yes, regardless of the initial costs, long term OS platform
quality really does mean a big difference to the organization.

This is likely the issue facing medium to large companies today - one of
the true "hidden" reasons why IT costs are so high today as compared to
the past.

Regards


Kerry Main
Senior Consultant
HP Services Canada
Voice: 613-592-4660
Fax: 613-591-4477
kerryDOTmainAThpDOTcom
(remove the DOT's and AT)

OpenVMS - the secure, multi-site OS that just works.



