Happy Litterbox
Jan 2, 2010
Just do it like my first job, where bossman thought DHCP is a security risk: Have none, just hand out random static IPs to every device and pray they don't clash.

Happiness Commando
Feb 1, 2002
$$ joy at gunpoint $$

sfwarlock posted:


Before last week, I had never seen someone do the following:
Connect device to the network
Note what IP it gets from DHCP
Set that IP, on the device, as a static IP
Walk away, saying it works, stop making up problems.

I worked at a startup where my job was automation engineering. They didn't know what the gently caress they were doing. I couldn't figure out why my scripted machine builds kept failing to do network stuff. Turned out the entire network was filled with machines set to static IPs at the machine level inside the goddamn scope.

Took me a week to unfuck that.

Super-NintendoUser
Jan 16, 2004

COWABUNGERDER COMPADRES
Soiled Meat

Happiness Commando posted:

I worked at a startup where my job was automation engineering. They didn't know what the gently caress they were doing. I couldn't figure out why my scripted machine builds kept failing to do network stuff. Turned out the entire network was filled with machines set to static IPs at the machine level inside the goddamn scope.

Took me a week to unfuck that.

When I worked for an MSP I had a surprising number of conversations with in-house IT guys about how DHCP is "bad" and "causes all kinds of problems". When I asked "what kinds of problems?", no one could answer beyond some anecdotes.

Arquinsiel
Jun 1, 2006

"There is no such thing as society. There are individual men and women, and there are families. And no government can do anything except through people, and people must look to themselves first."

God Bless Margaret Thatcher
God Bless England
RIP My Iron Lady
Invariably "DHCP causes problems" translates to something like "the mission critical finance server is only running 50% of the time and sometimes when it boots the static IP address has been allocated by DHCP" which is obviously not DHCP's fault, or "it's a security issue because you can just plug in a device and it gets an IP address!" and that's failing to understand what layer 2 protections are for.

xzzy
Mar 5, 2009

There's been resistance to dhcp in my department because of concerns if the dhcp server fails for some long period of time. I appreciate the logic, but if we failed to notice a server was down for days or weeks, the problem isn't dhcp, it's us. There's also security concerns with someone plugging something into a switch and getting on the network, but again that's an organizational issue and not dhcp. It just feels lazy to wimp out like that.

That said I do feel more comfortable if a host is static configured, less troubleshooting to do if something goes really bad. So we set up a reservation for a host's registered address, provision it, and the installer sets up a static address (usually multiple because we have a lot of multi-homed servers).
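A small audit of the kind that catches what Happiness Commando and Arquinsiel describe above (statics sitting inside the dynamic pool, a DHCP-handed address colliding with a host's static address), added here as an example and not code from anyone in this thread: it diffs the gateway's neighbour table against the DHCP server's leases and its reservations/documented statics. The pool bounds, addresses and MACs are constructed sample data.

```python
"""Audit a DHCP scope against what is actually answering on the wire.

Findings:
  static-in-pool      IP inside the dynamic pool, no lease, no reservation
  undocumented-static IP outside the pool that nobody has documented
  conflict            IP answered by a MAC other than the lease/reservation holder
"""
import ipaddress

# Constructed: the dynamic range the DHCP server hands out from.
POOL_START = ipaddress.ip_address("192.168.10.100")
POOL_END = ipaddress.ip_address("192.168.10.199")

# Constructed: current leases exported from the DHCP server (ip -> mac).
LEASES = {
    "192.168.10.101": "aa:bb:cc:00:00:01",
    "192.168.10.102": "aa:bb:cc:00:00:02",
}
# Constructed: reservations plus documented infrastructure statics (ip -> mac).
DOCUMENTED = {
    "192.168.10.1": "aa:bb:cc:00:00:ff",    # gateway
    "192.168.10.20": "aa:bb:cc:00:00:20",   # file server, reserved
    "192.168.10.150": "aa:bb:cc:00:00:50",  # reservation inside the pool
}
# Constructed: `ip neigh` output captured on the gateway.
ARP_TABLE = """\
192.168.10.101 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.10.102 dev eth0 lladdr aa:bb:cc:00:00:99 STALE
192.168.10.120 dev eth0 lladdr aa:bb:cc:00:00:77 REACHABLE
192.168.10.20 dev eth0 lladdr aa:bb:cc:00:00:20 REACHABLE
192.168.10.150 dev eth0 lladdr aa:bb:cc:00:00:50 REACHABLE
192.168.10.33 dev eth0 lladdr aa:bb:cc:00:00:33 REACHABLE
192.168.10.1 dev eth0 lladdr aa:bb:cc:00:00:ff PERMANENT
192.168.10.200 dev eth0 FAILED
"""


def in_pool(ip: str) -> bool:
    return POOL_START <= ipaddress.ip_address(ip) <= POOL_END


def parse_neigh(text: str) -> dict:
    """Return ip -> mac from `ip neigh` lines; entries without lladdr are skipped."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if "lladdr" not in parts:
            continue  # FAILED/INCOMPLETE entries carry no MAC
        entries[parts[0]] = parts[parts.index("lladdr") + 1].lower()
    return entries


def audit(arp: dict, leases: dict, documented: dict) -> list:
    """Compare what answers ARP with what the DHCP server thinks it handed out."""
    findings = []
    for ip, mac in sorted(arp.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        holder = leases.get(ip) or documented.get(ip)
        if holder is None:
            findings.append((ip, mac, "static-in-pool" if in_pool(ip) else "undocumented-static"))
        elif holder != mac:
            findings.append((ip, mac, "conflict"))
    return findings


if __name__ == "__main__":
    for ip, mac, kind in audit(parse_neigh(ARP_TABLE), LEASES, DOCUMENTED):
        print(f"{kind:20} {ip:16} {mac}")
```

Run it on a schedule against real exports and the "conflict" line is the finance server from the post above, caught before it drops off the network.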

BaseballPCHiker
Jan 16, 2006

Happy Litterbox posted:

Just do it like my first job, where bossman thought DHCP is a security risk: Have none, just hand out random static IPs to every device and pray they don't clash.

We must've had the same boss! Wouldn't let us configure DHCP, kept statics tracked on "the excel server". Also hid SSIDs and thought that was the pinnacle of security.

Super-NintendoUser
Jan 16, 2004

COWABUNGERDER COMPADRES
Soiled Meat
The concern that you can just plug in and maliciously get an IP with DHCP sort of falls apart because you can just plug in and assign a static IP manually.

Arquinsiel
Jun 1, 2006

"There is no such thing as society. There are individual men and women, and there are families. And no government can do anything except through people, and people must look to themselves first."

God Bless Margaret Thatcher
God Bless England
RIP My Iron Lady
Literally what I used to do in college labs before they got wifi. Check the IP, pop out the ethernet cable, switch to my laptop and configure the system proxy and IP. Bam, I'm a lovely Optiplex GX240. I could have bypassed MAC filtering there too anyways what with being able to run ipconfig, but it'd have made it slightly less convenient.

devmd01
Mar 7, 2006

Elektronik
Supersonik

xzzy posted:

There's been resistance to dhcp in my department because of concerns if the dhcp server fails for some long period of time.

MS dhcp failover is pretty good and works well. Just have to make sure you install and schedule the script that copies over new static reservations, etc. from the primary to the secondary. Throw both IP helpers everywhere it needs configured on the network and you’re up and running in about half an hour’s worth of effort.

Internet Explorer
Jun 1, 2005

"we're scared of DHCP" is amazing. It's like I'm back in 1998. Great question to file away for when you're interviewing. It would be an instant nope from me.

Thanks Ants
May 21, 2004

#essereFerrari


"What if our DHCP server fails" is in the same category as "what if our DNS server fails" and "what if our authentication services fail"? You just make sure they don't. Nobody is suggesting memorising IP addresses because their understanding of a DNS server is a single Linksys router from 2005.

Wibla
Feb 16, 2011

We're working on unfucking years of technical debt, today we disabled some "unused" rules in the OT firewall.

An hour later, poo poo stopped working :haw:

(it was DNS)

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

Thanks Ants posted:

"What if our DHCP server fails" is in the same category as "what if our DNS server fails" and "what if our authentication services fail"? You just make sure they don't. Nobody is suggesting memorising IP addresses because their understanding of a DNS server is a single Linksys router from 2005.

"What if the server room burns to the ground, killing your supervisor and destroying all our data? Then we won't have DHCP or DNS! Best to manually configure IPs and add known sites to the local machine's hosts file."

Arquinsiel
Jun 1, 2006

"There is no such thing as society. There are individual men and women, and there are families. And no government can do anything except through people, and people must look to themselves first."

God Bless Margaret Thatcher
God Bless England
RIP My Iron Lady

Wibla posted:

We're working on unfucking years of technical debt, today we disabled some "unused" rules in the OT firewall.

An hour later, poo poo stopped working :haw:

(it was DNS)
A ticket came in from my building whatsapp group via my wife, who wanted to know why the internet had stopped working for her and had asked if anyone else had the same problem. Turns out that the reason I had internet and everyone else was using their phones is the ISP's DNS server is down.

Kind of loved explaining the sudden giggles to my wife.

dragonshardz
May 2, 2017

Contractors.

Contractors working on a software development contract.

Contractors, who hunt and peck single letters, working on a software development contract.

Contractors, who misunderstand "Y like Yankee" as "S like Sam", and hunt and peck single letters, working on a software development contract.

Contractors whose disorganized manager had 4 of them show up all at once on a day where I was flying solo.

Contractors.

They're what is pissing me off.

Weatherman
Jul 30, 2003

WARBLEKLONK
I loving hate Visio and resent being asked to use it to create diagrams.

Change the colour of a connector? Visio moves the connector halfway up the page.
Try to drag one end of a connector off the shape while you add a new connection point? Visio attaches the end to the far side of the large rectangle you happen to have under the shape.
Want to stop text labels on connectors having an opaque white background? You have to jump through a subtab of a submenu.
Want to use an icon for "PC" that doesn't look like 80s clipart? gently caress you, go download one instead of searching the built in library.

Plus a whole boatload of other usability issues. I swear I was more productive using CorelDraw 5 back in the late 90s than using this garbage fire.

xzzy
Mar 5, 2009

Do it on your phone with Apple's Freeform app!

Arquinsiel
Jun 1, 2006

"There is no such thing as society. There are individual men and women, and there are families. And no government can do anything except through people, and people must look to themselves first."

God Bless Margaret Thatcher
God Bless England
RIP My Iron Lady
That assumes having an Apple device to do it on. Instead use https://app.diagrams.net/ and export as a Visio file.

Thanks Ants
May 21, 2004

#essereFerrari


I’ve been ripping on the stupid renaming of Azure AD along with everyone else, but Entra Global Secure Access looks like it’s trying to provide a lot of the features that Cloudflare Access and Tailscale are doing, except it’s included with a P1 license that any M365 product tier worth using already includes.

Assuming that licensing position doesn’t change, or even if it does and it’s cheap, and the thing tests well, then it could be the go-to for “how do I let people RDP to this one legacy system when they all work remotely”.

devmd01
Mar 7, 2006

Elektronik
Supersonik
lmao rip zscaler. We were already looking at cutting back our licenses from company wide, especially once we turn on Okta fast pass and don’t need line of sight to the DCs for seamless SSO.

rafikki
Mar 8, 2008

I see what you did there. (It's pretty easy, since ducks have a field of vision spanning 340 degrees.)

~SMcD


devmd01 posted:

lmao rip zscaler. We were already looking at cutting back our licenses from company wide, especially once we turn on Okta fast pass and don’t need line of sight to the DCs for seamless SSO.

Yeah, there’s a reason their stock took a hit when the Entra stuff was announced. Palo also took a hit based on Prisma access I think but they at least have the “single pane of glass” “platform play” going for them if you’re a firewall customer.

Reoxygenation
Dec 8, 2010

if wishes were fishes fuck you this is my pie

Weatherman posted:

I loving hate Visio and resent being asked to use it to create diagrams.

I'm responsible for docs at my job and I've given up on diagrams. No one cares to make a good one, to maintain one, or to refer to one. What is the point then? Just write a paragraph of how things are done and leave it at that, on top of various issues with software.

Wibla
Feb 16, 2011

Visio is poo poo, but not having updated docs is worse :v:

guppy
Sep 21, 2004

sting like a byob
Every diagramming app sucks. I prefer draw.io/app.diagrams.net to Visio, because it's free and better-performing and doesn't require you to install anything, but they are all very cumbersome for this purpose. The complexity comes from the fact that it's used for a lot more than just network diagrams, but boy is it no fun. Takes forever to make even simple stuff.

The Fool
Oct 16, 2003


I've been using Miro for doing diagrams and it works well enough, but my org pays for the enterprise tier and I don't know if I'd have picked it if they didn't

teethgrinder
Oct 9, 2002

I like diagramming and had no problem with Visio besides it not running on Macs.

Pour one out for LucidChart which used to be a light-weight web-based version, but has all the loving cruft now of an company gone public: aggressive sales, price increases, unwanted features shoehorned into the product, etc.

Miro is pretty bad for that too.

Reoxygenation
Dec 8, 2010

if wishes were fishes fuck you this is my pie

Wibla posted:

Visio is poo poo, but not having updated docs is worse :v:

Oh I absolutely agree, and I'm eagerly awaiting the day where poo poo goes south real bad to rub it in people's faces. I have yearly audits for this purpose and it takes months to swap out 2 sentences (I usually end up doing it myself even though I shouldn't). I know it's my job, but lord do I have other poo poo to do than make you update your doc when you don't want to (which is especially annoying because a lot of people bemoan the existence of documentation, which already exists; they don't refer to it). This is going to be especially disastrous if we lose some devs on our solutions, because they built the drat thing, and I know they are largely unsatisfied with how things are being run, so it's a matter of time until we eat poo poo.

I'm aware this is absolutely the wrong mindset to have, especially since this is my job, but what the gently caress else am I meant to do? Even my COO pushing down on them (at my request, once I explain what the issue is and the time investment required) doesn't make them do it, and I don't think me doing their job is something I should encourage.

We have a lot of poo poo that is somewhat crumbling or held by duct tape and I just move through it all with a "people are a drag" attitude.

Wibla
Feb 16, 2011

At that point, something needs to go badly wrong, in a very visible way. No other way to force change.

Reoxygenation
Dec 8, 2010

if wishes were fishes fuck you this is my pie
Yeah and it's a matter of time. Wonder how that's all gonna go, especially since we were acquired very recently. Gonna be interesting, to say the least.

Agrikk
Oct 17, 2003

Take care with that! We have not fully ascertained its function, and the ticking is accelerating.

Weatherman posted:

I loving hate Visio and resent being asked to use it to create diagrams.

Change the colour of a connector? Visio moves the connector halfway up the page.
Try to drag one end of a connector off the shape while you add a new connection point? Visio attaches the end to the far side of the large rectangle you happen to have under the shape.
Want to stop text labels on connectors having an opaque white background? You have to jump through a subtab of a submenu.
Want to use an icon for "PC" that doesn't look like 80s clipart? gently caress you, go download one instead of searching the built in library.

Plus a whole boatload of other usability issues. I swear I was more productive using CorelDraw 5 back in the late 90s than using this garbage fire.

This but Lucid.app

I would kill to be able to use Visio.

Raymond T. Racing
Jun 11, 2019

DHCP chat

In my home network, I have exactly two statics configured, and neither of them are through my DHCP server: my home server has active failover, so assigning an IP from DHCP wouldn't be ideal, and IPMI for that server is also static on the device.

Thanks Ants
May 21, 2004

#essereFerrari


Today has been a perfect storm of things going wrong, the weather being poo poo, and colleagues just completely refusing to pull their weight and creating more work.

Agrikk
Oct 17, 2003

Take care with that! We have not fully ascertained its function, and the ticking is accelerating.
I have three VLANs on my home network and DHCP serves two of them. I have a home network (which contains all of my family's devices, connects to media servers and so like, and hosts our home SSID), a guest network (with a guest SSID that only provides routes to the internet and a printer), and an infrastructure network with domain controllers, ESX hosts, media servers, a printer, WAPs, etc.

I use statics on my infrastructure VLAN because that’s how it was done when I started doing IT a loooong time ago and I haven’t really had a pressing reason to change. Sure, there ARE reasons to change but I haven’t encountered them and at this point my file server has been 192.168.3.20 for so long that I can’t imagine it being anything else.

Dog_Meat
May 19, 2013

Happy Litterbox posted:

Just do it like my first job, where bossman thought DHCP is a security risk: Have none, just hand out random static IPs to every device and pray they don't clash.

I work in an extremely high security, highest level clearance environment where every PC, laptop, phone, printer and video conference unit is assigned its own IP. Oh we have DHCP servers, but we manually create reservations for every single device. Fortunately we have amazing asset management and perfect process so it runs smoothly.

We do not have amazing asset management and perfect process.

Potato Salad
Oct 23, 2014

nobody cares


I'll be straight with you, how in the hell does a NARA validated IS environment not have a literally perfect inventory?

I have my own criticisms of environments I've worked in but inventory isn't one of them. Inventory is such a massive Thou Shalt By The Book thing that people actually kept up on it dogmatically.

Dog_Meat
May 19, 2013

Potato Salad posted:

I'll be straight with you, how in the hell does a NARA validated IS environment not have a literally perfect inventory?

I have my own criticisms of environments I've worked in but inventory isn't one of them. Inventory is such a massive Thou Shalt By The Book thing that people actually kept up on it dogmatically.

Like any government function, it gets split and outsourced and retasked and messed with and split some more... with multiple agencies demanding their own way of doing things and operating within their own little silos. Then those silos go rogue because everything is so locked down clearance wise there's nobody to provide oversight.

Then you get a situation where someone is literally caught selling some of these assets to lovely exchange shops for coke money which you would think would trigger them taking your screams to perform a full audit seriously, but it gets shut down because that person's boss is far too important to be implicated in something as silly as tracking assets.

Potato Salad
Oct 23, 2014

nobody cares


:stonkhat:

Lord almighty that's a bit of a night and day difference from my experience, especially with the "no empowered party can actually audit the silo." I've only had experience with very, very empowered security departments and I wonder if that's what made the difference.

also I've had Contractors Touching Things but maybe not at the scale you've experienced

Dog_Meat
May 19, 2013

Potato Salad posted:

:stonkhat:

Lord almighty that's a bit of a night and day difference from my experience, especially with the "no empowered party can actually audit the silo." I've only had experience with very, very empowered security departments and I wonder if that's what made the difference.

also I've had Contractors Touching Things but maybe not at the scale you've experienced

It's terrifying at times. Fortunately we have a lot of very competent engineers so we're able to head off most disasters and keep the ship afloat, but it would make a scary/interesting ask/tell thread if it wouldn't get me into a metric gently caress-tonne of trouble down the line.

But I will say that at least the manual DHCP reservations and locked down port security help us build a picture when someone actually decides to investigate occasionally.

Dick Trauma
Nov 30, 2007

God damn it, you've got to be kind.
https://twitter.com/IdahoBones/status/1706298916449181744?s=20

tactlessbastard
Feb 4, 2001

Godspeed, post
Fun Shoe
I've got about 13 hours of training to knock out this week and the diabolical bastards have enlisted a chat bot to talk you through the concepts so there's no letting it run on the second monitor while I do something else.

I have to actively engage with it. Ugh.
