Monthly Archives: January 2006

Mac OS X Server Mass Deployment

Headless Xserve Setup

New Xserves are shipped with video cards. Much to the chagrin of many administrators, and to the amusement of many older UNIX administrators, Xserves were not shipped with a graphics card for a couple of years, and many still do not come with video dongles. In many cases you will come across one of these servers and need to set it up. At the time, the graphics card was an upgrade that many administrators did not know they would need to purchase unless they were willing to perform a headless installation. Luckily, Apple has provided numerous ways around this issue.

One of the best features of Mac OS X Server is that when you boot from the install CD or DVD, SSH and a client for the Mac OS X Server Setup Assistant are automatically running on the system. You can use Setup Assistant to complete the installation that was started at the factory. Likewise, Mac OS X will run in a similar fashion, allowing administrators access through SSH when booted from a CD. Most Xserves are set up with static IP addresses. However, computers crash. For this reason it is a good idea to set up a DHCP reservation for the MAC address of your Xserve. With a DHCP reservation you tell the DHCP server that whenever a host with your MAC address requests an IP address, it is always given the same IP. This is similar to assigning a manual IP address to servers.

How do you find the system on the network? Bonjour Browser can be useful for this. The Setup Assistant will also search the network for systems that are waiting for this portion of the installation to be completed.

The password to log into an Xserve when it is booted from the CD is the first eight digits of the server’s serial number. If you are installing on an older Xserve, the serial number may be “12345678”.

/System/Library/ServerSetup/sa_srchr IP_Address

You can also boot to a Fibre Channel port.

Once the server has been installed, you should be able to get in using Apple Remote Desktop and SSH, provided you did not disable them at installation. For headless systems you will typically use ARD, SSH or Timbuktu for the bulk of your administration.

Luckily, Metadata Controllers do not require much work. However, for Xsan administration you may find that you use Xsan Admin more often than you use the desktop or SSH for configuration.

Mac OS X Mac OS X Server Unix

Backing Up and Restoring Subversion

To make a Subversion backup (replacing /repositorypath with your actual repository path and /repositoryname.dump with the path and name of the file you would like to export your repository into):

svnadmin dump /repositorypath > /repositoryname.dump

To then restore the Subversion backup (replacing /repositorypath with your actual repository path and /repositoryname.dump with the path and name of the dump file you would like to load into it):

svnadmin load /repositorypath < /repositoryname.dump
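As an added example (not from the original post), the two commands above wrapped in a POSIX shell script that also proves the dump is restorable: it loads the dump into a scratch repository and compares youngest revision numbers. It assumes svnadmin and svnlook are on the PATH; the repository and dump paths are arguments rather than the placeholders used above.

```shell
#!/bin/sh
# Added example: back up a Subversion repository with svnadmin dump and
# verify the dump by restoring it into a throwaway repository.
set -e

# svn_backup REPO DUMPFILE: verify REPO, then write a full dump to DUMPFILE.
svn_backup() {
    repo=$1; dump=$2
    svnadmin verify -q "$repo"          # refuse to back up a corrupt repository
    svnadmin dump -q "$repo" > "$dump"
}

# svn_restore_check REPO DUMPFILE: load DUMPFILE into a fresh scratch
# repository and return 0 only if its youngest revision matches REPO's.
svn_restore_check() {
    repo=$1; dump=$2
    scratch=$(mktemp -d) || return 1
    svnadmin create "$scratch/repo"
    svnadmin load -q "$scratch/repo" < "$dump"
    want=$(svnlook youngest "$repo")
    got=$(svnlook youngest "$scratch/repo")
    rm -rf "$scratch"
    [ "$want" = "$got" ]
}

# Usage: sh svn-backup-check.sh /repositorypath /repositoryname.dump
if [ $# -eq 2 ]; then
    svn_backup "$1" "$2" && svn_restore_check "$1" "$2" \
        && echo "backup verified: $2"
fi
```

Run it from cron after hours so the restore test happens on every backup, not only when you need the dump.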

Mac Security

Internet Security 101

I originally posted this at http://www.318.com/TechJournal

“We’re not a high profile target.” We’ve heard it countless times before, but that argument just doesn’t hold up any more. There are malicious applications out there that scan entire chunks of the internet for computers that are vulnerable to specific attacks.

Most small businesses hold the position that because they are not a “high profile target”, such attacks do not represent a threat to them. In terms of modern security, the attitude of “We’re not NASA, and therefore our information is not confidential enough to protect”, just doesn’t hold up.

The attacks described in this article are sometimes less about your competition covertly gaining access to your trade secrets or client/job data, and more about random entities exploiting your technology resources. In addition to stealing confidential data, Internet attacks can degrade the performance of your technology assets with bots and other spyware, and use up most if not all of your Internet bandwidth. All of these potential symptoms cost a business in lost productivity and in the direct cost of resolving the performance issues.

No device that’s open to the web’s protocols is secure

Nearly every router and firewall, from consumer grade to professional grade, has the option to create what is called a Demilitarized Zone, or DMZ. A DMZ offers the ability to quickly share an Internet connection among many computers while still directing all incoming traffic to one specific computer. A common setup in a small office that has one server is to place that server in the DMZ. This is especially common when the server is used for multiple purposes (web server, FTP server, mail server, etc.). Each of these services uses a specific port to differentiate incoming requests; for example, web traffic typically uses port 80. When deciding which ports to allow into a network, remember that the less traffic that comes into a network, the better. With a DMZ, however, all ports are open, giving attackers a virtually limitless number of ports to scan, infiltrate, and exploit.

Selectively granting access is now a must.

Attackers are also using Google to find unsecured systems that accidentally get crawled (a book on hacking with Google was just released). If one of your systems is compromised by a hacker and used to launch an attack on another computer, those victims have every right to sue you for damages in court.

Another excuse that doesn’t hold up any more is, “It’s a Mac, and they’re secure.” It’s true that Mac OS X has been labeled the “most secure” OS on the market. However, the MOST secure doesn’t mean FULLY secure. Macs are going to become higher profile targets in that more and more attacks can be launched from them, even if there are still fewer people attacking them than Windows.

Since nothing that’s open to the web is secure, and most every business relies on open connections to the Internet to remain competitive, Three18 recommends that our clients keep as many copies of everything important in as many locations as they can, as well as having routine security audits and port scans.

Rotating redundant offsite backup solutions are critical.

The best way to protect your data is to back it up. When evaluating the costs, ask yourself how much money one day’s data is worth to your company. A week? A month? An hour? Then, make decisions on how often to back up based on the backup cost vs. the cost to recreate the data.

Protecting your assets requires a plan for both your perimeter and your data as well as your technology assets.

Now having said all of this, the real cost of security is inconvenience. The rule of thumb is that the more security is applied to an environment, proportionally the less convenient access to that environment becomes.

More often than not, the cost of 100% security is too high for two reasons: it limits the convenient access of a company’s data both internally and remotely, which often is required to support a company’s business logic as applied to technology; and it simply costs too much money to implement.

The best analogy is that of the homeowner who chooses to get an alarm system and put high quality locks on all the doors of his/her home, but opts to leave all of the windows on the home’s first floor without bars. In this case, the home is safe from the typical entry points, but at the price of maintaining a nice view through the windows, the home is vulnerable at the same time.

Sometimes less than 100% is good enough.

Security, as with most business decisions, is a risk-based decision. Factors of costs, convenience and liability must all be considered to fully understand the implications of business security.

On the Road

On the Road: Mexico City

It’s huge and there are just too many people.  That’s all I have to say about Mexico City.

Football

Georgia Falls to Mountaineers

This was one mountain we didn’t see coming.  That offense just looked too powerful.  We couldn’t stop them.  Georgia loses 38-35 to end the season 10 and 3.  :(

Business

Telecommuting 101

I originally posted this at http://www.318.com/TechJournal

Trying to imagine how to run an office in Los Angeles, New York City and London (with thoughts of Paris)? Well, there are a whole host of products looking to make your life easier. The hard part is figuring out which ones work best for each and every specific environment. Usually it boils down to matching your company’s business logic to products that are offered with an emphasis of working within your budget while attaining goals set forth by senior management.

Typically, the most pressing need businesses have with Remote Access Services (RAS) is file sharing. From Word and Excel documents to Final Cut projects, sharing files means sharing budgets, pictures, correspondence and other digital assets. The larger an organization grows, the more important it becomes for individuals to be able to share files, and the more important it becomes to ensure that it’s done securely.

There are technologies today that allow for the efficient sharing of large files.

Companies with file servers know that a central repository (or server) has many benefits, but when opening branch offices, special consideration must be given to the access individuals have to the place where everyone’s data resides. Companies that haven’t yet encountered a need for a server may find that one is essentially required in order to share data between remote locations. Sometimes, files that are easily shared locally on one server become difficult to share between remote locations because of their size or because they are motion video.

Virtual Private Networks (VPNs) are the most common method of securely connecting multiple offices or locations. This is often handled within a company’s gateway (router). VPNs send data over the public Internet through encrypted “tunnels.” Using a VPN to connect two or more networks is also a way to help ensure ease of use, which becomes paramount in organizations that are increasingly complex from a technical point of view.

VPN Encryption ensures safe delivery of your data.

The second most common type of data for sharing between multiple locations is contacts, calendars and schedules. This type of sharing is often called “groupware.” Cross-Platform groupware products include Microsoft Exchange and Now Up-To-Date/Now Contact.

Groupware means workflow automation.

Exchange, a centrally managed groupware solution, allows staff members highly configurable access to items that other staff members or workgroup members are working on. With the release of Office 2004, most of the Exchange features available for the PC are now available through the Mac. Sharing calendars, emails and contacts is what Exchange is all about. However, the product is still a little limited in what it can do on the Mac.

Many cross-platform companies still have the need for this detailed level of sharing, and have turned to products like Now Up-To-Date and Now Contact. With Now Up-To-Date it is possible to view schedules across networks easily. One use of this has been to use a key to specifically switch between the calendars of Editors in London and editors in Los Angeles. This allows one person to handle schedules in multiple offices, and everyone to see live scheduling data.

The same goes for contacts. Using keywords or categories (two different options), users can find contacts quickly based on whichever city they choose. Using the notes feature of Now Contact, it is possible to track correspondence, meetings and phone calls on a per-contact basis. This way, each person who talks to a client is able to see who spoke to him or her last, when they spoke and what it was about. This enables companies to rely on the data rather than on the people, allowing business processes to occur out of any office they choose.

sites

1 Year Now

1 year and going.  We’ll see if I can keep this up…