[plug] DB Question

Leon Brooks leon at brooks.smileys.net
Fri Dec 1 11:04:00 WST 2000


Peter Wright wrote:
> On Fri, Dec 01, 2000 at 09:18:07AM +0800, Leon Brooks wrote:
>> You will be pleased to know that a large (in dollars, not in seats)
>> Perth-based Gummint department is carefully considering (ie experimenting
>> with) migrating from MS-SQL to PostgreSQL, and also swapping most if not
>> all of their Windows workstations for diskless Linux workstations plus
>> (where needed) Win4Lin.

> I'm extremely intrigued. Can you tell us which particular Gummint dept is
> considering this, or is it tippety-top secret?

Not so much tippy-top secret as that they really dislike people knowing what
goes on inside their network. Especially while there's still Windows on it. In
short, no. Commercial in confidence.

The exposition below is about as specific as I can safely get even without
giving away who they are. You will notice the conspicuous absence of names,
addresses, version numbers, even brand names. And if your questions get too
specific, they will go unanswered. (-: ``Chew this email thoroughly and swallow
it before reading. Then feed all of the results to an anaerobic digestor and
plow the residue into a paddock no smaller than 20 hectares in area.'' :-)

> The DB changeover isn't so amazing (being more of a server-side thing), but
> even thinking about changing over Windows "workstations" to Linux is pretty
> freaky, especially for the government.

The workstations are all late-model PCs with flatscreens (except the ones with
19" or larger CRTs). They're hoping to emdiskulate the whole lot and turn them
into Linux workstations. For where Windows is needed, they will use Win4Lin to
run the apps on a carefully-partitioned and heavily-firewalled server.
Non-network-aware apps may be run under WINE. Needless to say, no web, email,
chat etc traffic will be allowed in or out of that box, no connections allowed
in at all except for Win4Lin's VNC connects. I'm expecting that the users'
Windows subdirectories will all be replaced nightly.

To give you some idea of the levels of paranoia involved, they have a router
interfacing to the outside world, firewalled to forbid all inbound connects
except web, DNS and mail. I can't even ssh in. Behind that is a Linux box with
more firewalling fore and aft. Behind that is another router which forbids *all*
inbound connects. The amount of honkey-tonk that has to be played to get data to
and from the MS-SQL database which is accessed only through another NT box is
truly stunning, including a server on the in-between NT box polling the
webserver on the Linux box regularly and ambassadoring for the SQL server box. A
lot of the in-between software is closed-source custom so they have security by
obscurity as well as an ``airgap'' plus three layers of firewalling plus a layer
of (NT) filtering plus only necessary services. The only dialin line that they
have there is outside the ``airgap'' and one layer of firewalling, and doesn't
even answer unless you call it from a known number.

And they still almost-failed a security audit!

-- 
"Somebody once said that in looking for people to hire, you look
for three qualities: integrity, intelligence, and energy. And if
they don't have the first, the other two will kill you. You think
about it; it's true. If you hire somebody without the first, you
really want them to be dumb and lazy." -- Warren Buffett
