Thursday, September 23, 2010

Changing IT paradigms, the cyclical revolution.

In 1994 we had two large Unix boxes connected to a terminal concentrators. The only way into the machines was via console. We had physical access to the machines and would load tapes to install software and databases. The only way to admin the machines was through bastion terminals. From a bastion terminal you could type Ctrl alt Pf4 and get to login prompt that would take you a unix shell.
Slowly IP was adopted and we could access the machines via terminal emulator. Our Desktop machines could do most of the work we needed to do but to admin the servers we had to use the consoles.
The next move was to telnet. Most users still connected to the machine via terminal emulator, but admins were able to connect from bastion hosts via telnet and get a Unix shell.
Sometime around 2002 our security folks realized telnet was insecure. So we compiled and ran ssh in its place. The Remote system console ports did no support SSH so we had to take them off the network. The console ports had to be direct connected to a terminal concentrator that supported ssh.
As SSH became ubiquitous we started allowing users to connect to the machines from anywhere via SSH. The console ports were now SSH and we moved those to the regular network also.
SSH was a good fit until ITIL and change control. What is the number one cause of system outage in an IT datacenter? Superusers and admins, how do you control users and admins? You don't let them log into the machines unless they have an approved change request. DBA's can't log into a database box unless they are doing an actual update. All SSH traffic must go through bastion hosts, The only services you can see from a machine on the production network, are services its serving. For example database, Apache, middleware. All maintenance on the machines is done through a bastion Maintenance VLAN, All storage is mounted on the Storage VLAN, all dev machines are on a DEV VLAN, all test machines are on a TEST VLAN, no traffic gets through between the VLANS except through bastion hosts.

And we have come full circle.


Post a Comment

<< Home