March 27th, 2006


First day new brain

Despite some concerns raised by the manufacturer's engineer, the wheels did not come off our newly reconfigured firewalls today. The box handling our Internet feed from AT&T chugged away without difficulty, and the box handling our feed from CEN did just fine. The CPU on that box spiked up into the high seventies during busy times, but it was just that -- spiking. Memory utilization was fine, and more importantly, performance was very good. Our peak utilization on that feed was ~40Mbps (as measured by a five-minute average -- I saw some momentary spikes up into the 65Mbps+ range).

I think our plan at this point is to let the boxes perk along separately for a while (read: a few weeks) and see if their good behavior continues. What comes after that depends on conversations I need to have with the manufacturer's support team.
  • Current Music
    USS Carter soundtrack vol. 1

I'll take 'things I didn't want to know'

...for a thousand, Alex.

OK, memo to all of you out there who might, someday, ever write a web application. And, memo to all of you who might, someday, ever consider conducting your personal Internet affairs at work.

As part of the great cleaving-in-twain of the firewall boxes we were able to re-enable web content filtering. On the CEN side of things, because we use the State's filtering system (N2H2) to do the filtering, we're just running in 'monitor' mode, logging all web site visits to disk (as we are required to do by Federal law). On the AT&T side of things – which is used by municipal staff – we enabled content blocking on a few clearly out-of-bounds types of sites (you guessed it, pr0n, nudity and 'adult content').

I did some poking in the logs to see what we caught today. The list is pretty short; only 72 out of thousands of web sites visited. Now, one of the great things about our spiffy new-ish Fortinet firewalls is that they give full host name resolution and URL text. This is a step up from what our old Cisco PIXes gave us (host IP and URL text). You couldn't tell from the host IP what site the user was going to if the site was hosted by one of those hosting services where they stack fifty web sites on a box using virtual servers. They all have the same IP address; the web server looks at the HTTP Host header to figure out which virtual web site is being requested. Well, now we get that information too.

With the other data collection tools we put in place two years ago after a kiddie porn incident in the Fire Marshall's office, we can now track a web site visit right back to the individual user. Not just to the PC, but to you. I'm sure that other organizations' IT shops are at least abreast, if not ahead of us shuffling civil servants in Hartford in this Internet arms race. So, for all you folks who think that sites like are work fare, knock it off: we know who you are!

OK, this part is ACHTUNG! for both desk-bound punters and web application developers. Along with the web server's host name, we get the full body of the URL. If you build some sort of "autologin" feature for your 'alternative lifestyle personals' web site that relies on a long string of gobbledygook in the URL to identify the user (and not something marginally more secure like placing an encrypted cookie on the user's PC) you are enabling devious sh*thead administrators like me to log in to said 'alternative lifestyle personals' web site and utterly hose that user.

The fact that this URL text (/p/login.cgi?autologin=UmFuZG9tSVYtv5_l_5bVhid6z9TYUrxh9poePl1BO%2FQ-), when combined with the host name, gets me into the user account of a senior manager in one of the City departments – who I happen to know – just adds some gratuitous ick factor to the whole thing.
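As an added example (not from the original post), here is a small Python script that does the defensive version of the log poking described above: it scans web-filter log lines for URLs that carry an autologin or session token in the query string, so an administrator can flag which applications are leaking credentials into proxy logs and warn the users or developers involved. The log layout and the sample lines are constructed for this example (they are not the Fortinet or N2H2 format), and token values are redacted in the output so the report itself is not a replay list.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines in an assumed "timestamp user host path" layout
# (not the real Fortinet/N2H2 log format). Users and hosts are made up.
SAMPLE_LOG = """\
2006-03-27T09:14:02 jdoe personals.example.net /p/login.cgi?autologin=UmFuZG9tSVYtv5_l_5bVhid6z9TYUrxh9poePl1BO%2FQ-
2006-03-27T09:15:10 asmith www.example.org /news/index.html?page=2
2006-03-27T09:16:33 jdoe mail.example.com /inbox?sid=3f9a2c7b8d1e4f60a1b2c3d4e5f60718&folder=inbox
2006-03-27T09:17:01 bwong www.example.org /search?q=firewall+cpu
"""

# Query parameter names that commonly carry a credential or session identifier.
CREDENTIAL_PARAMS = {"autologin", "token", "sid", "sessionid", "session",
                     "auth", "key", "password", "passwd"}

# A long run of base64/hex-style characters with no spaces: a random-looking
# token rather than a page name, search term or number.
OPAQUE = re.compile(r"^[A-Za-z0-9_\-+/%=]{20,}$")


def looks_like_credential(name, value):
    """Suspect if the parameter name is a known credential carrier or the
    value is a long opaque blob."""
    return name.lower() in CREDENTIAL_PARAMS or bool(OPAQUE.match(value))


def redact(value, keep=4):
    """Keep only a short prefix so the report cannot be used to replay the token."""
    return value[:keep] + "..." if len(value) > keep else "***"


def find_leaked_tokens(log_text):
    """Return one finding per (user, host, parameter) whose URL carries a suspect value."""
    findings = []
    for line in log_text.splitlines():
        ts, user, host, path = line.split(" ", 3)
        query = urlsplit(path).query
        # parse_qsl percent-decodes values, so %2F becomes '/' before matching.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if looks_like_credential(name, value):
                findings.append({"time": ts, "user": user, "host": host,
                                 "param": name, "value": redact(value)})
    return findings


if __name__ == "__main__":
    for f in find_leaked_tokens(SAMPLE_LOG):
        print(f"{f['time']} {f['user']} -> {f['host']} leaks '{f['param']}={f['value']}' in URL")
```

Run against real filter logs, the report gives the list of applications (by host) whose owners should be told to move the credential out of the URL and into a cookie.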
  • Current Music
    Avenue Q - The Internet is for Porn