Cover V07, I04


Questions and Answers

Bjorn Satdeva

 Q We've been trying to remember what LISA stands for, but all we can come up with is __ __ Sys Admin.

 A LISA stands for Large Installation System Administration. It was named this way back in 1987 when a large installation consisted of maybe 100 systems and 1 Gb of disk space. A lot has changed since then.

The conference was renamed back in 1992 or 1993 to the Usenix System Administration Conference, because Usenix was afraid that it would loose too many potential attendees by implying that it was only for large systems. However, since the acronym had become well known by that time, it was retained in connection with the new name of the conference.

 Q I enjoy your articles in Sys Admin. Reading them gives me a real appreciation of how much I don't know. I've been involved in UNIX administration for years, but have never gone terribly deep into security issues. I'm administering an AIX 4.1 box and contemplating hooking it up to the Internet. We have a number of WIN95 PCs networked to it now. We also have a bunch of ASCII terminals connected to serial ports. I've read a lot about Internet security and firewalls and realize that a standalone firewall PC would probably be the best protection. Money is tight, so I would like to try a Linux-based Web server/firewall/whatever. Can you recommend a book, Web site, or other resource that would give me a good look (read: step-by-step with reasonable explanations of the options) at setting up such a firewall? I would also be interested in any writings on general security issues in an AIX setting in particular and UNIX in general. Do you have any recommendations?

 A The best book on firewalls I have seen is Brent Chapman's Building Internet Firewalls from O'Reilly and Associates. While it is mostly focused on packet filtering, it gives a good description of proxy-based firewalls too. The basic starting point when implementing a firewall for the first time is to have a security policy in place, so you know what to allow and what not to allow. The latter can be difficult if the site is already directly connected to the Internet, because it is always difficult to take services away from the user community.

For security in general, I can recommend Practical UNIX & Internet Security, second edition by Simson Garfinkel and Gene Spafford. This book gives a good overview of many security issues in UNIX. For more specific Internet related security, I like Internet Security - Stories from the Trenches by Linda McCarthy from Prentice Hall. In this book, she shares her experiences with Internet security and firewalls. The book is filled with case stories, which makes it interesting reading. I like this book a lot, in fact enough to forgive her for stealing my subtitle.

 Q I am a subscriber to Sys Admin magazine and always enjoy your Q&A column. If I had one complaint it is just that this column is too short!

I wanted to respond to your comment that a backup program should be a front end to the UNIX dump command. I completely agree with your comments regarding the reliability of information retrieval. The problem that I see with this is that most businesses are heterogeneous in nature. These companies want a solution that not only backs up UNIX, but many other operating systems using one centralized backup system. Plus, this solution needs to be able to do it in a very short backup window. In this regard, I believe the UNIX dump command is not an acceptable solution.

 A The comment you are referring to was in the context of a UNIX-only backup system. When other types of operating systems are involved in a comprehensive backup solution (or enterprise-wide solution in marketing hype), it is necessary to reconsider that solution. No decision, technical or otherwise, can exist in a vacuum, so when the conditions change by adding non-UNIX systems to the mix, the technical solutions may have to change too. However, the basic requirement, that of reliability and predictability of the restores, should not be affected. In the situation you are referring to, I would most likely prefer a front-end solution which manages system-specific backups. In other words, I would like to continue to use dump on the UNIX systems, while using another appropriate solution for the NT (or whatever) systems. There are both commercial and freeware solutions that allow the user to define the low-level backup agent. These also have the advantages that databases can be backed up using the front end, as many database programs require special backup agents (when the database is on a raw file system).

The bottom line for me is that I have learned the hard way to trust dump and mistrust other solutions. As a systems administration consultant, I have had ample opportunity to see how many ways a backup system can go wrong without being detected by the system administrator. There are a lot of situations where restoring a backup is the last line of defense, and when we get to that line, it had better work.

 Q Do you have any information regarding personnel planning for Systems Administration duties (i.e., how many servers/workstations a single administrator could be expected to handle)?

 A This question comes up quite often. Unfortunately, there is no good answer, because it is diffuclt to take into account the level of service that should be provided for each system, and how much freedom each user is allowed in personal preference of the configuration of their workstations. If your site is adopting a policy where each workstation is identically configured and easily replaceable, it will require a lot less support compared to a situation where the support of each workstation is a custom job. It will also depend on how well the various configurations are documented. Many system administrators does not spend much time documenting their systems, and, as a consequence, are forced to spend more time diagnosing problems. Also the amount of support seems to depend on the system type.

It seems to me that PCs require more system administration support than a UNIX system, although again it depends on the system configuration. I am always very reluctant to give out any kind of numbers, because they are not very meaningful outside of the environment in which they where collected. I am assuming that you need these numbers to justify the hiring of more support people to your management. You can do this better by providing hard data, by keeping logs of what you do, and by implementing a job tracking system. Using such data, you can quantify the requirement and make forecasts of the future ability to provide support to users with or without hiring more people. You should also make an attempt to quantify the hidden support cost - the cost of the users doing their own support. Adding more support people may be able to reduce your hidden cost, thereby creating a cost saving by hiring more system administrators.

 Q What would you be looking for if you were looking for an information security specialist? Things like experience, training, certifications...? I'm trying to determine the difference between what I have and what I need.

 Q This is a very good question. These days, it seems as if you can spell Internet Security Consultant, then you are one. Let me start with eliminating the easy stuff. I don't believe in certification. At the most it proves that you have taken some courses, but it does not prove that you have a deep understanding of the issues. The same goes for training. Training can be used as a starting point, but I would be very reluctant to recommend anybody straight out of school, however bright they are. This leaves experience. But how do you really gauge the experience of another person? Some people are experts at pretending to have experience they do not possess, and others may be very good at what they do, but not good at projecting that image.

I would suggest that you ask lots of questions, and although you do not want to discard any answers, you should pay close attention to how at ease the consultant is when answering the questions, and most importantly, how easy it is for that person to state there is something they do not know. Regardless of how much experience a person has in a certain field, there are always gray areas where the person doesn't know the answer off hand. If they are good, they should be able to find out, but they should not try to cover up. In my experience, only a person who is really good at what they do will be able to say "I don't know" with the ease that comes from knowing that when you get such a question, it is either non-trivial or irrelevant to the topic.

You should of course check references. Never hire a person without doing that. In the end, however, it might come down to the fact that you, through the interview process, have developed a certain trust in the person's ability to solve problems.

About the Author

Bjorn Satdeva is the president of /sys/admin, inc., a consulting firm which specializes in large installation system administration. Bjorn is also co-founder and former president of Bay-LISA, a San Francisco Bay Area user's group for system administrators of large sites. Bjorn can be contacted at /sys/admin, inc., 2787 Moorpark Ave., San Jose, CA 95128; electronically at; or by phone at (408) 241-3111.