Contributed by dhartmei on from the success-stories dept.
IT managers who want to deploy an open source solution but are worried about company politics should go ahead and do it without asking, according to PricewaterhouseCoopers (PWC) Japan IT manager Mark Uemura. Faced with an unreliable network, Uemura went ahead and migrated systems from Windows to OpenBSD on the premise that management would trust his judgement.
By Fábio Olivé Leite (200.182.144.93) on
I guess this point says it all. Nice read for this monday morning!
By Confused (193.63.217.208) on
> "Microsoft just happens to be one of our clients and Checkpoint is our standard firewall," Uemura said. "Checkpoint on Windows was unmanageable but after a few months of using OpenBSD we were told to put Checkpoint back."
This paragraph is impenetrable. I am left with questions like "Huh?" followed by "If it was unmanageable why was OpenBSD better?" and "If it was unmanageable why put it back?" I've seen more depth in a puddle. Anyone care to explain for poor stupid people like me?
By SleighBoy (64.146.180.98) on http://www.code.cx/
Then PWC was hit with a virus affecting network traffic and the Checkpoint firewall was running at 100 percent CPU capacity which was effectively a denial of service.
"So we had to put an OpenBSD firewall in front of Checkpoint," he said.
By Anonymous Coward (216.220.116.154) on
The last one I touched was running FBSD 2.1.7. It was interesting... No ssh on there, and no https on the web interface. So I took sshd from a FBSD box and installed it there and tunneled web requests over ssh. Amusing thing was that you could pull the FW-1 kernel module off the box and load it up on a stock FBSD box. Last I heard, Nokia was moving to Linux. Odd choice really, it seems like *BSD would be much easier to track/maintain.
By bert (68.100.43.184) blambert at thepresidency dot org on
Yes, but 'BSD' isn't a buzzword, and therefore aren't compliant.
By Anonymous Coward (68.164.139.181) on
Truly the "windows" of the firewall world.
By Jim (198.62.124.245) on
:)
By Luiz Gustavo (200.165.155.139) on http://hades.uint8t.org
And before you claim something, fw-1 is far from the fastest kid outside.
Btw I seriously doubt that SPLAT is hardened or whatever they call it anyway.
By Lars Hansson (203.65.245.7) lars@unet.net.ph on http://mono.blogsome.com
Long story short, changed insanely overpowered NT+Checkpoint box into web hosting machine and replaced it with a p2 300 running OpenBSD that is still running flawlessly to this day.
By Joel Sing (131.172.4.44) joel@ionix.com.au on
The OpenBSD FAQ contains all of the information you should need:
http://www.openbsd.org/faq/faq6.html#CARP
There are also a couple of sysctls which you can tweak, as documented in the FAQ. Also, "man carp" is your friend.
By Mark T. Uemura (221.249.159.51) mark.uemura@gmail.com on
a talk by carefully crafting his story from bits and pieces mostly
taken out of context. So, in all fairness to my firm and to those who
were not present, I feel compelled to set the story straight.
First off, the story is not an interview even though it may come across
as such. The title is rather sensational but I certainly wasn't
desperate. There were problems and they were fixed and our team was
just very resourceful in doing so.
Gedda writes:
> IT managers who want to deploy an open source solution but are worried
> about company politics should go ahead and do it without asking,
> according to PricewaterhouseCoopers (PWC) Japan IT manager Mark Uemura.
No, this is taken out of context. What I said was that we had very big
and important changes that we needed to make in order to restore network
and application stability. My reference to just going ahead and doing it
referred to making the necessary changes behind the scenes. It wasn't
about company politics and it wasn't about migrating services from Windows
to OpenBSD. My experience was that we did ourselves a disfavour by trying
to inform and explain to users and management the technical reasons for
the changes that needed to be made. In fact, all of the pushback had
nothing to do with OpenBSD. We needed to migrate from an old Domain
Controller with a corrupt Active Directory to a new one. We also
introduced the concept of working on Application Servers in Terminal
Services to take advantage of server power for resource intensive
applications that ran very slowly on users' PCs. So, the push back was
related to things like "you'll have to login to this new Domain rather
than the old one from tomorrow onwards." or getting users to change the
way they work and use applications running on Terminal Servers for speed.
In the end, when all was said and done, users and management realized the
difference that we had made; no more downtime or data loss. Furthermore,
they've never had everything running so smoothly and as efficiently for
as long as they could remember. Their IT problems went away as a result
of our efforts and the decisions that we made.
In fact, all of the migrations to OpenBSD were behind the scenes
where the users were oblivious to the changes. Well, almost oblivious.
Often times we would get "Hey, the Internet is really fast today, cool!"
or "Man, can you guys like spill some coffee in the server room or
something? We're not used to this much uptime. It means we can't go
home early anymore!"
In those cases where users did have to interact with OpenBSD, it was
always well received and positive such as moving off of a very slow VPN
for remote access on to a quicker and more user friendly alternative
such as port forwarding applications through OpenSSH.
> Faced with an unreliable network, Uemura went ahead and migrated systems
> from Windows to OpenBSD on the premise that management would trust his
> judgement.
Once again, migrating services to OpenBSD was not an issue, so long as
we did not compromise security in doing so. Generally, we did so to
improve security and that's what OpenBSD is famous for and yet there's
so much more.
> "PricewaterhouseCoopers is a Windows shop but we were forced to use open
> source," he said. "I inherited a real nightmare with servers going up
> and down. There were e-mail outages and on top of that there was a bad
> relationship between our users and IT."
Well it's either replace Windows with Windows for Internet facing servers
or find a more secure alternative that didn't have to be patched and
rebooted so often. Bringing back network and application stability
was important to the business as much as increasing security wherever it
was possible to do so. I feel that stability is a result of good security.
We concentrated on network perimeter security. Hence anything that was
public facing was considered so long as it satisfied four main criteria:
1) If security was a concern, then we used a more secure alternative to
Windows.
2) If cost was a factor either for software licenses, service/support
contracts or hardware, then we considered the Open Source alternatives.
3) If stability and uptime were important, then this was taken into account.
4) If all three points above qualified, then the last question to be
answered before replacing any Windows based application or service
was the following. Will there be any interoperability issues? That
is, will there be any downside to replacing Windows and implementing
a more secure, stable, cheaper Open Source alternative? If the
answer to the last question was "NO", then we used Open Source when
appropriate.
Once again, we were really concerned with any Internet facing servers.
> "My predecessor spent too much [so] I was told not to spend any money."
We could have begged for new hardware but it wasn't necessary. I knew
that we needed to make big changes that required applications to be
migrated from hardware to hardware. It is true that management told us
not to spend any more money than was absolutely needed. This is just
good business sense and a good rule of thumb to follow for any company
big or small. If we were given the opportunity to spend on hardware,
we would have had twice the server power that was really needed for our
office in the end.
> When asked what argument he used to convince management to use an open
> source solution, Uemura said: "They didn't have an argument because they
> said don't spend any money." "They trusted me," he said. "The whole
> office was relying on one domain controller which was dying."
Again, we are not talking about the migration from Windows to OpenBSD.
The journalist is really good at combining different parts of my talk
and the answers to questions following it in order to make his story that
much more sensational. This news story is a great example proving that
you shouldn't believe everything that you read. At face value, it's
very misleading.
> Uemura said a lot of work was done "behind the scenes".
My team did a lot of work behind the scenes for which I am grateful.
I didn't do it alone.
> "My experience is that if something has to be done, just do it - don't
> ask! They will thank you later," he said.
If you give users a choice, change or no change, they'll tend to favour
the status quo.
> commercial lock-in.
There are many companies that have clued into this however many large
financial institutions still have big support contracts with Open Source
Vendors likened to a kid's security blanket where they just don't want to
let go. I'm not against it, I just don't think it adds much value.
Rather than hire smart and experienced Admins, they now feel that they
can skimp on the higher salary candidate for someone not so qualified
because they have a million dollar support contract in hand. My
experience has been that hiring inexperienced IT Admins will cost
you more in third party vendor support as just about anything that
is remotely difficult gets outsourced.
Regardless, even with contracts, the savings are still substantial after
the decision is made to integrate Open Source.
> "We had a lot of downtime and data loss before we migrated over. After
> five months that was eliminated," he said. "There is a lot about open
> source that people don't know. Many corporations tend to lump open
> source into one basket, which is a shame."
Sadly, this is my biggest gripe when discussing the merits of OpenBSD.
It's almost as if having the two words "Open Source" associated with
OpenBSD just seems to have a negative effect. I've come to realize that
this is mainly due to a misunderstanding or misconception about OpenBSD
and Open Source.
> After the five-month migration, PWC's servers are now equally split
> between Windows and OpenBSD.
Yes
> "Microsoft just happens to be one of our clients and Checkpoint is our
> standard firewall," Uemura said. "Checkpoint on Windows was unmanageable
> but after a few months of using OpenBSD we were told to put Checkpoint
> back."
Another glaring example of professional journalism at its best :(
After one month, I was informed that OpenBSD was not the firm standard
Firewall. No problem. I just rebuilt the Checkpoint Firewall and
put that back into production...
> Then PWC was hit with a virus affecting network traffic and the
> Checkpoint firewall was running at 100 percent CPU capacity which was
> effectively a denial of service.
This was the only case in all of the Windows to OpenBSD migrations that
I had to struggle with. As much as this Checkpoint was a new
installation, it didn't sit well with me...
> "So we had to put an OpenBSD firewall in front of Checkpoint," he said.
This then satisfied our firm policy and also let me sleep at night
knowing OpenBSD was the "Titan" out in front taking the worst of it
without breaking a sweat.
> "We saved seven salaries worth over one year. It was so dramatic they
> gave me a big raise and I was promoted from system administrator to IT
> manager. And because of the savings we get more productivity out of old
> hardware."
The savings are all relative but whether you're a small business where
every penny counts or a large multi-national with huge IT budgets, the
savings are substantial in either case. Any company that doesn't have
some sort of Open Source adoption strategy is just throwing money away.
> Despite this Uemura is adamant the move wasn't made because he wanted
> to. "As much as I love OpenBSD, we had no choice," he said.
Just because it can be done, doesn't mean it should be done. We could
have done a lot more in terms of our migration of services to OpenBSD.
It's not about pushing the envelope, but getting a balance that makes
sense while ensuring the utmost in security and interoperability
when doing so.
It took about five months with very long days and sacrificing most of
our weekends in order to get it all done. However, it was worth it in
the end. Not only did we save the firm money, we increased security,
stability and restored user confidence in our IT systems and IT team.
Our great sense of accomplishment was knowing that we did it, all the
while maintaining business as usual.
By Anonymous Coward (24.26.114.212) on
I saw a nice little draft paper at one stage outlining that we go through and remove ALL open source software anywhere in the company. Not sure how we're going to connect to any of our unix boxes without our consoles, and I am sure we will be fine without firewalls and other such appliances.. but by damn we'll be free of that cancerous open source! Least that's the impression given.
The short sightedness and extreme political nature of some of the technical decisions made astounds me at times, sometimes it's as if we'd rather doom ourselves to an expensive unworkable solution that is completely unlike anything anyone else is running than learn from our peers and run something contemporary that fits the problem, even if it is open source.
My hat is off to you for getting something like that accomplished in this medieval firm we work in.