Im hard at rethinking how we build our corporate networks today.For some reason we can put endless ours into automating some tasks and in the process put much more man hours into it than it would take to manage things manually. This automation also brings some bad side-effects like the self serving struggle to make machines conform to corporate standards. Im not at all convinced the time i for eg. put into researching, impementing and deploying some policy settings save even an hours work over several years and a couple of hundred machines. Some time those policies even adds significantly to my support burdon. Mind you this is Windows boxes and thats why i have taken a step back and started thinking. One other very bad side effect is that this also makes it next to impossible to introduce anything other than the corporate approved desktop OS.

Our network is built upon the assumption that a workstation thats managed by us on our internal network is more or less secure.  I wonder if thats really a secure way of handling things. Most users that can do anything bad with the information they can potentially steal are employees, not some random hacker trying to get my Wow account

 The most common way is to treat anything inside the LAN as more or less trusted and anything from outside the firewall as untrusted. Im starting to believe that its time to move the trust even longer into the LAN and treat the internal network as untrusted. 

Im currently pondering building a network where its up to the user what they do with their own machine as long as it has antivirus on it and is updated regularly. No managing of the computers whatsoever, no boundaries and no stupid it-policies thats there just for the sake of the it-crowd. By doing that and put every possible service on webservers and refuse to buy server software with clients this would become a totally free network that can be pretty much platform agnostic. The biggest hurdle, the machine management is in itself the biggest stumbling block for the users today. By making the internal LAN completely untrusted and demanding two factor auth regardless of location what computer people use and wheather its trusted or not becomes moot. Everything has to be secured just as if it was publicised on the internet.

 eBox is one way of acheiving this which im currently investigating. Coupled with Google apps and two factor auth its pretty much ready.

 I really call this going one step back and two large step forward.

Linux Servers for the masses?

 I work with both Linux, Windows and Netware servers. The difference from my view is that the amount of work on setting up a server is more or less the same regardless of OS. The only difference is how fast the service is configured initially.

 On some systems you can have a wizard  make your server 10% ready in a heartbeat and then put countless ours into tweaking it into what you really want. On Linux you often spend much time doing the initial setup and then maybe 10% for the rest. For the casual deployer Linux seems much harder when its in reality far easier to manage and deploy.

 Its fully possible to make a distribution that makes assumptions, ask the user for the missing pieces of information and slaps up an LDAP, Mail, Webmail, FileServer and other services without to much work from the user. The  missing link is often to tie the bits and pieces together to make a good default system easily. The services are mostly installed without any integration at all by default.

 The thing is not to make the best configuration possible initially but to give users a working system fast and without much work just as they are used to if they come from the Windows world. They are used to put many ours into the system after the installation is done but not to read up on things and know what they do before even beginning.

Various virtual systems that companies like zenoss use to showcase their systems are a good bit on the way but really not an ideal solution.

There are going to be some big changes at my company.  And they will hardly be noticed.  While the users will keep using their Windows XP/Office 2007 desktops, the backoffice will undergo a major overhaul.  The Microsoft Small Business Server  that, honestly, has served us well will be going away as we move to full featured systems without limitations.

I hired a consultant to design a system with high availability for mission critical functions and a 72 hour disaster recovery window.  I stressed I wanted to use open source wherever practical.  They have done the environment discovery and will be presenting their recommendations in a couple of weeks.   We have talked about using a Windows Server as a DC to provide Active Directory authentication, Windows Software Update Services, DNS, DHCP, WINS, etc.,  We will also keep our Sharepoint Services 3.o intranet.  Everything else will be running on CentOS5 servers.  Email will be Kerio Mail Server, file sharing/storage will be Samba.  Website will be Joomla.  While the Kerio Mail Server is not open source itself, it does rely heavily on open source products such as Apache, MySQL, ClamAV, SpamAssassin, et al.   I'll be extremely happy to see Exchange Server go and the end users will not see much difference at all with their Outook connected to KMS.

In the meantime, I'm learning CentOS.  Most of my Linux work has been on Ubuntu both server and desktop.  I set up a test server with Kerio Mail Server on CentOS 5.3 and I'm very impressed with the CentOS system.  I'll probably replace the Ubuntu desktop on my notebook with CentOS to help me get used to the differences in file structure and package management.

The eventual goal will be to replace the Windows DC with Samba when Samba will handle Active Directory and WSUS.  I don't know how we'll ever get off Sharepoint, though.

Exciting times.