Corporate BSD

Copyright © 1999 Donald S. Wilde

System Architecture

This month, I'm going to take a look at corporate systems architecture and how it will evolve as a company grows.

Once a company grows beyond the stage where PCs are connected directly to ISPs with modems, the first thing necessary is a firewall (See "System 1"). I can't stress this enough. The Internet is a sewer as well as a treasure trove, and there are lots of automated sniffers out there just looking for your IP address to savage. BSD, of course, makes a perfect firewall. My experience has been with FreeBSD and the Trusted Information Systems (now owned by Network Associates) Firewall Toolkit (fwtk), available upon approval from http://www.fwtk.org. My systems have never been cracked, although I am told that OpenBSD is even more secure. A firewall, which FreeBSD also provides within the base system itself, is essential to preventing bad guys from trashing your systems or stealing your data. Once you have a BSD gateway system, you can also use it to combine your ISP access into one modem, using demand-dialed ppp connectivity. Since BSD is much more effective at networking, you can have multiple users sharing the same ppp channel without appreciable performance loss until you get above four users or so. Even then, most of the time no one will notice any slowdown, as page accesses are rarely simultaneous. Even a small company benefits from this, as it reduces their exposure. ISDN and other charged-by-the-minute connectivity users will benefit even more, as their connection is only up when needed.

The next level of corporate growth is where the company buys a full-time connection, such as a fractional T1 or dedicated modem line. This removes the time lag of dialing the modem from the picture, and it also allows the company to have a static IP address on their gateway system. This is a crucial improvement, expensive as it is (See "System 2").
Now you can run a web server and corporate mail server on your gateway, and your customers can access your website on your own system. Although ISP-hosted websites are certainly cheap, there's a world of difference between what you can do with a 10-Meg website with limited CGI and what you can do with a full server with several gigabytes of disk space and full access to the BSD system calls. Although it is possible for a web server to be a vulnerability, the holes are well known and well documented, and it's easy for a knowledgeable programmer to avoid creating them. Likewise the Sendmail server. There are certain precautions to be taken, but they are straightforward.
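To make the "firewall first" advice and the "System 2" layout above concrete, here is a constructed ipfw ruleset for a gateway with a static outside address that runs Sendmail and a web server itself and proxies everything else for the inside LAN. This is an added example, not the column's or the fwtk project's code. The interface names (ed0, ed1), the private LAN 192.168.1.0/24 and the gateway address 192.0.2.10 are placeholders; the shape of the ruleset (drop spoofed and loopback traffic first, admit only replies and the two published services, deny and log everything else) is the point.

```shell
#!/bin/sh
# Constructed ipfw ruleset for a "System 2" gateway: static outside address,
# SMTP and HTTP served from the gateway, default deny for everything else.
# All names and addresses below are placeholders for this example.
ext_if=${EXT_IF:-ed0}                      # assumed outside interface
int_if=${INT_IF:-ed1}                      # assumed inside interface
inside_net=${INSIDE_NET:-192.168.1.0/24}   # assumed private LAN
gw_ip=${GW_IP:-192.0.2.10}                 # assumed static gateway address

# load_rules CMD -- feed every rule to CMD: /sbin/ipfw to install them, echo to preview them
load_rules() {
    fw=$1
    $fw -f flush
    # Loopback works, and nothing on the wire may claim a loopback address.
    $fw add 100 allow ip from any to any via lo0
    $fw add 200 deny ip from any to 127.0.0.0/8
    $fw add 300 deny ip from 127.0.0.0/8 to any
    # Anti-spoofing: a packet arriving from the Internet may not carry an inside
    # source, and private ranges have no business on the outside wire at all.
    $fw add 400 deny log ip from "$inside_net" to any in via "$ext_if"
    $fw add 410 deny log ip from 10.0.0.0/8 to any via "$ext_if"
    $fw add 420 deny log ip from 172.16.0.0/12 to any via "$ext_if"
    $fw add 430 deny log ip from 192.168.0.0/16 to any via "$ext_if"
    # The inside wire is trusted at the packet filter level; fwtk proxies on the
    # gateway decide what actually crosses to the outside.
    $fw add 500 allow ip from any to any via "$int_if"
    # Replies to connections the gateway itself opened (proxies, outbound mail).
    $fw add 1000 allow tcp from any to any established
    # The two services this gateway publishes: new connections to SMTP and HTTP only.
    $fw add 1100 allow tcp from any to "$gw_ip" 25 setup
    $fw add 1200 allow tcp from any to "$gw_ip" 80 setup
    # The gateway may open outbound connections and resolve names.
    $fw add 1300 allow tcp from "$gw_ip" to any setup out via "$ext_if"
    $fw add 1400 allow udp from "$gw_ip" to any 53
    $fw add 1410 allow udp from any 53 to "$gw_ip"
    # Enough ICMP for path MTU and traceroute answers, nothing more.
    $fw add 1500 allow icmp from any to any icmptypes 0,3,11
    # Everything not explicitly permitted is dropped and logged.
    $fw add 65000 deny log ip from any to any
}

case ${1:-} in
    preview) load_rules echo ;;         # print the rules without touching the kernel
    apply)   load_rules /sbin/ipfw ;;   # install them (run as root on the gateway)
esac
```

Run it with `preview` first and read the output; the logged deny rules (400 through 430 and 65000) are what you watch in /var/log/security to see who is knocking. Adding a service later means adding one `setup` rule, never loosening the final deny.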

For performance reasons, you want to install a separate file server. BSD is the superior option, of course, even with SAMBA installed to make it act like a Windows peer-to-peer system for ease of use by PC clients. MIPS for MIPS, a SAMBA server (http://www.samba.org) on top of FreeBSD is superior in every way to an NT server. User administration time alone is enough to justify the BSD system. BSD quota management and scripting tools save hours of work on every global administrative change, and BSD printer spooling software is far more flexible and robust than that provided with Microsoft NT. Any way you set it up, use TCP/IP as the underlying transport protocol. Do not use Microsoft's NetBEUI or IPX, even when adding Novell servers to the mix. TCP/IP is routable, which NetBEUI is not, and IPX isn't even in Novell's good graces any more, and they invented it.

Although I have had excellent results from systems set up as described above, using a single server as an Internet gateway, ftp and web server is eventually going to become a bottleneck. Although it's easiest to leave the Sendmail server on the gateway, an early expansion should be to place the Web and ftp servers outside the firewall. (See "System 3").
This will increase their efficiency dramatically, although one must always bear in mind that most of the system bottleneck is going to be the input pipe; a T1 is nowhere near as fast as 10Base-T. Still, separating the systems is important for both speed and security reasons. The firewall can be made more secure, and the web/ftp server more speedy. This also makes the web server "sacrificial", in the sense that if a cracker vermin does get into your system (not very likely, but still remotely possible), you can simply reload it from its last backup. Don Libes' 'expect' programming language, an extension of Tcl, is an excellent tool for scripting the transfer of data files from the web server to the inside file server. You install expect on the gateway machine and use it to ftp first to the web server and then to the file server. The only tricky part is that you need to check the file timestamps to make sure the files are completely written before you ftp them inside the firewall. Alternatively, you can use form mailers, although this isn't appropriate for 20MB CAD files and the like.
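The "completely written" check is the part of that relay worth getting right, so here is an added example of it, not the author's expect script: a POSIX shell pass over a staging directory that forwards a file only when two fingerprints (CRC and byte count from cksum) taken a few seconds apart agree. The directories, the settle time and the use of a local `mv` in place of the second ftp hop are assumptions for this example; a file still being uploaded changes size between the two checks and is left for the next pass.

```shell
#!/bin/sh
# Constructed example: forward only files that have stopped changing.
# Files pulled from the web server land in INCOMING; once a file is quiet for
# SETTLE seconds it is moved to INSIDE (a local directory standing in for the
# ftp push to the file server). Nothing here is from the original column.

# fingerprint FILE -> "crc bytecount" (POSIX cksum; reading stdin omits the name)
fingerprint() {
    cksum < "$1"
}

# settled FILE SECONDS -> exit 0 if the file did not change across the wait,
# 1 if it did, 2 if it could not be read
settled() {
    first=$(fingerprint "$1") || return 2
    sleep "$2"
    second=$(fingerprint "$1") || return 2
    [ "$first" = "$second" ]
}

# forward_settled INCOMING INSIDE SECONDS -> move every settled regular file,
# leave the rest for the next run, print the number moved
forward_settled() {
    incoming=$1 inside=$2 settle=$3 moved=0
    for f in "$incoming"/*; do
        [ -f "$f" ] || continue            # skips the literal glob on an empty directory
        if settled "$f" "$settle"; then
            mv -- "$f" "$inside"/ && moved=$((moved + 1))
        else
            echo "still changing, left for next pass: $f" >&2
        fi
    done
    echo "$moved"
}

# Typical cron use (assumed paths): forward_settled /var/spool/incoming /var/spool/inside 30
```

Run it from cron on the gateway after each ftp pull; a 30-second settle is generous for a T1. The inside file server should still treat what arrives as data from an exposed host: no executable bits, a dedicated drop directory, and quotas so a filling disk outside cannot fill one inside.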

BSD systems have performed gateway duties for many years. Although there are now NT-based products which can do firewall duty, they do so by completely eliminating the NT operating system itself from the mix. This is hardly an efficient solution. Likewise, NT mail servers are notoriously slow, even when serving text-based clients rather than MS Outlook, and their Exchange server is known to clog even small 100Base-T networks. Although both Sendmail and Apache are now available on NT platforms, neither performs well even after the inefficiency of NT itself is removed from the equation. Couple this with the performance and flexibility of SAMBA, and it is obvious that there's very little reason for the existence of NT server in even the largest Windows-based organization. Add PostgreSQL or Oracle as a stable replacement for MS SQL Server, and it's a no-brainer. BSD simply works better and takes less effort to maintain.

<RANT>

I've decided that if I spend as much time wailing about The Way Things Are as I want to, you all will get tired of me really quick. So, from now on, I'm going to limit my ranting and raving to this small section at the bottom of a chunk of Good Stuff, like that which I've presented above. Hopefully, after you've read the Good Stuff, you'll read my (very biased, but from painful experience) opinions in this section.

Today's topic is the reasons why it is so hard for freeware to get press and acknowledgement from manufacturers and trade publications. IMHO, the reason is simple: payware people stick together. No software manufacturer will acknowledge freeware operating system software for fear that he will be replaced next. They know that it's absolutely amazing the progress that freeware is making, and they know that once we make Windows obsolete, their turf will be next on the agenda. Knowing our guys and their enthusiasm, they're right to be worried. This is the real reason SGI is going NT: They know they can soak Windows users until the end of time, but freeware Un*x users know Mesa is damn near as good as OpenGL and Blender isn't far behind. The trade pubs know their bread comes from payware advertising. Need I say more?

So who can we convert? Who will listen? Bluntly, who stands to gain if we make payware obsolete? Hardware manufacturers, that's who. Very simply, I can buy twice as many servers with FreeBSD as I can with Windows NT. Now that Dell and Gateway and Micron and the like are big enough that they no longer need Microsoft to bootstrap off of, they can afford to look at doubling their system sales. We all know we need more servers than we're budgeted for, so freeing up the money the beancounters allocated for software means we get our needs fulfilled... and so do our hardware vendors. Write to your vendor of choice and tell him that we want to buy their systems, and we will buy twice as much... on the one condition that they sell it to us without feeding Bill Gates a dime.

</RANT>

Donald Wilde dwilde1@thuntek.net