Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

The Setup Behind Microsoft.com

kdawson posted more than 6 years ago | from the matter-of-scale dept.

Microsoft 412

Toreo asesino writes "Jeff Alexander gives an insight into how Microsoft runs its main sites. Interesting details include having no firewall, having to manage 650 GB of IIS logs every day, and the use of their yet unreleased Windows Server 2008 in a production environment.

Sorry! There are no comments related to the filter you selected.

Mostly how they run it (5, Funny)

Anonymous Coward | more than 6 years ago | (#21684425)

is have some crazy sys admins throw chairs around.

first penis (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21684427)

suck it bitches

Re:first penis (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21684695)

just like your penis, second place is the first loser.

Beta in production environment. (2, Funny)

LordSkippy (140884) | more than 6 years ago | (#21684441)

"Windows Server 2008 in a production environment."

So even MS has given up on Vista.

Re:Beta in production environment. (5, Informative)

EvanED (569694) | more than 6 years ago | (#21684463)

Vista was never meant as a server. Same as XP isn't used as a server, it's Server 2003.

Re:Beta in production environment. (1)

LordSkippy (140884) | more than 6 years ago | (#21684559)

Funny, that's what I thought was the entire reason for having Home and Professional versions.

Re:Beta in production environment. (5, Informative)

schnikies79 (788746) | more than 6 years ago | (#21684593)

Funny, but you're wrong. Pro is for networking enviorments where you need RDP, policies, ability to join a domain, file encryption, etc. Home lacks these.

Re:Beta in production environment. (3, Informative)

EvanED (569694) | more than 6 years ago | (#21684641)

No, the pro version is more intended toward business users. Not servers, but the sort of thing workers have on their desktop. That's why it has tunings for corporate networks and ACLs and quotas and such.

You can debate the drawbacks and benefits of having so many versions, but XP was never intended to be a substantial server.

Re:Beta in production environment. (1, Informative)

Anonymous Coward | more than 6 years ago | (#21684683)

No, professional versions offer business-required desktop features that are stripped out of the home version. If it mirrors XP, this would include things like the ability to manage security for accounts on a per-file level.

But it's not intended for servers, either on Vista or XP, as the GP said.

Re:Beta in production environment. (5, Funny)

JCSoRocks (1142053) | more than 6 years ago | (#21684619)

Tis a sad day when the fanbois can't even get their insults right. shameful.

Re:Beta in production environment. (5, Funny)

vtscott (1089271) | more than 6 years ago | (#21684865)

And of course it's already been modded up (at least only as funny). To clarify why the GP is wrong, from the wikipedia entry [wikipedia.org] on Windows server 2008:

Windows Server 2008 introduces most of the new features from Windows Vista to Windows Server. This is a similar relationship to that between Windows Server 2003 and Windows XP.

Gotta give credit to MS for eating their own dog food...

Allow incoming connection on port 80? Confirm/deny

Re:Beta in production environment. (0)

Anonymous Coward | more than 6 years ago | (#21685173)

Mod parent up. That was the funniest comment I've read in a while :)

Re:Beta in production environment. (0)

Anonymous Coward | more than 6 years ago | (#21684737)

where's that "-1 clueless idiot" mod?

Re:Beta in production environment. (0)

Anonymous Coward | more than 6 years ago | (#21685073)

Maybe it's next to the "-1 Can't take a joke" mod?

Re:Beta in production environment. (3, Insightful)

ByOhTek (1181381) | more than 6 years ago | (#21684761)

Windows Server 2008 is (or rather, will be) effectively "Windows Vista Server Edition", just as Windows Server 2003 is effectively "Windows XP Server Edition".

Re:Beta in production environment. (-1, Troll)

b3m87 (1176511) | more than 6 years ago | (#21685257)

are you retarded? Did you seriously believe what you just posted?

Firewall Schmirewall (5, Funny)

mrtroy (640746) | more than 6 years ago | (#21684447)

No firewall? Of course not!

Microsoft servers are notorious for their invulnerability.

Re:Firewall Schmirewall (5, Informative)

great_snoopy (736076) | more than 6 years ago | (#21684511)

Of course they have a firewall, just watch the difference between a tcptraceroute to a public port (like 80) and tcptraceroute to the same ip but some other port (like 110 pop3 for example). You'll see that packets get dropped at some point indicating a firewall. It's not a RST (port closed) it's just dropping packets for nonpublic services. That is a packet filtering firewall.

Re:Firewall Schmirewall (-1)

tha_mink (518151) | more than 6 years ago | (#21684971)

Of course they have a firewall, just watch the difference between a tcptraceroute to a public port (like 80) and tcptraceroute to the same ip but some other port (like 110 pop3 for example). You'll see that packets get dropped at some point indicating a firewall. It's not a RST (port closed) it's just dropping packets for nonpublic services. That is a packet filtering firewall.
Actually you're wrong. They're blocking ports. Port blocking != firewall.

Re:Firewall Schmirewall (2, Funny)

Anonymous Coward | more than 6 years ago | (#21685297)

"They're blocking ports. Port blocking != firewall."

So when I write my firewall rules and have the choice to block, drop or pass, the firewall is kicks into a a non-firewall mode for block?

Re:Firewall Schmirewall (0)

Anonymous Coward | more than 6 years ago | (#21685299)

It's so wrong you can't possibly be serious, but it's so unimportant you can't possibly be a troll. But you would know that I'd know that it's too unimportant to be a troll, so you would make it seem stupid. I feel like I need Wallace Shawn in here to explain the situation.

But generally.. (5, Insightful)

Junta (36770) | more than 6 years ago | (#21685323)

Router ACLs are in place to block unnecessary ports
Cisco Guards for DoS detection and automated response
In other words, they don't use firewalling where you have administrator defined rules to control traffic flow, they use networking equipment that accept administrator defined rules to control traffic flow .... totally different..

What in the world do *you* perceive the difference being between a 'firewall' and a router blocking ports based on source and destination being compared with a set of rules (aka ACLs)? Generally, firewall rules *can* get more complex than that, but mere port blocking by an intermediate router has been considered a firewall, even if it doesn't log violating or accepted packets, even if it doesn't have complex rules about connection state. Even if it doesn't have the word 'firewall' emblazened on the chassis somewhere.

Re:Firewall Schmirewall (4, Informative)

oliderid (710055) | more than 6 years ago | (#21684545)

from the article:
"...At this point we still don't use firewalls for MS.COM..."

and then

"Router ACLs are in place to block unnecessary ports"

blocking unnecessary ports is a firewall feature (IMHO ?)

Anyway it looks quite impressive. I still don't understand how to handle 650 GB of logs :-).

Re:Firewall Schmirewall (4, Funny)

MstrFool (127346) | more than 6 years ago | (#21684679)

Well, remember the story a while back about MS using Linux for some things? I think we just found where they use it. Storing their logs in /dev/nul is the most likely way they deal with 650 GB of logs.

Re:Firewall Schmirewall (1, Informative)

truthsearch (249536) | more than 6 years ago | (#21684879)

MS was (and maybe still is) outsourcing web page caching to Akamai, which is using Linux servers.

Re:Firewall Schmirewall (5, Funny)

rasputin465 (1032646) | more than 6 years ago | (#21685101)

Storing their logs in /dev/nul is the most likely way they deal with 650 GB of logs.

Well geez.. in that case I sure hope they do regular backups of /dev/null! ;-)

Re:Firewall Schmirewall (3, Informative)

allenw (33234) | more than 6 years ago | (#21684735)

Large scale log processing isn't hard if you have the right tools [apache.org] . :)

Re:Firewall Schmirewall (1)

dave420 (699308) | more than 6 years ago | (#21684763)

Having wheels is a feature of a car - that doesn't make my bike a car :)

Re:Firewall Schmirewall (1)

Xformer (595973) | more than 6 years ago | (#21685059)

They're both forms of transportation, though. In that case, are you trying to argue for or against the parent?

http://www.tech-faq.com/firewall.shtml [tech-faq.com]

Re:Firewall Schmirewall (1)

MightyYar (622222) | more than 6 years ago | (#21684795)

I still don't understand how to handle 650 GB of logs
That the government wants them to store :)

Re:Firewall Schmirewall (3, Interesting)

Anonymous Coward | more than 6 years ago | (#21684905)

Anyway it looks quite impressive. I still don't understand how to handle 650 GB of logs :-).

My question is why are the logs in ASCII text format? When all you want is say the IP [4 bytes], time of day [4 bytes], URI, referrer and return code [do you really care about their browser strings? You are MS after all, just assume it's IE].

Storing an IP as text requires on average 15 bytes, so right there you can shave off 11 bytes with a binary IP. Time of day is worse, a date+time string is like 25 chars. Doesn't seem like much, but multiply the 32 bytes per entry you save by say 50 million hits and that's 1.5Gbyte you saved. That's not counting the white space you can remove, and a simple huffman code you could apply to the URL/referrer.

Heck, just piping the binary IP/date and ASCII URL/referrer through gzip [or use libz's gzPrintf() etc...] could make a large difference as well.

Point is, bragging about 650GB/day logs is not really impressive when you're "doing it wrong" (tm). That's like bragging about how much you cut your face while shaving.

Re:Firewall Schmirewall (1)

theGreater (596196) | more than 6 years ago | (#21685137)

I wonder if Morgan Stanley [ms.com] knows they are outsourcing their webfarm to Microsoft's I.T. department....

-theGreater.

Re:Firewall Schmirewall (3, Insightful)

morgan_greywolf (835522) | more than 6 years ago | (#21685235)

Using router ACLs to block ports is pretty much the same thing as using iptables on Linux to filter ports. So, IOW, yes, blocking unnecessary ports on a router means that the router is a firewall. Something is filtering packets and even if it's called a router and not a firewall, that's the function it is serving.

If it walks like a duck and quacks like a duck...

Bill Gates Behind a Curtain (1)

darth_MALL (657218) | more than 6 years ago | (#21684459)

*flipping switches* *turning dials frantically*
There's Nothing to see here! Erm....Ahhh...
*closes curtain*

Supporting (0, Troll)

kripkenstein (913150) | more than 6 years ago | (#21684477)

The highly objective and insightful article mentions, for example,

Windows and IIS...rock solid and secure!
Way to go with supporting the troops there.

Re:Supporting (5, Insightful)

plague3106 (71849) | more than 6 years ago | (#21684563)

How many times have you seen the microsoft.com website down / hacked?

Re:Supporting (4, Insightful)

outZider (165286) | more than 6 years ago | (#21684693)

Reliability in numbers. If you have 30 machines running your website, no one will notice if one goes down.

Re:Supporting (1)

kripkenstein (913150) | more than 6 years ago | (#21684825)

How many times have you seen the microsoft.com website down / hacked?
My point was that TFA reads like it was written by a fanboy.

Re:Supporting (2, Funny)

MightyYar (622222) | more than 6 years ago | (#21684973)

My point was that TFA reads like it was written by a fanboy.
You mean that the guy who describes himself as "IT Pro Evangelist, Microsoft Australia" is a MS fanboy? Oh the horror! :)

I think that we can forgive him - it seems to be his job description.

Re:Supporting (1)

sid0 (1062444) | more than 6 years ago | (#21685051)

So you're saying IIS isn't secure? Please check your facts [secunia.com] .

Re:Supporting (1)

MightyYar (622222) | more than 6 years ago | (#21684903)

True that... and I guess it also is a testament to Akamai (and by extension Linux), since that is who MS uses to serve their site:

% nslookup www.microsoft.com
Server: 192.168.1.1
Address: 192.168.1.1#53
 
Non-authoritative answer:
www.microsoft.com canonical name = toggle.www.ms.akadns.net.
toggle.www.ms.akadns.net canonical name = g.www.ms.akadns.net.
g.www.ms.akadns.net canonical name = lb1.www.ms.akadns.net.
Name: lb1.www.ms.akadns.net
Address: 207.46.192.254
Name: lb1.www.ms.akadns.net
Address: 207.46.19.190
Name: lb1.www.ms.akadns.net
Address: 207.46.193.254
Name: lb1.www.ms.akadns.net
Address: 207.46.19.254

Re:Supporting (4, Informative)

MightyYar (622222) | more than 6 years ago | (#21685325)

Whoopsie, looks like Akamai uses IIS now - I'm behind the times, I guess:

% nmap -A -T4 -F -P0 www.microsoft.com
 
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2007-12-13 11:48 EST
Interesting ports on wwwbaytest2.microsoft.com (207.46.19.254):
(The 1218 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS webserver 7.0
179/tcp closed bgp
443/tcp open ssl/http Microsoft IIS webserver 7.0
 
Nmap finished: 1 IP address (1 host up) scanned in 167.891 seconds

Re:Supporting (2, Funny)

stvmty (983149) | more than 6 years ago | (#21684729)

I wonder what restrained him from using the <blink> tag.

Re:Supporting (3, Funny)

Digital Vomit (891734) | more than 6 years ago | (#21685085)

The highly objective and insightful article mentions, for example,

"Windows and IIS...rock solid and secure!"

Talc [wikipedia.org] is technically a rock...

Microsoft brainwashing (2, Insightful)

morgan_greywolf (835522) | more than 6 years ago | (#21684481)

Windows and IIS...rock solid and secure! www.microsoft.com is on Windows Server 2008/IIS7, MSDN/TechNet are migrating to Win2k8/IIS7, and update.microsoft.com is on Windows Server 2003/IIS6. We do all the normal shut-off-unused-services practices that line up with MS published security guidance and we utilize GFS images to ensure standardized builds of systems.
This guy is brainwashed. There should be no unused services turned on by default! Admins shouldn't have to shutoff unused services -- they shouldn't be enabled unless necessary. Also, rock solid and secure? Uh, didn't I read an article not too long ago about how the update.microsoft.com site was broken into?

Re:Microsoft brainwashing (4, Informative)

plague3106 (71849) | more than 6 years ago | (#21684609)

You realize that Win2k3 does turn off most services by default, and Win2k8 takes this even further by not installing them at all.

Uh, didn't I read an article not too long ago about how the update.microsoft.com site was broken into?

Link, please?

Re:Microsoft brainwashing (1)

morgan_greywolf (835522) | more than 6 years ago | (#21685045)

You realize that Win2k3 does turn off most services by default, and Win2k8 takes this even further by not installing them at all.
Really? Then why did he say that they had to turn them off?

Re:Microsoft brainwashing (0)

Anonymous Coward | more than 6 years ago | (#21685095)

Someone needs to learn the definition of "most".

Re:Microsoft brainwashing (1)

ShatteredArm (1123533) | more than 6 years ago | (#21685269)

I read it as "We had to turn them off when we installed everything" rather than "We turn them off each time we reboot the server." But maybe I read it incorrectly...

Re:Microsoft brainwashing (1)

Bert64 (520050) | more than 6 years ago | (#21684639)

And there are some services you cannot easily turn off without breaking things...
They use router ACLs to drop connections to unused ports, router ACLs cause significant performance hits unless your running really high end kit with hardware firewall service modules. Really, if a port is unused it should be closed, and thus rejected by the target machine.

Also if they're using router ACLs to filter ports, that *is* a firewall, albeit a fairly crude one.

Re:Microsoft brainwashing (1)

oliderid (710055) | more than 6 years ago | (#21684725)

"This guy is brainwashed."

He looks like a man enjoying his job to me.

"update.microsoft.com"

Devil's advocate would say:
If Windows Servers are so insecure
And microsoft.com is one of the busiest web sites in the world

Then one major security breach in (+)ten years would mean that there is a pretty good IT team behind. (Which was a Ddos attack if I remind well...It used to be lethal for any architecture at that time)

Re:Microsoft brainwashing (1)

truthsearch (249536) | more than 6 years ago | (#21685175)

Most of microsoft.com uses distributed Akamai linux servers for protection against DDOS attacks.

Re:Microsoft brainwashing (1)

tha_mink (518151) | more than 6 years ago | (#21685037)

Uh, didn't I read an article not too long ago about how the update.microsoft.com site was broken into
Uh...no. The article was about a domain name close to update.microsoft.com being hijacked and used to distribute trojans. I'm actually surprised, considering what a huge trophy it'd be to at least deface their site, that it doesn't ever really happen.

Re:Microsoft brainwashing (1)

dedazo (737510) | more than 6 years ago | (#21685267)

There should be no unused services turned on by default!

Right, that's what's he's saying... right?

Also, rock solid and secure? Uh, didn't I read an article not too long ago about how the update.microsoft.com site was broken into?

I don't doubt that. Of course shit [debian.org] happens [lwn.net] elsewhere as well.

Hi, and welcome to Bizaro World... (1)

Jargon Scott (258797) | more than 6 years ago | (#21684483)

Interesting details include having no firewall, having to manage 650 GB of IIS logs every day, and the use of their yet unreleased Windows Server 2008 in a production environment.
Please try a complimentary goatee.

wtf! (1)

mseidl (828824) | more than 6 years ago | (#21684491)

They run AV when they can? No firewalls? It's like a 1960s flashback!

Re:wtf! (1)

dgr73 (1055610) | more than 6 years ago | (#21684637)

Maybe they've just seen too many hacker movies and want to try out their "You have hacked into microsoft.com!" page.

Re:wtf! (1)

slashbob22 (918040) | more than 6 years ago | (#21684767)

I call honeypot.

They are doing one of 2 things:
1) Trapping all the nasties to figure out what's out there and make their product better
OR
2) Trapping all the nasties to figure out what's out there and sell another solution to protect you
3) ...
4) Profit!
Come to think of it if you select number 2 you can go straight to 4.

I wonder what platform they use... (1)

thriemus (514728) | more than 6 years ago | (#21684503)

...I am guessing they do not use an Apache Cluster :)

Router ACL= Firewall (-1, Redundant)

Farakin (1101889) | more than 6 years ago | (#21684505)

AMIRITE?

Re:Router ACL= Firewall (1, Flamebait)

udippel (562132) | more than 6 years ago | (#21685097)

SUREURCORRECT!

2. Router ACLs are in place to block unnecessary ports

Right-o ! Shows what a brainwashed, single-minded dim he is. Doesn't say "(Microsoft) Firewall v.0.38.2a" on the shrink-wrapped package; and voilà, isn't (a firewall). That's how they keep the masses unwashed and in admiration. (But I digress.)

Actually, the whole thing is a disgrace, but what to expect ... !?

2. We have ~650GB/day of IIS logs [...] Just IIS logs are a challenge without trying to parse another ~650GB of firewall logs.

Why is an IIS log size just as large as a firewall log ? Makes me wonder, if he thinks they were the same ??
650GB of what ? ASCII text or gzip ?

3. 5+ years ago, there wasn't a firewall solution that would scale to our needs and this forced us to focus on network, host, and application security.

I'd never would want their stuff for free even. Because the use of the word 'forced' is absolutely wrong. Program security is the alpha and omega of security; and anyone who wants to have his software taken seriously would look into exactly these. Not into firewalls.

5. Application security is critical since a firewall is likely going to allow traffic on the correct port and protocol through to the web servers so IIS/ASP.NET/Applications must deal with these requests gracefully.

This is so right, see above. But the mentality implies he is unaware of the fact that predictable and graceful behaviour is what we want in the applications in the first place.

6. We do run AV on our servers when we can. At times product adoption means we don't install it, but we do normally run AV.

Makes one wonder what this is supposed to tell us. At times they don't get an AV running on their own boxen ? Can someone point out to me, which logic underpins non-usage of AV for 'product adoption' ? Like, on those boxen containing Vista ?

Eating dogfood is good (5, Insightful)

ReallyEvilCanine (991886) | more than 6 years ago | (#21684519)

How can anyone complain that they're running Server 2008? My company's software quality dropped considerably when we stopped eating our own dogfood two years ago. When techs, engineers and everyone else is stuck with the same problems as the future ell-users, shit gets fixed a lot faster and a lot better.

Re:Eating dogfood is good (2, Insightful)

iroll (717924) | more than 6 years ago | (#21684633)

People are complaining?

((rereading thread))

Care to point that out? I'd say most people would be happy that they are using their own product in a critical environment.

Re:Eating dogfood is good (1)

ReallyEvilCanine (991886) | more than 6 years ago | (#21685023)

Not complaining in TFA, but this is /. -- I just anticipated the howls of the unwashed hordes rightfully bitching about yet another "professional" OS with a markedly unprofessional Teletubbies UI which certainly isn't ready for market yet, all while ignoring MS' internal dogfood consumption. I'll bet if enough Microsofties had eaten Office dogfood you could shut off that fucking control-click "Research" panel easily.

Re:Eating dogfood is good (1)

JCSoRocks (1142053) | more than 6 years ago | (#21684675)

True that. I wasn't surprised at all. I'd be disappointed if they *weren't* using Server 2008.
Also, the summary is a little deceiving - although they don't have a firewall they are using the ACL on the router... so it's not like they've just plugged their web server directly into the interwebs - they do have some protection.

Re:Eating dogfood is good (0)

Anonymous Coward | more than 6 years ago | (#21684899)

yes; but, microsoft internet sites also compete with other internet sites and some of those other internet sites are supplied by microsoft, giving microsoft through its position as supplier in the operating system and services market an (arguably unfair) advantage in its position in the internet sites market.

No firewalls? (1)

LiquidCoooled (634315) | more than 6 years ago | (#21684537)

If they don't have firewalls, then I have a definition of a firewall wrong.

look:

In terms of how we protect the sites, we utilize (starting at the outside edge of the network and working in):

      1.
            Cisco Guards for DoS detection and automated response
      2.
            Router ACLs are in place to block unnecessary ports
...

Re:No firewalls? (1)

Major Blud (789630) | more than 6 years ago | (#21684591)

I think what the MS guy was getting at is that there are no firewalls on the indiviual servers. A Cisco ACL isn't technically a "firewall", since it isn't based off of NAT, but accomplishes the same thing.

Re:No firewalls? (1)

cavtroop (859432) | more than 6 years ago | (#21684937)

No, I think he was getting at the fact that they don't have any firewalls that do any sort of packet inspection, etc. Just ACLs blocking ports, which is *technically* a firewall.

Packet inspection is the key to his comments here, I think.

Re:No firewalls? (0)

Anonymous Coward | more than 6 years ago | (#21685013)

Oh dear. You've got a bit more learning to do if you think NAT has anything to do with firewalling.

Re:No firewalls? (1)

0racle (667029) | more than 6 years ago | (#21685071)

NAT != Firewall and vice versa. A firewall does not have to use NAT and a NAT device is not necessarily a firewall.

http://en.wikipedia.org/wiki/Firewall

No a firewall, but... (2, Insightful)

VxSote (709833) | more than 6 years ago | (#21684539)

FTA: "Router ACLs are in place to block unnecessary ports" While that might not provide SPI and other benefits of a true firewall, it's still a hell of a lot different than plugging a box into a wide open connection.

Priceless... (4, Funny)

orclevegam (940336) | more than 6 years ago | (#21684573)

Cisco Router: ~$700
Server to run it on: ~$2000
Beta testing Microsofts new server 2008 in a production environment: Priceless

Re:Priceless... (3, Insightful)

BytePusher (209961) | more than 6 years ago | (#21684785)

It's called Alpha testing in this case. It's good marketing on their part to say, "We're so sure our software is good we use our pre-Beta software in a production environment." Never mind the fact that they have Server 2003 waiting ready to take over when their 2008 server horks itself.

Ever tried to bookmark something on that site? (1)

hey (83763) | more than 6 years ago | (#21684601)

Its like they change the URLs weekly.
I wonder if its on purpose (to avoid bookmarking) or just bad design.

They do use firewall (1, Redundant)

zukinux (1094199) | more than 6 years ago | (#21684615)

"In terms of how we protect the sites, we utilize (starting at the outside edge of the network and working in):
1. Cisco Guards for DoS detection and automated response
2. Router ACLs are in place to block unnecessary ports
..."
That's what a firewall does... and the funniest thing that this guy doesn't know the definition of a firewall.

Re:They do use firewall (1)

oni (41625) | more than 6 years ago | (#21685025)

Maybe he meant that the building itself has no walls to protect it from a fire. Maybe their server room is in a gazebo in a park somewhere.

Re:They do use firewall (0, Flamebait)

LibertineR (591918) | more than 6 years ago | (#21685087)

No, dufus. A true firewall inspects individual packets.

HBI? (1)

RandoX (828285) | more than 6 years ago | (#21684631)

What is HBI? A quick search found the following unrelated and unhelpful information:

HBI Health and Biomedical Information
HBI Healthcare Building Ideas (magazine)
HBI Home Builders Institute
HBI Home Business Institute
HBI Horizontal Blanking Interval (television)
HBI Hot Beef Injection (band)
HBI Hot Briquetted Iron (plant or facility)
HBI Hubbard Broadcasting Inc.

Wikipedia: Page does not exist.

Re:HBI? (4, Funny)

orclevegam (940336) | more than 6 years ago | (#21684705)

Humongously Bad Interface. That's the internal name for all new MS APIs.

Re:HBI? (2, Funny)

JCSoRocks (1142053) | more than 6 years ago | (#21684797)

HBI - Hot But Incarcerated?

Re:HBI? (0)

Anonymous Coward | more than 6 years ago | (#21684817)

Hung Burly Italians

Re:HBI? (3, Insightful)

SpaFF (18764) | more than 6 years ago | (#21684831)

I was assuming he meant Host Based Intrusion.

Re:HBI? (0)

Anonymous Coward | more than 6 years ago | (#21684919)

HBI stands for High Business Impact. It's MS speak.

Microsoft and logs do not compute (1, Funny)

Anonymous Coward | more than 6 years ago | (#21684697)

I once had a 800MB plain-text logfile that I wanted to do a simple search and replace. I opened up the file in Word on a P4-2Ghz-2GB system and it took over two hours to complete roughly 50% of the task at hand. At this point I finally gave up because I was worried what was being done to my file and copied the file to an old PIII/450MHZ/512mb running linux and the task took about 2 seconds using a simple regex with sed.

Re:Microsoft and logs do not compute (1)

orclevegam (940336) | more than 6 years ago | (#21684733)

You have just got to love a text editor that copies an entire file into memory before displaying it.

Re:Microsoft and logs do not compute (4, Insightful)

Crane Style (1196643) | more than 6 years ago | (#21684877)

Isn't that just you announcing your ignorant of which tools to use? Are you that kid in gym class that was always trying to put his shoes back on without untying them, rather than take the seconds to untie/re-tie he'd stomp himself around the locker room for minutes until they fit right. Oh and, how long would it take you to create and print a tri-fold pamphlet using sed? Perhaps you're the problem, not the app.

Re:Microsoft and logs do not compute (0)

Anonymous Coward | more than 6 years ago | (#21685213)

Except that when I started the task in Word, I left for lunch and came back two hours later and found it 50% done. I did not care as long as it finished before I got back - which it did not. I knew Word would take much longer than any *nix tool, I just did not expect that it would take orders of magnitude longer.

Swimming in acronym soup... (5, Funny)

thatseattleguy (897282) | more than 6 years ago | (#21684717)

Could someone with more Microsoft Kool-Aid in their veins stick their fork in the acronym salad that is this article? ACL (Access Control Lists - which technically are a firewall), DoS (denial of service attacks) and IPS (intrusion protection services) I all know, but WTF are:


HBI?
GFS (is the G for "Ghost")?
NBI?
NLB?
ACE?


TIA :),
/tsg/

Re:Swimming in acronym soup... (3, Interesting)

loconet (415875) | more than 6 years ago | (#21684945)

Interesting, I thought I was the only one. Why is it that every time I read about Microsoft related technology it's always an acronym salad. Not even commonly used acronyms either, they use acronyms for their own way of calling technology xyz. It's almost like they do it on purpose ..

A router can be a firewall too (0, Redundant)

was kroepoek (1098895) | more than 6 years ago | (#21684743)

From TFA:

At this point we still don't use firewalls for MS.COM sites[...] 1. We don't handle HBI data so we don't have the need for external logging capabilities. If we did handle HBI, we'd have firewalls.
Can someone explain this please? HBI?

2. [...] Just IIS logs are a challenge without trying to parse another ~650GB of firewall logs.
That's a non-argument. I use iptables without the LOG target; why would i want to log packets before dropping them? This would make no sense to me. If i want a NIDS, i'll install a NIDS.

2. Router ACLs are in place to block unnecessary ports
Wait a minute, ACLs you say?! Isn't this *exactly* what firewalls are for? Blocking/allowing IP ranges and incoming connections on certain ports...

Re:A router can be a firewall too (1)

cream wobbly (1102689) | more than 6 years ago | (#21684913)

HBI means "High Business Impact [google.com] " in Microsoftese. There are also MBI, meaning "Moderate Business Impact", and LBI; "Low Business Impact".

Better response: (0, Flamebait)

Rik Sweeney (471717) | more than 6 years ago | (#21684773)

At this point we still don't use firewalls for MS.COM sites and don't have any plans on the books to put them in place. Here is the short answer as to why:

1. We run Linux.

What happened to Akamai Linux? (2, Interesting)

140Mandak262Jamuna (970587) | more than 6 years ago | (#21684805)

I vaguely recall MSFT had to outsource load balancing to Akamai which used Linux boxes to redistribute the incoming traffic at some point in the past. Looking at Netcraft.com, it shows some subdomains of microsoft.com resolved to Linux boxes before the year 2000. So it is able to get out of the sandbox now? Is that the main story?

Perhaps the only ones who can do it "right" (5, Insightful)

teebob21 (947095) | more than 6 years ago | (#21684811)

Let's set aside the natural urge to bash MS into oblivion. Let's (just for now) ignore conventional advice about network security and firewall use. Now, not only are these guys a Microsoft shop...they ARE Microsoft. MS claims their software is stable and secure. Perhaps it is -- when was the last time microsoft.com was taken down by malevolent hackers?

That said, with their closed source and closed-doors policy to revealing details about the inner workings of the OS, _Microsoft_ may be the only company that can successfully deploy a 100% Microsoft powered solution. How many registry changes, service daemon modifications, and other tweaks have been made to get their config running this way? The world may never know. It's probably impossible for the consumer world to ever have that level on knowledge about the Windows environment, and thus run it at peak security levels. For most consumers and businesses, a Linux OS with properly implemented firewalls is much more secure than an out-of-the-box Windows deployment and router ACLs.

650 GB log (0)

Anonymous Coward | more than 6 years ago | (#21685119)

they used MS Excel...right

akamai (3, Informative)

wwmedia (950346) | more than 6 years ago | (#21685189)

don't forget the whole slough of Linux servers that they use through Akamai to handle the bandwidth;

it's one reason why why doing a lookup on Microsoft servers, it often shows that they are running Linux. It's also another reason why people point out that Linux is more scalable because even Microsoft can't eat it's own dogfood.

Ok... (1)

Verunks (1000826) | more than 6 years ago | (#21685231)

Nice setup but what about root passwords?

Misleading Summary. Total Propaganda (3, Informative)

mpapet (761907) | more than 6 years ago | (#21685259)

1. The asshat highlights they use no firewall, and yet buried deeper in the article is this "Router ACLs are in place to block unnecessary ports" That's the functional equivalent of a firewall.

2. I get into discussions where tech guys spew traffic numbers and I'm never impressed. It creates issues if you want to actually do something with the data which I doubt they do much beyond running the usual marketing metrics. Until you actually shoot for 99.99 service uptime, you begin to comprehend the challenge it is (on any platform) the traffic itself is not the challenge.

3. I'm very interested in reading what their hardware budget is like. I get excellent performance out of Linux compared to server 2003 boxes on similar compaq dl380's.

Now there's a best practice (2, Funny)

QuietLagoon (813062) | more than 6 years ago | (#21685275)

use of their yet unreleased Windows Server 2008 in a production environment.

Now there's a best practice that other corporations should follow - the use of test software in a production environment.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?