Managing Hyper-V
-
-
@dbeato said in Managing Hyper-V:
@scottalanmiller How about SVCMM?
https://technet.microsoft.com/en-us/library/gg610646(v=sc.12).aspx
https://technet.microsoft.com/en-us/library/jj863389(v=ws.11).aspxRight, for the big money, that's there. That I knew. And you could argue that Scale isn't cheap like Hyper-V, which is free, so it's a valid point.
-
This shows some promise.
https://cloudbase.it/using-freerdp-to-connect-to-the-hyper-v-console/
-
@scottalanmiller This is almost like doing RDP to it. FreeRDP is like Rdesktop at best but I guess it has Powershell so that is an upside.
-
@scottalanmiller said in Managing Hyper-V:
@brianlittlejohn said in Managing Hyper-V:
@scottalanmiller said in Managing Hyper-V:
@Tim_G said in Managing Hyper-V:
If it's off domain, you have to perform a couple quick extra steps that can be put into a script.
I've never tried to use RSAT over a WAN, seems like a bad idea
I use it over a vpn to our office in OKC... it works a little slow, but it works.
VPN is just another term for the LAN, just a slow portion of it. That's still LAN security as a model, which we don't do here.
So how do you do it with SCALE? You leave the web interface public facing?
-
@dbeato said in Managing Hyper-V:
@scottalanmiller This is almost like doing RDP to it. FreeRDP is like Rdesktop at best but I guess it has Powershell so that is an upside.
It IS RDP to it, which is a perfect solution in my mind, if it works.
-
@stacksofplates said in Managing Hyper-V:
@scottalanmiller said in Managing Hyper-V:
@brianlittlejohn said in Managing Hyper-V:
@scottalanmiller said in Managing Hyper-V:
@Tim_G said in Managing Hyper-V:
If it's off domain, you have to perform a couple quick extra steps that can be put into a script.
I've never tried to use RSAT over a WAN, seems like a bad idea
I use it over a vpn to our office in OKC... it works a little slow, but it works.
VPN is just another term for the LAN, just a slow portion of it. That's still LAN security as a model, which we don't do here.
So how do you do it with SCALE? You leave the web interface public facing?
Yes, that's the idea. Properly secured web is the same as a VPN, but limited to a single task. So equal or more secure. Scaling, now that requires some kind of automation to handle it, but can be done.
-
@scottalanmiller said in Managing Hyper-V:
@stacksofplates said in Managing Hyper-V:
@scottalanmiller said in Managing Hyper-V:
@brianlittlejohn said in Managing Hyper-V:
@scottalanmiller said in Managing Hyper-V:
@Tim_G said in Managing Hyper-V:
If it's off domain, you have to perform a couple quick extra steps that can be put into a script.
I've never tried to use RSAT over a WAN, seems like a bad idea
I use it over a vpn to our office in OKC... it works a little slow, but it works.
VPN is just another term for the LAN, just a slow portion of it. That's still LAN security as a model, which we don't do here.
So how do you do it with SCALE? You leave the web interface public facing?
Yes, that's the idea. Properly secured web is the same as a VPN, but limited to a single task. So equal or more secure. Scaling, now that requires some kind of automation to handle it, but can be done.
True but now your only barrier is the login page. So any vulnerabilities in whatever language it's in (e.g. PHP) is the only barrier.
-
@stacksofplates said in Managing Hyper-V:
@scottalanmiller said in Managing Hyper-V:
@stacksofplates said in Managing Hyper-V:
@scottalanmiller said in Managing Hyper-V:
@brianlittlejohn said in Managing Hyper-V:
@scottalanmiller said in Managing Hyper-V:
@Tim_G said in Managing Hyper-V:
If it's off domain, you have to perform a couple quick extra steps that can be put into a script.
I've never tried to use RSAT over a WAN, seems like a bad idea
I use it over a vpn to our office in OKC... it works a little slow, but it works.
VPN is just another term for the LAN, just a slow portion of it. That's still LAN security as a model, which we don't do here.
So how do you do it with SCALE? You leave the web interface public facing?
Yes, that's the idea. Properly secured web is the same as a VPN, but limited to a single task. So equal or more secure. Scaling, now that requires some kind of automation to handle it, but can be done.
True but now your only barrier is the login page. So any vulnerabilities in whatever language it's in (e.g. PHP) is the only barrier.
That can be done at the server level, too. But not ideal. Or can be done with keys and not a login. All the same limitations as any VPN.
-
But all VPN solutions have that limitation. The difference here is that the limitation only exists for this one thing, rather than the entire network.
-
@scottalanmiller said in Managing Hyper-V:
But all VPN solutions have that limitation. The difference here is that the limitation only exists for this one thing, rather than the entire network.
My point is I don't understand why you go with salt because of the concern of security with SSH but you leave a web page open directly to the internet.
I trust SSH on a bastion host which gets daily updates and bug fixes more than I trust a web page that gets development but not daily updates.
-
@stacksofplates said in Managing Hyper-V:
My point is I don't understand why you go with salt because of the concern of security with SSH but you leave a web page open directly to the internet.
Because I can turn access on and off with Salt.
-
@stacksofplates said in Managing Hyper-V:
I trust SSH on a bastion host which gets daily updates and bug fixes more than I trust a web page that gets development but not daily updates.
As the web page uses the same daily updates for the encryption as SSH, I don't think that this is an issue. Both rely on the same OpenSSL library equally.
-
Or if you can lock it down to a local tunnel through SSH that would be better. Ours isn't set up yet so I'm not sure if you can do that.
-
@scottalanmiller said in Managing Hyper-V:
@stacksofplates said in Managing Hyper-V:
I trust SSH on a bastion host which gets daily updates and bug fixes more than I trust a web page that gets development but not daily updates.
As the web page uses the same daily updates for the encryption as SSH, I don't think that this is an issue. Both rely on the same OpenSSL library equally.
The hosts get daily updates from SCALE? And SSL updates don't fix bugs in PHP or JS or whatever they use.
-
@stacksofplates said in Managing Hyper-V:
Or if you can lock it down to a local tunnel through SSH that would be better. Ours isn't set up yet so I'm not sure if you can do that.
I figure anything you can do through a web or SSL tunnel, you can do through SSH, too. And I've been trying to figure out how to automate that well with a "reach out" system and if that is logically a good approach.
-
@stacksofplates said in Managing Hyper-V:
@scottalanmiller said in Managing Hyper-V:
@stacksofplates said in Managing Hyper-V:
I trust SSH on a bastion host which gets daily updates and bug fixes more than I trust a web page that gets development but not daily updates.
As the web page uses the same daily updates for the encryption as SSH, I don't think that this is an issue. Both rely on the same OpenSSL library equally.
The hosts get daily updates from SCALE? And SSL updates don't fix bugs in PHP or JS or whatever they use.
Oh, on the Scale specifically? No, not daily. But regularly. It alerts you whenever there is an update to apply. I don't get SSH regularly either. I update systems daily and go weeks or months between OpenSSH or OpenSSL library updates at times. But they are released on any given day as needed, and the same with the Scale.
Language bugs exist for everything, including for SSH.
-
But with web, you have good choices like adding reverse proxies and such. It's easy to lock down SSL based channels in standard but still accessible ways.
-
@scottalanmiller said in Managing Hyper-V:
@stacksofplates said in Managing Hyper-V:
Or if you can lock it down to a local tunnel through SSH that would be better. Ours isn't set up yet so I'm not sure if you can do that.
I figure anything you can do through a web or SSL tunnel, you can do through SSH, too. And I've been trying to figure out how to automate that well with a "reach out" system and if that is logically a good approach.
But web isn't key based. A 4096 bit key is better than a login page no matter how long the password is. And mitigates brute forcing (whether that's even still a concern anymore).
-
@scottalanmiller said in Managing Hyper-V:
@stacksofplates said in Managing Hyper-V:
@scottalanmiller said in Managing Hyper-V:
@stacksofplates said in Managing Hyper-V:
I trust SSH on a bastion host which gets daily updates and bug fixes more than I trust a web page that gets development but not daily updates.
As the web page uses the same daily updates for the encryption as SSH, I don't think that this is an issue. Both rely on the same OpenSSL library equally.
The hosts get daily updates from SCALE? And SSL updates don't fix bugs in PHP or JS or whatever they use.
Oh, on the Scale specifically? No, not daily. But regularly. It alerts you whenever there is an update to apply. I don't get SSH regularly either. I update systems daily and go weeks or months between OpenSSH or OpenSSL library updates at times. But they are released on any given day as needed, and the same with the Scale.
Language bugs exist for everything, including for SSH.
That's my point tho. You get them immediately when they are available.