
Re: [SAGE] Naming conventions for servers, network gear, etc.



There are (at least) two divergent trains of thought for naming servers 
and network devices:

Names completely unrelated to the function/location/OS/other 
characteristic, and names that are related to one or more of these 
characteristics.

Both methods have their place and uses, and can sometimes be used together.

The old Unix trait of naming a group of machines after the names of 
some other group of objects (elements, planets, beers, Paris Hilton's 
exploits :-) usually doesn't scale to really large groups of machines, 
but using these kinds of names as memorable names for the clients to use 
for a subset of the machines, or as aliases, can work even in a large 
environment.

There is a combination of naming schemes at Cisco.

Production routers/switches/other network and utility devices are named 
by location and type of device, followed by 1,2,3...

Some servers are named in a similar fashion, but others have a 
combination of location and memorable name (it effectively replaces the 
'1,2,3...'). The latter works something like this:

BUILDING-FUNC-saturn
BUILDING-FUNC-phoebe
...

This has an advantage for both clients and sysadmins. Change messages 
relating to the clients' work are more likely to be noticed when someone 
who works on '...phoebe' sees a message rather than '...23'. The clients 
are more likely to get the right machine as well.

For sysadmins who may be working on several machines, fewer mistakes of 
sending commands to the wrong machine are likely to happen as well.

This isn't terribly useful for large farms of machines (remembering a 
hundred names isn't practical), but if you have a smaller number of 
machines of the same function that are used for distinct projects or 
client groups, memorable names embedded in an otherwise 
characteristic-related name can be useful. (Cnames are another 
alternative for this, but don't always work in practice.)

For the most part, 'utility' devices (like network gear and farms) are 
best named by location, possibly their type and/or function (if this 
isn't dynamic), and some serial number. It's also appropriate for 
services that the clients never need refer to by name - for example, if 
you have a bunch of NFS servers but the clients only need to know the 
automounter directory mount points, then memorable names don't buy you 
as much. It's getting more difficult with systems-oriented data centres 
where a given machine is a chameleon, possibly even running different 
OSes at different times, but machine hardware type doesn't change, and 
unless the DC is in a trailer (these do exist!) location doesn't either.

As to STO naming - 'real' security people (those who have worked for 
those three-letter government orgs - we have a few such people around) 
just laugh at the suggestion. We had a former security admin who thought 
that keeping the name of the security servers out of documentation and 
even *conversation* was a good thing - but it's trivially easy to figure 
out this information if you can log into *any* machine in the 
environment! That 'policy' has been rescinded. (:-)

However, I wouldn't name the most secure machines with names that 
*invite* people to go after them, like 'fortknox', 'impenetrable', or 
'supersecure'. There's no use laying out the red carpet, either! I 
remember when a university (I think it was Texas A&M?) claimed that they 
had a secure firewall, and hackers were gleefully penetrating this 
'firewall' even as the announcements of its superiority were being 
broadcast. Staying low-key is a good idea to prevent encouraging the 
script kiddies, just don't depend on your naming to really hide anything 
for you.

My own personal machines at home have names that are chosen by whim for 
the servers (and function for the utility devices) - like I did for my 
personal machines when I worked at the university. My desktop was 
'wizard', and the other machines were wizzl, wizznd, etc. When I got my 
first laptop, someone suggested that I call it 'takeawiz', but I went 
with the more politically correct 'wizalong'...

- Richard



Cat Okita wrote:
> On Sat, 6 Jan 2007, Jason Antman wrote:
>> For my personal networks, I really prefer names that have nothing to do
>> with the functional nature of the machine, as I view this as making
>> network reconnaissance too easy. My home development network has 
>> "SATURN"
>> as the main DHCP/DNS/LDAP server, and the other machines are named after
>> Saturn's moons, allowing approximately 56 unique names.
>
> I'm always entertained by the idea that names must somehow make doing
> network reconnaissance easier.  When was the last time you saw a scanner
> that worked by name, rather than by IP, _especially_ in bulk?
>
> IMNSHO "it makes things harder for crackers" simply isn't a good argument
> for names that have nothing to do with the nature of the machine.  That's
> like arguing that a different colour of umbrella will somehow make it
> less obvious that you're using an umbrella.
>
> On your home network it doesn't much matter what you choose - presumably
> you're either the only admin, or one of a tiny number of admins who know
> their machines extremely well - but that certainly doesn't hold true as
> the environment scales.
>
> cheers!
> ========================================================================== 
>
> "A cat spends her life conflicted between a deep, passionate and profound
> desire for fish and an equally deep, passionate and profound desire to
> avoid getting wet.  This is the defining metaphor of my life right now."
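An inventory lint for the two schemes Richard describes (location-type-N for utility gear, BUILDING-FUNC-memorable for servers clients refer to by name), written as an added example; it is not code from the thread or from any Cisco tooling. The location codes, type tokens and sample hostnames are constructed, and the "inviting name" list is just the three examples from the post.

```python
import re
from collections import Counter

# Constructed policy tokens; a real site substitutes its own codes and types.
LOCATIONS = {"bldg1", "bldg2", "dc3"}
TYPES = {"rtr", "sw", "fw", "nfs", "web", "db"}
# Names the post advises against because they advertise the box as a prize.
INVITING = {"fortknox", "impenetrable", "supersecure"}

# location-type-N for utility gear: the tail is a positive serial number.
UTILITY_RE = re.compile(r"^(?P<loc>[a-z0-9]+)-(?P<type>[a-z]+)-(?P<serial>[1-9][0-9]*)$")
# BUILDING-FUNC-memorable for client-facing servers: the tail is a word.
SERVER_RE = re.compile(r"^(?P<loc>[a-z0-9]+)-(?P<type>[a-z]+)-(?P<name>[a-z][a-z0-9]*)$")


def classify(hostname):
    """Return (scheme, fields, problems) for one hostname.

    scheme is "utility", "server" or None; problems lists policy violations
    (no scheme match, unknown location or type, inviting memorable name).
    DNS names are case-insensitive, so everything is compared lower-cased.
    """
    host = hostname.strip().lower()
    scheme, m = "utility", UTILITY_RE.match(host)
    if not m:
        scheme, m = "server", SERVER_RE.match(host)
    if not m:
        return None, {}, ["matches neither location-type-N nor BUILDING-FUNC-name"]
    fields = m.groupdict()
    problems = []
    if fields["loc"] not in LOCATIONS:
        problems.append("unknown location %r" % fields["loc"])
    if fields["type"] not in TYPES:
        problems.append("unknown type/function %r" % fields["type"])
    if fields.get("name") in INVITING:
        problems.append("inviting name %r" % fields["name"])
    return scheme, fields, problems


def audit(hostnames):
    """Audit a whole inventory: per-host problems, plus a memorable name reused
    within one location (bldg1-web-phoebe next to bldg1-db-phoebe), which sends
    clients and admins to the wrong machine, the very thing the scheme is for."""
    results = {h: classify(h) for h in hostnames}
    report = {h: list(r[2]) for h, r in results.items()}
    seen = Counter((r[1]["loc"], r[1]["name"]) for r in results.values() if r[0] == "server")
    for h, (scheme, f, _) in results.items():
        if scheme == "server" and seen[(f["loc"], f["name"])] > 1:
            report[h].append("memorable name %r reused in %s" % (f["name"], f["loc"]))
    return report
```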