train_wreck
slow this bird down
join:2013-10-04
Antioch, TN
Cisco ASA 5506
Cisco DPC3939

train_wreck

Member

[Other] "Messy cabling/no documentation" = "for security"?

So..... was sent out for contract work last week to an unnamed, but large, restaurant chain. I was sent there to reterminate the cut green ethernet wire you can see hanging in the top left of the picture & find a way to connect it to the black DLink switch hanging in the bottom left front of the rack. Also, I was to find out why a Ubiquiti access point wasn't showing up on the network, and once found configure it with 2 SSIDs for customers & employees (but no VLANs, and clients from both of the SSIDs were connected to the same network as the employee back office..... ) Most of the network was managed remotely from IT at the corporate office, but interestingly the router/firewall (a Watchguard) was managed by a third party, and neither corporate IT nor I was able to access it at all. I terminated the broken end, and had to use an inline shielded coupler to connect it to the bottom DLink switch since the black cable running from that switch to the right was stretched as far as it could, and it ran stapled along the wall, through a drilled hole and out further into the restaurant, so was not easy to remove, and my instructions were to replace as little as possible to get everything back running. The access point was also fairly simple; the ceiling run from the AP to the patch panel was terminated OK, but the patch cable going from its port on the panel to the 5 port switch was missing. (There were numerous cables in the rack that weren't connected to anything; I had to remove one from the 5 port switch to get everything connected). Employees said they thought that both of the "incidents" happened at the same time by an HVAC company that had to get into the ceiling around the rack.

While I was on the phone checking in with the corporate IT manager after getting onsite, I found the rack and immediately asked if there was any documentation of where the patch panel ports led to. He said there wasn't. I remarked that the rack was a "bit disorganized". He replied that both of these things (no docs, mess of cabling) were done "for security, to make it harder for someone to figure out the network".

3 questions:

-Was he pulling my leg?
-He also said the cables were run in a "nest configuration j/j", does that mean anything?
-Does this look typical for a big corporate chain?

billaustin
they call me Mr. Bill
MVM
join:2001-10-13
North Las Vegas, NV

9 recommendations

billaustin

MVM

I frequently see the same. It's nice, neat, and pretty when first installed. Maintenance is done by a string of contracted techs, usually never the same one, and whatever needs to be done to get it working is what's done. Sometimes there is a label showing where cables are supposed to connect, but documentation is usually at the other end of the phone line.

It's called a nest configuration because it looks like a birds nest.

train_wreck
slow this bird down
join:2013-10-04
Antioch, TN
Cisco ASA 5506
Cisco DPC3939

5 recommendations

train_wreck

Member

said by billaustin:

Maintenance is done by a string of contracted techs, usually never the same one, and whatever needs to be done to get it working is what's done.

You mean techs like me. Man, I wish I could have spent a few good hours cleaning it up, but I was under strict instructions to change as little as possible to make it work. It's what I don't like about contract work; my orders are literally to make NO improvements beyond a few specific things, and since I'm the 16th person who's touched the thing, the setup is a hurricane by the time I get there, and isn't usually much better by the time I leave.

I particularly was amused at the 5 port switches just hanging there, with what looks like some previous person that attempted to tie the power cables in a big knot that you can see in the middle.... like what is the point of that?

I brought up the fact that if the 24 port switch was managed (or even one of those cheap "smart" VLAN-aware switches), they could get rid of the extra switches and remove some failure points. The IT director just chuckled and said "yeah we should". (Not to mention "Intellinet" is firmly bottom-of-the-barrel; my company has used Intellinet and "Manhattan" branded products for years, and they are the worst. Belkin would be better than them).

What I was more concerned about, however, was the fact that guests were connecting to the same network as the back office. One computer there was the server that handled the "Aloha" credit card terminals.... seems like some sort of PCI violation there....

I was overall a bit shocked at the IDGAF attitude from the corporate guys. All the employees I talked to said that they were consistently having problems inputting orders, taking payments, and doing basically anything network-related. They were supposed to have Windstream business 5mbps DSL, and all the speedtests I did never hit 2......

Of course, the stinger is that the corporate staff I spoke with were probably banking high 5 figures, possibly more. I was making... less than that

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro

7 recommendations

NetFixer to train_wreck

Premium Member

to train_wreck
Thanks for the reminder of how nice it is to be retired and not have to mess with other people's messes any more.
HELLFIRE
MVM
join:2009-11-25

6 recommendations

HELLFIRE to train_wreck

MVM

to train_wreck
said by train_wreck:

He replied that both of these things (no docs, mess of cabling) were done "for security, to make it harder for someone to figure out the network".

I read that as a combination of "Documentation n. from an ancient and obscure dialect that translates as 'For some other poor schmuck to do,'"
and a healthy dose of "I'm not paid enough / there aren't enough hours in the day to give a crap about this!"
said by train_wreck:

run in a "nest configuration j/j", does that mean anything?

Also known as "cable spaghetti," -- here are more examples to make you cringe at and run for the hills.
said by train_wreck:

What I was more concerned about, however, was the fact that guests were connecting to the same network as the back office.

said by train_wreck:

I was overall a bit shocked at the IDGAF attitude from the corporate guys.

said by train_wreck:

Of course, the stinger is that the corporate staff I spoke with were probably banking high 5 figures, possibly more. I was making... less than that

Speaks volumes to this "unnamed but large restaurant chain's" attitude to IT overall, read: Cheap, Fast, Perfect, Ready By Yesterday(TM)
Par For Course...

My Sarcastic & Opinionated 00000010bits

Regards

Anondc32c
@verizon.net

2 recommendations

Anondc32c

Anon

The Dlink switches are what confuses me. Why use consumer devices when there is a managed switch right there? I am guessing the "large restaurant chain" is something like a Burger King that are privately owned. Most business owners don't even know what kind of network they have, nevermind how to fix them. I have seen better network layouts at an Olive Garden. :-(
lawsoncl
join:2008-10-28
Spirit Lake, ID

2 recommendations

lawsoncl to train_wreck

Member

to train_wreck
said by train_wreck:

-Was he pulling my leg?
-He also said the cables were run in a "nest configuration j/j", does that mean anything?

Yes. Nest configuration is also known as the ball of yarn setup. That really is a cluster-fuck and I'd have a tough time walking away instead of trying to clean it up. Did you notice the jumper that just goes between ports on the punchdown? Maybe the 5-port was a bandaid to get gigabit since the mounted switch looks to be 10/100.
Sliffer21
join:2016-07-06
Charleston, WV

5 recommendations

Sliffer21 to Anondc32c

Member

to Anondc32c
said by Anondc32c:

The Dlink switches are what confuses me. Why use consumer devices when there is a managed switch right there? I am guessing the "large restaurant chain" is something like a Burger King that are privately owned. Most business owners don't even know what kind of network they have, nevermind how to fix them. I have seen better network layouts at an Olive Garden. :-(

Doubt it is a Burger King. A few years ago I did some work for a chain on their network and security system. They were given managed access points (Motorola) from AT&T that tied into their network from BK Corporate that they had (no choice) to have installed. I guess the access point itself had some sort of security VPN built in to segregate the guest traffic as they were forced to use it. Granted this Franchise had a great IT infrastructure in place with a Cradlepoint router and PCI-compliant separation with multiple VLANs, Guest Network, BOH Network etc. But moral of the story was they were forced to put this Motorola AP on their default VLAN 1 (BOH Network) to allow guest access. Replacing the WiFi Guest VLAN on the cradlepoint to conform to a BK corporate rollout. I assumed there was some security built in to that AP but long story short they had to use that Motorola AP that all stores were given (and most likely had to pay for) for Guest Access not a Ubiquiti in order to centralize the guest access across all BK locations with a splash screen and analytic tracking.

train_wreck
slow this bird down
join:2013-10-04
Antioch, TN
Cisco ASA 5506
Cisco DPC3939

4 recommendations

train_wreck to Anondc32c

Member

to Anondc32c
said by Anondc32c:

Why use consumer devices when there is a managed switch right there?

It's not managed and to be honest I would absolutely consider it a "consumer" device, just thrown inside a rackmount case.
said by Anondc32c:

I am guessing the "large restaurant chain" is something like a Burger King that are privately owned.

Yes, but more upscale than Burger King.

Our company has also done contract work for McDonald's. Their networks are typically much more professionally set up. I recall some locations having dual WAN connections via local DSL and backup LTE. The menu boards are just Adobe Flash applications running on a rackmount Windows PC with a crazy FireGL card to support all the screens:


microphone
Premium Member
join:2009-04-29
Parkville, MD

4 recommendations

microphone to train_wreck

Premium Member

to train_wreck
That nest configuration is symbolic of what is wrong in life. People just don't give a shit anymore and when someone actually does care they get instructed not to fix it.

wavelength
CyberSec Pro
join:2015-05-22
Raleigh, NC
Juniper SRX240
Ubiquiti UniFi UAP-AC-PRO

5 recommendations

wavelength to train_wreck

Member

to train_wreck
said by train_wreck:

What I was more concerned about, however, was the fact that guests were connecting to the same network as the back office. One computer there was the server that handled the "Aloha" credit card terminals.... seems like some sort of PCI violation there....

Oh, no, that is not a "seems like"... That is a clear and blatant violation of the guidelines in the PCI-DSS. Unsecured, guest network access has to be segregated from the CDE (cardholder data environment).

That is how Target was breached - an insecure network had access to the CDE, specifically the payment terminals.
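The segmentation point made here (and in train_wreck's earlier remark that a VLAN-aware switch would let them separate the guest SSIDs from the back office) is easy to state and easy to lose track of across a dozen contractors. The following is an added example, not code from this thread or from any poster: a small Python check that models a site's segments as an inventory and flags every guest or staff segment that shares a VLAN or an overlapping subnet with the cardholder data environment (CDE), which is exactly the flat-network condition the OP found. Segment names, VLAN ids, subnets and the sample host addresses are constructed; the "as found" inventory mirrors the thread's description and the second one a VLAN-separated layout.

```python
"""Flag guest/staff segments that share a broadcast domain or subnet with the CDE.

Added example for the dslreports thread above; not the chain's, the OP's or any
poster's code. All inventory values below are constructed and hypothetical.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One L2/L3 segment as it would appear in a site inventory.

    trust is "cde" for the cardholder data environment (POS server, card
    terminals), "staff" for out-of-scope back-office devices, "guest" for
    customer Wi-Fi.
    """
    name: str
    vlan: int
    subnet: ipaddress.IPv4Network
    trust: str


def segment(name, vlan, cidr, trust):
    """Convenience constructor so inventories can be written with CIDR strings."""
    return Segment(name, vlan, ipaddress.ip_network(cidr), trust)


def find_segmentation_violations(segments):
    """Return (untrusted_name, cde_name, reason) for each non-CDE segment that
    shares a VLAN or an overlapping subnet with a CDE segment.

    Either condition means traffic reaches the CDE without crossing a router
    or firewall where it could be filtered, which is the gap PCI-DSS
    segmentation is meant to close.
    """
    cde = [s for s in segments if s.trust == "cde"]
    untrusted = [s for s in segments if s.trust != "cde"]
    violations = []
    for u in untrusted:
        for c in cde:
            if u.vlan == c.vlan:
                violations.append((u.name, c.name, f"same VLAN {u.vlan}"))
            elif u.subnet.overlaps(c.subnet):
                violations.append(
                    (u.name, c.name, f"overlapping subnets {u.subnet} and {c.subnet}"))
    return violations


def segment_for(ip, segments):
    """Map an observed host address (e.g. from a DHCP lease list) to its segment."""
    addr = ipaddress.ip_address(ip)
    for s in segments:
        if addr in s.subnet:
            return s
    return None


def unfiltered_path_to_cde(host_ip, segments):
    """True when a non-CDE host sits on the same VLAN as a CDE segment, i.e. it
    can reach the POS server at layer 2 with nothing in between to filter it."""
    seg = segment_for(host_ip, segments)
    if seg is None or seg.trust == "cde":
        return False
    return any(s.trust == "cde" and s.vlan == seg.vlan for s in segments)


# Constructed inventories. AS_FOUND mirrors the thread: both SSIDs bridged onto
# the same flat LAN as the back-office POS server. REMEDIATED puts each role on
# its own VLAN and subnet so inter-segment traffic must cross the firewall.
AS_FOUND = [
    segment("guest-ssid", 1, "192.168.1.0/24", "guest"),
    segment("employee-ssid", 1, "192.168.1.0/24", "staff"),
    segment("back-office-pos", 1, "192.168.1.0/24", "cde"),
]

REMEDIATED = [
    segment("guest-ssid", 30, "10.30.0.0/24", "guest"),
    segment("employee-ssid", 20, "10.20.0.0/24", "staff"),
    segment("back-office-pos", 10, "10.10.0.0/24", "cde"),
]

if __name__ == "__main__":
    for label, inv in (("as found", AS_FOUND), ("remediated", REMEDIATED)):
        print(f"{label}: {find_segmentation_violations(inv) or 'no violations'}")
```

The check is deliberately conservative: a shared VLAN is reported even when the subnets differ, because a second IP range on the same broadcast domain is not segmentation. Feeding it an inventory pulled from the switch's VLAN table and the DHCP server's scope list is the realistic way to use it during a site visit; `unfiltered_path_to_cde` then answers the per-host question for any lease address seen on the guest SSID.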

domnatr6
join:2001-03-06
Kyle, TX

2 recommendations

domnatr6

Member

Yep, that would fail an audit for sure as well as not having proper network documentation.

Hate to say it, but that setup is VERY typical for restaurants. They usually sign a managed service contract where the person working on the network gets in and gets out as fast as possible because being onsite costs them money.
cramer
Premium Member
join:2007-04-10
Raleigh, NC
Westell 6100
Cisco PIX 501

2 recommendations

cramer

Premium Member

How the f*** would you even audit that?

Unfortunately, that's exactly how things end up when there are 39 different techs from a dozen different firms sent to do "instant" work. There's no documentation because no one will maintain it -- and which of the dozen firms has the current, up-to-date version? When you're paid "by the minute", you do what's necessary and only what's necessary. In this case, either fish out the remaining ends to replace the cut cable, or "telco splice" it back together... in and out in less than 2min.

Even when there's a single contract firm involved, there can be more than one tech working at the site. If they don't maintain the docs -- and they don't, things snowball. I've been in local places that are "ADP managed". It's pretty when you open the door / look through a window, just don't ever remove one of the panduit covers. It's a complete nightmare behind a black plastic cover. 4000 yellow wires. Not a label in the entire building.

Anondc32c
@verizon.net

3 recommendations

Anondc32c to wavelength

Anon

to wavelength
I used to work 3rd shift Tier 2 for an ISP that provided HFC service to 10-20 Burger Kings in the Mid West. I had one user tell me he used a wireless AP connected to a CC machine as a wifi adapter to connect to a wireless repeater, all of it with no security. We only handled up to the CPE though, so it was nothing done by us and when I raised my concerns, he said "don't worry. I hid the SSID". All because he didn't want to pay for his network people to come out to run an ethernet to the machine instead. Pretty sure he just used what he could buy at the local Walmart. That was 3-4 years ago, and the area they were in was not the best, so perhaps that is an isolated event, but I doubt it.

kevinds
Premium Member
join:2003-05-01
Calgary, AB

kevinds

Premium Member

said by Anondc32c:

I had one user tell me he used a wireless AP connected to a CC machine as a wifi adapter to connect to a wireless repeater, all of it with no security.

Here anyways, the Burger King uses the self-contained card terminals.. The kind that you can give them a public IP and still not be in violation, because they secure on their own (sorry, drawing a blank at the technical term for them).

I say this to point out that just because it is not the best way to connect something, doesn't mean it is bad..

train_wreck
slow this bird down
join:2013-10-04
Antioch, TN
Cisco ASA 5506
Cisco DPC3939

2 recommendations

train_wreck to cramer

Member

to cramer
said by cramer:

Unfortunately, that's exactly how things end up when there are 39 different techs from a dozen different firms sent to do "instant" work. There's no documentation because no one will maintain it -- and which of the dozen firms has the current, up-to-date version? When you're paid "by the minute", you do what's necessary and only what's necessary. In this case, either fish out the remaining ends to replace the cut cable, or "telco splice" it back together... in and out in less than 2min.

Very true. If I am methodical and try to take time and label/organize things or if I take time to have conversations about additional problems/areas of improvement, my company has to bill them for more hours. They see that, and realize that the company down the street can half-ass it and "get the job done" in half the time, so the dept. heads choose them over us.

So paradoxically, me being thorough actually loses my company money. And this is why networks end up like the one pictured.....

The unspoken secret of the whole situation is that the networks quickly start to crumble when managed this way. The previously mentioned employees who complained about problems processing payments are a sign of this. Over time, the head company has to send more techs like us out there again and again, resulting in less and less ROI. But business types ironically often fail to see the long game..

kevinds
Premium Member
join:2003-05-01
Calgary, AB

kevinds

Premium Member

said by train_wreck:

But business types ironically often fail to see the long game..

Well the big companies can 'successfully' do it, I want to be like them, so this is the way business is supposed to be.. (Verizon neglecting maintenance for decades type of success)

Anon72a97
@2606:6000.x

Anon72a97 to train_wreck

Anon

to train_wreck
said by train_wreck:

So..... was sent out for contract work last week to an unnamed, but large, restaurant chain. I was sent there to reterminate the cut green ethernet wire you can see hanging in the top left of the picture & find a way to connect it to the black DLink switch hanging in the bottom left front of the rack. Also, I was to find out why a Ubiquiti access point wasn't showing up on the network, and once found configure it with 2 SSIDs for customers & employees (but no VLANs, and clients from both of the SSIDs were connected to the same network as the employee back office..... ) Most of the network was managed remotely from IT at the corporate office, but interestingly the router/firewall (a Watchguard) was managed by a third party, and neither corporate IT nor I was able to access it at all. I terminated the broken end, and had to use an inline shielded coupler to connect it to the bottom DLink switch since the black cable running from that switch to the right was stretched as far as it could, and it ran stapled along the wall, through a drilled hole and out further into the restaurant, so was not easy to remove, and my instructions were to replace as little as possible to get everything back running. The access point was also fairly simple; the ceiling run from the AP to the patch panel was terminated OK, but the patch cable going from its port on the panel to the 5 port switch was missing. (There were numerous cables in the rack that weren't connected to anything; I had to remove one from the 5 port switch to get everything connected). Employees said they thought that both of the "incidents" happened at the same time by an HVAC company that had to get into the ceiling around the rack.

While I was on the phone checking in with the corporate IT manager after getting onsite, I found the rack and immediately asked if there was any documentation of where the patch panel ports led to. He said there wasn't. I remarked that the rack was a "bit disorganized". He replied that both of these things (no docs, mess of cabling) were done "for security, to make it harder for someone to figure out the network".

3 questions:

-Was he pulling my leg?
-He also said the cables were run in a "nest configuration j/j", does that mean anything?
-Does this look typical for a big corporate chain?

If someone was to break in and disable that, they would just unplug the power to it rather than try and find the security camera cable that goes to the DVR.

#think outside the box
Anon72a97

Anon72a97

Anon

See the cheap 99-cent store surge protector that will do nothing to protect from surges because it's just a power strip?

You just have to press the button to the OFF position.

Bam, your remote security video is gone.

battleop
join:2005-09-28
00000

2 recommendations

battleop to train_wreck

Member

to train_wreck
"Does this look typical for a big corporate chain?"

VERY typical. It doesn't matter if it's a chain of medical offices, hotels, or banks. Most of them look like this or worse. No one from corporate IT ever visits these sites. What IT employees they have are often just barely smarter than the guy that hired them and they quickly become entrenched in their job so you get answers like the one you did on security.

Being a big corporate company does not automatically mean they hire the best of the best IT guys. They often pay a fraction of what you are worth or just don't really care about IT enough to do things right.
battleop

1 recommendation

battleop to train_wreck

Member

to train_wreck
"What I was more concerned about, however, was the fact that guests were connecting to the same network as the back office. One computer there was the server that handled the "Aloha" credit card terminals.... seems like some sort of PCI violation there."

After years and years of caring and trying to get people to do the right thing you will eventually give up and learn to say "Fuck it, it's their problem not mine if they get hacked". Non IT people are cheapasses and if they can't understand an immediate need for something they will always think it's no big deal and that those grumpy IT people are just overreacting.
battleop

3 recommendations

battleop to Sliffer21

Member

to Sliffer21
"Doubt it is a Burger King"

The absence of caked on nasty grease is the give away.
Sliffer21
join:2016-07-06
Charleston, WV

Sliffer21

Member

said by battleop:

"Doubt it is a Burger King"

The absence of caked on nasty grease is the give away.

True in some cases. In most of the properly run stores however there isn't much grease in the office (where in my experience all network equipment was). They have the hoods cleaned every few months by professionals and all the grease goes up in those and gets scooped out down the road in a trap, not in the office.

battleop
join:2005-09-28
00000

battleop

Member

If it's been there any amount of time it's going to look dingy. Most people won't touch the IT gear so they will wipe everything down in their cleaning routine but that. I once went to a restaurant probably 15 years ago and everything there was very clean except for the telecom/IT gear. It was like a perfectly white block wall and then this brown rectangle that was no man's land.
joshh20
join:2012-12-19
ARRIS SB6183

1 recommendation

joshh20

Member

said by battleop:

If it's been there any amount of time it's going to look dingy. Most people won't touch the IT gear so they will wipe everything down in their cleaning routine but that. I once went to a restaurant probably 15 years ago and everything there was very clean except for the telecom/IT gear. It was like a perfectly white block wall and then this brown rectangle that was no man's land.

Can you really blame them when it looks like that?!

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

1 recommendation

NetFixer to battleop

Premium Member

to battleop
said by battleop:

Most people won't touch the IT gear so they will wipe everything down in their cleaning routine but that.

Considering how many service calls I have taken (with of course, down time for the customer) because of damaged/disconnected/relocated cables caused by cleaning crews, that (sanitary reasons aside) is a wise policy.

kevinds
Premium Member
join:2003-05-01
Calgary, AB

1 edit

1 recommendation

kevinds

Premium Member

I've also had many service calls for servers failing because the dust built up enough that the machine overheated.

Server was idle most of the time, so it lasted as long as it did, but yes, hadn't been cleaned in a number of years... I was actually surprised it didn't light itself on fire, it was that bad. After that one, I started taking a portable air-compressor everywhere I went, cans of air just were not enough.

Edit: didn't
Sliffer21
join:2016-07-06
Charleston, WV

1 recommendation

Sliffer21

Member

said by kevinds:

I've also had many service calls for servers failing because the dust built up enough that the machine overheated.

Server was idle most of the time, so it lasted as long as it did, but yes, hadn't been cleaned in a number of years... I was actually surprised it did light itself on fire, it was that bad. After that one, I started taking a portable air-compressor everywhere I went, cans of air just were not enough.

I don't understand why any company that has servers wouldn't have some sort of reliable IT. Not even a managed services agreement but at least one trusted IT Tech or Company they would use from time to time. Someone that could at least prevent that from happening. Of course no one wants to spend money on IT.
itguy
join:2017-05-04

itguy to train_wreck

Member

to train_wreck
There's for sure probably at least 1 or 2 bad cables in that somewhere

Those little switches are terrible

kevinds
Premium Member
join:2003-05-01
Calgary, AB

1 recommendation

kevinds to Sliffer21

Premium Member

to Sliffer21
said by Sliffer21:

Not even a managed services agreement but at least one trusted IT Tech or Company they would use from time to time. Someone that could at least prevent that from happening. Of course no one wants to spend money on IT.

IT services are frequently cut back on..

They are invisible when there are no problems, so easy to cut funding.. Not customer facing, not revenue generating..