your mail

Does anyone else out there think smart hands at Equinix is a rip off? I
can send a package overnight to the IBX for less than what it costs to
move it from the mailroom to my cage. Just curious....

Uh, yes. Equinix is a rip off in general. I got kicked out of Chicago
using the side door. I was sick of the stupid man trap crap and noticed
they had a door that was propped open in the back that leads outside. It
was much easier to back the truck up there and go in and out. The whole
thing is a joke, they spent a lot of cash to look good, but there is very
little substance.

Nathan Stratton
nathan at robotics.net
http://www.robotics.net

Yes.

Equinix security, while it looks very tough, is very easy to social
engineer.

Too much fluff, need more stuff.

nathan@robotics.net (Nathan Stratton) writes:

> Uh, yes. Equinix is a rip off in general. I got kicked out of Chicago
> using the side door. I was sick of the stupid man trap crap and noticed
> they had a door that was propped open in the back that leads outside. It
> was much easier to back the truck up there and go in and out. The whole
> thing is a joke, they spent a lot of cash to look good, but there is very
> little substance.

nevertheless PAIX hasn't made it to chicago yet, and equinix is quite
a bit more neutral than a normal abovenet/exodus/att/qwest/ibm/uunet
hosting center would be, and that makes them the only game in that town.

i recommend that you work hard at helping them fix whatever it is they're
doing wrong. think of your work in that regard as a public service.

I think that getting caught is a good indication that they take the security
of the facility seriously. Some places will ban you forever if you violate
their policies. The mantrap thing is there for a reason. People are always
free to build out their own spaces however they wish. If you don't like
their policies, don't colo there. Build your own. I like their approach of
controlling access very tightly. Overkill is definitely better than
underkill. My experience is that a lot of security measures that appear
ridiculous or redundant actually act as a defense-in-depth strategy. Their
practice of requiring a guard to leave the control booth to allow someone in
instead of using a buzzer may seem stupid but serves an important but not
entirely well-publicized purpose.

There is no perfect location. Any common location has a certain level of insecurity. I'm sure you could sneak in a squeeze bottle and spray equipment also. The point is, it is a relatively secure location, short of building your own facility or building and manning it.

Even many military installations are open to social engineering. Paul is absolutely right, as a good engineer and customer, put your suggestions in the suggestion box. Or access one of their people on the list. I think Bill Norton is easy to reach by email and so is their CTO.

Dave

Equinix has shown considerable interest in catering to the carrier market,
and has always been very customer service oriented. Their security is
generally good, and their security managers take the sort of stuff you are
talking about very seriously. I have no doubt that they would take some
serious action if told about a propped door.

Their technical folks (Louie, Lane, etc) are sharp, and their helping hands
is far above the level found at most carrier colos. In addition, they have
folks like Bill Norton and Jay Adelson, folks with real service provider
experience, who provide perspective to their ops folks, and who actively
promote things that are good for the internet community like peering. Their
Gigabit Peering Forums are at least as useful as NANOGs, sometimes quite a
bit better.

If you are looking for more basic, non-carrier neutral colo, it's out
there - it might even be cheaper, in the very short run. However, getting
lots of space in, say, Worldcom colos, may sound like a good deal, but it
can cost you dearly in the long run, with incompetent or non-existing remote
hands, dealing with very bad customer service, or bad security.

- Daniel Golding

Paul Vixie wrote....

Which is clearly exhibited by them leaving a side door propped
open, or not checking or securing this door earlier....

  --msa

> Does any one else out there think smart hands at Equinix is a rip off? I

Did you try just asking if you could pull up to the loading dock?

I can only speak to SJC and IAD, but since Equinix in Chicago is in the
ghetto (how many blocks is it from the projects? :P) you would think it
would have decent physical security.

Yes if you get creative enough you can start talking about fake IDs and
drugging someone and taking molds of their hands, but compared to the joke
of most colo security it covers the areas where you could reasonably
expect to see attacks. Personally I'm more concerned about quick and
hassle free access than having to deal with a guard following me around
the entire time.

But I'm sure none of this matters to you, because you probably couldn't
fight your urge to test the security, then got upset when they booted you
for it, am I right? As for being a "rip off", I suggest you price other
carrier neutral colo and then come back with that.

And no I don't have any vested interest in Equinix, I've even had my own
bad experiences with their security (which were dealt with promptly). But
they're still reasonable to deal with, offer an all around excellent
service, and they've done a much better job on security and other fronts
than other colos.

As for the original poster, remote hands service is expensive, and smart
hands is usually for "smart" services. If all you want is "hands" either
drag your...self down to the colo and start lifting, or hire your own
$10/hr rack and stack monkeys.

At any rate, this has no place on nanog.

Leaving or forcing doors to be propped open generally triggers an alarm that
prompts a visit from someone in security. It is entirely possible that
someone who worked at the facility informed the security staff of what they
were doing because they needed to leave the door open to fetch a package or
something that was going to be moved through that door. It's also entirely
possible that someone working there was violating the security policy
entirely. That happens as well. I would need many more fingers and toes to
count the number of sleeping guards I've caught at colo sites.

The point is: people do dumb things that compromise security for everyone in
order to make their own lives easier. A good security plan anticipates
these lapses and puts measures in place to deal with them.

If you haven't worked in an environment where you had to turn in your
cellphone and pager at the front desk, show a badge to a camera around every
corner, and get your office keys from a vending machine, you don't know what
real security looks like.

> I think that getting caught is a good indication that they take the security
> of the facility seriously. Some places will ban you forever if you violate
> their policies. The mantrap thing is there for a reason. People are always
> free to build out their own spaces however they wish. If you don't like
> their policies, don't colo there. Build your own. I like their approach of
> controlling access very tightly. Overkill is definitely better than
> underkill. My experience is that a lot of security measures that appear
> ridiculous or redundant actually act as a defense-in-depth strategy. Their
> practice of requiring a guard to leave the control booth to allow someone in
> instead of using a buzzer may seem stupid but serves an important but not
> entirely well-publicized purpose.

I was not caught, that was my issue. They only gave me a hard time after I
showed them all the issues they had with their security. My issue is they
have very little control.

Nathan Stratton
nathan at robotics.net
http://www.robotics.net

I'm curious -- did they kick you out for the day, or terminate your contract
and move you out?

Basically they said they would ban me personally if I gave their security
people a hard time about their security. I don't think they ever would
terminate a contract if you were paying their sick rates.

Nathan Stratton
nathan at robotics.net
http://www.robotics.net

> Leaving or forcing doors to be propped open generally triggers an alarm that
> prompts a visit from someone in security. It is entirely possible that
> someone who worked at the facility informed the security staff of what they
> were doing because they needed to leave the door open to fetch a package or
> something that was going to be moved through that door. It's also entirely
> possible that someone working there was violating the security policy
> entirely. That happens as well. I would need many more fingers and toes to
> count the number of sleeping guards I've caught at colo sites.

Correct, I am sorry I think that is my point. There are a lot of things
that they SHOULD have been doing, but they were not. I am saying they
spent lots of money on a security image and not on security. They never
found me using the door and that is a problem, when I let them know about
their issues they would rather shut me up than deal with them.

> The point is: people do dumb things that compromise security for everyone in
> order to make their own lives easier. A good security plan anticipates
> these lapses and puts measures in place to deal with them.
>
> If you haven't worked in an environment where you had to turn in your
> cellphone and pager at the front desk, show a badge to a camera around every
> corner, and get your office keys from a vending machine, you don't know what
> real security looks like.

I know what real security looks like, I also know what real security is. I
am saying that I am willing to pay for real security, but I am not willing
to pay for the image of real security and go through the hassle of the
image of real security when there is no real security. I don't know about
all of their sites, but at least two have the security image when you
walk in, but the rest of the building and other entrances have less than
my house.

Nathan Stratton
nathan at robotics.net
http://www.robotics.net

Speaking of paix's and locations, I know the mfn filings have held up
progress but I wondered and maybe others on this list wonder what the
status of the paix nyiix interconnection might be?

Good contract point here - if for any reason Customer's key personnel are
not able to access the facility or equipment, at Customer's option Agreement
may be terminated with 30 days notice.

That will make everyone a little more polite, IMO.

Deepak Jain
AiNET

Then the appropriate person to talk to is the account manager. Catching a
problem yourself doesn't do anyone any good if the management of the
facility (or the company) isn't involved. My experience is that a LOT of
companies want to hear from customers when things go amiss. They can't
always rely on their own employees to let them know when they are falling
down on the job. I've gotten corrective action from people just by
threatening to bring in a higher management layer. People would rather fix
a problem themselves than allow their management to fix it for them.

That presumes there is a single account manager.

With Equinix, there are no less than 5 different people I need to call
depending on what I need. They've shifted account management costs back on
the customer.

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
                               Patrick Greenwell
         Asking the wrong questions is the leading cause of wrong answers
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

Obviously their secret plan to shut you up failed :)

Like commercial ventures, there is a certain amount of fluff and puffery.
Banks still get robbed even with that really, really thick door on the
vault. Most car commercials have fine print at the bottom saying don't do
this insane thing. It gives the sales people something to talk about.
Stick your fingers in your ears and ignore the sales person until you
want to talk about discounts. Any technically savvy person should be
able to do due diligence and determine if a facility meets his needs.

The question isn't really about security, but how it compares to other
facilities of a similar caliber. You could drive a tank, but it's really
hard to park and gets lousy gas mileage. Comparing a car to a tank isn't
very useful. Comparing a Volvo to a Saab might provide information to
make an informed choice.

Is Equinix (PAIX, MFN, NOTA, etc) less secure than NORAD? Yes.
Are there things I wish they did differently? Yes.
Have they ever left a door unlocked? Yes.
Have they ever made a mistake? Yes.

Is Equinix a clean, secure, well-run facility I would trust to house my
equipment? Yes.
Would I also buy insurance and consider a diverse, back up site for my
equipment? Yes.

Disclosure: I'm an ex-employee of Equinix.

I am not an ex-employee of Equinix, so here's my 2 cents:

When we built the IBXs, having spent a couple of years listening to
you folks tell me what you want at the PAIX and elsewhere, I basically
learned it was impossible to satisfy everyone. If you please one network
engineer, you're going to annoy another one, and that's just the way
it works. In the immortal words of Stephen Stuart, "Sorry."

Apparently our secret plan to shut up Nathan did fail miserably. ;)
We'll have to set the hand geometry readers to electrocute him on his
next appearance at the IBX.

1) Fire codes and other local ordinances interfered with my grand plan to
bury you in concrete and eliminate fire exits. ;) In other words, we have
no choice but to put fire exits in there, otherwise many of you would die
in a fire due to the sheer size of our facilities. Fire doors don't work
very well if you can't open them. In some regions, we're allowed by code
to lock it shut for a delay and theoretically that's enough time to send
a guard to hunt you down and remove you. In others we need to let it open,
but an alarm goes off (sometimes silently, other times very loudly) to
accomplish the same effect. If Nathan propped open a door and was able to
enter/exit without being caught then that was a failure and one I'd like
to address... In any case, yes we do have a camera watching you, and we
do keep records of all that, so if you think it's a big security hole and
plan on balancing that GSR on one toe into the back of your pickup so you
can sell it on the street corner go ahead and try. Don't be surprised if
I don't write you in jail.

2) Customers are given one point of contact they can call for anything. You
know, it's that game... if you do what one person wants it annoys another...
So therefore, just like engineers love to call their favorite go-getter of
the day, it's ok for customers to call account reps, SEs, or even network
engineers and folks like me. We don't care. However, if you want to call
the ERC we figure that's fine as well. We thought everyone would want
to bypass humans altogether and use a web site. We were proven wrong
on that front, though some of the more organized customers use the
web interface regardless. So you don't HAVE to call five different people,
but hell, if you want to, have a field day. (What? You mean there is
flexibility? Preposterous!!!)

Finally, remember the point of all this... peering points didn't take into
account the physical issues associated with colo, and we tried to address
them from the network engineer's perspective...paying special attention to
the VERY different colocation needs for different customers. Oh yeah,
and then try and duplicate it exactly in seven buildings. At 3am one
day maybe even Nathan can appreciate the way we designed them... Being
a colo provider is a necessary evil needed to accomplish the much more
important goals of solving certain other exchange point issues.

> 2) Customers are given one point of contact they can call for anything.

I'm your customer and I'm telling you that I haven't been and when I've
specifically asked for a single point of contact I've been told that I
need to contact a variety of people based on what it is I need.

> You know, it's that game... if you do what one person wants it annoys
> another... So therefore, just like engineers love to call their favorite
> go-getter of the day, it's ok for customers to call account reps, SEs,
> or even network engineers and folks like me. We don't care.

Really?