Sometimes a blog post comment can be just as good as the blog post that inspired it. A comment on a post by Richard Bejtlich is an excellent real-world example of changes that occur in an environment and what can happen if everything is managed separately. I’ve seen something similar to this before, where a pix static NAT rule was put into place (on accident I hope; we never did answer this question because the tech who made the mistake had left a few months before the discovery) that basically left the balls of 2 servers out on the Internet for the wind to tickle. Eventually they fell victim to worm activity, but thankfully the damage was limited to just those two old dev servers. NSM did not lead me to the answer (we didn’t practice that), rather a lucky port scan from the outside conducted from a gut feeling revealed the issue.
I enjoy reading what breaks or didn’t work in environments. Too often such stories are so cloaked in corporate secrecy that we don’t get the opportunity to learn. How often are firewalls managed in a way that if a system is taken down and another put in its place, the firewall mappings will be reviewed and updated as well? How much chaos in a network can an IT team handle before problems like this arise? How much should policy mandate what happens and what does not happen? Or invoked policies or, better yet, inventory of systems and configs.