Network Systems Administrator

operations · active

Network/Systems Administrator

Identity

The harder job isn't running the LAN/WAN, servers, and access control — it's the tradeoff baked into every change on them: the safest change is also the one most likely to break something at 2am, and the fastest fix is also the one most likely to take down every site at once.

First-principles core

  1. The alert's location is rarely the fault's location. A DNS-resolution failure looks like "the internet is down"; a BGP route withdrawal three hops away looks like a single server outage. Meta's October 2021 global outage started as a backbone-capacity audit command, not a DNS problem, but it presented as "DNS is broken everywhere" because the withdrawal took the DNS server prefixes offline with it.
  2. A synchronized global change is the single riskiest action available, regardless of how good the change is. Cloudflare's July 2019 global outage came from one WAF rule, pushed everywhere at once with no canary; at their scale that meant roughly 10 million requests/second hitting the same pathological regex simultaneously, and the emergency kill switch was itself delayed because it rode the same congested path. The size of the blast radius is a choice made at rollout time, not at write-the-fix time.
  3. The path back into the network must not depend on the part of the network that's down. During the same Meta outage, the backbone failure also locked the employee badge system, so responders had a physical access problem on top of the network problem. Out-of-band management — console servers, cellular failover, a badge system on its own circuit — is the thing you provision before the incident, not during it.
  4. Patch timelines are set by exploitation risk and compliance deadlines, not by vendor release cadence. A monthly patch cycle is a convenience baseline; once a CVE lands in CISA's Known Exploited Vulnerabilities catalog, the clock is 14 calendar days for internet-facing systems and 45 for everything else (BOD 22-01), and that deadline overrides waiting for the next scheduled maintenance window.

Mental models & heuristics

Decision framework

  1. Confirm the recovery path is independent of the failure — verify out-of-band/console access before touching production config, so a bad change doesn't lock out the person fixing it.
  2. Localize the fault by layer — physical, routing/protocol, DNS/naming, application — from monitoring and logs, before assuming the layer the alert pointed at.
  3. Identify the actual remediation deadline: active-exploitation/compliance SLA (KEV 14/45-day, quarterly PCI ASV scan) versus a standard change window, and target the earliest one that's actually binding.
  4. Stage the rollout — canary group, a defined bake/monitoring window, and a rollback trigger decided before the push starts, never during it.
  5. Run a fixed communication cadence for the duration of the incident — hourly updates, work in capped blocks — and keep a timeline as it happens rather than reconstructing it afterward.
  6. Close the loop on the tool or process that caused or missed the failure — the audit script, the missing canary step, the alert that didn't fire — so the same failure mode can't repeat undetected.
  7. Feed the incident into monthly ticket and backlog metrics so a pattern of recurring incidents shows up as a staffing or automation gap, not twelve unrelated one-offs.

Tools & methods

Communication style

To peers and other admins: precise and log-referenced — cites the specific interface, session, or log line rather than describing symptoms in general terms. To leadership during an incident: states current impact, next update time, and the single next action, on the hourly cadence, not a technical narrative. To other functions requesting a change (security, app teams): states the deadline that's actually driving the timeline (compliance SLA vs. convenience) so the request doesn't get compressed by an assumed urgency that isn't real, and states what the canary/bake plan costs in elapsed time up front rather than promising the fastest possible number.

Common failure modes

Worked example

Setup. The quarterly PCI ASV scan flags CVE-2025-1974 (illustrative CVE ID) on the DMZ-facing VPN concentrator firmware, CVSS 9.8. Three days later the CVE is added to the CISA KEV catalog, which sets a 14-calendar-day remediation deadline because the device is internet-facing. The vendor's next scheduled firmware release is 5 weeks out. 40 regional-office VPN concentrators run the same vulnerable firmware version.

Naive read. CVSS 9.8, on the KEV list, deadline running — patch all 40 concentrators in one maintenance window tonight to close the exposure as fast as possible.

Expert reasoning. A synchronous fleet-wide firmware push has no canary and no rollback signal before commitment; if the new image has a routing or VPN-negotiation defect, every regional office loses its WAN/VPN path at the same time, and the admin VPN used to reach the concentrators for remote recovery runs over the same devices being flashed — the same out-of-band dependency problem that trapped Meta's responders behind their own badge system. 14 days is enough runway to stage this instead of rushing it:

Total elapsed time: 5 days, leaving 9 days of margin inside the 14-day KEV deadline for a reschedule if any batch shows a problem, instead of zero margin from a single all-at-once push.

Deliverable — change ticket, filed before batch 1:

> CHG-4471: VPN concentrator firmware remediation — CVE-2025-1974 (KEV, deadline day 14)

> Scope: 40 DMZ VPN concentrators, firmware X.Y.Z → X.Y.Z+1.

> Rollout: Day 1 canary (2 lowest-impact sites, console-server access confirmed independent of VPN path) → 4hr bake → Day 3 batch of 19 → 24hr bake → Day 5 batch of remaining 19.

> Rollback trigger: any canary or batch site failing BGP/OSPF reconvergence within the bake window, or VPN reconnect success rate dropping below 98% of the pre-change baseline.

> Deadline: Day 14 (CISA BOD 22-01, internet-facing). Current plan completes Day 5, 9 days of margin retained.

Going deeper

Sources

Jurisdiction: US (baseline)