Monday, May 25, 2015

Leg Work

I always wanted to write a program that took forever to run just due to the amount of processing it did.  Now, I think I’ve got one. 

Unless I remember to run the thing frequently, it takes about 85 minutes to process through all the files I’ve collected to watch the status of my network.  That’s not pleasant, but it’s working on getting better.  It shouldn’t take as long the next time, as I’ve written in a few checks and balances that prevent it from re-checking every single file over again.  I end up running a “select everything and see if you return nothing” comparison.  Afterwards, I move the folder off to a different directory to archive and eventually clean up that directory.

Which, all of that seems to be working properly.  For the most part.  There are still some issues I need to debug, and some error conditions that need to be solved.  But it’s working better than it did.  The second part is that I’ve finally got it to where it will take multiple input units in the same file, so you don’t have to have multiple scripts logging in every five minutes.  The next part is to start working on NAT table translating and interpretation.  I’m not sure how I want to do that as of yet.  Show ip nat translations gives all the translations, but is that enough information?   What else would I want?

I think that’s the basic problem of all network security people.  You want to gather information, but it begs the question of what the correct amount of information is, and what really needs to be stored.  And there is always the question of when enough is enough.

Flipping back through my Cisco book, it looks like I’m going to need show ip nat translations verbose for several different reasons.  The main reason is that it tells when that connection was last used, and that’s vital to proper identification of what has happened.  It provides the “when” and “how long” needed to trace information back to the source.

Show ip nat translations just gives a static view of an event that happened. The connection could have lasted for seconds or it could have lasted for hours.  There is no way to tell.  So the need is to translate the verbose method of the call.  
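As an added example (not the blog’s own code, which the author says is Java; this is Python), a parser that pulls the create/use/left timers out of show ip nat translations verbose and turns them into the “when” and “how long” the post is after.  The sample output and the CAPTURED_AT timestamp are constructed assumptions, and the timers are assumed to be in HH:MM:SS form.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample of `show ip nat translations verbose`, not from a real device.  Timers
# are HH:MM:SS ages at capture time (create = entry age, use = since last packet, left =
# until expiry); CAPTURED_AT is the assumed wall-clock moment the output was collected.
CAPTURED_AT = datetime(2015, 5, 25, 12, 0, 0)
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.10:1024  192.168.1.95:1024  198.51.100.20:23   198.51.100.20:23
    create 00:01:03, use 00:00:10, left 23:58:49, flags:
extended, use_count: 0
udp 203.0.113.10:53022 192.168.1.44:53022 198.51.100.53:53   198.51.100.53:53
    create 02:15:40, use 01:59:12, left 00:00:48, flags:
extended, use_count: 0
--- 203.0.113.11       192.168.1.200      ---                ---
    create 10:20:00, use 00:00:02, left 23:59:58, flags:
static, use_count: 1
"""
ENTRY_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")  # exactly five columns
TIMES_RE = re.compile(r"create (\d+:\d\d:\d\d), use (\d+:\d\d:\d\d)[^,]*, left (\d+:\d\d:\d\d)")
@dataclass
class NatEntry:
    proto: str
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str
    create_s: Optional[int] = None  # seconds since the translation was created
    use_s: Optional[int] = None     # seconds since it last carried traffic
    left_s: Optional[int] = None    # seconds until the entry times out
    def active_seconds(self) -> Optional[int]:  # "how long": creation until last use
        return None if self.create_s is None else self.create_s - self.use_s
    def last_used_at(self, captured_at: datetime) -> Optional[datetime]:  # "when"
        return None if self.use_s is None else captured_at - timedelta(seconds=self.use_s)
def hms_to_seconds(text: str) -> int:
    h, m, s = (int(p) for p in text.split(":"))
    return h * 3600 + m * 60 + s
def parse_nat_verbose(output: str) -> List[NatEntry]:
    entries: List[NatEntry] = []
    for line in output.splitlines():
        m, t = ENTRY_RE.match(line), TIMES_RE.search(line)
        if m and not line.startswith("Pro"):  # a translation row (skips the column header)
            entries.append(NatEntry(*m.groups()))
        elif t and entries:  # the indented timer line belongs to the row just parsed
            entries[-1].create_s, entries[-1].use_s, entries[-1].left_s = map(hms_to_seconds, t.groups())
    return entries
```

Static entries show up with "---" in the outside columns, and an entry whose "use" timer has caught up with "left" is about to age out, so it is worth recording before the next poll.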

Where do I go from there?  I don’t know.  At some point I’ve got to figure out how to make Apache work the way I want it to.  But that?  That’s another day.


Note: bold notations are specific Cisco commands.  

Tuesday, May 19, 2015

The next steps

Now that the Routing and Switching class is over, it's time to get ready for the CCENT.  I'm aiming for that in the next month.  I was aiming for two weeks, but I can get a voucher for half-priced testing, so I'm going to go for the voucher.

That being said, let's go back to network security.

I had an AHA! moment last week on network security, and it leads me to believe a very large vendor does not really provide security updates.  They also have some serious problems with their code.  It's all Apache web server, but it's an unpatched version of Apache that still has some serious vulnerabilities.

About a year ago, or maybe a little less, I realized when we replaced a router, all of our internal vulnerability scans started passing.  It was weird.  But I didn't know what it could have been.  Over the past couple of weeks, I've been working on replacing their router with my own.  After breaking our internal vulnerability scanner for a couple of weeks, our vendor finally fixed the device.

About the same time, we ran into a situation where a location suddenly started showing up as failing when it had been passing.  Thinking back, during the intervening period we had upgraded the site and swapped out the equipment.  At that point, we had swapped out a router.  And suddenly the site started failing scans.

Not suddenly, but it seems like it.  So I started thinking about what could have gone wrong during the upgrade.  Everything is built from standard equipment.  The results are pretty predictable and cookie cutter.  So how did this cookie fall out of the cutter mess up?  We'd tried a different configuration with the router, and the site ended up failing internal scans.

So, why did this router fail and the other pass?  It's pretty simple: access control lists.  There was an implicit deny on the VLAN with the internal scanner.

Now I know why my scans are all passing.  The door to the scanner is closed.  And the equipment we're dealing with is nowhere near as secure as we thought.  All because of Apache.

It's also the realization that I can fake a passing scan in less than 30 minutes by simply throwing an ACL in every single router we have.  It'd be easy.  I already know the syntax.  Come to think of it, I could make it highly precise, so it wouldn't be something I could automate.

Anyways.

It just pisses me off that a multi-national company can't patch Apache.  Or, that I have to find the holes in their system.

Now, off to figure out Apache on my own so I can ramp up my network baselining and turn all the data I've collected into something usable.

I should probably write an article on that.   It's basically a combination of Java, MySQL, and some Ubuntu cron jobs.

Wednesday, May 13, 2015

end of a semester

Routing and Switching is over.   Finished the final with an 85, closed book closed notes.

That should give me an A for the semester.  I need to prepare for the CCENT for the next 2-3 weeks, and then go take that.  Based on the Routing and Switching final, I need to study OSPF more.  I missed more than I would have liked on that.

Scaling Networks is next.   The book is on order.  I spent a few minutes looking through the chapter headings on the final book, and found the PPPoE section.   Yeah.  Book 4, right before the CCNA.

Moving on.   Back to site construction tomorrow, now that finals are complete.   Yay.

Monday, May 11, 2015

construction

Working on a site out of town.   Learning many new things.  The crash course in PPPoE was interesting.

Routing and Switching class final is tomorrow.  Need to schedule the CCENT for about 2 weeks from then.  That should give me enough time, without being too much time.

I think I've come to the conclusion that IPv6 will permanently be a WAN interface technology, while the world uses dual stack routers to NAT into IPv4 private addresses.  

One bad tracert and a nefarious person could find your entire inner networking scheme.  But that doesn't work if NAT is involved.  The door shuts at the front door, and not somewhere inside.  That's really the problem with globally routable IP addresses inside your network.  If you don't have tracert blocked, you'll end up giving away your entire network structure.

It's not the "one shot, one kill" approach to network security.  There isn't such a thing.  There is only security in depth.   Walls and trenches and gates and guards and ACLs and NAT and every other thing you can possibly throw between you and the outside world.  Maybe some machine gun nests and razor wire, as well.

Friday, May 1, 2015

Onwards towards mastery (not even .01% complete)

I’m still continuing with my project towards mastery of Java.  I’ve said this before, but that’s 10,000 hours of working on Java programs.  I should probably be working on something like C++, but I’d rather not.  I spent a lot of hours on C++, and I just got pissed rewriting the same program over and over.  Or forgetting what one section meant and having to rebuild the entire thing from scratch when something impossibly stupid quit working.

Anyways, after 4 and a half hours, I can tell a difference in my technical abilities.  Yeah, there are still a lot of things to do and places to go.   I can tell you I’ve gone off in directions I’ve only contemplated going before.  Now, those areas are becoming a reality.

And I’ve picked up this blog at over 7 hours.  Yeah.   Can you say leaps and bounds?  I’m beginning to see what is described when mastery is discussed.  7 hours of programming later, Java makes a lot more sense and doesn’t seem to be causing me nearly as many headaches.  I’ve probably done things in the slowest and most backwards way, but I don’t care.  It’s been a great learning experience.  I wish I could code for hours and hours on end, but I don’t have that kind of time.  Though I do admit, what I’m working on would definitely be useful in the creation of things I do.

It really feels good watching an idea come together, even though it has taken a considerable amount of time.  What was originally just some random pipe dream is moving towards half complete.  There are still a lot of changes, and some hard information to go through.  But I’m becoming convinced the path to mastery is a worthwhile path.

Though mentally, there’s the realization that I haven’t even completed 1/10th of 1 percent of the task.  But there’s a lot of fun to be had along the way.  Because really, the idea of staring at nothing and producing something great off the top of your head only works when you’ve done the prerequisite work.  And most haven’t.

But who cares about them?  You are either on a path to a goal, or you aren’t.  And all those other people who whine and complain need to decide what they want to do with their lives.  Because really, it’s nothing more than the application of time.  Malcolm Gladwell said it pretty distinctly: all you need to be a solo-ready musician is 10,000 hours of practice.  Anyone who puts in 10,000 hours of play can be a solo-ready musician.  Everyone who puts in 10,000 hours of play can be a solo musician.  Technically, anyone can do it.  It’s just a matter of putting in the time.