Tuesday, May 19, 2015

The next steps

Now that the Routing and Switching class is over, it's time to get ready for the CCENT.  I'm aiming for that in the next month.  I was aiming for two weeks, but I can get a voucher for half-priced testing, so I'm going to go for the voucher.

That being said, let's go back to network security.

I had an AHA! moment last week on network security, and it leads me to believe a very large vendor does not really provide security updates.  They also have some serious problems with their code.  It's all Apache web server, but it's an unpatched version of Apache that still has some serious vulnerabilities.

About a year ago, or maybe a little less, I realized when we replaced a router, all of our internal vulnerability scans started passing.  It was weird.  But I didn't know what it could have been.  Over the past couple of weeks, I've been working on replacing their router with my own.  After breaking our internal vulnerability scanner for a couple of weeks, our vendor finally fixed the device.

About the same time, we ran into a situation where a location suddenly started showing up as failing when it had been passing.  Thinking back, during the intervening period we had upgraded the site and swapped out the equipment.  At that point, we had swapped out a router.  And suddenly the site started failing scans.

Not suddenly, but it seems like it.  So I started thinking about what could have gone wrong during the upgrade.  Everything is built from standard equipment.  The results are pretty predictable and cookie cutter.  So how did this cookie fall out of the cutter and get messed up?  We'd tried a different configuration with the router, and the site ended up failing internal scans.

So, why did this router fail and the other pass?  It's pretty simple: access control lists.  There was an implicit deny on the VLAN with the internal scanner.

Now I know why my scans are all passing.  The door to the scanner is closed.  And the equipment we're dealing with is nowhere near as secure as we thought.  All because of Apache.

It's also the realization that I can fake a passing scan in less than 30 minutes by simply throwing an ACL on every single router we have.  It'd be easy.  I already know the syntax.  Come to think of it, I could make it highly precise, so it wouldn't be something I could automate.
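From the defender's side, the lesson above is that a scan which never reached its target must not be recorded as a pass.  Here is an added example (not from the post) of that check in Python: a per-host canary service that is known to be listening must show up in the scanner's open-port list, otherwise a clean result is marked inconclusive instead of passing.  The scan summary CSV and the canary table are constructed.

```python
import csv
import io

# Constructed per-host scan summary (not real scanner output): the open ports
# the scanner saw and the number of vulnerability findings it reported.
SAMPLE_SCAN_CSV = """\
host,open_ports,findings
10.0.1.10,22;443,0
10.0.1.11,22;80,3
10.0.1.12,,0
10.0.1.13,443,0
"""

# Constructed canary table: one service per host that is known to be listening
# and that the scanner must be able to reach.  If it is missing, the scanner was
# blocked (for example by an ACL on the scanner VLAN) and the host was never tested.
CANARY_PORT = {"10.0.1.10": 22, "10.0.1.11": 22, "10.0.1.12": 22, "10.0.1.13": 22}


def classify_host(open_ports, findings, canary_port):
    """Classify one host: 'fail' if anything was found, 'pass' only when the canary
    answered and nothing was found, otherwise 'inconclusive' (a closed door)."""
    if findings > 0:
        return "fail"
    if canary_port is None or canary_port not in open_ports:
        return "inconclusive"
    return "pass"


def classify_scan(csv_text, canary_ports):
    """Return {host: verdict} for every row of a scan summary."""
    verdicts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ports = {int(p) for p in row["open_ports"].split(";") if p}
        verdicts[row["host"]] = classify_host(
            ports, int(row["findings"]), canary_ports.get(row["host"]))
    return verdicts


def inconclusive_hosts(verdicts):
    """Hosts whose clean result cannot be trusted: they need a reachability fix, not a checkmark."""
    return sorted(h for h, v in verdicts.items() if v == "inconclusive")
```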

Anyways.

It just pisses me off that a multi-national company can't patch Apache.  Or, that I have to find the holes in their system.

Now, off to figure out Apache on my own so I can ramp up my network baselining and turn all the data I've collected into something usable.

I should probably write an article on that.   It's basically a combination of Java, MySQL, and some Ubuntu cron jobs.

Wednesday, May 13, 2015

end of a semester

Routing and Switching is over.   Finished the final with an 85, closed book closed notes.

That should give me an A for the semester.  I need to prepare for the CCENT for the next 2-3 weeks, and then go take that.  Based on the Routing and Switching final, I need to study OSPF more.  I missed more than I would have liked on that.

Scaling Networks is next.   The book is on order.  I spent a few minutes looking through the chapter headings on the final book, and found the PPPoE section.   Yeah.  Book 4, right before the CCNA.

Moving on.   Back to site construction tomorrow, now that finals are complete.   Yay.

Monday, May 11, 2015

construction

Working on a site out of town.   Learning many new things.  The crash course in PPPoE was interesting.

Routing and Switching class final is tomorrow.  Need to schedule the CCENT for about 2 weeks from then.  That should give me enough time, without being too much time.

I think I've come to the conclusion that IPv6 will permanently be a WAN interface technology, while the world uses dual-stack routers to NAT into IPv4 private addresses.

One bad tracert and a nefarious person could find your entire inner networking scheme.  But that doesn't work if NAT is involved.  The door shuts at the front door, and not somewhere inside.  That's really the problem with globally routable IP addresses inside your network.  If you don't have tracert blocked, you'll end up giving away your entire network structure.

It's not the "one shot, one kill" approach to network security.  There isn't such a thing.  There is only security in depth.   Walls and trenches and gates and guards and ACLs and NAT and every other thing you can possibly throw between you and the outside world.  Maybe some machine gun nests and razor wire, as well.

Friday, May 1, 2015

Onwards towards mastery (not even .01% complete)

I’m still continuing with my project towards mastery of Java.  I’ve said this before, but that’s 10,000 hours of working on Java programs.  I should probably be working on something like C++, but I’d rather not.  I spent a lot of hours on C++, and I just got pissed rewriting the same program over and over.  Or forgetting what one section meant and having to rebuild the entire thing from scratch when something impossibly stupid quit working.

Anyways, after 4 and a half hours, I can tell a difference in my technical abilities.  Yeah, there are still a lot of things to do and places to go.   I can tell you I’ve gone off in directions I’ve only contemplated going before.  Now, those areas are becoming a reality.

And I’ve picked up this blog at over 7 hours.  Yeah.   Can you say leaps and bounds?  I’m beginning to see what is described when mastery is discussed.  7 hours of programming later, Java makes a lot more sense and doesn’t seem to be causing me near as many headaches.  I’ve probably done things in the slowest and most backwards way, but I don’t care.  It’s been a great learning experience.  I wish I could code for hours and hours on end, but I don’t have that kind of time.  Though I do admit, what I’m working on would definitely be useful in the creation of things I do.  

It really feels good watching an idea come together, even though it has taken a considerable amount of time.  What was originally just some random pipe dream is moving towards half complete.  There’s still a lot of changes, and some hard information to go through.  But I’m becoming convinced the path to mastery is a worthwhile path.

Though mentally, there’s the realization that I haven’t even completed 1/10th of 1 percent of the task.  But there’s a lot of fun to be had along the way.  Because really, the idea of staring at nothing and producing something great off the top of your head only works when you’ve done the prerequisite work.  And most haven’t.

But who cares about them?  You are either on a path to a goal, or you aren’t.  And all those other people who whine and complain need to decide what they want to do with their lives.  Because really, it’s nothing more than the application of time.  Malcolm Gladwell said it pretty distinctly: all you need to be a solo-ready musician is 10,000 hours of practice.  Anyone who puts in 10,000 hours of play can be a solo-ready musician.  Technically, anyone can do it.  It’s just a matter of putting in the time.

Thursday, April 9, 2015

Logical fallacies

I keep seeing posts wander through the Internet about a husband that wants to pay his wife to stay home with their child.  In the end, he’s mad because he can’t pay her his perceived salary of close to $100,000 per year and still pay the bills.  

Let me say this up front: my wife is a stay at home mom of three kids, not one.  She has a very hard job in taking care of the household.

The value my wife adds to my life is incapable of being counted.  If I lost my wife, my life would be devastated from the loss of her.  Not from the loss of what she does.  I love her to death.

But it’s not a $100,000 a year job on the open market. 

It’s a horrible argument that is used to trump up the job of stay at home moms.  It’s an argument made by people who don’t know business.  It’s an argument made by people who want money for breathing.  If any one of these people really forked out the kind of money they talk about, they would quickly change their standards. 

But let’s get to the real problem with the argument.  The original writer of the argument assumes that everything a stay at home mom does should get charged at a different rate.  That’s just crazy.  Let’s make an adequate comparison.  I have an office.  I keep it relatively clean most of the time.  I don’t get paid a dime to clean my office.  I clean it because I’m not a slob, and because I’m an adult.  I clean it because it’s part of presenting a professional appearance.  But I don’t get paid a separate rate to clean my office.  I don’t work for a union that says I can only do one single job.  I do it all because that is what I was hired to do.  I have to do my job, plus all sorts of other little things that seemingly have nothing to do with my job.  Clerical?  Tied in with the package.  Negotiation?  With the package.  Data entry?  Part of the job.

The major invalid assumption of the argument is that each service is being purchased à la carte from an outside vendor.  That can be done, but hiring à la carte is about hiring a professional.  And hiring a professional means you get someone who works faster than the average person at their job.

Let’s compare laundry.  If I was to hire à la carte for laundry, then I would bag my laundry up, and leave for work a few minutes early.   I would stop by a laundromat and drop off my laundry, and pay by the pound to get someone else to clean my laundry.   I would come back on my way home to find my laundry complete and ready for pickup.  Total amount of my time: 20 minutes.  And laundry goes for about $1 a pound.  Given an adequate clothes supply, laundry could be dropped off once or twice a week without real problems.


Following that same line of reasoning, you could easily negotiate salary positions to handle every single household task.  And once the child becomes school age, then the amount of time hired to do those tasks drops dramatically due to the child being in school.  The average day would go from 10 hours to 5.  Half the time involved?  Half the pay involved.  Unless the nanny is hired at salary.  And that’s what the intelligent nanny is going to do to even out their paycheck.

Now, I'm excluding places where living expenses are out of control.  Those places are just flat crazy.  And $100,000 in those local dollars is really not the same amount in comparison to other locations.

Realistically, I've had to think about what would happen if my wife died.  And in that case, what would I do?   Really, I could replace my wife with a 15 year term life insurance policy for about $500,000.   In comparison, I need about $800,000 on me.  That's from the purely financial perspective.  

Due to getting out of debt, I don't have $800,000 on me.  I have $400,000.   So should I die, my wife is good for 5-6 years.  Should she die, I'm screwed as I don't have anything on her.  Kids each have a $10,000 burial stipend tied to my life insurance policy.  And term life is cheap.  I pay about $35 per month.


Saturday, April 4, 2015

Speaking of Java and MySQL

So, I finally got my Java/MySQL connection working.

Hooray!


https://help.ubuntu.com/community/JDBCAndMySQL was where I learned to fix the "class not found" issue.

After that, I dug up http://www.tutorialspoint.com/jdbc/jdbc-quick-guide.htm to get instructions on how to use/connect to the database.

Afterwards, I was capable of spitting out information to the system console from the database.  Holy crud!  

Definitely making progress today.

Yay.

Wednesday, April 1, 2015

The first two hours

In trying to program 10,000 hours worth of stuff in Java, I realized I was going to be building a whole lot of stuff.  After two hours, I’ve finished the first program.  It’s a translator that takes CIDR notation information and turns it into Snort rules.  The entire purpose is to block entire countries.  The problem is countries are large and have a lot of IP addresses.  Blocking China takes a few thousand lines of CIDR notation.   And aggregate it all into smaller routes?  Highly unlikely.  So you end up with 3,000 lines that you can either manually parse through or write a program to parse through.  I chose to write a program.
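As an added illustration (not the author's Java program), here is the CIDR-to-Snort translation in Python; it also merges adjacent and overlapping prefixes with the standard library's ipaddress.collapse_addresses before emitting rules, which goes a step beyond what the post describes.  The feed text, the "Example" label and the sid range starting at 1000001 are constructed assumptions.

```python
import ipaddress

# Constructed sample country feed (not a real allocation list): one prefix per
# line, with a comment, a redundant prefix and a junk line to exercise the parser.
SAMPLE_CIDR_FEED = """\
# constructed example feed
203.0.113.0/25
203.0.113.128/25
198.51.100.0/24
198.51.100.0/26
not-a-prefix
"""


def parse_cidr_feed(text):
    """Turn feed text into ip_network objects; comments, blanks and junk are skipped."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # malformed entry: skip it rather than abort the whole build
    return nets


def aggregate(nets):
    """Merge adjacent and overlapping prefixes (two /25s become one /24), per address family."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def snort_rules(nets, label, first_sid=1000001):
    """One rule per prefix.  'drop' needs Snort in inline mode (use 'alert' to only log);
    sids from 1000000 upward are the range reserved for local rules."""
    return [
        f'drop ip {net} any -> $HOME_NET any '
        f'(msg:"Blocked {label} range {net}"; sid:{first_sid + i}; rev:1;)'
        for i, net in enumerate(nets)
    ]


def build_ruleset(feed_text, label):
    """Parse, aggregate and render: the whole pipeline the post describes."""
    return snort_rules(aggregate(parse_cidr_feed(feed_text)), label)
```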

And I’ve also come to the realization that in the run to get 10,000 hours, I’m going to program a lot of stuff.  That is a lot of time.  At 30 minutes per day, that’s 54 YEARS.  So at some point, I’m definitely going to have to put in a lot more effort than I currently am.  
 
So now that the Snort builder is done, what’s next?  Probably moving back to my automatic network test application.   Which is mostly writing text parsing.  From there, I’ve got to figure out how to design a database structure and get the information into a database.   From the database, I have to get data into a web form and display it on a web server that doesn’t exist. 

Just a slight bit complicated, but I’ve got nothing but time.  

After that, there's a SHA application I've been contemplating.  SHA is the Secure Hash Algorithm.  It's essentially a long number computed from the contents of a file.  Well, if the SHA is the same for two files, then the files are the same.  So if you have a desire to back up data, you can create a SHA of every file on your system, and every file on the remote system.  Compare those two lists together, and identify which files need to be transferred.  Do so, and you synchronize the data on both systems.
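An added example, not the author's code, of the manifest-and-compare idea described above: hash every file under two directory trees with SHA-256 and work out which files need to be copied over and which exist only on the remote side.  The local and remote trees are constructed in temporary directories inside the block.

```python
import hashlib
import os
import tempfile

def sha256_of_file(path, chunk_size=65536):
    """Digest a file in chunks so large files never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest(root):
    """Map every relative file path under root to its SHA-256 digest."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_of_file(full)
    return out

def plan_sync(local, remote):
    """Compare two manifests.  Equal digests mean identical content, so only
    files whose digest differs or is missing remotely are copied; files that
    exist only remotely are listed for deletion.  Digests say nothing about
    permissions or timestamps, which a real backup would track separately."""
    to_copy = sorted(p for p, d in local.items() if remote.get(p) != d)
    to_delete = sorted(p for p in remote if p not in local)
    return to_copy, to_delete

def _write_tree(root, files):
    """Create a constructed tree of files under root."""
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)

def demo():
    """Constructed local and remote trees in temp dirs; returns the sync plan."""
    local_files = {"a.txt": b"hello", "sub/b.txt": b"world", "c.txt": b"new file"}
    remote_files = {"a.txt": b"hello", "sub/b.txt": b"changed", "old.txt": b"stale"}
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        _write_tree(src, local_files)
        _write_tree(dst, remote_files)
        return plan_sync(manifest(src), manifest(dst))
```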

It's an idea.  Like I said, 10,000 hours is a lot of time.  A whole lot of time.

side note: I realize this is April Fools Day.  I am not a practical joker.