Nokia Console Cables

It’s been a while since I’ve been up close & personal with a Nokia firewall, but recently I’ve needed to play.

The first thing I noticed was that the console cable has changed. Now let’s not focus too much on the design flaw whereby you can’t actually get your fingers in properly to release the cable, but at least they got rid of the DB9-type serial thing that kept breaking.

The good news is, looking at the cable colours you can see that the cables are rollover cables – exactly the same as cisco uses – great! One less thing to carry around in the laptop bag :-D

Nagios Checker – Firefox Extension

Been looking for something like this for a while…..

Nagios Checker | Firefox Add-ons | Mozilla Corporation
The statusbar indicator of the events from the network monitoring system Nagios. Information is parsed from the Nagios web interface. In the extension settings dialog simply fill in the start page URL of your Nagios web interface, e.g. http://www.yourfirm.com/nagios/ and let the button locate the status script URL.

Sneak Peek !

“Oh the anticipation will send me mad!”

Posting has been a bit slow, November really was a poor month! The reason will become clear if you peek over to my new business site … yep that’s right, I have a local linickx! :)

I’ve been busy writing guides on some basic Internet stuff, and the really techie bits will end up here, hence my post about Linux security. It’s been a while since I’ve had to do some operational maintenance, but all the old favourites are back; in fact my Nagios knowledge has improved so I’ll try and share that too!

I think this new venture adds the perfect balance to my site: professional input from my cisco networking experiences, and now security & Linux for online servers & services… All I need now is a PS3 and I can party all the way home!

Securing a Linux box – my Tips !

November was a slow posting month, the reason being that I’m working on a rather time-consuming project; one of the areas I’ve had to focus on again is Linux security.

Security goes on and on forever; you can do as much or as little as you deem necessary. Too much will consume resources*, too little opens you up to attack. This article talks about some steps I take. Be advised tho’ this will generate a load of e-mails, and if you’re not going to read them why bother implementing them?

The first point of security is “need to know” – only install what you need. Applications, people and operating systems all have flaws, so the less you install the lower your risk. I get that the command line for n00bs is a problem so you might want to install GNOME or KDE to get started, but that’s not to say they need to be installed on your production servers. I make an effort to test everything offline (in a VMware machine since £££ are tight) and when I’m happy I upload or copy what I need.

Another golden rule is patch patch patch. It’s a good idea to subscribe to application mailing lists; where possible I use YUM (I’m a redhat/fedora/centos/whitebox man) and then I have the following script in /etc/cron.daily to tell me what needs patching.

#!/bin/bash
# /etc/cron.daily script: cron mails whatever this prints to root (or MAILTO) once a day
yum list updates

Now the basics are covered you need to “lock down” your box. For this I’d recommend bastille-linux; it’s a script that tightens up existing installs, and it covers firewall (iptables) settings for you as well.

Moving on, you now need some kind of intrusion detection. Let’s be honest, no-one knows everything about Linux, so how do we know if it’s been hacked? To start with I like to use Tripwire. Tripwire goes through the files on your hard drive and creates a database; if they change, a report shows you what changed and when.

Getting paranoid. Rootkits are the Linux virus, so I like to install a detection method – well, actually two, chkrootkit and Rootkit Hunter (rkhunter); hopefully one will find something.

Even more paranoid. Get your box to e-mail you if someone logs in as root. Edit /root/.bash_profile and add the following to the end…

# mails the date and the current who(1) listing every time a root login shell starts;
# the awk '{print $6}' takes the sixth column of every who line, so check that column holds the remote host on your system
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

Now I actually don’t use root – the password is set using this generator and I force all users to use sudo – which allows me to make a couple of important changes to SSH (/etc/ssh/sshd_config):

AllowUsers someadmin
PasswordAuthentication no

Notice that password authentication can’t be used… google has some great documents on the alternatives.
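As an added example (not from the original post), here is a small POSIX sh check for the two sshd_config settings above; it assumes constructed sample configs written to temp files and demonstrates a caveat: sshd honours the first value it finds for a keyword, so a hardening line appended below an existing default is silently ignored.

```shell
#!/bin/sh
# Added example, not from the original post. sshd uses the FIRST value it meets
# for a keyword, so "PasswordAuthentication no" appended below a distro default
# "PasswordAuthentication yes" leaves password logins enabled.

# sshd_effective FILE KEYWORD: print the value sshd will actually use
# (first non-comment match, keyword compared case-insensitively, "Key value"
# and "Key=value" forms both accepted). Prints nothing if the keyword is unset.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }   # trim whitespace
        /^#/ || /^$/ { next }                           # comments and blanks
        {
            line = $0
            sub(/[ \t]*=[ \t]*|[ \t]+/, " ", line)      # first separator -> space
            i = index(line, " ")
            if (i == 0) next
            if (tolower(substr(line, 1, i - 1)) == key) {
                print substr(line, i + 1)
                exit
            }
        }' "$1"
}

# sshd_audit FILE: return 0 only if both hardening settings are effective
sshd_audit() {
    rc=0
    [ "$(sshd_effective "$1" PasswordAuthentication | tr 'A-Z' 'a-z')" = no ] \
        || { echo "WARN: password authentication is still effective"; rc=1; }
    [ -n "$(sshd_effective "$1" AllowUsers)" ] \
        || { echo "WARN: no AllowUsers restriction"; rc=1; }
    return $rc
}

# Constructed sample configs (not real files from any system).
WEAK=$(mktemp) FIXED=$(mktemp)
cat > "$WEAK" <<'EOF'
# distro default left in place, hardening appended at the bottom
PasswordAuthentication yes
AllowUsers someadmin
PasswordAuthentication no
EOF
cat > "$FIXED" <<'EOF'
AllowUsers someadmin
PasswordAuthentication no
EOF
sshd_audit "$WEAK"  || echo "weak config: fails audit (expected)"
sshd_audit "$FIXED" && echo "fixed config: passes audit"
```

Run it against your own /etc/ssh/sshd_config with sshd_audit after editing; the WARN lines tell you which setting sshd is not actually applying.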

And finally, tune your app: if it’s a mail server (POP/IMAP) install SSL encryption, if it’s a webserver look at things like mod_security and suPHP.

Hopefully this helps someone get started…. here are some useful references:

*Too much doesn’t stop you working, that’s just poor security management ;)

HTTPS backups of Cisco ASA

Here you are, a cisco security “tid bit”: you can securely back up the running config of your Cisco ASA over HTTPS. You should enable AAA and set a username, but for now here’s the default URL & command for wget.

# username is empty until you enable AAA; the ASA's self-signed certificate will make wget refuse the connection unless you trust it or add --no-check-certificate
wget --http-user= --http-passwd=<YOUR PASSWORD> https://<IP ADDRESS>/admin/exec/show%20running-config%20asdm/show%20running-config#

:-D

Have Firefox & Google Toolbar Merged ?

Firefox Spell Checker

So Firefox 2 was released yesterday, and I’ve just been browsing through the features list. The fact that some of the Google Toolbar features have sneaked in as default functionality doesn’t surprise me; for example the Google spell checker from the Google plugin is an obvious feature for Mozilla to include in the core.

What surprised me was how the anti phishing feature was just lifted:

[Screenshots: Google Anti-Phishing / Mozilla Anti-Phishing]

This is an excellent example of open source, and it’s really good to see Google sharing their work. I just hope that anti-CustomizeGoogle doesn’t sneak in, or worse still targeted advertising!

FC 6 Is out !

…and their server is down…..

Fedora Project
We are working hard to bring fedora.redhat.com back up to its fully operational state.

DOH !

Oh well I haven’t got time to install it now anyway, I’ll wait for the “Zod” frenzy to finish I think ;)

Basic Example Cisco Switch Config

Figure 1: Layer 2 Overview

I’ve been meaning to add a dedicated cisco section to my site for a while; I thought it’d be helpful if I converged my rants with work a little ;) I’m hoping to build up a personal archive of notes for work, and in doing so help others with similar roles & problems. I’ve gone through and added any cisco related posts to my archive, useful cisco bookmarks have always been online with del.icio.us, and now to finish off I have a config files directory. Usual rules apply to this and all other posts – see disclaimer.

Moving from a general security reseller to a “cisco cisco cisco” house has meant that templates have become important in my life. Let’s take security products like Check Point or Websense: not only are they GUI driven (which makes templating difficult) but their implementation is very specific to their environment, so companies that install with templates here usually aren’t doing a very good job. Switches or routers on the other hand can be templated, because there are only a few design scenarios (engineers usually stick to a favourite) and once you’re happy with a design, moving it from customer to customer usually only involves changing IPs and passwords (of course a little intelligence to spot what else might need changing also helps).

This is a switch design my boss has handed down; it’s a basic collapsed core (i.e. no distribution layer) site campus implementation. I’m not going to take all the credit for the content as Frank helped a great deal (thanks mate).

Each access layer switch has two connections up to the core, and the core has an EtherChannel link to provide the resilient triangle loop – see Figure 1. There are a couple of things you need to pay attention to within this design…

1. The obvious one is that all the layer 3 takes place in the core. There is currently a cisco document circulating that says we should be pushing layer 3 to the edge to take advantage of QoS for all things new like voice and video; I am aware of these considerations, but I haven’t found it entirely applicable*, which brings me to…
2. The design relies on having two VLANs on each access layer switch. Why? Because in my experience cable and physical faults occur more often (human errors excluded of course) in cisco networks than switch failure, so it’s good to have a design whereby all cables carry traffic. If traffic flows down all ports then MRTG can be used to view the usage, and if the “bloke that changes the light bulb” accidentally cuts through a fibre link you’re aware… this is much preferable to having a standby link that’s never used/tested fail just as you need it. In short: why two VLANs? Traffic for both routes. – See Figure 2.

*Why do I need QoS on my campus if I have two VLANs, one dedicated for voice and the other for data ;)

Figure 2: Splitting the VLANS

Hopefully I’ve explained this well enough. If you take a look at the configs you’ll see that I’ve mirrored up the active HSRP SVI with the STP root bridge. This implementation ensures that I get the desired traffic flow and distributed processing, i.e. if I force a root bridge on core B, why send traffic to core A for layer 3? With all the technologies working correctly we have a completely resilient solution.

Mainly for my reference, the example configs have some default security settings; these settings closely meet the SAFE blueprint but may need tuning, e.g. if you have a large campus you should be using TACACS+ rather than local user names and passwords…. It’s also important to note, if you don’t know what some of this does, you should probably google for it to find out ;) The configs have been applied to Cat4500/6k type devices in the core, and a stack of 4 3750s at the edge (access layer). You should be aware that not all functionality is available on all switches; note I’m using VLAN ACLs for RFC 2827 filtering, and this probably isn’t available on lesser switches.

Anyway, enjoy !

Gmail File Space Extension (gSpace)

For those who can’t wait for the fabled GDrive, this is worth a look: you get an FTP-style interface to Gmail within Firefox. I’ve found it useful for quick backups.

Gmail File Space
This extension allows you to use your Gmail space (2 GB) for file storage. It acts as a remote machine. You can transfer files between your hard drive and Gmail. This is similar to “Gmail Drive” on the Windows platform. Your Gmail account looks like an FTP host and you can upload and download your files. After you install, you get an option called “GSpace” in your “Tools” menu, clicking on which opens the window for transfer of folders/files. Works great for photos and music files less than 14MB.

Calcylator Closed……for now.

My last Calcylator post was full of hope… but now the site is closed. What gives?

Well, our ISP had a spam issue, and as part of the investigation, to protect Calcylator, I closed the site; development has been v.sloooooow over the last few months and I thought I’d take the time to reflect.

I stand by the site being a good idea: working out true profit from eBay is important to individual success. The fundamental problem is that working out your exact fees per transaction is difficult & time consuming, so users just don’t want to dedicate the time. I’ve been through two iterations of Calcylator, and discovered that I just can’t make the process easy enough for users to be bothered. Financially it doesn’t bother me if people can’t work out their profit accurately, but I do want the site (idea) to be successful, so Calcylator is moving into a new phase.

The first phase will be a gimmick, but hopefully useful; from there we’ll step towards what will hopefully be a better solution… once again, another empty space to watch ;)

Evolution of Cisco.com

Looks like cisco have given their website an image overhaul…..

Evolution of Cisco.com – Cisco Systems
A transformation is occurring on the Web. The end user is more in charge, creating collaborative websites and blogs, generating, mixing and sharing content, and having more of a say in how companies do business with them. The potential of the Internet is being fulfilled by more than the physical network alone, it is the human network where people are connecting and collaborating, enabling ideas and opportunities. This represents an ideal time for Cisco to transform our website, into a platform for collaboration, interaction and innovation.

Today is our first step. We’re launching a “new face” for Cisco.com with a redesigned home page…

It took me by surprise actually; it’s not very often such large companies make this kind of statement. Notice there is less “cisco green”, and even a new logo, very 2.0 ;)

Tripwire RPM for RHEL 4 , WBEL 4, CentOS 4.

I don’t know everything about Linux, who does? So if I put one into a production environment I want to know if anything changes.

It took a couple of goes, but I finally managed to build a Tripwire RPM for Red Hat Enterprise Linux. I’ve been testing it for a couple of weeks and all looks good.

It’s available from my files directory or my repo , if you have any problems let me know :-)

Download Statusbar :Firefox extension

This extension is probably more of a personal thing than actually useful: if you download a lot like me, the download manager can get in the way a bit, so this is a good alternative….

Download Statusbar
View and manage downloads from a tidy statusbar – without the download window getting in the way of your web browsing.