While building a VMware 5 lab, I had the need for network-attached disks, which would be used as shared hypervisor storage for virtual machines. In this arena, there are several open source options to choose from. However, at the time of this writing, it appears that NAS4Free is taking charge and has pulled away from the rest of the pack. In this article, we will discuss taking a physical server (with lots of disk space) and turning it into a dedicated NAS device.
Starting with a computer that has plenty of disk space for this role will obviously be the most beneficial. In my lab, that was a Dell PowerEdge M600 with a couple of 146G drives installed, configured as RAID 0. This blade server is installed inside an M1000 chassis. After downloading the NAS4Free ISO, I proceeded to launch the iDRAC GUI for the server. For anyone not familiar, this is a remote console that allows you to do just about everything that you could do if sitting in front of the machine.
After the console was open and connected, I launched the virtual media wizard and connected the CD-ROM to the NAS4Free ISO. This step is just like inserting a CD into the local drive. After the virtual CD was connected, the server was restarted and booted from it.
In this article, we will build a software repository to be used for updating the official Red Hat Enterprise Linux 6 installation. This has many advantages, one of the biggest being that each server will not require internet access to receive software updates.
The machine being built will be registered on RHN and entitled to download the updates we want to provide. Other RHEL machines on your local network can be updated from your local repository server without having to be registered on the RHN. In a nutshell, this machine will serve as a proxy to all other machines on your internal network for software updates.
Red Hat Linux OS installed on physical or virtual machine
At least 50G+ of available disk space (This will vary depending on how many repositories are kept)
Standard Server (minimal) installation
Apache installed and enabled
To get started installing the software (mrepo) that will download binaries from Red Hat, install the following dependencies:
We will pick up with Part II of this series going over the configuration required to control inbound and outbound access through the firewall. At the end of Part 1, we were able to browse the internet with our test machine located on the inside network, behind the ASA. In a company environment, the common rule of thumb is to deny by default and allow by exception. This means we need to start with not allowing access to anything, which is the exact opposite of what we have currently.
To recap, we can communicate with anything on the outside network because the test machine is on the network attached to the inside interface, which has a high security level (100), and we are going out through a less trusted interface (outside, security level 0) for internet access. By default, the ASA has an implicit allow for this behavior, which is why we can communicate with the internet. Another default behavior is that all traffic originally sourced (i.e. otherwise un-inspected) from a lower security level interface (outside) going to a higher security level interface (inside) will be blocked.
Let’s start by creating a basic policy that will deny all communications, apply it, and test for proper functionality.
logging buffered informational
access-list ACL_INSIDE_OUTBOUND remark - Block all and log
access-list ACL_INSIDE_OUTBOUND extended deny ip any any log
access-group ACL_INSIDE_OUTBOUND in interface inside
This article will describe how to configure a basic ASA appliance using current best practices and the latest software versions. I recently found myself having to create a standardized configuration for some ASA 5505 devices that would be used in small, remote offices. When researching current configuration/best practices, I found information from all ends of the spectrum: old PIX configs, ASA version 8.2, ASA version 8.3, etc… Some of the examples proved to still be relevant, but most were dated and should not be used with modern software versions.
This article will start like most others I found and mentioned previously, with the intention of being current and somewhat future proof, since it is based on the latest versions of software to date. However, as we all know, when the next major version appears, this article will also become dated, just as the others are. Maybe, just maybe, I can come back and revisit this article for a refresh from time to time, so that it can retain its usefulness.
If your ASA does not have the latest software, the first thing I would recommend is to go and get it. This is, of course, assuming you have access to the Cisco software center via a valid SmartNet contract. If not, hopefully it shipped with something fairly current. Cisco will offer updates that anyone can obtain to fix a security flaw, so check to make sure it is at least at the current revision.
The software version on the device used to write this article is: ASA Version 8.4(3)
Let’s jump into the initial configuration:
Configure hostname of the device
This article will describe how to set up two-factor authentication for a Debian-based Linux machine. This solution will work for console and remote (ssh) logins. When changing a Linux host to use two-factor authentication, there are actually a couple of options. I’ll briefly explain the two options and why one was chosen over the other in this particular example. Before getting to that part, a brief mention of the type of two-factor authentication server that is being used is in order.
RSA Authentication Manager provides an authentication mechanism consisting of a “token”, either hardware (e.g. a keyfob) or software (an application that provides the same functionality as a keyfob). A hardware or software token is assigned to an individual, and it generates an authentication code at fixed intervals (usually 60 seconds) using a built-in clock and the token’s factory-encoded random key (known as the “seed”). The seed is different for each token, and is loaded into the corresponding RSA SecurID server (RSA Authentication Manager, formerly ACE/Server) as the tokens are purchased.
In this example, I am using RSA Authentication Manager 6.1, which is running on a purpose-built appliance that uses Windows 2003 Server with the RSA server software installed. This particular solution includes Funk Software’s Steel Belted Radius, which provides a RADIUS authentication mechanism into RSA. At the time of this writing, this particular appliance and software version is approaching end of life and has since been replaced with Authentication Manager 7.1. In the appliance version of 7.1 (known as Authentication Manager 3.0), the operating system has moved to Linux with Authentication Manager 7.1 loaded on top of it. Version 7.1/3.0 also includes a RADIUS server that can be used for RADIUS clients needing to utilize two-factor authentication.
In the world of firewall administration, one very common problem is a host behind a firewall having more access than what was intended. This occurs mainly due to ‘loosely defined’ rules that happen to ‘catch’ unintended traffic and then inadvertently allow it to pass. I recently was given the task of reducing access from a set of hosts behind a CheckPoint firewall which had a 1000-rule policy installed, with logging turned on for each one (including the cleanup rule). My point in describing the environment is that it can quickly become overwhelming to fire up Tracker and begin to piece access information together, especially across multiple days. In order to get started, the first item of business was to find all the rules this group of hosts was using, which had to be known before implementing the required ‘bare bones’ access.
Before I go any further, it must be stated that commercial packages exist that can do this type of analysis for you. These software programs usually import CheckPoint logs into a larger data source and then run various reports against it. While those packages are extremely valuable to the firewall administrator, oftentimes they are cost prohibitive for the company they work for. It will be my attempt to share a Do It Yourself, bare bones, just get it done alternative to buying these costly software packages.
It is not uncommon to be performing a software upgrade on a network appliance type of device and have the operation fail. Hopefully, the failure doesn’t render the hardware useless and allows for a retry of the operation. However, there are times when an upgrade will fail and the device will no longer function. This article uses a specific example to carry you through steps that can be applied to any appliance-like device.
First, a few details regarding the example scenario:
A previous upgrade to an IP-enabled KVM switch was causing issues with its normal operation. There were issues with local use via a directly attached keyboard/monitor/mouse and also when using the viewer plugin remotely. After my co-workers had complained enough, I decided it was time to downgrade the software to the previously running code, which did not have all the issues that were currently happening. Using the management software for the KVM, I downgraded 7 of 8 devices successfully. One device failed during the procedure and subsequently stopped responding on the network.
I have a lab set up with a few Windows machines, including a domain controller, which I can never seem to remember the password for. After reading over some different options, this is by far the easiest method to reset the Administrator password, and it does not require any third-party software outside of a Windows Server 2008 install disk.
First, shut the running machine down. Luckily, my lab was running in a virtual environment and had the VMware tools installed on the guest machine that needed the password reset. I opened a console window to the VM and in the viewer selected VM from the menu bar, then Power, then Restart Guest (Ctrl+R). Obviously, if this is a physical machine or a virtual one without the tools installed, you may have to shut it down / power it off not so gracefully. However, at this point, if you can’t log in to the machine, what else can you do?
Make sure your boot order is set up properly in the BIOS, so that the machine will attempt to boot from CD/DVD first, before the hard drive. Once this is correctly set, be sure to press a key to boot from the DVD while the message is shown telling you to do so.
Recently, I needed to close a file that was open via a network share on a server containing user home directories. This particular file was a temporary Excel file opened from a user workstation. These files are easily identifiable; in this case the name was ~$Weekly Sales Report.xlsx. The Office suite of programs creates a temporary file with the same file name prepended with the ‘~$’ characters, which contains the logon name of the person who opened the file first. This temporary file is called the “owner file” and is used to prevent more than one network user from opening the same file in read/write mode at the same time. When this file exists and a second user goes to open the same file, they will see a message similar to the following:
This file is already opened by (user name). Would you like to make a copy of this file for your use?
The reason I needed to close this file was because I was running robocopy to mirror a directory from one drive to another. Robocopy detected the file in use and would stall for 30 seconds, then retry copying the file. Since I didn’t specify how many times to retry, the default was one million times. How’s that for bringing a 450GB copy operation to a grinding halt! Since this job was over 50 percent complete, I didn’t want to start it over, so the question was: How do I close this file in use?
Anyone who manages a network will benefit from having a plan in place to back up network device configurations. Switches, routers, load balancers, firewalls, and VPN devices all contain configurations that should have copies stored off the device itself. Doing this provides a backup in case the device fails and needs to be replaced, or, more commonly, a misconfiguration is performed on a device and you need to go back to where you started from.
In this example, we will use a very nice tool called Expect. Expect has traditionally been run on Unix variants, but has also been ported to Windows. ActiveState, the company known for Perl on the Windows platform, also offers Tcl for Windows, which includes Expect. This particular article will cover the program running on the Linux platform, with the possibility of revisiting at a later date to explore whether we can run the same processes in Windows.