Monthly Archives: September 2014

Security – Additional Shellshock Resource – Cisco

As a follow-up to my previous post concerning the BASH bug, known as Shellshock, Cisco has confirmed that a number of its products are vulnerable. You can read Cisco’s Security Bulletin for information that may end up affecting some of your network infrastructure.

As more vendors check their equipment, you will see additional bulletins posted. Stay on top of this…active exploits are already being seen out on the Internet.

Security – The BASH Bug Gives Us Shellshock

Oh dear…here we go again. And this one is a biggie! (If you only use Windows systems and servers, then you are probably not vulnerable to this. You can sit back and watch all us Linux/UNIX people squirm…which you don’t get to do very often!!)

A vulnerability has been found in the BASH shell, which runs on most Linux/UNIX systems. And when I say most, I mean LOTS of systems. Known as Shellshock, some believe this will end up being worse than Heartbleed. And that’s saying a lot. To stay up to date on this issue I would recommend several things…

Visit SANS Internet Storm Center at: https://isc.sans.edu They have a number of detailed articles concerning Shellshock and mitigation procedures.

I would also visit the main websites of whatever flavor Linux distro you are using, such as www.centos.org. They will also have updated information for mitigation and testing.

For an example, I use CentOS on several systems. Patching them was rather simple…just run “yum update bash”…

BASH update example on CentOS

Note: Further testing has revealed that the initial patches have not completely solved the problem, although they have helped. Don’t just run this quick update and think you are done. Stay updated on this issue as noted above…network security is a constant vigil.
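To go with the update step and the note above, here is an added verification script (my own, not from the original post or from CentOS) that records the installed bash version and runs the widely published function-import check after patching. The function names and the VULNERABLE marker string are my own choices. A "blocked" result only shows that the initial fix is present; as the note says, follow-up patches were still needed, so keep checking your distro’s advisories.

```shell
#!/bin/sh
# Added example (not from the original post): after "yum update bash",
# confirm that bash no longer imports shell functions from environment
# variables, which is the behaviour the Shellshock advisories describe.
# Function names and the marker text are my own choices.

# Print the installed bash version line, for the change record.
bash_version() {
    bash --version 2>/dev/null | head -n 1
}

# Returns 0 when bash ignores the crafted environment variable (patched),
# 1 when the VULNERABLE marker leaks through (function import still active),
# 2 when bash is not installed on this host at all.
check_bash_function_import() {
    command -v bash >/dev/null 2>&1 || return 2
    # The variable value is a harmless marker echo, not a payload; a patched
    # bash treats the whole value as plain text and prints only "probe".
    out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 1 ;;
        *) return 0 ;;
    esac
}

# Human-readable summary for the change ticket.
report() {
    printf 'bash: %s\n' "$(bash_version)"
    if check_bash_function_import; then
        echo "function import from environment: blocked (initial fix present)"
    else
        case $? in
            1) echo "function import from environment: ACTIVE - update bash now" ;;
            2) echo "bash not found on this host" ;;
        esac
    fi
}

report
```

Run it once before and once after `yum update bash` and keep both outputs with the change record; the "ACTIVE" line is the one that should disappear.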

More Network Security Reading

Here are a couple of additional security resources to check out, and they are both very good. (Check out my first post on security resources if you missed it.)

US-CERT  –  This governmental organization does a good job of monitoring and alerting on critical vulnerabilities and associated fixes/patches. Go to their homepage and sign up for their alerts and tips.

Verizon Data Breach Investigation Report  –  This is an excellent source of information from around the world concerning the hacking community, methods of infiltration and what’s driving the hackers. This report comes out once a year and is well documented and detailed. You really can’t read it all in one sitting, so download a copy onto your tablet, and work your way through it bit by bit during your daily lunch. (Note: After reading this your first impulse will be to run to work and disconnect your company from the Internet. Effective, yes…but not very conducive to long term employment.)

Using the RELOAD Command to Prevent Lockouts

There are two types of Network Engineers…those that have locked themselves out of a router and those that will. I am in the former group. If you do this long enough, so will you. How to prevent this? You can use the RELOAD command to schedule a reload should you get locked out. I made use of this feature earlier today, just in case.

I had to reconfigure a router at our DR site (Disaster Recovery) due to some IP address changes, and this involved both re-configuring the VTI tunnel interface and the main access-list. (Oh, and the router is located out of state.) This is just ripe for accidentally locking yourself out of the router should you mistype an ACL entry or add an entry in the wrong order. Let’s look at the options for RELOAD…

Viewing the options for the RELOAD command

As you can see there are several options. My changes would only take about 5 minutes to input so I decided to configure a reload in 10 minutes…

Configuring the reload for 10 minutes out

To review the reload status, simply do a “show reload”…

SHOW RELOAD to view status

I also added a reason for the reload, so if someone else logged into the router they would know the “who” and the “why” for the reload. They would see something like this…

RELOAD status for other users that might connect into the router

Now you can proceed with the configuration changes…just don’t save the configuration, at least not yet. If you do get locked out, then wait just a bit. The router will reload and come back up with its original configuration, and you can connect right back in and try again. I have used this many times, and it has saved me on more than one occasion.

After you have successfully made your configuration changes without getting locked out, then you can cancel the reload…

Canceling the reload

Hope this helps!  (And don’t forget to save your changes!!)
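The whole sequence from the screenshots, written out as an added IOS session of my own (this is a reconstruction, not the post’s screenshots): the hostname, username, address and reason text are made up, and the router output is abbreviated and varies by IOS release.

```cisco
! Added example (not the original screenshots). Hostname, user, address and
! reason text are made up; output is abbreviated and differs by IOS release.
DR-RTR# reload in 10 ACL and VTI change - Jim - cancel if still here after 10 min
Reload scheduled in 10 minutes by jim on vty0 (203.0.113.10)
Reload reason: ACL and VTI change - Jim - cancel if still here after 10 min
Proceed with reload? [confirm]
DR-RTR#
! Check the timer and the reason at any time:
DR-RTR# show reload
Reload scheduled in 9 minutes and 41 seconds by jim on vty0 (203.0.113.10)
Reload reason: ACL and VTI change - Jim - cancel if still here after 10 min
DR-RTR#
! Another operator who logs in while the timer runs is warned at login:
*** --- SHUTDOWN in 0:08:12 ---***
Reload reason: ACL and VTI change - Jim - cancel if still here after 10 min
! Now make the changes, but do NOT "write memory" or "copy run start" yet.
DR-RTR# configure terminal
DR-RTR(config)# ! ...tunnel interface and access-list edits go here...
DR-RTR(config)# end
! If the session drops here, wait: the router reboots to the saved config.
! Still connected after the change? Cancel the timer, then save.
DR-RTR# reload cancel
DR-RTR#
***
*** --- SHUTDOWN ABORTED ---
***
DR-RTR# write memory
```

The reason text is free-form and follows the time on the same `reload in` line, so put your name and the change in it; that is what the next person to log in will see.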

Security in the Internet of Things – Get Educated

Security in all of its different flavors…network, server, PCs, mobile…is something that every Network Engineer needs to be aware of, study on, and implement in their networks. In this area, there is no truer statement than “If you are not part of the solution, then you are part of the problem”. Whether you are a student working towards your IT degree or a seasoned IT veteran, security should be part of your daily experience. How to begin? Find some good blogs and websites that focus on security, and make it a daily read. You will be amazed at how much you will learn once you get this habit started. Here are several of my favorite sites…

krebsonsecurity.com  –  Excellent articles on hackers and how they think, plus tons of information on how they broke into various organizations. Most of what you hear reported on the news came from this website. This is a must read.

sans.org  –  The best IT security training around. Expensive, but worth every penny. Click on their “Resources” tab…lots of great information here. Visit their Internet Storm Center every day. Plus check out their free whitepapers on their GIAC site and make sure to read their 20 Critical Controls. They also have a great semiweekly email newsletter (free!!) which you can sign up for here: https://www.sans.org/account/login

packetstormsecurity.com  –  Nothing but security here on every kind of platform, OS and application. It will make your head swim.

This is a good start, but there is much more to add….which I will as I have time.

On Second Thought…the iPhone 6 Dilemma

I’ve been playing with my iPhone 6 Plus replica for almost a day now, and I must say it is really big. (Read my iPhone 6 Plus post if you missed it.) I’m now second guessing on whether to get the 6 Plus or go with the smaller 6. Of course, to properly determine which phone would best suit my needs required the construction of an iPhone 6 replica…to scale of course…

Just like before...two layers of cardboard and a color printout from Apple's website

The plain 6 definitely sits in your hand more comfortably and feels more secure, and the thumb can easily reach any of the icons. Here is a side by side picture…

Side by side comparison of my cardboard replicas

Still not sure yet…this will require a bit more time and testing. But it is fun!

You Know You’re a Geek If…

Yes, I’m a geek. If it has anything to do with technology then count me in. So for the last couple of days, the question in my mind has been: iPhone 6 or iPhone 6 Plus?

I would like the added size and features of the Plus, but I’m not so sure how the larger phone will fit in my pocket. What to do? Create a full size replica of course…

My iPhone 6 Plus…two layers of cardboard and a color printout from Apple’s website

Yep…that did the trick. It’s a touch large in my hand but still easy to navigate and it fits in my pocket just fine. I’m looking forward to the larger screen as I do a lot of reading and researching on my phone. (Thanks to my fellow co-worker as it was his initial idea that got us going on this.)

Dealing With Carriers — The Painful Part of Being a Network Engineer (Part 2)

Yes, I’m out of state for my son’s wedding. And yes, I’m still dealing with the carrier mess for our new office. (Read Part 1 of this post if you need to catch up on things.) The carrier ended up confirming our worst fears…they are unable to provide fiber to our new office. One month from go-live. (Thank you very much!!) Their option, at first, was to deliver 8 T1 circuits bonded together for a throughput of 12 Mb. (Thanks, but no thanks.) But then they realized they don’t even have enough copper facilities in the area to support 8 T1s. (I’m being very honest when I say that dealing with certain carriers is like dealing with five year old kids who haven’t learned to play well together.) All they can give us is 2 T1s bonded and our voice PRI.

Not quite 20 Mb is it?

So we said no thanks to the double T1’s but yes to the PRI circuit. As for data, we are heading in a different direction. I have had two conversations already with the fixed wireless provider, going over our needs and getting a clear understanding of their technology. I will admit that I am impressed. They can give me a 20 Mb Internet link on a dedicated radio (not shared with other customers), with only two hops to their data center, then Gig fiber back to a major carrier. And they peer with two other carriers for redundancy. Very nice indeed!

And you know what’s even better? They are not 5 year old kids. So far it’s been a pleasure working with them. They know the problem I have and are moving quickly…a site survey is scheduled for tomorrow already. Sure, they want my company’s monthly payment…that’s how business works. But they are also interested in providing a solution well suited for my company, one that balances performance with price. In other words, they are helping me solve my problem. That’s what good carriers do.

Now…back to my son’s wedding. Rehearsal dinner is tomorrow night (with some great BBQ afterwards), and the wedding is Saturday. I’m very excited for my son, and can’t wait to add a new daughter to my family!

What Overwhelms Your Life?

The last several months have been just way too busy. Work is busy, church is busy, my wife and I are busy…and we are involved in planning my son’s wedding in Missouri. The last couple of weeks have been almost too busy. Sometimes I tend to get overwhelmed by life, and that’s not good. One thing I enjoy doing is listening to Christian music, and there is one song in particular that is speaking to me called “Overwhelmed” by Big Daddy Weave. (Yeah, I agree…that is an interesting name for a singer.)

The song talks about being overwhelmed by God’s presence…his Creation, power, and forgiveness. When you allow God to overwhelm you, then His peace will also overwhelm. And the problems of life will fade to the background.

So give the song a listen…maybe it will help you too…

Overwhelmed:  http://youtu.be/F6oxXwRWFTo

Dealing With Carriers — The Painful Part of Being a Network Engineer (Part 1)

As a Network Engineer I have to deal with a variety of carriers almost on a daily basis. AT&T, Verizon, Sprint, TWtelecom, Level3, TelePacific…just to name a few. Some are a pleasure to work with…friendly staff, a sales team that’s on your side, technical support that actually knows what they are doing…you get the idea. Some are not so nice to work with. And then there are some that are just PAINFUL to work with. Such as today.

We are opening a new district office in a major city here in California, and we ordered a high-speed fiber network connection this past Spring. Go-live is in October (as in next month). For four months the carrier has said that things are progressing normally, no problems. Until today. All of a sudden, they have encountered a “major construction problem”. They couldn’t figure this out until today? Does this mean no circuits at all? Or will there be a long delay? No answers as yet…wait until Monday they say. Just great. I’m on vacation next week…out of state…for my son’s wedding.

So, as a Network Engineer, what should you do? Plan out some options, and quickly. Which we did this afternoon…

  • For data and Internet access: I found a local fixed wireless provider that can give us a high-speed Internet circuit, and get all of this installed in as little as two weeks. I’ll configure an IPsec tunnel to our Data Center…all is good.
  • Voice: We can leave our current PRI voice circuit and router at our old location for now until all of this is straightened out, and just route the VoIP calls over the data network.
  • Analog lines (fax, etc): Vonage can deliver plain analog lines over the Internet, and I’ve used this before at some of our temporary job-sites. Or, perhaps now is a good time to test some of the e-fax providers. We have several options here.

Of course, none of this is ideal. But we should still be able to meet our deadline and not disrupt the scheduled move of staff and equipment. So, perhaps I can relax and enjoy my son’s wedding next week. Perhaps…