A week or so ago I came across an article entitled “A Student-Hacker Showdown at the Collegiate Cyber Defense Competition”. I had never heard of this particular event before, but it definitely sounds cool. I would love to get a team together at the school where I work and try to compete in this next time around. I’d also love to hear from anyone who’s been involved in it in any fashion. For those who don’t know, I work at a post-secondary institution in Bloomington, Indiana, and do various sysadmin/netadmin/infosec chores there. I’ve thought about trying to organize some sort of “capture the flag” game, but it’s never moved past the “hey, that’s a cool idea” phase in my head. =)
I’m in need of the OID to monitor CPU usage on an HP Procurve 9304m routing switch. I’ve googled till my fingertips hurt and haven’t come up with anything that actually works. I’d be forever in debt to someone who could give that to me. Thanks!
On a side note, .1.3.6.1.4.1.11.2.14.11.5.1.9.6.1.0 seems to work for the 4108GL’s.
“CCIE9277” has a really good, detailed article (complete w/ screenshots) called “Configuring a free VPN solution in your home” which shows you how to set up a secure connection between Microsoft Windows XP and a D-Link router. I use IPCop and IPSec myself, but this article is very helpful, in major part due to the provided screenshots.
A month and a half or so ago, I wrote about some security podcasts I listen to on a regular basis. I was specifically looking for some good technical podcasts that I might be missing out on. Network security pro Martin McKeay (who hosts a security podcast himself) directed me to Security Catalyst and Sploitcast.
I’ve managed to find some others “on my own”, mainly thanks to the fact that I somehow stumbled across the Yahoo! Music Engine Podcast Plugin (thanks to Jeremy Zawodny). I’ve been using the Yahoo! Music Engine (YME) and subscribing to their service since just after Christmas. I had bought Lindsey a Dell DJ MP3 player for Christmas, so we subscribed to the Yahoo! Unlimited service so that she could keep it full of the latest music. Since Yahoo! lets you share the music between three PCs and two mobile devices, I also installed it on my laptop which usually travels back and forth to work with me. I started putting a few songs on my PDA as well, and the YME worked flawlessly transferring the files back and forth.
So, anyways, as I was saying… The YME is incredibly easy to use and sync’ing a mobile device with it is as easy as plugging your device in. I’ve been listening to podcasts for a while, but it’s been a manual job of downloading them using Juice then dragging them over to the PDA in Windows Explorer.
Now that I’ve got the Podcasts plugin installed, I’ve dumped Juice and subscribed to a bunch more podcasts inside of the YME application. It’s set to check for updates on a daily basis (it stays resident and active in the system tray) and will automatically download them. YME is configured to automatically sync with my device whenever it’s plugged in, so all I will have to do to get the latest podcasts is drop the PDA in its cradle and wait for it to sync. Kickass!
So, here’s a list of what I’m subscribed to now (in no particular order):
- Technorama
- Gillmor Gang
- SABAGsecurity
- Geek Muse
- PodcastStudio.net Show
- Geek News Central
- Security Now! 1
- NerdTV
- A Day in the Life of an Information Security Investigator
- PaulDotCom Security Weekly
- InfoWorld Daily Podcast
- The Security Catalyst
- We Hate Tech
- KFI Tech Guy
- Friends in Tech
- Silicon Valley, Technology, Media InfoTalk
- Z100 Phone Taps
- Network Security Blog
- Diggnation
- In The Trenches
- CyberSpeak
- this WEEK in TECH
Hmm, I do know two I.T. guys that work there at Bloomington Hospital, though — one of the Microsoft guys and one of the Information Security guys — and I did notice Cisco wireless AP’s hanging outta the ceiling on my way to X-ray. Wonder if I could get access to the wireless network while I’m there? =)
1 though Gibson is a f**kin’ idiot - “I WROTE MY OWN WEBSERVER IN x86 ASM!!!” –siglite, making fun of Gibson
Lately, I’ve been considering the idea of a browser-based open-source SSL VPN. At the educational institution where I work, we have a FirePass 4000 from F5 Networks and it works wonderfully for the most part. I’m not the one who wrote the check for it, so I’ve no idea what it costs, though.
What I’ve been looking into is SSL-Explorer from 3SP. It seems to do a lot of the same things, but for many dollars less. The big thing for me is the ability to access a desktop remotely, e.g. by using the Remote Desktop Client in Windows XP.
Anyone used SSL-Explorer and have an opinion of it, good or bad? I’m actually installing Linux (CentOS, to be exact) on a new server at the moment just to try this out (if actually used, it’ll most likely be deployed on a Red Hat Enterprise Linux server, though). What about other browser-based SSL VPNs? Did I miss another open-source one?
Last night while looking through Digg, I came across sharemywifi.com.
“sharemywifi.com connects people with WiFi to people without it!”
Basically, if you have a wide-open access point that you don’t mind others using, you can post it on the web site. Likewise, if you need Internet access in a certain area, you can search on the site to see if anyone is sharing their wireless access. It seems so simple, and it just might work.
I haven’t listed my access point on there just yet. I wouldn’t care if anyone used it, but I’ll wait until I have it properly segmented off from my home servers and workstations and rate-limit it a bit before I open it up. Right now, it’s on the same segment as my home servers and workstations and I don’t want anyone else having access to that. I can, pretty easily, put it on a network segment of its own, however, with a Cisco router in between the two networks. Doing that will allow me to put some ACLs in place to prevent anyone using the wireless from hitting “my” side of the network, and I can do some rate limiting on there as well (perhaps limit the wireless to 1544/128kbps of my 3088/512kbps bandwidth).
I’ll keep sharemywifi.com in mind whenever I’m travelling, as well. Anyone actually using this thing or posted their open AP’s on it yet?
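The segmentation, ACL and rate-limiting plan described in this post could look like the following on a Cisco IOS router. This is an added example, not configuration from the original post. The addressing (home LAN 192.168.1.0/24, wireless 192.168.2.0/24), the interface name, the ACL name and the burst sizes are assumptions, as is an IOS image that supports the legacy `rate-limit` (CAR) command.

```cisco
! Constructed addressing (assumption):
!   home servers/workstations: 192.168.1.0/24
!   open wireless segment:     192.168.2.0/24
ip access-list extended WIFI-IN
 remark allow DHCP requests (assumes this router serves DHCP to wireless)
 permit udp any eq bootpc any eq bootps
 remark keep wireless clients off the router's own SSH/Telnet
 deny tcp any host 192.168.2.1 range 22 23 log
 remark block the wireless segment from "my" side of the network
 deny ip any 192.168.1.0 0.0.0.255 log
 remark only wireless-segment source addresses may go out to the Internet
 permit ip 192.168.2.0 0.0.0.255 any
 remark log spoofed or unexpected sources instead of dropping silently
 deny ip any any log
!
! FastEthernet0/1 = interface facing the access point (assumption)
interface FastEthernet0/1
 description Open wireless segment
 ip address 192.168.2.1 255.255.255.0
 ip access-group WIFI-IN in
 ! upload from wireless clients capped at 128 kbps
 rate-limit input 128000 24000 48000 conform-action transmit exceed-action drop
 ! download to wireless clients capped at 1544 kbps
 rate-limit output 1544000 289500 579000 conform-action transmit exceed-action drop
```

The deny for the home LAN must stay above the broad permit, since IOS evaluates ACL entries top-down. `show access-lists WIFI-IN` and `show interfaces FastEthernet0/1 rate-limit` show hit counts and conformed/exceeded packets once traffic is flowing.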
A couple of days ago, I wrote “IPCop Rocks My Socks” in which I told about installing and setting up IPCop for my home office use. I have to say, I still haven’t had a single issue with it.
Since the initial installation, I’ve installed two add-ons from firewalladdons.sourceforge.net: Cop+ and Logsend.
Cop+ is “a DansGuardian bundle of addons designed for a small office environment”. In a nutshell, it’s DansGuardian packaged up for IPCop. I don’t really need this content-filtering at home, but I’m implementing this exact setup for a customer so I wanted to test everything out first, of course. It’s been working flawlessly.
The second add-on I installed was Logsend. “This includes DShield, and Logcheck. It also adds the ability to send DansGuardian, Squid Proxy, and Snort logs to the Administrator. DShield, checks your firewall logs for possible intrusion and mails a copy to DShield. LogCheck, checks your firewall logs and Mails the report to the Administrator.”
Logsend will take the various logs that are recorded throughout the day and send them to an administrator overnight. This will be real handy for the customer mentioned above, who previously had this functionality with their previous network appliance. The ability to send logs to dshield is just something I like. When I can help out without having to do anything, that’s a win-win! I have been to a SANS conference and hold a GIAC certification, so I’m all for helping out the SANS guys whenever possible.
I mentioned previously that I had set up IPCop for a customer. I haven’t heard a single complaint as of yet (always a good thing!), though none of the users should have known a difference. I love it when you can completely replace the supporting infrastructure and no one notices — that means you did it right! This evening, after they close, I’ll be adding in the Dansguardian piece. This will make them CIPA-compliant once again (which is a requirement for them) — this is a public library, by the way.
Also, I’ve found somewhere else to deploy this solution! The College that I work for has a computer lab in a building on “the hill”, which is a section of town that is basically “the projects”. There’s a Windows-based content-filtering proxy in use over there right now, but it was commercial, of course, and we’ve had some issues with it previously. I got the okay from my boss to implement this same IPCop+DansGuardian setup there. The nice thing is, we’ll have the ability to administer it from anywhere, which will come in handy the first time someone calls to report a problem in/with the computer lab.
Anyways, I’ll keep everyone updated — this promises to be fun and interesting. As always, I’m interested in hearing about anyone else’s experiences with anything mentioned here.
It’s official. IPCop rocks my socks.
From the site, “IPCop Firewall is a Linux firewall distribution geared towards home and SOHO (Small Office/Home Office) users. The IPCop interface is very user-friendly and task-based. IPCop offers the critical functionality of an expensive network appliance using stock, or even obsolete, hardware and OpenSource Software.“
I had originally planned on installing SmoothWall at home, but apparently it doesn’t include SCSI support. Normally, this wouldn’t be an issue except that the box I wanted to use is a Dell PowerEdge 1300. It’s an old box, P2-450MHz, 384MB RAM, 2×9.1GB SCSI drives, and it would fit the bill perfectly. Unfortunately, the only IDE drive in it is a CD-ROM. I came across IPCop, which is based off of SmoothWall, but it has SCSI support.
I removed the 2Wire “residential gateway” (ADSL modem/router/WiFi) box from service, and replaced it with an old Westell “dumb bridge” that served me for a few years when I lived in Mitchell and had my DSL through Blueriver. SBC, my current DSL provider, requires one to use PPPoE to logon, which IPCop handles with ease. The Dell server, running IPCop handles the PPPoE connection and also does DNS and DHCP for the local network. The “other end” of the IPCop box runs into a Cisco switch, which all of the other LAN devices plug into.
IPCop has proven stable, and I haven’t had a single issue since I set it up. They have sure packed a helluva lotta power into a 40 MB ISO image: Firewalling, IPSec (for VPNs), DNS and DHCP servers, an intrusion detection system (Snort), a proxy server (Squid), and NTP and web servers. They built a nice little web-based GUI on top of it, meaning even non-Linux or non-I.T. people can manage it. The only issue I have is that their web-based GUI runs on port 445/TCP, which many companies may block since that’s also the port used by Windows filesharing traffic. My own company blocks 445/TCP at the edge for that very reason, meaning I can’t reach the web-based GUI from my office (well, I can, but it requires some trickery).
It’s actually working so well that I just set it up last night at a customer’s site. I’m sure they’ll be very pleased (they are thus far), but I’ll wait until it’s been “in production” for a bit before I post anything about how it’s working out for them.
Anyone else currently using IPCop (or have used it in the past)? Did you run into any issues? Is it working well? Are there other options you would recommend?
I had to reload an HP Procurve 9304m Routing Switch a few minutes ago, due to a configuration change to enable DVMRP.
Here’s the end of the output from “sh ver” just a minute before I rebooted it:
The system uptime is 1120 days 9 hours 40 minutes 6 seconds
The system started at 13:47:41 GMT-05 Tue Dec 17 2002
Sweet!