Thursday, November 11, 2010

VirtualBox Seamless Mode

It's been about two years since I really used VirtualBox, and at that point it was mainly so I could develop packages on various OSs (Solaris, Windows, Linux, etc.). I can't recall if Seamless Mode was available, but it wasn't a feature I used at the time. I would normally boot my VM in full screen and go from there.

But my current job requires me to VPN into their environment for certain functions, and the VPN actually hampered my ability to perform other job functions. To allow me to be both on VPN and off VPN, I loaded up VirtualBox with my company's standard Linux build. Now, I was prepared to simply switch back and forth between the VM and my desktop...until I found seamless mode.

This is not a new feature; if you use VMware, Parallels, or VirtualBox you have most likely already come across it. A good write-up on it can be found here: http://blogs.techrepublic.com.com/opensource/?p=757

Now I can switch between my Linux and Windows applications seamlessly (get it? Just like the name!).

Like I said, nothing groundbreaking...but it's still really, really cool.

Friday, November 05, 2010

netbook chrome

Well...I installed one of the Flow builds (Chromium OS) by Hexxeh: http://chromeos.hexxeh.net/

If all you want is a browser, and let's face it, with the number of web-accessible applications it's a valid market, then Chromium is decent. This isn't going to be much of a review, because I really didn't get too deep into testing it. Additionally, I think it would be unfair to talk about bugs or missing features that I assume will be fixed by launch.

Anyway, I liked it for a beta and look forward to the official release when it's finally available. It worked on my HP with no issues. It booted and ran well off of a thumb drive, and installed easily on the HD.

I'm now going to check out Ubuntu 10.10 Netbook Edition...in general I like the Ubuntu distros, so I expect to be generally pleased with their netbook OS. Guess we'll see in a couple of weeks.


Monday, October 25, 2010

Moblin Update

Well, it's been about two weeks with the netbook, and given the choice between the netbook and a tablet I'm currently leaning towards the tablet. I like the fact that I can be on AIM while I search the web and generally play around on the netbook. However, my thumbs always hit the touchpad, moving the cursor and making it generally annoying to do much typing on it.

Its main use, for me at least, is as a web browser, and even that is annoying due to the smaller screen compared to a tablet. I also like the tablet games more due to the touch screen interface. Add to that the apps that are available for the tablets, and the cross-platform (tablet/phone) nature of the apps, and I've got to give the advantage to the tablets.

Next up for me will be Chrome OS. I'm going to download the most recent beta build and give it a run.

Wednesday, October 13, 2010

Got to keep Moblin on...

I came into possession of an HP Mini 2140. Now, in general I don't really get the purpose of these netbooks. Personally, I think it's too small to be useful and too big to be portable, but that's the opinion of a person whose fingers are too fat for a full-size keyboard. Now that I have one, I figure I might as well see if my opinions are correct.

I had to load an OS, since the HD was cleaned before I received it. It comes with a Windows 7 license, but what's the fun in that? So...my plan is to load various netbook OSs and see if I get to the point that I change my opinion. First up in the little experiment is Moblin.

Moblin intrigues me; it's got a user interface that is different from the other netbook OSs. So I downloaded and installed it using the instructions on the site. The installation was straightforward, and in an hour I went from a blank netbook and no idea what I was going to do with it...to a Moblin netbook.

The only piece that didn't work out of the box was the wireless card...which is a show stopper for a netbook. I mean...the whole point is the portability. Luckily it just needed the Broadcom drivers...the instructions can be found here: http://slaine.org/_slaine/Dell_Mini_9.html

So far so good...still getting it set up and customized. I did post this blog from it using BloGTK, which showed a bit of a bug when inserting a link: the link window pops up in its own zone. Other than that...it seems like a decent OS, but not as easy to use as I had hoped. The menus seem like they might be easier to navigate on a touch device.

I'll keep playing with it...but I'm also looking for the next OS to try. Looking at OSX86, unless Chrome OS comes out before then.

(Note: I ended up cleaning up this post...still getting the hang of BloGTK)

Wednesday, June 09, 2010

RSA ACE Queries or how I spent my summer

Well...just got done spending way too much time writing what is probably a basic SQL query for what I know is an outdated RSA ACE server (ver. 6.0). However, it's to prepare for our eventual upgrade and help rein in the management of the system.

Problem: We have multiple business units that use SecurID authentication. These business units have various groups set up with specific agent hosts assigned.

What I need is a list of all AgentHosts including their IP, Site, and Group. I can then send this to the POC for the site, who can verify the agent hosts and groups.

I won't bore you with my ramp-up time on OUTER and INNER joins, or the way I love to insert typos randomly, or how the ACE server only gives useful 'syntax error' pop-up messages. Suffice it to say, something that should have only taken a few hours...blossomed into a couple-day journey. Live and learn.

So, first the bookmarks:

The database schemas are listed here:
http://theether.net/download/RSA/SecurID/6.1/authmgr_admin_toolkit.pdf

Some info on syntax can be found here:
http://theether.net/download/RSA/SecurID/6.1/authmgr_admin.pdf


Here is the first *working* version; there are no options...it just prints the information I needed for ALL AgentHosts:

SELECT SDClient.chName, SDClient.chNetAddress, SDSite.chName, SDGroup.chName FROM SDClient
LEFT OUTER JOIN SDEnabledGroup ON SDClient.iClientNum = SDEnabledGroup.iClientNum
LEFT OUTER JOIN SDGroup ON SDEnabledGroup.iGroupNum = SDGroup.iGroupNum
LEFT OUTER JOIN SDSite ON SDClient.iSiteNum = SDSite.iSiteNum
ORDER BY SDSite.chName, SDGroup.chName, SDClient.chName


Easy enough, a few join statements...bam.
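To show what the query actually returns, and why the OUTER joins matter, here is an added example (not from the post) that runs the same query against an in-memory SQLite stand-in for the ACE tables. Only the table and column names come from the post; the column types and the sample rows are assumptions.

```python
import sqlite3

# Stand-in for the four ACE 6.x tables the query touches. Table and column
# names follow the post; the column types and sample rows are constructed.
SCHEMA = """
CREATE TABLE SDSite (iSiteNum INTEGER PRIMARY KEY, chName TEXT);
CREATE TABLE SDClient (iClientNum INTEGER PRIMARY KEY, chName TEXT,
                       chNetAddress TEXT, iSiteNum INTEGER);
CREATE TABLE SDGroup (iGroupNum INTEGER PRIMARY KEY, chName TEXT);
CREATE TABLE SDEnabledGroup (iClientNum INTEGER, iGroupNum INTEGER);
"""

SAMPLE_ROWS = {
    "SDSite": [(1, "Boston"), (2, "Denver")],
    "SDClient": [(10, "vpn-gw1", "192.0.2.10", 1),
                 (11, "citrix1", "192.0.2.11", 1),
                 (12, "orphan-host", "192.0.2.12", None)],  # no site, no group
    "SDGroup": [(100, "VPN Users"), (101, "Citrix Users")],
    "SDEnabledGroup": [(10, 100), (11, 100), (11, 101)],
}

# The post's query; LEFT JOIN and LEFT OUTER JOIN are the same thing in SQL.
QUERY = """
SELECT SDClient.chName, SDClient.chNetAddress, SDSite.chName, SDGroup.chName
FROM SDClient
LEFT OUTER JOIN SDEnabledGroup ON SDClient.iClientNum = SDEnabledGroup.iClientNum
LEFT OUTER JOIN SDGroup ON SDEnabledGroup.iGroupNum = SDGroup.iGroupNum
LEFT OUTER JOIN SDSite ON SDClient.iSiteNum = SDSite.iSiteNum
ORDER BY SDSite.chName, SDGroup.chName, SDClient.chName
"""

def build_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        db.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return db

def agent_host_report(db):
    """One row per (agent host, enabled group). Because every join is an OUTER
    join, an agent host with no site or no group still appears (with NULLs)
    instead of silently dropping out of the list sent to the site POC."""
    return db.execute(QUERY).fetchall()
```

An agent host that belongs to two groups shows up twice, and a host with no enabled group shows up once with a NULL group, which is exactly the kind of entry the site POC needs to see.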

Wednesday, March 17, 2010

Checkpoint Firewall..no thanks..

Checkpoint Firewalls remain a bane of my IT existence.

I have worked with many versions...in almost all cases the version I am using is NOT the current version of the software.

Why would so many shops use outdated Checkpoint software? I imagine it's due to the buggy nature and overall annoyance of the upgrade process. Sure, if you have a policy server, you can just push the policy to the system.

Just kidding. You need to make sure you have your license correct...make sure you have saved all the local configuration...and don't forget your local.arp...what about routes...sure hope this works....

I've done it...and anyone out there can tell me "oh...it's not that hard...did you export...did you run x, did you..."

All I'm going to say is CISCO or NETSCREEN. I can upgrade in less than 15 minutes...with a cluster I can do it with no downtime. I've done it...could not have been a more pleasurable experience.

Now...how about when it comes time to audit? Ever try to export the rules so they can be reviewed? Good luck with that. Screen capture and print to PDF are not good solutions. I can do a 'sho access-list' on Cisco and export to MS Excel.

If you are out there and contemplating purchasing Checkpoint firewalls...don't.

If you have Checkpoint firewalls...and are looking to upgrade...upgrade to a Cisco ASA or a Juniper Netscreen.

If you are a Checkpoint administrator and believe it to be the superior firewall platform...you clearly have not had the pleasure of using a system with a command line.

CLI 4 LIFE!

Thursday, March 11, 2010

OSSIM, VMTools, and YOU!

I have had the pleasure of installing OSSIM for use at our company. It is replacing our old Cisco MARS appliance which, after using it at several places, I can say is a sub-par correlation and monitoring system.

I'm still setting up OSSIM, so I can't give it a review yet. I will say it's easy to install and looks great. I need to get some events pumping through it to really test it.

Anyway, if you are like me, you want to do it yourself when it comes to installing something for the first time. In this case, instead of using the pre-configured VM image, I installed OSSIM from the installation media onto a VM.

Everything installed easily; now it's time to install the VMware Tools. First I need to mount the virtual CD that holds the VMware Tools image:
# mount -t iso9660 /dev/cdrom1 /cdrom
I chose to install the tools from the tar.gz instead of the .rpm.
# ./vmware-install.pl
I accept the defaults, just to ensure ease of management. This is a personal choice, but I believe that unless there is a valid technical reason to change the settings, you shouldn't.

Which works fine until you get the following error:
None of the pre-built vmmemctl modules for VMware Tools is suitable for your running kernel. Do you want this program to try to build the vmmemctl module for your system (you need to have a C compiler installed on your system)?
One solution is to load the generic Debian kernel. I boot from the AlienVault kernel and assume there is a valid reason they have their own kernel, and I would prefer to keep it. So I decided to compile the VMware Tools modules against that kernel.

First, you need to install the compiler and the headers for the running kernel:
# apt-get install build-essential linux-headers-$(uname -r)
Next, we run the install again and just choose yes when it asks us to build the modules:

None of the pre-built vmmemctl modules for VMware Tools is suitable for your running kernel. Do you want this program to try to build the vmmemctl module for your system (you need to have a C compiler installed on your system)?
[yes] Yes
If all goes well, after each module is compiled you will get a success message:
The vmmemctl module loads perfectly into the running kernel.
I checked, and the VMware Tools appear to be running perfectly. I still have some testing to do...but it works great.

Wednesday, January 20, 2010

Never say it can't be done

I recently came across a fairly simple task that was decidedly difficult to figure out how to implement on the Cisco ASA: multiple external IPs NAT'd to a single internal IP.

A Google search will bring up several forums in which the consensus is that it can't be done:

"There is no way the device would allow you to have 2 public ip to point to the same internalip."

That's not correct; sadly, if you call tier 1 Cisco support they will give you the same answer. The issue is how the ASA performs the various kinds of NAT:

static - This is a bi-directional NAT that is used for traffic to the host and from the host:
static (inside,outside) public-ip internal-ip netmask 255.255.255.255

nat (pat) - This is for traffic FROM the host only; traffic cannot be initiated TO the NAT IP:
nat (inside) 1 inside-ip
global (outside) 1 outside-ip

The issue is that the static is bi-directional, so the ASA will not let you add two plain statics for the same internal IP, since this would cause a conflict for outgoing traffic.

Now, I refused to accept the answer "it can't be done"...I refuse to believe that Checkpoint...the peak of early '90s technology...can do this, yet the ASA cannot. So I escalated.

I was right, it can be done, and here is how:

Given two Public IPs: 200.100.30.40 & 200.100.30.41
Given one Private IP: 10.10.10.1

First, you create an ACL for each NAT:

access-list nat1 extended permit ip host 10.10.10.1 any
access-list nat2 extended permit ip host 10.10.10.1 any

Now you create the static NAT statements, one tied to each ACL:

static (inside,outside) 200.100.30.40 access-list nat1
static (inside,outside) 200.100.30.41 access-list nat2

NOTE: Traffic generated FROM the inside will always get NAT'd to the first static entry.

You can verify by doing a 'show xlate':

Global 200.100.30.41 Local 10.10.10.1
Global 200.100.30.40 Local 10.10.10.1

Monday, January 18, 2010

Cisco Nexus gear

We recently installed a Nexus 5020 with 12 2048T Fabric Extenders (FEX). This will become the core switching environment for our new network. These are some pretty sweet switches with some wicked cool features. Some of the nice features:
  • Unified Fabric - Allows IP and native SAN over the same infrastructure.
  • VMware integration - Allows the creation of VM network profiles that can travel with the VM.
  • Multi-switch Etherchannel - On the Nexus it's referred to as Virtual Port Channel (vPC).
  • No Spanning Tree - Can be either a plus or a minus...but for us it simplifies our current deployment.
For all of the good features there are a few gotchas that we ran into:
  • FEX ports are GigE...only...don't even think of doing 10/100.
  • The 5020 has limited GigE...16 ports are GigE, the remaining 32 are 10Gig.
  • vPC limits the number of Etherchannel ports per FEX to ONE.
One of the interesting things we ran into with this system was configuring TACACS+ for authentication. Normally it's pretty straightforward: you define the TACACS servers and the key...bam, you're good to go. For the Nexus it's slightly different:

1. Enable TACACS+ on the system:
switch(config)# feature tacacs+
2. Add TACACS+ servers:
switch(config)# tacacs-server host 12.123.34.5
3. Add the TACACS+ key:
switch(config)# tacacs-server key
4. Add an authentication group:
switch(config)# aaa group server tacacs+ tacplus
5. Add the server to the auth group:
switch(config-tacacs+)# server 12.34.56.7
6. Set AAA to use the tacplus group:
switch(config)# aaa authentication login default group tacplus
7. Log it on the TACACS+ server:
switch(config)# aaa accounting default group tacplus
8. Finally, this line was needed for our setup:
switch(config)# aaa authentication login ascii-authentication
So far, fairly pleased with the Nexus. We aren't doing anything too cutting edge, but our setup on the Nexus cost considerably less than a comparable 6509 configuration. Obviously there are pros and cons to each setup, so your mileage may vary based on the requirements for your specific deployment.

Tuesday, January 12, 2010

ASA, ASDM, and longevity

I have spent the last several days cleaning up firewall configurations. These were brand new, out-of-the-box firewalls, and in less than a year their configuration was utter crap. I blame this on two things: the administrator and the ASDM GUI.

I blame the administrator for relying solely on the GUI and operating under the impression that it doesn't matter how the changes are made. Let me assure you...it does.

I blame the ASDM GUI for all of the extraneous crap that it puts in the configuration. Some of it is due to the administrator not using it correctly, and some of it is just the way the GUI works.

Let me just give a few do's and don'ts for ASA management:

  1. DO use object-groups in rules. Let's face it, it's easier to update one object-group than multiple rules.
  2. DO use descriptive names for object-groups and access-lists. When troubleshooting, it's much easier when you know what things are.
  3. DO NOT accept the default names the GUI assigns for anything. It is for this reason that I have object-groups like DM_INLINE_NETWORK_1, interfaces named OUTSIDE_VPN_VLAN999, and access-lists named OUTSIDE_VPN_VLAN999_access_in.

Now, there are a few other tips I have; these are really dependent on your site...but I find them to be pretty standard:

DO NOT use interface access-lists for your VPNs:

I've seen this done at several places, and honestly I don't know why. This actually introduces a new risk...especially if public IPs are used on both ends of the tunnel. What happens if the tunnel configuration is removed, but the ACL is not? The traffic will go out the interface unencrypted.

DO use VPN filters to apply ACLs to VPNs:

group-policy tunnel-name-filter internal
group-policy tunnel-name-filter attributes
vpn-filter value access-list-name

tunnel-group peer-ip general-attributes
default-group-policy tunnel-name-filter

Now, if we use descriptive names...we can tell which ACLs pertain to which tunnels.

DO NOT use names in the configuration:

no names

This is really just a preference, but when troubleshooting I like to be able to run the command 'sh access-list | in 12.234.45.6' and get all rules associated with that host. If I have names, I would first need to resolve that host to the name configured and then search for the name.

What happens if the hostname has changed or the host is known by several names?

DO AUDIT your firewall periodically:

Now, if you've followed the tips I've laid out, auditing should be a breeze. Simply capture the output from 'show access-list'. It's in a delimited format with [space] as the delimiter, so you can easily import it into Excel.

Now, if your object-group names are descriptive...you should be able to tell what each rule is for, and since the object-groups are expanded...you can verify all of the IPs that have access. You can annotate the spreadsheet with any POC information for a set of rules, justifications, etc. that you will need during your audit.
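As an added example (not from the post) of that audit step, the script below parses constructed 'show access-list' output, turns it into CSV for the spreadsheet, and does a field-aware version of the 'sh access-list | in <ip>' lookup that only returns the expanded object-group members. The ACL name, addresses and hit counts in the sample are made up.

```python
import csv
import io
import re
from collections import namedtuple

# Constructed sample of `show access-list` output (not captured from a real ASA).
# An entry that references an object-group is followed by the ASA's indented,
# expanded per-member entries, which are the ones that carry hit counters.
SAMPLE = """\
access-list OUTSIDE_access_in; 4 elements; name hash: 0x1a2b3c4d
access-list OUTSIDE_access_in line 1 extended permit tcp object-group PARTNER_NETS host 10.10.10.1 eq www 0x11111111
  access-list OUTSIDE_access_in line 1 extended permit tcp 192.0.2.0 255.255.255.0 host 10.10.10.1 eq www (hitcnt=42) 0x22222222
  access-list OUTSIDE_access_in line 1 extended permit tcp host 198.51.100.7 host 10.10.10.1 eq www (hitcnt=0) 0x33333333
access-list OUTSIDE_access_in line 2 extended deny ip any any (hitcnt=1337) 0x44444444
"""

LINE_RE = re.compile(
    r"^\s*access-list (\S+) line (\d+) extended (permit|deny) (\S+) (.+?)"
    r"(?: \(hitcnt=(\d+)\))? 0x[0-9a-fA-F]+\s*$")
Ace = namedtuple("Ace", "acl line action proto src dst service hitcnt")

def _take_addr(tokens):
    """Consume one source/destination spec; return (text, remaining tokens)."""
    kw = tokens[0]
    if kw in ("host", "object-group", "object"):
        return f"{kw} {tokens[1]}", tokens[2:]
    if kw in ("any", "any4", "any6"):
        return kw, tokens[1:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]   # network + mask

def parse_show_access_list(text):
    aces = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:                      # summary/header lines
            continue
        acl, line, action, proto, rest, hits = m.groups()
        src, tokens = _take_addr(rest.split())
        dst, tokens = _take_addr(tokens)
        aces.append(Ace(acl, int(line), action, proto, src, dst,
                        " ".join(tokens), int(hits or 0)))
    return aces

def rules_for_host(aces, ip):
    """Field-aware 'sh access-list | in <ip>', skipping object-group parents."""
    return [a for a in aces
            if not (a.src.startswith("object-group") or a.dst.startswith("object-group"))
            and f"host {ip}" in (a.src, a.dst)]

def to_csv(aces):
    """CSV rows for the audit spreadsheet, one per entry (parents included)."""
    buf = io.StringIO()
    csv.writer(buf).writerows([Ace._fields, *aces])
    return buf.getvalue()
```

The zero hit count on the 198.51.100.7 entry is the kind of thing that stands out in the spreadsheet and is worth asking the rule's POC about.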

In my experience, by following these tips you will have a firewall that is easy to manage for years to come. Troubleshooting issues is simpler, since you can visually distinguish which ACLs and object-groups apply.

I have to thank my mentor at Sun, Sam Munzani, who casually mentioned these tips to me as he handed off some ASA firewalls. The genius behind it was immediately clear the first time I had to audit the firewall. It was also amazingly simple to troubleshoot issues.