Cisco IOS 15: Community Pain?

I've not been doing anything that could be considered interesting with Cisco kit recently, although at work we do have some of their products in use. Before rolling out solutions, simulators were rather handy for trying out different scenarios, but it seems that this may become a bit of an issue from IOS 15 onwards, at least at the moment.

If you want to know more I'd suggest taking a gander at Stretch's article on the need for educational IOS licensing.

Graphing Micromiser with Munin

I've been playing with Micromiser for a few days, and wanted to graph what it claims to be saving on one of the servers. Luckily this is pretty easy with Munin (which is already running on the box), since Micromiser logs to syslog occasionally. Below is the plugin I hacked together; it looks at syslog and uses sed to extract the percentage saving. It's not pretty, but it does work.

Perhaps this'll save you a few minutes.

#!/bin/sh

# Plugin to graph the savings made by micromiser

if [ "$1" = "autoconf" ]; then
        echo yes
        exit 0
fi

if [ "$1" = "config" ]; then

        echo 'graph_title Micromiser Savings (percentage)'
        echo 'graph_args --upper-limit 100 -l 0'
        echo 'graph_vlabel savings'
        echo 'graph_category system'
        echo 'savings.label savings'
        echo 'savings.draw AREA'
        echo 'savings.min 0'
        exit 0
fi

# Take the most recent "Estimated ... (NN.N%)" line and keep only the number.
# sed -n ... p prints nothing when the line doesn't match, so a changed log
# format gives an empty RES rather than the whole line.
RES=$(grep Estimated /var/log/syslog | tail -n 1 | sed -n 's/.*(\([0-9.]*\)%)$/\1/p')

# Munin wants "field.value number" followed by a newline (echo -n gave it
# neither reliably). Report U (unknown) when the log has no matching line.
printf 'savings.value %s\n' "${RES:-U}"
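The same plugin again as a Python Munin plugin, added here as an example and not the script from the post, so that the extraction can be exercised against constructed syslog lines. The format of the Micromiser line is assumed from the sed expression (a percentage in parentheses at the end of the line); the sample lines, the host name `web1` and the `micromiser[2210]` tag are made up for the example.

```python
"""Added example, not the plugin from the post: the syslog extraction as a
Python Munin plugin, so the parsing can be exercised against constructed log
lines. The shape of the Micromiser line is assumed from the post's sed
expression; the sample lines below are made up, not real Micromiser output."""
import os
import re
import sys

# Anchor on the program name as well as the keyword, so a line from some other
# daemon that happens to end in "(NN%)" cannot feed the graph.
ESTIMATE_RE = re.compile(
    r"micromiser(?:\[\d+\])?: Estimated .*\((\d+(?:\.\d+)?)%\)\s*$")

CONFIG = """\
graph_title Micromiser Savings (percentage)
graph_args --upper-limit 100 -l 0
graph_vlabel savings
graph_category system
savings.label savings
savings.draw AREA
savings.min 0"""

# Constructed sample log: two Micromiser reports, with an unrelated line that
# also contains "Estimated" and a trailing percentage in between.
SAMPLE_SYSLOG = """\
Jan  5 10:00:01 web1 micromiser[2210]: Estimated saving since last report (12.5%)
Jan  5 10:03:17 web1 sshd[1234]: Accepted publickey for admin from 192.0.2.9 port 50022
Jan  5 10:05:01 web1 backup[99]: Estimated completion of job 7 (99%)
Jan  5 10:10:01 web1 micromiser[2210]: Estimated saving since last report (17%)
"""


def latest_saving(lines):
    """Most recent Micromiser saving as a float, or None when no line matches
    (fresh box, freshly rotated log, service stopped)."""
    value = None
    for line in lines:
        match = ESTIMATE_RE.search(line)
        if match:
            value = float(match.group(1))
    return value


def fetch_output(lines):
    """The line Munin reads on a plain run. 'U' marks an unknown sample, so the
    graph shows a gap instead of plotting an empty or bogus value."""
    value = latest_saving(lines)
    return "savings.value %s" % ("U" if value is None else value)


def main(argv, log_path="/var/log/syslog"):
    mode = argv[1] if len(argv) > 1 else ""
    if mode == "autoconf":
        # Munin's convention: "yes", or "no (reason)" when the plugin can't work.
        readable = os.access(log_path, os.R_OK)
        print("yes" if readable else "no (cannot read %s)" % log_path)
    elif mode == "config":
        print(CONFIG)
    else:
        try:
            with open(log_path) as log:
                print(fetch_output(log))
        except OSError:
            print("savings.value U")


if __name__ == "__main__":
    main(sys.argv)
```

Whichever version you run, the plugin executes as the munin user, and on Debian-style systems /var/log/syslog is typically owned by root:adm and not world-readable, so autoconf should say no until you grant access (for example `group adm` under the plugin's section in /etc/munin/plugin-conf.d/). Anchoring the match on the program name matters for a similar reason: syslog collects lines from every process on the box, and anything able to log a line ending in "(NN%)" would otherwise get to draw on your graph.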

Mostly harmless

I've had a few people asking me, via various channels, about my "sudden" change in status on the LFSforum. Rather than deal with it individually again I figured a quick post might help.

  • It's correct that I'm no longer a moderator.
  • It wasn't the result of anything I'd done, or any animosity between myself, any of the other mods, or the LFS devs. Quite the opposite, in fact, and I wish both the moderation and development teams all the luck in the world with LFS.
  • It was largely the result of the community as a whole, which I no longer felt that I could moderate impartially. I won't go into further details, even if you ask. So please don't.
  • It was also due, in part, to my ever-increasing lack of time to post, let alone do consistent and "proper" moderation.

For these reasons I'm taking a break from the forums; however, I intend to return to assist with the programmers' forum and various bits of support again at some [undetermined] point in the future.

Be careful with that hammer

Over the last few days there's been an interesting debate on NANOG [1] over the usefulness of firewalls. Although NANOG focuses on much larger networks than I typically look after, the discussion presents some interesting arguments, and some I simply hadn't considered, because I've never been directly on the receiving end of anything you could call a large attack.

Roland Dobbins makes a very good point, and it's the main one that hadn't really twigged in my brain: servers, by their nature, sit there listening for unsolicited connections, so a stateful firewall in front of them is tracking connections the server has to accept anyway. Using one could be considered overkill, provided that you have some degree of control over the hardware in front of the server(s). Stateless ACLs are much faster, especially as they're typically handled in hardware on routers and switches. Combine them with hardened servers [2] and you're off to a good start.

Although some vendors are now doing stateful filtering in hardware, it's still likely that the firewall can be made to fall over before the host by exhausting its state table. You can push that point out by making the firewall highly available or scaling it up, but you're ultimately only postponing the problem and waiting for someone able to launch a bigger attack. You're now in a hardware and cash race.
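A small model of that argument, added here as an example (mine, not the post's or the NANOG thread's): a stateless ACL decides per packet and has nothing for an attacker to exhaust, while a stateful firewall keeps one entry per half-open connection, so a spoofed SYN flood fills its table and legitimate clients are dropped at the firewall before the server behind it is even busy. The table size, half-open timeout, addresses and packet counts are assumptions for illustration, not figures from any product.

```python
"""Added example, not from the post or the NANOG thread: a model of why a
stateful firewall in front of a server can be exhausted before the server is,
while a stateless ACL cannot. Table sizes, timeouts, addresses and packet
counts are made up for illustration, not measured from any product."""
from collections import OrderedDict


def packet(src, sport, dst, dport, syn=True):
    """Just the fields the two filters look at."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "syn": syn}


class StatelessACL:
    """Router/switch-style access list: permit by destination port only.

    The decision depends on the packet in hand, so the ACL cannot be run out of
    resources. Whatever it permits still reaches the server, which is why it
    has to be paired with a hardened host that only listens where it must."""

    def __init__(self, allowed_dports):
        self.allowed = set(allowed_dports)
        self.permitted = 0

    def accept(self, pkt, now=0.0):
        ok = pkt["dport"] in self.allowed
        if ok:
            self.permitted += 1
        return ok


class StatefulFirewall:
    """Connection-tracking firewall with a bounded state table.

    Every permitted SYN creates an entry that lives until the half-open timeout
    expires; when the table is full, new SYNs are dropped whoever sent them."""

    def __init__(self, allowed_dports, max_entries, syn_timeout):
        self.allowed = set(allowed_dports)
        self.max_entries = max_entries
        self.syn_timeout = syn_timeout
        self.table = OrderedDict()  # flow key -> expiry time, oldest first
        self.dropped_table_full = 0

    def _expire(self, now):
        while self.table:
            key, expiry = next(iter(self.table.items()))
            if expiry > now:
                break
            self.table.popitem(last=False)

    def accept(self, pkt, now):
        self._expire(now)
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key in self.table:
            return True  # packet belongs to a tracked flow
        if not pkt["syn"] or pkt["dport"] not in self.allowed:
            return False
        if len(self.table) >= self.max_entries:
            self.dropped_table_full += 1
            return False  # state exhausted: this is the failure mode
        self.table[key] = now + self.syn_timeout
        return True


def sustainable_syn_rate(max_entries, syn_timeout):
    """SYNs per second at which the table fills exactly as fast as it drains.
    An attacker who sustains more than this eventually owns the table."""
    return max_entries / syn_timeout


def spoofed_syn_flood(count, dst, dport):
    """Constructed attack traffic: every SYN from a distinct spoofed 5-tuple."""
    for i in range(count):
        yield packet("198.51.100.%d" % (i % 254 + 1), 1024 + i // 254, dst, dport)


def run_scenario(flood_size=5000, max_entries=1000, syn_timeout=30.0):
    """Flood at t=0, then one legitimate client at t=1, and the same client
    again once the half-open entries have timed out."""
    server = "203.0.113.10"
    acl = StatelessACL({80, 443})
    fw = StatefulFirewall({80, 443}, max_entries, syn_timeout)
    for pkt in spoofed_syn_flood(flood_size, server, 80):
        acl.accept(pkt, now=0.0)
        fw.accept(pkt, now=0.0)
    flood_forwarded_by_acl = acl.permitted
    client = packet("192.0.2.7", 40000, server, 443)
    acl_passes_client = acl.accept(client, now=1.0)
    fw_passes_client = fw.accept(client, now=1.0)
    fw_recovers = fw.accept(client, now=syn_timeout + 1.0)
    return {
        "acl_forwarded_flood": flood_forwarded_by_acl,
        "acl_passes_client": acl_passes_client,
        "fw_passes_client": fw_passes_client,
        "fw_dropped_table_full": fw.dropped_table_full,
        "fw_passes_client_after_timeout": fw_recovers,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print("%-32s %s" % (name, value))
    print("sustainable SYN rate, 1M entries / 30 s: %.0f/s"
          % sustainable_syn_rate(1_000_000, 30.0))
```

With the defaults the firewall drops the client at t=1 while the ACL passes it, and the ACL also forwarded all 5,000 flood packets to the server. That is the trade the post describes: the ACL won't fall over, so the host has to be able to take what gets through. The `sustainable_syn_rate` figure is the number to compare against what an attacker can send: a million-entry table draining on a 30 second half-open timeout is saturated by roughly 33,000 spoofed SYNs per second, a few tens of megabits per second of minimum-size packets.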

When this happens you're probably at the point where large attacks are a real worry: you're a big target (such as Facebook or Twitter), or you're a service provider. In those circumstances, detecting attacks and null-routing the traffic, or diverting it through a scrubbing mechanism, becomes useful. Fortunately for those of us at the much smaller end of things these generally aren't things we need to worry about (although I'd seriously love to set it up and play with it on real hardware [3]); they're something we can run to the service provider about.

At the end of the day us small guys and girls can only go so far. Our domain of control is much, much smaller. If you're renting a small number of servers you may well not have access to the hardware in front of your box(es) to implement those lovely hardware-based ACLs (although 1and1 did provide this feature the last time I had servers with them). In that situation there really isn't much option but to do the filtering on the box itself if you want some form of control over what hits it.

Ultimately I'm not advocating for the stateful firewall to go away. Hopefully that's clear. They've definitely got their uses, such as protecting a gaggle of clients, and perhaps single servers. All I'm trying to say is that you don't always need a sledgehammer; sometimes a tack hammer will do. Just make sure that the little tack hammer is more prominent in your mental toolbox!

I'll certainly be thinking a lot more carefully when it comes to all of the technical decisions over the next few months. After all, you never know - there could be all sorts of really elegant solutions that you've been dismissing.

[1] It all started with "D/DoS mitigation hardware/software needed" and is currently continuing under "I don't need no stinking firewall!".

[2] Really, turn off the stuff you don't need on externally facing interfaces, such as NetBIOS and Windows file sharing. Bind services to the interfaces or addresses they need. Don't be lazy.

[3] Lets be honest, virtual labs just aren't as fun.

VMware to Hyper-V Conversions

Over Christmas we had to do a bunch of VMware to Hyper-V conversions at work. Once you've sufficiently prepared the VM there are a whole bunch of ways you can do this, ranging from converting the VMDK directly, to mounting the VMDK and a blank VHD and copying the contents across. We took it as an opportunity to play with Disk2vhd from Sysinternals.

If you're using SCSI disks in your VMware VM then you will first need to add the IDE controller driver, to (hopefully) avoid a BSOD when you boot under Hyper-V for the first time. Why not just set Hyper-V to use SCSI disks? Sadly because Hyper-V cannot boot from SCSI. Once we'd added the driver and rebooted to make sure it stuck, we simply ran Disk2vhd and pumped the VHD off to a network share.

Interestingly, Windows 2003 x64 and 2008 were a lot more tolerant of the change in "hardware" than older Windows versions, which needed a Windows repair; I can't fault Disk2vhd for that, as it was something I was expecting anyway.

What worried me most was that on the first run Disk2vhd produced a mangled VHD, which I managed to repair and get working by doing the following:

  1. Mounted the VHD and declined Windows' offer to format the partition it could see.
  2. Extended the partition so that it filled the VHD (for some reason it had left a whole load of space free; none of the other conversions did this). I chose to use diskpart, but use whatever you're comfortable with.
  3. Ran TestDisk to ensure that all was OK with the partition. In this case it threw up some weird error that I failed to note down, and right now I can't remember for sure whether TestDisk helped or not. A chkdsk /f definitely did, however. After this the VHD was in perfect working order.

Fortunately none of the other conversions had this issue, and as much as I would've loved to investigate why it happened, I just didn't have the time.
