Diary of a Network Geek

The trials and tribulations of a Certified Novell Engineer who's been stranded in Houston, Texas.

7/4/2005

From Novell To Linux

Filed under: Geek Work,Linux,News and Current Events,Novell,Personal,The Network Geek at Home — Posted by the Network Geek during the Hour of the Sheep which is mid-afternoon or 3:51 pm for you boring, normal people.
The moon is Waxing Gibbous

Man, I hate to admit this…
But, my home network is illin’, yo. I have run Netware at home for years. My firewall has been Bordermanager, because who the heck knows enough about it, besides me and the guys at Novell, to crack it? Yeah, yeah, I know, security through obscurity is a Bad Thing, but sometimes it does work. Anyway, I have one Netware server that crashes hard with the slightest power fluctuation, even with line conditioners in place. Just the littlest bit of power blip makes it shut down. Not reboot, mind, but shut down. And, several weeks ago when it did that, the data volume took a dump and never came back. I have no idea how much data I lost there, or how mad my wife is going to be because of the data she lost there, but I don’t think it’s coming back this time.
So, that got me thinking… Why should I stick with Netware? I’m more of a Linux guy now anyway, so maybe it’s time to look into Linux firewalls.
Any suggestions? And, anyone have any suggestions for ways to try and recover that crashed Netware data volume?

6/16/2005

Firewhat?

Filed under: Career Archive,Deep Thoughts,Geek Work,Life, the Universe, and Everything,News and Current Events,Review — Posted by the Network Geek during the Hour of the Rooster which is in the early evening or 6:36 pm for you boring, normal people.
The moon is Waxing Gibbous

The secret word for today is “firewall”.
Not only is it an essential part of any connection to the Internet, it’s also what I installed today at work. Yes, that’s right, what I thought I was looking at in the config of the weird, little Covad router was NOT a firewall or even an active filter set. Unfortunately, I found that out the hard way when I rebooted the router last week and the filters activated, killing everyone’s Internet access. I’m not sure who was more surprised, the support tech or me, when they discovered the active filters. I know I was more shocked than the tech when he told me that they don’t support firewalls built into their routers. In short, we were flapping in the proverbial breeze. And, apparently, we had been since, well, since they’ve had an Internet connection. Doh!
Anyway, after a bit of scrambling and some gulping at spending real money for a real firewall, I got a D-Link DFL-1100. It’s a nice, little firewall appliance that has a built-in DMZ, for later use with a mail server, and IDS detection with e-mail notifications. It was pretty easy to configure, once I got the details on the funky Covad router. I really don’t like them. Hooked directly to the console port on the router, I still had refresh issues and timing strangeness that got really frustrating when I had everyone in a hurry to get their e-mail. Damn irritating. The DFL-1100, however, was pretty simple to install and configure. It even had predefined filters and exceptions that seemed to be working just fine. I’ll probably fine tune that over the next couple of weeks, but, for now, it works okay.

It’s really frightening to me, though, that they could have gone for so long without any protection at all. How could an Internet company sell service to someone and not check with them about having a firewall in place? How could anyone who knows anything about the Internet leave a connection open for literally years? I wonder how many spam problems will go away here, now that I’ve gotten a firewall in place?
Of course, I’m pretty disappointed in myself for not understanding what I was seeing in that Covad router, too. I should have caught that sooner. Sure, I don’t mess with routers on a regular basis, but I’ve done it enough that I should have seen this. Well, at least it’s taken care of now. Lord, help me, what will I find next?

5/10/2005

Red Hat, Grey Hat

Filed under: Apple,Fun Work,Geek Work,Linux,MicroSoft,Novell,The Dark Side — Posted by the Network Geek during the Hour of the Rooster which is in the early evening or 6:14 pm for you boring, normal people.
The moon is Waxing Gibbous

I love Dr. Seuss, but all he did was inspire the title.
I have two concerns this week: Linux servers and security. I’ve installed a test RedHat server and configured Samba on it, so now I can start testing how the accounting system will run from a mapped Linux drive. And, I’ll be testing the custom, in-house app that gives us our competitive edge. I’ve got server spec to get to the boss, when he’s in the office again, but I’m still waiting on pricing for a Linux-based backup system. It was actually much easier to get setup than I thought it would be. Though security may be an issue, since, essentially, Samba emulates Windows sharing on a Linux platform.
Security is my second issue. There’s a basic firewall in place on the router, but I don’t think that’s enough, especially if we want to block “adult” sites. And, since we do actually have a policy against that sort of thing, we do. So, eventually, I need to get that all spec-ed out and installed, too. And tested. Yeah, a little scan against our outside link would be interesting to look at, especially if I do it before and after. Ah, well, that’s down the line. First, I have to get the server upgraded.
Oh, and I still need to evaluate Novell’s Open Server on Linux before I decide which way to go for an OS on the new server. I know I want to avoid a Microsoft product, if at all possible. Frankly, it looks like it should be a real possibility. It all depends on how testing goes this week, so we’ll see. That and getting a CD burner at the office so I can burn the demo ISOs and install them.
Then, there are all the “little” projects that everyone keeps bringing me, not to mention all the nice G4s and assorted Macintrash… Ah, the work of a one-person IT department is never done. But, somehow, having easily defined goals makes the work more fulfilling. I know where I’m going and how I’m going to get there, so it’s all okay.
(The Seuss book, by the way, was One Fish, Two Fish, Red Fish, Blue Fish and a childhood favorite.)

4/25/2005

Surviving Day One

Filed under: Career Archive,Deep Thoughts,Dog and Pony Shows,Geek Work,GUI Center,Life, the Universe, and Everything,Linux,MicroSoft,News and Current Events,Novell,Personal,The Dark Side — Posted by the Network Geek during the Hour of the Rooster which is in the early evening or 6:04 pm for you boring, normal people.
The moon is Waxing Gibbous

Well, I survived my first day at the new job.
Oh, what’s that? New job? Oh, didn’t I mention it before?
Yeah, okay, there’s a funny story behind that. Well, there’s a story behind that which involves things like lawyers and teenagers and medical insurance and divorce. Come to think of it, it’s not a very funny story at all. But, I hope that it will be one day.

Anyway, I’m the IT Manager at a new company called SeaTrax now. We make cranes. Big cranes that are based on big platforms in the ocean. It’s actually pretty cool. It’s a Windows shop, but, well, nothing’s perfect. With any luck at all, I’ll be able to convert them to either a Linux shop or a Novell shop, or both!
It was a long, hard day trying to set priorities, so when I got home, I microwaved some chicken-fried steak and gravy followed by a dessert of Krispy Kreme mini-crullers. And, I washed it all down with a Sam Adams. Yes, even the Krispy Kreme! (Hey, back off! It was a long day!) And, my sweet doggie was so happy to see me when I got home, I let her lick off my dinner plate. She loves gravy!
Anyway, all I managed to do was get a rudimentary “To Do” list put together. Actually, I even stole that idea from a faithful reader, BlueCube. But, here it is anyway. Feel free to make suggestions!

Jim’s Great Big, Enormous To Do List of Doom

Short Term
* Get specs for hardware for server upgrade
* Figure out solution for PeachTree for server upgrade
* Figure out OS for server upgrade
* Document security layout for new server
* Order enough Backup tapes for Full GFS for every backup server
* Tape Inventory & sign out
* Tape backup courier or a whole new scheme for backup admins
* Clean up Edirectory
* Clean up data junk on servers
* Clean up active directory

Long Term:
* Address Windows Server Updates
* Work out Tape Cleaning procedure for all backups
* Upgrade Anti-virus software and automate
* Figure out Name Changes and write up procedures
* Figure out what to do with multi-user accounts
* Create New user/change form
* Write backup procedures guidelines
* Write anti-virus procedures
* Write workstation software and hardware policies and procedures
* Evaluate T1/WAN connection, price and reliability
* Come up with plan for “roaming” staff
* Create Firewall maintenance/monitoring guidelines
* Create monthly network maintenance procedures
* Create shutdown scripts for server

Blue Sky:
* create monthly newsletter
* Build wishlist for end of budget
* Formulate server percentage uptime
* Clean computer room
* Clean tech room
* Setup IDS system
* Implement PDA synchronization system and standards

9/20/2004

Hot Link

Filed under: Fun Work,Geek Work,Novell,Personal,The Network Geek at Home — Posted by the Network Geek during the Hour of the Snake which is just before lunchtime or 11:15 am for you boring, normal people.
The moon is Waxing Gibbous

I love the smell of burnt circuits in the morning!

Actually, no, I don’t, but it was a good, catchy line. So, it turns out that, yes, my DSL router got kissed by lightning and cooked. Actually, just the DSL modem part got cooked, but that was enough to keep me from getting to the Internet. And, to add insult to injury, I also lost several network cards. So, I spent the better part of the week scrounging up network cards, testing them, finding drivers for them, and replacing dead cards at home. Saturday afternoon, I had a tech over who took all of about 10 seconds to confirm that it was, in fact, my DSL Router that had gone all crispy.
In fact, his whole visit lasted all of about 15 minutes. I wore my new Novell Cool Solutions Tip T-shirt, in lovely Hunter Green, which arrived Thursday night, just so he could see I was a real geek. He took one look at that, my Wall O’ Computer Books (most of which are terribly out of date), all the equipment laying about and basically got out of my way. He metered the line, then offered to sell me a router out of his truck. It cost at least twice what it was worth, but saved me the hassle of configuring it and let me test while he was still there. Another 10 minutes to change out the last bad network card and reconfigure my BorderManager firewall, then I was back up and running.

Actually, I did get a bit more reading done than I would have otherwise this past week. And, I was less obsessive about the new game I’m playing on-line (more about that on Friday). Still, it’s nice to have e-mail again. And, I think my wife likes having access to the ‘Net again, too. So, it’s back to wasting time as normal for us. Wee!

9/15/2004

BOOM!

Filed under: Geek Work,Linux,Novell,Personal,The Network Geek at Home — Posted by the Network Geek during the Hour of the Hare which is in the early morning or 7:54 am for you boring, normal people.
The moon is Waxing Gibbous

Well, that was exciting!

I fried two power supplies last night. And, I think either my DSL router is toasted, or two of my three PCI network cards are. Apparently, we got hit with lightning yesterday. I say “apparently” because I wasn’t there, but my wife described a “big flash and a boom” that sounded like it was “right here”. And, of course, right after that, my DSL stopped working. (So, yes, I’m posting this from the office.)
Anyway, I was up until about 1:00am troubleshooting that, but with little effect. I’ll try and scrounge a new network card at the office, but I’m not holding out much hope. Oh, and I blew the two power supplies while trying to get everything into a new machine, just to eliminate that as a possibility. I finally scrapped my poor wife’s Linux machine and made it the new firewall. Unfortunately, I still can’t get it to see both network cards! Ah, well, I guess I’ll work on that tonight…

So, I have one entry in the queue and that’ll be the last one for a bit. At least until I get the firewall working again. *sigh*

4/22/2004

Major TCP Vulnerability

Filed under: Criticism, Marginalia, and Notes,Geek Work,News and Current Events,The Network Geek at Home — Posted by the Network Geek during the Hour of the Hare which is in the early morning or 7:29 am for you boring, normal people.
The moon is Waxing Gibbous

Of course, I’m sure everyone’s talking about this already, but…

Well, it’s a pretty big deal! So, yesterday morning I read an article on Australian IT about a really big problem with TCP. Now, if you don’t know what TCP is, don’t worry. It won’t affect your job at all. Of course, I’m not sure why you’re reading this blog, but, whatever. Now, for those of you who understand what this means: Stop Panicking!

First of all, if you check the articles that are floating around, it’s not every implementation of TCP that’s affected. On the other hand, if you’re running a router with Border Gateway Protocol, you’d better check on it. That’s one of the biggest nasties here. It makes all sorts of routers vulnerable. That’s thousands of times worse than just hitting a workstation. A firewall can usually block attacks on a workstation, but routers are something else again. After all, most hardware firewalls are really special purpose routers, so… Well, best to check on them. (Frankly, I’ve never been so glad that I’m primarily a server guy!)
As for the rest of it, I’ll hold on for a bit and see what turns up. I’m sure there will be tonnes of Micro$oft service packs and other patches, but until they’re released, there’s not much I can do. Fasten your seatbelts, kids, the ride’s about to get a little bumpy.

4/19/2004

I’m no Rageboy

Filed under: Criticism, Marginalia, and Notes,Deep Thoughts,Personal — Posted by the Network Geek during the Hour of the Hare which is terribly early in the morning or 6:59 am for you boring, normal people.
The moon is Waxing Gibbous

Though, my wife tells me I could be.

No, really, she once encouraged me to fully explore my Rageboy-ness. Never heard of Rageboy? Oh, I think you have. You probably know him as Christopher Locke, the author of Gonzo Marketing: Winning Through Worst Practices and The Cluetrain Manifesto: The End of Business as Usual. But, I’m really trying to not give into the “dark” side and rip into people anymore. Hey! Stop laughing!!

Okay, I have to admit, sometimes I get a little, well, cruel when I’m dealing with idiots. For instance, when the guy from overseas who e-mailed me looking for advice on installing a Gauntlet firewall asked me what I meant by “hardening the OS”, I kind of went ballistic. I mean, if he doesn’t know that there are steps to take to make Windows 2000 more secure, should he really be installing a firewall? And, what does he think I’m going to do for him? Search TechNet and get only the “good” articles? But, I digress. I’m trying to be a kinder, gentler Network Fascist. (Okay, in actual conversation, I get specific about the kind of alliterative fascism, but why should I risk insulting anyone I haven’t met?) Really, it’s part of the new image that I hope will let me compete with all the fine off-shore outsourcers who don’t know how to spell LDAP, much less what it is.
Besides, Rageboy has nudity on his blog page and I try to be “family friendly”. Sure, it’s Manson Family, but, still…. I do try to put a “nicer” face on disgruntled, soon-to-be-outsourced, under-paid, over-qualified, angry, thirty-something Network Engineers. I mean, I don’t go out of my way to be cruel and nasty. It just happens. Er, “it seemed like the thing to do at the time”?

Well, anyway, I’m happier being the Network Geek, or even the only Novell Certified James Hoffman, than I am being an imitation Rageboy. And, that’s the story I’m sticking with!

1/29/2004

Who needs a firewall when…

Filed under: Certification,Fun Work,Geek Work,Things to Read — Posted by the Network Geek during the Hour of the Hare which is terribly early in the morning or 6:59 am for you boring, normal people.
The moon is Waxing Gibbous

you have a moat!

I’ve been working on my CompTIA Security+ certification using, in part, the Security+ Exam Cram 2 book to study for it. And, on page 227, under the Organizational Security section, they say:

The last physical barrier is a moat. Moats surround part or all of a facility and are excellent physical barriers because they have a low profile and are not as obtrusive as fencing. In this instance, the consideration would be the depth and width. As with all physical barriers, the moat must be well maintained.

No, I am not kidding. The book actually suggests that a moat is a physical defence. I can just see trying to sell this to my boss now.
“Uh, Joe? I feel our revised security plan really needs a moat.”
“Did you say ‘a moat’?”
“Yep, it’s right there in the Security+ curriculum. A moat, Joe.”
“A moat.”
“With alligators, if you think we can manage to get them through the budget.”

Oh, God help me. What am I doing in this business? If it weren’t so damn funny, it’d make me cry.


5/1/2003

Roll Your Own Linux Distro

Filed under: Geek Work,Linux — Posted by the Network Geek during the Hour of the Hare which is in the early morning or 7:12 am for you boring, normal people.
The moon is Waxing Gibbous

Wanna’ be the next Red Hat?

Well, here’s a site called Linux From Scratch that will help you do it. The whole site is dedicated to creating a Linux distribution from the ground up. And, if you have a particular application in mind, like a firewall, you can go to Beyond Linux From Scratch and get info there.
Of course, Red Hat has all the marketing and support stuff knocked out already, but still, you could have your very own distro. Hmmm, imagine that, the Official Diary of a Network Geek Linux Distro. Sounds yummy, doesn’t it?

Well, enough dreaming, back to studying for my Linux+ test!
