Stuff I'm Up To

Technical Ramblings

Extreme Networks – Routing (RIP) — March 22, 2017

Rather than tagging uplink ports with a load of VLANs and spanning those VLANs out to every switch that needs them, create a separate VLAN and IP scope at each switch (stack) location. Then use a single VLAN subnet (192.168.254.0/24) for routing between locations.

# create vlan Routing
# configure vlan Routing tag 1000
# configure vlan Routing ipaddress 192.168.254.254
# configure vlan Routing add port 1:46 tagged
# enable ipforwarding vlan Routing

Add RIP to the Routing VLAN so that when you create VLANs on the switch they are added to the central routing tables automatically.

# enable rip
# enable rip export direct cost 1
# configure rip add vlan Routing
# configure rip vlan Routing rxmode v2only

CVE – Security Vulnerability Datasource — March 18, 2017
STIG — March 17, 2017
Oracle Database Patches —
Category 5 Plug Wiring — March 12, 2017
How to use vSphere 6.x Certificate Manager — March 10, 2017
Dell iDRAC and Certificates —

A wider vulnerability scan picked up that we had self-signed certificates on our Dell iDRACs (Dell Remote Access Controllers). It also highlighted that the certificate keys were too small. That meant that in order to resolve the issue we must issue our own certificates and ensure they are the right key size.

This would normally be fairly straightforward. Use the Web UI to generate a CSR and then submit that to the CA. Then just upload the issued certificate to the Web UI and all is done. However, when we submitted the CSR the CA responded with a “Denied by Policy Module” error.

In the CA server's Application event log we see Event ID 53:

Active Directory Certificate Services denied request 78050 because The public key does not meet the minimum size required by the specified certificate template. 0x80094811 (-2146875375 CERTSRV_E_KEY_LENGTH).  The request was for E=root@localhost, CN=DRAC.domain.local, OU=My OU, O=My Organisation, L=Any Town, S=Some County, C=UK.  Additional information: Denied by Policy Module

HTTPS and SNI — March 9, 2017
Guidelines for Microsoft Clustering on vSphere —

This article provides links to a subset of articles that provide guidelines and support status for running various Microsoft clustering solutions and configurations on VMware vSphere.

VMware provides customers additional flexibility and choice in architecting high-availability solutions. Microsoft has clear support statements for its clustering solutions on VMware.

Additionally, VMware provides guidelines in terms of storage protocols and number of nodes supported by VMware on vSphere, particularly for specific clustering solutions that access shared storage. Other clustering solutions that do not access shared storage, such as Exchange Cluster Continuous Replication (CCR) and Database Availability Group (DAG), can be implemented on VMware vSphere just like on physical systems without any additional considerations.

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1037959

SSL/TLS Deployment – Best Practices —
Setting the Killbit for an ActiveX Control — March 7, 2017

Adding a killbit for a control that Nessus says requires one.

https://support.microsoft.com/en-gb/help/240797/how-to-stop-an-activex-control-from-running-in-internet-explorer

In brief, you need to find or create the class ID under:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility

However, on one I found I first had to hunt the name in HKEY_CLASSES_ROOT\CLSID.

E.g. Nessus reported:

  Class Identifier  : {D63891F1-E026-11D3-A6C3-005004055C6C}
  Filename          : C:\Program Files (x86)\xxxx\Runtime\NCSECW.DLL
  Installed version : 1.6.6.32

But when I searched for NCSECW.DLL I got a different Class ID, and that was the one I needed to add a killbit for.
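
The lookup-then-set procedure above in PowerShell, as an added example that is not code from the original post. The function names are hypothetical, the `Compatibility Flags` value 0x400 is the killbit documented in the linked Microsoft article, and the WOW6432Node paths are included on the assumption that the control is 32-bit, as the Program Files (x86) path suggests.

```powershell
# Added example; Find-ClsidByDll and Set-KillBit are hypothetical helper names.
# Run from an elevated prompt: the killbit lives under HKEY_LOCAL_MACHINE.
$KillBit = 0x400   # "Compatibility Flags" bit that stops IE instantiating the control

function Find-ClsidByDll {
    # List every registered class whose in-process server is the given DLL,
    # so the CLSID that actually maps to the file can be compared with the scan report.
    param([Parameter(Mandatory)][string]$DllName)
    $roots = 'Registry::HKEY_CLASSES_ROOT\CLSID',
             'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID'   # 32-bit registrations
    foreach ($root in ($roots | Where-Object { Test-Path $_ })) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $server = $_.OpenSubKey('InprocServer32')
            if ($server) {
                $path = [string]$server.GetValue('')   # default value = DLL path
                $server.Close()
                if ($path -like "*$DllName*") {
                    [pscustomobject]@{ Clsid = $_.PSChildName; Server = $path; Root = $root }
                }
            }
        }
    }
}

function Set-KillBit {
    # Create the CLSID key if missing and OR the killbit into any existing flags.
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
        [string]$Clsid
    )
    $bases = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    foreach ($base in ($bases | Where-Object { Test-Path $_ })) {
        $key = Join-Path $base $Clsid
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        $current = [int](Get-ItemProperty -LiteralPath $key).'Compatibility Flags'
        New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
            -PropertyType DWord -Value ($current -bor $KillBit) -Force | Out-Null
        Get-ItemProperty -LiteralPath $key | Select-Object PSChildName, 'Compatibility Flags'
    }
}

# Read-only step: see which CLSIDs are served by the DLL named in the scan report.
Find-ClsidByDll -DllName 'NCSECW.DLL' | Format-Table -AutoSize
# After reviewing the output, set the killbit on the CLSID you confirmed:
# Set-KillBit -Clsid '{CLSID-FROM-THE-OUTPUT-ABOVE}'
```

Re-running the scan afterwards confirms whether the finding has cleared for the CLSID that was set.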

Kali and OpenVAS — March 4, 2017