Stuff I'm Up To

Technical Ramblings

Orphaned RIP Route — May 10, 2017

After making some changes to the way our network was set up I ran into a problem with RIP.

We started out with a VLAN spanning a pair of switches and using a tagged uplink port to connect and span the two. This worked fine, but with the new design favouring routing I thought we’d take the opportunity to change the configuration.

As the edge switch was being replaced it was easy enough to just rebuild the new switch and configure it for RIP. But on the core switch it meant I needed to delete the VLAN that would no longer be needed. This is what stopped me in my tracks.

Broken ARP — April 26, 2017

Not a fun morning. We spent an hour or two trying to figure out why our GUEST network was unable to route any packets to the Internet.

For many, a GUEST network may be a trivial network, but we also use GUEST for unauthenticated devices to access our Virtual Desktop System – primarily devices that are re-purposed laptops/desktops that no longer require a full Windows PC for domain access and just provide a VMware Horizon Client. So we had a large number of users unable to connect to the back office systems.

The strange thing here was that all other network traffic from the trusted networks worked as expected.

Sophos UTM HA —

We encountered a few problems with licensing when we looked at moving from the UTM525’s to UTM430’s so we had to delay the project until yesterday. On the one hand it gave us plenty of time to plan for the eventualities like Martians and be confident that the configuration restore testing worked whilst testing.

The one thing we didn’t expect was a problem getting the two UTM430’s to configure themselves using High Availability (HA).

HTTPS on the Synology NAS — April 25, 2017

I love this Synology NAS. It’s so versatile and immensely capable. I use it for streaming my TV, movies and music. It also acts as my Couchpotato, Sonarr and NZBGet system. I think I’ll definitely get another when the time comes.

But enough glorification.

Using the free certificate services from Let’s Encrypt you can obtain a FREE TLS/SSL certificate that you can use on any of your encryption services with the one caveat that it will expire every 3 months.

Sophos UTM Up2date CLI — April 4, 2017

After buying some replacement UTM430’s to replace the UTM525’s the new 430’s came in with some ancient firmware. As I’ve not got them plugged into the network right now I want to get them up to the same firmware as the current 525’s.

In our case the shipped firmware was 9.311 and the current 525’s was 9.411. There’s quite a few updates between those releases!

Preventing Martians —

In the process of changing firewalls and routers around, the Juniper detected what it suspected were malicious MAC address changes: the MAC address no longer matched the one it had last seen for that IP address. This is understandable, as we were giving the same IP address to new hardware.

This MAC mismatch error triggers Martian alerts, which results in the IP addresses of the new devices becoming unroutable. To prevent this, clear down the IP ARP cache tables on the various devices.

Juniper (ScreenOS)

-> clear arp [192.168.0.254]

or

-> clear arp all

Extreme Switches (XOS)

# clear iparp [192.168.0.254]

or

# clear iparp vlan [TRUST]

Martian addresses are host or network addresses about which all routing information is ignored. When received by the routing device, these routes are ignored. They commonly are sent by improperly configured systems on the network and have destination addresses that are obviously invalid.

Extreme Networks – Routing (RIP) — March 22, 2017

Rather than tagging uplink ports with a load of VLANs and spanning those VLANs out to every switch that needs them, create a separate VLAN and IP scope at each switch (stack) location. Then use a single VLAN subnet (192.168.254.0/24) for routing between locations.

# create vlan Routing
# configure vlan Routing tag 1000
# configure vlan Routing ipaddress 192.168.254.254
# configure vlan Routing add port 1:46 tagged
# enable ipforwarding vlan Routing

Add RIP to the Routing VLAN so that when you create VLANs on the switch they are added to the central routing tables automatically.

# enable rip
# enable rip export direct cost 1
# configure rip add vlan Routing
# configure rip vlan Routing rxmode v2only

STIG — March 17, 2017
Category 5 Plug Wiring — March 12, 2017
Dell iDRAC and Certificates — March 10, 2017

A wider vulnerability scan picked up that we had self-signed certificates on our Dell iDRACs (Dell Remote Access Controllers). It also highlighted that the certificate keys were too small. So to resolve the issue we must issue our own certificates and ensure they use the right key size.

This would normally be fairly straightforward: use the Web UI to generate a CSR and then submit that to the CA. Then just upload the issued certificate to the Web UI and all is done. However, when we submitted the CSR the CA responded with a “Denied by Policy Module” error.

In the CA server’s Application event log we see Event ID 53:

Active Directory Certificate Services denied request 78050 because The public key does not meet the minimum size required by the specified certificate template. 0x80094811 (-2146875375 CERTSRV_E_KEY_LENGTH).  The request was for E=root@localhost, CN=DRAC.domain.local, OU=My OU, O=My Organisation, L=Any Town, S=Some County, C=UK.  Additional information: Denied by Policy Module

SSL/TLS Deployment – Best Practices — March 9, 2017
Kali and OpenVAS — March 4, 2017