ISCW Notes - Access List Resequencing

I don’t know if this really pertains to the ISCW test per se, but this is something I learned in my class last week.  I’m sure I should have learned this years ago, but, alas, I didn’t.

Access lists get messy.  You build one, apply it to an interface, and think all is well.  Then someone asks for more access, so you may have to insert new entries between existing lines.  Your security team may ask you to deny access from a host while allowing it from others.  The next thing you know, your ACL looks something like this.

ISCW Notes - Role-based Views

I’m at training for the ISCW test this week, and this topic came up yesterday.  Since it came up last week at the office, I figure it was a sign from $deity that it was time for a blog entry.

An admin in another business unit was trying to set up command access for some of his techs.  He was going through a couple of routers and assigning commands to privilege levels so that his techs could access them.  He was having a boat load of problems, though, and couldn’t get it to work

I’ve Been Hacked

It looks like one of those Russian b*%*#rds got me some time last week.  I don’t know how long the site was down for sure, but I would guess that he first got access on Thursday, 22 October.  Since we’re talking about WordPress here, I just restored back to 15 October to be safe, and it looks like we’re back in business.

As a precaution, I’ve reset some passwords and deleted a whole mess of accounts.  I tried to leave the ones that look familiar to me like Blindhog and LBSources, but, if I killed your account, I apologize.  I’m afraid you’ll have to sign up again for the sake of security.

Using SPF Records To Build Objects

My biggest complaint about modern firewalls is their lack of the ability to create rules based on URLs or HTTP streams; you have to open access between IP addresses.  Yes, I know there are other means to do that, but I want my ASA/PIX/FWSM to do it without making me do so much work.

Anyway, the fact that you have to use IPs brings up some interesting problems.  Let’s say you have a server in a DMZ that needs to query Google for some content.  Since you’re a hard-ass network guy like I am, you tell the admin that they have to provide the data flow they want to use – source IP, destination IP, protocol, port.  They come back and tell you that they need their server to connect via HTTP to 74.125.45.100.  You put in the rules as given, but the IP has suddenly changed on you.

Object Groups in the ASA/FWSM/PIX

I can’t believe I haven’t talked about object-groups yet.  I had a whole other blog entry written up, and, when I went to link things over, I realized I couldn’t find an intro to it.  Here it goes.

Welcome to the modern world.  A world of wonder.  A world of quickly-advancing technology.  A world where clusters of machines sit behind load balancers for scalability and availability.  A world where those clusters need access to other clusters.  A world where your firewall rulebase gets so big that it’s unreadable without some help.

ASA and Proxy ARP

Wow.  A new entry.  Everyone sit down before you pass out.

I’ve got a real-world example for you today.  We have an ASA 5540 installed at a business unit with interfaces in multiple networks, including one containing the production servers and another containing the accounting servers.  The production network sits on a 7600 that’s not ours, so, to avoid IP conflicts, we are statically NATting connections into that network.  The 7600 has many, many VLANs, and, since the firewall and production servers are on different VLANs, there’s an interface VLAN between us.  Sounds pretty straightforward, but it just wasn’t working when we tried to connect between the interfaces.

Getting Temperature Data from a 6500 via SNMP

I apologize to my adoring fans (both of you) for the lack of posting.  I’m in the middle of moving, buying a new house, selling my current house, getting a mortgage, etc.  I’ve been up until 11:30 nearly every night filling out forms and going through red tape.  Don’t get me started on getting money from a 401k!  Anyway…

I got in this morning, and a coworker was telling me that the data center’s HVAC was crippled due to an oil leak, and it was 90F in there.  D’oh!  It wasn’t quite that high, but it was warm.  Luckily, all of our network gear is on the end of the rows with AC, so we’re safe, but it got me thinking about monitoring the temperature of our 6500s via SNMP.  I’ve done it via Cacti, but I never really looked at how to do it manually.

Aaron’s Worthless Words is 2 years old!

I can’t believe I stuck with something for 2 years.  I usually get a month in before I get bored and give up.

Anyway, 2 years ago this month, I wrote a terribly-written article on The Principle of Least Privilege.  Since then, though, my writing has improved (at least, I think it has), the topics have broadened, and I’ve picked up some faithful readers (thanks, Mom!).

BCMSN Notes - EtherChannel Distribution

EtherChannel lets you aggregate links into one logical connection, but the distribution of traffic is not uniform.  It does not use per-packet load-balancing or the like to determine what interface in the bundle to use.  Instead, it uses an XOR function on packet information to generate a hash that is used to determine what interface to use.

By default, the switch will use both the source and destination IP addresses to generate the hash, but there are lots of others.

I’m Still Alive