Quotes

Man, I seem to be constantly adding to my quote collection but am still nowhere near the end! In fact not even 20% of the way through! The main trouble is that I have them all over the place in different formats, so I have to copy each one by hand! Once they're all up I shall be tidying up the quote pages.

On a side note, I added a few more flash cards to Anki, some QoS stuff.

QoS and Leaky Buckets

Just been going through QoS in the foundation guide; it has a small bit on the leaky bucket algorithm, but I think the Wikipedia article explains it much more clearly.

I had always thought of it as the packets being the water running into the bucket, with a small hole in the bottom from which it drained out. As long as the average rate in was less than the drain rate of the hole, and bursting did not overflow the bucket, the water flows out without spilling.

However I see now that in the case of Cisco switches the leaky bucket is a metering method. The packet itself does not flow into the bucket. Rather, how fast the packets flow into the switch determines how fast the tap above the bucket is flowing. While the bucket is not full the packets can pass through the switch. But if the bucket should overflow, the packets are dropped until enough water has run out of the bucket that they can continue.

Like I said, the article on Wikipedia explains it all very nicely, so if like me it is taking a bit to get your head around, have a look.
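A small Python model of the metering view described above, added here as an illustration (it is not from the foundation guide or the Wikipedia article): each arriving packet pours its size into the bucket, the bucket drains at a fixed rate, and a packet that would make the bucket overflow is dropped rather than queued. The rate, bucket depth and packet timings are made-up values.

```python
from dataclasses import dataclass


@dataclass
class LeakyBucketMeter:
    """Leaky bucket used as a meter: the packet is not stored, only counted."""
    rate_bps: float        # drain rate in bytes per second (the hole in the bottom)
    depth_bytes: float     # bucket capacity, i.e. how much burst is tolerated
    level: float = 0.0     # current water level in bytes
    last_t: float = 0.0    # time of the last packet, in seconds

    def _drain(self, now):
        # Water leaks out continuously; catch the level up to 'now'.
        elapsed = max(0.0, now - self.last_t)
        self.level = max(0.0, self.level - elapsed * self.rate_bps)
        self.last_t = now

    def offer(self, now, size):
        """Return True if the packet conforms (forwarded), False if it is dropped."""
        self._drain(now)
        if self.level + size > self.depth_bytes:
            return False      # tap is running faster than the hole: bucket would overflow
        self.level += size    # conforming packet adds its size to the water
        return True


def run(packets, rate_bps, depth_bytes):
    """Meter a list of (arrival_time_s, size_bytes) packets; one verdict per packet."""
    meter = LeakyBucketMeter(rate_bps, depth_bytes)
    return [meter.offer(t, size) for t, size in packets]


if __name__ == "__main__":
    # Constructed traffic: 1000 B/s drain, 1500 B bucket, 1000 B packets in a burst.
    sample = [(0.0, 1000), (0.1, 1000), (0.5, 1000), (0.6, 1000), (2.5, 1000)]
    print(run(sample, rate_bps=1000, depth_bytes=1500))
```

Two packets in quick succession overflow the bucket and the second is dropped, while a stream that arrives at exactly the drain rate passes untouched.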

DevilWAH

Do you like the pretty links?

Getting the pretty permalinks to work on this blog has been a bit of a pain. According to WordPress you click on the format you want under the settings and then they should all work nicely.

So rather than have a link that looks like

“http://www.devilwah.com/?p=344”

you can have the same link looking like

“http://www.devilwah.com/2010/09/minority-report-the-reality/”

Pretty 🙂 right.. 😉

So how did I get it all up and running?

When first trying to activate it I came across a “page not found” error, suggesting that the mod_rewrite module in Apache was not running correctly. After lots of searching around I found that this is to do with the “AllowOverride” directive in Apache.

The default setting for the directive in the virtual site file in Ubuntu is:

<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>

Further reading suggests that with this set to None, the .htaccess file that mod_rewrite needs in order to work will not be read.

Searching the net, lots of people suggest changing this to “AllowOverride All”, which after a restart of Apache will work fine. But for a little more security I found “AllowOverride FileInfo” will achieve the same thing.

And that’s it: one little word change is the difference between it all working fine and “page not found”!

The same can be achieved by editing httpd.conf and the associated config files, but as I use virtual sites I prefer editing these directly.
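As an added check (my own script, not anything from WordPress or Apache), the Python below parses an Ubuntu-style virtual host file, reports for each Directory block whether a .htaccess with mod_rewrite directives would be honoured, flags the over-broad “All” setting, and narrows it to the FileInfo class that the permalinks actually need. The vhost text is a constructed sample with the same Directory block quoted above.

```python
import re

# Constructed sample vhost in the Ubuntu style (not the blog's real file).
SAMPLE_VHOST = """\
<VirtualHost *:80>
    ServerName www.devilwah.com
    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride All
    </Directory>
</VirtualHost>
"""

# AllowOverride classes under which a .htaccess may carry mod_rewrite directives.
REWRITE_CLASSES = {"All", "FileInfo"}
# Per-directory (.htaccess) rewrites also need one of these Options in effect.
SYMLINK_OPTIONS = {"FollowSymLinks", "SymLinksIfOwnerMatch"}


def parse_directory_blocks(text):
    """Map each <Directory path> block to its Options and AllowOverride arguments."""
    blocks = {}
    pattern = r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>'
    for m in re.finditer(pattern, text, re.S | re.I):
        conf = {"Options": [], "AllowOverride": ["None"]}  # absent => treated as not set
        for line in m.group(2).splitlines():
            parts = line.split()
            if parts and parts[0] in conf:
                conf[parts[0]] = parts[1:]
        blocks[m.group(1)] = conf
    return blocks


def audit(text):
    """Per directory: will .htaccess rewrites work, and is the override wider than FileInfo?"""
    report = {}
    for path, conf in parse_directory_blocks(text).items():
        override = set(conf["AllowOverride"])
        options = {o.lstrip("+") for o in conf["Options"]}
        report[path] = {
            "rewrite_ok": bool(override & REWRITE_CLASSES) and bool(options & SYMLINK_OPTIONS),
            "overbroad": "All" in override,
        }
    return report


def tighten(text):
    """Narrow every 'AllowOverride All' to the FileInfo class that permalinks need."""
    return re.sub(r"(?m)^([ \t]*AllowOverride[ \t]+)All[ \t]*$", r"\1FileInfo", text)


if __name__ == "__main__":
    print(audit(SAMPLE_VHOST))
    print(audit(tighten(SAMPLE_VHOST)))
```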

Thankfully the old style links still work just fine; mod_rewrite simply takes the pretty version of the link and translates it back to the ugly version behind the scenes, leaving you, the user, with a more pleasurable browsing experience. 🙂

DevilWAH

A step up from the Minority Report interface.

OK so the real life Minority Report interface did not do it for you?

Well, let's try a bit of brain control!

OK so it's not perfect yet, but I have been following these over the years and they are getting better and faster to respond year by year. I remember when the most they could do was flip the colour of the screen by thinking about a cat?! To think it can learn an action in 8 seconds, and if it's anything like voice recognition software, I know from experience that practice really does make perfect.

I still think there’s a long way to go yet, but we are getting close to being able to sit at our desk and control objects on the screen with our mind.

However I think the use I would most like to see the research go to first is helping the disabled. Controlling wheelchairs is only the beginning. Imagine those people with diseases like Stephen Hawking’s, who currently can only communicate by moving his eyelids. Returning someone’s ability to move is a great thing to be able to do, but returning someone’s ability to communicate would be something truly amazing.

Plus I want one because they look cool!!! 😉

DevilWAH

Setting up Lock and Key

I remember searching around for ages looking for this solution a few years back, so I thought I would share it with you. Bear in mind that there are much more secure solutions around, such as 802.1X port based authentication. However these require a lot more setting up, not to mention the kit to support it. For what it is, “Lock and Key” is one of those ideas that does exactly what it says on the tin.

So what exactly is it that “Lock and Key” does anyway? The idea behind it is to allow you to open up access between subnets / networks on demand. Maybe it is clearer if we look at the following diagram.

Figure 1

In Figure 1 we have the IT PCs, the users’ PCs, the servers and the DRAC cards all on separate networks. If you have not come across DRAC cards before, they are an additional card that can be fitted to Dell servers, with their own redundant NIC; if the server should crash, you can connect to the DRAC card and force a hard reboot, among other things. Very useful for remote management of servers! However, as you can imagine, not something you want to allow users near!!

So looking at the diagram above, you may place an access list on the incoming traffic from the user network (192.168.20.0) to block any access to the DRAC network, while leaving the IT admin PCs able to reach them. But what happens if you are at a user’s PC, the server has crashed and you need to reboot it? This is where the “Lock and Key” idea comes in.

By using a dynamic access list along with the username autocommand, you can open up the blocking access list you have created on the fly, to allow the PC you are working on to reach the DRAC network.

First we need to set up the dynamic IP access list under global config. Remember this access list has to be applied to the interface connecting to the user PCs; we will be applying it in the “in” direction.

ip access-list extended Lock-key
 dynamic Dracacess timeout 60 permit ip any 172.64.20.0 0.0.0.255 log
 deny ip any 172.64.20.0 0.0.0.255
 deny ip any 172.16.10.0 0.0.0.255
 permit ip any any

So before “Lock and Key” is active, users are prevented from accessing the IT unit PCs and the DRAC network, but have access to everything else.

Next we set up the user we are going to use as the “Key”:

username Dracs secret CISCO
username Dracs autocommand access-enable host timeout 15

So here we set up the user Dracs and add the autocommand to run when they log in. The 15 minute timeout here is the idle timeout. However, as we have set an absolute timeout above in the access list itself, this will log out the user after 60 minutes whether they are active or not.

Lastly we need to go into the interface that faces the users’ network and assign the access list, and set the VTY lines for telnet access and to use the local user database. So from global config again:

interface <ID>
 ip access-group Lock-key in
exit
line vty 0 15
 transport input telnet
 login local
exit

Now using it is simple: from a user’s PC start a telnet session with the router, and at the username and password prompt use the username Dracs and the password configured. The connection will be dropped, but an extra line will be added to the access list along the lines of:

permit ip host xxx.xxx.xxx.xxx 172.64.20.0 0.0.0.255 log

And your user PC now has access as long as it is sending data, or until the limit of 60 minutes is reached.
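To make the two timers concrete, here is a small Python model of the inbound ACL as configured above (my own illustration, not anything Cisco or the post provides): turning the key inserts a host entry above the static lines, matching traffic refreshes the 15 minute idle timer, and the 60 minute absolute timer runs from the moment the entry was created regardless of traffic. Addresses and times in the test traffic are made up; time is counted in minutes.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Networks and timers taken from the configuration in the post.
DRAC_NET = ip_network("172.64.20.0/24")   # 172.64.20.0 0.0.0.255
IT_NET = ip_network("172.16.10.0/24")     # 172.16.10.0 0.0.0.255
ABSOLUTE_TIMEOUT = 60   # minutes: 'dynamic ... timeout 60' on the ACL line
IDLE_TIMEOUT = 15       # minutes: 'access-enable host timeout 15' on the username


@dataclass
class DynamicEntry:
    """One 'permit ip host <src> <DRAC net>' line created by access-enable."""
    host: object
    created: float      # minutes: when the key was turned
    last_hit: float     # minutes: last packet that matched this line


@dataclass
class LockAndKeyAcl:
    entries: list = field(default_factory=list)

    def access_enable(self, host, now):
        """What the autocommand does after a successful login: insert the host entry."""
        self.entries.append(DynamicEntry(ip_address(host), now, now))

    def _expire(self, now):
        # The idle timer is refreshed by traffic; the absolute timer never is.
        self.entries = [e for e in self.entries
                        if now - e.created < ABSOLUTE_TIMEOUT
                        and now - e.last_hit < IDLE_TIMEOUT]

    def permits(self, src, dst, now):
        """Evaluate one packet top-down, as the inbound ACL on the user interface would."""
        src, dst = ip_address(src), ip_address(dst)
        self._expire(now)
        for e in self.entries:            # dynamic entries sit above the static lines
            if e.host == src and dst in DRAC_NET:
                e.last_hit = now
                return True
        if dst in DRAC_NET or dst in IT_NET:
            return False                  # the two static deny lines
        return True                       # permit ip any any


if __name__ == "__main__":
    acl = LockAndKeyAcl()
    print(acl.permits("192.168.20.5", "172.64.20.10", 0))   # denied: key not turned
    acl.access_enable("192.168.20.5", 0)
    print(acl.permits("192.168.20.5", "172.64.20.10", 1))   # permitted
    print(acl.permits("192.168.20.5", "172.64.20.10", 30))  # denied: idle since minute 1
```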

Of course you may not like using telnet, and it is possible to use SSH (but then the user PC needs an SSH client installed). You can also change the port that the router listens on for telnet or SSH on a VTY line. You can also apply the autocommand to the VTY line so anyone who logs on through that VTY line will trigger the Lock and Key. If you do this then you will need to set up some VTY lines to use one port with the autocommand config, and some other VTY lines to use a different port without the autocommand. Otherwise you will not be able to manage the router!!!

This link covers some more examples.

As I said at the beginning there are much better ways to do this; 802.1X, as I mentioned, is just one of them and something I will cover in more detail soon. But for small/medium size networks, where cost is an issue but you still want to add an extra bit of security, they are a nice way to restrict users while allowing network admins to carry on working efficiently away from their desks.

DevilWAH

USB Security Issues.

US defence officials have recently released information about a security breach they suffered back in 2008.

Pentagon USB breach

It seems someone placed a USB flash drive into a government computer that contained malicious code put on it by a foreign intelligence agency. This spread to other systems and opened up the Defence network to allow data to be transferred to rogue servers.

USB seems to have become the new medium for spreading viruses and malware, and to be honest it's hardly a surprise. Many companies seem to react to the growing security threats by creating stronger and stronger network gateways. In many cases these become so secure and so restrictive that they prevent the staff they are designed to protect from actually carrying out their jobs.

And then the problems really start: people start to despair at the service provided at work and will carry out the downloads at home and bring them in on their USB sticks, completely circumventing the security policies in place.

There is of course the option to restrict access to only authorised USB devices, but actually setting this up is a major headache, and a large cost is involved, especially when the client PCs are spread over a number of sites and you don’t have complete and utter control over them. Also, by restricting the USB devices you hit the same issue as when you lock down the firewalls: people unable to carry out their jobs effectively.

It surprises me the number of times a valid request from a user to run an application or run some Java code gets turned down with “it's against company security policy”, when what the help desk engineer really means is “I don’t know what the security policy is and I don’t have the time to look into this fully to see if we can help you”.

When “security policies” affect how efficiently someone can do their work, or even worse push people to find ways around them, then there is a problem with them. Good security policies and setups should be invisible to the end user; they should also be implemented in such a way that when users have valid reasons that cause them to come up against them, there are clear processes for how to take it forward to a quick and decisive resolution.

Lose your users’ confidence in this area, and they will go from helping to being the major weak link in the system. Many companies seem to see their security policy as a fight against the stupidity and malicious activity of their users, shutting them out of the IT loop. Rather, the users should be a central part of the policies; when you consider that a huge percentage of breaches are caused by user “error”, their education should be where at least some of the money that funds the security goes.

I know at home, using some common sense, I have managed to survive many years now without any security issues with only a basic consumer hardware firewall (Linksys) and some well known free antivirus software, whereas friends and family regularly hit issues despite having paid for every virus scanner under the sun.

Spend tens of thousands of pounds on software to block USB devices, more on IPS scanning, and still more on your hardened firewall, and you will still never cover all the bases while giving your users the freedom they need, and as soon as they hit that wall they will look for ways around it.

Making a network secure is easy; making a secure network that is usable… that's what requires the skill.

DevilWAH

Slipstreaming XP

Today I was upgrading some PCs from Windows 2000 to XP, and 99% of the upgrade I was able to do over the network. The only part I needed to go out to the PC for was due to the network card not getting picked up correctly. While the PC is in the building next door this is not really an issue, but the next block are on some farms a mile or so from the main site.

The system I was using to install is straightforward.

First, copy the i386 folder from a Windows XP CD to a network drive and make it available via a share. The users who will be running the install need read access to this folder.

Second, go into your Group Policy editor and create a new policy called “upgrade XP”.

Edit this policy and choose User Configuration –> Software Settings.

Right click Software Installation and choose New –> Package.

In the box that pops up, browse to the i386 folder on the share and choose the Winnt32.msi file. Click OK.

Now when you log on to a Windows 2000 PC, and either the user or the PC has that GPO applied to them, by going into Add/Remove Programs and then clicking Add New Programs, you will see the upgrade to XP installation.

But as I said, the big problem is that the default XP CD does not have many network drivers, and many PCs, although they will run the upgrade, will not be able to connect to the network afterwards, requiring you to visit the PCs with a pen-drive and a copy of the correct drivers.

Many years ago I remember slipstreaming Office onto an XP CD, and I remember at the time it was a right pain and took me forever to get it working, requiring manual editing of config files and many attempts before I got it to run. But knowing that slipstreaming drivers is possible, I thought I would take a look at how things are now.

All I can say is nLite. This tool has come on massively and even though it has not been in active development for a while now, it still does everything you need. Whereas before slipstreaming was copy this there, edit this file, run this, copy that back there……

Now the process is simple.

Install nLite.

Copy your XP installation CD into a folder on the hard drive.

Run nLite and point it to the folder.

Choose what you want to add/remove: drivers, packages, set up default settings…

Decide if you want to build the bootable ISO image.

Click Go.

Nlite

And it's all done for you…

If you still do install from disk and you find yourself having to do the same tidy-ups after every install, slipstreaming is a great method to automate the process.

Now I can upgrade the PCs remotely and they pop back onto the network after a reboot to let me complete the upgrade; going to save a few miles of travel 🙂

Old but still useful.

DevilWAH

The Peculiar case of the missing bandwidth.

Where I work we have a slightly strange network setup; as an agency of the government we run under what is known as the GSI (government secure internet). What this means in practice is that our main site plus the 16 or so regional sites have their WAN routers managed by a central government IT centre, and all traffic to the outside world has to pass through their systems. This in itself causes no end of issues in terms of restrictions, such as no VPN access and no FTP allowed, but leaving that aside it does mean we sit behind a very secure gateway. All you really need to understand is that we have a “10mbs” full duplex fibre as our primary link to the main site, through which both internet and WAN traffic is routed. Oh, and of course we have no access to the WAN router to see what is going on.

Well, last Friday the network ground to a screeching halt. What was a 20msec latency link to the regional sites has now become 4000msec (yep, that’s right, 4 seconds!!). As I say, no access to the WAN router, but from our 4506 that connects to it I can see the link to it is looking fine. So nothing for it but to call the service provider; after a short chat they agree that throughput has dropped and latency has shot up, and start looking into it for me.

A few hours pass (well, 3 days to be more correct, during which time we have moved over to the 4mbs backup link) and they finally come back saying that the link seems to have dropped and the most data they can push through it is 1.6mbs, and they think it is a routing issue on our site's subnet as latency to the outside address of the router seems fine.

Now at this point my mind is saying 1.6mbs??? Hmmm, why does that number sound familiar? Maybe if they measured it a bit more accurately they would find it was actually 1.54mbs, which of course is a T1 link speed. Which suggests to me either someone added a bandwidth policy along the link or the route had changed to pass across a T1 link. But no, “definitely not!!”, I am told with absolute certainty that no changes have been made to the configuration, and someone will attend site to test it out.

The following day the service provider has an engineer on site; after hours of testing the local loop section of the fibre he can’t find anything wrong: signal strength is perfect and the router on site has low latency to the next hop. After hours on the phone and a few more suggestions from me that 1.6mbs suggests a T1 link somewhere along the line, I am told again there have been no changes to the configuration or routes, but he says he will call head office and have them check the configs. He comes off the phone and says he will try one last test… And what do you know, the link is suddenly back working, latency has dropped back to the 20msec region and it's pushing about 9mb of data across the link.

So what did they change? “Nothing”, all they did was set a 10mbsec bandwidth policy on one of the interfaces along the route… So why did it drop in the first place? “No idea, sometimes these things happen”. Hold on, so they are telling me they changed nothing, the link just stopped working on its own, and whereas it had worked fine for the last 4 years without the policy configured, it now just happens that adding it has solved the issue??

Forgive me for feeling that someone made a cock-up, had to fix it in a hurry, and I have not been told the full story.

So great, after 4 days all back up and working. Or is it? For a long time now I have been suggesting that we don’t have the 10mbs full duplex link we have been paying for. In tests I have never been able to get more than 9mbs total throughput; as I push the outgoing traffic it pulls the incoming down. (Of course, as I said, I don’t have access to the routers, so all I can do is push traffic from our devices at either end.) But one of the engineers mentioned in passing that our link was 2 x 4.5mbs??? Which is exactly 9mbs, which is what my tests show… So not only did they muck up the link for 4 days, but for the last 4 years they have not been providing the service we pay for!!

Not really impressed with them over the last week (not that I have been overly impressed with them before, although a few members of their staff I have to say have been very helpful to me over the years), but maybe something good will come out of it and I will get the full 10mbs full duplex link promised.

It is also quite nice in the sense that I informed management and the service provider of my concerns about the link speed about 2 years ago, when I first really had reason to look at it. All of whom dismissed me, and told me it was 10mbs full duplex and that I was only seeing 9mbs due to the type and volume of traffic. So I would be lying if I said I didn’t slip the “as I told you 3 years ago” into my report to management this time round. 🙂

I still can’t believe that no one can hold their hands up though and tell us what really happened last Friday. This is where network device management accounting comes in handy: I can’t even log on to my devices, let alone update config, without it getting logged. It’s not that I like to spy on people, but if all changes are logged to the syslog server, then if someone does make a change, and the next day when they are off it all falls apart, I can view the last 24 hours, 3 days, etc. of changes at a glance and see what has happened. No need for them to remember to document every change they make; that’s all done for them.
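As an added example of that “last 24 hours, 3 days, etc.” view (my own script, not from the post), the Python below reads IOS-style syslog messages from a change-logging router, keeps the config-mode entries and the commands logged by config logging, and groups them per user within a chosen window. The log lines, hostnames, users and addresses are all constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IOS-style syslog lines (not from the post or any real device).
SAMPLE_LOG = """\
Sep 17 09:12:03 wan-rtr1 1234: %SYS-5-CONFIG_I: Configured from console by alice on vty0 (10.10.1.25)
Sep 17 09:12:05 wan-rtr1 1235: %PARSER-5-CFGLOG_LOGGEDCMD: User:alice  logged command:interface GigabitEthernet0/1
Sep 17 09:12:09 wan-rtr1 1236: %PARSER-5-CFGLOG_LOGGEDCMD: User:alice  logged command:shutdown
Sep 17 09:30:00 wan-rtr1 1237: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: carol] [Source: 10.10.1.9] [localport: 22]
Sep 19 17:45:30 wan-rtr1 1301: %SYS-5-CONFIG_I: Configured from console by bob on vty1 (10.10.1.40)
Sep 19 17:45:41 wan-rtr1 1302: %PARSER-5-CFGLOG_LOGGEDCMD: User:bob  logged command:no shutdown
"""

# "<Mon DD HH:MM:SS> <host> <seq>: %FACILITY-SEV-MNEMONIC: <message>"
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) \d+: %([A-Z_]+-\d-[A-Z_]+): (.*)$")
CONFIG_I_RE = re.compile(r"by (\S+) on (\S+)")
CFGLOG_RE = re.compile(r"User:(\S+)\s+logged command:(.*)")


def parse(log, year):
    """Yield (timestamp, host, mnemonic, message); syslog has no year, so it is supplied."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # ignore anything that is not an IOS-style message
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(2), m.group(3), m.group(4)


def config_changes(log, now, window, year):
    """Who entered config mode and which commands they logged within `window` before `now`."""
    by_user = defaultdict(list)
    for ts, host, mnemonic, msg in parse(log, year):
        if not (now - window <= ts <= now):
            continue
        if mnemonic == "SYS-5-CONFIG_I":
            m = CONFIG_I_RE.search(msg)
            if m:
                by_user[m.group(1)].append((ts, host, f"entered config mode from {m.group(2)}"))
        elif mnemonic == "PARSER-5-CFGLOG_LOGGEDCMD":
            m = CFGLOG_RE.search(msg)
            if m:
                by_user[m.group(1)].append((ts, host, m.group(2).strip()))
    return dict(by_user)


def recent_changes(log, now="2010-09-20 09:00", hours=24, year=2010):
    """Plain string/integer front end for the 'last 24 hours, 3 days' style of question."""
    when = datetime.strptime(now, "%Y-%m-%d %H:%M")
    return config_changes(log, when, timedelta(hours=hours), year)


if __name__ == "__main__":
    for user, changes in recent_changes(SAMPLE_LOG, hours=72).items():
        for ts, host, what in changes:
            print(ts, host, user, what)
```

Logins that never entered config mode (carol above) are left out, so the report shows only who changed something and what they typed.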

Well, I wait to see what comes of this episode. But after this I'm not sure I will ever trust a service provider again.

Laters all

DevilWAH