Wednesday, April 27, 2016

Back up Your Site

I recently wrote up a quick and dirty guide on backing up your blog on Blogger, as the documentation available from Google and other sources is dated and doesn't line up well with Blogger today.  That's the price we pay for Google constantly updating their platforms in hopes of improving the experience.  I'll let you decide whether or not the upgrades result in a better platform.

I'm seeing the value of this again after I looked at Twitter today and noticed several recent posts relating to a recent oopsie at 123-reg.  Here, Ars Technica UK covers the story of the UK based hosting company recently losing all of the data on 67 of its 115,000 virtual private servers (VPS).  The company declined to reveal how many of their reported 800,000 customers were affected by this, only that they believe it to be a "small portion."  Those that were have been offered 6 months of free hosting.  It's not clear what they'll be hosting for free though, as the sites are gone.

123-reg is still working to restore as much of the data as they can, but as of Friday, April 22, they only have 39% back online, and the rest have been informed that their data may be lost permanently.   The data loss has been attributed to a clean-up script error.  A coding error in this script "effectively deleted" customers' entire websites.  They are now working with a data recovery specialist as they do not have a backup copy of anything that has not already been restored.  In a disturbing follow-up, "Customers who had purchased 123-reg backups can be online now."  I wouldn't be surprised if the 39% back online consist exclusively of those who purchased this additional service.

The bottom line is that no matter who hosts your website(s), you cannot expect that this will never happen to you.  Back up your data.  Back it up to more than one location.  I don't believe that Google Drive (where my first backup resides) is hosted on the same server as Blogger, but I also have a copy of everything on Dropbox as well.  With a total of 90 posts on Firewallninja, the XML file for my backup is only 800KB in size, so you can see how keeping a couple copies of your data in different spots isn't that big of a deal.  Note that this does not include images, which appear to require additional effort to back up.  On that note, I think it's time I looked into that as well, as I don't believe that I have a complete backup of all the screenshots that accompany my posts.

I'd like to note that this post isn't aimed at trashing 123-reg, as we've all been there. I've written scripts that worked as expected in every single test I could come up with, but had horrific results in production.  We're human.  Instead, my point is to note that you, the owner of the data, ultimately need to take responsibility for its backup.

Back up your blog content.  Back up the images.   Back up the blog's template.  Keep multiple copies in multiple locations.  Someday, you'll thank yourself for doing so.

Sunday, April 24, 2016

Free MCSA 2008 and 2012 Resources

This blog was originally started in order to post my collection of Free CCNA Resources.  To date, versions 1 and 2 of that post are my top two posts in terms of traffic.  And depending on when you check, version 1 is the second or third hit in Google for that search term, right behind a great post at the Cisco Learning Network and the Free CCNA Workbook.  Not bad company to be in.

I'm now starting this collection for MCSA resources.  I'm not differentiating between 2008 and 2012, because there is so much overlap.  The 2012 exams will cover material that is present on the 2008 exams in addition to the new bits and pieces in 2012 and 2012R2.  

As with the Free CCNA Resources post, this will be a living document that will be updated as additional resources are discovered or existing items disappear from the Internet.

Getting the Bits

The most important part of any certification chase is the hands-on portion, and the MCSA is no different.  There are two common ways of going about this.  Like any other labbing, I strongly advise against experimenting with the production environment at work, for obvious reasons.

First, you can download an evaluation copy of Windows Server and build a few virtual machines on your computer(s) at home.  Unfortunately for those who wish to pursue the MCSA 2008 route, the evaluation copies only come in 2012, 2012R2 and 2016 Technical Preview.  While there is nothing in 2008R2 that is not also in 2012 and up, things are in different places and Server Manager is a completely different beast, so it'll be a little tricky.  Windows 8.1 and 10 Enterprise editions are also available.

Second, you can utilize Microsoft's Virtual Labs, also at Technet.  This gives you access to predesigned labs that you can complete in 90 minutes or less. While convenient, you miss out on a lot of things not starting from scratch on your own.

Technet Evaluation Center
Technet Virtual Labs


Free eBooks from Microsoft Press - Bookmark this link and check back regularly.  Microsoft adds new books here regularly that you can download in multiple formats.
Largest collection of FREE Microsoft eBooks ever - I'm not sure how much, if any, overlap there is with the Free eBooks from Microsoft Press link above, but I'll include this here in case there's anything unique here.

Video Series

I'm going to avoid all of the various Microsoft YouTube channels because those seem to duplicate the content available on the Microsoft Virtual Academy. 

Microsoft Virtual Academy - An amazing free resource with material for all things Microsoft. 
BJTechNews Blog - Posts a lot of MS Certification related content in addition to content related to other technology topics such as gaming.
CBT Nuggets - A popular paid for video producer.  This is their YouTube channel where they post a lot of great free content.
ITFreeTraining - Posts a lot of content that is certification related as well as content that is not. 
PeteNetLive - If you've looked up a few things on Google, you've surely come across Pete's blog.  It's amazing.
Pluralsight IT - Like CBT Nuggets, Pluralsight is a popular paid for video producer.  And like CBT Nuggets, they post a lot of great free content on their YouTube channel.  
System Administrator - While not necessarily certification focused, there is a ton of great content delivered via long videos.

Step by Step Guides

MCSA Lab Manual Articles - Great collection focused on Server 2012R2

Active Directory on Server 2008
Active Directory, Move from 2003 to 2008
Active Directory, Move from 2008R2 to 2012R2
ADAM - the legacy Active Directory Application Mode
AD CS Step by Step Guide 1 - Single Tier PKI Hierarchy Deployment.
AD CS Step by Step Guide 2 - Two tier PKI Hierarchy Deployment.
AD FS 2.0 - Multiple guides related to AD FS 2.0.
AD LDS - Multiple guides related to LDS.
Advanced Group Policy Management
AppLocker Step by Step Guide
Encryption File System - This one is a downloadable PDF.
Failover Cluster - Setup a 2 node file server failover cluster.
Group Managed Service Accounts - A new feature with Server 2012
DHCP Step by Step Guide - Multiple DHCP related guides.
DNS - Setup and configure DNS on 2008R2
Hyper-V on Windows Core
Microsoft iSCSI Initiator
Multipath I/O - A guide from Technet
Multipath I/O - Another guide from another source
SQL Server - Don't just run a local instance of WID for everything.  Get serious and build a database server in your lab.  ADMT, WSUS, and SharePoint will thank you.
SQL Server - Another guide in PDF format.
Trusted Platform Module Management
VPN-Based Remote Access
Windows Deployment Services- Installation
Windows Deployment Services - Configuration
Windows Deployment Services - Deploy Windows 10
Windows Server 2003 Guides - For when you're trying to save your resources and run something on 2003.
WSUS 3.0 SP1

Great Blogs

Adrian Costea's Blog - Numerous topics related to Microsoft and VMWare
Aidan Finn, IT Pro - A real go-to resource for Hyper-V, but lots of other great stuff as well.
Born to Learn - Microsoft's certification related blog, contributed to by a number of Microsoft personalities.
Exchange Server Pro - Paul Cunningham is the Exchange expert. While this site is Exchange focused, there's a lot of great content you'll find useful.
Jason Helmick - The Pluralsight and MVA man blogs about DevOps, PowerShell, Azure, and IIS.
Mark Russinovich's Blog - I came to know Mark because of his work with Sysinternals, and his books are well known as well.  This blog hasn't been updated in some time, but there's a lot of great reading on Windows Azure here.
Mark Wilson - Mark has a ton of content on Azure, Office 365 and even an occasional post on Cisco or Barracuda. - A blog with multiple contributors talking all things PowerShell.
Regular IT Guy - You should recognize Rick Claus from the Microsoft Virtual Academy.  If you don't, you should watch more content there, and follow Rick on Twitter.
Richard Hicks' DirectAccess Blog - The name says it all.  All things DirectAccess.
Tim Bolton - MCITP - MCTS - Tim blogs about a wide range of Microsoft technologies.

Other Great Websites

Google - If you can't find it here, you're not going to find it.
Microsoft Technet - Not to be confused with Microsoft's old software subscription model, this is THE documentation source for all things Microsoft.

Saturday, April 23, 2016

But I Haven't Given up Anything

An Opinion Piece Written in March of 2015.

It seems as of late that the general consensus on-line is “I haven’t given up anything. You can’t do anything to me with just” whatever piece of information they just posted online. As an administrator of a very large Facebook group dedicated to people studying for Information Technology certifications, I hear this all the time. A popular phone application today is Whatsapp, which allows users to form discussion groups so they can chat using their cell phones. All that is required is for the users to all know one another’s phone numbers. And here’s where the problem comes in: they’ll post their numbers one right after another in the Facebook group. It’s just a phone number, what are you going to do with it, right?

I had a conversation today about the recruitment of users for a Whatsapp group, and the article really hit home on this. Considering the addition of Whatsapp to their online life, these users are obviously not just on Facebook anymore. A 2012 article by Kirsten Martin discusses people being constantly asked to move to new, competing or add-on platforms. Specifically mentioned is Gmail users being asked to use GoogleBuzz, or people being asked by their doctor to use the new online health system.

On this subject the author doesn’t go far enough. Do you remember Friendster or Myspace? Did you have an account with them? Did you remember to delete everything you could and deactivate your account, if that is even possible? Of course not, we just move on to the next platform where all of our friends moved on to, in this case Facebook. Here’s where the connection comes in. These websites still exist, and your profile is still there if you took no action when you left. This is just a small sample of sites that we know and remember. Over the years, we’ve all signed up for numerous online forums, newsletters, social media platforms, email services, etc. Do you remember what information was given to each site? Of course you don’t, but those sites certainly do. Hopefully you at least set your profile to remain private.

One of the current hot topics of the day is metadata. This can be thought of as data about data. For example, you can look at the properties of this document (Editor note:  This was originally submitted online as a MS Word document, hence that wording) and see who wrote it and when they wrote it. This can be just as valuable as the contents of the document itself. According to the ACLU of California, computer scientists are able to determine information about a person such as their ethnicity and current relationship based solely on information from that person’s cell phone. Furthermore, researchers from the Office of the Privacy Commissioner of Canada were able to use the IP address that an online post came from to determine the religion, job, interests, health issues and more. Do you think that post that was signed as WingsFan1976 was anonymous now?

As an I.T. professional, I’ve taken on clients who have no idea who hosts their website, who controls their DNS settings, or much else that doesn’t exist within their own building. Since they’re no longer a client, the previous I.T. company is usually not interested in taking the time to gather up the information for us. Armed with nothing more than the business phone number and/or the email address that the service was registered under (generally publicly visible through a whois search), I am almost always able to help them regain control of what rightly belongs to them. I don’t have access to any resources that any other person on the Internet doesn’t also have. So I ask again, specifically to the gentleman who was defending people posting their phone numbers today: what can I possibly do with “just your phone number?”

Wednesday, April 20, 2016

Lock and Key ACLs

Lock and key ACLs, or dynamic ACLs, allow you to configure dynamic access on a per-user basis, using authentication to reach destinations that would otherwise be blocked.  This functionality relies on three technologies: Telnet or SSH, an authentication process, and an extended ACL.

Here's the basic idea of how it operates. First, the user starts a Telnet or SSH session to the router that the Lock and Key ACL is configured on. The router prompts the user to authenticate.  After the user successfully authenticates, the router closes the Telnet session and then creates a dynamic entry or entries in the extended access-list.  This entry or entries allow that user access for a set amount of time.  Once that time has expired, the router removes the dynamic entries from the extended access-list.  This time period can be configured as an idle timer or an absolute timeout.

We'll use the following topology to demonstrate.  In this network, there is a host PC where the user who needs access sits, the server that the user requires access to, and the router configured with the Lock and Key ACL to grant that access.  The router interface will have the .1 address on both networks, and the hosts will be .2 on their respective networks.  For simplicity's sake, we'll just use Telnet in this simulation.

Let's move on to the configuration now.  The first thing we'll do is configure a local user with the name test. User authentication can be done using the local database, an AAA server, or a line password on the VTY lines. We'll create a user like any other local user, and then the second line associates the user with the lock and key ACL.  Without the second line, the user will telnet into the router as normal.

username test password 123
username test autocommand access-enable host timeout 10

Next, we'll create the extended ACL.  Don't forget to permit any traffic needed by the network such as routing protocol, and permit Telnet traffic to the router itself.  For the sake of testing, I'm going to also allow pings to this interface.  Then apply that ACL to the appropriate router interface. You can allow all access beyond this router with permit ip any any, or you can get granular with individual subnets or hosts.

access-list 100 permit ospf any any
access-list 100 permit icmp any any
access-list 100 permit tcp any host eq telnet
access-list 100 dynamic ACCESS timeout 15 permit ip any any
access-list 100 deny ip any any log

interface FastEthernet0/0
 ip address
 ip access-group 100 in

Finally, configure the VTY lines for telnet access as you normally would.  You can also set a global timeout value on the VTY line.

line vty 0 4
 login local
 autocommand access-enable host timeout 5

Note that we've set timeout values in three different places.  Absolute-timeout in the dynamic ACL will supersede values set on the user and on the VTY lines, and the timeout set per user overrides that of the ACL, which is the default timeout.

Let's test this ACL now.  First on pc1, note that we're able to ping the first router interface, but we're not able to ping through to the server.

So let's authenticate to the router.  Simply type telnet at the c: prompt and enter the credentials for the test user.  Now, you'll be able to ping through to server1 and reach its web page.


Saturday, April 16, 2016

Adding Hyper-V VM's to your GNS3 topology

In a previous post, I covered using the IOU VM on Hyper-V with GNS3.  This time I'm going to go a little more in depth on using Hyper-V virtual machines in your GNS3 topology.  Since VirtualBox and Hyper-V do not play nicely together, I have to use my Hyper-V VMs on the servers. If you have Hyper-V installed, you'll be in a similar situation.

We'll begin by creating a virtual switch in Hyper-V.   Load the Hyper-V Manager, and then under Actions, select "Virtual Switch Manager."  With New virtual network switch highlighted, choose Internal in the box under "What type of virtual switch do you want to create?"  Click on "Create Virtual Switch."

Give it a name that has some meaning to your usage.  I generally name them with the VLAN that they're going to connect to on the GNS3 switch since I'll tie multiple VMs to that virtual switch at some point, but you can also name it after the hostname of the virtual machine if that's all you're ever going to tie to it.  Again, double check that Internal Network is selected, and then hit OK to create the switch.

Back at the Hyper-V manager, right click on the VM you want to use and select Settings.  On the left side of the settings dialog box, find Network Adapter, and click on it.  On the right side, find the drop down menu under Virtual Switch and select the virtual switch that you just created, and then click OK.  Note that you can tie as many VMs to this virtual switch as you need to.

With all the virtual switches that you will need created and in use, we'll turn our attention to GNS3.  From the devices menu, grab a cloud and drop it into your topology.  A popup asking you to choose a server will appear; the default selected option should work, assuming everything else is already working.  Right click on the cloud and choose Configure.  In the dialog box that comes up, highlight the cloud you just dropped into the configuration on the left.  Under General Ethernet NIO, select the virtual switch you created, and then hit OK.  You can right click on this cloud again to change its hostname or to change its symbol (the icon used to denote the device).

In my configuration, I have to use a GNS3 "Ethernet Switch" in between the cloud device and any IOU device.  I don't know why exactly, but since it's simple enough to work around I don't really care.  In the below screenshot, ACS1 is my cloud interface that the ACS server is connected to.  I'll change the symbol and name if I ever tie other hosts to that virtual switch.


Wednesday, April 13, 2016

Resequencing an ACL

Here's a quick post on a very useful command when working with ACLs.  I first heard about it while watching a CBT Nugget video, and I can say that it was definitely not covered in the NetAcad curriculum when I went through the classes, because I remember bringing it up to the instructor and it was news to him.

So let's begin by setting the scenario.  You have the following ACL:

show ip access-list EXAMPLE

Extended IP access list EXAMPLE
    1 permit ip host any
    2 permit ip host any
    3 permit ip host any
    4 permit ip host any
    5 deny ip any
    10 permit tcp any host eq smtp

And let's say that we now need to allow one additional host out.  We could rewrite the ACL, but that could be a lot of work if it's a long ACL.  Any other options?

Yes, the resequence command can help.  This command was introduced in IOS 12.2(14)S, and allows you to easily resequence an entire ACL.

ip access-list resequence EXAMPLE 10 10

This will renumber every line in the ACL starting with 10, and with an increment of 10 between each line.  This is the default sequencing for an access-list where no sequence numbers are entered.  The end result would be:

Extended IP access list EXAMPLE
    10 permit ip host any
    20 permit ip host any
    30 permit ip host any
    40 permit ip host any
    50 deny ip any
    60 permit tcp any host eq smtp

Old documentation will tell you that you can't edit a numbered ACL, but that's actually not true anymore.

Saturday, April 9, 2016

Blog Comments

The comments for the blog appear to be fixed, though a lot of recent ones may have been lost. When I linked the blog to my own domain name, it said that Google+ comments would be adversely affected by this, so I disabled the Google+ association.  This didn't fix the underlying issue, however, as "Use Google+ Comments" was still selected, even though the checkbox disappears when you remove the Google+ association.

To fix this, you have to re-enable the Google+ association, and then the checkbox to Use Google+ Comments or not will appear again.  After you uncheck it, you can remove the association again, or not, as the comments are the only thing adversely affected by the association when using your own domain name.  Hopefully my adventures with this will help someone else out in the future, as everything I read on the matter said to uncheck Use Google+ Comments and left it at that.

Wednesday, April 6, 2016

Reflexive ACLs on IOS Routers

In a nutshell, reflexive ACLs allow packets to be evaluated based on upper layer session information. You use reflexive ACLs in order to permit the return traffic from an established session, but deny all other traffic in that direction.  For example, you open up a browser and establish an HTTPS session with  Now obviously, you want the return traffic from the server hosting to make it back to you so you can see this awesome website.  But you also do not want malicious traffic trying to reach your workstation to come in with it.  A standard or extended ACL does not allow this; it's all or nothing.  But a reflexive ACL allows you to do exactly that: allow the return traffic from your session with, but deny all other incoming traffic.  I've heard reflexive ACLs described as "a poor man's stateful firewall."

Cisco documentation points out that you can also configure it in the other direction.  You can, for example, allow all incoming traffic to a server in your DMZ, but only allow return traffic from that server to go back out to the Internet. In this example, external users would be able to view the content on your DMZ server, but it would mitigate the risk of your server becoming part of a botnet and eating up your upload bandwidth participating in a DDoS attack.  While possible, I doubt it's used very often.  So in the configuration example, we'll focus on the more common scenario.

So let's configure a reflexive ACL.  We'll start out with a basic ACL in the outbound direction which will allow all outbound traffic.  As is typical for me, I'll use upper case letters for words and names I've created so they stand out as such when viewing show statements.

ip access-list extended OUTBOUND
  permit ip any any reflect REFLECTED

And that's it.  In this ACL, we are allowing all outbound traffic. The difference here between this ACL and no ACL at all is the keyword reflect.  This tells the router to remember all traffic matched by the permit ip any any, and create a dynamic ACL for the return traffic that will be allowed.  But we're not limited to this single permit in the OUTBOUND ACL, we can combine that with any combination of permit and deny statements as needed.  Note that reflexive ACLs can only be used as part of extended named ACLs.   But other than that, you're pretty much only limited by your imagination.

ip access-list extended OUTBOUND
  permit tcp host any eq smtp reflect REFLECTED
  deny tcp any any eq smtp
  permit ip any any reflect REFLECTED

Here, we're denying outbound smtp except from a single host (the company email server), and then allowing all other traffic to go out reflected. Next, we'll create a basic ACL for the inbound direction.

ip access-list extended INBOUND
  evaluate REFLECTED

Again, we're not limited to just a single evaluate statement in this ACL either; we can add in any other needed statements allowed by a named ACL.

ip access-list extended INBOUND
  evaluate REFLECTED
  permit tcp any host eq smtp
  permit tcp any host eq http

Now we just need to apply those lists to the outward facing interface of the router.

interface Ethernet 1/0
  ip access-group INBOUND in
  ip access-group OUTBOUND out

If you have multiple outward facing interfaces, you can apply these same ACLs to multiple interfaces and the same REFLECTED dynamic list will be maintained between them, shielding you from the side effects of asymmetric routing.  Now if Cisco would only give us a way to share the state of reflexive ACLs between different routers (one pointed at ISP1 and one pointed at ISP2, for example), then we'd be all set.

interface Ethernet 1/0
  ip access-group INBOUND in
  ip access-group OUTBOUND out
interface Ethernet 1/1
  ip access-group INBOUND in
  ip access-group OUTBOUND out

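As an added example (not code from the original posts or from Cisco), here is a small Python model of how the two temporary-entry mechanisms on this page, the lock-and-key entries from the earlier post and the reflexive entries in this post, admit or drop traffic over time. Addresses, ports and timer values are constructed for illustration, and the model keeps only the matching behaviour the posts describe.

```python
from dataclasses import dataclass
from typing import Optional
REFLEX_TIMEOUT = 300.0  # IOS default global reflexive timeout in seconds (model value)

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "icmp", "ospf"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str = "ip"                # "ip" matches every protocol
    src: str = "any"
    dst: str = "any"
    sport: Optional[int] = None      # None means any port
    dport: Optional[int] = None
    reflect: Optional[str] = None    # reflexive list this permit feeds (the 'reflect' keyword)
    expires: Optional[float] = None  # absolute timeout of a temporary entry
    idle: Optional[float] = None     # idle timeout of a lock-and-key entry
    last_hit: float = 0.0
    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and self.sport in (None, p.sport) and self.dport in (None, p.dport))
    def expired(self, now: float) -> bool:
        return ((self.expires is not None and now >= self.expires)
                or (self.idle is not None and now >= self.last_hit + self.idle))

TEMP = "TEMP"  # marks where the 'dynamic' or 'evaluate' line sits inside the static ACL

class Acl:
    def __init__(self, lines):
        self.lines = lines   # Entry objects plus at most one TEMP marker
        self.temp = []       # temporary permit entries created at run time
    def check(self, p: Packet, now: float, reflex_lists=None) -> str:
        # Purge expired temporary entries, then the first match wins, top down.
        self.temp = [e for e in self.temp if not e.expired(now)]
        for line in self.lines:
            for e in [c for c in (self.temp if line is TEMP else [line]) if c.matches(p)]:
                if line is TEMP:
                    e.last_hit = now  # matching traffic resets the idle timer
                elif e.action == "permit" and e.reflect and reflex_lists:
                    # 'reflect': add the mirrored return-traffic entry to the evaluating ACL
                    reflex_lists[e.reflect].temp.append(Entry(
                        "permit", p.proto, p.dst, p.src, p.dport, p.sport,
                        expires=now + REFLEX_TIMEOUT))
                return e.action
        return "deny"  # the implicit deny at the end of every IOS ACL

def lock_and_key_demo():  # access-list 100 from the lock-and-key post, constructed 10.0.x.x addresses
    router, pc, server = "10.0.0.1", "10.0.0.2", "10.0.1.2"
    acl100 = Acl([Entry("permit", "ospf"), Entry("permit", "icmp"),
                  Entry("permit", "tcp", "any", router, dport=23),  # telnet to the router itself
                  TEMP, Entry("deny")])  # TEMP: dynamic ACCESS timeout 15 permit ip any any
    web = Packet("tcp", pc, server, 40000, 80)
    def login(now):  # a successful telnet runs 'access-enable host timeout 10': idle 10 min, absolute 15 min
        acl100.temp.append(Entry("permit", "ip", pc, "any", idle=600, last_hit=now, expires=now + 900))
    results = [acl100.check(web, 0)]  # before login: denied
    login(60)
    results += [acl100.check(web, 61), acl100.check(web, 500), acl100.check(web, 1000)]  # absolute expiry at 960
    login(1000)
    results.append(acl100.check(web, 1601))  # no traffic for over 10 minutes: the idle timer removes it
    return results  # ['deny', 'permit', 'permit', 'deny', 'deny']

def reflexive_demo():  # the INBOUND/OUTBOUND pair from the reflexive post, constructed RFC 5737 addresses
    mail, client, www, outsider = "192.0.2.25", "192.0.2.10", "203.0.113.7", "198.51.100.9"
    inbound = Acl([TEMP, Entry("permit", "tcp", "any", mail, dport=25)])  # evaluate REFLECTED, then smtp in
    outbound = Acl([Entry("permit", "tcp", mail, "any", dport=25, reflect="REFLECTED"),
                    Entry("deny", "tcp", dport=25),
                    Entry("permit", reflect="REFLECTED")])
    lists = {"REFLECTED": inbound}
    return {
        "https_out": outbound.check(Packet("tcp", client, www, 51000, 443), 0, lists),
        "https_back": inbound.check(Packet("tcp", www, client, 443, 51000), 1),
        "wrong_port": inbound.check(Packet("tcp", www, client, 443, 51001), 1),
        "unsolicited": inbound.check(Packet("tcp", outsider, client, 4444, 51000), 1),
        "smtp_from_client": outbound.check(Packet("tcp", client, www, 51002, 25), 2, lists),
        "smtp_to_server": inbound.check(Packet("tcp", outsider, mail, 4000, 25), 3),
        "stale_return": inbound.check(Packet("tcp", www, client, 443, 51000), REFLEX_TIMEOUT + 1),
    }
```

Both demos show the same defensive point the posts make: a temporary entry only exists while its session or login is alive, so traffic arriving on another port, from another host, or after the timer expires falls through to the deny.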

Saturday, April 2, 2016

SENSS Introduction

Now that the base of the lab environment is set up, it's time to really start focusing on the next certification exam that I plan to tackle, which is Cisco's 300-206 SENSS. The first thing I would normally do when I begin to study for a Cisco exam is pick up a copy of the Official Certification Guide. However, with the SENSS, that's a bit of a problem as there is no OCG available and it appears that Cisco Press and resellers such as Amazon have given up hope on ever seeing a copy. I recall seeing original estimates of a January 2015 release date, but then it got pushed back farther and farther until Cisco Press no longer shows it on their site, and Amazon just says out of stock. I've heard rumblings that the book is actually off, and there isn't even an author lined up any longer, but I can neither confirm nor deny that.

The Cisco Learning Network also does not show an OCG on its study material page for this exam, but instead lists out a number of sources of information organized by topic. A lot of various PDFs from the Cisco site, a lot of videos I'll probably not even look into, and a lot of Cisco Press books that aren't geared towards this exam, but cover a lot of the material that's on it. A lot of these are already on my bookshelf and/or on Books 24x7, but I have to get these 4 exams knocked out within Cisco's 3 year time frame, so there just isn't time to be reading 6 or 7 books for each of the exams.

Currently available to me via Books 24x7 are LAN Switch Security: What Hackers Know About Your Switches and Router Security Strategies: Securing IP Network Traffic Planes. Those two books should cover the majority of the routing and switching security topics on the exam, so I'll just need to find a good low-level guide for the ASA.  I've also got access to the Skillsoft videos both at work and through school, but I've heard that those video sets can be lacking.  It won't hurt to put on my headphones and play a video or two every day while I'm doing the 9 to 5 stuff, so I will.  The Cisco SAFE Reference Guide is also recommended on several topics in CLN's sources of information, so I'll read through that also.

For the hands-on, I'll be using my typical hybrid lab. Most work involving routers, switches and firewalls will be done in GNS3 with IOU, while physical hardware is available to connect in devices that do not virtualize well, or at all, such as wireless access points.

Let's get this exam started.  Ideally I'd like to get it done this summer while I'm between semesters at school.