Feb 22, 2012

Sonicwall with Spanning Tree Best Practices

Sweet baby Jesus I have to say that I love Sonicwall firewalls! I used to work at a company back when I started Bauer-Power that used various Sonicwall firewalls in over 30 locations around the United States. For the main offices they used Sonicwall Pro appliances, and for the small offices they used TZ-170's. It worked out great, and they are very easy to use. The company I went to after that used a Cisco ASA firewall that was pretty cool, but for me I just thought it was overly complicated. I wanted to go back to the comforting arms of Sonciwall.

Well at my current gig I got my wish, although it was a few months after I got started. They were using Sonicwalls, but they were managed for us by a group of incompetant, overcharging jerks (Just my opinion). Anyway, we purchased the firewalls from them and took our business elsewhere. Now I am knee mutha' flippin' deep in all things Sonicwall, and I thought I would share with you some of my findings. I already shared with you how one configures an HA pair with HSRP a few days ago. Today I will talk about Sonicwall's compatibility issues with Spanning Tree (STP).

If you don't know what STP is, Wikipedia says:

The Spanning Tree Protocol (STP) is a network protocol that ensures a loop-free topology for any bridged Ethernet local area network. The basic function of STP is to prevent bridge loops and the broadcast radiation that results from them. Spanning tree also allows a network design to include spare (redundant) links to provide automatic backup paths if an active link fails, without the danger of bridge loops, or the need for manual enabling/disabling of these backup links.

There are two documents I will be referring to in this post. One is the HA configuration guide for several Sonicwall devices here: (How to Configure High Availability (HA) in SonicOS Enhanced)

The other is a PDF on the best practices for deploying SonicPoint devices: (SonicWALL SonicPoint Deployment Best Practices Guide)

The first one has this to say about switch ports that are connected to Sonicwall ports:

If you are connecting the Primary and Backup appliances to an Ethernet switch that uses the spanning tree protocol, please be aware that it may be necessary to adjust the link activation time on the switch port that the SonicWALL interfaces connect to. For example, on a Cisco Catalyst-series switch, it is necessary to activate spanning tree port fast for each port connecting to the SonicWALL security appliance’s interfaces.

That is all well and good. I am actually connecting the appliance to some Dell PowerConnect 5424 switches, and have spanning tree port fast (Fastlink if you use the web GUI) enabled on the ports connected to the Sonicwall. For the most part this works fine, but if the network drops for a few seconds, I have noticed that it will cause a failover for about a minute, then it will fail right back. That is not good at all. It doesn't cause any outages with our web servers per se, but it does create a hiccup that lasts for a few seconds.

With that little issue I searched around for some more info on Sonicwall and STP and I found the following in the second document:

When an Ethernet port becomes electrically active, most switches by default will activate the spanning-tree protocol on the port to determine if there are loops in the network topology. During this detection period of 50-60 seconds the port does not pass any traffic – this feature is well-known to cause problems with SonicPoints. If you do not need spanning-tree, disable it globally on the switch, or disable it on each port connected to a SonicPoint device

So one document recommends enabling port fast with STP, and one says just disable STP if possible. I realize that a SonicPoint is different from a Sonicwall NSA appliance, but if they both have known issues with STP, I think it is best practice to disable it altogether on the ports connected to the Sonicwall. If your switch doesn't support turning off STP for individual ports, you may just want to disable it altogether if you're going to use a Sonicwall firewall. You will have to be especially careful not to create loops in your network though.

Are any of you Sonicwall CSSA certified? If so, can you shed some light on this? Do you agree with my evaluation? Disagree? Let me know in the comments.

del.icio.us tags:         


Feb 21, 2012

Life Hacking [Infographic]

One of my favorite websites is Lifehacker. It happenes to also be one of my favorite IPTV shows. The folks at Lifehacker not only have all sorts of interesting tips to hack or mod your computer, but they have really interesting stuff to transform, and improve stuff you do or use every day! In that spirit, I found a really cool infographic for you from the people at Theirtoys.com. It's a compilation of 35 different "life hacks" you can implement to make your life a little easier. Stuff from a method to keep your closet cleaned up, to screwing with people in the checkout line. There are some really great hacks here! Enjoy!

TheirToys.com

[Via Theirtoys]

del.icio.us tags:         

Feb 20, 2012

Sonicwall HA and Cisco’s HSRP

About a week ago my company did our second, and hopefully our last data center move in a year. Our first move was because we were using a managed colocation (colo) company to host our equipment. What is that you ask? Basically it’s a middle-man that rents out a cage at a local colocation facility, then sub-rents you a cabinet to put your stuff. They provide you with an Internet connection, and in our case they also managed our firewalls. Anyway, they wanted to move us from one data center to another, so we went ahead and did that.

After the move a month or two later we started having these strange network hiccups where one of our VLANs would stop routing traffic for a few minutes, then come back up. It was causing our production web servers to drop connection with the database and would cause our sites to go down. I tried working with our managed colo provider to help troubleshoot. Stuff like, asking for the firewall logs so I can see if there was a problem with the firewalls or the switches or both. Working them was kind of like asking your neighbor to kick you in the balls. It wasn’t very fun. After a while we decided to kick them to the curb and go direct with American Internet Services. With that move we were also going to save about $18,000 per year and a heap of head aches.

Or so I thought. Like I said, about a week ago we performed our move away from our previous company, and into a new cabinet just down the hall in the same data center. Our setup in our old cabinet was with an active/passive Sonicwall NSA 2400 failover cluster. We had two redundant internet connections that came out of a little biscuit in our cabinet directly into the X1 ports of the primary and secondary firewall appliances. Not really thinking about it, I thought that when I plugged those ports into the biscuits in my new cabinet, everything would work great. No, sorry folks.

You see, our new colo provider uses HSRP for creating a redundant default gateway. If you don’t know what HSRP is, Wikipedia describes it saying:

Hot Standby Router Protocol (HSRP) is a Cisco proprietary redundancy protocol for establishing a fault-tolerant default gateway, and has been described in detail in RFC 2281.

The protocol establishes a framework between network routers in order to achieve default gateway failover if the primary gateway becomes inaccessible,in close association with a rapid-converging routing protocol like EIGRP or OSPF.

When we plugged in our HSRP connections directly to the firewall our internal network worked fine, but for some reason our DMZ in transparent mode could not ping out to the internet. I shut down our switch port connecting the DMZ VLAN to the firewall, and brought it back up and then the servers could ping out to the internet. The problem we saw after that though was connectivity was intermittent. Some servers could talk on the internet, and others could not. We also found that when sending traceroutes to our public websites some of them would make it, others would get dropped by our firewall. We finally unplugged one HSRP connection just to get everything working for the time being until we could figure out what the hell was going on.

Well it turns out that I’m not the only one experiencing an issue with Sonicwall and HSRP. Like most IT guys when faced with an issue I turned to Google. Google didn’t have a lot to say, but I did find this thread where a guy had an issue, but there was no resolution.

After speaking with an engineer at American Internet Services, he suggested placing a layer 2 switch in-between the HSRP connections and the Sonicwalls. He said:

I firmly believe that the issue with the HSRP is that there is no level 2 connectivity between the links as you have them plugged into two separate Sonicwall systems.

HSRP works by having the two routers communicate with each other and ensuring that one router is "Active" and the other is "Standby".  If they are unable to communicate with each other, they will both become "Active" and they will both announce themselves as the default gateway which can cause collisions and packet loss.

If you have a little 4-Port switch, you could plug the two links from our routers and the two links to your Sonicwalls into it and, I believe, that would solve the connectivity issue.

It made sense to me, and it was also backed up by this KB article on how to configure high availability on a Sonicwall in the first place. Here is a diagram from the KB article that shows that you need a switch on the WAN side to make HA work correctly.

sonicwall-hsrp-diagram

I didn’t want to rely on a shitty little 4-port switch to hold up my entire internet connection though, so I decided to take four ports on my two core switches, put them in a new VLAN, and make them access ports. I then ran my HSRP links into one port on one switch, and one port on the other switch (You know, in case one switch died, the Internet will stay up!) I then plugged my firewall into the other two ports. Now both HSRP connections are working correctly, and we have redundant internet again. Plus our transparent DMZ works fine with this configuration.

It dawned on me that since our previous provider was sub-renting our cabinet that our biscuit in the old cabinet must have been connected to a core switch or something on the back end which handled all of their customers internet connections. That’s why we were able to plug the Sonicwalls directly in without having to put a switch in front. Just a hunch really. They won’t tell me how theirs was setup because they are pissed at me. I guess I understand that since I did fire them for being terrible.

Although it was rough figuring this one out, it like any hard issue I run into, forced me to learn more about how all of this works. In the end I dig this stuff because it makes me a better admin, and I can take it with me further in my career.

Do you have a similar setup to this at your colocation facility? Did you solve it differently? If so, let me know what you did in the comments!

Feb 14, 2012

Shit IT Security Guys Say

Yesterday I posted a funny video from Youtube on some of the dumb stuff computer illiterate people say. My favorite example was the two guys talking, and one guy is bragging that IT just upgraded the memory on his computer, and when the other guy asks him how much memory he has now he says, "I don't know... Like a hundred?" Then the other guys says, wow that's pretty cool. Nice! More importantly, very accurate!

Well a related video popped up in Youtube that I thought I should post here as well. It is a video on the other side of the spectrum. It showcases some of the things that IT security guys say. Now not all of you who read Bauer-Power are in security. most of you are Systems Engineers like myself, however most of us dabble in Network Security, or have formal training in it. I'm sure you can all relate. Check it out!



So what did you think of this video? Funny? Not true at all? Let me know what you think in the comments.

del.icio.us tags:          

 

Feb 13, 2012

Shit Computer Illiterate People Say

Having been in the IT field for a while, I have seen a bunch of different types of users. The worst in my opinion are the ones who are absolutley computer illiterate. I mean, sometimes I wonder how these people even have an office job where the use of computers is an absolute necessity! I mean, they can't do the simplest of tasks like reboot a computer! How do you even work here?

Just about every company has them. I even wrote about it once when I talked about 12 o'clock flashers in the work place. Well, another group of guys decided to play on this type of idiocracy in the work place, and combine it with the "Shit Girls Say" phenomenon. Check out Shit Computer Illiterate People Say:


How many people in your company say the stuff in the video? Did you like it? If you liked this video, check back for the video I'm posting then which pokes a little fun at IT Security guys to, you know, keep things even.

Special thanks to @Viss for posting it on Facebook :-)

del.icio.us tags:         

 

Feb 10, 2012

Another Alternative to Pandora One

Ever since Pandora, the internet radio site, changed their layout it broke my favorite desktop client for Pandora called Open Pandora. True, I could upgrade to Pandora One, but I'm a cheap bastard. Also true, I can just listen to Pandora from my web browser, but sometimes I just don't like to have my browsers open all the time. Hence the need for a desktop client.

Well I found a very cool little application on the Hak5 Forums from a user named ZigZagJoe called the Standalone Pandora Client. This little player does not work in anonymous mode, so you have to have a Pandora login to use it, but that's no big deal. You will also need .Net Framework 2.0. If you have a Linux computer, this will run in WINE, you just need to check the box for WINE compatibility at install. After you install it, you have a very lightweight client to listen to Pandora without your browser!

Here is a list of features:

  • Supports creating and seeding stations by searching for music
  • Supports deletion and renaming of stations
  • Supports shared stations, creation by station url or ID or when using sproxy when you click on a listen link
  • Supports feedback (duh) and will skip when badly rated (unless you choose otherwise)
  • Shuffle stations (every 4 songs) or songs
  • Web control if using sproxy (controls, change station, see what's playing)
  • Global media hotkeys (play pause, next)
  • UNLIMITED SKIPS
  • Mute, volume control, etc.

Here are a couple of screen shots I took of it as well:

standalone pandora client

standalone pandora client windows

What do you think about this? Have you been looking for a free Pandora client for your desktop? Have you tried other ones? Do you use a different one? Which one do you like? Let us know in the comments.

del.icio.us tags:        


Feb 9, 2012

Which is Better? PHP, Ruby or Python? [Infographic]

I guess this is the week of infographics here at Bauer-Power. That is mainly because I am preparing for yet another colocation facility move at my day job. This will be the third colocation move I have been involved with since being in IT, and let me tell you it is rather stressful. There are a lot of things riding on systems at one's data center, and there are a lot of potential hazards if you don't prepare the move down to the most minute detail.

Today's infographic aims to compair three of today's modern open source coding platforms, PHP, Ruby and Python. All of which are used in web applications. Some of the biggest websites use these languages including Facebook (PHP), Twitter (Ruby), and Youtube (Python). Which one is the best though? That's up to you, but hopefully this infographic comparison can help you decide which one you like the best.

programming languages, infographic
[Via Udemy]

del.icio.us tags:        


Feb 8, 2012

One Way Bad Guys Steal Your Credit Cards

My parents and my brother came out to visit me during Christmas last year. I didn't hear about it until January, but apparently during that time my Dad's credit card or bank card number had been stolen. Some fraudulent charges were made, but luckily he watches his accounts regularly and was able to dispute the charges and get the old card cancelled. No real harm was done because he caught it in time, but it certianly was an inconvenience to have to cancel the card, and get it replaced. 

We often hear about credit card data stolen from online merchants. It's actually fairly common. I mean back in January last year, the Internet shoe giant, Zappos was hacked exposing 24 million accounts and credit card numbers. Online hacking is just one way the bad guys get your information. The other place? Right at your neighborhood ATM!

Bad guys are placing devices on ATM machines called Skimmers. According to Wikipedia, an ATM Skimmer is a device that is placed over the card reader on an ATM that:

...reads the magnetic strip as the user unknowingly passes their card through it. These devices are often used in conjunction with a miniature camera (inconspicuously attached to the ATM) to read the user's PIN at the same time. This method is being used very frequently in many parts of the world, including South America, Argentina, and Europe.

Here is an image of one such ATM Skimmer that was found on an ATM in December 2009 in Woodland Hills, CA according to Brian Krebs of KrebsOnSecurity.com:

ATM Skimmer

atm skimmer 2

Could you have spotted it? Looks pretty real doesn't it? Here is a video from NBC 10's Doug Shimell in Philadelphia reporting on ATM Skimming:


Pretty gnarly huh? Are you going to think twice about using an ATM now? Are you going to check to make sure the card reader can't be easily pulled off? I would recommend it. Have you ever seen one? Let me know in the comments!

del.icio.us tags:        

 

Feb 7, 2012

Enhance Your Google Kung-Fu [Infographic]

I'm glad I found this infographic. It comes on the heels of one of my coworkers asking me about certain Google search functions to help make searching easier, and to help find more relavent data to what one is looking for. She is writing up some training material to help her train her research team to gather more information on the web from search engines like Google.

She is certainly not the only one who can benefit from something like this though. In fact, I would venture to say that this is a valuable skill for IT professionals as well. I mean Google is probably the most common uncredited company tech support's knowlege base than any other knowlege base application. If you can't Google your way out of a problem in IT, you won't last long. 

Check out this really great infographic that gives you tips on how to enhance your Google searching skills!

Get more out of Google
[Via HackCollege]

 

Feb 6, 2012

How Hackers Get In [Infographic]

I recently took over the role of Security Officer for my company. One of the reasons I was awarded the role was because of my Bachelor of Science degree in Network Security. Now with that degree I certainly don't consider myself a hacker, nor would I ever venture to say I know all there is to know about network security, but I am versed in the basics and concepts of many security threats businesses face in these times.

I mean look at the news. It would almost seem that security breaches are happening even more frequently do to "hacktavist" groups like Anonymous. If your company takes a political stand that goes against the groups beliefs, you better believe they will come after you. So what should you look out for? Here is an interesting infographic I found that talks about the main ways hackers "get in." Check it out!

Hackers: How They Get In, How They Got In
[Via: Wikibon]

del.icio.us tags:       


Feb 3, 2012

My Biggest Weakness in IT? I'm A Tinkerer!

A few months ago I wrote about one of my biggest weaknesses in IT is networking. I mean I am Network+ certified, and I can subnet, and do a basic configuration of a switch with VLANs and such, but it's not really my strongest skill. I am more of a systems guy. I am more proficient in servers, software, active directory domains, etc. Even though networking is my weakness, I don't think it's my greatest weakness. 

No, my greatest weakness is that I am a tinkerer. What I mean by that is that I have a serious problem of leaving well enough alone when it comes to servers and networking. I often find myself in a position where I see something, and get it in my head that although it is working fine, I can make it better if I only do (fill in the blank). That more times than I like has come to bite me in the ass.

I don't know too many IT guys that will readily admit their weaknesses. Most of the IT guys I know have really big egos, and it's hard for them to admit when they are wrong. I think knowing one's weaknesses is the only way you can better yourself by getting stronger in the areas where you are weakest, and eventually not have said weakness any more.

epic fail

What I resolve to do to squash this bug is to not attempt any fixes or improvements, especially if everything is running fine without it. If it's not running fine, then I really need to work on my patience to fix things, and wait for a better time to do my tinkering during a maintenance windows or something.

What do you think? What's your biggest weakness in IT? Lets hear about it in the comments, along with what you are trying to do to get rid of your weaknesses.

del.icio.us tags:     


Feb 2, 2012

Zombies vs Supermodels

Have you ever watched one of those super model contest shows like America's Next Top Model, or Make Me A Supermodel? No? Errr... Me neither. Ok, but you have seen stock footage of emaciated models walking down a runway during a fashion show right? How many times have you said outlout, "Give that girl a sandwich!"? Oh, am I the only one? Anyway, a lot of these girls look like walking skeletons!

What does this have to do with geekiness or technology? I'm sure you're asking yourself this right about now. Let me tell you, I found a funny picture on the Internet the other day that does a side by side comparison of a supermodel vs a zombie! Zombies are friggin' awesome, and thus this post does very well belong here. Why wouldn't you compare a walking skeleton to a zombie? Check it out!

Zombie vs Supermodels

[Via Minutebuzz]

del.icio.us tags:        


Feb 1, 2012

Stages of Pulling The All-Nighter For College

Remember back in your college days right before an exam, or perhaps during the final weeks of class and the big 30 page compare and contrast paper was due? Did you begin preparing for the exam when the professor told you about it? Hells no! Did you begin researching your paper when it was assigned right after mid-terms? Screw that!

Nope, you did what everyone else does. Wait until the last friggin’ minute, then try to pull an all-nighter to get it all done. It’s a strenuous game of choking back Red Bulls and trying not to give into exhaustion from the huge weekend kegger you went to the night before. That’s okay because you’ve done it before right?

Check out the 8 stages of pulling an all-nighter:

panic

acceptance

[Via CH and GAS]

del.icio.us Tags: ,,,



Twitter Delicious Facebook Digg Stumbleupon Favorites More

 
Design by Free WordPress Themes | Bloggerized by Lasantha - Premium Blogger Themes | stopping spam