Building a Home Network – Part 3 Firewall VM

This post will summarize how to configure Hyper-V and build the Sophos UTM firewall as a virtual machine. This is part 3 in a series of posts about rebuilding my home network.

Before I get into the firewall I’ll give my thoughts on Hyper-V. I’ve never used Hyper-V before this little project. I have experience with VMWare ESX but I wanted to learn Hyper-V for comparison purposes. I have to say that it’s really easy to use but there are still a lot of ifs and buts with it. I can appreciate Hyper-V’s capabilities for what they are and I wouldn’t be afraid to use it for hosting development or testing environments. It’s not ready to compete with ESX and I question if it ever will based on the gap between the two. VMWare is working on a virtual ecosystem while Microsoft is still trying to polish their hypervisor. Hyper-V is a capable product that can provide business value under the right circumstances. Microsoft has made a case for the share of the market that is looking to reduce its VMWare licensing costs, but VMWare is much more capable of hosting business critical services.

Back to the topic at hand. I chose the Sophos UTM because it’s a full featured firewall and it’s free for home use. I have experience working on Checkpoint, Cisco and McAfee (Secure Computing Sidewinder) firewalls. Working on a firewall is not for everyone and it can be difficult to get experience on such a critical enterprise security system. I think that’s an attractive benefit of using the Sophos UTM system as a home firewall. If you’re looking to pick up firewall management as a skill then you can get experience with enterprise level features in your home lab or network.

The first thing to do is visit the Sophos website and register for your home license. The “Free Tools” section of the Sophos website lists the Sophos UTM Home Edition. You’ll receive an e-mail with instructions on how to download the software and access your license key file. Don’t be confused by any Astaro labeling; that is what the product used to be called, and the ISO name still carries the old “asg” (Astaro Security Gateway) prefix. I downloaded the file asg-9.004-33.1.iso to be run as a VM on my 2012 Hyper-V server. Download the ISO file and store it where it can be accessed from the Hyper-V server.

As I mentioned in a previous post, I have already setup my external and internal virtual switches for the firewall. See the picture below for the configuration of my external and Internet interface (vSwitch).

vSwitch CFG

Basically, I have a Broadcom NIC which will be my Internet NIC and my Realtek NIC will be the inside interface for the firewall. The Realtek NIC will also be used for other VMs on the LAN.

Now that we have the network setup and our ISO file we can prepare the installation. Open Hyper-V Manager and select New->Virtual Machine.

  1. Give the new virtual machine a name for your reference and select the location you want to store the VHD. As mentioned in a previous post, I put my VHD on a stand-alone mechanical hard drive. This is a firewall and it will log most of what passes through it to disk. Don’t burn out an SSD unnecessarily.
  2. On the next screen enter the amount of RAM you want to give the firewall. The minimum recommendation is 1 GB and I’ve gone with 2 GB and have not had an issue. Hyper-V dynamic memory is not supported for Linux guests, so leave that setting disabled.
  3. Attach one of the two vSwitches. It doesn’t matter which one, just remember which one you chose. We’ll add the other after this wizard completes.
  4. I’m creating a new VHD through this wizard. So, I’ll just verify the name and location and change the size. The minimum recommendation for the hard drive is 20 GB. I’ve gone with 30 GB and have not had any space issues yet. The larger the drive the more log history you will be able to maintain.
  5. On the Installation Options screen we’ll choose to install from media using the Image File (.iso) option. Browse to the location where you saved the .ISO file.
  6. Click Finish and Hyper-V will prepare the virtual machine.
  7. Let’s add the second vSwitch now. Open the settings menu for the VM and add a new network adapter under the Add Hardware option. Select the vSwitch that was not added during the wizard.
  8. Next we can disable hardware acceleration (virtual machine queue, IPsec task offloading and SR-IOV) on both network adapters. If you have a NIC that actually provides this functionality then you can leave it on. I recommend turning it off for a standard consumer NIC though. See the picture below for an example.
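
The same eight wizard steps as one script for the Hyper-V PowerShell module on Windows Server 2012. This is an added example, not the author’s procedure or anything from Sophos; the paths, the switch names Internal and External, the adapter names Inside and Outside and the two static MAC addresses are my assumptions and should be adjusted to your host.

```powershell
# Added example (not from the original post): the Hyper-V Manager wizard steps
# above as a Server 2012 PowerShell script. Paths, switch names, adapter names
# and MAC addresses are assumptions; adjust them to your host.
Import-Module Hyper-V

$vmName         = 'SophosUTM'
$vmRoot         = 'D:\VMs'                      # assumed: the stand-alone mechanical disk, not the SSD
$isoPath        = 'D:\ISO\asg-9.004-33.1.iso'   # the Home Edition ISO downloaded earlier
$internalSwitch = 'Internal'                    # assumed: vSwitch on the Realtek (LAN) NIC
$externalSwitch = 'External'                    # assumed: vSwitch on the Broadcom (ISP) NIC

# Steps 1-4: name, VHD location, 2 GB of RAM, a 30 GB disk and the first switch.
New-VM -Name $vmName -Path $vmRoot -MemoryStartupBytes 2GB `
       -NewVHDPath "$vmRoot\${vmName}.vhdx" -NewVHDSizeBytes 30GB `
       -SwitchName $internalSwitch

# Step 2: fixed memory; Linux guests on this Hyper-V release do not support dynamic memory.
Set-VMMemory -VMName $vmName -DynamicMemoryEnabled $false

# Step 5: put the installer ISO in the DVD drive New-VM created.
Set-VMDvdDrive -VMName $vmName -Path $isoPath

# Step 7: give the wizard's adapter a meaningful name and add the second adapter.
Rename-VMNetworkAdapter -VMName $vmName -Name 'Network Adapter' -NewName 'Inside'
Add-VMNetworkAdapter -VMName $vmName -Name 'Outside' -SwitchName $externalSwitch

# Static MACs from the Hyper-V locally administered range (00-15-5D) so each
# adapter can be told apart in the UTM installer before the VM has ever been
# started (dynamic MACs are only handed out at first power-on).
Set-VMNetworkAdapter -VMName $vmName -Name 'Inside'  -StaticMacAddress '00155D0A0101'
Set-VMNetworkAdapter -VMName $vmName -Name 'Outside' -StaticMacAddress '00155D0A0102'

# Step 8: turn off VMQ, SR-IOV and IPsec task offload on both adapters.
Get-VMNetworkAdapter -VMName $vmName |
    Set-VMNetworkAdapter -VmqWeight 0 -IovWeight 0 -IPsecOffloadMaximumSecurityAssociation 0

# Review the result, then power on to boot the installer.
Get-VMNetworkAdapter -VMName $vmName | Format-Table Name, SwitchName, MacAddress -AutoSize
Start-VM -Name $vmName
```

The static MAC addresses are the reason this is worth scripting rather than clicking through: the installer’s interface selection screen identifies each detected NIC by its hardware address (the webadmin Interfaces page shows the same thing afterwards), so the adapter ending in 01 is known to be the inside interface without a second trip through the wizard.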

Sophos VM CFG

If you want other network adapters then go ahead and add them. If you want a DMZ, for example, repeat step 7 to add that adapter as well, assuming you have created the vSwitch for it. What we have just done is prepared the logical hardware configuration for the firewall and inserted our media into the CD-ROM drive. Now it’s time to power this VM up. Select the VM and click “Start” to power the system. Click “Connect” to open a console window to the VM. You should be presented with a window that looks like this:

Sophos UTM Boot Screen

If you don’t get this screen then there is either a problem with the ISO file or Hyper-V itself. Go ahead and press ENTER. The hard drive it is referring to is the VHD that we created through the wizard. Proceed to start hardware detection. At the end of the detection routine you should be presented with a screen that summarizes the hardware configuration we built through the Hyper-V wizard.

Sophos hardware detection

The next step is to go through the software configuration wizard. You’ll be asked to select your language and time zone. You’ll also select your internal network adapter where you will access the webadmin interface. It’s difficult to determine which virtual adapter translates to which physical NIC. If you get it wrong then you can boot the media and go through the wizard again and select the other adapter. Go ahead and complete the software configuration and Sophos will boot. At completion you should be at the following screen.

Sophos started

The remainder of the configuration will be completed through the webadmin interface using your browser; it listens on HTTPS port 4444, so the address is https://10.1.1.1:4444 in my case. I’ve given the internal NIC an IP address of 10.1.1.1. You can use 192.168.x.x or whatever scheme you want to use on your network. The next step is to get a client system, potentially the Hyper-V server, with an IP address in the same subnet that can communicate with 10.1.1.1 or whatever you chose to use. For this example I can either boot another VM using the internal vSwitch or use my spare network card on the Hyper-V server, assign it a static IP of 10.1.1.2 and connect it to the same switch that the internal NIC is connected to.

The Sophos UTM manual available from the support site provides very good documentation walking through the setup step by step. You should be able to go through the configuration and see what the wizard has configured for you based on the questions you answered.

I will say that the interface is a bit cumbersome. I wouldn’t be too thrilled if I were a firewall administrator for an organization and this was my interface. It doesn’t make adding and modifying rules very easy but it’s functional. For a home environment I can’t complain but if I spent a fair amount of time on the dashboard I would definitely prefer a bit more flexibility. At this point it’s really up to you what services you want to enable and how you want to configure the firewall. I’ve enabled Country Blocking (Geo Blocking) and Endpoint Protection and spent time setting up static mappings and DNS records for all of my internal devices.

If you’re thinking of using the Country Blocking functionality I must warn you to tread lightly. When you block a country it applies to both inbound and outbound traffic, as the rule to deny this connection is applied before your firewall access rules. For example, if you block all of Asia you’ll probably have a hard time getting firmware and drivers for your hardware. Sites like Facebook distribute services all over the world. This also applies to sites that host services on Amazon Web Services, which could be located in any one of their data centers. The interesting outcome of using country blocking is discovering what countries you’re accessing data from. From my perspective, the benefit of using this functionality is to reduce risk where there is no need for connectivity. Maybe it’s safe to block all communications with North Korea but you might have a need to communicate with Taiwan to get driver updates for your motherboard. I recommend getting a threat report from McAfee or another security service provider and selecting the top 3-5 geographical risks.

Sophos dropped traffic

You can see some of the traffic that my firewall is dropping in the dashboard above. I have country blocking enabled with Ireland and China being blocked. You can see that Facebook has a service that resides in Ireland and the connection is being dropped. Another site is using AWS (Amazon Web Services) out of China and that traffic is being dropped. I also have two internal clients that are attempting to communicate through the firewall but there is no ACL to allow the traffic so it is being dropped.

Here is my recommendation for the firewall ICMP configuration:

Sophos Firewall ICMP CFG

Unless you enable a rule that allows all clients to communicate externally over any port and protocol you’re going to spend some time in the Firewall Log. This will let you see what communications the firewall is blocking. You’ll then need to determine if you want to allow that traffic and setup a rule to do so. It would be nice if the live firewall log had an exclusion filter in addition to the inclusion filter.
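As an added example (not code from the post or from Sophos), here is a PowerShell triage of the packet-filter log that applies the exclusion filter the live view lacks and collapses whatever is still being dropped into candidate allow rules. It assumes you have pasted or downloaded log lines in the UTM’s ulogd key="value" format; the lines embedded in $sampleLog are constructed for illustration (the addresses, ports and rule numbers are not real), and the helper names and the exclusion predicates are mine.

```powershell
# Added example (not from the original post): triage the UTM packet-filter log
# with an exclusion filter, then collapse what is still being dropped into
# candidate allow rules. $sampleLog is constructed in the shape of the UTM's
# ulogd "packetfilter" lines; every address, port and rule number is illustrative.
$sampleLog = @'
2013:02:05-10:14:43 utm ulogd[4627]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth0" srcip="10.1.1.2" dstip="10.1.1.1" proto="6" srcport="51234" dstport="4444"
2013:02:05-10:14:45 utm ulogd[4627]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="10.1.1.14" dstip="203.0.113.10" proto="17" srcport="49317" dstport="49317"
2013:02:05-10:14:46 utm ulogd[4627]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="10.1.1.14" dstip="203.0.113.11" proto="17" srcport="49317" dstport="49317"
2013:02:05-10:14:48 utm ulogd[4627]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="10.1.1.14" dstip="203.0.113.12" proto="17" srcport="49317" dstport="49317"
2013:02:05-10:14:50 utm ulogd[4627]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="10.1.1.20" dstip="198.51.100.5" proto="6" srcport="50222" dstport="443"
2013:02:05-10:14:51 utm ulogd[4627]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="10.1.1.30" dstip="10.1.1.255" proto="17" srcport="137" dstport="137"
2013:02:05-10:14:52 utm ulogd[4627]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="0.0.0.0" dstip="255.255.255.255" proto="17" srcport="68" dstport="67"
'@ -split "`r?`n" | Where-Object { $_.Trim() }

function ConvertFrom-UtmLogLine {
    param([string]$Line)
    # Turn every key="value" pair on the line into a property of one object.
    $fields = [ordered]@{}
    foreach ($m in [regex]::Matches($Line, '(\w+)="([^"]*)"')) {
        $fields[$m.Groups[1].Value] = $m.Groups[2].Value
    }
    if ($fields.Count -gt 0) { [pscustomobject]$fields }
}

# The exclusion filter the live view lacks: predicates for noise that will
# never get an allow rule. 10.1.1.255 is the directed broadcast of this LAN.
$exclude = @(
    { param($p) $p.dstip -in '255.255.255.255', '10.1.1.255' }               # broadcast
    { param($p) $p.proto -eq '17' -and $p.dstport -in '137', '138', '5353' }  # NetBIOS / mDNS chatter
)

function Test-Excluded {
    param($Entry, [scriptblock[]]$Predicates)
    foreach ($pred in $Predicates) { if (& $pred $Entry) { return $true } }
    return $false
}

$protoName = @{ '1' = 'ICMP'; '6' = 'TCP'; '17' = 'UDP' }

$drops = $sampleLog |
    ForEach-Object { ConvertFrom-UtmLogLine $_ } |
    Where-Object { $_.action -eq 'drop' -and -not (Test-Excluded $_ $exclude) }

# Group by source, protocol and destination port across all destinations. A
# device hitting many hosts on one service needs a Destination=Any rule; a
# single destination deserves a rule that narrow.
$candidates = $drops |
    Group-Object srcip, proto, dstport |
    ForEach-Object {
        $first = $_.Group[0]
        $name  = $protoName[$first.proto]
        if (-not $name) { $name = "proto$($first.proto)" }
        $svc = if ($first.dstport) { "$name/$($first.dstport)" } else { $name }
        [pscustomobject][ordered]@{
            Source       = $first.srcip
            Service      = $svc
            Destinations = @($_.Group | Select-Object -ExpandProperty dstip -Unique)
            Drops        = $_.Count
        }
    } |
    Sort-Object Drops -Descending

$candidates |
    Format-Table Source, Service, Drops, @{ n = 'Destinations'; e = { $_.Destinations -join ', ' } } -AutoSize
```

Run it in any PowerShell 3.0 console with $sampleLog replaced by the lines you copy from the webadmin log viewer. Every group that survives the filter is a decision: either extend $exclude because it is noise, or build the rule, with the Service column mapping onto a UTM service definition and the Destinations column telling you whether “Any” is warranted. In the constructed data the 10.1.1.14 group is the Kindle case discussed next: one device, one UDP port, several destinations.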

Sophos live firewall log

You can see that the green rows are my client PC connecting to the webadmin interface, which is allowed. The red rows are a client attempting to communicate with an external service (AWS) over UDP 49317. Let’s say this is valid traffic and I want to allow it. In this case the client is an Amazon Kindle attempting to talk to AWS over UDP 49317. Let’s walk through how to allow this traffic.

  1. I like to create a static mapping for IP leases from the DHCP server. The first thing I will do is go to Network Services->DHCP. On the IPv4 Lease Table tab I should see 10.1.1.14 as a lease. I’ll click the button to create a new mapping for that IP address. I’ll also check the boxes to create a DNS mapping and a network definition for the host.
  2. This is also optional but I will now go to Network Services->DNS and look at the Static Entries tab. I should see an entry for 10.1.1.14 based on what I did in step 1. What I want to do here is create a reverse lookup record. I’ll edit the entry for 10.1.1.14, select the checkbox for reverse DNS and save it.
  3. In the above steps I have created a static mapping in the DHCP server. This means the client should obtain the same IP address from the DHCP server when it connects to the network. I’ve also created a forward and reverse DNS entry for the device and a host object that I will use in the firewall ACL. Now I’ll go to Network Protection->Firewall and click New Rule.
  4. The new ACL requires three elements: Source, Service and Destination. My rule will allow the Kindle host object to communicate with Any destination over UDP 49317. See the image below.
  5. After I save the ACL I have to enable it. When ACLs are created they are disabled by default. From the main ACL listing I can enable the rule and traffic should start flowing through the firewall. The rows we saw earlier should then disappear from the live firewall log.

Sophos ACL allow rule

This will most likely be an iterative process unless you just put a broad allow ACL in place for your network. If you’re new to firewalls then you should be getting the idea of the type of fun and knowledge that can be gained from firewall systems.

I would recommend running a port scan against your firewall once you have it setup. There are a couple of reputable and free port scanners that can be run from the Internet. Just determine your IP (Google: what’s my ip) and plug it into a port scanner. Unless you have enabled an ACL to allow traffic from the Internet to your network this port scan should be pretty clean with no active ports found. If the scan found an open port then you have a configuration or ACL allowing it.

I’ve been running the Sophos UTM firewall on Windows Server 2012 as a Hyper-V virtual machine for about a month now without any issues. I did have to spend a few hours configuring it initially but I’m very happy with the service it provides. If you have any questions feel free to contact me or leave them in the comments section and I’ll do my best to help.

Building a Home Network – Part 2 Wireless

This is part 2 in a series on rebuilding my home network. In this post I’ll review why I decided to implement a robust firewall and what impact the wireless network had on it. In the next post I will review the build of the firewall as a Hyper-V virtual machine.

In part 1 of this series I walked through the hardware configuration for the virtual server I am using as the centerpiece of my home network. I also reviewed the disk and network configuration as it relates to my next post of building the firewall. Based on that I already have two virtual switches built in Hyper-V. One is for external connectivity to my ISP and the other is the internal network connectivity. What I’m missing is the logical connection between the two and some standard network services such as DHCP, DNS and NAT.

For my Internet gateway I would like to be able to apply basic rules to interfaces. This is the traditional source ip to destination ip via port and protocol with a default deny rule following all of my “allow” rules. I would also like some standard protection of basic Internet attacks and probes. While looking at options I came across the Sophos UTM which is a free download for home use. This is the same firewall they sell to corporate customers but with slightly limited functionality. In my opinion, this is a brilliant idea from Sophos. It presents the opportunity for a broader population to train themselves and gain familiarity with their product while contributing to improving security on the Internet. This device allows me to offer gateway anti-virus, intrusion detection, geo-blocking and other enterprise level services to my small home network clients.

I could have put a simple Linux virtual machine in place to provide the services and act as a firewall. Of course, you might be asking why I didn’t just use a wireless firewall/router that can be found online or at any electronics store. For one, I wanted more control over what my network was sending to the Internet and better protection against threats. That means I need a managed firewall like the Sophos UTM. Second, I wanted to split my broadcast domains between wired and wireless clients. Before I get to the post on the firewall I thought it was best to review the wireless networking and why you might want to consider what your broadcast domain looks like.

Let’s consider what a standard wireless router or gateway offers. Typically this device has a WAN port for ISP connectivity and let’s say 5 ports for LAN connected devices. The device also offers wireless connectivity which logically acts as a 6th switch port for multiple wireless clients to use. The device might offer some access control list functionality and provides basic network services like DHCP, DNS and NAT. From a networking perspective we refer to the 5 LAN switch ports and the 6th wireless switch port as a broadcast domain. This means all clients connected to these ports have the same default gateway, are on the same network and can talk to each other. There is no router between these clients as they are all on the same layer 2 segment. This is a simple network configuration to build and support, which is why it is the default configuration for a home network.

This single broadcast domain is not a problem in itself. If you have a couple of clients like a laptop and a desktop then it is certainly the way to go. Obviously, you would want to patch your OS and applications regularly. You probably have anti-virus software and a host based firewall like Windows Firewall running on the clients as well. However, as my network grew so did my exceptions to best practices. I currently have around 15 IP addresses allocated to devices on my network and I expect that to grow. These devices vary in operating system and interface. They include mobile phones, tablets, and entertainment devices like TVs and media players. So, in the network design above, all of these devices are in a single broadcast domain. One of the greatest weaknesses in this design is the wireless network. I can’t control who can listen to my wireless communications. Even though the communications are encrypted, a portion is not. Think of it like the US Postal Service. You can send an encrypted note inside an envelope but the postal service will require a readable address for delivery. A network attached client is constantly shouting out or broadcasting information like “Hey, this is laptop, where is desktop?” (an ARP request) and someone else on the network will respond with the answer. This is why it is known as a broadcast domain: a router will not pass this information along to clients on another network. The picture below is an example of what I’m talking about.

Kismet screenshot

Using a Linux laptop with a wireless card I can see all of the wireless networks and broadcast communications in my vicinity. I’m using completely free software (Kismet) on BackTrack 5 Linux and an old Intel Centrino based laptop for the surveillance. In the window you can see the wireless networks that my 802.11 b/g ipw2200 network card is picking up. It lists the SSID, the radio channel, the encryption type and a few other details at the top of the window. I’ve distorted the SSID names a bit out of respect for the innocent. All of this information is publicly available to anyone in range of the wireless signals. In the middle of the screen you can see the clients that are broadcasting on the highlighted wireless network. On the particular wireless network I have highlighted I can see there are four wired clients and their MAC addresses. It even attempts to determine the manufacturer of the networking device for each client. I would guess a Motorola cable modem, a Sony computer or media device like a TV or Blu-Ray player, and the unknown MAC is assigned to the Lite-On Technology Corporation.

Now keep in mind, I’m not “hacking”, or more appropriately attacking, anything here. I’m just listening to all of the wireless computers in the area broadcasting information in public. I’m not decrypting the conversations. However, if I were to take the next step and (attempt to) crack the encryption key I could then attempt to associate as a wireless client. If successful then I could attempt to communicate with these other clients depending on a few other factors. Keep in mind this is probably illegal in most locations and is certainly unethical. Is it probable that someone will crack my encryption key and attack my wireless network? Probably not but I’m also not interested in finding out.

Another thing that I thought about as to why I might want to separate my wired and wireless clients with a firewall is the different risk levels associated to the devices. I categorize my wireless devices as a higher risk and more vulnerable to threats because they travel and connect to various networks. They could catch some nasty germs being out in public and I’d like some protection of my stable assets like my media center HTPC when they come back home. The firewall will prevent unlimited and unfiltered access from wireless clients to all stationary and stable systems on my network. With the firewall in place I can just add a wireless access point to another virtual switch, or firewall interface, and apply rules to it. My firewall will apply all of its capabilities to the traffic between the two network segments. I’ll go into more depth on the firewall capabilities in the next post.

Now there are other ways to address the wireless security threat to a network. Using certificates or client authentication via 802.1X are much more advanced options that would be preferable in an enterprise network. This requires a bit more infrastructure and more management overhead though. Segmenting networks is a best practice in a corporate environment and I believe we will start seeing this become more common in consumer grade components as home networks grow in the breadth of device types and services they must support. As an aside, the Sophos firewall supports these advanced capabilities but this is some of the functionality that is disabled in the home user license.

That’s a long winded explanation of why I want to split my broadcast domains between wired and wireless clients and implement a firewall as my default gateway to the Internet and between broadcast domains. I’m not sure that’s helpful to too many people. If you know this stuff then this write-up is probably too rudimentary for you and if you don’t then you probably don’t care a great deal. Anyways, it provides a bit of background as to why you should consider segmenting your wireless clients.

Building a Home Network – Part 1

This is a follow up from a previous post regarding a rebuild of my home network. In this post I’ll discuss the foundational components that are used to deliver the end user services. I will follow up with part 2 of this with the Sophos UTM firewall as a VM.

The first thing I needed to do was assemble my server for virtualization. I have a Core 2 Duo desktop computer that was built in 2006 to reuse but it needs a hardware refresh. The Core 2 Duo processor is a bit dated and consumer technology has come a long way since 2006. The first thing to do is to identify the chipset to be used. As I mentioned in the previous post, AMD offers a great value for a virtual system. You can get a motherboard and processor for less than the price of an Intel setup. I wanted to incorporate Intel’s Smart Response Technology (SRT), also known as SSD caching, though. SRT dictates that a specific Intel chipset be used. I settled on the Intel Z68 chipset as the cheapest option with the SRT feature. I’m not overclocking so there was really no reason to look at the more expensive chipsets. I picked up the ASRock Z68 Pro3 Gen 3 motherboard and the Intel i3-3225 processor to go with it. These two components give me 64-bit hardware, virtualization support, SRT, SATA 3.0 for SSD and 32 GB of memory capacity. This will be a great setup for an economy server in a desktop form factor. My only projected limitation will be processor contention.

cooler master case side

The goal was to reuse my existing Cooler Master case and power supply to save a couple hundred dollars. Even though the case is 6 years old it provides adequate room for my needs on this project. I’m most concerned about PCI expansion and HDD slots in the case and it has enough room for my needs. After ripping everything out I put the new motherboard in and tested power. To my dismay I could not power the processor. With the 12V rail of the power supply connected to the motherboard the fans would spin up and then shut down repeatedly with no video out. A short exchange with ASRock technical support via e-mail and I had a new BIOS chip in the mail. The BIOS that the motherboard ships with only supports Sandy Bridge processors. My processor is an Ivy Bridge and required an updated BIOS chip. After swapping out the BIOS chip I had power, and video.

The next step was to load up the case with my peripherals.

  • 4 x 8 GB RAM should provide plenty of room for growth and virtual machines
  • 1 Blu-Ray ROM drive for reading media
  • 2 PCI network interface cards (NICs). One card is dual port, so with the motherboard’s onboard Realtek NIC I have 4 network interfaces. Since this will be a virtual server I wanted to have enough network flexibility for future testing. See below for more information.
  • 1 SSD disk for the SRT caching
  • 4 standard hard disk drives to max out the available SATA ports

Some serious consideration needs to be given to the logical disk layout of the virtual server. My NAS storage and the SRT caching functionality needed to be considered as well. The logical configuration will determine the physical configuration. My logical configuration is determined by the following.

  • Virtual servers will not be cached and do not need RAID. I don’t want to cache the virtual hard drives (VHDs) because they may be disk intensive. For example, firewall’s can write a lot of data to their disk for logging. As I mentioned in my previous post I was going to attempt to run a virtual firewall on this server. I didn’t want to burn up my SSD by caching unnecessary disk activity that wouldn’t benefit from the speed of the SSD. I can also snapshot the VHDs for backup so I won’t need to RAID the physical drive. Therefore, the VHDs would go on a standalone physical drive.
  • I want one standalone drive for data backup which means it cannot be physically associated to the disks that contain the data being backed up.
  • My NAS data will be on a RAID 1 array to survive a disk failure without interrupting services. I’ll be hosting home theater media on the NAS and interrupting access to this media might cause a hardship or at least change my priorities that day. A little planning here will save me time down the road.
  • Half of the SSD will be used as cache for the RAID array. A second LUN of the remaining capacity will be available for future use.
  • The host OS will reside on the RAID 1 array.

Based on my logical configuration the physical configuration looks like this:

Hyper-V physical disk cfg

Once all of the cables are plugged in then I’ll move on to the software. I’ll now make all of the necessary BIOS configuration changes and build the RAID array. Installation of Windows Server 2012 is fairly simple. The only thing I needed to do was create a LUN for the installation on my RAID array. Windows found most of the drivers for my hardware and installation was fairly quick compared to previous versions. After the initial installation was finished I installed the Hyper-V role to complete my installation.

I decided to install the Intel SRT software and configure caching on the SSD for the RAID array at this time. I obtained the SRT software from the ASRock support website and installed it on Server 2012. Intel does not explicitly state that it supports 2012 so I expected to run into some issues. The software installed and I configured the cache without problem. So, I have proof that SRT works on Windows Server 2012.

The next step is to prepare Hyper-V for guests. I created my 500GB LUN in Windows which will be used for my VHDs. I can then modify the Hyper-V settings and configure it to use my new LUN for storage of all guest data. These settings are just defaults that can be changed at the time a guest is created. It is important to create virtual switches before the guest is created though. The firewall will be my first guest so I’ll need two virtual switches. One will be for the external interface and the other for the internal interface of the firewall. These will be “External network” connection types as they will be allocated a physical NIC. The diagram below depicts this.

Hyper-V network cfg

Notice that the “Internal” virtual switch is also used by other VMs. While the external virtual switch NIC is directly connected to the ISP modem, the internal virtual switch NIC is connected to my standard layer 3 network switch. All virtual machine guests that require standard internal network access will use this virtual switch. The third NIC is used for the Windows Server 2012 host system to communicate with the network and I have a fourth NIC that I can allocate in the future.
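The two switches in the diagram, built from PowerShell on Server 2012 instead of Hyper-V Manager. This is an added example, not the author’s configuration; the adapter names Ethernet and Ethernet 2 are placeholders to be replaced with whatever Get-NetAdapter shows for the Broadcom and Realtek ports.

```powershell
# Added example (not from the original post): create the two "External network"
# virtual switches the firewall needs. Adapter names are assumptions; take the
# real ones from the Get-NetAdapter listing.
Import-Module Hyper-V

# List the physical NICs with driver description and link state so each
# port can be mapped to its role (ISP modem, LAN switch, host management).
Get-NetAdapter -Physical | Sort-Object Name |
    Format-Table Name, InterfaceDescription, MacAddress, Status -AutoSize

$externalNic = 'Ethernet 2'   # assumed: the Broadcom port cabled to the ISP modem
$internalNic = 'Ethernet'     # assumed: the onboard Realtek port cabled to the LAN switch

# -AllowManagementOS $false keeps the host OS off both switches: the host must
# never hold an address on the Internet-facing NIC, and it reaches the LAN
# through its own third NIC rather than bypassing the firewall's inside interface.
New-VMSwitch -Name 'External' -NetAdapterName $externalNic -AllowManagementOS $false
New-VMSwitch -Name 'Internal' -NetAdapterName $internalNic -AllowManagementOS $false

# Verify: both switches are of type External, bound to the intended NICs,
# and neither is shared with the management OS.
Get-VMSwitch |
    Format-Table Name, SwitchType, NetAdapterInterfaceDescription, AllowManagementOS -AutoSize
```

The check at the end matters more than the two New-VMSwitch lines: if AllowManagementOS shows True for the External switch, the hypervisor host has a virtual NIC sitting directly on the ISP side of the firewall.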

Overall, I’m quite happy with the build and performance of the system. All of the work above should take a day or less to complete. In the next post I’ll walk through the setup and capabilities of the Sophos UTM firewall as a VM. I’ll say that it’s up and running and I plan to keep it that way. I also P2V’d my desktop system before I ripped apart the hardware and have it running as a VM now.

Datacenter in a Box

Storage Area Network Photo

The future is bleak for storage vendors if they think business will remain strong. SAN systems won’t disappear but I believe the market is going to shrink, which will have economic consequences. The driving force behind this change is the virtualization hypervisor, which isn’t just for CPU and RAM any longer. SAN systems will continue to play a role for service providers and demanding enterprise applications but I believe a noticeable chunk of the market will be replaced with some type of low cost disk solution that can be managed by software.

I had planned on writing more about this topic but while I was doing some research I came across a pretty good article that is worth a read. This article is focused on a particular solution by an up and coming organization called Nutanix but I think it provides some context for those that need it. I’m pretty hyped up on this particular solution and I look forward to this market shaking out a bit more. If I were looking at a VDI deployment in the near term I would certainly give the Nutanix solution a hard look and forego the traditional SAN storage. I’m also very interested in seeing the next revision of the Microsoft and VMWare hypervisors. I’ll refer you to the article and give credit to the appropriate author.

Nutanix server-storage half-bloods armed with Xeon E5s

Designing a Home Network

I have been spending some time thinking about redesigning my home network. My household electronic demands are growing in scope and capacity. I also have some gear that is due for a life cycle replacement. I figured it was time for a redesign of the network and build the system from the ground up to take my household through the next 5 years or so.

I made a list of requirements that needed to be accounted for in the design.

  • My home theater PC (HTPC) will support whole house entertainment by serving cable TV, DVR, photos, movies and music to different rooms in the house.
  • My IP security camera system should be scalable and have a centralized storage medium.
  • A centralized location is required for data storage to be available for all internal clients. (2-3 TB capacity with RAID for fault tolerance)
  • A secure wireless network is required for mobile devices of at least 802.11g speed.
  • Network backbone should be of gigabit speeds to support multimedia streaming and NAS access concurrently.
  • Capacity for future platform testing.

I thought it would be interesting to provide context by showing what I believe is a traditional home network. My belief is not based on research but I believe the typical home network is primarily composed of a consumer grade wireless router and some number of client devices. The figure below shows a high-level representation of this description.

Typical Home Network Design Diagram

The simplicity of this network design is what makes it popular. Consumers can buy a cheap wireless gateway router from any number of manufacturers and it will work with most Internet connections. The only real decisions at hand are the manufacturer and the wireless standard for client devices. Plug a couple of cables in, walk through the wireless setup wizard and we have a home network.

My requirements dictate something a bit more complex. Let’s walk through the components of the solution and then see how it all fits together.

Security
I want a bit more security between my internal systems and the Internet. The capabilities include fine grained access controls between networks, stateful packet inspection (SPI), network address translation (NAT), remote VPN capability, and gateway anti-virus/sanitization for web surfing. I plan on using the Sophos UTM firewall as a virtual appliance to meet these needs. This device will be counted on to protect my internal systems from external threats.

Wireless
I really don’t have a preference for wireless. I will be looking for an access point with WPA2 encryption that supports 802.11g at a minimum. I don’t really have a need for 802.11n at the moment and I’m interested in some of the progress being made on wireless standards. I think I might go with something cheap for the time being like a used enterprise level Cisco AP or something similar. I think I would like to keep future enhancements to my wireless service in mind without the need to reconfigure or overhaul large portions of my network. Using an access point to extend my network and services to the wireless spectrum is an important consideration. This way I can rip this access point out at a later date and replace it with new technology when it is available with relative ease.

Switching
I have an existing HP gigabit switch with power over ethernet (PoE) capability. I'll repurpose this switch to become my core switching platform. This will become the heart of my network that distributes services to the consumers (my devices). The PoE will come in handy to power IP cameras and potentially my wireless access point. This gives me more flexibility in device placement as I won't need AC power for the devices themselves.

Storage
I would like to replace my current DLink DNS-323 NAS server. It’s a handy two disk RAID array but I would like more storage and flexibility with services. I looked at consumer options and there are some good choices available on the market today. However, these solutions come at a fairly steep price for a home network. I’m going to attempt to build a Linux server running a freely available NAS software application. This will allow me to use a RAID 5 array of large capacity disks and layer on the services that I need for my network. I haven’t decided upon the Linux distro or NAS software yet. There are a couple of good options available and the price is right. I’m also going to see if I can virtualize this server to keep hardware costs down.

Servers
I’d like to be able to run a variety of different systems within my network. Some of these might be directory servers while others might be lab type servers. Being able to test or prove capabilities on new software will be a nice capability to have. A virtual platform will be ideal for this need. With a virtual platform in place I can build a new server or desktop for testing quickly without the need for additional hardware, mess, power needs, etc… The virtual platform will also provide capabilities for backing systems up and migrating them to new hardware in the future.

Virtual Platform
I’ve already identified the need for 3-5 systems running in my back-office on this network. I don’t want a server rack in my house and I don’t want to add electrical outlets to support this. Hardware also costs money. In a home network, hardware utilization is typically very low unless you are actively gaming or processing multimedia. I have an existing tower desktop that is underutilized as I spend most of my time on a laptop. I’m going to attempt to gut the desktop and convert it into a virtual server. This LGA 775 Core Duo desktop will have the motherboard, processor and RAM ripped out and replaced with new components. I’m planning on replacing with an ASRock Z68 Pro3 Gen3 motherboard, Intel i3 processor and 32 GB RAM. I can reuse the case and power supply to cut down on costs. My hope is to convert this desktop into a capable virtual platform for a few hundred dollars not counting the storage requirements for the servers and NAS.

I could choose a cheaper motherboard and processor. AMD offers great value for building a virtual platform. My choice is based on the availability of the Intel Smart Response Technology in the Z68 chipset. Theoretically, this will give me the option of adding an SSD to serve as a cache for the virtual server platform. I haven't been able to test this yet but it should allow the platform to cache commonly accessed data for faster access. This could be beneficial for the virtual server guests but it also adds flexibility for NAS or virtual desktops in the future.

I’ll layer on Microsoft Server 2012 using Hyper-V for the hypervisor. Why Hyper-V and not an alternative? I would like to have a better understanding of its capabilities. We use VMWare at work and I have a fair understanding of ESX. I’d like to be able to realistically compare the two platforms for future needs.

New Design
If I put all of this together into a design diagram it looks like this.

Final Home Network Design Diagram

Please keep in mind that this is a high-level design. It does not represent the actual implementation from a security perspective for security reasons. It is intended to provide a conceptual understanding from a network perspective with some security elements.

I expect this design to provide enhanced security, server platform capacity, acceptable server performance, network capacity for growth and a modular design for future life cycle refreshes of hardware and technologies. My goal is to build this for under $1,000 by repurposing some existing hardware and investing the money in technologies that will provide the most benefit. That should answer the questions on why I didn’t opt for a Synology NAS, a better Ivy Bridge processor or individual servers for various services. I expect value out of my investments and I think this is the best approach towards achieving my goals with an acceptable investment.

As I begin to build this solution I’ll provide additional updates on what works and how it performs. I’ll do my best to parse it out into posts that relate to the modular components of the design for reusability.

Should an Executive Order be Issued on Cybersecurity?

An executive order is not an act of leadership. An executive order is a directive that seems to be more commonly used to force an issue out of stalemate or bypass process. Leadership is creating a vision and helping others realize the value and purpose of that vision. Leadership is working with the other branches of the government (or organization) to identify a solution and plan to achieve the vision.

Dark Reading has an interesting article on what an executive order might mean to businesses. I can’t help but relate this to existing regulations such as HIPAA and PCI. These are checklists and that is how a number of organizations view these regulations. They have intent but they fail in execution. If you don’t believe that then I urge you to talk to any of the people who have had their data compromised from a PCI compliant organization. The failure is not the standards. The failure is the lack of knowledge and execution. In a nation where business is driven by growth and cost management, there is no incentive to do more than the average when it comes to information security.

Let’s examine a scenario to describe what I am talking about. Let’s say we need to be HIPAA, or whatever, compliant and we’re building a new website for customers to login and view their health record. We can probably handle the system build fairly well as this is standard operating procedure. We’ll harden the platform, firewall the systems, use SSL, encrypt the database, deploy intrusion detection, anti-virus and patch management systems. We’re probably doing fairly well right now. We could bring an auditor in and they could look at the design and do some system checks and cross everything off of their checklist. The problem is, all we have is infrastructure right now with no business functionality. To rectify that we’ll develop the website and some applications. So, the software development team produces some code. Did they do a security review on the code? Do they even have that expertise if they do? Are they trained in information security development techniques? Probably not but you could always outsource that function although it’s not required. We can always check the box on the audit by performing a web application security test at regular intervals. Oh, and by the way, the project sponsor wants to outsource a function within the website to a cloud vendor. Well, we’ll just encrypt the data we send to them and get the appropriate forms in place for liability protection. We’ll perform “due diligence” and move forward regardless of the gaps we find. In the end, we can integrate multiple isolated solutions and meet the requirements of a regulatory checklist. Is it really secure though? Are we protecting the people that trust in us to do so? On the battlefield they would refer to this situation as a cluster xxxx. Yet in business, this is actually a good situation. Not only did we get the product built but it’s compliant.

What’s the solution? That’s a broad topic that deserves more thought and attention. In summary, I don’t believe issuing an executive order is the appropriate approach for our long term goals. This is a complex topic that deserves time for thought, conflict, innovation and careful planning before decisions are made.

P.S. Here is another article from Senator Joseph Lieberman

SENATORS COLLINS, SNOWE, AND LUGAR TO WHITE HOUSE: REFRAIN FROM EXECUTIVE ORDER ON CYBERSECURITY

Washington, DC - U.S. Senators Susan Collins, Olympia J. Snowe, and Richard Lugar today sent a letter to the White House outlining their objections to a possible executive order on cybersecurity.

Senator Collins is the Ranking Member of the Homeland Security and Governmental Affairs Committee and one of the principal authors of comprehensive cybersecurity legislation.

The text of the letter follows.

October 10, 2012

The Honorable Barack Obama
President of the United States
The White House
1600 Pennsylvania Avenue, NW
Washington, DC 20500

Dear Mr. President:

As strong supporters of cybersecurity legislation, we are writing to urge you to refrain from issuing an Executive Order on this matter of national importance.  For the reasons outlined below, we believe that your issuing an Executive Order would be a mistake and we urge you to redouble your efforts to work with Congress to pass a cybersecurity bill.

The ramifications of a national cybersecurity policy for the public and private sectors are significant and deserve the transparency and legitimacy that can be achieved only through the legislative process. Moreover, an Executive Order could have the unintended consequence of undermining the need for Congress to act by lulling people into a false sense of security that the problem has been “solved” through executive action.

Only the legislative process can provide all of the tools, including clear protections from liability, necessary to incentivize voluntary participation to meet best practices and to protect companies that share cyber threat information with the government.  Only legislation can put in place the privacy protections that Americans expect from their government.  Only legislation can ensure that the cybersecurity policy endures from one Administration to the next and provide the long-term solutions needed to address the cyber threat.

As Members who have worked hard to advance cybersecurity legislation in the Senate, we believe the legislative process remains the best way to build lasting consensus on an issue that is vital to our national security and our economic prosperity.  We share your frustration that Congress has not yet completed its work on this legislation, but we remain committed to the legislative process and urge you to continue to work with Congress, rather than acting unilaterally through an Executive Order.

Sincerely,

Susan M. Collins
United States Senator

Richard G. Lugar
United States Senator

Olympia J. Snowe
United States Senator

IT Resource Management

There are a variety of methods and frameworks for resource management. Here is what I have found to work for my needs on internal resources. If you are working with contract resources or specific statements of work (SOW) then this would not be my recommended approach. However, if you have an internal pool of resources that you are looking to capture data on then this is worth a review.

Step 1 – Determine your resource types. There should be at least one resource type per resource manager. A resource manager would be the manager overseeing the pool of resources and managing their workload. This would be the development manager versus the systems engineering manager, as an example. You don’t want to get too detailed on this step. For example, you might not want to use job descriptions to define a resource type. Think of your reporting needs as this will be a filter you can apply to the data. If you’re not sure then start with one resource type per manager or group of resources. In a small shop you can just pool them all together. Assign a dollar value to your resource types per your market rate if you are looking for cost analysis. You can use the going contract rate for a fully loaded rate if you need someplace to start.

Step 2 – Define projects or operational categories. These would be your financial reporting categories. These categories will be used by your resource managers to project resource utilization. So, with that being said, you want categories where you can project resource utilization, but you don’t want too many, where your resource managers have to change 30 categories when priorities shift. Projects that require capital investment might be called out separately for financial reporting purposes. Example:

  • ADMIN TIME
  • MAINTENANCE (ENHANCEMENTS)
  • SUPPORT (BREAK-FIX)
  • PROJECT #1
  • PROJECT #2

Step 3 – Define sub-categories using your service catalog or business functions. These will be the categories that your staff report time on and that you use to determine the cost allocation for a business function. You want to find the fine line between categories the staff can understand and log time to versus business functions that you want to report cost allocations on. If you have an incident management or development ticketing system then these categories would correlate to the top level of the categories in that system. This would allow you to do detailed reporting on the causes of resource utilization. For example, if we had 2 FTE of resources logging data to the CRM category for a year then that might raise our attention. We could look in the ticketing system for a detailed analysis of what activities they were performing on what specific system (Salesforce.com?). Maybe we would want to evaluate a problem or consider a re-design. What you do not want is catch-all or generic categories. Staff will use these and the data integrity will suffer. Example categories:

  • CRM
  • Website
  • Financial
  • Desktop Computing
  • Mobile Communications
  • Network
  • Storage
  • Computing (server)

Now you have the three data variables to capture data:

  1. Resource type for resource management
  2. Financial categories for projections or allocations
  3. Business functionality for logging data

In this example the staff timesheet would look like this:

  • ADMIN TIME
  • MAINTENANCE (ENHANCEMENTS)
    • CRM
    • Website
    • Financial
    • Desktop Computing
    • Mobile Communications
    • Network
    • Storage
    • Computing (server)
  • SUPPORT (BREAK-FIX)
    • CRM
    • Website
    • Financial
    • Desktop Computing
    • Mobile Communications
    • Network
    • Storage
    • Computing (server)
  • PROJECT #1
  • PROJECT #2

Step 4 – Try to work at the resource type level to keep things easy, but sometimes it’s necessary to work at the individual level. Assign resource types or individuals to financial categories. Now you (think you) know where resources are spending some amount of their time.

Step 5 – Allocate (project) resources to the financial categories they are assigned to. Take a guess if you don’t know. Once you start collecting data you will have a baseline to work against.

Step 6 – Define the categories at a detailed level for staff to use as a resource for logging time. The goal should be to cut down on the “Where do I log this?” questions.

Don’t get too granular. Keep the categories to a reasonable level for both the resource managers and the staff. The more categories you have the more chance for the data to lose integrity.

What type of reporting can I get from this model?

  1. Variance against projections. See how well the resource managers are projecting utilization and how well actual utilization measures against plans.
  2. What business functions your staff are spending their time on.
  3. Variance and cost of support versus maintenance.
  4. Cost allocations by resource type.
  5. Under/over-utilized resource types.
  6. Bandwidth available for future workload.
  7. Cost of specific business functions.
  8. Indicators to prompt further analysis of specifics within a ticketing system.

This framework could be implemented in a PPM system or any type of tool that supports projects (categories) and sub-projects (sub-categories).

Audit Your Mobile Security Procedures

I recently performed an informal audit of a security procedure used to protect data on mobile devices in the event of theft of the device. What I found was a gap and potential liability.

The mobile device management (MDM) software in use is McAfee Enterprise Mobility Manager (EMM) connecting Apple iPhone/iPad devices to Microsoft Exchange. One of the security controls in place is the capability to wipe the device if the owner is no longer in possession of it. This “poison pill” function sends a command to the Apple cloud that the device will pick up the next time it connects to the carrier network. The device is cleaned of all data and restored to factory defaults. While there are many other controls that should be in place to protect the data on the device, this is a nice safety net control and what I will be focusing on.

My organization recently lost an iPhone (again) and the operations team executed the standard procedures for the scenario. However, with the most recent version of McAfee EMM they have introduced a selective wipe function in addition to the traditional full wipe. In this case the technician used the selective wipe function to clean the device. Selective wipe is also referred to as “Delete email and PIM data”. The McAfee EMM manual describes this functionality as:

Delete email and PIM data from iOS devices
Deleting email and PIM data (contacts and calendars) from a user’s device leaves software, profiles, and applications intact. For iOS4 devices with MDM enabled, deleting email and PIM data removes the Enterprise Activation profile, which contains the Exchange configuration and all email data. The MDM profile remains so the device can be fully wiped in the future. For iOS versions prior to iOS4, the Inbox folder name remains on the device, but all emails, email folders, contacts, and calendar data are deleted.

The result of the selective wipe command is the removal of corporate data from the device while leaving all user data on it. The selective wipe command is intended for BYOD (bring your own device) scenarios, where a user might want to connect their personal device to the corporate mail server. When they leave you want to remove the corporate data but leave their personal data intact. When we’re looking at a theft scenario, what is the role of the organization in protecting the individual’s data? It’s a bit of a gray area, but unless your policy explicitly states your position on the responsibility then you could be opening yourself up to liability that you had not intended, especially in the case where the device is issued by the organization. I’m not a lawyer, and don’t want to be, but I tend to focus more on security for the greater good in this scenario. A lawyer may disagree with that position (or any position as long as they get paid).

Think of the uses for mobile devices these days. Users have pictures, Gmail and application data on their phones. If I had access to your phone I might have access to your Facebook and Twitter accounts or pictures of your family with GPS coordinates of your house. There’s even the possibility I can gain access to your banking information, whether it’s via an installed application or your personal e-mail account where I can request a password change. In the event of loss or theft the default procedure should be to perform a full wipe with restoration to factory defaults. Selective wipe should be used only in specific scenarios.

Fortunately, a selective wipe leaves the MDM application on the device and does not modify the security policy. Therefore, if a password is enabled on the device it will remain and the device will still remain in contact with the Apple cloud and MDM commands. In this specific case, the gap was resolved within a couple of hours and a full wipe command was issued. In a debriefing with the user it was confirmed that they were reliant on all of the organizational security controls to protect their personal data as well as the corporate data. They were surprised to learn, and concerned, that the organization had only removed its data from the phone and left the personal data intact.

Lessons learned:

  1. Audit procedures to ensure they are being executed as stated
  2. Revisit procedures when systems are upgraded, provide training on new features
  3. Be explicit in documenting the security controls and policies
  4. Use Find My iPhone to track a missing Apple device
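The first lesson above, auditing that a procedure is executed as stated, can be made routine rather than a one-off discovery. Below is an added example (not code from the original post, and not McAfee EMM's own export format) that checks a constructed per-ticket action export for lost-device tickets where no full wipe was issued, or where the full wipe arrived later than an assumed one-hour window. The CSV layout, the ticket ids and the action names are all invented for the example.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export of MDM actions per lost-device ticket.
# This is an invented CSV layout for the example, not McAfee EMM's own log format.
SAMPLE_LOG = """\
ticket,timestamp,device,action
INC-101,2012-10-01T09:05,iphone-0421,lost_reported
INC-101,2012-10-01T09:20,iphone-0421,selective_wipe
INC-101,2012-10-01T11:10,iphone-0421,full_wipe
INC-102,2012-10-03T14:00,ipad-0077,lost_reported
INC-102,2012-10-03T14:12,ipad-0077,selective_wipe
INC-103,2012-10-05T08:30,iphone-0190,lost_reported
INC-103,2012-10-05T08:41,iphone-0190,full_wipe
INC-104,2012-10-06T17:00,iphone-0333,lost_reported
"""


def parse_log(text):
    """Group the export by ticket, each a time-ordered list of (timestamp, action)."""
    tickets = {}
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M")
        tickets.setdefault(row["ticket"], []).append((when, row["action"]))
    for events in tickets.values():
        events.sort()
    return tickets


def audit_wipes(text, max_delay=timedelta(hours=1)):
    """Check every lost-device ticket against the stated procedure: a full wipe
    issued within max_delay of the loss report. Returns {ticket: finding} where
    finding is one of 'ok', 'late_full_wipe', 'selective_only' or 'no_wipe'."""
    findings = {}
    for ticket, events in parse_log(text).items():
        reported = next((t for t, a in events if a == "lost_reported"), None)
        full = next((t for t, a in events if a == "full_wipe"), None)
        selective = any(a == "selective_wipe" for _, a in events)
        if full is None:
            # A selective wipe alone leaves the user's personal data on the device.
            findings[ticket] = "selective_only" if selective else "no_wipe"
        elif reported is not None and full - reported > max_delay:
            findings[ticket] = "late_full_wipe"
        else:
            findings[ticket] = "ok"
    return findings


if __name__ == "__main__":
    for ticket, finding in sorted(audit_wipes(SAMPLE_LOG).items()):
        print(f"{ticket}: {finding}")
```

Run against a real export, the interesting rows are the tickets that are not "ok": each one is either a procedure that was not followed or a procedure that nobody updated when the selective wipe feature arrived.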

Why Doesn’t Anyone Else Understand How Important Our Backups Are?

You want to upgrade your backup solution but can’t get your senior team or CIO to understand why it’s important to fund an upgrade of the backup solution. You keep asking yourself, why doesn’t anyone else understand how important our backups are? Maybe you’re asking the wrong question. Maybe the question should be, does my senior team/CIO understand the current risk associated with recovering services? After that question is answered we can ask, do we need to adjust the risk associated to recovering these services?

Most C-level executives don’t have the time to understand the existing backup solution and why it’s working or not working. They want to know that a system or data set can be recovered within a specified period of time. They view this as risk and you need to speak to them in their terms. However, they may need to learn some terms as well if they are not already familiar with them. Recovery risk should be defined by mean time to recovery, or MTTR, and recovery point objective, or RPO.

MTTR can be defined as the average period of elapsed time to recover an asset to a functional state. I use the term asset because you need to define what you are applying the risk to. We can apply it to a service, a server system or a data set generally speaking. So, if our e-mail server crashes and it takes us 1 day to restore the system to backup hardware then our MTTR is 1 day. Obviously, testing this recovery procedure throughout the course of a year is an effective way to measure compliance with stated MTTR.

RPO can be defined as the maximum tolerable period in which data may be lost due to an event such as a failure of a computing system or a disaster. I’m not going to go by the books and I’ll take some shortcuts here for those of you that are BCP/DRP experts, for the purpose of this being a blog and not a study manual. Let’s say we perform weekly full backups on Sunday of our systems and data. If that’s the case and we have a system failure of the e-mail server during the backup job then we’ll need to recover using the previous weekly tape. Hopefully, we have daily differentials available for recovery, but let’s say only our full backups go off-site. If this were a disaster then we would only have our full backup available to us. The daily diffs would be unavailable due to the disaster. Therefore, our recovery point or data loss is one week.

Now we know that it takes us 1 day to recover our e-mail server and we lose 1 week of data on the system. Is this acceptable? For most organizations I would guess it is not. So, we ask, what should our RPO and MTTR (or RTO, recovery time objective) be for this service/system? The question we must be prepared to answer is what the cost thresholds are as we adjust the RPO/MTTR (RTO). Can we just increase the frequency of off-site full backups to mitigate the risk and meet our objectives? What is the impact to maintenance windows and service downtime if we do this? Do we need to swap out our backup solution to meet our objectives? At least we can have a conversation now, but it’s important to have recovery point and time objectives defined for business services. It’s also important to have the business owner of that service aware of and accepting the risk associated to the service. They can then be an ally in helping justify the costs of a change.

Maybe the investment in disk based storage with inter-datacenter replication is worth the reduction in risk it would offer across our service portfolio. On the other hand, maybe e-mail is our only service with strict risk requirements. If that’s the case then we need to take a look at this from a different perspective. I want to reduce my MTTR and RPO for e-mail but I don’t really want to invest in a new backup solution. Our existing solution is perfectly fine for all of our Active Directory and website servers but e-mail is critical for us to do business. Then we can just look at the architecture of the specific service. Maybe this is an opportunity to implement an Exchange DAG or outsource to Office 365 for e-mail hosting. We get to leverage the scalability and availability of a provider network and reduce our risk at the same time. Maybe it’s not what you would prefer to do but at the end of the day it’s a business service and not a server or technology system.

What I’m really attempting to walk through here is the thought process and communication necessary to think about change through the use of risk as a driver. If you research RPO, RTO, MTTR and BCP/DRP you will find these are much more complicated topics than I cover here.
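The Sunday-full-backup scenario above can be worked through with a small model, which makes the gap between "data loss on a normal failure" and "data loss in a disaster" concrete. The following is an added example, not code from the original post; the backup schedule (weekly full completing Sunday 06:00 and shipped off-site, daily differentials completing 02:00 and kept on-site only), the failure time and the recovery drill durations are all constructed for illustration. It goes slightly beyond the post in that a differential is only counted when its base full is also available, and a job still running at the moment of failure is not counted at all.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    kind: str            # "full" or "diff"
    completed: datetime  # when the job finished, i.e. when the copy became usable
    offsite: bool        # whether a copy exists outside the primary site


def weekly_schedule(first_sunday, weeks):
    """Constructed schedule: a full backup completing each Sunday at 06:00 that is
    shipped off-site, plus on-site-only daily differentials completing at 02:00."""
    backups = []
    for w in range(weeks):
        sunday = first_sunday + timedelta(weeks=w)
        backups.append(Backup("full", sunday.replace(hour=6), offsite=True))
        for day in range(1, 7):
            diff_day = sunday + timedelta(days=day)
            backups.append(Backup("diff", diff_day.replace(hour=2), offsite=False))
    return backups


def recovery_point(backups, failure_time, disaster=False):
    """Newest point in time we can restore to. A job still running at the failure is
    unusable, a differential needs its base full, and in a disaster only off-site
    copies count. Returns None if no usable full exists."""
    usable = [b for b in backups
              if b.completed <= failure_time and (b.offsite or not disaster)]
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        return None
    base = max(fulls, key=lambda b: b.completed)
    diffs = [b for b in usable if b.kind == "diff" and b.completed > base.completed]
    newest = max(diffs, key=lambda b: b.completed) if diffs else base
    return newest.completed


def data_loss(backups, failure_time, disaster=False):
    """Elapsed time between the recovery point and the failure: the data actually lost."""
    point = recovery_point(backups, failure_time, disaster)
    return None if point is None else failure_time - point


def mttr(recovery_durations):
    """Average of measured recovery times (from restore drills or real incidents)."""
    return sum(recovery_durations, timedelta()) / len(recovery_durations)


def meets_objectives(loss, recovery_time, rpo, rto):
    """True when measured loss and recovery time are within the agreed objectives."""
    return loss is not None and loss <= rpo and recovery_time <= rto


def hours(delta):
    return delta.total_seconds() / 3600


def example_scenario():
    """The post's scenario: the e-mail server fails Sunday 03:00 while the weekly
    full backup is still running. Drill durations are constructed sample values."""
    backups = weekly_schedule(datetime(2012, 10, 7), weeks=2)   # 2012-10-07 is a Sunday
    failure = datetime(2012, 10, 14, 3, 0)
    drills = [timedelta(hours=20), timedelta(hours=28), timedelta(hours=24)]
    local_loss = data_loss(backups, failure)
    disaster_loss = data_loss(backups, failure, disaster=True)
    avg_recovery = mttr(drills)
    return {
        "loss_hours_local": hours(local_loss),          # newest on-site diff is Saturday 02:00
        "loss_hours_disaster": hours(disaster_loss),    # only last Sunday's full is off-site
        "mttr_hours": hours(avg_recovery),
        "disaster_within_1day_rpo": meets_objectives(
            disaster_loss, avg_recovery, rpo=timedelta(days=1), rto=timedelta(days=1)),
    }


if __name__ == "__main__":
    for name, value in example_scenario().items():
        print(f"{name}: {value}")
```

The useful part is the last key: a one-day RPO is met on an ordinary hardware failure (the on-site differentials carry us to Saturday) and missed by almost a week in a disaster, which is exactly the conversation the post says you need to have with the service owner before deciding whether more frequent off-site fulls or a different architecture is the right fix.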