2008 July

My employer Snow

On July 31, 2008, In Technical, by Remko

Recently my employer switched offices, from the “smaller” office in Waardenburg, we transfered to a bigger office in Geldermalsen. This office is very surely large enough to accompany the growth that Snow is currently facing. As a member of the team (for almost 2 years now) I am happy that we can grow this well in these times and that we have this very nice new building! If you are ever in doubt over your employer and are experienced with Unix systems, consider contacting them

Apart from that: I also feel very thankful to the snow team. Now that I am looking for a home to live in with Denise and Luca, they are helping me the best I can, almost if it were a family. The Snow team very actively helps were possible and I like that a lot, I have never ever seen that with other companies. It makes me that I still wear my Snow clothing with pride!

Thanks Snow for all the things that we have been through together so far! Did I already mention that if you need an employer you should checkout Snow?

Weekend

On July 27, 2008, In FreeBSD, Technical, Weblog, by Remko

So, I had been very productive this weekend, not as productive as I hoped to be for FreeBSD (merging some changes that I had made recently for example) but productive nevertheless. We went to Plaswijckpark on friday with Luca, who had a very nice day there (and so did we). It was good to see him again and Denise as well ofcourse .

On saturday I started translating the Jail chapter and the FAQ (in parallel), which I inserted into the perforce repository, so have a look if you are interested, note that it’s very much work in progress!

Later that day I went to the cinema with Denise, The Strangers is a very nice horror movie!, I enjoyed being with Denise again and spending time together , oh and we are ofcourse still looking for our perfect house to start living together

After doing that I noticed an update from Rene Ladan who finalized the Virtualization chapter! Brilliant work! I checked it, and imported it into the FreeBSD Repository as well as updated the local perforce branches with it.

On sunday I watched Saw 4 with my dad, and bicycled towards the office I am currently working at to see how far that would be. It’s bit too far to bicycle every day, or actually it costs too much time to get there , but it was an impressive thing to do as a non-biker for soo long. I got around 24km/hr according to Robert.

After that I vacuum cleaned the car and continued working on some projects, now it’s getting dark while I am writing this blog entry..

I enjoyed this weekend, thanks to technology and ofcourse (the most important) Luca and Denise!

Multiple languages / Meerdere talen

On July 26, 2008, In Technical, by Remko

Tom Scholten informed me about how he did his multiple languages within Wordpress. He told me how he did it, but at first I messed up because of the broken lang_rewrite option. I had set this option to false after Tom advised me to do so, and now it works like a charm. I have multiple language support now!

FAQ Translation started

On July 26, 2008, In FreeBSD, Technical, by Remko

So, I picked up a lot of changes through Gabor Pali (pgj@) for the FAQ, and decided that I could easily start the initial translation. Most of the content so far is very readable and translatable (which isn’t always the case for the regular handbook, see for example the MAC chapter and the Audit ones, which I am trying to finish for the Dutch Project as well), and probably I’ll have a look at the jails chapter soon as well. Beyond that Rene is helping a lot with translations, which gives me a good feeling about being able to finalize the entire handbook at some point.

Back to the FAQ, I started the translation, and I progress not that fast, but fast enough to find it nice to do. I am now sitting in the sun translating the stuff, which is awesome if one can do this .

More updates will ofcourse follow..

The new FreeBSD Core Team

On July 18, 2008, In Weblog, by Remko

After persuing a position in the FreeBSD Core Team, we received the results of the election last night, here are the results:

New Core Team
=============
Robert Watson (172)
Peter Wemm (160)
Kris Kennaway (157)
Murray Stokely (134)
George V. Neville-Neil (126)
Brooks Davis (116)
Wilko Bulte (114)
Hiroki Sato (111)
Giorgos Keramidas (91)

Runners Up
==========
Julian Elischer (80)
Marcel Moolenaar (77)
Doug Rabson (75)
Remko Lodder (62)
David E. O’Brien (57)
Alfred Perlstein (48)
Jack F Vogel (18)
Juli Mallett (12)

As one can see, I didn’t make it, but (!) I am proud to see that we have such a strong team for the core-team. Congratulations all current members and thanks Warner and Wes for their efforts in the past time.

CCSE

On July 16, 2008, In Technical, Weblog, by Remko

Today I did the CCSE exam in Zoetermeer, this is the second exam you can do for checkpoint. After preparing it for around two months (in which time I went on holiday to Tunesia, been on business trip to Canada, had a weekend-holiday with Snow in Texel, searching for and arranging side-paths for a house which we are looking for, so basically study time was ~2 weeks) and spending a weekend and yesterday mainly to learn for the exam, it was time to do it.

I passed with a score of 85% (70% was required); so I didn’t do that bad. I got all kind of enthoustic responses from Snow, and I got a lot of text messages from my current assignment. Thanks folks! It’s appreciated!

Onward to CISSP (the materials seem boring so far) and Juniper (Which I am preparing already as next candidate) (also a dual track, the initial one, and the second level one), and then Cisco (if possible) and if then still possible, the BSDP (second level BSD certification) so that I have broad knowledge in multiple regions of the activities that Snow is offering .

The guide to a succesfull migration

On July 15, 2008, In Technical, Weblog, by Remko

Today at work I did a very succesfull migration from one machine to another pair of machines. I cannot say the details (ofcourse); but it went very well. All we had to do is pull out the old cables, unshut some network interfaces and plugin 2 detached cables (Additional security measure from us). So what lead to this succesfull migration?

Actually, it’s very simple. We planned the things properly. Ofcourse the company wanted to have it sooner, but hardware materials were not shipped on time, and we needed to do some additional testing before we could deploy this.

Because of that, I had more time then anticipated, so I did a “major” inventory, cleaned up old machines, network cables and stuff like that. That was the first big bullet that you should do. Before migrating anything, cleanup the old environment, so that it’s easier to get an overview.

Next thing I did was do an inventory on the switches that were used to connect the “old” facilities. After getting clear what all was running where and how, it was a simple step to reproduce a couple of networks on the new switches, connect up the old switches and the new ones, and have working switching connectivity. (First time I properly did a stack btw).

So, now we created space (overview by removing old unused stuff), and we did an inventory on the network to learn how that works and what was available and what not.

Next thing we did is bring in all the new goodies. While we put them in the racks, we made sure we had space left to glide cables were needed and things like that. So this is a next item, after cleaning up and knowing what lies in front of you, insert the machines, but keep cabling etc in mind, do not stick machines together, but leave a bit of space, it’s for cooling and cables!

So, after bringing in the goodies and powering them up, we had a couple of switches and some other material hanging around. OK next on this list, decide how we are going to cable the machines on the new switches and how we are going to cope with the cables. It’s important that you know upfront how you are going to do it. I had a basic idea in my head, and was very sure on how to approach the cabling thing (Robert from Snow learned me a couple of things on how cables should flow when binding them together). We placed the cables, and nicely made a couple of bundles (one going down, one returning back up, bundling the binding in the cables so that it had a nice half-round shape instead of being smashed together) and supported them on the side of the rack. Afterwards we put in some more cable gliders, now it’s really neath!

So the machines hang, ofcourse I configured them to be on the management network, and I cabled everything. Lets see whether we can reach them. Jip we could (ofcourse, we knew upfront what we were about to do!).

The next step I cheated myself and already did this with the machines in the test-lab, but in case you didn’t have that luxury, now is the time to easily configure the device and copy over the old settings from the old machine(s) where needed and improving them or doing them better (within the bounds of your project).

One or two days prior to the change, you should familiarize yourself with the goals, try to get someone else involved and look at the steps together. You have them in your head, but that’s not enough. Discuss the points with a collegue and write them down. Make sure you generate a worksheet from it. That way you know exactly what to do during migration and what is left and what not.

We did that today, (the final part) and we might have even broken a record with it. We were very quickly and had good grip on the cases. We didn’t see any problems afterwards so far, so I think the migration had succeeded very well.

One other thing I did throughout the migration is invite different people to help. The current team I am in, has 5 working people. I used them all to help me carry the machines, cables, attach them etc. Everyone now has feelings with the machines. They know which machines we are talking about, they all did something to help making this migration go smoothly. Ofcourse it could have been done without them, but it’s an team effort to make it happen, so use the people from the team to get a platform to build upon. (yes I realise that it’s not always possible to do it like this in the various environments).

Hopefully this helps you to do magic like we did today

Securing your DNS Server

On July 13, 2008, In FreeBSD, Technical, Weblog, by Remko

While most people think that Securing your DNS server is practically impossible, I want to give a few hints and tricks to make sure that it’s possible to mitigate problems from DNS to your local server.

This setup should actually be followed by everyone that cares about his DNS Server!

There are a few options to protect your DNS server as much as possible.

Split your DNS servers. The internal networks is most likely to do remote queries, the external network probably only serves your internet zone’s. Why have them in one instance? Split the machines where possible, or create different views, so that the internal people can only recurse and the external people can only lookup the domains you host. (SPLIT-DNS)
Add ACL’s and limit recursion; if you cannot do the above, you should try the best as possible to limit the amount of people that can use your DNS server to do remote lookups. Is it really necessary that joe-next-door uses your dns server to visit www.triplexdomain.com ? ISP’s are here to service these DNS queries for him
an Example of an ACL in named:

acl your-acl-name { 10.0.0.0/8; };

This matches any host in the 10/8 network.

Limiting recursion through the ACL

Add the following to the options {}; statement in named.conf:

recursion yes;
allow-recursion { your-acl-name; };

Do note the semicolons and the brackets!
Use random query ports. Whilst in the past people had been using static ports for doing remote DNS queries, to make it easily go through firewalls, that’s no longer an option. Recently ISC and CERT announced advisory’s to address static-query-ports. It makes you very vulnerable to be spoofed, and could mean that secure.yourimportantbusiness.com suddenly points to my evil.notsoimportanthost.com so that I can trick your users into submitting their data on my machine, which I can then use to do very nasty things (like having a free holiday to the bahama’s, I like it already!).
In this case one should point out a DNS server, and tell that it can do queries from port 53 and >1024, I have been using this setup for ages, and I do know that a lot of larger companies also have similiar rules in their external firewalls. This allows the DNS server to pick a lot of random ports to do queries from.

If you use a recursive DNS (because you are an ISP); then consider using only SSH and BIND on the machine (or whatever product you use). The machine does not need to be firewalled at all then , as long as you disable any unused applications. One could ofcourse filter away the SSH login, but having a stateful filter before a large DNS is just asking for problems (thanks Bjoern and Doug for this information!).
Use DNS-SEC where possible. Currently not many TLD’s support this, but if there is the possibility, you can add a security layer by using it. Ofcourse this does not prevent it forever, but it makes it again harder to do. And security is all about making the barrier too high to try (if the barrier is low, one will try, if it requires too much time or money, people will not do it that easily, though there is always someone that is willing to put in the required resources, keep that in mind).
Always use the latest available version from your vendor where possible. It’s sometimes a pain in your royal behind’s to update the services you host. But do realise that mostly by running the latest (stable) release from your vendor, you can close many known holes. Yet it leaves you open for things not yet found ofcourse (but isn’t that always the case): do plan these kind of actions and make sure you test such a setup first, or keeping the “old” machine alive till you are confident that everything works. You do not want to explain to some high-ranking boss that you didn’t test, or that you cannot return to the old situation. (Something I learned to do is; install a new machine, and it’s applications. Test whether the basic things that you expect it to do; still work. Unplug (yes do not power off!) the old machine and plugin the new one. If you worked through it for XX days, then you can backup the old machine (make sure you test the backup before really turning off the machine!) and turn it off.
Ofcourse managers and people around you will complain that it will require a lot of resources; properly planning things will demand tme and money etc. But you can easily counter that by telling your boss or manager that in case something does go wrong, the damage is most likely higher. Point at your risk-index numbers that you periodically create (right!?) to show what kind of risk is involved.

The above are ofcourse a couple of open-doors, though we (Security People) see enough in the real world to know that the above isn’t followed most of the time. Most bigger companies have the resources etc to properly do this, and some indeed use this to do the new setup, but many many many smaller companies are not using these kind of things at all, because it costs too much money. Please try to openly discuss these things with your company if you hit this. You are better off in the end if you properly discussed this, got a “no” anyway, and then things go wrong.

Hopefully the above helps a bit. I wrote this information stream based upon the latest CERT advisory for BIND, and having a few discussions here and there on the FreeBSD-Security Lists. Thanks Doug Barton, Bjoern A Zeeb to give me some thoughts about this (they might not be aware of this yet).

Studying

On July 12, 2008, In Weblog, by Remko

Here I am again, studying. I am sitting in the garden while writing this. I just texted Denise and Luca that learning goes very well today (having a mini-break at the moment), I think the sun and being outside does miracles.

I vacuumcleaned the upperfloor, and entirely cleaned up my room, or at least wrt. dust and stuff like that. I also found some lost cables (in the shed, so dreaded easy to find, I wonder why my dad overlooked them) and I did a whole lot of studying so far.

What am I actually studying? I am actively studying Checkpoint NGX at the moment to make sure that I can pass my CCSE. I have a good understanding of how things practically work, but I also need to know the theoretic style (I’d prefer cisco alike stuff where you need to demonstrate your knowledge) . That is going fine so far! I downloaded the smartconsole, which I have access to, so that I can play in demo mode, without needing to have any resources available. I downloaded the documentation bundles, which I have access to as well, so that I can review them as well.

And beyond that, I am sitting in the sun, with a nice glass of cold Hoegaarden whitebeer, studying for my upcoming exams. What more does a techy want? (Well, ofcourse that his girlfriend and their kid are here, but we will sort that out as soon as possible )…

Back to the studyboard!

Volunteer projects – FreeBSD

On July 10, 2008, In FreeBSD, Weblog, by Remko

As people most likely already found out, there is a problem with DNS, and there was already a problem for some extensive time with DNS. There is the possibility to spoof the reply’s returning from a DNS server.

Beyond that, some discussion was raised last night with regard to the responsiveness of the FreeBSD Security Team.

The FreeBSD Security Team is a team of people, that were picked from a volunteer pool out of the FreeBSD Development Community. These volunteers, analyse, patch and create an advisory for incoming security problems. The latter is only done ofcourse after verifying that it is really a security problem.

The moment the FreeBSD Security Team enters an advisory stage, a lot of time investment is required. Which we ofcourse do not mind but it’s something that should be emphasized. For example, patches need to be generated, tested etc. Then after that the FreeBSD-Update builds have to be started and in parallel we also write the advisory.

The advisory is proof-read by multiple people, and the FreeBSD-Update process takes time to deliver the required patches. Because of that we need a little time to do the job right.

We also want to take the time, the moment something comes in, we properly need to evaluate the incoming items, and see whether it would harm the -RELEASE branches or not. Our -RELEASE branches are not something we would like to mess with if it generates a regression. We try to prevent that or emphasize that this will be the case after a required update.

Now, for my official blog entry subject: what does that have to do with a volunteer job?

I hope that it’s easy to guess at this stage. We are all volunteers, that we do the job in our spare time, outside of our regular working hours and social life. We only have a few hours per day in which we can do things. We are geographically spread, so in case of an issue there is a small timeframe we can work together, but that could take a little to get aligned properly. We also have to feed our kids, make sure we generate money to keep on living. And we need to be socially active, not only for FreeBSD, but also for our wives and kids. That all just takes tremendous amounts of time. A part of that is put into the FreeBSD Project by us, the volunteers.

Sometimes, people start crying out loud that they need something NOW because THEY want it NOW. That is a bit unfair; they do not realise that we need to invest our precious spare-time in it, and a
re happy to do so, but that sometimes things can take some time. They start ranting that everyone else has already the fixes in place, that they did it very quick etc. That’s all fine, but most of those vendors have paid people working on these things. No wonder they can quickly respond to such a thing. We do not have that.

Instead of ranting around and demanding OUR -FREE- Time, it could be beneficial to have a couple of people around that are payed to keep an eye out for these things, on a structural basis. That will cost a lot of money, because people are not for free. They also need to be on guard all the time, so it’s a full time job. Costing a lot of money. The moment thigs comes in play, most people hook-off the challenge and remain quiet, only to start ranting again the next time when something (insert your favorite ‘requirement’ here) occurs.

When you counter those people and ask them to paint your entire hous in their freetime, they get angry and tell you that they are not idiots and that you are not entitled to demand this time from that. But it’s exactly the same thing as they demand from us, the volunteers.

The above hopefully makes clear that we try to do our best whenever possible but that it’s not always possible to respond as quickly as possible to anything that comes in. We feel responsible for the tree that we maintain and are willing to do our best for that. But every now and then, people are on holiday, not in, sick, busy with other things, and we have to respect that as long as we do not have a paid staff that can work on these items.

Please, try to understand that this is just common life for a volunteer. It’s OK to disagree on something, but it’s very selfish to demand something from a volunteer if you are not willing to put something in yourself as well.

If you have a suggestion on how we can improve this, with YOUR support included. Give me or the FreeBSD Foundation a poke, I am sure there are ways to get things done, as long as it’s feasible to spend our precious time on, or when paid to do the things people want the payed person to do.

But do remember that in case you are not willing to put something in, your demands are shouts in the space and are likely to be ignored. Just a fact of life.

Thanks for taking the time to read this!

BTW: I’ll be giving a talk about my life as a volunteer in December in Utrecht. The NLUUG/NLGG is doing a Linux/BSD day then, if you are able to visit this. Please do so.

Evilcoder.org