pfSense – The Ultimate Free Firewall

If anyone is looking for an alternative firewall for their home, office, small / medium sized business or enterprise, I may have something in store for you. I have been using pfSense, a BSD based firewall, at home for about a year and a half. Well, I was using M0n0wall for about 6 months of that, but pfSense is based on M0n0wall so maybe I didn’t lie. Oh well. You can check it out at .

Please take some time to mull over all the features that the BSD based firewall offers for FREE. Unlike a Cisco or Fortigate, you don’t have to pay for the extras that actually make the thing functional. This is one of the best open source firewall solutions on the market, the best in my opinion, but well, that’s my opinion. Take a look for yourself. The website has some tutorials on how to set things up and get you going; however, any computer-savvy home user could set this up without too much fuss.

Hardware-wise, the firewall doesn’t require much of a system to run. I would recommend a PIII 500MHz with 256Mb of memory and 2 NICs to get started. The server/firewall can actually boot and run from the bootable CD, then store its configuration on a floppy if you wish; however, some of the cool additional features cannot be installed that way to make this thing really bad ass. Just install it to a hard disk, something small like a 6Gb drive. It could also be installed on a solid state disk if you have the time and money. Anywho, once you get the hardware, pop in the CD and floppy and get the thing to a basic config; you will have to tell it which interface is which NIC. So the outside interface goes to NIC fx0 and the inside interface goes to fx1 or something. You’ll figure it out. After you have an IP address on the box you can web into it and configure the rest from there. A few features that are worth mentioning would be:

Failover/Load Balancing
Stateful Packet Filtering
QoS / Traffic Shaping
Captive Portal
Wireless LAN Support
FreeRADIUS
IPSec Tunnel Support
OpenVPN Support
Traffic Graphing with RRD Graphs
Real Time Graphing
and many more…

Please, please, please take a look at this package and give it a try. I know pretty much everybody has an extra computer laying around that they could put this on. If not, let me know and I’ll try to source you one. At work, a colleague of mine and I are working to get these into the production network and possibly offer it as a line of service for our clients. More on what I do and this project later. Enjoy.


Backup Strategies

In my line of business, I often have to install, set up, and maintain backup services for clients on a wide array of hardware and software. In today’s post, I’ll discuss the PROs/CONs of doing different types of backup strategies.

Daily Full-

Ok, basically this backup strategy is nothing more than backing up all of your data on a daily basis. Depending on how long you want to keep your data around, you would need a very large number of tapes to pull this off effectively. For a 7 day data retention policy, for example, you would need a total of 7 tapes, each rotating in on its day of the week.

PROs: Easy to setup, easy to troubleshoot, ensures that you always have the data that you need in one of your backup tapes.

CONs: Backup Time, more read/write time on tapes and drive, inefficient

Recommendation: Great for small businesses with single tape drives, however, requires user intervention on a daily basis to be effective.

Weekly Full / Daily Incremental-

This strategy in a nutshell requires you to do exactly what it says: back up your data in full on a weekly basis, then follow that with an incremental (data that has changed since the last full or incremental backup). This strategy allows you to run the most time-consuming portion of your backup on a day or weekend when you are not pressed to get the backup finished by a specific time. Depending on your specific storage needs, you can get an entire week’s backup on two tapes: one tape for your full backup, then another for your daily incremental backups. This can be crafted into a pretty good solution for archiving your data backups or keeping a specific retention policy.

PROs: Easy to set up, cheap (fewer tapes required), less time required for the daily incremental backups.

CONs: Restores require the last full backup and all incremental backups since it; not having to change tapes every day could make you lazy.

Recommendations: This backup (in my opinion) is great for just about any size of network or business. The best thing about going this route is you can have as little as one tape or as many as your little heart desires (as long as your data fits).

Weekly Full / Daily Differential-

This method is pretty much the same as the previous, except for the main difference between incremental and differential backups. In a differential setup, you have your full backup, then a backup of everything that has changed since your last full backup. This is different from an incremental. For example: full backup on Saturday/Sunday, then daily differential backups throughout the week. On Monday, the backup would be exactly the same as in the incremental, but on Tuesday the backup would include everything that changed on Monday and Tuesday since your last full backup on Saturday/Sunday. This trend continues throughout the week, which yes, does increase the size of your backups as the week goes on, but your restore only requires the full and the one differential that has the version of the file you would like to restore. The backup retention policy is just as easy to set up and follow as the incremental setup.

PROs: Easy to set up, requires fewer tapes than daily fulls, faster than daily fulls, easy to recover data.

CONs: Recovery is still not as quick as a daily full.

Recommendations: I actually prefer this backup method over the previous two because you get all the benefits of a full backup (well, most of them) and really none of the downfalls.
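To make the restore-chain and backup-size difference between the incremental and differential strategies above concrete, here is a small simulation. This is added example code, not part of the original post; the file names, sizes and day-by-day changes are constructed sample data.

```python
# Constructed sample: day 0 is the weekend full backup; days 1-5 (Mon-Fri) list the
# files that changed that day with their new size in MB. Hypothetical names and sizes.
FULL = {"payroll.xls": 20, "db.mdb": 300, "notes.doc": 5, "report.pdf": 40, "os.img": 4000}
WEEK_CHANGES = {
    1: {"payroll.xls": 20},
    2: {"payroll.xls": 20, "db.mdb": 300},
    3: {"notes.doc": 5},
    4: {"db.mdb": 320},
    5: {"notes.doc": 6, "report.pdf": 40},
}


def plan(strategy):
    """Return [(day, backup_set)], where backup_set maps file -> size written that day."""
    sets = [(0, dict(FULL))]
    changed_since_full = {}
    for day in range(1, 6):
        changes = WEEK_CHANGES[day]
        if strategy == "incremental":
            # Only what changed since the previous backup of any kind.
            sets.append((day, dict(changes)))
        elif strategy == "differential":
            # Everything that changed since the last full, so the set grows all week.
            changed_since_full.update(changes)
            sets.append((day, dict(changed_since_full)))
        else:
            raise ValueError(f"unknown strategy: {strategy}")
    return sets


def tapes_to_restore(strategy, day):
    """Backup sets (by day) that must be mounted to rebuild the data as of `day`."""
    if strategy == "incremental":
        return list(range(0, day + 1))      # full + every incremental up to that day
    return [0, day] if day else [0]         # full + just that day's differential


def restore(strategy, day):
    """Replay the required sets in order and return the reconstructed file -> size map."""
    sets = dict(plan(strategy))
    data = {}
    for d in tapes_to_restore(strategy, day):
        data.update(sets[d])
    return data


def daily_sizes(strategy):
    """Total MB written to tape on each day of the week for the given strategy."""
    return [sum(s.values()) for _, s in plan(strategy)]
```

Both strategies restore to identical data; the trade-off is that the differential writes more each day while needing only two tapes at restore time.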

Disk to Disk to Tape-

For seriously large networks, or just big backups, this solution has a lot of value in it. What it gives you is more read/write time for your tape backups. For example: do your initial backup using any of the three backup strategies mentioned before, but instead of writing to tape, write to another drive array; then, when that backup is finished, you have the next 24 hours to complete your backup-to-tape cycle. Now obviously you would need a very large amount of data to get the full benefit out of this, as it will be a little more expensive due to the extra space needed.

PROs: Allows plenty of time to back up any amount of data, ensures that you have at least the last day’s backup on disk for quick and easy recovery.

CONs: Greatly increases cost (extra large drive array needed for disk backup), increases complexity of backup and recovery solution, in most cases requires extra licensing through backup vendor.

Recommendation: This last backup strategy is really my top choice, but because of its CONs, namely the cost, it is usually out of the question. However, I would recommend that you at least consider this plan if you are backing up more data than your current tape system can handle in the time you have available.

I hope you read this and take something from it that may be of value, at least consider the possibility that your current solution is not perfect and look for ways to improve it.


Cisco vs. Extreme Networks Switching Commands

Don’t get your hopes up, I’m not taking sides here. I just wanted to show how the companies differ in basic switch configuration. For those of you who don’t know who Extreme is, they are the purple ones, better known as Extreme Networks. They offer some pretty nice products that compete very well with the likes of Cisco or HP. Feel free to check out their product line at

Configuring VLANs:

Extreme – Create 2 VLANs and basic configuration

create vlan data
configure vlan data tag 2
configure vlan data ipaddress
create vlan voice
configure vlan voice tag 3
configure vlan voice ipaddress
enable ipforwarding

Cisco – Create 2 VLAN interfaces and basic configuration

vlan database
vlan 2 name data
vlan 3 name voice
exit
configure terminal
interface vlan 2
ip address
no shutdown
interface vlan 3
ip address
no shutdown

Port Configuration

Extreme

-switch to pc on (vlan 2)
configure vlan data add port 4 untagged
-switch to phone (vlan 3) and PC (vlan 2)
configure vlan voice add port 4 tagged
configure vlan data add port 4 untagged
-switch to phone (vlan 3)
configure vlan voice add port 4 tagged
-switch to switch
configure vlan default add port 1 tagged
configure vlan data add port 1 tagged
configure vlan voice add port 1 tagged

Cisco (skipping configure terminal)

-switch to pc on (vlan 2)
interface g0/4
switchport mode access
switchport access vlan 2
-switch to phone (vlan 3) and PC (vlan 2)
interface g0/4
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 2
-switch to phone (vlan 3)
interface g0/4
switchport trunk encapsulation dot1q
switchport mode trunk
-switch to switch
interface g0/4
switchport trunk encapsulation dot1q
switchport mode trunk

Show Commands

Extreme – show port 4 information detail
Cisco – show interface g0/4
Extreme – show iproute
Cisco – show ip route
Extreme – show edp port all
Cisco – show cdp neigh
Extreme – show vlan
Cisco – show vlan
Extreme – show fdb
Cisco – show mac-address-table
Extreme – show config
Cisco – show run

Saving your work

Extreme – save
Cisco – write memory
Extreme – upload configuration vr vr-default
Cisco – copy start tftp

Starting over

Extreme – unconfigure switch all
Cisco – write erase


Better DNS Service

Today I would like to take a moment and tell you about a FREE service that does more than just DNS for you. This service can be utilized by a single user or an entire data center. OpenDNS is a website that allows you to utilize its services by adding them as your primary/secondary DNS servers or as a forwarder for your larger networks. OpenDNS offers a Safer, Faster, Smarter and More Reliable DNS Service.

Ok, now for what the service really does. Taken from OpenDNS’ website:


Phishing Protection: OpenDNS can identify and stop sites trying to phish (steal) your personal information or money. The OpenDNS phishing protection works with all operating systems and browsers, complementing any other security measures already in use.

Adult Site Blocking: OpenDNS lets you block adult websites from loading, by category, for free. All sites blocked are human-reviewed by the experienced iGuard team at St. Bernard Software.

Domain Blocking: OpenDNS also lets you block specific websites from loading. This helps you protect the people using your computer or network from visiting specific websites. We give you the control to decide what gets blocked and what doesn’t.


DNS is used every time you use the Internet, for the web, email, and more. You want DNS to be blazing fast. OpenDNS is so fast because we run some of the largest DNS caches around and do it on our own high-performance network.

Open DNS is also a distributed network so you are always routed to the closest/fastest servers available to you at any given time.


The address bar is how you navigate the Internet. We make your address bar more intelligent.

We correct your common spelling mistakes, on the fly. That means when you are typing fast and type yahoo.cmo instead of, you still get there.


With OpenDNS, you can create shortcuts that let you type something easy-to-remember into your address bar and leap straight where you want to go.

Navigating the Internet is easier with shortcuts.

More Reliable

The only thing worse than a slow DNS service is an unreliable DNS service. When DNS isn’t working it appears as if the entire Internet isn’t working. Our service is built on our own high-performance network that is connected in multiple cities and to many different networks. We know reliability is important, and we stand behind ours.

I encourage all of you to take a gander at the website, try it out for a while and see if you like it. Still not convinced? Well, stick with the crappy DNS service your ISP probably provides and see where that gets you. Kidding. Just give it a try and see for yourself. Good luck.


Broadcom BCM4306 on Ubuntu Feisty Fawn

In my last post I mentioned that I needed to install a non-standard package to get my laptop wireless device working. Well, I decided that because it took me about 20-25 minutes to find the fix for this, I would post it so I can save someone some unneeded grief.

To get the wireless hardware working with the OS, most people recommend ndiswrapper, but the easiest and most supported way is to use Synaptic (the package manager) to install bcm43xx-fwcutter, which is nothing more than the firmware that the kernel needs to load during the boot process to make the wireless NIC usable. After installation just reboot and voilà, you have a working Broadcom wireless NIC which supports pretty much any encryption method available.