Search

Steve's Stuff

Random postings of tech and other life things…

Open Search
Author

irockon15

Maximizing Server Security: The Power of Microsegmentation Strategies

I work in a small IT deparment and about a decade ago we dove into the microsegmentation world. With the news constantly covering stories about breaches, security vulnerabilities, and just the general world of hacking, moving into a server network that is microsegmented made lots of sense. It reduces attack surfaces, prevents lateral movements, and provides lots of advantages than the typical flat networks most are probably accustomed to. But it doesn’t come with its challenges and hurdles to face. I’ll cover the lessons that we’ve learned, how we’ve addressed those challenges, and achieved a working playbook to make this system work on a regular basis.

As a server engineer, I’ve spent most of my career inside of a server or workstation OS of some type and initially really didn’t understand or know how networks worked. It was just the thing that was there to make my servers talk to other devices on the network. After 10 years of living in this environment there’s a few things that quickly became essential to being sucessful in working in this type of enviroment:

  • Fundamentals: Having a basic understanding of the fundamentals of technology is a must
  • Documentation: Vendor Documentation becomes essential
  • Logging: A good logging strategy is needed to understand what’s happening in the environment
  • Practice makes Perfect: Taking a playbook from Tom Cruise’s movie in Edge of Tomorrow: Live. Die. Repeat.

Fundamentals
First and foremost, having a good understanding of the technology and general concept of how things work are very important. When you don’t know how the technology works, it becomes very confusing to understand why something is happening in the environment. For example, if ICMP is blocked from the users network to a server, then pinging the server will fail. But if port 443/tcp is opened then that will allow you to browse to a website on that server on that port even though you can’t ping it. If you don’t understand that ICMP is different than SSL traffic over port 443 this can be a confusing situation for sysadmins and engineers working in the space. A few tips to think about if you’re in an environment like this that can help you be successful.

  1. Get to know the environment that you’re in
    • Get a network diagram or topology of the layout. Understand what stands between point A and point B. This will help you understand what hurdles you have to clear.
  2. Get a general understand of the type of firewalls being used in the environment.
    • Are they next-gen firewalls that identify the type of traffic traversing the firewall? Or is it just based on ports being opened or closed?
    • A next-gen firewall can identify the type of traffic passing over a certain port, and allow the “application” along with the port number. This extra layer of checking prevents certain malicious actors from being able to tunnel traffic over an open port that is not intended for that function. This would allow undesired actions to occur.
  3. Understand if ICMP is opened and pinging things are expected to work, or is it blocked and not allowed. Note: we allow ICMP internally for everything as an easy method for troubleshooting
  4. Understand the basics of network routing: On the initial surface, a routing problem can appear to be a firewall block. This can become a challenging issue to understand and convey to the network engineering team. If ICMP is open that helps troubleshooting as being able to ping a device means that you have a route to reach that device. If another service on another port isn’t work this makes it easier to know that a firewall is preventing that. If pinging it fails then it could mean a routing issue. Doing a trace route to review the path it’s taking is helpful to the network engineer trying to understand the issue.
  5. Having regular training sessions internally to make sure everyone understands the fundamentals and knows how to test for the specific problem being experienced is very important to be successful.

Documentation
Vendor documentation: Anyone that has spent time in the IT world has come to know vendor documentation. There’s varying levels of competent documentation, but every vendor should provide some type of information about their application. Included in this documentation should be network ports required for the application to function as expected. It will include the source, the destination, the port number, and the protocol it uses. Most all apps will need a default set of ports open to function as expected (DNS, NTP, Active Directory if it’s used, etc), as well as custom ports specific to the application. Knowing the traffic flow is very important to understanding what you need to request. (e.g. does the server start the communication to the laptop, or does the laptop start the communication to the server?) A small list of typical ports are (there’s dozens of others):

  • 21 – FTP, File Transfer Protocol
  • 22 – SSH, Secure Shell
  • 23 – Telnet
  • 25 – SMTP, Simple Mail Transfer Protocol
  • 53 – DNS, Domain Name System
  • 80 – HTTP
  • 110 – POP3, Post Office Protocol
  • 123 – NTP, Network Time Protocol
  • 443 – HTTPS, HTTP over TLS/SSL
  • 3389 – RDP, Remote Desktop Protocol

Internal Documentation: In conjunction to the vendor documentation, you should develop a good strategy for internal documentation. This allows you to help engineers working in the environment to understand what is set up and what the expected behavior is. You also have to make sure that you have a good procedure to deal with blocks and issues as they arise. We have an internal wiki that we try and document each application, the servers running that application, and the custom firewall rules required for that application to function.

Logging
At the core of all of this is having a good logging strategy in place so that everyone, not just the network engineers, are able to see the firewall or network security device logs and understand what’s happening. We use splunk as our syslog system and all users have read-only rights to the logs. This allows anyone to search firewall logs to see if attempted connections were allowed or blocked. Understanding the logs starts with making sure you have the first bullet point, a solid understanding of the fundamentals.

Practice Makes Perfect
As with anything you do, whether dieting, playing a musical instrument, or learning a new skill, practice makes perfect. When you first start down the path of microsegmentation, you have to understand that you’re probably not going to be successful right at the beginning. There’s going to be learning pains, new challenges, and a different way of thinking than you’ve become accustomed to. So going into it, you have to acknowledge that you will probably have multiple challenges you’ll have to overcome. Setting up good processes and a good framework before moving into the rollout will determine if you’re successful.

0

Trouble upgrading Synology DSM

I use my Synology for so many things for my home network. 

  • Synology Photos with mobile backup
  • Plex Home Media Server
  • Homebridge
  • Synology Drive
  • Node on my Tailscale account
  • Target for backups via Time Machine (Mac) or Windows Backup

I’ll be working on separate posts on each of these to share more info on each, but with this being such a critical piece of my home network, keeping it updated is essential. I often check in on each application and apply any new update that has been released as well as the DSM software that runs on the Synology.

I recently ran into an issue where I need to install the new Node.JS v20 to support the newest update to Homebridge. Unfortunately I was not able to locate the v20 package for Node.JS, only the v28 one. I wondered if I needed to update the Synology DSM version. I went in and checked and it was running 7.1.1-42962 and checking for new updates in the web interface returned that I was at the latest. So I started getting confused and began to do some research. It turns out that there was a newer version of the DSM available but I needed to manually update by downloading the correct versions and applying a manual update to bring me current. So, if you are in the same situation here’s the steps to follow to bring everything current:

Steps to upgrade

First, go to this link and choose the model you have and the version of DSM that you’re currently using:
https://www.synology.com/en-us/support/download
For me this was

Next, I chose the OS version of DSM that I wanted to go to

Finally I choose the DSM version I’m running and which DSM version I’d like to upgrade to. This will give you a list of the patches to apply and in which order to bring you to the version you want. In this case I chose the latest version which was 7.2.1-69057

I downloaded all the files making a note of which one to apply first, and then second. Next, I logged into my Synology and opened up Control Panels and clicked on Update & Restore.

I then clicked on the Manual DSM Update button and browsed to the location where I saved the 7.2.1-69057 (with Update 1) and applied the update. It took about 10 minutes for the update to apply and the Synology rebooted. I repeated the same process again for 7.2.1-69057 (with Update 3). After that finished I am now at the most current version.

After this was completed, I was then able to see the Node.JS v20 package and install that and the Homebridge package update that started this whole process.

I hope this may help others that are struggling like I was initially on why my DSM wasn’t updating and how to get it current again.

0

Setting up a home lab (Planning stages)

While most things these days are living in the cloud and cloud adoption is at an all time high, we still currently have most things living in our own datacenter running on VMware. So there is still a case to be made that home labs still have a place and a purpose when trying to test out new things in that space. With that being said, my current lab equipment has a few years on it, so while I’ve read posts online that say this does work, how well and effective it works remains to be seen.

“Do or do not. There is no try” -Yoda

While I try to follow Yoda’s teachings as much as possible, I am going to attempt to reuse some equipment that has been around a few years and see how far I can get with it. The hardware are three Intel NUC 8th generation machines with 32GB of RAM each. They are all using a USB attached drive to boot from since ESXi still can’t see the MicroSD card slot present on the machine.

The plan is to install the latest version of ESXi 8 along with a Vcenter server of the same version. I have a MacBook Pro as well as a Windows 11 home desktop that can be used to do the deployment of the Vcenter server. I’ll update future blog posts of my progress and experience but will be pulling helpful info from others out there from their previous experiences. More to come so stay tuned.

0

What I Use

I thought I would put this post here more as a way for me to keep a running list of what I have and what I’m using.  This is by no means a complete list, but I’ll update it over time in an attempt to get it there.

Computers

I used to use 2 different computers, a primary more powerful desktop and lesser powerful portable laptop. With the introduction of Apple Silicon I’ve decided to collapse both of those into a more powerful laptop as my primary computer. I’ve recently gotten the Apple MacBook Pro “M2 Pro” 10 CPU/16 GPU 14″. I opted for the Pro with the M2 Pro processor to have native support for multiple monitors. I have the model with 16GB of RAM and a 512GB SSD storage. This has been an amazing laptop so far and can’t recommend it highly enough. I’ve also picked up the Apple Studio Display and I’ve replaced my dual monitor setup with the single 27″ monitor and the laptop on a laptop stand. This is probably the best monitor I’ve ever owned and fits in perfectly with my setup. I’ve also been plugging this monitor into my work Dell laptop and it’s working just as you would expect.

I also have a gaming computer that I built circa 2019. While it’s now 6 years old it’s still working well for things that require Windows, as well as gaming via Steam, Xbox, and retro emulation using LaunchBox. If you are a gamer and enjoy retro games you should definitely check out LaunchBox. It’s been by far the best and easiest way to enjoy retro games. My gaming computer is using the following hardware:
MSI MPG Z390 GAMING PRO CARBON ATX LGA1151 Motherboard
Intel Core i7-9700K 3.6 GHz 8-Core Processor
Corsair Vengeance RGB Pro 32 GB (2 x 16 GB) DDR4-3200 CL16 Memory
Samsung 970 Evo Plus 1 TB M.2-2280 PCIe 3.0 X4 NVME Solid State Drive
-NVIDIA – GeForce RTX 4070 SUPER 12GB GDDR6X Graphics Card – Titanium/Black
DIYPC Ranger-R4 ATX Mid Tower Case

Peripherals

While docked at the desk, my keyboard is the Logitech MX Keys Mini. While it’s not a perfect keyboard it is very affordable and has pairings to 3 different devices which allows me to swap between my personal Mac laptop and my work Dell laptop. The mouse I have at my desk is the Logitech MX Master 3 Mac. I also keep the Apple Magic Trackpad to the side to use for any gestures that may be easier on the trackpad versus using the mouse.

On my gaming computer, I’m using the Razer – Huntsman Elite Full Size Wired Opto-Mechanical Clicky Switch Gaming Keyboard with RGB Chroma Backlighting – Black, and for a mouse I’m using the Razer – Basilisk V2 Wired Optical Gaming Mouse – Wired – Black.

Phone

I recently upgraded (December 2023) to an Apple iPhone 15 Pro 512GB in Titanium Blue. I have found iOS to be very stable and reliable in the years that I’ve been using it. My previous phone was a 128GB model and I regretted not getting more storage, so made sure to remedy that this time around. (Who ever thought that 128GB of storage on a phone would be considered “small”)

Tablet

I have a space gray Apple iPad Pro (2018) in 256GB with Verizon cellular attached to the Magic Keyboard and Apple Pencil.  The iPad had become my right hand man so to speak as I would have it with me everywhere I go. I find the extra screen real estate compared to the iPhone worth the extra weight and bulk of the iPad.

I also have and use an Apple iPad mini 6th generation for content consumption and casual usage. The size of it is great which makes it much more portable than the 11-inch one.

Software

I’ve been slowly building a list of useful software tools to use in my daily activities. I’m always on the lookout for anything that can help make things easier or more streamlined.

  • 1Password – These days, a password manager is a must. With website breaches becoming more and more common, using the same password on multiple sites is a terrible idea. With desktop and mobile OSes embracing password managers and integrating them more naturally for use, the argument against using one is becoming harder and harder. I’ve chosen 1Password and have used it for years. It’s a subscription and I pay each year for the family plan. It is also OS agnostic as there’s clients for every main platform. Highly recommended.
  • Alt-Tab – This is a useful tool to give you a better look at switching apps on the Mac, much like it does on the Windows side. You get a thumbnail of the screen from each app. And better yet, it’s free!
  • Bartender 4 – This app is another Mac app that cleans up your menu bar, and displays only the ones you want, but tucks away the others for when you need them. It’s a must have if you have sprawl up there, and keeps things organized. It’s also highly customizable, (e.g. you can display the battery icon while it’s running on battery, but it tucks it under the menu when charging). It’s a $16 one time fee but once you adjust it’s hard to stop using it.
  • Etcher – When working with ISO files to do USB bootable drives. Etcher is a simple but effective application to get that done. There’s always the CLI option of dd for anyone that’s versed in command line but if you’re looking for a simple interface to do the same thing check out Etcher.
  • ExpressVPN – I signed up for a trial of ExpressVPN and now it’s a constant thing I make sure to install on all of my devices. With public hotspots not very trustworthy it’s nice to have a VPN you can use. ExpressVPN makes it seemless and most of the time I don’t even realize I’m on VPN until I check due to how fast it is.
  • iMovie – I’ve been starting to play around with video editing and recording more video. So I’ve started using iMovie as a way to cut and build custom movies with it.
  • NetNewsWire – I’ve been using this on the PC and on mobile/tablet for a few years now. For an RSS reader it’s a great tool and is very fast at downloading and swiping through articles.
  • Quicken Classic – Yes, I am that guy that still manages his finances via a local Quicken application on the computer. I know most have moved to cloud based or online programs for this, and I also use Mint for several things in conjunction with this. But the ability to have a calendar with all my bills laid out, reports of past spending, and having it all local to me, is still a nice thing for me. Maybe one day I’ll join the others but for now I still enjoy having this.
  • Reeder – I have recently switched my RSS app over to Reeder on both the Mac and the iOS/iPadOS side. I really like the look and feel of it and appreciate the effort they’ve done to make this an enjoyable app

Note: some links above are tied to my Amazon affiliate account and I do get paid a small fee from following the links. I appreciate your support.

1

Running Windows 11 in VMware Fusion

I’ve been seeing lots of people trying to run Windows 11 in the virtual space. I wanted to do the same thing to test out the new OS so wanted to document the steps for anyone else wanting to do the same.  Note, Windows 11 have unique requirements than previous versions of Windows, so there’s a few steps you will need to manually do to prep the Fusion VM to run it.  System Requirements

First, create a new virtual machine in Fusion. When it asks for the ISO file provide the Windows 11 ISO.

Next, choose Microsoft Windows, and the Windows 10 x64

Leave the default set to UEFI, and choose Continue

On the last screen, choose Customize Settings

Now pick a location to save the VM

When you get to the settings screen, we’ll need to make 3 changes

1. Enable Encryption 

You’ll be asked to set an encryption password. Please store this somewhere safe. You can also check the Remember Password to store this password in your Keychain Access as well. If you don’t remember it, you’ll have to enter this password every time you use the VM.

2. Install a TPM Module

(Windows 11 requires that computers have a TPM module to run. More on that can be found here link.)

First you need to click on Add Device in the top right of the Settings window

Next, click on Trusted Platform Module and choose Add

3. The last step is required because by default VMware Fusion sets any Windows 10 VMs to 2GB of RAM. Windows 11 requires at least 4GB of RAM for it to install. It needs to be a minimum of 4GB.

That’s it. Save the settings and boot the VM and you will be off and running doing the install. Thanks for reading and happy virtualizing!

0

Fixing Authentication Failed error in Outlook 2016 on the Mac

I had a weird issue this morning. When logging into all my apps to begin my work day I noticed that my Exchange account wasn’t connecting in Outlook.  We use Office 365 with SSO, and it was continually prompting me with our SSO page to logon in a loop.  I checked the Mail app and everything appeared fine in there, so I knew it wasn’t Office 365 but something with my local Outlook app.  I attempted to remove and readd the account and then started to get “Authentication failed. Check your account information and try again.” It was this point I went to keychain access.  I figured something in keychain had been saved or set wrong and it was passing bad credentials to Office 365 from keychain.  There are 3 sets of items you will need to delete to clear everything being used by Outlook.

  • Open up Keychain Access
  • With “login” highlighted search for the following 3 items
    • Search “Exchange” and delete everything
    • Search “Office” and delete everything
    • Search “ADAL” and delete everything

After I performed those steps, I returned to Outlook and it allowed me to add my account back to the app as expected. I hope this can help others that might have this issue as well.

0

Adding disk cleanup to Server 2008 machines

Have you ever wanted to run disk cleanup on a server but found out it’s not installed?  One way to get it installed is to install the Desktop Experience feature via Server Manager.  While this will install disk cleanup, it also installs other things you don’t necessarily need.  There is a faster way to manually install it if that’s all you’re looking for. Basically, you manually copy 2 files for it from the winsxs folder into the current system folders. Run these commands from an elevated command prompt.

copy C:\Windows\winsxs\amd64_microsoft-windows-cleanmgr_31bf3856ad364e35_6.1.7600.16385_none_c9392808773cd7da\cleanmgr.exe %systemroot%\System32
copy C:\Windows\winsxs\amd64_microsoft-windows-cleanmgr.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b9cb6194b257cc63\cleanmgr.exe.mui %systemroot%\System32\en-US

Once that’s done, you can run disk cleanup by typing cleanmgr.exe from a command prompt.  It’s that easy.

0

Editing Powershell on a Mac

So I’ve been looking for something like this for a long time but apparently just not hard enough.  I finally found this blog that had exactly what I’ve been looking for. The original blog is here.

http://www.jonathanmedd.net/2013/03/writing-powershell-code-on-os-x-using-sublime.html

Basically, this will give you a text editor to highlight the syntax of powershell for editing powershell scripts on the Mac.  Most of the time you will have to have a windows machine to do the testing of the script, but it’s nice to have something like this when it’s needed.

First, download Sublime from here: download

Next, download the Zip package (button in the bottom right corner of the page) from here https://github.com/SublimeText/PowerShell

Then, copy the entire powershell folder into the directory here: Users\Username\Library\Application Support\Sublime Text 2\Packages.  The original poster noted that you can just open sublime and navigate to the menus Sublime – Preferences – Browse Packages to open this location.

Once that’s copied in there, just quit and reopen Sublime and then you can navigate to the View menu – Syntax – Powershell v2 and it will highlight the code properly.

I hope this helps anyone else out there that had been looking for this.

1

Microsoft’s New Remote Desktop Client for the Mac

When upgrading my work computer to Windows 8.1 last month, I was a bit horrified when I realized that the Remote Desktop app that was provided with Microsoft Office 2011 could no longer remote into my work computer.  This was bad as this was my main means of working remotely for the tasks that required me to be on a Windows machine.  A quick search out there revealed a new app from Microsoft in the iTunes store for a new Microsoft Remote Desktop. After downloading this and getting it installed I was easily able to remote into my work computer again and all was well.  And this app handles the multiple RDP sessions a little differently than the old app did.  While there’s some good and bad with it, overall I think it’s a much improved version and one I was happy to see made available.

There is also a matching version in the iTunes store for the iPad and iPhone/iPod touch as well.  They work very similar to the desktop version.
One of the best benefits this new version does other than support Windows 8.1 and Server 2012 R2, it also supports the .RDP files much better that are sometimes used to distribute remote connection sessions.  I recently took a virtual CCNA class which utilized an RDP session into the lab equipment.  I was able to successfully launch the RDP session thru the classes website and it launched as expected in the new client.  Kudos to Microsoft for helping to bring a little better app development to some of their lesser used Mac applications.
0

Blog at WordPress.com.

Up ↑