CheckPoint have bulletproof excuse for domain name cock-up
Remember the fun earlier in the week where CheckPoint forgot to renew their domain name? Well, they've responded in this article on The Register.
Genius excuse:
“This happened due to Network Solutions, our domain host, sending our renewal notification to an incorrect email address at Check Point”
Sorry, CheckPoint, but it’s your responsibility to make sure your domains get renewed on time. Don’t count on your registrar to remind you! Oh, and if you are going to trust their automated system to do your job for you, it’s up to you to make sure your correct email address is in their system. Are you trying to suggest reminders are typed manually by a team of clumsy people with fat fingers? Please.
Lesson of the day: Don't try to blame-shift to your registrar when they did nothing wrong - it just makes you look worse.
Still, maybe this mistake is because you were so busy “Securing the Internet”.
“We secure the Internet”… but can’t keep our domain registrations up to date
Congratulations, CheckPoint. Not only are you my least favourite network vendor, but you have also damaged your reputation a fair bit today:
Here's the WHOIS info, queried at 14:00 UTC on 02/04/2012:
"We secure the Internet", indeed.
Creating configs with Bash, for loops, and awk
So, maybe you sit next to someone that loves using GUIs to administer their firewalls. Or, maybe that person is you. Well, it's time to start looking at why the CLI is so much more powerful than any GUI... Because you can script any repetitive parts of the configuration. This becomes invaluable when you work on large networks with lots of nodes.
In this post, I'll show you one of my favourite ways of quickly throwing together some very lengthy, repetitive config in just a few simple steps. For this, we'll use Bash brace expansion.
What is Bash brace expansion? It is a way of giving Bash a series to expand, and letting it do the hard work. I'll assume that you know how a simple for loop works (and if you don't, it should be fairly obvious just by reading this), so I'll just show you a quick example of brace expansion:
$ for i in blah{08..12}; do echo $i; done
blah08
blah09
blah10
blah11
blah12
$
Note that as long as we're using Bash 4 or above, the brace expansion even copes with leading zeros in the way we'd expect it to (this was a pain with brace expansion before Bash 4).
You can also have multiple brace expansions in one expression, as shown here:
$ for i in {foo,bar}-{1..3}; do echo $i; done
foo-1
foo-2
foo-3
bar-1
bar-2
bar-3
$
So, why is this important, and why should we care as NetSec engineers? What happens when someone says something like "we're adding 64 new web servers to our farm, and need them to be added to the webservers group on the firewall"? Fancy spending an hour clicking through the GUI, which is both mind-numbingly boring and error-prone? Nope, me neither. Instead, you could do this in an easy for loop, tidying up things a little with awk.
For this example, we'll assume that we're working on a Cisco ASA/PIX, as the syntax is what most people will be familiar with.
You can easily look up the hosts in DNS like this (I'll just do 4 servers, but you get the idea - with our brace expansion, it can be for as many as we like):
$ for i in site01-web-{01..04}; do host $i; done
site01-web-01 has address 10.10.1.1
site01-web-02 has address 10.10.1.2
site01-web-03 has address 10.10.1.3
site01-web-04 has address 10.10.1.4
$
Now we can just create our config by echoing our object-group line, followed by network-object statements for each IP we resolve, followed by echoing an "exit":
$ echo "object-group network webserver-group"; for i in site01-web-{01..04}; do host $i | awk '{print "network-object host", $4}'; done; echo exit
object-group network webserver-group
network-object host 10.10.1.1
network-object host 10.10.1.2
network-object host 10.10.1.3
network-object host 10.10.1.4
exit
$
The syntax of awk should be fairly obvious here - the "$4" just means the fourth whitespace-separated field of each line that was piped to it - in this case, the resolved IP. Read the manpage if in doubt!
So what have we just managed to achieve here? We've managed to generate a config with one line of Bash syntax, where we're adding as many webservers as we want to scrape from DNS! No chance of typos, as long as your DNS is correct, and more importantly, no mind-numbing clickety-clickety!
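One caveat worth scripting around before you paste the output into a firewall: if a name does not exist, host prints "Host foo not found: 3(NXDOMAIN)", and the bare awk '{print $4}' above would happily turn that into "network-object host found:". Here's an added example of my own (not from the original post) that only emits a line when the lookup really produced an IPv4 address and returns non-zero otherwise. To keep it runnable offline it resolves names from a constructed lookup table (FAKE_DNS, with site01-web-05 deliberately missing); the function names lookup_ip, is_ipv4 and make_group are mine, and the comment in lookup_ip shows the host pipeline you would use against real DNS.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: build an ASA object-group from
# brace-expanded hostnames, but only emit a network-object line when the
# lookup really produced an IPv4 address. Piping `host` straight into
# awk '{print $4}' would turn "Host foo not found: 3(NXDOMAIN)" into
# "network-object host found:", and a typo'd name would silently drop a
# server from the group.

# Constructed stand-in for DNS so this runs offline; site01-web-05 is
# deliberately missing to show the failure path.
FAKE_DNS='site01-web-01 10.10.1.1
site01-web-02 10.10.1.2
site01-web-03 10.10.1.3
site01-web-04 10.10.1.4'

# lookup_ip NAME -> prints the A record, or nothing if there is none.
# Against real DNS you would use instead:
#   host "$1" | awk '/has address/ { print $4; exit }'
# The /has address/ filter skips "not found" and "has IPv6 address" lines.
lookup_ip() {
  printf '%s\n' "$FAKE_DNS" | awk -v name="$1" '$1 == name { print $2; exit }'
}

# is_ipv4 STRING -> exit 0 only for a dotted quad whose octets are 0-255.
is_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++)
        if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i > 255) exit 1 }'
}

# make_group GROUP NAME... -> prints the config; returns 1 if any name
# failed to resolve, so the caller can refuse to push a partial group.
make_group() {
  local group=$1 name ip status=0
  shift
  echo "object-group network $group"
  for name in "$@"; do
    ip=$(lookup_ip "$name")
    if is_ipv4 "$ip"; then
      echo "network-object host $ip"
    else
      echo "! $name did not resolve to an IPv4 address" >&2
      status=1
    fi
  done
  echo exit
  return "$status"
}

# Four good names plus one that is missing from the table: the config is
# still printed, the missing host is reported on stderr, and the non-zero
# return lets you notice before the group goes anywhere near a firewall.
make_group webserver-group site01-web-{01..05} \
  || echo "group is incomplete, do not paste it into the firewall" >&2
```

The stderr lines start with "!" so they look like ASA comments if someone does redirect everything into a file, and the exit status means you can chain it as make_group ... > group.cfg && scp group.cfg ... without ever shipping a half-resolved group.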
Installing Cygwin (a.k.a. Making a Windows Computer Useful)
For getting work done, I like to use a Linux OS, normally Debian. But what about when I'm working at a site where I'm not allowed to install my OS of choice? Or one where I am, but there are so many Windows-only tools in use at the company that only a Windows OS would be useful as the default install?
Well, of course, there are options like VirtualBox that would let me run a guest OS of my choice, even with features like seamless mode making the experience nicer. However, what if I could have all those nice CLI programs from the GNU toolkit available to me in Windows? Especially if it could be in a Bash shell too.
Well, enter Cygwin. It's the first utility I install on any Windows workstation that I will be working with. In a nutshell, Cygwin allows you to run a Bash shell natively on Windows, and have all the tools at your fingertips that you'd expect to have on a regular Linux installation - Perl, Python, sed, awk, vim, dig, GPG, etc.
The installer is very straightforward to use - just select an installation path, a path for packages, and a mirror to download from. The only slightly tricky thing is making sure you have installed all the packages that you'll find useful. I make sure that the following packages will be installed (although you can always install more packages by running setup.exe again later):
Editors/vim (choose another editor that you're more comfortable with if you like)
Net/bind, iperf, netcat, openssh, openssl, rsync, socat, stunnel
Perl/perl, perl-manpages
Python/python, python-doc
Security/pwgen
Utils/screen
Web/wget
Once Cygwin has installed and you start it, you'll be presented with a rather ugly screen like this:
Hmm, not so nice looking (sometimes it can look even worse, depending on the system font). Wouldn't it be nice if you could have Cygwin look like all your other nice PuTTY windows? Well, if you install PuTTYcyg, you can! After installing PuTTYcyg, you can create a shortcut like this so you can start your Cygwin session(s) quickly by hitting your Windows key and typing "bash" then hitting Enter:
Just make sure you throw this shortcut in your Start menu and you're all set, and you've got a nice useful shell to work with, even though you're running Windows:
The last thing I like to do is set a more normal prompt than Cygwin's default two-line prompt (as you may have noticed in the screenshot above). To do this, just put a couple of lines like this at the end of your .bash_profile:
PS1='\u@\h:\w\$ '
export PS1
Enjoy your new Bash CLI!
Coming soon…
Okay, so you've read some network blogs already. There are quite a few out there, after all. Some of them are excellent. I know, because I enjoy reading them too.
So what's this site going to be about? What is going to be different? Well... good question.
I had noticed that many of the network blogs out there have concentrated on "this is how to configure feature x" type of articles, where "feature x" is something like OSPF or private VLANs.
What I'd like to do with this blog is concentrate on a few topics that are somewhat rarer. For example, I'd like to demonstrate why implementing certain security features in a network is important; I'd like to show you how scripting skills will help you build many networks to a particular design with minimal effort (no GUIs here!); I'd like to show you how to accomplish tasks using open source software, or using non-Cisco kit.
More than anything, this is also just a braindump of the kind of things that I do and how I do them. It is a reference for myself, and for whoever else may find it interesting.
I hope that you enjoy reading this blog, and I hope I enjoy writing it too.
Now, all I have to do is start writing some content...