This is just a blog storming session about why I feel NAC is over-rated.. It may be the best marketing invention in a while to give vendors the opportunity to sell you a security solution, but it clearly isn't the best use of technical minds to come up with an effective way of securely managing diverse networks.
NAC - Posture Assessment
If you are responsible for keeping the corporate workstations up to date, then you are just proving to yourself that your method is ineffective if you perform posture assessment and fail the workstation. Why not concentrate on a way to deliver updates and patches to a workstation while it is not directly connected to your corporate network?
- Windows Update can be configured to use an internet-accessible update site (ie: windowsupdate.corporate.com) that works both internally and externally.
- SMS and GPO updates can't easily be applied unless you have a VPN connection back to the corporate network.. seems like a good place for MS to work on ISA Server.
Quarantine Network
What is going to provide network services such as dhcp and dns for your quarantine environment? Are these your Active Directory DNS servers?
How isolated is it going to be if you have managed workstations that need to get updates when the users run as non-local admins?
It seems it would be more appropriate to properly engineer the network and windows services than create *another* network of update servers to do what the initial update servers should have done to begin with.
I understand that computers that aren't part of corporate policy are one of the primary reasons to quarantine. But..
Trying to stop malware by not letting the infected computers connect?
If you look at creating a network model that doesn't allow any communication to protected resources, you'll probably run across Microsoft's Server and Domain Isolation. This is a great start based on IPSEC but leaves little room for analyzing data passing across the network.
Detecting when a computer comes on the network?
- Doesn't work with SNMP link notifications from a switch when the device is plugged in behind an ip phone, hub, or downstream switch
- Doesn't work with 802.1x if the port can be authorized by another device (corp workstation, print server, ip phone)
- How do you handle virtualization environments where the guests can be NAT'ed?
- What about physical connectivity wired in a particular fashion:
(802.1x switch) -> (4 port hub w/ NAT) -> (Corp Workstation) + (Rogue Workstation)
Other Ideas:
Lock down all physical ports where there is really nothing to attack.. DoS is always a possibility, but when is it ever not? If you only provided DHCP, DNS, and RDP or ICA with thin clients you would have a very tight ACL that could be applied to a client VLAN.
Only allow guests wireless access.. it is much easier to control who can and cannot connect to secure WPA2 enabled SSIDs.. Guests get access to open SSIDs.. then you focus on traffic shaping and ACLs to allow only certain ports. Deep inspection on those few open ports would be great, and a few vendors will look inside SSL..
I'll elaborate more on the details of each of these thoughts in future posts..
11/21/2007
NAC - A bandaid for your network?
Posted 6:30 PM by Randy J. Cress (0 comments)
11/18/2007
Using VLC to create a web-based VOD library
There are many reasons why you would want to create a Video-on-Demand library with a web interface.. training videos, past security recordings, news clips, etc..
My reason was different this weekend.. it is starting to become difficult to weed through all of the DVDs with children's shows for my daughter. While she has no problems sorting through the DVDs and picking out a show to watch if we label it correctly, it still is time consuming, and over time the discs become worn and damaged. I needed a way to create a video on demand library that is easy for her to use. Since she can navigate around on the web just fine, I wanted to make it as simple as YouTube for point and click access to her shows.
Enter VideoLAN VLC Player/Server
Now we can do the following:
TV -> DVR -> DVD -> VLC -> RTSP -> PC = Happy Child
The quick and dirty approach for serving DVDs over wired/wireless for VOD via the web:
Download and install VLC 0.8.6c here.
Copy the entire VIDEO_TS folder from the DVD under a directory (ie: d:\videos\kidshow1)
Create a vlm.conf file under c:\program files\videolan\vlc with the following contents:
vlm.conf
--------
# rtsp streams
new kidshow1 vod enabled mux mp2t input "dvdsimple://d:\videos\kidshow1@1:1"
# @1:1 specifies the first title and chapter
# @2:1 would automatically select the second title
Create a shows.html under c:\program files\videolan\vlc\http with the following contents:
shows.html (for firefox plugin only)
--------
<html>
<head><title>Kids Show #1</title></head>
<body>
<h1>Kids Show #1</h1>
<embed type="application/x-vlc-plugin"
name="kidshow1"
autoplay="yes" loop="no" hidden="no" width="640" height="480"
target="rtsp:@localhost/kidshow1" /><br />
<a href="javascript:;" onclick='document.kidshow1.play()'>PLAY</a>
<a href="javascript:;" onclick='document.kidshow1.stop()'>STOP</a>
<a href="javascript:;" onclick='document.kidshow1.fullscreen()'>FULLSCREEN</a>
</body>
</html>
Now run the vlc app on the "server" from c:\program files\videolan\vlc with the following arguments:
vlc -I http --vlm-conf vlm.conf --rtsp-host 0.0.0.0:554
This launches vlc without the GUI; the web admin interface is on port 8080.
You can view the vlm portion of the configuration at:
http://localhost:8080/vlm.html and verify that the VOD stream is loaded.
On the viewing computer just browse to:
http://vodserver:8080/shows.html
Of course, there is a lot more design that needs to go into the web pages to make this kid friendly, but that is just the icing on the cake.
This worked over an 11mb/s wireless connection without any problems. You need around 4mb/s, so don't count on a weak 1mb/s wireless connection for anything but garbage!
There are some limitations with this configuration, mainly not being able to use IE as the browser.. but the firefox plugin sample was so easy to get started with.
More reference information at:
http://people.videolan.org/~dionoea/vlc-plugin-demo/serversetup.php
And for a nice cross browser player with a slider bar:
http://people.videolan.org/~damienf/plugin-0.8.6.html
Now to get this running as a service and find out a quick way for my wife to be able to import new DVDs and change the vlm.conf file on the fly!
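One way to do that import step, as an added example that is not code from the original post or from VideoLAN: scan a root folder of ripped DVDs and regenerate vlm.conf and an index page from it. It assumes the layout used above (one sub-folder per show, each holding the DVD's VIDEO_TS folder), a host name of vodserver, and that the viewer opens streams as rtsp://host:554/name.

```python
# Added example, not code from the original post. It scans a root folder of
# ripped DVDs (one sub-folder per show, each holding the DVD's VIDEO_TS folder,
# e.g. d:\videos\kidshow1) and generates the vlm.conf entries plus a simple
# point-and-click index page. Root folder, host name and the rtsp link form
# are assumptions for illustration.
import html
import re
from pathlib import Path

VLM_LINE = 'new {name} vod enabled mux mp2t input "dvdsimple://{path}@1:1"'

def show_name(folder) -> str:
    """VLM media name from the folder name: letters, digits and '_' only,
    so it is safe in the rtsp URL and as an html element name."""
    return re.sub(r"[^A-Za-z0-9_]", "_", Path(folder).name)

def find_shows(root) -> list:
    """Immediate sub-folders of root that contain a VIDEO_TS folder."""
    return sorted(p for p in Path(root).iterdir()
                  if p.is_dir() and (p / "VIDEO_TS").is_dir())

def vlm_conf(shows) -> str:
    """One 'new ... vod' line per show; @1:1 = first title, first chapter.
    Rejects two folders that would collapse to the same VLM media name."""
    lines = ["# rtsp streams (generated)"]
    seen = set()
    for show in shows:
        name = show_name(show)
        if name in seen:
            raise ValueError("duplicate show name: " + name)
        seen.add(name)
        lines.append(VLM_LINE.format(name=name, path=str(show)))
    return "\n".join(lines) + "\n"

def index_html(shows, host="vodserver") -> str:
    """Index page: one link per show to its rtsp stream on the VLC server."""
    items = ['<li><a href="rtsp://%s:554/%s">%s</a></li>'
             % (host, show_name(s), html.escape(Path(s).name)) for s in shows]
    return ("<html><head><title>Shows</title></head><body>\n<h1>Shows</h1>\n"
            "<ul>\n" + "\n".join(items) + "\n</ul>\n</body></html>\n")

def write_all(root, vlc_dir, host="vodserver") -> None:
    """Write vlm.conf next to vlc.exe and shows.html into its http folder."""
    shows = find_shows(root)
    Path(vlc_dir, "vlm.conf").write_text(vlm_conf(shows))
    Path(vlc_dir, "http", "shows.html").write_text(index_html(shows, host))

if __name__ == "__main__":
    write_all(r"d:\videos", r"c:\program files\videolan\vlc")
```

Re-run it after copying a new VIDEO_TS folder under the root, then reload vlm.conf in the running vlc (or restart it) to pick up the new stream.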
Posted 9:54 PM by Randy J. Cress (3 comments)
11/16/2007
Xen-based VMM with SAN-less HA from Thinsy
After reading the latest blog post from virtualization.info:
http://www.virtualization.info/2007/11/thinsy-announces-7th-xen-based.html
I just can't help wondering how many more Xen-based virtualization packages are going to be delivered and how well they are going to keep up with Xen's releases of the VMM along with their own enhancements and modifications. It seems like everyone is ready now that Xen 3.1.0 supports Windows-based guest OSes.
What is interesting in this release is that I've just finished a proof-of-concept with XenEnterprise 4.1 to perform disk to disk replication and XenMotion utilizing LVM on top of DRBD 8.2.1, since XenSource (now Citrix) provides a DDK image to recompile kernel modules for Dom0. It worked, and I was able to perform XenMotion with running DomUs between the two hosts utilizing a primary/primary cluster with the "allow-two-primaries" option in the DRBD resource config file.
It will be interesting to see what Thinsy's EnSpeed VMM is using as an underlying filesystem and whether Jagane Sundar wrote his own disk sync program for LiveSync or is utilizing DRBD or the like. Maybe he will post an entry on his blog explaining the underlying details.. until then, I'll have to wait until my 1.3gb iso download completes before I can look under the hood.
Posted 8:47 PM by Randy J. Cress (1 comment)
Tags: virtualization, xen
11/15/2007
Thin Clients, Library Shared Workstations, VDI for a perfect combo
Microsoft has matured their original Shared Computer Toolkit into Windows SteadyState. The new version is well documented and really becomes a player against existing Deepfreeze environments for libraries. The Windows Disk Protection feature is very similar and now supports scheduled update windows.
If this product were combined with thin clients at libraries along with VDI and a SteadyState-prepared load of Windows XP, you would have a great combo, giving IT staff and librarians freedom to implement new software in computer lab or kiosk environments.
Utilizing thin clients, you could reduce the hardware costs and the risk of theft or damage at the physical lab setting. Having the image run on backend servers would minimize the time frame for replacing or adding lab computers. This would work especially well if you utilized a single virtual drive that they all boot from..
Library staff would be able to make changes and add software very easily with the wizard interface in the SteadyState application and then re-protect the hard drive after installation.
Once SteadyState 2.5 comes out of beta and supports Windows Vista, it would just be a matter of creating another image on the VDI servers and instructing the thin clients to run the new OS. You could even offer the lab users an option and have the library staff select the image based on their preference if needed.
Posted 10:13 PM by Randy J. Cress (1 comment)
Tags: kiosk, steadystate, vdi
11/13/2007
Site Content Introduction
The purpose of this blog is to document thoughts and ideas about events that relate to my daily work and research. It's hard to try and give back thoughts and opinions in a digital communication form when you are so used to formulating ideas and concepts from Googling everything, subscribing to a hundred or so RSS feeds, and drilling through all of the marketing hoopla with vendors. There is not enough time to digest the information I've read and heard, let alone try and comment on it in any meaningful way.
Nonetheless, I feel it is about time I tried.. we'll see how it goes, and hopefully there will be some unique content that will be considered a contribution back to the greater good.
Topics that are currently at the top of my interest:
- virtualization - comparison of hypervisors and the end game of commodity enterprise v12n
- network security - documentation of best practices, focusing more on real ways to solve problems instead of buying a lot of appliances to make you feel that you are more secure.
- network monitoring - how to proactively monitor your critical resources (does anyone sleep beside their Blackberry in the normal profile?? hmm.. it has to be possible)
- web apps - Google Apps and Amazon EC2 are changing the way we think about storing critical business data and running our virtualized servers.. just waiting for pdf upload at Google Docs and Xen 3.1 at Amazon EC2
more to come..
Posted 11:53 PM by Randy J. Cress (0 comments)
Tags: network, security, virtualization