Business FIOS at the office. Part II.

Our changeover from XO DSL to Verizon FiOS is now complete. We ordered the cancellation of the DSL line yesterday, so there is no turning back now. Our network topology with the DSL service was not what I would call ideal, particularly when it came to security, and because of that it was quite an effort to get completely functional with the new design. We leased a block of 32 IPs from the DSL provider and every device on our network had a public Class A address (I know, not cool); it's just how I did it from the beginning 11 years ago. But I was able to keep everything secure with diligent firewall rules and reviews and by keeping all the systems up to date. I knew long ago that I should change this, but it was one of those things that just remained on the back burner.

With the new FiOS package that we chose I went with leasing only 14 IPs, which obviously forced me into making the long needed change. We have approximately 30 network devices here at the office including the IP phones (they were not publicly addressed, thank you). So, logically, I did what should have been done in the first place and put all of our network devices on a private network and left only the servers on the public IPs. Needless to say this required the reconfiguration of all the desktops, printers, the scanner, switches and servers. The switch was the most involved, as we had to reassign a number of ports and add an additional VLAN for the new private address network. A number of the servers were also converted to multihomed mode so that they would have a physical connection to both the public and private networks, because they provide services to both. Additionally, we have 2 primary DNS servers here that provide name resolution for a number of domains, including some that are not ours. The coordination of reconfiguring those servers and making the authoritative record changes was done carefully so as to avoid any downtime for web services; they were completed on Monday this week.

As I mentioned in the previous post, we are using a Soekris Net5501 as our router and firewall. It runs BSD’s well regarded PF packet filtering software via pfSense and has more than enough processing power to allow our bandwidth to operate at full speed.
Our SonicWall SOHO 50 is now retired after almost 12 years in service. Proprietary it may have been, but it ran like a champ. It's so out-dated I can't find a picture of it on the internet. We have the Soekris set up to provide NAT to the new private address LAN, and then we set up a bridge from the WAN port to another port that provides the connectivity to all the new FiOS leased public IPs. It's a mildly complicated configuration, but once it's going it is rock solid reliable.

I also mentioned in the earlier post that I was looking forward to the speed increase that would allow us to do offsite backups in a reasonable amount of time. That is working out great. We have about 330GB of current and archived data. It wouldn't pay to start the offsite transfer from scratch, so I made an initial transfer at the office and then took that drive to the offsite location. From then on all that needs to happen is to transfer the incremental updates. That amounts to a few GB at most on any given day, only mere minutes now instead of hours.

It’s done.

Behold the Qube.

Back in the late 90's, when the WWW and the "Information Superhighway" were all over the news and everyone was getting an email address (remember CompuServe and EarthLink and AOL), Linux was also gaining traction because it provided so much of the back-end to the internet. A small group of engineers put their heads together and started the Cobalt company. Their history is available here. Their first product, called the Qube 2700, shipped in March of 1998. It was soon upgraded to the Qube 2 and then later the Cache Qube and Qube 3. There were also a few other products developed for the datacenter/ISP industry; those were the CacheRaq, the NasRaq and a series of other Raq* devices. These were all 1U form factor, low power, low cost, rack ready appliances that allowed fast deployment of ISP type services to customers.

I can't find the original order so I don't know the exact date, but I think it was around late 1999 that I ordered the Qube2. I have always enjoyed tech gadgets and computers and I just loved these things from the moment I saw one. I set it up at the office in Hackensack where it was connected to our wicked-fast 768Kbps DSL line (now we have 25/25Mbps fiber). It really had to be the coolest computer you could buy at the time, with its deep cobalt blue case, green Cylon style LED on the front and its diminutive footprint. And best of all it ran Linux. And second best of all it had an unusual 64-bit 250MHz MIPSel processor inside. It really was unique and so much fun to look at and use. I have a soft spot for that one too because it ran our hx4.com site for years.

Cobalt Qube 2

I still have that Qube2 and two others that I have since obtained through eBay over the last 10 years. The most recent of which was practically a steal (for a fanboy). I was fortunate to happen upon an auction for a NIB Qube2 model in its original packaging, unopened plastic seal on the Qube2 and all the accessories and the original product sticker still intact on the box, all for $33.00. I’m still stoked about it.


Unfortunately these are obsolete and not good for much other than to serve as neat looking bookends and conversation pieces. They do indeed still run, and there is a community of enthusiasts as you can see from the links above. I have installed NetBSD 5.1 on two of them, and that at least makes them current as far as the operating system goes, but they are doggedly slow by today's standards and it can get tiresome trying to do anything productive on them. At this point I couldn't see one serving much purpose other than perhaps running a persistent instance of IRSSI under GNU screen or something similar. One of these days I think I will attempt to gut one of them and stuff a Nano-ITX system inside that will have all the comforts of modern hardware. They still look amazingly current.

Today's funny.

I came across a website related to open code and information freedom and encountered this bio on one of the members of the organization. I've redacted their name because I don't mean to poke fun at them personally. I just thought the bio was pretty funny in a "what the heck does that even mean" sort of way.

*REDACTED* is a strategic and conceptual advisor to *REDACTED*, helping to articulate an approach toward creative visualization and to evaluate and develop potential partners and engagements relative to that vision. *REDACTED* is a highly regarded experience designer and conceptual strategist, guiding the creative direction and vision of multiple successful endeavors

Motorcycle trip 2005

I know it’s not as exciting as current events but like I mentioned previously, it is therapeutic for me to reminisce on these trips during the cold and icy winter months.

This one was from back in May of 2005. We began in Las Vegas again and headed to the Grand Canyon; we then went through Bryce Canyon and Arches NP. We spent a good deal of time in Southern Utah. Utah is spectacular. There were times we went from high elevation covered in snow caps to lush green valleys and farmland to such striking desert landscapes that made me feel like we were on the moon. One evening we had a great dinner at Rays Tavern in Green River and decided to press on to Moab to stay the night there. Once we got to Moab we had a miserable time trying to get a place to stay for the night because the entire town was booked with a 4×4 rally. We finally found a room at the Red Cliffs Lodge about 20mi north of town, well after 1:00am. The drive up to the lodge was daunting, in the pitch dark on a twisty valley road; it was cool and there was a sense that the river was at our side the entire time, but we couldn't see it. It would have been a nice place to spend some time. We woke up to a fantastic view of the red cliffs on one side and the Colorado River in full spring swell outside our back door. I remember having a great breakfast in the old town jailhouse (Jailhouse Cafe) in Moab, then heading to Arches NP. This trip will always stick out in my mind for the surprising beauty and landscape variety that Utah offered and the fact that we had perfect weather the whole time.

2005 TRIP SLIDESHOW

Motorcycle Trip 2008

My good friend Mike Brown and I have done a number of motorcycle trips together in years past. This is the time of year that I reflect on those experiences and gain some escape from the cold and snow here in the Northeast. They were all trips of a lifetime. I will attempt to get them all posted here eventually. This post highlights the trip from 2008.

These are some memories of our trip from 2008, which took us through the Grand Canyon, Telluride Colorado, Southern Utah and Lake Powell, the White Mountain Apache Reservation in Arizona and past the VLA in New Mexico.

We hit quite a snowstorm atop the pass from Show Low to Globe in AZ, the kind where you know your fate is no longer in your hands. I don't know how we made it.

2008 TRIP SLIDESHOW

SSH usage, multiple private keys.

There is no doubt that SSH stands as one of the greatest system administration tools ever. I use it many times a day manually and many more through scripts for sysadmin stuff. Sometimes, like today, I need to do something that I have never needed to do before. And of course SSH is capable.

Due to a new network topology at the office I needed to be able to have SSH source more than one private key for authenticating to a remote host. There is more than one way to do this. I used the first solution as it was the most basic.

In the ~/.ssh folder create a file named "config" and chmod it to 600. Add the line "IdentityFile ~/.ssh/id_rsa.keyA", then a subsequent line for each other private key you want to use. For example you can have "id_rsa.keyA", "id_rsa.keyB" and so on. Make sure that those references actually match the names of your private key files; if not, rename them. That's it. From now on, when you attempt an SSH key exchange, all those keys will be offered.

The second solution is more refined. This is what your ~/.ssh/config file might look like for this method:

    Host *.home
        IdentityFile ~/.ssh/id_rsa.home
    Host *.office
        IdentityFile ~/.ssh/id_rsa.office
    Host *.wan
        IdentityFile ~/.ssh/id_rsa.wan

In this case the host you are connecting to will determine the key that will be presented rather than presenting all keys like the first example.
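To show how the two methods combine in one file, here is a fuller ~/.ssh/config written as an added illustration; it is not the original post's file nor Karanbir Singh's, and the host patterns, key file names, alias and address are made up. It also adds IdentitiesOnly, which the post does not mention, so that a server is only ever shown the keys meant for it.

```sshconfig
# ~/.ssh/config   (chmod 600; the ~/.ssh directory itself should be 700)
# Added example with constructed names. Host patterns are matched against the
# name typed on the command line (e.g. "ssh web1.office"), not the resolved
# address, so the pattern suffixes below are aliases you choose.

# Per-network keys (the "second solution"). IdentityFile lines accumulate
# across every matching Host block, so an office host gets id_rsa.office and
# nothing else only because the catch-all block below excludes *.office.
Host *.home
    IdentityFile ~/.ssh/id_rsa.home

Host *.office
    IdentityFile ~/.ssh/id_rsa.office

Host *.wan
    IdentityFile ~/.ssh/id_rsa.wan

# An alias with a real address behind it (constructed). For single-value
# options such as HostName the first matching block wins, so this goes above
# anything broader that might also set HostName.
Host fw.office
    HostName 192.0.2.1

# Hosts that matched none of the suffixes above get the general-purpose keys,
# tried in this order (the "first solution"). A pattern prefixed with "!"
# negates: if any negated pattern matches, the whole Host line is skipped.
Host !*.home !*.office !*.wan *
    IdentityFile ~/.ssh/id_rsa.keyA
    IdentityFile ~/.ssh/id_rsa.keyB

# Applies everywhere: offer only the keys configured for the host, not every
# key ssh-agent happens to hold. That keeps a remote server from seeing which
# other identities you carry and from rejecting you for exceeding MaxAuthTries
# before the right key is ever tried.
Host *
    IdentitiesOnly yes
```

To confirm what ssh will actually do for a given name, `ssh -G web1.office` prints the effective option values (including every identityfile) without connecting, and `ssh -v web1.office` shows which keys are offered during authentication.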

Thanks to Karanbir Singh and his post for helping me with this.

Vocabulary for the week.

New IP Addresses may crush the earth.

There are 2^32 = 4,294,967,296 (about 4.3 billion) IP addresses available in the current IPv4 addressing scheme. The new 128-bit IPv6 scheme offers 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456. That's 340 trillion trillion trillion addresses. An impressive number visually, almost unimaginable. Imagine this: if one IPv6 address weighed 1g, then all of them together would weigh the equivalent of 56 billion Earths.

I'm going on record and saying that this is going to be enough, forever.

More privacy related thoughts.

Our government's abuse of its power is nothing new and it will not end. It is in the nature of any large governing bureaucracy, be it corporate, civil or federal. Clearly the frenetic pace at which technology has advanced over the last couple of decades has afforded the government an opportunity to take advantage of a gap in the public's understanding of the true nature of these technologies and the potential consequences of their use. Because I'm a bit of a geek it's clear to me on a daily basis how little people understand about the technology they use and depend on every day. It may not be so important to understand the workings of your refrigerator, but when it comes to the way you share and communicate all aspects of your life you really need to understand what's going on. Most of us are voluntarily contributing to a massive information store that is the result of such daily activities as using cell phones, texting, internet phone calling, emailing, credit cards, grocery store discount cards, movie rentals, online purchases, ATM withdrawals, DMV auto inspections, EZ-Pass toll payments, airline/train travel and more. Some of these situations seem benign; however, all of them result in some amount of data being collected, transmitted and stored on a computer in a database somewhere. Do you know who knows every item you purchased at Shop Rite for the last 5 years you've been using your membership savings card there? Did you even know that someone has that information? Perhaps you don't care; after all, it's only a grocery list. But take all the databases for all the activities I mentioned and start putting them together, and your life story is suddenly patent knowledge. What you read, what you eat, how much gas you put in your car and where you go, how much cash you tend to have in your purse and the people you talk to most on a weekly basis, how much money you owe and how much you drink, what kind of driver you are and how long you have owned your home.
Such is the way we exist to lesser or greater degrees, but we do live in a digital world, and digits are very cheap to store and very valuable depending on the end user. Life with these amenities is quite nice. It affords many conveniences and efficiencies. The problem is that we trade our privacy for convenience, and often without the understanding that we are doing so. When was the last time you agreed to a terms of service by clicking that "I Agree" button? Did you actually read the entire "Terms of Service" document? Never. Try it sometime; you will be shocked at what you are agreeing to. The truth is, in most cases, we don't control or even own any of this information, and we have expressly given away all rights to it forever.

In this recent article by the EFF there are some examples of how privacy can be violated by the government and your service providers. The article focuses on abuses, but what strikes me most is that much of the abuse is facilitated by what I hope is a general misunderstanding of the tech we use every day, rather than a blatant disregard for our own privacy as a citizenry.

This portion of the report referenced in the article caught my eye and highlighted my concern.

In over half of all NSL violations reviewed by EFF, the private entity receiving the NSL either provided more information than requested or turned over information without receiving a valid legal justification from the FBI. Companies were all too willing to comply with the FBI’s requests, and — in many cases — the Bureau readily incorporated the over-produced information into its investigatory databases. For example, in a violation reported in 2006, the FBI requested email header information for two email addresses used by a U.S. person. In response, the email service provider returned two CDs containing the full content of all emails in the accounts. The FBI eventually (and properly) sequestered the CDs, notified the email provider of the overproduction, and re-issued an NSL for the originally requested header information; but, in response to the second NSL, the email provider again provided the FBI with the full content of all emails in the accounts.

The failure in the bureaucratic process outlined in this example is completely preventable, not by a more lawfully compliant FBI or a more adept service provider, but by a more informed and better equipped citizen. Like Uncle Ben told Peter, "with great power comes great responsibility"; the information age is our superpower. Let's not destroy ourselves with it.

Dear winter, with your cold and snow…

SUCK IT!