Friday, 9 June 2017

Secure DNS Recursion with DNSSEC

As you're no doubt aware, the Internet basically runs on two things: TCP/IP and DNS.

Given that a DNS lookup usually happens before any other connection is made, it would be good to be able to actually trust DNS records. Many of our security features also depend on DNS: think of SPF and DMARC, and the emerging DANE protocol.

It turns out, as with most Internet security, that this was an afterthought.

Read on to see how you can secure your DNS resolvers against forged DNS responses...
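A quick way to tell whether a resolver actually validates DNSSEC is to query it twice with `dig`: once for a correctly signed name and once for a name whose signatures are deliberately broken (a test zone such as dnssec-failed.org). A validating resolver answers the first with the AD (authenticated data) flag set and returns SERVFAIL for the second; a non-validating resolver answers both, with no AD flag. The following is an added example, not code from this post: it parses the two `dig` headers and classifies the resolver. The header text is constructed sample output, and the function names are my own.

```python
"""Classify a resolver's DNSSEC behaviour from two dig header blocks.

Added example, not part of the original post. Feed it the output of
    dig @resolver <signed-name> A
and
    dig @resolver <deliberately-broken-name> A
and it reports whether the resolver is validating.
"""
import re

# Constructed sample dig headers (only the lines the parser needs).
VALIDATING_GOOD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
VALIDATING_BAD = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
NONVALIDATING_GOOD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12347
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
NONVALIDATING_BAD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12348
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""


def parse_dig_header(output):
    """Return (status, set_of_flags) from a dig response header.

    Looks for the 'status: X' field and the ';; flags: ...;' line that
    dig prints for every answer. Raises ValueError if either is missing.
    """
    status = re.search(r"status:\s*([A-Z]+)", output)
    flags = re.search(r"^;; flags:\s*([a-z ]*);", output, re.MULTILINE)
    if not status or not flags:
        raise ValueError("not a dig header block")
    return status.group(1), set(flags.group(1).split())


def classify_resolver(good_output, bad_output):
    """Decide whether a resolver validates DNSSEC.

    good_output: dig output for a correctly signed name.
    bad_output:  dig output for a name whose signatures are broken.
    Returns one of: "validating", "not-validating", "unusable",
    "inconsistent".
    """
    good_status, good_flags = parse_dig_header(good_output)
    bad_status, _ = parse_dig_header(bad_output)
    if good_status != "NOERROR":
        return "unusable"          # cannot even resolve the good name
    if "ad" in good_flags and bad_status == "SERVFAIL":
        return "validating"        # authenticated good, rejected bad
    if "ad" not in good_flags and bad_status == "NOERROR":
        return "not-validating"    # happily returns the bogus answer
    return "inconsistent"          # e.g. AD set but bogus data accepted


if __name__ == "__main__":
    print("sample 1:", classify_resolver(VALIDATING_GOOD, VALIDATING_BAD))
    print("sample 2:", classify_resolver(NONVALIDATING_GOOD, NONVALIDATING_BAD))
```

One caveat: the AD flag is only meaningful if the path between you and the resolver is trusted. It is just a bit in the response, so anything on the path that can forge the answer can forge the flag too. Validate locally, or query the resolver over a trusted link, if you need the flag to mean something.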

Wednesday, 7 June 2017

Outgoing Email Security in 2017: SPF, DKIM and DMARC

In the IT trade, you are regularly exposed to the misery of others who are somewhat less tech-savvy.

Of late, I've seen far too many people fall prey to compromised third-party accounts and spoofed email attacks, with quite significant financial losses. It has also happened to other schools. It's something sysadmins can help with, so let's do that!

As you no doubt know, the Internet is not secure by design, and that includes email. Read on for some steps you can take to help secure your school's outgoing email communications...
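The three records the post title names are all published in DNS, so before touching mail servers it helps to see what they actually say. Below is an added example, not code from this post or from any tool it describes: an offline checker that evaluates a sender IP against the literal mechanisms of an SPF record (`ip4`, `ip6`, `all`), flags the mechanisms that would need a DNS lookup (`include`, `a`, `mx`, `exists`, `ptr`, `redirect`), and parses a DMARC record into its tags with the defaults from RFC 7489 filled in. The sample records and domains are constructed for illustration; the function names are my own.

```python
"""Offline SPF and DMARC record checker (added example, not the post's code).

Evaluates only what can be decided without DNS so it runs stand-alone;
include/a/mx/exists/ptr/redirect terms are reported as "needs-dns".
"""
import ipaddress

# Constructed sample records; example.net / example.org are placeholders.
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.example.net -all"
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.org; pct=100; adkim=s; aspf=r"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = ("include", "a", "mx", "exists", "ptr")


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, term) pairs.

    "v=spf1 ip4:192.0.2.0/24 -all" -> [("+", "ip4:192.0.2.0/24"), ("-", "all")]
    A missing qualifier means "+" (pass). Raises ValueError on a non-SPF record.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        parsed.append((qualifier, term))
    return parsed


def evaluate_spf(record, sender_ip):
    """Evaluate sender_ip against the record's literal mechanisms, in order.

    Returns pass/fail/softfail/neutral from the first matching mechanism,
    "permerror" for a malformed ip4/ip6 mechanism (as RFC 7208 requires),
    "needs-dns" if a lookup-based term is reached before any match, and
    "none" if nothing matches and there is no 'all'.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, term in parse_spf(record):
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        if name in DNS_MECHANISMS or term.lower().startswith("redirect="):
            return "needs-dns"
    return "none"


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag -> value dict.

    Fills in RFC 7489 defaults for sp, pct, adkim and aspf so callers can
    rely on them being present. Raises ValueError if v or p is missing.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    tags.setdefault("pct", "100")
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment
    tags.setdefault("aspf", "r")       # relaxed SPF alignment
    return tags


def dmarc_warnings(tags):
    """List the ways a parsed DMARC policy falls short of actually blocking spoofing."""
    warnings = []
    if tags["p"] == "none":
        warnings.append("p=none only monitors; spoofed mail is still delivered")
    if tags["pct"] != "100":
        warnings.append("pct<100 lets a share of failing mail bypass the policy")
    if "rua" not in tags:
        warnings.append("no rua= address, so you receive no aggregate reports")
    return warnings


if __name__ == "__main__":
    for ip in ("192.0.2.10", "2001:db8:1::5", "198.51.100.1"):
        print(ip, "->", evaluate_spf(SAMPLE_SPF, ip))
    print(parse_dmarc(SAMPLE_DMARC))
    print(dmarc_warnings(parse_dmarc("v=DMARC1; p=none")))
```

The "needs-dns" result is deliberate: a real SPF evaluator follows `include:` and friends recursively (with a limit of ten lookups), and it is exactly those nested includes that tend to push school domains past the limit once a few third-party mailers are added. The DMARC warnings reflect the most common mistake seen in practice: publishing `p=none` and assuming the job is done.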

Thursday, 2 February 2017

When Microsoft DNS Broke YouTube...

School IT departments have an interesting life.

The Internet is incredibly useful for education, but it also carries significant risk, and it is often a regulatory or other legal requirement to filter content for minors (or simply something you know parents want done, or believe is ethically desirable in less "controlling" parts of the world).

Google (having deprecated the header-based mechanisms, which never worked properly anyway) offers a number of very useful DNS-based mechanisms for enforcing control of questionable content for your users, both on YouTube and in Google Search.

Of course, this requires some DNS hacks.

And when Microsoft changes the way their DNS hacks work, things break...

Thursday, 15 September 2016

When your firewall dies, and you need something, FAST.

For a number of years, I've been mentioning to colleagues, managers, interested members of staff and random strangers in the supermarket (well maybe not the last one) that I don't like single points of failure in enterprise ICT infrastructure.

I occasionally picture my network layout in my head, and think about the single points of failure with dread.
"One of these days, that single fancy firewall is going to die. And we're not going to be happy about it". 
Said firewall "died" last week...

Caching servers are a great idea with new iOS releases...

Would you like to save hundreds of gigabytes of Internet traffic?

That's some serious caching...
With the recent release of iOS 10, it's clear our users have been chomping through a fair few megabytes of data... Hopefully, we don't see too many people visiting us with "early adopter flu" in the next few days...

Wednesday, 14 September 2016

Netflix, have you heard about RFC 952?

Having had a firewall melt-down last week (the subject of another post, when I get around to it), I rebuilt our entire firewall ruleset from scratch, because the config backups simply brought back the undesired effects (clearly something in the 45,000 lines of config disagreed with it...).

As a result, I've ended up "experimenting" with some options, with sometimes unintended, or non-obvious effects.

Netflix. It's broken. Oh noes!
One early casualty was Netflix - one of the few video streaming things we allow (because: bandwidth [available on plentiful and cheap national traffic] and legality [has a legitimate presence in South Africa]). Children love copyright infringing content; I try to make it easy to access legal stuff instead.

Thursday, 16 June 2016

Synology RackStation RS3614xs+

Some time back, we received two Synology RS3614xs+ units so that we could address our rather painful lack of on-campus storage (my Thruk monitoring system is cluttered with machines complaining about lack of disk space; most are typically over 90% full, which is not ideal). Off-campus storage, thanks to Google Apps for Education, is not exactly a problem any more.

Synology RS3614xs+
We chose these after carefully surveying the low- to mid-range NAS/SAN market. They had a number of features which appealed, including dynamic flash/SSD caching, AD integration, integration with Google Drive, and 10 gigabit network interfaces; they also feature redundant power supplies and the possibility of adding more storage through expansion chassis. I'm particularly excited about having them set up as a redundant pair. The price/performance seemed about the best we were going to get. And it never hurts when a fellow sysadmin has had similar units in production for a while, and rather likes them.

One thing I'm particularly excited to see is faster student logins, once shared profiles end up cached on SSDs and served to the LAN at multi-gigabit speeds.

So, it's probably about time we configured these and put them into production...