Tuesday 21 November 2017

Weak defaults in IIS 8 cryptography (TLS/HTTPS/SSL)

So, this isn't exactly a breaking news headline. IIS isn't the most secure web server in the universe. However, it came as a shock to get a "C" grade when testing our school's management information system portal on Qualys' rather awesome SSL Labs tester - a grade that low means the server is still happily negotiating obsolete protocol versions and weak cipher suites out of the box.

Even if you're not governed by things like GDPR or POPI, it should be a point of ethical professional practice to ensure there isn't a hole large enough to drive a bus through in your security infrastructure.

Fortunately, there's a really easy way of fixing this.
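Before and after applying any fix, it helps to have a local version of the SSL Labs protocol check. The following is an added example, not code from the original post: it uses Python's `ssl` module to ask a server, one protocol version at a time, whether it will negotiate that version, and then lists the findings SSL Labs would penalise. The weak-version and weak-cipher thresholds are a simplification of the SSL Labs grading rules, and the hostname is whatever you pass on the command line (it defaults to `localhost`).

```python
"""Probe which TLS protocol versions a server will negotiate.

Added example (not from the original post): a quick local approximation
of the SSL Labs protocol check, useful before and after tightening the
server's cipher and protocol configuration.
"""
import socket
import ssl

# Versions to try, oldest first. SSL 3.0 cannot be probed from a modern
# Python/OpenSSL build, which no longer speaks it at all.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}

# Simplified grading: anything below TLS 1.2 is a finding, and so is any
# cipher from one of these families regardless of protocol version.
WEAK_VERSIONS = {"TLS 1.0", "TLS 1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC3", "NULL", "EXPORT", "MD5")


def _context_for(version):
    """Build a client context that will only negotiate one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    # We are testing what the server accepts, not its certificate chain.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # OpenSSL's default security level refuses to offer TLS 1.0/1.1
        # from the client side; level 0 lets the probe actually offer them.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # older OpenSSL without SECLEVEL support: use its defaults
    return ctx


def probe_tls_versions(host, port=443, timeout=5.0):
    """Return {version name: negotiated cipher name, or None if refused}."""
    results = {}
    for name, version in VERSIONS.items():
        ctx = _context_for(version)
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = tls.cipher()[0]
        except (ssl.SSLError, OSError, ValueError):
            results[name] = None
    return results


def findings(results):
    """Turn a probe result into a list of human-readable weaknesses."""
    out = []
    for name, cipher in results.items():
        if cipher is None:
            continue
        if name in WEAK_VERSIONS:
            out.append(f"{name} accepted (negotiated {cipher})")
        if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
            out.append(f"weak cipher {cipher} accepted on {name}")
    if results.get("TLS 1.2") is None and results.get("TLS 1.3") is None:
        out.append("neither TLS 1.2 nor TLS 1.3 offered")
    return out


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for line in findings(probe_tls_versions(target)) or ["no protocol/cipher findings"]:
        print(line)
```

Run it as `python probe.py portal.example` (a hypothetical hostname). A clean result after the fix is an empty findings list with TLS 1.2 (and, where the platform supports it, TLS 1.3) still negotiating; if TLS 1.2 disappears too, the protocol has been disabled rather than the old ones, which is a common mistake when editing these settings by hand.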

Monday 23 October 2017

RTFM: Speeding up your (Fortigate) firewall performance

I was witness to the installation of the (yes, single) Fortigate 300C firewall the school uses, however, it was not my own configuration/installation/design, although I've maintained it for several years now.

We've been having intermittent issues with CPU usage close to 100%, and a sort of live lock-up where the Fortigate still responds, but packets do not flow. Some of the scanning engines (ipsengine or ipsmonitor) monopolise CPU time and need to be restarted several times [three, that's the magic number: diagnose test application ipsmonitor 99, waiting several minutes between attempts], or the unit rebooted, with resulting network chaos. And packets, like the spice, must flow.


The "death knell" for the 300C was a member of senior management unilaterally decreeing (without asking IT) that a whole year of pupils could have twice as many devices - a year ahead of schedule, and before the planned replacement to deal with the load... So I've been looking for ways to eke out a little more performance until we can afford/acquire a replacement for it.

It turns out that one of the original design decisions was not ideal: it completely disables the onboard dedicated traffic-processing ASICs, leaving every packet to be handled by the general-purpose CPU...

Unfortunately, schools need quite paranoid and intensive filtering, and that comes at a cost (in processing power, and in price!).

Friday 15 September 2017

Linux Game Server Manager

One of the teachers at school has declared that "eSports" will now be a Thing at school; his dream is that we thrash our arch-nemesis school across the valley (better resourced [top ten most expensive schools in the country] and bigger [more pupils]) during the annual inter-school sports day. Indeed, he even talked to the Headmaster about it, who was initially confused, but eventually gave it his (tentative!) blessing.

This then means we need to facilitate such things as "gaming"...



Thursday 14 September 2017

Goodbye, eth0 - Hello enp4s0?!

Today, I got a small shock whilst installing a few services on a new Ubuntu Server 16 LTS (16.04.3) instance on an old HP ProLiant server we had lying about not doing very much, in order to put it to better use.

Whilst installing and configuring shorewall (my go-to iptables firewall management tool on Ubuntu), each time I started it, it simply stopped all external connectivity, despite being "correctly configured".

After a few moments, I thought to check that I did indeed have an eth0 and ran ifconfig - lo and behold, the cryptically named enp4s0 was my Ethernet interface.
/etc/network/interfaces also had an entry for this cryptic new device and for lo (the loopback interface) - but nothing else.
Wait. What happened to eth0?

Wednesday 26 July 2017

Goodbye, YouTube Video Editor...?

It's rare that Google do something anti-awesome.

Sometime late last year, I discovered that YouTube has a basic (but well-featured) video editor built in - which has been there for a decade... They've recently decided to discontinue it, as of the 20th of September 2017 - which is the anti-awesome part. I'm sad, because I'd mentally flagged it as a "killer feature" to introduce to teachers as we start to go beyond the very basic GSuite for Education features.

The real killer of this change is that it was one of the few ways K-12 schools could edit video for free across several platforms - notably Chromebooks.

Indeed, it seems to be one of the only options to edit video on Chromebooks, so schools that have gone heavily in for Chromebooks will be particularly sad. Later generation models that support Android apps may have a few options, but the limited storage onboard Chromebooks will make it hard for budding videographers!

Google Connect has a thread calling for the retention of the feature. You may want to upvote it!

Google cites poor uptake, but this is probably primarily because it's an obscure feature, and many people quickly graduate onto "better" software (or don't edit at all). Of course, schools with small budgets, and especially those with Chromebook programmes, will really suffer from this change, as video is a popular medium to enrich teaching, learning and project work. Perhaps being Flash-based is the final "death knell", but it's a shame they don't consider HTML5 or some similar framework - which would also open it up to iPads.

Please Google/YouTube, reconsider!

Friday 30 June 2017

Distributed Monitoring Projects - RIPE ATLAS & FlightAware FlightFeeder

I'm currently hosting nodes for two distributed monitoring networks - one for several years now (since perhaps 2010 or so), and the other one as of yesterday.

Distributed monitoring networks put small, low-power, low-bandwidth devices into your network so that the project can observe things that are only visible at global scale - Internet reachability and latency in the case of RIPE Atlas, and aircraft ADS-B broadcasts in the case of FlightFeeder.

The two I'm currently involved in are RIPE Atlas Probes and FlightAware's FlightFeeder.

Thursday 15 June 2017

DMARC Breaks Mailing Lists - in the wild!

In a recent post, I mentioned that SPF and particularly DMARC can break mailing lists.

For the first time ever, I've actually seen an email to a mailing list that was somewhat "broken" by the implementation of DMARC.

This is possibly correlated to the fact that I don't belong to a lot of mailing lists, or perhaps because as we're busy rolling DMARC out ourselves, I'm more attuned to it...

Friday 9 June 2017

Secure DNS Recursion with DNSSEC

As you're no doubt aware, the Internet basically runs on two things: TCP/IP and DNS.

Given that you usually resolve a name before you connect to anything, it seems like a good idea that you can actually trust DNS records. Also, many of our security features depend on DNS - think of things like SPF and DMARC, and the emerging DANE protocol.

It turns out, as with most Internet security, that this was an afterthought: the original DNS has no way to authenticate an answer, and DNSSEC, which adds signed records and a chain of trust from the root, was bolted on much later.

Read on to see how you can secure your DNS resolvers against cache poisoning and spoofed answers...
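Once a resolver has been configured to validate, it is worth proving that it actually does. The following is an added example, not code from the original post: it builds a raw DNS query with the EDNS0 DO bit set (the signal that the client understands DNSSEC), sends it to a resolver, and reads the header flags back. A validating resolver answers a query for the root SOA with the AD (authenticated data) flag set, and refuses the deliberately mis-signed test zone dnssec-failed.org with SERVFAIL. The resolver address comes from the command line and defaults to 127.0.0.1; the response bytes in the test are constructed.

```python
"""Check whether a recursive resolver validates DNSSEC.

Added example (not from the original post). Two probes are sent with the
EDNS0 DO bit: the root SOA, for which a validating resolver sets the AD
flag, and dnssec-failed.org, a deliberately broken test zone that a
validating resolver must reject with SERVFAIL.
"""
import secrets
import socket
import struct

TYPE_A, TYPE_SOA, TYPE_OPT = 1, 6, 41
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2
FLAG_AD = 0x0020  # "authenticated data" bit in the DNS header flags


def build_query(qname, qtype, txid=0x1234):
    """Build a DNS query with RD set and an OPT record carrying the DO bit."""
    # flags 0x0100 = RD; 1 question, 0 answers, 0 authority, 1 additional (OPT)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = b""
    for label in qname.rstrip(".").split("."):
        if label:  # the root name "." has no labels
            question += bytes([len(label)]) + label.encode("ascii")
    question += b"\x00" + struct.pack(">HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP payload 4096, ext-rcode 0, version 0,
    # flags 0x8000 (DO = DNSSEC OK), rdlength 0
    opt = b"\x00" + struct.pack(">HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_header(response):
    """Return (txid, rcode, ad_flag) from a raw DNS response."""
    txid, flags = struct.unpack(">HH", response[:4])
    return txid, flags & 0x000F, bool(flags & FLAG_AD)


def ask(resolver, qname, qtype, timeout=3.0):
    """Send one query over UDP and return (rcode, ad_flag)."""
    txid = secrets.randbelow(0xFFFF) + 1  # random ID, as any real client should use
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname, qtype, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    got_txid, rcode, ad = parse_header(data)
    if got_txid != txid:
        raise ValueError("transaction ID mismatch; response not for our query")
    return rcode, ad


def validates(resolver):
    """True only if the resolver sets AD for signed data AND rejects bad signatures."""
    rcode_root, ad_root = ask(resolver, ".", TYPE_SOA)
    rcode_bad, _ = ask(resolver, "dnssec-failed.org", TYPE_A)
    return rcode_root == RCODE_NOERROR and ad_root and rcode_bad == RCODE_SERVFAIL


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(f"{target} validates DNSSEC: {validates(target)}")
```

Both halves of the check matter: a resolver that merely forwards to an upstream validator may copy the AD flag without validating anything itself, but it will still return the upstream's SERVFAIL for the broken zone, whereas a resolver that passes dnssec-failed.org through with NOERROR is not validating at all. The AD flag is also only trustworthy on the path between you and your own resolver, which is why that path should be local or otherwise protected.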

Wednesday 7 June 2017

Outgoing Email Security in 2017: SPF, DKIM and DMARC

In the IT trade, you are regularly exposed to the misery of others that are somewhat less tech-savvy.

Of late, I've been exposed to far too many people falling prey to compromised third-party accounts and spoofed email attacks - with quite significant financial losses. It has also happened to other schools. It's something sysadmins can help with, so let's do that!

As you no doubt know, the Internet is not secure by design - and that includes Email. Read on for how you can take some steps to help secure your school's outgoing email communications...
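SPF, DKIM and DMARC only make sense together: DMARC asks whether the domain in the From: header that users see is backed by an SPF pass or a DKIM pass for an aligned domain, and says what to do if not. The following is an added example, not code from these posts, that evaluates a message the way a receiving MTA does, and then walks through the mailing-list failure mode mentioned in the DMARC post above. The domains (school.example, lists.example.net), the DMARC record and the authentication results are constructed for illustration, and the organizational-domain rule is simplified to the last two labels rather than the Public Suffix List.

```python
"""DMARC evaluation, and why a mailing list breaks it.

Added example (not from the original posts). All domains, records and
authentication results below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


def parse_dmarc(txt):
    """Parse a _dmarc.<domain> TXT record into tag -> value, with defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("p", "none")      # policy for the domain itself
    tags.setdefault("adkim", "r")     # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")      # SPF alignment: r(elaxed) or s(trict)
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    (The real rule consults the Public Suffix List.)"""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed accepts
    any domain under the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str             # RFC5322.From header domain (what users see)
    spf_result: str              # "pass" / "fail" / "none" ...
    spf_domain: str              # RFC5321.MailFrom (envelope) domain SPF was checked for
    dkim_result: str             # "pass" / "fail" / "none"
    dkim_domain: Optional[str]   # d= of the signature that passed, if any


def evaluate(results, dmarc_txt):
    """Return (dmarc_pass, disposition) for a message, given the DMARC record
    published by the From: domain."""
    policy = parse_dmarc(dmarc_txt)
    spf_ok = results.spf_result == "pass" and aligned(
        results.from_domain, results.spf_domain, policy["aspf"])
    dkim_ok = results.dkim_result == "pass" and aligned(
        results.from_domain, results.dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    return False, policy["p"]


if __name__ == "__main__":
    SCHOOL_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@school.example"

    # 1. Mail sent directly from the school: envelope and DKIM both aligned.
    direct = AuthResults("school.example", "pass", "school.example",
                         "pass", "school.example")
    # 2. The same mail relayed by a mailing list: the list re-sends it from its
    #    own envelope address (SPF passes, but for the wrong domain) and tags
    #    the Subject, which invalidates the school's DKIM signature.
    via_list = AuthResults("school.example", "pass", "lists.example.net",
                           "fail", None)
    # 3. The list's usual workaround: rewrite From: to its own domain, so the
    #    list's DMARC record (not the school's) is the one evaluated.
    rewritten = AuthResults("lists.example.net", "pass", "lists.example.net",
                            "fail", None)

    print("direct   :", evaluate(direct, SCHOOL_DMARC))
    print("via list :", evaluate(via_list, SCHOOL_DMARC))
    print("rewritten:", evaluate(rewritten, "v=DMARC1; p=none"))
```

The second scenario is exactly the "somewhat broken" list mail: neither identifier aligns with school.example any more, so with p=reject every DMARC-enforcing recipient bounces the message. Publishing p=reject is still the right end state for a domain that is being spoofed; the caveat is to roll out via p=none with rua reports first, so that legitimate third-party senders (lists, bulk-mail services, the SIS portal) are discovered before the policy bites.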

Thursday 2 February 2017

When Microsoft DNS Broke YouTube...

School IT departments have an interesting life.

The Internet is simultaneously incredibly useful for education, but also carries significant risk - and it is often a regulatory or other legal requirement to filter content for minors (or just something you know parents want done, or you believe is ethically desirable in less "controlling" regions of the world).

Google (having deprecated header-based mechanisms, which didn't even work properly) offer a number of very useful DNS-based mechanisms for enforcing control of questionable content for your users, both on YouTube and for Google search.

Of course, this requires some DNS hacks.

And when Microsoft changes the way their DNS hacks work, things break...