Angelo’s blog

A systems administrator’s diary

Protect OWA using a reverse proxy

November 24, 2008 | 11:50 pm

Sometimes you just have a single public IP address (unfortunately IPv6 is not that widespread yet), and you still want to publish stuff like Outlook Web Access and other applications to the net in a secure way. The easiest way to do so is to just pass port 443 to the Exchange server. But this means that if you have other web apps, you have to run them on the Exchange server as well. And besides, not everybody wants to put an IIS machine directly out on the net..

One way to solve that is to put a reverse proxy like Apache or Squid in front of it. Read more ..


TrueCrypt 5.0 released

February 6, 2008 | 4:25 pm

Quote from Slashdot:

“The popular open source privacy tool, TrueCrypt, has just received a major update. The most exciting new feature provides the ability to encrypt an entire drive, prompting the user for a password during boot up; this makes TrueCrypt the perfect tool for non-technical laptop users (the kind who are likely to lose all of that sensitive customer data). The Linux version receives a GUI and independence from the kernel internals, and a Mac version is at last available too.”


DISCS GO MISSING: 25 million child benefit records lost…

November 22, 2007 | 8:51 am

BBC writes: “Two computer discs holding the personal details of all families in the UK with a child under 16 have gone missing.”

“The chancellor blamed mistakes by junior officials at HMRC, who he said had ignored security procedures when they sent information to the National Audit Office (NAO) for auditing. Mr Darling told MPs: “Two password protected discs containing a full copy of HMRC’s entire data in relation to the payment of child benefit was sent to the NAO, by HMRC’s internal post system operated by the courier TNT. The package was not recorded or registered. It appears the data has failed to reach the addressee in the NAO.””

Well, this at least shows why the security procedures were there in the first place. I wonder what kind of password protection the disks have. It’s probably a fancy way of saying it wasn’t encrypted. If they would have just used a TrueCrypt volume on the CDs, there would not be a problem, and the CEO wouldn’t have had to resign.


Apache2 local user authentication

November 16, 2007 | 1:03 pm

I was trying to get Apache2 to authenticate using the local user database, and I would expect it to be quite easy. I was wrong.

But thank god for blogs :) This user described a way to use pwauth and mod_authnz_external that works like a charm for me:
http://blog.innerewut.de/2007/6/26/apache-2-2-authentication-with-mod_authnz_external

Thanks Jonathan!


New shiny access point

October 13, 2007 | 10:56 am

Cisco AP 1131AG

This week, I ordered a Cisco 1131AG access point on Ebay, at 2/3 of the price.. I got the product because it’s a Cisco (support, robustness, etc), and because of the extra range. And this one even looks fabulous! Guess who it’s inspired by ;)

One thing I noticed as I received the AP, is that the circle around the Cisco logo lights up! It’s green when no one is connected, and blue when someone is. (And all kinds of colours in between I haven’t figured out yet, didn’t read the manual all the way through)

As usual with Cisco, it has so many options that you can easily drown in them, and you really need to know what you are doing. In the menu is an ‘express setup’ as well, but it does not satisfy my needs (WPA without radius). The box ships with radios disabled, and as soon as I enabled one, I was up and running. It took me some extra time to get it running with WPA, as I want to use pre-shared key authentication (I don’t want to set up certificates for 2 users, and without a radius server). I had it up and running, but then I got the problem that the AP would not pass DHCP reply packets.. Must have done something wrong.

So I set it to factory defaults again this morning and set it up according to this user’s instructions, and I was up and running again in a few minutes.

I set it to WPA2 only to be secure (WPA/TKIP is flawed or can be hacked as well), and my Mac worked immediately. My girlfriend, who uses Windows XP and the Windows tools to manage the wireless network card on her laptop, had to install the WPA2 update manually (it’s not an automatic update, and requires genuine validation!), and after that, it connected as well, and worked perfectly.

Update: it seems the DHCP reply packet issue is not solved yet. If I reboot my laptop it gets an IP, but when I suspend and resume, I don’t get an IP from my DHCP server. The DHCP server is SENDING the packet though, I see it in the sniffer. And the laptop is getting IPv6 router advertisements. Hmm.. Looks like the AP is eating the DHCP reply packets.. grrr..


Setting up OpenVPN using radius on FreeBSD

August 20, 2007 | 4:38 pm

I’ve got a MS ISA 2004 server, and some colleagues that connect to the office remotely, using the built-in windows PPTP client.

After using Microsoft’s PPTP server for about 6 years, I’ve totally had it. I’m sick and tired of problems with networking infrastructure (passing GRE through firewalls), the lack of easy error reporting functionality, etc. Every now and then connections don’t work, and rebooting a firewall here and there usually solves the problem.

After thinking about it for a while, I decided to ditch the MS PPTP server, and implement an OpenVPN server for my colleagues on the road. I’ve been using OpenVPN for a while now as well, and I’m a big fan.. I’ve hooked up several data centres and remote locations using OpenVPN, and it has always been a rock solid solution. It can get a little complex at times, but it’s definitely worth the effort.

read more


IPSec VPN tunnel using FreeBSD

February 13, 2007 | 6:13 pm

I’m a big fan of OpenVPN, but sometimes an IPSec VPN is the way to go if one of the parties involved requires it, for example because one of the ends is a Cisco VPN device, or because one of the administrators doesn’t know OpenVPN (and doesn’t want to get to know something new), or because security policy doesn’t allow the use of other VPN solutions.

One of our clients connects to all kinds of different VPN endpoints, and as a test I wanted to try connecting to one of his remote endpoints using a FreeBSD machine (a VMware ESX guest), to simplify management and lessen the cable clutter in the rack.

I’ve been trying to set up the tunnel to the remote VPN3005 concentrator, and have been unsuccessful so far. The phase 1 connection is set up, but the phase 2 won’t complete successfully. I’ve even asked the developers for help (discussion), but haven’t been able to get much further. One of the problems is that the remote VPN concentrator admin won’t answer any phone calls or emails. Well, it’s only testing anyway. I guess our customer will have to stick to buying Cisco boxes for the time being.

Along the way I have gotten to know IPSec a little bit better, and I have written a guide to help people (like myself) to get up and running quickly, at least with a FreeBSD-FreeBSD tunnel: Read the guide here


Truecrypt volume on USB disk benchmark

October 9, 2006 | 3:54 pm

Last week, I got a 250GB FreeCom USB2 harddisk at work. We were going to ship the disk to a customer, and the customer would send it back, with confidential data on it. Usually, I’m not that paranoid, but I like to keep my customer’s mission-critical confidential data secure, especially if I’m shipping the disk using normal low-cost shipping service. With TPG Post here in the Netherlands, it’s not that uncommon for packages to just go missing.. And even if it doesn’t go missing, I still don’t trust all postal service employees..

A logical thing to do, was to create a TrueCrypt volume on the disk, and place the data in that volume. I wanted to convince my customer that TrueCrypt is not only a secure, but also a fast tool to secure data.

The funny thing is, I couldn’t find any basic benchmarks on USB2 disks, let alone in comparison to encrypted volumes. So I created a volume myself, and benched it with ATTO Disk Benchmark.

This is the disk attached to my Dell Optiplex GX620 (Dual Core 2.8GHz, 2GB RAM). I didn’t tune anything, just plugged the disk in the back of my computer, and went ahead. The disk is formatted as one big NTFS volume.

[Screenshot: ATTO Disk Benchmark results, USB disk without encryption]

Then I created a 100GB TrueCrypt volume, using the default AES. It took a while to format the volume, but that’s not that strange considering the fact that 100GB of data has to be written. After that I mounted the volume, and did the same test:

[Screenshot: ATTO Disk Benchmark results, USB disk with TrueCrypt encryption]

Reads perform at 63%, and writes perform at 69% of the speed on the unencrypted volume, looking at big files. In this case, my client’s data consists of one huge file. In my opinion, these rates are quite acceptable, and I feel confident to tell my customer that this solution is ‘fast’ as well.

