decepticon_eazy_e (Active Members, 164 posts)

Everything posted by decepticon_eazy_e

  1. 172.168.x.x is not an address you can use. That range happens to be owned by America Online, so your packets never come back home, they get routed out to AOL. :) Thanks for making it easy on me!!
  2. You have to do quite a bit of work on the vSwitch. That's where you define the VLAN tagging and iSCSI initiators. None of the guest OSes will see or know that it's iSCSI (or FC, or SATA, etc). The clients/guest OSes should not have any interaction with the actual iSCSI network, unless you have a very specific need to allow them in. Attach a kernel port to the existing vSwitch and configure the iSCSI initiator there; only the kernel of the ESXi box will communicate with the SAN.
  3. Double posty goodness! I got curious, so I scanned my own. This is an HP C6180 (fax, scanner, wireless, mem card reader):
     PORT     STATE SERVICE      VERSION
     80/tcp   open  http         HP PhotoSmart 8450 printer http config (Virata embedded httpd 6_0_1)
     139/tcp  open  netbios-ssn?
     6839/tcp open  tcpwrapped
     7435/tcp open  tcpwrapped
     9100/tcp open  jetdirect?
     9101/tcp open  jetdirect?
     9102/tcp open  jetdirect?
     9110/tcp open  unknown
     9220/tcp open  unknown
     9290/tcp open  unknown
     9500/tcp open  unknown
     Port 139 gives me the file share to the mem card, pretty nice way to get at it actually. The jetdirect is pretty straightforward, but I have no idea what the other stuff goes to!
  4. Their buffer on the outside fastethernet port fills up with SYN connections and becomes unusable, and stops taking connections. They remote in to a server outside the router and go through the serial connection to issue a reboot. Yup, their management doesn't see the need to allocate funds to IT for better equipment, so that's that. I wash my hands of the problem. I read an article a while back about jetdirect HP hacking in 2600. Very interesting stuff, they found most printers have an FTP directory for downloading and holding firmware. Then it pulls the new firmware off that directory during the reboot. Do a packet capture during a firmware update and see what it's doing, maybe you can hijack that and put some custom firmware on it. They also found that the OS had a java server running on it, which opened up more possibilities. Do a full (1-65535) TCP scan with Nmap and see if any other ports are open. Also, if you have a scanner on that printer, it probably can hold the images there for later download. The big high end ones do, they save the scans as raw images and can convert them to PDFs. I had an interesting weekend at a hotel looking through the office printer they had. They had scanned time cards, insurance forms, passports of the workers, etc. Also, checks for deposit. TONS of good stuff. I saved it all somewhere, never did anything with it (honest!!). I just wanted to show some friends when I got home. I think printers might become the new security hole...
  5. Because you can name everything in your network. No more remembering IPs. I have "router" and "printer" and "switch". Makes it all pretty nice, and movable. I can change the IP of my printer without having to change anything else; it all relies on the DNS.
  6. I had to troubleshoot a router for a client one time. They complained that it locked up or died a couple times a day. After some debug captures, it turned out they were a victim of a SYN attack/flood. This was a medical insurance company, so the uptime was pretty critical. It was interesting to see this all in action, on a larger scale than my own house. My DoS'ing at home never goes very well, gigabit switch with 3 PCs. The switches and Linksys router handle it all perfectly. Anyways, the resolution was that I told that company to get a real firewall instead of a NAT router. A Cisco ASA router is immune to SYN attacks due to the adaptive security algorithm; it doesn't hold open the TCP connection and respond to every possible SYN packet. A typical Cisco router does. You can't ACL that off because a SYN is part of a legitimate transaction and needs to stay open. Not much you can do to mitigate that kind of attack. *End of the story is they bought the lowest router capable (and supported by Cisco) of doing what they needed, a 2691. To my knowledge they still have it, and still have to remote in twice a day to reboot the router. That was over a year ago. No firewalls in the entire company, only NAT routers.
  7. Symantec has found what seems to be the first ALL Mac botnet. I'm loving this, I'm going to forward this to all my Mac buddies. Turns out the Mac isn't invulnerable to viruses and hackers!! http://blogs.zdnet.com/security/?p=3157
  8. The XP CD you have does not have the drivers needed to read the disk controller. The newer Win7 CD does. Hit F6 during the blue "install starting" screen and load them in via floppy. Or learn to slipstream drivers.
  9. Perhaps you are talking about using the Archive bit? http://en.wikipedia.org/wiki/Archive_bit
  10. A default route should always be set. Since the IP address could potentially change, use the "ip route 0.0.0.0 0.0.0.0 ethernet0/0" command instead. That way it won't matter what your ISP changes the IPs to. NAT needs to be configured for any traffic to pass. 192.168.x.x or 10.x.x.x or whatever type addresses are not routable to the outside world. "show ip nat trans" will verify that NAT is working properly.
  11. Thanks for the output there. Reinstall the SDM package on the router, maybe you're missing some Java files. http://www.cisco.com/en/US/products/sw/sec...00803e4727.html You get wizards to do all the complicated tasks you are requesting. http://www.cisco.com/en/US/docs/routers/ac...e/SDM25UGD.html Or get started on the CLI... Here are the basics: http://www.icalvyn.com/cisco-router-basic-configuration/ (skip the serial port, AUX, and bandwidth junk) Configure NAT: http://www.cisco.com/en/US/tech/tk648/tk36...080094e77.shtml DHCP server: http://www.cisco.com/en/US/docs/ios/12_0t/...de/Easyip2.html Once you have NAT done, forward ports through it: http://www.beyondweblogs.com/post/How-to-e...forwarding.aspx
  12. Wow, that's quite a list of requirements. Let's start with the basics. Did it come with all this? Includes: 32 MB Flash, 64 MB DRAM, 4-Port 10/100BASE-T Switch with VLAN, 10/100 WAN & Analog Modem Backup, VPN Hardware Module, Cisco IOS IP Plus/ADSL/Firewall/IDS/IPsec 3DES, embedded Web-based SDM. Dump the "show version" and "show diag" output and post it, if you don't know. I highly recommend you figure out the Java problem and use SDM. Downgrade Java to 1.5; 1.6 (newest) has been known to mess up Cisco GUIs. I'm not going to write your config for you, I get $165/hr for that. I'll get you started though.
  13. SDM is free. It might require a Cisco login, but that's free too. http://www.cisco.com/en/US/products/sw/sec...00803e4727.html
  14. 1710 is pretty limited as far as expandability goes. No slots for WIC cards or AIM cards. If you install SDM, even the most novice user can configure a Cisco router. The 16 MB flash might limit you on SDM. VPN capabilities are an IOS limitation, not a hardware limitation. This will do 3DES and IPsec, no AES VPN options. Otherwise, it's a good NAT router, if you need one of those. One port is 10 meg only, so that's going to be your max throughput. Current IOS upgrades go to 12.4, which is current.
      IP/IPX/AT/IBM/FW/IDS PLUS IPSEC 3DES
      c1710-bk9no3r2sy-mz.124-23.bin
      Release Date: 12/Nov/2008
      Size: 13974.43 KB (14309808 bytes)
      Minimum Memory: DRAM:96 MB Flash:16 MB
      IP/FW/IDS PLUS IPSEC 3DES
      c1710-k9o3sy-mz.124-23.bin
      Release Date: 12/Nov/2008
      Size: 12643.02 KB (12946452 bytes)
      Minimum Memory: DRAM:64 MB Flash:16 MB
      Full SDM requires 7.63 MB free on the router, so that might be tight. The express version is only 2.43 MB and that one sucks. If you get the 96 MB of RAM and IOS upgrade it might make a nice little firewall for somebody. Any other questions, let me know!
  15. Dedicated management is a good idea, more layers (like ogres). So you will have at least this many VLANs...
      1 Management
      1 iSCSI
      1 production traffic
      Just keep a list like that going as you plan it out.
  16. He's talking about dedicated switches and wires for iSCSI (SAN terms call any disk access network a fabric - not necessarily optical). Best practices also say get an iSCSI HBA, which is pretty unnecessary in a low volume environment such as this. If you start to see CPU spikes and bottlenecks, you could invest in one of those. Dedicated iSCSI network gives you speed and security. You don't share the wire with anything. The most secure network is a closed one, which is what you have. No security worries if nobody can get to the physical network. My 2 cents is, traffic measurements will show that nobody ever gets close to a gigabit. Only on big trunks on large networks do you reach a gig. Since you don't have to worry about bandwidth, you picked iSCSI because of cost, use it. If you wanted to spend the money on building a dedicated network for disk access, you would have picked fibre channel. Proper VLANs will give you proper security. (by proper I mean, config native vlans, trunk limits, ACLs, etc) I think you have the right plan here, the important part is draw out everything ahead of time. You will then see where your holes are and how to fill them.
  17. Take out all the RAM except for 128mb.
  18. That one has a ADSL modem built in, I like to keep my parts separate. Modem is modem, and router is router. If one goes bad I don't lose both.
  19. I answered your question in the other thread... I didn't see this one right away. :) I don't think you have enough servers to tax that SAN, you have a pretty good setup there. I think you'll be just fine with iSCSI, speed wise. You just need to configure your Ethernet switch properly. Get a switch that supports VLANs and trunk a dedicated VLAN for iSCSI to each server. If you can dedicate a NIC to iSCSI, even better. Check to see if you can team a NIC in VMware, I don't think you can. You can EtherChannel a few NICs but you need to configure it perfectly on the ESX box and the switch. Not sure if ESXi has all the options needed for that. If you do NIC teaming inside a VM, you will gain no benefit. Only when the ESX NICs are spread across an EtherChannel do you get load balancing. Otherwise you just get 2 virtual NICs running to 1 physical NIC. Let us know what kind of switch you plan on putting behind those. If you say Dell, I'm leaving. :P Dell doesn't make switches.
  20. Do you have a difference in disks behind those technologies? The R/W and RPMs of the drives will make more of an impact. FC is 1, 2, 4, or 8 Gbps.... So which FC speed are you comparing 1 Gbps Ethernet to? iSCSI is great for keeping the costs down, the switches and infrastructure are much cheaper than FC. However, if you just put it in and forget about it, you'll pay for it. iSCSI is an Ethernet protocol, just like TCP, UDP, etc. It is susceptible to the same problems. Congestion, dropped packets, QoS, broadcasts, etc. You need to plan out an iSCSI implementation more. You need VLANs and ACLs. You really don't want that same traffic running on the same wire as your WWW traffic. IP addresses can be spoofed, DoS'd, rerouted, and all the other fun things we discuss on this forum. If you take all that into consideration when designing the data center, you should have no problem. FC is a bit easier for the inexperienced to implement. Zoning and aliasing really should be done and in place before production. However, if you don't do those things, it will still work (but it could work better and easier). FC usually stays contained in your FC switches, which generally are protected by a lock on the door. A bit more secure than iSCSI, but you still need to protect it. VMware guest OSes will see all disks as directly attached SCSI drives, there is no difference. ESX will need to be configured appropriately for those technologies. If you don't use an iSCSI card in the ESX box, some kind of TOE HBA, the CPU must do all that processing. FC HBAs do the processing on the HBA, much less CPU load. How much less depends on how much disk access you use.
  21. The difference you quoted is because one is a FAstethernet port and the other is an ETHernet port. Fastethernet means 10/100 and does trunking. You'll find 10baseT ethernet ports in the 2600 series also, these concepts are not dependent on the series, but rather the time the router came out. You'll find both those kind of ports on 3600s. The only time the syntax really changed is the jump from 11.x to 12.x, it's very different. Upon writing this, the 2600's latest IOS you can get is 12.3.26 and the latest IOS you can get on a 2611XM (and 3600) is 12.4.23. There's not that much of a difference here. There is definitely NO difference you'll encounter while studying for the CCNA. The 2600 line is more than capable at providing everything you need for a CCNA. The 3600 line is even older, but still viable. The big problem with the 3600 line is that you have to buy EVERYTHING extra. None of them have ethernet ports or anything, they all require an extra NM card. I got my CCNA about 2 years ago and yes it expires every 3 years. Here's the nice secret. If you pass a test that is higher than a CCNA, you automatically get your CCNA renewed for another 3 years. So, when I got my SNPA certification last year, my CCNA got renewed automatically. So here's what you should do... Pass the CCNA and then start on the next track, for example the CCNP. There's maybe 4 tests for that (I think) and if you passed one of those tests every 2 years, it would be 11 years before your CCNA expired. After that time, you should know if you need to keep it current or not. I myself am on the CCSP track, so next year I'll take another test and keep it going. My opinion from what I've seen in the field is the "+" exams aren't worth the money. Get a CCNA instead of a Network+. Get a Microsoft cert instead of A+ and so on.
  22. DHCP in each subnet. Somebody needs to change the IP address and if you don't want the user to do it, then it has to be DHCP or some other automated method.
  23. If you do have Cisco switches there, start using the port security feature. When the port detects a new MAC address that exceeds the specified limit of MAC addresses allowed (usually 1), it shuts down the port. You have to manually open it back up, but you'll know somebody did something because your phone will ring and the user will complain. It's a pain in the ass to manage on a large scale, but it will be the most sure-fire way to find out who is plugging new devices into the network, and fast. Other ideas... limit the scope of the network with VLANs. You then have to manually configure a DHCP helper address (your own DHCP server) in each VLAN. The rogue DHCP broadcasts won't leak out of the VLAN and you have a smaller area to search for rogue devices.
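     As an added example (not from the post above), a small Python checker that parses DHCP OFFER payloads and flags any offer whose server identifier is not the VLAN's authorised helper address; the 10.10.0.5 helper address and the packets built by build_offer are constructed assumptions, not captures.

```python
import struct
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that follows the 236-byte BOOTP header
DHCP_OFFER = 2                     # value of option 53 (message type) for DHCPOFFER

# Assumption: the only DHCP server that should answer in this VLAN is the helper address.
AUTHORIZED_SERVERS = {ipaddress.IPv4Address("10.10.0.5")}

def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} from the UDP payload of a DHCP packet."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad option, single byte
            i += 1
            continue
        if code == 255:        # end option
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def rogue_offer_server(payload: bytes):
    """Return the offering server's IP if this is a DHCPOFFER from an unauthorised server, else None."""
    opts = parse_dhcp_options(payload)
    if opts.get(53) != bytes([DHCP_OFFER]) or 54 not in opts:
        return None                        # not an offer, or no server identifier to judge
    server = ipaddress.IPv4Address(opts[54])
    return None if server in AUTHORIZED_SERVERS else server

def build_offer(server_ip: str, offered_ip: str) -> bytes:
    """Build a minimal DHCPOFFER payload (constructed test data, not a real capture)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      2, 1, 6, 0, 0x1234ABCD, 0, 0,              # BOOTREPLY, Ethernet, hlen 6, xid
                      b"\0" * 4, ipaddress.IPv4Address(offered_ip).packed,   # ciaddr, yiaddr
                      b"\0" * 4, b"\0" * 4, b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, DHCP_OFFER, 54, 4]) + ipaddress.IPv4Address(server_ip).packed + bytes([255])
    return hdr + DHCP_MAGIC + opts

if __name__ == "__main__":
    for srv in ("10.10.0.5", "192.168.1.1"):
        print(srv, "->", rogue_offer_server(build_offer(srv, "10.10.0.50")) or "authorised")
```

     In practice the payload would come from a UDP/68 capture on the VLAN in question; the same parser works on DISCOVER and ACK packets, which simply return None here.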
  24. That is the American Transformers series that aired from 1984 to 1987. There was a movie between season 2 and 3, but it did not have Sparkplug (the human in that picture) and Spike (the younger human in that picture) was older and had a son named Daniel. There's not that many episodes if you want to start finding them, they are all available on DVD, season 4 only had 3 episodes for a grand total of 98 episodes. I picked them up on VHS off ebay many years ago and was thoroughly disappointed by the quality, the new DVDs are much better. http://en.wikipedia.org/wiki/The_Transformers_(TV_series) I am a walking Transformers encyclopedia....
  25. Winantivirus 2009 is the best. It's free, just google around for it. It give me CONSTANT updates. Give it a try!!