01.02.08

Router Down: Some Days You Just Can't Win

By A.P. Lawrence

Some days you just can't win. One of my clients (you know who you are) had such a day yesterday.

It started with some reprogramming of a Fortinet WiFi router. Normally I don't like to see WiFi in a business environment, and if it must be there, I like to see it locked down very securely: access by pre-approved MAC address only if possible, and if not, limited to very little access, maybe just Internet for the convenience of visitors but darn little else. But that's me: some businesses have reasons for allowing more, and that was the case here.

So it started with "How am I going to let the wireless side browse the internal network?" The answer, of course, is to point that side's DNS at whatever server knows about the internal machines; in this case that is their Windows Domain Controller. I wanted the wireless DHCP scope to hand out the Domain Controller as the primary DNS server and the router itself as the secondary, as shown in this screen shot. The router's internal IP is 192.168.2.250, the DC is at 192.168.2.49, and the wireless interface itself is on 10.10.50.1 and will be handing out addresses from 10.10.50.2 through 10.10.50.20.

If you are used to home appliance routers, you may be confused right now, because most of those put wireless and wired on the same subnet. That's not how we do things in the big-boy world: wireless and wired get separate subnets, so that you can create appropriate rules (policies) to control access to your business computers. Sure, Mr. Traveling Salesman doesn't have the password to your main server, but why should he even get a chance to see it, never mind try to log in? He shouldn't. So there will be more work to do on the policies: only trusted machines should be able to reach the internal network. But I digress.

So, initially I had set the wireless side to only get DNS from the ISP. The ISP of course knows nothing about internal machines, so that had to be changed. My client went into the Fortinet browser config to do that and..

Probably because he's also in charge of two hundred other things (he's the kind of guy who always has other people asking him questions while you are on the phone with him: "What do we do about.." and he'll say excuse me, and you'll hear him bark out a string of instructions before he returns to your conversation), probably because he gets hammered from six directions all day long, he made a teeny little mistake. Instead of changing the DNS to point at his Domain Controller, he changed the Fortinet's internal IP to that address.

Oh-oh. That's not good. IP conflict with the main server. Definitely not what you want. But it should be simple enough to fix.. right?

Well sure. Just isolate the Fortinet and one computer from the rest of the network and there's no IP conflict. Reprogram it, put it back, and we're all set. Simple, right?

Um, apparently not. By this time he had called me, so I led him through the rewiring (or unwiring), and we programmed his PC manually (because he had, of course, shut off the DHCP server on the Fortinet), but it wouldn't connect. No access. Ugggh. Maybe he fat-fingered some other address in? We tried a few possibilities, but no luck..
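The slip above is exactly the kind of thing a pre-flight check catches before anything is committed to the box. What follows is an added example written for this page; it is not code from the article and has nothing to do with Fortinet's own software. It models the wired/wireless split described earlier (router at 192.168.2.250, DC at 192.168.2.49, wireless on 10.10.50.1 leasing .2 through .20, DC as primary DNS and the router as secondary) and then evaluates the "only trusted machines reach the internal network" policy against a few sample flows. The /24 masks, the host name dc01, the "wan" label, the trusted wireless machine at 10.10.50.30, the Internet address 203.0.113.10 and the port numbers are all assumptions made for the example.

```python
"""Pre-flight checks for a two-segment (wired + wireless) router change.

Added example, not the article's or Fortinet's code. Subnet masks, host
names, the trusted-host address and port numbers are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Interface:
    name: str
    address: str                                     # the router's own address, CIDR form
    dhcp_range: Optional[tuple] = None               # (first, last) leased on this segment
    dns_servers: list = field(default_factory=list)  # resolvers handed out by DHCP


@dataclass
class Policy:
    src_intf: str
    dst_intf: str
    src: str                     # CIDR
    dst: str                     # CIDR
    ports: Optional[set] = None  # None means any destination port
    action: str = "accept"


# Assumed inventory: hosts whose addresses the router must never take over.
KNOWN_HOSTS = {"dc01": "192.168.2.49"}


def check_config(interfaces, known_hosts=KNOWN_HOSTS):
    """Return a list of problems; an empty list means the change looks safe."""
    problems, router_ips, nets = [], set(), {}
    for intf in interfaces:
        iface = ipaddress.ip_interface(intf.address)
        router_ips.add(iface.ip)
        # 1. The router must not claim an address that belongs to another host.
        for host, ip in known_hosts.items():
            if iface.ip == ipaddress.ip_address(ip):
                problems.append(f"{intf.name}: {ip} is {host}'s address (IP conflict)")
        # 2. Wired and wireless stay on separate, non-overlapping subnets.
        for other, net in nets.items():
            if iface.network.overlaps(net):
                problems.append(f"{intf.name}: {iface.network} overlaps {other} ({net})")
        nets[intf.name] = iface.network
        # 3. The DHCP pool lies inside its segment and does not include the router.
        if intf.dhcp_range:
            first, last = (ipaddress.ip_address(a) for a in intf.dhcp_range)
            if not (first <= last and first in iface.network and last in iface.network):
                problems.append(f"{intf.name}: pool {first}-{last} is outside {iface.network}")
            elif first <= iface.ip <= last:
                problems.append(f"{intf.name}: pool {first}-{last} contains the router ({iface.ip})")
    # 4. A resolver handed out on a local subnet must be the router or a known host;
    #    anything else local is probably a typo (off-net addresses are ISP resolvers).
    known_ips = {ipaddress.ip_address(ip) for ip in known_hosts.values()}
    for intf in interfaces:
        for dns in map(ipaddress.ip_address, intf.dns_servers):
            if any(dns in net for net in nets.values()) and dns not in router_ips | known_ips:
                problems.append(f"{intf.name}: DNS server {dns} is local but not a known host")
    return problems


def segment_for(interfaces, ip):
    """Name of the interface whose subnet holds ip; anything else is 'wan'."""
    for intf in interfaces:
        if ip in ipaddress.ip_interface(intf.address).network:
            return intf.name
    return "wan"


def evaluate(policies, interfaces, src, dst, port):
    """First matching policy wins; a flow that matches no policy is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    pair = (segment_for(interfaces, s), segment_for(interfaces, d))
    for p in policies:
        if (p.src_intf, p.dst_intf) == pair and s in ipaddress.ip_network(p.src) \
                and d in ipaddress.ip_network(p.dst) and (p.ports is None or port in p.ports):
            return p.action
    return "deny"


# The intended change: wireless DHCP hands out the DC as primary DNS, the router as secondary.
WIRELESS = Interface("wireless", "10.10.50.1/24", ("10.10.50.2", "10.10.50.20"),
                     ["192.168.2.49", "192.168.2.250"])
INTENDED = [Interface("internal", "192.168.2.250/24"), WIRELESS]
# The slip: the internal interface address was changed instead of the DNS setting.
SLIP = [Interface("internal", "192.168.2.49/24"), WIRELESS]

POLICIES = [
    # Any wireless client may query the DC for names, and reach nothing else on the LAN.
    Policy("wireless", "internal", "10.10.50.0/24", "192.168.2.49/32", {53}),
    # One trusted, statically addressed machine (assumed 10.10.50.30) may reach the whole LAN.
    Policy("wireless", "internal", "10.10.50.30/32", "192.168.2.0/24"),
    # Everyone on wireless gets to the Internet.
    Policy("wireless", "wan", "10.10.50.0/24", "0.0.0.0/0"),
]

if __name__ == "__main__":
    print("intended:", check_config(INTENDED) or "no problems")
    print("slip:", check_config(SLIP))
    for flow in [("10.10.50.7", "192.168.2.49", 53), ("10.10.50.7", "192.168.2.49", 445),
                 ("10.10.50.30", "192.168.2.49", 445), ("10.10.50.7", "203.0.113.10", 443)]:
        print(flow, "->", evaluate(POLICIES, INTENDED, *flow))
```

Run against the intended change the checker is silent; run against the slip it reports the conflict with the DC (and, as a bonus, that the secondary DNS address 192.168.2.250 is no longer one of the router's own addresses). Two points worth noticing in the policy half: pointing wireless clients' DNS at the DC means the deny-by-default policy needs one deliberate hole, UDP/TCP 53 to the DC only, or name resolution breaks for every visitor; and the trust decision is made on network position, not on a MAC address, because MAC filtering on its own is trivially bypassed by spoofing and is worth having only on top of policies like these.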

Continue reading this article.


About the Author:
A.P. Lawrence provides SCO Unix and Linux consulting services http://www.pcunix.com

About SysAdminNews
SysAdminNews is a collection of articles, news and commentary designed to keep system administrators informed about the latest trends impacting their profession.

-- SysAdminNews is an iEntry, Inc. publication --
iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509
2008 iEntry, Inc.  All Rights Reserved  Privacy Policy  Legal
