BSIT380 - Week 1 Posting - Welcome!

This is my first blog entry for a college course I have just started, called "BSIT 380 - System Hardening and Network Risk Management." This is a cybersecurity course, and I'm not a cybersecurity analyst, so this should be an interesting 12 weeks. My experience is mainly in Linux/Unix systems administration, systems engineering, and data center design and management.
The book for this class is the CompTIA CySA+ Cybersecurity Analyst Certification All-in-One Exam Guide, Second Edition (Exam CS0-002), which is an excellent book to read and an interesting certification to achieve. I may have to take the exam at the end of this course and see how I do. I hold a current CompTIA CASP+ certification, so I hope that knowledge comes in handy for completing this class. Wish me luck!

 

BSIT200 - Week 12 Posting - Passwords...

About 21 years ago, Mr. Bill Burr wrote information security guidelines for the U.S. National Institute of Standards and Technology (NIST), and is responsible for the most obnoxious advice ever given about passwords. It's the one about how your password must be 15 characters long, include uppercase, lowercase, numbers, symbols, hieroglyphics, and a blood sample, and must be changed every 60 days.

He has since apologized for writing a standard for passwords that no one can remember, and that causes people to write down their passwords, which defeats the purpose of complicated passwords in the first place. 

There's an excellent article about it here: https://www.cbc.ca/radio/asithappens/as-it-happens-wednesday-edition-1.4240252/man-who-made-passwords-hard-to-remember-regrets-rules-that-drive-people-crazy-1.4240255
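As an added example (not part of the original post, and not NIST's code), here is the composition-and-rotation policy the post complains about beside a checker that follows the guidance NIST published in its place in 2017 (SP 800-63B): require a minimum length, reject passwords found on a blocklist of common or breached values, impose no character-class rules, and force a change only when compromise is suspected. The blocklist below is a constructed sample, and the upper length cap is an assumption of this example, not a NIST number.

```python
# Added example (not from the original post or from NIST): the old
# composition-and-rotation policy beside an SP 800-63B style checker.
import re
from datetime import date, timedelta
from typing import List

# Constructed sample blocklist. A real deployment loads a large list of
# breached and common passwords (or queries a k-anonymity service).
BLOCKLIST = {"password", "password1", "qwerty", "letmein", "welcome1"}


def old_policy(pw: str) -> List[str]:
    """2003-era composition rules: every missing character class is a violation."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    for name, pattern in (("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
                          ("digit", r"[0-9]"), ("symbol", r"[^A-Za-z0-9]")):
        if not re.search(pattern, pw):
            problems.append(f"missing {name}")
    return problems


def old_rotation_due(last_changed: date, today: date, max_age_days: int = 60) -> bool:
    """Scheduled rotation: the password expires after a fixed interval."""
    return today - last_changed >= timedelta(days=max_age_days)


def modern_policy(pw: str, min_len: int = 8, max_len: int = 128) -> List[str]:
    """SP 800-63B style: require length, reject blocklisted values, and impose
    no character-class rules. 800-63B requires at least 8 characters and says
    to permit at least 64; the 128 cap here is this example's own choice, to
    bound the cost of hashing very long inputs."""
    problems = []
    n = len(pw)  # code points, so spaces and non-ASCII characters all count
    if n < min_len:
        problems.append(f"shorter than {min_len} characters")
    if n > max_len:
        problems.append(f"longer than {max_len} characters")
    # Normalise case so trivial variants of a blocklisted value are caught too.
    if pw.lower() in BLOCKLIST:
        problems.append("on the blocklist of common/breached passwords")
    return problems


def modern_rotation_due(compromise_suspected: bool) -> bool:
    """SP 800-63B: change a password on evidence of compromise, not on a schedule."""
    return compromise_suspected
```

Note the contrast on realistic input: a long passphrase such as "correcthorsebatterystaple" fails the old policy three times over and passes the modern one, while "Password1" satisfies nearly every old composition rule and is rejected by the modern blocklist check.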

This is the last blog posting for this class I'm taking (BSIT200), but no worries. I'm sure the next class I take will require blogging as well.


Fools are everywhere...

“A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.”
-- Douglas Adams, “Mostly Harmless”

BSIT-220 - Week 11 posting - Documentation

One of the things that bothers me the most where I work is people who won't document what they do for fear that their employer will keep their documentation and replace them with a lower-cost employee. These people don't realize that having or not having documentation will in no way stop their employer from firing them with no reason given.

Back in the day when I worked at Dell, accountants decided that Dell needed to reduce its workforce by 10%. At the time, that meant that 8000 people needed to be laid off. So, to make it "not personal," they decided to select a specific pay grade and then lay off everyone in that pay grade. It had nothing to do with work performance. I saw people (myself included) who produced millions in revenue for Dell lose their jobs.

So if documentation (or the lack thereof) doesn't contribute to job security, what does it do?  

Documentation ensures that processes are efficient, consistent, and scalable. Documentation ensures critical business processes survive the loss of personnel or resources. 

Documentation ensures that you can go on vacation, and that the person that has to do your job while you are away, does not develop a personal dislike for you. It also keeps your phone from ringing on your time off. Most importantly, unless you have a photographic memory, documentation helps you keep knowledge organized and available when you need it. 

Make the time to document your business processes. You will be glad you did.

BSIT-200 Week 11 Posting - Printers Kill Trees

I can understand why in some situations we might need a "hard copy" of a document. But in my line of work, I see people print a lot of things that don't need to be printed. I generally tend to print things to a PDF file and then read them on my laptop or tablet. Where I see the biggest part of the problem is when businesses have to print documents that require "original signatures" to make them valid. I consider this to be a failure of the encryption and authentication methods used today by IT.

If we had a secure and easy-to-use method of identifying ourselves via a cryptographic token, and the method was legally accepted by the US Government and business, I'm sure the pile of paper I had to deal with the last time I bought a house would be reduced drastically. We do have methods for signing a PDF file with a cryptographic token, but I don't think the legal system has caught up with it yet. Also, the technology is not as widespread as it should be.

BSIT220 - Week 10 Post - Network Segmentation

The most important reason for configuring network segmentation is improving network security. Network segmentation divides a computer network into smaller, more manageable parts. If a host in one segment is compromised, the attacker's reach is limited to whatever that segment is allowed to talk to, which helps prevent unauthorized access to important data or systems and stops threats from spreading laterally across the network.

Implementing network segmentation involves configuring routers and switches to create and manage the different segments, thus enabling control of the traffic between them in order to enforce security policies. Segments can be created with Virtual Local Area Networks (VLANs), which are logically separate networks within a single physical infrastructure. A VLAN on its own only separates broadcast domains: traffic between VLANs has to pass through a layer-3 device (a router, layer-3 switch or firewall), and that is where the policy must actually be enforced.

Firewalls monitor and control incoming and outgoing network traffic based on predetermined rules. Placed between segments, they regulate the flow of data across each segment boundary; the usual design is a default-deny policy with an explicit allowlist of the flows each segment legitimately needs, so that anything unexpected (for example a server trying to open connections back into the user network) is dropped.

Intrusion Detection and Prevention Systems (IDPS) can be deployed to monitor network traffic, detect potential security threats or violations, and take proactive measures to prevent security breaches.

Implementing antivirus, anti-malware, and encryption solutions helps to safeguard data and communications within each network segment.
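As an added example (not part of the original post), here is the kind of inter-segment policy described above, written as an allowlist with default deny, evaluated in code, and rendered as an nftables forward chain for a Linux router that has one sub-interface per VLAN. The segment names, VLAN ids, prefixes and allowed flows are constructed for illustration; the interface naming (eth0.10 and so on) is an assumption of this example.

```python
# Added example (not from the original post): default-deny policy between
# three VLAN segments, checked in code and rendered as an nftables ruleset.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed segments: VLAN id -> (name, prefix)
SEGMENTS = {
    10: ("users", ipaddress.ip_network("10.10.0.0/24")),
    20: ("servers", ipaddress.ip_network("10.20.0.0/24")),
    30: ("mgmt", ipaddress.ip_network("10.30.0.0/24")),
}


@dataclass(frozen=True)
class Rule:
    src_vlan: int
    dst_vlan: int
    proto: str
    dport: int


# Everything not listed is dropped: users reach the web tier only, management
# may SSH into both other segments, and no segment may initiate into mgmt.
ALLOW = [
    Rule(10, 20, "tcp", 443),
    Rule(30, 20, "tcp", 22),
    Rule(30, 10, "tcp", 22),
]


def segment_of(ip: str) -> Optional[int]:
    addr = ipaddress.ip_address(ip)
    for vlan, (_, net) in SEGMENTS.items():
        if addr in net:
            return vlan
    return None


def verdict(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Decide a NEW connection. Replies ride on connection tracking, so only
    the initiating direction needs a rule (see the ct state line below)."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return "drop"        # unknown address space never crosses the router
    if src == dst:
        return "not-routed"  # same VLAN: switched locally, never hits the firewall
    for r in ALLOW:
        if (r.src_vlan, r.dst_vlan, r.proto, r.dport) == (src, dst, proto, dport):
            return "accept"
    return "drop"


def nft_ruleset(base_iface: str = "eth0") -> str:
    """Render ALLOW as an nftables ruleset with a default-drop forward chain."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for r in ALLOW:
        sname, snet = SEGMENTS[r.src_vlan]
        dname, dnet = SEGMENTS[r.dst_vlan]
        lines.append(
            f'    iifname "{base_iface}.{r.src_vlan}" oifname "{base_iface}.{r.dst_vlan}" '
            f"ip saddr {snet} ip daddr {dnet} {r.proto} dport {r.dport} "
            f'ct state new accept comment "{sname}->{dname}"'
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(nft_ruleset())
```

Running the script prints a ruleset that can be loaded with `nft -f`; the point to notice is that the only `accept` lines are the three listed flows plus established connections, so a compromised server in VLAN 20 cannot open anything towards the users or management segments.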

Implementing network segmentation effectively requires a certain level of expertise in various areas of IT.

Understanding network architecture, protocols, and components is essential for designing and configuring network segmentation in a way that aligns with the organization's requirements and security policies.

Knowledge of cybersecurity principles, best practices, relevant industry regulations, compliance standards, and emerging threats is important for identifying potential vulnerabilities and security measures to protect against cyber-attacks.

Proficiency in IT infrastructure management, including hardware, software, and network administration, is necessary for deploying and maintaining the software and hardware components required for network segmentation.

Having skilled professionals with expertise in these areas will contribute to the successful implementation and management of network segmentation, ensuring that the network remains secure, resilient, and capable of supporting the organization’s operational requirements.

 

BSIT-200 Week 10 Post - Why I love iOS and hate Android.

My preference for a mobile device operating system is Apple's iOS, which strikes a lot of people as odd, since I am a Linux Systems Administrator. Most Linux admins prefer Android, since it is similar to Linux and can be tinkered with. I've heard some people actually refer to Android as a Linux distribution!

However, my reason for liking iOS is simple. After a long day of supporting Linux servers and end-users, and dealing with other people's IT problems, the last thing I want to do is come home to IT problems. I have plenty to do at work. Bringing IT stress home is counter-productive.

I have an iPhone and an iPad, and I've never had a problem with any of these devices. The way they are designed allows me to perform the tasks that I want to perform without any issues, and without me having to fix, side-load, tweak, configure, or otherwise mess with, iOS in any way. I use Apple's apps, and they just work. If I want to self-induce an IT headache, I have a Windows 11 laptop for that. If I want to see a computer that just works, I have a Linux PC and Linux servers for that. I'd rather leave all the IT stress at work where it belongs.

I tried Android once a few years ago and I did not like it. It made me work, by having to spend time configuring things and making them work. Also, the applications just didn't look as good as their iOS counterparts, nor did they seem as intuitive to use. I was using a Samsung Galaxy S10 (when it was new) and as an end-user, I just wasn't impressed. Someone suggested that I might want to look into side-loading some apps and hacking something.

No. Just, no.

 

BSIT-220 Week 9 Post

Presenting my favorite Internet Service Provider of All-Time: 

Fastwyre Broadband

URL: https://fastwyre.com/availability/ne/bellevue/

Plans start at $44.99/month for 100Mbps access, with their most popular plan being the 1Gbps service priced at $69.99/month. A new 2Gbps service is now available for $99.99/month. There are no data caps, and no contracts. Connections to homes are via fiber optic cable, and require a media converter (fiber to Ethernet) and a cable modem/router. Their fiber optic cables are buried, which protects them from the elements. We shall see how well they survive the ground freezing this winter. I should not be too worried since they are also an internet service provider in Alaska, so they should know something about bad weather.

Pros: Fast, reliable access, available in Bellevue and parts of Papillion. Can be combined with a telephone service. Cables are buried, which protects them from the elements.

Cons: Outages are possible due to cable damage. However, they have nowhere near as many reported outages (in my area) as Cox Communications.

I've had their service for a few months now after giving up on Cox Communications. I work from home, so having a reliable internet connection with good uptime is very important to me. My livelihood and income depend on it! I highly recommend this provider!

 

BSIT220 - Week 8 Blog Posting - IPv6 has a lot of addresses

IPv6, short for Internet Protocol version 6, is the successor to IPv4 (Internet Protocol version 4) and represents a fundamental shift in how the Internet addresses devices. IPv6 was developed to overcome the limitations of IPv4, primarily the exhaustion of available IPv4 addresses due to the rapid growth of internet-connected devices. At its core, IPv6 expands the address space from 32 bits in IPv4 to 128 bits, resulting in an astronomical number of unique addresses, approximately 3.4 x 10^38. This abundance of addresses means that every device, from smartphones and laptops to IoT devices, can have its own globally reachable IP address (which is also why a firewall, rather than NAT, has to do the job of keeping unsolicited traffic out). IPv6 addresses are written as eight groups of four hexadecimal digits separated by colons; leading zeros in a group may be dropped and one run of all-zero groups may be abbreviated as "::", so 2001:0db8:0000:0000:0000:0000:0000:0001 is normally written 2001:db8::1.

IPv6 introduces several other key improvements, such as a simplified fixed-length header that makes forwarding cheaper for routers (options moved into extension headers, no header checksum, and no fragmentation by routers). It also carries Traffic Class and Flow Label fields intended for quality of service (QoS), and IPsec was designed alongside it: the early IPv6 node-requirements RFC made IPsec mandatory to implement, but RFC 6434 relaxed that to a recommendation, so an IPv6 deployment is not automatically more secure than an IPv4 one. In essence, IPv6 not only addresses the address space scarcity issue but also brings improved network performance and scalability, laying the groundwork for the ever-expanding digital world we inhabit. While the transition from IPv4 to IPv6 is ongoing, understanding the basics of IPv6 is crucial for network administrators and organizations looking to future-proof their networking infrastructure and ensure seamless connectivity for all their devices.
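As an added example (not part of the original post), here is how a host builds one of those 128-bit addresses for itself with stateless address autoconfiguration (SLAAC): the router advertises a /64 prefix and the host appends a modified EUI-64 interface identifier derived from its MAC address. The example also shows the compression rules mentioned above and the privacy cost of EUI-64, since anyone who sees the address can read the MAC back out of it (the reason RFC 4941 temporary addresses exist). The prefix and MAC address are constructed; 2001:db8::/32 is the documentation prefix from RFC 3849, so no real network is involved.

```python
# Added example (not from the original post): SLAAC address construction from
# a /64 prefix and a MAC (modified EUI-64), compression, and the reverse.
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291, appendix A): split the 48-bit MAC, insert
    0xFFFE in the middle and flip the universal/local bit (0x02) of octet 0."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix: str, mac: str) -> str:
    """Prefix (must be a /64) + EUI-64 interface identifier, in compressed form."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 6 or net.prefixlen != 64:
        raise ValueError("SLAAC needs an IPv6 /64 prefix")
    packed = net.network_address.packed[:8] + eui64_interface_id(mac)
    return ipaddress.IPv6Address(packed).compressed


def mac_from_slaac(addr: str) -> Optional[str]:
    """Reverse the scheme: an observer who sees the address learns the MAC
    (and so the hardware vendor). Returns None if the interface identifier
    is not EUI-64, e.g. an RFC 4941 privacy address."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def expand(addr: str) -> str:
    """Full eight groups of four hex digits."""
    return ipaddress.IPv6Address(addr).exploded


def compress(addr: str) -> str:
    """RFC 5952 style short form: drop leading zeros, one '::' for the longest zero run."""
    return ipaddress.IPv6Address(addr).compressed
```

With MAC 00:1a:2b:3c:4d:5e and prefix 2001:db8:1:2::/64 the host ends up at 2001:db8:1:2:21a:2bff:fe3c:4d5e; the "ff:fe" in the middle of the interface identifier is the giveaway that the address embeds a MAC.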

“IPv6.” Wikipedia, Wikimedia Foundation, 18 Oct. 2023, en.wikipedia.org/wiki/IPv6.

BSIT200 - Week 8 Posting - Unraveling the Different Ethernet Physical Technologies

Ethernet, a critical element of modern networking, encompasses various physical layer technologies that enable the transmission of data across local area networks (LANs). The most common is twisted pair Ethernet, whose cables carry each signal over a pair of wires twisted together so that interference induced on one wire is largely cancelled by the other. There are two kinds: unshielded twisted pair (UTP) and shielded twisted pair (STP). UTP is cost-effective and commonly used in homes and offices, while STP is more suitable for environments with high electrical noise, such as industrial settings.

Fiber optic Ethernet is another essential type that transmits data using light through glass or plastic fibers. It offers high-speed data transmission and is immune to electromagnetic interference, making it ideal for long-distance links and high-bandwidth applications; it is also harder to tap covertly than a copper cable. Coaxial cable was the medium of the original Ethernet standards (10BASE5 "thicknet" and 10BASE2 "thinnet"), but those are obsolete; the coax still in use today carries cable television and DOCSIS internet service rather than Ethernet frames, although it retains the low signal loss that made it attractive. Understanding these distinct Ethernet physical layer technologies is crucial for selecting the most suitable option based on specific requirements and environmental factors.

 

BSIT220 - Week 7 Posting - Let's Encrypt the Internet!

In this week's post I bring to you a website called "Let's Encrypt," which is "a non-profit certificate authority run by Internet Security Research Group that provides X.509 certificates for Transport Layer Security encryption at no charge." (Wikipedia, 2023)

According to their FAQ, "The mission for the organization is to create a more secure and privacy-respecting World-Wide Web by promoting the widespread adoption of HTTPS." (FAQ 2022)

Let's Encrypt will issue you a free TLS server certificate, valid for 90 days, that you can use to secure your site's communications, together with a mechanism for renewing it automatically: the ACME protocol, spoken by clients such as certbot. The recommended practice is to renew every 60 days, so that a broken renewal still leaves a month to notice and fix it before the site goes down. The certificates are domain-validated: the CA checks that you control the domain name (via an HTTP, DNS or TLS challenge) and verifies nothing about the organisation behind it. It's totally legit, and according to Wikipedia, "As of September 2022, Let's Encrypt reports having issued 234 million active (unexpired) certificates." (Wikipedia, 2023)

The service is free, and gets along great with Linux servers, which is good since "Linux is used to power 96.3% of the world's top web servers." (Elad, 2023)

Wikipedia. (2023). Let’s Encrypt. Wikipedia. https://en.wikipedia.org/wiki/Let%27s_Encrypt 

Let's Encrypt. (2022, September 28). FAQ. https://letsencrypt.org/docs/faq/

Elad, B. (2023, September 13). Linux statistics 2023 by market share and usage data. Enterprise Apps Today. https://www.enterpriseappstoday.com/stats/linux-statistics.html


BSIT200 - Week 7 Posting - What is "The Cloud" and why should I care?

You will often hear informed IT people (often system administrators) refer to the cloud as "someone else's computer." Technically, they are correct. The cloud is indeed someone else's computer; many computers, as a matter of fact. So why should you care? One reason is that you may already be using the cloud and not even know it. More and more companies use cloud technology every day to improve their services to the public and cut down on their operational costs. Services such as Facebook, X.com, Instagram, and Snapchat are all cloud-based: applications running on large groups of interconnected computers at remote locations on the internet.

File storage services such as Dropbox and Google Drive are hosted on computers out on the internet somewhere. Many people have personal web pages hosted on cloud-powered sites. Google's Gmail product is cloud-based, so your email is out on the cloud as well.

So is the cloud safe? It's as safe as your service provider can make it, and as safe as you configure it: the provider secures the data centers and the platform, but who can read your files is decided by your own settings (sharing links, a strong unique password, a second login factor). So check the small print in the end-user agreements, and don't put anything in the cloud that you can't afford to accidentally share with the entire world!


BSIT220 - Week 6 Posting - How does DNS work?

The Domain Name System (DNS) is a critical component of the Internet that helps translate human-readable hostname/domain names into machine-readable IP (Internet Protocol) addresses. It serves as a distributed database and a hierarchical naming system for mapping domain names to their corresponding IP addresses, and vice-versa. Without DNS, we would have to keep meticulous records of what IP addresses correspond to our favorite websites, and a lot of the web technologies in use today would have diminished features and capabilities.

So let's take a look at how a "simple" DNS request works:

The User Initiates a Request: When a user enters a domain name (e.g., www.vargasmas.com) into a web browser or any networked application, the application needs to determine the corresponding IP address to establish a connection. Hostnames are for humans. Computers talk to each other via IP Addresses (yes and MAC addresses, but that’s for another post).

Local DNS Cache Check: The first place the system checks is in the local DNS resolver cache, which stores previously resolved domain names and their corresponding IP addresses. If the desired domain name is found in the cache, the process is complete, and the IP address is used. This cache helps speed up the process since it is faster to access previously cached information than it is to repeat a query to a distant DNS server.

Recursive DNS Query: If the domain name is not found in the local cache, or if the previously cached record has expired, the user device contacts a recursive DNS resolver, which is typically provided by the Internet Service Provider (ISP) or a third-party DNS service like Google DNS (8.8.8.8).

Root Name Servers: If the recursive resolver does not have the requested information, it starts the DNS resolution process by contacting a root name server. There are 13 root server identities, named A through M (a.root-servers.net through m.root-servers.net) and run by 12 different organizations, and each identity is served by many anycast instances distributed worldwide. This was done on purpose so that no one organization controls all of the DNS root servers.

Top-Level Domain (TLD) Servers: The root name servers do not have information about specific domain names, but they do know which servers are authoritative for each top-level domain (e.g., .com, .org, .net) and refer the resolver there. TLD servers in turn know the authoritative name servers for the domains registered under them. So in our example, the root server refers the resolver to the .com servers, and a .com server refers it to the name servers that can answer queries for the vargasmas.com domain. Nothing is "routed" along the way: the resolver itself sends a fresh query to each server it is referred to.

Authoritative Name Servers: The TLD server directs the resolver to the authoritative name server for the requested domain. Authoritative name servers are responsible for storing the DNS records for a specific domain. There may be multiple authoritative name servers for a single domain to provide redundancy and load balancing.

DNS Record Retrieval: The recursive resolver contacts the authoritative name server for the requested domain and asks for the specific DNS record associated with the domain name, such as an A record (IPv4 address) or AAAA record (IPv6 address). There are various types of DNS records, and the ones we are most interested in at the moment are:


A Record: The A record maps a hostname to an IPv4 address.
AAAA Record: The AAAA record maps a hostname to an IPv6 address.
PTR Record: This record type maps an IP address back to a hostname (the "reverse" lookup).
CNAME: This record maps an alias to a canonical hostname; the resolver then looks up that name's own A or AAAA record.

CNAME records are particularly interesting because we use aliases to access websites all of the time and never really think about it. For example, I could have a web server called "webserver124.vargasmas.com" with a CNAME record that maps the alias "www" to the real hostname webserver124 (the name that carries the A record). So when you access my web server from the network, you use the Uniform Resource Locator (URL) https://www.vargasmas.com instead of the real hostname, which would look like this: https://webserver124.vargasmas.com. So why wouldn't we just set the hostname of the server to "www"? We certainly could do that; however, if we wanted to host more than one function on a server, such as email, the server could have several aliases, such as "www" and "mail", pointing at the same hostname. Also, if we want to move www.vargasmas.com to another server, all we have to do is change the CNAME record and we are all set. One caveat for the mail example: the hostname named in an MX record must have its own A/AAAA record and must not be a CNAME (RFC 2181, section 10.3), so in practice "mail" is usually created as an A record rather than an alias.

Response to Resolver: The authoritative name server responds to the recursive resolver with the requested DNS record(s). If multiple records are available (e.g., multiple IP addresses for load balancing), all relevant records are returned. Normally, you would only map one IP address to one hostname, but you could have a situation where multiple servers are sharing the work of hosting a website. So, one hostname could point to multiple IP addresses. But that’s a more complex scenario beyond the scope of this post.

The Resolver Caches Response: The recursive resolver caches the DNS response for a specified time period, known as the Time to Live (TTL), to speed up future requests for the same domain.

The User Application Uses the IP Address: With the IP address now available, the user's application (e.g., web browser) can establish a connection to the desired web server using the IP address. The DNS resolution process is complete.

DNS operates efficiently and quickly due to its distributed nature and the use of caching to reduce the need for repetitive queries. This hierarchical system ensures that DNS queries are resolved accurately and reliably across the internet. It also helps when the DNS server itself has the memory, CPU, and network resources to be able to handle many simultaneous queries.
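As an added example (not part of the original post), here is a toy recursive resolver that performs the walk described in the steps above: cache check, then root, then TLD, then authoritative server, following the CNAME for www to its A record and caching every answer for its TTL. All of the zone data is constructed: the server names, TTLs and the RFC 5737 documentation addresses are invented, and only the domain vargasmas.com comes from the post. A deliberately looping CNAME is included to show why a real resolver caps how far it will chase aliases.

```python
# Added example (not from the original post): iterative resolution over a
# constructed set of root, TLD and authoritative servers, with a TTL cache.
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

RR = namedtuple("RR", "name rtype ttl rdata")

# Constructed zone data, one record list per "server".
SERVERS: Dict[str, List[RR]] = {
    "root": [RR("com.", "NS", 172800, "a.gtld-servers.net.")],
    "a.gtld-servers.net.": [
        RR("vargasmas.com.", "NS", 172800, "ns1.vargasmas.com."),
        RR("ns1.vargasmas.com.", "A", 172800, "192.0.2.53"),  # glue
    ],
    "ns1.vargasmas.com.": [
        RR("www.vargasmas.com.", "CNAME", 300, "webserver124.vargasmas.com."),
        RR("webserver124.vargasmas.com.", "A", 300, "192.0.2.10"),
        RR("mail.vargasmas.com.", "A", 3600, "192.0.2.25"),
        RR("loop.vargasmas.com.", "CNAME", 300, "loop.vargasmas.com."),  # broken on purpose
    ],
}


def query(server: str, qname: str, qtype: str) -> Tuple[List[RR], Optional[str]]:
    """What one server replies: an answer if it holds the name, otherwise a
    referral to the name server of the longest delegation enclosing qname."""
    rrs = SERVERS[server]
    answers = [r for r in rrs if r.name == qname and r.rtype in (qtype, "CNAME")]
    if answers:
        return answers, None
    delegations = [r for r in rrs if r.rtype == "NS"
                   and (qname == r.name or qname.endswith("." + r.name))]
    if not delegations:
        return [], None  # this server knows the name does not exist: NXDOMAIN
    return [], max(delegations, key=lambda r: len(r.name)).rdata


class Resolver:
    """Recursive resolver: consult the cache first, then iterate from the root."""

    def __init__(self) -> None:
        self.cache: Dict[Tuple[str, str], Tuple[int, List[str]]] = {}
        self.trace: List[str] = []

    def resolve(self, name: str, qtype: str = "A", now: int = 0, depth: int = 0) -> List[str]:
        if depth > 8:
            raise RuntimeError(f"CNAME chain too long at {name}")
        key = (name, qtype)
        if key in self.cache and self.cache[key][0] > now:
            self.trace.append(f"cache hit {name} {qtype}")
            return self.cache[key][1]
        server = "root"  # a real resolver starts from the deepest delegation it has cached
        while True:
            answers, referral = query(server, name, qtype)
            if answers:
                self.trace.append(f"{server} -> answer")
                break
            if referral is None:
                self.trace.append(f"{server} -> NXDOMAIN")
                return []  # negative answers are cacheable too (RFC 2308); skipped here
            self.trace.append(f"{server} -> refer {referral}")
            server = referral
        rdata: List[str] = []
        for rr in answers:
            if rr.rtype == "CNAME":
                # alias: resolve the canonical name, counting the hop
                self.trace.append(f"CNAME {name} -> {rr.rdata}")
                rdata.extend(self.resolve(rr.rdata, qtype, now, depth + 1))
            else:
                rdata.append(rr.rdata)
        self.cache[key] = (now + min(r.ttl for r in answers), rdata)
        return rdata
```

The `trace` list is the interesting output: the first lookup of www.vargasmas.com shows the three referral hops, the CNAME, and a second walk for the canonical name; a repeat lookup within the 300-second TTL is answered from the cache without any network activity, and one after the TTL has expired walks the tree again.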