IPv4 Private Subnets Defined

Posted by: Tom  :  Category: Internet, Techbait Homegrown, networking

TCP/IP is used within corporate and other private networks.  Address conflicts with Internet systems are something to be avoided, so non-routable IP address ranges are used internally on private networks to prevent this, and also for security reasons.  An Internet-based system cannot directly address one of these IP addresses.  Systems with non-routable addresses are allowed to access the Internet through NAT or a proxy system.

The non routable IP address ranges are:

Class A:  10.0.0.0 – 10.255.255.255

Class B: 172.16.0.0 – 172.31.0.0

Class C: 192.168.0.0 – 192.168.255.255

What is a VPN?

Posted by: Tom  :  Category: Internet, Linux, Microsoft, Operating Systems, Techbait Homegrown, UNIX, Windows, networking

Have you ever wanted to communicate securely over a public network like the Internet in order to exchange confidential or sensitive information, passwords, or other data?  You need a VPN, or Virtual Private Network, to connect you from one point to another over the insecure public medium.  The VPN, whether purely software or a VPN appliance device containing its own software, uses encryption to construct a tunnel between the two points, so the user can exchange confidential information or sensitive login credentials between them.  VPNs are also useful simply for reaching your private network remotely, since you don’t want unknown entities to see your internal network infrastructure or hosts, or to sniff out your passwords.

On a related note, if you use UNIX or Linux, a good way to access your home network over the Internet from a remote point is to set up an SSH tunnel, where the Secure Shell is used to construct the tunnel.  You log in to the remote UNIX or Linux host via SSH and can then launch graphical X Window applications through the SSH tunnel.  You can do this from a Windows client by using Cygwin or other software that lets you run POSIX, GNU, and UNIX/Linux utilities on a Windows machine.  You can do this from work if your network allows this sort of Internet access.  It is handy to be able to access your home UNIX/Linux server over an SSH tunnel.

$ ssh -X u...@server.homenetwork.com
$ ssh -X user@<public ip address of server>

You can request compression of all data to improve the user experience (good for a low-speed link such as a WAN link) using the -C option:

$ ssh -C -X user@<public ip address of server>

You can then run any X Window application from the remote xterm by typing the program’s executable name followed by an ampersand, which runs it in the background as its own process.  You can also run an entire desktop like KDE, GNOME, or the default X Window desktop with the startx command.

ARP Cache Poisoning Prevention

Posted by: Tom  :  Category: Internet, Linux, Techbait Homegrown, UNIX, networking

In computer networking parlance, ARP stands for Address Resolution Protocol.  The name tells us that addresses are being resolved via some sort of lookup table.  The ARP cache is what translates IP (Internet Protocol) addresses to hardware MAC (Media Access Control) addresses within a TCP/IP network.  ARP replies can be spoofed easily if one of your network’s systems is compromised; the compromised system can then spoof other systems on the network.  The spoofing happens when the target machine receives faulty information linking an untrusted MAC address to a local IP address.  The preventative measure (on UNIX and other *NIX systems) is a list of trusted systems hard-coded into the /etc/ethers (or equivalent) file, where the true MAC addresses are mapped to the true IP addresses, preventing the ARP protocol from overriding this information.  The file needs to be updated whenever a network card is changed, since every networked device has a unique MAC address.
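Added example, not from the original post: a small Python checker that compares a snapshot of the ARP cache against the trusted /etc/ethers mapping the paragraph describes and flags entries that disagree; it also reports a single MAC answering for several IPs, which generalizes the post's point. It assumes ethers(5) line order (MAC first, then the IP) and "arp -an" style output; both inputs below are constructed.

```python
ETHERS = """# constructed trusted list, ethers(5) order: <mac> <ip>
00:0c:29:aa:bb:01 192.168.1.1
0:c:29:aa:bb:02   192.168.1.20
"""
# Constructed lines in 'arp -an' style; 192.168.1.1 (the gateway) now resolves to a
# MAC that also claims 192.168.1.30, which is what a poisoned cache looks like.
ARP_OUTPUT = """? (192.168.1.1) at 00:0c:29:aa:bb:99 [ether] on eth0
? (192.168.1.20) at 00:0c:29:aa:bb:02 [ether] on eth0
? (192.168.1.30) at 00:0c:29:aa:bb:99 [ether] on eth0
? (192.168.1.7) at <incomplete> on eth0
"""

def normalize_mac(mac):
    """Canonical lowercase two-digit groups; ethers files may drop leading zeros."""
    return ":".join(f"{int(part, 16):02x}" for part in mac.split(":"))

def parse_ethers(text):
    """Map IP -> trusted MAC from '<mac> <ip>' lines; '#' starts a comment."""
    trusted = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            trusted[fields[1]] = normalize_mac(fields[0])
    return trusted

def parse_arp_table(text):
    """Map IP -> MAC currently in the cache, skipping unresolved entries."""
    seen = {}
    for line in text.splitlines():
        if " at " not in line:
            continue
        ip = line.split("(", 1)[1].split(")", 1)[0]
        mac = line.split(" at ", 1)[1].split()[0]
        if mac != "<incomplete>":
            seen[ip] = normalize_mac(mac)
    return seen

def find_poisoned(trusted, arp):
    """IPs whose cached MAC disagrees with the hard-coded trusted mapping."""
    return {ip: (trusted[ip], mac) for ip, mac in arp.items()
            if ip in trusted and trusted[ip] != mac}

def duplicate_macs(arp):
    """MACs that answer for more than one IP, a common poisoning fingerprint."""
    by_mac = {}
    for ip, mac in arp.items():
        by_mac.setdefault(mac, []).append(ip)
    return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}
```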

Setting up a Solaris DHCP client

Posted by: Tom  :  Category: Internet, Operating Systems, Techbait Homegrown, UNIX, networking

I’m happy to see that the Rite Group still has their page up on how to set up a Solaris DHCP client.  This works and it is very useful.  I always would point field engineers who needed to accomplish this task to this page, and I used it myself for any in house Solaris machines that had to be set up as DHCP clients.  Find this useful method HERE.

Steps to getting a Solaris machine on the network

Posted by: Tom  :  Category: Internet, Operating Systems, Techbait Homegrown, UNIX, networking

Solaris is Sun Microsystems’ version of UNIX.  For non NIS/NIS+ Solaris machines, the things necessary to add it to an IP network are:

  • The /etc/hosts file must have the hostname and IP address of the machine.
  • There must be an /etc/hostname.[interface] file which contains the system hostname.  The [interface] is the designation of the network interface assigned the address, for example, /etc/hostname.eri0 or /etc/hostname.dmfe0.
  • There must exist an /etc/netmasks file which holds the subnet mask for the machine.
  • The /etc/resolv.conf file must contain the DNS server if the host relies on DNS for name to IP address resolution.
  • Finally, the /etc/defaultrouter file needs to hold the IP address of the router for the subnet – or in other words the default gateway address.
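An added consistency check (Python; not from the post) over the five files listed above: it verifies that the hostname in /etc/hostname.<interface> appears in /etc/hosts, that an /etc/netmasks line covers that address, that /etc/defaultrouter lies on the resulting subnet (otherwise the gateway is unreachable), and that /etc/resolv.conf names a server. The file contents are constructed.

```python
import ipaddress

# Constructed file contents for a host "sunbox" on 10.1.2.0/24 using interface eri0.
EXAMPLE_FILES = {
    "/etc/hostname.eri0": "sunbox\n",
    "/etc/hosts": "127.0.0.1 localhost\n10.1.2.15 sunbox loghost\n",
    "/etc/netmasks": "10.1.2.0 255.255.255.0\n",
    "/etc/resolv.conf": "domain example.com\nnameserver 10.1.2.2\n",
    "/etc/defaultrouter": "10.1.2.1\n",
}

def _fields(text):
    """Whitespace-split each line with '#' comments stripped."""
    return [ln.split("#", 1)[0].split() for ln in text.splitlines()]

def check_solaris_network(files, iface="eri0"):
    """Return a list of problems with the five files; an empty list means consistent."""
    problems = []
    hostname = files.get(f"/etc/hostname.{iface}", "").strip()
    if not hostname:
        return [f"/etc/hostname.{iface} missing or empty"]
    # /etc/hosts: '<ip> <hostname> [aliases...]' must name this host
    ip = None
    for f in _fields(files.get("/etc/hosts", "")):
        if len(f) >= 2 and hostname in f[1:]:
            ip = ipaddress.ip_address(f[0])
    if ip is None:
        return [f"{hostname} has no entry in /etc/hosts"]
    # /etc/netmasks: '<network> <mask>'; find the line that covers our address
    subnet = None
    for f in _fields(files.get("/etc/netmasks", "")):
        if len(f) == 2:
            net = ipaddress.ip_network(f"{f[0]}/{f[1]}", strict=False)
            if ip in net:
                subnet = net
    if subnet is None:
        return [f"no /etc/netmasks line covers {ip}"]
    # /etc/defaultrouter must be on that subnet, otherwise it is unreachable
    router = files.get("/etc/defaultrouter", "").strip()
    if not router:
        problems.append("/etc/defaultrouter missing or empty")
    elif ipaddress.ip_address(router) not in subnet:
        problems.append(f"default router {router} is not on {subnet}")
    # /etc/resolv.conf needs at least one nameserver if DNS is used
    if not any(f[:1] == ["nameserver"] for f in _fields(files.get("/etc/resolv.conf", ""))):
        problems.append("/etc/resolv.conf has no nameserver line")
    return problems
```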

Verizon set to release HTC Droid Incredible

Posted by: Tom  :  Category: Gadgets, Google, Techbait Homegrown, cell phones, consumer, networking, technology

Verizon is set to release the HTC Droid Incredible to great fanfare.  It figures that I just switched to Verizon from AT&T and got a shiny new Motorola Droid.  I wasn’t told about the pending release of this new HTC unit when I was at the Verizon store, so I got the Droid.  The Droid is a great machine, but the Incredible has twice the CPU speed and more main memory, as well as what seems to be a better camera.  The Incredible also comes with an OLED type of video display, which I read is not very good in direct sunlight, so maybe the Droid is better for me since I hate when you can’t read a phone display outside.  The Incredible does not have a real keyboard the way the Droid does.  When I was shopping for my phone I thought a real slide out keyboard was a necessity, but now I feel otherwise.  Most of the time I opt for the on screen virtual keyboard on the Droid.  It’s just easier and more convenient to use, and when I eventually upgrade the real keyboard will no longer be a necessity for me.

From the linked article:

Specifications for the HTC DROID Incredible include the following:

  • Android 2.1 with HTC Sense experience
  • 1GHz Qualcomm Snapdragon processor
  • Integrated 8GB flash drive (6.6 GB usable) with microSD expansion card slot
  • 8 megapixel camera with dual LED flash for crisp, detailed images
  • 3.7 inch WVGA (480×800) AMOLED capacitive touch display
  • Optical joystick for smooth navigation
  • Dedicated, touch-sensitive Home, Menu, Back and Search keys
  • Proximity sensor, light sensor and digital compass
  • Integrated GPS
  • Wi-Fi (802.11 b/g)
  • 3.5 mm headset jack
  • Friend Stream for unified Flickr, Facebook and Twitter updates
  • Leap view for quick access to all seven home screen panels
  • Dimensions: 4.63 x 2.30 x 0.47 inches and 4.59 ounces

Tethering your Android Phone to your Laptop

Posted by: Tom  :  Category: Gadgets, Google, Internet, Software, Techbait Homegrown, cell phones, networking, technology

Ever wonder how to use your smart phone’s Internet connection as a modem for your notebook or laptop computer while unable to connect to another WiFi hot spot?  While WiFi hot spots are available at an increasing rate, sometimes you are in a place where an unsecured public access one just is not available.  Now, if you are out and about one might wonder can’t you just use the phone’s web browser to look something up?  Well, yes, to a degree.  Sometimes there is just no replacement for a full computer for your Internet needs.  There are several programs out there, and there are also methods that involve rooting your phone, but a non root convenient method is to use a nifty application called PDAnet on your PC and phone.  Simply install PDAnet to the computer and it will also install the driver.  Once you connect your Android phone to the computer via the USB charging cable, the phone side app will be installed and you can now use the phone as a modem for the computer.  You have to turn on USB debugging mode, which was already enabled on my phone.  Once everything is up and running, you will have full Internet access on the computer via the phone and your unlimited data plan.  I wouldn’t use it as my sole connection or to download vast amounts of data, but it is great in a pinch.  Case in point, you want to use your computer with Internet access at a friend’s house where there is no WiFi hot spot to connect to.  You need to show them something on the computer which requires Internet access.  This solution is the solution to that conundrum.  PDAnet has a trial period and after that you need to pay a modest one time $29 fee for continued full access.  You can continue to use it free of charge but secure HTTPS sites will not be able to be accessed from the free version after the trial expiration.  You can still use it for regular HTTP access however.

AIX 5.x Link Aggregation

Posted by: Tom  :  Category: Operating Systems, Techbait Homegrown, UNIX, networking

Once upon a time I was called on by a software developer to assist him in a problem where he had to code a solution to a bug in the enterprise software that our employer was a vendor of, but the client had their network interface cards combined into a single virtual device, also known as link aggregation.  Why would you want to do this?  Aggregating the nics allows the throughput to be higher for the server.  So, aggregating two Gbit nics will essentially create a 2 Gbit connection, although the individual line speeds are still the 1 Gbit speeds.  It also provides failover since the physical connections are aggregated into a virtual connection which uses one IP address, so if one fails the connection is still active.  This is good fault tolerance, to a point.  I had to figure out how to make one of our AIX servers into a machine with an aggregated nic setup.  It wasn’t so hard once I found the documentation on how to do it.  He was able to work on this machine once I combined the two physical network connections into one virtual device using one IP address, and he was able to then verify the issue the customer was having and code a fix.  This is how a sysadmin in a software company assists the software development and fix process.  I did this for years and it was very interesting and rewarding work, although it was only a small portion of my daily repertoire.

I don’t have to explain it here since the good folks at IBM were kind enough to outline how to do this on their documentation site.  Also, a good overview is available on Wikipedia’s link aggregation page.

NAT – Network Address Translation

Posted by: Tom  :  Category: Internet, Techbait Homegrown, networking

NAT is most commonly used in a private IP network, where the NAT device or server forwards packets between networks, making all outbound packets look as if they originate from the NAT device or server itself.  When a reply is received, the NAT system rewrites the destination address so the packet is delivered to the system that requested it.  This is a proxy-like arrangement and a good security measure.  A large number of systems can access an outside network – usually the Internet – through a single IP address.  Since Internet IP addresses are scarce and getting scarcer, this scheme allows a person or corporate entity to have many non-routable IPs in their private network accessing the larger network through a single ISP-assigned IP address.
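As an added example (not from the original post), here is a minimal port-address translation table in Python that does what this paragraph and the private-subnet post above describe: it only translates sources inside the RFC 1918 ranges (where the 172.16.0.0/12 block runs through 172.31.255.255), rewrites each flow to the single ISP-assigned address, and drops unsolicited inbound packets that no inside host asked for. The addresses and port numbers are constructed documentation values.

```python
import ipaddress
from itertools import count

# The three non-routable RFC 1918 ranges.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    """True when addr falls in one of the non-routable ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

class Nat:
    """Tiny NAPT table: many inside hosts share one public IP via distinct ports."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = count(first_port)       # next free public source port
        self.outbound = {}                    # (inside_ip, inside_port) -> public_port
        self.inbound = {}                     # public_port -> (inside_ip, inside_port)

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outbound packet so it appears to come from the NAT device."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not an internal address")
        key = (src_ip, src_port)
        if key not in self.outbound:          # reuse the mapping for an existing flow
            port = next(self._ports)
            self.outbound[key] = port
            self.inbound[port] = key
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_in(self, src_ip, src_port, dst_port):
        """Deliver a reply to the inside host that opened the flow, or drop it (None)
        when nothing inside asked for it: Internet hosts cannot address 192.168.x.x."""
        if dst_port not in self.inbound:
            return None
        inside_ip, inside_port = self.inbound[dst_port]
        return (src_ip, src_port, inside_ip, inside_port)
```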

Network DMZ

Posted by: Tom  :  Category: Linux, Operating Systems, Techbait Homegrown, UNIX, networking

A network DMZ, or demilitarized zone, sits between the Internet and an entity’s internal network. It is a separate, protected network segment where a server can be set up to provide a service to the outside, like FTP file hosting for customers, a mail server for offsite personnel, web servers, or proxy servers, and to share that data internally through a protected funnel. This is desirable because if the DMZ server is compromised by a malicious person out on the Internet, the attacker won’t have access to the rest of the internal network, and it gives the internal IT people time to sever the external connection and fix the problem, clean the system, or rebuild the system without fear that the attacker has already moved on to wreak havoc on the rest of the internal network.

You can set this up using either a single- or dual-firewall approach. A single-firewall approach requires the firewall to have at least 3 network cards: one goes to the Internet Service Provider, another to the DMZ host, and the third to the internal network router. The firewall needs enough computing power and memory to handle the traffic and all associated filtering between the network cards. A dual-firewall approach is more secure and consists of 2 firewall computers or devices. One sits between the ISP and the DMZ machine or segment, while the second is on the back end, between the DMZ machine or segment and the internal network router. The IT staff can further mix things up by using different firewall vendors for each firewall so that neither shares the same vulnerabilities; this can slow down and hamper attackers who could otherwise use the same methods to defeat both firewalls if they were identical.
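Added example, not part of the post: a Python model of the single-firewall policy described above, with the Internet, DMZ and internal zones each behind their own interface. What it makes concrete is the rule that is deliberately absent, DMZ to internal, so a compromised DMZ host is contained while published services and staff access still work. The subnets and service ports are constructed assumptions.

```python
import ipaddress

# Constructed addressing: one subnet per firewall interface; anything else is the Internet.
DMZ_NET = ipaddress.ip_network("192.168.100.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

def zone_of(addr):
    """Classify an address by the firewall interface it sits behind."""
    ip = ipaddress.ip_address(addr)
    if ip in DMZ_NET:
        return "dmz"
    if ip in INTERNAL_NET:
        return "internal"
    return "internet"

# Allow rules for the first packet of a flow (replies follow the state table).
# Each entry: (source zone, destination zone, permitted destination ports or None for any).
RULES = [
    ("internet", "dmz", {21, 25, 80, 443}),   # only the published services
    ("internal", "dmz", None),                # staff use and manage DMZ hosts
    ("internal", "internet", None),           # outbound access from the inside
]
# No ("dmz", "internal", ...) entry: a compromised DMZ host cannot reach inward,
# which is the whole point of the segment.

def allowed(src, dst, dport):
    """Default-deny policy: a flow passes only if a rule explicitly permits it."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return True                           # same segment, never crosses the firewall
    return any((rs, rd) == (s, d) and (ports is None or dport in ports)
               for rs, rd, ports in RULES)
```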
