Tuesday, June 24, 2008
Dodging black ICE to do a job …
Yet another data point for the NAT is eeeeeeeevil meme …
Smirk called up and asked if I could set up Cacti for one of our customers. They were having an issue with their local network (broadcast storms) and with Cacti monitoring the network, it would be easy to see the problem box. We already manage their firewall, which is a Linux system using iptables, so it can be easily installed there.
Only in the process of setting up Cacti (not difficult, just tedious as there are several pieces of software that have to be compiled and installed manually) I realized that the firewall wasn't handling the NAT for the customer's network—that was another device behind the firewall. And that means Cacti, running on the firewall, had no way of contacting an individual system on the private network.
Sure, there's port forwarding, but that's one port per box that needs to be configured on the NAT device, and while possible, there's usually a limit to the number of port forwards allowed by such a device.
“Sorry, no can do,” I told Smirk.
About an hour later, he calls back. “They have a Linux server on their network. You can install Cacti there,” he said. “They're port forwarding ssh to their Linux system.”
Okay, so to get to the internal Linux system of our customer, I first have to ssh to my virtual workstation at The Data Center (since The Office no longer exists—we all telecommute), then ssh to their firewall (since the firewall only allows connections from known hosts), then ssh to the NAT system, which forwards the traffic to their Linux system.
Okay.
So I'm in the process of installing Cacti on this system when I realize that to finish up the install, I have to access a webpage on said Linux server.
Which I can't do, because port 80 isn't being forwarded to said Linux server.
Sigh.
I bring this up to The Weekly Meeting, and the solution is to use ssh to build a rather crazy SOCKS tunnel between my workstation and the Linux server on the customer site, using several intermediary systems to bounce the packets around.
Seriously.
I'm trying to configure a software package, not hack into NORAD or steal confidential corporate material. But, because of NATing, I have to employ some pretty heavy networking to do what should be a simple job.
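What that ssh chain looks like written down, as an added example that is not from the original post: an ssh_config fragment with a ProxyJump hop chain ending in a local SOCKS5 listener, plus the commands to open it and to reach the web page on the far end. The host names, user names, the 192.0.2.10 address and port 1080 are assumptions; ProxyJump needs OpenSSH 7.3 or later (the 2008-era equivalent was nested ssh -L forwards or a ProxyCommand).

```shell
#!/bin/sh
# Added example of a multi-hop OpenSSH SOCKS tunnel. Host names, users and
# addresses below are constructed placeholders, not values from the post.
set -eu

# Write an ssh_config fragment describing the hop chain. With ProxyJump each
# intermediary only relays an encrypted stream: the hops never get a shell
# on the next host and never see the inner session's plaintext.
write_tunnel_config() {
    cat >"$1" <<'EOF'
Host datacenter-ws
    HostName ws.datacenter.example
    User admin

Host customer-fw
    HostName fw.customer.example
    User admin
    ProxyJump datacenter-ws

Host customer-nat
    HostName nat.customer.example
    ProxyJump customer-fw

# Internal address, reachable only from the NAT box.
Host customer-linux
    HostName 192.0.2.10
    User cacti
    ProxyJump customer-nat
    # SOCKS5 listener bound to loopback only, so nothing else on the
    # workstation (or its LAN) can ride the tunnel.
    DynamicForward 127.0.0.1:1080
    ExitOnForwardFailure yes
EOF
}

# Command that opens the tunnel: -N means "forward only, no remote shell".
tunnel_cmd() { printf 'ssh -F %s -N customer-linux\n' "$1"; }

# Offline sanity check (OpenSSH 6.8+): -G prints the resolved options for a
# host without connecting, so a typo in the chain shows up before any login.
check_config() { ssh -G -F "$1" customer-linux | grep -i -e '^proxyjump' -e '^dynamicforward'; }

# socks5h:// makes the far end (sshd on customer-linux) resolve the name, so
# "localhost" is the Linux server itself and no DNS lookup leaves the tunnel.
browse_cmd() { printf 'curl --proxy socks5h://127.0.0.1:1080 http://%s/\n' "$1"; }
```

Run `write_tunnel_config ~/.ssh/tunnel_config`, start the tunnel with the printed `tunnel_cmd`, and point a browser or `browse_cmd localhost` at the SOCKS proxy to reach the installer page on the customer's Linux box.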
Interview with a Fed
In April, Kip Hawley, the head of the Transportation Security Administration (TSA), invited me to Washington for a meeting. Despite some serious trepidation, I accepted. And it was a good meeting. Most of it was off the record, but he asked me how the TSA could overcome its negative image. I told him to be more transparent, and stop ducking the hard questions. He said that he wanted to do that. He did enjoy writing a guest blog post for Aviation Daily, but having a blog himself didn't work within the bureaucracy. What else could he do?
This interview, conducted in May and June via e-mail, was one of my suggestions.
Being a former Fed herself, Bunny often takes me to task for some of my more outrageous “anti-government” stances, and the difficulty faced by Federal law enforcement in protecting our country.
But … it's the TSA … security theater at its finest! A target even easier than shooting fish in a barrel.
And to his credit, Kip Hawley even mentions as much in this interview, which I think is well worth reading.
(I had thought of titling this entry “Interview with a Vampire” but thought that might be a bit too much. I would have done “Interview with a Vampire Fed” but adding HTML to the title would render my RSS feed invalid. I only mention this because I really liked the idea.)