Network

Add Virtual Disk on the Fly with Free XenServer

One of my customers is paying VMware tons of money to run vSphere. It's really nice to work with the vCenter tools and I was definitely enjoying this product until I found it doesn't allow me to add a virtual disk on the fly while the virtual instance is running. It says "License not available to perform the operation, Feature hotplug not licensed, requires need have have".

Cloud - Evolution or Revolution

There are so many buzzwords out there for cloud computing, Google-type infrastructure, etc. Yesterday was the first time I saw the real thing, when I came across it in one of the largest data centers in Toronto.

Network Recommendation for iSCSI implementation

  1. Switched Gigabit Ethernet network: Connect arrays and hosts to a switched network and ensure that all network connections between hosts and arrays are Gigabit Ethernet. An array can operate at 10 and 100 Mbits, but performance will be significantly degraded.

My hosting provider stopped receiving emails from my server

I have my servers send out log analysis reports to my web application hosted by a hosting provider. This had been working fine for several years until last month. None of my reports were received after Jan 28. Here is how I figured it out. It could be that the backend database was full. This was my first thought, as I hadn't backed up and cleaned the db for a while. But that was not the case: when I logged into the hosting server, I found there was enough space.

Calendar and Contact Sync Between Multiple Platforms

It's been a while since I got part of my calendar and contacts synced between my desktops and mobile device through online services. I lost some calendar today so I decided to clean it up and make sure they all work together nicely.

contact and calendar sync

I know it's not pretty or even a little bit complicated but it works. :-)

Some strange behavior of trixbox

I recently consolidated my trixbox server into a VMware server, and this time I also upgraded the trixbox to the latest version. To verify my system document, I didn't do a backup/restore type of upgrade; instead I recreated the new trixbox configuration plus some modifications according to the new requirements.

Fixed the nedi issue of not showing the rrd graph of subinterface

After installing nedi 1.0.w, I got the following error message when viewing the graph for a subinterface from the web GUI.

Be cautious not to run SSL VPN over port 80

I have a client who has been running a Linux box with OpenVPN for a while. It passes through my enterprise firewall to get into their own isolated environment. After the upgrade of the firewall last week, the client started to complain that they had lost VPN access, and my colleague started to look into it.

My colleague went through a whole bunch of tests but could not find out why the traffic was broken after being established through the firewall. I mentioned that the firewall's application-layer inspection could be the cause, and soon it was resolved.

The client is using port 80 for the SSL VPN traffic, which they should not. It turns out that after the upgrade the firewall evaluates the traffic more deeply than before, because it assumes the traffic is clear-text HTTP. It uses a technology called protocol agent to associate the protocol with an evaluation service. After taking away the protocol agent, my client's SSL VPN worked again.

In this case, neither side is really to blame. But as a precaution, do not run SSL VPN through port 80, especially as more and more firewalls are doing higher-layer inspection nowadays.

Home Made TAP from Patch Panel

This idea is from the snort.org web site for an invisible tap. Basically, with a 24-port patch panel, you can have 6 100M full duplex taps right from it. Each tap will use 4 ports: two ports for the host connection and the other two for tap purposes. For example, I have ports 1 and 4 for the hosts and ports 2 and 3 for the tap. I use 4 wires to connect the following 4 pin groups:

  1. pin 1 of port 1, pin 3 of port 2 and pin 1 of port 4
  2. pin 2 of port 1, pin 6 of port 2 and pin 2 of port 4
  3. pin 3 of port 1, pin 3 of port 3 and pin 3 of port 4
  4. pin 6 of port 1, pin 6 of port 3 and pin 6 of port 4

After that, you can get traffic from port 2 and port 3, one for sending and one for receiving traffic. Then you can use interface bonding to set up a virtual interface to capture the full duplex 100Mbps traffic. Cool!

vBuzzer tricks

I just dived into the hot VoIP technology a while ago. I started with the adapters, then asterisk, and now integration of all that cool stuff.

VBuzzer provides a very inexpensive DID service in the Toronto area (although not free as for some other lucky guys). It's SIP compatible but only the vBuzzer software is officially supported. My goal is to set up my home asterisk box to work with vBuzzer. Here is my journey.

First I found this great post at http://www.voip-info.org/wiki/view/Asterisk+settings+vBuzzer, set it up and tested it. Outbound was working but not inbound.

I searched again and found a lot of people complaining about the inbound issue when using adapters or asterisk. Hmmm, let me try.

After a lot of sniffing, firewall tuning, config changes, etc., I had my vBuzzer service working properly with my asterisk box. It's been up and running for more than two weeks now so I would like to share this with my readers.

  1. sip.conf: make sure externip, localnet and fromdomain are set up properly. For example:
    externip=www.jlisbz.com
    localnet=192.168.0.0/255.255.255.0
    fromdomain=www.jlisbz.com:5060
  2. rtp.conf: make sure rtpstart and rtpend are in a smaller range for your firewall so you can forward them to your asterisk box. For example:
    rtpstart=10000
    rtpend=11000
  3. Your firewall needs to allow and forward UDP 5060 (SIP) and UDP rtpstart-rtpend (RTP) into your asterisk box.
  4. In the registry string and peer setup, DO NOT use vbuzzer.com as the host; please use 209.47.41.48 instead. This is very very important as you will not get the SIP invite for inbound signaling from vBuzzer servers if you don't use .48. I don't know why they set it up that way but just happened to find that after a couple of sniffing sessions.

You should be able to get inbound calls now. Sometimes it will take a short while for it to be effective, but it should be less than 5 minutes in my experience. I saw someone posted that you need to wait for more than hours to get the inbound call. Maybe they didn't set the host IP properly.
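Steps 2 and 3 only work if the firewall forwards exactly the range that rtp.conf defines, so the sketch below derives the forwarding rules from that file and rejects a missing or inverted range. It is an added example, not part of the original post; the WAN interface eth0, the asterisk address 192.168.0.10, the function names and the sample rtp.conf are assumptions.

```shell
#!/bin/sh
# Added example: derive the step 3 port forwards from rtp.conf (step 2) so
# the firewall exposes exactly the UDP range Asterisk is configured to use.
# Assumed names: WAN interface eth0, Asterisk box at 192.168.0.10.

# Print the value of KEY from an Asterisk-style conf file,
# ignoring ';' comments and whitespace around '='.
conf_value() {  # usage: conf_value KEY FILE
    awk -F= -v key="$1" '
        { sub(/;.*/, ""); gsub(/[ \t\r]/, "") }
        $1 == key { val = $2 }
        END { print val }' "$2"
}

# True only for a decimal port number in 1..65535.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print (dry run, nothing is applied) the DNAT and FORWARD rules for
# SIP signalling and the RTP range found in the given rtp.conf.
rtp_forward_rules() {  # usage: rtp_forward_rules RTP_CONF WAN_IF PBX_IP
    start=$(conf_value rtpstart "$1")
    end=$(conf_value rtpend "$1")
    if ! is_port "$start" || ! is_port "$end" || [ "$start" -gt "$end" ]; then
        echo "rtp.conf: invalid rtpstart/rtpend ('$start'..'$end')" >&2
        return 1
    fi
    for ports in 5060 "$start:$end"; do
        echo "iptables -t nat -A PREROUTING -i $2 -p udp --dport $ports -j DNAT --to-destination $3"
        echo "iptables -A FORWARD -i $2 -p udp -d $3 --dport $ports -j ACCEPT"
    done
}

# Constructed sample rtp.conf using the values from step 2.
sample=$(mktemp)
printf '[general]\nrtpstart=10000\nrtpend=11000\n' > "$sample"
rtp_forward_rules "$sample" eth0 192.168.0.10
rm -f "$sample"
```

The function only prints the rules; review them before applying them as root on the firewall.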

I just got an email back from vBuzzer support that told me "Please understand our dedication to provide low prices for calling services does not allow such support now and in near future". But guess what. I can be a volunteer for their support now. :-)
