<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Your Warranty Is Void.com</title>
	<atom:link href="http://www.yourwarrantyisvoid.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.yourwarrantyisvoid.com</link>
	<description>Linux, Hardware, Software and Chaos. What more is there?</description>
	<lastBuildDate>Wed, 18 Jan 2012 03:59:25 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Editorial:YWIV going dark for SOPA</title>
		<link>http://www.yourwarrantyisvoid.com/2012/01/17/editorial-ywiv-going-dark-for-sopa/</link>
		<comments>http://www.yourwarrantyisvoid.com/2012/01/17/editorial-ywiv-going-dark-for-sopa/#comments</comments>
		<pubDate>Wed, 18 Jan 2012 03:59:25 +0000</pubDate>
		<dc:creator>firestorm_v1</dc:creator>
				<category><![CDATA[Site News]]></category>

		<guid isPermaLink="false">http://www.yourwarrantyisvoid.com/?p=1100</guid>
		<description><![CDATA[Ok, so here&#8217;s the deal.  I&#8217;ve been on the fence about whether or not to black out my site in formal protest of SOPA but after talking with several other website owners and operators and consulting with a lawyer friend of mine, I did confirm my worst fears.  While SOPA may be &#8220;well intentioned&#8221; to [...]]]></description>
			<content:encoded><![CDATA[<p>Ok, so here&#8217;s the deal.  I&#8217;ve been on the fence about whether or not to black out my site in formal protest of SOPA but after talking with several other website owners and operators and consulting with a lawyer friend of mine, I did confirm my worst fears.  While SOPA may be &#8220;well intentioned&#8221; to be a fight against piracy, the law is so vaguely written that it would allow anyone to shut down any website with little to no recourse or any due process.</p>
<p>As a self-generating content site (I write my own articles and most of my images are hand-taken; those that aren&#8217;t are linked and used with permission from the original content owners or from the parent company), this is seriously a threat to my sites&#8217; existence.  If I posted a bad review of a product and the company didn&#8217;t like it, under SOPA they could scream that my site was enabling piracy and effectively steal my domain without any due recourse. I could not petition to get my domain back, nor could I do anything else legal about it.  All of my hard work on this site would have been wasted and, even worse, under SOPA they could even make it so I would lose all of my webhosting in its entirety.</p>
<p>I am opposed to any legislation that is written so vaguely and allows the indiscriminate shutdown of any website on the <strong><em>allegation</em></strong> of piracy.  I oppose any legislation that makes my ISPs the &#8220;police&#8221; of the Internet. I oppose any legislation that allows others to take control of my domains without due process.  If you are to charge me with something, you had best be prepared to defend yourself.</p>
<p>Other sites have taken notice.  Google, Reddit, The Electronic Frontier Foundation, Mozilla, and many others are joining in the protest tomorrow and I am going to be one of them.  We must send the warning to Congress that this must not be allowed to pass as it will destroy the Internet. Essentially, this will turn into a witch hunt, where everyone is guilty.</p>
<p>I understand that some of you may not understand and that some of you will be upset, however I will return on January 19th and I hope you will continue to read my site.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.yourwarrantyisvoid.com/2012/01/17/editorial-ywiv-going-dark-for-sopa/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Networking: Bringing IPv6 into your network using pfSense</title>
		<link>http://www.yourwarrantyisvoid.com/2011/12/01/networking-bringing-ipv6-into-your-network-using-pfsense/</link>
		<comments>http://www.yourwarrantyisvoid.com/2011/12/01/networking-bringing-ipv6-into-your-network-using-pfsense/#comments</comments>
		<pubDate>Thu, 01 Dec 2011 23:06:05 +0000</pubDate>
		<dc:creator>firestorm_v1</dc:creator>
				<category><![CDATA[How-To's]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[IPv6]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[pfSense]]></category>
		<category><![CDATA[router]]></category>

		<guid isPermaLink="false">http://www.yourwarrantyisvoid.com/?p=1047</guid>
		<description><![CDATA[The Internet as we know it is undergoing a significant change.  With the last IPv4 addresses being allocated out, the Internet has officially run out of address space.  IPv6 is the next-generation IP addressing system that aims to resolve this issue however the changes proposed are drastically different than the current IP schema currently in [...]]]></description>
			<content:encoded><![CDATA[<p><img class="aligncenter size-full wp-image-1049" title="he-pfsense-ipv6-logo" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/he-pfsense-ipv6-logo.png" alt="Hurricane Electric, PfSense and IPv6" width="497" height="172" />The Internet as we know it is undergoing a significant change.  With the last IPv4 addresses being allocated out, the Internet has officially run out of address space.  IPv6 is the next-generation IP addressing system that aims to resolve this issue; however, the changes it introduces are drastically different from the IP scheme currently in place, and for most people the switch is quite a daunting task. In this post, we will cover some basic IPv6 information and some fundamental differences between v4 and v6 (aside from tons of IPs), and finally we will build out an IPv6-capable pfSense firewall using a free IPv6 tunnel provided by Hurricane Electric. Read more to get started on the cutting-edge of Internet infrastructure.<span id="more-1047"></span></p>
<h1>IPv6 Introduction</h1>
<h2>First, the basics&#8230;.</h2>
<p>Understanding IPv6 networking may at first come off as an extremely complicated endeavor; however, it&#8217;s not that much different from IPv4.  The biggest thing about IPv6 is the massive number of IPs that are made available by the change in the network protocol.  To put it in perspective, the entirety of the existing IPv4 address space consists of approximately 4,228,250,625 addresses (from 0.0.0.0 to 255.255.255.255, or 255^4, including private network blocks and multicast addresses). A single IPv6 network block (like the /64 network block that we&#8217;ll get from Hurricane Electric) contains 18,446,744,073,709,551,616 IPs.  The /64 network assigned to us from Hurricane Electric is only a minuscule fraction of the entire IPv6 address space.</p>
<p>An IP address in IPv4 uses four numbers in dotted-quad notation, each between 0 and 255, like 192.168.1.4, and will include a subnet mask like 255.255.255.0.  This is used to establish the &#8220;network&#8221; that an IP address is a member of. An IPv6 address is radically different, with 8 hexadecimal numbers (from 0000 to FFFF) separated by colons (:), followed by a subnet mask in CIDR notation. An example of an IPv6 address (in this case, ipv6.google.com) is 2001:4860:4002:0802:0000:0000:0000:1010.  Rather than spell all that out, you can use :: to represent one contiguous block of zeros, and leading zeros can be removed.  The formidable example address now becomes the slightly less scary 2001:4860:4002:802::1010.  Another example of an IPv6 address in this &#8220;compressed&#8221; notation would be the IP address for Facebook, 2620:0:1cfe:face:b00c::3 (faceb00c, lol). Yet another funny IPv6 address is cisco.com, at 2001:420:80:1:c:15:c0:d06:f00d (c15co, f00d).</p>
<h2>Some differences in IPv4 and IPv6</h2>
<p>The biggest difference in IPv6 from a network standpoint is that it virtually eliminates the requirement for Network Address Translation.  Instead of proxying an IP address for multiple home networks/hosts, your IPv6 network is fully routable, meaning that you can access your home computer from the Internet without the need of using port forwarding or IP masquerading.  While you technically can NAT an IPv6 address, it&#8217;s no longer an absolute requirement for Internet access. Because the Internet can now access your network, it is especially important that your firewall is configured to deny incoming connections from the Internet and explicitly allow connections on an as-needed basis (like running a web server from home, etc..). We will establish a common ruleset later on, once we have completed the IPv6 configuration.</p>
<p>Another significant change in IPv6 is the role DHCP plays.  Rather than a DHCP server telling a host what the default gateway is for the attached network, the host listens for a router advertisement and uses that in its internal routing table to know how to get to the public Internet.  This router advertisement is handled by radvd, which announces the router&#8217;s IP address to the network.</p>
<h2>A few things to consider</h2>
<p>When <a href="http://www.worldipv6day.org/" target="_blank">World IPv6 Test Day</a> was enacted and executed last June, many major websites went online offering IPv4 and IPv6 dual-stack websites for the purpose of testing the world&#8217;s readiness for IPv6.  Many important things were discovered that day, including the fact that most CPE devices (like Linksys routers, DSL and cable modems and other devices) were not IPv6 compatible.  This was later broadened to include many Internet-connected devices like DVRs, media machines and other devices that were also not ready for IPv6. While some sites maintain IPv6 connectivity, many sites dropped their IPv6 connectivity once World IPv6 Test Day closed.</p>
<p>Before you start out on bringing IPv6 into your network, it is important to understand that IPv6 is still regarded as being an experimental protocol. Most of the sites you are used to won&#8217;t work in a pure IPv6 environment so we are going to set up a dual-stack network.  This means that you will be able to bring in IPv6 connectivity for IPv6 only sites and still be able to access your IPv4 sites just like your network has done in the past.</p>
<p>It is also important to realize that most embedded class devices will not use IPv6.  Devices like embedded media players, game systems, WiFi access points, printers and the like may not support IPv6 even with firmware updates from the manufacturer.  Some devices may get support later on through vendor updates; however, many devices will probably not work.</p>
<p>At the very least you will learn a lot about IPv6 deployment, and you will have plenty of time to test your equipment prior to IPv6 becoming mandatory.</p>
<h1>Enough of the theory already, Let&#8217;s get started.</h1>
<p>In order to bring IPv6 into your home, we will be using an IPv6 tunnel provided by Hurricane Electric&#8217;s <a href="http://tunnelbroker.net/" target="_blank">TunnelBroker.net</a> service.  The service is free, and they provide you with a full /64 IPv6 network to play with.  In addition, they provide a certification service to test your IPv6 knowledge and skills once your IPv6 connectivity is up and running.  They give you a series of goals to accomplish even after your tunnel is up and you&#8217;re routing away, and it makes for great bragging rights.</p>
<p>In order to pull this off, you&#8217;ll need the following:</p>
<ul>
<li>pfSense 2.0 installed and working as the edge router on your network.</li>
<li>A client computer for testing (Windows XP, Windows Vista, Windows 7, Linux, etc.).</li>
<li>Network switch, etc to make sure your client computer is connected to your router.</li>
<li>A WAN Internet connection.  (DHCP, Static, PPPoE, etc does not matter as long as it&#8217;s broadband)</li>
</ul>
<p><strong>Please Note:</strong> Due to the fact that we are using git to sync experimental code, you <strong>cannot</strong> use pfSense Embedded.  I tried to find a way around this, but unfortunately even at the 4GB disk image size, I was never able to get it to fit and work.</p>
<p>The IPv6 configuration will be split up into six sections:</p>
<ol>
<li>Configuring your existing pfSense router to sync up the latest IPv6 code.</li>
<li>Registering for an IPv6 Tunnel from Hurricane Electric.</li>
<li>Configuring pfSense for the tunnel, and DHCPv6.</li>
<li>Configuring workstations for IPv6.</li>
<li>Performing website testing</li>
</ol>
<h2>1: Sync up the latest IPv6 code</h2>
<p>We&#8217;ll start off with our already established and running pfSense router. We will need to enable SSH on the router so we can get to the commandline.  This will be the only time you will need to access the commandline however I do recommend leaving it enabled so you can troubleshoot the IPv6 connection later on.</p>
<p>Start off by logging into the router.  Click on &#8220;System&#8221;, then &#8220;Advanced&#8221;.  Place a check next to &#8220;Enable Secure Shell&#8221;.  If you don&#8217;t want to use the standard port of &#8220;22&#8221;, you can specify a different port below.  Scroll down to the bottom and hit &#8220;Save&#8221;.  Don&#8217;t worry about opening up your SSH port; this does not enable it on the WAN interface.</p>
<div id="attachment_1055" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/enablessh.png"><img class="size-medium wp-image-1055 " title="Enabling SSH" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/enablessh-300x196.png" alt="Enabling SSH" width="300" height="196" /></a><p class="wp-caption-text">Enabling SSH in pfSense</p></div>
<p>Open up PuTTY and type in the IP address of your router.  If you specified an SSH port, be sure to specify it here as well.  For reference, here is my PuTTY configuration.</p>
<div id="attachment_1056" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/enablessh2.png"><img class="size-medium wp-image-1056 " title="PuTTY settings" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/enablessh2-300x287.png" alt="PuTTY settings" width="300" height="287" /></a><p class="wp-caption-text">PuTTY settings</p></div>
<p>Upon successful connection, you will be prompted for a username.  Use the same username and password you use for the Web UI (admin/pfsense).  Once you have successfully logged in, you will get the same status screen as you see on the serial port, showing the WAN and LAN statuses and a menu.</p>
<div id="attachment_1057" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/sshsession.png"><img class="size-medium wp-image-1057 " title="SSH menu" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/sshsession-300x240.png" alt="SSH menu" width="300" height="240" /></a><p class="wp-caption-text">SSH menu</p></div>
<p>Select option 8 (Shell) and then type in the following command:  <strong>pkg_add -r http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/Latest/git.tbz</strong>  This will install Git, which is used to perform the update.  It will take several minutes to download and install all of the packages required to perform the sync.</p>
<div id="attachment_1058" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/sshsession2.png"><img class="size-medium wp-image-1058 " title="Installing Git" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/sshsession2-300x240.png" alt="Installing Git" width="300" height="240" /></a><p class="wp-caption-text">Installing Git</p></div>
<p>Once it has completed, type in <strong>exit</strong> or hit Ctrl-D to return to the SSH menu. At the SSH menu, type option <strong>12</strong> for the &#8220;pfSense Developer Menu&#8221;.</p>
<div id="attachment_1059" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/sshsession3.png"><img class="size-medium wp-image-1059 " title="Accessing the Developer Shell" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/sshsession3-300x240.png" alt="Accessing the Developer Shell" width="300" height="240" /></a><p class="wp-caption-text">Accessing the Developer Shell</p></div>
<p>Now we will do the Git sync. It is important to follow these instructions exactly, as this is where the current running pfSense code is synced up with the pfSense developer code.  At the pfSense developer shell prompt, type in <strong>playback gitsync</strong> and hit enter.</p>
<div id="attachment_1060" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/sshsession4.png"><img class="size-medium wp-image-1060 " title="Performing the Git sync" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/sshsession4-300x240.png" alt="Performing the Git sync" width="300" height="240" /></a><p class="wp-caption-text">Performing the Git sync</p></div>
<p>You will be prompted for the git branch to sync against.  Type in <strong>master</strong> and hit enter.  The next prompt will be for a custom RCS branch; just hit enter, as we want to use the master branch only.  After you hit enter, the Git sync will begin.</p>
<div id="attachment_1061" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/sshsession5.png"><img class="size-medium wp-image-1061 " title="Specifying the Git Branch" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/sshsession5-300x240.png" alt="Specifying the Git Branch" width="300" height="240" /></a><p class="wp-caption-text">Specifying the Git Branch</p></div>
<p>Ok, now here&#8217;s the kicker.  <strong><em><span style="text-decoration: underline;">You must reboot!</span></em></strong> In the screenshot below, it looks like the upgrade has terminated and the device has restarted services; however, there are settings that have been changed that will only take effect on the next reboot.  The SSH session should drop you back to the main SSH menu (what you saw when you initially logged in).  From here, select option <strong>5</strong> and answer <strong>y</strong> to reboot the device.</p>
<div id="attachment_1062" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/sshsession6.png"><img class="size-medium wp-image-1062 " title="Reboot after your SSH session gets terminated" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/sshsession6-300x240.png" alt="Reboot after your SSH session gets terminated" width="300" height="240" /></a><p class="wp-caption-text">Reboot after your SSH session gets terminated</p></div>
<p>When the router has successfully rebooted, check that your Internet connection works.  The one thing that remains is to set up an ICMP rule to allow Hurricane Electric to ping your WAN interface.  This is required as part of the tunnel setup. Log in to your router, click on &#8220;<strong>Firewall</strong>&#8221;, then &#8220;<strong>Rules</strong>&#8221;.  Click the &#8220;+&#8221; add button at the bottom and add a new rule.  Set the interface to <strong>WAN</strong>, protocol to <strong>ICMP</strong>, and ICMP Type to <strong>Any</strong>.  (This can be modified later.)  For the source, set the type to &#8220;<strong>Single Host or Alias</strong>&#8221; and enter the IP address <strong>66.24.2.74</strong>.  This is the IP address of the IPv6 test endpoint.  Set the destination to &#8220;<strong>WAN Address</strong>&#8221; and lastly, enter a description.   Refer to the screenshot below if you need help.</p>
<div id="attachment_1063" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/wanping.png"><img class="size-medium wp-image-1063  " title="WAN Ping rule" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/wanping-300x257.png" alt="WAN Ping rule" width="300" height="257" /></a><p class="wp-caption-text">WAN Ping rule</p></div>
<p>Now that everything is in place in your router, it&#8217;s time to get your tunnel.</p>
<h2>2:Registering with Hurricane Electric</h2>
<p>Now that our router is prepped for the IPv6 installation, it&#8217;s time to register the account with Hurricane Electric.  Head on over to <a title="Hurricane Electric Tunnel Broker" href="http://tunnelbroker.net/" target="_blank">tunnelbroker.net</a> and register an account.  Once you&#8217;ve registered the account, you will get an email with the account information and a validation link.  After you validate, click on &#8220;Create Regular Tunnel&#8221; in the left-hand sidebar and you will be provided a form similar to the one in the screenshot below.  Be sure to select an endpoint that is as geographically close to you as possible, or let the tool recommend the closest endpoint.  (Note: Hurricane Electric allows you to create up to five tunnels. If this is your first tunnel, you will not see the &#8220;You currently have 1 of 5 tunnels&#8221; message.)  Type your WAN IP address into the &#8220;IPv4 Endpoint&#8221; field, select the endpoint, then scroll down and hit &#8220;Create Tunnel&#8221;.</p>
<div id="attachment_1067" class="wp-caption aligncenter" style="width: 263px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/hetunnel1.png"><img class="size-medium wp-image-1067 " title="Hurricane Electric Tunnel Setup" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/hetunnel1-253x300.png" alt="Hurricane Electric Tunnel Setup" width="253" height="300" /></a><p class="wp-caption-text">Hurricane Electric Tunnel Setup</p></div>
<p>After your tunnel has been successfully created, you will get a page that shows your tunnel information.  At the bottom of the page, you will notice that the rDNS delegation fields are blank. Click the &#8220;delegate to dns.he.net&#8221; link to autofill the reverse nameservers with Hurricane Electric&#8217;s default nameservers.  Click &#8220;Save&#8221; to commit the changes, then print this page. You will need it for the pfSense page.  Keep in mind that the tunnel IP address and the Routed /64 are off by <strong><span style="text-decoration: underline;">one digit</span></strong>. This will be important later on.</p>
<div id="attachment_1068" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/hetunnel2.png"><img class="size-medium wp-image-1068 " title="Tunnel Information Page" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/hetunnel2-300x286.png" alt="Tunnel Information Page" width="300" height="286" /></a><p class="wp-caption-text">Tunnel Information Page</p></div>
<p>If you are on a dynamic IP connection (DSL, Cable Internet, FiOS, etc&#8230;), there&#8217;s one more thing you need to be aware of.  Should your WAN IP change, you will need to update your tunnel. When you log in to Hurricane Electric, you will get a page similar to the one below, showing all of the configured tunnels on your account.</p>
<div id="attachment_1069" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/hetunnel3.png"><img class="size-medium wp-image-1069 " title="Tunnel List Page" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/hetunnel3-300x205.png" alt="Tunnel List Page" width="300" height="205" /></a><p class="wp-caption-text">Tunnel List Page</p></div>
<p>To edit the tunnel, click on the tunnel name and you&#8217;ll be taken to the Tunnel Information page.  Click on the Client IPv4 address and make your IP change, then simply click elsewhere on the page (not on a link) and wait for the text field to turn back into a link.  If it does not, an error message will indicate the problem (usually that it cannot ping the WAN).</p>
<div id="attachment_1070" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/hetunnel4.png"><img class="size-medium wp-image-1070 " title="WAN IP Setup Error" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/hetunnel4-300x297.png" alt="WAN IP Setup Error" width="300" height="297" /></a><p class="wp-caption-text">WAN IP Setup Error</p></div>
<h2>3: Configuring pfSense</h2>
<h3>Building up our tunnel endpoint</h3>
<p><strong>Note</strong>:  From here on out, I will be using the example IPs of <strong>2001:470:1234:567<span style="text-decoration: underline;">8</span>::</strong> for the IPv6 tunnel and <strong>2001:470:1234:567<span style="text-decoration: underline;">9</span>::</strong> for the Routed /64.  In your tunnelbroker.net configuration, you should have a similar offset (your tunnel is one IP less than your routed netblock).  Please keep this in mind as we go through the next steps, as you cannot get the two confused.</p>
<p>We have a synced router and we have our tunnel configuration. Now it&#8217;s time to start configuring pfSense.  We will start out by building the tunnel endpoint. Log in to the router, click on <strong>Interfaces &gt; Assign</strong> and click on the <strong>GIF</strong> tab.  We will be adding a GIF tunnel in order to bring the IPv6 connectivity into our router. GIF uses <a href="http://www.ietf.org/rfc/rfc2893.txt" target="_blank">RFC2893</a> to encapsulate IPv6 into an IPv4 packet.  When we receive an encapsulated packet, pfSense will &#8220;unpack&#8221; it and reassemble it into an IPv6 packet before acting on it according to the firewall policy.  On the GIF tab, click the &#8220;<strong>+</strong>&#8221; link and enter your IPv6 tunnel endpoint information.</p>
<ul>
<li>Parent Interface should be set to WAN</li>
<li>GIF Remote Address should be the &#8220;Server IPv4 address&#8221;</li>
<li>GIF Tunnel Local Address should be the &#8220;Client IPv6 address&#8221;</li>
<li>GIF Tunnel Remote Address should be the &#8220;Server IPv6 address&#8221;</li>
<li>Description should be something descriptive but can be freeform.</li>
</ul>
<div id="attachment_1076" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/pfsense1.png"><img class="size-medium wp-image-1076" title="GIF interface page" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/pfsense1-300x167.png" alt="GIF interface page" width="300" height="167" /></a><p class="wp-caption-text">GIF interface page</p></div>
<p>Once complete, hit &#8220;Save&#8221;. This will add the tunnel endpoint to the router. Click on <strong>Interface Assignments</strong> so we can assign it to a virtual interface.  To do this, click on the &#8220;<strong>+</strong>&#8221; icon and the GIF tunnel should show up as an OPT interface as shown in the screenshot below.</p>
<div id="attachment_1077" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/pfsense2.png"><img class="size-medium wp-image-1077" title="Interfaces page" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/pfsense2-300x124.png" alt="Interfaces page" width="300" height="124" /></a><p class="wp-caption-text">Interfaces page</p></div>
<p>Now we need to configure the OPT interface. Click on <strong>Interfaces &gt; OPT1</strong>.  This will be the equivalent of the &#8220;WAN&#8221; of our IPv6 network.  Since it has never been used before, it is disabled by default. Place a check next to &#8220;<strong>Enable Interface</strong>&#8221;, which will add the IPv6 configuration section shown here. Set the</p>
<p>Click on the text &#8220;<strong>Add a new one</strong>&#8221; in the Gateway section and enter the configuration as shown.</p>
<ul>
<li>Default v6 Gateway should be <strong>Checked</strong>.</li>
<li>Gateway Name IPV6 is a brief one-word name to help you identify the gateway.  I have chosen &#8220;IPV6GW&#8221;.</li>
<li>Gateway IPv6 should be the <strong>Server IPv6 Address</strong>.</li>
<li>Description is an arbitrary length text to describe this gateway definition.</li>
</ul>
<p>When you&#8217;re done, you should have something similar to what is in the below screenshot.  For some reason, the gateway text showed up very small, so I increased the zoom so it was readable.</p>
<div id="attachment_1078" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/pfsense3.png"><img class="size-medium wp-image-1078" title="IPV6WAN setup" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/pfsense3-300x288.png" alt="IPV6WAN setup" width="300" height="288" /></a><p class="wp-caption-text">IPV6WAN setup</p></div>
<p>Click on &#8220;<strong>Save Gateway</strong>&#8221; first to commit the gateway information. You should see the IPv6 gateway show up in a dropdown.  Next, scroll down and click &#8220;<strong>Save</strong>&#8221; to save the interface information.  Finally, click &#8220;<strong>Apply Changes</strong>&#8221; to apply the interface configuration and start the tunnel.  You can validate the tunnel&#8217;s operation by checking the dashboard (click on the pfSense logo).  If you don&#8217;t have the Interfaces and the Gateways windows, they can be added by clicking on the &#8220;<strong>+</strong>&#8221; and selecting the relevant options.</p>
<div id="attachment_1079" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/pfsense4.png"><img class="size-medium wp-image-1079" title="Dashboard status page" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/pfsense4-300x228.png" alt="Dashboard status page" width="300" height="228" /></a><p class="wp-caption-text">Dashboard status page</p></div>
<p>Now that the endpoint is up and running, it&#8217;s time to configure the LAN interface.</p>
<h3>Setting up the LAN interface</h3>
<p>Since we&#8217;re running in a dual-stack configuration, we are going to just add the IPv6 information to the existing IPv4 interface.  As an option, you could theoretically set up a VLAN and a new LAN interface and create an IPv6 only network.  This is something I&#8217;m planning on my network and something I&#8217;m sure I&#8217;ll cover in another article. Let&#8217;s start off by pulling up the LAN configuration via <strong>Interfaces &gt; LAN</strong>.</p>
<p>First thing to do is set the <strong>IPv6 Configuration Type</strong> to <strong>Static IPv6</strong>. This will show the IPv6 configuration section.  Enter the first IP address in the Routed /64 section from the tunnel information.  When complete, you should have something like the screenshot below.  Scroll down and hit <strong>Save</strong> to write the settings, then <strong>Apply</strong> to make the new settings active.</p>
<div id="attachment_1080" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/pfsense5.png"><img class="size-medium wp-image-1080" title="LAN configuration page" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/pfsense5-300x279.png" alt="LAN configuration page" width="300" height="279" /></a><p class="wp-caption-text">LAN configuration page</p></div>
<h3>Setting up DHCPv6</h3>
<p>In order to bring the IPv6 configuration to your workstations, we will set up DHCPv6.  This is entirely optional: right now you could set up static IPv6 addresses just as well as using DHCP.  However, rather than typing insanely long addresses into all of your workstations, it&#8217;s easier and faster to set up DHCPv6 and let the client OSes pull their configuration as needed.  To get started, click on <strong>Services &gt; DHCPv6 Server</strong> and then on the <strong>LAN</strong> tab.</p>
<ul>
<li>Set the <strong>Router Advertisements</strong> to <strong>Assisted</strong>.  This controls the radvd daemon mentioned earlier.  By setting the mode to &#8220;Assisted&#8221;, you are telling radvd to send router advertisements on the local network. Those advertisements are what the client hosts use to learn their default IPv6 router; DHCPv6 itself does not hand out a default route.</li>
<li>Place a check next to <strong>Enable the DHCPv6 server on the LAN interface</strong>.</li>
<li>Enter the desired start and end addresses for your network DHCP range. Please note that, unlike the &#8220;short notation&#8221; using the double colon, you must explicitly write out the zeroes for every group.  In my example, I&#8217;m using 2001:470:1234:5679:0:0:0:100 as my start point and 2001:470:1234:5679:0:0:0:200 as my end point, allocating 256 addresses to DHCP (remember, IPv6 addresses are hexadecimal.)</li>
<li>Enter the Anycasted IPv6 DNS server from the Hurricane Electric tunnel configuration into the DNS server field.</li>
</ul>
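<p>As an added example that is not part of the original post, the following Python script converts the compressed form of the pool boundaries into the explicit notation the pfSense field requires and checks the pool against the routed /64 before you type it in; the <em>count</em> it reports includes both endpoints, and the 2001:470:1234:5679::/64 prefix is the article&#8217;s own example value, not a real allocation.</p>

```python
# Added example (not from the original article): write a DHCPv6 pool in the
# explicit no-"::" form the pfSense DHCPv6 Server page expects, and check it
# against the routed /64 before entering it. 2001:470:1234:5679::/64 is the
# article's example prefix, not a real allocation.
import ipaddress

# Routed /64 from the tunnel details, as configured on the LAN interface.
LAN_PREFIX = ipaddress.IPv6Network("2001:470:1234:5679::/64")


def explicit(addr: str) -> str:
    """Expand '::' so every one of the eight groups is written out.

    pfSense wants 2001:470:1234:5679:0:0:0:100 rather than ...5679::100, so we
    take the fully exploded form and drop only the leading zeros of each group.
    """
    exploded = ipaddress.IPv6Address(addr).exploded  # 2001:0470:1234:5679:0000:0000:0000:0100
    return ":".join(group.lstrip("0") or "0" for group in exploded.split(":"))


def check_range(start: str, end: str, prefix: ipaddress.IPv6Network = LAN_PREFIX) -> dict:
    """Validate a DHCPv6 pool and return it in explicit notation with its size.

    The size counts both endpoints. Raises ValueError if the pool is reversed,
    falls outside the LAN prefix, or would hand out the router's own address
    (the first host of the /64, which the article assigns to the LAN interface).
    """
    lo = ipaddress.IPv6Address(start)
    hi = ipaddress.IPv6Address(end)
    if lo > hi:
        raise ValueError("pool start is above pool end")
    if lo not in prefix or hi not in prefix:
        raise ValueError(f"pool must lie inside {prefix}")
    router = prefix[1]
    if lo <= router <= hi:
        raise ValueError(f"pool overlaps the LAN interface address {router}")
    return {"start": explicit(start), "end": explicit(end), "count": int(hi) - int(lo) + 1}


if __name__ == "__main__":
    pool = check_range("2001:470:1234:5679::100", "2001:470:1234:5679::200")
    # {'start': '2001:470:1234:5679:0:0:0:100', 'end': '2001:470:1234:5679:0:0:0:200', 'count': 257}
    print(pool)
```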
<div id="attachment_1081" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/pfsense6.png"><img class="size-medium wp-image-1081" title="DHCPv6 configuration" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/pfsense6-300x282.png" alt="DHCPv6 configuration" width="300" height="282" /></a><p class="wp-caption-text">DHCPv6 configuration</p></div>
<h3>Configure some Firewall rules</h3>
<p>At this point the router is configured, but without some firewall rules in place we will not be able to route out or even get a DHCP address. We will need to add a rule so that our IPv6 traffic can get out.  Click on <strong>Firewall -&gt; Rules</strong>, then click on the <strong>LAN</strong> tab.  We are going to duplicate the existing LAN outbound rule.  In the rule listing, click on the &#8220;<strong>+</strong>&#8221; icon to the right of the IPv4 outbound rule and change the protocol from IPv4 to IPv6.  Once done, hit <strong>Save</strong> then <strong>Apply</strong>.  When you&#8217;re done, your LAN rules should look like the below.</p>
<div id="attachment_1082" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/pfsense7.png"><img class="size-medium wp-image-1082" title="Duplicated Firewall rules" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/pfsense7-300x109.png" alt="Duplicated Firewall rules" width="300" height="109" /></a><p class="wp-caption-text">Duplicated Firewall rules</p></div>
<h2> 4: Configure your workstations</h2>
<p>After you get the router configured, it&#8217;s time to set up a workstation.  For this test, I used a Linux box and a Windows 7 workstation.  For Windows, all that is needed is to make sure that the NIC has IPv6 support bound to it.  To do this, go to the Network and Sharing Center and click on the &#8220;Adapter Settings&#8221; on the left hand sidebar.  Right click the adapter and go to Properties.  Make sure that IPv6 is listed and checked as shown below:</p>
<div id="attachment_1085" class="wp-caption aligncenter" style="width: 248px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/ipv6nic.png"><img class="size-medium wp-image-1085" title="Windows 7 Network protocols list" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/ipv6nic-238x300.png" alt="Windows 7 Network protocols list" width="238" height="300" /></a><p class="wp-caption-text">Windows 7 Network protocols list</p></div>
<p>To test that it&#8217;s working properly, open up a command prompt and check that ipconfig is showing the proper IP address.  Disregard any fe80:: addresses as these are link-local and not routable for our purposes. Your output should look something like my output below:</p>
<div id="attachment_1086" class="wp-caption aligncenter" style="width: 289px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/ipconfig.png"><img class="size-medium wp-image-1086" title="Windows 7 ipconfig" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/ipconfig-279x300.png" alt="Windows 7 ipconfig" width="279" height="300" /></a><p class="wp-caption-text">Windows 7 ipconfig</p></div>
<p>In Linux, the setup is even easier.   Most Linux distributions already have IPv6 enabled, so it&#8217;s just a matter of pulling an IP address.  Run <strong>sudo dhclient -6 -v {interface}</strong> where {interface} is your network interface.  In my output below, I am using wlan0.  The <strong>-v</strong> parameter is optional; it only shows what dhclient is doing and confirms that it picked up the address from pfSense.</p>
<div id="attachment_1088" class="wp-caption aligncenter" style="width: 217px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/Screenshot-Terminal.png"><img class="size-medium wp-image-1088" title="Linux dhcpcd output" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/Screenshot-Terminal-207x300.png" alt="Linux dhcpcd output" width="207" height="300" /></a><p class="wp-caption-text">Linux dhcpcd output</p></div>
<p>This next screenshot shows <strong>ifconfig</strong> with three IP addresses: one IPv4 address, one link-local IPv6 address and the routable IPv6 address.</p>
<div id="attachment_1089" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/Screenshot-Terminal-1.png"><img class="size-medium wp-image-1089" title="Linux ifconfig output" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/Screenshot-Terminal-1-300x131.png" alt="Linux ifconfig output" width="300" height="131" /></a><p class="wp-caption-text">Linux ifconfig output</p></div>
<p>If you want to make the IPv6 settings permanent, you can set this information in Network Manager.  Edit your existing network connection, click on <strong>IPv6 Network</strong>, set the &#8220;Method&#8221; dropdown to <strong>Automatic</strong> and hit <strong>Save</strong>.  I didn&#8217;t provide screenshots on this because it depends on the network type and connection name and it ended up being way more complex than necessary.  IPv6 connectivity should work on both wired and wireless Ethernet adapters.</p>
<h2>5: Time to test!</h2>
<p>There are several sites available that allow IPv6 testing and IPv6/v4 dual-stack testing. My favorite is <a href="http://test-ipv6.net" target="_blank">http://test-ipv6.net</a>.  The site does IPv6 and IPv4 dual-stack testing and ensures that you are able to connect to both IPv6 and IPv4 sites.  You can also try browsing to <a href="http://ipv6.google.com" target="_blank">http://ipv6.google.com</a>, which is an IPv6-only site.   If all goes well, you should receive output like the below:</p>
<div id="attachment_1090" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/testipv6com.png"><img class="size-medium wp-image-1090" title="Test-ipv6.com test results" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/testipv6com-300x159.png" alt="Test-ipv6.com test results" width="300" height="159" /></a><p class="wp-caption-text">Test-ipv6.com test results</p></div>
<h1>So, what now?</h1>
<p>With IPv6 properly working on your network, you are good to go; however, there&#8217;s probably not much to look at.  Most of the sites I tested were IPv4 only and the few IPv6 sites I could find were mostly broken.    From a consumer-side standpoint, you will notice no difference in the operation of websites.  From a server standpoint, each IP address is routable, meaning that each and every IP in your netblock can run web-accessible services.  The thing now is to pay close attention to your firewall.</p>
<p><strong>Remember that all IPs are routable!</strong>  Prior to this setup, your router implicitly &#8220;protected&#8221; your LAN by using network address translation. By default, the router would allow LAN connections to exit the router, but any unsolicited connection from the Internet could not reach the LAN workstations due to how NAT works.  We used port forwarding to allow outside Internet computers in to access local services.  IPv6 has no such requirement, and all IPv6 addresses are public.  You need to make sure that your router&#8217;s firewall is set up properly and only allows incoming connections to IPs as needed by your network.  Our firewall configuration is set up with a default deny policy and an explicit LAN outbound rule.  This means that inside IPv6 addresses can surf the Internet uninhibited, but any unsolicited connection from the Internet is automatically blocked.</p>
<p><strong>Test your network devices!</strong> Test all of your devices, from your computers to your smartphones, printers and anything else that plugs into the network.  You&#8217;ll get a quick idea of what works on IPv6 and what doesn&#8217;t. You&#8217;ll also have a good idea of which manufacturers and what devices to look for firmware updates in order to get ready for when IPv6 goes live.</p>
<p>For further things to do with your tunnel, take a look at Hurricane Electric&#8217;s IPv6 certification test.  The IPv6 certification test will test your knowledge of IPv6 and setting up various services on an IPv6 server including email and a Web server.  It&#8217;s a good idea to give it a shot so you can get experience working with the new IPv6 network.</p>
<p>Hopefully all went well in your IPv6 configuration and you&#8217;re up and running. If not, post a reply and I&#8217;ll try my best to help out.</p>
<p>Happy Hacking!<br />
FIRESTORM_v1</p>
]]></content:encoded>
			<wfw:commentRss>http://www.yourwarrantyisvoid.com/2011/12/01/networking-bringing-ipv6-into-your-network-using-pfsense/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Networking: Installing and configuring pfSense Embedded</title>
		<link>http://www.yourwarrantyisvoid.com/2011/11/11/networking-installing-and-configuring-pfsense-embedded/</link>
		<comments>http://www.yourwarrantyisvoid.com/2011/11/11/networking-installing-and-configuring-pfsense-embedded/#comments</comments>
		<pubDate>Sat, 12 Nov 2011 02:54:03 +0000</pubDate>
		<dc:creator>firestorm_v1</dc:creator>
				<category><![CDATA[Embedded devices]]></category>
		<category><![CDATA[How-To's]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Hardware]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[pfSense]]></category>
		<category><![CDATA[router]]></category>

		<guid isPermaLink="false">http://www.yourwarrantyisvoid.com/?p=969</guid>
		<description><![CDATA[After publishing the last post on networking and the security series, I felt it was necessary to go ahead and publish a piece on building a custom router.  I have been a fan of pfSense for the past four years and swear by it. It has the ease of use of a commercial GUI-driven router [...]]]></description>
			<content:encoded><![CDATA[<p><img class="aligncenter size-full wp-image-970" title="pfSense Logo" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/pfsenselogo.png" alt="pfSense Logo" width="300" height="110" /></p>
<p>After publishing the last post on networking and the security series, I felt it was necessary to go ahead and publish a piece on building a custom router.  I have been a fan of pfSense for the past four years and swear by it. It has the ease of use of a commercial GUI-driven router and unrivaled flexibility limited only by the hardware it is installed on.  In this howto article, we will cover installing pfSense on an embedded platform and initial configuration for getting your router up and running.</p>
<h3>First, an introduction to pfSense</h3>
<p>pfSense is a lightweight FreeBSD-based distribution geared towards router and firewall installations. It has been around since 2004, when it was forked from the m0n0wall project, and has since turned into an excellent stand-alone distribution for routing and firewalling.  Although pfSense is generally intended for full-PC installations, an embedded image is offered that does not skimp on features.  pfSense is well known in the Linux/Unix/BSD community and is very highly regarded for both its feature set and its flexibility.</p>
<p>A question I get asked a lot is &#8220;Why pfSense? Why not just buy a Linksys?&#8221;  The answer is about hardware and software.  While I do own a couple of Linksys routers and do admire Linksys for bringing NAT devices to the common user, their hardware is restrictive and is only usable in the standard configuration (1 WAN and 4 LAN/WIFI).  Even though it has been proven several times that the hardware they use for the LAN portion can support advanced features like VLANs, bridging and multiple interfaces/IPs, they will never release this functionality to those that want it and will instead force the advanced user to look elsewhere. In Linksys&#8217;s view, the router dictates the network.  With pfSense, I can build a custom configuration however I deem fit, with multiple NICs for WAN and LAN, with custom configurations and with VLAN support.  Not to mention that &#8220;stock&#8221; pfSense even supports DHCP, Captive Portal (like &#8220;free wifi&#8221;), DNS, VPN support, Fail Over mode and many other options that Linksys wouldn&#8217;t ever make available.  Even if I never use VPN support or the Failover mode, it&#8217;s nice to know those features are there should I ever need them.</p>
<h3>Hardware Requirements:</h3>
<p>In order to use pfSense Embedded, you will need a computer that adheres to the below spec.  Of course more is better, but these are the minimum specs as posted on the pfSense website.</p>
<ul>
<li>CPU: 100MHZ x86 Pentium or equivalent.</li>
<li>RAM: 128 MB RAM</li>
<li>Serial Port</li>
<li>512MB Flash storage or 1GB hard drive</li>
<li>Two Network Adapters (NICs)</li>
</ul>
<p>Please note that some of the advanced features like VPN support, Captive Portal and some high-bandwidth connections may require faster processors than what is outlined above.  If you want to make sure your embedded platform matches spec, take a look at <a href="http://www.pfsense.org/index.php?option=com_content&amp;task=view&amp;id=52&amp;Itemid=49">pfSense&#8217;s hardware sizing guide</a>, which covers some of the items more in depth.</p>
<h3>A note on storage:</h3>
<p>The pfSense distribution comes in two flavors.  You have the &#8220;desktop PC&#8221; version for full-size computers with a CD ROM and a hard drive, and you have an &#8220;embedded&#8221; version for devices without a CDROM or hard drive that boot from some form of flash storage.  While you may be able to install the desktop PC version on the embedded device, it is not recommended, as that distribution is tailored for running on a hard drive, not a solid-state memory device.  If you intend to use a hard drive, install the PC version.</p>
<p>You can use any IDE device for storage as long as it is recognized by your computer&#8217;s BIOS and is supported by FreeBSD.  I have not had a problem with either of these two stipulations, so you should not have any problems with it. One thing to consider is the use of an IDE to CF adapter <a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16822998003">like this one on Newegg</a>.  This particular device fits right into the IDE header on the motherboard and allows you to use a Compact Flash cartridge as an IDE hard drive which is perfect for installing and running pfSense.  The router in my home is a slightly different model, but is running on a Sandisk 4GB CF cartridge and has been doing so for the last two years without fail.</p>
<h3>My hardware:</h3>
<p>In this howto, I will be using a Transcend 1GB IDE solid-state device that I got on Ebay. This device plugs into the 40 pin IDE header and mimics a standard hard drive.  It is fast and will definitely get the job done.  The hardware I will be using is a set top box device I scavenged from a computer show a long time ago.  It has a 233MHz Cyrix processor, 512MB RAM, an onboard serial port, an IDE port, an onboard NIC and a single PCI riser slot where I will be installing a dual 10/100 Intel NIC.</p>
<h3>Getting Started:</h3>
<p>If you are using the CF to IDE adapter mentioned earlier, you can use a USB-CF reader and an application to burn the image to the CF cartridge.</p>
<p>In order to proceed, you will need the following items</p>
<ul>
<li>A Linux based computer with one free IDE port</li>
<li>An IDE-CF adapter with an appropriately sized CF card (minimum 512MB, recommended 1GB), referred to hereafter as the flash cartridge.</li>
<li>The &#8220;target system&#8221; that will ultimately run pfSense with at least two NICs.</li>
<li>A third NIC (optional, for guest network, discussed in the &#8220;Advanced&#8221; section below).</li>
<li>A serial cable (Female to Female) and a Null Modem Adapter.</li>
<li>A pocket switch with a small patch cord.</li>
</ul>
<h3>Identify your Flash device</h3>
<p>First, attach your flash cartridge to your Linux PC and boot it.  Make sure that it boots your Linux distribution first and does not attempt to boot from the flash cartridge.  Once booted, log in as root and run <strong>dmesg</strong>. Look for the /dev entry for your flash module.  You may be able to look for the manufacturer name as is the case in my output below:</p>
<div id="attachment_971" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/IDEhd.gif"><img class="size-medium wp-image-971 " title="IDE HDA dmesg output" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/IDEhd-300x128.gif" alt="My Transcend module is listed as hda" width="300" height="128" /></a><p class="wp-caption-text">My dmesg output.</p></div>
<p>In the output above, my Transcend module was recognized as hda (primary master HD), so my /dev entry is /dev/hda.  We will need this later on to burn the image.</p>
<h3>Download, validate, burn:</h3>
<p>Now that we know what device we need to burn to, it&#8217;s time to get the image.  Head on over to <a href="http://www.pfsense.org/mirror.php?section=downloads">the pfSense Mirror selection page</a> and pick a server that&#8217;s closest to you.</p>
<p>You should then be presented with a list of images named <strong>pfSense-1.2.3-RELEASE-XXXX-nanobsd.img.gz</strong> where XXXX is a choice of 512mb, 1g, 2g and 4g images.  In my particular case, I will be using pfSense-1.2.3-RELEASE-1g-nanobsd.img.gz as it is pre-built to a 1gig flash cartridge.</p>
<p>Use <strong>wget</strong> to download the image along with the accompanying .md5 file as shown in the sample output below. Note: URLs in the below image may differ depending on the mirror you are using, but the filenames will be the same.</p>
<div id="attachment_973" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wget.gif"><img class="size-medium wp-image-973 " title="wget download of files" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wget-300x153.gif" alt="wget download of files" width="300" height="153" /></a><p class="wp-caption-text">wget download of files</p></div>
<p>Once both files have downloaded, use <strong>md5sum -c</strong> to check the file for consistency against the provided md5 checksum as shown in the sample output below.</p>
<div id="attachment_974" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/md5sum.gif"><img class="size-medium wp-image-974 " title="md5sum validation" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/md5sum-300x153.gif" alt="md5sum validation" width="300" height="153" /></a><p class="wp-caption-text">md5sum validation</p></div>
<p>If the MD5 check returns <strong>OK</strong> then you are clear to proceed. If not, go back and re-download the file. Make sure you downloaded the same file and md5 checksum.  In order to burn it, we will use <strong>zcat</strong> to stream the compressed image out to the /dev entry mentioned earlier.  My syntax will be <strong>zcat pfSense-1.2.3-RELEASE-1g-nanobsd.img.gz | dd of=/dev/hda bs=16k</strong>; however, if your flash cartridge shows up at a location other than /dev/hda, be sure to change the command above to point to the proper device.  Once the command completes, it should look like this:</p>
<div id="attachment_975" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/burncomplete.gif"><img class="size-medium wp-image-975 " title="Image Burn Completed" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/burncomplete-300x153.gif" alt="Image Burn Completed" width="300" height="153" /></a><p class="wp-caption-text">Image Burn Completed</p></div>
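<p>The following Python script is an added example, not part of the original article: it performs the same MD5 check as <strong>md5sum -c</strong>, refuses to write if the target device or any of its partitions is mounted (a guard against pointing <strong>dd</strong> at the wrong /dev entry), and then streams the decompressed image to the target the way <strong>zcat | dd</strong> does.  The image, checksum files and /proc/mounts contents it uses are constructed for the demonstration.</p>

```python
# Added example (not from the original article): a guarded version of the article's
# "md5sum -c, then zcat ... | dd of=/dev/hda bs=16k" step. The image, .md5 files and
# /proc/mounts text are constructed. An MD5 fetched from the same mirror only catches
# a corrupted download, not a mirror that serves a tampered image and matching hash.
import gzip
import hashlib
import os
import re
import tempfile
from typing import Optional

BLOCK = 16 * 1024  # matches the article's dd bs=16k


def parse_md5_file(text: str, image_name: str) -> str:
    """Expected digest for image_name from a .md5 file; accepts the GNU layout
    md5sum -c reads ("<hash>  <file>") and the BSD layout ("MD5 (<file>) = <hash>")."""
    for raw in text.splitlines():
        line = raw.strip()
        gnu = re.fullmatch(r"([0-9a-fA-F]{32})\s+\*?(\S+)", line)
        if gnu and gnu.group(2) == image_name:
            return gnu.group(1).lower()
        bsd = re.fullmatch(r"MD5 \((\S+)\) = ([0-9a-fA-F]{32})", line)
        if bsd and bsd.group(1) == image_name:
            return bsd.group(2).lower()
    raise ValueError(f"no MD5 entry for {image_name}")


def md5_of(path: str) -> str:
    """Digest in BLOCK-sized chunks so a 4g image never has to fit in RAM."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(image_path: str, md5_path: str) -> bool:
    """Same decision as `md5sum -c`: True only when the digests match."""
    with open(md5_path) as f:
        expected = parse_md5_file(f.read(), os.path.basename(image_path))
    return md5_of(image_path) == expected


def target_is_mounted(target: str, mounts_text: str) -> bool:
    """True if target or a partition of it (/dev/hda1 ...) appears in /proc/mounts.
    The spare flash cartridge is never mounted; the disk you booted from always is."""
    for line in mounts_text.splitlines():
        if not line.strip():
            continue
        dev = line.split()[0]
        if dev == target or (dev.startswith(target) and dev[len(target):].isdigit()):
            return True
    return False


def burn(image_path: str, md5_path: str, target: str,
         mounts_text: Optional[str] = None) -> int:
    """Guarded `zcat image | dd of=target`; returns decompressed bytes written."""
    if not verify_image(image_path, md5_path):
        raise ValueError("MD5 mismatch: re-download the image and its .md5 file")
    if mounts_text is None:
        with open("/proc/mounts") as f:  # Linux only, like the article's burn box
            mounts_text = f.read()
    if target_is_mounted(target, mounts_text):
        raise RuntimeError(f"{target} is mounted; refusing to overwrite it")
    written = 0
    with gzip.open(image_path, "rb") as src, open(target, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            dst.write(chunk)
            written += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    return written


def demo() -> dict:
    """Run the guarded burn against a constructed image in a temp directory."""
    payload = b"constructed nanobsd payload, not a real pfSense image\n" * 1000
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "pfSense-1.2.3-RELEASE-1g-nanobsd.img.gz")
        with gzip.open(image, "wb") as f:
            f.write(payload)
        good_md5, bad_md5 = image + ".md5", os.path.join(tmp, "tampered.md5")
        with open(good_md5, "w") as f:
            f.write(f"{md5_of(image)}  {os.path.basename(image)}\n")  # GNU layout
        with open(bad_md5, "w") as f:
            f.write(f"{'0' * 32}  {os.path.basename(image)}\n")
        target = os.path.join(tmp, "flash.img")  # stands in for /dev/hda
        mounts = "/dev/sda1 / ext4 rw,relatime 0 0\n/dev/sda2 /home ext4 rw 0 0\n"
        try:
            burn(image, bad_md5, target, mounts_text=mounts)
            rejected = False
        except ValueError:
            rejected = True
        written = burn(image, good_md5, target, mounts_text=mounts)
        with open(target, "rb") as f:
            roundtrip = f.read() == payload
    return {"rejected_tampered": rejected, "written": written, "roundtrip": roundtrip}
```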
<p>Now that the image burn is done, shutdown the Linux box and pull your flash cartridge out and install it in the device that is going to run pfSense.  Go ahead and connect it up but do not attach any network cables to the interfaces just yet.  You will also need to connect the serial cable with a null modem adapter to the device to continue initial setup.</p>
<h3>Initial Configuration and Setup</h3>
<p>Now that we&#8217;ve burned the image, we are ready to do the initial setup.  This entails doing some NIC probing to find the network adapters in the system and to assign them to their respective duties (WAN, LAN, Optional Interface 1, etc).  You should only need to do this once: once the NICs are set up and the router is running, you can do everything, including re-assigning the interfaces, from the web-based GUI.</p>
<p>Open up PuTTY, Hypertrm or your favorite terminal application and set the serial port parameters to 9600 baud, no parity, 8 data bits, 1 stop bit.  Turn on the embedded device and after a moment, you should see some BSD boot stuff flash past.  Wait until it prompts you to set up VLAN information as shown below:</p>
<div id="attachment_976" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/vlaninfo.gif"><img class="size-medium wp-image-976 " title="Vlan Setup prompt" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/vlaninfo-300x167.gif" alt="Vlan Setup Prompt" width="300" height="167" /></a><p class="wp-caption-text">Vlan Setup Prompt</p></div>
<p>If you are lucky, you should see two interfaces, one for each NIC.  If you have three network cards in your system, you will see three different interfaces.  In the above screenshot, I have em0, em1 and fxp0.  Since we will not use VLANs for our basic or our advanced configurations, we will answer &#8220;N&#8221; here.</p>
<p>Now, we will do some network probing to figure out exactly which NIC goes to which interface using the pocket switch and the patch cord.  Don&#8217;t plug anything in yet.</p>
<div id="attachment_977" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/probelan.gif"><img class="size-medium wp-image-977 " title="Probe for LAN interface" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/probelan-300x167.gif" alt="Probe for LAN interface" width="300" height="167" /></a><p class="wp-caption-text">Probe for LAN interface</p></div>
<p>With nothing plugged into the network interfaces, hit <strong>a</strong> and then Enter.  This will start the autodetection process. When prompted, attach the pocket switch to the interface you will use as the LAN interface and make sure that the LINK light on the switch and the NIC come on.  Hit Enter and you should see a message saying it detected the LAN interface link come up.  It will then prompt you for the WAN interface.  Hit <strong>a</strong> then Enter again, move the patch cord to the WAN interface and hit Enter.  Repeat this process for the Optional interface (OPT1) or, if your router only has two NICs, just hit Enter.  Refer to the below output.</p>
<div id="attachment_978" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/assignednics.gif"><img class="size-medium wp-image-978 " title="Assigned NICs" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/assignednics-300x167.gif" alt="Assigned NICs" width="300" height="167" /></a><p class="wp-caption-text">Assigned NICs</p></div>
<p>Be sure that you only change the patch cord when it tells you to.  If you disconnect the cable at the &#8220;hit A for autodetect&#8221; prompt, it may not detect link when it should.  If you run into this issue, disconnect the patch cord and restart your router.  Allow it to boot up and start over.  Once you get done assigning interfaces, simply hit Enter to exit assignment.  It will print the current assignments of the interfaces and ask you to validate.  Answer Y if the displayed assignments are correct and hit Enter, otherwise hit N and start over or restart the device.</p>
<p>Assuming all went well, you will see it do a bunch of additional configuration.  Once you get to the menu as shown below, you can then disconnect the serial cable and proceed with the configuration of the pfSense router.</p>
<div id="attachment_979" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/configdone.gif"><img class="size-medium wp-image-979" title="Configuration completed" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/configdone-300x167.gif" alt="Configuration Completed." width="300" height="167" /></a><p class="wp-caption-text">Configuration Completed</p></div>
<h3>Continuing the Configuration</h3>
<p>Connect the pocket switch up to the LAN port of the router and connect your router&#8217;s WAN port to your Internet connection.  Connect a computer to an unused port on the pocket switch and start it up. Once booted, you should have an IP address in the 192.168.1.x subnet and depending on whether or not your Internet connection is DHCP, you may already be able to surf.</p>
<p>Open a browser and go to http://192.168.1.1 and when prompted login with the username of <strong>admin</strong> and the password of <strong>pfsense</strong>.  If all goes well, you should see a screen that looks like the one below.</p>
<div id="attachment_982" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wizard.gif"><img class="size-medium wp-image-982" title="pfSense Wizard" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wizard-300x181.gif" alt="pfSense Wizard" width="300" height="181" /></a><p class="wp-caption-text">pfSense Wizard</p></div>
<p>Click &#8220;Next&#8221;</p>
<p>On this screen, you will set some basic network configuration parameters like the pfSense&#8217;s hostname, local domain and the two DNS servers.  Use the ISP provided DNS servers here and click Next.</p>
<div id="attachment_983" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wizard2.gif"><img class="size-medium wp-image-983" title="pfSense Wizard, page 2" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wizard2-300x181.gif" alt="pfSense Wizard, page 2" width="300" height="181" /></a><p class="wp-caption-text">pfSense Wizard, page 2</p></div>
<p>On this screen, we will set up the timeserver and the timezone of the firewall.  Set the timezone where appropriate and then either use the provided time server or set your own.  I left it default and have not noticed any issues with time reporting.</p>
<div id="attachment_984" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wizard3.gif"><img class="size-medium wp-image-984" title="pfSense Wizard, page 3" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wizard3-300x181.gif" alt="pfSense Wizard, page 3" width="300" height="181" /></a><p class="wp-caption-text">pfSense Wizard, page 3</p></div>
<p>The next screen is where we will set up the WAN parameters.  Start off with selecting which type of WAN link you have.  Choices are DHCP (default),  Static IP, PPPoE and PPTP.  For each selection, there is a relevant section that must be completed.  Since I use DHCP, I left it as default.</p>
<div id="attachment_985" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wizard4.gif"><img class="size-medium wp-image-985" title="pfSense Wizard, page 4" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wizard4-300x181.gif" alt="pfSense Wizard, page 4" width="300" height="181" /></a><p class="wp-caption-text">pfSense Wizard, page 4</p></div>
<p>Pay special attention to the bottom two options.  The first option &#8220;Block RFC1918 networks&#8221; prevents LAN IP addresses from the &#8220;private&#8221; networks from entering from the WAN interface. Private networks are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.  Unless you are using this router inside another NAT environment, this option is best left turned on.</p>
<p>The other option, &#8220;Block Bogon Networks&#8221;, should be left enabled. This drops traffic arriving on your WAN interface from address space that is unallocated or not routed on the Internet. Since these addresses are not routed and not assigned, legitimate traffic should never arrive from them anyway.</p>
<div id="attachment_986" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wizard5.gif"><img class="size-medium wp-image-986" title="pfSense Wizard, page 5" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wizard5-300x181.gif" alt="pfSense Wizard, page 5" width="300" height="181" /></a><p class="wp-caption-text">pfSense Wizard, page 4, Bogon networks and RFC1918 options</p></div>
<p>Now we are at the LAN configuration.  This is where we can change the router&#8217;s internal IP address and subnet mask.  Please note that most of pfSense uses CIDR notation, so you may want to get familiar with it or have a <a href="http://www.subnet-calculator.com/cidr.php" target="_blank">CIDR calculator</a> at the ready. Tip: a /24 is the same as 255.255.255.0</p>
<div id="attachment_987" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wizard6.gif"><img class="size-medium wp-image-987" title="pfSense Wizard, page 5" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wizard6-300x181.gif" alt="pfSense Wizard, page 5" width="300" height="181" /></a><p class="wp-caption-text">pfSense Wizard, page 5</p></div>
<p>This screen allows us to change the default password of <strong>pfsense</strong>.  I highly recommend changing it to something memorable.  If you forget it, you can always reset it via a serial connection without resetting the router back to factory settings.</p>
<p>&nbsp;</p>
<div id="attachment_988" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wizard7.gif"><img class="size-medium wp-image-988" title="pfSense Wizard, page 6" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wizard7-300x181.gif" alt="pfSense Wizard, page 6" width="300" height="181" /></a><p class="wp-caption-text">pfSense Wizard, page 6</p></div>
<p>&nbsp;</p>
<p>Finally we have reached the end of the wizard.  Click &#8220;Reload&#8221; and wait a few minutes.  During this time, the router will reboot itself to apply the new configuration.  Let the web page reload the router&#8217;s admin page and it should take you to a page like the one below.</p>
<p>&nbsp;</p>
<div id="attachment_989" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/status.gif"><img class="size-medium wp-image-989" title="pfSense main status page" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/status-300x181.gif" alt="pfSense main status page" width="300" height="181" /></a><p class="wp-caption-text">pfSense main status page</p></div>
<p>&nbsp;</p>
<p>Once you are at this screen, you should be able to browse the Internet.</p>
<h3>Some basic tips:</h3>
<ul>
<li>Port forwarding can be set up under Firewall -&gt; NAT and works pretty much like you would expect a Linksys box to work.  Be sure to leave the &#8220;Auto Add a firewall rule to permit traffic through this NAT rule&#8221; option at the bottom checked.  This will create a matching rule on the WAN side to allow the traffic in, along with the rule that forwards it from the WAN to your destination computer.</li>
<li>You can see each interface&#8217;s status by going to Status -&gt; Interfaces.  If you are on a PPPoE or PPTP connection, you can disconnect and reconnect from this page.  If you are using DHCP, you can also release and renew your IP here.</li>
<li>If you run into trouble performing port forwarding, you can access the system firewall logs via Status -&gt; System Logs.  Be sure to turn on Logging on your rules so you can see new connections as they are being performed.</li>
<li>If you&#8217;re having problems with a specific host, you can access a packet capture utility via Diagnostics -&gt; Packet Capture.</li>
<li>If you want to diagnose upstream Internet connectivity issues, you can access traceroute via Diagnostics -&gt; Traceroute, and a ping utility via Diagnostics -&gt; Ping.</li>
<li>Like numbers and graphs? Check out the system traffic graph (Status-&gt; Traffic Graph) and the system RRD graph (Status -&gt; RRD Graphs).  You may need to install the Adobe SVG viewer to view these graphs.</li>
<li>Unlike a Linksys box, it is recommended to halt the router before powering down and use the reboot function if a restart is needed.  Both options appear under Diagnostics with the labels &#8220;Halt system&#8221; and &#8220;Reboot system&#8221; respectively.</li>
</ul>
<h3>What&#8217;s next?</h3>
<p>Even in its basic configuration you already have a very powerful router on your hands.  The sky&#8217;s the limit. The pfSense installation can support a great many different configurations and options, so don&#8217;t think that you&#8217;re locked into a single configuration.  Out of the box, pfSense has the software support for DHCP, a DNS server, and other basic functionality as well as more advanced things like CARP failover, OpenNTPD (time server), OpenVPN, remote syslog, traffic aggregation, and many other features that warrant exploration.</p>
<p>In a follow-up article, I will explore setting up an advanced configuration, establishing a VLAN to isolate a wireless network from the wired network while still providing Internet access.  This is a useful configuration for those of you who like to share your Internet access but don&#8217;t want to make your home network vulnerable.</p>
<p>Happy Hacking!</p>
<p>FIRESTORM_v1</p>
]]></content:encoded>
			<wfw:commentRss>http://www.yourwarrantyisvoid.com/2011/11/11/networking-installing-and-configuring-pfsense-embedded/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
<title>Reviews: Sparkfun Inventor&#8217;s Kit at Microcenter</title>
		<link>http://www.yourwarrantyisvoid.com/2011/09/09/reviews-sparkfun-inventors-kit-at-mircocenter/</link>
		<comments>http://www.yourwarrantyisvoid.com/2011/09/09/reviews-sparkfun-inventors-kit-at-mircocenter/#comments</comments>
		<pubDate>Sat, 10 Sep 2011 00:07:25 +0000</pubDate>
		<dc:creator>firestorm_v1</dc:creator>
				<category><![CDATA[Hardware]]></category>
		<category><![CDATA[Microcontrollers]]></category>
		<category><![CDATA[Arduino]]></category>
		<category><![CDATA[microcontroller]]></category>
		<category><![CDATA[parts]]></category>

		<guid isPermaLink="false">http://www.yourwarrantyisvoid.com/?p=1012</guid>
		<description><![CDATA[After reading this post on Hack-a-day, I went to the local MicroCenter to see what all they had to offer in a brick-and-mortar store.  I remember when Parallax and RadioShack had joined together and while the new availability had made it easier to get started with microcontrollers, the most common expression recalled is one of [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_1013" class="wp-caption aligncenter" style="width: 198px"><img class="size-full wp-image-1013" title="Sparkfun logo" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/09/sparkfun.gif" alt="Sparkfun logo" width="188" height="105" /><p class="wp-caption-text">Sparkfun at Microcenter!</p></div>
<p>After reading <a href="http://hackaday.com/2011/09/07/need-something-in-a-pinch-sparkfun-products-now-at-micro-center/" target="_blank">this post on Hack-a-day</a>, I went to the local MicroCenter to see what all they had to offer in a brick-and-mortar store.  I remember when Parallax and RadioShack had joined together and while the new availability had made it easier to get started with microcontrollers, the most common expression recalled is one of sadness at the general disarray of the parts cabinets.  Thankfully Microcenter seems to have done Sparkfun right.  Read on for my initial impressions of Microcenter&#8217;s offerings and a full review of my first Arduino kit, the Sparkfun Inventor&#8217;s Kit.<span id="more-1012"></span></p>
<p>If you are interested solely in the review, scroll down to the &#8220;<strong>Finally, the review!</strong>&#8221; section below.</p>
<h3>Online-only stores and brick-and-mortar stores intersect: a bit of history</h3>
<p>A lot of online-only stores have expanded into brick-and-mortar retail with varying amounts of success, unlike retail stores moving online, which anyone would say has been a huge success and convenience.  Unfortunately, the DIY/hobbyist market hasn&#8217;t seen such a success and for the most part has remained largely an online-only affair.</p>
<p>Several years ago, Parallax announced that they would start offering some sensors and kits for sale at Radio Shack.  After hearing the news, I was tentatively excited however after seeing their initial offering, I don&#8217;t think Parallax was done right by Radioshack. They were given half of a disorganized &#8220;parts drawer&#8221;  and a couple of pegs to offer hanging merchandise.  Despite Parallax&#8217;s attempt, the move into retail ultimately floundered. It is my belief that if Radio Shack had given Parallax&#8217;s parts offering a bit more shelf space  and Parallax had made more of an initial offer in Parallax&#8217;s own packaging, they might have been able to make it more successful. Instead, Parallax&#8217;s limited offering (around 10 sensors and the &#8220;What&#8217;s A Microcontroller&#8221; kit) and Radio Shack&#8217;s shoddy mismanagement of the parts bins where the sensors were stored served to bury the Parallax name in the forgotten corners of the store.</p>
<p>Although there was a post several months ago with a shot of custom Parallax retail packaging, I can&#8217;t find the link now, nor did any searching reveal any information. Several other companies watched the Parallax and Radio Shack situation unfold and took notes. Now it&#8217;s time to evaluate another initial transitional offering from online-only to online plus brick-and-mortar.</p>
<h3>Now, to Sparkfun and Microcenter&#8230;</h3>
<p>Sparkfun Electronics has been well known in the Arduino community with their extensive offerings online. Chances are, if there&#8217;s a sensor out there, they have it either in kit form or as a complete pre-fab module.  When I heard that they are making an offering through Microcenter, I was thankful that I lived near Microcenter. Using Parallax and Radio Shack as an example of a failed attempt, I went to Microcenter to scope out their product  offerings.  I was very pleasantly surprised.  Sparkfun&#8217;s initial product offering outpaces Parallax&#8217;s offering by a significant margin as shown in the image below.  Not only do they offer a Getting Started kit (reviewed below), they also offer a wide variety of parts and shields for the Arduino platform.</p>
<div id="attachment_1014" class="wp-caption aligncenter" style="width: 235px"><img class="size-medium wp-image-1014" title="Sparkfun Offering at Microcenter." src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/09/IMG_20110909_105030-e1315601462879-225x300.jpg" alt="Sparkfun Offering at Microcenter." width="225" height="300" /><p class="wp-caption-text">Sparkfun Offering at Microcenter.</p></div>
<p>You can see in the above photo that they have a lot to offer. From my estimates, they had the Arduino platform as well as the Inventor&#8217;s kit and several other non-Arduino projects.  They also offered a wide array of sensors and components as well as several Arduino shields in kit form. Some of the shields they offer are the Arduino motor shield, the Arduino Prototype Shield with microSD card reader and the Arduino Joystick Shield.  Their component offering is equally impressive with a multitude of sensors, both serial and parallel character LCD displays, breadboards and modules. Something I saw that I plan on getting later on is a dedicated 3.7V lithium polymer charging module with battery.  This module will charge off a USB port and will keep an Arduino running for 50 hours according to the box.  Having something like this is a big bonus when working on embedded hardware.</p>
<p>They also offer several kits like the X-Bee modules kit (which is probably my next purchase) which contain everything you need to get started.  You get a USB to Serial converter board, two X-Bee modules and an X-Bee to Arduino interface shield.  Their RFID kit also has the same level of thought put into it with the necessary adapter board, the RFID sensor and sample RFID cards to experiment with.</p>
<p>In addition to their parts and components, I found something I had been wanting personally. They had tool kits available in store. The kits were ranged according to skill level (easy, medium and complex) with the complex kit featuring a multimeter and soldering iron, while the medium kit only offered the soldering iron.  As the user&#8217;s skill level progresses, they can add to their kit as needed.</p>
<p>One thing that seemed to stand out about their Arduino offering is that they introduced three flavors of Arduino.  The Arduino Uno (which comes in the Inventor&#8217;s kit as well as individually), The Arduino Mini (and the related FTDI programming module) and the Breadboard Arduino (Arduino made on breadboard rather than the standard PCB board).</p>
<p>For those of you asking about cost, this was one of my concerns as well.  In my previous experience, anything in a brick-and-mortar store is usually more expensive.  I did a side-by-side comparison with my phone as I priced random components and kits and I found that the cost at the store was pretty much dead on, only varying by a few cents.</p>
<h3>Final thoughts</h3>
<p>I am thankful that Sparkfun and Microcenter teamed up and I am hoping that they continue to expand their product selection.  I have a feeling that there are a lot of people out there that are wanting to get into microcontrollers and embedded electronics however just aren&#8217;t convinced and need that one little push over from &#8220;Maybe&#8221; to &#8220;Definitely&#8221;.  I can&#8217;t wait to see what is &#8220;in store&#8221; next.  (That was a pun, laugh!)</p>
<p>And without more blathering about Sparkfun and Microcenter, finally we get to the review.</p>
<h2><strong>Finally, the Review!</strong></h2>
<p>The kit I picked up is the <a href="http://www.sparkfun.com/products/10339" target="_blank">Retail version of the SparkFun Inventor&#8217;s Kit (SIK)</a>, which has everything one would need to get started with the Arduino and electronics. I won&#8217;t enumerate the full list of materials in the box, however I will present several pictures as shown below.</p>
<div id="attachment_1015" class="wp-caption aligncenter" style="width: 310px"><img class="size-medium wp-image-1015" title="SIK kit cover" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/09/DSCF2138-300x225.jpg" alt="SIK Kit cover" width="300" height="225" /><p class="wp-caption-text">SIK Kit cover</p></div>
<p>Most of the kits on the market have a hinge at one end however Sparkfun&#8217;s kit has a completely detached cover meant to be removed. This presents the bonus of not eating up twice the kit&#8217;s floor space on your desk.</p>
<div id="attachment_1016" class="wp-caption aligncenter" style="width: 310px"><img class="size-medium wp-image-1016" title="Kit Contents" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/09/DSCF2139-300x225.jpg" alt="Kit Contents" width="300" height="225" /><p class="wp-caption-text">Kit Contents</p></div>
<p>Inside the kit comes a nicely packaged assortment of parts in the right hand compartments and in the top compartment.  More on those in a bit.  The left hand compartment contains several pin jumpers for breadboarding and Arduino connections and the center large compartment holds the USB cable, the circuit flash cards, the Arduino in its own box and the mounting plate and breadboard.</p>
<div id="attachment_1017" class="wp-caption aligncenter" style="width: 310px"><img class="size-medium wp-image-1017" title="Arduino Box" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/09/DSCF2140-300x225.jpg" alt="Arduino Box" width="300" height="225" /><p class="wp-caption-text">Arduino Box</p></div>
<p>The Arduino Uno comes in its own little box, prepackaged and QC&#8217;ed from Italy where the Arduino was built and designed.</p>
<div id="attachment_1018" class="wp-caption aligncenter" style="width: 310px"><img class="size-medium wp-image-1018" title="Unboxed Arduino" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/09/DSCF2141-300x225.jpg" alt="Unboxed Arduino" width="300" height="225" /><p class="wp-caption-text">Unboxed Arduino</p></div>
<p>Along with the Arduino Uno comes a handful of stickers and a little pamphlet with more information about the Arduino.</p>
<div id="attachment_1019" class="wp-caption aligncenter" style="width: 310px"><img class="size-medium wp-image-1019" title="Mounted Arduino and Breadboard" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/09/DSCF2142-300x225.jpg" alt="Mounted Arduino and Breadboard" width="300" height="225" /><p class="wp-caption-text">Mounted Arduino and Breadboard</p></div>
<p>The mounted Arduino and breadboard on the included Sparkfun mounting plate.  This gives the user a good and stable place to work with the Arduino and the sample circuits in order to understand the Arduino&#8217;s capabilities.</p>
<div id="attachment_1020" class="wp-caption aligncenter" style="width: 310px"><img class="size-medium wp-image-1020" title="Parts Pictures" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/09/DSCF2143-300x225.jpg" alt="Parts Pictures" width="300" height="225" /><p class="wp-caption-text">Parts Pictures</p></div>
<p>The other parts of the SIK kit include:</p>
<ul>
<li>74HC595 shift register (pictured)</li>
<li>Rotary Potentiometer</li>
<li>Photoresistor</li>
<li>Two pushbuttons</li>
<li>Piezo speaker</li>
<li>Several LEDs</li>
<li>Several resistors in a few different values</li>
<li>Two diodes</li>
<li>Transistor (2N2222 variant)</li>
<li>Subminiature Hobby Servo</li>
<li>DC Motor</li>
<li>Flex sensor (top center)</li>
<li>Variable Flex resistor (under sensor)</li>
<li>Additional headers and pins</li>
</ul>
<p>The kit also includes a small booklet that has several circuits and sample code to get started.</p>
<div id="attachment_1021" class="wp-caption aligncenter" style="width: 310px"><img class="size-medium wp-image-1021" title="Manual, flashcards and USB cable" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/09/DSCF2144-300x225.jpg" alt="Manual, flashcards and USB cable" width="300" height="225" /><p class="wp-caption-text">Manual, flashcards and USB cable</p></div>
<p>The booklet (pictured) contains several circuits and is intended to be used with the flash cards together in order to guide the novice through building the circuits and becoming familiar with the Arduino.  The flash cards each contain a circuit diagram that correlates to how the components should be connected to the Arduino and the book contains sample code with a brief explanation of how the code works.</p>
<h3>Thoughts on the booklet itself</h3>
<p>The book is targeted at new users to the Arduino platform, however I quickly came to the conclusion that this kit is not targeted at beginners to electronics.  Coming from the &#8220;What&#8217;s A Microcontroller&#8221; world that explained everything including the basic 101s of electronics, this may be a bit off-putting for some; however, with an understanding of some of the basics, this may serve to bridge the gap between building basic passive electronics projects and more advanced digital electronics projects.</p>
<p>Unlike the &#8220;What&#8217;s A Microcontroller&#8221; kit, there is no complete guide to the command reference included in the kit however the Basic Stamp and the Arduino both have extensive community support.</p>
<h3>Final Thoughts on the Kit</h3>
<p>The Sparkfun Inventor&#8217;s Kit appears to be well stocked with a typical selection of components fit for a beginner&#8217;s kit and will make a good start in working with the Arduino, even if you have never had any microcontroller experience.  While I can&#8217;t recommend this kit as a complete beginner&#8217;s guide to electronics, any newbie should be able to perform additional research to locate the answers they seek.  This is not a completely offline course but I do not consider this to be enough of a deterrent to stop from recommending the kit.  I feel that this kit will be a great addition to any electronics bench and will help anyone with even the most basic electronics experience get started with the Arduino.</p>
<p><strong>Verdict:  Buy!</strong></p>
<p>Cost: $99</p>
<p>Found at: Microcenter and sparkfun.com (sku: <a href="http://www.sparkfun.com/products/10339" target="_blank">RTL-10339</a>)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.yourwarrantyisvoid.com/2011/09/09/reviews-sparkfun-inventors-kit-at-mircocenter/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Reviews: WD TV Live Plus</title>
		<link>http://www.yourwarrantyisvoid.com/2011/08/26/reviews-wd-tv-live-plus/</link>
		<comments>http://www.yourwarrantyisvoid.com/2011/08/26/reviews-wd-tv-live-plus/#comments</comments>
		<pubDate>Fri, 26 Aug 2011 17:06:02 +0000</pubDate>
		<dc:creator>firestorm_v1</dc:creator>
				<category><![CDATA[Hardware]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Product Reviews]]></category>
		<category><![CDATA[media center]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[Reviews]]></category>
		<category><![CDATA[Small Form Factor]]></category>

		<guid isPermaLink="false">http://www.yourwarrantyisvoid.com/?p=992</guid>
		<description><![CDATA[In this post, I will review a recently acquired WD TV Live Plus purchased from Microcenter for around $100.  The quest was to find a media player solution that could read media from network shares and play them with minimal fuss.  Since this is going to be attached to the primary TV, it has to [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: center;"><img class="size-medium wp-image-993 aligncenter" title="WD logo" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wdmonogramc-300x199.gif" alt="WD logo used with permission granted from wdc.com" width="300" height="199" /></p>
<p style="text-align: left;">In this post, I will review a recently acquired WD TV Live Plus purchased from Microcenter for around $100.  The quest was to find a media player solution that could read media from network shares and play them with minimal fuss.  Since this is going to be attached to the primary TV, it has to be &#8220;Girlfriend Approved&#8221; and easy to use.  I believe that the WD TV Live Plus fits this requirement adequately however the installation of the device could be easier.  Once done, the device is wonderful.  Read the full review after the break.</p>
<p style="text-align: left;"><span id="more-992"></span></p>
<h2 style="text-align: left;">Foreword</h2>
<p>One of the things that I&#8217;ve been keeping a close eye on is the development of the media center computer: a non-PC PC that is used to play local network content, can provide other services through the TV, and still maintains the ease of use of a standard DVD player.  I had previously experimented with XBMC and was pleased with its overall hardware support and the features it supported &#8220;out of the box&#8221;, however the UI was a bit kludgy and every media source and item had to be predefined before it would show up.  It also didn&#8217;t help much that the only device I had that would work properly was an old Averatec laptop, which did work very well, even with the embedded Intel graphics.</p>
<p>I skipped the newer iterations of XBMC partially due to lack of time and due to the fact that I was still not looking forward to using the Averatec laptop, as it required a mouse and I didn&#8217;t have the money to pony up for a Windows Media remote (which would have been supported).  Time went on and by then my needs for additional storage had exceeded a single drive.  I built a Windows based NAS server using a 3ware card donated by a friend and built a 2Tb storage array.  Soon after that, I got to the point where looking at a media player began to become feasible again as now I had plenty of storage and lots of plans.  I ultimately wanted to rip and encode my DVDs so that I could play them without needing to swap disks endlessly.</p>
<p>I was already accustomed to using Netflix on the Xbox360, however I wanted the same convenience of couch-surfing with all my local media.  A bonus through work found me with extra cash to finally take a look at a media player.  My requirements were simple.</p>
<ul>
<li>It must support a variety of media in a variety of formats and codecs.</li>
<li>It must have a remote and be easily operated.</li>
<li>It must have a variety of outputs including HDMI and Component.</li>
<li>It must be able to read SMB shares easily and remember credentials.</li>
<li>It must be inexpensive.</li>
<li>The box, UI and remote have to not look fugly.</li>
</ul>
<h2>Research, research, research</h2>
<p>I started looking around at a lot of the common media players that are out there.  The Apple TV was too &#8220;hipster&#8221; and I really didn&#8217;t feel like dealing with iTunes after the fiasco that was my iPod.  The price was right and the Apple TV did have the right connectors, but dependence on the iTunes application really made it a deal killer.</p>
<p>Boxee was an attractive option and had high ratings, however when I saw the <a href="http://www.boxee.tv/">final product and its cubelike design</a>, it was an instant turnoff. While the hardware was more than adequate, the box itself looked rather ugly. When I did some additional research, the price point (almost $250 at initial research, now $199) was still out of my price range. While Boxee did have the free software option like XBMC, I had no &#8220;decent&#8221; hardware to run it on to make it not suck, so unfortunately this option was nixed.</p>
<p>There were some other media devices that I had found however they were really proprietary and for various reasons, they don&#8217;t even merit mention.  That said, I reluctantly asked around work and several coworkers offered suggestions, most of which were either Apple TV, XBMC, Boxee.  A couple of guys mentioned the WDTV Live Plus so I started doing research.</p>
<p>The WD TV Live Plus appeared to support all of my requirements although several forum posts came up about difficulty with networking.  At $100 a unit, this appeared to be a viable option so I decided to gamble.</p>
<h2>Hardware</h2>
<p>Without further ado, let&#8217;s take a look at what we&#8217;re up against.</p>
<div id="attachment_994" class="wp-caption aligncenter" style="width: 310px"><img class="size-medium wp-image-994" title="WD TV Live Plus box" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/DSCF2121-300x225.jpg" alt="WD TV Live Plus box" width="300" height="225" /><p class="wp-caption-text">WD TV Live Plus box</p></div>
<p>This is the outside of the box.  Inside the box, you get a remote, two AAA batteries, the WDTV Live Plus, a 1/4in to AV (Video, L and R Audio) cable, a 1/4in to Component (Y,Pb,Pr) cable and power supply adapter.</p>
<div id="attachment_995" class="wp-caption aligncenter" style="width: 310px"><img class="size-medium wp-image-995" title="WDTV size comparison" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/DSCF2122-300x225.jpg" alt="WDTV size comparison" width="300" height="225" /><p class="wp-caption-text">WDTV size comparison</p></div>
<p>To put a size comparison on things, this thing is SMALL.  It&#8217;s about the size of a large pocket switch, roughly 4 inches deep, five inches wide and about an inch tall. The remote control is about three inches long and an inch wide and roughly a half-inch deep. Although it is small, it does fit in either hand comfortably thanks in part to a finger-wide notch cut into the bottom of the remote.</p>
<div id="attachment_996" class="wp-caption aligncenter" style="width: 310px"><img class="size-medium wp-image-996" title="Back ports" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/DSCF2116-300x225.jpg" alt="Back Ports" width="300" height="225" /><p class="wp-caption-text">Back Ports</p></div>
<p>The rear of the WDTV contains several ports as shown above.  The ports from left to right are Power, USB, HDMI, Optical Audio TOSLINK, Ethernet, Component, Composite+Audio.</p>
<div id="attachment_997" class="wp-caption aligncenter" style="width: 310px"><img class="size-medium wp-image-997" title="Top view" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/DSCF2117-300x225.jpg" alt="Top view" width="300" height="225" /><p class="wp-caption-text">Top view</p></div>
<p>The Top of the WDTV features an additional USB port and the always good-to-have reset pinhole.  In the event of a device failure, you can use the pinhole to factory reset the device and to perform software updates.</p>
<div id="attachment_998" class="wp-caption aligncenter" style="width: 310px"><img class="size-medium wp-image-998" title="My WDTV installed and running." src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/DSCF2120-300x225.jpg" alt="My WDTV installed and running." width="300" height="225" /><p class="wp-caption-text">My WDTV installed and running.</p></div>
<p>Here is a picture of my WDTV installed and running.  To put it in perspective, that is a Netgear 8 port switch it is sitting on top of and the salt rock to the right is about the size of a 2 liter bottle of soda.</p>
<h3>Other things worth mentioning:</h3>
<ul>
<li>The two USB ports can support a variety of USB Mass Storage devices including cameras, USB hard drives, thumb drives and media card readers.  It can also support a limited range of <a href="http://wdc.custhelp.com/app/answers/detail/a_id/3805/~/list-of-compatible-devices-for-the-wd-tv-live-hd-media-player-and-wd-tv-live" target="_blank">wireless adapters, USB keyboards and other options</a>. Although wireless options are available, my network does not run Wireless N and as stated in the link, Wireless G may be too slow for streaming.  I did not get the ability to test wireless connectivity as my network is primarily a wired 10/100 network.</li>
<li>There is no HDMI cable included with this kit so you will need to buy one if you intend to use HDMI.</li>
</ul>
<p>&nbsp;</p>
<h2>Software</h2>
<p>As mentioned earlier, I required that the device be easy to use and able to pick up SMB shares. While the UI appeared to be quite usable, there were difficulties in getting the network shares to show up.  Several posts to the WD Customer Support forum complained about this very same issue, however I was able to overcome it once I found out what the root cause was. If you want a further review of the software, skip this section.</p>
<h3>Not all SMB networks are the same</h3>
<p>As stated on the box, this device should be able to read content from SMB (MS Network) shares and play it however there was a significant issue with the implementation of the SMB protocol in the WD TV Live Plus.  My network is largely Windows clients seeing as how my NAS is a Windows XP computer with a storage array and that most of my computers are Windows XP based (except for my core networking equipment and my laptop which uses Ubuntu.)  This ended up causing more hell than I was expecting and I&#8217;ll explain.</p>
<h3>Oh master, where art thou?</h3>
<p>In a Windows network where there is no domain controller, Windows computers will get into an election process to attempt to establish a browse master.  This browse master is a Windows computer that maintains a list of active computers on the network.  This behavior is part of NetBIOS and SMB sharing and allows the computers to &#8220;discover&#8221; each other.  Once the browse master is established, additional computers will communicate with the master to &#8220;register&#8221; themselves, and once registered can discover each other&#8217;s network shares.  This share list is populated each time someone tries to browse the network.</p>
<h3>I&#8217;m talking, but no one&#8217;s listening!</h3>
<p>On boot, the WDTV broadcasts to the network on UDP port 137 (NetBIOS Name Service), as the NetBIOS protocol specifies.  It waits for a browse master to answer the broadcast so it can then download the browse list. The issue is that Microsoft has altered the way NetBIOS works, and one of the alterations is that Windows computers (whether browse master or not) will no longer respond to broadcasts to port 137.  The result is that the WDTV will never receive the response it&#8217;s looking for and its server list will never get updated.</p>
<h3>You are my slave now!</h3>
<p>The workaround is to install NetBIOS (part of the SAMBA package) on a Linux box and set &#8220;local master = yes&#8221; in samba.conf.  This will also give you the added benefit of sped up network browsing on your computers and the installation of NetBIOS is very simple, requiring only one modification to a configuration file and a service restart.  In my testing of the WDTV,  I was unable to get the WDTV to show any network shares prior to the installation of the NetBIOS service.  Once I installed the NetBIOS service, it was a matter of seconds that the network shares listed out all of the active computers on the network.</p>
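<p>The exchange described in the last three sections, as an added Python example that is not part of the original post or of WD&#8217;s or Samba&#8217;s code: it builds the NetBIOS Name Service query a client broadcasts to UDP port 137 when looking for the master browser of a workgroup (the workgroup name with the &lt;1D&gt; suffix) and parses the positive response a browse master sends back. The workgroup name, transaction id and reply addresses are constructed sample values, so the whole thing runs offline.</p>

```python
"""NetBIOS Name Service (UDP/137) query builder and response parser.

Added example, not code from the original post, from WD or from Samba. It
shows the datagram a client broadcasts when asking "who is the master browser
for workgroup X?" and how the browse master's reply is read back. Workgroup
name, transaction id and addresses are constructed sample values.
"""
import struct
from typing import List, Tuple

NBNS_PORT = 137
QTYPE_NB = 0x0020             # NetBIOS general name service resource record
QCLASS_IN = 0x0001
SUFFIX_MASTER_BROWSER = 0x1D  # <workgroup><1D> is registered by the local master browser
NB_ALPHABET = "ABCDEFGHIJKLMNOP"


def encode_netbios_name(name: str, suffix: int) -> str:
    """RFC 1001 first-level encoding: pad the name to 15 bytes, append the
    suffix byte, then turn each nibble into a letter by adding 'A' (0x41)."""
    raw = name.upper().encode("ascii").ljust(15, b" ")[:15] + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_netbios_name(encoded: str) -> Tuple[str, int]:
    """Inverse of encode_netbios_name; returns (name without padding, suffix)."""
    if len(encoded) != 32 or any(c not in NB_ALPHABET for c in encoded):
        raise ValueError("encoded NetBIOS name must be 32 characters A..P")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def _name_field(name: str, suffix: int) -> bytes:
    # One 32-byte label with no NetBIOS scope, then the zero terminator.
    return bytes([32]) + encode_netbios_name(name, suffix).encode("ascii") + b"\x00"


def build_name_query(name: str, suffix: int, txid: int = 0x1234) -> bytes:
    """NAME QUERY REQUEST (RFC 1002 4.2.12) for broadcast: flags 0x0110 are
    opcode QUERY with the broadcast (B) and recursion-desired (RD) bits set."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + _name_field(name, suffix) + struct.pack(">HH", QTYPE_NB, QCLASS_IN)


def build_name_response(name: str, suffix: int, addresses: List[str],
                        txid: int = 0x1234, ttl: int = 300000) -> bytes:
    """Constructed POSITIVE NAME QUERY RESPONSE (RFC 1002 4.2.13), as a browse
    master would send it; used here only to exercise the parser offline."""
    header = struct.pack(">HHHHHH", txid, 0x8580, 0, 1, 0, 0)  # response, AA, RD, RA
    rdata = b"".join(struct.pack(">H4B", 0x6000, *map(int, a.split(".")))
                     for a in addresses)                       # NB_FLAGS + IPv4
    rr = struct.pack(">HHIH", QTYPE_NB, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + _name_field(name, suffix) + rr


def parse_name_response(pkt: bytes) -> Tuple[str, int, List[str]]:
    """Return (name, suffix, [addresses]) from a positive name query response;
    raises ValueError for anything that is not a well-formed positive reply."""
    if len(pkt) <= 12:
        raise ValueError("truncated NBNS packet")
    _txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or (flags >> 11) & 0xF != 0:
        raise ValueError("not a name query response")
    if flags & 0x000F:
        raise ValueError("negative response, rcode=%d" % (flags & 0xF))
    if an < 1:
        raise ValueError("response carries no answer record")
    pos = 12
    length = pkt[pos]
    if length != 32 or len(pkt) < pos + 1 + length + 1 or pkt[pos + 1 + length] != 0:
        raise ValueError("malformed NetBIOS name field")
    encoded = pkt[pos + 1:pos + 1 + length].decode("ascii", errors="replace")
    pos += 1 + length + 1
    if len(pkt) < pos + 10:
        raise ValueError("truncated resource record")
    rr_type, rr_class, _ttl, rdlen = struct.unpack(">HHIH", pkt[pos:pos + 10])
    pos += 10
    rdata = pkt[pos:pos + rdlen]
    if rr_type != QTYPE_NB or rr_class != QCLASS_IN or len(rdata) != rdlen or rdlen % 6:
        raise ValueError("unexpected resource record")
    addrs = []
    for i in range(0, rdlen, 6):
        _nb_flags, a, b, c, d = struct.unpack(">H4B", rdata[i:i + 6])
        addrs.append("%d.%d.%d.%d" % (a, b, c, d))
    name, suffix = decode_netbios_name(encoded)
    return name, suffix, addrs


if __name__ == "__main__":
    query = build_name_query("WORKGROUP", SUFFIX_MASTER_BROWSER)
    print("query to 255.255.255.255:%d -> %s" % (NBNS_PORT, query.hex()))
    reply = build_name_response("WORKGROUP", SUFFIX_MASTER_BROWSER, ["192.168.1.10"])
    print("browse master answered:", parse_name_response(reply))
```

<p>Samba&#8217;s <code>nmblookup -M WORKGROUP</code> sends this same kind of query, so it is a quick way to check from a Linux box whether anything on the segment answers as master browser; if nothing does, the WDTV&#8217;s share list stays empty, which is the symptom described above. Setting <code>local master = yes</code> in the <code>[global]</code> section of smb.conf (the file the post calls samba.conf) and restarting the nmbd service makes the Samba host take part in the election and answer these broadcasts. In a packet capture, the query and reply are the UDP/137 datagrams this code produces.</p>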
<h2>Carrying on&#8230;.</h2>
<p>Testing the UI over component, composite and HDMI cables showed little difference in the display aside from the appreciable differences between the three connection technologies themselves. In each test, the UI was sharp and clear with menu options easily highlighted. The UI is a dark-blue theme and reminds me a lot of the Playstation 3 interface.</p>
<div id="attachment_999" class="wp-caption aligncenter" style="width: 310px"><img class="size-medium wp-image-999" title="UI main image" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/DSCF2113-300x225.jpg" alt="UI main image" width="300" height="225" /><p class="wp-caption-text">UI main image</p></div>
<p>In the above image, I have highlighted the server &#8220;Zeus&#8221; from Videos -&gt; Network shares.   The icons scroll vertically to allow you to select options, while horizontal movement allows you to proceed or go back via the four way D-pad on the remote.  Hitting &#8220;OK&#8221; is only required on media titles, menu options (like Configuration Settings) and various sub-menus as needed.</p>
<div id="attachment_1000" class="wp-caption aligncenter" style="width: 310px"><img class="size-medium wp-image-1000" title="Media List" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/DSCF2115-300x225.jpg" alt="Media List" width="300" height="225" /><p class="wp-caption-text">Media List</p></div>
<p>The Media List view shows up once a server has been selected and allows you to drill down to find the content you want.  On the &#8220;Zeus&#8221; server, I have several shares dedicated to each type of media that the WDTV supports.  This is the list of the &#8220;Movies&#8221; fileshare.  Photos and Music are other fileshares available.  In this view, you can simply highlight a movie and without further action, it will start playing in the preview window on the right.  If you want to play it fullscreen, just select the preview window and hit OK.  The display will then go full size without missing a beat.</p>
<p>All in all, the UI is simple to use, easy to navigate and offers a lot of functionality without cluttering up the display.</p>
<h3>It also has apps</h3>
<p>I hesitate to mention this, as I didn&#8217;t purchase the WDTV for applications, but it bears mentioning.  This device supports games and apps, including YouTube, Facebook and Netflix. I briefly tried the Netflix and YouTube options and they appeared to work as expected; I did not try the Facebook app, and felt that including Facebook on a media client was excessive.  I can&#8217;t imagine using my media client to check Facebook when I have phones, laptops and full-size computers for that.</p>
<h2>Final Verdict</h2>
<p>To summarize the total experience of the WD TV Live Plus, let&#8217;s break down the experience into the Good and the Bad. It may be cliche to do it, but it works well.</p>
<h3>The Good</h3>
<ul>
<li>Small Form Factor</li>
<li>Includes remote, component and composite cables and battery</li>
<li>Supports HDMI, DVI (via HDMI to DVI cable), Composite and Component connections.</li>
<li>Includes TOSLINK optical audio out for connectivity to a surround sound system.</li>
<li>Plays a wide variety of video formats: AVI (Xvid, AVC, MPEG 1, 2 and 4), WMV9, VC-1, MPEG/MPG, VOB (DVD), MKV, TS/TP/M2T, MP4/MOV and M2TS.  I have not tested DivX format as I don&#8217;t have any DivX formatted media.</li>
<li>Plays a wide variety of audio formats: MP3, WAV, PCM, LPCM, WMA, AAC, FLAC, MKA, AIF/AIFF, OGG, Dolby Digital.</li>
<li>Picture is clear regardless of connector type</li>
<li>Menu navigation is easy and intuitive without clutter.</li>
</ul>
<h3>The Bad</h3>
<ul>
<li>No HDMI cable included in kit.</li>
<li>Networking requires a NetBIOS browse master, and setup can be daunting for non-Linux networks or inexperienced users.</li>
<li>Will not play DRM protected content.</li>
<li>No Web-based interface or control application.</li>
</ul>
<h3>My Thoughts</h3>
<p>The WDTV Live Plus is a great addition to the network and will work very well for playing media. After getting the network issue resolved, this device has performed flawlessly for the last week.  I have started a project to rip all my DVDs to the NAS so I can watch all my movies and TV shows without having to touch a single DVD disc.  This product gets a firm thumbs up from me.</p>
<h3>My Girlfriend&#8217;s Thoughts</h3>
<p>Of course, being a geek means I have a high tolerance for making stuff work, but since I live with my girlfriend, it doesn&#8217;t get a thumbs up if she can&#8217;t use it.  In this particular case, she liked the menu configuration and ease of navigation.  She was able to look at video content with very little prompting from me unlike the initial case of the failed XBMC attempt. The WDTV Live &#8220;just worked&#8221; and she was very pleased with it.  She says it&#8217;s definitely Girlfriend Approved and she can&#8217;t wait until I get the DVDs ripped.</p>
<p>In the next month or so, I will provide a follow-up on how to establish a NetBIOS browse master, rip and encode DVDs, and set up fileshares in Windows so you can use your WDTV effectively.  Apart from the initial configuration issue, this device is cheap in cost without being cheap on features. It is a well designed product that will help integrate computer media into your existing entertainment system without significantly impacting your wallet or your sanity.</p>
<h2><strong>Verdict:  Buy!</strong></h2>
<p>Cost: around $100, sometimes on sale for around $70-80</p>
<p>Availability: Most online retailers, and some brick-and-mortar stores like Best Buy, Fry&#8217;s, etc.</p>
<p>Have fun!</p>
<p>FIRESTORM_v1</p>
]]></content:encoded>
			<wfw:commentRss>http://www.yourwarrantyisvoid.com/2011/08/26/reviews-wd-tv-live-plus/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Networking: Duplicating Drops in structured wiring</title>
		<link>http://www.yourwarrantyisvoid.com/2011/07/29/networking-duplicating-drops-in-structured-wiring/</link>
		<comments>http://www.yourwarrantyisvoid.com/2011/07/29/networking-duplicating-drops-in-structured-wiring/#comments</comments>
		<pubDate>Fri, 29 Jul 2011 18:13:04 +0000</pubDate>
		<dc:creator>firestorm_v1</dc:creator>
				<category><![CDATA[Hardware]]></category>
		<category><![CDATA[How-To's]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[patch cord]]></category>
		<category><![CDATA[router]]></category>

		<guid isPermaLink="false">http://www.yourwarrantyisvoid.com/?p=952</guid>
		<description><![CDATA[Structured wiring in businesses and the enterprise are as expected as the sun shining and a regular paycheck, however in the home a structured wiring solution can be an unexpected gift from the Gods of Ethernet.  While structured wiring in an apartment complex is usually done central to a utility closet or shelf, sometimes the [...]]]></description>
			<content:encoded><![CDATA[<p><img class="aligncenter size-medium wp-image-953" title="Networking" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/07/DSCF2103-300x225.jpg" alt="Networking" width="300" height="225" /></p>
<p>Structured wiring in businesses and the enterprise is as expected as the sun shining and a regular paycheck; in the home, however, a structured wiring solution can be an unexpected gift from the Gods of Ethernet.  While structured wiring in an apartment complex is usually run to a central utility closet or shelf, that central point isn&#8217;t always convenient for your router, or you may find yourself needing to run multiple networks.  In this tutorial, I will show you how to turn one structured wiring drop into two drops for carrying two different network segments, something that can be of benefit should you ever need it.<span id="more-952"></span></p>
<h3>What these splitters do and what they don&#8217;t do.</h3>
<p>Before we begin slicing up cables, it&#8217;s important to understand what is going on here so you can decide whether this will work for you.  Generally speaking, these splitters are for carrying two <strong>different</strong> networks over the same drop. If you simply want more connections to your home network and are not doing anything special, you will more than likely want to save some time and get a mini-switch instead.  Here&#8217;s a rundown of scenarios where you should and should not consider these splitters:</p>
<p>These splitters would be a good idea for the following scenarios:</p>
<ul>
<li>Moving your router from the default ingress point.  In my case, the central &#8220;panel&#8221; is in the utility closet, but I want my router on my desk.  I use the &#8220;1&#8221; portion of the splitter to transport the WAN segment to the WAN port of my router, then use the &#8220;2&#8221; portion of the splitter to transport the LAN segment to a mini-hub in the closet to activate the rest of the jacks in the house.</li>
<li>Moving a &#8220;hostile&#8221; segment or Guest network to another location.  An example would be having a router installed at the ingress point and using a splitter to transport a &#8220;Guest Network&#8221; and a &#8220;LAN&#8221; connection via the same drop.  In this case, the Guest Network feeds an open access point, while the LAN feeds a desktop computer. In this application, the Guest Network is kept physically separate from the LAN via the splitters but allows you to position the access point somewhere more convenient while maintaining the availability of the LAN.</li>
<li>Transporting two Ethernet drops to a managed switch located in a central closet.  This allows per-port monitoring and administration of both drops individually, as opposed to a mini-switch, where any change applies to every device attached to it.</li>
</ul>
<p>These splitters would not be a good idea for the following scenarios:</p>
<ul>
<li>Creating more Ethernet ports for the same network when you are not using a managed switch.   If you are plugging two devices into your LAN at the same location, just use a mini-switch and save yourself the trouble. There&#8217;s no benefit to using splitters in a non-managed switch environment, and you may incur the additional cost of a second mini-switch to split the connections off at the central panel anyway.</li>
<li>You are using Gigabit Ethernet and do not want to drop the line speed in the location you are looking at.</li>
<li>You are using Power over Ethernet at this location and do not want to move the power supply.</li>
</ul>
<h3>A little bit on structured wiring and Ethernet standards</h3>
<p>In a structured wiring environment, a &#8220;drop&#8221; is the term for a 4-pair (8-wire) cable run through ceilings, walls, etc. from a properly terminated faceplate to a properly terminated central wiring panel (usually a patch panel of some sort).  It&#8217;s called structured wiring because the wiring is usually planned out first, with attention to detail and to the locations of equipment like access points, computers, etc.  Generally speaking, if you are in a structured wiring location and you see an RJ-45 jack marked &#8220;Cat-5&#8221;, this means that it&#8217;s an Ethernet jack and that the cabling and connectors comply with the Cat-5 standard.</p>
<p>Speaking of wiring standards, you may want to <a title="Network Wiring Standards" href="http://www.zytrax.com/tech/layer_1/cables/tech_lan.htm" target="_blank">take a look at this link</a> which provides more detail into the wiring convention commonly used in structured wiring for Ethernet networks.</p>
<p>In standard 10/100 Ethernet cabling that uses an RJ-45 jack, you have two wires (a pair) for transmit and two wires (a pair) for receive.  In most locations, the extra two pairs (four wires) are simply left idle and untouched. In rare situations (at least with residential equipment) these spare pairs are used for Power over Ethernet, which delivers power over them to a network device where a standard &#8220;wall-wart&#8221; power supply is not convenient. This requires special adapters (not unlike our splitters) to send power and network connectivity over the same drop, then split them again at the device end.   As mentioned before, if you are using PoE to feed a device over a drop that you need two connections for, you will either need to move the PoE power supply to another location or use our splitter elsewhere.</p>
<p>Unfortunately, Gigabit Ethernet requires all four pairs for sending and receiving at Gig-E speeds. If you are not willing to move the Gig-E device and are not willing to drop the speed to 10/100, you will need to use the splitter elsewhere.</p>
<h3>Do the Splits!</h3>
<p>In order to pull this off, you will need the following:</p>
<ul>
<li>Two Cat-5 patch cords</li>
<li>An RJ45 crimper</li>
<li>Four RJ45 Crimp Ends suitable for the wire in your patch cords. (more if you are new at this, just in case)</li>
<li>Heatshrink that is big enough to accommodate twice the diameter of your patch cords.</li>
<li>Lighter</li>
<li>Diagonal cutters</li>
<li>Sharpie (not pictured)</li>
<li>Cat-5 tester (Optional, not pictured)</li>
<li>Cat-5 Female to Female junction adapter (optional, not pictured)</li>
</ul>
<div id="attachment_954" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/07/DSCF2094.jpg"><img class="size-medium wp-image-954" title="Tools" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/07/DSCF2094-300x225.jpg" alt="Tools" width="300" height="225" /></a><p class="wp-caption-text">Tools</p></div>
<p>To start off, cut one CAT-5 end off of your patch cord and determine how far back you want to strip the jacket off.  In my example, I wanted this splitter to go next to a managed switch where the ports are close together so I used about 8 inches which leaves about 4 inches for each &#8220;branch&#8221;.   If you are using a pocket switch and a computer, you may want to use one foot (12 inches) which leaves you with two 6 inch branches.</p>
<p>Start snipping the jacket of the patch cord, paying close attention to not damage any of the wires underneath. If you do snip a wire, cut the rest of them at the same length and repeat the process.   Once you have managed to snip the jacket clean, begin pulling the jacket off of the cable in one piece.  When completed, you should have eight wires similar to the below picture.</p>
<div id="attachment_955" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/07/DSCF2098.jpg"><img class="size-medium wp-image-955" title="Stripped Wiring" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/07/DSCF2098-300x225.jpg" alt="Stripped Wiring" width="300" height="225" /></a><p class="wp-caption-text">Stripped Wiring</p></div>
<p>Split the wires into two groups.  Separate the White/Blue and the White/Brown pairs from the White/Green and White/Orange pairs.  Slip the heatshrink tube over all four pairs down past the cut jacket.</p>
<p>Fold the stripped away jacket in half and cut at the half line.  Slip one piece of the jacket over the White/Blue and White/Brown pairs, and thread the White/Green and White/Orange pairs through the remaining piece of the jacket.  Use the image below as a guide.</p>
<div id="attachment_956" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/07/DSCF2099.jpg"><img class="size-medium wp-image-956" title="Wires threaded through Jacket" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/07/DSCF2099-300x225.jpg" alt="Wires threaded through Jacket" width="300" height="225" /></a><p class="wp-caption-text">Wires threaded through Jacket</p></div>
<p>Slide the two jacket pieces down as far as they will go, then push the heatshrink tube at least one inch past the split.  This will toughen the split to ensure it doesn&#8217;t fall apart with use.  Use the lighter to shrink the tubing around the three pieces of jacket.</p>
<p>Now for the fun part.  At the ends of the two pieces of jacket, you now have one piece with a White/Blue pair and a White/Brown pair and another piece with White/Orange and White/Green. We need to put ends on these wires so we can start using them.  Start off by spreading the wires out and untwisting them like in the image below.</p>
<div id="attachment_957" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/07/DSCF2100.jpg"><img class="size-medium wp-image-957" title="Separated Wires" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/07/DSCF2100-300x225.jpg" alt="Separated Wires" width="300" height="225" /></a><p class="wp-caption-text">Separated Wires</p></div>
<p>Trim the wires so that there is approximately one inch sticking out of the jacket and make sure that the wires are laid out like so:</p>
<ul>
<li>Solid Green (or green with white dots)</li>
<li>White/Green &#8211; white wire with green stripe</li>
<li>Solid Orange (or orange with white dots)</li>
<li>White/Orange &#8211; white wire with orange stripe</li>
</ul>
<p>The important part is when you insert them into the crimp end, the solid green wire must go into position 3, and the rest will go into positions 6, 7 and 8 as shown below.  Please take note that the orientation of the RJ-45 crimp end is that the spring clip is pointing towards you, and the wiring enters from the left.</p>
<ul>
<li>Position 1 &#8211; Blank</li>
<li>Position 2 &#8211; Blank</li>
<li>Position 3 &#8211; Solid Green</li>
<li>Position 4 &#8211; Blank</li>
<li>Position 5 &#8211; Blank</li>
<li>Position 6 &#8211; White/Green</li>
<li>Position 7 &#8211; Solid Orange</li>
<li>Position 8 &#8211; White/Orange</li>
</ul>
<p>Before you crimp the RJ45 onto the wires, hold the whole thing up to a bright light and ensure that the wires are long enough to hit the end of the connector.  Sometimes, a bad crimp can result if the wires are too short.  Use the below image as a reference and take some time to make sure your wiring is correct.  If all looks good, go ahead and crimp!</p>
<div id="attachment_958" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/07/DSCF2101.jpg"><img class="size-medium wp-image-958" title="Visual Inspection" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/07/DSCF2101-300x225.jpg" alt="Visual Inspection" width="300" height="225" /></a><p class="wp-caption-text">Visual Inspection</p></div>
<p>Now for the White/Blue and White/Brown pairs, you must perform the same process, except this time the White/Brown pair takes the place of the White/Orange pair and the White/Blue pair substitutes for the White/Green.  Our wiring diagram changes to the following:</p>
<ul>
<li>Position 1 &#8211; Blank</li>
<li>Position 2 &#8211; Blank</li>
<li>Position 3 &#8211; Solid Blue (or Blue wire with White dots)</li>
<li>Position 4 &#8211; Blank</li>
<li>Position 5 &#8211; Blank</li>
<li>Position 6 &#8211; White/Blue</li>
<li>Position 7 &#8211; Solid Brown (or Brown wire with White dots)</li>
<li>Position 8 &#8211; White/Brown</li>
</ul>
<p>Do the same inspection as you did for the first crimp and check, recheck and crimp your second connector.    Mark the crimp with the White/Orange and White/Green wires as &#8220;1&#8221; and the other crimp with the White/Blue and White/Brown wires as &#8220;2&#8221;.  This will be important later on when you implement your splitters.</p>
<h3>Do it again, Sam!</h3>
<p>Now that you have one splitter, go ahead and do it again with the other Cat-5 patch cord.  When you are done, your patch cord should look like the following image.</p>
<div id="attachment_959" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/07/DSCF2097.jpg"><img class="size-medium wp-image-959" title="Finished Splitter" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/07/DSCF2097-300x225.jpg" alt="Finished Splitter" width="300" height="225" /></a><p class="wp-caption-text">Finished Splitter</p></div>
<h3>Final Thoughts</h3>
<p>Now that you have a pair of these splitters, you should be able to enjoy a bit more freedom when setting up your network in a structured wiring environment where additional cable runs are simply not feasible.  In my particular installation, I am using my splitters to feed the router&#8217;s output that carries VLAN tagged traffic into a managed switch.  The other leg of the splitter goes back to the wiring closet to feed a mini-switch with network connectivity.  VLAN tagged traffic will not traverse a non-managed switch, so for me this was the only way to use my VLAN tagged network and my &#8220;primary&#8221; network without having to give up either.  Below is an image of my splitter feeding my 24 port switch. Yes, the switch is on; the flash just washed out the lights.</p>
<div id="attachment_960" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/07/DSCF2102.jpg"><img class="size-medium wp-image-960" title="Installed Splitter" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/07/DSCF2102-300x225.jpg" alt="Installed Splitter" width="300" height="225" /></a><p class="wp-caption-text">Installed Splitter</p></div>
<p>I hope you enjoyed this quick post as much as I enjoyed making the splitters.  Reply to this post and tell others how you intend to use your splitters.</p>
<p>Happy Hacking!</p>
<p>FIRESTORM_v1</p>
]]></content:encoded>
			<wfw:commentRss>http://www.yourwarrantyisvoid.com/2011/07/29/networking-duplicating-drops-in-structured-wiring/feed/</wfw:commentRss>
		<slash:comments>11</slash:comments>
		</item>
		<item>
		<title>CVS Netbook Revisited</title>
		<link>http://www.yourwarrantyisvoid.com/2011/07/25/cvs-netbook-revisited/</link>
		<comments>http://www.yourwarrantyisvoid.com/2011/07/25/cvs-netbook-revisited/#comments</comments>
		<pubDate>Mon, 25 Jul 2011 16:42:40 +0000</pubDate>
		<dc:creator>firestorm_v1</dc:creator>
				<category><![CDATA[Embedded devices]]></category>
		<category><![CDATA[Hardware]]></category>
		<category><![CDATA[How-To's]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[netbook]]></category>
		<category><![CDATA[Sylvania]]></category>

		<guid isPermaLink="false">http://www.yourwarrantyisvoid.com/?p=906</guid>
		<description><![CDATA[A few months ago, I posted a hardware teardown of the CVS Sylvania Netbook pictured above. After working with it and performing a lot of research on it, I promised a follow up article, and here it is.  To sum it all up, with a bit of modification to the software, a spare SD card [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: center;"><img class="size-medium wp-image-751 aligncenter" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/01/2011-01-06-17.11.07-300x225.jpg" alt="" width="300" height="225" /></p>
<p>A few months ago, I posted a hardware teardown of the CVS Sylvania Netbook pictured above. After working with it and performing a lot of research on it, I promised a follow-up article, and here it is.  To sum it all up, with a bit of modification to the software, a spare SD card and a lot of patience, you can actually turn this thing into a somewhat useful Linux device.  There are also some improvements and suggestions for the Windows CE side of things, should you decide to keep using it in its default state.</p>
<p><span id="more-906"></span></p>
<p>When I posted the original teardown, I was somewhat distressed at how little information there was for this device. There was a ton of &#8220;marketing&#8221; material online but very few real-world posts.  This appears to have changed, and although most of the reviews lambasted the device as horribly designed and underpowered, I have found that for the price I paid for it, it&#8217;s not bad at all.  In this article, we will be focusing on software because, as much as I&#8217;d like to say I&#8217;ve done a lot of hardware mods to this thing, the truth of the matter is that I haven&#8217;t.  Time has continued to get away from me and I&#8217;ve had to put a lot of projects on hold.  But let&#8217;s not start this article off on a downbeat.</p>
<p>In the three months that I&#8217;ve been doing research on the Sylvania Netbook, I have uncovered a lot of information that can help turn this machine into a pretty useful piece of equipment.  The fact that it has a pretty decent battery in and of itself should be enough to justify the time invested in fine-tuning it.</p>
<h2>1: Windows CE</h2>
<p>In my research, there have been two key complaints against the Sylvania netbook in regards to a &#8220;stock&#8221; configuration.  The first complaint has been that it is running Windows CE (affectionately called &#8220;WinCE&#8221;) and the second being that the WinCE installation is really badly implemented.</p>
<ul>
<li>The key thing to remember when working with Windows CE is that <strong>Windows CE is NOT Windows like on your desktop or &#8220;normal&#8221; laptop!</strong> Windows CE was designed for small form factor devices and although it shares the same name as its bigger brother desktop OS, <strong>Windows CE can not run native Windows applications.</strong> This appears to be the biggest hurdle in locating user software for the device: people download software, and when they get it onto the netbook they are thrown off by an error message stating it&#8217;s not a &#8220;valid&#8221; application.  Consider it like taking a program designed for MacOS and attempting to get it running in Windows XP.  It ain&#8217;t gonna happen.  That being said, there <strong>are</strong> Windows CE applications out there, however the pickings are slim.</li>
</ul>
<ul>
<li>The other issue with the stock Windows CE installation is that the OS software is so badly implemented on the netbook that most things that should work, don&#8217;t.  Thankfully for us there is a patch available that will make things easier.  From my research, the patch addresses several performance issues with the core OS and includes several updates to the built-in applications as well as an update to Internet Explorer.  Unfortunately, IE will still render mobile sites by default, but the rendering won&#8217;t take as long.  The patch also fixes the issue with the wireless card not being able to properly associate with WPA/WPA2 secured networks, and DHCP release/renew works as expected.  I have uploaded the patch; the download link is in the instructions below.  You will need a spare SD card at least 128MB in size.</li>
</ul>
<p>Here&#8217;s how to download and perform the OS update:</p>
<ol>
<li>Download the patch from here:  <a href="http://www.yourwarrantyisvoid.com/downloads/files/sylvania_smartbook_OS_update.zip" target="_blank">sylvania_laptop_OS_update.zip</a></li>
<li>Extract the executable to an SD card.</li>
<li>Insert the SD card into the Sylvania netbook.</li>
<li>Browse to the SD card slot (Computer -&gt; SD Card)</li>
<li>Launch the patch and follow the on screen prompts.</li>
</ol>
<h2>2: On the Linux side of things&#8230;</h2>
<p>When I did my original research, I was fortunate to have come by a site dedicated to a Linux distribution made solely for the WM8505 series devices like the Sylvania Netbook. The site and the distribution were called Bento Linux and much like the Japanese namesake, the distribution was very small and was designed to be able to run within the computer&#8217;s limited spec.  Unfortunately, the site www.bento-linux.org no longer exists but thankfully I still have the documentation and files needed to pull it off.  If you are the owner of bento-linux.org and are willing to give me the site files, I would be more than happy to host it here. Please contact me in the comments.</p>
<p>One of the added benefits of Bento-Linux is that, unlike some replacement OS installations, this is a sidecar installation, meaning that all work is done on the SD card.  If you want to boot to Windows CE, halt the Linux OS, pop out the SD card and power the Netbook back on, and you&#8217;re up and running like nothing happened.  Although the Bento Linux site did have instructions for performing an installation to the device&#8217;s flash RAM, it is not recommended: if you accidentally mess up the Linux distribution, there may be no recovery. In a sidecar installation, you can pop the SD card into another device, make your changes, then put the SD card back into the netbook and you&#8217;re up and running again.</p>
<p>Although the site claimed that the distro could run on a 512MB SD card, I will up the recommendation to at least a 2GB card.  Prices are low and SD cards are very commonplace, so it&#8217;s worth getting a larger card.  I started out on a 2GB SD card, but later upgraded to a 4GB Microdrive and noticed a significant performance increase going from solid-state memory to a USB Microdrive. Your mileage will vary, but I recommend sticking with an SD card first, then performing upgrades and additional installations as needed later on.  As far as USB devices are concerned, you can use any USB storage device/keydrive that is recognized by the usb mass-storage driver in Linux.</p>
<p>Please note that the version of Bento I was running is usable however it did not appear that the sound card was operational. Since I am intending to use this as an external serial console, this was not a deal breaker for me.</p>
<h3>Installation (SD Card Only)</h3>
<p>Bento-linux comes in two parts. One part goes on a FAT16 partition placed at the beginning of the SD card and contains the boot commands that tell u-boot (the Netbook&#8217;s bootloader) how to boot the Linux kernel and the root filesystem.  The other part contains the Linux kernel and the root filesystem on an EXT3 partition and holds all the files needed to run Linux.</p>
<ol>
<li>You will need to start with an SD card at least 1GB in size.  I used a 2GB which gave me some room to play around on and of course the bigger, the better.</li>
<li>Partition the SD card with a 20MB FAT16 partition at the beginning of the card and the rest of the disk space can be allocated for an EXT3 partition.  Do not create a swap partition.</li>
<li>Download the file <a title="FAT partition for Bento Linux" href="http://www.yourwarrantyisvoid.com/downloads/files/fatpart.tgz" target="_blank">fatpart.tgz</a> and extract it into the root of the FAT partition on the SD card.</li>
<li>Download the file <a title="EXT3 partition file for Bento Linux" href="http://www.yourwarrantyisvoid.com/downloads/files/extpart.tgz" target="_blank">extpart.tgz</a> and extract it into the root of the EXT3 partition of the SD card.</li>
<li>Unmount the card, insert it into the Sylvania&#8217;s SD card slot and power on the machine. It should boot the Bento Linux distribution.</li>
</ol>
<h3>Installation (SD Card + USB stick)</h3>
<p>This setup does not require special partitioning, however it does require that the SD card be formatted FAT16.   You will also need a USB storage device formatted EXT3.</p>
<ol>
<li>Download the file <a href="http://www.yourwarrantyisvoid.com/downloads/files/fatpartusb.tgz" target="_blank">fatpartusb.tgz</a> and extract it to the root of the FAT formatted SD card.</li>
<li>Download the file extpart.tgz and extract it to the root of the EXT3 formatted USB stick (or hard drive).</li>
<li>Insert the SD card into the Sylvania&#8217;s SD slot and insert the USB stick into a free USB port on the Sylvania.</li>
</ol>
<p>In either instance, when you first boot the distro, it will simply bring you to a console prompt and you are good to go.  There are a couple of things you may want to do:</p>
<ul>
<li>(Pretty much required)  Set a root password.</li>
<li>Install fluxbox (light weight graphical interface) and wicd for wireless control.</li>
<li>Install aurora (lightweight firefox lookalike)</li>
<li>Install other applications through apt-get as desired.</li>
</ul>
<p>Although the bento-linux site is no longer in existence, it appears that all the repositories that come with the distribution point to the ARM ports of the official Debian repositories.  Before the site went offline, I saw a note that Bento-Linux had the sources for the WM8505; however, it appears that VIA has recently released the sources for the WM8585/VT8505 chips that drive the netbook, so if you have any custom drivers, there now seems to be an easier method for getting them compiled in.  I am not a kernel compiler expert so I can&#8217;t advise on this process, however some brief research does seem to indicate that there is some element of truth to this.</p>
<h3>Linux Impressions and final words</h3>
<p>After getting the Bento Linux distribution working comfortably on the netbook, I played around with it and made some tweaks here and there that did give a notable boost in performance.   If you are using a spinning-platter form of storage, creating a swap file or swap partition is recommended as it will give you a performance boost.  Making a swap file on the SD card or on a solid-state USB drive is not recommended because of the performance hit when writing to these devices and also because of the &#8220;burn-in&#8221; that occurs when a storage cell is written to frequently.  I found that the device works decently enough for quick tasks and light webpages, however it will not handle Flash at all, nor will it be able to render sites with large amounts of images.  In my testing, I was able to use this device to configure Cisco switches and other devices through a USB-Serial adapter and Linux&#8217;s &#8220;minicom&#8221; terminal emulator.</p>
<p>While I believe it was a valiant effort by Sylvania to enter the netbook market, I do believe that they should have done more research.  The Sylvania netbook, even running Linux and with all the performance tweaks mentioned, is still easily beaten by Asus&#8217; first offerings in the netbook market. The two biggest things that seem to harm this device are the lack of RAM in the system (mine only has 128MB RAM) and the sub-par processor running at less than 1GHz.  If you have one, then you may be able to make it work for you, however if you are considering one, I&#8217;d steer clear.  It&#8217;s not worth the price they are asking for it at CVS.</p>
<p>A couple of comments left by Syed and Dave on the original CVS netbook post indicate that there are people out there who have been able to get Android running on this device.  If you have information or an article written on how you did it, let me know in the comments.  I&#8217;m interested in trying it out and finding out what works on this machine.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.yourwarrantyisvoid.com/2011/07/25/cvs-netbook-revisited/feed/</wfw:commentRss>
		<slash:comments>30</slash:comments>
		</item>
		<item>
		<title>Building Snort and Nessus &#8211; Ubuntu IDS Part 3</title>
		<link>http://www.yourwarrantyisvoid.com/2011/05/20/building-snort-and-nessus-ubuntu-ids-part-3/</link>
		<comments>http://www.yourwarrantyisvoid.com/2011/05/20/building-snort-and-nessus-ubuntu-ids-part-3/#comments</comments>
		<pubDate>Fri, 20 May 2011 16:01:31 +0000</pubDate>
		<dc:creator>firestorm_v1</dc:creator>
				<category><![CDATA[Hardware]]></category>
		<category><![CDATA[How-To's]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.yourwarrantyisvoid.com/?p=851</guid>
		<description><![CDATA[&#160; In this final article in the three part Ubuntu IDS series, we will go over installing, compiling and configuring Snort and Nessus on our new IDS device.  We will use Snort to analyze traffic as seen by the IDS and we will use Nessus to perform vulnerability testing on the network. The process for [...]]]></description>
			<content:encoded><![CDATA[
<p><a rel="attachment wp-att-852" href="http://www.yourwarrantyisvoid.com/2011/05/20/building-snort-and-nessus-ubuntu-ids-part-3/watchtower/"><img class="aligncenter size-medium wp-image-852" title="Watchtower" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/03/Watchtower-300x199.jpg" alt="" width="300" height="199" /></a>In this final article in the three part Ubuntu IDS series, we will go over installing, compiling and configuring Snort and Nessus on our new IDS device.  We will use Snort to analyze traffic as seen by the IDS and we will use Nessus to perform vulnerability testing on the network. The process for installing Snort will also cover installing SnortReport provided by Symmetrix Technologies so we can translate Snort&#8217;s cryptic messages into a more readable format that we can take action on.  Read on as we wrap up the installation and finish our IDS device.</p>
<p><span id="more-851"></span>This article is divided into three sections. The first section will cover installing Snort, then we will move on to customizing Snort beyond the steps covered in the first section for our specific installation.  Finally we will end with installing Nessus.</p>
<h2>1:  Installing Snort</h2>
<p>Admittedly, this was the longest part in the series. I had tried manually to compile and install Snort from sources over and over again and wasn&#8217;t getting anywhere fast.  I had performed research over and over again on what options to use and was no further along than when I had unzipped the sources.  Luckily my research finally turned up a complete HOWTO article written by Symmetrix Technologies which provided instructions on how to compile and set up Snort.  You can download their HOWTO from this site:  <a href="http://www.symmetrixtech.com/download.html">http://www.symmetrixtech.com/articles/004-snortinstallguide286.pdf</a></p>
<p><strong>There are some discrepancies that you must take note of:</strong> If you are using the bonded interface as described in the prior articles, you will need to use the interface &#8220;bond0&#8221; instead of the document&#8217;s provided eth1 interface for monitoring.  If you monitor an ethX interface, you will only get half of the conversation, and since most of Snort&#8217;s ability to detect traffic relies on analyzing stimulus and the responses to that stimulus, you will be severely cutting down on Snort&#8217;s effectiveness.</p>
<h2>2: Snort Tuning</h2>
<p>If you&#8217;re this far in, then it&#8217;s safe to assume that you have already downloaded Snort, the associated ruleset and have SnortReport installed and running.  There are some things that the Snort installation howto did not entirely touch on and these are things that we will cover here.</p>
<p><strong>Adding BPF to /etc/init.d/rc.local</strong></p>
<p>One of the things missing from the Installation HOWTO was to add a BPF expression to the snort command line. BPF stands for &#8220;Berkeley Packet Filter&#8221; and is used by Snort and tcpdump to control what traffic is being analyzed by the respective tool.  In our configuration, we need to add an exception for the IDS&#8217;s management traffic otherwise when we install and run Nessus, we will end up triggering a ton of alerts.</p>
<p>Edit the /etc/rc.local file and locate the snort line.  Add &#8220;not host 192.168.0.253&#8221; to the end of the snort line, replacing 192.168.0.253 with the IP of the management interface of your IDS. This is the BPF syntax that tells Snort to monitor your network but not the IP of your IDS device. By adding it to the end of the snort command, we are effectively telling Snort not to listen to the traffic generated by Nessus when we decide to fire it off.</p>
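<p>The hand edit above has two traps: if the snort line already carries a BPF expression, a bare trailing &#8220;not host X&#8221; changes its meaning instead of narrowing it (the two must be joined with &#8220;and&#8221;), and running the edit twice leaves a duplicated clause. The helper below, an added example that is not part of the article or of Snort, makes the same edit programmatically and handles both cases. The sample rc.local and the snort options in it are constructed for the example; use whatever snort line the install guide had you write.</p>

```python
import ipaddress


def exclude_host(bpf, host):
    """Return a BPF expression that also drops all traffic to or from host.

    An empty expression becomes "not host X". An existing expression is
    parenthesised and joined with "and", so its original meaning is kept
    instead of being silently changed by a bare trailing "not host X".
    Calling this twice with the same host does not duplicate the clause.
    """
    ipaddress.ip_address(host)          # raises ValueError on a bad address
    clause = "not host " + host
    bpf = bpf.strip()
    if not bpf:
        return clause
    if clause in bpf:
        return bpf
    return "(" + bpf + ") and " + clause


def patch_rc_local(text, host):
    """Append the exclusion to the snort command line in an rc.local file.

    Only lines whose first token is snort (or a path ending in /snort) are
    changed; comments and other commands are left alone, a trailing "&"
    stays last, and a second run over patched text returns it unchanged.
    """
    ipaddress.ip_address(host)
    clause = "not host " + host
    out = []
    for line in text.splitlines():
        tokens = line.split()
        is_snort = (bool(tokens) and not tokens[0].startswith("#")
                    and (tokens[0] == "snort" or tokens[0].endswith("/snort")))
        if is_snort and clause not in line:
            body = line.rstrip()
            if body.endswith("&"):                      # keep the backgrounding "&" last
                body = body[:-1].rstrip() + " " + clause + " &"
            else:
                body = body + " " + clause
            line = body
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample rc.local. The snort options are illustrative only;
# keep whatever line the Snort install guide had you put in your own file.
SAMPLE_RC_LOCAL = """\
#!/bin/sh -e
# rc.local: started at the end of each multiuser runlevel
/usr/local/bin/snort -D -i bond0 -c /etc/snort/snort.conf -u snort -g snort
exit 0
"""

if __name__ == "__main__":
    print(patch_rc_local(SAMPLE_RC_LOCAL, "192.168.0.253"))
```

<p>The address is validated with the standard library before it is spliced into a command line, so a typo in the management IP fails loudly rather than producing a filter that silently excludes nothing.</p>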
<p><strong>Password Protect SnortReport:</strong></p>
<p>Regardless of whether or not your IDS device can be reached from the Internet, there exist several vulnerabilities in SnortReport including one that allows potential code execution.  This could allow someone who knows you run SnortReport to execute code on your IDS, which would be counterproductive to our efforts.  Until SnortReport has been fixed by SymmetrixTech, we will have to use a more basic method of securing it.  In order to provide minimal protection for SnortReport, we will add .htaccess protection to the directory that SnortReport was installed in so that only authorized people will have access to SnortReport.</p>
<p>As root, we will use htpasswd to create the password file.  If you forget it later on, you can recreate the file easily using the below steps. Use the below command to make the password file and replace &#8220;joe&#8221; with that of your desired username.</p>
<p><strong># htpasswd -c /var/snortreportpasswd joe</strong></p>
<p>Now, we need to create a .htaccess file in /var/www/snortreport-1.3.1 to reference it.  Copy the below code and enter it into /var/www/snortreport-1.3.1/.htaccess and don&#8217;t forget the . in the filename.</p>
<pre>AuthName "SnortReport"
AuthType Basic
AuthUserFile /var/snortreportpasswd
Require valid-user
</pre>
<p>Finally, there is one more change we need to make to Apache2 to get the .htaccess protection working.  Edit /etc/apache2/sites-available/default and look for the clause that looks like the one below:</p>
<pre>&lt;Directory /var/www/&gt;
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
&lt;/Directory&gt;</pre>
<p>Change &#8220;<strong>AllowOverride None</strong>&#8221; to &#8220;<strong>AllowOverride All</strong>&#8221; and then restart apache2 via <strong>/etc/init.d/apache2 restart</strong>. Now try it out by going to http://(your IDS IP address)/snortreport-1.3.1/alerts.php. You should get a password prompt. Type in the password that you created using the htpasswd command earlier and you should see a green page that says SnortReport.</p>
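<p>To see what the .htaccess block above actually makes Apache do on every request to the SnortReport directory, here is the same check written out in Python. This is an added example, not code from the article or from Apache: it builds an AuthUserFile entry in htpasswd&#8217;s &#8220;{SHA}&#8221; format (what <strong>htpasswd -s</strong> writes), decodes the browser&#8217;s Basic Authorization header, looks the user up, and compares the password in constant time. The user &#8220;joe&#8221; is from the article; the password and the header values are constructed for the example.</p>

```python
import base64
import hashlib
import hmac


def htpasswd_sha_entry(user, password):
    """Build one AuthUserFile line, user:{SHA}base64(sha1(pw)), as htpasswd -s does."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return user + ":{SHA}" + base64.b64encode(digest).decode("ascii")


def load_htpasswd(text):
    """Parse AuthUserFile contents into {user: stored_hash}; blanks and comments are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        users[user] = stored
    return users


def check_password(stored, password):
    """True if password matches one stored {SHA} hash (constant-time compare)."""
    if not stored.startswith("{SHA}"):
        return False   # apr1/crypt/bcrypt are real htpasswd formats too, but not handled here
    expected = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")
    return hmac.compare_digest(stored[len("{SHA}"):], expected)


def authorize(header, users):
    """Apply 'Require valid-user' to one Authorization header value.

    Only a well-formed "Basic <base64(user:password)>" header naming a user
    in the file with the right password is accepted; anything malformed is
    treated as an anonymous request and refused.
    """
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except ValueError:                    # covers binascii.Error and UnicodeDecodeError
        return False
    if ":" not in decoded:
        return False
    user, password = decoded.split(":", 1)
    stored = users.get(user)
    return stored is not None and check_password(stored, password)


def basic_header(user, password):
    """What the browser sends after you type the credentials into the prompt."""
    return "Basic " + base64.b64encode((user + ":" + password).encode("utf-8")).decode("ascii")


# Constructed AuthUserFile contents: the user "joe" from the article with a
# made-up password, plus a comment line to show the parser skipping it.
SAMPLE_AUTHUSERFILE = "# /var/snortreportpasswd\n" + htpasswd_sha_entry("joe", "correct horse") + "\n"

if __name__ == "__main__":
    users = load_htpasswd(SAMPLE_AUTHUSERFILE)
    print("good password:", authorize(basic_header("joe", "correct horse"), users))
    print("bad password: ", authorize(basic_header("joe", "wrong"), users))
```

<p>The {SHA} format is used here only because it is deterministic and needs nothing beyond the standard library; for the real password file, htpasswd&#8217;s default MD5-based (apr1) format, or bcrypt via <strong>-B</strong> in newer htpasswd versions, is the better choice for a stored password. Also remember that Basic auth sends the credentials base64-encoded, not encrypted, on every request, so it only protects the page on a link you trust.</p>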
<p>When you first load the page, you will see two dropdowns for Timeframe and Day.  If your IDS has received any incidents, you will see it show the incidents here.   Clicking on the incident summary will show more details including the source and destination IP addresses. Clicking on the IP will return correlated events that include the source or destination IP you clicked on and will show packet payloads and IP addressing information.</p>
<p>Now that you have a way to read the incidents that the IDS receives, it&#8217;s up to you to decide whether or not the incidents generated are something to take action against. However, installing an IDS is only one half of the solution.  In order to be aware of the effect an attack may have on your network, you first must know what vulnerabilities exist on your network.  For that, we turn to the free vulnerability scanner, Nessus.</p>
<h2>3: Installing Nessus</h2>
<p>Nessus is widely used as a professional, commercial-grade vulnerability scanner. It can generate reports that indicate, per host, what vulnerabilities exist and can provide information on where to go to learn more about patching or mitigating the threat.  Keep in mind that while Nessus is often used on Linux, it is a commercial product.  It does have a home version, which we will be using in our installation; however, the home version can not be used in a commercial environment.</p>
<p>The Nessus HomeFeed provides your Nessus installation with the most up-to-date vulnerability detection methods and signatures.  Access to the HomeFeed does come at a cost, however the benefits of having a vulnerability scanner outweigh the loss of a couple of features. Most notably, one feature that is only available with their commercial feed is recurring scans: with the HomeFeed you can not tell the IDS to automatically scan your home network and generate reports on a regular schedule.  The only other limitation that I have been able to find is that scans are limited to 16 active hosts per report, so if you have 32 hosts, you will need to run two scans. Despite the two limitations mentioned above, Nessus is still a great scanner, and will work quite well for identifying vulnerabilities on your network.</p>
<p>All that being said, let&#8217;s get started.</p>
<p>First off, head to Tenable Security&#8217;s website at <a title="Nessus Security" href="http://www.tenable.com/products/nessus/nessus-homefeed" target="_blank">http://www.tenable.com/products/nessus/nessus-homefeed</a> and register to receive your activation code. Keep your email handy, you will need it later.</p>
<p>Next, head to <a href="http://www.tenable.com/products/nessus/nessus-download-agreement" target="_blank">http://www.tenable.com/products/nessus/nessus-download-agreement</a> and agree to the license, then download the Ubuntu debian package that is appropriate for your distribution.  Since this tutorial is based on using Ubuntu 10.04, I downloaded the Ubuntu 10.04 32 bit version. Although the filename says &#8220;ubuntu910&#8221;, this version was recommended by Tenable as the version to use for 10.04.</p>
<p>Now, SCP the installation package to the IDS and then use <strong>dpkg -i Nessus-4.4.1-ubuntu910_i386.deb</strong> to install it into the server. <strong>Please note:</strong> If your Ubuntu Server is running a 64 bit kernel, please download the 64bit version of Nessus.</p>
<p>Once installed, you will need to add a Nessus user to the service so you can log in.  Nessus users are separate from OS users, so you can have multiple Nessus users without having to add multiple users to the system.  To start this process, run <strong>/sbin/nessus-adduser</strong> and follow the prompts.  For the first user that you add, you will want to add an administrative user. This user will be able to adjust Nessus&#8217;s scan policies, behaviors and other settings within Nessus.</p>
<p>Now that you&#8217;ve added a user, you will need to register your Nessus installation using the HomeFeed code in your email.  Run the command <strong>/opt/nessus/bin/nessus-fetch --register &lt;Activation Code&gt;</strong> and allow it to complete the installation. Substitute <strong>&lt;Activation Code&gt;</strong> with the HomeFeed code in the email.  <strong>Please note:</strong> This step may take a considerable amount of time due to the fact that Nessus will download and update itself according to the HomeFeed subscription.  This only took about an hour on my system; your mileage may vary depending on Internet connectivity speeds.</p>
<p>Now that the Nessus service is installed, registered and updated, it&#8217;s time to test the installation.  Open a web browser and go to <strong>https://your-ids-ip-address:8834</strong> .  If you are running Firefox and are using Noscript, AdblockPlus or Flashblock, you will need to add exceptions for Javascript and Flash for the IDS IP.  This is required as the Nessus UI relies entirely on Javascript and Flash.</p>
<p>Now that you have Nessus installed, it is <strong>highly</strong> recommended to take a read through the Nessus User&#8217;s Guide: <a href="http://cgi.tenable.com/nessus_4.4_user_guide.pdf" target="_blank">http://cgi.tenable.com/nessus_4.4_user_guide.pdf</a>. While Nessus is a vulnerability scanner, some of the tests it performs can cause unpredictable results. It is recommended to set up a &#8220;safe&#8221; scan that performs basic testing and then set up a &#8220;full&#8221; scan for aggressive testing.</p>
<h3>How to read the scan results:</h3>
<p>Once you have made it through the User&#8217;s Guide and have performed your first scan, you can download or view the report.  The report is listed according to IP address, then service name, then vulnerability. Each vulnerability will include the service name, port, protocol, related CVE information (links to the CVE database for more information), as well as common fixes for the vulnerability.</p>
<p>I recommend taking a look at the vulnerability list in this order:</p>
<ol>
<li>Externally accessible services: A vulnerability in Apache that listens to the outside world threatens your internal network.  Address this first!</li>
<li>Internally accessible services on the same server as external services:  Should the external service be compromised, internal services could be used to further compromise the network.</li>
<li>Internally accessible services: A service listening internally may not pose much of a threat, but may be a possible point of compromise should another host get infected.  ( A common example is a weakness in older versions of Samba that would allow for remote code execution.)</li>
</ol>
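<p>The three-tier ordering above is easy to apply by hand to a handful of hosts, but it is also easy to encode so that a full report is sorted the same way every time. The following is an added example, not from the article or from Nessus: each finding is reduced to host, port, service, severity and whether the service is reachable from outside the edge router, and the list is ordered by tier first (external, then internal services on a host that also exposes something, then internal-only hosts) and by severity within a tier. The hosts, findings and the 0 to 4 severity scale are constructed for the example.</p>

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One row of a vulnerability report, reduced to what the triage order needs."""
    host: str
    port: int
    service: str
    severity: int       # constructed scale: 0 info .. 4 critical, higher is worse
    external: bool      # service reachable from outside the edge router


def exposure_tier(finding, hosts_with_external):
    """1 = external service, 2 = internal service on a host that also exposes
    something externally, 3 = internal service on an internal-only host."""
    if finding.external:
        return 1
    if finding.host in hosts_with_external:
        return 2
    return 3


def triage(findings):
    """Order findings by exposure tier first, then severity (worst first),
    with host and port as a stable tie-break."""
    exposed_hosts = {f.host for f in findings if f.external}
    return sorted(findings,
                  key=lambda f: (exposure_tier(f, exposed_hosts), -f.severity, f.host, f.port))


def worklist(findings):
    """Human-readable ordered list, one line per finding."""
    exposed_hosts = {f.host for f in findings if f.external}
    return ["tier %d  sev %d  %s:%d %s" % (exposure_tier(f, exposed_hosts), f.severity,
                                           f.host, f.port, f.service)
            for f in triage(findings)]


# Constructed sample report for a small home network (hosts and findings
# are made up for the example).
SAMPLE_FINDINGS = [
    Finding("files01", 445, "smb", 4, False),     # old Samba on an internal-only host
    Finding("web01", 3306, "mysql", 2, False),    # internal, but on the exposed host
    Finding("web01", 22, "ssh", 1, True),
    Finding("nas01", 80, "http", 2, False),
    Finding("web01", 443, "https", 3, True),      # the externally reachable Apache case
]

if __name__ == "__main__":
    for line in worklist(SAMPLE_FINDINGS):
        print(line)
```

<p>Note that the internal-only Samba finding is the most severe item in the sample yet lands fourth: the ordering deliberately puts reachability before raw severity, which is the point of the list above.</p>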
<p>Generally speaking, it is a good idea to keep up to date with all service packs, updates and patches as this will prevent any known exploits from turning into full-blown worms.  Remember, it only takes one vulnerability to get compromised.</p>
<h2>Final thoughts:</h2>
<p>This has definitely been quite a project. I have learned a whole lot about network security in the course of my GCIA training and in building this project. I honestly think that building an IDS device from scratch is a great way to get acquainted with network security and how to perform vulnerability assessments.  Using Snort Report to analyze suspicious traffic and incoming threats and using Nessus to identify vulnerabilities in your system will help your home network stay secure against the ever evolving threats going around the Internet.</p>
<p>Always remember that security is of no use if the warnings go unheeded.  While you don&#8217;t have to turn into a complete security nut, make it a good habit to take a look at Snort Report at least once a week.  Personally, I record the number of events logged and if it changes, I investigate further. I haven&#8217;t picked up any incidents in the last month, so for me it&#8217;s a pretty easy check.  If you find yourself with tons of IRC events and you don&#8217;t use IRC, it&#8217;s very possible that you have an active trojan on your hands, which warrants further investigation.</p>
<p>I hope you had fun and learned a lot from this project. I had a lot of fun building it and working out the kinks to make it all work together.  If you have any comments or questions, please leave me a comment and I&#8217;ll do my best to answer.</p>
<p>FIRESTORM_v1</p>
]]></content:encoded>
			<wfw:commentRss>http://www.yourwarrantyisvoid.com/2011/05/20/building-snort-and-nessus-ubuntu-ids-part-3/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Setting up bonding networking -Ubuntu IDS Part 2</title>
		<link>http://www.yourwarrantyisvoid.com/2011/05/04/building-an-ubuntu-ids-part-2/</link>
		<comments>http://www.yourwarrantyisvoid.com/2011/05/04/building-an-ubuntu-ids-part-2/#comments</comments>
		<pubDate>Wed, 04 May 2011 16:01:59 +0000</pubDate>
		<dc:creator>firestorm_v1</dc:creator>
				<category><![CDATA[Hardware]]></category>
		<category><![CDATA[How-To's]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.yourwarrantyisvoid.com/?p=847</guid>
		<description><![CDATA[In an earlier article, I demonstrated how you can build a passive monitoring device for an Ethernet network as the first part to a three part project to build a home IDS device.  In this article, the second in the series, I will describe how to set up the networking for an IDS using the [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-848" href="http://www.yourwarrantyisvoid.com/2011/05/04/building-an-ubuntu-ids-part-2/cctvwall/"><img class="aligncenter size-medium wp-image-848" title="CCTV Wall" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/03/CCTVwall-300x199.jpg" alt="" width="300" height="199" /></a></p>
<p>In an earlier article, I demonstrated how you can build a passive monitoring device for an Ethernet network as the first part of a three part project to build a home IDS device.  In this article, the second in the series, I will describe how to set up the networking for an IDS using the passive tap that I built earlier. This setup will involve using a technique called bonding to take two physical interfaces and bond them together, creating a logical interface that we can use for Snort.  This article will also explain the best location to place the tap and what you can expect to see once the networking is set up, using common Linux utilities like tcpdump.</p>
<p><span id="more-847"></span></p>
<h2>Requirements</h2>
<ul>
<li>A Passive Tap as mentioned in &#8220;<a href="http://www.yourwarrantyisvoid.com/2011/04/06/homeland-security-build-a-passive-ethernet-tap/" target="_blank">Build a Passive Ethernet Tap</a>&#8221; or similar device.</li>
<li>Three network cards or a single network card with  three interfaces.</li>
<li>A new installation of Ubuntu Server. (I am using Ubuntu Server 10.04LTS).</li>
<li>Beer. (Always)</li>
</ul>
<p>The requirements for this project aren&#8217;t that extensive and chances are you have most if not all the equipment you need in your parts bin. The most significant item in this list is the three network cards.  If you followed the steps in my first article in this series, you already have a machine with two or three network cards in it so you&#8217;re pretty much there. If not, then go ahead and get three network cards in your Ubuntu server and ensure that all three cards are properly recognized by the system even if there&#8217;s no IP address for them.</p>
<p>The first two network cards will be combined together to form the monitoring interface while the third card will be for our management interface.  The management interface will be assigned an IP address and will be how we access the server&#8217;s command line (via SSH), and the scanning and reporting tools we will install in Part 3.</p>
<h2>Getting things set up</h2>
<p>With the proper hardware in hand, we can now set about performing the configuration necessary to getting our interfaces configured properly. In the code below, you can see the interfaces (eth0, eth1 and eth2) and that eth0 has been configured with an IP address.  If you haven&#8217;t configured yours with an IP address, this will be covered while we perform the configuration.</p>
<pre>matt@ids-01:~$ ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:18:f3:18:1c:25 
 inet addr:192.168.0.222  Bcast:192.168.0.255  Mask:255.255.255.0
 inet6 addr: fe80::218:f3ff:fe18:1c25/64 Scope:Link
 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
 RX packets:45458 errors:0 dropped:0 overruns:0 frame:0
 TX packets:23861 errors:0 dropped:0 overruns:0 carrier:2
 collisions:0 txqueuelen:1000
 RX bytes:55984695 (55.9 MB)  TX bytes:2326303 (2.3 MB)

eth1      Link encap:Ethernet  HWaddr 00:e0:b6:00:a2:06 
 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
 RX packets:11505094 errors:2 dropped:0 overruns:0 frame:2
 TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:3057886364 (3.0 GB)  TX bytes:218 (218.0 B)

eth2      Link encap:Ethernet  HWaddr 00:e0:b6:00:a2:06 
 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
 RX packets:8061127 errors:1 dropped:0 overruns:0 frame:1
 TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:1434430796 (1.4 GB)  TX bytes:250 (250.0 B)

lo        Link encap:Local Loopback 
 inet addr:127.0.0.1  Mask:255.0.0.0
 inet6 addr: ::1/128 Scope:Host
 UP LOOPBACK RUNNING  MTU:16436  Metric:1
 RX packets:48 errors:0 dropped:0 overruns:0 frame:0
 TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:0
 RX bytes:3948 (3.9 KB)  TX bytes:3948 (3.9 KB)
</pre>
<p>In this output, you can see eth0 is my management interface as it has been assigned an IP, eth1 and eth2 are both going to become a new interface called bond0.  When we set up Snort, we will use bond0 as our monitoring interface so that way we can take advantage of Snort&#8217;s stateful analysis and because it will be critical for any network analysis to hear both sides of the conversation on the passive tap.</p>
<p>In order to set up bonding, we will need to install the <strong>ifenslave</strong> package.  As root, run the below command:</p>
<p># <strong>apt-get install ifenslave</strong></p>
<p>Once apt-get completes, let&#8217;s check a few things.  First, let&#8217;s take a look at <strong>/etc/modprobe.d/aliases.conf</strong>.  Make sure that the two lines below appear in the file:</p>
<pre>alias bond0 bonding
options bonding mode=0 miimon=100 downdelay=200 updelay=200</pre>
<p>If you will be making more than one bonding interface, you will need to add another alias line to coincide with the bond interfaces you wish to add (bond1, bond2, etc..) and you will need to add <strong>max_bonds=X</strong> to the end of the options line. Set X to the maximum number of bonding interfaces you will be using.</p>
<p>Now this is where things get interesting.  In order to test this out, we will bond the interfaces using the command below:</p>
<p><strong># ifenslave bond0 eth1 eth2</strong></p>
<p>It does not matter which order the two eth interfaces appear, however bond0 must come first.  This command tells the Linux kernel to take eth1 and eth2 and pair them together into a single interface (bond0).  Now that we have done that, <strong>ifconfig -a</strong> will present a new interface:</p>
<pre>root@ids-01:~# ifconfig -a
bond0     Link encap:Ethernet  HWaddr 00:e0:b6:00:a2:06 
 inet6 addr: fe80::2e0:b6ff:fe00:a206/64 Scope:Link
 UP BROADCAST RUNNING PROMISC MASTER MULTICAST  MTU:1500  Metric:1
 RX packets:19568527 errors:3 dropped:0 overruns:0 frame:3
 TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:0
 RX bytes:198240524 (198.2 MB)  TX bytes:468 (468.0 B)

eth0      Link encap:Ethernet  HWaddr 00:18:f3:18:1c:25 
 inet addr:192.168.0.222  Bcast:192.168.0.255  Mask:255.255.255.0
 inet6 addr: fe80::218:f3ff:fe18:1c25/64 Scope:Link
 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
 RX packets:45907 errors:0 dropped:0 overruns:0 frame:0
 TX packets:24117 errors:0 dropped:0 overruns:0 carrier:2
 collisions:0 txqueuelen:1000
 RX bytes:56024505 (56.0 MB)  TX bytes:2411029 (2.4 MB)

eth1      Link encap:Ethernet  HWaddr 00:e0:b6:00:a2:06 
 UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
 RX packets:11506043 errors:2 dropped:0 overruns:0 frame:2
 TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:3058301702 (3.0 GB)  TX bytes:218 (218.0 B)

eth2      Link encap:Ethernet  HWaddr 00:e0:b6:00:a2:06 
 UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
 RX packets:8062484 errors:1 dropped:0 overruns:0 frame:1
 TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:1434906118 (1.4 GB)  TX bytes:250 (250.0 B)

lo        Link encap:Local Loopback 
 inet addr:127.0.0.1  Mask:255.0.0.0
 inet6 addr: ::1/128 Scope:Host
 UP LOOPBACK RUNNING  MTU:16436  Metric:1
 RX packets:48 errors:0 dropped:0 overruns:0 frame:0
 TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:0
 RX bytes:3948 (3.9 KB)  TX bytes:3948 (3.9 KB)
</pre>
<p>Now that we have the bonding interface up, we need to write the configuration into <strong>/etc/network/interfaces</strong> so that the interfaces will be brought up at boot time.  After struggling with this for a few moments, I finally found out the proper rules needed in order to do this:</p>
<ol>
<li>You have to define your bonding interface first.</li>
<li>You must use an &#8220;<strong>up</strong>&#8221; statement to specify how to bring up the interfaces. We will be using the parameter <strong>promisc</strong> to ensure that the interfaces are ready for when we install Snort.</li>
<li>We must use bonding-specific statements to specify how the bonding interface will be created and for each interface&#8217;s role in the bonding configuration.</li>
</ol>
<p>Edit <strong>/etc/network/interfaces</strong> and remove the existing information.  Add the below lines, but be sure to add the proper IP addressing information for your management interface.</p>
<pre># The primary network interface
auto eth0
iface eth0 inet static
 address 172.20.1.253
 netmask 255.255.255.0
 broadcast 172.20.1.255
 gateway 172.20.1.250

auto bond0
iface bond0 inet manual
 bond-slaves none
 bond-mode 0
 bond-miimon 100
 up ifconfig bond0 promisc up

auto eth1
iface eth1 inet manual
 up ifconfig eth1 promisc up
 bond-master bond0
 bond-primary eth1 eth2

auto eth2
iface eth2 inet manual
 up ifconfig eth2 promisc up
 bond-master bond0
 bond-primary eth1 eth2</pre>
<p>In the above configuration, the <strong>up</strong> parameter tells the network scripts to bring the selected interface up with promiscuous mode enabled, so the interfaces are ready at boot time for listening to network traffic. The <strong>bond-master</strong> and <strong>bond-primary</strong> parameters indicate which bonding interface the physical interface should be added to.  Granted, for one bond interface it would appear faster to use single keywords; however, if you decide to set up multiple bonded interfaces, the keywords would lose meaning quickly.</p>
<p>When all is said and configured, reboot the computer.  When the computer comes back up, check <strong>ifconfig -a</strong> and see if you see something like the below.</p>
<pre>root@ids-01:~# ifconfig -a
bond0     Link encap:Ethernet  HWaddr 00:e0:b6:00:a2:06 
 inet6 addr: fe80::2e0:b6ff:fe00:a206/64 Scope:Link
 UP BROADCAST RUNNING PROMISC MASTER MULTICAST  MTU:1500  Metric:1
 RX packets:19570074 errors:3 dropped:0 overruns:0 frame:3
 TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:0
 RX bytes:198918392 (198.9 MB)  TX bytes:468 (468.0 B)

eth0      Link encap:Ethernet  HWaddr 00:18:f3:18:1c:25 
 inet addr:172.20.1.253  Bcast:192.168.0.255  Mask:255.255.255.0
 inet6 addr: fe80::218:f3ff:fe18:1c25/64 Scope:Link
 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
 RX packets:46106 errors:0 dropped:0 overruns:0 frame:0
 TX packets:24224 errors:0 dropped:0 overruns:0 carrier:2
 collisions:0 txqueuelen:1000
 RX bytes:56042559 (56.0 MB)  TX bytes:2427777 (2.4 MB)

eth1      Link encap:Ethernet  HWaddr 00:e0:b6:00:a2:06 
 UP BROADCAST RUNNING PROMISC SLAVE MULTICAST  MTU:1500  Metric:1
 RX packets:11506719 errors:2 dropped:0 overruns:0 frame:2
 TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:3058600599 (3.0 GB)  TX bytes:218 (218.0 B)

eth2      Link encap:Ethernet  HWaddr 00:e0:b6:00:a2:06 
 UP BROADCAST RUNNING PROMISC SLAVE MULTICAST  MTU:1500  Metric:1
 RX packets:8063355 errors:1 dropped:0 overruns:0 frame:1
 TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:1435285089 (1.4 GB)  TX bytes:250 (250.0 B)

lo        Link encap:Local Loopback 
 inet addr:127.0.0.1  Mask:255.0.0.0
 inet6 addr: ::1/128 Scope:Host
 UP LOOPBACK RUNNING  MTU:16436  Metric:1
 RX packets:48 errors:0 dropped:0 overruns:0 frame:0
 TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:0
 RX bytes:3948 (3.9 KB)  TX bytes:3948 (3.9 KB)
</pre>
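<p>As an added check (example code written for this edit, not from the original article), the following script parses <strong>ifconfig -a</strong> output in the format shown above and confirms that the bond master is up and in promiscuous mode, that every slave is PROMISC and SLAVE, and that the slaves carry the master&#8217;s MAC address. The listing embedded in it is constructed to resemble the one above (made-up MACs, documentation-range management address), with eth2 deliberately left out of promiscuous mode so the check reports something.</p>

```python
"""Sanity-check `ifconfig -a` output for a passive-tap bonding setup.

Added example, not code from the original article. It parses the legacy
ifconfig block format shown in the post and checks that every bond master is
UP, RUNNING, PROMISC and MASTER, that every slave is PROMISC and SLAVE, and
that each slave carries the MAC of exactly one bond master (by default the
Linux bonding driver gives its slaves the bond's address).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class Iface:
    name: str
    hwaddr: str | None
    flags: set[str] = field(default_factory=set)


def parse_ifconfig(text: str) -> dict[str, Iface]:
    """Split legacy `ifconfig -a` output into per-interface records."""
    ifaces: dict[str, Iface] = {}
    current: Iface | None = None
    for line in text.splitlines():
        # A new interface starts on a non-indented line: "<name>  Link encap:..."
        head = re.match(r"^(\S+)\s+Link encap:(.*)$", line)
        if head:
            hw = re.search(r"HWaddr\s+([0-9a-fA-F:]{17})", head.group(2))
            current = Iface(head.group(1), hw.group(1).lower() if hw else None)
            ifaces[current.name] = current
        elif current is not None and "MTU:" in line:
            # Flag line: "UP BROADCAST RUNNING PROMISC MASTER MULTICAST  MTU:1500  Metric:1"
            current.flags = set(line.split("MTU:")[0].split())
    return ifaces


def check_tap_bonding(ifaces: dict[str, Iface], slaves_per_bond: int = 2) -> list[str]:
    """Return human-readable problems; an empty list means the bond looks right.

    slaves_per_bond defaults to 2 because a passive tap delivers one direction
    of the conversation per jack, so each bond should aggregate two NICs.
    """
    problems: list[str] = []
    masters = [i for i in ifaces.values() if "MASTER" in i.flags]
    slaves = [i for i in ifaces.values() if "SLAVE" in i.flags]
    if not masters:
        problems.append("no bond master interface found")
    owners: dict[str | None, list[str]] = {}
    for m in masters:
        owners.setdefault(m.hwaddr, []).append(m.name)
        for needed in ("UP", "RUNNING", "PROMISC"):
            if needed not in m.flags:
                problems.append(f"{m.name}: bond master is missing {needed}")
    for s in slaves:
        if "PROMISC" not in s.flags:
            problems.append(f"{s.name}: slave is not in promiscuous mode")
        if len(owners.get(s.hwaddr, [])) != 1:
            problems.append(f"{s.name}: MAC {s.hwaddr} is not owned by exactly one bond master")
    for m in masters:
        n = sum(1 for s in slaves if s.hwaddr == m.hwaddr)
        if n != slaves_per_bond:
            problems.append(f"{m.name}: expected {slaves_per_bond} slaves, found {n}")
    return problems


# Constructed sample modelled on the article's listing (MACs are made up and the
# management address is from the documentation range). eth2 is deliberately left
# out of promiscuous mode so the check has something to report.
SAMPLE_BAD = """\
bond0     Link encap:Ethernet  HWaddr 02:00:00:00:a2:06
          inet6 addr: fe80::1/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:19570074 errors:3 dropped:0 overruns:0 frame:3

eth0      Link encap:Ethernet  HWaddr 02:00:00:00:1c:25
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 02:00:00:00:a2:06
          UP BROADCAST RUNNING PROMISC SLAVE MULTICAST  MTU:1500  Metric:1

eth2      Link encap:Ethernet  HWaddr 02:00:00:00:a2:06
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""
SAMPLE_GOOD = SAMPLE_BAD.replace("RUNNING SLAVE", "RUNNING PROMISC SLAVE")

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_tap_bonding(parse_ifconfig(sample)) or ["ok"])
```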
<h2>Now to install it&#8230;</h2>
<p>In order to install this machine where it will be most effective in your network, there are some things to consider:</p>
<ul>
<li>What kind of Internet access do you have? (Cable, DSL, FiOS, etc.)</li>
<li>Does your ISP require running a program on your router to connect? (PPPoE clients, RASPPPoE, others)</li>
<li>What is considered the &#8220;edge&#8221; of your network?</li>
<li>Where would the IDS have the most visibility into the network traffic generated by your computers, wired or wireless?</li>
</ul>
<p>In most corporate networks, there is a single switch that handles all the traffic for a network. This makes things a lot less complex, as the network traffic is in one place; however, in most homes this is simply not the case. In my own network, there are at least four switches between the router (my edge) and the innermost device (my wireless access point). Since I wanted all the traffic monitored, I elected to connect the passive tap between my router and the first switch. Any Internet activity generated by any device on the network will be monitored by the IDS and, if malicious, will generate an alert. If you have only a couple of PCs that are wireless but several embedded devices like gaming consoles or media streaming boxes (not media center PCs, more like Boxee boxes and the like), you may want to move the passive tap between your wireless access point and the switch connecting the embedded devices, as the embedded devices are a lot less likely to generate malicious traffic. Your configuration may be different, but when in doubt, installing the passive tap and your soon-to-be IDS between your edge router and the rest of your network is a safe bet.</p>
<h2>What&#8217;s Next?</h2>
<p>We&#8217;ve covered how to build a passive tap, and we have now covered how to configure bonding for the passive tap. In the final article in the series, we will discuss how to install Snort and make this machine into a full-blown IDS device.</p>
<p>Happy Hacking!</p>
<p>&nbsp;</p>
<p>FIRESTORM_v1</p>
]]></content:encoded>
			<wfw:commentRss>http://www.yourwarrantyisvoid.com/2011/05/04/building-an-ubuntu-ids-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Build a Passive Ethernet Tap &#8211; Ubuntu IDS Part 1</title>
		<link>http://www.yourwarrantyisvoid.com/2011/04/06/homeland-security-build-a-passive-ethernet-tap/</link>
		<comments>http://www.yourwarrantyisvoid.com/2011/04/06/homeland-security-build-a-passive-ethernet-tap/#comments</comments>
		<pubDate>Wed, 06 Apr 2011 16:34:40 +0000</pubDate>
		<dc:creator>firestorm_v1</dc:creator>
				<category><![CDATA[Hardware]]></category>
		<category><![CDATA[How-To's]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.yourwarrantyisvoid.com/?p=802</guid>
		<description><![CDATA[One of the things that the GCIA study has taught me is that being able to monitor the network your computer is on is a critical necessity to maintaining a secure network. Corporate environments can set up IDS devices to monitor traffic however monitoring doesn&#8217;t work unless you have proper connectivity to what you want [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: center;"><a href="http://www.yourwarrantyisvoid.com/2011/04/06/homeland-security-build-a-passive-ethernet-tap/acousticcoupler/" rel="attachment wp-att-803"><img class="aligncenter size-medium wp-image-803" title="acoustic coupler" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/03/acousticcoupler-300x199.jpg" alt="Image courtesy of forums.overclockers.co.uk" width="300" height="199" /></a></p>
<p>One of the things that the GCIA study has taught me is that being able to monitor the network your computer is on is a critical necessity to maintaining a secure network. Corporate environments can set up IDS devices to monitor traffic; however, monitoring doesn&#8217;t work unless you have proper connectivity to what you want to monitor. Unfortunately, most of us don&#8217;t have central wiring in our houses or expensive managed switches that can set up span sessions to monitor traffic in transit. In this HOWTO, I will cover how to build your own monitoring connection that you can use on your own network to monitor traffic without breaking the bank. This article is the first in a three-part series on how to build your own home IDS for monitoring your network traffic. Look for the other two sections soon!<br />
<span id="more-802"></span></p>
<h2>A little bit more info first&#8230;</h2>
<p>In the early days of affordable Ethernet networking, devices called hubs (or repeaters) were used to bring the signals together from each workstation in order to allow the workstations to communicate with each other. When a packet was sent to the hub, the hub repeated the packet across all ports on the device, and all other workstations would receive it, even if it was not destined for that particular workstation. The hubs gave way to switches as networking technology became cheaper and faster. Unfortunately, the switches also changed the old way of signal transmission. When a workstation sends a packet to a switch, it is sent from the sender&#8217;s switch port and arrives only at the switch port of the workstation that the packet is destined for; unlike the hub&#8217;s transmission method, it does not get sent to other workstations&#8217; switch ports. Because of the need for network monitoring, more advanced switches started offering monitor ports (Cisco calls them span sessions) that forward all traffic that goes through the switch out of this specifically configured port. This port would then be connected to the monitoring device and would allow the monitoring device to &#8220;listen&#8221; to all packets that traversed the switch.</p>
<p>The good thing is that most, if not all, managed switches support a monitor port; the bad thing is that a managed switch is way outside the pocketbook of most home network users.</p>
<h2>But why not use a hub?</h2>
<p>A hub would allow us to listen in on network traffic; however, a hub would degrade your network&#8217;s performance thanks to its lack of proper high-speed flow control and its susceptibility to collisions. In my testing, I used a 100baseT hub between my firewall and my network and found that my previously rock-solid network connection had dropped well below speed and would barely support YouTube streaming, much less Netflix. Instead of using a hub and risking continued degradation, I decided to research another solution.</p>
<h2>So, what&#8217;s the solution and how do I use it?</h2>
<p>The solution is the Passive Tap. This device sits between an unmanaged switch and a computer or router and allows a monitor device to listen in on the network connection between the computer and the switch. The word passive in this instance means that there is no way to detect the device&#8217;s presence: it does not have a MAC address and it does not repeat. For all intents and purposes, the tap does not exist.</p>
<p><a href="http://www.yourwarrantyisvoid.com/2011/04/06/homeland-security-build-a-passive-ethernet-tap/passivetapmonitorsetup/" rel="attachment wp-att-804"><img class="aligncenter size-full wp-image-804" title="Passive Tap Monitor Setup" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/03/PassiveTapMonitorSetup.jpg" alt="" width="438" height="174" /></a></p>
<p>In the image above, we have connected the Passive Tap between a network switch and a monitored host in order to monitor traffic between the host and other machines on the network (in this case the Server).  This would be an ideal setup for monitoring traffic generated by the monitored host and the rest of the network with the focus being on the monitored host. In this configuration, the monitor device would pick up all traffic destined to or originating from the host and any broadcast traffic generated by the network.</p>
<p style="text-align: center;"><a href="http://www.yourwarrantyisvoid.com/2011/04/06/homeland-security-build-a-passive-ethernet-tap/passivetapmonitorsetup2/" rel="attachment wp-att-873"><img class="size-full wp-image-873 aligncenter" title="Passive Tap Monitor Setup #2" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/03/PassiveTapMonitorSetup2.jpg" alt="Passive Tap Monitor Setup #2" width="438" height="174" /></a></p>
<p>This configuration is a bit different from the first image, and the scope of the monitor device&#8217;s visibility has changed. Instead of just monitoring the Monitored Host, this configuration allows the monitor device to see any Internet traffic that passes between any host on the switch and the firewall. If there were additional devices connected to the switch (other desktops, an Xbox, a WiFi access point, etc.), their communication with the Internet would also be monitored. The only communication that would not get monitored would be communication between the devices plugged into the switch (for example, between the Monitored Host and a WiFi access point).</p>
<h2>Parts List</h2>
<p>In order to build a passive tap, you will need the following items.  The parts themselves cost me about $20 at a computer store which is a lot better than the $200 that some eBay sellers want.</p>
<ul>
<li>A cat-5 patch cord</li>
<li>A surface mount biscuit jack / modular mounting box. (See picture below)</li>
<li>Two CAT5 keystones (they don&#8217;t have to be green/red like mine)</li>
<li>Screwdriver</li>
<li>Wire cutters/blade</li>
<li><a href="http://en.wikipedia.org/wiki/Punch_down_tool" target="_blank">An M110 punch-down tool</a> (if you have one, it makes the installation easier)</li>
<li>A monitoring computer with two network interfaces and Wireshark (Windows) or tcpdump (Linux) installed</li>
<li>A test computer (or device) with one network interface</li>
<li>A network switch.</li>
<li>Beer (optional)</li>
</ul>
<div id="attachment_805" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/2011/04/06/homeland-security-build-a-passive-ethernet-tap/parts/" rel="attachment wp-att-805"><img class="size-medium wp-image-805" title="Parts" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/03/Parts-300x225.jpg" alt="Parts" width="300" height="225" /></a><p class="wp-caption-text">Parts</p></div>
<p>Here&#8217;s an image of the parts. The biscuit jack on the left, the two keystones are in the center and the patch cord is on the right.</p>
<p>We&#8217;ll start off by first taking a look at the keystones up close.</p>
<div id="attachment_806" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/2011/04/06/homeland-security-build-a-passive-ethernet-tap/keystones/" rel="attachment wp-att-806"><img class="size-medium wp-image-806" title="Keystones" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/03/Keystones-300x225.jpg" alt="Keystones" width="300" height="225" /></a><p class="wp-caption-text">Keystones</p></div>
<p>These keystone jacks are wired up and marked in such a way that all you need to do to wire them up properly is to follow the color code. A closer inspection will reveal that there are small numbers in between the symbols for the wire positions. In <a href="http://www.infocellar.com/networks/cables/twisted-pair-cables.htm" target="_blank">this page on twisted pair wiring</a>, you can see that of the four pairs in a Cat-5 10/100 cable, only pairs 2 (white/orange) and 3 (white/green) are used. In order to receive both sides of the conversation on the wire, we will need to &#8220;tap&#8221; into both pairs and route each of them to Pair 2 (the receive pair) of one of the two keystone jacks, so that the data being sent in each direction arrives at the NIC of our monitoring device.</p>
<p>If you scroll down to the section labeled &#8220;568A and 568 B Color Schemes&#8221;, you will see that the receive pair is on pins 3 and 6 of the jacks in the diagram. Our keystones are similarly labelled, and when we are done, we will have one pair of the Cat-5 patch cable going to pins 3 and 6 of one jack, and the other pair of the Cat-5 patch cable going to pins 3 and 6 of the other jack.</p>
<h2>Let&#8217;s get started.</h2>
<p>First off, it is important to understand that you must be able to do this WITHOUT NICKING OR CUTTING THE WIRES. A cut or nick could result in your tap not working properly, or the tap getting all the data while your connected host doesn&#8217;t, or any one of a whole handful of issues. Thankfully, Cat-5 patch cords are not very expensive, but it still sucks to put a project on hold because of a slip of the knife.</p>
<p>To start, lay out the patch cord and decide where you want the tap. Since the hosts are closer to my monitor machine, I&#8217;ve decided to create a short end and a long end, with the tap being more towards one end. You may want to have the tap in the middle or very close to one end of your patch cord. Electrically, it does not matter.</p>
<p>Strip back about two to three inches of jacket so that you have something like below.</p>
<div id="attachment_807" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/2011/04/06/homeland-security-build-a-passive-ethernet-tap/strippedwires/" rel="attachment wp-att-807"><img class="size-medium wp-image-807" title="Stripped Wires" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/03/strippedwires-300x225.jpg" alt="Stripped Wires" width="300" height="225" /></a><p class="wp-caption-text">Stripped Wires</p></div>
<p>Mount the keystones in the surface mount box as shown below.</p>
<div id="attachment_811" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/2011/04/06/homeland-security-build-a-passive-ethernet-tap/mounted-keystones/" rel="attachment wp-att-811"><img class="size-medium wp-image-811" title="mounted keystones" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/03/mounted-keystones-300x225.jpg" alt="mounted keystones" width="300" height="225" /></a><p class="wp-caption-text">mounted keystones</p></div>
<p>Now that they are mounted, we need to look at which pair of pins we need to match the wires up to. Below is a better side-view picture of the green jack in detail. Please note that your jacks may appear different, but all CAT5 keystone jacks that I have seen have both a color designation and a numeric designation. Be sure to pay attention to which is which and where you are placing your wires; otherwise it may not work.</p>
<div id="attachment_812" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/2011/04/06/homeland-security-build-a-passive-ethernet-tap/wiremarks/" rel="attachment wp-att-812"><img class="size-medium wp-image-812" title="Wire/Pin designations" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/03/wiremarks-300x225.jpg" alt="Wire/Pin designations" width="300" height="225" /></a><p class="wp-caption-text">Wire/Pin designations</p></div>
<p>You can click on the picture for a larger, more detailed image. In the above image (using the top set of colors as a guide) we see that the orange/white hash is pin 3 and the solid orange is pin 6. The same goes for the red jack (not shown). That being said, untwist the orange and green wires and place them into their respective slots. Make sure that the solid wire goes with the solid pin and the hashed wire goes with the hashed pin. A reversal here will cause the monitor port not to receive data and could affect your host/switch.</p>
<div id="attachment_815" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/2011/04/06/homeland-security-build-a-passive-ethernet-tap/readytocrimp/" rel="attachment wp-att-815"><img class="size-medium wp-image-815" title="Wires ready to crimp" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/03/readytocrimp-300x225.jpg" alt="Wires ready to crimp" width="300" height="225" /></a><p class="wp-caption-text">Wires ready to crimp</p></div>
<p>In the above photo, you can see that the white/orange pair is lightly inserted into the wire channels. If you don&#8217;t have the M110 punch-down tool, you can get away with using the wire caps that came with your keystones. These caps push the wire down and crimp it into place over a metal pin that connects the wire to the pin in the jack. When you are done, you will have something akin to the below:</p>
<div id="attachment_816" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/2011/04/06/homeland-security-build-a-passive-ethernet-tap/readytoclose/" rel="attachment wp-att-816"><img class="size-medium wp-image-816" title="Tap ready to close" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/03/readytoclose-300x225.jpg" alt="Tap ready to close" width="300" height="225" /></a><p class="wp-caption-text">Tap ready to close</p></div>
<p>Also of note: to act as a strain relief, I have added tie wraps to the cable. This will protect the cable from getting yanked out and damaged. In this picture, you can also see the two white caps that have punched the wires down in place. Reassemble the jack and make sure to install the screw in the lid if your jack has one.</p>
<div id="attachment_817" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/2011/04/06/homeland-security-build-a-passive-ethernet-tap/completedtap/" rel="attachment wp-att-817"><img class="size-medium wp-image-817" title="Completed Passive Ethernet Tap" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/03/completedtap-300x225.jpg" alt="Completed Passive Ethernet Tap" width="300" height="225" /></a><p class="wp-caption-text">Completed Passive Ethernet Tap</p></div>
<p>Here&#8217;s the completed tap in all its glory!</p>
<h2>Testing the Tap</h2>
<p>In order to test the tap, we need at least two computers, one of which must have two network adapters. The computer with one network adapter will be our &#8220;test host&#8221; and the other computer will be our monitoring host. On the test host, I have assigned the IP address 10.0.0.2, and on the monitoring computer, I have assigned one interface (eth0) the IP 10.0.0.1. The monitoring interface (eth1) will have no IP address assigned to it and will be used for testing the tap. Remember that as far as the test host is concerned, the tap is just a CAT-5 patch cable.</p>
<p>Before proceeding, mark the passive tap where the Ethernet cables come out as A and B. This will be important, as this test will also help us label which side of the conversation we are listening to. One side will be considered &#8220;Network to Host&#8221; and the other will be considered &#8220;Host to Network&#8221;. It is imperative that we get both sides of the conversation, each side represented by one of the two keystone jacks. While it might not be important now, later on when you use this tap for something else (like an IDS project), you will need to know which side of the conversation you are listening to.</p>
<p>To get your test rig set up, connect the long side (side A in my case) of the tap cable to the switch. Connect the short side (side B in my case) to the test host. Connect the Ethernet interface with the IP address on the monitoring machine to the switch, but leave the monitoring interface disconnected for now. Keep in mind that on my monitoring machine, eth0 was the interface with the IP address, and eth3 was the interface that will be used for monitoring. I&#8217;m using Linux on my system; you may need to make adjustments where needed.</p>
<ul>
<li>On the monitoring host, ensure that you can ping the test host before hooking up the monitoring interface to the tap.</li>
<li>On the monitoring host, open two terminal windows</li>
<li>In the first window, start tcpdump using this command: <strong>sudo tcpdump -i eth3 -nvs0 -c 10 ip[9]=1</strong>. This translates to: start tcpdump on eth3, no host name resolution (-n), verbose mode (-v), no snapshot-length limit so whole packets are captured (-s0), stop after 10 packets (-c 10), and capture only ICMP (ip[9]=1, the IP header&#8217;s protocol field).</li>
<li>Attach the monitoring interface to one of the two keystones.  I picked the red jack.</li>
<li>In the second window, ping the test host using the -c 5 parameter: <strong>ping testmachine -c 5</strong>. The -c 5 tells ping to send 5 echo requests and then stop.</li>
<li>You should see the below text in your ping window:</li>
</ul>
<pre>$ ping  testmachine -c 5
PING testmachine (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=7.25 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.685 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=0.719 ms
64 bytes from 10.0.0.2: icmp_seq=4 ttl=64 time=0.746 ms
64 bytes from 10.0.0.2: icmp_seq=5 ttl=64 time=0.704 ms</pre>
<ul>
<li>Your TCPDUMP window should show something like this:</li>
</ul>
<pre>21:48:59.093624 IP (tos 0x0, ttl 64, id 27270, offset 0, flags [DF], proto ICMP (1), length 84)
 10.0.0.2 &gt; 10.0.0.1: ICMP echo reply, id 24899, seq 1, length 64
21:49:00.088502 IP (tos 0x0, ttl 64, id 49871, offset 0, flags [DF], proto ICMP (1), length 84)
 10.0.0.2 &gt; 10.0.0.1: ICMP echo reply, id 24899, seq 2, length 64
21:49:01.087486 IP (tos 0x0, ttl 64, id 36772, offset 0, flags [DF], proto ICMP (1), length 84)
 10.0.0.2 &gt; 10.0.0.1: ICMP echo reply, id 24899, seq 3, length 64
21:49:02.086630 IP (tos 0x0, ttl 64, id 27025, offset 0, flags [DF], proto ICMP (1), length 84)
 10.0.0.2 &gt; 10.0.0.1: ICMP echo reply, id 24899, seq 4, length 64
21:49:03.085505 IP (tos 0x0, ttl 64, id 28037, offset 0, flags [DF], proto ICMP (1), length 84)
 10.0.0.2 &gt; 10.0.0.1: ICMP echo reply, id 24899, seq 5, length 64</pre>
<ul>
<li>Keep in mind that there are two packets associated with ping. One is an <strong>ICMP Echo Request</strong> and the other is an <strong>ICMP Echo Reply</strong>. In this case I received the echo reply, which means that the red jack is for &#8220;Host to Network&#8221; monitoring, or B-&gt;A. If you got the ICMP echo request instead, then your jack is A-&gt;B.</li>
<li>Mark the jack as B-&gt;A and continue testing. At this point, we know that our tap at least hears half the conversation.</li>
<li>Switch the monitor interface to the other jack (mine is green) and rerun the ping. Your ping should show the below, just like before:</li>
</ul>
<pre>$ ping 10.0.0.2 -c 5
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=9.69 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.705 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=0.663 ms
64 bytes from 10.0.0.2: icmp_seq=4 ttl=64 time=0.722 ms
64 bytes from 10.0.0.2: icmp_seq=5 ttl=64 time=0.714 ms</pre>
<ul>
<li>This time, however, the TCPDUMP output should have changed:</li>
</ul>
<pre>22:00:28.084339 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
 10.0.0.1 &gt; 10.0.0.2: ICMP echo request, id 40269, seq 1, length 64
22:00:29.077220 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
 10.0.0.1 &gt; 10.0.0.2: ICMP echo request, id 40269, seq 2, length 64
22:00:30.076215 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
 10.0.0.1 &gt; 10.0.0.2: ICMP echo request, id 40269, seq 3, length 64
22:00:31.075218 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
 10.0.0.1 &gt; 10.0.0.2: ICMP echo request, id 40269, seq 4, length 64
22:00:32.074214 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
 10.0.0.1 &gt; 10.0.0.2: ICMP echo request, id 40269, seq 5, length 64</pre>
<ul>
<li>Just like before, I received 5 packets; however, last time I got the ICMP echo reply and this time I got the ICMP echo request. This means that the green jack is the A-&gt;B connector, that is, Network to Host. Mark it as appropriate.</li>
</ul>
<p>If you&#8217;re at this point, then you have demonstrated that the tap works. It allows the test host to communicate with the network unimpeded, and it allows monitoring of both host-to-network and network-to-host data. My passive tap looks like the one below:</p>
<div id="attachment_818" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/2011/04/06/homeland-security-build-a-passive-ethernet-tap/labelled/" rel="attachment wp-att-818"><img class="size-medium wp-image-818" title="Finished Passive Tap" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/03/labelled-300x225.jpg" alt="Finished Passive Tap" width="300" height="225" /></a><p class="wp-caption-text">Finished Passive Tap</p></div>
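<p>The jack-labelling logic from the test above, as an added example that is not part of the original post: it parses the verbose tcpdump records shown above and, given the test host (10.0.0.2) and the pinging machine (10.0.0.1), labels a capture as B-&gt;A, A-&gt;B or both, and flags packets that do not fit the test, including gaps in the sequence numbers. The captures embedded in it are constructed to mirror the two runs above, with one packet left out of the green run on purpose.</p>

```python
"""Label which side of the passive tap a capture came from.

Added example, not code from the original article. It parses the two-line
verbose tcpdump format shown in the post and, given the test host's address
(side B) and the pinging machine's address (side A), reports whether the jack
carries B->A (Host to Network), A->B (Network to Host), both, or nothing, and
flags packets that do not fit the test.
"""
from __future__ import annotations

import re
from collections import Counter

# Second line of each verbose record, e.g.
#     10.0.0.2 > 10.0.0.1: ICMP echo reply, id 24899, seq 1, length 64
_ICMP_RE = re.compile(
    r"^\s*(?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp_records(text: str) -> list[dict]:
    """Extract src, dst, echo kind, id and seq from verbose tcpdump output."""
    records = []
    for line in text.splitlines():
        m = _ICMP_RE.match(line)
        if m:
            records.append({"src": m["src"], "dst": m["dst"], "kind": m["kind"],
                            "id": int(m["id"]), "seq": int(m["seq"])})
    return records


def classify_jack(text: str, host_ip: str, network_ip: str) -> dict:
    """Decide the tap direction from a capture taken on one keystone jack.

    Direction comes from the addresses; the echo kind is then checked against
    it (the network side sends requests, the host answers), so a reply seen
    travelling A->B or a third host joining in is reported as an anomaly.
    """
    recs = parse_icmp_records(text)
    counts: Counter[str] = Counter()
    anomalies: list[str] = []
    for r in recs:
        if r["src"] == host_ip and r["dst"] == network_ip:
            direction, expected = "B->A", "reply"
        elif r["src"] == network_ip and r["dst"] == host_ip:
            direction, expected = "A->B", "request"
        else:
            anomalies.append(f"seq {r['seq']}: unexpected pair {r['src']} > {r['dst']}")
            continue
        counts[direction] += 1
        if r["kind"] != expected:
            anomalies.append(f"seq {r['seq']}: echo {r['kind']} seen {direction}")
    # Gaps in the sequence numbers mean this jack missed some of the packets.
    seqs = sorted({r["seq"] for r in recs})
    if seqs:
        missing = sorted(set(range(seqs[0], seqs[-1] + 1)) - set(seqs))
        if missing:
            anomalies.append(f"missing seq numbers: {missing}")
    if not counts:
        label = "no traffic"
    elif counts["A->B"] and counts["B->A"]:
        label = "both directions"  # a hub or SPAN port, not a single tap pair
    elif counts["B->A"]:
        label = "B->A (Host to Network)"
    else:
        label = "A->B (Network to Host)"
    return {"label": label, "counts": dict(counts), "anomalies": anomalies}


# Constructed captures modelled on the article's two tcpdump runs (same 10.0.0.x
# test addresses). The green capture is missing seq 3 on purpose.
RED_JACK = """\
21:48:59.093624 IP (tos 0x0, ttl 64, id 27270, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.0.2 > 10.0.0.1: ICMP echo reply, id 24899, seq 1, length 64
21:49:00.088502 IP (tos 0x0, ttl 64, id 49871, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.0.2 > 10.0.0.1: ICMP echo reply, id 24899, seq 2, length 64
21:49:01.087486 IP (tos 0x0, ttl 64, id 36772, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.0.2 > 10.0.0.1: ICMP echo reply, id 24899, seq 3, length 64
"""
GREEN_JACK = """\
22:00:28.084339 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.0.1 > 10.0.0.2: ICMP echo request, id 40269, seq 1, length 64
22:00:29.077220 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.0.1 > 10.0.0.2: ICMP echo request, id 40269, seq 2, length 64
22:00:31.075218 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.0.1 > 10.0.0.2: ICMP echo request, id 40269, seq 4, length 64
"""

if __name__ == "__main__":
    for name, cap in (("red", RED_JACK), ("green", GREEN_JACK), ("hub", RED_JACK + GREEN_JACK)):
        print(name, classify_jack(cap, host_ip="10.0.0.2", network_ip="10.0.0.1"))
```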
<h2>Now what to do?</h2>
<p>At this point, with a good passive tap in hand, you have a whole bunch of things you can do. You could:</p>
<ol>
<li>Establish an IDS for your network (my original plan)</li>
<li>Monitor a host&#8217;s traffic exchange with the network/Internet.</li>
<li>Perform traffic reconstruction for analysis.</li>
<li>Monitor network communication between your Wireless access point and the rest of your network</li>
</ol>
<h2>Troubleshooting</h2>
<p>Unfortunately, I can&#8217;t account for every situation; there may be cases where the tcpdump test doesn&#8217;t work exactly as planned. Here are some common solutions if your tests don&#8217;t work quite right:</p>
<p><strong>I can see the A-&gt;B traffic, but can&#8217;t see the B-&gt;A traffic. The ping window shows the host responds. (or)</strong></p>
<p><strong>I can see the B-&gt;A traffic but can&#8217;t see the A-&gt;B traffic. The ping window shows the host responds. (or)</strong></p>
<p><strong>I can not see any traffic, but the ping window shows the host responds.</strong></p>
<p>Check your wires on the keystone and make sure each wire went down onto the metal pin. Sometimes when using the caps to crimp down the wires, one of the wires will shift at the last second.</p>
<p><strong>I can see the ICMP Echo Request  on one port but I see nothing on the other. The ping window shows that the host does not respond.</strong></p>
<p>Check to see that the wires didn&#8217;t rip apart or that they were not nicked in the construction process.</p>
<h2>Last Thoughts</h2>
<p>Even if you don&#8217;t plan on building a home IDS, having a passive tap in your toolbox is a good idea.  You never know when you will need to intercept and analyze traffic between two devices on a network. This device will allow you to do so with minimal effort and cost all while allowing the host to chatter away unimpeded by the monitoring.</p>
<p>Happy Hacking!</p>
<p>FIRESTORM_v1</p>
]]></content:encoded>
			<wfw:commentRss>http://www.yourwarrantyisvoid.com/2011/04/06/homeland-security-build-a-passive-ethernet-tap/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

