CCNP Enterprise (Routing and Switching)

Happy to say that I passed my CCNP re-certification after letting it expire in 2016. It felt good getting back in the lab and running through various routing and switching problems. I used EVE-NG to study with, it’s simply amazing software.

Posted in Uncategorized

Site Reliability Engineering: How Google Runs Production Systems

If you support systems at scale then you must read the Google SRE book! Do yourself and your team a favor by making sure you don't repeat the mistakes in this book! This should be required reading for all managers and front-line engineers.

Posted in Books

Chromecast WPA-EAP from guest WiFi

You may have recently seen the article about the FBI recommending that all IoT devices be placed on their own networks for security purposes, the reason being that security in IoT devices has been notoriously bad and, in some cases, non-existent.

That got me thinking about the Chromecast that was sitting on my LAN and looking for ways to make it more secure. The unfortunate thing about the Chromecast is that it does not support WPA-EAP security, only WPA-PSK. Luckily I also have an "Ultra" version, which supports 4K and has an Ethernet port; without this Ethernet port I would be forced to dumb down my WiFi to make the Chromecast work.

What I found out, through much trial and error, is that the Chromecast uses mDNS to find the various network components needed to establish connectivity. All of my attempts were failing because mDNS was not propagating across broadcast domains. The missing piece was "Avahi", available as a package in pfSense, which forwards mDNS requests across broadcast domains.

Once this package was in place, the Chromecast was able to configure itself correctly in the wired DMZ portion of my network. Moreover, with mDNS being forwarded across selected broadcast domains, WiFi clients can stream to the IoT device while using the much more secure WPA-EAP, which the wireless NIC on the Chromecast does not support (it only does WPA-PSK).

This solution has the added benefit of allowing clients on the guest WiFi (WPA-EAP, VLAN99) to cast to the IoT device sitting in the DMZ. All of this is accomplished without enabling "Guest Mode" on the Chromecast and without dropping down to a less secure version of WiFi security. Moreover, I found that I now have the ability to cast content from my PLEX server, connected over VPN, via the LAN, the DMZ, or the guest WiFi.

So, with a little trial and error, I've essentially set up my IoT device to work securely from 4 different networks while isolating it in a DMZ network. Of course there are lots of firewall rules to make it all happen; if you want to know more, head to the Home Lab section for the configuration specifics and some examples.
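The discovery step this whole setup hinges on, as an added example (not the post's own code, nor Google's or Avahi's): a minimal mDNS PTR query builder and response parser for the `_googlecast._tcp.local` service, with a constructed response standing in for a real capture. The query is addressed to the link-local multicast group 224.0.0.251, which is exactly why it never leaves one broadcast domain unless a reflector such as Avahi repeats it into the DMZ VLAN.

```python
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353  # link-local multicast group: routers do not forward it
CAST_SERVICE = "_googlecast._tcp.local"      # service type a cast sender looks up
PTR = 12                                     # DNS record type carried in the discovery answer

def encode_name(name):  # DNS wire format: length-prefixed labels ending in a zero byte
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_query(service=CAST_SERVICE):  # one PTR question, id 0, flags 0 (standard query)
    return struct.pack("!6H", 0, 0, 1, 0, 0, 0) + encode_name(service) + struct.pack("!HH", PTR, 1)

def decode_name(buf, off):  # read a possibly compressed name -> (name, offset just past it)
    labels, end = [], None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:  # compression pointer into an earlier part of the packet
            end = off + 2 if end is None else end
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode()); off += length
    return ".".join(labels), (off if end is None else end)

def parse_ptr_answers(buf):  # {owner name: [service instance, ...]} from the answer section
    qdcount, ancount = struct.unpack("!HH", buf[4:8])
    off, found = 12, {}
    for _ in range(qdcount):
        _, off = decode_name(buf, off); off += 4  # skip QTYPE/QCLASS of echoed questions
    for _ in range(ancount):
        name, off = decode_name(buf, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10]); off += 10
        if rtype == PTR:
            found.setdefault(name, []).append(decode_name(buf, off)[0])
        off += rdlen
    return found

# Constructed response (not a real capture): an instance named "Living Room" answering the query.
_RDATA = bytes([len(b"Living Room")]) + b"Living Room" + b"\xC0\x0C"  # 0xC00C = pointer to offset 12
SAMPLE_RESPONSE = (struct.pack("!6H", 0, 0x8400, 0, 1, 0, 0) + encode_name(CAST_SERVICE)
                   + struct.pack("!HHIH", PTR, 1, 4500, len(_RDATA)) + _RDATA)
```

Sending `build_query()` to 224.0.0.251:5353 over a UDP socket from the guest VLAN and running whatever comes back through `parse_ptr_answers()` is a quick way to confirm the reflector is doing its job without loosening any firewall rules.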

Posted in IoT, Security

Delegated Credentials: Improving the security of TLS certificates

This is worth a share if you are interested in TLS. Facebook, Cloudflare, and Mozilla are working together with the IETF to develop a new protocol for handling the private keys of SSL certificates. Facebook Engineering gives a great overview in the article below.

Posted in Security

Tutanota: Secure email, calendar and contact list

Today I upgraded my email provider to Tutanota. They provide encrypted email hosted on servers in Germany. In addition to the encrypted inbox, you can easily send end-to-end encrypted emails to users of other services like Gmail. Emails between Tutanota users are automatically encrypted end to end with no effort at all on their part, as it's built into the service by default.

I opted for the premium service, was able to set it up using my own domain name, and was provided 5 email aliases. The price was very reasonable and it was a HUGE security improvement over the crappy email service my hosting provider was giving me. I highly encourage everyone to check out this open-source email service that focuses on privacy and security, and ditch your Gmail account that scans your emails to deliver ads!

Posted in Security

Site Back Online

The website is back online after a small hiatus. I'm pretty sure my old WordPress instance had been hacked, so I nuked the entire site and left it dormant for a while. Now I'm starting to rebuild it to highlight some of the things I'm interested in.

It's a work in progress, so bookmark the site and check back if you like, but it will probably be hacked again since my hosting provider sucks so badly at security. I'll need to look into alternatives after reading an article about how easy it is to hack their console site.

Posted in Uncategorized