Thursday, July 7, 2016

Learn Something New! My introduction to Data Science.

There are so many interesting things to learn and not nearly enough time.

While I am an able technologist and experienced software engineer I am not a data scientist.  I want to learn more about that arena.  Much more.

I also want to explore the world of massive open online courses (MOOCs).

A professor I know who is an expert in data driven analysis (among other things) recommended the Data Science Specialization taught by a team at Johns Hopkins University and offered through Coursera.  That was good enough for me.  I am following the recommended course sequence.  While I am at the front end of the program, so far so good.

iTinker.net is all about exploring technology and implementing small but often complex systems in my home lab as a means to fuel real world work (and not just technology focused work).  The MOOC universe looks like it will become an important tool in my tool kit.

If you are interested in Data Science, check out the Coursera course.  More importantly, if you want to learn more about a topic see if there's a relevant MOOC out there.

Thursday, May 5, 2016

Hardware for Virtualization Home Lab

I started my VMware home lab in late 2012 by building a server using Chris Wahl's blueprint found here.

I'm now in the process of upgrading my servers to machines that allow for more memory.  With 8 cores (16 threads), 4 on-board NICs (2 x 1 GbE and 2 x 10 GbE), a dedicated IPMI port (which belongs on an isolated management network, not your general LAN) and up to 128 GB of memory in a small, quiet mini-tower case, the Supermicro SuperServer 5028D-TN4T is tailor made for VMware home labs.  More details on that system can be found here.  I bought mine from WiredZone - their prices are good and their customer service terrific.  I'm partial to their Bundle 2 package with an additional 64 GB of memory tacked on.

If you are looking for a solid home server for your VMware lab but aren't ready to purchase the Supermicro system described above, you might consider that server I built in 2012, which I'm now selling on eBay.

Friday, April 8, 2016

Getting Out Of The Stone Age -- I Finally Discovered WordPress

I am not a web site designer.  That said, I have set up a few simple web sites over the years.  Nothing fancy.  I learned enough html to hand code what I needed.  Those old sites are now hopelessly out of date.

Two weeks ago I decided that it was time to rebuild one of my old sites.  I was not in the mood to acquire and then learn Adobe Dreamweaver.  I suspect that if I was a web site design professional that's the tool I'd use.  But I'm not, so I don't.

My old tool of choice, Microsoft FrontPage, was discontinued over a decade ago.  While Microsoft Expression is available without charge, that too looks to require more than a little bit of work to master.

I enjoy using Blogger for this site, but I don't get the sense that it's well suited for more general purpose web sites.

I know that WordPress is considered by many to be the go-to tool for blogging sites.  What I didn't realize is that it's also geared for developing web sites that are much more than just blogs.

I'm astonished at how easy it was for me to create a much more modern rendition of my old site.  I can't believe I hadn't figured this out years ago.

Oh, if you want to see what I created, take a look at http://www.usml.net

I have lots of ideas for things I will do with that site going forward.

Apologies in advance to any professional web site designers out there who will likely scoff at that little site.  If you have any suggestions for ways to make that site better, don't hesitate to comment.

Perhaps I will migrate this blog to WordPress too. . .

Thursday, March 10, 2016

Network Level Threat Protection For Home Networks

Not too long ago an elderly relative asked me about an email message she received. Even though the message purported to be from Apple, she was leery about clicking on the link and reluctant to supply whatever information the sender sought.  She said she had forwarded the message to me for my review. I hadn’t received anything at all.  She attempted to send it again.  I received nothing.

While that email message purported to be from Apple, it was not.  It was a thinly veiled phishing attempt.  Kudos to my relative for not falling for the trick.  We've had "that talk" more than once.

So why didn't the forwarded message make its way to me?  It's because I have deployed a variety of network level threat management tools – and one of them blocked it.  In this case, one that leverages technology to identify likely phishing attempts.

I realized a long time ago that there was no way I'd be able to take precautions to protect each device that might connect to my network.  So I supplement reasonable device-specific antivirus tools and firewalls with network level intrusion prevention, phish blocking, antivirus and content filtering tools.

I’ve used these so-called "unified threat management systems" on my home network for many years – starting with when my children were very young. While they are not typically deployed in home systems, there’s no reason why that needs to be the case.  There are good choices for home use.

My current favorite is Untangle.  Untangle can be deployed on a small, silent, inexpensive appliance with a variety of free and licensed modules.  You can put the software on your own hardware or purchase a purpose built appliance from Untangle or other vendors.  I bought mine from Nexgen Appliances.  Right now both Untangle and Nexgen offer appliances that are ideal for home networks.  I will not hesitate to do business with Untangle or Nexgen.  It all comes down to what offering makes the most sense at the time of purchase.  Untangle employees actively participate in online forums and the user community is very supportive. And I can't say enough great things about my experience as a Nexgen Appliances customer.  When I've had questions, Nexgen has responded in the most helpful way I can think of.  It's an embarrassment of riches.

The Untangle free configuration is very nice.  Nevertheless, the licensed modules are a step up.  Untangle recently started to offer a home use license for $5 a month, with discounts for longer subscriptions.  Home users can get the benefit of the full suite of modules offered by Untangle for that very low fee.

So now, my elderly relative will be getting an Untangle.  And with any luck, so will other members of my family.

Is this overkill for a home network?  Not in my book.

Sunday, March 6, 2016

How To Geo-Tag All Your Digital Photos

Last year I discovered how nice it is to have digital pictures tagged with GPS coordinates.  I was experimenting with an iPhone camera and realized that the images were tagged with locations – something I was aware of but had never really thought about.  I liked it.  

If you have an iPhone and want to learn more, just read up on Apple’s geo-tagging feature -- and if this sort of thing bothers you, learn how to disable geo-tagging.

Following the iPhone camera experiments I wanted to be able to get GPS coordinates added to digital pictures shot with cameras that don’t do so automatically.  

While I am happy to use a smart phone for a quick snapshot, when I’m serious about my photos I’m more likely to reach for one of my digital SLRs or perhaps a smaller enthusiast oriented digital camera.  Don’t get me wrong, you can produce wonderful images with smartphone cameras, but with fast moving subjects, or in low light, or when you really want to fiddle with exposure or focus settings to get a particular image with just the right depth of field, you need better tools.

It turns out that relatively few cameras offer the ability to capture GPS coordinates automatically.  In some cases, you can tack on that feature with an accessory built for your camera.  There are also some really cool Bluetooth add-ons for a few higher end DSLRs that let you tether your camera to a GPS tracking device so that a stream of GPS information is fed to your camera as you shoot and the images get tagged that way.  Even though either of those approaches would work for my DSLRs, it was not going to help me with my other digital cameras.  Moreover, I wanted a cheap way to experiment and wasn't inclined to spend what either of these alternatives would cost.

Then I discovered a very inexpensive and flexible way to solve the problem for any digital camera, it’s called gps4cam.  I’m hooked.

While you are shooting pictures you also run a GPS tracking app on your smart phone (iPhone and Android versions are available).  Then, when you are done shooting, you grab the tracking information from the phone and run your pictures through a desktop application that uses the tracking information from your phone to tag your photos.
  
One really nifty part of their system is the way you synchronize your camera to the gps4cam app.  You take a picture of an image displayed on your phone by the app and their software uses the embedded information to figure out how far off your camera clock is from the clock used to generate the GPS information.  There are a number of different ways to use the app, all of them very simple.
  
For the price of a few dollars to buy a smartphone app you can add GPS tagging to all your digital photos. If this is something you are curious about there’s no reason to avoid experimenting.

Saturday, March 5, 2016

The iTinker Network

I call my home network the iTinker Network.  I will take some time soon to discuss its evolution and future, as well as some of the things I've built with it.  I'm not particularly good at creating network drawings and recently stumbled on a tool (yEd) that allowed me to quickly create a picture without too much of a fuss.  Here's a current snapshot of the network.

Sunday, February 21, 2016

Untangle VPN Part 2 -- Amazon Web Services Software VPN Connection to an Untangle Firewall Using OpenVPN

I recently managed to get an Amazon Web Services (AWS) hardware VPN connection running between a Virtual Private Cloud (VPC) and a home lab with an Untangle firewall via the Untangle IPSec module.  I described the necessary steps here.

After getting the connection running I decided that I wanted to try a lower cost alternative, a software connection between an instance I’d deploy in a VPC and my existing physical network.  I don’t require the extra bandwidth or higher availability that the AWS hardware VPN connection affords out of the box.

While the IPSec connection I had configured was working well in general, there was one problem I struggled to solve.  I use OpenVPN to permit remote access to my network.  The Untangle OpenVPN module makes using OpenVPN for the so-called “road warrior” scenario very easy.

I found that OpenVPN clients were unable to traverse the IPSec tunnel to connect with hosts on the remote end of the network. I believe that this was nothing more than a routing or firewall problem between the relevant networks, however, it was one I struggled to solve.

My limited review of IPSec vs. OpenVPN discussions left me with the sense that OpenVPN is considered more secure and, at least by some, more efficient than IPSec, whereas IPSec is more established and better supported, generally speaking.

Several people had told me that it would be challenging to implement an OpenVPN site-to-site connection between the Untangle firewall and some other OpenVPN implementation.  As I thought about how easy it was to implement the OpenVPN point-to-site connections it occurred to me that a network-to-network connection shouldn’t be that tough.  After all, a point-to-site connection can become a site-to-site connection with not much more than the addition of a static route on one side.

I assumed that if I could limit myself to the Untangle OpenVPN module on the physical network I’d stand a better chance at having my remote clients being able to traverse the tunnel to get to the other side of the site-to-site connection.  As for the AWS side I considered extending one of the special purpose AWS Linux NAT instances by adding an OpenVPN client or by using OpenVPN already included as part of a VyOS instance.  As I describe here, I recently chose to deploy a VyOS instance to provide NAT between the public and private subnets that reside in my VPC.  Unfortunately, the documentation for VyOS is somewhat lacking and I struggled to find the kind of reference material that made me confident I’d configure the VyOS OpenVPN components properly without undue difficulty.  For that reason, I elected to deploy an Amazon Linux NAT instance for the OpenVPN client.
  
I could have deployed a full OpenVPN server in the VPC but since I already had a perfectly good OpenVPN server running on the Untangle firewall I didn’t see a need to deploy yet another server.  I chose the AWS NAT instance because I knew it was already slimmed down to provide nothing more than NAT, which meant that IP forwarding and the few other things you’d like to see in a firewall/router were already in place.  I’d only need to add the OpenVPN client.  It wouldn’t have been too difficult to start from virtually any standard Linux distribution.

Step 1 – Create A Remote Network Entry in the Untangle OpenVPN Module

The first task is to create a remote network client entry in the Untangle OpenVPN module.  (I assume that you have a working knowledge of the Untangle firewall and that you are also familiar with the OpenVPN module and how to use it to create a connection with a remote host or mobile device.  If you aren’t there are ample descriptions available.)

Go to the Untangle OpenVPN module Server tab and, if you’ve not already done so, enter a site name for your VPN.  

Check the box to enable the server.  

The OpenVPN server allocates addresses in its own space that’s separate from your other network spaces.  Make sure that the address space indicated in the box doesn’t conflict with any address space you are using, including the VPC CIDR you are about to connect.

You will also need to decide if you want to NAT the LAN-bound OpenVPN traffic to a local address.  Your implementation will be simpler if you check the box, but LAN hosts (and their logs) will then see the Untangle address rather than the real address of the VPN client.

Here’s what that tab looks like on my system after having added the entry for the AWS-VPC.

Press the button to add a new remote client.  Choose to add a Network rather than an Individual Client.  Pick a name for the entry and add the CIDR specification for the remote network.

Click the “Done” button and then the “Apply” button.  Click on the “Download Client” button for the client you just created.  The system will generate a few files that you can use depending on what you will be using to connect to the Untangle server.  In this case, you should select the link to download the configuration zip file for other OSs.

Hang on to the zip file, and treat it as a secret: it contains the client’s certificate and private key, and anyone holding it can connect to your VPN as that remote network.  You will need it to configure the OpenVPN client.

Step 2 – Export Networks

The next task is to identify the networks that your OpenVPN clients should be able to access.  In my case, I’ve got the local LAN attached to the Untangle appliance, the AWS VPC LAN, and the LAN that consists of the various other remote clients that may be connected to the OpenVPN server at any given time. Set up your list of exported networks accordingly and click the Apply button.

Step 3 – Deploy the Linux Instance and Add the OpenVPN Client

Deploy a linux instance into your VPC in any way that suits you.  

I chose one of the special purpose Linux NAT instances supplied by Amazon.  By doing so I knew that I was getting an instance with IP forwarding already enabled, which is essential for routing traffic between the tunnel and the VPC.  The instructions for deploying a NAT instance are found here.  Do not forget to disable source/destination checking as described in those instructions; without that, EC2 drops packets that are not addressed to or from the instance’s own address.

You will want the instance to have a public IP address so make sure to assign an Elastic IP too.

Update the instance software and install the openvpn client with the following commands:

$ sudo yum update
$ sudo yum upgrade
$ sudo yum install openvpn

Step 4 – Extract and Place the Configuration Files

Use your favorite zip file extraction tool to extract the files in that zip file you got from the Untangle OpenVPN server and copy them to the /etc/openvpn directory in the instance you created on AWS.  Make sure the files are owned by root and that the private key (the .key file) is not readable by other users (mode 600).

When you are done, the directory should look something like this (with the file names reflecting whatever you named the client).

Step 5 – Modify VPC Route Tables

Add static routes to the route table of your private AWS subnet so that traffic for the remote networks is sent to the NAT/OpenVPN instance, which is the tunnel endpoint.  In my case, I added routes for my local LAN and the OpenVPN client subnet.  The instance’s security group must also allow the traffic the private subnet will send through it, or that traffic will be dropped at the instance.

Step 6 – Start OpenVPN

The openvpn package includes an init script to start, stop and reload the openvpn service.

In the following screen capture you see that initially openvpn is not running and that accordingly there are no tunnel devices; then we start the openvpn service, at which time a tunnel device (tun0) is created.

Once you get to this point you should be able to ping from hosts on the two private networks that you have now connected.

Step 7 – Start The Remote Client Automatically

Use the chkconfig command to cause the openvpn client to start whenever you boot the AWS instance.
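The script below is an added example; it is not part of the original post and is not Untangle's or Amazon's tooling.  It collects the checks a practitioner would run on the AWS instance while working through Steps 1, 4, 5, 6 and 7: an overlap test for the OpenVPN address pool, the local LAN and the VPC CIDR; an installer that places the extracted Untangle bundle under /etc/openvpn with the private key readable only by root; a check that every ca/cert/key/tls-auth file the .conf names is present with sane permissions; the Step 5 routes as AWS CLI calls; and the chkconfig/service commands for Steps 6 and 7 on the Amazon Linux AMI.  Every CIDR block, path, route table ID and instance ID in it is an assumption, the file names are what a client named aws-vpc is assumed to produce, and the permission check relies on GNU stat as found on Linux.

```shell
#!/bin/sh
# Added example, not from the original post or from Untangle/AWS tooling.
# Helpers for the Untangle OpenVPN client on the AWS NAT instance (Steps 1,
# 4, 5, 6 and 7). Every CIDR block, path and AWS ID below is an assumption.
set -eu

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
  echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# Exit 0 when two CIDR blocks overlap. Step 1 requires the OpenVPN address
# pool, the local LAN and the VPC CIDR to be disjoint; check it mechanically.
cidr_overlap() {
  for c in "$1" "$2"; do
    case $c in */*) ;; *) echo "usage: cidr_overlap A.B.C.D/N A.B.C.D/M" >&2; return 2 ;; esac
  done
  l1=${1#*/} l2=${2#*/}
  shorter=$(( l1 < l2 ? l1 : l2 ))
  mask=$(( shorter == 0 ? 0 : (4294967295 << (32 - shorter)) & 4294967295 ))
  # Two blocks overlap iff they agree on every bit covered by the shorter prefix.
  [ $(( $(ip2int "${1%/*}") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# Step 4: copy an extracted Untangle client bundle into place. The bundle
# carries the client's private key, so .key files get mode 600, the rest 644.
install_bundle() {
  src=$1 dest=$2
  mkdir -p "$dest"
  for f in "$src"/*; do
    [ -f "$f" ] || continue
    case $f in
      *.key) install -m 600 "$f" "$dest/${f##*/}" ;;
      *)     install -m 644 "$f" "$dest/${f##*/}" ;;
    esac
  done
}

# Verify a bundle directory before starting OpenVPN: every ca/cert/key/
# tls-auth file the .conf names must exist, and the key must not be
# group- or world-readable. Returns non-zero on any problem.
check_bundle() {
  dir=$1 rc=0
  set -- "$dir"/*.conf
  conf=$1
  [ -f "$conf" ] || { echo "no .conf found in $dir" >&2; return 1; }
  while read -r opt val _rest; do
    case $opt in
      ca|cert|key|tls-auth)
        ref=$dir/${val##*/}
        if [ ! -f "$ref" ]; then
          echo "$opt names a missing file: $val" >&2; rc=1
        elif [ "$opt" = key ]; then
          mode=$(stat -c %a "$ref")   # GNU stat, as on Amazon Linux
          [ $(( 0$mode & 63 )) -eq 0 ] || { echo "$ref is mode $mode; want 600" >&2; rc=1; }
        fi ;;
    esac
  done < "$conf"
  return $rc
}

# Step 5 as AWS CLI calls: route each remote network from the private
# subnet's route table to this instance. DRY_RUN=1 prints instead of applies.
add_vpc_routes() {
  rtb=$1 instance=$2; shift 2
  for cidr in "$@"; do
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "aws ec2 create-route --route-table-id $rtb --instance-id $instance --destination-cidr-block $cidr"
    else
      aws ec2 create-route --route-table-id "$rtb" --instance-id "$instance" --destination-cidr-block "$cidr"
    fi
  done
}

# Steps 6 and 7 on the Amazon Linux AMI (SysV init): the openvpn init script
# brings up every *.conf under /etc/openvpn; tun0 should exist afterwards.
enable_and_start() {
  sudo chkconfig openvpn on
  sudo service openvpn start
  ip link show tun0
}

# Run the whole sequence only when asked (RUN_DEPLOY=1); sourcing the file
# just defines the functions. Ranges, paths and IDs here are placeholders.
if [ "${RUN_DEPLOY:-0}" = 1 ]; then
  LAN=192.168.1.0/24 VPC=172.31.0.0/16 POOL=172.16.0.0/24
  for pair in "$LAN $VPC" "$LAN $POOL" "$VPC $POOL"; do
    # shellcheck disable=SC2086
    cidr_overlap $pair && { echo "address ranges overlap: $pair" >&2; exit 1; }
  done
  install_bundle "$HOME/untangle-bundle" /etc/openvpn
  check_bundle /etc/openvpn
  add_vpc_routes rtb-0123456789abcdef0 i-0123456789abcdef0 "$LAN" "$POOL"
  enable_and_start
fi
```

Source the file to get the functions alone, or run it with RUN_DEPLOY=1 on the instance after unzipping the Untangle bundle into ~/untangle-bundle and replacing the placeholder ranges and IDs.  The overlap test is the part people skip: a pool that collides with the VPC CIDR produces a tunnel that comes up cleanly and then routes nothing useful.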

Please let me know if you find any mistakes in this posting.  If you do, drop me a line and I will update the description.