This is mostly here for notes on things I'm working on, or playing with, if there's a difference. As a Systems Administrator I don't experiment with new hardware much; I tend to conservatively stick with Dell systems, only occasionally custom-building a test system or two. Or three, or four. But there are a lot of new experiments in software, particularly with the organization-specific enterprise software that the others may not use. If you're more interested in hardware experimentation, or individual computer experiences, I suggest you check out the Daynotes Gang, and see where it leads.
Anyway, I hope you have as much fun reading the site as I do making it. Newest update: 11:30 PM Thursday, MST.
12:00 PM Short update for the moment; longer one tonight, hopefully. I'm a bit busy at the moment, as it appears not everyone got that carefully prepared virus warning this morning. For those of you who haven't heard yet, here is a link to CERT's information on the virus. Also, please note that I'll be going through the throes of DNS hell with Tom, so this site may be down for short periods of time.
9:30 PM Sigh. Long week last week, longer weekend, and if today was any indication, I'm going to be hating this week. I spent most of Wednesday, Thursday, and Friday being very busy without accomplishing much. I hate those kinds of days, and here I had three of them right in a row. Just to make life even more special, I discovered that one of my brand-spanking-new IBM Netfinity 5600 servers had a hard drive that was throwing Predictive Failure Analysis errors and making weird noises. Make a call to IBM tech support for a replacement. Make three calls to IBM tech support. Get two calls back. Still no hard drive, although they promised to send it Thursday. How are they sending it? Pony Express? I'll find out, though; that drive AND ANOTHER IN A SEPARATE SERVER both died today. It's pretty impressive when they go; lots of warnings and error messages. Pretty lights. Now, what I'd like to know is, why are IBM top-quality SCSI drives failing like that? Two separate drives, with different lot numbers, in different servers, have now failed. Truly awe-inspiring work there, guys.

Today, I rebuilt servers that were supposed to be running weeks ago; sent four more (in a series of over a dozen) emails to get an answer to a simple question; and spent over two hours trying to get home on a commute that usually takes 40 minutes. To top EVERYTHING off, my wrist is sending warning signals about all the typing I've been doing; I suspect it's because of this small laptop keyboard. I think I need to find a good USB keyboard to replace it with. I'll probably be OK for evenings and so on in my chair at home, but at my desk I don't need to be using this tiny keyboard at odd angles.

9:30 PM Today was better. I got some things done - that felt like a bit of a novelty, sadly. Got some cooperation from the central office - that felt like a miracle. And I had time to play a bit with something new.
The permanent network, which I'm in the process of creating, will have substantial security; that's one advantage of having resources. I'm used to working with the leftovers and still making things secure; not this time. Everything from full-up PIX firewalls with built-in VPN and encryption to dedicated intrusion detection hosts and redundant systems. Until then, it's still meatloaf night. But I have to cover all the criticals and as many of the mere essentials as possible. So, we start with a NAT router and firewall, similar to what I have here at home. Only this box doesn't have to do dual duty; it's a dedicated box. So there's only one open port: 22, for SSH. I was tempted to make it accessible only from the inside, but that's just not feasible; I don't have an internal RAS line, so from home I still need access. OK, but we're going for the full-up 4096-bit keys and really, really long passwords. For the only normal user on the box AND for root, and root can't log in except from the console and the serial port. We've just made an impenetrable wall. Nothing gets in; nothing gets out. Um, wait... OK, that's no good. First, use ipchains to allow any traffic to go out. The same rule set will allow returning traffic. OK, better. Portsentry to patrol the walls and rattle the gates. Two more problems, somewhat related. The first is that I currently have four, and will have more, servers that need remote access. They aren't web servers, they're development servers; the public doesn't need access - in fact, they shouldn't have it - but some of our developers need the ability to work from home. Hmmm. I'd prefer to use a modem bank and dial-up pcAnywhere, but I don't think that's going to happen; we don't own the phones, and we've had enough problems with the people who do that I don't see that going anywhere. So it's got to be some kind of VPN, or encrypted pcAnywhere access. pcAnywhere has the ability to use strong encryption, but not internally. Still, I can do that.
The problem is allowing the legitimate connections - and only the legitimate connections - through the firewall. I have multiple IPs available, so I'll bind multiple IPs to the external interface, then use SSH to forward connections to those IPs to internal IPs. That's a security hole, of course. So we close it with access lists; only legit home IPs can connect. Uh-oh, new problem; the majority don't have fixed IPs. This grows tiresome. OK. I can either open the IP access list to the entire range of possible IPs for each person - bad idea - or I can use some other form of authentication. Better yet, let's do both. Restrict to the range of IPs, including specific IPs where possible, AND a different form of authentication. OK. What authentication? Password? Probably, but I don't have a convenient way to do that. Encrypted channel? There's a thought. A much better thought. Hmmm. A dial-up form, software VPN? I've done that before, and I'm pretty familiar with it; I can be persuaded. Better yet, that allows me to ignore the encryption in pcAnywhere, which I don't fully trust. Last (for the moment) problem: our connection to Siebel's main intranet is a hardware VPN. I don't want to leave that outside the firewall. This one's easy; bring it inside the firewall, then use the IP forwarding solution. No problem with security there; only one legit IP to connect to, and the link - since it's a VPN - is secure.

And how was your day? I have little recollection of anything from today. It must have happened, I just don't remember it.

11:30 PM Long day, but reasonably productive. I think things are beginning to fall into place. I spent most of today working on the firewall; I have made two changes, the first being the addition of another network card for the VPN's external interface; it proved easier to bind it that way. I also Have Decided; we shall have a VPN server, as well.
That won't be ready from day 1, but it's just not feasible to allow pcAnywhere connections through the firewall without some serious encryption. That's pretty much all I've done, is work and sleep. I did find time to read through my new copy of a book: Outlook 2000 in a Nutshell, by Tom Syroid and Bo Leuf. (Do I need to provide a link to two such august personages? I thought not. <G>) Of course, I'd read it before, when I reviewed it; but then, I wasn't able to just READ it. I read a bit, edited and sent suggestions and harassed Tom to see just WTF he meant by THAT, then started again on the next bit only to restart the cycle. I didn't remember much. It's an excellent book. Tom, though, is currently running a poll about using Outlook in IMO mode or CW mode. Sorry, Tom, but I have to side with Bob on this one. Most users are CW users. Why? Because the average home user is using Outlook Express; it's smaller, faster, and has that nice built-in newsreader. It's not as complex. And it's still close enough to resemble what they use at work, which, for the time being, still means Outlook in an Exchange environment. That will change, as the majority of workers shift from Large Corporations to smaller startups, but for now, the server is still king in the corporate world. And with that bit of pontification out of the way, I'm going to SSH in to my firewall and work some more. Have a good one.
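The firewall design above (one open port for SSH, outbound allowed with returning traffic let back in, masquerading for the LAN, and "a range of IPs AND a different form of authentication" for remote users) is only described in prose. The following is an added example, my own and not the site's actual configuration: a dry-run generator that prints the ipchains commands for that policy and the authorized_keys line that pins an SSH key to a source range. Interface names, the public address, the internal network and the admin's home range are all assumptions (RFC 5737 documentation addresses); the script prints commands rather than running them so they can be reviewed before being piped to sh on the firewall.

```shell
#!/bin/sh
# Added example, not the page author's config. Prints the ipchains rules for
# a dedicated NAT firewall with SSH as the only open port. Run it, read the
# output, then pipe it to sh on the firewall host.

EXT_IF=${EXT_IF:-eth0}                  # assumed: external interface
INT_IF=${INT_IF:-eth1}                  # assumed: LAN interface
EXT_IP=${EXT_IP:-192.0.2.10}            # assumed: public address
INT_NET=${INT_NET:-192.168.1.0/24}      # assumed: internal network
ADMIN_NET=${ADMIN_NET:-203.0.113.0/24}  # assumed: range the ISP hands out at home

# fw_rules EXT_IF INT_IF EXT_IP INT_NET ADMIN_NET
# Emits the rule set, most specific first; default policy is DENY on input.
fw_rules() {
    ext_if=$1; int_if=$2; ext_ip=$3; int_net=$4; admin_net=$5
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
ipchains -F
ipchains -P input DENY
ipchains -P output ACCEPT
ipchains -P forward DENY
# loopback and the LAN side are trusted
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i $int_if -s $int_net -j ACCEPT
# anti-spoof: a packet claiming an internal source must not arrive outside
ipchains -A input -i $ext_if -s $int_net -j DENY -l
# the only open port: SSH, and only from the admin's home range
ipchains -A input -i $ext_if -p tcp -s $admin_net -d $ext_ip 22 -j ACCEPT
# replies to connections we initiated: any TCP segment that is not a SYN
ipchains -A input -i $ext_if -p tcp ! -y -j ACCEPT
# UDP replies (DNS, NTP) to unprivileged local ports, and ICMP
ipchains -A input -i $ext_if -p udp -d $ext_ip 1024: -j ACCEPT
ipchains -A input -i $ext_if -p icmp -j ACCEPT
# everything else arriving from outside is dropped and logged
ipchains -A input -i $ext_if -j DENY -l
# masquerade the LAN on the way out
ipchains -A forward -i $ext_if -s $int_net -j MASQ
EOF
}

# authorized_key_line PATTERN PUBKEY
# Builds an authorized_keys entry whose from= option limits the key to the
# given client address pattern, so a stolen key is useless from elsewhere.
# The key is the second factor on top of the ipchains source restriction.
authorized_key_line() {
    printf 'from="%s" %s\n' "$1" "$2"
}

fw_rules "$EXT_IF" "$INT_IF" "$EXT_IP" "$INT_NET" "$ADMIN_NET"
authorized_key_line "203.0.113.*" "ssh-rsa AAAA...example admin@home"  # assumed key
```

Two caveats worth keeping in mind. ipchains is stateless: the `! -y` rule admits any TCP segment without the SYN flag, so ACK and FIN probes from outside reach the host, which is exactly the kind of noise a portsentry install will be reporting. And the "root only from console and serial" rule is local login policy (the tty list); the matching sshd setting is `PermitRootLogin no` in sshd_config, without which the ipchains rule still lets root be attacked over port 22 from the admin range.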
Copyright © 1999, 2000 Matt Beland. All rights reserved. Guaranteed 100% Free-Range Electrons.