The successful construction of all machinery depends on the perfection of the tools employed; and whoever is a master in the arts of tool-making possesses the key to the construction of all machines... The contrivance and construction of tools must therefore ever stand at the head of the industrial arts. (Charles Babbage)
It all sounds good from the pulpit, but come Monday morning all the sinners are back to business as usual writing crappy code. (Tony Lawrence)
I tore out a perfectly good Astaro Firewall and replaced it with a Kerio Control box. The Astaro was only two years old and was working fine, but tearing it out made both me and my customer very happy. Read on to learn why.
I'm very happy today. Yesterday I installed a brand new Kerio Control box at a customer I've known for almost 20 years now. We replaced an Astaro firewall that had been put in just two years ago and you probably think I'm happy because I made a sale, but no, that's not it at all.
I'm happy because my customer is now going to get decent support.
With the Astaro, he was getting awful support and at a damn high price, too. His phone calls and emails would often go ignored for days and sometimes weeks. There was nothing wrong with the Astaro itself and I suppose he could have gone searching for some better Astaro reseller to take over the support, but instead he and I decided to rip and replace - he'll be paying far less in the long run and I do NOT ignore my customers! That's why I'm happy.
Best laid plans
My plan was to replace the Astaro with Kerio Control on Wednesday. We knew the Astaro license would expire a few days before that, but I only got the unit the previous Wednesday, and of course I had other things on my schedule already. I expected that Astaro would have some reasonable policy on expired licenses. For example, Kerio Control has this policy:
If the License (or the trial period) expires, the functionality of the product will be limited. In particular, the following features will be turned off:
* IPS, integrated and external anti-virus engines
* VPN Server, all tunnels, SSL-VPN Server
* Accounting - gathering statistics
* HTTP Policy, FTP Policy, HTTP Proxy Server, Forbidden words
* Bandwidth Limiter is turned off
* 'Require user authentication', NTLM authentication
* UPnP server, P2P Eliminator, Anti-spoofing, MAC Filter
* Kerio Web Filter will stop working
I expected Astaro to have something similar.
On Saturday afternoon, however, someone from the customer called saying that the Internet was down. I wasn't where I could test anything at that particular moment, so I asked them to call their ISP (Verizon) to see what they said. An hour later the customer called back, telling me that Verizon said a line was "down" somewhere.
I shrugged my shoulders - there's not much I can do about that, although I knew that they also have a slower line and I thought that would have been configured for failover. The person I was talking to on Saturday would know nothing about that, though, so perhaps they had simply discontinued it.
On Monday morning, I had a call from my usual contact. Apparently Verizon had not yet fixed the problem. They were 'on their way', he said and had narrowed it down to something very close to the building. I commiserated, but then he said something odd.
"Email is still coming in. I can't send email, but I get it."
Excuse me? If the Verizon line is down, how could anything be coming in? Unless maybe it was coming through the failover line? But why wouldn't he be able to get out? I was at a computer now, so I ssh'ed to his Linux server and, sure enough, it let me in. But once in, I couldn't even ping outside sites. That made no sense to me and I suspected the Astaro licensing. I asked him to check what the Astaro said about its interfaces, but he couldn't see much: almost everything he looked at just said his license was expired.
I offered to reschedule and come in early Tuesday, but if Verizon was still looking for a broken line, that didn't seem to make sense. We decided to leave it for Wednesday.
Of course I preconfigured most of this before going on site, but I didn't add users or fully configure the secondary Internet line - it might not exist. When I arrived, Verizon had just completed the repairs and had asked him to reboot his routers. Good timing!
We headed down to the network closet and I found pretty much what I expected to find. The Astaro had three CAT5 cables plugged in. That would be one for the main ISP, one for the failover and one for the network switch. I pulled them out and started hooking up the new Kerio Control.
All hell broke loose a few minutes later. Cries of pain echoed down the halls. I had somehow disconnected them from their server!
That made no sense, but then we looked more closely at the line coming from the "failover" connection. It was disconnected and had been before we walked in. Huh?
"Oh yeah - I remember he [the Astaro guy] had me disconnect this. It was slowing us down," my contact guy explained.
Slowing you down? "Wasn't it a failover?" I asked. No, he explained: it had been configured to use both, but it is a much slower link, so people were complaining.
I muttered something unfriendly about the Astaro guy. That link shouldn't have been configured for load balancing. If you have a fast link and a slow link, you either configure the slow one for failover only or you use it only for some specific purpose like incoming mail - you don't plague users with it! I pulled out the "wrong" wire and plugged this one in to the port I had planned for failover.
But what about the wire I just pulled out of that port? What the heck was that? How could we have two connections to the network? It took me a few minutes to understand: there were not two connections to a switch; there was a connection to one switch and a connection to another and the firewall was sitting in the middle! So of course I killed the network when I switched it - I plugged half of their network into a port I had configured for the failover link! The really hilarious part of it was that a little 8 port switch was sitting right there - that extra line could have been plugged into that instead! Sheesh!
But at least we were working. Within a few tens of seconds, people had Internet access again and the network was reunited. I began introducing my contact to his new firewall.
Users and VPN access
I like to set up the VPN users and administrators first. Those are the users we absolutely need to define; the rest can wait. We already had six or seven people who ssh in and I had defined a DNAT rule to bring them in, but I explained that it really would be better for them to use the free Kerio VPN client instead. That would give them access to all network resources instead of just logging in by ssh. We set them up and gave them VPN rights.
I held off on adding any more users because I wanted to show him a neat way to do it in Kerio Control. This way is easier for everyone.
In the DHCP section of the firewall, you can see leases. If you double click on one, you can give it a name (helpful when the machine names were carelessly assigned) and reserve the lease so that the device will always get that same IP. Why do we care? Because in the user config, there is the ability to assign an IP to a user - when the system sees traffic from that IP, it logs it as belonging to that user.
In this case, that "user" is called "Front Desk Downstairs". Note that spaces in the name are fine and that we really aren't defining a user - we're defining a machine. The Kerio reporting will treat it as a user, and a user with more rights could specifically log in at that machine, but otherwise we don't care who uses it - we're tracking what happens at that machine. The real user doesn't have to log in, doesn't have to know the assigned password, really doesn't have to care at all. But the administrator can now easily see that "Front Desk Machine" spent a lot of time on Facebook just before lunch.
That's a simple and transparent way to handle users. The only people who even need to know passwords are the VPN users or anyone who has rights to unlock otherwise protected content. The administrator gets the oversight and the users don't have to login.
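The attribution that the reserved-lease trick above gives you, written out as an added example (not Kerio Control code): the reservation table, the current lease table and the log lines are all constructed, and the log format is assumed to be "time client-IP host". It also shows the check you want alongside this approach: a reserved IP whose lease is currently held by a different MAC is still attributed to the machine name, but flagged, because the name identifies a machine, not whoever is at that address right now.

```python
"""Attribute per-IP web traffic to the machine "user" that a reserved DHCP
lease defines. Added example, not Kerio code: the log format and both
tables below are constructed sample data."""
from collections import defaultdict

# Constructed reservation table: reserved IP -> (reserved MAC, machine "user").
RESERVATIONS = {
    "192.168.1.50": ("00:11:22:33:44:55", "Front Desk Downstairs"),
    "192.168.1.51": ("00:11:22:33:44:66", "Back Office"),
}

# Constructed current lease table: IP -> MAC that actually holds the lease now.
CURRENT_LEASES = {
    "192.168.1.50": "00:11:22:33:44:55",
    "192.168.1.51": "aa:bb:cc:dd:ee:ff",  # a different device holds this IP
}

# Constructed web log lines, assumed format: "<time> <client_ip> <host>".
LOG = """\
11:40:02 192.168.1.50 www.facebook.com
11:41:10 192.168.1.50 www.facebook.com
11:42:30 192.168.1.51 mail.example.com
11:43:05 192.168.1.77 www.example.org
"""


def attribute(log_text, reservations, leases):
    """Return ({user: {host: hits}}, [warnings]).

    An IP with no reservation lands under 'unknown' rather than being
    dropped silently; a reserved IP whose lease is held by a different MAC
    is still counted for its machine name but produces a warning.
    """
    report = defaultdict(lambda: defaultdict(int))
    warnings = []
    for line in log_text.splitlines():
        _time, ip, host = line.split()
        if ip in reservations:
            mac, user = reservations[ip]
            if leases.get(ip) != mac:
                warnings.append(f"{ip} reserved for {mac} ({user}) "
                                f"but lease held by {leases.get(ip)}")
        else:
            user = "unknown"
            warnings.append(f"{ip} has no reservation; attributed to 'unknown'")
        report[user][host] += 1
    return {u: dict(h) for u, h in report.items()}, warnings
```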
Kerio Control has a built in rule for its Kerio Web Filter, but don't forget that you have to double-click on it and select the specific categories you want to block.
Of course there may also be things you want to block specifically. The easiest way to do that is to create a new URL group:
And then add an http policy that blocks them:
This doesn't clutter your policy with dozens of rules and makes it easy for the administrator to add and remove sites.
Kerio's StaR reports seemed to really fascinate my contact. "Didn't the Astaro do something like this?", I asked. He replied that it did, but only by IP address, so he never knew who was doing what. He said that the Astaro guy was "supposed to fix that", but never did.
Yeah. I think you can see why I was happy about this sale.