Archive for the Systems Engineering Category

How to Secure iPad VPN with Windows L2TP

miqrogroove
2013-01-15T10:30:39+00:00
VPN diagram showing both Windows and iPad remote clients.

Different protocols for different clients.

Back in August, I mentioned the importance of disabling most versions of PPTP for security reasons, and included my own tutorial for How to Secure a Windows VPN with PEAP.  That solution works great for Windows, but is not compatible with iPads.

Now I will offer a solution that works great for iPad, but may not work on Windows computers.  In addition, I will explain how to get the two solutions to work together securely so that both Windows and iPad computers will be able to connect to a Windows VPN simultaneously without using the insecure versions of PPTP.

The Layer 2 Tunneling Protocol (L2TP) is an obvious choice for the iPad because it is the only supported protocol other than the insecure PPTP option.  On the server side, however, there are some implementation nuances that could easily discourage the use of L2TP.  I took the time to research L2TP in more depth before writing this article, because I felt that a generic recommendation could leave readers totally confused about the security issues involved.  So before delving into a new tutorial, I want to explain two new concepts:  L2TP Pre-Shared Key, and L2TP NAT Traversal.

NAT Traversal could be a major concern for any L2TP implementation, because Microsoft wrote a very technical and rather intimidating knowledge base article called IPSec NAT-T is not recommended for Windows Server 2003 computers that are behind network address translators.  If you’ve seen that article, I want to assure you that the Microsoft recommendation is not relevant here.

A careful reading of the Microsoft recommendation against NAT-T will reveal that the underlying security problem with NAT-T is not a server problem but a client problem.  In other words, Microsoft recommends that Windows XP computers not attempt to use NAT-T to connect to privately-addressed servers.  The Windows 2003 server itself fully supports NAT-T out of the box and doesn’t even need to be configured to use it.  This is perfect for iPad users, because iPad also supports NAT-T out of the box, and this almost eliminates the address translation challenges of using L2TP.

14 Jan 2013

UPS Replacement and APCUPSD for Windows

miqrogroove
2012-12-26T05:37:14+00:00

After replacing a UPS device, Windows may automatically delete the APCUPSD USB driver.  When the computer boots up, the tray icon status will say “Network Error” and three errors will be logged in the Windows Event Viewer.

To restore APCUPSD to online status, simply re-install the USB driver by following the manual installation instructions.  That information can be found in the program directory, for example C:\Program Files\apcupsd\driver\install.txt.  In a nutshell, you need to look in the system’s Device Manager.  If there is an item in the Human Interface Devices group named “American Power Conversion USB UPS”, then the desired driver is missing.  Right click that item, click “Update driver” and then pick the correct driver.

After restoring the driver, restart the APCUPSD service by using the “Start Apcupsd” shortcut in the Start menu, or by using the Services administrative tool.

26 Dec 2012

Split Tunnel VPN, Part 2

miqrogroove
2012-08-31T00:06:09+00:00
Diagram of the split tunnel VPN configuration that does not require static routing

Updated Split Tunnel Design

Two years ago, I devised a Windows XP split tunneling solution that involved static routing.  That solution had the advantage of being cheap, but also had the disadvantage of scaling poorly with any number of client computers.

Now I have a second solution that eliminates the static routing problems.

While researching new VPN security issues recently, I came across an obscure piece of information about the Windows VPN client.  It is nestled cryptically in this one sentence from a Microsoft whitepaper:

“When the Use default gateway on remote network check box is cleared, a default route is not created, however, a route corresponding to the Internet address class of the assigned IP address is created.”

Absent any other explanation, that sentence requires some mental gymnastics to understand.  Allow me to help with this.

31 Aug 2012

How to Secure a Windows VPN with PEAP

miqrogroove
2013-04-22T14:25:22+00:00
Authentication Methods page in the RRAS Remote Access Policy Wizard

Setting up PEAP

In light of last month’s announcement by Moxie Marlinspike and David Hulton that they developed a method for decrypting Windows VPN traffic in under 24 hours, it is now important to stop using MS-CHAPv2 as a means of authenticating VPN passwords.

There is a relatively simple fix for this.  Microsoft VPN servers have the ability to authenticate passwords using another protocol called PEAP, also known as PEAP-EAP-MSCHAPv2.  The only reason one might avoid using PEAP in the first place is that the Microsoft documentation is confusing and describes a requirement for Public Key Infrastructure (PKI) deployment.  The PKI as described in Deploying Remote Access VPNs requires anywhere from one to three servers just to issue certificates.  However, it only specifies the PKI requirement for a slightly different protocol called EAP-TLS.

To be clear, PEAP does not require a full-blown PKI or even an internal Certificate Authority.  You can, in fact, use the same certificate that has been, or would be, issued to a web server for SSL encryption.  There is no reason to add a second certificate just for a VPN server.  This also means there is no investment required in PKI if a free certificate issuer is used, such as startssl.com.

Below is a brief tutorial for configuring an existing RRAS installation with PEAP-MS-CHAPv2.

12 Aug 2012

Don’t Use min-width Media Queries

miqrogroove
2012-03-16T01:31:24+00:00
Opera Mini Screen Shot

Mobile Friendly

Two weeks ago, I tried to point out a shortcoming of example CSS code over at the Opera.com website.

The point in question was the use of the “min-width Media Query” which I felt was incompatible with Internet Explorer.

Since this is tricky to describe without drawing a picture, I decided to set up a few sample web pages here to serve as a live demonstration of the problem.

The demo is: My min-width Media Query Test Case

For readers uninterested in the demo or the raw code, I am providing a set of screen shots below to fully illustrate the results.

My scenario begins with a page that looks fine in most browsers, but renders poorly in Opera Mini, a mobile web browser.

In an attempt to make the page mobile friendly, I used the min-width CSS media query to cause Opera Mini to ignore parts of the code.  Unfortunately, this rendered poorly in Internet Explorer 8 and older versions.

16 Mar 2012

Server Monitoring Through DD-WRT

miqrogroove
2013-08-18T19:09:04+00:00
DD-WRT Commands screen with a server monitoring script.

Powerful Little Script

Happy New Year!  I’m kicking off my 2012 blog entries with a fun little hack for Linksys routers.

There are plenty of articles on the web about using DD-WRT to enable router monitoring.  I decided to turn this idea on its head and use my router for server monitoring!  When I realized DD-WRT comes with a sendmail command, I knew this was going to be quick and easy to set up.

This is great for anyone who would like their celly to light up as soon as something goes wrong with an important computer or website.  All of the needed software is already built in to compatible routers, so there is no need to purchase or install a dedicated monitoring system on a separate computer.

By following these easy steps, you can create your own reliable monitoring service.

1 Jan 2012

PERT Chart With Nodes

miqrogroove
2011-12-05T18:21:33+00:00
PERT chart with nodes and a single task

PERT Chart

Visio 2010 is a great tool for designing PERT charts.  Since it lacks some of the shapes needed to easily add and connect nodes with other PERT items, I came up with a few tools to make it easier.

My step-by-step tutorial explains how to create nodes and connections that work seamlessly.  After completing these steps, you will have three new shapes to work with:

PERT Node, PERT Connector, and PERT Task.

2 Dec 2011

Windows VPN Keep Alive

miqrogroove
2011-10-10T13:16:24+00:00
Batch file properties window.

Batch Shortcut

I enjoy the one-click facility for connecting to my VPN in Windows XP.  It gets the job done, but I sometimes struggle with the famous dead connection bug.  This is a very common problem in Windows that causes the VPN to become unresponsive after two to five minutes of inactivity, even though the status still says “Connected.”

I created a one-click solution for both connecting and maintaining a VPN.  Setting it up is simple.  It involves just these steps, which I will explain below:

  1. Set the VPN “idle time before hanging up” period to “5 minutes” instead of “never.”  This forces Windows to properly reflect any disconnection.
  2. Create a new batch file, which I have provided below.
  3. Edit the batch file to match the name and address of your connection.
  4. Create a desktop shortcut to the batch file.
  5. Edit the shortcut properties so that the batch automatically runs minimized with a nice icon.

1 Nov 2011

Visio Shapes and Dashed Lines

miqrogroove
2012-11-20T19:32:14+00:00
Navigating the options: More Shapes > Visio Extras > Callouts

Shapes Menus

My Flight Operations professor would like his students to create procedural flow diagrams in Visio 2010 using comment boxes with both solid lines and dashed connectors.  This turns out to be easier said than done because the latest version of Visio has line style “effects” that globally override any dashed connectors.  We can create the comment boxes easily, but how do we get them to automatically show up with specific connector formats?

The answer is to create a custom shape using a connector that is not styled.

My step-by-step instructions will guide you through a procedure to achieve that outcome.  I am providing screen shots as a visual aid, though a corresponding flow chart can be provided as needed.

6 Oct 2011

Windows VPN Requires NTLMv1

miqrogroove
2015-08-28T20:36:06+00:00
LAN Manager authentication level set to “Send NTLMv2 response only\refuse LM”

Solution Screenshot

I’ve stumbled upon a seemingly undocumented authentication error in the Windows VPN system.

Error 691: Access was denied because the username and/or password was invalid on the domain.

This can be caused simply by elevating the VPN server’s LM authentication level to 5, which refuses the NTLM protocol.  According to KB823659, requiring NTLMv2 should not break Windows XP connections unless older systems are involved.  However, this configuration does cause client and server authentication errors.

3 Sep 2011
