Archive for October, 2009

Why you should upgrade to Windows 7

I usually don’t recommend everyone immediately upgrade to a new version of anything. I’m firmly in the “wait for others to find the bugs” camp. I like to run the latest myself, but for paying customers, if it ain’t broke why fix it. I don’t recommend they upgrade until version 1.1 or possibly with a hardware change. I’m changing this position for Windows 7. It’s not that different from Vista. Vista’s now at Service Pack 2 and is very stable. For whatever reason many people are still running XP. The security benefits of Windows 7 compared to XP far outweigh any cons about upgrading. The Internet is worse than the wild west was. Surfing the net with XP is like showing up at the OK Corral naked with a water pistol. It doesn’t matter what you do, you’re probably going to lose. When you do lose you will become a zombie bothering the local townies until they finally put you out of your misery. Windows 7 puts you in the game. You’ve got as good of a chance as the bad guys. For this reason alone Windows 7 is worth upgrading for. All the fancy UI, networking, media enhancements, etc., are just gravy. Security is the number one reason to upgrade. Heck, even the Linux and Mac crowd should be urging the Windows crowd to upgrade. The Internet will be a much better place when XP is forgotten.

Walking in the Rain Revisited

A while back I wrote a blog post comparing computer security to walking in the rain. This morning it was raining pretty hard during my morning walk. It wasn’t raining quite as hard as when I wrote the previous post but west coasters know what “raining pretty hard” means. For the rest of you, it was raining as hard as you’ll probably ever experience unless you live in a rain forest. For some reason I decided not to use the same gear as in the blog post. I had the Halti jacket and Tilley hat on. I didn’t take an umbrella, wear gloves, or wear rain pants. I ignored my own advice from this blog post about security being a marathon where we can never relax. In half a block my pants were soaked through. A few minutes later my hands were cold. I had to cut my usual walk in half because I was getting cold and wet. Computer security is similar. Use the appropriate tools. Don’t take shortcuts. Never relax or get complacent.

Experimenting with IPv6 – Part 1

IPv6 is coming. We’ll all have to learn how to deal with it. With this in mind I’ve set out to educate myself about IPv6. I learn better by doing than by reading. I like to read enough that I have a very basic understanding of the subject, then play. After playing with it I generally find I need to do some more reading or possibly even take some courses. With IPv6 I’m at the playing stage. I decided to set up a Server 2008 R2 virtual machine as a test bed for IPv6. I needed a second domain controller on my SBS 2003 network so I made it a DC and a DNS server. It’s probably not the best idea to use a DC for an IPv6 experiment but I figured I may as well go whole hog and learn by making mistakes.

The reason for the DNS server is so once I figure out IPv6 it can answer IPv6 queries from the workstations. Plus it’s a DC, which implies a DNS server. This is the first place I ran into a problem. There is a bug in the 2008 R2 DNS server implementation. It wasn’t resolving some queries. nslookup microsoft.com worked but nslookup www.microsoft.com didn’t. It was very perplexing and took a lot of Bing-fu and Google-fu to fix. The fix is here in Scott Forsyth’s Blog. It appears it’s a combination of some DNS servers not returning EDNS results properly and the way Server 2008 R2 DNS deals with that.

The server was now set up as a DC and a DNS server. To play with IPv6 I needed to set up a tunnel. My ISP doesn’t support IPv6 and neither does my router. I decided to activate a free IPv6 tunnel at tunnelbroker.net. This was relatively straightforward. I was happily testing IPv6 over the tunnel thinking that was too easy. I was right, it was too easy. I decided to run a port scan of the IPv6 tunnel. Imagine my surprise to find out that as far as the Windows firewall was concerned the tunnel was part of the local network. I had just put a DC on the Internet with no firewall. Not good to say the least. I quickly disabled the tunnel. I spent the next several hours Googling and Binging to no avail. So far I haven’t found any way to block incoming ports on the IP6Tunnel interface while leaving ports open for the local network. I’m stuck for now. I need to use the Windows firewall because the tunnel by definition bypasses the firewall in my router. I’m sure there’s a way but until I find it no IPv6 for me. Once I get past this setback I’ll continue this blog series.

Update

It looks like the only way to do this is to add a second NIC for the IPv6 tunnel. I should be able to set the firewall profile for the second NIC to Public, which would solve the problem. I don’t want the headaches caused by a multi-homed domain controller. I’d probably need to set up a VLAN as well, which my router doesn’t support. The project is temporarily on hold while I rethink things.
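
A local check for the exposure described in this post, as an added example that is not part of the original post: it reads `netstat -an` output and lists the TCP listeners that answer on a globally routable IPv6 address, which are the ports a tunnel puts beyond the router's firewall. The netstat lines and host addresses are constructed samples, with the 2001:db8::/32 documentation prefix standing in for a tunnel-assigned prefix; the function names are this example's own.

```python
import ipaddress
import re

# Global unicast IPv6 space; link-local (fe80::/10) and loopback fall outside it.
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
LISTEN_RE = re.compile(r"^\s*TCP\s+(\[[^\]]+\]|[\d.]+):(\d+)\s+\S+\s+LISTENING\s*$")

# Constructed sample of `netstat -an` output (not taken from the author's server).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    [::]:53                [::]:0                 LISTENING
  TCP    [::]:389               [::]:0                 LISTENING
  TCP    [::1]:5000             [::]:0                 LISTENING
  TCP    [fe80::1c2d:3e4f:5a6b:7c8d%11]:445  [::]:0    LISTENING
  TCP    [2001:db8:1f0a:2b::2]:3389  [::]:0            LISTENING
  TCP    [2001:db8:1f0a:2b::2]:49155 [2001:db8:ffff::9]:443 ESTABLISHED
"""
# Constructed: addresses on the host's interfaces, tunnel endpoint included.
HOST_ADDRESSES = ["192.168.1.10", "fe80::1c2d:3e4f:5a6b:7c8d", "2001:db8:1f0a:2b::2"]


def parse_addr(text):
    """Strip netstat's brackets and any %zone suffix, then parse the address."""
    return ipaddress.ip_address(text.strip("[]").split("%")[0])


def is_global_v6(addr):
    return addr.version == 6 and addr in GLOBAL_UNICAST


def exposed_listeners(netstat_text, host_addresses):
    """Return sorted (port, bind address) pairs reachable over global IPv6."""
    has_global = any(is_global_v6(parse_addr(a)) for a in host_addresses)
    found = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue  # not a TCP listener (e.g. an ESTABLISHED connection)
        addr, port = parse_addr(m.group(1)), int(m.group(2))
        # A [::] wildcard listener answers on every IPv6 address the host holds,
        # so it is exposed as soon as one of those addresses is global.
        wildcard = addr.version == 6 and addr.is_unspecified and has_global
        if wildcard or is_global_v6(addr):
            found.append((port, str(addr)))
    return sorted(found)


if __name__ == "__main__":
    for port, bind in exposed_listeners(SAMPLE_NETSTAT, HOST_ADDRESSES):
        print(f"tcp/{port} listening on {bind}: must be covered by a host firewall rule")
```

Every port this reports has to be blocked or scoped by the host firewall itself, since nothing upstream filters traffic arriving through the tunnel.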