Job 1: Get the boss on the network. Job 2: Figure out why Job 1 broke the network for everyone else Welcome readers one and all to another instalment of Who, Me? in which we recount tales of technical troubles (and occasional triumphs) that our valued readers have been dying to get off their chests. This week meet a reader we'll Regomize as "Walt" who found himself working in technical support at, of all things, a theme park …
There's no way a park that big has help desk folk given that kind of network access. Especially not without a change request.
In fact given my own experience working at a theme park based around bricks in Windsor, that became part of a large conglomerate whilst I was there, I'd suggest this theme park was a smaller, independent affair.
"Almost certainly on different SSIDs and VLANs but the same physical access points and cabling. Because it's expensive to double-up everything over a whole park when VLANs will do the job just as well.
But the MAC allow/deny list may not be VLAN specific."
I am 'Walt' and you are entirely correct!
PS: It was not a Disney theme park and I can't remember for the life of me what the issue with the iPad actually ended up being.
Because the safest approach is to consider EVERY WiFi network hostile and thus only allow access via VPN? That way you don't have to worry about staff using airport WiFi (which is *always* intercepted) or falling victim to a proxied network.
In addition, just because you hide the SSID and use a complex password doesn't mean it cannot be accessed. Even an "internal" WiFi network should not be able to reach anything critical without at least a DMZ or better in the way.
That's why you use a VPN.
Always use MAC restrictions on private WiFi (even though you can spoof your MAC address) and if you can, on any internal network. At home I run a private WiFi network with MAC allow list and a separate guest WiFi via voucher code for when visitors ask "What's your WiFi password?".
Possibly because you can easily spoof a MAC address, but that still requires breaking into the traffic first to actually pick up valid MAC addresses to use (and then you have to wait for them to be offline before you can use them as the ARP request results would otherwise be, err, interesting).
Frankly, if you have something on your home network that someone wants to put in that much effort to access I'd use a VPN wrapper. Or cables.
I just name my network Federated Bread Incorporated
One of my neighbours called his network 'ASIO Monitoring Vehicle #267'
He never got an intrusion either, although he did initially get a visit from local plod, who thought it was a wizard wheeze.
For the folks in the old dart, ASIO is the Australian Security Intelligence Organisation. Think spooks in thongs and boardshorts
For people in the old dart (again thongs are flip flops and not at all what you were thinking
I'm gonna go out on a limb and guess there were no available IPs in the DHCP pool when he tried to connect. If so, the solution would be to assign a static IP for VIP devices - and make them know if they replace the device they need to contact him to make that change if they want to insure this doesn't happen again.
The allow list wasn't a fix for the problem, other than for the fact that it caused everyone else to be kicked off, which voila freed up plenty of IPs :)
> No one is assigning public IP addresses to iPads and iPhones in an amusement park.
IPv6: Yes, you do. By design! Else they will not be able to use internet. Even if you use IPv6 in you LAN, with your correct configured LAN IPv6 range, you always get a second IPv6 just for internet. The third one, fe80:: is for link-local, the follower of the 169.254.0.0/16 range - which is always active.
Yup, one of the drawbacks of IPv6: The router and its firewall must be correctly implemented to, by default, not allow every device be accessible from the internet. And for portforwardings, which is actually the wrong word here, it must handle that clients change their IPv6 address when the internet address changes, but they keep their lower /64 (or /56, depending on ISP) address. Including that the clients keep their former address for a few minutes, sometimes for an hour, in parallel to their new actual internet IPv6 address.
Not trivial. And one of the reasons why IPv6 is slow on the uptake.
If I worked there (which I haven't) I would probably have a rule that blocks any idevice purporting to be from the upper executive team, since almost all will be script kiddies playing around. But when one of those folks brings an ithing they bought off AliExpress and expects it to work, well, there's a change management process and reviews and ... Oh here's this whitelist option...
I once was the network guy for an entertainment company. This was in the 90s in all its win95 glory, with the cursed NetBUI protocol by which every connected PC was telling the whole world it was here every single bloody second, via broadcast. That was annoying.
Since we'd just replaced the network legacy hubs by brand new switches, I began to explore the new possibilities and Oh, I found our switches could rate limit broadcasts !
So, I went the following morning to set this up and remove 90% of the broadcasts.
But what I didn't know was, the bloody Banyan Vines protocol was doing something crazy: use broadcasts and even assemble multiple broadcasts into bigger packets.
Just after the set up, the global directory went VERY SLOW, indeed, which prompted a queue of users at my office. Didn't take me long to fix it, though.
Bloody Vines !
I'll raise your mid-90s Vines with the fact I recently found a bunch of 2019 servers running the computer! browser! service in our AD. Some numpty had enabled SMB1 in the build, and by default, it enables Computer Browser. The legacy build procedure that disabled it was not applied to the newer boxes.
I noticed because I was idling through the SMB audit logs and found a load of servers yelling at each other for network browser elections.
Yup. As a newly-hired network administrator, I took down an entire dial-up ISP with an implicit deny-all rule while mitigating DoS attacks against some users. Once I realized what I had done and that my back-door into the system was also affected, I had that sinking feeling of letting go of the car door just as you realize your keys are still in the ignition.
Fortunately, this happened around 2am when usage was low. A 20-minute drive across town to the office (completed in 12 minutes) resolved the issue and no one was any the wiser. Though, I admitted my tomfoolery to my boss in the morning, which elicited a chuckle.
Let me tell you a story. I met my boss at that job before I was hired, when the company held a customer appreciation event. How I became a customer is almost as interesting. See, I had an Amiga, and I was told by a couple of places there was no way they could get me on-line. When I called this company, the guy who answered the phone thought it was cool as hell, and while we were talking he had signed me up and let me have a chance to get going. I did.
At the event, some people wanted to meet me and I got to meet them... but not after I had already gotten completely shit-faced, but was still very excited to talk about the Amiga and technology in general. I kind-of had a job interview right there, and within a month I was working with them.
I was brought on to be an assistant administrator, and the guys taught me the ropes. In a couple of months I was proficient with the dial-up and ISDN system, Windows on the Internet, IP networking, and some colocated server management. In the dark, dark corners of the network sat a Unix machine (Solaris 2.4 on a SparcStation clone,) with a dying hard drive and some other issues. I was tasked with its administration since I knew some Unix and the administrator, aside from having a lot on his hands with the NT side of things, would get uncharacteristically furious at Unix.
By the time the dial-up system lock-out occurred, I had a deep respect for my boss. We worked as both equals and as pupil and master. I had no reason to hide what I had done, especially when expressing that I had learned a valuable lesson about "implicit deny." A lesson he admitted to having had learned the hard way, as well.
We all worked together for almost four years; we became a team, and our work relationships mostly turned into good friendships. Our company was sold to a local competitor and I spent the first six months working in the new company's office as a contractor. We have continued that mutually beneficial working relationship for 20 years, coming back around to me not playing a major part in the company under new management
I am proud to say that I am still close friends with a couple of the guys I started with there, and have had the deepest honor to participate in their weddings, as a groomsman and as my former boss's Best Man.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
