Monday, September 10, 2018

Introduction to Virtual Private Network - VPN


VPN Tutorial Guide
A VPN (Virtual Private Network) is a secure connection between two or more endpoints. It can also be seen as an extension of a private network. A VPN saves organizations / companies from renting expensive dedicated leased lines. VPNs give users the ability to work from home and save the cost of resources such as e-mail servers, file servers, etc., as all of these can be accessed over the VPN connection at the central site.

A VPN is commonly used to provide secure connectivity to a site. There are two key types of VPN scenario: site to site VPN and remote access VPN.

Site to Site VPN
In a site to site VPN, data is encrypted from one VPN gateway to the other, providing a secure link between two sites over the internet. This enables both sites to share resources such as documents and other types of data over the VPN link. A site to site VPN is a VPN tunnel between two or more sites, allowing offices to share files and other resources. The tunnel is created using VPN gateways at each site, usually using IPSec to secure the VPN connection over the internet.
Once a tunnel has been created between sites, users are able to access and share files and resources easily. However, this all relies on an internet connection and on both sites' ISPs being up. Some site to site VPNs are configured with a multi-WAN setup, which provides some redundancy if an ISP goes down: the VPN gateway has two ISPs connected. The primary ISP is usually the faster internet connection, with a slower link connected as a backup. This backup link comes into effect if the primary ISP goes down.
VPNs can also be set up in a site to multi-site configuration, with all branch offices connected to the head office VPN. The branch offices can connect to each other via the head office. This is usually referred to as a hub and spoke deployment: the head office is the hub, and the branch offices are the spokes connecting to it. The head office VPN appliance needs to be powerful and scalable to provide connectivity to all branch offices.

Remote access users or Mobile users
In a remote access VPN scenario, also known as mobile VPN, a secure connection is made from an individual computer to a VPN gateway. This enables a user to access their e-mail, files and other resources at work from wherever they may be, provided they have an internet connection. Two common forms of technology exist for remote access VPN, IPSec and SSL, which are covered further below.
Remote access users are end users and employees who access their corporate network remotely via a VPN client. VPN client software is installed on the remote user's laptop, which the user uses to connect to the VPN gateway at the corporate site over the internet. When the client software is first installed it requires setting up, so that it knows how to reach the corporate VPN gateway, how to encrypt and authenticate to it, and other parameters.
Usually the VPN client software also includes a firewall, protecting both the laptop and the corporate network from outside threats. After all, a remote user with a laptop can be a threat to the corporate network: the laptop may contain viruses and trojans. For this reason a firewall is required, mainly to protect the corporate network, as well as the remote user's laptop.
Many VPN servers now also come with the ability to control end users via network access control. For example, if the laptop is not on the latest Windows patch, is not up to date with the newest anti-virus definition (dat) files, or does not have a certain application running, then the laptop is not allowed access to the corporate network.

VPN Networking Protocols
PPTP (Point to Point Tunneling Protocol)
PPTP is a protocol that supports the use of VPNs. Using PPTP, remote users can access their corporate networks securely using Microsoft Windows platforms and other PPP (Point-to-Point Protocol) enabled systems. This is achieved by remote users dialing into their local internet service providers and connecting securely to their networks via the internet.
PPTP has its issues and is considered a weak security protocol by many experts, although Microsoft continues to improve PPTP and claims its issues have now been corrected. PPTP is easier to use and configure than IPSec, but IPSec outweighs PPTP in other areas, being more secure and more robust.

L2TP (Layer 2 Tunneling Protocol)
L2TP is an extension of PPTP (Point to Point Tunneling Protocol), used by internet service providers to provide VPN services over the internet. L2TP combines the functionality of PPTP and L2F (Layer 2 Forwarding protocol) with some additional functions drawn from IPSec. L2TP can also be used in conjunction with IPSec to provide encryption, authentication and integrity. IPSec is the way forward and is considered better than the layer 2 VPNs such as PPTP and L2TP.

The four key functions or services of IPSec are as follows:
1 Confidentiality – encrypting and scrambling the data.
2 Data Integrity – the data has not been changed.
3 Data Authentication – authenticating the sender and receiver; each is who they say they are.
4 Anti-replay – each packet is unique and has not been duplicated or intercepted.


5 phases of IPSec
1 Define interesting traffic
2 IKE phase 1 – key exchange phase
3 IKE phase 2 – IPSec policy and transform sets are processed
4 Transfer data – after the tunnels are established, the data is transferred
5 Tear down the tunnel


IPSec uses two different protocols to encapsulate the data over a VPN tunnel:  

Encapsulation Security Payload (ESP): IP Protocol 50
Authentication Header (AH): IP Protocol 51
ESP is more secure as it provides data encryption; AH only provides authentication.


SSL VPN (Secure Socket Layer)
SSL VPN provides excellent security for remote access users as well as ease of use. SSL is already heavily used: when you shop online or access your bank account online, you will notice an SSL protected page when you see "https" in your browser URL bar as opposed to "http".
The difference between SSL VPN and IPSec is that with IPSec a remote user requires client software which needs installing, configuring and sometimes troubleshooting. With SSL there is no client software if the user is using the SSL portal. The portal is a GUI accessed via a web browser and contains tools and utilities to access applications on the network such as RDP and Outlook. SSL can also imitate the way IPSec works via a lightweight software client; if a user requires it, it can be installed with very little effort via the browser, which simplifies the process of securely accessing the corporate network.

Using SSL VPN means thousands of end users can access the corporate network without the support of an administrator and possibly hours of configuring and troubleshooting, unlike IPSec. The end user just needs to know the address of the SSL VPN portal. Another advantage is that they can do this from any computer, as they do not have to rely on configured client-side software.

Key points between IPSec and SSL VPN's
SSL VPN is accessed via a web portal front end after a secure https connection has been established between the client and server. From there a user can access the configured enterprise applications. IPSec VPN connectivity happens via the configured client software, and once connected the user can use the resources available on the network.

SSL is very easy and simple to install and use compared to IPSec. The IPSec protocol is sometimes blocked in public places such as hotels and cafes, where SSL is almost always open.
IPSec software has to be installed and configured on all client machines before they can connect remotely. With SSL, the remote user only requires a web browser and possibly the ability to download and install Java or ActiveX.

IPSec provides security for network access only, whereas SSL VPNs provide secure access to certain applications. IPSec is suitable for LAN to LAN or gateway to gateway connectivity, where SSL VPN is suitable for remote client access only.

IPSec is an all or nothing scenario: you are either connected to the network or you are not. SSL VPN has much tighter control and can be set up so that certain users get access to certain applications only, and can only access the network if their system is compliant.


Setting up VPN with IPSec
Below is a basic overview of the typical way a site to site VPN is configured using IPSec. IPSec is chosen as the example because it is the most commonly used technology and is known to be a solid, robust and secure VPN technology.
You may be new to all the VPN terminology, so the links in this VPN article will give you a good understanding of the terms used in the guide below.

Basics in setting up a site to site VPN with IPSec
Below covers what is required to set up a VPN connection on a VPN gateway with IPSec. It is not aimed at a specific vendor and is fairly general.
First you decide how you are going to authenticate both VPN peers to each other: either select a pre-shared key or install a digital certificate. This is used for authentication and to ensure the VPN gateways are authorised; it proves their identities to each other. Both gateways must use the same type of credentials, so either both use pre-shared keys or both use digital certificates. If you are using pre-shared keys, both keys must match.

Phase 1 - Main Mode
VPNs are configured and processed in two phases, phase 1 and phase 2. In phase 1, using Main mode or Aggressive mode, you set up a secure and encrypted channel to protect your phase 2 negotiations.

1) Specify both gateway addresses: the address of the local VPN gateway and the address of the remote VPN gateway. You can specify either an IP address or a domain name. On some VPN gateways you can also specify an e-mail address, or, if you use a digital certificate, the certificate's subject field.

2) Select Main mode or Aggressive mode. Main mode is more secure, but slower than Aggressive mode: in Main mode peers exchange identities under encryption, whereas Aggressive mode, although faster, exchanges identities without encryption. Main mode is the more commonly used. Aggressive mode is typically used when one or both of the VPN gateways have a dynamic IP address.

3) Specify whether to use NAT-Traversal. This is selected if your VPN gateway is behind a NAT device. Also specify whether you want both peers to use IKE keep-alive. This ensures that if a VPN gateway's interface is not responding it will fail over to the second interface, as when your ISP goes down and your secondary interface is a backup ISP.

4) Now decide on your transform set. This includes the type of encryption, the authentication algorithm, and how long your security association (SA) will last. For authentication you can use either SHA1 or MD5; SHA1 is the stronger authentication algorithm.

For encryption you can select DES, 3DES or AES with a 128, 192 or 256-bit key. AES is the strongest.

You can specify a lifetime after which your SA expires, which adds more security to your VPN if your keys have been compromised, although it also has a slight effect on performance.
You will need to specify a Diffie-Hellman key group, usually 1, 2, 5 or 14, of which 14 is the most secure group.

You can optionally set up extra transform sets if needed. If you are not sure of your peer's transform settings, you may want to set up more transform sets. However, it is recommended to know your peer's settings and create the minimum transform sets required, as this is more secure.

Phase 2 - Quick Mode
In phase 2, using Quick mode, you establish the IPSec SA. You tell the gateway what traffic you will be sending over the VPN and how to encrypt and authenticate it.

1) Specify what traffic will go across the VPN: an IP address, a network address, or an IP address range. This grants access to your internal network, so that either remote users at home or the peer office can reach resources behind the VPN gateway.

2) Choose whether to use PFS (Perfect Forward Secrecy), an optional extra layer of security. If you use PFS, remember that both VPN peers must support and use it. You can select which Diffie-Hellman group to use for the new keying material; the higher the group you select, the stronger the key.

You now need to specify some more parameters for securing your data within the IPSec SA (phase 2), also known as phase 2 proposals. The parameters are made up of encryption and authentication algorithms.

3) First specify the type of proposal, either AH or ESP. AH only provides authentication; ESP provides authentication and encryption.

4) If you have specified ESP, which the majority would choose, specify your authentication and encryption. For authentication and integrity you can select SHA1 or MD5, where SHA1 is the stronger algorithm. For encryption you can select DES, 3DES or AES with a 128, 192 or 256-bit key; AES 256 is the strongest.

5) You may want to specify a value for when your keys expire. This ensures your encryption keys change over time, adding more security, while having a slight effect on performance. The majority leave these settings at the default. However, if you are a bank or any other company dealing with confidential data, you may want to force keys to expire and be re-created.

Final steps
You may now need to create policies or rules to allow your VPN traffic in and out of your firewall. This may already have been done for you when you finished configuring your gateway; depending on the product, you may have had the option to let the VPN gateway do this automatically. You can now save all changes to your VPN gateway.

You are done configuring your VPN gateway, and can now configure the peer VPN gateway. Remember to configure the peer VPN gateway with exactly the same settings as your local gateway, or else the VPN tunnel will not form successfully.
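The whole procedure above boils down to two gateways agreeing on the same phase 1 and phase 2 settings. The checker below is an added example (not code from the original article or from any vendor): it models both peers' settings as the guide lists them, reports the mismatches that stop a tunnel forming (credential type, pre-shared key, transform, DH group, PFS, mirrored traffic selectors), and separately warns about choices that negotiate fine but that the guide calls weaker. The class names, attribute names and the two sample gateway configurations are all constructed for this example; real gateways use vendor-specific names for the same parameters.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Choices that negotiate fine but that the guide above calls weaker.
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_HASH = {"MD5"}
SMALL_DH_GROUPS = {1, 2, 5}      # the guide names group 14 as the most secure common group

@dataclass
class Phase1:
    auth_method: str            # "psk" or "certificate"
    credential: str             # the pre-shared key, or the certificate subject
    mode: str                   # "main" or "aggressive"
    encryption: str             # "DES", "3DES", "AES128", "AES192", "AES256"
    hash_alg: str               # "SHA1" or "MD5"
    dh_group: int
    lifetime_seconds: int

@dataclass
class Phase2:
    protocol: str               # "ESP" or "AH"
    local_subnet: str           # traffic selector as seen from this gateway
    remote_subnet: str
    encryption: str
    hash_alg: str
    pfs_group: Optional[int]    # None means PFS is disabled
    lifetime_seconds: int

@dataclass
class Gateway:
    name: str
    address: str
    peer_address: str
    phase1: Phase1
    phase2: Phase2

def check_peers(a: Gateway, b: Gateway) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Any error means the tunnel will not come up."""
    errors: List[str] = []
    warnings: List[str] = []
    if a.peer_address != b.address or b.peer_address != a.address:
        errors.append("gateway addresses do not point at each other")
    p1a, p1b = a.phase1, b.phase1
    if p1a.auth_method != p1b.auth_method:
        errors.append("authentication method differs (psk vs certificate)")
    elif p1a.auth_method == "psk" and p1a.credential != p1b.credential:
        errors.append("pre-shared keys differ")
    for attr in ("mode", "encryption", "hash_alg", "dh_group", "lifetime_seconds"):
        if getattr(p1a, attr) != getattr(p1b, attr):
            errors.append(f"phase 1 {attr} differs: {getattr(p1a, attr)} vs {getattr(p1b, attr)}")
    p2a, p2b = a.phase2, b.phase2
    for attr in ("protocol", "encryption", "hash_alg", "pfs_group", "lifetime_seconds"):
        if getattr(p2a, attr) != getattr(p2b, attr):
            errors.append(f"phase 2 {attr} differs: {getattr(p2a, attr)} vs {getattr(p2b, attr)}")
    # Each side's "local" network must be the other side's "remote" network.
    if (p2a.local_subnet, p2a.remote_subnet) != (p2b.remote_subnet, p2b.local_subnet):
        errors.append("phase 2 traffic selectors are not mirror images of each other")
    # Settings that match on both sides but weaken the tunnel.
    for label, proposal in (("phase 1", p1a), ("phase 2", p2a)):
        if proposal.encryption in WEAK_ENCRYPTION:
            warnings.append(f"{label} uses weak encryption {proposal.encryption}")
        if proposal.hash_alg in WEAK_HASH:
            warnings.append(f"{label} uses weak hash {proposal.hash_alg}")
    if p1a.dh_group in SMALL_DH_GROUPS:
        warnings.append(f"phase 1 Diffie-Hellman group {p1a.dh_group} is small")
    if p1a.mode == "aggressive":
        warnings.append("aggressive mode exchanges identities unencrypted")
    if p2a.pfs_group is None:
        warnings.append("PFS is disabled")
    if p2a.protocol == "AH":
        warnings.append("AH only authenticates; traffic is not encrypted")
    return errors, warnings

def sample_pair(branch_psk: str = "constructed-psk", branch_dh: int = 14) -> Tuple[Gateway, Gateway]:
    """Two constructed gateways that match; change an argument to see a mismatch."""
    head = Gateway("head-office", "203.0.113.1", "198.51.100.1",
                   Phase1("psk", "constructed-psk", "main", "AES256", "SHA1", 14, 28800),
                   Phase2("ESP", "10.1.0.0/16", "10.2.0.0/16", "AES256", "SHA1", 14, 3600))
    branch = Gateway("branch", "198.51.100.1", "203.0.113.1",
                     Phase1("psk", branch_psk, "main", "AES256", "SHA1", branch_dh, 28800),
                     Phase2("ESP", "10.2.0.0/16", "10.1.0.0/16", "AES256", "SHA1", 14, 3600))
    return head, branch

if __name__ == "__main__":
    for errs, warns in (check_peers(*sample_pair()), check_peers(*sample_pair(branch_dh=2))):
        print("errors:", errs, "| warnings:", warns)
```

Running the file compares the matching pair (no errors, no warnings) and then a pair where the branch chose DH group 2, which the checker reports as a phase 1 mismatch. The same structure can be fed from a vendor's exported configuration once the vendor names are mapped onto the fields above.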

Sha-1 (Secure hash algorithm)
Sha-1 (Secure Hash Algorithm), also known as HMAC-Sha-1, is a strong cryptographic hashing algorithm, stronger than MD5. Sha-1 is used to provide data integrity (a guarantee that data has not been altered in transit) and authentication (a guarantee that data came from the source it was supposed to come from). Sha was produced for use with the Digital Signature Standard.

Sha-1 uses a 160-bit encryption key. It is cryptographically stronger and recommended when security needs are higher. Cryptography specialists announced a possible small mathematical weakness in Sha-1, and as a result Sha-2 was made available. Sha-2 is actually a group of algorithms, consisting of Sha-256, Sha-384 and Sha-512. However, Sha-1 has proven to be a strong hashing algorithm, with no records of it being hacked so far. Other integrity algorithms include MD2, MD5, MD6, Haval and Tiger.

MD5 (Message Digest Algorithm 5)
Message integrity algorithms ensure data has not been changed in transit. They use one-way hash functions to detect whether data has been changed.
The MD algorithms are a family of one-way hash functions. MD2, created by Ron Rivest, produces a 128-bit message digest. MD2 was considered slow, so MD4 was developed. MD4 was faster, but was found to be vulnerable to some attacks, and so finally MD5 was developed.

MD5 is a cryptographic one-way hashing algorithm which produces a 128-bit hash value just like its predecessors. Although it uses the same hash size, the algorithm is more complex and more difficult to break than the others. MD5 is used to provide data integrity and authentication, ensuring data has not been altered in transit. However, Sha-1 is a stronger hash function than MD5 and ideally should be used if the option is available. MD5 ensures data has not been tampered with by converting plain data into an unreadable fixed-length value known as a hash. If any data has changed during transit, even slightly, the hash will look completely different, and it is assumed the data has been tampered with.
In a nutshell, MD5 ensures data has not been changed in transit. MD5 is a symmetric key algorithm with a key size of 128 bits. The hash is appended to the original message.
Other common integrity algorithms include Sha1, Sha256, Sha384, Sha512, Haval and Tiger.
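The Sha-1 and MD5 sections above describe the integrity check in words; the example below is added here (it is not code from the original article) to show it on bytes. In AH and ESP the keyed form of each hash is used, HMAC-SHA-1-96 (RFC 2404) and HMAC-MD5-96 (RFC 2403): the full digest is 160 bits for SHA-1 and 128 bits for MD5, and both transforms truncate it to 96 bits as the integrity check value (ICV) carried with the packet. The key, the sample packet and the function names are constructed for this example.

```python
import hashlib
import hmac

ICV_LEN = 12  # 96 bits: both IPSec transforms truncate the HMAC to 12 bytes

def integrity_tag(key: bytes, data: bytes, alg: str = "sha1") -> bytes:
    """Return the truncated HMAC (the ICV) over data. alg is 'sha1' or 'md5'."""
    full = hmac.new(key, data, alg).digest()     # 20 bytes for SHA-1, 16 for MD5
    return full[:ICV_LEN]

def verify(key: bytes, data: bytes, tag: bytes, alg: str = "sha1") -> bool:
    """Recompute the ICV and compare in constant time, so the comparison does
    not leak how many leading bytes matched."""
    return hmac.compare_digest(integrity_tag(key, data, alg), tag)

def demo(alg: str = "sha1") -> dict:
    """Constructed packet: the tag is computed by the sender, then the data is
    altered 'in transit' and the receiver re-checks it."""
    key = b"constructed-shared-integrity-key"
    packet = b"src=10.1.0.5 dst=10.2.0.9 payload=transfer 100"
    tag = integrity_tag(key, packet, alg)
    tampered = packet.replace(b"100", b"900")    # a single digit changed in transit
    return {
        "sha1_digest_bits": hashlib.sha1().digest_size * 8,
        "md5_digest_bits": hashlib.md5().digest_size * 8,
        "tag_len_bytes": len(tag),
        "genuine_ok": verify(key, packet, tag, alg),
        "tampered_ok": verify(key, tampered, tag, alg),
        "wrong_key_ok": verify(b"some-other-key", packet, tag, alg),
    }

if __name__ == "__main__":
    for alg in ("sha1", "md5"):
        print(alg, demo(alg))
```

Two points the code makes that the prose does not: the receiver needs the same key to check the tag (a hash alone, without a key, could simply be recomputed by whoever altered the data), and the tag is truncated, so the ICV on the wire is the same 12 bytes long whichever hash was negotiated.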

DES (Data Encryption Standard)
The DES encryption algorithm uses a 56-bit key to encrypt data for transit. DES is a symmetric key algorithm, and so uses one key for both encryption and decryption of the same data.
Some claim DES is a 64-bit key algorithm. Of the 64 bits, however, 56 bits are actually used for keying material, while the remaining 8 bits are reserved for parity information to check the integrity of the other 56 bits. So in a sense it is correct that DES uses 64 bits, but 8 of those 64 bits are not used to encrypt data. The key itself is 56 bits, so the encryption strength is 56 bits.
DES is no longer used, as it is an old, weak and broken encryption algorithm, and was replaced by 3DES. AES is the standard in use today and has proved to be a safe and strong symmetric encryption algorithm. However, you will still find 3DES supported on VPN gateways for backward compatibility, as older VPN gateways may only support 3DES.

3DES (Triple DES or Three DES)
3DES is simply the DES symmetric encryption algorithm applied three times to the same data: the data is encrypted two more times using DES, hence the name Triple DES. This makes the encryption stronger and more difficult to break, although Triple DES was later replaced by AES, which has proved to be the strongest encryption algorithm.
3DES is a block cipher which uses 48 rounds in its computation (transpositions and substitutions), and has a key length of 168 bits.
The process of 3DES works as follows:
1) Data is encrypted using a 56-bit key
2) The result is decrypted using a different key
3) The result is encrypted again using a completely new key


When the 3DES process is complete, the data is sent to its final destination. However, 3DES works in a number of other modes as well. As shown above, it is basically Encrypt, Decrypt and finally Encrypt again using three different keys. This is known as DES-EDE3.
There are also the following modes:
DES-EDE3 – Encrypt, Decrypt and Encrypt with 3 unique keys, as mentioned above.

DES-EEE3 – A block of data is encrypted, encrypted again with a different key, and finally encrypted once more with another key, using a total of 3 unique keys.
DES-EDE2 – Here only two keys are used; the first and last encryption are done using exactly the same key.
DES-EEE2 – This also uses two keys; the first and last encryption are done using the same key.
If you're wondering what happened to Double DES: this was also developed and tested, but was later found to have weaknesses and to be no stronger than DES, and so was considered obsolete.
As well as DES and 3DES, other common symmetric encryption algorithms include AES, Blowfish, Twofish, IDEA, CAST, SAFER, Skipjack and RC.
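The 56-versus-64-bit question in the DES section and the two- and three-key EDE modes in the 3DES section are easiest to see on actual key bytes. The following is an added example, not code from the original article: DES keys are 8 bytes and the low bit of each byte is an odd-parity bit that the cipher ignores, so two keys that differ only in those bits encrypt identically; a 3DES key bundle of 24, 16 or 8 bytes splits into K1, K2, K3, and a bundle whose adjacent keys are equal collapses, because E then D under the same key cancel. No DES encryption is performed here; the key bytes and function names are constructed for the example.

```python
from typing import List, Tuple

def has_odd_parity(byte: int) -> bool:
    """DES expects each key byte to contain an odd number of 1 bits."""
    return bin(byte).count("1") % 2 == 1

def fix_des_parity(key: bytes) -> bytes:
    """Set the low (parity) bit of each byte so every byte has odd parity."""
    if len(key) != 8:
        raise ValueError("a single DES key is 8 bytes")
    out = bytearray()
    for b in key:
        top7 = b & 0xFE                       # the 7 bits the cipher actually uses
        out.append(top7 | (0 if has_odd_parity(top7) else 1))
    return bytes(out)

def effective_bits(key: bytes) -> int:
    """Key bits that reach the cipher: 7 per byte, so 56 for one DES key."""
    return 7 * len(key)

def same_effective_key(k1: bytes, k2: bytes) -> bool:
    """True if k1 and k2 differ only in parity bits, i.e. they encrypt identically."""
    return len(k1) == len(k2) and all((a & 0xFE) == (b & 0xFE) for a, b in zip(k1, k2))

def split_3des_bundle(bundle: bytes) -> Tuple[List[bytes], str]:
    """Split a 3DES key bundle into [K1, K2, K3] and describe what EDE reduces to."""
    if len(bundle) == 24:                     # three independent keys (DES-EDE3)
        k1, k2, k3 = bundle[:8], bundle[8:16], bundle[16:]
    elif len(bundle) == 16:                   # two keys, K3 = K1 (DES-EDE2)
        k1, k2 = bundle[:8], bundle[8:]
        k3 = k1
    elif len(bundle) == 8:                    # K1 = K2 = K3: EDE collapses to single DES
        k1 = k2 = k3 = bundle
    else:
        raise ValueError("3DES bundle must be 8, 16 or 24 bytes")
    keys = [k1, k2, k3]
    # E_K3(D_K2(E_K1(x))): if K1 == K2 the inner pair cancels, leaving E_K3;
    # if K2 == K3 the outer pair cancels, leaving E_K1.
    if same_effective_key(k1, k2) and same_effective_key(k2, k3):
        note = "degenerate: equivalent to single DES (56-bit strength)"
    elif same_effective_key(k1, k2) or same_effective_key(k2, k3):
        note = "degenerate: encrypt/decrypt pair cancels, one DES pass remains"
    elif same_effective_key(k1, k3):
        note = "two-key EDE (DES-EDE2), 112 bits of key material"
    else:
        note = "three-key EDE (DES-EDE3), 168 bits of key material"
    return keys, note

if __name__ == "__main__":
    raw = bytes(range(8))                     # constructed key bytes with bad parity
    print(fix_des_parity(raw).hex(), effective_bits(raw), "effective bits")
    for size in (24, 16, 8):
        print(size, "byte bundle:", split_3des_bundle(bytes(range(size)))[1])
```

The degenerate-bundle check is the kind of test a library performs before accepting a 3DES key: a 24-byte bundle with K1 == K2 passes a length check but gives only single-DES strength.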

Diffie-Hellman
Diffie-Hellman is an asymmetric key algorithm used for public key cryptography. As well as in IPSec, it is also used in SSL, SSH, PGP and other PKI systems.
The Diffie-Hellman algorithm was created to address the problem of secret keys being attacked in transit over the internet, by using the Diffie-Hellman algorithm to distribute symmetric keys securely over the internet.
The process works by two peers each generating a private and a public key. Peer A sends its public key to peer B, and peer B sends its public key to peer A. Peer A then uses the public key sent from peer B and its own private key to generate a symmetric key using the Diffie-Hellman algorithm. Peer B goes through the same process and in turn produces exactly the same symmetric key as peer A, thus enabling them to communicate securely over the insecure internet. Both peers can now encrypt, transmit and decrypt data using their symmetric key.

However, some concerns were later found with the Diffie-Hellman algorithm, such as man-in-the-middle attacks, as there is no authentication in place before keys are exchanged. How would peer B know that it is about to exchange keys with peer A? It could easily be an attacker spoofing peer A's identity. This led to the more advanced public key cryptography in RSA. However, using authentication methods such as pre-shared keys and digital certificates to authenticate the VPN gateways has overcome this issue, so using Diffie-Hellman alongside an authentication method is a secure and approved solution. Diffie-Hellman is based on calculating discrete logarithms in a finite field.
Diffie-Hellman public key cryptography is used by all major VPN gateways today, supporting Diffie-Hellman groups 1, 2 and 5. DH group 1 uses a 768-bit key, group 2 a 1024-bit key and group 5 a 1536-bit key. Group 5 is the strongest and most secure.
Diffie-Hellman only does key exchange; it does not do data encryption, digital signatures or any authentication.
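The exchange and the man-in-the-middle concern described above, carried through in code as an added example (not code from the original article): each peer publishes g^private mod p, derives the same shared value from the other's public value, and, because plain Diffie-Hellman authenticates nobody, tags its public value with an HMAC under the pre-shared key so that a substituted value is rejected before any key is derived. The modulus is a small constructed prime (the Mersenne prime 2^127 - 1), not an IKE MODP group, so the derived key is far too small for real use; the `Peer` class, the tag format and the peer names are this example's own and not how IKE encodes its authentication.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

P = 2 ** 127 - 1   # constructed toy prime; IKE groups 1/2/5 use 768/1024/1536-bit primes
G = 2

class Peer:
    def __init__(self, name: str, psk: bytes):
        self.name = name
        self.psk = psk                                    # shared out of band, never sent
        self.private = secrets.randbelow(P - 2) + 1       # private value, never sent
        self.public = pow(G, self.private, P)             # g^private mod p, sent to the peer
        self.shared: Optional[bytes] = None

    def _tag(self, name: str, public: int) -> bytes:
        """Constructed authenticator: HMAC over (sender name || public value) with the PSK."""
        msg = name.encode() + public.to_bytes(16, "big")
        return hmac.new(self.psk, msg, hashlib.sha256).digest()

    def announce(self) -> Tuple[str, int, bytes]:
        """What this peer sends across the insecure network."""
        return self.name, self.public, self._tag(self.name, self.public)

    def accept(self, name: str, public: int, tag: bytes) -> bool:
        """Verify the authenticator first; only then derive the shared secret."""
        if not (1 < public < P - 1):                      # reject degenerate values
            return False
        if not hmac.compare_digest(self._tag(name, public), tag):
            return False
        secret = pow(public, self.private, P)             # (g^b)^a == (g^a)^b mod p
        self.shared = hashlib.sha256(secret.to_bytes(16, "big")).digest()
        return True

def run_exchange(psk_a: bytes, psk_b: bytes, substitute: bool = False):
    """Return (A accepted B, B accepted A, shared keys equal or None).
    substitute=True replaces A's public value on the wire without a valid tag,
    which is what an unauthenticated exchange would silently accept."""
    a, b = Peer("peer-A", psk_a), Peer("peer-B", psk_b)
    name_a, pub_a, tag_a = a.announce()
    if substitute:
        pub_a = pow(G, 12345, P)
    ok_b = b.accept(name_a, pub_a, tag_a)
    ok_a = a.accept(*b.announce())
    same = (a.shared == b.shared) if (ok_a and ok_b) else None
    return ok_a, ok_b, same

if __name__ == "__main__":
    print("matching PSK:   ", run_exchange(b"constructed-psk", b"constructed-psk"))
    print("substituted pub:", run_exchange(b"constructed-psk", b"constructed-psk", True))
    print("PSK mismatch:   ", run_exchange(b"constructed-psk", b"other-psk"))
```

With matching pre-shared keys both sides accept and derive the same key; a substituted public value or a mismatched PSK fails the tag check on the receiving side, and no shared key is ever computed, which is the property the article's "Diffie-Hellman alongside authentication" sentence relies on.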

Authentication Header - IPSec protocol
IPSec uses two basic protocols, AH (Authentication Header) and ESP (Encapsulating Security Payload). AH ensures data has not been tampered with and assures data integrity in transmission. This is achieved by adding authentication information to a datagram. AH is not used as much as ESP, as it does not provide data encryption (confidentiality), so all data is transported in clear text: readable, although protected from any modification attempts.
However, if authentication is all that is required, then only AH should be used. Leaving ESP turned off provides better performance.

ESP (Encapsulating Security Payload)
ESP provides all four security aspects of IPSec: confidentiality, integrity, origin authentication, and anti-replay protection. Confidentiality ensures data is encrypted. Integrity ensures data in transit has not been tampered with, and origin authentication ensures the remote peers are who they claim to be. Anti-replay ensures duplicated traffic is not accepted, which prevents DoS attacks as well as spoofed traffic.
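Anti-replay appears twice on this page, as item 4 of the four IPSec services and again in the ESP paragraph above, and both describe the goal rather than the mechanism. The example below is added here (it is not code from the original article): an ESP receiver keeps, per security association, the highest sequence number seen plus a bitmap of which recent numbers have already arrived, the sliding window of RFC 4303 section 3.4.3. The window size, the sequence-number trace and the class name are constructed for this example; in real ESP the check runs only after the packet's ICV has verified, so a forged sequence number cannot move the window.

```python
from typing import List, Tuple

class ReplayWindow:
    """Per-SA anti-replay state: which of the last `size` sequence numbers were accepted."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far (right edge)
        self.bitmap = 0       # bit i set => sequence number (top - i) already accepted

    def check_and_update(self, seq: int) -> Tuple[bool, str]:
        """Return (accepted, reason). Call only after the packet's ICV has verified."""
        if seq == 0:
            return False, "sequence number 0 is never valid"
        if seq > self.top:
            # New high-water mark: slide the window right and mark this packet.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
            return True, "new"
        offset = self.top - seq
        if offset >= self.size:
            return False, "too old (outside window)"
        if self.bitmap & (1 << offset):
            return False, "replayed"
        self.bitmap |= 1 << offset                # late but first time seen: accept
        return True, "late but within window"

def replay_trace(seqs: List[int], size: int = 8) -> List[Tuple[int, bool, str]]:
    """Feed a constructed trace of sequence numbers through one window."""
    window = ReplayWindow(size)
    return [(s, *window.check_and_update(s)) for s in seqs]

if __name__ == "__main__":
    # Constructed trace: reordering (5 before 4), a replay of 3, a jump to 12,
    # a replay of 5, a jump past the whole window, then a late and a too-old packet.
    for seq, ok, why in replay_trace([1, 2, 3, 5, 4, 3, 12, 5, 20, 13, 12], size=8):
        print(f"seq {seq:3d} -> {'accept' if ok else 'drop  '} ({why})")
```

Mild reordering is tolerated (packet 4 arriving after 5 is accepted), a duplicate within the window is dropped as a replay, and anything older than the window is dropped without needing a bit for it, which is what bounds the state to one integer plus a fixed-width bitmap per SA.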

ESP can operate in either tunnel mode, which is more secure because it encrypts the routing and header information as well as the IP payload, or transport mode, in which it only encrypts the IP payload. Tunnel mode is usually used between gateways over the internet, and transport mode is usually used for host to host VPNs, such as between a server and a computer.

Saturday, August 25, 2018

Weekend fun with Virtual Environment

Finally, last night I installed a few virtual machines on my VMware Workstation and configured them to set up a virtual lab. It includes Juniper SRX, Palo Alto, Ubuntu, CentOS, IPS/IDS, Cisco router & switches. I'm also running Ansible on Ubuntu & Cisco NSO on CentOS.

Next is to configure Security Onion IDS and span my home network traffic through it, and try to create some Snort rules and analyze the traffic. Also I will try to work on Ansible Playbooks and the NSO YANG model and play around with some automation.

#automation #ansible #ubuntu #security #virtualmachines #virtualization #CiscoNSO

 

Wednesday, July 25, 2018

Cloud Will Block Out the Sun



I love this picture :-)

I'm not an expert in AWS cloud computing, but lately I started working on and studying the AWS Cloud, and the more I read about it, the more I find it interesting.

I'm a Network & Security nerd and interested in exploring all the services and features AWS offers for Network & Security. I took a few AWS courses which taught and exposed me to a whole new world of AWS architecture, all the AWS services and features, how to integrate them with each other, etc.

If you are a Network or Security person and want to pursue your career in the Cloud domain, I would recommend you take the training below to get in-depth knowledge.
  • AWS Security Essentials
  • AWS Certified Advanced Networking – Specialty
  • AWS Certified Security – Specialty
Below are some important topics in AWS. There are many more features which AWS offers, but I can't cover them all in one post.

If you are working on the AWS platform, or are about to start working on AWS, you should know all of it.

  • What is VPC and how to create it? How to connect private VPC with public network?
  • What is IAM? How can we create different IAM policies?
  • Relationship between EC2 instance and AMI?
  • Difference between ELB and ALB?
  • What is CloudTrail & CloudWatch and how you integrate them?
  • How do you integrate CloudWatch event to send SNS topics?
  • How do you enable VPC Flow Logs?
  • What is AWS KMS & HSM?
  • Network ACL’s v/s Security groups?
  • Can we scale-up ec2-instances virtually?
  • Is it possible to peer two VPCs with matching IP address ranges?
  • What is AWS Cloud Formation?
  • What are the templates in Cloud Formation?
  • What are the parameters that are mandatory in AWS Cloud Formation templates?
  • What is Autoscaling?
  • What is the min & max instances in Autoscaling configuration?
  • What is Elastic Bean Stalk?
  • What is managed Platform?
  • What is S3? What is versioning? What is life cycle management?
  • What is AWS glacier?
  • What is Cloud Front? How do you configure Cloud Front in AWS?
  • What is Route 53? What is the use and how to work with it?
  • What is CIDR (Classless Inter-Domain Routing)


Hope this is helpful. 

"More to come, lot to do"

Kamran Rafiq!




Thursday, June 7, 2018

Technology Shifting Gears


Why is it that engineers are still mainly using ping, traceroute, and human verification for network validation and testing?

 #The Network is an Application, Automate it!


Network Automation is everywhere now!

Network Engineers are gradually becoming "DevOps Engineers" and starting to use tools like Ansible, Puppet, Chef, and Salt to automate the network infrastructure. There are several Python courses and network automation classes focused on Network Engineers which showcase how you can efficiently automate your network with minimal to no human intervention. Start with the basics and do simple task-specific automation, like collecting output from a device. Continue doing this until you reach a level where you automate the components in the network and the system executes without any human interaction.

#Treat your Network as Cattle, not Pets!


Don't let cows leave the server farm!

IT departments have traditionally treated devices as “pets” – that is, they are lovingly nurtured, nursed back to health when they get sick (stop working) and given affectionate or amusing names. Unlike a pet that requires love, attention and more money than you ever wanted to spend, your infrastructure should be made up of components you can treat like cattle – self-sufficient, easily replaced and manageable by the hundreds or thousands. 

#CLI or API? Wait...


API = nimble and flexible. CLI = brittle and difficult to manage.

CLI is not our biggest problem. We happen to be exposed to the CLI on a daily basis due to lack of automation tools. CLIs are hardwired scripts that work well in the short term but don't evolve as gracefully as true integration. APIs provide a more dynamic, fluid integration and binding between software and infrastructure. You can create an object model by implementing RESTful API, JSON or XML, NETCONF API or any other data manipulation protocol.

#Let's go to Cloud!


The Cloud Will Block Out the Sun!

When you update your Facebook status, check your bank balance on your phone, or chat and call using WhatsApp, you're using cloud computing. You're in the cloud.

Cloud computing services fall into three major categories: Infrastructure as a service (IaaS), Platform as a service (PaaS), and Software as a service (SaaS). Today, cloud computing is recognized as an invaluable tool for any organization, regardless of its size, market niche, or annual revenue. Cloud computing increases efficiency, helps improve cash flow and offers many more benefits…Flexibility, Disaster recovery, Scalability, Integration, Data security.

#Traditional Network to Software Defined Network (SDN)


With SDN, we’re making the network programmable.

SDN is needed because networks grow too big for manual configuration. SDN is a centralized, programmable approach to networking which separates the control and data planes, allowing provisioning and changes to be implemented at the same accelerated rate as the servers and storage around them. When an engineer needs to provision additional capacity or change existing rules about data movement, they do not need to connect to multiple devices and make manual changes. Creating a more agile, open network is the fastest way to close the gap between what the customer wants and what the network can provide, and that is what you can achieve with SDN.

#Self-healing Network - Less Troubleshooting


Wouldn’t it be great to have our servers, systems, and networks solve their own problems?

This leads to more stable systems and networks, in which system and network administrators are free to work on higher priority activities and be more productive. Network self-healing is when network problems are resolved without humans getting involved: your network automation tools detect and remediate outages, failures, and breaches of all kinds.

Conclusion: "The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. The second is that automation applied to an inefficient operation will magnify the inefficiency." - Bill Gates

Understand the technology before you automate it!  



Tuesday, January 2, 2018

What is Ansible?


Ansible is an open source IT configuration management, deployment and orchestration tool. We can use Ansible to automate cloud provisioning, configuration management, application deployment, intra-service orchestration, etc. Ansible was bought by Red Hat in October 2015 and is now referred to as Ansible by Red Hat.

Ansible uses Playbooks to express configurations, deployment, and orchestration.

The Playbook format is YAML, and each Playbook maps a group of hosts to a set of roles. Each role is represented by calls to Ansible tasks. Ansible does not require an agent on the managed host; it works over SSH. As long as Ansible can make an SSH connection to the target device, we should be good. Ansible is primarily used for server and network administration.

There are two versions of Ansible, free and paid. The paid version is called Ansible Tower, an enterprise framework for controlling, securing and managing your Ansible automation with a GUI and RESTful API.


Here I will show you how to install Ansible on Ubuntu Server.

I'm using Ubuntu 16.04 to install Ansible on my VMware Workstation, but you can use any Linux OS.

1 - Installing Ansible

The best way to get Ansible for Ubuntu is to add the project's PPA (personal package archive) to your system.

sudo apt-add-repository ppa:ansible/ansible

You will need to press ENTER to accept the PPA addition.

Next, we will refresh our system's package index so that it is aware of the packages available in the PPA. 

sudo apt-get update
sudo apt-get install ansible

Once it's completed, run the command below to verify the Ansible version:

ansible --version

2 - Configuring Ansible Hosts

Ansible keeps track of all of the servers that it knows about through a "hosts" file. We need to set up the Ansible Host file.

Open the file with root privileges:

sudo nano /etc/ansible/hosts

You will see a file that has a lot of example configurations, none of which will actually work. Let's comment out all of the lines in this file by adding a "#" before each line. Once all of the lines are commented out, we can begin adding our actual hosts. Each entry is a host alias followed by the address Ansible should connect to:

[group_name]
alias ansible_ssh_host=server_ip

In this example we have three servers which we are going to control with Ansible. Each must be reachable from the Ansible machine over SSH, for example with ssh root@server_ip, and the hosts file entries look like this:

[servers]
hostA ansible_ssh_host=10.10.10.1
hostB ansible_ssh_host=10.10.10.2
hostC ansible_ssh_host=10.10.10.3
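A typo in an address only shows up when the first playbook fails to connect, so it is worth checking the inventory before running anything. The following is an added example, not part of the original tutorial and not Ansible's own inventory code: a small parser for the INI-style hosts file format shown above that lists each group's hosts and flags any host whose ansible_ssh_host value is missing or is not an IP address. The sample inventory text is constructed from the tutorial's entries, with one address deliberately broken; the function names are this example's own. (Since Ansible 2.0 the same variable is also accepted under the name ansible_host.)

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed inventory in the same format as /etc/ansible/hosts; hostC's address is broken.
SAMPLE_INVENTORY = """\
# lines starting with '#' are comments, as in the stock /etc/ansible/hosts
[servers]
hostA ansible_ssh_host=10.10.10.1
hostB ansible_ssh_host=10.10.10.2
hostC ansible_ssh_host=10.10.10.300

[switches]
sw1 ansible_ssh_host=10.10.20.1 ansible_user=admin
sw2
"""

Inventory = Dict[str, List[Tuple[str, Dict[str, str]]]]

def parse_inventory(text: str) -> Inventory:
    """Return {group: [(alias, {variable: value, ...}), ...]}, skipping comments and blanks."""
    groups: Inventory = {}
    current = "ungrouped"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments (values containing '#' are not handled)
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            groups.setdefault(current, [])
            continue
        alias, *pairs = line.split()
        variables = dict(p.split("=", 1) for p in pairs if "=" in p)
        groups.setdefault(current, []).append((alias, variables))
    return groups

def check_inventory(text: str) -> List[str]:
    """Return one line per problem: a host with no ansible_ssh_host, or one that is not an IP."""
    problems = []
    for group, hosts in parse_inventory(text).items():
        for alias, variables in hosts:
            addr = variables.get("ansible_ssh_host") or variables.get("ansible_host")
            if addr is None:
                problems.append(f"{group}/{alias}: no ansible_ssh_host set (Ansible will try to resolve '{alias}')")
                continue
            try:
                ipaddress.ip_address(addr)
            except ValueError:
                problems.append(f"{group}/{alias}: '{addr}' is not a valid IP address")
    return problems

if __name__ == "__main__":
    for group, hosts in parse_inventory(SAMPLE_INVENTORY).items():
        print(f"[{group}]", [alias for alias, _ in hosts])
    for problem in check_inventory(SAMPLE_INVENTORY):
        print("problem:", problem)
```

The second problem the check reports (sw2 with no address) is not necessarily an error, since Ansible falls back to resolving the alias as a hostname, but it is exactly the case where a misspelled alias fails only at connect time.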
If you want to enable a colour prompt in the Ubuntu terminal, the commands are below:

Edit the file .bashrc in your home directory:

vim .bashrc

Uncomment the line that says 'force_color_prompt=yes' and save the file. Then type the following:

source ~/.bashrc

Done!

Ansible is a very powerful tool and is going to change the way automation is done in future.

I hope this will be helpful for you. This was a simple tutorial and there will be more to come.
