Facebook offers the ability to add an additional layer of security for Graph API calls. Facebook Securing Graph API Requests provides guidance on generating the proof using PHP. Here is how we generate the proof with NodeJS.
base64 Encoding and Decoding
A quick note on using base64 for encoding and decoding on macOS
Google Cloud References
Various references for when I am using Google’s App Engine for NodeJS
Installing NodeJS & NPM on macOS
This is for installing NodeJS (which includes NPM) for macOS and properly configuring it for secure use not requiring
One Venti MoCA Please
When my family and I moved into our townhouse almost 2 years ago I never thought providing wireless coverage was going to be difficult. Well, I was wrong, and it’s mainly my fault.
I live in a three story townhouse with Internet service from Comcast coming into our basement terminated into an Apple AirPort Time Capsule providing great 802.11ac coverage up to the second floor.
On my second floor I have a TV, TiVo and Apple TV that I have plugged into an Apple AirPort Extreme (802.11ac) and here’s where I (knowingly) messed up: it’s connected by extending my wireless network from the basement. Ever since I’ve done that, wireless and network connectivity on the third floor has been around 2 to 5 Mbps (Megabits per second) and I’ve been OK with that until something happened that killed Internet access on my third floor.
Why I needed MoCA
When this happened, all I got were complaints about the Internet “sucking” from my family and the pleasure of watching my LTE data usage go up. My house is not wired for Ethernet, and to wire CAT6 to my second floor AirPort would require tearing down drywall and ripping up hardwood floors, which was not going to happen, so I started looking into what my options were.
I could only think of two available options: using my existing coax cable infrastructure or power lines to extend Ethernet. After a quick Google search, I quickly eliminated using power lines because I just don’t like the thought of using the power lines in my house to extend Ethernet, and the fastest equipment I could find topped out at 500Mbps (Megabits not Megabytes!). Next up was coax and, to be honest, I was not interested in using it either because it reminded me of when I used to install Novell Netware networks for Title Insurance companies throughout Florida in 1998-2000.
What I investigated about MoCA before buying MoCA
For starters, there is an industry standard from the Multimedia over Coax Alliance for extending an IP network over coax in the home. It’s simply called MoCA (pronounced mo-cha like the chocolate coffee drink we all love) and is a Layer 2 (Datalink) protocol that has two revisions: MoCA 1.1 and 2.0. According to the MoCA Wiki, MoCA 1.1 operates at speeds up to 275Mbps and 2.0 operates at speeds up to 1.4Gbps. Clearly MoCA 2.0 was the winner here, so what next?
Not a lot of technical info out there for ‘technical people’, because it just works
I started with a simple Google search about what specifically was required to implement a MoCA network and how to secure it. As a networking/collaboration person, I wasn’t finding what I wanted. I found a bunch of forums where people used it to network their TiVos and loved it, which led to discovering that MoCA is how all the cable/satellite/FTTH providers networked their cable boxes on premise for their customers. Basically, people turned it on, really didn’t understand it and didn’t care because it just worked. The primary issue most people had was forgetting to install a Point of Entry (POE) filter.
Technical details of MoCA
At this point, I’m sold on MoCA and wanted to implement it, but I needed to make sure that I wasn’t going to stop my cable modem and TV from working. For starters, I wanted to know what the purpose of a MoCA POE filter was and how it would not interfere with service from Comcast.
There are two primary reasons for a MoCA POE filter: security and isolation. Think of connecting Comcast’s (or any cable provider’s) public service into your home coax network as the same as plugging your home Ethernet network directly into your Internet Service Provider (ISP) without a NAT Router or Firewall: you’re exposed. With the Internet, your computer is exposed to the public Internet and in a matter of minutes it will start getting scanned and probed for weaknesses. In the case of coax, since it’s shared infrastructure, your coax network is now on the same segment as the rest of your neighbors that use that same shared infrastructure from your cable provider. So, if you enable MoCA, you’re enabling it for your neighbors, and all they need to do is plug in a MoCA bridge (like a TiVo) and they’re now a part of your network. You prevent this by installing a MoCA POE filter, which can loosely be compared to a NAT Router for your Ethernet network. A MoCA POE filter isolates your MoCA network to your home and physically stops your MoCA network from getting extended into your cable provider’s network, which covers isolation and security.
Some MoCA equipment will allow you to encrypt MoCA traffic but I’m a perimeter and policy security guy when it comes to my home network. Encrypting the MoCA signal on the bridge, to me, seems like unnecessary overhead on the equipment that will slow my throughput down and make troubleshooting a bit more complicated. I just plain see it as unnecessary with a MoCA POE filter.
How does a MoCA POE filter accomplish all of this? MoCA operates in the 500 to 1650 MHz bands. A MoCA POE filter will block this range from exiting one side of the filter and keep it on the other, hence the name Point of Entry filter. So, you place the MoCA POE filter where your cable service provider comes into your home before it is split. In the below screenshot, Comcast comes in on the left into my POE filter, then to the splitter and in-home coax runs.
Without getting into a bunch of details, because I’m not a coax expert, there is a different type of MoCA filter for traditional cable providers (Comcast, TWC, etc.) than there is for Verizon FiOS and DirecTV, so if you use Verizon or DirecTV, pay attention to what type of MoCA POE filter you purchase.
What I bought and why
First, I started with the MoCA POE filter. Since I have Comcast, I purchased one made by Holland Electronics from Amazon that was specifically made for traditional cable providers. Its description reads: “Bandstop provides a typical 35-45dB of rejection in the MoCA 1125-1525Mhz band.”
Next, I wanted to find good and fast MoCA 2.0 Bridges to bridge my coax and Ethernet networks together, and I wanted to make sure that they operated within the range of what my MoCA POE filter blocked. This was not an easy task, but I settled on the Actiontec ECB6200 Bonded MoCA 2.0 Network Adapter so I could get 1.4Gbps bi-directionally. After looking through the documentation, I discovered that it operated in the extended D band of 1125 to 1675 MHz. I bought a pair directly from Actiontec and anxiously awaited their arrival.
How easy it was and next steps
Once my MoCA POE filter and pair of Actiontec MoCA bridges arrived, I installed them and had my network up and running in under 30 minutes. It was literally plug and play.
It has now been 3 months since I installed my MoCA network and I am getting ready to light up the two remaining coax runs in my home. With that said, it introduces signal loss from Comcast because I’ll have to introduce another splitter into the environment, but that’s for another day and post and will have no impact on my MoCA network.
I wrote this post to share knowledge gaps and fears I had going into this project and hope it helps someone else out there contemplating MoCA vs. Powerline. Go MoCA!
Creating Virtual Floppies with El Capitan
If you’re like me and deploy a lot of Cisco Collaboration software in a virtualized environment, you may not know this yet, but the changes to Disk Utility in El Capitan pretty much destroy the ability we used in previous versions of OS X to create a ‘virtual’ floppy disk for the Answer File. Below is a quick summary of what you need to do to create those cool little floppy images and keep on building.
- Launch Terminal and create the new virtual floppy:
hdiutil create -sectors 2880 -fs "MS-DOS FAT12" -layout NONE -volname "floppy" floppy
- Mount the new virtual floppy via Terminal:
hdid -nomount floppy.dmg
- Open Disk Utility & Format the Image
- Place your platformConfig.xml file on the Virtual Floppy
- Eject the Virtual Floppy
- Rename via Terminal: mv floppy.dmg floppy.flp
I hope this helps someone out. I wasted two hours of a TAC Engineer’s time last night while figuring out my issue was self-inflicted.
OpenSSL & IANA TLS Cipher Suites
I have been working with OpenVPN, OpenSSL and OpenSSH for the past couple of weeks on my Raspberry Pi running Debian “Wheezy” which has been fun and frustrating at the same time.
Due to the version of OpenVPN included with “Wheezy” and OpenVPN that I was running on my client, I was having a heck of a time getting the TLS Cipher to match up between Server and Client in configuration.
I found a software patch written by someone on the OpenVPN Dev team and within it, it had a nice table showing the OpenSSL Cipher Suite Name and corresponding IANA Cipher Suite Name. Since I wasted hours trying to figure this out, I hope it will help someone else out and save them time.
|TLS OpenSSL Cipher Suite Name||TLS IANA (IETF) Cipher Suite Name|
Restore a UCM Publisher from a Subscriber
This week I was hit by the perfect storm. I came across an environment that had two issues occur that created a nightmare, which I lost sleep over. Had these events occurred separately I would have had no problems and navigated them quite easily. Well, if our jobs were easy we would be bored and easily replaced by computer subroutines. And for those of us who are consultants we wouldn’t get those nice perks that come with our job. So, this week I dropped everything, cried a little, asked my boss if I could quit and faced the nightmare like a good consultant. Enough bloviating, let’s get to it.
First, this environment runs on the now EOS/EOL MCS 7845-I3, which in itself is a great teacher of patience with its (what feels like) 20 minute uEFI boot times. The Publisher started displaying that amber light we’ve all seen before on one of the hard drives. No big deal, right? I logged in and discovered that the Publisher’s filesystem went into read only mode. Great. After a ‘show hardware’ it was discovered three of the four hard drives were gone. 1 failed and 2 in imminent failure mode. TAC case opened to get the drives replaced, done. Next step: grab the last successful DRS backup to prepare for a Publisher restore. Life’s OK.
Here is where I started to get upset and our second event occurs: DRS had been failing for months. Only the Publisher showed as complete. At this point I’m like great, I have to attempt a restore from an incomplete backup which I’ve never seen work but this is me so it’ll work this time right? So the drives come in and I go through the forever process of installing UCM on the Publisher, which was easy. During this time I remembered why I love UCS and Collaboration in a virtualized environment, pondered life and attempted to formulate the plan on rebuilding a production cluster from scratch, if this restore didn’t work. Four or so hours later I got to attempt the restore and wait, what? DRS will only restore CDR from those incomplete backups. Great, I called it a night and went to bed, seriously.
After a sleepless night I reached out to Cisco TAC and one of the best Collaboration SEs I’ve ever worked with, who is also a CCIE. After a few minutes the SE shared this document on how to restore a Publisher from a Subscriber with no previous DRS backups. First, I felt like he should have delivered that to me in a LMGTFY link and then second, I was thankful for all of those previous cases opened by people who were screwed by lazy consultants or bad network engineers who never cared to make sure backups were set up. After three hours I was able to successfully restore the Publisher without impacting call processing. I chose this moment to set up those pesky RSA IMM boards and update the server firmware as well, so I did cause brief outages, but this document worked great.
- I knew the cluster Security Password; if you don’t, I believe you’re out of luck
- The Publisher was glass housed
Here is the document: CUCM Publisher Node Restoration from Subscriber Database without Prior Backup or Root Access
If you ever find yourself in this situation, follow it to the letter.