# DevOps Training Session 2: Networking

###### tags: `devops` `research` `reliable` `network`

Hello BTB, I have a networking training session to get through, so let's train with this lab. It covers some theory and basic networking knowledge --> [LAB2](https://drive.google.com/file/d/1juPEwyBOlum5r1ESHaSiLedPC5iYLaJ2/view?usp=sharing)

## QA

**1. How could you know a server is accessible? List down all the ways you can do**

A server is reachable only if the network configuration permits your IP. In AWS that means both the Security Group (SG) attached to the instance and the NACL (Network Access Control List) of its subnet must allow the traffic. Ways to find out:

- Try SSH on port 22 (the default), although in some setups SSH is moved to a different port.
- Try SSH or any other remote-access method with the key you were given (PuTTY, SMB, ...). A successful login proves both the network path and your credentials.
- To find out which ports are open, run a port scan, or, more formally, ask the network administrator responsible for that server.
- Connect physically: you need to be in the room, plugged into the same network segment.
- Or hack the server you want to reach :smiley:
- ...

**2. Commonly, people ping a server to make sure it is up, running, or accessible. Assume your server is running and public but can't be pinged, what is the problem?**

- The first thing to think about: `ping` uses ICMP (Echo Request / Echo Reply), and ICMP is being blocked by the Security Group or NACL, either inbound or outbound. A Security Group must explicitly allow ICMP; allowing TCP 22 or 80 does not allow ping.
- ICMP may also be filtered by a host firewall, so the Echo Request sent by `ping` is silently dropped and you see a timeout rather than an error.
- Thirdly, your source IP may be on a blocked IP range, in which case you cannot interact with the network at all, not with ICMP and not with TCP/IP.
- ...

**3. How can you add your home IP to the allowlist of a server?**

- Add an allow rule for that IP in the Security Group or the Network ACL (a Security Group only has allow rules; a NACL has both allow and deny rules, evaluated in rule-number order). Use a /32 so that only your address is permitted, and remember that a home IP is usually dynamic, so the rule needs updating when it changes.
- Secondly, the host itself may also filter: check the server's iptables or firewall configuration so that it does not block the address you just allowed at the cloud layer. Allow the IP at both layers, and still authenticate with a key pair on top of the IP allowlist rather than trusting the IP alone.

**4. How do you allow web access only on a server?**

- Configure it in the Security Group or NACL with a specific rule set.
- Write rules that allow only what the web server needs (for example TCP 80 and 443 from `0.0.0.0/0`) and block everything else; anything a Security Group does not explicitly allow is dropped.
- Hide or block all other traffic to the host, so that only the web service is exposed (management ports such as SSH, if needed at all, only from an allowlisted IP).

**5. Assume your network is 192.168.192.0/18, can you create a sub-network 192.168.64.0/20? Why?**

Obviously not, in this case.

We can work it out from the network 192.168.192.0/18:

- The prefix length is 18. An IP address is 32 bits, 8 per octet, so a /18 mask covers the first two octets plus the top 2 bits of the third octet; 6 bits of the third octet are left for hosts, so the block step in the third octet is 2^6 = 64 and a /16 holds 4 such /18 networks (third octet 0, 64, 128, 192). The range of 192.168.192.0/18 is therefore 192.168.192.0 (network address) to 192.168.255.255 (broadcast), with usable hosts 192.168.192.1 - 192.168.255.254.
- A /20 borrows 4 bits of the third octet, so the step is 2^4 = 16 and a /16 holds 2^4 = 16 such /20 networks. 192.168.64.0/20 spans 192.168.64.0 (network address) to 192.168.79.255 (broadcast), with usable hosts 192.168.64.1 - 192.168.79.254.
- That range lies inside 192.168.64.0/18, not inside 192.168.192.0/18 (its third octet, 64, is below 192). A subnet must be fully contained in its parent, so 192.168.64.0/20 cannot be carved out of 192.168.192.0/18. The four /20 subnets that can be created from 192.168.192.0/18 are 192.168.192.0/20, 192.168.208.0/20, 192.168.224.0/20 and 192.168.240.0/20.

==> By CIDR, the network 192.168.192.0/18 cannot be divided into the subnet 192.168.64.0/20.

**6. Does a self-signed SSL certificate mean no encryption?**

- A self-signed SSL certificate does not mean no encryption. The TLS session is encrypted with the same algorithms as with a CA-issued certificate; the certificate only carries the public key and identity, it is not the encryption itself.
- But using a self-signed certificate brings problems:
  - The point of the SSL server certificate is that the client uses it to learn the server's public key, with some level of guarantee that the key really belongs to the intended server. With a CA-issued certificate that guarantee comes from the CA. With a self-signed one there is no third party to vouch for it, so the client must have the certificate pinned or distributed out of band; otherwise the connection is encrypted but still open to a man-in-the-middle presenting his own self-signed certificate.
  - There is no revocation for a certificate not managed by a CA. If an attacker steals your private key, the certificate is permanently compromised, whereas CA-issued certificates still have the theoretical safety net of revocation (CRL/OCSP).

**7. When you have an SSL certificate for the `example.com` domain, are you able to use that certificate for the `test.example.com` domain?**

- Yes and no, it depends. A standard SSL certificate is issued for a single name, say `www.domain.example`, and a certificate whose only name is `example.com` is not valid for `test.example.com`. Besides the standard single-domain certificate there are other types you can get: **wildcard and multi-domain certs**.
- Wildcard certs: a wildcard certificate is issued for something like `*.domain.example`, and clients treat it as valid for any name with exactly one extra label in front of `domain.example`, such as `www.domain.example` or `ws.domain.example`. It does not cover the bare `domain.example` (unless that name is listed as well) and it does not cover deeper names such as `a.b.domain.example`.
- Multi-domain cert: valid for a predefined list of domain names, carried in the Subject Alternative Name (SAN) field of the certificate. For example, you could ask a CA for a multi-domain cert covering `domain.example` and `ws.mysite.example`, and it could then be used for both names. Modern clients only look at the SAN entries; the Common Name is ignored.
- It also depends on the version of the web server you host on: most support Server Name Indication (SNI), which lets you assign a certificate per host name instead of per IP address.
- Without SNI, a listener can present only one certificate per IP address and port, so in that situation you would need separate IPs, or one certificate that covers the subdomains through SAN entries or a wildcard.

**8. Assume you are using VPN but can not access a private domain (the browser keeps loading but no content), what is the problem? How to resolve it?**

I will use a troubleshooting walk-through to talk about the problem of using a VPN but not being able to connect to or reach a private domain.

![](https://i.imgur.com/dCrGXKf.png)

1. Check the VPN tunnel status
   - Make sure the VPN client shows the status as Connected. In some situations it is not connected, so no tunnel is established on the tunnel list page (VPN -> L2TP or PPTP -> Tunnel list).
   - If it is not connected, check the internet access on both sides --> if it is connected, go to the next step.
2. Check the access to the remote network
   - Ping is the tool to use in this step.
   ![](https://i.imgur.com/YoZiXZD.png) ![](https://i.imgur.com/kRSW5lz.png)
   - Ping by IP address first. If the IP answers but the private name does not, the problem is name resolution over the tunnel (the client is not using the VPN's DNS server), not connectivity.
   - If you fail to ping all devices, including the VPN server, **check the local IP address of the VPN client and the LAN IP of the VPN router.**
   - If you can ping the VPN server but fail to ping some devices, **check the firewall status and try disabling it temporarily.**
   - A ping that gets no reply means a firewall, antivirus or IDS/IPS may be denying that flow.
3. Check the local IP address of the VPN client and the LAN IP of the VPN router.
   - If you use Wi-Fi or Ethernet for internet access, check the local IP address obtained from the local router.
   ![](https://i.imgur.com/8bMG8KX.png)
   - In the example above, the VPN client behind the wireless router is on the same subnet, 192.168.0.0/24, as the LAN behind the VPN router. **In this case the VPN client may not be able to access the remote network, because the local and remote routes overlap. You have to change the IP range of the local network or of the remote network.**
4. Check the VPN adapter
   ![](https://i.imgur.com/oiA9kFf.png)
   When "Use default gateway on remote network" is enabled, all network requests, whether to the Internet or to the remote network, are forwarded via the VPN tunnel and handled by the VPN server. Set up the configuration as in the figure above and check whether the remote access works.
5. Check the firewall status and try to disable it temporarily.
   - Windows Defender Firewall, or some antivirus programs, block ping whose source IP is in a different subnet.
   - Temporarily disable the firewall or antivirus, or adjust the firewall policy --> write the right filter rule, then turn the firewall back on.
   ![](https://i.imgur.com/inOf85y.png)

## Conclusion

- That's all for today. This networking session was a basic Q&A plus a few situations, but networking is a huge topic, and the DevOps process is just one of many processes that touch it.
- For DevOps this is enough to get set up on the cloud, but each platform has its own specifics: internet gateway, Direct Connect, VPC, ...
- Hopefully you got some new knowledge and understand the role networking plays in a DevOps session.
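Going back to questions 1 and 2, here is an added example (not part of the original lab notes) that checks reachability the way a port scanner does, using only the Python standard library. The point it demonstrates is the answer to question 2: a host that answers with a TCP reset is up even when it never answers ping, because ICMP and TCP are filtered independently, while a silent timeout is what a Security Group, NACL or iptables `DROP` rule looks like from the outside. The loopback demonstration at the end is constructed so the block runs offline; the hostname in the `__main__` section is an assumption.

```python
import errno
import socket


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP port the way a port scanner would.

    'open'        the three-way handshake completed, a service is listening;
    'closed'      the host answered with RST: it is up, nothing listens on that port;
    'filtered'    no answer before the timeout: something is dropping the SYN
                  (AWS Security Group, NACL, an iptables DROP rule);
    'unreachable' the local stack or a router reported that there is no route;
    'unresolved'  the name did not resolve, which says nothing about filtering.

    'open' and 'closed' both prove the host is up even if it never answers ping,
    because ICMP echo and TCP are filtered independently (question 2).
    """
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            rc = sock.connect_ex((host, port))   # returns an errno instead of raising
    except socket.gaierror:
        return "unresolved"
    if rc == 0:
        return "open"
    if rc == errno.ECONNREFUSED:
        return "closed"
    # connect_ex reports a timeout as EWOULDBLOCK/EAGAIN (or ETIMEDOUT from the kernel)
    if rc in (errno.EWOULDBLOCK, errno.EAGAIN, errno.ETIMEDOUT):
        return "filtered"
    if rc in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "unreachable"
    return f"error:{errno.errorcode.get(rc, rc)}"


def scan(host: str, ports, timeout: float = 2.0) -> dict:
    """Probe a list of ports and return {port: state}, e.g. for 22, 80 and 443."""
    return {p: tcp_probe(host, p, timeout) for p in ports}


def host_is_up(states: dict) -> bool:
    """Any 'open' or 'closed' verdict is TCP-level proof of life, ping or no ping."""
    return any(s in ("open", "closed") for s in states.values())


def demo_on_loopback() -> tuple:
    """Constructed, offline demonstration: listen on an ephemeral loopback port,
    probe it ('open'), close the listener, probe again ('closed'). 'filtered'
    needs a real packet filter in the path and cannot be produced on loopback."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))        # port 0: let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = tcp_probe("127.0.0.1", port)
    listener.close()
    after_close = tcp_probe("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print(demo_on_loopback())                       # ('open', 'closed')
    # Real use: the hostname below is an assumption, replace it with your server.
    results = scan("server.example.internal", [22, 80, 443])
    print(results, "host up:", host_is_up(results))
```

Run it against a server that does not answer ping: if port 22 comes back `closed` or `open`, the host is up and the problem is ICMP filtering; if every port is `filtered`, look at the Security Group and NACL before suspecting the host.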
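For questions 3 and 4, an added example (again not from the lab notes) that models the two AWS layers the answers rely on: a Security Group, which is stateful, allow-only and unordered, and a Network ACL, which is stateless and evaluates numbered allow/deny rules lowest number first with an implicit final deny. The rule sets are constructed: one home IP allowed on SSH as a `/32`, web open to everyone, and a NACL deny for a hostile range placed before the broad allows. The addresses come from the RFC 5737 documentation ranges and are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    cidr: str               # source range, e.g. "203.0.113.7/32" for a single home IP
    proto: str              # "tcp", "udp", "icmp" or "all"
    from_port: int          # -1 means any port (used with "all" and "icmp")
    to_port: int
    action: str = "allow"   # NACL rules may be "deny"; SG rules are always "allow"
    number: int = 0         # NACL rule number (evaluation order); unused for SG

    def matches(self, src_ip: str, proto: str, port: int) -> bool:
        in_range = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.cidr)
        proto_ok = self.proto in ("all", proto)
        port_ok = self.from_port == -1 or self.from_port <= port <= self.to_port
        return in_range and proto_ok and port_ok


def sg_allows(rules, src_ip: str, proto: str, port: int) -> bool:
    """Security Group: traffic passes if ANY rule matches, otherwise it is silently
    dropped (the sender sees a timeout, not a reset). There are no deny rules."""
    return any(r.matches(src_ip, proto, port) for r in rules)


def nacl_allows(rules, src_ip: str, proto: str, port: int) -> bool:
    """Network ACL: the first matching rule in number order decides; the implicit
    final rule ('*') denies everything that matched nothing."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(src_ip, proto, port):
            return r.action == "allow"
    return False


HOME_IP = "203.0.113.7"          # constructed example address (TEST-NET-3)

# Question 3: SSH only from the home IP (/32); question 4: web open to anyone.
WEB_ONLY_SG = [
    Rule("0.0.0.0/0", "tcp", 80, 80),
    Rule("0.0.0.0/0", "tcp", 443, 443),
    Rule(f"{HOME_IP}/32", "tcp", 22, 22),
]

# Subnet NACL: explicit deny for a hostile range numbered BEFORE the allows.
SUBNET_NACL = [
    Rule("198.51.100.0/24", "all", -1, -1, action="deny", number=90),
    Rule("0.0.0.0/0", "tcp", 80, 80, number=100),
    Rule("0.0.0.0/0", "tcp", 443, 443, number=110),
    Rule(f"{HOME_IP}/32", "tcp", 22, 22, number=120),
    # NACLs are stateless: replies to connections the host opened come back to
    # ephemeral ports and need their own inbound allow.
    Rule("0.0.0.0/0", "tcp", 1024, 65535, number=130),
]


def reachable(src_ip: str, proto: str, port: int) -> bool:
    """Both layers must allow the packet: the NACL at the subnet edge, then the SG."""
    return (nacl_allows(SUBNET_NACL, src_ip, proto, port)
            and sg_allows(WEB_ONLY_SG, src_ip, proto, port))


def exposed_to_internet(sg_rules, ports=range(1, 1025)) -> list:
    """Lint: which low TCP ports does the SG open to the whole internet?
    For a 'web only' server this list must be exactly [80, 443]."""
    return [p for p in ports if sg_allows(sg_rules, "192.0.2.1", "tcp", p)]


if __name__ == "__main__":
    print("web from anywhere:", reachable("192.0.2.1", "tcp", 80))        # True
    print("ssh from home:", reachable(HOME_IP, "tcp", 22))                 # True
    print("ssh from elsewhere:", reachable("192.0.2.1", "tcp", 22))        # False
    print("web from denied range:", reachable("198.51.100.5", "tcp", 80))  # False
    print("ping from anywhere:", reachable("192.0.2.1", "icmp", 0))        # False
    print("internet-exposed ports:", exposed_to_internet(WEB_ONLY_SG))     # [80, 443]
```

The ICMP line is question 2 in code form: nothing in the SG mentions ICMP, so ping is dropped while the web ports work. Swapping the NACL deny's number with a larger one lets the allow on rule 100 win first, which is why the answer to question 3 stresses that NACL rules are evaluated in order.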
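For question 5, an added worked example (not from the lab notes) that does the subnet arithmetic by hand with the borrowed-bits method, then cross-checks the result with Python's `ipaddress` module. It generalizes the answer: `is_subnet_of` decides containment for any parent/child pair, and `subnets_of` enumerates the blocks that can legitimately be carved out of a parent.

```python
import ipaddress


def mask_from_prefix(prefix_len: int) -> int:
    """32-bit netmask for a prefix length, e.g. 18 -> 0xFFFFC000 (255.255.192.0)."""
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def parse_cidr(cidr: str) -> tuple:
    """Split 'a.b.c.d/n' into (address as a 32-bit int, prefix length)."""
    addr, prefix = cidr.split("/")
    return int(ipaddress.IPv4Address(addr)), int(prefix)


def network_range(cidr: str) -> tuple:
    """(network address, broadcast address), computed with the mask: network is the
    address with all host bits cleared, broadcast has them all set."""
    ip_int, prefix_len = parse_cidr(cidr)
    mask = mask_from_prefix(prefix_len)
    network = ip_int & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address(network)), str(ipaddress.IPv4Address(broadcast))


def is_subnet_of(child_cidr: str, parent_cidr: str) -> bool:
    """A child block fits inside a parent only if its prefix is at least as long and
    its address, masked with the PARENT's mask, gives the parent's network address.
    192.168.64.0 & 255.255.192.0 = 192.168.64.0, not 192.168.192.0, so the /20 in
    question 5 fails this test."""
    child_ip, child_len = parse_cidr(child_cidr)
    parent_ip, parent_len = parse_cidr(parent_cidr)
    if child_len < parent_len:
        return False
    parent_mask = mask_from_prefix(parent_len)
    return (child_ip & parent_mask) == (parent_ip & parent_mask)


def subnets_of(parent_cidr: str, new_prefix: int) -> list:
    """Enumerate the 2**(new_prefix - parent_len) blocks of /new_prefix inside parent,
    e.g. the four /20s of a /18 (2 borrowed bits), stepping 2**(32 - new_prefix)."""
    parent_ip, parent_len = parse_cidr(parent_cidr)
    if new_prefix < parent_len:
        raise ValueError("new prefix must be at least as long as the parent's")
    network = parent_ip & mask_from_prefix(parent_len)
    block = 2 ** (32 - new_prefix)             # addresses per child block
    count = 2 ** (new_prefix - parent_len)     # number of child blocks
    return [f"{ipaddress.IPv4Address(network + i * block)}/{new_prefix}"
            for i in range(count)]


def check_against_stdlib(child_cidr: str, parent_cidr: str) -> bool:
    """Cross-check the hand calculation with ipaddress.subnet_of()."""
    child = ipaddress.ip_network(child_cidr)
    parent = ipaddress.ip_network(parent_cidr)
    return child.subnet_of(parent) == is_subnet_of(child_cidr, parent_cidr)


if __name__ == "__main__":
    parent, wanted = "192.168.192.0/18", "192.168.64.0/20"
    print(parent, "spans", network_range(parent))   # ('192.168.192.0', '192.168.255.255')
    print(wanted, "spans", network_range(wanted))   # ('192.168.64.0', '192.168.79.255')
    print("fits?", is_subnet_of(wanted, parent))    # False
    print("fits in 192.168.64.0/18?", is_subnet_of(wanted, "192.168.64.0/18"))  # True
    print("valid /20s inside", parent, subnets_of(parent, 20))
```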
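For question 7, an added example (not from the lab notes, and not the code of any TLS library) implementing the hostname-matching rules browsers apply to the names in a certificate's Subject Alternative Name extension: exact match for plain names, and a wildcard that is only honoured as the whole leftmost label and matches exactly one label. The three SAN lists are constructed to represent the single-domain, wildcard and multi-domain certificates from the answer; the domain names in them are assumptions.

```python
def name_matches(cert_name: str, hostname: str) -> bool:
    """Match one dNSName from a certificate against a hostname, RFC 6125 style:
    - case-insensitive, trailing dots ignored;
    - a wildcard is accepted only as the entire leftmost label ('*.example.com');
    - the wildcard matches exactly one label, so '*.example.com' covers
      'test.example.com' but neither 'example.com' nor 'a.test.example.com'."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # Partial or repeated wildcards such as 'te*.example.com' or '*.*.com' are rejected.
    if cert_labels[0] != "*" or "*" in cert_name[2:]:
        return False
    # Refuse wildcards that would cover a whole top-level domain, e.g. '*.com'.
    if len(cert_labels) < 3:
        return False
    if len(host_labels) != len(cert_labels):
        return False
    return host_labels[1:] == cert_labels[1:]


def cert_covers(san_dns_names, hostname: str) -> bool:
    """True if any SAN dNSName entry matches. The subject Common Name is deliberately
    not consulted: current browsers only look at the SAN extension."""
    return any(name_matches(name, hostname) for name in san_dns_names)


# Constructed SAN lists for the three certificate types discussed in question 7.
SINGLE_DOMAIN_SANS = ["example.com"]
WILDCARD_SANS = ["*.example.com"]
MULTI_DOMAIN_SANS = ["example.com", "test.example.com", "ws.mysite.example"]


def coverage(hostname: str) -> dict:
    """Which of the three certificate types would a client accept for this hostname?"""
    return {
        "single-domain": cert_covers(SINGLE_DOMAIN_SANS, hostname),
        "wildcard": cert_covers(WILDCARD_SANS, hostname),
        "multi-domain": cert_covers(MULTI_DOMAIN_SANS, hostname),
    }


if __name__ == "__main__":
    for host in ("example.com", "test.example.com", "a.test.example.com"):
        print(host, coverage(host))
```

The output answers the question directly: for `test.example.com` the single-domain certificate for `example.com` is rejected, while the wildcard and the multi-domain certificate are accepted; for `a.test.example.com` the wildcard is rejected too, so a second level of subdomains needs its own SAN entry or a `*.test.example.com` wildcard.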
:small_airplane:

## Reference

- [Does each subdomain need its own SSL certificate?](https://serverfault.com/questions/566426/does-each-subdomain-need-its-own-ssl-certificate)
- [What are the risks of self signing a certificate for SSL](https://security.stackexchange.com/questions/8110/what-are-the-risks-of-self-signing-a-certificate-for-ssl)
- [Is a self-signed SSL certificate much better than nothing?](https://security.stackexchange.com/questions/38727/is-a-self-signed-ssl-certificate-much-better-than-nothing#:~:text=Self%20signed%20certificates%20use%20the,get%20the%20protection%20of%20encryption.)
- [What to do if you cannot access the remote network through Client-to-LAN/Site VPN tunnel](https://www.tp-link.com/us/support/faq/3044/)