It's firewall time!

It's been a while, hasn't it?

Hardware Aug 4, 2023

Looks like I took another long break again; time flies and sometimes life gets busy I suppose.

I've got quite a lot of changes, and upgrades, and other fun stuff to go over, so let's get started.

Vertical Rack Expansion

I decided, spur of the moment, that I didn't have enough rack units, and I wanted to build a networking lab with various vendors so I hatched a plan.

I noticed that I had a sizable amount of space above the rack that I had previously built, and figured I could fit ~9u in there. So I bought some 9u "DIY Rails" just like before, cut a 2x4 and screwed it all together.

Look at all that room for potential!

Au-voila, another 9u to work with.

Nice and tidy!

Networking Lab

About that networking lab, so I wanted to branch out a little bit and learn a little bit more about other vendors I had never worked with before (i.e. Juniper, Brocade, etc). I personally like to learn with a hands-on approach, so I had to acquire some equipment from my favorite place: eBay.

I did my research, and the first company's equipment I wanted to play around with was Juniper. They have an interesting, yet familiar command structure compared to Cisco. I went to school for Cisco, and got my CCENT, so I know their CLI pretty well.

Jumping into Juniper was not as easy; they have some great educational material on transitioning from Cisco CLI to Juniper CLI, but it's just not the same.

I decided to download and print every book they ever published, because who knows, they might decide to pull them one day!

I also didn't realize that Juniper equipment can be a bit pricy. Apparently they're one of the only vendors that will still sell equipment to Russia. Due to the Ukraine conflict, a lot of vendors stopped selling equipment to Russia in retaliation to the conflict.

$300 starting price for last-gen router/firewall combos, yeesh.

I ended up going with an SRX550, and an EX2200. The SRX is a router/firewall/VPN appliance combo, think edge device. And the EX2200 is a switch. They're both a bit dated, but they're post-rebrand, so they have the new fancy Juniper logo and both support JunOS 15.

Mucking around with the equipment

The SRX550 was a special device, under the hood it has standard DDR3 DIMM slots, and a CF card slot, so there was room for upgrades. Down the line, apparently Juniper released an "upgraded" version of the SRX550 called the "SRX550 HM" which doubled the RAM and upgraded the CF storage size to 4GB. The plan was to upgrade my SRX550 to match a SRX550HM, but ultimately I couldn't get it to load any of my firmware packages and retain 100% functionality. Ultimately, I returned to JunOS 12.

Don't turn it on, take it apart! Man I miss EEVBlog.

The EX2200 was an interesting experience. I thought "man I should upgrade this thing as high as it goes right?" WRONG. Apparently, a JunOS 15 release slipped out and wasn't supposed to, and you bet I flashed it. Everything imaginable went wrong; crashing, sluggishness, packet drops, it was catastrophic failure. I rolled back to JunOS 12, but it just got worse from there. Apparently I managed to cook the internal flash chip and now on every reboot it corrupts and requires a reflash.

The switch would mostly, if not always boot to this indicating flash failure.

I got a refund on the EX2200 thankfully, I honestly wasn't sure if the flash chip was dead before, or after I got it, but I figured it was worth a shot. As for the SRX550, I haven't touched it since I don't have a switch to pair with it. I guess I could learn CLI and muck about with the UI, but that's for a later date.

Firewalls

I also purchased a Cisco ASA, this seemed like a fun device, and I really wanted to learn Cisco AnyConnect. Their virtual AnyConnect appliance is a pain to get working, not to mention requires licensing.

Tons of ports to work with!

This took an interesting turn from the minute I turned it on...

I eagerly plugged in my console cable, and pressed the power button. The last owner forgot to reset the appliance, ugh. I look up the password reset procedure and follow along, resetting in recovery mode, and then boot it up again. I log in, and out of curiosity I check the running config...

Boy did I unearth something, the last owner had left tons of sensitive information in the config, unencrypted for anyone to find. IP addresses, DNS names, usernames, passwords (thankfully, these were hashed) and names of personnel that perhaps worked or interacted with this device in the past.

I did my typical thing, sleuthing around looking for company names, and found that it belonged to a financial institution named "Santander" based out of MA.

Man, someone is definitely getting fired for this...

Thinking it was the right thing to do, I took a dump of the config to a text file, and reached out to their support team, letting them know that this information was floating around on a (presumably) recycled appliance.

The other thing that concerned me was the fact that this wasn't the only device out there. In the config, they had specified that it was part of a HA (high availability) setup, and that there should be another ASA in the rack, for redundancy.

This means, that somewhere out there there's another ASA floating around with the same configuration as this one, exposing the same information to whoever gets their hands on it.

After a few days, I got an email back from Santander's IT / NOC asking for further information, i.e. S/N, seller's name on eBay, seller's address from shipping, etc. They also said that they were very grateful that I had submitted this information to their team, and that they were going to pursue their recycling company and see what went wrong in the data sanitization process.

This email conversation was pretty cool hearing from the VP of Corporate Security!
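A pre-disposal check for the kind of leftover data described above, as an added example that is not the author's code: a short Python audit that flags credentials, shared secrets, identity strings, addresses and failover settings in a saved ASA running-config, and masks secret values in its report. The sample config, the category names and every value in it are constructed for illustration.

```python
import re
from collections import Counter
# Constructed ASA-style running-config; every name, address and hash is made up.
SAMPLE_CONFIG = """\
hostname edge-fw-01
domain-name corp.example
enable password EXAMPLEHASH0001 encrypted
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.0 standby 203.0.113.11
dns server-group DefaultDNS
 name-server 192.0.2.53
failover lan unit primary
username jdoe password EXAMPLEHASH0002 encrypted privilege 15
snmp-server community *****
"""

# (category, pattern); the first matching rule classifies the line.
RULES = [
    ("credential", re.compile(r"^\s*(?:username \S+ password|enable password|passwd) (?P<secret>\S+)")),
    ("shared-secret", re.compile(r"(?:snmp-server community|pre-shared-key) (?P<secret>\S+)")),
    ("ha-peer", re.compile(r"^\s*failover\b")),
    ("identity", re.compile(r"^\s*(?:hostname|domain-name) \S+")),
    ("dns", re.compile(r"^\s*name-server \S+")),
    ("ip-address", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]

def audit(config):
    """Return (line number, category, masked line) for each line holding residual data."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        for category, pattern in RULES:
            match = pattern.search(line)
            if match:
                text = line.strip()
                secret = match.groupdict().get("secret")
                if secret:  # never echo hashes or keys into the report
                    text = text.replace(secret, "<redacted>")
                findings.append((lineno, category, text))
                break
    return findings

def summarize(findings):
    return dict(Counter(category for _, category, _ in findings))

def needs_peer_check(findings):
    """Failover lines mean a second unit carries the same config and needs wiping too."""
    return any(category == "ha-peer" for _, category, _ in findings)

if __name__ == "__main__":
    print(summarize(audit(SAMPLE_CONFIG)))
```

A factory-reset unit will still report its default hostname and management address, so the findings are a review list for whoever signs off on disposal, not a pass/fail verdict.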

Back to the device itself, it's pretty cool. Under the hood, it's just a plain-ol x86 1u server with an array of networking ports, and an expansion bay for Firepower if I ever want to get into that. (Probably not, licensing is obnoxious)

Looks just like a typical server, right?

In the end, I got a nice 750-user AnyConnect license, and got to learn AnyConnect!

Jank-Blue

So, I decided to upgrade my personal computer, and had some spare parts floating around in inventory...

I also had this ancient Barracuda firewall appliance I acquired from a friend of mine, and it has some interesting characteristics.

Being the masochist I am, I thought to myself: "Man, I wonder if I can cram these modern parts into a 1u form-factor?" And thus, the "Jank-Blue Barracuda" was created.

See, Barracuda in their infinite wisdom decided to use standard PC parts in their firewall appliances. Standard motherboard, hard drives, RAM, you name it. Take a mid-range PC from 2013, squish it down to fit into a 1u chassis and bam, firewall.

Before modifications...

I took everything out of the case to assess what I was working with. Nothing wild, a couple of standoffs, and heck, they're even re-adjustable for different motherboard sizes!

Test-fitting the modern stuff...

Assembling my old PC parts was a breeze, I just had to find a solid 1u blower CPU cooler on Amazon, a bit expensive because the block is solid copper...

Yikes 😬

The OEM power supply was a little short on juice, providing only 300w, and missing a +4 on the 24-pin power adapter, and another +4 on the CPU power cord, but since we aren't overclocking, or using high-power PCIe cards we should be alright.

Also, the CPU I was using doesn't have a GPU onboard (Ryzen 7, 2700x) so I had to get creative and install old faithful, my original GT710 to get an image out of it.

A GPU in a firewall just looks so wrong...

Slapping in the only NVMe drive I had left (256GB cheapo Transcend) I got it to POST! Huzzah, the power LED / switch cables from the original chassis are standard too!

Nice! POST!

The only question that remains is: what am I going to do with this thing? Well, boy do I have the answer you weren't expecting: AI.

Serge AI

With a somewhat modern Ryzen 7 CPU, you probably saw this coming tbh.

AI has always piqued my interest. I personally never used ChatGPT or BingAI or whatever Google's doing with Bard before this project. It seemed daunting and as an IT professional my Google-fu powers are about as strong as AI.

Then, while searching "what can I do with this stupid amount of compute I have" I came across the concept of running AI models at home using GPUs and alternatively CPUs.

First I tried running GPT4All, but that didn't pan out. Something didn't work, and ultimately I gave up. It was cool that it uses the same API as ChatGPT so you can use all of the apps built for it, but I wasn't planning on taking this that far.

GitHub - nomic-ai/gpt4all: an ecosystem of open-source chatbots trained on a massive collection of clean assistant data including code, stories and dialogue

Then Serge came up, it looked pretty similar to GPT4All, but without the frills like API translation and all that nonsense. It was a simple bundle of software; run AI models in a docker container, take questions and spit results into a Web UI.

GitHub - serge-chat/serge: A web interface for chatting with Alpaca through llama.cpp. Fully dockerized, with an easy to use API.

And just like that, I was hooked. Boy were the responses slower than dirt, but it was the coolest thing ever seeing MY HARDWARE spit out full, complete sentences that made it seem like a human was talking to me in plain English.

I want to try hooking the GT710 into it, and getting Stable Diffusion working, but we'll save that for another time.

That pretty much sums it up though, thanks for reading!

And until next time!

Phoenix (Jacob)

IT Specialist, Plastic Guitar Aficionado | 🏳️‍🌈 | 23
