Previously on...
Welcome back, readers!
When we left off, I was determining how to use the tools I had on hand to do cybersecurity-oriented projects, culminating in building the machine that would become my web server. Still, there was a problem: The main router blocked remote connection requests to the server. This time, we'll expand the scope from one machine to a whole network with even more troubleshooting. Because you are not doing it right if you're not trying to fix a minuscule error that breaks your entire project.
Before I get into the journey, I figured I'd do a little breakdown of the lessons I've learned in making this entry in the journal. The series is meant to be readable by beginners, after all. This way, as I recall what I was working on, everyone will have some context as to what I'm doing:
IP Address - A set of numbers that a computer uses to find the "location" of a device. They're the house number of a network.
Subnet - a list of IP addresses set aside for a certain set of hosts (computers). The IP addresses are similar but grouped according to what device goes where. In other words, If IP addresses are house numbers, then the subnet is the community name or apartment building.
Subnet Mask - An IP-address-like number, the subnet mask determines how many IP addresses a subnet can have. For instance, if your subnet mask is 255.255.255.0, you can have up to 255 IP addresses. If your subnet mask is 255.255.0.0, you can have up to 510 IP addresses, and so on.
Network Segment - similar to a subnet, a network segment is a piece of the network that is more or less isolated from the rest. It is separated via hardware or software and guarded by a firewall and other countermeasures. This makes network segments akin to a gated community.
SSH - Short for Secure Shell, SSH is a protocol that is a remote control function for other computers. It's encrypted to prevent people from spying, which is why 'secure' is in the name.
Router - Technology that determines where network traffic goes. In a home or small office network, the router is usually built into one device with a firewall, Wi-Fi, and network switch.
Self-Taught Network Engineering 101
When we left off in the last installment, I was dealing with my network's router blocking port 22 whenever I set a static (unchanging) IP address to my Ubuntu web server. This was a real problem, as the router blocking the request isn't mine, and I do not have permission to change it. I was honestly glad about this challenge: it was a perfect parallel to administrative controls, which are very common in the information technology industry, and while they make things more difficult, necessity is the mother of invention. So this was my challenge: since the router was the source blocking my SSH requests that I could not change, I needed a way around it. This objective would lead me to many rabbit holes, from subnetting and segmentation to configuring routers and bridges. Let's talk about it!
Initially, I figured I could take the diplomatic approach: Present my findings to the 'stakeholders' (the owners of the network router) in an effort to convince them to let me change some settings. However, this plan had a few flaws: This router was the main defense against the unfiltered internet, and any misconfigurations could result in a vulnerability that was not there before. Additionally, the owners had suffered multiple cyberattacks recently and were not keen on potentially opening up this network to attack. Needless to say, this plan had a shaky foundation at best.
Thankfully, the answer came to me after talking with my step-brother about the issue. Being well-established in the tech field already, having his knowledge goes a long way for someone like me who has never worked in Information Technology. He suggested getting my own router and using that as a bridge. That way, I could configure traffic flow directly between my hosts and allow/deny whatever rulesets I needed without changing the primary router's security settings. It also allowed for an extra layer of security through network segmentation. This was perfect! And so, my objective was clear.
First, though, I had to get my hands on a router. Surprisingly enough, there are a lot of different routers around that I could use, and the specifications and limitations I established in part one -educational, industry standard, and low cost- meant I could narrow my options.
After some research, I chose the MikroTik hEX RB750Gr3 5-Port Ethernet Gigabit Router. This option provided the best balance of affordability, compatibility, and safety. Plus, it's based out of Latvia, where the General Data Protection Regulation (GDPR) prevents the creators from sneaking a peak into my data usage.
Setting up the router was simple enough, at least physically: I plugged it into the home network and connected all my devices via ethernet cables. In this case, my segment consists of:
My Ubuntu Server, the "Blue Team"
My main/work computer, the "White Team"
My laptop, the "Red Team"
My router, which I will call "Green Team," connects my segment to the primary router and the internet.
If you are a visual learner like myself, this is the graphic I created to visualize the process correctly:
So, with that all connected, the next step was to configure everything. This is where the biggest challenge lies.
Back to Basics
Now that I knew what I needed to do to get my little segment of the network going, the next step was research. Lots and lots of research. I first had to learn about router configuration—an essential skill for many network-related fields. And there was no time like the present for someone like me to learn. Thankfully, MikroTik was a reputable brand that provided helpful advice and community support. Hence, learning how to adjust and change the default settings to integrate with the network was as simple as following the tutorials. Unfortunately, a lot of what makes network engineering work is a fundamental knowledge of addressing and subnetting. I had to take another step back to understand what I was doing on the router.
And so, I dove into learning about IP addresses and subnetting, and as with MikroTik, there were a lot of resources on YouTube and in the community about this, too. Most of which I was able to put together. The simple math of converting binary to decimal and counting how many subnets I could have on a network is easy to understand. The main pitfall I had was determining how to put it all together, and that was a simple matter of overthinking the whole thing. Human error can get in the way of even the simplest tasks. How would I choose what IP address I would use for my devices? Does my IP address need to match the primary network? Why won't my router send traffic directly to my device instead of through the primary router? It turns out that this process doesn't need to be overly complicated: most of it is automated! A few resets later, and after a few tweaks for security, my network segment was up and running with no issues. Connecting to my Ubuntu server through SSH was easy enough now that I had traffic flowing through a router I could control.
With that, I finally had a base set to where I could start constructing my web server, and I had much more knowledge on how the whole thing works.
Lessons Learned
It is probably obvious to anyone with a background in IT just how much I don't know about this field and how much I am stumbling through trying to figure it out. Frankly, that's what this series is about. Teaching myself the ins and outs of the subject will be messy and have a lot of zigzags. For one, I spent an embarrassingly long amount of time mixing up the terms "segment" and "subnet," meaning I spent a very long time researching something I did not need for this project. In the end, however, it is valuable information, so now I have a basic knowledge of IP addresses and subnets and converting from decimal to binary to CIDR notations and vice versa.
At the end of the day, whenever I do something like this, I am constantly reminded of how much I don't know about this field. Every question I answer seems to lead to more questions about how all these pieces work together to bring us this vast array of communication you're using to read this. And if you are still reading, thanks for joining me on this journey. Stay tuned for the next issue, where I plan to assemble the pieces for my website on the server and learn about the tools needed to get that going.
Sources
General Data Protection Regulation - https://gdpr-info.eu/
MikroTik hEX RB750Gr3 5-Port Ethernet Gigabit Router - https://mikrotik.com/product/RB750Gr3
An Introduction to RouterOS for Newbies: https://youtu.be/rwjtRLQjMjA?si=g3yNoDqdd4Eh5gjv
You SUCK at Subnetting, episode 1 of 9: https://youtu.be/5WfiTHiU4x8?si=5AuWj5LMpOCN-LPD
Comments