I regularly use tools in my workaday life. The following 5 tools are those that I wouldn’t want to work without.
5 – KeePass Password Safe
As the recent Gawker password leak has proved, using one password everywhere is not smart. I used to use 4 passwords. The first was a throwaway, used anywhere I didn’t mind someone gaining access. Make me use a password to comment on Gawker and out came the old favourite. Funnily enough, it was rather similar to the number 1 password revealed by the Gawker hack (although not the same; it still mixed uppercase and lowercase letters and numbers). I used this for anything I didn’t care about. Then I had my email password. This I used on all my email accounts (and isn’t it ridiculous how many we have these days), Twitter, Facebook, etc. Then I had my SECURE password. I had been using this for about 10 years, and only for money sites, like eBay, PayPal, banking, Amazon, etc. Finally, I had my PC login password.
However, a couple years ago I decided that this wasn’t really secure enough. So I did a little research into password safes. I had 3 requirements.
- It had to be open source. I don’t mind paying for software, but really don’t believe that security software should be closed source. It should be open to scrutiny. Which, of course, is a rule I break in tool number 1 below. But I’m pragmatic, not dogmatic, which sounds better than saying “I know I’m a hypocrite”.
- It had to be portable. That is to say, it had to run in a secure fashion from a USB stick on any machine I might have in front of me, without installation.
- It had to be supported on both Mac and Windows.
KeePass does all of this. A master password is used to open the password database, and I use the Savernova password card for that database password. The card is a random jumble of letters and numbers laid out on an alphanumeric grid. Select a starting point and count off the required number of characters.
What’s great about this system is:
- Every site uses a unique, long and secure password. One website being compromised will not result in a cascade of compromised sites. Just search “acai berries” on Twitter to see Gawker users’ Twitter accounts compromised by the recent hacks.
- The password is never typed – this avoids key loggers (likely for anyone) or even laser microphone and acoustic snooping (less likely).
- This is a form of two-factor security. Something I know (location on password sheet) and something I have (password sheet and database). Of course, you might remember your master password (good going if it is over 20 characters) but you will never remember the passwords you use for an individual site, as you never type it.
- When overzealous sysadmins make you change your password every couple of days, it won’t affect you. You didn’t know the previous one anyway.
Of course, backing up your password database is crucial. Lose that, and you lose everything! Backing up the database and Savernova password file is fine, as it is just a random jumble unless you know where to start.
KeePass runs on a whole mass of different systems, including my Blackberry.
4 – Notepad++
Another great tool is Notepad++. Tabbed windows, language detection, syntax highlighting and multiple undos (by itself an improvement over Notepad sans ++) are just some of the reasons I love this tool for configuration preparation. If you’ve developed a lot of config scripts using Windows Notepad, you’ll know the experience of accidentally highlighting some code, typing something that deletes the code, and then messing up the undo. With Notepad, you only get one level of undo. With Notepad++, you get a lot.
3 – Beyond Compare
For every single change I make, I use Beyond Compare. Quite simply, this is the single best tool I have for making sure that I haven’t gone nuts during a change.
My personal change process is:
- I open a log file to log my change. SecureCRT does this automatically for me – see below.
- I display the starting configuration, which is captured into the log.
- I make the change.
- I display the changed configuration, which is captured into the log.
I then take the start configuration and changed configuration and do a diff using Beyond Compare. This diff can be saved as an HTML file and sent to the change management / operations team after the change. Rollback is simply undoing all of the configuration change.
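As an added example (not code from the original post), here is that capture-and-diff step scripted: two constructed IOS-style captures are normalized to drop the header lines that differ on every capture, diffed to list what was added and removed, and rendered to the kind of HTML report you would hand to the change team. The config text and the set of volatile header patterns are assumptions constructed for the example.

```python
import difflib
import re

START_CFG = """\
Building configuration...
Current configuration : 1024 bytes
! Last configuration change at 10:01:12 UTC Mon Dec 13 2010
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.252
!
router bgp 65000
 neighbor 192.0.2.2 remote-as 65001
!
ntp server 192.0.2.10
end
"""  # constructed sample 'show running-config' capture, not a real device
# Constructed post-change capture: one added BGP line, one changed NTP server.
CHANGED_CFG = START_CFG.replace("1024 bytes", "1071 bytes").replace(
    "10:01:12", "10:07:45").replace(" neighbor 192.0.2.2 remote-as 65001\n",
    " neighbor 192.0.2.2 remote-as 65001\n neighbor 192.0.2.2 description CORE-01\n",
).replace("ntp server 192.0.2.10", "ntp server 192.0.2.20")

# Header lines that change on every capture and would pollute the diff (assumed set).
VOLATILE = re.compile(r"^(Building configuration|Current configuration\s*:|"
                      r"! Last configuration change|! NVRAM config last updated)")

def normalize(capture):
    """Split a capture into lines, dropping blanks and volatile header lines."""
    return [ln.rstrip() for ln in capture.splitlines()
            if ln.strip() and not VOLATILE.match(ln)]

def diff_configs(before, after):
    """Return (added, removed) config lines; 'removed' is what a rollback must restore."""
    a, b = normalize(before), normalize(after)
    added, removed = [], []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, a, b, autojunk=False).get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(a[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(b[j1:j2])
    return added, removed

def html_report(before, after):
    """Side-by-side HTML diff with 3 lines of context, the artefact sent to change management."""
    return difflib.HtmlDiff(wrapcolumn=80).make_file(
        normalize(before), normalize(after), "before", "after", context=True, numlines=3)
if __name__ == "__main__":  # demo run on the constructed captures
    print(diff_configs(START_CFG, CHANGED_CFG))
    open("change-report.html", "w").write(html_report(START_CFG, CHANGED_CFG))
```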
I also use Beyond Compare for paired-device comparisons. Dual-homed sites are often terminated on a resilient pair of routers. I have wondered why a virtual router protocol hasn’t been developed: not a First Hop Redundancy Protocol (a.k.a. HSRP / VRRP), but something like 6500 VSS or ASA failover for software routers like the 7200s. Without this, there is always an opportunity for these paired devices’ configs to drift out of sync. Use Beyond Compare for offline configuration comparisons.
Another use is for comparing routers that have a similar function at different locations. P routers at one location should have similar IS-IS configuration. PE routers should probably peer with route reflectors in a similar way. Redundant route reflectors should be very similar.
A final use is with troubleshooting. Why is one router misbehaving? I’m no IOS-XR expert but recently I fed the config of one working and one faulty P-node CRS into Beyond Compare and found the offending line of code in minutes.
2 – GNS3
It never fails to surprise me the number of environments that don’t have a solid lab to trial changes. I often use GNS3 to ensure that my config is solid. It is also really useful to figure out how new IOS features operate.
It isn’t rock solid, as anyone who has used it for any length of time will attest. For example, I have found that BFD doesn’t work on Dynamips 0.2.8 (the current version used by GNS3). It is, however, something that I really wouldn’t want to live without. Most people use it, so I don’t need to over-elaborate. Greg Ferro over at Etherealmind suggests that we should be getting this functionality from our vendors and I wholeheartedly agree. Until we do, GNS3 is as good as it gets.
1 – SecureCRT
Without a doubt, the most important software that I use. Of course, it isn’t free. However, until PuTTY allows me to define the right-click action, I won’t consider using it. Hopefully, this won’t inspire a war à la vi versus emacs. Ever clicked a screen and pasted a whole lot of stuff to the wrong router by accident? I have, using PuTTY.
5 more reasons why SecureCRT is brilliant:
- Tabbed sessions. PuTTY Connection Manager provides something similar, but I found it clunky. SecureCRT provides per-session settings overrides, multiple session editing, launching an entire folder (containing any number of sessions) and more.
- Dynamic port forwarding and SOCKS proxy support. This is fabulous for connecting through bastion / jump hosts.
- Scripting in JScript, VBScript, PerlScript or Python.
- Support for SFTP, SSH1 and SSH2, Telnet, serial and IPv6.
- Autologging. Every session gets recorded automatically to a new log file.
- Now there is support for Macs.
- Portability is possible using U3. With some companies, installing your own software isn’t an option. However, if the company is really security conscious, they may have disabled USB drives. If this results in my not being able to use SecureCRT, I would have to have a chat with the desktop support team. The next time they insist on that switch port being opened urgently to bring a critical service online, I would explain how much more efficient I could be if they installed my software.
Okay – so I really couldn’t stop myself at just 5. The above list might also be partially covered by software like Tera Term, PuTTY, iTerm or other terminal software. None does all of this, or does it as well as SecureCRT. I am a fan. So much so that I feel elaborating on points 2 and 3 may require an entire post. I’ll leave that for next time.