Running Barracuda Spam and Virus Firewall 300 out of Hyper-V

First of all, thanks very much to this blog: http://blog.shiraj.com/?p=49 – without it, I wouldn’t have been able to get as far as I did. Anyways, now on to virtualizing a Barracuda Spam and Virus Firewall.

Things you will need:
1. Barracuda E-mail Spam Filter
2. Windows 2008 R2 Hyper-V server (VMWare probably works too… only thing I wouldn’t be sure of is how VMware portrays the mount points and what drivers it uses for legacy network adapters)
3. Acronis True Image (or similar bootable “ghosting” media)

The first step is to make an image of a Barracuda. Using the BIOS code from the aforementioned blog, log in to the BIOS of the Barracuda and enable Boot from CD as the first boot option. Then connect a USB CD-ROM drive with Acronis True Image. Also connect a USB hard drive with enough space to accommodate at least 32GB worth of data.

Create the TIB image of the entire drive. Remove the USB drive when you are done and connect it to your Windows 2008 R2 Hyper-V server. Create a new virtual machine with 1 CPU, about 1GB RAM (my 300 only came with 512MB… max 2GB according to the motherboard specifications) and a legacy network adapter. I also turned on Windows NT CPU support just to play it safe. Remove the SCSI controller and create a fixed 32GB VHD for the OS. Attach an ISO of Acronis True Image and boot the VM to Acronis.

I created a second VHD in the host OS and copied the TIB file into it, then mounted the VHD as a secondary IDE drive. This was the easiest way to get the VM to restore the TIB file… plus at any time I can reboot into Acronis and reimage my system.

Restore the image and reboot. You will want to follow the steps from the previously mentioned blog to gain root access. This is necessary to make the network card work. Once you have root access, modify the /etc/modules.conf file. Change the eth0 alias to use “tulip” instead of “via-rhine.” Type modprobe tulip to verify that the driver loads, then ifconfig to double-check that eth0 is now available.

This is a great way to avoid having to purchase instant replacement, and in a suitable backup environment… disaster recovery is a breeze if you back up your virtual machines. Creating the image doesn’t void the warranty as long as you can avoid opening the case. However, if you ever experience problems… hopefully they don’t notice your hardware specs 🙂 I’m not sure how much lspci differs from appliance to virtual machine; I haven’t gotten that deep into it yet.

Just an FYI, if you ever need to manually update firmware because the web interface is broken… look for /home/emailswitch/code/firmware/current/bin/update.pl and run update.pl with the argument “firmware”.

i.e. ./update.pl firmware

Add -c at the end to perform a check only.

Just about every function of the web site is a perl script… doing some cat/grep operations on the index.cgi should help you out if you are ever in a bind.

Lab in a Box

If you are on a budget, but you have a Cisco PIX 515, a Cisco layer-3 switch (I’m using a 3550) and an HP DL/ML 3-series server, you can create an entire lab with just these three devices. Obviously, it doesn’t have to be Cisco or HP… but as long as the firewall supports trunking and VLAN subinterfaces, the switch supports VRF routing and the server supports trunking/VLANs, then you should be able to modify this to work for any setup accordingly.

Let’s start with the core switch; here is the relevant config from the 3550 I’m using:

ip vrf INET
rd 2600:2
route-target export 2600:2
ip vrf NET1
rd 2600:3
route-target export 2600:3
ip vrf NET2
rd 2600:4
route-target export 2600:4

interface FastEthernet0/1
description Trunk to HP Server
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2-4
switchport mode trunk
no ip address
spanning-tree portfast

interface FastEthernet0/10
description Uplink to PIX Outside
switchport access vlan 2
switchport mode access
no ip address
spanning-tree portfast

interface FastEthernet0/11
description Trunk to PIX Inside
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 3-5
switchport mode trunk
no ip address
spanning-tree portfast

interface Vlan2
description LAB-INET
ip vrf forwarding INET
ip address 1.1.1.1 255.255.255.0

interface Vlan3
description LAB-NET1
ip vrf forwarding NET1
ip address 192.168.10.254 255.255.255.0

interface Vlan4
description LAB-NET2
ip vrf forwarding NET2
ip address 192.168.20.254 255.255.255.0

ip route vrf NET1 0.0.0.0 0.0.0.0 192.168.10.1
ip route vrf NET2 0.0.0.0 0.0.0.0 192.168.20.1

Here is the relevant config on the Cisco PIX:

interface Ethernet0
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.0

interface Ethernet1
no nameif
security-level 100
no ip address

interface Ethernet1.10
vlan 3
nameif inside-net1
security-level 100
ip address 192.168.10.1 255.255.255.0

interface Ethernet1.20
vlan 4
nameif inside-net2
security-level 100
ip address 192.168.20.1 255.255.255.0

access-list OUTSIDE_IN extended permit ip any any

global (outside) 6 1.1.1.4
global (outside) 7 1.1.1.5

nat (inside-net1) 6 192.168.10.0 255.255.255.0
nat (inside-net2) 7 192.168.20.0 255.255.255.0

access-group OUTSIDE_IN in interface outside

route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
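The two configs above have to agree on three things for the lab to pass traffic: every VLAN the PIX tags on its inside subinterfaces must be allowed on the switch trunk toward it, each SVI must sit in the same subnet as the matching PIX subinterface, and each VRF’s default route must point at that PIX address. The following script is an added example, not part of the original post or of any Cisco tooling: it parses trimmed, constructed copies of the switch and PIX configs shown above (indented the way “show running-config” prints them) and reports any mismatch. It also flags two things worth knowing about the posted config: the trunk to the PIX allows VLAN 5, which nothing terminates, and OUTSIDE_IN is a “permit ip any any” applied inbound on the outside interface. The port name FastEthernet0/11 as the PIX inside trunk is taken from the post.

```python
import ipaddress
import re

# Constructed, trimmed copies of the two configs in the post; sub-commands are indented
# as in real 'show running-config' output, which parse_blocks relies on.
SWITCH_CONFIG = """\
interface FastEthernet0/11
 switchport trunk allowed vlan 3-5
interface Vlan3
 ip vrf forwarding NET1
 ip address 192.168.10.254 255.255.255.0
interface Vlan4
 ip vrf forwarding NET2
 ip address 192.168.20.254 255.255.255.0
ip route vrf NET1 0.0.0.0 0.0.0.0 192.168.10.1
ip route vrf NET2 0.0.0.0 0.0.0.0 192.168.20.1
"""
PIX_CONFIG = """\
interface Ethernet1.10
 vlan 3
 nameif inside-net1
 ip address 192.168.10.1 255.255.255.0
interface Ethernet1.20
 vlan 4
 nameif inside-net2
 ip address 192.168.20.1 255.255.255.0
access-list OUTSIDE_IN extended permit ip any any
access-group OUTSIDE_IN in interface outside
"""


def parse_blocks(config):
    """Map each 'interface X' stanza to its list of stripped sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif line[:1].isspace() and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # any other top-level command ends the stanza
    return blocks


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '2-4,7' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def iface_addr(cmds):
    """Return a stanza's 'ip address A M' as an IPv4Interface, or None if unnumbered."""
    hit = [c for c in cmds if c.startswith("ip address ")]
    return ipaddress.ip_interface("/".join(hit[0].split()[2:4])) if hit else None


def check_lab(switch_cfg, pix_cfg, pix_trunk="FastEthernet0/11"):
    """Cross-check switch and PIX configs; return findings (empty list = consistent).
    pix_trunk is the switch port trunked to the PIX inside interface (Fa0/11 in the post)."""
    sw, pix, findings = parse_blocks(switch_cfg), parse_blocks(pix_cfg), []
    allowed = set()  # VLANs the switch carries toward the PIX inside interface
    for cmd in sw.get(pix_trunk, []):
        m = re.match(r"switchport trunk allowed vlan (\S+)", cmd)
        if m:
            allowed = expand_vlans(m.group(1))
    svis = {}  # vlan id -> (vrf, IPv4Interface) for every SVI on the switch
    for name, cmds in sw.items():
        m = re.match(r"Vlan(\d+)$", name)
        if m:
            vrf = next((c.split()[-1] for c in cmds if c.startswith("ip vrf forwarding ")), None)
            svis[int(m.group(1))] = (vrf, iface_addr(cmds))
    nexthops = dict(re.findall(r"^ip route vrf (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", switch_cfg, re.M))
    pix_vlans = {}  # vlan id -> (subinterface, IPv4Interface) on the PIX
    for name, cmds in pix.items():
        vlan = next((int(c.split()[1]) for c in cmds if re.match(r"vlan \d+$", c)), None)
        if vlan is not None:
            pix_vlans[vlan] = (name, iface_addr(cmds))
    for vlan, (name, addr) in sorted(pix_vlans.items()):
        if vlan not in allowed:
            findings.append(f"VLAN {vlan} ({name}) is not allowed on switch trunk {pix_trunk}")
        vrf, svi = svis.get(vlan, (None, None))
        if svi is None or addr is None or svi.network != addr.network:
            findings.append(f"VLAN {vlan}: switch SVI {svi} and PIX {name} {addr} are not in one subnet")
        elif nexthops.get(vrf) != str(addr.ip):
            findings.append(f"VRF {vrf}: default route next-hop {nexthops.get(vrf)} is not PIX address {addr.ip}")
    for vlan in sorted(allowed - set(pix_vlans)):  # trunk hygiene: carried but terminated nowhere
        findings.append(f"VLAN {vlan} is allowed on {pix_trunk} but no PIX subinterface uses it")
    for acl, iface in re.findall(r"^access-group (\S+) in interface (\S+)", pix_cfg, re.M):
        if re.search(rf"^access-list {re.escape(acl)} .*permit ip any any", pix_cfg, re.M):
            findings.append(f"ACL {acl} inbound on {iface} permits ip any any (acceptable only in a lab)")
    return findings


if __name__ == "__main__":
    for finding in check_lab(SWITCH_CONFIG, PIX_CONFIG):
        print(finding)
```

Run against the posted configs it prints exactly two lines, the unused VLAN 5 on the trunk and the wide-open OUTSIDE_IN ACL; change the VLAN tag on one side (for example “vlan 4” to “vlan 6” on the PIX) and it reports the subinterface as not allowed on the trunk and without a matching SVI. Pasting real “show running-config” output into the two strings works as long as the sub-command indentation is preserved.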

On the HP server, configure the trunk interface to have vlan 1, vlan 2, vlan 3 and vlan 4 (name the interfaces appropriately, assign them IP addresses). I used the following IPs:

vlan 1 (n/a)
vlan 2 1.1.1.3
vlan 3 192.168.10.2
vlan 4 192.168.20.2

Then, on the HP server install VMWare Server (free). Configure the VM networks to be bridged to vlan 2, 3 and 4.

Provision a virtual server on each interface and assign a corresponding bridged network.

You now have an “internet” server and two “private” servers behind NAT. On the “internet” server, set up DNS and point the other servers at it for DNS.

To test that I had NAT and firewall working properly, I installed IIS on each server and configured a host header and the appropriate DNS A records on the “internet” server.

I set each website to use index.asp (enabled ASP first) and used the following code:

<html>
<head>
<title>Teh Interwebs</title>
</head>
<body>
Welcome to teh interwebs.
Your IP Address = <%=Request.ServerVariables("REMOTE_ADDR")%>
</body>
</html>

You should be able to hit each website and have the correct “WAN” IP address display on each website. If you can successfully hit the “internet” from each server, and each server from the “internet” then you have a working setup. You can now dcpromo, install Exchange… do whatever it is that you want to test. Modify my setup slightly, and you can test DMZ configurations, among other things.

Virtualizing your environment with Microsoft Hyper-V

After having completed 3 more virtualization projects this month, I have decided that anyone who hasn’t done so yet must be the same type of people running CRT monitors, Intel Pentium 4 processors and Windows XP. So… let me explain the benefits of virtualization.

First of all, if you pay your own electric bill and you have more than 2 servers this will reduce your power bill. The new HP servers, in combination with Windows 2008 R2, have excellent “green” features such as the ability to shut off cores that are not in use (google: p-states). Newer processors run somewhere in the neighborhood of 65 to 80 watts. Older processors fall somewhere above 100 watts. Chalk one up for savings: You are running all of your servers on 1 or 2 servers that can run on a fraction of their cores when idle.

Second… ease of management. If you have ever worked for a company that offers managed services then you know how ridiculous it is to manage a customer with, let’s say… 10 different physical servers. I’m sure you just love trying to manage 10 open RDP windows. On top of that… one of those 10 physical servers locks up. Does it have iLO? If it does, did I document it? I didn’t… crap, now what! Hyper-V allows you to manage the console of each virtualized server from one server. You can shut down, restart, pause/save state without having to RDP into the server. You can manage the consoles the way you would manage 10 open Word documents (Windows 2008 R2, like Windows 7, has that nifty taskbar grouping feature).

Third… if you spend a little extra dough you should add a second server (hopefully you decided on the Enterprise version of Windows Server) and implement a Hyper-V cluster. You can have failover and the ability to avoid downtime even when it’s time to do all those pesky maintenance tasks. Live migration is pretty awesome, I just wish that when a Hyper-V node crashed, the server wouldn’t reboot unexpectedly. They should really figure that one out… anyways… FAILOVER AND LESS DOWNTIME.

Lastly, and least important of all… you get to put all your old hardware on eBay… clean out that rack and have it look presentable again. Cosmetic, I know… but any IT guy can appreciate a clean, clutter-free rack space.

Something new to me that I have been playing around with is Microsoft’s Windows Deployment Services in R2… its benefits really stand out in a virtual environment. Deploying new servers, or prepping virtual servers for customers has never been easier.

If you want consulting to see if you can benefit from virtualization, or perhaps you already know the benefits and you need a company with several years of virtualization experience over a wide variety of platforms (yea, yea… VMWare can do it too), head on over to www.dcicorporation.com and drop us a line.