May 8th, 2008 @ 6:32 pm
After over a month, I decided it was finally time to get rid of the default WordPress theme. I went live with the new theme last night and just did a little bit of tweaking. I had to “Widgetize” it, which turned out to be somewhat of a pain.
I’m still not sure what kind of header I want - the Cat5 cable is kind of cool, but I’d like something better. Anyone got any ideas?
May 8th, 2008 @ 1:11 am
I just noticed that Windows XP Service Pack 3 is available on WSUS. I don’t dare approve it for install without some major, heavy-duty testing, but I’m glad to see it finally available. Hundreds of patches have been released since SP2 and installing them all on a new system build is painful. SP3 will include all of those previous patches.
There are also a couple of new features included. Network Access Protection is now supported for connections to Windows 2008 servers with NAP enabled. There has also been some IP Stack hardening added, similar to the hardened IP stack in Vista.
Once I get a couple of other projects wrapped up, I’ll do some testing and hopefully get SP3 rolled out in the near future.
May 7th, 2008 @ 6:44 pm
It’s amazing how bad it’s gotten lately. We average over 20,000 emails per day and less than 1500 are legitimate messages. Check out this spike this afternoon. I wish I could bill the spammers for their wasted bandwidth.

May 7th, 2008 @ 12:40 pm
I’ve been following Joe’s House Pay-Off Spectacular and recently had the chance to attend his Financial Learning Experience workshop. I’ve been committed to becoming debt free for a while, but never really tracked my progress. Joe inspired me to do so.
I can’t believe how much time I spent in Photoshop last night playing with an outline of a house. I also couldn’t believe how close I actually am. This is awesome!
I have a little twist on Joe’s pay-off spectacular because I have some cash in savings that I am willing to apply to the mortgage once it gets low enough. So, I’ve used two colors. The green is principal paid on the mortgage, the pink is available savings I’m willing to commit to the mortgage, and the white is unpaid. Basically, once the green and pink meet, all the pink will be converted to green. (Click for larger image)

Maybe I’m a geek for thinking this is fun, but I’m enjoying it. I’ll post a monthly update until I’m all green.
May 7th, 2008 @ 12:03 pm
I am not a Nine Inch Nails fan at all, but I thought it was cool to see that they have released their new album online. I am also not an RIAA fan, so I think it’s awesome that bands are starting to choose to use the power of the internet to distribute their music!
May 6th, 2008 @ 1:05 pm
I’ve been evaluating our current firewall situation and came to the following conclusion: We have too many products from too many vendors costing too much money and causing too many headaches.
Currently, we use a Watchguard Firebox X700 for our internal network and DMZ. It’s fine when it works, but gets flaky sometimes. It will randomly stop passing FTP traffic, or you add a new rule and it won’t actually work until you reboot. Overall, I’m not impressed.
Inside the Watchguard sits a Barracuda Web Filter. I like this box - it works great and causes very few issues. They do silly stuff sometimes like adding Northpoint.org to the “Spam” category, but, overall, I’m happy.
For our public network, there is a Sonicwall Pro 3060 running Sonicwall’s own content filtering service. The Sonicwall is a nice box, but has its issues with occasionally locking up and other weird stuff. I’ve used them in the past and came to the conclusion that it’s a great small office firewall, but really not an enterprise-class solution. The yearly support cost plus the yearly content filter license gets expensive too.
For VPN, we use a Cisco ASA 5510. This replaced the Watchguard VPN (which is absolutely horrible) and provides VPN access for laptops and a few remote sites (5505’s at the remote sites). I love the ASA firewalls. They are rock solid on both stability and performance and, in my opinion, easier to configure. This is definitely a keeper. Ironically, of the three boxes, the Cisco has the lowest yearly support cost.
I’m sure there were good reasons for implementing each product at the time, but everything but the Cisco was here before my time, so I don’t know all the details.
In putting it all together, this is what I’m seeing:
- We’re paying for subscriptions to two different content filtering services - one for the internal network and one for the public network.
- We have support contracts with 3 different vendors.
- There are some stability problems.
- Learning curve involved with multiple products.
Most of those contracts are up for renewal, so now is the time for change. My thought is to get another ASA 5510 and use its multiple interfaces to attach the internal network, the DMZ, and the wireless to one firewall. Then, hang the Barracuda Web Filter off another interface and redirect all outbound http traffic to it via WCCP.
It seems almost too simple. One firewall for all the network segments, one content filter for everything, one less piece of hardware, more stability. It just makes sense all around. If anyone has any thoughts on this, I’d love to hear them.
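As an added example (not the author's configuration and not taken from Cisco documentation), here is what the consolidated layout sketched in this post could look like on an ASA 5510 in the pre-8.3 configuration syntax of that era: the internal network, DMZ and wireless on separate interfaces with descending security levels, PAT for the private segments, a wireless policy that allows DNS and web access but nothing inward, a single published DMZ service, and WCCP redirection of outbound HTTP to the Barracuda. All addresses, interface assignments, hostnames and ACL names are assumed. One point worth checking before committing to the design: ASA WCCP redirection is ingress-only, and the cache engine has generally had to sit on the same interface as the clients whose traffic is redirected, which is why the example puts the Barracuda on the inside segment rather than on its own interface. Verify that against the configuration guide for the release in use, since it decides whether the filter can hang off a separate interface as planned.

```text
! Added example, not the author's running config. Pre-8.3 ASA syntax.
! Addresses, interface numbers, hostnames and ACL names are assumed.
hostname asa5510
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.0.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.2.0.1 255.255.255.0
!
interface Ethernet0/3
 nameif wireless
 security-level 25
 ip address 10.3.0.1 255.255.255.0
!
! PAT every private segment behind the outside interface address
global (outside) 1 interface
nat (inside) 1 10.1.0.0 255.255.0.0
nat (dmz) 1 10.2.0.0 255.255.255.0
nat (wireless) 1 10.3.0.0 255.255.255.0
!
! Wireless may resolve names and browse, but reaches nothing on inside or dmz
access-list wireless_in extended permit udp 10.3.0.0 255.255.255.0 any eq domain
access-list wireless_in extended deny ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list wireless_in extended deny ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list wireless_in extended permit tcp 10.3.0.0 255.255.255.0 any eq www
access-list wireless_in extended permit tcp 10.3.0.0 255.255.255.0 any eq https
access-group wireless_in in interface wireless
!
! Only the published web service reaches the DMZ from the internet (assumed server)
static (dmz,outside) 203.0.113.3 10.2.0.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.3 eq www
access-list outside_in extended permit tcp any host 203.0.113.3 eq https
access-group outside_in in interface outside
!
! WCCP: redirect inside clients' outbound HTTP to the Barracuda (assumed 10.1.0.10),
! which sits on the inside segment so redirection stays on one interface.
! The filter's own outbound HTTP is excluded so it is never redirected to itself.
access-list WCCP-CLIENTS extended deny tcp host 10.1.0.10 any eq www
access-list WCCP-CLIENTS extended permit tcp 10.1.0.0 255.255.0.0 any eq www
access-list WCCP-ENGINE extended permit ip host 10.1.0.10 any
wccp web-cache redirect-list WCCP-CLIENTS group-list WCCP-ENGINE
wccp interface inside web-cache redirect in
```

With no ACL applied to inside or dmz, the ASA's default behaviour applies: inside (100) may initiate to dmz (50) and outside (0), dmz may initiate outbound, and nothing lower may initiate toward a higher security level. The wireless ACL replaces that default for the wireless interface, so its deny entries toward inside and dmz are what keep guest devices off the private segments even though wireless outranks outside.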
May 5th, 2008 @ 11:48 am
I had the opportunity to visit Avalon Church yesterday and hear Joe Sangl speak in the morning services as well as at the Financial Learning Experience workshop. I think it’s awesome that Joe has dedicated his life to teaching people how to manage their money. I especially like his story of the “Mortgage Burning Party” he attended. I might have to copy that idea.
I made a commitment way back to never fall into the “debt trap” that seems to plague our country today. I had one car loan back in 2001 and hated it, so I worked hard to pay it off in 6 months. Since then, I can proudly say I have never carried a balance on a credit card and today have no debt except for a mortgage. My goal is to have it paid off in the next year. I think I’m going to start my own Payoff Spectacular to track my progress. Perhaps Joe will be able to attend my Mortgage Burning Party.
May 4th, 2008 @ 10:32 pm
I arrived back home last night after a few days at the beach with about 60 people from our staff team. It’s awesome to have the chance to get away for a few days and have a time of relaxation and worship. I’d like to share a few random thoughts about this week:
- Thomas shared a message with us each night based on Deuteronomy 6:4-5 - a great reminder that we must put the Lord first in our lives and love him with all of our heart, soul, and strength.
- It’s important not only to pray for our work and ministry, but for rest and fun.
- We discussed being “worn out” for the Lord. Not worn out as in Burnt Out, but from loving and serving Him with all of our strength. How awesome it would be if when we go home to be with the Lord, we are totally “worn out” from serving him with all of our heart, soul and strength.
- I got to spend a few hours on the beach late Friday night. It’s so great to walk a few miles down, away from all the hotels, lights, and noise and spend time with God. There’s so much noise and distraction in our lives these days, sometimes it’s hard to hear his voice.
- Getting up at 5:00 AM to go fishing is WAY too early and the water was really rough, but it was still a lot of fun.
- I’ve never had communion with red Solo cups until this week - there’s a first time for everything I guess.
- These retreats are always great because I get to spend time with and get to know people I otherwise seldom see. Our staff is so big, it’s hard to get to know everyone well.
- I’m really tired. I can’t say I came home from this retreat physically rested. It was, however, a great time of renewing spiritually.
May 3rd, 2008 @ 8:19 pm
Tony made an interesting comment on my Remote Access Post from a few days ago. He has a good point, and I think it’s worth visiting. Who do we give remote access to, and from what computers? Is it a good idea to allow them access from their personal computers? I have had the same thought, and that is the primary reason I’m not already doing it. Here’s a few thoughts:
Generally, only a user with a church supplied laptop would be given VPN rights. If the user has been granted the right to log in via VPN, though, can I really control what machine they do it from? I really can’t. All they need is the Cisco VPN client and a few configuration details, so, in theory, a tech-savvy user could access the VPN from any computer.
- Is it any different from a rogue computer being physically plugged into the network? No, it’s really not. Now, random machines being attached to the network is definitely not something I promote or desire. But, it would take very extreme measures and a lot of expense to stop it. 802.1x is a possibility, but, beyond that, it would require some sort of centralized MAC Address based authentication. This exists from a few vendors, but isn’t cheap. Bottom line is, it’s not easy or cheap to keep rogue machines out completely.
- Putting costs and implementation issues aside, what impact would it have on ministry to implement the above? Are there legitimate reasons for someone to attach a “rogue” machine to the network? In general, no, but there are some exceptions.
- We live in an increasingly “connected” and mobile society. Ministry is no exception. Increasingly, being on the cutting edge of technology is a requirement of our ministry. It is absolutely critical that we enable our staff to perform their duties without being physically present in the office.
So, with the above in mind, I’ve placed a greater focus on keeping our internal defenses in line. Here’s a few actions I’ve taken or plan to take:
- Windows firewall is enabled on all workstations via group policy and no programs are allowed to create exceptions. There are only a handful of ports allowed.
- This is a no-brainer, but centrally managed anti-virus is in place on all internal machines.
- SMTP is not allowed outbound from anywhere on the network, with the exception of our exchange servers. This limits the scope of damage should a machine with a mass-mailing worm show up on the network.
- Access to network file shares is very carefully controlled. User accounts do not have access to anything they do not specifically need to access for their job function.
After putting a lot of thought into it, I’ve come to the conclusion that the benefits of allowing VPN access outweigh the potential negative impact of not allowing it. I would rather allow limited access via other methods if possible, which is why I’m exploring Terminal Services Web Access combined with RemoteApp. But, if for some reason the Terminal Services solution does not work out, I believe VPN is an acceptable fall-back.
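An added example, not the author's configuration, of how two of the controls in this post could be expressed on the ASA once the internal network sits behind it as the May 6th post proposes: the "no SMTP outbound except from Exchange" rule, and the idea that a VPN user on an unknown machine should reach only the services the job requires. Pre-8.3 syntax; the inside range, Exchange and terminal server addresses, syslog collector and VPN pool are all assumed. The point of the deny entries is as much detection as blocking: they log at warning level once per minute per flow, so a workstation that suddenly starts hunting for mail relays shows up on the syslog collector as a run of 106100 messages naming the source host, which is exactly the mass-mailing-worm case the post worries about.

```text
! Added example, not the author's configuration. Pre-8.3 ASA syntax.
! Assumed addresses: inside 10.1.0.0/16, Exchange 10.1.0.20-21,
! terminal server 10.1.0.30, syslog collector 10.1.0.50, VPN pool 10.200.0.0/24.
object-group network EXCHANGE-SERVERS
 network-object host 10.1.0.20
 network-object host 10.1.0.21
!
! Inside egress: only Exchange may speak SMTP outbound. Every other attempt
! at port 25 is dropped and logged (syslog 106100, at most one line per minute per flow).
access-list inside_in extended permit tcp object-group EXCHANGE-SERVERS any eq smtp
access-list inside_in extended deny tcp any any eq smtp log warnings interval 60
access-list inside_in extended permit ip 10.1.0.0 255.255.0.0 any
access-group inside_in in interface inside
!
! VPN clients: a successful tunnel must not bypass the outside interface ACL
! (permit-vpn is on by default and would let decrypted traffic skip it).
no sysopt connection permit-vpn
ip local pool VPN-POOL 10.200.0.1-10.200.0.254 mask 255.255.255.0
!
! Remote users reach the terminal server (RDP) and Outlook Web Access, nothing else.
! Any published internet-facing services would share this ACL.
access-list outside_in extended permit tcp 10.200.0.0 255.255.255.0 host 10.1.0.30 eq 3389
access-list outside_in extended permit tcp 10.200.0.0 255.255.255.0 object-group EXCHANGE-SERVERS eq https
access-list outside_in extended deny ip 10.200.0.0 255.255.255.0 any log warnings interval 60
access-group outside_in in interface outside
!
! Ship the denies to a collector so someone can actually review them.
logging enable
logging timestamp
logging trap warnings
logging host inside 10.1.0.50
```

Because the VPN pool is a distinct range, the outside ACL can treat remote users differently from internet traffic without any guesswork about which physical machine they came from, which is the best a network control can do for the personal-computer question raised above; what runs on that machine still has to be handled by the host-side measures listed in the post.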
May 3rd, 2008 @ 8:01 pm
I spent some time on the way home today (when I wasn’t driving) to clean up my inbox. I love cached Exchange mode in Outlook - the ability to delete, move, and reply to stuff and have it all sync up next time you hit the network is great. Anyway, I still need to do a little bit more work, but I’m down to 160 items in my inbox. I don’t recall it being that small in a LONG time. Just thought I’d share.