Firewalls have come a long way since the original stateless varieties, which were little more than a collection of access control lists. These were superseded by stateful firewalls which kept track of the state of network connections. Modern firewalls are now application aware, you can do things like block access to certain applications or prevent users from using applications like Bittorrent.

However, these firewalls don’t come without their problems. They require lots of computing power to analyze and filter applications as they pass through. On some networks it can be a challenge getting the right balance of application awareness and traffic throughput. The more features you enable, the more stressed your firewall becomes. A lot of firewalls are priced on throughput: the greater the throughput, the greater the price. As a result of this, I see some networks with firewalls that are just about coping due to the costs involved of upgrading to the next model.

One incident I worked on last week was with an Internet service provider (ISP). A couple of their corporate firewalls, which linked their staff networks to the Internet, were resetting themselves. They suspected a resource issue on the firewalls and installed extra memory, but this seemed to make the problem worse. We discovered the source of the problem by looking at the network traffic going from the network core to the firewalls.

We found that large volumes of syslog traffic was being routed to an external IP address. This was unusual as syslog is normally used for managing local networks.  We looked at the external IP addresses and saw that they were from an IP range that was once owned by the ISP. They sold it off and updated routing tables. However, nobody checked if any remaining systems were exporting data to this old subnet. Once routing tables were updated the syslog traffic was now sent out via their firewall. This caused an overload and the firewalls reset themselves.

It’s an interesting problem caused by the lack of IPV4 address space. A block of addresses is very valuable.  For example, earlier this year Microsoft paid $7.5 million to purchase a block of 666,624 IPv4 addresses. If you are looking to change IP addressing on your network, make sure you have monitoring in place so that you can identify what is using the IP addresses and for what reason.

The second incident I looked at involved a large university in Scotland. The connection rate limit on their main firewalls was peaking.  This resulted in complaints from network users that connections were dropping or that downloading and uploading was slow.

Networks within educational campuses are typically more open than they would be in a corporate environment. This means that even things like what’s on the TV schedules can affect network performance. Applications like Bittorrent can generate large numbers of connections as it downloads small pieces of data from lots of other clients on the Bittorrent network. In the case of this university network, users on their WiFi networks were tunnelling Bittorrent over TCP port 80.  This resulted in large amounts of traffic and connections. The firewall rules were updated to only allow 80 parallel connections per IP address and the firewalls stabilized.

If you haven’t heard, the landscape for wireless router security has drastically changed.

The most important things to know in the old days were fairly simple: chose WPA2 security in combination with AES or CCMP (two names for the same thing) and a long password.

Of course, there is more to configuring a router than just that, but these three things were the definition of safety. WPA2 is the third generation of Wi-Fi encryption/security and it has stood the test of time. It’s safe.

But, it turns out that a router is like a house with great locks on the front door, but a side window left open.

Routers are computers and do many things in addition to WPA2. One of these other things is a simplified setup method  for people unable to deal with logging in to the router and choosing WPA2, AES and password longer than 12 characters (router configuration for dummies, if you will).

This alternate configuration protocol, Wi-Fi Protected Setup (WPS), is broken. It was designed poorly. Bad guys can exploit the design flaws to learn the Wi-Fi network password, even if the router is using WPA2-AES with a long password. The bug is in WPS (the side window left open), not in WPA2 (the impossible to crack lock on the front door).

Needless to say, when this news broke, I went logged in to my ancient Linksys WRT54GL router to disable WPS. But I couldn’t find it. The only thing that seemed like configuration-for-dummies was something called SES. But all the news stories spoke of WPS, not of SES.

Configuring SES on a Linksys WRT54GL router

The documentation in the router says nothing about SES. Perhaps it was explained in hardcopy but the setup instructions that came with the router are long gone. So too is the CD that came with it. All I could come up with was that SES stood for Secure Easy Setup.

One credible source of security information is the U.S. Computer Emergency Readiness Team (US-CERT). At the bottom of their Vulnerability Note describing the bug in WPS is a link for feedback. So, I asked whether SES was related to WPS.

Someone at CERT was kind enough to reply:

SES is a precursor to WPS.  It has the push-button configuration but not the external registrar PIN feature so it is not vulnerable to having a PIN brute forced remotely.

And thus the title of this blog posting. Older routers that do not support WPS at all are the safest ones available.

Go figure.

UPDATE:

Perhaps the worst aspect of the WPS security flaw is that on many routers, even when WPS appears to be disabled, it’s not. Which routers really disable WPS and which do not? It’s hard to know, which makes the lack of WPS support all the more appealing.

WPS was released in January 2007. Routers released earlier, probably don’t support it. The Wi-Fi Alliance, the governing body for Wi-Fi, publishes a list of certified routers that includes the date of certification.

Recently I worked with a few IT managers who wanted to know one thing: who were the top users of bandwidth on their networks? In some cases, WAN links were oversubscribed, and in others, access to the Internet was slow due to large downloads.

Finding the top users of bandwidth can be broken down into two steps. First, you need to gain visibility into what is happening on the network; then you need to associate this with usernames. Seems straightforward enough, but this data is spread all around the network. This is especially true if you have multiple data centers.

To gain visibility into what is happening on your network, you must first understand what makes up your network core. A network core is typically made up of one or more network switches where servers, routers, firewalls and other switches connect. It is the crossroads of your network, and it is at this point where you can gain visibility into what is happening on the network. Even traffic from WAN sites gets routed through the core as users in the remote sites access applications and servers which are hosted in the data centre.

Once you have identified your network core, you can then use port mirroring or flow features to monitor what data is moving around the network. Flow features exist on most layer 3 devices, typically routers or network switches which can route packets between VLANs. When enabled the device will report on things like what systems are connecting to what and how much data is moving around. A simple analogy is a flow report is that its like a bill you get from your telephone company. You get to see what calls you made and how much they cost.

Port mirroring features are available on most network switches and some routers. It allows you to take a copy of the network packets as they move through the switch. Some switches allow you to monitor specific ports while others will allow you to monitor VLANs. The analogy I would use for port mirroring is that it is like an old fashioned phone tap. Not only do you know who is calling who but you also get the detail of what was discussed during the conversations. In networking terms this is sometimes referred to as DPI, deep packet inspection.

There are many systems and applications out there that can support packet capturing and/or flow data. You just need to find a system that works on your network and gives you the level of detail that you need. Both port mirroring and flow monitoring techniques will produce reports based on the hostname, IP or MAC addresses as the source of the data.

The next step in finding out who is responsible for generating the data on your network is to get the usernames from you network authentication infrastructure. A lot of networks use Microsoft Active Directory for this purpose, although other systems like RADIUS are also used. No matter what system you use I would recommend that you have auditing of user logons enabled. What you are looking for is that each time a user logs onto your network a record is kept of what system they logged onto and at what time. In most cases the system that the user logged onto is captured as an IP address.

Now it comes to putting the data together. Your traffic analysis (flow or packets) system should be able to produce an output like top IP addresses generating data on the network. You can then look at what usernames are associated with these systems by cross checking the logs on your authentication systems. The final report will then be the top users of bandwidth on your network.

Enable Remote Desktop Remotely

To enable the remote desktop connection to a network system without going to the physical machine, follow:-

1. Go to Regedit of our local system

2.Click on File then select Connect Network Registry.

3. Here enter the IP address or system name of the computer to which you want to enable remote Click OK

4.Now the registry of remote machine will open.

6. Go to remote system registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server, here in the right panel side selectfdenyTSConnection(REG_DWORD).

7. Change the value data from 1 (Remote Desktop Disabled) to 0 (Remote Desktop Enabled)

Now try to establish the RDP connection to that remote system

How to disable dumprep.exe process

1. Right click on “My Computer,” choose “Properties” from that menu.
2. Click on “Advanced tab,”
3. Click the “Error Reporting” button.
4. Check the “Disable error reporting” box. You may choose to uncheck the the box below it, “But notify me when an error occurs,” if desired.

System Taskmanager Process list http://www.answersthatwork.com/Tasklist_pages/tasklist_d.htm

Workgroup and Domain are disabled

Restart the Netlogon Service

Enabling/Disabling Alt+Ctrl+Del Login

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Intel took the wraps off its new Atom-based S1200 processor family (aka Centerton), a trio of 64-bit SoCs (systems on chips) that run on a mere six watts of power. The S1200 is clearly groomed for the legions of low-power microservers increasingly taking up residence in cloud-computing farms across the globe, as well as energy-efficient storage and networking gear.

The chips are aimed at a specific processing task: lightweight, scale-out Web apps that don’t require heavy processing on the back end. These babies are all about high density, unlike the Intel Xeon line, which is groomed for compute-intensive apps that require a high rate of transactions.

“If you want the maximum possible throughput per node or per rack, Xeon delivers twice as much compared to Atom,” said Chris Feltham, Intel EMEA product manager. “If you want density, Atom will give more than five times [capacity]…. If your business model is based around the number of dedicated servers — hosting or revenue per tweet — [having] the maximum number of nodes is going to interest you.”

The Atom S1200 chips, which feature speeds ranging from 1.6GHz to 2.0GHz, include two physical cores and a total of four threads, all enabled with Intel’s Hyper-Threading Technology. The chip also includes 64-bit support, a memory controller supporting up to 8GB of DDR3 memory, Intel’s Virtualization Technologies, eight lanes of PCI Express 2.0, Error-Correcting Code support for higher reliability, and other I/O interfaces integrated from Intel chip sets. According to Intel, they’re compatible with existing x86 software.

The fact that Intel has managed to crank out a six-watt chip is quite noteworthy, demonstrating that green traits like low energy consumption have shifted from a novelty to a must-have feature. In comparison, the thermal design power for Intel’s Xeon processors in 2006 was 40 watts; this year, the company has reduced the draw to 17 watts. Rivals ARM and AMD have similarly strived to slash the energy draw of their server chips.

Intel also took the opportunity to boast that major server players like Dell, HP, and Supermicro are already embracing the S1200 for microserver designs and other gear.

Floundering AMD pre-emptively jumped on Intel’s announcement with a PR blast to journalists to deride Intel’s latest foray into the microserver space — and to take to jabs at the company’s struggles in the mobile market.