Monday, September 21, 2009

Network Security Software

Sunbelt Software's VIPRE - Redefining security software


Adrian Kingsley-Hughes from zdnet.com

Sunbelt Software’s VIPRE - I’ve finally found an antivirus package that delivers the goods.

Over the years I’ve become truly disillusioned by security software. A good antivirus package used to be the first thing that I installed on a system after installing the OS, but now that’s become one of those tasks that I know I should do (not just to protect myself, and the network, but others that I communicate with) but that I put off until the last minute. Why? Because I know I’ll start hating the system shortly afterwards and resenting the security software for consuming so much of my precious system resources.

There have been times when seeing the performance hit that a system takes after installing a security package has actually made me put my head in my hands and wonder whether all these strides we have made in processor power and RAM capacities are all undone thanks to security firms unleashing their bloated wares upon us. I’m not going to name any names - I’m pretty sure that most of you will be able to rattle off a list of them without any prompting from me.

Time for a short story …

OK, story time. Last night my wife and I were at my mother-in-law's and the subject of her slow notebook came up. The notebook in question is an aging IBM ThinkPad R51e that runs Windows XP and which hasn't really been all that fast from the start. It suffers from not enough RAM and too many drivers and vendor-specific apps (which are tricky to remove without losing features) kludging up the system. But what makes matters worse is that any security software you install onto the system amplifies these problems greatly.

The antivirus package that was installed on the system was Kaspersky AntiVirus 2009 2008. I have a love/hate relationship with this product and use it mostly because it's the best of a bad bunch (a statement that says a lot about the current line-up of security software). We uninstalled this application and immediately there was a performance gain. I didn't benchmark the system under controlled conditions, but I'd say that boot times were cut by about 33% and loading times for applications by 25%. However, I knew that I couldn't leave the system unprotected and that I'd have to install something in place of Kaspersky. Then I remembered that I'd received an email earlier in the week from Sunbelt Software informing me that the new VIPRE antivirus and antispyware app was out (an enterprise version has also been released). One of the features that the email bragged about was how this software wasn't a resource hog.

I decided to pull up the website and take a look. The copy for VIPRE (which stands for “Virus Intrusion Protection Remediation Engine”) was full of performance-related claims:

  • “VIPRE Antivirus + Antispyware is high-performance security software that doesn’t slow down your PC like older, traditional antivirus products.”

  • “Tired of old antivirus software that makes your PC slow down to a crawl? Interrupting what you are doing with slow scan times, causing problems and nagging you? Time for a change to next-generation antivirus + antispyware that IS NOT a resource hog!”

  • “Does not slow down your PC”


Bold claims, but that said, almost all antivirus vendors nowadays make similar claims.

OK, I clicked the download link and the 12.6MB package came down swiftly. I started the install process, which seemed much like every other install process, and the program installed without fuss. After a reboot the setup wizard picked up again and guided us through the initial setting up of the software. VIPRE downloaded the risk definitions and the program was ready to roll.

Then I noticed something. The system was just as responsive with VIPRE installed as without. Wow! I wasn’t expecting that. We rebooted the system just in case it wasn’t running, and then downloaded the EICAR test file to make sure that it was running and sure enough, it was, and it was having almost no effect on the performance of the system. To say I was impressed would be an understatement.

Back at the PC Doc HQ …

Today I’ve had a chance to take a closer look at VIPRE, and it has to be said that I like what I see.

  • First off, the performance claims do seem to be real. Today I've uninstalled a number of different antivirus packages from a selection of systems and replaced them with VIPRE, and on every system I'm seeing and feeling a performance boost. Not only is the real-time monitoring far lighter and less of a resource hog than any other antivirus package I've come across, the system scanner is also fast and lightweight (I've been typing this, taking screenshots and running a couple of virtual machines while VIPRE has been scanning my system). My testing backs up the claims made by Sunbelt Software and goes to prove the benefits of a clean-slate approach, building a product from the ground up.

  • VIPRE offers all-round protection - antivirus, antispyware, protection from email-borne threats, rootkit detections and other goodies such as a secure file eraser and history cleaner.

  • VIPRE is easy to use. In fact, the interface is a pleasure to use.

  • The product is honest and gives you clear feedback relating to what it finds on your system - no scan and scare tactics here.

  • Then there's the aspect of fair pricing. A single license for VIPRE costs $29.95 and gives you a year's worth of updates, a 3-user annual subscription is $39.95, and for $49.95 you can protect all PCs in a single household with a single site license. That's the fairest deal I've come across.
    “Typical ‘household’ licenses offered for security software products limit the number of PCs protected to anywhere from three to five per household,” said Alex Eckelberry, president of Sunbelt Software. “With our unlimited home site license, customers pay one low annual subscription price for the product of their choice for all the PCs in their home. We don’t care if it’s five, ten, or 200 computers. One price covers all the computers located in that residence.”


Now I’ve rolled VIPRE onto a number of systems, I’ll let you know how things go in a follow-up post.

System Requirements

  • Microsoft Internet Explorer 5.5 or higher

  • At least an IBM-compatible 400MHz computer with minimum 256MB RAM

  • At least 150MB of available free space on your hard drive

  • 2x CDROM

  • Internet access with at least 56Kbps connection

  • Supported Operating Systems:
    - Windows 2000 SP4 RollUp 1
    - Windows Server 2008
    - Windows XP SP1, SP2, SP3 (Home, Pro, Media Center, Tablet) 32 and 64-bit
    - Windows Vista+ (All flavors) 32 and 64-bit

  • Supported Email Applications: Outlook 2000+, Outlook Express 5.0+, Windows Mail on Vista, and SMTP and POP3 (Thunderbird, IncrediMail, Eudora, etc.)

  • Installation of VIPRE is not supported on Windows 95, 98, or ME, Macintosh or Linux

A fully functioning trial version of Colasoft Capsa R2 is available.

Can peer-to-peer coexist with network security?

Network security experts have long cautioned about the risk posed by the use of peer-to-peer file sharing by individuals working in corporations, warning that the practice creates holes that let malware in and sensitive data out. Their message may be having an impact in the P2P development community.

A trade group representing peer-to-peer file sharing providers next week will publish a report that finds P2P software companies are modifying their programs in an effort to make it harder for users to inadvertently share sensitive information.

Elinor Mills (CNET news editor) said:

For corporate IT administrators, that shift can't come soon enough. The problem was highlighted by the recent news that avionics blueprints of President Obama's helicopter had leaked through a peer-to-peer network used by a defense contractor to an IP (Internet Protocol) address in Iran.

This isn't the first time sensitive data has trickled out via popular file sharing networks. Last summer, personal information of some 1,000 former patients of the Walter Reed Army Medical Center was believed to have been leaked via a peer-to-peer network. Sensitive health care and financial data has also been found on file sharing networks, according to studies from Dartmouth College and P2P network monitoring service provider Tiversa, which also uncovered the leaked presidential helicopter data.

Peer-to-peer use at ABN Amro and Pfizer led to the exposure of personally identifiable information of more than 20,000 consumers in 2007. And then there was the symbolic slap in the face when politicians called P2P networks a potential "national security threat" at a congressional hearing that summer.

Minimizing the risk

IT administrators need to have a written policy that specifies whether or not employees are allowed to use file sharing. And they need to use perimeter security software, including firewall and intrusion detection, "to lock down the ports used by P2P or to look for specific P2P network traffic," said Tony Bradley, director of security at Evangelyze Communications, a unified communications software and service provider.

Corporations also might consider encrypting sensitive information and using data loss prevention tools to block data leakage, experts said. And if they want to see if any of their data has found its way onto a P2P network, they can hire Tiversa to probe Gnutella, eDonkey and FastTrack file-sharing networks.

Tiversa probes the networks, searching for specific terms and lets customers know when it finds any data out there specific to that firm and helps pinpoint the source of the leak and stop it.

After lawmakers accused them of being part of the problem nearly two years ago, P2P providers and their trade group--the Distributed Computing Industry Association (DCIA)--formed a working group to figure out ways to minimize the risk for P2P users and their networks. The DCIA prepared a report dated Thursday on the Inadvertent Sharing Protection Compliance that lists guidelines for better protecting P2P users and percentages of its members who are following them.

The latest version of popular file sharing software, released earlier this year, LimeWire 5, includes a number of the suggested changes and served as a "poster child for compliance," said Marty Lafferty, chief executive of the DCIA.

The report shows 100 percent compliance with the guideline that recommends that default settings prohibit the sharing of user-originated files, while 57 percent of the respondents said they were complying with the guideline to offer a simple way for the user to disable the file-sharing functionality.

Other guidelines, with compliance percentages ranging from 29 percent to 71 percent, included requiring users to select individual files within a folder to share rather than sharing the entire folder, requiring the user to take affirmative steps to share sensitive folders and preventing the sharing of a complete network or external drive or user-specific system folder, such as "Documents and Settings." Among the guidelines are requirements for warnings to the user when particular settings might jeopardize security.
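The perimeter controls Bradley describes above, locking down P2P ports or looking for specific P2P traffic, as an added example that is not part of the CNET article: a small Python classifier that flags flows by well-known P2P port or by the Gnutella handshake banner in the first payload bytes, run over constructed flow records. The port numbers and the handshake strings are taken from the public Gnutella, eDonkey and FastTrack protocol descriptions, not from this page, and the sample flows are made up.

```python
"""Flag likely P2P flows by destination port and by Gnutella handshake banners.

Added example for the perimeter controls discussed above; not part of the
article. Ports and banners come from public protocol documentation (an
assumption, since clients can be reconfigured), and the flows are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known default ports. A port match alone is only a weak signal: P2P
# clients are routinely moved to other ports, and other services may use these.
P2P_PORTS = {
    6346: "Gnutella",
    6347: "Gnutella",
    4662: "eDonkey",
    1214: "FastTrack",
}

# Payload prefixes at the start of a Gnutella 0.6 TCP handshake
# (connecting side first, then the accepting side's reply).
GNUTELLA_BANNERS = (b"GNUTELLA CONNECT/", b"GNUTELLA/0.6 ")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes of the TCP payload; may be empty


def classify(flow: Flow) -> Optional[Tuple[str, str]]:
    """Return (protocol, evidence) if the flow looks like P2P, else None.

    A banner match is strong evidence whatever the port; a port match with no
    recognisable banner is weak and is labelled so the analyst can tune it.
    """
    for banner in GNUTELLA_BANNERS:
        if flow.payload.startswith(banner):
            return ("Gnutella", "handshake banner")
    if flow.dport in P2P_PORTS:
        return (P2P_PORTS[flow.dport], "well-known port only (weak)")
    return None


def scan(flows: List[Flow]) -> List[str]:
    """Return one report line per suspicious flow, in input order."""
    report = []
    for f in flows:
        hit = classify(f)
        if hit:
            proto, evidence = hit
            report.append(f"{f.src} -> {f.dst}:{f.dport} {proto} ({evidence})")
    return report


# Constructed sample flows: a Gnutella handshake on a non-default port, an
# ordinary TLS connection, and a connection to the eDonkey default port with
# no payload captured.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.9", 8080,
         b"GNUTELLA CONNECT/0.6\r\nUser-Agent: example\r\n"),
    Flow("10.0.0.6", "198.51.100.2", 443, b"\x16\x03\x01"),
    Flow("10.0.0.7", "192.0.2.44", 4662, b""),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_FLOWS):
        print(line)
```

Blocking the listed ports on the firewall stops only default-configured clients; the banner check catches the first sample even though it runs on port 8080.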

We (Colasoft) focus on providing all-in-one, easy-to-use software solutions for users to monitor network activities, analyze network performance, enhance network security, and troubleshoot network problems.

Norton Internet Security 2010 Review

Take a quick glance at the just-released Norton Internet Security 2010, and you won't notice much of a difference from previous incarnations -- the interface and feature set are so similar that it appears that only very minimal changes have been made to the suite. But under the hood is a new reputation-based security technology that the company claims is better positioned to protect against quickly evolving threats than traditional signature-based and behavior-based detection.

As with previous versions, Symantec's suite offers protection against viruses, Trojans, rootkits, spyware and malware of all kinds. Also, like previous versions, it has a firewall, intrusion protection, e-mail protection and Web protection. It integrates with your browser and search engine to warn you away from visiting sites that might be malicious.

The suite, despite its hefty feature set, does not take up a good deal of RAM or system resources. It's unlikely that you'll even notice it's running, a welcome change compared to several versions ago when it bogged down your system.

New reputation-based Quorum


Traditionally, security software detects threats by searching for signatures -- distinct code patterns that identify malware -- or by examining the behavior of a piece of software. Symantec claims that these solutions can't keep up with the massive amounts of new malware released every year.

The company has named its new reputation-based technology Quorum. It was designed for a world in which malware threats evolve exceedingly quickly and may be built to last only for a day, because malware writers know that signatures can be released to detect the threat in only 24 hours. Symantec claims that it is these kinds of threats -- those intended to do their damage quickly, before they are caught -- that are the primary dangers today.

Quorum creates a "reputation" for every piece of software it encounters, basing that reputation on a number of factors, including download source, age, prevalence and digital signature. So, for example, a new file downloaded from a not-well-known Web site that very few people have ever used will be regarded as suspect by Quorum, even if it is not known as a piece of malware and exhibits no suspicious behavior. As a result, one of malware writers' greatest weapons -- their ability to quickly turn out new pieces of malware -- makes it more likely that the new malware will be deemed suspicious by Quorum.


According to Symantec, Quorum relies on data that Symantec has been capturing for years through millions of people who use Norton products and opt in to the Norton Community, sending information anonymously about the applications running on their systems. Quorum uses this information to help calculate its "reputation score" for applications.

Symantec stresses that it hasn't abandoned other means of catching malware; the reputation score is used in concert with signature-based and behavior-based protection.

Will the addition of Quorum actually help protect you more than traditional forms of protection? We'll only know when labs weigh in with their results.

Welcome to the familiar interface


As I mentioned before, Norton Internet Security 2010 looks very much like the 2009 version, so there will be very little learning curve for those who have already used the product.

The main screen is now divided into three sections entitled Computer, Network and Web (rather than the previous Computer, Web and Identity). It tells you at a glance the state of your security, notes whether any actions need to be taken, and lets you turn features on and off. As with the previous version, there are monitors on the left-hand side of the screen that show your CPU's current usage and how much of that Norton is taking up.

If you want a quick glimpse of the state of your security, you'll just use the main screen. But if you're the kind of person who likes to dig deep, you'll find plenty of links here that will lead you to additional data. For example, click the Performance link on the left-hand side, and you'll see a new feature: a page that offers in-depth detail about CPU and RAM use over the last ten minutes, the last half hour, hour-and-a-half, day, week, and month.

Better yet, another new link on the main page gives you access to detailed information from the suite's System Insight feature. This display shows, over time, any events related to your PC's security, such as virus scans and their results, and new software that you've installed. Using this info, you may be able to track down PC problems yourself -- for example, if you notice unusual behavior, you can check this screen to see if that behavior started after you installed a particular piece of software.

Another useful feature accessible from the main screen is the Network Security Map. It shows you all of the devices attached to your network, and includes information such as the IP address, MAC address, whether they're online, and so on.


Another feature, the Vulnerability Protection link, is less than useful. It lists programs that Norton has found to have vulnerabilities -- but not necessarily those you have on your PC. The list is generic and lists all software against which Norton offers protection. There's no need ever to check it.

What's new?


Quorum's reputation-based strategy represents the biggest change compared to previous versions, but there have been other changes as well. The suite's anti-spam component features a new engine from enterprise anti-spam vendor Brightmail. Symantec claims that it is 20 percent more effective than the suite's previous anti-spam protection.

Also included is Norton Safe Web; this service is new to Norton Internet Security but was previously introduced in Norton 360 version 3.0. It works with Google, Yahoo and Bing, and shows whether any sites that turn up in search results are potentially dangerous or untrustworthy.

In addition, Norton Internet Security 2010 users get a free subscription to OnlineFamily.Norton, a Web-based service that lets parents control what their kids do on the Web.

The bottom line


If you're a user of Norton Internet Security 2009, it's certainly worth going to the newer version, because Quorum will most likely make you safer, and the new features are worthy additions. Not only that, but the upgrade is free.

As for whether to switch to NIS 2010 -- which costs $69.99 for a three-PC license -- from a different Internet protection program, that's a tougher call. The interface is certainly simple and straightforward, and also lets you dig into security details. There's no way to evaluate yet whether the new tools will be more effective than the old ones; only widespread use and exposure to many malware threats will tell.

For more information about Internet security, please go to colasoft.blog.com

Computer Security

A What is computer security?

Computer security is the process of preventing and detecting unauthorized use of your computer. Prevention measures help you to stop unauthorized users (also known as "intruders") from accessing any part of your computer system. Detection helps you to determine whether or not someone attempted to break into your system, if they were successful, and what they may have done.

B Why should I care about computer security?

We use computers for everything from banking and investing to shopping and communicating with others through email or chat programs. Although you may not consider your communications "top secret," you probably do not want strangers reading your email, using your computer to attack other systems, sending forged email from your computer, or examining personal information stored on your computer (such as financial statements).

C Who would want to break into my computer at home?

Intruders (also referred to as hackers, attackers, or crackers) may not care about your identity. Often they want to gain control of your computer so they can use it to launch attacks on other computer systems.

Having control of your computer gives them the ability to hide their true location as they launch attacks, often against high-profile computer systems such as government or financial systems. Even if you have a computer connected to the Internet only to play the latest games or to send email to friends and family, your computer may be a target.

Intruders may be able to watch all your actions on the computer, or cause damage to your computer by reformatting your hard drive or changing your data.

D How easy is it to break into my computer?

Unfortunately, intruders are always discovering new vulnerabilities (informally called "holes") to exploit in computer software. The complexity of software makes it increasingly difficult to thoroughly test the security of computer systems.

When holes are discovered, computer vendors will usually develop patches to address the problem(s). However, it is up to you, the user, to obtain and install the patches, or correctly configure the software to operate more securely. Most of the incident reports of computer break-ins received at the CERT/CC could have been prevented if system administrators and users kept their computers up-to-date with patches and security fixes.

Also, some software applications have default settings that allow other users to access your computer unless you change the settings to be more secure. Examples include chat programs that let outsiders execute commands on your computer or web browsers that could allow someone to place harmful programs on your computer that run when you click on them.

From cert.org

Computer security is a branch of technology known as information security as applied to computers and networks. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to remain accessible and productive to its intended users.

The technologies of computer security are based on logic. As security is not necessarily the primary goal of most computer applications, designing a program with security in mind often imposes restrictions on that program's behavior.

There are several approaches to security in computing, sometimes a combination of approaches is valid:

1. Trust all the software to abide by a security policy but the software is not trustworthy (this is computer insecurity).
2. Trust all the software to abide by a security policy and the software is validated as trustworthy (by tedious branch and path analysis for example).
3. Trust no software but enforce a security policy with mechanisms that are not trustworthy (again this is computer insecurity).
4. Trust no software but enforce a security policy with trustworthy mechanisms.

Many systems have unintentionally resulted in the first possibility. Since approach two is expensive and non-deterministic, its use is very limited. Approaches one and three lead to failure. Because approach number four is often based on hardware mechanisms and avoids abstractions and a multiplicity of degrees of freedom, it is more practical. Combinations of approaches two and four are often used in a layered architecture with thin layers of two and thick layers of four.

There are various strategies and techniques used to design security systems. However there are few, if any, effective strategies to enhance security after design. One technique enforces the principle of least privilege to great extent, where an entity has only the privileges that are needed for its function. That way even if an attacker gains access to one part of the system, fine-grained security ensures that it is just as difficult for them to access the rest.

Furthermore, by breaking the system up into smaller components, the complexity of individual components is reduced, opening up the possibility of using techniques such as automated theorem proving to prove the correctness of crucial software subsystems. This enables a closed form solution to security that works well when only a single well-characterized property can be isolated as critical, and that property is also assessable to math. Not surprisingly, it is impractical for generalized correctness, which probably cannot even be defined, much less proven. Where formal correctness proofs are not possible, rigorous use of code review and unit testing represent a best-effort approach to make modules secure.

The design should use "defense in depth", where more than one subsystem needs to be violated to compromise the integrity of the system and the information it holds. Defense in depth works when the breaching of one security measure does not provide a platform to facilitate subverting another. Also, the cascading principle acknowledges that several low hurdles does not make a high hurdle. So cascading several weak mechanisms does not provide the safety of a single stronger mechanism.

Subsystems should default to secure settings, and wherever possible should be designed to "fail secure" rather than "fail insecure" (see fail safe for the equivalent in safety engineering). Ideally, a secure system should require a deliberate, conscious, knowledgeable and free decision on the part of legitimate authorities in order to make it insecure.

In addition, security should not be an all or nothing issue. The designers and operators of systems should assume that security breaches are inevitable. Full audit trails should be kept of system activity, so that when a security breach occurs, the mechanism and extent of the breach can be determined. Storing audit trails remotely, where they can only be appended to, can keep intruders from covering their tracks. Finally, full disclosure helps to ensure that when bugs are found the "window of vulnerability" is kept as short as possible.
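The two points above, fail-secure defaults and audit trails that intruders cannot quietly edit, as an added example that is not from the cert.org or Wikipedia text: a Python append-only audit log in which each record carries the SHA-256 hash of the previous one, so deleting or altering an entry breaks every hash after it, and a verifier that treats anything it cannot parse as tampering rather than skipping it. The record layout and the sample events are my own assumptions.

```python
"""Append-only, tamper-evident audit trail (hash chain) with a fail-secure check.

Added example for the design principles above; not from the page's sources.
The log format is an assumption and the events are constructed.
"""
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # previous-hash value for the very first record


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


class AuditLog:
    """In-memory stand-in for a remote store that only accepts appends."""

    def __init__(self) -> None:
        self.entries: List[Tuple[str, dict]] = []  # (hash, record)

    def append(self, record: dict) -> str:
        prev = self.entries[-1][0] if self.entries else GENESIS
        h = _digest(prev, record)
        self.entries.append((h, record))
        return h

    def export(self) -> str:
        """One JSON object per line, as it would be shipped to the collector."""
        return "\n".join(json.dumps({"hash": h, "record": r}, sort_keys=True)
                         for h, r in self.entries)


def verify(exported: str) -> Tuple[bool, Optional[int]]:
    """Return (ok, index of first bad line or None).

    Fail secure: a line that does not parse is reported as a break in the
    chain instead of being ignored.
    """
    prev = GENESIS
    for i, line in enumerate(exported.splitlines()):
        try:
            entry = json.loads(line)
            h, record = entry["hash"], entry["record"]
        except (ValueError, KeyError, TypeError):
            return (False, i)
        if not isinstance(record, dict) or _digest(prev, record) != h:
            return (False, i)
        prev = h
    return (True, None)


def build_sample_log() -> AuditLog:
    # Constructed events, not real data.
    log = AuditLog()
    log.append({"ts": "2009-08-24T10:00:00Z", "user": "alice", "event": "login"})
    log.append({"ts": "2009-08-24T10:05:00Z", "user": "alice", "event": "sudo"})
    log.append({"ts": "2009-08-24T10:09:00Z", "user": "alice", "event": "logout"})
    return log


def tamper_delete(exported: str, index: int) -> str:
    """Simulate an intruder removing one line from a copy of the log."""
    lines = exported.splitlines()
    del lines[index]
    return "\n".join(lines)


if __name__ == "__main__":
    good = build_sample_log().export()
    print("intact:", verify(good))
    print("entry 1 removed:", verify(tamper_delete(good, 1)))
```

Removing the last line is not caught by the chain alone, which is exactly why the page recommends a remote store that only accepts appends (or, equivalently, keeping the latest hash somewhere the intruder cannot reach).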

Early history of security by design

The early Multics operating system was notable for its early emphasis on computer security by design, and Multics was possibly the very first operating system to be designed as a secure system from the ground up. In spite of this, Multics' security was broken, not once, but repeatedly. The strategy was known as 'penetrate and test' and has become widely known as a non-terminating process that fails to produce computer security. This led to further work on computer security that prefigured modern security engineering techniques producing closed form processes that terminate.

From WikiPedia

Tuesday, August 25, 2009

New Worm Installs Network Traffic Sniffer

A new worm whose payload includes the SDBot trojan tries to install a "sniffer," seeking to use infected computers to capture login and banking information for other computers on the same network. While sniffers are hardly new, the bundling of a sniffer with an auto-propagating worm is a new wrinkle, according to security firms.

Sniffers are devices that monitor network traffic, and are a useful network administration tool. They can also be useful to hackers, who install them on compromised computers to monitor and intercept packets flowing through a network. This in turn enables the attacker to capture unencrypted usernames and passwords, which can be used to compromise additional machines on the network.

The sniffing capabilities of the new Worm-SDBot were documented by Trend Micro, and include a list of phrases associated with logins for network administration or Paypal accounts. "If the trojans described by Trend can successfully transmit the filter's packet captures back to the owner, they are going to cause problems well beyond typical bot infestation issues," according to the Internet Storm Center.

Malicious sniffers can be difficult to detect because their activity involves collecting packets rather than transmitting them. Checking whether a network card is set to promiscuous (sniffing) mode is a common approach for users concerned about their own machines. Tools for detecting sniffers elsewhere on a network include Wireshark and Capsa.
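The local check mentioned above, whether a card is in promiscuous mode, as an added example that is not from the article: Python that reads the kernel's interface flag word from /sys/class/net/<iface>/flags on Linux and tests the IFF_PROMISC bit (0x100, from <linux/if.h>). The fake sysfs tree is constructed so the code runs anywhere; note this sees only your own host, not a sniffer on some other machine.

```python
"""Report Linux interfaces whose flags have IFF_PROMISC set.

Added example for the sniffer-detection advice above; not from the article.
The sysfs layout and the IFF_* values are the kernel's; the fake tree built by
make_fake_sysfs() is constructed test data.
"""
import os
import tempfile
from typing import List

IFF_UP = 0x1
IFF_PROMISC = 0x100


def parse_flags(text: str) -> int:
    """sysfs prints the flags as a hex string such as '0x1103'."""
    return int(text.strip(), 16)


def is_promisc(flags: int) -> bool:
    return bool(flags & IFF_PROMISC)


def promiscuous_interfaces(sysfs_net: str = "/sys/class/net") -> List[str]:
    """Names of interfaces with IFF_PROMISC set; empty if sysfs is unavailable.

    A hit is not proof of a sniffer: bridges, VM hosts and your own Wireshark
    session also set the bit, so treat the list as something to explain, not
    as an alert by itself.
    """
    found: List[str] = []
    if not os.path.isdir(sysfs_net):
        return found
    for name in sorted(os.listdir(sysfs_net)):
        path = os.path.join(sysfs_net, name, "flags")
        try:
            with open(path) as fh:
                flags = parse_flags(fh.read())
        except (OSError, ValueError):
            continue  # not a network interface entry, or unreadable
        if is_promisc(flags):
            found.append(name)
    return found


def make_fake_sysfs() -> str:
    """Build a throwaway sysfs-like tree (constructed data) for a demo run."""
    root = tempfile.mkdtemp(prefix="fake_sysfs_")
    # lo: UP|LOOPBACK; eth0: UP|BROADCAST|MULTICAST; eth1: same plus PROMISC.
    for name, flags in (("lo", "0x9"), ("eth0", "0x1003"), ("eth1", "0x1103")):
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "flags"), "w") as fh:
            fh.write(flags + "\n")
    return root


if __name__ == "__main__":
    print("demo tree:", promiscuous_interfaces(make_fake_sysfs()))
    print("this host:", promiscuous_interfaces())
```

A rootkit-level sniffer can hide the flag from user space, so this is a first check, not a guarantee; the same information is shown as PROMISC in the output of `ip link`.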

Monday, August 24, 2009

5 Tools That Every Network Administrator Should Have

Every network administrator has their own set of tools that they like to use on a daily basis to help them do their job. Here I list the 5 tools I like most.

Network Analyzer - There are actually two sniffer applications that I keep in my toolbox, Wireshark and Capsa Network Analyzer. Each program satisfies different needs of mine; the difference is that Wireshark has more functionality when it comes to filters, while the strength of Capsa Network Analyzer, from my point of view, is the user interface. It presents the data in an extremely easy-to-read way, such that you don’t need to be a hard-core network engineer to see what’s happening. And the pretty graphs make me happy.

PuTTY - PuTTY is a very versatile terminal application for use when you spend a lot of your day working on Cisco equipment. PuTTY allows a number of different ways to connect to a piece of equipment including Raw, Telnet, Rlogin, SSH and, with the newest version of PuTTY, Serial connections. The new Serial option is very handy for network administrators since HyperTerm is no longer available with Windows Vista and you still need a serial connection for new routers and switches. PuTTY is also very customizable and can be run from a USB drive without installing anything onto the computer.

PumpKIN - PumpKIN is a free FTP server program that you can download and use to host your computer as an FTP server. I use this program mainly for transferring Cisco images back and forth between the switch or router and my computer. This program becomes very valuable when you have a switch or router down that you need to get back up quickly.

MAC Scanner Pro - Colasoft MAC Scanner Pro has some advanced features; apart from scanning MAC addresses and IP addresses, the most practical feature is that it allows users to export or print the scanning results.

NetStumbler - NetStumbler was one of the first "wardriving" programs you could get to pick up other people's wireless networks. I use this tool on a regular basis for the opposite reason: I want to be able to check for rogue access points on my network. I simply use this little tool and walk around all of my offices and see what wireless devices pop up. I have found a couple of employees who wanted to work outside or away from their office and added a wireless AP so they could.

So those are 5 tools I believe every network administrator should have in their toolkit. For their ease of use, small size, and versatility they made my top 5 tools.

Friday, August 21, 2009

The 7 Most Common Mistakes Using Network Analyzers

Colasoft Capsa network analyzer

1) Over-believing the software's "intelligence" without understanding how it makes determinations.

Software default settings are very seldom correct for YOU. For example, a device may say that a SQL server should respond in 50ms. But, if that device is across a WAN with a 200ms ping time--that is highly unlikely. This causes false SLOW SQL messages. This is only an example, but there are many such alerts and messages based on default "thresholds" within this type of software tool's configuration.

Particulars of your environment may create false alerts or other messages. The definitions of what is an "excessive" delay--latency--broadcasts, etc, are up to you--not the tool.

It's important for you to know the default settings driving alerts and messages. Then ignore or alter those alerts that are not set best for your enterprise. Altering them to the appropriate settings for your enterprise is the best strategy. Too many false flags or alerts numb you into ignoring important ones, or cause you to make serious errors and incorrect decisions that can be very, very expensive.

Properly used, those features can save enormous amounts of time and show things your own eye would likely miss.
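The SQL example above, a 50 ms default threshold that fires falsely across a 200 ms WAN, as an added example that is not from the article: Python that applies the tool's fixed threshold and, beside it, a threshold that first subtracts each site's measured round-trip baseline so the 50 ms budget applies to the server's own processing time. The sample measurements are constructed to match the article's numbers.

```python
"""Fixed 'SLOW SQL' threshold versus an RTT-aware one.

Added example for mistake 1 above; not from the article. The numbers are
constructed: a 50 ms shipped threshold, a local site with ~1 ms RTT and a WAN
site with ~200 ms RTT.
"""
from statistics import median
from typing import List, Tuple

DEFAULT_THRESHOLD_MS = 50.0  # the tool's shipped "SLOW SQL" threshold

# Constructed samples: (site, network_rtt_ms, query_response_ms).
# query_response_ms is the client-observed time from request to first reply,
# which necessarily includes one network round trip.
SAMPLES = [
    ("hq", 1.0, 12.0), ("hq", 1.1, 15.0), ("hq", 0.9, 80.0),
    ("wan", 201.0, 215.0), ("wan", 199.0, 222.0), ("wan", 203.0, 290.0),
]


def baseline_rtt(samples, site: str) -> float:
    """Median network RTT for a site, from its handshake/ping measurements."""
    return median(rtt for s, rtt, _ in samples if s == site)


def fixed_alerts(samples, threshold: float = DEFAULT_THRESHOLD_MS) -> List[Tuple[str, float]]:
    """What the tool does by default: compare raw response time to the threshold."""
    return [(s, resp) for s, _, resp in samples if resp > threshold]


def rtt_aware_alerts(samples, budget_ms: float = DEFAULT_THRESHOLD_MS) -> List[Tuple[str, float]]:
    """Charge the server only for time beyond the site's network baseline."""
    out = []
    for s, _, resp in samples:
        server_time = resp - baseline_rtt(samples, s)
        if server_time > budget_ms:
            out.append((s, resp))
    return out


def effective_threshold(samples, site: str, budget_ms: float = DEFAULT_THRESHOLD_MS) -> float:
    """The raw response time at which the RTT-aware rule fires for a site."""
    return baseline_rtt(samples, site) + budget_ms


if __name__ == "__main__":
    print("fixed 50 ms :", fixed_alerts(SAMPLES))
    print("RTT-aware   :", rtt_aware_alerts(SAMPLES))
    for site in ("hq", "wan"):
        print(f"{site}: alert above {effective_threshold(SAMPLES, site):.0f} ms raw")
```

With the fixed rule every WAN query is "slow"; with the baseline subtracted only the two genuinely slow queries (80 ms locally, 290 ms over the WAN) remain.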

2) Not understanding the Protocols used, such as TCP, HTTP, etc.

What good is a tool that tells you information about how a protocol is behaving if you do not understand the underlying technology? By this I mean the RFCs for the protocols that are relevant to your concerns.

---What is the impact of various protocols working differently for the same application doing the same transaction--in different locations?

---What is expected according to specs--and how is your trace file showing different--or less optimal behavior?

---Why would there be 2 TCP connections from one location and 10 from another--for the same application doing the same transaction?

This short article cannot answer all these questions, but it can show you the types of information that you will need to understand in order to make sense of the data a trace file will show you. Know the protocols well. Deep understanding of TCP is the basic price of admission. While you may consider this a matter of skill sets, my point is that attempting to troubleshoot a problem with a packet-sniffer while not understanding the protocols is a mistake, and a common one. If you add this point to the first one listed, about not believing all the standard settings on tools, you find that the tool cannot answer anything for you by itself. You need to know what you are looking at. You are the analyst; the tool is just an aid.

3) Not understanding the layer 1 and layer 2 aspects of the topology you are sniffing.

Ethernet and all other topologies have many different specifications, which are altered or outright ignored by many switch or other network device manufacturers. You must know the specs and how the hardware you are working with applies those specs, or doesn't apply them. A classic example is Spanning Tree. There are IEEE specifications for Spanning Tree, but those specifications are just a model, not a law. Each manufacturer has tweaked it in order to create some proprietary advancement to give them a competitive advantage. Sometimes those advances become the new spec. However, you need to know what is standard and how your equipment varies on that theme. What good is seeing the BPDUs in a trace file if you don't understand what they contain or how they relate to the problem at hand? Again, this may be looked at as a skill set issue, but expecting to solve critical problems with a packet-sniffer while not knowing this about your network is a mistake.

4) Uni-directional SPANs or Port Mirroring & Single-sided trace files.

Often the switch port used by a server you need to monitor cannot provide a bi-directional SPAN (port mirror). If so, you cannot get answers from such a trace, as it will miss critical information. It can be an oversight by the engineer doing the trace, but sometimes it is simply not understood to be such a critical concern and is ignored. Either way, when you have a situation like this you need to bite the bullet and put in a Change Order to get the server moved to a port that can be mirrored in both directions before any serious analysis can be done.

Here is a good example of why this is so. Picture a Client and a Server. The Server wants to end a specific TCP connection and keeps sending FINs. Yet we never see the Client send back a FIN ACK. We do see other traffic between them and know that there is connectivity. So, here are the questions:

--Are the FINs not arriving at the Client, or is the Client receiving them and appropriately sending back the FIN ACK, which is not getting back successfully?

---If so, then it is most likely a network issue.

--Are the FINs arriving successfully but being ignored by the Client?

---If so, then it is most likely a Server or OS or Data Center issue.

These questions cannot be answered with a trace file that only sees one side of the conversation. Two traces, synchronized, are needed to determine the answer.
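The FIN question above, worked through as an added example (not code from the article): correlate a server-side and a client-side capture by matching the same segments in both, and only then decide whether the FINs were lost, the replies were lost, or the client simply never answered. The two traces are constructed and assume the two capture points have synchronized clocks; with only the server-side trace the function deliberately refuses to pick.

```python
"""Correlate a server-side and a client-side capture to locate where a TCP
teardown breaks, the FIN / FIN-ACK question posed above.

Added example, not code from the original article. Both traces are
constructed and assume the two capture points have synchronised clocks.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Pkt:
    ts: float
    src: str
    dst: str
    flags: str   # simplified flag string, e.g. "FIN+ACK" or "ACK"
    seq: int     # sequence number: the same segment carries the same seq in both traces


def _key(p: Pkt):
    # A segment is "the same" in both traces when endpoints, flags and seq match;
    # timestamps differ because the captures sit at different points on the path.
    return (p.src, p.dst, p.flags, p.seq)


def diagnose(server_trace: List[Pkt], client_trace: Optional[List[Pkt]], server: str, client: str) -> str:
    """Return a short verdict code for why the close never completes."""
    server_fins = [p for p in server_trace if p.src == server and p.dst == client and "FIN" in p.flags]
    if not server_fins:
        return "no-server-fin"
    if client_trace is None:
        # Single-sided trace: a lost FIN and an ignored FIN look identical here.
        return "undetermined"
    client_keys = {_key(p) for p in client_trace}
    server_keys = {_key(p) for p in server_trace}

    if not any(_key(p) in client_keys for p in server_fins):
        return "network-fin-lost"          # FINs leave the server but never arrive
    client_replies = [p for p in client_trace if p.src == client and p.dst == server and p.flags == "FIN+ACK"]
    if not client_replies:
        return "host-client-ignores-fin"   # FINs arrive, the client never answers
    if any(_key(p) not in server_keys for p in client_replies):
        return "network-reply-lost"        # client answers, reply never reaches the server
    return "teardown-ok"


MESSAGES = {
    "network-fin-lost": "network issue: server FINs do not reach the client",
    "network-reply-lost": "network issue: client FIN/ACKs do not reach the server",
    "host-client-ignores-fin": "host issue: FINs arrive but the client never answers (look at the OS/application, not the network)",
    "undetermined": "cannot tell from one side of the conversation; capture both ends",
    "no-server-fin": "the server never sent a FIN",
    "teardown-ok": "both sides closed cleanly",
}

# Constructed traces. S is the server, C the client.
S, C = "10.9.9.10", "10.1.1.5"
# What the server-side capture sees: three FIN retransmissions plus unrelated ACK traffic.
SERVER_SIDE = [
    Pkt(1.00, S, C, "FIN+ACK", 1000), Pkt(1.10, C, S, "ACK", 500),
    Pkt(1.40, S, C, "FIN+ACK", 1000), Pkt(2.20, S, C, "FIN+ACK", 1000),
]
# Client-side captures for three different scenarios.
CLIENT_IGNORES = [
    Pkt(1.05, S, C, "FIN+ACK", 1000), Pkt(1.10, C, S, "ACK", 500),
    Pkt(1.45, S, C, "FIN+ACK", 1000), Pkt(2.25, S, C, "FIN+ACK", 1000),
]
FIN_NEVER_ARRIVES = [Pkt(1.10, C, S, "ACK", 500)]
REPLY_NEVER_ARRIVES = CLIENT_IGNORES + [Pkt(1.06, C, S, "FIN+ACK", 500)]

if __name__ == "__main__":
    for name, trace in [("client ignores", CLIENT_IGNORES), ("FIN lost", FIN_NEVER_ARRIVES),
                        ("reply lost", REPLY_NEVER_ARRIVES), ("single-sided", None)]:
        code = diagnose(SERVER_SIDE, trace, S, C)
        print(f"{name:14s} -> {code}: {MESSAGES[code]}")
```

Matching on (endpoints, flags, seq) rather than on timestamps is what makes the correlation robust to the clock offset between the two capture points; the synchronization only needs to be good enough to line up retransmissions.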

5) Incorrect filters--either Capture or Display

An important concept here is that filters add nothing; they only remove, they only filter out. When you say that you are "filtering for" something, what you mean is that you are "filtering out" everything else. This isn't just semantics, as understanding this perspective is critical to success.

Capture Filters:

Capture Filters are irreversible. If you filtered out something that you need to see--you just aren't going to see it. There is no second chance without running the test again.

Capture Filters determine what is allowed in the Capture Buffer. If the data is there to see--great. If you filtered what you need out--you can't change the filter after the fact. A very experienced Protocol Analyst may notice the problem by seeing anomalies that amount to the shadow of the missing data--but most will not be able to tell. And, of course, even if you can tell--you still have to re-test.

This might lead you to think that you should not use Capture Filters, and that is half true. If you don't really need them, don't use them. However, if you are drinking your packets out of the fire hydrant, you have no choice. Under those conditions the data will fill up your Capture Buffer in less than a single second.

Another point is that they should be consistent within a Test Design. If they vary too much, they will create false differences that can easily lead the Network and Application Performance Analyst or Protocol Analyst astray.

Monitor Filters:

Monitor Filters are forgiving. They work the same way--in that they filter out, not in. However, you can change your mind. The data is in the can (trace file) and it is only a matter of changing the filter to see what was filtered out the last time. Many times I am stumped and then have an idea--go back and change my Capture Filters--and bam! There is the answer. The point is--incorrect Monitor Filters will just as easily lead you astray--but you still have the opportunity to find your way back since the data is still there.

Again, this might leave you thinking you should avoid Monitor Filters. Don't even consider it. Removing irrelevant packets is required to properly measure distinct conversations and search for anomalies. In fact, understanding proper filtering is what using the packet-sniffer software is all about.

6) Lack of understanding of the Network Analyzer's CURRENT settings.

Monday, you created a Capture Filter and left it as the default. Friday you need to capture a trace file and click on Capture. Various people perform their roles in the test and you save the trace file. Everyone goes home, back to their main job function or to bed. Then you look at it and discover that you didn't realize that the old Capture Filter was still in effect! Why? You altered the Default Capture File instead of creating a new one. Your Trace File is useless.

Always remember to review ALL settings before beginning a test. Additionally, run a practice test to make sure all filters and settings are as they should be.

Sometimes the error you discover is that you were given an incorrect IP address and that you would never have found what you are looking for at the IP address from which you are capturing packets. That is a GOOD finding. It means someone's diagram is incorrect. It also means you prevented a useless round of testing.

7) Lack of test controls.

Like any proper experiment, a performance or application test requires a control group and controlled data for all groups. If it was a pharmaceutical test you might have a group with a placebo. In our field we need to create a "BESTline" first. A "Bestline" is not a baseline.

Here is an example.

You have a Client in Singapore and a Server in New York City. The client in Singapore takes 40 milliseconds to execute a transaction, and European clients only need 30 milliseconds. Singapore, although farther away, has a faster connection and is expected to get it done in the same time as Europe. What now? Take a BESTline. Use a client in New York City running the same transaction in the same way on similar equipment against the same server as the other two tests. You may discover that it still takes 25 milliseconds! This may be due to various issues in the Data Center, Server or PC itself: 25 milliseconds is the fastest it goes!

This means that the first 25 milliseconds have nothing to do with the transport distance or speed. It DOESN'T mean that you have to accept those 25 milliseconds. There is a great deal that can be done about it. However, it is not the network and you now know you have to focus on the Server, PC, Data Center and other components.

Such controls are easy to do--yet seldom done. That common error results in many false leads and false errors as well as lost time and money.

Wednesday, August 19, 2009

How to Discover Network Security Loopholes

There is an illusion today about discovering the loopholes in a network as the wonders of global connectivity unfold. Such diversity seems to call for companies to invest more in training their network operators in the discovery of network loopholes. Simultaneously, there also exist sophisticated hackers and crackers who spend sleepless nights contemplating how to accurately discover security loopholes in a network that enable them to penetrate it. This calls for network security managers who have the ability to hack into their own systems first.


These few challenges are the main forces driving research on discovering network security loopholes, and as technological advances emerge, the cat-and-mouse game continues between attackers and protectors.

The major method that is being employed in most networks today to discover security loopholes is Penetration Testing as is examined below.


Penetration Testing


This can be defined as a process of actively testing information security measures. Organisations perform penetration tests to identify the threats facing them and to resolve their vulnerabilities and weaknesses.


There are different types of penetration tests available. They are:


i. External Penetration Testing

The oldest approach to testing, mainly focused on the servers, infrastructure and software present in the target system. This type of testing is usually performed either with no prior knowledge of the site or with total knowledge of the network topology.


ii. Internal Security Assessment

This approach is similar to external penetration testing, with the addition of a security report of the site. This testing is typically performed from a number of access points representing the different network segments.


iii. Application Security Assessment

This identifies and assesses threats to an organisation through software applications that might provide interactive access to potentially sensitive material. It is essential that the applications are assessed to ensure that they do not expose the servers and the software to attack.


iv. Telephony Security Assessment

This assessment addresses security concerns relating to corporate voice technologies.


v. Social Engineering Security Assessment

This assessment addresses social engineering which is a non technical kind of intrusion.

For more information about penetration testing, a great website with lots of information is penetration-testing.com.


Network Analysing


After the penetration tests, it is quite easy to detect and confirm network problems with a network sniffer/analyzer. With its professional data-capturing technology and comprehensive network analysis capability, Colasoft Network Analyzer will help you monitor your network within seconds and maximize your network value.

Tuesday, August 18, 2009

Are You Being Watched?

by Brett Glass -- pcmag.com

How private is your PC data? Thanks to the proliferation of Internet worms and hardware and software spying tools, the erosion of loyalty between corporations and their employees, and the 9/11 disaster (which has caused many to value security over privacy and civil rights), the likelihood is greater than ever that your computer is reporting your every move to a suspicious spouse, a government agency, an employer, or the entire world. In this article, we'll cover the most prevalent spying hardware and software and explain how it can be used, abused, and detected.

A hardware key logger is a device that captures keystrokes en route from keyboard to PC. KeyGhost (www.keyghost.com), a New Zealand company, offers two hardware key loggers. The first is an inconspicuous cable that runs from the keyboard to the PC (prices start at $139 and go up to $409 direct). The second is a keyboard with the logging hardware tucked entirely inside the case ($189 and up).

The company claims to have a wide variety of bugged keyboards ready-made to match many brands of computers. If your existing keyboard is unique, KeyGhost will modify it and return it with the logger hidden inside. Both the internal and external versions have maximum capacities of about 2MB—enough memory to capture as much as a year's worth of typing. The Spy Store (www.thespystore.com/pcsurveillance.htm) shows a more compact external key logger ($139 direct). It has a smaller memory capacity, but its capabilities are otherwise similar.

Hardware key loggers usually can't be detected by software and may be tough for non-technical users to spot. They're also compatible with most operating systems and don't require complicated installations. The main drawback is that they can't capture the information that appears on the screen but isn't typed in by the user. So hardware devices are best used to sniff out small but vital pieces of information, such as passwords.

Although keystroke-logging hardware is relatively new, software that performs the same function is not. In 1988, I implemented a primitive network keystroke logger as a DOS TSR, using the NetBIOS protocol. My motivation at the time was not to spy but to ensure that my programming work was preserved on another machine in the event of a system crash.


But today's spying programs do much more than log keystrokes. Spying software can be selective about the data it captures; administrators can set the software to skim information and then capture more data when certain criteria are met. WinWhatWhere Investigator (www.winwhatwhere.com), a major product in the monitoring market, captures keystrokes, e-mails information about your activities when key phrases are entered, and even renames itself and changes its location at random. If the victim's machine has a Webcam connected, WinWhatWhere snaps pictures periodically and sends them out surreptitiously.

SpectorSoft (www.spectorsoft.com) makes Spector Pro, which captures screen shots, records e-mail and chat sessions, and logs keystrokes. In short, if something of interest to you happens on a user's machine, you will not only know what the person typed, you'll have logs of e-mail and chat room conversations and pictures of the screen.

Competing products such as D.I.R.T., from Codex Data Systems (www.codexdatasystems.com/menu.html), offer similar features. And several keystroke logger programs are freely available for download from many shareware archives. Logging software is easier to detect via system diagnostic tools, however, and may be wiped off the hard drive by reconfiguring or reinstalling the operating system.

In some cases, spying software may be installed as a virus, worm, or Trojan horse that arrives via e-mail or an infected file. BackOrifice, a program created by a group of rogue hackers called The Cult of the Dead Cow, can be installed in this way and can spy on and even commandeer the victim's system. Several recent worms, including Badtrans.B, attempt to capture passwords and credit card information from users' systems and forward the information to the worms' creators via e-mail or Internet relay chat (IRC).

Another spying technique uses a network sniffer (usually a computer running special software) installed on the same LAN as the victim's computer or upstream between the victim's computer and the Internet. The sniffer taps and records the raw data flowing between the victim and other machines; this data can be scanned later.

Only a few Internet protocols use encryption. E-mail is most often sent and retrieved as plain text, and the password needed to break into someone's electronic mailbox is very rarely encrypted. If encryption is used, a key logger can often be used to discover the password that unlocks the data.
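The point above, that mail and its passwords mostly travel in the clear, is something a network owner can verify on their own traffic. The following is an added example (not code from the article): it scans captured TCP payloads for the common cleartext authentication mechanisms (POP3 USER/PASS, IMAP LOGIN, SMTP AUTH PLAIN, HTTP Basic) and reports protocol, port and account so the services can be moved behind TLS, while redacting the secret itself so the audit report does not become another copy of the password. The payloads, ports and account names are constructed samples.

```python
"""Audit captured TCP payloads for authentication sent in the clear.

Added example, not part of the original article. The payloads are
constructed samples of the kind a sniffer on the LAN would record; the
report names the account and mechanism but never the credential.
"""
import base64
import re
from typing import Dict, List, Tuple

# Constructed samples: (destination port, raw payload bytes)
SAMPLES: List[Tuple[int, bytes]] = [
    (110, b"USER alice@example.test\r\nPASS s3cr3t\r\n"),                                   # POP3
    (587, b"EHLO laptop\r\nAUTH PLAIN " + base64.b64encode(b"\x00bob@example.test\x00hunter2") + b"\r\n"),  # SMTP
    (80,  b"GET /mail HTTP/1.1\r\nHost: webmail.example.test\r\nAuthorization: Basic "
          + base64.b64encode(b"carol:pw") + b"\r\n\r\n"),                                     # HTTP Basic
    (143, b"a001 LOGIN dave@example.test letmein\r\n"),                                       # IMAP
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),                                           # TLS record: nothing readable
    (110, b"STAT\r\n"),                                                                       # POP3 command, no credential
]

# (protocol, mechanism, pattern capturing the account or the encoded token)
_PATTERNS = [
    ("POP3", "USER/PASS", re.compile(r"^USER (\S+)", re.M)),
    ("IMAP", "LOGIN",     re.compile(r"^\S+ LOGIN (\S+) ", re.M)),
    ("SMTP", "AUTH PLAIN", re.compile(r"^AUTH PLAIN (\S+)", re.M)),
    ("HTTP", "Basic",     re.compile(r"^Authorization: Basic (\S+)", re.M | re.I)),
]


def _user_from_auth_plain(raw: bytes) -> str:
    # SASL PLAIN is authzid \0 authcid \0 password; we only keep the authcid.
    parts = raw.split(b"\x00")
    return parts[1].decode("utf-8", "replace") if len(parts) >= 3 else "<unknown>"


def _user_from_basic(raw: bytes) -> str:
    # HTTP Basic is user:password; keep only the user.
    return raw.split(b":", 1)[0].decode("utf-8", "replace")


def _decode_token(token: str, extract) -> str:
    try:
        return extract(base64.b64decode(token, validate=True))
    except Exception:
        return "<undecodable>"


def find_cleartext_auth(samples: List[Tuple[int, bytes]]) -> List[Dict]:
    """One finding per payload that carries a cleartext login; secrets are never returned."""
    findings = []
    for port, payload in samples:
        text = payload.decode("latin-1")          # byte-for-byte, so binary payloads never raise
        for proto, mech, pattern in _PATTERNS:
            m = pattern.search(text)
            if not m:
                continue
            token = m.group(1)
            if mech == "AUTH PLAIN":
                user = _decode_token(token, _user_from_auth_plain)
            elif mech == "Basic":
                user = _decode_token(token, _user_from_basic)
            else:
                user = token
            findings.append({"port": port, "protocol": proto, "mechanism": mech, "user": user})
            break
    return findings


if __name__ == "__main__":
    for f in find_cleartext_auth(SAMPLES):
        print(f"port {f['port']:>4}  {f['protocol']:<4} {f['mechanism']:<10} account={f['user']}")
```

Base64, as used by AUTH PLAIN and HTTP Basic, is an encoding and not encryption; anyone with the sniffer position described in the article reads it as easily as the POP3 USER line. The TLS sample produces no finding, which is the state every row of a real audit should end up in.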

The FBI's Carnivore system, which is installed at ISP facilities to collect evidence, is one example of a network sniffer. Civilian tools that can sniff LAN traffic—even on networks supposedly protected from monitoring by network switches—are widely available for free via the Internet.

Even if the party who wants to spy on you has no physical access to your network, you cannot necessarily rest easy. A cracker who manages to gain control of any vulnerable system on your network can set it up to sniff traffic from the rest of the network. And recently revealed bugs in most implementations of SNMP (Simple Network Management Protocol) may provide an easy way for intruders to take over managed hubs and switches, routers, print servers, and network appliances. (For more on these bugs, see the CERT advisory.)

Sunday, August 16, 2009

Understanding Network Management and Network Monitoring

Network management may mean different things to different people. To some, network management may be a network consultant monitoring network activity with a network analyzer (Colasoft Capsa Network Analyzer); to others, network management may be about distributed databases and high-end workstations generating traffic. Speaking generally, network management is a service that uses a wide range of devices, tools, and applications to enable network managers to monitor and maintain networks successfully and efficiently.


Network management deals with the top-level administration and maintenance of widespread and large networks, commonly seen in the fields of computers and telecommunications, which may necessarily include user terminal equipment.


Network management executes functions such as security, control, allocation, monitoring, coordination, deployment and planning, to name a few. It is also worth noting that network management is governed by several protocols that exist to support it, including SNMP, Common Information Model, CMIP, WBEM, Transaction Language 1, Java Management Extensions, and Netconf.


Routing is also an important area of network management. Routing refers to the process of selecting the paths in a computer network on which to send data. In this arena of network management, logically addressed packets get transported from their source to their destination with the help of nodes. These nodes are called routers, in a process termed as forwarding.


Successful network management also uses accounting management. This controls and reports on the financial status of the network. This area of network management involves bank account maintenance, financial statement development, and analysis of cash flow and financial health.


Coming to network monitoring, it is about policing network traffic. In other words, network monitoring is spying for the benefit of the smooth working of network management. Network monitoring is part of network management. Ideally, network monitoring is a function that one of your systems performs on an ongoing basis: while the other systems perform the functions assigned to them, set aside at least one computer to monitor network activity. That is network monitoring in a nutshell.


The computer performing network monitoring must be kept on at all times, which means that the network monitoring system should have exclusive power lines or a backup generator facility. Everyone should understand that the network-monitoring system is the most critical part of any network, because it is with the help of network monitoring that an alarm will be raised if something is wrong.


Network monitoring will identify slow or failing systems and notify the network administrator of such lapses. Issues like overloaded systems, crashing servers, lost network connections, virus infections, and power outages will be dealt with without losing time if network monitoring is in place.

How to Protect Your Network from Spam?

According to the July 2009 edition of the MessageLabs Intelligence Report, spam remains a major problem. In fact, it has reached up to 90% of e-mail, and in some European countries it is higher, up to 95%.

Three main problems have caused this bad situation.

  • The use of automated tools: Spammers use automated tools to generate e-mail addresses based on a domain name.

  • URL-shortening spam: Currently, many social networks offer URL-shortening services to users; 6.2% of spam e-mails contain shortened URLs to mask unsafe destinations.

  • International problem: Contrary to the belief that the sources of spam e-mails lie outside the United States, according to the July statistics at least 86% of all e-mails sent in the US are spam.

As a network administrator, what can we do to mitigate the effect of spam?

Well, there are two specific network methods you may take.

Traffic management

You should install a network analyzer like Colasoft Capsa network analyzer in your network; it will help you monitor network traffic in real time, especially the SMTP traffic we care about most in this article. Traffic management entails reducing overall message volume by relying on techniques that are implemented at the protocol level. Essentially, unwanted senders are identified and their connections dramatically throttled using features that are inherent to the TCP protocol. This allows incoming volumes of spam to be slowed, giving legitimate mail an opportunity to be processed and expedited by the mail server.

This technique is effective, and it is also useful for reducing the effect of DoS-style e-mail flooding.

Connection management

Another method would be the use of connection management techniques. An example would be for incoming SMTP connections from sources known for sending spam and malware to be immediately rejected. The use of such blacklists can be done at the firewall level and could also include open proxies or known botnets.

The obvious benefit of connection management is that mail servers do not even have to waste processor cycles to deal with the incoming spam.
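The two methods above, traffic management and connection management, combined into one admission decision for incoming SMTP connections. This is an added example, not code from the post or from Colasoft: a listed source is rejected before the mail server spends any cycles on it, and a source that connects too often inside a one-minute window is slowed rather than refused. The blocklist ranges, rate thresholds and connection log are constructed; a real deployment would take the list from a DNSBL or firewall object and, as the post describes, do the throttling at the TCP level rather than by delaying the banner.

```python
"""Incoming-SMTP connection policy combining the two methods above:
connection management (reject sources on a blocklist before the mail server
sees them) and traffic management (throttle sources that connect too often).

Added example, not code from the original post or from Colasoft; the
blocklist, thresholds and connection log are constructed.
"""
import ipaddress
from collections import defaultdict, deque
from typing import List, Tuple

# Constructed blocklist (documentation address ranges). In practice this comes
# from a DNSBL or a firewall object list of known spam sources, open proxies
# and botnet members.
BLOCKLIST = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]


class SmtpConnectionPolicy:
    def __init__(self, blocklist, max_per_minute: int = 5, throttle_delay_s: int = 30):
        self.blocklist = list(blocklist)
        self.max_per_minute = max_per_minute
        self.throttle_delay_s = throttle_delay_s
        self.recent = defaultdict(deque)   # source ip -> timestamps of its last connections

    def decide(self, ip_str: str, now: float) -> Tuple[str, int]:
        """Return (action, delay_seconds) for one new connection attempt."""
        ip = ipaddress.ip_address(ip_str)
        # Connection management: a listed source is dropped at the firewall;
        # no SMTP banner, no processor cycles on the mail server.
        if any(ip in net for net in self.blocklist):
            return ("reject", 0)
        q = self.recent[ip_str]
        while q and now - q[0] > 60:       # slide the one-minute window
            q.popleft()
        q.append(now)
        # Traffic management: a source exceeding the rate is slowed down rather
        # than refused, so a legitimate but busy sender still gets through. The
        # post throttles at the TCP level (small windows, delayed ACKs); here
        # the decision is expressed as a delay before the SMTP banner is sent.
        if len(q) > self.max_per_minute:
            return ("throttle", self.throttle_delay_s)
        return ("accept", 0)


# Constructed connection log: (seconds since start, source ip)
CONNECTION_LOG = [
    (0.0, "203.0.113.5"),
    (1.0, "192.0.2.10"), (2.0, "192.0.2.10"), (3.0, "192.0.2.10"),
    (4.0, "192.0.2.10"), (5.0, "192.0.2.10"), (6.0, "192.0.2.10"), (7.0, "192.0.2.10"),
    (8.0, "198.51.100.7"),
    (200.0, "192.0.2.10"),   # window has expired: back to normal service
]


def run_policy(log, policy: SmtpConnectionPolicy) -> List[str]:
    """Apply the policy to a log in order and return the action taken for each connection."""
    return [policy.decide(ip, t)[0] for t, ip in log]


if __name__ == "__main__":
    for (t, ip), action in zip(CONNECTION_LOG, run_policy(CONNECTION_LOG, SmtpConnectionPolicy(BLOCKLIST))):
        print(f"t={t:6.1f}  {ip:<14} {action}")
```

Throttling before rejecting is the safer order for anything not on a list: a sudden burst from one address is just as often a mailing-list server or a partner's outbound relay as a spam bot, and a delay costs the legitimate sender nothing but time.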

Do you have other methods? Let's share our knowledge here!

What is the difference between an Ethernet hub and switch?

Although hubs and switches both glue the PCs in a network together, a switch is more expensive and a network built with switches is generally considered faster than one built with hubs. Why?





When a hub receives a packet (chunk) of data (a frame in Ethernet lingo) at one of its ports from a PC on the network, it transmits (repeats) the packet to all of its ports and, thus, to all of the other PCs on the network. If two or more PCs on the network try to send packets at the same time, a collision is said to occur. When that happens all of the PCs have to go through a routine to resolve the conflict. The process is prescribed in the Ethernet Carrier Sense Multiple Access with Collision Detection (CSMA/CD) protocol. Each Ethernet adapter has both a receiver and a transmitter. If the adapters didn't have to listen with their receivers for collisions they would be able to send data at the same time they are receiving it (full duplex). Because they have to operate at half duplex (data flows one way at a time) and a hub retransmits data from one PC to all of the PCs, the maximum bandwidth is 100 Mhz and that bandwidth is shared by all of the PCs connected to the hub. The result is that when a person using a computer on a hub downloads a large file or group of files from another computer, the network becomes congested. In a 10 Mhz 10Base-T network the effect is to slow the network to nearly a crawl. The effect on a small, 100 Mbps (million bits per second), 5-port network is not as significant.






Two computers can be connected directly together in an Ethernet with a crossover cable. A crossover cable doesn't have a collision problem. It hardwires the Ethernet transmitter on one computer to the receiver on the other. Most 100BASE-TX Ethernet Adapters can detect when listening for collisions is not required with a process known as auto-negotiation and will operate in a full duplex mode when it is permitted. The result is a crossover cable doesn't have delays caused by collisions, data can be sent in both directions simultaneously, the maximum available bandwidth is 200 Mbps, 100 Mbps each way, and there are no other PC's with which the bandwidth must be shared.


An Ethernet switch automatically divides the network into multiple segments, acts as a high-speed, selective bridge between the segments, and supports simultaneous connections of multiple pairs of computers which don't compete with other pairs of computers for network bandwidth. It accomplishes this by maintaining a table of each destination address and its port. When the switch receives a packet, it reads the destination address from the header information in the packet, establishes a temporary connection between the source and destination ports, sends the packet on its way, and then terminates the connection.


Picture a switch as making multiple temporary crossover cable connections between pairs of computers (the cables are actually straight-thru cables; the crossover function is done inside the switch). High-speed electronics in the switch automatically connect the end of one cable (source port) from a sending computer to the end of another cable (destination port) going to the receiving computer on a per packet basis. Multiple connections like this can occur simultaneously. It's as simple as that. And like a crossover cable between two PCs, PC's on an Ethernet switch do not share the transmission media, do not experience collisions or have to listen for them, can operate in a full-duplex mode, have bandwidth as high as 200 Mbps, 100 Mbps each way, and do not share this bandwidth with other PCs on the switch. In short, a switch is "more better."


Conclusion:


Actually, this is a frequently asked question from Capsa customers: why do they have to deploy Capsa on a hub only? From the information above, we can see that a switch transmits data selectively (by MAC address), while a hub repeats the data to every port. So, we have to install Capsa on the hub to capture the data in the network.
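The conclusion above, as a small forwarding simulation. This is an added example, not code from the post: a hub repeats every frame to every other port, a switch learns source MACs and forwards unicast only to the learned port, so an analyzer on an ordinary switch port sees the flooded first frame and broadcasts but none of the later unicast exchange between other ports. The optional mirror_from/mirror_to arguments emulate the port-mirroring feature of managed switches (the subject of the next post) that gives the analyzer a full copy. MAC addresses, port numbers and frames are constructed.

```python
"""Hub versus learning switch, as a small forwarding simulation: which ports
receive a given frame. Added example, not code from the original post; the
MAC addresses and frames are constructed.
"""
from typing import Dict, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
Frame = Tuple[int, str, str]   # (ingress port, source MAC, destination MAC)


class Hub:
    """Repeats every frame out of every other port: everyone shares the medium."""
    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, in_port: int, src: str, dst: str) -> Set[int]:
        return self.ports - {in_port}


class Switch:
    """Learns which port each source MAC lives on and forwards unicast only there.

    Unknown destinations and broadcasts are flooded, which is why a passive
    analyzer on an ordinary switch port sees only the first frame of a
    conversation. mirror_from/mirror_to emulate the port-mirroring (SPAN)
    feature that managed switches offer to give the analyzer a full copy.
    """
    def __init__(self, ports, mirror_from: Optional[int] = None, mirror_to: Optional[int] = None):
        self.ports = set(ports)
        self.table: Dict[str, int] = {}
        self.mirror_from, self.mirror_to = mirror_from, mirror_to

    def forward(self, in_port: int, src: str, dst: str) -> Set[int]:
        self.table[src] = in_port                      # learn on ingress
        if dst == BROADCAST or dst not in self.table:
            out = self.ports - {in_port}               # flood
        else:
            out = {self.table[dst]} - {in_port}        # selective forward
        if self.mirror_to is not None and (in_port == self.mirror_from or self.mirror_from in out):
            out = out | {self.mirror_to}               # copy the mirrored port's traffic
        return out


A, B = "00:00:5e:00:53:01", "00:00:5e:00:53:02"   # constructed MACs (documentation range)
FRAMES = [
    (1, A, B),          # A -> B: B not learned yet, flooded
    (2, B, A),          # B -> A: A known, goes only to port 1
    (1, A, B),          # A -> B: B known now, goes only to port 2
    (1, A, BROADCAST),  # ARP-style broadcast, everyone sees it
]


def frames_seen(device, frames, monitor_port: int) -> int:
    """How many of the frames an analyzer attached to monitor_port would capture."""
    return sum(1 for p, s, d in frames if monitor_port in device.forward(p, s, d))


if __name__ == "__main__":
    print("hub, analyzer on port 3:            ", frames_seen(Hub([1, 2, 3, 4]), FRAMES, 3))
    print("switch, analyzer on port 3:         ", frames_seen(Switch([1, 2, 3, 4]), FRAMES, 3))
    print("switch, port 2 mirrored to port 3:  ", frames_seen(Switch([1, 2, 3, 4], 2, 3), FRAMES, 3))
```

Run the three cases and the numbers are 4, 2 and 4: on the plain switch the analyzer misses exactly the unicast frames that carry the conversation, which is what the customers' question is about.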

Tuesday, August 11, 2009

Tips--A list of Switches with Port Mirroring support

Below you will find an up-to-date list of some commonly used managed switches that support port mirroring, port spanning or port monitoring functions (whatever name is used for that function).

For some of models there are available instructions regarding how to configure port mirroring.

For other models, please, read the user's manual of the particular switch or contact the vendor for such information.

You are welcome to tell me (willis.huang@colasoft.com), if you know more such switches.

[Image: table of switch models with port-mirroring support and reference prices]

Note 1: The above are reference prices, which were current on the date of writing this article. The actual price may differ.

Note 2: Some switches do not accept incoming packets on the port that is used as the destination of a port mirroring session. Because of this, it is necessary to install a second network adapter in the server; this secondary adapter is used for accessing the server over the network.

Switches by Vendor:
  • Netgear

  • D-Link

  • Linksys

  • Dell

  • Cisco



Thursday, August 6, 2009

Basic Network Troubleshooting Tips

Here you will learn network troubleshooting tips: fixing TCP/IP errors and TCP/IP settings, Internet connectivity errors, PC errors, LAN connectivity issues, and the traceroute and ping commands. Whether your operating system is Windows or Linux, network problems are likely to arise. Many times the network problems arise due to improperly configured TCP/IP settings. Following is a basic checklist to identify and troubleshoot basic networking errors.
1. First of all, find out what stopped working, a server or a client computer, and see whether the outage is affecting other computers or only one.

2. If your server stopped working, inform the users of the server and start working on fixing the error.

3. If a single client computer stopped working or was disconnected from the network, ask the user of that computer what recent changes might have caused it to stop working, such as newly installed software or games, service packs, Internet software, new hardware or anything else.

4. Check the physical network connectivity. Most network problems arise from physical-layer failures.

5. Check all the network cable connections. Start at the NIC and check whether the green light is blinking, then check the hub and see whether the computer is getting link across the cable.

6. Get a cable tester to check the connectivity of the cables.

7. Finally, start pinging the network; both Windows and Linux have the PING command. You can use the ping command this way: Start > Run > cmd, then type "ping" followed by the IP address of the other computer.

How to Troubleshoot Connectivity Problems

1. Use the ping command to test basic connectivity. By using the ping command you can isolate network hardware problems and incompatible configurations. By using pathping you can detect packet loss.

2. To watch ping statistics, use the ping -t command. To see statistics and continue, press CTRL+BREAK. To stop, press CTRL+C.

3. If your remote system is across a delay link, such as a satellite link, responses may take longer.

4. Check the event logs for network card and other hardware and software configuration and connectivity related entries.

5. Check whether the NIC is on the Microsoft Hardware Compatibility List (HCL).

6. Check other computers that use the same gateway and are plugged into the same hub or switch; if those computers do not show any network connectivity problem, then the problem is on the one computer only.

7. Contact the vendor of each NIC and motherboard and update the BIOS.

8. Replace the network adapter of the system with one from a known-good configured system and see whether the same error arises again.
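The two checklists above, scripted for the Windows side as an added example (this is not code from the article or from Colasoft). It walks up the layers in the same order the checklist does, physical link, TCP/IP settings, gateway, DNS server, name resolution, external host, and stops at the first layer that fails, then pulls the recent networking errors from the System event log. It assumes Windows 8 / Server 2012 or later for the Get-NetAdapter and Get-NetIPConfiguration cmdlets; the external probe name is a placeholder to replace with a host your site is allowed to reach.

```powershell
# Added example (not from the original article): the troubleshooting checklist
# above as a script that works up from the physical layer and stops at the
# first failing step. Assumes Windows 8 / Server 2012 or later (NetTCPIP module).
# $ProbeHost is a placeholder; use a host your site is permitted to reach.

$ProbeHost = 'www.example.com'

function Test-LinkLayer {
    # Checklist steps 4 and 5: does any adapter have link at all?
    $up = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }
    if (-not $up) {
        Write-Warning 'No adapter reports link. Check the cable, the NIC LEDs and the switch/hub port.'
        return $false
    }
    $up | Format-Table Name, LinkSpeed, MacAddress -AutoSize | Out-String | Write-Output
    return $true
}

function Get-IpConfigWithGateway {
    # TCP/IP settings: address, default gateway and DNS servers of the interface that has a gateway.
    $cfg = @(Get-NetIPConfiguration | Where-Object { $_.IPv4DefaultGateway })
    if ($cfg.Count -eq 0) {
        Write-Warning 'No interface has an IPv4 default gateway (DHCP failed or static settings are wrong).'
        return $null
    }
    $cfg | Select-Object InterfaceAlias,
        @{ n = 'IPv4';    e = { $_.IPv4Address.IPAddress } },
        @{ n = 'Gateway'; e = { $_.IPv4DefaultGateway.NextHop } },
        @{ n = 'DNS';     e = { $_.DNSServer.ServerAddresses -join ',' } } |
        Format-List | Out-String | Write-Output
    return $cfg
}

function Test-Reachability([string]$Target, [string]$Label) {
    # Checklist step 7 / connectivity step 1: two echo requests, quiet boolean result.
    if (Test-Connection -ComputerName $Target -Count 2 -Quiet) {
        Write-Output "OK    $Label ($Target) answers ping"
        return $true
    }
    Write-Warning "FAIL  $Label ($Target) does not answer ping"
    return $false
}

function Get-RecentNetworkErrors {
    # Connectivity step 4: error-level System log entries from the last day, networking providers only.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 2; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -match 'Tcpip|NDIS|Dhcp|DNS|Netw' } |
        Select-Object TimeCreated, ProviderName, Id, Message -First 10
}

# Run the checks in order; stop at the first layer that fails, as the checklist advises.
if (-not (Test-LinkLayer)) { return }
$cfg = Get-IpConfigWithGateway
if (-not $cfg) { return }

$gateway = $cfg[0].IPv4DefaultGateway.NextHop
if (-not (Test-Reachability $gateway 'default gateway')) {
    Get-RecentNetworkErrors | Format-Table -AutoSize
    return
}

$dns = $cfg[0].DNSServer.ServerAddresses | Select-Object -First 1
if ($dns -and -not (Test-Reachability $dns 'DNS server')) { return }

try {
    Resolve-DnsName -Name $ProbeHost -ErrorAction Stop | Out-Null
    Write-Output "OK    name resolution for $ProbeHost"
} catch {
    Write-Warning "FAIL  name resolution for $ProbeHost (DNS server reachable but not answering)"
    return
}

Test-Reachability $ProbeHost 'external host' | Out-Null

# Connectivity steps 1 and 3: pathping reports per-hop loss and latency, which is
# how you tell a slow satellite-style link from a link that is actually dropping packets.
pathping -q 5 $ProbeHost
```

Each step isolates one layer, so a failure tells you where to look next: no link means cabling or the port, a gateway that does not answer means the local segment or the router, a reachable DNS server that does not resolve means the DNS service rather than the network.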

Conclusion

As network administrators, we need to learn the basic network troubleshooting solutions. Of course, there are many network analyzers on the market, such as Colasoft Capsa Network Analyzer, which can provide us with more advanced and easier solutions for troubleshooting network problems. To learn more about Colasoft Capsa Network Analyzer, please visit http://www.colasoft.com/capsa/.

This article was rewritten by Tammy Zhou from Colasoft.com; please read the original copy of this article here: Basic Network Troubleshooting.

    Case Study: ARP spoofing HTTP infection malware

    This year, we've seen many ARP spoofing viruses, also known as ARP cache-poisoning viruses. This type of malware comes in many variants and is widely spread in China. Recently, we uncovered an ARP spoofing virus that exhibits several new features.

    The new ARP spoofing virus inserts a malicious URL into the session of an HTTP response, thus including significant malicious content, and then exploits Internet Explorer. At the same time, the virus makes a poisoned host act as an HTTP proxy server. When any machine in the same subnet with the poisoned machine accesses the Internet, the traffic goes through the poisoned machine.

    Let's take a detailed look at the features of the latest ARP spoofing virus.

    This type of virus replaces the MAC address of the Gateway machine with the MAC address of the poisoned machine. The following screen shows the correct Gateway MAC address:
    arpspoof0

    After the ARP spoofing virus runs, the Gateway entry in the ARP table changes: the real Gateway MAC address is replaced with the MAC address of the poisoned machine, as the second screenshot shows.

    Now let's look at a detailed analysis of the virus.

    The diagram in the original post shows the mechanism used by this type of virus. Normally, when we open a Web page, the traffic goes to the Gateway machine directly (pathway 4). But if the local network is infected by an ARP spoofing virus, the traffic goes through the poisoned machine before it reaches the Gateway (pathway 5 and pathway 6).

    The following steps describe what occurs.

    First step: The poisoned machine broadcasts ARP spoofing packets claiming "I am the Gateway".

    Second step: Each machine in the subnet receives an ARP spoofing packet and updates its ARP table, so the ARP cache is poisoned.

    Third step: A victim machine now sends its Internet traffic to the poisoned machine, which forwards the HTTP packet on to the Gateway (the poisoned machine uses a packet-capture driver such as wpcap.dll or WanPacket.dll to get at the network traffic).

    Fourth step: The HTTP response from the Gateway has a malicious URL inserted into it, and the tampered packet is then sent on to the target machine.
    In the disassembly (see screenshot), we can see how the virus inserts the malicious link.

    In that code we can see partial IP address information. It comes from the malware author's network environment, which looks like the following:

    0000b3b0  255.255.255.0   subnet mask
    0000b3c0  10.xx.xx.58     poisoned machine IP address
    0000b840  10.xx.xx.1      correct Gateway address
    0000b850  10.xx.xx.*      subnet information

    Once the virus has this data, it scans the local subnet and then sends ARP spoofing packets to the machines it finds. Let's see how the virus implements these functions (see screenshot).

    In that code, the virus calls a system DLL (iphlpapi.dll) to get general information about the local network adapter. iphlpapi.dll is the module containing the functions of the Windows IP Helper API. Once the virus has the local network adapter information, it can build spoofed ARP packets; the detailed code is shown in the next screenshot.

    We used OllyDbg to trace the virus into Windows system space and obtained the code shown above. Some background knowledge was needed to present this virus here. The virus uses Colasoft Capsa to capture network traffic and insert malicious Web code into the HTTP response.
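As an added example (not code from the case study or from Colasoft), the following Python script shows the defender's side of the first two steps: it parses Ethernet/ARP frames and flags an ARP reply that claims a known gateway's IP with a MAC other than the one recorded for it, which is exactly the ARP-table change the screenshots above illustrate. The frames, MAC addresses and IP addresses are constructed for this example.

```python
"""Detect ARP cache poisoning of the kind the case study describes: an ARP
reply that claims the gateway's IP with a MAC other than the gateway's.
Added example; the frames below are constructed, not captured from the malware."""
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(sha), ip_str(spa), ip_str(tpa)

def detect_poisoning(frames, known_gateways):
    """known_gateways maps gateway IP -> its legitimate MAC (the "correct Gateway
    address" an administrator records beforehand). Returns a list of alert strings."""
    alerts, claims = [], defaultdict(set)   # claims: IP -> MACs seen asserting it
    for n, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue                         # only replies update a victim's cache entry
        _, sha, spa, _ = parsed
        claims[spa].add(sha)
        if spa in known_gateways and sha != known_gateways[spa]:
            alerts.append(f"frame {n}: {spa} claimed by {sha}, expected {known_gateways[spa]}")
        elif len(claims[spa]) > 1:           # IP flapping between MACs, gateway or not
            alerts.append(f"frame {n}: {spa} claimed by several MACs {sorted(claims[spa])}")
    return alerts

# Constructed sample frames (hex): the real gateway 10.0.0.1 is 02:00:00:00:00:01,
# a normal host is 02:00:00:00:00:42, and 02:00:00:00:00:58 plays the poisoned
# machine broadcasting "I am the Gateway". The last frame is a truncated non-ARP frame.
SAMPLE_FRAMES = [bytes.fromhex(h) for h in (
    "020000000042 020000000001 0806 0001 0800 0604 0002 020000000001 0a000001 020000000042 0a000042",
    "020000000001 020000000042 0806 0001 0800 0604 0002 020000000042 0a000042 020000000001 0a000001",
    "ffffffffffff 020000000058 0806 0001 0800 0604 0002 020000000058 0a000001 000000000000 0a000000",
    "020000000042 020000000001 0800 4500",
)]
KNOWN_GATEWAYS = {"10.0.0.1": "02:00:00:00:00:01"}

if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE_FRAMES, KNOWN_GATEWAYS):
        print(alert)
```

On a real network the same logic can be fed from a capture file or a live sniffer; the known-gateway table is what turns a MAC change into an alert rather than just a note.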

    Monitor broadcast storm with Colasoft Capsa.

    Causes of broadcast storm:

    • Incorrect network design and planning

    • Network equipment damage

    • Hubs, being broadcast devices, easily lead to broadcast storms

    • NIC or switching equipment damage

    • Network loops

    • Incorrect router configuration

    • Viruses

    How to detect a broadcast storm:

    Step 1. Set up a broadcast packet filter

    Open Filter --> Add --> From Filter Table, and check "Broadcast".

    Step 2. Detect the relevant parameters of the broadcast storm

    1. Statistical parameters

    • broadcast packet bytes

    • total broadcast packets

    • packets per second

    • packet size distribution

    • protocol type

    • etc. (add according to your own network)

    How do we make use of these parameters?

    Take 100M Ethernet for example. The maximum packets per second is 12.5M x 1024 = 12800 Bytes/s. If the broadcast packets-per-second value is greater than or close to it, we can conclude there is a broadcast storm.

    The packet total, packet count and packet size distribution differ according to the size of the network.

    Protocol type is mainly used to find the protocols with the largest traffic utilization. (PS: care must be taken to distinguish ARP Request from ARP Response: an ARP Request is broadcast, while an ARP Response is unicast.)

    2. IPID (Identification field) of the packet

    The IPID is the field that identifies an IP packet. If one protocol shows a large traffic utilization, we can check the IPID of its packets in the Packets view; if they are all the same, we can confirm the storm is caused by a network loop, since the same packet is being forwarded round and round.

    Currently, a network loop is one of the main causes of broadcast storms.

    3. Check the utilization

    How do we make use of the utilization parameters?

    Utilization is divided into "Utilization (bits)" and "Utilization (percentage)". Network utilization is computed as bits per second (from the "Summary" view) / network bandwidth (100M or 1000M Ethernet). Ordinarily an Ethernet network is still fine at 50% utilization, so we can conclude there must be a broadcast storm if the utilization from broadcast traffic alone is over 30%.
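To put the parameters of this section into practice, here is an added example (not Colasoft code) that computes the statistical parameters, the IPID repetition check and the broadcast utilization percentage over constructed packet records, applying the 30% rule stated above. The Pkt record layout is an assumption of this example, not Capsa's export format.

```python
"""Broadcast-storm indicators from the article's parameter list, computed over
constructed packet records. Added example, not Colasoft code; Pkt fields are an
assumed minimal record shape rather than Capsa's own export format."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

@dataclass(frozen=True)
class Pkt:
    ts: float                   # capture timestamp in seconds
    src: str                    # source MAC
    dst: str                    # destination MAC
    length: int                 # frame length in bytes
    proto: str                  # "ARP-Request", "ARP-Reply", "IPv4", ...
    ipid: Optional[int] = None  # IPv4 Identification field, None for non-IP frames

def broadcast_stats(pkts, bandwidth_bps, storm_pct=30.0, loop_repeats=50):
    """Return the article's statistics plus storm/loop verdicts for one capture window."""
    if not pkts:
        return {"broadcast_packets": 0, "storm": False, "loop_suspected": False}
    bcast = [p for p in pkts if p.dst == BROADCAST_MAC]
    window = max(p.ts for p in pkts) - min(p.ts for p in pkts) or 1.0  # seconds; 1.0 if single instant
    total_bytes = sum(p.length for p in bcast)
    util_pct = (total_bytes * 8 / window) / bandwidth_bps * 100     # bits/s over link bandwidth
    sizes = Counter("<=64" if p.length <= 64 else "65-512" if p.length <= 512 else ">512"
                    for p in bcast)
    protos = Counter(p.proto for p in bcast)
    # An ARP Reply should be unicast; one sent to the broadcast address is worth noting.
    anomalies = [f"broadcast ARP-Reply from {p.src}" for p in bcast if p.proto == "ARP-Reply"]
    # The same (source, IPID) seen many times is one datagram circling a loop, which is
    # what the article's "same IPID in Packets view" check looks for.
    ipid_counts = Counter((p.src, p.ipid) for p in bcast if p.ipid is not None)
    loops = {key: n for key, n in ipid_counts.items() if n >= loop_repeats}
    return {
        "broadcast_packets": len(bcast),
        "broadcast_bytes": total_bytes,
        "broadcast_pps": round(len(bcast) / window, 1),
        "size_distribution": dict(sizes),
        "protocols": dict(protos),
        "broadcast_utilization_pct": round(util_pct, 2),
        "storm": util_pct >= storm_pct,      # article's rule: broadcast alone above 30%
        "loop_suspected": bool(loops),
        "looping_ipids": loops,
        "anomalies": anomalies,
    }

# Constructed sample: a 1-second window on 100 Mbit/s Ethernet. One 1500-byte IPv4
# broadcast datagram (IPID 0x1234) from a single host appears 3000 times, as a
# forwarding loop replays it, mixed with ordinary ARP requests and one unicast reply.
SAMPLE = (
    [Pkt(i / 3000, "02:00:00:00:00:07", BROADCAST_MAC, 1500, "IPv4", 0x1234) for i in range(3000)]
    + [Pkt(0.1 * i, "02:00:00:00:00:42", BROADCAST_MAC, 60, "ARP-Request") for i in range(11)]
    + [Pkt(0.5, "02:00:00:00:00:01", "02:00:00:00:00:42", 60, "ARP-Reply")]
)
LINK_100M = 100_000_000

if __name__ == "__main__":
    for k, v in broadcast_stats(SAMPLE, LINK_100M).items():
        print(f"{k}: {v}")
```

The sample yields about 36% broadcast utilization with one IPID repeated 3000 times, so both the storm rule and the loop check fire; the calm case of a few ARP requests fires neither.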



    Download the latest Capsa 6.9R2 (Windows 7 supported) to monitor your network performance in time.

    Thursday, July 30, 2009

    Admin resource: Use the right tools to manage your network

    To be an effective network administrator, you don't have to be a scientific genius. And you don't have to memorize a bunch of obscure facts about hardware and software. Instead, you need to know two things:
    • Where to find the appropriate solutions to technology problems when they arise

    • How to use the right tools for monitoring, troubleshooting, and managing the activities of the various systems on your network

    TechRepublic is the biggest IT community, and it provides the kinds of resources you turn to for solutions when problems hit your network. To demonstrate that TechRepublic is worthy of being a solutions finder, here I've compiled a list of articles that discuss tools you can use to improve the management of your network.


    • "Test-drive: Colasoft Capsa network analyzer"

      Having good insight into your network is critical. There are so many potential issues that can be going on that any additional tool is welcome. These issues can include attacks, transmissions and applications without encryption, or incorrect configurations bogging down the network.

      Recently, I had a chance to evaluate the Colasoft network analyzer or Capsa.

    • "Servers Alive is a valuable and inexpensive uptime monitoring tool"

      To handle a problem, you have to know that it exists. That's where a program such as Servers Alive comes in. It can e-mail, page, or call an administrator with an automated alert when a system goes down, a router fails, or a service goes offline.

    • "Let Big Brother keep tabs on the health of your servers"

      Big Brother is another monitoring tool, but this one runs on Linux/UNIX (although it can monitor systems from other platforms). It's available free under an open source license.

    • "PRTG makes it easy to monitor bandwidth"

      Bandwidth is an expensive and critical commodity for most organizations. PRTG (and its Linux/UNIX cousin, MRTG) allow you to keep a close eye on bandwidth utilization and quickly spot any potential problems.

    • "Get two must-have network tools--for free"

      Here's a peek at two handy troubleshooting tools—HyperTrace and NetStatLive. Since these are small, easy-to-use, and free, there's no excuse not to try them.

    • "Quickly manage systems over KVM with BgInfo"

      Most administrators who manage more than five or 10 servers usually have them loaded into a rack and access them with a KVM switch or remote access software. However, the more servers you have, the harder it can be to tell them apart—and making a configuration change to the wrong server can have disastrous consequences. BgInfo is a little tool that can help you set up desktop screens that allow you to quickly identify your servers.

    Final word

    Of course, this is not a comprehensive list of every tool you need to manage a network. It's just a sampling of the kinds of great tools that can make you more effective at spotting problems and getting them fixed in a timely fashion.

    For more information, please visit: http://articles.techrepublic.com.com/5100-10878_11-5074896.html


    How to analyze the statistic of a specific IP in LAN with Colasoft Capsa?

    Nowadays, computers have become a necessity in the majority of companies all over the world. Network managers/administrators have to monitor their network, grasp its status in time, and find the best solution as soon as any abnormal condition occurs. They have to make sure the whole network status is visible to them, down to the traffic, conversations and packets of one specific IP address. Without appropriate network management, a large number of network risks will appear in your network.

    Colasoft Capsa 6.9R2, which supports Windows 7, is such an ideal network monitor. This article tells you how to analyze the statistics of a specific IP address when you need to locate that address and examine its stats.

    For example:
    There are 200 hosts in the LAN. You have detected that the network became very slow due to BitTorrent downloading by a specific IP address, 192.168.6.5. To check the stats under this IP (protocols, conversations, packets, etc.) and prove that it is the culprit, you need to locate it. In Colasoft Capsa, there are two ways to do so:

    1. Select the IP address under "IP Explorer" in the left Explorer window.

    2. Add the IP address in the Filter settings, following the steps shown in the screenshots.

    Then we can check all the stats related to "192.168.6.5" only, to further confirm the problem. For more information on "How to Track BitTorrent User in Network with Colasoft Packet Sniffer", please go to http://blog.colasoft.com/how-to-track-bittorrent-user-in-network-with-colasoft-packet-sniffer/

    Thursday, July 2, 2009

    Recommend 5 Nice FREE Network Analysis Tools to Network Admins

    Colasoft, with its all-in-one and easy-to-use network analyzer, Capsa, has become known and recognized in the network analysis industry. Today let me recommend five nice Colasoft network analysis tools to all network administrators; the tools are totally free and very simple, but helpful.

    Colasoft MAC Scanner Pro

    List the MAC addresses and IP addresses in your local subnet in seconds. Network administration will never be efficient until you know exactly who the user is and where the computer is. MAC Scanner Pro will do it for you.

    Core values:
    • Scan MAC addresses and IP addresses

    • Save scan results into a database for future reference and network maintenance

    • Add attributes (such as the user's name and the physical location of the host) to scan results and save them in the database

    • Automatically compare new MAC scan results with database records and notify you of differences and new records (illegal access)

    • Print and print-preview MAC scan results

    Special notice:
    Colasoft is launching a campaign this month: you can get a license key for the MAC Scanner Pro edition for free as long as you successfully recommend a friend to download the MAC Scanner free edition.

    To find out more about this, please go to www.colasoft.com/mac_scanner

    Colasoft Ping Tool
    Colasoft Ping Tool can ping multiple IP addresses simultaneously and compare their response times in a graphic chart. Users can view historical charts and save them to a *.bmp file. With this built-in tool, users can conveniently ping the IP addresses of packets captured in a protocol analyzer (e.g. Colasoft Capsa), including the source IP, the destination IP or both.

    Colasoft Packet Builder
    Colasoft Packet Builder enables creating custom network packets; users can use this tool to check their network protection against attacks and intruders. Colasoft Packet Builder includes a very powerful editing feature: besides common hex editing of raw data, it features a Decoding Editor that lets users edit specific protocol field values much more easily.

    Colasoft Packet Player
    Colasoft Packet Player is a packet replayer that lets users open captured packet trace files and play them back on the network. It supports many packet trace file formats created by sniffer software such as Colasoft Capsa, Ethereal, Network General Sniffer and WildPackets EtherPeek/OmniPeek.

    Besides sending packet files with their original inter-packet intervals, Colasoft Packet Player also supports sending them in burst mode and defining the delay between loops when the loop count is more than one.

    Why should we monitor the network conversation?

    In a network group, especially in a company, enterprise, school, bank, NSA, etc., confidential information is very important, and it can be very dangerous if it is divulged.

    Also, a company/enterprise boss can find out what the staff are talking about over the Internet at any time, whether they are using MSN, Yahoo, Gtalk, ICQ, AIM... or email and webmail...

    In this situation, we need a network monitor/packet sniffer, not only to monitor network conversations, but also to guarantee our network security by spotting danger beforehand.

    Resolution: Taking Colasoft Capsa 6.9 as an example, we will show you step by step how to monitor email activity and content with it:

    1. Choose "Logs" from the main window.

    2. As shown in the screenshot, a window for changing settings pops up after you choose "Logs". Go to Email Log → Log File Settings, then change the settings indicated by the arrow.

    3. Choose Email Messages in the Logs view; there you can find detailed information on all the email activity.

    4. Just double-click a row to read the content of any email you want.

    Conclusion:
    For every organization, institution, company, enterprise, etc., confidential information is very important and must never be allowed to leak out.

    Apart from traditional file encryption and video surveillance, what can we do in a huge network? In this situation, a powerful packet sniffer/network analyzer is quite a good right hand.

    Thursday, June 18, 2009

    How to detect the real-time network utilization

    Network utilization is the ratio of current network traffic to the maximum traffic that the port can handle. Through monitoring network utilization, we can understand whether the network is busy, normal or idle.

    The potential threats if network utilization is above normal:

    • It slows down Internet access and employee productivity;
    • It affects downloading and uploading: bandwidth may become the bottleneck of business development, and if the current bandwidth can't satisfy customers and the problem is not detected in time, you will lose customers, see customer satisfaction decline, etc.;
    • Packet loss: some highly demanding IM business (like VoIP) will be seriously affected.

    Colasoft Capsa makes it easy for us to monitor network utilization, so as to find the bottleneck and improve network performance.

    Check the brief current utilization in the "Summary" view after starting the project.

    We may switch among the nodes in the "Explorer" to view the network utilization of a specific node.

    We can also view network utilization by bits or by percentage in the "Graphs" view. Moreover, we can compare two different charts to better understand the network status.

    Give top priority to your network utilization; Colasoft Capsa will help you quickly detect network utilization and other network problems.

    Wednesday, June 17, 2009

    14 Tips to Protect Your Organization's Network


    Network security is an infinitely complex and dynamic subject, but implementing these simple measures will go a long way toward protecting your organization's LAN.


    1. Run a protocol analyzer frequently. We recommend an easy-to-use protocol analyzer, Colasoft Capsa.

    2. Disable drives: disable floppy drive access, USB ports and serial ports on networked computers.

    3. Restrict permissions: Windows 2000 and 2003 Server allow you to set permissions so that users can't run downloaded .exe or other executable files.

    4. Block instant messengers: IM and its cousins, ICQ and Yahoo Messenger, send messages and attachments out to a server and then back to their clients. You lose control when this happens.

    5. Password-protect your BIOS: a BIOS without an administrator password is an invitation to mischief.

    6. Run AV software: run anti-virus software on all your computers.

    7. Build your defenses: install a firewall or a proxy server.

    8. Beware of attachments from unknown, untrusted sources: do not open email attachments unless you trust the sender.

    9. Monitor your ports: install a port monitor to prevent your ports from being scanned.

    10. Encrypt wireless access.

    11. Keep back-office systems off the organization network.

    12. Require passwords to be changed frequently.

    13. Use CTRL+ALT+DEL to log on.

    14. Keep your networking skills up to date.



     
