Monday, February 25, 2008

OSPF Network Types and Frame Relay

OSPF Network Types and Frame Relay (ardenpackeer.com)
Dynagen Simulation...

Examples for:

  • OSPF Over Frame Relay
  • Non-Broadcast Network Type
  • Broadcast Network Type
  • Point-to-Multipoint Network Type
  • Point-to-Multipoint Non-Broadcast Network Type
  • Point-to-Point Network Type
  • Loopback Network Type

Related posts:
OSPF Network Types and Frame Relay Part 2
OSPF Network Types and Frame Relay Part 3
BGP allowas-in, BGP local-as tips and tricks…
Troubleshooting Split Horizon Issues, Part 2

Sunday, February 24, 2008

NAT Load-Balancing for Two ISP Connections (Cisco Systems)

IOS NAT Load-Balancing for Two ISP Connections (Cisco Systems)
This document describes a configuration for a Cisco IOS® router to connect a network to the Internet with Network Address Translation (NAT) through two ISP connections. The NAT of the Cisco IOS Software can distribute subsequent TCP connections and UDP sessions over multiple network connections, if equal-cost routes to a given destination are available.


IOS NAT Load-Balancing for Two ISP Connections (pdf)

NAT Load-Balancing with Optimized Edge Routing for Two Internet Connections (Cisco Systems)

IOS NAT Load-Balancing with Optimized Edge Routing for Two Internet Connections (Cisco Systems)
This document describes a configuration for a Cisco IOS® router to connect a network to the Internet with Network Address Translation through two ISP connections. The Cisco IOS Software Network Address Translation (NAT) can distribute subsequent TCP connections and UDP sessions over multiple network connections if equal-cost routes to a given destination are available. In the event that one of the connections becomes unusable, object-tracking, a component of Optimized Edge Routing (OER), can be used to deactivate the route until the connection becomes available again, which assures network availability in spite of instability or unreliability of an Internet connection.




IOS NAT Load-Balancing with Optimized Edge Routing for Two Internet Connections (pdf)

Configuring IPSec Router-to-Router, Pre-shared, NAT Overload Between Private Networks (Cisco Systems)

Configuring IPSec Router-to-Router, Pre-shared, NAT Overload Between Private Networks (Cisco Systems)
This sample configuration shows how to encrypt traffic between two private networks (10.50.50.x and 10.103.1.x) using IPSec. The networks know each other by their private addresses.


Configuring IPSec Router-to-Router, Pre-shared, NAT Overload Between Private Networks (pdf)

Configuring IPSec Router-to-Router, Pre-shared, NAT Overload Between a Private and a Public Network (Cisco Systems)

Configuring IPSec Router-to-Router, Pre-shared, NAT Overload Between a Private and a Public Network
(Cisco Systems)
This sample configuration shows how to encrypt traffic between a private network (10.103.1.x) and a public network (98.98.98.x) with the use of IPSec. The 98.98.98.x network knows the 10.103.1.x network by the private addresses. The 10.103.1.x network knows the 98.98.98.x network by the public addresses.


Configuring IPSec Router-to-Router, Pre-shared, NAT Overload Between a Private and a Public Network (pdf)

Configuring an IPSec Tunnel through a Firewall with NAT (Cisco Systems)

Configuring an IPSec Tunnel through a Firewall with NAT (Cisco Systems)
This document provides a sample configuration for an IPSec tunnel through a firewall that performs network address translation (NAT).

Configuring an IPSec Tunnel through a Firewall with NAT (pdf)

Configuring Dynamic Multipoint VPN Using GRE Over IPsec With OSPF, NAT, and Cisco IOS Firewall (Cisco Systems)

Configuring Dynamic Multipoint VPN Using GRE Over IPsec With OSPF, NAT, and Cisco IOS Firewall (Cisco Systems)
This document provides a sample configuration for Dynamic Multipoint VPN (DMVPN) using generic routing encapsulation (GRE) over IPsec with Open Shortest Path First (OSPF), Network Address Translation (NAT), and Cisco IOS® Firewall.

Configuring Dynamic Multipoint VPN Using GRE Over IPsec With OSPF, NAT, and Cisco IOS Firewall (pdf)
multipoint GRE (mGRE)

Using NAT in Overlapping Networks (Cisco Systems)

Using NAT in Overlapping Networks
This document demonstrates how you can use Network Address Translation (NAT) for overlapping networks. Overlapping networks result when you assign an IP address to a device on your network that is already legally owned and assigned to a different device on the Internet or outside network.

Using NAT in Overlapping Networks (pdf)

Network Address Translation (NAT) (Cisco Systems)

Network Address Translation (NAT) Support Page (Cisco Systems)

NAT Order of Operation (Cisco Systems)

Cisco - NAT Order of Operation
This document illustrates that the order in which transactions are processed using Network Address Translation (NAT) is based on whether a packet is going from the inside network to the outside network, or from the outside network to the inside network.

http://www.cisco.com/warp/public/556/5.pdf

The two lists below show that the point at which NAT performs the translation (global to local, or local to global) is different in each flow.
Inside-to-Outside:
If IPSec then check input access list
decryption - for CET (Cisco Encryption Technology) or IPSec
check input access list
check input rate limits
input accounting
policy routing
routing
redirect to web cache
NAT inside to outside (local to global translation)
crypto (check map and mark for encryption)
check output access list
inspect (Context-based Access Control (CBAC))
TCP intercept
encryption
Queueing


Outside-to-Inside:
If IPSec then check input access list
decryption - for CET or IPSec
check input access list
check input rate limits
input accounting
NAT outside to inside (global to local translation)
policy routing
routing
redirect to web cache
crypto (check map and mark for encryption)
check output access list
inspect CBAC
TCP intercept
encryption
Queueing

Using TCL and Macro Ping Scripts

Using TCL and Macro Ping Scripts

foreach VAR {
192.168.255.1
192.168.255.2
192.168.255.3
192.168.255.4
192.168.255.5
192.168.255.6
192.168.255.7
192.168.255.8
192.168.255.9
192.168.255.10
} { puts [exec "ping $VAR"] }


tclsh
+>foreach VAR {
+>192.168.255.1
+>192.168.255.2
+>192.168.255.3
+>192.168.255.4
+>192.168.255.5
+>192.168.255.6
+>192.168.255.7
+>192.168.255.8
+>192.168.255.9
+>192.168.255.10
+>} { puts [exec "ping $VAR"] }

Ajax File Upload (OpenJS.com)

Ajax File Upload

Configuring Sinkholes (Cisco Systems)

Worm Mitigation Technical Details - Cisco Systems

Sinkholes
A sinkhole is a multifaceted security tool: essentially, a portion of the network that is designed to accept and analyze attack traffic. Sinkholes were originally used by ISPs to engulf attack traffic, in many cases drawing attacks away from a customer or other target. In more recent times, sinkholes have been used in enterprise environments to monitor attacks, detect scanning activity from infected machines, and generally monitor for other malicious activity.
This document illustrates how a sinkhole can be used in diverting attack traffic, monitoring for worm propagation, and monitoring other potentially malicious traffic.
Traditional Sinkhole - Diverting Attack Traffic
In the first sinkhole application, a publicly accessible Web server is the target of either a DoS or DDoS attack. Figure 1 illustrates how server WWW1 is unavailable due to the attack. Additionally, the extremely high traffic volume has saturated links and routers, making server WWW2 unavailable as well.


The Attack

The Diversion

Monitoring for Worm Propagation

Backscatter Traffic



First Sinkhole Design Option

Second Sinkhole Design Option

Routing Techniques

Again using an attack scenario as an example, there are many cases where it will not be desirable or feasible to shift the attack stream to a sinkhole. In these cases, it might be preferable to simply drop the stream as close to ingress as possible.

As such, a technique called remote-triggered black hole routing (also known as remote-triggered black hole filtering) can be used. Although the technique was originally developed for dealing with attacks in ISP environments, it can also be used effectively in an enterprise network for preventing worm spread. Additionally, this technique can be used for "black holing" any internal hosts participating in outbound DoS attacks, in the event that a host (such as a roaming laptop) has been compromised in this way.

This technique performs multiple functions:

  • Black hole traffic at the line rate
  • Provide remote trigger capability to multiple routers
  • Process a large number of addresses if required
  • Drop traffic based on both destination and source address, if required

To explain the technique, we will initially illustrate how it is used to mitigate an Internet-based DoS or DDoS attack. We will then explain how it can be adapted in an enterprise network.

Black Hole Routing

Remote-Triggered Black Hole Routing

Configuration for Announcing Prefixes to Send to Black Hole

router bgp 999
...
redistribute static route-map STATIC-TO-BGP
...
!
route-map STATIC-TO-BGP permit 10
match tag 66
set ip next-hop 192.0.2.1
set local-preference 50
set community no-export 999:000
set origin igp
!
route-map STATIC-TO-BGP permit 20
!
...
ip route 171.xxx.xxx.1 255.255.255.255 Null0 tag 66
!



Mapping of a Prefix to Null0


Internal Routing Operation of Remote-Triggered Black Hole Routing (Filtering)


Dropping on Source Address
One of the criteria for remote-triggered black hole routing to be effective as a security tool is the ability to drop traffic based on both destination address and source addresses. For example, if a host is infected with a worm, it will be identified by its source address. To prevent the spread of the worm, it is necessary to have the capability to drop any traffic originating from that source address.

A second scenario requiring a mitigation technique is one in which spoofed source addresses are used. With recent worms, such as SQL Slammer and Blaster, the host’s real IP address is used to propagate the worm. This is not to say that other worms might not use spoofed addresses. As such, the scenario needs to be accommodated. There is no reason that any host should ever send out a packet with an address other than what was assigned to it. Any packets being sent out with illegitimate source addresses should be dropped at the first router hop.

The feature that enables both of these requirements is Unicast Reverse Path Forwarding (Unicast RPF). Information about Unicast RPF is available at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fothersf/scfrpf.htm

Unicast RPF in the traditional strict mode works as follows. If a packet is received on an interface, a route to that packet's source address must be available back through the same interface on which the packet was received. If this route does not exist, the packet fails the RPF check and is dropped. It is recommended that this technique be deployed on all user-facing interfaces. This technique is an effective way to drop any spoofed packets from hosts on the local network at the first router hop.


Unicast RPF in Strict Mode

!
interface FastEthernet2/0
ip address 192.xxx.xxx.50 255.255.255.0
ip verify unicast reverse-path
...
speed 100
full-duplex
!


Unicast RPF in Loose Check Mode

!
interface FastEthernet2/0
ip address 192.xxx.xxx.50 255.255.255.0
ip verify unicast source reachable-via any
...
speed 100
full-duplex
!
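To make the strict/loose distinction concrete, here is an added Python model of the uRPF decision (example code, not from the Cisco document). It assumes a constructed routing table, treats a Null0 route as "not reachable" (which is what makes the source-address black-holing above work with loose mode), and models the `allow-default` keyword of `ip verify unicast source reachable-via`: without it, a source known only via the default route fails the check.

```python
import ipaddress
from typing import List, Optional, Tuple

# A route is (prefix, egress interface); egress None models a route to Null0.
Route = Tuple[ipaddress.IPv4Network, Optional[str]]

# Constructed routing table for this example; not taken from the Cisco document.
ROUTES: List[Route] = [
    (ipaddress.ip_network("0.0.0.0/0"), "Serial0/0"),             # default route toward the ISP
    (ipaddress.ip_network("192.168.50.0/24"), "FastEthernet2/0"),  # user LAN behind Fa2/0
    (ipaddress.ip_network("192.168.60.0/24"), "FastEthernet2/1"),  # a second user LAN
    (ipaddress.ip_network("172.16.0.0/12"), None),                 # RFC1918 space sent to Null0
    (ipaddress.ip_network("198.51.100.7/32"), None),               # one source black-holed via Null0
]


def lookup(src: str) -> Optional[Route]:
    """Longest-prefix match of the packet's source address against ROUTES."""
    addr = ipaddress.ip_address(src)
    best: Optional[Route] = None
    for net, egress in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best


def rpf_check(src: str, ingress: str, mode: str, allow_default: bool = False) -> bool:
    """Return True if a packet from src arriving on ingress passes the uRPF check.

    mode="strict" models 'ip verify unicast reverse-path': the best route to the
    source must point back out the ingress interface.
    mode="loose" models 'ip verify unicast source reachable-via any': any route
    that is not Null0 is enough, whatever interface it points to.
    allow_default models the 'allow-default' keyword (assumption: without it the
    0.0.0.0/0 route does not satisfy the check in either mode).
    """
    route = lookup(src)
    if route is None:
        return False
    net, egress = route
    if net.prefixlen == 0 and not allow_default:
        return False                       # only the default route knows this source
    if egress is None:
        return False                       # the source is routed to Null0: drop it
    if mode == "strict":
        return egress == ingress
    if mode == "loose":
        return True
    raise ValueError(f"unknown uRPF mode: {mode!r}")


if __name__ == "__main__":
    # Constructed sample packets: (source, ingress interface, description).
    packets = [
        ("192.168.50.20", "FastEthernet2/0", "legitimate LAN host"),
        ("192.168.50.20", "Serial0/0", "LAN address spoofed from the Internet side"),
        ("172.16.5.5", "Serial0/0", "RFC1918 source, covered by the Null0 route"),
        ("198.51.100.7", "Serial0/0", "host black-holed by source address"),
        ("198.51.100.8", "Serial0/0", "ordinary Internet source, default route only"),
    ]
    for src, ingress, what in packets:
        strict = str(rpf_check(src, ingress, "strict"))
        loose = str(rpf_check(src, ingress, "loose"))
        loose_def = str(rpf_check(src, ingress, "loose", allow_default=True))
        print(f"{src:>14} on {ingress:<16} strict={strict:<5} loose={loose:<5} "
              f"loose+allow-default={loose_def:<5} ({what})")
```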

Selective Remote Traffic Dropping

Saturday, February 23, 2008

SQL Server Developer Center: sys.dm_db_missing_index_columns

sys.dm_db_missing_index_columns (SQL Server Developer Center)

Center for Internet Security

Center for Internet Security - Standards
The Center for Internet Security (CIS) is a non-profit enterprise whose mission is to help organizations reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls.

Cymru Bogon List v4.1 14 FEB 2008 released

The Team Cymru Bogon List v4.1 14 FEB 2008



References
IANA IPv4 Allocation Reference. This is the guide I use to generate the bogon range lists.
RFC3330 Special-Use IPv4 Addresses. This is a RFC that lists and explains the special-use netblocks.
Secure IOS Template. This template ensures that bogons can not enter or exit your border.
Secure BGP Template. This template prevents the announcement or acceptance of bogons by your BGP speaking routers.
Secure BIND Template. This template ensures that bogon sourced packets can not hit your name server for queries, updates, etc.
Bogon Prefixes. My bogon prefix tracking page.
Bogus ASNs. My bogus ASN tracking page.
Bogonet The Bogon Tracking Page and Database, by Pascal Gloor.

Bogons lists:
Dotted Decimal Bogons
Bit Notation Bogons
Bit Notation Text, Aggregated
Bit Notation Text, Not Aggregated

Team Cymru Documents and Whitepapers

Team Cymru Reading Room / Documents
Team Cymru is a specialized security research firm dedicated to making the Internet more secure. By researching the 'who' and 'why' of malicious Internet activity worldwide, Team Cymru helps organizations identify and eradicate problems in their networks.

Here is a repository of various articles we have written over the years about:
Security, UNIX, Networking, Presentations


ICMP Packet Filtering v1.2 - 12 MAR 2003 - A guide that details the minimum ICMP message types that should be allowed into and out of any network.


Bogon List - A list of bogons, IP routes that should not appear in the Internet routing table or as the source of IP packets. This list is handy for generating filters and the like, and includes dotted decimal notation, bit notation, Cisco ACLs, and Juniper prefix-list formats.

Security Configuration Guides (nsa.gov)

Security Configuration Guides (nsa.gov)
NSA has developed and distributed configuration guidance for a wide variety of software from open source to proprietary software. The objective of the configuration guidance program is to provide NSA's customers with the best possible security options in the most widely used products.

FiRST - Best Practices Guide (BPGL)


Best Practices Guide (BPGL)
Public Guides
Acceptable Use Policy Template
CERT-in-a-box
Checking Microsoft Windows Systems for Signs of Compromise
Checking UNIX/LINUX Systems for Signs of Compromise
CSIRT Case Classification (Example for enterprise CSIRT)
CSIRT Setting up Guide
CVSS based patch policy for enterprise (example)
Guide to Tunneling Windows NT VNC traffic with SSH2
IIS and NTS 4.0 Hardening Guide
Online Forensics of Win32 System Guide
Secure BGP Template
Secure BIND Template
Secure IOS Configuration Template
SSH Public Key Configuration Windows NT/2000/XP Guide
Windows 2000 / IIS 5.0 DMZ Hardening Guide
Windows 2003 / IIS 6.0 DMZ Hardening Guidelines

BIND 9 DNS Cache Poisoning (Trusteer.com)

BIND 9 DNS Cache Poisoning (Trusteer.com) March-June 2007
The paper shows that BIND 9 DNS queries are predictable, i.e. that the source UDP port and DNS transaction ID can be effectively predicted. A predictability algorithm is described that, in optimal conditions, provides very few guesses for the "next" query (10 in the basic attack, and 1 in the advanced attack), thereby overcoming whatever protection is offered by the transaction ID mechanism. This enables a much more effective DNS cache poisoning than the currently known attacks against BIND 9. The net effect is that pharming attacks are feasible against BIND 9 caching DNS servers, without the need to directly attack either DNS servers or clients (PCs). The results are applicable to all BIND 9 releases [1], when BIND (the named daemon) is in a caching DNS server configuration.

read the whole article:
http://www.trusteer.com/docs/bind9dns.html

Download PDF version

Hardening DNS with the Cymru Secure BIND template

One guide that makes hardening DNS easy is the Secure BIND Template published by security researcher Rob Thomas and the team at Cymru. The guide includes a well structured named.conf for BIND version 9 that does almost everything right: hide version numbers, block unauthorized zone transfers and outside recursive queries, block requests from impossible ("bogon") source IPs and so on. Running BIND in a chroot jail is also covered if you’re ultra-paranoid.
The template is easy to modify to fit your own DNS situation. In a few minutes you can use it to replace your existing named.conf file and have far greater protection against DNS cache poisoning, denial of service and reconnaissance of internal host names and IP addresses. Highly recommended.

Cymru Secure BIND Template:
http://www.cymru.com/Documents/secure-bind-template.html
By the way, there are also many other good things at the Cymru web site, including templates for securing Cisco IOS and BGP. They also maintain the "Bogon list", a list of IP ranges that should never be seen on the Internet (there are far more than the widely known RFC 1918 private IP ranges)… very useful as an anti-spoofing blacklist in firewalls and Internet-facing servers.

Other guides to configuring BIND 9 and DNS in general:
The Center for Internet Security (CIS) Bind Level 1 Benchmark
NIST Secure Domain Name System (DNS) Deployment Guide (PDF)

Secure BGP Template v5.2 14 FEB 2008 released

http://www.cymru.com/Documents/secure-bgp-template.html



! Our ASN is 111
router bgp 111
!
! Don't wait for the IGP to catch up.
no synchronization
!
! Be a little more forgiving of an occasional missed keepalive.
no bgp fast-external-fallover
!
! Track and punt, via syslog, all interesting observations about our
! neighbors.
bgp log-neighbor-changes
!
! Announce our netblock(s) in a manner that does not increase CPU
! utilization. Redistributing from an IGP is dangerous as it increases
! the likelihood of flapping and instability. Redistributing static is
! more stable, but requires the CPU to peruse the routing table at a set
! interval to capture any changes. The network statement, combined with
! a null route, is the least expensive (in terms of CPU utilization) and
! most reliable (in terms of stability) option.
network 1.88.0.0 mask 255.255.224.0
!
! Our first neighbor, 10.10.5.1, is an eBGP peer with the ASN of 333.
neighbor 10.10.5.1 remote-as 333
!
! Set for soft reconfiguration, thus preventing a complete withdrawal
! of all announced prefixes when clear ip bgp x.x.x.x is typed.
neighbor 10.10.5.1 soft-reconfiguration inbound
!
! Type in a description for future reference. Not everyone memorizes
! ASNs. :-)
neighbor 10.10.5.1 description eBGP with ISP333
!
! Set up a password for authentication.
neighbor 10.10.5.1 password bgpwith333
!
! Hard-set for version 4. Disabled BGP version negotiation, thus
! bringing the peering session on-line more quickly.
neighbor 10.10.5.1 version 4
!
! Block any inbound announcments that include bogon networks. A prefix
! list is used because it is:
! 1) Easier on the CPU than ACLs, and
! 2) Easier to modify.
! See the actual bogons prefix-list below.
neighbor 10.10.5.1 prefix-list bogons in
!
! Announce only those networks we specifically list. This also prevents
! the network from becoming a transit provider. An added bit of protection
! and good netizenship. See the announce prefix-list below.
neighbor 10.10.5.1 prefix-list announce out
!
! Prevent a mistake or mishap by our peer (or someone with whom our peer
! has a peering agreement) from causing router meltdown by filling the
! routing and BGP tables. This is a hard limit. At 75% of this limit,
! the IOS will issue log messages warning that the neighbor is approaching
! the limit. All log messages should be sent to a remote syslog host.
! The warning water mark can be modified by placing a value after the
! maximum prefix value, e.g. maximum-prefix 250000 50. This will set the
! IOS to issue warning messages when the neighbor reaches 50% of the limit.
! Note that this number may need to be adjusted upward in the future to
! account for growth in the Internet routing table.
neighbor 10.10.5.1 maximum-prefix 250000
!
! Our next neighbor is 10.10.10.1, an eBGP peer with the ASN of 222.
neighbor 10.10.10.1 remote-as 222
neighbor 10.10.10.1 soft-reconfiguration inbound
neighbor 10.10.10.1 description eBGP with ISP222
neighbor 10.10.10.1 password bgpwith222
neighbor 10.10.10.1 version 4
neighbor 10.10.10.1 prefix-list bogons in
neighbor 10.10.10.1 prefix-list announce out
neighbor 10.10.10.1 maximum-prefix 250000
!
! This is our iBGP peer, 172.17.70.2.
neighbor 172.17.70.2 remote-as 111
!
neighbor 172.17.70.2 soft-reconfiguration inbound
!
! Again, a handy description.
neighbor 172.17.70.2 description iBGP with our other router
!
neighbor 172.17.70.2 password bgpwith111
! Use the loopback interface for iBGP announcements. This increases the
! stability of iBGP.
neighbor 172.17.70.2 update-source Loopback0
neighbor 172.17.70.2 version 4
neighbor 172.17.70.2 next-hop-self
neighbor 172.17.70.2 prefix-list bogons in
neighbor 172.17.70.2 maximum-prefix 250000
!
! Do not automatically summarize our announcements.
no auto-summary
! If we have multiple links on the same router to the same AS, we like to
! put them to good use. Load balance, per destination, with maximum-paths.
! The limit is six. For our example, we will assume two equal size pipes
! to the same AS.
maximum-paths 2
!
! Now add our null route and the loopback/iBGP route. Remember to add
! more specific non-null routes so that the packets travel to their
! intended destination!
ip route 1.88.0.0 255.255.224.0 Null0
ip route 1.88.50.0 255.255.255.0 192.168.50.5
ip route 1.88.55.0 255.255.255.0 192.168.50.8
ip route 1.88.75.128 255.255.255.128 192.168.50.10
ip route 172.17.70.2 255.255.255.255 192.168.50.2
!
! We protect TCP port 179 (BGP port) from miscreants by limiting
! access. Allow our peers to connect and log all other attempts.
! Remember to apply this ACL to the interfaces of the router or
! add it to existing ACLs.
! Please note that ACL 185 would block ALL traffic as written. This
! is designed to focus only on protecting BGP. You MUST modify ACL
! 185 to fit your environment and approved traffic patterns.
access-list 185 permit tcp host 10.10.5.1 host 10.10.5.2 eq 179
access-list 185 permit tcp host 10.10.5.1 eq bgp host 10.10.5.2
access-list 185 permit tcp host 10.10.10.1 host 10.10.10.2 eq 179
access-list 185 permit tcp host 10.10.10.1 eq bgp host 10.10.10.2
access-list 185 permit tcp host 172.17.70.2 host 172.17.70.1 eq 179
access-list 185 permit tcp host 172.17.70.2 eq bgp host 172.17.70.1
access-list 185 deny tcp any any eq 179 log-input
!
! The announce prefix list prevents us from announcing anything beyond
! our aggregated netblock(s).
ip prefix-list announce description Our allowed routing announcements
ip prefix-list announce seq 5 permit 1.88.0.0/19
ip prefix-list announce seq 10 deny 0.0.0.0/0 le 32
!
! The bogons prefix list prevents the acceptance of obviously bogus
! routing updates. This can be modified to fit local requirements.
! While aggregation is possible - certainly desirable - IANA tends
! to allocate netblocks on a /8 boundary. For this reason, I have
! listed the bogons largely as /8 netblocks. This will make changes
! to the bogons prefix-list easier to accomplish and less intrusive.
! I have listed more specific netblocks when documentation, such as
! RFC1918, is more granular.
! Please see the IANA IPv4 netblock assignment document at the
! following URL:
! http://www.iana.org/assignments/ipv4-address-space
ip prefix-list bogons description Bogon networks we won't accept.
ip prefix-list bogons seq 5 deny 0.0.0.0/8 le 32
ip prefix-list bogons seq 10 deny 1.0.0.0/8 le 32
ip prefix-list bogons seq 15 deny 2.0.0.0/8 le 32
ip prefix-list bogons seq 20 deny 5.0.0.0/8 le 32
ip prefix-list bogons seq 30 deny 10.0.0.0/8 le 32
ip prefix-list bogons seq 32 deny 14.0.0.0/8 le 32
ip prefix-list bogons seq 35 deny 23.0.0.0/8 le 32
ip prefix-list bogons seq 40 deny 27.0.0.0/8 le 32
ip prefix-list bogons seq 45 deny 31.0.0.0/8 le 32
ip prefix-list bogons seq 50 deny 36.0.0.0/8 le 32
ip prefix-list bogons seq 55 deny 37.0.0.0/8 le 32
ip prefix-list bogons seq 60 deny 39.0.0.0/8 le 32
ip prefix-list bogons seq 70 deny 42.0.0.0/8 le 32
ip prefix-list bogons seq 75 deny 46.0.0.0/8 le 32
ip prefix-list bogons seq 80 deny 49.0.0.0/8 le 32
ip prefix-list bogons seq 85 deny 50.0.0.0/8 le 32
ip prefix-list bogons seq 255 deny 100.0.0.0/8 le 32
ip prefix-list bogons seq 260 deny 101.0.0.0/8 le 32
ip prefix-list bogons seq 265 deny 102.0.0.0/8 le 32
ip prefix-list bogons seq 270 deny 103.0.0.0/8 le 32
ip prefix-list bogons seq 275 deny 104.0.0.0/8 le 32
ip prefix-list bogons seq 280 deny 105.0.0.0/8 le 32
ip prefix-list bogons seq 285 deny 106.0.0.0/8 le 32
ip prefix-list bogons seq 290 deny 107.0.0.0/8 le 32
ip prefix-list bogons seq 295 deny 108.0.0.0/8 le 32
ip prefix-list bogons seq 300 deny 109.0.0.0/8 le 32
ip prefix-list bogons seq 305 deny 110.0.0.0/8 le 32
ip prefix-list bogons seq 310 deny 111.0.0.0/8 le 32
ip prefix-list bogons seq 315 deny 112.0.0.0/8 le 32
ip prefix-list bogons seq 320 deny 113.0.0.0/8 le 32
ip prefix-list bogons seq 390 deny 127.0.0.0/8 le 32
ip prefix-list bogons seq 395 deny 169.254.0.0/16 le 32
ip prefix-list bogons seq 400 deny 172.16.0.0/12 le 32
ip prefix-list bogons seq 415 deny 175.0.0.0/8 le 32
ip prefix-list bogons seq 420 deny 176.0.0.0/8 le 32
ip prefix-list bogons seq 425 deny 177.0.0.0/8 le 32
ip prefix-list bogons seq 430 deny 178.0.0.0/8 le 32
ip prefix-list bogons seq 435 deny 179.0.0.0/8 le 32
ip prefix-list bogons seq 440 deny 180.0.0.0/8 le 32
ip prefix-list bogons seq 445 deny 181.0.0.0/8 le 32
ip prefix-list bogons seq 450 deny 182.0.0.0/8 le 32
ip prefix-list bogons seq 455 deny 183.0.0.0/8 le 32
ip prefix-list bogons seq 460 deny 184.0.0.0/8 le 32
ip prefix-list bogons seq 465 deny 185.0.0.0/8 le 32
ip prefix-list bogons seq 490 deny 192.0.2.0/24 le 32
ip prefix-list bogons seq 500 deny 192.168.0.0/16 le 32
ip prefix-list bogons seq 510 deny 197.0.0.0/8 le 32
ip prefix-list bogons seq 512 deny 198.18.0.0/15 le 32
ip prefix-list bogons seq 515 deny 223.0.0.0/8 le 32
ip prefix-list bogons seq 520 deny 224.0.0.0/3 le 32
! Allow all prefixes up to /27. Your mileage may vary,
! so adjust this to fit your specific requirements.
ip prefix-list bogons seq 525 permit 0.0.0.0/0 le 27
!
! END
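The template relies on IOS prefix-list matching semantics that are easy to get wrong (an entry without `ge`/`le` matches only that exact length; `le 32` matches the prefix and everything inside it; first match by sequence number wins; no match is an implicit deny). The following added Python example (not part of the Cymru template) parses a subset of the prefix-list lines above and evaluates candidate routes the way IOS does, so a change to the list can be checked before it is deployed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# A subset of the prefix-list lines from the Secure BGP Template above, including
# the description lines, which the parser must skip.
CONFIG = """\
ip prefix-list announce description Our allowed routing announcements
ip prefix-list announce seq 5 permit 1.88.0.0/19
ip prefix-list announce seq 10 deny 0.0.0.0/0 le 32
ip prefix-list bogons description Bogon networks we won't accept.
ip prefix-list bogons seq 5 deny 0.0.0.0/8 le 32
ip prefix-list bogons seq 30 deny 10.0.0.0/8 le 32
ip prefix-list bogons seq 390 deny 127.0.0.0/8 le 32
ip prefix-list bogons seq 400 deny 172.16.0.0/12 le 32
ip prefix-list bogons seq 490 deny 192.0.2.0/24 le 32
ip prefix-list bogons seq 500 deny 192.168.0.0/16 le 32
ip prefix-list bogons seq 520 deny 224.0.0.0/3 le 32
ip prefix-list bogons seq 525 permit 0.0.0.0/0 le 27
"""

ENTRY_RE = re.compile(
    r"^ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) "
    r"(?P<prefix>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)


@dataclass
class Entry:
    seq: int
    action: str
    net: ipaddress.IPv4Network
    ge: Optional[int]
    le: Optional[int]

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # The candidate route must lie inside the entry's prefix ...
        if route.prefixlen < self.net.prefixlen or route.network_address not in self.net:
            return False
        # ... and its length must fall within the ge/le bounds. With neither
        # keyword the length must equal the entry's own length.
        lo = self.ge if self.ge is not None else self.net.prefixlen
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = 32
        else:
            hi = self.net.prefixlen
        return lo <= route.prefixlen <= hi


def parse_prefix_lists(text: str) -> Dict[str, List[Entry]]:
    """Parse 'ip prefix-list ... seq ...' lines into per-name entry lists."""
    lists: Dict[str, List[Entry]] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # description lines, comments and blanks carry no entry
        entry = Entry(
            seq=int(m["seq"]),
            action=m["action"],
            net=ipaddress.ip_network(m["prefix"], strict=False),
            ge=int(m["ge"]) if m["ge"] else None,
            le=int(m["le"]) if m["le"] else None,
        )
        lists.setdefault(m["name"], []).append(entry)
    for entries in lists.values():
        entries.sort(key=lambda e: e.seq)  # IOS evaluates in sequence-number order
    return lists


def evaluate(entries: List[Entry], prefix: str) -> str:
    """First matching entry decides; no match is an implicit deny, as in IOS."""
    route = ipaddress.ip_network(prefix, strict=False)
    for entry in entries:
        if entry.matches(route):
            return entry.action
    return "deny"


PREFIX_LISTS = parse_prefix_lists(CONFIG)


def check_bogons(prefix: str) -> str:
    """Would the 'bogons' inbound filter accept this announcement from a peer?"""
    return evaluate(PREFIX_LISTS["bogons"], prefix)


def check_announce(prefix: str) -> str:
    """Would the 'announce' outbound filter let us advertise this prefix?"""
    return evaluate(PREFIX_LISTS["announce"], prefix)


if __name__ == "__main__":
    for p in ("10.1.0.0/16", "192.0.2.0/24", "8.8.8.0/24", "8.8.8.0/28"):
        print(f"bogons   {p:<16} -> {check_bogons(p)}")
    for p in ("1.88.0.0/19", "1.88.50.0/24", "1.88.0.0/18"):
        print(f"announce {p:<16} -> {check_announce(p)}")
```

Note that `8.8.8.0/28` is rejected not by any bogon entry but by the final `permit 0.0.0.0/0 le 27` failing to match, which is the template's intended "nothing longer than /27" policy.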

Secure IOS Template v5.3 14 FEB 2008 released

http://www.cymru.com/Documents/secure-ios-template.html

Secure BIND Template v6.1 14 FEB 2008 released

http://www.cymru.com/Documents/secure-bind-template.html

BGP through ASA/PIX: random-sequence-number disable

BGP through ASA (6200networks.com)

If you are attempting to pass BGP updates through your ASA/PIX running 7.0/8.0 code, you need to be aware that BGP uses TCP option 19 (the TCP MD5 signature option that carries the BGP neighbor password hash), which is not permitted to pass through a PIX/ASA running 7.0 or higher. To permit traffic with this TCP option you must create a TCP map and apply it using the service-policy command. Here is an example:

tcp-map MD5-BGP
tcp-options range 19 19 allow

class-map CLASS-MD5-BGP
match port tcp eq 179

policy-map global_policy
class CLASS-MD5-BGP
set connection advanced-options MD5-BGP
set connection random-sequence-number disable

Also note that randomization of TCP sequence numbers must be disabled. This used to be done at the end of the static command, but the preferred option in 7.x and above is to use MPF and apply it via the policy-map. Also the addresses of the devices running BGP cannot be NATed. This is because the MD5 hash takes into account the IP header as well as the TCP header; so none of that information can be changed.
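To see why the MD5 hash cannot survive NAT, here is an added Python example (not from the 6200networks post) that implements the RFC 2385 signature carried in TCP option 19 and verifies it the way a receiving BGP speaker would. The peer addresses and password are taken from the Secure BGP Template above; the KEEPALIVE payload and the firewall behaviours (source rewrite, option removal) are constructed for the example.

```python
import hashlib
import hmac
import socket
import struct
from typing import Optional

TCP_MD5_KIND = 19          # TCP option kind for the MD5 signature option (RFC 2385)
TCP_MD5_OPT_LEN = 18       # kind + length + 16-byte digest


def tcp_md5_digest(src_ip: str, dst_ip: str, header20: bytes, opt_len: int,
                   data: bytes, key: bytes) -> bytes:
    """RFC 2385 digest: MD5 over the TCP pseudo-header (source IP, destination IP,
    zero, protocol 6, segment length), the 20-byte TCP header with the checksum
    zeroed and options excluded, the segment data, and finally the key.
    Both IP addresses are inputs, which is why a NATed source breaks the hash."""
    seg_len = 20 + opt_len + len(data)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, seg_len))
    hdr = header20[:16] + b"\x00\x00" + header20[18:20]   # checksum assumed zero
    return hashlib.md5(pseudo + hdr + data + key).digest()


def build_signed_segment(src_ip: str, dst_ip: str, sport: int, dport: int,
                         seq: int, ack: int, data: bytes, key: bytes) -> bytes:
    """Build a TCP segment (header + options + data) carrying the MD5 option.
    The checksum is left at zero: this segment is never put on the wire."""
    opt_len = 20                       # 18-byte option + 2 NOPs for 32-bit alignment
    data_offset = (20 + opt_len) // 4  # header length in 32-bit words
    flags = 0x18                       # PSH|ACK
    header20 = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                           data_offset << 4, flags, 65535, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, header20, opt_len, data, key)
    options = bytes([TCP_MD5_KIND, TCP_MD5_OPT_LEN]) + digest + b"\x01\x01"
    return header20 + options + data


def find_md5_option(options: bytes) -> Optional[bytes]:
    """Walk the TCP options field and return the 16-byte digest of option 19,
    or None if the option is absent (e.g. after a firewall removed it)."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                  # End of Option List
            break
        if kind == 1:                  # NOP: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if length < 2:                 # malformed option; stop parsing
            break
        if kind == TCP_MD5_KIND and length == TCP_MD5_OPT_LEN:
            return options[i + 2:i + TCP_MD5_OPT_LEN]
        i += length
    return None


def verify_segment(src_ip: str, dst_ip: str, segment: bytes, key: bytes) -> bool:
    """Receiver-side check: recompute the digest with the addresses the segment
    arrived with and compare it to the digest carried in option 19."""
    if len(segment) < 20:
        return False
    header20 = segment[:20]
    header_len = (header20[12] >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        return False
    options, data = segment[20:header_len], segment[header_len:]
    carried = find_md5_option(options)
    if carried is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, header20, len(options), data, key)
    return hmac.compare_digest(carried, expected)


# Constructed sample: a BGP KEEPALIVE (16-byte marker, length 19, type 4) from
# peer 10.10.5.1 to 10.10.5.2, signed with the password from the template above.
KEY = b"bgpwith333"
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"
SEGMENT = build_signed_segment("10.10.5.1", "10.10.5.2", 179, 40000, 1000, 2000, KEEPALIVE, KEY)


def demo() -> dict:
    """Outcome at the receiver for the original segment and for two constructed
    middlebox behaviours: a NAT that rewrites the source, and an option strip."""
    stripped_hdr = bytearray(SEGMENT[:20])
    stripped_hdr[12] = 5 << 4                          # header is 20 bytes again
    stripped = bytes(stripped_hdr) + SEGMENT[40:]      # options removed, data kept
    return {
        "peer_verifies":   verify_segment("10.10.5.1", "10.10.5.2", SEGMENT, KEY),
        "after_nat":       verify_segment("192.0.2.10", "10.10.5.2", SEGMENT, KEY),
        "wrong_key":       verify_segment("10.10.5.1", "10.10.5.2", SEGMENT, b"bgpwith222"),
        "option_stripped": verify_segment("10.10.5.1", "10.10.5.2", stripped, KEY),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:<16} {'accepted' if ok else 'rejected'}")
```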

Variance, Max-paths, and EIGRP metric calculations

Variance, Max-paths, and EIGRP metric calculations (NetworkWorld.com Community)

Friday, February 22, 2008

JUGENE - Fastest Civilian Supercomputer

Fastest civilian supercomputer (futurezone.ORF.at)


The supercomputer at the Forschungszentrum Jülich in Germany, equipped with 65,536 processors, manages 167 trillion arithmetic operations per second.

The fastest civilian computer in the world was officially put into operation on Friday at the Forschungszentrum Jülich in Germany. The 65,536 processors and the 32 terabytes of main memory of the "Jülich Blue Gene" [JUGENE] are housed in 16 man-high cabinets and deliver a total performance of 167 trillion arithmetic operations per second [teraflops]. The JUGENE, which cost 15 million euro, is thus the second-fastest computer in the world. It is surpassed only by the Blue Gene/L installation at the US government's Lawrence Livermore National Laboratory, with 478 teraflops.
Forschungszentrum Jülich

JUGENE is the third supercomputer in Jülich. Its predecessors JUMP and JUBL also have their place in the computer hall of the renowned research institution. The three computers complement each other so that the right tool is available for every scientific simulation task. Around 200 European research groups currently compute on the Jülich supercomputers. JUGENE is to be used above all for complex simulation tasks from physics and materials science, but also for calculations in biology, medicine, climate research and mechanical engineering.

Cold Cracks Hard Disk Encryption

Cold cracks hard disk encryption (futurezone.ORF.at)

After a computer is switched off, passwords can still be read out of DRAM memory for minutes. Cold extends this time span.

Researchers at Princeton University's Center for Information Technology Policy have presented a method of outwitting common hard disk encryption systems. The starting point is that information in common DRAM memory chips sometimes remains intact for minutes after the power supply is interrupted.
With physical access to the DRAM chips it is therefore possible to steal the keys used for encryption. If the memory elements are cooled, the information survives even longer and is therefore easier to steal.

Windows, Mac OS and Linux affected
The Princeton researchers have shown that the hard disk encryption systems BitLocker in Windows Vista, FileVault in Mac OS X and dm-crypt, included in the Linux kernel from version 2.6 onwards, can all be outwitted in this way.
Website of the research group

Memory remanence
"Almost everyone, including experts, will say that DRAM contents are lost when the power is switched off. But that is not the case," writes team member Ed Felten in a blog entry. The information is retained for a period of seconds to minutes. The phenomenon is called memory remanence. By cold-booting with a suitably designed operating-system environment, for example from a USB storage device, it is therefore possible to read the information out of the DRAM chips. And on typical computer systems, this information includes the supposedly secret, secure keys of hard disk encryption systems.
Cold Boot Attacks on Encryption Keys (pdf)

Nitrogen keeps passwords for hours
If the memory chips are cooled, their contents survive even longer: around ten minutes when cooled to about minus 50 degrees with compressed air from a can. Cooled to almost minus 200 degrees with liquid nitrogen, unpowered DRAM chips retain information even for hours, according to Felten. That would make transport over longer distances before reading out conceivable. Of course an attacker who wants to steal cipher keys this way must have physical access to a computer system, but that is precisely what makes the research results explosive.

Wednesday, February 20, 2008

SQL Server Storage Engine: Bulk Import Optimizations (Minimal Logging)

SQL Server Storage Engine : Bulk Import Optimizations (Minimal Logging) (MSDN)
fn_dblog()

Office 2003 Add-in: Office Web Components

Office 2003 Add-in: Office Web Components
Office Web Components are a collection of Component Object Model (COM) controls for publishing spreadsheets, charts, and databases to the Web.

owc11.exe (Date Published: 11/9/2006)

Performance Analysis of Logs (PAL) Tool

Performance Analysis of Logs (PAL) Tool (CodePlex)
Ever have a performance problem, but don't know what performance counters to collect or how to analyze them? The PAL (Performance Analysis of Logs) tool is a new and powerful tool that reads in a performance monitor counter log (any known format) and analyzes it using complex, but known thresholds (provided). The tool generates an HTML based report which graphically charts important performance counters and throws alerts when thresholds are exceeded. The thresholds are originally based on thresholds defined by the Microsoft product teams and members of Microsoft support, but continue to be expanded by this ongoing project. This tool is not a replacement of traditional performance analysis, but it automates the analysis of performance counter logs enough to save you time. This is a VBScript and requires Microsoft LogParser (free download).

Threshold files for most of the major Microsoft products such as IIS, MOSS, SQL Server, BizTalk, Exchange, and Active Directory.
An easy-to-use GUI that creates the batch files for the PAL.vbs script.
A GUI editor for creating or editing your own threshold files.
Creates an HTML-based report for easy copy/pasting into other applications.
Analyzes performance counter logs against thresholds whose criteria change based on the computer's role or hardware specs.

The PAL tool is primarily a VBScript that requires arguments/parameters passed to it in order to properly analyze performance monitor logs. In v1.1 and later of PAL, a GUI interface has been added to help with this process.

Requirements
Operating Systems
PAL runs successfully on all of the following operating systems: Windows XP SP2, Windows Vista, and Windows 2003 Server. 32-bit only, due to OWC11 requirements. Note: the optional GUI (Windows Forms) portion of PAL requires the Microsoft .NET Framework v2.0.

Log Parser 2.2
Log Parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows® operating system such as the Event Log, the Registry, the file system, and Active Directory®. PAL uses Log Parser to query performance logs and to create the charts and graphs for the PAL report.
http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&DisplayLang=en

Microsoft Office Web Components 2003
Log Parser requires the Office Web Components 2003 in order to create charts.
http://www.microsoft.com/downloads/details.aspx?FamilyID=7287252c-402e-4f72-97a5-e0fd290d4b76

Sunday, February 17, 2008

sysutil - PingIt

sysutil - PingIt
PingIt 1.11
Where the normal Windows ping lacks some features, PingIt fills them in. With PingIt you can ping a fixed-size range of IP addresses. The output is written as a ;-separated file, so it is easier to process later with your own set of tools.
download here
Changelog
Examples of commandline usage ( Quick start )
How to ping a range of IPs every 5 minutes, 24 hours a day, using PingIt

pingit usage:
pingit 192.168.1.*
pingit 192.168.*.*
pingit 192.168.1.* > output.csv
pingit 192.168.1.* 192.168.3.* > output.csv
pingit http://www.google.com/ 192.168.17.* > output.csv

output:
hostname ; resolved ip ; Round Trip Time ; TTL ; online or offline ; error code

PuTTY Connection Manager

PuTTY Connection Manager
PuTTY Connection Manager is a free PuTTY client add-on for Windows platforms whose goal is to provide a solution for managing multiple PuTTY instances.

Features
Tabs and dockable windows for PuTTY instances.
Fully compatible with PuTTY configuration (using registry).
Easily customizable to optimize workspace (fullscreen, minimize to tray, add/remove toolbar, etc.).
Automatic login feature regardless of protocol restrictions (user keyboard simulation).
Post-login commands (execute any shell command when logged).
Connection Manager : Manage a large number of connections with specific configuration (auto-login, specific PuTTY Session, post-command, etc...).
Quick connect toolbar to quickly launch a PuTTY connection.
Import/export all connection information in XML format (generate your configuration automatically from another tool and import it, or export your configuration for backup purposes).
Encrypted configuration database option available to store connection information safely (external library supporting AES with key sizes of 128, 192 and 256 bits; please check the legal status of encryption software in your country).
Standalone executable, no setup required.
Localizable : English (default) and French available (only when using setup version, standalone is english only).
Completely free for non-commercial, and personal use : PuTTY Connection Manager is freeware.

Requirements
This software is a C# application. Microsoft .NET Framework 2.0 is needed. The setup will download and install it if needed. The standalone executable will not work if .NET Framework 2.0 is not present.

PuTTY Connection Manager doesn't embed PuTTY. You must download and use your own PuTTY client. PuTTY v0.60 is recommended (a bug was identified with previous versions such as 0.59). You can download it here.

Downloads
The latest version is beta 0.6.0.4822. Here is the list of changes.
Current beta version : 0.6.0.4822
Setup (~1.94Mb, .NET 2.0 downloaded and installed by setup if needed) - Encryption library 0.6.0.0 required if using database encryption
Standalone Executable (~1.63Mb, .NET 2.0 required) - Encryption library 0.6.0.0 required if using database encryption
Help file (~1.34Mb, not included in standalone version)
Encryption library : 0.6.0.0
AES library (~212Kb, not included in PuTTY Connection Manager ) : AES Rijndael Managed 128, 192 and 256 bits encryption support. Please refer for the legal status of encryption software in your country.

Saturday, February 16, 2008

Measuring network throughput

Measuring network throughput

=> Max. throughput of a single TCP connection = TCP Window Size / Latency, where latency is the round-trip time (RTT): the sender can have at most one window of unacknowledged data in flight per round trip.


The max TCP window size in the absence of window scaling (RFC 1323) is 65535 bytes.
Example: Max Bandwidth "Toulouse-Dubai" = 65535 bytes / 0.220 s = 297886.36 bytes/s = 2.38 Mbit/s.
Over a single TCP connection between those endpoints, the measured bandwidth will be limited to 2.38 Mbit/s even if the contracted bandwidth is greater; the measurement is then testing the window, not the link.
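The same formula can be inverted to find the window a link needs (the bandwidth-delay product) and the TCP window-scale shift that gets there, which is what you check when a throughput test comes out far below the contracted rate. The following script is an added example, not part of the original post: RTT is taken in whole milliseconds to keep the arithmetic exact, and the 100 Mbit/s contracted rate used in the demo is an assumed figure.

```python
import math

# Added example (not from the original post): window-limited TCP throughput,
# the window needed for a target rate, and the RFC 1323 scale shift for it.

MAX_UNSCALED_WINDOW = 65535   # 16-bit window field without window scaling
MAX_SCALE_SHIFT = 14          # largest shift RFC 1323 permits


def max_throughput_bps(window_bytes: int, rtt_ms: int) -> float:
    """Upper bound for one TCP connection: window / RTT, in bits per second."""
    return window_bytes * 8000 / rtt_ms


def required_window_bytes(target_bps: int, rtt_ms: int) -> int:
    """Bandwidth-delay product: bytes that must be in flight to fill the pipe
    (ceiling division, so the window is never rounded down)."""
    return -(-target_bps * rtt_ms // 8000)


def window_scale_shift(window_bytes: int):
    """Smallest scale shift s such that 65535 << s covers the window, or None
    if even the maximum shift (a 1 GiB window) is not enough."""
    for s in range(MAX_SCALE_SHIFT + 1):
        if (MAX_UNSCALED_WINDOW << s) >= window_bytes:
            return s
    return None


def window_report(rtt_ms: int, contracted_bps: int) -> dict:
    """Summarize what a single unscaled connection can reach on this path and
    what it would take to actually use the contracted rate."""
    unscaled = max_throughput_bps(MAX_UNSCALED_WINDOW, rtt_ms)
    needed = required_window_bytes(contracted_bps, rtt_ms)
    return {
        "unscaled_mbit_s": round(unscaled / 1e6, 2),
        "window_limited": unscaled < contracted_bps,
        "window_needed_bytes": needed,
        "scale_shift": window_scale_shift(needed),
    }


if __name__ == "__main__":
    # Toulouse-Dubai from the post: 220 ms RTT, 100 Mbit/s assumed contract.
    for k, v in window_report(220, 100_000_000).items():
        print(f"{k}: {v}")
```

For the 220 ms path, an unscaled connection tops out at 2.38 Mbit/s, filling a 100 Mbit/s link needs about 2.75 MB in flight, and that takes a window-scale shift of 6; a test with several parallel connections, or with window scaling confirmed on both ends, is the way to measure the link rather than the window.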

Friday, February 15, 2008