April 2012 - Posts

If you are interested in brushing up on your security basics, this Thursday I'm presenting a Microsoft Live Meeting in the afternoon.

Abstract
Acquiring and deploying the latest and greatest next-generation tools in your business is always great fun for any administrator. However, while businesses are looking at new horizons in the cloud, it's important not to lose track of basic security measures. They remain a critical first line of defense: patching vulnerabilities, hardening system configurations and properly configuring software are proven to be effective.

Feel free to join:

https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032508975&Culture=en-US

Last week I was helping a good colleague of mine troubleshoot a frustrating problem. She is in the process of merging two companies, and one of the first things they would like to achieve is to directly connect the two mail servers so that mail traffic runs internally.

To achieve this the first step was to get IP connectivity running between the two companies and ping from one mail server to the other. Once this was successful all that needed doing was a quick Telnet from ServerA <=> ServerB on port 25.

Sure enough this failed, but not with a "connection refused": the connection seemed to come up and then dropped off, so the search was on.

1. The first thing to do was check with the network providers and admins on both sides to ensure no ACLs were blocking the traffic. When this came back negative there is only one place left to look for this type of issue, and that's on the wire.

2. Fired up Wireshark on the ServerB side and ran a little trace with the display filter tcp.port==25.

The traffic seemed to start normally, with the 3-way TCP handshake kicking in: SYN > SYN,ACK > ACK.

Clearly we had outgoing and incoming packets on port 25 between the two servers so a simple Layer4 firewall could not be causing the problem.

Looking a bit lower in the trace, however, you start seeing retransmissions of the data packet with relative Seq=1 Ack=1 Len=21 coming from ServerB (Wireshark helps us track sequence numbers by showing relative sequence numbers instead of the actual ones). And a bit further down the trace you start seeing retransmissions of the SYN,ACK packet coming from ServerA.

This should trigger your mind: the SYN and SYN,ACK packets are flowing from ServerB to ServerA and from ServerA back to ServerB, but the first data packet sent from ServerB to ServerA is never ACKed, and ServerA starts retransmitting the SYN,ACK packet (the second packet in the trace). Clearly, for some reason, the third packet of the three-way handshake did not register on ServerA's side.

The best way to view this type of traffic in Wireshark is to use the Flow Graph statistics tool. This view really gives you a single bird's-eye overview of the traffic flow, and you really see the retransmissions following each other.


Of course, to confirm this issue we needed to trace on the ServerA end of the communication to see if it ever received the third handshake packet, the ACK.


Again, packets and flow graphs show it all. You can clearly see the SYN packet arrive, then the 3 consecutive SYN,ACK packets being sent to ServerB, and the final RST packet when no ACK packet is received.

So the summary was easily made:

- Packets were flowing between the two servers, but the ACK packet left ServerB and never arrived on ServerA => the packet must have gotten lost in transit. A call to the network provider traced this to symmetric routing going belly up, and sure enough, after their intervention the situation was resolved and mail started flowing.
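The two captures described above, read mechanically. This is an added example and not part of the original post: the packet summaries are constructed to match what the post describes (ServerB opening port 25 to ServerA), and the IP addresses and source port are assumptions. The script groups packets per TCP stream, counts SYN,ACK and data retransmissions, checks whether the third handshake packet (the bare ACK) was ever seen, and gives the same verdict the post reached by eye for each side of the connection.

```python
"""Diagnose a broken TCP three-way handshake from packet summaries.

Added example, not code from the original post. Packet lines are constructed;
addresses 10.0.0.1 (ServerA) / 10.0.0.2 (ServerB) and port 52123 are assumptions.
"""
from collections import Counter, defaultdict

# Wireshark display filters useful while working through such a capture
# (real Wireshark field names; only the port value is an assumption).
DISPLAY_FILTERS = {
    "smtp_only": "tcp.port == 25",
    "retransmissions": "tcp.analysis.retransmission",
    "syn_ack": "tcp.flags.syn == 1 && tcp.flags.ack == 1",
    "resets": "tcp.flags.reset == 1",
}

# Constructed packet summaries, one per line:
#   no  src  dst  sport  dport  flags  seq  ack  len
# seq/ack are Wireshark-style relative numbers (0 at the SYN, 1 after it).
SERVER_B_CAPTURE = """\
1 10.0.0.2 10.0.0.1 52123 25 SYN 0 0 0
2 10.0.0.1 10.0.0.2 25 52123 SYN,ACK 0 1 0
3 10.0.0.2 10.0.0.1 52123 25 ACK 1 1 0
4 10.0.0.2 10.0.0.1 52123 25 PSH,ACK 1 1 21
5 10.0.0.1 10.0.0.2 25 52123 SYN,ACK 0 1 0
6 10.0.0.2 10.0.0.1 52123 25 ACK 1 1 0
7 10.0.0.2 10.0.0.1 52123 25 PSH,ACK 1 1 21
8 10.0.0.1 10.0.0.2 25 52123 SYN,ACK 0 1 0
9 10.0.0.2 10.0.0.1 52123 25 PSH,ACK 1 1 21
10 10.0.0.1 10.0.0.2 25 52123 RST 1 0 0
"""

SERVER_A_CAPTURE = """\
1 10.0.0.2 10.0.0.1 52123 25 SYN 0 0 0
2 10.0.0.1 10.0.0.2 25 52123 SYN,ACK 0 1 0
3 10.0.0.1 10.0.0.2 25 52123 SYN,ACK 0 1 0
4 10.0.0.1 10.0.0.2 25 52123 SYN,ACK 0 1 0
5 10.0.0.1 10.0.0.2 25 52123 RST 1 0 0
"""


def parse(capture):
    """Turn the summary text into packet dicts; blank lines are skipped."""
    pkts = []
    for line in capture.splitlines():
        if not line.strip():
            continue
        no, src, dst, sport, dport, flags, seq, ack, ln = line.split()
        pkts.append({"no": int(no), "src": src, "dst": dst,
                     "sport": int(sport), "dport": int(dport),
                     "flags": set(flags.split(",")),
                     "seq": int(seq), "ack": int(ack), "len": int(ln)})
    return pkts


def stream_key(p):
    """Direction-independent connection identifier (like Wireshark's tcp.stream)."""
    return tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))


def diagnose(capture):
    """Return one verdict per TCP stream found in the capture."""
    streams = defaultdict(list)
    for p in parse(capture):
        streams[stream_key(p)].append(p)

    results = {}
    for key, pkts in streams.items():
        syn = next((p for p in pkts if p["flags"] == {"SYN"}), None)
        if syn is None:
            results[key] = {"diagnosis": "no SYN in capture"}
            continue
        client = (syn["src"], syn["sport"])
        from_client = [p for p in pkts if (p["src"], p["sport"]) == client]
        from_server = [p for p in pkts if (p["src"], p["sport"]) != client]

        synack_retx = max(sum({"SYN", "ACK"} <= p["flags"] for p in from_server) - 1, 0)
        # Third handshake packet: bare ACK from the client, no payload, relative ack == 1.
        handshake_ack = any(p["flags"] == {"ACK"} and p["len"] == 0 and p["ack"] == 1
                            for p in from_client)
        # The same (seq, len) payload seen more than once is a retransmission.
        data = Counter((p["seq"], p["len"]) for p in from_client if p["len"] > 0)
        data_retx = sum(n - 1 for n in data.values() if n > 1)
        rst = any("RST" in p["flags"] for p in pkts)

        if synack_retx == 0 and handshake_ack:
            verdict = "handshake completed"
        elif synack_retx > 0 and handshake_ack:
            verdict = ("client side: ACK and data leave this host but the peer keeps "
                       "retransmitting SYN,ACK; the ACK is lost on the path to the peer")
        elif synack_retx > 0:
            verdict = "server side: SYN received, SYN,ACK retransmitted, handshake ACK never arrived"
            if rst:
                verdict += "; server gave up with RST"
        else:
            verdict = "incomplete capture"

        results[key] = {"client": client, "synack_retransmissions": synack_retx,
                        "handshake_ack_seen": handshake_ack,
                        "data_retransmissions": data_retx, "rst_seen": rst,
                        "diagnosis": verdict}
    return results


if __name__ == "__main__":
    for name, cap in (("ServerB", SERVER_B_CAPTURE), ("ServerA", SERVER_A_CAPTURE)):
        for key, r in diagnose(cap).items():
            print(name, key, r["diagnosis"])
```

The point of looking at both sides is in the two verdicts: the ServerB capture alone only tells you the peer keeps retransmitting SYN,ACK, while the ServerA capture proves the ACK never arrived, which is what rules out the hosts and points at the path between them.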

If you want to sharpen your knowledge on Private Cloud, fix one of these dates in your agenda!

Join two good friends of mine, Kurt Roggen (MVP) and Mike Resseler (MVP) for the Private Cloud Roadshow.


In this half day you will learn more about private cloud infrastructure setup and how you can monitor this. Learn how to create your private clouds and how to deploy standardized applications or services into these clouds. And as a final session you will learn how you can provide automation in your private cloud.

 

25 April 2012 in Brussels

https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032509960&Culture=en-US

26 April 2012 in Ghent

https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032509959&Culture=en-US

I have been in the IT security landscape for quite some time now, and one of the things I have been facing more and more over the past few months is discussions about how important anti-virus software is.

When you were in the IT security industry 10 years ago, "virus" was the buzzword; viruses were vicious things that needed to be eradicated at the root.

However, as time has progressed and technologies have evolved, viruses have changed into malware. Where they used to be aimed at showing the world the code name of their creators and spreading the word, they are now made to be as stealthy as possible and live hidden in systems collecting data.

One of the scariest trends I have been seeing is the tendency of malware to be digitally signed, sometimes with stolen certificates of highly trusted parties, the most notorious example being Stuxnet, signed with certificates stolen from JMicron and Realtek. It's important for IT pros to be aware of these trends so they know what to look for and can keep their business executives and end-users on the alert.

As malware becomes more stealthy by design, and the overall end-user indifference towards the importance of data confidentiality grows, our task as security-conscious IT pros will become even more "exciting".

If you want some extra insight into the malware signing problem, head over to this article by Craig Schmugar, who works for McAfee:

http://blogs.mcafee.com/mcafee-labs/signed-malware-you-can-runbut-you-cant-hide

I have been waiting to be able to send you all this, and it's out now: SCM 2.5 (Security Compliance Manager).

There just is no better way to manage best practice security in your environments.

If you have never seen SCM before, check out the recording I did for Microsoft; all I can say is that it's gotten better and better since this webcast:

http://technet.microsoft.com/en-us/edge/Gg603760

Key Features Include:

  • SCM 2.5 includes Windows and Office client product baselines that deliver on Computer, Domain, and User scenarios.
  • SCM 2.5 provides ready-to-deploy policies and DCM configuration packs that are tested and fully supported. Our product baselines are based on Microsoft security guide recommendations and industry best practices, allowing you to manage configuration drift, address compliance requirements, and reduce security threats.
  • Additional SCM 2.5 client product baselines are included in the download, including Windows 7 SP1, Windows Vista SP2, Windows XP SP3, Office 2010 SP1, Exchange Server 2010 and Internet Explorer 8.
  • Gold master support, which lets you create a snapshot of a reference machine or import an existing Group Policy to quickly build Configuration Manager DCM packs.
  • The ability to configure stand-alone machines and deploy your configurations to non-domain-joined computers using the new GPO Pack feature.
  • Customize and deploy one of the 64 pre-built DCM packs or group policies that cover multiple operating systems, server workloads and client applications.
  • Take advantage of the deep security expertise and best practices in the updated security guides, and the attack surface reference workbooks to help reduce the security risks that you consider to be the most important.
  • SCM configuration baselines are integrated into the System Center 2012 Service Manager Process Pack for IT GRC to provide oversight and auditor-ready reporting of your compliance activities.