<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://trycatch.be/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Tom Decaluwé</title><link>http://trycatch.be/blogs/decaluwet/default.aspx</link><description /><dc:language>en</dc:language><generator>CommunityServer 2008 SP2 (Build: 31104.93)</generator><item><title>Laura Chappell’s Wireshark book get ready</title><link>http://trycatch.be/blogs/decaluwet/archive/2010/03/09/laura-chappell-s-wireshark-book-get-ready.aspx</link><pubDate>Tue, 09 Mar 2010 21:49:44 GMT</pubDate><guid isPermaLink="false">12bbda7a-b33b-4de2-8627-f5e32a6b90ff:1031</guid><dc:creator>Tom Decaluwé</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://trycatch.be/blogs/decaluwet/rsscomments.aspx?PostID=1031</wfw:commentRss><comments>http://trycatch.be/blogs/decaluwet/archive/2010/03/09/laura-chappell-s-wireshark-book-get-ready.aspx#comments</comments><description>&lt;p&gt;For anybody interested in Wireshark sniffing, it’s time to get your credit card out of you pockets an get a pre-ordered copy of Laura Chappell’s new book due for release March 29!&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;Have a look at the sample page and you’ll know it&amp;#39; will be well worth it’s money.&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p align="center"&gt;&lt;a title="http://www.wiresharkbook.com/" href="http://www.wiresharkbook.com/"&gt;http://www.wiresharkbook.com/&lt;/a&gt;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://trycatch.be/aggbug.aspx?PostID=1031" width="1" height="1"&gt;</description></item><item><title>SNMP read IfInOctets =&gt; great trend But what about the absolute throughput 
value?</title><link>http://trycatch.be/blogs/decaluwet/archive/2010/03/09/snmp-read-ifinoctets-gt-great-trend-but-what-about-the-absolute-throughput-value.aspx</link><pubDate>Mon, 08 Mar 2010 23:14:55 GMT</pubDate><guid isPermaLink="false">12bbda7a-b33b-4de2-8627-f5e32a6b90ff:1030</guid><dc:creator>Tom Decaluwé</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://trycatch.be/blogs/decaluwet/rsscomments.aspx?PostID=1030</wfw:commentRss><comments>http://trycatch.be/blogs/decaluwet/archive/2010/03/09/snmp-read-ifinoctets-gt-great-trend-but-what-about-the-absolute-throughput-value.aspx#comments</comments><description>&lt;p&gt;If you have ever tried to read the inbound and outbound throughput of an Ethernet interface using SNMP, you may have noticed that it’s quite easy to get a nice trend graph using your favorite plotting tool (MRTG, zabbix,…) but when you try to get the actual throughput value the amount just never seems to be correct.&lt;/p&gt;  &lt;p&gt;In this article I’ll try to explain how the Cisco IfInOctets and IfOutOctets counters work and what you need to do to get the right value.&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;1) What are the IfInOctets and IfOutOctets values:&lt;/p&gt;  &lt;p&gt;The first thing you need to know is that a Cisco router holds its interface values in two tables, IfTable and IfXTable; these are fully described in RFC1213/RFC2233.&lt;/p&gt;  &lt;p&gt;- ifTable defines 32-bit counters for inbound and outbound octets&lt;/p&gt;  &lt;p&gt;- ifXTable provides similar 64-bit counters, also called high capacity (HC) counters&lt;/p&gt;  &lt;p&gt;The values we are interested in are IfInOctets, IfHCInOctets, IfOutOctets and IfHCOutOctets. For the sake of this article we will focus on the In values, but know that the exact same logic also holds for the Out counters. So let’s have a look at the two In counters.
Let’s have a look at what the Cisco documentation tells us about these two counters:&lt;/p&gt;  &lt;p&gt;- IfInOctets: &amp;quot;The total number of octets received on the interface,   &lt;br /&gt;including framing characters.&amp;quot; The reference OID is: 1.3.6.1.2.1.2.2.1.10&lt;/p&gt;  &lt;p&gt;Let’s query this value for interface 1/0/1 on a Cisco stacked switch and see the result:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_3E329C21.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px;" title="image" border="0" alt="image" src="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_thumb_5F00_084DA707.png" width="515" height="91" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;- IfHCInOctets: &amp;quot;The total number of octets received on the interface,   &lt;br /&gt;including framing characters. This object is a 64-bit    &lt;br /&gt;version of ifInOctets.&amp;quot;
The reference OID is: 1.3.6.1.2.1.31.1.1.1.6&lt;/p&gt;  &lt;p&gt;Let’s query this value for interface 1/0/1 on a Cisco stacked switch and see the result:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_15B3BA0D.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px;" title="image" border="0" alt="image" src="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_thumb_5F00_4DF23125.png" width="523" height="82" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;As you can read, both values are documented as returning the same data, “Total number of octets received”, but we are faced with a first dilemma: you have two counters to poll, each returning a different absolute value, and in some bizarre way both are giving you the total number of octets received.&lt;/p&gt;  &lt;p&gt;- IfInOctets 1.3.6.1.2.1.2.2.1.10&lt;/p&gt;  &lt;p&gt;&lt;/p&gt;  &lt;p&gt;For us to understand this we need to know what the value is that is being returned. SNMP is a very basic protocol that runs on just about any network device,… The core ideas behind SNMP are simplicity, generic usability and a low footprint. To ensure the low footprint, SNMP has very little to no intelligence built in.
It just returns values you would like to monitor and relies on your toolset to harvest this data and make it usable for you.&lt;/p&gt;  &lt;p&gt;The counter we are reading returns the number of octets received since&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;- the boot of the device&lt;/p&gt;    &lt;p&gt;- the last rollover period&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;There are two concepts here that we need to explain before the puzzle will start to fall together for you:&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;1) # of octets received =&amp;gt; that means if you want to know the data throughput you will have to read the counter twice: once at time_slot1_value and then, let’s say, 1 second later at time_slot2_value. To know the throughput in octets, now subtract &lt;/p&gt; &lt;/blockquote&gt;  &lt;blockquote&gt;   &lt;p&gt;&lt;strong&gt;time_slot2_value – time_slot1_value = total # of octets transferred&lt;/strong&gt;&lt;/p&gt;    &lt;p&gt;2) since the last rollover =&amp;gt; as you can imagine, the number of octets transferred is an ever-increasing value and this number can grow really, really fast. And this is where the 32bit / 64bit values come into play. In the old days with slow speed networks a 32bit value was used to store the # of octets transferred; once this 32bit value fills to its maximum the counter resets to zero and restarts its count until it reaches the maximum value again. As you can imagine, on a slow speed network this 32bit value fills up quite gradually and rollover does not occur all that often. However, on a high speed gigabit network a lot of packets are passing through the interface and a 32bit value in memory fills up much faster. The net problem with rollover is that at a certain point in time you will subtract time_slot1_value from time_slot2_value but time_slot2_value will be smaller than time_slot1_value, thus giving you a negative net value.
This is alright for trend,… analysis as long as it does not happen too often.&lt;/p&gt; &lt;/blockquote&gt;  &lt;blockquote&gt;   &lt;p&gt;To give you an idea of how fast this rollover occurs:&lt;/p&gt;    &lt;p&gt;- A 10 Mbps stream of back-to-back, full-size packets causes ifInOctets to wrap in just over 57 minutes.&lt;/p&gt;    &lt;p&gt;- At 100 Mbps, the minimum wrap time is 5.7 minutes.&lt;/p&gt;    &lt;p&gt;- At 1 Gbps, the minimum is 34 seconds.&lt;/p&gt;    &lt;p&gt;=&amp;gt; this means the 32bit value is just not good enough for modern high speed networks and you will almost always want to resort to the 64bit &lt;strong&gt;ifHCInOctets&lt;/strong&gt; counter value.&lt;/p&gt;    &lt;p&gt;To quote the Cisco documentation: “&lt;/p&gt;    &lt;p&gt;&lt;em&gt;For interfaces that operate at 20,000,000 (20 million) bits per second or less, you must use 32-bit byte and packet counters. For interfaces that operate faster than 20 million bits per second, and slower than 650,000,000 bits per second, you must use 32-bit packet counters and 64-bit octet counters. For interfaces that operate at 650,000,000 bits/second or faster, 64-bit packet and octet counters must be used. &lt;/em&gt;&lt;/p&gt;    &lt;p&gt;&lt;em&gt;Correspondingly, Cisco IOS® Software does not support 64-bit counters for interface speeds of less than 20 Mbps. This means that 64-bit counters are not supported on 10 Mb Ethernet ports, only 100 Mb Fast-Ethernet and other high speed ports support 64-bit counters. ”&lt;/em&gt;&lt;/p&gt; &lt;/blockquote&gt;  &lt;blockquote&gt;   &lt;p&gt;3) Converting octets to bits is the last part we need to understand if we want to know the bits per tick that pass through our network interface.
To convert the number of transmitted octets on the Ethernet network to bits we must multiply by 8.&lt;/p&gt;    &lt;p&gt;The final formula for the # of bits transferred between two ticks would thus be:&lt;/p&gt;    &lt;p align="center"&gt;&lt;strong&gt;(Value2 - Value1) * 8 = # bits transferred&lt;/strong&gt;&lt;/p&gt;    &lt;p align="left"&gt;The configuration of this within the zabbix platform is done through the four outlined fields, as illustrated below.&lt;a href="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_0630A83E.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px;" title="image" border="0" alt="image" src="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_thumb_5F00_7F30F5B8.png" width="427" height="344" /&gt;&lt;/a&gt; &lt;/p&gt;    &lt;p align="left"&gt;The end result should be a great looking trend graph with correct absolute end values.&lt;/p&gt;    &lt;p align="left"&gt;&lt;a href="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_56B213A4.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px;" title="image" border="0" alt="image" src="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_thumb_5F00_7E951303.png" width="438" height="174" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://trycatch.be/aggbug.aspx?PostID=1030" width="1" height="1"&gt;</description></item><item><title>OWA keeps prompting for Username / Password =&gt; Wireshark to the rescue</title><link>http://trycatch.be/blogs/decaluwet/archive/2010/02/26/owa-keeps-prompting-for-username-password-gt-wireshark-to-the-rescue.aspx</link><pubDate>Fri, 26 Feb 2010 15:23:12 GMT</pubDate><guid 
isPermaLink="false">12bbda7a-b33b-4de2-8627-f5e32a6b90ff:1025</guid><dc:creator>Tom Decaluwé</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://trycatch.be/blogs/decaluwet/rsscomments.aspx?PostID=1025</wfw:commentRss><comments>http://trycatch.be/blogs/decaluwet/archive/2010/02/26/owa-keeps-prompting-for-username-password-gt-wireshark-to-the-rescue.aspx#comments</comments><description>&lt;p&gt;Yesterday evening we patched a number of servers as we were running behind on our normal patch cycle. Everything went well but this morning I got a call from our UK users that their OWA system was not working.&lt;/p&gt;  &lt;p&gt;Our infrastructure is running Exchange 2003 with one Front-End in our central datacenter and two Back-Ends, one in each country UK / BE.&lt;/p&gt;  &lt;p&gt;The Exchange servers are all members of the root domain but the UK users are still part of a child domain.&lt;/p&gt;  &lt;p&gt;Belgian users were having no problem accessing their OWA, syncing the Windows mobiles,… But I got a call from UK telling me they couldn’t log on to the webmail.&lt;/p&gt;  &lt;p&gt;1. My first reaction was to review all patches and to check if Front-End and Back-End were all running at the same patch levels,… This didn’t seem to be a problem.&lt;/p&gt;  &lt;p&gt;2. My second thing to check was if I could actually reach the Back-End OWA interface from the Front-End server. To my surprise this was also giving me the auth prompts and ending in an Access denied.&lt;/p&gt;  &lt;p&gt;3. My third step was to access OWA on the Back-End from a local UK client, this was working without a problem :-(&lt;/p&gt;  &lt;p&gt;4. After checking the firewall rules between Front-End / Back-End I decided to fire up my trusted Wireshark and see what the f*ck was going on.
And yes within seconds I had my answer.&lt;/p&gt;  &lt;p&gt;Packet 360 gave me what I needed to know =&amp;gt; there was a +10 minutes time skew between the Front-End and the Back-End server that was causing Kerberos to error out. &lt;/p&gt;  &lt;p&gt;&lt;a href="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_7547E6E2.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px;" title="image" border="0" alt="image" src="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_thumb_5F00_782D25C8.png" width="867" height="57" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&lt;a href="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_2B88E925.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px;" title="image" border="0" alt="image" src="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_thumb_5F00_64339332.png" width="843" height="41" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;6. 
After updating the firewall rules to allow NTP traffic a quick net time update and kazaaam, everything was back to normal&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt; grtz&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;Tom&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://trycatch.be/aggbug.aspx?PostID=1025" width="1" height="1"&gt;</description></item><item><title>TechNet Live Meeting - Forefront Threat Management Gateway - Technisch overzicht 18-02-2010</title><link>http://trycatch.be/blogs/decaluwet/archive/2010/02/16/technet-live-meeting-forefront-threat-management-gateway-technisch-overzicht-18-02-2010.aspx</link><pubDate>Tue, 16 Feb 2010 21:26:12 GMT</pubDate><guid isPermaLink="false">12bbda7a-b33b-4de2-8627-f5e32a6b90ff:1023</guid><dc:creator>Tom Decaluwé</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://trycatch.be/blogs/decaluwet/rsscomments.aspx?PostID=1023</wfw:commentRss><comments>http://trycatch.be/blogs/decaluwet/archive/2010/02/16/technet-live-meeting-forefront-threat-management-gateway-technisch-overzicht-18-02-2010.aspx#comments</comments><description>&lt;p&gt;If you are interested in TMG and the Forefront product, don’t forget to register for Thursday’s 18-02-2010 online event:&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;&lt;a title="http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032439027&amp;amp;EventCategory=2&amp;amp;culture=nl-BE&amp;amp;CountryCode=BE" href="http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032439027&amp;amp;EventCategory=2&amp;amp;culture=nl-BE&amp;amp;CountryCode=BE"&gt;http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032439027&amp;amp;EventCategory=2&amp;amp;culture=nl-BE&amp;amp;CountryCode=BE&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;This session will be presented by MVP Paul Loonen a security specialist.&lt;/p&gt;&lt;div 
style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://trycatch.be/aggbug.aspx?PostID=1023" width="1" height="1"&gt;</description></item><item><title>IT-Pro Chalk Talk Session</title><link>http://trycatch.be/blogs/decaluwet/archive/2010/02/04/it-pro-chalk-talk-session.aspx</link><pubDate>Thu, 04 Feb 2010 12:49:49 GMT</pubDate><guid isPermaLink="false">12bbda7a-b33b-4de2-8627-f5e32a6b90ff:1009</guid><dc:creator>Tom Decaluwé</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://trycatch.be/blogs/decaluwet/rsscomments.aspx?PostID=1009</wfw:commentRss><comments>http://trycatch.be/blogs/decaluwet/archive/2010/02/04/it-pro-chalk-talk-session.aspx#comments</comments><description>&lt;p&gt;&lt;a&gt;&lt;img style="border-bottom:0px;border-left:0px;display:block;float:none;margin-left:auto;border-top:0px;margin-right:auto;border-right:0px;" title="chalkboard_original with illustrations" border="0" alt="chalkboard_original with illustrations" src="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/chalkboard_5F00_originalwithillustrations_5F00_412B8469.jpg" width="391" height="359" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;IT-Talks, Pro-Exchange &amp;amp; Winsec are teaming up to bring you the first ever Belgian &lt;strong&gt;IT-Pro Chalk Talk session, on Thursday 4 March 2010, at the Microsoft België offices.&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;During this event we will be bringing a panel of MVPs and other leading industry experts together to answer any and all of your technical questions in a live and interactive environment.&lt;/p&gt;  &lt;p&gt;The purpose of this session is to show you how the panel thinks and analyses problems from their expertise and, where possible, formulates answers or research options to help you solve your real world issues.&lt;/p&gt;  &lt;p&gt;The technologies that we will be covering during this 
event are:&lt;/p&gt;  &lt;p&gt;· Exchange Server&lt;/p&gt;  &lt;p&gt;· Office Communications Server&lt;/p&gt;  &lt;p&gt;· Active Directory&lt;/p&gt;  &lt;p&gt;· Security&lt;/p&gt;  &lt;p&gt;· General networking TCP/IP&lt;/p&gt;  &lt;p&gt;· Group policies&lt;/p&gt;  &lt;p&gt;We offer you the option to send your questions / problems upfront by email or bring them in and ask them live.&lt;/p&gt;  &lt;p&gt;· &lt;a href="mailto:info@pro-exchange.be"&gt;info@pro-exchange.be&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;· &lt;a href="mailto:info@it-talks.be"&gt;info@it-talks.be&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;· &lt;a href="mailto:chalktalk@winsec.be"&gt;chalktalk@winsec.be&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Pre-registration for this event is required at &lt;a href="http://itprochalktalk.eventbrite.com/"&gt;http://itprochalktalk.eventbrite.com/&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;If you can’t physically make it to this event you will have the opportunity to join in through a live meeting. The details will be emailed to all registered users.&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;IT-Talks, Pro-Exchange &amp;amp; Winsec&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;Register via &lt;a href="http://itprochalktalk.eventbrite.com/"&gt;http://itprochalktalk.eventbrite.com/&lt;/a&gt;    &lt;table cellspacing="0" cellpadding="0"&gt;       &lt;tr&gt;         &lt;td&gt;           &lt;p&gt;Location&lt;/p&gt;         &lt;/td&gt;          &lt;td&gt;           &lt;p&gt;Microsoft België offices&lt;/p&gt;            &lt;p&gt;Corporate Village&lt;/p&gt;            &lt;p&gt;Leonardo Da Vincilaan 3&lt;/p&gt;            &lt;p&gt;1935 Zaventem (&lt;a href="http://www.microsoft.com/belux/nl/about/belgium/route_bel.mspx"&gt;Directions&lt;/a&gt;)&lt;/p&gt;         &lt;/td&gt;       &lt;/tr&gt;        &lt;tr&gt;         &lt;td&gt;           &lt;p&gt;Time&lt;/p&gt;         &lt;/td&gt;          &lt;td&gt;           &lt;p&gt;Thursday 4 March 2010 19h00 till +/- 21h00&lt;/p&gt;         &lt;/td&gt;   
    &lt;/tr&gt;     &lt;/table&gt;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://trycatch.be/aggbug.aspx?PostID=1009" width="1" height="1"&gt;</description></item><item><title>IE zero day attack patch MS10-002 =&gt; Install Now</title><link>http://trycatch.be/blogs/decaluwet/archive/2010/01/23/ie-zero-day-attack-patch-ms10-002-gt-install-now.aspx</link><pubDate>Sat, 23 Jan 2010 09:38:14 GMT</pubDate><guid isPermaLink="false">12bbda7a-b33b-4de2-8627-f5e32a6b90ff:992</guid><dc:creator>Tom Decaluwé</dc:creator><slash:comments>1</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://trycatch.be/blogs/decaluwet/rsscomments.aspx?PostID=992</wfw:commentRss><comments>http://trycatch.be/blogs/decaluwet/archive/2010/01/23/ie-zero-day-attack-patch-ms10-002-gt-install-now.aspx#comments</comments><description>&lt;p&gt;Anyone that has been following the security landscape the past few days knows a zero day IE attack was used during the Gmail attack that took place the 12th of January and led to the Google statement that they would consider pulling out of China.&lt;/p&gt;  &lt;p&gt;Since then the zero day IE exploit that uses an invalid pointer in IE has been looked at in all detail by the good, the bad and the ugly. There is exploit code out in the wild for everyone to enjoy and as a result MS has released an out of band security update that you should install NOW!&lt;/p&gt;  &lt;p&gt;Head out to your local MS update site and update your PCs asap.
It’s important to know that even though the initial issue was thought to be limited to IE6, this is not the case and you need to patch IE7 and 8 too.&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p align="center"&gt;&lt;a title="http://www.update.microsoft.com" href="http://www.update.microsoft.com"&gt;http://www.update.microsoft.com&lt;/a&gt;&lt;/p&gt;  &lt;p align="center"&gt;&amp;#160;&lt;/p&gt;  &lt;p align="left"&gt;more info:&lt;/p&gt;  &lt;p align="left"&gt;&lt;a title="http://blogs.technet.com/sus/archive/2010/01/21/microsoft-security-bulletin-ms10-002-978207-released-today.aspx" href="http://blogs.technet.com/sus/archive/2010/01/21/microsoft-security-bulletin-ms10-002-978207-released-today.aspx"&gt;http://blogs.technet.com/sus/archive/2010/01/21/microsoft-security-bulletin-ms10-002-978207-released-today.aspx&lt;/a&gt;&lt;/p&gt;  &lt;p align="left"&gt;&lt;a title="http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx" href="http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx"&gt;http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx&lt;/a&gt;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://trycatch.be/aggbug.aspx?PostID=992" width="1" height="1"&gt;</description></item><item><title>Forefront Threat Management Gateway – technet webcast</title><link>http://trycatch.be/blogs/decaluwet/archive/2010/01/21/forefront-threat-management-gateway-technet-webcast.aspx</link><pubDate>Thu, 21 Jan 2010 11:19:10 GMT</pubDate><guid isPermaLink="false">12bbda7a-b33b-4de2-8627-f5e32a6b90ff:991</guid><dc:creator>Tom Decaluwé</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://trycatch.be/blogs/decaluwet/rsscomments.aspx?PostID=991</wfw:commentRss><comments>http://trycatch.be/blogs/decaluwet/archive/2010/01/21/forefront-threat-management-gateway-technet-webcast.aspx#comments</comments><description>&lt;p&gt;&lt;a 
href="http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032439027&amp;amp;Culture=nl-BE"&gt;Forefront Threat Management Gateway - Technisch overzicht&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;table cellspacing="0" cellpadding="0"&gt;     &lt;tr&gt;       &lt;td&gt;         &lt;table cellspacing="0" cellpadding="0"&gt;             &lt;tr&gt;               &lt;td&gt;                 &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/aralves/WindowsLiveWriter/TechNetLivemeetingsinJanuarienFebruari_13878/image_2.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px;" title="clip_image002" border="0" alt="clip_image002" src="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/clip_5F00_image002_5F00_78CD2776.gif" width="80" height="80" /&gt;&lt;/a&gt;&lt;/p&gt;               &lt;/td&gt;                &lt;td&gt;                 &lt;p&gt;This session gives an overview of the Forefront TMG and Forefront UAG features. Backed by the integrated Stirling security suite and TMG’s advanced security features, organizations get integrated security that works in practice. In this session we present the benefits of this integrated approach and take a closer look at the most important features and the ‘high level’ architecture.
We also cover the capabilities within UAG, such as direct access, application publishing and multiple authentication methods.&lt;/p&gt;               &lt;/td&gt;             &lt;/tr&gt;              &lt;tr&gt;               &lt;td&gt;&amp;#160;&lt;/td&gt;                &lt;td&gt;                 &lt;p&gt;&lt;b&gt;&lt;a href="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/clip_5F00_image004_5F00_7F8030F9.gif"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px;" title="clip_image004" border="0" alt="clip_image004" src="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/clip_5F00_image004_5F00_thumb_5F00_06333A7D.gif" width="17" height="17" /&gt;&lt;/a&gt;&lt;strong&gt;18 February – 14:00 &lt;/strong&gt;&lt;/b&gt;&lt;a href="http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032439027&amp;amp;Culture=nl-BE"&gt;&lt;strong&gt;Register&lt;/strong&gt;&lt;/a&gt;&lt;/p&gt;               &lt;/td&gt;             &lt;/tr&gt;           &lt;/table&gt;       &lt;/td&gt;     &lt;/tr&gt;   &lt;/table&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://trycatch.be/aggbug.aspx?PostID=991" width="1" height="1"&gt;</description></item><item><title>Where have i been</title><link>http://trycatch.be/blogs/decaluwet/archive/2009/12/31/where-have-i-been.aspx</link><pubDate>Thu, 31 Dec 2009 17:49:41 GMT</pubDate><guid isPermaLink="false">12bbda7a-b33b-4de2-8627-f5e32a6b90ff:983</guid><dc:creator>Tom Decaluwé</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://trycatch.be/blogs/decaluwet/rsscomments.aspx?PostID=983</wfw:commentRss><comments>http://trycatch.be/blogs/decaluwet/archive/2009/12/31/where-have-i-been.aspx#comments</comments><description>&lt;p&gt;Well it’s been a while since I was on my blog but as you can see I had a good 
reason.&lt;/p&gt;  &lt;p&gt;&lt;a href="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/IMAG0019_5F00_5E685EB9.jpg"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px;" title="IMAG0019" border="0" alt="IMAG0019" src="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/IMAG0019_5F00_thumb_5F00_25FA37E1.jpg" width="244" height="184" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Our first born is a great son weighing in at 2850gr and measuring 48cm, he’s adorable and really worth all the painting and decorating I have been doing in his room for the past weeks and months.&lt;/p&gt;  &lt;p&gt;We have called him Ernest and I hope he grows up to love computers as much as I do ;-)&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://trycatch.be/aggbug.aspx?PostID=983" width="1" height="1"&gt;</description></item><item><title>Fancy searching with Search Documents</title><link>http://trycatch.be/blogs/decaluwet/archive/2009/11/02/fancy-searching-with-search-documents.aspx</link><pubDate>Mon, 02 Nov 2009 21:15:06 GMT</pubDate><guid isPermaLink="false">12bbda7a-b33b-4de2-8627-f5e32a6b90ff:953</guid><dc:creator>Tom Decaluwé</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://trycatch.be/blogs/decaluwet/rsscomments.aspx?PostID=953</wfw:commentRss><comments>http://trycatch.be/blogs/decaluwet/archive/2009/11/02/fancy-searching-with-search-documents.aspx#comments</comments><description>&lt;p&gt;The more you read and work with Windows 7 (and Windows Vista for those still out there) the more you start to find the little things that make it great.&lt;/p&gt;  &lt;p&gt;One of the features I have re-discovered is the advanced search and filter in Explorer.
&lt;/p&gt;  &lt;p&gt;I’m a real command line geek and one of the things file explorer could never do for me was give me a great way to search and filter through files, until I found the Search Documents field.&lt;/p&gt;  &lt;p&gt;&lt;a href="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_634D5B25.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px;" title="image" border="0" alt="image" src="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_thumb_5F00_3657F84A.png" width="527" height="200" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;In every file explorer window you have the Search Documents field, which gives you a very rich search syntax.&lt;/p&gt;  &lt;p align="center"&gt;&lt;font color="#ff8040" size="4"&gt;&amp;lt; Field&amp;gt;&lt;strong&gt;:&lt;/strong&gt;&amp;lt;Value&amp;gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;Let’s try some examples: &lt;em&gt;&lt;strong&gt;&lt;font color="#ff8040" size="4"&gt;name:Pictures&lt;/font&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;&lt;a href="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_2DF422F3.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px;" title="image" border="0" alt="image" src="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_thumb_5F00_3AEE0304.png" width="523" height="129" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Let’s try some examples: &lt;em&gt;&lt;strong&gt;&lt;font color="#ff8040" size="4"&gt;size:&amp;lt;field&amp;gt;&lt;/font&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;&lt;a href="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_5A30A9D7.png"&gt;&lt;img 
style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px;" title="image" border="0" alt="image" src="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_thumb_5F00_79DF839F.png" width="244" height="189" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;When typing in a field you can set your own value or choose one of the auto completion values.&lt;/p&gt;  &lt;p&gt;After completing a search string you can also see the interface gives you option to select additional fields.&lt;/p&gt;  &lt;p&gt;&lt;a href="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_52390775.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px;" title="image" border="0" alt="image" src="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_thumb_5F00_7D116B87.png" width="361" height="186" /&gt;&lt;/a&gt; &lt;font color="#0070c0" size="1"&gt;&lt;font color="#0070c0" size="1"&gt;&lt;/font&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;/p&gt;  &lt;p&gt;a somewhat more complex string could look like: &lt;/p&gt;  &lt;p&gt;&lt;font color="#ff8040" size="4"&gt;size:&amp;lt;200 and type:.csv or type:.jpg and not name:H&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;a href="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_2A265856.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px;" title="image" border="0" alt="image" src="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_thumb_5F00_3ABE5344.png" width="482" height="153" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://trycatch.be/aggbug.aspx?PostID=953" width="1" height="1"&gt;</description></item><item><title>Aero 
shake</title><link>http://trycatch.be/blogs/decaluwet/archive/2009/10/30/aero-shake.aspx</link><pubDate>Fri, 30 Oct 2009 07:25:42 GMT</pubDate><guid isPermaLink="false">12bbda7a-b33b-4de2-8627-f5e32a6b90ff:949</guid><dc:creator>Tom Decaluwé</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://trycatch.be/blogs/decaluwet/rsscomments.aspx?PostID=949</wfw:commentRss><comments>http://trycatch.be/blogs/decaluwet/archive/2009/10/30/aero-shake.aspx#comments</comments><description>&lt;p&gt;If you have been using Windows 7, this might be a feature you have not found yet, but it’s well worth knowing:&lt;/p&gt;  &lt;p&gt;To reduce distraction and clutter on the desktop you can minimize all other windows except the one you are actively using by shaking the window on your desktop. Let go and shake again and you restore all windows back to their original position.&lt;/p&gt;  &lt;p&gt;Try it and see for yourself!&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://trycatch.be/aggbug.aspx?PostID=949" width="1" height="1"&gt;</description></item><item><title>Patch Vulnerabilities in SMBv2</title><link>http://trycatch.be/blogs/decaluwet/archive/2009/10/13/patch-vulnerabilities-in-smbv2.aspx</link><pubDate>Tue, 13 Oct 2009 21:45:25 GMT</pubDate><guid isPermaLink="false">12bbda7a-b33b-4de2-8627-f5e32a6b90ff:937</guid><dc:creator>Tom Decaluwé</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://trycatch.be/blogs/decaluwet/rsscomments.aspx?PostID=937</wfw:commentRss><comments>http://trycatch.be/blogs/decaluwet/archive/2009/10/13/patch-vulnerabilities-in-smbv2.aspx#comments</comments><description>&lt;h3&gt;If you have not done so this month, it’s high time to make it a priority and start patching for the SMBv2 vulnerability!&lt;/h3&gt;  &lt;p&gt;&lt;a title="http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx" 
href="http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx"&gt;http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Again, I can only stress that it took a full month before MS released the fix, so make sure to read my post on how TMG protects you from 0-day vulnerabilities.&lt;/p&gt;  &lt;p&gt;&lt;a title="http://trycatch.be/blogs/decaluwet/archive/2009/09/29/how-tmg-protects-you-from-smbv2-0-day-vulnerability.aspx" href="http://trycatch.be/blogs/decaluwet/archive/2009/09/29/how-tmg-protects-you-from-smbv2-0-day-vulnerability.aspx"&gt;http://trycatch.be/blogs/decaluwet/archive/2009/09/29/how-tmg-protects-you-from-smbv2-0-day-vulnerability.aspx&lt;/a&gt;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://trycatch.be/aggbug.aspx?PostID=937" width="1" height="1"&gt;</description></item><item><title>Next It-TAlks events</title><link>http://trycatch.be/blogs/decaluwet/archive/2009/10/12/next-it-talks-events.aspx</link><pubDate>Mon, 12 Oct 2009 20:14:14 GMT</pubDate><guid isPermaLink="false">12bbda7a-b33b-4de2-8627-f5e32a6b90ff:936</guid><dc:creator>Tom Decaluwé</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://trycatch.be/blogs/decaluwet/rsscomments.aspx?PostID=936</wfw:commentRss><comments>http://trycatch.be/blogs/decaluwet/archive/2009/10/12/next-it-talks-events.aspx#comments</comments><description>&lt;p&gt;&lt;b&gt;Event Name: &amp;quot;Working with Forefront Threat Management Gateway 2010&amp;quot;&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;Topic: During this event we will focus on TMG, the follow-up to ISA Server, and all its old and new features.&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;Speaker: Tom Decaluwé&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;Event dates:&lt;/b&gt;    &lt;table cellspacing="1" cellpadding="0"&gt;       &lt;tr&gt;         &lt;td&gt;           &lt;p&gt;Event&lt;/p&gt;         &lt;/td&gt;          
&lt;td&gt;           &lt;p&gt;Info&lt;/p&gt;         &lt;/td&gt;       &lt;/tr&gt;        &lt;tr&gt;         &lt;td&gt;           &lt;p&gt;It-Short talk&lt;/p&gt;         &lt;/td&gt;          &lt;td&gt;           &lt;p&gt;Date and time: &lt;b&gt;Monday 26 October 2009, 19:00 – 21:30 &lt;/b&gt;&lt;/p&gt;            &lt;p&gt;Location: &lt;b&gt;Contributiestraat 9, 9000 Gent&lt;/b&gt;&lt;/p&gt;            &lt;p&gt;Entry: &lt;b&gt;Free&lt;/b&gt;&lt;/p&gt;            &lt;p&gt;Focus: &lt;b&gt;During this event we will focus on the &lt;u&gt;theory &lt;/u&gt;of the new features inside the TMG project and how and why to use them in your production networks.&lt;/b&gt;&lt;/p&gt;         &lt;/td&gt;       &lt;/tr&gt;        &lt;tr&gt;         &lt;td&gt;           &lt;p&gt;Full day talk&lt;/p&gt;         &lt;/td&gt;          &lt;td&gt;           &lt;p&gt;Date and time: &lt;b&gt;Saturday 21 November, 10:00 – 17:30 &lt;/b&gt;&lt;/p&gt;            &lt;p&gt;Location: &lt;b&gt;Spes Nostra - Koning Albertstraat 50 - 8520 Kuurne&lt;/b&gt;&lt;/p&gt;            &lt;p&gt;Entry: &lt;b&gt;15€ for drinks and lunch&lt;/b&gt;&lt;/p&gt;            &lt;p&gt;Focus:&lt;b&gt; During this event we will focus on a &lt;u&gt;hands-on practice&lt;/u&gt; lab around implementing TMG in your network.&lt;/b&gt;&lt;/p&gt;         &lt;/td&gt;       &lt;/tr&gt;     &lt;/table&gt; &lt;/p&gt;  &lt;p&gt;&lt;b&gt;You can register for these events by sending an email to &lt;/b&gt;&lt;a&gt;&lt;b&gt;tom@decaluwe.eu&lt;/b&gt;&lt;/a&gt;&lt;b&gt;. Include which events you will attend; seats are limited, so register ASAP!&lt;/b&gt;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://trycatch.be/aggbug.aspx?PostID=936" width="1" height="1"&gt;</description></item><item><title>Forefront Threat Management Gateway 2010 Release Candidate Now 
Available</title><link>http://trycatch.be/blogs/decaluwet/archive/2009/10/12/forefront-threat-management-gateway-2010-release-candidate-now-available.aspx</link><pubDate>Mon, 12 Oct 2009 18:56:22 GMT</pubDate><guid isPermaLink="false">12bbda7a-b33b-4de2-8627-f5e32a6b90ff:935</guid><dc:creator>Tom Decaluwé</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://trycatch.be/blogs/decaluwet/rsscomments.aspx?PostID=935</wfw:commentRss><comments>http://trycatch.be/blogs/decaluwet/archive/2009/10/12/forefront-threat-management-gateway-2010-release-candidate-now-available.aspx#comments</comments><description>&lt;p&gt;If you have not done so yet, it’s high time to get the latest TMG RC&lt;/p&gt;  &lt;p&gt;&lt;a title="http://blogs.technet.com/isablog/archive/2009/10/11/forefront-threat-management-gateway-2010-release-candidate-now-available.aspx" href="http://blogs.technet.com/isablog/archive/2009/10/11/forefront-threat-management-gateway-2010-release-candidate-now-available.aspx"&gt;http://blogs.technet.com/isablog/archive/2009/10/11/forefront-threat-management-gateway-2010-release-candidate-now-available.aspx&lt;/a&gt;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://trycatch.be/aggbug.aspx?PostID=935" width="1" height="1"&gt;</description></item><item><title>Great Documentation Using Problem Steps Recorder</title><link>http://trycatch.be/blogs/decaluwet/archive/2009/10/04/great-documentation-using-problem-steps-recorder.aspx</link><pubDate>Sat, 03 Oct 2009 23:22:36 GMT</pubDate><guid isPermaLink="false">12bbda7a-b33b-4de2-8627-f5e32a6b90ff:930</guid><dc:creator>Tom Decaluwé</dc:creator><slash:comments>1</slash:comments><wfw:commentRss 
xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://trycatch.be/blogs/decaluwet/rsscomments.aspx?PostID=930</wfw:commentRss><comments>http://trycatch.be/blogs/decaluwet/archive/2009/10/04/great-documentation-using-problem-steps-recorder.aspx#comments</comments><description>&lt;p&gt;Windows 7 and Windows 2008 R2 have some great new tools, and one of the least known must be Problem Steps Recorder. &lt;/p&gt;  &lt;p&gt;The tool itself was designed as an easy way for someone to record their steps and send them off for troubleshooting. However, I have found that this tool is also a great utility for creating very detailed documentation.&lt;/p&gt;  &lt;p&gt;Give it a go and you’ll see it works better than any other screen grabbing utility!&lt;/p&gt;  &lt;p&gt;Allow me to illustrate.&lt;/p&gt;  &lt;p&gt;You can start the tool by typing PSR in the Start &amp;gt; Run window.&lt;/p&gt;  &lt;p&gt;&lt;a href="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_36D9B45C.png"&gt;&lt;img style="border-right-width:0px;display:inline;border-top-width:0px;border-bottom-width:0px;border-left-width:0px;" title="image" border="0" alt="image" src="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_thumb_5F00_2B43F71D.png" width="454" height="246" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;&lt;a href="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_3C482500.png"&gt;&lt;img style="border-right-width:0px;display:inline;border-top-width:0px;border-bottom-width:0px;border-left-width:0px;" title="image" border="0" alt="image" src="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_thumb_5F00_4E24B8CD.png" width="529" height="89" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Before you start you might want to bump up the number of screen captures to include in the document, depending on how 
many steps your install has.&lt;/p&gt;  &lt;p&gt;&lt;a href="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_42CFA30B.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px;" title="image" border="0" alt="image" src="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_thumb_5F00_7B7A4D18.png" width="522" height="205" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;The value can be between 1 and 100, so if you have more than 100 steps in your install you will want to stop the recording &amp;gt; save and start an extra recording. &lt;/p&gt;  &lt;p&gt;&lt;a href="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_7A35B439.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px;" title="image" border="0" alt="image" src="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_thumb_5F00_6BF73B49.png" width="532" height="277" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;To start a recording, press Start Record, or what did you think ;-)&lt;/p&gt;  &lt;p&gt;&lt;a href="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_546B8F5B.png"&gt;&lt;img style="border-right-width:0px;display:inline;border-top-width:0px;border-bottom-width:0px;border-left-width:0px;" title="image" border="0" alt="image" src="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_thumb_5F00_090BEB97.png" width="532" height="81" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;When recording you can see the time and the add comment pop-up together with the pause and stop buttons.&lt;/p&gt;  &lt;p&gt;You should now minimize the PSR screen and start executing the tasks you want to document.&lt;/p&gt;  &lt;p&gt;By pressing the comment 
button you can add extra info into the documentation. It will be recorded as a separate step and then show up as illustrated in the following screenshot.&lt;/p&gt;  &lt;p&gt;&lt;a href="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_4C73ECF9.png"&gt;&lt;img style="border-right-width:0px;display:inline;border-top-width:0px;border-bottom-width:0px;border-left-width:0px;" title="image" border="0" alt="image" src="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_thumb_5F00_323383D5.png" width="517" height="286" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Continue to execute your tasks and add comments whenever you want. &lt;/p&gt;  &lt;p&gt;When you have completed all tasks, press stop and the system will ask you to save the file. The result will be a zip file containing a fully illustrated HTML file. &lt;/p&gt;  &lt;p&gt;&lt;a href="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_5F4870A3.png"&gt;&lt;img style="border-right-width:0px;display:inline;border-top-width:0px;border-bottom-width:0px;border-left-width:0px;" title="image" border="0" alt="image" src="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_thumb_5F00_380E276E.png" width="244" height="223" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Open the zip file to access the document.&lt;/p&gt;  &lt;p&gt;&lt;a href="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_658F4731.png"&gt;&lt;img style="border-right-width:0px;display:inline;border-top-width:0px;border-bottom-width:0px;border-left-width:0px;" title="image" border="0" alt="image" src="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_thumb_5F00_09486ECC.png" width="511" height="175" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Double click 
the document and you will see the result.&lt;/p&gt;  &lt;p&gt;As you can see below, the screenshots are full screen pages and the active area is highlighted with green squares. Each step you have taken is in a separate screenshot and clearly marked with a timestamp.&lt;/p&gt;  &lt;p&gt;&lt;a href="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_644AAE52.png"&gt;&lt;img style="border-right-width:0px;display:inline;border-top-width:0px;border-bottom-width:0px;border-left-width:0px;" title="image" border="0" alt="image" src="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_thumb_5F00_02B4EF3C.png" width="520" height="871" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Above each screenshot you will also find a great illustration of the exact action you performed, e.g. left click, right click, press enter, input text,…&lt;/p&gt;  &lt;p&gt;&lt;a href="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_30729234.png"&gt;&lt;img style="border-right-width:0px;display:inline;border-top-width:0px;border-bottom-width:0px;border-left-width:0px;" title="image" border="0" alt="image" src="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_thumb_5F00_6EF7DFDA.png" width="545" height="344" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;If you go above the set number of screenshots to save, you will see a pop-up like this:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_7884E865.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px;" title="image" border="0" alt="image" src="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_thumb_5F00_26060829.png" width="554" height="114" /&gt;&lt;/a&gt; 
&lt;/p&gt;  &lt;p&gt;You can even easily copy/paste or import into Word if you want to add your own touch.&lt;/p&gt;  &lt;p&gt;&lt;a href="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_26CA23FE.png"&gt;&lt;img style="border-right-width:0px;display:inline;border-top-width:0px;border-bottom-width:0px;border-left-width:0px;" title="image" border="0" alt="image" src="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_thumb_5F00_640AD8C5.png" width="546" height="383" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;With PSR there really is no more reason why you would not have a fully documented environment.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://trycatch.be/aggbug.aspx?PostID=930" width="1" height="1"&gt;</description></item><item><title>vreference.com =&gt; great reference</title><link>http://trycatch.be/blogs/decaluwet/archive/2009/09/30/vreference-com-gt-great-reference.aspx</link><pubDate>Wed, 30 Sep 2009 18:46:10 GMT</pubDate><guid isPermaLink="false">12bbda7a-b33b-4de2-8627-f5e32a6b90ff:928</guid><dc:creator>Tom Decaluwé</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://trycatch.be/blogs/decaluwet/rsscomments.aspx?PostID=928</wfw:commentRss><comments>http://trycatch.be/blogs/decaluwet/archive/2009/09/30/vreference-com-gt-great-reference.aspx#comments</comments><description>&lt;p&gt;I’m very keen on network segmentation as I really believe it’s the only way to really gain control of and secure your environment. 
However, the major drawback to network segmentation is knowing what protocols, ports,… to allow for network traversal.&lt;/p&gt;  &lt;p&gt;If you host a VMware virtual platform in your datacenter, Vreference.com is what you need.&lt;/p&gt;  &lt;p&gt;This great community effort site has some perfect one-page sheets that give you a complete overview of all the things you always forget about VMware systems.&lt;/p&gt;  &lt;p&gt;Have a look; here are some examples:&lt;/p&gt;  &lt;p&gt;=&amp;gt; The ports overview is a great one-pager to help you configure firewall access&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;&lt;a href="http://www.vreference.com"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px;" title="image" border="0" alt="image" src="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_3C4592BB.png" width="497" height="320" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;=&amp;gt; The vSphere 4.0 sheet is a great reference to help you remember what the limits are on vSphere 4.0   &lt;br /&gt;&lt;a href="http://www.vreference.com"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px;" title="image" border="0" alt="image" src="http://trycatch.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/decaluwet/image_5F00_4B4C4BC8.png" width="498" height="356" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;You will find more of this on the site; let’s just hope some Hyper-V diagrams pop up soon ;-)&lt;/p&gt;  &lt;p&gt;&lt;a title="http://www.vreference.com" href="http://www.vreference.com"&gt;http://www.vreference.com&lt;/a&gt;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://trycatch.be/aggbug.aspx?PostID=928" width="1" height="1"&gt;</description></item></channel></rss>