Secure Progressiontag:typepad.com,2003:weblog-14451502008-03-10T17:00:34-04:00The official weblog of Secure ProgressionTypePadSysadmins and securitytag:typepad.com,2003:post-468453842008-03-10T17:00:34-04:002008-03-10T17:00:34-04:00Why are so many business computers and networks completely unsecured? I'm going to focus on a few of the reasons that have to do with the people responsible to secure thoseKirk Averett
Why are so many business computers and networks completely unsecured? I'm going to focus on a few of the reasons that have to do with the people responsible to secure those
http://securetrends.typepad.com/secure_trends/2008/03/sysadmins-and-s.htmlWireless noise detection with wiresharktag:typepad.com,2003:post-406790802007-10-25T12:33:22-04:002007-10-25T12:33:22-04:00It can be difficult to determine if noise is corrupting a wireless (802.11a/b/g/n) signal because the primary symptom for a user is simply slow performance. Because slow performance can caused at any step along the path between a person's computer...Kirk Averett
<div xmlns="http://www.w3.org/1999/xhtml"><p>It can be difficult to determine if noise is corrupting a wireless (802.11a/b/g/n) signal because the primary symptom for a user is simply slow performance. Because slow performance can caused at any step along the path between a person's computer and a distant Internet site, it can be tough to know what is happening.</p>
<p>Noise that is interfering with an 802.11 wireless signal isn't always constant, but in my experience with 802.11 and with cable TV wired networks using lower frequencies, it doesn't take very much noise to significantly reduce performance.</p>
<p>Why the big drop in performance? TCP. Viewing web pages, downloading files or email, and most other activities on the Internet depend on TCP. TCP was designed to be used on low-noise, wired networks. Every bit of data sent over TCP is numbered sequentially for the conversation between the user's computer and the remote computer or server. If a new bit of data (a "packet") arrives with a number that is too high, then TCP knows that a packet was missed. TCP asks the sender to retry, and tells the sender to slow down.</p>
<p>See the problem? TCP assumes that a packet will be lost only due to high traffic, not because of noise that might corrupt a packet and cause it to be discarded. When a packet is lost because of traffic, slowing down is the best possible response for all parties. When a packet is lost because of a little bit of noise, everything slows down even though the packet really should be resent immediately and the transmission speed should remain constant. Lots of smart people are working on this, although no real standard has emerged. Here is a good academic paper describing <a href="http://pdos.csail.mit.edu/decouto/papers/parsa99.ps">this TCP peformance problem</a> and a proposed solution.</p>
<p><strong>Detecting noise with Wireshark</strong><br />First, download a <a href="http://www.wireshark.org/download.html">copy of Wireshark</a>. Start it up for the first time. You need to record, or capture, some packets to look for a particular type of TCP packet.</p>
<p>To capture packets, click on Capture, Interfaces, then click Options on the far right next to your network card, then press Start.</p>
<p>Open up your web browser and go to www.yahoo.com or www.msn.com (or any other site that's been slow for you and that has a lot of stuff on the page). After the page has loaded, click Stop on the capture.</p>
<p>Click on the label of the Info column to sort by the column contents. Then scroll down and look for this type of information about TCP duplicate ACK's:<br /><a href="http://securetrends.typepad.com/photos/uncategorized/2007/10/25/dupack_2.png"><img border="0" class="image-full" alt="Dupack_2" title="Dupack_2" src="http://securetrends.typepad.com/photos/uncategorized/2007/10/25/dupack_2.png" /></a>
<br />If you have more than one line like these above, then your wireless network almost surely has interference. Because most of us use inexpensive wireless gear, we have to share the frequencies with other devices belonging to our neighbors.</p>
<p><strong>What can I do about it?</strong><br />The easiest thing to do is try a different channel. On 802.11b/g wireless access points and routers, they show you 11 possible channels. Don't believe them. Only channels 1, 6, and 11 don't interfere with each other. So if you're using channel 2 and your neighbor is using channel 3, expect problems.</p>
<p>The general rule for trying to reduce interference is to use a channel number farthest away numerically from any other wireless devices in the area. Usually your laptop or other wireless device can tell you what networks it sees around and what channels they are using. Just pick the most remote channel. If you can't see any other wireless networks besides your own, still change the channel to either 1, 6, or 11 and stop using your old channel-- again, try to be as far away from your old channel as possible because you know there is noise on that channel.</p>
<p>I hope this helps!</p></div>
<img src="http://feeds.feedburner.com/~r/SecureTrends/~4/QtudCGxxuRM" height="1" width="1"/>http://securetrends.typepad.com/secure_trends/2007/10/wireless-noise-.htmlNmap and out-of-date software on the networktag:typepad.com,2003:post-397080682007-10-03T11:45:11-04:002007-10-03T11:45:11-04:00Nmap can be extremely helpful in finding old versions of software on your network. Updated software reduces network worm infections and hacking from internal and external sources. Here's how you use Nmap to do it: nmap -vv -F -sS -A...Kirk Averett
<div xmlns="http://www.w3.org/1999/xhtml"><div class="article-content">
<a href="http://insecure.org">Nmap</a>
can be extremely helpful in finding old versions of
software on your network. Updated software reduces <a href="http://en.wikipedia.org/wiki/Computer_worm" title="Computer network worms">network worm</a> infections and hacking from internal and external sources. Here's how you use Nmap to do it:<p> nmap -vv -F -sS -A -P0 [some ip]</p>
<p>I like to use "-vv" for extra detail.</p>
<p>Let's
say I just wanted to check the version of SSH I was using on an older
Linux machine. Nmap can even tell me what protocol revision SSH
supports on the machine. Here is how I would do that:</p>
<p> nmap -sS -A -P0 -p 22 [my ip] | grep ssh</p>
<p>Here are the results from an actual machine:</p>
<p> 22/tcp open ssh OpenSSH 3.6.1p2 (protocol 1.99)</p>
<p>SSH protocol version 1.99 <a href="http://www.ciac.org/ciac/techbull/CIACTech02-001.shtml" title="Openssh version 1.99 vulnerable">has issues</a> and OpenSSH needs to be updated on this machine.</p>
<p><strong>Nmap and software version detection inside Secure Trends</strong></p>
<p>Because
Secure Trends can use Nmap for scanning, it gathers information about
open network software running on computers that have been scanned. From
the Ports tab, you can click on a port to see what different computers
have that port open and what software is running on those machines.</p>
<p><a href="http://securetrends.typepad.com/photos/uncategorized/2007/10/03/portandversions_3.png"><img border="1" alt="Portandversions_3" title="Portandversions_3" src="http://securetrends.typepad.com/photos/uncategorized/2007/10/03/portandversions_3.png" /></a>
</p>
<p><img src="file:///C:/DOCUME~1/Kirk/LOCALS~1/Temp/moz-screenshot.jpg" /></p>
<p>Above is a partial screenshot from a real set of hosts in ST.
Each IP is a clickable link so that you can see everything else
running on that machine. In this case two machines are still allowing
protocol version 1.99, but it is probably easily fixed by changing
their config file to only permit version 2.0. How do I know this?
Partly because I already know, but also because the machine with the IP
address ending ".24" is running the same OpenSSH program version, but is clearly locked
down to only support protocol version 2. </p></div></div>
<img src="http://feeds.feedburner.com/~r/SecureTrends/~4/LcGHj19_qBI" height="1" width="1"/>http://securetrends.typepad.com/secure_trends/2007/10/nmap-and-out-of.htmlCommand line firewall configurationtag:typepad.com,2003:post-396605302007-10-02T13:15:13-04:002007-10-02T13:15:13-04:00One of the cool little features of our hosted security tools are the "firewall hints", which are available as a link for a host that has been scanned at least one time. It appears underneath the list of ports and...Kirk Averett
<div xmlns="http://www.w3.org/1999/xhtml"><div class="article-content">
<p>One of the cool little features of our hosted security tools are the
"firewall hints", which are available as a link for a host that has
been scanned at least one time. It appears underneath the list of ports
and what is running on them.</p>
<p><img width="221" vspace="5" hspace="8" height="57" border="1" align="right" src="http://www.secure-trends.com/images/firewallhints.png" alt="Firewall hints link" title="Link to firewall hints" />
If the operating system has been detected by Nmap, then the command
line information is appropriate for that OS. If the OS has not yet been
detected, then Secure Trends shows command line hints for all the
operating systems it can. ST shows you how to set up your firewall to
allow outbound Internet traffic, but blocks inbound Internet traffic
except to the ports currently detected by Nmap. Don't want a port open?
Copy the ST firewall hints to a text editor, remove the line that would
open access to that port, then paste to the command-line of the machine
you need to lock down. </p>
<p><strong>Windows firewall rules by command-line</strong> </p>
<p>Windows
XP service pack 2 (SP2) and Windows 2003 have a built-in firewall. It's
actually a decent little inbound port-blocking firewall. But almost
nobody uses it. I'm a fan of not spending money so why would I buy
another port-based firewall if Windows already has one? Here are the
command-line firewall hints for a Windows host scanned by Secure Trends:</p>
<p> netsh firewall set opmode ENABLE<br /> netsh firewall set notifications ENABLE<br /> netsh firewall set logging %windir%\pfirewall.log 4096 ENABLE<br /> netsh firewall set portopening TCP 7 echo<br /> netsh firewall set portopening TCP 9 discard<br /> netsh firewall set portopening TCP 13 daytime<br /> netsh firewall set portopening TCP 17 qotd<br /> netsh firewall set portopening TCP 19 chargen<br /> netsh firewall set portopening TCP 42 wins<br /> netsh firewall set portopening TCP 53 domain<br /> netsh firewall set portopening TCP 80 http<br /> netsh firewall set portopening TCP 135 msrpc<br /> netsh firewall set portopening TCP 139 netbios-ssn<br /> netsh firewall set portopening TCP 445 microsoft-ds<br /> netsh firewall set portopening TCP 1025 msrpc<br /> netsh firewall set portopening TCP 3389 microsoft-rdp<br /> netsh firewall set portopening TCP 5800 vnc-http<br /> netsh firewall set portopening TCP 5900 vnc<br /> netsh firewall set portopening TCP 5901 vnc</p>
<p>I'm sure you're wondering who runs all of this junk? Not me. What does this all mean?</p>
<ul><li> netsh firewall set opmode ENABLE -- This turns on the firewall.</li>
<li> netsh firewall set notifications ENABLE -- Changes to the firewall from the command-line will generate console gui alerts.</li>
<li> netsh firewall set logging %windir%\pfirewall.log 4096 ENABLE -- Logs up to 4k of firewall changes to the file pfirewall.log.</li>
<li> netsh firewall set portopening TCP 7 echo -- Allows computers on the network to access the "echo" service on this computer.</li></ul>
<p>What
if you wanted to shut off access to the echo service? No one should be
using echo anyway. You could issue this command if you had already
explicitly opened up the echo port:</p>
<p> netsh firewall set portopening TCP 7 echo disable</p>
<p>To learn more about the Windows firewall, either using the command-line or the gui, you can check out this article: <a href="http://lantoolbox.com/network-administration/articles/configure-windows-firewall-using-command-line/" target="_blank" title="How to use the windows firewall from the command line">http://lantoolbox.com/network-administration/articles/configure-windows-firewall-using-command-line/ </a></p>
<p><strong>What if I'm running Windows 2000 or XP without SP2?</strong></p>
<p>If you need a free command-line firewall for a slightly older Windows, check out the <a href="http://wipfw.sourceforge.net/" target="_blank" title="WIPFW free command line firewall for Windows">WIPFW</a>
project. It is essentially a port of BSD's ipfw port blocking tools to
the Windows platform. If you're using Secure Trends, you can copy and
paste the firewall hints for BSD and use them on your Windows box. </p>
<p><strong>What other operating systems can do this kind of thing?</strong></p>
<p>Linux has <a href="http://www.netfilter.org/" title="Iptables made by Netfilter.org">iptables</a> from the folks at Netfilter and *BSD has <a href="http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html" title="ipfw firewall for bsd">ipfw</a>
which is developed by FreeBSD. Secure Trends can give firewall hints
for both of these. Solaris probably has something, but as we don't have
access to a Solaris box or the freedom to potentially break it, it
isn't included yet. </p></div></div>
<img src="http://feeds.feedburner.com/~r/SecureTrends/~4/G4Z5pSq2E6c" height="1" width="1"/>http://securetrends.typepad.com/secure_trends/2007/10/command-line-fi.html