Super-Networking Blog

Networking

Get rid of NetBIOS

by admin on Aug.01, 2007, under Networking, Systems

Hey, do you need to get rid of NetBIOS on your network interface, but when you try to do it through network properties your server crashes?

Then do it through the registry:

HKLM\System\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{AdapterID}\NetbiosOptions

NetbiosOptions = 0 | 1 | 2

0 - Uses NetBIOS setting from the DHCP server.

1 - Enables NetBIOS over TCP/IP.

2 - Disables NetBIOS over TCP/IP.

Reboot to make your settings take effect.
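To check which interfaces still have NetBIOS over TCP/IP available after the change, here is an added example (not part of the original post) that audits the text output of reg query "HKLM\System\CurrentControlSet\Services\NetBT\Parameters\Interfaces" /s. The sample output and adapter GUIDs are constructed, and treating a missing value as "not disabled" is an assumption.

```python
import re

# Constructed sample of `reg query ...\NetBT\Parameters\Interfaces /s` output.
# The adapter GUIDs are made up for the example.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{11111111-aaaa-4bbb-8ccc-000000000001}
    NameServerList    REG_MULTI_SZ
    NetbiosOptions    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{11111111-aaaa-4bbb-8ccc-000000000002}
    NameServerList    REG_MULTI_SZ
    NetbiosOptions    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{11111111-aaaa-4bbb-8ccc-000000000003}
    NameServerList    REG_MULTI_SZ
"""

# Meaning of each value, as listed in the post.
MEANING = {0: "use DHCP setting", 1: "enabled", 2: "disabled"}
KEY_RE = re.compile(r"\\Interfaces\\(Tcpip_\{[0-9A-Fa-f-]+\})\s*$")
VAL_RE = re.compile(r"^\s+NetbiosOptions\s+REG_DWORD\s+(0x[0-9A-Fa-f]+)\s*$", re.I)

def audit(reg_output):
    """Return {interface key: NetbiosOptions value, or None if the value is absent}."""
    result, current = {}, None
    for line in reg_output.splitlines():
        key = KEY_RE.search(line)
        if key:
            current = key.group(1)
            result[current] = None  # stays None unless a value line follows
            continue
        val = VAL_RE.match(line)
        if val and current:
            result[current] = int(val.group(1), 16)
    return result

def not_disabled(reg_output):
    """Interfaces where NetBIOS over TCP/IP is not explicitly disabled (value != 2)."""
    return sorted(k for k, v in audit(reg_output).items() if v != 2)

if __name__ == "__main__":
    for iface, value in audit(SAMPLE).items():
        print(iface, value, MEANING.get(value, "value missing"))
    print("not disabled:", not_disabled(SAMPLE))
```

An interface set to 0 is reported as well, because with that value the DHCP server decides whether NetBIOS is on.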


Max Connections in CSM

by admin on Jul.31, 2007, under Networking, load balancing

So if you want to limit one or more of your real servers in a virtual server farm to a certain number of connections, you can do it with the “maxconns” command.

Log in to the CSM, go into config mode, go into the serverfarm you want to restrict, then go into the real server. Type in “maxconns #”, replacing the # with the max connections you want to go to that real server. This way, if you want to test something under real traffic but don’t want it to get slammed, you can.

Also, if you specify this command the CSM will send out a syslog message when the max has been reached.

%CSM_SLB-6-RSERVERSTATE: Module # server state changed: server X.X.X.X:0 in serverfarm ’serverfarm’ has reached configured max-conns

The CSM will then send the rest of the traffic to the other real servers in that serverfarm.
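If you collect these syslog messages centrally, you can tell a real server you capped on purpose from one that is hitting its limit unexpectedly. This is an added example, not part of the original post. The log lines, hostname, addresses and serverfarm name are constructed, and the set of deliberately capped servers is an assumption you would supply yourself.

```python
import re
from collections import Counter

# Constructed syslog lines in the message format quoted above.
SAMPLE_LOG = """\
Jul 31 10:02:11 sw1 %CSM_SLB-6-RSERVERSTATE: Module 5 server state changed: server 10.1.1.10:0 in serverfarm 'WEBFARM' has reached configured max-conns
Jul 31 10:02:40 sw1 %LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to up
Jul 31 10:05:03 sw1 %CSM_SLB-6-RSERVERSTATE: Module 5 server state changed: server 10.1.1.10:0 in serverfarm 'WEBFARM' has reached configured max-conns
Jul 31 10:07:19 sw1 %CSM_SLB-6-RSERVERSTATE: Module 5 server state changed: server 10.1.1.12:0 in serverfarm ’WEBFARM’ has reached configured max-conns
"""

# Accept straight or typographic quotes around the serverfarm name,
# since copies of the message show both.
MAXCONN_RE = re.compile(
    r"%CSM_SLB-6-RSERVERSTATE: Module (\d+) server state changed: "
    r"server (\d+\.\d+\.\d+\.\d+):(\d+) in serverfarm ['‘’](.+?)['‘’] "
    r"has reached configured max-conns"
)

def max_conn_events(log_text):
    """Count max-conns events per (serverfarm, real server IP)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = MAXCONN_RE.search(line)
        if m:
            hits[(m.group(4), m.group(2))] += 1
    return hits

def unexpected_caps(log_text, limited_on_purpose):
    """Real servers that hit their cap but were not capped deliberately."""
    events = max_conn_events(log_text)
    return sorted(k for k in events if k not in limited_on_purpose)

if __name__ == "__main__":
    print(dict(max_conn_events(SAMPLE_LOG)))
    # 10.1.1.10 is the server under test in this constructed scenario.
    print(unexpected_caps(SAMPLE_LOG, {("WEBFARM", "10.1.1.10")}))
```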


Need to Get Core Dump Off Cisco CSM?

by admin on Jul.05, 2007, under Networking, load balancing

First you need to know what module your CSM is in. Most of you know, I am sure, but otherwise use this at the enable prompt:

“show module”

Next you need to session into the CSM with the following command, replacing the slot number with the module number you found using the command above:

“session slot 1 processor 0”

Finally you need to tftp the core dump file off of the CSM with the command:

“tftp core_dump tftp-ip-addr”

You need to replace the tftp-ip-addr with the IP of your TFTP server. Also, if you have multiple core dump files, you can put the name of the file you want to tftp after tftp-ip-addr.


Want to Use SSH but Still Need a Program to Use Telnet?

by admin on Jul.02, 2007, under Networking, Routers

So like most IT security minded people I want to use SSH on everything I can, because with telnet your username and password are sent over the wire in clear text. Now I know most of you say, well, if you are internal, what does it matter if your password is sent in clear text, who would be listening? Well, a lot of people could be: your boss, your fellow employee in IT, a rogue server, etc…

One thing that you can do to mitigate the threat is to make sure you are switching all your data, since a switch doesn’t broadcast most data like hubs do. That still leaves it open to people who have access to the network switches and can sniff your port or the port you are going to. So you can use SSH, since it is encrypted, and that will protect you. Now not everything supports SSH, both on the software side and on the hardware side. I can’t help with the hardware: if your switch or router doesn’t support SSH, either you have to buy a new IOS for it or stick to telnet at your own risk.

As for the software side, if you have a program that needs to connect to your network devices over telnet, it can’t be switched to SSH and you really need it, listen up.

You can use the access-class command under line vty 0 4 to lock down which IPs have access to SSH or Telnet.

Example Commands:

ip access-list extended vty
 ! telnet only from the host running the telnet-only program
 permit tcp host 10.10.0.5 any eq telnet log
 ! SSH from anywhere
 permit tcp any any eq 22 log
 deny tcp any any log
!
line vty 0 4
 access-class vty in
 transport input telnet ssh

So that ACL would allow 10.10.0.5 to telnet to the network device and anyone to SSH. Note that older versions of the IOS don’t allow you to use extended ACLs here, so you would only be able to filter on IPs, not ports/services.
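To confirm that a saved config really restricts telnet the way you intended, here is an added example (not part of the original post) that reads a running-config excerpt and reports, per vty range, which sources can reach telnet. The sample config is constructed: it is the ACL above plus a second vty range with no access-class, and the check only reads permit entries rather than modelling deny ordering.

```python
import re

# Constructed running-config excerpt: the post's ACL plus an unprotected vty range.
SAMPLE_CONFIG = """\
ip access-list extended vty
 permit tcp host 10.10.0.5 any eq telnet log
 permit tcp any any eq 22 log
 deny tcp any any log
!
line vty 0 4
 access-class vty in
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
"""

SRC = r"(host \S+|any|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+)"
PERMIT_RE = re.compile(rf"permit (?:tcp|ip) {SRC} any(?: eq (\S+))?")

def telnet_sources(acl_lines):
    """Sources an ACL permits to reach telnet (permit entries only)."""
    out = []
    for entry in acl_lines:
        m = PERMIT_RE.match(entry)
        # No port given means every port, telnet included.
        if m and m.group(2) in (None, "telnet", "23"):
            out.append(m.group(1))
    return out

def audit_vty(config):
    """Return one dict per 'line vty' range with its ACL and telnet exposure."""
    acls, vtys, section = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip access-list extended (\S+)", line):
            section = acls.setdefault(m.group(1), [])
        elif m := re.match(r"line vty (\d+ \d+)", line):
            section = {"vty": m.group(1), "acl": None, "telnet": False}
            vtys.append(section)
        elif isinstance(section, list) and line.startswith(("permit", "deny")):
            section.append(line)
        elif isinstance(section, dict) and (m := re.match(r"access-class (\S+) in", line)):
            section["acl"] = m.group(1)
        elif isinstance(section, dict) and line.startswith("transport input"):
            section["telnet"] = bool({"telnet", "all"} & set(line.split()[2:]))
    for v in vtys:  # no ACL applied means any source can connect
        srcs = telnet_sources(acls[v["acl"]]) if v["acl"] in acls else ["any"]
        v["telnet_from"] = srcs if v["telnet"] else []
    return vtys
```

On the constructed sample, vty 0 4 reports telnet from host 10.10.0.5 only, while vty 5 15 reports telnet from any, because the access-class was applied to the first range only.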


Well Designed Network

by admin on Jun.13, 2007, under Networking

The well designed and well run network should basically run itself. Every hour of every day the network should just hum along. People shouldn’t even realize that it is there. Users should be able to plug in to a jack or hook up to wifi without having to contact the IT dept. A well run network should handle spikes in traffic and growth in servers.

A well run network should allow your network administrators to watch what is traversing the network and not waste time watching the status of the network. There are things that come up now and then, but if your network requires people to manage every aspect of it full time just to keep it running, you might want to rethink it.

This is not to say that there aren’t things to keep up with, like hardening your security procedures, updating code, updating ACLs, managing serverfarms, etc… You might have some sort of NAC product that will quarantine some users when they plug in, but for the most part the network team should be transparent to 99% of users.

Also, it is my belief that simplicity is the best design: the more complex you make your network architecture, the harder it is going to be to secure and the harder it will be to maintain. KISS should be your network’s mantra.


Dynamic DNS

by admin on Jun.11, 2007, under DNS, Hosting, Networking

Are you hosting something on your home PC and the IP address keeps getting changed by your ISP? Check out this service called Dynamic DNS. It is a service that allows you to have a hostname permanently pointed back to your home computer even with a dynamic IP. How they do it is you install a client on your PC, and as your IP address changes it updates the service. Even better, it is free for up to 5 hostnames.


Latency Vs. Bandwidth - Part II

by admin on Jun.06, 2007, under Networking

So this is a follow-up post to Latency Vs. Bandwidth where I gave a good link to an explanation on the differences between the problem of Latency and Bandwidth on the Internet. The same blogger had a follow-up post that explained a few ways for you to help improve high latencies.

This is another good article that goes over some of the things you can do to mitigate latency problems. I am going to go through a couple of things on this topic myself:

“Tweaking the host TCP settings” was one of his things to try, and I agree that if you do it right this can help a great deal, but if you tweak it wrong it can make things a whole lot worse. Be sure to test it in a lab before doing anything in production. Another FYI on this method is that Windows Vista auto tunes your network settings, so you are better off just letting it make the changes unless you have major problems.

Another method that he brings up is to move mission critical Internet web pages or downloads to a CDN network. This is a great idea, but be wary of the price that this can cost you. There are a lot of them out there, and some are cost effective and some are not. I did a mini review of some of the choices here.

Another thing you can do that should help, if you have an application that needs to stay in your datacenter and you need to get it cross country under a maximum latency, is work with your ISP. Most of the time your traffic will switch through multiple ISPs between your datacenter and theirs if it is a long distance away. This can cause major increases in your latency.

A couple of ways to mitigate this: you could switch your ISP to the same ISP as the business you need to work with. If it is a lower bandwidth need you could get a point to point link, or if it needs to be a higher bandwidth connection you should look at the possibility of getting an MPLS tunnel from end to end through your ISP.

One more tip, which doesn’t really relate to latency but will help if you are wondering why your transfers are so slow over a large pipe: use parallel transfers. If you have large amounts of data to transfer over long distances, either program it in or find a program that runs multiple streams at the same time. You will find a huge increase in throughput.

There are a thousand ways to look at this but hopefully between the post from the EdgeBlog and my posts you can get a lot of options.


Overview of the Internet’s Backbone

by admin on Jun.05, 2007, under Networking

If you want to take a quick look at the overall health of the major ISP backbones, I found the site for you. I ran across it the other day and it is pretty sweet. Too bad the ISP my company is on isn’t listed, but all of the big dog ISPs are.

Internet Health Report


Latency Vs. Bandwidth

by admin on Jun.01, 2007, under Networking

I ran across a pretty good read today that explains the problem with latency on WAN networks. The first part starts out saying that a lot of IT managers do not understand that just throwing more bandwidth at a problem won’t solve all your problems. This might be true of IT managers, but all Network Administrators/Engineers better know this. This is a simple concept and it is one of the reasons why Satellite Internet hasn’t taken off: latency is a killer.

Check out the article here


Security on a Stick - Yoggie

by admin on May.30, 2007, under Firewalls, Networking, Security, Software

I ran across a pretty sweet product today. It is called Yoggie Pico and it is a security suite for your laptop that is based off of a USB stick. It is a hardened Linux box running off a 520MHz processor in a USB stick. It is supposed to provide all of the security you need on your laptop and you can move it from PC to PC.

Features:

Yoggie Pico combines best-of-breed enterprise-class software with proprietary patent pending developments to provide a comprehensive security solution. With its stateful inspection firewall and NAT, Yoggie hides the laptop's IP address from the outside world and closes any unnecessary network connection. In addition, the hardware design and hardened OS prevents any tampering on the Firewall (a common Spyware, Viruses behavior). Deep packet inspection is performed by a robust intrusion detection/prevention solution to detect attacks as they begin their operation.

The application layer includes four transparent proxies, two for web traffic (HTTP, FTP) and two for email traffic (SMTP and POP3). Using a powerful true-type detection engine, the proxies can deal with any content type, including decompiled elements such as compressed class and file attachments. These elements are analyzed by seven security agents:

  • Adaptive Security Policy
  • Multi-Layer Security Agent
  • Layer-8 Security Engine
  • URL Categorization & Filtering
  • Anti-Spam
  • Anti-Phishing
  • Antispyware
  • Antivirus
  • Transparent Email Proxies (POP3; SMTP)
  • Transparent Web Proxies (HTTP; FTP)
  • Intrusion Detection System / Intrusion Prevention System
  • VPN Client
  • Stateful Inspection Firewall