Author Archives: sr71rocks

Security News – Verizon 2015 DBIR and MS15-034

Some important security news you should be aware of…

Each year, many large organizations publish an annual security report…many are good, some are not. One of the best is Verizon’s Data Breach Investigations Report (DBIR), which they have been publishing for many years. The 2015 edition is out, and is a must-read if you are involved with network security. You can download a copy here. Note…the page asks you to opt in to other announcements from Verizon, but there is a “Download Only” link available if you prefer.

Microsoft has released Security Bulletin MS15-034 for a rather nasty vulnerability (CVE-2015-1635) in HTTP.sys, the kernel-mode HTTP protocol stack: a single crafted HTTP request can lead to remote code execution, and the same bug is trivially used to crash the machine. HTTP.sys ships with every supported Windows release, but a box is only exposed if something is listening through it, which is rare on workstations and the norm on servers (IIS, and also WinRM). If you manage Windows servers, you need to take a look at this Bulletin quickly…there are active exploits in the wild already, and the easy one blue-screens the server.
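A quick way to tell whether a server you own is still exposed, as an added example that is not part of the original post or of Microsoft’s bulletin. It relies on the public, non-destructive behaviour of the bug: an unpatched HTTP.sys answers a Range header whose end is 2^64-1 with 416 Requested Range Not Satisfiable, while a patched one rejects the header with 400 Bad Request. The Server-header markers, verdict names and the default path are my assumptions; the probe only means something for a static resource served through HTTP.sys, and it should only be pointed at systems you are responsible for.

```python
import http.client

# Range value used by the public, non-crashing MS15-034 check (end = 2**64 - 1).
# The crashing variants use a non-zero start; this one does not.
PROBE_RANGE = "bytes=0-18446744073709551615"

# Server strings that mean the answer came from HTTP.sys rather than some other
# web server; the 416-vs-400 distinction is meaningless otherwise (assumption).
HTTPSYS_MARKERS = ("microsoft-iis", "microsoft-httpapi")


def classify(status, server_header):
    """Turn a status code plus Server header into a verdict.

    Assumption (from the public write-ups of the bug, not from the bulletin
    text itself): unpatched HTTP.sys answers the probe with 416, a patched
    one rejects the header with 400. Anything else is inconclusive.
    """
    srv = (server_header or "").lower()
    if not any(marker in srv for marker in HTTPSYS_MARKERS):
        return "not-http.sys"
    if status == 416:
        return "likely-vulnerable"
    if status == 400:
        return "likely-patched"
    return "inconclusive"


def check_host(host, port=80, path="/", timeout=5):
    """Send one probe GET and classify the reply. Point path at a static file
    (the default IIS page is fine); dynamic handlers may ignore Range."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "Range": PROBE_RANGE})
        resp = conn.getresponse()
        return classify(resp.status, resp.getheader("Server"))
    finally:
        conn.close()


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(target, "->", check_host(target))
```

Treat the verdict as a hint, not proof: the authoritative check is that the MS15-034 hotfix (KB3042553) is installed, which on the server itself is `Get-HotFix -Id KB3042553` in PowerShell.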

The Force is With J. J. Abrams

I know, my next post was supposed to be a continuation on DIG and troubleshooting DNS, but something MUCH more important has come up. Yes…the newest trailer for Star Wars: The Force Awakens was just released yesterday!! And it seems that J. J. Abrams is doing a great job on developing the story-line, which really left off way back in 1983 with episode VI, Return of the Jedi. This movie should make for a great December when it comes out!!

“The Force is strong in my family…”

Verifying Proper Email Routing – MX Records

I had an issue come up today in which I needed to verify what mail servers were handling email for a particular domain. (I like having easy problems on a Friday!)

So, how do you answer this question? Simple…you look up the MX records for the domain in question. MX stands for Mail Exchange: DNS records naming the mail servers on the Internet that accept email for a domain. Quick example using my handy dig utility (it comes with Linux in the bind-utils or dnsutils package, or you can get it for Windows as part of the BIND tools from isc.org)…

MX results for cisco.com

As you can see, the DNS reply gave us 3 MX records for mail servers that handle email for the domain “cisco.com”…

10 alln-mx-01.cisco.com.
30 aer-mx-01.cisco.com.
20 rcdn-mx-01.cisco.com.

The numbers in front of each line are known as “preference numbers” and establish the order in which the servers are to be tried, with the smaller number being more preferred. In this case, a sending mail server will attempt alln-mx-01.cisco.com (10) first; if that fails, it will try rcdn-mx-01.cisco.com (20), and then aer-mx-01.cisco.com (30). (And no, Cisco does not have a single server that takes care of all their email…most likely alln-mx-01 simply fronts a large server cluster). A common technique you will see is to list several servers all with the same preference number: RFC 5321 requires the sender to pick among equal preferences at random, which gives you load-balancing (a bit crude, since it is per-connection and knows nothing about how busy each server is, but it does work). HP handles load-balancing a bit differently…

MX results for hp.com

I like HP’s solution…simple and efficient…there is only one MX record, but smtp.hp.com resolves to multiple “A” (Address) records, so the balancing is done by round-robin DNS rather than by MX preferences. How about Apple?….

MX results for apple.com

As you can see, Apple handles load-balancing in a bit more complex manner, but it works very well…(sounds just like Apple, doesn’t it?). There are 5 preference “10” servers and 5 “20” servers, and I bet they are spread out all over the place…different data centers in America and perhaps other parts of the world. Notice the single “100” preference server, which will only get used if none of the other servers are reachable. Knowing Apple, I’m sure this server is kept up to date and patched. But smaller organizations tend to set up a high-numbered preference server as a last backup, which hardly ever gets used, and they tend to forget about it…maybe not keep up with patches and security updates, or not give it the same spam and malware filtering as the primaries. As a result, you will tend to see attackers (and spammers) go after the high-numbered preference mail servers, as they may be an easier target: a backup MX that accepts mail and relays it inward is a way around the filtering on the primaries. The check is simple…whatever you do on the primaries, do on the backup too, and test it now and then by delivering to it directly.
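The selection rule described above (lowest preference first, equal preferences shared, the highest number as last resort), as an added example that is not part of the original post. The cisco.com answer section is reconstructed from the records shown above with made-up TTLs; example.com and its mx-a/mx-b/mx-backup hosts are a constructed stand-in for the two-tier-plus-backup pattern discussed for Apple, not Apple’s real records.

```python
import random
from collections import defaultdict

# Constructed dig ANSWER SECTION matching the cisco.com records shown in the
# post; the TTL column is made up.
DIG_ANSWER_CISCO = """\
cisco.com.              86400   IN      MX      10 alln-mx-01.cisco.com.
cisco.com.              86400   IN      MX      30 aer-mx-01.cisco.com.
cisco.com.              86400   IN      MX      20 rcdn-mx-01.cisco.com.
"""

# Constructed, hypothetical domain: two equal-preference primaries plus a
# high-numbered backup, the pattern discussed for Apple.
DIG_ANSWER_EXAMPLE = """\
example.com.            3600    IN      MX      10 mx-a.example.com.
example.com.            3600    IN      MX      10 mx-b.example.com.
example.com.            3600    IN      MX      100 mx-backup.example.com.
"""


def parse_mx(answer_text):
    """[(preference, exchange), ...] from dig's ANSWER SECTION lines
    (owner, TTL, class, type, preference, exchange). Names keep the trailing
    dot exactly as dig prints them."""
    records = []
    for line in answer_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[3] == "MX":
            records.append((int(fields[4]), fields[5]))
    return records


def delivery_tiers(records, seed=None):
    """The order a sending MTA tries the exchanges in: lowest preference first.
    Equal preferences are shuffled, which RFC 5321 section 5.1 says a sender
    MUST do so they share the load; seed makes the shuffle repeatable."""
    rng = random.Random(seed)
    by_pref = defaultdict(list)
    for pref, host in records:
        by_pref[pref].append(host)
    tiers = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        tiers.append((pref, hosts))
    return tiers


def backup_mx_hosts(records):
    """Exchanges in the highest-numbered tier when more than one tier exists:
    the last-resort servers that only see mail when everything else is down,
    and therefore the ones to double-check for patching and filtering."""
    prefs = {pref for pref, _ in records}
    if len(prefs) < 2:
        return []
    worst = max(prefs)
    return [host for pref, host in records if pref == worst]


if __name__ == "__main__":
    for pref, hosts in delivery_tiers(parse_mx(DIG_ANSWER_CISCO)):
        print(pref, hosts)
    print("backup MX:", backup_mx_hosts(parse_mx(DIG_ANSWER_EXAMPLE)))
```

To run it against a live domain, paste the ANSWER SECTION of `dig MX domain +noall +answer` into parse_mx; the hosts that backup_mx_hosts returns are the ones worth a second look.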

Bonus question: Did you notice that all the host names and domain names ended with a “dot”, such as apple.com. and smtp.hp.com.? Know why? I’ll tell you in my next blog.

Hope this info was helpful…

Easter Celebration 2015 – He is Risen!

It has been a busy weekend, but yet an awesome weekend all at the same time. I’ve been playing my French horn in the orchestra at church as part of the Easter celebration, and had a wonderful time doing it….

“For God so loved the world that he gave his one and only Son, that whoever believes in him shall not perish but have eternal life.”   John 3:16 (NIV)

You Just Have to Love Google and Their Humor

You have to admit that Google has a great sense of humor, especially on April Fools day. Go to the following website:  https://com.google  (Update: The link no longer works…it was just for April 1st.)  Too funny!!! Here I searched on Cisco…

Google being funny again!!

And here is another one by Google….very funny:  Google Smartbox

As big and sometimes scary as Google is (they REALLY do know all and see all), I do like their sense of humor.

Solarwinds TFTP Server and Windows 7

Every network engineer needs a TFTP server utility on their laptop to manage firmware upgrades and configuration files. I’ve been using the free Solarwinds TFTP server for years, and it has worked great!! Highly recommended.

Recently, I just got a new laptop at work, an awesome Dell Precision with a fast SSD drive and 32 Gigs of RAM. The system just SCREAMS, and you should see how good VMware Workstation runs….I can have a bunch of Linux systems all running at the same time!! Anyway, after installing the TFTP server, it would not work. First time I have ever had a problem. I checked both McAfee and Windows Firewall, and they were not the problem. So…what to do?

I accessed one of my CentOS Linux systems running within VMware and had it run an nmap UDP scan of the laptop on port 69 (nmap -sU -p 69 followed by the laptop’s address), which is the port a TFTP server listens on by default…

NMAP results

Say what?? nmap only reports a UDP port as OPEN when something actually answered the probe, so this shows port 69 was already in use, and this is before I started up the TFTP server. Hmmmm. So I opened a Command Prompt (run as Administrator, which the “-b” switch requires) and ran “netstat -anb” to see what was already bound to UDP port 69…

Running “netstat -anb”

Interesting…Solarwinds was already up and running. The installer had registered it as a Windows service that starts automatically at boot, so the service already held UDP port 69, and the copy I launched from the Programs menu could not bind the port…which is why it did not work.

My fix:  I don’t want TFTP running all the time anyway, so I went into Windows Services and stopped the TFTP process, and reconfigured it as just a manual startup. Now, when I want to run TFTP, I just go to the Programs menu and run it from there. Plus, it is binding correctly now and works just fine.
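The distinction that solved this, as an added example that is not part of the original post: a host firewall never makes bind() fail, so if you cannot bind the port yourself, something else already owns it. The function names are mine; low ports such as 69 need administrator or root rights, which is why the permission case is handled separately, and the hold_udp_port helper exists only so the in-use case can be demonstrated on a throwaway port.

```python
import errno
import socket

# Windows reports a busy port as WSAEADDRINUSE (10048); POSIX as EADDRINUSE.
_IN_USE = {errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", errno.EADDRINUSE)}


def udp_port_in_use(port, host="0.0.0.0"):
    """True if some process on this machine already holds UDP host:port.
    A host firewall never makes bind() fail, so this separates 'port taken'
    from 'firewall blocking'. Low ports (like 69) need admin/root rights."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((host, port))
        return False
    except PermissionError as e:          # subclass of OSError: catch it first
        raise PermissionError(f"binding UDP {port} needs elevated rights") from e
    except OSError as e:
        if e.errno in _IN_USE:
            return True
        raise
    finally:
        s.close()


def hold_udp_port(host="127.0.0.1"):
    """Grab an OS-chosen UDP port and return the open socket, so the in-use
    case can be demonstrated without touching port 69 at all."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, 0))
    return s


if __name__ == "__main__":
    # Run elevated on the laptop in question: True means a service such as the
    # Solarwinds one is already listening on TFTP's port.
    print("UDP 69 already taken:", udp_port_in_use(69))
```

If it returns True, netstat -anb (or netstat -ano plus tasklist) tells you which process; if it returns False and the client still cannot reach the server, then it is time to look at the firewall.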

An interesting problem which only took a few minutes to solve…but it’s these kinds of things that add an enjoyable “spice” to the day!

A Day of Mourning…Missing My C6509-V-E

A while back, my company outsourced our Data Center to a third party hosting firm. For the most part, it has worked out well, and from a business point of view, it made lots of sense. From a personal point of view, however….well, it did hurt a bit. I mean, if you are a Sr. Network Engineer, without a Data Center, are you really still a Sr. Network Engineer?

Oh well, it is what it is. After the move, our Data Center was rather empty, except for our core 6509 switch. It was still in place, feeding a bunch of access layer switches and a few remaining servers. Until last night that is. My coworker and I had the sad duty of powering down the switch, removing it from the rack, and replacing it with two Cisco 3650-48 switches. (If you know what the annual SmartNET maintenance is on a 6509 switch, then you know the ROI on replacing it with these 3650’s is a huge no-brainer!!)

Everything went very smoothly, the new switches are in place, and the 6509 is sitting on a cart waiting to be sold. I sure wish I could afford it…it would look GREAT in my lab at home. Of course, my electrical bill would be sky-high, not to mention trying to keep the room cooled.

Before…

And after…

But…to be very honest…I’m going to miss my 6509. There is nothing like a big chassis class switch to brighten one’s day. I know it did for me.

Cisco and NGE (Next Generation Encryption)

Do you still use DES and 3DES for all your VPN and IPsec needs? I sure hope not. Do you wonder what the current and future trends are for encryption? I sure do…inquiring minds want to know, right??!! Well, good news…you don’t have to do all of that worrying….Cisco has done it for you. (And I bet they pay a lot of engineers some VERY good money to work all this out.)

Take a look at this short webpage at Cisco detailing the current state of encryption algorithms and protocols; it sorts the symmetric ciphers, hashes, Diffie-Hellman groups and RSA/ECDSA key sizes into Avoid, Legacy, Acceptable, and Next Generation Encryption. Review your encryption configs, and if you are using anything noted as Legacy or Avoid, make plans now to step up to the more secure algorithms. Yes, this will take some time and effort to change, but you need to do this soon. If your company is publicly traded or in the medical arena, hopefully past audits have already flagged these issues.

One other thing to note…if you do find yourself needing to move to better encryption algorithms, make sure your existing hardware has the horsepower to run them. AES-GCM, SHA-2 and the elliptic-curve Diffie-Hellman groups are only fast where the platform’s crypto engine accelerates them; on an older router they run in software, and your tunnel throughput drops. You may find that you need to upgrade hardware too.
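What the review is looking for, as an added illustration that is neither from Cisco’s page nor from the original post: an IKEv1 policy and transform set built from algorithms the NGE page files under Avoid, followed by the same tunnel rebuilt on AES-256, SHA-256, a 256-bit ECDH group and AES-GCM. The policy numbers and transform-set names are placeholders; the replacement assumes an IOS release (15.x or later) and a platform that support sha256, group 19 and esp-gcm, which is exactly the hardware question raised above.

```cisco
! Added example, not from Cisco's NGE page or the original post. Policy
! numbers and transform-set names are placeholders.
!
! --- Before: single DES, MD5 and 768-bit DH (group 1), all in the "Avoid" column ---
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 1
!
crypto ipsec transform-set LEGACY-SET esp-des esp-md5-hmac
 mode tunnel
!
! --- After: AES-256 / SHA-256 / 256-bit ECDH for IKE, AES-GCM-256 for ESP ---
! (assumes IOS 15.x+ and a platform with AES-GCM support; verify with
!  "show crypto isakmp policy" and "show crypto ipsec transform-set")
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 19
!
crypto ipsec transform-set NGE-SET esp-gcm 256
 mode tunnel
```

Two things this fragment deliberately leaves alone, which the NGE page also pushes you toward: moving from IKEv1 to IKEv2, and replacing pre-shared keys with certificate (ECDSA) authentication. Change the algorithms first; both peers must be changed together or the tunnel will not come up.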

Network Security – Sometimes it’s Really Obvious!

Since network security is one of the hats that I wear, I get various security alerts throughout the day…from my firewall or IDS (Intrusion Detection System). Most of the time they are nothing to worry about, and I quickly figure out what happened. Sometimes, though, I end up spending a lot of time trying to figure out if the alert was serious…is something bad happening on MY network?

But then, sometimes it’s just comical….like, “Hello, I’m a newbie hacker, please let me in”. Take a look at this…

Like duh….textbook portscan example (sterilized for public consumption)

As you can see, this portscan is stepping through my public IP address range (a horizontal scan: the same few ports tried against every host in the block), hitting three different destination ports…80 (http), 8080 (the common alternate http port), and 1080 (the SOCKS proxy port). And this is just a snippet…there were a total of 147 packets in less than 10 seconds. The source IP address (192.0.17.168) is from a parent block owned by an entity in China, but is sub-delegated to a hosting facility located in Los Angeles. Go figure. There really is no way to know who is doing this…probably some 11 year old kid in Beverly Hills.
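The rule that makes this alert “obvious” (one source, many destination hosts, the same handful of ports, a few seconds), written out as detection logic over sample deny-log lines. This is an added example, not the IDS rule or the log from the original post: the log format is invented, the destination hosts are in the documentation range 203.0.113.0/24, the legitimate client is 198.51.100.7, and only the sanitized scanner address quoted above is taken from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (not the post's IDS): ISO timestamp, action, then
# key=value fields. Real firewalls differ; adjust LINE_RE to yours.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) DENY "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


def build_sample_log():
    """Constructed sample: the sanitized scanner from the post sweeping twelve
    hosts of 203.0.113.0/24 on 80, 8080 and 1080 within eight seconds, plus
    one legitimate client retrying HTTPS to a single host."""
    t0 = datetime(2015, 3, 20, 9, 14, 2)
    lines = []
    n = 0
    for host in range(1, 13):
        for port in (80, 8080, 1080):
            ts = t0 + timedelta(seconds=n // 5)   # roughly 5 packets per second
            lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} DENY src=192.0.17.168 "
                         f"dst=203.0.113.{host} dport={port}")
            n += 1
    for sec in (1, 4, 9):
        ts = t0 + timedelta(seconds=sec)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} DENY src=198.51.100.7 "
                     f"dst=203.0.113.5 dport=443")
    return lines


def detect_scans(lines, min_hosts=10, window_s=10):
    """Flag sources that hit at least min_hosts distinct destination hosts
    inside any window_s-second window (a horizontal scan). Returns
    {src: {"hosts": n, "ports": [...]}} for the busiest window per source."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue          # unknown line shape: skip rather than crash
        events.append((datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                       m["src"], m["dst"], int(m["dport"])))
    events.sort()

    recent = defaultdict(list)   # per source: events still inside the window
    hits = {}
    for ts, src, dst, dport in events:
        q = recent[src]
        q.append((ts, dst, dport))
        while ts - q[0][0] > timedelta(seconds=window_s):
            q.pop(0)             # age out packets older than the window
        hosts = {d for _, d, _ in q}
        if len(hosts) >= min_hosts and len(hosts) > hits.get(src, {}).get("hosts", 0):
            hits[src] = {"hosts": len(hosts),
                         "ports": sorted({p for _, _, p in q})}
    return hits


if __name__ == "__main__":
    for src, info in detect_scans(build_sample_log()).items():
        print(f"scan from {src}: {info['hosts']} hosts, ports {info['ports']}")
```

The threshold is the whole game: ten distinct hosts in ten seconds from one source is never a legitimate client on a small public range, while the retrying HTTPS client touches one host and is left alone. Tune min_hosts to the size of your block.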

But I did get a laugh out of this. Hope you did too.

Don’t Forget to Clear the Router Reload

So, I had to make some changes on the router at our DR (Disaster Recovery) site, located in another state. As I posted about before, setting a “reload in” command can save your bacon if you make a configuration mistake and get locked out of the router. So I did. And then I made all the changes, tested everything, and saved the config. Job well done. I logged off and started working on something else, but I had this nagging feeling…did I forget something? No…I don’t think so. Then it hit me…the router was going to RELOAD shortly, if it hasn’t already.

I quickly logged back into the router (it was still up), and I got this upon login…

Just in the nick of time

Whew…I still had 7 minutes before the reload would have kicked in. As you can see, I cleared the reload, and breathed a sigh of relief.
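The same safety net with the cancel made part of the checklist, as an added example that is not the screenshot from the original post. The commands are standard IOS; the 10-minute timer and the reason text are assumed values.

```cisco
! Added example, not the post's screenshot. The 10-minute timer and the reason
! text after it are assumed values; the commands are standard IOS.
Router# reload in 10 Safety net while changing the DR WAN config
!
! ... make the changes, then verify from a SECOND session that you can still get in ...
!
! Is a reload still pending, and how many minutes are left?
Router# show reload
!
! Clear it BEFORE you save and log off, so the cancel is never the forgotten step.
Router# reload cancel
Router# write memory
```

The order matters more than the timer value: verify, cancel, then save. Saving first (as I did) is harmless if the changes were right, but it is the step that feels like “done” and makes the pending reload easy to forget; doing the cancel before write memory means you cannot get to the finish line without it.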

What did I learn from this? Geez…I don’t know…that I’m getting old? Yep…I guess I am.