Archive

Archive for July, 2008

Personal Leadership

July 29, 2008

I was flipping through “The 7 Habits Of Highly Effective People” by Stephen R. Covey today and came across a saying I thought was profound.

“What lies behind us and what lies before us

Are tiny matters

Compared to what lies within us”

By Oliver Wendell Holmes

There is no better place to look for strength than within your own person. He who has a why will make do with almost any how. The difference between leaders and followers is that of action. Leaders forge ahead and overcome adversity using compromise as an effective tool to build relationships. Followers have no such vision, and if they do, lack the dexterity to act upon it. The words “I can’t” aren’t in a leader’s vocabulary. Often the words “I can” will entail looking for solutions where none were thought to exist.

A good way to begin to make the most of your life is to develop a personal mission statement.  Use it to clearly define your values and principles.  Make it your daily “10 Commandments”.   Believe in them…Pursue them..Honor them…Make the ideas exist in this moment through decisive action.   Define all that is important in your world..Family, Friends, Work, Play..

I learned to do something similar while reading “101 Interview Questions”. In order to prepare for an interview you need to answer such questions as “How would your best friend describe you?” or “What flaws would your best friend say are most noticeable about you?”. These are hard questions to answer and require deep reflection. Once a flaw is recognized it is almost impossible to ignore. Ignorance is truly bliss…

Categories: Daily Insights

DNS Fundamentals

July 21, 2008

DNS is a required component of Active Directory; without it AD won’t work. DNS is also responsible for translating the names of internet and intranet web sites to their corresponding IP addresses, which the local machine and routers then use to locate the server. The following DNS objectives will be covered:

  • Installing DNS
  • Configure DNS server, zone and forwarding options
  • Managing DNS zone, record and server options and settings
  • Monitoring DNS using System Monitor, Event Viewer, Replication Monitor and DNS debug logs

DNS Fundamentals

The Domain Name System is a distributed database of names that forms a logical tree structure called the domain name space, which includes subdomains as well. Each domain is associated with one or more DNS name servers. A domain name identifies the position of the entity within the DNS hierarchy. Common top-level DNS domains are:

  • COM
  • EDU
  • GOV
  • MIL
  • NET
  • ORG
  • UK
  • US

The following terms and concepts need to be discussed before managing a DNS server.

  • Primary vs Secondary DNS Servers: the primary holds the writable copy of a zone; secondaries hold read-only copies obtained by zone transfer
  • Zone Transfers: full (AXFR) or incremental (IXFR) copies of a zone sent from primary to secondary; restrict them to known secondaries, since an open transfer hands out a complete map of your hosts
  • Service Location Resource Records (RFC 2052, obsoleted by RFC 2782)
  • Dynamic Updates (RFC 2136)
  • Clients
  • Resolvers: handle the process of mapping a symbolic name to an actual network address
  • Queries: recursive and iterative
  • Root Servers: authoritative for the root zone only; they refer the querying server to the name servers for the relevant top-level domain rather than answering for a particular domain
  • DNS Zones: a portion of the DNS namespace for which a server holds authoritative data

Dynamic Updates and Active Directory Integrated Zones.

In earlier versions of Windows, when DHCP was used there was no way to keep an up-to-date list of the corresponding DNS records. Dynamic DNS resolves this issue by allowing DNS clients to update their own records in the DNS database. The individual clients can do this, but the DHCP server is also able to do it on their behalf.

The DNS database can reside in a zone file on the server or be stored in AD. A typical DNS zone data file stored on disk is plain text, easily editable, not replicated, and offers no way to delegate control. Active Directory integrated (ADI) zones overcome these limitations and provide a more secure way of storing, replicating and editing DNS records: the zone replicates with AD, each record carries an ACL, and the zone can be set to accept secure dynamic updates only, so a record can be changed only by the account or computer that registered it. A zone that accepts nonsecure dynamic updates lets any host on the network overwrite any record.

EX 6.1: Installing and Configuring the DNS Service

Resource Records

The first thing to understand is that each zone file consists of a number of resource records. Each RR contains information about some resource on the network. The following are some of the RRs available in 2003 DNS:

  • Start of Authority (SOA): @ IN SOA source_host contact_e-mail serial# refresh_time retry_time expiration_time minimum_TTL
  • Name Server (NS): @ IN NS nameserver_host (FQDN)
  • Host Record (A): host_name IN A IP_address
  • Pointer (PTR): reversed_IP.in-addr.arpa IN PTR host_name (FQDN)
  • Alias (CNAME): <alias> IN CNAME <hostname>
  • Mail Exchange (MX): <domain> IN MX <priority> <mailserver host>
  • Service (SRV): _ldap._tcp.ace.com IN SRV 10 100 389 srv1.ace.com (priority, weight, port, target host)

How DNS Resolves Names

  1. Resolver sends a recursive DNS query to its local DNS server. The DNS server is responsible for resolving the name and cannot refer the resolver to another name server
  2. Local name server checks its zones and cache and finds no match
  3. Local name server sends an iterative query to a root name server, which replies with a referral to the name servers for the GOV top-level domain
  4. Local name server sends an iterative query to a GOV name server
  5. GOV server replies with a referral to the name servers for domain.gov
  6. Local name server sends an iterative query for the name to the domain.gov server
  7. domain.gov server replies with the IP address of the site requested
  8. Local name server caches the answer and sends the IP address of the site back to the original resolver

Queries for Services

Windows Server 2003 uses special domain names to make it possible for clients to look up the services they need. Windows prefixes these names with an underscore (_), which isn’t legal in a host name, so they can never collide with a real host. The special subdomains include the following:

  • _msdcs: Each DC, Global Catalog, and PDC emulator is listed here
  • _sites: Each site has its own subdomain
  • _tcp: service records that run on TCP (LDAP, Kerberos, KPASSWD password changer and GC)
  • _udp: service that run on UDP (Kerberos, KPASSWD service)
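Here is an added worked example (my own code, not from the course book or the original post) that parses a DNS response carrying SRV records for the _ldap._tcp.dc._msdcs subdomain and orders the targets the way a client is supposed to (lowest priority first, then highest weight). It ties the SRV format shown under Resource Records to the underscore-prefixed service lookups above. The response bytes, the ace.com domain and the dc1/dc2 host names are constructed for the example, not captured from a real server:

```python
"""Parse a DNS response carrying SRV records for an Active Directory service.

Added example, not code from the original post. The response is constructed
inline (ace.com, dc1/dc2 are placeholders); the parser handles the name
compression real servers use in the answer section.
"""
import struct

SRV, IN = 33, 1


def encode_name(name):
    """Encode 'a.b.c' as DNS labels without compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # 2-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                           # resume after the first pointer
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_srv_response(msg):
    """Return [(priority, weight, port, target), ...] from the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):                            # skip the question section
        _, off = read_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = read_name(msg, off + 6)         # RFC 2782: target is uncompressed
            records.append((prio, weight, port, target))
        off += rdlen
    return records


def order_targets(records):
    """Client selection order: lowest priority first, higher weight first within a priority."""
    return sorted(records, key=lambda r: (r[0], -r[1]))


def build_sample_response():
    """Constructed response for _ldap._tcp.dc._msdcs.ace.com (placeholder data)."""
    qname = "_ldap._tcp.dc._msdcs.ace.com"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)   # id, flags (QR|RD|RA), qd=1, an=2
    msg = header + encode_name(qname) + struct.pack("!HH", SRV, IN)
    for prio, weight, port, target in ((0, 100, 389, "dc1.ace.com"), (10, 100, 389, "dc2.ace.com")):
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        # owner name is a pointer to offset 12, where the question name starts
        msg += b"\xc0\x0c" + struct.pack("!HHIH", SRV, IN, 600, len(rdata)) + rdata
    return msg


if __name__ == "__main__":
    for rec in order_targets(parse_srv_response(build_sample_response())):
        print(rec)
```

Run it and dc1 (priority 0) is listed before dc2 (priority 10). The same parser works on the bytes a packet capture or a raw socket gives you; compression pointers (0xC0xx) are the part hand-rolled parsers most often get wrong, and the answer section here deliberately exercises them.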

Creating New Zones

You must first choose a zone type, which includes the following options:

  1. Caching Only (strictly a server role rather than a zone: the server hosts no zones of its own and answers only from its cache)
  2. Primary
  3. Secondary
  4. Stub: includes only the information needed to identify the authoritative DNS servers for a zone (the SOA, NS and glue A records)
  5. Active Directory Integrated (a primary zone stored in AD; available only on a domain controller)

Once the zone has been created it will contain the following tabs in it’s properties:

  • General
  • Start of Authority
  • Name Servers
  • WINS
  • Zone Transfers

The server also has it’s own tabs which include the following:

  • Root Hints
  • Advanced
  • Forwarders
  • Interfaces
  • Debug Logging
  • Event Logging
  • Monitoring

EX 6.2: Configuring Zones and Dynamic Updates

EX 6.4: Manually Creating DNS RRs

Monitoring and Troubleshooting DNS

You can monitor and troubleshoot DNS using the following tools:

  • Turn on Event Logging on the Event Logging tab of server properties
  • Configure options for debugging on the Debug Logging tab of server properties
  • Using System Monitor (AXFR, IXFR, DNS memory, Dynamic Updates, Recursive queries, TCP\UDP Stats, Zone transfer issues)

Event Viewer can also be used to monitor DNS. Look for the following Event IDs:

  • 2 – DNS server has started
  • 3 – DNS Server has shut down
  • 414 – server has no primary DNS suffix configured
  • 708 – DNS server did not detect any zones and will run in caching mode only
  • 3150 – DNS server updated version number
  • 6527 – Zone zonename expired

Windows Server 2003 also provides several useful tools that can assist in troubleshooting:

  • Nslookup: used to perform DNS queries and examine contents of zone files on local and remote servers
  • Ipconfig: used to view DNS client settings, display and flush the resolver cache and force a dynamic update
  • DNS log file 
  • Replication Monitor ( installed via \SUPPORT\TOOLS\SUPTOOLS.MSI) (Access via RUN – REPLMON)

All Exercises for Chapter 6: Installing and Managing Domain Name Service

EX 6.1: Installing and Configuring the DNS Service

EX 6.2: Configuring Zones and Dynamic Updates

EX 6.3: Creating a Delegated DNS Zone

EX 6.4: Manually Creating DNS RRs

EX 6.5: Simple DNS Testing

EX 6.6: Installing and Running Replication Monitor

EX 6.7: Working with Replication Monitor

EX 6.8: Using nslookup Command

Categories: Uncategorized

Managing IP Routing

July 14, 2008

We will be covering the following topics regarding Microsoft’s Routing and Remote Access Services.

  • Understanding IP Routing
  • Installing RRAS
  • Configuring IP Routing
  • Configuring TCP\IP Packet Filters
  • Configuring VPN Packet Filters

Understanding IP Routing

The first term that needs to be discussed is routing. In its most basic form, “routing is the process of delivering traffic to the correct address”. In terms of routing packets, every packet contains a source and destination address.

An IPv4 header carries those two addresses as 32-bit fields. An IP address and a subnet mask each use 32 bits, or 4 octets. The Wikipedia article on IPv4 shows the full header layout.

 

Although the job of routing is primarily done by routers, such as Microsoft’s Routing and Remote Access Server, every Windows PC contains its own routing table. Below is a sample routing table being used on my own laptop while connected to the Sprint Wireless Broadband network. There are two commands that can be used to display the local routing table:

route print or netstat -r

As you can see it lists all of my existing network adapters or connections and their corresponding MAC addresses. Some other relevant information here is:

  • Network address of the remote host or network – (Network Destination + Netmask)
  • Forwarding address to which traffic for the remote network should be sent – (Default Gateway)
  • Network interface that should be used to send the packet to the forwarding address – (Interface)
  • A cost, or metric, that indicates what relative priority should be assigned to this route – (Metric)

These routes can be static or dynamic. Dynamic routes are created by routing protocols, which discover the world around them and communicate with other routers. A static route is a manual entry which is applied until removed. The following command can be used to add a persistent static route (-p) to the table above, which currently has no static routes configured. Without -p the route is lost at the next reboot.

route -p add x.x.x.x mask x.x.x.x <gateway_IP> metric 1
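The following added example (my own code, not the post’s) parses a constructed `route print` style table and performs the lookup the stack does for each packet: the most specific netmask wins, and among equal prefixes the lowest metric wins. It also decodes a constructed IPv4 header to pull out the destination address that drives the lookup. All addresses are placeholders, not the laptop’s real Sprint addresses:

```python
"""Longest-prefix-match lookup over a `route print` style table, driven by the
destination address of a parsed IPv4 header.

Added example, not code from the original post. The table and the packet are
constructed inline with placeholder addresses.
"""
import ipaddress
import struct

# Constructed table in the column order of `route print`:
# Network Destination, Netmask, Gateway, Interface, Metric.
# Two default routes with different metrics model a laptop with two adapters.
ROUTE_PRINT = """\
0.0.0.0          0.0.0.0          192.168.1.1    192.168.1.50   25
0.0.0.0          0.0.0.0          10.0.0.1       10.0.0.7       50
127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1      1
192.168.1.0      255.255.255.0    192.168.1.50   192.168.1.50   25
172.16.5.0       255.255.255.0    10.0.0.1       10.0.0.7       1
"""


def parse_route_table(text):
    """Return a list of (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        dest, mask, gateway, iface, metric = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface, int(metric)))
    return routes


def parse_ipv4_header(pkt):
    """Return (protocol, src, dst) from the fixed 20-byte IPv4 header."""
    ver_ihl, _tos, _total_len, _ident, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return proto, str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))


def lookup(routes, dst):
    """Most specific netmask wins; among equal prefix lengths the lowest metric wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return {"network": str(best[0]), "gateway": best[1], "interface": best[2], "metric": best[3]}


def build_packet(src, dst, proto=6):
    """Constructed 20-byte IPv4 header (checksum left zero, no payload)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


if __name__ == "__main__":
    table = parse_route_table(ROUTE_PRINT)
    for target in ("172.16.5.9", "8.8.8.8", "192.168.1.77"):
        print(target, "->", lookup(table, target))
    proto, src, dst = parse_ipv4_header(build_packet("192.168.1.50", "172.16.5.9", 47))
    print("GRE packet to", dst, "leaves via", lookup(table, dst)["interface"])
```

172.16.5.9 takes the /24 static route even though both default routes also match it; 8.8.8.8 matches only the two default routes and goes to the one with metric 25. That is exactly the ordering `route print` shows in its Active Routes section.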

Two dynamic routing protocols supported by RRAS are Open Shortest Path First (OSPF) and Routing Information Protocol version 2 (RIPv2). RIPv2 has the following characteristics:

  • Sends its announcements to the multicast address 224.0.0.9 rather than broadcasting them as RIPv1 does
  • Supports simple (plaintext) password authentication; the password travels in the clear, so it guards against accidental peering, not against an attacker on the segment
  • Sends triggered updates as soon as a route changes
  • Prevents loops (split horizon and poison reverse)
  • Maximum metric (hop count) of 15; a metric of 16 means unreachable

RRAS can be used to set up two kinds of filters for notifying and listening for updates:

  • Route Filter: choose network you want to accept announcements
  • Peer Filter: control which neighboring routers your router will listen to

RIPv2 has the following operation modes:

  • Periodic Update Mode: the RIP router sends out its list of known routes at periodic intervals which you define; routes learned this way are cleared once the router is rebooted
  • Auto-Static Update Mode: the RRAS router sends the contents of its routing table only when a remote router asks for it; the learned routes are stored as static routes and remain even after rebooting

As it turns out RIP is used mainly for small networks and for much larger networks OSPF is used.  The following are OSPF characteristics:

  • Free of loops
  • Uses a link-state map and adjacencies with neighboring routers
  • Areas are used to break down a large network into more manageable segments and Area Border routers interlink them.
  • Uses multicast for router updates

The following are the routing multicast addresses used:

  • 224.0.0.0 – Base address of the multicast range
  • 224.0.0.1 – All Hosts, all systems on the same network
  • 224.0.0.2 – All Routers, all routers on the same network
  • 224.0.0.5 – All OSPF Routers
  • 224.0.0.6 – All Designated OSPF Routers
  • 224.0.0.9 – All RIPv2 Routers

The Internet Group Management Protocol (IGMP) is used to exchange multicast group membership and RRAS has two modes: Router and Proxy. 

Ex: 9.1: Installing the Routing and Remote Access Services for IP Routing

Once the RRAS server has been installed you will see the following:

EX: 9.2: Creating a Demand Dial Interface

On the General icon under IP Routing you will see all available interfaces including the Demand Dial one just created:

Note: This Internal interface is part of RRAS and represents all Remote Access Services (RAS) devices. All RAS clients are part of this interface.

Ex: 9.3: Installing the RIP and OSPF Protocols

Once RIPv2 has been installed you will now see the following addition under IP Routing called RIP

Once you have added the routing protocols you will also need to attach them to an interface.  Right-click RIP and choose “New Interface”.  Add the Demand Dial interface configured earlier.  Now Right-Click the interface and choose “Properties”.  There are several tabs including the following:

  • General
  • Security
  • Neighbors
  • Advanced

On the “Advanced” tab two options can be enabled: “Enable Split Horizon Processing” and “Enable Poison-Reverse Processing”. Split horizon stops a route learned by a RIP router on a network from being rebroadcast onto that same network, and therefore prevents routing loops. Poison reverse modifies split horizon: routes learned from a network are rebroadcast to that network, but with a metric of 16 (unreachable). I’ve come across both concepts when taking practice exams for 291.
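To make the two options concrete, here is an added example (mine, not from the book or the original post) that builds the RIPv2 announcement a router would send out of one interface under no split horizon, split horizon, and split horizon with poison reverse, and checks whether a neighbour that just lost a route would wrongly relearn it from that announcement. The interface names and networks are constructed:

```python
"""RIPv2 announcement under the update policies RRAS exposes.

Added example, not code from the original post. The route table and
interface names are constructed.
"""
RIP_INFINITY = 16  # RIP's "unreachable" metric

# (network, interface the route was learned on, metric as this router holds it)
ROUTES = [
    ("10.1.0.0/16", "eth0", 1),
    ("10.2.0.0/16", "eth1", 1),
    ("10.3.0.0/16", "eth1", 3),
    ("10.4.0.0/16", "demand0", 5),
]


def build_announcement(routes, out_iface, split_horizon=True, poison_reverse=False):
    """Return [(network, metric)] as advertised out of `out_iface`.

    The advertised metric is the stored metric plus one hop, capped at 16.
    Routes learned on `out_iface` are the ones the three policies treat differently.
    """
    announcement = []
    for net, learned_on, metric in routes:
        advertised = min(metric + 1, RIP_INFINITY)
        if learned_on != out_iface:
            announcement.append((net, advertised))
        elif not split_horizon:
            announcement.append((net, advertised))          # echoed back: loop risk
        elif poison_reverse:
            announcement.append((net, RIP_INFINITY))        # explicitly poisoned
        # plain split horizon: say nothing about it on that interface
    return announcement


def neighbor_would_relearn(announcement, lost_net):
    """True if a neighbour that just lost `lost_net` would accept it back from this announcement."""
    return any(net == lost_net and metric < RIP_INFINITY for net, metric in announcement)


if __name__ == "__main__":
    for label, kwargs in (("no split horizon", {"split_horizon": False}),
                          ("split horizon", {}),
                          ("poison reverse", {"poison_reverse": True})):
        ann = build_announcement(ROUTES, "eth1", **kwargs)
        print(f"{label}: {ann}  relearn 10.3.0.0/16? {neighbor_would_relearn(ann, '10.3.0.0/16')}")
```

Without split horizon the eth1 neighbour that originally told us about 10.3.0.0/16 hears it back at metric 4 and, if it has just lost that network, happily installs the route through us, which is the start of a count-to-infinity loop. Split horizon omits it; poison reverse sends it at 16 so the neighbour learns immediately that we are not a way to reach it.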

OSPF also needs to be attached to an interface and is done exactly the same as RIP.  The tabs however are different.  OSPF has the following tabs:

  • General
  • NBMA Neighbors (Non Broadcast Multiple Access)
  • Advanced

Configuring TCP/IP Packet Filters

The reason routers are most often used as gateway devices in relation to security is that they are able to screen out unwanted traffic through the use of packet filters. Packet filters work in both directions and can be configured to both allow and deny traffic into and out of your network. They are associated with a particular network interface and can filter by source or destination IP address, protocol and port. RRAS packet filters are static (stateless): there is no connection tracking, so a reply that isn’t explicitly permitted by an outbound filter is dropped like anything else, which is why the VPN filters below are configured in both directions.

Configuring VPN Packet Filters

There are two types of VPN packet filters that can be created: PPTP or L2TP. Each requires two inbound and two outbound filters (L2TP/IPSec needs a third pair for UDP 4500 when NAT traversal is in use).

PPTP requires filters set up to allow IP protocol ID 47 (GRE, Generic Routing Encapsulation) and TCP port 1723. GRE is a protocol, not a port, which is why it is entered as “Other” with a protocol number rather than with a port. L2TP/IPSec requires UDP 500 (IKE) and UDP 1701 (L2TP).

Ex: 9.5: Configuring PPTP Packet Filters

  1. Expand the server and IP Routing nodes to expose the General node
  2. Right-click the appropriate interface and choose Properties
  3. In the General tab of the interface Properties dialog box, click the Inbound Filters button
  4. Click the New button and the Add IP Filter dialog box appears
  5. Fill out the Add IP Filter dialog box with the VPN adapter’s IP address as the destination, protocol TCP and destination port 1723
  6. Once you click OK the Inbound Filters box reappears. Repeat step 5, but this time specify Other in the Protocol field and fill in a protocol ID of 47
  7. In the Inbound Filters dialog box, click the Drop All Packets Except Those That Meet The Criteria Below radio button and click OK
  8. Repeat steps 3-7, but this time create outbound filters. Make sure to specify the IP address of the VPN adapter as the source, not the destination, with TCP source port 1723 for the first filter
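As an added example (my own code, not the book’s exercise), the following evaluates RRAS-style filters the way Exercise 9.5 configures them: a drop-all-except list on the VPN server’s public interface with the TCP 1723 and GRE rules, and the mirror image in the outbound direction. It also shows what happens when step 6 (the GRE filter) is skipped: the control connection still passes but the tunnel traffic is dropped. The server address 203.0.113.10 and the client address are documentation placeholders:

```python
"""RRAS-style static packet filters for a PPTP server, evaluated both ways.

Added example, not code from the original post. Packets are constructed
dicts rather than captures; addresses are documentation placeholders.
"""
TCP, UDP, GRE = 6, 17, 47

VPN_SERVER = "203.0.113.10"     # placeholder: RRAS server's Internet-facing address


def make_pptp_inbound_filters(server_ip):
    """Exercise 9.5 inbound list: TCP to port 1723 and GRE, destined to the server only."""
    return [
        {"proto": TCP, "dst": server_ip, "dport": 1723},
        {"proto": GRE, "dst": server_ip},           # GRE has no ports, so no dport key
    ]


def make_pptp_outbound_filters(server_ip):
    """Step 8: same rules with the server as the source."""
    return [
        {"proto": TCP, "src": server_ip, "sport": 1723},
        {"proto": GRE, "src": server_ip},
    ]


def matches(rule, pkt):
    """A rule matches when every field it names equals the packet's field."""
    return all(pkt.get(field) == value for field, value in rule.items())


def evaluate(filters, pkt, drop_all_except=True):
    """Return 'pass' or 'drop'.

    RRAS offers exactly two list semantics: "Drop all packets except those that
    meet the criteria below" (an allow-list) or "Receive all packets except
    those that meet the criteria below" (a deny-list).
    """
    hit = any(matches(rule, pkt) for rule in filters)
    if drop_all_except:
        return "pass" if hit else "drop"
    return "drop" if hit else "pass"


# Constructed sample traffic arriving at the server's public interface.
CLIENT = "198.51.100.7"
CONTROL = {"proto": TCP, "src": CLIENT, "dst": VPN_SERVER, "sport": 40000, "dport": 1723}
TUNNEL = {"proto": GRE, "src": CLIENT, "dst": VPN_SERVER}
SMB_SCAN = {"proto": TCP, "src": CLIENT, "dst": VPN_SERVER, "sport": 40001, "dport": 445}

if __name__ == "__main__":
    inbound = make_pptp_inbound_filters(VPN_SERVER)
    for name, pkt in (("control", CONTROL), ("tunnel", TUNNEL), ("smb scan", SMB_SCAN)):
        print(f"{name:9} full filter set: {evaluate(inbound, pkt)}")
    # Forgetting step 6 leaves only the TCP rule: the tunnel hangs after authentication.
    print("tunnel    without GRE rule:", evaluate(inbound[:1], TUNNEL))
```

The last line is the failure mode people hit in practice: with only the TCP 1723 rule, the client authenticates (that happens over the control channel) and then the connection stalls, because every data packet is GRE and is silently dropped.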

Exercises for Chapter 9: Managing IP Routing

9.1 – Installing the Routing and Remote Access Services for IP Routing
9.2 – Creating a Demand Dial Interface
9.3 – Installing the RIP and OSPF Protocols
9.4 – Adding and Removing Static Routes
9.5 – Configuring PPTP Packet Filters
9.6 – Monitoring Routing Status

Categories: Uncategorized

Security Certified Professional

July 11, 2008

Besides studying for the CCNA exam I’ve decided to study for the Security Certified Network Specialist exam offered by Security Certified Professional.   The exam SC0-541 is titled “Tactical Perimeter Defense” and covers the following 7 Domains:

Examination Domain – Percentage of Exam

  • 1.0 – Network Defense Fundamentals – 5%
  • 2.0 – Hardening Routers and Access Control Lists – 10%
  • 3.0 – Implementing IPSec and Virtual Private Networks – 10%
  • 4.0 – Advanced TCP/IP – 15%
  • 5.0 – Securing Wireless Networks – 15%
  • 6.0 – Designing and Configuring Intrusion Detection Systems – 20%
  • 7.0 – Designing and Configuring Firewall Systems – 25%
  • Total – 100%

The course outline for the 541 exam consists of the following 9 lessons:

  1. Network Defense Fundamentals
  2. Advanced TCP\IP
  3. Routers and Access control Lists
  4. Designing Firewall
  5. Configuring Firewalls
  6. Implementing IPSec and VPN’s
  7. Designing an Intrusion Detection System
  8. Configuring an IDS
  9. Securing Wireless Networks

Lesson 4 & 5 will be my focus for now. I do work with personal firewalls like Zone Alarm, but these are designed for the home user and don’t provide the level of protection and complexity a corporate firewall would require. IPTables is something I’ve only read about and have never had the chance to configure, and being that its platform is Linux I am at even more of a disadvantage. But never to be deterred, I have just installed Ubuntu, a very popular version of Linux, and will configure its IPTables firewall.

The exam material is quite difficult and after an initial review of questions downloaded from testkingcert.com I realized I would need to really apply myself to pass this exam. Who am I kidding, the CCNA exam is just as hard. I will be using the downloaded questions from testkingcert.com as my reference point and am currently working on categorizing the questions based on their domain topic. Once done, I will be able to study each domain in greater depth. As with every question, it’s off to the great Google machine for answers.

One of the very first questions was related to Iptables. I am familiar with Cisco’s ACLs and IPSec filters, so with that in hand I’m sure to get a grasp on Iptables.

Categories: Security

XP Firewall Exceptions

July 10, 2008

 

I recently gave a class regarding WAN and Remote Access Technologies which included an exercise on setting up an outgoing\incoming PPTP VPN connection between 2 XP machines. As the students worked in pairs it was necessary for both of them to create incoming and outgoing connections. There were some issues that occurred during the connection process which revolved mostly around improper configuration (aka: ‘user error’). One error in particular was not turning off the XP Firewall. Being that any firewall is a critical piece of software, it is more prudent to specifically permit the VPN traffic than to turn the Firewall off altogether. So I decided to include the following example on how to configure the Firewall to accept incoming PPTP and L2TP connections. If you are looking for more information on configuring the XP Firewall, see the Microsoft white paper “Deploying Windows Firewall Settings”.

 

First you will need to open your Local Area Connection Properties. You can do this by going to Start – Control Panel – Network Connections, right-clicking the LAN connection and choosing ‘Properties’. Click the ‘Advanced’ tab.


 
On the ‘Advanced’ tab, in the ‘Windows Firewall’ options, click on ‘Settings’. You should now see the following available tabs: General, Exceptions & Advanced.
 
 

Click on the ‘Advanced’ tab.

In the ‘Network Connection Settings’ area click on ‘Settings’. There are now two tabs available: Services & ICMP. Click on ‘Services’. Here you are viewing additional exceptions regarding services running on your computer that Internet users can access. The below example shows that this firewall is already configured for both L2TP and PPTP VPN incoming connections.

 

 

If you don’t currently see a preconfigured service for L2TP or PPTP then click on ‘Add’. You will need to add the following configuration:

 

Description of service:  Incoming Connection VPN (PPTP)

Name or IP address of the computer hosting this service on your network:  Put your computer name or ip

External Port number for this service:  TCP 1723

Internal Port number for this service:   TCP 1723

 

 

You can also configure incoming L2TP connections using the following settings:

 

 

 

Description of service:  Incoming Connection VPN (L2TP)

Name or IP address of the computer hosting this service on your network:  Put your computer name or ip

External Port number for this service:  UDP 1701

Internal Port number for this service:   UDP 1701

 

In order to use L2TP you will also need to add the IKE service (UDP 500) as seen below. If either machine sits behind a NAT device, IPsec NAT-T additionally needs UDP 4500 opened the same way.

 

 

Description of service:  IP Security (IKE)

Name or IP address of the computer hosting this service on your network:  Put your computer name or ip

External Port number for this service:  UDP 500

Internal Port number for this service:   UDP 500

 

Once this has been completed, test the connection to make sure it works.

 

 

Categories: Security

Network+ Overview

July 8, 2008

I’ve decided to upload class outlines for Network+ to assist in making sure all required material is covered as well as allowing the students to review this material whenever they have access to a PC with Internet connectivity.

Categories: Uncategorized

Chap 7: Managing Remote Access Services

July 7, 2008

 

Today’s class will be covering Chapter 7 “Managing Remote Access Services”.

 

I will be covering the following topics today:

  • Three phases of PPP negotiation
  • How VPN’s work
  • PPTP compared to L2TP
  • Advantages of using PPTP
  • Advantages of using L2TP
  • Installing RRAS
  • Configuring VPN
  • Troubleshooting VPN
  • Managing RRAS
  • Integrating RRAS with DHCP
  • Configure a VPN Client

Although the book begins with Dial Up Networking, I’ve chosen to skip this as dialup is dead as far as I’m concerned. I have included the PPP negotiation process as it is used for serial connections and is something you will be tested on for the CCNA exam as well. When possible, I include material from the CCNA exam as well as 70-291. There are at least six distinct protocols that run on top of PPP. I encourage using Wikipedia, where you can find more info on PPP.

Three Phases of PPP Negotiation

Phase 1: PPP & Link Control Protocol

Phase 2: PPP & PAP or CHAP

Phase 3: PPP & CBCP, CCP & IPCP, IP Datagram exchange

How VPN’s Work

  1. Client establishes a connection to the internet
  2. Client sends a VPN connection request to the server. The exact format of the request varies depending on whether you are using PPTP or L2TP
  3. Client authenticates to the server (again, this varies with the protocol used)
  4. Client and server negotiate the parameters of the VPN session, such as encryption algorithm and strength
  5. Client and server go through the PPP negotiation process

PPTP Compared to L2TP/IPSec
Both PPTP and L2TP/IPSec use PPP to provide an initial envelope for the data, and then append additional headers for transport through the internetwork. However, there are the following differences:

· With PPTP, data encryption begins after the PPP connection process (and, therefore, PPP authentication) is completed. With L2TP/IPSec, data encryption begins before the PPP connection process by negotiating an IPSec security association.

· PPTP connections use MPPE, a stream cipher based on RSA’s RC4 algorithm, with 40-, 56- or 128-bit keys. Stream ciphers encrypt data as a bit stream. L2TP/IPSec connections use the Data Encryption Standard (DES), a block cipher that uses either a single 56-bit key (DES) or three 56-bit keys (3DES). Block ciphers encrypt data in discrete blocks (64-bit blocks, in the case of DES). Note that 40- and 56-bit keys, and single DES, are within reach of brute force and should not be relied on.

· PPTP connections require only user-level authentication through a PPP-based authentication protocol. L2TP/IPSec connections require the same user-level authentication and, in addition, computer-level authentication using computer certificates.

Advantages of L2TP/IPSec over PPTP
The following are the advantages of using L2TP/IPSec over PPTP:

·IPSec provides per packet data authentication (proof that the data was sent by the authorized user), data integrity (proof that the data was not modified in transit), replay protection (prevention from resending a stream of captured packets), and data confidentiality (prevention from interpreting captured packets without the encryption key). By contrast, PPTP provides only per-packet data confidentiality.

· L2TP/IPSec connections provide stronger authentication by requiring both computer-level authentication through certificates and user-level authentication through a PPP authentication protocol.

· PPP packets exchanged during user-level authentication are never sent in an unencrypted form because the PPP connection process for L2TP/IPSec occurs after the IPSec security associations (SAs) are established. If intercepted, the PPP authentication exchange for some types of PPP authentication protocols (MS-CHAP and MS-CHAP v2 among them) can be used to perform offline dictionary attacks and determine user passwords. By encrypting the PPP authentication exchange, offline dictionary attacks are only possible after the encrypted packets have been successfully decrypted.

Advantages of PPTP over L2TP/IPSec
The following are advantages of PPTP over L2TP/IPSec:

· PPTP does not require a certificate infrastructure. L2TP/IPSec requires a certificate infrastructure for issuing computer certificates to the VPN server computer (or other authenticating server) and all VPN client computers.

· PPTP can be used by computers running Windows XP, Windows 2000\2003\2008, Windows NT version 4.0, Windows Millennium Edition (ME), Windows 98, and Windows 95 with the Windows Dial-Up Networking 1.3 Performance & Security Update. L2TP/IPSec can only be used with Windows XP and Windows 2000\2003\2008 VPN clients. Only these clients support the L2TP protocol, IPSec, and the use of certificates.

· PPTP clients and servers can be placed behind a network address translator (NAT) if the NAT has the appropriate editors for PPTP traffic. L2TP/IPSec-based VPN clients or servers cannot be placed behind a NAT unless both support IPSec NAT Traversal (NAT-T). IPSec NAT-T is supported by Windows Server 2003, Microsoft L2TP/IPSec VPN Client

Installing Routing & Remote Access Services

Exercise 7.1 Installing the Routing and Remote Access Services

Configuring RRAS

Exercise 7.2: Controlling Multilink for Incoming Calls

Troubleshooting VPN

· Is server configured to allow remote access?

· Is server configured to allow VPN traffic and if so what type?

· Are there any available VPN ports?

· Does user account have remote access persmission

Monitoring Remote Access

· Event Log files (systemroot\system32\LogFiles\iaslog.log)

· Monitoring Ports and Port Activity

Integrating RRAS with DHCP

*You can’t install the relay agent on a computer that is already acting as a DHCP server

*You can’t install it on a system running NAT with the addressing component installed

*Add New Routing Protocol for DHCP Relay Agent

Exercise 7.6: Installing and Configuring the DHCP Relay Agent on a RRAS server

Configure a VPN Client

Exercise 7.8: Configuring Windows XP as a VPN Client

Here is a complete list of exercises for Chapter 7

UNIT 7 – Managing Remote Access Service

____7.1 – Installing the Routing and Remote Access Services

____7.2 – Controlling Multilink for Incoming Calls

____7.3 – Configuring Incoming Connections

____7.4 – Installing the Routing and Remote Access Service as a VPN Server

____7.5 – Changing Remote Access Logging Settings

____7.6 – Installing and Configuring the DHCP Relay Agent on an RRAS Server

____7.7 – Configuring the DHCP Relay Agent on a Network Interface

____7.8 – Configuring Windows XP Professional as a VPN Client

Categories: Uncategorized