Blog: Networking

I needed to upgrade a Cisco IOS on a 2691 Router from a 12.3 track requiring 32 MB of flash memory to a 12.4 track requiring 64 MB of flash memory.  When I looked for the current flash memory installed on the device, it reported 62592K bytes of ATA System CompactFlash (Read/Write) which divided by 1024 came out to be 61.125 MB of RAM. 

I sent in a ticket to Cisco asking if I would be able to use the new image since my Flash memory showed less than what was required.  They told me that "The router has 64MB of flash memory.  Sometimes the router does not recognize the total amount of Compact Flash.  The compact flash sizes you can find for Cisco routers are: 2, 4, 8, 16, 32, 64, and 128MB.  Although the 12.4 version's minimum requirement is 64MB, the total size of the code itself does not exceed 60 MB".

The code was actually around 34 MB, so it wouldn't fit on a 32 MB flash card.  You would have to have the next available amount which is 64.


 

Symantec published a paper in conjunction with Indiana University describing how attackers could be using unsecured home wireless access points in pharming attacks. The vulnerability comes down to easily guessed credentials on the wireless routers, and a default installation certainly qualifies: factory-default credentials are easily guessed.

The ploy described in the paper (http://www.symantec.com/avcenter/reference/Driveby_Pharming.pdf) uses JavaScript on a malicious website to change the DNS settings on the wireless router, provided the script can guess the router's credentials.

So, there is more to it than being sure your wireless transmissions are encrypted.


 

Engineers beware: enabling the network scanning feature of Symantec's real-time protection will slow the network to a crawl. Symantec actually recommends turning off network scanning on Symantec v10.0 and below because of the severe performance impact it causes. In v10.1 and above, Symantec supposedly “improved” the network scanning functionality and introduced the ability to trust a server that is itself running real-time protection, to prevent a file being scanned twice. Unfortunately, the network scanning feature doesn't seem to be improved in any way, and the trust feature looks to be all fluff. Additionally, after troubleshooting and testing, it looks like when Symantec is configured to do network scans, instead of scanning files on the client side as they traverse the network stack, Symantec opens literally hundreds of file handles to the files on the remote share and attempts to scan them remotely, in place on the share. This behavior has been verified to be the cause of several network performance issues at one of our customers lately.


 

The Xerox WorkCentre Pro line of multi-function printers has network scanning capabilities.  This allows users to scan a document into a PDF and save it in a number of network directories.  Well, as it turns out, that number is five: you can set one default destination and up to four alternate destinations.  So if you have five people in a branch you're fine; otherwise you're not so fine.  Well, in Xerox's infinite wisdom, they did manage to work around this issue by allowing each scanning template to be saved in a specified subfolder within a destination directory.  Therefore, in order to allow users to scan a document to their UserDocs folder, you need to do the following:

  1. Open or create the branch directory where the WorkCentre was installed
  2. Create a new folder and name it “Scans”
  3. In Scans Properties, give the domain user “Xerox” read/write/modify rights to the folder
  4. In Scans, create a folder for each user who will use the network scanning feature.  Make the folder name the same as the username
  5. Create a shortcut of each folder and put it into the respective user’s UserDocs folder.  Rename the shortcut “Xerox Scans”
  6. Access the Xerox Web UI for the respective WorkCentre and click the Scan tab
  7. Create a new template with the username as the template name
  8. Under Name and Format, click edit
  9. Select a descriptive name for the document name and set the format as PDF
  10. Under File, edit the default destination
  11. Set the Filing Policy to “Add Date to Name”
  12. Under Document Path, enter the username in the Optional field.  This is the subfolder path the documents will be saved in.
  13. Click Apply
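Steps 1 through 5 of the procedure above as a PowerShell script, added here as an example; it is not from the original post or from Xerox. The branch directory, domain name, UserDocs root and user list are placeholders to change for your own site. The only principal granted rights on the Scans tree is the dedicated “Xerox” account, and it gets Modify on that tree only, so the WorkCentre's login cannot write anywhere else in the branch directory.

```powershell
# Added example (not from the original post or from Xerox): steps 1-5 of the
# WorkCentre network-scanning setup. All paths, the domain and the user list
# below are placeholders.
$BranchRoot  = 'D:\Branches\BRANCH01'   # placeholder: branch directory (step 1)
$Domain      = 'CORP'                   # placeholder: NetBIOS domain name
$ScanAccount = "$Domain\Xerox"          # the account the WorkCentre logs in with
$UserDocs    = 'D:\UserDocs'            # placeholder: root of per-user UserDocs folders
$Users       = @('jsmith', 'mjones')    # placeholder: users who will scan

# Steps 1-2: make sure the branch directory exists and create "Scans" under it.
$Scans = Join-Path $BranchRoot 'Scans'
New-Item -ItemType Directory -Path $Scans -Force | Out-Null

# Step 3: grant the scanner account Modify (read/write/modify) on Scans,
# inherited by the per-user subfolders created below. No other grant is made.
$acl  = Get-Acl -Path $Scans
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ScanAccount,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $Scans -AclObject $acl

# Steps 4-5: one subfolder per user, named after the username (the value that
# later goes into the template's "Optional" document path at step 12), plus a
# "Xerox Scans" shortcut in the user's UserDocs folder pointing at it.
$shell = New-Object -ComObject WScript.Shell
foreach ($u in $Users) {
    $userScans = Join-Path $Scans $u
    New-Item -ItemType Directory -Path $userScans -Force | Out-Null

    $userDocsFolder = Join-Path $UserDocs $u
    if (-not (Test-Path $userDocsFolder)) {
        Write-Warning "UserDocs folder for $u not found; skipping shortcut"
        continue
    }
    $link = $shell.CreateShortcut((Join-Path $userDocsFolder 'Xerox Scans.lnk'))
    $link.TargetPath = $userScans
    $link.Save()
}
```

Run it once per branch as an administrator on the file server; steps 6 through 13 are still done per user in the WorkCentre web UI, with the username from `$Users` entered as the template's subfolder path.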

 

Like past versions of Windows, Vista is available in a full version or an upgrade, with the upgrade being 30-50% less.  However, unlike previous upgrades, the Vista upgrade process requires XP to be installed on the system before it can be upgraded.  Prior upgrades only required a physical disk from an older OS as evidence of the previous purchase.

Brian Livingston (author of the “Windows Secrets” series of books) has documented the procedure to perform a clean install with an upgrade license key.  This is not intended to circumvent any licensing, but as we all know, Windows usually performs better if you start over with a clean install.  The steps are documented at http://windowssecrets.com/comp/070201#story1.  This upgrade scenario is also addressed in Microsoft KB930985.


 

In SecureACS, dynamic users get deleted whenever there is any change in the Windows Database configuration: in order to recalculate group membership after a mapping change, SecureACS must purge its dynamic users.  This is a problem when you have set user-specific properties on those accounts.  One workaround is to create manually defined users – they can still use Windows AD authentication, but won’t be deleted if you reconfigure the database mappings.


 

When installing an application on a terminal server it is necessary to change the server to install mode by running “change user /install” from a command prompt or by performing the install through “Add/Remove Programs.”  After the installation you must run “change user /execute” to bring it out of install mode.  Installing in install mode ensures that the .ini files for the installed application are stored in the Terminal Server system directory.  These files are used as the master copies for the user-specific .ini files.

Why is this important?  When a user runs an application for the first time, the application looks in the home directory for its .ini files.  If it does not find them in the home directory it will look in the Terminal Server system directory and copy them to the user’s home directory.  If an application is installed while the server is not in install mode, the .ini files will be saved to the installing user's home directory.  New users will therefore be unable to pull down the .ini files from the Terminal Server system directory, and the application will not run.
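The install-mode sequence wrapped in a script, added as an example and not taken from the original post: it records the current mode, switches to install mode, runs the installer, and returns the server to execute mode in a `finally` block so the mode is restored even if the installer throws. The installer path is a placeholder; `change.exe` and its `/query`, `/install` and `/execute` switches are the Terminal Services tool the post refers to.

```powershell
# Added example (not from the original post): run an installer in Terminal
# Server install mode and always return to execute mode afterwards.
param(
    [string]$InstallerPath = 'C:\Packages\example.msi'   # placeholder package
)

function Get-TsInstallMode {
    # "change user /query" reports which mode is active; the output mentions
    # INSTALL when install mode is on, otherwise EXECUTE.
    $out = & change.exe user /query
    if ($out -match 'INSTALL') { 'Install' } else { 'Execute' }
}

Write-Host "Before: $(Get-TsInstallMode) mode"
& change.exe user /install
try {
    # Silent MSI install; for a non-MSI package substitute its own silent switch.
    $p = Start-Process -FilePath msiexec.exe `
        -ArgumentList "/i `"$InstallerPath`" /qn" -Wait -PassThru
    if ($p.ExitCode -ne 0) {
        Write-Warning "Installer returned exit code $($p.ExitCode)"
    }
}
finally {
    # The post says you must run "change user /execute" after the install;
    # doing it in finally guarantees it runs even when the installer fails.
    & change.exe user /execute
    Write-Host "After: $(Get-TsInstallMode) mode"
}
```

Run it from an elevated prompt on the terminal server itself; `Get-TsInstallMode` can also be called on its own to confirm a server was not accidentally left in install mode.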


 

The match statement is used in route-maps and policy-maps in IOS to define the criteria a packet must meet in order to be classified under the permit or deny action of a route-map statement.  Route-maps can be roughly compared to an IF… THEN clause in programming.  Some match statements can take multiple conditions, like:

match ip dscp af31 af32 af33

In which case each condition is OR’d with the one before it.  If any condition is true (in the above statement, af31, af32 and af33 are all possible DSCP values an IP packet might carry), then the match is true.  The other scenario is having multiple match statements:

match ip dscp af31
match ip dscp af32

In this case both statements have to be true for the packet to be classified in the given route-map entry.  Since an IP packet can never be both af31 AND af32, this route-map (or policy-map) entry will never match anything.
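The two cases above written out as IOS configuration, as an added example that is not from the original post; the next-hop address and the map and class names are placeholders. It also goes one step beyond the post: for policy-maps the criteria are held in a class-map, and the class-map's `match-any` or `match-all` keyword is what selects the OR or the AND behaviour, so the never-matching combination is easy to spot there.

```ios
! Added example (not from the original post). Names and the next-hop
! address (RFC 5737 documentation range) are placeholders.
!
! Case 1: several values on one match line are OR'd together.
! Matches packets marked af31, af32 or af33.
route-map CLASSIFY-OR permit 10
 match ip dscp af31 af32 af33
 set ip next-hop 192.0.2.1
!
! Case 2: separate match lines in the same entry are AND'd together,
! as the post describes. A packet carries exactly one DSCP value, so this
! entry can never match anything.
route-map CLASSIFY-AND permit 10
 match ip dscp af31
 match ip dscp af32
 set ip next-hop 192.0.2.1
!
! Same two cases for a policy-map: the class-map keyword decides.
! match-any = OR (case 1); match-all = AND (case 2, never matches here).
class-map match-any DSCP-AF3X
 match ip dscp af31
 match ip dscp af32
 match ip dscp af33
!
class-map match-all DSCP-NEVER
 match ip dscp af31
 match ip dscp af32
!
policy-map REMARK-AF3X
 class DSCP-AF3X
  set ip dscp af33
 class DSCP-NEVER
  set ip dscp default
```

When reviewing a policy-map that "never matches", check the class-map's `match-all` / `match-any` keyword first: the `class DSCP-NEVER` action above is unreachable for exactly the reason the post gives.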


 

1. ISP customer setup automation sometimes creates issues. Email from domain A to domain B works, but from domain B to domain A doesn't. Be careful if both are customers of the same ISP. Automated provisioning sometimes creates mail domains, DNS zones, and web space for all customers. Customers of the same ISP can experience issues (depending on the mail server software used) if one customer uses the ISP's mail (POP/IMAP and SMTP) and the other hosts their own mail server. If the ISP's mail servers have a mail domain set up for a customer who does not use the ISP-provided mail (because they run their own mail server), then when another ISP customer who does use the ISP mail service relays mail through the ISP's servers, delivery ends up being local to that server instead of the server looking up the correct MX record. This usually shows up as an SMTP 550 error (user not found) rejection sent back to the sender.

2. Can't send mail to AOL? Join the club! If a mail domain cannot send mail to AOL, it could be a number of things. The first thing to do is start an SMTP session over telnet like the following:

telnet mailin-01.mx.aol.com 25

The AOL server will return an error code and a web link to an article explaining why the mail was blocked. A very common error is 554 (RTR:sc), which means that your sending IP has been blocked because too many AOL members clicked the "this is spam" link on emails that trace back to your mail server IP or domain. If you are curious about what mail is being sent on your behalf that AOL users are flagging as spam, you can create a feedback loop (see http://postmaster.info.aol.com/fbl/). Once you have requested a feedback loop you will be notified whenever a member clicks "this is spam"; the feedback email sent to you will contain the complete email and header information. To be removed from an AOL block list, you must call 703-265-4670 and jump through some hoops. It takes 24 hours for the removal to take effect.
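The telnet check above as a PowerShell script, added here as an example and not part of the original post: it opens a TCP session to a mail exchanger's port 25, reads the greeting (the reply a blocking server answers with before any mail is offered), sends only `QUIT`, and splits the reply into its code, text and any link so the reason can be read off. The sample reply used for the offline demonstration is constructed for illustration and is not AOL's actual banner text; the live call at the end uses the host named in the post.

```powershell
# Added example (not from the original post): read and parse an SMTP greeting.
# Only QUIT is sent; no message is submitted.

function ConvertFrom-SmtpReply {
    param([string[]]$Lines)
    # An SMTP reply is one or more lines of "NNN-text" (more lines follow)
    # or "NNN text" (last line). Collect the text and pull out any http(s) link.
    $code = $null
    $text = @()
    foreach ($l in $Lines) {
        if ($l -match '^(\d{3})[ -](.*)$') {
            $code  = [int]$Matches[1]
            $text += $Matches[2]
        }
    }
    $joined = $text -join ' '
    $url = ($joined | Select-String -Pattern 'https?://\S+' -AllMatches).Matches.Value
    [pscustomobject]@{
        Code    = $code
        Blocked = ($code -ge 500)   # 5xx = permanent rejection of this sender
        Text    = $joined
        Url     = ($url | Select-Object -First 1)
    }
}

function Get-SmtpGreeting {
    param([string]$Server, [int]$Port = 25, [int]$TimeoutMs = 10000)
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true
    $lines = @()
    do {
        $line   = $reader.ReadLine()
        $lines += $line
    } while ($line -match '^\d{3}-')   # a dash after the code means more lines
    $writer.WriteLine('QUIT')
    $client.Close()
    ConvertFrom-SmtpReply -Lines $lines
}

# Offline demonstration with a constructed two-line 554 reply (placeholder
# wording and URL, not a real server's text):
$sample = @(
    '554-5.7.1 (RTR:sc) Example: connection refused for policy reasons',
    '554 5.7.1 See https://postmaster.example.invalid/errors/rtr-sc.html'
)
ConvertFrom-SmtpReply -Lines $sample | Format-List

# Live check against the MX named in the post (substitute your own target):
# Get-SmtpGreeting -Server 'mailin-01.mx.aol.com'
```

Run the live check from the mail server whose deliverability you are diagnosing, since the block is keyed to the sending IP; a `Blocked` result of `True` with a link in `Url` is the case the post describes.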