
Lan-Secure Network Blog

Network Management and Security



Burning Devices Security

Burning devices are one of the major causes of severe organizational data loss and information theft. Common Windows GPO (Group Policy Objects) or DLP (Data Loss Prevention) products can remove Read or Write access to burning devices. However, when approved files or documents need to be burned, the burning device needs burn permissions to complete the burning action. In that case standard GPO or DLP tools cannot control which information is burned: once burning permissions are given, any sensitive or protected data can be burned and leak outside the organization. This scenario is common in organizations that need to provide burned information on CD/DVD/Blu-ray media.

Lan-Secure Burn Protector: Secure Burn CD/DVD/Blu-ray Management Software has the perfect solution for secure burning permissions on files and folders. The software automatically disables Write access to burning devices, and only approved files or folders can be burned, through the software's protected client interface. Any other burning software, or any attempt at direct Write access, is blocked by the software client protection service.

How does it work?
Lan-Secure Burn Protector software is installed on the organization's Windows platform, and all protected computers need to be added to the software protection list, either through the software management console or through any third-party deployment system using the software deployment MSI package. Burning permissions for users' files and folders are set through the software monitor console, using default permissions or per-user permissions. The client protection service prevents any Write access to the burning devices of protected computers, whether directly or from any burning software. Burning is available only through the software client's burning interface, and unpermitted files or folders are not available for burning.

How does it protect the organization?
Burning devices in organization computers can cause severe data leaks and information theft, either deliberately by potential attackers or through innocent user mistakes. Preventing these devices from burning sensitive organization information, while still applying burning permissions to files and folders, are crucial tasks in any organization. Using a software protection tool that implements both tasks contributes to the organization's security and productivity.

Conclusion
Implementing burning device security is crucial for any organization that uses burning devices, in order to prevent data loss and information theft. However, standard access control tools like GPO or DLP can only control the availability of the burning devices, not the burned information. A tool that provides burning permissions for users' files and folders can serve the organization's security while keeping burning devices in safe use.

Disable Wireless When Connected to LAN

Wireless today has become a standard interface in every laptop, and in most cases it connects automatically to the nearest Access Point it discovers. Most organizations provide unsecured wireless connectivity to public networks like the internet for their guests, through local wireless Access Points that work in stand-alone mode and are completely disconnected from the organization LAN. However, when a company employee uses his laptop to connect to the organization LAN, the laptop's WiFi adapter will automatically try to connect to the nearest wireless Access Point. In most cases the nearest wireless Access Point the employee's laptop discovers will be the organization's unsecured wireless network. The employee's laptop then becomes a perfect bridge into the organization LAN for any potential intruder from the internet or from the local unsecured wireless network. Because of the duplicate connection, the employee's laptop also consumes duplicate network resources and the employee can suffer from unstable network connectivity.

The above scenario is becoming a daily issue as wireless networking becomes a common standard in every laptop. Lan-Secure Wireless Protector: Disable WiFi Automatically When Connected to LAN has the perfect solution for the organization's wireless management and security. The software automatically disables WiFi adapters on computers that are connected to the company network with a LAN cable and re-enables WiFi when the LAN cable is disconnected from the computer.

How does it work?
Wireless Protector Software is installed on the organization's Windows platform, and all organization laptops need to be added to the protected computers list. The software scans all protected laptops and, using the network administrator's username and password, creates a service on each remote laptop. The service installed on the remote laptop tries to communicate with the Wireless Protector Software installed on the organization LAN each time the connectivity status of one of its network adapters changes. Upon receiving confirmation from the software, the remote laptop automatically disables its WiFi adapter if the laptop's LAN cable is connected to the organization network, and re-enables it when the LAN cable is unplugged from the laptop. Wireless Protector Software verifies that the protection service is running on the organization's remote laptops and collects protection events and the WiFi activation status of each laptop.

How does it protect the organization?
A remote computer's WiFi is disabled only after receiving confirmation from the Wireless Protector Software installed on the organization LAN. This mechanism ensures that a protected laptop's WiFi adapter is disabled only when it is connected to the organization LAN, and not anywhere outside the organization. When connected to the organization LAN, remote protected laptops disable their WiFi adapter and the remote user receives a notification message about it. Any attempt by the remote user to bypass this mechanism manually will fail while the remote laptop is connected to the organization LAN. The software notifies the administrator about the protection status of each remote laptop and collects WiFi disabling events from the protected laptops. The software ensures that the organization LAN is protected from unsecured wireless connections and from duplicate network connections.

Conclusion
Wireless networks are still the most convenient way for fast and easy communication, and WiFi adapters have become standard in every laptop. However, keeping wireless networks accessible to public networks leaves them unsecured and vulnerable to attacks by potential intruders. Wireless Protector Software protects the organization LAN from wireless network vulnerabilities while still allowing wireless communication to be used freely and safely.

Network configuration management software

Network configuration management refers to the mechanism that allows controlling and maintaining changes to network devices, either automatically or at the network administrator's request. The tasks of network configuration management are applying configuration changes, collecting configuration history, creating configuration backups and restoring the configuration of network devices. Network configuration management software should provide a generic mechanism that can control any network device and simplify the configuration tasks, to reduce configuration errors on network devices.

Lan-Secure Network Configuration Management Software has the perfect solution for any network device configuration, using the generic SNMPv1/2 or the secured SNMPv3 protocol to collect network device configuration. The easy-to-use software provides an integral mechanism for all network configuration management tasks and supports a network environment of any size.

Network Configuration Collection
Provides automatic and manual options for collecting configuration from any network device. Tools provided by equipment vendors are not good enough, because most networks use several vendors and types of network devices, such as switches, routers, firewalls and others. Using the generic SNMPv1/2 or secured SNMPv3 protocols can provide a central network configuration management system for the whole organization.

Network Configuration Changes
Provides automatic and manual options for changing the configuration of a specific network device, or as a bulk operation on several devices. The previous network configuration settings are stored for historical analysis or reuse, and the new configuration becomes the current device configuration. The change operation is logged and saved under the name of the submitter of the new configuration, for tracking.

Network Configuration Backup
Creates a duplicate of the configuration of all network devices, including all configurable values found on each network device. The backup process can be automated for specific dates and times or created on user request. The backup should include incremental and differential configuration settings for each network device.

Network Configuration Restore
Sets a currently stored configuration on a specific device, in case of malfunctioning equipment or for analyzing a specific networking issue that involves previous configuration settings. The restore operation is audited and logged under the name of the restore issuer, for historical analysis.

Network Configuration Actions
There are situations in which a specific action is needed when collecting the network configuration of a specific device, upon discovery of a configuration change or value. The actions should alert the configuration management team about the changes or values discovered, either by sending an email or a trap, by running a specific executable command, or by fixing a specific configuration value. Adding actions to the network configuration management system can alert about, or fix, faulty equipment configuration before it causes severe damage to the network.

Conclusion
Since networks of any size are constantly exposed to configuration changes, and a faulty configuration on live equipment can have devastating effects on network reliability and services, using the above network configuration management tasks as the main configuration tool in any network environment can help network administrators save time and reduce errors while keeping the network performant and stable.

Windows syslog root cause analysis

Syslog is a standard protocol for sending and receiving logging messages from network devices and computer applications. It is typically used by management systems and for security auditing, and since it is supported on a wide variety of devices it is commonly used to integrate logging information from many different types of systems into a central repository. When collecting syslog events into a central repository in large IT networks, a huge number of syslog events can be received from the network, and in that case there is a major need for root cause correlation analysis across all collected events.

Lan-Secure Windows Syslog Monitor Server Daemon has the perfect solution for handling large numbers of syslog events, using a powerful monitoring engine and proven correlation techniques. The easy-to-use software provides several syslog root cause correlation analysis reports that can correlate any number of syslog messages to a specific root cause event.

Host Correlation Report
The host correlation report provides correlation between specific host addresses. This report displays an aggregation of all messages from each host address, including the time, priority and text message of the events.

Message Correlation Report
The message correlation report provides correlation between specific textual messages. This report displays an aggregation of all text messages that were sent, including the time, priority and host address of the events.

Priority Correlation Report
The priority correlation report provides correlation between specific message priorities. This report displays an aggregation of all message priorities that were sent, including the time, host address and text message of the events.

Time and Date Correlation Report
The time and date correlation report provides correlation over a specific time frame of the currently collected events. This report displays an aggregation of all events received in the selected time and date range, including the priority, host address and text message of the events.

Conclusion
Using the above correlation techniques can help network management administrators and IT network analysts deal with large numbers of syslog events and figure out which host address created a specific root cause event. Collecting and analyzing syslog events regularly can alert about potential malfunctions before they cause severe damage to IT networks.
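The four reports above, as an added Python example that is not code from the article or from the Lan-Secure product: it parses constructed RFC 3164 style sample lines, builds the host, message, priority and time window aggregations, and picks a root cause candidate as the first event of the densest time burst. The year is an assumption, since syslog timestamps carry none.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# RFC 3164 style lines "<PRI>Mmm dd hh:mm:ss host message", where PRI = facility * 8 + severity.
_LINE_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample events: two switches lose a link, a server loses its SSH session, then recovery.
SAMPLE_EVENTS = """<188>Mar 10 08:01:02 switch1 %LINK-3-UPDOWN: Interface Gi1/0/24, changed state to down
<188>Mar 10 08:01:03 switch2 %LINK-3-UPDOWN: Interface Gi1/0/24, changed state to down
<190>Mar 10 08:01:05 switch1 %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi1/0/24, changed state to down
<35>Mar 10 08:01:06 server1 sshd: Connection lost to 10.0.0.5
<188>Mar 10 08:04:30 switch1 %LINK-3-UPDOWN: Interface Gi1/0/24, changed state to up
<38>Mar 10 08:04:31 server1 sshd: Accepted publickey for admin from 10.0.0.5"""


def parse_event(line, year=2024):
    """Split one syslog line into its fields; the year is assumed because syslog timestamps carry none."""
    m = _LINE_RE.match(line)
    if not m:
        return None  # malformed line: keep it out of the reports rather than guessing
    pri = int(m.group(1))
    stamp = " ".join(m.group(2).split())  # collapse "Mar  5" style day padding
    return {"time": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
            "facility": pri // 8, "severity": pri % 8, "host": m.group(3), "message": m.group(4)}


def load_events(text):
    return [e for e in (parse_event(l) for l in text.splitlines()) if e]


def host_report(events):
    """Host correlation: every event of each host address with time, priority and text."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_host[e["host"]].append((e["time"], SEVERITY_NAMES[e["severity"]], e["message"]))
    return dict(by_host)


def message_report(events):
    """Message correlation: the same text (numbers masked) seen on several hosts is grouped together."""
    by_msg = defaultdict(list)
    for e in events:
        by_msg[re.sub(r"\d+", "#", e["message"])].append((e["time"], SEVERITY_NAMES[e["severity"]], e["host"]))
    return dict(by_msg)


def priority_report(events):
    """Priority correlation: how many events were sent at each severity."""
    return Counter(SEVERITY_NAMES[e["severity"]] for e in events)


def time_window_report(events, start, end):
    """Time and date correlation: events received between start and end (inclusive), in order."""
    return [(SEVERITY_NAMES[e["severity"]], e["host"], e["message"])
            for e in sorted(events, key=lambda e: e["time"]) if start <= e["time"] <= end]


def root_cause_candidate(events, window_seconds=10):
    """The earliest event of the densest burst: later events inside the window are its likely consequences."""
    ordered = sorted(events, key=lambda e: e["time"])
    best, best_count = None, 0
    for i, e in enumerate(ordered):
        count = sum(1 for f in ordered[i:] if (f["time"] - e["time"]).total_seconds() <= window_seconds)
        if count > best_count:
            best, best_count = e, count
    return best


if __name__ == "__main__":
    events = load_events(SAMPLE_EVENTS)
    print(priority_report(events))
    rc = root_cause_candidate(events)
    print("root cause candidate:", rc["time"], rc["host"], rc["message"])
```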

Network topology using Visio 2007

Using visual diagrams of network assets for management and maintenance can improve the stability and performance of enterprise networks, as well as build a network design information base. But keeping the network topology up to date can be a frustrating task that requires daily maintenance and human resources. Using Visio 2007, which integrates the visual display with a network topology database, can make this task quite easy.

Integrating network topology database
There are some nice tools on the net that provide network and equipment topology. Some of them provide database export capabilities, like Lan-Secure Switch Center and Lan-Secure Security Center. The Visio 2007 link data to shapes capability provides database information for the diagram's visual shapes, including asset equipment and asset connectors. The Visio 2007 database link feature enables importing data from several sources, including a Microsoft Access database and a SQL database. These capabilities, integrated with a topology database, create a complete network topology diagram that can be maintained and updated automatically using a simple script.

Visio database integration script
The following Visio 2007 database integration script visualizes network component assets from the selected database information and creates the physical connections between them. For simplicity, the script uses a Microsoft Access database or a SQL database and two record sets, one for the component shapes and one for the physical connectors, which need to be filled in using the appropriate query string for the structure of the selected database.

VBScript (should be copied and saved as a .vbs file after replacing the bracketed information):
'Select database provider connect string (keep exactly one Const active and replace the bracketed values)
Const dbProvider = "Driver={Microsoft Access Driver (*.mdb)};DBQ=[Database File (*.mdb)];"
'Const dbProvider = "Driver={SQL Server};SERVER=[Server Name];DATABASE=[Database Name];"

'Add new visio page
Set visioApplication = WScript.CreateObject("Visio.Application")
Set visioPeriphDoc = visioApplication.Documents.Open("PERIPH_M.VSS") 'Peripherals stencil with the Server master
Set visioDocument = visioApplication.Documents.Add("")
Set visioPage = visioDocument.Pages(1)

'Load database to visio (the first column of each query is used as the shape or connector label)
Set Shapes = visioDocument.DataRecordsets.Add(dbProvider, "[Database shapes query string]", 0, "Shapes")
Set Connectors = visioDocument.DataRecordsets.Add(dbProvider, "[Database connectors query string]", 0, "Connectors")

'Set shapes: drop one linked master per data row and keep the dropped shapes in an array
shapesIndex = 0
ReDim shapesArray(shapesIndex)
Set server = visioPeriphDoc.Masters("Server")
Set shapesRecordset = visioDocument.DataRecordsets(1)
shapesIDs = shapesRecordset.GetDataRowIDs("")
For shapesRow = LBound(shapesIDs) To UBound(shapesIDs)
    rowID = shapesIDs(shapesRow) 'Use the row ID reported by Visio rather than assuming sequential IDs
    Set shapesArray(shapesIndex) = visioPage.DropLinked(server, 0, 0, shapesRecordset.ID, rowID, False)
    shapeData = shapesRecordset.GetRowData(rowID)
    shapesArray(shapesIndex).Text = shapeData(0)
    shapesIndex = shapesIndex + 1
    ReDim Preserve shapesArray(shapesIndex)
Next

'Set connectors: glue a connector between the parent and child shape of each data row
Set connectorsRecordset = visioDocument.DataRecordsets(2)
connectorsIDs = connectorsRecordset.GetDataRowIDs("")
For connectorsRow = LBound(connectorsIDs) To UBound(connectorsIDs)
    connectorData = connectorsRecordset.GetRowData(connectorsIDs(connectorsRow))
    Set connector = visioPage.Drop(visioApplication.ConnectorToolDataObject, 1, 1)
    connector.Text = connectorData(0)
    childIndex = 0 'Search appropriate index from shapes array (lookup depends on the connectors query columns)
    parentIndex = 0 'Search appropriate index from shapes array (lookup depends on the connectors query columns)
    Set parentConnector = shapesArray(parentIndex).Cells("Connections.X1")
    Set childConnector = shapesArray(childIndex).Cells("Connections.X1")
    connector.Cells("BeginX").GlueTo parentConnector
    connector.Cells("EndX").GlueTo childConnector
    shapesArray(parentIndex).BringToFront
    shapesArray(childIndex).BringToFront
Next

'Set layout
visioApplication.ActiveWindow.DeselectAll
visioPeriphDoc.Close
visioPage.Layout

USB detection using WMI script

USB flash drives are very common and can be found in almost every computerized environment, for storing and transferring data between computers. These USB devices make it really easy for a potential attacker to compromise unprotected computers with malicious virus and Trojan software and to provide a gateway into the network for manipulating sensitive data.

Detecting USB storage devices
There are some nice tools on the net that will notify about USB devices on local and remote Windows platforms. But most of them are not free and require installing an agent on the remote Windows platforms. Using the preinstalled Windows Management Instrumentation (WMI) on Windows platforms is free and does not require any remote agent. It only requires a simple script that can be run manually from a privileged user account or from other network monitoring software, like the Lan-Secure Security Center and Lan-Secure Switch Center Protector network security scanners.

WMI notification event script
The following USB notification event script sends an event message in response to any operation of a USB device on a local or remote Windows platform. For simplicity, the script uses a temporary event subscription, which exists only as long as the script is running. Some modifications would be needed for a permanent event subscription that does not require a perpetually running script:

VBScript (should be copied and saved as a .vbs file):
strComputer = "." '(Any computer name or address)
Set wmi = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
'Subscribe to creation, deletion and modification events of USB mass storage PnP entities, polled every second
Set wmiEvent = wmi.ExecNotificationQuery("select * from __InstanceOperationEvent within 1 where TargetInstance ISA 'Win32_PnPEntity' and TargetInstance.Description='USB Mass Storage Device'")
While True
    Set usb = wmiEvent.NextEvent() 'Blocks until the next matching event arrives
    Select Case usb.Path_.Class
        Case "__InstanceCreationEvent": WScript.Echo "USB device found"
        Case "__InstanceDeletionEvent": WScript.Echo "USB device removed"
        Case "__InstanceModificationEvent": WScript.Echo "USB device modified"
    End Select
Wend

JScript (should be copied and saved as a .js file):
var strComputer = "."; //(Any computer name or address)
var wmi = GetObject("winmgmts:\\\\" + strComputer + "\\root\\cimv2");
// Subscribe to creation, deletion and modification events of USB mass storage PnP entities, polled every second
var wmiEvent = wmi.ExecNotificationQuery("select * from __InstanceOperationEvent within 1 where TargetInstance ISA 'Win32_PnPEntity' and TargetInstance.Description='USB Mass Storage Device'");
while (true) {
    var usb = wmiEvent.NextEvent(); // Blocks until the next matching event arrives
    switch (usb.Path_.Class) {
        case "__InstanceCreationEvent":
            WScript.Echo("USB device found");
            break;
        case "__InstanceDeletionEvent":
            WScript.Echo("USB device removed");
            break;
        case "__InstanceModificationEvent":
            WScript.Echo("USB device modified");
            break;
    }
}

MAC spoofing using windows platform

Every Network Interface Card (NIC) on any platform has a unique MAC address that is used to access Ethernet networks. The MAC address is hard coded by the network card manufacturer, and many security systems use it as a platform identity for network access permission. Using the MAC address of a platform that has network permission rights, instead of the original address, by an intruder or malicious software is called MAC spoofing.

MAC address network access control
MAC address spoofing is quite an easy task for a potential intruder, especially when using the MAC address of network nodes that are inactive most of the time, like network printers and networking time and attendance systems. This is the main reason not to use MAC address protection as the single network access control (NAC) mechanism, but to combine multiple protection methods to create safe and reliable security protection, like the Lan-Secure Security Center and Lan-Secure Switch Center Protector network security scanners.

MAC address spoofing
There are some nice tools and drivers on the net that will change the MAC address of a specific platform to any other MAC address. But it can be done easily on any Windows platform using the built-in Windows registry editor. Here are the steps needed to change a Windows platform's MAC address and gain access to the network as another platform's MAC address:

Changing MAC address
1. Open the Windows registry editor by clicking the Start button, selecting the Run command and typing “RegEdit”.
2. Open the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}.
3. Select the appropriate network card subkey by viewing the data in its DriverDesc value.
4. In the network card subkey, create a new String Value named NetworkAddress and set its data to the preferred MAC address as 12 hexadecimal characters in a row.
5. Reset the network card adapter by disabling and enabling the card from the Windows Network Connections control panel.
6. Use the IpConfig /all Windows command to verify the new network card MAC address.

Clearing MAC address
1. Open the Windows registry editor by clicking the Start button, selecting the Run command and typing “RegEdit”.
2. Open the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}.
3. Select the appropriate network card subkey by viewing the data in its DriverDesc value.
4. Delete the String Value named NetworkAddress.
5. Reset the network card adapter by disabling and enabling the card from the Windows Network Connections control panel.
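As an added defensive example, not part of the original article: since a NetworkAddress value under the class key above is the only trace the change leaves in the registry, an administrator can audit a registry export of that key (reg export of the class key to a .reg file) and list every adapter with an override set. The .reg text below is a constructed sample.

```python
import re

CLASS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}"

# Constructed sample of what a .reg export of CLASS_KEY looks like (values trimmed to what matters here).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001]
"DriverDesc"="Sample Gigabit Ethernet Adapter"
"NetCfgInstanceId"="{11111111-2222-3333-4444-555555555555}"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0002]
"DriverDesc"="Sample Wireless Adapter"
"NetworkAddress"="001122aabbcc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0003]
"DriverDesc"="Sample USB Ethernet Adapter"
"NetworkAddress"=""
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # REG_SZ values only; other types are not needed here


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: string_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).replace(r"\\", "\\")  # .reg escapes backslashes
    return keys


def find_mac_overrides(reg_text, class_key=CLASS_KEY):
    """Return [(subkey, DriverDesc, NetworkAddress)] for every adapter subkey with a non-empty override.

    Empty NetworkAddress strings are skipped: there is no override address to report for them.
    """
    overrides = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().startswith(class_key.lower() + "\\"):
            continue  # only the adapter subkeys under the network class key are of interest
        addr = values.get("NetworkAddress", "").strip()
        if addr:
            subkey = key[len(class_key) + 1:]
            overrides.append((subkey, values.get("DriverDesc", "?"), addr.lower()))
    return overrides


if __name__ == "__main__":
    for subkey, desc, addr in find_mac_overrides(SAMPLE_REG):
        print(f"adapter subkey {subkey} ({desc}) has NetworkAddress override {addr}")
```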

SNMP management of Ten Giga ports

Using SNMP is the ideal way to manage network performance and traffic. There are also some great tools on the net that help do it easily, like the Lan-Secure Switch Center multi-vendor switch port scanner network monitoring software. Whether doing it manually or using any preferred tool, the exact port speed is required to obtain accurate performance and traffic results.

SNMP standard port or interface speed
The standard SNMP port or interface speed can be resolved using the MIB-II interface speed query (1.3.6.1.2.1.2.2.1.5). Using this query with the SNMP Get command and the interface index returns the speed of that specific interface. Using it with the SNMP Get Next command returns the speed of all the interfaces that exist on the queried device. The value returned by the query is the interface bandwidth in bits per second.

SNMP speed of Ten Giga port or interface
Using the standard SNMP interface speed query on a Ten Giga port returns a value of 4294967295 bits per second. This value is the maximum that the standard SNMP query can hold for any device interface, about 4.3 Gbits per second. Using this speed to manage the performance and traffic of Ten Giga ports returns false and inaccurate results.

SNMP high speed port or interface
The solution to the Ten Giga port speed problem described above is to use the MIB-II interface high speed query (1.3.6.1.2.1.31.1.1.1.15). This query returns the interface bandwidth in units of 1,000,000 bits per second. Replacing the standard speed query with the high speed interface query works for almost all SNMP devices that support Ten Giga ports and provides accurate performance and traffic results.
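The speed resolution described above, as an added Python example that is not code from the article or from the Lan-Secure product: the two OIDs are the ones named in the text, the "walk" is a constructed dict standing in for a real Get Next result, and the last function shows how the saturated 4294967295 value turns a fully loaded Ten Giga port into an impossible utilization figure.

```python
IF_SPEED_OID = "1.3.6.1.2.1.2.2.1.5"           # MIB-II ifSpeed: bits per second, 32-bit gauge
IF_HIGH_SPEED_OID = "1.3.6.1.2.1.31.1.1.1.15"  # IF-MIB ifHighSpeed: units of 1,000,000 bits per second
IF_SPEED_MAX = 4294967295                      # the largest value the 32-bit ifSpeed gauge can hold

# Constructed sample of an SNMP Get Next walk over both columns, as a dict of OID -> value.
SAMPLE_WALK = {
    f"{IF_SPEED_OID}.1": 1000000000, f"{IF_HIGH_SPEED_OID}.1": 1000,   # 1 Gbps port
    f"{IF_SPEED_OID}.2": 4294967295, f"{IF_HIGH_SPEED_OID}.2": 10000,  # Ten Giga port
    f"{IF_SPEED_OID}.3": 100000000,  f"{IF_HIGH_SPEED_OID}.3": 100,    # 100 Mbps port
    f"{IF_SPEED_OID}.4": 4294967295,                                   # Ten Giga port, device without ifHighSpeed
}


def interface_speed_bps(if_speed, if_high_speed=None):
    """Resolve the real interface bandwidth in bits per second.

    ifHighSpeed is preferred whenever the device returns a non-zero value (zero means below 1 Mbps,
    so ifSpeed is used then). ifSpeed is trusted only below the 32-bit maximum, because a saturated
    gauge means "at least 4.3 Gbps", not an actual speed. Returns None when the speed is unknown.
    """
    if if_high_speed:
        return if_high_speed * 1_000_000
    if if_speed is not None and if_speed < IF_SPEED_MAX:
        return if_speed
    return None


def walk_speeds(walk):
    """Map every ifIndex found in the walk to its resolved speed (None when it cannot be determined)."""
    indexes = {int(oid.rsplit(".", 1)[1]) for oid in walk if oid.startswith(IF_SPEED_OID + ".")}
    return {i: interface_speed_bps(walk.get(f"{IF_SPEED_OID}.{i}"), walk.get(f"{IF_HIGH_SPEED_OID}.{i}"))
            for i in sorted(indexes)}


def utilization_percent(octets_delta, seconds, speed_bps):
    """Link utilization over one polling interval; octet counters count bytes, hence the factor 8."""
    return octets_delta * 8 * 100.0 / (speed_bps * seconds)


if __name__ == "__main__":
    speeds = walk_speeds(SAMPLE_WALK)
    print(speeds)
    # A fully loaded Ten Giga port moves 1,250,000,000 bytes per second:
    print("with ifHighSpeed:", utilization_percent(1_250_000_000, 1, speeds[2]), "%")
    print("with saturated ifSpeed:", utilization_percent(1_250_000_000, 1, IF_SPEED_MAX), "%")
```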

Welcome to Lan-Secure Blog

Lan-Secure blog provides network security and management knowledge base information, including technical articles on how to improve network efficiency and reliability.