Archive for the ‘Network Niblets’ Category

Default Gateway vs Default Route
Last Updated on Monday, 30 November 2009 10:25
Written by jj
Monday, November 30th, 2009

This is the latest article from our company’s “Dear John” column, where my Dad answers questions from customers, readers and partners. Yes, I said my Dad – he taught me everything I know and, while I can’t get him to write regularly on a blog, I’ll certainly share any public articles he puts out for you to enjoy ;)

I thought this was well worth sharing. So often we see misconfigured devices at customer sites- one of the most frequent being the improper use of default gateway configurations versus default routes. I’ve probably spent ten hours just in the past couple of weeks explaining this concept to various clients.

Dear John: Default Gateway vs. Default Route?
Excerpt from a column by John Jabbusch, CAD, Inc.
Carolina Advanced Digital, Inc. November 2009 Newsletter

Q: When should I use a default gateway instead of a default route?

A:  Based upon the source and nature of the question, I am proceeding with the assumption that the question was made in reference to network switches. The short answer is that a default gateway typically is used to direct traffic destined for a “foreign” network (i.e. a network other than the one to which the switch belongs) off the switch to a “gateway” device on the same network as the switch.

A switch that does not perform routing will use a default gateway. On an HP ProCurve switch from the global configuration context the command would look like ip default-gateway

On a switch that contains addresses that reside in two or more networks (meaning VLANs with IP addresses), the switch is almost universally routing at least between the internal VLANs and most likely routing between the “next hop” device and the switch VLAN directly connected to that device. A switch (or really any device) that is routing will need to specify the “gateway address” as a default route. Again, on an HP ProCurve switch from the global configuration context this would be something like ip route

[I have abridged the answer here to comply with space requirements for the newsletter and so there is more to this topic than I have provided here, such as what effect there is upon route tables and route propagation, but those things are beyond the scope of this short forum. -John]

# # #

Friday Fun: The Day the Routers Died
Last Updated on Friday, 22 May 2009 03:16
Written by jj
Friday, May 22nd, 2009

I was just digging through my inbox (which I’ve successfully trimmed to 36 emails) and found a link from a year ago from my Dad…

If you work in networking, this is beyond hilarious, listen to the lyrics for full enjoyment.

And if you want to sing along, you can read the lyrics here


Happy Friday!

# # #

Your 3 Favorite Linux Commands?
Last Updated on Thursday, 31 July 2008 09:35
Written by JJ
Friday, July 25th, 2008

Here’s a fun Friday post…

Some of you may know I’ve been preparing to brush up on my *nix skills. A couple of our new solutions are running on Linux platforms and I feel compelled to understand any platform I’m working with inside and out… I know, it’s a bit OCD.

But to be honest, I haven’t really touched a Linux platform for about 10 years, since I was one of the three students running the Sun network over at NCSSM. I still remember the humorous ‘root’ ‘of all evil’ admin name that we used and the password, iaceo (in mixed caps), which was a Latin word for (I think) to lie dead. (Please correct me if you know what it means).  When you’re 17, these things are amusing.

I’ve kept my ls-ing and cd-ing over the years, but will be brushing up on the grep-ing and tail-ing ;)

So with any system, I think we all have our favourite commands that we use daily and are part of our daily arsenal. I’m working out mine but wanted to hear from you…

What are your 3 favorite Linux commands?

And is there 1 obscure one you really love (or hate)?


# # #

‘The’ DNS Issue of 2008
Last Updated on Thursday, 31 July 2008 09:22
Written by JJ
Thursday, July 10th, 2008

It’s been a day since the public announcement, so by now you’ve probably heard about the DNS issue. The bug was found earlier this year, but the discoverer (Dan Kaminsky) and team worked fervently with leaders of the technology industry to create patches for all platforms before the big announcement. And- kudos to them all for keeping zipped lips until the problem could be contained (despite all the heckling and harassing).

You can find out a little more right now– I’m including some links below for you to read more.

If you don’t know what DNS is or why you care, see the bottom of this post for a little background info.

As for the real deal on disclosure– you’ll have to wait for Black Hat in August. I’ll be there, along with other members of the Security Bloggers Network (a (non-exclusive but highly visible and well-respected) security bloggers channel for Black Hat and RSA). I’m sure you’ll see *plenty* of post-Black Hat blogs, tweets and podcasts recapping the story.

Hear the buzz…


What is a DNS Server? DNS are servers throughout the Internet (and inside networks) that resolve domain names (ie to the IP address of the hosting server. The idea is, if you can trick a DNS server, your request for may just take you to a malicious site where you’ll be immediately infected with a virus, malware or other undesirable creepy Internet-bred monster. They’ve found a bug that could be exploited to do just that.

What do we do? It’s not the end of the world. For now, know that almost all DNS servers need to have a patch installed to protect them from this vulnerability. It’s pretty universal and every manufacturer is on board and offering a patch as of yesterday, July 8th.

# # #

Logging, Correlation and IT Search: An Analogy
Last Updated on Monday, 21 July 2008 11:44
Written by JJ
Friday, June 6th, 2008

We were having some in-house training the other day and trying to demonstrate and explain the value of IT logging, event correlation and IT search functions to non-technical folk. Unfortunately, I think the data being used was unfamiliar and made it difficult to get the point across of what we can do with these tools and why we like them. Everyone was caught up in the whole “what does that src mean” and “what IP address is that” etc.

Sometimes I’m the queen of analogies (likely a trait I inherited from my Dad). Quite often my analogies are pretty silly, but they almost always get the point across.

So I was trying to work out an analogy to explain how we can use logs, events and searching and why these are advantageous. I was in the shower and it hit me! And… here it is.  FYI– If you’re a techie, just stop reading now… (I warned you).

The analogy. Imagine a house… actually, imagine your house. Let’s say that your house is like a network. The house and all the major appliances and structures of the house are like infrastructure devices- switches and servers, for example. Of course, the people living in your house are users. In addition you have ‘gateways’ from your house to the outside world, in the form of doors, windows, vents, etc. These house gateways are like our WAN devices- firewalls, IDS/IPS and other gateway appliances.

Let’s say you live in the house with your spouse and family. You’re going to be the wife for now, so imagine you, your husband, three kids and a dog (only because that amuses me). Each of your house users has a key to get in.

Your major appliances- the TVs, refrigerator, oven, the family computers and alarm system are all creating logs when anything happens and they’re all giving their logs to the toaster. (The toaster is greatly underappreciated so I’m giving him a big role here- yes- your toaster is the Syslog server). The doors, windows and other ‘portals’ to the outside are also creating events and logging each time they’re opened, closed, locked or broken and, they too, are sending their info to the toaster.

Here’s where life in your house gets interesting. Let’s figure out what’s normal… it’s probably normal for your husband to come home, do some work on the computer while you cook, and then everyone watch TV. The kids are doing their homework, playing on the computer and probably rummaging around the fridge for an after-school snack. You see your syslogging toaster shows you…  

  • the src= Refrigerator was opened multiple times in a short period of time between 3:43pm and 4:16pm by multiple users
  • the src= Kids Computer was logged off the Internet at 4:30 by user: Kid2
  • the src= Front Door was opened at 5:20pm by user: Husband
  • the src= Oven was turned on Bake at 350 at 5:32pm by user: You
  • the src= LivingRoom TV was turned on at 5:56pm by user: Husband
  • the src= LivingRoom TV channel was modified multiple times in a short period of time between 5:56pm and 6:02pm (your husband was probably looking for the ball game)

These are all things you expect to see. So, what’s not normal? Some things your toaster may tell you that would be out of the ordinary…

  • the src= Refrigerator was opened at 02:40am by user: Kid1
    What does this mean? Someone’s late-night snacking, no big deal.
  • the src= Kids Computer was logged onto the Internet at 02:45am by user: Kid1
    Uh-oh, Kid1 is gallivanting on the Internet in the middle of the night un-chaperoned. Might need to check that out.
  • the src= Front Door was attempted to be opened unsuccessfully 14 times in a short period of time beginning at 10:15am by user: UNKNOWN. The toaster logged the key code attempts tried by user UNKNOWN.
    Kids were at school, you were at work- someone’s trying to break in.
  • the src= Front Door was opened the next day at 1:20pm by user: ROOT
    You were still not home- someone just broke into your house.

Maybe we want to be alerted when these things are happening, or have happened. With some log search and correlation tools, in conjunction with your toaster syslog, we can get immediate alerts when something unexpected is happening. We could tell the log search to keep talking to the toaster and immediately send us a text message if the toaster sees the front door or any windows being accessed between 09:00am and 3:00pm on any weekday, by any user. If the toaster saw something happening, we would know immediately and could take appropriate actions- maybe call the police to notify them of a break-in.
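The two alerts described above (any door or window event on a weekday between 09:00am and 3:00pm, and a burst of failed front-door attempts) can be written as simple rules over the toaster's log. This is an added example, not part of the original post: the log line format, the function names and the 10-minute burst window are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample "toaster" log in a made-up key=value format (not from the post).
_t0 = datetime(2008, 6, 4, 10, 15)  # a Wednesday
SAMPLE_LOG = "\n".join(
    ['2008-06-03T15:43:10 src="Refrigerator" action=opened user=Kid2',
     '2008-06-03T17:20:00 src="Front Door" action=opened user=Husband',
     '2008-06-04T02:40:00 src="Refrigerator" action=opened user=Kid1']
    + [f'{(_t0 + timedelta(seconds=20 * i)).isoformat()} src="Front Door" '
       f'action=open_failed user=UNKNOWN' for i in range(14)]
    + ['2008-06-05T13:20:00 src="Front Door" action=opened user=ROOT',     # Thursday
       '2008-06-07T11:00:00 src="Kitchen Window" action=opened user=You'])  # Saturday

LINE = re.compile(r'(?P<ts>\S+) src="(?P<src>[^"]+)" action=(?P<action>\S+) user=(?P<user>\S+)')

def parse(text):
    """Turn log lines into event dicts sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.fullmatch(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def daytime_portal_alerts(events, start=time(9, 0), end=time(15, 0)):
    """Every door/window event on Mon-Fri between start and end, by any user."""
    return [e for e in events
            if any(p in e["src"].lower() for p in ("door", "window"))
            and e["ts"].weekday() < 5 and start <= e["ts"].time() <= end]

def failed_burst_alerts(events, threshold=14, window=timedelta(minutes=10)):
    """One (src, user, first_ts) per src/user pair reaching threshold failures in window."""
    recent, fired, alerts = defaultdict(list), set(), []
    for e in events:
        if e["action"] != "open_failed":
            continue
        key = (e["src"], e["user"])
        # Slide the window: keep only failures close enough to this one.
        recent[key] = [t for t in recent[key] if e["ts"] - t <= window] + [e["ts"]]
        if len(recent[key]) >= threshold and key not in fired:
            fired.add(key)  # alert once per pair, not once per extra attempt
            alerts.append((*key, recent[key][0]))
    return alerts
```

The husband's 5:20pm arrival and the Saturday window event stay quiet, while the 14 failed attempts and the ROOT entry the next afternoon both fire.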

Now, back to the network. Now that you have an idea of how we can use logs and events in the house to identify what’s going on and spot abnormal activity, we can port that over to our network. Go back and again think of the house and its appliances as resources on the network. We can see when someone- inside or outside- is trying to or has successfully accessed something and we can alert, take action, or keep logs and reports for future use and accounting.

Replaying events. If you’re using a super-nifty tool, you may be able to replay specific events back in a visual format- almost like a video into the network. Let’s take our Kid1’s midnight snacking. If we replayed all the events that contained user= Kid1 from time 10:00pm (bedtime) to 07:00am (gettin’ up time) we could see Kid1 go from the bedroom down to the kitchen, opening the fridge, watching TV for a bit before going back to the room and surfing the Internet for an hour. We could actually ‘watch’ these events happening with a re-constructed timeline. A great example (and my favourite toy) to do this is Splunk’s Replay application.

That’s the basic gist of it all. There are some other detailed ‘things’ we can do with these technologies, and I may elaborate on those another time. We all have A.D.D. and this one is long enough already!

# # #
