
Archive for the ‘Tips & Tricks’ Category

Layered Security: Solving the Cube
Last Updated on Monday, 21 July 2008 11:50
Written by JJ
Sunday, May 4th, 2008

We always talk about ‘layered security’ and ‘defense in depth’ as strategies for securing the network. And, usually, we’re talking about these as good strategies. However, with more and more security ‘stuff’ on the market, the layered security solutions are starting to lose some of their value.

Why? Well, the problem with layered security is that we tend to assume if Layer X isn’t providing a particular protection, Layer Y must be… and we all know what assuming does.

In the good ol’ days, we relied on firewalls- perhaps nested firewalls, or ones positioned strategically on the LAN as well as the WAN. Because of our network architecture at the time, that was the primary (and probably only required) protection. After years of de-perimeterization and the increase of threats from both remote-access and insiders, we have a much different landscape.

The addition of resources and availability in the network has led to the addition of vulnerabilities and threats.

Now… our schools need to protect children from material online. Now… we need to stop Trojans from sneaking in with VoIP apps. We need to access our corporate network securely from Starbucks. Our corporations need to protect their network from users accessing or publishing illegal content on the Internet. We need to protect our email, make sure it’s virus-free and not allowing employees to send sensitive information to the outside world.

All these increased risks and threats lend to the need for more protection in the environment. There’s just no single silver bullet or cure-all for the problems we’re facing.

What does this mean? It means we’re adding security products to the network to address these issues. We need content filtering. We need layer-7 visibility on the WAN for inbound/outbound application control. We need data leakage prevention. We need email security. We need SSL-VPNs for secure remote access… the list goes on.

So, what’s the problem? We’re living in a world of security buzzwords and ‘hot topic’ solutions. But the problem is 2-fold.

Problem 1- We forget to KISS IT. In the frenzy to understand and implement these hot new products, we’re losing sight of some basic security functions and overlooking some really important security fundamentals. Remember to KISS IT and keep your basic security solutions simple- then layer on top of that. Your hot new NAC or DLP solution won’t seem so impressive if your basic firewall rules haven’t been properly configured.

Problem 2- We forget thy layers. After you KISS IT, you need to start layering responsibly. That means having a CLEAR understanding of what each solution does- or does not– do. You wouldn’t believe how many customers call and want to hear about Widget A for a certain solution that Widget A is not designed to fix. I deal with it daily and I blame (for the most part) vendors for mis-advertising their product as a fix-all. Whether it’s hardware or software- know what each piece of your security solution is designed to do, what it’s actually doing, and keep that information documented. Documented– I’m going to say it again. Your firewall/UTM may offer content filtering and gateway AV, but are you using it? Are you using a WAN optimization product to stop prohibited applications, or is your web filter doing that? Do you even know?

Solving the Cube. Layered security is like solving a Rubik’s Cube. You may think you’re on the right track after you get one side solved… but the other 5 are just a huge mess. There are patterns and algorithms you must follow to solve all sides together. Your layered security solution is no different. Understand what each piece is doing, how it fits in, and when to twist one layer here to implement a solution as part of a different layer over there.

# # #

Layer 1: Mr Bump and the Bad Wire
Last Updated on Tuesday, 12 August 2008 03:52
Written by JJ
Wednesday, March 19th, 2008

No, not a bad Mr Bump, or a bad Bump in the Wire… But one of the Bumpster’s recent posts brings about a good topic for mention- bad cable (or wire, as is more appropriate for his post).

In his friendly KISS-it note, he shares a story to remind us of our Layer 1 woes. I can’t TELL you how many times there’s a mystery problem… which almost always later surfaces as a physical dis-connect or mis-connect along the way.

In fact, just last night a certain someone called me from the road while setting up a demo… after hours of agony (and fixing some other issues) the final problem was- YEP- a cable in the wrong spot.

It’s something that happens to all of us- certainly nothing to be ashamed of. And it doesn’t always work out to be a misplaced cable… quite frequently we see bad cables, older cheap Cat 5 that’s not behaving well, home-made ends that corrode or break and even the occasional patching mis-match (see my previous post on 568A vs B).

Don’t we feel stupid after hours (or days) of puzzling, only to find out there’s a piece of metal, plastic or fiber to blame?

Here are a few Tips & Tricks to check Layer 1 and possibly eliminate frustration when you have your next ‘mystery’ problem:

  • Cable placement. Obvious one, but check and double-check, then have someone else check. It’s like proof-reading your own writing.
  • Cable REplacement. If you’re not sure- just replace the cable when possible with a known good. (Note the ‘known good’, I’ve seen batches of lemons more than once).
  • Ditch Home Mades. This little gem comes from my father- many years ago, he started noticing home-made cable ends (even those made with the BEST crimping tools) would eventually deteriorate. It may be fatigue, corrosion or little aliens- you can’t always be 100% sure of the cause, but it happens more often than not.
  • Don’t Bend It. If you are working with fiber, be nice to the fiber… wrap it gently in loose coils. Don’t bend it, squish it or let it get crimped in the cable management. You may know this, but others rummaging in your closet may not.
  • Check Negotiation. Hop in the switch or device interface and see what speed and duplex it auto-negotiated to. This culprit is probably a close 2nd behind finding bad cables.
  • Check Neighbors. A good way to dig around and investigate a possible Layer 1 issue is to jump back in that switch interface and do a show arp or show neighbors (clear old entries first) and see if what you think should be there is actually there. (Pings can work too, but it’s possible ICMP is disabled, so I prefer the former method personally.)
  • Check Patching Termination. Instead of repeating myself, I’ll direct you to the recent post on 568A vs B. You’ll usually see this when you upgrade from 10/100 to Gig.

Layer 1 is the FIRST thing we check for when doing a site survey or network migration plan. If you don’t get that one right, the others are sure to fail… which may take you to Layers 8 & 9… and as we know- we like to stay at 7 and below. ;)
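As an added example (not code from the original post), here is a small Python check for the ‘Check Negotiation’ tip above: it parses a constructed interface listing written in the style of a ProCurve show interfaces brief output and flags up ports that negotiated half duplex or below the port’s top speed. The column layout of the sample and the function names are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of a "show interfaces brief" listing.
# The column layout is an assumption for this example, not copied from a real switch.
SAMPLE_OUTPUT = """\
 Port   Type      Enabled Status Mode     MDI Mode Flow Ctrl
 ----   --------- ------- ------ -------- -------- ---------
 1      10/100TX  Yes     Up     100FDx   MDIX     off
 2      10/100TX  Yes     Up     100HDx   MDI      off
 3      100/1000T Yes     Up     1000FDx  Auto     off
 4      100/1000T Yes     Up     100FDx   Auto     off
 5      100/1000T Yes     Down   1000FDx  Auto     off
 6      100/1000T Yes     Up     10HDx    MDI      off
"""

# port, type, enabled, status, then a mode such as 1000FDx / 100HDx
LINE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(Yes|No)\s+(Up|Down)\s+(\d+)([FH])Dx\b")


@dataclass
class PortLink:
    port: str
    ptype: str
    up: bool
    speed_mbps: int
    full_duplex: bool


def parse_interfaces(text):
    """Turn the listing into PortLink records, skipping header and separator lines."""
    ports = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ports.append(PortLink(m.group(1), m.group(2), m.group(4) == "Up",
                              int(m.group(5)), m.group(6) == "F"))
    return ports


def max_speed(ptype):
    """Top speed a port type supports: "10/100TX" -> 100, "100/1000T" -> 1000."""
    return max(int(n) for n in re.findall(r"\d+", ptype))


def find_negotiation_problems(ports):
    """Return (port, reason) pairs for links that are up but negotiated below par."""
    problems = []
    for p in ports:
        if not p.up:
            continue  # a down port is a cable placement problem, not a negotiation one
        if not p.full_duplex:
            problems.append((p.port, f"half duplex at {p.speed_mbps} Mb/s"))
        elif p.speed_mbps < max_speed(p.ptype):
            problems.append((p.port, f"negotiated {p.speed_mbps} Mb/s on a {p.ptype} port"))
    return problems


if __name__ == "__main__":
    for port, reason in find_negotiation_problems(parse_interfaces(SAMPLE_OUTPUT)):
        print(f"port {port}: {reason}")
```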

# # #

What You Should Know: 568 A vs B
Last Updated on Tuesday, 12 August 2008 03:43
Written by JJ
Friday, February 15th, 2008

Why you need to know what your cabling standards are.

There are a few (okay, several) points of networking I’m working on understanding better. One of those is being able to succinctly explain to customers the difference between 568A and 568B and help determine which they’re using. I’m not at the point I can walk into a closet, glance at the patching, and tell you how it’s punched. I certainly don’t consider myself an expert on this (talk to your cabling provider) but here’s some good information to help you understand when it’s important, and what questions you should be asking.

So, to get started- what we have to understand is there are two ‘levels’ of the 568 cabling standard. The first ‘mothership’ 568 standard is the all-encompassing EIA/TIA 568-B Telecom Standard (2001). (FYI- TIA, Telecommunications Industry Association, is an association of the EIA, Electronics Industry Alliance).

Here’s where the A and B come in. Within the EIA/TIA 568-B Standard are a few pages dedicated to the pinouts, or Termination Standards – T568A and T568B which describe the pin/pair assignments for the cabling (Cat 3, 5, 6).

What’s the difference? Physically, pairs 2 & 3 (Green/Orange) are swapped. Functionally, because of the pair-swapping, the T568B is not backwards compatible with many legacy systems and telephony cabling. (FYI, 568B is not even recognized as a standard by several national telecom organizations).

Why does it matter? In addition to not being backwards compatible, connections terminated with differing standards on each end will not function properly (or at all). This is extremely important if you’re going to be moving from 100-T to 1000-T, since Gig uses all 4 pairs.

To sum it up: EIA/TIA 568-B is the overall telecom standard, and T568A is the recommended termination, or pin out.

If you’re already set up with T568B throughout, then it’s recommended you stick with that. All new implementations should go with T568A, and we recommend ANYONE upgrading from 100T to 1000T double-check the cabling standards in patch panels when planning an upgrade (it’s part of our Layer 1 checklist). You may be running 10/100 over mixed-ends and it’s working, but when you slap that new Gig switch in the rack you could get a nasty surprise if you’re not paying attention.
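As an added example (not from the original post), the Python below models the two pinouts and the ‘Gig uses all 4 pairs’ point: it confirms that T568A and T568B differ only in pair positions 2 and 3, and shows which pins a mismatch between the two ends of a link disturbs for 100BASE-TX versus 1000BASE-T. The BLUE_BROWN_SWAPPED termination is a constructed example, and the function names are mine.

```python
# Wire colour at pins 1..8 for each termination standard.
T568A = ["white/green", "green", "white/orange", "blue", "white/blue", "orange", "white/brown", "brown"]
T568B = ["white/orange", "orange", "white/green", "blue", "white/blue", "green", "white/brown", "brown"]

# Pin positions of the four twisted pairs (pair number -> pins).
PAIR_PINS = {1: (4, 5), 2: (1, 2), 3: (3, 6), 4: (7, 8)}

# Pins actually driven by each Ethernet flavour: 100BASE-TX uses two pairs, 1000BASE-T all four.
PINS_100BASE_TX = {1, 2, 3, 6}
PINS_1000BASE_T = {1, 2, 3, 4, 5, 6, 7, 8}


def identify(pinout):
    """Name the termination standard a pin-1..8 colour order follows, or None."""
    return {tuple(T568A): "T568A", tuple(T568B): "T568B"}.get(tuple(pinout))


def pair_of(pinout, pair_no):
    """Colour family (green, orange, blue, brown) sitting on a given pair position."""
    a, b = (pinout[p - 1] for p in PAIR_PINS[pair_no])
    fam_a, fam_b = a.split("/")[-1], b.split("/")[-1]
    if fam_a != fam_b:
        raise ValueError(f"pair position {pair_no} is split across colour families")
    return fam_a


def pairs_differing(end_1, end_2):
    """Pair positions whose colour family differs between the two ends of a link."""
    return {n for n in PAIR_PINS if pair_of(end_1, n) != pair_of(end_2, n)}


def mismatched_pins(end_1, end_2):
    """Pins whose wire colour differs between the two ends of a link."""
    return {p for p in range(1, 9) if end_1[p - 1] != end_2[p - 1]}


def affected(end_1, end_2, pins_used):
    """Mismatched pins that the given Ethernet flavour drives (empty set = link unaffected)."""
    return mismatched_pins(end_1, end_2) & pins_used


# Constructed example: pairs 2 and 3 follow T568A, but blue and brown are swapped.
# 10/100 never touches those pins, so the error only surfaces when moving to Gig.
BLUE_BROWN_SWAPPED = ["white/green", "green", "white/orange", "brown",
                      "white/brown", "orange", "white/blue", "blue"]

if __name__ == "__main__":
    print(pairs_differing(T568A, T568B))                         # {2, 3}
    print(affected(T568A, T568B, PINS_100BASE_TX))               # {1, 2, 3, 6}
    print(affected(T568A, BLUE_BROWN_SWAPPED, PINS_100BASE_TX))  # set()
    print(affected(T568A, BLUE_BROWN_SWAPPED, PINS_1000BASE_T))  # {4, 5, 7, 8}
```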

# # #

ProCurve PCM+ Quick Start Tips
Last Updated on Tuesday, 12 August 2008 03:35
Written by JJ
Wednesday, January 30th, 2008

Tips & Tricks: HP ProCurve PCM+ (ProCurve Manager Plus)

Occasionally I like to throw something useful out there- so here goes! Included are some tips and tricks for getting started with ProCurve’s PCM+. PCM is the management software for ProCurve Networking devices, switches, wireless and security. I’ll give you a brief overview of the available options and plug-ins at the end.

What to Install. When you install PCM+, other plug-ins are included in the install package, so you’ll be prompted to select which components to install. My advice- start with PCM+ only. Once you layer in the other plug-ins, the menus, options and views become intertwined and it’s hard to tell what’s a native PCM+ option, or something included in IDM, NIM or PMM (see end for plug-in details). If you’ve already purchased licenses for one or more of the others, go ahead and install them. Otherwise, load PCM+, get used to it, then add a plug-in. It’s the only way you’ll know if you want/need the additional features from the plug-in.

Selecting a Start From Device. When you first install PCM or PCM+, it will ask for a ‘start from’ device, which is exactly what it sounds like- it’s a starting or seed device from which the network sweep will start. Generally, you want something close to the ‘root’ of the network tree- something in the center. Most likely, you have a mixed environment, with other equipment in the WAN or core area of the network. In these cases, we suggest you use a start from device that’s the ProCurve device closest to the core/WAN area, even if it’s a hop or two out from what you consider your core. If the management server you’re loading PCM on is directly attached to a ProCurve switch, that’s another good place to start. You can change this setting later under Preferences if your first choice isn’t working well for you.

Connecting PCM to MyProCurve. You may have a reason you don’t want to do this, but barring that, I recommend customers select the option to link PCM+ to their MyProCurve account. MyProCurve provides some asset management and is how you download software and generate license keys for purchased software. If it’s linked to your PCM, it makes the transfer one step easier, keeps a correct inventory of your network devices and lets you set alerts when new software updates are available for your switch types.

Structure. Understanding the general structure will give you a good feel for where to find things. There are a variety of menus, each available in a variety of contexts. You can view information for a) the entire network, b) a group of switch series, c) a custom defined group, d) a specific switch and even e) a specific port (where applicable). If you’re looking for specific information, be sure you’re where you want to be in the left navigation pane- on the overview, on the group, or on a single switch.

Initial Configuration Scan. PCM will give you nice dashboard views of your switches at a glance, from the main dashboard, or a series of sub-boards. The information used for these tallies is incomplete until the device has undergone an initial Configuration Scan. Your pie charts may display unscanned switches as ‘other’. The Scan Device option is available from drop-down menus when you right click on device(s) and in the main tool menu (look for the wrench). You can set an optional comment for the scan- not required and not necessary for initial scans, but may be helpful when scanning after config changes. The Scan Device tool will pull down the current software version and all the configuration details. You can then see if all switches are up to current (or your preferred) firmware version and see a side by side comparison of the most recent configurations. You can perform a manual scan, or schedule scans for a single device or group of devices.

Network Map View. Click Network Map in the left navigation pane for an overall Network Map View. This view is a good ‘default view’ for checking out your network. Switches appear with green backgrounds when all is good. If you see yellow or red- you’ve got problems. When you’re in the Network Map view, you see the default option to the immediate left to view health based on Ping Status. If you have NIM loaded, you’ll see other security-related options in the drop down. In that same area, you can also select to view the switch connections based on other parameters, such as VLANs and link traffic. Other check boxes let you select to display labels for Port Numbers, Link Speed and Discovery Protocol (usually LLDP). Another nice option is the ‘save layout’ checkbox at the top of the screen. Use this to preserve your arrangement of switches in the view. (Note, each view will have its own saved version).

Checking Out the Switches. The best screens to start familiarizing yourself with PCM and the switch views would be under the device Dashboard tab. Dashboards are available in several contexts; your PCM main dashboard displays a variety of network information (and security details if NIM is installed). To view details for a particular switch, click on the switch (IP/name) in the left navigation pane and view the Dashboard tab. The main screen here will give you basic switch info: the friendly name you assigned it, its IP, serial number, firmware, etc. At the bottom of the Dashboard, you’ll see a generic photo of the switch model. You can click on this photo to connect directly to the switch’s Web GUI interface in a browser window. In that photo area in the PCM Dashboard is also a ‘Live View’ tab. Click this tab for a current look at active ports and an overview of which are drawing PoE. You can click on ports to view the assigned port name and properties. Note, the Live View requires Java, so if the image doesn’t display that’s the first thing to check.

VLAN Views. It’s easy to miss an uplink tag here or there along the way. A great way to check your VLANs at a glance is to use the Network Map > VLANs view. You can select an individual VLAN and look for any inter-switch links missing. There’s also a tab available at the top for Port Properties- which will show you all the tagged and untagged ports in that VLAN. A great troubleshooting tool if you have multiple VLANs and several switches.

Using Find Neighbors Of. I love the Find Neighbors tool- look for the binoculars icon. This lets you enter an IP or MAC address and find directly connected devices- whether they’re other switches, servers, desktops or other devices (APs, Phones, etc). It’s an easy way to view the connected devices, or map edge ports, such as servers, on a switch. The results will give you (among other things), port number, IP and DNS name (if applicable).

Traffic Views. Use the traffic views, either for the entire network under the main dashboards, or for a specific switch or group, to track down Ports Behaving Badly (maybe Ports Gone Wild?). Either way, it’s a great troubleshooting tool for finding traffic problems, oversubscribed links and even chatty NICs. You can drill down to specific ports and get some very detailed information on Tx, Rx and types of traffic- broadcast, multicast, protocol and such.

Managing from Your Desktop. PCM+ comes with a desktop agent that can be installed to operate PCM+ from your desktop (vs the server it’s installed on). Many customers choose to RDP into the server, but that’s not always the most reasonable solution, especially if multiple users are accessing PCM. Installing the desktop agent is easy- you simply download it by browsing to the secure web GUI. There is a trick though- you need to add your desktop to the list of allowed management PCs in PCM+. This is done in a basic text file (.txt) located in the PCM+ directory. Think of it as an allowed managers IP list on a switch. 

Troubleshooting. Software is never perfect. If you get pages hanging, you might try to just close and restart PCM+. If you start PCM+ and it “can’t find the PCM Server”, stop and restart the PCM-related services in Windows. If it appears new devices aren’t appearing or updating, go to Preferences > Discovery and stop, then start each of the discovery methods. If your switches aren’t connected in the Network Map, there are probably non-ProCurve devices between them that are hindering the discovery protocol(s) (i.e. ICMP may be turned off).


Plug-ins for PCM+. There are some pretty nifty options available for PCM+. All the software add-ins from ProCurve run as plug-ins to PCM+, offering a ‘single pane of glass’ view for network management. I’m giving you the 20-second drive-by version of each- feel free to find more at ProCurve’s site.

I’ll start with my favourite- Network Immunity Manager (NIM), which is a security add-in that collects and uses sFlow data for a network-wide analysis of traffic to identify anomalous behaviour and actually take action at the port level. NIM can also interact with 3rd party security devices (firewalls) for more in-depth analysis. Next, check out ProCurve Mobility Manager (PMM) if you’re running ProCurve wireless solutions- including their light (WESM/Radio Port) or heavy AP (420/530) solutions. If you were using PMM 1.X, you’ll be delighted at several new features in the new 2.0 release. Last, but definitely not least is Identity Driven Manager (IDM), which installs and attaches an agent to your RADIUS server to offer a truly unique and full-featured user management solution. Set specific ACLs and QoS per user and enforce them throughout the network, instead of at a central point. You can get a free 30-day trial of any or all of these from ProCurve’s site.

# # #

The 3 C’s- Your Other Network Stuff
Last Updated on Saturday, 28 January 2012 07:10
Written by JJ
Friday, January 18th, 2008

Tips & Tricks: Fully documenting your network.

During regular ‘closet crawling’ (aka site surveys) we often find a few important details overlooked… and we all know… the devil is in the details!
