Archive for December, 2007

Excel graphing

December 27, 2007

The other day we wanted an Excel graph to show a different color to highlight a certain part of the graph. Click on the link for full details and images.

http://www.movement3.com/docs/Excel_graphing.doc

Categories: Misc

NAT traversal and IPsec

December 19, 2007

Here is a summary of notes on NAT-T and IPsec.

Many-to-one, the most commonly implemented NAT solution, maps several private addresses to one single routable (public) address; this is also known as Port Address Translation (PAT). The association is implemented at the port level.
The PAT solution creates a problem for IPsec traffic that does not use any ports.

Most PAT devices do not work with ESP since they have been programmed to work only with TCP, UDP, and ICMP.

The NAT transparent mode in the VPN 3000 Client solves this problem by encapsulating ESP within UDP and sending it to a negotiated port. The name of the attribute to activate on the VPN 3000 Concentrator is IPSec through NAT.

In order for IPsec to work through a NAT, the following need to be allowed on the firewall:

Internet Key Exchange (IKE) – UDP port 500
IPsec NAT-T – UDP port 4500
Encapsulating Security Payload (ESP) – IP protocol 50
Cisco also uses TCP/UDP port 10000

Often this is accomplished on home routers by enabling “IPsec Passthrough”.

If everything is enabled, use this precedence:
IPsec over TCP.
IPsec over NAT-T.
IPsec over UDP.
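As an added example (not code from the original post), here is a PowerShell script that builds UDP port 4500 datagrams the way NAT-T does and classifies what each one carries, which is the check a firewall or IDS has to make once ESP and IKE share the same UDP port. The byte layouts are assumed from RFC 3948 and RFC 4303, and the function names are mine.

```powershell
# Added example, not code from the original post; byte layouts assumed from
# RFC 3948 (UDP-encapsulated ESP, non-ESP marker, keepalive) and RFC 4303 (ESP).
$NatTPort = 4500
function ConvertTo-NetworkBytes {
    # Big-endian (network order) bytes of a 16- or 32-bit unsigned value.
    param([uint32]$Value, [int]$Width)
    $bytes = [BitConverter]::GetBytes($Value)
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($bytes) }
    return [byte[]]$bytes[(4 - $Width)..3]
}
function ConvertFrom-NetworkUInt32 {
    param([byte[]]$Bytes)
    $copy = [byte[]]$Bytes[0..3]
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($copy) }
    return [BitConverter]::ToUInt32($copy, 0)
}
function New-UdpDatagram {
    # UDP header (checksum left zero, which IPv4 allows) in front of a payload.
    # These port fields are what PAT rewrites; raw ESP (IP protocol 50) has none.
    param([uint16]$SourcePort, [uint16]$DestPort, [byte[]]$Payload)
    $header = (ConvertTo-NetworkBytes $SourcePort 2) + (ConvertTo-NetworkBytes $DestPort 2) +
              (ConvertTo-NetworkBytes (8 + $Payload.Length) 2) + (ConvertTo-NetworkBytes 0 2)
    return [byte[]]($header + $Payload)
}
function New-EspHeader {
    # ESP begins with the SPI and the anti-replay sequence number.
    param([uint32]$Spi, [uint32]$Sequence)
    return [byte[]]((ConvertTo-NetworkBytes $Spi 4) + (ConvertTo-NetworkBytes $Sequence 4))
}
function Get-NatTPayloadType {
    # Classify one datagram on UDP 4500 the way a firewall or IDS must:
    # one 0xFF byte = NAT keepalive, four zero bytes = IKE, non-zero SPI = ESP.
    param([byte[]]$Datagram)
    if ($Datagram.Length -lt 8) { return 'short' }
    $src = [int]$Datagram[0] * 256 + $Datagram[1]
    $dst = [int]$Datagram[2] * 256 + $Datagram[3]
    if ($src -ne $NatTPort -and $dst -ne $NatTPort) { return 'not-nat-t' }
    $bodyLength = $Datagram.Length - 8
    $body = New-Object byte[] $bodyLength
    [array]::Copy($Datagram, 8, $body, 0, $bodyLength)
    if ($bodyLength -eq 1 -and $body[0] -eq 0xFF) { return 'nat-keepalive' }
    if ($bodyLength -lt 8) { return 'unknown' }
    if ((ConvertFrom-NetworkUInt32 $body) -eq 0) { return 'ike' }   # non-ESP marker
    return 'esp'
}
# Constructed sample traffic on the negotiated NAT-T port: IKE, ESP, keepalive.
$ike = New-UdpDatagram 4500 4500 ([byte[]](0,0,0,0) + [byte[]](1..28))
$esp = New-UdpDatagram 4500 4500 ((New-EspHeader 0x1234ABCD 1) + [byte[]](1..16))
foreach ($d in $ike, $esp, (New-UdpDatagram 4500 4500 ([byte[]](0xFF)))) { Get-NatTPayloadType $d }
```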

IPsec
IPsec works at layer 3.
SPI (Security Parameter Index)

Since the Internet Protocol does not inherently provide any security capabilities, IPsec was introduced to provide security services such as the following:

Encrypting traffic (so it cannot be read by parties other than those for whom it is intended)
Integrity validation (ensuring traffic has not been modified along its path)
Authenticating the peers (ensuring that traffic is from a trusted party)
Anti-replay (protecting against replay of the secure session).

Transport mode
In transport mode, only the payload (the data you transfer) of the IP packet is encrypted and/or authenticated. The routing is intact, since the IP header is neither modified nor encrypted; however, when the authentication header is used, the IP addresses cannot be translated, as this will invalidate the hash value. The transport and application layers are always secured by hash, so they cannot be modified in any way (for example by translating the port numbers). Transport mode is used for host-to-host communications.

A means to encapsulate IPsec messages for NAT traversal has been defined by RFC documents describing the NAT-T mechanism.

Tunnel mode
In tunnel mode, the entire IP packet (data plus the message headers) is encrypted and/or authenticated. It must then be encapsulated into a new IP packet for routing to work. Tunnel mode is used for network-to-network communications (secure tunnels between routers, e.g. for VPNs) or host-to-network and host-to-host communications over the Internet.

Authentication Header (AH)
Encrypts the header messages.

Encapsulating Security Payload (ESP)
ESP also supports encryption-only and authentication-only configurations, but using encryption without authentication is strongly discouraged because it is insecure.

http://www.cisco.com/warp/public/471/nat_trans.html

Categories: Networking

nmap switches command

December 18, 2007

# time nmap -A -T4 -F -P0 www.google.com

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2007-12-18 10:26 CST
Interesting ports on py-in-f147.google.com (64.233.167.147):
(The 1228 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE VERSION
80/tcp open http Google httpd 1.3 (GFE)
179/tcp closed bgp
443/tcp open ssl/http Google httpd 1.3 (GFE)
No OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=4.01%P=i686-pc-linux-gnu%D=12/18%Tm=4767F4F4%O=80%C=179)
TSeq(Class=TR%IPID=RD)
T1(Resp=Y%DF=N%W=1628%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=N%W=1628%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=2009%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=2009%ACK=S%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=2009%ACK=S++%Flags=R%Ops=)
PU(Resp=N)

Service Info: OS: Linux

Nmap finished: 1 IP address (1 host up) scanned in 63.723 seconds

real 1m3.733s
user 0m0.360s
sys 0m0.104s

Categories: Linux

871 DSL config with pppoe

December 14, 2007

Here is a config for the 871 to perform PPPoE.

PPPoE is Point-to-Point Protocol over Ethernet; it encapsulates PPP frames inside Ethernet frames. PPP allows the provider to use authentication, billing, and per-user control.

txt config
www.movement3.com/docs/871_dsl_pppoe.txt

Excel file with config comments
www.movement3.com/docs/871_DSL_pppoe_config_basic.xls

http://www.dslreports.com/forum/remark,18092207

Categories: Networking

871W wireless config

December 13, 2007

Here is a config for the 871W wireless access with two SSIDs.

txt config
www.movement3.com/docs/871wireless_audit

Excel file with config comments
www.movement3.com/docs/871wireless_audit.xls

Categories: Networking

Windows PowerShell — monitor a process

December 10, 2007

I learned PowerShell over the past few days. It was pretty easy to learn, and some of the scripting is very similar to Perl. I still had some issues with my script: I was expecting to parse everything as a text file, but some inputs were objects. I guess that is one of the differences between Windows and UNIX.

My script monitors whether a particular PID, owned by a particular account, is running longer than 10 mins; if yes, it writes to the event log (or emails). Then I created an alert in SiteScope to monitor the event log. One item I noticed was that if I typed get-process EXCEL and Excel was not running, I got a nice pretty error message in red text. I guess Windows doesn’t follow the Silence is Golden mindset.

PS C:\vbs> .\4.ps1
Get-Process : Cannot find a process with the name ‘EXCEL’. Verify the process name and call the cmdlet again.
At C:\vbs\4.ps1:4 char:25
+ $processID = get-process <<<< EXCEL | select id

Here is the UNIX philosophy:
1. Small is beautiful.
2. Make each program do one thing well.
3. Build a prototype as soon as possible.
4. Choose portability over efficiency.
5. Store data in flat text files.
6. Use software leverage to your advantage.
7. Use shell scripts to increase leverage and portability.
8. Avoid captive user interfaces.
9. Make every program a filter.

10 lesser tenets:
1. Allow the user to tailor the environment.
2. Make operating system kernels small and lightweight.
3. Use lowercase and keep it short.
4. Save trees.
5. Silence is golden.
6. Think parallel.
7. The sum of the parts is greater than the whole.
8. Look for the 90-percent solution.
9. Worse is better.
10. Think hierarchically.

Here is the script:
http://www.movement3.com/docs/powershell-monitor-pid

To allow PowerShell to run scripts:
get-help about_signing
set-executionPolicy remoteSigned

*** Updated 1/2 ***
I had problems with scheduling the PowerShell script to run:

C:\Documents and Settings\username>C:\WINDOWS\system32\windowspowershell\v1.0\powe
rshell.exe c:\powershell_scripts\check\script.ps1

Get-Content : Cannot find path ‘C:\Documents and Settings\username\status.txt’ be
cause it does not exist.

At C:\powershell_scripts\RPGSQL_check\script.ps1:6 char:14
+ $status = cat <<<< status.txt

I included the full path: cat C:\powershell_scripts\check\status.txt and it worked.
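As an added example, not the author's script from the link above, here is a PowerShell script that does what the post describes and avoids both problems it ran into: Get-Process is called with -ErrorAction SilentlyContinue so a missing process stays silent, and status.txt is resolved relative to the script's own folder rather than the scheduled task's working directory. The account name, the event source and the function name are assumptions.

```powershell
# Added example, not the author's script. The process name, account, 10-minute
# limit (from the post) and the event source 'ProcessMonitor' are assumptions.
param(
    [string]$ProcessName = 'EXCEL',
    [string]$Owner = 'DOMAIN\svc_report',   # assumed account, adjust to yours
    [int]$MaxMinutes = 10
)
# Anchor data files to the script's own folder: a scheduled task starts in the
# user's profile, which is why "cat status.txt" could not find the file.
$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$statusFile = Join-Path $scriptDir 'status.txt'

function Get-LongRunningProcess {
    param([string]$Name, [string]$Owner, [int]$MaxMinutes)
    # SilentlyContinue keeps Get-Process quiet when no such process exists,
    # instead of the red "Cannot find a process with the name" error.
    $procs = @(Get-Process -Name $Name -ErrorAction SilentlyContinue)
    $limit = (Get-Date).AddMinutes(-$MaxMinutes)
    $hits = @()
    foreach ($p in $procs) {
        # Get-Process does not expose the owner; WMI does, per PID. Reading the
        # owner and StartTime of another account's process needs admin rights.
        $wmi = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.Id)"
        if (-not $wmi) { continue }            # exited between the two calls
        $o = $wmi.GetOwner()
        if ("$($o.Domain)\$($o.User)" -ne $Owner) { continue }
        if ($p.StartTime -lt $limit) { $hits += $p }
    }
    return $hits
}

foreach ($p in (Get-LongRunningProcess $ProcessName $Owner $MaxMinutes)) {
    $msg = "PID $($p.Id) ($ProcessName) owned by $Owner running since $($p.StartTime)"
    # The source must be registered once, from an elevated prompt:
    # [Diagnostics.EventLog]::CreateEventSource('ProcessMonitor', 'Application')
    $log = New-Object System.Diagnostics.EventLog 'Application'
    $log.Source = 'ProcessMonitor'
    $log.WriteEntry($msg, [Diagnostics.EventLogEntryType]::Warning, 1001)
    Add-Content -Path $statusFile -Value "$(Get-Date -Format s) $msg"
}
```

The event log entry (source ProcessMonitor, event ID 1001) is what a monitoring alert such as the SiteScope one in the post would key on.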

Categories: Scripting

EQL, extending hard drive space, and diskpart

December 7, 2007

One of our departments was backing up their workstations and placed all the data on their private drives. Within 1-2 hours, 8 GB was used, filling up all of the network drive.

We increased the volume size in the EQL control panel; that was easy enough. In Windows, you then have to extend the volume into the extra hard drive space using diskpart.exe:

diskpart
list disk
select disk 0
list partition
select partition 1
extend

Another thing diskpart can do is wipe a partition; it was handy when the disk was formatted GPT style and you need it to be MBR. See KB888929.

diskpart
list disk
select disk X
clean

I don’t remember the exact diskpart commands, but there is a PDF doc on EQL’s website.
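As an added example (not from the original post), here is a PowerShell wrapper for the diskpart extend steps above that prints which disk is selected before anything runs and then feeds the same commands to diskpart non-interactively with /s. The disk and partition numbers are assumed placeholders; the WMI class used is the standard Win32_DiskDrive.

```powershell
# Added example, not from the original post: wraps the diskpart "extend" steps
# in a script that shows the disk it is about to touch and then runs diskpart
# non-interactively with /s. Disk and partition numbers are assumed.
param([int]$DiskNumber = 0, [int]$PartitionNumber = 1, [switch]$DryRun)

# Print model, size and interface of the chosen disk first: diskpart acts on
# whatever disk is selected, and "clean" on the wrong one is unrecoverable.
$disk = Get-WmiObject Win32_DiskDrive -Filter "Index = $DiskNumber"
if (-not $disk) { throw "No disk with index $DiskNumber" }
"Disk {0}: {1}, {2:N0} GB, interface {3}" -f $disk.Index, $disk.Model, ($disk.Size / 1GB), $disk.InterfaceType

# Same commands as typed interactively above, fed to diskpart as a script file.
$commands = @"
select disk $DiskNumber
list partition
select partition $PartitionNumber
extend
"@
$scriptFile = Join-Path $env:TEMP 'extend_volume.txt'
Set-Content -Path $scriptFile -Value $commands
if ($DryRun) { Get-Content $scriptFile; return }   # show the script, change nothing
diskpart /s $scriptFile
```

Run it once with -DryRun to confirm the disk line and the generated commands before the real run.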

TreeSize is a handy tool, like du -sh:
http://www.jam-software.com/freeware/index.shtml

Categories: Windows