BGP Peering issues???
Apologies for straying off topic. Years ago several tools and sites were available for troubleshooting BGP routing tables and viewing reachability over the Internet. I remember using a site that, when you provided an ASN or IP address, returned a tree graph showing multi-hop peer points and latency statistics from dozens of sources all over the Internet. I know a lot of these sites went away after the vulnerability in BGP's peering process was disclosed. Some of the sites I bookmarked advertised that they would return once a more secure way of offering this information was worked out. They eventually just went away (an example being http://nitrous.digex.net). Did anything replace them? What are some of the tools and sites you use to test whether your network blocks are being seen where they should be? Any suggestions would be greatly appreciated.

Mike Braun

MMS firstam.com made the following annotations on 10/27/2005 04:40:56 PM -- THIS E-MAIL MESSAGE AND ANY FILES TRANSMITTED HEREWITH, ARE INTENDED SOLELY FOR THE USE OF THE INDIVIDUAL(S) ADDRESSED AND MAY CONTAIN CONFIDENTIAL, PROPRIETARY OR PRIVILEGED INFORMATION. IF YOU ARE NOT THE ADDRESSEE INDICATED IN THIS MESSAGE (OR RESPONSIBLE FOR DELIVERY OF THIS MESSAGE TO SUCH PERSON) YOU MAY NOT REVIEW, USE, DISCLOSE OR DISTRIBUTE THIS MESSAGE OR ANY FILES TRANSMITTED HEREWITH. IF YOU RECEIVE THIS MESSAGE IN ERROR, PLEASE CONTACT THE SENDER BY REPLY E-MAIL AND DELETE THIS MESSAGE AND ALL COPIES OF IT FROM YOUR SYSTEM. ==
RE: Good network sniffer?
You should also take a look at EtherPeek (http://www.wildpackets.com/products/etherpeek_nx). It has more power than Sniffer Pro and comes at a reasonable price. I like that you can analyze packets while the trace is still running.

Mike Braun

-----Original Message-----
From: Andy Grosser [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 12, 2004 2:56 PM
To: Borger, Ben
Cc: [EMAIL PROTECTED]
Subject: Re: Good network sniffer?

> Can anyone recommend a good network monitor that can replay captured packets? Windows or *nix. Free is great, commercial is ok too.

Ethereal. Free. http://www.ethereal.com

You gotta love their catchy little descriptive sub-heading: Sniffing the glue that holds the Internet together. :-)

---
Andy Grosser, CCNP
andy at meniscus dot org
---
FW: Cost of Worm Attack Protection
The old saying of "you get what you pay for" seems to be well directed when it comes to this topic. If you're willing to allocate $100K more than you currently spend on mitigating the effects of worms and viruses, I'm sure you will have some increased success. If you allocate 1 mill more, your success will increase substantially. The true cost really boils down to what you are trying to protect, such as how many servers, users, network segments, and other critical devices you are willing to encompass in your protection plan. Also, you may be able to mitigate the cost by using the functionality built into devices you may already own.

A good protection schema needs to address the use and benefits of the following: firewalls, VPN tunnels and policies, HIDS, NIDS, antivirus software, and a good network security policy that grows with your network. You may already have most of this in place and need only a little extra funding allocated to give you the protection level you feel comfortable with.

If you're looking for pricing on each component, it will vary widely depending on the brand and model you go with. You should shop around for components that suit your budget. An example of this price variance can be found by looking at a Net Forensics project priced at $500k compared to a similar solution going with Network Intelligence at $40K. The Network Intelligence solution may not have all the functionality offered by Net Forensics, but it may be enough for your needs.

Best of luck in fighting this ever-growing problem,

Mike Braun

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 13, 2003 7:59 AM
To: Joel Jaeggli
Cc: [EMAIL PROTECTED]
Subject: Re: Cost of Worm Attack Protection

Good point - then what is the cost of attempting to mitigate or handle attacks vs. doing nothing?

----- Original Message -----
From: Joel Jaeggli [EMAIL PROTECTED]
Date: Thursday, November 13, 2003 10:14 am
Subject: Re: Cost of Worm Attack Protection

> I haven't seen any network or customer site that has protected itself from worms... only mitigated them.
>
> joelja
>
> On Thu, 13 Nov 2003 [EMAIL PROTECTED] wrote:
>
> > I was hoping to get some estimates from folks on the costs of defending networks from various worm attacks. It is a pretty wide open question, but if anyone has some rough estimates of what it costs per edge, manpower vs. equipment costs, or any combination thereof it would be of great assistance. We are doing some simulations of attack and defense strategies and looking for some good metrics to plug into a cost-benefit model. We'd be happy to share the results if anyone is interested as well.
> >
> > Thanks in advance,
> > sean
>
> --
> Joel Jaeggli, Unix Consulting, [EMAIL PROTECTED]
> GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
RE: FW: Cost of Worm Attack Protection
You misunderstood me if you thought I was saying the key to this problem is to throw money at it. You can spend a load of cash and accomplish nothing. In fact, you can do far worse damage this way, by giving yourself a false sense of security, than if you did nothing at all. There is a right way to view security and a wrong way. If you let a couple of fast-talking sales people sell you their kitchen-sink solution without a full understanding on your part of what you've just purchased, or of how to install and maintain the product, then you don't belong in your company's security group and should look for a new line of work. I think we can all think of security installations or practices we've seen in the past that we can find fault in, or ones that are so bad they need to fire the security staff and reevaluate the entire infrastructure.

The point I was making in my original email was that you need to understand your network. This includes the users and how they interact. You can spend $0 on new hardware and instead work to change the bad habits of users on the network, and be in a much more secure position months from now. By understanding your network and the security risks associated with each element, as well as the options available for closing (or mitigating) those security risks, you will find yourself in a better position to spend allocated funds more wisely. You'll never be able to make a network hacker-proof, but you can work to mitigate risk to varying degrees. Here is where the money comes in. How wisely you spend is up to you.

Mike Braun

-----Original Message-----
From: Rob Thomas [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 13, 2003 12:56 PM
To: NANOG
Subject: Re: FW: Cost of Worm Attack Protection

Hi, NANOGers.

] The old saying of you get what you pay for seems to be well directed when
] it comes to this topic. If you're willing to allocate $100K more than you
] currently spend to mitigating the effects from Worms and Viruses, I'm sure
] you will have some increased success. If you allocate 1 mill more, your
] success will increase substantially. The true cost really boils down to

This sort of thinking, unsupported by any data, runs rampant in the security industry. I have yet to see anyone document the ROI on security tools and services. Do they help at all? Does an increase in security spending result in a decrease in pain? In some cases, as already documented here, an increase in security measures can actually increase costs. Let's not fall into the trap that more $$$ equates to greater security or awareness. I've seen many sites that installed numerous pods of the latest IDS at their borders, only to be owned from within or owned by a method not yet in the ever-behind signature database of the IDS devices. One can waste money on security just as easily as one can waste money on anything else.

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
RE: Distributed sniffer products
We've been playing with WildPackets (http://www.wildpackets.com/). They sniff LAN to Gig and some WAN as well. The distributed model is still vaporware, but is said to be out soon. The expert analysis is comparable to, if not better than, NAI's.

Mike Braun

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 03, 2003 1:02 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Distributed sniffer products

The cost-benefit analysis on Ethereal/etc. vs. Sniffer on anything but the smallest of networks is usually very easy to make. The fundamental issue is what questions you have, and should have, about your network, and what tool answers those questions efficiently and reliably. Good protocol analyzers sell because they save time in answering important questions. Sniffer recently released an SMB Sniffer called Netasyst... worth a look if cost has been an issue in the past.

So ends this biased response. :-)

-----Original Message-----
From: Owen DeLong [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 03, 2003 2:50 PM
To: Austad, Jay; '[EMAIL PROTECTED]'
Subject: Re: Distributed sniffer products

Ethereal and other libpcap tools work reasonably well, can be easily deployed using commodity hardware, and would cost you a lot less than NetAssoc.

Owen

--On Wednesday, September 3, 2003 1:07 PM -0500 Austad, Jay [EMAIL PROTECTED] wrote:

> Anyone have any experience with these? I'm looking for something similar to Network Associates' Sniffer product. Are there any open source projects that are decent? What are others using?
>
> Jay Austad
> Senior Network Analyst
> Travelers Express / MoneyGram
> e: [EMAIL PROTECTED]
> p: 952.591.3779
RE: IPsec with ambiguous routing
When the IPsec tunnel is formed, traffic is sent between the IPsec terminating equipment/client at the remote office and the VPN concentrator located at the other end. The source and destination networks are not seen while the data is encrypted over the WAN. Only through a configuration error could the traffic be sent unencrypted from source to destination. It makes no difference that you have multiple WAN links, or even that the potential for an asymmetrical traffic flow exists. The source and destination address as it appears in the WAN cloud always remains the same.

Best regards,

Mike Braun

-----Original Message-----
From: David Wilburn [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 12, 2003 10:40 AM
To: [EMAIL PROTECTED]
Subject: IPsec with ambiguous routing

I've been attempting to beef up my knowledge of IPsec recently, and got to thinking hypothetically about a *possible* problem with implementing IPsec on larger networks. My experience with IPsec is currently limited at best, so hopefully I can communicate this properly:

Let's assume that I have a large-ish network with multiple connections to the Internet and ambiguous routing (meaning that a packet might come in one gateway and the response packet might leave through a different gateway). Let's also assume that I'd like to allow IPsec tunnels into my network to allow single workstations and small networks to attach to mine.

With such ambiguous routing, is my understanding correct that the response traffic could potentially bypass the VPN concentrator altogether and travel to the destination unencrypted? Is there any best-practices advice for dealing with IPsec on such a network, or am I stuck with either "redesign your network architecture" or "don't allow IPsec"? From what I can figure, those last two options are my best bet, unless I want to allow lots of VPN concentrators deeper within the network where the routing is less ambiguous.

Are there any solutions for quickly, reliably, and securely sharing IPsec Security Association databases between gateways, so that the other gateways would know to encrypt the traffic before letting it out? Any other relevant thoughts, experiences, insults, rude gestures, etc.?

Thanks!

-Dave Wilburn
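An added example, not part of the thread, that models the situation David describes: an internal routing table, two border gateways, and an IPsec policy held only on the concentrator, with a check of which gateway a reply to a remote VPN address actually leaves through. All prefixes, gateway names and routing tables are constructed.

```python
"""Added example (not part of the thread): model the asymmetric-routing case David
raises and check which border gateway a reply to a remote VPN address leaves through.
All prefixes, gateway names and routing tables below are constructed."""
import ipaddress

# Constructed: gw-a is the VPN concentrator and holds the IPsec policy (SPD) for
# traffic between the 10.0.0.0/16 campus and the remote office 192.168.50.0/24.
# gw-b is a plain Internet gateway with no IPsec policy at all.
GATEWAYS = {
    "gw-a": {"spd": [("10.0.0.0/16", "192.168.50.0/24")]},  # (local, remote) selectors
    "gw-b": {"spd": []},
}

# Constructed internal routing tables: (prefix, egress gateway).
AMBIGUOUS = [("0.0.0.0/0", "gw-b")]                   # only a default route, via gw-b
FIXED = AMBIGUOUS + [("192.168.50.0/24", "gw-a")]     # remote selector pinned to gw-a

def egress_gateway(routes, dst):
    """Longest-prefix match over the internal routing table; returns the gateway name."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def ipsec_covers(gw, src, dst):
    """True if the gateway's SPD selects src -> dst for protection."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(loc) and d in ipaddress.ip_network(rem)
               for loc, rem in GATEWAYS[gw]["spd"])

def reply_path(routes, local_host, remote_host):
    """Classify the reply local_host -> remote_host by where the routing table sends it:
    'encrypted' (exits via a gateway whose SPD covers it), 'cleartext-leak' (exits via a
    gateway with no matching policy, so it is forwarded in the clear) or 'unroutable'."""
    gw = egress_gateway(routes, remote_host)
    if gw is None:
        return "unroutable"
    return "encrypted" if ipsec_covers(gw, local_host, remote_host) else "cleartext-leak"

if __name__ == "__main__":
    for name, table in (("ambiguous", AMBIGUOUS), ("fixed", FIXED)):
        print(name, reply_path(table, "10.0.1.5", "192.168.50.20"))
```

The "fixed" table adds a specific route for the remote selector pointing at the concentrator, which is what keeps replies inside the tunnel regardless of which gateway the request arrived on; a reply from a host outside the policy's local selector still leaves in the clear, which is the configuration error to look for.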
RE: Weird networking issue.
I think we all agree that autonegotiation is evil, and should be avoided whenever possible. When you are looking for the root cause of the errors on your 3660, look at the speed and duplex settings for each device connecting to the etherstack hub. If one of those is misconfigured or possibly has a failing NIC, bad packets will be transmitted out all ports on the hub and will show up in the "show int f0/0" output on your router.

Mike Braun

-----Original Message-----
From: Peter E. Fry [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 07, 2003 1:18 PM
To: [EMAIL PROTECTED]
Subject: Re: Weird networking issue.

David G. Andersen wrote:

> Rule number 1 with any ethernet: Check to make sure you have the duplex and rate statically configured, and configured identically on both ends of the connection.
> [...]

I'd like to thank Cisco for this piece of advice, as the only company incapable of manufacturing Ethernet equipment capable of autonegotiation. At least until 1999 or so. Yeah, there're a few others, all of which seemed to follow Cisco's lead. Nutty.

Peter E. Fry
RE: Weird networking issue.
> > I think we all agree that autonegotiation is evil, and should be avoided
> > whenever possible. When you are looking for the root cause of the errors on
>
> I don't agree. I have seen more problems generated by incompetence in trying to fix duplex/speed than I have seen problems generated by autoneg not working properly. I am always amazed by the fact that very few people out there know that you have to lock duplex at BOTH ENDS of any given link for it to work properly. Generally, in a LAN environment with good quality switches and good network cards, autoneg works just fine. Yes, with 10/100 meg fiber/converters you should definitely lock duplex, but in most other cases I recommend leaving the duplex setting on auto.

I agree that with quality switches and network cards (ones supported by the manufacturer of the switch), you should be OK using autonegotiate in a desktop environment, but not in a server environment or when interconnecting networking equipment. I've seen servers that initially autonegotiate fine, only to renegotiate later to a different speed or duplex setting; and in a production environment, that ends up costing money. The problems between Cisco and Sun have already been addressed in this thread. I have also seen problems between Cisco and Bay equipment. The bottom line is that if you need to take the guesswork out of a connection, then lock up both ends.

> Yes, cisco routers are notoriously bad at doing autoneg, but I blame that on cisco and not on autoneg. The el cheapo $50 desktop switches seem to hack autoneg just fine.

I think that this stems from the folks at Cisco believing that they can dictate the standard for the IEEE 802.3u autonegotiation protocol (aka their faith that ISL will become the trunking standard of the future).
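An added example, not from the thread, that serves both "Weird networking issue" messages above: it reads the counters Mike points to in the "show int f0/0" output and flags the pattern a speed/duplex mismatch leaves in Cisco IOS "show interfaces" output. The interface output below is constructed; the counter lines follow the IOS layout.

```python
"""Added example (not part of the thread): flag a likely speed/duplex mismatch from the
counters in Cisco IOS 'show interfaces' output. The interface output below is constructed."""
import re

# Constructed 'show interfaces' excerpts (only the lines the check needs are kept).
FULL_SIDE = """FastEthernet0/0 is up, line protocol is up
  Full-duplex, 100Mb/s, 100BaseTX/FX
     Received 210 broadcasts, 87 runts, 0 giants, 0 throttles
     1532 input errors, 1498 CRC, 34 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
"""
HALF_SIDE = """FastEthernet0/1 is up, line protocol is up
  Half-duplex, 100Mb/s, 100BaseTX/FX
     Received 198 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 4120 collisions, 1 interface resets
     0 babbles, 377 late collision, 12 deferred
"""
CLEAN = """FastEthernet1/0 is up, line protocol is up
  Full-duplex, 100Mb/s, 100BaseTX/FX
     Received 5000 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

def parse_show_interface(text):
    """Extract the duplex mode and the counters that a mismatch drives up."""
    info = {"duplex": None}
    m = re.search(r"\b(Full|Half)-duplex\b", text)
    if m:
        info["duplex"] = m.group(1).lower()
    for name, pattern in (("crc", r"(\d+) CRC"), ("frame", r"(\d+) frame"), ("runts", r"(\d+) runts"),
                          ("collisions", r"(\d+) collisions"), ("late_collisions", r"(\d+) late collision")):
        m = re.search(pattern, text)
        info[name] = int(m.group(1)) if m else 0
    return info

def diagnose(text):
    """Return findings for one interface; an empty list means no mismatch signature."""
    i = parse_show_interface(text)
    findings = []
    # A half-duplex peer aborts its frame when it detects a collision, so the full-duplex
    # side receives truncated frames and counts them as CRC errors, frame errors or runts.
    if i["duplex"] == "full" and (i["crc"] or i["frame"] or i["runts"]):
        findings.append("full-duplex side sees CRC/frame/runt errors: peer likely half-duplex")
    # A full-duplex peer transmits whenever it likes, so the half-duplex side keeps colliding
    # after the 64-byte slot time and logs late collisions.
    if i["duplex"] == "half" and i["late_collisions"]:
        findings.append("half-duplex side sees late collisions: peer likely full-duplex")
    return findings
```

Either finding means the settings at both ends of the link should be compared before anything else is changed; a failing NIC behind a hub, as Mike notes, shows up as the same kind of input errors, so the per-port check on the hub side is the follow-up.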