Lan-Secure Network Blog

Network configuration management refers to mechanism that allows controlling and maintaining changes of network devices either automatically or by network administrator request. The tasks of network configuration management are setting configuration changes, collecting configuration history, creating configuration backups and restoring configuration of network devices. Network configuration management software should provide generic mechanism that will be able to control any network device and simplify the configuration tasks to reduce configuration errors of network devices.

Lan-Secure Network Configuration Management Software has the perfect solution to deal with any network device configuration by using generic SNMPv1/2 or secured SNMPv3 protocols for collecting network devices configuration. The easy to use software provides integral mechanism for all network configuration management tasks and supports any network environment size.

Network Configuration Collection
Provide automatic and manual option for collecting configuration from any network device. Tools that provided by equipment vendors are not good enough because most networks using several vendors and types of network devices like switches, routers, firewalls and other network devices. Using generic SNMPv1/2 or secured SNMPv3 protocols can provide central network configuration management system for the whole organization.

Network Configuration Changes
Provide automatic and manual option for changing network devices configuration of specific device or as bulk operation on couple devices. The previous network configuration settings will be restored for historical analyzing or reusing and the new configuration will be used as the current network configuration devices. The changes operation will be logged and saved under the name of the new configuration submitter for tracking.

Network Configuration Backup
Create duplicate configuration of all network devices including all the configurable values that were found for each network device. The backup process could be automated for specific dates and times or created by user request. The backup should include incremental and differential configuration settings for each network device.

Network Configuration Restore
Set current stored configuration for specific device in case of malfunctioning equipment or for analyzing specific networking issue that involves with previous configuration settings. The restore operation will be audited and logged under the name of the restore issuer for historical analyzing.

Network Configuration Actions
There are situations that specific action is needed when collecting network configuration of specific device upon discovery of any configuration change or value. The actions should alert the configuration management team about the changes or values that was discovered either by sending email or trap or by performing specific executable command or fixing specific configuration value. Adding actions to network configuration management system can alert or fix faulty configuration equipments before they can cause severe damage to the network.

Conclusion
Since networks in any size are constantly vulnerable to configuration changes and faulty configuration in live equipment can have devastating effects on networks reliability and services, using the above network configuration management tasks as major configuration tool in any network environment can help network administrators saving time and reducing errors while keeping network performance and stability.

Labels: Management, Security

Syslog is a standard protocol for sending and receiving logging messages from network devices and computer applications. It is typically used for management systems and security auditing and since it is supported on wide variety of devices it is commonly used for integrating logging information from many different types of systems into a central repository. When collecting syslog events to central repository in large IT networks there are huge amount of syslog events that can be received from the network in that case there is a major need for syslog root cause correlation analysis between all collected events.

Lan-Secure Windows Syslog Monitor Server Daemon has the perfect solution to deal with large amount of syslog events using powerfull monitoring engine and proven correlation techniques. The easy to use software provides several syslog root cause correlation analysis reports that can correlate any amount of syslog messages to specific root cause event.

Host Correlation Report
The host correlation report provides correlation between specific host addresses. Using this report displays aggregation of all hosts addresses messages including the time, priority and text message of the events.

Message Correlation Report
The message correlation report provides correlation between specific textual messages. Using this report displays aggregation of all text messages that were sent including, time, priority and the host address of the events.

Priority Correlation Report
The priority correlation report provides correlation between specific message priorities. Using this report displays aggregation of all message priorities that were sent including time, host address and text message of the events.

Time and Date Correlation Report
The time and date correlation report provides correlation of specific time frame of currently collected events. Using this report displays aggregation of all events that were received in selected time and date including priority, host address and text message of the events.

Conclusion
Using the above correlation techniques can help network management administrators and IT networks analysts to deal with large amount of syslog events and figure out which host address has created specific root cause event. Collecting and analyzing syslog events regularly can alert about potential malfunctions before it can cause severe damage to the IT networks.

Labels: Management, Security

USB flash drives are very common and can be found in almost every computerized environment for storing and transferring data between computers. These USB devices make it really easy for potential attacker to exploit unprotected computers with malicious virus and Trojan software and provide a gateway to the network for manipulating sensitive data.

Detecting USB storage devices
There are some nice tools that can be found on the net that will notify about USB devices on local and remote windows platforms. But most of them are not free and will require an installation of an agent on the remote windows platforms. Using the preinstalled Windows Management Instrumentation (WMI) on windows platforms is free and will not require any remote agent. It will only require a simple script that can be run manually from a privileged user account or from another network monitoring software like Lan-Secure Security Center and Lan-Secure Switch Center Protector network security scanners.

WMI notification event script
The following USB notification event script will send an event message in response to any operation of USB device on local or remote windows platform. For simplicity, the script is using a temporary event subscription, which exists only as long as the script is running. Some modifications will be needed for a permanent event subscription that will not require a perpetually running script:

VBScript (should be copied and saved as .vbs file):
strComputer = "." '(Any computer name or address)
Set wmi = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set wmiEvent = wmi.ExecNotificationQuery("select * from __InstanceOperationEvent within 1 where TargetInstance ISA 'Win32_PnPEntity' and TargetInstance.Description='USB Mass Storage Device'")
While True
Set usb = wmiEvent.NextEvent()
Select Case usb.Path_.Class
Case "__InstanceCreationEvent" WScript.Echo("USB device found")
Case "__InstanceDeletionEvent" WScript.Echo("USB device removed")
Case "__InstanceModificationEvent" WScript.Echo("USB device modified")
End Select
Wend

JScript (should be copied and saved as .js file):
strComputer = "."; //(Any computer name or address)
var wmi = GetObject("winmgmts:\\\\" + strComputer + "\\root\\cimv2");
var wmiEvent = wmi.ExecNotificationQuery("select * from __InstanceOperationEvent within 1 where TargetInstance ISA 'Win32_PnPEntity' and TargetInstance.Description='USB Mass Storage Device'");
while(true) {
var usb = wmiEvent.NextEvent();
switch (usb.Path_.Class) {
case "__InstanceCreationEvent": {WScript.Echo("USB device found"); break;}
case "__InstanceDeletionEvent": {WScript.Echo("USB device removed"); break;}
case "__InstanceModificationEvent": {WScript.Echo("USB device modified"); break;}}}

Labels: Management, Security

Every Network Interface Card (NIC) on any platform has unique MAC address that used to access Ethernet networks. The MAC address is hard coded by the network card manufacturer and on many security systems used as a platform identity for network access permission. Using the MAC address of a platform with network permission rights by an intruder or malicious software instead of its original address called MAC spoofing.

MAC address network access control
MAC address spoofing is quite an easy task for a potential intruder especially when using MAC address of network nodes that are inactive most of the time like network printers and networking time and attendance systems. This is the main reason for not using MAC address protection as a single network access control (NAC) mechanism but combining multiple protection methods to create safe and reliable security protection like Lan-Secure Security Center and Lan-Secure Switch Center Protector network security scanners.

MAC address spoofing
There are some nice tools and drivers that can be found on the net that will change MAC address of specific platform to any other MAC address. But it can be done easily on any windows platform using the windows built in registry editor. Here are the steps needed to change windows platform MAC address and gain access to the network as another platform MAC address:

Changing MAC address
1. Open windows registry editor by clicking the Start button selecting Run command and typing “RegEdit”.
2. Open registry folder HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}.
3. Select the appropriate network card folder by viewing the data written on the folder DriverDesc value.
4. On the network card folder create new String Value named NetworkAddress and modify its data to the preferred MAC address using its 12 hexadecimal characters in a row.
5. Reset the network card adapter by disable and enable the card from windows Network Connections control panel.
6. Use IpConfig /all windows command to verify the new network card MAC address.

Clearing MAC address
1. Open windows registry editor by clicking the Start button selecting Run command and typing “RegEdit”.
2. Open registry folder HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}.
3. Select the appropriate network card folder by viewing the data written on the folder DriverDesc value.
4. Delete the String Value named NetworkAddress.
5. Reset the network card adapter by disable and enable the card from windows Network Connections control panel.

Labels: Security

Lan-Secure blog provides network security and management knowledge base information including technical articles on how to improve networks efficiency and reliability.

Labels: Management, Security