DataCenter archives - Network technologies and trends


Jul 21 2009   7:58AM GMT

Support after sales Matters (Cisco Press Support is great)



Posted by: Yasir Irfan
Cisco Press, 640-802 CCNA Exam, CCNA, CCENT 640-822 Network Simulator, CCNA 640-802 Network Simulator; Pearson, Technical Support, Support, Cisco Press Support, Cisco Systems, Servers

 

Whenever we buy anything, whether it is a small thing or a huge bunch of servers, we always think of support. Yes, support matters a lot, especially after buying any piece of software, study guide or simulator. When Cisco Press released the CCENT 640-822 Network Simulator, I purchased the Simulator to test and see what Cisco Press is offering in this simulator, which was amazing, and in fact I wrote a review as well in my ITKE blog.

 

Recently Cisco Press released the CCNA 640-802 Network Simulator. When I purchased the CCENT 640-822 Network Simulator there was an offer, so I was entitled to a free upgrade to the CCNA 640-802 Network Simulator. When Cisco Press released the CCNA 640-802 Network Simulator I was thinking of upgrading, but the CCENT 640-822 Network Simulator was corrupted on my laptop and I was not able to activate the product. I immediately contacted Cisco Press Support and my problem was solved in a matter of hours, which was really amazing.

 

My past experience with other vendors was not as great as with Cisco Press Support, which proved to be vital for certification aspirants, as time matters. Without proper support we can suffer a lot.

Jul 4 2009   6:06AM GMT

Unlocking the Potential of Virtualization - Techwise TV Webcast on 30th July



Posted by: Yasir Irfan
TechWise TV, Cisco Web Cast, Unlocking the Potential of Virtualization, Nexus 1000v, Virtualization, Network Interface Virtualization, Cisco Events, Cisco Online Seminars, Cisco VN-Link, data center virtualization, Data Center, virtual servers, Cisco Systems

 

Starting July 30th, Cisco Systems’ TechWiseTV will be broadcasting the webcast titled “Unlocking the Potential of Virtualization”. So act now and register for this online webcast, and learn how the revolutionary new Cisco Nexus 1000V and Cisco VN-Link enable you to automatically empower virtual servers with the same network properties as physical servers. Learn how these new solutions will allow you to dramatically expand and accelerate your data center virtualization initiatives, so you can reap its full benefits.

The agenda is as follows:

Segment 1: The Real Impediments to Virtualization
Virtualization severed a critical link between server and network activities creating a blindness that is hampering true adoption of virtualization benefits.

Segment 2: Understanding VN-Link and the Nexus 1000v
Port Profiles will bring a smile to your face as you witness first hand how sanity is not just restored but enhanced beyond what it ever was in the purely physical world.

Segment 3: Network Interface Virtualization
We breakdown the innovation that brings the physical switch back into the mix and greatly expands your deployment options and architectural models.

Segment 4: Virtualization and your Storage Environment
Increased virtualization equals increased demand on the network to access storage – We show what you need to know for eliminating costly storage silos from your network.

 

 

 

 

 

Register Now.


Feb 19 2009   10:32AM GMT

Cisco Catalyst Switches with PoE



Posted by: Yasir Irfan
Cisco Catalyst Switches, POE, Power over Ethernet, CAT 5, Cat6, UTP, STP, IP Phones, Access Points, IP Cameras

 Catalyst switches with PoE are available as 10/100 PoE or  10/100/1000 PoE. The Power over Ethernet feature is an excellent option for deployments of Cisco IP Phones. Wireless access points and IP  cameras can also be powered by PoE switches. The specific technology uses the Cat5/Cat6/Cat 6e UTP/STP cable to deliver power in addition to data, thus removing the need of using power adaptors for devices.

The following Cisco Models support PoE:

  • 2960
  • 3750
  • 3560
  • 4500
  • 6500
  • Nexus 7000


Jan 7 2009   11:35AM GMT

Solar Winds acquires Kiwi Enterprises, best known for its free management and configuration tools (Syslog).



Posted by: Yasir Irfan
SolarWinds, Kiwi Enterprises, free management, Syslog, Network Management System

SolarWinds announced on 5th of Jan 09 that it had acquired, for an undisclosed sum, the assets of New Zealand-based software maker Kiwi Enterprises, best known for its free management and configuration tools.

Picture Courtesy: Solar Winds.

SolarWinds, also known for making freeware versions of its enterprise software available, acquired Kiwi with plans to incorporate the company’s Syslog and CatTools products into its own Orion platform.

“We saw a number of similarities in the products and communities of Kiwi Enterprises and SolarWinds, and expect this acquisition to generate immediate benefit, not only to our respective customer bases, but to the IT community at large,” said Michael S. Bennett, chairman and CEO, SolarWinds. “SolarWinds is committed to delivering deep value to network engineers by addressing their everyday pain, simply and affordably.”

SolarWinds will add the Kiwi products, specifically Kiwi Syslog Server and Kiwi CatTools, to its popular line-up of tools for network engineers. In addition, SolarWinds also expects to use the other software products that it purchased to expand its free tool offerings.


For more details do check the press release from Solar Winds.


Oct 26 2008   5:55AM GMT

In which slot shall we install the Supervisor Engine in Cisco 6500 Series Catalyst Switches -Series1



Posted by: Yasir Irfan
Networking, Switches, Cisco, DataCenter, Cisco IOS, Cisco 6500, Cisco Tips, Module, Cisco Design, Cisco Systems, Cisco 6500 Series Catalyst Switch, Cisco Catalyst 6503-E Switch, Cisco Catalyst 6506-E Switch, Cisco Catalyst 6509-V-E Switch, Cisco Catalyst 6509-E Switch, Cisco Catalyst 6513 Switch, Slot

Dear Friends, the Cisco 6500 Series Catalyst Switch comes in different models such as the Cisco Catalyst 6503-E Switch, Cisco Catalyst 6506-E Switch, Cisco Catalyst 6509-V-E Switch, Cisco Catalyst 6509-E Switch and Cisco Catalyst 6513 Switch. But is there any specific slot assigned in these switches to install the Supervisor Engine SUP720? Yes, there are specified slots assigned to install the Supervisor Engine SUP720 in any of the Cisco 6500 Series Switches.

Picture Courtesy: Cisco Systems

Now let’s find out these details,

The Cisco Catalyst 6503-E Switch comes with a three-slot chassis. In the Cisco Catalyst 6503-E Switch the first two slots are reserved for the Supervisor Engine SUP720. If you have one Supervisor Engine SUP720, you can install the module in either slot 1 or slot 2.


I will cover these details for other models in my next post.


Oct 20 2008   5:33AM GMT

GITEX 2008 is officially inaugurated by H.H. SHEIKH MOHAMMED BIN RASHID AL MAKTOUM



Posted by: Yasir Irfan
Oracle, HP, Sun Microsystems, Google, Microsoft, GITEX 2008, GITEX, Exhibition, Dubai

UAE Vice President, Prime Minister and Ruler of Dubai, His Highness Sheikh Mohammed bin Rashid Al Maktoum has opened this year’s GITEX TECHNOLOGY WEEK amidst great expectations of a week of announcements and knowledge exchange.

Dear Friends, GITEX happens to be the biggest technological exhibition or fair in this part of the world. If you happen to be in Dubai I would strongly suggest visiting GITEX 2008.

More than 3,300 companies from 83 countries are exhibiting this year, including major international companies such as Blackberry, Dell, Du, Etisalat, Google, HP, Microsoft, Oracle, Panasonic, Samsung, Sharp, Sun Microsystems and Symantec, according to organisers the Dubai World Trade Centre.

GITEX 2008 is open from 1pm to 7pm on Oct. 19, 10am to 7pm on Oct. 20-22 and 10am to 5pm on Oct. 23. The exhibition is open to trade and business professionals only.


Sep 29 2008   12:26AM GMT

Things to be considered before upgrading an IOS in a Cisco 6500 Series Switch with SUP720- Series 1



Posted by: Yasir Irfan
Networking, Switches, Cisco, DataCenter, Cisco IOS, TFTP Server, Cisco 6500, Cisco Tips, Cisco Learning, Network Troubleshooting, IOS Upgrade, 3Com TFTP, SolarWinds, PacketTrap TFTP, PacketTrap pt360

Today I successfully upgraded the IOS for a Cisco Catalyst 6513 Switch with Supervisor Engine SUP720. A couple of years ago I faced some problems while I was upgrading the IOS for a Catalyst 6513 Switch. In this series I will try to focus on the things to be considered before upgrading an IOS in a Cisco Catalyst 6513 Switch.

First and foremost is the TFTP server. The main problem you face is the file size limitation of TFTP servers. Most TFTP servers won’t support transferring an IOS file of more than 30 MB. At that time I was using the Solar Winds TFTP server, which is excellent software but cannot support more than 30 MB. The IOS transfer failed exactly after 30 MB of transfer. I was worried what the problem might be; after careful observation I figured out the problem lies with the Solar Winds TFTP server. Then I tried Cisco’s old TFTP server but had the same problem. Later on I figured out that a TFTP server can support more than 30 MB of file transfer.

Hence, after changing to 3Com’s 3CDaemon Server and the PacketTrap pt360 Tool Suite FREE edition, I was able to transfer IOS files of more than 30 MB. So the main point is to make sure your TFTP server can support more than 30 MB of file transfer, as the image file for the Cisco Catalyst 6513 Switch is always more than 30 MB in size. Personally I would recommend the TFTP server from the PacketTrap pt360 Tool Suite.

Things to be considered for IOS upgrade series 2 


Sep 16 2008   7:55AM GMT

How to enable browsing with multiple subnets(VLANS) through Microsoft ISA Server 2006



Posted by: Yasir Irfan
Networking, Servers, Subnets, ISA Server, Microsoft, Microsoft ISA, Internet Browsing

The other day we installed Microsoft ISA Server 2006 for Internet browsing, as shown in the figure below.

ISA

The ISA Server has two NICs: one is connected to the DMZ zone, with a real IP NATed to a private DMZ zone IP, and the second NIC is connected to the internal network.

Users were able to access the Internet from the same subnet as the Windows ISA Server 2006 (10.0.0.0/23 with default gateway 10.0.0.1). But we were facing a problem with the users in other subnets: they were not able to browse the Internet. So we checked the connectivity from the client to the Windows ISA Server 2006 network and the VLAN configurations in the Cisco Catalyst Switch. Everything was fine. But we were not able to ping the default gateways for all the VLANs (subnets). Finally we checked the event log in Windows ISA Server 2006 and found that the Windows ISA Server 2006 was dropping the packets due to a suspected spoof attack. Why should requests coming from a different subnet be considered spoofed? This is because Windows ISA Server 2006 believes that requests coming from any network which does not have a direct route mentioned in its routing table are spoofed. So what is the solution? Quite simple! Add a static route using the route add command.

Route Add
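
The drop-then-fix behaviour described in this post, as an added example (not code from the original post or from ISA Server): a simplified model of a source-address check in which a packet is trusted only when the route back to its source leaves through the NIC it arrived on. The 10.0.0.0/23 subnet and 10.0.0.1 come from the post; the second VLAN 10.0.2.0/23, the DMZ addressing and the interface names are assumed.

```python
"""Simplified model of the source-address (anti-spoofing) check described above."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    interface: str                 # NIC the route points out of
    gateway: Optional[str] = None  # None means directly connected


def best_route(table, address):
    """Longest-prefix match, as an IP stack does when choosing a route."""
    ip = ipaddress.ip_address(address)
    matches = [r for r in table if ip in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)


def is_spoofed(table, source, arrival_interface):
    """Trust a source only if the route back to it leaves via the NIC the
    packet arrived on; anything else is treated as a spoofed address."""
    route = best_route(table, source)
    return route is None or route.interface != arrival_interface


def verdicts(table, packets):
    """Return (source, nic, verdict) for each (source, nic) pair."""
    return [(src, nic, "DROP (spoof)" if is_spoofed(table, src, nic) else "ALLOW")
            for src, nic in packets]


# Constructed routing table for a two-NIC proxy. Only 10.0.0.0/23 and
# 10.0.0.1 appear in the post; the DMZ range and NIC names are assumed.
ROUTES_BEFORE = [
    Route(ipaddress.ip_network("10.0.0.0/23"), "internal"),
    Route(ipaddress.ip_network("192.168.50.0/24"), "dmz"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "dmz", "192.168.50.1"),
]

# Static route for a second VLAN (assumed 10.0.2.0/23) behind the L3 switch.
# Windows equivalent with these assumed values:
#   route -p add 10.0.2.0 mask 255.255.254.0 10.0.0.1
ROUTES_AFTER = ROUTES_BEFORE + [
    Route(ipaddress.ip_network("10.0.2.0/23"), "internal", "10.0.0.1"),
]

# Constructed sample traffic: (source address, NIC it arrived on).
PACKETS = [
    ("10.0.0.57", "internal"),  # client in the proxy's own subnet
    ("10.0.2.25", "internal"),  # client in the other VLAN
    ("10.0.2.25", "dmz"),       # same address arriving on the outside NIC
]

if __name__ == "__main__":
    for label, table in (("before static route", ROUTES_BEFORE),
                         ("after static route", ROUTES_AFTER)):
        print(label)
        for row in verdicts(table, PACKETS):
            print("  %-12s via %-8s -> %s" % row)
```

In this model the static route does two things: it lets the second VLAN through on the internal NIC, and it makes the same address arriving on the DMZ NIC fail the check, where previously it matched only the default route.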


Jul 13 2008   6:03AM GMT

Sample I.T. Security Policy - Internet Security



Posted by: Yasir Irfan
Networking, Security, Servers, Microsoft Windows, Linux, Switches, Cisco, Routers, Policies, Mobile, Internet Security, Network Documentation, Exchange, Network Documentation Policy, Network Policies

Finally we are completing this series; here we go with the last topic. It’s Internet Security Policy which is very important to have for any organization. I would welcome your comments which may encourage me to come up with more interesting stuff.

 

 

INTERNET POLICY

 

“IS” CONSIDERED THE FOLLOWING:

1. Dedicate a firewall device. Don’t run other services on it, and disable all unnecessary service features that may be included in the firewall package.

2. Disallow all connection attempts to hosts inside the network. Allowing any inbound connections provides a mechanism hackers might be able to exploit to establish connections to Trojan horses or by exploiting bugs in service software.

3. Divide provided services using Internet tools into public services and private (organizational) services. Place the public services on an Internet site (or sites) external to the Internet firewall and provide the private services on an intranet site (or sites) on the protected LAN.

4. Do not rely upon packet filtering alone to protect the network.

5. Do not rely upon Windows ISA Server built-in filtering alone to protect the network.

6. Do not use simple packet filtering or packet-filtering services from the Internet service provider as a replacement for application-layer firewalls. They are not as secure.

7. Don’t rely solely on packet filters for security protection from the Internet. Drop all external routing protocol (EIGRP) updates bound for internal routers. No one outside the network should be transmitting RIP updates to internal routers.

8. Filter out and do not respond to ICMP redirect and echo (ping) messages.

9. Limit the number of external hosts allowed to connect through the firewall to the absolute minimum possible. Take measures to make sure the IP addresses of those hosts are difficult to determine using proxy servers, Firewall or IP masquerades.

10. Make sure there’s no way for a hacker to tell which firewall product is in use.

11. Never publish a list of user or employee names on the Web site. Publish job titles instead.

12. Reduce the number of connections to the Internet to the minimum number possible: one per campus. Many large organizations allow only a single link to the Internet at headquarters and then route all remote offices to that point using the same frame relay lines used to connect internal networks. Respond immediately to intrusion attempts when they are detected. Collect as much information about the attacker as possible. Use their IP domains to determine who the higher-level service providers are.

13. Set up the firewall to discard ICMP echo and redirect messages addressed to interior hosts.

14. Unbind NetBIOS from all servers outside the firewall. Set the TCP/IP stacks on those machines to accept connection only on ports for services that machine specifically provides.

15. If there is only one connection to the Internet, hard code that connection in the router connected to the service provider’s network. Use RIP, EIGRP, OSPF or other automated routing protocols to manage routing inside the network.

16. Do not allow SNMP to travel into or out of the network.

17. Use operating system software on Internet accessible machines that are not susceptible to the Ping of Death.

18. Configure the gateway not to pass Ping packets.

19. Install the latest version of the operating system software.

20. Log network activity and have the log software signal an alert when a SYN attack or an ICMP flood is in progress. Deny access to the computer or network that originates the attack, and take measures (such as calling or sending an e-mail message to the administrator of the offending network) to stop the malicious behavior.

21. Un-bind NetBIOS from Internet-accessible network adapters. Allow only authorized hosts outside the network to connect to the DNS servers.

22. Configure the gateway or packet filter to discard all IP packets that use the source routing feature.

23. Disallow services for which there are no proxy servers.

24. Do not allow clear-text password authentication.

25. Do not use RIP or other automated routing protocols. Statically assign the routing tables and disable RIP updates unless the network is too large to manage manually. This makes them impervious to RIP-based denial-of-service or spoofing attacks.

26. Don’t allow dial-up connections to the Internet. Remove modems and all other uncontrolled network access devices. Disable free COM ports in the BIOS settings of client computers and password protect the BIOS to prevent users from overriding the security settings.

27. Drop all packets that are TCP source routed. Source routing is rarely used for legitimate purposes.

Log all public access to servers, and check the logs often. Use alerting software to detect hacking attempts against the exposed machines.

28. Set up monitoring software that can alert on flood attacks against the network. Record the IP addresses of the source computers (assuming they look valid) and try to determine the source of the attacks so legal measures can be taken to stop the problem.

29. Set up the organization's own firewall. Place Web and FTP servers outside it and mail servers on the inside. Pass only SMTP and POP3 traffic from external sources. Run no other services or software on mail, Web, FTP, or firewall servers.

30. Use a port scanner periodically (about once a month) from outside the network to check the status of the firewall, packet filter, and NetBIOS bindings. This is especially important when servers are maintained by more than one person or when retaining outsourced security services.

31. Use high-level proxies capable of stripping executable content like ActiveX and Java from Web pages.

32. Use IP masquerades to hide the identity of hosts inside the network.

33. Whenever possible, use proxy servers for all application protocols.

34. Use IP address assignment, in combination with an internal firewall and IP selection on servers, to further control and partition the access allowed to remote users.

35. Use a Web and FTP hosting service rather than computers on the organization's own network to provide customers with information about the Organization. This puts the Web hosting agency at risk rather than the organization's own network, and allows the provision of no public services from internal servers.

36. As a part of security training, make sure users know to report all instances of denial of service whether they seem important or not. If a specific denial of service can’t be correlated to known downtime or heavy usage, or if a large number of service denials occur in a short time, a siege may be in progress.

37. Great care must be taken when downloading information and files from the internet to safeguard against both malicious code and also inappropriate material.

38. Avoid using one of the smaller Internet service providers. Hackers frequently target them as potential employers because they often have less security awareness and may use UNIX computers, rather than dedicated machines, as gateways and firewalls, making spoof attacks easy to perpetrate. Ask the service provider if they perform background checks on technical service personnel, and reject those that say they do not.

39. Consider using the disconnected Internet security model if the services required by the users can be made available from a single machine.

40. Manually assign IP addresses if the Organization is a potential espionage target.

41. Apply the anti-spoofing filter.

42. Plans are to be prepared, maintained and regularly tested to ensure that damage done by possible external cyber crime attacks can be minimized and that restoration takes place as quickly as possible.

43. In order to reduce the incidence and possibility of internal attacks, access control standards and data classification standards are to be periodically reviewed whilst maintained at all times.

44. Contingency plans for a denial-of-service attack are to be maintained and periodically tested to ensure adequacy.

45. Procedures to deal with hoax virus warnings are to be implemented and maintained.

46. Antivirus software is to be deployed across all PCs with regular virus defining updates and scanning across servers, PCs and laptop computers.

47. E-commerce processing systems including the e-commerce Web site(s) are to be designed with protection from malicious attack given the highest priority.

48. E-commerce related Web Site(s) and their associated systems are to be secured using a combination of technology to prevent and detect intrusion together with robust procedures using dual control, where manual interaction is required.

49. Personnel should understand the rights granted to them by the Organization in respect of privacy in personal e-mail transmitted across the Organization systems and networks. Human Resources Department should incorporate a suitable wording into employee contracts to ensure that this privacy issue is fully understood.

50. Confidential and sensitive information should not be transmitted by e-mail unless it is secured through encryption or other secure means.

51. E-mail should be considered as an insecure communications medium for the purposes of legal retention for record purposes. With the usage of digital signatures and encryption, reliance upon e-mail may soon be available; however, if in any doubt, treat e-mail as transient.

52. External e-mail messages should have appropriate signature footers and disclaimers appended (E-mail Signature File). A disclaimer is particularly important where, through a miss-key, the email is sent to an inappropriate person. The disclaimer should confirm the confidential nature of the email and request its deletion if the addressee is not, in fact, the intended recipient.

53. Personnel should not open e-mails or attached files without ensuring that the content appears genuine. If you are not expecting to receive the message or are not absolutely certain about its source do not open it.

54. Personnel should be familiar with general e-mail good practice, e.g. the need to save, store and file e-mail with business content in a similar manner to the storage of letters and other traditional mail. E-mails of little or no organizational value should, on the other hand, be regularly purged or deleted from your system.

55. Use standard TEXT (ASCII) messages where possible; these are both smaller (in terms of file size) and are less able to ‘hide’ executable code e.g. HTML based e-mails which can ‘run’ upon opening.

56. The sending of inappropriate messages should be prohibited including those which are sexually harassing or offensive to others on the grounds of race, religion or gender.


Jul 8 2008   8:20AM GMT

Sample I.T. Security Policy - Remote Access Security



Posted by: Yasir Irfan
Networking, Network Security, Security, Servers, Microsoft Windows, Cisco, Policies, Network Documentation Policy, Network Policies, Server Security, Remote Access Security

Finally we are almost at the completion of the Sample I.T. Security policy; we have just two more topics to cover. In the coming days I will try to complete that. Here we are with Remote Access Security.

 

REMOTE ACCESS SECURITY 

“IS” CONSIDERED THE FOLLOWING:

1. A RAS server provides the most secure method for remote access to the network if it is required.

2. Never allow client computers on the network to answer remote access connections.

3. Organize all remote access servers in a centrally controlled location.

4. Servers have no need to originate dial-out connections (Except when using telephone lines as low cost WAN connections, but these connections should be relatively permanent).

5. To simplify security administration, allow only one method of remote access into the network.

6. Remote access control procedures must provide adequate safeguards through robust identification, authentication and encryption techniques.

7. Carefully consider the wisdom of providing cellular telephones and modems for use with laptop computers. This technology isn’t usually justified considering the relatively modest increase in productivity compared to the cost and the security risk of a lost laptop.

8. Consider using only the NetBEUI protocol for remote access to limit the extent of intrusions on the network.

9. Control the distribution of remote access software on the network. Never allow client computers to run remote control software. If remote control software is necessary, run the software from centrally controlled computers or thin-client servers.

10. Disable dial-in networking, except in the cases of trusted individuals or to special computers, because dial-in networking can bypass regular network security.

11. Encourage an easy-to-use (but secure, of course) method for users to indicate when they need remote access, for how long, and to which phone number. Base the dial-in permissions on these requests. Always verify the request verbally with the user to ensure that it’s not a spoof.

12. Gather contact information for the telephone companies as soon as possible so that it is on hand if dial-up hacking attempts are discovered.

13. If possible, use external modems to answer RAS connections. They can be powered off when no RAS activity is anticipated, and they allow manual disconnection if necessary.

14. If remote access is required only occasionally, set the Remote Access Server service to start manually, then use the services control panel to start the service when needed and stop it when it is no longer in use.

15. Revoke dial-in permissions for users during periods when they are not necessary, and invoke them when the user is away from the office or working from home for a period.

16. Thin client and remote control software can be more secure than remote access software in certain circumstances. For instance, an entire database could be copied down using remote access software, but that same data would be extremely difficult to extract using remote control software configured to disallow file transfers.

17. Tightly control user-based remote access permissions. Allow only those users who have an immediate need to log in remotely.

18. Use alarming software to detect numerous attempts at password guessing over dial-up networks. Use the standard performance monitor to detect this activity, or purchase third party alarming software.

19. Use callback security. Without callback security, tracing RAS based intrusion attempts is very difficult.

20. Use external modems that have on/off switches for those machines that have remote access software installed. Only turn on a modem when a user calls in and requests a remote control connection.

21. Use hard-coded callback security for all remote users that don’t normally travel, to prevent their account from being exploited from unknown locations.

22. Use Microsoft encryption when possible.

23. Use the Point-to-Point Tunneling Protocol for all Internet connections allowed into the network, or some third-party software that performs the encrypted tunnel function in concert with the firewall.