Sunbelt W2Knews Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Thu, May 30, 2002 (Vol. 7, #42 - Issue #373)
Network Traffic Analysis In Daily Admin
This issue of W2Knews contains:
- EDITORS CORNER
- TECH BRIEFING
- How Do I Use Network Traffic Analysis In My Daily Admin?
- NT/2000 RELATED NEWS
- Windows and .Net Mag Poll on 6.0 Licensing: 51% Higher Cost
- Free MS SQL Worm Scanner Available From Sunbelt
- WinXP SP 1 Beta Imminent
- NT/2000 THIRD PARTY NEWS
- PestPatrol Limited Time Offer Ends May 31st!
- 15-Minute Update On Award Winning Vulnerability Scanner
- How Fast Are Your Files? New Version Of hIOmon Will Tell You
- New Pocket PC Version 2.5 Of sonicadmin
- W2Knews 'FAVE' LINKS
- This Week's Links We Like. Tips, Hints And Fun Stuff
- PRODUCT OF THE WEEK
- How to Do Everything With Your iPAQ(R) Pocket PC
Migrating to Windows 2000/XP? How quickly can you assess your
entire computing environment to determine current OS, RAM, disk
space, processor and if the user has an open memory slot? Recent
winner of "BEST of Show" at FOSE 2002, Altiris Client Mgmt Suite
conveniently allows you to deploy, manage and migrate desktops,
notebooks and handhelds from the quiet, comfortable place you
call your office. 30-day FREE trial.
Visit Altiris for more information.
Keeping It Short
Since we skipped the Memorial Day issue, there is a lot of news
to report on. That's why I'm keeping my little corner very short
so you can get right to all the goodies!
Our Refer-A-Friend Contest is back! Subscribe to either W2Knews or WinXPnews, complete your profile, recommend up to 3 of your friends, have them complete their profiles and each of you could be eligible to win your own Palm m105 Handheld! We're giving away 4 of these puppies! (Sponsored by Computers4SURE, your source for 60,000+ Technology Products.) Use the link at the bottom of each newsletter to update your profile and recommend your friends.
(email me with feedback: [email protected])
SPONSOR: Be The First To Know
What is the Secret of those System Admins that always seem to have
their systems up and running? An Early Warning System that makes them
aware of problems before downtime hits hard and heavy. The new ELM
3.0 is now an MMC Snap-in, still a terrific value, and helps you be
at home in the weekends and able to sleep at night. Get your 30-day
Visit Be The First To Know for more information.
How Do I Use Network Traffic Analysis In My Daily Admin?
Question: I see you guys picked up eEye Digital Security's Iris Network
Traffic Analyzer product. Can you help me understand how Iris would fit
with my day-to-day network administration?
Answer: Iris is a network traffic analyzer with reconstruction capabilities. It can aid you by clearly and graphically showing what kind of traffic is coming into and going out of your network, and from where. Installing Iris on different segments of your network allows you to troubleshoot network problems before they become an issue and require potential downtime.
There are three primary uses of Iris:
- Packet filtering and logging
- Bandwidth performance analysis
- Packet reconstruction
1) Packet Filtering and Logging
The primary function of Iris is to capture and record network traffic
for analysis and forensic purposes. Iris's filtering and logging capability
allows you to limit captured traffic on keywords, protocol types, IP
addresses, MAC addresses, ports, and specific information within the
packet itself (which can all be saved for later analysis). Iris is highly
configurable to allow you to filter the network traffic you are interested
in viewing and logging the information to a file. Additionally, you can
be alerted via the Guard feature to be notified when suspect activity
occurs. For example, you can be alerted when a certain service is in use
(i.e. AOL Instant Messenger) or a certain file or email address runs in
Iris can also be run on a scheduled basis, easily customized through a
graphical interface. In this manner you can monitor and log information
about the network only at specific times of concern or interest.
2) Bandwidth Performance
Using Iris's statistical capabilities administrators can gather data
about bandwidth performance, remote host information, and the type of
network protocols running on their network.
By installing Iris on more than one switch on the network, you can:
- quickly detect and fix bandwidth latency and network problems;
- create stats of what days and times the network has the greatest traffic load;
- and view the most popular protocols on the network (i.e., IPX, TCP/IP, TCP, UDP, ICMP, etc.).
3) Packet Reconstruction
One of Iris's most exciting features is its ability to reconstruct
traffic. Using the 'Decode View', Iris can reconstruct web pages, email,
and instant messaging traffic that has passed on your network. Iris
will recreate the session of a user and allow you to view the reconstructed
web page, or email through a web browser or email client. You can review
email messages, web pages and IM conversations that have passed on the
network. The email as well as its attachments can be viewed and analyzed
through an Outlook application. You can also monitor instant messaging
conversations, scanning for keywords such as usernames or specific terms.
Iris incorporates highly developed protocol decoding capabilities. Iris
quickly organizes captured packets by session and categorizes them by
protocol such as HTTP or SNMP. In this way, Iris provides a list of all
web-browsing sessions, all email grouped by incoming and outgoing, and
more for quick and easy analysis.
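As an added illustration (not Iris code, and not anything from eEye), here is how the session grouping, port-based protocol labelling and Guard-style service/keyword alerting described above can be modelled in Python. The packet records, port map and addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed sample capture: (src_ip, src_port, dst_ip, dst_port, proto, payload)
PACKETS = [
    ("10.0.0.5", 1025, "192.0.2.10", 80, "TCP", b"GET /index.html HTTP/1.0\r\n"),
    ("192.0.2.10", 80, "10.0.0.5", 1025, "TCP", b"HTTP/1.0 200 OK\r\n\r\n<html>...</html>"),
    ("10.0.0.7", 1030, "192.0.2.25", 25, "TCP", b"MAIL FROM:<alice@example.com>\r\n"),
    ("10.0.0.7", 1030, "192.0.2.25", 25, "TCP", b"RCPT TO:<finance@example.com>\r\n"),
    ("10.0.0.9", 1040, "192.0.2.40", 5190, "TCP", b"AIM client login"),
    ("10.0.0.5", 1026, "192.0.2.53", 53, "UDP", b"\x12\x34\x01\x00"),
]
# Well-known port to protocol label; 5190 is the AOL Instant Messenger port.
PORT_TO_PROTOCOL = {80: "HTTP", 25: "SMTP", 110: "POP3", 53: "DNS", 161: "SNMP", 5190: "AIM"}

def session_key(pkt):
    """Bidirectional key: both directions of a conversation map to one session."""
    src, sport, dst, dport, proto, _ = pkt
    return (proto,) + tuple(sorted([(src, sport), (dst, dport)]))

def classify(pkt):
    """Label a packet by the first well-known port seen, else by its transport."""
    _, sport, _, dport, proto, _ = pkt
    for port in (dport, sport):
        if port in PORT_TO_PROTOCOL:
            return PORT_TO_PROTOCOL[port]
    return proto

def sessionize(packets):
    """Group packets into sessions with a protocol label and packet/byte counts."""
    sessions = defaultdict(lambda: {"protocol": None, "packets": 0, "bytes": 0})
    for pkt in packets:
        s = sessions[session_key(pkt)]
        s["protocol"] = s["protocol"] or classify(pkt)
        s["packets"] += 1
        s["bytes"] += len(pkt[5])
    return dict(sessions)

def guard_alerts(packets, watched_services=("AIM",), keywords=(b"finance@example.com",)):
    """Guard-style alerts: a watched service in use, or a keyword inside a payload."""
    alerts = []
    for pkt in packets:
        label = classify(pkt)
        if label in watched_services:
            alerts.append(("service", label, pkt[0]))
        for kw in keywords:
            if kw in pkt[5]:
                alerts.append(("keyword", kw.decode(), pkt[0]))
    return alerts
```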
Click here to download a trial version of Iris:
NT/2000 RELATED NEWS
Windows and .Net Mag Poll on 6.0 Licensing: 51% Higher Cost
The first and largest magazine for Windows System and Network Admins
recently did one of their instant Polls on the new Microsoft Licensing
program. The results were quite interesting:
"Do you think Microsoft's new Licensing 6.0 program will lower overall
upgrade costs for your organization?". The results (+/-2 percent) from
the 346 votes were:
- 4% Yes, it will lower upgrade costs
- 51% No, it will raise upgrade costs
- 39% It won't change our upgrade costs
- 4% Don't know
- 3% We don't use Microsoft products
Your company may be in this 51% category, and you may be asking
yourself the following questions:
- Is your business ready for MS Licensing 6.0?
- Does your company understand the new terms, conditions, maintenance and upgrade schemas and potential price increases?
- What discounts have other companies been able to get?
- How is software license non-compliance going to affect you?
- Should you even do this? Perhaps switch over to other platforms?
- How much is your software cost going to increase... 20 or 100%?
- Should you start leasing your software, much like a car?
- What hidden price increases are in the new 6.0 licensing?
- How much should Software Assurance really cost you?
- Can you still transfer licenses to other divisions?
Here is some help to get the best deal from MS:
Free MS SQL Worm Scanner Available From Sunbelt
A new SQLsnake worm, which also goes by the names Spida and Digispid,
has made port 1433 the "most attacked port" according to Dshield.org.
It has wrested the top spot from port 80, the favorite food of Code
Red and Nimda. Port 80 was the most attacked port for several months.
Spida looks for machines running SQL Server without password protection.
Severity level: High
Systems affected: Default installations of Microsoft SQL Server
Description:
The SQL worm (AKA: Spida, Digispid.B.Worm) infects by inserting itself
into MSSQL database servers with no password protecting the SA (System
Administrator) account. The worm executes commands on the vulnerable
server using the "xp_cmdshell" General Extended Procedure, and the
commands it executes activate and configure the Windows "Guest" account
so it can be used to copy files over to the vulnerable machine via
Windows file sharing. After the files have been copied over, they are
"hidden" and the worm goes into a cleanup phase. It deactivates the
Guest account and changes the password for the SA account.
The worm then creates a file containing details about the network
interfaces, database, and Windows account password hashes. This file
is emailed to [email protected], which we are guessing is an email box
created by the worm's author. Finally, the target machine begins to
scan for other machines and continues the chain of infection.
You can download a free scanner to check your network for this hole.
It's an application (subset) of the Retina Scanner and sits on its
download page. Yes, you do need to leave your address info, but that's
all. I just ran this myself and found four machines in our own LAN
that were vulnerable. Get it here:
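Added example, not part of the newsletter and not Sunbelt's or eEye's scanner: a small Python detector that reads constructed firewall log lines and flags hosts fanning out to TCP port 1433 the way the worm's scanning phase does, and lists servers that accepted a 1433 connection so their SA password and xp_cmdshell exposure can be reviewed. The log layout and addresses are made up for the example.

```python
import re
from collections import defaultdict

# Constructed firewall log lines in a made-up "date time src dst proto dport action" layout
# (not the format of any real product); 10.0.0.12 fans out to port 1433 like a worm scan.
SAMPLE_LOG = """\
2002-05-28 09:00:01 10.0.0.12 10.0.0.20 TCP 1433 DROP
2002-05-28 09:00:01 10.0.0.12 10.0.0.21 TCP 1433 DROP
2002-05-28 09:00:02 10.0.0.12 10.0.0.22 TCP 1433 ACCEPT
2002-05-28 09:00:02 10.0.0.12 10.0.0.23 TCP 1433 DROP
2002-05-28 09:00:03 10.0.0.12 10.0.0.24 TCP 1433 DROP
2002-05-28 09:00:05 10.0.0.30 10.0.0.20 TCP 1433 ACCEPT
2002-05-28 09:00:06 10.0.0.31 10.0.0.50 TCP 80 ACCEPT
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (TCP|UDP) (\d+) (\w+)$")

def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, proto, dport, action = m.groups()
        events.append({"ts": ts, "src": src, "dst": dst, "proto": proto,
                       "dport": int(dport), "action": action})
    return events

def find_sql_scanners(events, port=1433, min_targets=4):
    """Sources that touched at least min_targets distinct hosts on the SQL Server port."""
    targets = defaultdict(set)
    for e in events:
        if e["proto"] == "TCP" and e["dport"] == port:
            targets[e["src"]].add(e["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}

def accepted_sql_servers(events, port=1433):
    """Hosts that accepted a 1433 connection: check their SA password and xp_cmdshell."""
    return sorted({e["dst"] for e in events if e["dport"] == port and e["action"] == "ACCEPT"})
```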
WinXP SP 1 Beta Imminent
Microsoft on Friday announced it will release a beta of its first
service pack for Windows XP late this month that contains a wide
assortment of new bug fixes and features, as well as the first
changes that bring the operating system into compliance with the
government's consent decree.
Some of the technical fixes in the update are patches developed out
of the company's ongoing Trustworthy Computing Initiative and are
intended to plug security holes in the product. Microsoft will
continue to add other security fixes to the beta version right up
until it ships to manufacturing later this summer, company officials
said. Full article at InfoWorld:
Subscribe to WinXPnews if you want more detail about this:
THIRD PARTY NEWS
PestPatrol Limited Time Offer Ends May 31st!
Readers of W2Knews and WinXPnews are able to get PestPatrol for the
reduced price of just $19.95 for just a few days more, but then it
will go up to the normal price again. So, if you are concerned about
spyware, scumware, Remote Access Trojan backdoors, and other pests,
this is the time to get your copy. This product is selling like
You may recently have downloaded an evaluation copy of PestPatrol,
but the evaluation software only detects - it doesn't remove the malware
it finds. You need to buy the full product to clean your PC. (You should
be aware that simply deleting the files detected by PestPatrol is not
a complete solution; it's very likely that your registry and .ini files
will need to be repaired - not a task for the faint of heart!)
We're sure you don't want to leave these unwanted and potentially
malicious programs on your system for any longer than is necessary.
So, we've teamed up with our partner, PestPatrol, to offer PestPatrol
evaluators the opportunity to purchase the full product at just $19.95
- a 35% saving over the regular price.
But you need to act soon. This special price is only available until
May 31 2002. At midnight Florida time on that date, the price returns
to $29.95. So don't hesitate. Pop down to the Sunbelt Online Shop today
and give your PC the PestPatrol treatment.
15-Minute Update On Award Winning Vulnerability Scanner
A crucial part of your security toolkit is a scanner that shows holes
in your network and machines. But testing scanners can be a very long
process. We made that easier for you and created a 15-minute show that
you can watch at any time and get all the relevant and important data
so you can move faster on your way to a more secure environment. This
thing is worth watching. Download here:
How Fast Are Your Files? New Version Of hIOmon Will Tell You
hIOmon, the File I/O Performance Monitor from hyperI/O, lets you
easily, quickly and precisely measure and monitor the performance
of your file I/O operations -- all from the file level perspective.
The latest version now includes Windows PerfMon/SysMon Support.
Why hIOmon? Because you need files if you want to start your computers
and keep them running. And if you want your computers to do something
useful (big tasks like run an accounting software package or inventory
application, act as a Web or email server, or simply write a letter,
surf the Web, maybe even play a game), you'll need files (and often
lots of them). Since files are such a crucial part of your computer
systems, understanding their performance is a key consideration when
monitoring (and trying to improve) the overall performance and productivity of your computer systems. As an innovative, unique system utility
tool, Sunbelt hIOmon can collect and display a wide variety of useful,
performance-related information based upon actual empirical data - all
from the perspective of individual files within your own particular
computer system environment.
The Sunbelt hIOmon File I/O Performance Monitor is packed full of useful
features, many of which you won't be able to find anywhere else. hIOmon
provides several unique automation features that allow you to easily,
quickly and automatically get the specific file I/O operation performance
information that you need. Eval here:
New Pocket PC Version 2.5 Of sonicadmin
sonicadmin is making a big splash with system and network admins who
need to perform their jobs from their Pocket PC or RIM Blackberry while
on the move. IT people from all sectors including corporations, government,
and the military have been adopting this amazing technology. Originally
they were excited by the 'coolness' of the product, but now converts
are speaking up about the tremendous ROI they are seeing with one VP
of IT quoted "Since buying sonicadmin three months ago, it has already
paid for itself several times over".
If you thought that sonicadmin 2.0 was great, wait until you try version
2.5. Just released by Sonic Mobility, new features include the ability
to browse the file directory of any system on your network and pull
critical .INI or other text files down to your handheld to edit them.
Imagine being able to change your boot.ini file on the fly when you get
a notice of a hard drive failure on your web server! You can also locate
a file off any server or workstation and email it to anyone instantly.
Connect to any system or piece of hardware with SSH or Telnet, set up
all your DNS settings, manage users, event logs, printers, shares,
services, processes and more. If you really get stuck, you can even
physically cut and cycle the power to a locked up server, router, or
sonicadmin also uses a complete native client architecture that provides
an unprecedented level of security and a highly usable interface on
your handheld device. This means that the only thing being transmitted
across your wireless connection is a highly compressed encrypted data
packet, resulting in maximum speed and usability across a wireless network
(which is critical for real time activities like server management).
There is nothing like the experience of actually trying it, so I encourage
you to download the free trial if you have a wireless enabled Pocket PC
or RIM Blackberry. This is a completely unrestricted 30-day trial so
you can experiment with all the features of the sonicadmin 2.5. Once
you've put it through its paces, the value will be obvious. Eval at:
This Week's Links We Like. Tips, Hints And Fun Stuff
T-shirts that fuse geek culture with high fashion, over at Errorware:
How to crack biometric devices. Article with all the details:
Very smart appliances in Microsoft's Home Of The Future:
It's been all over the news. The U.S. Army has their own game on the web:
PRODUCT OF THE WEEK
How to Do Everything With Your iPAQ(R) Pocket PC
If you own an iPAQ Pocket PC or are thinking about buying one, this is
the book for you. How To Do Everything With Your iPAQ Pocket PC covers
everything that an iPAQ owner needs to know to get the most out of their
device. It includes full tutorials on all the built-in software such as
Pocket Word, Excel, Outlook, and others. It also covers important issues
such as securing your iPAQ and the data that it carries and maximizing
your battery life. You will learn about what third party hardware and
software is available for the product, how to connect your iPAQ wirelessly
to the Internet, use GPS units for personal navigation, do business
presentations directly from your iPAQ and much much more.