Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Thu, May 30, 2002 (Vol. 7, #42 - Issue #373)
Network Traffic Analysis In Daily Admin
  This issue of W2Knews™ contains:
  1. EDITORS CORNER
    • Keeping It Short
  2. TECH BRIEFING
    • How Do I Use Network Traffic Analysis In My Daily Admin?
  3. NT/2000 RELATED NEWS
    • Windows and .Net Mag Poll on 6.0 Licensing: 51% Higher Cost
    • Free MS SQL Worm Scanner Available From Sunbelt
    • WinXP SP 1 Beta Imminent
  4. NT/2000 THIRD PARTY NEWS
    • PestPatrol Limited Time Offer Ends May 31st!
    • 15-Minute Update On Award Winning Vulnerability Scanner
    • How Fast Are Your Files? New Version Of hIOmon Will Tell You
    • New Pocket PC Version 2.5 Of sonicadmin
  5. W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
  6. PRODUCT OF THE WEEK
    • How to Do Everything With Your iPAQ(R) Pocket PC
  SPONSOR: Altiris
Migrating to Windows 2000/XP? How quickly can you assess your entire computing environment to determine current OS, RAM, disk space, processor and if the user has an open memory slot? Recent winner of "BEST of Show" at FOSE 2002, Altiris Client Mgmt Suite conveniently allows you to deploy, manage and migrate desktops, notebooks and handhelds from the quiet, comfortable place you call your office. 30-day FREE trial.
Visit Altiris for more information.
  EDITORS CORNER

Keeping It Short

Since we skipped the Memorial Day issue, there is a lot of news to report on. That's why I'm keeping my little corner very short so you can get right to all the goodies!

Our Refer-A-Friend Contest is back! Subscribe to either W2Knews or WinXPnews, complete your profile, recommend up to 3 of your friends, have them complete their profiles and each of you could be eligible to win your own Palm m105 Handheld! We're giving away 4 of these puppies! (Sponsored by Computers4SURE, your source for 60,000+ Technology Products.) Use the link at the bottom of each newsletter to update your profile and recommend your friends.

Warm regards,
Stu Sjouwerman (email me with feedback: [email protected])

  SPONSOR: Be The First To Know
What is the Secret of those System Admins that always seem to have their systems up and running? An Early Warning System that makes them aware of problems before downtime hits hard and heavy. The new ELM 3.0 is now an MMC Snap-in, still a terrific value, and helps you be at home in the weekends and able to sleep at night. Get your 30-day eval here:
Visit Be The First To Know for more information.
  TECH BRIEFING

How Do I Use Network Traffic Analysis In My Daily Admin?

Question: I see you guys picked up eEye Digital Security's Iris Network Traffic Analyzer product. Can you help me understand how Iris would fit with my day-to-day network administration?

Answer: Iris is a network traffic analyzer with reconstruction capabilities. It can aid you by clearly and graphically showing what kind of traffic is coming in and out of your network and from where. Installing Iris on different segments of your network allows you to troubleshoot network problems before they become an issue that requires downtime.

There are three primary uses of Iris:

  1. Packet filtering and logging
  2. Bandwidth performance analysis
  3. Packet reconstruction

1) Packet Filtering and Logging

The primary function of Iris is to capture and record network traffic for analysis and forensic purposes. Iris's filtering and logging capability allows you to limit captured traffic by keyword, protocol type, IP address, MAC address, port, and specific information within the packet itself (and all of it can be saved for later analysis). Iris is highly configurable, so you can filter down to the network traffic you are interested in viewing and log that information to a file. Additionally, the Guard feature can alert you when suspect activity occurs. For example, you can be alerted when a certain service is in use (e.g., AOL Instant Messenger) or when a certain file name or email address appears in traffic on your network.

Iris can also be run on a scheduled basis, easily customized through a graphical interface. In this manner you can monitor and log information about the network only at specific times of concern or interest.
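The filter, log and Guard ideas in this section, put into working code. This is an added example written for this page, not eEye's Iris code or its data model: the `Packet` record, the `make_filter` criteria (including an `hours` criterion that stands in for the scheduled-capture feature), the `WATCHED_SERVICES`/`WATCHED_KEYWORDS` rule tables and the sample capture are all constructed here.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Iterable, List, Optional


# Constructed packet record. The field names are this example's assumption,
# not the data model of Iris or any other product.
@dataclass
class Packet:
    ts: float          # capture time, Unix seconds (UTC)
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str         # "TCP", "UDP", "ICMP", ...
    src_port: int
    dst_port: int
    payload: bytes


def make_filter(proto: Optional[str] = None, ip: Optional[str] = None,
                mac: Optional[str] = None, port: Optional[int] = None,
                keyword: Optional[bytes] = None,
                hours: Optional[Iterable[int]] = None) -> Callable[[Packet], bool]:
    """Build a capture filter; a packet passes only if it matches every criterion given.

    `hours` is a schedule: only packets captured in those UTC hours-of-day pass,
    which is how a 'capture only at times of interest' rule is expressed here.
    """
    hour_set = set(hours) if hours is not None else None

    def matches(p: Packet) -> bool:
        if proto is not None and p.proto != proto:
            return False
        if ip is not None and ip not in (p.src_ip, p.dst_ip):
            return False
        if mac is not None and mac.lower() not in (p.src_mac.lower(), p.dst_mac.lower()):
            return False
        if port is not None and port not in (p.src_port, p.dst_port):
            return False
        if keyword is not None and keyword not in p.payload:
            return False
        if hour_set is not None:
            if datetime.fromtimestamp(p.ts, tz=timezone.utc).hour not in hour_set:
                return False
        return True

    return matches


def log_filtered(packets: Iterable[Packet], flt: Callable[[Packet], bool],
                 path: Optional[str] = None) -> List[str]:
    """Return one log line per packet that passes the filter; also append them to `path` if given."""
    lines = [f"{p.ts:.0f} {p.proto} {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port} {len(p.payload)}B"
             for p in packets if flt(p)]
    if path:
        with open(path, "a", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
    return lines


# Constructed 'Guard' rules: services and strings whose appearance should raise an alert.
# TCP/5190 is the classic AOL Instant Messenger login port; the keyword list is made up.
WATCHED_SERVICES = {5190: "AOL Instant Messenger"}
WATCHED_KEYWORDS = [b"payroll.xls", b"[email protected]"]


def guard_alerts(packets: Iterable[Packet]) -> List[str]:
    """Alert when a watched service is in use or a watched keyword appears in a payload."""
    alerts = []
    for p in packets:
        service = WATCHED_SERVICES.get(p.dst_port) or WATCHED_SERVICES.get(p.src_port)
        if service:
            alerts.append(f"{p.ts:.0f} {p.src_ip} -> {p.dst_ip}: {service} in use")
        for kw in WATCHED_KEYWORDS:
            if kw in p.payload:
                alerts.append(f"{p.ts:.0f} {p.src_ip} -> {p.dst_ip}: keyword {kw.decode()} seen")
    return alerts


# Constructed sample capture: four packets at 14:20 UTC on 30 May 2002.
SAMPLE = [
    Packet(1022768400, "00:50:56:aa:bb:01", "00:50:56:aa:bb:ff", "192.168.1.10", "64.12.24.1", "TCP", 1045, 5190, b"FLAP signon"),
    Packet(1022768401, "00:50:56:aa:bb:02", "00:50:56:aa:bb:ff", "192.168.1.11", "10.0.0.5", "TCP", 1046, 25, b"RCPT TO:<[email protected]>\r\n"),
    Packet(1022768402, "00:50:56:aa:bb:03", "00:50:56:aa:bb:ff", "192.168.1.12", "10.0.0.8", "UDP", 137, 137, b"NBNS query"),
    Packet(1022768403, "00:50:56:aa:bb:02", "00:50:56:aa:bb:ff", "192.168.1.11", "10.0.0.9", "TCP", 1047, 80, b"GET /payroll.xls HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for line in log_filtered(SAMPLE, make_filter(proto="TCP", port=80)):
        print("LOG  ", line)
    for alert in guard_alerts(SAMPLE):
        print("ALERT", alert)
```

Keyword matching is done on the raw payload, so a keyword split across two packets of the same stream would be missed; a sensor that needs that must reassemble the stream first (the reconstruction step later in this briefing) and match on the reassembled bytes.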

2) Bandwidth Performance

Using Iris's statistical capabilities administrators can gather data about bandwidth performance, remote host information, and the type of network protocols running on their network.

By installing Iris on more than one switch on the network, you can:

  • quickly detect and fix bandwidth latency and network problems;
  • create stats of what day and times the network has the greatest traffic load;
  • view the most popular protocols on the network (e.g., IPX, TCP/IP, TCP, UDP, ICMP).
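
The three statistics listed above (busiest day and hour, protocol mix, and who the segment talks to), computed over a constructed packet summary. This is an added example written for this page, not Iris code or its export format: the `Pkt` record, the `LOCAL_PREFIX` value and the week of sample traffic are assumptions made here.

```python
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Pkt(NamedTuple):
    """Constructed per-packet summary; the fields are this example's assumption."""
    ts: int        # Unix time (UTC)
    src: str
    dst: str
    proto: str     # "TCP", "UDP", "ICMP", "IPX", ...
    size: int      # bytes on the wire


LOCAL_PREFIX = "192.168.1."   # constructed: the segment the sensor sits on


def load_by_weekday_hour(packets: Iterable[Pkt]) -> Dict[Tuple[str, int], int]:
    """Bytes seen per (weekday, hour-of-day): the 'when is the network busiest' table."""
    load: Counter = Counter()
    for p in packets:
        t = datetime.fromtimestamp(p.ts, tz=timezone.utc)
        load[(t.strftime("%a"), t.hour)] += p.size
    return dict(load)


def busiest_slots(packets: Iterable[Pkt], n: int = 3) -> List[Tuple[Tuple[str, int], int]]:
    """The n busiest (weekday, hour) slots, heaviest first."""
    load = load_by_weekday_hour(packets)
    return sorted(load.items(), key=lambda kv: kv[1], reverse=True)[:n]


def protocol_mix(packets: Iterable[Pkt]) -> Dict[str, float]:
    """Share of total bytes per protocol, in percent rounded to one decimal, most popular first."""
    packets = list(packets)
    total = sum(p.size for p in packets) or 1
    per_proto: Counter = Counter()
    for p in packets:
        per_proto[p.proto] += p.size
    return {proto: round(100.0 * b / total, 1) for proto, b in per_proto.most_common()}


def top_remote_hosts(packets: Iterable[Pkt], n: int = 5) -> List[Tuple[str, int]]:
    """Remote (off-segment) hosts ranked by bytes exchanged with the local segment."""
    remote: Counter = Counter()
    for p in packets:
        for host in (p.src, p.dst):
            if not host.startswith(LOCAL_PREFIX):
                remote[host] += p.size
    return remote.most_common(n)


def at(day: int, hour: int, minute: int = 0) -> int:
    """Unix time for a day offset from Monday 27 May 2002 00:00 UTC (constructed base)."""
    return 1022457600 + day * 86400 + hour * 3600 + minute * 60


# Constructed sample: a few packets spread over a working week.
SAMPLE = [
    Pkt(at(0, 9), "192.168.1.10", "10.0.0.5", "TCP", 1500),
    Pkt(at(0, 9, 5), "192.168.1.11", "64.12.24.1", "TCP", 600),
    Pkt(at(0, 9, 30), "192.168.1.12", "192.168.1.1", "UDP", 300),
    Pkt(at(0, 14), "10.0.0.5", "192.168.1.10", "TCP", 1500),
    Pkt(at(1, 9), "192.168.1.10", "10.0.0.5", "TCP", 800),
    Pkt(at(1, 11), "192.168.1.13", "192.168.1.20", "IPX", 400),
    Pkt(at(1, 11, 10), "192.168.1.10", "192.168.1.1", "ICMP", 100),
    Pkt(at(2, 9), "192.168.1.11", "64.12.24.1", "TCP", 900),
]

if __name__ == "__main__":
    print("busiest slots :", busiest_slots(SAMPLE))
    print("protocol mix  :", protocol_mix(SAMPLE))
    print("remote talkers:", top_remote_hosts(SAMPLE))
```

Running the same functions over captures from two switches and comparing the per-hour tables is the quickest way to see which segment carries the load at the hour users complain about.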

3) Packet Reconstruction

One of Iris's most exciting features is its ability to reconstruct traffic. Using the 'Decode View', Iris can reconstruct web pages, email, and instant messaging traffic that has passed on your network. Iris will recreate a user's session and allow you to view the reconstructed web page or email through a web browser or email client. You can review email messages, web pages and IM conversations that have passed on the network. The email as well as its attachment can be viewed and analyzed through an Outlook application. You can also monitor instant messaging conversations, scanning for keywords such as usernames or specific terms.

Iris incorporates highly developed protocol decoding capabilities. Iris quickly organizes captured packets by session and categorizes them by protocol such as HTTP or SNMP. In this way, Iris provides a list of all web-browsing sessions, all email grouped by incoming and outgoing, and more for quick and easy analysis.
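The two steps described in this section, grouping captured packets into sessions by protocol and then putting a session back together so the page can be read, as an added example written for this page (not Iris's Decode View or any eEye code). The `Segment` record, the `PORT_TO_PROTO` table, the HTTP/1.0 decoder and the sample capture are assumptions made here; the capture deliberately delivers the response out of order and with one retransmitted segment, the two cases a reassembler has to get right.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass
class Segment:
    """Constructed TCP segment record; the fields are this example's assumption."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    data: bytes


# Well-known server ports used to label a session's protocol (a small constructed table).
PORT_TO_PROTO = {80: "HTTP", 25: "SMTP", 110: "POP3", 161: "SNMP", 5190: "AIM"}

Endpoint = Tuple[str, int]


def reassemble(segments: Iterable[Segment]) -> bytes:
    """Put one direction of a TCP stream back in order by sequence number, dropping retransmitted bytes."""
    out = bytearray()
    expected = None
    for s in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = s.seq
        if s.seq + len(s.data) <= expected:
            continue                                  # pure retransmission, already copied
        out += s.data[max(0, expected - s.seq):]      # skip any prefix that overlaps copied bytes
        expected = s.seq + len(s.data)
    return bytes(out)


def group_sessions(segments: Iterable[Segment]) -> Dict[Tuple[Endpoint, Endpoint], Dict[Endpoint, List[Segment]]]:
    """Group segments by connection (both directions under one key), then by sending endpoint."""
    sessions: Dict = defaultdict(lambda: defaultdict(list))
    for s in segments:
        key = tuple(sorted([(s.src, s.sport), (s.dst, s.dport)]))
        sessions[key][(s.src, s.sport)].append(s)
    return sessions


def client_server(key: Tuple[Endpoint, Endpoint]) -> Tuple[Endpoint, Endpoint]:
    """Decide which end is the server: the one on a well-known port, else the lower port."""
    a, b = key
    if a[1] in PORT_TO_PROTO:
        return b, a
    if b[1] in PORT_TO_PROTO:
        return a, b
    return (b, a) if a[1] < b[1] else (a, b)


def decode_http(request: bytes, response: bytes) -> dict:
    """Pull request line, Host header, status code and body out of a reassembled HTTP/1.0 exchange."""
    head, _, _ = request.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (ln.partition(":") for ln in lines[1:]) if k}
    status_line, _, _ = response.partition(b"\r\n")
    status = int(status_line.split()[1])
    _, _, body = response.partition(b"\r\n\r\n")
    return {"method": method, "path": path, "host": headers.get("host", ""), "status": status, "body": body}


def decode_sessions(segments: Iterable[Segment]) -> List[dict]:
    """One summary per session, with the page reconstructed for HTTP sessions."""
    results = []
    for key, by_sender in group_sessions(segments).items():
        client, server = client_server(key)
        proto = PORT_TO_PROTO.get(server[1], "OTHER")
        c2s = reassemble(by_sender.get(client, []))
        s2c = reassemble(by_sender.get(server, []))
        entry = {"proto": proto, "client": client[0], "server": server[0], "bytes": len(c2s) + len(s2c)}
        if proto == "HTTP":
            entry.update(decode_http(c2s, s2c))
        results.append(entry)
    return results


# Constructed capture: one HTTP session whose response arrives out of order and with a
# retransmitted segment, plus the start of one SMTP session.
REQ = b"GET /index.html HTTP/1.0\r\nHost: intranet\r\n\r\n"
HDR = b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
B1, B2 = b"<html><body>", b"Hello</body></html>"
SAMPLE = [
    Segment("192.168.1.10", 1054, "10.0.0.9", 80, 1000, REQ),
    Segment("10.0.0.9", 80, "192.168.1.10", 1054, 5000 + len(HDR) + len(B1), B2),   # last piece, seen first
    Segment("10.0.0.9", 80, "192.168.1.10", 1054, 5000, HDR),
    Segment("10.0.0.9", 80, "192.168.1.10", 1054, 5000 + len(HDR), B1),
    Segment("10.0.0.9", 80, "192.168.1.10", 1054, 5000 + len(HDR), B1),              # retransmission
    Segment("192.168.1.11", 1055, "10.0.0.5", 25, 7000, b"MAIL FROM:<[email protected]>\r\n"),
]

if __name__ == "__main__":
    for entry in decode_sessions(SAMPLE):
        print(entry)
```

Labelling a session by server port is the simple heuristic used here; a production decoder also looks at the first bytes of the stream, since services do not always sit on their well-known ports.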

Click here to download a trial version of Iris:
http://www.w2knews.com/rd/rd.cfm?id=020530TB-Iris

  NT/2000 RELATED NEWS

Windows and .Net Mag Poll on 6.0 Licensing: 51% Higher Cost

The first and largest magazine for Windows System and Network Admins recently did one of their instant Polls on the new Microsoft Licensing program. The results were quite interesting:

"Do you think Microsoft's new Licensing 6.0 program will lower overall upgrade costs for your organization?" The results (±2 percent) from the 346 votes were:

  • 4% Yes, it will lower upgrade costs
  • 51% No, it will raise upgrade costs
  • 39% It won't change our upgrade costs
  • 4% Don't know
  • 3% We don't use Microsoft products

Your company may be in this 51% category, and you may be asking yourself the following questions:

  • Is your business ready for MS Licensing 6.0?
  • Does your company understand the new terms, conditions, maintenance and upgrade schemas and potential price increases?
  • What discounts have other companies been able to get?
  • How is software license non-compliance going to affect you?
  • Should you even do this? Perhaps switch over to other platforms?
  • How much is your software cost going to increase... 20 or 100%?
  • Should you start leasing your software, much like a car?
  • What hidden price increases are in the new 6.0 licensing?
  • How much should Software Assurance really cost you?
  • Can you still transfer licenses to other divisions?

Here is some help to get the best deal from MS:
http://www.w2knews.com/rd/rd.cfm?id=020530RN-MS_Licensing

Free MS SQL Worm Scanner Available From Sunbelt

A new SQLsnake worm, which also goes by the names Spida and Digispid, has made port 1433 the "most attacked port" according to Dshield.org. It has wrested the top spot from port 80, the favorite food of Code Red and Nimda. Port 80 was the most attacked port for several months. Spida looks for machines running SQL Server without password protection.

Severity level: High. Systems affected: default installations of Microsoft SQL Server.

Description:

The SQL worm (AKA: Spida, Digispid.B.Worm) infects by inserting itself into MSSQL database servers with no password protecting the SA (System Administrator) account. The worm executes commands on the vulnerable server using the "xp_cmdshell" General Extended Procedure, and the commands it executes activate and configure the Windows "Guest" account so it can be used to copy files over to the vulnerable machine via Windows file sharing. After the files have been copied over, they are "hidden" and the worm goes into a cleanup phase. It deactivates the Guest account and changes the password for the SA account.

The worm then creates a file containing details about the network interfaces, database, and Windows account password hashes. This file is emailed to [email protected], which we are guessing is an email box created by the worm's author. Finally, the target machine begins to scan for other machines and continues the chain of infection.
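The infection sequence just described leaves a recognisable pattern in connection logs, and a traffic analyzer placed as suggested in this issue's Tech Briefing sees all of it. The following is an added example written for this page, not Sunbelt's or eEye's scanner: it runs three detections over a constructed connection log. The `Flow` record, the thresholds, the approved mail relay and the sample addresses (RFC 5737 documentation ranges standing in for outside hosts) are all assumptions made here.

```python
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Flow(NamedTuple):
    """Constructed connection record (one per TCP connection attempt); fields are this example's assumption."""
    ts: int        # Unix time
    src: str
    dst: str
    dport: int


SQL_PORT = 1433
SMB_PORTS = {139, 445}
MAIL_RELAYS = {"192.168.1.5"}       # constructed: the only host that should send mail out
SCAN_THRESHOLD = 20                 # constructed: distinct 1433 targets per window that count as scanning
SCAN_WINDOW = 60                    # seconds


def sql_scanners(flows: Iterable[Flow], threshold: int = SCAN_THRESHOLD,
                 window: int = SCAN_WINDOW) -> List[str]:
    """Hosts that try many distinct addresses on TCP/1433 within `window` seconds (the spreading phase)."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.dport == SQL_PORT:
            by_src[f.src].append(f)
    hits = []
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        targets: Counter = Counter()
        start = 0
        for f in fl:
            targets[f.dst] += 1
            while f.ts - fl[start].ts > window:      # slide the window forward
                old = fl[start].dst
                targets[old] -= 1
                if targets[old] == 0:
                    del targets[old]
                start += 1
            if len(targets) >= threshold:
                hits.append(src)
                break
    return hits


def sql_then_smb(flows: Iterable[Flow], gap: int = 300) -> List[Tuple[str, str]]:
    """Remote hosts that hit a server's SQL port and then its file-sharing ports within `gap` seconds
    (the worm copies its files over Windows file sharing right after the SQL login)."""
    by_pair: Dict[Tuple[str, str], List[Flow]] = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    hits = []
    for pair, fl in by_pair.items():
        sql_times = [f.ts for f in fl if f.dport == SQL_PORT]
        smb_times = [f.ts for f in fl if f.dport in SMB_PORTS]
        if any(0 <= s - q <= gap for q in sql_times for s in smb_times):
            hits.append(pair)
    return hits


def unexpected_smtp(flows: Iterable[Flow], db_hosts: Iterable[str]) -> List[Tuple[str, str]]:
    """Database servers talking SMTP to anything but the approved relay (the worm mails out its findings)."""
    db = set(db_hosts)
    return sorted({(f.src, f.dst) for f in flows
                   if f.src in db and f.dport == 25 and f.dst not in MAIL_RELAYS})


def report(flows: List[Flow], db_hosts: Iterable[str]) -> Dict[str, list]:
    return {
        "scanners": sql_scanners(flows),
        "sql_then_smb": sql_then_smb(flows),
        "unexpected_smtp": unexpected_smtp(flows, db_hosts),
    }


# Constructed flow log. 203.0.113.7 and 198.51.100.9 are documentation addresses standing in
# for an outside host and an outside mail drop; 192.168.1.50 is the internal SQL Server.
SAMPLE = [
    Flow(50,  "192.168.1.10", "192.168.1.50", 1433),    # normal application traffic
    Flow(60,  "192.168.1.10", "192.168.1.5",  25),      # normal mail via the relay
    Flow(100, "203.0.113.7",  "192.168.1.50", 1433),    # outside host reaches the SQL port
    Flow(130, "203.0.113.7",  "192.168.1.50", 445),     # ...then the file-sharing port
    Flow(400, "192.168.1.50", "198.51.100.9", 25),      # SQL server mails an outside address
] + [Flow(500 + i, "192.168.1.50", f"10.0.0.{i + 1}", 1433) for i in range(25)]  # then sweeps 1433

if __name__ == "__main__":
    for name, hits in report(SAMPLE, db_hosts=["192.168.1.50"]).items():
        print(f"{name:16s} {hits}")
```

The third check is the cheapest one to keep running permanently: a database server has no business opening SMTP connections to arbitrary addresses, so a single hit is worth a look regardless of which worm is in the news that week.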

You can download a free scanner to check your network for this hole. It's an application (subset) of the Retina Scanner and sits on its download page. Yes, you do need to leave your address info, but that's all. I just ran this myself and found four machines in our own LAN that were vulnerable. Get it here:
http://www.w2knews.com/rd/rd.cfm?id=020530RN-Retina

WinXP SP 1 Beta Imminent

MICROSOFT ON FRIDAY announced it will release a beta of its first service pack for Windows XP late this month that contains a wide assortment of new bug fixes and features, as well as the first changes that bring the operating system into compliance with the government's consent decree.

Some of the technical fixes in the update are patches developed out of the company's ongoing Trustworthy Computing Initiative and are intended to plug security holes in the product. Microsoft will continue to add other security fixes to the beta version right up until it ships to manufacturing later this summer, company officials said. Full article at InfoWorld:
http://www.w2knews.com/rd/rd.cfm?id=020530RN-XP_Service_Pack

Subscribe to WinXPnews if you want more detail about this:
http://www.winxpnews.com/subscribe.cfm

  THIRD PARTY NEWS

PestPatrol Limited Time Offer Ends May 31st!

Readers of W2Knews and WinXPnews are able to get PestPatrol for the reduced price of just $19.95 for just a few days more, but then it will go up to the normal price again. So, if you are concerned about spyware, scumware, Remote Access Trojan backdoors, and other pests, this is the time to get your copy. This product is selling like hotcakes!

You may recently have downloaded an evaluation copy of PestPatrol, but the evaluation software only detects - it doesn't remove the malware it finds. You need to buy the full product to clean your PC. (You should be aware that simply deleting the files detected by PestPatrol is not a complete solution; it's very likely that your registry and .ini files will need to be repaired - not a task for the faint of heart!)

We're sure you don't want to leave these unwanted and potentially malicious programs on your system for any longer than is necessary. So, we've teamed up with our partner, PestPatrol, to offer PestPatrol evaluators the opportunity to purchase the full product at just $19.95 - a 35% saving over the regular price.

But you need to act soon. This special price is only available until May 31 2002. At midnight Florida time on that date, the price returns to $29.95. So don't hesitate. Pop down to the Sunbelt Online Shop today and give your PC the PestPatrol treatment.
http://www.w2knews.com/rd/rd.cfm?id=020530TP-PestPatrol

15-Minute Update On Award Winning Vulnerability Scanner

A crucial part of your security toolkit is a scanner that shows holes in your network and machines. But testing scanners can be a very long process. We made that easier for you and created a 15-minute show that you can watch at any time and get all the relevant and important data so you can move faster on your way to a more secure environment. This thing is worth watching. Download here:
http://www.w2knews.com/rd/rd.cfm?id=020530TP-Retina

How Fast Are Your Files? New Version Of hIOmon Will Tell You

hIOmon, the File I/O Performance Monitor from hyperI/O, lets you easily, quickly and precisely measure and monitor the performance of your file I/O operations -- all from the file level perspective. The latest version now includes Windows PerfMon/SysMon Support.

Why hIOmon? Because you need files if you want to start your computers and keep them running. And if you want your computers to do something useful (big tasks like run an accounting software package or inventory application, act as a Web or email server, or simply write a letter, surf the Web, maybe even play a game), you'll need files (and often lots of them). Since files are such a crucial part of your computer systems, understanding their performance is a key consideration when monitoring (and trying to improve) the overall performance and productivity of your computer systems. As an innovative, unique system utility tool, Sunbelt hIOmon can collect and display a wide variety of useful, performance-related information based upon actual empirical data - all from the perspective of individual files within your own particular computer system environment.

The Sunbelt hIOmon File I/O Performance Monitor is packed full of useful features, many of which you won't be able to find anywhere else. hIOmon provides several unique automation features that allow you to easily, quickly and automatically get the specific file I/O operation performance information that you need. Eval here:
http://www.w2knews.com/rd/rd.cfm?id=020530TP-Sunbelt_hIOmon

New Pocket PC Version 2.5 Of sonicadmin

sonicadmin is making a big splash with system and network admins who need to perform their jobs from their Pocket PC or RIM Blackberry while on the move. IT people from all sectors including corporations, government, and the military have been adopting this amazing technology. Originally they were excited by the 'coolness' of the product, but now converts are speaking up about the tremendous ROI they are seeing with one VP of IT quoted "Since buying sonicadmin three months ago, it has already paid for itself several times over".

If you thought that sonicadmin 2.0 was great, wait until you try version 2.5. Just released by Sonic Mobility, new features include the ability to browse the file directory of any system on your network and pull critical .INI or other text files down to your handheld to edit them. Imagine being able to change your boot.ini file on the fly when you get a notice of a hard drive failure on your web server! You can also locate a file off any server or workstation and email it to anyone instantly.

Connect to any system or piece of hardware with SSH or Telnet, set up all your DNS settings, manage users, event logs, printers, shares, services, processes and more. If you really get stuck, you can even physically cut and cycle the power to a locked up server, router, or other device.

sonicadmin also uses a complete native client architecture that provides an unprecedented level of security and a highly usable interface on your handheld device. This means that the only thing being transmitted across your wireless connection is a highly compressed encrypted data packet, resulting in maximum speed and usability across a wireless network (which is critical for real time activities like server management).

There is nothing like the experience of actually trying it, so I encourage you to download the free trial if you have a wireless enabled Pocket PC or RIM Blackberry. This is a completely unrestricted 30-day trial so you can experiment with all the features of the sonicadmin 2.5. Once you've put it through its paces, the value will be obvious. Eval at:
http://www.w2knews.com/rd/rd.cfm?id=020530TP-sonicadmin

  FAVE LINKS

This Week's Links We Like. Tips, Hints And Fun Stuff

  • T-shirts that fuse geek culture with high fashion, over at Errorware:
    http://www.w2knews.com/rd/rd.cfm?id=020530FA-ErrorWare
  • How to crack biometric devices. Article with all the details:
    http://www.w2knews.com/rd/rd.cfm?id=020530FA-Crack_Biometrics
  • Very smart appliances in Microsoft's Home Of The Future:
    http://www.w2knews.com/rd/rd.cfm?id=020530FA-Future_Home
  • It's been all over the news. The U.S. Army has their own game on the web:
    http://www.w2knews.com/rd/rd.cfm?id=020530FA-Army_Game
  PRODUCT OF THE WEEK

How to Do Everything With Your iPAQ(R) Pocket PC

If you own an iPAQ Pocket PC or are thinking about buying one, this is the book for you. How To Do Everything With Your iPAQ Pocket PC covers everything that an iPAQ owner needs to know to get the most out of their device. It includes full tutorials on all the built-in software such as Pocket Word, Excel, Outlook, and others. It also covers important issues such as securing your iPAQ and the data that it carries and maximizing your battery life. You will learn about what third party hardware and software is available for the product, how to connect your iPAQ wirelessly to the Internet, use GPS units for personal navigation, do business presentations directly from your iPAQ and much, much more.

http://www.w2knews.com/rd/rd.cfm?id=020530BW-iPAQ