Archive for the ‘Networking’ Category

Arrow keys not working in Excel, it scrolls instead

April 7, 2011 8 comments

Been a while since I posted, but here is a quick easy answer to a problem I’ve seen quite often. When you are working in MS Excel it is quite easy to move between fields using the arrow key. Every once in a while I’ll have a client call and ask if I can fix their Excel because the arrow makes “everything move”.

The fix for this is simple: The scroll lock key has been pushed on the keyboard. Hit the scroll lock key again and your arrows will work normally. If that doesn’t fix it I would check to make sure you don’t have a macro that is causing issues.

Categories: Networking

FTP is dead, now will someone tell developers!

December 7, 2010 3 comments

Today’s post is all about FTP, or rather about why FTP shouldn’t be around anymore. FTP, which stands for file transfer protocol, was created almost 40 years ago when networks looked completely different. At that time networks were small. FTP was a great way to move files between hosts. It worked great for the 70’s, 80’s, and even part of the 90’s for most people.

In the 90’s two major changes happened that basically killed FTP:

  1. Firewalls were making their way onto corporate network perimeters. With the www introduced in 1990 it wasn’t long before companies were becoming ‘connected’. With this new form of communication came new security risks, and of course new security measures. Firewalls were the cure-all security solution of the 90’s.
  2. NAT was being used so corporate computers could utilize a private IP over the Internet. NAT was configured on network devices such as routers, proxies, or even firewalls.

To illustrate why FTP is no longer a valid protocol, it’s time to look at how FTP works on a basic level. There are two modes for transferring data via FTP: PORT (active) and Passive.

PORT (Active) mode FTP

Here is a sample of PORT (Active) mode communication initialization:

  1. FTP client connects to a server.
    1. The source port for the client is a random number over 1023, this port will be used for commands on the client side.
    2. The destination port on the server is 21, this port will be used for commands on the server-side.
  2. The server replies to the FTP client on the client control port.
  3. Server initiates data connection to the client’s data port.
    1. Server data source port is 20
    2. Client data port is client control port plus 1
  4. Client Acknowledges the data ports to be used.

Here is a sample of the above:

***note: For this example I chose 1024 for the RANDOM client control port, which in turn caused the client data port to be 1025

PORT (Active) mode FTP sample


As you can see above the client side of FTP communications in PORT mode has a random port assigned. Also notice the FTP server initiates data connections, even though it was the client that initiated the control connection.

This is what causes many problems with getting FTP through firewalls. Typically a server would only be allowed to access certain ports through a firewall, if at all. Since the data port is a random number over 1023 it is unlikely the server can send data via FTP using Active Mode.

NAT will also have problems in the above scenario because the IP and port being referenced in the control will be the Private IP and port, as opposed to the Public IP and port.

The point is: If you have an old application that is using PORT mode, get rid of that application!

Passive mode FTP

Passive mode overcomes some of the limitations of Active mode. Here is a sample of Passive mode communication initialization:

  1. FTP client connects to a server.
    1. The source port for the client is a random number over 1023, this port will be used for commands on the client side.
    2. The destination port on the server is 21, this port will be used for commands on the server side.
  2. The server replies to the FTP client on the client control port.
  3. Client initiates data connection to the server data connection port.
    1. Client data port is client control port plus 1
    2. Server data port is a random number specified by the server
  4. Server Acknowledges the data ports to be used.

Here is a sample of the above:

***note: For this example I chose 1024 for the RANDOM client control port, which in turn caused the client data port to be 1025

***note: For this example I chose 2048 for the RANDOM server data port.

Passive mode FTP sample


As you can see above the client side of FTP communications in PORT mode has a random port assigned. With Passive mode the server’s data port is also random. Also notice the FTP client initiates data connections, which is the opposite of how Active mode sessions work.

With Passive mode the FTP administrator can set a range of ports to choose from for data connections. These ports can in turn be allowed through the firewall by the Network Administrator. This overcomes the firewall issues that cause Active mode to fail.

From a network security perspective this is not a good solution. It means opening more ports on the firewall, a rather large number of ports actually!

It’s also a pain to troubleshoot FTP issues. Many times you will be working with applications that only support Active FTP. Or maybe you’ll have a client that supports Passive FTP but the firewall on either end is still unable to make a proper connection.

The point is: If you have an old application that is using FTP (Active or Passive), get rid of that application!
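To make the NAT and firewall failures described above concrete, here is an added example (not code from the original post). It goes slightly beyond the post by decoding the `h1,h2,h3,h4,p1,p2` address field that RFC 959 puts in the `PORT` command and the `227` passive reply, then reports why that endpoint would be unreachable. The sample lines, the peer addresses and the allowed port ranges are constructed; the ports 1025 and 2048 match the samples above.

```python
import ipaddress
import re

# RFC 959 host-port field: six decimal bytes h1,h2,h3,h4,p1,p2.
HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_hostport(line):
    """Return (IPv4Address, port) from a PORT command or a 227 PASV reply."""
    m = HOSTPORT.search(line)
    if not m:
        raise ValueError("no host-port field in %r" % line)
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError("byte out of range in %r" % line)
    ip = ipaddress.IPv4Address("%d.%d.%d.%d" % tuple(n[:4]))
    return ip, n[4] * 256 + n[5]          # port = p1*256 + p2

def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)

def check_data_endpoint(line, peer_ip, allowed_ports=None):
    """Explain why the advertised data endpoint may be unreachable.

    peer_ip: address the sender of `line` has on the control connection,
    as seen from the other side (hypothetical input, e.g. from a log).
    allowed_ports: data ports the firewall permits, if known.
    """
    ip, port = parse_hostport(line)
    peer = ipaddress.IPv4Address(peer_ip)
    problems = []
    if is_rfc1918(ip) and not is_rfc1918(peer):
        problems.append("private address %s advertised through NAT" % ip)
    elif ip != peer:
        problems.append("advertised %s is not the control peer %s" % (ip, peer))
    if allowed_ports is not None and port not in allowed_ports:
        problems.append("data port %d not allowed by firewall" % port)
    return ip, port, problems

# Constructed control-channel lines using the ports from the samples above.
ACTIVE = "PORT 192,168,1,10,4,1"                          # client data port 1025
PASSIVE = "227 Entering Passive Mode (198,51,100,7,8,0)"  # server data port 2048

if __name__ == "__main__":
    print(check_data_endpoint(ACTIVE, "203.0.113.5"))
    print(check_data_endpoint(PASSIVE, "198.51.100.7", range(2048, 2101)))
    print(check_data_endpoint(PASSIVE, "198.51.100.7", range(50000, 50101)))
```
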

Alternative to FTP

Here we are 15 years after FTP should have been dead and developers are still using it. Recently I asked a developer why he was using FTP. His simple answer: FTP is simple to use/implement and it’s what I’ve always done. (I really hate the “it’s always been that way” answer).

There is a good alternative to FTP, it’s called SFTP. SFTP stands for SSH file transfer protocol (not secure file transfer protocol as some might think). SSH stands for Secure Shell. SSH provides a secure connection for the file transfer. Even if you don’t think any data being transmitted needs to be secured, it’s a good idea to always use secure communications.

SFTP is not simply FTP implemented with security. Let me repeat: SFTP is NOT a new implementation of the older FTP specification. Instead SFTP is a new specification that has all of the capabilities of the older FTP specification. In fact the same commands are available for use. For developers there is very little that need be done differently to use SFTP as opposed to FTP.

Also, there are no longer different control and data streams. The server has only one port, typically 22, the same as other SSH protocols. No more mucking around with random server ports or having to troubleshoot passive connections!

I won’t go any more into why SFTP is a good replacement for FTP. If you want more info on SFTP I would recommend going to the OpenSSH website or RTFM on the OpenBSD website.

One final plea: Developers, please STOP using FTP. It’s dead, or at least should have been dead 15 years ago!!!

Categories: Networking

Some tips to find rogue devices on your network

November 30, 2010 6 comments

Any unknown entity on your network is bad, and this is especially true for rogue devices. There are a variety of ways to protect your network from rogue devices, but honestly most small and medium businesses don’t have the resources to do this. If you’re a network person with good switches you could track these devices down to a physical switch port fairly easily. However if you have unmanaged switches (yes, they still exist) or don’t know how to follow MAC addresses on a switch you may have to use other methods for your investigation.

To assist in finding rogue devices on your network it is helpful to determine the vendor for a MAC address. First, you will need to know the IP address of the rogue device. Chances are you already know the IP because you know this rogue device exists. Often these devices are found when you try to add an IP to a device on your network and find the IP is already in use.

Once you have the IP, a protocol named ARP can be used to determine the MAC address. If you’re on a Windows machine do the following:

  1. Go to the command prompt.
  2. Ping the rogue device. It doesn’t matter if there are replies, this step gets the MAC address in your ARP table.
  3. Type the following command:  arp -a
    1. Here is a sample output:
      Internet Address      Physical Address      Type
                            00-03-ff-d1-19-04     dynamic
    2. The MAC address is the Physical Address listed as 00-03-ff-d1-19-04
  4. Take the MAC address and enter it into a tool or website that lets you know the manufacturer. I use this website for my vendor lookups, but there are others out there.
    1. Using the sample address from above I got the following vendor info returned:
      Prefix      Vendor
      0003FF   Microsoft Corporation (was: Connectix)
  5. Now that I know the vendor of the network card I have some clues as to what kind of device the rogue element is.
    1. Knowing the vendor is Microsoft narrows down my search, since computers won’t show Microsoft as the vendor.
    2. In this case I can assume it is coming from a Windows Virtual PC, since this is the most likely device on my network to show up with a Microsoft MAC address.
    3. This device is actually a Windows Virtual PC running on my laptop for testing purposes. I used this example specifically because I am seeing more and more rogue virtual machines created by IT staff in various companies.

Using the above method can dramatically cut down the investigation time to find rogue devices. Yes, it is much quicker/easier to track rogue devices through managed switches. However as I mentioned before this is not always a possibility.
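The manual steps above can be scripted when there are many entries to check. This added example (not from the original post) parses Windows `arp -a` output and resolves each unicast MAC to a vendor, and it also handles a case the website lookup cannot: locally administered MACs, which carry no vendor prefix at all. The sample ARP output and the small vendor table are constructed; only the `00-03-ff-d1-19-04` entry and its vendor come from the post.

```python
import re

# Constructed mini OUI table. 0003FF is the prefix looked up in the post; the
# others are well-known hypervisor prefixes. Use the full IEEE registry in practice.
OUI_VENDORS = {
    "0003FF": "Microsoft Corporation (was: Connectix)",
    "00155D": "Microsoft Corporation",
    "000C29": "VMware, Inc.",
    "005056": "VMware, Inc.",
    "080027": "PCS Systemtechnik GmbH",
}

# One row of Windows `arp -a` output: IP, dash-separated MAC, entry type.
ARP_ROW = re.compile(
    r"^[ \t]*(\d{1,3}(?:\.\d{1,3}){3})[ \t]+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})[ \t]+(\w+)",
    re.IGNORECASE | re.MULTILINE)

def classify_mac(mac):
    """Return a vendor string, or None for multicast/broadcast entries."""
    octets = bytes.fromhex(mac.replace("-", ""))
    if octets[0] & 0x01:      # group bit: multicast or broadcast, not a device
        return None
    if octets[0] & 0x02:      # locally administered: OUI lookup is meaningless
        return "locally administered (randomized or manually set MAC)"
    prefix = octets[:3].hex().upper()
    return OUI_VENDORS.get(prefix, "unknown prefix " + prefix)

def vendor_report(arp_output):
    """Return [(ip, mac, vendor)] for every unicast entry in `arp -a` output."""
    rows = []
    for ip, mac, _type in ARP_ROW.findall(arp_output):
        vendor = classify_mac(mac)
        if vendor is not None:
            rows.append((ip, mac.lower(), vendor))
    return rows

# Constructed sample output; only 00-03-ff-d1-19-04 comes from the post.
SAMPLE_ARP = """
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1b-21-aa-bb-cc     dynamic
  192.168.1.57          00-03-ff-d1-19-04     dynamic
  192.168.1.88          da-a1-19-3c-5e-70     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

if __name__ == "__main__":
    for row in vendor_report(SAMPLE_ARP):
        print("%-15s %s  %s" % row)
```
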

Tool spotlight: WIMI

November 29, 2010 Leave a comment

Today I thought I would put a spotlight on a favorite online tool: (WIMI). At its core this site serves a very simple and important task by showing what your public IP is. Simply go to the website and it automatically shows your IP address. If you are behind a proxy server it will also let you know that.

But getting information about your public IP is just the beginning of this site’s usefulness. I won’t go through everything but here are some highlights:

  • Information. Every tool/section of the website has some good basic networking information available. Anyone looking to learn more about basic network concepts would do well to browse this site.
  • Internet Speed Test: Find out your true upload and download speeds. I wouldn’t use this just once, try it at different times of the day to see how your ISP’s load differs. An alternate I sometimes use for this is the speakeasy speed test, it’s powered by the same ookla code.
  • IP Address Lookup: This will give the physical location of an IP address, most of the time. Because of where this data is captured it may be incorrect, it really depends on who the ISP is and how they maintain their database.
  • IP WHOIS Lookup: This gives information about an IP address’s owner. This is not the same as an IP address lookup, in fact the information here will likely be completely different.
  • Host Name Lookup: Basically this does a reverse-IP lookup, so you can see if a DNS host name exists for an IP.
  • Email Trace: This is not a tool to trace an email, however it has some basic steps to help do this yourself. The IP Address Lookup, IP WHOIS Lookup and Host Name Lookup can all be used when trying to find the source of an internet communication.
  • Forum: I haven’t been in the forums there much, but it does seem to be a very helpful forum with some good information.

As I mentioned this is one of my favorite websites. It’s quick, uncluttered, and has great tools/information.

Categories: Networking, Tools

What to do when your ISP’s DNS servers are down? Use Google!

November 22, 2010 1 comment

My current ISP Charter is currently having DNS issues. This is easy to verify. I am able to ping some known IPs on the internet. But when I ping Charter’s DNS servers I get massive packet loss. Here is a sample ping to one of Charter’s DNS servers:

All of the Charter DNS servers I ping have the same result. Now to get my laptop back on the Internet I decided to drop Charter for name resolution. I have elected to use the Google Public DNS servers instead. The IPs for the Google DNS servers are easy to remember:


For those unfamiliar with how to change your DNS server settings Google has these instructions. There are instructions for Windows, Mac, and Linux.

Even if you don’t change your DNS server settings, I would keep these IPs handy just in case!!

Categories: Networking

Setup sflow on a Juniper EX switch for WUG

March 15, 2010 2 comments

Here are the steps to setting up a Juniper EX-3200 series switch to send sflow data to WhatsUp Gold (WUG) Flow Monitor. Technically it’s the same procedure for any flow monitor, I’m just doing it for WUG in this instance.

  1. Log into the switch’s CLI.
  2. Enter edit mode by typing “edit” and hit “Enter”
  3. First the SNMP community must be set. This will be set as read only, in this instance I do NOT want WUG to have configuration capabilities.
    1. Type: set snmp community sflowtest authorization read-only
      1. **Replace “sflowtest” with the community name you wish to use.
      2. Also make sure this community name has been added as a credential in WUG.
  4. Now we will enter the collector information:
    1. Type: set protocols sflow collector <collector-ip> udp-port 9999
      1. Change the ip address to the IP address of the WUG flow collector.
      2. By default WUG collects sflow data via udp-port 9999, which is not the default UDP port used by Juniper.
    2. Now to change the default polling interval to 10 seconds and sample rate to 500.
      1. Type: set protocols sflow polling-interval 10 sample-rate 500
    3. Finally set the interfaces you want flows collected from:
      1. Type: set protocols sflow interfaces ge-0/0/12.0
        1. Do the above for each interface you need flows collected from.
  5. Now commit the changes:
    1. Type: commit check
      1. Even though this was a simple configuration I ALWAYS do a commit check!!!
    2. Type: commit confirmed 1
      1. Again, even on simple configuration changes I play it safe. If the changes I am about to commit do cause a problem they will be rolled back in one minute.
    3. Type: commit
      1. Finally I do a commit before the one minute time is done.
  6. If you wait a minute or two you should see the switch show in the WUG Flow Monitor.
  7. In the WUG Flow Monitor you may have to go into the source properties and put a check in  “Collect data from this source”.
Categories: Juniper, Networking

Simple Juniper Cache Cleaner troubleshooting steps

January 21, 2010 4 comments

If you have a Juniper SSL-VPN appliance one of the biggest headaches you may deal with is cache cleaner. It’s a great tool from a security standpoint, but most of the problems that get escalated to me have to do with this program. However, none of the problems have been with cache cleaner, rather the problems have been with IE not loading the ActiveX control correctly. Here is a simple list of things to check when having cache cleaner issues:

  • Clear the cache.
    • In IE7 or IE8 do the following
      • Go to Tools > Internet Options
      • In Browsing History click on “delete”
      • In the Temporary Internet Files section click on “Delete Files”
      • Click “yes” to delete temp internet files.
      • Close IE
      • Open IE and try again
  • Uninstall Cache Cleaner
    • Go Start > Programs > Juniper Networks > Cache Cleaner x.x.x > Uninstall Cache Cleaner
    • There will be no confirmation, it will simply uninstall Cache Cleaner.
    • Open IE and try again. When logging in the SSL-VPN the program will install again.
  • Delete the downloaded program from IE
    • In IE go to Tools > Internet Options
    • In the Browsing History section click on Settings
    • Click on ‘View Objects’
    • This will list all the active x controls installed.
    • Right-click on all Juniper programs and click “remove”
    • Also remove any with invalid names (a bunch of weird characters)
    • Close IE
    • Reopen IE and try again.
  • Install the Juniper Installer Service. I always leave this as a last option because I hate putting programs on a user’s personal computer.
    • You can get the Juniper Installer Service from the Maintenance section within the SSL-VPN administration. As a last resort this has always fixed issues. You will need to find a way to get the file to your user. One way is to create a realm with its own URL. This realm only has a download link for this or other important files your user may need for VPN purposes.
Categories: Juniper, Networking, Security