Wednesday, July 28, 2010

Secure WiFi Networks

WiFi Alliance and Legal Authorities Coming Forward


WiFi has become a near-ubiquitous technology: most of us use WiFi-enabled gadgets at the office, at home, in public places and while travelling. However, awareness of WiFi security is still lacking, and poorly secured or entirely unsecured WiFi networks are still common across large sections of society. Such networks can leak confidential information to outsiders or invite unauthorized access to the hosted WiFi network. These pitfalls have already been demonstrated by widely reported incidents, such as the WiFi hack at TJX in the past and Google's WiFi snooping with its Street View cars more recently.
 
These large-scale incidents have laid open the box of security lapses possible when using unsafe WiFi networks, and have motivated people toward safe WiFi practices. A number of safeguards are already documented on the web. However, unknowingly or intentionally, people still put up with poorly configured WiFi networks where security is concerned. The reason may lie in one or more of the following:
 
  • Out-of-the-box WiFi routers generally ship with the 'security disabled' option selected
  • Open WiFi networks are perceived to perform better than their security-enabled counterparts (the encryption overhead on current hardware is small, but the perception persists)
  • People carry a 'this will not happen to us' attitude, and so see no reason to go through the pain of configuring a password and remembering it
  • People get confused by the various WPA versions and fall back to the old, familiar WEP
  • Ad hoc WiFi networks, popular for peer-to-peer wireless networking (no WiFi router required), mainly support WEP
 
Considering the continued use of open and poorly secured WiFi, and the continued stream of large and small WiFi hacking and snooping incidents, the WiFi Alliance and some countries are coming forward with measures to safeguard people's privacy from easy WiFi hacks.
 
As reported in recent news articles on the web, the WiFi Alliance (the body that certifies WiFi products against the standards) is going to phase out the vulnerable WEP and WPA-TKIP options on access points and WiFi clients in stages. The phase-out starts in January 2011 and is to be completed by 2014, leaving only AES (CCMP) based WPA2 security on certified WiFi devices. The 'security disabled' option will remain available on WiFi routers, but out of the box the router will ship with security enabled. The option is likely being kept because an open network has no encryption overhead and is useful for certain specific requirements. Bear in mind that an open network offers no confidentiality at all: anyone in range can read the traffic, which is exactly what the Street View incident demonstrated.
 
Alongside the WiFi Alliance's efforts, Germany's highest court has recently ruled that private WiFi networks must be secured; otherwise the owner is liable to a fine if an unauthorized third party is found to have used the network to download content. This ruling will certainly motivate Germans to secure their privately owned WiFi networks.
 
Properly secured WiFi networks are in the interest of both the individual and the country, so the momentum toward securing WiFi networks will certainly get a push from the WiFi Alliance's efforts and from the liability that countries such as Germany now place on the owners of open private WiFi networks.

Tuesday, July 6, 2010

Test Your Exchange

Hello friends, we can check the internal Exchange services we host on the Internet for global access from outside our own network.

Test from this site (Microsoft's Exchange Remote Connectivity Analyzer): https://www.testexchangeconnectivity.com/

It can run the following tests:


1. Exchange ActiveSync
2. Exchange ActiveSync Autodiscover
3. Synchronization, Notification, Availability, and Automatic Replies (OOF)
4. Service Account Access (Developers)
5. Outlook Anywhere (RPC over HTTP)
6. Outlook Autodiscover
7. Inbound SMTP Email
8. Outbound SMTP Email

Sunday, June 20, 2010

Exchange 2010: Cluster core resources, the replication service, and Active Manager


Every Exchange 2010 server has a process internal to the replication service known as Active Manager.  The Active Manager is responsible for all database mount, dismount, and move operations that occur in Exchange 2010.
When a server is a standalone server, Active Manager is configured as a Standalone Active Manager. 
When a server is a member of a Database Availability Group (DAG), Active Manager is either configured as:
  • PAM – Primary Active Manager
  • SAM – Secondary Active Manager
The Active Manager status in a DAG is determined by the node that owns the cluster core resources.  If a node owns the cluster core resources group, this node is then known as the Primary Active Manager (PAM).  All other nodes successfully participating in the cluster and not owning the cluster core resources are Secondary Active Managers.
Let’s take a look at an example database availability group.
DAGName:  DAG
DagMembers:  DAG-1,DAG-2,DAG-3,DAG-4
Running Get-DatabaseAvailabilityGroup with the -Status switch, you can determine which machine currently owns the cluster core resources and is acting as the PAM:
Get-DatabaseAvailabilityGroup -Identity DAG -Status | fl name,primaryactivemanager
Name                 : DAG
PrimaryActiveManager : DAG-3

Using cluster.exe we can also confirm the owner of the cluster core resources group:
cluster.exe DAG.domain.com group
Group                Node            Status
-------------------- --------------- ------
cluster group        DAG-3           Online

Using the cluster command line, the cluster core resources can be moved to another DAG member and the PAM will subsequently change.
cluster.exe DAG.domain.com group "cluster group" /moveto:DAG-4
Moving resource group 'cluster group'...
Group                Node            Status
-------------------- --------------- ------
cluster group        DAG-4           Online

Get-DatabaseAvailabilityGroup -Identity DAG -Status | fl name,primaryactivemanager
Name                 : DAG
PrimaryActiveManager : DAG-4

Remember that Active Manager runs inside the Microsoft Exchange Replication service, which is installed on every Exchange 2010 Mailbox server. This is important: if the replication service on a DAG member is not started, but that DAG member owns the cluster core resources, database mount, dismount and move operations will not work.
Here is an example…
Currently the cluster core resources are owned by node DAG-4, which is successfully participating in the cluster DAG. Using the Services control panel, the Microsoft Exchange Replication service on DAG-4 was stopped. Using the commands above we can confirm that DAG-4 is still seen as the PAM:
Get-DatabaseAvailabilityGroup -Identity DAG -Status | fl name,primaryactivemanager
Name                 : DAG
PrimaryActiveManager : DAG-4

cluster dag.domain.com group
Listing status for all available resource groups:

Group                Node            Status
-------------------- --------------- ------
Cluster Group        DAG-4           Online
Available Storage    DAG-1           Offline 

Using Test-ReplicationHealth and Test-ServiceHealth we can see that the replication service on node DAG-4 is unavailable:
Server          Check                      Result     Error
------          -----                      ------     -----
DAG-4           ClusterService             Passed
DAG-4           ReplayService              *FAILED*   The Microsoft Exchange Replication service is not running on s...
DAG-4           DagMembersUp               Passed

Role                    : Mailbox Server Role
RequiredServicesRunning : False
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeIS, MSExchangeMailboxAssistants, MSExchangeMailSubmission, MSExchangeRPC, MSExchangeSA, MSExchangeSearch, MSExchangeServiceHost, MSExchangeThrottling, MSExchangeTransportLogSearch, W3Svc, WinRM}
ServicesNotRunning      : {MSExchangeRepl}

At this point a dismount operation on a database was issued using the Dismount-Database cmdlet. An error is returned immediately:
Dismount-Database DAG-DB0
Confirm
Are you sure you want to perform this action?
Dismounting database "DAG-DB0". This may result in reduced availability for mailboxes in the database.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y


Couldn't dismount the database that you specified. Specified database: DAG-DB0; Error code: An Active Manager operation
failed. Error: The Microsoft Exchange Replication service may not be running on server DAG-4.domain.com. Specific RPC error message: Error 0x6d9 (There are no more endpoints available from the endpoint mapper) from cli_MountDatabase.
    + CategoryInfo          : InvalidOperation: (DAG-DB0:ADObjectId) [Dismount-Database], InvalidOperationException
    + FullyQualifiedErrorId : D64CA7E2,Microsoft.Exchange.Management.SystemConfigurationTasks.DismountDatabase
This error occurs because the server designated as the Primary Active Manager does not have its replication service running (and therefore Active Manager is not running). Stopping the replication service does not automatically arbitrate Active Manager functions to another DAG member: the cluster core resources stay where they are, so the PAM designation remains with a server that cannot act on it.
To fix this error:
  • Start the replication service on the machine designated as the Primary Active Manager (preferred).
  • Move the cluster core resources to another DAG member, promoting that server to Primary Active Manager (least preferred, since it does not address why the replication service is stopped on a running DAG member).
It is important that the replication service be monitored on all DAG members to ensure it remains functional. Note that the cluster service passing its own check is not sufficient, as the Test-ReplicationHealth output above shows.
*Updated – 5/30/2010 – Corrected the commandlet for testing services –> test-serviceHealth instead of test-serverHealth.
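The check the post ends on, as an added example that is not part of the original post: a script for the Exchange Management Shell that finds the PAM, confirms the Microsoft Exchange Replication service is running on it and on every other DAG member, and cross-checks with Test-ReplicationHealth. It assumes the DAG name 'DAG' from the example above (replace it with yours), that Get-Service can reach each member over RPC, and that the shell is Windows PowerShell (Get-Service -ComputerName is not available in PowerShell 7).

```powershell
# Added example, not from the original post. Verify that MSExchangeRepl is
# running on the Primary Active Manager and on every other DAG member, since a
# stopped replication service on the PAM breaks mount/dismount/move without
# failing the PAM role over to another server.
param(
    [string]$DagName = 'DAG'   # assumed: the DAG name used in the post's example
)

$dag = Get-DatabaseAvailabilityGroup -Identity $DagName -Status
$pam = "$($dag.PrimaryActiveManager)"
Write-Host "DAG $($dag.Name): PrimaryActiveManager is $pam"

$problems = @()
foreach ($member in $dag.Servers) {
    $server = $member.Name
    $role   = if ($server -ieq $pam) { 'PAM' } else { 'SAM' }

    # Query the service state remotely; a $null result means the server did not answer.
    $svc = Get-Service -ComputerName $server -Name MSExchangeRepl -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $problems += "$server ($role): cannot query MSExchangeRepl, is the server reachable?"
        continue
    }
    if ("$($svc.Status)" -ne 'Running') {
        $problems += "$server ($role): MSExchangeRepl is $($svc.Status)"
    } else {
        Write-Host "$server ($role): MSExchangeRepl Running"
    }
}

# Cross-check with Exchange's own health test on the PAM, as in the post's output.
# Result renders as 'Passed' or '*FAILED*', so compare the display string.
$replay = Test-ReplicationHealth -Identity $pam | Where-Object { $_.Check -eq 'ReplayService' }
if ($replay -and "$($replay.Result)" -ne 'Passed') {
    $problems += "$pam (PAM): Test-ReplicationHealth ReplayService = $($replay.Result)"
}

if ($problems.Count -eq 0) {
    Write-Host 'Replication service is running on every DAG member.'
    return
}
$problems | ForEach-Object { Write-Warning $_ }

# A stopped service on a SAM only affects that member's copies; on the PAM it
# blocks every mount/dismount/move in the DAG, so call that out explicitly.
if ($problems | Where-Object { $_ -like "$pam (PAM)*" }) {
    Write-Warning "Mount/dismount/move will fail until MSExchangeRepl is started on $pam."
    # Preferred fix from the post; uncomment to apply it automatically:
    # Get-Service -ComputerName $pam -Name MSExchangeRepl | Start-Service
}
```

Run it from a scheduled task or monitoring agent rather than by hand; the point of the post is that nothing in the cluster itself will raise the alarm when the PAM's replication service stops, so the check has to come from outside.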

Thursday, June 17, 2010

Juniper Firewall MIP-Definition, configuration of MIP

MIP – Definition: MIP (Mapped IP) is a 1 to 1 mapping of a public IP address to an IP address on the Internal side of the Juniper firewall.

Configuring a MIP to access a single device on the private network:

Consider the following setup:
Internal host IP is 192.168.1.100.
Public interface (e0/0) IP is 1.1.1.250.
Another public IP - 1.1.1.100 is available for use.

Here is how you can configure a MIP to a single IP, and how to configure a policy to permit ANY host from the Untrust zone to access the internal host:
CLI:
set interface "ethernet0/0" zone "Untrust"
set interface "bgroup0" zone "Trust"
set interface ethernet0/0 ip 1.1.1.250/24
set interface bgroup0 ip 192.168.1.1/24
set interface "ethernet0/0" mip 1.1.1.100 host 192.168.1.100 netmask 255.255.255.255 vr "trust-vr"
set policy from "Untrust" to "Trust"  "Any" "MIP(1.1.1.100)" "ANY" permit

WebUI:
  1. Click on Interfaces
  2. Select the e0/0 Interface
  3. Click on MIP
    You will be at the Network > Interfaces > Edit > MIP > Configuration for interface e0/0
    Enter the following:
    Mapped IP: 1.1.1.100
    Host IP: 192.168.1.100
    Netmask: 255.255.255.255
    Host Virtual Router Name: trust-vr 
  4. Create an incoming policy by going to
    Policy > Policies (From Untrust To Trust)
    Source: Any
    Destination: MIP(1.1.1.100)
    Service: ANY 
    Action: Permit
You can limit access to networks and services of your choosing. It is a good idea to start by permitting any service to confirm that the MIP is working, then tighten the policy to the specific source networks and services required before leaving it in production: a MIP with an Any/ANY permit exposes every listening port on the internal host to the Internet.


Configuring a MIP to a subnet or multiple internal hosts:
The netmask determines how the mapping is done.   If you use a netmask of 255.255.255.255, the mapping is done on a one-to-one basis. If you use a different netmask, then it maps a range of addresses.
Example:
To map the public addresses 1.1.1.1 to 1.1.1.30 to the internal addresses 192.168.1.1 to 192.168.1.30:
CLI:
set interface "ethernet0/1" mip 1.1.1.0 host 192.168.1.0 netmask 255.255.255.224 vr "trust-vr" 
set policy from "Untrust" to "Trust"  "Any" "MIP(1.1.1.0/27)" "ANY" permit

This will result in:
1.1.1.1 maps to 192.168.1.1
1.1.1.2 maps to 192.168.1.2
       ...
       ...
1.1.1.30 maps to 192.168.1.30

Change a MIP

If you have a MIP created and want to change the addresses used in the MIP, it may report that the MIP is 'in use'.  Therefore, perform the following steps to free up the MIP from being 'in use', and make the changes:
  1. Either remove the policy that has the MIP or remove the MIP from the policy (by temporarily changing the MIP address book entry in the policy to another address).
  2. Configure the MIP and make the changes.
  3. Re-add the policy or change the policy back to the MIP.

Key Points:  

Here are some important configuration pointers regarding creating a MIP. If a MIP overlaps with other IP addresses on your network, it can make those other hosts unreachable.
  • If only one address is needed for a MIP, use a netmask of 255.255.255.255. Example: defining 1.1.1.65/255.255.255.255 as a MIP maps that one address to one host address. Do not set the netmask equal to the subnet mask of the Untrust interface IP address: the Juniper firewall answers ARP requests for every address in the subnet defined by the MIP. If the Untrust IP address is 1.1.1.66/255.255.255.248 and the gateway is 1.1.1.67, then a MIP of 1.1.1.65 with netmask 255.255.255.248 covers 1.1.1.64 through 1.1.1.71, which includes both of those addresses, and the MIP will break normal traffic.
  • Make sure the combination of MIP address and netmask does not include the Untrust interface IP address, the default gateway address, or any other device's address on that subnet. Example: if the Untrust IP address is 1.1.1.250/255.255.255.0 and the gateway is 1.1.1.251, then a MIP of 1.1.1.5 with netmask 255.255.255.248 (covering 1.1.1.0 through 1.1.1.7) is acceptable because it does not overlap the Untrust IP or the gateway IP.
  • In ScreenOS 6.0 and below, a MIP supports a public address in a different network from that of the ingress interface only if the ingress interface is in the Untrust zone. In all other zones, the MIP must be in the same network as the IP address of the interface on which it lives. In ScreenOS 6.1 and above, a MIP supports a public address in a different network from that of the ingress interface in any zone.
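The overlap rule in the key points above, and the range arithmetic behind the subnet MIP example earlier, as an added example that is not part of the original post or of ScreenOS: a PowerShell function that expands a MIP address and netmask into the range of addresses the firewall will answer ARP for and reports any collision with the Untrust interface IP, the default gateway, or other hosts you name. The addresses used in the calls are the ones from the bullets above; the function names and the PowerShell 3.0 or later requirement (for [pscustomobject]) are this example's own.

```powershell
# Added example, not from the original post. Check a proposed MIP against the
# addresses the firewall must not hijack before committing it.

function ConvertTo-IpInt {
    # Dotted quad -> Int64, so bitwise operations stay positive in PowerShell
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # big-endian
    [Array]::Reverse($b)                                         # BitConverter wants little-endian
    return [int64][BitConverter]::ToUInt32($b, 0)
}

function ConvertFrom-IpInt {
    param([int64]$N)
    $b = [BitConverter]::GetBytes([uint32]$N)
    [Array]::Reverse($b)
    return (New-Object System.Net.IPAddress -ArgumentList (,$b)).ToString()
}

function Test-MipOverlap {
    param(
        [Parameter(Mandatory=$true)][string]$MipAddress,
        [Parameter(Mandatory=$true)][string]$MipNetmask,
        [Parameter(Mandatory=$true)][string]$UntrustIp,
        [Parameter(Mandatory=$true)][string]$Gateway,
        [string[]]$OtherHosts = @()
    )
    $allOnes = [int64][uint32]::MaxValue
    $mask    = ConvertTo-IpInt $MipNetmask
    $first   = (ConvertTo-IpInt $MipAddress) -band $mask   # lowest address the MIP claims
    $last    = $first -bor ($allOnes -bxor $mask)           # highest address the MIP claims

    # Every address the firewall must NOT start answering ARP for
    $checks = @(
        @{ Label = 'Untrust interface'; Ip = $UntrustIp },
        @{ Label = 'Default gateway';   Ip = $Gateway }
    )
    foreach ($h in $OtherHosts) { $checks += @{ Label = 'Other host'; Ip = $h } }

    $conflicts = @()
    foreach ($c in $checks) {
        $n = ConvertTo-IpInt $c.Ip
        if ($n -ge $first -and $n -le $last) {
            $conflicts += "$($c.Label) $($c.Ip) lies inside the MIP range"
        }
    }

    return [pscustomobject]@{
        Mip       = "$MipAddress/$MipNetmask"
        Range     = '{0} - {1}' -f (ConvertFrom-IpInt $first), (ConvertFrom-IpInt $last)
        Addresses = $last - $first + 1
        Conflicts = $conflicts
        Safe      = ($conflicts.Count -eq 0)
    }
}

# The broken configuration from the first bullet: the /29 netmask swallows
# both the Untrust interface and the gateway.
Test-MipOverlap -MipAddress 1.1.1.65 -MipNetmask 255.255.255.248 -UntrustIp 1.1.1.66 -Gateway 1.1.1.67

# The same MIP as a single host (/32), which is what the bullet recommends.
Test-MipOverlap -MipAddress 1.1.1.65 -MipNetmask 255.255.255.255 -UntrustIp 1.1.1.66 -Gateway 1.1.1.67

# The acceptable /29 from the second bullet, and the /27 subnet MIP from the
# earlier example, both checked against the 1.1.1.250/24 interface setup.
Test-MipOverlap -MipAddress 1.1.1.5 -MipNetmask 255.255.255.248 -UntrustIp 1.1.1.250 -Gateway 1.1.1.251
Test-MipOverlap -MipAddress 1.1.1.0 -MipNetmask 255.255.255.224 -UntrustIp 1.1.1.250 -Gateway 1.1.1.251
```

The first call reports both the interface and the gateway as conflicts; the other three come back clean. Pass the addresses of any other routers, servers or other firewalls that share the Untrust subnet through -OtherHosts, since the firewall will answer ARP for those too if they fall inside the range.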

Troubleshooting TIPS - Unable to pass traffic to a MIP:

When configuring a MIP, the virtual router (VR) in which the MIP host resides plays an important role. If the wrong VR is specified, traffic may not pass correctly. For example, if the MIP's private host resides in the DMZ zone, which is in the untrust-vr, be sure to specify untrust-vr in the MIP configuration.
  • If a MIP is unreachable from the Internet, the next-hop gateway router from the Juniper firewall may have no ARP entry for the MIP address, or a stale entry that associates the MIP address with a different MAC. Two methods can be used to correct this:
    1. If you have management access to the next-hop router, clear its ARP cache, then ping the MIP address again so the router's ARP table is updated.

      OR
    2. Temporarily swap the MIP and Untrust interface IP addresses and ping the gateway address from the Juniper Untrust interface until the router answers. This is simply a creative way to update the ARP table on the next-hop gateway router without logging into it.

      Save the current configuration and then follow these steps to swap the MIP and Untrust IP temporarily:
      a) Remove the incoming MIP policy
      b) Delete the MIP
      c) Change the Untrust IP address to the MIP address
      d) Ping the Untrust interface's default gateway IP address from any device on the Trust LAN until the pings are answered. Steps a) to d) are a work-around to get the next-hop gateway router's ARP table updated.
      e) When the next-hop gateway router can reach the MIP address, switch the configuration back to the original (before step a).
  • If you do not explicitly permit ping to the private host, you will not be able to ping the MIP. The Juniper firewall does not answer pings to the MIP address itself; they are passed on to the server, and the replies are passed back. A failed ping can therefore mean the policy blocks ICMP or the host is down, not necessarily that the MIP is misconfigured.

Wednesday, June 16, 2010

PEMU - Free Cisco PIX Firewall Emulator / Simulator


Introduction 
This is a guide on how to install a free PIX emulator / simulator on a Linux platform. You can also obtain the Windows version, which you can find (along with other tutorials and a forum) at www.7200emu.hacki.at
This software was written by mmm123 and is called PEMU; it is based on the QEMU emulator.
What do I need?
You will need the following in order to install PEMU:
  1. Install guide (how-to) for the Linux platform
  2. PEMU software for the Linux platform
  3. PIX image, obtained via the Cisco website (the PIX runs PIX OS rather than IOS, so a router IOS image will not work)
Bear in mind that you will need to unzip the PEMU software to obtain pemu_2008-03-03_bin.tar.bz2, which you then use when going through the install guide above. You will also find a README file in there with useful information to help with the install.
What do I need to do?
The best option with this version of PEMU is to use pcap: this means you do not have to configure the ifup.ini file, and traffic should run much faster than when just using tap.
You then configure your host (Linux) interfaces to 0.0.0.0 with a subnet mask of the same (or set them to promiscuous mode), and then run the PEMU command with the relevant switches (see below).
Below is the command with the required switches. This presumes you are in the pemu directory:
./pemu -net nic,vlan=1,macaddr=00:aa:00:00:02:01 -net pcap,vlan=1,ifname=eth0 -net nic,vlan=2,macaddr=00:aa:00:00:02:02 -net pcap,vlan=2,ifname=eth1 -serial stdio -m 128 FLASH
With the information and tutorials above you should be able to configure this software without too many problems. If you do encounter issues, visit the forum at www.7200emu.hacki.at and they should be able to help. Note that with pcap the emulated PIX sends and receives frames directly on eth0 and eth1, so run it on an isolated lab network rather than on one carrying production traffic.

Renewing Self Signed Certificate in Exchange 2007

Exchange Server 2007:
Renewing the self-signed certificate posted by Abdul Samad (Riyadh)

Exchange Server 2007 issues itself a self-signed certificate for use with services like SMTP, IMAP, POP, IIS and UM. The certificate is issued for a period of one year.

The self-signed certificate meets an important need - securing communication for Exchange services by default. Nevertheless, one should treat these self-signed certificates as temporary. It's not recommended to use these for any client communication on an ongoing basis. For most deployments, you will end up procuring a certificate from a trusted 3rd-party CA (or perhaps an internal CA in organizations with PKI deployed).

However, should you decide to leave the self-signed certificate(s) on some servers and continue to use them, these need to be renewed - just as you would renew certificates from 3rd-party or in-house CAs.

To renew the certificate for server e12postcard.e12labs.com, a server with CAS and HT roles installed:
Get-ExchangeCertificate -Domain "e12postcard.e12labs.com" | fl

Note the services the certificate is enabled for (by default: POP, IMAP, IIS, SMTP on CAS + HT servers). Copy the thumbprint of the certificate.

Get a new certificate with a new expiration date:
Get-ExchangeCertificate -Thumbprint "C5DD5B60949267AD624618D8492C4C5281FDD10F" | New-ExchangeCertificate

If the existing certificate is being used for SMTP, you will get the following prompt:
Confirm
Overwrite existing default SMTP certificate,
'C5DD5B60949267AD624618D8492C4C5281FDD10F' (expires 8/22/2008 7:20:34 AM), with certificate '3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E' (expires 1/28/2009 7:37:31 AM)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):

Type y to continue. A new certificate is generated.

Thumbprint Services Subject
---------- -------- -------
3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E ..... CN=E12Postcard


The new certificate is generated and enabled. Examine the new certificate:
Get-ExchangeCertificate -Thumbprint "3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E" | fl

The old certificate is enabled for IIS, POP, IMAP and SMTP. The new certificate generated using the above command is enabled only for POP, IMAP and SMTP - IIS is missing.

To enable the certificate for IIS:
Enable-ExchangeCertificate -thumbprint "3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E" -services IIS

This enables the certificate for IIS (in addition to any other services it may already be enabled for - it adds to existing values of the services property).

Test services are working with the new certificate. If it works as expected, the old certificate can be removed:
Remove-ExchangeCertificate -thumbprint "C5DD5B60949267AD624618D8492C4C5281FDD10F"
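The whole procedure above, as an added example that is not part of the original post: a script for the Exchange 2007 Management Shell that finds self-signed certificates close to expiry, clones each with New-ExchangeCertificate, re-applies the original service bindings (so IIS is not lost, which is the gotcha described above), and removes the old certificate only after the new one is confirmed to carry every service. The self-signed test (Issuer equal to Subject), the -DaysBeforeExpiry and -DryRun parameters, and the 30-day default are this script's own assumptions, not features of the cmdlets.

```powershell
# Added example, not from the original post. Renew expiring self-signed
# Exchange 2007 certificates without dropping the services they were enabled for.
param(
    [int]$DaysBeforeExpiry = 30,   # assumed threshold
    [switch]$DryRun                # list candidates without changing anything
)

$cutoff = (Get-Date).AddDays($DaysBeforeExpiry)

# A self-signed certificate has the same DN as issuer and subject (assumption
# used here instead of relying on a vendor property). Skip certificates that
# are not bound to any service; they need no renewal.
$expiring = Get-ExchangeCertificate | Where-Object {
    $_.Issuer -eq $_.Subject -and
    $_.NotAfter -le $cutoff -and
    "$($_.Services)" -ne 'None'
}

foreach ($old in $expiring) {
    $services = "$($old.Services)"      # e.g. "IMAP, POP, IIS, SMTP"
    Write-Host ("Renewing {0} ({1}) expiring {2}; services: {3}" -f `
        $old.Thumbprint, $old.Subject, $old.NotAfter, $services)
    if ($DryRun) { continue }

    # Clone the certificate with a fresh validity period. -Confirm:$false
    # suppresses the "Overwrite existing default SMTP certificate" prompt
    # shown above, so the script can run unattended.
    $new = Get-ExchangeCertificate -Thumbprint $old.Thumbprint |
        New-ExchangeCertificate -Confirm:$false

    # New-ExchangeCertificate carries over POP, IMAP and SMTP but not IIS, so
    # re-apply the full original list. Enable-ExchangeCertificate only adds to
    # the services the new certificate already has.
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $services -Confirm:$false

    $check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
    Write-Host ("New certificate {0} enabled for: {1} (expires {2})" -f `
        $check.Thumbprint, $check.Services, $check.NotAfter)

    # Retire the old certificate only once the new one covers every service
    # the old one had; otherwise leave both in place and warn.
    $missing = ($services -split ',\s*') | Where-Object { "$($check.Services)" -notmatch "\b$_\b" }
    if ($missing) {
        Write-Warning "Keeping $($old.Thumbprint): new certificate is missing $($missing -join ', ')"
    } else {
        Remove-ExchangeCertificate -Thumbprint $old.Thumbprint -Confirm:$false
    }
}
```

Run it first with -DryRun to see which certificates would be touched. As the post says, a self-signed certificate should be a stopgap; once a CA-issued certificate is in place, this script will not select it (its issuer differs from its subject), so it only ever renews the temporary ones.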

Phonetic Alphabet Tables

Useful for spelling words and names over the phone. I printed this page, cut out the table containing the NATO phonetic alphabet (below), and taped it to the side of my computer monitor when I was a telephone help desk technician.
An alternate version, Western Union's phonetic alphabet, is presented in case the NATO version sounds too militaristic to you.
I was inspired to recreate this page and post it online when I overheard a co-worker say "L, as in Log" over the phone.
NATO Phonetic Alphabet
Letter  Code word
A Alfa (commonly written Alpha)
B Bravo
C Charlie
D Delta
E Echo
F Foxtrot
G Golf
H Hotel
I India
J Juliett (commonly written Juliet)
K Kilo
L Lima
M Mike
N November
O Oscar
P Papa
Q Quebec
R Romeo
S Sierra
T Tango
U Uniform
V Victor
W Whiskey
X X-ray
Y Yankee
Z Zulu
Western Union Phonetic Alphabet
Letter  Code word
A Adams
B Boston
C Chicago
D Denver
E Easy
F Frank
G George
H Henry
I Ida
J John
K King
L Lincoln
M Mary
N New York
O Ocean
P Peter
Q Queen
R Roger
S Sugar
T Thomas
U Union
V Victor
W William
X X-ray
Y Young
Z Zero
