Archive - Apr 2006

April 11th

Plaxo is great, but you need to be careful with duplication

The online contact database service from www.plaxo.com is great for helping me keep my contacts in sync between Exchange/Outlook and Thunderbird. Once you set up an account, you can install a plugin into Outlook and Thunderbird so that any change you make is synced through the web-based service.

But you need to take extra precautions when you re-install Outlook. I once had Plaxo create all the entries from the online database in the Outlook/Exchange database when I re-installed the Outlook client. Every contact item was doubled into two identical items. As I didn't want to pay for the premium service just to fix this kind of duplicate, I had to go through around two hundred items to remove the redundant ones. I often like redundancy when I design my network, but not this kind. :-) After that, I deleted the contacts folder on the Plaxo web site and re-synced.

So when you re-install Outlook, which will retrieve contacts from the Exchange server, just delete the contacts/calendar etc. on the web site first; then you can install the Plaxo plugin and sync up to the web server.

Or you can delete all contacts/calendar etc. on your Exchange server first, then install the plugin to pull data from the web server.

As a good practice, it's always good to back up data using the export from the Plaxo web site.

April 7th

NTOP is a memory hog

It's a great tool for dissecting your traffic types. You can use it to analyze traffic patterns into your site when you put it outside your firewall, or you can use it to analyze your users' behavior when it is installed on your user segment. It detects the host OS properly. The report is very detailed, including active sessions, their latency, etc.

One of the active sessions:

[Image: ntop active session]

This test was done on a Dell 750 server with P4 2.8G, 512M RAM and 80G SATA HD.

But when the network is busy, NTOP eats up memory very fast. For example, it used about 300M of memory when "85.0 MB [324,151 Pkts]" had passed its horizon, and about 700M after "203.6 MB [691,806 Pkts]" had passed. The good news is that memory growth slows down after reaching some point: it was around 800M after "504.3 MB [1,624,032 Pkts]", and it's now 1.1G after "1.1 GB [3,821,462 Pkts]".

I checked www.ntop.org, which says of the memory requirement: "In general it ranges from a few MB (little LAN) to 100 MB for a WAN." Why did the memory usage keep rising on my machine? Something is not right. It's probably because I am using the NTOP bundled with NST. Need to find out.

The data files only occupy a couple of megabytes.

According to the man page, "-x -X ntop creates a new hash/list entry for each new host/TCP session seen. In case of DOS (Denial Of Service) an attacker can easily exhaust all the host available memory because ntop is creating entries for dummy hosts. In order to avoid this you can set an upper limit in order to limit the memory ntop can use." and " -c --sticky-hosts Use this parameter to prevent idle hosts from being purged from memory." In the current conf file, there is no sticky option and no -x or -X.

I tried using both -x 1000000 and -X 1000000 with ntop; will see the result soon.

April 3rd

An example of the snowball effect caused by misconfigured workstation network properties

This afternoon I noticed that one of my virtual PCs could not connect to the Internet. At first I thought it could be the buggy Microsoft Virtual PC software/WinXP, so I restarted the whole thing, including the host OS, as I had not restarted it for a long while. It didn't work! As I have access to all firewalls/switches for security admin purposes, I decided to give it a shot.

Soon I found out from one of the firewalls' ARP tables that the MAC for the IP of my virtual PC was not the one it should be. I checked the DHCP server but didn't find anything wrong, and my virtual PC was getting that IP perfectly fine. Someone was using a static IP in the DHCP range, again! It didn't take much time to find Tony, who realized the issue right away, and here is his explanation. He started his workstation in the morning but found he could not get anywhere. He restarted a couple of times and eventually changed his IP to the one next to the IP assigned by DHCP. Another static IP in the DHCP range! So I asked him to release it and wait for my further instructions. Then I worked with my network engineer to find out who was using this IP. Soon another workstation was found and disconnected. I asked Tony to renew his IP and made sure he was happy to do his work. Then I got my virtual PC connected.

Now the problem is resolved. I sent out an email to my team as a reminder about DHCP discipline. It's lucky that not too many users were affected today, but it could end up in big chaos if more people were affected, set up static IPs, and then affected even more people.

So policy comes in as a vital player, along with user education, etc.

This can be restricted in a variety of ways in an environment that requires higher security.
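
The ARP-table-versus-DHCP check used in this post can be automated. The following is an added example, not part of the original post: it flags every address inside the DHCP pool whose observed MAC differs from the lease holder or that has no lease at all. The ARP text format (Linux `arp -an` style), the pool range and all addresses and MACs are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample data: pool range, leases and ARP output are assumptions.
DHCP_POOL = (ipaddress.ip_address("192.168.10.100"),
             ipaddress.ip_address("192.168.10.200"))
LEASES = {  # IP -> MAC as recorded by the DHCP server
    "192.168.10.119": "00:11:22:33:44:02",  # workstation that could not get online
    "192.168.10.120": "00:03:FF:AA:BB:01",  # virtual PC
}
ARP_TABLE = """\
? (192.168.10.119) at 00:0c:29:de:ad:03 [ether] on eth1
? (192.168.10.120) at 00:11:22:33:44:02 [ether] on eth1
? (192.168.10.150) at 0:c:29:be:ef:4 [ether] on eth1
? (192.168.10.10) at 00:1a:2b:3c:4d:05 [ether] on eth1
? (192.168.10.130) at <incomplete> on eth1
"""

ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2})\b")

def norm_mac(mac):
    """Lower-case and zero-pad each octet so MACs compare reliably."""
    return ":".join(f"{int(part, 16):02x}" for part in mac.split(":"))

def parse_arp(text):
    """Yield (ip, mac) for resolved entries; <incomplete> lines are skipped."""
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            yield m["ip"], norm_mac(m["mac"])

def find_rogue_statics(arp_text, leases, pool):
    """Return (ip, observed_mac, reason) for pool addresses not held by their lessee."""
    leases = {ip: norm_mac(mac) for ip, mac in leases.items()}
    findings = []
    for ip, mac in parse_arp(arp_text):
        if not pool[0] <= ipaddress.ip_address(ip) <= pool[1]:
            continue  # outside the pool, static addressing is expected
        leased_to = leases.get(ip)
        if leased_to is None:
            findings.append((ip, mac, "no lease on record"))
        elif leased_to != mac:
            findings.append((ip, mac, f"leased to {leased_to}"))
    return findings

if __name__ == "__main__":
    for ip, mac, reason in find_rogue_statics(ARP_TABLE, LEASES, DHCP_POOL):
        print(f"{ip} answered by {mac}: {reason}")
```

In the sample data, the second finding shows the knock-on effect from the post: the MAC that holds the lease for .119 turns up on .120, the address leased to the virtual PC.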