Archives 2008

When security best practices collide (Crippling iSCSI in Windows)

As a security guy, I can tell you – There are a lot of really good security best practices to be applied across all systems, applications, servers and a world over. But when implemented unchecked – Problems will arise.

What I am talking about specifically is this little doozy – EnablePMTUDiscovery

Value name: EnablePMTUDiscovery
Key: Tcpip\Parameters
Value Type: REG_DWORD
Valid Range: 0, 1 (False, True)
Default: 1 (True)

The following list describes the parameters that you can use with this registry value:

  • 1: When you set EnablePMTUDiscovery to 1, TCP attempts to discover either the maximum transmission unit (MTU) or then largest packet size over the path to a remote host. TCP can eliminate fragmentation at routers along the path that connect networks with different MTUs by discovering the path MTU and limiting TCP segments to this size. Fragmentation adversely affects TCP throughput.
  • 0: It is recommended that you set EnablePMTUDiscovery to 0. When you do so, an MTU of 576 bytes is used for all connections that are not hosts on the local subnet. If you do not set this value to 0, an attacker could force the MTU value to a very small value and overwork the stack.

    Important Setting EnablePMTUDiscovery to 0 negatively affects TCP/IP performance and throughput. Even though Microsoft recommends this setting, it should not be used unless you are fully aware of this performance loss.

    That little excerpt taken from:
    How to harden the TCP/IP stack against denial of service attacks in Windows 2000

    This KB article is still used and is applicable to the Windows 2003 space, but what does this do exactly?

    This will drop all transmissions over TCP/IP down to 576 byte packets. Oh and this is a global setting.
    So, you go to connect up to an iSCSI LUN, and it connects up just fine.
    Your host is working, your storage is working everything is all doozy.

    When you start to try to actually -use- that connection for storage though, you’ll begin to experience exponential latency. This latency will translate into IOPS problems and access to the disk, masking this making it appear to be a disk issue. This effectively cripples your application, yet is hidden so well from the system as a problem without sniffing or using something like mturoute you’d never know it is happening.

  • MTURoute is your friend and will help you determine your current MTU

    With that said, on any systems with iSCSI connectivity, I strongly encourage you to NOT disable this setting, ensuring that EnablePMTUDiscovery is always set to 1

    Thanks for your time!

  • Cisco and VUE get SERIOUS about Certification testing!

    I received this email today… see below! It’s amazing!

    Cisco and Pearson VUE Launch Global Test Delivery Exam Security Enhancements

    Cisco and its global testing provider, Pearson VUE, a business of Pearson Inc. are pleased to announce a series of security enhancements that will reinforce the integrity and value of its Career certification program.

    The advanced security enhancements include the use of digital photographs for candidate-identity verification and forensic analysis of testing data. The new measures, to be implemented beginning on Aug. 1, will include:

    * Photo on Score Report and Web – On completion of a certification exam at the test center, candidates will receive preliminary score reports imprinted with their photos and unique authentication codes. The authentication code can be used to access a candidate’s official score online at Pearson VUE’s website usually within 72 hours of the examination. The online score report will also display the candidate’s photo. Candidates may share access to their online records with employers or other third parties.

    * Forensic Analysis – Exam results and other testing data will be continuously analyzed by forensic software to detect aberrant testing behavior and to flag suspect exams for further investigation.

    * Preliminary Score Report – All paper score reports will be preliminary, pending the results of forensic analysis, until official exam scores are posted to the Web usually within 72 hours of exam completion. Once the exam scores are official, candidates may use the authentication codes on their score reports to access the Pearson VUE website for score and photo verification.

    These new exam security measures are part of Cisco’s overall strategy to protect the value and integrity of its certifications. Other measures include simulation-based testing, dynamically generated questions and emulations to help ensure that Cisco certified networking professionals continue to have the knowledge, skills, and credentials to perform well on the job.

    So, you might be thinking “What does this mean to me?”

    This means a new era is upon us! A new way of testing! A whole new paradigm shift…
    Well, not exactly.

  • The picture – Okay idea, sounds kind of interesting and making content available online at your choosing great!
  • The forensic analysis – that’ll be interesting. Hopefully a lot of very skilled people, or learning folks do not get completely burned by this. Oh wait, I must forget who I’m talking about.
  • Am I confusing Cisco – the company who guarantees your certification will expire in 2 years (sometimes 3!) with another company? I must be confused.

    No, alot of people WILL get burned, that’s a fact. This is the positive out look on it.
    Walk in, expecting this to be painful, and I think we’ll be fine.

    I expect and imagine a lot of very good things from this, hopefully inclusive with this is a reform of the entire Cisco Certification track to make it more applicable, viable and useful – Too much memorization involved.

    Good Luck!

    CWUG Tonight in Chicago

    Historically I’ve been pretty bad about announcing the CWUG here on PKGuild – Today is no exception!

    Tonight is the CWUG in Chicago! 77W Wacker and all that goodness.
    We’ll actually be kicking off with a tour of the MTC (Microsoft Technology Center) and all of the goodness which surrounds that. – Here is the information, which is also posted on our Portal

    July Meeting
    Monday, July 21st Microsoft Office, 77 West Wacker, downtown Chicago
    Register Now!

    4:30 p.m. MTC (Microsoft Technology Center) Tour!
    5:00 p.m. – 5:30 p.m. Dinner/Networking
    Windows Vista Gadget Contest Submission Deadline
    5:30 p.m. – 6:15 p.m. Room Introductions/Meeting Kick Off
    6:15 p.m. – 7:30 p.m. First sessions
    Session 1: Automating Windows Desktop Deployments with OSD360 – presented by CyniOS Technologies
    Session 2: Windows Live – production software and a look at some of the betas
    7:30 p.m. – 8:30 p.m. Windows Home Server – PC backup and restore (Live demo!)

    Hope to see you folks tonight!

    Study Tips for SQL 2008 and BI Beta Exams (71-432, 71-448)

    So, you’re planning to take the beta exams, but you want to have a LITTLE more hands-on to prepare yourself!

    Well, look no further! (Well, do look further, but check this out as well)

    Books! Read Read Read away!

    SQL Server 2008 Books Online Release Candidate (RC0)

    Virtual Labs – These are a wealth of information, labs and “live” systems to play with!
    TechNet Virtual Labs: SQL Server 2008
    TechNet Virtual Labs: Business Intelligence

    Hopefully this gives you that headstart you’re looking for, outside of what you already know!