Geek Speak

12 Posts authored by: einsigestern
einsigestern

Your Name Here

Posted by einsigestern Feb 25, 2014

Do you manage firewalls and other network devices? Does it sometimes seem that swimming the Great Barrier Reef would be safer? Well, hop out of that shark cage. SolarWinds has the solution that will make you say, "This is so easy, I must be dreaming." Well, it is, and you're not. So, before you put on that Speedo, check out Firewall Security Manager.


PCI DSS and Rule Changes

In Firewall Security Manager (FSM), you can apply rule and traffic flow analysis to check and report on firewall compliance with the Payment Card Industry Data Security Standards (PCI DSS) requirements. FSM reports show which PCI DSS control items failed the audit, and the rules that caused the failure.

After your audit, you can track all the rule changes. Business justification for the change can be recorded and displayed in your reports. You can even use rule change history in Rule Documentation reports to track down who changed the rule that borked your audit, then go take their Skittles.

Debug Traffic Flow enables you to investigate problems in firewall configurations that involve packet flow through a device. You can identify policies, security rules, NAT rules, routes, and implied rules that affect a packet as it zips through a firewall. FSM gives you the tools to explore and debug traffic flows between /24 subnets with up to five services.

Traveling Packets

Would you like to see how packets travel through Layer 3 devices? Packet Tracer identifies all routable paths from the source to the destination, including effects of ACLs, NATs, and routes along each path. You can check if a packet will reach the destination, while you enjoy your confiscated Skittles, and even check which devices and rules within the devices are allowing or blocking the packet.

Sometimes it would be great to have the capability to validate a migration from one firewall type to another. FSM compares their traffic flows and generates a validation report that shows specific differences in policy between two compared devices. For Cisco to Check Point firewalls, use the FSM step-by-step migration wizard.

Standard Naming

Don't you wish you had standardized object naming conventions across an entire set of devices? Sure you do. With FSM you can identify objects that have the same name but different definitions, or objects that have different names but the same definition. Automate finding and eliminating object definition conflicts across multiple firewalls. You can split object definitions into two or more separate definitions, combine object definitions, and apply other object restructuring changes. FSM generates scripts and uses the scripts to modify the existing configuration to use the new standard object definitions.

Wait, that's not all. Watch this blog for information on how to run FSM reports from Network Configuration Manager.

Do you manage firewalls and other network devices? Does it sometimes seem that wrestling a two-headed python would be easier? Well, drop that snake. SolarWinds has the solution that will make you say, "This is so easy, I must be dreaming." Well, it is, and you're not. So, before you open that bag of Gummy Bears, check out Firewall Security Manager (FSM).

Did I Change That?

Your network is out-of-whack, maybe. You really don't know and you need to find out. A few changes here and there might make all the difference, but you can't experiment with your production gear. You need a way to tweak a few settings and see what happens without the risk of bringing the entire system down. This is where the FSM features Impact Monitor, Change Modeling, and Change Advisor really shine.

Impact Monitor helps you track changes in rule and object definitions. You can schedule monitoring, and send automatic notifications when FSM detects changes. Reports describe the changes, and tell you the effect on security and traffic flow.

 

What Happens if I Press this Red Button?

Change Modeling helps you determine the results of proposed changes to ACL, NAT, and route rules before you commit them to production. You can experiment with changes, share them with your team in an offline sandbox environment, and evaluate the security implications of the proposed changes. After you are satisfied with the proposed changes, you can generate scripts to automatically deploy the changes to production environments in a predictable, error-free way.

Change Advisor includes a method for non-technical users to enter firewall change requests. The Change Advisor Web form offers drag-and-drop entry to decrease host name and IP address errors. This eliminates fat-finger mistakes with critical parameters. Then you can automatically determine if the network already satisfies the change request. This eliminates unnecessary requests, and reduces the workload on network engineers. At your option, perform risk analysis of change requests, and enable your security/risk analyst to review security implications. To eliminate trial and error, FSM can automatically identify devices that require change, and provide network engineers with guidance regarding where the changes are required.

Don't miss the next in this series of blogs, titled "Your Name Here."

Herding Cats

Posted by einsigestern Feb 5, 2014

Do you manage firewalls and other network devices? Does it sometimes seem that herding cats would be easier? Well, put away the kibble and fret not. SolarWinds has the solution that will make you say, "This is so easy, I can't believe I'm getting paid to do it." So, before you open another Mountain Dew, check out Firewall Security Manager.

Firewall Security Manager (FSM) is an affordable firewall management product with features that address key issues in managing and auditing firewalls. FSM is integrated with SolarWinds Network Configuration Manager (NCM). This means you can import NCM-managed firewalls into FSM. Here is a sample of FSM functionality:

  • Automated Security Audits - 120-plus customizable checks based on standards from the NSA, NIST, SANS and others.
  • Firewall Configuration and Log Analysis - Isolate redundant, covered, and unused rules and objects.
  • Modeling - Report what effect a new rule, or change to an existing rule, will have on your firewall policy, without modifying your production devices.
  • Change Management - Simplified firewall troubleshooting for your multi-vendor, Layer 3 network devices.

Browse Your Rules and Objects

The FSM Firewall Browser enables you to view and explore security rules, NAT rules, network and service objects, and network interfaces in an easy-to-navigate user interface. You can search for specific rules, objects, and configurations. This makes identifying locations in rule sets that require changes easier than finding that sock your dog stole from the laundry hamper. You can even query firewall behavior to determine traffic flows, and hosts that are exposed to potentially dangerous or risky services.

Redundant=Bad Simplify=Good

FSM enables you to compare different versions of a firewall configuration to determine the disparities. You can compare ACL and NAT rules, network and service objects, and see how the traffic flow differs. Then compare the traffic flows to determine the rule changes responsible for the differences in policy. You can also simplify firewall rule sets and object definitions, identify redundant, covered rules, and analyze log data to determine which rules and objects are not used. Based on the analysis, you can generate scripts to clean up firewall configurations. The Security Audit Report uses security checks based on standard templates or your own customized templates to compare different versions of a firewall configuration to determine how changes to rules or objects affected security.

Is That All There Is?

Fortunately, no. Otherwise I'd have nothing else to write about. But, there is, and I do. So make your mom proud that you chose tech rather than that liberal arts degree, and check back in a week or so for the second installment "Adventures in Network Management."

Big Data: Big Deal?

Posted by einsigestern Jan 24, 2014

In my June 2013 post "Byte Off More Than You Can Chew", we looked at the inconceivable quantity of data collected by the NSA. Maybe this collection is only metadata, but recent revelations, depending on who you believe, may indicate otherwise. This time we wrangle with Big Data.

"Big data refers to our burgeoning ability to crunch vast collections of information, analyze it instantly, and draw sometimes profoundly surprising conclusions from it. This emerging science can translate myriad phenomena—from the price of airline tickets to the text of millions of books—into searchable form, and uses our increasing computing power to unearth epiphanies that we never could have seen before." (1) We can now draw logical conclusions regarding relationships that heretofore we would have never considered. These capabilities are not free. They cost us more than money. Given enough relevant data, predictive models are quite accurate. We can discern the probabilities of events yet to unfold, and we can now do so with frightening accuracy. "It also poses fresh threats, from the inevitable end of privacy as we know it to the prospect of being penalized for things we haven’t even done yet, based on big data’s ability to predict our future behavior." (1) Cue "Minority Report" montage.

"Leaders in every sector will have to grapple with the implications of big data, not just a few data-oriented managers. The increasing volume and detail of information captured by enterprises, the rise of multimedia, social media, and the Internet of Things will fuel exponential growth in data for the foreseeable future." (3)

A yardstick for the popularity of a given topic is the "...For Dummies" book. "Big Data for Dummies" has got it covered. "Big data management is one of the major challenges facing business, industry, and not-for-profit organizations. Data sets such as customer transactions for a mega-retailer, weather patterns monitored by meteorologists, or social network activity can quickly outpace the capacity of traditional data management tools." (2)

Then there is the privacy concern. Who has access to, who collects, and who analyzes big data? These questions, again depending on who you believe, have yet to be answered with veracity. One can assume beneficial goals as easily as nefarious pursuits. "Much of what constitutes Big Data is information about us. Through our online activities, we leave an easy-to-follow trail of digital footprints that reveal who we are, what we buy, where we go, and much more." (1)

Theresa Payton, former White House CIO, offers some food-for-thought on the issue of privacy: "Digital devices have made our busy lives a little easier...we get just-in-time coupons, directions, and connection with loved ones.... Yet, these devices...send and collect data about us whenever we use them, but that data is not always safeguarded the way we assume it should be to protect our privacy. Privacy is complex and personal. Many of us do not know the full extent to which data is collected, stored, aggregated, and used. As recent revelations indicate, we are subject to a level of data collection and surveillance never before imaginable. While some of these methods may, in fact, protect us and provide us with information and services we deem to be helpful and desired, others can turn out to be insidious and over-arching." (4)

 

(1) "Big Data: A Revolution That Will Transform How We Live, Work, and Think" by Viktor Mayer-Schönberger and Kenneth Cukier (Mar 5, 2013)

(2) "Big Data For Dummies" Paperback by Hurwitz, Alan Nugent, Fern Halper, Marcia Kaufman

(3) "Big data: The next frontier for innovation, competition, and productivity " by James Manyika, Michael Chui, Brad Brown, Jacques Bughin, Richard Dobbs, Charles Roxburgh, Angela Hung Byers - McKinsey Global Institute

(4) "Privacy in the Age of Big Data: Recognizing Threats, Defending Your Rights, and Protecting Your Family" by Theresa M. Payton and Ted Claypoole

There may be other items in the news competing for your time, but we happen to think this one deserves special attention:

 

Firewall Security Manager version 6.6 (released November 12) includes a new feature: an Orion Module. The Orion Firewall Security Manager Module enables you to view all your firewall details from the Orion dashboard, alongside any other SolarWinds Orion products. This new FSM/Orion module provides visibility into your firewall inventory and security status, along with the ability to point and click for drill-down details. From the Orion FSM dashboard, you can:

 

  • Get a summary of all the devices that are in FSM, including the PCI summary and the Security Audit summary.
  • View Rule/Object Cleanup reports
  • Review configs and recent changes
  • View firewall details
    • NAT Rules
    • Security Rules
    • Network/Address Objects
    • Service/Application Objects

 

SolarWinds Firewall Security Manager v6.6 is available for download in your customer portal for those customers under current SolarWinds Firewall Security Manager maintenance.

SolarWinds Firewall Security Manager (FSM) is a powerful tool for analyzing firewall configurations and logs to isolate redundant, covered, and unused rules and objects. Without touching production devices, FSM can also model how a new rule, or change to an existing rule, will affect your firewall policy.  FSM simplifies firewall troubleshooting for your multivendor, Layer 3 network devices, and helps fill gaps in your security rules.

Importing Configurations from Network Configuration Manager

After you set up Network Configuration Manager (NCM) to monitor your device configuration changes, and have installed FSM, you can import the device configuration files from NCM into FSM.

To import the device configuration files from NCM into FSM:

In the menu bar, click Add Firewall.


The Import New Firewall window opens.


Choose Import from NCM Repository, then click Next.
The NCM Repository Connection Parameters window opens.

Enter the NCM Server URL, your Username and Password, then click Next.

Choose the device configurations to import into FSM.

After you choose device configurations to import, click Finish.
FSM begins the import process.

When the import process is complete, the imported device configurations are available on the FSM Firewall Inventory tab.

You can now start analyzing the configurations you imported from NCM.

Generating Change Scripts to Run from NCM

To make changes to these configurations in FSM, start a change modeling session.

To start a change modeling session:

In the Firewall Inventory, choose the device.

In the menu bar, click Analyze Change > New Change Modeling Session.

A new Change Modeling Session opens.

You are ready to make changes to the configuration, and test the changes offline. Testing offline enables you to see the effect of your changes before you put them into production.

After you make changes to your configuration, click Generate Change Scripts.
FSM generates a new Change Script. This script includes all the actions required to implement the changes you made to the specified device configuration.

Use NCM to load the change script. Choose the target device, and click Execute.


Together NCM and FSM make a great team to efficiently manage your device configurations!

For more details on Change Modeling, Virtual Packet Tracing, and other Firewall Security Manager functionality, visit our other resources on Thwack, the SolarWinds community.

FSM Web Interface - You Got It!

Soon (just hang on, it's not far off) you'll get to meet the Firewall Security Manager (FSM) Web Interface. This is about the coolest thing that's happened to Network Configuration Manager since blade servers. FSM produces network device audit reports, enables you to model (test) the effect of changes you want to make, and so much more.


Coming to an NCM Near You


The same Network Configuration Manager you know and love has partnered-up with FSM. You'll soon be able to configure, run, and view Cleanup, Security Checks, and PCI Compliance reports using FSM in your browser. This package includes the ability to query traffic flow, run packet traces, and do a VPN Audit.

All for One, One for You


We put this pair of great tools together because we listened to you. I wish I could say more, but we're still busy making this coming release sparkle. We're still fine-tuning. With that in mind, have a look at this:


Watch this space for more news about this new NCM/FSM integration coming Fall 2013.


The National Security Administration (NSA) has been in the headlines recently; something I’m sure every top-secret intelligence agency longs for. In the myriad articles, interviews, and stories about how much data the NSA “gathers” about e-mail contents, phone calls, mobile phone tracking, text messages, and what you feed your cat, you might recall mention of a new NSA facility under construction in Utah. In case you missed this tidbit, just Google “NSA Utah” for a return of a little over 57 million hits.

The big story, for me at least, is not that our government is building a new super-snooper facility in the middle of nowhere, (Apologies to Mormons and other residents of the state.) but the quantity of data the installation is projected to handle.

 

When I heard the term “zettabyte” in reference to the new agency outlet, just like you, I scrambled for my browser to find out just how many a zetta is. According to Wikipedia, a zettabyte is “The zettabyte is a multiple of the unit byte for digital information. The prefix zetta indicates the seventh power of 1000 and means 10^21 in the International System of Units (SI), and therefore one zettabyte is one sextillion (one long scale trilliard) bytes.” (See http://en.wikipedia.org/wiki/Zettabyte. The Wikipedia entry is worth a read.) The new NSA post is estimated to support 5 zettabytes of storage capacity. For the less mathematically astute of us, myself included, in Texas that’s what we call a !@#$load.

 

Let’s dial that zettabyte into perspective: If the earth is ~197 million square miles in surface area (it is), and each square mile is the equivalent of 1 zettabyte, I am in possession of empirical knowledge that my calculator does not produce enough zeroes to show me how many times a zetta of square miles would cover the earth. With excessive confidence, I can now say that a zettabyte should be enough for anyone.

Play

Posted by einsigestern May 9, 2013

My wife is a former clinical psychotherapist in private practice. Although I've been interested in the individual response to events and how those responses affect our worldviews, I'd never given the subject the deep thinking it deserves. When we were dating, I asked my future wife to dinner and a movie. When she found out the movie was "Terminator," she demurred. I asked why. She said that the emotions you experience while watching a movie about (pick a subject) are the same emotions you would experience in reality; in your everyday living. The same neurotransmitters circulate throughout your body.


Think, the shower scene in "Psycho." Alfred Hitchcock was once asked why he didn't portray the frightening scenes in his movies with more graphic images. He replied (paraphrased), "The images the audience creates in their heads are far more frightening than those I could produce on the screen." Hitchcock knew that our imagination, our response to situations, real or artistic representations of reality, are powerful. Orson Welles used this technique in his noir productions. He employed novel camera angles, unexpected lighting, and dramatic presentation to move us emotionally...and we bought tickets to the experience of it.

More to the point, our reaction to any given stimulus is our decision. We own it. We have complete control over it.

Enter Dan Gilbert and his explanation of "Why We Make Bad Decisions." Watch the TED Talk video later if you wish. The condensed version of his concept is "Favorable events actually, measurably do not affect us as well as we imagine they will; negative events do not affect us in a negative way to the extent that we imagine they might." People who win big in the lottery, people who suffer the tragic loss of a loved one, experience life much differently than their minds predict.

Shawn Achor has developed a similar concept with the emphasis on happiness. As John Cleese (Monty Python) once said, "If you want your people to be creative, you must allow them to play." Google, with their 20% time policy has incorporated this concept to great effect. Atlassian, with their off-the-chart sense of humor, has Ozified it.

Achor actually codified the concept. His TED Talk, "The Happy Secret to Better Work," is worth viewing, right now. I dare you to watch it without smiling.

Long ago, after the earth cooled, the dinosaurs died, and DARPA invented the Web, someone cooked-up cookies. At first, they smelled so good...like grandma had just pulled them out of the oven, and she had let you watch her make them and lick the spoon. Now they were all gooey, hot, and new. Well, wake up and smell the coffee, cowboys and cowboyettes. These ain't your grandmother's cookies we're talkin' about.

Browser Cookies

The first cookies of any technological consequence were the browser cookies. These little bytes of bits stored mostly innocuous (This depends on how strictly you define the term.) information about a specific web site you visited. These bytes included some of your activity on the site: maybe the site you were on just before you got there, and your browser specifications, which almost always mentioned your platform specifics. Browser cookies were something convenient. They were chewy, delicious, and left a great taste in your mouth. They were n00bie ch0w in the vast vastness of the new interweb thingy and n00bs gobbled them up like a duck on a bug. You could return to a site weeks later and the cookie enabled the site to welcome you...like grandma...and made your experience much less scary than the one Hansel and Gretel had. Flash forward...

Flash™ Cookies

Onward to the recent future. (Remember my blog about how the future is long gone? We're now in the Post-future Era.)

Adobe invented Flash. Flash enables all kinds of cool stuff...for the folks on the other end of the cookie chain, that is. Often, you land on a site that requires you to install Flash. So, you install Flash, maybe a Flash plugin for your browser, and suddenly your Web experience changes in ways you never imagined before; in ways you couldn't have imagined, because they were unimaginable to most low-info web users...present readership excepted, of course. With Flash cookies, you can play videos, you can view motion graphics, you can now interact with the web, plus, your laundry comes out fresh and clean-smelling as an Alpine breeze.

Many web cerfers (Google it.) never knew/know that Flash cookies are the evil twin of the cookies you were enamored with in your tech youth. Flash cookies, aka LSO (Local Shared Object) scarf-up a whole lot more than where you've been, what you're doing, and what you like. Somehow, Flash cookies are able to look into your very soul and replicate your essence...the thing that makes you you, you know? It's hard to top Ben Nell, Senior Security Engineer at Foreground Security, when it comes to a succinct description, "Flash cookies were designed to track user preferences in Flash applications, and their adoption as a mechanism to keep tabs on our browsing behavior is recent enough that tools that many consumers rely on to clear their cache of advertisers' cookies aren't even looking for them." Let that sink in a moment. With Flash cookies, marketeers have a method to write a file on your computer, and that file contains more about you than you want to know, AND, those rascals hide them in the dark corners of your hard drive; places you never go; places you would never look. A most disturbing aspect of Flash cookies is that they can be shared (Local Shared Objects) to be used by just about any site that wants to use them. From a Popular Mechanics article by John Herrman, "The main problem here—that sites can store and maintain data and tracking cookies through your Flash plug-in, regardless of your browser's privacy settings—is something Adobe is aware of and says will soon be addressed. The latest version of Flash (10.1) already supports the private browsing features of browsers like Firefox and Internet Explorer, which prevent data from being stored locally when activated. Additionally, Adobe says, the company is working with "major browser vendors to develop effective approaches that allow users to control local storage in Flash Player directly from their browser privacy settings"—a fix that could eliminate this problem entirely."

Evercookie

Enter the answer to every marketeer's dream and every user's nightmare, the Evercookie. This tasty JavaScript API morsel hides copies of itself in several, yea many, places on your computer. Delete an Evercookie (if you can find it), and it recreates itself. As a matter of fact, attempt to delete one and it will actively circumvent your efforts. Evercookies not only make my blood sugar rise, they bump my blood pressure up a few points, too. Lest I risk someone kicking my soap box out from under me, have a look at Evercookie. Follow the resource links. Be afraid. Be very afraid, but not so afraid that you fail to check back when, next time, we'll talk about Zombie Cookies.

Help!!!

Posted by einsigestern Mar 18, 2013

In a previous post, I posed the question, "Are printed manuals still necessary?" More to the point, do users really want a printed software manual? In this installment, we look at some of the different methods used to deliver documentation (help).

 

"Embedded help" is installed with the software. One of the advantages of embedded help is that no internet connection is required to use it. For someone who works in a sensitive environment, where communication breaches or file corruption could constitute a significant risk, access to online information might be prohibited. In this situation, typically called a "black box," embedded help might be a critical requirement. Another desirable feature of embedded help is that the information it contains applies to the specific version of software you are using. The downside is that embedded help, like printed manuals, is out-of-date even before the product is released. This is just a fact of software development.

 

"Web-based help" is user documentation delivered via a Web server. The Help button directs you to the software company's site. This method of delivery has many advantages over printed or embedded help. Web-based documentation is, under ideal conditions, continuously updated, massively cross-referenced, available wherever you have an internet connection, and sometimes even interactive. Screen captures, diagrams, and other graphic elements can be zoomed to display specific components.

 

Each of these two methods of delivery enables the development of context-sensitive documentation. This simply means that the link you click, the little question mark or Help button, takes you directly to the topic that is specific to your current task or location (context) in the software. Done properly, context-sensitive help is a fast, efficient way to get the correct information you need to complete your task.-el

The future is so last millennium. The pace has quickened, your time is more precious, there are only 22 hours in a day, and people are releasing their pet pythons into the Everglades. We are now in the post-future era, folks. Things have changed and so have you.

 

Just as with engraved plates, and hand-set type, the day of the printed user manual may already be behind us, but we don't know. We, technical writers, just don't know...not for sure anyway...and we want to know: Do our customers still want a printed user's manual? This question keeps us up nights.

 

A table of contents provides a visual representation of topics. An index offers a finer-grained method to find the information you seek. However, internet search engines have changed us; changed the way we look for information. Think "Google it." Even when we open a PDF on our computer, the fastest path to the information we want is the little search box.


The printed manual question isn't the end, though. How do you like your information served? There's lots of technology available to produce many different content delivery methods. So tell us:

 

  • Printed Manual - yes or no; why
  • Embedded Videos - feature-specific, function-specific presentations in three minutes or less
  • Webinars - extended, instructional, topical, maybe serial
