Archive for January, 2006

Proper Network Design

January 31, 2006

Setting up a network of computers is a lot of fun, even if you’re getting paid to do the job. But maintaining, and using, a properly designed and setup network is a lot more fun than maintaining, and using, an improperly designed one. Be aware of some common pitfalls. Proper design, in many cases, is cheaper, and less complex, in the long run.

  • Cabling. Making your own Ethernet cables may look like fun, but it’s not.
  • Grouping. Setting up a domain is not for everybody, but it will make your life easier in many ways.
  • Networking. Using a NAT router for connecting just one computer to the Internet, or for connecting just 2 computers to each other, is cheaper and safer in the long term.
  • Wired or Wireless LAN? Using WiFi is great – when you truly need it. But know the limitations.
  • Firewire / USB Networking. In a pinch, a Firewire or USB port can work as an emergency network device. But they aren’t good long term solutions.


Ethernet Cabling – It’s Not A Good First Time Project
An Ethernet cable is more than a simple group of small wires – it’s actually an electrical system in its own right. The specifications for a 10M Ethernet cable are pretty complex – for 100M cable, you have to be more careful. And Gigabit Ethernet cable requires special equipment.

If you’re a professional, and setting up a large office, hire an experienced and licensed electrician. If you’re setting up your own small network, whether for a small office or for your home, and you’re just starting with Computer Networking, buy premade, and tested, cables at a computer store.

Don’t learn computer networking starting with making your own cables. Setting up an infrastructure, using reliable cabling, is cheaper, and easier in every respect. Don’t start with do-it-yourself Ethernet cabling, when you’re setting up a network.


Domain vs Workgroup – A Little Effort Can Go A Long Way

Every Windows computer will act as a server, but only computers running a true server Operating System – Windows 2000 Server, or Server 2003 – can provide a domain. And setting up a domain is not a good project for your first network. But domains have their advantages as well as disadvantages.

If you have any network expertise, and a server operating system, consider setting up a domain. It’s good for you, in the long run.


Networking Computers Is Cheaper, and Simpler, With a NAT Router
If you have one computer, sitting in your office, and connected to nothing, you have just one computer. If you connect that computer to the Internet, or to another computer, you have a piece of, or the beginning of, a network.

  • The simplest way to connect your single computer, to the Internet, is to connect the modem (Cable, dial-up, or DSL), externally, to your computer. Or install the modem internally.
  • The simplest way to connect your two computers, to each other, is to connect them using a cross-over cable.

In neither case is this true, in the long term.

  • Using a NAT router to connect as few as one (as well as multiple) computers, to your Internet service, is an essential component in layered security.
  • Using a NAT router to share Internet service, between as few as two (as well as multiple) computers, is almost as cheap as using ICS. And it’s far simpler. ICS was a good idea long ago, but it’s not today.
  • Using a NAT router to connect your computers, and / or to share your Internet service, is easily scalable. When you get your second (or third or whatever) computer, just connect it to an available router port. How do you do that with ICS and a cross-over cable?

When you get your first computer, buy your first NAT router. And make sure the router can share the Internet service.

  • If the Internet service is dialup, make sure that you get an external dialup modem, and a router capable of handling dialup.
  • If the Internet service is broadband, cable or DSL, make sure that you get a broadband modem with an Ethernet port. If the modem only has a USB port, get a better modem.


Choosing A Wired or Wireless LAN Is An Important Decision
When you setup a network of computers, in your home or small office, a mass of Ethernet cables running everywhere can be a problem. WiFi, or Wireless networking, can provide relief from the mass of cables. But WiFi is NOT a replacement for Ethernet, for many reasons.

  • Scalability. With a 100M Ethernet cable, you could have up to 200M of data flow (with send and receive simultaneously), between a single pair of computers. Each pair of computers in your office can conduct a separate, yet simultaneous, 200M conversation.

    With 54M WiFi, all of the computers in your home or office, and all of the computers in your neighbor’s home or office, will all share the same 54M channel. Actually, there are 3 54M channels – but if you have even 1 neighbor, chances are that there will be more than 3 networks within range, so you’ll have to share with at least one other network. And all of your computers will share that one 54M channel. The 54M channel is not a maximum – a 108M channel is a possibility. But there are limitations to that possibility.

    And there are other factors which will prevent you from getting an actual 54M, let alone 108M, of data flow.

  • Security. Ethernet cables stay in your home or office – when you lock your door, your cables, and computers, are secure. The WiFi signal, on the other hand, travels through your walls, and down the block, to your neighbors’ computers. You have to use extra security precautions, with a WiFi LAN.
  • Stability. Your WiFi neighbors will come and go, constantly. You have WiFi devices politely, and impolitely, sharing the channel. And, you’ll have noise on the channel. Noise can come from many electronic sources.
    • Baby monitors.
    • Computers.
    • Cordless phones.
    • Microwave ovens.
    • Wireless stereo speakers.

If you truly need WiFi, then use it. The convenience of surfing the Internet from your bedroom is great. But know the limitations of WiFi, before investing a lot of time, and money, needlessly. For many LANs, Ethernet cabling will always be a better solution.

Firewire / USB Networking
Ethernet and WiFi are two dominant standards in networking. Ethernet for massive bandwidth (10G networks are coming closer), and WiFi for convenience. They both have tradeoffs.

Now just about any desktop computer that you may buy today will have an onboard Ethernet port. Most laptops that you buy will too, and most laptops will also have WiFi. And both desktop and laptop computers have a third networking possibility – Personal Area Networking, aka Firewire / USB. Firewire and USB are competing standards. Most computers will have one, if not both, ports. These ports allow you to connect most modern computer peripherals, such as a keyboard, pointing device (pka mouse), even a portable mass storage device (pka disk drive).

Properly designed Firewire / USB devices will use drivers already installed in Windows, and will support hot plugging. You’ll be able to connect or disconnect such a device with the system running, at a moment’s notice.

And that’s the strength of Personal Area Networks – the ability to attach and remove any accessory to your computer at will.

Now a PAN is a client (peripheral) – server (computer) relationship. The client attaches to the server (peripheral to computer). Networking computers is more or less a peer – peer relationship. But it’s possible to buy a Firewire or USB cable, with an embedded hub, that will act like a client to the PAN bus, and like a peer to the networking stack in the operating system. With a special cable, you can setup a PAN between two computers.

So if one or more computers don’t have an Ethernet or WiFi adapter, you can setup a physical network conveniently. But you will still have to define the logical network between the two computers. Setting up an IP based network, to share files between 2 computers, requires a significant amount of effort. That’s in addition to loading the drivers to support the PAN itself. And there’s no absolute guarantee that any PAN driver will work, between any 2 computers.

Ethernet and WiFi, on the other hand, are de facto standards for networking computers. They are designed for long term connection of computers. And there are a lot of people who know how to install, configure, and support Ethernet and WiFi.

And what if you have another device connected to the PAN bus on your computer? If you have a USB keyboard / mouse, and you’re using a USB based network to connect to the Internet, your Internet access will have to share activity with your typing and cursor movement. The Ethernet bus was designed for inter-computer connections, and is dedicated to that purpose.

In short, if you have an emergency, and can’t open up your computer to install an Ethernet adapter, AND both computers in question have Firewire or USB ports, AND you have a Firewire or USB networking hub / cable, using Firewire or USB is a good short term solution. But in the long run, using Ethernet or WiFi to connect your computers makes more sense.

Providing Diagnostic Data

January 24, 2006

As I’ve said elsewhere, when you need help with a problem with Windows Networking, or Internet connectivity, the smart thing to do is to post a problem report, in a reliable and serious help forum, on the Internet. Unless you live on the edge, the chances are that somebody has already experienced your problem, and may already have a solution for it.

So post a properly written help request, with useful details, and wait for a response. When you get a response, the chances are it will include a request for some diagnostic data – for instance “browstat status”, or “ipconfig /all”.

Having run the requested diagnostic, what are you going to do to include it in your next post? How you post your diagnostic data is almost as important as how you wrote the original problem report.

When you post diagnostic data, please post it as in-line text. Please do not use either attachments or pictures. This is very important in the serious help forums, where the experienced helpers may be overworked, and would appreciate your help.

  • Helpers work best when they can review your problem description and diagnostic data together, in the same message. Having to switch between multiple windows, with the problem description in one, and the diagnostic data in another, is not an efficient process.
  • Sometimes, your diagnostic data needs to be extracted, as text, and fed to another program (maybe a script to analyse it).

You want help? I assume the answer is “Yes”, since you’re here. Then Help The Helpers. In this example, we’ll see how to provide “ipconfig /all” output.

  • First, run

    ipconfig /all

    from the command prompt. Examine the output, and make sure that it’s what you wanted.

  • Next, run two commands, one after the other

    ipconfig /all >c:\ipconfig.txt
    notepad c:\ipconfig.txt

    from the command prompt. Note that you will get no feedback from the first command; the second will simply pop open a Notepad window. Nothing will show in the command window, except your commands.

  • Highlight the text in Notepad. Either selectively highlight text with the mouse, or hit Ctrl-A to highlight all of it.
  • Copy the highlighted text.
    • In most cases, Ctrl-C will work. Otherwise,
    • Right click on the highlighted text, and select “Copy” from the context menu, or
    • From the Edit menu, select “Copy”.
  • Paste the text into your message. Ctrl-V to Paste.

When you provide logs, such as “browstat status” or “ipconfig /all”, please note that there is much detail in there that may look useless to you. You may be afraid of revealing all of the details to strangers, too.

But be aware that the smallest detail in either of those diagnostics may prove useful in identifying your problem. Some details in there are useful in setting up the next step in diagnostics – CDiag, for instance. So when you’re tempted to edit the contents of either log, please resist the temptation. We’re trying to help you – help us to help you. Copy the entire content of each log into your posted messages. Please.
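Line 100 above mentions feeding the posted text to a script. As an added example (not code from the original post), here is a small Python parser that reads the text of “ipconfig /all”, in the Windows XP layout shown by the procedure above, and reports the things a helper looks at first: an Autoconfiguration (169.254.x.x) address, a missing default gateway, or DHCP enabled with no DHCP server answering. The sample output, the host name, the adapter descriptions and all addresses in it are constructed for this example; the field names are the ones Windows XP prints.

```python
"""Parse the text of "ipconfig /all" (Windows XP layout) and flag the
things a forum helper checks first.  Added example; the sample below is
constructed, not a real capture, and every address in it is made up."""
import re

SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : EXAMPLE-PC
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Example Ethernet Adapter
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            192.168.1.2

Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : Example WiFi Adapter
        Physical Address. . . . . . . . . : 00-AA-BB-CC-DD-EE
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Autoconfiguration IP Address. . . : 169.254.37.12
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :
"""

# "Ethernet adapter Local Area Connection:" -> adapter name in group 2
ADAPTER_RE = re.compile(r"^(\S.*adapter (.+)):\s*$")
# "        Field Name . . . . : value"  (value may be empty)
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*: ?(.*)$")


def parse_ipconfig(text):
    """Return {"_global": {...}, adapter_name: {field: [values]}}.
    A field may have several values (e.g. two DNS servers): continuation
    lines carry only the value, indented, with no colon."""
    sections = {"_global": {}}
    current = sections["_global"]
    last_field = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current = sections.setdefault(m.group(2).strip(), {})
            last_field = None
            continue
        m = FIELD_RE.match(line)
        if m:
            last_field = m.group(1).strip()
            values = current.setdefault(last_field, [])
            if m.group(2).strip():
                values.append(m.group(2).strip())
        elif last_field is not None and line[0].isspace():
            current[last_field].append(line.strip())  # continuation value
    return sections


def first(fields, key):
    """First value of a field, or "" when the field is absent or empty."""
    values = fields.get(key) or []
    return values[0] if values else ""


def adapter_findings(sections):
    """Return (adapter, finding) pairs for the usual first-look checks."""
    findings = []
    for name, fields in sections.items():
        if name == "_global":
            continue
        ip = first(fields, "IP Address") or first(fields, "Autoconfiguration IP Address")
        if ip.startswith("169.254."):
            findings.append((name, "APIPA address %s: no DHCP lease was obtained" % ip))
        elif not ip:
            findings.append((name, "no IP address at all"))
        if not first(fields, "Default Gateway"):
            findings.append((name, "no default gateway, so no route off the LAN"))
        if first(fields, "Dhcp Enabled") == "Yes" and not first(fields, "DHCP Server"):
            findings.append((name, "DHCP enabled but no DHCP server answered"))
    return findings


if __name__ == "__main__":
    for adapter, finding in adapter_findings(parse_ipconfig(SAMPLE)):
        print("%s: %s" % (adapter, finding))
```

Pasted in-line, as the post asks, the text round-trips through this parser unchanged; a screenshot or an edited log gives the script (and the helper) nothing to work with.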

Windows XP System Restore

January 12, 2006

With Windows XP, Microsoft included a feature that keeps a copy of key system settings. In case you make a mistake configuring a system setting, or some basic application setting, you may be able to, conveniently, recover the system to a previous state before the mistake.

Windows XP automatically makes periodic copies, which it calls System Checkpoints. You can manually make copies too. Windows XP includes the System Restore wizard, which you can run from All Programs – Accessories – System Tools – System Restore.

When presented the System Restore wizard initial menu, you have 2 choices.

  • Restore system settings (“Restore my computer…”).
  • Create a restore point.

Recover To A Restore Point
If you need to recover system settings to a previous time, and System Restore was enabled some time previous, you will be presented a calendar which will identify System Restore points previously created. Upon your selection of a restore point, the system will recover itself to that point. You should plan to restart the computer, so closing all open applications first would be a good idea.

  • Close all open applications.
  • Start the System Restore wizard.
  • Select “Restore my computer…”.
  • Select a restore point, from the calendar, then from the restore point inventory.
  • Hit Next, and follow instructions.

Remember that when you restore to a given past point, all affected changes made after that point will have to be repeated. And remember that System Restore has a limited scope:

  • You should not plan to go back too far. The farther back you go, the more desired system changes will be wiped out, and will have to be repeated.
  • Don’t plan on too many application changes being covered by System Restore.
  • Don’t plan on ANY data files – Windows or third party – being covered.

Create A Restore Point
If you plan to make some system configuration changes, or reload key system files, it’s a good idea to create a System Restore point. Just don’t go overboard – note the limitations described above.

  • Start the System Restore wizard.
  • Select “Create a restore point”.
  • Give a name to your restore point. Make the name unique and descriptive, and note that the name you pick can’t be changed later.
  • Hit Next, and follow instructions.

Note The Limitations
System Restore is NOT a backup and recovery tool. Don’t count on System Restore for system backups in general. For more information about System Restore, see How to restore the operating system to a previous state in Windows XP.

Enable System Restore First
To be used, System Restore has to be enabled. It may have been enabled by system setup, but it’s not a bad idea to make sure it’s active. In the System Properties wizard, select the System Restore tab. You enable System Restore for each partition that you wish it to be active on.

Since I, personally, separate my hard drive into 3 partitions (System, Applications, and Data), I enable System Restore on two partitions: C: (System) and D: (Applications). I don’t need the overhead, which would not be productive, on my Data partition, so I leave my E: drive not monitored. This decision is entirely up to you.

Also up to you is the Disk Space usage. For each partition monitored, select that partition, and hit Settings. This will give you a control that will let you adjust how much space you wish to be used, by multiple System Restore checkpoints.

NAT Routers With UPnP – Security Risk, or Benefit?

January 9, 2006

NAT routers, in general, only open ports when necessary. When an application, running on a client computer on your LAN, wants to communicate with a server outside the LAN, it sends a packet out. The NAT router does 4 things, in sequence:

  1. Opens a port which points back to the client computer that sent the packet.
  2. Sends the packet to the distant computer, giving its IP address, and the port that was just opened.
  3. Waits for a return packet from the distant computer.
  4. Forwards the return packet from the distant computer to the client computer that started the whole thing.

Now, NAT is stateful. This is a reason why a NAT router is said to provide protection like a firewall (though a NAT router is NOT a firewall). The port that is opened, from the outgoing packet, only responds to the address of the distant server. Thus when a port is opened, only replies from the distant server will be returned to the client computer on the LAN. Packets from any other computer, to that port, simply get dropped by the NAT router.

NAT, in its purest form, only supports client computers. Unless a client computer opens a port with an outgoing packet, no incoming traffic gets passed, by a NAT router, to any LAN computer.

So how do you use a server (a computer that waits for unsolicited incoming packets) behind a NAT router? Before UPnP, you would use either Port Forwarding, or Port Triggering.

  • With Port Forwarding, you define fixed ports, to be forwarded to a fixed IP address. Those ports are opened when they are defined, and stay opened forever. The ports must be defined, and opened, before they are needed.
  • With Port Triggering, you define fixed ports, to be forwarded, when specific other ports are opened, by any application on any computer. Those ports are opened when triggered, and stay open forever. The ports must be defined before the triggered port is needed.
  • With UPnP, the UPnP capable application tells the router, precisely when needed, what ports are to be opened, and forwarded to what (potentially dynamic) IP address. And properly written UPnP applications will also tell the router when to close those ports.

Many well meaning security experts see UPnP as a security risk. If you have uncontrolled applications running on your computer, they can control your router, have it open ports at will, and create security risks.

If your computer has uncontrolled applications running on it, you’ve already lost that battle. You need to learn about detecting and removing malware (get rid of any existing untrustable software), and then you need to learn about protecting your computers properly (keep any future untrustable software off your computer).

UPnP is just as reliable, and as safe, as any applications running on your computer. If you control your computers properly, and ONLY trusted applications run on them, UPnP is perfectly safe. If you don’t control your computers properly, applications hijacking UPnP to open holes in your router will be the least of your worries.

UPnP is actually more secure when your computers can be trusted. UPnP, as I state above, will dynamically instruct the router to close specific ports when they are not needed. Port forwarding, and port triggering, leave ports open forever.

The other advantage of UPnP is that it allows you to have servers on your LAN, using dynamic IP addressing. Port forwarding requires a server to have a fixed IP address. Port triggering, depending upon the NAT router, may or may not require a server to have a fixed IP address.

  • With port forwarding, or port triggering, you can have only a single computer on the LAN running a given server application. A predefined port can be forwarded to only one server.
  • With UPnP forwarding, multiple computers can run the same UPnP compliant application, such as an IM program. The server application can negotiate with the router, as necessary, and have the port forwarded.

Bottom line? A properly written UPnP capable application is more functional, and no less secure, than an equivalent non-UPnP capable application. On a LAN with a properly designed layered security strategy, it will not create a security risk.
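To make the argument concrete, here is an added Python model (not code from the original post, and not a real router implementation) of the 4-step stateful NAT sequence, the three ways of admitting unsolicited traffic described above, and the “open forever” versus “closed when done” difference that the post rests on. It models only the router’s decision to deliver or drop a packet. The router’s public address, the LAN addresses, the outside hosts and every port number are constructed; the outside addresses are taken from the RFC 5737 documentation ranges. The UPnP calls are simplified stand-ins for what the post describes (add a mapping, delete a mapping), not the real UPnP protocol.

```python
"""Toy model of a stateful NAT router with port forwarding, port
triggering and UPnP-style mappings.  Added example; the addresses and
ports below are constructed for illustration."""
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    WAN_IP = "203.0.113.1"  # constructed public address of the router

    def __init__(self):
        self._next_port = count(40000)
        # Ports opened by outgoing packets.  Each entry remembers who sent
        # the packet AND whom it was sent to, so only that server's reply
        # is let back in: this is what makes the NAT stateful.
        self.dynamic = {}    # public_port -> (lan_ip, lan_port, remote_ip, remote_port)
        # Port forwarding: defined in advance, open forever, anyone may connect.
        self.forwards = {}   # public_port -> (lan_ip, lan_port)
        # Port triggering: when any LAN host sends to trigger_port, the listed
        # inbound ports are opened toward that host, and stay open.
        self.triggers = {}   # trigger_port -> [inbound ports]
        self.triggered = {}  # public_port -> (lan_ip, lan_port)
        # UPnP-style mappings: added by the application, removed when done.
        self.upnp = {}       # public_port -> (lan_ip, lan_port)

    # Configuration done once by the administrator.
    def add_forward(self, public_port, lan_ip, lan_port):
        self.forwards[public_port] = (lan_ip, lan_port)

    def add_trigger(self, trigger_port, inbound_ports):
        self.triggers[trigger_port] = list(inbound_ports)

    # Requests made by a UPnP capable application (simplified stand-ins).
    def upnp_add_mapping(self, public_port, lan_ip, lan_port):
        self.upnp[public_port] = (lan_ip, lan_port)

    def upnp_delete_mapping(self, public_port):
        self.upnp.pop(public_port, None)

    def outbound(self, pkt):
        """Steps 1 and 2: open a port pointing back at the sender, and
        return the packet as the distant computer will see it."""
        public_port = next(self._next_port)
        self.dynamic[public_port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for port in self.triggers.get(pkt.dst_port, []):
            self.triggered[port] = (pkt.src_ip, port)
        return Packet(self.WAN_IP, public_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Steps 3 and 4: return the LAN (ip, port) to deliver to, or None
        if the router drops the packet."""
        if pkt.dst_port in self.dynamic:
            lan_ip, lan_port, remote_ip, remote_port = self.dynamic[pkt.dst_port]
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return (lan_ip, lan_port)
            return None  # same port, different sender: dropped
        for table in (self.upnp, self.forwards, self.triggered):
            if pkt.dst_port in table:
                return table[pkt.dst_port]
        return None  # unsolicited and unmapped: nowhere to send it

    def ports_open_to_anyone(self):
        """Public ports that currently accept packets from any source."""
        return sorted(set(self.forwards) | set(self.triggered) | set(self.upnp))


def demo():
    """Walk through the post's scenarios; returns a dict of outcomes."""
    r = NatRouter()
    client, server, stranger = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    out = r.outbound(Packet(client, 5000, server, 80))
    res = {
        "reply_delivered": r.inbound(Packet(server, 80, r.WAN_IP, out.src_port)) == (client, 5000),
        "probe_dropped": r.inbound(Packet(stranger, 4444, r.WAN_IP, out.src_port)) is None,
        "unsolicited_dropped": r.inbound(Packet(stranger, 4444, r.WAN_IP, 8080)) is None,
    }
    r.upnp_add_mapping(8080, client, 8080)          # application needs the port
    res["upnp_open"] = r.inbound(Packet(stranger, 4444, r.WAN_IP, 8080)) == (client, 8080)
    r.upnp_delete_mapping(8080)                     # application is done with it
    res["upnp_closed"] = r.inbound(Packet(stranger, 4444, r.WAN_IP, 8080)) is None
    r.add_forward(2222, "192.168.1.20", 22)          # forwarded: open forever
    r.add_trigger(6000, [6001])
    r.outbound(Packet(client, 5001, server, 6000))   # trigger fires: 6001 stays open
    res["exposed"] = r.ports_open_to_anyone()
    return res


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The last result is the point of the post: after the UPnP application has finished, only the statically forwarded and triggered ports are still reachable from any source, while the UPnP mapping has gone away. The model also shows why the dynamic table alone provides firewall-like protection without being a firewall: it filters on sender, not on content, and only for ports a LAN host opened itself.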

Look At The Complete Detail In The Error Messages

January 8, 2006

Windows Networking is a very complicated subject, and there are many possible problems. A lot of problems can be represented by one of two basic messages. The Error 5 (“access denied”) and Error 53 (“name not found”) errors are very common, and unfortunately, can each have numerous possible causes.

That being the case, whenever we see one of the above errors, we may instinctively proceed into basic network problem solving.

This is not always the correct problem diagnosis procedure! There are several known, very specific, problems, which can be instantly diagnosed by mysterious and specific phrasings in various error messages. Always look for these messages, as their causes are known, and can lead to much faster problem resolution.

Also, numbered errors are quite easy to decipher. The “net” command has a subcommand “helpmsg”. When we see an “error = 5”, for instance,

C:\Documents and Settings\pchuck>net helpmsg 5
Access is denied.

When you have a problem with Windows Networking, either in a Network Neighborhood display or share access, look at the exact error presented. If you see either of the above phrases, follow the appropriate link, or decipher the number using “net helpmsg”. You’ll be in luck – the causes are well known, and may involve reasonably simple fixes.

You may also refer to the Microsoft reference article System Error Codes, which lists every error code that you might encounter.

Stabilise Your WiFi – Use Only One WiFi Manager

January 7, 2006

When I got my laptop, I was not at all impressed with the WiFi performance. Two or three times daily, I would have to reboot it, or the WiFi router, to get the laptop online. Compared to Ethernet, and especially compared to the other computers in my LAN, this was unacceptable.

Even after researching all of the known WiFi instability issues, I got nowhere.

A month after first getting the laptop, I reformatted and reloaded the operating system. As a side effect of doing that, I inventoried the WiFi manager programs, and I had 3.

  • HP – The laptop vendor.
  • Intel – The WiFi card vendor.
  • Microsoft – The operating system vendor.

As part of the effort of reloading the operating system, I realised that having three WiFi manager programs loading was not a good thing. So I carefully compared all 3 programs, and in my case, decided that the Intel WiFi manager program was the best for me.

Using Autoruns, I located and removed all startup entries for both the HP and Microsoft WiFi managers.

For the past 4 months, since I reloaded the operating system, my laptop has been rock solid reliable.


January 1, 2006

AOL is not just another ISP – it’s also a content provider. So it attracts a lot of folks who don’t know what it can provide, or, worse yet, what it can provide but shouldn’t.

Take, for instance, the case of the Corporate Email Corruption caused by connection to the AOL domain, as reported by SANS ISC in The Penetrating Packets.