RE: where should I start? help!

From: Paul Benedek (paul.benedek_at_excis.co.uk)
Date: 07/09/03

    To: "'Mitchell Rowton'" <mitchell@attackprevention.com>, "'Jane Han'" <janehan22@yahoo.com>, <security-basics@securityfocus.com>
    Date: Wed, 9 Jul 2003 10:08:23 +0100
    
    

    Hi,

    Once you have identified the traffic type i.e. web traffic port 80, you may
    wish to consider turning on some of the traffic management features within
    the Cisco router. This could be a change in queuing strategy and the use of
    Cisco's committed access rate feature.

    By using CAR, you can prioritise the traffic and drop any less important
    traffic if it reaches a certain threshold. Incidentally it is good to use
    CAR to drop inbound UDP traffic in case of DDOS attacks.

    The other thought with regard to this could be that your NAT pool in your
    PIX is not big enough to cope with your outbound requirements. Try
    increasing your pool size so that you have many translation slots available.
    Also look at the session timeout values and make sure that unwanted
    connections time out within a reasonable timeframe.

    Another point to look at is your Ethernet interfaces. Make sure that they
    are forced connections rather than using auto (100 meg full duplex). If
    these are causing you any issues, you would see a high number of collisions
    on the Ethernet port counters. This could also account for a high number of
    retransmissions and poor throughput on your Internet connection.

    Regards

    Paul Benedek
    Director
    Excis Networks Limited
    http://www.excis.co.uk

    -----Original Message-----
    From: Mitchell Rowton [mailto:mitchell@attackprevention.com]
    Sent: 08 July 2003 19:27
    To: Jane Han; security-basics@securityfocus.com
    Subject: Re: where should I start? help!

    The bandwidth on the S0 interface is "BW 2048 Kbit" which is higher
    than a T1. This doesn't have any negative impact per se, but it does
    change the router's perceived load. The router says it is using
    a "rxload of 188/255" But this is assuming it has 2048K. A T1 is only
    1.544 MB, so the real rxload is higher than that.

    The first step I would take is to put a sniffer online and discover
    what machines are doing the most bandwidth, what protocols are doing
    the most bandwidth. And then decide if this is acceptable to you. If
    the chatty stuff is needed, then upgrade bandwidth or live with it.
    The PIX NAT shouldn't be a problem unless you have more than 30 internet
    speaking hosts, do you?

    Mitchell

    ____________________________________________________
    http://www.attackprevention.com
    Information Security documents, articles, and policy
    > Hi, all
    >
    > I am relatively new to this field. We have full T1
    > but the internet speed is very slow.
    > Sometimes it's even slower than dial-up speed when
    > downloading files.
    > E1 E0 E0 s0
    > Switch --- PIX ------Cisco 2600 Router------Internet
    >
    > (E1 and E0 are Ethernet Interface and S0 is serial
    > interface) (please see the following status on s0)
    >
    > Serial0/0 is up, line protocol is up
    > Hardware is QUICC Serial
    > Internet address is X.X.X.X/30
    > MTU 1500 bytes, BW 2048 Kbit, DLY 20000 usec,
    > reliability 255/255, txload 26/255, rxload
    > 188/255
    > Encapsulation HDLC, loopback not set
    > Keepalive set (10 sec)
    > Last input 00:00:02, output 00:00:00, output hang
    > never
    > Last clearing of "show interface" counters never
    > Input queue: 0/75/9199/0 (size/max/drops/flushes);
    > Total output drops: 3307
    > Queueing strategy: weighted fair
    > Output queue: 0/1000/64/3307 (size/max
    > total/threshold/drops)
    > Conversations 0/57/256 (active/max active/max
    > total)
    > Reserved Conversations 0/0 (allocated/max
    > allocated)
    > 30 second input rate 1510000 bits/sec, 235
    > packets/sec
    > 30 second output rate 214000 bits/sec, 173
    > packets/sec
    > 76598509 packets input, 1523011153 bytes, 0 no
    > buffer
    > Received 104544 broadcasts, 0 runts, 0 giants, 0
    > throttles
    > 1 input errors, 0 CRC, 1 frame, 0 overrun, 0
    > ignored, 0 abort
    > 66685034 packets output, 4044743843 bytes, 0
    > underruns
    > 0 output errors, 0 collisions, 1 interface resets
    > 0 output buffer failures, 0 output buffers
    > swapped out
    > 0 carrier transitions
    > DCD=up DSR=up DTR=up RTS=up CTS=up
    >
    > I checked the S0 interface status on the internet
    > router. What info does the above indicate?
    > What does input and output packets mean in case
    > internal users download files from internet?
    >
    > I really do not know how to find out where all the traffic
    > is from. I bet there are lots of downloads
    > from the internet. Where should I start?
    >
    > BTW, we have one block of class C public addresses. But
    > the PIX only uses 30 for NAT and one
    > global pool address:
    > global (outside) 1 x.x1.x2.201-x.x1.x2.230
    > global (outside) 1 x.x1.x2.200
    >
    > Could this cause the slowness on internet speed also?
    >
    > Thanks in advance,
    >
    > Jane

    ---------------------------------------------------------------------------
    Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
    The Gartner Group just put Neoteris in the top of its Magic Quadrant,
    while InStat has confirmed Neoteris as the leader in marketshare.
         
    Find out why, and see how you can get plug-n-play secure remote access in
    about an hour, with no client, server changes, or ongoing maintenance.
              
    Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
    ----------------------------------------------------------------------------
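Mitchell's point about the `BW 2048 Kbit` statement can be checked mechanically rather than by eye. The Python below is an added example, not code from anyone in the thread: it parses the `show interface` output Jane quoted (re-joined onto single lines), recomputes the load against a real T1 clock of 1.544 Mbit/s instead of the configured bandwidth, and pulls out the drop counters the replies pass over. The only assumption is that the circuit really is a T1, as Jane states.

```python
import re

# Excerpt of the "show interface Serial0/0" output quoted in Jane's message, re-joined onto single lines.
SHOW_INTERFACE = """\
Serial0/0 is up, line protocol is up
  MTU 1500 bytes, BW 2048 Kbit, DLY 20000 usec,
     reliability 255/255, txload 26/255, rxload 188/255
  Input queue: 0/75/9199/0 (size/max/drops/flushes); Total output drops: 3307
  Output queue: 0/1000/64/3307 (size/max total/threshold/drops)
  30 second input rate 1510000 bits/sec, 235 packets/sec
  30 second output rate 214000 bits/sec, 173 packets/sec
"""
T1_BPS = 1_544_000  # true line rate of a T1; assumes the circuit really is a T1, as Jane says

def parse_show_interface(text):
    """Extract the fields the thread reasons about from IOS 'show interface' output."""
    def grab(pattern):
        m = re.search(pattern, text)
        if m is None:
            raise ValueError("field not found: " + pattern)
        return int(m.group(1))
    return {
        "bw_bps": grab(r"BW (\d+) Kbit") * 1000,            # what the router *thinks* the link is
        "rxload": grab(r"rxload (\d+)/255"),                 # IOS load figure, scaled to BW
        "in_bps": grab(r"input rate (\d+) bits/sec"),        # measured 30-second inbound rate
        "out_bps": grab(r"output rate (\d+) bits/sec"),      # measured 30-second outbound rate
        "input_drops": grab(r"Input queue: \d+/\d+/(\d+)/\d+"),
        "output_drops": grab(r"Total output drops: (\d+)"),
    }

def real_load(stats, true_bps=T1_BPS):
    """IOS scales rxload/txload to the configured BW; recompute against the real clock rate."""
    return {
        "reported_rx_pct": round(stats["rxload"] / 255 * 100, 1),     # 73.7 for 188/255
        "actual_rx_pct": round(stats["in_bps"] / true_bps * 100, 1),  # 97.8 on a real T1
        "actual_tx_pct": round(stats["out_bps"] / true_bps * 100, 1), # 13.9: outbound is fine
        "bw_mismatch": stats["bw_bps"] != true_bps,
    }

def findings(stats, true_bps=T1_BPS):
    """Plain-language observations in the spirit of the replies in the thread."""
    load = real_load(stats, true_bps)
    notes = []
    if load["bw_mismatch"]:
        notes.append("BW statement does not match the circuit; rxload %.1f%% really means %.1f%%" % (load["reported_rx_pct"], load["actual_rx_pct"]))
    if load["actual_rx_pct"] > 90:
        notes.append("inbound direction is saturated: find the top talkers before touching the PIX")
    if stats["input_drops"] or stats["output_drops"]:
        notes.append("drops recorded (in %d / out %d): the queues are overflowing" % (stats["input_drops"], stats["output_drops"]))
    return notes
```

Run against the quoted output this reports an inbound link at roughly 98% of a T1, which matches Mitchell's argument that the displayed 188/255 understates the real load.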


