CPTTM Network Admin newsletter issue #8


In order to keep in closer contact with IT network administrators in Macau, we've created a network admin newsletter, and I've taken the liberty of adding you to our netadmin-news mailing list. If you'd like to unsubscribe, or to recommend friends who would like to subscribe, just email me at any time.

--- Simon Tam, Chief Editor
--- This newsletter is supervised by: Kent Tong, Manager for CPTTM-IT Department

Topics in this issue:

CTM (Macau Telecom) and CPTTM jointly organise an "Information Security Management Seminar"

To raise awareness of information security risks among organisations in Macau and to build a high standard of information security, CTM and the Macau Productivity and Technology Transfer Center (CPTTM) are jointly holding an "Information Security Management Seminar" on 23 May at 3:45 pm on the 5th floor of the Macau World Trade Centre. Engineer Tou Veng Keong (陶永強), Director of the Bureau of Telecommunications Regulation of the Macau SAR Government, has been invited to give the opening address.
Please see the attached invitation letter for details.

Firewall Settings for Windows Domain Logon

Suppose your network segments are interconnected through a firewall, for example like this:

 |----------------------------- (F) --------------------------------|
                      Net 1                              Net 2


and:
- The Windows 2000/2003 Domain Controller and the DNS server are located in Net 2.
- The firewall allows all traffic from Net 2 to Net 1, but blocks all traffic initiated from Net 1 to Net 2 unless it is explicitly allowed.

Which ports must you allow so that Windows 2000 (or later) clients in Net 1 can log on to the domain through the DC in Net 2 and access network resources when needed?


First, the clients locate a DC through DNS SRV records and register their own records by dynamic update on the DNS server in Net 2, so UDP port 53 is needed. Allow TCP port 53 as well: a DNS reply that does not fit in one UDP datagram is retried over TCP.

The clients authenticate to the DC with the Kerberos protocol, so TCP and UDP port 88 are needed.

The RPC endpoint mapper is needed (TCP port 135). Note that this is the endpoint mapper, not the "RPC Locator" service: clients ask it which dynamically assigned port Netlogon and the other RPC services on the DC are currently listening on.

The clients use LDAP to talk to the DC, so TCP and UDP port 389 are needed. UDP 389 carries the CLDAP "LDAP ping" the DC locator uses to pick a DC in the client's site.

SMB over TCP/IP is needed for file and print sharing, and, more importantly for logon, for reading Group Policy and logon scripts from the DC's SYSVOL share. It is TCP port 445.

The clients need to query a Global Catalog server, for example to resolve a user principal name (user@domain) logon and to expand universal group membership. This is TCP port 3268.

Ports 1025 and 1026 are the RPC endpoints that Active Directory logon (Netlogon and LSASS) happens to use on a freshly started DC. They are not fixed: they come from the dynamic RPC range (1024-5000 on Windows 2000/2003) and can change after a reboot or when another service grabs them first. Either pin them on the DC, using the registry values described in Microsoft KB 224196 ("TCP/IP Port" under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters and "DCTcpipPort" under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters), and open exactly those ports, or open the dynamic range from Net 1 to the DC.


We have tested that without allowing the above ports, a Windows 2000 client cannot log on to the domain (it takes a very long time and never finishes). After opening the above ports, it is OK. But we haven't tried omitting just one of them to see whether logon still works.

The above ports are the ones recommended in a Microsoft KB article. For details, see: http://support.microsoft.com/Default.aspx?kbid=280132

One more thing: both the clients and the DC should synchronise with an accurate time source, e.g. the NTP server of the Macau Observatory, time.smg.gov.mo. Kerberos authentication requires the DC's and the clients' clocks to agree closely; by default a deviation of at most 5 minutes is tolerated, and a client whose clock is further off simply cannot log on. Note that domain members normally take their time from the DC (the Windows Time service, NTP over UDP port 123), so if the clients in Net 1 are to follow the DC rather than an external server, UDP port 123 from Net 1 to Net 2 must be allowed as well.
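The script below is an added example for this article (it is not from the author or from Microsoft). Run from a client in Net 1, it checks each required port on the DC in Net 2 one at a time, which is the experiment the article did not get to: a port that shows "closed or filtered" is one the firewall (or the DC) is not letting through. It goes a little beyond the article's list by also checking TCP 53, UDP 389 for the CLDAP locator ping and UDP 123 for time sync. A UDP "connect" proves nothing, so UDP 53 is probed with a hand-built DNS query for the DC locator SRV record, and the other UDP ports are only listed. The DC address 192.0.2.10 and the domain name corp.example are placeholders to replace.

```python
"""Probe, from a client in Net 1, the ports a Windows 2000+ client must reach
on a domain controller in Net 2 to log on. Added example for this article,
not Microsoft code; the DC address and domain below are placeholders."""
import socket
import struct
from dataclasses import dataclass

QTYPE_SRV = 33  # DNS SRV record type; the DC locator looks these up


@dataclass(frozen=True)
class PortRule:
    proto: str  # "tcp" or "udp"
    port: int
    purpose: str


# The article's list (KB 280132) plus TCP 53, CLDAP and NTP; see lead-in.
REQUIRED = [
    PortRule("udp", 53, "DNS: DC locator SRV lookups, dynamic DNS registration"),
    PortRule("tcp", 53, "DNS: replies too large for one UDP datagram"),
    PortRule("tcp", 88, "Kerberos authentication"),
    PortRule("udp", 88, "Kerberos authentication"),
    PortRule("tcp", 135, "RPC endpoint mapper"),
    PortRule("tcp", 389, "LDAP"),
    PortRule("udp", 389, "CLDAP 'LDAP ping' used by the DC locator"),
    PortRule("tcp", 445, "SMB: SYSVOL, Group Policy, logon scripts"),
    PortRule("tcp", 3268, "Global Catalog LDAP"),
    PortRule("tcp", 1025, "Netlogon/LSASS RPC endpoint (dynamic unless pinned)"),
    PortRule("tcp", 1026, "Netlogon/LSASS RPC endpoint (dynamic unless pinned)"),
    PortRule("udp", 123, "NTP/W32Time; Kerberos tolerates 5 min skew by default"),
]


def dc_locator_name(domain: str) -> str:
    """SRV name a client resolves to find a DC for its domain."""
    return "_ldap._tcp.dc._msdcs." + domain.strip(".")


def build_dns_query(name: str, qtype: int, txid: int) -> bytes:
    """Encode a one-question DNS query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def parse_dns_header(data: bytes) -> dict:
    """Decode the 12-byte header of a DNS reply."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answers": ancount}


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake completes; False on refusal or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def udp_dns_srv(host: str, domain: str, timeout: float = 2.0) -> str:
    """Send the DC-locator SRV query over UDP 53 and classify the outcome."""
    txid = 0x1F2E
    query = build_dns_query(dc_locator_name(domain), QTYPE_SRV, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (host, 53))
            hdr = parse_dns_header(s.recv(512))
        except socket.timeout:
            return "no reply (filtered, or no DNS server there)"
        except (OSError, ValueError):
            return "unreachable or malformed reply"
    if not hdr["is_response"] or hdr["txid"] != txid:
        return "unexpected reply"
    if hdr["rcode"] == 0 and hdr["answers"] > 0:
        return f"answered ({hdr['answers']} SRV records)"
    return f"reply with rcode {hdr['rcode']} and no answers"


def audit(dc_host: str, domain: str, timeout: float = 2.0) -> list:
    """Return (rule, status) pairs for every required port."""
    results = []
    for rule in REQUIRED:
        if rule.proto == "tcp":
            status = "open" if tcp_open(dc_host, rule.port, timeout) else "closed or filtered"
        elif rule.port == 53:
            status = udp_dns_srv(dc_host, domain, timeout)
        else:
            status = "not probed (UDP; verify in the firewall rule set)"
        results.append((rule, status))
    return results


if __name__ == "__main__":
    for rule, status in audit("192.0.2.10", "corp.example"):  # placeholders
        print(f"{rule.proto.upper():3} {rule.port:<5} {status:42} {rule.purpose}")
```

Run it twice: once with the firewall rules in place and once from a machine in Net 2, where everything should be open; any port that is open from Net 2 but "closed or filtered" from Net 1 is a firewall gap. A "no reply" on UDP 53 means either the firewall drops it or the address is not the DNS server, so check the server first.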


By Alan Au



VPN Solution in Cyberlab - OpenVPN

Virtual Private Network (VPN) technology is widely used all over the world, and there are many VPN techniques and products. For many systems administrators, choosing and managing a VPN is often quite a headache. Inflexible clients, servers, and protocols often prevent VPNs from being smoothly integrated into a network that is already working. The fact that many VPN clients are installed on users' home computers, well out of reach of the systems administration team, means that troubleshooting and upgrading VPN systems is time consuming and a struggle for both admins and users.

As you may know, Cyberlab is one of the centres of CPTTM, and there is a lot of data exchange between the head office and Cyberlab. Migrating from a legacy leased line, we chose a VPN with IPsec (actually a Netscreen firewall paired with a Linux box running racoon). It works, but we found a big problem: our routine network operations (file replication with rsync, remote administration with ssh, internal applications across the network, etc.) got disconnected frequently. We traced it and found that the problem was caused by the unstable ADSL line.

Thus we looked for a better solution, and OpenVPN is the answer. OpenVPN solved our big problem: the OpenVPN connection is not dropped and does not need to be re-established when the physical link (the ADSL line, in our case) goes down. Therefore applications and network connections are not disconnected even when the ADSL line is unstable. If the ADSL drops, the application keeps waiting for the connection and returns to normal once the connection is back. It totally solved our problem.

Moreover, OpenVPN is easy to use, administer, and debug, as well as fast, flexible, and free. The client and server both run on numerous platforms, including (but not limited to) FreeBSD, Linux, Mac OS X, and Windows. It is simple and easy for staff to use at home, extending the company network to the home securely. Windows users can download an installer (.exe), run it, click a few buttons, and they are done. We tested it and it works fine and smoothly.

If you want to know more about OpenVPN, please see http://openvpn.net/

By Simon Tam

Books review - Cisco Wireless LAN Security

Wireless LANs are becoming more and more popular in modern IT networks because of their mobility and easy, fast deployment.
The crucial point in deploying a wireless LAN is security.

This book starts with wireless LAN standards and basics. Then it discusses the vulnerabilities of wireless LANs, followed by the various countermeasures for those vulnerabilities, such as the different wireless LAN authentication methods and wireless LAN data encryption technologies.

So this book is really suitable for anyone who wants to learn about wireless LANs and their security, not only for Cisco people.


You can borrow this book from the "CPTTM IT Book Shelf" in Cyberlab. Please visit:
http://www2.cpttm.org.mo/cyberlab/mslib/

By Alan Au




Back issues of the CPTTM Network Admin Newsletter can be viewed at:
http://www2.cpttm.org.mo/cyberlab/netadmin-news/