Archive for February, 2006

Posted on Feb 23rd, 2006

In previous short articles we discussed the options for international companies (branches of multinationals with headquarters in the US, UK, Australia, Germany, Italy, Portugal, Spain) to implement so-called localized MRP in Brazil. We covered Microsoft Dynamics NAV, AX, CRM. This small article is dedicated to SAP and its mid-market and small-to-midmarket MRP application – SAP Business One. SAP BO in Brazil is available in March 2006.

• Local taxes and regulations. CNAE, CPF, IE, IEST, IM – localization supports these rules and taxes

• Multilanguage. SAP BO has advanced language support in comparison to other localized ERPs: Oracle E-Business Suite, Navision, Axapta, JDEdwards – in SAP Business One you can switch language (from Portuguese to English, for example) in the same user session for the same company. Multilanguage support, in our opinion, gives financial officers in headquarters tight control over their Brazilian or any other overseas subsidiary.

• Transactional consolidation. SAP integrates SAP BO into its family of ERP systems. SAP BO has a transaction consolidation module. To give you some background – you can use two mechanisms to get cross-company consolidated reporting. The first is data pulling (with multiplication by the historical exchange rate of the original currency) – a typical example would be FRx reporting for Great Plains, Solomon and other ERPs. The second and more reliable way is transaction consolidation – when you physically move transactions (adjusted for the reporting currency) to the image of your subsidiary and then run reports over your branches' databases. Transactional consolidation makes SAP Business One an attractive ERP option for the Spoke-and-Hub ERP integration model, when subsidiaries use SAP BO and consolidate transactions to the corporate ERP – mySAP or SAP R/3.

• Multicurrency. It is supported in all modules (in case your experience is with systems where multicurrency is available for the GL only).

• Customizations. SAP Business One SDK enables you to tune screens as needed, if you think that end-user intuitive modification is not sufficient. If you need to deploy local programmers – they should be experienced in COM objects programming.

• Competition. As you can expect, you see two types of competitors: local ERPs (Microsiga and Datasul, to name the major ones) and international ones: Oracle E-Business and JD Edwards, Microsoft Navision, Axapta and Solomon (Great Plains is not localized, but local support is available through Alba Spectrum).

If you need help – give us a call: São Paulo: +55-11-3444-4949, USA 1-866-528-0577, 1-630-961-5918, Europa: +44-20-8123-2580, +45-36-96-5520 or help@albaspectrum.com

Andrew Karasev is ERP consultant at Alba Spectrum Technologies (http://www.albaspectrum.com http://www.greatplains.com.mx http://www.enterlogix.com.br) - Microsoft Business Solutions Great Plains, Navision, Axapta, MS CRM, SAP Business One, Oracle Financials and IBM Lotus Domino Partner, serving corporate customers in the following industries: Aerospace & Defense, Medical & Healthcare, Distribution & Logistics, Hospitality, Banking & Finance, Wholesale & Retail, Chemicals, Oil & Gas, Placement & Recruiting, Advertising & Publishing, Textile, Pharmaceutical, Non-Profit, Beverages, Conglomerates, Apparels, Durables, Manufacturing and having locations in multiple states and internationally.

We are serving LATAM: Mexico, Peru, Brazil, Bolivia, Venezuela, Colombia, Ecuador, Chile, Paraguay, Uruguay, Argentina, Dominican Republic, Puerto Rico

Posted on Feb 23rd, 2006

Microsoft Great Plains, formerly Great Plains Software Dynamics and eEnterprise, has a very long customization and integration history of about 12 years. In the early 1990s the customization tool was mostly Great Plains Dexterity; later on, when Great Plains was successfully moved to MS SQL Server 6.5, 7.0 and 2000, we see more historical custom projects done in SQL stored procedures with front ends coded in VB in Visual Studio 6.0. This was probably a wise and natural choice at that time (around 1997-2001), but if you consider Microsoft's move to the .Net platform and the reshaping of its own programming environments (ADO, OLE, VB, etc.), you would nowadays rather be nervous relying on a VB 6.0 custom front end calling stored procs via ADO. Let’s consider your options:

• Upgrade to .Net. As natural as it might sound and look, it might not be feasible. The reason is that .Net is a whole revolution in the Windows object model (or its introduction, somewhat more revolutionary than J2EE/EJB/Java). Your old VB code is not object oriented in the sense of .Net, and the majority of its technologies are now obsolete or in phase-out mode.

• Move Front End to Web Application. Or recreate simplified version as VB.Net or C#.Net web project. If you think your stored procedures are still capable to do the job at the data manipulation level, you can redesign front end as web application. This is preferred way for now, however as business owner you may not like the idea to redo it.

• Complications. You might have additional complications, such as tiered design, when your presentation layer is separated from the business layer (or these two layers physically sit on different computers). Then somebody should carefully analyze and design the upgrade path for both. Unfortunately the business logic level may deploy third party vendors' logic, and these flourishing ISVs of the late 1990s might now be out of business.

• Integrations. If your Great Plains is integrated with Unix, Oracle, DB 2, Lotus Domino, Siebel or other third party application – you need to consider synchronous upgrade for integrated applications to avoid retuning integration piece twice.

• Reporting. Since version 6.0, Great Plains is very conservative to tables structure changes, so if your reporting was done in 1999 or later – more likely you are out of trouble and should use it as it is.

Happy customizing! You can always appeal to us to help you with your system. Give us a call 1-630-961-5918 or 1-866-528-0577, help@albaspectrum.com

Andrew Karasev is Chief Technology Officer in Alba Spectrum Technologies ( http://www.albaspectrum.com ), Microsoft Business Solutions Great Plains, Microsoft CRM, Navision, Microsoft RMS, Microsoft Business Portal customization company, serving clients in Chicago, Boston, New York, Miami, Atlanta, Houston, Dallas, Denver, Los Angeles, San Francisco, San Diego, Seattle, Minneapolis, Phoenix, Toronto, Montreal, Brazil, Mexico, UK, Australia, Canada, UK, Europe, Russia and having small offices in multiple states and internationally.

Posted on Feb 22nd, 2006

When your company plans to outsource its manufacturing operations to such countries as Brazil, the ERP system for the overseas subsidiary is one of the first decisions to make. In this small article we will concentrate on functional side of the Microsoft Dynamics ERPs, such as Microsoft Navision, Microsoft Axapta and Microsoft CRM and we will not touch background technologies (Microsoft .Net vs. EJB/Java discussions)

• Localization. It usually has two components: language translation (in the case of Brazil it is Brazilian Portuguese) and sales, purchasing taxes and government regulation/reporting. In the case of Brazil we usually talk about these taxes & regulations: CNAE, CPF, IE, IEST, IM.

• Local versus International MRP brand. This is usually the question beyond the functionality of the ERP – you need to decide for yourself if you would like advanced localization features (usually provided by local made ERP – Microsiga or Datasul to name two) or you want more control over your overseas operations from headquarters – this will probably be international ERP brand, one of them we are evaluating here – Microsoft Dynamics family (former name was Microsoft Business Solutions)

• Navision/Microsoft Dynamics NAV. Around 2004 Microsoft Business Solutions tried to unify its international ERP offer. As the result, in many countries, including Brazil, East Europe, Russia and others Navision kind of pushed out of the market another MBS ERP – Microsoft Great Plains (currently Microsoft Dynamics GP 9.0 – Brazilian version is not available, however you can get local support from Alba Spectrum). There were multiple reasons, including technical feasibility, they are beyond the scope of this article. Navision is localized and has several years of successful implementation in São Paulo, Rio de Janeiro, Curitiba, Belo Horizonte, Salvador and across Brazil. One of the strong points of Navision is Manufacturing module. We see strong demand for Navision ERP implementation from multinational corporations with headquarters in Europe, especially continental: Germany, Italy, France, Spain and Portugal.

• Axapta/Microsoft Dynamics AX. This is a relatively new ERP – its design was completed at the very end of the XX century, and Navision Software bought Axapta prior to being purchased by Microsoft Business Solutions itself. The Brazilian localization of Axapta is now complete and it will be released in the first quarter of 2006. In Brazil Microsoft has experimented with Axapta pricing, and it is now targeted to compete with Microsiga and Datasul on one side and with SAP Business One on the other. The Axapta implementation cycle is longer than for SAP BO; however, Axapta is more flexible in its ability to automate upper midsize and large scale business.

• Microsoft CRM/Dynamics CRM. We are now in the process of upgrading from MS CRM 1.2 to its 3.0 version. Microsoft Dynamics CRM 3.0 will be more flexible in automating franchisee networks and nation-wide servicing organizations. The question of selection is simpler – if you are committed to the Microsoft platform, you should know that Microsoft CRM is promoted worldwide. Here we have to say some words about the technical side of Microsoft CRM, especially considering some challenges of the MS CRM upgrade – it heavily uses the .Net platform and XML web services and requires strong server side programming if you need Microsoft CRM customization and an upgrade of custom pieces (Microsoft CRM SDK 3.0 is a bit different from MS CRM SDK 1.2). In Brazil we saw instances of Microsoft CRM coexisting with such corporate platforms as IBM Lotus Notes Domino.

If you need help – give us a call: São Paulo: +55-11-3444-4949, USA 1-866-528-0577, 1-630-961-5918, Europa: +44-20-8123-2580, +45-36-96-5520 or help@albaspectrum.com

Andrew Karasev is ERP consultant at Alba Spectrum Technologies (http://www.albaspectrum.com http://www.greatplains.com.mx http://www.enterlogix.com.br) - Microsoft Business Solutions Great Plains, Navision, Axapta, MS CRM, SAP Business One, Oracle Financials and IBM Lotus Domino Partner, serving corporate customers in the following industries: Aerospace & Defense, Medical & Healthcare, Distribution & Logistics, Hospitality, Banking & Finance, Wholesale & Retail, Chemicals, Oil & Gas, Placement & Recruiting, Advertising & Publishing, Textile, Pharmaceutical, Non-Profit, Beverages, Conglomerates, Apparels, Durables, Manufacturing and having locations in multiple states and internationally.

We are serving LATAM: Mexico, Peru, Brazil, Bolivia, Venezuela, Colombia, Ecuador, Chile, Paraguay, Uruguay, Argentina, Dominican Republic, Puerto Rico

Posted on Feb 22nd, 2006

1. With mapping software you can create a report that tracks your retirement plan for you.

2. Use mapping software to create an Executive Dashboard, which tracks the bottom line.

3. Use mapping software to find the snowfall reports for your favorite ski resorts in Idaho.

4. You can even use mapping software to explore an interactive map of India for school reports, business, or travel.

5. Track your store's incoming and outgoing inventory, including shipping information and warehouse location, with mapping software.

6. You can conveniently book your own airline seat, so you don’t need to worry if you are a “window person” as opposed to an “aisle person.”

7. Know the who, what, when, where, and how of your department by using mapping data to interactively manage your department.

8. Receive production information in real-time reports.

9. Look up CIA World Facts online to see how you can look up virtually everything you wanted to know about geographical and population statistics.

10. Get your daily stock quotes, or track their changes over time.

11. Create interactive marketing reports that can be “drilled down” from general to specific trends and statistics.

12. Track and manage personal, department, and company budgets.

13. You can track sales and revenue trends for multiple stores on a national or even global scale.

14. Create managerial and employee training using mapping software. Learn processes and procedures in an interactive setting.

15. Create interactive documents. This is especially helpful in examining large documents with various notes and headings. The U. S. Constitution is available in an interactive online format with mapping software.

16. If you are interested in researching national cancer rates, they are readily available in an interactive format with mapping software.

17. Land developers can find latitudes and longitudes, as well as other helpful geographical information on interactive maps.

18. Using mapping software, customer trends can be tracked, even down to the zip code.

19. You can track your monthly expenses, such as phone bills.

20. Track store receipts for company or personal records using mapping software.

21. Access executive dashboards, as well as other interactive maps on a PDA or other wireless devices.

22. Are you traveling to another country? You can look up cultures, government information, climate information, and anything else you need to be prepared.

23. Convert all HTML documents to PDF for easy printing and paper records.

24. You can track inflation and deflation, as well as other economic variables.

25. Anything Else You Dream Up

Joe Miller is an online advertiser and author of informational articles on business software. More information on Mapping Software is available at Corda.com.

Posted on Feb 21st, 2006

The Brazilian ERP/Accounting systems market is represented by local MRP applications, such as Microsiga, Datasul and other local ERP applications, as well as several international ERP brands from Microsoft Business Solutions / Dynamics, SAP, Oracle. When planning to enter the marketplace in Brazil, in such lucrative urban areas as São Paulo, Rio de Janeiro, Curitiba, Salvador, Belo Horizonte, or simply to open a manufacturing facility in the industrial areas, corporate ERP selection and implementation is one of the first questions to raise. Let’s review the options for a multinational corporation.

• Management Control. When you select ERP/MRP you are looking for standard solution for international market. Standard solution should allow you to avoid the dependency on the human factor, plus you should have an option to change ERP implementation contractor if needed. We will give you more details on how this control is realized in the ERP. In our opinion one of the international ERP brands will give you more control from your overseas headquarters than one of the local ERPs.

• Localization. It has two components – country specific sales/purchasing tax adoption and language translation. Nowadays it is usually not a big challenge to translate a modern ERP to Brazilian Portuguese, but local taxes might be really difficult to program, especially in the case of such a large and self-sufficient country as Brazil: CNAE (Cadastro Nacional de Actividad Económica), CPF (Cadastro de persona física), IE (Inscripción Estadual), IEST (Inscripción Estadual Substituto Tributario), IM (Inscripción Municipal) – these rules make localization quite difficult and you should probably stick to the ERPs which are already localized (even if you have a world-wide corporate ERP policy and your MRP is not on the localized list).

• SAP. SAP all-in-one, mySAP, R/3 and SAP Business One are localized, the most recent localization was SAP Business One (February 2006). Flexibility of SAP BO and its transaction consolidation to high-end SAP ERP makes it attractive for local branch, especially if your subsidiary is small or midsize. SAP Business One has all-in-one type of licensing, named user license is below 2,000 USD and implementation cycle should be reasonably short. One of the nice features of SAP BO is possibility to switch languages for the same user session and for the same company.

• Oracle. In Brazil you can choose from Oracle E-Business Suite (also known as Oracle Financials and Oracle Applications) – this ERP is high-end and targeted for large companies (light version of Oracle E-Business Suite is not available), or JDEdwards. Both applications support Portuguese and Brazilian tax code

• Microsoft Dynamics. Microsoft Navision (Dynamics NAV) is one of the popular ones, Solomon is also available. Microsoft Axapta (Dynamics AX) is available in 2006 (April). There are several Microsoft VARs participating in Axapta beta testing: Alba Spectrum (former Enterlogix), XPTA and Cadia. We’d like to kind of give you good words about Axapta – in Brazil it has aggressive price model (which makes it comparable with SAP Business One), plus Axapta can easily automate higher mid-market company and even serve as a corporate ERP for multinationals. If you are US, Australia or UK based corporation – please be advised that Microsoft Great Plains is not localized, however you can get local support if needed.

If you need help – give us a call: São Paulo: +55-11-3444-4949, USA 1-866-528-0577, 1-630-961-5918, Europa: +44-20-8123-2580 or +45-36-96-5520 or help@albaspectrum.com

Andrew Karasev is ERP consultant at Alba Spectrum Technologies

http://www.albaspectrum.com
http://www.greatplains.com.mx
http://www.enterlogix.com.br

Microsoft Business Solutions Great Plains, Navision, Axapta, MS CRM, SAP Business One, Oracle Financials and IBM Lotus Domino Partner, serving corporate customers in the following industries: Aerospace & Defense, Medical & Healthcare, Distribution & Logistics, Hospitality, Banking & Finance, Wholesale & Retail, Chemicals, Oil & Gas, Placement & Recruiting, Advertising & Publishing, Textile, Pharmaceutical, Non-Profit, Beverages, Conglomerates, Apparels, Durables, Manufacturing and having locations in multiple states and internationally.

We are serving LATAM: Mexico, Peru, Brazil, Bolivia, Venezuela, Colombia, Ecuador, Chile, Paraguay, Uruguay, Argentina, Dominican Republic, Puerto Rico

Posted on Feb 21st, 2006

Great Plains Software Dynamics, Dynamics C/S+ and eEnterprise were written in the GPS proprietary programming language and development environment – Great Plains Dexterity. When Microsoft bought Great Plains Software, Dynamics was renamed Microsoft Great Plains, but Dexterity is still the architectural base. There were trends to move MS Great Plains to .Net and reprogram it in C#, but in our opinion Microsoft is probing its own technologies and placing them in competition with each other. Microsoft Business Portal is probably the direction in which the existing ERP products (Great Plains, Navision, Axapta, Solomon) will get a seamless web interface. In this small article we’ll try to give you Dexterity source code programming options and directions.

• Source Code Program Closing. This move was announced by Microsoft Business Solutions in the beginning of 21st century. It should be probably attributed to .Net optimism. In time MBS acquired Great Plains Software (with GP and Solomon), then Navision Software (with Navision and Axapta). Microsoft had to plan its newly acquired products integration and synergy

• Source Code Program. Great Plains Software provided participants with DYNAMICS.DIC and its third party dictionaries with Dexterity sanscript codes (in commercial DYNAMICS.DIC these codes are stripped off). Source code program allows your dexterity developers to deploy advanced technologies, such as tax engine calls and replacements, posting engine call, etc. Plus it allows you to deploy GP lookup forms in your customization.

• Source Code Program Reopening. As was announced at the recent MBS conference, Microsoft may reopen the program. This is a very interesting move, which signals that MBS is taking a more conservative approach and might decide to support its products with their legacy technologies.

• The Future. Project Green, or Microsoft might decide to rename it, the idea is to form business suites from existing products and code base. However we should be reasonable and respect the efforts of MBS – to form business suites – this is very serious move and it should take several years to come out with the first version.

• Great Plains as Mature ERP. Yes – this is the phase of the product life. Great Plains Dynamics was released in 1994 and it is an 11-year-old product.

We are confident in Great Plains as an ERP platform for the following industries: Aerospace & Defense, Pharmaceutical, Healthcare & Hospitals, Insurance, Textile, Apparels, Services, Placement & Recruiting, Apparels, Beverages, Logistics & Transportation, Food, Restaurants Supply Chain Management, Gold & Mining, Jewelry, Consignment, Wholesale & Retail.

Good luck with selection, implementation, customization and integration and if you have issues or concerns – we are here to help! If you want us to do the job - give us a call 866-528-0577 or 630-961-5918! help@albaspectrum.com

Andrew is Great Plains specialist in Alba Spectrum Technologies ( http://www.albaspectrum.com ) – Microsoft Great Plains, Navision, Microsoft CRM Partner, serving clients in California, Minnesota, Illinois, Washington, Florida, Arizona, New York, New Jersey, Virginia, Georgia, Louisiana, Texas, Canada, UK, Australia, Brazil, Germany, Russia

Posted on Feb 20th, 2006

Introduction

The war in Iraq and the War on Terror have changed the focus of all three levels of government. Federal, state and local government - all three are seeking better ways to protect themselves, their equipment and data while working amid pressure-filled and dangerous situations. Of course, security has been the buzzword on Capitol Hill for some time, but generally speaking, physical security took initial priority, followed by outer system protection through intrusion detection and patch management. Security at the application level hasn’t happened yet and is really the most critical. Attacks are becoming more sophisticated than worms or even viruses, and can shut down entire systems.

There are a lot of ways to monitor and analyze your network traffic and protect it from Internet intrusions. Organizations commonly use a firewall for network protection. Although firewall logs often provide a huge amount of information about intrusion attempts, there is sometimes too much data to sort through, and a problem cannot be resolved quickly. Some organizations also use intrusion detection systems (IDS) on border routers to analyze incoming traffic for patterns that indicate specific problems. But a firewall or intrusion detection system is used primarily on borders with the Internet, rather than on internal networks. This is one reason why Cisco’s NetFlow came to the rescue.

Netflow Overview

Netflow is a traffic monitoring and analyzing technology developed by Darren Kerr and Barry Bruins at Cisco Systems. Netflow describes the method for a router and/or intelligent switch to export statistics about the data flow, and this built-in feature is found on most Cisco routers (http://www.cisco.com) as well as Juniper (http://www.juniper.net), Extreme Networks (http://www.extremenetworks.com), Riverstone (http://www.riverstonenet.com) etc. NetFlow technology provides the data necessary to effectively analyze trend and baseline application data as it passes through the network. It can then be exported to a reporting package and can provide the information necessary to manage critical business applications.

What is Netflow?

A flow is defined as a unidirectional sequence of packets between a given source and destination, which means there will be two flows for each connection session: one from the server to the client and one from the client to the server. In order to distinguish flows from one another, the source and destination addresses, protocol and port numbers are used. The Type of Service and source input interface index are also used to uniquely identify the flow to which a packet belongs. A flow is determined to have ended when it has been idle for a specified length of time, when it has become older than a specified age (30 minutes by default) or, when the flow is a TCP connection, when a FIN or RST has been sent. The router may expire flows more aggressively if it is running out of cache space.

A number of router vendors have implemented their own version of netflow, but version 5 is now the most common. For NDE version 5, every single UDP packet contains one flow header and at most thirty flow records. Every flow record is made up of the base fields that identify the flow plus further fields, which include: next hop address, output interface number, number of packets in the flow, total bytes in the flow, source and destination AS number, source and destination network length and TCP flags (cumulative OR of TCP flags).
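The version 5 export layout described above, as an added example that is not part of the original article or of Caligare's software: a parser for one export datagram that validates the header before reading records. The sample datagram is constructed in the code, and every address and counter in it is made up.

```python
import socket
import struct

# NetFlow v5 wire layout: one 24-byte header, then up to 30 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")
MAX_RECORDS = 30
TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def flag_names(bits):
    """Decode the cumulative OR of TCP flags carried in a flow record."""
    return [name for bit, name in TCP_FLAGS if bits & bit]


def parse_v5(datagram):
    """Parse one export datagram; raise ValueError on anything malformed.

    Exports arrive over unauthenticated UDP, so the declared record count is
    checked against the real payload length before any record is read.
    """
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a v5 header")
    (version, count, uptime_ms, unix_secs, _nsecs,
     sequence, _etype, _eid, _sampling) = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not a version 5 export")
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError("record count outside 1..30")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match declared record count")

    header = {"count": count, "uptime_ms": uptime_ms,
              "unix_secs": unix_secs, "sequence": sequence}
    records = []
    for i in range(count):
        (src, dst, nexthop, in_if, out_if, packets, octets, first, last,
         sport, dport, flags, proto, tos, src_as, dst_as,
         src_mask, dst_mask) = RECORD.unpack_from(
            datagram, HEADER.size + i * RECORD.size)
        records.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "nexthop": socket.inet_ntoa(nexthop),
            "in_if": in_if, "out_if": out_if,
            "packets": packets, "octets": octets,
            "first_ms": first, "last_ms": last,
            "sport": sport, "dport": dport, "proto": proto, "tos": tos,
            "tcp_flags": flags, "flag_names": flag_names(flags),
            "src_as": src_as, "dst_as": dst_as,
            "src_mask": src_mask, "dst_mask": dst_mask,
        })
    return header, records


def build_constructed_datagram():
    """Constructed sample: two TCP flows as a router might export them."""
    flows = [
        # src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
        # sport, dport, tcp_flags, proto, tos, src_as, dst_as, masks
        ("10.1.1.23", "198.18.0.7", "10.1.0.1", 1, 2, 3, 144, 1000, 4000,
         40312, 1433, 0x02, 6, 0, 0, 0, 24, 0),      # SYN only
        ("10.1.1.40", "198.18.0.9", "10.1.0.1", 1, 2, 10, 5200, 1500, 9000,
         51000, 80, 0x1B, 6, 0, 0, 0, 24, 0),        # complete session
    ]
    out = HEADER.pack(5, len(flows), 123456, 1140393600, 0, 42, 0, 0, 0)
    for f in flows:
        out += RECORD.pack(socket.inet_aton(f[0]), socket.inet_aton(f[1]),
                           socket.inet_aton(f[2]), *f[3:])
    return out


if __name__ == "__main__":
    hdr, recs = parse_v5(build_constructed_datagram())
    for r in recs:
        print(r["src"], "->", r["dst"], r["dport"], r["flag_names"])
```
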

What is Caligare Flow Inspector?

Caligare Flow Inspector (http://www.caligare.com/netflow/cfi.php) is a unique network software solution for companies who need to plan, build, maintain and manage their network and at the same time keep their network more secure and efficient. Caligare Flow Inspector is a web-based bandwidth monitoring tool that uses NetFlow data export to provide detailed traffic statistics that help answer the who, what, when, where of bandwidth usage.

CFI software was engineered to create a secure network-monitoring platform based on industry standards that will fit your existing security policies. The result is the ability to monitor in real time, significantly reducing the time it takes to identify and troubleshoot problems. CFI keeps track of what is happening in your corporate network, detecting attacks and warning you of problematic network users. All information about network activities is archived in a central database.

Baseline Analysis

A baseline analysis is a model describing what "normal" network activity is according to some historical traffic pattern; any other traffic that falls outside the scope of this traffic pattern will be flagged as malicious. A trend analysis report is the most common and basic method of doing flow-based analysis. Netflow analysis focuses mainly on records that have some "special high traffic volume" attribute, especially the value of those flow fields that deviate significantly from an established historical baseline. Normally there are two ways to make use of baseline analysis methods: top sessions and top data.

Top sessions

Top sessions means that a single host tries to open an abnormally high volume of connections to a single node or block of nodes. The most common reasons for these activities are worms, denial of service attacks and network scans.

Common clients connecting to the Internet should keep a relatively normal connection frequency. But if a host is infected with a worm, it will act differently. It will mostly open a huge number of connections to destinations in its attempts to infect the next batch of victims. For the same reason, when a less-skilled "script kiddie" is scanning a large block of addresses for certain vulnerable services, we will see an especially high volume of sessions sent out by that single IP address.

We can also use the top sessions method to detect many kinds of network abuse, such as by checking the flow records for port 25 connection requests sent out by every single host in real time. If, in a given period, the number of port 25 requests from any host is above a ‘normal’ value, that host could be considered to be a spammer or infected with some kind of email worm. It would be better for the Internet as a whole if service providers started using this technology and shut down the spammers upon detection.

Top data streams

A second method of using baseline analysis is top data. This can be defined as a large amount of network data transferred in a certain period of time from a single host to a single destination or block of destinations.

The Top hosts that transfer traffic data to or from the outside in an enterprise should be ranked into relatively fixed groups. If this pattern changes, and a new host suddenly appears in the Top hosts matrix, an alert should be triggered.

How to find out if I am being attacked?

Traffic inspection and analysis is a very complex problem. There are many tools on the market, such as IDS, network traffic dumps or network probes, but few of them can process a big traffic volume (e.g. 10TB/hour). We decided to use netflow data export (NDE), which is widely available on most high-end routers, for user tracking and real time data flow analysis. Netflow gives a transparent view of what is happening in your network. There are several methods to detect if "your" network is under attack.

  1. Packet size distribution. Many short packets (more than 60%) may signify suspicious traffic.
  2. Many connections from a single host to a considerable number of destinations.
  3. Using reserved or private IP address on the Internet.
  4. Excessive number of ICMP messages.
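Indicators 1, 3 and 4 from the list above, computed over flow records, as an added example that is not part of the original article or of Caligare's software. The 64-byte cut-off for a "short" packet, the interface index and the flow records are assumptions constructed for the example; the 60% figure comes from the text.

```python
import ipaddress

ICMP = 1
SHORT_AVG_BYTES = 64       # assumption: the article does not define "short"
SHORT_SHARE_ALERT = 0.60   # "more than 60%" from the text
INTERNET_IF = 2            # assumed ifIndex of the Internet-facing interface

# Private and reserved source ranges that should never arrive from the
# Internet side (listed explicitly rather than relying on library defaults).
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "240.0.0.0/4")]


def short_packet_share(flows):
    """Share of packets that belong to flows with a small average size.

    A flow record only carries packet and byte totals, so the average
    bytes per packet of each flow stands in for individual packet sizes.
    """
    total = sum(f["packets"] for f in flows)
    if total == 0:
        return 0.0
    short = sum(f["packets"] for f in flows
                if f["packets"]
                and f["octets"] / f["packets"] <= SHORT_AVG_BYTES)
    return short / total


def bogon_sources(flows, internet_if):
    """Private or reserved source addresses seen entering from the Internet."""
    found = set()
    for f in flows:
        if f["in_if"] != internet_if:
            continue
        addr = ipaddress.ip_address(f["src"])
        if any(addr in net for net in BOGON_NETS):
            found.add(f["src"])
    return sorted(found)


def icmp_packet_share(flows):
    """Share of all packets that are ICMP (IP protocol 1)."""
    total = sum(f["packets"] for f in flows)
    if total == 0:
        return 0.0
    return sum(f["packets"] for f in flows if f["proto"] == ICMP) / total


def indicators(flows, internet_if=INTERNET_IF):
    share = short_packet_share(flows)
    return {"short_share": share,
            "short_alert": share > SHORT_SHARE_ALERT,
            "bogon_sources": bogon_sources(flows, internet_if),
            "icmp_share": icmp_packet_share(flows)}


def constructed_flows():
    """Constructed sample: 100 packets in total arriving on INTERNET_IF."""
    flows = []
    spoofed = ["10.9.9.9", "192.168.1.1"]
    for i in range(65):      # 65 one-packet TCP flows of 40 bytes
        src = spoofed[i] if i < 2 else "203.0.113.%d" % i
        flows.append({"src": src, "proto": 6, "packets": 1, "octets": 40,
                      "in_if": INTERNET_IF})
    for i in range(5):       # 5 one-packet ICMP flows of 56 bytes
        flows.append({"src": "198.51.100.%d" % (i + 1), "proto": ICMP,
                      "packets": 1, "octets": 56, "in_if": INTERNET_IF})
    for i in range(10):      # 10 bulk flows, 3 packets of 1500 bytes each
        flows.append({"src": "198.51.100.%d" % (i + 50), "proto": 6,
                      "packets": 3, "octets": 4500, "in_if": INTERNET_IF})
    return flows


if __name__ == "__main__":
    print(indicators(constructed_flows()))
```
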

The latest version of Caligare Flow Inspector software implements a packet distribution statistic. In our company we use a small honeypot network (without any real stations) for attack analysis. The following steps help you locate the source of the problem, together with some tips on how to filter suspicious traffic.

Finding infected stations in your network

NetFlow Inspector software is the ideal tool for detecting worm sources (infected stations) in your network. The Trends menu may be used for this type of analysis. The following example shows how to find infected stations in your local network.

Log into Caligare Flow Inspector and run the following steps:

  1. Select collector that stores netflow data exports (in our case: router R01).
  2. In the table selector choose current hourly table.
  3. Select statistic: source host distributions.
  4. Set source interface (Gigabit Ethernet 1/1).
  5. Set destination interface (not Gigabit Ethernet 1/1).
  6. Run search query.

After displaying the source host distributions you can view the top ten source IP addresses sorted by the number of unique destination IP addresses used. These source IP addresses are candidates for infected stations.

Check the result and select possibly infected stations (an infected station polls more than 500 unique destinations in most cases). Ignore your servers that are normally heavily used. Web or application servers normally generate many connections to many destinations.

Write down the top 5 sources and then continue to the infected station confirmation step. For each candidate IP address run the following query:

  1. Set statistic: destination ports by packet.
  2. Source IP address:
  3. Run search query.

Check the destination ports that are in use by the potentially infected station. In most cases (when the station is infected) you will see some of the following ports: netbios (137, 138, 139), microsoft-ds (445), ms-sql-s (1433), www (80, 3128) etc. (see picture 4).

Now is a good time to consider whether your candidate is infected or not. The decision is yours, because only you know "your" network and servers. If a station opens more than 500 unique destination connections to port 1433, this seems like very suspicious activity.
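The two queries of this procedure expressed as code over flow records, as an added example that is not part of the original article and not Caligare Flow Inspector's own logic: first the source host distribution by unique destinations, then destination ports by packet for each candidate. The interface index, host addresses and flow records are constructed assumptions; the threshold of 500 comes from the text.

```python
import ipaddress
from collections import Counter, defaultdict

UNIQUE_DST_THRESHOLD = 500   # "more than 500 unique destinations" (text)
LAN_IF = 1                   # assumed ifIndex of Gigabit Ethernet 1/1


def source_host_distribution(flows, src_if, top=10):
    """Top sources by number of unique destination IPs, for flows that
    enter on src_if and leave through any other interface."""
    seen = defaultdict(set)
    for f in flows:
        if f["in_if"] == src_if and f["out_if"] != src_if:
            seen[f["src"]].add(f["dst"])
    ranked = sorted(seen.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(src, len(dsts)) for src, dsts in ranked[:top]]


def infected_candidates(distribution, known_servers=frozenset()):
    """Sources above the threshold, minus servers known to be busy."""
    return [src for src, n in distribution
            if n > UNIQUE_DST_THRESHOLD and src not in known_servers]


def destination_ports_by_packet(flows, src_ip, top=5):
    """Confirmation step: which ports does the candidate send packets to?"""
    ports = Counter()
    for f in flows:
        if f["src"] == src_ip:
            ports[f["dport"]] += f["packets"]
    return ports.most_common(top)


def constructed_flows():
    """Constructed sample: one scanning workstation, one busy proxy,
    one ordinary workstation, and one inbound flow that must be ignored."""
    base = int(ipaddress.IPv4Address("198.18.0.0"))

    def dst(i):
        return str(ipaddress.IPv4Address(base + i))

    flows = []
    for i in range(600):     # scanner: 600 destinations, ports 445 and 1433
        flows.append({"src": "10.1.1.23", "dst": dst(i),
                      "dport": 1433 if i % 3 == 0 else 445,
                      "packets": 2, "in_if": LAN_IF, "out_if": 2})
    for i in range(800):     # proxy server: many destinations, port 80
        flows.append({"src": "10.1.1.5", "dst": dst(i), "dport": 80,
                      "packets": 20, "in_if": LAN_IF, "out_if": 2})
    for i in range(12):      # ordinary workstation
        flows.append({"src": "10.1.1.40", "dst": dst(i), "dport": 80,
                      "packets": 15, "in_if": LAN_IF, "out_if": 2})
    flows.append({"src": "198.18.9.9", "dst": "10.1.1.40", "dport": 80,
                  "packets": 9, "in_if": 2, "out_if": LAN_IF})
    return flows


if __name__ == "__main__":
    flows = constructed_flows()
    dist = source_host_distribution(flows, LAN_IF)
    print("source host distribution:", dist)
    for host in infected_candidates(dist, known_servers={"10.1.1.5"}):
        print(host, destination_ports_by_packet(flows, host))
```
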

How to find out who attacked my network?

The infected station tries to open a connection to all the servers in your network. You can simply locate this attack by finding the source host that is trying to open connections to various destinations in your local network.

See the section "Finding infected stations in your network" for how to find these source hosts. Sophisticated worm sources do NOT poll your whole network, but instead try, randomly or pseudo-randomly, to open a connection to a single host from time to time. Locating these attackers is difficult but NOT impossible! You can use TCP flags and ICMP tracking. When the attacker tries to open a TCP connection to an unused destination IP address, the TCP SYN flag is set. If the connection is successful you will see the cumulative TCP flags SYN and ACK; if the connection is unsuccessful you will see only flows with the SYN flag. You can count the unsuccessful connections for every source IP address outside your network; the source with the most unsuccessful connections is your attacker candidate. If the attacker is using the UDP protocol and polls your whole network, an excessive number of ICMP messages will be generated.
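The count of unsuccessful connections described above, as an added example that is not part of the original article or of Caligare's software: it ranks outside sources by inbound TCP flows whose cumulative flags contain SYN but no ACK. The local prefix 10.1.0.0/16 and all flow records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

TCP = 6
SYN, ACK = 0x02, 0x10


def failed_connection_ranking(flows, local_net):
    """Rank outside sources by inbound TCP flows that never got past SYN.

    In a client-to-server flow of a completed handshake the cumulative
    flags include ACK; a flow that shows SYN without ACK is a connection
    attempt that was never answered or was refused.
    Returns [(source, failed_flows, distinct_local_targets), ...].
    """
    local = ipaddress.ip_network(local_net)
    failed = defaultdict(int)
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] != TCP:
            continue
        src = ipaddress.ip_address(f["src"])
        dst = ipaddress.ip_address(f["dst"])
        if src in local or dst not in local:
            continue                      # only outside -> inside traffic
        flags = f["tcp_flags"]
        if flags & SYN and not flags & ACK:
            failed[f["src"]] += 1
            targets[f["src"]].add(f["dst"])
    ranked = sorted(failed, key=lambda s: (-failed[s], s))
    return [(s, failed[s], len(targets[s])) for s in ranked]


def constructed_flows():
    """Constructed sample covering one long collection window."""
    flows = []
    # Slow scanner: one unanswered SYN to each of 40 different local hosts.
    for i in range(40):
        flows.append({"src": "203.0.113.77", "dst": "10.1.%d.10" % i,
                      "proto": TCP, "tcp_flags": SYN})
    # Legitimate client: five complete sessions and one unanswered retry.
    for _ in range(5):
        flows.append({"src": "198.51.100.20", "dst": "10.1.1.5",
                      "proto": TCP, "tcp_flags": 0x1B})
    flows.append({"src": "198.51.100.20", "dst": "10.1.1.5",
                  "proto": TCP, "tcp_flags": SYN})
    # Outbound SYN from an inside host and a UDP flow: both are ignored.
    flows.append({"src": "10.1.1.40", "dst": "198.51.100.20",
                  "proto": TCP, "tcp_flags": SYN})
    flows.append({"src": "203.0.113.77", "dst": "10.1.1.5",
                  "proto": 17, "tcp_flags": 0})
    return flows


if __name__ == "__main__":
    for row in failed_connection_ranking(constructed_flows(), "10.1.0.0/16"):
        print("%-15s failed=%d targets=%d" % row)
```
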

How to find out who attacked me? If you suspect (or know) that your station is victim to an attack, then you probably want to know who is the attacker. Locating the attacker is simple if source IP address is NOT spoofed. Select "Trends" menu and use "Source host by packet" statistic. Type in your IP address (victim) into destination host field and run search query. Result is a list of source hosts who communicated with you sorted by number of packets. Often the first host located is the attacker. In case source IP address is spoofed (often used reserved or private IP address) you can only locate source interface through that malicious traffic going into your station. You can not filter this attacker if he uses random source IP address, you can only contact provider or your ISP peer operator.
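The SYN-only counting described above under "How to find out who attacked my network?" can be sketched over exported flow records as follows. This is an added example, not Caligare code: the record layout, the local network range and the sample flows are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

SYN, ACK = 0x02, 0x10          # TCP flag bits as carried in flow records
TCP = 6                        # IP protocol number
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed local network

# Constructed sample flows: (src, dst, protocol, dst_port, cumulative TCP flags)
FLOWS = [
    ("198.51.100.7", "192.0.2.10", TCP, 1433, 0x02),  # SYN only: failed
    ("198.51.100.7", "192.0.2.11", TCP, 1433, 0x02),
    ("198.51.100.7", "192.0.2.12", TCP, 1433, 0x02),
    ("198.51.100.7", "192.0.2.13", TCP, 1433, 0x1B),  # SYN|ACK|PSH|FIN: success
    ("198.51.100.7", "192.0.2.14", TCP, 445, 0x02),
    ("203.0.113.20", "192.0.2.10", TCP, 80, 0x1B),
    ("203.0.113.20", "192.0.2.10", TCP, 80, 0x02),    # one failed attempt
    ("192.0.2.50", "192.0.2.10", TCP, 445, 0x02),     # inside source: skipped
    ("198.51.100.7", "192.0.2.10", 17, 137, 0x00),    # UDP: no TCP flags
]

def failed_connection_report(flows, local_net=LOCAL_NET):
    """Rank outside sources by SYN-only flows sent into local_net.

    Returns (source, failed_flows, unique_destinations) tuples, with the
    source that has the most unsuccessful connections first.
    """
    stats = defaultdict(lambda: {"failed": 0, "dsts": set()})
    for src, dst, proto, _dport, flags in flows:
        if proto != TCP:
            continue
        if ipaddress.ip_address(src) in local_net:
            continue                      # only sources outside the network
        if ipaddress.ip_address(dst) not in local_net:
            continue                      # only traffic aimed at the network
        if flags & SYN and not flags & ACK:
            stats[src]["failed"] += 1     # handshake never completed
            stats[src]["dsts"].add(dst)
    rows = [(s, v["failed"], len(v["dsts"])) for s, v in stats.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for src, failed, dsts in failed_connection_report(FLOWS):
        print(f"{src:15} failed={failed} unique_destinations={dsts}")
```

The first row is the attacker candidate; whether its count is abnormal still depends on what is normal for your network.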

Protection and Prevention

You can use many protection mechanisms; they are widely available through access lists on Cisco routers.

  1. Create new access list: ip access-list extended
  2. Add block rule: deny ip any
  3. Repeat step 2 for each attacker
  4. Permit any other traffic
  5. Check access list rules: show ip access-list
  6. Apply access list on source interface: ip access-group in

Example:

    configure terminal
    ip access-list extended block_attacker
     deny ip 10.0.0.0 0.255.255.255 any
     deny ip 192.168.0.0 0.0.255.255 any
     deny ip 80.95.102.33 0.0.0.0 any
     permit ip any any
     permit pim any any
     permit igmp any any
     exit
    interface GigabitEthernet 1/1
     ip access-group block_attacker in
     exit

Be very careful before updating an access list! On many routers the default rule is to drop any traffic if an access list exists. We recommend removing the access list from the interface, then creating a new access list and reassigning it to the interface. Picture 3 shows the result of applying the access list on our router R01; it was applied at 10:03.

Summary

This attack detection manual has discussed flow-based analysis of malicious traffic and abnormal activities. With the top sessions and top data methods, network administrators can detect network anomalies in real time more effectively. There is no universal process for finding the source of an attack, but with Caligare Flow Inspector software we may make your corporate network run better.

The full story with images and examples is at: http://www.caligare.com/articles/worms.php

Caligare delivers the most intelligent and secure networking solutions in the industry, and we back the program with our commitment to making our partners successful. We measure success in terms of customer satisfaction, as well as partner profitability. Caligare is providing the Linux based software, to provide a solution that dramatically reduces the cost of providing security, for the midsize and large businesses or agencies. Our goal is to help our customers get an efficient software tool at a reasonable price.

Posted on Feb 20th, 2006

This article is the third of a series of articles exploring specific aspects of groupware. The brief informational articles in this series discuss some of the technologies associated with groupware, as well as some of the characteristics of groupware. Some of these characteristics may go hand in hand with business collaborative needs. Other characteristics go beyond what some groupware providers have to offer. The purpose of these articles is to equip the groupware user or investigator with helpful knowledge about the product in order to enable more effective use or to lead the investigator to the groupware service he or she is looking for. This third article explores groupware as a document manager, and provokes a critical approach to finding the right groupware to meet your business’s needs.

A good litmus test to determine the value of groupware as a document manager consists of the four A’s: Ad Hoc Management, Accountability, Accessibility, and Affordability.

Is Groupware a Document Manager able to Handle Ad Hoc Collaboration?

A document manager is organizational software that tracks and organizes documents. In today’s fast-paced business world, most of the document collaboration that takes place is ad hoc. In other words, documents are continuously fired back and forth in B to B and B to C communication, consisting of multiple individuals. As drafts of documents and presentations are passed back and forth, they are archived in email boxes, saved on hard drives, and passed through servers. If groupware is to be considered an effective document manager, it must somehow be able to track and manage documents, even in an ad hoc setting.

Is Groupware an Accountable Document Manager?

In other words, as a document manager, can groupware account for the documents and their versions? Can it answer the who, what, when, where, and how questions that inevitably arise? Finding groupware that utilizes Digital Thread technology informs users where a document is saved and which version they are viewing. All tracking information is then collected into a digital flow chart displaying the version history of the document.

Is Groupware an Accessible Document Manager?

Often, document manager software systems require IT infrastructure and offer limited usability. Unless everyone with whom a user collaborates is a user too, the groupware isn’t very beneficial. However, groupware technology uses existing IT infrastructure and opens up accessibility to everyone with whom a user collaborates. Digital Thread still ties together document versions made by non-users. Non-users receive digital signatures with attached document versions. Non-users cannot, however, access a version history, nor can they receive digital signatures in projects with other non-users.

Is Groupware an Affordable Document Manager?

The easy answer to that is “yes, it can be.” In other words, groupware packages are produced in the business market in the millions. Just check out the search engine results page of any search engine after searching “groupware.” As of today, Google results include 4,870,000 indexed pages, Yahoo yields 4,820,000 indexed pages, and MSN yields 961,866 indexed pages.

Sifting through these results is impossible, though this article hopes to simplify that process through helpful information about effective features and technologies needed to meet today’s business needs without costing too much. Groupware without an expensive IT infrastructure is available with simple installation and affordable set up. The cost of time, training, and setup are minimal. Groupware is meant to work for the business. Don’t get stuck looking for products that work the other way around.

Joe Miller is an online advertiser and author of informational articles on business software. More information on Groupware or Document Manager is available at NextPage.com.

Posted on Feb 19th, 2006

Every time I hit the letter * on my computer it replaced it with a *. I said, “What the heck is going on here?”

My wife said, “Hold it down in there! You made me knit when I should have *een purling.”

I kept cussing my computer and my wife decided to move out on the patio with her knitting.

I decided that “someone” had programmed my computer so that every time I hit the * key it printed a *.

When you hit a key on our computer and it prints something other than what key is supposed to print you have a macro assigned to your keyboard. For example, when you hit Control * your computer prints in *old.

Well, that was a *ad example. When you hit Control i your computer prints in italics.

Such a macro is called a shortcut. You can have a macro print the Gettysburg Address if you want to. To set up a macro in Word® go to Tools, Macro, and follow the instructions. You can also remove a macro there.

I looked for a macro that would print a * when I hit the * key. There was no such macro.

That’s when I yelled, XRYTSPET!

Xrytspet said, “What’s up, Taylor Jones, the hack writer?”

I turned and she was sitting on the little green stool I have in the corner of my den. I chuck papers on the stool when I need extra desk space. The papers were on the floor and Xrytspet and the stool were in the air. I said, “Get down from there you idiot.”

Xrytspet de-levitated and drifted down to the floor. She sat on my desk. I said, “You’ve been messing with my computer again, haven’t you?”

She twitched her nose and said, “So?”

I said, “You’ve put a hidden macro assigned to my keyboard in there somewhere. I just can’t find the darn thing. Every time I hit the * key I get a *.”

She looked at my manuscript. “You push the * key and you get a *. What do you expect?”

“Xrytspet!”

She said, “Well, don’t get so huffy. And don’t call me, Idiot. I reserve that term for you.”

I said, “Xrytspet, are you going to tell me what you did?”

She said, “It was all for your own good.”

I said, “I push the * key and I get a *. How can that be for anybody’s good? My readers will be confused as hell.”

“Your readers are as confused as hell.”

That’s what she said and it hurt.

I guess I pouted. She said, “It’s all for your own good Taylor Jones, the hack writer. It’s the Chnileieenien Wager.”

I said, “The what?”

“The Chnileieenien Wager,” she said. “The Chnileieeniens are in G23874665530. They are the gamblers of the universe. They bet on everything. Right now they have a wager that at some time each of the over 12,000 writers in your writing pool will hit the * key at the same time. I foiled them by having your computer print a * when you press the * key instead of a *. That will fool them until they figure out what I did. By then the time limit on the wager will have expired.”

I said, “I’m trying to figure out what you did.

“So what if we all hit the * key at the same time and print a *.

“So what?”

She said, “Then the Fonlikors from G78899445 will lose their bet to the Chnileieeniens. The Fonlikors are more-than-ugly killers of the universe. They will come in here with their Avglaitors and cut you and all the other writers in your pool into ribbons.”

I imagined what an Avglaitor looked like. Probably like one of those electric bread slicers they have in bakeries. I said, “When does the wager expire?”

She said, “2034.”

I said, “Why, thank you, Xrytspet!”

I can live with the * key printing a * until 2034.

Let’s see, I’ll only be 102 years old!

The End

John T. Jones, Ph.D. (tjbooks@hotmail.com), a retired VP of R&D for Lenox China, is author of detective & western novels, nonfiction (business, scientific, engineering, humor), poetry, etc. Former editor of Ceramic Industry Magazine. He is Executive Representative of IWS, sellers of Tyler Hicks wealth-success books and kits. He also sells TopFlight flagpoles. He calls himself "Taylor Jones, the hack writer."

More info: http://www.tjbooks.com

Business web site: http://www.aaaflagpoles.com

Posted on Feb 19th, 2006

Document Manager and Version History

In previous articles I have discussed the usefulness of a document manager, such as groupware, in organizing document sharing. I have also discussed the role that a Version History plays in a good document manager. In this article I wish to elaborate on Version History and its ability to make or break your document manager. The reason a document manager benefits so much from Version History is that Version History presents a visual flow chart of the editorial process any document has gone through. The who, what, when, where, and how are all answered.

Having Version History as one of your document manager tools creates a three-point advantage in document collaboration, advantages that take businesses to a higher level of efficiency, organization, and communication.

Ad Hoc Management

Business communication and document collaboration move too quickly with the ease of Microsoft Outlook and other email communication, where any presentation or document can be shot back and forth between any number of parties any number of times. Because of the simplicity of this process, it is difficult for a document manager to track all of the editorial changes made to documents without Version History. In other words, the jumble of unordered, chronologically challenged changes is difficult, if not impossible, to organize without Version History. Version History helps to present a chronological order of ad hoc business. A document manager that uses Version History will be able to work the way your business does.

Reference

As I mentioned before, as document versions are sent back and forth in no particular order, a document manager can only do so much without the help of Version History. Eventually deadlines fall due, and the various document versions need to be organized before they are brought together into one final draft. The most common process for organizing attached drafts is to dig through your email box and hard drive to collect all of the drafts and to sort them by date. Then, you ask everyone else to do the same and send them to you. Once all of the information comes back to you, you have to go over the same process again, this time deleting duplicate files. Already, too much time has been spent referencing all of the document changes. Version History references documents immediately upon request, displaying exactly where documents were sent, when they were sent, and how versions relate to each other. Version History helps to create a document manager that works for you.

Digital Thread Technology

Every tool a document manager utilizes has its own tricks. Version History is no exception. What is its trick? Digital Thread Technology. As a document is created, whether a budget plan, a marketing presentation, or a legal contract, Digital Thread Technology inserts tracking information into the metadata of the electronic document. This allows the document to be tracked over various email boxes and drives, even if the document has been sent to individuals who do not use your document manager. Digital Thread Technology literally threads each draft together like beads on a necklace, enabling Version History to create a simple and informative flow chart of your document’s draft genealogy.

Joe Miller is an author of informational articles and online advertisements on business software. Read more about a Document Manager and Version History at NextPage.com.
