Thursday, August 26, 2010

Computer Purchase Recommendations

Many of you have asked for guidelines on purchasing a new computer.  This webpage is intended to give you some direction in a way that is always up to date.
For the time being, we are recommending Dell computers.  They are reliable, cost competitive and they offer up to a 4-year warranty.  In addition, their service and support is second to none.  When we need replacement parts, we normally have them the next day or on the 2nd day depending on what time of the day we call for the replacement parts.
One thing we DO NOT recommend is to purchase parts and build your own computer.  If you decide this is the way you'd like to go, you will have to take the responsibility of keeping track of all warranty information and resolving problems under warranty with the manufacturer.
One good place to start with the specifications of a PC is with the software you intend to run on the PC.  In most cases, computer software will give you the minimum hardware necessary to run the software and the recommended hardware for the best performance of the software.  Use this as the basis for configuring your computer. 
As for the specifications for a new computer, use the chart below as a basic guideline when configuring a new PC.  Remember that these are only suggestions and not strict guidelines.  We are just trying to give you some idea of what to look for when shopping for a new computer.
Processor The processor should be the fastest available or something within 10% of the fastest processor.  For instance, if the fastest processor available is 3.0GHz, you should purchase something between 2.7GHz and 3.0GHz.  To give you an example of the changes in technology when it comes to processors, in just 6 months, processor speeds increased by about 20%.  As for the manufacturer of the processor, both Intel and AMD processors work very well.
For laptop computers, we recommend a processor that will provide the best extended battery life.
One processor that we do not recommend for computational use is the Intel Celeron processor since these processors perform poorly when used for computational purposes.  Otherwise, they will work just fine.
If you are going to use the computer for heavy computational use, you may want to consider the Intel Xeon processor, the Intel Itanium processor or the AMD Athlon 64 processor.
Mobile Processors are slower in clock speed but perform as well as most regular Intel or AMD processors.  Use the same 10% guidelines above within the mobile processor speeds.
RAM (memory) The absolute minimum amount of RAM that we recommend is equal to ½ of the total RAM an average computer will hold.  If a computer will hold a maximum of 2GB of RAM, the minimum you should consider is 1GB of RAM.  Under no circumstances should you ever go below ¼ of the maximum RAM.  A general rule of thumb: if this computer is going to be used for computational use, more RAM is almost always better.
Hard Disk Size We always recommend the largest hard drive available.  With the increasing space needed to load the operating systems and programs, the amount of disk space required to hold the OS, programs and your data increases.
Monitor When you can afford them, we recommend the LCD flat panel monitors.  They give you far more desk space, their quality is very good and they use less power.   When you are not able to afford the LCD monitor, we recommend the CRT monitor with the flat screen.  For the CRT monitors, these will provide the best quality image on the screen.
Video Card There are many video cards that have 32MB, 64MB, 128MB and so on.  You should decide what video card to order based on the planned use and needs you have for the computer you are purchasing.  If you are going to be doing very detailed, high definition graphics, you should consider something with a reasonable amount of RAM for the job you are doing.
Floppy Disk Drive Many companies do not provide you with a floppy disk drive as a regular feature.  Many are making them an option and charge about $15 to add it.   Since there is only 1 size (1.44MB) available, adding this to your computer should be something you decide based on your needs.
CDROM, CD-RW, DVD, DVD-RW There are many drives available for writing data to CD or DVD media.  The main difference between the CD-RW and the DVD-RW is the amount of data that can be stored on a single disk.  The CD holds about 650MB of data and the DVD holds about 4.7GB of data.  In any case you should always get the device with the fastest write speed. One thing to keep in mind is that the writable CD is a great way to back up your data.
Network Card A network card is normally included in the configuration of the PC.  However, if you are purchasing a laptop, you may want to get a wireless network card in addition to the internal network card.  Many areas on Campus have access to the Internet via UF's wireless network.   The one thing to keep in mind with wireless network cards is that they MUST be WiFi compatible.
Sound Card and Speakers Most of the time, the sound card and the speakers that come with a new computer are sufficient for the needs we have in the Department.   Normally laptop computers have the speakers built into the computer.  With a desktop computer, you may need to purchase the speakers as an option to your computer.
Removable Media Sometimes you may want to have the option of storing your data to some sort of removable media other than a floppy disk or a CD.  Due to their limitations, Zip Drives are not as popular as they used to be.  Unless you have a specific need for this type of media, we recommend that you avoid these drives.
One form of removable media that is becoming very popular is the USB Flash Memory Stick.  These devices can hold up to 2GB (at a price) and can be carried in your pocket.  They are compatible with almost any computer that has a USB port.
Printers In most cases we recommend the Hewlett Packard line of printers.  They have a wide variety of the types of printer available and they are extremely reliable.  
UPS A UPS is always something that is nice to have on critical computers that are doing computations or are servers on the network.  With a UPS you can avoid most interruptions due to power failures or fluctuation in the power.
Warranty What kind of warranty should I look for?  If someone offers a 1 year warranty, that is far too short.  The minimum warranty you should settle for is 3 years.  We expect all computers that we purchase to last for 3 years so we want to keep them under warranty during that time. Here is something to keep in mind.  Lab computers are financially supported by your lab funds and not Department funds.  Having to replace parts that are not under warranty can be rather costly.

Wednesday, August 25, 2010

Exchange Server 2003

How to Run Exchange Server 2003 ForestPrep
ForestPrep is run the first time you install Exchange Server 2003 into your Active Directory forest. It extends the schema to include Exchange specific classes and attributes.
Before You Begin
Before you perform the procedure in this topic, consider the following:
• The account you use to run ForestPrep must be a member of the following groups:
• Enterprise Administrator
• Schema Administrator
• Domain Administrator
• Local Machine Administrator
• When you delegate Exchange roles to a security group, it is recommended that you use Global or Universal security groups and not Domain Local security groups.
• To decrease replication time, it is recommended that you run Exchange 2003 ForestPrep on a domain controller in your root domain.
Procedure
To run Exchange 2003 ForestPrep
1. Insert the Exchange CD into your CD-ROM drive.
2. On the Start menu, click Run, and then type E:\setup\i386\setup /ForestPrep, where E is your CD-ROM drive.
3. On the Welcome to the Microsoft Exchange Installation Wizard page, click Next.
4. On the License Agreement page, read the agreement. If you accept the terms, click I agree, and then click Next.
5. On the Product Identification page, type your 25-digit product key, and then click Next.
6. On the Component Selection page, ensure that Action is set to ForestPrep. If not, click the drop-down arrow, and then click ForestPrep. Click Next.
The ForestPrep option on the Component Selection page


Important:
If ForestPrep does not appear under Action, you may have misspelled the "ForestPrep" command in Step 2. If this is the case, go back to Step 2 and retype the command.
7. On the Microsoft Exchange Server Administrator Account page, in the Account box, type the name of the account or group that is responsible for installing Exchange.
Note:
The account that you specify will also have permission to use Exchange Administration Delegation Wizard to create other Exchange administrator accounts. For more information about Exchange Administration Delegation Wizard, see the Exchange Server 2003 Administration Guide (http://go.microsoft.com/fwlink/?linkid=21769).
The Microsoft Exchange Server Administrator Account page


8. Click Next to start ForestPrep. After ForestPrep starts, you cannot cancel the process.
Note:
Depending on your network topology and the speed of your Windows 2000 or Windows Server 2003 domain controller, ForestPrep may take a considerable amount of time to complete.
9. On the Completing the Microsoft Exchange Wizard page, click Finish.

How to Run Exchange Server 2003 DomainPrep
DomainPrep creates the groups and permissions necessary for Exchange servers to read and modify user attributes in Active Directory. You must run DomainPrep before installing your first Exchange server in a domain.
Before You Begin
Before you perform the procedure in this topic, consider the following:
• Before you run DomainPrep, you must have run ForestPrep in the forest.
• Before you run DomainPrep, make sure the schema changes made during ForestPrep have replicated throughout the forest.
• The account you use to run DomainPrep must be a member of the following groups:
• Domain Administrators for the local domain
• Local Machine Administrator
• You must run DomainPrep in the following domains:
• The root domain.
• All domains that will contain Exchange 2003 servers.
• All domains that will contain Exchange Server 2003 mailbox-enabled objects (such as users and groups), even if no Exchange servers will be installed in these domains.
• All domains that contain global catalog servers that Exchange directory access components may potentially use.
• All domains that will contain Exchange 2003 users and groups that you will use to manage your Exchange 2003 organization.
• You do not need any Exchange permissions to run DomainPrep.
Procedure
To run Exchange 2003 DomainPrep
1. Insert the Exchange CD into your CD-ROM drive. You can run DomainPrep on any computer in the domain.
2. From a command prompt, type E:\setup\i386\setup /DomainPrep, where E is your CD-ROM drive.
3. On the Welcome to the Microsoft Exchange Installation Wizard page, click Next.
4. On the License Agreement page, read the agreement. If you agree to the terms, click I agree, and then click Next.
5. If the Product Identification page appears, type your 25-digit product key, and then click Next.
6. On the Component Selection page, ensure that Action is set to DomainPrep. If not, click the drop-down arrow, and then click DomainPrep. Click Next.
The DomainPrep option on the Component Selection page


Important:
If DomainPrep does not appear in the Action list, you may have misspelled the "DomainPrep" command in Step 2. If this is the case, go back to Step 2 and retype the command.
7. On the Completing the Microsoft Exchange Wizard page, click Finish.

How to Install Exchange Server 2003
After planning and preparing your Exchange organization, you are ready to run Exchange 2003 Setup. This topic explains how to run Exchange Setup to install Exchange Server 2003.
Before You Begin
To install the first Exchange 2003 server in the forest, you must use an account that has Exchange Full Administrator permissions at the organization level and is a local administrator on the computer. Specifically, you can use the account you designated while running ForestPrep or an account from the group that you designated.
Important:
When you deploy Exchange 2003 servers into multiple domains for the first time, verify that the installation information for the first server you install replicates to all domains before you install the next server. If installation information from the first server has not replicated to all domains, there will be replication collision issues, and that server will lose permissions for the organizational object in Active Directory.
Procedure
To install Exchange Server 2003
1. Log on to the server on which you want to install Exchange. Insert the Exchange Server 2003 CD into your CD-ROM drive.
2. On the Start menu, click Run and then type E:\setup\i386\setup, where E is your CD-ROM drive.
3. On the Welcome to the Microsoft Exchange Installation Wizard page, click Next.
4. On the License Agreement page, read the agreement. If you agree to the terms, click I agree, and then click Next.
5. On the Product Identification page, type your 25-digit product key, and then click Next.
6. On the Component Selection page, in the Action column, use the drop-down arrows to specify the appropriate action for each component, and then click Next.
The Component Selection page


7. On the Installation Type page, click Create a new Exchange Organization, and then click Next.
The Installation Type page


8. On the Organization Name page, in the Organization Name box, type your new Exchange organization name, and then click Next.
Note:
The name must contain at least 1 character, but be fewer than 64 characters. You can use the following characters in your new Exchange 2003 organization name:
• A through Z
• a through z
• 0 through 9
• Space
• Hyphen or dash
The Organization Name page


9. On the License Agreement page, read the agreement. If you agree to the terms, click I agree that I have read and will be bound by the license agreements for this product, and then click Next.
10. On the Component Selection page, in the Action column, use the drop-down arrows to specify the appropriate action for each component, and then click Next.
11. On the Installation Summary page, confirm that your Exchange installation choices are correct, and then click Next.
The Installation Summary page


12. On the Completing the Microsoft Exchange Wizard page, click Finish.

How to Install Active Directory Connector
Active Directory Connector (ADC) is used to connect your Exchange 5.5 directory to Active Directory.
Before You Begin
• To install the Exchange 2003 version of ADC, you must have at least one server in each Exchange site running Exchange 5.5 SP3.
• The account you use to install ADC must be a member of the Enterprise Administrator, Schema Administrator, and Domain Administrator groups. The account must also be a Local Machine Administrator on the local machine.
Procedure
To install Active Directory Connector
1. Insert the Exchange CD into your CD-ROM drive. You can install ADC on any computer in the Windows domain.
2. On the Start menu, click Run, and then type E:\adc\i386\setup, where E is your CD-ROM drive.
3. On the Welcome to the Active Directory Connector Installation Wizard page, click Next.
4. On the Component Selection page, select the Microsoft Active Directory Connector Service and the Microsoft Active Directory Connector Management components, and then click Next.
5. On the Install Location page, verify the folder location, and then click Next.
6. On the Service Account page, in the Account box, browse to the user or group that the ADC service will run as, and then click Next.
Important:
The service account or group you chose must have Local Administrator and built-in Domain Administrator permissions. The account or group that you designate as the ADC service account will have full control of the Exchange organization. Therefore, you should ensure that it is a secure account or group.
7. On the Microsoft Active Directory Connector Setup page, click Finish.
For More Information
For information about running ADC Tools, see How to Run Active Directory Connector (ADC) Tools.
How to Run Active Directory Connector (ADC) Tools
Active Directory Connector (ADC) Tools are used to lead you through the process of confirming that your Exchange 5.5 directory and mailboxes are ready for migration. ADC Tools are a collection of wizards and utilities that help you set up and configure your connection agreements. The tools also ensure that replication between your Windows NT 4.0 organization and Windows 2000 or Windows Server 2003 is functioning properly.
Procedure
To run ADC Tools
1. On your ADC server, click Start, point to All Programs, point to Microsoft Exchange, and then click Active Directory Connector.
2. In the console tree, click ADC Tools.
3. Follow the steps indicated in the ADC Tools details pane.
Note:
On the Set Credentials page, click Set Credentials to provide the administrator name and password for each site. Enter the name in the domain\username format.
Note:
On the Site Connections page it is recommended that you choose a two-way connection. One way connections are useful for testing how objects will replicate to Active Directory. However, in a production environment, directory objects should replicate both to and from Active Directory and the Exchange 5.5 directory.
Note:
There is a group named Everyone that is not replicated. Because of this, the ADC Tools will always report at least one warning.
For More Information
For information about installing ADC, see How to Install Active Directory Connector.
How to Use Exchange Task Wizard to Move Mailboxes
Exchange Task Wizard provides an improved method for moving mailboxes. This topic explains how to use the Exchange Task Wizard to move mailboxes.
For more information about the Exchange Task Wizard, see the section "Using Exchange Task Wizard to Move Mailboxes" in Migrating from Exchange Server 5.5 to Exchange Server 2003.
Procedure
1. On your Exchange 2003 computer, click Start, point to All Programs, point to Microsoft Exchange, and then click System Manager.
2. In the console tree, expand Servers, expand the server from which you want to move mailboxes, expand the Storage Group from which you want to move mailboxes, expand the Mailbox Store you want, and then click Mailboxes.
3. In the details pane, right-click the user or users you want, and then click Exchange Tasks.
4. In Exchange Task Wizard, on the Available Tasks page, click Move Mailbox, and then click Next.
5. On the Move Mailbox page, to specify the new destination for the mailbox, in the Server list, select a server, and then in the Mailbox Store list, select a mailbox store. Click Next.
6. Under If corrupted messages are found, click the option you want, and then click Next.
Note:
If you click Skip corrupted items and create a failure report, these items are lost permanently when the mailbox is moved. To avoid data loss, back up the source database before moving mailboxes.
7. On the Task Schedule page, in the Begin processing tasks at list, select the date and time for the move. If you want to cancel any unfinished moves at a specified time, in the Cancel tasks that are still running after list, select the date and time. Click Next to start the process.
8. On the Completing the Exchange Task Wizard page, verify that the information is correct, and then click Finish.

How to Run the Public Folder Migration (PFMigrate) Tool
The Microsoft Exchange Public Folder Migration Tool (PFMigrate) is a new tool that enables you to migrate both system folders and public folders to the new server. This topic explains how to run the PFMigrate tool.
For more information about the PFMigrate tool, see the section "Using Microsoft Exchange Public Folder Migration Tool" in Migrating from Exchange Server 5.5 to Exchange Server 2003. The PFMigrate tool is a command-line script that administrators can use to create replicas of system folders and of public folders. This tool has been updated in Exchange Server 2003 Service Pack 1 (SP1). To obtain the PFMigrate tool, use either of the following methods:
• Open the Support\ExDeploy folder on the Exchange Server 2003 CD-ROM.
• Download the tool at Microsoft Exchange Server Deployment Tools.
Before You Begin
After you run PFMigrate, only the hierarchy of the system folders and public folders is migrated immediately. You must wait for replication for the contents of the system folders and public folders to be migrated. Depending on the size and number of system and public folders, as well as your network speed, replication could take a considerable amount of time. In some cases, you may need to force synchronization.
To force synchronization
1. Open Exchange System Manager.
2. Click Administrative Group, click Site, and then click Folders.
3. Right-click the public folder for which you want to force synchronization.
4. Point to All Tasks and then click Send Content.
Procedure
To run the Public Folder Migration (PFMigrate) Tool
1. In Exchange Server Deployment Tools, on the Welcome to the Exchange Server Deployment Tools page, click Deploy the first Exchange 2003 server.
2. On the Deploy the First Exchange 2003 Server page, in the Follow this process column, click Coexistence with Exchange 5.5.
3. On the Coexistence with Exchange 5.5 page, click Phase 3.
4. On the Phase 3. Installing Exchange Server 2003 on the Initial Server page, click Next.
5. On the Install Exchange 2003 on Additional Servers page, click Next.
6. On the Post-Installation Steps page, under Moving System Folders and Public Folders, click move system folders and public folders, and then follow the steps listed to complete your public folder migration.

Cisco PIX Firewall - Practical

Cisco PIX Firewall - Practical Work
About
This whitepaper is the result of hands-on working experience with various PIX platforms and versions and summarizes all core concepts needed by a firewall administrator. The whitepaper also tries to complement other documentation sources by being geared toward the administrator’s direct understanding from a conceptual and presentational perspective. So you may find this guide tailored to your practical needs and easy to use when you are new to PIX or just looking for a memory refreshing reference.  All your suggestions and corrections are more than welcome. Cl
  
1. Essentials

Cisco PIX is a widely deployed firewall, preferred especially for security solutions that require high processing speed, such as semi-trusted connections between peering businesses. From a security-features perspective it cannot be called the most flexible platform, but the latest versions (6.3 and later) cover most of the previously missing features.
The PIX architecture is built around the ASA security engine, which performs the inspection, maintains the session state information and handles network translation.
The inspection sequence is performed as follows:

1. A packet enters an interface and PIX evaluates the security levels of the source and destination interfaces. A low-to-high flow is allowed only if an access-list/conduit permits the connection; a high-to-low flow is allowed by default unless a specific access-list/outbound denies it.
2. The packet is checked against the stateful session table. If it is part of an already established flow, it is passed forward to be routed out and, if specified, translated. If the packet is identified as part of a new session, it is checked against the access list applied to the inbound interface (or against the conduits for versions earlier than 6.3).
3. Once the packet has passed the inbound security check, it is passed to ASA, which performs the inbound network translation (destination NAT).
4. ASA creates an entry in the stateful session table and the timers are started for that session. The packet is routed out to the interface designated by the routing table.
5. At the exit interface, source translation is performed if it is specified using global statements and nat groups.
6. The packet is delivered to the next hop router, or to the final destination if it is present in one of the firewall's local subnets.


 
  



2. Interfaces and security levels
Each physical or logical (VLAN, from version 6.3) interface has a security level assigned.
Two interfaces are present by default in any system, and their names cannot be changed:
The outside interface is always defined as interface no. 0 (i.e. ethernet0) and has security level 0 assigned (the least secure).
The inside interface is always defined as interface no. 1 (i.e. ethernet1) and has security level 100 assigned (the most secure).
Other interfaces can be defined and named as desired and must have a security level between 1 and 99.
  
3. Naming convention
 Outbound data flow: initiated from a higher security interface toward a lower security interface.
Inbound data flow: initiated from a lower security interface toward a higher security interface.
Inbound and outbound concepts are used in the logging messages generated by the firewall.
  
4. Default security mechanism
By default, the PIX firewall allows any session or data flow to pass from a higher security interface to a lower security interface without restrictions. This default is no longer appropriate today, when an already compromised host may initiate outbound sessions and infect other hosts. It is strongly recommended to disable this behaviour by using access lists on all interfaces that define the legitimate traffic and drop everything else.

5. Defining and enforcing the security policy
 The default security policy ensures that the packets originating from higher security interfaces are allowed to flow through lower security interfaces and any packets originating from lower security interfaces are not allowed to flow through higher security interfaces.
  PIX-OS later than 5.3
Access lists are the newly recommended security enforcement mechanism.

An access list is applied to an interface and checks all traffic entering it, making no distinction between outbound (high-to-low security) and inbound (low-to-high security) traffic.
Access lists are stateful and are part of the ASA engine.
The access list is applied only when a packet enters the firewall through an interface.
No checking is performed when the packet exits the firewall through the destination interface.
A flow is defined only once, in the access list applied to the interface where the flow enters the firewall.
By comparison, Checkpoint FW1/NG has the option to check a flow both when it enters and when it exits the firewall. This increases security but reduces processing speed.
Some of the features of ACLs in PIX-OS version 6.3 and later:
1. They accept comments (remarks), so that each statement in an ACL can be commented for a more readable security policy (an essential feature for a firewall administrator that was missing in previous PIX versions).
2. Statements are numbered, permitting insertion of new statements at any desired position.
3. They accept TCP/UDP port ranges.
4. They introduce the use of object groups for easier management.
The ACL statements are checked in sequential order, exactly as they have been defined.
All hits that qualify for a specific statement are logged. To make all dropped traffic visible in the log, explicitly specify the otherwise implied #deny ip any any statement at the end of the ACL.
An ACL becomes active once it is associated with an interface using an access group.
The matching policy is first match: the first statement that matches decides whether the data flow is dropped or allowed. For improved performance, define the most used statements first.
 Configuration summary:


//define an ACL
#access-list acl_inside remark --- FP: Mar 16 2004: permit outbound  FTP and HTTP
#access-list acl_inside permit tcp 10.0.0.0 255.0.0.0 152.10.10.0 255.255.255.0 eq ftp
#access-list acl_inside permit tcp 10.0.0.0 255.0.0.0 152.10.10.0 255.255.255.0 eq http
#access-list acl_inside remark --- FP: Mar 16 2004: allow outbound DNS
#access-list acl_inside permit udp 10.0.0.0 255.0.0.0 any eq 53
#access-list acl_inside remark --- FP: Mar 16 2004: deny Mydoom virus spreading
#access-list acl_inside deny tcp 10.0.0.0 255.0.0.0 any range 3127 3198
//Apply the ACL to the interface
#access-group acl_inside in interface inside
 
  Note:
The “in” keyword in the access-group syntax does not have an opposite “out” option. ACLs can be specified only as an inbound checking mechanism: they are checked when a packet enters an interface, not when it exits the firewall.
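The first-match evaluation and the default security-level behaviour described above, modelled in Python as an added example (not code from the original whitepaper or from Cisco). It parses only the subset of access-list syntax used on this page; the dmz1 level of 50, the final explicit deny line and the sample flows in the comments are constructed.

```python
import ipaddress

# Security levels as the page defines them; dmz1 = 50 is an assumed value.
SECURITY_LEVEL = {"outside": 0, "dmz1": 50, "inside": 100}
PORT_NAMES = {"ftp": 21, "http": 80}

# The page's ACL, with the explicit final deny it recommends for logging.
CONFIG = """
access-list acl_inside remark --- permit outbound FTP and HTTP
access-list acl_inside permit tcp 10.0.0.0 255.0.0.0 152.10.10.0 255.255.255.0 eq ftp
access-list acl_inside permit tcp 10.0.0.0 255.0.0.0 152.10.10.0 255.255.255.0 eq http
access-list acl_inside remark --- allow outbound DNS
access-list acl_inside permit udp 10.0.0.0 255.0.0.0 any eq 53
access-list acl_inside remark --- deny Mydoom virus spreading
access-list acl_inside deny tcp 10.0.0.0 255.0.0.0 any range 3127 3198
access-list acl_inside deny ip any any
access-group acl_inside in interface inside
"""


def _port(tok):
    """Accept a numeric port or one of the names used on the page."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _take_addr(toks):
    """Consume 'any', 'host A' or 'NET MASK' and return an ip_network."""
    first = toks.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(toks.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{toks.pop(0)}")


def parse(config):
    """Return ({acl_name: [rule, ...]}, {interface: acl_name})."""
    acls, bindings = {}, {}
    for line in config.strip().splitlines():
        toks = line.split()
        if toks[0] == "access-group":       # access-group NAME in interface IF
            bindings[toks[4]] = toks[1]
            continue
        name, action = toks[1], toks[2]
        if action == "remark":              # remarks never match traffic
            continue
        rest = toks[3:]
        proto = rest.pop(0)
        src, dst = _take_addr(rest), _take_addr(rest)
        ports = (0, 65535)                  # no port clause: any port
        if rest and rest[0] == "eq":
            ports = (_port(rest[1]), _port(rest[1]))
        elif rest and rest[0] == "range":
            ports = (_port(rest[1]), _port(rest[2]))
        acls.setdefault(name, []).append(
            {"action": action, "proto": proto, "src": src, "dst": dst,
             "ports": ports, "text": " ".join(toks[2:])})
    return acls, bindings


def evaluate(acls, bindings, in_if, out_if, proto, src, dst, dport):
    """Decide a NEW session entering in_if and leaving through out_if.

    An ACL bound to the entry interface is walked top-down and the first
    match wins; without one, the interface security levels decide.
    Returns (verdict, reason).
    """
    acl = bindings.get(in_if)
    if acl is None:
        if SECURITY_LEVEL[in_if] > SECURITY_LEVEL[out_if]:
            return "permit", "default: high-to-low security level"
        return "deny", "default: low-to-high needs an explicit permit"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, r in enumerate(acls[acl], start=1):
        if r["proto"] not in ("ip", proto):
            continue
        lo, hi = r["ports"]
        if s in r["src"] and d in r["dst"] and lo <= dport <= hi:
            return r["action"], f"{acl} statement {n}: {r['text']}"
    return "deny", f"{acl}: implicit deny"


ACLS, BINDINGS = parse(CONFIG)

if __name__ == "__main__":
    # Constructed sample flows: (entry, exit, proto, source, destination, port)
    flows = [
        ("inside", "outside", "tcp", "10.1.2.3", "152.10.10.5", 80),
        ("inside", "outside", "udp", "10.1.2.3", "203.0.113.9", 53),
        ("inside", "outside", "tcp", "10.1.2.3", "203.0.113.9", 3127),
        ("inside", "outside", "tcp", "10.1.2.3", "203.0.113.9", 25),
        ("dmz1", "outside", "tcp", "172.16.20.7", "203.0.113.9", 80),
        ("outside", "inside", "tcp", "203.0.113.9", "10.0.0.100", 80),
    ]
    for f in flows:
        print(f, "->", evaluate(ACLS, BINDINGS, *f))
```

The reason string names the statement that decided the flow, which is the line to look for when reading the firewall log for a dropped session.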

PIX-OS up to version 5.3
The old security enforcement mechanism is based on using conduits and outbounds.
 Conduits
Conduits define a group of statements that enforces the security policy for all data flows moving from low to high security interfaces. The statements are not bound to a specific interface; they are treated as a whole and checked for any packet entering any lower security interface and exiting through a higher security interface.
Conduits are stateful and accept tcp/udp/icmp/any-ip data flow definitions.
Conduits offer limited manageability and readability compared with the extended features of ACLs. They are not numbered, and you cannot insert a new statement wherever you want without removing the whole conduit group and re-entering it in the desired order.
Conduits are checked in sequential order, exactly as they have been defined, and the first match is chosen to allow or drop the data flow. For improved performance, define the most used statements first.
 Outbounds
Outbounds are used to control outbound communication originating from a higher security level toward a lower security level. Outbound connections are allowed by default, but you must use outbounds to define the legitimate connections and prevent the spread of any viruses or security threats coming from the inside.
The statements are not bound to a specific interface; they are treated as a whole and checked for any packet entering any higher security interface and exiting through a lower security interface.
Outbounds are stateful and accept tcp/udp/icmp/any-ip data flow definitions.
Outbounds offer limited manageability and readability compared with the extended features of ACLs. They are not numbered, and you cannot insert a new statement wherever you want without removing the whole group and re-entering it in the desired order.

Outbounds are checked in sequential order, exactly as they have been defined, and the first match is chosen to allow or drop the data flow. For improved performance, define the most used statements first.

Configuration summary


Note: the conduit syntax can be confusing because the source and destination are specified in the opposite order to ACL statements.
#conduit permit <proto> <destination> <dest-mask> <port> <source> <src-mask> <src-port>
//define conduits to control the inbound traffic
#conduit permit tcp host 200.31.21.2 eq http host 205.189.2.1
#conduit deny tcp any host 205.189.2.1

For complete syntax information, go to the Cisco Documentation website.








6. Static network translation
Static network translation is the feature that allows source or destination translation on a one-to-one basis. The translation entries created using statics are permanent mappings and have no expiration timer associated with them.
Static translation is performed using the static command. Cisco uses the attributes global and local to describe the significance of an IP address. For a better understanding, think of global and local as relating to the physical location with regard to an interface. A global address is an address that can be accessed externally through other interfaces. The global address hides the local IP address, which is behind the interface we refer to.
Static destination translation
 Destination translation occurs when you define a so-called global IP for a resource that is located behind one of the internal interfaces and is accessed through any of the other interfaces.
 The firewall automatically handles the ARP requests for the global IP address and assigns its own interface MAC address to it. By default PIX performs gratuitous ARP, which permits ARP resolution for the NATed IP.
 Syntax:
 #static(destination_intf, source_intf) <global_IP> <local_IP> netmask <mask>
 Where:
 - Destination_intf is the interface where the destination/translated host resides.
- Source_intf is the interface that the hosts requiring access come from.
- Netmask can be a host mask (255.255.255.255) or a subnet of any mask length, meaning that the whole subnet is published for access. The relationship is one-to-one. You must have enough global_IP addresses available to match each local host address.
 Example:

//NAT for a server located behind the inside interface that is accessed by a client coming from the outside. The global IP address 191.90.30.3 is accessible through the outside interface:
 #static(inside,outside) 191.90.30.3 10.0.0.100 netmask 255.255.255.255
 //NAT for the same server located behind the inside interface, accessed by a client coming from the dmz01 interface. The global IP address 172.16.20.100 is accessible through the dmz01 interface:
#static(inside,dmz01) 172.16.20.100 10.0.0.100 netmask 255.255.255.255


Very important:

1. As observed in the above example, the PIX architecture requires an individual static statement for each pair of interfaces in order to allow access to that translated IP. The static statement is essential in “publishing” the local host to that specific interface and making it accessible through that interface.
 2. It is mandatory to define a “transparent” static translation when you access any host from a lower security interface to a higher security interface. The static translation can be called transparent because there is no real address translation; it only publishes the IP address in order to allow the access.
 
  Example:
In order to access the server 10.0.0.100 situated behind the inside interface from the dmz02 interface, you have to define a “transparent” static translation as follows:
 #static(inside,dmz02) 10.0.0.100 10.0.0.100 netmask 255.255.255.255
 You can observe that the global and local IPs are one and the same and no real translation is done. This is mandatory and is part of the PIX-specific architecture. It brings an additional level of security: even if you have access lists/conduits that allow the access, it will not work unless you specifically designate which host(s) are published for access.
 This transparent static is required only for inbound transactions from a lower security to a higher security interface. No specific statics are required when you access from a higher security to a lower security interface, unless you want to do explicit source address translation.
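The two rules described so far, conduits evaluated first-match in destination-first order and a static that must publish the host on each interface pair, can be checked together. The following Python model is an added example, not code from the original page or from Cisco; the function names and the sample configuration are constructed (reusing the page's addresses), and it assumes inbound traffic with no matching conduit is dropped.

```python
import ipaddress

PORTS = {"http": 80, "https": 443}  # only the service names used in this example

# Constructed sample: the server 10.0.0.100 is published on the outside
# interface only. Conduits are written destination-first.
SAMPLE_CONFIG = """
static (inside,outside) 191.90.30.3 10.0.0.100 netmask 255.255.255.255
conduit permit tcp host 191.90.30.3 eq http any
conduit permit tcp host 10.0.0.100 eq http any
conduit deny tcp any any
"""

def _take_addr(tok):
    """Consume 'any' | 'host IP' | 'IP MASK' from the front of the token list."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tok.pop(0)}")

def _take_port(tok):
    """Consume an optional 'eq PORT'; None means any port."""
    if tok and tok[0] == "eq":
        tok.pop(0)
        name = tok.pop(0)
        return PORTS.get(name) or int(name)
    return None

def parse(config):
    """Return (statics, conduits) in the order they appear in the config."""
    statics, conduits = [], []
    for line in config.splitlines():
        tok = line.replace("(", " ").replace(")", " ").replace(",", " ").split()
        if not tok:
            continue
        if tok[0] == "static":
            # static (local_if,global_if) global_ip local_ip netmask mask
            _, local_if, global_if, g_ip, l_ip, _, mask = tok
            statics.append({"local_if": local_if, "global_if": global_if,
                            "global": ipaddress.ip_network(f"{g_ip}/{mask}"),
                            "local": ipaddress.ip_network(f"{l_ip}/{mask}")})
        elif tok[0] == "conduit":
            action, proto, rest = tok[1], tok[2], tok[3:]
            dst = _take_addr(rest)      # destination comes first ...
            dport = _take_port(rest)
            src = _take_addr(rest)      # ... then the source
            _take_port(rest)            # source port is parsed but not matched here
            conduits.append({"action": action, "proto": proto,
                             "dst": dst, "dport": dport, "src": src})
    return statics, conduits

def check_inbound(config, src_if, src_ip, dst_ip, proto, dport):
    """Decide an inbound (lower to higher security) flow arriving on src_if."""
    statics, conduits = parse(config)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # Rule 1: the destination must be published on the arrival interface.
    published = next((s for s in statics
                      if s["global_if"] == src_if and dst in s["global"]), None)
    if published is None:
        return ("drop", f"{dst_ip} is not published on {src_if} by any static")
    # Rule 2: the first matching conduit decides.
    for c in conduits:
        if (c["proto"] in (proto, "ip") and dst in c["dst"] and src in c["src"]
                and c["dport"] in (None, dport)):
            if c["action"] != "permit":
                return ("drop", "denied by conduit")
            offset = int(dst) - int(published["global"].network_address)
            return ("permit", str(published["local"].network_address + offset))
    return ("drop", "no conduit matches (assumed default for inbound traffic)")

if __name__ == "__main__":
    print(check_inbound(SAMPLE_CONFIG, "outside", "205.189.2.1", "191.90.30.3", "tcp", 80))
    print(check_inbound(SAMPLE_CONFIG, "dmz02", "172.16.5.9", "10.0.0.100", "tcp", 80))
```

The dmz02 request is dropped although a conduit permits it; appending the transparent static for (inside,dmz02) is what makes the same request pass.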

  
Static source translation 
Source static translation is used when the source IP address of the host (local IP) is changed to another IP (global IP) once the packet gets routed to the destination. This translation hides the real identity of the initiator and also allows private IP addresses to be translated to public IPs in order to get routed through public networks.
 Syntax:
#static(source_intf, destination_intf) <global_IP> <local-IP> netmask <mask>
 Example:
 

//Host 10.0.0.100 is source translated when it connects to another host situated behind the dmz03 interface.
 #static(inside,dmz03) 90.30.2.10 10.0.0.100 netmask 255.255.255.255


 7. Dynamic network translation
 The dynamic network translation is exclusively used to translate the source IP for either inbound or outbound sessions. The translation is done on a many-to-one or many-to-many basis.

Example:
 

Outbound dynamic source translation: Your inside users (10.0.0.0/16) are source translated when they go out to the Internet using a single IP address, 201.187.12.100 (many-to-one).

Inbound dynamic source translation: Your company has a semi-private connection with a customer company and the IP address schemes of the two companies overlap: both use the 10.0.0.0/16 address space. To avoid the routing issues that appear in this situation, you define source address translation for the customer company when it enters your network: its addresses are translated to the 172.16.0.0/16 address space on a many-to-many basis, or you can translate all customer IPs into the single IP address 172.16.1.1/32 (many-to-one).


 The latest PIX versions also support so-called policy NAT, which lets you specify a layer 3/4 access list that identifies the transactions whose source IP address you want to translate.
 Two steps are required in defining the dynamic translation:
 1. On the source interface define the NAT Groups that include the definition of the hosts that will be subject to dynamic translation. You might need the same group of hosts to be source translated to different IPs depending on the destination they want to access. This kind of granularity can be achieved by defining NAT Groups for each type of access and for each group of hosts.
 Syntax:
 To specify layer 3 flows based on the source IP address only:
#nat <interface-name> <group-number> <IP> <mask> dns | outbound
 To specify complex layer 3/4 flows whose source IP you want to translate, use:
#nat <interface-name> <group-number> access-list <acl-name> dns|outbound

 The options are:
a. The dns option allows application layer NAT. PIX looks inside the DNS resolution replies and translates the IP address that is returned to the client.
b. The outbound option is required when the source IP is behind a lower security interface and accesses a higher security interface.

2. On the destination interface associate the NAT group with the global IP address(es) that will translate the source addresses. The global IPs could be:
 - A single IP address assigned to a whole NAT group
- A pool of IPs associated to a NAT group
- PIX’s own interface IP address is used for translation
  
Syntax:
 Define a single/pool of global IPs :
#global <destination-intf> <nat-group-id> <IP1> [- <IPn>] netmask <mask>
 Use PIX’s own interface IP address as global IP.
#global <destination_intf> <nat-group> interface

Example:

Define two NAT groups on the inside interface that will be translated differently on the outside interface. First group is a policy NAT group and the second one is a standard NAT group.
  //define the access-list that identifies the policy NAT flows (a single destination address needs the host keyword):
#access-list policy-nat-01 permit tcp 10.0.0.0 255.0.0.0 host 12.10.1.10 eq http
#access-list policy-nat-01 permit tcp 10.0.0.0 255.0.0.0 host 12.10.1.10 eq https
//define the policy NAT group 1
#nat (inside) 1 access-list policy-nat-01
 //define the NAT group 2
#nat (inside) 2 10.0.10.0 255.255.255.0
 //define the policy NAT global that translates all source IPs to 201.100.1.10
#global (outside) 1 201.100.1.10 netmask 255.255.255.255
 //define the global for NAT group 2 that translates all source IP using PIX’s own interface IP address.
#global (outside) 2 interface
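Because dynamic translation is defined in two separate steps, a nat group can easily be left without a global, or a policy NAT can point at an access-list that was never entered. The following Python check is an added example, not part of the original page or a Cisco tool; the function names, finding labels and the sample configuration (groups 3, 4 and 5 in particular) are constructed for illustration.

```python
import re
from collections import defaultdict

NAT_RE = re.compile(r"^nat\s*\((\w+)\)\s+(\d+)\s+(.+)$")
GLOBAL_RE = re.compile(r"^global\s*\((\w+)\)\s+(\d+)\s+(\S+)")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s")

# Constructed sample in the page's syntax. Groups 1 and 2 follow the page's
# example; group 3 has no global, global 4 has no nat group, and group 5
# references an access-list that is never defined.
SAMPLE_CONFIG = """
access-list policy-nat-01 permit tcp 10.0.0.0 255.0.0.0 host 12.10.1.10 eq http
nat (inside) 1 access-list policy-nat-01
nat (inside) 2 10.0.10.0 255.255.255.0
nat (inside) 3 10.0.20.0 255.255.255.0
nat (inside) 0 10.0.0.5 255.255.255.255
nat (inside) 5 access-list policy-nat-02
global (outside) 1 201.100.1.10 netmask 255.255.255.255
global (outside) 2 interface
global (outside) 4 201.100.1.20-201.100.1.30 netmask 255.255.255.0
global (outside) 5 201.100.1.11 netmask 255.255.255.255
"""

def parse(config):
    """Collect nat groups, globals and access-list names, keyed by group id."""
    nats, globals_, acls = defaultdict(list), defaultdict(list), set()
    for raw in config.splitlines():
        line = raw.strip().lstrip("#").strip()  # tolerate the page's '#' prefix
        if m := NAT_RE.match(line):
            nats[int(m[2])].append((m[1], m[3]))       # (source intf, selector)
        elif m := GLOBAL_RE.match(line):
            globals_[int(m[2])].append((m[1], m[3]))   # (dest intf, address/pool)
        elif m := ACL_RE.match(line):
            acls.add(m[1])
    return nats, globals_, acls

def audit(config):
    """Return (finding, group id, detail) tuples for incomplete definitions."""
    nats, globals_, acls = parse(config)
    findings = []
    for gid, entries in sorted(nats.items()):
        for _intf, selector in entries:
            words = selector.split()
            if words[0] == "access-list":
                name = words[1] if len(words) > 1 else ""
                if name not in acls:
                    findings.append(("undefined-access-list", gid, name))
        # Group 0 means "never translate", so it needs no global.
        if gid != 0 and gid not in globals_:
            findings.append(("nat-without-global", gid, entries[0][0]))
    for gid, entries in sorted(globals_.items()):
        if gid not in nats:
            findings.append(("global-without-nat", gid, entries[0][0]))
    return findings

def translation_plan(config):
    """Summarise, per nat group, which sources map to which global addresses."""
    nats, globals_, _ = parse(config)
    return {gid: {"sources": nats[gid], "globals": globals_.get(gid, [])}
            for gid in sorted(nats) if gid != 0}

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
    for gid, plan in translation_plan(SAMPLE_CONFIG).items():
        print(gid, plan)
```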

  
Using NAT 0
 NAT group 0 is a PIX-specific feature that lets you define a group of source IP addresses that are never translated when they initiate outbound connections to any destination through any interface.
 Example:
 //Host 10.0.0.5 is never translated
#nat (inside) 0 10.0.0.5 255.255.255.255
 
NOTE:
If you do not specify any NAT/GLOBAL statements, all communications will be performed without source IP address translation. Translation is not mandatory for communication between private subnets that belong to the same corporation, but it is absolutely needed when internal hosts initiate connections to the Internet or other public networks.
   
8. Routing
 PIX performs the routing process based on directly connected routes, static routes and OSPF, which is available in the latest PIX version, 6.3.
Static routes are directly linked to the outbound interface that connects to the next-hop router. This adds extra security.
 Syntax:
#route <exit_intf> <destination-IP> <destination-mask> <next-hop-IP> <metric>
 //Example: default route is allowed only through the outside interface.
#route outside 0.0.0.0 0.0.0.0 201.19.20.1
 OSPF routing is a new feature available in version 6.3, but because PIX is usually deployed to delimit external/perimeter connections, and the path the data may take could pose a security risk, it is recommended to rely only on static routes for security and accuracy reasons. OSPF or other routing protocols can be implemented on the edge routers that connect to the PIX firewall on either side.

9. Implementing VLANs
 VLANs are also a new feature available in 6.3 or later and bring functionality and deployment flexibility.
 The limitations are: 
1. The number of VLAN interfaces that may be deployed per PIX varies between 3-12 based on the model and license you have.
2. Performance and throughput might be an issue when defining multiple VLANs on a single physical interface. Do proper bandwidth evaluation prior to migrating to VLANs.
 The VLANs are treated as logical interfaces and can be configured and handled as any other physical interface. PIX does not allow traffic to pass between two VLAN interfaces that are defined on the same physical interface unless you specify access-lists that allow that.
 Important: for security reasons PIX does not use the native VLAN. When you define the VLAN interfaces, do not use the native VLAN. PIX treats the trunk link a little differently from a regular router that performs trunking: it only does the tagging/de-tagging operation.
 Configuration summary:

On the physical interface, define the VLANs as logical interfaces.
At least one VLAN has to be defined as physical in order to instruct PIX to perform tagging on the physical interface. The other VLANs are defined as logical interfaces.
 //Define the VLANs on the physical interface
#interface ethernet1 vlan10 physical
#interface ethernet1 vlan20 logical
#interface ethernet1 vlan30 logical
#interface ethernet1 vlan40 logical
//Assign a name and a security level to the VLAN interfaces (each interface name must be unique).
#nameif vlan10 dmz01 security10
#nameif vlan20 dmz02 security20
#nameif vlan30 dmz03 security30
#nameif vlan40 dmz04 security40
 From this point on you handle the new dmz0x interfaces as any other interface.

 For complete command syntax, access the Cisco Documentation website.

Short Notes on Maintaining Your PC (Personal Computer)

How to Maintain Your Computer

What do you think about your computer? Does it run fast? If not, you should maintain your PC on a daily, weekly and monthly basis…

A properly maintained computer will provide you with substantially higher speeds, both via RAM and on the internet, regardless of your hardware setup and configurations.
The second law of thermodynamics states that all systems atrophy (degrade) over time. Here are a few tips on how to delay the inevitable.
1. Clean out all the junk left behind by browsers. To do this, you can use the Disk Cleanup utility included on Windows systems, or download a freeware program such as CCleaner to do it for you. In Linux you can use Kleansweep or Bleachbit. Cookies and cache left behind by browsers can amount to gigabytes of wasted space, so it is imperative they're deleted. If you want to use CCleaner, go to www.piriform.com/ccleaner.


2. Search for and destroy spyware and/or viruses on your PC. There is a myriad of tools available to do this. I suggest you use a licensed copy of an antivirus product such as McAfee, Kaspersky, etc. AVG Anti-Virus is also a good one to use. Download.com is a great place to legally obtain these tools.

3. Uninstall programs you no longer use, and delete music you no longer listen to. The more free space your computer has, the faster it will go. You'll be surprised how much space you'll free up and how much your computer's performance will increase.
4. Use the msconfig command in the Run prompt to open a window that lets you uncheck startup programs you don't use. This can speed up your startup and shutdown times a lot.
5. Use your computer's disk management tools.
    • For Windows, select Performance and Maintenance and then choose "Rearrange items on your hard disk..." and "Free up space on your hard disk."
    • For Mac, go to the Applications Folder, select Utilities Folder then launch Disk Utility.

Hardware/CPU

·  Always run your computer on a UPS, as this will help protect it from electric surges. Phone lines for modems and Cat 5 or Cat 6 network lines also need surge suppression, as a surge can and will take out your network card or modem in an electric storm.
·  Your computer can grow dusty in less than a year, depending on where it is stored. Open it about once or twice a year and remove the dust on the bottom with a vacuum (or cloth), then spray with compressed canned air. Pay special attention to the CPU heat sink and CPU fan. Hold the fan still while spraying it, as you can cause it to spin out, and on reboot it may make more noise. Spray the intakes to the power supply fan also. Since you have the cover off, reboot and listen for noisy fans, make sure all fans are working, and replace them as necessary.
·  Be careful when plugging in USB, Ethernet, speakers, etc. into your computer. Ports such as USB and Ethernet can easily be damaged from careless placement. These repairs can be costly and these ports are a necessity.

Underclock it for the ultimate in longevity

Tips

  • http://www.download.com has a load of great maintenance freeware utilities.
·  Be wary when unchecking items in the msconfig window. If you don't know what you're doing, we do not suggest unchecking anything, as you may disable a crucial system process.
·  If an uninstall you performed seems ineffective, you can manually uninstall via the regedit command in the RUN prompt. Be VERY wary when you do this as well, as the registry editor grants you unrestricted access to the most sensitive parts of your PC
·  Give your computer a rest by turning it off once in a while. It's no big deal to leave it on for a day or two, but keep in mind that the hotter it is, the more wear and tear on components. That said....
·  There are two schools of thought here. Many prefer to leave their computers on, because the thermal expansion and contraction of components caused by power cycling can also lead to failure. In the always-on case, just shut the monitor off and put the hard drives to sleep after one hour using the power-saving menu. You can also go to standby after an hour. (This sometimes causes computers to lock up, though.)
·  Be careful overclocking your PC. It's fun, but as stated above it runs the temperature up on the motherboard and WILL melt your processor if the necessary precautions, such as a large CPU fan/heatsink and case fans, aren't taken.
·  Programs such as LimeWire, BearShare, Kazaa all have great opportunities for sharing information, but there are multiple files that contain malware, spyware, and trojans to infiltrate all your information. Also beware of the potential for identity theft. Don't be a victim.
·  When deleting files, make sure you know what they are. If you accidentally delete something important, it could cause major damage.
·  Turn off your PC before plugging in or unplugging any type of hardware.

Things You'll Need

  • Anti-virus software
  • Anti-spyware software
  • Third-party disk utility software [MAC ONLY]

Short Tips:
Unplug any electronic device before opening it. To ensure you don’t produce an electric shock inside the computer, ground yourself by touching something metal before touching the inside of the computer.

Step 1: Open your computer

Turn off and unplug the computer. Carefully remove your computer’s case with the screwdriver.
→ To further protect from electric shock, wear an antistatic wrist strap, available at electronics stores, and attach it to your computer to ground you.

Step 2: Clean your computer

Using the compressed air, blow away dust and debris that have accumulated inside. Screw the cover back on and give the exterior plug-ins and keyboard a once-over with the compressed air, too.

Step 3: Transfer large files

Transfer any large files, like presentations, music, photos, or giant databases, onto an external hard drive. Clearing out files over 50 megabytes frees up valuable hard-drive space and keeps your machine running smoothly.

Step 4: Delete unused programs

Locate, uninstall, and delete any programs you don’t use. For PC users, you’ll find a simple Add or Remove function in the control panel. For Mac users, open the Applications folder and click and drag unwanted programs to the Trash. Then, empty the Trash.
→ Limit the number of programs that run automatically when you turn on the computer. It will increase your overall processing power.

Step 5: Remove temporary files

Every time you access a web page or read an email, your computer stores information in temporary files, which take up disk space. Macs automatically delete temporary files, but PCs do not. To manually do so, use Disk Cleanup, located in System Tools.
→ Empty out your Recycle folder or Trash weekly. Simply placing files in the bin does not remove them from your hard drive.

Step 6: Scan for viruses

Scan your hard drive for infected files with an antivirus and anti-spyware program. Many programs locate and report harmful files for free, but charge a fee to remove them. Find an antivirus program that scans your system at least once a month.

Step 7: Defrag

Over time, files on a PC’s hard drive fragment, slowing down your computer. To “defrag” a Windows operating system, open My Computer and right click on the C drive. In the Tools tab, under Properties, you’ll find Disk Defragmentation. Defragging takes several hours, so be sure to leave enough time.
Macs that run OS X operating systems don’t require defragmentation.

Step 8: Fix permissions

On a Mac, permission errors can clog the system. Before and after you install new software, go to Finder, click Go, select Utilities, and then Disk Utility. Click on Macintosh HD, and click Repair Disk Permissions.

Step 9: Check your RAM

Adding random-access memory (RAM) will improve your computer’s performance and extend its life. To check how much you currently have, on a PC, go to the Control Panel. Click System, and then the General tab. At the bottom of the page you should see the amount of RAM. On a Mac, in Finder, go back to the Utilities folder, and click System Profiler. Click the Memory tab.

Step 10: Determine your RAM type

Every computer model requires a different kind of RAM. Visit the manufacturer’s website to find out what kind of RAM you should install.

Step 11: Install RAM

Turn off and unplug your computer, and put on your wrist strap if you have one. Remove the cover to access the RAM slots, located near the (usually green) metal plate known as the motherboard. The computer will either have empty slots for extra RAM, or you’ll have to replace old RAM with new RAM to increase capacity. Now enjoy your computer’s new lease on life!

Tuesday, August 24, 2010

Diagnosing and Fixing Motherboard Faults


There is an apparent failure of the motherboard or a system device on the motherboard
Explanation: There is suspicion of a possible failure related to the motherboard. This can be a result of a specific message strongly implicating the motherboard in some sort of erratic system behavior. It may also be the case that the motherboard probably isn't the problem, but that we want to rule it out as a possible cause. Since the motherboard is where all the other components meet and connect, a bad motherboard can affect virtually any other part of the PC. For this reason the motherboard must often be checked to ensure it is working properly, even if it is unlikely to be the cause of whatever is happening.
Diagnosis: Outright motherboard failure is fairly rare in a new system, and extremely rare in a system that is already up and running. Usually, the problem is that the motherboard has been misconfigured or there is a failure with one or more of the components that connect to it. Getting a system in the mail that has a loose component or disconnected cable is very common. In fact, though, there is a surprisingly large number of possible causes for what may appear to be a motherboard failure.
Recommendation: Follow the suggestions below to diagnose the possible failure of the motherboard. You will find a lot of possible causes listed below, since there are so many problems that can make it look like the motherboard is at fault. This part of the Troubleshooting Expert is referenced by a large number of other sections. For this reason, you may want to skip some of the steps below if you have already tried them elsewhere. Also, try to avoid the very difficult diagnostic steps--especially replacing the motherboard--until you have exhausted the other possibilities both here and elsewhere on the site:
  • First of all, if you have just recently installed this motherboard, or performed upgrades or additions to the PC of any sort, read this section, which contains items to check that may cause problems after working on the system unit.
  • If the PC isn't booting at all, make sure you have at least the minimums in the machine required to make it work: processor, a full bank of memory, video card, and a drive. Make sure that all of these are inserted correctly into the motherboard, especially the memory. Partially inserted memory modules can cause all sorts of bizarre behavior.
  • Remove all optional devices from the motherboard, including expansion cards, external peripherals, etc. and see if the problem can be resolved.
  • Double-check all the motherboard jumper settings, carefully. Make sure they are all correct. In particular, check the processor type, bus speed, clock multiplier and voltage jumpers. Also make sure the CMOS clear and flash BIOS jumpers are in their normal, default operating positions.
  • Reset all BIOS settings to default, conservative values to make sure an overly aggressive BIOS setting isn't causing the problem. Set all cache, memory and hard disk timing as slow as possible. Turn off BIOS shadowing and see if the problem goes away.
  • Double-check all connections to the motherboard.
  • Check the inside of the case to see if any components seem to be overheating.
  • Inspect the motherboard physically. Check to make sure the board itself isn't cracked; if it is look here. Make sure there are no broken pins or components on the board; if there are, you will have problems with whatever component of the PC uses that connection. Check for any socketed components that may be loose in their sockets, and push them gently but firmly back into the socket if this has happened.
  • Make sure the keyboard is inserted correctly into the motherboard.
  • A failed cache module or using the wrong type can cause motherboard problems. If you suspect it, troubleshoot the secondary cache.
  • An overheated processor can cause system problems. Try troubleshooting the processor.
  • Troubleshoot the system memory. Memory problems are often mistaken for motherboard faults, especially on systems that don't have the protection of using memory error detection.
  • Try troubleshooting the video card or replacing it with another one, preferably a simple straight VGA card that is known to work from being in another system that functioned properly.
  • If the power supply is older, or this is a cheap case, or you have added many new drives to a system with a weaker power supply (especially one that is less than 200W) then you may have a power supply problem. You may want to try replacing it.
  • You may have a BIOS bug or other problem. Check your manufacturer's technical support resources for any known problems with your motherboard.
  • Contact the technical support department of your system or motherboard manufacturer for additional troubleshooting information. If this is a new motherboard, you may want to consider returning it for an exchange if you have exhausted all other troubleshooting avenues.
  • Some newer viruses, when activated, overwrite part of the BIOS code in systems that employ a flash BIOS. If the BIOS is corrupted, the system won't boot. See here for ideas on recovering from this.
  • Try swapping the motherboard with another one and see if the problem resolves itself. If it does then the original motherboard is probably faulty, but it could just have been misconfigured or installed incorrectly.

Monday, August 23, 2010

Diagnose common LCD monitor issues with these tips

Takeaway: LCD flat-screen monitors are all the rage, but they do present new challenges. Many of the tricks you learned supporting CRT monitors won't help. This article shows some of the things you can do to troubleshoot issues with LCDs.
Although flat panel monitors have been around for several years, their prices have only recently fallen to the point that they are being adopted by the masses. However, LCD monitors are so mechanically different from CRT monitors that diagnostic techniques that we have all been using for years are now obsolete. Many of the problems that plagued CRT monitors simply aren't an issue for LCD panels. At the same time though, LCD panels are subject to some rather strange issues that you would never encounter with a CRT monitor. That being the case, this article will explain what some common issues are with LCD monitors and how you can resolve them.

LCD vs. CRT

Before I get into the troubleshooting section, I want to take a moment and explore the anatomy of an LCD panel and how it functions in comparison to a CRT monitor. After all, it's tough to troubleshoot a hardware problem if you don't understand how the device works.
CRT monitors rely on a special type of vacuum tube called a cathode ray tube (hence the abbreviation CRT). The tube is narrow at one end and wide at the other. The wide end is the surface where the image is displayed. The narrow end of the tube contains an electron gun that fires electrons at the end of the tube that's used for viewing. The large end of the CRT tube is coated in phosphorous. Whenever an electron from the electron gun strikes the phosphorous, it releases a burst of light, and this is how an image is created.
The phosphorous coating is actually made up of three different colors of phosphorous: red, green, and blue. If the electron strikes red phosphorous, then the burst of light that is released is red. A device called a shadow mask separates the various phosphors from each other. Without a shadow mask, an electron might strike a red phosphor, but some of the energy would bleed over into the blue and green phosphors, causing the incorrect color to be displayed. The shadow mask ensures that only the correct phosphor is illuminated at a given moment.
The other thing that you need to know about phosphors is that they release the burst of light extremely quickly. However, phosphorous has a quality called persistence that allows it to keep glowing for a little while after the light burst has been released. This is how monitors are able to give the illusion of a solid picture.
The picture is composed as the electron gun is turned off, aimed, and turned back on. Of course the whole process happens much too quickly to actually reposition the gun. Instead, a device called a yoke uses magnets to pull the electron from the gun in the desired direction. The entire screen is redrawn many thousands of times each second. The number of times that the screen is redrawn per second is the monitor's refresh rate.
An LCD monitor is based on the idea that you can re-align a liquid crystal's molecular structure by applying a small amount of electricity to the crystal. When the electric charge is removed, the liquid crystals return to their original state. This concept has been in use for decades in calculators. A calculator screen appears solid gray until an electric current causes black numbers to appear.
In a calculator, the liquid crystals actually form the numbers that are being displayed. In an LCD monitor though, electricity is applied to a crystal to turn it black, not to display an image, but rather to block out light. An LCD monitor has a cold cathode backlight that illuminates the entire display surface. The liquid crystals are sandwiched between the backlight and a thin film containing millions of translucent red, green, and blue dots. Red, green, and blue dots are arranged into triangle patterns called triads. Each triad represents a single pixel.
Suppose that a computer told a specific pixel to display as blue. The LCD panel would energize the crystals behind the red and green portions of the triad. In doing so, the now black crystals would prevent any light from passing through the red or green holes, leaving only blue illuminated. The result is that the pixel displays as blue.
The process sounds simple enough, but think about how many pixels are present on a monitor. A monitor with a resolution of 1024 x 768 contains 786,432 pixels. Being that there are three separate elements that make up each pixel, the monitor would have to manage 2,359,296 separate crystals.
In early LCD monitors, this was a huge problem. The monitor simply couldn't refresh itself quickly enough to produce a decent picture. If you moved your mouse pointer across the screen, a ghosted trail would follow. These early LCD monitors worked great for word processing and things like that, but their slow refresh rate made them a poor choice for things like gaming and video editing.
The problem of slow response time was eventually solved by adding a transistor to every single crystal on the entire monitor. The transistors made it possible to create LCD monitors with decent refresh rates. In fact, most of the LCD monitors in use today are of the TFT variety. TFT stands for Thin Film Transistor.

Dead pixels

Now that I have described how an LCD monitor works and how it differs from a CRT, let's talk about some common issues with LCD monitors. The first issue that I want to discuss is dead pixels. A dead pixel is a pixel that always displays as either black or white, regardless of the image that is on the screen.
This problem goes back to the way that an LCD monitor works. The problem is related to either a manufacturing defect or to a set of blown transistors. What's happening is that the liquid crystals within that particular pixel are either always receiving electricity (black) or are never receiving electricity (white). There have also been cases in which only part of a triad is damaged. For example, red and green might work, but blue is stuck either on or off. This produces a pixel that is partially responsive but that often displays an incorrect color.
The bad news is that if you have a dead or a partially dead pixel, there is nothing that you can do about it other than buying a new monitor. The good news is that the problem isn't as common as it used to be. A couple of years ago, it was common for most LCD monitors to have at least one or two dead pixels because the manufacturing process had not yet been perfected. Today though, monitors hardly ever ship with dead pixels (bargain basement brands aside). It is possible for pixels to die over time though.

Poor picture quality

By far the most common problem with LCD monitors is poor picture quality. There are several different things that can cause the image on the screen to appear blurry or distorted, but there are relatively easy fixes for most of these problems.
One thing that causes poor image quality is the screen resolution that you've selected. As you probably know, CRT monitors have a maximum resolution, but any resolution at or below the maximum resolution will display clearly. The reason is that CRT monitors do not have pre-defined pixels. If you tell Windows to use a resolution that's lower than the maximum, then the monitor's yoke simply causes more phosphors to be illuminated for each pixel. This is done in a way that allows the lower resolution to take advantage of the full size of the screen.
LCD monitors work a little bit differently though. The number of pixels that the monitor contains is known as the monitor's native resolution. The monitor can display resolutions below its native resolution, but doing so usually results in a poor quality image because the monitor has to stretch the lower resolution image over a higher number of pixels. Think about it for a moment. If you were to try to display an 800 x 600 image on a monitor with a native resolution of 1024 x 768, the monitor does not have enough pixels to assign two hardware pixels to every pixel of the image. Instead, some of the image's pixels might be displayed across two triads while other pixels are displayed across one. The resulting image is usable, but it isn't pretty.
There are some situations in which displaying lower resolution images does not cause distortion though. I used to have an old Toshiba monitor that avoided the pixel stretching issue altogether. If you selected a lower resolution, it would display the lower resolution image in the middle of the screen and black out the unused pixels around the edges. Another technique that avoids pixel stretching is to lower the resolution in an evenly divisible increment. For example, if a monitor has a native resolution of 1600 x 1200, then it will have no trouble displaying an 800 x 600 image clearly because 1600 is evenly divisible by 800 and 1200 is evenly divisible by 600. The best solution however is to simply use your monitor at the native resolution.
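The pixel-stretching arithmetic described above, worked through as an added example (not part of the original article). It assumes the monitor maps each hardware pixel to the nearest source pixel, whereas real scalers may blend neighbouring pixels instead; the function names are illustrative.

```python
from collections import Counter


def span_widths(source: int, native: int) -> dict:
    """Return {hardware pixels used: number of source pixels drawn that wide}
    along one axis when `source` pixels are stretched over `native` pixels.

    Assumption: nearest-neighbour mapping (hardware pixel hw shows source
    pixel hw * source // native). Actual monitor scalers may interpolate.
    """
    if source <= 0 or native <= 0:
        raise ValueError("resolutions must be positive")
    if source > native:
        raise ValueError("source resolution exceeds the native resolution")
    # Count how many hardware pixels end up showing each source pixel.
    per_source = Counter(hw * source // native for hw in range(native))
    # Summarise: how many source pixels are 1 wide, 2 wide, and so on.
    return dict(Counter(per_source.values()))


def scales_cleanly(source_res: tuple, native_res: tuple) -> bool:
    """True when both native dimensions are evenly divisible by the source
    dimensions, so every source pixel gets the same number of hardware pixels."""
    return all(n % s == 0 for s, n in zip(source_res, native_res))


if __name__ == "__main__":
    for src, nat in [((800, 600), (1024, 768)), ((800, 600), (1600, 1200))]:
        print(f"{src} on a {nat} panel:")
        print("  horizontal span widths:", span_widths(src[0], nat[0]))
        print("  vertical span widths:  ", span_widths(src[1], nat[1]))
        print("  scales cleanly:        ", scales_cleanly(src, nat))
```

On the 1024 x 768 panel, some columns of the 800 x 600 image are drawn one hardware pixel wide and others two, which is the uneven stretching that makes the picture look distorted; on the 1600 x 1200 panel every source pixel is exactly two wide.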

Text is difficult to read

Although LCD monitors are usually considered to have an image that is more crisp than CRT monitors, sometimes, especially on lower end monitors, text can be difficult to read, even if the monitor is running at its native resolution. There are a number of different things that can cause this, such as a poor contrast ratio, a low native resolution, or poor color reproduction. You can sometimes make things better by tinkering with your monitor's settings. However, Microsoft realizes that text is sometimes tough to read on LCD monitors and has built a feature into Windows XP called ClearType.
ClearType adds shading to text in an effort to make it more legible. You can enable ClearType by right-clicking on an empty area of the Windows desktop and selecting the Properties command from the resulting shortcut menu. When you do, you will see the Display Properties sheet. Now, select the properties sheet's Appearance tab and click the Effects button. When you do, Windows will display the Effects dialog box. Select the Use the Following Method to Smooth Edges of Screen Fonts check box and then select the ClearType option from the drop-down list. Click OK twice and ClearType will be active.

Blank screen

Another common problem is that the screen fails to display an image at all. There are several things that can cause this problem. The trick to diagnosing the problem is to determine whether or not an image is displayed when you first turn on your computer.
If you switch on your computer and you see an image up until Windows starts loading, then the issue is most likely related to your video card driver (especially if you are using a DVI connector). To fix this problem, use another computer to download the latest driver from your video card manufacturer's Web site. Some monitor manufacturers also provide monitor drivers, so it's worth checking to see if a driver is available for your monitor while you are at it.
Once you have the drivers, boot your machine into safe mode (Press [F5] just before Windows begins loading). When Windows boots, open the Control Panel and click Performance and Maintenance, followed by System. This will cause Windows to display the System Properties sheet. Now, select the properties sheet's Hardware tab and click the Device Manager button.
Navigate through the Device Manager until you locate your video card. You'll find it in the Display Adapters section. Right-click on the listing for your video card and select the Update Driver command from the shortcut menu. Now follow the prompts to load the new driver that you downloaded. If you have a monitor driver, then you will want to locate the monitor listing and update its driver as well.
If you attempt to boot the system and don't get any image at all, then you've got your work cut out for you. Obviously, you will want to make sure that the cables are secure and that the monitor is getting power. You might even try using a spare video cable or try the monitor on a different PC. Keep in mind that some PCs have multiple video outputs, and it could be that the monitor is connected to a video port that isn't active. Look for other ports that you can try connecting your monitor to.
I have heard several reports of blank screens when using a DVI connector. I personally have never had a problem connecting any of my computers to a flat panel monitor through a DVI connector, but apparently, some people have had to flash their BIOS or perform firmware updates to their video cards in order to make a DVI connection work. I have also heard some rather bizarre reports of DVI connections not working until the monitor has had time to warm up.