NETWORK SECURITY SCANNING TOOLS

Vulnerability scanning of a network needs to be done from both inside and outside the network (from both “sides” of the firewall). The approach I would suggest is to start with a network evaluation phase, in which sniffing and primary reconnaissance are performed. The gathered data is then used in the attack phase to exploit the exposed vulnerabilities.

Wireshark (http://www.wireshark.org)
The very first step in vulnerability assessment is to have a clear picture of what is happening on the network. Wireshark (previously named Ethereal) works in promiscuous mode to capture all traffic of a TCP broadcast domain.

Customised filters can be set to intercept specific traffic; for example, to capture communication between two IP addresses, or capture UDP-based DNS queries on the network. Traffic data can be dumped into a capture file, which can be reviewed later. Additional filters can also be set during the review.

Typically, the tester is looking for stray IP addresses, spoofed packets, unnecessary packet drops, and suspicious packet generation from a single IP address. Wireshark gives a broad and clear picture of what is happening on the network.

However, it does not have its own intelligence, and should be used as a data provider. Due to its great GUI, any person with even some basic knowledge can use it.

Nmap (http://nmap.org)
This is probably the only tool to remain popular for almost a decade. This scanner is capable of crafting packets and performing scans to a granular TCP level, such as SYN scan, ACK scan, etc. It has built-in signature-checking algorithms to guess the OS and version, based on network responses such as a TCP handshake.

Nmap is effective enough to detect remote devices, and in most cases correctly identifies firewalls, routers, and their make and model. Network administrators can use Nmap to check which ports are open, and also if those ports can be exploited further in simulated attacks. The output is plain text and verbose; hence, this tool can be scripted to automate routine tasks and to grab evidence for an audit report.

You can read the series of Nmap articles published earlier for better understanding.
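Nmap's plain-text and XML output lend themselves to scripting, as the paragraph above notes. The following added example (not Nmap's code and not from the original article) turns a scan saved with Nmap's -oX option into audit evidence: it lists the open ports per host and flags any that are not on an approved allow-list. The XML below is a constructed sample in Nmap's output format, using a documentation-range address.

```python
"""Turn Nmap XML output into audit evidence: list open ports per host and
flag any that are not on an approved allow-list.

Added example, not code from Nmap or from the original page. It assumes the
scan was run with Nmap's -oX option (XML output); the XML below is a
constructed sample in that format, using a documentation-range address.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan.xml 192.0.2.10">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/><service name="http" product="nginx"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed"/><service name="telnet"/>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="filtered"/><service name="ms-wbt-server"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def open_ports(xml_text: str) -> list:
    """Return one record per open port: (host, protocol, port, service)."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                      # down hosts carry no port evidence
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                  # closed/filtered ports are not findings
            svc = port.find("service")
            service = "unknown" if svc is None else " ".join(
                v for v in (svc.get("name"), svc.get("product"), svc.get("version")) if v)
            findings.append((addr, port.get("protocol"), int(port.get("portid")), service))
    return findings


def unexpected_ports(findings: list, allowed: dict) -> list:
    """Open ports that are not in the host's allow-list ({host: {port, ...}}).
    These are the rows an auditor wants explained or closed."""
    return [f for f in findings if f[2] not in allowed.get(f[0], set())]


if __name__ == "__main__":
    found = open_ports(SAMPLE_NMAP_XML)
    for row in found:
        print("open   %s %s/%d %s" % row)
    for row in unexpected_ports(found, {"192.0.2.10": {22}}):
        print("REVIEW %s %s/%d %s" % row)
```

Run the same parser over each periodic scan and diff the output of `unexpected_ports` against the previous run; a port that newly appears outside the allow-list is the change worth investigating, and the XML itself is the evidence to attach to the report.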

Metasploit (http://www.metasploit.com)
Once sniffing and scanning is done using the above tools, it’s time to go to the OS and application level. Metasploit is a fantastic, powerful open source framework that performs rigorous scans against a set of IP addresses.

Unlike many other frameworks, it can also be used for anti-forensics. Expert programmers can write a piece of code exploiting a particular vulnerability, and test it with Metasploit to see if it gets detected. This process can be reversed technically — when a virus attacks using some unknown vulnerability, Metasploit can be used to test the patch for it.

While this is a commercial tool, I have mentioned it here because the community edition is free, yet makes no compromises on the feature set.

OpenVAS (http://openvas.org)
The Nessus scanner is a famous commercial utility, from which OpenVAS branched out a few years back to remain open source. Though Metasploit and OpenVAS are very similar, there is still a distinct difference.

OpenVAS is split into two major components — a scanner and a manager. A scanner may reside on the target to be scanned and feed vulnerability findings to the manager. The manager collects inputs from multiple scanners and applies its own intelligence to create a report.

In the security world, OpenVAS is believed to be very stable and reliable for detecting the latest security loopholes, and for providing reports and inputs to fix them. A built-in Greenbone security assistant provides a GUI dashboard to list all vulnerabilities and the impacted machines on the network.
Creating detailed reports is one thing that makes OpenVAS a tool favoured by infrastructure security managers.

Aircrack (http://aircrack-ng.org)
The list of network scanners would be incomplete without wireless security scanners. Today’s infrastructure contains wireless devices in the data centre as well as on corporate premises to facilitate mobile users. While WPA2 security is believed to be adequate for 802.11 WLAN standards, misconfiguration and the use of over-simple passwords leave such networks open to attack.

Aircrack is a suite of software utilities that acts as a sniffer, packet crafter and packet decoder. A targeted wireless network is subjected to packet traffic to capture vital details about the underlying encryption. A decryptor is then used to brute-force the captured file, and find out passwords. Aircrack is capable of working on most Linux distros, but the one in BackTrack Linux is highly preferred.

VULNERABILITY ASSESSMENT TOOLS


1. Nessus (https://store.tenable.com)
Nessus provides the largest collection of network security checks, extensive configuration and compliance auditing, and automatic post-scan analysis and monitoring.
  • Scan an unlimited number of IPs, as often as needed
  • Nearly 60,000 vulnerability and configuration checks (plugins) – new plugins updated daily
  • Audit your systems for secure configurations and compliance – PCI DSS, HIPAA/HITECH, DISA STIGs, and more!
  • Detects malware and botnets
  • Perform vulnerability assessments against a wide variety of SCADA systems
  • Find sensitive and confidential data violations
  • Apple, Microsoft, IBM, Red Hat, and VMware integration
  • Download Tenable's Virtual Appliance (supports VMware and Microsoft Hyper-V)
  • Deploy Nessus on premises or the Nessus AMI in the Amazon Web Services (AWS) Cloud
  • Email/live chat support and access to the Tenable Support Portal and Nessus knowledge base


2. CoreImpact (http://www.coresecurity.com)
CORE Impact Pro is the most comprehensive, commercial-grade penetration testing product available, enabling you to conduct real-world assessments across a broad spectrum of risk areas, including:

End-User Security Awareness Testing
End-User Security Awareness Testing with CORE Impact Pro determines the susceptibility of email users to social engineering attacks, assesses the overall security of their systems, and depicts how individual client-side exposures can be linked to large-scale breaches of backend servers. 

Endpoint Penetration Testing
CORE Impact Pro enables you to penetration test standard desktop images prior to deployment in your live environment. 

Mobile Device Penetration Testing
Mobile device penetration testing with Impact Pro pinpoints and addresses gaps in end-user awareness and security exposures in their devices before attackers do. With CORE Impact Pro’s Mobile Device Penetration Testing capabilities, you can demonstrate the exploitability of iPhone®, Android™ and BlackBerry® smart phones using the same attack techniques employed by criminals today. 

Network Device Penetration Testing
Impact Pro is the first commercial-grade penetration testing software that can specifically target network devices and prove how a single intrusion could escalate into a widespread data breach. 

Network Penetration Testing
Network Penetration Testing with CORE Impact Pro replicates the actions of an attacker taking advantage of OS, service and application weaknesses across network systems, revealing where exploitable vulnerabilities are, how they can be linked to traverse your network, how defenses react, and what remediation steps are necessary. 

Password and Identity Cracking
CloudCypher, a new online service from CORE, works with Windows NTLM hashes discovered by Impact Pro during testing and attempts to determine plaintext passwords for those hashes. Any passwords that are determined are passed back to the Impact Pro workspace that requested them. This is done through the use of modules: the original module that submitted the hashes is used to retrieve the resulting passwords. These obtained passwords can then be used for additional security testing. CloudCypher was created and is managed by CORE and is hosted within Amazon Web Services.

Web Application Penetration Testing
Web Application Penetration Testing with CORE Impact Pro allows you to pinpoint exploitable Cross-Site Scripting, SQL Injection and all other OWASP Top 10 vulnerabilities in your web applications, not only giving visibility into where application weaknesses exist, but also  determining how they can open the door to subsequent network-based attacks. 

Wireless Network Penetration Testing
Wireless Penetration Testing with CORE Impact Pro allows IT security managers to identify at-risk wireless networks, crack encryption codes, and trace attack paths from initial points of wireless exposure to backend resources housing critical data -- gaining actionable data at each step for efficient remediation. 

Testing the Efficacy of IPS/IDS, Firewalls and Other Defenses
Using CORE Impact software solutions, you can proactively test the efficacy of your network, endpoint, web application, wireless, and email defenses, both to ensure that these technologies are working properly and to aid in evaluating products to determine ROI and influence future buying decisions.

Validating Vulnerabilities Identified by Scanners
CORE Impact integrates with the most widely-used network and web vulnerability scanners, allowing you to import scan results and run exploits to test identified vulnerabilities.

SCADA Security Testing
CORE Security is partnering with ExCraft Labs, a CORE Secured Partner, which has created numerous exploits specifically for SCADA systems that are utilized in CORE Impact Pro.


3. QualysGuard (http://www.qualys.com)
Core Services enable integrated workflows, management and real-time analysis and reporting across all of our IT security and compliance solutions.

Asset Tagging and Management
Enables your organization to easily identify, categorize and manage large numbers of assets in highly dynamic IT environments and automates the process of inventory management and hierarchical organization of IT assets.

Reporting and Dashboards
A highly configurable reporting engine that provides your organization with reports and dashboards based on user roles and access privileges.

Questionnaires and Collaboration
A configurable questionnaire engine enables your organization to easily capture existing business processes and workflows to evaluate controls and gather evidence to validate and document compliance.

Remediation and Workflow
An integrated workflow engine allows your organization to automatically generate helpdesk tickets for remediation and to manage compliance exceptions based on organizational policies, enabling subsequent review, commentary, tracking and escalation. This engine automatically distributes remediation tasks to IT administrators upon scan completion, tracks remediation progress and closes open tickets once patches are applied and remediation is verified in subsequent scans.

Big Data Correlation and Analytics Engine
An analytics engine indexes, searches and correlates petabytes of security and compliance data with other security incidents and third-party security intelligence data. Embedded workflows enable your organization to quickly assess risk and access information for remediation, incident analysis and forensic investigations.

Alerts and Notifications
An alert engine creates email notifications to alert team members of new vulnerabilities, malware infections, scan completion, open trouble tickets and system updates.


4. NEXPOSE (http://www.rapid7.com/products/nexpose)
Nexpose proactively scans your environment for misconfigurations, vulnerabilities, and malware and provides guidance for mitigating risks. Experience the power of Nexpose vulnerability management solutions by:
  • Knowing the security risk of your entire IT environment including networks, operating systems, web applications, databases, and virtualization.
  • Exposing security threats including vulnerabilities, misconfigurations and malware.
  • Prioritizing threats and getting specific remediation guidance for each issue.
  • Integrating with Metasploit to validate security risk in your environment.


5. SAINT (http://www.saintcorporation.com/index.html) 
Examine your network with the SAINT vulnerability scanner, and expose where an attacker could breach your network.
  • Friendly Integrated Interface
  • Intuitive and Direct Workflows
  • Easy Scan Set-up with The SAINT 8 Wizard
  • Data Drill Down and Analysis
  • Vulnerability, Exploit & Configuration Audit Integration
  • Dedicated SCAP Module
  • Risk Management
NOTE: Windows is not supported.


6. MBSA (http://technet.microsoft.com/en-us/security/cc184923)
Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT professional that helps small and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Built on the Windows Update Agent and Microsoft Update infrastructure, MBSA ensures consistency with other Microsoft management products including Microsoft Update (MU), Windows Server Update Services (WSUS), Systems Management Server (SMS) and Microsoft Operations Manager (MOM). Apparently MBSA on average scans over 3 million computers each week.


7. GFI LanGuard (http://www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard)
GFI LanGuard is a network security and vulnerability scanner designed to help with patch management, network and software audits, and vulnerability assessments. The price is based on the number of IP addresses you wish to scan. A free trial version (up to 5 IP addresses) is available.

Patch management: Fix vulnerabilities before an attack
Patch management is vital to your business. Network security breaches are most commonly caused by missing network patches. GFI LanGuard scans and detects network vulnerabilities before they are exposed, reducing the time required to patch machines on your network. GFI LanGuard patches Microsoft ®, Mac® OS X®, Linux® and more than 50 third-party operating systems and applications, and deploys both security and non-security patches.

Vulnerability assessment: Discover security threats early
More than 50,000 vulnerability assessments are carried out across your networks, including virtual environments. GFI LanGuard scans your operating systems, virtual environments and installed applications through vulnerability check databases such as OVAL and SANS Top 20. GFI LanGuard enables you to analyze the state of your network security, identify risks to the network, determine its degree of exposure, and address how to take action before it is compromised.

Network auditing: Analyze your network centrally
GFI LanGuard provides a detailed analysis of the state of your network. This includes applications or default configurations posing a security risk. GFI LanGuard also gives you a complete picture of installed applications; hardware on your network; mobile devices that connect to the Exchange servers; the state of security applications (antivirus, anti-spam, firewalls, etc.); open ports; and any existing shares and services running on your machines.

COMMON STOLEN PASSWORDS FOR THE YEAR 2013

Adobe's major security breach in October affected upwards of 48 million users. A list of passwords from the Adobe breach had “123456” on top, followed by “123456789” and “password”. The Adobe password set included close to 100 million test accounts and inactive accounts.

Here's the full list of worst passwords from 2013:
  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. abc123
  6. 123456789
  7. 111111
  8. 1234567
  9. iloveyou
  10. adobe123
  11. 123123
  12. admin
  13. 1234567890
  14. letmein
  15. photoshop
  16. 1234
  17. monkey
  18. shadow
  19. sunshine
  20. 12345
  21. password1
  22. princess
  23. azerty
  24. trustno1
  25. 000000
Weaker passwords are more susceptible to brute-force attacks, where hackers attempt to access accounts through rapid guessing. And when encrypted passwords are stolen, weaker ones are the first to fall to increasingly sophisticated cracking software.

RECOMMENDATIONS:
  • A password must be at least 13 characters long.
  • A password must contain upper and lower case characters, numbers and special characters, e.g. 34^&agoy@#678.
  • Avoid using common words as a password, e.g. Admin, Password.
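A checker that applies the three recommendations above, plus a lookup against the 2013 list, as an added example that is not code from the original post. The rules are the post's; the substring check for longer list entries is an addition so that variants such as a listed word with a year appended are still flagged. Note that the post's own sample password, 34^&agoy@#678, contains no uppercase letter and therefore fails the second rule.

```python
"""Check a candidate password against the recommendations above.

Added example, not code from the original page. The common-password list is
the page's 2013 list; the 13-character minimum and the character-class rules
are the page's recommendations. The substring check (list entries of six or
more characters embedded in a longer password) is an addition.
"""
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "123456789", "111111",
    "1234567", "iloveyou", "adobe123", "123123", "admin", "1234567890", "letmein",
    "photoshop", "1234", "monkey", "shadow", "sunshine", "12345", "password1",
    "princess", "azerty", "trustno1", "000000",
}
MIN_LENGTH = 13


def check_password(pw: str) -> list:
    """Return the list of failed rules; an empty list means the password passes."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("too short")
    if not any(c.isupper() for c in pw):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    if not any(not c.isalnum() for c in pw):
        failures.append("no special character")
    lowered = pw.lower()
    # Exact match against the list, or a longer list entry embedded in the password
    if lowered in COMMON_PASSWORDS or any(
            word in lowered for word in COMMON_PASSWORDS if len(word) >= 6):
        failures.append("common password")
    return failures


if __name__ == "__main__":
    for candidate in ("password", "34^&agoy@#678", "Gr33n-Apple#Kite"):
        print(repr(candidate), "->", check_password(candidate) or "OK")
```

In a real deployment the list would be replaced by a breach corpus of millions of entries and the check run server-side at password-set time; the structure of the function stays the same.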

AVERAGE EPS FOR SIEM

EPS for SIEM Deployment
The SANS Baseline Network Device EPS Averages table provides a breakdown of Average, Peak and Averaged Peak EPS for the different systems that logs are collected from. Each total in it is the device quantity (column 1) multiplied by the EPS calculated for that device type. For example, the 0.60 Average EPS for Cisco Gateway/Routers has already been multiplied by the quantity of 7 devices, so the EPS of a single device is not displayed in the matrix unless the quantity is 1.


EPS Calculation worksheet:
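A worksheet in code, following the convention described above (each row's total is quantity × per-device EPS), as an added example that is not the page's worksheet and uses no SANS figures. The device rows and their per-device EPS values are constructed, and the per-event size used for the storage estimate is an assumed figure.

```python
"""EPS worksheet: multiply per-device EPS by device quantity and total it,
following the convention the matrix above describes.

Added example, not the page's worksheet or SANS figures. The device rows and
their per-device EPS values are constructed; the per-event size used for
storage sizing is an assumed figure.
"""
# (device type, quantity, average EPS per device, peak EPS per device) - constructed
DEVICE_ROWS = [
    ("Cisco Gateway/Router", 7, 0.085, 2.0),
    ("Windows Domain Controller", 2, 15.0, 60.0),
    ("Linux Web Server", 10, 3.5, 25.0),
    ("Perimeter Firewall", 1, 45.0, 300.0),
]
SECONDS_PER_DAY = 86_400


def worksheet(rows):
    """Return ([(device, qty, total_avg_eps, total_peak_eps), ...], grand_avg, grand_peak).
    Each row total is qty x per-device EPS, as in the SANS matrix convention."""
    lines, grand_avg, grand_peak = [], 0.0, 0.0
    for device, qty, avg_eps, peak_eps in rows:
        total_avg, total_peak = qty * avg_eps, qty * peak_eps
        lines.append((device, qty, round(total_avg, 3), round(total_peak, 3)))
        grand_avg += total_avg
        grand_peak += total_peak
    return lines, round(grand_avg, 3), round(grand_peak, 3)


def daily_storage_bytes(total_avg_eps, avg_event_bytes=500):
    """Raw (uncompressed) log volume per day at the sustained average rate.
    avg_event_bytes is an assumption; measure it on your own sources."""
    return round(total_avg_eps * SECONDS_PER_DAY * avg_event_bytes)


if __name__ == "__main__":
    rows, avg, peak = worksheet(DEVICE_ROWS)
    for device, qty, a, p in rows:
        print(f"{device:28s} x{qty:<3d} avg {a:8.3f}  peak {p:8.3f}")
    print(f"{'TOTAL':28s}      avg {avg:8.3f}  peak {peak:8.3f}")
    print("raw bytes/day at average rate:", daily_storage_bytes(avg))
```

Size the SIEM's ingest licence on the peak column and its storage on the average column; the gap between the two is what the collector's buffering has to absorb.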

IPv6

IPv6 Addressing:
IPv6 has moved from a 32-bit address space to a 128-bit address space. Classless Inter-Domain Routing (CIDR) is therefore no longer needed, because the number of available addresses is no longer a concern. The number of addresses available per person on this planet is approximately 10^30.

The IPv6 addressing architecture makes a few adjustments to the types of address available to an IP host. There are three types of IPv6 address: unicast, multicast, and anycast. The unicast and multicast addresses are similar to their IPv4 versions. However, the IPv4 broadcast address is no longer supported and is replaced with a new type of address called anycast.

Unicast:

Unicast is an identifier for a single interface.  A packet sent to a unicast address is delivered to the interface identified by that address.  A node can have more than one IPv6 network interface.  Each separate interface must have its own unicast address associated with it.  Contained in the 128-bit field is an address that identifies one interface.

Unicast address format (field widths in bits):

  3    13       8     24       16       64
  FP   TLA ID   RES   NLA ID   SLA ID   Interface ID

FP: The format prefix is the three-bit prefix to the IPv6 address that identifies where it belongs in the IPv6 address space.

TLA ID: The top-level aggregation identifier contains the highest-level routing information of the address. This refers to the coarsest level of routing information in the internetwork, and as currently defined (at 13 bits) there can be no more than 8192 different top-level routes.

RES: The next eight bits are reserved for future use.

NLA ID: The next-level aggregation identifier is 24 bits long, and it is meant to be used by organizations that control top-level aggregation IDs to organize that address space.

SLA ID: The site-level aggregation identifier is the address space given to organizations for their internal network structure.  With 16 bits available, each organization can create its own internal hierarchical network structure using subnets in the same way they are used in IPv4.  As many as 65,535 different subnets are available using all 16 bits as a flat address space.  Using the first eight bits for higher-level routing within the organization would allow 255 high-level subnets, each of which has as many as 255 sub-subnets.


Interface ID: This 64-bit field contains a 64-bit value based on the IEEE EUI-64 interface ID.

Multicast:

Multicast is an identifier for a set of interfaces (typically belonging to different nodes). A packet sent to a multicast address is delivered to all interfaces identified by that address. As soon as the first few bytes of a packet are received, the node checks the destination address at the beginning of the transmission; if the destination address is the same as the node's interface address, the node picks up the rest of the transmission. This makes it relatively simple for a node to pick up broadcast and multicast transmissions: if a broadcast is sent, the node listens. For multicasts, the node subscribes to a multicast address, and when it sees that the destination address is a multicast address it must determine whether it is one to which the node is subscribed.

When a node subscribes to a multicast address, it announces that it wants to be a member, and any local routers subscribe on behalf of that node. When a transmission is sent to that multicast address from another node on the same network, the IP multicast packet is encapsulated into a link-layer multicast data transmission unit.

The IPv6 solution to the broadcast problem is to use an “all nodes” multicast address to replace those broadcasts that are absolutely necessary, while resorting to more limited multicast addresses for other situations in which broadcasts were previously used. Below is the IPv6 multicast address format, from RFC 2373.

Multicast address format (field widths in bits):

  8          4       4       112
  11111111   Flags   Scope   Group ID

The first octet, which is all ones, identifies the address as a multicast address.  Multicast addresses include a full 1/256th of the IPv6 address space, as shown above.  The rest of the multicast address consists of three fields:

Flags: This is actually a set of four single-bit flags.  Only the fourth flag is currently assigned, and it represents whether the address is a well-known multicast address that has been assigned by the Internet numbering authority or a temporary multicast address.  If this flag is set to zero, the address is well-known; set to one, it signifies a transient address.  The other three flags are reserved for future use.


Scope: This four-bit field contains a value that indicates the scope of the multicast group: whether the group can include only nodes on the same local network, the same site, the same organization, or anywhere within the IPv6 global address space. The possible values, 0 to F in hexadecimal (0 to 15 decimal), are listed in the table below.

  Hex   Decimal   Value
  0     0         reserved
  1     1         node-local scope
  2     2         link-local scope
  3     3         (unassigned)
  4     4         (unassigned)
  5     5         site-local scope
  6     6         (unassigned)
  7     7         (unassigned)
  8     8         organization-local scope
  9     9         (unassigned)
  A     10        (unassigned)
  B     11        (unassigned)
  C     12        (unassigned)
  D     13        (unassigned)
  E     14        global scope
  F     15        reserved

Group ID: This 112-bit field identifies the multicast group.  The same group ID can represent different groups, depending on whether the address is transient or well-known, and also depending on the scope of the address.  Permanent multicast addresses use assigned group IDs with special meaning, and membership in such groups depends both on the group ID and on the scope.

Anycast:

Anycast is an identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to one of the interfaces identified by that address (the “nearest” one, according to the routing protocols' measure of distance). All nodes that are members of a multicast group expect to receive all packets sent to that address.  A router that connects five different local Ethernet networks will forward a copy of a multicast packet to each of those networks. Anycast is similar in that multiple nodes may share the anycast address, like a multicast address, but different in that only one of those nodes can expect to receive a datagram sent to the anycast address.

Address Format:
IPv6 addresses are four times as long as IPv4 addresses.  An IPv4 address is represented as X.X.X.X, where each X is a number from 0 to 255. An IPv6 address, on the other hand, is in the form X:X:X:X:X:X:X:X, where each X is a four-digit hexadecimal integer (16 bits).  For example, a few valid IPv6 addresses are as follows:

CFAE:3290:ABCD:1234:CEAF:5678:9012:AAAA

ABC3:0000:0000:0003:ABCD:0123:FFFF:ABCD

The above IPv6 address could also be represented as

 ABC3::3:ABCD:123:FFFF:ABCD

Note that the integers are hexadecimal integers, so the letters A through F represent the digits 10 through 15.  Each integer must be included, but leading zeros are not required.  In addition, a double colon (::) can be used once in an address to replace multiple fields of zeros.  For example:

            1000:0:0:0:0:0:0:1

could be represented as

            1000::1


The double colon means that the address should be expanded out to a full 128-bit address.  This method replaces zeros only when they fill a complete 16-bit group, and the double colon can be used only once in any given address. 
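The rules just stated (leading zeros optional, a single `::` standing for a run of zero groups, eight 16-bit groups after expansion) and the multicast field layout from the earlier section (8-bit FF prefix, 4-bit flags, 4-bit scope, 112-bit group ID) are implemented below as an added example; this is not code from the original page. It emits uppercase hex to match the page's examples (RFC 5952 prefers lowercase), takes its scope names from the page's scope table, and rejects the malformed inputs the text rules out (two `::`, wrong group count).

```python
"""Expand and compress IPv6 textual addresses, and decode the multicast
address fields (flags, scope, group ID) described above.

Added example, not code from the original page. Hex digits are emitted in
uppercase to match the page's examples (RFC 5952 prefers lowercase); scope
names are taken from the page's scope table.
"""
import re

HEX_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")
SCOPE_NAMES = {0: "reserved", 1: "node-local scope", 2: "link-local scope",
               5: "site-local scope", 8: "organization-local scope",
               14: "global scope", 15: "reserved"}


def expand(addr: str) -> list:
    """Return the eight 16-bit groups as integers, honouring a single '::'."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in addr:
        head, tail = addr.split("::")
        head = head.split(":") if head else []
        tail = tail.split(":") if tail else []
        missing = 8 - len(head) - len(tail)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head + ["0"] * missing + tail
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("an IPv6 address has eight 16-bit groups")
    for g in groups:
        if not HEX_GROUP.match(g):
            raise ValueError(f"bad group {g!r}")
    return [int(g, 16) for g in groups]


def is_valid(addr: str) -> bool:
    try:
        expand(addr)
        return True
    except ValueError:
        return False


def full_form(addr: str) -> str:
    """Every group written with all four hex digits (the expanded 128-bit form)."""
    return ":".join(f"{g:04X}" for g in expand(addr))


def compress(addr: str) -> str:
    """Drop leading zeros and replace the longest run (>= 2) of zero groups with '::'."""
    groups = expand(addr)
    best_start, best_len, run_start = -1, 0, None
    for i, g in enumerate(groups + [-1]):            # sentinel closes a trailing run
        if g == 0:
            if run_start is None:
                run_start = i
        elif run_start is not None:
            if i - run_start > best_len:                 # leftmost run wins ties
                best_start, best_len = run_start, i - run_start
            run_start = None
    hexs = [f"{g:X}" for g in groups]
    if best_len < 2:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])


def parse_multicast(addr: str) -> dict:
    """Split a multicast address into its 8/4/4/112-bit fields."""
    groups = expand(addr)
    if groups[0] >> 8 != 0xFF:
        raise ValueError("not a multicast address (first octet must be FF)")
    flags, scope = (groups[0] >> 4) & 0xF, groups[0] & 0xF
    group_id = 0
    for g in groups[1:]:
        group_id = (group_id << 16) | g
    return {"flags": flags,
            "transient": bool(flags & 0x1),   # the 'T' bit: 0 = well-known, 1 = transient
            "scope": scope,
            "scope_name": SCOPE_NAMES.get(scope, "(unassigned)"),
            "group_id": group_id}


if __name__ == "__main__":
    print(compress("ABC3:0000:0000:0003:ABCD:0123:FFFF:ABCD"))
    print(full_form("1000::1"))
    print(parse_multicast("FF02::1"))       # all-nodes, link-local scope
```

Normalising every address to `full_form` before comparison is the practical point for a defender: allow-lists, log searches and firewall rules that compare the textual form will miss `1000::1` against `1000:0:0:0:0:0:0:1` unless both sides are expanded first.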

IPv6 Header:
The new IPv6 header structure is aligned on a 64-bit boundary and is only 40 bytes long, of which 32 are used for the IPv6 addresses and the remaining 8 bytes by 6 additional fields.  IPv4 headers, by contrast, are aligned on a 32-bit boundary and consist of 24 bytes, of which 8 are used for the IPv4 addresses and the remaining 16 bytes by 12 additional fields.  IPv6 headers do not contain any optional elements; if additional functions are needed, IPv6 uses extension headers.  This makes the new IPv6 header much simpler than its predecessor.  Below is a side-by-side comparison of the IPv4 and IPv6 headers.

IPv4 and IPv6 Header:

IPv4 Headers (bit offsets 0, 4, 8, 16, 19, 24, 31 across each 32-bit word):

  Version | Header Length | Service Type | Total Length
  Identification | Flags | Fragment Offset
  Time to Live | Protocol | Header Checksum
  Source IP Address
  Destination IP Address
  Options | PAD

IPv6 Headers (bit offsets 0, 4, 8, 16, 24 across each 32-bit word):

  Version | Priority | Flow Label
  Payload Length | Next Header | Hop Limit
  Source Address (128 bits, four 32-bit words)
  Destination Address (128 bits, four 32-bit words)

The IPv6 Header Fields: 
Version: This is a four-bit value, and for IPv6 must be equal to six. This field is the only field that has the same meaning from IPv4 to IPv6.


Priority: This four-bit priority field allows an application to specify the type of traffic that is being sourced.  This allows the network to take advantage of the various queuing and congestion control mechanisms that may exist within it.


Flow Label: This is a 24-bit value used to identify packets that belong to the same flow. Similar to the Service Type field in IPv4, this allows network devices to prioritize and shape traffic flows appropriately.


Payload Length: This is a 16-bit field that contains an integer value equal to the length of the packet payload in bytes. It is very similar to the IPv4 Total Length Field, except that IPv6's field is the length of the data carried after the header whereas IPv4 included the header.


Next Header: This 8-bit field indicates what protocol is in use in the header immediately following the IPv6 header.  Similar to the IPv4 Protocol field, the Next Header field may refer to a higher-layer protocol like TCP or UDP, but it may also indicate the presence of an IPv6 extension header.


Hop Limit: Every time a node forwards a packet, it decrements this eight-bit field by one.  If the hop limit reaches zero, the packet is discarded.  This is very similar to IPv4, where the TTL (time-to-live) field fulfils a similar purpose.


Source Address: This is the 128-bit address of the node originating the IPv6 packet.


Destination Address: This is the 128-bit address of the intended recipient of the IPv6 packet.  This address may be a unicast, multicast, or anycast address.  If a routing extension is being used (which specifies a particular route that the packet must traverse), the destination address may be one of those intermediate nodes instead of the destination node.

Extension Header: The current IPv6 specification defines 6 extension headers

1. Hop-by-Hop Options Header: This header carries information that is intended to be examined by every node en route from the source to the destination.

2. Routing Header: This header replaces source routing as it was implemented in IPv4. Source routing allows you to specify routers that the packet must traverse on its way to its destination. IPv6 defines a generic routing extension header with two one-byte fields: a routing type field, indicating what kind of routing header is in use, and a segments-left field, which indicates how many additional routers listed in the rest of the header must still be visited before the packet reaches its final destination.

3. Fragment Header: By allowing fragmentation only by the source node, IPv6 streamlines the processing of packets by intermediate routers. The fragment header fields include:
  • Next header field: This eight-bit field is common to all IPv6 headers.
  • Reserved: The next eight bits are unused at this time and set to zero.
  • Fragment offset field: This 13-bit field indicates, in units of eight bytes, where the data included in this packet (a fragment) begins in relation to the beginning of the fragmented portion of the data.
  • Reserved field: This two-bit field is set to zero and is not currently used.
  • M flag: This single bit indicates whether or not more fragments are to come.
  • Identification field: This is like the IPv4 ID field except that it is 32 bits long rather than 16 bits.

4. Authentication Header: The authentication header provides a mechanism for a source node to digitally sign packets.  All data that follows an authentication header remains in plaintext and may be intercepted by an attacker.  Upon receipt by the destination node, however, the data can be authenticated against the data included in the authentication header.

5. Encrypted Security Payload: The ESP header makes it possible to encrypt the contents of a packet.  The ESP header holds enough data to allow the recipient to decrypt the rest of the packet (all data following an ESP header is encrypted).

6. Destination Option Header: This option provides a mechanism, like the hop-by-hop options header, to deliver optional information along with IPv6 packets. 
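The base header fields and the extension-header chain described above, decoded in code as an added example (not code from the original page). The field widths follow the page's layout (RFC 1883: 4-bit Priority, 24-bit Flow Label); the current RFC 8200 layout instead has an 8-bit Traffic Class and a 20-bit Flow Label, so the masks on the first word need adjusting for live traffic. The sample packet is constructed: a Hop-by-Hop Options header, then a Fragment header with the M flag set, then an ICMPv6 stub. `forward()` shows the Hop Limit rule, including the discard when the limit would reach zero, and `walk_extension_headers()` refuses a chain whose lengths run past the Payload Length, which is the check a parser needs before trusting the Next Header values.

```python
"""Decode an IPv6 base header, apply the Hop Limit rule, and walk the
Next Header chain through the extension headers listed above.

Added example, not code from the original page. Field widths follow the
page's layout (RFC 1883: 4-bit Priority, 24-bit Flow Label); the current
RFC 8200 layout has an 8-bit Traffic Class and a 20-bit Flow Label.
The sample packet is constructed.
"""
import ipaddress
import struct
from typing import Optional

# Next Header values (IANA protocol numbers)
HOP_BY_HOP, TCP, UDP, ROUTING, FRAGMENT, ICMPV6, DEST_OPTS = 0, 6, 17, 43, 44, 58, 60
EXT_HEADERS = {HOP_BY_HOP: "Hop-by-Hop Options", ROUTING: "Routing",
               FRAGMENT: "Fragment", DEST_OPTS: "Destination Options"}


def parse_base_header(pkt: bytes) -> dict:
    """Decode the fixed 40-byte header: 4/4/24, 16/8/8, 128, 128 bits."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    word0, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    version = word0 >> 28
    if version != 6:
        raise ValueError(f"not IPv6 (version={version})")
    return {"version": version,
            "priority": (word0 >> 24) & 0xF,
            "flow_label": word0 & 0xFFFFFF,
            "payload_length": payload_len,
            "next_header": next_hdr,
            "hop_limit": hop_limit,
            "src": str(ipaddress.IPv6Address(pkt[8:24])),
            "dst": str(ipaddress.IPv6Address(pkt[24:40]))}


def forward(pkt: bytes) -> Optional[bytes]:
    """Router behaviour for Hop Limit: decrement by one, and discard (None)
    when the limit would reach zero."""
    hop = pkt[7]
    if hop <= 1:
        return None
    return pkt[:7] + bytes([hop - 1]) + pkt[8:]


def walk_extension_headers(pkt: bytes) -> list:
    """Follow Next Header from the base header through each extension header.
    Returns [(name, length, details), ...]; the final entry is
    ("upper-layer protocol", protocol_number, {})."""
    hdr = parse_base_header(pkt)
    offset, nh, end, chain = 40, hdr["next_header"], 40 + hdr["payload_length"], []
    while nh in EXT_HEADERS:
        if offset + 8 > end:
            raise ValueError("extension header runs past Payload Length")
        if nh == FRAGMENT:   # fixed 8 bytes: next hdr, reserved, offset/res/M, identification
            next_nh, _res, off_flags, ident = struct.unpack("!BBHI", pkt[offset:offset + 8])
            length, details = 8, {"fragment_offset": off_flags >> 3,
                                  "more_fragments": bool(off_flags & 1),
                                  "identification": ident}
        else:                # Hdr Ext Len counts 8-octet units beyond the first 8 octets
            next_nh, ext_len = pkt[offset], pkt[offset + 1]
            length, details = (ext_len + 1) * 8, {}
            if offset + length > end:
                raise ValueError("extension header runs past Payload Length")
        chain.append((EXT_HEADERS[nh], length, details))
        offset, nh = offset + length, next_nh
    chain.append(("upper-layer protocol", nh, {}))
    return chain


def build_packet(next_header, hop_limit, payload, priority=0, flow_label=0,
                 src="::1", dst="ff02::1") -> bytes:
    """Assemble a base header plus payload (used to construct the sample)."""
    word0 = (6 << 28) | (priority << 24) | flow_label
    return (struct.pack("!IHBB", word0, len(payload), next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


# Constructed sample: Hop-by-Hop (PadN option) -> Fragment (M=1) -> ICMPv6 stub
SAMPLE = build_packet(
    next_header=HOP_BY_HOP, hop_limit=64, flow_label=0x12345,
    payload=bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])
    + struct.pack("!BBHI", ICMPV6, 0, (0 << 3) | 1, 0xDEADBEEF)
    + b"\x80\x00\x00\x00\x00\x00\x00\x00")

if __name__ == "__main__":
    print(parse_base_header(SAMPLE))
    for name, length, details in walk_extension_headers(SAMPLE):
        print(name, length, details)
```

The length check inside the loop matters for filtering devices: a Next Header chain that is inconsistent with Payload Length is exactly the kind of packet that should be dropped rather than parsed optimistically, and the upper-layer protocol cannot be known until the whole chain has been walked.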


Security:
Authentication and security, including secure password transmission, encryption, and digital signatures on datagrams, are all implemented under IPv6 through the Authentication Header (AH) and the Encapsulating Security Payload (ESP).  The reason IPv4 did not incorporate any real security features during its time was that IPv4 was created to be an internetworking protocol.


The Authentication Header (AH) provides strong integrity services and strong authentication for IP datagrams.  This means that the AH header can be used to carry content verification data for IP datagrams and can be used to link an entity with the contents of the datagrams.  This also protects against replay attacks through the use of a sequence number field.  The authentication header can be used in tunnel mode or in transport mode, which means that it can be used to authenticate and protect simple, direct datagram transfers between two nodes or it can be used to encapsulate an entire stream of datagrams that is sent to or from a security gateway.


The Encapsulating Security Payload (ESP) header is designed to allow IP nodes to send and receive datagrams whose payload is encrypted.  The ESP header is designed to provide several different services including:
  • Confidentiality of datagrams through encryption
  • Authentication of data origin through the use of public key encryption
  • Anti-replay services through the same sequence number mechanism as provided by the authentication header.
  • Limited traffic flow confidentiality through the use of security gateways.
ESP can be used in tunnel or transport mode.  In transport mode, the IP header and any hop-by-hop, routing, or fragmentation extension headers precede the authentication header and are then followed by the ESP header. Any destination option headers can either precede or follow the ESP header. All headers that follow the ESP header are encrypted.

IPv6 Configuration:
One of the important stated goals of IPv6 was to support “plug-and-play”. This would make it possible to plug a node into an IPv6 network and have it boot to the network without needing manual configuration.  

IPv6 offers two types of autoconfiguration: stateful and stateless.


Stateful autoconfiguration is the IPv6 equivalent of DHCP. It requires that a DHCP server be installed and administered, and that each new node to be served be configured on the server. The DHCP server keeps a list of the nodes it will supply configuration information to and rejects all others. The problem with stateful autoconfiguration is that someone needs to maintain and administer a server in order to manage all the current connections. The update of DHCP for IPv6 is called DHCPv6 and is still under development.


Stateless autoconfiguration requires that the local link support multicast and that the network interface be able to send and receive multicasts. With stateless autoconfiguration, a host obtains an address automatically through its interface and does not require a server to hand one out. The address is built from the network prefix and the interface's Ethernet MAC address. However, before the node can take on that address, it must verify that the address is in fact unique on the local link. This is the default mode for most IPv6 systems.
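The address construction described above, as an added Python example (not part of the original post): it derives the modified EUI-64 interface identifier from a MAC, combines it with a /64 prefix, and computes the solicited-node multicast group that the uniqueness check (Duplicate Address Detection) queries before the address is taken. The MAC, prefix and in-use address list are constructed sample values.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 identifier from a 48-bit MAC (RFC 4291, appendix A):
    split the MAC in the middle, insert 0xFFFE, and invert the
    universal/local bit (bit 0x02 of the first octet)."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Stateless address = advertised /64 prefix + EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The fe80::/64 address a node forms first, before it has heard any router."""
    return slaac_address("fe80::/64", mac)


def solicited_node_multicast(addr) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX, the group DAD sends its Neighbor Solicitation to:
    the low 24 bits of the tentative address appended to ff02::1:ff00:0."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def is_duplicate(tentative, addresses_in_use) -> bool:
    """Outcome of Duplicate Address Detection against a constructed list of
    addresses already configured on the link (any textual form is accepted):
    a match means the node must not take the tentative address."""
    target = ipaddress.IPv6Address(tentative)
    return any(ipaddress.IPv6Address(a) == target for a in addresses_in_use)


if __name__ == "__main__":
    mac = "00:1b:21:3c:4d:5e"        # constructed sample MAC
    prefix = "2001:db8:1:2::/64"     # constructed sample prefix (documentation range)
    print(link_local_address(mac))                      # fe80::21b:21ff:fe3c:4d5e
    addr = slaac_address(prefix, mac)
    print(addr)                                         # 2001:db8:1:2:21b:21ff:fe3c:4d5e
    print(solicited_node_multicast(addr))               # ff02::1:ff3c:4d5e
    print(is_duplicate(addr, ["2001:db8:1:2::1"]))      # False
```

Because the interface identifier embeds the MAC, an EUI-64 address reveals the hardware identity of the node on every network it joins, which is the reason the later privacy-extension addresses exist.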

Mobile IPv6 is considerably more convenient to implement and to use. One reason is that address acquisition is much simpler with IPv6 stateless autoconfiguration. Another is that a mobile node can establish contact with its home network even when its regular home agent becomes unavailable: the mobile node can send an anycast packet to an address reserved for home agents on the home network, with the result that whichever home agent is available can notify the mobile node of its options.

IPv6 Transition
The IPv6 transition will continue to take place relatively slowly, as vendors and developers gradually introduce versions of IPv6 for different platforms.  It is expected that IPv4 and IPv6 will have to coexist for a long time, perhaps forever.  One approach is to have protocol tunneling, where IPv6 packets are encapsulated within IPv4 packets for transmission from IPv6 islands through IPv4 oceans.  The other approach is to have a dual-stack, where hosts and routers run IPv4 and IPv6 stacks on the same network interfaces.  This way, a dual-stack node can accept and transmit both IPv4 and IPv6 packets.

LTSP - Linux Terminal Server Project

The Linux Terminal Server Project adds thin client support to Linux servers. LTSP is a flexible, cost effective solution that is empowering schools, businesses, and organizations all over the world to easily install and deploy thin clients.
LTSP workstations can run applications from Linux and Windows servers. Linux based thin clients have proven to be extremely reliable because tampering and viruses are virtually non-existent.


Key Benefits of LTSP
An LTSP thin client environment brings many benefits to an organization. Here are five reasons why you should choose LTSP:
Reduced Costs
In an LTSP thin client environment, all software for workstations originates on the LTSP server. Whether you are repurposing old desktop PCs or deploying new thin client devices, LTSP can be a key component in reducing the costs related to your computing environment.

No Licensing Fees
LTSP is open source software, released under the GPLv2 License. There is no cost to download and use LTSP. Benefitting from LTSP? Consider contributing to the project.
Less Maintenance Required
LTSP allows you to maintain your entire computer network from a single point of control; from the operating system image on the thin clients through user authentication and file storage. By reducing your software footprint with LTSP, maintenance and support obligations are reduced when compared to traditional desktop PC computing solutions.
Secure
Security has become a key challenge for administrators. LTSP thin client connections can be secured via SSH and are restricted to a LAN, ensuring that you are operating a manageable and safe computing environment. The LTSP model also makes it increasingly challenging for your systems to be a victim of viruses and spyware.

Community
The LTSP community has been active since 1999. Fueled by participation and experimentation, LTSP users have deployed LTSP in every imaginable scenario, from running an irrigation system to offering their company a thin client computing solution to replace desktop PCs. However you choose to use LTSP, contributing back to the community is sure to improve your experience.

Install and Configure on Centos
## Open Terminal
yum groupinstall "Development Tools" "Development Libraries"

## Change to the directory holding the LTSP package
cd /media/CDROM/

## install ltsp-utils-xxxxx.rpm
rpm -ivh ltsp-utils-0.10-0.noarch.rpm

## Start the LTSP administration tool
ltspadmin

1. Install/Update LTSP Packages
Component            Size (kb)   Status
[ ] ltsp_core                73828   Installed - Up to date           
[ ] ltsp_debug_tools          5280   Installed - Up to date           
[ ] ltsp_kernel              14036   Installed - Up to date           
[ ] ltsp_localdev            22436   Installed - Up to date           
[ ] ltsp_rdesktop              560   Installed - Up to date           
[ ] ltsp_x336                29448   Installed - Up to date           
[ ] ltsp_x_addtl_fonts       16848   Installed - Up to date           
[ ] ltsp_x_core              88908   Installed - Up to date
q

First complete step 2 below, then go back to step 1, select all packages and press 'q'.
2. Configure the installer options
1. Where to retrieve the packages from?
file:///media/CDROM/
2. In which directory would you like to place the LTSP client tree?
[/opt/ltsp]
3. If you want to use an HTTP proxy, enter it here
Use 'none' if you don't want a proxy
Example:  http://proxy.yourdomain.com:3128
[none]
4. If you want to use an FTP proxy, enter it here
(Use 'none' if you don't want a proxy)
[none]
5. Correct? (y/n/c)
y

3. Configure the installer options
ltspcfg - Version 0.10

Checking Runlevel....: 5
Checking Ethernet Interfaces
Checking Dhcpd....
Checking Tftpd....
Checking Portmapper...
Checking nfs....
Checking xdmcp...........Found: kdm    Using: none!
Checking /etc/hosts.
Checking /etc/hosts.allow.
Checking /etc/exports.
Checking lts.conf.

Press <enter> to continue..

 S - Show the status of all services
 C - Configure the services manually

 Q - Quit

Make a selection:

4. Configure the installer options

RHEV COMPARISON WITH VSPHERE 5.5 AND HYPER-V

RED HAT ENTERPRISE VIRTUALIZATION COMPARISON WITH VMWARE VSPHERE 5.5 AND MICROSOFT HYPER-V 2012

FEATURES | RED HAT ENTERPRISE VIRTUALIZATION | VMWARE VSPHERE 5.5 | MICROSOFT HYPER-V 2012

HYPERVISOR
Bare-metal hypervisor can be installed directly on the server hardware without a full operating system | Y | Y | Y
Small footprint of <200MB | Y | Y | N
Guest device drivers are optimized for virtualization, resulting in high performance network and disk operations | Y | Y | Y (Red Hat Enterprise Linux guests require installation of the Linux integration services)
Certified on all hardware certified for Red Hat Enterprise Linux, including the latest Intel Xeon and AMD Opteron chipsets | Y | Y | Y

SCALABILITY LIMITS
Per cluster
Cluster | 200 | 32 | 64
Per host
Max cores per host | 160 | 160 | 160
Max RAM per host | 3TB/host | 4TB/host | 4TB/host
Max virtual CPUs per host | No limit | 4096 | 2048
Per virtual machine (VM)
Max vCPUs per VM | 160 vCPU/VM | 32 vCPU with Standard or Enterprise Edition; 64 vCPU with Enterprise Plus Edition | 64 vCPUs/VM for Win 2012, Win 2008, and Win 7; 32 vCPUs/VM for Linux (requires the installation of the new Linux integration services)
Max vRAM per VM | 2TB/VM | 1TB/VM | 1TB/VM

GUEST OS SUPPORT
Guest OS support | Windows Server 2003, 2008, 2010, 2012, Windows XP, 7 and 8 (32bit and 64bit); Red Hat Enterprise Linux 3, 4, 5, 6 (x86 and x64); vendor support for SUSE Linux Enterprise Server 10, 11; other OS are known to work and are community supported | Windows, Linux, UNIX (x86 and x64); Windows XP, Vista, 7 and 8 | Windows 2003, 2008, 2012 (certain SPs only), Windows XP, Vista, 7, and 8; SLES; Red Hat Enterprise Linux 5+, 6+ (certain releases only)

MEMORY MANAGEMENT
Memory overcommitment: allows the allocation of more virtual memory to its VMs than the host has physical memory | Y | Y | Y (dynamic memory only available with some Microsoft operating systems)
Memory page sharing: enables VMs with similar operating systems to share physical memory | Y | Y | N
Transparent huge pages: large memory pages can be dynamically created for VMs that require them | Y | Y | N

MANAGEMENT FEATURES
High availability
VM restart in case of host failure | Y | Y | Y
Restart order can be prioritized, allowing the most critical VMs to be restarted first | Y | Y | Y
No single point of failure for high availability | Y | Y | Y
Maintenance mode: guest VMs of hosts undergoing maintenance are automatically migrated to other available hosts | Y | Y | Y
High availability for enterprise management module: automatic failover to a stand-by management server in the event of a primary server failure | Y | Y | Y
Migration
VM live migration | Y | Y | Y
Storage live migration | Y | Y (requires Enterprise or Enterprise Plus) | Y
Workload and resource management
System scheduler: cluster policies automatically distribute workload evenly across cluster host servers | Y | Y (requires Enterprise or Enterprise Plus) | Y
Power saver: during off-peak hours, concentrates VMs on fewer hosts to save power | Y | Y (requires Enterprise or Enterprise Plus) | Y
Storage load balancing: automatically balance storage I/O and storage capacity | Y | Y (requires Enterprise Plus) | Y
Shared resource pools: CPU, memory, and storage resources are aggregated and managed at the cluster level | Y | Y | Y
Hot add VM NICs, disk: add networks and disk storage to running VMs | Y | Y (requires Enterprise or Enterprise Plus) | Y
Hot add VM vCPUs and RAM: add more vCPUs and RAM to a running VM (guest operating system and application must support the feature) | N | Y (requires Enterprise or Enterprise Plus) | N
Image management
Thin provisioning: virtual disks don't use all of their allowed space upon creation | Y | Y | Y
Templates: VMs can be deployed from master installations | Y | Y | Y
VM snapshots: roll back patches and upgrades | Y | Y | Y
Live VM snapshots: snapshot a running VM | Y | Y | Y
Import/export VMs in the standard OVF format | Y | Y | Y
VM conversion: includes tools to convert VMs from other formats to native format | Y | Y | Y
VM backup: certified third-party solutions are available for backing up virtual servers (for both data and operating system backup) | Y | Y | Y

SYSTEM ADMINISTRATION AND CONTROL
Single view for centralized control | Y | Y | N (requires multiple management tools)
Host and VM system monitoring and management | Y | Y | Y
Self-service user portal: provides administrative access to users for creating/running VMs and managing the environment | Y | N (requires purchase of VMware Lab Manager (deprecated) or vCloud Director with Enterprise Plus) | Y (limited capability through SC2012 App Controller)
Roles and permissions: granular, inheritable, directory-based security roles for all actions and objects | Y | Y | N (requires Authorization Manager)
Identity management: user authentication domains supported | Y (choice of Active Directory, IPA, Red Hat Directory Services, or IBM Tivoli Directory Server) | Y | Y (AD only)
Remote console: Red Hat Enterprise Virtualization Manager includes access to VMs using a secure graphical console | Y | Y | Y
Remote network boot via PXE (Preboot Execution Environment) | Y | Y | Y

REPORTING AND MONITORING
Provides customizable reporting for historic usage, trending, and quality of service | Y | N (requires vCenter CapacityIQ) | Y (limited)
Alerts and notifications: errors and warnings are immediately reported to administrators via email | Y | Y | Y
Logging: supports remote logging and crash analysis | Y | Y | Y
Guest agents: enables monitoring of VM health and status | Y | Y | Y

INTEGRATION, AUTOMATION, AND CUSTOMIZATION
API: programmatic access to all management commands | Y (all open) | N (some proprietary/closed, some open) | N (some proprietary/closed, some open)
Scripting and automation of management commands | Y (Linux Python-based CLI) | Y (PowerShell-based CLI) | Y (PowerShell-based CLI)
Hooks: used to run system commands or to execute scripts that modify VM operation | Y | Y (limited) | N

SECURITY
Kernel level: includes SELinux and sVirt for effective intrusion detection, isolation, and containment | Y | N (application layer security with add-on vShield products) | N (application layer security)
Small hypervisor footprint minimizes attack surface | Y | Y | Y

NETWORKING
Device support: all network hardware and interfaces are certified for Red Hat Enterprise Linux | Y | Y | Y
vLANs: support for virtual LANs inside the virtual infrastructure | Y | Y | Hyper-V Network Virtualization
Support for OpenStack Neutron networking | Y (supports Open vSwitch and Linux Bridge) | N (only supports VMware NSX) | Y (supports Open vSwitch)
Network offload: offloads virtual networking and network I/O to compatible NIC hardware | Y | Y | Y
Supports jumbo frames | Y | Y | Y

STORAGE
Supports iSCSI, FC, and NFS shared storage infrastructure | Y | Y | Y
Includes native support for Red Hat Storage Server, including a built-in GlusterFS storage domain and datacenter type that use Gluster as the storage back-end | Y | N | N
Storage multipathing: redundant path to storage for fault tolerance and enhanced performance | Y | Y | Y
Local disk support | Y | Y | Y
Supports storage domains backed by POSIX-compliant file systems | Y | Y | Y
Shared disks: includes disks that are shared by multiple VMs at the same time | Y | Y | Y
Direct LUN support: provides the ability to directly attach any block device to a VM as a disk | Y | Y | Y

HP SERVERS NIC TEAMING IN WINDOWS

HP Servers NIC Teaming in Windows

What is Teaming?
NIC teaming is used when you need to group several NICs and make them act as one. A NIC team provides fault tolerance, smooths out network spikes and removes the NIC as a single point of failure on your servers. You can team two or more NICs and then give the Team NIC its own IP address. Below is an image of the 4 NICs in our HP server.

Before we continue, download and install the HP Network Config Utility for your OS on the HP server from the following link:
http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?lang=en&cc=us&prodTypeId=15351&prodSeriesId=3884319&prodNameId=3884320&swEnvOID=4064&swLang=13&mode=2&taskId=135&swItem=MTX-32efdf5d63764165932fbccf02

1. Open HP Network Config Utility.
2. You can see from the image that only 2 NICs are connected. Select the connected NICs and click on Team.

3. Teaming has been successful.

4. Now click on the Team NIC and click Properties if you want to define the Team Type Selection and Transmit Load Balancing.

5. Set Team Type Selection to Automatic, as HP NIC teaming is very intelligent and understands the packet transmission.

6. Select the Transmit Load Balancing Method.

7. The IP for NIC1 is 10.10.0.110 and the IP for NIC2 is 10.10.0.111. We also need to configure an IP for the Team NIC, so we assign the Team NIC the address 10.10.0.112.

There you go, we are done with the teaming configuration of the HP server. Make sure you point users to the Team NIC's IP; the Team IP will then balance the load between the two NICs.

VSAT - Very Small Aperture Terminal

VSAT - VERY SMALL APERTURE TERMINAL 
A very small aperture terminal (VSAT), is a two-way satellite ground station or a stabilized maritime VSAT antenna with a dish antenna that is smaller than 3 meters. The majority of VSAT antennas range from 75 cm to 1.2 m. Data rates typically range from 4 kbit/s up to 16 Mbit/s. VSATs access satellite(s) in geosynchronous orbit to relay data from small remote earth stations (terminals) to other terminals (in mesh topology) or master earth station "hubs" (in star topology).

A VSAT network typically consists of a larger earth station, commonly referred to as a teleport, with hub equipment at one end and a Very Small Aperture Terminal (VSAT) antenna with remote equipment at the other end. The network equipment can be divided into two sets of equipment connected by a pair of cables: the Outdoor Unit (ODU) and the Indoor Unit (IDU).

ODU
An ODU is the equipment located outside of a building and includes the satellite antenna or dish, a low noise block converter (LNB), and a block-up-converter (BUC). The LNB converter amplifies the received signal and down converts the satellite signal to the L band (950 MHz to 1550 MHz), while the BUC amplifies the uplink transmission when the antenna is transmitting.

IDU
The IDU equipment at the teleport usually consists of a rack-mounted hub system and networking equipment connected to terrestrial networks, like the PSTN or Internet backbone. There is also a device that converts between satellite and IP protocols for local LAN applications such as PCs, voice calls and video conferencing.
At the remote location, a router connects to a small VSAT antenna receiving the IP transmission from the hub over the satellite and converts it into real applications like Internet, VoIP and data.

Topologies
Network topologies define how remote locations connect to each other and to the hub. The link over the satellite from the hub to the remote is called the outbound or downlink transmission, whereas the link from the remote to the hub is referred to as inbound or uplink.
Satellite networks are primarily configured in one of these topologies:

Star (hub & spoke) Networks
In a star network topology the hub connects to the remote, where all communications are passed back through the hub. Virtually an unlimited number of remotes can be connected to the hub in this topology. Smaller, lower powered BUCs can be used at the remote end since they are only connecting back to the larger hub antenna.

Mesh Networks
A mesh network topology allows one remote VSAT location to communicate with another remote location without routing through the hub. This type of connection minimizes delay and often is used for very high quality voice and video conferencing applications.
With this topology, larger antennas are required and more power is needed to transmit, thereby increasing cost.

Hybrid Networks
A hybrid topology is a mix of star and mesh networking solutions. This topology allows the hub to send information to the remotes, with the remotes then able to communicate with other VSAT locations.

Point to Point Connectivity
Contrary to the networking topologies, a point-to-point topology involves a dedicated connection between two antennas. This topology is a direct pipeline with a set bandwidth capacity regardless of usage and is typically designed with Single Carrier per Channel (SCPC) technology.

DTH - Direct To Home

DTH (Direct To Home)
DTH stands for Direct-To-Home television. DTH is defined as the reception of satellite programmes with a personal dish in an individual home.

A designation broader than DBS would be direct-to-home signals, or DTH. This has initially distinguished the transmissions directly intended for home viewers from cable television distribution services that are sometimes carried on the same satellite. The term DTH predates DBS and is often used in reference to services carried by lower power satellites which required larger dishes (1.7m diameter or greater) for reception.

How does DTH work?
A DTH network consists of a broadcasting centre, satellites, encoders, multiplexers, modulators and DTH receivers.

A DTH service provider has to lease Ku-band transponders on the satellite. The encoder converts the audio, video and data signals into digital format and the multiplexer mixes these signals. At the user end, there is a small dish antenna and a set-top box to decode and view numerous channels; receiving dishes can be as small as 45 cm in diameter.

DTH is an encrypted transmission that travels to the consumer directly through a satellite. DTH transmission is received directly by the consumer at his end through the small dish antenna. A set-top box, unlike the regular cable connection, decodes the encrypted transmission.


Will DTH be cheaper than cable or more expensive?
DTH will be definitely more expensive than cable as it exists today.

Is DTH superior to cable TV?
Yes. DTH offers better picture quality than cable TV. This is because cable TV in Pakistan is analog: despite digital transmission and reception, the cable transmission is still analog. DTH offers stereophonic sound. It can also reach remote areas where terrestrial transmission and cable TV have failed to penetrate. Apart from enhanced picture quality, DTH also allows for interactive TV services such as movie-on-demand, Internet access, video conferencing and e-mail.

iSCSI, TARGET AND LUN

What is iSCSI?
iSCSI - Internet SCSI (Small Computer System Interface) 
iSCSI is an IP-based storage networking standard for linking data storage facilities, developed by the Internet Engineering Task Force (IETF). By carrying SCSI commands over IP networks, iSCSI is used to facilitate data transfers over intranets and to manage storage over long distances.

iSCSI SANs use Ethernet connections between computer systems, or host servers, and high performance storage subsystems. The SAN components include iSCSI host bus adapters (HBAs) or Network Interface Cards (NICs) in the host servers, switches and routers that transport the storage traffic, cables, storage processors (SPs), and storage disk systems.

What is TARGET?
Targets are created in order to manage the connections between an iSCSI device and the servers that need to access it. A target defines the portals (IP addresses) that can be used to connect to the iSCSI device, as well as the security settings (if any) that the iSCSI device requires in order to authenticate the servers that are requesting access to its resources.

What is LUN?
Logical unit numbers (LUNs) created on an iSCSI disk storage subsystem are not directly assigned to a server. For iSCSI, LUNs are assigned to logical entities called targets.


Servers that require access to a LUN have to connect to the target to which the LUN is assigned. To connect to a target, a server in the storage area network (SAN) uses an iSCSI initiator. An iSCSI initiator is a logical entity that enables the server to communicate with the target. The iSCSI initiator first logs on to the target. The target must grant access before the server can start reading and writing to all LUNs that are assigned to that target.

INSTALL OPENOFFICE 4 ON LINUX MINT

How to Install Apache OpenOffice 4 on Linux Mint?
Apache OpenOffice, commonly known as OpenOffice.org, OOo or OpenOffice, is an open-source office productivity software suite whose main components are for word processing, spreadsheets, presentations, graphics, and databases. OpenOffice is available for a number of different computer operating systems, is distributed as free software and is written using its own GUI toolkit. It supports the ISO/IEC standard OpenDocument Format (ODF) for data interchange as its default file format, as well as Microsoft Office formats among others.

##Open Terminal Ctrl+Alt+T

##Remove libreoffice if installed
sudo apt-get remove libreoffice*

##32bit
wget http://sourceforge.net/projects/openofficeorg.mirror/files/4.0.1/binaries/en-US/Apache_OpenOffice_4.0.1_Linux_x86_install-deb_en-US.tar.gz

##64bit
wget http://sourceforge.net/projects/openofficeorg.mirror/files/4.0.1/binaries/en-US/Apache_OpenOffice_4.0.1_Linux_x86-64_install-deb_en-US.tar.gz

##Extract 32bit
tar -zxvf Apache_OpenOffice_4.0.1_Linux_x86_install-deb_en-US.tar.gz

##Extract 64bit
tar -zxvf Apache_OpenOffice_4.0.1_Linux_x86-64_install-deb_en-US.tar.gz

##Install Apache OpenOffice 4
sudo dpkg -i en-US/DEBS/*.deb

##Install menu Integration
sudo dpkg -i en-US/DEBS/desktop-integration/*.deb

SQUID ON CENTOS

How to install and configure squid on Centos?
How to install and configure squid on Fedora?

1. Open terminal to install squid
Ctrl + Alt + T

2. install as root

yum install squid

3. Edit squid.conf

nano /etc/squid/squid.conf


#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1


# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines


acl SSL_ports port 443
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443     # https
acl Safe_ports port 70      # gopher
acl Safe_ports port 210     # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280     # http-mgmt
acl Safe_ports port 488     # gss-http
acl Safe_ports port 591     # filemaker
acl Safe_ports port 777     # multiling http
acl CONNECT method CONNECT


##
# Recommended minimum Access Permission configuration:
##
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager


# Deny requests to certain unsafe ports
http_access deny !Safe_ports


# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports


# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost


####################################################################
#INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
##


####################################################################
#Time Based ACL
##
#acl officehours time MTWHFA 9:15-13:30
#acl officehours time MTWHFA 14:00-17:00
#acl blsites url_regex -i "/etc/squid/officetime.acl"
#http_access deny blsites officehours


####################################################################
#disable caching
##
#acl nocache src all
#no_cache deny nocache


# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all


# Squid normally listens to port 3128
http_port 192.168.100.1:3128 transparent


#ssl-bump cert=/etc/squid/myCA.pem
#acl broken_sites dstdomain .facebook.com
#ssl_bump deny broken_sites
#always_direct allow all
#ssl_bump allow all


# the following two options are unsafe and not always necessary:
#sslproxy_cert_error allow all
#sslproxy_flags DONT_VERIFY_PEER


# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?


## Uncomment and adjust the following to add a disk cache directory.
#lru   : Squid's original list based LRU policy
#heap GDSF : Greedy-Dual Size Frequency
#heap LFUDA: Least Frequently Used with Dynamic Aging
#heap LRU  : LRU policy implemented using a heap
##
#cache_mem 18432 MB
#cache_dir diskd /cache/squid 18432 16 256
#cache_replacement_policy heap LFUDA
#memory_replacement_policy heap LFUDA


# Leave coredumps in the first cache dir
coredump_dir /cache/squid


#Log
access_log /var/log/squid/access.log


# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:       1440    20%     10080
refresh_pattern ^gopher:    1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .           0       20%     4320


4. Enable ipv4 forwarding
echo 1 >/proc/sys/net/ipv4/ip_forward

5. IPTABLES RULES TO ROUTE PORT 80 TRAFFIC TO 3128 AND SEND OUTWARD
iptables -t nat -A PREROUTING -i eth2 -p tcp --syn --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

6. Save iptables
service iptables save

7. Client side default gateway settings
Go to LAN settings at client side and set default gateway to proxy's ip 192.168.100.1
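To see why the order of the http_access lines in step 3 matters, here is an added Python model (not part of the original post, and not Squid's own code) of Squid's first-match evaluation, run over a constructed subset of the configuration above with the CONNECT rule left uncommented. Only the src, dst, port, method and proto ACL types are modelled, which is enough to show that a LAN client is admitted by 'allow localnet' and refused once 'deny all' is moved above it.

```python
import ipaddress

# Constructed subset of the squid.conf shown in step 3 (recommended-minimum
# ACLs and http_access lines); not a complete Squid configuration.
SQUID_CONF = """\
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl localnet src 192.168.0.0/16   # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80            # http
acl Safe_ports port 21            # ftp
acl Safe_ports port 443           # https
acl Safe_ports port 1025-65535    # unregistered ports
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
"""


def parse_squid_conf(text):
    """Return (acls, rules): acl name -> list of (type, values), and the
    http_access rules as (action, [acl terms]) in file order."""
    acls = {"all": [("src", ["0.0.0.0/0", "::/0"])]}  # Squid's built-in 'all'
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4:
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))
    return acls, rules


def _in_any_network(addr, networks):
    if addr is None:
        return False
    ip = ipaddress.ip_address(addr)
    # a v4 address is never "in" a v6 network (and vice versa) in ipaddress
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


def acl_matches(acls, name, req):
    """Several lines or values for the same acl name are OR'ed together."""
    for acl_type, values in acls.get(name, []):
        if acl_type == "src" and _in_any_network(req.get("src"), values):
            return True
        if acl_type == "dst" and _in_any_network(req.get("dst"), values):
            return True
        if acl_type == "port":
            for value in values:
                low, _, high = value.partition("-")
                if int(low) <= req.get("port", 80) <= int(high or low):
                    return True
        if acl_type == "method" and req.get("method", "GET") in values:
            return True
        if acl_type == "proto" and req.get("proto", "http") in values:
            return True
    return False


def decide(conf_text, req):
    """Squid's http_access semantics: rules are tried top to bottom, every
    term on a line must match (AND; a leading '!' negates the term), and the
    first matching line decides.  If no line matches, the result is the
    opposite of the last rule's action, so a final 'deny all' is essential."""
    acls, rules = parse_squid_conf(conf_text)
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!")
               for t in terms):
            return action
    if not rules:
        return "deny"
    return "allow" if rules[-1][0] == "deny" else "deny"


if __name__ == "__main__":
    lan_get = {"src": "192.168.100.50", "port": 80, "method": "GET"}
    print(decide(SQUID_CONF, lan_get))                       # allow
    misordered = SQUID_CONF.replace(
        "http_access allow localnet\nhttp_access allow localhost\nhttp_access deny all\n",
        "http_access deny all\nhttp_access allow localnet\nhttp_access allow localhost\n")
    print(decide(misordered, lan_get))                       # deny
    truncated = SQUID_CONF.replace(
        "http_access allow localnet\nhttp_access allow localhost\nhttp_access deny all\n", "")
    print(decide(truncated, {"src": "203.0.113.9", "port": 80}))  # allow (no final deny)
```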

CISCO IOS DHCP

How to Configure Cisco IOS DHCP ?

DHCP:

Dynamic Host Configuration Protocol is a protocol that allows you to automatically configure the settings of the devices on your network. For a device such as a laptop to be able to communicate with other devices on the network it must first have a correct IP configuration on it. This can be done by either manually configuring the IP settings or by using DHCP.

To reduce the tasks carried out by network administrators DHCP is often implemented. This allows for auto configuration for all devices that join a network. It will then also store these details in a centralized location which can be very helpful when troubleshooting. With DHCP, you are able to exclude certain addresses from being allocated and also able to manually assign a DHCP address to a device using the mac address of the device to bind the IP to that device.

Cisco IOS DHCP configuration
Scenario:
In this scenario I will configure router R1 as the DHCP server for devices on the LAN running off the VLAN1 interface. I will also exclude some addresses to show how you can reserve some address space for other devices.

The basic commands to configure a DHCP pool are as follows:

R1(config)# ip dhcp pool R1-LAN-DHCP-POOL
R1(dhcp-config)# network 10.100.100.0 255.255.255.0
R1(dhcp-config)# default-router 10.100.100.1


In this command snippet I have created a DHCP pool for the LAN subnet on router R1, 10.100.100.0/24. I have given this pool the descriptive name R1-LAN-DHCP-POOL so that it stands out when viewing the configuration, and I have also set the default router that the devices will be issued (in this case the IP address of the VLAN1 interface of router R1).

There are a few other options you may wish to add in to this configuration such as domain name and DNS servers. The commands to do this are listed below:

R1(dhcp-config)# dns-server 10.100.100.5
R1(dhcp-config)# domain-name cisco-kid.co.uk

Excluded Addresses


If you have a number of servers or similar devices on your network then you will probably want to allocate these devices with a static IP address. It is also probably a good idea to assign these numbers to a range of IP addresses. In our example we want to reserve the addresses from 10.100.100.1 through to 10.100.100.30. These addresses could be used for things such as DNS servers, Mail servers and print servers etc.

To keep DHCP from allocating these addresses, exclude them from the pool. The command below demonstrates this:

R1(config)# ip dhcp excluded-address 10.100.100.1 10.100.100.30

IP helper-address


There is a feature within the Cisco IOS range of commands that allows you to forward DHCP traffic through a device on to another device. For example you could configure the routers in the diagram to forward DHCP requests from the 10.100.100.0/24 LAN on R1 through the network to a Windows server on the LAN of R4. The command to do this is ip helper-address.

To demonstrate the commands using the diagram above I will configure router R2 as the DHCP server and configure router R1 to forward the DHCP traffic to router R2 using the ip helper-address command. This will allow devices to get their IP address configuration from router R2.

The only commands you will need on R1 are:

R1(config)# int vlan1
R1(config-if)# ip helper-address 192.168.100.2

This tells R1 to forward DHCP traffic to the DHCP server which in this case is R2.

RSYNC BACKUP

rsync:
rsync is a file transfer program for Unix systems. rsync uses the "rsync algorithm" which provides a very fast method for bringing remote files into sync. It does this by sending just the differences in the files across the link, without requiring that both sets of files are present at one of the ends of the link beforehand.

Some features of rsync include:

  • can update whole directory trees and filesystems
  • optionally preserves symbolic links, hard links, file ownership, permissions, devices and times
  • requires no special privileges to install
  • internal pipelining reduces latency for multiple files
  • can use rsh, ssh or direct sockets as the transport
  • supports anonymous rsync which is ideal for mirroring
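To make the "send just the differences" idea concrete, here is an added example (not rsync's own code) of the core of the rsync algorithm in Python: the receiver publishes a weak rolling checksum and a strong hash for each fixed-size block of its old copy, the sender slides a window over the new file and replaces every window that matches a block with a reference, and the receiver rebuilds the new file from its own blocks plus the literal bytes it was sent. The 4-byte block size, the MD5 strong hash and the two sample strings are assumptions chosen so the delta can be followed by hand; real rsync uses much larger blocks.

```python
import hashlib

# Added example: a toy version of the rsync algorithm. Not rsync's own code; the
# block size, strong hash and sample data are assumptions made for readability.
BLOCK = 4  # real rsync uses blocks of hundreds of bytes; 4 keeps the delta readable

# Constructed sample: the receiver already holds OLD, the sender holds NEW.
OLD = b"the quick brown fox jumps over the lazy dog"
NEW = b"the quick red fox jumps over the lazy dog!"


def weak_parts(data):
    """Rolling ('weak') checksum of a block, returned as its two 16-bit halves."""
    a = b = 0
    n = len(data)
    for j, x in enumerate(data):
        a = (a + x) & 0xFFFF
        b = (b + (n - j) * x) & 0xFFFF
    return a, b


def roll(a, b, x_out, x_in, n):
    """Slide the window one byte: drop x_out from the front, append x_in at the back."""
    a = (a - x_out + x_in) & 0xFFFF
    b = (b - n * x_out + a) & 0xFFFF
    return a, b


def signature(old):
    """Receiver side: weak and strong checksum of every full block of its copy.
    Only this signature crosses the link, never the old file itself."""
    sig = {}
    for idx in range(0, len(old) - BLOCK + 1, BLOCK):
        blk = old[idx:idx + BLOCK]
        strong = hashlib.md5(blk).hexdigest()
        sig.setdefault(weak_parts(blk), []).append((strong, idx // BLOCK))
    return sig


def delta(new, sig):
    """Sender side: scan NEW with a rolling window. A window whose weak checksum is
    in the signature and whose strong hash also agrees becomes a block reference;
    bytes that match nothing are queued up as literals."""
    ops, literal = [], bytearray()
    i, n = 0, len(new)
    a = b = 0

    def flush():
        if literal:
            ops.append(("lit", bytes(literal)))
            literal.clear()

    if n >= BLOCK:
        a, b = weak_parts(new[:BLOCK])
    while i + BLOCK <= n:
        window = new[i:i + BLOCK]
        match = None
        for strong, idx in sig.get((a, b), []):
            if hashlib.md5(window).hexdigest() == strong:
                match = idx
                break
        if match is not None:
            flush()
            ops.append(("ref", match))
            i += BLOCK
            if i + BLOCK <= n:
                a, b = weak_parts(new[i:i + BLOCK])
        else:
            literal.append(new[i])
            if i + BLOCK < n:
                a, b = roll(a, b, new[i], new[i + BLOCK], BLOCK)
            i += 1
    literal.extend(new[i:])  # short tail that cannot form a full block
    flush()
    return ops


def reconstruct(old, ops):
    """Receiver side: rebuild NEW from its own OLD blocks plus the literals received."""
    out = bytearray()
    for kind, val in ops:
        out.extend(old[val * BLOCK:(val + 1) * BLOCK] if kind == "ref" else val)
    return bytes(out)


def bytes_on_the_wire(ops):
    """Literal bytes actually transferred; block references are a small fixed cost each."""
    return sum(len(val) for kind, val in ops if kind == "lit")


if __name__ == "__main__":
    ops = delta(NEW, signature(OLD))
    assert reconstruct(OLD, ops) == NEW
    print(ops)
    print(f"{bytes_on_the_wire(ops)} literal bytes instead of {len(NEW)}")
```

With the sample strings, only the changed word and the new trailing character travel as literals (10 bytes out of 42); everything else is a block reference into the copy the receiver already has. The weak checksum is what makes the scan cheap: it is updated in constant time as the window slides, and the expensive strong hash is only computed when the weak one hits.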

backup to a central backup server with 7-day incrementals

#!/bin/sh

# This script does personal backups to a rsync backup server. You will end up
# with a 7 day rotating incremental backup. The incrementals will go
# into subdirectories named after the day of the week, and the current
# full backup goes into a directory called "current"

# directory to backup
BDIR=/home/$USER

# excludes file - this contains a wildcard pattern per line of files to exclude
EXCLUDES=$HOME/cron/excludes

# the name of the backup machine
BSERVER=owl

# your password on the backup server
export RSYNC_PASSWORD=XXXXXX

###############################################

BACKUPDIR=`date +%A`
OPTS="--force --ignore-errors --delete-excluded --exclude-from=$EXCLUDES 
      --delete --backup --backup-dir=/$BACKUPDIR -a"

export PATH=$PATH:/bin:/usr/bin:/usr/local/bin

# the following line clears the last weeks incremental directory
[ -d $HOME/emptydir ] || mkdir $HOME/emptydir
rsync --delete -a $HOME/emptydir/ $BSERVER::$USER/$BACKUPDIR/
rmdir $HOME/emptydir

# now the actual transfer
rsync $OPTS $BDIR $BSERVER::$USER/current

backup to a spare disk
I do local backups on several of my machines using rsync. I have an extra disk installed that can hold all the contents of the main disk. I then have a nightly cron job that backs up the main disk to the backup. This is the script I use on one of those machines.

    #!/bin/sh

    export PATH=/usr/local/bin:/usr/bin:/bin

    LIST="rootfs usr data data2"

    for d in $LIST; do
        mount /backup/$d
        rsync -ax --exclude fstab --delete /$d/ /backup/$d/
        umount /backup/$d
    done

    DAY=`date "+%A"`

    rsync -a --delete /usr/local/apache /data2/backups/$DAY
    rsync -a --delete /data/solid /data2/backups/$DAY

The first part does the backup on the spare disk. The second part backs up the critical parts to daily directories. I also back up the critical parts using rsync over ssh to a remote machine.

mirroring vger CVS tree
The vger.rutgers.edu cvs tree is mirrored onto cvs.samba.org via anonymous rsync using the following script.

    #!/bin/bash

    cd /var/www/cvs/vger/
    PATH=/usr/local/bin:/usr/freeware/bin:/usr/bin:/bin

    # skip this run if a previous rsync is still going
    RUN=`ps x | grep rsync | grep -v grep | wc -l`
    if [ "$RUN" -gt 0 ]; then
        echo already running
        exit 1
    fi

    # fetch only the ChangeLog first; listing the whole tree is expensive on vger
    rsync -az vger.rutgers.edu::cvs/CVSROOT/ChangeLog $HOME/ChangeLog

    sum1=`sum $HOME/ChangeLog`
    sum2=`sum /var/www/cvs/vger/CVSROOT/ChangeLog`

    if [ "$sum1" = "$sum2" ]; then
        echo nothing to do
        exit 0
    fi

    rsync -az --delete --force vger.rutgers.edu::cvs/ /var/www/cvs/vger/
    exit 0

Note in particular the initial rsync of the ChangeLog to determine if anything has changed. This could be omitted but it would mean that the rsyncd on vger would have to build a complete listing of the cvs area at each run. As most of the time nothing will have changed I wanted to save the time on vger by only doing a full rsync if the ChangeLog has changed. This helped quite a lot because vger is low on memory and generally quite heavily loaded, so doing a listing on such a large tree every hour would have been excessive.

automated backup at home
I use rsync to backup my wife's home directory across a modem link each night. The cron job looks like this:

    #!/bin/sh
    cd ~susan
    {
    echo
    date
    dest=~/backup/`date +%A`
    mkdir $dest.new
    # copy today's and yesterday's files into a fresh directory for this weekday
    find . -xdev -type f \( -mtime 0 -or -mtime 1 \) -exec cp -aPv "{}" $dest.new \;
    cnt=`find $dest.new -type f | wc -l`
    if [ $cnt -gt 0 ]; then
      rm -rf $dest
      mv $dest.new $dest
    fi
    rm -rf $dest.new
    rsync -Cavze ssh . samba:backup
    } >> ~/backup/backup.log 2>&1

Note that most of this script isn't anything to do with rsync, it just creates a daily backup of Susan's work in a ~susan/backup/ directory so she can retrieve any version from the last week. The last line does the rsync of her directory across the modem link to the host samba. Note that I am using the -C option which allows me to add entries to .cvsignore for stuff that doesn't need to be backed up.

Fancy footwork with remote file lists
One little-known feature of rsync is that when it is run over a remote shell (such as rsh or ssh) you can give any shell command as the remote file list. The shell command is expanded by your remote shell before rsync is called. For example, see if you can work out what this does:

rsync -avR remote:'`find /home -name "*.[ch]"`' /tmp/

Note that those are backquotes enclosed by single quotes (some browsers don't show that correctly).

COMPUTER VIRUS, WORM, MALWARE AND TROJAN HORSE

What is a Computer Virus?
Computer viruses are small software programs that are designed to spread from one computer to another and to interfere with computer operation.

A computer virus might corrupt or delete data on your computer, use your email program to spread itself to other computers, or even erase everything on your hard disk.

List of Known Viruses
http://en.wikipedia.org/wiki/List_of_computer_viruses

How Does a Computer Virus Spread?
Computer viruses are often spread by attachments in email messages or instant messaging messages. That is why it is essential that you never open an email attachment unless you know who sent it and you are expecting it. Viruses can be disguised as attachments of funny images, greeting cards, or audio and video files.


Computer viruses also spread through downloads on the Internet. They can be hidden in illicit software or other files or programs you might download.

What is a Computer Worm?
A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. Unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

Due to the copying nature of a worm and its capability to travel across networks the end result in most cases is that the worm consumes too much system memory (or network bandwidth), causing Web servers, network servers and individual computers to stop responding.

What is Malware?
Malware is software used to perform malicious actions; the term is a combination of the words malicious and software.


The end goal of most cyber criminals is to install malware on your computers or mobile devices. Once installed, these attackers can potentially gain total control of them. Many people have the misconception that malware is a problem only for Windows computers. While Windows is widely used, and thus a big target, malware can infect any computing device, including smartphones and tablets. In fact, the prevalence of malicious software infecting mobile devices is steadily growing. In addition, remember that everyone is a target, including you. The more computers and mobile devices cyber criminals infect, the more money they can make. These criminals usually do not care whom they infect, just as long as they infect as many people as possible.

What is a Computer Trojan Horse?
A Computer Trojan horse, or Trojan, is a non-self-replicating type of malware program containing malicious code that, when executed, carries out actions determined by the nature of the Trojan, typically causing loss or theft of data, and possible system harm.

The Trojan Horse, at first glance will appear to be useful software but will actually do damage once installed or run on your computer.  Those on the receiving end of a Trojan Horse are usually tricked into opening them because they appear to be receiving legitimate software or files from a legitimate source.  When a Trojan is activated on your computer, the results can vary. Some Trojans are designed to be more annoying than malicious (like changing your desktop, adding silly active desktop icons) or they can cause serious damage by deleting files and destroying information on your system. Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate.

How to Protect Yourself?
The best way to protect yourself is to keep your devices updated, run current anti-virus software where possible and, above all, stay alert for attacks.

Make sure your operating systems and applications are set to install security updates automatically.

Ultimately, the best defence is to keep your software up to date, install trusted anti-virus software from well-known vendors and be alert for anyone attempting to fool or trick you into infecting your own computer.

REGEX - REGULAR EXPRESSIONS

What is REGEX?
A regular expression (abbreviated regex or regexp) is a sequence of characters that forms a search pattern, mainly for use in pattern matching with strings, or string matching.

.
  Matches any single character (use "\." to match a ".").
[abc]
  Matches one of the listed characters ("[abc]" matches a single "a", "b" or "c").
[c-g]
  Matches one character from the range ("[c-g]" matches a single "c", "d", "e", "f" or "g"; "[a-z0-9]" matches any single letter or digit; "[-/.:?]" matches any single "-", "/", ".", ":" or "?").
?
  None or one of the preceding ("words?" matches "word" and "words"; "[abc]?" matches a single "a", "b" or "c", or nothing, i.e. "").
*
  None or more of the preceding ("words*" matches "word", "words" and "wordsssssss"; ".*" matches anything, including nothing).
+
  One or more of the preceding ("xxx+" matches a sequence of 3 or more "x").
(expr1|expr2)
  One of the expressions, each of which may in turn contain a similar construction ("(foo|bar)" matches "foo" or "bar"; "(foo|bar)?" matches "foo", "bar" or nothing, i.e. "").
$
  The end of the line ("(foo|bar)$" matches "foo" or "bar" only at the end of a line).
\x
  Disables the special meaning of x, where x is one of the special regex characters ".?*+()^$[]{}\" ("\." matches a single ".", "\\" a single "\", etc.).

Regular Expression Basic Syntax
Each entry below gives the construct, its description and, where available, an example.

Characters

Any character except [\^$.|?*+()
  All characters except the listed special characters match a single instance of themselves. { and } are literal characters, unless they're part of a valid regular expression token (e.g. the {n} quantifier).
  Example: a matches a
\ (backslash) followed by any of [\^$.|?*+(){}
  A backslash escapes special characters to suppress their special meaning.
  Example: \+ matches +
\Q...\E
  Matches the characters between \Q and \E literally, suppressing the meaning of special characters.
  Example: \Q+-*/\E matches +-*/
\xFF where FF are 2 hexadecimal digits
  Matches the character with the specified ASCII/ANSI value, which depends on the code page used. Can be used in character classes.
  Example: \xA9 matches © when using the Latin-1 code page.
\n, \r and \t
  Match an LF character, CR character and a tab character respectively. Can be used in character classes.
  Example: \r\n matches a DOS/Windows CRLF line break.
\a, \e, \f and \v
  Match a bell character (\x07), escape character (\x1B), form feed (\x0C) and vertical tab (\x0B) respectively. Can be used in character classes.
\cA through \cZ
  Match an ASCII character Control+A through Control+Z, equivalent to \x01 through \x1A. Can be used in character classes.
  Example: \cM\cJ matches a DOS/Windows CRLF line break.

Character Classes or Character Sets [abc]

[ (opening square bracket)
  Starts a character class. A character class matches a single character out of all the possibilities offered by the character class. Inside a character class, different rules apply. The rules in this section are only valid inside character classes. The rules outside this section are not valid in character classes, except for a few character escapes that are indicated with "can be used inside character classes".
Any character except ^-]\
  Adds that character to the possible matches for the character class (all characters except the listed special characters).
  Example: [abc] matches a, b or c
\ (backslash) followed by any of ^-]\
  A backslash escapes special characters to suppress their special meaning.
  Example: [\^\]] matches ^ or ]
- (hyphen) except immediately after the opening [
  Specifies a range of characters. (Specifies a hyphen if placed immediately after the opening [.)
  Example: [a-zA-Z0-9] matches any letter or digit
^ (caret) immediately after the opening [
  Negates the character class, causing it to match a single character not listed in the character class. (Specifies a caret if placed anywhere except after the opening [.)
  Example: [^a-d] matches x (any character except a, b, c or d)
\d, \w and \s
  Shorthand character classes matching digits, word characters (letters, digits, and underscores), and whitespace (spaces, tabs, and line breaks). Can be used inside and outside character classes.
  Example: [\d\s] matches a character that is a digit or whitespace
\D, \W and \S
  Negated versions of the above. Should be used only outside character classes. (Can be used inside, but that is confusing.)
  Example: \D matches a character that is not a digit
[\b]
  Inside a character class, \b is a backspace character.
  Example: [\b\t] matches a backspace or tab character

Dot

. (dot)
  Matches any single character except line break characters \r and \n. Most regex flavors have an option to make the dot match line break characters too.
  Example: . matches x or (almost) any other character

Anchors

^ (caret)
  Matches at the start of the string the regex pattern is applied to. Matches a position rather than a character. Most regex flavors have an option to make the caret match after line breaks (i.e. at the start of a line in a file) as well.
  Example: ^. matches a in abc\ndef. Also matches d in "multi-line" mode.
$ (dollar)
  Matches at the end of the string the regex pattern is applied to. Matches a position rather than a character. Most regex flavors have an option to make the dollar match before line breaks (i.e. at the end of a line in a file) as well. Also matches before the very last line break if the string ends with a line break.
  Example: .$ matches f in abc\ndef. Also matches c in "multi-line" mode.
\A
  Matches at the start of the string the regex pattern is applied to. Matches a position rather than a character. Never matches after line breaks.
  Example: \A. matches a in abc
\Z
  Matches at the end of the string the regex pattern is applied to. Matches a position rather than a character. Never matches before line breaks, except for the very last line break if the string ends with a line break.
  Example: .\Z matches f in abc\ndef
\z
  Matches at the end of the string the regex pattern is applied to. Matches a position rather than a character. Never matches before line breaks.
  Example: .\z matches f in abc\ndef

Word Boundaries

\b
  Matches at the position between a word character (anything matched by \w) and a non-word character (anything matched by [^\w] or \W) as well as at the start and/or end of the string if the first and/or last characters in the string are word characters.
  Example: .\b matches c in abc
\B
  Matches at the position between two word characters (i.e. the position between \w\w) as well as at the position between two non-word characters (i.e. \W\W).
  Example: \B.\B matches b in abc

Alternation

| (pipe)
  Causes the regex engine to match either the part on the left side, or the part on the right side. Can be strung together into a series of options.
  Example: abc|def|xyz matches abc, def or xyz
| (pipe)
  The pipe has the lowest precedence of all operators. Use grouping to alternate only part of the regular expression.
  Example: abc(def|xyz) matches abcdef or abcxyz

Quantifiers

? (question mark)
  Makes the preceding item optional. Greedy, so the optional item is included in the match if possible.
  Example: abc? matches ab or abc
??
  Makes the preceding item optional. Lazy, so the optional item is excluded in the match if possible. This construct is often excluded from documentation because of its limited use.
  Example: abc?? matches ab or abc
* (star)
  Repeats the previous item zero or more times. Greedy, so as many items as possible will be matched before trying permutations with fewer matches of the preceding item, up to the point where the preceding item is not matched at all.
  Example: ".*" matches "def""ghi" in abc "def""ghi" jkl
*? (lazy star)
  Repeats the previous item zero or more times. Lazy, so the engine first attempts to skip the previous item, before trying permutations with ever increasing matches of the preceding item.
  Example: ".*?" matches "def" in abc "def""ghi" jkl
+ (plus)
  Repeats the previous item once or more. Greedy, so as many items as possible will be matched before trying permutations with fewer matches of the preceding item, up to the point where the preceding item is matched only once.
  Example: ".+" matches "def""ghi" in abc "def""ghi" jkl
+? (lazy plus)
  Repeats the previous item once or more. Lazy, so the engine first matches the previous item only once, before trying permutations with ever increasing matches of the preceding item.
  Example: ".+?" matches "def" in abc "def""ghi" jkl
{n} where n is an integer >= 1
  Repeats the previous item exactly n times.
  Example: a{3} matches aaa
{n,m} where n >= 0 and m >= n
  Repeats the previous item between n and m times. Greedy, so repeating m times is tried before reducing the repetition to n times.
  Example: a{2,4} matches aaaa, aaa or aa
{n,m}? where n >= 0 and m >= n
  Repeats the previous item between n and m times. Lazy, so repeating n times is tried before increasing the repetition to m times.
  Example: a{2,4}? matches aa, aaa or aaaa
{n,} where n >= 0
  Repeats the previous item at least n times. Greedy, so as many items as possible will be matched before trying permutations with fewer matches of the preceding item, up to the point where the preceding item is matched only n times.
  Example: a{2,} matches aaaaa in aaaaa
{n,}? where n >= 0
  Repeats the previous item n or more times. Lazy, so the engine first matches the previous item n times, before trying permutations with ever increasing matches of the preceding item.
  Example: a{2,}? matches aa in aaaaa
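The rows above are easiest to trust once you have run them. The following is an added example (not part of the reference material on this page) that exercises the quantifier, anchor, word-boundary and alternation rows with Python's re module on the table's own sample strings, and then shows the one case where the anchor rows matter for security: "$" also matches just before a trailing line break, so a validator written as "^...$" accepts input that ends in a newline. Two Python-specific caveats are assumed in the code: Python has no \Q...\E, and Python's \Z is the absolute end of string (the table's \z); re.fullmatch gives the same guarantee without any anchor. The USERNAME policy is made up for the example.

```python
import re

# Added example, not from the reference the table was taken from. Python caveats:
# no \Q...\E, and Python's \Z behaves like the table's \z (absolute end of string).

SAMPLE = 'abc "def""ghi" jkl'  # constructed from the quantifier rows above


def quantifier_demo(text=SAMPLE):
    """Greedy '.*' runs to the last quote; lazy '.*?' stops at the first one."""
    greedy = re.search(r'".*"', text).group()
    lazy = re.search(r'".*?"', text).group()
    return greedy, lazy


def bounded_repeat_demo(text="aaaaa"):
    """{n,} is greedy and takes everything; {n,}? is lazy and takes the minimum."""
    return re.search(r"a{2,}", text).group(), re.search(r"a{2,}?", text).group()


def anchor_demo(text="abc\ndef"):
    """^ and $ anchor to the whole string by default; re.MULTILINE makes them per line."""
    return {
        "caret": re.findall(r"^.", text),
        "caret_multiline": re.findall(r"^.", text, re.MULTILINE),
        "dollar": re.findall(r".$", text),
        "dollar_multiline": re.findall(r".$", text, re.MULTILINE),
    }


def boundary_demo(text="abc"):
    """\\b sits between a word and a non-word character; \\B between two of the same kind."""
    return re.search(r".\b", text).group(), re.search(r"\B.\B", text).group()


def alternation_demo(text="abcdef abcxyz def"):
    """'|' has the lowest precedence, so abc|def|xyz is three whole alternatives; a group
    restricts it to the suffix. (?:...) is used so findall returns the full match."""
    return re.findall(r"abc|def|xyz", text), re.findall(r"abc(?:def|xyz)", text)


# Input validation is where the anchor rows matter for security: '$' also matches
# just before a trailing newline, so '^...$' accepts "alice\n".
USERNAME = r"[a-z0-9]{3,16}"  # assumed policy for the example


def username_ok_dollar(s):
    """Looks strict, but lets a trailing newline through."""
    return re.match(r"^" + USERNAME + r"$", s) is not None


def username_ok_strict(s):
    """fullmatch requires the entire string to match (same as \\A...\\Z in Python)."""
    return re.fullmatch(USERNAME, s) is not None


def trailing_newline_demo(text="abc\n"):
    """'.$' still finds 'c' before the final newline; '.\\Z' finds nothing."""
    return re.search(r".$", text).group(), re.search(r".\Z", text)


if __name__ == "__main__":
    print(quantifier_demo(), bounded_repeat_demo(), anchor_demo(), sep="\n")
    print(boundary_demo(), alternation_demo(), sep="\n")
    print(username_ok_dollar("alice\n"), username_ok_strict("alice\n"))
```

The practical rule the last three functions illustrate: when a regex is used to accept or reject untrusted input, match the whole string (fullmatch in Python, \A...\z in PCRE-style engines) rather than relying on ^ and $, and reject anything that does not match instead of trying to enumerate what to reject.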

EIGRP ON A Cisco ASA Firewall

How to Configure EIGRP on a Cisco ASA Firewall?
The Cisco Adaptive Security Appliance is an integrated security appliance that can perform a variety of functions such as firewall, intrusion prevention, VPN, content security, unified communications, and remote access. Among these functions, the ASA can also route using popular routing protocols such as Routing Information Protocol (RIP), Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF), or using static routes.

In this particular scenario, the routers R1 and R2 and the ASA all participate in the EIGRP process. R1 is in the internal network and R2 in the DMZ. A static default route to the Internet outside interface of ASA will be configured and redistributed into the EIGRP process.

We will start by configuring IP addressing and EIGRP on the two routers R1 and R2.

Router R1 Configuration:
R1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# interface FastEthernet0/0
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit

R1(config)# interface FastEthernet1/0
R1(config-if)# ip address 10.0.0.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit

R1(config)# router eigrp 10
R1(config-router)# network 10.0.0.0 0.0.0.255
R1(config-router)# network 192.168.1.0 0.0.0.255
R1(config-router)# no auto-summary
R1(config-router)# end

Router R2 Configuration:
R2#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# interface FastEthernet0/0
R2(config-if)# ip address 192.168.2.1 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# exit

R2(config)# interface FastEthernet1/0
R2(config-if)# ip address 10.1.1.1 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# exit

R2(config)# router eigrp 10
R2(config-router)# network 10.1.1.0 0.0.0.255
R2(config-router)# network 192.168.2.0 0.0.0.255
R2(config-router)# no auto-summary
R2(config-router)# end

Now we will configure the ASA, which is the core of this tutorial. The ASA will separate the three zones in the network: the inside network, the DMZ and the outside network. This appliance is designed primarily to work at the boundary between internal and external networks. Accordingly, the ASA associates a security level with each interface. The security level is a number between 0 and 100 that signifies the level of trust placed in the network the interface is connected to.

For the interface that will be configured inside, it will be assigned a default maximum trust level of 100 and for the outside interface the default value is 0, minimum trust. We can change that level any time, but for the scope of this tutorial we will leave the default values. Also, we will configure an additional interface “DMZ”, assigning a security level of 50.

Cisco ASA Configuration:
ASA1# configure terminal 
ASA1(config)# interface GigabitEthernet0
ASA1(config-if)# description outside interface connected to Internet
ASA1(config-if)# nameif outside
ASA1(config-if)# security-level 0
ASA1(config-if)# ip address 50.50.50.1 255.255.255.0
ASA1(config-if)# exit

ASA1(config)# interface GigabitEthernet1
ASA1(config-if)# description Inside interface connected to R1
ASA1(config-if)# nameif inside
ASA1(config-if)# security-level 100
ASA1(config-if)# ip address 192.168.1.2 255.255.255.0
ASA1(config-if)# exit

ASA1(config)# interface GigabitEthernet2
ASA1(config-if)# description DMZ interface connected to R2
ASA1(config-if)# nameif dmz
ASA1(config-if)# security-level 50
ASA1(config-if)# ip address 192.168.2.2 255.255.255.0
ASA1(config-if)# exit

The outside interface of ASA1 will be connected to the internet and for the scope of this lab we will use it just to have a default route and we will assign IP address 50.50.50.1 with default gateway next hop 50.50.50.2. This default route will be redistributed from ASA1 to the rest of the EIGRP domain.

Next, we will configure EIGRP on ASA1, add a default static route and redistribute it into the EIGRP process.

ASA1(config)# router eigrp 10
ASA1(config-router)# network 192.168.1.0 255.255.255.0
ASA1(config-router)# network 192.168.2.0 255.255.255.0
ASA1(config-router)# no auto-summary
ASA1(config-router)# redistribute static
ASA1(config-router)# end

ASA1# route outside 0.0.0.0 0.0.0.0 50.50.50.2

Once the EIGRP is configured we can now verify that it has established neighbor relationships with the peers and that it redistributed the default static route:

Verification Commands:
ASA1# show eigrp neighbors

EIGRP-IPv4 neighbors for process 10
H   Address          Interface   Hold   Uptime     SRTT   RTO   Q     Seq
                                 (sec)             (ms)         Cnt   Num
1   192.168.2.1      Gi2         13     00:16:28   27     200   0     3
0   192.168.1.1      Gi1         11     00:16:28   13     200   0     5

ASA1# show eigrp topology

EIGRP-IPv4 Topology Table for AS(10)/ID(192.168.2.2)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status
P 0.0.0.0 0.0.0.0, 1 successors, FD is 28160
        via Rstatic (28160/0)
P 10.0.0.0 255.255.255.0, 1 successors, FD is 30720
        via 192.168.1.1 (30720/28160), GigabitEthernet1
P 10.1.1.0 255.255.255.0, 1 successors, FD is 30720
        via 192.168.2.1 (30720/28160), GigabitEthernet2
P 192.168.1.0 255.255.255.0, 1 successors, FD is 28160
        via Connected, GigabitEthernet1
P 192.168.2.0 255.255.255.0, 1 successors, FD is 28160
        via Connected, GigabitEthernet2

ASA1# show eigrp interfaces

EIGRP-IPv4 interfaces for process 10
                   Xmit Queue    Mean   Pacing Time   Multicast    Pending
Interface   Peers  Un/Reliable   SRTT   Un/Reliable   Flow Timer   Routes
inside      1      0/0           13     0/1           105          0
dmz         1      0/0           27     0/1           89           0

ASA1# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 50.50.50.2 to network 0.0.0.0
C 50.50.50.0 255.255.255.0 is directly connected, outside
D 10.0.0.0 255.255.255.0 [90/30720] via 192.168.1.1, 0:19:52, inside
D 10.1.1.0 255.255.255.0 [90/30720] via 192.168.2.1, 0:19:53, dmz
C 192.168.1.0 255.255.255.0 is directly connected, inside
C 192.168.2.0 255.255.255.0 is directly connected, dmz
S* 0.0.0.0 0.0.0.0 [1/0] via 50.50.50.2, outside

Let’s also verify the routing updates received by the routers. They should see the other networks attached to ASA1 and the injected static default route:

R1#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.1.2 to network 0.0.0.0

10.0.0.0/24 is subnetted, 2 subnets
D 10.1.1.0 [90/33280] via 192.168.1.2, 00:20:44, FastEthernet0/0
C 10.0.0.0 is directly connected, FastEthernet1/0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
D 192.168.2.0/24 [90/30720] via 192.168.1.2, 00:20:45, FastEthernet0/0
D*EX 0.0.0.0/0 [170/30720] via 192.168.1.2, 00:20:45, FastEthernet0/0

R2#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.2.2 to network 0.0.0.0

10.0.0.0/24 is subnetted, 2 subnets
C 10.1.1.0 is directly connected, FastEthernet1/0
D 10.0.0.0 [90/33280] via 192.168.2.2, 00:22:21, FastEthernet0/0
D 192.168.1.0/24 [90/30720] via 192.168.2.2, 00:22:21, FastEthernet0/0
C 192.168.2.0/24 is directly connected, FastEthernet0/0
D*EX 0.0.0.0/0 [170/30720] via 192.168.2.2, 00:22:21, FastEthernet0/0

We now have in place the three networks separated by ASA1, each with a different security level assigned, exchanging routing information. Routing reachability is not the same as permitted traffic: the ASA performs stateful inspection by default and only allows traffic from a higher security level to a lower one, so access lists must be configured for any connectivity between the security zones that the default policy does not permit.

PORT SECURITY ON CISCO SWITCH

How to Enable or Disable Port Security on a Cisco Switch?
The Basics:
In its most basic form, the Port Security feature remembers the Ethernet MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will disable the port. Most of the time, network administrators configure the switch to send an SNMP trap to their network monitoring solution stating that the port has been disabled for security reasons.

Of course, implementing any security solution always involves a trade-off—most often, you trade increased security for less convenience. When using port security, you can prevent devices from accessing the network, which increases security.
NOTE:
However, as you know, there's usually a downside. In this case, it's that the network administrator is the only one who can "unlock" the port, which can cause problems when there are legitimate reasons to change out devices.

Configure port security 
Configuring the Port Security feature is relatively easy. In its simplest form, port security requires going to an already enabled switch port and entering the port-security Interface Mode command. Here's an example:

Switch# config t
Switch(config)# int fa0/18
Switch(config-if)# switchport port-security ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode

Switch(config-if)# switchport port-security 
Switch(config-if)#^Z

By entering the most basic command to configure port security, we accepted the default settings of only allowing one MAC address, determining that MAC address from the first device that communicates on this switch port, and shutting down that switch port if another MAC address attempts to communicate via the port. But you don't have to accept the defaults.

Know your options:
As you can see in the example, there are a number of other port security commands that you can configure. Here are some of your options:


switchport port-security maximum {max # of MAC addresses allowed}: You can use this option to allow more than the default number of MAC addresses, which is one. For example, if you had a 12-port hub connected to this switch port, you would want to allow 12 MAC addresses—one for each device. The maximum number of secure MAC addresses per port is 132.

switchport port-security violation {shutdown | restrict | protect}: This command tells the switch what to do when the number of MAC addresses on the port has exceeded the maximum. The default is to shut down the port. However, you can also choose to alert the network administrator (i.e., restrict) or only allow traffic from the secure port and drop packets from other MAC addresses (i.e., protect).

switchport port-security mac-address {MAC address}: You can use this option to manually define the MAC address allowed for this port rather than letting the port dynamically determine the MAC address.
Of course, you can also configure port security on a range of ports. Here's an example:

Switch# config t
Switch(config)# int range fastEthernet 0/1 - 24
Switch(config-if-range)# switchport port-security

However, you need to be very careful with this option if you enter this command on an uplink port that goes to more than one device. As soon as the second device sends a packet, the entire port will shut down.

View the status of port security
Once you've configured port security and the Ethernet device on that port has sent traffic, the switch will record the MAC address and secure the port using that address. To find out the status of port security on the switch, you can use the show port-security address and show port-security interface commands. Below are examples for each command's output:
Switch# show port-security address
               Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type             Ports     Remaining Age
                                                        (mins)
----    -----------       ----             -----     -------------
   1    0004.00d5.285d    SecureDynamic    Fa0/18         -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

Switch# show port-security interface fa0/18
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 0004.00d5.285d
Security Violation Count : 0
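Because port security quietly err-disables a port on a violation, the state shown above is worth collecting and checking automatically rather than reading by hand. The following is an added example (not from the article) that parses the "show port-security interface" output into fields and reports what a monitoring job should alert on: a port that has gone to Secure-shutdown, a non-zero violation count together with the last source address seen, and the "protect" violation mode, which drops offending frames without raising a trap or incrementing the counter. The Fa0/18 text is the page's own sample output; Fa0/7 is a constructed, hypothetical port with a violation, and its MAC address is made up.

```python
import re

# Added example, not from the article. Fa0/18 is the page's own sample output;
# Fa0/7 is a constructed, hypothetical port that has tripped a violation.
SHOW_OUTPUT = {
    "Fa0/18": """\
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 0004.00d5.285d
Security Violation Count : 0
""",
    "Fa0/7": """\
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 0000.0c12.3456
Security Violation Count : 1
""",
}


def parse_port_security(text):
    """Turn the 'Key : Value' lines into a dict; plain counters become ints."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        m = re.fullmatch(r"(\d+)(?: mins)?", value)
        fields[key.strip()] = int(m.group(1)) if m else value
    return fields


def assess(fields):
    """Findings for one port, in the order an operator would want to see them."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append("port security not enabled")
        return findings
    if fields.get("Port Status") == "Secure-shutdown":
        findings.append("port err-disabled by port security; needs an administrator to re-enable")
    if fields.get("Security Violation Count", 0) > 0:
        findings.append("violation count %d, last source address %s"
                        % (fields["Security Violation Count"],
                           fields.get("Last Source Address", "unknown")))
    if fields.get("Violation Mode") == "Protect":
        findings.append("violation mode 'protect' drops frames silently: no trap, no counter")
    return findings


def audit(outputs):
    """Map each interface name to its list of findings (empty list means nothing to report)."""
    return {port: assess(parse_port_security(text)) for port, text in outputs.items()}


if __name__ == "__main__":
    for port, findings in audit(SHOW_OUTPUT).items():
        print(port, findings or "ok")
```

In practice the input comes from a polling job over SSH or from the SNMP trap the article mentions; the parser is the same either way, and keeping "Last Source Address" in the finding is what lets an analyst tell a relocated printer from an unknown device.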

DNS ON CENTOS 6

How to install and configure DNS on Centos?

How to install and configure Bind on Centos?

How to install and configure Caching only DNS Server?

## Install bind on centos using 'yum'
yum install bind*

## edit configuration file
vi /etc/named.conf

## Caching Only DNS Server
/etc/named.conf
// CACHING NAME SERVER for EXAMPLE.
//
//
options {
 directory "/var/named";
 // version statement - inhibited for security
 // (avoids hacking any known weaknesses)
 version "BIND 9";
 // disables all zone transfer requests
 allow-transfer{"none";};
 // Closed DNS - permits only local IPs to issue queries
 // remove if an Open DNS required to support all users
 // or add additional IP ranges
 // in this case either allow-query or allow-recursion can be used
 allow-query {192.168.3.0/24;};
};
//
// log to /var/log/example.log all events
// from info UP in severity (no debug)
// defaults to use 3 files in rotation
// BIND 8.x logging MUST COME FIRST in this file
// BIND 9.x parses the whole file before using the log
// failure messages up to this point are in (syslog)
// typically /var/log/messages
//
 logging{
 channel example_log{
  file "/var/log/named/example.log" versions 3 size 2m;
  severity info;
  print-severity yes;
  print-time yes;
  print-category yes;
};
category default{
 example_log;
};
};
// required zone for recursive queries
zone "." {
 type hint;
 file "root.servers";
};
// required local host domain
zone "localhost" in{
 type master;
 file "master.localhost";
 allow-update{none;};
};
// localhost reverse map
zone "0.0.127.in-addr.arpa" in{
 type master;
 file "localhost.rev";
 allow-update{none;};
};

root.servers in /var/named/
;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  "
;       configuration file of BIND domain name servers).
;
;       This file is made available by InterNIC
;       under anonymous FTP as
;           file                /domain/named.root
;           on server           FTP.INTERNIC.NET
;       -OR-                    RS.INTERNIC.NET
;
;       last update:    Jan 29, 2004
;       related version of root zone:   2004012900
;
;
; formerly NS.INTERNIC.NET
;
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
;
; formerly NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
;
; formerly C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
;
; formerly TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
;
; formerly NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
;
; formerly NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
;
; formerly NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
;
; operated by VeriSign, Inc.
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
;
; operated by RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
;
; operated by ICANN
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
;
; operated by WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
; End of File

master.localhost in /var/named
$TTL 86400 ; 24 hours could have been written as 24h
$ORIGIN localhost.
; line below = localhost 1D IN SOA localhost root.localhost
@  1D  IN SOA @ root (
     2002022401 ; serial
     3H ; refresh
     15 ; retry
     1w ; expire
     3h ; minimum
    )
@  1D  IN  NS @
  1D  IN  A  127.0.0.1  

localhost.rev in /var/named/
$TTL 86400 ;
; could use $ORIGIN 0.0.127.IN-ADDR.ARPA.
@       IN      SOA     localhost. root.localhost.  (
                       1997022700 ; Serial
                       3h      ; Refresh
                       15      ; Retry
                       1w      ; Expire
                       3h )    ; Minimum
       IN      NS      localhost.
1       IN      PTR     localhost.
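The two zone files above use most of the master-file shorthand that trips people up: $TTL and $ORIGIN directives, "@" for the zone origin, TTL values with units (1D, 3H, 1w), a multi-line SOA record in parentheses, and records that begin with whitespace and therefore inherit the previous line's owner (the A record in master.localhost and the NS record in localhost.rev). The following is an added example, not code from the article or from BIND, of a small parser that applies those rules and returns fully qualified records; the sample zone text is copied from the files above, and the origin for localhost.rev is the zone name named.conf would supply, since that file has no $ORIGIN line.

```python
"""Minimal BIND master-file (zone file) parser.

Added example, not code from the article or from BIND. It handles $TTL and
$ORIGIN, the '@' shorthand, TTL units (1D, 3h, 1w, 2h30m), parenthesised
continuation lines and the blank-owner rule. MASTER_LOCALHOST and
LOCALHOST_REV copy the article's zone files; the reverse zone's origin is
passed in, as named.conf would do for a file without $ORIGIN.
"""
import re

MASTER_LOCALHOST = """\
$TTL 86400 ; 24 hours could have been written as 24h
$ORIGIN localhost.
; line below = localhost 1D IN SOA localhost root.localhost
@  1D  IN SOA @ root (
     2002022401 ; serial
     3H ; refresh
     15 ; retry
     1w ; expire
     3h ; minimum
    )
@  1D  IN  NS @
  1D  IN  A  127.0.0.1
"""

LOCALHOST_REV = """\
$TTL 86400 ;
; could use $ORIGIN 0.0.127.IN-ADDR.ARPA.
@       IN      SOA     localhost. root.localhost.  (
                       1997022700 ; Serial
                       3h      ; Refresh
                       15      ; Retry
                       1w      ; Expire
                       3h )    ; Minimum
       IN      NS      localhost.
1       IN      PTR     localhost.
"""

UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TYPES = {"SOA", "NS", "A", "AAAA", "PTR", "CNAME", "MX", "TXT"}
CLASSES = {"IN", "CH", "HS"}
NAME_FIELDS = {"SOA": (0, 1), "NS": (0,), "PTR": (0,), "CNAME": (0,), "MX": (1,)}  # rdata fields that are names
TTL_RE = re.compile(r"(\d+[smhdw]?)+", re.I)


def parse_ttl(tok):
    """'86400', '1D', '3h', '1w', '2h30m' -> seconds."""
    return sum(int(n) * UNITS[u.lower()] for n, u in re.findall(r"(\d+)([smhdwSMHDW]?)", tok))


def absolute(name, origin):
    """Expand '@' and relative names against the zone origin (which ends in '.')."""
    if name == "@":
        return origin
    return name if name.endswith(".") else "%s.%s" % (name, origin)


def logical_lines(text):
    """Yield (blank_owner, text) per logical line: ';' comments removed,
    parenthesised continuations joined, parentheses dropped."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and not buf:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            joined = " ".join(buf).replace("(", " ").replace(")", " ")
            blank_owner = buf[0][:1].isspace()  # leading whitespace = inherit previous owner
            buf, depth = [], 0
            yield blank_owner, joined


def parse_zone(text, origin=None):
    """Return [(owner, ttl, class, type, rdata_tuple), ...] with absolute names.
    SOA timer fields are converted to seconds."""
    records, default_ttl, last_owner = [], None, None
    for blank_owner, line in logical_lines(text):
        toks = line.split()
        if not toks:
            continue
        head = toks[0].upper()
        if head.startswith("$TTL"):  # lenient: also accepts '$TTL86400' written without a space
            default_ttl = parse_ttl(toks[1] if head == "$TTL" else toks[0][4:])
            continue
        if head == "$ORIGIN":
            origin = toks[1]
            continue
        if origin is None:
            raise ValueError("zone origin unknown: pass origin= or use $ORIGIN")
        owner = last_owner if blank_owner else absolute(toks.pop(0), origin)
        if owner is None:
            raise ValueError("first record has no owner name")
        ttl, rclass = default_ttl, "IN"
        while toks[0].upper() not in TYPES:  # optional TTL and class, in either order
            t = toks.pop(0)
            if t.upper() in CLASSES:
                rclass = t.upper()
            elif TTL_RE.fullmatch(t):
                ttl = parse_ttl(t)
            else:
                raise ValueError("unexpected token %r in %r" % (t, line))
        rtype, rdata = toks.pop(0).upper(), toks
        for i in NAME_FIELDS.get(rtype, ()):
            rdata[i] = absolute(rdata[i], origin)
        if rtype == "SOA":
            rdata[2:] = [parse_ttl(t) for t in rdata[2:]]
        records.append((owner, ttl, rclass, rtype, tuple(rdata)))
        last_owner = owner
    return records


if __name__ == "__main__":
    for rec in parse_zone(MASTER_LOCALHOST) + parse_zone(LOCALHOST_REV, origin="0.0.127.in-addr.arpa."):
        print(rec)
```

Running it shows why the reverse file works without $ORIGIN: the bare "1" owner becomes 1.0.0.127.in-addr.arpa. only because named.conf tells BIND the zone name, so the same file under a different zone statement would map a different address.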

## Check the Service Status
service named status
rndc: neither /etc/rndc.conf nor /etc/rndc.key was found
named-sdb (pid  17961) is running...

TROUBLESHOOTING BIND ISSUES
## Resolve the rndc issue
rndc-confgen -a -c /etc/rndc.key 

 or

rndc-confgen >> /etc/rndc.conf

cat /etc/rndc.conf

# Start of rndc.conf
key "rndc-key" {
     algorithm hmac-md5;
     secret "J8Y41D8CHJlEvmQwRSU1Dg==";
};

options {
     default-key "rndc-key";
     default-server 127.0.0.1;
     default-port 953;
};

# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#    algorithm hmac-md5;
#    secret "J8Y41D8CHJlEvmQwRSU1Dg==";
# };
#
# controls {
#    inet 127.0.0.1 port 953
#            allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf

Put the key and controls sections shown above at the end of named.conf and restart named; this resolves the rndc.conf and rndc.key issue.
service named restart
service named status
version: 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.3 (not currently available)
CPUs found: 2
worker threads: 2
number of zones: 18
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
named-sdb (pid  18103) is running...

To switch query logging on or off, run the command below (each run toggles the current state):
rndc querylog

DNS log issue
Jun 30 11:54:25 localhost named-sdb[1689]: logging channel 'named_log' file '/var/named/chroot/var/log/named.log': permission denied
Jun 30 11:54:25 localhost named-sdb[1689]: isc_log_open '/var/named/chroot/var/log/named.log' failed: permission denied

touch /var/named/chroot/var/log/named.log

chown named:named /var/named/chroot/var/log/named.log

Managed Keys Issue
30-Jun-2012 16:08:28.773 general: error: managed-keys-zone ./IN: loading from master file dynamic/managed-keys.bind failed: file not found

touch /var/named/dynamic/managed-keys.bind

chown named:named /var/named/dynamic/managed-keys.bind

Forward or Reverse Map Issue:
Jul  2 11:21:29 localhost dhcpd: Unable to add forward map from my-pc.warproxy.com. to 192.168.5.22: timed out

// required local host domain

zone "warproxy.com" in{
  type master;
  file "master.localhost";
  notify yes;
  allow-update { key rndc-key; };
};

// localhost reverse map
zone "5.168.192.in-addr.arpa" in{
  type master;
  file "localhost.rev";
  notify yes;
  allow-update { key rndc-key; };
};

Add the two lines that distinguish these zones from the earlier zone definitions in named.conf: notify yes; and allow-update { key rndc-key; }; (these are what let dhcpd update the zones with the key).
Add the following at the top of dhcpd.conf:
ddns-updates on;
ddns-domainname "warproxy.com.";
ddns-rev-domainname "in-addr.arpa.";
ddns-update-style interim;
allow client-updates;

key "rndc-key" {
    algorithm hmac-md5;
    secret "J8Y41D8CHJlEvmQwRSU1Dg==";
}

Add the two zone declarations below inside the subnet { } block of dhcpd.conf:
zone warproxy.com. {
    primary 192.168.5.5;
    key "rndc-key";
}

zone 5.168.192.in-addr.arpa. {
    primary 192.168.5.5;
    key "rndc-key";
}

Restart dhcpd and named, then check the logs.

Journal (.jnl) files are created next to the forward and reverse zone files, and the forward and reverse maps are added to the zones through them.

My DNS configuration is fully working.
++++++++++++++++++++++++++++++++++++++++++++++++
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
include "/etc/named.rfc1912.zones";

################################################
// CACHING NAME SERVER for EXAMPLE.
// 
//
options {
  directory "/var/named";
  // version statement - inhibited for security
  // (avoids hacking any known weaknesses)
  version "not currently available";
  // disables all zone transfer requests
  allow-transfer{"none";};
  // Closed DNS - permits only local IPs to issue queries
  // remove if an Open DNS required to support all users
  // or add additional IP ranges
  // in this case either allow-query or allow-recursion can be used
  allow-query {192.168.5.0/24;};
  allow-recursion {192.168.5.0/24;};
  dump-file    "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
  bindkeys-file "/etc/named.iscdlv.key";
};

//
// log to /var/log/example.log all events
// from info UP in severity (no debug)
// defaults to use 3 files in rotation
// BIND 8.x logging MUST COME FIRST in this file
// BIND 9.x parses the whole file before using the log
// failure messages up to this point are in (syslog)
// typically /var/log/messages
//

  logging{
   channel named_log{
 file "/var/named/chroot/var/log/named.log" versions 3 size 2m;
 severity info;
 print-severity yes;
 print-time yes;
 print-category yes;
   };

#   logging {
# channel null { null; };
# category lame-servers { null; };
#   };

 category default{
 named_log;
   };

  };

// required zone for recursive queries
zone "." {
  type hint;
  file "root.servers";
};

// required local host domain
zone "warproxy.com" in{
  type master;
  file "master.localhost";
  notify yes;
  allow-update { key rndc-key; };
};

// localhost reverse map
zone "5.168.192.in-addr.arpa" in{
  type master;
  file "localhost.rev";
  notify yes;
  allow-update { key rndc-key; };
};

# Use with the following in named.conf, adjusting the allow list as needed:
key "rndc-key" {
    algorithm hmac-md5;
    secret "J8Y41D8CHJlEvmQwRSU1Dg==";
};

controls {
    inet 192.168.5.5 port 953
    allow { 192.168.5.5; } keys { "rndc-key"; };
};

# End of named.conf
++++++++++++++++++++++++++++++++++++++++++++++++
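The comments in both versions of named.conf above (the caching-only example and the final working configuration) call out three settings that decide how exposed the server is: version, allow-transfer, and the allow-query / allow-recursion ACLs. The following is an added example, not code from the article or from ISC, that checks those settings in an options block: it strips comments, finds the block by brace matching, and reports what is missing or open. The recursion check follows the BIND 9.4 and later defaults (allow-recursion, else allow-query-cache, else allow-query, else localnets and localhost). WEAK_CONF is a constructed "just make it work" configuration; HARDENED_CONF copies the options block from the working named.conf above.

```python
"""Check the hardening settings in a BIND named.conf 'options' block.

Added example, not code from the article or from ISC BIND. The effective
recursion ACL follows the BIND 9.4+ defaults: allow-recursion, else
allow-query-cache, else allow-query, else localnets/localhost.
WEAK_CONF is constructed; HARDENED_CONF copies the article's options block.
"""
import re

WEAK_CONF = """\
// constructed example: nothing restricted, version disclosed
options {
    directory "/var/named";
    allow-query { any; };
};
"""

HARDENED_CONF = """\
options {
  directory "/var/named";
  // version statement - inhibited for security
  version "not currently available";
  allow-transfer{"none";};
  allow-query {192.168.5.0/24;};
  allow-recursion {192.168.5.0/24;};
};
"""


def strip_comments(text):
    """Remove /* */, // and # comments (named.conf accepts all three)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def find_block(text, name):
    """Return the body of the top-level `name { ... }` block, or None."""
    m = re.search(r"\b%s\s*\{" % re.escape(name), text)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]


def parse_statements(body):
    """Split a block body on depth-0 semicolons into {statement: raw value}."""
    stmts, depth, cur = {}, 0, []
    for ch in body:
        depth += {"{": 1, "}": -1}.get(ch, 0)
        if ch == ";" and depth == 0:
            m = re.match(r"\s*([\w-]+)\s*(.*)", "".join(cur), re.S)
            if m:
                stmts[m.group(1)] = m.group(2).strip()
            cur = []
        else:
            cur.append(ch)
    return stmts


def acl(value):
    """'{"none";}' -> ['none']; '{ any; }' -> ['any']; None stays None."""
    if value is None:
        return None
    return [t.lower() for t in re.findall(r'[^{};\s"]+', value)]


def audit_options(conf):
    """Return a list of findings; an empty list means the three checks pass."""
    body = find_block(strip_comments(conf), "options")
    if body is None:
        return ["no options block found"]
    o = parse_statements(body)
    findings = []
    if "version" not in o:
        findings.append("version: not set, so the exact BIND version is disclosed to "
                        "version.bind CHAOS queries")
    xfer = acl(o.get("allow-transfer"))
    if xfer is None or "any" in xfer:
        findings.append("allow-transfer: unset (defaults to any) or any; restrict to none "
                        "or to the secondaries' addresses")
    if acl(o.get("recursion")) != ["no"]:
        source = next((k for k in ("allow-recursion", "allow-query-cache", "allow-query") if k in o), None)
        effective = acl(o[source]) if source else ["localnets", "localhost"]
        if "any" in effective:
            findings.append("recursion: open to any client via %s; this is an open resolver" % source)
    return findings


if __name__ == "__main__":
    print("weak:", audit_options(WEAK_CONF))
    print("hardened:", audit_options(HARDENED_CONF))
```

The check is deliberately narrow: it reads only the global options block, so per-view ACLs and the controls statement (whose allow list and key matter just as much for rndc) still need a separate look.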