Quantcast
Channel: Brain Book
Viewing all 195 articles
Browse latest View live

BURN ISO IMAGE USING LINUX TERMINAL

February 9, 2014, 11:41 pm
$
0
0
If you're running Linux and would like to use the terminal to burn the ISO image.

##To open Terminal
Ctrl + Alt + T

Switch to the the directory you have downloaded the image to:

##To Burn ISO to CD/DVD
cdrecord -v -dao dev=1,0,0 linuxmint.iso


Replacing the numbers after dev= with the appropriate device number for your disc drive. 
##You can run
cdrecord -scanbus
Search

NAT / PAT ON CISCO

February 10, 2014, 10:04 pm
$
0
0
NAT / PAT Configuration on Cisco
How to configure NAT and PAT on Cisco?

NAT/PAT Technique Behind Private and Public IP Communication:
Network Address Translation (NAT) is the process of modifying IP address information in IPv4 headers while in transit across a traffic routing device.

When IP addressing first came out, everyone thought that there were plenty of addresses to cover any need. Theoretically, you could have 4,294,967,296 unique addresses (232 ). The actual number of available addresses is smaller (somewhere between 3.2 and 3.3 billion) because of the way that the addresses are separated into classes, and because some addresses are set aside for multicasting, testing or other special uses, which we have discussed in our previous articles on IP addressing/Subnetting.


With the explosion of the Internet and the increase in home and business networks, the number of available IP addresses is simply not enough. The obvious solution is to redesign the address format to allow for more possible addresses. This is being developed right now (called IPv6) but it will take several years to implement because it requires modification of the entire infrastructure of the Internet.


This is where NAT comes to the rescue. Network Address Translation allows a single device, such as a router, to act as an agent between the Internet (or “public network”) and a local (or “private”) network. This means that only a single, unique IP address is required to represent an entire group of computers.
But the shortage of IP addresses is only one reason to use NAT. In this article, you will learn more about how NAT can benefit you. But first, let’s take a closer look at NAT and exactly what it can do.


It is common to hide an entire IP address space, usually consisting of private IP addresses, behind a single IP address, or in some cases a small group of IP addresses, in another (usually public) address space. To avoid ambiguity in the handling of returned packets, a one-to-many NAT must alter higher level information such as TCP/UDP ports in outgoing communications and must maintain a translation table so that return packets can be correctly translated back. RFC 2663 uses the term NAPT (Network Address and Port Translation) for this type of NAT. Other names include PAT (Port Address Translation), IP masquerading, NAT Overload and many-to-one NAT. Since this is the most common type of NAT it is often referred to simply as NAT.


However, most NAT devices today allow the network administrator to configure translation table entries for permanent use. This feature is often referred to as “static NAT” or port forwarding, and it allows traffic originating in the “outside” network to reach designated hosts.


In the mid-1990s, NAT became a popular tool for alleviating the consequences of IPv4 address exhaustion. It has become a common, indispensable feature in routers for home and small-office Internet connections. Most systems using NAT do so in order to enable multiple hosts on a private network to access the Internet using a single public IP address.


Network address translation has serious drawbacks in terms of the quality of Internet connectivity and requires careful attention to the details of its implementation. In particular, all types of NAT break the originally envisioned model of IP end-to-end connectivity across the Internet and NAPT makes it difficult for systems behind a NAT to accept incoming communications. As a result, NAT traversal methods have been devised to alleviate the issues encountered.

What Does NAT Do?
NAT is like the receptionist in a large office. Let’s say you have left instructions with the receptionist not to forward any calls to you unless you request it. Later on, you call a potential client and leave a message for that client to call you back. You tell the receptionist that you are expecting a call from this client and to put her through.


The client calls the main number to your office, which is the only number the client knows. When the client tells the receptionist that she is looking for you, the receptionist checks a lookup table that matches your name with your extension. The receptionist knows that you requested this call, and therefore forwards the caller to your extension.


Developed by Cisco, Network Address Translation is used by a device (firewall, router or computer) that sits between an internal network and the rest of the world. NAT has many forms and can work in several ways:


Static NAT - Maps an unregistered IP address to a registered IP address on a one-to-one basis. It’s particularly useful when a device needs to be accessible from outside the network. In dynamic NAT, the computer with the IP address 192.168.1.10 will translate to the first available address in the range from 202.1.13.10 to 202.1.13.15.

(Config)# ipnat inside source static 192.168.1.10 202.1.13.10/* Static Binding
(Config)# interface F0/0
(Config-if)# ip address 192.168.1.10 255.255.255.0
(Config-if)# ipnat inside
(Config)# interface Serial0/0
(Config-if)# ip address 202.1.13.10 255.255.255.0
(Config-if)# ipnat outside


Dynamic NAT - Maps an unregistered IP address to a registered IP address from a group of registered IP addresses.

(Config)# ipnat pool cisco202.1.13.10 202.1.13.15netmask 255.255.255.0
/*created a pool for dynamic allocation
(Config)# ipnat inside source list 1 pool cisco
(Config)# interface F0/0
(Config-if)# ip address 192.168.1.10 255.255.255.0
(Config-if)# ipnat inside
(Config)# interface Serial0/0
(Config-if)# ip address 202.1.13.1255.255.255.0
(Config-if)# ipnat outside
(Config)# access-list 1 permit192.168.1 0.0.0.255


Overloading - A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports. This is known also as PAT (Port Address Translation), single address NAT or port-level multiplexed NAT.
(Config)# ipnat pool cisco 202.1.13.10 202.1.13.10 netmask 255.255.255.0
(Config)# ipnat inside source list 1 pool cisco overload
(Config)# interface F0/0
(Config-if)# ip address 192.168.1.10 255.255.255.0
(Config-if)# ipnat inside
(Config)# interface Serial0/0
(Config-if)# ip address 202.1.13.1 255.255.255.0
(Config-if)# ipnat outside
(Config)# access-list 1 permit 192.168.1 0.0.0.255


Overlapping– When the IP addresses used on your internal network are registered IP addresses in use on another network, the router must maintain a lookup table of these addresses so that it can intercept them and replace them with registered unique IP addresses. It is important to note that the NAT router must translate the “internal” addresses to registered unique addresses, as well as translate the “external” registered addresses to addresses that are unique to the private network. This can be done either through static NAT or by using DNS and implementing dynamic NAT.


The internal network is usually a LAN (Local Area Network), commonly referred to as the stub domain. A stub domain is a LAN that uses IP addresses internally. Most of the network traffic in a stub domain is local, so it doesn’t travel outside the internal network. A stub domain can include both registered and unregistered IP addresses. Of course, any computers that use unregistered IP addresses must use Network Address Translation to communicate with the rest of the world.

NAT Verification: 
Router#show ipnat translations
Router#debugipnat

You can use clear ipnat translation to clear all entries from the NAT Table.

IIS SERVER 8 SECURITY

February 11, 2014, 10:45 pm
$
0
0
Security Best Practices for IIS 8

Installation and Configuration
Do not run IIS on a domain controller or a backup domain controller.
First, there are no local accounts on a domain controller. Local accounts are important to the security of many IIS server installations. Placing an IIS web server and domain controller on the same computer seriously limits your security account options. Second, any new exploit that compromises your web server could also compromise your entire network when the web server and the domain controller are on the same computer.

Install only the IIS modules you need.
IIS 8 is composed of more than 40 modules, which allow you to add modules you need and remove any modules you don’t need. If you install only the modules you need, you reduce the surface area that is exposed to potential attacks.

Periodically remove unused or unwanted modules and handlers.
Look for modules and handlers that you no longer use and remove them from your IIS installation. Strive to keep your IIS surface area as small as possible.

For high volume installations of IIS, run other resource-intensive products like SQL Server or Exchange on separate computers.

Keep you antivirus software up to date.
Install and run the latest version of antivirus software on the server.

Move the Inetpub folder from your system drive to a different drive.
By default IIS 8 sets up the Inetpub folder on your system drive (usually the C drive). If you move the folder to a different partition, you can save space on your system drive and improve security. For information about how to the Inetpub folder, see the following blog post: Moving the INETPUB directory to a different drive.

Web Application Isolation
Isolate web applications.
Separate different applications into different sites with different application pools.

Implement the principle of least privilege.
Run your worker process as a low privileged identity (virtual application pool identity) that is unique per site.

Isolate ASP.NET temp folders.
Set up a separate ASP.NET temp folder per site and only give access to appropriate process identity.

Isolate content.
Make sure to set an ACL (access control list) on each site root to allow only access to the appropriate process identity.

Authentication
If you use Windows authentication, turn on extended protection.
Extended protection protects against credential relaying and phishing attacks when using Windows authentication. For more information about extended protection and how to turn it on in IIS, see Configure Extended Protection in IIS 7.5.


Be aware that configuring Anonymous authentication along with another authentication type for the same website can cause authentication problems.
If you configure Anonymous authentication and another authentication type, the result is determined by the order in which the modules run. For example, if Anonymous authentication and Windows authentication are both configured and Anonymous authentication runs first, Windows authentication never runs.

Disable anonymous access to server directories and resources.
When you want to grant a user the access to server directories and resources, use an authentication method that is not anonymous.

Do not allow anonymous writes to the server.
Authenticate the user with a method that is not anonymous before allowing the user to upload anything to you website or FTP site.

Request Filtering
Ensure that request filtering rules are enabled.

Request filters restrict the types of HTTP requests that IIS 8 processes. By blocking specific HTTP requests, request filters help prevent potentially harmful requests from reaching the server. The request filter module scans incoming requests and rejects requests that are unwanted based upon the rules that you set up. Both websites and FTP sites should have the protection that request filter rules provide. For more information about request filtering, see Configure Request Filtering in IIS.

Ensure that request limits are set to reasonable values.
Think carefully about the values you assign to configuration parameters. For example, make sure that an upper limit value is higher than a lower limit value. Otherwise, the filter may never trigger.

Application Pool Identities
Don’t use the built-in service identities (such as Network Service, Local Service, or Local System).

For maximum security, application pools should run under the application pool identity that is generated when the application pool is created. The accounts that are built in to IIS are ApplicationPoolIdentity, NetworkService, LocalService, and LocalSystem. The default (recommended) and most secure is ApplicationPoolIdentity.

Using a custom identity account is acceptable, but be sure to use a different account for each application pool.

More Security Practices
Make periodic backups of the IIS server.
Do a complete system-state backup every day or two. Also do it before major software upgrades or configuration changes.

Limit permissions granted to non-administrators.
Look for folders that non-administrators have write permissions and script execution permissions to, and remove the permissions.

Turn on SSL and maintain SSL certificates.
Renew the certificate or choose a new certificate for the site. An expired certificate becomes invalid and can prevent users from accessing your site.

Use SSL when you use Basic authentication.
Use Basic authentication with an SSL binding, and make sure that the site or application is set to require SSL. Alternatively, use a different method of authentication. If you use Basic authentication without SSL, credentials are sent in plaintext that might be intercepted by malicious code. If you want to continue using Basic authentication, you need to check the site bindings to make sure that an HTTPS binding is available for the site, and then configure the site to require SSL.


When you set feature delegation rules, don’t make rules that are more permissive than the defaults.

For a classic ASP application, turn off debug mode.

IIS SERVER INSTALLATION AND SECURITY

February 11, 2014, 11:10 pm
$
0
0
IIS Installation:
Control Panel: select "Add/Remove Programs"
then click on "Add/Remove Windows Components"
The screen will appear that allows you to install new Windows components - this requires caution, because an operating system connected to the Internet is particularly vulnerable to attacks. Therefore DO NOT install IIS together with services that are of key importance for LAN functionality or security. Locate the Internet Information Services (IIS) entry and then click on the Details button to select the necessary IIS pieces of functionality. They are:

  • Common Files - that is, the main files and services included with IIS,
  • Documentation - files of the Default Web Site, files containing IIS error messages and the basic HTML documentation (C:\WINNT\Help\iisHelp directory),
  • Internet Information Services Snap-In - an application for managing IIS from the Microsoft Management Console (MMC),
  • World Wide Web Server - which provides Hyper Text Transfer Protocol (HTTP) services compiled in a user-friendly manner.

Other IIS components that may deserve further attention are as follows:
  • File Transfer Protocol (FTP) Server - included in the system provides support for an FTP account. Remember however, that the FTP service lets you force anonymous logons because it does not use encryption for authentication. You should also be very restrained when considering other options that require logons (web site update, sharing files).
  • NNTP Service - to host newsgroups. It can be utilized, for example, for client-to-server and employee communications, but it is not recommended to use the USENET features (that is the commonly available newsgroup hierarchy) because of their limitations.
  • SMTP Service - the email server. Being an SMPT server, it provides only mail delivery functionality. It is not intended to aid in receipt of emails, but with its Collaboration Data Objects (CDO) component it is able to forward messages from WWW sites. Remember, however, to ensure that your spam-borne mailing service will be appropriately secured to avoid this nuisance i.e. preventing your server from being used to relay spam!

There are also components that when installed, may be risky from the security point of view and are therefore not recommended, please consider:

  • FrontPage 2000 Server Extensions - this is a special communication protocol that supports authoring and administering Microsoft FrontPage webs,
  • Internet Service Manager (HTML) - is designed to configure and monitor IIS using WWW pages,
  • Visual InterDev RAD Remote Deployment Support -this is a sub-component that assists in the development of web applications via Visual InterDev. 

While installing IIS remember, that any subsequently added service will imply the need for proper configuration and maintenance of its security environment otherwise problems may occur and worse, persist. On poorly secured and/or configured servers everything may happen quickly: unauthorized third party relaying, illegal contents, mail viruses and hacking attempts, potentially involving "ritual" problems, with possible legal risks for you, as the owner of the server. Depending on the scale of your web site, installation of the previously mentioned IIS components, SMPT and anonymous FTP may be enough.

The general approach involves closing down the connections to the Internet while installing web services - once installed, IIS can potentially expose your server to unfriendly forces. Of course, a complete firewall solution or a NAT device may be enough to deny incoming traffic as appropriate. In fact, further sections of this article will be devoted to some security countermeasures allowing a safe installation of IIS components while still allowing Internet connectivity and access to your WWW pages.

Security considerations:
The first step in securing your server is to download the most updated Service Pack and current IIS patches. The system administrator, should also download other patches as required for Windows 2012 (at least consider seriously their implementation) and Internet Information Services 8.0.

In addition, don't forget to register so that you will automatically receive Microsoft security bulletins. This is of fundamental importance because procurement and installation of any update patches is a must from time to time in order to keep the server operating securely (hackers and viruses like to find out where "lousy software" is!).

In the next step, setting up the computer is important enough to not be ignored. 
The simplest way is to get HiSecWeb.exe file from the Microsoft Web site, 
unpack it to the C:\WINNT\Security\Templates and follow the instructions given in. 
Open it in mmc.exe (using the "Security Configuration and Analysis" application to be downloaded from the Console > Add/Remove Snap-In menu) and run (being prompted to import hisecweb.inf
select "Analyze Computer Now" from Action menu, and then "Configure Computer Now." 

NOTE: HiSecWeb is designed for dedicated Web servers and it disables all services that are not associated with web access services. The HiSecWeb package does not alter the permissions within the file structure on the system partition, while the WWW files are to be installed on a non-system partition, the hardening of which will be discussed later.

Post installation:
Once all necessary patches and updates have been applied and the system settings chosen, you must disable access to the default Web site that has been installed concurrently with the IIS documentation. To do this, 
run "Internet Services Manager" (within administrative tools, that is Programs > Administrative Tools). 
This program is an MMC application that was been previously installed under the name "Internet Information Services Snap-In". Once started, choose a name for the server, 
right mouse click on "Default Web Site"
and then select "Properties" from the popup menu.

In order to disable the default web site, assign it to the localhost address (that is 127.0.0.1) - in the "IP Address" box (the "Web Site" tab) delete "(All Unassigned)" and insert 127.0.0.1, and then click "OK"

This will cause the default web site to only be accessed from the web browser running on the server, not from the network. It is better to leave the default web site disabled rather than remove it, as it may come in handy later. 
Right mouse-click on the Default Web Site and select "Stop" in popup menu (instead using the right mouse button, you may use "Action" menu). 

Naturally, if you plan not to use the default web site anymore, for example to check location of IIS installed files or to read IIS documentation, you can remove it (from popup menu). So far, no other changes to the IIS configuration are necessary, but you can review all tab settings. As you can simply check, directories (and even individual files) can have their own settings within the IIS configuration.

In the next step related to the IIS hardening, you should set master properties for the WWW services. Contrary to the default web site configuration, the IIS configuration is a hierarchical one, that is, any changes to the IIS configuration associated with the WWW Service Master Properties (W3SVC for short) can be inherited through the hierarchy of the embedded system components (sites, applications, directories and files). 

When you configure properties at the level of the IIS server, certain security-related settings will become the default settings for all web sites (the existing ones and those which are to be created). 

Backup IIS Configuration
Before attempting to change settings, ensure that you make a backup copy of the metabase (i.e. the IIS configuration). To do this, in the "Internet Services Manager" application, right mouse-click the server (not the web site!) and click on"Backup/Restore Configuration". The backup IIS copy management window will appear. Click on "Create backup", and insert the backup copy name (for example "First Configuration") and click OK. The backup copy has been stored to the file in the C:\WINNT\system32\inetsrv\MetaBack directory.

After making the backup copy, close the "Configuration Backup / Restore" and configure the W3SVC services. Right mouse click on the computer name and select "Properties". Under "Master Properties", click "Edit" next to the "WWW Service" tab. The window similar to the web site configuration will appear - it has its "Service" tab. Pay attention, that certain components are disabled (because they are consistent with individual web sites only). On the "Web Site" tab, select the "Enable Logging" check box and then select the format (I recommend that you select "W3C Extended Log File Format"). Pressing the "Properties" button can modify both the file rollover period (preferably leave "Daily") and the location of the log directory. Because a typical server can have logs measuring dozens of MB daily, it is a good idea to choose a directory on a dedicated disk, for example E:\LogFiles (remember to establish an appropriate directory on the selected partition). 

You may also enable local time logging (I don't recommend this), and select the scope of the logged information. My advice is to select all boxes excluding "Process accounting" on the "Extended Properties" tab. These options are useful at troubleshooting, detecting intrusions, examining traffic etc. The "Process Accounting" boxes allow one to analyze the server load resulting from individual HTTP requests, but I do not recommend that one use them during a normal operation of the server.

After enabling the logging feature (in the master properties of the W3SVC), change the Home Directory settings. In the "WWW Service Master Properties" window, select the "Home Directory" tab and then click on "Configuration ". The "Application Configuration" window will appear, it allows you to set up dynamic WWW pages that are files with specific extensions. Whenever they are called from the Web, they will be passed through the W3SVC service for execution by ISAPI applications, that is additional programs (more specifically - DLLs) installed on the WWW server. 

These programs are, for example, C:\WINNT\System32\inetsrv\asp.dll, ism.dll, httpodbc.dll, ssinc.dll and C:\WINNT\System32\msw3prt.dll, idq.dll and webhits.dll (within the same directory). You must remove all said programs, leaving only those using asp.dll (and also ssinc.dll if it is considered useful) - all others were used in the past for breaking into the IIS servers and infecting them with viruses (for example CodeRed that uses a known buffer overflow vulnerability contained in the idq.dll). Of course, given all these patches and updates installed previously, it is quite impossible to feel unsecure even with the entire set of ISAPI programs enabled. 

However, an experienced system administrator would know the old German saying, "once lost, confidence does not easily return" - particularly when the ism.dll application had "lost confidence" with its record-breaking negative events. One is advised to only leave enabled for use the asp.dll and possibly ssinc.dll - since they both also had security-related problems, but of considerably less importance and which were far more difficult to be exploited by hackers.

Files with .inc extensions will not be compiled, executed, or served with the default installation of IIS. In order to have ASP pages served, you will need to give all include files a .ASP extension and add these extensions to the Web Service Extensions list. Otherwise whenever any request is made for an .inc suffixed page, its code will be revealed for public viewing instead of executing it (even with errors, it is far better than publicizing dynamic pages code). Of course, the same procedure should be followed for any other extension scripts. Those who save ASP customization in the .txt files deserve to be given special attention from the system administrator.

In order to setup the extension service via ISAPI applications, click on the "Add" button and then fill in the boxes:

    Executable: C:\WINNT\System32\inetsrv\asp.dll
    Extension: .inc
    Limit to: POST, GET, and HEAD 

It is a good idea to provide each extension (those default included) with the "Check that file exists" option enabled - this setting implies that if the requested file doesn't exist, the usual error processing occurs ("404 Not Found") instead of producing the ISAPI application error.

The ISAPI msw3prt.dll functionality is dependent both on the IIS and "Web-based printing" setup in the group policy (defined on a local computer and the relevant GPO). It also depends on Print Spooler functionality - which was disabled while launching hisecweb.inf. When you intend to upgrade a Service Pack (sooner or later), the installer activates the Print Spooler service if it's not already running. However, if you have disabled the start-up type for this service, the service will fail to start. This is a strange but consistent requirement associated with the installation of all existing Windows upgrade packages.

The next important applications to be set up are listed in the tabs of the "Application Configuration" window. On the "App Options" tab, clear the "Enable parent paths" setting to ensure that the FileSystemObject started by an ASP application is limited to that application's defined directory. Another possible service to disable is the "Enable session state"to avoid overloading the server's memory at any ASP request. (Encourage the Webmaster to accept this change). On a cluster of Web servers (where many Web servers share the responsibility for responding to user requests), a Web page will not always function properly. This is because a single user session cannot be created on one server and then read and modified on another. With the advent of IIS 6 and its user session synchronizing support, this limitation will not longer be maintained.

On the "Process Options" tab you can either modify or disable the ASP file cache size - I would discourage you from enabling "Cache all requested ASP files" as the usage of server RAM for ASP session variables could become quite significant.

Lastly, on the "App Debugging" tab, ensure that the debugging options are unchecked and change "Send detailed ASP error messages to client" to "Send text error message to client". This will prevent potential attackers from compromising your website and then provide a simple text for error of WWW services with a possible email address included for reporting problems. With all applications set up as desired, click OK.

If at anytime during these steps you see the "Inheritance Overrides" properties box, this means that certain W3SVC components (web site etc.) have their own settings that are different from the master properties being applied. As you may remember, settings are inheritable, therefore you must decide whether to delete or maintain invariant certain settings as replicated ones. As the default web site is of concern, I suggest not to change anything, whilst for your own web sites use the documentation you are maintaining as guidance. Just click the OK button - do not touch the list! - The master properties will be modified but those previously set will remain unchanged.

After defining the default application settings, go to change the default WWW site settings. Select the "Directory Security" tab in the "WWW Service Master Properties" window, click on the upper button marked "Edit". The "Authentication Methods" window will appear with their enabled "Anonymous access" and "Integrated Windows authentication" options. 

It is advisable to uncheck the latter option in respect to commonly accessible WWW pages - it may allow "brute force" attacks from the Internet, targeted at unscrambling server (or related network) user passwords in transit. Unfortunately, this option is to be recurrently disabled, since it is activated by default whenever any new domain is opened. Also remember to uncheck the authentication options after installing SMTP and/or FTP services - this issue will be discussed later. After pressing OK, and then "Apply" you will again see the "Inheritance Overrides" window - do not enable any component belonging to the default web site (for example the .in. file localstart.asp file) and click OK again. 

The "Edit" button underneath allows defining of appropriate IP and domain restrictions - you might use it for a server that by default is designed for access by a selected group of users only (for example Intranet users or your company partners connected via ISDN). Remember that IP restrictions do not ensure high security level - today's IP protocol does not provide fully secure authentication of the connection source. If you want to have your server accessible from trusted sites only, take advantage of a Virtual Private Network (VPN) solution. 

On the "Documents" tab you can define default documents. If a domain or directory contains a file with its filename not listed here, the user will see the "403 Forbidden" error message (or the content of the entire directory if the "Directory browsing" has been enabled in the Home Directory option). It is good practice to consult the Webmaster about filenames to be placed on the list - for example, it may be required to add a name index.html.

Generally speaking, your IIS server is now fully set up. However don't forget to look at other tabs to ensure that the "Home Directory" tab has unchecked the "Read", "Write" or "Directory browsing" options, that the "Execute Permissions" (related to dynamic pages) are set to "None", and that "Log visits" is ON. As for the "Home Directory" settings, they will be re-visited after a new WWW site has been established.

MPLS LAYER 3 VPN

February 12, 2014, 9:37 pm
$
0
0
How to Configure MPLS Layer 3 VPN?
MPLS operates in the middle of the data link layer (Layer 2) and the network layer (Layer 3) hence it is considered to be a Layer 2.5 protocol. It operates using the protocol called LDP (Label Distribution Protocol) which assigns labels ranging from 16 to 1,048,575 (0-15 reserved and cannot be used in Cisco routers) to IP prefixes/subnets in the routing table. LDP relies on the routing table in order for it to form its LIB (Label Information Base) and LFIB (Label Forwarding Information Base). LSR (Label Switch Routers) are routers in the middle of the Service provider network that uses label to perform routing. LER (Label Edge Routers) are routers that are entry and exit points of the network. They are generally the Provider Edge (PE) routers.


The three general operations of LDP when dealing with labeling packets are PUSH, SWAP and POP. PUSH means that the incoming packet has no label and has to assign a new label to it. SWAP is basically changing the label to a different label. POP on the other hand, is to remove the label. LERs are usually the ones who PUSH labels to packets, LSRs do SWAP of the labels and the penultimate hop routers (Adjacent LSRs to the LERs, in our case Routers R2 and R3) do the POP operation. The feature where LSRs POP labels before it sends out to LERs is called PHP (Penultimate Hop Popping) with Implicit-null.


The LDP router-id needs to be reachable through the global routing table in order for LDP to form neighborship. The router-id election for LDP is the highest IP address of any loopback interface. If no loopback interfaces exist, it will be the highest IP address of any physical interface that is operational.

Configure MPLS LDP in the Service Provider network
R1(config)# int fa0/0
R1(config-if)# mpls ip
R1(config-if)# exit
R1(config)# mpls label ?
protocol Set platform default label distribution protocol
range Label range
R1(config)# mpls label range ?
Minimum label value
R1(config)# mpls label range 1000 1999
% Label range changes will take effect at the next reload.
R1(config)# mpls ldp router-id lo0 force
R2(config)# int fa0/0
R2(config-if)# mpls ip
R2(config-if)# int f0/1
R2(config-if)# mpls ip
R2(config-if)# mpls label range 2000 2999

R3(config)# int fa0/0
R3(config-if)# mpls ip
R3(config-if)# int fa0/1
R3(config-if)# mpls ip
R3(config-if)# mpls label range 3000 3999

R4(config)# int fa0/0
R4(config-if)# mpls ip
R4(config-if)# mpls label range 4000 4999


The command “mpls ip” is required to form LDP neighbors. It is only configured in interfaces that are inside the service provider network. Any interfaces such as loopbacks or those facing the customer are not required to be configured because LDP is not required between customer and PE routers. Though the customer is connected to the MPLS network, it is a common practice for service providers not to make their network visible to the customer.

The “mpls label range” command in the routers sets the number of labels only. I configured it that way so it will be easier to explain later how LDP works. In the example configuration above, the number of labels that can be assigned for each router only amounts to 1000. If the network has more than 1000 prefixes, the rest of the prefixes will not be labeled and will be routed using IP.

The “mpls ldp router-id loopback0 force” command enforces the LDP to use the IP address of Loopback0 as its ID. The “force” keyword will tear down existing LDP sessions and clear all the current bindings and applies the changes to the LDP ID. If “force” is not used, the router will wait until the current interface of the LDP ID goes down before it applies the new LDP ID specified in the command.

The routers have been restarted. Let’s check the LDP neighborship. Let’s use two examples for brevity.

R1#sh mpls ldp neigh
Peer LDP Ident: 2.2.2.2:0; Local LDP Ident 1.1.1.1:0
TCP connection: 2.2.2.2.18805 - 1.1.1.1.646
State: Oper; Msgs sent/rcvd: 46/46; Downstream
Up time: 00:31:24
LDP discovery sources:
FastEthernet0/0, Src IP addr: 12.12.12.2
Addresses bound to peer LDP Ident:
12.12.12.2 2.2.2.2 23.23.23.2

R3#sh mpls ldp neigh
Peer LDP Ident: 2.2.2.2:0; Local LDP Ident 3.3.3.3:0
TCP connection: 2.2.2.2.646 - 3.3.3.3.42778
State: Oper; Msgs sent/rcvd: 67/66; Downstream
Up time: 00:49:52
LDP discovery sources:
FastEthernet0/1, Src IP addr: 23.23.23.2
Addresses bound to peer LDP Ident:
12.12.12.2 2.2.2.2 23.23.23.2
Peer LDP Ident: 4.4.4.4:0; Local LDP Ident 3.3.3.3:0
TCP connection: 4.4.4.4.59644 - 3.3.3.3.646
State: Oper; Msgs sent/rcvd: 67/67; Downstream
Up time: 00:49:51
LDP discovery sources:
FastEthernet0/0, Src IP addr: 34.34.34.4
Addresses bound to peer LDP Ident:
34.34.34.4 4.4.4.4

R1#show mpls forwarding-table
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
1000 Pop tag 2.2.2.2/32 0 Fa0/0 12.12.12.2
1001 Pop tag 23.23.23.0/24 0 Fa0/0 12.12.12.2
1002 2001 34.34.34.0/24 0 Fa0/0 12.12.12.2
1003 2002 3.3.3.3/32 0 Fa0/0 12.12.12.2
1004 2003 4.4.4.4/32 0 Fa0/0 12.12.12.2


As mentioned, the LDP ID will be the highest loopback IP address that is operational in the router. The LDP routers, before they form an LDP session, elect which router will be active and passive. The router chosen as active will initiate the LDP TCP connection. In our case, R2 initiated a connection using a random number which in this case is 18805, R1 responds back with the port 646, the TCP port that is assigned to LDP. The “Addresses bound to peer LDP Ident:” section specifies that the routes below are directly connected to the LDP neighbor. Directly connected routes to the neighbor by default will not have any label assigned in the LIB (Label Information Base).


The “show mpls forwarding-table” also called the LFIB, shows the actions which LDP will take when it receives a specific label. As you can see, it doesn’t put any labels to directly connected routes of its adjacent LDP neighbor which is R2.

Configure VRF in the Provider Edge (PE) Routers:
VRF (Virtual Routing and Forwarding) is comparable to a VLAN in a switch. VRF is used to create different routing tables that are separated from each other. Since one VRF can’t see what routes are in another VRF, the same IP prefix can exist in different VRFs. However, duplicate IP prefixes will have an issue when it comes to route-leaking between VRFs. 

R1(config)# ip vrf CUST-A
R1(config-vrf)# rd 65002:1
R1(config-vrf)# route
R1(config-vrf)# route-target import 65002:1
R1(config-vrf)# route-target export 65002:1

R4(config)# ip vrf CUST-A
R4(config-vrf)# rd 65002:1
R4(config-vrf)# route-target import 65002:1
R4(config-vrf)# route-target export 65002:1

Let’s apply the VRF into the interface facing the CE (customer edge) router.
R1(config-if)# ip vrf forwarding CUST-A
% Interface FastEthernet0/1 IP address 15.15.15.1 removed due to enabling VRF CUST-A
R1(config-if)# ip address 15.15.15.1 255.255.255.0

R4(config-if)# int fa0/1
R4(config-if)# ip vrf forwarding CUST-A
% Interface FastEthernet0/1 IP address 46.46.46.4 removed due to enabling VRF CUST-A
R4(config-if)# ip address 46.46.46.4 255.255.255.0


The VRF name is locally significant. It is not a transitive attribute that will be shared between routers. In fact, in an MPLS VPN network, as long as the RD (Route Distinguisher) and the RT (Route Target) values are configured correctly but the VRF names are different, the MPLS VPN service will work.


RD is what Multiprotocol BGP uses to distinguish and makes the route unique. The standard telco practice is to assign a unique RD for every customer. RT on the other hand, is an extended BGP community that marks, tags or classifies the prefix. The “export” keyword in the command means that the route will be marked and announced out with that value; “import” means put all the routes with that mark, into the VRF’s routing table specified above the command.

Configure BGP VPNv4 peering between R1 and R4:
VPNv4 is an address-family of Multiprotocol BGP. To explain it simply, VPNv4 is a collection of all routes from different VRFs that were marked with the extended community route-target. This is the address-family where route-leaking can be performed. Route-leaking is simply sharing a route from one VRF to another. Common application for this is, one company wants to connect to another company’s servers and they happen to be connected to the same MPLS provider. 

R1(config)# router bgp 65001
R1(config-router)# address-family vpnv4
R1(config-router-af)# neigh 4.4.4.4 activate

R1#sh run | inc router bgp | address-family vpnv4|neigh
router bgp 65001
bgp log-neighbor-changes
neighbor 4.4.4.4 remote-as 65001
neighbor 4.4.4.4 update-source Loopback0
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 next-hop-self
address-family vpnv4
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 send-community extended

R4(config-if)# router bgp 65001
R4(config-router)# address-family vpnv4
R4(config-router-af)# neigh 1.1.1.1 activate

R4#sh ip bgp vpnv4 all sum
BGP router identifier 4.4.4.4, local AS number 65001
BGP table version is 1, main routing table version 1

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
1.1.1.1 4 65001 116 116 1 0 0 00:01:09 0

In VPNv4 address-family configuration, you simply issue the neighbor statement and the keyword “activate”. The BGP peering configuration needs to be done outside the address-family. The router understands that VPNv4 peering needs to activate extended communities so it automatically configured the statement highlighted above. In regards to the VPNv4 BGP peering, we can’t see any prefixes for now since there is no peering yet between the PE s and CEs.


Configure Peering between PE routers R1 and R4 to customer routers CUST_A-R1 and CUST-A-R2. Announce Loopback 10 and 100 in the CE routers. Verify connectivity.

R1(config)# router bgp 65001
R1(config-router)# address-family vpnv4
R1(config-router-af)# address-family ipv4 vrf CUST-A
R1(config-router-af)# neighbor 15.15.15.5 remote-as 65002
R1(config-router-af)# neighbor 15.15.15.5 activate
R1(config-router-af)# neighbor 15.15.15.5 as-override

CUST_A-R1(config)# router bgp 65002
CUST_A-R1(config-router)# neighbor 15.15.15.1 remote-as 65001
CUST_A-R1(config-router)# network 5.5.5.5 mask 255.255.255.255
CUST_A-R1(config-router)# network 55.55.55.55 mask 255.255.255.255

R4(config)# router bgp 65001
R4(config-router)# address-family ipv4 vrf CUST-A
R4(config-router-af)# neighbor 46.46.46.6 remote-as 65002
R4(config-router-af)# neighbor 46.46.46.6 activate
R4(config-router-af)# neighbor 46.46.46.6 as-override

CUST_A-R2(config)# router bgp 65002
CUST_A-R2(config-router)# network 6.6.6.6 mask 255.255.255.255
CUST_A-R2(config-router)# network 66.66.66.66 mask 255.255.255.255
CUST_A-R2(config-router)# neighbor 46.46.46.4 remote-as 65001


The PE is configured with an “address-family ipv4 vrf” when peering with the CE routers. The “as-override” command replaces the AS of the route to circumvent the BGP loop prevention. BGP loop prevention blocks any route that it receives from an eBGP peer with its own AS (65002 in this case) inside it. The AS for the customer is 65002, but notice the output below, the PE’s replaced the AS to 65001 to enable communication between these two routers with the same AS inside an MPLS cloud. CUST_A-R2 is now able to see the CUST_A-R1 routes but with a different AS. Another way to do this is to configure a neighbor statement with “allowas-in” keyword.

R1#show ip bgp vpnv4 vrf CUST-A
BGP table version is 7, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 65002:1 (default for vrf CUST-A)
*> 5.5.5.5/32 15.15.15.5 0 0 65002 i
*>i6.6.6.6/32 4.4.4.4 0 100 0 65002 i
*> 55.55.55.55/32 15.15.15.5 0 0 65002 i

CUST_A-R2#sh ip bgp
BGP table version is 5, local router ID is 66.66.66.66
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 5.5.5.5/32 46.46.46.4 0 65001 65001 i
*> 6.6.6.6/32 0.0.0.0 0 32768 i
*> 55.55.55.55/32 46.46.46.4 0 65001 65001 i
*> 66.66.66.66/32 0.0.0.0 0 32768 i
Lets check and verify connectivity.
CUST_A-R2#traceroute 55.55.55.55 source l100

Type escape sequence to abort.
Tracing the route to 55.55.55.55

1 46.46.46.4 24 msec 28 msec 20 msec
2 34.34.34.3 88 msec 92 msec 100 msec
3 23.23.23.2 108 msec 92 msec 80 msec
4 15.15.15.1 80 msec 68 msec 72 msec
5 15.15.15.5 88 msec 88 msec 80 msec


As we can see, there is a full reachability between the CE routers but the traceroute shows the path it took inside the service provider core network. This is not an advisable behavior, normally service provider from the customer any information about its core network.

Let’s configure a way to do that.
R1(config)# no mpls ip propagate-ttl
R4(config)# no mpls ip propagate-ttl
Let’s test that again.
CUST_A-R2#traceroute 55.55.55.55 source l100

Type escape sequence to abort.
Tracing the route to 55.55.55.55

1 46.46.46.4 28 msec 16 msec 20 msec
2 15.15.15.1 80 msec 80 msec 80 msec
3 15.15.15.5 108 msec 104 msec 96 msec


Now, the service provider network has been hidden through the “no mpls ip propagate-ttl” command.

JUNIPER JUNOS TIME ZONES

February 13, 2014, 1:47 am
$
0
0
JUNIPER TIME ZONES
JUNIPER JUNOS OS TIME ZONES

To import and install time zone files, follow these steps:
Download the time zone files archive and untar them to a temporary directory such as /var/tmp:

    # mkdir -p /var/tmp/tz && cd /var/tmp/tz && rm *
    # wget 'ftp://ftp.iana.org/tz/tzdata-latest.tar.gz'
    # tar xvzf tzdata*.gz

    africa
    antarctica
    asia
    australasia
    europe
    northamerica
    southamerica
    pacificnew
    etcetera
    factory
    backward
    systemv
    solar87
    solar88
    solar89
    iso3166.tab
    zone.tab
    leapseconds
    yearistype.sh

Note: If needed, you can edit the above untarred files to create or modify time zones.

Select the names of time zone files to compile and feed them to the following script.

For example, to generate northamerica and asia tz files:

    # /usr/libexec/ui/compile-tz asia northamerica

Enable the use of the generated tz files using the CLI:

    # set system use-imported-time-zones

    # set system time-zone ?

This should show the newly generated tz files in /var/db/zoneinfo/.
Set the time zone and commit the configuration:

    # set system time-zone <your-time-zone>
    # commit

Verify that the time zone change has taken effect:

    # run show system uptime

Configuring a Custom Time Zone

To use a custom time zone, follow these steps:

Download a time zones archive (from a known or designated source) to the router or switch. Compile the time zone archive using the zic time zone compiler, which generates tz files.

Using the CLI, configure the router or switch to enable the use of the generated tz files as follows:

    user@host# set system use-imported-time-zones

    Display the imported time zones (saved in the directory /var/db/zoneinfo/):

    user@host# set system time-zone ?


If you do not configure the router to use imported time zones, the Junos OS default time zones are shown (saved in the directory /usr/share/zoneinfo/).

time-zone
Syntax
time-zone (GMT hour-offset | time-zone);

Description
Set the local time zone. To have the time zone change take effect for all processes running on the router or switch, you must reboot the router or switch.

Default
UTC

Options
GMT hour-offset—Set the time zone relative to UTC time.

Range: –14 through +12

Default: 0

time-zone—Specify the time zone as UTC, which is the default time zone, or as a string such as PDT (Pacific Daylight Time), or use one of the following continents and major cities:

Africa/Abidjan, Africa/Accra, Africa/Addis_Ababa, Africa/Algiers, Africa/Asmera, Africa/Bamako, Africa/Bangui, Africa/Banjul, Africa/Bissau, Africa/Blantyre, Africa/Brazzaville, Africa/Bujumbura, Africa/Cairo, Africa/Casablanca, Africa/Ceuta, Africa/Conakry, Africa/Dakar, Africa/Dar_es_Salaam, Africa/Djibouti, Africa/Douala, Africa/El_Aaiun, Africa/Freetown, Africa/Gaborone, Africa/Harare, Africa/Johannesburg, Africa/Kampala, Africa/Khartoum, Africa/Kigali, Africa/Kinshasa, Africa/Lagos, Africa/Libreville, Africa/Lome, Africa/Luanda, Africa/Lubumbashi, Africa/Lusaka, Africa/Malabo, Africa/Maputo, Africa/Maseru, Africa/Mbabane, Africa/Mogadishu, Africa/Monrovia, Africa/Nairobi, Africa/Ndjamena, Africa/Niamey, Africa/Nouakchott, Africa/Ouagadougou, Africa/Porto-Novo, Africa/Sao_Tome, Africa/Timbuktu, Africa/Tripoli, Africa/Tunis, Africa/WindhoekAmerica/Adak, America/Anchorage, America/Anguilla, America/Antigua, America/Aruba, America/Asuncion, America/Barbados, America/Belize, America/Bogota, America/Boise, America/Buenos_Aires, America/Caracas, America/Catamarca, America/Cayenne, America/Cayman, America/Chicago, America/Cordoba, America/Costa_Rica, America/Cuiaba, America/Curacao, America/Dawson, America/Dawson_Creek, America/Denver, America/Detroit, America/Dominica, America/Edmonton, America/El_Salvador, America/Ensenada, America/Fortaleza, America/Glace_Bay, America/Godthab, America/Goose_Bay, America/Grand_Turk, America/Grenada, America/Guadeloupe, America/Guatemala, America/Guayaquil, America/Guyana, America/Halifax, America/Havana, America/Indiana/Knox, America/Indiana/Marengo, America/Indiana/Vevay, America/Indianapolis, America/Inuvik, America/Iqaluit, America/Jamaica, America/Jujuy, America/Juneau, America/La_Paz, America/Lima, America/Los_Angeles, America/Louisville, America/Maceio, America/Managua, America/Manaus, America/Martinique, America/Mazatlan, America/Mendoza, America/Menominee, America/Mexico_City, America/Miquelon, America/Montevideo, America/Montreal, America/Montserrat, America/Nassau, America/New_York, America/Nipigon, America/Nome, America/Noronha, America/Panama, America/Pangnirtung, America/Paramaribo, America/Phoenix, America/Port-au-Prince, America/Port_of_Spain, America/Porto_Acre, America/Puerto_Rico, America/Rainy_River, America/Rankin_Inlet, America/Regina, America/Rosario, America/Santiago, America/Santo_Domingo, America/Sao_Paulo, America/Scoresbysund, America/Shiprock, America/St_Johns, America/St_Kitts, America/St_Lucia, America/St_Thomas, America/St_Vincent, America/Swift_Current, America/Tegucigalpa, America/Thule, America/Thunder_Bay, America/Tijuana, America/Tortola, America/Vancouver, America/Whitehorse, America/Winnipeg, America/Yakutat, America/YellowknifeAntarctica/Casey, Antarctica/DumontDUrville, Antarctica/Mawson, Antarctica/McMurdo, Antarctica/Palmer, Antarctica/South_PoleArctic/LongyearbyenAsia/Aden, Asia/Alma-Ata, Asia/Amman, Asia/Anadyr, Asia/Aqtau, Asia/Aqtobe, Asia/Ashkhabad, Asia/Baghdad, Asia/Bahrain, Asia/Baku, Asia/Bangkok, Asia/Beirut, Asia/Bishkek, Asia/Brunei, Asia/Calcutta, Asia/Chungking, Asia/Colombo, Asia/Dacca, Asia/Damascus, Asia/Dubai, Asia/Dushanbe, Asia/Gaza, Asia/Harbin, Asia/Hong_Kong, Asia/Irkutsk, Asia/Ishigaki, Asia/Jakarta, Asia/Jayapura, Asia/Jerusalem, Asia/Kabul, Asia/Kamchatka, Asia/Karachi, Asia/Kashgar, Asia/Katmandu, Asia/Krasnoyarsk, Asia/Kuala_Lumpur, Asia/Kuching, Asia/Kuwait, Asia/Macao, Asia/Magadan, Asia/Manila, Asia/Muscat, Asia/Nicosia, Asia/Novosibirsk, Asia/Omsk, Asia/Phnom_Penh, Asia/Pyongyang, Asia/Qatar, Asia/Rangoon, Asia/Riyadh, Asia/Saigon, Asia/Seoul, Asia/Shanghai, Asia/Singapore, Asia/Taipei, Asia/Tashkent, Asia/Tbilisi, Asia/Tehran, Asia/Thimbu, Asia/Tokyo, Asia/Ujung_Pandang, Asia/Ulan_Bator, Asia/Urumqi, Asia/Vientiane, Asia/Vladivostok, Asia/Yakutsk, Asia/Yekaterinburg, Asia/YerevanAtlantic/Azores, Atlantic/Bermuda, Atlantic/Canary, Atlantic/Cape_Verde, Atlantic/Faeroe, Atlantic/Jan_Mayen, Atlantic/Madeira, Atlantic/Reykjavik, Atlantic/South_Georgia, Atlantic/St_Helena, Atlantic/StanleyAustralia/Adelaide, Australia/Brisbane, Australia/Broken_Hill, Australia/Darwin, Australia/Hobart, Australia/Lindeman, Australia/Lord_Howe, Australia/Melbourne, Australia/Perth, Australia/SydneyEurope/Amsterdam, Europe/Andorra, Europe/Athens, Europe/Belfast, Europe/Belgrade, Europe/Berlin, Europe/Bratislava, Europe/Brussels, Europe/Bucharest, Europe/Budapest, Europe/Chisinau, Europe/Copenhagen, Europe/Dublin, Europe/Gibraltar, Europe/Helsinki, Europe/Istanbul, Europe/Kaliningrad, Europe/Kiev, Europe/Lisbon, Europe/Ljubljana, Europe/London, Europe/Luxembourg, Europe/Madrid, Europe/Malta, Europe/Minsk, Europe/Monaco, Europe/Moscow, Europe/Oslo, Europe/Paris, Europe/Prague, Europe/Riga, Europe/Rome, Europe/Samara, Europe/San_Marino, Europe/Sarajevo, Europe/Simferopol, Europe/Skopje, Europe/Sofia, Europe/Stockholm, Europe/Tallinn, Europe/Tirane, Europe/Vaduz, Europe/Vatican, Europe/Vienna, Europe/Vilnius, Europe/Warsaw, Europe/Zagreb, Europe/ZurichIndian/Antananarivo, Indian/Chagos, Indian/Christmas, Indian/Cocos, Indian/Comoro, Indian/Kerguelen, Indian/Mahe, Indian/Maldives, Indian/Mauritius, Indian/Mayotte, Indian/ReunionPacific/Apia, Pacific/Auckland, Pacific/Chatham, Pacific/Easter, Pacific/Efate, Pacific/Enderbury, Pacific/Fakaofo, Pacific/Fiji, Pacific/Funafuti, Pacific/Galapagos, Pacific/Gambier, Pacific/Guadalcanal, Pacific/Guam, Pacific/Honolulu, Pacific/Johnston, Pacific/Kiritimati, Pacific/Kosrae, Pacific/Kwajalein, Pacific/Majuro, Pacific/Marquesas, Pacific/Midway, Pacific/Nauru, Pacific/Niue, Pacific/Norfolk, Pacific/Noumea, Pacific/Pago_Pago, Pacific/Palau, Pacific/Pitcairn, Pacific/Ponape, Pacific/Port_Moresby, Pacific/Rarotonga, Pacific/Saipan, Pacific/Tahiti, Pacific/Tarawa, Pacific/Tongatapu, Pacific/Truk, Pacific/Wake, Pacific/Wallis, Pacific/Yap

CISCO SWITCH PORT ACLs

February 14, 2014, 6:03 am
$
0
0
How To Configure Switch Port ACLs?

ACLs can also be used to control traffic on VLANs. Switch port ACLs can only be applied to Layer 2 interfaces in the inbound direction, and this controls traffic via IP access Lists.

Switch port ACL application is usually effective when applied on a trunk port, be warned that, if applied on a port with voice VLAN, the ACL filters traffic on both data and voice VLANs. The switch examines ACLs associated with features configured on a given interface and either permits or denies packet forwarding based on the criteria found in the entries of the ACL. 

With switch port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic using MAC addresses.

We use the topology below as sample. follow me as we configure SW1 with ACLs to permit PC A to access Server A, and deny PC B from accessing the same network.


Complex ACLs

SW1(config)# mac access-list extended orbit123

SW1(config-ext-macl)# deny any host 000e.53ac.9b72

SW1(config-ext-macl)# permit any any

Switch(config)# int f0/3

Switch(config)# mac access-group orbit123 in

Looking at the configuration commands above, you can see that we created and extended named access list which is our only option. After creating the access list, we applied in on and interface (fa0/3). It more like the same with IP list, except that you start your command statement with mac.

Verify Configuration:
Use the Show access-list command to verify your configuration.

SW1#show access-list

ALIEN VAULT OSSIM INSTALLATION & CONFIGURATION

February 17, 2014, 6:32 pm
$
0
0
ALIEN VAULT OSSIM 4.3.4 INSTALLATION & CONFIGURATION

1. Download OSSIM from the below mentioned URL.
    http://www.alienvault.com/open-threat-exchange/projects#ossim-tab

2. write iso to cd using any iso burner (imgburn etc.)

3. Boot from CD and start installation of OSSIM 4.3.4
    There are two types of installation
    3.1USM (Unified Security Management)
    3.2 Sensor (log collector)
    
    I have to configure a server for analysis and reporting for that i selected 
    USM.

4. Select language which ever you needs to be default and press "continue"

5. Select you country, if you didn't find in list then goto other to select your 
    country and press "continue"

6. Select region in which your country exist and press "continue" 

7. Select you country and press "continue"

8. Select locale settings as default and press "continue"

9. Select your keyboard layout and press "Continue"

10. Add IP address (10.10.xxx.xxx) for your server and press "continue"

11. Add Netmask as per your IP scheme and press "continue"

12. Add default gateway IP for your server and press "continue"

13. Add the DNS address or use google dns e.g. 8.8.8.8 and press "continue"

14. Choose the password for your root account and press "continue"

15. Installer will configure all those settings and complete installation.

16. Login using root and password as you had chosen at the time of 
     installation.

17. AlienVault setup menu will be displayed, configure all required settings 
      as below. 
      System settings (network configuration, mail relay, local configuration, 
      Hostname)
      System Updates (update, upgrade)
      Configure Sensor (listening interface, server ip, Monitored networks, 
      data sources, netflow generator )
      Maintenance (repair database, change password, reboot or shutdown 
      appliance, services)
      Tools (tools to view logs or monitor server)
      Jailbreak this Appliance (get the shellprompt to customize)
      About (info about server)
       Apply changes (After completing configuration, apply all those settings)

18. To access the dashboard use URL with your management interface IP.
      https://10.10.x.x
Search

SHUN COMMAND TO BLOCK ATTACKER

February 18, 2014, 8:38 pm
$
0
0
Block Attacks with a Cisco ASA Firewall and IDS using the shun command:
An Intrusion Detection system as we know can either work in Inline Mode (IPS) or in promiscuous mode (IDS). In inline mode, the IPS sensor can detect and block attacks by itself since all traffic passes through the sensor. However, in promiscuous mode, the IDS sensor can not block attacks by itself, but has to instruct the firewall to block the attack.


The IDS sensor in blow diagram is connected in “parallel” (not inline) with the ASA firewall. The “Sensing Interface” of the IDS appliance is connected on the outside (Internet) network zone and is continuously monitoring traffic to detect attacks. The “Control Interface” of the IDS appliance is connected on the inside network zone and is used to communicate with the ASA firewall. If an attack is detected (e.g Attacker at address 100.100.100.1 is sending malicious traffic to Victim addrBlock Attacks with a Cisco ASA Firewall and IDS using the shun command.
An Intrusion Detection system as we know can either work in Inline Mode (IPS) or in promiscuous mode (IDS). In inline mode, the IPS sensor can detect and block attacks by itself since all traffic passes through the sensor. However, in promiscuous mode, the IDS sensor can not block attacks by itself, but has to instruct the firewall to block the attack.


The IDS sensor in our example is connected in “parallel” (not inline) with the ASA firewall. The “Sensing Interface” of the IDS appliance is connected on the outside (Internet) network zone and is continuously monitoring traffic to detect attacks. The “Control Interface” of the IDS appliance is connected on the inside network zone and is used to communicate with the ASA firewall. If an attack is detected (e.g Attacker at address 100.100.100.1 is sending malicious traffic to Victim address 200.200.200.1), the IDS sensor instructs the ASA firewall (using the “Control Interface”) to block the attacking connection. This is done by the IDS sensor by asking the firewall to use the “shun” command to block the connection.

What is a “shun” command:
The shun command on the ASA Firewall appliance is used to block connections from an attacking host. Packets matching the values in the command are dropped and logged until the blocking function is removed manually or by the Cisco IDS sensor.

The format of the command is as following:
ASA# shun [source IP] [destination IP] 

In our example scenario above, the IDS sensor will instruct the firewall to apply the following shun command:

shun 100.100.100.1 200.200.200.1


The above will block all communication from the attacker to the victim. Cisco IPS/IDS sensors have a timer with which you define how long the command will be active. After that time, the command is removed.ess 200.200.200.1), the IDS sensor instructs the ASA firewall (using the “Control Interface”) to block the attacking connection. This is done by the IDS sensor by asking the firewall to use the “shun” command to block the connection.

What is a “shun” command:
The shun command on the ASA Firewall appliance is used to block connections from an attacking host. Packets matching the values in the command are dropped and logged until the blocking function is removed manually or by the Cisco IDS sensor.

The format of the command is as following:
ASA# shun [source IP] [destination IP] 

In our example scenario above, the IDS sensor will instruct the firewall to apply the following shun command:

shun 100.100.100.1 200.200.200.1

The above will block all communication from the attacker to the victim. Cisco IPS/IDS sensors have a timer with which you define how long the command will be active. After that time, the command is removed.

DISABLE TOUCHPAD OF LAPTOP IN LINUX

February 20, 2014, 9:02 am
$
0
0
How to disable TouchPad of Laptop in Linux?

##use below command to list devices
xinput list

⎡ Virtual core pointer                    id=2[master pointer  (3)]
⎜   ↳ Virtual core XTEST pointer      id=4[slave  pointer  (2)]
⎜   ↳ PixArt USB Optical Mouse        id=9[slave  pointer  (2)]
⎜   ↳ PS/2 Mouse                          id=12[slave  pointer  (2)]
⎜   ↳ AlpsPS/2 ALPS GlidePoint        id=13[slave  pointer  (2)]
⎣ Virtual core keyboard                  id=3[master keyboard (2)]
    ↳ Virtual core XTEST keyboard    id=5[slave  keyboard (3)]
    ↳ Power Button                         id=6[slave  keyboard (3)]
    ↳ Video Bus                              id=7[slave  keyboard (3)]
    ↳ Power Button                         id=8[slave  keyboard (3)]
    ↳ CNA7157                               id=10[slave  keyboard (3)]
    ↳ AT Translated Set 2 keyboard   id=11[slave  keyboard (3)]
    ↳ Toshiba input device                id=14[slave  keyboard (3)]

## To disable "AlpsPS/2 ALPS GlidePoint" touchpad use below command.
xinput set-prop 13 "Device Enabled" 0


## To enable it again use below command.
xinput set-prop 13 "Device Enabled" 1


## To disable touchpad graphically, use below repository in Ubuntu, Linuxmint or Debian

sudo add-apt-repository ppa:atareao/atareao
sudo apt-get update
sudo apt-get install touchpad-indicator

WiMAX

February 21, 2014, 3:44 am
$
0
0
What is WiMAX?
WiMAX stand for "Worldwide Interoperability for Microware Access", a modern wireless network technology that enables fast internet connection even in remote areas. with WiMAX technology you are no longer dependent on a DSL infrastructure in your home or place of work. instead, you connect your PC or network wirelessly to radio stations operated in your region by your provider. As a result, wimax gives you fast, economical broadband internet access, even in places that are not connected to the DSL cable network.


The wimax standard IEEE 802.16 generally defines wimax technology. WiMAX is a wireless communications standard designed to provide 30 to 40 megabit-per-second data rates, with the 2011 update providing up to 1 Gbit/s for fixed stations.

WiMAX is expected to offer initially up to about 40 Mbps capacity per wireless channel for both fixed and portable applications, depending on the particular technical configuration chosen.

WiMAX MIMO refers to the use of Multiple-input multiple-output communications (MIMO) technology on WiMAX, which is the technology brand name for the implementation of the standard IEEE 802.16.

WiMAX implementations that use MIMO technology have become important. The use of MIMO technology improves the reception and allows for a better reach and rate of transmission.

The 802.16 defined MIMO configuration is negotiated dynamically between each individual base station and mobile station. The 802.16 specification supports the ability to support a mix of mobile stations with different MIMO capabilities



802.16 family of standards is officially called WirelessMAN in IEEE, it has been commercialized under the name "WiMAX" by the WiMAX Forum industry alliance. 

DHCP RELAY ON CISCO ASA FIREWALL

February 21, 2014, 6:47 pm
$
0
0
How to Configure DHCP Relay on Cisco ASA Firewall?
The ASA 5500 series firewall can work as DHCP relay agent which means that it receives DHCP requests from clients on one interface and forwards the requests to a DHCP server on another interface. Usually the DHCP server is located in the same layer 3 subnet with its clients. There are situations however where we have only one DHCP server but several layer 3 networks exist (on different security zones on a Cisco ASA) and dynamic IP allocation is required for those networks as well. With the DHCP relay feature, we can connect the DHCP server on one network zone and have the firewall forward all DHCP requests from the other network zones to the DHCP server.

Given diagram illustrates a simple network scenario with three security zones (network interfaces) and a single DHCP server. The three network zones are inside, outside and DMZ. The DHCP clients are connected to the inside network and the DHCP server on the DMZ network. The DHCP requests from the clients on the inside network will be relayed to the server on the DMZ network. The server will assign IP addresses in the range 192.168.1.0/24 to the clients.

Configuration:
First identify the DHCP server and the interface it Is connected to
ciscoasa# conf t
ciscoasa(config)# dhcprelay server 10.1.1.100 DMZ
ciscoasa(config)# dhcprelay timeout 90

Now enable the DHCP relay on the inside interface
ciscoasa(config)# dhcprelay enable inside

Assign the ASA inside interface IP as default gateway for the clients
ciscoasa(config)# dhcprelay setroute inside

Usage Guidelines:
You can add up to four DHCP relay servers per interface. You must add at least one dhcprelay server command to the ASA Firewall configuration before you can enter the dhcprelay enable command. You cannot configure a DHCP client on an interface that has a DHCP relay server configured.

You cannot enable DHCP relay under the following conditions:
  • You cannot enable DHCP relay and the DHCP relay server on the same interface.
  • You cannot enable DCHP relay and a DHCP server (dhcpd enable) on the same interface.

NAT STATE FULL FAILOVER ON CISCO

February 23, 2014, 9:12 pm
$
0
0
CISCO NAT Stateful Failover:
When the word "stateful" is mentioned in the networking world, it usually means that the router or a firewall keeps records of the sessions created. Stateful failover means that whatever sessions that have been recorded in one device the other backup device has a knowledge of it and can act as a backup without those sessions torn down in case the main device fails. It will function as the same as the primary one. NAT has also the failover functionality. This lab will focus on configuring Dynamic NAT failover.

R3 and R4 are NAT routers. R3 is the primary and R4 is the back up NAT router. These must be configured so that 
R4 will provide stateful failover. Subnets in R1 1.1.1.1/32 - 1.1.1.5/32 should be translated to 
123.123.123.1 - .5 /24. The host side ip address must match e.g. 1.1.1.1/32 = 123.123.123.1/32.

These have been preconfigured:
1. OSPF on all routers.
2. Default route and floating static default route in R5.(for 123.123.123.0/24 reachability)
3. Ip OSPF cost in the links from R2 to R3 and R3 to R5 to disable equal cost path load balancing.

1. First let's configure which is the inside and outside part in the NAT configuration.

R3(config)# int se0/2
R3(config-if)# description connected to R2
R3(config-if)# ip nat inside
R3(config-if)# int se0/3
R3(config-if)# description connected to R5
R3(config-if)# ip nat outside

R4(config)# int se0/2
R4(config-if)# description connected to R2
R4(config-if)# ip nat inside
R4(config-if)# int se0/0
R4(config-if)# description connected to R5
R4(config-if)# ip nat outside

2. Configure an access-list list that will match the IP addresses of Loopback0 in R1 and configure a NAT pool where we will get the translations.

Note: The "match-host" keyword makes it possible for exact host to host translation 1.1.1.1/32 = 123.123.123.1/32, .5 = .5 the 
last octet in the ip address will be the same value. It will match the host portion of the IP address.

R3(config)# access-list 1 permit 1.1.1.0 0.0.0.255
R3(config)# ip nat pool LOOPBACK 123.123.123.1 123.123.123.5 prefix-length 24 type match-host

R4(config)# access-list 1 permit 1.1.1.0 0.0.0.255
R4(config)# ip nat pool LOOPBACK 123.123.123.1 123.123.123.5 prefix-length 24 type match-host

3. Configure a NAT stateful ID. This is what makes the stateful failover possible. This configuration will determine which is the primary NAT router and the backup.

R3(config)# ip nat stateful id 1 ----------> This is locally significant.
R3(config-ipnat-snat)# primary 23.23.23.3
R3(config-ipnat-snat-pri)# peer 24.24.24.4
R3(config-ipnat-snat-pri)# mapping-id 1 ---------> This should match on the routers.
R3(config-ipnat-snat-pri)# exit

R4(config)# ip nat stateful id 1 ----------> This is locally significant.
R4(config-ipnat-snat)# backup 24.24.24.4
R4(config-ipnat-snat-pri)# peer 23.23.23.3
R4(config-ipnat-snat-pri)# mapping-id 1 ---------> This should match on the routers.
R4(config-ipnat-snat-pri)# exit

The "peer" keyword here will do that trick on making the 2 routers related. The ip addresses configured on the "primary" and "backup" parameters should be one of the IP addresses in the router which is configured with the "ip nat inside" command. Otherwise, you will get an error message that its not a match.If 2 backups are configured and they are peer with each other, they won't establish a relationship. A router can be configured as a primary for one mapping-id and back up for another.

After configuring these commands, let's see the logs created by the routers.

R3#
*Mar 1 01:36:33.783: %SNAT-5-PROCESS: Id 1, System start converging
*Mar 1 01:36:45.871: SNAT (Receive): CONVERGENCE Message for Router-Id: 1 from Peer Router-Id: 1's entries
*Mar 1 01:36:45.871: %SNAT-5-PROCESS: Id 1, System fully converged

R4#
*Mar 1 01:34:11.803: %SNAT-5-PROCESS: Id 1, System start converging
*Mar 1 01:34:11.811: %SNAT-5-PROCESS: Id 1, System fully converged
*Mar 1 01:34:48.767: %SNAT-5-PROCESS: Id 1, System start converging
*Mar 1 01:34:50.791: SNAT (Receive): CONVERGENCE Message for Router-Id: 1 from Peer Router-Id: 1's entries
*Mar 1 01:34:50.795: %SNAT-5-PROCESS: Id 1, System fully converged

Let's do a show command that will check the status of the Stateful Failover NAT.

R3#show ip snat distributed

Stateful NAT Connected Peers:

SNAT: Mode PRIMARY
: State READY
: Local Address 23.23.23.3
: Local NAT id 1
: Peer Address 24.24.24.4
: Peer NAT id 1
: Mapping List 1

R4#show ip snat distributed

Stateful NAT Connected Peers

SNAT: Mode BACKUP
: State READY
: Local Address 24.24.24.4
: Local NAT id 1
: Peer Address 23.23.23.3
: Peer NAT id 1
: Mapping List 1

4. Configure the IP NAT translation statement mapping access-list 1 and the NAT pool created.

R3(config)# ip nat inside source list 1 pool LOOPBACK mapping-id 1

R4(config)# ip nat inside source list 1 pool LOOPBACK mapping-id 1

5. Now let's test NATing by pingin 5.5.5.5 sourcing from the IP's on Loopback0 on R1. (Will not be shown) We can do "debug ip nat" on R3 and R4, but will only see output in R3 since the traffic passes there. For the sake of a shorter post I will not display the output.

6. Let's check the translation on R3, our main NAT router and afterwards check if R4 is getting the information from the NATing table.

R3#sh ip nat tran
Pro Inside global Inside local Outside local Outside global
icmp 123.123.123.1:20 1.1.1.1:20 5.5.5.5:20 5.5.5.5:20
--- 123.123.123.1 1.1.1.1 --- ---
icmp 123.123.123.2:19 1.1.1.2:19 5.5.5.5:19 5.5.5.5:19
--- 123.123.123.2 1.1.1.2 --- ---
icmp 123.123.123.3:18 1.1.1.3:18 5.5.5.5:18 5.5.5.5:18
--- 123.123.123.3 1.1.1.3 --- ---
icmp 123.123.123.4:17 1.1.1.4:17 5.5.5.5:17 5.5.5.5:17
--- 123.123.123.4 1.1.1.4 --- ---
icmp 123.123.123.5:16 1.1.1.5:16 5.5.5.5:16 5.5.5.5:16
--- 123.123.123.5 1.1.1.5 --- ---

R4#sh ip nat tran
Pro Inside global Inside local Outside local Outside global
icmp 123.123.123.1:20 1.1.1.1:20 5.5.5.5:20 5.5.5.5:20
--- 123.123.123.1 1.1.1.1 --- ---
icmp 123.123.123.2:19 1.1.1.2:19 5.5.5.5:19 5.5.5.5:19
--- 123.123.123.2 1.1.1.2 --- ---
icmp 123.123.123.3:18 1.1.1.3:18 5.5.5.5:18 5.5.5.5:18
--- 123.123.123.3 1.1.1.3 --- ---
icmp 123.123.123.4:17 1.1.1.4:17 5.5.5.5:17 5.5.5.5:17
--- 123.123.123.4 1.1.1.4 --- ---
icmp 123.123.123.5:16 1.1.1.5:16 5.5.5.5:16 5.5.5.5:16
--- 123.123.123.5 1.1.1.5 --- ---

Though the traffic did not pass through R4, it knows the translation. Notice that the host part of the original ip address and the translated ip address is the same. This is the result of the "match=host" keyword.
Let's see if the failover information by R3 is passed to R4 by a show command.

R4#sh ip snat peer 23.23.23.3

Show NAT Entries created by peer: 23.23.23.3

Pro Inside global Inside local Outside local Outside global
--- 123.123.123.1 1.1.1.1 --- ---
--- 123.123.123.2 1.1.1.2 --- ---
--- 123.123.123.3 1.1.1.3 --- ---
--- 123.123.123.4 1.1.1.4 --- ---
--- 123.123.123.5 1.1.1.5 --- ---
icmp 123.123.123.5:16 1.1.1.5:16 5.5.5.5:16 5.5.5.5:16
icmp 123.123.123.4:17 1.1.1.4:17 5.5.5.5:17 5.5.5.5:17
icmp 123.123.123.3:18 1.1.1.3:18 5.5.5.5:18 5.5.5.5:18
icmp 123.123.123.2:19 1.1.1.2:19 5.5.5.5:19 5.5.5.5:19
icmp 123.123.123.1:20 1.1.1.1:20 5.5.5.5:20 5.5.5.5:20


In the even that R3 and the traffic goes to R4, the sessions need not to be restarted as there are already existing translations on R4 which have been passed by R3. Let's shut down the interface in R3 and lets show how R4 reacts.

R4#
*Mar 1 02:11:15.819: %SNAT-5-ALERT: BACKUP staging recovery, replacing Primary
*Mar 1 02:11:15.819: %SNAT-5-PROCESS: Id 1, System start converging
*Mar 1 02:11:15.827: %SNAT-5-PROCESS: Id 1, System fully converged


It places itself as the primary NAT router but the translations that its learned from R3 will continue to be in place. Once R3 goes back up, it will put itself again the backup NAT router.

INTEL 3RD AND 4TH GENERATION PROCESSOR COMPARISON

February 25, 2014, 2:28 am
$
0
0
INTEL 3RD AND 4TH GENERATION MOBILE, DESKTOP AND SERVER PROCESSORS DETAILED COMPARISON.

INTEL 3RD AND 4TH GENERATION MOBILE PROCESSOR COMPARISON
Below Intel url will provide you full list of processors to select and compare detailed features.

INTEL 3RD AND 4TH GENERATION DESKTOP PROCESSOR COMPARISON

INTEL 3RD AND 4TH GENERATION SERVER PROCESSOR COMPARISON

MICROSOFT PATCH MANAGEMENT

February 26, 2014, 2:28 am
$
0
0
Microsoft Patch Management
Patch management is a circular process and must be ongoing. The unfortunate reality about software vulnerabilities is that, after you apply a patch today, a new vulnerability must be addressed tomorrow.

Develop and automate a patch management process that includes each of the following:

Detect:Use tools to scan your systems for missing security patches. The detection should be automated and will trigger the patch management process.

Assess:If necessary updates are not installed, determine the severity of the issue(s) addressed by the patch and the mitigating factors that may influence your decision. By balancing the severity of the issue and mitigating factors, you can determine if the vulnerabilities are a threat to your current environment.

Acquire:If the vulnerability is not addressed by the security measures already in place, download the patch for testing.

Test:Install the patch on a test system to verify the ramifications of the update against your production configuration.

Deploy:Deploy the patch to production computers. Make sure your applications are not affected. Employ your rollback or backup restore plan if needed.

Maintain:Subscribe to notifications that alert you to vulnerabilities as they are reported. Begin the patch management process again.

The Role of MBSA in Patch Management
The Microsoft Baseline Security Analyzer (MBSA) is a tool that is designed for two purposes:
1. To scan a computer against vulnerable configurations
2. To detect the availability of security updates those are released by Microsoft

MBSA scan options
When using the command line interface (Mbsacli.exe), you can use the following command to scan only missing security updates.

Mbsacli.exe /n OS+IIS+SQL+PASSWORD

The option /n specifies the checks to skip. The selection (OS+IIS+SQL+PASSWORD) skips the checks for vulnerabilities and weak passwords.
Search

POPULAR ISO STANDARDS

February 26, 2014, 4:33 am
$
0
0
POPULAR ISO STANDARDS

ISO 9000   Quality management
ISO 14000 Environmental management
ISO 3166   Country codes
ISO 26000 Social responsibility
ISO 50001 Energy management
ISO 31000 Risk management
ISO 22000 Food safety management
ISO 27001 Information security management
ISO 20121 Sustainable events

What is a standard?

A standard is a document that provides requirements, specifications, guidelines or characteristics that can be used consistently to ensure that materials, products, processes and services are fit for their purpose.

How does ISO develop standards?
An ISO standard is developed by a panel of experts, within a technical committee. Once the need for a standard has been established, these experts meet to discuss and negotiate a draft standard. As soon as a draft has been developed it is shared with ISO’s members who are asked to comment and vote on it. If a consensus is reached the draft becomes an ISO standard, if not it goes back to the technical committee for further edits.

What are the benefits of ISO International Standards?
ISO International Standards ensure that products and services are safe, reliable and of good quality. For business, they are strategic tools that reduce costs by minimizing waste and errors, and increasing productivity. They help companies to access new markets, level the playing field for developing countries and facilitate free and fair global trade.

7 KEYS OF WORLDWIDE INTERNET SECURITY

March 2, 2014, 10:03 pm
$
0
0
Seven people who hold the keys to worldwide internet security

A group of people, from all over the world, who each hold a key to the internet. Together, their keys create a master key, which in turn controls one of the central security measures at the core of the web.

The key-holders have been meeting four times a year, twice on the east coast of the US and twice here on the west, since 2010. A selected group of security experts from around the world. All have long backgrounds in internet security and work for various international institutions. They were chosen for their geographical spread as well as their experience – no one country is allowed to have too many key-holders. They travel to the ceremony at their own, or their employer's, expense.

What these men and women control is the system at the heart of the web: the domain name system, or DNS. This is the internet's version of a telephone directory – a series of registers linking web addresses to a series of numbers, called IP addresses. Without these addresses, you would need to know a long sequence of numbers for every site you wanted to visit. To get to the Google, for instance, you'd have to enter "173.194.115.104" instead of google.com.

The master key is part of a new global effort to make the whole domain name system secure and the internet safer: every time the keyholders meet, they are verifying that each entry in these online "phone books" is authentic. This prevents a proliferation of fake web addresses which could lead people to malicious sites, used to hack computers or steal credit card details.

The east and west coast ceremonies each have seven keyholders, with a further seven people around the world who could access a last-resort measure to reconstruct the system if something calamitous were to happen. Each of the 14 primary keyholders owns a traditional metal key to a safety deposit box, which in turn contains a smartcard, which in turn activates a machine that creates a new master key. The backup keyholders have something a bit different: smartcards that contain a fragment of code needed to build a replacement key-generating machine. Once a year, these shadow holders send the organisation that runs the system – the Internet Corporation for Assigned Names and Numbers (Icann).

Who Maintaining the Process?
The US-based, not-for-profit organisation Icann

ISO 27001:2005 VS 27001:2013

March 3, 2014, 2:07 am
$
0
0
COMPARISON OF ISO 27001:2005 TO 27001:2013

This is to show changes introduced in ISMS standard ISO 27001:2013 with respect to ISO 27001:2005
27001:2005
27001:2013

A.5 Information Security Policy
A.5.1 Management Directions for Information Security
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
A.5.1.1 Information security policy document
A.5.1.1 Policies for information security
A.5.1.2 Review of the information security policy
A.5.1.2 Review of the policies for information security

27001:2005
27001:2013

A.6 Organization of information security
A.6.1 Internal Organization
Objective: To establish a management framework to initiate and control the implementation of information security within the organization.
A.6.1.3 Allocation of information security responsibilities
A.6.1.1 Information security roles and responsibilities
A.8.1.1 Roles and responsibilities
A.6.1.6 Contact with authorities
A.6.1.2 Contact with authorities
A.6.1.7 Contact with special interest groups
A.6.1.3 Contact with special interest groups

A.6.1.4 Information security in project management
A.10.1.3 Segregation of duties
A.6.1.5 Segregation of duties

27001:2005
27001:2013
A.6.2 Mobile devices and teleworking
Objective: To ensure the security of teleworking and use of mobile devices.
A.11.7.1 Mobile computing and communications
A.6.2.1 Mobile device policy
A.11.7.2 Teleworking
A.6.2.2 Teleworking

27001:2005
27001:2013

A.7 Human Resource Security
A.7.1 Prior to employment
Objective: To ensure that employees, contractors and external party users understand their responsibilities and are suitable for the roles they are considered for.
A.8.1.2 Screening
A.7.1.1 Screening
A.8.1.3 Terms and conditions of employment
A.7.1.2 Terms and conditions of employment

27001:2005
27001:2013
A.7.2 During Employment
Objective: To ensure that employees and external party users are aware of, and fulfill, their information security responsibilities.
A.8.2.1 Management responsibilities
A.7.2.1 Management responsibilities
A.8.2.2 Information security awareness, education and training
A.7.2.2 Information security awareness, education and training
A.8.2.3 Disciplinary process
A.7.2.3 Disciplinary process

27001:2005
27001:2013
A.7.3 Termination and change of employment
Objective: To protect the organization’s interests as part of the process of changing or terminating employment.
A.8.3.1 Termination responsibilities
A.7.3.1 Termination or change of employment responsibilities

27001:2005
27001:2013

A.8 Asset Management
A.8.1 Responsibility for Assets
Objective: To achieve and maintain appropriate protection of organization assets.
A.7.1.1 Inventory of assets
A.8.1.1 Inventory of assets
A.7.1.2 Ownership of assets
A.8.1.2 Ownership of assets
A.7.1.3 Acceptable use of assets
A.8.1.3 Acceptable use of assets

27001:2005
27001:2013
A.8.2 Information classification
Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.
A.7.2.1 Classification guidelines
A.8.2.1 Classification of information
A.7.2.2 Information labeling and handling
A.8.2.2 Labeling of information
A.7.2.3 Information Handling procedures
A.8.2.3 Handling of assets
A.8.3.2 Return of assets
A.8.2.4 Return of assets

27001:2005
27001:2013
A.8.3 Media Handling
Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.
A.10.7.1 Management of removable media
A.8.3.1 Management of removable media
A.10.7.2 Disposal of Media
A.8.3.2 Disposal of media
A.10.8.3 Physical media in transit
A.8.3.3 Physical media transfer

27001:2005
27001:2013

A.9 Logical Security / Access Control
A.9.1 Business requirements of access control
Objective: To restrict access to information and information processing facilities.
A.11.1.1 Access control policy
A.9.1.1 Access control policy
A.11.4.1 Policy on use of network services
A.9.1.2 Policy on the use of network services

27001:2005
27001:2013
A.9.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.
A.11.2.1 User registration
A.9.2.1 User registration and de-registration
A.11.5.2 User identification and authentication
A.11.2.2 Privilege management
A.9.2.2 Privilege management
A.11.2.3 User password management
A.9.2.3 Management of secret authentication information of users
A.11.2.4 Review of user access rights
A.9.2.4 Review of user access rights
A.8.3.3 Removal of access rights
A.9.2.5 Removal or adjustment of access rights

27001:2005
27001:2013
A.9.3 User responsibilities
Objective: To make users accountable for safeguarding their authentication information.
A.11.3.1 Password use
A.9.3.1 Use of secret authentication information
A.9.4 System and application access control
Objective: To prevent unauthorized access to systems and application
A.11.6.1 Information access restriction
A.9.4.1 Information access restriction
A.11.5.1 Secure log-on procedures
A.9.4.2 Secure log-on procedures
A.11.5.5 Session time-out
A.11.5.6 Limitation of connection time
A.11.5.3 Password management system
A.9.4.3 Password management system
A.11.5.4 Use of system utilities
A.9.4.4 Use of privileged utility programs
A.12.4.3 Access control to program source code
A.9.4.5 Access control to program source code

27001:2005
27001:2013

A.10 Cryptography
A.10.1 Cryptographic controls
Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information.
A.12.3.1 Policy on the use of cryptographic controls
A.10.1.1 Policy on the use of cryptographic controls
A.12.3.2 Key management
A.10.1.2 Key management

27001:2005
27001:2013

A.11 Physical and environmental security
A.11.1 Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities.
A.9.1.1 Physical security perimeter
A.11.1.1 Physical security perimeter
A.9.1.2 Physical entry controls
A.11.1.2 Physical entry controls
A.9.1.3 Securing offices, rooms and facilities
A.11.1.3 Securing office, room and facilities
A.9.1.4 Protecting against external and environmental threats
A.11.1.4 Protecting against external end environmental threats
A.9.1.5 Working in secure areas
A.11.1.5 Working in secure areas
A.9.1.6 Public access, delivery and loading areas
A.11.1.6 Delivery and loading areas

27001:2005
27001:2013
A.11.2 Equipment
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations.
A.9.2.1 Equipment sitting and protection
A.11.2.1 Equipment siting and protection
A.9.2.2 Supporting utilities
A.11.2.2 Supporting utilities
A.9.2.3 Cabling security
A.11.2.3 Cabling security
A.9.2.4 Equipment maintenance
A.11.2.4 Equipment maintenance
A.9.2.7 Removal of property
A.11.2.5 Removal of assets
A.9.2.5 Security of equipment off-premises
A.11.2.6 Security of equipment and assets off-premises
A.9.2.6 Secure disposal or re-use of equipment
A.11.2.7 Security disposal or re-use of equipment
A.11.3.2 Unattended user equipment
A.11.2.8 Unattended user equipment
A.11.3.3 Clear desk and clear screen policy
A.11.2.9 Clear desk and clear screen policy

27001:2005
27001:2013

A.12 Operations Security
A.12.1 Operational Procedures and Responsibilities
Objective: To ensure the correct and secure operations of information processing facilities.
A.10.1.1 Documented operating procedures
A.12.1.1 Documented operating procedures
A.10.1.2 Change management
A.12.1.2 Change management
A.10.3.1 Capacity management
A.12.1.3 Capacity management
A.10.1.4 Separation of development, test and operational facilities
A.12.1.4 Separation of development, test and operational environments

27001:2005
27001:2013
A.12.2 Protection from Malware
Objective: To ensure that information and information processing facilities are protected against malware.
A.10.4.1 Controls against malicious code
A.12.2.1 Controls against malware
A.12.3 Back-up
Objective: To protect against loss of data.
A.10.5.1 Information back-up
A.12.3.1 Information backup

27001:2005
27001:2013
A.12.4 Logging and Monitoring To record events and generate evidence.
Objective:
A.10.10.1 Audit logging
A.12.4.1 Event logging
A.10.10.3 Protection of log information
A.12.4.2 Protection of log information
A.10.10.3 Protection of log information
A.12.4.3 Administrator and operator logs
A.10.10.4 Administrator and operator logs
A.10.10.6 Clock synchronization
A.12.4.4 Clock synchronization

27001:2005
27001:2013
A.12.5 Control of operational software
Objective: To ensure the integrity of operational systems.
A.12.4.1 Control of operational software
A.12.5.1 Installation of software on operational systems
A.12.6 Technical Vulnerability Management
Objective: To prevent exploitation of technical vulnerabilities.
A.12.6.1 Control of technical vulnerabilities
A.12.6.1 Management of technical vulnerabilities

A.12.6.2 Restrictions on software installation
A.12.7 Information Systems Audit Considerations
Objective: To minimize the impact of audit activities on operational systems.
A.15.3.1 Information system audit controls
A.12.7.1 Information systems audit controls

27001:2005
27001:2013

A.13 Communications Security
A.13.1 Network Security Management
Objective: To ensure the protection of information in networks its supporting information processing facilities.
A.10.6.1 Network controls
A.13.1.1 Network controls
A.10.6.2 Security of network services
A.13.1.2 Security of network services
A.11.4.5 Segregation in Network
A.13.1.3 Segregation in networks

27001:2005
27001:2013
A.13.2 Information transfer
Objective: To maintain the security of information transferred within an organization and with any external entity.
A.10.8.1 Information exchange policies and procedures
A.13.2.1 Information transfer policies and procedures
A.10.8.2 Exchange agreements
A.13.2.2 Agreements on information transfer
A.10.8.4 Electronic messaging
A.13.2.3 Electronic messaging
A.6.1.5 Confidentiality agreements
A.13.2.4 Confidentiality or non-disclosure agreements

27001:2005
27001:2013

A.14 System acquisition, development and maintenance
A.14.1 Security requirements of information systems
Objective: To ensure that security is an integral part of information systems across the entire lifecycle. This includes in particular specific security requirement for information systems which provide services over public networks.
A.12.1.1 Security requirements analysis and specification
A.14.1.1 Security requirements analysis and specification
A.10.9.1 Electronic commerce
A.14.1.2 Securing applications services on public networks
A.10.9.3 Publically available information
A.10.9.2 Online-transactions
A.14.1.3 Protecting application services transactions

27001:2005
27001:2013
A.14.2 Security in development and support processes
Objective: To ensure that information security is designed and implemented whithin the development lifecycle of information systems.

A.14.2.1 Secure development policy
A.12.5.1 change control procedures
A.14.2.2 Change control procedures
A.12.5.2 Technical review of applications after operating system changes
A.14.2.3 Technical review of applications after operating platform changes
A.12.5.3 Restrictions on changes to software packages
A.14.2.4 Restrictions on changes to software packages

A.14.2.5 System development procedures

A.14.2.6 Secure development environment
A.12.5.5 Outsourced software development
A.14.2.7 Outsourced development

A.14.2.8 System security testing
A.10.3.2 System Acceptance
A.14.2.9 System acceptance testing
A.14.3 Test data
Objective: To ensure the protection of data used for testing.
A.12.4.2 Protection of system test data
A.14.3.1 Protection of test data

27001:2005
27001:2013

A.15 Supplier relationships
A.15.1 Security in supplier relationship
Objective: To ensure protection of the organization’s information that is accessible by suppliers.
A.6.2.3 Addressing security in third party agreements
A.15.1.1 Information security policy for supplier relationships
A.6.2.3 Addressing security in third party agreements
A.15.1.2 Addressing security within supplier agreements

A.15.1.3 ICT Supply chain

27001:2005
27001:2013
A.15.2 Supplier service delivery management
Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.
A.10.2.2 Monitoring and review of third party services
A.15.2.1 Monitoring and review of supplier services
A.10.2.3 Managing changes to third party services
A.15.2.2 Managing changes to supplier services

27001:2005
27001:2013

A.16 Information Security Incident Management
A.16.1 Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
A.13.2.1 Responsibilities and Procedures
A.16.1.1 Responsibilities and procedures
A.13.1.1 Reporting information security events
A.16.1.2 Reporting information security events
A.13.1.2 Reporting security weakness
A.16.1.3 Reporting information security weaknesses

A.16.1.4 Assessment and decision of information security events

A.16.1.5 Response to information security incidents
A.13.2.2 Learning from information security incidents
A.16.1.6 Learning from information security incidents
A.13.2.3 Collection of evidence
A.16.1.7 Collection of evidence

27001:2005
27001:2013

A.17 Business Continuity
A.17.1 Information security aspects of business continuity management
Objective: Information security continuity should be embedded in organization’s business continuity management (BCM) to ensure protection of information at any time and to anticipate adverse occurrences.
A.14.1.2 Business continuity and risk assessment
A.17.1.1 Planning information security continuity

A.17.1.2 Implementing information security continuity
A.14.1.5 Testing, maintaining and re-assessing business continuity plans
A.17.1.3 Verify, review and evaluate information security continuity
A.17.2 Redundancies
Objective: to ensure availability of information processing facilities.

A.17.2.1 Availability of information processing facilities

27001:2005
27001:2013

A.18 Compliance
A.18.1 Information security reviews
Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures
A.6.1.8 Independent review of information security
A.18.1.1 Independent review of information security
A.15.2.1 Compliance with security policies
A.18.1.2 Compliance with security policies and standards
A.15.2.2 Technical compliance checking
A.18.1.3 Technical compliance inspection

27001:2005
27001:2013
A.18.2 Compliance with legal and contractual requirements
Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
A.15.1.1 Identification of applicable legislation
A.18.2.1 Identification of application legislation and contractual requirements
A.15.1.2 Intellectual property rights (IPR)
A.18.2.2 Intellectual property rights (IPR)
A.15.1.3 Protection of organizational records
A.18.2.3 Protection of documented information
A.15.1.4 Data protection and privacy of personal information
A.18.2.4 Privacy and protection of personal information
A.15.1.6 Regulation of cryptographic controls
A.18.2.5 Regulation of cryptographic controls



MSTSC - REMOTE DESKTOP SESSION

March 4, 2014, 7:01 am
$
0
0
MSTSC - Remote Access
Creates connections to Remote Desktop Session Host (RD Session Host) servers or other remote computers, edits an existing Remote Desktop Connection (.rdp) configuration file, and migrates legacy connection files that were created with Client Connection Manager to new .rdp connection files.

Command Syntax
mstsc.exe [<Connection File>] [/v:<Server>[:<Port>]] [/admin] [/f] [/w:<Width> /h:<Height>] [/public] [/span]

mstsc.exe /edit <Connection File>

mstsc.exe /migrate

Parameters
Parameter
Description
<Connection File>
Specifies the name of an .rdp file for the connection.
/v:<Server[:<Port>]
Specifies the remote computer and, optionally, the port number to which you want to connect.
/admin
Connects you to a session for administering the server.
/f
Starts Remote Desktop Connection in full-screen mode.
/w:<Width>
Specifies the width of the Remote Desktop window.
/h:<Height>
Specifies the height of the Remote Desktop window.
/public
Runs Remote Desktop in public mode. In public mode, passwords and bitmaps are not cached.
/span
Matches the Remote Desktop width and height with the local virtual desktop, spanning across multiple monitors if necessary.
/edit <Connection File>
Opens the specified .rdp file for editing.
/migrate
Migrates legacy connection files that were created with Client Connection Manager to new .rdp connection files.
/?
Displays help at the command prompt.

Example:
mstsc /v:192.168.1.x

mstsc /v:192.168.1.x:3390

To open a file called filename.rdp for editing
mstsc /edit filename.rdp

PEN-TESTING

March 6, 2014, 3:24 am
$
0
0
What is Pen-Testing?
Penetration testing is the process of attempting to gain access to resources without knowledge of user-names, passwords and other normal means of access. If the focus is on computer resources, then examples of a successful penetration would be obtaining or subverting confidential documents, price lists, databases and other protected information.

The main thing that separates a penetration tester from an attacker is permission. The penetration tester will have permission from the owner of the computing resources that are being tested and will be responsible to provide a report. The goal of a penetration test is to increase the security of the computing resources being tested.

There are a wide variety of tools that are used in penetration testing. These tools are of two main types;
  1. Reconnaissance or vulnerability testing tools
  2. Exploitation tools
While penetration testing is more directly tied to the exploitation tools, the initial scanning and reconnaissance is often done using less intrusive tools. Then once the targets have been identified the exploitation attempts can begin. The line between these tools is very muddy. 

For example CORE IMPACT is a penetration testing tool butt it also has a strong reconnaissance piece. Metasploit 2.5 is clearly a penetration testing tool with almost not reconnaissance functionality but version 3.0 will be adding some reconnaissance features.

Nmap is clearly a reconnaissance tool and Nessus is mainly a reconnaissance tool but it has some penetration testing functionality. Many of the single-purpose tools fall more cleanly into either the reconnaissance or exploitation category.

Reconnaissance Tools:
Reconnaissance often begins with searches of internet databases including DNS registries, WHOIS databases, Google, on-line news sources, business postings, and many other on-line resources. The reconnaissance phase often includes print media as well, specifically electronically searchable archives that would be found at a college library or large public library.

Nmap
Nmap is a popular port scanning tool. Port scanning is typically a part of the reconnaissance phase of a penetration test or an attack. Sometimes attackers will limit their testing to a few ports while other times they will scan all available ports. To do a thorough job, a vulnerability scanner should scan all port and, in most cases, a penetration tester will scan all ports. An actual attacker may chose to not scan all ports if he finds a vulnerability that can be exploited because of the “noise” (excess traffic) a port scanner creates.

Another capability of nmap is its ability to determine the operating system of the target computer. Different networking implementations will respond differently to different network packets. Nmap maintains a type of database and will match the responses to make a guess at what type of operating system the target computer is running. This OS detection isn't perfectly accurate but it can help the attacker tailor his attack strategy, especially when coupled with other pieces of information.

Nessus
Nessus is a popular vulnerability scanner that many security professionals use regularly. Nessus has a huge library of vulnerabilities and tests to identify them. In many cases, Nessus relies on the responses from the target computer without actually trying to exploit the system. Depending on the scope of a vulnerability assessment, the security tester may choose an exploitation tool to verify that reported vulnerabilities are exploitable. Nessus includes port scanning and OS detection, so sometimes a vulnerability assessment will just use Nessus and let Nessus call nmap or other scanners for these components of the test. For a stealthy scan, a security professional or an attacker may choose to run these tools separately to avoid detection.

Packet Manipulation and Password Cracking Tools
There are many other reconnaissance tools within the penetration tester arsenal, but two categories bear special mention here: packet manipulation tools and password cracking tools. The former category includes tools like hping, that allows a penetration tester or attacker to create and send all types of specially crafted TCP/IP packets in order to test and exploit network-based security protections, such as firewalls and IDS/IPS. The password cracking category includes tools like John the Ripper or Cain and Able, which is used to detect and obtain weak password for multiple authentication mechanisms, such as the ones supported by most Unix and Windows operating systems.

Exploitation Tools
Exploitation tools are used to verify that an actual vulnerability exists by exploiting it. It’s one thing to have vulnerability testing software or banners indicate the possibility of an exploitable service, but quite another to exploit that vulnerability. Some of the tools in this category are used by both attackers and penetration testers. There are many more exploitation tools than the ones listed here. Many tools in this category are single-purpose tools that are designed to exploit one vulnerability on a particular hardware platform running a particular version of an exploitable system. The tools that we’ve highlighted here are unique in the fact that they have the ability to exploit multiple vulnerabilities on a variety of hardware and software platforms.

Metasploit Version 2.5
Metasploit is a relatively new addition to the penetration tester’s tool belt. It provides attack libraries attack payloads that can be put together in a modular manner. The main purpose of Metasploit is to get to a command prompt on the target computer. Once a security tester has gotten to a command-line, it is quite possible that the target computer will be under his total control in a short time. The currently released version of Metasploit Framework as of June, 2006 is version 2.5. Version 3.0 is expected out shortly. See the sidebar for some information about Metasploit Framework 3.0.

This is a tool that attackers would use to take over, or own, a computer. Once an attacker can gain this level of access to a computer, they would often install code that would allow them to get back onto the computer more easily in the future. In some cases, a penetration tester would also install tools on the computer, but often they would simply document the access and what data was available and move on to other testing. This would depend on the defined scope of the testing. The security professional also would want to be careful about causing data loss or server instability that may result in lost productivity. A malicious attacker may be more cavalier about using the computer without regard to lost productivity, though a highly skilled attacker targeting a specific company may be very careful not to damage the system so that they can avoid detection.

SecurityForest Exploitation Framework
Although still technically in Beta version, the SecurityForest Exploitation Framework is another open-source tool that can be leveraged by penetration testers. This framework leverages a collection of exploit code known as the ExploitTree, and the Exploitation Framework is a front-end GUI that allows testers to launch exploit code through a Web browser (similar to Metasploit’s Web interface). The Framework is very similar to Metasploit, in fact, with a few key differences. ExploitTree has a remarkable number of exploits included, but the vast majority of these are in pre-compiled format (most likely in a C file) or exist as Perl executables. They are also not natively integrated into the Framework. This framework is not nearly as extensible as
some other tools; it primarily functions as a GUI to launch attacks from.

CORE IMPACT (version 5.1)
CORE IMPACT is a commercial penetration testing tool that combines a healthy dose of reconnaissance with exploitation and reporting into one point and click penetration testing tool. The main purpose of CORE IMPACT is to identify possible vulnerabilities in a program, exploit those vulnerabilities without causing system outages, and clearly document every step along the way so that the entire procedure can be verified by another party.

The CORE IMPACT penetration testing tool makes is easy for a network administrator or penetration tester to run tests against a network or host without having a whole suite of security testing utilities. Overall, we found the program to do a good job of scanning the network for vulnerabilities, successfully exploiting them, and reporting on the results.

One really slick feature of CORE IMPACT is the ability to install an agent on a compromised computer and then launch additional attacks from that computer. This proved useful in an actual penetration testing assignment by allowing the tester to compromise one machine and from there run automated scans inside the network looking for additional machines. Those scans weren’t quite as good as actually being on-site, but it did allow us to discover internal hosts from outside the network.

For most systems, CORE IMPACT will work well, but as Core Security Technologies states in their documentation, it isn’t meant to be a replacement for an experienced penetration tester. One of the areas we ran into some trouble on was when a single IP address had different ports mapped to different servers with different operating systems. Sometimes CORE IMPACT would identify a host as having a given operating system and then refuse to launch a vulnerability against a service that did not match that operating system. In one tested network, a single public IP address was in use by three different computers: an Exchange server, an IIS web server, and a Linux computer running SSH. The OS had been identified as being in the Linux family so an attack against IIS vulnerability wasn’t an option. We were able to work around this by re-scanning the machine using only the ports that mapped to the Windows system.

As a commercial vendor, Core Security Technologies does a lot of testing of their exploit code to ensure that it will not adversely affect the target hosts. In testing CORE IMPACT, we found that it was rare for it to crash systems. There was one case where an unpatched Windows 2003 server rebooted a few times in different testing scenarios. Later, the same test was used to exploit the system and gain access to a command prompt. Other than this one test against an unpatched Windows 2003 server, we did not crash any systems. The reporting feature of CORE IMPACT is quite good. It includes an executive report, a report that lists vulnerabilities and all the machines affected by those vulnerabilities, a detailed report of all hosts and an exhaustive report of every test that was run, when it ran, how long it ran and detailed results of the running.

This last report is one that you don’t need very often but if you do need it, it has all the details do duplicate a test. Keeping accurate notes is one of the most difficult and time consuming tasks for a pen-tester because often many tests are attempted with small variations to the test. CORE IMPACT makes it easy to go back and find any steps that weren’t properly recorded.
Viewing all 195 articles
Browse latest View live
Search