
Upgrade PAN-OS on a Palo Alto firewall

STEP 1: Take a backup

1. Select Device > Setup > Operations and click "Export named configuration snapshot".
2. Select the XML file that contains your running configuration (for example, running-config.xml) and click OK to export the configuration file.
3. Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.

STEP 2: Make sure the firewall is running the content release required by the target PAN-OS version

1. Select Device > Dynamic Updates.
2. If the firewall is not running the minimum required content release (the release notes of the target version state which one), click Check Now to retrieve a list of available updates.
3. Locate and Download the appropriate update.
4. After the download completes, Install the update.

STEP 3: Determine the upgrade path and install the software

1. Select Device > Software and click Check Now to retrieve the list of available releases.
2. Locate and Download the version to which you intend to upgrade.
3. After the download completes, Install the update.
4. After the installation completes successfully, reboot using one of the following methods:
If you are prompted to reboot, click Yes.
If you are not prompted to reboot, select Device > Setup > Operations and click Reboot Device (Device Operations section).

NOTE : You cannot skip installation of any major releases in the path to your target PAN-OS version. Therefore, if you intend to upgrade to a version that is more than one major release away, you must still download, install, and reboot the firewall for each intermediate major release along the upgrade path.

For example, if you want to upgrade from PAN-OS 6.0.11 to PAN-OS 7.1.5, you must:

Download and install PAN-OS 6.1.0 and reboot.
Download and install PAN-OS 7.0.1 and reboot (7.0.1 is the base image for the 7.0 release, not 7.0.0).
Download PAN-OS 7.1.0 (you do not need to install it).
Download and install PAN-OS 7.1.5 and reboot.

STEP 4: Verify that the firewall is passing traffic (Monitor > Session Browser) and that the Dashboard's General Information section shows the expected software version.
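The major-release rule above, turned into a small planner that also emits the CLI equivalent of the Device > Software steps. This is an added example written for these notes, not Palo Alto Networks code; the release table and base-image versions are a constructed assumption built from the 6.0.11 to 7.1.5 example (take the real base image of each release from its release notes), and the firewall versions passed in are hypothetical.

```python
"""Plan a PAN-OS upgrade path under the 'no skipping major releases' rule.

Added example for these notes, not Palo Alto Networks code.  The release table
below is an assumption built from the example in the text; confirm the base
image of each release in its release notes before relying on it.
"""

# Major releases in order, and the base image that must be installed for each.
# 7.0.1 rather than 7.0.0 is the base image for 7.0 (as noted in the text).
MAJOR_RELEASES = ["6.0", "6.1", "7.0", "7.1"]
BASE_IMAGES = {"6.0": "6.0.0", "6.1": "6.1.0", "7.0": "7.0.1", "7.1": "7.1.0"}


def major_of(version):
    """'7.1.5' -> '7.1'."""
    return ".".join(version.split(".")[:2])


def plan_upgrade_path(current, target):
    """Return an ordered list of (action, version) steps.

    'install' means download, install and reboot; 'download' means the image
    only has to be present on the firewall (the base image of the target
    major release).
    """
    cur_major, tgt_major = major_of(current), major_of(target)
    if cur_major not in MAJOR_RELEASES or tgt_major not in MAJOR_RELEASES:
        raise ValueError("version not in the release table")
    start, end = MAJOR_RELEASES.index(cur_major), MAJOR_RELEASES.index(tgt_major)
    if end < start:
        raise ValueError("downgrades are not planned here")

    steps = []
    # Every intermediate major release: install its base image and reboot.
    for major in MAJOR_RELEASES[start + 1:end]:
        steps.append(("install", BASE_IMAGES[major]))
    # Target major release: its base image only needs to be downloaded,
    # unless the base image itself is the target.
    if end > start and BASE_IMAGES[tgt_major] != target:
        steps.append(("download", BASE_IMAGES[tgt_major]))
    if target != current:
        steps.append(("install", target))
    return steps


def cli_commands(steps):
    """Translate the plan into PAN-OS CLI commands (the CLI equivalent of
    Device > Software in the web interface)."""
    cmds = ["request system software check"]
    for action, version in steps:
        cmds.append(f"request system software download version {version}")
        if action == "install":
            cmds.append(f"request system software install version {version}")
            cmds.append("request restart system")
    return cmds


if __name__ == "__main__":
    for cmd in cli_commands(plan_upgrade_path("6.0.11", "7.1.5")):
        print(cmd)
```

Run it with the current and target versions to get the ordered list of images; the content-release check from STEP 2 still has to be done before the first install.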

Register and activate licenses in Palo Alto firewall

Register the Firewall

STEP 1: Log in to the web interface of the firewall (https://<IP address>).
STEP 2: Copy the serial number of the device from the General Information section of the Dashboard.

STEP 3: Go to https://support.paloaltonetworks.com
STEP 4: Register an account and verify the email address.

Note: To register, you must provide your sales order number or customer ID, and the serial number of your firewall (which you can paste from your clipboard) or the authorization code you received with your order. You will also be prompted to set up a username and password for the Palo Alto Networks support portal.
STEP 5: Once the email address is verified, log in to https://support.paloaltonetworks.com using that email address and password.
STEP 6: You will be prompted to choose two security questions and answers to use if you forget the password.
STEP 7: Register the new device under the Assets tab > Devices > Register New Device and fill in the required details.


Activate Licenses and Subscriptions

STEP 1: Locate the activation codes for the licenses you purchased; they were emailed to the address you registered when purchasing the device. If you cannot locate this email, contact customer support to obtain your activation codes before you proceed.
STEP 2: Launch the web interface and go to Device > Licenses.
STEP 3: Activate each license you purchased using one of the following methods:
Retrieve license keys from license server: use this option if you already activated the license on the support portal.

Activate feature using authorization code: use this option to enable purchased subscriptions using an authorization code for licenses that have not yet been activated on the support portal. When prompted, enter the Authorization Code and click OK.

Manually upload license key: use this option if the firewall has no Internet access. Download the license key file from the support site on an Internet-connected computer and then upload it to the firewall.
STEP 4: Verify that the license was successfully activated under Device > Licenses; the issue and expiry dates of each license are shown there once it is active.
STEP 5: (WildFire subscriptions only) Perform a commit to complete WildFire subscription activation.


Different types of attacks in network security

Denial-of-Service (DoS) attacks
A DoS attack aims to disrupt a service or network. The attacker sends more traffic, or more expensive requests, than the target can handle until it is overloaded and can no longer serve legitimate users.

Distributed denial-of-service (DDoS) attacks
Here the attacker uses many computers (typically a botnet of compromised machines) to send the traffic that overloads the target. In many cases the owner does not even realise that his or her computer has been hijacked and is contributing to the attack.

Advanced persistent threat (APT)
An APT is a network attack in which an unauthorised party gains access to a network and stays there undetected for a long period of time. The intention is usually to steal data rather than to cause visible damage to the network or organisation.

Man-in-the-middle (MITM) attacks
A man-in-the-middle attack intercepts a communication between two systems. The attacker captures the data mid-transmission, can read or change it, and forwards it on to the destination. Each side believes it is talking directly to the other. Unauthenticated connections (plain HTTP, unverified certificates, open wifi) are what make this possible.

Brute force attacks
A brute force attack is a trial-and-error method in which a program tries password, PIN or key candidates one after another until one works. It is used by criminals to crack passwords and encrypted data, and by security analysts to test an organisation's defences. A brute force attack is also referred to as brute force cracking; rate limiting, account lockouts and long passphrases are the usual defences.

Spoofing attacks
In a spoofing attack the attacker forges the source address of a packet so the receiver assumes it came from someone else. This technique is typically used to bypass address-based firewall rules (and, with UDP services, to reflect traffic at a victim).

Ping sweep attacks
The attacker pings all possible IP addresses on a subnet to find out which hosts are up. Once a live host is found, its listening ports are scanned. From the listening ports the attacker learns which services are running on the system and then tries to exploit the vulnerabilities associated with those services.

Phishing attacks
The attacker creates a fake email address or website that looks like a reputable sender or a popular site. These emails carry a convincing message, sometimes with a link that leads to a fake site which looks exactly like the original. Without realising it, the user logs on with their account information; the attacker records these credentials and uses them on the real site.

Passive attacks
The attacker deploys a sniffer and waits for sensitive information to pass by. This information can then be used for other types of attack. It includes packet sniffer tools, traffic analysis software, picking clear-text passwords out of unencrypted traffic and looking for authentication information in unprotected communications. Once the attacker has found the information needed, it is used without the knowledge of the user.

Active attacks
Here the attacker does not wait for sensitive or authentication information but actively tries to break or bypass the secured systems. This includes viruses, worms, trojan horses, stealing login information, inserting malicious code and penetrating the network backbone. Active attacks are the most damaging: they result in disclosure of sensitive information, modification of data or complete loss of data.

BlackNurse attack
Also called the low-rate "Ping of Death", this is a DoS technique that sends specially crafted ICMP packets, specifically ICMP Type 3 (Destination Unreachable) Code 3 (Port Unreachable) rather than ordinary echo-request pings, at a firewall. At rates of only a few tens of Mbit/s these packets overwhelm the CPU of some firewalls from Cisco, Palo Alto Networks and others, which then drop legitimate traffic for everything behind them. The mitigation is to drop or rate-limit ICMP type 3 code 3 at the edge.
URL : http://blacknurse.dk/
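Detection logic for two of the attacks above, brute force and ping sweeps, as an added example that is not part of the original post. The log lines are constructed for the example, and their formats (syslog-style sshd lines and a one-line-per-packet firewall ICMP log) are assumptions; adjust the regexes to your own sources.

```python
"""Threshold detection for SSH brute force and ICMP ping sweeps.

Added example for these notes; the log lines and their formats are constructed
assumptions, not output of any particular product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style syslog lines: one source fails five times in a few
# seconds and then succeeds; another source fails twice, minutes apart.
SSH_LOG = """\
2023-01-10T10:00:01 host sshd[100]: Failed password for root from 203.0.113.9 port 5001 ssh2
2023-01-10T10:00:02 host sshd[101]: Failed password for admin from 203.0.113.9 port 5002 ssh2
2023-01-10T10:00:03 host sshd[102]: Failed password for root from 203.0.113.9 port 5003 ssh2
2023-01-10T10:00:04 host sshd[103]: Failed password for root from 203.0.113.9 port 5004 ssh2
2023-01-10T10:00:05 host sshd[104]: Failed password for root from 203.0.113.9 port 5005 ssh2
2023-01-10T10:00:06 host sshd[105]: Accepted password for root from 203.0.113.9 port 5006 ssh2
2023-01-10T10:00:07 host sshd[106]: Failed password for bob from 198.51.100.4 port 6001 ssh2
2023-01-10T10:03:07 host sshd[107]: Failed password for bob from 198.51.100.4 port 6002 ssh2
"""
SSH_RE = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port"
)

# Constructed firewall lines: one source sweeps 20 hosts of 10.0.0.0/24,
# a legitimate host pings a single address.
FW_LOG = "\n".join(
    [f"2023-01-10T11:00:0{i % 10} fw: ICMP echo-request src=203.0.113.9 dst=10.0.0.{i}"
     for i in range(1, 21)]
    + ["2023-01-10T11:00:05 fw: ICMP echo-request src=10.0.0.50 dst=10.0.0.1"]
)
ICMP_RE = re.compile(r"ICMP echo-request src=(\S+) dst=(\S+)")


def detect_ssh_brute_force(log, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of failed logins per source address.

    Returns (flagged, compromised): flagged maps a source to the number of
    failures seen inside `window` when it crossed `threshold`; compromised
    is the set of flagged sources that later got an 'Accepted' login, which
    is the case that needs an immediate response, not just an alert.
    """
    failures = defaultdict(list)
    flagged, compromised = {}, set()
    for line in log.splitlines():
        m = SSH_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        outcome, src = m.group(2), m.group(4)
        if outcome == "Failed":
            # keep only the failures that are still inside the window
            recent = [t for t in failures[src] if ts - t <= window] + [ts]
            failures[src] = recent
            if len(recent) >= threshold:
                flagged[src] = len(recent)
        elif src in flagged:
            compromised.add(src)
    return flagged, compromised


def detect_ping_sweep(log, min_targets=16):
    """Sources that sent echo requests to at least `min_targets` distinct hosts."""
    targets = defaultdict(set)
    for line in log.splitlines():
        m = ICMP_RE.search(line)
        if m:
            targets[m.group(1)].add(m.group(2))
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    print(detect_ssh_brute_force(SSH_LOG))   # ({'203.0.113.9': 5}, {'203.0.113.9'})
    print(detect_ping_sweep(FW_LOG))         # {'203.0.113.9': 20}
```

The thresholds are deliberately low so the constructed sample trips them; in production tune `threshold`, `window` and `min_targets` against a baseline of your own traffic, and treat the "compromised" set as an incident rather than an alert.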

The list above is not complete. It will be updated periodically; please let me know if I missed anything important.

Short note on basic Cisco ISE (Identity Services Engine) features

Cisco ISE (Identity Services Engine) is a security policy management platform that controls access to network resources. It functions as the policy decision point and enables enterprises to ensure compliance, enhance infrastructure security and streamline service operations. Cisco ISE gathers real-time contextual information from networks, users and devices, and combines authentication, authorization and accounting (AAA), posture and profiling in one appliance.

Identity-Based Network Access

The Cisco ISE solution provides context-aware identity management in the following areas:
• Cisco ISE determines whether users are accessing the network on an authorized, policy-compliant device.
• Cisco ISE establishes user identity, location, and access history, which can be used for compliance and reporting.
• Cisco ISE assigns services based on the assigned user role, group, and associated policy (job role,location, device type, and so on).
• Cisco ISE grants authenticated users with access to specific segments of the network, or specific applications and services, or both, based on authentication results.

Basic User Authentication and Authorization

User authentication policies in Cisco ISE enable you to provide authentication for a number of user login session types using a variety of standard authentication protocols including, but not limited to, Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), Protected Extensible Authentication Protocol (PEAP), and Extensible Authentication Protocol (EAP). Cisco ISE specifies the allowable protocol(s) that are available to the network devices on which the user tries to authenticate and specifies the identity sources from which user authentication is validated.

Cisco ISE supports 802.1X, MAC authentication bypass (MAB), and browser-based Web authentication login for basic user authentication and access via both wired and wireless networks.

Client Posture Assessment

To ensure that the imposed network security measures remain relevant and effective, Cisco ISE enables you to validate and maintain security capabilities on any client machine that accesses the protected network. By employing posture policies that are designed to ensure that the most up-to-date security settings or applications are available on client machines, the Cisco ISE administrator can ensure that any client machine that accesses the network meets, and continues to meet, the defined security standards for enterprise network access.

Posture assessment and compliance occurs using one of the following agent types available in Cisco ISE:
Cisco NAC Web Agent: a temporary agent that users install at login time and that is no longer present on the client machine once the login session ends.
Cisco NAC Agent: a persistent agent that, once installed, remains on a Windows or Mac OS X client machine to perform all security compliance functions.
AnyConnect ISE Agent: a persistent agent that can be installed on a Windows or Mac OS X client to perform posture compliance functions.

Profiled Endpoints on the Network

The Profiler service assists in identifying, locating, and determining the capabilities of all endpoints on your network (known as identities in Cisco ISE), regardless of their device types, to ensure and maintain appropriate access to your enterprise network. The Cisco ISE Profiler function uses a number of probes to collect attributes for all endpoints on your network, and pass them to the Profiler analyzer, where the known endpoints are classified according to their associated policies and identity groups.

The Profiler Feed service lets administrators retrieve new and updated endpoint profiling policies and the updated OUI database as a feed from a designated Cisco feed server, through a subscription configured in Cisco ISE.

VPN Basics: Encryption and Security Protocols in a VPN

Encryption is the process of encoding data so that only a party holding the right key can read and use it. The two common forms are symmetric-key encryption and public-key encryption:

In symmetric-key encryption, all computers (or users) share the same key, which is used both to encrypt and to decrypt a message. The hard part is getting that key to both ends securely; in IPsec that is the job of IKE.

In public-key encryption, each computer (or user) has a public/private key pair. Anyone can encrypt a message with the recipient's public key, but only the holder of the matching private key can decrypt it. Using the private key on a message produces a digital signature that anyone can verify with the public key; that is how the peers prove their identity to each other, not how bulk traffic is hidden. Public-key operations are slow, so VPNs use them to authenticate and to agree a symmetric key, and the symmetric key to encrypt the traffic.

In a VPN, the devices at each end of the tunnel encrypt the data entering the tunnel and decrypt it at the other end. A site-to-site VPN can use IPsec (Internet Protocol Security), GRE (Generic Routing Encapsulation), or GRE carried inside IPsec.

Generic Routing Encapsulation (GRE) is a tunnelling protocol developed by Cisco Systems that can encapsulate a wide variety of network-layer protocols inside virtual point-to-point links over an IP network. GRE only encapsulates: it provides no encryption and no authentication, so a plain GRE tunnel is not a secure VPN. It is commonly run inside IPsec to carry multicast and routing protocols that IPsec alone cannot.

IPsec (Internet Protocol Security) is a protocol suite for securing IP communications by authenticating and encrypting each IP packet of a communication session. IPsec can protect traffic between various devices, including router to router, firewall to router, desktop to router and desktop to server.

IPsec has two packet-level protocols that secure the packets, plus IKE (Internet Key Exchange), which authenticates the peers and negotiates the keys and algorithms:

Encapsulating Security Payload (ESP) encrypts the packet's payload (the data it is transporting) with a symmetric key and, in any sensible modern configuration, also authenticates it with an integrity check value.

Authentication Header (AH) does not hide anything. It computes a keyed hash (an integrity check value) over the payload and the immutable fields of the IP header, so the receiver can detect tampering and verify who sent the packet; the payload itself still travels in clear text. Because the source and destination addresses are covered by the hash, AH does not survive NAT, which is one reason ESP is far more common.

IPsec can run in one of two modes. In transport mode only the payload of the original packet is protected and the original IP header is kept, which suits host-to-host traffic. In tunnel mode the whole original IP packet, header included, is encrypted and wrapped in a new IP packet addressed between the two VPN gateways; this is what site-to-site VPNs use, and it also hides the internal addresses.
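What AH gives you and what it does not, shown on a toy packet. This is an added example for these notes, not an IPsec implementation: the "packet" is a few fields rather than real IP bytes, HMAC-SHA256 stands in for whatever integrity algorithm IKE negotiated, the shared key and the addresses are constructed assumptions, and only the idea (mutable header fields zeroed, immutable fields and payload authenticated, nothing encrypted) is the real one.

```python
"""What AH provides and what it does not: a toy integrity check value (ICV).

Added example for these notes, not an IPsec implementation.  The packet is a
handful of fields rather than real IP bytes, and HMAC-SHA256 stands in for the
integrity algorithm that IKE would negotiate; the shared key is an assumption.
"""
import hashlib
import hmac
import socket
import struct

# Assumption: both peers already hold this key (in real IPsec it comes from IKE).
SHARED_KEY = b"integrity-key-from-ike-not-a-real-one"


def _authenticated_bytes(src, dst, payload):
    """The bytes AH covers: the immutable header fields and the payload.

    Mutable fields such as TTL and the header checksum are zeroed before
    hashing, because every router on the path legitimately changes them.
    """
    ttl_zeroed = struct.pack("!B", 0)
    return socket.inet_aton(src) + socket.inet_aton(dst) + ttl_zeroed + payload


def ah_icv(src, dst, payload, key=SHARED_KEY):
    """Sender side: compute the integrity check value for the packet."""
    return hmac.new(key, _authenticated_bytes(src, dst, payload), hashlib.sha256).digest()


def ah_verify(src, dst, payload, icv, key=SHARED_KEY):
    """Receiver side: recompute the ICV and compare in constant time."""
    return hmac.compare_digest(ah_icv(src, dst, payload, key), icv)


def build_packet(src, dst, payload, ttl=64):
    """Constructed 'packet' with its AH ICV attached.  The payload is still
    there in clear text: AH authenticates, it does not encrypt."""
    return {"src": src, "dst": dst, "ttl": ttl, "payload": payload,
            "icv": ah_icv(src, dst, payload)}


def receive(pkt, key=SHARED_KEY):
    """What the far end does with an incoming AH packet."""
    return ah_verify(pkt["src"], pkt["dst"], pkt["payload"], pkt["icv"], key)


if __name__ == "__main__":
    pkt = build_packet("10.1.1.1", "10.2.2.2", b"GET /secret HTTP/1.0")
    pkt["ttl"] -= 1                      # a router hop: still verifies
    print(receive(pkt))                  # True
    nat = dict(pkt, src="192.0.2.1")     # NAT rewrote the source: AH fails
    print(receive(nat))                  # False
```

A decremented TTL still verifies, a changed payload or a NAT-rewritten source address does not, and the payload is readable by anyone who captures the packet; that last point is why ESP, not AH, is what you want when confidentiality matters.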


VPN Basics: Site-to-site VPN and Remote-access VPN

Site-to-site VPN

A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the Internet. Site-to-site VPN extends the company's network, making computer resources from one location available to employees at other locations. An example of a company that needs a site-to-site VPN is a growing corporation with dozens of branch offices around the world.

In a site-to-site VPN, hosts do not have VPN client software; they send and receive normal TCP/IP traffic through a VPN gateway (for example a Cisco ASA or a Fortigate firewall). The VPN gateway is responsible for encapsulating and encrypting outbound traffic and sending it through a VPN tunnel over the Internet to a peer VPN gateway at the target site. Upon receipt, the peer VPN gateway strips the outer headers, decrypts the content and relays the packet towards the target host inside its private network.

There are two types of site-to-site VPNs:

    Intranet-based -- If a company has one or more remote locations that they wish to join in a single private network, they can create an intranet VPN to connect each separate LAN to a single WAN.

    Extranet-based -- When a company has a close relationship with another company (such as a partner, supplier or customer), it can build an extranet VPN that connects those companies' LANs. This extranet VPN allows the companies to work together in a secure, shared network environment while preventing access to their separate intranets.

Most VPNs rely on tunnelling to create a private network that reaches across the Internet. Tunnelling is the process of placing an entire packet within another packet before it is transported over the Internet; this layering of packets is called encapsulation. The outer packet is what the Internet routes; on its own it does not hide anything, it is the encryption applied by the tunnelling protocol that protects the contents from public view.

Computers or other network devices at both ends of the tunnel, called tunnel interfaces, encapsulate outgoing packets and unwrap incoming ones. The tunnel interfaces are configured using a tunnelling protocol, whose purpose is to add a layer of security that protects each packet on its journey over the Internet. Even if an attacker captured the packets, they would not be able to read them.

Remote-access VPN

A remote-access VPN allows individual users to establish secure connections to a remote computer network. For example, travellers and remote workers who need to reach their company's network securely over the Internet use a remote-access VPN. In a remote-access VPN every host must have VPN client software (for example Cisco AnyConnect).

Whenever the host tries to send any traffic, the VPN client software encapsulates and encrypts that traffic before sending it over the Internet to the VPN gateway at the edge of the target network. Upon receipt, that VPN gateway behaves as described above for site-to-site VPNs. If the target host inside the private network returns a response, the VPN gateway performs the reverse process to send an encrypted response back to the VPN client over the Internet.


What is the difference between IDS , IPS and Firewall ?

A firewall is essentially a set of filters/rules matched against traffic headers: addresses, ports, protocol and, on a stateful firewall, connection state. It decides what is allowed to enter or leave, but it has no notion of what the permitted traffic contains, so an attack carried inside an allowed connection, or launched by something already inside the network, passes it. A firewall is considered the first line of defence in protecting private information; for greater security, IDS and IPS systems should be used along with it.

An IDS (Intrusion Detection System) is passive, meaning it sits watching a copy of the packets (from a SPAN port or a tap) as they go through the network. It matches packets against a set of rules and raises an alarm, usually alerting the administrator, if it detects anything suspicious. Because it inspects content, an IDS can detect several types of malicious traffic that slip past a typical firewall, including network attacks against services, data-driven attacks on applications, host-based attacks like unauthorized logins, and malware like viruses, Trojan horses and worms. Most IDS products combine several detection methods: signature-based detection, anomaly-based detection and stateful protocol analysis.

An IPS (Intrusion Prevention System) has all the features of a good IDS but can also stop malicious traffic from entering the enterprise. Unlike an IDS, an IPS sits inline with the traffic flows on a network, actively dropping attempted attacks as they are sent over the wire. It can stop the attack by terminating the network connection or user session originating it, by blocking access to the target from the user account, IP address or other attribute associated with the attacker, or by blocking all access to the targeted host, service or application. The flip side of being inline is that a false positive blocks legitimate traffic, so signatures need tuning in detect-only mode before they are set to block.


Cisco ASA - Remote Management (via TELNET)

1. Log on to the firewall, go to enable mode, then to configure terminal mode.

CiscoASA> enable
Password: ********
CiscoASA# configure terminal
CiscoASA(config)#

2. The syntax to permit Telnet management access is telnet {ip address} {subnet mask} {interface the host is reached through}.

The following allows just one host (192.168.1.100):

CiscoASA(config)#telnet 192.168.1.100 255.255.255.255 inside

The following allows the whole network 192.168.1.1 to 254:

CiscoASA(config)#telnet 192.168.1.0 255.255.255.0 inside

3. To set the Telnet login password use the "passwd" command (yes, that's spelled correctly). Pick a strong one; PASSWORD123 below is only a placeholder.

CiscoASA(config)# passwd PASSWORD123

4. By default a Telnet session times out after 5 minutes of inactivity. To change it:

CiscoASA(config)# telnet timeout 45   (sets the idle timeout to 45 minutes)

5. Don't forget to save the configuration

CiscoASA# write mem

Telnet - Via ASDM

1. Connect via ASDM > Navigate to Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH > Add > Select Telnet > Supply the IP and subnet > OK. (Note you can set the timeout on this page also).

NOTE: Telnet carries the password and everything you type in clear text, so anyone on the path (or on the inside LAN) can sniff it; restrict it to a single management host as above or, better, use SSH instead. The ASA also refuses Telnet on its lowest-security interface (normally outside) unless the session arrives through an IPsec tunnel. Be aware that on ASA software 8.4(2) and newer you can NO LONGER LOG IN over SSH with the default username "pix" and the Telnet (login) password: you HAVE TO define a local username and password and then enable AAA authentication for SSH (aaa authentication ssh console LOCAL).
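The same management-access task done over SSH instead of Telnet, as an added example that is not part of the original post. The host address and interface are the ones used above; the hostname, domain name, user name and password are placeholders, and the ASA needs the hostname and domain-name set before it will generate the RSA key.

```text
! Added example: SSH management access on an ASA (8.4(2) or newer).
! hostname, domain-name, username and password are placeholders.
ciscoasa(config)# hostname ciscoasa
ciscoasa(config)# domain-name example.com
ciscoasa(config)# crypto key generate rsa modulus 2048
ciscoasa(config)# username netadmin password <strong-password> privilege 15
ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# ssh 192.168.1.100 255.255.255.255 inside
ciscoasa(config)# ssh timeout 10
ciscoasa(config)# ssh version 2
ciscoasa(config)# no telnet 192.168.1.0 255.255.255.0 inside
ciscoasa(config)# write memory
```

Once a local user exists and SSH works from the management host, remove the telnet lines entirely; leaving both enabled keeps the clear-text path open for anyone who can reach the inside interface.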

Cisco ASA Basic Notes – Configuration Modes

A Cisco ASA security appliance has four main administrative access modes:

Monitor Mode:
Displays the monitor> prompt (this is ROMMON). This mode lets you update the image over the network or perform password recovery. While in monitor mode, you can enter commands to specify the location of a TFTP server and the location of the software image or password-recovery binary image file to download. You access this mode by pressing the Break or ESC key immediately after powering up the appliance; as with password recovery on a router, anyone with console access can take over the appliance this way.

Unprivileged Mode:
Displays the > prompt. This is the prompt you get when you first access the appliance; on the Cisco ASA 5500 Series it is ciscoasa>
This mode provides a restricted view of the security appliance; you cannot configure anything from it. To get started with configuration, the first command you need to know is enable. Type enable and hit Enter. The initial enable password is empty, so hit Enter again to move on to the next access mode (Privileged Mode). Set an enable password as soon as the appliance is on the network; with an empty one, anyone who reaches the console or a management session gets full control.

ciscoasa> enable         <– typed from Unprivileged Mode
password:                <– Enter the enable password here (initially blank)
ciscoasa#                <– Privileged Mode

Privileged Mode:
Displays the # prompt. Enables you to change the current settings. Any unprivileged command also works in this mode. From this mode you can see the current configuration by using show running-config. Still, you cannot configure anything yet until you go to Configuration Mode.You access the Configuration Mode using the “configure terminal” command from the Privileged Mode.

Configuration Mode:
This mode displays the (config)# prompt. Enables you to change all system configuration settings. Use exit from each mode to return to the previous mode.

ciscoasa> enable               <– Unprivileged Mode
password:                      <– Enter the enable password here (initially blank)
ciscoasa# configure terminal   <– Privileged Mode; configure terminal enters Configuration Mode
ciscoasa(config)#              <– Configuration Mode
ciscoasa(config)# exit
ciscoasa# exit                 <– Back to Privileged Mode
ciscoasa>                      <– Back to Unprivileged Mode

The (config)# mode is usually called Global Configuration Mode. Some configuration commands from this mode enter a command-specific mode and the prompt changes accordingly. For example the interface command enters interface configuration mode as shown below:

ciscoasa(config)# interface GigabitEthernet 0/1
ciscoasa(config-if)#  <– Configure Interface specific parameters

Basic Notes about VPN

A VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together.It works by encapsulating data for one network inside of an ordinary IP packet and transporting that packet to another network. When the packet arrives at the destination network, it is unwrapped and delivered to the appropriate host on the destination network. By encapsulating the data using cryptographic techniques, the data is protected from tampering and snooping while it is transported over the public network.

Through a VPN you can reach your private network from a remote location over the Internet without compromising security. VPNs let employees securely access the company intranet while travelling outside the office, and they connect branch offices over the Internet without dedicated leased lines, which is much cheaper. VPNs use strong encryption to provide privacy and strong authentication to guarantee identity, so they are more secure than sending the same traffic over the Internet directly: even if the data is intercepted in transit, the attacker cannot read it because it is encrypted.

Types of VPN

VPNs can be either remote-access (connecting an individual computer to a network) or site-to-site (connecting two networks together). In a corporate setting, remote-access VPNs allow employees to access the company intranet from home or while travelling, and site-to-site VPNs allow employees in different geographical locations to share one network.

One thing to note about VPNs is that there is no single standard way to set one up: IPsec, SSL/TLS and GRE-based VPNs all exist, and products differ in the details. If you are establishing your own VPN, it is up to you to decide which protocols and components to use and to understand how they work together.

Five basic components of VPNs:

VPN Gateways:
A device used to connect an entire network to the VPN
VPN Client Software
Software for individual PCs that allow them to connect to the VPN
Authentication Servers: 
Systems such as certificate authorities and RADIUS servers that guarantee the identity of VPN Gateways and Clients
Management Servers:
Systems that provide control, monitoring, alerting and reporting on the VPN
Physical Transport: 
Any IP or Internet connection

What a good VPN should provide

Security -- The VPN should protect data while it's travelling on the public network. If intruders attempt to capture the data, they should be unable to read or use it.
Reliability -- Employees and remote offices should be able to connect to the VPN with no trouble at any time (unless hours are restricted), and the VPN should provide the same quality of connection for each user even when it is handling its maximum number of simultaneous connections.
Scalability -- As a business grows, it should be able to extend its VPN services to handle that growth without replacing the VPN technology altogether.


Stop saving passwords in your browser

Do you save passwords in your browser?

If the answer is yes, it is time to stop. Both Firefox and Google Chrome will show the saved passwords to anyone who has access to your logged-in session, physically or remotely; the only thing protecting them is your operating system login, and no hacking skill is needed to read them.

Type chrome://settings/passwords in Google Chrome if you don't believe me. You can see every password saved in Chrome, in plain text. Older versions show them with no prompt at all; current versions on Windows and macOS ask for your OS account password first, which protects nothing if you walked away from an unlocked session. There is no master password.

In Firefox, Options > Security tab > Saved passwords > Show passwords (Privacy & Security > Saved Logins in newer versions) displays all your usernames and passwords in a neat list, again in clear text. The one advantage is that you can (and right now should) set a master password (called Primary Password in recent versions), which you will be asked for before the passwords are shown and which is also used to encrypt them on disk. Chrome doesn't offer a master password.
So if you leave your office or personal laptop on your desk without locking it, you are exposing all your passwords to a stranger. It takes only a couple of seconds to get at your banking, email or social media passwords. Anyone can do it; no hacking skills needed.

Try yourself
The simplest way to find out is to try it yourself. If you have Google Chrome or Mozilla Firefox installed, set yourself a challenge - how many passwords can you steal from your own computer in, say, one minute?

Solution
So how can you protect your passwords? Delete them from Chrome. Set a master password in Firefox. More robustly, set up a screen lock on your computer and activate it before you walk away, wherever you are. Don't let other people use your user account, even people you regard as friends, if you are not watching them. You could also use a password manager such as LastPass, which stores your passwords encrypted under its own master password; most of them can also sync with mobile devices.

Take care while using public wifi

Public wifi can be very public

You are probably among the growing number of people who connect to public WiFi at the coffee shop, in an airport or while out shopping. Whether it is called a public hotspot or "open wifi", the risks are the same. I am not blaming everyone who provides public wifi access, but there is a chance that you are connecting to an unsecured network where attackers can literally grab your information straight from the airwaves.

The media these days are full of stories about what can happen next. Your personal information, including bank accounts, social media profiles and email accounts, can be compromised. Besides the potential fraud and loss of money, the time it takes to recover and clean up your identity will be considerable.

Below are a few steps you can follow.

1. Connect to a trusted network

It is common for malicious people to set up fake open wi-fi networks to attract people who connect and browse their Facebook and/or bank account, unknowingly giving away their account information.

These people tend to use very generic SSIDs such as "Free Public Wi-Fi". Avoid such networks for internet banking or social networks, and don't trust a free or open network 100%. Nothing is free in this world!

The chance of such a network being fake is high. Most serious networks use WPA2 or WPA (or, on old equipment, WEP), which at least stops anyone from joining without the key. Note that the SSID itself proves nothing: an attacker can broadcast the same name as the legitimate network, so ask the venue for the exact network name and password rather than picking the strongest signal.

2. Prioritize WPA2 encryption

Networks use different security protocols, which encrypt the data between your device and the access point. Choosing the weakest leaves your device exposed, so connect to a WPA2 network where possible; WPA is the next best option. WEP has been broken for years and can be cracked in minutes, so treat a WEP network as an open one. It is also a good idea to set up your home router with WPA2 encryption.

3.Never access your bank or credit card information out of a trusted network

Wi-Fi hotspots are never 100% secure, so never access your bank account or use your credit cards while on public Wi-Fi. It is also a good idea not to reuse the same username/password combination on any other website, so that one captured login does not open every account you have.

4. Use HTTPS (SSL/TLS encryption)

SSL (Secure Sockets Layer), today replaced by TLS, encrypts the traffic between your browser and the website, so anyone else on the wifi sees only ciphertext. To use it, make sure the address starts with https instead of http, like this: https://www.example.com, and check for the padlock in the address bar. Without it, everything you type, logins included, crosses the wifi in clear text.

Sadly, not every website supports it. Nevertheless, the vast majority of banking websites, social networks and email providers do, and many now force it.

5. Always use  firewall/Antivirus/Anti-Spam software

There are lots of risks in using a Wi-Fi hotspot. You never know who else is connected to the same network and whether someone is trying to monitor, or worse, break into your computer's services. Keep your firewall, antivirus and anti-spam software enabled and updated, and mark the hotspot as a public network so the operating system firewall blocks file and printer sharing from the other guests.

6. Password protect your files

If someone does get into your computer, it helps to have your files encrypted so they cannot take your information. Some operating systems come with this built in (BitLocker on Windows, FileVault on macOS). TrueCrypt was the usual third-party choice for laptops but is no longer maintained, so prefer the built-in option; for Android there are apps such as Gallery Lock Pro and File Cover, and for iOS Lockdown Pro and Locktopus, among others.

Of course, you cannot have absolute security, but now you have the means to avoid the most common threats. Enjoy, and happy browsing!

Via : email


Cisco password recovery

Password recovery
This procedure works on any router where you have console access and can power-cycle it: the configuration register is changed so that the router boots without reading its saved configuration, and therefore without its passwords. Anyone with physical access to the console can do the same, which is why the physical security of the device matters more than the strength of its passwords (the command no service password-recovery disables this procedure at the cost of losing the configuration if it is ever needed).

1. Power-cycle the router and send a Break (Ctrl+Break in most terminal programs) within the first 60 seconds of boot. The router drops into ROM monitor (rommon) mode.
2. Change the configuration register so that NVRAM is ignored at the next boot, then reset (the rommon command is confreg; config-register is the IOS form of the same setting. On the old 2500 series the equivalent is o/r 0x2142 followed by i):
rommon 1 > confreg 0x2142
rommon 2 > reset
3. The router starts without loading the startup-config from NVRAM, so no password is asked. Answer no to the initial configuration dialog, then load the saved configuration into memory and look at it:
Router> enable
Router# copy startup-config running-config
Router# show running-config
4. The running configuration now shows the passwords that were saved before, as far as they are readable: a password set with enable password or a line password appears either in plaintext or as a type 7 string (trivially reversible), while an enable secret is stored as a hash and cannot be read back, so set a new one. Copying the startup configuration also brings every interface up in the shutdown state, so issue no shutdown on each interface you need.
Router# configure terminal
Router(config)# enable secret <new-password>
5. Set the configuration register back to normal and save, so that the next reboot again loads NVRAM and prompts for the password. This can be done from IOS:
Router(config)# config-register 0x2102
Router(config)# end
Router# copy running-config startup-config
Alternatively, as the original post did, press Ctrl+Break again at the next boot and issue confreg 0x2102 followed by reset from rommon.
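As an added example (not part of the original post), the Python script below shows why show running-config only recovers some passwords: it decodes Cisco type 7 strings, whose fixed-key XOR scheme is public and has been for decades, and audits a running-config for credentials that the output would reveal, skipping hashed secrets. The sample config, its hash value, and the function names are constructed for this example.

```python
import re

# Fixed key of the IOS type 7 scheme (public knowledge; this is obfuscation, not encryption).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded: str) -> str:
    """Recover the cleartext of a type 7 string such as '0822455D0A16'."""
    if len(encoded) < 4 or len(encoded) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", encoded):
        raise ValueError("type 7 string must be an even-length hex string of 4+ digits")
    offset = int(encoded[:2], 10)             # first two digits: decimal start index into the key
    clear = bytearray()
    for i, pos in enumerate(range(2, len(encoded), 2)):
        clear.append(int(encoded[pos:pos + 2], 16) ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)])
    return clear.decode("ascii")


def encode_type7(clear: str, offset: int = 8) -> str:
    """The inverse operation; included only to show that no secret is involved."""
    body = "".join(f"{b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]:02X}"
                   for i, b in enumerate(clear.encode("ascii")))
    return f"{offset:02d}{body}"


# 'password [type] value' or 'secret [type] value' at the end of a config line
CRED_RE = re.compile(r"\b(password|secret)\s+(?:(\d)\s+)?(\S+)\s*$")


def audit_config(config: str):
    """Return (line_no, severity, message) for each credential that 'show running-config' exposes."""
    findings = []
    for n, line in enumerate(config.splitlines(), 1):
        m = CRED_RE.search(line)
        if not m:
            continue
        kind, ptype, value = m.groups()
        if kind == "secret" and ptype in ("5", "8", "9"):
            continue                                   # hashed: cannot be read back, only reset
        if ptype == "7":
            findings.append((n, "high", f"type 7 is reversible, decodes to {decode_type7(value)!r}"))
        elif ptype in (None, "0"):
            findings.append((n, "high", f"cleartext credential {value!r}"))
        else:
            findings.append((n, "info", f"unrecognised credential type {ptype}"))
    if "no service password-recovery" not in config:
        findings.append((0, "info", "ROMMON password recovery is possible from the console (IOS default)"))
    return findings


# Constructed running-config: the hash value is a placeholder, not a real MD5 crypt string.
SAMPLE_RUNNING_CONFIG = """\
hostname R1
enable password 7 0822455D0A16
enable secret 5 $1$mERr$constructedHashForTheExample
line con 0
 password 7 094F471A1A0A
line vty 0 4
 password cisco123
 login
"""
```

Running audit_config on the sample flags lines 2, 5 and 7 and decodes both type 7 strings to "cisco"; only the enable secret survives, which is the one credential the recovery procedure above has to reset rather than read.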

Access List notes: Numbered and Named ACL

Access Control Lists (ACLs)
Access control lists (ACLs) are ordered sets of rules that permit or deny packets based on source and destination IP address, IP protocol, or TCP/UDP port information. You can configure the following types of ACLs:

Standard – Permits or denies packets based on the source IP address only. Valid standard ACL numbers are 1 – 99 (plus the expanded range 1300 – 1999)
Extended – Permits or denies packets based on source and destination IP address, the IP protocol, and TCP/UDP port numbers. Valid extended ACL numbers are 100 – 199 (plus the expanded range 2000 – 2699)

Access lists use wildcard masks to match traffic. Access control lists (ACLs) can be used for two purposes on Cisco devices:
•  To filter traffic
•  To identify traffic


When filtering traffic, access lists are applied to interfaces. As a packet passes through the router, the entries are checked from the top down and processing stops at the first match; the matching entry decides whether the packet is permitted or denied. The order of the entries therefore matters: a broad permit placed above a specific deny makes the deny unreachable.
 
NOTE : There is an implicit 'deny all' at the end of every access list. It cannot be removed, so an access list that contains only deny statements will block all traffic. If you want an ACL to allow anything at all, it must contain at least one permit statement.
 
Access lists are applied either inbound (packets received on an interface, before routing), or outbound (packets leaving an interface, after routing). Only one access list per interface, per protocol, per direction is allowed.
 
Although filtering traffic is the primary use of access lists, there are several cases where an ACL is used only to identify traffic, including: 
•  Identifying interesting traffic to bring up an ISDN link or VPN tunnel
•  Identifying routes to filter or allow in routing updates
•  Identifying traffic for QoS purposes


Types of Access List 
There are two categories of access lists: 

Numbered ACL – the basic form. On classic IOS you cannot remove individual lines from a numbered access list: the entire list must be deleted (no access-list followed by the number) and recreated, and all new entries are added to the bottom. Best practice is to maintain your access lists in a text editor and paste them in. (IOS 12.3 and later let you edit a numbered list with sequence numbers through ip access-list standard or extended followed by the number, exactly as for named lists.)
There are two common types of numbered access lists:
  1. IP standard access lists 
  2. IP extended access lists
Named ACL – provides more flexibility than a numbered access list. You give the list a descriptive name, and individual lines can be removed from it. New entries are added to the bottom, as with numbered ACLs, unless you specify a sequence number (IOS 12.3 and later).
There are two common types of named access lists:
  1. IP standard named access lists 
  2. IP extended named access lists 
How to permit or deny a specific host in Access list ?
Take the host 172.16.10.1 as an example. To match a single host, use the wildcard mask 0.0.0.0. In a wildcard mask a 0 bit means that bit of the address must match exactly and a 1 bit means it is ignored, so an all-zero wildcard requires every bit of the address to match.
 
There are actually two ways we can match a host:
•  Using a wildcard mask "0.0.0.0" – 172.16.10.1 0.0.0.0
•  Using the keyword “host” – host 172.16.10.1

 
The above matches exactly one host. How do we match all addresses?
There are actually two ways we can match all addresses:
•  Using a wildcard mask of 255.255.255.255 (every bit ignored) – 0.0.0.0 255.255.255.255
•  Using the keyword “any” – any source or destination

 
Standard IP Access List
Syntax
access-list [1-99] [permit | deny] [source address] [wildcard mask]
Standard IP access lists match on the source host or network address only, so they should be placed as close to the destination as possible: placed near the source, they would cut the source off from everything, not just from the intended destination. The range of standard access list numbers is 1-99
Example
Qn : Block network 172.20.0.0 from accessing the 172.19.0.0 network

  • Router(config)#  access-list 20 deny 172.20.0.0 0.0.255.255 
  • Router(config)#  access-list 20 permit any
Note : Because a standard list cannot name the destination, it must be applied on the router closest to the 172.19.0.0 network.
  • The first line denies all hosts on the 172.20.x.x network.
  • The second line uses the keyword "any", which matches (permits) every other address. 
Always remember that you must have at least one permit statement in your access list; otherwise all traffic is blocked because of the implicit deny at the end.

Creating an access list does nothing on its own; it must be applied to an interface. To apply this access list, we would configure the following on the router:

  •   Router(config)#  int s0 
  •   Router(config-if)#  ip access-group 20 in
To view all IP access lists configured on the router:  
  Router#  show ip access-list  
To view what interface an access-list is configured on: 
  • Router#  show ip interface
  • Router#  show running-config
Extended IP Access List
Syntax
access-list [100-199] [permit | deny] [protocol] [source address] [wildcard mask] [destination address] [wildcard mask] [operator] [port]
Extended IP access lists filter on the source IP address, destination IP address, protocol, and TCP or UDP port numbers. Because they can name the destination precisely, they should be placed as close to the source as possible, so that unwanted traffic is dropped before it crosses the network.
Example :
  • access-list 100 deny tcp host 1.1.1.1 host 2.2.2.2 eq 23
  • access-list 100 deny tcp 3.3.3.0 0.0.0.255 any eq 80
  • access-list 100 permit ip any any 
  1. The first line denies host 1.1.1.1 from reaching host 2.2.2.2 via telnet (TCP port 23) 
  2. The second line denies HTTP (TCP port 80) from the 3.3.3.0/24 network to any destination 
  3. The third line permits all other traffic 
Like the earlier example, this ACL must be applied to an interface to take effect. To apply it, we would configure the following:
  • int fa 0/0
  • ip access-group 100 in 
In the above example we used eq 80 to block HTTP.
 
We can use several other operators for port numbers:
  1. eq  Matches a specific port 
  2. gt  Matches all ports greater than the port specified 
  3. lt  Matches all ports less than the port specified 
  4. neq  Matches all ports except for the port specified 
  5. range  Match a specific inclusive range of ports
The following will match all ports greater than 100:
Router(config)#  access-list 101 permit tcp any host 172.16.10.10 gt 100
The following will match all ports less than 1024:
Router(config)#  access-list 101 permit tcp any host 172.16.10.10 lt 1024
The following will match all ports that do not equal 443:
Router(config)#  access-list 101 permit tcp any host 172.16.10.10 neq 443
The following will match all ports between 80 and 88:
Router(config)#  access-list 101 permit tcp any host 172.16.10.10 range 80 88
Named Access Lists
Named access lists provide us with two advantages over numbered access lists. First, we can apply an identifiable name to an access list, for documentation purposes. Second, we can remove individual lines in a named access-list, which is not possible with numbered access lists. 


Please note, though we can remove individual lines from a named access list, on classic IOS we cannot insert lines into the middle of it: new entries are always placed at the bottom. IOS 12.3 and later give every entry a sequence number (visible in show access-lists), and entering a line prefixed with a sequence number inserts it at that position, so a rule can be added in the middle without rebuilding the whole list.

 
To create a standard named access list, the syntax would be as follows:   
  • Router(config)#  ip access-list standard NAME
  • Router(config-std-nacl)#  deny 172.18.0.0 0.0.255.255
  • Router(config-std-nacl)#  permit any 
To create an extended named access list, the syntax would be as follows:  
  • Router(config)#  ip access-list extended NAME
  • Router(config-ext-nacl)# permit tcp 172.18.0.0 0.0.255.255 host 172.16.10.10 eq 80
  • Router(config-ext-nacl)#  deny ip 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255
  • Router(config-ext-nacl)#  permit ip any any
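To tie the standard, extended and named examples above together, here is an added Python model (not code from the original post, and not how IOS is implemented) of how an access list is evaluated: wildcard-mask matching, top-down first-match processing, the port operators eq/neq/gt/lt/range, and the implicit deny. It parses the post's own entries, both the numbered access-list form and the named ip access-list form. The Rule and Packet types, the parser, and the helper names are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

AddrSpec = Tuple[int, int]   # (network, wildcard); a wildcard bit of 1 means "don't care"
ANY: AddrSpec = (0, 0xFFFFFFFF)
OPERATORS = {                # port operators as in the post; 'range' is inclusive
    "eq": lambda p, a, b: p == a, "neq": lambda p, a, b: p != a,
    "gt": lambda p, a, b: p > a,  "lt": lambda p, a, b: p < a,
    "range": lambda p, a, b: a <= p <= b,
}

@dataclass
class Rule:
    action: str                                 # "permit" | "deny"
    protocol: str                               # "ip" matches any protocol; standard ACLs use "ip"
    src: AddrSpec
    dst: AddrSpec                               # a standard ACL cannot name a destination: ANY
    src_port: Optional[Callable[[int], bool]]
    dst_port: Optional[Callable[[int], bool]]
    text: str

@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    sport: int = 0
    dport: int = 0

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _is_ip(s):
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False

def _parse_addr(tok, i):
    """'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' | bare 'A.B.C.D' (standard-ACL shorthand for a host)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    if i + 1 < len(tok) and _is_ip(tok[i + 1]):
        return (_ip(tok[i]), _ip(tok[i + 1])), i + 2
    return (_ip(tok[i]), 0), i + 1

def _parse_port(tok, i):
    """Optional operator at tok[i]; returns a predicate on the port (or None) and the next index."""
    if i >= len(tok) or tok[i] not in OPERATORS:
        return None, i
    op, a = tok[i], int(tok[i + 1])
    b = int(tok[i + 2]) if op == "range" else None
    return (lambda p: OPERATORS[op](p, a, b)), i + (3 if op == "range" else 2)

def _matches(spec, addr):
    net, wild = spec
    return ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0   # compare only the bits the wildcard keeps

def parse_acl(text):
    """Accepts numbered entries ('access-list N ...') and named lists ('ip access-list ... NAME' + body)."""
    rules, kind = [], None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "ip":                    # ip access-list standard|extended NAME
            kind = tok[2]
            continue
        if tok[0] == "access-list":           # the number decides the kind
            n = int(tok[1])
            kind = "standard" if n <= 99 or 1300 <= n <= 1999 else "extended"
            tok = tok[2:]
        if kind is None:
            raise ValueError(f"entry outside any access list: {raw!r}")
        if kind == "standard":                # source only, no protocol or ports
            src, _ = _parse_addr(tok, 1)
            rules.append(Rule(tok[0], "ip", src, ANY, None, None, raw.strip()))
            continue
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, _ = _parse_port(tok, i)
        rules.append(Rule(tok[0], tok[1], src, dst, sport, dport, raw.strip()))
    return rules

def evaluate(rules, pkt):
    """Top down, first match wins; no match means the implicit deny at the end of every list."""
    src, dst = _ip(pkt.src), _ip(pkt.dst)
    for r in rules:
        if r.protocol != "ip" and r.protocol != pkt.protocol:
            continue
        if not (_matches(r.src, src) and _matches(r.dst, dst)):
            continue
        if (r.src_port and not r.src_port(pkt.sport)) or (r.dst_port and not r.dst_port(pkt.dport)):
            continue
        return r.action, r.text
    return "deny", "<implicit deny>"

# The post's lists, used here as sample input.
ACL_20 = "access-list 20 deny 172.20.0.0 0.0.255.255\naccess-list 20 permit any\n"
ACL_100 = """\
access-list 100 deny tcp host 1.1.1.1 host 2.2.2.2 eq 23
access-list 100 deny tcp 3.3.3.0 0.0.0.255 any eq 80
access-list 100 permit ip any any
"""
NAMED = """\
ip access-list extended NAME
 permit tcp 172.18.0.0 0.0.255.255 host 172.16.10.10 eq 80
 deny ip 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 permit ip any any
"""
```

Two details worth checking against the model: a UDP packet to port 80 from 3.3.3.0/24 is permitted by ACL_100, because the second entry matches tcp only; and a list that consists of a single deny entry denies every packet, including those the entry does not mention, because nothing is left to match but the implicit deny.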
Troubleshooting
  • show access-lists [<number> | <name>]
  • show ip access-lists [<number> | <name>]
  • show ip access-lists interface <interface>
  • show ip access-lists dynamic
  • show ip interface [<interface>]

CCNP Note : MAC flooding attack

Switches maintain a MAC address table (the CAM table) that maps each MAC address seen on the network to the switch port it was learned on. This lets the switch forward a unicast frame out of the one port where its destination lives, instead of flooding every frame out of all ports.

In a MAC flooding attack, the attacker sends a stream of Ethernet frames, each with a different (usually random) source MAC address. The switch learns every one of them, and the bogus entries exhaust the CAM table. Once the table is full, genuine entries that age out cannot be re-learned, and frames for those destinations are flooded out of all ports in the VLAN.

The switch has then effectively entered a fail-open state in which unknown-unicast frames are sent out of every port, just as a hub would do, instead of being forwarded to a single port. A malicious user on any port can run a packet sniffer and capture traffic between other hosts that would never reach his port while the switch is operating normally. Only frames whose destination has no CAM entry are flooded, so the attacker keeps sending frames to hold the table full and stop the victims' entries from returning.

MAC flooding attack can be prevented by

  1. Implementing port security, which limits the number of MAC addresses a port may learn and err-disables (or restricts) the port when the limit is exceeded.
  2. Implementing VLAN access maps.
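To make the effect concrete, the following Python model (added here; it is not code from the original post) simulates a learning switch with a fixed-size CAM table, runs a flood of random source MACs against it, and shows that traffic between two other hosts ends up on the attacker's port. It then repeats the run with a port-security style per-port MAC limit. The Switch class, port numbers and MAC addresses are constructed for the example, and the aging timer is simulated by an explicit age_out() call.

```python
import random


class Switch:
    """A learning switch with a bounded CAM table and an optional port-security MAC limit."""

    def __init__(self, ports, cam_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_size = cam_size
        self.cam = {}                                  # mac -> port
        self.max_macs = max_macs_per_port              # None = port security off
        self.secure = {p: set() for p in ports}        # MACs port security has seen per port
        self.err_disabled = set()

    def receive(self, in_port, src, dst):
        """Learn src on in_port, then return the list of ports the frame is sent out of."""
        if in_port in self.err_disabled:
            return []
        if self.max_macs is not None:                  # port security check first
            if src not in self.secure[in_port] and len(self.secure[in_port]) >= self.max_macs:
                self.err_disabled.add(in_port)         # violation mode "shutdown"
                return []
            self.secure[in_port].add(src)
        if src not in self.cam and len(self.cam) < self.cam_size:
            self.cam[src] = in_port                    # a full table silently stops learning
        out = self.cam.get(dst)
        if out is not None and out != in_port:
            return [out]                               # known unicast: exactly one port
        return [p for p in self.ports if p != in_port]  # broadcast or unknown unicast: flood

    def age_out(self, mac):
        """Simulate the aging timer expiring for one CAM entry."""
        self.cam.pop(mac, None)


A, B = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"   # constructed victim MACs
BCAST = "ff:ff:ff:ff:ff:ff"


def flood_attack(port_security: bool):
    """Hosts A (port 1) and B (port 2), attacker on port 3.
    Returns (ports an A->B frame is sent to after the attack, err-disabled ports)."""
    sw = Switch(ports=[1, 2, 3], cam_size=100, max_macs_per_port=1 if port_security else None)
    sw.receive(1, A, BCAST)      # A ARPs for B
    sw.receive(2, B, A)          # B replies; the CAM now knows both
    rng = random.Random(1)

    def attacker_burst(n):
        for _ in range(n):
            mac = "02:%02x:%02x:%02x:%02x:%02x" % tuple(rng.randrange(256) for _ in range(5))
            sw.receive(3, mac, BCAST)

    attacker_burst(1000)         # fills the remaining 98 slots with junk
    sw.age_out(B)                # B's entry expires...
    attacker_burst(10)           # ...and the attacker immediately takes the freed slot
    sw.receive(2, B, A)          # B talks again but cannot be re-learned: the table is full
    return sw.receive(1, A, B), sorted(sw.err_disabled)
```

Without port security the A-to-B frame is flooded to ports 2 and 3, so the attacker on port 3 sees it; with a one-address limit on port 3 the attacker's second source MAC err-disables that port, B is re-learned normally, and the frame goes to port 2 only.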


What is VLAN Hopping

VLAN Hopping

VLAN hopping is a method of attacking networked resources on a Virtual LAN (VLAN). The basic idea behind all VLAN hopping attacks is that a host gains access to traffic on a VLAN other than the one assigned to the switch port it connects to.

There are two primary methods of VLAN hopping: switch spoofing and double tagging. Both attacks can be mitigated with proper switchport configuration.

The first and most commonly used method, switch spoofing, is where the attacker makes his workstation act like a switch: it sends Dynamic Trunking Protocol (DTP) frames, and a port left in the default dynamic auto/desirable mode negotiates a trunk with it, giving the attacker's host every VLAN carried on that trunk.

To prevent this kind of VLAN hopping attack, follow the steps below on every port that is not meant to be a trunk

1. Ensure that ports are not set to negotiate trunks automatically.
Switch(config-if)# switchport nonegotiate
2. Ensure that ports that are not meant to be trunks are explicitly configured as access ports
Switch(config-if)# switchport mode access
3. Shut down ports that are not in use.
The second way an attacker can hop VLANs is double tagging. The attacker sends frames carrying two 802.1Q tags: the outer tag is the native VLAN of the trunk (which is also the attacker's own access VLAN), and the inner tag is the target VLAN. The first switch strips the outer tag, because frames in the native VLAN leave a trunk untagged, and the second switch reads the inner tag and delivers the frame into the target VLAN. The attack only works when the attacker's VLAN is the trunk's native VLAN, and it is one-way: replies do not come back to the attacker. This is not as common a method of VLAN hopping as using trunking.

Mitigation

Simply do not put any hosts on VLAN 1 (the default VLAN), i.e. assign an access VLAN other than VLAN 1 to every access port:
 Switch(config-if)# switchport access vlan 2
Change the native VLAN on all trunk ports to an unused VLAN ID, so that no access port is ever in the native VLAN:
Switch(config-if)# switchport trunk native vlan 999
Explicitly tag the native VLAN on all trunk ports, so that even native-VLAN frames leave tagged and the outer tag is never stripped:
Switch(config-if)# switchport trunk native vlan tag

Example
As an example of a double tagging attack, consider a web server on VLAN 1. Hosts on VLAN 1 are allowed to access the web server; hosts from outside the VLAN are blocked by layer 3 filters.

An attacking host on a different VLAN, VLAN 2, which is also the native VLAN of the trunk between the switches, builds a frame with two tags: an outer tag for VLAN 2 on top of an inner tag for VLAN 1. When the frame is sent, the first switch sees the VLAN 2 tag, removes it (VLAN 2 is the native VLAN, so the frame leaves the trunk untagged), and forwards the frame across the trunk.

The first switch expects the frame to be handled as an ordinary native-VLAN frame by the next switch. However, when the frame arrives, the second switch sees the remaining tag indicating VLAN 1 and bypasses the layer 3 handling, treating it as a layer 2 frame on VLAN 1. The frame thus arrives at the target server as though it was sent by another host on VLAN 1, ignoring any layer 3 filtering that might be in place.

Via : Wikipedia
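The following Python model (an added example, not code from the original post or from Wikipedia) builds real 802.1Q frames with struct and walks them through a simplified two-switch path: an access port on the first switch, its trunk, and the trunk port on the second switch. It reproduces the double tagging case above and shows why moving the native VLAN to an unused ID, or tagging the native VLAN explicitly (the per-port command above; on many Catalyst platforms the same is done globally with vlan dot1q tag native), defeats it. The switch behaviour is a deliberate simplification, in particular the assumption that an access port accepts a frame tagged with its own VLAN and strips that tag; the MAC addresses, payload and function names are constructed.

```python
import struct

ETH_P_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETH_P_IP = 0x0800


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst: str, src: str, vlans, payload: bytes) -> bytes:
    """Ethernet II frame with zero or more stacked 802.1Q tags, outermost first."""
    hdr = mac(dst) + mac(src)
    for vid in vlans:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)   # PCP/DEI bits left at 0
    return hdr + struct.pack("!H", ETH_P_IP) + payload


def parse_tags(frame: bytes):
    """VLAN IDs present on the frame, outermost first."""
    tags, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == ETH_P_8021Q:
        tags.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return tags


def pop_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]          # drop the outermost 4-byte tag


def push_tag(frame: bytes, vid: int) -> bytes:
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid) + frame[12:]


# --- simplified switch behaviour (modelling assumptions, not a full 802.1Q implementation) ---

def access_ingress(frame, access_vlan):
    """SW1 access port. Untagged frames belong to the access VLAN. A frame tagged with the
    port's own VLAN is accepted and the tag removed; any other tag is dropped (None)."""
    tags = parse_tags(frame)
    if not tags:
        return access_vlan, frame
    if tags[0] == access_vlan:
        return access_vlan, pop_tag(frame)
    return None


def trunk_egress(vlan, frame, native_vlan, tag_native=False):
    """SW1 trunk port. Native-VLAN frames leave untagged unless the native VLAN is tagged
    explicitly; frames in every other VLAN get their tag pushed on."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """SW2 trunk port. The outermost tag selects the VLAN; an untagged frame is native."""
    tags = parse_tags(frame)
    return (tags[0], pop_tag(frame)) if tags else (native_vlan, frame)


def deliver(frame, access_vlan, native_vlan, tag_native=False):
    """Attacker -> SW1 access port -> trunk -> SW2. Returns the VLAN the frame lands in
    on SW2, or None if SW1 drops it."""
    r = access_ingress(frame, access_vlan)
    if r is None:
        return None
    vlan, f = r
    return trunk_ingress(trunk_egress(vlan, f, native_vlan, tag_native), native_vlan)[0]


# Constructed frame matching the text: attacker on VLAN 2, target web server on VLAN 1.
# The payload is a dummy byte string, not a real IP packet.
ATTACK = build_frame("00:00:00:00:00:01", "02:00:00:00:be:ef", [2, 1], b"dummy payload")
```

With the attacker's access VLAN equal to the trunk's native VLAN (both 2) the frame lands in VLAN 1 on the second switch. With the native VLAN moved to 999, or with the native VLAN tagged, the first switch pushes a VLAN 2 tag on egress and the frame stays in VLAN 2; an attacker whose access VLAN is not the native VLAN cannot even get the double-tagged frame accepted.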


What is Dynamic ARP Inspection (DAI) ?

Dynamic ARP Inspection (DAI) 
Several types of attacks can be launched against hosts or devices on a Layer 2 network by "poisoning" their ARP caches. A malicious user can intercept traffic intended for other hosts on the LAN segment by sending forged ARP replies that map another host's IP address (typically the default gateway's) to the attacker's own MAC address. 

Such ARP-based attacks can have a devastating impact on the confidentiality and integrity of sensitive data. To block them, the Layer 2 switch needs a mechanism to validate ARP traffic and forward only legitimate ARP requests and responses.

DAI is a security feature that validates ARP packets in a network. DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from some man-in-the-middle attacks.

DAI ensures that only valid ARP requests and responses are relayed. The switch performs these activities:

•Intercepts all ARP requests and responses on untrusted ports

•Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination

•Drops invalid ARP packets

•Forwards all ARP packets received on a trusted interface without any checks

•DAI determines the validity of an ARP Packet based on the valid MAC address-to-IP address bindings stored in the DHCP snooping database

DAI is supported on access ports,trunk ports,EtherChannels and private VLAN ports.

DAI is an ingress security feature; it does not perform any egress checking.


DAI is not effective for hosts connected to switches that do not support DAI or do not have the feature enabled; an attacker on such a switch can still poison the hosts attached to it.

The binding database is built by DHCP snooping, which must therefore be enabled on the switch and on the VLANs concerned before DAI has anything to validate against. Hosts with static IP addresses have no DHCP binding and need a static ARP ACL instead. If an ARP packet is received on a trusted interface, the switch forwards the packet without any checks; on untrusted interfaces, the switch forwards the packet only if it is valid.

Enable ARP inspection on the VLANs to protect

Switch(config)# ip arp inspection vlan <vlan-range>
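As an added example (not from the original post), the Python model below implements the DAI decision described above: ARP packets on untrusted ports are checked against a DHCP snooping binding table (and an ARP ACL for statically addressed hosts, the role of ip arp inspection filter), packets on trusted ports pass unchecked, the optional Ethernet-source versus ARP-sender MAC check of ip arp inspection validate src-mac is applied, and a gateway spoofing attempt is dropped and logged. In a real deployment the uplinks to other switches are marked trusted with ip arp inspection trust, and DHCP snooping is enabled first. The binding table, ports, MAC addresses, class names and the log line format are constructed for the example; the precedence between ARP ACL and DHCP bindings is simplified.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    in_port: str
    vlan: int
    eth_src: str       # source MAC in the Ethernet header
    sender_mac: str    # sender hardware address inside the ARP body
    sender_ip: str     # sender protocol address: the IP-to-MAC claim being checked
    opcode: int = 2    # 1 = request, 2 = reply; DAI checks both


class DaiSwitch:
    """Dynamic ARP Inspection decision logic (simplified model)."""

    def __init__(self, inspected_vlans, trusted_ports, dhcp_bindings, arp_acl=()):
        self.inspected_vlans = set(inspected_vlans)
        self.trusted_ports = set(trusted_ports)
        # DHCP snooping database: (vlan, ip) -> mac
        self.bindings = {(vlan, ip): mac for mac, ip, vlan, _port in dhcp_bindings}
        # static entries for hosts that do not use DHCP (ip arp inspection filter <acl>)
        self.arp_acl = {(vlan, ip): mac for mac, ip, vlan in arp_acl}
        self.log = []

    def inspect(self, pkt: ArpPacket) -> bool:
        """True = forward, False = drop (and log the reason)."""
        if pkt.vlan not in self.inspected_vlans or pkt.in_port in self.trusted_ports:
            return True                      # trusted ports and uninspected VLANs are never checked
        if pkt.eth_src.lower() != pkt.sender_mac.lower():   # ip arp inspection validate src-mac
            return self._drop(pkt, "Ethernet source MAC differs from ARP sender MAC")
        key = (pkt.vlan, pkt.sender_ip)
        expected = self.arp_acl.get(key) or self.bindings.get(key)
        if expected is None:
            return self._drop(pkt, "no DHCP snooping binding or ARP ACL entry for sender IP")
        if expected.lower() != pkt.sender_mac.lower():
            return self._drop(pkt, f"sender IP is bound to {expected}")
        return True

    def _drop(self, pkt, reason):
        self.log.append(f"DAI deny on {pkt.in_port} vlan {pkt.vlan}: "
                        f"{pkt.sender_mac}/{pkt.sender_ip} - {reason}")
        return False


# Constructed sample: DHCP snooping learned two hosts; the gateway has a static address.
BINDINGS = [("aa:aa:aa:00:00:05", "10.0.0.5", 10, "Fa0/5"),
            ("aa:aa:aa:00:00:06", "10.0.0.6", 10, "Fa0/6")]
GATEWAY_ACL = [("00:00:5e:00:01:01", "10.0.0.1", 10)]


def demo():
    """Run four constructed ARP packets through DAI; returns ({name: forwarded}, log)."""
    sw = DaiSwitch(inspected_vlans=[10], trusted_ports={"Gi0/1"},
                   dhcp_bindings=BINDINGS, arp_acl=GATEWAY_ACL)
    legit = ArpPacket("Fa0/5", 10, "aa:aa:aa:00:00:05", "aa:aa:aa:00:00:05", "10.0.0.5")
    # host on Fa0/6 claims to be the gateway: the classic ARP poisoning reply
    spoof = ArpPacket("Fa0/6", 10, "aa:aa:aa:00:00:06", "aa:aa:aa:00:00:06", "10.0.0.1")
    # the same claim arriving over the trusted uplink is accepted without checks
    uplink = ArpPacket("Gi0/1", 10, "aa:aa:aa:00:00:06", "aa:aa:aa:00:00:06", "10.0.0.1")
    # a statically addressed host with no DHCP binding and no ARP ACL entry
    unknown = ArpPacket("Fa0/6", 10, "aa:aa:aa:00:00:06", "aa:aa:aa:00:00:06", "10.0.0.77")
    results = {"legit": sw.inspect(legit), "spoof": sw.inspect(spoof),
               "uplink": sw.inspect(uplink), "unknown": sw.inspect(unknown)}
    return results, sw.log
```

The "uplink" case is the one to remember when deploying DAI: a trusted port is exactly that, so the trust must only be given to ports facing other DAI-enabled switches, never to a port a user can reach.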