Security on Aaron's Worthless Words

Junos Basics - OSPF

Wed, 01 Feb 2012 00:00:00 +0000

Oh, my. Another Junos post. Somebody stop me before I get my JNCIA!

This isn’t hard stuff at all. I’m sure there are a couple of cool tricks I don’t know yet, but let’s try anyway. I"m working on an SRX240 here running 11.1 and some change.

Let’s put interfaces ge-0/0/0.0 and lo0.0 in OSPF area 0. If you know the Junos configuration hierarchy, this will be very easy to you. Even if you don’t, you can stare at the config for a little bit and see what we’re doing.

Stubby Post - Changes to CCNA Voice, CCVP, and CCSP

Wed, 20 Oct 2010 00:00:00 +0000

I don’t usually cover news from Cisco, but they’ve changed some certification stuff around again, and I thought I would bring it up. This time they’ve changed the CCNA Voice, CCVP, and CCSP, so, if you’ve on those tracks, be careful what you’re studying!

CCNA Voice

Circle 28 February 2011 on your calendars. That’s when the CCNA Voice track gets a shakeup. The IIUC (640-460) exam will be no more, and passing CVOICE (642-436) will no longer be a valid way to get the cert. After the big day, you’ll have to take ICOMM (640-461). This seems to be a much broader exam instead of having the enterprise and commercial focuses in CVOICE and IIUC, respectively. Look out for both CME- and CUCM-based topics including a troubleshooting section.

ASA 8.3.1 – Smart Tunnel and NAT Changes

Fri, 12 Mar 2010 00:00:00 +0000

I’ll start off with a warning. I’ve been running 8.3.1 on my home 5505 for a few hours now. Not only is this not really enough time for a thorough review, it’s also not the environment to test enterprise-level configurations. There are also a lot of details missing that I just don’t know about yet, so please do some research on your own to figure out what’s going to break if you upgrade your ASA.

Convenience versus Security

Tue, 01 Dec 2009 00:00:00 +0000

I coworker sent over a link today that got me thinking about an old adage that I’ve been sharing for years. The link actually has nothing to do with the philosophy but did trigger a random spewing of words from my brain.

Here’s what I tell everyone. When I deliver these lines, I usually picture myself as Socrates talking to a bunch of Greeks in togas.

ISCW Notes - Role-based Views

Thu, 05 Nov 2009 00:00:00 +0000

I’m at training for the ISCW test this week, and this topic came up yesterday. Since it came up last week at the office, I figure it was a sign from $deity that it was time for a blog entry.

An admin in another business unit was trying to set up command access for some of his techs. He was going through a couple of routers and assigning commands to privilege levels so that his techs could access them. He was having a boat load of problems, though, and couldn’t get it to work

I've Been Hacked

Mon, 26 Oct 2009 00:00:00 +0000

It looks like one of those Russian b*%*#rds got me some time last week. I don’t know how long the site was down for sure, but I would guess that he first got access on Thursday, 22 October. Since we’re talking about WordPress here, I just restored back to 15 October to be safe, and it looks like we’re back in business.

As a precaution, I’ve reset some passwords and deleted a whole mess of accounts. I tried to leave the ones that look familiar to me like Blindhog and LBSources, but, if I killed your account, I apologize. I’m afraid you’ll have to sign up again for the sake of security.

Using SPF Records To Build Objects

Fri, 16 Oct 2009 00:00:00 +0000

My biggest complain about modern firewalls is their lack of the ability to create rules based on URLs or HTTP streams; you have to open access between IP addresses. Yes, I know there are other means to do that, but I want my ASA/PIX/FWSM to do it without making me do so much work.

Anyway, the fact that you have to use IPs brings up some interesting problems. Let’s say you have a server in a DMZ that needs to query Google for some content. Since you’re a hard-ass network guy like I am, you tell the admin that they have provide the data flow they want to use – source IP, destination IP, protocol, port. They come back and tell you that they need their server to connect via HTTP to 74.125.45.100. You put in the rules as given, but the IP has suddenly changed on you.

Filtering Out the Noise on the Edge

Wed, 21 Jan 2009 00:00:00 +0000

There’s a lot of noise on the Internet. I’m not talking about certain news sites, either; I’m talking about stuff like port scans or attempts on weak services from all sorts of bad people on the Internet. A large chunk of that noise can be filtered by the edge routers, taking some of the load off of the network and firewalls.

Here are a few things that we filter inbound on our Internet links. Your mileage will vary.

A Little Politics for the New Year

Mon, 29 Dec 2008 00:00:00 +0000

Stretch at Packetlife has a lively little write-up on the Australian government’s attempt to implement a nation-wide web filtering service.

From Packetlife.net:

Setting aside the myriad of technical barriers to implementing such a system, the most obvious question is, “who decides what gets blocked?” When a corporation implements a web filter, it does so in accordance with corporate policy – policy that is set by the owner of the network. But the Internet doesn’t belong to any one entity, be it governmental or commercial, so such an authority simply doesn’t exist at this scale. In a very Orwellian sense, this filtering initiative appears to want to create that authority out of thin air.

Filtering Outbound Traffic

Tue, 25 Sep 2007 00:00:00 +0000

I’ve seen a thousand [tag]firewalls[/tag] in my time, and nearly all of them are poorly configured. The biggest culprit? No [tag]outbound[/tag] [tag]filtering[/tag]. I guess a lot of people think that firewalls are there to protect the network from the Internet, but that’s only part of it. The firewall is to protect every segment from every other segment – all segments both inbound and outbound.

I guess that way back in the day that was true. You had your well-behaved network behind a firewall, and the only threat was from the evil hackers of the Internet. That’s not true any more, though. What about viruses? Or spyware? You don’t want those things spreading out from your network, do you? Think about liability, too. If you run a corporate network and an employee starts illegally downloading stuff from Kazaa, the company is liable for that, and the first step is to block any unneeded traffic from getting out.

SNMP v3 is Easy!

Sun, 16 Sep 2007 00:00:00 +0000

I finally got around to looking into [tag]SNMP[/tag] v3 and was shocked at how easy it actually is. When I first looked up info on it so many moons ago, I saw table after tables of views and privilege levels and thought I would have to put in a billion hours getting it customized. I settled down and went through some Google results and found a blog post by Richard Bejtlich that shows the simplest of configurations. Works like a champ!

Setting Up SSH on IOS Devices

Wed, 05 Sep 2007 00:00:00 +0000

By default, most Cisco [tag]IOS[/tag] devices come configured to be accessed via telnet. This is probably fine for your house, but I really cringe when I run across corporate networks that use [tag]telnet[/tag] to access the devices. Telnet is old and out-dated and can be very dangerous. It’s in plain-text, which means that anyone who sees the packets can get your username and password. It also has no remote identification mechanism, so you can’t guarantee you’re talking to the device you think you are; you could be telnetting to a rogue device on your network without knowing it. [tag]SSH[/tag] gives you both things and more.

Security for Unmanned Devices

Thu, 23 Aug 2007 00:00:00 +0000

I was talking to a coworker the other day about setting up his home network more securely. “No problem,” I said, and we started listing devices on his network to see what we needed to do. I was pretty surprised that he had so many things on his network. I mean, I was quite amazed. He had all sorts of stuff – from gaming consoles to guest machines to special-purpose Linux boxes to sewing machines. A sewing machine? Yes, a sewing machine.

Separation of Function

Wed, 15 Aug 2007 00:00:00 +0000

Separation of function is another important security concept that people often overlook. It can mean that a single person is only responsible for one part of a process. Or it can mean that one server only does one function. Or it can mean that one network is used for servers of one type. Or it can mean that a whole data center is for only one production and not development. It depends on your scope and your point of view.

Fallback IPtables

Sat, 11 Aug 2007 00:00:00 +0000

The hardest part of messing with firewall configs is knowing what is going to lock you out of the firewall itself. It doesn’t to me very often, but I’ve been doing firewalls for 10 years now. I was thinking about my own IPtables implementation at home and realized that I do most of my tweaking remotely. If I were to fat-finger something, I’d have to get on the console, and everything would be down until then. I don’t need a lot of uptime at my house, but I really can’t stand downtime, but I digress.

Port Knocking

Sat, 11 Aug 2007 00:00:00 +0000

A few months ago, a friend of mine told me about the concept of port knocking, where you send packets to a server on certain ports to authenticate access to the box. A daemon running on your server detects the sequence of packets that you send and runs a script (usually IPtables commands), waits a certain amount of time, then runs another script (usually to take the IPtables commands out). This seems like a good way to get access to your home firewall from anywhere without having to open up access to the whole Internet.

The Principle of Least Privilege

Fri, 10 Aug 2007 00:00:00 +0000

The Principle of Least Privilege says that users or applications should only have access to the what it needs to access and that access should be as limited as possible. This idea can be applied to any number of things, but it is a very important topic when talking about security.

The idea is that processes, users, modules, or whatever can only access what they need to in order to function. This keeps users in check since they don’t have any access to anything outside their home directories (or whatever). It keeps developers in check since their code can only access a small set of files or processes. It keeps hackers in check since the Apache server they’re hacking can’t access the password file. It even keeps administrators in check since it forces them to use sudo, which is logged to syslog.

Using an Old Server as a Home Firewall

Fri, 10 Aug 2007 00:00:00 +0000

You can use an old PC as a firewall at home (and at work, I guess). It’s not that hard to do if you have a basic knowledge of Linux, DHCP, and IPtables, but that may be saying a lot.

Why would anyone want to do this, though? If you’re like me, you like to know what’s going on in the network. One of the Linksys routers you buy at Best Buy or Circuit City just doesn’t let you monitor very well. You can’t get very good logs off of it, so you don’t really know what it’s doing or complaining about. It also doesn’t let you query the interfaces, so you really don’t know how much bandwidth you’re using. If you have a Linux box as your router/firewall/gateway, you can get really good logs, monitor the interfaces with SNMP, and have some really great, granular control over your network.