Tuesday, December 7, 2010

Beating wireshark into shape on OSX

I've gotten emails from several past students regarding Wireshark on OS X. Just like in the classroom, when installing Wireshark on OS X you must also FOLLOW ALL OF THE DIRECTIONS ;).

If you are experiencing the following error:
“Insecure Startup Item disabled. “/Library/StartupItems/ChmodBPF” has not been started because it does not have the proper security settings.”

Pretty simple fix: just change the ownership of the ChmodBPF startup item to root in the wheel group.

To accomplish this:
cd /Library/StartupItems
sudo chown -R root:wheel ChmodBPF
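As an added check (a script written for this post, not part of Wireshark or of Apple's installer), the Python below re-implements what the startup item loader is complaining about: the item and everything inside it must be owned by root:wheel, and nothing that runs as root at boot should be group- or world-writable. Run it against /Library/StartupItems/ChmodBPF before and after the chown to see exactly which file was objected to. The build_sample_item helper, the temp directory and the placeholder script it creates are constructed for the demo; wheel being gid 0 is the macOS convention.

```python
import os
import stat
import sys
import tempfile

ROOT_UID = 0   # root
WHEEL_GID = 0  # the "wheel" group is gid 0 on macOS


def audit_startup_item(path, required_uid=ROOT_UID, required_gid=WHEEL_GID):
    """Return a list of (relative_path, problem) tuples; an empty list means the item passes.

    The item directory and everything beneath it is checked, which is why the
    fix in the post uses chown -R rather than a plain chown.
    """
    root = os.path.abspath(path)
    entries = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        entries.extend(os.path.join(dirpath, name) for name in dirnames + filenames)
    problems = []
    for entry in entries:
        st = os.lstat(entry)
        rel = os.path.relpath(entry, os.path.dirname(root))
        if st.st_uid != required_uid:
            problems.append((rel, "owner uid %d, expected %d" % (st.st_uid, required_uid)))
        if st.st_gid != required_gid:
            problems.append((rel, "group gid %d, expected %d" % (st.st_gid, required_gid)))
        if st.st_mode & stat.S_IWGRP:
            problems.append((rel, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            problems.append((rel, "world-writable"))
    return problems


def build_sample_item(world_writable):
    """Constructed stand-in for /Library/StartupItems/ChmodBPF so the audit can be
    demonstrated without touching the real item: a temp directory holding a placeholder script."""
    item = os.path.join(tempfile.mkdtemp(), "ChmodBPF")
    os.mkdir(item, 0o755)
    script = os.path.join(item, "ChmodBPF")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\n# placeholder, not the real ChmodBPF script\n")
    os.chmod(script, 0o777 if world_writable else 0o755)
    os.chmod(item, 0o755)
    return item


def main(argv):
    path = argv[1] if len(argv) > 1 else "/Library/StartupItems/ChmodBPF"
    if not os.path.exists(path):
        print("%s: does not exist" % path)
        return 2
    problems = audit_startup_item(path)
    if not problems:
        print("%s: ownership and permissions are acceptable" % path)
        return 0
    for rel, problem in problems:
        print("%s: %s" % (rel, problem))
    print("fix: sudo chown -R root:wheel %s && sudo chmod -R go-w %s" % (path, path))
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: `sudo python audit.py /Library/StartupItems/ChmodBPF`; a non-zero exit means the loader would still refuse the item, and the printed fix is the same chown from the post with a chmod added for the write bits.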

Tuesday, October 26, 2010

Firesheep

Very cool new Firefox plugin for sniffing credentials over HTTP for common online services such as Twitter, Facebook, and others that STILL use HTTP logins in 2010... Long overdue :)

I know that everyone reading this can decode HTTP logins, but this is a cool way to do it within a plugin!

Works over wifi, supports session hijacking (cookie theft).

Supports OSX! (Windows & Linux too)

Might be worth checking out!

http://codebutler.com/firesheep

Friday, September 3, 2010

Everquest 2 & Nvidia 3D Vision solved

I picked up an Nvidia 3D Vision headset about a month ago, and it's been very, very cool. The only problem is that while I enjoy playing almost all video games, my favorite game (Everquest 2) did not seem to function properly with it. The mouse pointer was in 3D but nothing else. I had searched the web, and even called tech support, and nobody could tell me what the issue was. Latest drivers, game is patched, still no 3D. Well, I was messing around with the settings today and there is a LETTERBOX function, which basically adds a strip of black to the top and bottom of the screen. This improves performance because the video card does not need to redraw, animate, and anti-alias all of those extra pixels, and that area is full of spells, stats, and effects anyhow, so why not.

Well, after playing with various settings today I discovered that if you remove the letterbox completely, the 3D effects work perfectly. This is great, because I shelled out quite a bit of cash for a new 3D card (GTX 480), a 3D monitor, and 3D glasses, so it was kind of miserable that it did not want to work with my favorite game. Anyhow, it's working now, just in time for a Double XP weekend :)

RAID 0 Good, SSD is great, but what about RAID 0 with SSD?



I had been putting off SSD for a while now, based on the high price and the fact that most technologies need a bit of time to mature before they are worthwhile. Well, I finally broke down about two weeks ago and got my first SSD. I chose the OCZ Agility 2 based on its performance/price combination; this model seems to be the best bang for the buck. After adding it to my Alienware Aurora, which was already RAID 0 on WD 7200 RPM drives, I copied Everquest 2 to the new drive and launched it. Let me preface this by saying I had read many impressive reviews and my expectations were very high; however, the SSD did not disappoint. My load times between zones were just great! When playing from a single 7200 RPM drive on a different system a few nights later I realized what I must do next, and that was build a new box with two Agility 2 SSDs in RAID 0.


Well, the box has been built. I could try to describe it, but let my benchmarks speak for themselves. This is on an Asus P6T with the onboard ICH10R RAID controller (nothing fancy).

BGP Looking glasses

I cover BGP in my migration course; however, you don't really get the right feel for it in the small lab environment. I like to direct my students to various BGP looking glasses on the web to view what real tables look like. There is a site that lists HTTP-based looking glasses as well as live routers with public telnet access, which is much more interesting :).

Give it a shot, scroll down to category 2 and try to telnet into these devices. The "show ip bgp ?" command should get you started!

BGP Looking Glasses

Friday, August 20, 2010

Metasploit: The missing manual

While it would be difficult to find someone who disagrees that the Metasploit Framework is one of the most powerful "hacking tools" of all time, it would be just as difficult to find someone who claims to be a master of it. Metasploit has so many capabilities that nearly every class I take touches upon Metasploit in some way I hadn't seen before, whether it's MITM attacks, pattern creation used during buffer overflows, token masquerading, etc. The problem has always been a source of useful documentation. I read the docs, I bought the Syngress Metasploit book (almost useless), and I follow the mailing list, which had been the most helpful until now. Well, the Metasploit Unleashed class is online, it's provided by Hackers for Charity, and they ask for a $4 donation, which everyone should be more than happy to give. This is an awesome compilation of knowledge that would have been impossible to gather on your own.

Metasploit Unleashed

Lockpicking

In all of my security classes we discuss the importance of physical security, and I never get much resistance from students here; everyone seems to nod and agree. Outside of the classroom, however, there are too many scenarios to count (car dealerships, sports arenas, hospitals, schools, etc.) where network equipment is behind a locked door in what used to be a broom closet. Not much thought is given to the locks. Well, at Defcon this year I brought the wifey by the lockpicking village (her 3rd Defcon, but 1st attempt at lockpicking) and, long story short, she took to lockpicking like a duck to water.

One of the guys doing presentations has a website with excellent videos that I wanted to share. Also, if you make it out to Defcon be sure to stop by the lockpicking village!

Lockpicking Videos

Saturday, July 3, 2010

Update those ASAs, guys...

To all of my past ASA students, and even those of you who aren't: if you are running 5580s, there were several ASA vulnerabilities posted last week. As you know, the vulnerabilities have been there since the code shipped, but now the bad guys know about them and can DoS your firewalls with single malformed packets...

http://nvd.nist.gov/download/nvd-rss.xml


Also, some of the latest Adobe exploits affect the Mac community now :(. When people tell me that Apple sucks, I generally just laugh internally and don't make an argument; the fewer people using it the better, as far as security through obscurity is concerned. Looks like they are starting to become more of a target, unfortunately.

Friday, July 2, 2010



My favorite con of the year is less than a month away. As you should know, Defcon is the premiere hacking conference: not the best on the east coast or west, not the best in the US, but the best in the world! It follows Black Hat Las Vegas, which is held at Caesars Palace just before the Defcon weekend (July 30-August 1). It will certainly be a great time this year; there are some really great looking talks. If any of my past students make it out, I'd like to buy a round of drinks, so contact me if you're going!

Tuesday, June 8, 2010

Verizon blocking SMTP port 25

In an attempt to "protect you" as a Verizon customer, you can no longer use traditional SMTP over port 25 with a "3rd party" email provider. In other words, if you have your own domain, use a "thick client" to access your email, or need to access email from ANYONE other than verizon.net, it will now be "blocked for your protection". I discovered this this morning while wasting about 90 minutes of my life troubleshooting services, firewalls, filtering, etc.

Their solution is:
1) Just use webmail
2) Just use verizon.net, scrap the other domain.
3) Buy a static IP, but first realize that this makes you a Verizon business customer instead of residential: higher price, new contract, and cancellation fees apply for moving from residential to business. Not sure how their math worked on that one.
4) *Best* Send email on port 587 instead of 25. This may require configuration changes on the server side; not bad if you run your own server, but it may take some work as well.


This kind of reminds me of the time they blocked access to 4chan..


Kind of scary when you realize they can take away pieces of the internet at will.


Verizon blocks SMTP outbound (for your protection)

Wednesday, May 26, 2010

The H3C hardware looks pretty cool so far, but can it do Netflow?

In short, yes. NetFlow was designed by Cisco; however, many vendors support something similar. For instance, Juniper uses J-Flow, Foundry uses sFlow, and H3C/3Com use something called NetStream.

NetStream supports versions 5, 8 and 9, which map to NetFlow versions 5, 8 and 9 for the most part. While there are some differences in the H3C implementation, Plixer has overcome these inconsistencies and now supports NetStream in their awesome product Scrutinizer.

H3C also offers a monitoring module for the 7500E and 9500E switches, if you wanted to perform NetStream collection directly on the switch.

Is it metasploitable?

Good news to those of you who were looking for a "punching-bag" without the labors of building your own, the Metasploit crew has released Metasploitable which is a purpose-built virtual machine chock-full of vulnerabilities that can be exploited by MSF. It's built on Ubuntu 8.04 which is good news for those of you that have only been working against Windows servers this whole time, you can try out some different payloads.

Grab the torrent!

VMWare overhauls graphics performance in the latest build

If you've attended my hacking course in the past, you'll know that I like Macs and you'll know why. While no operating system is perfect, OS X has been very good to me over the years. Fusion makes our lives a bit smoother by allowing us to run Windows within OS X, so we can hang on to all of those apps that don't work in OS X (and without a reboot).

Well, the latest Fusion update gives me support for all 8 CPUs on my Mac Pro, and even if you don't have 8 CPUs they claim a 35% increase in application performance and a 500% increase in 3D performance. As you may recall, 3.0 gave us the ability to run DirectX games within Windows 7 within our OS X. Yes, the game would load, and it was fine for logging in to check the broker of an MMORPG or some other brief activity, but it's not something you'd want to spend a lot of time in. Well, with 3.1 I was able to launch TF2 via Steam within Windows 7, log into a server and quickly and smoothly make some kills. Very nice improvement. One thing to keep your eye on is the amount of RAM allocated to your virtual machine.

VMware also supports Unity, which is the ability to run a Windows application in its own window within OS X. In other words, the app, while running within the guest OS, appears in the host OS as though it's native.

There are many other new features as well, and it's a free upgrade if you're running 3.0, so go ahead and upgrade already!

It should also be noted that a similar upgrade is available for VMware Workstation (7.1) that boasts similar performance upgrades, based on optimizations for i3, i5, and i7 CPUs, plus improved graphics support. Workstation costs approximately double what Fusion does; however, you can deploy VMs to ESX from it with ease, and it supports snapshots, which are an essential feature for malware analysis. I've got both Workstation and Fusion and I'm very happy with each.

Tuesday, May 25, 2010

ASA 8.3, Firewall Technology update (another one)

In the new 8.3 code you'll notice a few changes, perhaps most obviously the new memory requirements: the 5520s and 5540s, for instance, now require 4 GB of RAM. Besides the new RAM requirements you'll find the following changes:

Wider support for IE8 (32- and 64-bit on Windows 7, Vista and XP); OS X 10.6 is also now officially supported for SSL VPN.

Licensing is now aggregate, that is if you have 100 SSL VPN licenses on your active, and 100 on standby (this is required, even though only the active can terminate connections) starting with 8.3, your active ASA will support the aggregate (200) number of licenses. If there was ever a failure, and one is shipped back to Cisco, the other will support the aggregate for 30 days. That should be plenty of time to replace your backup.

You'll now use "objects", which are your IP-to-name mappings (think names). You can now define a server once, MailServer = 192.168.168.50, put that MailServer in several different ACLs and NAT rules, and then change the mapping and the change will follow through the other portions of the configuration. The goal is to move toward a more object-oriented configuration, so it's simpler to configure things and make changes system-wide.

There is a new technique, where you can do a reverse many-to-one NAT, called one-to-many NAT. The idea is that you can have a single host on the inside, that is now matching multiple IP's on the outside, perhaps two different service providers.

ACLs now use a concept called REAL-IP. Previously, when you built the ACL on the outside interface for server 192.168.168.50 (statically NATed to 50.50.50.50), you thought about what the packet looked like when it arrived on the interface: on the outside, the packet is destined for 50.50.50.50. Now you use the REAL-IP, the actual IP of the box. While frustrating for some of the veteran users, the idea is to make it easier for the new guys coming in. They can now look at access from a higher level and permit or deny access to a server or host without thinking about the static NAT configuration.

There is also a concept of global ACLs. If you're familiar with the Modular Policy Framework, think of a policy-map that is applied globally: a global ACL lets you permit or deny traffic universally, ignoring the interfaces. This is a concept available on competitors' products, so Cisco wanted to support it. The traditional ACL implementation is still supported; the idea is that if you have a lot of interfaces and want to allow access to a specific host on all of them, you can write that rule in a global ACL and not have to create the same entry on every interface. While some of this seems frustrating for the veterans, the end goal is to make our lives easier.
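To make the object, REAL-IP and global ACL changes concrete, here is a small Python model added for this article. It is not Cisco code; it only simulates the 8.3 evaluation order (untranslate the destination, then the interface ACL, then the global ACL, then the implicit deny) on constructed data. The MailServer addresses are the ones from the text above; the WebServer object, its 50.50.50.51 mapping and the dmz interface are constructed for the demo.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "ingress proto dst_ip dst_port")
Rule = namedtuple("Rule", "action proto dst port")     # dst is an object name or "any"
Nat = namedtuple("Nat", "obj real_if mapped_if mapped_ip")

# Network objects: the one place a host's real address lives.  MailServer is from
# the article; WebServer is constructed.
objects = {
    "MailServer": "192.168.168.50",
    "WebServer": "192.168.168.80",
}

# Static NAT entries reference the object, not the address
# (the 8.3 equivalent of: object network MailServer / nat (inside,outside) static 50.50.50.50).
nat_table = [
    Nat("MailServer", "inside", "outside", "50.50.50.50"),
    Nat("WebServer", "inside", "outside", "50.50.50.51"),   # constructed
]

# Per-interface ACLs are written against the REAL address, via the object name,
# not against the mapped 50.50.50.50 the packet carries on the wire.
interface_acls = {
    "outside": [Rule("permit", "tcp", "MailServer", 25)],
}

# Global ACL: applies to every interface and is consulted after the interface ACL.
global_acl = [Rule("permit", "tcp", "any", 80)]


def untranslate(pkt):
    """Undo static NAT for a packet arriving on the mapped interface, so the ACL sees the real IP."""
    for nat in nat_table:
        if pkt.ingress == nat.mapped_if and pkt.dst_ip == nat.mapped_ip:
            return pkt._replace(dst_ip=objects[nat.obj])
    return pkt


def rule_matches(rule, pkt):
    if rule.proto != pkt.proto or rule.port != pkt.dst_port:
        return False
    return rule.dst == "any" or objects[rule.dst] == pkt.dst_ip


def evaluate(pkt):
    """8.3 order: untranslate, interface ACL, global ACL, then the implicit deny."""
    real = untranslate(pkt)
    for rule in interface_acls.get(pkt.ingress, []) + global_acl:
        if rule_matches(rule, real):
            return rule.action
    return "deny"


def relocate(name, new_real_ip):
    """Move a server: only the object changes; NAT and ACL entries refer to the name and follow."""
    objects[name] = new_real_ip


if __name__ == "__main__":
    smtp_in = Packet("outside", "tcp", "50.50.50.50", 25)
    print("SMTP to mapped 50.50.50.50 -> real", untranslate(smtp_in).dst_ip, evaluate(smtp_in))
    print("HTTPS to 50.50.50.50 ->", evaluate(smtp_in._replace(dst_port=443)))
    print("HTTP to 50.50.50.51 (global ACL only) ->", evaluate(Packet("outside", "tcp", "50.50.50.51", 80)))
    print("HTTP from dmz to 192.168.168.80 (global ACL) ->", evaluate(Packet("dmz", "tcp", "192.168.168.80", 80)))
    relocate("MailServer", "192.168.168.60")
    print("after relocating MailServer -> real", untranslate(smtp_in).dst_ip, evaluate(smtp_in))
```

The last two lines are the point of the object model: the mail server moves to a new inside address, and neither the NAT entry nor the ACL had to be touched, because both named the object rather than the address.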

Smart Call Home (introduced in 8.2.2) dumps stats and (sanitized) config details to Cisco, and you can log in and view details about your equipment. You can see if there are TAC advisories for your versions of code, and if there are issues you can open a TAC case from there. Another fun aspect is that you're looking at specs on the box (CPU, memory, interfaces) and can log those periodically, so it's great for baselining, and if you have an issue TAC can easily see the history right there.

Upgrading to 8.3 performs a config conversion, meaning your CLI configuration will look completely different from how it looked prior to the upgrade. There will also be a text file in flash that shows any errors that occurred in the upgrade (I performed an upgrade of a fairly complex configuration without any errors, by the way). If you're a CLI user, it will feel like you're on a different planet; if you're an ASDM user, you may not be real sure what's different, as the look, feel, and terminology are almost identical.

Your existing config is backed-up to flash, and there is actually a downgrade command, so if you do hate it you can roll back. *note* if you do use the downgrade command, realize that you must specify the name of the file which you can find in flash. (Similar to the downgrade process that appeared when moving from 6.3 to 7.0).

As you may recall from any of my classes, you can perform a zero-downtime upgrade by moving one ASA at a time from 8.2 to 8.3; a failover pair can run different code, and 8.3 is no different. This should not be done for a long period of time, however; it's recommended that you move one and then the other as soon as you can. While they can run side by side, you may get a copy of the 8.3 config (completely different core commands) pushed on top of the 8.2.

You can upgrade without the memory upgrade and the code will load, but it throws an error. As you can imagine, you will be forfeiting support if you choose to do this, since when you call TAC with a problem they're going to point this out first :)

VTP vs GVRP, the winner? Neither..

In a large network, keeping VLANs synchronized can be a challenge. Having automatic tools to ensure correct distribution of VLANs helps to reduce the chance of some of our human errors and typos, and also just makes our lives easier :)

Two fairly well-known protocols that are capable of automatic propagation of VLAN information are: VTP and GVRP. Both protocols provide similar functionality:

1. VTP is a proprietary protocol from Cisco. It is great for distributing VLAN information between switches; so long as it's an all-Cisco network, things are great.
2. GVRP is a standards-based solution, but suffers from less widespread support; some vendors such as Cisco do not support GVRP (only on the old CatOS).

Either can work fine if you only have a single vendor of switch to manage; however, in a mixed environment you will likely need an SNMP management utility that can synchronize between the two, as there doesn't seem to be a Layer 2 protocol-based solution. So keep your eyes open for plug-ins for your management applications, or support within the application for VLAN synchronization.

Thursday, May 20, 2010

Useful protocol cheat sheets

I just wanted to share the link to www.packetlife.net this is a useful resource for anyone in the networking field. They have several different protocol "cheat sheets" that you can print and hang in the cube, or just review as needed. There are also notes from studying for different certification exams, which I imagine many of you will find useful.

Monday, January 11, 2010

ASA Technology Update


For those of you who have taken the ASA course with me in the past (8.0 and earlier) this article will serve as a brief introduction to a few of the new features that Cisco has released recently that I thought you may be interested in. This may also prove helpful to those who have not taken the course but administer or are considering using the Cisco ASA 5500 series firewalls.


SNMP V3
Over the last several years when the topic of Simple Network Management Protocol (SNMP) was discussed by security engineers or auditors, the best practice was said to be disabling it. While this is not always an option due to the loss of functionality from a management perspective, it often proved to be a necessity from a security standpoint due to the lack of encryption of management traffic. While routers and switches have supported this functionality for quite some time it has just recently surfaced on the ASA.

As of version 8.2 of the ASA, SNMP V3 is supported, including support of DES, 3DES, and AES for protection of management data. This is great news to those of you who are required to support SNMP yet also expected to pass annual security audits. The only question that remains is whether or not your monitoring software supports SNMP V3.

Botnet Traffic Filter

Another very exciting feature released in the 8.2 release is the Botnet Traffic Filter. This new technology enables the ASA to monitor both inbound and outbound traffic and compare the external IP addresses and hostnames to a dynamic database of offensive IP addresses and domain names. Essentially, after purchasing the license for this feature (30 day trial available) your firewall gains insight to the latest known locations of botnet control points, SPAM distribution points, and other known hostile hosts.

The Cisco Security Intelligence Operations Group maintains this real-time blacklist. The CSIOG is comprised of hundreds of engineers and researchers analyzing terabytes of data each day and building a global correlation rule set. Cisco has leveraged technologies that were originally part of the IronPort product (SenderBase) and is now referring to that technology as SensorBase.

Imagine a scenario where a spear-phishing attack is used against an accountant or board-level executive. An attack that incorporates a new 0-day PDF exploit is run, which bypasses your antivirus, and the agent attempts to connect to a control point in Russia. If the control point is hosted in a known hostile net block, the ASA can prevent this connection from establishing and send a notification to the administrator of the attempted communication. This makes for a much happier ending than the ones you’ve been reading about in the news lately.

AnyConnect Essentials

AnyConnect Essentials is a new licensing option for SSL VPN client on the ASA. With the introduction of SSL VPN, Cisco began charging “per connection fees” for remote VPN connections. This came as a shock to many of you who were accustomed to connecting as many users as the box allowed with IPSec and having never given a thought to licensing. The default WebVPN license on the ASA is 2 concurrent WebVPN users, each additional user requires additional licensing.

The traditional WebVPN licensing is a fairly cost-prohibitive option for many of the customers I’ve spoken with; however, it was only required if you were using WebVPN. The traditional IPSec VPN connections, either site-to-site or remote access, worked just as before with no licensing fees. The problem is that Cisco did not release a Windows 7 or 64-bit Windows IPSec client, which means that for each remote user with a 64-bit OS you will need a license for each user who will be connected to the ASA at the same time.

With AnyConnect Essentials licensing you can purchase a reduced-cost license that allows client-based users to build VPN connections if they use the AnyConnect client. In other words, if you want to use the web portal (clientless) or support Cisco Secure Desktop, you will need the traditional (more expensive) licenses. If you simply need those 64-bit Windows hosts to connect remotely using a software client, you can purchase the AnyConnect Essentials license (less expensive).

For those of you with Apple hardware running snow leopard (10.6) you will be relieved to know that even though you have a 64bit operating system there is built-in support for Cisco IPSec remote access, so you will not have to purchase any additional licensing or even install additional software as it’s built directly into the operating system (although a bit hidden). Simply add a new network interface, select VPN under interface and select CiscoIPSec under VPN Type. There is no need to launch a 3rd party application as done in the past.


Netflow (8.1)

Technically NetFlow support was introduced in 8.1; however, I still consider it a very exciting and relatively new feature. Also, I’ve found that many administrators are not aware of it, and it’s something I think you all should be using. As you may already know, Cisco Systems developed NetFlow as a way to export information regarding IP flows for detailed monitoring and auditing of network traffic. A flow is essentially the combination of the following pieces of information:

• Source & destination IP address
• Source & destination port number
• IP protocol number
• Ingress interface
• Type of service

I like to compare NetFlow data to the detailed information that my cellular provider gives me each month on my bill. I can see whom I communicated with, how long I communicated with them, the times that the communication took place, and how we communicated (whether it was a phone call or a text message). NetFlow is not a full IP log or capture of all data; it is simply information about the flows of data. We collect these flows and then build detailed reports and statistics from that data, such as: when are your peak traffic hours, what are your top protocols, which are your top talkers, who’s moving the most data, which protocols or ports were seen today for the first time (botnet communication detection), etc.

NetFlow data is extremely useful to administrators: not only does it serve as a window into current network conditions, but once archived to a database you can gain insight into how long certain hosts have been communicating (days, weeks, years) and how often. If there is a host that has been compromised and we see that it’s been communicating with a command & control point, we can run a query against all recorded traffic and determine whether other hosts are communicating with that same control point, how long this has been occurring, what data has been leaked, etc.
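As an added example (not Cisco or Plixer code), here is what the flow concept and the reports above look like in Python: packets are collapsed into unidirectional flows keyed on the fields listed earlier, and then the top-talker report, the "port seen today for the first time" check and the "who else talked to that control point" query from this and the Botnet Traffic Filter section are run over them. The packet records and the baseline port set are constructed, not a real export; the code works on already-decoded records, so parsing NetFlow v9 packets off the wire is not covered.

```python
from collections import defaultdict, namedtuple

# A flow key is exactly the field list from the article.
FlowKey = namedtuple("FlowKey", "src_ip dst_ip src_port dst_port proto ingress tos")

# Constructed packet records, one tuple per packet (this is not a real capture):
# (timestamp, src_ip, dst_ip, src_port, dst_port, ip_proto, ingress_if, tos, bytes)
PACKETS = [
    (1000, "10.1.1.5",  "203.0.113.9",   51000, 443,  6,  "inside", 0, 600),
    (1001, "10.1.1.5",  "203.0.113.9",   51000, 443,  6,  "inside", 0, 1200),
    (1002, "10.1.1.7",  "203.0.113.9",   52000, 443,  6,  "inside", 0, 400),
    (1003, "10.1.1.5",  "198.51.100.20", 53000, 25,   6,  "inside", 0, 300),
    (1004, "10.1.1.9",  "192.0.2.77",    54000, 6667, 6,  "inside", 0, 150),
    (1005, "10.1.1.9",  "192.0.2.77",    54000, 6667, 6,  "inside", 0, 150),
    (1010, "10.1.1.12", "192.0.2.77",    55000, 6667, 6,  "inside", 0, 90),
    (1011, "10.1.1.9",  "10.1.1.1",      40000, 53,   17, "inside", 0, 70),
]


def build_flows(packets):
    """Collapse packets into unidirectional flows: key -> first/last timestamp, packet and byte counts."""
    flows = {}
    for ts, src, dst, sport, dport, proto, ingress, tos, nbytes in packets:
        key = FlowKey(src, dst, sport, dport, proto, ingress, tos)
        rec = flows.get(key)
        if rec is None:
            flows[key] = {"first": ts, "last": ts, "packets": 1, "bytes": nbytes}
        else:
            rec["last"] = max(rec["last"], ts)
            rec["packets"] += 1
            rec["bytes"] += nbytes
    return flows


def top_talkers(flows, n=3):
    """Sources ranked by bytes sent: the 'who is moving the most data' report."""
    totals = defaultdict(int)
    for key, rec in flows.items():
        totals[key.src_ip] += rec["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def first_seen_ports(flows, baseline_ports):
    """Destination ports present now but never in the baseline: the article's
    'seen today for the first time' check, a cheap flag for a new C2 channel."""
    return sorted({key.dst_port for key in flows} - set(baseline_ports))


def peers_of(flows, control_point):
    """Every source that talked to one destination, with when and how much:
    the query run against archived flows once a control point is known."""
    peers = {}
    for key, rec in flows.items():
        if key.dst_ip != control_point:
            continue
        entry = peers.setdefault(key.src_ip, {"first": rec["first"], "last": rec["last"], "bytes": 0})
        entry["first"] = min(entry["first"], rec["first"])
        entry["last"] = max(entry["last"], rec["last"])
        entry["bytes"] += rec["bytes"]
    return peers


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    print("%d flows from %d packets" % (len(flows), len(PACKETS)))
    print("top talkers:", top_talkers(flows))
    print("ports not in baseline:", first_seen_ports(flows, {25, 53, 443}))
    print("hosts that reached 192.0.2.77:", peers_of(flows, "192.0.2.77"))
```

Note that real NetFlow records are unidirectional too, so a TCP session shows up as two flows (one per direction); a collector such as Scrutinizer pairs them up for you, which this example deliberately does not.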

It is my opinion that NetFlow collection could be useful to you, and while the full capabilities of NetFlow would be impossible to cover in this short article, I can only suggest you investigate these capabilities in the future. It may also be helpful to know that the ASA exports in a format called NetFlow V9 (or NetFlow Secure Event Logging). Without going into the differences between the formats, I wanted to point out that the collector you use (central logging point) must support NetFlow V9. NetFlow V9 is not widely supported; however, Plixer has a free product called Scrutinizer, which supports the ASA and NetFlow V9. I’ve used Scrutinizer and I’m very happy with the results. Many of you will also be happy to know that Scrutinizer has a free version.