In short, yes. Netflow was designed by Cisco, however many vendors support something similar, for instance Juniper uses Jflow, Foundry uses Sflow, and H3C/3com use something called NetStream.
NetStream supports version 5,8 and 9, which maps to NetFlow version 5,8 and 9 for the most part. While there are some differences in the H3C implementation, Plixer has overcome these inconsistencies and now supports NetStream in their awesome product Scrutinizer.
H3C also offers a monitoring module for the 7500E and 9500E switches, if you wanted to perform NetStream collection directly on the switch.
Wednesday, May 26, 2010
Is it metasploitable?
Good news to those of you who were looking for a "punching-bag" without the labors of building your own, the Metasploit crew has released Metasploitable which is a purpose-built virtual machine chock-full of vulnerabilities that can be exploited by MSF. It's built on Ubuntu 8.04 which is good news for those of you that have only been working against Windows servers this whole time, you can try out some different payloads.
Grab the torrent!
Grab the torrent!
VMWare overhauls graphics performance in the latest build
If you've attended my hacking course in the past, you'll know that I like Mac's and you'll know why. While no operating system is perfect, OS X has been very good to me over the years. Fusion makes our lives a bit smoother by allowing to run Windows within OS X, so we can hang on to all of those apps that don't work in OS X (and without a reboot).
Well the latest Fusion update gives me support for all 8 CPUs on my MAC pro, even if you don't have 8 CPU's they clain 35% increase in application performance and 500% increase in 3D performance. As you may recall, 3.0 gave us the ability to run DirectX games within Windows 7 within our OS X. Yes the game would load, and it was fine for logging in to check the broker of a MMORPG, or some other brief activity but it's not something you'd want to spend a lot of time in. Well, with 3.1 I was able to launch TF2 via Steam within Windows 7, log into a server and quickly and smoothly make some kills. Very nice improvement. One thing to keep your eye on is the amount of RAM allocated to your virtual machine.
VMware also supports Unity, which is the ability to run a Windows application, in it's own window within OS X. In other words, the app, while running within the guest OS, appears in the host OS as though it's native.
There are many other new features as well, and it's a free upgrade if you're running 3.0 so go ahead an upgrade already!
It should also be noted that a similar upgrade is available for VMware Workstation (7.1) that boasts similar performance upgrades, based on optimizations for i3,i5, and i7 CPUs, also improved graphics support. Workstation costs approximately double what Fusion does, however you can deploy VM's to ESX from it with ease, and it supports snapshots, which are an essential feature for Malware Analysis. I've got both Workstation and Fusion and I'm very happy with each.
Well the latest Fusion update gives me support for all 8 CPUs on my MAC pro, even if you don't have 8 CPU's they clain 35% increase in application performance and 500% increase in 3D performance. As you may recall, 3.0 gave us the ability to run DirectX games within Windows 7 within our OS X. Yes the game would load, and it was fine for logging in to check the broker of a MMORPG, or some other brief activity but it's not something you'd want to spend a lot of time in. Well, with 3.1 I was able to launch TF2 via Steam within Windows 7, log into a server and quickly and smoothly make some kills. Very nice improvement. One thing to keep your eye on is the amount of RAM allocated to your virtual machine.
VMware also supports Unity, which is the ability to run a Windows application, in it's own window within OS X. In other words, the app, while running within the guest OS, appears in the host OS as though it's native.
There are many other new features as well, and it's a free upgrade if you're running 3.0 so go ahead an upgrade already!
It should also be noted that a similar upgrade is available for VMware Workstation (7.1) that boasts similar performance upgrades, based on optimizations for i3,i5, and i7 CPUs, also improved graphics support. Workstation costs approximately double what Fusion does, however you can deploy VM's to ESX from it with ease, and it supports snapshots, which are an essential feature for Malware Analysis. I've got both Workstation and Fusion and I'm very happy with each.
Tuesday, May 25, 2010
ASA 8.3, Firewall Technology update (another one)
In the new version of code for 8.3, you'll notice a few changes, perhaps most obviously the new memory requirements, the 5520s and 5540's for instance now require 4 GB of ram. Besides the new RAM requirements you'll find the following changes:
Wider support for IE8 (32& 64 / win 7, vista, xp) also officially support 10.6 OSX for SSL VPN.
Licensing is now aggregate, that is if you have 100 SSL VPN licenses on your active, and 100 on standby (this is required, even though only the active can terminate connections) starting with 8.3, your active ASA will support the aggregate (200) number of licenses. If there was ever a failure, and one is shipped back to Cisco, the other will support the aggregate for 30 days. That should be plenty of time to replace your backup.
You'll now use "objects" which is your IP to name mapping (think names). You can now define a server once, Mailserver=192.168.168.50, and put that MailServer in several different ACLs and NAT rules, you can then change the mapping and it will follow within the other portions of the configuration. The goal is to move towards a more object-oriented configuration, so it's simpler to configure things and make changes system-wide.
There is a new technique, where you can do a reverse many-to-one NAT, called one-to-many NAT. The idea is that you can have a single host on the inside, that is now matching multiple IP's on the outside, perhaps two different service providers.
ACLs now use a concept called REAL-IP, the idea of REAL-IP is that when you build that ACL for the outside interface, for server 192.168.168.50 that's being mapped to 50.50.50.50, you would previously think about what the packet looks like when it arrives on the interface. So think, on the outside, the packet is destined for 50.50.50.50 (there's a static NAT to the inside host). Well, now you'll use the REAL-IP, or the actual IP of the box. While frustrating for some of the veteran users, the idea is to make it easier for the new guys coming in. They can now look at access from a higher level, and permit or deny access to a server, or host regardless of thinking about the static NAT configuration.
There is also a concept of global ACLs, if you're familiar with Modular Policy Framework, think of a Policy-map that is applied globally. So the global ACL is that you can permit or deny traffic universally, ignoring the interfaces. This is a concept available on competitors products, so Cisco wanted to support it. The traditional ACL implementation is still supported, the idea though is if you have a lot of interfaces and you want to allow access to a specific host on all of them, you can write that rule in a global ACL and not have to create the same entry on every interface. While some of this seems frustrating for the veterans, the end goal is to make our lives easier.
Smart-call-home (introduced in 8.2.2) dumps stats and config (sanitized) details to Cisco, and you can login and view details about your equipment. You can see if there are TAC advisories for your versions of code, if there are issues you can open a TAC case from there. Another fun aspect is that you're looking at spec's on the box (CPU, Memory, Interface) and can log those periodically so it's great for base-lining and if you have an issue TAC can easily see the history right there.
Upgrading to 8.3 will perform a config-conversion, meaning your CLI configuration will look completely different from how it looked prior to upgrade. There will also be a file in flash that's basically a text file that shows any errors that occured in the upgrade.(I performed an upgrade of a fairly complex configuration without any errors by the way). If you're a CLI user, it will feel like you're on a different planet, if you're an ASDM user, you may not be real sure what's different, as the look, feel,and terminology is almost identical.
Your existing config is backed-up to flash, and there is actually a downgrade command, so if you do hate it you can roll back. *note* if you do use the downgrade command, realize that you must specify the name of the file which you can find in flash. (Similar to the downgrade process that appeared when moving from 6.3 to 7.0).
As you may recall from any of my classes, you can perform a zero-downtime upgrade, by moving one ASA at a time to 8.3 from 8.2 and you can have a fail-over pair on different code, and the 8.3 is no different. This should not be used for a long period of time however, it's recommended that you move one then the other as soon as you can. While they can run side-by-side you may get a copy of the 8.3 config (completely different core commands) pushed on top of the 8.2.
You can upgrade without the memory upgrade, and the code will load, but it throws an error. As you can imagine you will be forfeiting support if you chose to do this, as when you call TAC with a problem, they're going to point this out first :)
Wider support for IE8 (32& 64 / win 7, vista, xp) also officially support 10.6 OSX for SSL VPN.
Licensing is now aggregate, that is if you have 100 SSL VPN licenses on your active, and 100 on standby (this is required, even though only the active can terminate connections) starting with 8.3, your active ASA will support the aggregate (200) number of licenses. If there was ever a failure, and one is shipped back to Cisco, the other will support the aggregate for 30 days. That should be plenty of time to replace your backup.
You'll now use "objects" which is your IP to name mapping (think names). You can now define a server once, Mailserver=192.168.168.50, and put that MailServer in several different ACLs and NAT rules, you can then change the mapping and it will follow within the other portions of the configuration. The goal is to move towards a more object-oriented configuration, so it's simpler to configure things and make changes system-wide.
There is a new technique, where you can do a reverse many-to-one NAT, called one-to-many NAT. The idea is that you can have a single host on the inside, that is now matching multiple IP's on the outside, perhaps two different service providers.
ACLs now use a concept called REAL-IP, the idea of REAL-IP is that when you build that ACL for the outside interface, for server 192.168.168.50 that's being mapped to 50.50.50.50, you would previously think about what the packet looks like when it arrives on the interface. So think, on the outside, the packet is destined for 50.50.50.50 (there's a static NAT to the inside host). Well, now you'll use the REAL-IP, or the actual IP of the box. While frustrating for some of the veteran users, the idea is to make it easier for the new guys coming in. They can now look at access from a higher level, and permit or deny access to a server, or host regardless of thinking about the static NAT configuration.
There is also a concept of global ACLs, if you're familiar with Modular Policy Framework, think of a Policy-map that is applied globally. So the global ACL is that you can permit or deny traffic universally, ignoring the interfaces. This is a concept available on competitors products, so Cisco wanted to support it. The traditional ACL implementation is still supported, the idea though is if you have a lot of interfaces and you want to allow access to a specific host on all of them, you can write that rule in a global ACL and not have to create the same entry on every interface. While some of this seems frustrating for the veterans, the end goal is to make our lives easier.
Smart-call-home (introduced in 8.2.2) dumps stats and config (sanitized) details to Cisco, and you can login and view details about your equipment. You can see if there are TAC advisories for your versions of code, if there are issues you can open a TAC case from there. Another fun aspect is that you're looking at spec's on the box (CPU, Memory, Interface) and can log those periodically so it's great for base-lining and if you have an issue TAC can easily see the history right there.
Upgrading to 8.3 will perform a config-conversion, meaning your CLI configuration will look completely different from how it looked prior to upgrade. There will also be a file in flash that's basically a text file that shows any errors that occured in the upgrade.(I performed an upgrade of a fairly complex configuration without any errors by the way). If you're a CLI user, it will feel like you're on a different planet, if you're an ASDM user, you may not be real sure what's different, as the look, feel,and terminology is almost identical.
Your existing config is backed-up to flash, and there is actually a downgrade command, so if you do hate it you can roll back. *note* if you do use the downgrade command, realize that you must specify the name of the file which you can find in flash. (Similar to the downgrade process that appeared when moving from 6.3 to 7.0).
As you may recall from any of my classes, you can perform a zero-downtime upgrade, by moving one ASA at a time to 8.3 from 8.2 and you can have a fail-over pair on different code, and the 8.3 is no different. This should not be used for a long period of time however, it's recommended that you move one then the other as soon as you can. While they can run side-by-side you may get a copy of the 8.3 config (completely different core commands) pushed on top of the 8.2.
You can upgrade without the memory upgrade, and the code will load, but it throws an error. As you can imagine you will be forfeiting support if you chose to do this, as when you call TAC with a problem, they're going to point this out first :)
VTP vs GVRP, the winner? Neither..
In a large network, keeping VLANs synchronized can be a challenge. Having automatic tools to ensure automatic and correct distribution of VLANs helps to reduce the chance of some of our human errors and typo's, and also just to make our lives easier :)
Two fairly well-known protocols that are capable of automatic propagation of VLAN information are: VTP and GVRP. Both protocols provide similar functionality:
1. VTP is a proprietary protocol from Cisco. Which is great for distributing VLAN information between switches, so-long as it's an all Cisco network, things are great.
2. GVRP is a standards based solution, but suffers from a less widespread support, some vendors such as Cisco do not support GVRP (only on the old CatOS)
Either can work find if you only have a single vendor of switch to manage, however in a mixed environment you will likely need a SNMP Manamagent utility that can synchronize between the two, as there doesn't seem to be a Layer-2-protcol based solution, so keep your eyes open for plug-in's for your management applications, or support within the application for VLAN synchronization.
Two fairly well-known protocols that are capable of automatic propagation of VLAN information are: VTP and GVRP. Both protocols provide similar functionality:
1. VTP is a proprietary protocol from Cisco. Which is great for distributing VLAN information between switches, so-long as it's an all Cisco network, things are great.
2. GVRP is a standards based solution, but suffers from a less widespread support, some vendors such as Cisco do not support GVRP (only on the old CatOS)
Either can work find if you only have a single vendor of switch to manage, however in a mixed environment you will likely need a SNMP Manamagent utility that can synchronize between the two, as there doesn't seem to be a Layer-2-protcol based solution, so keep your eyes open for plug-in's for your management applications, or support within the application for VLAN synchronization.
Thursday, May 20, 2010
Useful protocol cheat sheets
I just wanted to share the link to www.packetlife.net this is a useful resource for anyone in the networking field. They have several different protocol "cheat sheets" that you can print and hang in the cube, or just review as needed. There are also notes from studying for different certification exams, which I imagine many of you will find useful.
Subscribe to:
Posts (Atom)
Posts
