Recently in Security Category

Display Pre-Shared Keys in ASA Running Configuration

November 10, 2009 3:58 PM | 14 Comments

Simple tip to see pre-shared VPN keys:

CiscoASA# more system:running-configuration

Cisco Updates SAFE Design Guides

June 16, 2009 8:53 AM | 16 Comments

I'm a little behind on this (occured a couple months back)...but Cisco has updated their famous SAFE design guides. Excellent resource:

Cisco SAFE on Cisco.com

Download complete PDF from CiscoBlog

Template Parameter Access List

November 12, 2008 3:21 PM | 13 Comments

My friend Mike Storm has come up with a good "base" ACL for use on Internet facing routers and firewall devices. While he has it listed on his blog, I am referencing it here for my own future reference.

Assuming my PubNet range is a block of 32 66.238.29.0 - 31. See below

! no fragments
access-list 100 deny tcp any 66.238.29.0 0.0.0.31 log fragments
access-list 100 deny udp any 66.238.29.0 0.0.0.31 log fragments
access-list 100 deny icmp any 66.238.29.0 0.0.0.31 log fragments
! no snmp inbound from the Internet
access-list 100 deny udp any any eq snmp
access-list 100 deny udp any any eq snmptrap
! RFC 2827 Ingress, RFC 3804 Martian Filtering and RFC 1918 private Address Filtering
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 255.0.0.0 0.255.255.255 any log
access-list 100 deny ip 224.0.0.0 31.255.255.255 any log
access-list 100 deny ip host 0.0.0.0 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.0.2.0 0.0.0.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 14.0.0.0 0.255.255.255 any log
access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
access-list 100 deny ip 198.18.0.0 0.0.255.255 any log
access-list 100 deny ip 66.238.29.0 0.0.0.31 any log
! no routing protocols inbound (unless needed)
access-list 100 deny tcp any any eq bgp log
access-list 100 deny tcp any eq bgp any log
access-list 100 deny ipinip any any
access-list 100 deny gre any any
access-list 100 deny pim any any
access-list 100 deny 90 any any
access-list 100 deny ospf any any log
access-list 100 deny eigrp any any log
access-list 100 deny udp any eq rip any log
access-list 100 deny udp any any eq rip log
access-list 100 permit now begins your permits...if any

Notes:
192.0.2.0 0.0.0.255 any log (range known to be used exploit default pw on WLA devices)
4.0.0.0 0.255.255.255 any log (Known as Net-14, a Public use network, possibly used by attackers)
69.254.0.0 0.0.255.255 any log (RFC2026 Link Local)
198.18.0.0 0.0.255.255 any log (block for benchmark tests of network interconnect devices, RFC2544)

Cisco Updates CCSP

September 26, 2008 12:15 PM | 3 Comments

It's official - the CCSP is updated. I'm really digging the "core exams + electives" option. Allows you to become a CCSP who specializes in some security technology (ASA, MARS, NAC) without requiring you to know everything to get a CCSP certification. Wish they'd do the same for the CCVP program...I'm sure they will...

Security Tools Galore

May 31, 2006 4:45 PM | 4 Comments

I'm working on recording a security video series right now and came across this link: http://www.insecure.org/tools.html. Can we say ROCK ON?!? This is a list of the top 75 security tools you can use to audit your network. This is guarentees at least two months of tinkering around with these widgets. My top 5 are:

#1 Ethereal (the ol' standby)
#2 Nessus (be your own auditing company)
#3 NMap (port scanning galore)
#4 Netcat (port redirection & general hacking widget)
#5 Snort (free IDS)

Guidelines on Firewalls and Firewall Policy

April 29, 2006 2:00 PM | 4 Comments

I just finished reading through the National Institute of Standards and Technology (NIST)'s Guidelines on Firewalls and Firewall Policy. It's actually very well written with casual-enough language to hold your attention. I thought I'd sum up some of the key points for blocking traffic in a good firewall design. The following traffic types should always be blocked:

  • Inbound traffic from a non-authenticated source system with a destination address of the firewall itself
  • Inbound traffic with a source address indicating that the packet originated on a network behind the firewall
  • Inbound traffic containing ICMP
  • Inbound or outbound traffic from a system using a source address that falls within the private address ranges show n in RFC 1918
  • Inbound traffic from a non-authenticated source system containing SNMP
  • Inbound traffic containing IP Source Routing information
  • Inbound or outbound traffic containing a source or destination address of 127.0.0.1
  • Inbound or outbound traffic containing a source or destination address of 0.0.0.0
  • Inbound or outbound traffic containing a directed broadcast address

Like I said, really good reading. The whole article can be found at this link:
http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf

« Routing | Main Index | Archives | Switching »

Search

About this Archive

This page is an archive of recent entries in the Security category.

Routing is the previous category.

Switching is the next category.

Find recent content on the main index or look in the archives to find all content.