Category Archives for "Security"

Collecting MAC and IP Addresses of Hosts Connected to Cisco Switches Using SNMP

The goal of this article is to introduce a script that automates the process of collecting the MAC and IP addresses of hosts connected to Cisco switches using the Simple Network Management Protocol (SNMP). We will configure SNMP versions 2c and 3 on Cisco switches and create a Bash script that collects the required data for us. For this purpose I have created a test network lab using GNS3. The topology consists of three Cisco virtual switch appliances running vIOS-L2 and one network management station (NMS) based on Kali Linux. Network hosts are simulated by Core Linux appliances connected to the Cisco vIOS-L2 switches.

1. GNS3 Lab

1.1 List of software used for creating GNS3 lab

  • Host OS
    x86-64 Linux Fedora with GNS3 1.3.11 and Qemu 1.4.0 installed
  • Network Management Station
    Linux Kali 3.18.0-kali3-amd64
  • Switches
    Cisco vIOS L2 Software (vios_l2-ADVENTERPRISEK9-M), Version 15.2
    Cisco Catalyst 3550 (C3550-IPSERVICESK9-M), Version 12.2(55)SE9
  • Network Host (End device)
    Linux Core 3.16.6-tinycore64

1.2 Network Topology Description

All virtual network and host devices run inside a GNS3 project and are emulated by the Qemu emulator and virtualizer. The only exception is a Cisco Catalyst 3550 switch that is connected to the topology via a GNS3 network Continue reading

Some notes on the eDellRoot key

It was discovered this weekend that new Dell computers, as well as old ones with updates, come with a CA certificate ("eDellRoot") that includes the private key. This means hackers can eavesdrop on the SSL communications of Dell computers. I explain how in this blog post, just replace the "ca.key" with "eDellRoot.key".

If I were a black-hat hacker, I'd immediately go to the nearest big city airport and sit outside the international first class lounges and eavesdrop on everyone's encrypted communications. I suggest "international first class", because if they can afford $10,000 for a ticket, they probably have something juicy on their computer worth hacking.

I point this out in order to describe the severity of Dell's mistake. It's not a simple bug that needs to be fixed, it's a drop-everything and panic sort of bug. Dell needs to panic. Dell's corporate customers need to panic.

Note that Dell's spinning of this issue has started, saying that they aren't like Lenovo, because they didn't install bloatware like Superfish. This doesn't matter. The problem with Superfish wasn't the software, but the private key. In this respect, Dell's error is exactly as bad as the Superfish error.

Worth Reading Roundup: Security and Privacy

“If I haven’t done anything wrong, then I don’t have anything to hide.” This is one of those bits of nonsense that never seems to lose its power regardless of how many times it has been proven wrong in history. Privacy is one of the most important freedoms we enjoy — the privacy to try, the privacy to work things out among friends, and even the privacy to fail.

So what does the ‘net say about privacy this week?

One of the most disturbing things is the growing tendency to engineer people for greater efficiency. This trend started more than a hundred years ago — remember this?

But there is something fundamentally dehumanizing about treating people like machines out of whom you can squeeze infinite amounts of bandwidth — but it seems to be something we’re pushing towards almost as fast as we can, in both the corporate world and in government.

Digging into personal information in order to manipulate the environment for greater profit and productivity just seems a bit slimy. And I used the word manipulate (and slimy) on purpose. fistful of talent

Many countries are in the throes of a debate about the amount of surveillance a government Continue reading

The Next Horizon for Cloud Networking & Security

VMware NSX has been around for more than two years now, and in that time software-defined networking and network virtualization have become inextricably integrated into modern data center architecture. It seems like an inconceivable amount of progress has been made. But the reality is that we’re only at the beginning of this journey.

The transformation of networking from a hardware industry into a software industry is having a profound impact on services, security, and IT organizations around the world, according to VMware’s Chief Technology Strategy Officer for Networking, Guido Appenzeller.

“I’ve never seen growth like what we’ve found with NSX,” he says. “Networking is going through a huge transition.” Continue reading

Castle versus Cannon: It’s time to rethink security

In case you’re confused about the modern state of security, let me give you a short lesson.

Your network is pictured to the left. When I first started working on networks in the USAF we were just starting to build well designed DMZs, sort of a gate system for the modern network. “Firewalls” (a term I’m coming to dislike immensely), guard routers, VPN concentrators, and other systems were designed to keep your network from being “penetrated.” Standing at the front gate you’ll find a few folks wearing armor and carrying swords, responsible for letting only the right people inside the walls — policies, and perhaps even an IDS or two.

The world lived with castles for a long time — thousands of years, to be precise. In fact, the pride of the Roman Legion really wasn’t the short sword and battle formation, it was their ability to work in concrete. Certainly they had swords, but they could also build roads and walls, as evidenced by the Roman style fortifications dotting the entire world.

But we don’t live inside concrete walls any longer. Instead, our armies today move on small and large vehicles, defending territory through measure and countermeasure. They gather Continue reading

Five Functional Facts about TACACS+ in ISE 2.0

The oft-requested and long-awaited arrival of TACACS+ support in Cisco’s Identity Services Engine (ISE) is finally here, starting in version 2.0. I’ve been able to play with this feature in the lab and wanted to blog about it so that existing ISE and ACS (Cisco’s Access Control Server, the long-time de facto TACACS+ server) users know what to expect.

Below are five facts about how TACACS+ works in ISE 2.0.

Continue reading

Distributed Firewall ALG

In the last post, VMware NSX™ Distributed Firewall installation and operation was verified. In this entry, the FTP (file transfer protocol) ALG (Application Level Gateway) is tested for associating data connections with originating control connections – something a stateless ACL (access control list) can’t do.

An added benefit over stateless ACLs – most compliance standards more easily recognize a stateful inspection-based firewall for access control requirements.

To check ALG support for a particular NSX version, refer to the VMware NSX Administration manual. VMware NSX version 6.2 supports FTP, CIFS, ORACLE TNS, MS-RPC, and SUN-RPC ALGs. Do expect additional ALG protocol support with future versions of NSX.

Assuming a default firewall rulebase for simplicity, and a basic setup:

  • three ESXi vSphere 6.0 hosts in a cluster
  • NSX installed, with the NSX Manager installed on the first host
  • two guest VMs running CentOS: one running an FTP server, the other an FTP client

Simplified diagram, along with connections for the following test:

(figure: layout)

Previously, an ESXi host command line was used to interact with the Distributed Firewall. Here, the NSX Manager Central CLI – a new option with NSX 6.2 – is used. Slightly different incantations, but the same results can be Continue reading

CCDE – Firewall And IPS Design Considerations

Introduction

This post will discuss different design options for deploying firewalls and Intrusion Prevention Systems (IPS) and how firewalls can be used in the data center.

Firewall Designs

Firewalls have traditionally been used to protect inside resources from being accessed from the outside. The firewall is then deployed at the edge of the network. The security zones are then referred to as “outside” and “inside” or “untrusted” and “trusted”.

CCDE basic firewall inside and outside

Anything coming from the outside is blocked by default unless the connection was initiated from the inside. Anything from the inside going out is allowed by default. The default behavior can of course be modified with access-lists.

It is also common to use a Demilitarized Zone (DMZ) when publishing external services such as e-mail, web and DNS. The goal of the DMZ is to separate the servers hosting these external services from the inside LAN, to lower the risk of a breach reaching the inside. From the outside, only the ports that the service is using will be allowed into the DMZ, such as ports 80, 443, 53 and so on. From the DMZ only a very limited set of traffic will be allowed Continue reading

We should all follow Linus’s example

Yet another Linus rant has hit the news, where he complains about how "your shit code is fucking brain damaged". Many have complained about his rudeness, how it's unprofessional, and part of the culture of harassment in tech. They are wrong. Linus Torvalds is the nicest guy in tech. We should all try to be more like him.

The problem in tech isn't bad language ("your shit code"), but personal attacks ("you are shit").

A good example is Brendan Eich, who was fired from his position as Mozilla CEO because people disagreed with his political opinions. Another example is Nobel prize winner Tim Hunt who was fired because people took his pro-feminist comments out of context and painted him as a misogynist. Another example is Pax Dickinson, who was fired as CTO of Business Insider because of jokes he made before founding the company. A programmer named Curtis Yavin* was booted from a tech conference because he's some sort of monarchist. Yet more examples are the doxing and bomb threats that censor both sides of the GamerGate fiasco. The entire gamer community is a toxic cesspool of personal attacks. We have another class of people, the "SJW"s, Continue reading

The Godwin fallacy

As Wikipedia says:
Godwin's law and its corollaries would not apply to discussions covering known mainstays of Nazi Germany such as genocide, eugenics, or racial superiority, nor to a discussion of other totalitarian regimes or ideologies, if that was the explicit topic of conversation, because a Nazi comparison in those circumstances may be appropriate, in effect committing the fallacist's fallacy, or inferring that an argument containing a fallacy must necessarily come to incorrect conclusions.
An example is a discussion whether waving the Confederate flags was "hate speech" or "fighting words", and hence undeserving of First Amendment protections.

Well, consider the famous march by the American Nazi party through Skokie, Illinois, displaying the Swastika flag, where 1 in 6 residents was a survivor of the Holocaust. The Supreme Court ruled that this was free speech, that the Nazis had a right to march.

Citing the Skokie incident isn't Godwin's Law. It's exactly the precedent every court will cite when deciding whether waving a Confederate flag is free speech.

I frequently discuss totalitarianism, as it's something that cyberspace can both enable and defeat. Comparisons with other totalitarian regimes, notably Soviet Russia and Nazi Germany, are inevitable. They aren't Godwin hyperbole, they are on point. Continue reading

CloudFlare is now PCI 3.1 certified

The Payment Card Industry Data Security Standard (PCI DSS) is a global financial information security standard that keeps credit card holders safe. It ensures that any company processing credit card transactions adheres to the highest technical standards.

PCI certification has several levels. Level one (the highest level) is reserved for those companies that handle the greatest numbers of credit cards. Companies at level one PCI compliance are subject to the most stringent checks.

CloudFlare’s mission leads it to provide security for some of the most important companies in the world. This is why CloudFlare chose to be audited as a level one service provider. By adhering to PCI’s rigorous financial security controls, CloudFlare ensures that security is held to the highest standard and that those controls are validated independently by a recognised body.

If you are interested in learning more, see these details about the Payment Card Industry Data Security Standard.

This year’s update from PCI 2.0 to 3.1 was long overdue. PCI DSS 2.0 was issued in October 2010, and the information security threat landscape does not stand still—especially when it comes to industries that deal with financial payments or credit cards. New attacks are almost Continue reading