
Monday, March 26, 2012

The basics of a Cisco PIX firewall

A Cisco PIX firewall is meant to protect one network from another. There are PIX firewalls for small home networks and PIX firewalls for huge campus or corporate networks. In this example, we will be configuring a PIX 501 firewall. The 501 model is meant for a small home network or a small business.
PIX firewalls have the concept of inside and outside interfaces. The inside interface is the internal, usually private, network. The outside interface is the external, usually public, network. You are trying to protect the inside network from the outside network.

PIX firewalls also use the adaptive security algorithm (ASA). This algorithm assigns security levels to interfaces and says that no traffic can flow from a lower-level interface (like the outside interface) to a higher-level interface (like the inside interface) without a rule allowing it. The outside interface has a security level of zero and the inside interface has a security level of 100.


Here is what the output of the show nameif command looks like:
pixfirewall# show nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security100
pixfirewall#

Notice the ethernet0 interface is the outside interface (its default name) and the security level is 0. On the other hand, the ethernet1 interface is named inside (the default) and has a security level of 100.


Guidelines
Before beginning the configuration, your boss has given you some guidelines that you need to follow. Here they are:
  • All passwords should be set to "cisco" (in reality, you make these whatever you want, but not "cisco").
  • The inside network is 10.0.0.0 with a 255.0.0.0 subnet mask. The inside IP address for this PIX should be 10.1.1.1.
  • The outside network is 1.1.1.0 with a 255.255.255.0 subnet mask. The outside IP address for this PIX should be 1.1.1.1.
  • You want to create a rule to allow all inside clients on the 10.0.0.0 network to do port address translation and connect to the outside network. They will all share the global IP address 1.1.1.2.
  • However, clients should only have access to port 80 (Web browsing).
  • The default route for the outside (Internet) network will be 1.1.1.254.
The configuration
When you boot up your PIX firewall for the first time, you should see a screen like this:

You will be prompted to answer YES or NO as to whether or not you want to configure the PIX through interactive prompts. Answer NO to this question because you want to learn how to really configure the PIX firewall, not just answer a series of questions.
After that, you will be sent to a prompt that looks like this:
pixfirewall>
With the "greater than" symbol at the end of the prompt, you are in the PIX user mode. Change to privileged mode with the en or enable command. Press "enter" at the Password prompt. Here is an example:
pixfirewall>en
Password:
pixfirewall#


You are now in privileged mode, where you can run show commands, but you must enter global configuration mode to actually configure the PIX.
Now, let's move on to basic configuration of the PIX:
Basic PIX configuration
What I am calling basic configuration is made up of the following:
  • Set the hostname
  • Set passwords (login and enable)
  • Configure IP addresses on interfaces
  • Enable interfaces
  • Configure a default route
Before you can do any of these things, you need to go into global configuration mode. To do this, type:
pixfirewall# config t
pixfirewall(config)#


To set the hostname, use the hostname command, like this:
pixfirewall(config)# hostname PIX1
PIX1(config)#


Notice that the prompt changed to the name that you set.
Next, set the login password to cisco, like this:
PIX1(config)# password cisco
PIX1(config)#


This is the password required to gain any access to the PIX except administrative access.
Now, configure the enable mode password, used to gain administrative mode access.
PIX1(config)# enable password cisco
PIX1(config)#


Now we need to configure IP addresses on interfaces and enable those interfaces. The PIX, unlike a router, has no concept of interface configuration mode. To configure the IP address on the inside interface, use this command:
PIX1(config)# ip address inside 10.1.1.1 255.0.0.0
PIX1(config)#
Now, configure the outside interface IP address:
PIX1(config)# ip address outside 1.1.1.1 255.255.255.0
PIX1(config)#


Next, enable both the inside and outside interfaces. Make sure that the Ethernet cable on each interface is connected to a switch. Note that on a PIX 501 the ethernet0 (outside) interface is only a 10BASE-T interface, while the ethernet1 (inside) interface is a 100BASE-T interface. Here is how you enable these interfaces:
PIX1(config)# interface ethernet0 10baset
PIX1(config)# interface ethernet1 100full
PIX1(config)#


Note that you can do a show interfaces command, right from the global configuration prompt line.
Finally, let's configure a default route so that all traffic sent to the PIX will flow to the next upstream router (the 1.1.1.254 IP address that we were given). Here is how you do this:
PIX1(config)# route outside 0 0 1.1.1.254
PIX1(config)#


The PIX firewall can, of course, support dynamic routing protocols as well (such as RIP and OSPF).
Now, let's move on to some more advanced configuration.
Network Address Translation
Now that we have IP address connectivity, we need to use Network Address Translation (NAT) to allow inside users to connect to the outside. We will use a type of NAT called PAT, or NAT Overload, so that all inside devices can share one public IP address (in this example the global address 1.1.1.2 from the guidelines, an address on the outside network). To do this, enter these commands:
PIX1(config)# nat (inside) 1 10.0.0.0 255.0.0.0
PIX1(config)# global (outside) 1 1.1.1.2
Global 1.1.1.2 will be Port Address Translated
PIX1(config)#


With this, all inside clients are able to connect to devices on the public network and share IP address 1.1.1.2. However, clients don't yet have any rule allowing them to do this.
Firewall rules
These clients on the inside network have a NAT translation, but that doesn't necessarily mean that they are allowed access. They now need a rule to allow them to access the outside network (the Internet). That rule will also allow the return traffic to come back in.
To make a rule to allow these clients port 80 (Web browsing), you would type this:
PIX1(config)# access-list outbound permit tcp 10.0.0.0 255.0.0.0 any eq 80
PIX1(config)# access-group outbound in interface inside
PIX1(config)#


Note that PIX access lists, unlike router access lists, use a normal subnet mask, not a wildcard mask.
With this access list applied, the inside hosts are restricted to reaching Web servers (TCP port 80) on the outside network; any other outbound traffic from the inside interface is denied.
Showing and saving the configuration
Now that you have configured the PIX firewall, you can show your configuration with the show run command.
Make sure that you save your configuration with the write memory or wr m command. If you don't, your configuration will be lost when the PIX is powered off.
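As an added check (not part of the original post), the Python script below audits a PIX 6.x style configuration for the mistakes this walkthrough warns about: passwords left at "cisco", nat/global ids that do not pair up, access lists that are defined but never bound with access-group, and overly permissive entries. The embedded configuration is a constructed copy of the one built up above.

```python
import re

# Constructed sample: the running configuration the post builds up,
# in PIX 6.x syntax, embedded here so the checker runs offline.
PIX_CONFIG = """\
hostname PIX1
passwd cisco
enable password cisco
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address inside 10.1.1.1 255.0.0.0
ip address outside 1.1.1.1 255.255.255.0
route outside 0 0 1.1.1.254
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 1.1.1.2
access-list outbound permit tcp 10.0.0.0 255.0.0.0 any eq 80
access-group outbound in interface inside
"""

# Well-known defaults/placeholders that must never survive into production.
WEAK_PASSWORDS = {"cisco", "password", "admin", "pix"}


def audit_pix(config: str) -> list:
    """Return human-readable findings for a PIX 6.x style configuration."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    # 1. Login (passwd/password) and enable passwords set to a known weak value.
    for ln in lines:
        m = re.match(r"^(enable password|passwd|password)\s+(\S+)", ln)
        if m and m.group(2).lower() in WEAK_PASSWORDS:
            findings.append(f"{m.group(1)} uses weak value {m.group(2)!r}")

    # 2. Every non-zero nat id needs a global pool with the same id, and vice
    #    versa; an unpaired nat statement means inside hosts get no translation.
    nat_ids = {m.group(1) for ln in lines if (m := re.match(r"^nat \(\S+\) (\d+)", ln))}
    global_ids = {m.group(1) for ln in lines if (m := re.match(r"^global \(\S+\) (\d+)", ln))}
    for nid in sorted(nat_ids - global_ids - {"0"}):
        findings.append(f"nat id {nid} has no matching global statement")
    for gid in sorted(global_ids - nat_ids):
        findings.append(f"global id {gid} has no matching nat statement")

    # 3. Access lists only take effect once bound with access-group, and an
    #    access-group must not reference a list that was never defined.
    defined = {m.group(1) for ln in lines if (m := re.match(r"^access-list (\S+)", ln))}
    applied = {m.group(1) for ln in lines if (m := re.match(r"^access-group (\S+) in interface", ln))}
    for name in sorted(defined - applied):
        findings.append(f"access-list {name} is defined but not applied with access-group")
    for name in sorted(applied - defined):
        findings.append(f"access-group references undefined access-list {name}")

    # 4. "permit ... any any" entries defeat the purpose of the rule set.
    for ln in lines:
        if re.match(r"^access-list \S+ permit (ip|tcp|udp) any any$", ln):
            findings.append(f"overly permissive entry: {ln}")

    return findings


if __name__ == "__main__":
    for finding in audit_pix(PIX_CONFIG):
        print("FINDING:", finding)
```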

Sunday, March 25, 2012

Configure SNMP on Cisco Devices


The Simple Network Management Protocol (SNMP) is a necessary tool for every network administrator. You can easily configure it with just a few commands. SNMP is still the most popular way to monitor the performance of network devices, including Cisco routers and switches. With an SNMP management station, you can graph the performance of network devices. In addition, Cisco devices can send alerts (called traps) to the management station, which you can configure to notify you.

How does it work?

There are three versions of SNMP: v1, v2, and v3. Each successive version adds features. Most network admins today use v2, but v3 offers many more security features.
How does SNMP work? SNMP devices contain configured SNMP agents. The network management system (NMS) talks to the SNMP agents on each device.
The NMS could be a huge system such as HP OpenView or an application that’s only there to track performance such as PRTG.

How can SNMP help me?

SNMP can do a variety of things. Here are some ways it has helped me:
  • It can graph Cisco router/switch bandwidth utilization over time, per interface, per direction, etc.
  • It can graph errors on network devices (e.g., CRC errors).
  • It can send alerts when an interface goes up or down.

Do I need an NMS?

Yes, you do need some kind of NMS to make SNMP useful. Configuring SNMP on its own really won’t tell you anything. You need an NMS that you can configure to receive, report, and graph the SNMP information.

How can I configure SNMP monitoring?

To configure SNMP, I suggest starting off with the optional step of identifying your device. Here’s an example:
Router(config)# snmp-server contact David Davis – Network Admin – 555-1212
Router(config)# snmp-server location Dallas, Texas, USA
Router(config)# snmp-server chassis-id Cisco2610-Router


Next, we need to configure SNMP so that the NMS can monitor it. There are a great many ways to configure SNMP. For this example, we’ll configure the bare minimum to allow you to manage a Cisco router or switch.

To do this, we’ll create a community string. Think of a community string as a password for certain types of access to the device. Let’s configure this device to have a community string good for both reading and writing to the device. Here’s an example:


Router(config)# snmp-server community MyCommunity972 RW

Now our NMS, wherever it is on the network, can both read (i.e., view) and write (i.e., change) device configurations and statistics. (With a more advanced NMS, you can use SNMP to make configuration changes on your device, but that isn’t SNMP’s most popular use.)
We set our community string to MyCommunity972 for this example. Of course, set it using your own internal complex password.

How can I configure SNMP to send alerts?

At this point, we could stop the configuration and still use an NMS such as PRTG to begin graphing bandwidth utilization on router or switch interfaces. But let’s take it a step further and configure the router or switch to alert the NMS when an interface goes down or up. To do this, you could use a free open source NMS such as OpenNMS or a commercial NMS such as Ipswitch’s WhatsUp.

We’ll configure the router or switch to send an SNMP trap to host 192.168.1.23 (the NMS) with our community string so we know it’s authentic. We want SNMP to send these traps if the interfaces go down or go up, or if someone reboots the router. Here are the commands:


Router(config)# snmp-server host 192.168.1.23 version 2c MyCommunity972
Router(config)# snmp-server enable traps snmp linkdown linkup coldstart warmstart
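To show what the trap configured above actually looks like on the wire, here is an added Python example (not from the original post or from Cisco) that BER-encodes an SNMPv2c linkDown trap carrying the community string MyCommunity972, and then decodes it the way a receiving NMS would. The OIDs are the standard SNMPv2-MIB ones; the uptime and request id are made-up values.

```python
# BER/ASN.1 helpers: just enough of the encoding SNMP uses on the wire.
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def enc_int(value, tag=0x02):
    # non-negative integers only; a leading 0x00 is added when the high bit is set
    return tlv(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))

def enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def parse_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dec_int(body):
    return int.from_bytes(body, "big", signed=True)

def dec_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

# Standard OIDs from SNMPv2-MIB: the two mandatory varbinds of a v2c trap
# and the generic trap identities the post enables on the router.
SYS_UPTIME_0 = "1.3.6.1.2.1.1.3.0"
SNMP_TRAP_OID_0 = "1.3.6.1.6.3.1.1.4.1.0"
COLD_START, WARM_START = "1.3.6.1.6.3.1.1.5.1", "1.3.6.1.6.3.1.1.5.2"
LINK_DOWN, LINK_UP = "1.3.6.1.6.3.1.1.5.3", "1.3.6.1.6.3.1.1.5.4"

def build_v2c_trap(community, trap_oid, uptime_ticks, request_id=1):
    """Encode an SNMPv2c Trap message (what the router sends to the NMS)."""
    varbinds = tlv(0x30, tlv(0x30, enc_oid(SYS_UPTIME_0) + enc_int(uptime_ticks, 0x43))  # TimeTicks
                       + tlv(0x30, enc_oid(SNMP_TRAP_OID_0) + enc_oid(trap_oid)))
    pdu = tlv(0xA7, enc_int(request_id) + enc_int(0) + enc_int(0) + varbinds)  # [7] SNMPv2-Trap-PDU
    return tlv(0x30, enc_int(1) + tlv(0x04, community.encode()) + pdu)       # version 1 means v2c

def parse_v2c_trap(msg):
    """Decode a v2c trap into its community string and varbinds, as a receiving NMS would."""
    _, body, _ = parse_tlv(msg)
    _, version, pos = parse_tlv(body)
    _, community, pos = parse_tlv(body, pos)
    tag, pdu, _ = parse_tlv(body, pos)
    if dec_int(version) != 1 or tag != 0xA7:
        raise ValueError("not an SNMPv2c trap")
    pos = 0
    for _ in range(3):                        # skip request-id, error-status, error-index
        _, _, pos = parse_tlv(pdu, pos)
    _, vbl, _ = parse_tlv(pdu, pos)
    varbinds, pos = {}, 0
    while pos < len(vbl):
        _, vb, pos = parse_tlv(vbl, pos)
        _, oid, q = parse_tlv(vb)
        vtag, val, _ = parse_tlv(vb, q)
        varbinds[dec_oid(oid)] = dec_oid(val) if vtag == 0x06 else dec_int(val)
    return {"community": community.decode(), "varbinds": varbinds}

if __name__ == "__main__":
    wire = build_v2c_trap("MyCommunity972", LINK_DOWN, uptime_ticks=123456)
    print(wire.hex())
    print(parse_v2c_trap(wire))
    # The community string travels in cleartext: anyone who can capture the trap
    # can read it, which is why a v2c community is not real authentication.
    print("community visible on the wire:", b"MyCommunity972" in wire)
```

The decoded output is what the NMS keys on: sysUpTime.0 and snmpTrapOID.0 (here linkDown), with the community string readable to anyone on the path.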


There are some SNMP vulnerabilities in certain versions of the Cisco IOS 12.0 to 12.3, so be cautious. Make sure you aren’t using one of the vulnerable versions, and take steps to configure SNMP as securely as possible.
While it’s easy to configure SNMP, configurations can also get very complex. I highly recommend taking the first step of using SNMP to develop a baseline of your router’s WAN interface utilization over time.

Saturday, March 17, 2012

ITIL V3 Exam Dump


QUESTION :1. Which of the following questions does guidance in Service Strategy help answer?

1: What services should we offer and to whom?
2: How do we differentiate ourselves from competing alternatives?
3: How do we truly create value for our customers?
A.1 only
B.2 only
C.3 only
D.All of the above
Answer: D

QUESTION :2. Which of the following is NOT a responsibility of the Service Design Manager?

A.Design and maintain all necessary Service Transition packages
B.Produce quality, secure and resilient designs for new or improved services, technology architecture, processes or measurement systems that meet all the agreed current and future IT requirements of the organisation
C.Take the overall Service Strategies and ensure they are reflected in the Service Design process and the service designs that are produced
D.Measuring the effectiveness and efficiency of Service Design and the supporting processes
Answer: A

QUESTION :3. Which of the following are valid examples of business value measures?

1: Customer retention
2: Time to market
3: Service Architecture
4: Market share
A.1 and 2 only
B.2 and 4 only
C.All of the above
D.1, 2 and 4 only
Answer: D

QUESTION :4. Understanding customer usage of services and how this varies over time is part of which process?
A.Service Portfolio Management
B.Service Level Management
C.Component Capacity Management
D.Demand Management
Answer: D

QUESTION :5. The MAIN objective of Service Level Management is:

A.To carry out the Service Operations activities needed to support current IT services
B.To ensure that sufficient capacity is provided to deliver the agreed performance of services
C.To create and populate a Service Catalogue
D.To ensure that an agreed level of IT service is provided for all current IT services
Answer: D
  
QUESTION :6. Which of the following are responsibilities of a Service Level Manager?

1: Agreeing targets in Service Level Agreements (SLAs)
2: Designing technology architectures to support the service
3: Ensuring required contracts and agreements are in place
A.All of the above
B.2 and 3 only
C.1 and 2 only
D.1 and 3 only
Answer: D

QUESTION :7. Which of the following is a good metric for measuring the effectiveness of Service Level Management?

A.Customer satisfaction score
B.Average number of daily Incidents managed by each service agent
C.Number of services in the Service Portfolio
D.Number of services deployed within agreed times
Answer: A
QUESTION :8. Major Incidents require:

A.Separate procedures
B.Less urgency
C.Longer timescales
D.Less documentation
Answer: A

QUESTION :9. Which of the following should be done when closing an Incident?

1: Check the Incident categorization and correct it if necessary
2: Decide whether a Problem needs to be logged
A.1 only
B.Both of the above
C.2 only
D.None of the above
Answer: B

QUESTION :10. Which of the following is NOT a valid objective of Request Fulfilment?

A.To provide information to users about what services are available and how to request them
B.To update the Service Catalogue with services that may be requested through the Service Desk
C.To provide a channel for users to request and receive standard services
D.To source and deliver the components of standard services that have been requested
Answer: B

QUESTION :11. Which of the following would NOT be a task carried out by the Request Fulfilment process?

A.The sourcing and delivering of the components of requested standard services (e.g. licenses and software media)
B.Provision of a channel for users to request and receive standard services for which a pre-defined approval and qualification process exists
C.Provision of information to users and customers about the availability of services and the procedure for obtaining them
D.Provision of information used to compare actual performance against design standards
Answer: D
QUESTION :12. How many numbered steps are in the Continual Service Improvement (CSI) process?

A.7
B.4
C.6
D.11
Answer: A

QUESTION :13. Which Functions are included in IT Operations Management?

A.Network Management and Application Management
B.Technical Management and Application Management
C.IT Operations Control and Facilities Management
D.Facilities Management and Technical Management
Answer: C

QUESTION :14. The ITIL CORE publications are structured around the Service Lifecycle. Which of the following statements about the ITIL COMPLEMENTARY guidance is CORRECT?

A.It is also structured around the Service Lifecycle
B.It provides guidance to specific industry sectors and types of organization
C.It consists of five publications
D.It provides the guidance necessary for an integrated approach as required by ISO/IEC 20000
Answer: B

QUESTION :15. Which of the following should be supported by technology?

1: Verification of Configuration Management System (CMS) data
2: Control of user desk-tops
3: Creation and use of diagnostic scripts
4: Visibility of overall IT Service performance
A.2, 3 and 4 only
B.1, 2 and 3 only
C.1, 3 and 4 only
D.All of the above
Answer: D
QUESTION :16. Which of the following CANNOT be provided by a tool?

A.Knowledge
B.Information
C.Wisdom
D.Data
Answer: C


QUESTION :17. The BEST Processes to automate are those that are:
A.Carried out by Service Operations
B.Carried out by lots of people
C.Critical to the success of the business mission
D.Simple and well understood
Answer: D

QUESTION :18. Which of the following areas would technology help to support during the Service Operation phase of the Lifecycle?

1: Identifying configuration of user desktop PCs when Incidents are logged
2: Control of user desk-top PCs
3: Create and use diagnostic scripts
4: Dashboard type technology
A.1, 2 and 3 only
B.All of the above
C.1, 3 and 4 only
D.2, 3 and 4 only
Answer: B

QUESTION :19. Which of the following are the two primary elements that create value for customers?

A.Value on Investment (VOI), Return on Investment (ROI)
B.Customer and User satisfaction
C.Understanding Service Requirements and Warranty
D.Utility and Warranty
Answer: D

QUESTION :20. What is the Service Pipeline?

A.All services that are at a conceptual or development stage, or are undergoing testing
B.All services except those that have been retired
C.All services that are contained within the Service Level Agreement (SLA)
D.All complex multi-user services
Answer: A

QUESTION :21. What are the types of activity within Demand Management?

A.Activity based, Access Management
B.Activity based, Business activity patterns and user profiles
C.Analytical based, Business activity patterns and user profiles
D.Analytical based, Shaping user behaviour
Answer: B

QUESTION :22. Which of the following is NOT a purpose of Service Transition?

A.To ensure that a service can be managed, operated and supported
B.To provide training and certification in project management
C.To provide quality knowledge of Change, Release and Deployment Management
D.To plan and manage the capacity and resource requirements to manage a Release
Answer: B


QUESTION :23. Which of the following statements BEST describes a Definitive Media Library (DML)?

A.A secure location where definitive hardware spares are held
B.A secure library where definitive authorised versions of all media Configuration Items (CIs) are stored and protected
C.A database that contains definitions of all media CIs
D.A secure library where definitive authorised versions of all software and back-ups are stored and protected
Answer: B

QUESTION :24. One organisation provides and manages an entire business process or function for another organisation. This is known as:

A.Business Process Management
B.Business Function Outsourcing
C.Business Process Outsourcing
D.Knowledge Process Outsourcing
Answer: C

QUESTION :25. Which Service Design process makes the most use of data supplied by Demand Management?

A.Service Catalogue Management
B.Service Level Management
C.IT Service Continuity Management
D.Capacity Management
Answer: D

Wednesday, March 14, 2012

Intrusion Detection System (IDS)


An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization.
IDPSes typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g., reconfiguring a firewall), or changing the attack’s content.

Terminology
§  Alert/Alarm: A signal suggesting that a system has been or is being attacked.
§  True Positive: A legitimate attack which triggers an IDS to produce an alarm.
§  False Positive: An event signaling an IDS to produce an alarm when no attack has taken place.
§  False Negative: A failure of an IDS to detect an actual attack.
§  True Negative: When no attack has taken place and no alarm is raised.
§  Noise: Data or interference that can trigger a false positive.
§  Site policy: Guidelines within an organization that control the rules and configurations of an IDS.
§  Site policy awareness: An IDS's ability to dynamically change its rules and configurations in response to changing environmental activity.
§  Confidence value: A value an organization places on an IDS based on past performance and analysis to help determine its ability to effectively identify an attack.
§  Alarm filtering: The process of categorizing attack alerts produced from an IDS in order to distinguish false positives from actual attacks.
§  Attacker or Intruder: An entity who tries to find a way to gain unauthorized access to information, inflict harm or engage in other malicious activities.
§  Masquerader: A user who does not have the authority to a system, but tries to access the information as an authorized user. They are generally outside users.
§  Misfeasor: They are commonly internal users and can be of two types:
1.     An authorized user with limited permissions.
2.     A user with full permissions and who misuses their powers.
§  Clandestine user: A user who acts as a supervisor and tries to use his privileges so as to avoid being captured.

Types
For the purpose of dealing with IT, there are two main types of IDS:
§  Network intrusion detection system (NIDS): an independent platform that identifies intrusions by examining network traffic and monitors multiple hosts. Network intrusion detection systems gain access to network traffic by connecting to a network hub, a network switch configured for port mirroring, or a network tap. In a NIDS, sensors are located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders. Sensors capture all network traffic and analyze the content of individual packets for malicious traffic. An example of a NIDS is Snort.
§  Host-based intrusion detection system (HIDS): consists of an agent on a host that identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability databases, access control lists, etc.) and other host activities and state. In a HIDS, sensors usually consist of a software agent. Some application-based IDS are also part of this category. Examples of HIDS are Tripwire and OSSEC.
§  Stack-based intrusion detection system (SIDS): an evolution of the HIDS. Packets are examined as they pass through the TCP/IP stack, so the system does not need to run the network interface in promiscuous mode. This makes the implementation dependent on the operating system in use.
Intrusion detection systems can also be system-specific, using custom tools and honeypots.

In a passive system, the intrusion detection system (IDS) sensor detects a potential security breach, logs the information and signals an alert on the console and/or to the owner. In a reactive system, also known as an intrusion prevention system (IPS), the IPS responds automatically to the suspicious activity by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source. The term IDPS is commonly used for systems that both "detect" (alert) and "prevent", whether that happens automatically or at the command of an operator.

Comparison with Firewalls
Though they both relate to network security, an intrusion detection system (IDS) differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. This is traditionally achieved by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators. A system that terminates connections is called an intrusion prevention system, and is another form of an application layer firewall.
All Intrusion Detection Systems use one of two detection techniques:

Statistical anomaly-based IDS

A statistical anomaly-based IDS first determines what normal network activity looks like (what sort of bandwidth is generally used, which protocols are used, which ports and devices generally connect to each other) and then alerts the administrator or user when traffic is detected that is anomalous (not normal).

Signature-based IDS

A signature-based IDS monitors packets on the network and compares them with pre-configured and pre-determined attack patterns known as signatures. The issue is that there will be a lag between a new threat being discovered and the signature for it being applied in the IDS. During this lag time your IDS will be unable to identify the threat.

Intrusion Prevention Systems (IPS)


Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about said activity, attempt to block/stop activity, and report activity.
Intrusion prevention systems are considered extensions of intrusion detection systems because both monitor network traffic and/or system activities for malicious activity. The main difference is that, unlike intrusion detection systems, intrusion prevention systems are placed in-line and are able to actively prevent or block intrusions that are detected. More specifically, an IPS can take such actions as sending an alarm, dropping the malicious packets, resetting the connection and/or blocking the traffic from the offending IP address. An IPS can also correct Cyclic Redundancy Check (CRC) errors, defragment packet streams, prevent TCP sequencing issues, and clean up unwanted transport and network layer options.
Classifications
Intrusion prevention systems can be classified into four different types:
Network-based intrusion prevention (NIPS): monitors the entire network for suspicious traffic by analyzing protocol activity.
Wireless intrusion prevention systems (WIPS): monitors a wireless network for suspicious traffic by analyzing wireless networking protocols.
Network behavior analysis (NBA): examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware, and policy violations.
Host-based intrusion prevention (HIPS): an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host.
Detection Method
The majority of intrusion prevention systems utilize one of three detection methods: signature-based, statistical anomaly-based, and stateful protocol analysis.
Signature-Based Detection: This method of detection utilizes signatures, which are attack patterns that are preconfigured and predetermined. A signature-based intrusion prevention system monitors the network traffic for matches to these signatures. Once a match is found the intrusion prevention system takes the appropriate action. Signatures can be exploit-based or vulnerability-based. Exploit-based signatures analyze patterns appearing in exploits being protected against, while vulnerability-based signatures analyze vulnerabilities in a program, its execution, and conditions needed to exploit said vulnerability.
Statistical anomaly-based detection: This method of detection baselines performance of average network traffic conditions. After a baseline is created, the system intermittently samples network traffic, using statistical analysis to compare the sample to the set baseline. If the activity is outside the baseline parameters, the intrusion prevention system takes the appropriate action.
Stateful Protocol Analysis Detection: This method identifies deviations of protocol states by comparing observed events with “predetermined profiles of generally accepted definitions of benign activity”.
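The signature-based and statistical anomaly-based methods described for both IDS and IPS above, as an added Python example that is not part of the original article: it runs a tiny version of each detector over a constructed connection log and scores them with the Terminology section's true/false positive and negative counts. The signatures, byte counts, baseline window and ground-truth labels are all made up for this illustration; the new attack e4 has no signature yet (the lag the article mentions), and the legitimate backup e5 shows the anomaly detector's false positive.

```python
import re
from statistics import mean, pstdev

# Signature-based detection: pre-determined attack patterns matched against
# request lines. Two classic textbook patterns, constructed for this example.
SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./\.\./"),
    "sqli-union": re.compile(r"union\s+select", re.IGNORECASE),
}

# Constructed baseline window: bytes per connection observed during "normal"
# operation. The anomaly detector derives its threshold from these only.
BASELINE_BYTES = [1200, 1500, 900, 1300, 1100, 1400, 1000, 1250, 1350, 1150]

# Constructed events to evaluate: (id, bytes, request line, is_attack).
# is_attack is the ground truth, used only for scoring, never for detection.
EVENTS = [
    ("e1", 1300, "GET /index.html", False),
    ("e2", 1100, "GET /../../../config.ini", True),           # known pattern
    ("e3", 1250, "GET /search?q=1 UNION SELECT 1,2", True),   # known pattern
    ("e4", 48000, "POST /upload.php", True),                  # new attack, no signature yet
    ("e5", 52000, "PUT /backup/nightly.tar", False),          # legitimate bulk transfer
    ("e6", 1200, "GET /about.html", False),
]

def signature_detect(payload):
    """Return the names of every signature that matches the payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]

def anomaly_threshold(byte_counts, k=3.0):
    """Baseline: anything more than k standard deviations above the mean is anomalous."""
    return mean(byte_counts) + k * pstdev(byte_counts)

def anomaly_detect(nbytes, threshold):
    return nbytes > threshold

def score(events, alerted_ids):
    """Confusion matrix using the Terminology section's definitions."""
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for event_id, _, _, is_attack in events:
        alerted = event_id in alerted_ids
        key = ("TP" if is_attack else "FP") if alerted else ("FN" if is_attack else "TN")
        counts[key] += 1
    return counts

def evaluate(events=EVENTS, baseline=BASELINE_BYTES):
    """Run both detectors, then score each alone and the union of their alerts."""
    threshold = anomaly_threshold(baseline)
    sig_alerts = {eid for eid, _, payload, _ in events if signature_detect(payload)}
    anom_alerts = {eid for eid, nbytes, _, _ in events if anomaly_detect(nbytes, threshold)}
    return {
        "threshold": threshold,
        "signature": score(events, sig_alerts),
        "anomaly": score(events, anom_alerts),
        "combined": score(events, sig_alerts | anom_alerts),
    }

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name}: {result}")
```

Neither detector alone catches everything: the signature detector misses the novel attack, the anomaly detector misses the two low-volume known attacks and flags the backup, and only their union reaches zero false negatives (at the cost of one false positive to triage).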