Wednesday, November 17, 2010

Helpful Bookmarks & Links

CheckPoint
https://supportcenter.checkpoint.com/ - CheckPoint Support Site
http://www.cpug.org/ - CheckPoint User Group / Forums
http://www.tla.ch/TLA/FW/FW1FAQ.html - CheckPoint FAQ (old but good)

Cisco
https://supportforums.cisco.com/ - Cisco Support Forums
http://blogs.cisco.com/security - Official Cisco Security Blog

Juniper
http://kb.juniper.net/ - Juniper Knowledgebase
http://juniperhowto.com/ - Juniper How-to Site

Sourcefire
http://sourcefirefaq.blogspot.com/ - Sourcefire Blog (old but good)
https://support.sourcefire.com/ - Sourcefire Support

TippingPoint
https://tmc.tippingpoint.com/TMC - TippingPoint Knowledgebase and Threat Mgmt Center

Monday, November 8, 2010

Troubleshooting High CPU on Cisco ASA

show cpu
show processes cpu-usage

**This will tell us which process is consuming the most CPU.

**Dispatch Unit is the "packet processing" process of the ASA. If the Dispatch Unit is showing high utilization, take a packet capture (pcap) from the ASA and view it in Wireshark to see what traffic is causing the most load on the ASA.

----------------------------------
Enable CPU Profiling (to provide to Cisco TAC)
cpu profile activate 5000

Cisco ASA 8.2+:
show cpu profile dump

Pre 8.2:
show cpu profile

Saturday, November 6, 2010

Wednesday, November 3, 2010

Fortinet - Free self-paced training online

Fortinet recorded webinar sessions (under Self-paced Online Training):
http://campus.training.fortinet.com/


Customizing SSL VPN Portals
Directory Services Integration using FSAE

Free Fortinet endpoint firewall with IPS and AV (FortiClient)

Free endpoint firewall with IPS and AV
http://forticlient.com/

Packet Sniffing on a Fortinet/FortiGate Firewall

http://kb.fortinet.com/kb/viewContent.do?externalId=11186&sliceId=1#basic_command

Tips for troubleshooting Imperva WAF

Tips for troubleshooting Imperva WAF:

  • statistics.csv from Setup->Gateways->the relevant GW -> the rightmost panel. 
  • get-tech-info
  • cat /opt/SecureSphere/etc/patch_level
  • download "imperva-stats-script" from Imperva site, and run script for 24 hours.


WAF - Relevant Questions to Ask

Relevant Questions to Ask for Implementing a new WAF (Imperva, Breach, etc.)

Web Server Information
----------------------
Application Name - IP Address & Port
SSL? (yes/no)
IP Type (Legal/NAT/Load Balanced)
Number of Physical Machines
Network Throughput
Web Server Vendor
Web Server Operating System
Web site type (static/dynamic)
Application Server
Web Application Vendor (custom, peoplesoft, etc..)
Web Application Language (.net, java, etc)
Web Application Transactions per second

Database Information
--------------------
Database Name
Machine Name or IP Address
Number of Database Servers (physical Database boxes)
Network Throughput
Database Vendor
Database Operating System type
Database Transactions per second

Imperva WAF - Export Full Config from CLI

Export the full config from the CLI of an Imperva WAF:

--
1) cd /tmp
2) full_expimp.sh

IPSO CLISH Interface Examples

clish - interface command examples:
set interface eth1 speed 100M duplex full auto-advertise on
add interface eth1c0 address 12.12.12.12/28 enable
delete interface eth-s1p2c0 address 12.12.12.12
delete interface eth4c0 address 12.12.12.12
set static-route default nexthop gateway address 12.12.12.11 priority 1 on

Tuesday, September 21, 2010

Nokia IPSO Status LEDs

  • Solid blue Power - On
  • Solid yellow - Appliance is experiencing an internal voltage problem.
  • Blinking yellow - Appliance is experiencing a temperature problem.
  • Solid red - One or more fans are not operating properly.
  • Blinking green - System activity indicator


Peer-to-Peer (P2P) Ports

Kazaa, Grokster, Morpheous 
TCP 1214
UDP 1214


eDonkey
TCP 4661-4672
UDP 4661-4672


WinMX & Napster
TCP 6257
UDP 6257
TCP 6699
UDP 6699


BitTorrent
TCP 6881-6889
TCP 6969
UDP 6881-6889


Gnutella (Bearshare, Limewire)
TCP 6346, 6347, 6348
UDP 6346, 6347, 6348


Napster
TCP 4444, 5555, 6666, 7777, 8888
UDP 4444, 5555, 6666, 7777, 8888

tcpdump for ARP packets

tcpdump -lnni eth2 ether proto 0x0806
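A defender usually captures ARP to find out who is answering for which address. The following script is an added example, not part of the original note: it parses the one-line-per-packet text that `tcpdump -lnn` prints for ARP (the "ARP, Request who-has X tell Y" and "ARP, Reply X is-at MAC" layout is assumed) and reports any IP that more than one MAC has claimed, which is what you would look for when chasing a duplicate address or suspected ARP poisoning. The sample lines are constructed, not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample in the layout `tcpdump -lnn ... ether proto 0x0806` prints
# (assumption: no -e, so no Ethernet header fields are shown on the line).
SAMPLE_ARP = """\
10:00:01.000001 ARP, Request who-has 10.0.0.1 tell 10.0.0.55, length 28
10:00:01.000245 ARP, Reply 10.0.0.1 is-at 00:11:22:aa:bb:01, length 28
10:00:02.100000 ARP, Request who-has 10.0.0.9 tell 10.0.0.55, length 28
10:00:02.100300 ARP, Reply 10.0.0.9 is-at 00:11:22:aa:bb:09, length 28
10:00:05.000000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:01, length 28
"""

REPLY = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-f:]{17})")
REQUEST = re.compile(r"ARP, Request who-has (\S+) tell (\S+)")


def parse_arp(text):
    """Split a tcpdump ARP log into two tables.

    replies  : IP -> set of MACs that answered "is-at" for that IP
    requests : target IP -> number of who-has queries seen for it
    """
    replies = defaultdict(set)
    requests = defaultdict(int)
    for line in text.splitlines():
        m = REPLY.search(line)
        if m:
            replies[m.group(1)].add(m.group(2))
            continue
        m = REQUEST.search(line)
        if m:
            requests[m.group(1)] += 1
    return replies, requests


def conflicting_ips(text):
    """IPs for which more than one MAC sent a reply: a duplicate address
    on the segment or someone answering for an address that is not theirs."""
    replies, _ = parse_arp(text)
    return sorted(ip for ip, macs in replies.items() if len(macs) > 1)


if __name__ == "__main__":
    replies, requests = parse_arp(SAMPLE_ARP)
    for ip in conflicting_ips(SAMPLE_ARP):
        print("%s answered by %s" % (ip, ", ".join(sorted(replies[ip]))))
```

Feed it a saved capture with `tcpdump -lnni eth2 ether proto 0x0806 > arp.log` and then `python3 thisscript.py < arp.log` after swapping SAMPLE_ARP for `sys.stdin.read()`; the sort order of the MAC set is only for readable output.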

Tuesday, September 7, 2010

Enable AIP-SSM IPS Inspection on ASA

policy-map global_policy
class ips_class_map
ips inline fail-open


Or for passive:
ips promiscuous fail-open

Clear ACL Hit Counters

clear access-list <access-list name> counters

Enable VPN Keep Alive on Cisco ASA VPN Tunnel

Cisco PIX/ASA 7.x and later, for the tunnel group named 10.1.1.1
asa(config)#tunnel-group 10.1.1.1 ipsec-attributes
asa(config-tunnel-ipsec)#isakmp keepalive threshold 15 retry 10

Copy many routes from one Linux box to another

netstat -rn | grep '^[0-9]' | awk '{printf "route add -net %-15s gw %-15s netmask %s\n", $1, $2, $3}' | sort > routing_table
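The awk one-liner above emits a `-net` line for every row, including the default route and the directly connected networks. The script below is an added example, not from the original note, that does the same conversion with those cases handled: rows without the G flag (gateway 0.0.0.0, i.e. connected networks) are skipped because the target's own interface configuration creates them, the 0.0.0.0/0.0.0.0 row becomes `route add default`, and rows with the H flag become `-host` routes. The `netstat -rn` text it parses is a constructed sample.

```python
import re

# Constructed sample of `netstat -rn` output from a Linux box (not a real host).
SAMPLE_NETSTAT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG        0 0          0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
172.16.5.7      10.0.0.254      255.255.255.255 UGH       0 0          0 eth0
192.168.10.0    10.0.0.254      255.255.255.0   UG        0 0          0 eth0
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def route_add_commands(netstat_output):
    """Turn `netstat -rn` text into a sorted list of `route add` commands.

    Only rows that go via a gateway (flag G) are copied; connected
    networks belong to the interface configuration on the target box.
    """
    commands = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Skip the banner, the header line and anything that is not an IPv4 row
        if len(fields) < 4 or not IPV4.match(fields[0]):
            continue
        dest, gateway, netmask, flags = fields[:4]
        if "G" not in flags:
            continue
        if dest == "0.0.0.0" and netmask == "0.0.0.0":
            commands.append("route add default gw %s" % gateway)
        elif "H" in flags or netmask == "255.255.255.255":
            commands.append("route add -host %s gw %s" % (dest, gateway))
        else:
            commands.append("route add -net %s netmask %s gw %s"
                            % (dest, netmask, gateway))
    return sorted(commands)


if __name__ == "__main__":
    # On a real box: netstat -rn | python3 thisscript.py > routing_table
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for cmd in route_add_commands(text):
        print(cmd)
```

Review the generated file before running it on the destination host, since the default route in particular will be wrong if the two boxes sit on different subnets.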

CheckPoint Log Buffer Full

1. Create or modify (if the file exists) the $FWDIR/boot/modules/fwkern.conf file on the Security gateway.
2. Add the entry fw_log_bufsize=xxxxx, where xxxxx is the desired size in bytes (default = 81920); try setting it to 163840.
3. Reboot the Security gateway


Add the following to fwstart.conf:
----
$FWDIR/bin/fw ctl debug -buf 8192
fw ctl kdebug -f > /var/log/console.log &
echo "fw debug messages go to /var/log/console.log"
--
http://www.networking-tips.net/?p=323
http://www.cpug.org/forums/nokia-ipso/2385-log-buffer-full-errors.html

Commands to Troubleshoot CheckPoint HA Interface Issues

fw ctl iflist
cat $FWDIR/conf/discntd.if (interfaces commented out for HA monitoring)


cphaprob state
cphaprob -a if
cphaprob list

Clear CheckPoint NAT and State Table

fw tab -t sam_blocked_ips -x
fw tab -t fwx_alloc -x
fw tab -t connections -x

Troubleshoot traffic to an IP thru a CheckPoint Firewall

fw monitor -e "src=172.16.1.1 or dst=172.16.1.1;" > /tmp/fwmon-172.16.1.1.out &
tcpdump -w /tmp/traffic.cap -lnni any host 172.16.1.1 &
fw ctl zdebug drop > /tmp/conn.dbg &
fw log -ftn | egrep 172.16.1.1 >> /tmp/fw-log-172.16.1.1.log &

List the Top Connections on a CheckPoint Firewall

fw tab -t connections -u -f >> conns.txt
cat conn-ips.txt | sort | uniq -c | sort -n
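The second line above counts addresses in conn-ips.txt, but the note does not show how that file is derived from conns.txt. The script below is an added example, not from the original note: it pulls every IPv4 address out of each row of the table dump with a regular expression, so it does not depend on the exact column layout that `fw tab -t connections -u -f` produces, and prints the addresses that appear in the most rows. The dump it reads is a constructed sample.

```python
import re
from collections import Counter

# Constructed sample of a connections-table dump. The counting below only
# relies on IPv4 addresses appearing somewhere in each row, not on a layout.
SAMPLE_DUMP = """\
10.1.1.5:43210 -> 192.168.50.10:443 tcp
10.1.1.5:43211 -> 192.168.50.10:443 tcp
10.1.1.5:43212 -> 192.168.50.11:443 tcp
10.1.1.7:51000 -> 192.168.50.10:80 tcp
172.16.9.9:53 -> 10.1.1.7:50012 udp
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def count_ips(dump_text):
    """Count how many rows of the dump each IPv4 address appears in."""
    counts = Counter()
    for line in dump_text.splitlines():
        # dict.fromkeys de-duplicates within the row while keeping order,
        # so an address seen twice on one line still counts once.
        for ip in dict.fromkeys(IPV4.findall(line)):
            counts[ip] += 1
    return counts


def top_talkers(dump_text, n=10):
    """Return the n most frequent addresses as (ip, rows) pairs, highest first."""
    return count_ips(dump_text).most_common(n)


if __name__ == "__main__":
    # On the firewall: python3 thisscript.py < conns.txt
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for ip, rows in top_talkers(text):
        print("%6d %s" % (rows, ip))
```

A host at the top of this list with thousands of rows is the usual starting point when the connections table is full or CPU is high; compare its count against what the application normally opens before deciding whether it is a scan or just a busy server.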

How to run a CheckPoint Debug

fw ctl debug 0
fw ctl debug -buf 10000
fw ctl debug -m drop conn packet
fwaccel dbg -m general all 
fw ctl kdebug -f >& fwconnchain.elg


Ctrl+C to stop the debug
fw ctl debug 0


NOKIA:
fw ctl debug 0
fw ctl debug -buf 8192
fw ctl debug + conn link drop
fw ctl kdebug -f >& fwconnchain.elg
fw ctl debug 0

Command to list CheckPoint Installed Products

cpprod_util CPPROD_GetKeyValues products 0

CheckPoint Failover Commands

Fail to FAILED:
cphaprob -d faildevice -s problem report


Fail to OK:
cphaprob -d faildevice -s ok report


Check sync stat:
cphaprob syncstat
cphaprob -reset syncstat


Troubleshoot:
fw ctl pstat
cphaprob -i list


-----------------------
Easier method to fail over:
cphastop (primary)
then cphaprob state (secondary)
then cphastart (primary)
should come back as primary standby.


Modify Failover Timeouts:
cphaprob -i list
cphaprob -d fwd -t 45 -s ok -p register
cphaprob -d cphad -t 15 -s ok -p register

Sunday, September 5, 2010

SQL Injection Cheat Sheet

Good notes on SQL Injection:
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

Frequent SSL Troubleshooting Commands

Frequent SSL Troubleshooting commands from: http://shib.kuleuven.be/docs/ssl_commands.shtml


debug an SSL connection [server doesn't require certificate authentication]
openssl s_client -connect idp.example.be:443


debug an SSL connection with mutual certificate authentication
openssl s_client -connect idp.example.be:8443 -CAfile MY-CA-CERT.crt -cert MYCERT.crt -key MYKEY.key
- trust chain is in directory (hash format): replace -CAfile with -CApath /path/to/CAchainDir/
- send the starttls command (smtp or pop3 style): -starttls smtp or -starttls pop3


List the certificates inside a keystore
keytool -list -v -keystore KEYSTORE.jks


create self-signed certificate (can be used to sign other certificates)
openssl req -x509 -new -out MYCERT.crt -keyout MYKEY.key -days 365