InfoSec friends, I have a new site - www.midtownmyrtlebeach.com. I look forward to helping you buy your dream ocean front home or condo in Myrtle Beach, South Carolina! If you've never been to Myrtle Beach, it's an awesome place to vacation, or to live!
Scroll down for my posts on InfoSec, Security, Linux, Firewalls, and IDS/IPS.
Network Security Insider
Tidbits I've collected on various firewall and IDS/IPS technologies over the years. Linux, CheckPoint, Juniper Netscreen/SSG, Cisco ASA, Cisco IPS, & Sourcefire/Snort
Saturday, December 28, 2013
Wednesday, November 17, 2010
Helpful Bookmarks & Links
CheckPoint
https://supportcenter.checkpoint.com/ - CheckPoint Support Site
http://www.cpug.org/ - CheckPoint User Group / Forums
http://www.tla.ch/TLA/FW/FW1FAQ.html - CheckPoint FAQ (old but good)
Cisco
https://supportforums.cisco.com/ - Cisco Support Forums
http://www.cisco.com/univercd/home/home.htm - Cisco Documentation
http://blogs.cisco.com/security - Official Cisco Security Blog
http://ciskoblog.com/ - Cisco Blog
http://blog.priveonlabs.com/sec_blog.php/cisco-security/cisco-security-agent/ - Cisco Security Agent (CSA) Blog
http://tools.cisco.com/MySDN/Intelligence/searchSignatures.x - Cisco Signature Lookup
https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl - Output Interpreter for show commands
Juniper
http://kb.juniper.net/ - Juniper Knowledgebase
http://forums.juniper.net/ - Juniper Forums
http://juniperhowto.com/ - Juniper How-to Site
http://juniperhacks.wordpress.com/ - Juniper Hacks Blog
Sourcefire
http://sourcefirefaq.blogspot.com/ - Sourcefire Blog (old but good)
https://support.sourcefire.com/ - Sourcefire Support
http://vrt-sourcefire.blogspot.com/ - Sourcefire VRT Blog
TippingPoint
https://tmc.tippingpoint.com/
Monday, November 8, 2010
Troubleshooting High CPU on Cisco ASA
show cpu
show processes cpu-usage
**This will tell us which process is consuming the most CPU.
**Dispatch Unit is the "packet processing" process of the ASA. If the Dispatch Unit is showing high utilization, take a packet capture (pcap) from the ASA and view it in Wireshark to see what traffic is causing the most load on the ASA.
Enable CPU Profiling (to provide to Cisco TAC)
cpu profile activate 5000
Cisco ASA 8.2+:
show cpu profile dump
Pre 8.2:
show cpu profile
Labels:
Cisco
Saturday, November 6, 2010
Security Docs (Audio, Video, Text)
Excellent resources for security documentation including audio, video, and text.
http://secdocs.lonerunners.net/
http://www.sans.org/reading_room/
Wednesday, November 3, 2010
Fortinet - Free self-paced training online
Fortinet recorded webinar sessions (under Self-paced Online Training):
http://campus.training.fortinet.com/
Customizing SSL VPN Portals
Directory Services Integration using FSAE
Labels:
Fortinet
Free Fortinet endpoint firewall with IPS and AV (FortiClient)
Free endpoint firewall with IPS and AV
http://forticlient.com/
Labels:
Fortinet
Tips for troubleshooting Imperva WAF
Tips for troubleshooting Imperva WAF:
- statistics.csv from Setup->Gateways->the relevant GW -> the rightmost panel.
- get-tech-info
- cat /opt/SecureSphere/etc/patch_level
- download "imperva-stats-script" from Imperva site, and run script for 24 hours.
Labels:
WAF
WAF - Relevant Questions to Ask
Relevant Questions to Ask for Implementing a new WAF (Imperva, Breach, etc.)
Web Server Information
----------------------
Application Name - IP Address & Port
SSL? (yes/no)
IP Type (Legal/NAT/Load Balanced)
Number of Physical Machines
Network Throughput
Web Server Vendor
Web Server Operating System
Web site type (static/dynamic)
Application Server
Web Application Vendor (custom, peoplesoft, etc..)
Web Application Language (.net, java, etc)
Web Application Transactions per second
Database Information
------------------------------
Database Name
Machine Name or IP Address
Number of Database Servers (physical Database boxes)
Network Throughput
Database Vendor
Database Operating System type
Database Transactions per second
Labels:
WAF
Imperva WAF - Export Full Config from CLI
Export the full config from the CLI of an Imperva WAF:
--
1) cd /tmp
2) full_expimp.sh
--
Labels:
WAF
IPSO CLISH Interface Examples
clish - interface command examples:
set interface eth1 speed 100M duplex full auto-advertise on
add interface eth1c0 address 12.12.12.12/28 enable
delete interface eth-s1p2c0 address 12.12.12.12
delete interface eth4c0 address 12.12.12.12
set static-route default nexthop gateway address 12.12.12.11 priority 1 on
Labels:
CheckPoint
Tuesday, September 21, 2010
Nokia IPSO Status LEDs
- Solid blue - Power on
- Solid yellow - Appliance is experiencing an internal voltage problem.
- Blinking yellow - Appliance is experiencing a temperature problem.
- Solid red - One or more fans are not operating properly.
- Blinking green - System activity indicator
Labels:
CheckPoint
Peer-to-Peer (P2P) Ports
Kazaa, Grokster, Morpheus
TCP 1214
UDP 1214
eDonkey
TCP 4661-4672
UDP 4661-4672
WinMX & Napster
TCP 6257
UDP 6257
TCP 6699
UDP 6699
BitTorrent
TCP 6881-6889
TCP 6969
UDP 6881-6889
Gnutella (Bearshare, Limewire)
TCP 6346, 6347, 6348
UDP 6346, 6347, 6348
Napster
TCP 4444, 5555, 6666, 7777, 8888
UDP 4444, 5555, 6666, 7777, 8888
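The port list above is most useful when it is turned into a filter you can run over accept/drop logs to see which internal hosts are talking on P2P ports. The script below is an added example, not part of the original post: it encodes the ranges listed above, parses a small constructed log (the line layout "time action proto src:sport > dst:dport" is invented for the example and is not any vendor's real format), and tags each connection whose destination port and protocol fall inside one of the ranges.

```python
import re
from collections import namedtuple

# Port-to-application map copied from the list above; ranges are inclusive (lo, hi).
P2P_PORTS = {
    "Kazaa/Grokster/Morpheus": {"tcp": [(1214, 1214)], "udp": [(1214, 1214)]},
    "eDonkey": {"tcp": [(4661, 4672)], "udp": [(4661, 4672)]},
    "WinMX/Napster": {"tcp": [(6257, 6257), (6699, 6699)],
                      "udp": [(6257, 6257), (6699, 6699)]},
    "BitTorrent": {"tcp": [(6881, 6889), (6969, 6969)], "udp": [(6881, 6889)]},
    "Gnutella": {"tcp": [(6346, 6348)], "udp": [(6346, 6348)]},
    "Napster": {"tcp": [(p, p) for p in (4444, 5555, 6666, 7777, 8888)],
                "udp": [(p, p) for p in (4444, 5555, 6666, 7777, 8888)]},
}

Match = namedtuple("Match", "app proto src dst dport")

# Constructed log layout (hypothetical, for this example only):
#   <time> <action> <proto> <src_ip>:<sport> > <dst_ip>:<dport>
LINE_RE = re.compile(
    r"^\S+\s+\S+\s+(?P<proto>tcp|udp)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*>\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def classify_port(proto, port):
    """Return the application whose port list covers (proto, port), or None."""
    for app, protos in P2P_PORTS.items():
        for lo, hi in protos.get(proto, []):
            if lo <= port <= hi:
                return app
    return None


def find_p2p(lines):
    """Return a Match for every parsable line whose destination port is a known P2P port."""
    matches = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # lines that do not fit the layout are ignored, not guessed at
        app = classify_port(m["proto"], int(m["dport"]))
        if app:
            matches.append(Match(app, m["proto"], m["src"], m["dst"], int(m["dport"])))
    return matches


def summarize(matches):
    """Count matches per application, e.g. for a daily report."""
    counts = {}
    for m in matches:
        counts[m.app] = counts.get(m.app, 0) + 1
    return counts


# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
10:00:01 accept tcp 10.1.1.5:51234 > 203.0.113.7:6881
10:00:02 accept tcp 10.1.1.6:51235 > 203.0.113.8:443
10:00:03 accept udp 10.1.1.7:4662 > 198.51.100.9:4665
10:00:04 accept tcp 10.1.1.8:51236 > 198.51.100.10:6347
10:00:05 drop tcp 10.1.1.9:51237 > 198.51.100.11:7777
10:00:06 accept tcp 10.1.1.9:51238 > 198.51.100.11:6890
""".splitlines()

if __name__ == "__main__":
    hits = find_p2p(SAMPLE_LOG)
    for m in hits:
        print(f"{m.app:24s} {m.proto} {m.src} -> {m.dst}:{m.dport}")
    print(summarize(hits))
```

Port matching only catches clients that still use their default ports; most of these applications can be configured to use arbitrary ports, so treat a hit as a lead to confirm with the application-aware signatures on your IPS rather than as proof on its own.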
tcpdump for ARP packets
tcpdump -lnni eth2 ether proto 0x0806
Tuesday, September 7, 2010
Enable AIP-SSM IPS Inspection on ASA
policy-map global_policy
class ips_class_map
ips inline fail-open
Or for passive:
ips promiscuous fail-open
Labels:
Cisco
Clear ACL Hit Counters
clear access-list <access-list name> counters
Labels:
Cisco
Enable VPN Keep Alive on Cisco ASA VPN Tunnel
Cisco PIX/ASA 7.x and later, for the tunnel group named 10.1.1.1
asa(config)#tunnel-group 10.1.1.1 ipsec-attributes
asa(config-tunnel-ipsec)#isakmp keepalive threshold 15 retry 10
Labels:
Cisco
Copy many routes from one Linux box to another
netstat -rn | grep '^[0-9]' | awk '{printf "route add -net %-15s gw %-15s netmask %s\n", $1, $2, $3}' | sort > routing_table
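The awk one-liner above emits one `route add` per line of `netstat -rn`, including directly connected networks (gateway 0.0.0.0) and the default route, which need different handling on the target box. The following is an added example (not from the original post) that does the same conversion with the modern `ip route` syntax: it parses a constructed `netstat -rn` capture embedded in the script, converts the netmask to prefix length, emits connected routes first so gateway routes added afterwards have a reachable next hop, and turns the 0.0.0.0/0.0.0.0 entry into `default`.

```python
import ipaddress

# Constructed sample of `netstat -rn` output (net-tools column layout); not a real host.
SAMPLE_NETSTAT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.20.0.0       192.168.1.254   255.255.0.0     UG        0 0          0 eth0
172.16.5.0      192.168.1.253   255.255.255.0   UG        0 0          0 eth0
"""


def parse_routes(text):
    """Yield (destination, gateway, genmask, flags, iface) for each route line,
    skipping the two header lines the way `grep '^[0-9]'` does."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or not fields[0][0].isdigit():
            continue
        yield fields[0], fields[1], fields[2], fields[3], fields[7]


def to_route_commands(text, skip_connected=True):
    """Translate netstat -rn output into `ip route add` commands.

    Connected routes (no G flag / gateway 0.0.0.0) are normally created by the
    interface address itself, so they are skipped unless skip_connected=False;
    when emitted they come first so that gateway routes can resolve their next hop."""
    connected, via_gateway = [], []
    for dest, gw, mask, flags, iface in parse_routes(text):
        # ip_network accepts "address/netmask" and derives the prefix length
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if "G" not in flags or gw == "0.0.0.0":
            if not skip_connected:
                connected.append(f"ip route add {net} dev {iface}")
            continue
        target = "default" if net.prefixlen == 0 else str(net)
        via_gateway.append(f"ip route add {target} via {gw} dev {iface}")
    return connected + via_gateway


if __name__ == "__main__":
    for cmd in to_route_commands(SAMPLE_NETSTAT):
        print(cmd)
```

Run it with the real output of `netstat -rn` piped in (replace `SAMPLE_NETSTAT` with `sys.stdin.read()`), review the generated file, and only then execute it on the destination host; a copied default route pointing at a gateway that is not on-link there will simply be rejected by the kernel.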
Labels:
CheckPoint,
Linux
CheckPoint Log Buffer Full
1. Create or modify (if the file exists) the $FWDIR/boot/modules/fwkern.conf file on the Security gateway.
2. Add the entry fw_log_bufsize=xxxxx, where xxxxx is the desired size in bytes (default = 81920) - try to set it to 163840.
3. Reboot the Security gateway
Add the following to fwstart.conf:
----
$FWDIR/bin/fw ctl debug -buf 8192
fw ctl kdebug -f > /var/log/console.log &
echo "fw debug messages go to /var/log/console.log"
--
http://www.networking-tips.net/?p=323
http://www.cpug.org/forums/nokia-ipso/2385-log-buffer-full-errors.html
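Step 1 above says "create or modify (if the file exists)", and that is where hand edits go wrong: a second copy of fw_log_bufsize appended below the first, or an unrelated tuning line lost when the file is overwritten. The helper below is an added example, not a Check Point tool or anything from the original post: it creates the file when absent, replaces an existing key=value line in place (leaving comments and other keys untouched), and appends the key otherwise. The `demo()` function exercises both paths in a temporary directory; on a gateway you would point it at $FWDIR/boot/modules/fwkern.conf instead. The second parameter name used in the demo, example_other_param, is a placeholder and not a real kernel parameter.

```python
import os
import tempfile


def set_conf_value(path, key, value):
    """Create `path` if missing, otherwise rewrite it keeping every line except the
    matching `key=...` line, which is replaced; append the key if it was not present.
    Returns the resulting lines so callers can log what was written."""
    lines = []
    if os.path.exists(path):
        with open(path) as fh:
            lines = fh.read().splitlines()
    replaced = False
    for i, line in enumerate(lines):
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" not in stripped:
            continue  # blank lines and comments are preserved verbatim
        if stripped.split("=", 1)[0].strip() == key:
            lines[i] = f"{key}={value}"
            replaced = True
    if not replaced:
        lines.append(f"{key}={value}")
    with open(path, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return lines


def get_conf_value(path, key):
    """Return the current value of `key` in `path`, or None if the file or key is absent."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        for line in fh:
            stripped = line.strip()
            if stripped.startswith("#") or "=" not in stripped:
                continue
            k, v = stripped.split("=", 1)
            if k.strip() == key:
                return v.strip()
    return None


def demo():
    """Simulate a gateway that starts at the 81920-byte default, gains another
    setting, and is then raised to 163840 as the post recommends."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = os.path.join(tmp, "fwkern.conf")          # stand-in for $FWDIR/boot/modules/fwkern.conf
        first = set_conf_value(conf, "fw_log_bufsize", 81920)     # file did not exist: created
        with open(conf, "a") as fh:                                # another admin adds a line
            fh.write("# tuning added by ops\nexample_other_param=1\n")
        second = set_conf_value(conf, "fw_log_bufsize", 163840)   # existing key: replaced in place
        return (first, second,
                get_conf_value(conf, "fw_log_bufsize"),
                get_conf_value(conf, "example_other_param"))


if __name__ == "__main__":
    for item in demo():
        print(item)
```

As the post notes, fwkern.conf is read at boot, so the new buffer size only takes effect after the gateway is rebooted; `get_conf_value` lets you confirm what is on disk before scheduling that reboot.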
Labels:
CheckPoint
Commands to Troubleshoot CheckPoint HA Interface Issues
fw ctl iflist
cat $FWDIR/conf/discntd.if (interfaces commented out for HA monitoring)
cphaprob state
cphaprob -a if
cphaprob list
Labels:
CheckPoint
Clear CheckPoint NAT and State Table
fw tab -t sam_blocked_ips -x
fw tab -t fwx_alloc -x
fw tab -t connections -x
Labels:
CheckPoint
Troubleshoot traffic to an IP thru a CheckPoint Firewall
fw monitor -e "accept src=172.16.1.1 or dst=172.16.1.1;" > /tmp/fwmon-172.16.1.1.out &
tcpdump -w /tmp/traffic.cap -lnni any host 172.16.1.1 &
fw ctl zdebug drop > /tmp/conn.dbg &
fw log -ftn | egrep 172.16.1.1 >> /tmp/fw-log-172.16.1.1.log &
Labels:
CheckPoint
List the Top Connections on a CheckPoint Firewall
fw tab -t connections -u -f >> conns.txt
grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' conns.txt > conn-ips.txt
cat conn-ips.txt | sort | uniq -c | sort -n
Labels:
CheckPoint
How to run a CheckPoint Debug
fw ctl debug 0
fw ctl debug -buf 10000
fw ctl debug -m drop conn packet
fwaccel dbg -m general all
fw ctl kdebug -f >& fwconnchain.elg
Ctrl+C to stop the debug
fw ctl debug 0
NOKIA:
fw ctl debug 0
fw ctl debug -buf 8192
fw ctl debug + conn link drop
fw ctl kdebug -f >& fwconnchain.elg
fw ctl debug 0
Labels:
CheckPoint
Command to list CheckPoint Installed Products
cpprod_util CPPROD_GetKeyValues products 0
Labels:
CheckPoint
CheckPoint Failover Commands
Fail to FAILED:
cphaprob -d faildevice -s problem report
Fail to OK:
cphaprob -d faildevice -s ok report
Check sync stat:
cphaprob syncstat
cphaprob -reset syncstat
Troubleshoot:
fw ctl pstat
cphaprob -i list
-----------------------
Easier method to fail over:
cphastop (primary)
then cphaprob state (secondary)
then cphastart (primary)
should come back as primary standby.
Modify Failover Timeouts:
cphaprob -i list
cphaprob -d fwd -t 45 -s ok -p register
cphaprob -d cphad -t 15 -s ok -p register
Labels:
CheckPoint