Network technologies and trends


June 28, 2008  12:25 PM

How to configure an ASA/PIX firewall to pass NetFlow data from an external router to a NetFlow collector located on the inside network

Yasir Irfan

This article provides an example of NetFlow configuration on a Cisco router and an ASA/PIX firewall so that the NetFlow data exported by the router reaches a collector on the internal network.
[Image: netflow1.jpg]
Components Used
The information in this document is based on the following hardware and software versions:
• Cisco Router 3745, IOS version 12.3(17b) (network 192.168.10.0)
• PIX 525 running 7.0.3 (an ASA can also be used) (internal address 10.0.0.2)
• ManageEngine NetFlow Analyzer 6 (any NetFlow collector can be used)

In this example, let's start by configuring NetFlow on the Cisco router.

Cisco Router Configuration
Here the IP address of the interface is 192.168.10.1.

Enabling NetFlow on an Interface
Enter global configuration mode on the router and issue the following commands for each interface on which you want to enable NetFlow:

interface {interface} {interface_number}
ip route-cache flow
bandwidth {kilobits}
exit

After applying the commands, the example looks as follows (the interface address matches the 192.168.10.1 given above):
router-3745#configure terminal
router-3745(config)#interface FastEthernet 0/1
router-3745(config-if)#ip address 192.168.10.1 255.255.255.240
router-3745(config-if)#ip route-cache flow
router-3745(config-if)#bandwidth 1000
router-3745(config-if)#exit

Exporting NetFlow Data

Issue the following commands to export NetFlow data to the server on which NetFlow Analyzer is running:

ip flow-export destination {hostname|ip_address} 9996 (Exports the NetFlow cache entries to the specified IP address. Use the IP address of the NetFlow Analyzer server and the configured NetFlow listener port. The default port is 9996.)

ip flow-export source {interface} {interface_number} (Sets the source IP address of the NetFlow exports sent by the device to the address of the specified interface. NetFlow Analyzer will make SNMP requests to the device on this address.)

ip flow-export version 5 [peer-as | origin-as] (Sets the NetFlow export version to version 5. Versions 5, 7 and 9 are available.)

ip flow-cache timeout active 1 (Breaks up long-lived flows into 1-minute fragments. You can choose any number of minutes between 1 and 60. If you leave it at the default of 30 minutes, your traffic reports will have spikes. It is important to set this value to 1 minute in order to generate alerts and view troubleshooting data.)

ip flow-cache timeout inactive 15 (Ensures that flows that have finished are periodically exported. The default value is 15 seconds. You can choose any number of seconds between 10 and 600.)

snmp-server ifindex persist (Enables ifIndex persistence (interface names) globally. This ensures that the ifIndex values are preserved across device reboots.)

The following example shows the commands mentioned above:

router-3745(config)#ip flow-export destination 192.168.10.5 9996
router-3745(config)#ip flow-export source FastEthernet 0/1
router-3745(config)#ip flow-export version 5
router-3745(config)#ip flow-cache timeout active 1
router-3745(config)#ip flow-cache timeout inactive 15
router-3745(config)#snmp-server ifindex persist
router-3745(config)#^Z

Issue the following commands in normal (not configuration) mode to verify whether NetFlow export has been configured correctly:

show ip flow export (Shows the current NetFlow export configuration.)
show ip cache flow (Summarizes the active flows and gives an indication of how much NetFlow data the device is exporting.)

router-3745#show ip flow export
router-3745#show ip cache flow

The next step is to configure a static NAT on the ASA/PIX so that the collector's inside address 10.0.0.6 is reachable from the router's network as 192.168.10.5:

pix-525# configure t
pix-525(config)# static (inside,outside) 192.168.10.5 10.0.0.6 netmask 255.255.255.255 dns

In order to let the NetFlow export traffic reach the NetFlow Analyzer located on the internal network, configure the following access-list and apply it to the outside interface:

pix-525# configure t
pix-525(config)# access-list NETFLOW extended permit udp any host 192.168.10.5 eq 9996
pix-525(config)# access-list NETFLOW extended permit tcp any any

Only the first entry is needed for NetFlow export (and it could be narrowed further to the router's export source address 192.168.10.1). The second entry permits all inbound traffic on the outside interface, and the verification output later in this post shows it as permit ip any any; it should carry only whatever other inbound access the firewall genuinely requires.

Apply the created access-list to the outside interface:
pix-525(config)# access-group NETFLOW in interface outside

Now install the NetFlow Analyzer software and configure it to receive the NetFlow statistics from the external router.
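As an added example (not part of the original post and not NetFlow Analyzer's code), here is a small collector-side parser in Python for the NetFlow v5 datagrams the router exports to UDP port 9996. The exporter address 192.168.10.1, the collector address and the flow values are taken from this post; the sample datagram is constructed inline rather than captured. It also shows the admission check a collector should make itself, since the firewall rule above passes UDP/9996 from any source.

```python
"""Collector-side parsing of NetFlow v5 export datagrams (added example)."""
import socket
import struct
from dataclasses import dataclass

# NetFlow v5 wire layout, all fields big-endian: a 24-byte header followed by
# up to 30 fixed-size 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE"}

# Values from the post: the router exports from 192.168.10.1 to the collector
# (192.168.10.5 from outside, NATed to 10.0.0.6 inside) on UDP port 9996.
LISTENER_PORT = 9996
KNOWN_EXPORTERS = frozenset({"192.168.10.1"})


@dataclass
class FlowRecord:
    src: str
    dst: str
    proto: str
    src_port: int
    dst_port: int
    packets: int
    octets: int
    in_if: int
    out_if: int


def parse_v5(datagram: bytes) -> tuple[int, list[FlowRecord]]:
    """Return (flow_sequence, records); raise ValueError on a malformed datagram."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    version, count, _uptime, _secs, _nsecs, sequence, _etype, _eid, _sampling = (
        V5_HEADER.unpack_from(datagram))
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > V5_MAX_RECORDS:
        raise ValueError(f"record count {count} exceeds the v5 maximum")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram length does not match the record count")
    records = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, _flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append(FlowRecord(
            src=socket.inet_ntoa(src), dst=socket.inet_ntoa(dst),
            proto=PROTO_NAMES.get(proto, str(proto)),
            src_port=sport, dst_port=dport, packets=pkts, octets=octets,
            in_if=in_if, out_if=out_if))
    return sequence, records


def is_well_formed_v5(datagram: bytes) -> bool:
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def accept_export(sender_ip: str, dst_port: int, datagram: bytes):
    """Admission check the collector should make itself: the firewall rule in
    the post passes UDP/9996 from any source, so drop datagrams that do not
    come from a configured exporter. Returns None when rejected."""
    if dst_port != LISTENER_PORT or sender_ip not in KNOWN_EXPORTERS:
        return None
    return parse_v5(datagram)


def build_v5(sequence: int, flows) -> bytes:
    """Construct a v5 datagram for testing (constructed data, not a capture)."""
    header = V5_HEADER.pack(5, len(flows), 123456, 1214650000, 0, sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), socket.inet_aton("0.0.0.0"),
                       1, 2, pkts, octets, 1000, 2000, sport, dport, 0, 0x18, proto, 0,
                       0, 0, 24, 24, 0)
        for (s, d, proto, sport, dport, pkts, octets) in flows)
    return header + body


# Two flows mirroring the show ip cache flow lines in the post (SMTP and UDP).
SAMPLE = build_v5(42, [("192.168.10.5", "65.55.111.92", 6, 25, 4332, 32, 20000),
                       ("192.168.10.5", "69.26.190.118", 17, 5893, 3478, 8, 600)])

if __name__ == "__main__":
    for rec in accept_export("192.168.10.1", LISTENER_PORT, SAMPLE)[1]:
        print(rec)
```

The length and count checks matter because a v5 datagram carries no checksum of its own: a truncated or padded datagram would otherwise be decoded into garbage records and skew the traffic reports.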

Troubleshooting tips

Verify that NetFlow is working on the Cisco router

router-3745#sho ip cache flow
IP packet size distribution (78841980 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.003 .453 .023 .012 .008 .010 .004 .003 .003 .003 .004 .003 .003 .003 .004

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.003 .005 .022 .021 .401 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
548 active, 3548 inactive, 4045717 added
84147818 ager polls, 0 flow alloc failures
Active flows timeout in 1 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 33416 bytes
548 active, 1500 inactive, 4045717 added, 4045717 added to flow
0 alloc failures, 0 force free
2 chunks, 14 chunks added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-Telnet 143 0.0 2 52 0.0 0.4 12.7
TCP-FTP 255 0.0 6 100 0.0 9.0 7.2
TCP-FTPD 15010 0.0 1 63 0.0 0.6 15.4
TCP-WWW 1100665 2.5 14 607 37.7 8.2 6.9
TCP-SMTP 171448 0.3 69 633 27.3 35.8 6.2
TCP-X 723 0.0 2 245 0.0 0.4 13.0
TCP-other 1966270 4.5 21 656 95.4 11.7 6.6
UDP-DNS 56825 0.1 12 66 1.5 20.5 11.6
UDP-NTP 8 0.0 1 76 0.0 0.0 15.5
UDP-Frag 1 0.0 1 1476 0.0 0.0 15.0
UDP-other 684203 1.5 11 319 17.9 4.8 14.9
ICMP 48198 0.1 1 78 0.2 1.6 15.4
GRE 1358 0.0 183 182 0.5 50.0 4.2
IP-other 62 0.0 83 108 0.0 53.4 3.2
Total: 4045169 9.2 19 601 180.9 10.6 8.3

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Fa0/1 192.168.10.5 Tu0 69.26.190.118 11 1705 0D96 8
Fa0/1 192.168.10.5 Tu0 65.55.111.92 06 0019 10EC 32
Fa0/1 192.168.10.5 Tu0 206.190.48.113 06 0019 714B 29
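The first thing to read off this output is whether the cache timeouts match what the export section requires (active 1 minute, inactive 15 seconds). As an added example, not part of the original post, here is a Python parser for the show ip cache flow text that extracts the timeouts and the per-protocol table and flags deviations; the sample input is an abridged copy of the output above.

```python
"""Parse 'show ip cache flow' output and check the export-related settings (added example)."""
import re

# Abridged from the router output shown in the post.
SAMPLE_OUTPUT = """\
IP Flow Switching Cache, 278544 bytes
  548 active, 3548 inactive, 4045717 added
  84147818 ager polls, 0 flow alloc failures
  Active flows timeout in 1 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 33416 bytes
  548 active, 1500 inactive, 4045717 added, 4045717 added to flow
  0 alloc failures, 0 force free
  2 chunks, 14 chunks added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-WWW        1100665      2.5        14   607     37.7       8.2       6.9
TCP-SMTP        171448      0.3        69   633     27.3      35.8       6.2
UDP-DNS          56825      0.1        12    66      1.5      20.5      11.6
ICMP             48198      0.1         1    78      0.2       1.6      15.4
Total:         4045169      9.2        19   601    180.9      10.6       8.3
"""

# The first "N active, N inactive, N added" line belongs to the main flow cache;
# the sub-flow cache line has extra text after "added" and so does not match.
CACHE_RE = re.compile(r"^\s*(\d+) active, (\d+) inactive, (\d+) added$", re.M)
ACTIVE_RE = re.compile(r"Active flows timeout in (\d+) minutes")
INACTIVE_RE = re.compile(r"Inactive flows timeout in (\d+) seconds")
# One protocol row: name, then the seven numeric columns of the table.
PROTO_RE = re.compile(
    r"^(\S+?):?\s+(\d+)\s+([\d.]+)\s+(\d+)\s+(\d+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$",
    re.M)


def parse_cache_flow(text: str) -> dict:
    stats = {}
    cache = CACHE_RE.search(text)
    if cache is None:
        raise ValueError("no flow cache summary found")
    stats["active_flows"], stats["inactive_slots"], stats["flows_added"] = map(int, cache.groups())
    stats["active_timeout_min"] = int(ACTIVE_RE.search(text).group(1))
    stats["inactive_timeout_sec"] = int(INACTIVE_RE.search(text).group(1))
    protocols = {}
    for m in PROTO_RE.finditer(text):
        name, flows, fps, ppf, bpp, pps, active, idle = m.groups()
        protocols[name] = {
            "flows": int(flows), "flows_per_sec": float(fps),
            "packets_per_flow": int(ppf), "bytes_per_packet": int(bpp),
            "packets_per_sec": float(pps), "active_sec": float(active),
            "idle_sec": float(idle),
        }
    stats["protocols"] = protocols
    return stats


def check_export_settings(stats: dict, expected_active_min: int = 1,
                          expected_inactive_sec: int = 15) -> list[str]:
    """Return findings where the cache differs from the settings the post requires."""
    findings = []
    if stats["active_timeout_min"] != expected_active_min:
        findings.append(f"active timeout is {stats['active_timeout_min']} min, "
                        f"expected {expected_active_min} (reports will show spikes)")
    if stats["inactive_timeout_sec"] != expected_inactive_sec:
        findings.append(f"inactive timeout is {stats['inactive_timeout_sec']} s, "
                        f"expected {expected_inactive_sec}")
    if stats["active_flows"] == 0:
        findings.append("no active flows: NetFlow may not be enabled on any interface")
    return findings


if __name__ == "__main__":
    parsed = parse_cache_flow(SAMPLE_OUTPUT)
    print(parsed["active_timeout_min"], parsed["inactive_timeout_sec"])
    print(check_export_settings(parsed) or "timeouts match the recommended settings")
```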

Check that NAT is working on the firewall

pix-525# show xlate
2 in use, 417 most used
Global 192.168.10.5 Local 10.0.0.6

Check that the access-list is forwarding the NetFlow traffic

pix-525# sho access-list NETFLOW
access-list NETFLOW; 2 elements
access-list NETFLOW line 1 extended permit udp any host 192.168.10.5 eq 9996 (hitcnt=7)
access-list NETFLOW line 2 extended permit ip any any (hitcnt=140861)

To know more about NetFlow Analyzer and its configuration, follow the Netflow link.


June 28, 2008  5:24 AM

Sample I.T Security Policy – Network Security

Yasir Irfan

We are continuing our series on the Sample I.T Security Policy; so far we have covered Physical, Human, User and Client Security. Today let's concentrate on Network Security, which is as follows.

5‐NETWORK SECURITY
“IS” CONSIDERED THE FOLLOWING:
1. The network must be designed and configured to deliver high performance and reliability to meet the needs of the business, whilst providing a high degree of access control and a range of privilege restrictions.
2. Inappropriate control over access to the network will threaten the confidentiality and integrity of Organisation data.
3. Apply strong monitoring and management utilities in the Organisation network.
4. Never communicate between Organisation units over the Internet without using some form of encryption. Unencrypted packet headers contain valuable nuggets of information about the structure of the internal network.
5. Always use encrypted communications for data that flows over public networks like the Internet.
6. Locally control and administer all security services for the network.
7. Make telecommunications security an integral part of the network security if the network can be accessed via modems.
8. Use leased lines rather than encrypted tunnels whenever practical.
9. Monitor and audit the logs of the internal routers and switches.
10. Install fibre cables instead of UTP cables.
11. Any speed-dialing facility creates information security risks, as confidential customer contact information can be accessed just by pressing telephone keys.

I.S issues concerned:
• Sensitive information may be stolen because a caller masquerades as you over the telephone.
• Secure or unlisted phone numbers may be acquired from your stored information.
• Secure or unlisted phone numbers may be acquired from global information stored in the PBX.

Yasir
Personal Website: www.yasirirfan.com


June 25, 2008  4:48 AM

Sample I.T Security Policy – CLIENT SECURITY

Yasir Irfan

Today there is a seminar organized by Cisco, the Data Center 3.0 Strategy event at the Meridian. Hopefully I will get more information which I can post here. The last Cisco Expo I attended was held two months back and was simply outstanding. OK, now let's get back to our series of security policies; today I am going to elaborate on the Client Security policy.

CLIENT SECURITY

“IS” CONSIDERED THE FOLLOWING:
1. If attachment via the Internet is allowed, be absolutely certain that home users who attach via the Internet do not have file sharing turned on. For Windows clients, use automatic scanning software across the range of IP addresses attached to the network to make sure that no clients respond on TCP/IP port 139.
2. Instruct users to avoid inappropriate local access and creating or modifying shares.
3. Remove the remote access and dial-up connection services from clients on the network. There should be no need for remote access outbound connections from computers on networks that are connected to the Internet.
4. Organisation owned computers used by work-at-home telecommuters cannot be connected to the Internet or used by any family member other than the employee.
5. Employees shall use their own computers at home for entertainment or personal interests.
6. Client computers shall not be configured to use any sort of remote access software.
7. Clients shall not be configured to answer dial-in security connections.
8. Do not allow users to install software on their clients. Take removable media drives such as floppy, CD-ROM and Zip drives out of client computers, since all authorized software installations can occur over the network.
9. Do not install file and print sharing on clients unless absolutely necessary. Encourage users to store all files on network file servers, and create server pools of resources.
10. Remove all modems and other alternative access devices from client computers.
11. Each client computer should have one, and only one, possible connection to any data network.
12. Restrict logon access to the network to the computers that an employee normally uses. This makes it impossible to exploit an account name and password from anywhere other than the user’s regular computer, except nursing stations.
13. Disable all unused I/O ports, especially parallel ports and USB ports that are not attached to printers, since many alternate access devices are capable of attaching through the printer/USB port.
14. Disable unused serial/USB ports in the BIOS of client computers. Put strong administrative passwords on the BIOS setup pages of client computers to maintain central control of network security.

Yasir
My Personal Website: www.yasirirfan.com



June 24, 2008  1:19 PM

Cisco Cool Tips – Series 3 – Show Controllers Utilization

Yasir Irfan

Here is one more cool command which shows a summary of port utilization on all ports, including percentage and backplane/fabric utilization:

The show controllers utilization command on the Cisco Catalyst 3560 (other IOS switches probably support this) running Cisco IOS Software Release 12.2(44)SE1.

MBGF-DAC-3560-AS02#sho controllers utilization
Port Receive Utilization Transmit Utilization
Gi0/1 0 0
Gi0/2 0 0
Gi0/3 0 0
Gi0/4 0 0
Gi0/5 0 0
Gi0/6 0 0
Gi0/7 0 0
Gi0/8 0 0

Total Ports : 52
Switch Receive Bandwidth Percentage Utilization : 0
Switch Transmit Bandwidth Percentage Utilization : 0

Switch Fabric Percentage Utilization : 0

MBGF-DAC-3560-AS02#


June 24, 2008  5:19 AM

Sample IT Security Policy – User Security

Yasir Irfan

As promised, I am trying to cover the topics I listed in my first post; now we proceed to User Security. We should consider the following while drafting the User Security policy.

3‐USER POLICY
“IS” CONSIDERED THE FOLLOWING:
1. Networked systems shall be updated regularly with the latest vendor patches for all software executed on workstations and servers.
2. Users shall select passwords that cannot be found in a dictionary and that are of sufficient length that the probability of determining the password over a network shall take at least 160 hours. Currently, this is at least 8 characters but shall be automatically increased as technology allows.
3. All user passwords attached to a network wherein a compromise has occurred or is suspected shall be changed immediately.
4. Enable client operating system user profiles so that specific users and groups have their own security settings that reflect their level of trust in the network.
5. Force password changes often. Passwords should be valid for no longer than 30 days.
6. Train users to prevent mishaps, by doing things such as turning off a workstation that holds shared data when it is not required.
7. Execute a virus scanner automatically whenever a user logs onto the computer.
8. Use workstation user accounts and system policies to prevent individual users from controlling the security of their workstations.
9. Disable password caching so passwords do not accumulate on client computers.
10. Client computers shall be restricted such that their network settings may not be modified by nonadministrative personnel. Implement the following specific policies:

* Disable the network control panel for all users except administrator and trusted knowledgeable users.
* Disable the registry editing tools for all users except system administrators.
* Enable the shell restrictions for accounts that serve a particular purpose, such as public e-mail accounts, public word-processing accounts, process control, etc.
* Hide the general and details pages for printers in the network, disable deletion of printers, and disable the addition of printers.
* Hide the remote administration page and the user profiles page for all users except administrators.

11. Disable booting the A: drive in the BIOS and apply a password to the BIOS to keep the user from using a DOS boot floppy.
12. Hide the display settings page from everyone except administrators.
13. Limit the rights of default Administrators group, and create a separate group with full access.
14. Provide periodic security training for new and established employees alike. A periodic refresher keeps users aware of security problems.
15. Require alphanumeric passwords so that a hacker cannot quickly determine the password to a user account simply by performing a “dictionary scan.”
16. Modify the client operating system to boot directly to the allowed application or a menu restricted to allowed applications.
17. All users of workstations and PCs are to ensure that their screens are blank when not in use.
18. Approved login procedures must be strictly observed; users leaving their screen unattended must first lock access to their workstation, because unauthorized access to systems may otherwise be gained via a valid user ID and password.
19. User access must be authorized by the owner of the system, and such access, including the appropriate access rights or privileges, must be recorded in an access control list. Such records are to be regarded as highly confidential documents.

Yasir
Personal Web Site: www.yasirirfan.com



June 23, 2008  8:27 AM

Cisco Cool Tips – Series 2 – Using Privilege Mode Commands in Global Configuration Mode

Yasir Irfan

Beginning with IOS version 12.3, Cisco has finally added a command to the IOS that allows you to view the configuration and statistics from within configuration mode.

Here’s a handy tip when using the show, ping, and telnet commands. Instead of switching back and forth between global configuration mode and privilege mode to use these commands, you can remain in global configuration mode and type the do command with the original syntax.

For example:

Switch(config)#do show running-config
or

Router(config)#do show ip route
or

Router(config)#do PING 192.168.0.1

or

Switch(config)#do show vtp status

Yasir
Personal Website: www.yasirirfan.com



June 23, 2008  5:41 AM

Sample IT Security Policy – Human Security

Yasir Irfan

In my previous post on the IT Security Policy I discussed Physical Security; now we will continue our journey and see what should be considered while drafting the Human Security Policy.

2‐HUMAN SECURITY
“IS” CONSIDERED THE FOLLOWING:
1. Several studies and experiences indicate that employees and other persons who are authorized to be on the company premises or who are in a trusted relationship commit most computer crimes.
2. Do complete background checks before hiring someone or allowing someone access to Organisation resources.
3. In new employee indoctrination, stress the importance of proprietary data and that any compromise of proprietary data will result in discipline, termination, or prosecution.
4. Advise departing employees that it is against the law to take proprietary material, and that you will prosecute anyone caught taking any type of proprietary information.
5. Set up an easy-to-use system that allows employees to covertly or anonymously report suspicious behavior.
6. Develop a method to combat the belief by many employees that anyone who has worked on something has a right to take a copy. This feeling of ownership occurs regardless of the signing of non-disclosure agreements and ownership/invention agreements. One of the most common criminal defenses used is that the ex-employee just wanted a sample of their work.
7. Control and approve any articles written about the Organization by employees.
8. Access to information shall rise with pay and with proven loyalty.
9. Employees are responsible for immediately reporting lost, misplaced, or unaccounted for networked systems.
10. When audit policy monitoring reveals that an employee is a security risk, that employee’s access to sensitive information shall immediately be downgraded.
11. Off-site computer usage, whether at home or at other locations, may only be authorized by the Manager.
12. Assignment of portable systems shall be limited to those who require portability to perform their work. Portable equipment is not a perquisite, due to the inherent security risk and the cost of replacement.
I.S concerns are:
a. It must be used for business only.
b. The use of unlicensed software may put the Organization in a critical condition.
c. Viruses, worms, Trojans and other malicious code can corrupt both data and the system files.
d. Theft of the portable computer exposes the Organization to the threat of disclosure of sensitive data.
e. A laptop connected to any network is open to hacking and is unlikely to have any effective security features enabled. Files and data could be stolen, damaged or corrupted.
f. Where a laptop is used by several persons, old/stale data may still be present, risking unintentional actions / reactions to inaccurate data.
13. Sudden changes in appearance that might indicate an external factor at work in the employee’s life shall be noted and monitored by security personnel. Sudden changes in lifestyle, apparent income, or attitude may necessitate a security evaluation.
14. Personnel issued with mobile phones by the Organization are responsible for using them in a manner consistent with the confidentiality level.
15. Security check-in/check-out and name tags are required for all personnel on the premises. Employees shall be issued permanent badges. Visitors shall be issued temporary badges for the duration of their visit only.
16. Employees shall not have access to secret or higher systems or information for a period of ninety days from their initial employment. The purpose of this policy is to prevent the employment of spies from competing organizations.
17. Animosity, aggression, or violence towards the Organization, its assets, or its employees is an indicator of serious security risk. Audit policy shall be used to monitor the behavior of suspect individuals without alerting them to the fact that they are under observation. Instances of sabotage or other security violations are grounds for immediate dismissal.
18. Sensitive or confidential information must not be recorded on an answering machine or voice mail.

Yasir

Personal Website: www.yasirirfan.com



June 22, 2008  12:59 PM

Cisco Cool Tips – Series 1 – Cutting and Pasting Config via HyperTerminal

Yasir Irfan

If you cut and paste your config onto an IOS-based switch using HyperTerminal, it breaks down about midway. This occurs because HyperTerminal sends the text too quickly for the switch, particularly if a command returns a message, such as portfast. To avoid this, in HyperTerminal select File – Properties, click the Settings tab, click the ASCII button, and add a character delay of 5 milliseconds. You should now be able to cut and paste your config successfully.

Yasir
Personal Website: www.yasirirfan.com



June 22, 2008  6:08 AM

Sample I.T Security Policy

Yasir Irfan

Dear Folks

Now I am going to concentrate on a SAMPLE I.T. Security Policy for any Organization. I will try to cover in brief some important aspects in the forthcoming weeks, as we all know how important a Security Policy is. I was inspired to draft a sample security policy after reading Network Security Architectures by Sean Convery.

What is a Security Policy?
Security policies are a special type of documented business rule for protecting information and the systems which store and process the information. Information security policies are usually documented in one or more information security policy documents. Within an organization, these written policy documents provide a high-level description of the various controls the organization will use to protect information.
Written information security policy documents are also a formal declaration of management’s intent to protect information, and are required for compliance with various security and privacy regulations. Organizations that require audits of their internal systems for compliance with various regulations will often use information security policies as the reference for the audit.
(Source http://en.wikipedia.org/wiki/Information_security_policy)

I am planning to cover following things in coming weeks,

1- PHYSICAL SECURITY
2- HUMAN SECURITY
3- USER POLICY
4- CLIENT SECURITY
5- NETWORK SECURITY
6- SERVER SECURITY
7- DATA SECURITY
8- REMOTE ACCESS SECURITY
9- INTERNET POLICY

First of all I will start with Physical Security policy and later on I will proceed with the next policies.

1‐PHYSICAL SECURITY
“IS” CONSIDERED THE FOLLOWING:
1- Make sure that building security is adequate to prevent walk-up access to the workstations.
2- Employ a security officer or an “attack receptionist” to guard the front desk, and don’t allow non-employees access beyond that point.
3- Physical access to high security areas is to be controlled with strong identification and authentication techniques. Staff with authorization to enter such areas are to be provided with information on the potential security risks involved.
4- Make certain all servers are located in locked and secure rooms. Restrict access to administrative personnel.
5- Make certain the servers are stored in an area that is secure from physical compromise under all reasonable circumstances. Make sure all guests have an escort when they are in the room.
6- Sensitive and valuable material must be stored securely; lockable storage cupboards could be used.
7- Put sensitive data and material in fire-protected storage cabinets.
8- The use of a safe must be kept in mind for keeping sensitive material.

Cheers

Yasir
Personal Website: www.yasirirfan.com



June 21, 2008  5:42 AM

What is SSH, and how can it be configured on a Cisco switch?

Yasir Irfan

Secure Shell (SSH) – TCP Port 22

SSH stands for “Secure Shell”. SSH commonly uses port 22 to connect your computer to another computer on the Internet. It is most often used by network administrators as a remote login / remote control way to manage their business servers. Examples would be: your email administrator needs to reboot the company email server from his home, or your network administrator needs to reset your office password while she is away at a conference.

If remote access to a switch is necessary, then consider using SSH instead of telnet. SSH provides encrypted connections remotely. However, only IOS versions that include encryption support SSH. Also, to include SSH capability the switch may need to have its IOS updated.

Before using SSH on the switch, the administrator must configure the switch with the following commands: hostname, ip domain-name, and crypto key generate rsa. The following example sets the hostname to Switch.

Switch(config)# hostname Switch

Refer to the previous subsection on DNS for an example using the ip domain-name command.
The crypto key generate rsa command depends on the hostname and ip domain-name commands. This crypto command generates a Rivest, Shamir, Adleman (RSA) key pair, which includes one public RSA key and one private RSA key.
The following example shows this crypto command, including the two parameters that are prompted for: the name for the keys (e.g., switch.test.lab) and the size of the key modulus (e.g., 1024).

Switch(config)# crypto key generate rsa
The name for the keys will be: switch.test.lab
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may
take a few minutes.
How many bits in the modulus[512]? 1024
Generating RSA keys…. [OK].

To restrict SSH access to the switch, configure an extended access-list (e.g., 101) that allows only the administrators’ systems to make these connections and apply this access-list to the virtual terminal lines. Allow only SSH connections to these lines by using the transport input ssh command. Set the privilege level to 0, and set the exec-timeout period to 9 minutes and 0 seconds to disconnect idle connections to these lines. Finally, use the login local command to enable local account checking at login that will prompt for a username and a password.

The following commands show the example configuration for SSH on the virtual terminal lines.

Switch(config)# no access-list 101
Switch(config)# access-list 101 remark Permit SSH access from administrators’ systems
Switch(config)# access-list 101 permit tcp host 10.0.0.2 any eq 22 log
Switch(config)# access-list 101 permit tcp host 10.0.0.4 any eq 22 log
Switch(config)# access-list 101 deny ip any any log
Switch(config)# line vty 0 4
Switch(config-line)# access-class 101 in
Switch(config-line)# transport input ssh
Switch(config-line)# privilege level 0
Switch(config-line)# exec-timeout 9 0
Switch(config-line)# login local

The login local command cannot be used with AAA. Instead, use the login authentication command. Refer to the AAA section of this guide for more details.
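The configuration above only hardens vty lines 0 to 4; a switch that has more vty lines (many have 0 to 15) leaves the rest with their defaults unless they are configured too. As an added example, not part of the original post and not Cisco's own tooling, here is a Python audit that parses a running-config text and checks each line vty block for the items this post sets: transport input ssh, an inbound access-class that refers to a defined access-list ending in an explicit logged deny, a non-zero exec-timeout, and login local (or an AAA login authentication). The sample config is constructed from the post's commands plus a deliberately unhardened line vty 5 15 block to show what the audit reports.

```python
"""Audit vty line hardening in an IOS running-config (added example)."""
import re

# Constructed sample: the post's configuration plus an unhardened second vty block.
SAMPLE_CONFIG = """\
hostname Switch
ip domain-name test.lab
!
access-list 101 remark Permit SSH access from administrators' systems
access-list 101 permit tcp host 10.0.0.2 any eq 22 log
access-list 101 permit tcp host 10.0.0.4 any eq 22 log
access-list 101 deny ip any any log
!
line vty 0 4
 access-class 101 in
 transport input ssh
 privilege level 0
 exec-timeout 9 0
 login local
line vty 5 15
 transport input telnet ssh
 login
"""


def parse_sections(config: str) -> list[dict]:
    """Split IOS config into blocks: an unindented line starts a block,
    indented lines are its sub-commands. Comment lines ('!') are skipped."""
    blocks = []
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw[0].isspace():
            current = {"header": raw.strip(), "commands": []}
            blocks.append(current)
        elif current is not None:
            current["commands"].append(raw.strip())
    return blocks


def audit_vty(config: str) -> list[str]:
    """Return one finding per missing hardening item, per vty block."""
    blocks = parse_sections(config)
    acl_entries: dict[str, list[str]] = {}
    for b in blocks:
        m = re.match(r"access-list (\d+) (.*)", b["header"])
        if m:
            acl_entries.setdefault(m.group(1), []).append(m.group(2))

    findings = []
    for b in blocks:
        name, cmds = b["header"], b["commands"]
        if not name.startswith("line vty"):
            continue
        transports = [c for c in cmds if c.startswith("transport input")]
        if not transports or transports[-1] != "transport input ssh":
            findings.append(f"{name}: transport input is not restricted to ssh")
        acl = next((c.split()[1] for c in cmds
                    if c.startswith("access-class ") and c.endswith(" in")), None)
        if acl is None:
            findings.append(f"{name}: no inbound access-class, any source may attempt to log in")
        elif acl not in acl_entries:
            findings.append(f"{name}: access-class {acl} references an undefined access-list")
        else:
            rules = [e for e in acl_entries[acl] if not e.startswith("remark")]
            if not rules or not rules[-1].startswith("deny ip any any"):
                findings.append(f"{name}: access-list {acl} lacks an explicit terminal deny, "
                                "so rejected attempts are not logged")
        timeouts = [c.split()[1:] for c in cmds if c.startswith("exec-timeout ")]
        # 'exec-timeout 0 0' (or 'exec-timeout 0') disables the idle timeout entirely.
        if not timeouts or set(timeouts[-1]) == {"0"}:
            findings.append(f"{name}: exec-timeout not set explicitly or disabled, idle sessions linger")
        if not any(c == "login local" or c.startswith("login authentication ") for c in cmds):
            findings.append(f"{name}: login does not check local accounts or AAA")
    return findings


if __name__ == "__main__":
    for finding in audit_vty(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the audit is silent for line vty 0 4 and reports four findings for line vty 5 15, which is exactly the gap a reviewer would want surfaced before the switch is put into service.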

Free SSH Clients
List of free SSH servers and Clients

Yasir

Personal Website: www.yasirirfan.com


