I wanted to take a moment and give a well-deserved congratulations to the 2015 Cisco Learning Network Designated VIPs. These fine folks spend a ton of time giving back to the community by helping others in their learning process.
New VIPs for 2015
- Aref Alsouqi
- Darren Starr
- Joshua Johnson
- Milan Rai
Returning from Previous Year(s)
While working with firewalls for the last few years, I’ve seen many logs polluted with scanning traffic. Obviously this is the type of thing that I want to see when someone is legitimately scanning, or attempting to scan, through the firewall. However, there are a few cases in which seeing this traffic is simply an indication of some other issue in the network.
An example I have seen on several occasions is someone configuring a network management station to discover 192.168.0.0/16, 172.16.0.0/12 or 10.0.0.0/8. If not properly handled in the routed network architecture, the associated traffic could make its way to the firewall or even to the ISP. An ASA might block the traffic due to policy, reroute it back toward the internal network, drop it due to the intra-interface hairpin configuration, or forward it onward. In most cases, this traffic will cause a lot of “noise” in the syslogs produced by the firewall.
To fully understand the problem, the diagram below can be used for discussion–
In this example, R1 has a static default route that points to the IP address of FW1. R1 advertises this via EIGRP to its internal neighbors. If a networked host attempts to reach a nonexistent subnet of 10.0.0.0/8, the traffic would follow the default route to FW1. This issue might also occur if something was communicating with a legitimate internal host and the destination network segment went down. One obvious example would be when a network management station is monitoring a portion of the network that goes offline. To get a baseline understanding, the output below shows the relevant configuration from R1.
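One way to tell this kind of noise apart from a real scan is to group the firewall's deny messages by internal source and look at how many distinct RFC 1918 destinations each source tried to reach through FW1. The sketch below is an added example, not code from the original post; the log lines are constructed, and the interface names, ACL names and addresses in them are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ASA message 106023 (packet denied by an access-group); ICMP lines carry no port.
DENY = re.compile(
    r"%ASA-4-106023: Deny \S+ "
    r"src (?P<sif>[^:\s]+):(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dif>[^:\s]+):(?P<dst>[\d.]+)(?:/\d+)?")

# Constructed sample lines (assumed interface names, ACL names and addresses).
SAMPLE_LOG = """\
Jan 12 09:14:01 FW1 %ASA-4-106023: Deny icmp src inside:10.1.1.50 dst outside:10.200.0.1 (type 8, code 0) by access-group "inside_in" [0x0, 0x0]
Jan 12 09:14:01 FW1 %ASA-4-106023: Deny icmp src inside:10.1.1.50 dst outside:10.200.0.2 (type 8, code 0) by access-group "inside_in" [0x0, 0x0]
Jan 12 09:14:02 FW1 %ASA-4-106023: Deny icmp src inside:10.1.1.50 dst outside:10.200.0.3 (type 8, code 0) by access-group "inside_in" [0x0, 0x0]
Jan 12 09:14:05 FW1 %ASA-4-106023: Deny udp src inside:10.1.1.50/51514 dst outside:172.20.5.1/161 by access-group "inside_in" [0x0, 0x0]
Jan 12 09:15:10 FW1 %ASA-4-106023: Deny tcp src inside:10.1.2.77/49152 dst outside:203.0.113.10/25 by access-group "inside_in" [0x0, 0x0]
Jan 12 09:16:44 FW1 %ASA-4-106023: Deny tcp src inside:10.1.3.9/50211 dst outside:192.168.77.1/443 by access-group "inside_in" [0x0, 0x0]
Jan 12 09:17:02 FW1 %ASA-4-106023: Deny tcp src outside:198.51.100.7/40000 dst inside:10.1.1.10/22 by access-group "outside_in" [0x0, 0x0]
"""

def private_dst_by_source(log_text, ingress="inside"):
    """Map each source seen on `ingress` to the RFC 1918 destinations it was denied to."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = DENY.search(line)
        if not m or m["sif"] != ingress:
            continue  # not a 106023 deny, or not traffic arriving from the inside
        dst = ipaddress.ip_address(m["dst"])
        if any(dst in net for net in RFC1918):
            # Private destination that followed the default route to the firewall.
            seen[m["src"]].add(m["dst"])
    return seen

def likely_sweepers(log_text, min_targets=3, ingress="inside"):
    """Sources denied to at least `min_targets` distinct private destinations."""
    return {src: sorted(dsts)
            for src, dsts in private_dst_by_source(log_text, ingress).items()
            if len(dsts) >= min_targets}

if __name__ == "__main__":
    for src, dsts in likely_sweepers(SAMPLE_LOG).items():
        print(f"{src}: {len(dsts)} private destinations reached FW1: {dsts}")
```

A source with many distinct private destinations points at a discovery job or monitoring sweep leaking along the default route; a source with a single private destination is more consistent with one destination segment being down.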
One of the concepts that comes up occasionally is that of precedence. For example, one might consider the following routing table entries.
ip route 0.0.0.0 0.0.0.0 188.8.131.52 //default route
ip route 192.168.0.0 255.255.0.0 184.108.40.206 //supernet/cidr route
ip route 192.168.1.0 255.255.255.0 220.127.116.11 //network route
ip route 192.168.1.0 255.255.255.128 18.104.22.168 //subnet route
ip route 192.168.1.20 255.255.255.255 22.214.171.124 //host route
Questions often arise around which path a packet would take when it matches more than one entry. For example, a packet may have a destination address of 192.168.1.20. In this case it matches every single route entry.
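The lookup can be worked through in code. The following is an added example, not code from the original post: it parses the five static routes exactly as listed above and applies longest-prefix matching, assuming all of them carry the same administrative distance so that prefix length alone decides.

```python
import ipaddress

# The static routes as listed in the post (comments stripped).
ROUTES = """\
ip route 0.0.0.0 0.0.0.0 188.8.131.52
ip route 192.168.0.0 255.255.0.0 184.108.40.206
ip route 192.168.1.0 255.255.255.0 220.127.116.11
ip route 192.168.1.0 255.255.255.128 18.104.22.168
ip route 192.168.1.20 255.255.255.255 22.214.171.124
"""

def parse_routes(text):
    """Return [(IPv4Network, next_hop)] from 'ip route <prefix> <mask> <next-hop>' lines."""
    table = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[:2] != ["ip", "route"]:
            continue
        # strict=True rejects a prefix with host bits set for its mask.
        network = ipaddress.ip_network(f"{fields[2]}/{fields[3]}", strict=True)
        table.append((network, fields[4]))
    return table

def matching_routes(table, destination):
    """All routes covering the destination, most specific first."""
    dst = ipaddress.ip_address(destination)
    hits = [(net, hop) for net, hop in table if dst in net]
    return sorted(hits, key=lambda route: route[0].prefixlen, reverse=True)

def lookup(table, destination):
    """Longest-prefix match: the covering route with the longest mask wins."""
    hits = matching_routes(table, destination)
    return hits[0] if hits else None

if __name__ == "__main__":
    table = parse_routes(ROUTES)
    for dst in ("192.168.1.20", "192.168.1.100", "192.168.1.200", "192.168.5.1", "8.8.8.8"):
        net, hop = lookup(table, dst)
        print(f"{dst:15} -> {str(net):18} via {hop}")
```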
So I go to the IRS Page that allows taxpayers to check the status of a refund. This is under the number “3” at the following URL–
The following banner pops up prior to setting a browser cookie.
I’m not a lawyer, so I have some questions regarding how to interpret this–
- Should this be read as–
- Use of this system constitutes consent to monitoring, interception, recording, reading, copying or capturing by authorized personnel of all activities. (or)
- Use of this system constitutes consent to monitoring, interception, recording, reading, copying or capturing by authorized personnel of all activities.
- And what does authorized personnel of all activities mean? If I use the system, I have to be authorized, or I’m breaking the law (as identified two sentences later–Unauthorized use is prohibited).
- So based on #2 above (authorized user). When I use that definition of authorized user in #1, the IRS isn’t accepting responsibility if I somehow happened to perform the following on another user’s information – monitoring, interception, recording, reading, copying or capturing. (doesn’t exclude my accountability, but it certainly alleviates the IRS accountability)
- “There is no right to privacy in this system“?
- So I’d hope the IRS can access my information, that is sort of the point of the system.
- But I also hope that data is private (meaning that the information isn’t publicly available), which is not what the banner states.
As a System Engineer, I do occasionally have to do real field work. When that happens, having access to a TFTP and FTP server is sometimes required. Although the [lack of] UI makes the use counterintuitive, these tools are available in OSX. This post includes the commands required to enable, confirm, and disable both TFTP and FTP in the native Mac environment.
# load the TFTP daemon (typically starts automatically)
sudo launchctl load -F /System/Library/LaunchDaemons/tftp.plist
# confirm that TFTP is listening (netstat)
netstat -atp UDP | grep tftp
udp6 0 0 *.tftp *.* # IPv6 Listening
udp4 0 0 *.tftp *.* # IPv4 Listening
# unload the TFTP daemon
sudo launchctl unload -F /System/Library/LaunchDaemons/tftp.plist
# confirm that TFTP is no longer listening (netstat)
netstat -atp UDP | grep tftp
- Default Directory is /private/tftpboot
- Copying a file from a device to the TFTP server requires it be “pre” created (Hint: sudo touch /private/tftpboot/<filename>)
- File permissions typically need to be modified (Hint: sudo chmod 766 /private/tftpboot/*)
- I just use my TFTP directory for transient file transfers
I just read a short post by Lindsay Hill titled Doing Community Programs Right. I think the points made are accurate and well-founded. Prior to working for Cisco, I was part of the “CLN Designated VIP Program”. I had the opportunity to connect with others in and around the industry. I think these online communities are great and there is a wealth of knowledge sharing that happens. During key conferences many of our paths cross and even more interesting conversations happen.
I’d personally like to bring some of those concepts into the local communities I work in. I think many of the same tenets would be important. I wouldn’t want a local group to be about any single vendor (even Cisco) or partner. It would be really interesting to just get a bunch of people together that wanted to share their technology challenges and how they are addressing them.
I just wanted to take a moment and make a new podcast recommendation. This recommendation is the handiwork of several of our industry friends. The premise is around the unique use of technologies by small and medium business. This podcast should serve as a good listen for everyone interested in SMB tech!
We all know that there are a lot of incomplete security models. Firesheep made this fact painfully obvious to those who regularly work from public hotspots. Although this issue extends beyond insecure wireless deployments, unencrypted hotspots are an easy target. When network traffic isn’t secured in the application layers AND that same traffic is not secured in the network or datalink layers, bad things can and do happen.
TLDR–This article solves this problem by utilizing a Meraki MX60 and the native VPN client on OSX. To skip to the good stuff, click here.
One approach that some people decide to employ is utilizing a VPN connection for their Internet traffic when connected to untrusted networks. For years, enterprises have utilized these controls to allow secure access to corporate resources. A common trend today includes utilizing “the cloud” for sensitive enterprise and personal data. While these systems *should* be appropriately resilient, we know that is not always the case. In addition to that, federated authentication schemes and password reuse can also pose additional risk to broken systems and less security conscious users.
Having easy access to some gear, I have been using a Meraki MX60 for a few months. This device makes the configuration simple for several reasons.
- Being a cloud managed platform, public IP changes are always tracked and available
- DNS “A” records have a configurable hostname and are maintained by the cloud management platform
- Standard Protocols are used and work natively with a wide variety of operating systems
A couple of weeks ago, a CLN Member Posted a question with the heading Does ASA drop active session.
The specific question was as follows–
I have a time based ACL configured on a Cisco ASA. I need to know if the active sessions are dropped by the ASA when the time limit is over.
For example, users are allowed to connect between 12 and 1 PM. If there are any active connections just before 1 PM then will they be dropped at 1 PM?
Many network and security administrators would blindly assume that a time-based ACL would block or allow traffic based on the time-range attached to the individual ACE. Having quite a lot of experience with the ASA, I was skeptical and assumed that any ongoing connections would continue to allow the flow of traffic. I decided to do a little testing and here is what I found.
There’s nothing like taking a 12 hour road trip to help get caught up on podcasts. Even though I have a few more to go, I am feeling pretty accomplished with my progress.
One podcast episode jumped out at me as particularly interesting. This was the Risky Business 2014 [year] in review episode. This episode has the most interesting excerpts and commentary for breaches throughout this year. Have a listen by following the link below.
Risky Business #349 — 2014 in review | Risky Business
In an effort to educate myself on the inner workings of WebEx, I recently looked at a session with Wireshark. Knowing that WebEx audio has the ability to use UDP or TCP, I wanted to isolate the protocol being employed in my configuration. I watched for a new stream of traffic as I enabled the audio portion of a meeting. I found that the audio was using UDP port 9000.
I next applied a filter to see only this traffic. What immediately jumped out at me was what appeared to be malformed and fragmented packets. I also noticed a lot of strange IP addresses like 126.96.36.199, 188.8.131.52, 0.0.0.30, 0.0.0.31 and so on.
Knowing that the audio was working perfectly, I could have easily concluded that my eyes were deceiving me. When I looked closer, I quickly realized that Wireshark was recognizing and decoding this as if the packets were Lawful Intercept.
I wanted to take a moment to wish all PacketU readers a Merry Christmas and a Happy New Year. With that, I leave you with a short video clip of my son playing Silent Night at a church program last week. Longtime friends know that we had a pretty serious health scare with him 5 years ago and we consider ourselves very blessed to have him in our life.