Network Security Insider

Myrtle Beach Homes/Condos

2013-12-28T21:48:00.001-05:00

InfoSec friends, I have a new site - www.midtownmyrtlebeach.com. I look forward to helping you buy your dream ocean front home or condo in Myrtle Beach, South Carolina! If you've never been to Myrtle Beach, it's an awesome place to vacation, or to live!

Scroll down for my posts on InfoSec, Security, Linux, Firewalls, and IDS/IPS.

Helpful Bookmarks & Links

2010-11-17T09:49:00.000-05:00

CheckPoint

https://supportcenter.checkpoint.com/ - CheckPoint Support Site

http://www.cpug.org/ - CheckPoint User Group / Forums

http://www.tla.ch/TLA/FW/FW1FAQ.html - CheckPoint FAQ (old but good)

Cisco

https://supportforums.cisco.com/ - Cisco Support Forums

http://www.cisco.com/univercd/home/home.htm - Cisco Documentation

http://blogs.cisco.com/security - Official Cisco Security Blog

http://ciskoblog.com/ - Cisco Blog

http://blog.priveonlabs.com/sec_blog.php/cisco-security/cisco-security-agent/ - Cisco Security Agent (CSA) Blog

http://tools.cisco.com/MySDN/Intelligence/searchSignatures.x - Cisco Signature Lookup

https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl - Output Interpreter for show commands

Juniper

http://kb.juniper.net/ - Juniper Knowledgebase

http://forums.juniper.net/ - Juniper Forums

http://juniperhowto.com/ - Juniper How-to Site

http://juniperhacks.wordpress.com/ - Juniper Hacks Blog

Sourcefire

http://sourcefirefaq.blogspot.com/ - Sourcefire Blog (old but good)

https://support.sourcefire.com/ - Sourcefire Support

http://vrt-sourcefire.blogspot.com/ - Sourcefire VRT Blog

TippingPoint

https://tmc.tippingpoint.com/TMC - TippingPoint Knowledgebase and Threat Mgmt Center

Troubleshooting High CPU on Cisco ASA

2010-11-08T17:57:00.001-05:00

show cpu
show processes cpu-usage

**This will tell us which process is consuming the most CPU.

**Dispatch Unit is the "packet processing" process of the ASA. If the Dispatch Unit is showing high utilization, take a packet capture (pcap) from the ASA and view it in Wireshark to see what traffic is causing the most load on the ASA.

Enable CPU Profiling (to provide to Cisco TAC)
cpu profile activate 5000

Cisco ASA 8.2+:
show cpu profile dump

Pre 8.2:
show cpu profile

Security Docs (Audio, Video, Text)

2010-11-06T22:22:00.001-04:00

Excellent resources for security documentation including audio, video, and text.

http://secdocs.lonerunners.net/
http://www.sans.org/reading_room/

Fortinet - Free self-paced training online

2010-11-03T14:25:00.000-04:00

Fortinet Recorded webinar sessions (under Self-paced Online Training ) :
http://campus.training.fortinet.com/

Customizing SSL VPN Portals
Directory Services Integration using FSAE

FortiAnalyzer Reporting

FortiGate-One Technical Overview

FortiGuard Web Filtering

FortiMail -- Authentication & Encryption

FortiOS Troubleshooting

High Availability Clusters - New !!!

Introduction to FortiGate (101) - New !!!

Introduction to FortiManager

IPSec VPN Design and Troubleshooting

Static Routing (Policy Routing, ECMP, RPF & Spillover)

Two-factor Authentication - NEW!!!

What's New in 4.0 MR2 (Part1)

What's New in 4.0 MR2 (Part2)

Free Fortinet endpoint firewall with IPS and AV (FortiClient)

2010-11-03T14:20:00.002-04:00

Free endpoint firewall with IPS and AV
http://forticlient.com/

Packet Sniffing on a Fortinet/FortiGate Firewall

2010-11-03T14:19:00.001-04:00

http://kb.fortinet.com/kb/viewContent.do?externalId=11186&sliceId=1#basic_command

Tips for troubleshooting Imperva WAF

2010-11-03T14:16:00.000-04:00

Tips for troubleshooting Imperva WAF:

statistics.csv from Setup->Gateways->the relevant GW -> the rightmost panel.
get-tech-info
cat /opt/SecureSphere/etc/patch_level
download "imperva-stats-script" from Imperva site, and run script for 24 hours.

WAF - Relevant Questions to Ask

2010-11-03T14:12:00.000-04:00

Relevant Questions to Ask for Implementing a new WAF (Imperva, Breach, etc.)

Web Server Information
----------------------
Application Name - IP Address & Port
SSL? (yes/no)
IP Type (Legal/NAT/Load Balanced)
Number of Physical Machines
Network Throughput
Web Server Vendor
Web Server Operating System
Web site type (static/dynamic)
Application Server
Web Application Vendor (custom, peoplesoft, etc..)
Web Application Language (.net, java, etc)"
Web Application Transactions per second

Database Information
------------------------------
Database Name
Machine Name or IP Address
Number of Database Servers (physical Database boxes)
Network Throughput
Database Vendor
Database Operating System type
Database Transactions per second

Imperva WAF - Export Full Config from CLI

2010-11-03T14:09:00.002-04:00

Export the full config from the CLI of an Imperva WAF:

--
1) cd /tmp
2) full_expimp.sh

IPSO CLISH Interface Examples

2010-11-03T14:07:00.000-04:00

clish - interface command examples:
set interface eth1 speed 100M duplex full auto-advertise on
add interface eth1c0 address 12.12.12.12/28 enable
delete interface eth-s1p2c0 address 12.12.12.12
delete interface eth4c0 address 12.12.12.12
set static-route default nexthop gateway address 12.12.12.11 priority 1 on

Nokia IPSO Status LEDs

2010-09-21T22:50:00.000-04:00

Solid blue Power - On
Solid yellow - Appliance is experiencing an internal voltage problem.
Blinking yellow - Appliance is experiencing a temperature problem.
Solid red - One or more fans are not operating properly.
Blinking green - System activity indicator

Peer-to-Peer (P2P) Ports

2010-09-21T22:45:00.002-04:00

Kazaa, Grokster, Morpheous
TCP 1214
UDP 1214

eDonkey
TCP 4661-4672
UDP 4661-4672

WinMX & Napster
TCP 6257
UDP 6257
TCP 6699
UDP 6699

BitTorrent
TCP 6881-6889
TCP 6969
UDP 6881-6889

Gnutella (Bearshare, Limewire)
TCP 6346, 6347, 6348
UDP 6346, 6347, 6348

Napster
TCP 4444, 5555, 6666, 7777, 8888
UDP 4444, 5555, 6666, 7777, 8888

tcpdump for ARP packets

2010-09-21T22:43:00.002-04:00

tcpdump -lnni eth2 ether proto 0x0806

Enable AIP-SSM IPS Inspection on ASA

2010-09-07T22:29:00.001-04:00

policy-map global_policy
class ips_class_map
ips inline fail-open

Or for passive:
ips promiscuous fail-open

Clear ACL Hit Counters

2010-09-07T22:09:00.002-04:00

clear access-list <access-list name> counters

Enable VPN Keep Alive on Cisco ASA VPN Tunnel

2010-09-07T22:00:00.002-04:00

Cisco PIX/ASA 7.x and later, for the tunnel group named 10.1.1.1
asa(config)#tunnel-group 10.1.1.1 ipsec-attributes
asa(config-tunnel-ipsec)#isakmp keepalive threshold 15 retry 10

Copy many routes from one Linux box to another

2010-09-07T21:56:00.000-04:00

netstat -rn | grep ^[0-9] | awk '{printf "route add -net %-15s gw %-15s netmask %s\n", $1, $2, $3}' | sort > routing_table

CheckPoint Log Buffer Full

2010-09-07T21:52:00.001-04:00

1. Create or modify (if the file exists) the $FWDIR/boot/modules/fwkern.conf file on the Security gateway.
2. Add the entry fw_log_bufsize=xxxxx, where xxxx is the desired size in bytes (default = 81920) - try to set it to 163840.
3. Reboot the Security gateway

Add the following to fwstart.conf:
----
$FWDIR/bin/fw ctl debug -buf 8192
fw ctl kdebug -f > /var/log/console.log &
echo "fw debug messages go to /var/log/console.log"

http://www.networking-tips.net/?p=323

http://www.cpug.org/forums/nokia-ipso/2385-log-buffer-full-errors.html

Commands to Troubleshoot CheckPoint HA Interface Issues

2010-09-07T21:48:00.002-04:00

fw ctl iflist
cat $FWDIR/conf/discntd.if (interfaces commented out for HA monitoring)

cphaprob state
cphaprob -a if
cphaprob list

Clear CheckPoint NAT and State Table

2010-09-07T21:47:00.001-04:00

fw tab -t sam_blocked_ips -x
fw tab -t fwx_alloc -x
fw tab -t connections -x

Troubleshoot traffic to an IP thru a CheckPoint Firewall

2010-09-07T21:44:00.001-04:00

fw monitor -e "src=172.16.1.1 or dst=172.16.1.1;" > /tmp/fwmon-172.16.1.1.out &
tcpdump -w /tmp/traffic.cap -lnni any host 172.16.1.1 &
fw ctl zdebug drop > /tmp/conn.dbg &
fw log -ftn | egrep 172.16.1.1 >> /tmp/fw-log-172.16.1.1.log &

List the Top Connections on a CheckPoint Firewall

2010-09-07T21:38:00.002-04:00

fw tab -t connections -u -f >> conns.txt
cat conn-ips.txt | sort | uniq -c | sort -n

How to run a CheckPoint Debug

2010-09-07T21:36:00.002-04:00

fw ctl debug 0
fw ctl debug -buf 10000
fw ctl debug -m drop conn packet
fwaccel dbg -m general all
fw ctl kdebug -f >& fwconnchain.elg

Ctrl+C to stop the debug
fw ctl debug 0

NOKIA:
fw ctl debug 0
fw ctl debug -buf 8192
fw ctl debug + conn link drop
fw ctl kdebug -f >& fwconnchain.elg
fw ctl debug 0

Command to list CheckPoint Installed Products

2010-09-07T21:34:00.002-04:00

cpprod_util CPPROD_GetKeyValues products 0