Explain Intrusion detection system (IDS)?? Types OF IDS...

An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a Management Station. Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization.

IDPSes typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g. reconfiguring a firewall), or changing the attack's content.

EBOOK - Installation And Configuration of R.S.A enVision

                                

"The Right Choice for Compliance and Security Success!". The RSA enVision platform provides collection, alerting and analysis of log data that enables organizations to simplify compliance and quickly respond to high-risk security events. The RSA enVision 3-in-1 platform offers an effective Security and Information Event Management (SIEM) and log management solution, capable of collecting and analyzing large amounts of data in real-time, from any event source and in computing environments of any size. RSA enVision is easily scalable - eliminating the need for filtering and to deploy agents.

Information System Auditing

1. What is informaton system?

Information system is any combination of information technology and human operation managemen and dececion making.

2. What is information system auditing?

Ron Weber opinion (1999,p.10), “EDP auditing is the process of collecting and evaluating evidence to determine whether a computer systems safeguard assets, and consumes resources effiently ”.Understanding in general is the process of collecting and evaluating evidence to determine whether a computerized application system has been set and implement the system, adequate internal controls, all assets are protected well / not abused, and ensuring data integrity, reliability and the effectiveness and efficiency of the system computer-based information.

CISA Review Manual 2012 - Powered By ISACA

The CISA Review Manual 2012 is a comprehensive reference guide designed to help individuals prepare for the CISA exam and understand the roles and responsibilities of an information systems (IS) auditor. The manual has been enhanced over the past editions and represents the most current, comprehensive, peer-reviewed IS audit, assurance, security and control resource available worldwide.

The 2012 manual is organized to assist candidates in understanding essential concepts and studying the following updated job practice areas:

1. The Process of Auditing Information Systems.
2. Governance and Management of IT.
3. Information Systems Acquisition, Development and Implementation.
4. Information Systems Operations, Maintenance and Support.
5. Protection of Information Assets.

Syness-The IT Regulatory and Standards Compliance Handbook: How to Survive Information Systems Audit and Assessments | For ISO 27001(BS7979), PCI-DSS, HIPPA, FISCAM, COBIT

The IT Regulatory and Standards Compliance Handbook: How to Survive Information Systems Audit and Assessments

Publisher: Syngress 2008 | 750 Pages | ISBN: 1597492663 | PDF | 11 MB

This book provides comprehensive methodology, enabling the staff charged with an IT security audit to create a sound framework, allowing them to meet the challenges of compliance in a way that aligns with both business and technical needs. This “roadmap” provides a way of interpreting complex, often confusing, compliance requirements within the larger scope of an organization’s overall needs.

Cisco Router - How to configure SSH

Below shows you how to enable SSH on your router using a username of "cisco" and a password of "network", allowing access from the fa0/0 interface.

Router(config)#ip ssh source-interface fastEthernet 0/0
Router(config)#ip ssh authentication-retries 3
Router(config)#ip ssh version 2

Router(config)#ip domain-name local.net
Router(config)#crypto key generate rsa modulus 768
Router(config)#username cisco password 7 network

Router(config)#line vty 0 15
Router(config-line)# transport input ssh
Router(config-line)# local login

Some Websites not open in SQUID Proxy

Websites not accessible via Squid

Problem

Some websites not accessible through Squid.

Following message is noticed in the browser

The following error was encountered: 

• Read Error

The system returned: 

    (104) Connection reset by peer

Environment

Squid 2.6.STABLE21-6 
Squid 3.1.10-1 

Resolution

Add the following to squid.conf  and restart squid service

via off
forwarded_for delete

Root Cause/Diagnostics

Site was accessible directly. Via squid, connection would reset abruptly

Only difference when accessed via squid and directly was the addition of

X-Forwarded-For and via headers in the HTTP request

X-Forwarded-for usually contains the IP address of the host that requested the website

Example:  

X-Forwarded-For: 192.168.0.1

VIA usually has information about the proxy server

Example:

via: example.com 

Documentation:  forwarded_for and via

By disabling via off and setting forwarded_for delete, we disabling these headers in the HTTP request.
Disabling this header should not have any negative impact.

-----------------------------------------------------------------------------------------------

Configuring the Cisco IDS Router / Switch Modules for Cisco 6500 Switch / 7200 Router

IDSM-2

The IDSM-2 Module is a Cisco IDS blade for the Cisco 6500 switch.
Once you install the module into the switch the module uses following logical ports :

Port 1	Used for TCP Resets (In Promiscuous Mode)
Port 2	Command and Control
Port 7	Sensing Port
Port 8	Sensing Port

Below details the steps required for configuring your switch / module for an inline setup. This includes obtaining the module number for the cisco ids running the setup wizard and then assigning the required ports for on the switch for ids sensing within an inline configuration. The clear trunk commands are required as by default the switch assigns the ports as trunk ports to every vlan.

Types of Firewalls

Firewalls are everywhere today even many home network have firewalls today. But there are several different types of firewalls. You have hardware, software firewalls, stateful, stateless firewalls, proxy, application, desktop, dual-homed, reverse, etc; 

Some of which are explained below:

How to configure a Cisco Layer 3 switch-InterVLAN Routing

Cisco Catalysts switches equipped with the Enhanced Multilayer Image (EMI) can work as Layer 3 devices with full routing capabilities. Example switch models that support layer 3 routing are the 3550, 3750, 3560 etc.

On a Layer3-capable switch, the port interfaces work as Layer 2 access ports by default, but you can also configure them as “Routed Ports” which act as normal router interfaces. That is, you can assign an IP address directly on the routed port. Moreover, you can configure also a Switch Vlan Interface (SVI) with the “interface vlan” command which acts as a virtual layer 3 interface on the Layer3 switch.

On this post I will describe a scenario with a Layer3 switch acting as “Inter Vlan Routing” device together with two Layer2 switches acting as closet access switches.

CheckPoint Having Acceleration and Clustering Software Blade

The Check Point Acceleration and Clustering Software Blade delivers a set of advanced technologies, SecureXL and ClusterXL, that work together to maximize performance and security in high-performance environments. These work with CoreXL, which is included with the blade containers, to form the foundation of the Open Performance Architecture, which delivers throughput designed for data center applications and the high levels of security needed to protect against today’s application-level threats.

How to Configure a Cisco ASA 5510 Firewall – Basic Configuration Tutorial

This article gets back to the basics regarding Cisco ASA firewalls. I’m offering you here a basic configuration tutorial for the Cisco ASA 5510 security appliance. This device is the second model in the ASA series (ASA 5505, 5510, 5520 etc) and is fairly popular since is intended for small to medium enterprises. Like the smallest ASA 5505 model, the 5510 comes with two license options: The Base license and the Security Plus license. The second one (security plus) provides some performance and hardware enhancements over the base license, such as 130,000 Maximum firewall connections (instead of 50,000), 100 Maximum VLANs (instead of 50), Failover Redundancy, etc. Also, the security plus license enables two of the five firewall network ports to work as 10/100/1000 instead of only 10/100.

Next we will see a simple Internet Access scenario which will help us to understand the basic steps needed to setup an ASA 5510. Assume that we are assigned a static public IP address 100.100.100.1 from our ISP. Also, the internal LAN network belongs to subnet 192.168.10.0/24. Interface Ethernet0/0 will be connected to the outside (towards the ISP), and Ethernet0/1 will be connected to the Inside LAN switch. 

Check Point : SecurePlatform (SPLAT) Backup Options Available.

One aspect of the Check Point SecurePlatform OS that I struggle to get my head around is backups. There are a few different options, and during the course of researching an upgrade I came across the best explanation I’ve seen yet.  I’ve decided to grab a copy of the relevant text and post it in my blog for future reference here.

Oversimplified Executive Summary

• upgrade_export contains just Check Point configuration
• A backup is an upgrade_export plus SPLAT OS configuration
• A snapshot is a backup plus binary files, both Check Point and SPLAT OS
• As a general rule of thumb, if your restoring on the same hardware a snapshot would be the easiest to use since it contains the most info and an upgrade_export would be the worst, since you’d have to manually restore the most stuff.

Checkpoint : Mount USB Memory Stick / Pen Drive to Splat

Ever wanted to use an USB stick on OpenServer using SPLAT or an appliance?

Just connect the device to an USB port of your choice.

1. Load the appropriate kernel module for handling the USB device.

* modprobe usb-storage

2. Check which new device was bound, for example "/dev/sda1".

* fdisk -l

3. Create a mount point.

* mkdir /mnt/usbdisk

4. Mount USB device.

* mount /dev/sdb1 /mnt/usbdisk

5. Use the device to transfer data as you like.   "[DATA Transafer]"

6. Unmount USB device.

* umount /mnt/usbdisk







How Traceroute Command Works ??

                                   Traceroute

What is Traceroute?

It is an application layer implementation to find the hops when a packet traverses to a destination.

What are the Protocols Used in Traceroute?

Traceroute works with combination of both ICMP and UDP. It mainly relies on ICMP Time-to-Live Exceeded (Type 11).

DDNS - Dynamic Domain Name System | What is DDNS , DNS

DDNS - Dynamic Domain Name System

We Know All before sending anything to his mail server, he will read the database from the public server for the latest ip address of mail server and put it as destination address.. But twas a small problem, at times after fetching the latest public ip of mail server, ISP DHCP renews the IP lease of mail server, hence the message lost.

Again after some time I started thinking about a vpn connectivity from an office which doesn't have public address, so the idea of DDNS came,

Before explaining DDNS, I hope you all have a good idea about DNS, For those who dont know, DNS is the one to one mapping between name to ip address. But in DNS its will not get updated dynamically and it may take even more than 24 hrs to get updated in the root DNS servers. Here come DDNS.

Top Ten Tips for Managing Your CheckPoint Firewall

This article discusses the Top ten tips that you can implement to best manage and fine tune your firewall. The purpose of this article is to get the best performance out of your firewall and increased security to your network.

1. Use the latest version of the OS software available for your particular firewall. Install the latest patches and if possible/applicable, the latest software version available.

2. Use a stealth Rule at the top of the rule base.

What is a stealth rule? A stealth rule is a rule which disallows any communication to the firewall itself from unauthorized networks/hosts. It is a rule to protect the firewall itself from attacks.

Different Types of Firewalls

Companies such as Cisco and other major vendors have introduced a multitude of firewall products that are capable of monitoring traffic using different techniques. Some of today's firewalls can inspect data packets up to Layer 4 (TCP layer). Others can inspect all layers (including the higher layers) and are referred to as deep packet firewalls. This section defines and explains these firewalls. 

The three types of inspection methodologies are as follows:

• Packet Filtering and Stateless Filtering.
• Stateful Filtering.
• Deep Packet Layer Inspection.

Blue Coat ProxySG - CLI Commands

Here is a list of Blue Coat ProxySG CLI commands, that I have compiled from my studies, Blue Coat documents, and places around the web. This is by no means an exhaustive or comprehensive list, but is rather meant to be a command line KB of sorts - mainly for my quick reference. The list is split into standard and privileged mode commands. If the list proves useful to you, please feel free to share the link with others. Also, if you see any typo's with anything, feel free to let me know!

Checkpoint - Log File Corrupted

When log files get corrupted and we get the following error in the SmartView Tracker : "Failed to read record number" …

Note: "To repare the log file we need to know the log file name and then from the CLI on the CLM/CMA or from the Smartcenter "


Then use the following command :

[Expert@mlm]# fw repairlog


******************************************************************************************************

****************************************************************************************************** 

What Is SIC (Secure Internal Communication) in Checkpoint Firewall

SIC - Encryption, Authentication and Secure Channel

The following security measures are taken to ensure the safety of SIC:

• Certificates for authentication.

• Standards-based SSL for the creation of the secure channel.

• 3DES for encryption.


******************************************************************************************************

****************************************************************************************************** 

Download Google Chrome Extension in CRX Format | How to Download Google Chrome CRX File

I wondered how to do this too. I always tried to download Google Chrome Extension (.CRX File) for Backup .But Its Always Download and Install , No Options for Backup Downloads.But After Some Time I tried this small Tricks and I wondered that Its Works...........

1. Find the ID of the extension you’re interested in. When on the details page of the extension, it will be something like

   bfbmjmiodbnnpllbbbfblcplfjjepjdn

   after

   https://chrome.google.com/webstore/detail/

Checkpoint Firewall Logs from CLI

Syntax

fw log displays the content of log files.

The full syntax of the fw log command is as follows:

fw log [-f [-t]] [-n] [-l] [-o] [-c action] [-h host] [-s starttime] [-e endtime] [-b starttime endtime] [-u unification_scheme_file] [-m unification_mode(initial|semi|raw)] [-a] [-k (alert_name|all)] [-g] [logfile]

How to Configure DHCP on Cisco Router 871 or 18xx or 21xx or 26xx .(Series)

DHCP stands for Dynamic Host Configuration Protocol. Basically it’s a mechanism which assigns IP addresses to computers dynamically. Usually DHCP is a service running on a server machine in the network in order to assign dynamic IP addresses to hosts. All Cisco 800 series models have the ability to work as DHCP servers, thus assigning addresses to the internal LAN hosts. Without a DHCP server in the network, you would have to assign IP addresses manually to each host. These manually assigned addresses are also called “static IP addresses”.

The PING of Death and Other DoS Network Attacks

What is known as Denial-of-Service (DoS) Attacks.?? Do You Prevent it or Not.? This Question Is Very Difficult.!!

I’m very disappointed to admit that in our days this type of attack is one of the most common attacks found in the network community. The intention of the attacker in this case is to stress the victim with a tremendous amount of spurious traffic so that the network has no more free resources to process normal legitimate traffic.

Learning about these types of network attacks — learning your enemy — will help you be prepared for the worst. Once you understand your enemy’s behavior and the different types of network threats we’ll move on to specific solutions and how to protect your network.

DoS Attacks - Denial-of-Service Attack

Denial of Service Attacks can take many forms. The most important ones are:

• SYN Flood
• UDP Flood
• ICMP Flood
• Land Attack
• Teardrop Attack

All these attacks have one thing in common which is nothing else than making their victim unable to serve legitimate traffic by filling up its session table with malicious connection attempts.

Check Point Authentication Methods

Authentication feature of checkpoint ensures the users trying to access resources in your network are actually authorized to do so.With this feature instead of simply allowing a client access a device, the administrator can request the client to authenticate first before permitting access..................

Checkpoint supports the following three types of authentication methods:
1.Checkpoint User Authentication.
2.Checkpoint Client Authentication.

3.Checkpoint Session Authentication.

1.Checkpoint User Authentication:

In this type of authentication, for every traffic that passes through the firewall, the client user needs to first authenticate.This ensures that only valid authenticated users only are able to access the destination resources. The limitation is user authentication only supports Telnet, HTTP, FTP and RLOGIN attempts.

Checkpoint : Nokia Hardware - Model - Serial Number

Check Nokia Hardware Model Number with Serial Number

FW [Admin]# cat /var/etc/.nvram

---------------------------------------------------------------------

Vendor Nokia
Chassis serialnum: 88064000318
Model IP560

---------------------------------------------------------------------

FW [Admin]#

How to Configure Cisco VTP – VLAN Trunk Protocol

In a previous post I explained how to configure VLANs on Cisco Switches. That was a simple scenario with just two switches connected with a trunk port and having shared VLANs belonging to both switches. Now, imagine the situation where you need to manage a huge Layer 2 switched network with tens or hundreds of switches and with VLANs spread across all switches in the network. This would be a daunting task for any network administrator as he would have to connect on all switches and add or remove VLANs accordingly every time a new vlan is required in the network.

List Of Checkpoint Ports - Port Used In CheckPoint

TCP Port 256 is used for three important things: Exchange of CA and DH keys in FWZ and SKIP encryption between two FireWall-1 Management Consoles SecuRemote build 4005 and earlier uses this port to fetch the network topology and encryption keys from a FireWall-1 Management Console When instaling a policy, the management console uses this port to push the policy to the remote firewall. TCP Port 257 (FW1_log) is used for logging purposes.

Checkpoint : SPLAT - Disable CD/DVD Rom | Disable CD/DVD Rom From SPLAT (Checkpoint Secure-Platform)

How to disable the "CD/DVD ROM" from "CLI"

FW [Admin]# cd /lib/modules/2.6.18-92cp/kernel/drivers/cdrom

FW [Admin]# mv cdrom.ko cdrom.ko.orig

FW [Admin]# Reboot

or

FW [Admin]# modprobe -r sr_mod

******************************************************************************************************

****************************************************************************************************** 

How to Configure VLANs on a Cisco Switch (All Series)

This post will deal with configuring Layer 2 VLANs on Cisco switches. Up to 4094 VLANs can be configured on Cisco catalyst switches. By default, only VLAN 1 is configured on the switch, so if you connect hosts on an out-of-the-box switch they all belong to the same Layer 2 broadcast domain.

The need to configure several Layer 2 VLANs on a switch arises from the need to segment an internal Local Area Network (LAN) into different IP subnetworks. If you want for example to separate the different departments of your enterprise into different IP subnetworks, then each department should belong to its own Layer 2 VLAN.

How to fix / repair a dead flash drive (or USB key)

One of my flash drives suddenly died today. It all happened when XP suddenly froze for some reason. after rebooting, the device was dead - XPdetected it as a 0mb device (and attempted to format it as such - which didn’t work).

Installation and Configuration of Linux DHCP Server

For a cable modem or a DSL connection, the service provider dynamically assigns the IP address to your PC. When you install a DSL or a home cable router between your home network and your modem, your PC will get its IP address from the home router during boot up. A Linux system can be set up as a DHCP server and used in place of the router.

OSPF - LSA Types ( 5 Types)

OSPF - LSA Types:

Type 1 - Sent by routers within the Area, including the list of directly attached links. Does not cross the ABR or ASBR.

Configuring Linux Samba (SMB) - How to Setup Samba (Linux Windows File Sharing)

Resource sharing, like file systems and printers, in Microsoft Windows systems, is accomplished using a protocol called the Server Message Block or SMB. For working with such shared resources over a network consisting of Windows systems, an RHEL system must support SMB. The technology used for this is called SAMBA. This provides integration between the Windows and Linux systems. In addition, this is used to provide folder sharing between Linux systems. There are two parts to SAMBA, a Samba Server and a Samba Client. When an RHEL system accesses resources on a Windows system, it does so using the Samba Client. An RHEL system, by default, has the Samba Client installed.

CBT-Nugget - Netmaster Class Cisco Pix Adaptive Security

Netmaster Class Cisco Pic Adaptive Security CBT

Description:

The Cisco PIX Firewall and/or the Adaptive Security Appliance (ASA) are the cornerstone of the Cisco Self Defending Network. This training package allows you to master these key Cisco security technologies in the most efficient manner possible.

The LEARNiT: PIX/ASA package includes the following:

- Extremely detailed Reference Sheets explaining all major features of the products.

- Video-On-Demand recordings by NetMasterClass instructors.

- Practice Exam Database.

This course is recommended for the following IT Professionals:

• Those that want to master the PIX/ASA devices for network implementations.
• Those that want to obtain the CCSP Certification.
• Those that want to begin CCIE Security track preparation.

EBook - Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance (2nd Edition) - 2009

Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance

Cisco Press | ISBN: 1587058197 | Dec 29, 2009 | 1152 pages | PDF | 25.7 MB

For organizations of all sizes, the Cisco ASA product family offers powerful new tools for maximizing network security. "Cisco ASA: All-in-One Firewall, IPS, Anti-X and VPN Adaptive Security Appliance" Second Edition, is Cisco's authoritative practitioner's guide to planning, deploying, managing, and troubleshooting security with Cisco ASA.

Written by two leading Cisco security experts, this book presents each Cisco ASA solution in depth, offering comprehensive sample configurations, proven troubleshooting methodologies, and debugging examples. Readers will learn about the Cisco ASA Firewall solution and capabilities; secure configuration and troubleshooting of site-to-site and remote access VPNs;Intrusion Prevention System features built into Cisco ASA's Advanced Inspection and Prevention Security Services Module (AIP-SSM); and Anti-X features in the ASA Content Security and Control Security Services Module (CSC-SSM).

IP Helper Address Command for Router (Used in DHCP Broadcast)

BOOTP/DHCP Server – Port 67

BOOTP/DHCP Client – Port 68

Configure router to pass DHCP requests from local clients to a centralized DHCP server

The traditional role of routers in DHCP has been simply to act as a proxy device, forwarding information between the client and server. Since IOS level 12.0(1)T, Cisco routers also have DHCP server and client features. But the DHCP proxy function is still the most common for routers.

Because the initial DHCP request comes from a client that typically doesn’t have an IP address, it must find the server using a Layer 2 broadcast. So, if the router was not able to function as a proxy for these broadcasts, it would be necessary to put a DHCP server on every network segment.