Security

ASA5510 to ASA5505 Easy VPN Server / Client Configuration Sample

A recent configuration of mine...thought I would save the template for
future use. Useful if the ASA5505 has a dynamic IP where you can't build
a typical site-to-site VPN.

Data Loss Prevention on a Budget

Not every company has excess resources to invest in bleeding edge technology for the latest security trends. Companies make hard decisions on whether to spend money on equipment or staff to increase revenues. Supporting their network infrastructure is often a decision made in hindsight.  

Well, for all you network engineers out there working for companies operating on thin margins, here's some info for you. The guys over at sans.org ISC have posted an interesting write-up on Data Loss Prevention (DLP) on a shoestring budget. 

Cisco Announces New Security Specialist Certifications

Cisco Live in London is wrapping up today. As part of the show, Cisco announced a set of new security-focused certifications:

The Network Is Not Down

Prepare yourselves! Yesterday was the dreaded Microsoft Patch Tuesday, and that can only mean one thing: millions of PCs configured to automatically update themselves at 3:00am are potentially breaking themselves before end users get to their desks!

In all honesty though, there have been many support hours spent on troubleshooting problems that have been caused by patches being applied. Sometimes that server vulnerability was actually a feature being utilized by the primary application being hosted on the now "fixed" server. If users can't access the application, they'll let you know.

Google Sued for Trespassing

Google lost the lawsuit that alleged they trespassed while taking pictures for street view, according to an Associated Press report located here. In 2008, Aaron and Christine Boring brought the issue to court when Google trespassed on a private road in order to snap some photos of the couple's house to add to their maps website. 

After over two years of battling it out, Google finally conceded and agreed to pay the couple One US Dollar, a steep discount from the $25,000 in compensation the couple was originally seeking. Don't get any ideas, kids: the lawyers' fees are a lot more than what Google will be willing to pay you.

Clean up those firewall cobwebs

Stumbled upon an interesting article over on Tufin's blog that talks about cleaning up old firewall rulebases. If you manage a firewall for a larger organization, you are most likely accustomed to receiving frequent requests to modify it. In very large organizations, this typically involves an approval process, which might help keep approved requests in line with corporate policy, but doesn't mean the actual implementation of the rules is clean and free of duplicates.

IE Vulnerability

Microsoft announced they have a zero-day vulnerability in versions 6, 7, and 8 of their famed browser. The majority of people use a combination of other browsers, but for everyone out there who prefers IE and throws caution to the wind, here's what you need to know.

The vulnerability exists because some embedded feature that can be accessed in a certain way allows an attacker to execute arbitrary code (a.k.a. load viruses on your computer) and do their thing. If you are running recent versions of IE, stay away from questionable sites and don't click on spam email until Microsoft releases their patch for it. 

Cisco Works Vulnerability

Cisco released a security advisory late last week announcing a vulnerability in their management software, Cisco Works Common Services. Common Services is the core Cisco Works application that takes care of the common database and other data that is shared between all of the Cisco Works applications. If you are running a relatively recent installation of any Cisco Works application, including Cisco Security Manager (CSM), Telepresence Manager, or QoS Policy Manager (QPM), you most likely have a vulnerable version running.

Here's a synopsis of the vulnerability; take a quick look at your version to see if you are at risk:

Versions affected: The announcement says Common Services version 3.05 and newer are vulnerable. Earlier releases and the 4.0 release are not vulnerable. 

Say Goodbye to CCVP and CCSP

Kiss the CCSP and CCVP titles goodbye. Cisco recently announced that the track-specific professional certification exams are going to be changing their names. No more CCSP; it is now the CCNP Security. Same with the CCVP; it's now the CCNP Voice. Throw in the CCNP Service Provider Operations and CCNP Wireless, and you have yourself a plethora of professional tracks.

The previous exam versions are still available for those of you out there who are halfway through completing the current Security and Voice tracks. Beginning next year, you'll start to see the current voice and security exams be replaced by updated versions. 

Online Investors Beware

I'm currently running a full system scan with my various anti-bad-stuff scanners to make sure my computers haven't been turned into mindless botnet zombies after reading Computerworld's most recent report. The word is that botnet gangs have turned their greedy gaze toward online investment accounts to help them fund their efforts. If you want some suggestions on how to defend yourself, read on.

How does this work?

The attack arrives as emails posing as LinkedIn messages. Unsuspecting users who click on the links are sent to malicious sites that pose as the real sites. While viewing the bogus site, unpatched Windows machines can be pwnd. It sounds like a stretch, but there really are people who click on those links, have not run Windows Update in a while, and also don't have any antivirus applications installed.

Cisco IOS H.323 Denial of Service Vulnerabilities

Cisco recently announced a vulnerability in their IOS software related to H.323 that could be exploited to DoS your router with malformed packets. If you have a router running versions of code that are vulnerable (they range from 12.1 all the way to 15.0 code versions) AND you have the H.323 process running, then someone could send malformed packets to the router and cause it to reboot. This could even happen by accident if you have video conferencing software that doesn't adhere to the H.323 standard.

VOIP Hacking - Not a good career path

If you read How to hack IP voice and video in real-time, you might have realized that with the right tools, network engineers can gain access to a lot of things. You might even find yourself in a situation that allows you to overhear some important calls that include trade secrets or other secret information. Most large organizations realize this and require employees to swear to company oaths or sign waivers. I've personally been subject to background checks and even credit checks to make sure I'm not getting paid by foreign countries to do their bidding. (FYI to all you crooked politicians and evil countries out there, you can't buy me out).

How to hack IP voice and video in real-time

Network World has an interesting write-up on the inherent vulnerabilities in Voice and Video over IP networks and how they can easily be compromised if security is not properly implemented. Securing IP networks has received a lot of attention over the last several years, which has given rise to many products, new standards, and even some new certifications.

Does your organization have VOIP implemented securely, or is it wide open for anyone to eavesdrop on calls? Or is your organization even more bleeding edge, with video conference setups in every conference room, or on everyone's desk? If so, I hope for your company's security's sake that they have someone, or a few someones, dedicated to this stuff.

Stop Site-to-Site VPN Drop

By default, site-to-site VPNs time out after 30 minutes of idle time. This is a pain for me when I first try to access a site and have the first few packets of my Remote Desktop session or ping or whatever drop. (Yes - those 3 seconds of my life are EXTREMELY valuable). Here's the secret, straight from Cisco:

PIX/ASA 7.x and later

Enter the vpn-idle-timeout command in group-policy configuration mode or in username configuration mode in order to configure the user timeout period:

hostname(config)#group-policy DfltGrpPolicy attributes
hostname(config-group-policy)#vpn-idle-timeout none

Configure a maximum amount of time for VPN connections with the vpn-session-timeout command in group-policy configuration mode or in username configuration mode:

Cisco iPhone Update

Anything Cisco or iPhone is always interesting. Anything Cisco AND iPhone is great! Two interesting updates from Cisco:

1. Apple announces the next iPhone software update (v4) will include Cisco SSL VPN support (If only those SSL VPN license upgrades weren't so freakin' expensive!)

2. iPhone Security Intelligence Operations (SIO) To Go Application gets upgraded to Version 3 (get security alerts as they happen)
