
Tuesday, 27 March 2012

ISE basic installation and configuration. Part 2


When something can go wrong it will; in the end our friend Murphy was right. So I spent the day solving a weird problem, and I have to thank a couple of colleagues of mine who were able to sort out what was wrong.

By the way, in the end I survived the effort and, after a whole day of troubleshooting, I just reinstalled the appliance from scratch and everything worked.

The Web Interface

 

Now we can go on and see what we can do.

Open a supported browser and go to:

http://<IP address or host name>/admin/

Once the appliance is installed we can finally log in to the web interface, which looks like this:

image

Enter the credentials you created during setup to log in.

The interface is quite clean and clear:

image

with a dashboard reporting the main indicators and a menu across the top that gives access to the various functions and operations you can perform on ISE.

image

 

In the upper right part there is the Task Navigator, which shows some standard “wizard style” tasks to perform.

image

 

Task Navigators do not retain information about the tasks you have completed. It is a visual guide that takes you directly to the user interface screens where you perform the related tasks.

The tasks are:

• Setup—Perform the first part of the Cisco ISE setup process.
• Profiling—Profile endpoints.
• Basic User Authorization—Establish basic user authorization.
• Client Provisioning and Posture—Configure client provisioning and posture.
• Basic Guest Authorization—Establish basic guest authorization.
• Advanced User Authorization—Establish user authorization, along with client provisioning and posture.
• Advanced Guest Authorization—Establish guest authorization, along with client provisioning and posture.

OK, it’s late and my arm hurts like hell, so I will continue in the next post.

Monday, 26 March 2012

ISE basic installation and configuration. Part 1

Since I have to do some work on ISE, I think it would be nice to write a little journal that can also be used as a quick guideline.

ISE is the acronym for Identity Services Engine, an identity policy manager released by Cisco, now in version 1.1, which is also available on the Cisco CCO website.

It comes in different formats: as an appliance, as a virtual machine on VMware, and as an upgrade to other Cisco engines.

I will not look at the other releases; I will play a bit with the appliance.

The Software Upgrade

First of all I had to upgrade it to the latest release (1.1).

To do so you need a mastered ISO image of the software to put in the ISE DVD reader. As simple as that: turn on the appliance and let the fun begin.

To connect to the appliance you have to use a serial connection (the usual 8N1); of course, since a serial port is no longer available on most laptops (not on mine either), you will need a USB-to-serial adapter.

Second piece of advice: if you have a standard Cisco serial cable you also need an adapter, since the serial interface on ISE is the standard 9-pin interface.

so take a look at the front of the appliance:

image

here you can find:

1 Front USB port 1

2 Front USB port 2

3 Hard disk drive (HDD) bay 0

4 HDD bay 1

5 CD-ROM/DVD drive

It should not be hard for you to find the DVD bay where the mastered DVD goes, right?

LED references are not the topic here, but yes, there are also some LEDs blinking.

On the rear panel we find:

image

1 AC Power supply cable socket

2 NIC 3 (eth2) add-on card

3 NIC 4 (eth3) add-on card

4 Serial port

5 Video port

6 NIC 2 (eth1) Gigabit Ethernet interface

7 NIC 1 (eth0) Gigabit Ethernet interface

8 Rear USB port 4

9 Rear USB port 3

So I used my serial connection and PuTTY instead of a monitor and keyboard, just because it was easier.

After you have installed the correct release the system will shut down and turn on again; please remember to remove the DVD, otherwise you will start the installation cycle all over again.

NOTE: I made a scratch installation of the appliance, not the upgrade. If you have an ISE with rules and other stuff on it, it would be better to run the upgrade ISO DVD, also available on the Cisco CCO website.

The first installation

Now we can run the CLI setup wizard in order to perform the first installation. The data required will be:

Hostname: must not exceed 19 characters. Valid characters include alphanumeric (A-Z, a-z, 0-9) and hyphen (-), with the requirement that the first character must be alphabetic.

(eth0) Ethernet interface address: must be a valid IPv4 address for the Gigabit Ethernet 0 (eth0) interface.

Netmask: must be a valid IPv4 netmask.

Default gateway: must be a valid IPv4 address for the default gateway.

DNS domain name: cannot be an IP address. Valid characters include ASCII characters, any numbers, hyphen (-), and period (.).

Primary name server: must be a valid IPv4 address for the primary name server.

Add/Edit another name server: must be a valid IPv4 address for an additional name server. (Optional) Allows you to configure multiple name servers. To do so, enter y to continue.

Primary NTP server: must be a valid IPv4 address or hostname of an NTP server (example: clock.nist.gov).

Add/Edit another NTP server: must be a valid NTP domain. (Optional) Allows you to configure multiple NTP servers. To do so, enter y to continue.

System Time Zone: must be a valid time zone. For details, see the Cisco Identity Services Engine CLI Reference Guide, Release 1.0.4, which provides a list of time zones that Cisco ISE supports. You can run the show timezones command from the Cisco ISE CLI for a complete list of supported time zones.

Note: Changing the time zone on a Cisco ISE appliance after installation causes the Cisco ISE application on that node to be unusable. For details about the impact of changing time zones, see “clock time zone” in Appendix A of the Cisco Identity Services Engine CLI Reference Guide, Release 1.0.4.

Username: identifies the administrative username used for CLI access to the Cisco ISE system. If you choose not to use the default (admin), you must create a new username. The username must be from 3 to 8 characters in length and be composed of valid alphanumeric characters (A-Z, a-z, or 0-9).

Password: identifies the administrative password that is used for CLI access to the Cisco ISE system. You must create this password (there is no default). The password must be a minimum of six characters in length and include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9).

Database Administrator Password: identifies the Cisco ISE database system-level password. You must create this password (there is no default). The password must be a minimum of 11 characters in length and must include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9). The allowed list of characters also includes underscore (_) and pound (#).

Note: All nodes in a distributed environment require the same password, so you must be sure to configure all of them using the same entry. After you configure this password, Cisco ISE uses it “internally”; that is, you do not have to enter it when logging into the system.

Database User Password: identifies the Cisco ISE database access-level password. You must create this password (there is no default). The password must be a minimum of 11 characters in length and must include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9). The allowed list of characters also includes underscore (_) and pound (#).

Note: All nodes in a distributed environment require the same password, so you must be sure to configure all of them using the same entry. After you configure this password, Cisco ISE uses it “internally”; that is, you do not have to enter it when logging into the system.
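As an added example (not Cisco code and not part of the original post), the following Python script checks a prepared set of wizard answers against the rules listed above before you sit down at the serial console, so that a rejected value does not cost you another pass through the wizard. All function names, field names and the sample answers are this example's own; the netmask check (a contiguous run of ones) is stricter than the guide's "valid IPv4 netmask" wording.

```python
import re

# Rules transcribed from the setup-wizard parameter list (ISE 1.1).
HOSTNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]{0,18}$")  # <= 19 chars, alphabetic first
USERNAME_RE = re.compile(r"^[A-Za-z0-9]{3,8}$")             # 3-8 alphanumerics
DOMAIN_RE = re.compile(r"^[A-Za-z0-9.-]+$")                  # letters, digits, '-' and '.'
IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
DB_CHARS_RE = re.compile(r"^[A-Za-z0-9_#]+$")                # alphanumerics plus '_' and '#'


def is_ipv4(value):
    m = IPV4_RE.match(value)
    return bool(m) and all(0 <= int(o) <= 255 for o in m.groups())


def is_netmask(value):
    # A netmask is an IPv4 address whose bits are a run of ones followed by zeros.
    if not is_ipv4(value):
        return False
    bits = "".join(f"{int(o):08b}" for o in value.split("."))
    return re.fullmatch(r"1*0*", bits) is not None


def check_hostname(name):
    return HOSTNAME_RE.match(name) is not None


def check_domain(domain):
    # Cannot be an IP address; otherwise ASCII letters, digits, '-' and '.'.
    return not is_ipv4(domain) and DOMAIN_RE.match(domain) is not None


def check_username(name):
    return USERNAME_RE.match(name) is not None


def _has_required_classes(pw):
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def check_cli_password(pw):
    # Admin CLI password: at least 6 characters with a lowercase, an uppercase and a digit.
    return len(pw) >= 6 and _has_required_classes(pw)


def check_db_password(pw):
    # Database passwords: at least 11 characters, same classes, only [A-Za-z0-9_#].
    return len(pw) >= 11 and _has_required_classes(pw) and DB_CHARS_RE.match(pw) is not None


def validate_setup(params):
    """Return (field, rule) pairs for every answer the wizard would reject;
    an empty list means the answers are acceptable."""
    checks = [
        ("hostname", check_hostname, "1-19 alphanumeric/hyphen chars, first alphabetic"),
        ("eth0_address", is_ipv4, "valid IPv4 address"),
        ("netmask", is_netmask, "valid IPv4 netmask"),
        ("default_gateway", is_ipv4, "valid IPv4 address"),
        ("dns_domain", check_domain, "domain name, not an IP address"),
        ("primary_dns", is_ipv4, "valid IPv4 address"),
        ("primary_ntp", lambda v: is_ipv4(v) or check_domain(v), "IPv4 address or hostname"),
        ("username", check_username, "3-8 alphanumeric characters"),
        ("password", check_cli_password, ">= 6 chars with lower, upper and digit"),
        ("db_admin_password", check_db_password, ">= 11 chars, lower/upper/digit, only [A-Za-z0-9_#]"),
        ("db_user_password", check_db_password, ">= 11 chars, lower/upper/digit, only [A-Za-z0-9_#]"),
    ]
    return [(field, rule) for field, check, rule in checks if not check(params.get(field, ""))]


# Constructed sample answers (documentation addresses, not a real deployment).
SAMPLE_ANSWERS = {
    "hostname": "ise-server",
    "eth0_address": "192.0.2.10",
    "netmask": "255.255.255.0",
    "default_gateway": "192.0.2.1",
    "dns_domain": "example.net",
    "primary_dns": "192.0.2.53",
    "primary_ntp": "clock.nist.gov",
    "username": "admin",
    "password": "Ise1pass",
    "db_admin_password": "IseDbAdmin_01",
    "db_user_password": "IseDbUser#01",
}

if __name__ == "__main__":
    for field, rule in validate_setup(SAMPLE_ANSWERS) or [("all fields", "ok")]:
        print(f"{field}: {rule}")
```

Run it with your own values in SAMPLE_ANSWERS; every line printed other than "all fields: ok" is an answer the wizard will refuse.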

 

The wizard will perform the required operations, creating the database and the needed objects. Some reboots are needed, so be patient.

At the end you should see a prompt asking for your username and password.

I always use the user admin (lazy one). Just to check that everything went smoothly, check the ISE status with:

ise-server/admin# show application status ise

you should see something like:

ISE Database listener is running, PID: 4845
ISE Database is running, number of processes: 27
ISE Application Server is running, PID: 6344
ISE M&T Session Database is running, PID: 4502
ISE M&T Log Collector is running, PID: 6652
ISE M&T Log Processor is running, PID: 6738
ISE M&T Alert Process is running, PID: 6542
ise-server/admin#
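An added example, not part of the original post and not a Cisco tool: a small Python parser for the output of "show application status ise" that reports any component which is not running or is missing from the listing, which is the check you want to script when an appliance is rebuilt or rebooted. The healthy sample is the output shown above; the degraded sample and the wording "is not running" are constructed for the example.

```python
import re

STATUS_RE = re.compile(
    r"^(?P<name>ISE .+?) is (?P<state>not running|running|initializing|disabled)"
    r"(?:, PID: (?P<pid>\d+)|, number of processes: (?P<procs>\d+))?\s*$"
)

# The seven components listed by a healthy ISE 1.1 standalone node (from the post above).
EXPECTED = [
    "ISE Database listener", "ISE Database", "ISE Application Server",
    "ISE M&T Session Database", "ISE M&T Log Collector",
    "ISE M&T Log Processor", "ISE M&T Alert Process",
]

# Output as shown in the post (healthy node).
HEALTHY = """\
ISE Database listener is running, PID: 4845
ISE Database is running, number of processes: 27
ISE Application Server is running, PID: 6344
ISE M&T Session Database is running, PID: 4502
ISE M&T Log Collector is running, PID: 6652
ISE M&T Log Processor is running, PID: 6738
ISE M&T Alert Process is running, PID: 6542
"""

# Constructed degraded output: one component down, one line missing entirely.
DEGRADED = """\
ISE Database listener is running, PID: 4845
ISE Database is running, number of processes: 27
ISE Application Server is not running
ISE M&T Session Database is running, PID: 4502
ISE M&T Log Collector is running, PID: 6652
ISE M&T Alert Process is running, PID: 6542
"""


def parse_status(text):
    """Return {component: {'state': str, 'pid': int|None, 'procs': int|None}},
    ignoring the prompt and any line that is not a status line."""
    result = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        result[m["name"]] = {
            "state": m["state"],
            "pid": int(m["pid"]) if m["pid"] else None,
            "procs": int(m["procs"]) if m["procs"] else None,
        }
    return result


def health_problems(text, expected=EXPECTED):
    """List expected components that are absent from the output or not 'running'."""
    seen = parse_status(text)
    problems = []
    for name in expected:
        if name not in seen:
            problems.append(f"{name}: missing from output")
        elif seen[name]["state"] != "running":
            problems.append(f"{name}: {seen[name]['state']}")
    return problems


if __name__ == "__main__":
    print("healthy :", health_problems(HEALTHY) or "no problems")
    print("degraded:", health_problems(DEGRADED))
```

Feed it the captured console text (including the prompt line, which the parser skips) and treat a non-empty result as "not ready" before moving on to the web interface.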

The next post will cover the user interface and go through the rest of the installation process…

NOTE: do not forget that for the installation you need a switch port (better if gigabit; no trunk or anything of the sort) and an IP address able to reach the internet, the DNS servers and the NTP servers; otherwise the installation will fail.

CLUSIT report on information security in Italy

The CLUSIT report on information security in Italy has been released: an authoritative window on the state of cybersecurity in our country.

The document can be downloaded directly and free of charge from the CLUSIT website 🙂 or directly from the Security Summit link.

It's Monday

How to have a better start to the day: another surgery on my forearm :-).

This time the scar will be bigger 🙂 and a bit more painful… How hard it is to look like a macho… :'(

Well, the next tests on the removed flesh will tell if the tumor has been completely removed. And, of course, I will keep you in the loop! 🙂
Ciao


Wednesday, 21 March 2012

Home


Cisco Live Global Events

  • Cisco Live, Melbourne: March 20-23, 2012, Melbourne, Australia.
  • Cisco Live, US: June 10-14, 2012, San Diego, California.
  • Cisco Live, London: Jan 28 – Feb 1, 2013, London, UK.

ISE training day 3

Posture, posture and posture 🙂

Interesting but long labs.


Tuesday, 20 March 2012


Ise Training day 2

March 20, 2012, antonio ierano


OK, my turn to talk today: we talked about one of the most interesting features of ISE, profiling.

It is worth explaining a little what profiling is, and what discovery and classification mean. It is a very useful and powerful engine, but it needs to be understood, including what it means and why it should be used.

Other great news: ISE 1.1 is finally available on CCO, and it is absolutely worth the upgrade.

http://www.cisco.com/en/US/docs/security/ise/1.1/release_notes/ise1.1_rn.html

New features:

– Support for the IOS Sensor, for advanced features and remote profiling on the switch.
– Active scanning with NMAP.
– A new guest portal type, Device Registration WebAuth (DRW), that lets guests self-register their devices more quickly.
– Authentication of administrators via AD, LDAP or RSA SecurID.
– Support for the Online Certificate Status Protocol (OCSP) for validating client certificates as an alternative to CRLs.
– Improved management of Security Group Tag (SGT) based access lists, for full integration with the TrustSec philosophy.
– Automatic localisation of the guest captive portal according to the browser language.


Monday, 19 March 2012

CLUSIT Security Summit: the 2012 edition kicks off tomorrow!

CLUSIT Security Summit

Milan, 20-21-22 March 2012, AtaHotel Executive, v.le Don Luigi Sturzo 45, 9:00-18:00

Updates, training and information for ICT security managers and technicians!

Today ISE training day 1


And the day is coming to its end for the first day of ISE training here; tomorrow I will have to talk about Profiling, we’ll see.

Tuesday, 13 March 2012

bad day :(

Ok some days are worse than others.

I mean, it is not only that I felt sick tonight (and believe me, kidney pain is really painful), and I will not speak about the other symptoms that required frequent visits to the restroom.

It is that sometimes I find it really hard to cope with some people; well, I hope at least he enjoyed the ride and felt superior (any sarcasm here is understandable).

 

sayonara


Configure cisco ISE for Cisco Access Points

Let’s say you have been asked to configure ISE to allow secured network access for Cisco Wireless Access Points.

To do so you should:

• Enable the ISE endpoint profile for Cisco Access Points
• Configure an Authorization Profile and Authorization Policy rule for Cisco Access Points
• Review the access switch configuration to authorize an access point using MAC Authentication Bypass (MAB)
• Verify proper authorization of a Cisco Access Point based on ISE policy

 

Login to ISE

clip_image002

The ISE Home Dashboard page should display. Navigate the interface using the multi-level menus.

Configure the Profiler Policy to assign endpoints matching the Cisco Access Point profile to an Identity Group called “Cisco-Access-Points”.

Navigate to Policy > Profiling and select Cisco-Access-Point from the list of Endpoint Policies; verify that the policy is enabled (the Policy Enabled checkbox is checked) and check the option Create Matching Identity Group.

Do not forget to save, otherwise it will not work.

Now define an Authorization Profile for Cisco Access Points.

Navigate to Policy > Policy Elements > Results and double-click Authorization to expand its contents.

Select Authorization Profiles from the left-hand pane, click Add in the right-hand pane and enter the values for the Authorization Profile as shown below:

Attribute      Value
Name           Cisco_Access_Points
Description    Permit access to Cisco Access Points
Access Type    ACCESS_ACCEPT
Common Tasks
DACL Name      [ ✓ ] PERMIT_ALL_TRAFFIC
VLAN           90 (or 1:90)

The resultant Attribute Details should appear at the bottom of the page as the following:

Access Type = ACCESS_ACCEPT

Tunnel-Private-Group-ID = 1:90

Tunnel-Type = 1:13

Tunnel-Medium-Type = 1:6

DACL = PERMIT_ALL_TRAFFIC

Finally click Submit to apply your changes.

Now we should configure a new Authorization Policy rule to assign the new Cisco_Access_Points profile to endpoints that match the Identity Group named Cisco-Access-Point.

To do so go to Policy > Authorization and insert a new rule below the Profiled Cisco IP Phones rule, as shown in the policy table below. Use the selector at the end of a rule entry to insert or duplicate rules.

Enter the following values for a new rule named Profiled Cisco Access Points:

Status   Rule Name                     Identity Groups      Other Conditions   Permissions
[ ✓ ]    Profiled Cisco IP Phones      Cisco-IP-Phone                          Cisco_IP_Phones
[ ✓ ]    Profiled Cisco Access Points  Cisco-Access-Point                      Cisco_Access_Points

 

Don’t forget to Save when you have finished making policy updates.

Hint: verify proper authorization of the wireless access point.

Check the status of the port and, if necessary, give the no shutdown command in configuration mode for the selected interface.

Check the authentication status with:

cisco-access# show authentication sessions interface gi0/x

or

cisco-access(config-if)# do sh auth sess int gi0/x

Keep in mind that you may need to wait a few minutes for the result to show up (between bootstraps and so on…).

To display the current dACL applied to the interface, use the command show ip access-lists interface GigabitEthernet 0/3. The output should appear similar to the following:

cisco-access(config-if)# do sh ip access-list int gi0/3

permit ip host 10.1.90.100 any

 

To verify the Cisco Wireless Access Point authentication in ISE go to Monitor > Authentications log:

Status | Username | Endpoint ID | IP Address | NAD | Device Port | AuthZ Profiles | Identity Group | Event
       | #ACSACL#-IP-PERMIT_ALL_TRAFFIC | | | 3k-access | | | Authorize Only | DACL Download
       | nn:nn:nn:nn:nn:nn | nn:nn:nn:nn:nn:nn | 10.1.10.100 | 3k-access | Gi0/3 | Cisco_Access_Points | Cisco-Access-Point | Auth Succeeded

Note: The access point periodically attempts to renew its IP address if it has no network connectivity. The default port ACL on the switch allows access to DHCP services, so the access point initially receives an IP address in the default access VLAN 10 (10.1.100.10). Once authorized for VLAN 90, the access point will renew its IP address in the new VLAN (10.1.90.100).
The authentication event in the above log reflects the IP address learned at the time of authentication. The access list applied to this session reflects the final endpoint IP address, using variable substitution of the “any” value in the dACL’s source IP address.
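As an added example (not from the original post and not ISE or IOS code), the following Python reproduces the two things the note above asks you to verify: the substitution of the dACL's source "any" with the endpoint's address, which is why "permit ip any any" shows up on the switch as "permit ip host 10.1.90.100 any", and the check that the access point has actually renewed its lease inside the VLAN it was authorized for. The VLAN-to-subnet mapping is an assumption inferred from the addresses in the post, and the dACL content is constructed.

```python
import ipaddress

# Assumed VLAN-to-subnet mapping, inferred from the post's addresses
# (10.1.10.100 in VLAN 10, 10.1.90.100 in VLAN 90); adjust to your network.
VLAN_SUBNETS = {
    10: ipaddress.ip_network("10.1.10.0/24"),
    90: ipaddress.ip_network("10.1.90.0/24"),
}

# Content assumed for the dACL named PERMIT_ALL_TRAFFIC on ISE (constructed).
PERMIT_ALL_TRAFFIC = ["permit ip any any"]


def apply_dacl(dacl_lines, endpoint_ip):
    """Rewrite each ACE so that a source of 'any' becomes 'host <endpoint_ip>',
    which is what the switch shows with 'show ip access-list interface'."""
    ipaddress.ip_address(endpoint_ip)  # raises ValueError on a malformed address
    applied = []
    for line in dacl_lines:
        parts = line.split()
        # ACE layout: <permit|deny> <protocol> <source> [...] <destination> [...]
        if len(parts) >= 4 and parts[0] in ("permit", "deny") and parts[2] == "any":
            parts[2:3] = ["host", endpoint_ip]
        applied.append(" ".join(parts))
    return applied


def vlan_of(ip):
    """Return the VLAN whose subnet contains ip, or None if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for vlan, net in VLAN_SUBNETS.items():
        if addr in net:
            return vlan
    return None


def renewal_complete(current_ip, authorized_vlan):
    """True once the endpoint's current address lies inside the authorized VLAN."""
    return vlan_of(current_ip) == authorized_vlan


if __name__ == "__main__":
    print(apply_dacl(PERMIT_ALL_TRAFFIC, "10.1.90.100"))
    # The address learned at authentication time is still in VLAN 10 ...
    print("renewed:", renewal_complete("10.1.10.100", 90))
    # ... and only after the DHCP renewal is the AP where the policy put it.
    print("renewed:", renewal_complete("10.1.90.100", 90))
```

If the switch output still shows a host entry in the old VLAN's subnet several minutes after "Auth Succeeded", the access point has not renewed its address yet, which is the "few minutes" wait mentioned in the hint above.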

Tuesday, 6 March 2012

Introduction To Network Security - Part 1


Introduction

By Sahir Hidayatullah – Firewall.cx Security Advisor

As more and more people and businesses have begun to use computer networks and the Internet, the need for a secure computing environment has never been greater. Right now, information security professionals are in great demand and the importance of the field is growing every day. All the industry leaders have been placing their bets on security in the last few years.

All IT vendors agree today that secure computing is no longer an optional component; it is something that should be integrated into every system rather than thrown in as an afterthought. Usually programmers would concentrate on getting a program working, and then (if there was time) try to weed out possible security holes.

Now, applications must be coded from the ground up with security in mind, as these applications will be used by people who expect the security and privacy of their data to be maintained.

This article intends to serve as a very brief introduction to information security with an emphasis on networking.

The reasons for this are twofold:

Firstly, in case you did not notice.. this is a networking website,

Secondly, the time a system is most vulnerable is when it is connected to the Internet.

For an understanding of what lies in the following pages, you should have decent knowledge of how the Internet works. You don’t need to know the ins and outs of every protocol under the sun, but a basic understanding of network (and obviously computer) fundamentals is essential.

If you’re a complete newbie however, do not despair. We would recommend you look under the Networking menu at the top of the site…where you will find our accolade winning material on pretty much everything in networking.

Hacker or Cracker?

There is a very well worn argument against the incorrect use of the word ‘hacker’ to denote a computer criminal: the correct term is ‘cracker’ or, when referring to people who have automated tools and very little real knowledge, ‘script kiddie’. Hackers are actually just very adept programmers (the term came from ‘hacking the code’, where a programmer would quickly program fixes to problems he faced).

While many feel that this distinction has been lost due to the media portraying hackers as computer criminals, we will stick to the original definitions through these articles more than anything to avoid the inevitable flame mail we will get if we don’t !

On to the Cool Stuff!

This introduction is broadly broken down into the following parts:

• The Threat to Home Users
• The Threat to the Enterprise
• Common Security Measures Explained
• Intrusion Detection Systems
• Tools an Attacker Uses
• What is Penetration-Testing?
• A Brief Walk-through of an Attack
• Where Can I Find More Information?
• Conclusion


The Threat to Home Users

Many people underestimate the threat they face when they use the Internet. The prevalent mindset is “who would bother to attack me or my computer?”. While it is true that an attacker is unlikely to target you individually, to him you are just one more system on the Internet.

Many script kiddies simply unleash an automated tool that will scan large ranges of IP addresses looking for vulnerable systems, when it finds one, this tool will automatically exploit the vulnerability and take control of this machine.

The script kiddie can later use this vast collection of ‘owned’ systems to launch denial of service (DoS) attacks, or just cover his tracks by hopping from one system to another in order to hide his real IP address.

This technique of proxying attacks through many systems is quite common, as it makes it very difficult for law enforcement to back trace the route of the attack, especially if the attacker relays it through systems in different geographic locations.

It is very feasible — in fact quite likely — that your machine will be in the target range of such a scan, and if you haven’t taken adequate precautions, it will be owned.

The other threat comes from computer worms that have recently been the subject of a lot of media attention. Essentially a worm is just an exploit with a propagation mechanism. It works in a manner similar to how the script kiddie’s automated tool works — it scans ranges of IP addresses, infects vulnerable machines, and then uses those to scan further.

Thus the rate of infection increases geometrically as each infected system starts looking for new victims. In theory a worm could be written with such a refined scanning algorithm, that it could infect 100% of all vulnerable machines within ten minutes. This leaves hardly any time for response.

Another threat comes in the form of viruses, most often these may be propagated by email and use some crude form of social engineering (such as using the subject line “I love you” or “Re: The documents you asked for”) to trick people into opening them. No form of network level protection can guard against these attacks.

The effects of the virus may range from mundane (simply spreading to people in your address book) to devastating (deleting critical system files). A couple of years ago there was an email virus that emailed confidential documents from the popular Windows “My Documents” folder to everyone in the victim’s address book.

So while you per se may not be high profile enough to warrant a systematic attack, you are what I like to call a bystander victim.. someone who got attacked simply because you could be attacked, and you were there to be attacked.

As broadband and always-on Internet connections become commonplace, even hackers are targeting the IP ranges where they know they will find cable modem customers. They do this because they know they will find unprotected always-on systems there that can be used as a base for launching other attacks.


The Threat to the Enterprise

Most businesses have conceded that having an Internet presence is critical to keep up with the competition, and most of them have realised the need to secure that online presence.

Gone are the days when firewalls were an option and employees were given unrestricted Internet access. These days most medium sized corporations implement firewalls, content monitoring and intrusion detection systems as part of the basic network infrastructure.

For the enterprise, security is very important — the threats include:

• Corporate espionage by competitors,
• Attacks from disgruntled ex-employees
• Attacks from outsiders who are looking to obtain private data and steal the company’s crown jewels (be it a database of credit cards, information on a new product, financial data, source code to programs, etc.)
• Attacks from outsiders who just want to use your company’s resources to store pornography, illegal pirated software, movies and music, so that others can download and your company ends up paying the bandwidth bill and in some countries can be held liable for the copyright violations on movies and music.

As far as securing the enterprise goes, it is not enough to merely install a firewall or intrusion detection system and assume that you are covered against all threats. The company must have a complete security policy, and basic training must be imparted to all employees telling them what they should and should not do, as well as who to contact in the event of an incident. Larger companies may even have an incident response or security team to deal specifically with these issues.

One has to understand that security in the enterprise is a 24/7 problem. There is a famous saying, “A chain is only as strong as its weakest link”, the same rule applies to security.

After the security measures are put in place, someone has to take the trouble to read the logs, occasionally test the security, follow mailing-lists of the latest vulnerabilities to make sure software and hardware is up-to-date etc. In other words, if your organisation is serious about security, there should be someone who handles security issues.

Introduction To Network Security - Part 2

By Sahir Hidayatullah – Firewall.cx Security Advisor

Tools An Attacker Uses

Now that we’ve concluded a brief introduction to the types of threats faced by both home users and the enterprise, it is time to have a look at some of the tools that attackers use.

Keep in mind that a lot of these tools have legitimate purposes and are very useful to administrators as well. For example I can use a network sniffer to diagnose a low level network problem or I can use it to collect your password. It just depends which shade of hat I choose to wear.


General Network Tools

As surprising as it might sound, some of the most powerful tools, especially in the beginning stages of an attack, are the regular network tools available with most operating systems. For example, an attacker will usually query the ‘whois’ databases for information on the target. After that he might use ‘nslookup’ to see if he can transfer the whole contents of their DNS zone (called a zone transfer, big surprise!). This will let him identify high profile targets such as webservers, mailservers, DNS servers etc. He might also be able to figure out what different systems do based on their DNS name; for example sqlserver.victim.com would most likely be a database server. Other important tools include traceroute to map the network and ping to check which hosts are alive. You should make sure your firewall blocks ping requests and traceroute packets.


Exploits

An exploit is a generic term for the code that actually ‘exploits’ a vulnerability in a system. The exploit can be a script that causes the target machine to crash in a controlled manner (eg: a buffer overflow) or it could be a program that takes advantage of a misconfiguration.

A 0-day exploit is an exploit that is unknown to the security community as a whole. Since most vulnerabilities are patched within 24 hours, 0-day exploits are the ones that the vendor has not yet released a patch for. Attackers keep large collections of exploits for different systems and different services, so when they attack a network, they find a host running a vulnerable version of some service and then use the relevant exploit.


Port Scanners

Most of you will know what portscanners are. Any system that offers TCP or UDP services will have an open port for that service. For example if you’re serving up webpages, you’ll likely have TCP port 80 open, FTP is TCP port 20/21, Telnet is TCP 23, SNMP is UDP port 161 and so on.

A portscanner scans a host or a range of hosts to determine what ports are open and what service is running on them. This tells the attacker which systems can be attacked.
For example, if I scan a webserver and find that port 80 is running an old webserver — IIS/4.0, I can target this system with my collection of exploits for IIS 4. Usually the port scanning will be conducted at the start of the attack, to determine which hosts are interesting.

This is when the attacker is still footprinting the network, feeling his way around to get an idea of what type of services are offered and what operating systems are in use etc. One of the best portscanners around is Nmap (https://nmap.org/). Nmap runs on just about every operating system, is very versatile in how it lets you scan a system and has many features including OS fingerprinting, service version scanning and stealth scanning. Another popular scanner is Superscan (https://www.mcafee.com/), which is only for the Windows platform.
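From the defender's side, the footprinting described above leaves a recognisable trace: one source address hitting many ports on a host (a port scan) or one port on many hosts (a host sweep) in the firewall's deny log. The following Python is an added example, not part of the article, that flags both patterns over a constructed iptables-style log; the log format, the documentation addresses and the thresholds are this example's own and would be tuned for a real network.

```python
import re
from collections import defaultdict

# Fields we need from a netfilter-style deny line (constructed format).
LOG_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) DST=(?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"PROTO=(?P<proto>\w+)(?: DPT=(?P<dpt>\d+))?"
)

# Constructed sample: 203.0.113.5 probes many ports on one host, 198.51.100.7
# touches the same port on many hosts, 192.0.2.99 is ordinary denied traffic.
SAMPLE_LOG = """\
Mar 27 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=21
Mar 27 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22
Mar 27 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=23
Mar 27 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80
Mar 27 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443
Mar 27 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP DPT=161
Mar 27 10:00:03 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=445
Mar 27 10:00:03 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP DPT=445
Mar 27 10:00:03 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP DPT=445
Mar 27 10:00:04 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.13 PROTO=TCP DPT=445
Mar 27 10:00:05 fw kernel: DROP IN=eth0 SRC=192.0.2.99 DST=192.0.2.10 PROTO=TCP DPT=80
Mar 27 10:00:06 fw kernel: DROP IN=eth0 SRC=192.0.2.99 DST=192.0.2.10 PROTO=TCP DPT=80
"""


def summarize(log_text):
    """Per source address, the set of distinct (dst, proto, port) targets denied."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            targets[m["src"]].add((m["dst"], m["proto"], m["dpt"]))
    return targets


def detect_scans(log_text, port_threshold=5, host_threshold=3):
    """Return {src: {'ports': n, 'hosts': n, 'kind': ...}} for every source whose
    distinct (proto, port) count or distinct destination count reaches a threshold."""
    findings = {}
    for src, seen in summarize(log_text).items():
        ports = {(proto, port) for _, proto, port in seen if port is not None}
        hosts = {dst for dst, _, _ in seen}
        kinds = []
        if len(ports) >= port_threshold:
            kinds.append("port scan")
        if len(hosts) >= host_threshold:
            kinds.append("host sweep")
        if kinds:
            findings[src] = {"ports": len(ports), "hosts": len(hosts), "kind": ", ".join(kinds)}
    return findings


if __name__ == "__main__":
    for src, info in detect_scans(SAMPLE_LOG).items():
        print(f"{src}: {info['kind']} ({info['ports']} ports, {info['hosts']} hosts)")
```

Because the check counts distinct targets rather than raw line volume, the repeated but legitimate denies from 192.0.2.99 never trip it; in production you would bucket the lines by time window so that a slow scan does not hide below the thresholds.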

Network Sniffers

A network sniffer puts the computers NIC (network interface card or LAN card) into ‘promiscuous mode’. In this mode, the NIC picks up all the traffic on its subnet regardless of whether it was meant for it or not. Attackers set up sniffers so that they can capture all the network traffic and pull out logins and passwords. The most popular network sniffer is TCPdump as it can be run from the command line — which is usually the level of access a remote attacker will get. Other popular sniffers are Iris and Ethereal.

When the target network is a switched environment (a network which uses layer 2 switches), a conventional network sniffer will not be of any use. For such cases, the switched network sniffer Ettercap (https://ettercap.sourceforge.net/) and Wireshark (https://www.wireshark.org/) are very popular. Such programs are usually run with other hacking-capable applications that allow the attacker to collect passwords, hijack sessions, modify ongoing connections and kill connections. Such programs can even sniff secured communications like SSL (used for secure webpages) and SSH1 (Secure Shell, a remote access service like telnet, but encrypted).

Vulnerability Scanners

A vulnerability scanner is like a portscanner on steroids: once it has identified which services are running, it checks the system against a large database of known vulnerabilities and then prepares a report on what security holes were found. The software can be updated to scan for the latest security holes. Unfortunately these tools are very simple to use, so many script kiddies simply point them at a target machine to find out what they can attack. The most popular ones are Retina (https://www.beyondtrust.com/), Nessus (https://www.tenable.com/products/nessus) and GFI LanScan (http://www.gfi.com). These are very useful tools for admins as well, as they can scan their whole network and get a detailed summary of what holes exist.


Password Crackers

Once an attacker has gained some level of access, he/she usually goes after the password file on the relevant machine. In UNIX-like systems this is the /etc/passwd or /etc/shadow file and in Windows it is the SAM database. Once he gets hold of this file, it's usually game over: he runs it through a password cracker that will usually guarantee him further access. Running a password cracker against your own password files can be a scary and enlightening experience. L0phtcrack cracked my old password fR7x!5kK after being left on for just one night!

There are essentially two methods of password cracking:

Dictionary Mode – In this mode, the attacker feeds the cracker a word list of common passwords such as ‘abc123’ or ‘password’. The cracker will try each of these passwords and note where it gets a match. This mode is useful when the attacker knows something about the target. Say I know that the passwords for the servers in your business are the names of Greek Gods (yes Chris, that’s a shout-out to you ;)) I can find a dictionary list of Greek God names and run it through the password cracker.

Most attackers have a large collection of wordlists. For example, when I do penetration testing work, I usually use common password lists, Indian name lists and a couple of customized lists based on what I know about the company (usually data I pick up from their company website). Many people think that adding on a couple of numbers at the start or end of a password (for example ‘superman99’) makes the password very difficult to crack. This is a myth as most password crackers have the option of adding numbers to the end of words from the wordlist. While it may take the attacker 30 minutes more to crack your password, it does not make it much more secure.

Brute Force Mode – In this mode, the password cracker will try every possible combination for the password. In other words it will try aaaaa, aaaab, aaaac, aaaad etc. This method will crack every possible password — it's just a matter of how long it takes. It can turn up surprising results because of the power of modern computers. A 5-6 character alphanumeric password is crackable within a matter of a few hours or maybe a few days, depending on the speed of the software and machine. Powerful crackers include L0phtcrack for Windows passwords and John the Ripper for UNIX-style passwords.
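The two modes just described map directly onto a password policy check that an administrator can run when passwords are set, rejecting what the ‘superman99’ trick and a short alphanumeric search would hand to a cracker. The following is an added example, not code from the article or from L0phtcrack or John the Ripper: the wordlist is a tiny constructed stand-in for the lists crackers carry, the six-character cutoff mirrors the article's "5-6 character alphanumeric" figure, and the guess rate passed to `seconds_to_exhaust` is whatever the caller assumes for their hardware.

```python
"""Password policy check modelled on dictionary and brute-force mode (added example)."""

# Constructed wordlist standing in for the large lists crackers carry.
WORDLIST = {"password", "abc123", "letmein", "superman", "zeus", "apollo", "athena"}

DIGITS = "0123456789"
PUNCTUATION = 33   # printable ASCII characters that are neither letters nor digits


def weakness(password, wordlist=WORDLIST):
    """Return why the password would fall quickly, or None if neither mode gets
    an easy win. Dictionary mode: the word itself, or the word with leading or
    trailing digits stripped (the cracker's add-numbers rule run backwards).
    Brute force mode: short and alphanumeric only (cutoff assumed from the text)."""
    lowered = password.lower()
    if lowered in wordlist:
        return "in wordlist"
    if lowered.strip(DIGITS) in wordlist:
        return "wordlist word plus digits"
    if len(password) <= 6 and password.isalnum():
        return "short alphanumeric, brute-forceable"
    return None


def brute_force_keyspace(password):
    """Number of candidates a brute-force run must cover, assuming it has to try
    every character class the password actually uses."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += PUNCTUATION
    return charset ** len(password)


def seconds_to_exhaust(password, guesses_per_second):
    """Worst-case time for the brute-force search at an assumed guess rate."""
    return brute_force_keyspace(password) / guesses_per_second


if __name__ == "__main__":
    for candidate in ["superman99", "abc123", "q7Wd2", "fR7x!5kK"]:
        verdict = weakness(candidate) or "no quick win"
        print(f"{candidate:12} {verdict:38} keyspace={brute_force_keyspace(candidate):.2e}")
```

The keyspace numbers make the article's point concrete: ‘superman99’ never has to be brute-forced at all, since it is one wordlist entry plus a digit rule away, while a five-letter lowercase password is only 26^5 candidates. Note that a password passing this check is not thereby strong (the article's own fR7x!5kK passes and was still cracked overnight); the check only removes the cheapest wins.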

For each category, I have listed one or two tools as an example. At the end of this article I will present a more detailed list of tools with descriptions and possible uses.


What is Penetration-Testing?

Penetration testing is basically when you hire security consultants (or do it yourself) to attack your network the way an attacker would, and report the results to you, enumerating what holes were found and how to fix them. It's basically breaking into your own network to see how others would do it.

While many admins like to run quick probes and port scans on their systems, this is not a penetration test — a penetration tester will use a variety of specialised methods and tools from the underground to attempt to gain access to the network. Depending on what level of testing you have asked for, the tester may even go so far as to call up employees and try to social engineer their passwords out of them (social engineering involves fooling a mark into revealing information they should not reveal).

An example of social engineering could be an attacker pretending to be someone from the IT department and asking a user to reset his password. Penetration testing is probably the only honest way to figure out what security problems your network faces. It can be done by an administrator who is security aware, but it is usually better to pay an outside consultant who will do a more thorough job.

I find there’s a lack of worthwhile information online about penetration testing — nobody really goes about describing a good pen test, and what you should and shouldn’t do. So I’ve hand picked a couple of good papers on the subject and then given you a list of my favourite tools, and the way I like to do things in a pen-test.

This is by no means the only way to do things, it’s like subnetting — everyone has their own method — this is just a systematic approach that works very well as a set of guidelines. Depending on how much information you are given about the targets as well as what level of testing you’re allowed to do, this method can be adapted.

Papers Covering Penetration Testing

I consider the following works essential reading for anyone who is interested in performing pen-tests, whether for yourself or if you’re planning a career in security:
