Monthly Archive: August 2015

Aug 26

Identity NAT vs NAT exempt on Cisco ASA

Identity NAT and NAT exempt are commonly considered the same kind of ‘no NAT’ configuration, but in practice the two methods are configured slightly differently and the firewall processes them differently internally.

Identity NAT configuration:
nat (inside) 0 10.1.1.3

NAT exempt configuration:
access-list NO_NAT extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

Identity NAT: …


Aug 25

TCP connection flags on Cisco ASA


When troubleshooting connectivity issues on a Cisco ASA firewall it is useful to understand the TCP flags displayed in the connection table.

Example of connection table:
TCP connection stages with corresponding flags:
Flag types with brief description available on ASA firewall:

Aug 25

POODLE attack


A POODLE attack is an exploit that takes advantage of the way some browsers handle encryption. POODLE (Padding Oracle On Downgraded Legacy Encryption) is the name of the vulnerability that makes the exploit possible. POODLE can be used to target browser-based communication that relies on the Secure Sockets Layer (SSL) 3.0 protocol for encryption and …


Aug 24

Ports and purpose of these ports on Checkpoint firewall

PORT  TYPE                     SERVICE  DESCRIPTION
21    TCP                      ftp      File Transfer Protocol (control)
21    UDP                      ftp      File Transfer Protocol (control)
22    Both                     ssh      SSH remote login
25    Both                     SMTP     Simple Mail Transfer Protocol
50    Encryption IP protocols  esp      IPSEC Encapsulation Security Payload
51    Encryption IP protocols  ah       IPSEC Authentication Header Protocol
53    Both                     Domain Name …


Aug 24

ICMP messages and corresponding numbers on Cisco ASA


Below are the ICMP messages and their corresponding numbers on Cisco ASA. Note: only echo-reply (0), unreachable (3), echo (8) and time-exceeded (11) can be referenced directly by name in an access list. To match other message types, use object-group icmp-type.

Aug 21

DHCP Snooping on Cisco Catalyst Switch


DHCP snooping acts like a firewall between untrusted hosts and trusted DHCP servers. DHCP snooping performs the following activities:
• Validates DHCP messages received from untrusted sources and filters out invalid messages.
• Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
• Uses the DHCP …


Aug 21

PCI DSS vulnerability for SSL negotiation on Brocade ADX

Hardware application accelerators, also called load balancers, are commonly used for SSL offload because they provide hardware acceleration for SSL processing. In many deployments they also process Application Layer (ISO/OSI Layer 7) information, which requires access to clear text data. In many cases device administrators configure SSL profiles with the “all-cipher-suites” command, which allows the ADX to negotiate …


Aug 21

How to permit traffic on interfaces with the same security level on Cisco ASA

By default the Cisco ASA does not allow traffic to flow between two interfaces that have the same security level, nor traffic that enters and leaves the same interface. To ‘fix’ this there are two commands you can use.

Configuration example:
ASA# conf t
ASA(config)# same-security-traffic permit ?

configure mode commands/options:
  inter-interface  Permit communication between different …


Aug 21

How to insert HTTP header X-Forwarded-Proto for SSL traffic of F5 LTM

In our scenario SSL offload is done on the load balancer, and the header is inserted into the incoming client request before it is forwarded to the physical server behind the LB. To insert the protocol information header, configure a custom HTTP profile with ‘Request Header Erase’ set to X-Forwarded-Proto and ‘Request Header Insert’ set to ‘X-Forwarded-Proto: https’. This ensures that any …


Aug 21

How to suppress reset flag for dropped packets on Cisco ASA firewall

By default the Cisco ASA inspects incoming packets and, if a packet matches one of the standard audit signatures, performs the three actions “alarm”, “drop” and “reset”. This is definitely a good thing, as it protects our network against potential attackers, but it causes one significant issue. Many companies are required to pass PCI DSS compliance or similar security checks. Typical security …

