Re: What should I block???

2001-02-01 Thread Jim Deane

Well, that depends.

My first recommendation would be to review your company security policy
which was signed off on by executive management.  That policy should list
what types of traffic, ports, etc. your company has deemed necessary and
will allow into their environment.  It should also dictate what types of
traffic will be allowed *out* of your network.

My first recommendation isn't probably terribly useful since I have found
that most companies don't have a well defined security policy blessed by the
CEO.  This is, IMHO, a recipe for disaster.  I would strongly recommend
either having them come up with a security policy (which will then dictate
what your ACL and FW rulebase look like), or you come up with one, but have
them "bless" it.

You should definitely set up access lists to protect the router itself (i.e.
deny telnet, SNMP, etc.)  Some people also "mirror" the security policy
(i.e. rule base) on their firewall on the border router.  This lets the
router receive the brunt of most port scans, etc.  I would also recommend
blocking the receipt of any packet with a source address of any of the RFC
1918 addresses, any packet with a source address with a first octet of 255,
etc.  You can either block the RFC 1918 addresses with an ACL, or route them
to Null0.  I've seen both approaches used.

Pick long, complex passwords for your border router and use "service
password encryption" to encrypt them.

Check your logs regularly.

Be a good internet neighbor and set up outbound ACLs that only allow traffic
that originated on your network out.  This cuts down on spoofing.

If your management won't sign off on whatever security policy you come up
with, make sure you figure out in advance who is responsible/culpable when
you get hacked.

If you are new to Checkpoint Firewalls and Information Security, subscribe
to the FW-1 mailing list on the Checkpoint web site.  There are some great,
knowledgeable guys and gals on that list.  It is focused mainly on FW-1, but
they also cover many general security concepts from time to time.  Also,
check out www.phoneboy.com/fw1 for FW-1 related "stuff."

Marcus Ranum runs a good, vendor agnostic firewall mailing list at
http://www.nfr.com/mailman/listinfo/firewall-wizards


HTH,
Jim


<[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Hi Group,
> I know that this is going to be very broad but just bear with me on
> this one. We are switching over our firewall router from a Bay to a Cisco.
> The Cisco one that I am going to work on is already pre-configured except
> for access-lists and filters. What they basically told me is that the
> Checkpoint device behind it will take care of all of the intense blocking
> and forwarding, but on this FW-router we just want to block the basic things
> that are usually not allowed through.
> Here's what I was hoping for. Just a basic list of things that are
> normally blocked on the router above the FW. For example, I know that I'm
> gonna set an inbound access-list denying telnet so that the Checkpoint
> doesn't even have to worry about that. I am just looking for a list of
> services/ports/etc. that, as a rule of thumb to you FW gurus, are usually
> denied. I know this is broad and I'll understand if I don't get much
> feedback. Gotta also find that whitepaper on FWs. Considering this will be
> my first time coming anywhere near a FW (FW Virgin) I'm a little nervous and
> hope you guys can help out. Thanks all,   =o)
>
> Mark Z...
>
> _
> FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>


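The border-router policy Jim lays out above (drop inbound packets with RFC 1918 or 255.x.x.x sources, deny telnet/SNMP aimed at the router itself, and only let out traffic that originated on your own network), written as a small packet classifier. This is an added example, not Jim's configuration or anything from the list: the site prefix 192.0.2.0/24, the router addresses and the sample packets are constructed, and the inbound check that drops packets claiming our own prefix is a generalisation of the reply's anti-spoofing point rather than something it lists.

```python
"""Border-router filtering as a packet classifier.

Added example, not Jim's configuration. It applies the inbound and outbound
rules from the reply to sample packets: inbound, drop RFC 1918 and 255.x.x.x
sources and telnet/SNMP aimed at the router itself; outbound, let out only
packets sourced from our own prefix. Own prefix, router addresses and the
sample packets are all assumed/constructed.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed: the public prefix this site owns (RFC 5737 documentation space).
OWN_PREFIX = ipaddress.ip_network("192.0.2.0/24")
# Assumed: the border router's own interface addresses.
ROUTER_ADDRS = {ipaddress.ip_address(a) for a in ("192.0.2.1", "198.51.100.2")}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Management services the reply says to deny at the router: telnet and SNMP.
ROUTER_SERVICES = {("tcp", 23), ("udp", 161), ("udp", 162)}


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = arriving from the Internet, "out" = leaving the site
    proto: str      # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int = 0


def classify(pkt):
    """Return (verdict, reason) for one packet under the border policy."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.direction == "in":
        if any(src in net for net in RFC1918):
            return ("deny", "rfc1918-source")
        if src.packed[0] == 255:
            return ("deny", "255-source")
        # Anti-spoofing (beyond the reply's list): nothing arriving from
        # outside should claim a source inside our own prefix.
        if src in OWN_PREFIX:
            return ("deny", "spoofed-own-prefix")
        if dst in ROUTER_ADDRS and (pkt.proto, pkt.dport) in ROUTER_SERVICES:
            return ("deny", "router-management")
        return ("permit", "pass-to-firewall")
    if pkt.direction == "out":
        # Egress filtering: only traffic that originated on our network leaves.
        if src not in OWN_PREFIX:
            return ("deny", "egress-spoof")
        return ("permit", "egress")
    raise ValueError(f"unknown direction {pkt.direction!r}")


def tally(packets):
    """Count verdicts over a batch of packets, e.g. for a log-review report."""
    return Counter(classify(p) for p in packets)


# Constructed sample traffic (documentation/test ranges only).
SAMPLE = [
    Packet("in", "tcp", "10.1.2.3", "192.0.2.10", 80),       # private source
    Packet("in", "udp", "255.1.2.3", "192.0.2.10", 53),      # bogus 255.x source
    Packet("in", "tcp", "192.0.2.77", "192.0.2.10", 80),     # claims our prefix
    Packet("in", "tcp", "203.0.113.9", "192.0.2.1", 23),     # telnet to the router
    Packet("in", "udp", "203.0.113.9", "192.0.2.1", 161),    # SNMP to the router
    Packet("in", "tcp", "203.0.113.9", "192.0.2.10", 80),    # ordinary web hit
    Packet("out", "tcp", "192.0.2.10", "203.0.113.9", 443),  # legitimate egress
    Packet("out", "tcp", "172.16.4.4", "203.0.113.9", 80),   # leaked/spoofed egress
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.direction, p.proto, p.src, "->", p.dst, p.dport, classify(p))
    print(tally(SAMPLE))
```

On a real Cisco border router each of these branches is one or two ACL entries (or a Null0 route for the RFC 1918 blocks, as Jim notes); the value of writing the policy out like this first is that you can test it against traffic samples before typing it into the ACL, and reuse it to check that what the logs show being dropped matches what you intended.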
_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: What should I block???

2001-02-01 Thread Jim Deane

SANS (www.sans.org) usually has some good resources.  Here is the direct
link to their sample security policies:

http://www.sans.org/newlook/resources/policies/policies.htm

Jim


"Tom" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> I've heard many things about a "security policy" and I understand what I
> would specify on one, but could someone point me in a direction to check
> out a "sample" security policy.  At least I could look at what questions
> should be answered by my policy.  Just looking for some general guidelines.
> Even a reference to a book or website would be welcome.
>
> Thanks,
>
>
>
>
> Tom McNamara, MCSE, CCNA
> McNamara Professional Services
> (407)822-5199 Phone
>
>
> 
> A bus station is where a bus stops.
> A train station is where a train stops.
> On my desk, I have a work station...
>
>

Re: SysLog Server for NT / 2000

2001-02-22 Thread Jim Deane


We use a product called SL4NT.

It allows me to set up rules, and based on the source IP of the syslog
message, I can send that message to different log files.  So, I set up a
loopback on each router, use the "logging source-interface Loopback0"
command, and then SL4NT allows me to break each router's syslog messages out
into a different log file.  SL4NT also creates a new log file each night at
midnight.

Works really well for us.

Here's the link:

http://www.netal.com/sl4nt.htm

HTH,
Jim

"Johns, John A." <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Hello all,
>
> Does anybody know of a good SysLog server for Windows NT / 2000?
>
> Thanks in advance
>
> John A. Johns, CCDP, CCNP, MCSE, MCP+I, CCA, A+
> [EMAIL PROTECTED]
>
>
>


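What Jim describes SL4NT doing (rules keyed on the syslog datagram's source IP, one file per router because each router logs from its loopback, and a fresh file at midnight), as an added Python example. This is not SL4NT's code and not from the post; the router loopback addresses, router names and log lines are constructed.

```python
"""Per-router syslog demultiplexing with nightly file rotation.

Added example modelled on the SL4NT behaviour described in the post (rules
keyed on the datagram's source IP, one file per router, a new file at
midnight). It is not SL4NT's code. Router loopback addresses, names and log
lines are constructed.
"""
import re
from datetime import datetime
from pathlib import Path

# Assumed: each router's Loopback0 address, set with "logging source-interface".
ROUTERS = {
    "10.255.0.1": "border-rtr",
    "10.255.0.2": "core-rtr",
}

# RFC 3164 PRI header: <facility*8 + severity>
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(raw):
    """Split the PRI header off a syslog datagram.

    Returns ((facility, severity), message); facility/severity are None when
    the datagram has no PRI header, which some senders omit.
    """
    m = PRI_RE.match(raw)
    if not m:
        return (None, None), raw
    pri = int(m.group(1))
    return (pri >> 3, pri & 7), m.group(2)


def logfile_for(src_ip, received_at):
    """File name per source router and per calendar day (midnight rotation)."""
    name = ROUTERS.get(src_ip, "unknown-" + src_ip)
    return f"{name}_{received_at:%Y-%m-%d}.log"


def demux(datagrams):
    """Route (src_ip, received_at, raw) datagrams into per-file record lists."""
    files = {}
    for src_ip, received_at, raw in datagrams:
        (facility, severity), msg = parse_pri(raw)
        record = {"facility": facility, "severity": severity, "msg": msg.strip()}
        files.setdefault(logfile_for(src_ip, received_at), []).append(record)
    return files


def write_out(files, directory):
    """Append records to real files; kept separate so demux() stays testable."""
    for name, records in files.items():
        with Path(directory, name).open("a", encoding="utf-8") as fh:
            for rec in records:
                fh.write(f"{rec['severity']} {rec['msg']}\n")


# Constructed datagrams: (source IP, local receive time, raw payload).
# Cisco logs to facility local7 (23) by default, hence PRI 184+severity.
SAMPLE = [
    ("10.255.0.1", datetime(2001, 2, 22, 23, 59, 30),
     "<189>37: *Feb 22 23:59:30: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.5)"),
    ("10.255.0.2", datetime(2001, 2, 22, 23, 59, 45),
     "<187>12: *Feb 22 23:59:45: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down"),
    ("10.255.0.1", datetime(2001, 2, 23, 0, 0, 5),
     "<190>38: *Feb 23 00:00:05: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(4022) -> 10.255.0.1(23), 1 packet"),
    ("10.9.9.9", datetime(2001, 2, 23, 0, 1, 0),
     "device without a PRI header"),
]

if __name__ == "__main__":
    for name, records in sorted(demux(SAMPLE).items()):
        print(name, len(records), records[0]["msg"][:48])
```

Keying on the loopback address rather than the egress interface is what makes the per-router split stable: the source address in the datagram no longer changes when a router sends the message out a different interface. Messages from an address you have not registered still land in their own file (here `unknown-<ip>`), which is worth reviewing, since an unexpected sender is either a router missing from the table or something else on the network talking to your syslog port.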



Re: 1 Server, 2 Switches

2000-11-22 Thread Jim Deane

Well, that depends :)

You don't mention the OS on the server which will most likely make a
difference in the answer to this question.  For an NT server,  you can use
multiport cards.  I know Adaptec and Intel make these types of cards.

http://www.adaptec.com/products/overview/duo64.html

http://www.intel.com/network/products/pro100dport.htm

We use 2 Adaptec Duo64 cards in our NT servers in order to get NIC, Cable,
and switch redundancy.  The Adaptec software lets you aggregate the four
physical interfaces into one or two logical interfaces depending on how you
configure it.  Works pretty well for us.  If you have Compaq servers with
Compaq NICs, they have a feature called "teaming" that provides NIC
redundancy.

We haven't found any problems using these products with Catalyst switches.

HTH,
Jim




"Mellone, Jennifer" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Can I connect a NIC on one server to a catalyst, and another NIC on the
> same server to another catalyst? Reason: redundancy (in case we lose a switch
> or a NIC). Also can I keep just 1 IP address for both NICs? Server doesn't
> run VRRP.
>





Re: sys log software config

2001-01-23 Thread Jim Deane


Ravi,

You will need to use an extended Access Control List to accomplish what you
want to do.  If you configure an extended ACL on one of the interfaces with
the "log" parameter, you should get the information you desire.

For example (assuming 10.0.0.0/8 is the address of your internal network),
this extended ACL applied inbound on the internal interface of your router:

access-list 101 permit tcp 10.0.0.0 0.255.255.255 any eq 80 log
access-list 101 permit ip any any

will log the source and destination IP address that your users are trying to
access via HTTP (TCP port 80).

I don't know of a good way to resolve those addresses into their DNS name
once they are in the syslog though.

HTH,
Jim


"Ravi Kumar" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> hi friends
>
> I have a small problem
>
> I have a 2600 series router through which my LAN is accessing the internet.
>
> (64 KBPS leased line is connected to sync port of router and NAT is
> configured)
>
> I got a third party sys log software installed on my windows-NT server.
>
> I want to log all the web sites information accessed through my router to
> sys log server.
>
> i configured the router. it is logging only general information like
> router shut down time, restart time, configuration change time.
>
> can any body tell me how to log web site information to my sys log server.
>
> thanks in advance
>
> bye
> ravee
>
>


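What the `log` keyword on Jim's access-list 101 actually gives you on the syslog server, and how to turn it into the per-site summary Ravi asked for, as an added example (not from the post). IOS reports ACL matches as `%SEC-6-IPACCESSLOGP` messages: the first packet of a flow is logged immediately, then further matches are batched into a periodic line carrying a packet count, so totals come from summing that count. The log lines below are constructed in that format, and the name table stands in for the reverse DNS that Jim says he has no good way to do, so the script runs offline.

```python
"""Summarising the syslog records produced by "log" on an extended ACL.

Added example, not from the post. IOS reports ACL matches as
%SEC-6-IPACCESSLOGP syslog messages: the first packet of a flow is logged at
once, later matches are batched into a periodic line with a packet count, so
totals come from summing that count. The lines below are constructed in that
format and NAMES stands in for reverse DNS so this runs offline.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_log(line):
    """Return the fields of one ACL log message, or None for other syslog lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "count"):
        rec[k] = int(rec[k])
    return rec


def summarize(lines, acl="101", action="permitted"):
    """Packets per (client, server, port) for matches of one ACL and action."""
    totals = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["acl"] == acl and rec["action"] == action:
            totals[(rec["src"], rec["dst"], rec["dport"])] += rec["count"]
    return totals


def top_sites(lines, resolver=None, **kw):
    """Rank destination servers by packets, naming them via `resolver` if given.

    `resolver` maps an IP string to a name or None. A real deployment could
    pass a wrapper around socket.gethostbyaddr that swallows lookup failures;
    None leaves the IP addresses as they are.
    """
    per_server = Counter()
    for (_, dst, _), n in summarize(lines, **kw).items():
        per_server[dst] += n
    ranked = per_server.most_common()
    if resolver:
        ranked = [(resolver(ip) or ip, n) for ip, n in ranked]
    return ranked


# Constructed syslog lines in the IOS format (timestamps/addresses made up).
SAMPLE = [
    "Jan 23 10:00:01 10.0.0.1 37: *Jan 23 10:00:00: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.5.20(1041) -> 198.51.100.7(80), 1 packet",
    "Jan 23 10:00:02 10.0.0.1 38: *Jan 23 10:00:01: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.5.31(1102) -> 203.0.113.5(80), 1 packet",
    "Jan 23 10:05:00 10.0.0.1 39: *Jan 23 10:05:00: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.5.20(1041) -> 198.51.100.7(80), 41 packets",
    "Jan 23 10:05:01 10.0.0.1 40: *Jan 23 10:05:01: %SEC-6-IPACCESSLOGP: list 120 denied tcp 10.1.5.31(1103) -> 203.0.113.5(23), 1 packet",
    "Jan 23 10:06:00 10.0.0.1 41: *Jan 23 10:06:00: %SYS-5-CONFIG_I: Configured from console by console",
]

# Stand-in for reverse DNS (constructed); swap in a real lookup if needed.
NAMES = {"198.51.100.7": "www.example.com"}

if __name__ == "__main__":
    for (src, dst, port), n in summarize(SAMPLE).most_common():
        print(f"{src} -> {dst}:{port}  {n} packets")
    print(top_sites(SAMPLE, resolver=NAMES.get))
```

Two operational caveats on the router side: logging ACL entries costs CPU on busy interfaces, so keep `log` on the narrow entry you actually want counted (as Jim's example does) rather than on the catch-all, and IOS lets you tune how often summary lines are emitted with `ip access-list log-update threshold` and throttle the syslog rate with `logging rate-limit`. Resolving names at report time, as above, also avoids the reverse lookups hitting the router at all.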



Re: Help about a technical interview I had PLEASE!

2000-09-15 Thread Jim Deane

John,

I'll leave the technical answers to others on the list who are more
qualified, but here's my $0.02 on your situation.  Even if you empirically
prove that you are/were right and he is/was wrong, you probably don't want
to work at this company or at least take this particular job.

I'm assuming that since this person was interviewing you, you would be
interacting with him in some way on the job.  And I am assuming that since
they had him interview you, he is most likely the "top dog" skills wise in
that group, as well as the favorite of the hiring manager.  So, even if you
were to go back, correct this misunderstanding, and get the job; if you had
to work with this guy every day, you would most likely be miserable in a
short amount of time.  If these questions are indicative of the skill set of
their best technical guy, based on the intelligence of your answers, you
would be frustrated quickly working with him.

When I interview with a company, I interview the people I meet as hard or
harder (in most cases) than they interview me.  Even if you are up to this
company's standards, they probably aren't up to yours, so I'd take a pass.
There are many more jobs out there that you are clearly qualified for.

Good Luck,
Jim


"John Barnes" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> I had a technical interview with a CCIE yesterday, and
> I'm not really sure where to go with this.
>
> He asked me a lot of pretty high level questions and
> some not so high level, the problem is, I feel some of
> the answers he wanted were wrong.  I'm going to post
> the questions, the answers I gave, and the answers he
> claimed to be correct.  If I'm wrong on these, I'd
> like to know.  If I'm right, how would you deal with
> this kind of thing?
>
> 1) What is the size of a token ring frame?
> My answer: Token ring has a variable frame size.
> His answer: 3 bytes..
>
> Isn't that the size of the Token frame?
>
> 2) What is the MTU of a token ring frame?  (Isn't this
> about the same question as #1?)
> My answer: slightly larger than 16K (I couldn't
> remember the exact number)
> His answer: about 4470 bytes.
>
> Ahh... what?  He claimed I was thinking about
> FDDI.  Ah. Who's thinking about what?
>
> 3) What is the decision making process involved when a
> packet enters a router?  What three criteria are used
> to make this decision?
>    My answer:  It depends. Is this the first
> packet with this destination to arrive at this router?
> What switching mode is the router configured for?
>
>    His answer:  Forget about that stuff. How does
> it determine which route to use?
>
>    My answer:  longest match in the routing table
>
>    His answer:  What if multiple routes exist in
> the table?
>
>    My answer:  It depends.
>
>    Ok...I'm gonna cut to the chase. The answer he
> wanted was longest match, Administrative distance,
> then metric.  Ahh.. I'm pretty sure that is wrong.   The
> router looks at AD and Metrics long before the packet
> enters the router.  The router uses AD and metric to
> populate the routing table, and then longest match
> from the routing table to make the decision once the
> packet actually enters the router.  Comparing AD and
> metric on every known route every time would place
> unnecessary burden on the CPU.  Compare it once, make
> the decision, and enter it in the RIT.  Even in the
> case of IGRP/EIGRP with variance, the next eligible
> route is determined before the packet enters the
> router.
>
>   Maybe I should have picked up on this stuff when
> the recruiter asked me whether BGP was a DV or LS based
> routing protocol.  My answer. ahh.neither, it's path
> vector.
>
> I'm basically sending this out to get thoughts, and
> hopefully Howard, Priscilla or someone can tell me
> whether I'm off technically or not.
>
>
> THANKS!
>
> -john
>
>
>
> **NOTE: New CCNA/CCDA List has been formed. For more information go to
> http://www.groupstudy.com/list/Associates.html
> _
> UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
> FAQ, list archives, and subscription info: http://www.groupstudy.com
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>


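The distinction John draws in question 3, as an added worked example (not from the post): administrative distance and then metric decide which candidate route is installed for a prefix when the routing table is built, and a packet is afterwards forwarded by longest prefix match against that table alone. The candidate routes and addresses are constructed; the AD values are the usual IOS defaults.

```python
"""Route installation versus forwarding lookup.

Added example, not from the post. Administrative distance and metric are
compared once, when the routing table is built; per-packet forwarding only
does a longest prefix match against the installed routes. Routes and
addresses are constructed; ADMIN_DISTANCE holds the usual IOS defaults.
"""
import ipaddress
from dataclasses import dataclass

# Default administrative distances (lower is preferred).
ADMIN_DISTANCE = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Route:
    prefix: str
    source: str
    metric: int
    next_hop: str

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)


def build_rib(candidates):
    """Pick one route per prefix: lowest AD first, then lowest metric.

    Equal AD and metric from the same source would be equal-cost paths; this
    toy keeps the first one seen instead of load sharing.
    """
    rib = {}
    for r in candidates:
        key = r.network
        cur = rib.get(key)
        if cur is None or (ADMIN_DISTANCE[r.source], r.metric) < (ADMIN_DISTANCE[cur.source], cur.metric):
            rib[key] = r
    return rib


def lookup(rib, dst):
    """Longest prefix match: the only decision made per packet.

    Returns the installed Route, or None when nothing (not even a default
    route) covers the destination.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, route in rib.items():
        if addr in net and (best is None or net.prefixlen > best.network.prefixlen):
            best = route
    return best


# Constructed candidate routes as several protocols might offer them.
CANDIDATES = [
    Route("10.1.0.0/16", "ospf", 20, "10.0.0.1"),   # wins on AD despite higher metric
    Route("10.1.0.0/16", "rip", 2, "10.0.0.2"),
    Route("10.1.5.0/24", "rip", 3, "10.0.0.3"),     # only protocol offering the /24
    Route("10.1.5.0/24", "rip", 5, "10.0.0.4"),     # same source, worse metric
    Route("0.0.0.0/0", "static", 0, "10.0.0.254"),
]

if __name__ == "__main__":
    rib = build_rib(CANDIDATES)
    for net, r in sorted(rib.items(), key=lambda kv: kv[0].prefixlen):
        print(f"{str(net):16} via {r.next_hop} [{ADMIN_DISTANCE[r.source]}/{r.metric}] {r.source}")
    for dst in ("10.1.5.9", "10.1.7.1", "198.51.100.10"):
        print(dst, "->", lookup(rib, dst).next_hop)
```

Note the order of effects: 10.1.5.9 is forwarded via the RIP-learned /24 even though OSPF (better AD) owns the covering /16, because AD only competed between routes for the same prefix at install time, while the forwarding decision is purely the longest match.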
**NOTE: New CCNA/CCDA List has been formed. For more information go to
http://www.groupstudy.com/list/Associates.html
_
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: Cat 6509 IOS change

2000-07-21 Thread Jim Deane

Steve,

Here is the link to the release notes for IOS 12.1(2)E that details how to
convert a 6509 from hybrid mode to native mode (may require CCO login):

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/ios121e/78_11047.htm#xtocid2003532

This is a 26 step process, and some of the steps have to be done while the
switch is in rommon mode.  So, I don't see how you could perform this
upgrade without downtime.

Additionally, these items from the release notes may be of particular
interest to you:

Note: The system configuration is lost during the conversion to IOS.
Reconfigure the switch after the conversion. We strongly recommend that you
back up your supervisor engine Catalyst OS and your MSFC IOS configurations
(for example to a TFTP server) before you begin the conversion. The MSFC IOS
configuration can be used as a basis for configuring the newly converted
system.

Caution: Please note that you must follow this sequence exactly to
successfully convert your system. Failure to follow these instructions
exactly may result in an unusable system. See the "Feature Sets in Release
12.1(2)E" section for information about supported software images. Do not
attempt these procedures with other software images.

So, this doesn't look like a trivial task.

We looked at the same option last week, but after what we learned from TAC
and reading the release notes, we decided that HSRP would suit us just fine.

Good Luck,
Jim



In theory, there is no difference between theory and practice, but in
practice there is.





"Donohue, Steve" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> In my current environment we have just installed a 6509 with dual
> supervisor modules.  It is currently running a "hybrid" IOS (12.0(7)XE) which
> allows the switch engine and the route processor to be configured, as separate
> entities.  With this IOS the configuration of the two modules does not
> sync.  The customer wants the configs to sync as opposed to running HSRP on
> the two route processors.  In order to do this I must migrate to a "native"
> IOS (12.0(7)XE1 for example) which makes the switch engine and the route
> processor configuration occur at a single prompt.  This IOS migration
> will result in the current configuration of the Catalyst being wiped out.
> Since this switch is live on the network I am trying to minimize downtime.
>
> My questions to the group are;
>
> Has anyone done such an IOS migration?
>
> Is it possible to re-boot the "secondary" module, load the new IOS via
> the xmodem rommon command, configure that module, fail over to the newly
> configured module, then perform the same function on the "master" module,
> the whole time maintaining network functionality until the fail overs?
>
> Any and all suggestions that would minimize down time would be appreciated.
> I currently do not have a second catalyst to perform the upgrade outside
> the "live box."
>
> Thanks in advance for any and all ideas.
>
> Steve D.
>





Re: collision

2000-08-04 Thread Jim Deane


I have seen collisions like this as a result of a duplex mismatch between
the router interface and the switch port.  Autonegotiation doesn't always
work reliably, especially between vendors.  You may want to specify the
speed and duplex of both the router's interface, and the switch port that
the router is plugged into.


HTH,
Jim



"Cisco Study" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Hi all,
>
> could any one tell me why the collisions counter increases
> on an ethernet port and what should i do to prevent
> this. Thanks in adv
> *
> sh int e 0/0
> Ethernet0/0 is up, line protocol is up
>   Hardware is AmdP2, address is 0010.7be1.6cc1 (bia 0010.7be1.6cc1)
>   Internet address is 202.41.11.40/24
>   MTU 1500 bytes, BW 1 Kbit, DLY 1000 usec, rely 255/255, load 4/255
>   Encapsulation ARPA, loopback not set, keepalive set (10 sec)
>   ARP type: ARPA, ARP Timeout 04:00:00
>   Last input 00:00:00, output 00:00:00, output hang never
>   Last clearing of "show interface" counters 19:30:29
>   Queueing strategy: fifo
>   Output queue 0/40, 54 drops; input queue 0/75, 0 drops
>   5 minute input rate 83 bits/sec, 126 packets/sec
>   5 minute output rate 195000 bits/sec, 113 packets/sec
>      2135956 packets input, 1236837647 bytes, 0 no buffer
>      Received 205775 broadcasts, 0 runts, 0 giants, 0 throttles
>      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
>      0 input packets with dribble condition detected
>      2503462 packets output, 859332285 bytes, 0 underruns
>      0 output errors, **305764 collisions**, 0 interface resets
>      0 babbles, 0 late collision, 35665 deferred
>      0 lost carrier, 0 no carrier
>      0 output buffer failures, 0 output buffers swapped out
> SPZRTR1#
>


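A small triage script for the `show interface` counters quoted above, as an added example (not from the post). It pulls out the collision and error counters and applies the reasoning in Jim's reply: collisions only occur on a half-duplex side, so a collision count this high on a router-to-switch link means that side is running half duplex, whether because autonegotiation produced a mismatch or because the segment is genuinely busy; late collisions are the stronger mismatch signal, and CRC errors or runts are what the full-duplex side of a mismatch typically shows. The input is the poster's output reflowed onto single lines with the emphasis asterisks removed; the warning threshold is an assumption chosen for illustration.

```python
"""Duplex-mismatch triage from "show interface" counters.

Added example, not from the post. Parses the interface counters and flags the
patterns associated with a duplex mismatch: late collisions and a high
collision ratio on the half-duplex side, CRC errors/runts on the full-duplex
side. The sample text is the posted output reflowed; the 5% threshold is an
assumption for illustration, not a Cisco figure.
"""
import re

COUNTER_PATTERNS = {
    "packets_output": r"(\d+) packets output",
    "collisions": r"(\d+) collisions",          # does not match "N late collision"
    "late_collisions": r"(\d+) late collisions?",
    "deferred": r"(\d+) deferred",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "runts": r"(\d+) runts",
}


def parse_counters(text):
    """Pull the error/collision counters out of "show interface" text."""
    counters = {}
    for name, pattern in COUNTER_PATTERNS.items():
        m = re.search(pattern, text)
        counters[name] = int(m.group(1)) if m else 0
    return counters


def assess(counters, collision_ratio_warn=0.05):
    """Return (collision ratio, list of findings) for one interface."""
    out = counters["packets_output"]
    ratio = counters["collisions"] / out if out else 0.0
    findings = []
    if counters["late_collisions"]:
        findings.append("late collisions: half-duplex-side symptom of a duplex "
                        "mismatch (or an over-long segment)")
    if ratio > collision_ratio_warn:
        findings.append(f"collision ratio {ratio:.1%}: this side is running half "
                        "duplex; hard-set speed and duplex on both the router "
                        "interface and the switch port, or the segment is saturated")
    if counters["crc"] or counters["runts"]:
        findings.append("CRC errors/runts on input: what the full-duplex side of "
                        "a mismatch typically shows")
    if not findings:
        findings.append("counters look clean")
    return ratio, findings


# The posted "sh int e 0/0" output, reflowed onto single lines.
SAMPLE_SHOW_INTERFACE = """\
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 0010.7be1.6cc1 (bia 0010.7be1.6cc1)
  Internet address is 202.41.11.40/24
  MTU 1500 bytes, BW 1 Kbit, DLY 1000 usec, rely 255/255, load 4/255
  Encapsulation ARPA, loopback not set, keepalive set (10 sec)
  Last clearing of "show interface" counters 19:30:29
  Output queue 0/40, 54 drops; input queue 0/75, 0 drops
  5 minute input rate 83 bits/sec, 126 packets/sec
  5 minute output rate 195000 bits/sec, 113 packets/sec
     2135956 packets input, 1236837647 bytes, 0 no buffer
     Received 205775 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 input packets with dribble condition detected
     2503462 packets output, 859332285 bytes, 0 underruns
     0 output errors, 305764 collisions, 0 interface resets
     0 babbles, 0 late collision, 35665 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
"""

if __name__ == "__main__":
    counters = parse_counters(SAMPLE_SHOW_INTERFACE)
    ratio, findings = assess(counters)
    print(counters)
    for f in findings:
        print("-", f)
```

On the posted counters the script reports a collision ratio of about 12% with no late collisions, which is consistent with Jim's suggestion: the router side is in half duplex, so the fix is to set speed and duplex explicitly on both ends and then clear the counters and watch whether they stay at zero. Checking the same counters on the switch port is the quick confirmation: a mismatch shows up as CRC/runt input errors on whichever side is full duplex.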