So ... doesn't that give them enough supporting evidence all by itself?
If not, maybe it is a lost cause?
As an aside - a pix, if it was permitting the offending port through as
well, may not have stopped the worm either. Think Defense in Depth. A
firewall, while a necessity for
I would have to take issue with the following statement:
You should of course harden any Internet facing network device, however
the point is not really the type of server OS you run, or the Apps on
it, but how good you are at proactively keeping them patched.
-MANY- so-called vulnerabilities
Watch out for port specific settings (VLAN assignments, speed, duplex,
portfast, description/names, trunk settings, etc.) too; i.e. - once you
unplug everything you will need to either plug the cables into the same
ports or at the very least ensure the new port gets similar settings.
If this is
Dunno (if)/(how much) this helps - but I have heard similar complaints /
issues WRT the Nortel Contivity client and the Cisco VPN Client as well ...
Thanks!
TJ
[EMAIL PROTECTED]
-Original Message-
From: Robert Edmonds [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 27, 2003 10:59 AM
That all looks pretty good ...
On the MSFC/RSM - do a show interface: (edited for length)
Vlan8 is up, line protocol is up
Hardware is Cat6k RP Virtual Ethernet, address is 00d0.d335.6614
Vlan9 is up, line protocol is up
Hardware is Cat6k RP Virtual
A good, relevant quote from one of the SANS instructors: (Eric Cole, IIRC)
Prevention is ideal, but detection is a must
I.e. - stopping the attack altogether is the best possible outcome, but
failing that you must be able to know that something -has- happened or -is-
happening.
Blackholing is frequently used to block traffic to known 'bad' addresses, or
to alleviate a (D)DoS attack victim's woes.
Using ACL's is not the preferred way however - just route traffic to nul0
(use no icmp unreachables too ... )
Google can be your friend!
Thanks!
TJ
-Original Message-
!
TJ
-Original Message-
From: William [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 27, 2003 5:32 PM
To: 'Evans, TJ (BearingPoint)'; [EMAIL PROTECTED]
Subject: RE: NT4.0 password crack tool [7:61807]
One word: L0phtCrack
Will Gragido CISSP CCNP CIPTSS CCDA MCP
-Original
Why not use LinNT?
... boot off of a linux floppy, reset admin password and boot up with new
password.
Since you are (presumably) not trying to be sneaky _and_ you have direct
access to the machine changing the PW should not be a problem, yes?
Oh - and it is free, and works with WinNT4 - WinXP.
In the past I have just scripted telnet in a batch file; that has my pw
passed as a command line parameter and a device list / device type setting
to account for differences between IOS and CatOS
... oh yeah, and to 'script' telnet I used pushkeys ...
Thanks!
-Original Message-
From:
IMHO - it is all a question of usability/functionality vs. security ...
Ideally (from a security perspective) - you would not split tunnel; as the
hosts are then, in effect, multi-homed. In fact, ideally, you wouldn't VPN
at all ;
However, in the real world, there are issues with not
Nice...
FYI - Another painful thing like this can happen if you have an interface
disabled on one but not the other, or even worse - different #'s of ports
(i.e. - one with 6 ports and one with 4 ... doh!)
Thanks!
TJ
-Original Message-
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent:
Is your outside link up, and plugged into an enabled switch port that is on
the correct vlan/segment and set to correct speed/duplex?
Can other devices on same switch communicate with anyone else?
Thanks!
TJ
[EMAIL PROTECTED]
-Original Message-
From: Sam Sneed [mailto:[EMAIL
It is just a static NAT of the internal address to an external address, in
this case they happen to be the same address
... sometimes used in conjunction with conduits/ACL's to permit certain
monitoring/syslog/tftp/etc. traffic to external devices (edge routers, for
ex.) without exposing the
If there is no route for that block, including summarizations thereof (and
no interface in that subnet), then it shouldn't go anywhere / be reachable.
So the next question - does it work?
* Can that machine get out, and if so ... try
www.whatismyip.com
...
I wonder - is this a situation where specific code level, or the family of
products in question, etc., is causing a discrepancy?
I know the PIX (currently), for example, works as TLaWR states below ...
However, perhaps in IOS when you specify
ip nat pool overload (start) (finish)
And more importantly, from a semantics perspective - is a horrible kludge
a bad thing or a good thing? Or a case of two wrongs not making a right.
... double negatives are fun.
Thanks!
TJ
[EMAIL PROTECTED]
-Original Message-
From: Doug S [mailto:[EMAIL PROTECTED]]
Sent: Friday,
Minor comment - protocol 50 and 51, not port ...
Also - worth noting, using TCP for remote client VPN's is useful as well ...
like 443 since it will be permitted out from just about everywhere!
Thanks!
TJ
[EMAIL PROTECTED]
-Original Message-
From: Elijah Savage III [mailto:[EMAIL
Along with MAC tracing, using CDP to id next-hop switches, etc. you can also
try to use something like psloggedon (or psshutdown if you have something of
a mean-streak) from sysinternals.com. OR - if your domain is logging
successful logins, maybe you could look through them to see who is logging
Strangely, they also detect 'cable reconnects' and attempt to re-IP (via
DHCP, or autoconfig if enabled) you at that time.
Thanks!
TJ
-Original Message-
From: Larry Letterman [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 01, 2002 1:20 PM
To: [EMAIL PROTECTED]
Subject: Re: OT:
.
-Original Message-
From: Evans, TJ [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 01, 2002 1:49 PM
To: [EMAIL PROTECTED]
Subject: RE: OT: Serves Me Right - DHCP problem [7:54402]
Strangely, they also detect 'cable reconnects' and attempt to re-IP (via
DHCP, or autoconfig if enabled) you
Don't know if this came through already and I missed it, but FYI:
(little issues like DoS, info leaking, etc.)
* Advisory @
http://www.cisco.com/warp/public/707/vpn3k-multiple-vuln-pub.shtml
* SW @ http://www.cisco.com/cgi-bin/tablebuild.pl/vpn3000-3des
(Beware the warp on
Haven't had my coffee yet ...
*) couldn't you just be more explicit/specific in your ACLs when specifying
interesting/matching traffic? ... IOW, don't summarize the whole range :)
(or - to go a step further, could you do the summarization but precede it
with a deny that specifies the other
In case you use the VPN Client, and missed the bulletin ...
Thanks!
TJ
-Original Message-
From: CCO Field Notice [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 13, 2002 1:48 PM
To: [EMAIL PROTECTED]
Subject: Cisco Security Advisory: Cisco VPN Client Multiple Vulnerabilities
This
May not apply to your case, but good to keep in mind anyway :):
We have had issues creating VPN's between IOS-Routers+3DES and
VPN-Concentrators; the issue came down to a disagreement as to the default
DH group ... IOS defaulted to group 1 while Concentrator defaulted to group
2. Drove us
Is it also relevant/correct that in a case like this, just under normal TCP
operation, HostB would assume HostA did not receive the ACK, which resulted
in HostA retransmitting the original packet ... and HostB re-ACK'ing it ...
etc. etc. ?
Thanks!
TJ
-Original Message-
From:
So it is trying to do some load balancing/sharing ... ?
... on Compaq's teaming driver, IIRC they say you need to group the ports
for the load sharing option to work ... ?
Most teaming drivers do create a virtual MAC and
use that for normal traffic, and the heartbeats use 'true' MACs for each
If I read this correctly ... (always a big assumption :) )
This may also arise when a network outgrows an initial IP range, and rather
than redesign/re-address every host they just hemorrhage another block ...
Or, the .100 box could be hosting a DMZ ?
Or, for some reason, it was decided that
I am not, by any stretch of the imagination, a lawyer ... however my
understanding of the current interpretation of the laws applicable to
WarDriving are that if the owner/operator does not make at least some minimal
effort to secure the transmissions then it is considered 'for public use'.
So if
Ask Google ... he(she?) knows damn near everything.
Maybe Internet LineJACK fits the bill?
In general - looking for answers on your own is not a bad idea ...
Thanks!
TJ
-Original Message-
From: Osama Kamal [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 23, 2002 8:31 AM
To:
This is a case of Load Sharing vs. Load Balancing; very important
difference!
And unfortunately, this is
out of your control ... based totally on BGP hop
counts.
On a related note - I would like to drop a question to the group:
Similar situation; i.e. - we have dual frac-DS3's to two ISP's
The reply *should* come from the IP that the request arrived at ... ...
Thanks!
TJ
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 05, 2002 12:38 AM
To: [EMAIL PROTECTED]
Subject: Re: Pix NAT - Two to one [7:37179]
When the two outside
Last I heard / checked this is not an option on the PIX.
Documentation is very explicit - one for one mapping.
The typical workaround is to add a secondary ip address to the machine. We
have done this
repeatedly; for DNS changes, for ISP address space changes, etc.
Thanks!
TJ
Hmm ... never tried this, and
assuming it works I certainly would never recommend /do it ...
If you are truly desperate for telnet - would the pix allow you to make a
static external address for the inside interface of the pix itself, and
allow telnet to that and as part
of the telnet
Have you verified that broadcast traffic is not flowing?
Also - when you say directed IP is, you have done it host to host and not
just host to switch, yes?
To show up in Network Neighborhood I believe they will also need to be in
the same workgroup ... or pointing to a WINS server for name
The NSA 60 minute guide to Securing your network is useful ... and
recommends a pretty decent list of ports to block. Check google ...
Thanks!
TJ
-Original Message-
From: Vaas [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 01, 2002 2:07 AM
To: [EMAIL PROTECTED]
Subject: Standard
This has turned into a really long thread ... Anyway:
HSRP + BGP would be, IMHO, the best option. It would be graceful and
smooth, not to mention provide automatic failover.
The BIG CAVEAT - this is only true *IF* they can afford to UG their hardware
and if they can justify the IP address
Google
Netmeeting limitations
First hit = http://www.cwru.edu/net/csg/cmc/netmeeting.html
Click on limitations ...
4. NetMeeting Limitations
... NetMeeting limits the use of audio and/or video to two participants at
any one time. Using multipoint audio and/or video requires the use of
Footnote - I believe this would also permit 'crafted' packets with the ack
bit set ... which is why a good firewall is better.
Thanks!
TJ
-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 21, 2002 8:25 PM
To: [EMAIL PROTECTED]
config net TFTP_IP:FILENAME ?
Thanks!
TJ
-Original Message-
From: BASSOLE Rock [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 13, 2002 9:07 AM
To: [EMAIL PROTECTED]
Subject:PIX information [7:35294]
Hello group,
What command can I use to copy a configuration
I believe it syncs them auto-magically, or perhaps on a timed basis.
Regardless ... I always do a wr standby ... just to be sure.
Thanks!
TJ
-Original Message-
From: Hartnell, George [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 13, 2002 12:46 PM
To: [EMAIL PROTECTED]
Depends on the nature of your client and their network access patterns!
For example - http is very asynchronous traffic ...
always pulling more than pushing :).
Does this number remain consistently high, or just when you happened to
check it this time?
If it really bothers you, go to your
Are all of the routers identical ?
Are all of your Ethernet interfaces 100mb/full duplex?
Do you see any errors on them? ... collisions, FCS, etc.
Are the PC NIC's configured the same ?
Out Of Curiosity - what make/model are the NICs?
Are the PC's OS and software loads
I heard it put very well, and wish I could attribute it but I don't recall
the source:
To paraphrase, it goes something like this:
Think of what it is your company makes, does or sells ... or is planning on
doing so in the future.
... and how it makes it and/or does it, how much it costs
The NSA put together a 60 minute guide to securing your network; which has
an excellent breakdown of what ports you will want to block inbound and
outbound. It also breaks them up into should never be open, may be open
if needed, etc. type of categories.
The question I have is - What is going
IMHO the best place to do VPN termination is on a VPN Concentrator, but
there is obviously a not-too-insignificant cost involved there. In fact, to
then do that right you would need another FW ... or at least a FW with
multiple interfaces to route the VPN traffic through.
When possible,
You can also get these nice kind of hard-to-troubleshoot issues if your
cables are not wired properly; i.e. 'crossed or mismatched pairs' on some
cable-testers.
Specifically - if the pinout is such that the wrong wires are being twisted
around each other ... would normally work just fine for
Although I am inclined to stay out of this, I would like to ask a question
of the heretofore nameless one ...
Most ISP's today ... that would imply that you have spoken with a
majority of all of the current ISP's
Have you done so? Or was this factoid picked up from a book somewhere?
Just my $.02 ... secondary addresses cover this quite well!!
, and then again as we phased providers out ...
Thanks!
TJ
-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 19, 2001 11:26 PM
To: [EMAIL PROTECTED]
Subject:
Don't forget about the latency involved in all packets traveling through
Springfield, or the frequent collisions that occur on these specific routes.
... I usually wish I *didn't* live in Springfield.
Thanks!
TJ
-Original Message-
From: Howard C. Berkowitz [mailto:[EMAIL PROTECTED]]
As with most design issues, a lot of the answer will depend on individual
circumstances.
Including, but certainly not limited to:
Cost
Size of environment
Traffic Flow
Security Concerns
Summed up as what is your Overall Goal
If your primary
rm -rf ...
rm = remove
-r = recursive
-f = force
all together -- same effect as a deltree /y; namely - everything on HDD
is no longer present :).
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and
Can the firewall ping your router?
Can the firewall ping the inside 'host'?
Did you create the NAT addresses / pool?
Do a show xlate ... what xlates
are listed?
Do you have an external route on your FW and is the def gateway
You also need to specify what is where ...
... AD servers in DMZ / outside or the client PC's in the DMZ / outside?
Hopefully, AD inside ... but then again, hopefully you would use a VPN for
the outside boxes to connect.
One possible, semi-allowable exception - multiple firewalls; either
As long as the PIX is 'pointed to' the inside Ethernet interface of the
router the PIX should never know about anything
past that.
Does your PIX point to the router as its DG?
Do you have the address space for your BGP AS# configured properly with your
ISP's?
Does this happen regardless of
Is the FTP server telling you someone is connected, or is the OS telling you
someone is connected ... ?
From what I am reading below it sounds more like the
OS is telling you someone is connected, a la terminal services or whatever
XP calls the built in remote control app. I would check your
Just go to google, type in your desired search words and add
site:cisco.com ...
Thanks!
TJ
-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 2:32
To: [EMAIL PROTECTED]
Subject:Re: Rapid spanning-tree 802.1w
With regards to reload - almost never required, a good wr mem and
sometimes a clear xlate.
With regards to ordering - within an individual portion they are just
sorted by order of entry ...
With regards to ping-ability - you have not listed a conduit permitting ping
... so by default it is
Blocking all access to port 80? ... must be nice to have that much leeway in
what you are able to block.
There are free scanners available to scan entire class-c equivalent network
blocks for vulnerable /or infected systems ... run
it, then patch/repair/reboot those machines.
Thanks!
TJ
Assuming you have a static statement for each server, *that part* is
correct.
However - the conduit lines will need a port# ... web tcp/80 ... smtp/pop
25/110.
conduit permit tcp host __extIPaddress__ eq __port#__ any
External address of each server
At the very least, I would recommend using a secure way to get into your
network; SSH, VPN, etc.
And then, once inside, you could access the switch by internal address.
In general - I would *almost* never make a switch have an external address,
and would certainly never telnet into it from outside
PGP also makes a 'pretty good' application/utility for encrypting email,
files, etc.
It *will* require you to have the public key of the person you are sending
to however and there are public/free servers for key exchange
PGP is free for personal use, but they do require corporate users to
... or you could try changing the SID just to see what happens ... there are
utils for that.
YMMV.
Thanks!
TJ
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Saturday, June 23, 2001 09:33
To: [EMAIL PROTECTED]
Subject:Re: Got A Side Job and
... I am running 5.3(1) on a PIX520UR and use nothing but conduits ... and
all of my conduits still function ...
Thanks!
TJ
-Original Message-
From: Chris Agnoli [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 11, 2001 20:20
To: [EMAIL PROTECTED]
Subject:Re: PIX
Is spanning-tree running?
... or, to phrase it a little differently, have you enabled portfast on the
port(s) in question?
Thanks!
TJ
-Original Message-
From: Larry Ogun-Banjo [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 12, 2001 11:30
To: [EMAIL PROTECTED]
Subject:
I'll take a stab at some of this ...
First - If I recall, and I may very well be wrong here, I thought DNS
round-robin was solely for load-sharing, not redundancy.
Second - Regarding BGP multi-homing ... some gotchas that we ran into:
You will need an ASN
Some ISP's have
I am pretty sure you can only have one outside interface ...
To achieve what you want, I would think you could connect it to an
intermediary router and let *it*
make the routing decisions between which ISP traffic goes to ...
Thanks!
TJ
(2 * PIX = Pices?)
-Original Message-
Dunno' about when using Samba, but with FTP you can use the lcd command to
specify where 'get'/'mget' drops the files ...
Ex - lcd c:\temp would make it so that any file you download will be saved
in c:\temp.
Thanks!
TJ
-Original Message-
From: Mr. Oletu Hosea Godswill, CCNA
And to broaden the point a little:
Well, first - a disclaimer: Yes, certain fields pay more than others
or Football Player's salary to a
Police officers ... is it fair or right? ... not my call, although in
general I would say not really all that fair from a social aspect.
Having said
What sort of Issues?
... simple firewalling / port filtering?
What sort of VPNs?
... Pix 2 Pix?
... PPTP connections to PIX?
???
As far as a PIX and Win2k working together, just in general - my PIX's
haven't had any issues ...
Thanks!
TJ
-Original Message-
From: Pickard, Richard
Technically -
1. It isn't an html attachment, it's a vbs ...
2. The listserv is nice enough to filter it out, so even if you wanted to
you couldn't ...
Thanks!
TJ
-Original Message-
From: David Toalson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 10, 2001 10:43
To:
Use SSH ...
I don't believe the PIX supports telnet sessions on the outside interface,
something about security risks ... ;)
=
FOR SSH:
http://www.cisco.com/warp/public/110/authtopix.shtml#localSSH
slightly modified excerpt:
If I recall correctly access to/through
the external addresses of internal machines from internal machines is a
no-no.
Internally - all should be well; i.e. - machines are able to communicate
openly with each other
Internal 2 External systems - all should be well, and if you have static
I suspect it is to prevent a DoS type attack; something like the PIX not
responding to ARP's that it announces.
It would make my life a lot easier if the PIX would be smart enough to
resolve it internally; we are having an issue now with inter-interface
communication that I suspect is related.
Another thing to keep in mind - typically NAV, by default, does not check
*all* files.
I always recommend everyone go into Options and set both
Auto-Protect and Scanner to All Files. Typically, I would also set the
Heuristics on the scanner to Highest.
Wow - this one does look nasty,
Some remote control software will allow you to
port-hop to a specific port ... but it is a major security risk :).
Thanks!
TJ
-Original Message-
From: Allen May [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 02, 2001 11:14
To: [EMAIL PROTECTED]
Subject:Re: Cisco
Also, one thing that caught us off guard was that one of our providers
required us to register with RADB as well.
to leave some static route entry for us, which
took priority over the BGP-provided route ... luckily we caught that before
we had an occasion requiring a failover.
Thanks!
TJ
We have seen this when servers' DNS server entries are incorrect /
unreachable.
Thanks!
TJ
-Original Message-
From: Luis Oliveira [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 12, 2001 16:27
To: [EMAIL PROTECTED]
Subject:Telnet and mail problems [7:392]
Fellow
~30 seconds or so is within reason ...
Thanks!
TJ
-Original Message-
From: Luis Oliveira [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 12, 2001 17:31
To: [EMAIL PROTECTED]
Subject:Re: Telnet and mail problems [7:392]
Should the logon time be so long even if I
I know that in our case, trying to use BGP for failover between two
providers, we
(a) were required to have a /24 UUnet ... no problem
(b) were required to have an AS#... no
problem
(c) PSI *required* us to 'take possession' of the maintainer object for
One important distinction - AH and ESP are not on 'ports' per se, but
protocols...
i.e. - to allow AH through PIX you *would not* use
conduit permit tcp host w.x.y.z eq AH any replacing
AH w/ 50 will also not work ... well, it will - but will allow
instead, the following
Drop the s in the middle ...
www.sureshhomepage.com
Thanks!
TJ
-Original Message-
From: Jack Nalbandian [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 27, 2001 15:11
To: [EMAIL PROTECTED]
Subject:RE: My CCNA test -Tips to follow
Paul,
The Suresh link didn't work
Although I agree on the PIX being able to handle the load; other
considerations may include:
* The traffic from the DMZ though the PIX to the internal servers ...
depending on how their applications/web servers work in conjunction with the
db servers there could be significant load there
Of
I was going to suggest the use of an access class similar to access
lists... applied to the vty lines ... but thanks for the transport input
line!
also - file under "related info" - it is my understanding that if we did
make a simple ACL applied to all incoming traffic blocking telnet on S0/0
for