Security Cisco
Tuesday, May 29, 2018
Wednesday, June 19, 2013
CCIE Security v4 is now official
BIG changes announced! The CCIE Security v4 Lab is now official. For those who haven't scheduled the v3 lab yet, do it before November 18, 2012, as there is a laundry list of changes to the equipment list and blueprint for the lab exam: Cisco Secure ACS 5.x, Cisco Identity Services Engine (ISE) 1.x, ISR G2, the new 3750-X switch, a completely revised ASA 8.4.x / 8.6.x (mainly due to the NAT and IKEv2 changes), WLC 2500, Aironet APs, etc. Here is the hardware and software list for the new CCIE Security v4 lab:
Hardware List:
- Cisco 3800 Series Integrated Services Routers (ISR)
- Cisco 1800 Series Integrated Services Routers (ISR)
- Cisco 2900 Series Integrated Services Routers (ISR G2)
- Cisco Catalyst 3560-24TS Series Switches
- Cisco Catalyst 3750-X Series Switches
- Cisco ASA 5500 and 5500-X Series Adaptive Security Appliances
- Cisco IPS Series 4200 Intrusion Prevention System sensors
- Cisco S-series Web Security Appliance
- Cisco ISE 3300 Series Identity Services Engine
- Cisco WLC 2500 Series Wireless LAN Controller
- Cisco Aironet 1200 Series Wireless Access Point
- Cisco IP Phone 7900 Series
- Cisco Secure Access Control System 5X
Software List:
- Cisco ISR Series running IOS Software Version 15.1(x)T and 15.2(x)T
- Cisco Catalyst 3560/3750 Series Switches running Cisco IOS Software Release 12.2SE/15.0(x)SE
- Cisco ASA 5500 Series Adaptive Security Appliances OS Software Versions 8.2x, 8.4x, 8.6x
- Cisco IPS Software Release 7.x
- Cisco VPN Client Software for Windows, Release 5.x
- Cisco Secure ACS System software version 5.x
- Cisco WLC 2500 Series software 7.x
- Cisco Aironet 1200 series AP Cisco IOS Software Release 12.4J(x)
- Cisco WSA S-series software version 7.x
- Cisco ISE 3300 series software version 1.x
You can find more details below:
Failover on Cisco ASA
Configuring high availability requires two identical ASAs connected to each other through a dedicated failover link and, optionally, a Stateful Failover link. The health of the active interfaces and units is monitored to determine if specific failover conditions are met. If those conditions are met, failover occurs.
The ASA supports two failover configurations, Active/Active failover and Active/Standby failover. Each failover configuration has its own method for determining and performing failover.
With Active/Active failover, both units can pass network traffic. This also lets you configure traffic sharing on your network. Active/Active failover is available only on units running in multiple context mode.
With Active/Standby failover, only one unit passes traffic while the other unit waits in a standby state. Active/Standby failover is available on units running in either single or multiple context mode.
Both failover configurations support stateful or stateless (regular) failover.
Hardware Requirements
The two units in a failover configuration must be the same model, have the same number and types of interfaces, and the same SSMs installed (if any).
If you are using units with different Flash memory sizes in your failover configuration, make sure the unit with the smaller Flash memory has enough space to accommodate the software image files and the configuration files. If it does not, configuration synchronization from the unit with the larger Flash memory to the unit with the smaller Flash memory will fail.
Although it is not required, it is recommended that both units have the same amount of RAM memory installed.
Software Requirements
The two units in a failover configuration must be in the same operating modes (routed or transparent, single or multiple context). They must have the same major (first number) and minor (second number) software version. However, you can use different versions of the software during an upgrade process; for example, you can upgrade one unit from Version 7.0(1) to Version 7.0(2) and have failover remain active.
The two units in a failover pair constantly communicate over a failover link to determine the operating status of each unit. The following information is communicated over the failover link:
- The unit state (active or standby)
- Hello messages (keep-alives)
- Network link status
- MAC address exchange
All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. If the ASA is used to terminate VPN tunnels, this information includes any usernames, passwords and preshared keys used for establishing the tunnels. Transmitting this sensitive data in clear text could pose a significant security risk. We recommend securing the failover communication with a failover key if you are using the ASA to terminate VPN tunnels.
You can use any unused Ethernet interface on the device as the failover link; however, you cannot specify an interface that is currently configured with a name. The LAN failover link interface is not configured as a normal networking interface; it exists for failover communication only. This interface should only be used for the LAN failover link (and optionally for the Stateful Failover link).
Connect the LAN failover link in one of the following two ways:
- Using a switch, with no other device on the same network segment (broadcast domain or VLAN) as the LAN failover interfaces of the ASA.
- Using a crossover Ethernet cable to connect the appliances directly, without the need for an external switch.
When you use a crossover cable for the LAN failover link, if the LAN interface fails, the link is brought down on both peers. This condition may hamper troubleshooting efforts because you cannot easily determine which interface failed and caused the link to come down.
The ASA supports Auto-MDI/MDIX on its copper Ethernet ports, so you can either use a crossover cable or a straight-through cable. If you use a straight-through cable, the interface automatically detects the cable and swaps one of the transmit/receive pairs to MDIX.
Network Diagram Software
Network Diagram
A network diagram is a schematic depicting the nodes and the connections among them in a computer network or, more generally, any telecommunications network. Network diagrams are usually drawn with dedicated drawing software. The following network diagrams are included in our network diagram software.
Network Diagram Software
Network Diagram Software is ideal for network engineers and network designers who need to draw detailed network documentation. Edraw Network Diagram is light-weight, yet incredibly powerful, and can be used to create the following network diagrams: basic network diagrams, Cisco network topology, logical network diagrams, physical network diagrams, LAN diagrams, WAN diagrams, LDAP, active directory and lots more.
Built-in network diagram icons representing computers, network devices and smart connectors help you create accurate network diagrams to use in your network documentation project. Lots of network diagram templates, network diagram symbols and network diagram examples help you quickly create the most common network diagrams. An intuitive interface helps you create accurate diagrams in minutes. Just drag and drop pre-drawn shapes representing computers and network devices. Double-click to set equipment data. Create detailed physical, logical and network architecture diagrams using a comprehensive set of network and computer equipment shapes.
Free network diagram examples, icons and templates
In-depth tutorials to help you learn to draw network diagram.
Supports Windows 7, Vista, 2003, XP, 2000
Free maintenance update and free technology support.
Create professional looking computer network diagrams with minimal effort in no time!
Example galleries: 3D Network Diagram, Cisco Network Diagram, Basic Network Diagram.
Quickly and easily draw detailed computer network diagrams. Edraw is the ideal network drawing software that helps you create professional looking network diagrams in minutes. It provides special libraries of templates, detailed symbols, graphics and shapes for devices such as switches, hubs, printers, servers, mainframes, routers, and face plates for computer and telecommunications networks. It can also export to common graphics formats, PDF, and HTML with hyperlinks.
Why Choose Edraw to Draw Computer Network Diagrams
Network diagrams such as home network diagrams, wireless network, network cable, logical network, network wiring, LAN network, activity network, network topology, local area network, physical network diagrams, network security diagrams, network WAN, network wiring cable, network cabling, and network VoIP diagrams are very complicated to draw by hand. Edraw provides an all-inclusive collection of templates, symbols and computer clip-art images to rapidly create all these diagrams, even motherboards, network topologies, peer-to-peer (P2P), LAN/WAN design and network cabling.
It helps you create computer network diagrams within minutes, and comprises 2D and 3D networking symbols, block diagramming symbols and Cisco network symbols. It can create customized libraries of network components, and can draw detailed network diagrams showing the placement of network equipment and their logical and physical connections and arrangement. Edraw lets you share network diagrams via the web or in a business presentation, enhancing business communication.
Makes Your Network Topology Specialty with Network Diagram Software
Provides four sets of network diagram icons: logical network diagram symbols, physical network devices, 3D network diagrams and Cisco network diagram icons.
Includes thousands of ready-made graphics and templates for computers, servers, hubs, switches, printers, mainframes, routers, cables, faxes and lots more.
A bundle of network diagram examples and templates. Network drawing does not need to start from scratch. Just drag the ready-made network symbols from the libraries and drop them on your page. Network drawing couldn't be easier!
You don't need to be an artist to create great-looking results! Edraw helps you align and arrange everything perfectly.
Common graphic format support and printing are WYSIWYG (What You See Is What You Get).
Zooming, scrolling, multi-selection and multi-level undo/redo are supported. No artistic skills are required: Edraw automatically aligns and arranges everything so your network drawing looks great.
Distinct colors, fonts, shapes, styles, pictures, text and symbols for each object of the diagram are available.
No Other Computer Network Diagram Software Gives you All This
Easy-to-use network diagram tool with rich examples and templates.
Great value for the money.
30 day product refunds guarantee.
Free updates forever, free technology support.
In-depth tutorials to help you learn to draw network diagrams.
Independent Reviews of Our Network Diagram Software
"Edraw is outstanding network drawing software. It's an excellent drawing tool, but better than Visio, and I created beautiful network diagrams in minutes. If network diagrams are the only thing you plan to use it for, Visio is probably a little overkill, and Visio is too expensive for my taste. Now I've found Edraw, I've found my network document software!"
"This has to be one of the best network diagram tools I've come across by far - it's so simple! It has made my network schematics much more fun to do!"
"As a Network Engineer, I've used several expensive products to produce network diagrams. I just wanted to say that Edraw is just as good, only better value for money! It's ideal for network planning and network design. Superb!"
Source :- http://www.edrawsoft.com
Port Detective
Port Detective performs a remote port scan against your own IP address. This scan helps you determine whether you are properly secured, or whether the proper ports are available and open for hosting a server behind your cable or DSL modem. If you have a cable modem or xDSL modem, Port Detective will give you the details on which TCP/IP ports are open, in use or blocked. Why not run your own web server from your home? Port Detective will tell you if you can run a web server, FTP server, mail server and just about any other type of Internet server.
Simply download Port Detective using the link below, then run it on your PC that is connected to the Internet, and we do the rest. Port Detective checks out your PC and lets you know the port status: Open, Blocked, or In Use. Try Port Detective yourself today!
See the table below for an explanation of Results:
Port is OPEN
This means the port is available and you can usually host the TCP/IP service on that port.
Port is BLOCKED
This means the port is blocked or restricted, and you CANNOT host the TCP/IP service on that port.
Port is IN USE
This means the port is currently in use. You can usually host the TCP/IP service on that port, although you should try again without the service running.
Download :- Port Detective
Free all IT certifications Exam Question and Answers
www.aiotestking.com
All in one TestKing (AIO TestKing) offers free IT exams, IT training, IT practice test, IT practice exams and IT questions daily.
This site is a really great site for IT exam preparation.
Infographic: Botnets demystified and explained
McAfee has created a nice, easy-to-understand infographic explaining what botnets are. With the rapid growth in malware and bot infections all around, it is important for everyone to understand what botnets and zombies are.
A botnet, in simple words, is a collection of infected or compromised computers. These computers are called bots. Such bots are controlled by others and used for malicious purposes. Many such computers together comprise a botnet. Botnets are controlled en masse via protocols such as IRC.
This Infographic nails the botnet lifecycle and economics just right… not too technical, not too simple.
Network Security Glossary part1
A
ACL (Access Control List)
A method of keeping in check the Internet traffic that attempts to flow through a given hub, router, firewall, or similar device. Access control is often accomplished by creating a list specifying the IP addresses and/or ports from which permitted traffic can come. The device stops any traffic coming from IP addresses or ports not on the ACL.
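The permit-list behaviour described above (traffic from an address or port not on the list is dropped), as an added Python example that is not part of the original glossary. The policy, the packets and the network ranges (RFC 1918 space and the TEST-NET-3 documentation range) are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AclEntry:
    """One permit entry: traffic from `network` to any of `ports` (empty set = all ports)."""
    network: ipaddress.IPv4Network
    ports: frozenset = field(default_factory=frozenset)


class AccessControlList:
    """A permit-list ACL as the glossary describes: anything matching no entry is dropped."""

    def __init__(self, entries):
        self.entries = list(entries)

    def permits(self, src_ip: str, dst_port: int) -> bool:
        addr = ipaddress.ip_address(src_ip)
        for entry in self.entries:
            if addr in entry.network and (not entry.ports or dst_port in entry.ports):
                return True
        return False  # implicit deny: not on the list, so it is stopped

    def filter(self, packets):
        """Split (src_ip, dst_port) tuples into permitted and dropped lists."""
        permitted, dropped = [], []
        for src, port in packets:
            (permitted if self.permits(src, port) else dropped).append((src, port))
        return permitted, dropped


# Constructed example policy: web ports from the internal LAN, SSH only from one jump host.
ACL = AccessControlList([
    AclEntry(ipaddress.ip_network("10.0.0.0/8"), frozenset({80, 443})),
    AclEntry(ipaddress.ip_network("192.168.50.10/32"), frozenset({22})),
])

# Constructed sample "packets" as (source address, destination port).
SAMPLE_PACKETS = [
    ("10.1.2.3", 443),       # internal host to HTTPS: permitted
    ("10.1.2.3", 22),        # internal host to SSH: dropped (port not listed for that network)
    ("192.168.50.10", 22),   # jump host to SSH: permitted
    ("203.0.113.9", 80),     # outside address (TEST-NET-3): dropped, not on the list
]

if __name__ == "__main__":
    ok, dropped = ACL.filter(SAMPLE_PACKETS)
    print("permitted:", ok)
    print("dropped:  ", dropped)
```

Real device ACLs are evaluated top-down with the same implicit deny at the end, so entry order matters once deny entries are mixed in; this example keeps only permits to match the glossary's description.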
Active mode FTP (File Transfer Protocol)
One of two ways an FTP data connection is made. In active mode, the FTP server establishes the data connection. In passive mode, the client establishes the connection. In general, FTP user agents use active mode and Web user agents use passive mode.
AH (authentication header)
An IPSec header used to verify that the contents of a packet have not been modified while the packet was in transit.
Algorithm (Encryption)
A set of mathematical rules (logic) for the process of encryption and decryption.
ARP (Address Resolution Protocol)
Each device on a network has at least two addresses: a media access control (MAC) address, and an Internet Protocol (IP) address. The MAC address is the address of the physical network interface card inside the device, and never changes for the life of the device. The IP address can change if the machine moves to another part of the network or the network uses DHCP. ARP, one of the IP protocols, is used to match, or resolve, an IP address to its appropriate MAC address (and vice versa). ARP works by broadcasting a packet to all hosts attached to an Ethernet. The packet contains the IP address the sender is interested in communicating with. Most hosts ignore the packet. The target machine, recognizing that the IP address in the packet matches its own, returns an answer.
ARP table
A table of IP addresses stored on a local computer, used to match IP addresses to their corresponding MAC addresses.
Asymmetric Keys
A pair of encryption keys, composed of one public key and one private key. Each key is one way, meaning that a key used to encrypt data cannot be used to decrypt the same data. However, information encrypted using the public key can be decrypted using the private key, and vice versa. This technology is commonly applied to e-mails, which are encrypted for confidentiality en route.
Attack
An attempt to break into a system.
Authentication
1. The process of identifying an individual, usually based on a user name and password. Authentication usually requires something a person has (such as a key, badge, or token), something a person knows (such as a password, ID number, or mother's maiden name), or something a person is (represented by a photo, fingerprint or retina scan, etc.). When authentication requires two of those three things, it is considered strong authentication.
2. A method of associating a user name with a workstation IP address, allowing the tracking of connections based on name rather than IP address. With authentication, you can track users regardless of which machine a person chooses to work from.
Autopartitioning
A feature on some network devices that isolates a node within the workgroup when the node becomes disabled, so as not to affect the entire network or group.
Authorization
To convey official access or legal power to a person or entity.
B
Backdoor
A design fault, planned or accidental, that allows the apparent strength of the design to be easily avoided by those who know the trick.
Block Cipher
A procedure that translates plain text into coded text, operating on blocks of plain text of a fixed size (usually 64 bits). Every block is padded out to be the same size, making the encrypted message harder to guess.
Blocked Port
A security measure in which a specific port is disabled, stopping users outside the firewall from gaining access to the network through that port. The ports commonly blocked by network administrators are the ports most commonly used in attacks.
Botnet
Collection of computers that are infected with small bits of code (bots) that allow a remote computer to control some or all of the functions of the infected machines. The botmaster who controls the infected computers has the ability to manipulate them individually, or collectively as bot armies that act in concert. Botnets are typically used for disreputable purposes, such as Denial of Service attacks, click fraud, and spam.
C
CBC (Cipher Block Chaining)
A technique commonly used by encryption algorithms like Data Encryption Standard (DES) - CBC, where a plain text message is broken into sequential blocks. The first block is encrypted using a given cipher, creating cipher text. That cipher text is used to encrypt the second block of plain text. This pattern continues, with each subsequent block of plain text being encrypted using the cipher text encrypted just before it.
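The chaining described in this entry, together with the fixed-size blocks and padding from the Block Cipher entry above, as an added Python example that is not part of the original glossary. The block cipher here is a deliberately trivial stand-in (XOR with the key, then a byte rotation) so the chaining is easy to follow; it has no security value and is labelled as such. The key, IV and message are constructed for the demonstration. In standard CBC each plaintext block is XORed with the previous ciphertext block and the result is then encrypted, which is the precise form of "encrypted using the cipher text just before it".

```python
BLOCK = 8  # toy block size in bytes (the glossary's "usually 64 bits")


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(block: bytes, key: bytes) -> bytes:
    """Toy 8-byte block cipher: XOR with the key, then rotate bytes left by 3. NOT secure."""
    mixed = _xor(block, key)
    return mixed[3:] + mixed[:3]


def toy_block_decrypt(block: bytes, key: bytes) -> bytes:
    """Inverse of toy_block_encrypt: rotate right by 3, then XOR with the key."""
    unrotated = block[-3:] + block[:-3]
    return _xor(unrotated, key)


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding: always append 1..BLOCK bytes so every block is full."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """No chaining: identical plaintext blocks give identical ciphertext blocks."""
    return b"".join(toy_block_encrypt(b, key) for b in _blocks(pad(plaintext)))


def cbc_encrypt(plaintext: bytes, key: bytes, iv: bytes) -> bytes:
    """CBC: XOR each plaintext block with the previous ciphertext block (the IV for the
    first block), then encrypt. In practice the IV is random and sent with the message."""
    prev, out = iv, []
    for block in _blocks(pad(plaintext)):
        prev = toy_block_encrypt(_xor(block, prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ciphertext: bytes, key: bytes, iv: bytes) -> bytes:
    """Decrypt each block, then XOR with the previous ciphertext block to undo the chaining."""
    prev, out = iv, []
    for block in _blocks(ciphertext):
        out.append(_xor(toy_block_decrypt(block, key), prev))
        prev = block
    return unpad(b"".join(out))


# Constructed demo values: a key, an IV and a message made of two identical blocks.
KEY = b"k3yk3yk3"
IV = bytes(range(BLOCK))
MESSAGE = b"ATTACK!!ATTACK!!"


def compare_modes(message=MESSAGE, key=KEY, iv=IV):
    """Return (ecb_blocks_repeat, cbc_blocks_repeat, cbc_roundtrip_ok)."""
    ecb = _blocks(ecb_encrypt(message, key))
    cbc_ct = cbc_encrypt(message, key, iv)
    cbc = _blocks(cbc_ct)
    return ecb[0] == ecb[1], cbc[0] == cbc[1], cbc_decrypt(cbc_ct, key, iv) == message


if __name__ == "__main__":
    print("ECB repeats, CBC repeats, CBC round-trips:", compare_modes())
```

The message is exactly two blocks long, so the padding step appends a whole extra block of eight 0x08 bytes: with this padding scheme the ciphertext is always longer than the plaintext, never equal.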
Certificate Authority (CA)
A trusted third party (TTP) who verifies the identity of a person or entity, then issues digital certificates vouching that various attributes (e. g., name, a given public key) have a valid association with that entity.
CHAP (Challenge Handshake Authentication Protocol)
A type of authentication where the person logging in uses secret information and some special mathematical operations to come up with a number value. The server he or she is logging into knows the same secret value and performs the same mathematical operations. If the results match, the person is authorized to access the server. One of the numbers in the mathematical operation is changed after every log-in, to protect against an intruder secretly copying a valid authentication session and replaying it later to log in.
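The challenge/response exchange described above, including the reason a recorded session cannot simply be replayed, as an added Python example that is not part of the original glossary. It follows the RFC 1994 response formula (MD5 over identifier, shared secret and challenge); the class and function names, the shared secret and the demo flow are constructed for the illustration.

```python
import hashlib
import hmac
import secrets


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """The peer's reply: MD5 over identifier || shared secret || challenge (RFC 1994)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: hands out a fresh random challenge per login and checks the reply once."""

    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret
        self._ident = 0
        self._pending = None  # (ident, challenge) of the login in progress, if any

    def challenge(self):
        """Issue a new identifier and 16 random challenge bytes."""
        self._ident = (self._ident + 1) % 256
        self._pending = (self._ident, secrets.token_bytes(16))
        return self._pending

    def verify(self, ident: int, response: bytes) -> bool:
        """Recompute the expected hash with the server's copy of the secret and compare."""
        if self._pending is None or ident != self._pending[0]:
            return False
        expected = chap_response(ident, self._secret, self._pending[1])
        self._pending = None  # a challenge is answered at most once
        return hmac.compare_digest(expected, response)


# Constructed shared secret known to both the peer and the authenticator.
SHARED_SECRET = b"correct-horse-battery"


def login(server: ChapAuthenticator, secret: bytes):
    """A peer logging in: answer the current challenge using its own copy of the secret."""
    ident, chal = server.challenge()
    response = chap_response(ident, secret, chal)
    return ident, response, server.verify(ident, response)


def replay_demo():
    """Returns (genuine_ok, replayed_ok, wrong_secret_ok); only the first should be True."""
    server = ChapAuthenticator(SHARED_SECRET)
    _, captured_response, genuine_ok = login(server, SHARED_SECRET)
    # A later session: the server issues a different challenge, so a recorded reply no
    # longer matches even though the secret behind it was correct.
    new_ident, _ = server.challenge()
    replayed_ok = server.verify(new_ident, captured_response)
    wrong_secret_ok = login(server, b"wrong-guess")[2]
    return genuine_ok, replayed_ok, wrong_secret_ok


if __name__ == "__main__":
    print("genuine, replayed, wrong secret:", replay_demo())
```

The secret itself is never sent; what crosses the wire is the identifier, the random challenge and the hash, and the server's copy of the secret is what lets it recompute the same value.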
Cipher Text
The result of encrypting either characters or bits using some algorithm. Cipher text is unreadable until it is decrypted.
CRL (Certificate Revocation List)
An up-to-date list of previously issued certificates that are no longer valid.
Cross-Site Scripting
An attack performed through Web browsers, taking advantage of poorly-written Web applications. Cross-site scripting attacks can take many forms. One common form is for an attacker to trick a user into clicking on a specially-crafted, malicious hyperlink. The link appears to lead to an innocent site, but the site is actually the attacker's, and includes embedded scripts. What the script does is up to the attacker; commonly, it collects data the victim might enter, such as a credit card number or password. The malicious link itself might also collect the victim's cookie data.
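The "poorly-written Web application" side of this entry, as an added Python example that is not part of the original glossary: a page template rendered once with user input inserted verbatim and once with the input HTML-escaped, which is the standard mitigation. The template, the function names and the probe string are constructed for the demonstration.

```python
import html

# Constructed page template: `{name}` is filled from a request parameter.
PAGE = "<p>Welcome back, {name}!</p>"


def render_unsafe(name: str) -> str:
    """Vulnerable: user-supplied text is dropped straight into the HTML document, so any
    markup it contains becomes part of the page and runs in the victim's browser."""
    return PAGE.format(name=name)


def render_safe(name: str) -> str:
    """Hardened: escape <, >, &, and quotes so the browser shows the input as text."""
    return PAGE.format(name=html.escape(name, quote=True))


def contains_injected_markup(rendered: str) -> bool:
    """Crude check used here for illustration: does the page contain more tag openers
    than the template itself?"""
    return rendered.count("<") > PAGE.count("<")


# Constructed probe string of the kind used to test whether output is encoded.
PROBE = '<script>alert("xss")</script>'

if __name__ == "__main__":
    print("unsafe:", render_unsafe(PROBE))
    print("safe:  ", render_safe(PROBE))
```

Escaping must happen at output time and match the context (HTML body here; attribute, URL and JavaScript contexts each need their own encoding), which is why template engines that escape by default are preferred over hand-built string formatting.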
Cryptanalysis
The art or science of transforming cipher text into plain text without initial knowledge of the key used to encrypt the plain text.
CRYPTOCard
One element in a proprietary authentication system, which uses an offline card containing a large secret key to answer security "challenges" from the network. The large number inside the card, called a key, is like a hard-to-guess password used in encrypting and decrypting. The key is never stored on a computer, which increases its safety against unauthorized discovery.
Cryptography
The art and science of encoding and decoding messages using mathematical algorithms that utilize a secret key. The concept has broadened to include managing messages that have some combination of: privacy (by being unreadable to anyone but the sender and receiver); integrity (not modified while en route), and non-repudiation (digitally signed in such a way that the originator cannot plausibly claim he or she did not originate it).
D
Decrypt
To decode data that has been encrypted, turning it back into plain text.
Denial of Service Attack (DoS)
A type of attack aimed at making the targeted system or network unusable, often by monopolizing system resources. For example, in February 2000 a hacker directed thousands of requests to eBay's Web site. The network traffic flooded the available Internet connection so that no users could access eBay for a few hours. A distributed denial of service (DDoS) involves many computer systems, possibly hundreds, all sending traffic to a few choice targets. The term "Denial of Service" is also used imprecisely to refer to any outwardly-induced condition that renders a computer unusable, thus "denying service" to its rightful user.
DES (Data Encryption Standard)
A commonly-used encryption algorithm that encrypts data using a key of 56 bits, which is considered fairly weak given the speed and power of modern computers. Until recently it was the US government's encryption standard, but it has largely been replaced by Triple-DES and AES.
Dictionary Attack
An attempt to guess a password by systematically trying every word in a dictionary as the password. This attack is usually automated, using a dictionary of the hacker's choosing, which may include both ordinary words and jargon, names, and slang.
Diffie-Hellman
A mathematical algorithm that allows two users to exchange a secret key over an insecure medium without any prior secrets. This protocol, named after the inventors who first published it in 1976, is used in Virtual Private Networking (VPN).
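The exchange itself, with both parties' messages and a check that they arrive at the same secret, as an added Python example that is not part of the original glossary. The parameters p=23, g=5 are the textbook toy values and are far too small for real use; the function names, the session-key derivation and the range check on the peer's public value are this example's own choices, not something the glossary specifies.

```python
import hashlib
import secrets


def public_value(p: int, g: int, private: int) -> int:
    """Each side sends g^private mod p over the insecure medium; `private` stays on the host."""
    return pow(g, private, p)


def shared_secret(p: int, peer_public: int, private: int) -> int:
    """Combine the peer's public value with our private exponent: both sides reach g^(ab) mod p.
    Values 0, 1 and p-1 are rejected because they would force the secret to a trivial value."""
    if not 2 <= peer_public <= p - 2:
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, p)


def session_key(secret: int) -> bytes:
    """Hash the agreed secret into a fixed-size symmetric key for the VPN's bulk cipher."""
    length = max(1, (secret.bit_length() + 7) // 8)
    return hashlib.sha256(secret.to_bytes(length, "big")).digest()


def accepts_peer_value(p: int, peer_public: int) -> bool:
    """True if shared_secret() would accept this peer value (exposes the range check)."""
    try:
        shared_secret(p, peer_public, 1)
    except ValueError:
        return False
    return True


# Constructed toy parameters (the textbook p=23, g=5). Real deployments use a large prime
# group such as the IKE MODP groups; these values only keep the arithmetic easy to follow.
TOY_P, TOY_G = 23, 5


def _keypair(p: int, g: int):
    """Pick a random private exponent whose public value passes the range check."""
    while True:
        private = secrets.randbelow(p - 2) + 1
        public = public_value(p, g, private)
        if 2 <= public <= p - 2:
            return private, public


def exchange(p: int = TOY_P, g: int = TOY_G, a=None, b=None):
    """Run both sides. Returns (A, B, agreed): A and B are all an eavesdropper sees;
    `agreed` is whether both sides derived the same session key."""
    a, A = (a, public_value(p, g, a)) if a is not None else _keypair(p, g)
    b, B = (b, public_value(p, g, b)) if b is not None else _keypair(p, g)
    key_a = session_key(shared_secret(p, B, a))  # first party uses the peer's public value B
    key_b = session_key(shared_secret(p, A, b))  # second party uses the peer's public value A
    return A, B, key_a == key_b


if __name__ == "__main__":
    A, B, ok = exchange(a=6, b=15)
    print(f"public values seen on the wire: A={A}, B={B}; keys agree: {ok}")
```

With private exponents 6 and 15 the public values are 8 and 19 and both sides compute the secret 2. An eavesdropper who sees only 8 and 19 would have to solve the discrete logarithm to recover either exponent, which is what makes the scheme usable over an insecure medium once p is large; the unauthenticated form shown here still needs signatures or preshared keys in a VPN to stop an active attacker from running a separate exchange with each side.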
Digital Signature
An electronic identification of a person or thing, intended to verify to a recipient the integrity of data sent to them, and the identity of the sender. Creating a digital signature involves elaborate mathematical techniques that the sender and recipient can both perform on the transmitted data. Performing identical formulas on identical data should produce identical results at both the sending and receiving end. If the recipient's results do not equal the sender's results, the message may have been tampered with en route. If the message was modified after being sent -- even if all someone did was change the punctuation on a sentence, or added an extra space between two of the words -- you could tell. A digital signature typically depends upon three elements: public key encryption, a Certificate Authority, and a digital certificate.
DMZ (Demilitarized Zone)
A partially-protected zone on a network, not exposed to the full fury of the Internet, but not fully behind the firewall. This technique is typically used on parts of the network which must remain open to the public (such as a Web server) but must also access trusted resources (such as a database). The point is to allow the inside firewall component, guarding the trusted resources, to make certain assumptions about the impossibility of outsiders forging DMZ addresses.
DNS (Domain Name System)
A network system of servers that translates numeric IP addresses into readable, hierarchical Internet addresses, and vice versa. This is what allows your computer network to understand that you want to reach the server at 192.168.100.1 (for example) when you type into your browser a domain name such as www.ccnpsecurity.blogspot.com.
DNS cache poisoning
A clever technique that tricks your DNS server into believing it has received authentic information when, in reality, it has been lied to. Why would an attacker corrupt your DNS server's cache? So that your DNS server will give out incorrect answers that provide IP addresses of the attacker's choice, instead of the real addresses. Imagine that someone decides to use the Microsoft Update Web site to get the latest Internet Explorer patch. But, the attacker has inserted phony addresses for update.microsoft.com in your DNS server, so instead of being taken to Microsoft's download site, the victim's browser arrives at the attacker's site and downloads the latest worm.
DNS lookup
The Domain Name Service act of matching a friendly, readable domain name (such as www.ccnpsecurity.blogspot.com) to its associated IP address.
DNS spoofing
An attack technique where a hacker intercepts your system's requests to a DNS server in order to issue false responses as though they came from the real DNS server. Using this technique, an attacker can convince your system that an existing Web page does not exist, or respond to requests that should lead to a legitimate Web site, with the IP address of a malicious Web site. This differs from DNS cache poisoning because in DNS spoofing, the attacker does not hack a DNS server; instead, he inserts himself between you and the server and impersonates the server.
Domain Name Hijacking
An attack technique where the attacker takes over a domain by first blocking access to the victim domain's DNS server, then putting up a malicious server in its place. For example, if a hacker wanted to take over fnark.com, he would have to remove the fnark.com DNS server from operation using a Denial of Service attack to block access to fnark's DNS server. Then, he would put up his own DNS server, advertising it to everyone on the Internet as fnark.com. When an unsuspecting user went to access fnark.com, he would get the attacker's domain instead of the real one.