PFS (Perfect Forward Secrecy)

PFS ensures that the same key is never generated again by forcing a new Diffie-Hellman key exchange. This means that if a hacker or criminal compromised a private key, they would only be able to access the data in transit protected by that key and not any future data, because future data would not be derived from the compromised key.

PFS is enabled on an ASA with the crypto map set pfs command.

Both sides of the VPN must support PFS for it to work. When PFS is turned on, for every negotiation of a new phase 2 SA the two gateways must generate a new set of phase 1 keys. This is the extra layer of protection PFS adds: once the phase 2 SAs have expired, the keys used for the new phase 2 SAs are not generated from the current phase 1 keying material. If PFS is not turned on, the keying material already established at phase 1 is reused to generate the new phase 2 SAs.

Therefore using PFS provides a more secure VPN connection, although it does have a drawback: it requires more processing power and takes slightly longer for phase 1 and 2 to complete. The keys PFS produces are session keys. A session key is created for one particular session only; when the session is brought down the key is destroyed and never used again, and the next time a session is initiated a new and completely different session key is created.

You don’t have to use PFS if you don’t want to; just leave it disabled. However, if you are protecting very sensitive data then it should probably be enabled. It depends on your requirements and security policies, on how sensitive your data is and on how often you would like to renew the keys. What is the worst that could happen if a criminal did get their hands on this sensitive data? The answer should give you a good indication as to whether you should have PFS enabled and how often each key should be renewed. Just remember that having it enabled and renewing keys more often has a small performance impact but provides further security.

So in a nutshell, leaving PFS on improves security by forcing a new key exchange every so often, depending on the configured lifetime settings.
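To make the argument above concrete, here is an added toy model (not code from the original notes or from Cisco) of how a phase 2 key is derived with and without PFS. The 127-bit DH modulus and the HMAC-SHA256 KDF are assumptions chosen for readability, not the real IKE groups or PRF; what matters is which inputs the attacker holds after a phase 1 secret leaks.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy Mersenne prime, NOT a real IKE DH group (assumption for illustration)
G = 2

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2          # 2 <= priv <= P-2
    return priv, pow(G, priv, P)

def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(16, "big")

def kdf(secret, label):
    # stand-in for the IKE PRF; HMAC-SHA256 is an assumption, not the ASA's PRF
    return hmac.new(secret, label, hashlib.sha256).digest()

def child_key(phase1_secret, nonces, fresh_dh_secret=None):
    """Phase 2 (child SA) key. Without PFS it is a pure function of phase 1
    material; with PFS a fresh DH secret from a new exchange is mixed in."""
    extra = b"" if fresh_dh_secret is None else fresh_dh_secret
    return kdf(phase1_secret, extra + b"child-sa" + nonces)

def rekey(pfs):
    """Return (key the gateways derive, key an attacker holding the leaked
    phase 1 secret plus everything sent on the wire can recompute, or None)."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    phase1 = dh_shared(a_priv, b_pub)
    assert phase1 == dh_shared(b_priv, a_pub)   # both gateways agree on phase 1
    nonces = secrets.token_bytes(16)            # nonces travel in the clear
    if not pfs:
        # phase 2 key reuses phase 1 material only, so the leak gives it away
        return child_key(phase1, nonces), child_key(phase1, nonces)
    # PFS: a second, ephemeral DH exchange for this phase 2 SA
    a2_priv, a2_pub = dh_keypair()
    b2_priv, b2_pub = dh_keypair()
    fresh = dh_shared(a2_priv, b2_pub)
    key = child_key(phase1, nonces, fresh)
    del a2_priv, b2_priv        # ephemeral private values are discarded after use
    # the attacker sees a2_pub and b2_pub but not fresh; recovering it from the
    # public values is a discrete-log problem, so the child key cannot be rebuilt
    return key, None
```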
VSFTPD – Starting and Stopping

To start the server, as root type:

/sbin/service vsftpd start

To stop the server, as root type:

/sbin/service vsftpd stop

The restart option is a shorthand way of stopping and then starting vsftpd. This is the most efficient way to make configuration changes take effect after editing the configuration file for vsftpd.

To restart the server, as root type:

/sbin/service vsftpd restart

The condrestart (conditional restart) option only restarts vsftpd if it is currently running. This option is useful for scripts, because it does not start the daemon if it is not running.

To conditionally restart the server, as root type:

/sbin/service vsftpd condrestart

How to reset Cisco ASA 5505 to factory default setting
Step 1:
Enter global configuration mode with the command below

ASA5505# config terminal
Step 2:
Now enter the command below to return the firewall to its default settings

ASA5505(config)# config factory-default

If you want to get back to the prompt that looks like ‘ciscoasa(config)#’, then follow the third step:

Step 3:

ASA5505(config)# reload save-config noconfirm

Now make sure that the outside line is plugged into port Ethernet0, and your PC is plugged into any of the ports 1-7.

The Cisco ASA has been reset to factory settings. DHCP is enabled on the Cisco device, and its internal IP address is now 192.168.1.1!

Adding a Guest VLAN to a network (and blocking access to other networks)

To be configured on the switch: first create the VLAN (L2/L3)

(in config mode)

!
vlan 99
name Guest_LAN
!
interface Vlan99
description Guest VLAN
ip address 192.168.99.1 255.255.255.0

!

Create DHCP pool for Guest network

!
ip dhcp pool GUEST_LAN
network 192.168.99.0 255.255.255.0
dns-server 8.8.8.8 198.153.192.1
default-router 192.168.99.1

!

Exclude hosts if required, e.g.

!

ip dhcp excluded-address 192.168.99.1 192.168.99.10

!

Configure the required ports for the guest VLAN, e.g. ports 25 to 48

!
interface range GigabitEthernet1/0/25-48
description Guest User VLAN
switchport access vlan 99
spanning-tree portfast
!

We now need to prevent users in the Guest VLAN from accessing other networks (if required), so we first create an extended access list and then apply it to the Guest VLAN interface. We will call it guest-in in this example and block access to the networks below.

!
ip access-list extended guest-in
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.0.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
!

And that is the basic plumbing done for your Guest VLAN. Your router will also need a route to this network and access-list(s) configured.
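To check what the guest-in list actually blocks before applying it, here is an added example (not part of the original notes or any Cisco tool) that parses the four entries above and evaluates constructed sample flows with IOS wildcard-mask semantics, including the implicit deny at the end of every ACL.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask semantics: a 1 bit in the mask means 'don't care'."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' entries, where each side is 'any'
    or '<address> <wildcard>' (the only forms used in guest-in)."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] in ("!", "ip"):    # skip blanks, comments, header line
            continue
        action, rest = parts[0], parts[2:]          # parts[1] is the protocol, 'ip'
        specs = []
        for _ in range(2):                          # source spec, then destination spec
            token = rest.pop(0)
            specs.append("any" if token == "any" else (token, rest.pop(0)))
        rules.append((action, specs[0], specs[1]))
    return rules

def evaluate(rules, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s, d in rules:
        if all(spec == "any" or wildcard_match(ip, *spec)
               for spec, ip in ((s, src), (d, dst))):
            return action
    return "deny"

# the list from the notes above, constructed here as a string for parsing
GUEST_IN = """\
ip access-list extended guest-in
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.0.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any
"""
RULES = parse_acl(GUEST_IN)
```

Note that the wildcard 0.0.255.255 only covers 172.16.0.0/16; the full private block 172.16.0.0/12 would need 0.15.255.255. The list is applied under interface Vlan99 with ip access-group guest-in in.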
Logging Cisco Login Attempts

Specify a syslog server on the router

Router(config)#logging a.b.c.d

Enable notification-level trap logging on the router

Router(config)#logging trap notifications

Enable logging for successful and unsuccessful login attempts

Router(config)#login on-success log
Router(config)#login on-failure log

You can also block login attempts to the device if a number of failures occur within a specific amount of time (e.g. block for 120 seconds if there are 3 failed attempts within 60 seconds)

Router(config)#login block-for 120 attempts 3 within 60

If you like, you can change the source address that will be shown on the syslog server

Router(config)#logging source-interface FastEthernet0/0

You can enable a specific amount of delay in seconds between logins to the router

Router(config)#login delay 5
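To see how login block-for 120 attempts 3 within 60 behaves, here is an added simulation (not Cisco code and not from the original notes) run over a constructed list of login events. It models IOS quiet mode as device-wide, which is an assumption drawn from how the feature is documented: once the threshold is hit, every login is refused until the block period ends.

```python
from collections import deque

class LoginGuard:
    """Model of IOS 'login block-for <block_for> attempts <attempts> within <within>'."""
    def __init__(self, block_for=120, attempts=3, within=60):
        self.block_for, self.attempts, self.within = block_for, attempts, within
        self.failures = deque()      # timestamps of recent failures, device-wide
        self.quiet_until = None      # end of quiet mode, or None when not in it

    def attempt(self, t, success):
        """Return 'blocked', 'accepted' or 'failed' for a login at time t (seconds)."""
        if self.quiet_until is not None and t < self.quiet_until:
            return "blocked"         # quiet mode: all logins are refused
        self.quiet_until = None
        if success:
            return "accepted"
        self.failures.append(t)
        while self.failures and self.failures[0] <= t - self.within:
            self.failures.popleft()  # forget failures outside the watch window
        if len(self.failures) >= self.attempts:
            self.quiet_until = t + self.block_for   # threshold reached: enter quiet mode
            self.failures.clear()
        return "failed"

# constructed events: (seconds since start, login succeeded?)
EVENTS = [(0, False), (20, False), (45, False), (50, True), (171, True), (200, False)]

def run(events, **kw):
    """Apply the guard to a list of events and return the verdict for each."""
    guard = LoginGuard(**kw)
    return [guard.attempt(t, ok) for t, ok in events]
```

The fourth event is a correct password that is still refused because the router is in quiet mode; on a real device, add login quiet-mode access-class so your management hosts are not locked out with everyone else.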

If you would like to send a log of all changes that have been made on the router configuration to the syslog server as well, you need to do these steps:

!## Enter archive configuration mode

Router(config)# archive
!## Enter the configuration change logger mode
Router(config-archive)# log config
!## Enable logging for configuration change
Router(config-archive-log-config)# logging enable
!## Change the logging queue size (Optional)
Router(config-archive-log-config)# logging size 200
!## Hide passwords from being sent to syslog in clear text (Optional)
Router(config-archive-log-config)# hidekeys
!## Send logs to syslog server
Router(config-archive-log-config)# notify syslog
Router(config-archive-log-config)# end

Cisco IP Inspect command explained

IP inspect helps a router act more like an ASA; the goal is to allow only certain traffic inbound.

For example, let’s consider an inbound access list that is very restrictive, or simply “deny ip any any”. With that alone, the inside hosts can make requests to outside servers but never receive the responses; a TCP three-way handshake can’t even complete. So what we do is inspect traffic outbound. That builds a state table in the router which allows the return traffic to bypass the inbound ACL. The inspect also performs some protocol validation on the initial outbound traffic. So a very simple configuration might look like the following.

ip inspect name FWOUT tcp
ip inspect name FWOUT udp
ip inspect name FWOUT icmp
ip inspect name FWOUT ftp

//ftp is important to inspect because it can use a secondary port initiated from the outside

ip access-list extended INBOUND
deny ip any any

int fa0/0
description OUTSIDE
ip access-group INBOUND in
ip inspect FWOUT out
ip address 1.1.1.1 255.255.255.0
ip nat outside

int fa0/1
description INSIDE
ip address 192.168.0.1 255.255.255.0
ip nat inside
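Here is an added model (not Cisco code, not from the original notes) of the state table that ip inspect FWOUT out builds for the configuration above, and of why the ftp line matters: the active-mode data connection comes back from the server’s port 20 to a port the client announced, which only the FTP inspector knows to expect. NAT is left out, and the addresses and flows are constructed for the demonstration.

```python
class InspectTable:
    """State table built by 'ip inspect FWOUT out' on the OUTSIDE interface."""
    def __init__(self, protocols=("tcp", "udp", "icmp")):
        self.protocols = set(protocols)
        self.sessions = set()   # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, proto, src, sport, dst, dport):
        """Inside host opens a session; if the protocol is inspected, remember it."""
        if proto in self.protocols:
            self.sessions.add((proto, src, sport, dst, dport))
        return "permit"         # nothing filters outbound traffic in this design

    def ftp_port_command(self, client_ip, client_port, server_ip):
        """Active-mode FTP: the PORT command on the control channel tells the server
        to connect back from port 20; only the ftp inspector opens that pinhole."""
        if "ftp" in self.protocols:
            self.sessions.add(("tcp", client_ip, client_port, server_ip, 20))

    def inbound(self, proto, src, sport, dst, dport):
        """Return traffic bypasses INBOUND only when it matches a recorded session;
        anything else hits 'deny ip any any'."""
        if (proto, dst, dport, src, sport) in self.sessions:
            return "permit"
        return "deny"

def demo(inspect_ftp):
    """Constructed flows: a web request, an unsolicited inbound connection, and an
    active-mode FTP data channel. Returns the three inbound verdicts."""
    protos = ("tcp", "udp", "icmp", "ftp") if inspect_ftp else ("tcp", "udp", "icmp")
    fw = InspectTable(protos)
    inside, web, ftp_srv = "192.168.0.10", "203.0.113.5", "203.0.113.9"
    stranger = "198.51.100.7"
    fw.outbound("tcp", inside, 51000, web, 80)        # inside host browses a web site
    fw.outbound("tcp", inside, 51001, ftp_srv, 21)    # inside host opens FTP control channel
    fw.ftp_port_command(inside, 51002, ftp_srv)       # client announces data port 51002
    return (fw.inbound("tcp", web, 80, inside, 51000),       # reply to the web request
            fw.inbound("tcp", stranger, 4444, inside, 22),   # nobody inside asked for this
            fw.inbound("tcp", ftp_srv, 20, inside, 51002))   # FTP data channel from port 20
```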