NordVPN CLI commands

Welcome to NordVPN Linux client app!

Version 3.7.4

Website: https://nordvpn.com

Usage: nordvpn [global options] command [command options] [arguments…]

Commands:

     account        Shows account information

     cities         Shows a list of cities where servers are available

     connect, c     Connects you to VPN

     countries      Shows a list of countries where servers are available

     disconnect, d  Disconnects you from VPN

     groups         Shows a list of available server groups

     login          Logs you in

     logout         Logs you out

     rate           Rate your last connection quality (1-5)

     register       Registers a new user account

     set, s         Sets a configuration option

     settings       Shows current settings

     status         Shows connection status

     whitelist      Adds or removes an option from a whitelist

     help, h        Shows a list of commands or help for one command

Global options:

   --help, -h     show help

   --version, -v  print the version

For more detailed information, please check manual page.

Find the WiFi password for current network using the command line

Open a command prompt window and type the following, substituting mywifinetwork with your network's SSID (no quotes):

c:\users\SSID>netsh wlan show profile name=mywifinetwork key=clear

This should produce output that includes something similar to this:

Security settings
-----------------
Authentication : WPA2-Personal
Cipher : CCMP
Security key : Present
Key Content : this_is_the_password

What does the error “IDS_ACCESS_FORBIDDEN” mean?

Environment: Cisco Web Security Appliance (WSA), AsyncOS version 6.0 and later, data filters enabled

Symptoms: Users are unable to upload files or documents to a web site and receive this error message. The error is also seen while logging in to certain web sites.

AsyncOS versions 6.0 and later provide a feature called Data Security (IDS) filters. IDS blocks file uploads to certain web sites based on the site's WBRS score, its URL category, or the size of the file.

The notification message IDS_ACCESS_FORBIDDEN indicates that a file upload or access was blocked, based on the Data Security policy configuration.

Further, the BLOCK-WEBCAT code indicates that a particular URL category was configured to Block under:
GUI -> Security services -> Cisco Data Security

You can allow access by using either of these methods:
Monitor access in IDS policies

  1. Under GUI -> Web Security Manager -> Cisco Data Security
  2. Configure the particular URL category to Monitor
  3. Submit and Commit the changes

Allow access using a custom URL category

  1. Under GUI -> Web Security Manager -> Custom URL Categories
  2. Create a custom URL category for the web site (include both forms of the domain, e.g. example.com and .example.com)
  3. Under GUI -> Web Security Manager -> Cisco Data Security
  4. Configure the above custom URL category to Monitor
  5. Submit and Commit the changes

Please note:
On AsyncOS versions 6.3 and later, the web site could also be categorized by the Dynamic Content Analysis (DCA) engine. To verify this, check whether DCA is enabled under GUI -> Security services -> Acceptable Use Controls.

Cisco vWLC CLI Password change

Configuring Administrator Usernames and Passwords

You can configure administrator usernames and passwords to prevent unauthorized users from reconfiguring the controller and viewing configuration information. This section provides instructions for initial configuration and for password recovery.

Configuring Usernames and Passwords

To configure administrator usernames and passwords using the controller CLI, follow these steps:


Step 1 Configure a username and password by entering one of these commands:

config mgmtuser add username password read-write—Creates a username-password pair with read-write privileges.

config mgmtuser add username password read-only—Creates a username-password pair with read-only privileges.

Usernames and passwords are case-sensitive and can contain up to 24 ASCII characters. Usernames and passwords cannot contain spaces.


Note If you ever need to change the password for an existing username, enter the config mgmtuser password username new_password command.


Step 2 List the configured users by entering this command:

show mgmtuser

(Cisco Controller) >show mgmtuser

User Name                Permissions    Description           Password Strength
-----------------------  -------------  --------------------  -----------------
admin                    read-write                           Strong
admin-wpe                read-write                           Strong
peters                   read-write                           Strong
(Cisco Controller) >

SQUID ACCESS.LOG MEANING EXPLAINED

The Squid access log is very informative if you know how to dig something out of it. The following is a line from the access.log file.

1201172176.719 1190 127.0.0.1 TCP_MISS/200 529 GET http://www.blogger.com/status.g? - DIRECT/72.14.221.191 application/xml

This line can be written as:

Timestamp, Total time, Source, Action/Code, Size, Method, URL, Ident, Hierarchy/From, Content type

1: Timestamp Time when the request was completed.
2: Total time Total time taken to complete the request
3: Source IP address of the client
4: Action/Code Action taken for the request
5: Size Total size of the request in bytes
6: Method Whether the request was GET or POST
7: URL The actual request
8: Ident Usually -
9: Hierarchy/From How the object is fetched and from where
10: Content type Type of object

Action

“TCP_” refers to requests on the HTTP port (3128)
TCP_HIT A valid copy of the requested object was in the cache.
TCP_MISS The requested object was not in the cache.
TCP_REFRESH_HIT An expired copy of the requested object was in the cache. Squid made an If-Modified-Since request and the response was “Not Modified.”
TCP_REFRESH_FAIL_HIT An expired copy of the requested object was in the cache. Squid attempted to make an If-Modified-Since request, but it failed. The old (stale) object was delivered to the client.
TCP_REFRESH_MISS An expired copy of the requested object was in the cache. Squid made an If-Modified-Since request and received a new, different object.
TCP_CLIENT_REFRESH The client issued a request with the “no-cache” pragma. (“reload” – handled as MISS)
TCP_IMS_HIT An If-Modified-Since GET request was received from the client. A valid copy of the object was in the cache (fresh).
TCP_IMS_MISS An If-Modified-Since GET request was received from the client. The requested object was not in the cache (stale).
TCP_SWAPFAIL The object was believed to be in the cache, but could not be accessed.
TCP_DENIED Access was denied for this request.


“UDP_” refers to requests on the ICP port (3130)
UDP_HIT A valid copy of the requested object was in the cache
UDP_HIT_OBJ Same as UDP_HIT, but the object data was small enough to be sent in the UDP reply packet. Saves the following TCP request.
UDP_MISS The requested object was not in the cache
UDP_DENIED Access was denied for this request
UDP_INVALID An invalid request was received.
UDP_RELOADING The neighbor cache is reloading its disk store metadata and does not want any TCP requests for MISSES until it is finished.


Errors
ERR_READ_TIMEOUT The remote site or network is unreachable – may be down.
ERR_LIFETIME_EXP The remote site or network may be too slow or down.
ERR_NO_CLIENTS_BIG_OBJ All clients went away before transmission completed and the object is too big to cache.
ERR_READ_ERROR The remote site or network may be down.
ERR_CLIENT_ABORT Client dropped connection before transmission completed. Squid fetches the object according to its settings for 'quick_abort'.
ERR_CONNECT_FAIL The remote site or server may be down.
ERR_INVALID_REQ Invalid HTTP request
ERR_UNSUP_REQ Unsupported request
ERR_INVALID_URL Invalid URL syntax
ERR_NO_FDS Out of file descriptors
ERR_DNS_FAIL DNS name lookup failure
ERR_NOT_IMPLEMENTED Protocol Not Supported
ERR_CANNOT_FETCH The requested URL can not currently be retrieved.
ERR_NO_RELAY There is no WAIS relay host defined for this cache.
ERR_DISK_IO The system disk is out of space or failing.
ERR_ZERO_SIZE_OBJECT The remote server closed the connection before sending any data.
ERR_FTP_DISABLED This cache is configured to NOT retrieve FTP objects.
ERR_PROXY_DENIED Access Denied. The user must authenticate himself before accessing this cache.


CODE

Code Reason phrase RFC 2616 section
0 No Response Received (Squid-specific) N/A
1xx Informational 10.1
100 Continue 10.1.1
101 Switching Protocols 10.1.2
2xx Successful 10.2
200 OK 10.2.1
201 Created 10.2.2
202 Accepted 10.2.3
203 Non-Authoritative Information 10.2.4
204 No Content 10.2.5
205 Reset Content 10.2.6
206 Partial Content 10.2.7
3xx Redirection 10.3
300 Multiple Choices 10.3.1
301 Moved Permanently 10.3.2
302 Found 10.3.3
303 See Other 10.3.4
304 Not Modified 10.3.5
305 Use Proxy 10.3.6
306 (Unused) 10.3.7
307 Temporary Redirect 10.3.8
4xx Client Error 10.4
400 Bad Request 10.4.1
401 Unauthorized 10.4.2
402 Payment Required 10.4.3
403 Forbidden 10.4.4
404 Not Found 10.4.5
405 Method Not Allowed 10.4.6
406 Not Acceptable 10.4.7
407 Proxy Authentication Required 10.4.8
408 Request Timeout 10.4.9
409 Conflict 10.4.10
410 Gone 10.4.11
411 Length Required 10.4.12
412 Precondition Failed 10.4.13
413 Request Entity Too Large 10.4.14
414 Request-URI Too Long 10.4.15
415 Unsupported Media Type 10.4.16
416 Requested Range Not Satisfiable 10.4.17
417 Expectation Failed 10.4.18
5xx Server Error 10.5
500 Internal Server Error 10.5.1
501 Not Implemented 10.5.2
502 Bad Gateway 10.5.3
503 Service Unavailable 10.5.4
504 Gateway Timeout 10.5.5
505 HTTP Version Not Supported 10.5.6
6xx Proxy Error N/A
600 Unparseable Response Headers (Squid-specific) N/A

Methods

GET Request URL
HEAD Request only HTTP headers of the supplied URL and no document body
POST Transfer data to the supplied URL
PUT Store data under the supplied URL
CONNECT Forward data to SSL-Server:Port
ICP_QUERY Request from a Parent/Neighbor for the supplied URL
NONE Request of an unsupported method

Hierarchy

NONE The object requested by a sibling was not in my cache.
DIRECT The object has been requested from the origin server.
SIBLING_HIT The object was requested from a neighbor cache which replied with a UDP_HIT (formerly logged as NEIGHBOR_HIT).
PARENT_HIT The object was requested from a parent cache which replied with a UDP_HIT.
DEFAULT_PARENT The object was requested from a default parent cache appropriate for this URL.
SINGLE_PARENT The object was requested from the only parent cache appropriate for this URL.
FIRST_UP_PARENT The object has been requested from the first available parent in your list.
NO_PARENT_DIRECT The object was requested from the origin server because no parent caches exist for the URL.
FIRST_PARENT_MISS The object has been requested from the parent cache with the fastest weighted round trip time.
ROUNDROBIN_PARENT No ICP queries were received from any parent caches. This parent was chosen because it was marked as ‘default’ in the config file and it had the lowest round-robin use count.
CLOSEST_PARENT_MISS This parent was selected because it included the lowest RTT measurement to the origin server. This only appears with ‘query_icmp on’ set in the config file.
CLOSEST_DIRECT The object was fetched directly from the origin server because this cache measured a lower RTT than any of the parent caches.
LOCAL_IP_DIRECT The object has been requested from the origin server because the origin host IP address matched your ‘local_ip’ list.
FIREWALL_IP_DIRECT The object has been requested from the origin server because the origin host IP address is inside your firewall.
NO_DIRECT_FAIL The object could not be requested because of firewall restrictions and no parent caches were available.
SOURCE_FASTEST The object was requested from the origin server because the ‘source_ping’ reply arrived first.
SIBLING_UDP_HIT_OBJ The object was received in a UDP_HIT_OBJ reply from a neighbor cache (formerly logged as UDP_HIT_OBJ).
PARENT_UDP_HIT_OBJ The object was received in a UDP_HIT_OBJ reply from a parent cache (formerly logged as UDP_HIT_OBJ).
PASSTHROUGH_PARENT The neighbor or proxy defined in the config option ‘passthrough_proxy’ was used.
SSL_PARENT_MISS The neighbor or proxy defined in the config option ‘ssl_proxy’ was used.
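An added example in Python (not from the original post): a parser for the ten-field native access.log layout listed above, plus a small review pass that uses the TCP_DENIED action and the CONNECT method from the tables. The sample lines are constructed; the first is the post's own line with a plain hyphen in the ident field.

```python
# Added example (not from the original post): parse the native access.log layout.
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class SquidEntry:
    time: datetime
    elapsed_ms: int
    client: str
    action: str        # e.g. TCP_MISS, TCP_DENIED
    code: int          # HTTP status; 0 when no response was received
    size: int
    method: str
    url: str
    ident: str
    hierarchy: str     # e.g. DIRECT, DEFAULT_PARENT, NONE
    peer: str          # host or peer the object came from
    content_type: str

def parse_line(line: str) -> SquidEntry:
    fields = line.split()   # ten whitespace-separated fields, two of them slash-joined
    if len(fields) != 10:
        raise ValueError(f"expected 10 fields, got {len(fields)}: {line!r}")
    ts, elapsed, client, action_code, size, method, url, ident, hier, ctype = fields
    action, code = action_code.split("/", 1)
    hierarchy, peer = hier.split("/", 1)
    return SquidEntry(datetime.fromtimestamp(float(ts), tz=timezone.utc),
                      int(elapsed), client, action, int(code), int(size),
                      method, url, ident, hierarchy, peer, ctype)

# Constructed sample lines (the first one is the line from the post).
SAMPLE_LOG = """\
1201172176.719 1190 127.0.0.1 TCP_MISS/200 529 GET http://www.blogger.com/status.g? - DIRECT/72.14.221.191 application/xml
1201172180.102 3 10.0.0.5 TCP_DENIED/403 1254 GET http://example.com/upload.php - NONE/- text/html
1201172181.550 45 10.0.0.5 TCP_MISS/200 0 CONNECT example.net:8443 - DIRECT/192.0.2.10 -
"""

def review(log_text: str) -> dict:
    """Denied requests per client, CONNECT tunnels to non-443 ports, action mix."""
    denied, actions, odd_connects = Counter(), Counter(), []
    for line in log_text.splitlines():
        e = parse_line(line)
        actions[e.action] += 1
        if e.action == "TCP_DENIED":
            denied[e.client] += 1
        if e.method == "CONNECT" and not e.url.endswith(":443"):
            odd_connects.append((e.client, e.url))
    return {"denied": dict(denied), "actions": dict(actions), "odd_connects": odd_connects}
```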

About Diffie-Hellman Groups

Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process. Higher group numbers are more secure, but require additional time to compute the key.

Firebox or XTM devices support Diffie-Hellman groups 1, 2, and 5:

  • DH Group 1: 768-bit group
  • DH Group 2: 1024-bit group
  • DH Group 5: 1536-bit group

Both peers in a VPN exchange must use the same DH group, which is negotiated during Phase 1 of the IPSec negotiation process. When you define a manual BOVPN tunnel, you specify the Diffie-Hellman group as part of Phase 1 of creating an IPSec connection. This is where the two peers make a secure, authenticated channel they can use to communicate.

DH groups and Perfect Forward Secrecy (PFS)

In addition to Phase 1, you can also specify the Diffie-Hellman group in Phase 2 of an IPSec connection. Phase 2 configuration includes settings for a security association (SA), or how data packets are secured when they are passed between two endpoints. You specify the Diffie-Hellman group in Phase 2 only when you select Perfect Forward Secrecy (PFS).

PFS makes keys more secure because new keys are not made from previous keys. If a key is compromised, new session keys are still secure. When you specify PFS during Phase 2, a Diffie-Hellman exchange occurs each time a new SA is negotiated.

The DH group you choose for Phase 2 does not need to match the group you choose for Phase 1.

How to Choose a Diffie-Hellman Group

The default DH group for both Phase 1 and Phase 2 is Diffie-Hellman Group 1. This group provides basic security and good performance. If the speed for tunnel initialization and rekey is not a concern, use Group 2 or Group 5. Actual initialization and rekey speed depends on a number of factors. You might want to try DH Group 2 or 5 and decide whether the slower performance time is a problem for your network. If the performance is unacceptable, change to a lower DH group.

Performance Analysis

The following table shows the output of a software application that generates 2000 Diffie-Hellman values. These figures are for a 1.7GHz Intel Pentium 4 CPU.

DH Group   No. of key pairs   Time required   Time per key pair
Group 1    2000               43 sec          21 ms
Group 2    2000               84 sec          42 ms
Group 5    2000               246 sec         123 ms
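An added example in Python (not WatchGuard's code): a textbook Diffie-Hellman exchange over the three groups described above, a check that each modulus is the safe prime it claims to be, and a timing loop in the spirit of the performance table. The moduli are the RFC 2409 group 1 and 2 primes and the RFC 3526 group 5 prime as transcribed here, with generator 2; this is toy code, so unlike IKE it neither authenticates the peers nor runs the secret through a PRF.

```python
# Added example (not the article's code): DH over the MODP groups listed above.
import secrets
import time

MODP_GROUPS = {  # RFC 2409 groups 1, 2 and RFC 3526 group 5 as transcribed here
    1: int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
           "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
           "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16),
    2: int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
           "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
           "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
           "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16),
    5: int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
           "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
           "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
           "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
           "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
           "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16),
}
G = 2  # generator for all three groups

def check_group(group: int, bits: int) -> bool:
    # Safe prime p = 2q+1 with p = 7 (mod 8): 2 is a quadratic residue, so 2^q = 1 (mod p).
    p = MODP_GROUPS[group]
    return p.bit_length() == bits and p % 8 == 7 and pow(G, (p - 1) // 2, p) == 1

def keypair(p: int) -> tuple:
    x = secrets.randbelow(p - 3) + 2           # private exponent in [2, p-2]
    return x, pow(G, x, p)                     # (private, public value)

def shared_secret(p: int, private: int, peer_public: int) -> int:
    if not 1 < peer_public < p - 1:            # reject 0, 1 and p-1
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, p)

def exchange(group: int) -> int:
    """Phase 1 (or PFS Phase 2) exchange; fresh exponents every call, so one SA's secret says nothing about the next."""
    p = MODP_GROUPS[group]
    xa, ya = keypair(p)
    xb, yb = keypair(p)
    ka, kb = shared_secret(p, xa, yb), shared_secret(p, xb, ya)
    assert ka == kb
    return ka

def ms_per_keypair(group: int, n: int = 20) -> float:
    p, start = MODP_GROUPS[group], time.perf_counter()   # like the table: ms per key pair
    for _ in range(n):
        keypair(p)
    return (time.perf_counter() - start) * 1000 / n
```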