Cisco Iron Port TAIL Command

Posted on June 18, 2013 by otrdemo — Leave a comment

Description Continuously display the end of a log file. The tail command also accepts the

name or number of a log to view as a parameter: tail 9 or tail mail_logs.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode. It is further restricted to the login host (i.e., the specific machine you are logged onto).

This command requires access to the local file system.

Batch Command: This command does not support a batch format.

Trap target: snmp-monitor.example.com

EXAMPLE

tail error_logs

Currently configured logs:

1. “antispam” Type: “Anti-Spam Logs” Retrieval: FTP Poll

2. “antivirus” Type: “Anti-Virus Logs” Retrieval: FTP Poll

3. “asarchive” Type: “Anti-Spam Archive” Retrieval: FTP Poll

4. “authentication” Type: “Authentication Logs” Retrieval: FTP Poll

5. “avarchive” Type: “Anti-Virus Archive” Retrieval: FTP Poll

6. “bounces” Type: “Bounce Logs” Retrieval: FTP Poll

7. “cli_logs” Type: “CLI Audit Logs” Retrieval: FTP Poll

8. “encryption” Type: “Encryption Logs” Retrieval: FTP Poll

9. “error_logs” Type: “IronPort Text Mail Logs” Retrieval: FTP Poll

10. “euq_logs” Type: “IronPort Spam Quarantine Logs” Retrieval: FTP Poll

11. “euqgui_logs” Type: “IronPort Spam Quarantine GUI Logs” Retrieval: FTP Pol

12. “ftpd_logs” Type: “FTP Server Logs” Retrieval: FTP Poll

13. “gui_logs” Type: “HTTP Logs” Retrieval: FTP Poll

14. “mail_logs” Type: “IronPort Text Mail Logs” Retrieval: FTP Poll

15. “reportd_logs” Type: “Reporting Logs” Retrieval: FTP Poll

16. “reportqueryd_logs” Type: “Reporting Query Logs” Retrieval: FTP Poll

17. “scanning” Type: “Scanning Logs” Retrieval: FTP Poll

18. “slbld_logs” Type: “Safe/Block Lists Logs” Retrieval: FTP Poll

19. “sntpd_logs” Type: “NTP logs” Retrieval: FTP Poll

20. “status” Type: “Status Logs” Retrieval: FTP Poll

21. “system_logs” Type: “System Logs” Retrieval: FTP Poll

22. “trackerd_logs” Type: “Tracking Logs” Retrieval: FTP Poll

23. “updater_logs” Type: “Updater Logs” Retrieval: FTP Poll

Enter the number of the log you wish to tail

Tagged with: cli, errors, ironport, logs, tail, tools, usage
Posted in Cisco

Site-2-Site VPN with ASA + No NAT rule (Post 8.3)

Posted on June 17, 2013 by otrdemo — Leave a comment

Initial Configurations

F1:

interface Vlan1
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.252
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

F2:

interface Vlan1
 nameif outside
 security-level 0
 ip address 172.16.2.2 255.255.255.252
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 10.0.2.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 172.16.2.1 1

Step 1: ISAKMP Policy

First we need to define an ISAKMP policy. ISAKMP is used to establish the initial asymmetrically encrypted channels between the two endpoints so that they can securely negotiate a pair of one-way IPsec security associations (SAs). For more background on IPsec fundamentals, see my IPsec quick and dirty article.

For simplicity, we’ll use a static pre-shared key for ISAKMP authentication (which will be defined in step four).

F1(config)# isakmp policy 1
F1(config-isakmp-policy)# authentication pre-share
F1(config-isakmp-policy)# encryption aes-256
F1(config-isakmp-policy)# hash sha
F1(config-isakmp-policy)# group 2
F1(config-isakmp-policy)# lifetime 86400
F1(config-isakmp-policy)# exit
F1(config)# isakmp enable outside

The finished configuration can be copied verbatim from F1 to F2:

crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

Step 2: IPsec Transform Set

An IPsec transform set establishes the encryption and authentication (HMAC) methods to be employed by the IPsec SAs. While it is possible to enable several options, both sides of our VPN will be configured to support only 256-bit AES and SHA-1. Our transform set is named L2L.

F1(config)# crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac

F2(config)# crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac

Step 3: Create an ACL to Match Traffic

Next we need to create an access list to match plain (unencrypted) traffic which should be encrypted and routed through the IPsec tunnel between the two LANs. This access list will be referenced by the crypto map we’ll create in step five. In the real world, crypto map ACLs can be quite complex. For our purposes, however, we only need to match traffic going between the 10.0.1.0/24 and 10.0.2.0/24 networks.

F1(config)# access-list LAN_Traffic extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0

We flip the addresses on F2 to match traffic heading the opposite direction:

F2(config)# access-list LAN_Traffic extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0

Step 4: Create a Tunnel Group

A tunnel group holds tunnel configuration parameters, namely the connection type and authentication method. Since we’re using pre-shred key authentication, we need to name our tunnel group as the IP address of the remote peer. Also, notice that we must define the connection type (ipsec-l2l) before we can configure the pre-shared key.

F1(config)# tunnel-group 172.16.2.2 ?

configure mode commands/options:
  type  Enter the type of this group-policy
F1(config)# tunnel-group 172.16.2.2 type ipsec-l2l
F1(config)# tunnel-group 172.16.2.2 ?

configure mode commands/options:
  general-attributes  Enter the general-attributes sub command mode
  ipsec-attributes    Enter the ipsec-attributes sub command mode
F1(config)# tunnel-group 172.16.2.2 ipsec-attributes
F1(config-tunnel-ipsec)# pre-shared-key ThisIsAWeakKey

The tunnel group configuration on F2 is identical except that its name changes to 172.16.1.2 (F1’s outside interface):

tunnel-group 172.16.1.2 type ipsec-l2l
tunnel-group 172.16.1.2 ipsec-attributes
 pre-shared-key ThisIsAWeakKey

Step 5: Create and Apply a Crypto Map

Finally, we need to create a crypto map (named L2L) to tie together the IPsec transform set, access list, and tunnel group configured in the previous steps. First we match LAN-to-LAN traffic using our access list:

F1(config)# crypto map L2L 1 match address LAN_Traffic

Then we set the VPN peer and IPsec transform set to use:

F1(config)# crypto map L2L 1 set peer 172.16.2.2
F1(config)# crypto map L2L 1 set transform-set L2L

The corresponding crypto map on F2 looks like this:

crypto map L2L 1 match address LAN_Traffic
crypto map L2L 1 set peer 172.16.1.2
crypto map L2L 1 set transform-set L2L

All that’s left now is to apply the crypto map to the outside interface on each firewall:

F1(config)# crypto map L2L interface outside

F2(config)# crypto map L2L interface outside

Reference document for “Nat Exemption” (aka “nonat” or “nat 0” in earlier releases) for basic L2L or basic RA setup.
L2L Example

Topology:

192.168.1.x/24 inside(ASA1)outside ===VPN===outside(ASA2)inside 192.168.2.0/24

If you were configuring ASA1 nat exemption for this L2L tunnel, it would look like this:

object network obj-local

subnet 192.168.1.0 255.255.255.0

object network obj-remote

subnet 192.168.2.0 255.255.255.0

nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote

RA Example

Topology:

192.168.3.0/24 (vpnclient pool) ===VPN===outside(ASA1)inside 192.168.1.0/24

If your were configuring ASA1 nat exemption for this RA tunnel, it would look like this:

object network obj-vpnpool

subnet 192.168.3.0 255.255.255.0

nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool

*Note: Due to bug CSCtf89372, I use the “1” in the command above to put the nat exemption statement at the top of all my nat statements.

Using Management-access Inside

In all the above cases, when you convert the nat 0 command in pre 8.3 code to post 8.3 code, you’ll probably notice that you’re converting it from being a nat exemption to static identity nat. Just like in pre 8.3 code, post 8.3 static nats also don’t do a route lookup for an ingress packet. Instead they forcibly place the packet on the egress interface defined in the static command. If you use the packet tracer you’ll see something like this:

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network obj_RDP

nat (inside,outside) static interface service tcp 3389 3389

Additional Information:

NAT divert to egress interface inside

Untranslate 64.102.156.87/3389 to 192.168.1.5/3389

Notice how it says “NAT divert”, well what that means is the ASA just skipped a route-lookeup for the address you’re trying to reach and used the NAT statement to decide how to route that packet. Sometimes this can be a good thing and can be used for various hacks( refer Loadbalancing DUAL ISP on ASA), unfrotunately, if you’re using the VPN to manage your firewall, then you don’t want packets destined to the ASA itself to be “NAT diverted” out some interface. You want those packets to be process by the ASA itself, so in these situations you want to configure the nat command as:

nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool route-lookeup

This command makes the ASA do the route-lookup instead of blindly routing the packets.

Tagged with: Cisco, No NAT, post 8.3, security, site 2 site, vpn
Posted in Cisco

How Email works and flows

Posted on June 17, 2013 by otrdemo — Leave a comment

Whenever you send a piece of e-mail, your e-mail client interacts with the SMTP server to handle the sending. The SMTP server on your host may have conversations with other SMTP servers to deliver the e-mail.

Let’s assume that I want to send a piece of e-mail. My e-mail ID is brain, and I have my account on howstuffworks.com. I want to send e-mail to jsmith@mindspring.com. I am using a stand-alone e-mail client like Outlook Express.

When I set up my account at howstuffworks, I told Outlook Express the name of the mail server — mail.howstuffworks.com. When I compose a message and press the Send button, here’s what happens:

Outlook Express connects to the SMTP server at mail.howstuffworks.com using port 25.
Outlook Express has a conversation with the SMTP server, telling the SMTP server the address of the sender and the address of the recipient, as well as the body of the message.
The SMTP server takes the “to” address (jsmith@mindspring.com) and breaks it into two parts: the recipient name (jsmith) and the domain name (mindspring.com). If the “to” address had been another user at howstuffworks.com, the SMTP server would simply hand the message to the POP3 server for howstuffworks.com (using a little program called the delivery agent). Since the recipient is at another domain, SMTP needs to communicate with that domain.
The SMTP server has a conversation with a Domain Name Server, or DNS (see How Web Servers Work for details). It says, “Can you give me the IP address of the SMTP server for mindspring.com?” The DNS replies with the one or more IP addresses for the SMTP server(s) that Mindspring operates.
The SMTP server at howstuffworks.com connects with the SMTP server at Mindspring using port 25. It has the same simple text conversation that my e-mail client had with the SMTP server for HowStuffWorks, and gives the message to the Mindspring server. The Mindspring server recognizes that the domain name for jsmith is at Mindspring, so it hands the message to Mindspring’s POP3 server, which puts the message in jsmith’s mailbox.

If, for some reason, the SMTP server at HowStuffWorks cannot connect with the SMTP server at Mindspring, then the message goes into a queue. The SMTP server on most machines uses a program called sendmail to do the actual sending, so this queue is called the sendmail queue. Sendmail will periodically try to resend the messages in its queue. For example, it might retry every 15 minutes. After four hours, it will usually send you a piece of mail that tells you there is some sort of problem. After five days, most sendmail configurations give up and return the mail to you undelivered.

The SMTP server understands very simple text commands like HELO, MAIL, RCPT and DATA. The most common commands are:

HELO – introduce yourself
EHLO – introduce yourself and request extended mode
MAIL FROM: – specify the sender
RCPT TO: – specify the recipient
DATA – specify the body of the message (To, From and Subject should be the first three lines.)
RSET – reset
QUIT – quit the session
HELP – get help on commands
VRFY – verify an address
EXPN – expand an address
VERB – verbose

Great article from ;

http://computer.howstuffworks.com/e-mail-messaging/email2.htm

Tagged with: client, DNS, email, How, lookup, pop, server, smtp, tcp 110, tcp 25, works
Posted in Useful Tools

Checkpoint VPN Debugging

Posted on June 14, 2013 by otrdemo — Leave a comment

DEBUGGING INSTRUCTIONS:

From the command line ( if cluster, active member )

vpn debug on
vpn debug ikeon
vpn tu
select the option to delete IPSEC+IKE SAs for a given peer (gw)
Try the traffic to bring up the tunnel
vpn debug ikeoff
vpn debug off

Log Files are

$FWDIR/log/ike.elg
$FWDIR/log/vpnd.elg

COMMON MESSAGES:

According to the Policy the Packet should not have been decrypted

The networks are not defined properly or have a typo
Make sure VPN domains under gateway A are all local to gateway A
Make sure VPN domains under gateway B are all local to gateway B

Wrong Remote Address

Failed to match proposal

sk21636 – cisco side not configured for compression

No response from peer

check encryption domains.
remote end needs a decrypt rule
remote firewall not setup for encryption
somethign is blocking communication between VPN endpoints
Check UDP 500 and protocol 50

No Valid SA

both ends need the same definition for the encrytpion domain.
sk19243 – (LAST OPTION) use debedit objects_5_0.c, then add subnets/hosts in users.def
likely phase2 settings
cisco might say ‘no proxy id allowed”
Disable NAT inside VPN community
Support Key exchange for subnets is properly configured
Make sure firewall external interface is in public IP in general properties

No Proposal chosen

sk19243 – usually cuased when a peer does not agree to VPN Domain or subnet mask
make sure that encryption and hash match as well in Phase 2 settings

Cannot Identify Peer (to encryption connection)

sk22102 – rules refer to an object that is not part of the local firewalls encryption domain
may have overlapping encryption domains
2 peers in the same domain
sk18972 – explains overlapping

Invalid ID

sk25893 – Gateway: VPN-> VPN Advanced, Clear “Support key exhcnage for subnets”, Install policy

Authentication Failure

Payload Malformed

check pre shared secrets

RESPONDER-LIFETIME

As seen in ike debugs, make sure they match on both ends

Invalid Certificate

sk17106 – Remote side peer object is incorrectly configured
sk23586 – nat rules are needed
sk18805 – multiple issues, define a static nat, add a rule, check time
sk25262 – port 18264 has problems
sk32648 – port 18264 problems v2
sk15037 – make sure gateway can communicate with management

No Valid CRL

sk32721 – CRL has expired, and module can’t get a new valid CRL

AddNegotiation

FW-1 is handling more than 200 key negotiations at once
vSet maximum concurrent IKE connections

Could not get SAs from packet

FW MONITOR NOTES

packet comes back i I o O
packet will be ESP between o and O

BASIC STUFF TO CHECK IN THE CONFIGURATION:

Accept FW-1 Control Connections

VPN domains

setup in the topology of that item
using topology is recommended, but you must define
looking for overlap, or missing networks.
Check remote and local objects.

Encryption Domains

your firewall contains your networks
their firewall contains their networks

Rule Setup

you need a rule for the originator.
Reply rule is only required for 2 way tunnel

Preshared secret or certificate

Make sure times are accurate

Security rulebase

make sure there are rules to allow the traffic

Address Translation

be aware that this will effect the Phase 2 negotiations
most people disable NAT in the community

Community Properties

Tunnel management, Phase1 Phase2 encrypt settings.

Link selection

Routing

make sure that the destination is routed across the interface that you want it to encrypt on
you need IP proto 50 and 51 fo IPSEC related traffic
you need port 500 UDP for IKE
netstat -rn and look for a single valid default route

Smartview Tracker Logs

purple = encrypted
red = dropped
green = no encryption

TRADITIONAL MODE NOTES

can’t VPN Route
encryption happens when you hit explicit rule
rules must be created

SIMPLIFIED MODE NOTES

VPN Communities
Encryption happens at rule 0
rules are implied

CHECKLIST

Define encryption domains for each site
Define firewall workstation objects for each site
Configure the gateway objects for the correct encryption domain
Configure the extranet community with the appropriate gateways and objects
Create the necessary encryption rules.
Configure the encryption properties for each encryption rule.
Install the security Policy

IKE PACKET MODE QUICK REFERENCE

– > outgoing
< – incoming

PHASE 1 (MAIN MODE)

1 > Pre shared Secrets, Encryption & hash Algorithims, Auth method, inititor cookie (clear text)
2 < agree on one encryption & hash, responder cookie (clear text)
3 > random numbers sent to prove identity (if it fails here, reinstall)
4 < random numbers sent to prove identity (if it fails here, reinstall)
5 > authentication between peers, peers ip address, certificates exchange, shared secrets, expired certs, time offsets
6 < peer has agreed to the proposal and has authenticated initiator, expired certs, time offsets

PHASE 2 (QUICK MODE)

1 > Use a subnet or a host ID, Encryption, hash, ID data
2 < agrees with it’s own subnet or host ID and encryption and hash
3 > completes IKE negotiation

GREAT ARTICLE FROM;

Check Point VPN Debugging Guide

Tagged with: commands, debugging, guide, steps, vpn
Posted in CheckPoint

CCNA Security Vid04

Posted on June 11, 2013 by otrdemo — Leave a comment

Tacas+ / RADIUS / AAA key points table

When utilizing AAA you can use RADIUS or TACACS. When we mention either of these we are talking about the conversation between a network device i.e. Router, Switch or Firewall (in this case) for authenticating with either a RADIUS server or TACACS server. Router, Switch or Firewall being the client, when trying to authenticate, authorize or account a user trying to login, issue certain commands and of course record this activity (AAA).

essentially it boils down to this when it comes to AAA;

aaa new-model [command used to turn on aaa]

R8(config)#enable secret cisco

R8(config)#username admin privilege 15 secret cisco

R8(config)#username user1 privilege 1 secret cisco

R8(config)#aaa authentication login default group tacacs+ local enable [This is creating a “default” method list for “authentication” which will apply on all lines if no “custom” list is present. this default method list also says, use tacacs server first, local database 2nd and enable password 3rd]

R8(config)#tacacs-server host 10.10.10.10 key 0 cisco [This defines the TACACS server along with the key to use when the router trys to communicate with the TACACS server]

R8#debug tacacs authentication

R8#debug aaa authentication

R8(config-line)#line console 0

R8(config-line)#login authentication default

R8(config-line)#line aux 0

R8(config-line)#login authentication default

R8(config-line)#line vty 0 4

R8(config-line)#login authentication default

R8#telnet 10.10.10.20

Trying 10.10.10.20 … Open

*Mar 1 00:19:40.627: AAA/BIND(00000006): Bind i/f
*Mar 1 00:19:40.631: AAA/AUTHEN/LOGIN (00000006): Pick method list ‘default’
*Mar 1 00:19:40.639: TPLUS: Queuing AAA Authentication request 6 for processing
*Mar 1 00:19:40.639: TPLUS: processing authentication start request id 6
*Mar 1 00:19:40.643: TPLUS: Authentication start packet created for 6()
*Mar 1 00:19:40.643: TPLUS: Using server 10.10.10.10
*Mar 1 00:19:40.651: TPLUS(00000006)/0/NB_WAIT/650E43A4: Started 5 sec timeout

TACACS SERVER CANNOT BE REACHED! so 2nd in the default method list is to use LOCAL DATABASE!(prompt for username then password, from local database)

User Access Verification

Username:
*Mar 1 00:19:45.647: TPLUS(00000006)/0/NB_WAIT/650E43A4: timed out
*Mar 1 00:19:45.647: TPLUS(00000006)/0/NB_WAIT/650E43A4: timed out, clean up
*Mar 1 00:19:45.647: TPLUS(00000006)/0/650E43A4: Processing the reply packet

USING debug authentication / authorization / accounting you can see the value and get an understanding of how it all works.

and below is a CUSTOM method list same a default but you give it a name and apply it to a LINE;

aaa authentication login CUSTOM-METHOD-LIST group tacacs+ local enable

R8(config-line)#login authentication CUSTOM-METHOD-LIST

so you can see above the custom method list named “CUSTOM-METHOD-LIST” has been applied to line vty 0 4 .

!SAME GOES FOR ALL 3 PARTS OF aaa (authentication, authorization and accounting)!

Tagged with: AAA, radius, tacacs
Posted in CCNA Security Notes

CCNA Sec Vid03

Posted on June 11, 2013 by otrdemo — Leave a comment

CCNA Sec Vid03 securing the management plane

Typing enable takes you to priviledge level 15, by default > you’re at privledge 1

you can create levels with custom commands for that level.

AAA = Authentication, Authorisation, Accounting

better way of cteating usernames passwords and levels of access.

rather than; (which just prompts for password once connected to the line)

line console 0
password cisco
login

line aux 0
login
password cisco

line vty 0 4
password cisco
login

AAA is better than the next way too, which is using the local database (router config)

line console 0
password cisco
login local

line aux 0
login local
password cisco

line vty 0 4
password cisco
login local

username admin privledge 15 secret 0 cisco

turning on AAA is easy!

basically saying the default way to login is using the local database;

aaa new-model

aaa uses method lists (basically list of authenticationmethods to try befor authenticating a user)
This is called default method list
i.e. when a user tries to authenticate, try [1st, AAA Server, 2nd local database, 3rd enable secret]
aaa new-model [This turns on AAA services. The rouetr can now use AAA]
aaa authentication login default group tacacs+ local enable [This is the defaul method list, this is chosen by default, if no other CUSTOM method list is configured.
If you do have a custom method list created the router will always follow this over the default]

aaa authentication login VTY-LIST local [This is a customer list called VTY-LIST, which I could apply on the VTY lines, as it is a custom list this will be chosen over a default as it is custom
and specially applied to the vty lines, you can do this for any line, and create any list.]

aaa new-model [says we have anew paradym of authentication, authorization and accounting]

defualt method list [applies to all logical interfaces where aaa can be applied]

custom method lists [allows you to apply aaa to individual interfaces as you like, and for which
ever piece of aaa.]

Tagged with: 03, ccna, notes, security
Posted in CCNA Security Notes

CCNA Sec Vid02 NFP

Posted on June 11, 2013 by otrdemo — Leave a comment

NFP Notes;

Video 02 CCNA Security

Network Foundation Protection NFP

made up of 3 parts;

Management Plane
Control Plane
Data Plane

NFP picture

MANAGEMENT PLANE

dont he give people more access than they need
NTP for accurate logs
timeouts
AAA for controlling who can manage the devices

CONTROL

If a network device has to think about something
i.e. someone ssh’s to it, or it recieves a route update
keepalives, or traffic directed to it’s own IP
address, these are example of the control plane.

Control plane (Any time the CPU on the device has to get involved in processing something)
you can limit amount of session to be open etc so people can not just keep
opening SYN’s for SSH sessions for example.
control plane protection

DATA

The data plane is actually when your device is either
forwarding pakcets or frames for others. I.e. transit packet
securing the data is ually done via ACL’s , IDS/IPS
firewall, port security.

Main benefit of ALL this is (CONCIOUSNESS of these security areas)
C3PL= Cisco Common Clasification Policy Lanuage

MPF = Modular policy framework

MQC = Modular QoS CLI

HAVE IN COMMON;

Common logic to accomplish tasks via;

class maps job = identify traffic, (http. icmp,ssh etc)
policy maps job = action to take , police it, drop, prioritize also work with class map rate limit
service policies job = where the policy map is going to do it’s action (where? control plane)

Tagged with: ccna security, foundation protection, Network
Posted in CCNA Security Notes

Diffrence between SSL and TLS

Posted on June 11, 2013 by otrdemo — Leave a comment

Great article from;

SSL versus TLS – What’s the difference?

SSL versus TLS

TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are protocols that provide data encryption and authentication between applications in scenarios where that data is being sent across an insecure network, such as checking your email (How does the Secure Socket Layer work?). The terms SSL and TLS are often used interchangeably or in conjunction with each other (TLS/SSL), but one is in fact the predecessor of the other — SSL 3.0 served as the basis for TLS 1.0 which, as a result, is sometimes referred to as SSL 3.1. With this said though, is there actually a difference between the two?

Is one more secure than the other?

While SSL and TLS differ in ways that make them inoperable with each other, they are generally considered equal in terms of security. The main difference is that, while SSL connections begin with security and proceed directly to secured communications, TLS connections first begin with an insecure “hello” to the server and only switch to secured communications after the handshake between the client and the server is successful. If the TLS handshake fails for any reason, the connection is never created.

Both Internet security protocols ensure that your data is encrypted as it is transmitted across the Internet. They also both enable you to be sure that the server that you are communication with is the server you intend to contact and not some “middle man eavesdropper”. This is possible because servers that support SSL and TLS must have certificates issued to them by a trusted third party, like Verisign or Thawte. These certificates verify that the domain name they are issued for really belongs to the server. Your computer will issue warnings to you if you try to connect to a server and the certificate that it gets back is not trusted or doesn’t match the site you are trying to connect to.

If you are mostly concerned about your level of security, you can’t really go wrong choosing either SSL or TLS.

So then, should I choose to connect with TLS or SSL?

The main benefit in opting for TLS over SSL is that TLS was incepted as an open-community standard, meaning TLS is more extensible and will likely be more widely supported in the future with other Internet standards. TLS is even backwards compatible, possessing the ability to “scale down” to SSL if necessary to support secure client-side connections that only understand SSL.

Another more immediate benefit, however, is that TLS allows both secure and insecure connections over the same port, whereas SSL requires a designated secure-only port. For users connecting to an email server via POP or IMAP, this means that using TLS will allow you to opt for secure connections but easily switch to insecure connections if necessary without needing to change ports. This is not possible with SSL.

However, as discussed in the previous section, it really doesn’t matter which one is used in terms of security.

What happens if I do not use either security protocol?

If neither SSL nor TLS is used, then the communications between you and the server can easily become a party line for eavesdroppers. Your email data and your login information are sent in plaintext for all to see, and there is no guarantee that the server you connect to is not some middle man or interloper.

Tagged with: between, Diference, SSL, TLS
Posted in Useful Tools

How SSL Works

Posted on June 11, 2013 by otrdemo — Leave a comment

Best article on how SSL works on the web from;

How Does Secure Socket Layer (SSL or TLS) Work?

The Secure Socket Layer, SSL for short, is a protocol by which many services that communicate over the Internet can do so in a secure fashion. Before we discuss how SSL works and what kinds of security it provides, let us first see what happens without SSL.

Life on the Internet without SSL

Let us compare communications between computers on the Internet and communications between people over the telephone. Without SSL, your computer-to-computer communications suffer from the same security problems from which your telephone communications suffer:

Who are you talking to? In a phone conversation, how can you be sure that the person who picks up the phone at the other end is really the person you are trying to call (especially if you have never spoken to them before)? What if your phone call was intercepted or re-routed, or what if someone else is answering your call recipient’s phone? There really is no way to be sure you have reached the right person, especially if they are actively trying to fool you.
Eavesdropping? As you are aware of from watching TV or reading, it is very easy to tap phone lines: the police and spies do this all the time to covertly gather information. It is not easy to detect if your lines are tapped. The same applies with communications over the Internet — how can you be sure that your communications are not being “tapped” and recorded? This is especially problematic in public wifi hotspots.

This results in two very real security issues for communications over the Internet: 1. knowing for sure that you are connecting to the right servers (i.e. those at your bank and not those at a hacker’s or phisher’s web site), and 2. knowing that your data is safe from prying eyes during transit to those computers. This is where SSL comes in.

Enter the Secure Socket Layer (SSL)

To solve these problems to a large degree, most Internet services support use of SSL as a mechanism for securing communications. To illustrate how SSL works, let us use another analogy.

Client wants to communicate with a company to send important information back and forth. Client wants to be 100% sure that s/he is communicating with this particular company and that no one can eavesdrop on or intercept the communications. How can s/he do this?

Client sends a courier to the company’s address.
The company has envelopes that, when closed, can only be opened by the company. The company and the courier go together to a trusted third party — a notary — which makes the company provide documentation to prove its identity. The notary certifies the company’s secure envelopes and the courier takes these back to the client.
The client gets the envelopes and, if it trusts the notary’s reputation, can be sure that they are actually from the company indicated.
The client also has secure envelopes that, once sealed, only the client can open. It puts some of these in one of the company’s secure envelopes and sends them back to the company.
The company gets the sealed secure envelope. It opens the envelope (as only it can). It now has the client’s secure envelopes.
The company has another kind of envelope that can be opened and sealed only by using a special combination. The company puts this special envelope with the combination lock, together with the combination, into one of the client’s secure envelopes. The company seals the envelope.
The company has another type of secure envelope that anyone can open, but which only the company can seal. If you open one of these sealed envelopes, you know for sure that it was sent by the company. The company puts the whole package inside this and sends it to the client.
When the client gets the secure envelope, it opens it and thus knows that it came from the company. It then opens the next secure envelope inside that can only be opened by the client. Inside it gets out the combination-envelope and the combination itself.
The client the puts his data in the combination envelope, seals it and sends it to the company.
The company receives it, opens it, and puts the response in the same secure envelope and sends it back.
The procedure is repeated as often as necessary for required communications.

SSL relies on the concept of “public key cryptography” to accomplish these tasks. In normal encryption, the two parties communicating share a “password” and that password is used to both encrypt and decrypt messages. While this is fast and efficient, how do you communicate these passwords to people you have not yet met in a way that is itself secure?

In “public key cryptography”, each person has two keys — a “public” key and a “private” key. Anything encrypted with the user’s public key can only be decrypted with the private key and vice versa. Each person then tells the world what his public key is and keeps his private key safe and secure, and private.

If John sends Mary a message encrypted with Mary’s public key, then only Mary can open it, as only she has her private key. This is like an envelope that anyone can seal but which only Mary can open.

If John sends Mary a message encrypted with John’s private key, then anyone can open it, as everyone has access to John’s public key. However, successfully opening the message proves that it was sent by John and no one else, as only John has access to his private key. This is like an envelope that only John can seal, but which anyone can open and thus prove that John sealed it.

SSL in Action

So, let’s see how SSL actually works for securing your communications over the Internet. Before the communications occur, the following takes place:

A company wishes to secure communications to their server company.com.
They create a public and private key for company.com (this is also known as as “SSL Certificate“).
They go to a trusted third party company such as Thawte or Verisign: Thawte makes the company prove its identity and right to use the company.com domain. This usually involves a lot of paperwork and paying a hefty fee.
Once the verification is complete, Thawte gives the company a new public key that has some additional information in it. This information is the certification from Thawte that this public key is for the company and company.com and that this is verified by Thawte. This certification information is encrypted using Thawte’s private key… we will see why below.

Then, when Client wishes to communicate with the company at company.com,

Client makes a connection to company.com with its computer. This connection is made to a special “port” (address) on company.com that is set up for SSL communications only.
When Client connects to company.com on its SSL-secured port, the company sends back its public key (and some other information, like what Ciphers it supports).
Client gets the public key and decides if it is OK…
- If the public key has expired, this could be a problem
- If the public key claims to be for some domain that is not company.com that could be a problem.
- Client has the public key for Thawte (and many other third party companies) stored in its computer — because these come with the computer. Thus, client can decrypt the validation information, prove the validation is from Thawte and verify that the public key is certified by Thawte. If Client trusts Thawte, then Client can trust that he/she is really communicating with Company. If Client doesn’t trust Thawte, or whatever Third Party company is actually being used, then the identity of who is running the computers to which Client is connecting is suspect.
If client decides to trust the public key, then Client will send to the company the Client’s public key.
The company will then generate a “password” and encrypt it using both Client’s public key and Company’s private key, in succession, and send it back to the client.
Client will decrypt the password. This process proves that the company sent the password and that only Client was able to read it.
If the client doesn’t trust the server, then the communication is terminated.
If the client has its own SSL certificate installed, it may send that to the server at this point to see if the server trusts the client. Client-side SSL certificates are not commonly used, but provide a good way for the client to authenticate itself with the server without using a username or password. In the case where this is used, the server would have to know about the client’s certificate and verify it in a similar way to how the client verified the server. If this fails, the connection is terminated. If a client-side certificate is not needed, this step is skipped.
Once the client is happy with the server (and the server with the client, if needed), then the client choose an SSL Cipher to use from the list of encryption methods provided by the server, and generates a “symmetric key” (password) for use with that Cipher. The client encrypts this password using the server’s public key and sends it back to the server. The server (and only the server) can decrypt this message and get this password, which is now shared by both the client and server.
The client will then start communicating with the company by encrypting all data using this password and the chosen Cipher. Normal “symmetric” (password-based) encryption takes place from this point forward because it is much faster than using the public and private keys for everything. These keys were needed to enable the company (and possibly the client) to prove its identity and right to domain.com and to enable the client and server to generate and securely communicate a common password.

So, Are there Limitations to This Process?

This all sounds great — what are the down sides? There are a few.

Key Length: The statement that “only someone with the private key can decrypt something encrypted with the public key” is true so long as the private key cannot be “guessed”. Hackers may try to do this by trying all possible private key combinations. Older “40bit” keys can be broken by trial and error if one has access to vast computer resources and a good amount of time. These days, keys used in SSL are 128bit or better. There are so many possible keys with 128bit that it would take significantly longer than the age of the universe to “guess” one.

Trust: While use of SSL ensures that your communications cannot be spied on, it comes down to trust to ensure that you are actually communicating with your intended company. This is reflected in the validation of company.com and your trust of the third party organization. Some “secure sites” do not bother to get a third party’s approval and have their keys approved by “themselves”. Others use third parties that are almost free and which spend very little effort in validating the company. In these cases, SSL provides you with no real assurance that you are really talking to your intended company and not some hacker trying to forge their identity to communicate with you in a manner in which you think you are safe.

For defensive use of the web, you should pay attention to warnings generated by SSL when you connect to secure sites. Such warnings include “expired certificates”, “domain name mismatches” — where the domain name presented by the company is different than the one to which you are connecting, and “non trusted certificates” — where the public key (certificate) presented by the company was not validated by a third party that your computer trusts. In all of these cases, you should be wary.

Ciphers: SSL uses one of a large variety of possible “ciphers” to perform the symmetric encryption. Use of a poor/weak cipher can result in fast SSL that is easily compromised. Currently, it is recommended that one use 128-bit or stronger AES encryption as your cipher. See: 256-bit AES Encryption for SSL and TLS: Maximal Security.

What Services Can be Protected With SSL?

Almost any Internet service can be protected with SSL. Common ones include WebMail and other secure web sites such as banking sites and corporate sites, POP, IMAP, and SMTP.

Tagged with: How, SSL, works
Posted in Useful Tools

Cisco ASA upgrade CLI

Posted on June 11, 2013 by otrdemo — Leave a comment

Example:

ASA5510#copy tftp disk0:

Address or name of remote host []? 172.16.31.1
Source filename []? asa722-k8.bin
Destination filename [asa722-k8.bin]?
Accessing tftp://172.16.31.1/asa722-k8.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asa722-k8.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
8312832 bytes copied in 163.350 secs (50998 bytes/sec)

ASA5510#show disk0:
-#- --length-- -----date/time------ path
  6 5124096    Jan 01 2003 00:06:22 asa702-k8.bin
  7 5623108    Feb 12 2007 00:23:48 asdm-522.bin
 10 5539756    Feb 12 2007 00:14:18 asdm-521.bin
 11 8294400    Dec 07 2006 05:47:20 asa721-24-k8.bin
 12 6002680    Dec 21 2006 03:58:30 asdm-52034.bin
 13 8312832    Feb 12 2007 22:46:30 asa722-k8.bin

23949312 bytes available (38932480 bytes used)

!--- Command to set "asa722-k8.bin" as the boot image.

ASA5510(config)# boot system disk0:/asa722-k8.bin

!--- Command to set "asdm-522.bin" as the ASDM image.

ASA5510(config)# asdm image disk0:/asdm-522.bin
ASA5510# write memory
ASA5510# reload

Note: When you try to upgrade the image on the ASA from an FTP server, you can use the copy ftp flash command. This command allows you to specify parameters, such as remote IP address and source file name. This procedure is similar to TFTP. However, one limitation with is that you can not modify the remote IP/source interface (like you can with TFTP). In TFTP mode, options specified with the tftp-server command can be pulled and executed. But with FTP, there is no such option. The source interface should always be the outside by default, which cannot be modified. That is, the FTP server should be reachable from the outside interface.

Tagged with: asa, Cisco, cli, example, Upgrade
Posted in Cisco