Network Shield
This blog is dedicated to keen learners of networking. You can learn a lot about networking and network security here: we share basic networking concepts through to complex networking and troubleshooting steps, as well as network security questions and related material.
Captive Portal Fails to Load Properly or Returns 404
This article describes how to fix the issue whereby the captive portal fails to load, is returned only partially without the user/password fields, or returns a 404 error. The same change also mitigates slow access to a Mobile Access gateway on wireless or lossy networks.
The mechanism responsible for the problems is SACK, Selective Acknowledgment. The SACK-permitted option and the SACK option alter the acknowledgment behavior of TCP: the SACK option lets the receiver advertise, alongside the cumulative acknowledgment number, the non-contiguous blocks of data it has already received, so that the sender can retransmit only what is missing at the receiver's end.
A packet capture on the client or gateway will typically show many retransmitted packets and ends with the client eventually sending
Solution
Disable Selective-ACK by setting the cpas_tcp_do_sack kernel parameter to 0 (zero).
Procedure:
Edit the $FWDIR/boot/modules/fwkern.conf file with vi and add a line in the format parameter_name=value, in this case:
cpas_tcp_do_sack=0
Notes:
Disabling Selective-ACK can reduce throughput when client and server use large TCP windows and there is packet loss between them: without SACK the sender has to retransmit from the first lost segment onward instead of only the missing blocks.
In a cluster, perform the procedure on all cluster members.
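As an added example that is not part of the original post: a small POSIX shell helper that makes the fwkern.conf edit without duplicating the line and reads the value back. The file path is an argument so it can be tried on a scratch copy first; on a gateway it would be $FWDIR/boot/modules/fwkern.conf from expert mode. The parameter name other_param in the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): set a kernel parameter in
# fwkern.conf without duplicating the line, then read it back.
# On a gateway: set_fwkern_param "$FWDIR/boot/modules/fwkern.conf" cpas_tcp_do_sack 0

# set_fwkern_param FILE NAME VALUE
# Rewrites an existing NAME=... line or appends NAME=VALUE; creates FILE if absent.
set_fwkern_param() {
    file=$1; name=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${name}=" "$file"; then
        # sed -i is not portable; write a temporary file and move it into place
        tmp="${file}.tmp.$$"
        sed "s/^${name}=.*/${name}=${value}/" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$name" "$value" >> "$file"
    fi
}

# get_fwkern_param FILE NAME -> prints the configured value (empty if unset)
get_fwkern_param() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Demo on a scratch file with constructed content (not a real gateway file)
demo=$(mktemp)
printf 'other_param=1\n' > "$demo"
set_fwkern_param "$demo" cpas_tcp_do_sack 0
set_fwkern_param "$demo" cpas_tcp_do_sack 0   # second call must not add a duplicate
echo "cpas_tcp_do_sack=$(get_fwkern_param "$demo" cpas_tcp_do_sack)"
rm -f "$demo"
```

fwkern.conf is read when the kernel module loads, so the change takes effect at the next boot; the companion on-the-fly form on Check Point kernels is `fw ctl set int cpas_tcp_do_sack 0`, which changes the running kernel but does not persist (confirm the parameter name against the SK for your version).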
Labels: Checkpoint
Checkpoint: Change the Default Shell for admin in Gaia and SecurePlatform
This article details how to change the default shell for both Gaia and SecurePlatform (SPlat) systems.
SecurePlatform
In SecurePlatform, all we need to do is log in to expert mode and use the change-shell command chsh:
Shell changed.
Gaia
The above also works in Gaia, but it will not survive a reboot: the shell defaults back to clish. Running cat /etc/shells in expert mode shows which shells are available:
myfirewall> expert
Enter expert password:
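As an added example that is not part of the original post: POSIX shell functions that report a user's current login shell and whether it is listed in /etc/shells, the file chsh consults. The file paths are arguments so the checks can run against copies; on a gateway pass /etc/shells and /etc/passwd from expert mode. The /etc/cli.sh path in the comment is the Gaia clish wrapper; the user names in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): check which login shell a user
# has and whether that shell is listed in /etc/shells.
# Usage on a gateway: shell_status /etc/shells /etc/passwd admin

# user_shell PASSWD_FILE USER -> the shell field of USER's passwd entry
user_shell() {
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# shell_listed SHELLS_FILE SHELL -> 0 if SHELL appears in SHELLS_FILE
# (comment lines are skipped; the match is an exact whole-line match)
shell_listed() {
    grep -v '^#' "$1" | grep -qxF "$2"
}

# shell_status SHELLS_FILE PASSWD_FILE USER -> "ok", "unlisted" or "nouser"
# "ok" for a Gaia admin normally means /etc/cli.sh, the clish wrapper.
shell_status() {
    s=$(user_shell "$2" "$3")
    if [ -z "$s" ]; then
        echo nouser
    elif shell_listed "$1" "$s"; then
        echo ok
    else
        echo unlisted
    fi
}
```

The check is worth running before chsh (which refuses a shell missing from /etc/shells) and again after a reboot on Gaia, where the passwd entry is rewritten from the Gaia database. The persistent Gaia method, not shown in the post, is the clish command `set user admin shell /bin/bash` followed by `save config`.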
Labels: Checkpoint
Affected Versions/Systems/Devices: Windows
Affected Regions: Global
Detailed Summary:
It has been reported that a new wave of spam e-mails with common subject lines is circulating to spread variants of Locky ransomware. Reports indicate that over 23 million messages were sent in this campaign. The messages carry common subjects such as "please print", "documents", "photo", "Images", "scans" and "pictures"; the subject texts may change in targeted spear-phishing campaigns.
The messages contain zip attachments with Visual Basic Scripts (VBS) embedded in a secondary zip file. The VBS file is a downloader that polls the domain greatesthits[dot]mygoldmusic[dot]com (do not visit this malicious website) to fetch Locky variants.
The e-mails were botnet-based and came from various IP addresses around the world. The Message-ID header was spoofed so that it ended with @us-west-2.amazonses.com>.
Sample spoofed header:
Date/Time start: Thursday 2017-08-31, as early as 23:50 UTC
Date/Time finish: Friday 2017-09-01, as late as 01:41 UTC
Sender (spoofed): "Dropbox" <no-reply@dropbox.com>
Subject: Please verify your email
Executive Summary
Several security researchers have discovered a new type of malware that joins the ransomware bandwagon, encrypting victims' files and then demanding a payment of half a Bitcoin for the key. Named "Locky", the malware depends on a rather low-tech installation method to take root on a user's system: it arrives courtesy of a malicious macro in a Word document.
Security Advisory (20170903) New Ransomware Variant Locky 2017.docx
When the link is opened, the page offers an option to update a font. The page is designed to execute Win.JSFontlib09.js, a JavaScript file that downloads and installs Locky ransomware.
Shown below: bogus site with a HoeflerText popup when viewed in Chrome.
Shown below: screenshot after Locky infection.
If a system is infected by Locky, all files are encrypted and a string of random characters with the extension [.]lukitus or [.]diablo6 is appended to the encrypted files. Earlier Locky variants added the extension .locky instead. After encryption, the desktop background is changed to show instructions, and an HTML file named Lukitus[dot]htm is dropped. The instructions direct the victim to install the Tor browser and visit .onion sites, and demand a ransom of 0.5 Bitcoin.
It is also reported that a spam campaign with links to fake Dropbox sites is being used to spread Locky variants.
If the pages are viewed in Chrome or Firefox, they show a fake notification stating that you don't have the HoeflerText font. These fake notifications have an "update" button that returns a malicious JavaScript (.js) file.
Users are advised to exercise caution when opening e-mails, and organizations are advised to deploy anti-spam solutions and update spam block lists.
As with previous versions, the initial attack vector is malspam: phishing e-mails carry a zipped attachment containing malicious JavaScript that downloads the Locky payload.
Once the Locky payload is downloaded, it encrypts the user's files with the .diablo6 or .lukitus extension, then changes the desktop background and drops the rescue pages diablo6.htm and lukitus.htm, which are identical.
Following what has been standard for years, the ransom note instructs the user to install the Tor Browser and navigate to a unique .onion address to pay the ransom.
Indicators of Compromise:
(Block the malicious domains/IPs below at the perimeter.)
greatesthits[dot]mygoldmusic[dot]com
files with extension [.]lukitus or [.]diablo6
file Win[.]JSFontlib09[.]js
hxxp://geocean.co[.]id/657erikftgvb??pGDIWEKDHD=pGDIWEKDHD
Locky ransomware post-infection URL: hxxp://46.183.165.45/imageload.cgi
Fake dropbox sites:
hxxp://albion-cx22.co[.]uk/dropbox.html
hxxp://ambrogiauto[.]com/dropbox.html
hxxp://arthurdenniswilliams[.]com/dropbox.html
hxxp://autoecoleathena[.]com/dropbox.html
hxxp://autoecoleboisdesroches[.]com/dropbox.html
hxxp://autoecoledufrene[.]com/dropbox.html
hxxp://avtokhim[.]ru/dropbox.html
hxxp://bayimpex[.]be/dropbox.html
hxxp://binarycousins[.]com/dropbox.html
hxxp://charleskeener[.]com/dropbox.html
hxxp://campusvoltaire[.]com/dropbox.html
hxxp://dar-alataa[.]com/dropbox.html
hxxp://flooringforyou.co[.]uk/dropbox.html
hxxp://gestionale-orbit[.]it/dropbox.html
hxxp://griffithphoto[.]com/dropbox.html
hxxp://jakuboweb[.]com/dropbox.html
hxxp://jaysonmorrison[.]com/dropbox.html
hxxp://patrickreeves[.]com/dropbox.html
hxxp://potamitis[.]gr/dropbox.html
hxxp://tasgetiren[.]com/dropbox.html
hxxp://willemshoeck[.]nl/dropbox.html
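As an added example that is not part of the advisory: POSIX shell functions that apply the indicators above to a proxy log, a file share and a saved mail header. The domain and IP values are the advisory's own with the de-fanging brackets removed (a subset; the full dropbox.html list can be appended to IOC_DOMAINS); the log lines, files and headers used in the demo and checks are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): apply the IOCs above to local data.
# Indicator values are the advisory's; everything fed to the functions in
# the demo is constructed for illustration.

# Subset of the advisory's domains and IPs (de-fanging removed)
IOC_DOMAINS="greatesthits.mygoldmusic.com
geocean.co.id
albion-cx22.co.uk
ambrogiauto.com"
IOC_IPS="46.183.165.45"
IOC_EXTS="lukitus diablo6"

# count_lines: reads stdin, prints the number of lines (0 for empty input)
count_lines() { n=0; while IFS= read -r _l; do n=$((n + 1)); done; echo "$n"; }

# ioc_log_hits LOGFILE -> number of log lines mentioning an IOC domain or IP.
# Fixed-string, case-insensitive matching: substrings match too, so read the
# full line of a hit on a short domain before escalating.
ioc_log_hits() {
    pat=$(mktemp)
    printf '%s\n' $IOC_DOMAINS $IOC_IPS > "$pat"
    n=$(grep -c -i -F -f "$pat" "$1") || n=0
    rm -f "$pat"
    echo "$n"
}

# encrypted_files DIR -> paths of files carrying one of the Locky extensions
encrypted_files() {
    for e in $IOC_EXTS; do find "$1" -type f -name "*.$e"; done
}

# ransom_notes DIR -> paths of the rescue pages Locky drops
ransom_notes() {
    find "$1" -type f \( -iname lukitus.htm -o -iname diablo6.htm \)
}

# sender_mid_mismatch HEADERFILE -> 0 when the From: domain and the
# Message-ID domain differ, as in the spoofed "Dropbox" mails described
# above. Expects the <user@domain> form of both headers. Triage signal only:
# legitimate mail relayed through a third party shows the same mismatch, so
# confirm with SPF/DKIM results before acting on it.
sender_mid_mismatch() {
    from=$(sed -n 's/^From:.*@\([^>]*\)>.*/\1/p' "$1" | head -n 1)
    mid=$(sed -n 's/^Message-ID:.*@\([^>]*\)>.*/\1/p' "$1" | head -n 1)
    [ -n "$from" ] && [ -n "$mid" ] && [ "$from" != "$mid" ]
}

# Demo on a constructed proxy log line that matches the post-infection URL
demo=$(mktemp)
printf '2017-09-01T00:13:44Z 10.0.0.5 POST http://46.183.165.45/imageload.cgi 200\n' > "$demo"
echo "IOC hits in demo log: $(ioc_log_hits "$demo")"
rm -f "$demo"
```

Indicator lists age: the domains above were compromised sites in 2017 and may have been cleaned or re-registered since, so a perimeter block list built from them should be reviewed rather than left in place indefinitely.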
Users and administrators are advised to take the following preventive measures to protect their networks from ransomware infections and attacks:
Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite recovery. Ideally this data should be kept on a separate device, and backups should be stored offline.
Keep the operating system and third-party applications (MS Office, browsers, browser plugins) up to date with the latest patches.
Maintain updated antivirus software on all systems.
Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. For genuine URLs, close the e-mail and go to the organization's website directly through the browser.
Follow safe practices when browsing the web. Ensure web browsers are secured with appropriate content controls.
Establish a Sender Policy Framework (SPF) record for your domain. SPF is an e-mail validation system designed to prevent spam by detecting sender spoofing, which is how most ransomware samples reach corporate mailboxes.
Check regularly for the integrity of the information stored in databases.
Regularly check the contents of database backup files for unauthorized encrypted data records or external elements (backdoors, malicious scripts).
Ensure the integrity of the code and scripts used in database, authentication and other sensitive systems.
Use application whitelisting or a strict implementation of Software Restriction Policies (SRP) to block binaries running from the %APPDATA% and %TEMP% paths; ransomware samples generally drop and execute from these locations.
Use network segmentation and segregation into security zones to help protect sensitive information and critical services. Separate the administrative network from business processes with physical controls and VLANs.
Disable ActiveX content (and macros, the delivery vector described above) in Microsoft Office applications such as Word and Excel.
Disable Remote Desktop connections where they are not needed and employ least-privileged accounts. Limit the users who can log in using Remote Desktop and set an account lockout policy.
Ensure proper RDP logging and configuration.
Restrict access using firewalls and allow only selected remote endpoints; a VPN with a dedicated address pool may also be used for RDP access.
Use a strong authentication protocol, such as Network Level Authentication (NLA) in Windows.
Additional security measures that may be considered:
Use RDP Gateways for better management.
Change the listening port for Remote Desktop.
Tunnel Remote Desktop connections through IPsec or SSH.
Two-factor authentication may also be considered for highly critical systems.
ASA 1:
ASA02
object network net-local
subnet 192.168.102.0 255.255.255.0
object network net-remote
subnet 192.168.101.0 255.255.255.0
access-list outside_1_cryptomap permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
tunnel-group 192.168.0.11 type ipsec-l2l
tunnel-group 192.168.0.11 ipsec-attributes
pre-shared-key pass1234
isakmp keepalive threshold 10 retry 2
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 192.168.0.11
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
route outside 0 0 192.168.0.1
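As an added example that is not part of the original post, shown because the configuration above negotiates 3DES, SHA-1 and Diffie-Hellman groups 1 and 2: a POSIX shell audit that flags those settings in a saved ASA configuration. The function write_weak_sample produces a constructed file built from the crypto lines above; the IKEv2 replacement used in the checks is illustrative and its command syntax should be confirmed against your ASA version.

```shell
#!/bin/sh
# Added example (not from the original post): flag weak IPsec/IKE settings
# in a saved ASA configuration. Matching is on the lowercase text the ASA
# prints in show running-config (transform-set names are not inspected).

# weak_crypto_findings CONFIGFILE -> one "tag: line" per weak setting found
weak_crypto_findings() {
    awk '
        /(encrypt|encryption) (des|3des)$/ { print "weak-cipher: " $0 }   # Sweet32-class block cipher
        / hash (md5|sha)$/                 { print "ikev1-hash: " $0 }    # IKEv1 policy offers only MD5/SHA-1
        / group (1|2|5)$/                  { print "weak-dh: " $0 }       # DH modulus below 2048 bits
        /esp-(des|3des)/                   { print "weak-esp: " $0 }
        /set pfs group(1|2|5)$/            { print "weak-pfs: " $0 }
        /^ *pre-shared-key [^*]/           { print "psk-cleartext: " $0 } # key visible in the config text
    ' "$1"
}

# weak_crypto_count CONFIGFILE -> number of findings, 0 for a clean config
weak_crypto_count() {
    weak_crypto_findings "$1" | awk 'END { print NR }'
}

# short_psks CONFIGFILE MINLEN -> cleartext pre-shared keys shorter than MINLEN
short_psks() {
    awk -v min="$2" '/^ *pre-shared-key / && $2 !~ /^\*+$/ && length($2) < min { print $2 }' "$1"
}

# write_weak_sample FILE -> constructed sample: the crypto lines from the configuration above
write_weak_sample() {
cat > "$1" <<'EOF'
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
tunnel-group 192.168.0.11 ipsec-attributes
 pre-shared-key pass1234
EOF
}

# Demo: audit the constructed sample
sample=$(mktemp)
write_weak_sample "$sample"
weak_crypto_findings "$sample"
echo "findings: $(weak_crypto_count "$sample"), short keys: $(short_psks "$sample" 20)"
rm -f "$sample"
```

The ikev1-hash finding cannot be fixed within IKEv1 on the ASA, whose policy accepts only md5 or sha; SHA-2 integrity, AES-256 or AES-GCM and a group of 14 or higher (or an elliptic-curve group) require an IKEv2 policy and ipsec-proposal, with PFS set to the same strong group. Note also that the PFS group1 above is weaker than the group 2 negotiated for phase 1, so the phase 2 keys are the easier target.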
1. Power-cycle the security appliance by removing and re-inserting the power plug at the power strip.
2. When prompted, press Esc to interrupt the boot process and enter ROM Monitor mode. You should immediately see a rommon prompt (rommon #0>).
3. At the rommon prompt, enter the confreg command to view the current configuration register setting: rommon #0> confreg
4. The configuration register should be the default of 0x01 (it will actually display as 0x00000001). The appliance asks whether you want to make changes to the configuration register; answer no.
5. Change the configuration register to 0x41, which tells the appliance to ignore its saved (startup) configuration on boot: rommon #1> confreg 0x41
7. Notice that the appliance ignores its startup configuration during the boot process. When it finishes booting, you should see a generic User Mode prompt: ciscoasa>
8. Enter the enable command to enter Privileged Mode. When prompted for a password, simply press Enter (at this point the password is blank): ciscoasa> enable  Password:  ciscoasa#
9. Copy the startup configuration into the running configuration: ciscoasa# copy startup-config running-config  Destination filename [running-config]?
10. The previously saved configuration is now the active configuration, but since the appliance is already in Privileged Mode, privileged access is not lost. Next, in configuration mode, change the Privileged Mode password to a known value (here, the password system): asa# conf t  asa(config)# enable password system
11. While still in configuration mode, reset the configuration register to the default of 0x01 so that the appliance reads its startup configuration on boot: asa(config)# config-register 0x01
12. View the configuration register setting: asa(config)# exit  asa# show version
13. At the bottom of the show version output you should see: Configuration register is 0x41 (will be 0x1 at next reload)
14. Save the current configuration with copy run start to make the changes persistent: asa# copy run start  Source filename [running-config]?
15. Reload the security appliance: asa# reload  System config has been modified. Save? [Y]es/[N]o: yes  2149 bytes copied in 1.480 secs (2149 bytes/sec)  Proceed with reload? [confirm]
When the appliance reloads, you should be able to use the newly reset password to enter privileged mode.
Note that the whole procedure needs nothing more than console access and a power cycle, so physical access to the console port is equivalent to full administrative access. The appliance can be told to refuse this recovery path with no service password-recovery, at the cost that a lost password then requires erasing the configuration.
Labels: ASA
NAT (Network Address Translation) can be configured on a Check Point firewall in two different ways: Manual or Automatic.
Automatic NAT
To configure automatic NAT, use the NAT section in the properties of the server's host object.
For example, if we want our host with internal private IP 10.10.50.50 to be published on the Internet with the public IP 80.80.100.100:
(If we only wanted outbound IP masquerading, we would use the Hide NAT type. In this example we also want to publish the host to the Internet so that it can receive incoming connections, so we use the Static NAT type.)
For more details, see my post Checkpoint Hide NAT vs Static NAT.
After the automatic NAT configuration is applied, the firewall starts answering ARP requests for the public IP 80.80.100.100. It then translates the packet and routes it to the proper gateway or to the final destination.
It is very important to apply the NAT section of the host only to the gateway we want (instead of All, the default option). Otherwise, in a VSX environment, every virtual system may start answering those ARP requests and they will steal packets from each other.
Manual NAT
To configure manual NAT, instead of using the NAT section of the host object, we add rules in the NAT section of the firewall policy.
To recreate the same NAT configuration as in the previous example, there must also be another host object with the public IP configured.
Sometimes we need to perform NAT based on the destination port (or on any combination of source IP, destination IP and port).
For example:
When the public IP is accessed, the internal IP that the firewall translates to depends on the destination port:
Or this rule lets us reach three different internal servers, all listening on the same port, through a single public IP, with the original packet's destination port selecting the server:
So, if the NAT rule is simple, it is better to use automatic NAT. Otherwise, your only option is the manual NAT method.
Labels: Checkpoint
Solution
Policy installation flow:
1. Assuming the installation was initiated from SmartDashboard, as opposed to command-line options such as fwm load (on the Management Server) or fw fetch (on the Security Gateway), the Check Point Management Interface (CPMI) policy installation command is sent to the FWM process on the Management Server, where verification and compilation take place.
2. The FWM process is responsible for code generation and compilation.
3. The FWM process invokes the Check Point Policy Transfer Agent (CPTA) command, which sends the policy to all applicable Security Gateways.
4. The CPD process on the Security Gateway receives the policy and verifies its integrity.
5. The FWD process on the Security Gateway updates all of the user-mode processes responsible for enforcement, such as VPND for VPN and the FWSSD processes for the Security Servers. Once this is complete, the CPD process initiates the update of the Check Point kernel.
6. The new policy is prepared, and the Check Point kernel holds the current traffic and starts queuing all incoming traffic.
7. The Atomic Load takes place. This should take a fraction of a second.
Note: During Atomic Load, SecureXL is disabled and re-enabled afterwards.
8. The traffic queue is released, and all packets are handled by the new security policy.
Labels: Checkpoint
Conditions