
Network Shield
This blog is specially dedicated to those people who are keen learners of networking. You can learn a lot about networking and network security here. We will share basic networking concepts, complex networking topics and troubleshooting steps here. We will also share network security questions and other material here.

Captive Portal Fails to Load Properly or Returns 404
This article describes how to fix the issue whereby the captive portal fails to load, is returned only partially (without the user/password fields) or returns a 404 error. The same change also mitigates slow access to a Mobile Access gateway on wireless or lossy networks.
The mechanism responsible for the problems is SACK, an acronym for Selective Acknowledgment. The SACK-permitted option and the SACK option alter the acknowledgment behavior of TCP:

SACK-permitted

The SACK-permitted option is offered to the remote end during TCP setup as an option on the opening SYN packet. Once both ends have agreed to it, the SACK option permits selective acknowledgment of received data. The default TCP acknowledgment behavior is to acknowledge the highest sequence number of in-order bytes. This default behavior is prone to cause unnecessary retransmission of data, which can exacerbate a congestion condition that may have been the cause of the original packet loss.

A packet capture on the client or gateway will typically show many retransmitted packets and ends with the client eventually sending RST packets to the gateway.

SACK

The SACK option allows the receiver to modify the acknowledgment field to describe noncontiguous blocks of received data, so that the sender can retransmit only what is missing at the receiver's end.
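To make the two options concrete, here is an added example (not code from the original post) that parses the TCP options of a segment, reports whether SACK-permitted (option kind 4) or SACK (option kind 5) is present, and computes the byte ranges a SACK-aware sender would have to resend; the option bytes are constructed for the example rather than taken from a real capture.

```python
"""Parse TCP options for SACK-permitted / SACK and derive the retransmit set.
The option byte strings at the bottom are constructed sample input."""
import struct

SACK_PERMITTED = 4   # option kind sent in the SYN (length 2, no body)
SACK = 5             # option kind carrying received [left, right) blocks


def parse_tcp_options(opts: bytes) -> dict:
    """Walk a TCP options field using the kind/length encoding."""
    result = {"sack_permitted": False, "sack_blocks": [], "other": []}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP padding is a single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        body = opts[i + 2:i + length]
        if kind == SACK_PERMITTED:
            result["sack_permitted"] = True
        elif kind == SACK:
            # Each block is a pair of 32-bit sequence numbers [left, right)
            for off in range(0, len(body), 8):
                left, right = struct.unpack("!II", body[off:off + 8])
                result["sack_blocks"].append((left, right))
        else:
            result["other"].append(kind)
        i += length
    return result


def missing_ranges(ack: int, blocks, sent_upto: int):
    """Bytes in [ack, sent_upto) not covered by any SACK block, i.e. what a
    SACK-aware sender retransmits. Without SACK it would resend from ack on."""
    holes = []
    cursor = ack
    for left, right in sorted(blocks):
        if left > cursor:
            holes.append((cursor, left))
        cursor = max(cursor, right)
    if cursor < sent_upto:
        holes.append((cursor, sent_upto))
    return holes


# Constructed SYN options: MSS 1460, SACK-permitted, NOP, NOP.
SYN_OPTS = bytes([2, 4, 0x05, 0xB4, 4, 2, 1, 1])
# Constructed ACK options: NOP, NOP, SACK (length 18) with two received blocks.
ACK_OPTS = bytes([1, 1, 5, 18]) + struct.pack("!IIII", 2000, 3000, 4000, 4500)

if __name__ == "__main__":
    print(parse_tcp_options(SYN_OPTS))
    info = parse_tcp_options(ACK_OPTS)
    print("resend:", missing_ranges(1000, info["sack_blocks"], 5000))
```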

Solution
Disable Selective-ACK by setting the value of the cpas_tcp_do_sack kernel parameter to 0 (zero).

Procedure:

To Disable Selective-ACK on-the-fly, run:

[Expert@gateway]# fw ctl set int cpas_tcp_do_sack 0

Check that the value was accepted:

[Expert@gateway]# fw ctl get int cpas_tcp_do_sack

To disable the parameter permanently:

Edit the $FWDIR/boot/modules/fwkern.conf file using the vi editor and add a line with the format parameter_name=value, in this case:

cpas_tcp_do_sack=0

Reboot the gateway after any changes to the file $FWDIR/boot/modules/fwkern.conf.

Notes:
Disabling Selective-ACK can impact network throughput when client and server are using large TCP windows and there is packet loss between these hosts.
In a cluster, perform the procedure on all cluster members.

Checkpoint: Change the Default Shell for admin in Gaia and SecurePlatform

This article details how to change the default shell for both Gaia and SecurePlatform (SPlat)
systems.

SecurePlatform
In SecurePlatform, all we need to do is log in to expert mode and use the change shell command chsh:

myfirewall > expert
Enter expert password:
myfirewall # chsh -s /bin/bash admin
Shell changed.

This permanently changes the shell and will survive a reboot.

Gaia
The above will also work in Gaia but will not survive a reboot: the shell will default back to clish. Doing a cat on /etc/shells in expert mode will show you what is available:

myfirewall> expert
Enter expert password:

Warning! All configuration should be done through clish

You are in expert mode now.

[Expert@myfirewall:0]# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/usr/bin/scponly
/bin/tcsh
/bin/csh
/etc/cli.sh
[Expert@myfirewall:0]#
To effect the change we use the set user command; in this example we will set it to the bash shell:

myfirewall> set user admin <tab to show options:>
force-password-change - Force the user to change their password
gid - User's group ID
homedir - User's home directory
info - DEPRECATED synonym for 'realname'
lock-out - Unlock a locked out user
newpass - User's new password
password - User's password
password-hash - User's password hash
realname - User's real name or other informative label
shell - User's login shell
uid - User's numeric user ID
myfirewall> set user admin shell /bin/bash
myfirewall> save config
myfirewall>


Security Advisory (20170903): New Ransomware Variant Locky 2017


Criticality
High

Affected Versions/Systems/Devices
Windows

Affected Regions
Global

Detailed Summary:

It has been reported that a new wave of spam mails is circulating with common subject lines to spread variants of Locky ransomware. Reports indicate that over 23 million messages have been sent in this campaign. The messages contain common subjects like "please print", "documents", "photo", "Images", "scans" and "pictures". However, the subject texts may change in targeted spear phishing campaigns.
The messages contain "zip" attachments with Visual Basic Scripts (VBS) embedded in a secondary zip file. The VBS file contains a downloader which polls the domain "greatesthits[dot]mygoldmusic[dot]com" (please do not visit this malicious website) to download variants of Locky.
The emails were botnet-based, and they came from various IP addresses around the world. The Message-ID header was spoofed so that it ended with @us-west-2.amazonses.com>.
Please find below a sample spoofed header:
Date/Time start: Thursday 2017-08-31 as early as 23:50 UTC
Date/Time finish: Friday 2017-09-01 as late as 01:41 UTC
Sender (spoofed): "Dropbox" <no-reply@dropbox.com>
Subject: Please verify your email

Executive Summary
Several security researchers have discovered a new type of malware that jumps onto the ransomware bandwagon, encrypting victims' files and then demanding a payment of half a Bitcoin for the key. Named "Locky," the malware depends on a rather low-tech installation method to take root in a user's system: it arrives courtesy of a malicious macro in a Word document.
When we try to open the link, it presents an option to update a font. This page is designed to execute Win.JSFontlib09.js. That JavaScript file is designed to download and install Locky ransomware.
Shown below: bogus site with a HoeflerText popup when viewing it in Chrome. (screenshot)
Please find below a screenshot after infection by Locky. (screenshot)
If the system is infected by Locky, all files are encrypted and a string of random numbers with the extension [.]lukitus or [.]diablo6 is appended to the encrypted files. It may be noted that earlier variants of Locky added the extension .locky to the encrypted files. After encryption, the desktop background is changed to show instructions, and an htm file named Lukitus[dot]htm is dropped. The instructions tell the victim to install the TOR browser and visit .onion sites, and demand a ransom of .5 Bitcoins.
It is also reported that a spam campaign showing links to fake Dropbox sites is being used to spread Locky variants.
If the pages are viewed in Chrome or Firefox, they show a fake notification stating you don't have the HoeflerText font. These fake notifications have an "update" button that returns a malicious JavaScript (.js) file.
Users are advised to exercise caution while opening emails, and organizations are advised to deploy anti-spam solutions and update spam block lists.
As with previous versions, the initial attack vector is malspam campaigns in which phishing emails contain a zipped attachment with malicious JavaScript that downloads the Locky payload.
Once the Locky payload is downloaded, it encrypts the user's files with the .diablo6 or .lukitus extension, depending on the variant.
Then it changes the desktop background and provides the rescue pages diablo6.htm and lukitus.htm, which are identical.
Following what has been standard for years, the Locky ransomware instructs the user to install a Tor Browser, then navigate to a unique .onion address to pay the ransom.

Indicators of Compromise:
(Block the below malicious domains/IPs at the perimeter)
greatesthits[dot]mygoldmusic[dot]com
files with extension [.]lukitus or [.]diablo6
file Win[.]JSFontlib09[.]js
hxxp://geocean.co[.]id/657erikftgvb??pGDIWEKDHD=pGDIWEKDHD
Locky ransomware post-infection URL: hxxp://46.183.165.45/imageload.cgi
Fake dropbox sites:

Actions/Recommendations/Countermeasures:

Users and administrators are advised to take the following preventive measures to protect their computer networks from ransomware infections/attacks:

Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
Keep the operating system and third-party applications (MS Office, browsers, browser plugins) up to date with the latest patches.
Maintain updated antivirus software on all systems.
Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs, close the e-mail and go to the organization's website directly through the browser.
Follow safe practices when browsing the web. Ensure the web browsers are secured enough with appropriate content controls.
Establish a Sender Policy Framework (SPF) for your domain, which is an email validation system designed to prevent spam by detecting email spoofing, the means by which most of the ransomware samples successfully reach corporate mailboxes.
Check regularly for the integrity of the information stored in the databases.
Regularly check the contents of backup files of databases for any unauthorized encrypted contents of data records or external elements (backdoors/malicious scripts).
Ensure the integrity of the code/scripts being used in database, authentication and sensitive systems.
Application whitelisting/strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths. Ransomware samples generally drop and execute from these locations.
Network segmentation and segregation into security zones help protect sensitive information and critical services. Separate the administrative network from business processes with physical controls and Virtual Local Area Networks.
Disable ActiveX content in Microsoft Office applications such as Word, Excel, etc.
Disable Remote Desktop connections and employ least-privileged accounts. Limit users who can log in using Remote Desktop and set an account lockout policy. Ensure proper RDP logging and configuration.
Restrict access using firewalls and allow only selected remote endpoints; a VPN may also be used with a dedicated pool for RDP access.
Use a strong authentication protocol, such as Network Level Authentication (NLA) in Windows.
Additional security measures that may be considered are: use RDP Gateways for better management; change the listening port for Remote Desktop; tunnel Remote Desktop connections through IPsec or SSH; two-factor authentication may also be considered for highly critical systems.
If not required, consider disabling PowerShell / Windows Script Host.
Restrict users' abilities (permissions) to install and run unwanted software applications.
Enable personal firewalls on workstations.
Implement a strict external device (USB drive) usage policy.
Employ data-at-rest and data-in-transit encryption.
Consider installing the Enhanced Mitigation Experience Toolkit, or similar host-level anti-exploitation tools.
Block attachments of the following file types:
exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
Carry out Vulnerability Assessment and Penetration Testing (VAPT) and information security audits of critical networks/systems, especially database servers, by CERT-In empaneled auditors. Repeat audits at regular intervals.
Individuals or organizations are not encouraged to pay the ransom, as this does not guarantee files will be released. Report such instances of fraud to CERT-In and law enforcement agencies.
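As an added example (not part of the advisory), the following mail-gateway style check looks for two traits the advisory describes: a zip attachment holding a second zip with a script file inside, and a Message-ID whose domain differs from the From domain, which on its own is only a weak hint. The sample message and nested archive are constructed inline; the blocked-extension list is the advisory's, with "vbs" added because the advisory describes VBS downloaders.

```python
"""Flag nested-zip script attachments and From/Message-ID domain mismatches.
The message built in build_sample() is constructed test input."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment extensions the advisory recommends blocking, plus vbs (assumption).
BLOCKED_EXT = set(
    "exe pif tmp url vb vbe scr reg cer pst cmd com bat dll dat hlp hta js wsf".split())
BLOCKED_EXT.add("vbs")


def script_names_in_zip(data: bytes, depth: int = 0, max_depth: int = 2):
    """Return blocked-extension file names in a zip, recursing into nested zips."""
    found = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found
    for info in zf.infolist():
        ext = info.filename.rsplit(".", 1)[-1].lower()
        if ext in BLOCKED_EXT:
            found.append(info.filename)
        elif ext == "zip" and depth < max_depth:
            found.extend(script_names_in_zip(zf.read(info), depth + 1, max_depth))
    return found


def message_id_mismatch(msg) -> bool:
    """True when the Message-ID domain differs from the From domain (weak spoofing hint)."""
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    mid_domain = msg.get("Message-ID", "").strip("<> ").rpartition("@")[2].lower()
    return bool(from_domain) and bool(mid_domain) and from_domain != mid_domain


def inspect(msg):
    """Collect findings for one message; an empty list means nothing was flagged."""
    findings = []
    if message_id_mismatch(msg):
        findings.append("message-id domain != from domain")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            for inner in script_names_in_zip(part.get_payload(decode=True)):
                findings.append(f"script in archive: {name} -> {inner}")
    return findings


def build_sample():
    """Constructed message shaped like the advisory's description: zip in zip, VBS inside."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("scan.vbs", "' constructed placeholder, not a real downloader\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("scan.zip", inner.getvalue())
    msg = EmailMessage(policy=policy.default)
    msg["From"] = '"Dropbox" <no-reply@dropbox.com>'
    msg["To"] = "user@example.com"
    msg["Subject"] = "Please verify your email"
    msg["Message-ID"] = "<constructed-id@us-west-2.amazonses.com>"
    msg.set_content("please print")
    msg.add_attachment(outer.getvalue(), maintype="application",
                       subtype="zip", filename="scans.zip")
    return msg


if __name__ == "__main__":
    for finding in inspect(build_sample()):
        print(finding)
```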
SIEM Monitoring:
Team added/updated all the malicious URLs/Domains & IP address in monitoring.
References:
https://blog.appriver.com/2017/08/locky-ransomware-attacks-increase/
https://www.webroot.com/blog/2017/08/17/locky-ransomware-resurges-diablo-lukitus/
https://isc.sans.edu/forums/diary/Malspam+pushing+Locky+ransomware+tries+HoeflerText+notifications+for+Chrome+and+FireFox/22776/
http://www.zdnet.com/article/this-giant-ransomware-campaign-just-sent-millions-of-malware-spreading-emails/
https://www.forbes.com/sites/leemathews/2017/08/31/massive-ransomware-attack-unleashes-23-million-emails-in-24-hours/#30cc2155394b
https://www.databreachtoday.com/blogs/locky-ransomware-returns-two-new-variants-p-2528
https://twitter.com/peterkruse/status/903538736599891969


ASA Firewall Site 2 Site VPN Configuration

ASA 1:

object network net-local
subnet 192.168.101.0 255.255.255.0
object network net-remote
subnet 192.168.102.0 255.255.255.0
access-list outside_1_cryptomap permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
tunnel-group 192.168.0.12 type ipsec-l2l
tunnel-group 192.168.0.12 ipsec-attributes
pre-shared-key pass1234
isakmp keepalive threshold 10 retry 2
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 192.168.0.12
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
route outside 0 0 192.168.0.1

ASA 2:

object network net-local
subnet 192.168.102.0 255.255.255.0
object network net-remote
subnet 192.168.101.0 255.255.255.0
access-list outside_1_cryptomap permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
tunnel-group 192.168.0.11 type ipsec-l2l
tunnel-group 192.168.0.11 ipsec-attributes
pre-shared-key pass1234
isakmp keepalive threshold 10 retry 2
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 192.168.0.11
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
route outside 0 0 192.168.0.1
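The two ends of a site-to-site tunnel must mirror each other exactly, and a mismatch in any of the fields below is the usual reason phase 1 or phase 2 fails. This added example (not part of the original post) parses a subset of the lines from the two configurations above, checks that peer addresses, crypto ACLs, pre-shared key, ISAKMP policy and transform set agree, and flags the legacy 3DES and DH group 1/2 choices; the weak-algorithm list is this example's assumption.

```python
"""Consistency and legacy-algorithm check for a pair of ASA IPsec L2L configs.
ASA1 below is a subset of the post's configuration; ASA2 is derived from it."""
import re

ASA1 = """
access-list outside_1_cryptomap permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
tunnel-group 192.168.0.12 type ipsec-l2l
tunnel-group 192.168.0.12 ipsec-attributes
pre-shared-key pass1234
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 192.168.0.12
crypto map outside_map 1 set transform-set ESP-3DES-SHA
"""
ASA2 = ASA1.replace("192.168.0.12", "192.168.0.11").replace(
    "192.168.101.0 255.255.255.0 192.168.102.0", "192.168.102.0 255.255.255.0 192.168.101.0")

# Legacy choices a reviewer would flag today (assumption of this example).
WEAK = {"3des", "des", "md5", "group 1", "group 2", "group1", "group2"}


def parse(cfg: str) -> dict:
    """Pull the fields that must agree on both ends into a dict."""
    acl = re.search(r"permit ip (\S+ \S+) (\S+ \S+)", cfg)
    return {
        "peer": re.search(r"set peer (\S+)", cfg).group(1),
        "psk": re.search(r"pre-shared-key (\S+)", cfg).group(1),
        "local": acl.group(1),
        "remote": acl.group(2),
        "encrypt": re.search(r"policy \d+ encrypt (\S+)", cfg).group(1),
        "hash": re.search(r"policy \d+ hash (\S+)", cfg).group(1),
        "group": "group " + re.search(r"policy \d+ group (\S+)", cfg).group(1),
        "pfs": re.search(r"set pfs (\S+)", cfg).group(1),
        "transform": re.search(r"transform-set (\S+) (esp-\S+ esp-\S+)", cfg).group(2),
    }


def check_pair(a: dict, b: dict, a_addr: str, b_addr: str):
    """Return findings; an empty list means both tunnel definitions agree and use no legacy settings."""
    findings = []
    if a["peer"] != b_addr or b["peer"] != a_addr:
        findings.append("peer addresses do not match the other side's interface")
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        findings.append("crypto ACLs are not mirror images")
    for key in ("psk", "encrypt", "hash", "group", "pfs", "transform"):
        if a[key] != b[key]:
            findings.append(f"{key} differs between peers")
    for key in ("encrypt", "hash", "group", "pfs"):
        if a[key] in WEAK:
            findings.append(f"legacy setting: {key}={a[key]}")
    return findings


if __name__ == "__main__":
    for line in check_pair(parse(ASA1), parse(ASA2), "192.168.0.11", "192.168.0.12"):
        print(line)
```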


When No Output Comes from a Cisco ASA Firewall, or You Want to Recover the Password

The following steps were designed using a Cisco ASA 5505 Security Appliance. They are not appropriate for a Cisco PIX Firewall appliance.

1. Power-cycle your security appliance by removing and re-inserting the power plug at the power strip.

2. When prompted, press Esc to interrupt the boot process and enter ROM Monitor mode. You should immediately see a rommon prompt (rommon #0>).

3. At the rommon prompt, enter the confreg command to view the current configuration register setting:
rommon #0>confreg

4. The current configuration register should be the default of 0x01 (it will actually display as 0x00000001). The security appliance will ask if you want to make changes
to the configuration register. Answer no when prompted.

5. You must change the configuration register to 0x41, which tells the appliance to ignore its saved (startup) configuration upon boot:
rommon #1>confreg 0x41

6. Reset the appliance with the boot command:
rommon #2>boot

7. Notice that the security appliance ignores its startup configuration during the boot process. When it finishes booting, you should see a generic User Mode prompt:
ciscoasa>

8. Enter the enable command to enter Privileged Mode. When the appliance prompts you for a password, simply press Enter (at this point, the password is blank):
ciscoasa>enable
Password:
ciscoasa#

9. Copy the startup configuration file into the running configuration with the following command:
ciscoasa#copy startup-config running-config
Destination filename [running-config]?

10. The previously saved configuration is now the active configuration, but since the security appliance is already in Privileged Mode, privileged access is not disabled. Next, in configuration mode, enter the following command to change the Privileged Mode password to a known value (in this case, we'll use the password system):
asa#conf t
asa(config)#enable password system

11. While still in Configuration Mode, reset the configuration register to the default of 0x01 to force the security appliance to read its startup configuration on boot:
asa(config)#config-register 0x01

12. Use the following commands to view the configuration register setting:
asa(config)#exit
asa#show version

13. At the bottom of the output of the show version command, you should see the following statement:
Configuration register is 0x41 (will be 0x1 at next reload)

14. Save the current configuration with the copy run start command to make the above changes persistent:
asa#copy run start
Source filename [running-config]?

15. Reload the security appliance:
asa# reload
System config has been modified. Save? [Y]es/[N]o:yes
Cryptochecksum: e87f1433 54896e6b 4e21d072 d71a9cbf
2149 bytes copied in 1.480 secs (2149 bytes/sec)
Proceed with reload? [confirm]

When your security appliance reloads, you should be able to use your newly reset password to enter privileged mode.

Article Source: http://EzineArticles.com/664795


Checkpoint Automatic NAT vs Manual NAT

NAT (Network Address Translation) can be configured in our Checkpoint FW in two different ways: Manual or Automatic.

Automatic NAT

To configure automatic NAT, the SERVER object properties have a NAT section.
So for example, if we want our host with internal private IP 10.10.50.50 to be published on the Internet with public IP 80.80.100.100:
(If we only wanted to apply outbound IP masquerading, we should have applied the hide NAT type. In this example, we are also trying to publish to the Internet to receive incoming connections, so the static NAT type.)

For more details, visit my post Checkpoint Hide NAT vs Static NAT

This NAT configuration automatically performs 2 actions:

1. Creation of the corresponding NAT rule

Original Packet                           Translated Packet
Source   Destination     Service          Source     Destination   Service
Any      80.80.100.100   Any              Original   10.10.50.50   Original

2. Configuration of the corresponding Proxy ARP

After applying the automatic NAT configuration, the firewall will start replying to the ARP requests asking for the 80.80.100.100 public IP. Then the firewall will 'NAT' the packet and route it to the proper gateway or to the final destination.

It's very important to apply the NAT section of the host only to the gateway we want (instead of All, the default option).

Otherwise, in a VSX environment, all VS firewalls can start to reply to those ARP requests, and so steal packets from each other.

Manual NAT
To configure manual NAT, instead of using the NAT section of our HOST object we can add rules in the NAT section of our firewall policy.
To recreate the same NAT configuration as the previous example, there must also be another HOST object with the public IP configured.

And then we can create the NAT rule:

As I said, the automatic NAT method configures the proxy ARP automatically.
When using manual NAT, the proxy ARP must be added manually. Check this post "Checkpoint Proxy ARP for manual NAT on VSX" for more information.

Manual NAT vs Automatic NAT

Then, if manual NAT requires more configuration, why should I use it? Good question.

Sometimes we need to perform NAT based on destination port (or any combination of source IP, destination IP and port).

For example:

When accessing the public IP, the internal destination IP the firewall NATs to depends on the destination port:

Or this rule allows us to access three different internal servers on the same port with a single public IP (based on the original packet destination port).

So, if the NAT rule is simple, better use Automatic NAT. Otherwise, your only option is using the Manual NAT method.
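To show what the rule table above means in practice, here is an added example (not code from the original post) that evaluates a first-match NAT rule base in the Original/Translated shape Check Point displays, where "Original" means the field is left unchanged. The automatic static NAT rule is the one from the post; the manual port-based rules and the 80.80.100.101 public IP are constructed to show the case automatic NAT cannot express.

```python
"""First-match NAT rule evaluation with automatic and manual rule examples.
MANUAL_BY_PORT and its addresses are constructed for this example."""
ANY = "Any"
ORIGINAL = "Original"

# Rule tuple: (orig_src, orig_dst, orig_service, xlate_src, xlate_dst, xlate_service)
AUTOMATIC_STATIC = [
    (ANY, "80.80.100.100", ANY, ORIGINAL, "10.10.50.50", ORIGINAL),
]
# Constructed manual rules: one public IP, three internal servers chosen by port.
MANUAL_BY_PORT = [
    (ANY, "80.80.100.101", 80, ORIGINAL, "10.10.50.80", ORIGINAL),
    (ANY, "80.80.100.101", 443, ORIGINAL, "10.10.50.81", ORIGINAL),
    (ANY, "80.80.100.101", 22, ORIGINAL, "10.10.50.82", ORIGINAL),
]


def _matches(field, value):
    return field == ANY or field == value


def translate(rules, src, dst, port):
    """Apply the first matching rule; return (src, dst, port) after translation."""
    for o_src, o_dst, o_svc, t_src, t_dst, t_svc in rules:
        if _matches(o_src, src) and _matches(o_dst, dst) and _matches(o_svc, port):
            return (src if t_src == ORIGINAL else t_src,
                    dst if t_dst == ORIGINAL else t_dst,
                    port if t_svc == ORIGINAL else t_svc)
    return (src, dst, port)  # no rule matched: packet is routed unchanged


def proxy_arp_addresses(rules):
    """Public IPs the gateway must answer ARP for. Automatic NAT adds these
    itself; with manual NAT the administrator has to add them, as the post says."""
    return sorted({o_dst for _, o_dst, _, _, _, _ in rules if o_dst != ANY})


if __name__ == "__main__":
    print(translate(AUTOMATIC_STATIC, "203.0.113.5", "80.80.100.100", 443))
    print(translate(MANUAL_BY_PORT, "203.0.113.5", "80.80.100.101", 22))
    print(translate(MANUAL_BY_PORT, "203.0.113.5", "80.80.100.101", 25))
    print(proxy_arp_addresses(AUTOMATIC_STATIC + MANUAL_BY_PORT))
```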


Checkpoint Firewall Policy installation flow process


Solution
Policy installation flow:

1. Assuming the initiation was made by the SmartDashboard, as opposed to using command line options, such as fwm load (on Management Server)
or fw fetch (on Security Gateway), the Check Point Management Interface (CPMI) policy installation command is sent to FWM process on the
Management Server where the verification and compilation takes place.
2. FWM process is responsible for code generation and compilation.
3. FWM process invokes the Check Point Policy Transfer Agent (CPTA) command that sends the policy to all applicable Security Gateways.
4. CPD process on the Security Gateway receives the policy and verifies its integrity.
5. FWD process on the Security Gateway updates all of the user-mode processes responsible for enforcement aspects. These include VPND process for
VPN issues, FWSSD processes for Security Server issues, and so on. Once complete, the CPD process then initiates the update for Check Point
kernel.
6. The new policy is prepared, and the Check Point kernel holds the current traffic and starts queuing all incoming traffic.
7. The Atomic Load takes place. This process should take a fraction of a second.
Note: During Atomic Load, SecureXL is disabled and re-enabled afterwards.
8. The traffic queue is released, and all of the packets are handled by the new security policy.
