Monday, 19 May 2014

HOW TO CONFIGURE SSH ON A CISCO SWITCH

How to Configure SSH on a Cisco Switch?
Telnet is a widely used protocol for accessing and administering Cisco devices, but it is not secure: it transmits data over the network in plain text.

SSH is a secure protocol, and it is best practice to use it for access to all devices. Configuring SSH on most Cisco switch models is straightforward: you need to generate an RSA key pair, and it is recommended to enable the AAA (Authentication, Authorization and Accounting) model.

Here are the steps:
Switch# config t
Switch(config)# ip domain-name demo.net
Switch(config)# crypto key generate rsa

At this point you will be prompted for the modulus size (the key length in bits) to use for key generation. Once the key has been generated, continue:

Switch(config)# username admin privilege 15 secret 'password' (replace 'password' with a strong password; you can create more usernames)
Switch(config)# aaa new-model (enables the AAA model on the switch)
Switch(config)# line vty 0 15
Switch(config-line)# transport input ssh
Switch(config-line)# no password
Switch(config-line)# transport preferred ssh
Switch(config-line)# exit
Switch(config)# exit
Switch# copy run start (saves the configuration changes to the startup configuration)

After these steps, the Cisco device can be accessed over SSH using tools such as PuTTY or the OpenSSH client in Cygwin. Cygwin can also be integrated with your PowerShell interface, saving the time spent switching between shells. You can also call the Start-Transcript cmdlet in your PowerShell profile to keep a log of your commands if necessary.
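A practitioner wants to verify that the settings above actually ended up in the running configuration, for example on every switch in a fleet. The following is an added example, not part of the original post and not a Cisco tool: a small Python scanner that reads the text of "show running-config" and reports anything that would still leave the management plane open. The sample configuration, its hostname, user and the hash value in the secret line are constructed, and the line scanner deliberately understands only the handful of commands the post configures.

```python
"""Audit a Cisco IOS running-config for the SSH-only management settings.

Added example, not from the original post. It checks a configuration text
(here a constructed sample) for the items the post configures: an ip
domain-name, aaa new-model, a local user with an encrypted secret, and vty
lines that accept only SSH."""
import re

# Constructed sample of what "show running-config" returns; the secret hash is a placeholder.
SAMPLE_CONFIG = """\
hostname Switch
ip domain-name demo.net
aaa new-model
username admin privilege 15 secret 5 $1$abcd$constructedhashvalue/
!
line con 0
line vty 0 4
 transport input ssh
 transport preferred ssh
line vty 5 15
 transport input telnet ssh
!
end
"""


def parse_vty_lines(config):
    """Return {'line vty A B': [indented commands]} for each vty block."""
    blocks = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = None  # any other top-level command ends the block
    return blocks


def audit_ssh_config(config):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    if not re.search(r"^ip domain-name \S+", config, re.M):
        findings.append("no ip domain-name (RSA key generation needs one)")
    if not re.search(r"^aaa new-model$", config, re.M):
        findings.append("aaa new-model is not enabled")
    if not re.search(r"^username \S+ .*\bsecret\b", config, re.M):
        findings.append("no local user with an encrypted secret")
    for vty, cmds in parse_vty_lines(config).items():
        transport = [c for c in cmds if c.startswith("transport input")]
        if not transport:
            findings.append(f"{vty}: transport input not set (telnet allowed by default)")
        elif transport[-1] != "transport input ssh":
            findings.append(f"{vty}: {transport[-1]} still permits non-SSH access")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE_CONFIG) or ["config passes"]:
        print(finding)
```

The sample deliberately leaves the second vty range (5 to 15) on "transport input telnet ssh", which is the kind of partial hardening the check is meant to catch; the post's "line vty 0 15" covers all sixteen lines at once and avoids that gap.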

Sunday, 18 May 2014

VLAN DIFFERENCE BETWEEN JUNIPER AND CISCO

VLAN Difference between Juniper and Cisco Switches
A VLAN (Virtual Local Area Network) is a logical LAN segment with its own broadcast domain. Basically, a VLAN divides one physical switch into multiple logical switches. You can configure hundreds of VLANs on one EX series switch, whether it is an EX4200, EX3200 or EX2200. Today I will show you the VLAN differences between Juniper and Cisco switches.

There are two port modes on a Juniper switch: access mode and trunk mode. An interface in access mode connects to an end device, such as a laptop or an IP phone. An interface in trunk mode connects to other switches in the network.

There are many differences between Juniper and Cisco switches.

1. On Cisco switches the default port mode is dynamic desirable auto, but on Juniper switches the default port mode is access mode.
2. On Cisco switches the default VLAN (VLAN 1) is untagged and is the native VLAN, but on Juniper switches there is no default native VLAN; you must configure it manually.
3. Cisco trunk ports accept all VLANs in the range 1 to 4095 by default, but Juniper trunk ports do not carry any VLANs until you add them manually.
4. On Juniper switches a VLAN named default is present by default, and all interfaces belong to it.
5. Unlike Cisco switches, Juniper switches do not support VTP (VLAN Trunking Protocol) or DTP (Dynamic Trunking Protocol). Juniper switches do support GVRP (GARP VLAN Registration Protocol).
6. Juniper switches have two port modes: access and trunk. Cisco switches have five: dynamic desirable auto, dynamic desirable, access, trunk and nonegotiate.
7. Juniper switches support the 802.1Q protocol for trunk ports. Cisco switches support both 802.1Q and ISL (Inter-Switch Link).


Friday, 16 May 2014

COMMAND TO LIST ALL SHARED FOLDERS ON WINDOWS SERVER

How to list the shared folders on a Windows server?

Below are the PowerShell commands to list the shared folders on a server and the access rights of a shared folder.

Open PowerShell with administrator privileges and paste the commands below.
# To list the shared folders on localhost
gwmi -Class Win32_Share -ComputerName localhost | sort name

# To list the shared folders on a remote server
gwmi -Class Win32_Share -ComputerName 10.10.1.x | sort name

# To save the list of shared folders to a file
gwmi -Class Win32_Share -ComputerName localhost | sort name | out-file C:\TS1.txt

# To list the access rights of a shared folder
Get-Acl D:\TestShare | select -exp Access

# To list the access rights of a shared folder and save them to a file
Get-Acl D:\TestShare | select -exp Access | out-file C:\TS1\TS1permissions.txt


TO LIST DOWN SHARE FOLDERS AND ACCESS RIGHTS IN WINDOWS SERVER 2003

Open a command prompt with "Run as administrator".
REM To list all the shared folders on a server (output goes to filename.txt)
wmic /output:filename.txt share get caption,name,path

REM To save the access rights of a shared folder to a file
icacls sharefoldername /save ts21share.txt

REM To list the access rights of a shared folder
cacls sharename

Saturday, 10 May 2014

DIFFERENCE BETWEEN IDS AND IPS

What is an IDS?
An IDS (Intrusion Detection System) is a system that detects inappropriate, incorrect or anomalous activity on a network and reports it. An IDS can also be used to detect whether a network or a server is experiencing an unauthorized intrusion. An IPS (Intrusion Prevention System) is a system that actively disconnects connections or drops packets when they contain unauthorized data. An IPS can be seen as an extension of an IDS.

IDS
An IDS monitors the network and detects inappropriate, incorrect or anomalous activity. There are two main types. The first is the network intrusion detection system (NIDS). These systems examine traffic on the network and monitor multiple hosts to identify intrusions: sensors capture the traffic, and each packet is analyzed for malicious content. The second type is the host-based intrusion detection system (HIDS). A HIDS is deployed on a host machine or server and analyzes data local to that machine, such as system log files, audit trails and file system changes, to identify unusual behavior; it compares the host's normal profile with the observed activity to identify potential anomalies. In most deployments IDS sensors are placed between the border router and the firewall, or outside the border router. In some cases they are placed outside both the firewall and the border router with the intention of seeing the full breadth of attempted attacks. Performance is a key issue for an IDS because it is used with high-bandwidth network devices; even with high-performance components and up-to-date software, an IDS tends to drop packets when it cannot handle the throughput.

What is an IPS?
IPS
An IPS is a system that actively takes steps to prevent an intrusion or an attack when it identifies one. IPS are divided into four categories. The first is network-based intrusion prevention (NIPS), which monitors the entire network for suspicious activity. The second is network behavior analysis (NBA), which examines traffic flows to detect unusual flows that could be the result of an attack such as a distributed denial of service (DDoS). The third is the wireless intrusion prevention system (WIPS), which analyzes wireless networks for suspicious traffic. The fourth is the host-based intrusion prevention system (HIPS), a software package installed to monitor the activity of a single host. As mentioned earlier, an IPS takes active steps such as dropping packets that contain malicious data and resetting or blocking traffic from an offending IP address.

What is the difference between IPS and IDS?
An IDS monitors the network and detects inappropriate, incorrect or anomalous activity, while an IPS detects an intrusion or attack and takes active steps to prevent it. The main difference is that, unlike an IDS, an IPS actively prevents or blocks the intrusions it detects. These preventive steps include dropping malicious packets and resetting or blocking traffic from malicious IP addresses. An IPS can be seen as an extension of an IDS with the additional capability to prevent intrusions as it detects them.
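The distinction above (detect and report versus detect and block) is easiest to see when the same detector runs in both roles over the same traffic. The following is an added example, not part of the original post and not taken from any IDS product: a small Python port-scan heuristic (many distinct destination ports from one source to one host within a short window, the "stealth port scan" pattern mentioned above) wired once as a passive IDS and once as an inline IPS. The packet records, addresses and thresholds are constructed.

```python
"""IDS versus IPS on the same traffic: an added example, not from the original post.

The detector flags a source that probes many distinct ports on one host within
a short window. Run as an IDS it only raises alerts and every packet is
forwarded; run as an IPS the offending source is blocked from the moment it
is detected. Flow records and thresholds are constructed."""
from collections import defaultdict

# Constructed packet records: (time in seconds, src ip, dst ip, dst port)
PACKETS = [
    (0.0, "10.0.0.5", "10.0.0.20", 80),
    (0.5, "10.0.0.5", "10.0.0.20", 443),
    (1.0, "10.0.0.9", "10.0.0.20", 22),
    (1.1, "10.0.0.9", "10.0.0.20", 23),
    (1.2, "10.0.0.9", "10.0.0.20", 25),
    (1.3, "10.0.0.9", "10.0.0.20", 80),
    (1.4, "10.0.0.9", "10.0.0.20", 110),
    (1.5, "10.0.0.9", "10.0.0.20", 143),   # sixth distinct port: detection fires here
    (1.6, "10.0.0.9", "10.0.0.20", 443),
    (2.0, "10.0.0.5", "10.0.0.20", 80),
]

SCAN_PORTS = 6      # distinct ports from one source to one destination ...
SCAN_WINDOW = 5.0   # ... within this many seconds (constructed thresholds)


class PortScanDetector:
    """Sliding-window count of distinct destination ports per (src, dst) pair."""

    def __init__(self, ports=SCAN_PORTS, window=SCAN_WINDOW):
        self.ports, self.window = ports, window
        self.seen = defaultdict(dict)  # (src, dst) -> {port: time last seen}

    def observe(self, t, src, dst, dport):
        """Record one packet; return True when the scan threshold is reached."""
        hist = self.seen[(src, dst)]
        hist[dport] = t
        # forget ports last seen outside the window
        for p in [p for p, last in hist.items() if t - last > self.window]:
            del hist[p]
        return len(hist) >= self.ports


def run(packets, mode="ids"):
    """Process packets; return (alerts, forwarded packets).

    mode="ids": passive sensor, alert only, every packet is forwarded.
    mode="ips": inline, drop all traffic from a source once it is detected."""
    detector = PortScanDetector()
    flagged = set()
    alerts, forwarded = [], []
    for pkt in packets:
        t, src, dst, dport = pkt
        if mode == "ips" and src in flagged:
            continue  # inline drop: a blocked source never reaches the destination
        if detector.observe(t, src, dst, dport) and src not in flagged:
            alerts.append(f"t={t}: port scan from {src} against {dst} "
                          f"({detector.ports} ports within {detector.window}s)")
            flagged.add(src)
            if mode == "ips":
                continue  # also drop the packet that completed the pattern
        forwarded.append(pkt)
    return alerts, forwarded


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        alerts, forwarded = run(PACKETS, mode)
        print(mode.upper(), alerts, f"forwarded {len(forwarded)} of {len(PACKETS)}")
```

Both modes produce the same single alert; the IDS forwards all ten packets, while the IPS forwards eight, because the packet that completed the pattern and everything the flagged source sent afterwards are dropped. The flip side, visible in the code, is that an inline IPS with a too-low threshold would cut off a legitimate host, which is why IPS thresholds are tuned more conservatively than IDS ones.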

Wednesday, 7 May 2014

ENCRYPT THE DATA YOU STORE

This protects your data from being read by people with access to your computer.

Encrypt your hard drive so that if you lose your computer or you get hacked, your information will be safe. Most recent Apple Macintosh computers contain a built-in encryption system called FileVault that is simple to use. Some versions of Microsoft's Windows 7 also contain a built-in encryption system called BitLocker. Another popular solution is the free, open-source program TrueCrypt, which can either encrypt individual files or entire partitions of your computer or an external hard drive.

Encrypt your smartphone's hard drive. Yes — your smartphone has a hard drive much like your computer has. In fact, your phone probably contains as much — or more — sensitive information about you as your computer does. Apple doesn't let you encrypt your smartphone's hard drive or the files on it, though it allows encryption of your phone's backup files on iTunes or iCloud. You can also use Find My iPhone to remotely "wipe," or delete, the data on your iPhone or iPad if it is lost or stolen. Google's Android operating system lets you encrypt your phone's hard drive.

Encrypt the data you store in the cloud. I use the SpiderOak encrypted cloud service. If an encrypted cloud service were somehow forced to hand over its servers, your data would still be safe, because it's encrypted using a key stored only on your computer. However, this also means that if you lose your password, they can't help you. The encrypted data would be unrecoverable.
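The property described in that paragraph, that the service holds only ciphertext while the key exists only where the password is typed, can be shown in a few dozen lines. The following is an added example and is not SpiderOak's code or any part of the original article: it derives an encryption key and an authentication key from the password with PBKDF2, encrypts with an HMAC-SHA256 keystream in counter mode, and authenticates the result (encrypt-then-MAC), using only the Python standard library. The iteration count, password and sample data are constructed.

```python
"""Client-side encryption with a key derived only from the user's password.

Added example, not part of the original article. It illustrates why a store
holding only the ciphertext cannot recover the data, and why the user cannot
either without the password. Standard library only: PBKDF2-HMAC-SHA256
derives two keys, one drives an HMAC-based counter-mode keystream, the other
authenticates the ciphertext (encrypt-then-MAC)."""
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # constructed choice; raise it as hardware allows


def derive_keys(password, salt):
    """Return (encryption key, mac key), 32 bytes each, from password and salt."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, 64)
    return material[:32], material[32:]


def keystream(key, nonce, length):
    """HMAC-SHA256 used as a PRF in counter mode: block i = HMAC(key, nonce || i)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(password, plaintext):
    """Return salt || nonce || ciphertext || tag; this is all the cloud ever sees."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(password, salt)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt(password, blob):
    """Return the plaintext, or None if the password is wrong or the blob was altered."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # verify before touching the ciphertext
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))


if __name__ == "__main__":
    blob = encrypt("correct horse", b"tax records 2014")   # constructed password and data
    print(decrypt("correct horse", blob))                   # the plaintext
    print(decrypt("wrong password", blob))                  # None: nothing to recover
```

Design choice: the MAC is checked with a constant-time comparison before any decryption, so a tampered blob is rejected outright rather than producing garbage. The HMAC-counter construction is used here because it needs no third-party package; a deployed client would use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a maintained library, with the same password-derived-key structure.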

Encrypt the data you transmit. The Snowden revelations have revealed that U.S. and British spy agencies are grabbing as much unencrypted data as they can find as it passes over the Internet. Encrypting your data in transit can protect it against spy agencies, as well as commercial data gatherers.

Install HTTPS Everywhere on your Web browser. This encrypts your Web browsing sessions, protecting you from hackers and spy agencies that scoop up unencrypted traffic across the Internet. Not every site works properly with HTTPS Everywhere, though an increasing number do.

Use encrypted texting apps with friends who install the same apps on their phones. On the iPhone, Silent Circle and Wickr offer apps for encrypted texting. On Android, the TextSecure app encrypts texts in transit and when they are stored on your device.

Use the Off-the-Record Messaging protocol to encrypt your instant messaging conversations. You can still use your favorite instant-messaging service, such as Gchat or AIM, though you'll need to use a software client that supports the Off-the-Record protocol. On Macs, free software called Adium can enable OTR chats, and on Windows, you can use Pidgin. Once you've set up OTR and gone through a simple verification step, you can IM as you usually do. Both parties have to use OTR for the encryption to work.

Use GNU Privacy Guard to encrypt your email conversations. Like OTR, if you're using GPG you'll need the people you email with to use it as well in order to encrypt your conversations. I use free software called GPG Tools with Enigmail and Postbox. GPG Tools also works directly with Apple's built-in Mail program.

GPG has some shortcomings — it's difficult-to-impossible to use it with the mail program built into most smartphones, and you can't use it easily with webmail like Gmail. (Although there are some new web-based mail programs that use GPG called Mailvelope and StartMail that I haven't had a chance to try yet.)

The most difficult part of GPG is that, unlike the encrypted texting and instant messaging programs, you have to generate a secret key and keep it somewhere secure (usually on your computer or on a USB stick). This often means you can only send GPG mail when you have your key with you. Even so, it is incredibly satisfying once you send your first message and watch it transform into a block of numbers and letters when you click "encrypt."

Monday, 5 May 2014

SNORT AND OSSEC FEATURES


SNORT:
Snort is an open source network intrusion detection and prevention system (IDS and IPS). Developed by the Sourcefire team, it combines the benefits of signature-, protocol- and anomaly-based inspection. It is a very powerful tool and is widely used by penetration testers and security researchers.

Snort can perform protocol analysis and content searching/matching. It can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. It uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that uses a modular plug-in architecture. Snort also has real-time alerting capability, with alerting mechanisms for syslog, a user-specified file, a UNIX socket, or WinPopup messages to Windows clients. Snort has three primary uses: a straight packet sniffer like tcpdump, a packet logger (useful for network traffic debugging, etc.), or a full-blown network intrusion prevention system.

OSSEC:
OSSEC is an open source host-based intrusion detection system that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
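The "flexible rules language" and content matching mentioned above follow a fixed shape: a header (action, protocol, source, source port, direction, destination, destination port) followed by options in parentheses. The following is an added example, not Snort's own code and not part of the original post: a small Python matcher for a subset of that syntax (msg, content with |hex| sections, nocase, sid), run over constructed packet records. Real Snort supports far more (variables, port ranges, the bidirectional operator, pcre, flow and many content modifiers); the rules, addresses and SIDs here are constructed.

```python
"""A minimal matcher for a subset of the Snort rule syntax.

Added example, not from the original post and not Snort code. It parses the
rule header and the msg/content/nocase/sid options, then runs the rules over
constructed packets to show the header/option split and content matching."""
import re

# Constructed rules in Snort syntax (SIDs are placeholders in the local range).
RULES = """\
alert tcp any any -> any 80 (msg:"WEB cgi-bin probe"; content:"/cgi-bin/"; nocase; sid:1000001;)
alert tcp any any -> any 445 (msg:"SMB negotiate"; content:"|FF|SMB"; sid:1000002;)
alert tcp any 23 -> any any (msg:"TELNET server banner"; content:"login:"; sid:1000003;)
"""

# Constructed packets: (proto, src, sport, dst, dport, payload)
PACKETS = [
    ("tcp", "10.0.0.7", 52000, "10.0.0.20", 80, b"GET /CGI-BIN/test HTTP/1.0\r\n"),
    ("tcp", "10.0.0.7", 52001, "10.0.0.20", 445, b"\x00\x00\x00\x2f\xffSMB\x72"),
    ("tcp", "10.0.0.20", 23, "10.0.0.7", 52002, b"\r\nlogin: "),
    ("tcp", "10.0.0.7", 52003, "10.0.0.20", 80, b"GET /index.html HTTP/1.0\r\n"),
]

HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$")


def parse_content(text):
    """Turn a Snort content string into bytes; |..| sections hold hex byte values."""
    out = b""
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out


def parse_rule(line):
    """Parse one rule line into a dict of header fields and options."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError(f"cannot parse rule: {line}")
    action, proto, src, sport, dst, dport, body = m.groups()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "nocase": False}
    for opt in filter(None, (o.strip() for o in body.split(";"))):
        key, _, value = opt.partition(":")   # only the first colon separates key and value
        if key == "nocase":
            rule["nocase"] = True
        else:
            rule[key] = value.strip().strip('"')
    rule["content"] = parse_content(rule.get("content", ""))
    return rule


def _field_matches(pattern, value):
    return pattern == "any" or pattern == str(value)


def packet_matches(rule, pkt):
    """True when the header fields match and the content appears in the payload."""
    proto, src, sport, dst, dport, payload = pkt
    if rule["proto"] not in (proto, "ip"):
        return False
    if not (_field_matches(rule["src"], src) and _field_matches(rule["sport"], sport)
            and _field_matches(rule["dst"], dst) and _field_matches(rule["dport"], dport)):
        return False
    needle, hay = rule["content"], payload
    if rule["nocase"]:
        needle, hay = needle.lower(), hay.lower()
    return needle in hay


def run_rules(rule_text, packets):
    """Return one alert string per (rule, packet) hit, in packet order."""
    rules = [parse_rule(l) for l in rule_text.splitlines() if l.strip() and not l.startswith("#")]
    alerts = []
    for pkt in packets:
        for rule in rules:
            if packet_matches(rule, pkt):
                alerts.append(f"[{rule['sid']}] {rule['msg']} {pkt[1]}:{pkt[2]} -> {pkt[3]}:{pkt[4]}")
    return alerts


if __name__ == "__main__":
    for alert in run_rules(RULES, PACKETS):
        print(alert)
```

The fourth packet is ordinary web traffic to port 80 and matches the header of the first rule but not its content, which is the point of the option section: the header narrows the traffic cheaply, and the content test decides.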

Manager
The manager is the central piece of an OSSEC deployment. It stores the file integrity checking databases, the logs, events and system auditing entries. All the rules, decoders and major configuration options are stored centrally on the manager, making it easy to administer even a large number of agents.

Agents
The agent is a small program installed on the systems you want to monitor. It collects information in real time and forwards it to the manager for analysis and correlation. It has a very small memory and CPU footprint by default and does not interfere with the system's normal use.
Agent security: the agent runs as a low-privilege user (created during installation) inside a chroot jail isolated from the rest of the system. Most of the agent configuration is pushed from the manager; only a few options are stored locally on each agent. If these local options are changed, the manager is informed and generates an alert.

Agentless
For systems on which you cannot install an agent, OSSEC lets you perform file integrity monitoring without the agent installed. This is very useful for monitoring firewalls, routers and even Unix systems on which you are not allowed to install the agent.
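File integrity checking, listed among OSSEC's features above and described in the IDS post as the kind of local data a HIDS examines, comes down to a baseline of file digests and a later comparison. The following is an added example, not OSSEC's code and not part of the original post: a Python checker that records the SHA-256 digest, size and permission bits of every file under a directory, then reports files that were modified, added or removed. The directory tree, its file contents and the changes made to it are constructed in a temporary location so the example runs stand-alone.

```python
"""File integrity checking of the kind a HIDS such as OSSEC performs.

Added example, not OSSEC code and not from the original post. A baseline
records the digest, size and mode of every file under a directory; a later
scan is compared against it. The sample tree and its changes are constructed."""
import hashlib
import os
import stat
import tempfile


def fingerprint(path):
    """Return (sha256 hex, size, permission bits) for one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return h.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode)


def take_baseline(root):
    """Map each file path under root (relative, '/'-separated) to its fingerprint."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = fingerprint(full)
    return baseline


def compare(baseline, current):
    """Return (kind, path) alerts sorted by path: modified, added or removed."""
    alerts = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            alerts.append(("removed", path))
        elif path not in baseline:
            alerts.append(("added", path))
        elif baseline[path] != current[path]:
            alerts.append(("modified", path))
    return alerts


def demo():
    """Build a constructed tree, change it, and return the alerts the check raises."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        baseline = take_baseline(root)

        # constructed changes: a line appended, a file removed, a file added
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("newuser:x:1001:1001::/home/newuser:/bin/sh\n")
        os.remove(os.path.join(etc, "hosts"))
        with open(os.path.join(etc, "motd"), "w") as f:
            f.write("constructed message of the day\n")
        return compare(baseline, take_baseline(root))


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:9} {path}")
```

The baseline is the sensitive part of the design: in OSSEC it lives on the manager, not on the monitored host, so that whoever changes a file cannot also rewrite the record it is compared against. The same separation applies in the agentless case above, where the manager fetches fingerprints from the device and keeps the database itself.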

Virtualization/Vmware
OSSEC allows you to install the agent on guest operating systems or on the host itself (VMware ESX). With the agent installed on the VMware ESX host you get alerts when a VM guest is installed, removed, started, and so on. It also monitors logins, logouts and errors on the ESX server. In addition, OSSEC performs the CIS checks for VMware, alerting if any insecure configuration option is enabled or any other issue is found.

Firewalls, switches and routers
OSSEC can receive and analyze syslog events from a large variety of firewalls, switches and routers. It supports all Cisco routers, Cisco PIX, Cisco FWSM, Cisco ASA, Juniper routers, NetScreen firewalls, Check Point and many others.