Tuesday, May 31, 2016

Cisco Firewall: What Is That "passwd" In CLI?

I was tasked with clearing up an issue on an ASA running 9.4 code. The issue? There was a default password left on the ASA that should be removed. In the CLI, you will see a command "passwd ...". That is the login password used for Telnet and SSH, and it has a well-known default. See Cisco's documentation below:

The login password is used for Telnet and SSH connections. By default, the login password is "cisco." To change the password, enter the following command:
hostname(config)# {passwd | password} password
You can enter passwd or password. The password is a case-sensitive password of up to 16 alphanumeric and special characters. You can use any character in the password except a question mark or a space.
The password is saved in the configuration in encrypted form, so you cannot view the original password after you enter it. Use the no password command to restore the password to the default setting.
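As an added example (not from the original post and not Cisco's code), here is a small Python audit that reads a saved ASA running-config excerpt and reports where the legacy login password still gates remote access. The config text, hostname, networks and the placeholder strings after `passwd`/`password` are constructed for the example and are not real hashes. The `aaa authentication ssh console LOCAL` / `aaa authentication telnet console LOCAL` lines are the ASA settings that move those services to username-based authentication, which is the check worth pairing with this finding. Note also the quoted documentation: `no password` restores the default rather than leaving no login password at all, so the useful question for an audit is which services still rely on that password.

```python
import re

# Constructed ASA running-config excerpt (not from a real device). The values after
# "password"/"passwd" are placeholders standing in for the encrypted strings the ASA
# writes out; they are not real hashes.
SAMPLE_CONFIG = """\
hostname asa-edge
enable password PLACEHOLDER_ENABLE_HASH encrypted
passwd PLACEHOLDER_LOGIN_HASH encrypted
username netadmin password PLACEHOLDER_USER_HASH encrypted privilege 15
telnet 10.10.0.0 255.255.255.0 inside
telnet timeout 5
ssh 10.10.0.0 255.255.255.0 inside
ssh timeout 5
aaa authentication ssh console LOCAL
"""


def audit_login_password(config_text):
    """Return (state, issues): what the config contains, and where the legacy
    Telnet/SSH login password ('passwd'/'password') is still the only gate."""
    state = {
        "login_password_set": False,   # a top-level passwd/password line exists
        "telnet_enabled": False,       # at least one 'telnet <net> <mask> <if>' line
        "ssh_enabled": False,          # at least one 'ssh <net> <mask> <if>' line
        "telnet_uses_aaa": False,      # 'aaa authentication telnet console ...'
        "ssh_uses_aaa": False,         # 'aaa authentication ssh console ...'
    }
    for raw in config_text.splitlines():
        # Only unindented lines are global commands; sub-mode lines are indented.
        top_level = not raw.startswith((" ", "\t"))
        line = raw.strip()
        # 'enable password' and 'username ... password' start differently, so the
        # anchored match below catches only the login password itself.
        if top_level and re.match(r"^(passwd|password)\s+\S+", line):
            state["login_password_set"] = True
        elif re.match(r"^telnet\s+\d", line):      # 'telnet timeout 5' does not match
            state["telnet_enabled"] = True
        elif re.match(r"^ssh\s+\d", line):         # 'ssh timeout 5', 'ssh version 2' do not match
            state["ssh_enabled"] = True
        elif line.startswith("aaa authentication telnet console"):
            state["telnet_uses_aaa"] = True
        elif line.startswith("aaa authentication ssh console"):
            state["ssh_uses_aaa"] = True

    issues = []
    if state["login_password_set"]:
        issues.append("LOGIN_PASSWORD_PRESENT")
    if state["telnet_enabled"]:
        issues.append("TELNET_ENABLED")            # clear-text management protocol
        if state["login_password_set"] and not state["telnet_uses_aaa"]:
            issues.append("TELNET_GATED_BY_LOGIN_PASSWORD")
    if state["ssh_enabled"] and state["login_password_set"] and not state["ssh_uses_aaa"]:
        issues.append("SSH_GATED_BY_LOGIN_PASSWORD")
    return state, issues


if __name__ == "__main__":
    found, problems = audit_login_password(SAMPLE_CONFIG)
    for key, value in found.items():
        print(f"{key:20s} {value}")
    print("issues:", problems)
```

On the sample above, SSH is already behind `aaa authentication ssh console LOCAL`, so only Telnet is reported as still relying on the login password; drop the `passwd` line from the sample and the audit reports only that Telnet is enabled.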

Friday, May 27, 2016

Career Related: Busy Or Productive?

I always find visuals interesting. What does work look like for you?


Monday, May 16, 2016

Check Point Firewall: Rulebase Audit

So I'm at my new job, and I'm really liking it so far. One of the tasks I've been given is to audit a company's Check Point firewalls to see what security items need to be looked at.

Here is a good copy-and-paste from the Check Point best-practices article sk106597.
  • The Business related rules section contains the rules that regulate your business traffic.
    Business related rules should be grouped together in logical sub-sections to make the format of the rulebase easy to understand. The sub-sections that are most heavily used should be placed highest in the rulebase (so long as doing this does not compromise SecureXL tuning).
  • The blue coded rules are the Implied Rules (Policy > Global Properties > Firewall Implied Rules).
    The enabled default Implied rules can be selectively turned off if not required or if the administrator has created specific rules to replace them. This is often done to harden or 'nail-down' the rulebase.
  • The green coded rules are VPN, management and noise rules.
    The admin and management rules control access to the firewall e.g. SSH, HTTPS etc. If the implied rules have been disabled then specific rules to permit all required connections to and from the firewalls will be required.
  • The purpose of the Noise rule is to drop unwanted traffic such as NetBIOS traffic as high up in the rulebase as possible.
    The use of a Noise rule helps to make the firewall more efficient by dropping unwanted traffic high up in the rulebase instead of at the bottom of the rulebase (clean-up rule).
    If the 'noise' traffic is mixed with 'useful' traffic then additional noise rules can be placed within the Business related rules section to drop the unwanted noise traffic once the useful traffic has been matched.
  • The Stealth rule should be located as early as possible in the policy, typically placed immediately after the management rules.
    The purpose of the Stealth rule is to drop unauthorized connections destined to the firewall; protecting the firewall from being scanned and attacked.
    The rulebase is likely to be constantly evolving so the effectiveness of the Stealth rule should be periodically tested; it may need to be re-positioned to maintain effectiveness.
  • The clean-up rule is the last rule in the rulebase and is used to drop and log explicitly unmatched traffic.
    To improve the rulebase performance, noise traffic that is logged in the Clean-up rule should be included in the Noise rule so it is matched and dropped higher up in the rulebase.
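The ordering guidance above (management rules first, then the Stealth rule, a Noise rule above the business section, and a logged Clean-up rule last) can be checked mechanically against a rulebase export. The following Python is an added example, not Check Point's code or anything from sk106597: it takes a rulebase as a list of rows and reports findings in the order the best practices describe. The row fields, the firewall object name `FW_Cluster`, and both sample rulebases are constructed for the example; a real export would be mapped into the same row shape first.

```python
# Names of gateway/cluster objects. Rules whose destination is one of these are
# management rules (accept) or the Stealth rule (drop). Constructed for the example.
FIREWALL_OBJECTS = {"FW_Cluster"}

# Constructed rulebase that follows the sk106597 ordering.
GOOD_RULEBASE = [
    {"name": "Mgmt access", "src": "Admin_Net", "dst": "FW_Cluster", "svc": "ssh,https", "action": "accept", "track": "log"},
    {"name": "Stealth",     "src": "Any",       "dst": "FW_Cluster", "svc": "Any",       "action": "drop",   "track": "log"},
    {"name": "Noise",       "src": "Any",       "dst": "Any",        "svc": "nbname,nbdatagram,nbsession", "action": "drop", "track": "none"},
    {"name": "Web DMZ",     "src": "Any",       "dst": "Web_Servers", "svc": "http,https", "action": "accept", "track": "log"},
    {"name": "Cleanup",     "src": "Any",       "dst": "Any",        "svc": "Any",       "action": "drop",   "track": "log"},
]

# Constructed rulebase with the mistakes the audit is meant to catch.
BAD_RULEBASE = [
    {"name": "Web DMZ",     "src": "Any", "dst": "Web_Servers", "svc": "http",  "action": "accept", "track": "log"},
    {"name": "Mgmt access", "src": "Any", "dst": "FW_Cluster",  "svc": "ssh",   "action": "accept", "track": "log"},
    {"name": "Stealth",     "src": "Any", "dst": "FW_Cluster",  "svc": "Any",   "action": "drop",   "track": "log"},
    {"name": "Cleanup",     "src": "Any", "dst": "Any",         "svc": "Any",   "action": "drop",   "track": "none"},
    {"name": "Old rule",    "src": "Any", "dst": "Any",         "svc": "Any",   "action": "accept", "track": "log"},
]


def is_any(value):
    return value.strip().lower() == "any"


def is_cleanup(rule):
    # Explicit any/any/any drop: the clean-up rule.
    return is_any(rule["src"]) and is_any(rule["dst"]) and is_any(rule["svc"]) and rule["action"] == "drop"


def is_stealth(rule, fw_objects):
    # Drop everything to the firewall itself that earlier rules did not permit.
    return rule["dst"] in fw_objects and is_any(rule["src"]) and is_any(rule["svc"]) and rule["action"] == "drop"


def is_noise(rule):
    # Drop of specific unwanted services to any destination, e.g. NetBIOS.
    return rule["action"] == "drop" and is_any(rule["dst"]) and not is_any(rule["svc"])


def is_business(rule, fw_objects):
    # Accept rule for traffic that is not destined to the firewall.
    return rule["action"] == "accept" and rule["dst"] not in fw_objects


def first_index(rules, pred):
    return next((i for i, r in enumerate(rules) if pred(r)), None)


def audit_rulebase(rules, fw_objects=FIREWALL_OBJECTS):
    """Return a list of finding codes; an empty list means the ordering checks pass."""
    findings = []
    if not rules:
        return ["EMPTY_RULEBASE"]
    # 1. Clean-up rule: present, last, and logged (the log is what feeds the Noise rule).
    cleanup = first_index(rules, is_cleanup)
    if cleanup is None:
        findings.append("NO_CLEANUP_RULE")
    else:
        if cleanup != len(rules) - 1:
            findings.append("CLEANUP_RULE_NOT_LAST")
        if rules[cleanup]["track"].lower() == "none":
            findings.append("CLEANUP_RULE_NOT_LOGGED")
    # 2. Stealth rule: present, with only management (to-firewall) rules above it.
    stealth = first_index(rules, lambda r: is_stealth(r, fw_objects))
    if stealth is None:
        findings.append("NO_STEALTH_RULE")
    else:
        for r in rules[:stealth]:
            if r["dst"] not in fw_objects:
                findings.append("RULE_ABOVE_STEALTH:" + r["name"])
    # 3. Management rules should come from defined admin sources, never from Any.
    for r in rules:
        if r["action"] == "accept" and r["dst"] in fw_objects and is_any(r["src"]):
            findings.append("MGMT_RULE_FROM_ANY:" + r["name"])
    # 4. Noise rule present and above the first business rule.
    noise = first_index(rules, is_noise)
    business = first_index(rules, lambda r: is_business(r, fw_objects))
    if noise is None:
        findings.append("NO_NOISE_RULE")
    elif business is not None and noise > business:
        findings.append("NOISE_RULE_BELOW_BUSINESS")
    # 5. Anything below an any/any/any rule can never be matched.
    catch_all = first_index(rules, lambda r: is_any(r["src"]) and is_any(r["dst"]) and is_any(r["svc"]))
    if catch_all is not None:
        for r in rules[catch_all + 1:]:
            findings.append("UNREACHABLE:" + r["name"])
    return findings


if __name__ == "__main__":
    print("good:", audit_rulebase(GOOD_RULEBASE))
    print("bad: ", audit_rulebase(BAD_RULEBASE))
```

The checks are deliberately structural (position and matching fields only); whether a given drop in the clean-up log should be promoted into the Noise rule is still a judgement call made from the logs, as the article says.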

Sunday, May 15, 2016

Sunday Thought: Man, Do What You Said You Would Do

I have this contractor that has been doing some work for me on that old house I've been redoing. He is a youth minister at a church somewhere, but I'll tell you, it turns out his work ethic stinks. In fact, he took my money and didn't finish the work he was supposed to do.
Now this really gets under my skin. I have come to learn in life that you can't really even trust your brothers and sisters in Christ any more than the world. And I think there is something wrong with that.  I think of Jesus's words in Matthew 5:37:
37 But let your ‘Yes’ be ‘Yes,’ and your ‘No,’ ‘No.’ For whatever is more than these is from the evil one.
Maybe you can say that's about lying or even something else, but I think you can include being a man of your word also in this. 

Monday, May 2, 2016

Check Point Firewall: Last Day On The Job Experience

I thought I would post about a data center move experience I had. I'm missing this blogging thing, and I'll probably be coming back to it some while I get settled in at the new job.
It's funny to me that sometimes your last day at an employer can be one of the most pressured days. I had a customer that was doing a large data center move over the weekend: new gear in the data center, and then moving a large number of servers and some of the existing network gear for special-purpose situations. There were two of us who had split the security roles between us. My goal was to get the HA pair of Check Points up and running while the other engineer worked on a couple of other things in the network. Well, we both ran into issues that we didn't need that night. His BlueCat DHCP management server ended up with a corrupted database during the physical move, and one of my HA Check Point enforcement modules started going non-responsive. Both of us had to do reinstalls: he the BlueCat management server, and I the primary Check Point enforcement module (a 4800). Things always seem to go like this in an important move.
So, for my part in this: during my troubleshooting of the enforcement module, I was not getting anywhere fast. So I decided to get the other enforcement module up and running, which I did. Then I came back to the primary enforcement module and did a reinstall from scratch on it.
Boot to USB, do the install.
Go through the initial setup for IP connectivity and establish SIC.
Make sure all physical connections are correct and push policy.
Back up and running in HA again.

It just goes to show, you never know what to expect on a move like this.