Network Security

Network security consists of the policies and practices adopted to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. It involves the authorization of access to data in a network and covers a variety of computer networks, from private ones within a company to networks open to public access, over which businesses, government agencies and individuals conduct transactions and communications.

Dear zealots, I am configuring routers and switches to mitigate DDoS attacks, following this article: http://www.infosecwriters.com/Papers/HChau_Cisco-DoS-DDoS.pdf

However, when I enter "no ip directed-broadcast" in interface configuration mode on the router and the switch, it is not displayed when I run "show run". Do you know why? My devices' versions are 12.2 (Switch 3750/3560) and 15.1 (Router 3925).

And should I apply this command on VLAN interfaces in switches?
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers' computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat. The purpose of this eBook is to educate the reader about ransomware attacks.
I have 300 Ubuntu 14 PCs on which I block all Internet access except a whitelist. I do this by disabling DNS and having the central server do DNS lookups for everything on the whitelist, put the results in a hosts file, and have all the hosts use that. Obviously, this is a bit hacky, but it worked.

The problem now: I have a need to whitelist *.slack.com. Slack says subdomains change too much; they can't provide a static list, or even a current list and then let me update it.

So I guess I need to enable DNS. What might be easy ways to still restrict to a whitelist of domains? I can easily run shell scripts on all 300 machines (they check in with the central server, grab a script and run it regularly). So anything I can install/configure via script is a viable option...

If it's not too hard I could set up an Ubuntu machine to be a DNS server.

Basically what I want is whatever is easiest so that I can just provide a whitelist, that is allowed to have wildcards like *.slack.com, and block everything else. I suppose it doesn't actually have to be a DNS-based block if there is some client app.

Whatever it is, I am OK to set up a server myself, but the clients need a scriptable install/config.

I want to be able to update the whitelist easily/quickly.

Any ideas/suggestions?
0
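Added example for the DNS whitelist question above (this is not code from the post and not an endorsement of any product; the post only asks for ideas): a script that turns a whitelist with wildcard entries such as *.slack.com into a dnsmasq configuration that sinks every other name to 0.0.0.0, plus a matcher that lets you check the policy before pushing it out. Assumptions that are not in the post: dnsmasq runs on the central Ubuntu server and the clients' resolvers point at it, 9.9.9.9 is the only permitted upstream, and the whitelist file has one entry per line with '#' comments. The sample whitelist is constructed.

```python
"""
Added example, not code from the original post: build a dnsmasq
allow-list from a whitelist that may contain wildcard entries such as
"*.slack.com", and check the policy before shipping it to the clients.

Assumptions (none of these come from the post): dnsmasq runs on the
central Ubuntu server and the clients point at it; 9.9.9.9 is the one
permitted upstream resolver; the whitelist is one entry per line with
'#' comments.
"""
import re

UPSTREAM = "9.9.9.9"  # assumed upstream; only whitelisted names reach it

# Constructed sample whitelist.
WHITELIST_TEXT = """\
# allow Slack and its ever-changing subdomains
*.slack.com
files.slack.com
# Ubuntu mirrors
www.ubuntu.com
security.ubuntu.com
"""

_ENTRY = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$", re.I)


def parse_whitelist(text):
    """Return [(domain, is_wildcard)], rejecting anything that is not a hostname."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not line:
            continue
        if not _ENTRY.match(line):
            raise ValueError("bad whitelist entry: %r" % raw)
        wildcard = line.startswith("*.")
        entries.append((line[2:] if wildcard else line, wildcard))
    return entries


def dnsmasq_config(entries, upstream=UPSTREAM):
    """
    'address=/#/0.0.0.0' answers 0.0.0.0 for every name; a more specific
    'server=/domain/upstream' line wins for that domain and all of its
    subdomains, so wildcard and plain entries produce the same line.
    """
    lines = ["no-resolv", "address=/#/0.0.0.0"]
    for name in dict.fromkeys(n for n, _ in entries):  # dedupe, keep order
        lines.append("server=/%s/%s" % (name, upstream))
    return "\n".join(lines) + "\n"


def is_allowed(qname, entries):
    """The policy as the whitelist reads: a wildcard covers the domain and
    its subdomains, a plain entry is an exact match."""
    q = qname.lower().rstrip(".")
    return any(q == name or (wild and q.endswith("." + name))
               for name, wild in entries)


def dnsmasq_would_allow(qname, entries):
    """What the generated config really does: every entry is a suffix match."""
    q = qname.lower().rstrip(".")
    return any(q == name or q.endswith("." + name) for name, _ in entries)


def policy_gaps(entries, probe_names):
    """Names dnsmasq forwards although the strict reading of the list denies them."""
    return [n for n in probe_names
            if dnsmasq_would_allow(n, entries) and not is_allowed(n, entries)]


if __name__ == "__main__":
    ents = parse_whitelist(WHITELIST_TEXT)
    print(dnsmasq_config(ents))
    print("gaps:", policy_gaps(ents, ["cdn.www.ubuntu.com", "app.slack.com"]))
```

Two caveats worth knowing before relying on this. First, dnsmasq's server=/domain/ line is a suffix match, so a plain entry like www.ubuntu.com also lets cdn.www.ubuntu.com through; policy_gaps() reports exactly those names so you can decide whether that is acceptable. Second, a DNS-only block does nothing against a client that connects to an IP address directly; if that matters, dnsmasq's ipset=/domain/setname option can feed the resolved addresses into an ipset that the firewall consults, so the allow-list is enforced at the packet level too.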
Can you please suggest the best IT security vulnerability reporting software, like HackerOne, that will also be cost-effective?
0
Hello Everyone!

We had some security cameras installed and the installer asked me to open port 8000 for the DVR. We have a SonicWall 1260 Pro and I followed the instructions for port forwarding. I created the service for both TCP/UDP, port 8000, and then created the group. I used the public server wizard to allow public access to the camera IP. After everything was complete I used the site http://www.yougetsignal.com/ to check if port 8000 was open. Unfortunately, the port is still closed. I'm stuck figuring out what I could be doing wrong. We do have 2 static IPs for the site. The other IP is used for the fax machine line. I don't know if this could cause the problem. Any help is appreciated.

Router: SonicWall 1260 Pro
ISP: Cox
WAN: 72.205.202.66
Camera IP: 192.168.168.62
Port: 8000
0
We recently migrated from SBS 2003 to Server 2012 R2. I have a user who frequently gets locked out of her account. She's the only one having the problem. It happens for reasons we cannot account for. This morning she attempted to log in and couldn't. I was able to log into the machine as the domain admin. She logged in on the first attempt (so we know it's not password-related). We disabled the password policy, I unlocked her account on the server, she logged in on the first attempt, had her restart, and she got locked out again. (Windows 7 workstation, in case that makes any difference.)

I changed the domain security policy to disable lockouts (at least I think I did). I tried doing the same thing locally, but mmc (with the security policy snap-in), gpmc and secpol all had all lockout policy options greyed out.

No other users are having the problem, but I'd like to nip it in the bud just in case someone starts to have it. We never had any similar issue on SBS 2003. (Then again, 2003 probably had very little security.)

I've looked at several Microsoft articles, and most of them tell me to go to settings that are greyed out.

Anyone have any thoughts? Thanks. (If you could detail steps for what to do, please do so. I'm not super-familiar with the security components of Windows Server.)
0
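Added example for the lockout question above (not code from the post): the usual way to find what keeps locking one account is not the policy editor but Security event 4740, "A user account was locked out", which the domain controller that processed the lockout writes and which always also lands on the PDC emulator. Its "Caller Computer Name" field names the machine that submitted the bad credentials; after a migration that is often a stale saved password, mapped drive, scheduled task or service on that workstation. The script below parses 4740 messages and counts lockouts per source machine. The events in it are constructed to match the 4740 message layout; on the real PDC emulator you would export them with Get-WinEvent -FilterHashtable @{LogName='Security';Id=4740} and feed the Message text in.

```python
"""
Added example, not from the original post: find which machine is sending
the bad credentials behind repeated lockouts by parsing Security event
4740 ("A user account was locked out") messages. The events below are
constructed to match the 4740 message layout.
"""
import re
from collections import Counter


def _event(locked_account, caller, subject="DC01$"):
    """Build a constructed 4740 message in the Windows layout (sample data)."""
    return (
        "A user account was locked out.\n\n"
        "Subject:\n"
        "\tSecurity ID:\t\tSYSTEM\n"
        "\tAccount Name:\t\t%s\n"          # the DC's account, NOT the locked user
        "\tAccount Domain:\t\tCORP\n"
        "\tLogon ID:\t\t0x3E7\n\n"
        "Account That Was Locked Out:\n"
        "\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1105\n"
        "\tAccount Name:\t\t%s\n\n"
        "Additional Information:\n"
        "\tCaller Computer Name:\t%s\n" % (subject, locked_account, caller)
    )


SAMPLE_4740 = [  # constructed sample events
    _event("jsmith", "WS-07"),
    _event("jsmith", "WS-07"),
    _event("jsmith", "DC01"),   # e.g. a mapped drive reconnect handled by the DC
    _event("bjones", "WS-12"),
    _event("jsmith", ""),       # caller blank: source could not be named
]

# Take the Account Name that follows the "Account That Was Locked Out:"
# header; the Subject block above it carries the DC's own account name,
# and a naive "first Account Name" parse would blame the wrong principal.
_LOCKED = re.compile(r"Account That Was Locked Out:.*?Account Name:\s*(\S+)", re.S)
_CALLER = re.compile(r"Caller Computer Name:[ \t]*(\S*)")


def parse_4740(message):
    """Return (locked_account, caller_computer); caller may be '<unknown>'."""
    m = _LOCKED.search(message)
    if not m:
        raise ValueError("not a 4740 message")
    c = _CALLER.search(message)
    caller = c.group(1).upper() if c and c.group(1) else "<unknown>"
    return m.group(1).lower(), caller


def lockout_sources(messages, account=None):
    """Count lockouts per (account, caller); optionally filter to one account."""
    counts = Counter()
    for msg in messages:
        acct, caller = parse_4740(msg)
        if account is None or acct == account.lower():
            counts[(acct, caller)] += 1
    return counts


def top_caller(messages, account):
    """The computer most often named as the lockout source for `account`."""
    counts = lockout_sources(messages, account)
    if not counts:
        return None
    (_, caller), n = counts.most_common(1)[0]
    return caller, n


if __name__ == "__main__":
    for (acct, caller), n in lockout_sources(SAMPLE_4740).most_common():
        print("%-10s %-10s %d" % (acct, caller, n))
    print("check first:", top_caller(SAMPLE_4740, "jsmith"))
```

Once the caller computer is known, the machine-side evidence is in its own logs (event 4625 failed logons, plus credentials stored in Credential Manager, mapped drives, scheduled tasks and services running as that user). Disabling the lockout policy hides the symptom; the repeated failed authentications continue until the stored credential is fixed.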
Hi,
 
I have a Windows 2016 Hyper-V server box that came with two network cards. The first NIC is connected to the internal LAN (192.168.1.x) and the second NIC is connected directly to the ISP's Internet modem (therefore it receives a dynamic public IP address from the ISP's DHCP server). On the second NIC, I intend to create a virtual machine ("TESTVM") where I'd like to try opening some suspicious email attachments or clicking on website links (to find out whether they are malicious). I have installed Malwarebytes Anti-Exploit/Anti-Malware/Anti-Ransomware on this VM and it sends me email alerts whenever it detects "suspicious" activity.
I plan on connecting to this VM through a remote desktop connection program (ports 3389, 3390, etc.) using dynamic DNS.
Having said that, I know a lot of experts would go against the idea of exposing the server to the public Internet.

I know that I could put another router (192.168.2.x) between the second NIC and the ISP's Internet modem to enhance security, but what I'd like to know is: how vulnerable am I as it is?
How could hackers penetrate this server when the only account is "administrator" with a secure password?

Thank you for your insight.
0
I have 5 IPs available from my ISP. One IP is for an internal website (registered at GoDaddy) and we are using one for our router IP that I plan to use for port forwarding (VPN, RDP). I am unable to assign the WAN interface two different IPs. Could not find the answer in the manual.
0
We developed some apps for our customers. Besides scanning our mobile/iOS
website, auditors have required that we scan the iOS/Android apps that we have
developed for our customers' iOS devices.

Q1:
Is this a feasible or common practice, to scan the apps running on clients' iOS devices?

Q2:
What are some of these scanning tools that anyone can suggest?

Q3:
My view is to scan the mobile portal that we offer, not clients' mobiles/iPads.
0
Q1:
Does anyone scan Disaster Recovery sites, UAT, SIT & Development
sites?

Q2:
For a cold DR site that uses the same public & even the same
internal IP (as in ours) & same URL, I presume externally it's not
possible as we'll have duplicate IPs. One PCI-DSS doc suggests to
do VA & PT scans only for warm & hot sites: is this the common
practice?

Q3:
What about internal VA? Do we do it on UAT, SIT & cold DR?

Q4:
Assuming the cold DR site is powered down / isolated (i.e. not used
even by internal users), is it still worth doing an external pentest &
internal VA? When we apply fixes/patches/address vulnerabilities,
we propagate them to our cold DR.

Any best practice papers / authoritative links will be appreciated.
1
I have a hacker who has compromised my network, devices and my life for over a year. I have found various devices connected to my laptop via Bluetooth, unknown devices on my Wi-Fi network and have collected a bunch of networking logs and see things on there that shouldn't be there, I believe. It's a lot of information that I really don't know how to read and I don't know what information is important. So I'm looking to hire somebody to review the logs and information that I found and tell me what information should be looked at more closely, what information needs to be investigated further, etc.

Definitely willing to pay. Contact me privately if you have history in this area.
0
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Hi,

I am working on a Tenable Nessus audit file for IBM AIX.

What I am trying to achieve is two compliance checks on the /etc/hosts.equiv file:

1. To find all UIDs less than 100 and not equal to the default system user IDs (0,1,2,3,4,5)

2. To find all GIDs less than 100 and not equal to the default system group IDs (0,1,2,3,4,5)

<custom_item>
type: CMD_EXEC
description: "UID less than 100 and not system default UID"
cmd: ""
expect: ""
</custom_item>

<custom_item>
type: CMD_EXEC
description: "GID less than 100 and not system default GID"
cmd: ""
expect: ""
</custom_item>

I am really new to working with Tenable and also new to AIX.

I'd really appreciate it if anyone could help me out with what I should put in the cmd and expect statements to make the compliance check work.

Thanks, really appreciate it!

Link: https://www.ibm.com/support/knowledgecenter/ssw_aix_71/com.ibm.aix.security/passwords_etc_passwd_file.htm
0
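Added example for the AIX audit question above (not from the post, and not Tenable's code): the logic of the two checks, run over constructed /etc/passwd and /etc/group contents in AIX layout so it can be exercised offline. One correction to the post's premise that the example relies on: UIDs live in /etc/passwd and GIDs in /etc/group (third field in both; the IBM page linked in the post describes /etc/passwd), while /etc/hosts.equiv holds r-command host trust entries and contains no numeric IDs. The allowed sets 0-5 are the ones the post names; the sample data is constructed to resemble a stock AIX install, where accounts such as lp and lpd and groups such as mail, security, cron, printq and audit also sit below 100, so expect to extend the allow-sets after a first run. The awk one-liner in the comment is an assumed shell form of the UID check for the audit file's cmd: line; the PASS/FAIL token convention for expect: is likewise an assumption about how you lay out the check.

```python
"""
Added example, not from the post or from Tenable: the logic behind the two
checks, run over constructed /etc/passwd and /etc/group contents in AIX
layout. UIDs are field 3 of /etc/passwd, GIDs field 3 of /etc/group.
"""

SYSTEM_UIDS = {0, 1, 2, 3, 4, 5}   # "default system user ids" from the post
SYSTEM_GIDS = {0, 1, 2, 3, 4, 5}   # "default system group ids" from the post
LIMIT = 100

# Constructed samples in AIX format ('!' in the password field; hashes
# live in /etc/security/passwd on AIX). Resembles a stock install.
PASSWD_SAMPLE = """\
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/guest:
nobody:!:4294967294:4294967294::/:
lpd:!:9:4294967294::/:
lp:*:11:11::/var/spool/lp:/bin/false
appsvc:*:42:1::/home/appsvc:/usr/bin/ksh
"""

GROUP_SAMPLE = """\
system:!:0:root
staff:!:1:appsvc
bin:!:2:root,bin
sys:!:3:root,bin,sys
adm:!:4:bin,adm
uucp:!:5:uucp
mail:!:6:
security:!:7:root
cron:!:8:root
printq:!:9:lpd,lp
audit:!:10:root
usr:!:100:guest
"""


def parse_ids(text):
    """Yield (name, numeric id) from passwd- or group-style text; the id is
    field 3 in both files. Malformed lines are an error, not silently
    skipped: a check that skips lines can be fooled by a crafted entry."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        try:
            yield fields[0], int(fields[2])
        except (IndexError, ValueError):
            raise ValueError("line %d malformed: %r" % (lineno, line))


def low_ids_not_allowed(text, allowed, limit=LIMIT):
    """Entries with id < limit that are not in the allowed set."""
    return [(name, i) for name, i in parse_ids(text)
            if i < limit and i not in allowed]


def compliance_token(offenders):
    """One-line result for a CMD_EXEC check. Assumption about the audit file:
    the command prints PASS when nothing is flagged and 'expect: "PASS"'
    matches only then; empty output would not satisfy the regex."""
    if not offenders:
        return "PASS"
    return "FAIL " + " ".join("%s(%d)" % (n, i) for n, i in offenders)


# Assumed shell form of the UID check for the audit file's cmd: (untested on
# AIX; inner double quotes need escaping inside the audit file's own quotes):
#   awk -F: '$3 < 100 && $3 > 5 { o = o " " $1 "(" $3 ")" }
#            END { print (o == "" ? "PASS" : "FAIL" o) }' /etc/passwd

if __name__ == "__main__":
    print("UID:", compliance_token(low_ids_not_allowed(PASSWD_SAMPLE, SYSTEM_UIDS)))
    print("GID:", compliance_token(low_ids_not_allowed(GROUP_SAMPLE, SYSTEM_GIDS)))
```

Run against the samples, the UID check flags lpd(9), lp(11) and appsvc(42) and the GID check flags mail, security, cron, printq and audit; the first two and all five groups are stock AIX objects, which is the practical point: a check that only allows 0-5 will fail on every AIX box until the allow-set reflects what the OS ships, and the real finding is the remaining entry (appsvc here) that nobody can account for.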
We need to have a standalone IPS solution put in. We currently run two pfSense firewalls in an HA setup. I was looking around on eBay and saw a TippingPoint 210E (two of them). Are they still good, with updates to definitions? Any other lower-cost recommendations?
pfSense HA works a little oddly too, so I'm not sure if this will even work.
Firewall 1 WAN IP x.x.x.1
Firewall 2 WAN IP x.x.x.2
Firewall Shared WAN IP x.x.x.3

Same setup with internal LAN IPs.  Each firewall has its own physical connection to the modem via ethernet for the WAN side and LAN side.
0
I plan to give a contractor TeamViewer access to my Windows 10 computer, which accesses my Windows Server 2012 via RDP.

If Windows Server 2012 has FTP disabled or NOT installed, can the contractor download huge 10GB+ files to his computer without me knowing?

If so, how can I prevent this?
0
There have been vendor accesses via RDP & TeamViewer with internal staff's help:
staff use broadband (guest network & 4G) to connect their laptops, & their LAN,
to the corporate network.

How can I thoroughly trace these down & block them?

Certainly they'll need some sort of accounts to log in, right?
0
Hi,

We are looking for recommendations for a network level internet filter.
At the moment, we are using OpenDNS or the DrayTek content filter, but neither is particularly robust.

Our main requirement is that it be a network filter in the true sense, in that there is no need to install an agent on the end-user device or have to deploy proxy settings. The above filters work at the router level.

Another nice feature, but not as essential, would be to have granular controls, rather than one policy for all.

Does anyone have any recommendations?

Thanks!
0
Hopefully, someone may have a little bit of input, or knowledge regarding such a rare setup,

We deployed an open-source network monitoring tool called "NetForce Defender" by a company called MainNerve.

In order to comply with the developer's prerequisites, we built a server running Ubuntu Linux Server and installed the software on there. We also needed to dedicate two NIC interfaces, one with a static IP address that is used as a management port, and the other as the monitoring port (we connected this port directly to our default gateway, on a port that the main uplink port to our ASA is being mirrored/spanned to, in order for the NetForce server to monitor all inbound/outbound traffic). The second NIC interface is configured in IDS/promiscuous mode.

In order to view the output/events/statistics being monitored, you would enter the IP of the management NIC into a web browser and a gui will pop up (it's called Kibana).

I see no evidence that the firewall is actually being monitored/audited... not sure if I am looking in the wrong place, the port mirroring on our gateway is not properly set up, or I goofed up somewhere in the process of installing NetForce defender. It's a very complicated process configuring everything and it took me literally a week.

If there is a way to verify that the ASA is even being monitored, any tips would be appreciated.
0
I have a hacker who is aggressively attacking my network and need advice on which router is the most secure/encrypted?
0
Hi Experts,

I need to set up MAB authentication on Cisco ACS 5.6 for one of our wireless networks.

Can someone please outline the steps I need to take?

I have attempted to set it up using tutorial videos and forum answers but can't get it working.
0
We have a sonicwall firewall (DELL Sonicwall TZ600), that is restricting access to pinterest.com.  We have both pinterest.com and pin.it listed as sites to always be allowed by our content filtering.  Is there anyway to get pinterest to come through, without allowing all social media?  We have confirmed different PCs with different Windows OS versions and different browsers (firefox, chrome, IE, and Edge) cannot get into the site.  They get to the pinterest login screen, but then after that they get an empty screen, and do not get access to the site.
0
Our security group wants us to use a new CA and I need to update our Cisco ACS cluster. The current CA cert has the box checked for
"Trust for client with EAP-TLS". I have only a small group currently using EAP-TLS for Wi-Fi and I can work through those folks. My question is: could there be any way that unchecking that box and/or adding the new CA certificate could impact RADIUS or TACACS authentication, each of which points to Active Directory for auth? I think the answer is no. But if there's an expert with more insight, I'd appreciate it. TY
0
We have several clients who all run Microsoft Windows Server, typically 2012 / 2016 with two Hyper-V VMs providing domain controller and Exchange Server facilities. They range in size from 10 to 40 users, so small to medium size usage.

We are looking for some software that we can standardize on that will allow us to monitor and control/block the internet activity for each user. Being able to block things like facebook and inappropriate sites would be helpful.

Does anyone have any experience of a good value product that is not over complex, that we can take a look at, as to be honest on starting my investigations, I was blown away by the number of products and massive variation in price.

Any suggestions would be much appreciated.

Many thanks
0
Currently our Proofpoint can take from a few minutes to 3 hours before it detects that new
emails containing certain attachments & links (i.e. new threats) are 'malicious' or spam.
To claw back malicious emails 2-3 hours later is rather late. I would rather have late delivery.

Our Bluecoat MAA that protects against malicious downloads (or malicious sites) can
take up to several minutes: I just encountered one case yesterday where malicious .eot
files were downloaded by several users before it blocked users from downloading them.
This Bluecoat MAA is supposed to protect against 0-day and unknown threats as well,
but we have had quite a few infections/downloads in the past: possibly its 'sandboxing'
is not real-time / fast enough.

I'm hesitant to deploy endpoint IPS (HIPS) on workstations at this moment, so skip
this for the time being, as HIPS can impact legitimate services/apps if not tested thoroughly,
while network-based tools like MAA (& Trend Micro Discovery) are less disruptive.

Besides educating users (which we have done quite a lot), I'm looking for sandboxing
products that could perform much faster: I read one academic article saying that products
that implement 'prefetching' using multiple layers of caches are much faster. If they use
SSDs, would it be faster?

In particular against ransomware, as one highly successful one is extracted below:

Sky News Technology Correspondent Tom Cheshire described the attack as "unprecedented". The ransomware appears to use NSA 0-day …
0
We have a user who is unable to communicate when "switchport port-security" is turned on on his port.  The port itself doesn't go into an error disabled state when port-security is turned on but, as soon as I do, the client stops responding.  As soon as I turn it back off, the client is able to communicate again.  I don't have to shut, no shut the port.

Whilst port-security is turned on, all I see in Wireshark is the client trying to resolve the MAC address (ARP) of the default gateway and getting no response.

I'm stumped, please help.

This is what I got when turning on port-security debugging:

202157: HPSECURE HRPC: sending req(HRPC_HPSECURE_CONFIG:blocking) size(12) to(2)
202158: Got responses for 4 request from switch: 2
 error code : 0,  handler code : 0
202159: hpsecure_addr_list_modify action(0) hwidb(Gi1/0/1) mac(1111.1111.1111) vlan(111) type(2) age(0)
202160: HPSECURE HRPC: sending req(HRPC_HPSECURE_ADDR:non-blocking) size(28) to(2)
202161: hpsecure_hrpc_event_list_process processed 28 bytes in 1 messages
0
I have tried this type of configuration. My current setup is 1x Layer 3 switch and 4x Layer 2 switches as a distribution layer. I want to add another Layer 3 switch in case the other fails, so everyone can still get out on the net.

My question is really: is this setup possible? Because the routed VLANs are on one L3 switch only, as soon as that switch dies everyone will lose their default gateways.

Is there a way the 2 L3 switches in the core layer can be configured for redundancy in case the other switch fails? Please guide me for this type of configuration.
0
Without logging into the server, is there a way to scan if the server
has Apache Struts in it?

Do quote any free tools.  Will the commandline wget or curl help?

We have McAfee Vulnerability Manager but seems like it's specific to
certain CVEs but what we want is not to establish if the Struts version is
vulnerable (or has been patched), just to know if Struts is present.
0
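Added example for the Struts question above (not from the post, and not McAfee's or any other vendor's logic): an unauthenticated presence check that looks for two kinds of evidence and, as asked, needs nothing more than HTTP. Links or form targets ending in .action (the Struts 2 default mapping) or .do (Struts 1, but also used by other frameworks, so weak on its own) hint at Struts; much stronger is the set of static files Struts 2 serves out of its own jar under /struts/ (utils.js, xhtml/styles.css; webconsole.html only when devMode is on) unless the application turned struts.serve.static off, and Java class names such as org.apache.struts or com.opensymphony.xwork2 leaking in an error page. The responses below are constructed so the check runs offline; the live fetch uses only the standard library and the host in its docstring is an assumption. This establishes presence only, which is what the post wants; it says nothing about the version or whether it is patched.

```python
"""
Added example, not from the post or from any vendor tool: an unauthenticated
check for whether a web application is built on Apache Struts, run here
against constructed responses so it works offline.
"""
import re
from urllib.error import HTTPError, URLError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

# Static files Struts 2 serves from its own jar by default; webconsole.html
# only appears with devMode on.
STATIC_PROBES = ["/struts/utils.js", "/struts/xhtml/styles.css",
                 "/struts/webconsole.html"]

_ACTION_LINK = re.compile(
    r'["\'](?:[^"\'\s]*/)?[\w\-/]+\.(?:action|do)(?:\?[^"\']*)?["\']', re.I)
_CLASS_STRINGS = ("org.apache.struts", "com.opensymphony.xwork2")

# Constructed sample responses.
SAMPLE_ROOT = ('<html><body><form action="/login.action" method="post">'
               '<input name="j_username"></form>'
               '<a href="/orders/list.action?page=1">Orders</a></body></html>')
SAMPLE_PROBES = {"/struts/utils.js": (200, "var StrutsUtils = {};\n"),
                 "/struts/xhtml/styles.css": (404, ""),
                 "/struts/webconsole.html": (404, "")}
PLAIN_ROOT = '<html><body><a href="/about.html">About</a></body></html>'
PLAIN_PROBES = {p: (404, "") for p in STATIC_PROBES}


def body_indicators(body):
    """Weak and strong hints from any HTML page (home page, error page)."""
    found = []
    if _ACTION_LINK.search(body):
        found.append("link to .action/.do")
    low = body.lower()
    found += ["class name " + s for s in _CLASS_STRINGS if s in low]
    if "struts.token" in low:          # token interceptor's hidden fields
        found.append("struts.token form field")
    return found


def probe_indicators(responses):
    """responses: {path: (status, body)} for the STATIC_PROBES paths."""
    found = []
    for path in STATIC_PROBES:
        status, body = responses.get(path, (None, ""))
        if status == 200 and body.strip():
            note = " (mentions struts)" if "struts" in body.lower() else ""
            found.append(path + " served" + note)
    return found


def assess(root_body, probe_responses):
    """Return (verdict, indicators). Strong = a /struts/ file or a framework
    class name; only a .do/.action link is merely 'possible'."""
    ind = body_indicators(root_body) + probe_indicators(probe_responses)
    strong = any(i.startswith("/struts/") or i.startswith("class name")
                 for i in ind)
    if strong:
        verdict = "likely Struts"
    elif ind:
        verdict = "possible Struts"
    else:
        verdict = "no evidence"
    return verdict, ind


def fetch(base, path, timeout=5):
    """Live GET returning (status, body); not exercised in the offline demo."""
    req = Request(urljoin(base, path.lstrip("/")),
                  headers={"User-Agent": "struts-presence-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read(65536).decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, ""
    except URLError:
        return None, ""


def assess_live(base):
    """Probe one context root, e.g. 'https://app.example.com/' (assumed host).
    base must end with '/'; an app deployed under a context path needs base
    set to that path, since /struts/ is relative to the application."""
    _, root = fetch(base, "/")
    return assess(root, {p: fetch(base, p) for p in STATIC_PROBES})


if __name__ == "__main__":
    print(assess(SAMPLE_ROOT, SAMPLE_PROBES))
    print(assess(PLAIN_ROOT, PLAIN_PROBES))
```

The same probe by hand is a one-liner: curl -sI against https://host/struts/utils.js and a 200 with JavaScript content is the strong signal, a 404 proves nothing (static serving may be off, or the app may live under a context path). A negative result from either the script or curl is therefore weaker than a positive one, which is worth stating to the auditors alongside the finding.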
