

Network Security

Network security consists of the policies and practices adopted to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves authorizing access to data in a network, and covers a variety of computer networks used for transactions and communications among businesses, government agencies and individuals. Networks can be private, such as within a company, or open to public access.


I was told Exabeam UEBA charges based on the number of staff and no agent needs
to be installed on endpoints, as it correlates/uses Splunk's data.

Since this is "user behavior", should we pipe users' PC/laptop events
to the SIEM (have Splunk in mind), or in general do people only pipe server
and network device events to Splunk (i.e. PC events are not piped)?

Splunk gave me a spreadsheet for sizing which did not have a column
to input the number of PCs/laptops, while in the bank I worked for previously,
PC/laptop events were not piped to the SIEM. As Exabeam correlates/
analyses users' activities, shouldn't the PC events get piped as well?

Please help identify any valuable conferences in the US that an IT Supervisor like myself should consider attending.
Topics could be general in nature on security or cloud systems, and even as detailed as VMware tech training or other useful courses/trainings.

My employer is willing to allocate some funds but wants to know which conferences, summits, events, etc. should be considered, and I'm not familiar. Microsoft Ignite is one example I am aware of. A topic choice for my question did not exist, so I chose what closely matches, but it is not what I am limiting the question to.

Hi guys

We have an application on our work premises that people externally use VPN to access. The port has been set to 'ANY'. However, if I wanted to lock this port down, I have some issues as there is no documentation on what the ports are. When I look at the firewall logs, I can see that the source port always changes but the destination port stays the same. What does this mean if the source port changes but the destination port is the same? I assume the destination port is the port on the application on our side and therefore we can lock the VPN ports down to this destination port?

Thanks for helping
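For the question above, an added worked example (my code, not from the original post or from WatchGuard): summarising the allowed flows in a firewall log by destination service. It assumes a constructed, simplified log line format (`src=ip:port dst=ip:port proto=… action=…`); real WatchGuard log lines differ, so the regex would need adapting. The point it demonstrates is that the source port is the client's ephemeral port and changes on every connection, while the destination port identifies the listening service on your side, so a lock-down rule is written on protocol, destination host and destination port only, never on the source port.

```python
"""Summarise allowed firewall flows by destination service.

Added example; the log format below is a constructed simplification,
not WatchGuard's native format.
"""
import re
from collections import defaultdict

# Hypothetical simplified log format used for this example.
LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\s+proto=(?P<proto>\w+)\s+action=(?P<action>\w+)"
)

# Constructed sample: three VPN clients talking to an app server and its database,
# one DNS lookup, and one denied attempt.
SAMPLE_LOG = """\
2018-09-28T09:01:02 src=10.8.0.15:51234 dst=192.168.1.20:8443 proto=tcp action=allow
2018-09-28T09:01:05 src=10.8.0.15:51237 dst=192.168.1.20:8443 proto=tcp action=allow
2018-09-28T09:02:10 src=10.8.0.22:60011 dst=192.168.1.20:8443 proto=tcp action=allow
2018-09-28T09:02:11 src=10.8.0.22:60012 dst=192.168.1.20:1433 proto=tcp action=allow
2018-09-28T09:03:40 src=10.8.0.31:49160 dst=192.168.1.20:8443 proto=tcp action=allow
2018-09-28T09:03:41 src=10.8.0.31:49161 dst=192.168.1.20:1433 proto=tcp action=allow
2018-09-28T09:04:00 src=10.8.0.31:49170 dst=192.168.1.21:53 proto=udp action=allow
2018-09-28T09:05:00 src=10.8.0.40:55555 dst=192.168.1.20:8443 proto=tcp action=deny
"""


def parse(log_text):
    """Yield (proto, dst, dport, src, sport, action) for each line the regex matches."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            yield d["proto"], d["dst"], int(d["dport"]), d["src"], int(d["sport"]), d["action"]


def summarize(log_text):
    """Group allowed flows by (proto, dst, dport); record the source ports and clients seen."""
    services = defaultdict(lambda: {"flows": 0, "sports": set(), "clients": set()})
    for proto, dst, dport, src, sport, action in parse(log_text):
        if action != "allow":
            continue  # denied flows say nothing about what the application needs
        entry = services[(proto, dst, dport)]
        entry["flows"] += 1
        entry["sports"].add(sport)
        entry["clients"].add(src)
    return services


def service_ports(services):
    """Return the sorted (proto, dst, dport) keys: these are the rule candidates.

    The source ports differed on every flow (ephemeral), so they never belong
    in the rule; only the fixed destination side does.
    """
    return sorted(services)


def ephemeral_source_ports(services):
    """True if every allowed flow used a distinct source port >= 1024 (normal client behaviour)."""
    return all(
        len(e["sports"]) == e["flows"] and min(e["sports"]) >= 1024
        for e in services.values()
    )


def proposed_rules(log_text, vpn_net="10.8.0.0/24"):
    """Render one allow rule per observed service; vpn_net is an assumed VPN client subnet."""
    services = summarize(log_text)
    return [
        f"allow {proto} from {vpn_net} to {dst} port {dport}  # {len(e['clients'])} client(s)"
        for (proto, dst, dport), e in sorted(services.items())
    ]


if __name__ == "__main__":
    for rule in proposed_rules(SAMPLE_LOG):
        print(rule)
```

One caveat when doing this for real: a short log window misses ports the application only uses occasionally (month-end jobs, admin consoles), so summarise over a longer period and keep a final deny-and-log rule below the new allows so anything missed shows up in the logs instead of failing silently.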
We are moving some of our apps/systems to the cloud.
However, some vendors for the cloud projects came back to
say that the OS is a stripped-down Linux which is hardened
and that it's not applicable to install/run AV.

In view of high-profile attacks and audit requirements, I
am loath to raise an exemption/deviation even if the cloud VM
is not accessible to the public (i.e. firewalled to our corporate
network only). I noticed that AWS and another vendor that uses VMs
on Windows guests offer AV.

Is there a quick/easy way for me to verify that the 'stripped-
down Linux OS' the vendor uses in the cloud truly could
not support AV? I guess running 'uname -a' is not
enough. Or is there a script for me to verify?
Or can I verify by checking what past patches
they had been applying? If it's all RedHat/RHEL patches
then it's simply a hardened RHEL which should
support many AVs.

What are the usual audit requirements for AV for a custom
Linux VM in the cloud? Don't really need an AV under what

If it's truly a stripped-down Linux, say based on CentOS or
FreeBSD, can I assess the patch requirements based on
CentOS and FreeBSD? I recall when running a VA scan
against a PABX that's based on RHEL, all vulnerabilities
for RHEL are applicable and the PABX vendor produces
the patches, though they are behind RedHat by a few
months in coming out with the patches.

This reminds me of IoT, many of which are appliances
that customize their OS from …
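For the "is there a script" part of the question above, an added example (my code, not the vendor's or the poster's): fingerprinting a "stripped-down" Linux image from its `/etc/os-release` and the kernel build config. `ID_LIKE` in os-release names the distribution family a derivative was built from even when `ID` is a vendor name, which tells you whose errata to track. Separately, Linux on-access AV scanners generally rely on the kernel's fanotify permission hooks (`CONFIG_FANOTIFY` and `CONFIG_FANOTIFY_ACCESS_PERMISSIONS`; older products shipped their own kernel module instead), so a kernel built without them is the one concrete reason an agent genuinely cannot do on-access scanning, while a scheduled on-demand scan needs no kernel hooks at all. The sample inputs (the "VendorOS" values) are constructed; on a real host you would read `/etc/os-release` and `/boot/config-$(uname -r)` or `/proc/config.gz`.

```python
"""Fingerprint a vendor-customised Linux image: what is it based on, and can an AV agent hook it?

Added example with constructed inputs. Uses os-release(5) semantics and the kernel config
options that Linux on-access scanners rely on (fanotify); the 'VendorOS' values are invented.
"""
import re
import shlex


def parse_os_release(text):
    """Parse KEY=value lines from /etc/os-release; values may be shell-quoted per os-release(5)."""
    data = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        data[key] = " ".join(shlex.split(value)) if value else ""
    return data


def base_family(osr):
    """Map ID and ID_LIKE to the upstream family whose patches and advisories apply."""
    candidates = [osr.get("ID", "").lower()] + osr.get("ID_LIKE", "").lower().split()
    for cand in candidates:
        if cand in ("rhel", "centos", "fedora"):
            return "rhel-family"
        if cand in ("debian", "ubuntu"):
            return "debian-family"
        if cand in ("suse", "sles", "opensuse"):
            return "suse-family"
        if cand == "freebsd":
            return "freebsd"
    return "unknown"


def fanotify_support(kernel_config):
    """Return (fanotify_enabled, permission_events_enabled) from a kernel .config text."""
    def on(opt):
        return re.search(r"^%s=y$" % re.escape(opt), kernel_config, re.M) is not None
    return on("CONFIG_FANOTIFY"), on("CONFIG_FANOTIFY_ACCESS_PERMISSIONS")


def assess(os_release_text, kernel_config_text):
    """Combine both signals into a short verdict that can go into an exemption request."""
    osr = parse_os_release(os_release_text)
    family = base_family(osr)
    fan, perm = fanotify_support(kernel_config_text)
    baselines = {
        "rhel-family": "track RHEL/CentOS errata",
        "debian-family": "track Debian/Ubuntu security advisories",
        "suse-family": "track SUSE security advisories",
        "freebsd": "track FreeBSD security advisories",
    }
    return {
        "pretty_name": osr.get("PRETTY_NAME", osr.get("NAME", "?")),
        "family": family,
        "patch_baseline": baselines.get(family, "vendor advisories only"),
        "on_access_av_feasible": fan and perm,   # blocking scans need permission events
        "on_demand_av_feasible": True,           # a scheduled scanner needs no kernel hooks
    }


# Constructed sample 1: a vendor "appliance OS" that is really a CentOS 7 derivative.
APPLIANCE_OS_RELEASE = """\
NAME="VendorOS"
VERSION="3.2"
ID=vendoros
ID_LIKE="rhel centos fedora"
PRETTY_NAME="VendorOS 3.2 (hardened)"
"""
APPLIANCE_KERNEL_CONFIG = """\
CONFIG_FANOTIFY=y
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
CONFIG_INOTIFY_USER=y
"""

# Constructed sample 2: a minimal image whose kernel was built without fanotify.
MINIMAL_OS_RELEASE = 'ID=custom\nNAME="Custom Minimal Linux"\n'
MINIMAL_KERNEL_CONFIG = "# CONFIG_FANOTIFY is not set\nCONFIG_INOTIFY_USER=y\n"


if __name__ == "__main__":
    print(assess(APPLIANCE_OS_RELEASE, APPLIANCE_KERNEL_CONFIG))
    print(assess(MINIMAL_OS_RELEASE, MINIMAL_KERNEL_CONFIG))
```

The `family` value is also what you would feed a vulnerability scanner's credentialed checks: if the image is `rhel-family`, RHEL/CentOS advisories apply to every package it ships, exactly as the PABX case in the post, and the vendor's patch lag against upstream becomes a measurable number.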
Wonder if anyone has experience with this and has any input? Or if there are better things out there.

Is it a good option for Okta security?

What are the categories of syslog messages/events that
are typically forwarded to SIEM?

Guess we can filter off  Informational, Warning.  What
about Error?

We are using a low-end SIEM & it freezes if we pipe all
events to it
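As an added example for the question above (my code, not from the post or any SIEM vendor): decoding the syslog PRI of each message into facility and severity and applying a forwarding filter. It encodes the caveat a practitioner would want before filtering by severity: drop Informational/Warning only for noisy facilities, because authentication and audit events are routinely logged at Informational or Notice severity, and a plain "drop Informational" filter silently discards exactly the logins, sudo use and audit records a SIEM exists to see. The sample lines are constructed; the PRI arithmetic (facility * 8 + severity) is from RFC 5424 / RFC 3164.

```python
"""Decode syslog PRI and decide what to forward to a capacity-limited SIEM.

Added example with constructed sample lines. PRI = facility * 8 + severity (RFC 5424 / RFC 3164).
"""
import re

FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Facilities forwarded at every severity, because their "informational" messages are
# the security-relevant ones (logins, sudo, the audit trail).
ALWAYS_FORWARD_FACILITIES = {"auth", "authpriv", "audit"}

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility_name, severity_name) for a line starting with <PRI>; raise on bad input."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no PRI field: " + line[:40])
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the highest valid value
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def should_forward(line, max_severity="err"):
    """Forward if the severity is at least as important as max_severity, or the facility is always forwarded.

    Severity numbers run 0 (emerg) .. 7 (debug), so "more important" means numerically lower.
    """
    facility, severity = decode_pri(line)
    if facility in ALWAYS_FORWARD_FACILITIES:
        return True
    return SEVERITIES.index(severity) <= SEVERITIES.index(max_severity)


def filter_for_siem(lines, max_severity="err"):
    """Return the subset of lines to ship; malformed lines are kept so they are not lost silently."""
    kept = []
    for line in lines:
        try:
            if should_forward(line, max_severity):
                kept.append(line)
        except ValueError:
            kept.append(line)
    return kept


# Constructed sample lines (PRI values chosen to cover the interesting cases).
SAMPLE_LINES = [
    "<86>Sep 28 17:45:45 host1 sshd[2310]: Accepted password for admin from 203.0.113.9 port 51234 ssh2",  # authpriv.info: kept
    "<38>Sep 28 17:45:50 host1 sudo: admin : TTY=pts/0 ; COMMAND=/bin/bash",                                # auth.info: kept
    "<30>Sep 28 17:46:00 host1 cupsd[800]: Listening on localhost:631",                                     # daemon.info: dropped
    "<12>Sep 28 17:46:05 host1 app[900]: cache miss ratio high",                                            # user.warning: dropped
    "<3>Sep 28 17:46:10 host1 kernel: nf_conntrack: table full, dropping packet",                           # kern.err: kept
    "<191>Sep 28 17:46:20 host1 local7: debug trace",                                                       # local7.debug: dropped
    "Sep 28 17:46:30 host1 noformat: line without a PRI",                                                   # malformed: kept
]


if __name__ == "__main__":
    for line in filter_for_siem(SAMPLE_LINES):
        label = decode_pri(line) if line.startswith("<") else ("?", "?")
        print(label, line[:60])
```

With the default threshold of `err`, the sshd login and the sudo command survive the filter because of their facility, not their severity; the same rule applied without the facility exception would have dropped both. Network devices that send everything as `local0`..`local7` need their own mapping, since the facility then carries no meaning.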
We have a new 2nd building on property we own. Someone got Verizon FiOS at the 2nd building (it was already in the 1st building). They are about 1,200 feet apart with line of sight.

We need the 2nd building to be able to access the network in the first building (and minimize costs). The 2nd building will have 1-2 users and MAYBE some file transfers between the 2 buildings, but mostly email, web surfing.

I'm trying to see the costs for connecting the 2nd building to our existing network / do we need FiOS at that 2nd building?

Some options I thought of:

1) Set up a VPN - we have a WatchGuard at building 1 already and that has a VPN to another office in another state. So add a WatchGuard unit for $500? at building 2 and some config time / costs, and still have the FiOS ongoing costs. Anyone know the throughput of a VPN using Verizon FiOS at both ends? It's lower than the speed you are paying for from Verizon, right?

2) Wireless? Maybe UniFi NanoBeam 5AC Gen 2

$113 each and we need 2 of them, plus time / money for hardware, mounting poles, etc. That would get 400 Mbit which is fine (mostly email / web surfing etc. at the far end). But what if we want gigabit on wireless? Is that doable at a reasonable cost? And can we cancel the FiOS?

3) Fiber? I called Lanshack.com and they are saying the fiber cable would need to be outdoor rated (regardless of being …

Hi. I am trying to map ports to an internal IP from any outside IP on a WatchGuard firewall. Version 11.9 Fireware XTM Web UI. No matter what I do, these ports will not open. Unfortunately, I'm not as familiar with WatchGuard as I should be.
Any idea why they will not go through, from the attached file?

I've got a question here related to Splunk logging of Exchange Server data that I hope someone can help with. We've got several on-prem Exchange servers in a DAG that are running 2013, and some in our parent company that are on an earlier version - 2010 to be exact. Before Exchange 2013, some other roles and features were available such as CAS server and hub transport, but many of these features have been folded in or changed. As a result, the Splunk monitoring utility that my company uses only works properly on our Exchange 2010 servers in our parent company's office.

I know nothing about Splunk, but apparently it's looking for PowerShell scripts to run, but these have been moved or renamed. Corporate Security told me: "It supports collection of data from Exchange Server 2007 and Exchange Server 2010. Exchange Server 2013 does not have this role, as it has been integrated into the Client Access and Mailbox Server roles." Because of this, fields seem to be "off"; more or less the same data is there but under new names / sourcetype. (New sourcetype=MSExchange:2013:MessageTracking).

The scripts it is looking for exist in Exchange 2010 but cannot be found by Splunk in 2013; does anyone have any insight into how to make Splunk work with Exchange 2013?

[script://.\bin\exchangepowershell.cmd v15 get-mailboxstats_2010_2013.ps1]

[script://.\bin\exchangepowershell.cmd v15 get-folderstats_2013.ps1]

We need to set up within 8 weeks a small SIEM for 30 servers, and hopefully it's something low-cost, fast to set up and easy to use/manage.

SolarWinds, ManageEngine, Websense or ?

There's a request to set up a dedicated Internet Wi-Fi hotspot
that will be used to connect up IoT devices: one such item in mind
is a power meter.

We are not a financial/banking/healthcare organization but
still need to adhere to government guidelines on cybersecurity.

I can only think of the following if this is to be granted:

a) restrict it to IoT devices only, i.e. corporate laptops/PCs/user devices
    can't connect to it: so what kind of mechanisms are out there
    that can stop corporate PCs/laptops and user BYODs from

b) we'll make the SSID unscannable

c) as many IoT devices have been known to be compromised, such
    as in Mirai botnet attacks, how shall we mitigate these, as
    the IoT is exposed to risks from the Internet?
d) any other mitigations?

Our server (running win server 2008 R2) has been plagued with two errors in Event Viewer-->System:
Event 36888, Schannel
"The following fatal alert was generated: 40.  The internal error state is 1205."

Event 36874, Schannel
"An TLS 1.2 connect request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server.  The SSL connection request has failed."

Not sure what's causing these errors.

I have a T70 device I'd like to connect up via BOVPN with an XTM2 device (with wireless) at a home office location. In front of the XTM2 I will have an AT&T U-verse router in bridged mode.

I'd like all of the data from one port on the XTM2 to go back and forth over the BOVPN. I'd like all of the wireless traffic to travel out to the Internet.

Can someone please tell me if this is possible and point me in the right direction for accomplishing this? I've set up BOVPNs between two devices before, but it was moving all traffic between both devices and I need to keep the wireless (home users') traffic off the VPN.

Attached is an SSL scan report (by Qualys) of 2 portals:

a) will such deficiencies flagged by Qualys be flagged by a black-box pentest as well (the tester is using Tenable Nessus)?

b) for the items highlighted in yellow, if we place a WAF and CDN in front of the portal, can the items be remediated?
    I heard the F5 WAF could 'block' off SSLv3, TLS 1.0 and 1.1 as a way of mitigating, but what about the weak ciphers etc.?

We have a Check Point NIDS as well, if this is of any help.

We can obtain a fresh cert if needed, but the concerns are:
a) we don't plan to change the A10 load balancer (that's used for the 2 portals): I understand a number of what's flagged is due to this A10 LB
b) the applications team can't amend the code within the short term (but we have only a couple of months to remediate)

In one presentation by an IT regulator and the Cyber Security Agency,
one slide mentioned reviewing "Netflow" and a couple of
slides later, it requires us to perform a periodic "review of
information flow":

Though I raised whether these are related, i.e. by reviewing "Cisco Netflow"
we are deemed to have addressed the requirement to "review
information flow", the presenter doesn't quite seem to know,
thus I'm clarifying here:
does Cisco Netflow offer a form of documenting information

In my previous place, one of the monthly IT Security metrics is
to show the number of 'High' DDoS alerts for the month (leaving out the
Medium and Low ones), extracted from Arbor Peakflow of the clean pipe.

Attached is how one such extraction looks: basically we'll
count the number of 'High' alerts.

In the new place, the question was raised how this data can be useful
as an IT Security metric.

My guess is Audit wants to see a trend (of 6-12 months) of the
number of 'High' alerts for DDoS: if it's always about the same, no
alarm but, say for a particular month, it triples, it's a concern?

Does anyone have any clue how this data (or any other Peakflow
data) could be useful for presentation to serve as IT Security

Does anyone have any application DDoS security metrics that could
be useful as IT Security metrics?

I'm looking for samples/templates/checklists that cover the following 3 areas.
Can anyone point me to the sources or share? Planning to host some apps in AWS.

• Recommended Due Diligence Activities – specifies the necessary due diligence
to be done in selecting a cloud service provider.

• Recommended Key Controls for Cloud Outsourcing Arrangement – highlights a
list of recommended controls that the Cloud Service Provider (CSP) should have in
place. Projects/systems with specific needs should liaise with their CSP to
implement any additional specific requirements.

• Cloud Risk Management – highlights the potential risks of cloud and the
measures to be taken to mitigate risks.

If the last security policy in a zone pair on a Juniper SRX is a permit - is traffic between those zones still DENIED by default?
e.g. if the policy below was the last and only policy for the zone-pair - would all other traffic between those zones get denied?
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match source-address td-edgenode01
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match destination-address felinni01
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match application tcp-21300
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match application tcp-22217
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 then permit

Refer to the above link: it's said Barracuda has a list of bad IPs: how can we download it?
I would also like to download the lists for Spamhaus and CBL, and any others if possible.


We are considering Splunk, ELK or Apache Metron (Hadoop) for SIEM.

I've encountered nightmares with a top-end SIEM in the past when
querying/retrieving data: it takes days and even crashes: which of the
above has excellent super-speed log management and querying?

I was told by an ex-colleague that ArcSight/Splunk require CEF
(Common Event Format) or syslog format to be piped to them,
as they can't accept any other format. A vendor using QRadar
told me QRadar requires syslog/CEF format inputs too.
I've SNMP traps / MIB events (e.g. from Cisco and proprietary
devices) that my ex-colleague told me can't be accepted by
Splunk/ArcSight, so I would like to know if any of the 3 above
tools are more readily able to accept SNMP/other
event formats.

I heard that ELK lacks policies, which in the long run will be
costlier if we get consultants to customize: do the other
2 products have this concern?
Also, Splunk Enterprise goes by the amount of logs and we're
concerned that too many logs (can be 500MB/month)
will make the cost high: weighing between customization
/set-up PS efforts and licensing costs based on the amount of
logs (which I guess we can archive off older logs to reduce
the license cost), which of the 3 is more cost-effective?

What are some small business routers that would be recommended, coming with guest Wi-Fi, VPN plus a range of security features?

I'm drafting an SOP doc and need to spell out the specific roles/duties of
Firewall admins vs IT Security (governance):

I'm not sure if RBAC (Role Based Access Control) comes into play here
but my view is:

a) all firewall rule requests as well as proxy requests (say to whitelist
    a URL or permit certain file types to be saved/downloaded) are to
    be reviewed and approved by IT Security governance as well as the
    requestor's managers, while firewall admins implement them:
    is this what's generally practised?

b) reviews of firewall logs/events are jointly done by a network admin
    or lead or manager who is not an implementer of firewall rules and
    counter-reviewed by IT Security governance: certainly we hope to automate
    this by SIEM with UEBA, but Audit still requires such event/log reviews
    to be signed off by 2 parties

c) What about firewall rules review: which parties should review them?
    Certainly not firewall admins as they're the creators of the rules, so
    they'll just sign off as "No issue": it's a conflict of interest. We had
    run into a case where a critical and sensitive Prod server was permitted
    for access to the entire organization. Tools like Tufin only review for
    "dormant" rules but not such rules created for "testing" but forgotten
    to be removed. Could any tools help with such detection?

Our users are MFA'd but Azure reports: "Sign-ins from IP addresses that are anonymous, such as Tor IP addresses."

How is that possible?

I have 3 different users reporting this for location = Chelsea, NY, USA

Hi guys

We've had an email that looks like it has come from a bank claiming that one of their customers has had a fraudulent transaction on their card from one of our stores. I'm almost certain it is a phishing email of some sort.

I wanted to verify with you guys whether it is likely that the email address has been spoofed.

I won't be able to paste the email address it is coming from. But as it claims to be from a bank, the sending server was the following:

Connection: Accepted
Sending Server: mail-eopbgr100089.outbound.protection.outlook.com
Sending Server HELO:
Connection Started: 28 Sep 2018 5:45:45 PM GMT+01
Connection Finished: 28 Sep 2018 5:45:45 PM GMT+01

Am I right to assume that any 'Bank' that is using Outlook as its sending server is using spoofing tactics?
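As an added example for the question above (my code, not the poster's, and it makes no reference to the actual message): what the headers can and cannot tell you. The relaying hostname (`outbound.protection.outlook.com`) only says the message passed through Exchange Online Protection, which many organisations, banks included, use legitimately; the check that separates spoofing from a genuine sender is whether the domain that passed SPF or DKIM aligns with the domain in the visible `From:`, which is what DMARC evaluates. The code parses a constructed `Authentication-Results` header as a receiving MTA writes it and applies relaxed alignment. `org_domain()` is a simplification (last two labels; real DMARC consults the Public Suffix List), and every domain and address below is invented.

```python
"""Check whether a message's SPF/DKIM results align with its visible From: domain (DMARC logic).

Added example; the two messages below are constructed and the domains invented.
"""
from email import message_from_string
from email.utils import parseaddr


def parse_auth_results(value):
    """Parse an RFC 8601 Authentication-Results value into {method: {"result": ..., prop: value}}."""
    parts = [p.strip() for p in value.replace("\n", " ").split(";")]
    results = {}
    for part in parts[1:]:  # parts[0] is the authserv-id (the receiving host)
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = {"result": result.lower()}
        for tok in tokens[1:]:
            if "=" in tok:
                key, val = tok.split("=", 1)
                props[key.lower()] = val.lower()
        results[method.lower()] = props
    return results


def org_domain(domain):
    """Simplified organisational domain: last two labels (real DMARC uses the Public Suffix List)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, relaxed=True):
    """DMARC identifier alignment: exact match, or same organisational domain in relaxed mode."""
    if not auth_domain or not from_domain:
        return False
    if auth_domain.lower() == from_domain.lower():
        return True
    return relaxed and org_domain(auth_domain) == org_domain(from_domain)


def assess(raw_message):
    """Return which identifiers passed and whether any of them aligned with the From: domain."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    spf, dkim = ar.get("spf", {}), ar.get("dkim", {})
    spf_domain = spf.get("smtp.mailfrom", "").rsplit("@", 1)[-1]
    dkim_domain = dkim.get("header.d", "")
    spf_ok = spf.get("result") == "pass" and aligned(spf_domain, from_domain)
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim_domain, from_domain)
    if not ar:
        verdict = "unverifiable"  # no Authentication-Results header: nothing to reason from
    elif spf_ok or dkim_ok:
        verdict = "aligned"       # the sender is authorised for the From: domain
    else:
        verdict = "unaligned"     # any passes were for some other domain: the From: is unauthenticated
    return {"from_domain": from_domain, "spf_domain": spf_domain, "dkim_domain": dkim_domain,
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "verdict": verdict}


# Constructed message 1: relayed by a hosted tenant whose own domain authenticates fine,
# while the visible From: claims the bank's domain.
SUSPECT = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=alerts@tenant-0042.onmicrosoft.example;
 dkim=pass header.d=tenant-0042.onmicrosoft.example; dmarc=fail header.from=examplebank.example
From: "Example Bank Fraud Team" <fraud@examplebank.example>
Subject: Fraudulent transaction at your store

Please review the attached statement.
"""

# Constructed message 2: the bank's own mail, DKIM-signed with an aligned domain.
LEGIT = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce@mail.examplebank.example;
 dkim=pass header.d=examplebank.example; dmarc=pass header.from=examplebank.example
From: "Example Bank Fraud Team" <fraud@examplebank.example>
Subject: Fraudulent transaction at your store

Please review the attached statement.
"""


if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT), ("legit", LEGIT)):
        print(name, assess(raw)["verdict"])
```

Two caveats when applying this to a real message: only trust the `Authentication-Results` header that your own MTA added (its authserv-id is your host; anything further down may have been inserted by the sender), and an "aligned" result proves the mail came from whoever controls that domain, not that the domain is the bank's, so a lookalike domain with valid SPF and DKIM still passes and has to be caught by reading the domain itself.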

If we don't subscribe to among the lowest-end O365 Exchange Online,
how can we further secure our email defenses (if we don't purchase
filtering tools like IronPort and Proofpoint)?

I've heard in the Postfix forum that they link the Postfix server to Spamhaus,
CBL (please suggest more free site reputation services for email): can
Exchange Online implement this? Can we integrate with VirusTotal?

Based on the threat intel we get, can we add the hashes into our Check Point
NIDS (assuming email payloads pass through it, or in practice
people don't do this?) or Exchange Online?

Will hardening our Outlook client, MS Office, PDF reader (and all the
'mobile code' software) help?
