Monday, October 18, 2010

Confused with Alerts Terminology?

Are you also confused with IPS alert terminology or sometimes just get confused between false positive & true negative etc etc....
  • False Positive
  • False Negative
  • True Positive
  • True Negative
There are four types of alerts/alarms/events or notifications that can be generated. Before i explain each one of them lets break the terminology to understand it in a better way so that its easy to remember whats what.

~~~~~~~~~     ##############
False/True    --  Positive/Negative
~~~~~~~~~     ##############

>> False/True : False means something wrong which an admin would not expect or is not expected from the device. True is good condition/scenario where device (IPS) is working as expected.

>> Positive/Negative : This part of the terminology has to do with whether alert/event was raised or not. Positive means alert was raised/generated. Negative means alert was not raised/generated.

False Positive : Device failed to recognize the attack traffic or offending packets correctly & alarm was raised. Regular or benign traffic detected as attack traffic. [When any IPS generates false positive & if blocking is configured for that signature. Major concern is that legitimate traffic will get blocked & many organizations consider blocking legitimate traffic much more serious problem than generating false alerts.]

True Positive : Device recognized attack pattern, attack traffic or packets & alert was raised correctly.
[This is the strength of any IPS & depends on which signatures are enabled & available. It becomes the selling point for many deals.]

False Negative : Device fails to recognize attack traffic or offending packets & no alert is raised by IPS
[This is the worst among all & can be a deal breaker initially [PoC] & can be a waste of cost/time if the device is deployed but not configured correctly to avoid false negatives.]

True Negative
 : Normal or non-offending traffic for which no alert is raised.
[Regular benign traffic.]

If you have any better technique or suggestions then do share the same in comments.

Dream Scenario : As any IPS/WIPS admin/operator your target should be to get rid of  False (Positive + Negative)'s and reach a state of when alerts are either True Positives or True Negatives.

ToD # Most of the alerts is an alert to cause an alert for the admin to be alert :-)
~ @Sorabhk5

Monday, September 14, 2009

Phew… How many ACRONYMS?

Here i am putting up list of new acronyms learned while studying/preparing for SNRS. Don't know how many more will follow & when dictionary will run out of acronyms but for now they seem to be coming along steadily apart from regular (not so acronym anymore) TCP,UDP, IP, FTP, SSH, HTTPS, SMTP, SNMP etc

So here we go
AAA ► Authentication, Authorization, Accounting
AES ► Advanced Encryption Standard 
CBAC ► Context Based Access Control
CEF ► Cisco Express Forwarding
CSACS ► Cisco Secure Access Control Server [aka ACS]
CPPr ► Control Plane Protection
CoPP ► Control Plane Policing
CIFS ► Common Internet File System 
CRL ► Certification Revocation List
DPD ► Dead Peer Detection 
DH ► Diffie-Hellman 
DMVPN ► Dynamic Multipoint VPN
DES ► Data Encryption Standard
3DES ► Triple-DES
EAP ► Extensible Authentication Protocol
                 {{ Challenge Response based }}
    EAP-MD5 ► EAP Message Digest 5
    EAP-MSCHAPv2 ► EAP-Microsoft Challenge Handshake Authentication Protocol
    LEAP ► Cisco Lightweight EAP
                 {{ Tunneling methods }}
    PEAP ► Protected EAP
    EAP-FAST ► EAP Flexible Authentication via Secure Tunnelling
    EAP-TTLS ► EAP Tunneled Transport Layer Security
                 {{ Cryptographic based }}
    EAP-TLS ► EAP Transport Layer Security
                 {{ Generic Token based }}
    EAP GTC ► EAP-Generic Token Card
ESP ► Encrypted Security Payload
FPM ► Flexible Packet Matching
GPI ► Granular Protocol Inspection
GRE ► Generic Route Encapsulation
HMAC ► Hash-based Message Authentication Code
IFS ► Cisco IPS File System
ISAKMP ► Internet Security Association & Key Management Protocol
IKE ► Internet Key Exchange
IBNS ► Identity Based Networking Services  
ISM ► Integrated Service Module
ISA ► Integrated Service Adapter
MARs ► Machine Access Restrictions
MPP ► Management Plane Protection
MQC ► Modular QoS CLI
mGRE ► Multipoint Generic Route Encapsulation
NAS ► Network Access Server
NAD ► Network Access Device
NAP ► Network Access Profile
NAC ► Network Admission Control
NHRP ► Next Hop Resolution Protocol
NFP ► Network Foundation Protocol
NAT-T ► Network Address Translation Traversal 
PAM ► Port to Application Mapping
PHDFs ► Protocol Header Data Files
PKI ► Public Key Infrastructure
RRI ► Reverse Route Injection
RTSP ► Real-Time Streaming Protocol
RSA ► Rivest, Shamir, and Adelman
SCCP ► Skinny Client Control Protocol
SCEP ► Simple Certificate Enrollment Protocol
SDEE ► Security Device Event Exchange
SME ► Signature Micro Engines
SMIL ► Synchronised Multimedia Integration Language
SHA1 ► Secure Hash Algorithm 1
SDF ► Signature Definition File
uRPF ► Unicast Reverse Path Forwarding 
VAM ► VPN Acceleration Module 
VPNSM ► VPN Services Module
VRF ► VPN Routing & Forwarding

OMG, sure i have missed many but wonder how long their TTL will be for my mind?? For now let just say TTL != 0 :)  Share below if you know more acronyms related to SNRS.

Happy Learning ….
>> sorabhk5 <<

Here's the Delicious Stuff for the week via

Monday, August 24, 2009

Layer 2 Security >> Imagine Unmanaged switch….

Ok i have finished the “Layer 2 security” topic of the SNRS exam & posting the abridged learning's for reference.
How to find out vulnerabilities in any network
Check (lookout) for the following:
- Written Security Policies (Big trouble, if an organisation don't have one)
- Patch Management System
- OS & application vulnerabilities (e.g. IE6,
conficker etc)
- Protocols used & their weaknesses (e.g: ICMP)
- Network Configuration errors (e.g: weak passwords, default config’s)
- Last but not least user awareness (many social engg. attacks start here)  

Types of Layer 2 Attacks
# Cam Table overflow (flood switch with fake MAC addresses) 
# VLAN hopping 
# STP manipulation 
# DHCP Attacks
    - DHCP Starvation
    - Rogue DHCP Server
# PVLAN attacks 
# MAC address spoofing
Mitigating Layer 2 Attacks
# Cam Table Overflow: When attacker sends/floods the port with fake MAC’s so that switch can start working as hub or start broadcasting all packets for the VLAN to which the attacker is connected.
       Mitigation >>  Configure
Port Security
Switch(config-if)# switchport port-security [mac-address mac-address] |
 [mac-address sticky [mac-address]] | [maximum value] |
 [violation {protect |restrict|shutdown}]

# VLAN Hopping : attacker trying to behave like a switch by negotiating trunk port so that he/she can send & receive data among other VLAN’s 
       Mitigation >> Configure access ports for all users & move unused ports to an unused VLAN

# STP manipulation : attacker tries to change the topology of a network by attacking/ sending STP BPDU with a higher priority to appear as the root bridge or by manipulating STP root bridge calculations & forcing recalculations.
       Mitigation >>  Configure root guard & bpdu guard

Switch(config)# spanning-tree portfast bpduguard default  
On an interface
Switch(config-if)# spanning-tree guard root

# DHCP Attacks
    - DHCP Starvation: broadcasting DHCP requests with spoofed MAC addresses. 
    - Rogue DHCP Server: Attackers provide clients their own system as default gateway and DNS server resulting in man in the middle (MITM) attacks. 
       Mitigation >> 
Port Security & DHCP Snooping

switch(config)# ip dhcp snooping
switch(config)# ip dhcp snooping vlan <vlan range>
switch(config)# interface <interface-id>
switch(config-if)# ip dhcp snooping trust
switch(config-if)# ip dhcp snooping limit rate <rate>
switch(config-if)# end
switch#show ip dhcp snooping
switch#show ip dhcp snooping binding

# PVLAN Attacks : Frames are forwarded to host connected to promiscuous port (e.g: router) using source IP and MAC of attacker device, a destination IP of the target but destination MAC address of router/gateway. These attacks are normally unidirectional but could be bidirectional if both hosts are compromised.
       Mitigation >> ACL for PVLAN subnet

# MAC Spoofing : (aka MITM attacks) attacker use the a known MAC address of another host in attempt to make switch forward the forward packets destined for the known (authentic) host to attacker. Done by sending a single frame with source Ethernet address of known host which results in CAM table change/update.
       Mitigation >>  Configure
Port Security

Some Facts & Figures

>> Cisco Catalyst 6000 series switch contains 1,28,000 CAM entries divided into 8 pages of 16,000 each.
>> Exhausting of all DHCP addresses is not required to introduce a rogue DHCP server. Client request mechanism are implementation dependent. RFC –2131
>> Option 82 (Data insertion feature) is not supported when DHCP relay agent is enabled but DHCP snooping is disabled.

Will post the related lab for the same by next week. Well, maybe :)

If you know any good books, or DOC pages related to the topic…. Share the name/link in comments. THX

Checkout, some Delicious Stuff
Network Access Restrictions White Paper - Cisco Systems
Infiltrating a Botnet - Cisco Systems
Restrict WLAN Access based on SSID with WLC and Cisco Secure ACS Configuration Example - Cisco Systems
HowStuffWorks "How Internet Cookies Work"
Code_Bleu » Remote RDP & Socks Proxy using Reverse SSH Tunneling

& do checkout Google Results for “Layer 2 attacks”, some good PDF’s.

Keep Learning…… because once you fix it, vulnerabilities gonna come knocking another door ~ sorabhk5

Wednesday, April 8, 2009

Route to CCSP-SNRS [642-504]

SNRS – Securing network with (CISCO) routers and switches is one of the required exams towards CCSP certification along with 3 others. (3 required + 1 elective)

Its goanna be my first exam towards CCSP series again :-) since having SND certification (which was one of the exam of CCSP track earlier) is now pre-requisite for CCSP [[CCNA + SND or CCNA Security]]

It largely covers

  • Layer 2 attacks
  • IOS Firewall/IPS
  • Trust and Identity – AAA, ACS, IBNS
  • Cisco Network Foundation Protection using CLI
  • Secured Connectivity – IPSec, VPN

Having gone through few of the topics in SND is surely going to help but now the game is for next level so more details and in depth with more hands-on/labs/practical. SND was more or less theory based exam but hoping SNRS asks for lots of lab (ing) & Sim’s in the exam to make it interesting.

What to Study/Resources available

Where to practice and tools available

Which forums can be helpful?

            Cisco Study Network
            Networking-forum etc

Preparation Strategy [2H2D/w]

2H2D/w --> 2 hours daily (weekdays) & 2 days (weekend) per week. Simple & works for me :)

Everyone should plan or decide the strategy according to your personal, work commitments and target to be achieved. There is no single remedy that can outfit everyone

Check out these links to plan/decide your schedule or strategy

Ethereal Mind
Route My World

I am hoping to finish all the study/practice within 3 months then schedule the exam with a gap of 2 or 3 weeks at nearest VUE centre (works online thx @PearsonVUE). During that time just do practice & practice e.g: quiz, flash cards, CISCO online FAQ’s, Documentation, online practice tests etc

Resources for CCSP esp. on SNRS look like scare on the www, I will try to post my learning’s and experience for others going on same road.

Be SAFE :)

>> Sorabh Kalra >>