
I have recently started to script in Python and created some easy tools which make life easier. Given that Python is so high level, even though I am no programmer the logic can be understood very easily. There are many examples on the net, and eventually customising the code to your liking becomes easy.

I started with integrating tools I use every day, such as “nslookup”. This tool is simply an interactive nslookup utility which asks you to enter the host name and the server name, then issues an “all” query.

The source code can be found here –

# Import the modules
import subprocess
import sys

# Ask the user for input
host = input("Enter a host to lookup: ")
server = input("Enter a server to query: ")

# Set up the nslookup command and direct the output to a pipe
p1 = subprocess.Popen(['nslookup', '-querytype=all', host, server], stdout=subprocess.PIPE)

# Run the command and collect its output as text
output = p1.communicate()[0].decode(errors='replace')

print(output)

# Save a copy of the output to nslookup.txt in the current directory
with open('nslookup.txt', 'w') as f:
    f.write(output)

# Keep the console window open until the user presses Enter
input()

Another utility i required was a reverse DNS tool. The source code can be found here –

import socket

# Ask the user for the IP address to reverse-resolve
add = input("Enter IP to reverse lookup: ")

# gethostbyaddr returns (hostname, aliaslist, ipaddrlist)
reversed_dns = socket.gethostbyaddr(add)
print(reversed_dns)

# Keep the console window open until the user presses Enter
input()

I created many others, such as ping and port scanning utilities, but these two are the ones I used most.
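The reverse DNS tool above crashes on a malformed address and prints the raw tuple without checking whether the PTR name actually points back at the address. The following is an added example, not code from the original post: it validates the input with the standard-library ipaddress module, handles unresolvable addresses, and adds a forward-confirmed reverse DNS (FCrDNS) check, which is the test a defender applies before trusting a PTR name in a log. The resolver functions are injectable so the logic can be exercised without a network; the fake resolvers and addresses in the block are constructed for illustration.

```python
import ipaddress
import socket


def reverse_lookup(address, resolver=socket.gethostbyaddr):
    """Return the PTR name for an IPv4/IPv6 address, or None if there is none.

    `resolver` defaults to the real socket call; a fake can be passed for
    offline testing.  A string that is not an IP address raises ValueError
    instead of being handed to the resolver.
    """
    ip = ipaddress.ip_address(address.strip())
    try:
        name, _aliases, _addrs = resolver(str(ip))
    except (socket.herror, socket.gaierror):
        return None
    return name


def forward_confirmed(address, name, forward=socket.gethostbyname_ex):
    """True if `name` resolves back to `address` (forward-confirmed rDNS)."""
    if not name:
        return False
    try:
        _canon, _aliases, addrs = forward(name)
    except socket.gaierror:
        return False
    return str(ipaddress.ip_address(address.strip())) in addrs


def describe(address, resolver=socket.gethostbyaddr, forward=socket.gethostbyname_ex):
    """Return a one-line verdict for `address`, as the interactive tool prints it."""
    name = reverse_lookup(address, resolver)
    if name is None:
        return "%s: no PTR record" % address
    if forward_confirmed(address, name, forward):
        return "%s: %s (forward-confirmed)" % (address, name)
    return "%s: %s (NOT forward-confirmed, treat with suspicion)" % (address, name)


# --- constructed fake resolvers so the functions can be exercised offline ---
# 192.0.2.0/24 is the TEST-NET-1 documentation range; no real host is implied.
FAKE_PTR = {"192.0.2.10": "host.example.test",
            "192.0.2.20": "spoofed.example.test"}
FAKE_FORWARD = {"host.example.test": ["192.0.2.10"]}


def fake_gethostbyaddr(ip):
    if ip in FAKE_PTR:
        return (FAKE_PTR[ip], [], [ip])
    raise socket.herror(1, "Unknown host")


def fake_gethostbyname_ex(name):
    if name in FAKE_FORWARD:
        return (name, [], FAKE_FORWARD[name])
    raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    # Interactive use, like the original tool, against the real resolver.
    try:
        print(describe(input("Enter IP to reverse lookup: ")))
    except ValueError as exc:
        print("Not a valid IP address:", exc)
    input()
```

Run without arguments it behaves like the original tool; the fake resolvers exist only so the two checks can be tried on the constructed addresses without DNS access.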


Those of you who have been working in the IT security field will at some point have come across terms which, at first glance (in spite of the apparent similarity), seem to mean the same thing.

Sometimes such terms are even erroneously used interchangeably, which creates confusion about what exactly is required. Such confusion not only creates a communication barrier between different levels of management but also leaves people in limbo as to where to begin tackling the problem.

I am talking about Risk Analysis and Risk Assessment, Vulnerability testing and Penetration testing.

(Image: www.risk.net)

One fine morning everything seemed normal; however, once I reached the office, it was not quite so. The day had come when management realised that their trusty firewall might not be enough to protect the business assets, despite ongoing recommendations. Geared up for this day, I immediately put the plan in motion and proposed the way forward. Unfortunately risk confusion kicked in, and this is where terms such as risk analysis, risk assessment, vulnerability test and penetration test were thrown at me all in one sentence.

Management’s expectations were that all would be done by the end of the day (or two), which was far from the case. I immediately hit the brakes and ran an intervention with management to explain that all those terms actually mean different things and also pointed out that all would yield different results. It was therefore necessary to explain what is what and what comes before what to achieve the required objectives.

Risk Analysis comes before anything. Risk analysis is a process performed to gather the threats, and the associated vulnerabilities, that your business assets are exposed to. This is a holistic process which returns a cost/benefit analysis. Risk analysis takes into consideration the type of business and the most/least probable threats such a business (whether financial, retail, manufacturing etc.) is exposed to.

Risk Assessment follows. A Risk Assessment is a method of focusing on where the business is with respect to the level of risk exposure and where the business wants to be in the future. During this process the business’ existing security controls are examined to ensure that they do provide the expected level of security.

To give the risk assessment strategy further meaning, vulnerability and penetration testing could take place, but which one? Once again, vulnerability test and penetration test are terms which are used interchangeably, but they do not necessarily imply the same thing. By performing a vulnerability test, one is assessing the probability that a threat agent can expose a weakness in the business’ security infrastructure. A penetration test goes a step further: it not only exposes such a weakness but takes advantage of it, attempting to expose further vulnerabilities that were not identified by the initial vulnerability test. As an example, let us assume a website which is vulnerable to an SQL injection attack; once it is compromised by the attacker, the database data is also successfully extracted and copied to a remote destination belonging to the said attacker.

However, while actually performing this attack during a penetration test, it emerged that during the process of performing the SQL injection and copying the database, the original database was left in an inconsistent state and had been corrupted. This not only proved that there had been an information breach due to the unauthorised disclosure and duplication of the database, but also revealed that the corrupted original database creates availability issues for the business. To summarise, the vulnerability test identified an SQL injection vulnerability, but the penetration test revealed that a denial of service attack was also possible.
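The SQL injection used as the example above is, at the code level, a query built by string concatenation. The block below is an added illustration, not code from the original post, showing what a vulnerability test flags (the string-built query) next to the remediation a risk management programme would apply (a parameterised query). It uses an in-memory SQLite database with constructed rows; the table, column names and the example input are assumptions for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Deliberately weak: user input is spliced into the SQL text itself.

    A single quote in `name` ends the literal and the rest of the input is
    parsed as SQL, which is exactly the weakness a vulnerability scanner
    reports as SQL injection.
    """
    query = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Remediated form: the driver passes `name` as a bound parameter, so it
    can only ever be compared as data, never parsed as SQL."""
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


# Textbook probe string: closes the literal and appends an always-true clause.
PROBE = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("normal input, vulnerable:", lookup_vulnerable(db, "alice"))
    print("probe input,  vulnerable:", lookup_vulnerable(db, PROBE))
    print("probe input,  safe:      ", lookup_safe(db, PROBE))
```

The vulnerable function returns every row for the probe input, which is the kind of result a vulnerability test reports; whether an attacker could go on to extract or corrupt the data, as in the example above, is what a penetration test establishes. The parameterised version returns no rows for the same input because the quote is never interpreted as SQL.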

Any weakness in the business’ existing (or lack of) security controls will emerge during a risk assessment and such risk will then be remediated through the risk management program to achieve the desired level of risk acceptance by the business.

Although it may not be included as one of the buzz words, Risk Management is the final, but ongoing, process required to bring the business risks down to an acceptable level. This means that if, for example, a technical security control is not present, a business policy might be issued as a corrective control, counteracting the lack of a technical control through an administrative one. The process of ensuring constant policy compliance is also part of Risk Management, and it can be said that the Risk Management process is never ending, as long as there are assets to protect.

Lab end 2013

Unfortunately I didn’t have much time to update my blog over the year as I had originally planned. This year I replaced the Cisco XL 2924 switch with a Cisco SF300. The reason for this is that the old switch did not support 802.1x authentication and I wanted to try it out. Some interesting projects that I have successfully completed in my lab throughout this year include:

1) 802.1x wired (Cisco SF300) and wireless (AP bridges) authentication. Windows Server 2008 was used as the authentication server, the RADIUS server and the internal Certificate Authority. The setup works quite well. There are some issues though, such as the laptop NIC sometimes not authenticating properly; once I unplug and plug the network cable back in, it connects successfully. I read somewhere that it could be a bug which needs to be addressed on some systems. However, on mine, the suggested fix didn’t seem to work.

2) Squid transparent proxy. I set up Squid on Ubuntu and, through WCCP, redirected HTTP traffic entering the ASA to the proxy server and back. This allowed me to proxy all my HTTP traffic for every client, be it tablet, laptop or mobile. However, I did come across some limitations. For example, the proxy server had to be in the same VLAN/network as the proxied clients. If you try placing it in some management VLAN (and provide routing for it) it will not work. Apparently this limitation is present only with ASAs, since with a bare Cisco router I was told it worked fine.

3) Clustered NTP server. I used two Ubuntu machines to set up a clustered NTP server. No rocket science, but it worked very well. Heartbeat was the package which provided the server clustering.

That is about it. Time permitting, I will include the configurations of the three projects on the blog.

Merry Christmas!

The WordPress.com stats helper monkeys prepared a 2012 annual report for this blog.

Here’s an excerpt:

600 people reached the top of Mt. Everest in 2012. This blog got about 6,700 views in 2012. If every person who reached the top of Mt. Everest viewed this blog, it would have taken 11 years to get that many views.


I saved another two PIX 515Es from the skip and decided to give them a new home. They turned out to be two PIXes with 16/128 flash/RAM and with Unrestricted licenses. That was a lucky find. These boxes can support IOS 8.0.4 and run as an Active/Active cluster. They also support 6 NICs, and they came with a PCI-X quad NIC. Enough said, I was pleased with them.
I was also motivated to upgrade one of them to 8.0.4, so it is now somewhat equivalent to an ASA, and I also installed ASDM. YouTube is your friend; there are videos which explain the upgrade procedure. The “new” PIX 515E has already replaced my restricted-license 515E. ASDM, although I don’t fancy it much, makes life easier when it comes to on-the-fly configuration changes. Some nice statistics can also be gathered. I also configured the modem as a PPPoE client to ensure all internet traffic hits the PIX first. No more ISP pro-modems for me; I prefer this setup.


Managed to get hold of another 2x DL 360, so now I have 3x DL 360s, each server having two quad cores. One server has been beefed up with 16GB of RAM, 1x 300GB SATA drive and 4x 146GB SAS drives. That is the ESXi 5 server.

The other two have 8GB of RAM and 1x 72GB SAS each, for ad hoc testing labs such as Check Point and GNS3 labs.

Cabinet (June 2012)

The other DL 360 G5s…

Another addition to my home lab is the HP DL360 G5. The specs are as follows:

2x Quad Core 3.0 GHz CPUs

8GB RAM

3x 146GB SAS drives

1x Dual PCI-e NIC card

2x PSUs

HP DL360  G5 (front)

HP DL360 G5 (rear)

I already installed ESXi 5 on it; conveniently, the hardware is fully supported. It will probably be used to host Check Point SPLAT firewall setups, including a basic LDAP server. I will then trunk the NICs to the Cisco switches to expand the environment. Fun stuff! 🙂

Recently I noticed that SAS and SATA are in fact compatible: SATA drives can be used to replace SAS drives, but not vice versa. I decided to replace one of the HP 146GB drives with a 300GB Samsung SATA drive I had lying around, and I can confirm it worked perfectly. What is important to note, though, is the difference in rpm the drives support. The SAS/HP drives are 10,000 rpm while the ordinary 2.5″ drives come in 5,400 or 7,200 rpm, which could make a significant performance difference in a production environment. However, in my case a 5,400 rpm drive was enough for my lab, so long as I increased the disk to 300GB. I haven’t tried the SATA drives with the HP Smart Array though; this might introduce some issues.

Hi all,

It has been a while since I wrote on my blog. I have been busy with work, studies and life in general, I guess. I have dedicated myself more to security than networking over these years, and I foresee more to come.

Anyway, I’ll leave you with a teaser of my current lab setup. I got hold of 3 Cisco PIXes to play around with and a 27U cabinet. Fits perfectly in my room! 😉

27U Cabinet

Have you ever wondered how mobiles are capable of rendering websites so perfectly on such small devices and, most important of all, whether it is as safe as using your PC?

I decided to investigate this mobile browsing technique and its implications for user security (privacy).

My Test Environment

I currently have two phones in hand: my iPAQ running Windows Mobile 6.1 and a BlackBerry Bold. Both devices are connected to my internal WiFi, and their public address was obtained by browsing to http://www.myipaddress.com.

Once I set up both phones to connect to my internal WiFi, I opened the browser on each phone and browsed to the site mentioned above.

Note: Since IE cannot render websites correctly on the iPAQ, I installed Skyfire as a browser (www.skyfire.com). The BlackBerry, on the other hand, is a black box and the software is proprietary, meaning that the software has been produced specifically for BlackBerry and no further information is available.

The result:

HP iPAQ Windows Mobile 6.1 –  Skyfire

IP Address: 212.118.x.x

BlackBerry Bold

IP Address: 93.186.x.x

What in the hell are these IP addresses?

Good question; a trace route reveals more information.

Trace of the HP iPAQ (Skyfire) IP address:

(screenshot: trace route output)

Trace of the BlackBerry IP address:

(screenshot: trace route output)

What does this mean?

This means that mobile phone browsers route all traffic through a proxy service which converts the actual web page (designed for a regular PC screen) to fit a mobile phone screen. Without this proxy service it would not be possible for a common phone browser to handle such web pages, especially since websites have evolved from the days of basic HTML.

Does this mean that every web page I view is going through a third party?

Yes indeed. Hold your horses before you start to freak out. With Skyfire, you are told that there is a third party which handles the connection, but the customer’s privacy is guaranteed. With BlackBerry, I do not know. *Honestly*, I happened to stumble across this test to clear my suspicion, and I was hoping that since Skyfire is freeware such a workaround is acceptable, but for BlackBerry I am not sure I am pleased with this solution. Well, given that there seems to be no other method for such good website rendering (since BlackBerry also adopted this method), I guess we will have to lump it.

I did not bother browsing to the BlackBerry website to check whether we are informed of this technique. I was expecting that the first time the browser is opened on the BlackBerry, the user is notified of the third party they are about to connect to. Once you accept this, you may proceed with your happy mobile internet browsing.

So next time you think of viewing anything naughty on your mobile phone, including Facebook or email, remember that there is a third party recording every move; but thanks to the Data Protection Act, you are safe! *For now*.
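The test above looks at the proxy from the phone’s side (public IP and trace route). A site operator can sometimes see the same intermediary from the server side, because proxies commonly add Via, Forwarded or X-Forwarded-For request headers naming themselves and the original client. The block below is an added example, not code from the original post: it scans a request’s headers for those indicators and pulls the claimed client chain out of X-Forwarded-For. The header values are constructed samples, not captured from either phone; the hostnames and 192.0.2.0/24 and 198.51.100.0/24 addresses are documentation ranges used as placeholders.

```python
# Request headers that commonly reveal an intermediary between client and site.
# "forwarded" is the standardised form (RFC 7239); the other two are older
# de-facto headers that transcoding and caching proxies still add.
INDICATOR_HEADERS = ("via", "forwarded", "x-forwarded-for")


def _lower(headers):
    """Header names are case-insensitive, so normalise them once."""
    return {k.lower(): v for k, v in headers.items()}


def proxy_indicators(headers):
    """Return {header: value} for every intermediary-related header present.

    An empty dict means the request carried no such evidence; it does NOT
    prove the request came directly from the client, since a proxy may strip
    or never add these headers.
    """
    lowered = _lower(headers)
    return {h: lowered[h] for h in INDICATOR_HEADERS if h in lowered}


def forwarded_chain(headers):
    """Return the addresses claimed in X-Forwarded-For, client first.

    Each proxy appends the address it received the request from, so the
    left-most entry is the original client and later entries are proxies.
    Every entry is attacker-controllable except the one added by your own
    edge, so treat them as claims, not facts.
    """
    value = _lower(headers).get("x-forwarded-for", "")
    return [part.strip() for part in value.split(",") if part.strip()]


def via_hops(headers):
    """Return the proxy descriptions listed in the Via header, in order."""
    value = _lower(headers).get("via", "")
    return [part.strip() for part in value.split(",") if part.strip()]


# Constructed sample requests (not captured traffic).
SAMPLE_DIRECT = {
    "Host": "www.example.test",
    "User-Agent": "Mozilla/5.0 (constructed)",
}
SAMPLE_VIA_PROXY = {
    "Host": "www.example.test",
    "User-Agent": "Mozilla/5.0 (constructed)",
    "Via": "1.1 transcoder.example.test, 1.1 edge.example.test",
    "X-Forwarded-For": "192.0.2.10, 198.51.100.7",
}

if __name__ == "__main__":
    for label, req in (("direct", SAMPLE_DIRECT), ("proxied", SAMPLE_VIA_PROXY)):
        print(label, proxy_indicators(req), forwarded_chain(req), via_hops(req))
```

The absence of these headers tells you nothing, which is why the author’s check of the observed public IP and trace route is the more reliable way to discover a transcoding proxy; the headers are only useful when the proxy chooses to announce itself.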

OK, I have decided to include my views about this simply because many have done so and I haven’t managed to find anyone with whom I really agree. I am going to be straight to the point here.

  1. Windows should be the choice for desktops.
  2. Linux should not be a choice for desktops.
  3. Windows should not be in a server environment.
  4. Linux should be in a server environment.
  5. Windows is less time consuming to configure. (desktops)
  6. Linux – how much time do you think I have on my hands to get everything to work, for a system which will need to be upgraded due to the many kernel releases / distribution updates?
  7. Windows is easy to setup but final product is no way rewarding – slow downs experienced too early.
  8. Linux is not easy to setup but final product is very rewarding – it does not slow down – ever.
  9. Windows has a good GUI.
  10. Linux has an amazing GUI – BUT ..if not configured correctly can be very problematic – Linux should have never touched GUI – keep it CLI.