Archive for May, 2010

Securing Routers and Switches

May 10, 2010 1 comment

Like every financial firm, we get our share of audits. Most audits are scheduled, but once in a while you can get a surprise visit – someone knocks on your door and says: “Hello, we’re here for an audit.”

Part of my job is making sure my network is ready for D-day. If the auditors ask about network security I should have all the answers and preferably have a working implementation to prove my story.

So the day has come and I was asked about my network security, with routers and switches at the heart of the audit. As a proud CCNP I had good answers and could easily prove my case to the required extent. In this post I want to go over some basic steps that make a difference not just on audit day but every day.

Physical Security – That is, physical access to the router (which results in console cable access). While most companies secure their communication rooms and closets, there is one item many fail to secure: access switches. Many networks have an access switch per department or floor, and the switch ends up on a randomly available shelf, on top of a PC or under a desk. This is a huge hole, as anyone can reach the switch and plug into any of its ports.

Access Lock down – If you failed to secure access to the switch, or if for any reason you are forced to do so, there are a few steps you can take to block intruders:

Security Monitoring – Build a second layer of security using some easy-to-configure tools. Enable logging and make sure the time is set to either local time or UTC so you have accurate data. If a syslog server is available, use it to keep track of all your logs (and avoid losing them when the router loses power).

Use Access Lists – ACLs are a powerful tool that can help you manage access by port, source or destination address. Build different access lists for different connections and block any unnecessary traffic. Make sure you apply each access list to the proper interface (and in the correct direction). Check this video on using ACLs to harden IOS security.

One more reference: Cisco’s guide to hardening Cisco IOS devices.
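As an added example (not part of the original post), the Security Monitoring and access-list checks above can be run against a saved IOS running-config before an auditor asks. The sample config, addresses, ACL names and the `audit_config` helper are all constructed for illustration.

```python
import re

# Constructed sample running-config, not taken from the original post.
SAMPLE_CONFIG = """\
service timestamps log datetime msec localtime show-timezone
logging buffered 16384
!
ip access-list extended MGMT-IN
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 deny ip any any log
access-list 101 permit ip any any
!
interface GigabitEthernet0/1
 ip access-group MGMT-IN in
interface GigabitEthernet0/2
 ip access-group USERS-OUT out
"""

def audit_config(text):
    """Return findings about logging setup and ACL-to-interface bindings."""
    lines = text.splitlines()
    findings = []
    # Security Monitoring: timestamped logs and an off-box syslog target.
    if not any(re.match(r"service timestamps log datetime", l) for l in lines):
        findings.append("log timestamps not enabled")
    if not any(re.match(r"logging (host )?\d+\.\d+\.\d+\.\d+", l) for l in lines):
        findings.append("no remote syslog server configured")

    # Access lists: collect definitions and per-interface applications.
    defined, applied, iface = set(), {}, None
    for line in lines:
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
            defined.add(m.group(1))
        elif m := re.match(r"access-list (\d+) ", line):
            defined.add(m.group(1))
        elif (m := re.match(r"\s+ip access-group (\S+) (in|out)", line)) and iface:
            applied.setdefault(m.group(1), []).append((iface, m.group(2)))

    for name in sorted(defined - set(applied)):
        findings.append(f"ACL {name} defined but not applied to any interface")
    for name in sorted(set(applied) - defined):
        for port, direction in applied[name]:
            findings.append(f"{port} applies undefined ACL {name} ({direction})")
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

On IOS an interface that references an access list which does not exist filters nothing, so the undefined-ACL finding deserves attention first.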


Computer and Communication Networks – book review

May 8, 2010 2 comments

Now that I have covered CCNP topics ranging from switches and routers to security and quality of service, my next book comes as a great overall review.

Computer and Communication Networks

Pearson’s Computer and Communication Networks by Nader F. Mir is a comprehensive book that covers many networking topics. While it doesn’t pretend to be a study guide, it does cover many topics and can be a great resource for those who have already completed their studies, professionals who lack the official certifications but have good networking knowledge, and even newcomers without the basic knowledge.

The book has two parts: Fundamental concepts and Advanced concepts.
The fundamental concepts are great for either newcomers or those who want to refresh their knowledge. It is updated to the 2010 networking state of mind and covers the basics. The advanced concepts are more complicated and you should have some prior knowledge to make the most out of them. As someone who just completed CCNP and has most of the theory (still) fresh in his head, I found it comprehensive but not too deep (that is why we have certification exams ;))

Part I – Fundamental Concepts starts with the basic protocol and packet concepts. It covers devices and transmission options and explains LAN, Wireless and Routing. The end of this part covers the most common protocols (such as TCP, UDP and DNS) and network security.

Part II – Advanced Concepts covers some of the more complex networking ideas like QoS, switch fabrics, optical networks and multicasting. The last few chapters explain VPNs and tunneling, data compression (video and voice), VoIP, Mobile and Wireless.

I really like the RFC list in Appendix B. When you study/read/research a new topic and look for some extra information, RFCs are the best place to start. This list can save you the search time and point you directly to the RFC number you need.

This is a good book to keep in your library; one day you’ll need something and will definitely find it in this book.

Check all my reviews here

40-year-old virus

No, I’m still alive, and though I disappeared from your mailbox or RSS feed, everything is good on my end. I was busy with a few personal issues and hope to get back on track in a few days.

Today I had to upgrade my anti-virus server. Having used ESET’s NOD32 for years, I have found these upgrades to be easy, straightforward and short. This specific version upgrade from 3.x to 4.x adds the ability to restore quarantined files directly from the management console (and a few more major changes), sweet joy!

As expected, the upgrade was easy and I had no issues, but I did find something interesting when the installation completed:

Yes, on a brand new clean installation that had no previous data, a 40-year-old quarantined file shows on the list…

The source computer is my (Trend Micro IMSS) spam filter.
This is the properties screen:

Hope you all have a good weekend!

OFF TOPIC – Five Boro Bike Tour

May 2, 2010 3 comments

As I mentioned in my CCNP completion post (which seems to be ages ago), this week’s focus was New York’s Five Boro 42-mile (67.6km) tour.

New York's Five Boro Bike Tour

It started just before 6am this morning when my alarm clock buzzed. An hour later I was already in downtown Manhattan where thousands of bikers waited in line to start the tour.

Bike tours have their own QoS system: pay more for VIP access and earn a spot at the front of the line (unlike regular admission, which uses the FIFO method); someone stops and all the bike packets queue behind. Downtown Manhattan with 30,000 bikers was so tight that we had to slowly walk part of the route, as we did in big parts of Central Park, as the huge crowd squeezed into the park. The small-size pipe and the bikers’ DoS on Manhattan opened up as we crossed to The (Internet) Bronx and back via FDR Drive.

Riding on the FDR Drive is an exciting experience, and with the BQE and Verrazano bridge on the menu, the tour’s never-open-to-bikers roads gave the extra thrill. It is the one time a year you get access to the major highways, just like getting a fiber for a day when you’re used to slow connections.

Great weather, nice ride and 42 miles later I was packed in one of Staten Island’s Ferries on my way back to the city. Overall, it was fun and not as difficult as I thought. I will try to add longer rides to my workout, though I doubt my schedule will be cooperative…

You can check my performance in this RunKeeper map.
Some of the photos I took are available here.

Starting tomorrow I’m back in business and will make my decision on the next step of my studies.