Cisco Only Commands (COC)
CCNP [Sec, DA] :: CCIE SP
Tuesday, 23 September 2014
Wednesday, 3 September 2014
802.1p
The IEEE 802.1p standard specifies a method of indicating frame priority that relies on the new fields defined in the IEEE 802.1Q standard.
Four bits are added to the Ethernet frame, carrying the frame's VLAN membership and its priority. More precisely, three bits encode one of eight priority levels, and the last 12 bits assign the traffic to one of 4096 VLANs.
The eight classes of the 3-bit PCP field in the IEEE 802.1Q header:
PCP | Priority | Acronym | Traffic Types |
---|---|---|---|
1 | 0 (lowest) | BK | Background |
0 | 1 | BE | Best Effort |
2 | 2 | EE | Excellent Effort |
3 | 3 | CA | Critical Applications |
4 | 4 | VI | Video, < 100 ms latency and jitter |
5 | 5 | VO | Voice, < 10 ms latency and jitter |
6 | 6 | IC | Internetwork Control |
7 | 7 (highest) | NC | Network Control |
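A small parser for the 802.1Q tag described above, added here as an example (not code from the original post). It unpacks the TCI field into PCP, DEI and VID, maps PCP to the priority level and acronym from the table (note that PCP 1 is lower than PCP 0), and also walks an outer 802.1ad (0x88A8) QinQ tag; the sample frames are constructed in the `build_tagged_frame` helper.

```python
import struct

# PCP -> (priority level, acronym), as in the 802.1p table above.
PCP_CLASSES = {
    1: (0, "BK"),  # Background (lowest)
    0: (1, "BE"),  # Best Effort (default for untagged priority)
    2: (2, "EE"),  # Excellent Effort
    3: (3, "CA"),  # Critical Applications
    4: (4, "VI"),  # Video
    5: (5, "VO"),  # Voice
    6: (6, "IC"),  # Internetwork Control
    7: (7, "NC"),  # Network Control (highest)
}

TPID_8021Q = 0x8100   # customer VLAN tag (802.1Q)
TPID_8021AD = 0x88A8  # service/provider tag (802.1ad, QinQ)
TPIDS = (TPID_8021Q, TPID_8021AD)


def parse_vlan_tags(frame: bytes) -> dict:
    """Return dst/src MACs, the list of VLAN tags and the payload EtherType."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame: no EtherType after tag")
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype not in TPIDS:
            break                      # reached the real payload EtherType
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        pcp, dei, vid = tci >> 13, (tci >> 12) & 0x1, tci & 0x0FFF
        prio, acronym = PCP_CLASSES[pcp]
        tags.append({"tpid": ethertype, "pcp": pcp, "dei": dei, "vid": vid,
                     "priority": prio, "acronym": acronym})
        offset += 4
    return {"dst": dst.hex(":"), "src": src.hex(":"),
            "tags": tags, "ethertype": ethertype}


def build_tagged_frame(tags, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19):
    """Construct a sample frame; tags is a list of (tpid, pcp, dei, vid)."""
    hdr = bytes.fromhex("010203040506") + bytes.fromhex("0a0b0c0d0e0f")
    for tpid, pcp, dei, vid in tags:
        hdr += struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload
```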
Friday, 29 August 2014
ASA memo-simple tutorial
Firewall Techniques
Network layer access control: decisions based on Layers 2 through 4, or the data link, network, and transport layers.
Application layer access control: decisions based on Layers 5 through 7, or the session, presentation, and application layers.
Thursday, 28 August 2014
IPS False Positives and Negatives
False Positives
False positives are events where the sensor reacts or responds to traffic that is not malicious. This would represent an error in the network environment the sensor is in. For two different networks, the attack might be a false positive in one and correct in the other. It depends on what type of traffic is permitted or acceptable on each network. A false positive can be caused by signatures that are too general in their attack-matching criteria and fire off on both malicious and nonmalicious traffic.
False Negatives
False negatives are events where the sensor doesn’t fire off any alerts, or produce any actions, even when the sensor has seen malicious traffic. One network’s malicious traffic can be a different network’s acceptable traffic. This would represent an error from an IPS perspective and can be caused by a signature that is too specific in its matching criteria. This could also be caused by evasion techniques the attacker is using or by signatures being disabled that might have been able to identify the attack. Table 13-2 shows some examples of false positives.
Signature | Possible Attack | Benign Cause of the False Positive |
---|---|---|
ICMP Network Sweep w/Echo | ICMP reconnaissance | Network mapping tools being run by management host |
Failed Login | Brute-force attack or password guessing | Valid user forgot password and was making several attempts |
UDP Flood | UDP DoS attack | Video or voice calls, using lots of UDP |
Sunday, 24 August 2014
IPS Custom Signatures
Traffic Analysis Method | Cisco IPS Inspection Engines |
---|---|
Packet header matching | Atomic |
Packet content matching | Atomic |
Stateful content matching | String |
Protocol decoding | Service |
Rate analysis | Flood |
Traffic correlation | Sweep |
Event correlation | Meta |
Creating Custom Signature Guidelines:
IPS anomaly overview and components
Anomaly Detection Overview
The IPS anomaly detection feature is a statistical anomaly-based system. Its purpose is to identify and prevent scanning network worms. A scanning network worm spreads by blindly scanning a network to find victims and then compromising those victims through network attacks. These attacks are typically against exposed network services.