Best IT Blog

Word Document – Understanding Network Access Control

Posted in Data Center - SOC - NOC,Networking (340),Security (1500) by Guest on the November 1st, 2018

Understanding Network Access Control



Sample Visio – Load Balancer Design

Sample Visio – Load Balancer Design



Sample Visio – High Level Network Service Request

Posted in Data Center - SOC - NOC,Networking (340),Visio Samples - Stencils (457) by Guest on the February 12th, 2015

Free Visio Document download

High Level Network Service Request


Sample Excel – Radware Monitoring Parameters OIDs

Posted in Networking (340),Sample - IT Spreadsheets - PowerPoints (251) by Guest on the February 7th, 2015

Free Excel document download

Radware Monitoring Parameters OIDs


Sample Excel – Sample Network Wiring Request

Free Excel document download

Sample Wiring Request


Sample – Network UAT Change Policy

Posted in Compliances (1300),Networking (340),Security (1500) by Guest on the January 29th, 2015

Network Services is requiring User Acceptance Testing (UAT) on all high risk/high impact changes and/or changes that will result in a known impact or system degradation. The risk scoring of the change is based on information entered in the change record as well as the Enterprise model used for scoring changes.

The change is to be thoroughly researched as to impact, proper notifications made to the Lines of Business, and testing coordinated.  The intent of the UAT requirement is to ensure that applications and servers impacted by a change validate their applications during the change window by executing tests and checks that the teams deem appropriate to verify that the applications are working as expected.

The name and email address of the line of business tester will be required to be documented in the long-description section of the change record.  For those changes that are on shared devices and that impact multiple lines of business, the project manager or technology project manager will be expected to coordinate the UAT.

The UAT is to be done during the approved change window so that should there be issues, they can be resolved prior to the start of the production day.

Some lines of business will not be able to test during this period due to services/exchanges needed to test not being available.  For these types of situations, the teams can follow their normal process for validating changes and will not be required to submit a waiver accompanied by Lines of Business approvals.

Issues reported outside of the change window will be handled as break-fix, subject to normal SLAs for incident restoration.

If the client decides they do not want to provide user acceptance testing, they must provide a UAT waiver email with Lines of Business approval attached to the change record.

Other relevant conditions that apply are outlined below:

  • Vendors in some cases are approved to test on behalf of the lines of business. That is acceptable as long as there is a detailed test plan that covers all features and functionality associated with the device being changed.
  • Low-risk, repeatable changes, although not subject to this requirement, should be validated by the line of business as well.
  • Firewall rule changes are often bundled into one change. In that case the Service Request submitter is expected to perform the UAT.
  • Non-prod devices, labs, and lower-level development platforms are out of scope.



Sample Excel – SNMP Fireeye MIB

Posted in Networking (340),Sample - IT Spreadsheets - PowerPoints (251) by Guest on the January 18th, 2015

Free Excel document download

SNMP Fireeye MIB


Sample Excel – DNS Change Form

Free Excel document download

DNS Change Form



Sample Visio – Bluecoat Proxy Stencils


Sample – High Level LAN Architecture Considerations

Posted in Compliances (1300),Data Center - SOC - NOC,Networking (340) by Guest on the December 14th, 2014

Standards-based: Implementation, Monitoring and Break / Fix.

  1. Green Initiatives – reduce power, space, & cable plant requirements.
  2. High Speed Backup Infrastructure design.
  3. Wireless Standards for Trusted Laptops and BYOD.
  4. Deployment in new office build-outs.
  5. Implement Global LAN Multicast Architecture
  6. Migrate LAN infrastructure of recently acquired sites to corporate standards.
  7. Evaluate NextGen Data Center Network Architecture.
  8. Enhance Wireless and BYOD standards for Guest Workers.
  9. Develop Port-Level Authentication Control Architecture.
  10. Support Network Security objectives for segmentation and role-based access to network resources.

WAN MPLS Architecture

Standards-based Architecture in place.

  1. Client Connectivity Service Models Established.
  2. IPSEC encryption service offering available where required.
  3. Implement Global WAN Multicast Architecture.
  4. Enhance QOS architecture for Voice & Video.
  5. Evaluate GET VPN for NextGen Encryption Standard.
  6. Enhance traffic classification and prioritization across the WAN.
  7. Deploy NextGen encryption standard.

Extranet / Internet Architecture

Standard Extranet & Internet infrastructure deployed globally.

  1. Data Services consolidated regionally.
  2. Continue support for Global DC Consolidation Projects.
  3. Enhance FlexWorker Remote Access service models.
  4. Implement Out of Region Recovery Requirements for Inter-Agency applications.
  5. Provide a consistent infrastructure for system access across the global enterprise via secure private and public network access.

Network Security Architecture

  1. Next Gen architecture for Firewall, Intrusion Detection, Vulnerability Scanning, Web Proxy, DNS and Remote Access installed Globally.
  2. Centralized logging of network access for employees, clients and vendors in place.
  3. Evaluate Intrusion Prevention/Anomaly Detection Solutions
  4. Develop Cyber Security Architecture (DDoS).
  5. Implement NextGen Load Balancing Architecture.
  6. Enhance Risk Management processes in support of Compliance and Audit Requirements.
  7. Implement controls to protect voice services.
  8. Migrate from Device based to Entitlement based access controls for network resources.
  9. Integrate Logging Data Sources to support Event Correlation capability.



Internetworking Challenges

Posted in Networking (340) by Guest on the October 25th, 2014

Implementing a functional Internetwork poses many challenges. These challenges fall into four major categories:

Connectivity — The challenge of connectivity is to support communication between disparate technologies, such as different media types or speeds.


Reliability — Reliable service is a must in any Internetwork. Individual users and whole organizations are dependent on getting consistent, reliable access to network resources.


Management — Network management must provide centralized support and troubleshooting capabilities in an Internetwork. Configuration, security, performance, and other issues must be adequately addressed in order for the Internetwork to function smoothly.


Flexibility — Flexibility is a necessity in the face of network expansion, new applications and services, and other such factors.



Our Cisco Switching Notes

Posted in Networking (340),Security (1500) by Guest on the September 12th, 2014
  • Switching is ASIC (hardware)-based, as opposed to bridging, which is software-based.
    • Otherwise, a switch is like a bridge with many more ports.
  • An L3 “intelligent” switch is faster than a router and can forward based on L3 addresses.
  • Switches perform address learning by reading frames’ source addresses.
  • They make forward-or-filter decisions whereby broadcasts (all 1s), multicasts (host address = all 1s), and frames for unknown destinations go out all ports.
  • This breaks up collision domains by sending only needed frames out each port.
  • BUT it does not break up broadcast domains, because broadcasts go out all ports.
  • Switches practice loop avoidance to stop broadcast storms, duplicate frames, and confusion in their filter tables caused by multiple paths.
  • The key method for loop avoidance is Spanning Tree Protocol (STP), using Bridge Protocol Data Unit (BPDU) multicasts exchanged every 2 seconds.
  • STP (IEEE 802.1d) is a messy protocol that causes lots of delays and recalculates the entire tree every time the network configuration changes.
  • STP elects a root bridge based on its 8-byte bridge ID (derived from its device priority and its MAC address). Priorities are compared (32,768 is the default) and the lowest value wins. If tied, the lowest MAC address wins.
  • The root bridge decides port settings on the remaining devices: open (designated) or blocked (non-designated). The lowest-cost port leading back to the root bridge is called the “root port” and becomes the path for communication with the root.
  • Designated ports are chosen by lowest-cost path, using the links’ accumulated bandwidth-based costs.
  • When the network topology changes, all data stops for 50 seconds (“convergence time”) while STP reconfigures all ports. Port transitions go as follows:
    • Blocking
    • Listening (exchanging BPDUs and checking for loops) – “forwarding delay”
    • Learning all MAC addresses – a period also called a “forwarding delay”
    • Forwarding
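The election and port-role rules in the notes above, carried through on a small constructed topology. This is an added example, not part of the original notes: bridge priorities, MAC addresses and links are made up, and the per-link costs are the classic IEEE 802.1D values (assumed here: 100 Mb/s = 19, 1 Gb/s = 4). It shows the priority-then-MAC tie-break, root-port selection by accumulated cost, and why one end of a redundant link ends up blocked.

```python
"""Root bridge election and STP port roles on a constructed topology.

Added example (not from the original notes). Bridge IDs compare as
(priority, MAC); lowest wins. Root ports are chosen by lowest accumulated
path cost back to the root. Link costs are assumed 802.1D values.
"""
import heapq

LINK_COST = {"100M": 19, "1G": 4}  # assumption: classic 802.1D port costs

# Constructed sample bridges: name -> (priority, MAC address)
BRIDGES = {
    "SW1": (32768, "00:00:0c:aa:aa:aa"),
    "SW2": (32768, "00:00:0c:00:00:01"),  # lowest MAC among default-priority bridges
    "SW3": (4096, "00:00:0c:ff:ff:ff"),   # priority lowered by the administrator
}

# Constructed sample links: (bridge A, bridge B, link speed)
LINKS = [
    ("SW1", "SW2", "1G"),
    ("SW2", "SW3", "100M"),
    ("SW1", "SW3", "100M"),
]


def bridge_id(entry):
    """Comparable bridge ID: priority first, then the MAC as an integer (lowest wins)."""
    priority, mac = entry
    return (priority, int(mac.replace(":", ""), 16))


def elect_root(bridges):
    """The root bridge is the bridge with the lowest bridge ID."""
    return min(bridges, key=lambda name: bridge_id(bridges[name]))


def root_path_costs(bridges, links, root):
    """Lowest accumulated cost from every bridge back to the root (Dijkstra).

    Returns (cost, upstream): upstream[b] is the neighbour b reaches the root
    through, i.e. the far end of b's root port. Equal-cost paths are broken in
    favour of the upstream neighbour with the lower bridge ID, as 802.1D does.
    """
    adj = {}
    for a, b, speed in links:
        adj.setdefault(a, []).append((b, LINK_COST[speed]))
        adj.setdefault(b, []).append((a, LINK_COST[speed]))
    cost = {root: 0}
    upstream = {}
    heap = [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > cost[node]:
            continue
        for nb, c in adj.get(node, []):
            nd = d + c
            better = nd < cost.get(nb, float("inf"))
            tie = nd == cost.get(nb) and bridge_id(bridges[node]) < bridge_id(bridges[upstream[nb]])
            if better or tie:
                cost[nb] = nd
                upstream[nb] = node
                heapq.heappush(heap, (nd, nb))
    return cost, upstream


def port_roles(bridges, links):
    """Role of each (bridge, neighbour) port: 'root', 'designated' or 'blocked'."""
    root = elect_root(bridges)
    cost, upstream = root_path_costs(bridges, links, root)
    roles = {}
    for a, b, _ in links:
        # The designated end of a link is the bridge with the lower root path cost;
        # ties go to the lower bridge ID.
        des = min((a, b), key=lambda n: (cost[n], bridge_id(bridges[n])))
        other = b if des == a else a
        roles[(des, other)] = "designated"
        # The far end is a root port only if this link is its best path to the root;
        # otherwise it is blocked, which is what removes the loop.
        roles[(other, des)] = "root" if upstream.get(other) == des else "blocked"
    return roles


if __name__ == "__main__":
    print("root bridge:", elect_root(BRIDGES))
    for (bridge, nb), role in sorted(port_roles(BRIDGES, LINKS).items()):
        print(f"{bridge} port towards {nb}: {role}")
```

On this topology SW3 wins on priority alone; SW1 and SW2 both reach it directly at cost 19, so the 1 Gb/s link between them carries no root port and SW1's end of it is blocked because SW2 has the lower MAC.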

Three Frame Handling Modes

  • Cut-through: fastest possible; only the destination header is checked (1st 13 bytes)
  • Fragment-free: (default mode for Catalyst 1900 switches) reads the 1st 64 B, checking for collision damage before forwarding
  • Store-and-forward: entire frame checked; rejected if too short (<64 B) or too long (>1518 B) or if it has a CRC failure; the method with the greatest “latency” (delay).
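To make the trade-off between the three modes concrete, here is an added example (not from the original notes) that builds constructed Ethernet frames and passes a runt, a bit-flipped frame and an oversized frame through a model of each mode. The FCS is computed with CRC-32 and appended little-endian, the convention packet captures show; the frames, addresses and payloads are made up.

```python
"""Model of cut-through, fragment-free and store-and-forward handling.

Added example, not from the original notes. Frames are constructed here;
MIN/MAX sizes are the 64 B / 1518 B limits quoted in the notes.
"""
import struct
import zlib

MIN_FRAME = 64      # bytes including the 4-byte FCS, excluding preamble
MAX_FRAME = 1518
HEADER_LEN = 14     # destination MAC + source MAC + EtherType


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Build a frame padded to the minimum size with a correct FCS."""
    header = (bytes.fromhex(dst_mac.replace(":", ""))
              + bytes.fromhex(src_mac.replace(":", ""))
              + struct.pack("!H", ethertype))
    body = header + payload
    body += b"\x00" * max(0, MIN_FRAME - 4 - len(body))
    fcs = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)  # CRC-32, little-endian on the wire
    return body + fcs


def fcs_ok(frame):
    """True when the trailing 4 bytes match the CRC-32 of the rest of the frame."""
    return struct.pack("<I", zlib.crc32(frame[:-4]) & 0xFFFFFFFF) == frame[-4:]


def handle(frame, mode):
    """Return ('forward', None) or ('drop', reason) for the given switching mode."""
    if mode == "cut-through":
        # Decision is taken as soon as the destination address has arrived;
        # damaged or runt frames are forwarded regardless.
        if len(frame) < 6:
            return ("drop", "no destination address")
        return ("forward", None)
    if mode == "fragment-free":
        # Collision fragments are shorter than 64 bytes; wait for that much, then forward.
        if len(frame) < MIN_FRAME:
            return ("drop", "runt (collision fragment)")
        return ("forward", None)
    if mode == "store-and-forward":
        # Whole frame is buffered, so length and CRC can both be verified.
        if len(frame) < MIN_FRAME:
            return ("drop", "runt")
        if len(frame) > MAX_FRAME:
            return ("drop", "giant")
        if not fcs_ok(frame):
            return ("drop", "CRC failure")
        return ("forward", None)
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample frames
GOOD = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", 0x0800, b"A" * 100)
RUNT = GOOD[:40]                                             # cut short by a collision
CORRUPT = GOOD[:20] + bytes([GOOD[20] ^ 0x01]) + GOOD[21:]   # one flipped payload bit
GIANT = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", 0x0800, b"B" * 1600)

if __name__ == "__main__":
    for name, frame in (("good", GOOD), ("runt", RUNT), ("corrupt", CORRUPT), ("giant", GIANT)):
        for mode in ("cut-through", "fragment-free", "store-and-forward"):
            print(f"{name:8} {mode:18} -> {handle(frame, mode)}")
```

The corrupt frame is the instructive case: both faster modes pass it on, since neither reads far enough to see the FCS, and only store-and-forward pays the buffering latency needed to reject it.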



Sample Visio – NAS Visio Drawing

Posted in Networking (340),Visio Samples - Stencils (457) by Guest on the July 28th, 2014

Free sample document NAS – Network-attached storage Visio Download




Network Manager Reports

Posted in Networking (340) by Guest on the June 24th, 2014

The purpose of the network manager reports is to give network managers an overview of the network as well as its problem areas, so they can focus on what keeps the network up and running.

  • Overall health & availability reports for all devices
  • Health & availability reports for individual devices
  • Web links to report on Router health, for exception reporting at the device level status
  • Overall & individual segment utilization reports
  • Segment level protocol distribution reports (based on RMON)
  • Segment level Top conversation reports (based on RMON)
  • Worst-performing devices by health (overall & at device level)



Sample WatchGuard Option Profile — Additional Options

Posted in Firewalls (75),Networking (340),Security (1500) by Guest on the January 28th, 2014

There are additional options that affect how the service performs host discovery for maps and scans and how the service interacts with your Firewall, IPS / IDS configurations. These options appear on the Additional tab when you create or edit an option profile.

The initial settings are best practice in most cases. These settings should only be customized under special circumstances. For example, changing the Host Discovery setting may result in live hosts going undetected, and thus not being scanned for vulnerabilities.

To customize additional options, create a new option profile or edit an existing profile. Then apply the customized profile to on-demand or scheduled map and scan tasks.

Option: Host Discovery
Specify which probes are sent and which ports are scanned during host discovery. This option affects both map and scan tasks. The service pings every target host using ICMP, TCP, and UDP probes and then analyzes the packets sent in response to determine which hosts are “alive”.
Note that by changing the default settings, the service may not detect all live hosts, and hosts that go undetected cannot be scanned for vulnerabilities. These settings should only be customized under special circumstances: for example, to add ports that are not included in the Standard port list, to remove probes that will trigger your firewall/IDS, or to only discover live hosts that respond to an ICMP ping.
Initial Settings: TCP & UDP – Standard Scan, ICMP – Enabled

Option: Blocked Resources
Specify ports that are blocked and IP addresses that are protected by your firewall/IDS. This option only affects scan tasks. If the scanning process triggers your IDS, then it will likely be firewalled and we won’t be able to continue our search for vulnerabilities on your network. Therefore, we need to know which IPs you have protected and which ports are blocked. This will help us prevent triggering your IDS.
Optionally, if you don’t want a host to be scanned at all, then add the host’s IP address to the excluded hosts list. No scanning traffic, including ICMP, TCP and UDP probes, will be sent to excluded hosts. Configure the list of excluded hosts on the Excluded Hosts Setup page (Setup → Excluded Hosts).
Another method for allowing our scanning engine to probe your network without triggering your firewall/IDS is to add our scanner IP addresses to your firewall/IDS configuration. This list of friendly IPs is commonly known as a white list or exception list. For example, if you are using WatchGuard, add our scanner IP addresses to the “Blocked Sites Exception” list. This list is configured in the System Configuration for the WatchGuard Firebox Vclass series, and in the Policy Manager for the WatchGuard Firebox System series. Refer to your firewall/IDS documentation for specific details on how to configure an exceptions list. You can view a current list of IP addresses for the service’s external scanners on the About page (Help → About).
Note that the “WatchGuard default blocked ports” option is only applicable to the WatchGuard Firebox System series. Setting this option is not necessary if you added our scanner IP addresses to the WatchGuard exception list.
Initial Setting: Disabled

Option: Ignore RST packets
Some filtering devices, such as firewalls, may cause a host to appear “alive” when it isn’t by sending TCP Reset packets using the host’s IP address.
When enabled, all TCP Reset packets are ignored for scan tasks, and TCP Reset packets generated by one or more filtering devices are ignored for map tasks. In other words, hosts will not be detected as being “alive” if the only responses from them are TCP Reset packets that seem to have originated from a filtering device.
Initial Setting: Disabled

Option: Ignore firewall-generated SYN-ACK packets
Some filtering devices, such as firewalls, may cause a host to appear “alive” when it isn’t by sending TCP SYN-ACK packets using the host’s IP address.
When enabled, the service attempts to determine if TCP SYN-ACK packets are generated by a filtering device and ignores all SYN-ACK packets that appear to originate from such devices.
Initial Setting: Disabled

Option: Do not send ACK or SYN-ACK packets during host discovery
Some firewalls are configured to log an event when out-of-state TCP packets are received. Out-of-state TCP packets are not SYN packets and do not belong to an existing TCP session. If your firewall is configured in this manner and you do not want such events logged, then you can enable this option to stop the service from sending out-of-state ACK and SYN-ACK packets during host discovery for map and scan tasks. If you enable this option and you also enable the “Perform 3-way handshake” option on the Scan tab, then the “Perform 3-way handshake” option takes precedence and this option is ignored.
Initial Setting: Disabled

VPNs Use IPSec to Protect Users against the following attacks

Spoofing – One machine or user on a network masquerades as another

Sniffing – An eavesdropper listens in on a transmission between users

Hijacking – Spoofing and other techniques are used to take control of a communications session, allowing the attacker to masquerade as one of the communicating parties 

Protecting the perimeter

For the purposes of this discussion we will focus on firewall and intrusion detection deployments. An integral part of any security policy, the effective deployment of these Internet security appliances creates a trusted network environment for business.

Installing a firewall is critical as the first line of defense, both at the corporate campus and remote sites including the homes of mobile workers. A firewall will inspect the connection and assure that it is allowable within a defined policy.  However, firewalls only inspect connections, they do not look for abnormalities in the packet header or malicious code within the data portion of the packet.  

For maximum perimeter protection, network intrusion detection sensors should be strategically located to monitor and protect the firewall and internal network.  The best coverage is obtained by placing NIDS / IPS sensors both inside and outside the firewall.  The external sensor detects attacks on the firewall and monitors for denial-of-service, probes and firewall exploits.  The internal sensor detects unusual activity such as trojan horse and back door infections and other externally addressed traffic. 

Another critical element of perimeter protection is using a NIDS on VPN and WAN links.  Hackers will often target branch offices – which tend to have lax security policy adherence and poor physical security – to attack an organization’s network resources.  In this way, a hacker can bypass a firewall by accessing the network through the VPN or WAN.



PowerPoint – SNMP In Depth

Free PowerPoint document download

SNMP In Depth



Network Security Scan Types and Considerations

Network Scan Types and Scope
This network scanning recommendation defines network scan types, identifies reasons for scanning, identifies when network scanning is allowed and who should approve it, and specifies who should be notified when network scanning is done.

Network device location scan – This scan may use different means to determine the IP addresses of active devices on the network. Methods:

ARP Scan – An ARP broadcast can be sent to network IP addresses asking “what is the MAC address of the host with IP address x.x.x.x?”. If a response occurs, there is an active host at that address.

Internal full port scan – Checks to determine what services are running on each host. This may be done against selected hosts or all hosts, including servers and workstations.

Socket connect scan – Tries to complete a socket connection to a port on a host computer. This scan allows the host computer to log the connection.

SYN scan – Sends a SYN packet to the host indicating that it wants to open a socket, but when the host responds it does not finish establishing the connection.

FIN scan – Sends a FIN packet to a host port. If a service is not running, the port responds with a reset signal. If the port has a service running on it, the signal is ignored.

External full port scan – Checks to determine what services are running on each host. This test is done from outside the firewall and is directed toward any IP addresses owned by the organization being tested. It may use the socket connect scan method, the SYN scan method, or the FIN scan method.

Internal vulnerability scan – Tests the server to see if it is vulnerable to known flaws in the operating system, services, and applications that are running. This test may be directed toward one or more hosts, including servers and workstations. This test goes beyond performing a full port scan. It attempts to get information about the operating system and services running on the host. It will attempt to determine the version of the services running on the host, and may even do a penetration test.

External vulnerability scan – Same as the internal vulnerability scan except it is done from outside the organization network and is directed toward any IP addresses owned by the organization being tested.

Internal denial of service scan – This is a scan using packets which are intentionally designed to make a system crash or tie up resources. The scan is directed against ports, but the data sent is usually malformed in some unusual way.

External denial of service scan – Similar to the internal denial of service scan except it is directed against IP addresses owned by the organization being tested.

Password cracking – This test may send default passwords and brute force password guessing against accounts on specified systems. This is really not like a network scan, but it is covered in this recommendation since it could potentially disrupt service depending on the password policies of the organization.

Many scanning services will offer some combinations of these types of scans. This recommendation covers all types of network and host scanning.
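Because the recommendation requires written permission for every scan, the owners of a network also need a way to recognise the scan types it lists when they show up unannounced. The following is an added example, not part of the original recommendation: it takes constructed inbound packet records as seen from the target side (a capture or firewall log would supply real ones), labels each source/port conversation as an ARP probe, a completed socket connect, a half-open SYN probe or a bare FIN probe using the definitions above, and flags sources that touch many distinct ports on one host within a short window. All addresses and timings are made up.

```python
"""Labelling probe techniques and flagging port scans from inbound packet records.

Added example, not from the original recommendation. Records are constructed.
Only packets arriving at the monitored hosts are modelled, so a conversation is
'connect' when the client's handshake ACK is seen, 'syn' when the SYN is never
followed by an ACK (half-open), and 'fin' when the only packet is a bare FIN.
"""
from collections import Counter, defaultdict

# Constructed inbound packet records: (time_s, src, dst, proto, dport, tcp_flags)
RECORDS = [
    # 10.0.0.5 probes six ports on 10.0.0.20: SYN, then RST once the SYN-ACK arrives
    *[(0.05 * i + (0.01 if f == "R" else 0.0), "10.0.0.5", "10.0.0.20", "tcp", p, f)
      for i, p in enumerate((21, 22, 23, 25, 80, 443)) for f in ("S", "R")],
    # 10.0.0.9 opens one ordinary HTTPS session to 10.0.0.20
    (0.10, "10.0.0.9", "10.0.0.20", "tcp", 443, "S"),
    (0.11, "10.0.0.9", "10.0.0.20", "tcp", 443, "A"),
    (0.12, "10.0.0.9", "10.0.0.20", "tcp", 443, "PA"),
    # 10.0.0.7 sends bare FINs to six ports on 10.0.0.21
    *[(0.03 * i, "10.0.0.7", "10.0.0.21", "tcp", p, "F")
      for i, p in enumerate((22, 53, 111, 139, 445, 3306))],
    # 10.0.0.9 asks for 10.0.0.21's MAC address (ARP; no port or flags)
    (0.20, "10.0.0.9", "10.0.0.21", "arp", 0, ""),
]


def classify_conversations(records):
    """Label each (src, dst, proto, dport) conversation by the probe technique it shows."""
    flags_seen = defaultdict(set)
    for _, src, dst, proto, dport, flags in records:
        flags_seen[(src, dst, proto, dport)].add(flags)
    labels = {}
    for key, flags in flags_seen.items():
        proto = key[2]
        if proto != "tcp":
            labels[key] = proto                       # arp / udp probes
        elif "S" in flags and any("A" in f for f in flags):
            labels[key] = "connect"                   # handshake completed; the host can log it
        elif "S" in flags:
            labels[key] = "syn"                       # half-open: SYN never followed by an ACK
        elif flags == {"F"}:
            labels[key] = "fin"                       # bare FIN probe
        else:
            labels[key] = "other"
    return labels


def detect_scanners(records, min_ports=5, window_s=2.0):
    """Flag (src, dst) pairs touching >= min_ports distinct TCP ports inside window_s.

    Returns sorted (src, dst, dominant technique, distinct ports in the busiest window).
    """
    labels = classify_conversations(records)
    per_pair = defaultdict(list)
    for t, src, dst, proto, dport, _ in records:
        if proto == "tcp":
            per_pair[(src, dst)].append((t, dport, labels[(src, dst, proto, dport)]))
    alerts = []
    for (src, dst), events in per_pair.items():
        events.sort()
        start, best = 0, 0
        for end, (t, _, _) in enumerate(events):
            while events[start][0] < t - window_s:   # slide the window forward
                start += 1
            best = max(best, len({p for _, p, _ in events[start:end + 1]}))
        if best >= min_ports:
            technique = Counter(label for _, _, label in events).most_common(1)[0][0]
            alerts.append((src, dst, technique, best))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_scanners(RECORDS):
        print("scan-like activity:", alert)
```

The labels matter for the response: a completed connect shows up in the target's own logs, whereas SYN and FIN probes leave no application-level trace and are only visible to a sensor or firewall watching the wire, which is exactly why the recommendation asks that scanning be approved and announced in advance.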

Network Scanning Reasons

Network scanning may be performed for several reasons:

  • To determine whether computer systems are vulnerable to attack and fix them.
  • To show companies we interact with that our servers are reasonably secure.
  • To fulfill regulatory requirements.

Network scanning shall not be performed without written permission.

Network Scanning Disruptions
Network scanning can be very disruptive to both a network and hosts that are operating on a network. No network scanning shall be allowed without close adherence to this recommendation and the associated procedures. Network scanning can cause systems to crash and network devices to become unreliable which can become very disruptive to the business operations.


Cisco – Short Crypto PIX commands

Posted in Networking (340) by Guest on the May 18th, 2013

PIX IPSEC Commands 

isakmp enable interface-name

isakmp policy policy-number authentication pre-share

isakmp policy policy-number encryption 3des

isakmp policy policy-number hash md5

isakmp policy policy-number group 1

isakmp policy policy-number lifetime 1000

crypto ipsec transform-set set-name esp-3des esp-md5-hmac

crypto map name priority set peer peer-address

crypto map name priority set transform-set set-name

access-list name/number permit ip local-network mask remote-network mask

crypto map name priority match address access-list

crypto map name interface interface-name


domain-name domain-name

ca generate rsa key 1024

ca save all


crypto map name priority ipsec-isakmp

crypto map name priority set peer peer-address


PIX Show Commands

show crypto map – shows the configured crypto maps

show crypto isakmp sa – shows all current IKE SAs at a peer

show crypto ipsec sa – displays encrypted sessions

debug crypto commands

debug crypto isakmp (may be abbreviated debug crypto isa) – displays messages about IKE events

debug crypto engine – displays debug messages about crypto engines, which perform encryption and decryption

clear crypto commands

clear crypto ipsec sa – resets the IPsec security association after a failed attempt to negotiate a VPN tunnel.

clear crypto isakmp sa – resets the Internet Security Association and Key Management Protocol (ISAKMP) security association after failed attempts to negotiate a VPN tunnel.



Sample Word – Job Roles VOIP Segregation of Duties

Posted in Networking (340),Security (1500) by Guest on the May 12th, 2013

Sample Visio – PSTN DSL

Posted in Networking (340),Security (1500) by Guest on the April 29th, 2013

IT Business Risk Impact Considerations

Posted in Networking (340),Security (1500) by Guest on the April 29th, 2013

Risk is based on a systematic examination of assets, threats, and vulnerabilities that provides the foundation for the development of an appropriate IT Security Program.  Adequate risk analysis is the key to determining the level of protection required for all computing assets such as networks, applications, systems, facilities and other enterprise assets.  A risk analysis will:

  • Identify dependence on existing IT assets.
  • Identify vulnerabilities of existing IT assets.
  • Assess the probabilities of threats occurring to existing IT assets.
  • Determine the impact of losses if they do occur.
  • Identify the value of safeguards or countermeasures designed to reduce the threats and vulnerabilities to an acceptable level. 


The goal of the risk analysis process is to determine an acceptable level of risk that considers security, the security of shared resources, business strategy, and the overall cost of countermeasures.  Conducting an adequate risk analysis will help organizations apply their available resources to their security program more effectively.

To conduct a risk analysis, Organizations shall complete the following steps: 

A.   Information Asset Review

An information asset review shall be performed to identify, at a minimum, those information assets that are critical to ongoing operations or which contain confidential or critical data.  The criteria for this inventory assessment shall be documented.  

B.   Business Impact Analysis

A business impact analysis shall be performed for all information assets identified in the Information Asset Review.  The purpose of the business impact analysis is to document the potential impact of loss of the assets.  Consideration shall be given to operational, financial, and legal impacts. 

C.   Vulnerability Analysis

A vulnerability analysis is used to identify vulnerabilities associated with information assets.  The vulnerability analysis shall identify specific vulnerabilities related to information assets identified in the information asset review, as well as where those vulnerabilities exist. 

D.   Threat Analysis

A threat analysis shall be conducted to identify threats that could result in the intentional or accidental destruction, modification or release of data, computer, or telecommunication resources.

E.   Risk Analysis

A risk analysis is a collective review of the vulnerabilities and threats to all identified assets to determine the likelihood and impact.  This analysis forms the foundation for security program planning. 

While no specific format is required for the risk analysis, instructions and suggested formats, as well as links to risk analysis resources, can be found in the Information Technology Security Guidelines.  Organizations may also consider leveraging disaster recovery reviews, specifically relating to critical assets and business impact, when completing IT security risk assessments.



SPLAT – Nokia Appliances IP / IPSO Security Configuration Standards


This document will provide standards for the configuration of Nokia IP Security Appliances.  These standards will provide continuity across the enterprise for all Nokia Appliances. 


Nokia IP Security Appliances are purpose-built security devices, deployed at strategic locations throughout the Corporate Security network to run Check Point Firewall-1.  These appliances run a hardened operating system called IPSO, which is a derivative of FreeBSD Unix.  It is important to note that some configurations will be device dependent due to differences in the Nokia models.

Interface Configuration

Each configured interface will:

  • Have Link Speed and Duplex Hardcoded
  • Have Autoadvertise and Flow Control disabled

Each unconfigured interface will:

  • Be disabled in the physical and logical configurations 


Static ARP configurations will be network design dependent.

Transparent Mode/Link Aggregation/FWVPN Tunnels

  • Not Configured 

System Configuration

  • Not Configured 

Disk Mirroring

Device Dependent:  Disk-based systems with two hard drives will have disk mirroring configured.

Optional Disk

Device Dependent:  Flash-based systems which are purchased with a hard drive will be configured in Hybrid mode with the Optional Disk parameter.

System Failure Notification/Mail Relay

  • Not Configured 


  • All Corporate Security devices are set to GMT 

Host Address

The Host Address will be set to the Management interface of the firewall. 

System Logging

Network Logging:

  • Set to On
  • Primary Log Server: XXX.XXX.XXX.XXX
  • Threshold 0%

Local Logging

  • Set to Off
  • Flush Frequency: 4 Hours 

System Configuration Audit Logs

  • Logging of Transient and Permanent Changes 

System Voyager Audit Logs

  • Enabled 

Core Dump Server

  • Not Configured 


The Hostname is configured as part of the initial setup and should not be changed. 

Configuration Sets

Left to default configuration of “initial” 

Job Scheduler

A cron job called Delete_Old_Backups is set to run on the 6th day of each week at 23:00.


A backup of the default directories, /config and /var/cron, is set to run on the 6th day of each week at 23:15.


  • Only one IPSO image will be kept on the system  


  • Only the Check Point and CPInfo packages will be Enabled 


Authentication of users will be facilitated by the following RADIUS servers:



SNMP v1/v2/v3

Read Only Community String: U4Ria$a

  • Trap Receiver: XXX.XXX.XXX.XXX 

Trap Community String: $Shadow!r3m0N


  • Enable linkUp/linkDown traps
  • Enable systemTrapConfigurationChange traps
  • Enable systemTrapConfigurationFileChange traps
  • Enable systemTrapConfigurationSaveChange traps
  • Enable systemTrapNoDiskSpace traps
  • Enable systemTrapDiskFailure traps
  • Enable vrrpTrapNewMaster traps
  • Enable systemFanFailure traps
  • Enable systemOverTemperature traps
  • Enable Authorization traps 

High availability


VRRP will be configured using Legacy Mode.

  • Accept Connections to VRRP IPs: Enabled
  • Monitor Firewall State: Enabled
  • Each Clustered Interface will be set as a Monitored Circuit
  • Priority: 100 & 95 on the Primary and Secondary respectively
  • Hello Interval 1
  • VMAC Mode: VRRP
  • Preempt Mode: Enabled
  • Each Cluster Interface will be monitored by all other Cluster Interfaces
  • Priority Delta 10
  • Auto-deactivation: Disabled
  • Authentication: Simple
  • Password:  Firewall Name.Interface Name 

Security and Access


The Following Accounts will be created on each Firewall

  • Fwbackup (Used to pull System Backup files)
  • User1
  • User2
  • User3
  • User4 – 8

Network Access and Services

  • The only Network Access that is enabled is “Allow Admin Network Login”
  • All Services are Disabled 

Voyager Web Access

  • Voyager Web Access is set to:
    • “Require 128 Bit Encryption or Higher”
  • Encryption uses a self-signed 1024-bit X.509 certificate


  • SSH is enabled to allow SSH v2 only


  • All routing configuration will be network design dependent.

Traffic Management

  • Not Configured 

Router Services

  • Router Services will be network design dependent 


NTP Masters are:

  • Xxx.Xxx.Xxx.Xxx
  • Xxx.Xxx.Xxx.Xxx


Comments Off on SPLAT – Nokia Appliances IP / IPSO Security Configuration Standards

Enterprise IT Incident Response – Network Forensic Considerations

Network Forensics allows your organization to capture valuable, actionable intelligence to help secure your network and help ensure its availability. By capturing raw network data and using advanced forensics analysis, your IT and security staff can effectively identify how your business assets are affected by network exploits, internal data theft, and security or HR policy violations.  Network Forensics helps your organization mitigate risk, comply with regulations, and reduce analysis and investigation cost through its patented technology that allows you to visualize network activity, uncover anomalous traffic and investigate security breaches. 

Network Forensics effectively answers the question that recurs in the aftermath of a security incident: what happened? It tackles the difficult task of capturing, analyzing and visualizing intelligence regarding anomalous network activity, and helps ensure organization-wide and regulatory compliance.  Network Forensics is a passive network monitoring solution that integrates both security and network management disciplines. 

As part of an Enterprise Infrastructure Management strategy, Network Forensics is a network-based technology which captures network traffic in near real-time, proactively recording it into a knowledge base that can be queried. It visualizes network activity by creating a dynamic picture of communication flows to swiftly expose break-in attempts, vulnerabilities, abnormal usage, policy violations and misuse, anomalies, and more before, during and after an incident.  Operating like a surveillance camera, Network Forensics can play back events from thousands of communications to validate system threats. It can identify the offender or rings of perpetrators, and help you mitigate the recurrence of the same security incident. Its advanced forensics, content and pattern analysis; reporting; and visualization tools can create a complete view of how network communications are affecting the security and availability of network resources. This enables security professionals to rapidly and efficiently build crucial, actionable intelligence about network usage, thereby reducing investigation cost, while improving operational efficiencies in virtually all phases of security planning, deployment and recovery, as well as creating valuable information that directly contributes towards demonstrable compliance with internal policies and government regulations. 


  • Network Forensics delivers a unique value to an organization’s security infrastructure by providing a dynamic and comprehensive picture of network communications. As a result, network security professionals can build crucial intelligence about network asset utilization, validate existing architecture and security policies, comply with an auditor’s requirements and enable forensics network analysis. 
  • Network Forensics provides a common ground for the capture, analysis and visualization of enterprise security and network data to support an organization’s effort to protect critical intellectual property, content control and privacy. 
  • Through its capability to import data from third-party firewalls, intrusion detection systems, and other blocking or alerting devices, Network Forensics can support proactive prevention efforts and rapidly perform further drill-down, targeted investigations. 

Key Feature considerations:

Network Traffic Recording, Analysis and Visualization

  • Visualizes network activity
  • Uncovers anomalous traffic
  • Real-time taxonomy and recording of packet headers and full content sessions
  • Dynamic graphical representations can rapidly identify abnormal network behaviors
  • Build crucial intelligence about network usage
  • Provide the means for anomaly detection through advanced visualization rendering
  • Offers incident response teams a graphical representation of anomalous activities, providing visibility into network communications before, during and after a suspicious event
  • Records network traffic and analysis for later playback and scrutiny
  • Displays a holistic view of security events and animates sequences of attacks
  • Shows logical network connections and their interdependencies 

Communications Knowledge Base

  • Creates and stores valuable information that directly contributes towards demonstrable compliance 

Network Forensics Investigation and Reporting

  • Perform network forensic investigations to identify incidents and preclude reoccurrence
  • Solves specific problem areas with general audits and targeted investigations
  • Enables security due diligence and provides effective answers to common, but difficult-to-answer questions, including:
    • Who is on your network?
    • When are they there?
    • What do they do?
    • Where are the breaches?
    • How is your network being exploited?
  • Supplements true security management with a powerful investigative tool
  • Investigates security breaches
  • Exposes abnormal usage 

Pattern and Content Analysis

  • Distinguish between diversionary and truly malicious incidents
  • Spot potential threats
  • Visualizes behavioral patterns
  • Analyzes emails, keywords, binary files, or other references to reveal improper data exchange or leakage 

Architecture Flexibility considerations

  • Enhances current security perimeter solutions (such as firewall and intrusion detection systems) by providing additional insight into network data that caused a system alert
  • Correlates log data from various systems over the period of time surrounding a suspicious event to facilitate more holistic investigations

What business value does Network Forensics provide?

  • Reduce analysis time
  • Non-invasive investigation
  • Portable, convenient solution (optional)
  • More investigations done with the same number of investigators
  • Faster data capture and information analysis and visualization than traditional means
  • Quickly identifies the perpetrator, and finds when and where the incident occurred
  • Improve response time by reconstructing network events
  • Solid ROI – time and cost savings in planning, deploying and maintaining security
  • Enable security due diligence
  • Quantify security risk
  • Utilize existing investments
  • Support audit or compliance requirements
  • Increase effectiveness and efficiency of IT and security staff
  • Faster identification of network security issues that impact your business
  • Improve enterprise security awareness to recurring exploits of identified security flaws
  • Better use of security resources leaving staff to focus on business-critical projects



Cisco PIX – Logging Command Reference Shortcuts

Posted in Networking (340),Security (1500) by Guest on the April 26th, 2013


Logging Message Filtering

no logging message <message-number>:
Do not log messages with message number x (configuration mode; used to change which messages are logged)

Privilege Level Change Message

611103 – 611104

User Logout Messages


HTTP Path Messages

Pix Logging – Syntax:

  • logging on (enables logging) 

Cisco Pix Logging Levels

Level – Name – Description – Syslog Definition

0 – Emergencies – System unusable
1 – Alerts – Immediate action needed – LOG_ALERT
2 – Critical – Critical conditions – LOG_CRIT
3 – Errors – Error conditions – LOG_ERR
4 – Warnings – Warning conditions – LOG_WARNING
5 – Notification – Normal but significant conditions – LOG_NOTICE
6 – Informational – Informational messages only – LOG_INFO
7 – Debugging – Debugging messages – LOG_DEBUG
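An added example, not from the original post, of how the severity table and message-number filtering apply when triaging PIX syslog output: a small Python filter that parses the %PIX-<level>-<id> prefix, keeps only messages at or below a chosen trap level, and drops message IDs suppressed the way "no logging message <id>" does on the firewall. The sample log lines and the message IDs other than 611103/611104 are constructed, and LOG_EMERG for level 0 is the standard syslog name, which the table above does not list.

```python
import re

# Severity table from the post (level 0's LOG_EMERG is the standard syslog name, not on the page)
PIX_LEVELS = {
    0: ("Emergencies", "LOG_EMERG"),
    1: ("Alerts", "LOG_ALERT"),
    2: ("Critical", "LOG_CRIT"),
    3: ("Errors", "LOG_ERR"),
    4: ("Warnings", "LOG_WARNING"),
    5: ("Notification", "LOG_NOTICE"),
    6: ("Informational", "LOG_INFO"),
    7: ("Debugging", "LOG_DEBUG"),
}

# PIX syslog prefix: %PIX-<severity>-<six-digit message id>: <text>
PIX_PREFIX = re.compile(r"%PIX-(?P<level>[0-7])-(?P<msg_id>\d{6}): (?P<text>.*)")


def parse_pix_line(line):
    """Return (level, msg_id, text) for a PIX syslog line, or None if it is not one."""
    m = PIX_PREFIX.search(line)
    if not m:
        return None
    return int(m.group("level")), m.group("msg_id"), m.group("text")


def filter_pix_log(lines, trap_level, suppressed_ids=()):
    """Keep lines at or below trap_level (lower number = more severe), skipping
    message IDs suppressed as 'no logging message <id>' would on the firewall."""
    suppressed = set(suppressed_ids)
    kept = []
    for line in lines:
        parsed = parse_pix_line(line)
        if parsed is None:
            continue  # not a PIX syslog line
        level, msg_id, text = parsed
        if level > trap_level or msg_id in suppressed:
            continue
        name, syslog_name = PIX_LEVELS[level]
        kept.append({"level": level, "name": name, "syslog": syslog_name, "id": msg_id, "text": text})
    return kept


# Constructed sample lines; texts and IDs other than 611103/611104 are illustrative only
SAMPLE_LINES = [
    "%PIX-6-611103: constructed sample event A",
    "%PIX-6-611104: constructed sample event B",
    "%PIX-4-400001: constructed sample warning event",
    "%PIX-1-100001: constructed sample alert event",
    "%PIX-7-700001: constructed sample debug event",
    "not a pix line",
]

if __name__ == "__main__":
    # threshold like 'logging trap 6', with 611104 suppressed
    for entry in filter_pix_log(SAMPLE_LINES, trap_level=6, suppressed_ids=["611104"]):
        print(entry)
```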

