Friday, March 19, 2010

Internets of Interest: 9 Mar 10

March 10, 2010 by bookmarks · Leave a Comment 

Collection of useful, relevant or inane places on the Internets for 9 Mar 10:

Blessay: Firewalls Are Like Noses: Everyone’s Got One.

March 7, 2010 by Greg Ferro · 9 Comments 

The thing about firewalls is that all networks have them. Once, firewall expertise was rare and a special job focus. Now, firewalls are like noses — everyone’s got one.

Cisco IPSec VPN Client — 64 Bit — in Beta

February 20, 2010 by Greg Ferro · 2 Comments 

Cisco has released a new beta of its IPSec VPN client, including a 64-bit version for Windows.

Internets of Interest: 12 Feb 10

February 12, 2010 by bookmarks · Leave a Comment 

Collection of useful, relevant or inane places on the Internets for 12 Feb 10:

DDOS — a Problem Bigger Than You Can Ever Be

January 17, 2010 by Greg Ferro · 1 Comment 

Taking data from the Arbor Networks DDOS report for 2009 and applying it to real life makes for some ugly choices.

Cisco Releases BETA IPSec VPN Client for Windows 7

September 30, 2009 by Greg Ferro · 17 Comments 

I recently stated the Cisco IPsec VPN Client would have no future development. Cisco has released a Beta version for Windows 7 and is looking for feedback from Windows users.

Internets of Interest: 16th Aug

August 17, 2009 by bookmarks · Leave a Comment 

Collection of useful, relevant or inane places on the Internets for 16th Aug:

Design: Cisco Firewall Services Module Virtualization Design Traps

August 13, 2009 by Greg Ferro · Leave a Comment 

The Cisco Firewall Services Module (FWSM) has a design limitation based on its ability to discriminate packet forwarding between multiple contexts. It also applies to ASA/PIX software. Let’s review this in detail and learn the evil consequences.

Blessay: Designing Enterprise DMZ and Multilayer Firewall Clusters

August 2, 2009 by Greg Ferro · 14 Comments 

In modern Enterprise networks, you typically have many clusters of firewalls protecting assets in your network. Since we use two or more layers of firewalls, we can put our DMZ for intermediate security zones in different places in our network. Let’s gather together the different options and consider their merits or otherwise, and sometimes how they ‘self-build’.

Blog: A Lot of Major Security Announcements — Strangely Buried in One Big Press Release.

April 25, 2009 by Greg Ferro · 2 Comments 

New ASA 8.2 with botnet and new VPN functions, major version of IPS firmware — V7.0. New SAFE Design Guides. Really important new features, buried in a press release.

IP Addressing for HA Links for ASA/FWSM/ACE Etc – Poll

November 6, 2008 by Greg Ferro · 7 Comments 

What IP addressing do you use for the sync / failover / HA links between your highly available devices?

Rant: D-Link Hijacks Your Internets — in FIRMWARE

November 6, 2008 by Greg Ferro · 2 Comments 

Ubersource points out the D-Link router/modem firmware forces you to go to their website and receive spamvertising about security software. You have to log in to the router, go to Advanced and OPT OUT to stop this.
This is very poor practice. Opt-out is NEVER ACCEPTABLE, and using a piece of hardware that is fully paid for to perform […]

I Believe That There Should Be a Security Design Team and a Security Audit Team. All Security Operations Should Be Performed by Network Operations.

November 1, 2008 by Greg Ferro · Leave a Comment 

I believe that there should be a Security Design team and a Security Audit team. All security operations should be performed by Network Operations.

TCP SYN Cookies — DDoS Defence

September 12, 2008 by Greg Ferro · 5 Comments 

A TCP SYN Cookie is typically used in DDoS engines and load balancers to create another level of protocol security against Denial of Service attacks. Let’s take a quick dive through the technology.

Why Use Two Routing Processes in a Firewall?

March 10, 2008 by Greg Ferro · 1 Comment 

In a recent post on Two OSPF Processes on an ASA firewall, Christian asked why you would want to do this. Here is one case of a design that needs secure routing:

Cisco ASA Supports Two OSPF Processes

March 6, 2008 by Greg Ferro · 6 Comments 

Sometimes, thinking too much stops you from checking the basics. I have often wished that the Cisco ASA supported more than one routing process like the Juniper Netscreen does (which does this brilliantly). Why didn’t I look for this sooner?

Cisco ASA and IOS Command Tip — Test Aaa-Server

February 18, 2008 by Greg Ferro · Leave a Comment 

I have been working on a VPN setup that loads the Group Policy from a CiscoSecure ACS server. During the process I discovered the test aaa-server command. It’s a very handy tool when you are doing this kind of stuff.