My EtherealMind» Security

Why Firewalls Don’t Have Telnet or SSH Clients

Greg Ferro — Fri, 13 May 2011 03:37:13 +0000

I found this on Cyber Corner blog:

Another missing ASA-feature: telnet and ssh client: " Every single decent Cisco-device on earth has the ability to make an CLI-user jump to another device with telnet or ssh. Except the ASA. I really wish that this feature could be added. Right now I am troubleshooting a firewall and from where I am right now the only way in is to SSH to the ASA. I can do whatever I want inside the firewall from my SSH-window, but I need to access a router inside of that firewall, and if this feature wasn´t missing i could simply run 'ssh ip-address' to jump to the switch´s CLI. Am I the last CLI-.guy on this planet? Please, Cisco?

Internets of Interest:21 Apr 11

bookmarks — Thu, 21 Apr 2011 15:12:24 +0000

Collection of useful, relevant or inane places on the the Internets for 21 Apr 11:

Outburst: Cisco Catalyst 6500 ASA Services Module

Greg Ferro — Thu, 31 Mar 2011 17:00:00 +0000

The Cisco C6500 ASA Service Module finally announced. It's been a long wait, here are my review notes for what little information we have on the product.

Cisco SecureX – Nothing but Empty Words ?

Greg Ferro — Tue, 29 Mar 2011 21:38:08 +0000

Apparently SecureX is "Context Aware Enforcement". It's also Cisco's current security strategy ( is that three or four in the last three years ? ). So it's something we should probably be aware of. Right ? I'm coming up with nothing.

Citrix Branch Repeater Authentication With Cisco TACACS+

John McManus — Fri, 04 Mar 2011 17:04:55 +0000

I have been looking about for documentation on how to configure TACACS authentication with a Citrix Branch Repeater, however so far I have only been able to find documentation for NetScaler. So I have setup a LAB and decided to write the documentation myself. For those who cannot be bothered to read this post there [...]

Verifiying IPsec and SSL Performance of ASA Firewall

Greg Ferro — Sun, 27 Feb 2011 15:37:30 +0000

It’s difficult to a get any documentation from Cisco that confirms the forwarding performance of the ASA firewall. However, once you have got a unit, the “show crypto acclerator statistics” is a handy way to verify and check the hardware performance of your ASA. I think that most of this output is self-explanatory so I’m [...]

End of Life Notice for Cisco CS-MARS Questions CiscoíS Commitment to Security.

Greg Ferro — Wed, 08 Dec 2010 11:43:12 +0000

Cisco announces End Of Life for CS-MARS. Whither goes Cisco's commitment to Security ?

Internets of Interest:2 Sep 10

bookmarks — Fri, 03 Sep 2010 09:45:02 +0000

Collection of useful, relevant or inane places on the the Internets for 2 Sep 10:

Show 15 ñ Saving the Web With Dinky Putt Putt Firewalls

Greg Ferro — Sun, 08 Aug 2010 22:29:43 +0000

Web Application Firewalls, Talking Puppets, ATM to IP migration and Dinky Putt Putt Firewalls.

Internets of Interest:30 Jul 10

bookmarks — Fri, 30 Jul 2010 14:49:18 +0000

Collection of useful, relevant or inane places on the the Internets for 30 Jul 10:

Packet Pushers Podcast – Show 12 – Get on the Ring!

Greg Ferro — Sun, 18 Jul 2010 19:16:31 +0000

Short, sharp and awesome. And covering more about FibreChannel over Token Ring.

Cisco and Their Security Strategy

Greg Ferro — Sat, 03 Jul 2010 15:24:17 +0000

Recently, the Security Strategy from Cisco has become vague and ill defined.

Packet Pushers Show 6 – Chewing on DDOS

Greg Ferro — Sat, 05 Jun 2010 13:51:40 +0000

We had planned a number of topics this week. Once we started on DDOS we didn't stop before the time was up.

Packet Pushers – Show 3 – Defense in Depth – Phase Alpha

Greg Ferro — Sat, 15 May 2010 17:30:50 +0000

Ethan, Dan and Greg are Deep Diving into the Security Topic of “Defense in Depth” and what it really means. We had an open discussion that really didn't go far enough. That's why it's Phase Alpha.

Cisco ASA Failover License Changes in Version 8.3

Greg Ferro — Wed, 28 Apr 2010 06:15:02 +0000

Quick notes on the Virtual Context licensing requirements when using a Active/Standby (Failover) pair and looking for gotchas and traps.

Google: Meet Skipfish, Our Automated Web Security Scanner. Security Industry – You Failed.

Greg Ferro — Sun, 21 Mar 2010 17:36:32 +0000

Google releases Skipfish into open source for automated web security scanning. The fact that this exists is an inditement on IT Security and their failure to address threats.

Internets of Interest:9 Mar 10

bookmarks — Wed, 10 Mar 2010 09:01:29 +0000

Collection of useful, relevant or inane places on the the Internets for 9 Mar 10:

Blessay:Firewalls Are Like Noses:Everyone’s Got One.

Greg Ferro — Sun, 07 Mar 2010 08:10:13 +0000

The thing about firewalls is that all networks have them. Once, firewall expertise was rare and a special job focus. Now, firewalls are like noses - everyone's got one.

Cisco IPSec VPN Client – 64 Bit – In Beta

Greg Ferro — Sat, 20 Feb 2010 19:06:23 +0000

Cisco has released a new beta of their IPSec VPN client including a 64-bit for Windows.

Internets of Interest:12 Feb 10

bookmarks — Fri, 12 Feb 2010 14:21:27 +0000

Collection of useful, relevant or inane places on the the Internets for 12 Feb 10:

DDOS – A Problem Bigger Than You Can Ever Be

Greg Ferro — Sun, 17 Jan 2010 19:29:30 +0000

Taking data from the Arbor Networks DDOS report for 2009 and applying it to real life makes for some ugly choices.

Cisco Releases BETA IPSec VPN Client for Windows 7

Greg Ferro — Wed, 30 Sep 2009 12:15:59 +0000

I recently stated the Cisco IPsec VPN Client would have no future development. Cisco has released a Beta version for Windows 7 and looking for feedback from Windows users.

Internets of Interest: 16th Aug

bookmarks — Sun, 16 Aug 2009 23:00:00 +0000

Collection of useful, relevant or inane places on the the Internets for 16th Aug:

Design: Cisco Firewall Services Module Virtualization Design Traps

Greg Ferro — Thu, 13 Aug 2009 20:31:50 +0000

The Cisco Firewall Service Modules (FWSM) has a design limitation based on its ability to discriminate packet forwarding between multiple contexts. It also applies to ASA/PIX software. Lets review this in detail and learn the evil consequences.

Blessay: Designing Enterprise DMZ and Multilayer Firewall Clusters

Greg Ferro — Sun, 02 Aug 2009 15:44:46 +0000

In modern Enterprise networks, you typically have many clusters of firewalls protecting assets in your network. Since we use two or more layers of firewalls, we can put our DMZ for intermediate security zones in different places in our network. Lets gather together the different options and consider the merits or not, and sometimes how they 'self-build'.