Sunday, 22 April 2007

Cisco PIX NAT

In this example we'll deal with using a pool of addresses from 195.184.199.3 to 195.184.199.6.

Define a single outside global address to PAT into:

global (outside) 1 195.184.199.6 netmask 255.255.255.248

Statically translate the inside hosts to public IP addresses. This converts the traffic from each inside address to its public IP; you can check that this is working by visiting web sites that display your public IP, but you will not yet be able to accept inbound traffic to the address.

static (inside, outside) 195.184.199.3 "internal IP" netmask 255.255.255.255
static (inside, outside) 195.184.199.4 "internal IP" netmask 255.255.255.255
static (inside, outside) 195.184.199.5 "internal IP" netmask 255.255.255.255

Perform the translation for inside traffic going out (the statics are matched first, and all other hosts are covered by the NAT rule):

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Then you need to create an access list that allows outside traffic to reach the public addresses 195.184.199.3 and 195.184.199.4. By default PIX boxes do not accept traffic arriving on the outside interface, so you have to create the exceptions you need, e.g. to allow HTTP, SMTP and FTP access.

access-list Outside_in permit tcp any host 195.184.199.3 eq 80
access-list Outside_in permit tcp any host 195.184.199.4 eq 25
access-list Outside_in permit tcp any host 195.184.199.3 eq 21

Now apply the access list to the outside interface for it to take effect:

access-group Outside_in in interface outside

Now you have access to the servers on those inbound ports and IPs.
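As an added example (not part of the original post), here is a small Python model of the order of operations just described: a static is matched before the nat/global pair, and a public address only accepts a new inbound connection if it has a static and the Outside_in access list permits the port. The inside addresses 10.1.1.3-5 and 10.1.1.50 are constructed stand-ins for the post's "internal IP" placeholders, and the port allocator is a simplification of what the PIX does.

```python
from itertools import count

# Constructed inside addresses standing in for the post's "internal IP" placeholders.
STATICS = {
    "10.1.1.3": "195.184.199.3",   # static (inside, outside) 195.184.199.3 <internal IP>
    "10.1.1.4": "195.184.199.4",
    "10.1.1.5": "195.184.199.5",
}
PAT_GLOBAL = "195.184.199.6"       # global (outside) 1 195.184.199.6 ...

# The Outside_in access list from the post as (public address, TCP port) permits.
OUTSIDE_IN = {("195.184.199.3", 80), ("195.184.199.4", 25), ("195.184.199.3", 21)}


class PixNat:
    def __init__(self, statics, pat_global, outside_in):
        self.statics = statics
        self.reverse_statics = {pub: inside for inside, pub in statics.items()}
        self.pat_global = pat_global
        self.outside_in = outside_in
        self.pat_table = {}            # (inside ip, inside port) -> global port
        self.reverse_pat = {}          # global port -> (inside ip, inside port)
        self._ports = count(1024)      # constructed port allocator for the demo

    def outbound(self, inside_ip, inside_port):
        """Translate an inside source: a static wins, everything else is PAT'd."""
        if inside_ip in self.statics:
            return self.statics[inside_ip], inside_port     # one-to-one, port kept
        key = (inside_ip, inside_port)
        if key not in self.pat_table:
            gport = next(self._ports)
            self.pat_table[key] = gport
            self.reverse_pat[gport] = key
        return self.pat_global, self.pat_table[key]

    def inbound(self, public_ip, public_port):
        """Where a packet arriving on 'outside' goes; None means the PIX drops it."""
        if public_ip == self.pat_global:
            # The PAT address has no fixed inside host: only return traffic for an
            # existing translation gets through, a new connection has nowhere to go.
            return self.reverse_pat.get(public_port)
        inside = self.reverse_statics.get(public_ip)
        if inside is None or (public_ip, public_port) not in self.outside_in:
            return None                # no static, or no access-group permit
        return inside, public_port
```

The PAT-only address 195.184.199.6 never answers an unsolicited connection because there is nothing to map it back to; that is why the post says you cannot accept inbound traffic until both a static and an access-group entry exist for an address.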

Saturday, 14 April 2007

CRM, SharePoint and Dynamics

SYMPTOMS

One or more users cannot log on to your site.

You have an error in the event log with a source of DCOM. Please note this is just a sample error; the CLSID is unique to each server.

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.

When you explore the DCOM configuration you find the CLSID matches the IIS WAMREG Admin Service and the permissions look correct, yet you still have this error.

CAUSE

This can relate to the NTLM authentication settings in IIS for that site, or even all sites, stopping the application pool from starting correctly. You can fix this by resetting the NTLM authentication providers on the IIS server, which resets them for the application pool as well.

FIX

Start a command prompt.

Locate and then change to the directory that contains the Adsutil.vbs file. By default, this directory is C:\Inetpub\Adminscripts.

Type the following command, and then press ENTER:

cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"

To verify that the NtAuthenticationProviders metabase property is set to NTLM, type the following command, and then press ENTER:

cscript adsutil.vbs get w3svc/NTAuthenticationProviders

The following text should be returned:

NTAuthenticationProviders : (STRING) "NTLM"

Now clear your event log and restart your server; when it starts up you should have a clean event log.

Friday, 13 April 2007

Externally accessing OWA (Outlook Web Access)

You may have checked that NTLM is correct and you can log on to other sites, but not OWA.

Option One
The first thing you can try is to install fix 831464 (FIX: IIS 6.0 Compression Corruption Causes Access Violations); however, this might not work.


Option Two
Clear the IIS compressed files by going to your Windows\IIS Temporary Compressed Files directory.

Select all of the content in this directory and delete it, then either go to a command prompt and type "iisreset", or open the IIS MMC and restart it from there.

And lastly you must make sure you clear the browser history and cache, then retry logging on.

Thursday, 12 April 2007

Using SSH on Cisco Routers

In the days we live in you never know who is monitoring traffic on your LAN, your WAN or the plain internet.

Now you still want to administer your routers and switches without someone logging your password. Since telnet sends the username and password in clear, unencrypted text it's not very secure; the answer to this is to use SSH (Secure Shell). To do this you will need to set up SSH on your router or switch.

To start you will need to log in and get to enable mode.

We are going to name the router in our example gatekeeper.cisco.com.

hostname gatekeeper

Now your router or switch is called gatekeeper (personally I would use something a bit more inventive). Next we need to set the domain; normally this would be your own domain, but in this example it is cisco.com.

ip domain-name cisco.com

Now you need a key size; the recommended size is 1024 bits, but you can use between 512 and 2048. For this example we'll use 1024.

crypto key generate rsa modulus 1024

Next we will set the SSH timeout to 60 seconds; this is how long a user has to log in with username and password before the session times out. The maximum setting for this is 120 seconds, or 2 minutes in English.

ip ssh timeout 60

And last of all we'll set the number of password tries before it disconnects the user, in this example 3.

ip ssh authentication-retries 3

And that's how simple it is; the only thing that remains is to use an SSH client. You can find many of them for all platforms; I personally quite like PuTTY.

You can also use the show ssh and show ip ssh commands:

show ssh shows the active sessions

show ip ssh shows the status and version running on the router

Sunday, 8 April 2007

Cisco Access lists part 2

OK, last time we looked at access lists for blocking and permitting traffic; now we'll look at their use with the route-map command. We are going to cover some NAT (Network Address Translation) and even some VPN, so let's look at how access lists can help with NAT.

This is the basic network address translation command; note how it refers to list 1 for the IP range to translate.

ip nat inside source list 1 interface Dialer0 overload

access-list 1 remark The local LAN.
access-list 1 permit 192.168.1.0 0.0.0.255

Now let's look at another kind of NAT, using a route-map to select the IP range. The route map name is NONAT; in this case it defines a list of addresses not to be translated to the outside world. In this example traffic heading to the 192.168.55.0 subnet does not go out to the public internet, but all other traffic does.

ip nat inside source route-map NONAT interface Dialer0 overload

route-map NONAT permit 10
match ip address 125

access-list 125 deny ip 172.16.0.0 0.0.0.255 192.168.55.0 0.0.0.255
access-list 125 permit ip 172.16.0.0 0.0.255.255 any


Now we'll have a look at the role access lists play in a VPN. First of all you need encryption; in this case I've decided on 3DES and on using pre-shared keys, so that the encryption password is not sent over the public internet.

crypto isakmp policy 2
encr 3des
authentication pre-share
group 2

crypto isakmp key ENA8LE address 195.168.235.17 no-xauth

crypto ipsec transform-set My-VPN esp-3des esp-md5-hmac


Now you have picked an encryption type you need to use it. Below there is a statement to apply the transform set and to set the peer IP address; the only thing left to know is which addresses are private and which are public, and this is defined by the match address command, which here matches list 110. Also, since we're still using NAT, we have list 105 for all other translations.

crypto map cm-cryptomap 110 ipsec-isakmp
set peer 195.168.235.17
set transform-set My-VPN
match address 110

ip nat inside source list 105 interface Dialer0 overload

access-list 105 remark Traffic to NAT
access-list 105 deny ip 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 permit ip 172.16.1.0 0.0.0.255 any

access-list 110 remark Site to Site VPN
access-list 110 permit ip 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 deny ip 172.16.1.0 0.0.0.255 any


Now you see how access lists fit into a VPN and NAT. This still doesn't explore their full range of abilities, as there are many other functions they can be used with, such as routing protocols and rate limiting.

Saturday, 7 April 2007

Cisco Access-lists

An access list on a Cisco is a way of bunching together IPs and ports into a "do and do not" list and a "where to go and where not to go" list.

Note: all of the commands used in this example are for IOS 12.4.
Let's begin with the most basic of access lists, standard IP access lists. These are numbered from 1 to 99 and are most commonly used to permit and deny telnet to the router, in NAT (Network Address Translation) commands and in route maps.

First we'll show an example of putting an access list on the router to allow telnet to it only from permitted locations, in this case the local LAN (Local Area Network) and the remote admin office.

Create the access list:

access-list 2 remark The local LAN.
access-list 2 permit 172.16.1.0 0.0.0.255

access-list 2 remark Remote Admin Office.
access-list 2 permit 195.184.235.17


Now tell it to use the access list for remote connections:

line vty 0 4
access-class 2 in

Now only people on the LAN and at the remote IP can access the router. Next let's look at building an access list for traffic from the internet to the router. For this we want to control the network using TCP/UDP ports and ICMP; you do this with the 100 to 199 and/or 2000 to 2699 numbered (extended) access lists. Your interface may change depending on how you're connected; as an example, you might be using ATM (Asynchronous Transfer Mode) terminated on RJ11, and there are other kinds of termination, but for this example I'm going to use PPPoA (Point-to-Point Protocol over ATM) because that's what we use here in England for ADSL (Asymmetric Digital Subscriber Line).

access-list 101 remark permit domain lookups
access-list 101 permit udp any eq domain any

access-list 101 remark permit web browsing lookups
access-list 101 permit tcp any eq 80 any

access-list 101 remark permit SSH
access-list 101 permit tcp any any eq 22

access-list 101 remark permit telnet
access-list 101 permit tcp any any eq telnet

access-list 101 remark deny ping to your router but not from it
access-list 101 deny icmp any any echo

access-list 101 remark deny all other traffic and log it
access-list 101 deny ip any any log

Now you have to set the interface this applies to, in this case dialer0:

interface dialer0
ip access-group 101 in

Now that you have a list, you might need to debug it from time to time.

If you're watching the console you can see traffic by using the terminal monitor command; from your deny log you can see things like this:

01:05:28: %SEC-6-IPACCESSLOGP: list 101 denied tcp 24.118.18.108(37845) -> 195.184.85.134(62227), 1 packet

To help you debug this I'll translate it for you.
The message reads: the time, then it says IP access log, then the number of the access list (in this case 101), then what happened to the data (denied), then the protocol (in this case TCP), then the IP it came from and its port number, then the destination (i.e. your router) and the port number it was going to on your router.

So this reads: access-list 101 stopped TCP from 24.118.18.108 port 37845 to 195.184.85.134 port 62227.
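The same translation done by a script, as an added example that is not part of the original post: a parser for the %SEC-6-IPACCESSLOGP message format just described, a function that reads a record out the way the post does, and a tally of denied packets per source. The sample log below is constructed for the demo (the first line is the post's own; the others are made up, and the last is a non-ACL message that the parser must ignore).

```python
import re
from collections import Counter

# Shape of the %SEC-6-IPACCESSLOGP message: timestamp, list number, verdict,
# protocol, source(port) -> destination(port), and a packet count.
LOGP_RE = re.compile(
    r"^(?P<ts>.+?): %SEC-6-IPACCESSLOGP: list (?P<acl>\S+) "
    r"(?P<verdict>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)


def parse_ipaccesslogp(line):
    """Return the fields of one IPACCESSLOGP line as a dict, or None if it is not one."""
    m = LOGP_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def describe(rec):
    """Read a record out in the words the post uses."""
    what = "stopped" if rec["verdict"] == "denied" else "allowed"
    return (f"access-list {rec['acl']} {what} {rec['proto'].upper()} "
            f"from {rec['src']} port {rec['sport']} "
            f"to {rec['dst']} port {rec['dport']}")


def denied_by_source(lines):
    """Sum the packet counts of denied entries per source address."""
    hits = Counter()
    for line in lines:
        rec = parse_ipaccesslogp(line)
        if rec and rec["verdict"] == "denied":
            hits[rec["src"]] += rec["count"]
    return hits


# Constructed sample log: the post's line plus made-up follow-ups.
SAMPLE_LOG = [
    "01:05:28: %SEC-6-IPACCESSLOGP: list 101 denied tcp 24.118.18.108(37845) -> 195.184.85.134(62227), 1 packet",
    "01:10:28: %SEC-6-IPACCESSLOGP: list 101 denied tcp 24.118.18.108(37846) -> 195.184.85.134(62227), 14 packets",
    "01:11:02: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.9(1900) -> 195.184.85.134(1900), 1 packet",
    "01:11:05: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)",
]
```

Summing the count field rather than counting lines matters: IOS logs the first packet that matches a logged entry and then reports further matches as a count at intervals, so one line can stand for many packets.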

In the extended IP access lists (100-199 and 2000-2699) you can use ports, hosts, IP ranges and times; in the standard IP group (1-99) you can only use hosts and IP ranges.

For those of you reading closely, you'll have noticed I said time ranges without having given you an example. Well, that's because we've not got that far yet. I strongly recommend, if you're not 100% sure what traffic you're looking to allow and block, that you read up on the 7-layer OSI model right now.

OK, now that I've mentioned time lists I might as well continue. Yes, not only can you block ports and ranges, you can make exceptions based on the time of day or even the day of the week. Make sure your router time is set up right, or is using a time server on your network, or you may have some interesting cut-off times.

time-range no-http
periodic weekdays 8:00 to 18:00

time-range udp-yes
periodic weekend 12:00 to 20:00

access-list 102 deny tcp any any eq 80 time-range no-http
access-list 102 permit udp any any time-range udp-yes

interface ethernet0
ip access-group 102 in

Now you begin to see how you can use even times of day to permit traffic or access; you might deny FTP and telnet sessions after work hours so you know someone is not trying to access your network while you're at home.
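To make the matching rules concrete, here is an added Python example (not code from the original post) that evaluates packets against the lists in this post the way the router does: wildcard masks where a 0 bit must match and a 1 bit is ignored, first match wins, and the implicit deny at the end of every list. It also models the two time-range blocks above (hours rather than minutes, a simplification), and reuses the same evaluator for lists 105 and 110 from "Cisco Access lists part 2" to show which way a LAN packet goes. The packet addresses 198.51.100.7, 203.0.113.5 and the inside hosts are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")      # 'any': every bit is don't-care


def host(ip):
    return (ip, "0.0.0.0")                # 'host x': every bit must match


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match the network, a 1 bit is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


# The post's two time-range blocks as (weekday numbers, start hour, end hour).
# Simplification: Cisco compares to the minute; whole hours are enough here.
TIME_RANGES = {
    "no-http": ({0, 1, 2, 3, 4}, 8, 18),  # periodic weekdays 8:00 to 18:00 (Mon-Fri)
    "udp-yes": ({5, 6}, 12, 20),          # periodic weekend 12:00 to 20:00 (Sat, Sun)
}


def time_range_active(name, when):
    days, start, end = TIME_RANGES[name]
    return when.weekday() in days and start <= when.hour < end


@dataclass
class Entry:
    action: str                           # "permit" or "deny"
    proto: str                            # "ip" matches every protocol
    src: tuple                            # (network, wildcard)
    dst: tuple
    sport: Optional[int] = None           # 'eq' on the source port
    dport: Optional[int] = None           # 'eq' on the destination port
    time_range: Optional[str] = None


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def evaluate(acl, pkt, when=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, *e.src) and wildcard_match(pkt.dst, *e.dst)):
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        if e.time_range and not (when and time_range_active(e.time_range, when)):
            continue                      # entry is inactive outside its time range
        return e.action
    return "deny"                         # implicit 'deny ip any any' on every Cisco ACL


def verdict_at(acl, pkt, year, month, day, hour):
    """Evaluate with a clock value; handy for the time-ranged list 102."""
    return evaluate(acl, pkt, datetime(year, month, day, hour))


# access-list 2 (standard, used with access-class): only source addresses are tested.
ACL_2 = [Entry("permit", "ip", ("172.16.1.0", "0.0.0.255"), ANY),
         Entry("permit", "ip", host("195.184.235.17"), ANY)]

# access-list 101 (extended, inbound on dialer0); domain = 53, telnet = 23.
ACL_101 = [Entry("permit", "udp", ANY, ANY, sport=53),
           Entry("permit", "tcp", ANY, ANY, sport=80),
           Entry("permit", "tcp", ANY, ANY, dport=22),
           Entry("permit", "tcp", ANY, ANY, dport=23),
           Entry("deny", "icmp", ANY, ANY),         # 'echo' type not modelled
           Entry("deny", "ip", ANY, ANY)]           # the explicit 'deny ip any any log'

# access-list 102 with the two time ranges.
ACL_102 = [Entry("deny", "tcp", ANY, ANY, dport=80, time_range="no-http"),
           Entry("permit", "udp", ANY, ANY, time_range="udp-yes")]

# Lists 105 (NAT) and 110 (VPN) from 'Cisco Access lists part 2'.
LAN, REMOTE = ("172.16.1.0", "0.0.0.255"), ("192.168.0.0", "0.0.0.255")
ACL_105 = [Entry("deny", "ip", LAN, REMOTE), Entry("permit", "ip", LAN, ANY)]
ACL_110 = [Entry("permit", "ip", LAN, REMOTE), Entry("deny", "ip", LAN, ANY)]


def classify_outbound(pkt):
    """Which path a LAN packet takes: through the tunnel, NAT'd, or neither."""
    if evaluate(ACL_110, pkt) == "permit":
        return "vpn"                      # crypto map 'match address 110'
    if evaluate(ACL_105, pkt) == "permit":
        return "nat"                      # 'ip nat inside source list 105'
    return "none"
```

Run against list 102 the evaluator shows something the config does not say out loud: outside the no-http window a web request still gets "deny", because nothing in list 102 permits TCP and the implicit deny catches it. The "prevention" list later in the post has the same shape, a deny with no permit. Lists 105 and 110 evaluate as mirror images, which is what makes the NAT and VPN statements in part 2 agree on which traffic is which.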

And there is something else you can do with access lists: you can name them to make them more friendly. This is useful if you don't like numbers much, so here are some more examples.

Example one

ip access-list standard prevention
deny 171.69.0.0 0.0.255.255

interface ethernet0/1
ip access-group prevention in

Example two

time-range no-http
periodic weekdays 8:00 to 18:00

time-range udp-yes
periodic weekend 12:00 to 20:00

ip access-list extended strict
deny tcp any any eq http time-range no-http
permit udp any any time-range udp-yes

interface ethernet0
ip access-group strict in

This covers most of the basic access lists. Now there is one last thing to think of: we have been looking at traffic entering an interface, but you can also control the traffic leaving the interface as well; in fact you can do both at the same time.

ip access-list extended internet
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit tcp any any eq 1723
permit gre any any
permit tcp any any eq 22
permit tcp any any eq telnet
deny icmp any any echo
deny ip any any log

ip access-list extended lan-network
permit tcp any any eq 80
permit udp any any eq 53
deny ip any any log

interface dialer0
ip access-group internet in
ip access-group lan-network out

This brings an end to our talk about access lists today; I hope to write more on access lists in the coming month.

If you have a question on this feel free to drop me a line; I'm also open to suggestions on how to make this easier to understand.

Thursday, 5 April 2007

Securing your web server

OK, for anyone that hasn't yet read or understood the basics of protecting your web server, here are some rules.

One: if anyone other than you can see the web server on non-public ports such as Microsoft SQL, MySQL, NetBIOS, Telnet, SSH and RDP, then there is a risk of being hacked, or attacked by viruses, worms or denial of service attacks.

If your web server sits on your company LAN your system administrator will most likely have taken steps to secure it from attacks, but when it is off site you must take some kind of protection. Most co-location or hosted servers have some form of firewall, but not all; also, if you're like me and trust no one, not even your ISP, then there are some more things you can consider.

First Way
Make sure only the ports you want the external public to see (i.e. HTTP and HTTPS) are open. You can do this in a few ways: with Windows you can configure the network adapter to allow only ports 80 and 443. This may cause some problems with logon and other services; the way around this is to add a virtual adapter, i.e. the Microsoft Loopback Adapter, so that other services that need to interact with the OS can use that adapter and not the physical adapter and IP. The only problem is that this also prevents access to the server from any other location, making it very secure but hard to update or fix remotely.

Second Way
You can use a firewall device to limit the traffic to the web server and provide VPN access to the local LAN, allowing you to update and make changes without compromising the security of the server. I personally use either a Cisco PIX or a Cisco LAN router for this, but I know most of you will use what you know best.

These are not the only ways, and far from a complete list.

Monday, 2 April 2007

Network Control

Here is a good rule to remember: if it's made it to the server, it's got too far.

Let's look at what that means. The easiest way is to imagine you are a dangerous data packet. If you come from the internet we want to know you're not going to get to the server where you might do some harm, so the first and last point you should reach is the firewall. But what if you make it past that? Is there anything else to stop you? 9 times out of 10 the answer is no. But let's imagine for a second that you don't come from the internet; let's imagine you come from the local LAN... has this just filled you with a feeling of doom and dread? Well, if it has, you're not alone; this is often overlooked.

Here is a quick check list for you.

1. How many protocols are you running? IPX, AppleTalk, NetBIOS, TCP/IP. First see if you can reduce the number to one where possible, as it will make your life easier; most hardware uses TCP/IP so this isn't a question that comes up much these days.

2. What are the ports you really need open for your services to run? Try to make a list, and then note which servers and services they relate to. ICMP, SMTP, TFTP, FTP, POP, HTTP, HTTPS, SMB, RPC, RDP, TELNET and SNMP are the most widespread.

3. Are you running two or more network adapters? Can you allow one type of permitted traffic on the LAN and another type for the internet?

4. Can you move the servers to a safe zone like a DMZ (demilitarized zone) so even LAN traffic is checked by the firewall? This might sound a bit extreme; nevertheless it's a good way to protect them from all kinds of DoS (denial of service) attacks.

Now you're thinking this is all very extreme and only for the big boys in the blue chip companies and PLCs. Well, believe it or not, I'm talking about a small 20-user company with ADSL and Windows 2003 and one, maybe two, servers. Shock horror, I'm talking about your size of business! Well, if you're reading this then yes, I most likely am talking about your business, and if you're from a big blue chip or PLC don't be shy; if you need help just drop me a line, I never tell anyone who I've worked for.