Monday, January 11, 2010

Blog moved to

I've moved my blog to here. Thank you


Saturday, January 9, 2010

Can firewall or router modify data?

I’ve heard someone saying that firewall corrupted a file sent by FTP and they have to deliver it on tapes… so can firewall or router modify/change data ? Cisco Flexible Packet Matching (FPM) can match every bit of the payload but cannot modify it. So it’s not possible to configure per say a substitute regex. But Firewall or IOS packet inspection feature can drop certain packets not compliant with corresponding RFC.

Tuesday, December 29, 2009

Auditing routers and firewall configs

There are several free tools available on net for router and firewall config auditing. I focus on tools which are able to work on the config file pulled from the router/firewall and placed in the local directory of the PC. See the short list below:


  • NIPPER – can be downloaded from after free registration. It can be used to audit configuration files of Cisco, Juniper and Checkpoint, SonicWall, and many others. It produces nice reports.
  • CCSAT (Cisco Configuration Security Auditing Tool) see The tool is based upon industry best practices, including Cisco, NSA, and SANS security guides and recommendations
  • RATS - Rough Auditing Tool for Security - is an open source tool developed and maintained by Secure Software security engineers acquired by Fortify, see

It is easy and practical to put configuration files in local directory and run ad hoc 'grep' command. I did it once with simple grep 'any\|telnet\|timeout\|floodguard\|server\|logging\|auth\|audit\|pdm'  * > output . And if network admin is reluctant to send config files for auditing he can run such command by himself. And send you just 'output' file for further analysis. Or provide you 'nipper' report or 'ccsat' output. Good luck !

What is Auto-MDIX ?

Always surprised …, to be honest I’ve never heard about Auto-MDIX. I thought that this is important to remember which cable to use: straight-through or crossover. So automatic medium-dependent interface crossover (Auto-MDIX) is a feature that allows the switch interface to detect the required cable connection type (straight-through or crossover) and automatically configure the connection appropriately. With Auto-MDIX enabled, you can use either a straight-through or crossover type cable to connect to the other device, and the interface automatically corrects for any incorrect cabling. It works on 2940, 2970 and 3750 Series Switches.

Saturday, December 26, 2009

How to write up Network Security , part II ?

This is continuation of part I
  • Consultant/guest access to network - How they separate guest/consultant subnet from the rest of the network ? Well, VLAN is not a good answer. One of the best is probably use of VRF Lite (creating virtual routers, virtual routing tables for guest traffic) for traffic and host segmentation. It's very important from PCI standpoint