Posts

Upgrade Catalyst C9500

Upgrading a Catalyst 9500 series switch is relatively easy. The one I'm going to upgrade today is in install mode, with a packages.conf file. Install mode consumes far fewer resources compared to the traditional bundle mode and has some advantages, like auto-upgrade when configured in a stack. We can talk about the difference between bundle and install mode later on; let's focus on upgrading the Catalyst 9500 switch. The switch I am upgrading is on 17.03.03, which has some bugs and security vulnerabilities. I am upgrading it from 17.03.03 to the 17.6.5 (MD) golden image available on the Cisco download site for the C9500 series, which is also what the linked Cisco document recommends. You can have a look at it here: https://www.cisco.com/c/en/us/support/docs/switches/catalyst-9300-series-switches/221498-recommended-releases-for-catalyst-9200-9.html We will first need to create an FTP username and password on the switch. The username and password must b...

What will happen if we make the local DNS a root DNS?

DNS is the backbone of the Internet. You will find lots of blogs about DNS describing it as a phonebook that helps find the authoritative IP for the queried domain name. DNS itself is quite a vast topic and there are different entities associated with it: recursive queries, iterative queries, forward zones, reverse zones, forwarding, conditional forwarding and so on. Let me briefly describe adding a root zone, which I recently came across, and some interesting changes I noticed after adding it. Root hints are a list of the DNS servers on the Internet that your DNS servers can use to resolve queries for names they do not know. When a DNS server cannot resolve a name query using its local data, it uses its root hints to send the query to a DNS server. We can also find the root DNS screenshot below. Root DNS servers are used in conjunction with recursion, and if recursion is not used then it will only be able to answe...

Palo Alto - Security Profiles

Having multiple layers of defense in depth is a great idea. Top firewall vendors always offer a mixture of different security profiles which help against malware infection. Palo Alto also has different flavors of protection, from Anti-Virus to DoS attack prevention. The main advantage of Palo Alto compared to other firewalls is its use of SP3, also known as the Single Pass Parallel Processing architecture. SP3 provides parallel processing, which significantly reduces latency and overhead. We will talk about SP3 in some other blog. Let me briefly describe some of the security profiles that Palo Alto provides. 1. Anti-Virus: Anti-Virus in a Palo Alto Networks firewall is an inline security profile that will stop any viruses trying to enter the network and will also try to identify and block any outgoing infected traffic. Antivirus in Palo Alto is a licensed feature and a Threat Prevention license needs to be purchased. Antivirus also needs to be updated regularly. Antivirus can be p...

Application vs Port-Based Security

A Next-Generation Firewall is all about inspecting the payload at Layer 7, also called the application layer. The content payload must be checked in order to fully utilize the benefits of an NGFW. So what ultimately is the difference between application-layer inspection and port-based protection? Let me briefly describe the difference. Port-Based Security: A port-based security policy will allow anyone whose traffic matches the TCP port along with the source and destination. Providing protection based on ports is just a legacy way of protecting any application or end host; an NGFW is not required to make use of port-based security. Protecting based on service only provides protection up to Layer 4 and cannot see the underlying application, which could be tunneled and lead to an attack or to an unintended destination as well. We also lose the ability to be more granular. For example, we only want to allow some specific application on port 80 to be allowed and n...

High Availability Palo Alto (Active/Standby)

High Availability is deployed in most data center networks today to ensure application availability. High Availability keeps the service running in case one of the appliances goes down or has physical or logical connectivity issues. Achieving high availability in a Palo Alto firewall is relatively easy. A Palo Alto firewall can work in either Active/Standby or Active/Active mode; we will be talking about Active/Standby mode in this article. There are basically two links that need to be configured in Palo Alto for HA.
1. Control Links: Control links carry control-plane traffic, mainly used for heartbeat exchange and configuration synchronization. Dedicated HA ports are available on the higher-end Palo Alto series, or an HA interface can be created on some in-band ports.
2. Data Links: Data links are mainly used for session synchronization and forwarding-table synchronization. Dedicated HSCI ports are available for highe...

Upgrading Palo Alto

Upgrading Palo Alto is very easy compared to any other next-generation firewall. We just need to be careful with a few things.
1. Downloading software: Go to Device > Software and check which software version we are trying to upgrade to. Note: we cannot jump directly from one major version to another, like from 9.1.x to 10.1.x; we will need to go from 9.1.x to 10.0.x first. This is how it normally works on most firewalls. We now need to select the version we want to install and download it directly to our software repository. As our PA-3220 is in HA, we can also sync the downloaded software directly to our secondary PA-3220.
2. Installing software: Once we have downloaded the software we can install it. The upgrade process takes around 10-15 minutes. Palo Alto will reboot and come back up automatically.
3. Verification: Palo Alto has now rebooted and is upgraded as well.

6 tuples

When the first TCP packet (SYN) is received, the firewall must set up a session. Since the application cannot be detected on a TCP session until at least one data packet traverses the device, the application will be "incomplete". For the firewall to determine whether it should even allow the SYN packet through, it must do a security policy lookup. Because the application is not known when the SYN packet is received, the application portion of the security policies cannot be applied. As a result, the security policy lookup is performed against the 6 tuples of the session: source and destination IP and port, ingress interface (actually zone) and protocol. The first policy which matches these 6 tuples will be used to allow the SYN and any additional packets that traverse the firewall before the application is identified. It is always a good idea to look at any new application's details first to determine what the security rule might need to allow the application to work properly. Also,...

BIG-IP F5 AWAF Fundamentals

BIG-IP F5 AWAF (Advanced Web Application Firewall), formerly known as ASM (Application Security Manager), provides greatly enhanced web application security, protecting against sophisticated attacks like Cross-Site Scripting, Cross-Site Request Forgery, SQL injection and so on. BIG-IP F5 works with both the negative and the positive security model. Deploying F5 AWAF: Let me talk about some of the key security features that F5 provides right out of the box. Attack Signatures

BIG-IP F5 DataSafe

DataSafe is all about malware and the threat malware poses. Malware is usually injected on the end host, and the username, password, social security number or credit card number is then stolen using it. When the end user accesses an application like Internet banking, that is the point when the malware gets activated. DataSafe is all about protecting the user while data is in use, which basically means protecting the user while they are entering their username and password, in the case of Internet banking. DataSafe Benefits:
1. Protects data-in-use input fields
2. Protects against keyboard logging
3. Dynamically obfuscates HTML form fields
4. Performs encryption of data (such as passwords) in real time.
A Fraud Protection Service (FPS) license is required to use a DataSafe profile. The DataSafe profile is located under Security > Data Protection > DataSafe Profiles. Once configured, the DataSafe profile must be applied to a Virtual Server, as we do for an Application Security Profile. Before DataSafe 1. No Encry...

In-Band vs Out-of-Band Management

There are always multiple ways of allocating an IP address when it comes to management of routers and switches. There are dedicated management ports, and things like an SVI (Switch Virtual Interface) can always come in handy. Why use an SVI when you have a dedicated management port might always come to mind. Let me briefly explain the difference between an SVI and a dedicated management port, and their use cases. Out-of-Band Management: a dedicated management port with a dedicated management plane; better in terms of security; more preferable. In-Band: a Switch Virtual Interface (SVI) needs to be created; the data plane is used instead of a dedicated management plane; not preferable when security is kept in mind. So why is In-Band required? Recently I came across a scenario where I had to connect the management ports back to back for vPC on Nexus 9000 series switches for peer link connectivity. So, I had to create an SVI interface for managing the device. This can be one scenario. The ...