Cisco 1100 *basic* security

Similar Messages

• Cisco Ironport Email Security inline with Microsoft Forefont

  Hi,
  We are going to deploy Cisco C370 Email security appliance as new email relay in our DMZ. Currently Microsoft Forefont is already doing the same functionality and new Ironport email security appliance will be added as 1st layer of email security. 
  I would like to know what are the changes that we should consider in this deployment in order to forward mail to Forefont, is there any specific configuration on both products and what is the best method of deployment etc.
  Also I would appreciate if there is any Cisco/Microsoft documentation available for such deployment senario.
  thanks in advance.

  Hello pemasirid,
  as far as I can see from your description is that you add the ESA C370 as an additional gateway, so I would say there is little you need to change in your current network design. As this is all about SMTP getting forwarded, you basically just need to take care of the following things:
  On Forefront: Allow injections from the ESA(s) and forward all outbound messages to the ESA
  On the ESA(s): Insert the Forefront IPs into the RELAYLIST of the private listener to allow outbound messages. Also set up an SMTP route to forward inbound messages to the Forefront server.
  Also change public DNS to point to the public IPs of the ESAs, in case they are different from what you have used before
  A good starting point for deploying would be the Quickstart Guide for C370, that you can find in the support section for email security on Cisco.com. Also, the user guide, which is also available on the GUI of every email appliance (GUI: Help and Support -> Online Help).
  Hope that helps,
  Andreas

• Securing WebService with Basic Security Profile

  Hi,
  I'm trying to write a WebService on EJB 3.0 that is secured with Basic Security Profile. Every message is signed with x509 certificate.
  I'm new in Java WebServices and I really don't know how to do it. Can anybody help me?
  WebService will be deployed on JBoss 4.2.1 GA with java jdk 1.6

  Hi,
  I'm trying to write a WebService on EJB 3.0 that is secured with Basic Security Profile. Every message is signed with x509 certificate.
  I'm new in Java WebServices and I really don't know how to do it. Can anybody help me?
  WebService will be deployed on JBoss 4.2.1 GA with java jdk 1.6

• Cisco ASA ( Adaptiv Security Algorithm )?

  Hello,
  Im french so sorry for my english , i will do my best to explain my question.
  Im actually working on Cisco PIX 501 ( for school ).
  I have to do some test on it , search what is able to do and how to proove it...
  My question is about Cisco ASA ( Adaptiv Security Algorithm ) , what is it doing? i mean it just simply stop every information coming from outside to inside(security 0 to 100) or is it doing more? is it searching wrong/good packets or just stop everything?and if it's doing that , how it's done?
  My question could be : what cisco ASA doing more than ACL?
  I hope im clear enough in my questions,i search a lot on internet but didnt find an answer.
  Thank you!
  Amaury

  if i understand good what you mean , ASA/algorithm is a part of different processes which are part of stateful inspection
  not really,  I would say that stateful inspection is part of the adaptive security algorithm.  The algroithm goes through processes such as ACL check, NAT..etc. and based on these check makes entries in the state table.
  ( by the way stateful inspection = stateful firewalling , right?)
  Kind of.  Stateful inspection is what the stateful firewall does and not what it is if you can understand that.  A stateful firewall performs stateful inspection.  So stateful inspection is not a firewall.
  when you said "showing tcp  connections and NAT xlate table entries at  the firewall CLI before and  after" , iam ok with that but what are the  command to check table entries? i cant find it.
  show conn protocol tcp will show you the TCP connections through the firewall and show xlate will show you the NAT translation that are currently active.
  Aswell i will need the commands to configure ( if possible ) stateful  inspection and traffic inspection , but i will try search by myself  because i didnt start yet
  Again, stateful inspection is not something you configure but is what the ASA does based on configured rules.  so all you need to do is configure ACLs and NAT rules and routing and the ASA does all the stateful inspection stuff on its own.
  Please remember to rate and select a correct answer

• Separate VLAN for WPA - Cisco 1100

  Hello,
  Cisco 1100 :
  First config. : no vlan with WEP for access network
  But when you create a vlan for wpa-psk with simple config (no server manager, no radius, no eap), have you to modify the other peripherals networks (router...).
  For example to declare the vlan.
  I did not find this information in the documentation of the aironet 1100.
  Thank you for your help.
  Eddy

  There is a good document on Cisco.com which explains how to configure WPA-PSK. The document is available at
  http://cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml#pers
  If you are still having issues configuring wpa-psk, please post the configuration so that we can troubleshoot the issue.

• Providing basic security to webservice

  Hi
    I m trying to provide basic security to my webservice.I selected http authentication- with basic user/password option.
    But where should i specify appropriate user/pwd at the time of webservice exposure,so that only the authorised user can access my webservice.
  Thanks in advance
  DhanyaR Nair

  Hi Nair,
  you will not directly deal with users usually. Instead this is done using roles and persmissions. If you want to limit access, to your webservice, a good start may be the docs at http://help.sap.com/saphelp_nw04/helpdata/en/9e/a7d13f83a14d21e10000000a1550b0/frameset.htm
  Hope this helps.
  Regards,
  Patrick

• Wait, so I have to spend $4500 on FMIS instead of $995 on FMSS just to get basic security features?

  So I have been navigating this forum looking for a tutorial on how to prevent unauthorized people from being able to publish streams to my server, but apparently this feature is not available in FMSS? I have to upgrade to FMIS for this option alone?
  All I'm doing is live broadcasting, and this very basic security feature is not available?
  This is a definite deal-breaker, and will cause me to purchase Wowza instead.

  Hi there,
  You're running an old version of Safari. Before troubleshooting, try updating it to the latest version: 6.0. You can do this by clicking the Apple logo in the top left, then clicking Software update.
  You can also update to the latest version of OS X, 10.8 Mountain Lion, from the Mac App Store for $19.99, which will automatically install Safari 6 as well, but this isn't essential, only reccomended.
  Thanks, let me know if the update helps,
  Nathan

• Cannot get Shockwave playver 12 to work with users that have basic security

  Good Day,
  I've pushed out Shockwave player 12 to 2 test units that are Win 7 and IE 10.. I can log in with my account (ADmin access ) and 2 other accounts (1 Student and 1 Teacher) that have basic security access  and run a web page that will play properly.. I ran the testy and it came back as everything is ok...
  I created 2 other accounts with same access as the teacher and Student (basic domain access) and logged in to the same unit.. and the web page won't play... I ran the Adobe test and it tells me The Version 12 Shockwave is installed incorectly..
  As a test, I removed the 2 working profiles from a PC..., then re logged in, it worked...
  Tried removing shockwave player and re-installing, still fails for the 2 student and teacher (and all other accounts).. I've verified IE settings (as they are controlled via group policy..) everything is the same...
  Searched the WEB and seems to be acomon issue, any ideas?

  Hello,
  It was sorted out.. (somewhat)..  the fix for a specific website was to add it to the trusted list of sites..
  Could never figure out the blocking though… of IE10 and settings..
  Ron

• Cisco IronPort Web Security 7.5 (Async OS).

  Hi All,
  Can anybody provide me the W3C sample logs of Cisco IronPort Web Security 7.5 (Async OS).
  Thanks,
  Sachin.

  "05/Oct/2012:10:17:00 +0200" 2152 NONE - 10.0.0.1 NONE 504 0 GET http://www.cisco.com/index.html - ALLOW_CUSTOMCAT_11-Intranet_Access-Intranet_Access_RD-NONE-NONE-NONE-Intranet  "Intranet"

• WS-C2960S-24TS-S and WS-C2960S-24TS-S Basic Security configuration.

  Greeting's, I would like to start by apologizing. I have absolutely no knowledge in switch security management but I've been tasked with it given the shortage of personnel. I have a WS-C2960S-24TS-S and a WS-C2960S-24TS-S switch that needs to be securely configured. I've done the basic  of upgrading the firmware to the latest. Given my lack of any experience whatsoever, please include complete procedures (hand holding, I'm sorry).
  I wanted step-by-step guidance of:
  1. Locking down ports by MAC address.
  2. DDoS protection.
  3. Lock down login from all but 1 IP and only allow browser based SSL login. No TELNET, SSH or other method.
  4. Shutting down any services on the switch.
  5. Shutting down password recovery.
  Any other recommended security steps to secure the switch.
  Thanking in advance,
  Parth

  Hi Parth,
  I'm not sure if you got this figured out or not but a lot of the stuff you need can be found here: Cisco Guide to Harden Cisco IOS Devices
  Regarding the "locking down ports by MAC address", you should think about Port-security.

• WS-C2960S-24TS-S and WS-C2960X-24TS-L Basic Security configuration.

  Greeting's, I would like to start by apologizing as I would require hand-holding, given my lack of experience in Cisco (or any other switches). I have absolutely no knowledge in switch security management but I've been tasked with it given the shortage of personnel. I have a WS-C2960S-24TS-S and WS-C2960X-24TS-L switch that needs to be securely configured. I've done the basics of upgrading the firmware to the latest. Given my lack of any experience whatsoever, please include complete procedures
  I wanted step-by-step guidance of:
  1. Locking down ports by MAC address.
  2. DDoS protection.
  3. Lock down login from all but 1 IP and only allow browser based SSL login. No TELNET, SSH or other method.
  4. Shutting down any services on the switch.
  5. Shutting down password recovery.
  6. Enabling highest supported encryption for sensitive (passwords). While I'm posting this I've just read that level 7 encryption can be cracked.
  Any other recommended security steps to secure the switch.
  Thanking in advance,
  Parth

  Hello, Parth Maniar.
  1. look at the command "switchport port-security" inside interfaces (documentation: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/port_sec.pdf ).
  2. There is not much you can do for DDoS protection. Also it depend on IOS version (is your IOS lite or base). You can use a command from 1 point, also use a commands of "storm-control" (inside interface), "switchport block [type]" (inside interface), and if your IOS is not lite you can also use arp-spoofing protection and dhcp-spoofing protection.
  3. To turn off ssh and telnet:
  line vty 0 4
   transport input none
  exit
  line vty 5 15
   transport input none
  exit
  For turning off http access: no ip http server
  To limit access only from 1 IP address to HTTPS server:
  access-list 1 remark ------- ACL for HTTPS access ------------------------
  access-list 1 permit [permited IP]
  access-list 1 deny any log
  access-list 1 remark ------- END of ACL for HTTPS access -----------------
  ip http access-class 1
  And for configuration HTTPS server: http://www.cisco.com/c/en/us/td/docs/ios/termserv/command/reference/tsv_book/tsv_s1.pdf
  4. Use the command "service ?" to see all possible services for your swith. And with "no" before the command you can turn off all service that is no need for you (for example "no service dhcp").
  5. You can't shut it down because you can recover password only by rebooting switch and pushing "mode" button after this. Here is procedure for recovery password: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-2950-series-switches/12040-pswdrec-2900xl.html
  After reading it you can undenstand why you can't turn it off.
  6. Yes, level 7 encryption can be cracked. So you can store your passwords as md5. You can use commands:
  enable secret [password]
  username [name] secret [password]
  After this cisco will encrypt your password by md5 hash and at configuration you'll see it as "username [name] secret 5 [md5 hash]"
  What else you can use for securety matters:
  - logging (command "login on-failure log every [numbers of fails]" must be!). Documentation: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swlog.html
  Also you can use a configuration bellow to log all changes at configuration:
  archive
    log config
   exit
  exit
  - turn off lldp and cdp protocols to the end users sides (you can google it).
  - use SNMP for getting status of the switch and ports and analyse it for anomalies.
  - use a command inside interfaces: "spanning-tree guard root" (don't use this connamd at the ports where is connected your another switches) and "spanning-tree bpduguard enable" (use a second command if you are not planing to connect another switch to this port).
  - use a command " switchport nonegotiate" at the all ports.
  - also you can use this commands:
  no ip source-route
  ip arp proxy disable
  no ip icmp redirect

• I got problems using oc4j basic security, anybody can help me?

  hi guys
  i was trying the Orion security Primer (site www.jollem.com) i'm quite
  sure to have done all the "Setting up access
  restrictions"correctly here is the principals.xml (included in the
  addressbook.ear META-INF) , the
  orion-application.xml file (included in the addressbook.ear META-INF) ,
  the application.xml (included in the
  addressbook.ear META-INF), and the web.xml(included in the
  addressbook-web.war WEB-INF) about "Applying
  Basic Authentication" i added the lines :
  <login-config>
  <auth-method>BASIC</auth-method>
  </login-config>
  the web.xml file.
  then i deployed the .ear file and it worked fine.
  the problem is: when i try to access the bookstore application the web
  container ask me for username and pwd (BASIC
  auth), i give him the username/pwd set in the principals.xml and i got
  back :Authorization failed.
  am i missing some basic step?
  thanks
  bye
  Paol

  Further to my previous posting... I've achieved some success.
  There is a file under home/application-deployments/addressbook/addressbook-web called orion-web.xml, which I assume is auto-generated when an application is deployed. Within this file are a set of <security-role-mapping> entries as per my settings in orion-application.xml, but without the <group-name> subtags.
  On a whim, I added the <group-name> entries to orion-web.xml and now the bloody thing works. I made the same changes to my own application (which was exhibiting the same problem, which is why I tried the addressbook) and now it works as well.
  I should be content, but... why weren't the <group-name> tags added to the file? Can someone shed some light on this?
  cheers,
  randall

• CS Mars, Cisco Works and Security Manager

  If we wanted to get all three applications, do cisco bundle it into one package? Or does it have to be purchased separately?

  do we need a NetFlow card or is the service implemented by default in Cat4500. Is MARS & CSM suitable solution for main configuring, incident monitoring and evaluation of ASA5520 & Cat4500?
  Yes, you need WS-F4531= card (Netflow is not available in Cat IOS as a service/command), which works with Cat 4500 Sup IV/V.
  MARS is a monitoring device, and CSM is a management device. You can get critical NBA (Network Behaviour Analysis) alerts from MARS, and from CSM you can get configuration backups/audit/bulk administration (of security devices only).
  Hope that helps.

• Cisco Aironet 1400 - security

  Dear all,
  I'm currently configuring 2 Cisco 1400 Bridges. One is the root bridge the other the non-root bridge (ok logic :-) ).
  I wanted to know what is possible for using certificates for the non-root bridge or to use the local radius on the root bridge to increase the security level of the wlan network.
  I tried to reach the local radius on the root bridge, but I'm always getting a 404 error. After reading some Cisco docs, it said that we need to use AAA new model from the CLI, I did it without success.
  What would you recommend to ensure a good security level for the wireless link?
  I'm open to use certificates or a Radius (local or IAS) or any suggestions you may have.
  Any help or or suggestions are very welcomed...
  Thanks per advance,
  Regards

  The only EAP types supported by BR1410 is LEAP. You should able to configure LEAP client on the non-root bridge:
  http://www.cisco.com/en/US/docs/wireless/access_point/12.2_15_JA/configuration/guide/s15rep.html#wp1036921
  The above URL is for repeater; however, it is the same for non-root bridge.
  You may already know. If you want to set up local radius server, the following URL should be useful:
  http://www.cisco.com/en/US/docs/wireless/access_point/12.2_15_JA/configuration/guide/s15local.html

• Cisco 350 WB security

  I need info on the security issues and solutions for a building to building wireless wan using Cisco 350 Wireless Bridges. Everything I'm finding on the subject is for WLAN applications.

  Access points and bridges use the same radio technology, so security concerns as far as physical location are similar.