Secure L2 Switch

Topology
2 firewall modules in cluster mode connected to 2 Catalyst 2950 switches (which do not support SSH).
The policy here is to not give an IP address to the switches for security reasons (per Cisco's recommendation of allowing only SSH sessions).
1. Is it common practice not to give the switches an IP address for security reasons?
2. Do I have to change the switches to ones which support SSH?

You will cause yourself difficulties if your switches cannot be managed over the network.
A compromise solution could be to set up a separate management VLAN. IPs for the 2950s could be assigned in this range, and you could even set this up as an isolated VLAN.
The basic idea is to have management traffic and user traffic in separate VLANs. This will not offer security in the case of someone sniffing on the network cable, but as you know, rule 1 in security is to disallow/disable physical access to your equipment and cabling routes. When you can control physical access, this method is more viable (less $$) than changing to switches with SSH support.
Regards,
Leo

Similar Messages

  • Unwanted ok Prompt via Secure Console Switch?

    We have 2 CS800's by Lightwave (now Lantronix)
    I merged them into 1 Lantronix SCS3205.
    16 devices, 1/2 HP-UX 1/2 SUN Solaris.
    HP boxes are fine.
    Solaris boxes are at ok prompts! All I did was unplug from one console switch to the other. I've done this 1000 times with a laptop.
    Lantronix says to do this with the power off (I haven't had to in the past) or to disable the "Hardware Break Feature" on the Sun box, but wouldn't this stop my use of Stop+A?
    Sun has no idea what to do, help?

    kbd -a alternate
    .. will make the system use the alternate break sequence and disable the ordinary Stop+A and serial BREAK signal; instead it will use <Enter> ~ <Ctrl+B>.
    .7/M.

  • CC equivalent of security related switches

    Hi,
    Are there any compiler or linker options that perform similar to:
    1) Buffer overflow detection (Microsoft's /GS and GNU's -fstack-protector)
    2) Prevent data execution (Microsoft's /NXCOMPAT)
    3) Position independent executables ( Microsoft's /DYNAMICBASE and GNU's -fpie)
    I'm using Solaris Studio 12.2 and not seeing anything in the compiler's documentation. Are there any recommendations for hardening executables during the build process? Thanks for any help.
    Peter

    Hi,
    These might be what you're after:
    1) -xcheck=stkovf
    You should look at using discover for memory access error detection; the stack overflow checking only checks for running out of stack space, not errors in accessing data held on the stack.
    2) -M /usr/lib/ld/map.noexdata
    This is a linker mapfile that makes the data segment non-executable.
    3) -xcode=pic32
    Generates 32-bit position independent code.
    HTH,
    Darryl.

  • Is it possible to switch the security context while in a process task?

    I have a process task which needs to perform some tasks that require a higher level of permissions than the current user has. So, I am looking for a way to switch to another security context using the credentials of another user account, like xelsysadm, and then using the OIMClient class, perform a logon as that other user and then call the necessary oimClient.getService(class) methods as needed.
    My first problem is where do I store these other credentials? I was hoping to use the Security Credentials MAP as set up in the Enterprise Manager console and access this map using the oracle.security.jps series of classes. However, I am getting access denied when I try to access the Credentials Map.
    Here is the code snippet I am using:
    import oracle.security.jps.JpsContext;
    import oracle.security.jps.JpsContextFactory;
    import oracle.security.jps.service.credstore.Credential;
    import oracle.security.jps.service.credstore.CredentialMap;
    import oracle.security.jps.service.credstore.CredentialStore;
    import oracle.security.jps.service.credstore.PasswordCredential;
    // Runs inside a method declared "throws JpsException" (getContextFactory() and getCredentialMap() both throw it).
    String userName = null, password = null;
    JpsContext ctx = JpsContextFactory.getContextFactory().getContext();
    CredentialStore cs = ctx.getServiceInstance(CredentialStore.class);
    CredentialMap cmap = cs.getCredentialMap("oracle.oim.sysadminMap"); // This statement throws an Access Denied exception
    Credential cred = cmap.getCredential("sysadmin");
    // Ensure the credential is a Password credential
    if (cred instanceof PasswordCredential) {
        PasswordCredential pcred = (PasswordCredential) cred;
        char[] rawPwd = pcred.getPassword();
        password = new String(rawPwd);
        userName = pcred.getName();
    }
    Am I doing something wrong here or is what I am trying to do not allowed from within a Resource Object's process task?
    Thank you for any suggestions.
    -Dave Herrmann
    Edited by: user552098 on Jul 3, 2012 2:50 PM

    Bikash,
    Our Oracle Consultants have told me that I should not make a call to OIMClient.logon() from within an OIM process task. They say that on the server side I should only call Platform.getService() not OIMClient.getService() so I guess I won't be needing any userid/pwds to be stored in the Security Credential Map store.
    But then that begs the question: How do I make a security context switch from within a process task java method if I cannot use OIMClient? Is there a way to impersonate another user using OIM APIs?
    Any ideas on how to do this?
    Thank you for any help.
    -Dave

  • Switch/Router can only use PAP to communicate with IAS

    I was securing my switches to allow users to log in using RADIUS and noticed that I have to set the IAS server to PAP for the Cisco equipment to authenticate. Is there an alternative to this, since PAP is clear text?
    [ PC ]__SSH__[Switch]___PAP___[ IAS ]

    When using SSH to the switch for switch-based authentication you need to
    enable PAP on the RADIUS policy.
    Telnet/SSH work with PAP only.
    Regards,
    ~JG
    Do rate helpful posts
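The wire format behind the answer above, as an added example that is not part of the thread: RFC 2865 section 5.2 is how a RADIUS client such as the switch hides a PAP password in the User-Password attribute, so what reaches IAS is the password XORed with an MD5 stream keyed by the shared secret and the per-request Request Authenticator. That is not literally clear text on the wire, but anyone who captures the Access-Request can test shared-secret guesses offline, which the last function shows. The shared secret, Request Authenticator, password and function names below are my own constructed values, not from the thread or from any vendor.

```python
"""RFC 2865 section 5.2: how a RADIUS client hides a PAP password in User-Password.
Added example for this page, not code from the thread; all values are constructed."""
import hashlib

def _chain(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """c_i = p_i XOR MD5(secret || c_(i-1)), with c_0 = Request Authenticator.
    The same loop runs both ways; only which side feeds the next MD5 differs."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        xored = bytes(x ^ y for x, y in zip(block, mask))
        out += xored
        prev = block if decrypt else xored  # the ciphertext block always feeds the next MD5
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: NUL-pad to a 16-byte multiple (1..128 bytes), then chain."""
    if not 1 <= len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("password must be 1..128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    return _chain(padded, secret, authenticator, decrypt=False)

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side, or anyone holding the secret plus the captured request."""
    return _chain(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")

def looks_like_password(raw: bytes) -> bool:
    """Printable text followed only by NUL padding: what a correct secret yields."""
    text = raw.rstrip(b"\x00")
    return bool(text) and all(32 <= c < 127 for c in text)

def guess_secret(hidden: bytes, authenticator: bytes, candidates: list[bytes]):
    """Offline dictionary attack on one captured Access-Request: the shared secret
    is the only thing between a sniffer on the NAS-to-RADIUS path and the password."""
    for secret in candidates:
        if looks_like_password(_chain(hidden, secret, authenticator, decrypt=True)):
            return secret
    return None

# Constructed values. A real Request Authenticator is 16 fresh random bytes per request.
SECRET = b"sup3r-s3cret-1984"
REQUEST_AUTHENTICATOR = bytes.fromhex("00112233445566778899aabbccddeeff")
PAP_PASSWORD = b"cisco"

if __name__ == "__main__":
    hidden = hide_password(PAP_PASSWORD, SECRET, REQUEST_AUTHENTICATOR)
    print("User-Password on the wire:", hidden.hex())
    print("recovered by the server  :", unhide_password(hidden, SECRET, REQUEST_AUTHENTICATOR))
    print("secret found by a sniffer:", guess_secret(hidden, REQUEST_AUTHENTICATOR,
                                                       [b"radius", b"testing123", SECRET]))
```

The server-side recovery and the sniffer's dictionary check operate on the same 16-byte User-Password value, so the protection is exactly as strong as the shared secret: make it long and random, and keep the switch-to-IAS path off user-reachable segments (a dedicated management VLAN, as in the opening thread).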

  • Filtering mac on switch

    Hi everyone,
    I have two switches for two separate departments. I would like to configure MAC address filtering on the switch so that users cannot communicate with each other. Can someone help with a configuration guide?

    Hi,
    Not sure, but I know two ways in which this can be done.
    1] Access-list ranges 700-799 and 1100-1199 are reserved for MAC addresses.
    It would go something like:
    access-list 701 deny abcd.abcd.abcd 0000.0000.0000
    access-list 701 permit 0000.0000.0000 ffff.ffff.ffff
    2] Port security.
    Switch# config t
    Switch(config)# int fa0/18
    Switch(config-if)# switchport port-security ?
      aging        Port-security aging commands
      mac-address  Secure mac address
      maximum      Max secure addresses
      violation    Security violation mode
    Switch(config-if)# switchport port-security
    Switch(config-if)# ^Z
    http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_6_ea2c/configuration/guide/swgports.html#wp1043892
    http://articles.techrepublic.com.com/5100-10878_11-6123047.html
    Hope this helps.
    Regards,
    Pravin

  • Cannot print wirelessly via AirPort Express with WPA2 Personal security

    Recently decided to tighten security by switching to WPA2 Personal from WEP on our WDS wired/wireless home network. The main base station is an AirPort Extreme, the WDS remote base station is an AirPort Express, both configured using AirPort Setup Assistant. Printers are hardwired through the switch. No problem printing wirelessly when in range of the main base station, but when connected through the WDS remote base station I get the following error: "Unable to open [printername]: No route to host". Interestingly, if I first print when connected (wirelessly) through the main base station, I can then print wirelessly through the remote base station. When I go back to WEP security there is no problem. Anyone have any suggestions?

    You may need to update your AirPort base station firmware to support WPA/WPA2 over WDS. (ref: http://docs.info.apple.com/article.html?artnum=107791)

  • Securing SG300 28P PoE Switch.

    Greetings, I would like to start by apologizing. I have absolutely no knowledge in switch security management but I've been tasked with it given the shortage of personnel. I have a SG300-28P-PoE switch that needs to be securely configured. I've done the basics of upgrading the firmware to the latest. Given my lack of any experience whatsoever, please include complete procedures (hand holding, I'm sorry).
    I wanted step-by-step guidance of:
    1. Locking down ports by MAC address.
    2. DDoS protection.
    3. Lock down login from all but 1 IP and only allow browser based SSL login. No TELNET, SSH or other method.
    4. Shutting down any services on the switch.
    Any other recommended security steps to secure the switch.
    Thanking in advance,
    Parth

    Hello Parth,
    Thank you for using the Cisco Small Business forums. I am an eContent developer and part of the Small Business Support Community.
    Looking over the questions that you've asked, I found a few articles that might help you with the configuration changes you'd like to make:
    As Brandon mentioned, the Knowledge Base contains many documents with step-by-step procedures and screenshots for common tasks. Port-security is an excellent solution for the first problem. You can configure ports to lock down when a MAC address is changed:
    Port Security
    The SG300 security suite has many options for protecting against DDOS attacks:
    DDOS
    In regards to disabling/enabling services and restricting access to the web console, this article provides some guidance (uncheck the services that you do not wish to use-- in relation to your question, uncheck all except HTTPS):
    Enabling SSH/Telnet/HTTP
    I hope that these articles help to answer your question. Please remember to mark this question as answered and rate it if it helps to address your issue so other users can benefit from it, and feel free to ask any further questions you might have!
    Best,
    Gunner Grim
    Cisco eContent Developer

  • WS-C2960S-24TS-S and WS-C2960S-24TS-S Basic Security configuration.

    Greetings, I would like to start by apologizing. I have absolutely no knowledge in switch security management but I've been tasked with it given the shortage of personnel. I have a WS-C2960S-24TS-S and a WS-C2960S-24TS-S switch that need to be securely configured. I've done the basics of upgrading the firmware to the latest. Given my lack of any experience whatsoever, please include complete procedures (hand holding, I'm sorry).
    I wanted step-by-step guidance of:
    1. Locking down ports by MAC address.
    2. DDoS protection.
    3. Lock down login from all but 1 IP and only allow browser based SSL login. No TELNET, SSH or other method.
    4. Shutting down any services on the switch.
    5. Shutting down password recovery.
    Any other recommended security steps to secure the switch.
    Thanking in advance,
    Parth

    Hi Parth,
    I'm not sure if you got this figured out or not but a lot of the stuff you need can be found here: Cisco Guide to Harden Cisco IOS Devices
    Regarding the "locking down ports by MAC address", you should think about Port-security.

  • HP iLO Override Switch

    Hi All,
    I have been using the HP iLO Online Configuration Tool to configure iLO on servers that my company supports. I have successfully configured it on many of the servers but on one particular server (Proliant ML350 G6) I am unable to save any settings and keep getting an error message which says to check a log file in C:\Program Files\HP\hponcfg but the log file doesn't give me any information.
    When selecting Settings - Configure iLO I receive an error message informing me that iLO functionality has been disabled and I need to use the override switch in the server to enable it.
    The server is in another city and I would prefer to not have to travel there to do this - is there any way of enabling iLO functionality without having to use the override switch?
    Thanks

    Hi,
    you'll need physical access to the server to enable the iLO functionality. There is no other way.
    If iLO functionality is disabled, you must use the server Security Override Switch to enable iLO. See the server documentation to locate the Security Override Switch, and then set it to Override. Power up the server, and then use the iLO RBSU to set iLO Functionality to Enabled.
    Regards,
     Dilip

  • WS-C2960S-24TS-S and WS-C2960X-24TS-L Basic Security configuration.

    Greetings, I would like to start by apologizing, as I would require hand-holding given my lack of experience in Cisco (or any other) switches. I have absolutely no knowledge in switch security management but I've been tasked with it given the shortage of personnel. I have a WS-C2960S-24TS-S and a WS-C2960X-24TS-L switch that need to be securely configured. I've done the basics of upgrading the firmware to the latest. Given my lack of any experience whatsoever, please include complete procedures.
    I wanted step-by-step guidance of:
    1. Locking down ports by MAC address.
    2. DDoS protection.
    3. Lock down login from all but 1 IP and only allow browser based SSL login. No TELNET, SSH or other method.
    4. Shutting down any services on the switch.
    5. Shutting down password recovery.
    6. Enabling the highest supported encryption for sensitive data (passwords). While posting this I've just read that level 7 encryption can be cracked.
    Any other recommended security steps to secure the switch.
    Thanking in advance,
    Parth

    Hello, Parth Maniar.
    1. Look at the command "switchport port-security" inside interfaces (documentation: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/port_sec.pdf ).
    2. There is not much you can do for DDoS protection. Also, it depends on the IOS version (is your IOS Lite or Base?). You can use the command from point 1, and also the "storm-control" commands (inside interface) and "switchport block [type]" (inside interface), and if your IOS is not Lite you can also use ARP-spoofing protection and DHCP-spoofing protection.
    3. To turn off SSH and Telnet:
    line vty 0 4
     transport input none
    exit
    line vty 5 15
     transport input none
    exit
    To turn off HTTP access: no ip http server
    To limit access to the HTTPS server to only 1 IP address:
    access-list 1 remark ------- ACL for HTTPS access ------------------------
    access-list 1 permit [permitted IP]
    access-list 1 deny any log
    access-list 1 remark ------- END of ACL for HTTPS access -----------------
    ip http access-class 1
    And for configuring the HTTPS server: http://www.cisco.com/c/en/us/td/docs/ios/termserv/command/reference/tsv_book/tsv_s1.pdf
    4. Use the command "service ?" to see all possible services for your switch. With "no" before the command you can turn off any service that you do not need (for example "no service dhcp").
    5. You can't shut it down, because the password can only be recovered by rebooting the switch and pressing the "mode" button afterwards. Here is the password recovery procedure: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-2950-series-switches/12040-pswdrec-2900xl.html
    After reading it you will understand why you can't turn it off.
    6. Yes, level 7 encryption can be cracked. So you can store your passwords as MD5. You can use the commands:
    enable secret [password]
    username [name] secret [password]
    After this Cisco will store your password as an MD5 hash, and in the configuration you'll see it as "username [name] secret 5 [md5 hash]".
    What else you can use for security matters:
    - logging (the command "login on-failure log every [number of failures]" is a must!). Documentation: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swlog.html
    You can also use the configuration below to log all configuration changes:
    archive
     log config
     exit
    exit
    - turn off the LLDP and CDP protocols on the end-user side (you can google it).
    - use SNMP to get the status of the switch and ports and analyse it for anomalies.
    - use these commands inside interfaces: "spanning-tree guard root" (don't use this command on the ports where your other switches are connected) and "spanning-tree bpduguard enable" (use the second command if you are not planning to connect another switch to this port).
    - use the command "switchport nonegotiate" on all ports.
    - you can also use these commands:
    no ip source-route
    ip arp proxy disable
    no ip icmp redirect
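An added example, not code from this thread, from Parth's switches or from Cisco: a Python audit that reads a Catalyst-style running-config and reports the items from the answer above (type-7 passwords, vty transports and access-class, HTTP versus HTTPS with an access-class, failed-login logging, the archive log), plus the management-VLAN point from the opening "Secure L2 Switch" question (a management address left on VLAN 1) and the port-security point from the "Filtering mac on switch" thread. It also decodes a "password 7" string to show concretely why type 7 only hides a password: the XOR key is fixed and has been public since the 1990s. Both configs are constructed; the MD5 hash in the hardened config is a placeholder, not a real hash, and the finding wording is my own.

```python
"""Audit a Catalyst running-config for the hardening points above (added example; configs are constructed)."""
import re

# Fixed key behind 'password 7', public since the 1990s: type 7 hides a password, it does not protect it.
TYPE7_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

def decode_type7(blob: str) -> str:
    """Type 7 = two-digit seed + hex of (char XOR key[seed + i]); fully reversible."""
    seed, data = int(blob[:2]), bytes.fromhex(blob[2:])
    return "".join(chr(b ^ TYPE7_XLAT[(seed + i) % len(TYPE7_XLAT)])
                   for i, b in enumerate(data))

def parse_config(text: str) -> tuple[list[str], dict[str, list[str]]]:
    """Top-level lines, plus the indented sub-commands under each of them."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw[0].isspace():
            current = raw.strip()
            top.append(current)
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())
    return top, blocks

def starts(lines: list[str], prefix: str) -> bool:
    return any(l.startswith(prefix) for l in lines)

def audit(text: str) -> list[str]:
    top, blocks = parse_config(text)
    f = []
    # Credentials: anything stored as type 7 is recoverable from the config file itself.
    for m in re.finditer(r"\bpassword 7 ([0-9A-Fa-f]+)", text):
        f.append(f"type-7 password decodes to {decode_type7(m.group(1))!r}; use 'secret'")
    if starts(top, "enable password") and not starts(top, "enable secret"):
        f.append("enable password set without enable secret")
    # Management plane: vty transports and source ACL, web UI, management VLAN.
    for hdr, body in blocks.items():
        if not hdr.startswith("line vty"):
            continue
        transports = [l for l in body if l.startswith("transport input")]
        if transports == ["transport input none"]:
            continue  # closed, nothing more to check
        if not transports or any("telnet" in t or " all" in t for t in transports):
            f.append(f"{hdr}: telnet permitted; use 'transport input ssh' or 'none'")
        if not starts(body, "access-class"):
            f.append(f"{hdr}: no access-class limiting management sources")
    if "ip http server" in top:
        f.append("plain HTTP management enabled; 'no ip http server'")
    if ("ip http server" in top or "ip http secure-server" in top) and \
            not starts(top, "ip http access-class"):
        f.append("web management not limited by 'ip http access-class'")
    if starts(blocks.get("interface Vlan1", []), "ip address"):
        f.append("management address on VLAN 1; use a dedicated management VLAN")
    # Access ports: every user-facing port should carry port-security.
    for hdr, body in blocks.items():
        if hdr.startswith("interface") and "switchport mode access" in body and \
                not starts(body, "switchport port-security"):
            f.append(f"{hdr}: access port without port-security")
    # Visibility: failed-login logging and configuration-change archive.
    if not starts(top, "login on-failure log"):
        f.append("no 'login on-failure log'")
    if "log config" not in blocks.get("archive", []):
        f.append("no 'archive / log config' (configuration-change logging)")
    return f

# Constructed weak config; the type-7 string is the textbook encoding of 'cisco'.
WEAK = """enable password 7 094F471A1A0A
ip http server
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
interface FastEthernet0/2
 switchport mode access
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input none
"""

# Constructed hardened config: the same switch after applying the points above (placeholder hash).
HARDENED = """enable secret 5 $1$salt$constructedplaceholderhash0
login on-failure log every 3
archive
 log config
no ip http server
ip http secure-server
ip http access-class 1
access-list 1 permit 192.0.2.50
interface Vlan99
 ip address 192.0.2.10 255.255.255.0
interface FastEthernet0/2
 switchport mode access
 switchport port-security
line vty 0 4
 transport input ssh
 access-class 1 in
line vty 5 15
 transport input none
"""
```

Call audit(WEAK) to get one finding per weak point (ten for the constructed config, the first of which shows the recovered plaintext "cisco"), and audit(HARDENED) to confirm an empty list. The parser only understands the one-level indentation of IOS configs, which is enough for interfaces, lines and the archive block; feed it the output of show running-config from a 2950/2960 and extend the checks as needed.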

  • Redeploy changes security provider

    Hi,
    I'm using Oracle 10.1.3.3. I initially deployed an EAR with no <jazn> element in the orion-application.xml file and, as documented, the default file-based security provider was assigned. I then changed to an external LDAP security provider and restarted the application. All was well. Later I made some code changes so had to redeploy the application, and - to my surprise - the security provider switched back to the default file-based provider.
    Does this mean I have to redo the security provider configuration every time I deploy the same app? Is there a better way, such as setting up an external LDAP security provider for the whole instance and all apps deployed to it?
    Thanks,
    Gerald

    Hello kyle12k,
    Thanks for using Apple Support Communities.
    For more information on this, take a look at:
    Rescue email address and how to reset Apple ID security questions
    http://support.apple.com/kb/HT5312
    Best of luck,
    Mario

  • "Secure Zone" is coming in Lenovo Vibe Z2 Pro

    In the upcoming Lenovo flagship Vibe Z2 Pro (K920), we are introducing a new feature: Secure Zone.
    In order to protect sensitive applications & data on the phone, users set up all kinds of lock screens. However, once a lock screen is set, the user must unlock the phone before using anything, including accessing insensitive apps & data.
    Open Zone & Secure Zone
    In the Vibe Z2 Pro, we have two zones: the open zone and the secure zone. Every app can run in the open zone, while only trusted apps run in the secure zone, to protect sensitive applications & data for the user. The user can easily switch between the open zone and the secure zone with just "one click". In the secure zone, it is safer, freer and easier.
    How to use "Secure Zone"
    Enable "Secure Zone"
    Configure "Secure Zone"
    Switch Zone
    Enjoy your safer, freer and easier app runtime in our "Secure Zone" for the new flagship Lenovo Vibe Z2 Pro.
    Any comment about "Secure Zone" is welcome. Please feel free to contact us.

    Hi
    Did you have this issue from day 1?
    Could be a software issue (the OS isn't installed correctly) or maybe a hardware issue.
    You should take it to a Lenovo service center for a check-up. Your warranty should cover this.
    Really sorry about this.
    Regards.

  • My efforts to remove malware from a network external hard drive connected to my Intel-based iMac are now causing programs to hang when I try to open them.

    I own an iMac, recently updated with OS X 10.7.5. It is the core computer on a home network shared with an iPad, Apple TV, two network printers, my wife's laptop, two iPhones, a BlackBerry and a BlackBerry PlayBook. I am experiencing three if not four problems that are overwhelming.
    My original problem is associated with Windows email files or documents stored on my external network hard drive. One or more has malware and is sending malware-laced files across the Internet to points unknown. As someone pointed out in a forum, my iMac may be hosting, sharing and propagating Windows malware. I originally used Trend Micro software on my iMac to monitor any viral activity. Two weeks ago I noticed a number of notices from servers around the world saying my message was undelivered. Since I had sent messages to the people I simply deleted the emails. Next I noticed the emails on my BlackBerry and my BlackBerry PlayBook. I configured Trend to do a complete scan, and although it did a complete scan it did not perform a full network scan. It did identify a series of .x27 document files with the same name, but each had a sequential number. I assumed that these were the source files that had sent out the email documents selling Viagra and other products. I manually deleted thousands of the source documents and the files. This caused some disruption to my computer but it did not produce a hardware or software problem. By following this effort in conjunction with security scans I do believe the malware was activated by Iranian students who were able to activate the malware through my BlackBerry and BlackBerry PlayBook. I learned this from an encounter I had when trying to delete these files on my computer and my BlackBerry.
    When using my PlayBook after deleting the files from my computer I noticed more messages being returned from servers. I realized that email accounts connected to my BlackBerry and BB PlayBook were not protected from this problem. As I searched for remedies I learned about turning on the firewall in the previous version of Lion, but that did not stop the BlackBerry problem. Each time I deleted a source file on my computer more documents were released. I eventually received McAfee from my ISP. It provided security on the entire network. My first full scan of my external drive identified two malware files. One of them was associated with the Cialis ad; the other was from a firm in the Middle East called ADP. It could not remove the latter file.
    Moreover, each time I attempted to remove the source file from my hard drive a file labeled A239A076F would show up on my BlackBerry. As I removed them thousands of these files would show up. Ultimately I disconnected the external hard drive, removed the battery from the phone and stopped using the email accounts these messages had used to enter my iMac. I am contacting AT&T about BlackBerry data security and switching to a different phone for business purposes. I will probably change to an iPhone or Android phone for business purposes. I am also looking at ways to resolve the malware on that drive. There are a number of business and personal files on that drive that I hope to keep. I dread having to pay McAfee to configure the software to eradicate the malware.
    Moving on... last week I updated my iMac to 10.7.5. It simultaneously updated every Apple-based program as promised. It did not update the non-Apple programs. I am not an IT professional and assumed that it had done so. On Saturday I attempted to download a file associated with my router extender using my untethered PlayBook and BlackBerry desktop software. The program hung. I attempted a reboot and it reopened with the hung program. It created an alias file on the desktop. My inclination led me to put the alias file in the trash can and delete it. My computer did not respond well to that action. It has been rebooted with Cmd-S-Esc tens of times to see if that would activate a file check. It did not. I was able to run a Disk Utility check, and in spite of the hung process it eventually said the drive was okay.
    Long story in a nutshell: my iMac is responding as if it is looking for a subprogram to complete a function, or it is attempting to finish the BlackBerry operation it began on Saturday. I hope this makes sense to someone who then knows how I can restore functionality to my iMac.
    Thank you.

    I think the McAfee suite will do the trick when I pay them a one-time fee of $69 or $179 for a year for unlimited support.
    Your call of course but IMO a waste of money. Please read this first:
    There are many forms of ‘Malware’ that can affect a computer system, of which ‘a virus’ is but one type, ‘trojans’ another. Using the strict definition of a computer virus, no viruses that can attack OS X have so far been detected 'in the wild', i.e. in anything other than laboratory conditions. The same is not true of other forms of malware, such as Trojans. Whilst it is a fairly safe bet that your Mac has NOT been infected by a virus, it may have another security-related problem, but more likely a technical problem unrelated to any malware threat.
    You may find this User Tip on Viruses, Trojan Detection and Removal, as well as general Internet Security and Privacy, useful:
    https://discussions.apple.com/docs/DOC-2435
    The User Tip (which you are welcome to print out and retain for future reference) seeks to offer guidance on the main security threats and how to avoid them.
    More useful information can also be found here:
    http://www.reedcorner.net/mmg/

  • Itunes won't open, tried all the suggestions here

    Usual problem. itunes 6 loads once upon installation then no more. I double click, see the hourglass briefly and nothing more.
    To speed things up, no I do not have any antivirus software running.
    Yes, I've deleted that SC info file.
    Yes I've been through the msconfig fudge and stopped other services and startup items.
    And yes I've cleaned the system and reinstalled as directed countless times.
    None of this works. itunes 6 is still frustrating me by not starting. I wish I'd checked these forums before upgrading as it sounds like a premature release.
    Can anyone help me?
    Thanks in advance,
    TC

    hi Scott!
    Now when I try to launch, it says "ITunes cannot run because some of its required files are missing. Please reinstall iTunes."
    you probably overshot with your system restore. that's the message people get when they system restore over top of an installation. installation entries for itunes and qt just get stripped out under those circumstances. here's a reference on what system restore does and doesn't do for you:
    http://www.microsoft.com/technet/prodtechnol/winxppro/plan/faqsrwxp.mspx
    best to uninstall completely and start again. try following these instructions:
    first try heading to Windows Update to make sure you're up-to date in that regard. also
    make sure you have your antivirus and antispyware switched off during uninstalls and installs.
    now use the instructions given here to completely remove your existing itunes and quicktime:
    http://docs.info.apple.com/article.html?artnum=93976
    if you run into trouble on the uninstall, use the Windows Cleanup utility:
    http://support.microsoft.com/kb/290301/
    then try a careful standalone QT 7.0.3 install. download and save the installer to the hard drive. we'll run the install from there rather than online.
    remember, security software switched off prior to the install:
    http://www.apple.com/quicktime/download/standalone.html
    then try an itunes install, taking the same precautions as you took for the qt install.
    if you get an error message at any step of the way, tell us which uninstall/install you got it on, what the error message says, and what error message numbers you get.
    keep us posted.
    love, b
