Security guidelines in switches.

Hello to everybody.
This is my first post and I don't know if it is the right place.
I would like to know what are the security guidelines that you set up in your switched LAN. I mean, do you block unused ports? Do you use 802.1x with RADIUS? Do you disable telnet and http access?
What are the security guidelines that you use in your company or clients?
Thanks in advance.

Our network uses the following:
AAA;
ACS logon to network equipment;
SSH;
HTTP/HTTPS with access list
Depending on the size of your LAN, anyone who says that "unused ports should be shutdown" should be shot or given a lobotomy. I have more than 300 LAN switches. Do you know the calls I'll be getting every hour just to get ports enabled or disabled? It would make me and my team very unpopular very fast.
Configuring Auto Smartports Macros
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_50_se/configuration/guide/swmacro.html
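
The guidelines raised in this thread (AAA, SSH-only remote management, web management behind an access list, and unused ports either shut down or behind 802.1X) can be checked mechanically against a switch's running-config. The following is an added example, not code from the posters; the sample config, the check names and the rule that `transport input` must be exactly `ssh` are assumptions.

```python
"""Audit an IOS-style running-config for the guidelines raised in the thread."""

# Constructed sample (not from the thread): hostname, ACL number and VLAN are made up.
SAMPLE_CONFIG = """\
hostname access-sw-01
!
ip http server
ip http secure-server
ip http access-class 10
!
interface GigabitEthernet0/1
 description uplink-to-core
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/4
 switchport mode access
 shutdown
!
line con 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
!
end
"""

# Interface commands that put a port under 802.1X control (older and newer syntax).
PORT_AUTH = {"authentication port-control auto", "dot1x port-control auto"}
WEB_MGMT = {"ip http server", "ip http secure-server"}


def parse_blocks(config):
    """Return [(header, [child lines])]; children are the indented lines under a header."""
    blocks = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.strip() == "!":
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def audit(config):
    """Return findings as (check, where, message) tuples in config order."""
    blocks = parse_blocks(config)
    top = [hdr for hdr, _ in blocks]
    findings = []

    if "aaa new-model" not in top:
        findings.append(("AAA", "global", "aaa new-model is not configured"))

    # Web management is acceptable only when restricted by an access list.
    web = sorted(WEB_MGMT.intersection(top))
    if web and not any(h.startswith("ip http access-class") for h in top):
        findings.append(("HTTP-ACL", "global",
                         f"{', '.join(web)} enabled with no ip http access-class"))

    for hdr, kids in blocks:
        if hdr.startswith("line vty"):
            # Assumption: anything other than exactly "ssh" may admit telnet.
            transport = next((k.split()[2:] for k in kids
                              if k.startswith("transport input")), None)
            if transport != ["ssh"]:
                shown = " ".join(transport) if transport else "unset (platform default)"
                findings.append(("VTY", hdr, f"transport input is {shown}; expected ssh only"))
        elif hdr.startswith("interface ") and "switchport mode access" in kids:
            # An access port should be either administratively down or behind 802.1X.
            if "shutdown" not in kids and not PORT_AUTH.intersection(kids):
                findings.append(("OPEN-PORT", hdr, "access port is enabled without 802.1X"))
    return findings


if __name__ == "__main__":
    for check, where, message in audit(SAMPLE_CONFIG):
        print(f"[{check}] {where}: {message}")
```

The OPEN-PORT check reflects the trade-off argued in the thread: a port can stay enabled for operational convenience, but then it is expected to require 802.1X rather than accept any device.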

Similar Messages

  • Oracle 8i Operational Security Guidelines Check

    I am new at Oracle and I want to check if an existing Oracle Database conforms with the suggested Operational Security Guidelines (Initialization Parameters, File Permissions, Authentication Modes, Account Security etc...). Where do you guys suggest I start? Is there something like a configuration file where I can check these settings?
    Thanks guys! Hope to hear from you soon!

    ORA-205: Oracle can't find its database files. If you're trying to bring up
    a database for the first time, then the easiest solution is to just
    re-install the initial database that comes with Oracle. If you moved a
    database file that belongs to an existing database, do an ALTER DATABASE
    RENAME FILE command (see your DBA Guide for more info) to tell the database
    where to find the files now. If you deleted a database file, then restore
    them from backups.
    good luck

  • Security guidelines for SBO

    Hi Forum
    I'm struggling with a task where I have to evaluate if our SBO installation is set up according to best practice and with the proper security settings, but I can't find any guidelines in the SBO documentation.
    I'm searching for some kind of tasklist to check if e.g. the default password has been changed, protection of the link to the database, check if the production client has been closed for customizing, etc.
    Does anyone in here have some ideas where I could find this.
    Best regards
    Henrik A. Christiansen
    Edited by: Philip Eller on Jul 2, 2008 12:44 PM

    Yes, but is there a client security requirement? I have a client that has their local workstations locked down. This means the user cannot run the upgrade from their workstation and a network administrator must walk around to each workstation and upgrade them with an administrator userid.
    Are there some security settings so that the network user can install the upgrade without giving them "power user" so they would be able to install all kinds of software?
    I have checked the administrator guide and a few other places, but no luck.

  • Physical port security on Cisco switching

    We have a security problem I would like to resolve. Like most sites, our wired network has live ports that, periodically, non-corporate PCs and laptops connect up to without our knowledge. In our network we do not filter for valid MAC addresses, although I've learned this is a poor approach to security as a MAC can be changed in about 10 seconds.
    I would like a solution that would validate corporate systems and let them through the Cisco layer 3 switching and block out all other devices which attempt connection. We do not currently have IDS or IPS and are not likely to in short term.
    Is there a hardware or software or combination solution out there that works well for this ?
    Thank you

    Steve
    2 solutions spring to mind
    1) 802.1x authentication. Microsoft XP/Vista has built in 802.1x supplicant and Cisco switches support Network EAP used to pass the 802.1x messages. What you also need is an authentication server such as Cisco Secure ACS server although Microsoft IAS server also supports 802.1x.
    Basically before a client is allowed access to the network they have to authenticate to the network with valid credentials otherwise the port is shutdown.
    2) NAC - Network Admission Control. This goes one step further than 1) whereby the client is also checked to see if it conforms to company policy eg. does it have the right virus checker on it etc.. and if it doesn't the client can be quarantined.
    A search on Cisco's website for both NAC and 802.1x will provide a lot of useful links.
    Jon

  • Securing Internet Edge Switch

    I am fairly familiar with hardening of Cisco routers acting as an internet gateway, like enabling SSH and blocking inbound access to private range IP addressing via ACLs, disabling , but what about switches?   Is there a best practice on configuring a switch that is being used as a L3 device for internet access?
    Thanks...
    Andy

    Hi,
    For an L3 switch @ internet edge, you can use the similar security restrictions (ACLs, disabling services that are not needed etc) and in addition 'admin down' the ports that are not being used. In addition to that, if the switch IP is not required to be advertised to the internet, do not add the default route (you may need this in case of L3 behaviour, but you can judge better).
    hth
    MS

  • Enable port security between Two switches

    Hi Everyone,
    I connected two switches together  via below config
    Switch A
    int gi0/1
    switch mode access
    switchport access vlan 10
    Switch B
    int gi0/1
    switch mode access
    switchport access vlan 10
    They work fine with above config.
    I did the Test below
    However when i changed Config of Switch B  as below
    int gi0/1
    switch mode access
    switchport access vlan 10
    switchport port-security  
    Switch B is unable to ping its default gateway.
    Also Switch B is not reachable via SSH.
    Port is up up and in STP forwarding state.
    Switch B can see Switch A as a neighbour.
    Also Switch B is not reachable via SSH.
    I know that switchport port-security we use only when connecting to PC.
    So does this mean that in the above scenario layer 1 and layer 2 are up but layers 3 and above are not reachable, like ping, ssh etc??
    Regards
    MAhesh

    I was just trying to see how the switches behave with this config. Nothing much, just exploring the options in the network world.
    Ideally if you want to connect two switches together in Layer 2, Dot1Q trunking is the way to go. You do not want to put port security because it is useless.

  • Automatic setup security enough or switch to WEP?

    Been a while since I've had a wireless and I'm wondering if I should set up a WEP or leave the WPA2 Personal key in place?  Also any other added security measures I should do to protect my router?  (Don't need the how-to's just the you-should's)  I remember on my D-Link I checked off an option to refuse pings from outside the system (I think, it was a long time ago).  It was to protect against outside computers pinging a router repeatedly until the router simply resets all the basic settings, including admin passwords, is this something I need to do on my Linksys WRT54G2?
    Message Edited by Dorainet on 05-29-2009 07:01 AM

    Hello Dorainet, WPA2 Personal is much more secure than WEP. You can leave it to that security mode. But the downside of this if you have old wireless device that doesn't support WPA2 Personal might encounter problem connecting to your network. In that case then just use WEP and use 128bit for your encryption. To secure the settings of your router, just create a router password and not use the default which is admin. You can also enable the Block Anonymous Internet Requests inside the Security tab. By enabling the Block WAN Request feature, you can prevent your network from being "pinged," or detected, by other Internet users. The Block WAN Request feature also reinforces your network security by hiding your network ports. Both functions of the Block WAN Request feature make it more difficult for outside users to work their way into your network. This feature is enabled by default. That's about it for the securities in your router.
    Beside setting up securities in your router, you can also limit the Maximum Number of  DHCP Users to the numbers of your PC's only. By default your router's Maximum Number of  DHCP Users is set to 50.
    Hope that helps.
    "Nankurunaisa" "It will all work out just fine!"

  • Reporting Auths get switched on automatically?

    We have 0COMP_CODE made "authorization relevant" in our BW system, and have set up a custom auth object in RSSM, switched it on for specific InfoProviders ("Check for InfoCubes"). We do not have it switched on system-wide, only in specific cubes.
    Everything works as we expect, except that whenever new InfoProviders are created that contain 0COMP_CODE, it seems that the RSSM "Check for InfoCubes" automatically gets switched on for that cube!  Is this what others of you have observed?  What has sometimes happened to us then is the InfoCube gets transported with this switch turned on even if we never intended the authorization to be active in this cube.
    Just wondering if this is the way it is supposed to work - if others of you have faced this issue.
    Thanks,
    Chris

    hi Chris,
    yes, it's the way it works,
    oss note 746811
    Automatic assignment of Custom Auth objects to new infoproviders
    Symptom
    If an InfoProvider is recreated and then activated, all of the relevant reporting authorization objects are automatically activated for this InfoProvider.
    Other terms
    Authorization object, create, activate, InfoProviders, InfoCubes, RSSM RSSTOBJDIR
    Reason and Prerequisites
    This is due to strict security guidelines, which prohibit data from being displayed until it is explicitly permitted.
    Solution
    The security guidelines cannot be altered.
    If you do not require an authorization check, you must once again deselect the reporting authorization objects that were made; make this deselection in transaction RSSM under "Check for InfoProviders" --> "Change".

  • SAP Cookies does not have secure attribute

    Cookies remain without Secure Attribute after changing ticket_only_by_https = 1, SystemCookiesHTTPSProtection=true, and ume.logon.security.enforce_secure_cookie=True.
    1.)ABAP: sap-appcontext cookies
    2.)Portal: com.sap.engine.security.authentication.original_application_url   
    Security guidelines advise us to set the secure flag on all cookies.
    1.) What are these cookies, what information do they contain and how are they used?
    2.) Is it necessary to set the secure flag on these cookies? If not, how does SAP handle possible cookie hijacking?

    Hi Jason,
    The cookie "com.sap.engine.security.authentication.original_application_url" is used to remember the originally called URL, when - to retrieve this URL - a logon is needed. After the successful login, it is used to redirect to the originally called application URL (and will be deleted then).
    It is also (mis)used to interpret for the SPNego login module if there already was a failed approach to login via SPNego. So if the auth request sees this cookie, it does not try to run SPNego but skips it.
    The value is encoded; only the information if the initial request was GET or POST is put in clear text in front of the value, separated by a "#" char.
    The code setting the cookie can be found in class com.sap.engine.interfaces.security.auth.AbstractWebCallbackHandler in line 1200++ - there someone could add the secure flag.
    Hope it helps
    Detlev

  • Can we set up a forum for Security related issues?

    I know many of us think security is a Windows related issue, but from time to time there are security issues that may come up. I had a question so I looked and couldn't find a forum, so I posted in one of the OS X 10.6 sub forums.
    Thanks!

    I am a co-founder of Calendar of Updates http://www.calendarofupdates.com/updates/index.php?act=idx This is a site that is primarily a Windows based security forum (I switched about 4-5 years ago). Over the years, I've tried to grow the Mac side of our forum, but, as you may know, there is little or no interest in security within the Mac community. For many, they feel security is a Windows issue.
    It's a free site, so don't think I have a vested interest in growing the membership, I'm not an owner, either.
    I just created an *Apple OS X Security Issues* forum http://www.calendarofupdates.com/updates/index.php?showforum=209
    Right now it's an empty forum since it was created 10 minutes ago. Please feel free to join the forum and share security related issues and questions.
    I am not aware of any other forums that deal with OS X security issues exclusively, so this forum could be a good place to bookmark and visit from time to time.

  • Oracle Security : what do you think about the following policy violation ?

    If you install OEM10, you will be able to see if you violate some security guidelines :
    Interesting is revoking UTL_FILE from public, which is critical. Also revoke UTL_TCP and UTL_SMTP. This is going to upset an expert I know...
    Take care about the failed login attempts. If you set it to 10 to the default profile, and if your DBSNMP password is NOT the default password, then Oracle will lock your account after node discovery!
    In Solaris, you can disable execution of the user stack with the system parameters set noexec_user_stack=1
    set noexec_user_stack_log=1. I did not find how to do it on AIX. However, those settings may have side effects.
    About the ports, it complains about open ports, even if this is the port oracle listener is using! Simply ignore most of the violations there.
    About JAccelerator (NCOMP), it is located on the "companion" CD.
    Ok, Waiting for your feedback
    Regards
    Laurent
    [High]      Critical Patch Advisories for Oracle Homes     Configuration     Host     Checks Oracle Homes for missing critical patches          
    [High]      Insufficient Number of Control Files     Configuration     Database     Checks for use of a single control file          
    [High]      Open ports     Security     Host     Check for open ports          
    [High]      Remote OS role     Security     Database     Check for insecure authentication of remote users (remote OS role)          
    [High]      EXECUTE UTL_FILE privileges to PUBLIC     Security     Database     Test for PUBLIC having EXECUTE privilege on the UTIL_FILE package          
    [High]      Listener direct administration     Security     Listener     Ensure that listeners cannot be administered directly          
    [High]      Remote OS authentication     Security     Database     Check for insecure authentication of remote users (remote OS authentication)          
    [High]      Listener password     Security     Listener     Test for password-protected listeners          
    [High]      HTTP Server Access Logging     Security     HTTP Server     Check that HTTP Server access logging is enabled          
    [High]      Web Cache Access Logging     Security     Web Cache     Check that Web Cache access logging is enabled          
    [High]      Web Cache Dummy wallet     Security     Web Cache     Check that dummy wallet is not used for production SSL load.          
    [High]      HTTP Server Dummy wallet     Security     HTTP Server     Check that dummy wallet is not used for production SSL load.          
    [High]      Web Cache owner and setuid bit'     Security     Web Cache     Check that webcached binary is not owned by root and setuid is not set          
    [High]      HTTP Server Owner and setuid bit     Security     HTTP Server     Check the httpd binary is not owned by root and setuid bit is not set.          
    [High]      HTTP Server Directory Indexing     Security     HTTP Server     Check that Directory Indexing is disabled on this HTTP Server          
    [High]      Insufficient Redo Log Size     Storage     Database     Checks for redo log files less than 1 Mb          
    [Medium]      Insufficient Number of Redo Logs     Configuration     Database     Checks for use of less than three redo logs          
    [Medium]      Invalid Objects     Objects     Database     Checks for invalid objects          
    [Medium]      Insecure services     Security     Host     Check for insecure services          
    [Medium]      DBSNMP privileges     Security     Database     Check that DBSNMP account has sufficient privileges to conduct all security tests          
    [Medium]      Remote password file     Security     Database     Check for insecure authentication of remote users (remote password file)          
    [Medium]      Default passwords     Security     Database     Test for known accounts having default passwords          
    [Medium]      Unlimited login attempts     Security     Database     Check for limits on the number of failed logging attempts          
    [Medium]      Web Cache Writable files     Security     Web Cache     Check that there are no group or world writable files in the Document Root directory.          
    [Medium]      HTTP Server Writable files     Security     HTTP Server     Check that there are no group or world writable files in the Document Root directory          
    [Medium]      Excessive PUBLIC EXECUTE privileges     Security     Database     Check for PUBLIC having EXECUTE privileges on powerful packages          
    [Medium]      SYSTEM privileges to PUBLIC     Security     Database     Check for SYSTEM privileges granted to PUBLIC          
    [Medium]      Well-known accounts     Security     Database     Test for accessibility of well-known accounts          
    [Medium]      Execute Stack     Security     Host     Check for OS config parameter which enables execution of code on the user stack          
    [Medium]      Use of Unlimited Autoextension     Storage     Database     Checks for tablespaces with at least one datafile whose size is unlimited          
    [Informational]      Force Logging Disabled     Configuration     Database     When Data Guard Broker is being used, checks primary database for disabled force logging          
    [Informational]      Not Using Spfile     Configuration     Database     Checks for spfile not being used          
    [Informational]      Use of Non-Standard Initialization Parameters     Configuration     Database     Checks for use of non-standard initialization parameters          
    [Informational]      Flash Recovery Area Location Not Set     Configuration     Database     Checks for flash recovery area not set          
    [Informational]      Installation of JAccelerator (NCOMP)     Installation     Database     Checks for installation of JAccelerator (NCOMP) that improves Java Virtual Machine performance by running natively compiled (NCOMP) classes          
    [Informational]      Listener logging status     Security     Listener     Test for logging status of listener instances          
    [Informational]      Non-uniform Default Extent Size     Storage     Database     Checks for tablespaces with non-uniform default extent size          
    [Informational]      Not Using Undo Space Management     Storage     Database     Checks for undo space management not being used          
    [Informational]      Users with Permanent Tablespace as Temporary Tablespace     Storage     Database     Checks for users using a permanent tablespace as the temporary tablespace          
    [Informational]      Rollback in SYSTEM Tablespace     Storage     Database     Checks for rollback segments in SYSTEM tablespace          
    [Informational]      Non-System Data Segments in System Tablespaces     Storage     Database     Checks for data segments owned by non-system users located in tablespaces SYSTEM and SYSAUX          
    [Informational]      Users with System Tablespace as Default Tablespace     Storage     Database     Checks for non-system users using SYSTEM or SYSAUX as the default tablespace          
    [Informational]      Dictionary Managed Tablespaces     Storage     Database     Checks for dictionary managed tablespaces (other than SYSTEM and SYSAUX)          
    [Informational]      Tablespaces Containing Rollback and Data Segments     Storage     Database     Checks for tablespaces containing both rollback (other than SYSTEM) and data segments          
    [Informational]      Segments with Extent Growth Policy Violation     Storage     Database     Checks for segments in dictionary managed tablespaces (other than SYSTEM and SYSAUX) having irregular extent sizes and/or non-zero Percent Increase settings

    "Interesting is revoking UTL_FILE from public, which is critical. Also revoke UTL_TCP and UTL_SMTP. This is going to upset an expert I know..."
    Okay, as this is (I think) aimed at me, I'll fall for it ;)
    What is the point of revoking UTL_FILE from PUBLIC? Yes I know what you think the point is, but without rights on an Oracle DIRECTORY being able to execute UTL_FILE is useless. Unless of course you're still using the init.ora parameter
    UTL_FILE_DIR=*
    which I sincerely hope you're not.
    As for UTL_SMTP and UTL_TCP, I think whether a program is allowed to send e-mail to a given SMTP server is really in the remit of the e-mail administrator rather than the DBA.
    Look, DBAs are kings of their realm and can set their own rules. The rest of us have to live with them. A couple of years ago I worked a project where I was not allowed access to the USER_DUMP_DEST directory. So every time I generated a TRC file I had to phone up the DBA and a couple of hours later I got an e-mail with an attachment. Secure yes, but not very productive when I was trying to debug a Row Level Security implementation.
    I have worked on both sides of the DBA/Developer fence and I understand both sides of the argument. I think it is important for developers to document all the privileges necessary to make their app run. Maybe you don't have a better way of doing that than revoking privileges from PUBLIC. Or maybe you just want to generate additional communication with developers. That's fine. I know sometimes even DBAs get lonely.
    Cheers, APC

  • New Branch Office - High Security

    Hello
    we plan to have 5 branch offices each with around 40 users. All branches will be in different geographical locations. Best Security needs to be implemented in all branches. All services email, SAP, Portals are hosted in the HeadOffice Datacenter. Each Branch will have dedicated internet 5MB for Voice and DATA
    Guidelines for security  -
    ensure users cannot insert usb or cd on laptops /desktops
    laptops/desktops are allowed to access restrictive internet from Office
    Outside Laptops / Tablets not allowed to connect to network but allowed internet via wireless using Guest
    to access internet from home or Cafe users needs to connect to office VPN and then access from local Internet server (Proxy)
    vendors proposed following ;-
    3921 router for branch
    ASA 5510 for branch
    3945 router for HeadOffice ( VPN )
    Filtering - Web Washer - Mcafee
    Experts can advise what hardware will best fit the branches and what other devices I need to achieve the above goals.
    Thanks
    Vishal

    Hello Vishal,
    I would recommend the following:
    For Branches:
    1-  Cisco 2921: Voice Licensed (you don't need a higher end above this series for 40 users).
    2-  Cisco ASA 5510: (This will be your Security appliance at each branch).
    For Head Quarter:
    1-  Cisco ASA 5520: (This Will be Your HQ Security Appliance).
    2-  Cisco 3925 or 3945 router (Voice Licensed).
    For your Security Guidelines, here are my answers:
    ensure users cannot insert usb or cd on laptops /desktops
    For this purpose, you can disable the administrative privilege on the Notebooks and PCs for all users and remove the software driver for their USBs.
    laptops/desktops are allowed to access restrictive internet from Office
    For this purpose, I would recommend using Cisco IronPort WebFiltering; it can be easily integrated with your Active Directory and enforces all filtering policy you would require.
    Outside Laptops / Tablets not allowed to connect to network but allowed internet via wireless using Guest
    For this purpose, I would recommend deploying a Wireless LAN Controller at your HQ to have the benefit and full advantage of managing your Wireless Infrastructure.
    to access internet from home or Cafe users needs to connect to office VPN and then access from local Internet server (Proxy)
    For this purpose, I would also say your best option is to have Remote Access VPN & (VPN Client) deployed on all employees' Notebooks. Though, you can have another option, which is to have SSL-VPN deployed at your HQ, but this will have additional cost as it is a value-added feature licensed per number of users.
    Let me Know if this answers your Question Or if you require additional assistance.
    Regards,
    Mohamed

  • Switch from classic to Extended Classic Scenario- Impact

    Hello,
    We are proposing to switch from Classic to Extended Classic Scenario.
    We are on SRM_SERVER 550,Sp7 and SAP 4.7 backend.
    We want to know if this is technically feasible to switch and have less/no impact on existing transactional data and master data.
    Main concerns are: Existing open Shopping carts and PO's.
    We are also modifying the WF by including buyer completion WF.
    Will the carts created in classic scenario and 'awaiting approval' work similarly in ECS?
    Can we copy old carts (created in classic scenario) into new ones in ECS?
    Are there any other issues like the ones above which people have come across?
    Is there any standard SAP material/Consulting note available
    which gives some guidelines for switching scenarios?
    Regards,
    Srivatsan

    Hello,
    You can switch from the classic to the extended classic scenario by making the global settings in the IMG.
    But it would be better if you can decide if only a particular set of categories need ECS.
    If you wish to have both the scenarios,the deciding factor is the product category.
    You can also activate a  BADI for the control of ECS despite the above Global settings.
    Reward if answer is helpful,
    Thanks & Regards,
    Nagarajan

  • SECURITY CODE CHANGED IN NOKIA 5300 XPRESSMUSIC

    Hey everybody, this is my damn NOKIA 5300 XpressMusic and I don't know who changed the security code.
    Now I'm getting 1dum tension, please help me.
    None of the following gets me off the problem:
    I need a security code
    to switch off
    to switch ON/to enter desktop
    to connect to computer via PC
    to use bluetooth
    in fact without security I can't get anything.
    moreover the IMEI number is damn confusing, it goes under the battery.
    Let me see if this is the real support from whole of the NOKIA company!
    Moderator Note: IMIE number removed
    Message Edited by kenken on 21-Feb-2008 12:09 PM

    You should never post your IMEI number on the internet as criminals can use it for dodgy purposes.
    The default security code is 12345, if this has been changed and you have forgotten the code then you will need to visit a nokia care point/service centre.
    They will be able to reset the code but you will lose all stored data. They will need to see proof of purchase before performing this procedure to ensure that you are its rightful owner.
    It is not possible to reset it yourself.
    Care points:
    UK
    http://www.nokia.co.uk/A4228006
    Europe:
    http://europe.nokia.com/A4388379
    Elsewhere:
    http://www.nokia.com and select your country.

  • Can a Nexus 1000v be configured to NOT do local switching in an ESX host?

    Before the big YES, use an external Nexus switch and use VN-Tag. The question is when there is a 3120 in a blade chassis that connects to the ESX hosts that have a 1000v installed on the ESX host. So, first hop outside the ESX host is not a Nexus box.
    Looking for if this is possible, if so how, and if not, where that might be documented. I have a client whose security policy prohibits switching (yes, even on the same VLAN) within a host (in this case blade server). Oh and there is an insistence on using 3120s inside the blade chassis.
    Has to be the strangest request I have had in a while.
    Any data would be GREATLY appreciated!

    Thanks for the follow up.
    So by private VLANs, are you referring to "PVLAN":
    "PVLANs: PVLANs are a new feature available with the VMware vDS and the Cisco Nexus
    1000V Series. PVLANs provide a simple mechanism for isolating virtual machines in the
    same VLAN from each other. The VMware vDS implements PVLAN enforcement at the
    destination host. The Cisco Nexus 1000V Series supports a highly efficient enforcement
    mechanism that filters packets at the source rather than at the destination, helping ensure
    that no unwanted traffic traverses the physical network and so increasing the network
    bandwidth available to other virtual machines"
