
Sunday, 28 October 2012

Layer by Layer Troubleshooting with a Cisco Router



OSI Model - Bottom Up Troubleshooting

If you will recall, the OSI model starts with the physical layer (layer 1) and goes up to layer 7 (application). When troubleshooting with a Cisco router, much of your time will be spent working in layers 1-3. They are:

  • Layer 3 - Network
  • Layer 2 - Data Link
  • Layer 1 - Physical

Because these layers build on each other, layer 1 is the most critical: without layer 1, layer 2 will not function; without layers 1 and 2, layer 3 will not function, and so on. For this reason, I start troubleshooting at layer 1, the physical layer, and move up from there.

Here is what you look for:

  • Is the interface UP?
  • Is the line protocol UP?
  • Unless both the interface and the line protocol are UP, your connection is never going to work.
  • To resolve a line that is down, I look at the cable or the keepalives.
  • To resolve a line protocol that is down, check that the protocols match on each side of the connection (notice the "line protocol" on each of the interfaces above).
  • Are you taking input, CRC, framing, or other errors on the line (notice how the serial interface above does show errors)? If so, check your cable or contact your provider.

In general, verify that you have a good cable on each side, verify that line protocols match, and that clocking settings are correct.

If this is an Ethernet connection, is there a link light on the switch?

If this is a serial connection, do you have an external CSU/DSU? If it is an external CSU, check that the Carrier Detect (CD) light & data terminal ready (DTR) lights are on. If not, contact your provider. This also applies if you have an internal Cisco WIC CSU card. If that is the case, take a look at this Cisco link on understanding the lights on that card.

You can, of course, use the Cisco IOS test commands to test your network interfaces with internal staff and with your telecommunications providers.

Do not proceed to upper level layers until your Physical interface on the router shows as being UP and your line protocol is UP. Until then, don't worry about IP addressing, pinging, access-lists or anything like that.
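As an added example that is not part of the original article, the following Python script parses constructed "show interfaces" text (the sample output below is made up for this illustration, not captured from a real router) and applies the bottom-up order described above: it reports layer 1 problems (interface down, administratively down, input/CRC/framing errors) before layer 2 problems (line protocol down) and only clears an interface for layer 3 work once it is up/up with clean counters. The regular expressions and the per-layer advice strings are my own; only the overall checking order comes from the article.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of Cisco IOS "show interfaces" output. It is
# not taken from the article or a real device; addresses are documentation ranges.
SAMPLE_SHOW_INTERFACES = """\
Serial0/0 is up, line protocol is down
  Hardware is PowerQUICC Serial
  Internet address is 192.0.2.1/30
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
     120 input errors, 45 CRC, 30 frame, 0 overrun, 0 ignored, 0 abort
FastEthernet0/0 is up, line protocol is up
  Hardware is AmdFE, address is 0000.0c12.3456 (bia 0000.0c12.3456)
  Internet address is 198.51.100.1/24
  Encapsulation ARPA, loopback not set
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
Serial0/1 is administratively down, line protocol is down
  Hardware is PowerQUICC Serial
  Encapsulation PPP
FastEthernet0/1 is down, line protocol is down
  Hardware is AmdFE
  Encapsulation ARPA, loopback not set
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
"""

_STATUS_RE = re.compile(
    r"^(?P<name>\S+) is (?P<status>administratively down|up|down), "
    r"line protocol is (?P<proto>up|down)")
_ENCAP_RE = re.compile(r"^\s*Encapsulation (?P<encap>[^,\s]+)")
_ERRORS_RE = re.compile(
    r"(?P<input>\d+) input errors, (?P<crc>\d+) CRC, (?P<frame>\d+) frame")


def parse_show_interfaces(text: str) -> Dict[str, dict]:
    """Split 'show interfaces' output into one record per interface."""
    interfaces: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = _STATUS_RE.match(line)
        if m:
            current = {"status": m["status"], "protocol": m["proto"],
                       "encapsulation": None, "input_errors": 0, "crc": 0, "frame": 0}
            interfaces[m["name"]] = current
            continue
        if current is None:
            continue
        m = _ENCAP_RE.match(line)
        if m:
            current["encapsulation"] = m["encap"]
        m = _ERRORS_RE.search(line)
        if m:
            current["input_errors"] = int(m["input"])
            current["crc"] = int(m["crc"])
            current["frame"] = int(m["frame"])
    return interfaces


def diagnose(iface: dict) -> List[Tuple[int, str]]:
    """Return (OSI layer, finding) pairs, lowest layer first: fix layer 1
    before looking at layer 2, and only touch IP once the port is up/up."""
    findings: List[Tuple[int, str]] = []
    if iface["status"] == "administratively down":
        findings.append((1, "interface is shut down in the configuration; nothing to test yet"))
    elif iface["status"] == "down":
        findings.append((1, "no carrier: check the cable, link light, CSU/DSU CD and DTR lights"))
    if iface["input_errors"] or iface["crc"] or iface["frame"]:
        findings.append((1, f"{iface['input_errors']} input errors ({iface['crc']} CRC, "
                            f"{iface['frame']} framing): check cable/clocking or contact the provider"))
    if iface["status"] == "up" and iface["protocol"] == "down":
        findings.append((2, f"line protocol down with encapsulation {iface['encapsulation']}: "
                            "verify encapsulation, keepalives and clocking match the far end"))
    if not findings:
        findings.append((3, "up/up with clean counters: move on to IP addressing and ping"))
    return sorted(findings)


if __name__ == "__main__":
    for name, iface in parse_show_interfaces(SAMPLE_SHOW_INTERFACES).items():
        for layer, finding in diagnose(iface):
            print(f"{name}: layer {layer}: {finding}")
```

The script stops at the first layer with a problem for each interface, which is the point of the bottom-up method: a line-protocol finding on an interface that is also logging CRC errors is listed second, because a bad cable can produce both symptoms.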


I would recommend taking this interface configuration and comparing it, side by side, with the remote WAN connection to ensure they are the same. Ask yourself questions like:

  • Are these interfaces on the same IP network?
  • Do these interfaces have the same subnet mask?
  • Are there any access-lists (ACL) that are blocking your traffic?
  • Can you remove all optional IP features to make sure that the basic configuration works before adding additional features that could be causing trouble?

Router Troubleshooting at OSI Layer 3 - Network

Once you have layers 1 and 2 working (your show interface command shows the line is "UP & UP"), it is time to move on to layer 3, the OSI Network layer. The easiest way to see if layer 3 is working is to ping the remote side of the LAN or WAN link from this router. Make sure you ping as close as possible to the router you are trying to communicate with, from one side across to the other.

Router Troubleshooting at OSI Layer 1 & 2 - Physical & Data link

Remember, if layer 1 isn't up, nothing else will work, so make sure you start here. Examples of layer 1 are your T1 circuit or your Ethernet cable: physical connectivity. I usually troubleshoot layer 1 and layer 2 in unison because they are so closely paired. Examples of layer 2 (data link) are your line protocols, such as Ethernet, ATM, 802.11, PPP, Frame Relay, or HDLC.

To troubleshoot at these layers, the first thing I would do on your router is a show interface.

Router Troubleshooting at OSI Layers 4 - 7

Now, let's say you have made it to the point where you can ping from LAN to LAN through your WAN. Congratulations, that is a very good sign. If you are still having trouble, it must be in OSI layers 4-7. Here are those layers listed out, with possible issues you might experience in each:

  • Layer 4 - Transport - the transport layer holds TCP and UDP; you could have an ACL or QoS feature blocking or slowing this traffic. Your TCP traffic could also be fragmented to the point that it cannot be reassembled. Another possibility is that you are not receiving an ACK back for traffic that was successfully sent.

  • Layer 5 - Session - in the session layer are protocols like SQL, NFS, SMB, or RPC - you could be taking errors on any one of these session protocols. I would recommend using a protocol analyzer like Wireshark to analyze your session data.

  • Layer 6 - Presentation - in the Presentation layer are data encryption, compression, and formatting - your VPN tunnel could be failing, or perhaps you are sending one type of data (like an MPEG) and the receiver is trying to view it as a WMV file.

  • Layer 7 - Application - in the Application layer are, of course, your applications like FTP, HTTP, SCP, TFTP, TELNET, SSH, and more - you could be trying to connect to a telnet server with the SSH protocol, for example.

  • Layer 8 - End User - the standing joke is that "Layer 8" is the user - the user could be just mistyping their username or password or you, the network admin, could have been troubleshooting the wrong IP address all along.

Summary

In summary, using the OSI model to troubleshoot connectivity issues is the fastest and most efficient way to troubleshoot any network issue. Even if someone calls you to work on a Windows share problem, all of the same principles in this article apply to that troubleshooting process. So the next time you work on a network issue, remember the OSI model and how to use the bottom-up approach to troubleshooting! It could save you a whole lot of time!

What is Spanning Tree? What is PortFast?

Question
What is Spanning Tree and PortFast?


Answer
The Spanning-Tree Protocol (STP) was created to overcome the problems of transparent bridging in redundant networks. The purpose of STP is to avoid and eliminate loops in the network by negotiating a loop-free path through a root bridge. This is done by determining where there are loops in the network and blocking links that are redundant.

Spanning-Tree Protocol executes an algorithm called the Spanning-Tree Algorithm (STA). To find redundant links, STA chooses a reference point called the Root Bridge and then determines all the available paths to that reference point. If it finds a redundant path, it chooses the best path for forwarding and blocks all other redundant paths. This effectively severs the redundant links within the network.

All switches participating in STP gather information on other switches in the network through an exchange of data messages. These messages are referred to as Bridge Protocol Data Units (BPDUs). The exchange of BPDUs in a switched environment will result in the election of a root switch for the stable spanning-tree network topology, election of designated switch for every switched segment, and the removal of loops in the switched network by placing redundant switch ports in a backup state.

During the execution of the Spanning-Tree Algorithm, Spanning-Tree will force the ports to go into five different states:
  • Blocked
  • Listen
  • Learn
  • Forward
  • Disabled

A Description of each state follows:

  • Blocked—All ports start in the blocked mode in order to prevent the switch from creating a loop.
  • Listen—The port transitions from the blocked state to the listen state. It uses this time to attempt to learn whether there are any other paths to the root bridge. This state is really used to indicate that the port is getting ready to transmit but it would like to listen for a little longer to make sure it does not create a loop.
  • Learn—When in this state, the switch will add information it has learned through the listening process to its address table. It is still not allowed to send data.
  • Forward—This state means the port can send and receive data.
  • Disabled—The switch can disable a port for a variety of reasons including: hardware failure, deletion of the port's native VLAN, and being administratively disabled.

The transitioning period from state to state takes the following times by default:

  • From blocking to listening: 20 seconds
  • From listening to learning: 15 seconds
  • From learning to forwarding: 15 seconds

Spanning-Tree Protocol runs by default on all ports of the switch. It makes each port wait up to 50 seconds before data is allowed to be sent on the port. This delay in turn can cause problems with some applications/protocols (PXE, Bootworks, etc.). To alleviate the problem, PortFast was implemented on Cisco devices; the terminology might differ between vendors' devices.

PortFast causes a port to enter the forwarding state almost immediately by dramatically decreasing the time of the listening and learning states. Portfast minimizes the time it takes for the server or workstation to come online, thus preventing problems with applications such as DHCP, DNS, Novell IPX, PXE, BootWorks, etc.

The spanning-tree protocol is always running, even when the port is in the forwarding state, so that it can still detect loops. However, PortFast should only be enabled when the switch port is directly connected to a server/workstation and never to another hub/switch.

To enable PortFast on Cisco switches, enter the following command:
On set-based (CatOS) switches, at the "Switch> (enable)" prompt:
set spantree portfast <mod_number/port_number> enable
On IOS-based switches, at the "switch(config-if)#" prompt:
spantree start-forwarding
(On current IOS-based Catalyst switches the interface command is spanning-tree portfast.)

Monday, 18 June 2012

Interview Questions for Check Point Firewall Technology


Question 1 – Which of the applications in Check Point technology can be used to configure security objects?
Answer: SmartDashboard

Question 2 – Which of the applications in Check Point technology can be used to view who did what to the security policy (administrator actions)?
Answer: SmartView Tracker

Question 3 – What are the two types of Check Point NG licenses?
Answer: Central and Local licenses

Central licenses are the new licensing model for NG and are bound to the SmartCenter server. Local licenses are the legacy licensing model and are bound to the enforcement module.

Question 4 – What is the main difference between cpstop/cpstart and fwstop/fwstart?
Answer: Using cpstop and then cpstart will restart all Check Point components, including the SVN Foundation. Using fwstop and then fwstart will only restart VPN-1/FireWall-1.

Question 5 – What are the functions of the CPD, FWM, and FWD processes?
Answer: CPD – CPD sits high in the hierarchical chain and helps to execute many services, such as Secure Internal Communication (SIC), licensing and status reporting.

FWM – The FWM process is responsible for the database activities of the SmartCenter server. It is, therefore, responsible for policy installation, Management High Availability (HA) synchronization, saving the policy, database read/write actions, log display, etc.

FWD – The FWD process is responsible for logging. It is involved in logging, Security Servers and communication with OPSEC applications.

Question 6 – What are the types of NAT and how are they configured in the Check Point firewall?
Answer: Static Mode (Manually Defined)

Intrusion Detection Systems Interview Questions


This section is also a very good resource for preparation of job interviews for IDS.

What is Intrusion Detection?
Intrusion Detection is the active process of documenting and catching attackers and malicious code on a network. It comes in two types of software: host-based software and network-based software.
Why is an Intrusion Detection System (IDS) important?
Computers connected directly to the Internet are subject to relentless probing and attack. While protective measures such as safe configuration, up-to-date patching, and firewalls are all prudent steps, they are difficult to maintain and cannot guarantee that all vulnerabilities are shielded. An IDS provides defense in depth by detecting and logging hostile activities. An IDS acts as "eyes" that watch for intrusions when other protective measures fail.

What is the difference between a Firewall and an Intrusion Detection System?
A firewall is a device normally installed at the perimeter of a network to define the rules for access to particular resources inside the network. On the firewall, anything that is not explicitly allowed is denied. A firewall allows and denies access through its rule base.

An Intrusion Detection System is a software or hardware device installed on the network (NIDS) or host (HIDS) to detect and report suspicious activity.

In simple terms, while a firewall is the gate or door of a superstore, an IDS is a security camera. A firewall can block connections, while an IDS cannot. An IDS can, however, alert on any suspicious activity.
An Intrusion Prevention System is a device that can proactively block connections if it finds them to be suspicious in nature.

If an IDS device cannot prevent a hack, then why have IDS devices?

Agreed, an IDS device cannot prevent a hack and can only alert on suspicious activity. However, if we go by past experience, hacks and system compromises are not something that happens overnight. Planned compromise attempts can take several days, weeks, months and in some cases even years. So an IDS can alert you so that you can take the necessary precautions to protect your resources.
What is a network based IDS system?

An IDS is a system designed to detect and report unauthorized attempts to access or utilize computer and/or network resources. A network-based IDS collects, filters, and analyzes traffic that passes through a specific network location.
Are there other types of IDS besides network based?

The other common type of IDS is host-based. In host-based IDS each computer (or host) has an IDS client installed that reports either locally or to a central monitoring station. The advantage of a host-based IDS is that the internal operation and configuration of the individual computers can be monitored.
What is the difference between Host-based (HIDS) and Network-based IDS (NIDS)?

HIDS is software which reveals whether a machine is being, or has been, compromised. It does this by checking the files on the machine for possible problems. Software described as host-based IDS could include file integrity checkers (Tripwire), anti-virus software (Norton AV, McAfee), server logs (Event Viewer or syslog), and in some ways even backup software can be a HIDS. ISS RealSecure has many HIDS products.
NIDS is software which monitors network packets and examines them against a set of signatures and rules. When the rules are violated, the action is logged and the admin can be alerted. Examples of NIDS software are Snort, ISS RealSecure, Enterasys Dragon and Intrusion.
Are there any drawbacks of host-based IDS systems?

There are three primary drawbacks of a host-based IDS:
(1) It is harder to correlate network traffic patterns that involve multiple computers;
(2) Host-based IDSs can be very difficult to maintain in environments with a lot of computers, with variations in operating systems and configurations, and where computers are maintained by several system administrators with little or no common practices;
(3) Host-based IDSs can be disabled by attackers after the system is compromised.

Why, when and where to use host based IDS systems?

Host-based IDS systems are used to closely monitor any actions taking place on important servers and machines, and to detect anomalies and unusual activity on them. You use a host-based IDS when you cannot risk the compromise of a server; the server has to be important and mission critical to justify it. Host-based IDS systems are agents that run on the critical servers; the agent is installed on the server being monitored.
What is a Signature?

A signature is recorded evidence of a system intrusion, typically used as part of an intrusion detection system (IDS). When a malicious attack is launched against a system, the attack typically leaves evidence of the intrusion in the system's logs. Each intrusion leaves a kind of footprint behind (e.g., unauthorized software executions, failed logins, misuse of administrative privileges, file and directory access) that administrators can document and use to prevent the same attacks in the future. By keeping tables of intrusion signatures and instructing devices in the IDS to look for them, a system's security is strengthened against malicious attacks.
Because each signature is different, system administrators can determine from the intrusion signature what the intrusion was, and how and when it was perpetrated.

What are the common types of attacks and signatures?

There are three types of attacks:

Reconnaissance - These include ping sweeps, DNS zone transfers, e-mail recons, TCP or UDP port scans, and possibly indexing of public web servers to find CGI holes.

Exploits - Intruders take advantage of hidden features or bugs to gain access to the system.

Denial-of-service (DoS) attacks - The intruder attempts to crash a service (or the machine), overload network links, overload the CPU, or fill up the disk. The intruder is not trying to gain information, but simply to act as a vandal and prevent you from making use of your machine.

Note: The signatures are written based on these types of attacks.
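As an added example that is not part of the original article, the following Python script shows what a small signature set for the three attack categories above looks like when run over connection-log lines. The log format (timestamp, source, destination, protocol, destination port, action) and every address in the sample are constructed for this illustration; the thresholds are arbitrary defaults an analyst would tune, and a real NIDS such as Snort matches packet content as well as these flow-level patterns.

```python
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple, Set


class Event(NamedTuple):
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: int


class Alert(NamedTuple):
    category: str     # reconnaissance / exploit / denial-of-service, as on the page
    signature: str
    actor: str
    detail: str


def parse_log(text: str) -> List[Event]:
    """Parse constructed 'timestamp src dst proto dport action' connection-log lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()[:5]
        stamp = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        events.append(Event(stamp, src, dst, proto, int(dport)))
    return events


def detect(events: List[Event], window_sec: int = 60, scan_ports: int = 10,
           sweep_hosts: int = 5, flood_per_sec: int = 50) -> List[Alert]:
    """Three flow-level signatures: a TCP port scan and a ping sweep
    (reconnaissance, judged per source within a time window) and a connection
    flood against one service (denial-of-service, judged per target per second)."""
    by_src_window: Dict[tuple, List[Event]] = defaultdict(list)
    per_target_second: Dict[tuple, int] = defaultdict(int)
    for e in events:
        epoch = int(e.ts.timestamp())
        by_src_window[(e.src, epoch // window_sec)].append(e)
        if e.proto == "tcp":
            per_target_second[(e.dst, e.dport, epoch)] += 1

    alerts: List[Alert] = []
    for (src, _window), evs in sorted(by_src_window.items()):
        ports_per_dst: Dict[str, Set[int]] = defaultdict(set)
        icmp_targets: Set[str] = set()
        for e in evs:
            if e.proto == "tcp":
                ports_per_dst[e.dst].add(e.dport)
            elif e.proto == "icmp":
                icmp_targets.add(e.dst)
        for dst, ports in sorted(ports_per_dst.items()):
            if len(ports) >= scan_ports:
                alerts.append(Alert("reconnaissance", "tcp port scan", src,
                                    f"{len(ports)} distinct ports on {dst} within {window_sec}s"))
        if len(icmp_targets) >= sweep_hosts:
            alerts.append(Alert("reconnaissance", "ping sweep", src,
                                f"{len(icmp_targets)} hosts probed within {window_sec}s"))
    for (dst, dport, _sec), count in sorted(per_target_second.items()):
        if count >= flood_per_sec:
            alerts.append(Alert("denial-of-service", "tcp connection flood", f"{dst}:{dport}",
                                f"{count} connection attempts in one second"))
    return alerts


# Constructed sample log: one probing source, one sweeping source, a normal
# workstation, and a burst of attempts against a single web server port.
SAMPLE_LOG = "\n".join(
    [f"2012-10-28T10:00:{i:02d} 203.0.113.5 198.51.100.10 tcp {20 + i} deny" for i in range(16)]
    + [f"2012-10-28T10:00:{i:02d} 203.0.113.9 198.51.100.{i + 1} icmp 0 permit" for i in range(6)]
    + ["2012-10-28T10:00:05 192.0.2.7 198.51.100.10 tcp 443 permit",
       "2012-10-28T10:00:09 192.0.2.7 198.51.100.10 tcp 443 permit"]
    + [f"2012-10-28T10:01:30 203.0.113.{40 + i % 8} 198.51.100.20 tcp 80 permit" for i in range(60)]
)

if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(f"[{alert.category}] {alert.signature}: {alert.actor} ({alert.detail})")
```

Note that the flood signature is keyed on the target, not the source: the eight sources in the sample each touch only one port, so none of them trips the scan rule, and only aggregating by destination reveals the pattern. That is also why the workstation talking to port 443 twice produces no alert.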

ROUTING - Interview Questions


ROUTING

Default administrative distance:
Connected interface - 0
Static route - 1
External BGP - 20
Internal EIGRP - 90
IGRP - 100
OSPF - 110
IS-IS - 115
RIP v1, v2 - 120
External EIGRP - 170
Internal BGP - 200
Unknown - 255

Distance vector protocol:
Finds the best path by using distance, i.e. hop count. Examples: RIP, IGRP.

Link state protocol:
Finds the best path using three tables (neighbor table, topology table, and routing table). Examples: OSPF, IS-IS.
Link state protocols use an area architecture.
A link state protocol advertises all of its routes to its neighbors, even if the neighbors are not using those routes.

Hybrid protocol:
A mix of distance vector and link state (EIGRP).
EIGRP advertises only its best routes to its neighbors, which is why EIGRP is not classed as a link state routing protocol.

ROUTING preference (order of route selection)
1. Most specific subnet mask (longest prefix match)
2. Administrative distance
3. Metric
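As an added example that is not part of the original notes, the following Python code applies the three-step preference order above to a small constructed routing table: administrative distance and metric decide which candidate for an identical prefix gets installed, and the longest prefix match then decides which installed route a destination uses. The two 192.168.1.x prefixes and their next hops 1.1.1.1 and 2.2.2.2 are the ones used in the BGP question later on this page; the remaining routes, the source names and the `ADMIN_DISTANCE` table keys are my own constructions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Default administrative distances as listed above (Cisco IOS defaults).
ADMIN_DISTANCE = {
    "connected": 0, "static": 1, "ebgp": 20, "eigrp": 90, "igrp": 100,
    "ospf": 110, "isis": 115, "rip": 120, "eigrp-external": 170, "ibgp": 200,
}


@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "192.168.1.0/24"
    next_hop: str
    source: str      # key into ADMIN_DISTANCE
    metric: int = 0

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix)

    @property
    def admin_distance(self) -> int:
        return ADMIN_DISTANCE[self.source]


def build_rib(candidates: Iterable[Route]) -> List[Route]:
    """Steps 2 and 3 of the preference order: for each identical prefix keep
    the candidate with the lowest administrative distance, then the lowest
    metric. Equal-cost multipath is left out to keep the example short."""
    best: Dict[str, Route] = {}
    for r in candidates:
        cur = best.get(r.prefix)
        if cur is None or (r.admin_distance, r.metric) < (cur.admin_distance, cur.metric):
            best[r.prefix] = r
    return list(best.values())


def lookup(rib: List[Route], destination: str) -> Optional[Route]:
    """Step 1 of the preference order: longest prefix match. The most specific
    route wins regardless of the AD or metric of a less specific one."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in rib if dst in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: r.network.prefixlen)


# Constructed candidate routes offered to the RIB by different protocols.
CANDIDATES = [
    Route("192.168.1.0/24", "1.1.1.1", "ospf", metric=20),
    Route("192.168.1.0/24", "10.0.0.9", "rip", metric=3),     # loses: AD 120 > 110
    Route("192.168.1.128/25", "2.2.2.2", "rip", metric=2),
    Route("10.10.0.0/16", "10.0.0.5", "ospf", metric=30),
    Route("10.10.0.0/16", "10.0.0.6", "ospf", metric=10),     # wins: same AD, lower metric
    Route("0.0.0.0/0", "203.0.113.1", "static"),
]
RIB = build_rib(CANDIDATES)

if __name__ == "__main__":
    for dest in ("192.168.1.200", "192.168.1.10", "10.10.4.4", "8.8.8.8"):
        r = lookup(RIB, dest)
        print(f"{dest} -> {r.next_hop} via {r.prefix} ({r.source})")
```

The 192.168.1.200 lookup is the instructive case: the /25 learned by RIP (AD 120) beats the /24 learned by OSPF (AD 110) because prefix length is compared before administrative distance ever comes into play.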

EIGRP - Network Interview Questions


EIGRP

I) EIGRP Features
  1. Fast convergence - it uses DUAL (Diffusing Update Algorithm). A router running EIGRP stores a backup route (feasible successor).
  2. Minimum bandwidth usage - it does not send periodic updates (non-periodic). It sends partial, bounded updates only when the topology changes.
  3. Multiple network layer protocol support - it supports IPX/SPX and AppleTalk.
  4. It supports VLSM and classless routing.
  5. It supports load balancing over equal- and unequal-cost paths (up to 6 paths; the default is 4).
  6. It uses multicast (224.0.0.10) instead of broadcast.
  7. Summarization can be done on any router running EIGRP, whereas in OSPF it can only be done on an ABR or ASBR.
  8. It combines the best of distance vector and link state.
  9. Hello packets are sent every 5 sec on most links; the hold time is 3 times the hello interval.
  10. Hello packets on NBMA links are sent every 60 sec, and the hold time is 3 times that (180 sec).
II) Advertised distance (AD): the cost between the next-hop router and the destination router.

Feasible distance (FD): the cost between the next-hop router and the destination (AD) plus the cost between the local router and the next-hop router. The lowest FD is the best path (successor).


Successor: Best route stored in routing table and Topology table.


Feasible successor: backup route stored in the topology table. To be considered a feasible successor, the AD must be less than the FD of the successor. This condition is what prevents routing loops.


Passive Route: Passive state is a state when the router has identified the successor(s) for the destination.


Active Route: Active state when current successor no longer satisfies the Feasibility Condition.

Neighbor Table: List of directly connected routers.
Topology Table: List of routers learned from each neighbor.
Routing Table: List of best routes.


The neighbor table feeds routing information into the topology table, and the routing table is created by taking the best paths from the topology table.


EIGRP Packets:

Hello- Establish neighbor relationships ( multicast)
Update- send routing updates
Query-Ask neighbors about routing information.
Reply- Respond to query
Ack - Acknowledges all reliable packets except Hello packets.

Note: The no auto-summary command stops EIGRP from automatically summarizing the networks on the router's interfaces at classful boundaries when advertising them; it turns on the classless behaviour of EIGRP.

Metric: Bandwidth, Delay, Reliability ,Loading, MTU


Default metric: 256 * (BW + Delay)

BW = 10^7 / bandwidth (in kbps)
Delay = delay in microseconds


To change the other metric weights manually, use this command. It is not on the Cisco website and is very rarely known and used.

Router(config)# router eigrp 10
Router(config-router)# metric weights tos k1 k2 k3 k4 k5

tos is the type of service; it is always 0.

Troubleshooting commands:
show ip eigrp topology, show ip eigrp neighbors, show ip eigrp traffic

Summarization (interface command):
ip summary-address eigrp 1 172.16.0.0 255.255.255.248

Unequal-cost load balancing (under router eigrp):

variance 2 (2 is the multiplier)
variance 1 (equal-cost load balancing only; this is the default)
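As an added example that is not part of the original notes, the following Python code works through the three EIGRP calculations described above: the composite metric with the K weights, the feasibility condition (AD strictly less than the successor's FD) for the feasible successor definition given earlier, and the variance multiplier for unequal-cost load balancing. One detail the notes gloss over: in the IOS formula the delay term is the cumulative interface delay in tens of microseconds (the delay shown by show interfaces divided by 10), and the computation truncates at each division; that is what reproduces the 281600 and 307200 values in the topology table output later in this post (one and two 10 Mbps Ethernet segments) and the well-known T1 value 2169856. The first candidate set is copied from that topology table; the second set, the `Link` and `Candidate` classes and all hypothetical 10.1.1.x next hops are my own constructions.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Link:
    bandwidth_kbps: int
    delay_usec: int


def eigrp_metric(path: Sequence[Link], k=(1, 0, 1, 0, 0),
                 load: int = 1, reliability: int = 255) -> int:
    """Composite metric of a path: minimum bandwidth and cumulative delay along
    the path, weighted by K1..K5 (the 'metric weights' knobs), scaled by 256.
    With the default K values this reduces to 256 * (10^7 / min BW + delay),
    delay being summed in tens of microseconds; IOS uses integer arithmetic."""
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // min(link.bandwidth_kbps for link in path)
    delay = sum(link.delay_usec // 10 for link in path)
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5:
        metric = (metric * k5) // (reliability + k4)
    return 256 * metric


@dataclass(frozen=True)
class Candidate:
    next_hop: str
    fd: int   # feasible distance: the whole path's metric as seen by this router
    ad: int   # advertised (reported) distance: the neighbour's own metric to the destination


def classify(candidates: Sequence[Candidate], variance: int = 1
             ) -> Tuple[Candidate, List[Candidate], List[Candidate]]:
    """Return (successor, feasible successors, load-sharing set).
    A candidate is a feasible successor only if its AD is strictly less than
    the successor's FD (the loop-freedom guarantee); with variance n, feasible
    successors whose FD is at most n times the successor's FD also carry traffic."""
    successor = min(candidates, key=lambda c: c.fd)
    feasible = [c for c in candidates if c is not successor and c.ad < successor.fd]
    shared = [successor] + [c for c in feasible if c.fd <= variance * successor.fd]
    return successor, feasible, shared


# Interface figures for classic 10 Mbps Ethernet and a T1 serial link.
ETHERNET = Link(bandwidth_kbps=10_000, delay_usec=1000)
T1 = Link(bandwidth_kbps=1544, delay_usec=20_000)

# The three entries shown for 172.16.90.0 in the topology table later in the
# post, written as (FD/AD) there; the third fails the feasibility condition.
TOPOLOGY_172_16_90_0 = [
    Candidate("172.16.80.28", fd=46251776, ad=46226176),
    Candidate("172.16.81.28", fd=46251776, ad=46226176),
    Candidate("172.16.80.31", fd=46277376, ad=46251776),
]

# Constructed set (hypothetical next hops) showing what variance changes.
CONSTRUCTED = [
    Candidate("10.1.1.1", fd=307200, ad=281600),   # successor
    Candidate("10.1.1.2", fd=409600, ad=281600),   # feasible; used only with variance >= 2
    Candidate("10.1.1.3", fd=358400, ad=332800),   # better FD than .2 but fails the FC
]

if __name__ == "__main__":
    print("one Ethernet hop:", eigrp_metric([ETHERNET]))
    print("two Ethernet hops:", eigrp_metric([ETHERNET, ETHERNET]))
    print("T1:", eigrp_metric([T1]))
    for variance in (1, 2):
        succ, feas, shared = classify(CONSTRUCTED, variance)
        print(f"variance {variance}: successor {succ.next_hop}, "
              f"feasible {[c.next_hop for c in feas]}, sharing {[c.next_hop for c in shared]}")
```

The constructed set makes the point that variance never overrides the feasibility condition: 10.1.1.3 has a lower FD than 10.1.1.2, but its AD is not below the successor's FD, so no variance value will admit it, while 10.1.1.2 joins the load-sharing set as soon as variance reaches 2.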

Stuck in Active (SIA): when a router needs a backup route, it sends query messages to the other routers through its active interfaces. The router waits up to 3 minutes for reply messages from all queried routers, even if it has already received a backup route from one of them.


Methods to prevent SIA: 1) Summary routes 2) Stub configuration


NewYork#sh ip eigrp neighbor

IP-EIGRP neighbors for process 10
H   Address          Interface   Hold Uptime    SRTT   RTO  Q   Seq
                                 (sec)          (ms)        Cnt Num
1   172.16.251.2     Se0/1         10 00:17:08    28  2604  0   7
0   172.16.250.2     Se0/0         13 00:24:43    12  2604  0   14

Router# show ip eigrp topology
IP-EIGRP Topology Table for process 77
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - Reply status
P 172.16.90.0 255.255.255.0, 2 successors, FD is 0
         via 172.16.80.28 (46251776/46226176), Ethernet0
         via 172.16.81.28 (46251776/46226176), Ethernet1
         via 172.16.80.31 (46277376/46251776), Serial0
P 172.16.81.0 255.255.255.0, 1 successors, FD is 307200
         via Connected, Ethernet1
         via 172.16.81.28 (307200/281600), Ethernet1
         via 172.16.80.28 (307200/281600), Ethernet0
         via 172.16.80.31 (332800/307200), Serial0

CHECK POINT FIREWALL-1: EXTENSIBLE STATEFUL INSPECTION

Check Point FireWall-1's Stateful Inspection architecture utilizes a unique, patented INSPECT Engine which enforces the security policy on the gateway on which it resides. The INSPECT Engine looks at all communication layers and extracts only the relevant data, enabling highly efficient operation, support for a large number of protocols and applications, and easy extensibility to new applications and services.

The INSPECT Engine is programmable using Check Point's powerful INSPECT Language. This provides important system extensibility, allowing Check Point, as well as its technology partners and end users, to incorporate new applications, services, and protocols, without requiring new software to be loaded. For most new applications, including most custom applications developed by end users, the communication-related behavior of the new application can be incorporated simply by modifying one of FireWall-1's built-in script templates via the graphical user interface. Even the most complex applications can be added quickly and easily via the INSPECT Language. Check Point provides an open application programming interface (API) for third-party developers.

Ref - www.checkpoint.com

Network and Security interview questions (Cisco)

Cisco Firewall


1. What is Stateful Inspection and Packet Filtering? What is the difference?
2. What is the Adaptive Security Algorithm?
3. What are the default security levels for interfaces in the firewall?
4. How does the firewall treat TCP and UDP packets when they cross the firewall?
5. Tell me about the different types of NAT.
6. What is the order of NAT?
7. What is NAT Control?
8. What troubleshooting mechanisms should be followed on Cisco firewalls?
a) What are the different flow lookups in the output of Packet Tracer?
9. What is Stateful Failover? (command to enable failover)
10. What is a Transparent Firewall?
11. How do you check the connections and NAT translations?
12. How would you troubleshoot a high utilization issue in the firewall?
13. What is one of the best issues you have troubleshot with a firewall?
14. What is the difference between an IPS and a firewall?


VPN


1. What is Site-to-Site and Remote Access VPN?
2. What is a phase 1 tunnel and what parameters are involved?
3. What is a phase 2 tunnel and what parameters are involved?
4. What is PFS?
5. Why is DH required?
6. How do you check the status of the tunnel in phase 1 and 2?
7. What commands are required to troubleshoot a VPN?
8. What is GRE and why is it required?
9. How can we carry routing updates via IPsec without GRE?
10. What is NAT Traversal?
11. What ports are involved in NAT Traversal?


General


1. What is the difference between TCP and UDP?
2. What is ARP and RARP?
3. At what layer does a firewall work?
4. What is DNS doctoring?
5. What is proxy ARP and gratuitous ARP?
6. Active and passive FTP?
7. What is a DHCP relay agent? If the DHCP server is located in a different subnet, how does the process work?
8. What is MTU and fragmentation?
9. What is a DoS attack and a spoofing attack? How can they be prevented?




Routing


1. What is subnetting and supernetting?
2. What is a static route and a default route?
3. What is classful and classless routing?
4. What is dynamic routing?


A)OSPF


1. What metric is used by OSPF?
2. What parameters are required for an OSPF neighbourship?
3. What is NSSA, stubby, totally stubby?
4. How is the cost of an interface calculated?
5. Commands to view the OSPF neighbours?


B)EIGRP


1. What is the metric for EIGRP and its AD?
2. What is stuck in active?
3. How does unequal-cost load balancing work with EIGRP?
4. What is the difference between EIGRP and OSPF?
5. Commands to view the EIGRP neighbours?


C)BGP


1. What is IBGP and EBGP?
2. What is local preference and MED?
3. What is BGP synchronization?
4. What is the AD of IBGP and EBGP?
5. We have two entries in the routing table, say for example:


192.168.1.0/24 --> 1.1.1.1
192.168.1.128/25 --> 2.2.2.2


What is the next hop to reach 192.168.1.200?


6. Why is redistribution required?
7. How would you filter the routes being redistributed?


Cisco IPS


1. What is IPS and IDS? Tell me the difference between them.
2. What IPS modules have you worked with?
3. What is AIP-SSM?
4. What is promiscuous and inline mode?
5. What is a signature? Tell me some signature engines.
6. How would you implement an IPS in a network?
7. How would you manage an IPS?
8. What is a false positive and a false negative?
9. What event actions are involved in inline mode?

STATEFUL INSPECTION TECHNOLOGY

Stateful Inspection, invented by Check Point Software Technologies, has emerged as the industry standard for enterprise-class network security solutions. Stateful Inspection is able to meet all the security requirements defined above while traditional firewall technologies, such as packet filters and application-layer gateways, each fall short in some areas. With Stateful Inspection, packets are intercepted at the network layer for best performance (as in packet filters), but then data derived from all communication layers is accessed and analyzed for improved security (compared to layers 4–7 in application-layer gateways). Stateful Inspection then introduces a higher level of security by incorporating communication- and application-derived state and context information which is stored and updated dynamically. This provides cumulative data against which subsequent communication attempts can be evaluated. It also delivers the ability to create virtual session information for tracking connectionless protocols (for example, RPC and UDP-based applications), something no other firewall technology can accomplish.

Ref - www.checkpoint.com

Network Security Tools list

Penetration Testing Tools


1. Nmap - Port scanner - Windows & Linux
2. Nessus - Vulnerability scanner - Windows & Linux
3. Xprobe - Operating system detection - Linux
4. Ethereal - Packet sniffer - Windows & Linux
5. J2SDK and JRE - Java framework needed for many tools to run - Windows & Linux
6. Citrix client - Client used to connect to a Citrix instance if running - Windows
7. MySQL client - Client used to connect to a running MySQL database - Windows & Linux
8. VNC client - Client used to connect to a running VNC server - Windows
9. OAT - Oracle enumeration toolkit - Windows & Linux
10. Tnscmd.pl - Oracle enumeration tool - Windows & Linux
11. Wget - Website downloader - Windows & Linux
12. Tsgrinder - Terminal Services brute force password cracker - Windows
13. SqlPing3 - MS-SQL enumeration - Windows
14. Orabf - Oracle brute force password cracker - Windows & Linux
15. Checkpwd - Oracle brute force password cracker - Windows & Linux
16. Explore2fs - Copying files from a local Linux partition to Windows - Windows
17. Getif - SNMP enumeration - Windows
18. Enum - Check for null session establishment - Windows
19. Site-Digger - Google hacking - Windows
20. httprint - Web server fingerprinting - Windows
21. Cerberus FTP server - Simple FTP server used when you need to upload tools on to the server - Windows
22. Netcat - Create a listener on a remote host once you're in - Windows & Linux
23. Screenshooter - Used to take quick screenshots using predefined hotkeys - Windows
24. Resource Kit tools - Numerous Windows tools to enumerate the various services offered by Windows - Windows
25. Lsnrcheck - Enumerate Oracle listener - Windows
26. PuTTY - Establish connections to open ports - Windows
27. Cain and Abel - ARP poisoning and brute forcing various types of passwords, among many others - Windows
28. Adfind and LdapMiner - Enumerate Active Directory objects - Windows
29. Nikto - Web vulnerability scanner - Windows & Linux
30. P0f - Passive OS fingerprinting - Windows & Linux
31. Metasploit - Canned exploit tool - Windows & Linux


Application Security Assessment Tools

1. Paros - Web proxy interceptor and editor - Windows
2. WinHex - RAM content viewer - Windows
3. WpePro - Real-time packet editor (thick client) - Windows
4. EchoMirage - Function call interceptor (thick client) - Windows
5. ITR - Application traffic interceptor (thick client) - Windows
6. FileMon - Identifies files that the application accesses while running - Windows
7. RegMon - Identifies registry keys that the application accesses while running - Windows
8. DllHell - Identifies DLL files that the application uses to run - Windows
9. TcpView - Identifies connections to and from local running processes - Windows
10. JsView - Firefox extension which picks out all the running JavaScripts on a web page - Windows & Linux
11. View_source_chart - Firefox extension which displays HTML source cleanly - Windows & Linux
12. Smbrelay - Intercepts SMB traffic - Windows

Cisco PIX or ASA vs. Checkpoint Firewall

Introduction

Firewall technology ranges from packet filtering to application-layer proxies, to Stateful inspection; each technique gleaning the benefits from its predecessor.

Stateful inspection works at the network layer and does not require a separate proxy for each application. This technology does not suffer from the same degradation in performance as application-level technology (proxies), which involves the extra overhead of transporting data up to the application layer. Unlike packet filters, it has the ability to maintain session state and therefore increases the security level of a network transaction.
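As an added example that is not part of the original article (and not Check Point's or Cisco's code), the following Python model contrasts the two approaches described in this post and in the "Stateful Inspection Technology" section above: a stateless packet filter that judges each packet on its own, and a stateful inspector that keeps a connection table and creates the "virtual session" for connectionless UDP that the Check Point text mentions. Everything here is a simplification built for illustration: the filter classes, the `Packet` fields, the idle timeout, the FIN/RST handling that is left out, and every address in the scenario are my own constructions.

```python
import math
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class PacketFilter:
    """Stateless filter. Each packet is judged on its own, so to let replies to
    inside-initiated sessions back in it has to permit any inbound packet aimed
    at a high (>= 1024) client port, including a brand-new connection attempt."""

    def allow(self, pkt: Packet, direction: str, now: float = 0.0) -> bool:
        if direction == "out":
            return True
        return pkt.dport >= 1024


class StatefulInspector:
    """Keeps a connection table keyed on the 5-tuple. Inbound packets are
    admitted only when they belong to a session an inside host opened. For TCP
    the outbound SYN creates the entry; for UDP there is no handshake, so the
    outbound datagram creates a 'virtual session' that expires when idle."""

    def __init__(self, udp_timeout: float = 30.0):
        self.udp_timeout = udp_timeout
        self.sessions: Dict[Tuple[str, str, int, str, int], float] = {}  # key -> expiry

    @staticmethod
    def _key(pkt: Packet, direction: str) -> Tuple[str, str, int, str, int]:
        # Normalise to (proto, inside host, inside port, outside host, outside port)
        if direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def _expire(self, now: float) -> None:
        self.sessions = {k: t for k, t in self.sessions.items() if t > now}

    def allow(self, pkt: Packet, direction: str, now: float = 0.0) -> bool:
        self._expire(now)
        key = self._key(pkt, direction)
        if direction == "out":
            if pkt.proto == "tcp":
                if pkt.syn and not pkt.ack:
                    self.sessions[key] = math.inf   # lives until torn down (FIN/RST omitted here)
                    return True
                return key in self.sessions         # mid-stream packets need a known session
            self.sessions[key] = now + self.udp_timeout
            return True
        if key not in self.sessions:
            return False                            # unsolicited inbound, whatever the port
        if pkt.proto == "tcp" and pkt.syn and not pkt.ack:
            return False                            # a new connection attempt is not a reply
        if pkt.proto == "udp":
            self.sessions[key] = now + self.udp_timeout   # refresh the virtual session
        return True


def compare() -> Dict[str, Tuple[bool, bool]]:
    """Run one constructed packet sequence through both filters.
    Values are (stateless decision, stateful decision); times are seconds."""
    pf, si = PacketFilter(), StatefulInspector(udp_timeout=30)
    out_syn = Packet("tcp", "10.0.0.5", 40000, "203.0.113.80", 443, syn=True)
    syn_ack = Packet("tcp", "203.0.113.80", 443, "10.0.0.5", 40000, syn=True, ack=True)
    unsolicited = Packet("tcp", "203.0.113.66", 12345, "10.0.0.5", 40001, syn=True)
    dns_query = Packet("udp", "10.0.0.5", 53000, "203.0.113.53", 53)
    dns_reply = Packet("udp", "203.0.113.53", 53, "10.0.0.5", 53000)
    steps = [
        ("outbound SYN", out_syn, "out", 0),
        ("SYN-ACK reply", syn_ack, "in", 1),
        ("unsolicited SYN to a high port", unsolicited, "in", 2),
        ("DNS query out", dns_query, "out", 10),
        ("DNS reply within timeout", dns_reply, "in", 15),
        ("DNS 'reply' after timeout", dns_reply, "in", 100),
    ]
    return {name: (pf.allow(p, d, t), si.allow(p, d, t)) for name, p, d, t in steps}


if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        print(f"{name:32s} stateless={stateless!s:5s} stateful={stateful}")
```

The two rows that differ are the whole argument for stateful inspection: the stateless filter must let the unsolicited SYN through because it cannot tell a reply from a new connection to port 40001, and it has no way to stop a stale UDP "reply" arriving long after the client's query, whereas the inspector rejects both because neither matches a session in its table.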

Checkpoint Firewall-1

Checkpoint FW-1 has been the firewall market leader since shortly after its introduction in 1994/95. Its well-designed GUI interface was, and still is, the best visual interface to any firewall product. This intuitive interface makes FW-1 easy to work with even for those new to firewalls.

FireWall-1 is based upon Stateful Inspection technology, the de facto standard for firewalls. Invented by Check Point, Stateful Inspection provides the highest level of security. FireWall-1's scalable, modular architecture enables an organization to define and implement a single, centrally managed Security Policy. The enterprise Security Policy is defined on a central management server through a GUI and downloaded to multiple enforcement points (Inspection Modules) throughout the network.

The FireWall-1 Inspection Module is located in the operating system (NT or UNIX) kernel at the lowest software level. The Inspection Module analyzes all packets before they reach the gateway operating system. Packets are not processed by any of the higher protocol layers unless FireWall-1 verifies that they comply with the Inspection Module security policy (it examines communications from any IP protocol or application, including stateless protocols such as UDP and RPC).

FW-1 Pros:

1) Very functional GUI interface.
2) Based on stateful inspection like the PIX, but can off-load layer 7 inspection to other servers if required.
3) Lots of features for complex environments, such as a large protected DMZ, Windows VPN support, firewall synchronization, bi-directional NAT, etc.
4) Can be used to control bi-directional traffic.
5) Detailed logging provided on the management station.

FW-1 Cons:

1) Must account for OS vulnerabilities as well as FW-1 vulnerabilities.
2) Performance on NT is not as good as on UNIX or the PIX.
3) Support is only through re-sellers, is very expensive (contracts start at 50% of the price of the original software per year) and is needed for product upgrades.
4) Possibility of OS boot-time errors.

Note: the PIX can filter Java but offers no ActiveX or JavaScript filtering yet (FW-1 can).


PIX Firewall

Cisco introduced the Private Internet Exchange (PIX) Firewall series in 1994; it was originally designed to be a network address translator. The PIX Firewall is a high-performance firewall that uses stateful packet filtering. The PIX Firewall is essentially a firewall appliance: it is its own integrated hardware/software solution (Intel hardware with a proprietary OS). The PIX Firewall is not UNIX or NT-based, but is based on a secure, real-time embedded system, known as the Adaptive Security Algorithm (ASA), which offers stateful inspection technology. ASA tracks the source and destination address, TCP sequence numbers, port numbers, and additional TCP flags. All inbound and outbound traffic is controlled by applying the security policy to connection table entries, which hold this information. Access is permitted through the PIX Firewall only if a connection has been validated or if it has been explicitly configured.

Comparison

The PIX and Checkpoint FW-1 use similar technology in that both rely on smart (stateful) packet filtering.

There are several key differences. One is that FW1 uses a general-purpose operating system while Cisco's PIX uses an embedded operating system. Another is that the PIX is essentially a "diode": you define a security level for each interface, and anything from a higher level (internal=100) to a lower level (external=0) is allowed, while lower (external) to higher (internal) is blocked unless an exception is explicitly configured; with FW1 there are no native directions, and everything must be coded. For this reason, FW1 is often found to be much more flexible.

The license structure on the PIX is per connection; the license structure on FW1 is per protected host. All other things being equal, maintenance is much easier on the PIX, and performance is higher on the PIX. Cisco has recently released a host-to-LAN encryption solution; FW1 has had such a solution for a long time now (SecuRemote for Windows hosts). FW1 has extra features such as bandwidth management (FloodGate) or content vectoring servers, among others (see the OPSEC products).

Note that FW1 is developed in a UNIX environment. The UNIX implementation is more efficient, more mature, and more stable. Going with NT is a mistake unless the client insists they can support NT and are uncomfortable with UNIX. Also, comparing FW1 on a switch or on a Nokia box against the PIX would be an interesting comparison.
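The security-level "diode" and the connection-table behaviour described above, as an added Python model that is not part of the original post or of Cisco's code: the interface names, the DMZ level of 50, the addresses and the exception tuple are all constructed, and the exception set stands in for the explicitly configured lower-to-higher permits (the conduit statements the post mentions later).

```python
from dataclasses import dataclass

# Levels from the page (inside=100, outside=0); dmz=50 and all addresses are constructed.
SECURITY_LEVELS = {"inside": 100, "dmz": 50, "outside": 0}

@dataclass(frozen=True)
class Packet:
    in_if: str    # interface the packet arrives on
    out_if: str   # interface it would leave on
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

class PixDiode:
    def __init__(self, levels, exceptions=()):
        self.levels = levels
        # Explicit lower-to-higher permits, like the page's "conduit" statements.
        self.exceptions = set(exceptions)  # (in_if, dst, dport, proto) tuples
        self.conn_table = set()  # validated connections, keyed by 5-tuple

    def decide(self, p):
        """Return (verdict, reason) for one packet and update state."""
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        # 1. The return half of a validated connection is permitted.
        if rev in self.conn_table:
            return "permit", "return traffic of tracked connection"
        src_lvl, dst_lvl = self.levels[p.in_if], self.levels[p.out_if]
        # 2. Higher to lower level: implicit permit, record the connection.
        if src_lvl > dst_lvl:
            self.conn_table.add(fwd)
            return "permit", "higher to lower security level"
        # 3. Otherwise (lower to higher, or equal): only with an explicit exception.
        if (p.in_if, p.dst, p.dport, p.proto) in self.exceptions:
            self.conn_table.add(fwd)
            return "permit", "explicit exception"
        return "deny", "no higher-to-lower path and no explicit exception"

def demo():
    """Outbound, its reply, an unsolicited inbound, inbound to a DMZ web server."""
    fw = PixDiode(SECURITY_LEVELS, {("outside", "192.0.2.10", 80, "tcp")})
    flows = [
        Packet("inside", "outside", "10.0.0.5", 40000, "198.51.100.7", 443),
        Packet("outside", "inside", "198.51.100.7", 443, "10.0.0.5", 40000),
        Packet("outside", "inside", "198.51.100.9", 5555, "10.0.0.5", 22),
        Packet("outside", "dmz", "198.51.100.9", 5555, "192.0.2.10", 80),
    ]
    return [fw.decide(p)[0] for p in flows]
```

Note that the reply in the second flow is only permitted because the first flow created a connection-table entry; replayed on a fresh `PixDiode` it is denied.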

PIX Pros:

1) Minimal configuration if you have few or zero internal devices that need to be accessed directly from the Internet (i.e. web servers on a protected DMZ) and want to allow everything outbound.
2) Complete hardware/software solution, no additional OS vulnerabilities or boot-time errors to worry about.
3) Cisco support, which is generally very good.
4) Performance, probably the best in the business.
5) No special client side software other than telnet, tftp or serial port terminal software.
6) Lots of detailed documentation.
7) Free upgrades.

PIX Cons:

1) Difficult to manage if you have many servers on a protected DMZ (lots and lots of conduit statements) or many firewalls to manage.
2) Routing limitations in complex network architectures (a router needs to be added for EACH segment).
3) Command-line (IOS-style) based. Cisco's GUI manager (PIX Firewall Manager) is currently in its early releases and not as functional as FW-1's.
4) No ability to off-load layer 7 services like: virus scanning, URL filtering, etc. You can filter on outgoing traffic, but the process is not dynamic.
5) Requires a separate syslog server for logging.
6) No source port filtering.
7) No clear documentation (Cisco's documentation is often conflicting, fails to explain which version of the PIX OS a certain configuration will or will not work under, and seems to be constantly changing).

Conclusion

In the simplest terms, FW-1 can be considered much more functional than the PIX, while the PIX has better performance and support. If your particular environment requires a lot of functionality, the best choice is the FW-1 solution, although you might want to consider running it on a UNIX platform rather than an NT platform. If your environment is pretty simple, the PIX is a solid solution with very good performance.