
Monday 18 June 2012

Interview Questions for Check Point Firewall Technology


Question 1 – Which of the applications in Check Point technology can be used to configure security objects?
Answer: SmartDashboard

Question 2 – Which of the applications in Check Point technology can be used to view what administrators did to the security policy?
Answer: SmartView Tracker

Question 3 – What are the two types of Check Point NG licenses?
Answer: Central and Local licenses

Central licenses are the new licensing model for NG and are bound to the SmartCenter server. Local licenses are the legacy licensing model and are bound to the enforcement module.

Question 4 – What is the main difference between cpstop/cpstart and fwstop/fwstart?
Answer: Running cpstop and then cpstart restarts all Check Point components, including the SVN Foundation. Running fwstop and then fwstart restarts only VPN-1/FireWall-1.

Question 5 – What are the functions of the CPD, FWM, and FWD processes?
Answer: CPD – CPD sits high in the process hierarchy and supports many services, such as Secure Internal Communication (SIC), licensing and status reporting.

FWM – The FWM process is responsible for the database activities of the SmartCenter server. It therefore handles policy installation, Management High Availability (HA) synchronization, saving the policy, database read/write actions, log display, etc.

FWD – The FWD process is responsible for logging. It is involved in logging, Security Servers and communication with OPSEC applications.

Question 6 – What are the types of NAT and how are they configured in Check Point Firewall?
Answer: Static Mode (Manually Defined)

Intrusion Detection Systems Interview Questions

This section is also a very good resource for preparing for IDS job interviews.

What is Intrusion Detection?

Intrusion detection is the active process of documenting and catching attackers and malicious code on a network. It comes in two forms of software: host-based and network-based.

Why is an Intrusion Detection System (IDS) important?

Computers connected directly to the Internet are subject to relentless probing and attack. While protective measures such as safe configuration, up-to-date patching, and firewalls are all prudent steps, they are difficult to maintain and cannot guarantee that all vulnerabilities are shielded. An IDS provides defense in depth by detecting and logging hostile activities. An IDS acts as "eyes" that watch for intrusions when other protective measures fail.

What is the difference between a Firewall and an Intrusion Detection System?

A firewall is a device normally installed at the perimeter of a network to define access rules for particular resources inside the network. On the firewall, anything that is not explicitly allowed is denied. A firewall allows and denies access through its rule base.

An Intrusion Detection System is a software or hardware device installed on the network (NIDS) or host (HIDS) to detect and report suspicious activity.

In simple terms, while a firewall is the gate or door of a superstore, an IDS is the security camera. A firewall can block connections, while an IDS cannot; an IDS can, however, alert on suspicious activity.

An Intrusion Prevention System is a device that can proactively block connections if it finds them to be suspicious in nature.

If an IDS device cannot prevent a hack, then why have IDS devices?

Agreed, an IDS cannot prevent a hack and can only alert on suspicious activity. However, going by past experience, hacks and system compromises are not something that happens overnight. Planned compromise attempts can take several days, weeks, months and in some cases even years. So an IDS can alert you in time to take the desired precautions to protect the resources.

What is a network-based IDS?

An IDS is a system designed to detect and report unauthorized attempts to access or use computer and/or network resources. A network-based IDS collects, filters, and analyzes traffic that passes through a specific network location.

Are there other types of IDS besides network-based?

The other common type of IDS is host-based. In a host-based IDS each computer (or host) has an IDS client installed that reports either locally or to a central monitoring station. The advantage of a host-based IDS is that the internal operation and configuration of the individual computers can be monitored.

What is the difference between host-based (HIDS) and network-based IDS (NIDS)?

HIDS is software which reveals whether a machine is being or has been compromised. It does this by checking the files on the machine for possible problems. Software described as host-based IDS includes file integrity checkers (Tripwire), anti-virus software (Norton AV, McAfee), server logs (Event Viewer or syslog), and in some ways even backup software can act as a HIDS. ISS RealSecure has many HIDS products.

NIDS is software which monitors network packets and examines them against a set of signatures and rules. When a rule is violated the action is logged and the administrator can be alerted. Examples of NIDS software are Snort, ISS RealSecure, Enterasys Dragon and Intrusion.

Are there any drawbacks of host-based IDS systems?

There are three primary drawbacks of a host-based IDS:
(1) It is harder to correlate network traffic patterns that involve multiple computers;
(2) Host-based IDSs can be very difficult to maintain in environments with a lot of computers, with variations in operating systems and configurations, and where computers are maintained by several system administrators with little or no common practices;
(3) Host-based IDSs can be disabled by attackers after the system is compromised.

Why, when and where to use host-based IDS systems?

Host-based IDS systems are used to closely monitor any actions taking place on important servers and machines and to detect anomalies and suspicious activity on them. You use a host-based IDS when you cannot risk the compromise of a server; the server has to be important and mission critical to justify it. Host-based IDS systems are agents that run on the critical servers: the agent is installed on the server that is being monitored.

What is a Signature?

A signature is recorded evidence of a system intrusion, typically as part of an intrusion detection system (IDS). When a malicious attack is launched against a system, the attack typically leaves evidence of the intrusion in the system's logs. Each intrusion leaves a kind of footprint behind (e.g., unauthorized software executions, failed logins, misuse of administrative privileges, file and directory access) that administrators can document and use to prevent the same attacks in the future. By keeping tables of intrusion signatures and instructing devices in the IDS to look for them, a system's security is strengthened against malicious attacks.

Because each signature is different, system administrators can determine by looking at the intrusion signature what the intrusion was, and how and when it was perpetrated.

What are the common types of attacks and signatures?

There are three types of attacks:

Reconnaissance – These include ping sweeps, DNS zone transfers, e-mail recons, TCP or UDP port scans, and possibly indexing of public web servers to find CGI holes.

Exploits – Intruders take advantage of hidden features or bugs to gain access to the system.

Denial-of-service (DoS) attacks – The intruder attempts to crash a service (or the machine), overload network links, overload the CPU, or fill up the disk. The intruder is not trying to gain information, but simply acts as a vandal to prevent you from making use of your machine.

Note: Signatures are written based on these types of attacks.
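The notes above say what a NIDS rule or a HIDS footprint looks like (port scans, ping sweeps, failed logins) but not how such a signature is actually evaluated. The following Python script is an added example, not code from the original post or from any of the IDS products it names: it runs three threshold signatures over constructed data, two NIDS-style ones over flow records (port scan and ping sweep) and one HIDS-style one over sshd log lines (failed-login burst). The flow records, log lines, thresholds and window sizes are all assumptions made for the example.

```python
"""Added example (not from the original post or any named IDS product): three
threshold signatures of the kind the notes describe, run over constructed data."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed NIDS-style flow records: (epoch seconds, proto, src_ip, dst_ip, dst_port).
FLOWS = [
    (100, "tcp", "10.0.0.5", "192.168.1.10", 21),
    (101, "tcp", "10.0.0.5", "192.168.1.10", 22),
    (101, "tcp", "10.0.0.5", "192.168.1.10", 23),
    (102, "tcp", "10.0.0.5", "192.168.1.10", 25),
    (103, "tcp", "10.0.0.5", "192.168.1.10", 80),
    (103, "tcp", "10.0.0.5", "192.168.1.10", 443),
    (150, "tcp", "10.0.0.9", "192.168.1.10", 443),   # one ordinary HTTPS connection
    (200, "icmp", "10.0.0.7", "192.168.1.1", 0),
    (200, "icmp", "10.0.0.7", "192.168.1.2", 0),
    (201, "icmp", "10.0.0.7", "192.168.1.3", 0),
    (201, "icmp", "10.0.0.7", "192.168.1.4", 0),
    (202, "icmp", "10.0.0.7", "192.168.1.5", 0),
]

# Constructed HIDS-style input: sshd lines in syslog format.
AUTH_LOG = """\
Jun 18 10:00:01 web1 sshd[812]: Failed password for root from 203.0.113.7 port 40001 ssh2
Jun 18 10:00:02 web1 sshd[812]: Failed password for root from 203.0.113.7 port 40002 ssh2
Jun 18 10:00:03 web1 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40003 ssh2
Jun 18 10:00:04 web1 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40004 ssh2
Jun 18 10:00:05 web1 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40005 ssh2
Jun 18 10:00:09 web1 sshd[813]: Accepted publickey for deploy from 10.0.0.20 port 50000 ssh2
Jun 18 10:30:00 web1 sshd[900]: Failed password for deploy from 10.0.0.21 port 50010 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)
SYSLOG_EPOCH = datetime(1900, 1, 1)   # syslog stamps carry no year; strptime defaults to 1900


def _distinct_in_window(items, threshold, window):
    """items: (time, value) pairs. Slide a window of `window` seconds from each item and
    return the number of distinct values in the first window that reaches `threshold`,
    or None if none does."""
    items = sorted(items)
    for i, (t0, _) in enumerate(items):
        seen = {v for t, v in items[i:] if t - t0 <= window}
        if len(seen) >= threshold:
            return len(seen)
    return None


def detect_port_scans(flows, min_ports=5, window=10):
    """Reconnaissance signature: one source touches >= min_ports distinct TCP/UDP
    ports on one host within `window` seconds."""
    per_pair = defaultdict(list)
    for t, proto, src, dst, port in flows:
        if proto in ("tcp", "udp"):
            per_pair[(src, dst)].append((t, port))
    alerts = []
    for (src, dst), items in per_pair.items():
        n = _distinct_in_window(items, min_ports, window)
        if n:
            alerts.append(("port-scan", src, dst, n))
    return alerts


def detect_ping_sweeps(flows, min_hosts=5, window=10):
    """Reconnaissance signature: one source sends ICMP to >= min_hosts distinct hosts."""
    per_src = defaultdict(list)
    for t, proto, src, dst, _ in flows:
        if proto == "icmp":
            per_src[src].append((t, dst))
    alerts = []
    for src, items in per_src.items():
        n = _distinct_in_window(items, min_hosts, window)
        if n:
            alerts.append(("ping-sweep", src, n))
    return alerts


def detect_login_bruteforce(log_text, min_failures=5, window=60):
    """Host-log signature: >= min_failures failed SSH logins from one source within
    `window` seconds (the 'failed logins' footprint mentioned above)."""
    per_src = defaultdict(list)
    for i, line in enumerate(log_text.splitlines()):
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            per_src[m["src"]].append(((ts - SYSLOG_EPOCH).total_seconds(), i))
    alerts = []
    for src, items in per_src.items():
        n = _distinct_in_window(items, min_failures, window)
        if n:
            alerts.append(("ssh-bruteforce", src, n))
    return alerts


def run_all(flows, log_text):
    """Combine the NIDS-side and HIDS-side signatures into one alert list."""
    return detect_port_scans(flows) + detect_ping_sweeps(flows) + detect_login_bruteforce(log_text)


if __name__ == "__main__":
    for alert in run_all(FLOWS, AUTH_LOG):
        print(alert)
```

The single HTTPS connection from 10.0.0.9 and the lone failed login from 10.0.0.21 stay below threshold, which is the point of counting within a window rather than matching single packets or lines: the same signature that catches the scan and the brute-force burst does not fire on ordinary activity.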

ROUTING - Interview Questions

ROUTING

Default administrative distance:
Connected interface – 0
Static route – 1
External BGP – 20
Internal EIGRP – 90
IGRP – 100
OSPF – 110
IS-IS – 115
RIP v1, v2 – 120
External EIGRP – 170
Internal BGP – 200
Unknown – 255

Distance vector protocol:
Finds the best path by distance, i.e. hop count. Ex: RIP, IGRP

Link state protocol:
Finds the best path using three tables (Neighbor Table, Topology Table, and Routing Table). Ex: OSPF, IS-IS.
Link state protocols use an area architecture.
A link state protocol advertises all of its routes to its neighbors, even though the neighbors may not use those routes.

Hybrid protocol:
A mix of distance vector and link state (EIGRP).
EIGRP advertises only its best route to each neighbor, which is why EIGRP is not classed as a link state routing protocol.

ROUTING preference
1. Most specific subnet mask (longest prefix match)
2. Administrative distance
3. Metric

EIGRP - Network Interview Questions

EIGRP

I) EIGRP Features
  1. Fast convergence – uses DUAL (Diffusing Update Algorithm). A router running EIGRP stores a backup route (feasible successor).
  2. Minimum bandwidth usage – sends no periodic updates; updates are partial and bounded and are sent only when the topology changes.
  3. Multiple network layer protocol support – supports IPX/SPX and AppleTalk.
  4. Supports VLSM and classless routing.
  5. Supports load balancing over equal and unequal cost paths (up to 6 paths; default is 4).
  6. Uses multicast (224.0.0.10) instead of broadcast.
  7. Summarization can be done on any router running EIGRP, whereas in OSPF only on an ABR or ASBR.
  8. Combines the best of distance vector and link state.
  9. Hello packets every 5 sec; hold time is 3 times the hello interval.
  10. Hello interval on NBMA is 60 sec and hold time is 3 times that (180 sec).
II) Advertised distance (AD): cost between the next-hop router and the destination router.

Feasible distance (FD): AD (cost between the next-hop router and the destination) + cost between the local router and the next-hop router. The lowest FD is the best path (successor).

Successor: best route, stored in the routing table and the topology table.

Feasible successor: backup route, stored in the topology table. To be considered a feasible successor, its AD must be less than the FD of the successor; this feasibility condition prevents routing loops.

Passive route: passive state is the state in which the router has identified the successor(s) for the destination.

Active route: active state is entered when the current successor no longer satisfies the feasibility condition.

Neighbor table: list of directly connected routers.
Topology table: list of routes learned from each neighbor.
Routing table: list of best routes.

The neighbor table feeds routing information into the topology table, and the routing table is built from the best paths in the topology table.


EIGRP packets:

Hello – establishes neighbor relationships (multicast)
Update – sends routing updates
Query – asks neighbors for routing information
Reply – responds to a query
Ack – acknowledges every reliable packet except Hello packets

Note: The no auto-summary command stops EIGRP from automatically summarizing the networks it advertises at classful boundaries; it turns on the classless behaviour of EIGRP.

Metric components: bandwidth, delay, reliability, load, MTU

Default metric: 256 * (BW + Delay)

BW = 10^7 / bandwidth
Delay = delay in microseconds

To change the other metric weights manually, use the following command. It is not on Cisco's website and is very rarely known or used.

Router(config)# router eigrp 10
Router(config-router)# metric weights tos k1 k2 k3 k4 k5

tos – type of service; it is always 0.

Troubleshooting commands:
show ip eigrp topology, show ip eigrp neighbors, show ip eigrp traffic

Summarization:
Router(config-if)# ip summary-address eigrp 1 172.16.0.0 255.255.255.248

Unequal cost load balancing:

Router(config-router)# variance 2 (2 is the multiplier)
Router(config-router)# variance 1 (equal cost load balancing only)
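The AD/FD, successor and feasible successor definitions above, the default metric formula, and the variance command are all arithmetic the router performs on its topology table. The Python script below is an added example, not code from the page or from Cisco, that carries that arithmetic out on a constructed topology. It assumes the standard K-value composite metric with IOS-style integer truncation and, as IOS does, sums delay in tens of microseconds (the notes above quote the delay in microseconds, so the script divides by 10); the neighbors R2 to R4 and their costs are made-up values in composite-metric units.

```python
"""Added example (not from the page or Cisco): EIGRP composite metric and DUAL path
selection on a constructed topology."""


def eigrp_metric(min_bw_kbps, path_delay_usec, reliability=255, load=1,
                 k=(1, 0, 1, 0, 0)):
    """Composite metric with the standard K-value formula and IOS-style integer
    truncation. IOS sums delay in tens of microseconds, so the microsecond figure is
    divided by 10 here; with the default K values this reduces to 256 * (BW + Delay)."""
    k1, k2, k3, k4, k5 = k
    bw = 10**7 // min_bw_kbps          # slowest link on the path, in kbps
    delay = path_delay_usec // 10
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:                        # the reliability term is skipped when K5 = 0
        metric = metric * k5 // (reliability + k4)
    return metric * 256


# Constructed topology-table entries for one prefix as seen from the local router:
# (neighbor, advertised distance reported by that neighbor, cost of the link to it).
# Costs are in composite-metric units; the numbers are small to keep the arithmetic visible.
TOPOLOGY_10_1 = [
    ("R2", 20, 10),   # FD 30: the lowest, so R2 is the successor
    ("R3", 25, 20),   # FD 45, and AD 25 < 30: a feasible successor
    ("R4", 35, 5),    # FD 40, but AD 35 >= 30: fails the feasibility condition
]


def dual(topology):
    """Return (successor FD, successors, feasible successors). FD = AD + link cost;
    a neighbor is a feasible successor when its AD is less than the successor's FD."""
    entries = [(nbr, ad, ad + cost) for nbr, ad, cost in topology]
    best_fd = min(fd for _, _, fd in entries)
    successors = [nbr for nbr, _, fd in entries if fd == best_fd]
    feasible = [nbr for nbr, ad, fd in entries if fd != best_fd and ad < best_fd]
    return best_fd, successors, feasible


def installed_paths(topology, variance=1):
    """Paths the routing table uses with the given variance: the successor(s) plus
    every feasible successor whose FD is below variance * successor FD. Variance 1
    therefore gives equal-cost load balancing only."""
    best_fd, successors, feasible = dual(topology)
    fd_of = {nbr: ad + cost for nbr, ad, cost in topology}
    return successors + [nbr for nbr in feasible if fd_of[nbr] < variance * best_fd]


if __name__ == "__main__":
    print("T1 serial (1544 kbps, 20000 us):", eigrp_metric(1544, 20000))
    print("FastEthernet (100000 kbps, 100 us):", eigrp_metric(100000, 100))
    print("DUAL:", dual(TOPOLOGY_10_1))
    for v in (1, 2):
        print(f"variance {v}:", installed_paths(TOPOLOGY_10_1, v))
```

The R4 entry shows why the feasibility condition matters: its FD (40) is lower than R3's (45), but its advertised distance (35) is not below the successor's FD (30), so DUAL cannot prove the path is loop-free and no variance setting will install it; only R3 becomes a second path once the variance allows an FD of 45.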

Stuck in Active (SIA): a router sends query messages through its active interfaces to find a backup route from other routers. It waits up to 3 minutes for reply messages from all queried routers, even if one of them has already supplied a backup route.

Methods to prevent SIA: 1) summary routes 2) stub configuration


NewYork#sh ip eigrp neighbor

IP-EIGRP neighbors for process 10
H   Address          Interface   Hold Uptime    SRTT   RTO  Q    Seq
                                 (sec)          (ms)        Cnt  Num
1   172.16.251.2     Se0/1         10 00:17:08    28  2604  0    7
0   172.16.250.2     Se0/0         13 00:24:43    12  2604  0    14

Router# show ip eigrp topology
IP-EIGRP Topology Table for process 77
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - Reply status
P 172.16.90.0 255.255.255.0, 2 successors, FD is 0
         via 172.16.80.28 (46251776/46226176), Ethernet0
         via 172.16.81.28 (46251776/46226176), Ethernet1
         via 172.16.80.31 (46277376/46251776), Serial0
P 172.16.81.0 255.255.255.0, 1 successors, FD is 307200
         via Connected, Ethernet1
         via 172.16.81.28 (307200/281600), Ethernet1
         via 172.16.80.28 (307200/281600), Ethernet0
         via 172.16.80.31 (332800/307200), Serial0

CHECK POINT FIREWALL-1: EXTENSIBLE STATEFUL INSPECTION

Check Point FireWall-1's Stateful Inspection architecture utilizes a unique, patented INSPECT™ Engine which enforces the security policy on the gateway on which it resides. The INSPECT Engine looks at all communication layers and extracts only the relevant data, enabling highly efficient operation, support for a large number of protocols and applications, and easy extensibility to new applications and services.

The INSPECT Engine is programmable using Check Point's powerful INSPECT Language. This provides important system extensibility, allowing Check Point, as well as its technology partners and end users, to incorporate new applications, services, and protocols without requiring new software to be loaded. For most new applications, including most custom applications developed by end users, the communication-related behavior of the new application can be incorporated simply by modifying one of FireWall-1's built-in script templates via the graphical user interface. Even the most complex applications can be added quickly and easily via the INSPECT Language. Check Point provides an open application programming interface (API) for third-party developers.

Ref - www.checkpoint.com

Network and Security interview questions (Cisco)

Cisco Firewall

1. What are stateful inspection and packet filtering? What is the difference?
2. What is the Adaptive Security Algorithm?
3. What are the default security levels for interfaces in the firewall?
4. How does the firewall treat TCP and UDP packets when they cross the firewall?
5. Tell me about the different types of NAT.
6. What is the order of NAT?
7. What is NAT control?
8. What troubleshooting mechanisms should be followed on Cisco firewalls?
   a) What are the different flow lookups in the output of Packet Tracer?
9. What is stateful failover? (command to enable failover)
10. What is a transparent firewall?
11. How do you check the connections and NAT translations?
12. How would you troubleshoot a high utilization issue on a firewall?
13. One of the best issues you have troubleshooted with a firewall?
14. Difference between an IPS and a firewall?


VPN

1. What are site-to-site and remote access VPN?
2. What is a phase 1 tunnel and the parameters involved?
3. What is a phase 2 tunnel and the parameters involved?
4. What is PFS?
5. Why is DH required?
6. How to check the status of the tunnel in phase 1 and 2?
7. What commands are required to troubleshoot VPN?
8. What is GRE and why is it required?
9. How can we carry routing updates via IPsec without GRE?
10. What is NAT Traversal?
11. What ports are involved in NAT Traversal?


General

1. Difference between TCP and UDP?
2. What are ARP and RARP?
3. At what layer does a firewall work?
4. What is DNS doctoring?
5. What are proxy ARP and gratuitous ARP?
6. Active and passive FTP?
7. What is a DHCP relay agent? If the DHCP server is located in a different subnet, how does the process work?
8. What are MTU and fragmentation?
9. What are DoS attacks and spoofing attacks? How can they be prevented?




Routing

1. What are subnetting and supernetting?
2. What are a static route and a default route?
3. What are classful and classless routing?
4. What is dynamic routing?


A) OSPF

1. Metric used for OSPF?
2. What parameters are required for OSPF neighbourship?
3. What are NSSA, stub and totally stubby areas?
4. How is the cost of an interface calculated?
5. Commands to view the OSPF neighbours?


B) EIGRP

1. Metric for EIGRP and its AD?
2. What is stuck in active?
3. How does unequal-cost load balancing work with EIGRP?
4. Difference between EIGRP and OSPF?
5. Commands to view the EIGRP neighbours?


C) BGP

1. What are IBGP and EBGP?
2. What are local preference and MED?
3. What is BGP synchronization?
4. What is the AD of IBGP and EBGP?
5. We have two entries in the routing table, say for example:

192.168.1.0/24 --> 1.1.1.1
192.168.1.128/25 --> 2.2.2.2

What is the next hop to reach 192.168.1.200?

6. Why is redistribution required?
7. How would you filter the routes being redistributed?
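Question 5 above is answered by the routing preference order given earlier on this page (most specific mask, then administrative distance, then metric). The following Python script is an added example, not from the page, that applies that order: it builds a routing table from candidate routes (lowest AD, then lowest metric, per prefix) and then does a longest-prefix lookup. The first two candidates mirror the two entries in the question; their source protocol is assumed to be static, and the remaining candidates, next hops and metrics are constructed to exercise the AD and metric tie-breaks as well.

```python
"""Added example (not from the page): route selection in the preference order given
in the routing notes, with a forwarding lookup for the two-entry BGP question."""
import ipaddress

# Default administrative distances as listed in the routing notes above.
ADMIN_DISTANCE = {
    "connected": 0, "static": 1, "ebgp": 20, "eigrp": 90, "igrp": 100,
    "ospf": 110, "isis": 115, "rip": 120, "eigrp-external": 170,
    "ibgp": 200, "unknown": 255,
}

# Constructed candidate routes offered to the routing table:
# (prefix, source protocol, metric, next hop). The first two mirror the two entries
# in the BGP question; their source protocol is assumed to be static for the example.
CANDIDATES = [
    ("192.168.1.0/24", "static", 0, "1.1.1.1"),
    ("192.168.1.128/25", "static", 0, "2.2.2.2"),
    ("10.0.0.0/8", "ospf", 20, "10.255.0.1"),          # same prefix, two sources:
    ("10.0.0.0/8", "eigrp", 3000000, "10.255.0.2"),    # lower AD wins, metric ignored
    ("172.16.0.0/16", "rip", 5, "172.31.0.1"),         # same prefix, same source:
    ("172.16.0.0/16", "rip", 3, "172.31.0.2"),         # lower metric wins
    ("0.0.0.0/0", "static", 0, "198.51.100.1"),        # default route, least specific
]


def build_rib(candidates):
    """Routing table construction: for each prefix keep the source with the lowest
    administrative distance, breaking ties on the lowest metric."""
    rib = {}
    for prefix, proto, metric, next_hop in candidates:
        net = ipaddress.ip_network(prefix)
        rank = (ADMIN_DISTANCE[proto], metric)
        if net not in rib or rank < rib[net][0]:
            rib[net] = (rank, proto, next_hop)
    return rib


def lookup(rib, destination):
    """Forwarding decision: the longest matching prefix (most specific mask) wins."""
    dst = ipaddress.ip_address(destination)
    matches = [net for net in rib if dst in net]
    if not matches:
        return None
    best = max(matches, key=lambda net: net.prefixlen)
    return rib[best][2]


RIB = build_rib(CANDIDATES)


def next_hop(destination):
    """Next hop for `destination` using the constructed table above."""
    return lookup(RIB, destination)


def selected_source(prefix):
    """Which source protocol won the routing table for `prefix`."""
    return RIB[ipaddress.ip_network(prefix)][1]


if __name__ == "__main__":
    for dest in ("192.168.1.200", "192.168.1.20", "10.1.2.3", "172.16.9.9", "8.8.8.8"):
        print(dest, "->", next_hop(dest))
```

Note that the two stages are different operations: administrative distance and metric only ever compete between routes for the same prefix when the table is built, while the forwarding lookup ignores both and takes the most specific match, which is why 192.168.1.200 goes to 2.2.2.2 even though both entries are otherwise equal.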


Cisco IPS

1. What are IPS and IDS? Tell me the difference between them.
2. Which IPS modules have you worked with?
3. What is AIP-SSM?
4. What are promiscuous and inline mode?
5. What is a signature? Name some signature engines.
6. How would you implement an IPS in a network?
7. How would you manage an IPS?
8. What are false positives and false negatives?
9. What event actions are involved in inline mode?

STATEFUL INSPECTION TECHNOLOGY

Stateful Inspection, invented by Check Point Software Technologies, has emerged as the industry standard for enterprise-class network security solutions. Stateful Inspection is able to meet all the security requirements defined above while traditional firewall technologies, such as packet filters and application-layer gateways, each fall short in some areas. With Stateful Inspection, packets are intercepted at the network layer for best performance (as in packet filters), but then data derived from all communication layers is accessed and analyzed for improved security (compared to layers 4–7 in application-layer gateways). Stateful Inspection then introduces a higher level of security by incorporating communication- and application-derived state and context information which is stored and updated dynamically. This provides cumulative data against which subsequent communication attempts can be evaluated. It also delivers the ability to create virtual session information for tracking connectionless protocols (for example, RPC and UDP-based applications), something no other firewall technology can accomplish.

Ref - www.checkpoint.com

Network Security Tools list

Penetration Testing Tools

1. Nmap - Port scanner - Windows & Linux
2. Nessus - Vulnerability scanner - Windows & Linux
3. Xprobe - Operating system detection - Linux
4. Ethereal - Packet sniffer - Windows & Linux
5. J2SDK and JRE - Java framework needed for many tools to run - Windows & Linux
6. Citrix client - Client used to connect to a Citrix instance if one is running - Windows
7. MySQL client - Client used to connect to a running MySQL database - Windows & Linux
8. VNC client - Client used to connect to a running VNC server - Windows
9. OAT - Oracle enumeration toolkit - Windows & Linux
10. Tnscmd.pl - Oracle enumeration tool - Windows & Linux
11. Wget - Website downloader - Windows & Linux
12. Tsgrinder - Terminal Services brute-force password cracker - Windows
13. SqlPing3 - MS-SQL enumeration - Windows
14. Orabf - Oracle brute-force password cracker - Windows & Linux
15. Checkpwd - Oracle brute-force password cracker - Windows & Linux
16. Explore2fs - Copy files from a local Linux partition to Windows - Windows
17. Getif - SNMP enumeration - Windows
18. Enum - Check for null session establishment - Windows
19. Site-Digger - Google hacking - Windows
20. httprint - Web server fingerprinting - Windows
21. Cerberus FTP Server - Simple FTP server used when you need to upload tools to the server - Windows
22. Netcat - Create a listener on a remote host once you're in - Windows & Linux
23. Screenshooter - Take quick screenshots using predefined hotkeys - Windows
24. Resource Kit tools - Numerous Windows tools to enumerate the various services offered by Windows - Windows
25. Lsnrcheck - Enumerate the Oracle listener - Windows
26. PuTTY - Establish connections to open ports - Windows
27. Cain and Abel - ARP poisoning and brute forcing various types of passwords, among many others - Windows
28. Adfind and LdapMiner - Enumerate Active Directory objects - Windows
29. Nikto - Web vulnerability scanner - Windows & Linux
30. P0f - Passive OS fingerprinting - Windows & Linux
31. Metasploit - Canned exploit tool - Windows & Linux


Application Security Assessment Tools

1. Paros - Web proxy interceptor and editor - Windows
2. WinHex - RAM content viewer - Windows
3. WpePro - Real-time packet editor (thick client) - Windows
4. EchoMirage - Function call interceptor (thick client) - Windows
5. ITR - Application traffic interceptor (thick client) - Windows
6. FileMon - Identifies files that the application accesses while running - Windows
7. RegMon - Identifies registry keys that the application accesses while running - Windows
8. DllHell - Identifies DLL files that the application uses to run - Windows
9. TcpView - Identifies connections to and from local running processes - Windows
10. JsView - Firefox extension which picks out all the JavaScript running on a web page - Windows & Linux
11. View_source_chart - Firefox extension which displays HTML source cleanly - Windows & Linux
12. Smbrelay - Intercepts SMB traffic - Windows

Cisco PIX or ASA vs. Check Point Firewall

Introduction

Firewall technology ranges from packet filtering to application-layer proxies to stateful inspection, each technique building on the benefits of its predecessor.

Stateful inspection works at the network layer and does not require a separate proxy for each application. This technology does not suffer from the same degradation in performance as application-level technology (proxies), which involves the extra overhead of transporting data up to the application layer. Unlike packet filters, it has the ability to maintain session state and therefore raises the security level of a network transaction.

Check Point FireWall-1

Check Point FW-1 has been the firewall market leader since shortly after its introduction in 1994/95. Its well-designed GUI was, and still is, the best visual interface of any firewall product. This intuitive interface makes FW-1 easy to work with even for those new to firewalls.

FireWall-1 is based upon Stateful Inspection technology, the de facto standard for firewalls. Invented by Check Point, Stateful Inspection provides the highest level of security. FireWall-1's scalable, modular architecture enables an organization to define and implement a single, centrally managed Security Policy. The enterprise Security Policy is defined on a central management server through a GUI and downloaded to multiple enforcement points (Inspection Modules) throughout the network.

The FireWall-1 Inspection Module is located in the operating system (NT or UNIX) kernel at the lowest software level. The Inspection Module analyzes all packets before they reach the gateway operating system. Packets are not processed by any of the higher protocol layers unless FireWall-1 verifies that they comply with the Inspection Module security policy (it examines communications from any IP protocol or application, including stateless protocols such as UDP and RPC).

FW-1 Pros:

1) Very functional GUI.
2) Based on stateful inspection like the PIX, but can off-load layer 7 inspection to other servers if required.
3) Lots of features for complex environments, such as a large protected DMZ, Windows VPN support, firewall synchronization, bi-directional NAT, etc.
4) Can be used to control bi-directional traffic.
5) Comprehensive logging provided on the management station.

FW-1 Cons:

1) Must account for OS vulnerabilities as well as FW-1 vulnerabilities.
2) Performance on NT is not as good as on UNIX or the PIX.
3) Support is only through resellers, is very expensive (contracts start at 50% of the price of the original software per year) and is needed for product upgrades.
4) Possibility of OS boot-time errors.

Note: The PIX can filter Java but has no ActiveX or JavaScript filtering yet (FW-1 can).


PIX Firewall

Cisco introduced the Private Internet Exchange (PIX) Firewall series in 1994; it was originally designed as a network address translator. The PIX Firewall is a high-performance firewall that uses stateful packet filtering. It is essentially a firewall appliance: an integrated hardware/software solution (Intel hardware with a proprietary OS). The PIX Firewall is not UNIX- or NT-based, but is built on a secure, real-time embedded system known as the Adaptive Security Algorithm (ASA), which offers stateful inspection technology. ASA tracks the source and destination addresses, TCP sequence numbers, port numbers, and additional TCP flags. All inbound and outbound traffic is controlled by applying the security policy to connection table entries, which hold this information. Access is permitted through the PIX Firewall only if a connection has been validated or if it has been explicitly configured.
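Both the Check Point text earlier on this page (virtual sessions for connectionless protocols such as UDP) and the PIX paragraph above (a connection table that inbound traffic must match unless explicitly configured) describe the same mechanism, and the introduction contrasts it with packet filters that cannot keep session state. The Python script below is an added example, not Check Point or Cisco code, that models the two approaches side by side on constructed packets. It tracks only the 5-tuple and an idle timer per connection (the real products also track TCP flags and sequence numbers, as the PIX paragraph says); the addresses, timeouts, rules and the single published inside service are all assumptions made for the example.

```python
"""Added example (not Check Point or Cisco code): a minimal model of stateful
inspection beside a static packet filter, using constructed packets."""

# A packet is (direction, proto, src_ip, src_port, dst_ip, dst_port). "out" means
# inside (high security level) to outside (low); "in" is the reverse.


class StatefulFilter:
    """Outbound packets are allowed and recorded in a connection table; inbound packets
    are allowed only when they are the return half of a recorded connection or match an
    explicit inbound permit. UDP gets a 'virtual session' so its replies can be matched,
    and every entry expires after a protocol-specific idle timeout."""
    IDLE_TIMEOUT = {"tcp": 3600, "udp": 120}     # assumed values, in seconds

    def __init__(self, inbound_permits=()):
        self.table = {}                              # inside-view 5-tuple -> last seen
        self.permits = set(inbound_permits)          # (proto, inside_ip, inside_port)

    def _expire(self, now):
        for key, last_seen in list(self.table.items()):
            if now - last_seen > self.IDLE_TIMEOUT[key[0]]:
                del self.table[key]

    def process(self, pkt, now):
        direction, proto, src, sport, dst, dport = pkt
        self._expire(now)
        if direction == "out":
            self.table[(proto, src, sport, dst, dport)] = now
            return "allow"
        key = (proto, dst, dport, src, sport)        # inside view of the reverse flow
        if key in self.table:
            self.table[key] = now
            return "allow"
        if (proto, dst, dport) in self.permits:      # e.g. a published DMZ web server
            self.table[key] = now
            return "allow"
        return "deny"


def packet_filter(pkt, rules):
    """Stateless filter: judges each inbound packet on its header alone. To let DNS
    replies back in it needs a standing rule for UDP from port 53 to any high port,
    which also admits unsolicited packets that merely look like replies."""
    direction, proto, src, sport, dst, dport = pkt
    if direction == "out":
        return "allow"
    for r_proto, r_sport, lo, hi in rules:           # (proto, src port or None, dport range)
        if proto == r_proto and (r_sport is None or sport == r_sport) and lo <= dport <= hi:
            return "allow"
    return "deny"


STATIC_RULES = [("udp", 53, 1024, 65535), ("tcp", None, 80, 80)]
INBOUND_PERMITS = [("tcp", "10.0.0.80", 80)]         # the one published inside service

# Constructed traffic: (time in seconds, packet).
PACKETS = [
    (0,   ("out", "udp", "10.0.0.5", 40000, "203.0.113.1", 53)),    # DNS query
    (1,   ("in",  "udp", "203.0.113.1", 53, "10.0.0.5", 40000)),    # its reply
    (2,   ("in",  "udp", "203.0.113.1", 53, "10.0.0.5", 40001)),    # unsolicited "reply"
    (200, ("in",  "udp", "203.0.113.1", 53, "10.0.0.5", 40000)),    # reply after the UDP session idled out
    (201, ("in",  "tcp", "198.51.100.9", 50000, "10.0.0.80", 80)),  # client to DMZ web server
    (202, ("in",  "tcp", "198.51.100.9", 50001, "10.0.0.80", 22)),  # SSH to the same server
]


def run_stateful(packets, permits=INBOUND_PERMITS):
    """Decisions of the stateful model for each packet, in order."""
    fw = StatefulFilter(permits)
    return [fw.process(pkt, t) for t, pkt in packets]


def run_static(packets, rules=STATIC_RULES):
    """Decisions of the stateless model for the same packets."""
    return [packet_filter(pkt, rules) for _, pkt in packets]


if __name__ == "__main__":
    for (t, pkt), s, p in zip(PACKETS, run_stateful(PACKETS), run_static(PACKETS)):
        print(f"t={t:3d} {pkt[0]:3s} {pkt[1]} -> stateful={s:5s} static={p}")
```

The two models disagree on the third and fourth packets: the stateful filter denies the UDP packet to port 40001 because no inside host ever sent a query from that port, and denies the late reply because its virtual session has expired, while the static filter has to admit both because its only way to let genuine DNS replies in is a standing rule for UDP from port 53 to every high port.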

Comparison

The PIX and Check Point FW-1 use similar technologies in that both use smart packet filtering (stateful technology).

There are several key differences. One is that FW-1 uses a general-purpose operating system while Cisco's PIX uses an embedded operating system. Another is that the PIX is essentially a "diode": you define a security level for each interface, and anything from a higher level (internal = 100) to a lower level (external = 0) is allowed while lower (external) to higher (internal) is blocked unless an exception is coded; with FW-1 there are no native directions, and everything must be coded. (For this reason FW-1 can be considered much more flexible.)

The license structure on the PIX is per connection; the license structure on FW-1 is per protected host. All other things being equal, maintenance is much easier on the PIX, and performance is higher on the PIX. Cisco has recently released a host-to-LAN encryption solution; FW-1 has had such a solution for a long time now (SecuRemote for Windows boxes). FW-1 has extra features such as bandwidth management (FloodGate) and content vectoring servers, among others (see OPSEC products).

Note that FW-1 is developed in a UNIX environment. The UNIX implementation is more efficient, more mature, and more stable. It is wrong to go with NT unless the client swears he can support NT and is afraid of UNIX. Also, comparing FW-1 on a switch or on a Nokia box versus the PIX could make for an interesting comparison.

PIX Pros:

1) Minimal configuration if you have few or no internal devices that need to be accessed directly from the Internet (e.g. web servers on a protected DMZ) and want to allow everything outbound.
2) Complete hardware/software solution: no additional OS vulnerabilities or boot-time errors to worry about.
3) Cisco support, which is generally very good.
4) Performance, probably the best in the business.
5) No special client-side software other than telnet, TFTP or serial port terminal software.
6) Lots of detailed documentation.
7) Free upgrades.

PIX Cons:

1) Difficult to manage if you have many servers on a protected DMZ (lots and lots of conduit statements) or many firewalls to manage.
2) Routing limitations in complex network architectures (need to add a router for EACH segment).
3) Command line (IOS style) based. Cisco's GUI manager (PIX Firewall Manager) is currently in its early releases and not as functional as FW-1's.
4) No ability to off-load layer 7 services such as virus scanning, URL filtering, etc. You can filter outgoing traffic, but the process is not dynamic.
5) Requires a separate syslog server for logging.
6) No source port filtering.
7) No clear documentation (Cisco's documentation is often conflicting, fails to explain which version of the PIX OS a certain configuration will or will not work under, and seems to be constantly changing).

Conclusion

In the simplest terms, FW-1 can be considered much more functional than the PIX, while the PIX has better performance and support. If your particular environment requires a lot of functionality, the best choice is the FW-1 solution, although you might want to consider running it on a UNIX platform rather than an NT platform. If your environment is fairly simple, the PIX is a solid solution with very good performance.

Saturday 16 June 2012

DNS and Forensic tools resources

• DNSMap - DNS subdomain brute-force tool
• Dnsgrep - DNS enumeration tool
• txdns - Aggressive multithreaded DNS digger/brute-forcer
• Mscan 1.0
• FoFuS - PoC bot using a DNS covert channel
• spoofer2.pl.txt
• dnsstat
• Tools to manage DNS
• DNSSEC Software, DNSSEC Tools, DNSSEC Utilities

DNS Dump
https://www.astalavista.net/member/index.php?cmd=forum&act=topic_show&tid=16477

Koders
http://www.koders.com/default.aspx?s=reverse+dns+lookup&btn=&la=C&li=*
http://www.koders.com/default.aspx?s=proxy+lookup&la=C&li=*

Sourceforge
http://sourceforge.net/search/?type_of_search=soft&words=reverse+dns+proxy

Google CodeSearch
http://www.google.com/codesearch?q=proxy+lookup+.c&hl=en
http://www.google.com/codesearch?hl=en&lr=&q=reverse+dns+.c

http://linux.softpedia.com/get/System/Networking/MassResolve-29981.shtml

http://www.pentester.com.au/downloads/rdns.exe


http://www.google.com/codesearch?hl=en&q=show:FwzQRvnL2P8:Jt60AsYNq9I:JsKUtuOcjdo&sa=N&ct=rd&cs_p=ftp://ftp.sunfreeware.com/pub/freeware/SOURCES/gnupg-1.4.7.tar.gz&cs_f=gnupg-1.4.7/util/ttyio.c
http://www.forensics.nl/presentations

More Resources
Forensic Tools
"Illicit traffic is not about products, it's about transactions." - Moisés Naím, Illicit
• veresoftware.com
Vere Software is dedicated to creating a "more safe" online environment. We specialize in software applications that can be used to help your investigations maintain structure while properly gathering evidence that can be used in court. Our clients include law enforcement agencies and special investigators. Our products are designed as a tool for the investigator to collect evidence of online criminal activity. We will help you, the investigator, "make the internet your regular beat".
• Maresware/dmares.com
Maresware: The Suite
Maresware: Linux Computer Forensics
Validation Tools and other products
• ProDiscover/Techpathways.com
Investigator
Forensics
Incident Response
Other tools
• Paraben Corporation/paraben.com
P2 Power Pack

Hard Drive Forensics
Forensic Replicator Complete bit-stream acquisition software for hard drives and media
P2 eXplorer Mount almost any forensic image as a virtual drive
Forensic Sorter Save time by sorting your evidence into workable categories
E-mail Examiner A full featured e-mail examination tool for over 30 popular e-mail formats
Network E-mail Examiner Examine large network e-mail stores including Exchange, Notes, and GroupWise
Text Searcher Perform advanced, fast text searching through indexing
Registry Analyzer Analyze entire Windows registry files
Chat Examiner Examine chat log files for Yahoo, MSN, ICQ, and more
Decryption Collection Break passwords for over 35 types of encrypted files
Case Agent Companion View over 250 different file formats for detailed analysis & reporting of digital evidence

Enterprise Forensics

Mobile Devices
Cell Seizure v3.0 ADVANCED MOBILE PHONE FORENSIC SOFTWARE
SIM Card Seizure v1.0.2131
Computrace Complete laptop security
Computrace Data Protection
• Guidance Software/guidancesoftware.com
EnCase Enterprise
Field Intelligence Model
• AccessData Corp/accessdata.com
The Ultimate Toolkit
Forensic Toolkit
Password Recovery Toolkit
Registry Viewer
• Wetstone/wetstonetech.com
Gargoyle Investigator
DETS
• Determina/determina.com
Determina VPS
Determina Memory Firewall
Determina LiveShield
• EnterEdge/enteredge.com
Intrusion Protection Solutions
EnterEdge Vulnerability Management Service (VMS)
• Digital Intelligence/digitalintelligence.com
• DocuLex/doculex.com
Litigation Support
Electronic Discovery
• snort.org
In 1998, Martin Roesch wrote an open source technology called Snort, which he termed a "lightweight" intrusion detection technology in comparison to commercially available systems. Today that moniker doesn't even begin to describe the capabilities that Snort brings to the table as the most widely deployed intrusion prevention technology worldwide. Over the years Snort has evolved into a mature, feature rich technology that has become the de facto standard in intrusion detection and prevention. Recent advances in both the rules language and detection capabilities offer the most flexible and accurate threat detection available, making Snort the "heavyweight" champion of intrusion prevention.
• bleedingthreats.net
Bleeding Edge Threats is a center for Open Security Research. We produce data feeds regarding new and up to the minute threats and research, and a number of other related security projects. Bleeding Edge Threats brings together the most experienced, and the least experienced security professionals.
• wiresharktraining.com/wiresharkU.com
The Wireshark Certification Program strives to test a candidate's knowledge and ability to troubleshoot, optimize and secure a network based on evidence found by analyzing the traffic.
• cacetech.com
CACE (Creative, Advanced Communication Engineering) Technologies is dedicated to enhancing the Wireshark user experience. Our staff of accomplished computer scientists and engineers has created Wireshark®, the world's most popular network analyzer; WinPcap™, the industry-standard open source packet capture library for Windows; and the AirPcap™ product family of 802.11 WLAN packet capture devices for Wireshark. Our collective experience and talents combine to offer exciting networking products as well as a broad range of engineering, development, and consulting services.
• packet-level.com
The four Wireshark University courses were written by Laura; these courses include new trace files, more details on troubleshooting techniques, and case studies. In addition, Laura has hand-picked instructors to teach the courses; these instructors have years of packet-level experience and are some of the best instructors in the industry. Laura (and the WSU advisory committee) are developing the certification test to validate candidate capabilities in the area of troubleshooting and securing networks using Wireshark. Laura works closely with Gerald Combs (original author of Wireshark) and Loris Degioanni (original author of WinPcap) to build the most current and complete educational materials to support Wireshark.
• insecure.org
Nmap ("Network Mapper") is a free and open source (license) utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and both console and graphical versions are available.
• netscantools.com
NetScanTools Pro is an ideal tool for those who work in the network security, administration, training, internet forensics or law enforcement internet crimes fields.
• mjmenz.com
“Finding the Truth, One bit at a Time”
• cyberevidence.com
CyberEvidence, Inc. is a leading provider of computer forensics. The concepts of digital data investigation and security will be an ever expanding part of the future. The need for professional, proficient and highly trained investigative resources dedicated to this fast developing industry is evident. CyberEvidence, Inc. addresses this need in three primary ways:

1. providing clients with a range of digital data incident response, investigative and consulting services;
2. providing industry leading training to individuals and organizations involved in digital forensics; and
3. developing partnerships with institutions of higher learning to help move the digital forensics industry into the academic mainstream.
• infobin.org
DeepDarkAbyss, ForensicsWeb, and the main Infobin site, as well as an updated Jatero.Com site.
• hightechcrimecops.org
To train, support and encourage investigators through information sharing to preserve, recover, and analyze digital evidence in a forensically sound manner for criminal, civil and administrative purposes. To provide digital crime prevention education to the public. To promote knowledge of the impact of digital crime among senior leaders, both in the public and private sectors.
• tucofs.com
TUCOFS, or T.U.C.O.F.S., stands for The Ultimate Collection of Forensic Software. This site places all Law Enforcement Personnel in touch with the latest and greatest Internet based resources for High Tech Law Enforcement purposes. Resource types include files, software, websites and documentation. TUCOFS can be used as an index pointing you to various resources, allowing you to quickly find exactly what you are looking for.
• wotsit.org
Programmer's file and data format resource. This site contains information on hundreds of different file types, data types, hardware interface details and all sorts of other useful programming information; algorithms, source code, specifications, etc.
• DFLabs
DFLabs is an ISO9001 certified consulting company founded by Dario Forte, CISM, CFE, specializing in Information Security Risk Management. Our mission is: Supporting Information Security Strategies and Guaranteeing Business Security. Proud of its professional experience, DFLabs provides consulting services in the following areas: Information Security Strategy, Incident Prevention and Response, Digital Forensics, Infosecurity Training, Intrusion Prevention, Log and Vulnerability Management. We are based in Northern Italy, and we perform our operations worldwide.
• PTK a new advanced interface for “The Sleuth Kit”
PTK is an alternative advanced interface for the TSK suite (The Sleuth Kit). PTK was developed from scratch and, besides providing the functions already present in Autopsy Forensic Browser, it implements numerous new features essential during forensic activity. PTK is not just a new, highly professional graphical interface based on Ajax technology; it offers a great deal of features for the analysis, search and management of complex digital investigation cases. The core component of the software is an efficient Indexing Engine that performs several preliminary analysis operations while each piece of evidence is imported. PTK allows the management of different cases and different multi-user levels. It is possible to allow more than one investigator to work on the same case at the same time. All the reports generated by an investigator are saved in a reserved section of the database. PTK is a web-based application and builds its indexing archive inside a MySQL database, thus using the LAMP stack (Linux-Apache-MySQL-PHP).
• 10-23 On-Scene Investigator
This toolkit was created for the non-technical first responder to a computer incident involving a Windows computer. It is remastered from Knoppix, a bootable distribution of Linux. The toolkit runs completely off of the CD and out of RAM and does not touch the suspect hard drive(s). This was verified by comparing SHA256 hashes taken before and after the toolkit was used on a Windows system. As reported by Ernie Baca, there is an issue with Linux (and therefore KNOPPIX) where a bit is changed on journaling filesystems when they are mounted (even read-only). Therefore caution should be exercised when using 10-23 on a Linux system.
• THE FARMER'S BOOT CD (FBCD)
FBCD provides you with an environment to safely and quickly preview data stored within various storage media (hard drives, USB thumbdrives, handheld music players such as iPods, digital camera media, etc.), enabling you to identify and locate data of interest.
• crackpdf.com
PDF Password Cracker is a utility to remove the security on PDF documents (of course, you should have the right to do so, for example in the case of a forgotten user/owner password). Only standard PDF security is supported, neither third-party plug-ins nor e-books.
• americantower.com
Locate Cell Phone Towers
• cellreception.com
Find Cell Tower Locations
• searchbug.com
Find and investigate people, locate businesses, verify phone numbers and addresses

• techcrime.com
Massive list of useful sites
• KBSolutions Inc/kbsolutions.com
KBSolutions provides computer forensic investigations as well as consultation and training in various aspects of cyber crime. We specialize in sex offender management as it relates to cyber criminal activities. We do not provide forensic services in civil matters or do defense work.
• wigle.net
Wireless Geographic Logging Engine
• OnScene Investigator/forensicsmatter.com
OnScene Investigator is a cost effective, simple to use tool for quickly searching and/or imaging computers (in EnCase format). It is ideal for on-scene triage of computers to identify relevant evidence before imaging. OnScene Investigator is suitable for all Intel PCs, especially the Apple MacBook and MacBook Pro, and for the PPC iMac and PowerBook G4.
• zillow.com
Zillow.com is an online real estate service dedicated to helping you get an edge in real estate by providing you with valuable tools and information.
• centralops.net
This site is a collection of Internet utilities developed by Hexillion using its HexGadgets components. Most of the utilities have ASP or ASP.NET source code available.
• ic3.gov
The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C).
• Better Business Bureau
U.S. and Canada
United States

________________________________________
Training
• Cell Phones
ohiohtcia.org
forensicts.co.uk
• Computer Forensics
Maresware Training Seminars
Mississippi State Center for Computer Security Research
AccessData
Paraben
iacis.info
newhorizons.com
wetstonetech.com
cftco.com
securityuniversity.net
Apple Mac OS X
vigilar.com
wright.edu
CCE Bootcamp
• Fingerprints
FBI Fingerprint Training
• Hacking Investigations
newhorizons.com
• Security
Learning Tree
newhorizons.com
• Steganography
GaryKessler.Net
wetstonetech.com

________________________________________
Resources
dshield.org
FBI: HAS YOUR BUSINESS BEEN HACKED?
itsecurity.com
FBI Computer Analysis and Response Team
techpathways.com
Back to Information Security Basics
security-books.com
NSA Information Assurance
Hetherington Information Services
Laboratoire d'EXpertise en Sécurité Informatique
PEI Systems
AlliedBarton Security Services
securityhorizon
Mandiant(formerly Red Cliff)
Mares and Company
Medford Police
LAPD Online
LAPD Crimemaps
computer-forensic.com
forensicts.co.uk
tucofs.com
CygnaCom Solutions
MITRE
Password Recovery Pro recovers hidden passwords by simply holding the mouse cursor over the asterisks field
Hidden Keyboard Memory Mod
Career with Network and Information Security?

You can make a career in network and information security; the career map looks like this:

For Freshers - :

1) Anyone who has completed graduation (B.Sc/B.Com/B.A) or B.Tech/B.E, etc.
2) A basic networking course (like CCNA).
3) Start your career as a network or system engineer.

For Experienced - :

After three years of experience you have to choose one specific work area: either network or security.

For Network Experience people - CCNA--->CCNP-->CCIE

For Network Security Experience people - 
CCNA--->CCNA Security -->CCSP-->CCIE Security.

You can also pursue product-specific certifications, like --
Checkpoint firewall - CCSA-->CCSE-->CCMSE-->CCMA-->CCEPE
For Information Security process -:

Here I want to tell you very clearly that only people who already have 2+ years of experience should get into this line. Certifications are mentioned below --

1. For auditing purposes - CISA
2. Information Security process - CISSP (min. 3 years of experience is mandatory).
3. Certified Ethical Hacker - CEH.
4. For Security Management - CISM