
Allowing Specific DNS Servers on ASA Firewall

The following post shows how to allow only specific DNS servers through a Cisco ASA firewall. In this example, Google DNS is the resolver being allowed through the firewall.

object-group service DNS-PORTS
 service-object udp destination eq domain 

object-group network GOOGLE-DNS
 network-object host 8.8.8.8
 network-object host 8.8.4.4

access-list ACL_in extended permit object-group DNS-PORTS NETWORK 255.255.255.0 object-group GOOGLE-DNS

Windows 10 is designed to send DNS queries out of all the available interfaces on the machine. The OS takes into account neither the network interface priority nor the default route.

This design is acceptable until a VPN scenario is involved, where the DNS request is supposed to go through the VPN tunnel for security reasons. A query that leaks out of another interface allows an attacker to intercept the DNS request and modify the reply to perform a man-in-the-middle attack.

The easy fix is to add a DWORD named DisableSmartNameResolution with a value of 0 under the following path.

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient

How to restrict WordPress login to specific IPs

This involves adding the following code to the .htaccess file in the root of the WordPress installation directory, with each IP address on a new line and each subnet written in CIDR format.

The code below is displayed as an image because of a WordPress limitation.

[Image: screenshot of the .htaccess snippet]
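As an added example that is not the post's own snippet (which is only available as the image above), the following Python code builds the wp-login.php allow list in Apache 2.4 `Require ip` syntax, one entry per line as the post describes, and validates every entry first so that a subnet typed without the CIDR host bits cleared (for example 203.0.113.5/24) is rejected instead of silently widening the list. It assumes Apache 2.4; the post's original snippet may have used the older 2.2 syntax.

```python
import ipaddress

# Constructed allow list using documentation addresses as placeholders; replace with your own.
ALLOWED = ["198.51.100.7", "203.0.113.0/24"]


def bad_entries(entries):
    """Return the entries that are not a single IP or a CIDR block with the host bits clear."""
    bad = []
    for entry in entries:
        try:
            ipaddress.ip_network(entry, strict=True)   # strict: "203.0.113.5/24" is an error
        except ValueError:
            bad.append(entry)
    return bad


def htaccess_login_block(entries):
    """Build an Apache 2.4 <Files> block that admits only the listed IPs/CIDRs to wp-login.php,
    one Require line per entry; every other client gets 403. Raises on a malformed entry."""
    if bad_entries(entries):
        raise ValueError(f"invalid allow-list entries: {bad_entries(entries)}")
    lines = ["<Files wp-login.php>"]
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=True)
        # a single host is written without a prefix length, a subnet in CIDR form
        target = str(net.network_address) if net.prefixlen == net.max_prefixlen else net.with_prefixlen
        lines.append("    Require ip " + target)
    lines.append("</Files>")
    return "\n".join(lines)


if __name__ == "__main__":
    print(htaccess_login_block(ALLOWED))
```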

A Closer Look at LG G4

I have had the pleasure of being given the opportunity to participate in the #TryLGG4 program. I am someone who usually changes my phone every 9-12 months and am currently an LG G3 user. I was not looking for any upgrade because I felt that none of the current devices on the market could match what a G3 offers. This all changed when I had the chance to use the LG G4. Here are my thoughts on the device as I opened the box.

1) Lightweight
2) Ergonomic design
3) Interchangeable battery
4) Expandable storage

The device feels extremely lightweight with an ergonomic design. This is something everyone will look for in a phone, and I am very impressed to see how LG has perfected the overall design of the G4 while giving the user the option to change the battery and expand the storage. Since I am usually on the move throughout the day, I always look for a phone with an interchangeable battery and expandable storage for my photos and videos. This is by far one of the attraction points of the G3 and now the G4. Every user's requirements of a phone are different, and for me points 3) and 4) are the deal breakers.

The 5.5 inch screen of this device is exceptionally well calibrated and stands out among all the devices in the market. The quantum display will definitely beat any device on the current market.

The camera on the LG G4 is absolutely brilliant and I can't think of any device on the current market which can beat the G4's photo quality. The overall quality is not only great in moderately lit areas but is exceptionally good in low-light areas as well. The camera application itself is very intuitive and lets the user quickly change the mode according to his/her liking. This is something any user would prefer when taking the perfect snap at a given moment in time.

Battery life of the G4 is average and, being a power user, I can pretty much use it for an entire day on a full charge. If you are a power user who wouldn't get to charge the device at night, then I would recommend taking advantage of the interchangeable battery; a spare battery would definitely give you peace of mind.

In addition to the G4, I have had the chance to use it with the LG Bluetooth Infinim, whose performance, style and design, ease of use, features and settings, quality, and excellent audio quality go hand in hand with the G4.

To conclude, the overall design and the software on the LG G4 are what I expected from LG. The 3GB RAM upgrade on the G4 does help the software run smoothly. I would definitely recommend the LG G4 to anyone who wants to have the best phone of 2015.

Filtering unwanted traffic from the Internet

The following post explains one of the recommended methods of filtering unwanted traffic from the internet to the internal network.

Most administrators filter RFC-1918 addresses traversing from the internet to internal networks, while still allowing the list of bogon prefixes defined in RFC-3330. These addresses are _not_ publicly assigned, so you should never see them as the source IP of traffic destined for your internal network. Furthermore, it is a best practice from a security perspective to filter these ranges in case you are targeted by a spoofing attack.

For reference, please check RFC-3330, which lists all the prefixes in question.

The following configuration example shows RFC-3330 filtering on a Cisco ASA Firewall.

object-group network RFC-3330
   network-object 0.0.0.0 255.0.0.0
   network-object 10.0.0.0 255.0.0.0
   network-object 14.0.0.0 255.0.0.0
   network-object 24.0.0.0 255.0.0.0
   network-object 39.0.0.0 255.0.0.0
   network-object 127.0.0.0 255.0.0.0
   network-object 128.0.0.0 255.255.0.0
   network-object 169.254.0.0 255.255.0.0
   network-object 172.16.0.0 255.240.0.0
   network-object 191.255.0.0 255.255.0.0
   network-object 192.0.0.0 255.255.255.0
   network-object 192.0.2.0 255.255.255.0
   network-object 192.88.99.0 255.255.255.0
   network-object 192.168.0.0 255.255.0.0
   network-object 198.18.0.0 255.254.0.0
   network-object 223.255.255.0 255.255.255.0
   network-object 224.0.0.0 240.0.0.0
   network-object 240.0.0.0 240.0.0.0

Create the access list, where the ACL named INTERNET is applied to the OUTSIDE interface.

access-list INTERNET deny ip object-group RFC-3330 any
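As an added example (not part of the post), the Python below turns the deny rule into something a defender can read back from the firewall logs: it parses constructed ASA 106023 "Deny" syslog lines for the INTERNET ACL, counts how many denied packets came from each prefix of the RFC-3330 group, and separates out denied sources that the group does not cover. The log lines are constructed for this example, and the prefix list is a subset of the post's object-group written in CIDR form.

```python
import ipaddress
import re
from collections import Counter

# Prefixes from the RFC-3330 object-group in the post (a subset, in CIDR form).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed %ASA-4-106023 syslog lines (not real traffic), as logged when an ACL denies a packet.
SAMPLE_LOG = """
%ASA-4-106023: Deny tcp src outside:10.20.30.40/51234 dst inside:192.168.1.5/443 by access-group "INTERNET" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:203.0.113.9/53 dst inside:192.168.1.20/33333 by access-group "INTERNET" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:127.0.0.1/4444 dst inside:192.168.1.5/22 by access-group "INTERNET" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:10.99.1.2/40000 dst inside:192.168.1.5/443 by access-group "INTERNET" [0x0, 0x0]
"""
DENY = re.compile(r'%ASA-4-106023: Deny (\w+) src \w+:([\d.]+)/\d+ dst \w+:([\d.]+)/\d+ by access-group "([^"]+)"')


def bogon_prefix(ip):
    """Return the matching bogon prefix as a string, or None when the address is not in the list."""
    ip = ipaddress.ip_address(ip)
    return next((str(p) for p in BOGONS if ip in p), None)


def summarise(log, acl="INTERNET"):
    """Count denies per bogon prefix for one ACL and collect denied sources the list does not cover."""
    hits, uncovered = Counter(), []
    for proto, src, dst, name in DENY.findall(log):
        if name != acl:          # only the ACL that carries the bogon deny rule
            continue
        prefix = bogon_prefix(src)
        if prefix:
            hits[prefix] += 1
        else:
            uncovered.append(src)   # denied by another rule or the implicit deny
    return hits, uncovered


if __name__ == "__main__":
    counts, others = summarise(SAMPLE_LOG)
    for prefix, n in counts.most_common():
        print(f"{prefix:18} {n} denied")
    print("denied sources outside the bogon list:", others)
```

RFC 3330 has since been obsoleted by RFC 5735 and RFC 6890, and several prefixes in the post's list (for example 14.0.0.0/8, 24.0.0.0/8 and 39.0.0.0/8) are now routed on the public Internet, so the list should be checked against the current IANA special-purpose address registry before it is deployed.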

On the Cisco ASA, both port-object and service-object achieve the same result. However, the way an extended Access Control List (ACL) references a port-object or a service-object differs in the ACL statement.

Below, we look at two TCP services, namely www and https, defined using a port-object and a service-object as follows.

Port Object

object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https

Service Object

object-group service WEB-PORTS
 service-object tcp eq 80
 service-object tcp eq 443

The port-object form defines the object name and the protocol in the object-group statement and only the port in each port-object line, while the service-object form defines the protocol and the port together on each line. The following ACLs illustrate the difference.

Port-Object within an extended ACL
The port-object is defined at the end of the ACL.

access-list ACL_in extended permit tcp NETWORK SUBNET any object-group WEB-PORTS

Service-Object within an extended ACL
With the service-object, the object group is substituted for the protocol within the ACL.

access-list ACL_in extended permit object-group WEB-PORTS NETWORK SUBNET any
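As an added example (not from the posts), the Python below models the ASA object-group and ACL semantics used both in the DNS post at the top of this page and in the port-object/service-object comparison above: it parses the object groups and ACL lines, then evaluates sample packets against them, showing that the two object forms end up as the same (protocol, port) pairs. The posts' NETWORK/SUBNET placeholder is assumed to be 192.168.1.0/24.

```python
import ipaddress
# Constructed ASA snippet from the posts above; their NETWORK/SUBNET placeholder is assumed to be 192.168.1.0/24.
ASA_CONFIG = """
object-group service DNS-PORTS
 service-object udp destination eq domain
object-group network GOOGLE-DNS
 network-object host 8.8.8.8
 network-object host 8.8.4.4
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
access-list ACL_in extended permit object-group DNS-PORTS 192.168.1.0 255.255.255.0 object-group GOOGLE-DNS
access-list ACL_in extended permit tcp 192.168.1.0 255.255.255.0 any object-group WEB-PORTS
"""
PORT_NAMES = {"domain": 53, "www": 80, "https": 443}  # ASA port keywords used above

def addr(t, i, nets):  # address spec at t[i]: 'host A' | 'A MASK' | 'object-group G'
    if t[i] == "object-group":
        return nets[t[i + 1]], i + 2
    return [ipaddress.ip_network(t[i + 1] if t[i] == "host" else f"{t[i]}/{t[i + 1]}")], i + 2

def parse(config):  # -> (network groups, service groups as {(proto, port)}, {acl: [rules]})
    nets, svcs, acls, cur, proto = {}, {}, {}, None, None
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] == "object-group":             # header names the group; a trailing tcp/udp serves port-objects
            cur, proto = t[2], (t[3] if len(t) > 3 else None)
            (nets if t[1] == "network" else svcs)[cur] = [] if t[1] == "network" else set()
        elif t[0] == "network-object":
            nets[cur] += addr(t, 1, nets)[0]
        elif t[0] == "port-object":            # protocol from the header, port from the line
            svcs[cur].add((proto, int(PORT_NAMES.get(t[-1], t[-1]))))
        elif t[0] == "service-object":         # protocol and port on the same line
            svcs[cur].add((t[1], int(PORT_NAMES.get(t[-1], t[-1]))))
        elif t[0] == "access-list":            # 'any' is ASA shorthand for 0.0.0.0 0.0.0.0
            t = [y for x in t if x != "extended" for y in (["0.0.0.0", "0.0.0.0"] if x == "any" else [x])]
            # a service-object group replaces the protocol keyword; a port-object group follows the addresses
            services, i = (svcs[t[4]], 5) if t[3] == "object-group" else ({(t[3], None)}, 4)
            src, i = addr(t, i, nets)
            dst, i = addr(t, i, nets)
            services = svcs[t[i + 1]] if t[i:i + 1] == ["object-group"] else services
            acls.setdefault(t[1], []).append((t[2], services, src, dst))
    return nets, svcs, acls

def evaluate(acls, name, proto, src, dst, dport):  # first matching rule wins, then implicit deny
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, services, srcs, dsts in acls.get(name, []):
        if any(p in ("ip", proto) and pt in (None, dport) for p, pt in services) \
                and any(src in n for n in srcs) and any(dst in n for n in dsts):
            return action
    return "deny"
```

Note that DNS-PORTS as written only covers UDP, so a resolver that retries over TCP after a truncated response is dropped by this ACL; add a tcp service-object if that matters for your resolvers.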

Copyright © Nish Vamadevan 2002-2015. All Rights Reserved. Terms and Policies.