Skip to content

Security

How to fix the Windows 10 DNS resolver DNS Leaks

The design of Windows 10 allows the Operating System to send DNS queries to all the available interfaces on the machine. The OS does not take into account the network interface priority nor does it take into account any default route. This design is somewhat okay until we face a VPN scenario where the DNS request has to go through the VPN tunnel for security reasons and this will allow a hacker to intercept a DNS request and modify the reply to perform a man-in-the-middle attack. The easy fix it to add a DWORD name of DisableSmartNameResolution with a value of `` under the following path. HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient

RFC 3330 Traffic Filtering From The Internet

The following post will explain one of the recommended method of filtering unwanted traffic from the internet to the internal network.

Most administrators filter RFC-1918 traversing from the internet to internal networks, while they are allowing a list of bogons prefixes which is defined in RFC-3330. These addresses are _not_ publically assigned, therefore should not see them as source IP destined to your internal network. Furthermore, it is a best practice from a security prospective to filter these ranges in case you are targeted with a spoofing attack.

As a reference to this post, please check RFC-3330 which contains all the prefixes in question.

Read more

How to Configure Failover on Cisco ASA Firewall

Configuring a Cisco ASA firewall to achieve resiliency is straightforward. Implementing the failover feature in the firewall to be on Active Standby mode can achieved by the following commands.

Please note that it is not recommended to use the Management interface for failover purposes, especially for stateful failover in which the security appliance constantly sends the connection information from one security appliance to the other.

Furthermore, we have to consider the future implication of using such Management Interface, as you may be want to create a completely new network for the Out Of Bound (OOB) access where the Management Interface on each device will participate. Therefore, using a Management Interface might cause design issues in the future.

On this example below, I will be using GigabitEthernet0/5 on both devices as the Failover interface.

Read more

How to Configure Firewall on Linux

Below I will go over three easy steps on Configuring IPTables Firewall on Linux Environment. The following configuration was tested on 64 Bit Debian.

The firewall itself consists of two configuration files located in the following location.

/etc/default/firewall-rules consist the firewalls rules which are editable by the user.
/etc/init.d/firewall is the script for start|stop|restart|status of the firewall.

Below you can see Sample Firewall Rules. This script resides in /etc/default/firewall-rules

Please use this as a template and replace the EXIF, EXTIP and other IP Address / Ranges.

Read more

DNSSec Effect on ASA / PIX Firewalls & FWSMs

As of 5th May 2010 All 13 DNS ROOT Server will consist of a signed digital signature with every replied query. This has been ruled out to tackle any man-in-middle attack similar to Dan Kaminsky’s exploit. Is it going to break the internet? It is only going to affect if the firewalls & FWSM are not configured correctly to allow DNSSEC signed packets. The answer being, as we already know DNS uses UDP packets for query replies; and most firewalls are going to drop any packets larger than 512bytes. Having been said, the DNSSEC signed replies are going to have an extra layer of encryption, thus increasing the packet size up to 4KB (4096) and the firewalls & FWSMs needs to be configured to allow such larger packets through. What needs to be configured on the Firewall? The firewall needs to have the following settings to allow larger UDP packets through… Read more

How to Configure IPSec VPN

I have come across an odd scenario on pre-share key based IPSec tunnels…

The question being, when an IPSec tunnel is active (Phase 1 and 2 are UP) and the pre-share key is changed, does this tear down the tunnel?

The tunnel configuration on R4 follows…

!
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp key fnode address 192.168.1.5
!
!
crypto ipsec transform-set FNODE1 esp-3des esp-sha-hmac
!
crypto map FNODE1 1 ipsec-isakmp
 set peer 192.168.1.5
 set transform-set FNODE1
 match address 120
!

!
interface Ethernet0/0
 ip address 192.168.1.4 255.255.255.0
 full-duplex
 crypto map FNODE1
!

access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!

The tunnel configuration on R5 follows…

Read more

DNS Cache Poisoning Bug

When a Name Server looks up a domain for the IP address, it stores the information into the cache so it doesn’t have to look it up every single time a request is made. For example, if someone looks for www.nishv.com the DNS server will look up the domain and stores the IP address 72.52.178.35 into the cache for a given time so it doesn’t have to look up that domain again for a given period of time. DNS cache poisoning (also known as DNS cache pollution) is a maliciously created or unintended situation that provides data to a DNS Server that did not originate from authoritative DNS sources. It happens when an attacker sends malicious data in response to a DNS query. For example, DNS query for www.nishv.com can be redirected to another website. This method is taking the phishing scam to another level, you might be visiting your bank’s website but without you realising it, you will actually be putting in all the login information into some hackers servers which made it look exactly like the bank’s website. Read more

OpenDNS

OpenDNS is a free DNS provider who does the Web-content filtering on their end. You don’t need to install any software to filter any content. All you need to do is register and follow the setup instructions, once that is done you will have access to your own area where you can filter phishing sites, give you the power to filter out adult sites and proxies among more than 40 categories, and provide the precision to block individual domains. All you have to do is, set the DNS server to 208.67.222.222 & 208.67.220.220 and do the content filtering on your very own control panel! Also this is a great advantage to parents and you will save a lot of money on buying content filtering software like Net Nanny etc… Everything you need to know can be found on http://www.opendns.com/ and I highly recommend anyone to use this Free service.

Security Software (Antivirus / Firewall)

Antivirus This is one of the most important software one should have, even though I prefer to use GPL / Free software but when it comes to Antivirus, I fully support a paid version of Antivirus or a Security Suit which consists of Antivirus, Firewall etc compared to a Free version. If you are going to pay for an Anti-Virus, I would recommend Kaspersky Internet Security (Currently Version 7.0) this cost around £25 per year with 3 licences, so you can install it up to 3 PCs, and if you prefer to have one licence, it cost around £18/Year. This will include an All-In-One protection suit which consists of an Anti-Virus, Firewall, and Intrusion Protection and so on… I have used a lot of Anti-Virus software in the past and Kaspersky is definitely the far most advanced AV I have ever come across, I would personally say away from Norton because it is… Read more