Using Nitro to monitor Domain Admin Password Changes

We had a requirement to monitor when Domain Admins changed their passwords so that we could pass our PCI audit this year. The issue is that an attacker with a foothold can just as easily change a Domain Admin's password as create a new account in Domain Admins, and monitoring group membership alone misses the first case. I was already monitoring Domain Admins for new accounts being created; this seemed like the next step.

I came up with this method to monitor it with Nitro and then have it send me a report.

1. Create a Watchlist
Call it whatever you want, but make it a destination user type and then choose an assignee.

2. Input all of your Domain Admins into the Watchlist. The watchlist is static, so it has to be updated whenever Domain Admins membership changes or the new admins will not be covered.

3. After creating the watchlist, go into Alarms and create a new alarm.
Give it a name
Choose an assignee

4. Go to the Condition tab and choose "specified event rate", set the event count to "1", and choose a time frame of 10 minutes. This is what makes the alarm fire as soon as a single matching event arrives.

5. Click the filter icon and set the following for your query filter:
signature id: 43-211006270,43-211006280,43-263047230
destination user: WL:(name of watchlist)
Under "select a device", choose all of your domain controllers. We have two domains, so we are monitoring several machines.

6. Now here is where the magic comes in and the best alerting you can set up. Under actions, choose Generate Report and then click Configure.
Here you create a new report that lists the userid field and any other information you want. You also choose your email recipients here so that you are notified when a Domain Admin's password has changed. Since the parameters from the alarm are not passed to the report, you need to repeat the filter at the bottom of the report to keep it limited to what you are looking for:
signature id: 43-211006270,43-211006280,43-263047230
destination user: WL:(name of watchlist)
set the time range to the last 10 minutes (the same window as the alarm condition, so the event that fired the alarm is inside the report)

7. Click Finish. You now have an alarm that is triggered whenever a Domain Admin's password is changed.
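To make the alarm logic concrete, here is the filter, the "specified event rate" condition and the report expressed as plain detection code run over a handful of sample events. This is an added example, not McAfee ESM code and not from the original post: the event records are constructed, and the field names (time, device, signature_id, destination_user, source_user) and the device names are assumptions chosen to mirror the alarm's filter fields. The signature IDs and the "1 event in 10 minutes" rate are the ones the alarm uses.

```python
"""The alarm above expressed as plain detection logic.

Added example; this is not McAfee ESM code and not from the original
post. The event records are constructed, and the field names (time,
device, signature_id, destination_user, source_user) and device names
are assumptions chosen to mirror the alarm's filter fields. The
signature IDs and the "1 event in 10 minutes" rate are the ones the
alarm uses.
"""
from datetime import datetime, timedelta

SIGNATURE_IDS = {"43-211006270", "43-211006280", "43-263047230"}
DOMAIN_CONTROLLERS = {"dc01", "dc02"}                  # assumed device names
DOMAIN_ADMINS = {"CORP\\jsmith", "CORP\\adm.jdoe"}     # stands in for the watchlist

# Constructed events, not real ESM output. Two should NOT match: one comes
# from a member server, one targets a user who is not a Domain Admin.
EVENTS = [
    {"time": "2013-03-04 09:00:12", "device": "dc01", "signature_id": "43-211006270",
     "destination_user": "corp\\jsmith", "source_user": "corp\\jsmith"},
    {"time": "2013-03-04 09:03:40", "device": "dc02", "signature_id": "43-211006280",
     "destination_user": "CORP\\adm.jdoe", "source_user": "CORP\\helpdesk1"},
    {"time": "2013-03-04 09:05:01", "device": "fileserver1", "signature_id": "43-211006270",
     "destination_user": "CORP\\jsmith", "source_user": "CORP\\jsmith"},
    {"time": "2013-03-04 09:06:15", "device": "dc01", "signature_id": "43-211006270",
     "destination_user": "CORP\\bob", "source_user": "CORP\\bob"},
    {"time": "2013-03-04 11:30:00", "device": "dc01", "signature_id": "43-263047230",
     "destination_user": "CORP\\adm.jdoe", "source_user": "CORP\\adm.jdoe"},
]


def matches_filter(event, watchlist=DOMAIN_ADMINS, devices=DOMAIN_CONTROLLERS):
    """The alarm's query filter: password-change signature, destination user
    on the watchlist, and the event came from a domain controller. User names
    are compared case-insensitively so a watchlist entry typed as CORP\\jsmith
    still matches an event logged as corp\\jsmith."""
    return (event["signature_id"] in SIGNATURE_IDS
            and event["device"] in devices
            and event["destination_user"].lower() in {u.lower() for u in watchlist})


def rate_windows(events, count=1, window=timedelta(minutes=10)):
    """The "specified event rate" condition. Matching events are grouped into
    windows starting at the first matching event; each window holding at
    least `count` events is one alarm firing. Returns a list of windows,
    each a list of the events that fell inside it."""
    matched = sorted((e for e in events if matches_filter(e)), key=lambda e: e["time"])
    firings, bucket, start = [], [], None
    for event in matched:
        t = datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")
        if start is None or t - start >= window:
            if len(bucket) >= count:
                firings.append(bucket)
            bucket, start = [], t
        bucket.append(event)
    if len(bucket) >= count:
        firings.append(bucket)
    return firings


def report_lines(firing):
    """The report the alarm emails: whose password changed, who changed it,
    and on which DC. The changer (source_user) is what separates a routine
    self-service change from a reset done from someone else's account."""
    return [f"{e['time']} {e['device']} sig={e['signature_id']} "
            f"user={e['destination_user']} changed_by={e['source_user']}"
            for e in firing]


if __name__ == "__main__":
    for firing in rate_windows(EVENTS):
        print("ALARM: Domain Admin password change")
        for line in report_lines(firing):
            print("  " + line)
```

Run as-is it prints two alarms: one for the 09:00 and 09:03 events, which fall in the same 10-minute window, and one for the 11:30 event. The member-server event and the non-admin user are filtered out. Whether ESM groups events into windows exactly this way is an assumption; the point is that with the count set to 1, every matching event fires the alarm, and the report is where you see who actually made the change.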

Dynamic Arp Inspection/DHCP Snooping

In trying to remove man-in-the-middle attacks from my network (ARP spoofing in particular, which is what DAI is built to stop) I started looking at Dynamic ARP Inspection (DAI) and DHCP Snooping. I brought them home to my lab and started to play. Here is what I read to figure out what to do and how to implement it:

Research:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_58_se/configuration/guide/swdynarp.html#wp1039773
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dynarp.html
http://packetlife.net/blog/2010/aug/18/dhcp-snooping-and-dynamic-arp-inspection/

How to configure:

First turn on DHCP snooping on the switch or switches:

"ip dhcp snooping"
"ip dhcp snooping vlan (vlan to monitor)"

Let it run for a while to populate the DHCP snooping binding database. This database is extremely important: once DAI is on, an ARP packet arriving on an untrusted port is only forwarded if its sender IP and MAC match a binding in this database (or an ARP ACL), so any host missing from it has its ARP traffic dropped. The database is also kept in memory and lost on reload unless you point the snooping database agent at persistent storage, for example "ip dhcp snooping database flash:/dhcp-snooping.db"; without that, every host with an existing lease is cut off after a reboot until it renews.

To view the database you can use the following:

“show ip dhcp snooping binding”

Uplink ports and ports that have DHCP servers behind them need the following on the interface, or clients won't be able to get addresses:

“ip dhcp snooping trust”

Before you turn on Dynamic ARP Inspection you need to track down any dumb switches (switches that don't support DAI) and any hosts with a static IP address, because neither will have a DHCP snooping binding and DAI will drop their ARP traffic.

I recommend removing any dumb switches from the network, as they just create security holes and will cause you nothing but problems.

Here is one solution, but I think it is better, and easier, to get rid of them:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dynarp.html#wp1077449

As for the static hosts, you can put "ip arp inspection trust" on their ports, but I think a better method is to create a static IP-to-MAC binding with the following:

"ip source binding (mac address) vlan (vlan to monitor) (ip address) interface (interface of host)"

This way someone can't just unplug the static host and take over its IP address, since the binding pins that IP to one MAC on one port. Another option would be to change all hosts at the distribution/access layer to DHCP and put reservations into the DHCP server for them to ensure their IP addresses don't change.

To turn on Dynamic ARP Inspection

Identify your uplink ports and use the following command on them:

"ip arp inspection trust"

When you are ready to turn on DAI, run:

"ip arp inspection vlan (vlan to monitor)"

By default all ports are untrusted, and each untrusted port should have one host behind it.

If you have more than one host on a port because of a dumb switch, you need to use "ip arp inspection trust" on that port, or else the switch will drop the ARP traffic of every host behind it.

Two things to watch after enabling it: untrusted ports are rate limited to 15 ARP packets per second by default and are put into err-disabled state if they exceed that, and "show ip arp inspection statistics" gives you per-VLAN counts of forwarded and dropped ARP packets so you can see what is being dropped before the users call.
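The hard part of the procedure above is the audit step: finding the static hosts that have no snooping binding before DAI starts dropping them. Here is an added example, not from the original post or from Cisco, that does that audit from the three "show" outputs a switch gives you (the snooping binding table, the ARP table and the MAC address table) and emits the "ip source binding" commands for anything it finds. The sample outputs are constructed to the column layout of Catalyst IOS 12.2 as I know it, and the interface-abbreviation map is an assumption; hosts learned behind a port you list as trusted (an uplink) are skipped, since DAI never inspects those.

```python
"""Find the hosts DAI would drop and emit static bindings for them.

Added example, not from the original post or from Cisco. It parses the
three IOS "show" outputs a switch gives you (DHCP snooping binding table,
ARP table, MAC address table); the sample outputs are constructed to the
column layout I know from Catalyst 12.2, and the interface-abbreviation
map is an assumption. A host is reported if it is in the ARP table with
no snooping binding and sits on a port you did not list as trusted.
"""
import re

# --- constructed sample output, not captured from a real switch ---
SNOOPING_BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   10.1.10.20       86400       dhcp-snooping  10    GigabitEthernet1/0/3
00:11:22:33:44:66   10.1.10.21       43200       dhcp-snooping  10    GigabitEthernet1/0/4
Total number of bindings: 2
"""
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.10.1               -   0011.2233.4400  ARPA   Vlan10
Internet  10.1.10.20              5   0011.2233.4455  ARPA   Vlan10
Internet  10.1.10.21              7   0011.2233.4466  ARPA   Vlan10
Internet  10.1.10.50             12   0011.2233.4477  ARPA   Vlan10
Internet  10.1.10.60              3   0011.2233.4488  ARPA   Vlan10
"""
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/3
  10    0011.2233.4466    DYNAMIC     Gi1/0/4
  10    0011.2233.4477    DYNAMIC     Gi1/0/7
  10    0011.2233.4488    DYNAMIC     Gi1/0/24
"""

IF_PREFIX = {"Gi": "GigabitEthernet", "Fa": "FastEthernet",
             "Te": "TenGigabitEthernet", "Po": "Port-channel"}   # assumed map
BINDING_RE = re.compile(r"\s*([0-9A-Fa-f:]{17})\s+(\d+(?:\.\d+){3})\s+\S+\s+\S+\s+(\d+)\s+(\S+)")
ARP_RE = re.compile(r"Internet\s+(\d+(?:\.\d+){3})\s+(\S+)\s+([0-9a-f.]{14})\s+ARPA\s+Vlan(\d+)")
MAC_RE = re.compile(r"\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)")


def norm_mac(mac):
    """'0011.2233.4455' or '00:11:22:33:44:55' -> '001122334455'."""
    return re.sub(r"[^0-9a-fA-F]", "", mac).lower()


def dotted(mac12):
    """'001122334455' -> '0011.2233.4455', the H.H.H form IOS commands want."""
    return ".".join(mac12[i:i + 4] for i in (0, 4, 8))


def expand_if(name):
    """'Gi1/0/3' -> 'GigabitEthernet1/0/3' so both tables name ports the same way."""
    m = re.match(r"([A-Za-z-]+)(.*)", name)
    return IF_PREFIX.get(m.group(1), m.group(1)) + m.group(2)


def parse_bindings(text):
    """{(mac, ip): (vlan, interface)} from 'show ip dhcp snooping binding'."""
    rows = {}
    for line in text.splitlines():
        m = BINDING_RE.match(line)
        if m:
            rows[(norm_mac(m.group(1)), m.group(2))] = (int(m.group(3)), expand_if(m.group(4)))
    return rows


def parse_arp(text):
    """[(ip, mac, vlan)] from 'show ip arp'; the switch's own SVIs (age '-') are skipped."""
    out = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m and m.group(2) != "-":
            out.append((m.group(1), norm_mac(m.group(3)), int(m.group(4))))
    return out


def parse_mac_table(text):
    """{(vlan, mac): physical port} from 'show mac address-table dynamic'."""
    ports = {}
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            ports[(int(m.group(1)), norm_mac(m.group(2)))] = expand_if(m.group(3))
    return ports


def static_hosts(bindings_text, arp_text, mac_text, trusted_ports):
    """Hosts with ARP entries but no snooping binding on untrusted ports."""
    bindings = parse_bindings(bindings_text)
    ports = parse_mac_table(mac_text)
    trusted = {expand_if(p) for p in trusted_ports}
    found = []
    for ip, mac, vlan in parse_arp(arp_text):
        if (mac, ip) in bindings:
            continue                      # DHCP client, DAI already knows it
        port = ports.get((vlan, mac))
        if port is None or port in trusted:
            continue                      # no access port found, or behind a trusted uplink
        found.append((mac, vlan, ip, port))
    return found


def source_binding_cmds(hosts):
    """One 'ip source binding' line per static host, ready to paste into config mode."""
    return [f"ip source binding {dotted(mac)} vlan {vlan} {ip} interface {port}"
            for mac, vlan, ip, port in hosts]


if __name__ == "__main__":
    hosts = static_hosts(SNOOPING_BINDINGS, ARP_TABLE, MAC_TABLE, trusted_ports=["Gi1/0/24"])
    print("\n".join(source_binding_cmds(hosts)))
```

On the sample data it reports one host, 10.1.10.50 on Gi1/0/7, and prints the binding command for it; 10.1.10.60 is learned on the trusted uplink Gi1/0/24 and is left alone. Two caveats: a static host that is quiet or powered off will not be in the ARP table, so run this during business hours and cross-check against your documentation, and the generated binding pins the host to one port, so a host that gets moved needs its binding updated or DAI will drop it again.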

Switch Replacements

My company is still in the stone age in some ways, even though we have the latest and greatest in others. However, when it comes to our switching environment, someone made the foolish decision of cutting 2'x2' holes into the concrete and then mounting switches in the floor. This idea was stupid as hell, because unfortunately there are very few switches that we can use in these holes. So when I have a chance to actually replace switches with something that works better and isn't ready to be decommissioned, I am happy. This was one of those weekends where I got to replace some of our old 3524 switches and bring us into 2013 with some nice and shiny new 3750x stack switches. The only downside of this upgrade was that I had to do it 30 feet in the air on top of one of our conference buildings. So getting up there required the use of a lift and getting myself extremely dirty while digging through a bunch of equipment.

The upgrade took about 4 hours, mostly due to balancing and trying not to fall through the roof into the conference room below. Once they were mounted and connected back to our core, the connections came up and started working well. I know that there are some who don't like the 3750x stack switches, but I have to say I have had very good luck with them and they have all worked very well for me. Plus, the additional advantage is that I only have to manage one switch, and I got to replace two other management headaches.

I really wish I could find a good solution for the switches that are sitting in the floor, though; there are so many problems with them that I am afraid I am going to run out of 3524 replacements to go in there.

Nitro...err, McAfee Enterprise Security Manager

We purchased the Nitro logging appliance and fell in love with some of its features. Right as we purchased it, McAfee came in and bought the company, because it was a great product. While McAfee is all over the product now, it doesn't seem to be lacking in features or functionality. I have found quite a few things that don't really seem to be documented anywhere else that I will start putting into my blog. The first of these, in this post, is the common commands I run to find out what is going on with the appliance and to make sure that it is working.

Check that logs are coming in:
Single host:
tcpdump -nnXi eth0 host (ip of host) and port (syslog port) -s0

Subnet:
tcpdump -nnXi eth0 src net (subnet)/24 and port (syslog port) -s0

(-nn skips name and port resolution, -X dumps each packet in hex and ASCII, -s0 captures the whole packet.) The raw dump isn't pretty, but the ASCII column on the right shows enough of each syslog message to confirm that real data is arriving from the source you expect. On a busy collector add -c 20 or so, or the output will scroll faster than you can read it.

Stop and start the services (this is case sensitive):
NitroStop --nod
NitroStart --nod

I will continue to put up posts and log important stuff here as time goes on.

Underwater Navigation Course

In my pursuit of my Dive Master certification I decided to take the Underwater Navigation course. The course consisted of 1 class session, 1 pool session, and in my case 2 ocean dives. The class session was a couple of hours, mostly going through the book and the knowledge reviews you were supposed to have done. We also did a little bit of housekeeping and administrative stuff at that time.

At a later date we had the pool session, which was really nothing more than the instructor testing our skills and making sure we were comfortable in the water. We then spent the rest of the pool session out on dry land practicing our compass work. I had purchased a wrist-mounted compass for this course, thinking that would be better to use than a console one. I had some problems with my console compass not being able to come up far enough for me to read it with its lanyard. The wrist compass, however, turned out not to be a great option, and I think I will be switching over to a compass on a retractor. We spent several hours on land mapping out courses and doing different exercises. It had been a long time since I had done any compass work, so it was really good to get comfortable with doing it again.

We then did two dives at North Crescent Bay in Laguna. On the first one we did a 100-foot swim so we could figure out our distance per kick cycle, which then played into the rest of the tasks we would do for the class. We then followed a mapped-out course that we had been provided with ahead of time and written on our slates. After doing that a couple of times, we got out, switched tanks, went back in and followed a course that had tags on the ground that had been set up ahead of time by the dive instructor. The tags were set with a heading and a distance. We had two courses, one that was shorter and one that was really long. The shorter course was a little easier to follow; on the longer course I had some issues with getting off by a few degrees and then not being able to find the next tag after 160 ft.

Overall this was a great course, and I highly recommend it for anyone who (1) needs a refresher on compass work or (2) is working on their Dive Master cert.


EFR Course Completed

The next step in my goal towards Dive Master is now complete. I completed my EFR course, which was really a refresher for me, as my last one was a couple of years ago. This course had one book with a couple of knowledge reviews, and then we watched a video in class and went through some scenarios. Just a one-day class, which was nice; granted, it wasn't really the way I wanted to spend a Sunday, but at least it is done now and I can get ready for my DM class that is starting in January.


rx/tx load cheatsheet

During the holiday season this year I found myself needing to look at bandwidth metrics and figure out interface load on the fly. Rather than do the math by hand and possibly make a mistake, I used Excel to build a lookup table ahead of time. So taking this line from "show interfaces":

reliability 255/255, txload 201/255, rxload 49/255

And then compare it to this:

txload or rxload value   Out of   Percentage
255 255 100.00%
254 255 99.61%
253 255 99.22%
252 255 98.82%
251 255 98.43%
250 255 98.04%
249 255 97.65%
248 255 97.25%
247 255 96.86%
246 255 96.47%
245 255 96.08%
244 255 95.69%
243 255 95.29%
242 255 94.90%
241 255 94.51%
240 255 94.12%
239 255 93.73%
238 255 93.33%
237 255 92.94%
236 255 92.55%
235 255 92.16%
234 255 91.76%
233 255 91.37%
232 255 90.98%
231 255 90.59%
230 255 90.20%
229 255 89.80%
228 255 89.41%
227 255 89.02%
226 255 88.63%
225 255 88.24%
224 255 87.84%
223 255 87.45%
222 255 87.06%
221 255 86.67%
220 255 86.27%
219 255 85.88%
218 255 85.49%
217 255 85.10%
216 255 84.71%
215 255 84.31%
214 255 83.92%
213 255 83.53%
212 255 83.14%
211 255 82.75%
210 255 82.35%
209 255 81.96%
208 255 81.57%
207 255 81.18%
206 255 80.78%
205 255 80.39%
204 255 80.00%
203 255 79.61%
202 255 79.22%
201 255 78.82%
200 255 78.43%
199 255 78.04%
198 255 77.65%
197 255 77.25%
196 255 76.86%
195 255 76.47%
194 255 76.08%
193 255 75.69%
192 255 75.29%
191 255 74.90%
190 255 74.51%
189 255 74.12%
188 255 73.73%
187 255 73.33%
186 255 72.94%
185 255 72.55%
184 255 72.16%
183 255 71.76%
182 255 71.37%
181 255 70.98%
180 255 70.59%
179 255 70.20%
178 255 69.80%
177 255 69.41%
176 255 69.02%
175 255 68.63%
174 255 68.24%
173 255 67.84%
172 255 67.45%
171 255 67.06%
170 255 66.67%
169 255 66.27%
168 255 65.88%
167 255 65.49%
166 255 65.10%
165 255 64.71%
164 255 64.31%
163 255 63.92%
162 255 63.53%
161 255 63.14%
160 255 62.75%
159 255 62.35%
158 255 61.96%
157 255 61.57%
156 255 61.18%
155 255 60.78%
154 255 60.39%
153 255 60.00%
152 255 59.61%
151 255 59.22%
150 255 58.82%
149 255 58.43%
148 255 58.04%
147 255 57.65%
146 255 57.25%
145 255 56.86%
144 255 56.47%
143 255 56.08%
142 255 55.69%
141 255 55.29%
140 255 54.90%
139 255 54.51%
138 255 54.12%
137 255 53.73%
136 255 53.33%
135 255 52.94%
134 255 52.55%
133 255 52.16%
132 255 51.76%
131 255 51.37%
130 255 50.98%
129 255 50.59%
128 255 50.20%
127 255 49.80%
126 255 49.41%
125 255 49.02%
124 255 48.63%
123 255 48.24%
122 255 47.84%
121 255 47.45%
120 255 47.06%
119 255 46.67%
118 255 46.27%
117 255 45.88%
116 255 45.49%
115 255 45.10%
114 255 44.71%
113 255 44.31%
112 255 43.92%
111 255 43.53%
110 255 43.14%
109 255 42.75%
108 255 42.35%
107 255 41.96%
106 255 41.57%
105 255 41.18%
104 255 40.78%
103 255 40.39%
102 255 40.00%
101 255 39.61%
100 255 39.22%
99 255 38.82%
98 255 38.43%
97 255 38.04%
96 255 37.65%
95 255 37.25%
94 255 36.86%
93 255 36.47%
92 255 36.08%
91 255 35.69%
90 255 35.29%
89 255 34.90%
88 255 34.51%
87 255 34.12%
86 255 33.73%
85 255 33.33%
84 255 32.94%
83 255 32.55%
82 255 32.16%
81 255 31.76%
80 255 31.37%
79 255 30.98%
78 255 30.59%
77 255 30.20%
76 255 29.80%
75 255 29.41%
74 255 29.02%
73 255 28.63%
72 255 28.24%
71 255 27.84%
70 255 27.45%
69 255 27.06%
68 255 26.67%
67 255 26.27%
66 255 25.88%
65 255 25.49%
64 255 25.10%
63 255 24.71%
62 255 24.31%
61 255 23.92%
60 255 23.53%
59 255 23.14%
58 255 22.75%
57 255 22.35%
56 255 21.96%
55 255 21.57%
54 255 21.18%
53 255 20.78%
52 255 20.39%
51 255 20.00%
50 255 19.61%
49 255 19.22%
48 255 18.82%
47 255 18.43%
46 255 18.04%
45 255 17.65%
44 255 17.25%
43 255 16.86%
42 255 16.47%
41 255 16.08%
40 255 15.69%
39 255 15.29%
38 255 14.90%
37 255 14.51%
36 255 14.12%
35 255 13.73%
34 255 13.33%
33 255 12.94%
32 255 12.55%
31 255 12.16%
30 255 11.76%
29 255 11.37%
28 255 10.98%
27 255 10.59%
26 255 10.20%
25 255 9.80%
24 255 9.41%
23 255 9.02%
22 255 8.63%
21 255 8.24%
20 255 7.84%
19 255 7.45%
18 255 7.06%
17 255 6.67%
16 255 6.27%
15 255 5.88%
14 255 5.49%
13 255 5.10%
12 255 4.71%
11 255 4.31%
10 255 3.92%
9 255 3.53%
8 255 3.14%
7 255 2.75%
6 255 2.35%
5 255 1.96%
4 255 1.57%
3 255 1.18%
2 255 0.78%
1 255 0.39%

That tells me the txload on that interface is about 79% (and the rxload about 19%): fast, easy and not likely to get messed up.
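The same lookup as a short script, so it can be run over a whole "show interfaces" dump instead of one line at a time. This is an added example, not from the original post; the sample output is constructed, and only the "(interface) is up/down" and "reliability/txload/rxload" lines are parsed, in the format the text quotes. One caveat worth knowing: by default IOS computes txload and rxload as an exponentially weighted average over the load interval (5 minutes unless you change "load-interval"), so a short burst barely moves them and a sustained 79% is genuinely busy.

```python
"""Interface load percentages from 'show interfaces' output.

Added example, not from the original post. The sample output is
constructed; only the '<interface> is up/down' line and the
'reliability/txload/rxload' line are parsed, in the IOS format the
text quotes. The values are out of 255 and, by default, are
exponentially weighted averages over a 5-minute load interval.
"""
import re

# Constructed sample, not captured from a real switch.
SHOW_INTERFACES = """\
GigabitEthernet1/0/1 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0011.2233.4401 (bia 0011.2233.4401)
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 201/255, rxload 49/255
GigabitEthernet1/0/2 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0011.2233.4402 (bia 0011.2233.4402)
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 3/255
GigabitEthernet1/0/3 is administratively down, line protocol is down (disabled)
  Hardware is Gigabit Ethernet, address is 0011.2233.4403 (bia 0011.2233.4403)
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
"""

IFACE_RE = re.compile(r"^(\S+) is (?:up|down|administratively down)")
LOAD_RE = re.compile(r"reliability (\d+)/255, txload (\d+)/255, rxload (\d+)/255")


def percent(value, scale=255):
    """201/255 -> 78.82, the number the lookup table gives you."""
    return round(100.0 * value / scale, 2)


def parse_loads(show_interfaces_text):
    """{interface: (reliability%, txload%, rxload%)} for every interface block."""
    results, current = {}, None
    for line in show_interfaces_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)          # start of a new interface block
            continue
        m = LOAD_RE.search(line)
        if m and current:
            rel, tx, rx = (int(x) for x in m.groups())
            results[current] = (percent(rel), percent(tx), percent(rx))
    return results


def busy_interfaces(loads, threshold=75.0):
    """Interfaces whose tx or rx load is at or above the threshold percentage."""
    return sorted(name for name, (_rel, tx, rx) in loads.items()
                  if max(tx, rx) >= threshold)


if __name__ == "__main__":
    loads = parse_loads(SHOW_INTERFACES)
    for name, (rel, tx, rx) in loads.items():
        print(f"{name}: reliability {rel}%  tx {tx}%  rx {rx}%")
    print("busy:", busy_interfaces(loads))
```

On the sample it reports GigabitEthernet1/0/1 at 78.82% tx and 19.22% rx and flags it as the only interface over 75%.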

Upgrading Tippingpoint SMS to 3.5

Today I upgraded our SMS server for TippingPoint to version 3.5. While this should have been a straightforward upgrade, it nevertheless wasn't. First of all I had to upgrade to patch 7 of the 3.2 release so that I could supposedly easily make the upgrade to 3.5. I did that upgrade and didn't have any problems with it. However, when I tried to use the automated upgrade within the SMS to 3.5, it kept downgrading itself to 3.2 without the patches. I looked through the release notes and couldn't find anything about this, except that there was no upgrade to 3.5 from anything below 3.3, so I tried a few more times to do the update with no success. Finally I just gave up, downloaded the 933 MB full install package from the TMC.tippingpoint.com website and ran the install from that. The install took about 10 minutes.

After letting the full install package run, I logged into the website for the SMS and was able to download the 32-bit Windows client. I was also pleasantly surprised to find that there is now a Mac OS X client. I loaded the Mac client up and was able to log in to my SMS with no problems. While I think the interface overall could use some usability enhancements, I was at least happy to find that it kept parity with the Windows version as far as features and functionality. This is now one less reason I need to keep a Windows box around; if I can get a VIC client for VMware when 5.1 comes out, then I will be extremely happy.

Useful UCS Links

I have been in the process of upgrading our UCS to firmware version 2.0.3b. While I read through the Cisco doc, I still didn't have a great feel for what the upgrade would entail. I did some searching and found the following two links, which I think lay out the process really well and make it easy to understand, along with some concepts that aren't as straightforward as I thought they would be.

Actual upgrade of a chassis:
http://terenceluk.blogspot.com/2011/10/updating-cisco-ucs-b-series.html

Difference between Activate and Update on the firmware management tab.

Cisco UCS Firmware Update vs Activate

I hope this helps someone else out and makes life easier for them.