Messages - Otanx

#1
If you swap in the spare does it have the same problem?

-Otanx
#2
Even 10 years ago that router was old. Considering how old it is, I would assume it is just failing slowly. If it is really important, then spend some money and replace it.

-Otanx
#3
Security / Re: RADIUS CoA
April 08, 2025, 10:11:35 AM
If you go to that level of detail, that is true. The way I handle it is to put a real firewall between clients and servers and do most of the filtering there. Then the port-based ACLs can be permits to IPs and a deny for all others to block east/west. Usually it is only 5 or 6 lines at that point, so a remediation ACL would look something like:

10 permit ip any AD_Server
20 permit ip any Patching_Server
30 permit ip any AV_Server
40 permit ip any Web_Proxy
50 deny ip any any

The normal ACL we used was just a deny to the /16 for the client networks and a permit any. That way a workstation couldn't go to another workstation, and everything else was handled by the firewall. We also had different ACLs for printers that locked them down to just the print server. We didn't normally do any wired guest access, but we did have an ACL with just the Web_Proxy for the few times we needed it.

There are a couple of downsides. One is that there is no logging on port-based ACLs, so that blinds you to some things. Also, there is no good way for the help desk to identify whether a system is in quarantine without looking at the switch or the RADIUS logs. The IP is the same, so that isn't a clue anymore. Same with log correlation in the SIEM: you need to bring in the RADIUS logs to identify host profiles because the source IP is the same for all clients.

-Otanx
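The following is an added example, not code from the post or the forum: a first-match evaluator for the port-based ACL style described in the post above, so the reachability of one workstation under the remediation ACL and under the normal ACL can be compared side by side. The server addresses, the client /16 and the Print_Server object are assumed values that are not in the post; the ACL text itself is the one the post shows.

```python
"""Added example (not from the forum post): first-match evaluation of the
port-based ACLs described above. Server addresses, the client /16 and the
Print_Server object are assumed values."""
import ipaddress
from dataclasses import dataclass

# Assumed: the named objects from the post resolved to constructed addresses.
OBJECTS = {
    "AD_Server": "10.10.0.5",
    "Patching_Server": "10.10.0.6",
    "AV_Server": "10.10.0.7",
    "Web_Proxy": "10.10.0.8",
    "Print_Server": "10.10.0.9",
}

# The ACLs from the post, in the text form the parser below accepts.
REMEDIATION_ACL = """
10 permit ip any AD_Server
20 permit ip any Patching_Server
30 permit ip any AV_Server
40 permit ip any Web_Proxy
50 deny ip any any
"""
NORMAL_ACL = """
10 deny ip any 10.20.0.0/16
20 permit ip any any
"""
PRINTER_ACL = """
10 permit ip any Print_Server
20 deny ip any any
"""


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _endpoint(token: str) -> ipaddress.IPv4Network:
    """'any', an object name, a host address or a CIDR -> network object."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token in OBJECTS:
        token = OBJECTS[token]
    return ipaddress.ip_network(token, strict=False)


def parse_acl(text: str) -> list:
    """Parse 'seq action proto src dst' lines, sorted by sequence number."""
    aces = []
    for line in text.strip().splitlines():
        seq, action, proto, src, dst = line.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"bad ACE: {line}")
        aces.append(Ace(int(seq), action, proto, _endpoint(src), _endpoint(dst)))
    return sorted(aces, key=lambda a: a.seq)


def evaluate(aces, src: str, dst: str, proto: str = "tcp"):
    """First match wins; an ACL with no matching entry denies implicitly,
    which is reported as ('deny', None) so the caller can tell it apart
    from an explicit deny line."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s in ace.src and d in ace.dst:
            return (ace.action, ace.seq)
    return ("deny", None)


def reachability(acl_text: str, src: str, targets: dict) -> dict:
    """Action taken for one source against each named target address."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, src, ip)[0] for name, ip in targets.items()}


if __name__ == "__main__":
    # Constructed flows: a workstation in the client /16 talking to a
    # second workstation, the AD server and an Internet address. The
    # source IP is identical under both ACLs, which is the blind spot
    # the post describes for help desk and SIEM correlation.
    targets = {"peer_workstation": "10.20.1.51",
               "AD_Server": OBJECTS["AD_Server"],
               "internet": "198.51.100.10"}
    for name, acl in (("remediation", REMEDIATION_ACL), ("normal", NORMAL_ACL)):
        print(name, reachability(acl, "10.20.1.50", targets))
```

The evaluator returns the sequence number of the matching line, which is the one thing a port-based ACL will not log for you; keeping that in the tooling is the closest substitute when the switch itself is silent.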

#4
Security / Re: RADIUS CoA
April 07, 2025, 10:11:51 AM
This is why I propose port-based ACLs instead of VLAN changes when doing 802.1X. There are too many variables to handle to make the VLAN change work.

-Otanx
#5
Forum Lobby / Re: Almost Famous
March 12, 2025, 09:06:37 AM
Welcome to the club. Not one you really want to be in, but it happens. I have not had to do a DDoS incident response yet, but I have done a few incident responses to other things that made the news. I remember my first was in a medium-sized town; the company was hit over the weekend. We got sent out and got to town late Monday. In the morning, at the hotel breakfast, I saw the company on the morning news. They were one of, if not the, largest employers in the town, and had sent everyone home Monday and didn't expect to recall anyone Tuesday.

If you haven't already, document everything you remember, especially anything you did to try to handle the incident, whether it worked or not. One reason is to identify anything weird that shows up in the next few weeks from changes made during the incident. Two is for the next time it happens.

-Otanx
#6
I don't have an ASA anymore so I can't test, but I found this in the configuration guide. It looks pretty straightforward, but we all know how that goes.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa922/configuration/general/asa-922-general-config/route-ospf.html

-Otanx
#7
Security / Re: TACLANE SNMP Question
November 14, 2024, 06:18:33 AM
It should work from the PT side. Some of the information you can pull is sensitive, like key expiration.

For the MIBs, they give you info on all the custom info you can pull and the formats it gets returned in. The key expiration stuff I remember being weird; something like it was returned as mmyyyy but in hex.

Next week I will be back home and can get better info rather than going on memory.

-Otanx
#8
Security / Re: TACLANE SNMP Question
November 12, 2024, 07:26:23 PM
Yes, you can. On the KG, configure your SNMP server as a GEM server. It only does SNMPv3. I don't remember for sure, but I think it was using AES128/SHA for the protocols. Also, the MIBs can be found on one of the CDs, either the KG firmware one or the GEM install one.

-Otanx
#9
They also stated they are collapsing their network, security, and collaboration teams into one. I feel the collaboration group will end up with the short end of the stick on that one.

-Otanx
#10
I don't know about any practice exams, but what I would do is start labbing stuff up based on the certification blueprint. GNS3 has come a long way in usability, but you do need to get your own copies of the images. CML is the official way, but it isn't free. Doing hands-on labs is much more interesting than just reading a book. If you find yourself stuck on a lab, then you know what to spend time reading about.

-Otanx
#11
Forum Lobby / Re: CrowdStrike Outage 19 July 2024
July 19, 2024, 09:32:32 AM
Yep, woke up to this. Glad we didn't get hit ourselves. Several of my wife's coworkers are supposed to be traveling today but can't. The airline told them probably tomorrow... maybe. The only good thing was that one of her coworkers still had their hotel room because the hotel couldn't check them out when they left.

-Otanx
#12
Sounds like there is a misconfiguration in the IAM system. I can see valid use cases for someone who can create or write to S3 not being allowed to delete. However, I will agree with you on the lack of support from AWS. I never get responses to emails. I had two users locked out of training. I emailed support and never heard back. Luckily it wasn't important training, and a few weeks later it just started working. If you are not big enough to have a named point of contact, the team monitoring the generic email addresses seems not to exist. Same with their documentation, which is what the AI support is using. They change things so fast that the documentation is always outdated.

-Otanx
#13
Forum Lobby / Re: Beryl
July 10, 2024, 03:16:57 PM
Forgot you were down that way. Glad you guys got skipped. I did see an article that people were tracking the power outages using the Whataburger app. Apparently the power company does not have an outage map, but the Whataburger app shows which stores are open or closed, and because they are normally 24x7, people could track where the power outages were.

-Otanx
#14
Security / Re: Dave work fun
July 10, 2024, 03:10:10 PM
My old place is finishing up their migrations. They have to do STIG instead of CIS, and they are doing ASA to Palo, but it is all the same at the end of the day. If it wasn't for those details, I would guess you worked there. They had a window to do a big cutover on the Saturday after the 4th. It took them a little longer than expected, but it was successful. I think they only have two HA pairs left to migrate, which will close out a 2-year-plus migration. Then they get to move on to the switching refresh. Both data center and access are hitting EOL around the same time, so it will be a lot of work.

Are you planning to migrate to FTD at some point? We looked at it when it first came out as the obvious replacement for the ASA, and it was missing a lot of features, but I heard it is much more feature complete now.

-Otanx
#15
I like it. That was what I was planning for my old gig before I moved to the dark side. If they end up hiring my new company, it will still be what I suggest. The goal was to use the same technologies for both access and data center. The same team is managing both parts of the network, so making them match helps with operations.

Using spine/leaf does not really change much for monitoring. If you have a requirement for FPC or DPI, you probably already have everything in place. Depending on the details of where the existing capture points are, it may just mean making sure the monitoring tools understand the new VXLAN headers and how to parse/strip/inspect them.

-Otanx
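The following is an added example, not code from the post or the forum: the parse/strip step the post above mentions for a spine/leaf fabric, written as a small decapsulator that validates the outer Ethernet/IPv4/UDP/VXLAN headers and returns the VNI and the inner frame for an existing inspection tool. The packet it runs on is constructed inline; the MAC and IP addresses and the VNI 5010 are made-up values.

```python
"""Added example (not from the forum post): strip VXLAN encapsulation from a
captured packet so the inner frame can be handed to an existing FPC/DPI tool.
All addresses, MACs and the VNI are constructed values."""
import ipaddress
import struct

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN port (RFC 7348)
VXLAN_FLAG_VNI_VALID = 0x08    # the "I" flag in the VXLAN header
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
MIN_LEN = 14 + 20 + 8 + 8      # outer Ethernet + IPv4 + UDP + VXLAN headers


def _ip_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_vxlan_packet(vni: int, inner_frame: bytes,
                       outer_src="10.1.1.1", outer_dst="10.1.1.2") -> bytes:
    """Constructed test input: outer Ethernet/IPv4/UDP/VXLAN around inner_frame."""
    vxlan = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)   # checksum 0 = none
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64,
                     IPPROTO_UDP, 0,
                     ipaddress.IPv4Address(outer_src).packed,
                     ipaddress.IPv4Address(outer_dst).packed)
    ip = ip[:10] + struct.pack("!H", _ip_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("00005e000102") + bytes.fromhex("00005e000101") + b"\x08\x00"
    return eth + ip + udp + vxlan + inner_frame


def strip_vxlan(pkt: bytes):
    """Return (vni, inner_frame). Raises ValueError for anything that is not a
    well-formed VXLAN packet, so a caller never inspects garbage as a frame."""
    if len(pkt) < MIN_LEN:
        raise ValueError("packet too short for VXLAN")
    if struct.unpack("!H", pkt[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ver_ihl = pkt[14]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("bad IPv4 header")
    if pkt[14 + 9] != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    udp_off = 14 + ihl
    if udp_off + 8 > len(pkt):
        raise ValueError("IPv4 options run past the end of the packet")
    _, dport, ulen, _ = struct.unpack("!HHHH", pkt[udp_off:udp_off + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not VXLAN")
    if ulen < 16 or udp_off + ulen > len(pkt):
        raise ValueError("UDP length does not fit the packet (truncated capture?)")
    vx_off = udp_off + 8
    if not pkt[vx_off] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set")
    vni = int.from_bytes(pkt[vx_off + 4:vx_off + 7], "big")
    return vni, pkt[vx_off + 8:udp_off + ulen]


def is_vxlan(pkt: bytes) -> bool:
    try:
        strip_vxlan(pkt)
        return True
    except ValueError:
        return False


def inner_summary(frame: bytes) -> tuple:
    """(dst MAC, src MAC, ethertype) of the decapsulated frame."""
    if len(frame) < 14:
        raise ValueError("inner frame too short")
    return (frame[0:6].hex(":"), frame[6:12].hex(":"),
            struct.unpack("!H", frame[12:14])[0])


# Constructed inner frame: an ARP-sized Ethernet frame between two hosts.
INNER_FRAME = (bytes.fromhex("0a0000000002") + bytes.fromhex("0a0000000001")
               + b"\x08\x06" + b"\x00" * 28)

if __name__ == "__main__":
    pkt = build_vxlan_packet(5010, INNER_FRAME)
    vni, inner = strip_vxlan(pkt)
    print(vni, inner_summary(inner))
```

The decapsulator trusts the UDP length field only after checking it against the captured size, which matters on a capture point with a snaplen: a truncated outer packet is rejected rather than handed on as a short inner frame.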