Messages - Otanx

#1
There are a few ways even a small company can identify someone using a VPN to hide their location. One specifically is looking at latency between your device and the server. Say someone is complaining that the server is slow. The server team of course blames the network. The network guys start looking, and see that all the remote users are showing 1 or 2 ms of latency. Except you. Yours is 15 ms. Now they need to figure out why so they can tell the server teams it isn't the network. That was without even trying to find you. If, as you mention in your post, HR asks IT to look, then they can focus on you and be done.

Also you need to be 100% sure in your config for the IPSec tunnel. What happens if the tunnel goes down for some reason? Does your traffic fail to a local out? Then it becomes trivial to see it. You show up from a local IP, then in seconds you traveled to a different IP in a city hundreds of miles away. My wife had this happen. Her IT noticed she was logged in at home, and then 2 minutes later logged in from LA, which is a 4 hour drive away. They flagged her account for suspicious activity almost immediately. It was nothing malicious; it was just that we had an outage of our local ISP, and we failed over to a backup ISP that is from LA.

-Otanx
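The "home, then LA two minutes later" flag described in the post above is what SOC tooling usually calls impossible travel. This is an added example, not code from the original post: it compares each user's consecutive logins by great-circle distance and implied speed. The login events, coordinates, IPs and thresholds are constructed for illustration; in practice the coordinates would come from a geo-IP lookup of the source address.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumption: faster than an airliner is not plausible
MIN_DISTANCE_KM = 100.0     # assumption: ignore geo-IP jitter within one metro area

@dataclass
class Login:
    user: str
    when: datetime
    lat: float      # coordinates as a geo-IP lookup of src_ip would return them
    lon: float
    src_ip: str

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Compare each user's consecutive logins; return one alert tuple
    (user, earlier_ip, later_ip, km, kmh) per pair that implies an implausible speed."""
    alerts = []
    by_user = {}
    for ev in sorted(logins, key=lambda e: (e.user, e.when)):
        by_user.setdefault(ev.user, []).append(ev)
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < min_km:
                continue
            hours = (cur.when - prev.when).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")  # same second, far apart
            if kmh > max_kmh:
                alerts.append((user, prev.src_ip, cur.src_ip, round(km), round(kmh)))
    return alerts

# Constructed events: "alice" logs in at home and then, two minutes later, from an
# LA address (the backup-ISP failover case in the post); "bob" stays put all day.
SAMPLE_LOGINS = [
    Login("alice", datetime(2024, 3, 1, 9, 0, 0), 38.58, -121.49, "203.0.113.10"),
    Login("alice", datetime(2024, 3, 1, 9, 2, 0), 34.05, -118.24, "198.51.100.7"),
    Login("bob", datetime(2024, 3, 1, 9, 0, 0), 38.58, -121.49, "203.0.113.22"),
    Login("bob", datetime(2024, 3, 1, 13, 0, 0), 38.59, -121.48, "203.0.113.22"),
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print("impossible travel:", alert)
```

A benign ISP failover produces exactly the same alert as a stolen session, so this check is a trigger for a follow-up (confirm with the user, check the VPN logs), not a verdict on its own.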
#2
Wireless / Re: Wireless AP upgrade
March 04, 2024, 05:58:10 PM
I don't even want to think of changing wireless at my house. Figuring out all the IoT items that need to be updated with the new SSID and password would be a pain. Last time I updated I configured the new to match the old, and crossed my fingers.

-Otanx
#3
How long is the delay between the last two packets? Is ISE taking too long to return the valid authentication, and devices are timing out? Are the devices configured for multiple tac_plus servers, and those are timing out before it tries the one you are looking at? Also, re-reading your original post, what are the AAA configs on the devices? Is that initial failure coming from the local database, and then it tries tac_plus?

I am not sure how to decrypt an SSH session using Wireshark. You could try enabling telnet to bypass the whole issue of decrypting it, but I doubt it would show you much.

Thanks,
-Otanx
#4
Management Tools / Re: Switch SNMP Connectivity Issue
February 09, 2024, 09:05:05 AM
Most systems won't like some special characters. For Linux try to stay away from any quotes " ' ` slashes /\ ampersand & dollar sign $. All of those have special meaning and have to be escaped to work, but it is just easier to not use them at all.

-Otanx
#5
Not sure why your book says it is a broadcast. The ACK is a Unicast back to the client. However, even if it is a broadcast the DHCP packet contains the Client MAC address. See the Wireshark Wiki here: https://wiki.wireshark.org/DHCP

The first capture file on that page has a basic DHCP session. You can see the Discover and Request are both broadcasts. However, the Offer and Ack are both Unicast.

-Otanx
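The point above, that the client MAC is carried inside the DHCP message itself regardless of whether the frame was broadcast or unicast, is easy to see with a small parser. This is an added example, not code from the original post or the Wireshark wiki: it reads the fixed RFC 2131 header (including the chaddr field and the broadcast flag a client can set to request broadcast replies) and the message-type option 53. The sample ACK is constructed by hand, not taken from the wiki's capture.

```python
import struct

MSG_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "Ack", 6: "Nak"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options field

def parse_dhcp(payload: bytes) -> dict:
    """Return op, xid, broadcast flag, yiaddr, client MAC and message type
    from the UDP payload of a DHCP message (RFC 2131 fixed header + options)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    yiaddr = ".".join(str(b) for b in payload[16:20])          # "your" address
    chaddr = payload[28:28 + hlen] if htype == 1 and hlen == 6 else payload[28:44]
    mac = ":".join(f"{b:02x}" for b in chaddr)                  # client hardware address
    msg_type = None
    i = 240
    while i < len(payload):                                    # walk the TLV options
        code = payload[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            msg_type = MSG_TYPES.get(value[0], f"type {value[0]}")
        i += 2 + length
    return {"op": "request" if op == 1 else "reply", "xid": xid,
            "broadcast_flag": bool(flags & 0x8000), "yiaddr": yiaddr,
            "client_mac": mac, "msg_type": msg_type}

def build_sample_ack(mac=b"\x00\x0b\x82\x01\xfc\x42", xid=0x3D1E) -> bytes:
    """Constructed DHCP ACK: op=2 (reply), unicast flags, assigns 192.168.0.10."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)
    header += bytes(4) + bytes([192, 168, 0, 10]) + bytes(8)   # ciaddr, yiaddr, siaddr, giaddr
    header += mac + bytes(10) + bytes(64) + bytes(128)          # chaddr (16), sname, file
    options = bytes([53, 1, 5, 54, 4, 192, 168, 0, 1, 255])     # type=Ack, server id, end
    return header + MAGIC_COOKIE + options

if __name__ == "__main__":
    print(parse_dhcp(build_sample_ack()))
```

Point the parser at the UDP payload of a real packet (Wireshark: right-click the DHCP layer, copy as hex) and the same fields come out, which is what lets a server or a capture tie the message to a client even when the frame went to ff:ff:ff:ff:ff:ff.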
#6
Management Tools / Re: Switch SNMP Connectivity Issue
February 06, 2024, 09:37:02 AM
If nobody can agree on what the password is, then that is probably your issue. Using SNMPv3 there are five items you need to make sure all match.

- Username: kind of obvious
- Password: kind of obvious
- Encryption Key: This is different from the password. The password authenticates the user, the key encrypts the data.
- Hashing algo: This is how the password will be hashed. MD5, SHA, etc. Not all systems support the same algorithm so you need to pick one that all the systems can do. If it only says SHA it is probably SHA1, and not SHA2/SHA256.
- Encryption algo: This is the encryption that will be used. 3DES, AES, etc. Same as hashing. Not all support the same ones. Also if the choice is just "AES" it is probably AES128 not AES256.

If you are getting a credential failure then the encryption algo and key are probably OK. It has to decrypt the packet to authenticate. Then check hashing, password, and username. If you can get a pcap, Wireshark can decrypt SNMP; you just have to supply the info under the protocol preferences.

-Otanx
#7
Do you have the budget to stand up the new place first and migrate? That is how we ended up doing it. We built out the new data center network, and some new hypervisors and storage. We connected it to the old facility with a temporary circuit, and started migrating systems from one to the other. Once we thought we were done we shut off the link to the old space, and did a scream test. Took a couple tries. Once done we excessed most of the network gear at the old site. It was pretty old anyway.

Issues we had:
- Servers not installed correctly: We had servers sitting on top of other servers. No rails to be found. This caused some issues with order of operations. I can't move the server on the bottom until we move the other servers. After the move those all got flagged for replacement.
- Drive failures: Make sure you have good backups. Drives are going to fail. If you have a lot of the same drives see if you can get the vendor to send some ahead of time for swaps. Otherwise you move a server, and the drive fails. You RMA it, and wait for the RAID rebuild before doing the second server in the HA pair. Or you accept risk and move the second server while the first one is still in a degraded state.
- Other failures: Drive failures are not the only thing that will fail. Power supplies, fans, full systems. Moving systems will break them. When possible virtualize, and move, or build on new hardware, and decom.
- Link speed: We built out new, and migrated. We found we still had 3 devices that only would do 100M, and didn't have a way to support them on the new gear that did 1/10G.
- Misc parts: Stock up on cables of different types and lengths, power cables, SFPs, cage nuts, screws, etc. You don't want to scrounge up cables because the server was installed 2U below the switches in the old place, but is now at the bottom of the rack. This also includes extra tools for mounting gear. If you don't know, there is a tool for installing cage nuts so you don't rip your fingers apart. Get a bunch.

-Otanx
#8
There are a few items you need to consider:
1. Will the GPON hand out addresses to both the OpenWrt and pfSense routers at the same time? Some ISPs limit customers to a single device, and if so you will not get any failover.
2. How do you plan on handling the inside to outside traffic flow? Assuming the OpenWrt router is the default gateway, how will the endpoints know to start using the pfSense router instead?
3. You will still have a lot of single points of failure, and this setup only protects you from a failure of the OpenWrt router. Whether that is worth it is up to you. I would probably not bother, and if I was having issues with the OpenWrt router I would just replace it instead of trying to add redundancy.
4. Understand that you will still take an outage on failover because the NAT and connection tables will end up blank.

-Otanx
#9
Depending on how many credits you need there are 28 free ones on u.cisco.com. The DEVNAE and SDWFND trainings are free. Just have to take the time to do it.

-Otanx
#10
For the first time in a while I actually got most of my goals this year. Renewed both CISSP and CCNP. The CCNP was close; I didn't end up with enough credits from Cisco Live, and had to do some online training through U.Cisco to get the last few. The CPEs didn't actually get processed until after the CCNP expired, but they date them to when you took it, and it reactivated. I was a little worried for a while. I also passed the CCNA-DevNet test. It wasn't too hard.

Now to figure out 2024 goals.

-Otanx
#11
If you can't do ICS/NAT on the Windows box then you will need to look at the config on the box with the IP 192.168.255.34, and put a default route on it pointed back to the Windows box. I think this is where the issue is. The Windows box is forwarding the traffic through just fine, but nothing on the IOT network knows where to send the return traffic.

-Otanx
#12
Are you NATing the traffic on the Windows box, or is it going out with the original IP? If no NAT, does the device at 192.168.255.34 know how to route back to the 10.91 IP?

-Otanx
#13
Forum Lobby / Re: What Are You Gaming Right Now?
August 23, 2023, 08:47:58 AM
Playing Borderlands 3 right now. Local split screen co-op so both my wife and I can play. Finished the story line the other day. Now working through the side quests, and achievement hunting. I started playing it because it was a free download with the PS subscription. The free play ended this month. Went to buy a copy to keep playing, but it was $60. So instead we drove halfway across town to a Gamestop that had a used copy in stock for $2.

-Otanx
#14
You also have to watch the wording on that. "The DHCP server typically attempts to verify..." So not always, and it may not work. Your quote gives one example of why. The statically assigned host may not be online when it attempts to verify. It could also have a firewall between the DHCP server and the static host that blocks the attempt. Also remember DHCP servers are programmed and configured by humans, and we make mistakes. So maybe it does not do the verification correctly, or not at all. There could be a bunch of reasons why the duplicate address detection (DAD) feature may not work. So it is easier to just avoid it altogether and not put statically assigned host IPs inside the DHCP range. Let DAD just be the backstop in case someone misconfigures something instead of relying on it for normal operations.

-Otanx
#15
Forum Lobby / Re: Facebook Scammer Account
June 14, 2023, 09:17:10 AM
I don't do social media. I have a LinkedIn which I keep updated, but don't use very often. My wife on the other hand is really involved in it. She acts as the social media manager for two or three non-profits she is involved with as well as her own. She is constantly having to deal with scams, bots, and impersonation. Seeing her have to deal with all that is enough for me to just stay away. Also being in cyber security makes me paranoid about sharing anything anywhere.

-Otanx