Thursday, 24 March 2011

Fraudulent Digital Certificates

Hi every one As all of you must have seen some alerts to download latest
update on your computers because Microsoft has issued a Security Advisory
warning that fraudulent digital certificates were issued by the Comodo
Certificate Authority.
This would allow hackers to spoof very trusted and commonly visited
websites, including Google,Yahoo! Windows Live.

The advisory states how 9 certificates were fraudulently issued by

Comodo for the following names:




* (3 certificates)



* "Global Trustee"

The major issue is that Comodo is a trusted root authority on all

default Windows and OS X installations. This means that an attacker could
easily masquerade a malicious website as one of the above with the HTTPS
authentication succeeding.

This kind of power would have any internet miscreant drooling over the
opportunity to construct phishing sites, perform man-in-the-middle attacks,
and any other content-spoofing attack that can be dreamed up.

Trust is transitively passed down the certificate chain, where as compromise at
any level breaks the chain completely -- and every chain has its weakest link.

The suggestion from experts are to enable certificate revocation checking in your browser

Tuesday, 1 March 2011

Cisco zone Based Firewall

Zone based firewalls

New concept to introduced stateful packet inspection in routers after CBAC

Any two interfaces in same zone can transfer traffic
And two interfaces not in any security zone can share traffic
but zone 1 and Zone two intrefaces cannot share traffic untill unless we do the foloowing

1. create zone pair
2. create service policy whihc traffic to allow through

we use same old MQC framework class map and policy map and service policy

an additional thing is Paramater Map

to apply policy map

class-map type inspect match all CMAP_TCP
match protocol TCP
match access group 999

parapameter-map type inspect myparams
audit-trail on
max-incomplete high 1000

policy-map type inspect PMAP_OUT
class type inspect CMAP_TCP
inspcect myparams

zone security INSIDE
zone security OUTSIDE

interface fa0/0
zone-member security INSIDE

interface fa0/1
zone-member security OUTSIDE

zone-pair security OUTBOUND INSIDE dest OUTSIDE
service-policy type inspect PMAP_OUT

So finally all tcp and access list 999 traffic will make

sh zone security
sh zone-pair security
show policy-map type inspect zone-pair sessions
show class-map type inspect