<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Fnode Networks &#187; Security</title>
	<atom:link href="http://www.fnode.com/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.fnode.com</link>
	<description>A Network Systems &#38; Technology Blog</description>
	<lastBuildDate>Mon, 16 Aug 2010 11:27:55 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=abc</generator>
		<item>
		<title>DNSSec Effect on ASA / PIX Firewalls &amp; FWSMs</title>
		<link>http://www.fnode.com/2010/05/dnssec-effect-on-asa-pix-firewalls-fwsms/</link>
		<comments>http://www.fnode.com/2010/05/dnssec-effect-on-asa-pix-firewalls-fwsms/#comments</comments>
		<pubDate>Wed, 05 May 2010 14:55:50 +0000</pubDate>
		<dc:creator>Nish Vamadevan</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[dnssec]]></category>
		<category><![CDATA[dnssec asa]]></category>
		<category><![CDATA[fwsm]]></category>
		<category><![CDATA[message length maximum 4096]]></category>

		<guid isPermaLink="false">http://www.fnode.com/?p=654</guid>
		<description><![CDATA[As of 5th May 2010, all 13 DNS root servers will include a digital signature with every query reply. This has been rolled out to tackle man-in-the-middle attacks similar to Dan Kaminsky’s exploit. Is it going to break the internet? It will only have an effect if the firewalls &#38; FWSMs are [...]]]></description>
			<content:encoded><![CDATA[<p>As of 5th May 2010, all 13 DNS root servers will include a digital signature with every query reply. This has been rolled out to tackle man-in-the-middle attacks similar to Dan Kaminsky’s exploit.</p>
<p>Is it going to break the internet?</p>
<p>It will only have an effect if the firewalls &amp; FWSMs are not configured correctly to allow DNSSec-signed packets.</p>
<p>As we already know, DNS uses UDP packets for query replies, and most firewalls are going to drop any such packets larger than 512 bytes.</p>
<p>That said, DNSSec-signed replies are going to have an extra layer of encryption, increasing the packet size up to 4 KB (4096 bytes), and the firewalls &amp; FWSMs need to be configured to allow such larger packets through.</p>
<p>What needs to be configured on the Firewall?</p>
<p>The firewall needs to have the following settings to allow larger UDP packets through…</p>
<pre>message-length maximum 4096</pre>
<p>We can either hard-code the maximum-length or use other methods to tackle this issue.</p>
<p>For a detailed explanation, take a look at the post at http://etherealmind.com/dnssec-and-why-the-internet-probably-wont-break-today/ and more info about DNSSec can be found at http://www.root-dnssec.org or by simply searching for the term on Google.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.fnode.com/2010/05/dnssec-effect-on-asa-pix-firewalls-fwsms/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IPSec VPN and Parameters</title>
		<link>http://www.fnode.com/2010/04/ipsec-vpn-parameters/</link>
		<comments>http://www.fnode.com/2010/04/ipsec-vpn-parameters/#comments</comments>
		<pubDate>Wed, 28 Apr 2010 23:13:45 +0000</pubDate>
		<dc:creator>Nish Vamadevan</dc:creator>
				<category><![CDATA[Networking]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[cisco ipsec config]]></category>
		<category><![CDATA[cisco vpn configure]]></category>
		<category><![CDATA[clear ipsec]]></category>
		<category><![CDATA[ipsec]]></category>
		<category><![CDATA[ipsec clear crypto]]></category>
		<category><![CDATA[pre-share]]></category>
		<category><![CDATA[qm_idle]]></category>
		<category><![CDATA[vpn]]></category>
		<category><![CDATA[vpn reset]]></category>

		<guid isPermaLink="false">http://www.fnode.com/?p=611</guid>
		<description><![CDATA[I have come across an odd scenario on pre-share key based IPSec tunnels… The question being, when an IPSec tunnel is active (Phase 1 and 2 are UP) and the pre-share key is changed, does this tear down the tunnel? The tunnel configuration on R4 follows… ! crypto isakmp policy 1 encr aes 256 hash [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>I have come across an odd scenario on pre-share key based IPSec tunnels…</p>
<p>The question being, when an IPSec tunnel is active (Phase 1 and 2 are UP) and the pre-share key is changed, does this tear down the tunnel?</p>
<p style="text-align: center;"><a href="http://www.fnode.com/wp-content/uploads/ipsec.png"><img class="size-medium wp-image-614 aligncenter" title="ipsec" src="http://www.fnode.com/wp-content/uploads/ipsec-300x100.png" alt="" width="300" height="100" /></a></p>
<p>The tunnel configuration on <strong>R4 </strong>follows…</p>
<pre>!
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp key fnode address 192.168.1.5
!
!
crypto ipsec transform-set FNODE1 esp-3des esp-sha-hmac
!
crypto map FNODE1 1 ipsec-isakmp
 set peer 192.168.1.5
 set transform-set FNODE1
 match address 120
!

!
interface Ethernet0/0
 ip address 192.168.1.4 255.255.255.0
 full-duplex
 crypto map FNODE1
!

access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
</pre>
<p>The tunnel configuration on <strong>R5</strong> follows…</p>
<p><span id="more-611"></span></p>
<pre>!
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp key fnode address 192.168.1.4
!
!
crypto ipsec transform-set FNODE1 esp-3des esp-sha-hmac
!
crypto map FNODE1 1 ipsec-isakmp
 set peer 192.168.1.4
 set transform-set FNODE1
 match address 120
!

!
interface Ethernet0/0
 ip address 192.168.1.5 255.255.255.0
 full-duplex
 crypto map FNODE1
!

access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
</pre>
<p>Bring the tunnel up by pinging the peer from R4:</p>
<pre>
R4#ping 192.168.1.5 so e0/0
</pre>
<p>As you can see below, the Tunnel is now UP/UP, and 4 packets have been encrypted / decrypted.</p>
<pre>
R4#sh cry isa sa
dst             src             state          conn-id slot status
192.168.1.5     192.168.1.4     QM_IDLE              1    0 ACTIVE

R4#
R4#sh cry ip sa

interface: Ethernet0/0
    Crypto map tag: FNODE1, local addr 192.168.1.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 192.168.1.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 192.168.1.4, remote crypto endpt.: 192.168.1.5
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x82E8BCA5(2196290725)

     inbound esp sas:
      spi: 0x267E7582(645821826)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: 1, crypto map: FNODE1
        sa timing: remaining key lifetime (k/sec): (4484045/3526)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x82E8BCA5(2196290725)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: 2, crypto map: FNODE1
        sa timing: remaining key lifetime (k/sec): (4484045/3524)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
R4#
</pre>
<p>Let&#8217;s change the pre-share key on R4</p>
<pre>
R4(config)#no crypto isakmp key fnode address 192.168.1.5
R4(config)#
R4(config)#crypto isakmp key fnode@@@_@ address 192.168.1.5
</pre>
<p>Now, I have changed the key and pinged the remote peer again&#8230; then checked whether the tunnel has gone down&#8230;</p>
<p>As you can see below, 9 packets have been encrypted and decrypted and the tunnel is still UP/UP!</p>
<pre>
R4#sh cry isa sa
dst             src             state          conn-id slot status
192.168.1.5     192.168.1.4     QM_IDLE              1    0 ACTIVE

R4#

R4#sh cry ip sa | i pkts
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
R4#
</pre>
<p>Now, we will clear ISAKMP and Crypto MAP…</p>
<pre>
R4#clear cry isa
R4#clear crypto sa map FNODE1
</pre>
<p>Now, as we expect, the tunnel is brought down&#8230;</p>
<pre>
R4#sh cry isa sa
dst             src             state          conn-id slot status

R4#

R4#sh cry ipsec sa

interface: Ethernet0/0
    Crypto map tag: FNODE1, local addr 192.168.1.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 192.168.1.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.1.4, remote crypto endpt.: 192.168.1.5
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
R4#
</pre>
<p>As expected, when we sent interesting traffic, the tunnel did not come up due to the pre-share key mismatch&#8230; &#8220;MM_KEY_EXCH&#8221;</p>
<pre>
R4#sh cry isa sa
dst             src             state          conn-id slot status
192.168.1.5     192.168.1.4     MM_KEY_EXCH          1    0 ACTIVE

R4#
</pre>
<p>Now, we set the key back to the original one&#8230;</p>
<pre>
R4(config)#no crypto isakmp key fnode@@@_@ address 192.168.1.5
R4(config)#crypto isakmp key fnode address 192.168.1.5
</pre>
<p>As expected, the tunnel comes back up when we send interesting traffic&#8230;</p>
<pre>
R4#sh cry ip sa

interface: Ethernet0/0
    Crypto map tag: FNODE1, local addr 192.168.1.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 192.168.1.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 6, #recv errors 0

     local crypto endpt.: 192.168.1.4, remote crypto endpt.: 192.168.1.5
     path mtu 1500, ip mtu 1500
     current outbound spi: 0xE15525F6(3780453878)

     inbound esp sas:
      spi: 0x3D15E740(1024845632)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: 2, crypto map: FNODE1
        sa timing: remaining key lifetime (k/sec): (4578721/3577)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE15525F6(3780453878)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: 1, crypto map: FNODE1
        sa timing: remaining key lifetime (k/sec): (4578721/3576)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
R4#
</pre>
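<p>The fact of the matter is, whenever there is a change in the pre-share key and such, the tunnel MUST be cleared for the change to take effect, otherwise it will _not_ come back up. Until it is cleared, the existing SAs keep running on the keys negotiated with the old pre-share key, which is why the tunnel stayed UP/UP above.</p>
<p>In other words, when there is an active tunnel and such modifications are made to the configuration, clearing ISAKMP and Crypto MAP is a must.</p>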
]]></content:encoded>
			<wfw:commentRss>http://www.fnode.com/2010/04/ipsec-vpn-parameters/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IPSec Explained</title>
		<link>http://www.fnode.com/2009/08/ipsec-explained/</link>
		<comments>http://www.fnode.com/2009/08/ipsec-explained/#comments</comments>
		<pubDate>Sun, 02 Aug 2009 22:45:41 +0000</pubDate>
		<dc:creator>Nish Vamadevan</dc:creator>
				<category><![CDATA[Networking]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[ip security]]></category>
		<category><![CDATA[ipsec]]></category>

		<guid isPermaLink="false">http://www.nishv.com/?p=366</guid>
		<description><![CDATA[I have been going through YouTube and found this great video about IPSec&#8230; www.youtube.com/watch?v=DH1zI8QYi4A]]></description>
			<content:encoded><![CDATA[<p>I have been going through YouTube and found this great video about IPSec&#8230;</p>
<p><a href="http://www.youtube.com/watch?v=DH1zI8QYi4A">www.youtube.com/watch?v=DH1zI8QYi4A</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.fnode.com/2009/08/ipsec-explained/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DNS Cache Poisoning Bug</title>
		<link>http://www.fnode.com/2008/08/dns-cache-poisoning-bug/</link>
		<comments>http://www.fnode.com/2008/08/dns-cache-poisoning-bug/#comments</comments>
		<pubDate>Thu, 07 Aug 2008 11:52:39 +0000</pubDate>
		<dc:creator>Nish Vamadevan</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Tips]]></category>
		<category><![CDATA[UNIX]]></category>
		<category><![CDATA[DNS bug]]></category>

		<guid isPermaLink="false">http://www.nishv.com/?p=324</guid>
		<description><![CDATA[When a name server looks up the IP address for a domain, it stores the result in its cache so it doesn’t have to look it up every single time a request is made. For example, if someone looks for www.nishv.com, the DNS server will look up the domain and store the IP address 72.52.178.35 [...]]]></description>
			<content:encoded><![CDATA[<p>When a name server looks up the IP address for a domain, it stores the result in its cache so it doesn’t have to look it up every single time a request is made. For example, if someone looks for www.nishv.com, the DNS server will look up the domain and store the IP address 72.52.178.35 in the cache for a given period of time, so it doesn’t have to look up that domain again during that period.</p>
<p>DNS cache poisoning (also known as DNS cache pollution) is a maliciously created or unintended situation that provides data to a DNS Server that did not originate from authoritative DNS sources.</p>
<p>It happens when an attacker sends malicious data in response to a DNS query. For example, a DNS query for www.nishv.com can be redirected to another website.</p>
<p>This method takes the phishing scam to another level: you might be visiting your bank’s website but, without realising it, you will actually be entering all your login information into a hacker’s server that has been made to look exactly like the bank’s website. Yes, this is very serious!</p>
<p><strong>How do you patch it?</strong></p>
<p>On the client side (we are talking about Microsoft Windows here), your machines should have been patched automatically if you set the Auto-Update option. If not, I recommend you check the available updates and patch as soon as possible.</p>
<p>If you use a DNS Server, my recommendation is to use the following command to figure out whether it has been patched or not. If it is not, STOP using it and have a look at this post on <a href="http://www.fnode.com/2008/03/opendns/" target="_self">OpenDNS</a> for more info.</p>
<p><strong>Use the following DIG command on UNIX</strong></p>
<p><code><br />
dig +short @{name-server-ip} porttest.dns-oarc.net txt<br />
dig +short @ns1.example.com porttest.dns-oarc.net txt<br />
dig +short @208.67.222.222 porttest.dns-oarc.net txt<br />
</code></p>
<p>and you should get a result similar to this&#8230;</p>
<p><code><br />
nishv@nishv.com [~]# dig +short @208.67.222.222 porttest.dns-oarc.net txt<br />
porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.<br />
"208.67.217.8 is GREAT: 26 queries in 2.1 seconds from 26 ports with std dev 20119"<br />
</code><br />
Or something like this&#8230;<br />
<code><br />
nishv@nishv.com [~]# dig +short @4.2.2.2 porttest.dns-oarc.net txt<br />
porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.<br />
"209.244.4.25 is GOOD: 26 queries in 1.9 seconds from 26 ports with std dev 3880"<br />
</code></p>
<p>If you don’t get <strong>GREAT</strong> or <strong>GOOD</strong> and get something like <strong>POOR</strong>, you should immediately stop using it.</p>
<p>If you manage that DNS server, patch it or decommission it!</p>
<p><strong>This is how to check on Windows</strong></p>
<p>Open up the command prompt by going to <strong>Start</strong> --&gt; <strong>Run</strong> --&gt; <strong>CMD</strong> or, on Vista, by typing <strong>CMD</strong> in the <em>Start Search</em> box</p>
<p><code><br />
nslookup -type=txt -timeout=30 porttest.dns-oarc.net<br />
nslookup -type=txt -timeout=30 porttest.dns-oarc.net ns1.your-isp.com<br />
nslookup -type=txt -timeout=30 porttest.dns-oarc.net NS-SERVER-IP<br />
</code></p>
<p>You must see <strong>GREAT</strong> or <strong>GOOD</strong>; if not, your DNS Server is compromised.</p>
<p style="text-align: center;"><a href="http://www.fnode.com/wp-content/uploads/nslookup1.jpg"><img class="size-medium wp-image-362 aligncenter" title="nslookup1" src="http://www.fnode.com/wp-content/uploads/nslookup1-300x150.jpg" alt="" width="300" height="150" /></a></p>
<p>You can see Dan Kaminsky&#8217;s presentation below&#8230;</p>
<p><a href="http://www.youtube.com/watch?v=B0dHDD9fFM4">www.youtube.com/watch?v=B0dHDD9fFM4</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.fnode.com/2008/08/dns-cache-poisoning-bug/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Should UK Monitor Internet Activities</title>
		<link>http://www.fnode.com/2008/04/should-uk-monitor-internet-activities/</link>
		<comments>http://www.fnode.com/2008/04/should-uk-monitor-internet-activities/#comments</comments>
		<pubDate>Mon, 21 Apr 2008 14:49:03 +0000</pubDate>
		<dc:creator>Nish Vamadevan</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[England Net Monitor]]></category>
		<category><![CDATA[features]]></category>
		<category><![CDATA[Internet Monitor]]></category>
		<category><![CDATA[UK Monitor Internet]]></category>

		<guid isPermaLink="false">http://www.nishv.com/?p=234</guid>
		<description><![CDATA[Whether the UK should monitor all Internet and communication activities like the USA is a controversial question. When this subject is brought up, people automatically go on the defensive and start to argue about privacy and human rights. Granted, privacy is a major issue, and when it involves national security, it [...]]]></description>
			<content:encoded><![CDATA[<p>Whether the UK should monitor all Internet and communication activities like the USA is a controversial question. When this subject is brought up, people automatically go on the defensive and start to argue about privacy and human rights. Granted, privacy is a major issue, and when it involves national security, it will spark some inimitable questions among us.</p>
<p>I am not in favour of the Government breaching privacy and human rights issues; on the contrary, in my opinion, national security should be given priority among other things.</p>
<p>This is a very sensitive issue and when this subject is brought up, people seem to think that all their internet activities are going to be watched, including their internet shopping. This is not the case here, and if the government goes ahead with such a monitoring system, it will cost billions.</p>
<p>I think the word monitoring should be redefined when it comes to this topic and should be balanced in a way that it does not interfere with people’s privacy, thus a flagging system would be an ideal choice for such monitoring. This way, people’s privacy won’t be compromised and at the same time it would allow the government to monitor the internet.</p>
<p>All we see in the news lately is terrorist activities directly linked to the internet and how they used the net to communicate with each other. So, if such a system were in place, in theory the chances of stopping such things would be extremely high.</p>
<p>I think it’s safe to say, the UK should monitor all Internet and communication activities so they can rule out terrorism on their home soil.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.fnode.com/2008/04/should-uk-monitor-internet-activities/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Secure Internet Connection</title>
		<link>http://www.fnode.com/2008/03/secure-internet-connection/</link>
		<comments>http://www.fnode.com/2008/03/secure-internet-connection/#comments</comments>
		<pubDate>Sat, 15 Mar 2008 19:09:40 +0000</pubDate>
		<dc:creator>Nish Vamadevan</dc:creator>
				<category><![CDATA[Networking]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[ethernet modem]]></category>
		<category><![CDATA[secure interent]]></category>
		<category><![CDATA[secure router]]></category>

		<guid isPermaLink="false">http://www.nishv.com/2008/03/15/secure-internet-connection/</guid>
		<description><![CDATA[In this post I will only be covering how you are connected to the internet, and most users are connected to the internet via a router and connected via an Ethernet Cable (Cat5/Cat6). It is definitely the best way to connect to the internet because when you use a router, it doesn’t normally expose your [...]]]></description>
			<content:encoded><![CDATA[<p>In this post I will only be covering how you are connected to the internet, and most users are connected to the internet via a router and connected via an Ethernet Cable (Cat5/Cat6). It is definitely the best way to connect to the internet because when you use a router, it doesn’t normally expose your PC to the internet. By using a router, a user is reducing the risk of being vulnerable on the internet.</p>
<p>When you are using a Router, your PC is not directly connected to the Internet but the router handles the connection. Most routers nowadays have some sort of protection system by default. It is typically used when there are multiple computers sharing one Internet connection.</p>
<p>Cable and some DSL providers only give their users an Ethernet Modem, in some cases a USB modem. When you use such devices, you are directly connected to the Internet and your computer is exposed unless the PC is fully configured and there is a Firewall present to block all the unwanted activities. It is recommended to use a router with the modem to minimize the risk when you use the internet.</p>
<p>If you use an ADSL USB modem, I would recommend you get an ADSL Modem Router and replace the USB Modem; and if you are using an Ethernet Modem, I would recommend you get a Broadband Router and use it with the Ethernet Modem.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.fnode.com/2008/03/secure-internet-connection/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OpenDNS</title>
		<link>http://www.fnode.com/2008/03/opendns/</link>
		<comments>http://www.fnode.com/2008/03/opendns/#comments</comments>
		<pubDate>Tue, 11 Mar 2008 17:20:31 +0000</pubDate>
		<dc:creator>Nish Vamadevan</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[OpenDNS]]></category>

		<guid isPermaLink="false">http://www.nishv.com/2008/03/11/opendns/</guid>
		<description><![CDATA[OpenDNS is a free DNS provider who does the Web-content filtering on their end. You don’t need to install any software to filter any content. All you need to do is register and follow the setup instructions, once that is done you will have access to your own area where you can filter phishing sites, [...]]]></description>
			<content:encoded><![CDATA[<p>OpenDNS is a free DNS provider who does the Web-content filtering on their end. You don’t need to install any software to filter any content. All you need to do is register and follow the setup instructions; once that is done you will have access to your own area where you can filter phishing sites, filter out adult sites and proxies among more than 40 categories, and block individual domains with precision.</p>
<p>All you have to do is set the DNS server to <strong>208.67.222.222</strong> &amp; <strong>208.67.220.220</strong> and do the content filtering on your very own control panel!</p>
<p>Also this is a great advantage to parents and you will save a lot of money on buying content filtering software like Net Nanny etc&#8230;</p>
<p>Everything you need to know can be found on <a href="http://www.opendns.com/">http://www.opendns.com/</a> and I highly recommend anyone to use this Free service.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.fnode.com/2008/03/opendns/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Security Software (Antivirus / Firewall)</title>
		<link>http://www.fnode.com/2008/03/security-software-antivirus-firewall/</link>
		<comments>http://www.fnode.com/2008/03/security-software-antivirus-firewall/#comments</comments>
		<pubDate>Tue, 11 Mar 2008 04:35:00 +0000</pubDate>
		<dc:creator>Nish Vamadevan</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Antivirus]]></category>
		<category><![CDATA[Firewall]]></category>
		<category><![CDATA[Security Software]]></category>

		<guid isPermaLink="false">http://www.nishv.com/2008/03/11/security-software-antivirus-firewall/</guid>
		<description><![CDATA[Antivirus This is one of the most important pieces of software one should have. Even though I prefer to use GPL / Free software, when it comes to Antivirus, I fully support a paid version of Antivirus or a Security Suite which consists of Antivirus, Firewall etc. compared to a Free version. If you are going [...]]]></description>
			<content:encoded><![CDATA[<p></p><p><strong>Antivirus</strong></p>
<p>This is one of the most important pieces of software one should have. Even though I prefer to use GPL / Free software, when it comes to Antivirus, I fully support a paid version of Antivirus or a Security Suite which consists of Antivirus, Firewall etc. compared to a Free version.</p>
<p>If you are going to pay for an Anti-Virus, I would recommend Kaspersky Internet Security (Currently Version 7.0). This costs around £25 per year with 3 licences, so you can install it on up to 3 PCs, and if you prefer to have one licence, it costs around £18/Year. This will include an All-In-One protection suite which consists of an Anti-Virus, Firewall, Intrusion Protection and so on&#8230;</p>
<p>I have used a lot of Anti-Virus software in the past and Kaspersky is definitely by far the most advanced AV I have ever come across. I would personally stay away from Norton because it is&#8230;</p>
<ul>
<li>A Resource Hog, i.e. It takes a lot of time to start up, which will dramatically slow down your PC.</li>
<li>It is very expensive, simply because Norton is a well known brand compared to Kaspersky or Avast.</li>
<li>Detection rate: Unfortunately Norton does a sloppy job at detecting a lot of Worm / Trojans (Mainly comes from P2P software like Limewire) compared to Kaspersky / Avast Pro.</li>
</ul>
<p>See the following URL for more info <a href="http://www.kaspersky.com/kaspersky_internet_security" target="_blank">http://www.kaspersky.com/kaspersky_internet_security</a></p>
<p>If you are going to use a Free Version, I would recommend Avast; the only thing you have to do is register with them for Home use and you will get a Free Key. Please see the following URL for more info&#8230; <a href="http://www.avast.com/eng/avast_4_home.html" target="_blank">http://www.avast.com/eng/avast_4_home.html</a></p>
<p><strong>Firewall</strong></p>
<p>There are many standalone Firewall products around, but for an average user it is recommended to get a Firewall integrated with the Antivirus Software, such as Kaspersky Internet Security. If you are connected to the Internet via a Router, you are pretty much covered and the Router will act as a Firewall up to a certain point, preventing unauthorised access to the computers connected to the Router.</p>
<p>This doesn’t mean you don’t need a firewall, you still need a firewall to stop unauthorised access from your computer in case you’re infected with a Virus / Trojan.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.fnode.com/2008/03/security-software-antivirus-firewall/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>How to gain ROOT access to a Linux Box within 10 Seconds</title>
		<link>http://www.fnode.com/2007/09/how-to-gain-root-access-to-a-fedora-box-within-10-seconds/</link>
		<comments>http://www.fnode.com/2007/09/how-to-gain-root-access-to-a-fedora-box-within-10-seconds/#comments</comments>
		<pubDate>Sat, 08 Sep 2007 22:49:23 +0000</pubDate>
		<dc:creator>Nish Vamadevan</dc:creator>
				<category><![CDATA[Computing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Tips]]></category>
		<category><![CDATA[UNIX]]></category>

		<guid isPermaLink="false">http://www.nishv.com/2007/08/14/how-to-gain-root-access-to-a-fedora-box-within-10-seconds/</guid>
		<description><![CDATA[It is pretty easy when it comes to gaining root password to any Linux System as long as you have physical access. This is how to change Fedora&#8217;s ROOT Password. When your box starts up, You will see the GRUB screen… What you need to do is, press the a Key instead of Enter You [...]]]></description>
			<content:encoded><![CDATA[<p>It is pretty easy to gain the root password on any Linux system as long as you have physical access.</p>
<p>This is how to change Fedora&#8217;s ROOT Password.</p>
<p>When your box starts up, you will see the GRUB screen…</p>
<p>What you need to do is, press the <strong>a</strong> Key instead of <strong>Enter</strong></p>
<p>You will see something like the following…</p>
<p><code>kernel /vmlinuz-2.6.9-1.667 ro root=LABEL=/ acpi=on rhgb quiet</code></p>
<p>Add 1 at the end of that… So it looks like the following…</p>
<p><code>kernel /vmlinuz-2.6.9-1.667 ro root=LABEL=/ acpi=on rhgb quiet 1</code></p>
<p>This will make the box boot into Runlevel 1</p>
<p>You simply type</p>
<p><code>passwd</code></p>
<p>Enter the new ROOT password and reboot the machine.</p>
<p>The same thing goes for any Linux system as well… All you have to do is add the following kernel argument…</p>
<p><code>init=/bin/bash</code></p>
<p>And then just change the password…</p>
]]></content:encoded>
			<wfw:commentRss>http://www.fnode.com/2007/09/how-to-gain-root-access-to-a-fedora-box-within-10-seconds/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Instant Messenger Privacy</title>
		<link>http://www.fnode.com/2006/07/instant-messenger-privacy/</link>
		<comments>http://www.fnode.com/2006/07/instant-messenger-privacy/#comments</comments>
		<pubDate>Sat, 08 Jul 2006 14:26:37 +0000</pubDate>
		<dc:creator>Nish Vamadevan</dc:creator>
				<category><![CDATA[IM]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.nishv.com/?p=7</guid>
		<description><![CDATA[There is this pretty nifty software I&#8217;ve come across, which encrypts the messages you send via your IM clients. Meaning, this will prevent eavesdroppers from reading your MSN Messenger conversations. SimpLite-MSN is free for personal use at home or at the office. However, only one product from the SimpLite family can be launched at [...]]]></description>
			<content:encoded><![CDATA[<p>There is this pretty nifty software I&#8217;ve come across, which encrypts the messages you send via your IM clients. Meaning, this will prevent eavesdroppers from reading your MSN Messenger conversations.</p>
<p>SimpLite-MSN is free for personal use at home or at the office. However, only one product from the SimpLite family can be launched at the same time on your computer. Which means, you can only use SimpLite-MSN… If you use YahooIM, you will need to kill SimpLite-MSN and launch SimpLite-Yahoo, which can be a pain in the neck… unless you have Simp-Pro. Here is a screenshot of my Simp.</p>
<p style="text-align: center"><img src="http://www.fnode.com/wp-content/uploads/2006/09/privacy.jpg" id="image86" alt="privacy.jpg" /></p>
<p>You can get the SimpLite Version for FREE at http://www.secway.fr/us/products/all.php</p>
]]></content:encoded>
			<wfw:commentRss>http://www.fnode.com/2006/07/instant-messenger-privacy/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
