Tag: cisco

TCP, NAT and 2MSL mismatch

We have a client that connects over the NHS internal network to a server hosted at our site. We have lots of clients like this, but these are slightly different because they NAT all their machines to one IP before it gets to us.

Recently they complained about connection problems and after lots of investigation we managed to get a packet capture of the problem (IPs changed of course):

 1  0.00 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [SYN]
 2  0.00 10.0.0.254 -> 192.168.0.1 TCP 80 > 2268 [SYN, ACK]
 3  0.01 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [ACK]
 4  0.08 192.168.0.1 -> 10.0.0.254 HTTP POST
 5  0.24 10.0.0.254 -> 192.168.0.1 TCP 80 > 2268 [ACK]
 6  0.23 192.168.0.1 -> 10.0.0.254 HTTP Continuation
 7  0.24 10.0.0.254 -> 192.168.0.1 HTTP HTTP/1.1 200 OK 1365
 8  0.24 10.0.0.254 -> 192.168.0.1 HTTP Continuation
 9  0.24 10.0.0.254 -> 192.168.0.1 TCP 80 > 2268 [FIN, ACK]
10  0.29 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [ACK]
11  0.31 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [FIN, ACK]
12  0.31 10.0.0.254 -> 192.168.0.1 TCP 80 > 2268 [ACK]
13  0.34 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [ACK]
14 68.26 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [SYN]
15 71.18 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [SYN]
16 77.13 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [SYN]
17 98.25 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [RST, CWR]
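The capture above shows the client reopening the same 4-tuple (192.168.0.1:2268 to 10.0.0.254:80) about 68 seconds after the four-way close, and the three SYNs go unanswered until the client gives up with a RST. The following is an added example, not part of the original post: it parses tshark-style summary lines like those in the capture (a constructed copy is embedded) and flags any SYN that reuses a 4-tuple closed less than 2MSL earlier, naming the endpoint whose socket would still be in TIME_WAIT (the active closer) and counting SYNs that got no SYN/ACK. The 2MSL value of 120 seconds is an assumption; the HTTP summary lines carry no port numbers and are skipped because they do not change connection state.

```python
"""Flag TCP source-port reuse inside the TIME_WAIT (2MSL) window.

Added example, not code from the original post. It works on tshark-style
one-line summaries as shown in the post; a NAT that recycles a source port
before the server's TIME_WAIT has expired produces exactly this pattern.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed copy of the capture from the post (same placeholder IPs).
CAPTURE = """\
 1  0.00 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [SYN]
 2  0.00 10.0.0.254 -> 192.168.0.1 TCP 80 > 2268 [SYN, ACK]
 3  0.01 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [ACK]
 4  0.08 192.168.0.1 -> 10.0.0.254 HTTP POST
 5  0.24 10.0.0.254 -> 192.168.0.1 TCP 80 > 2268 [ACK]
 6  0.23 192.168.0.1 -> 10.0.0.254 HTTP Continuation
 7  0.24 10.0.0.254 -> 192.168.0.1 HTTP HTTP/1.1 200 OK 1365
 8  0.24 10.0.0.254 -> 192.168.0.1 HTTP Continuation
 9  0.24 10.0.0.254 -> 192.168.0.1 TCP 80 > 2268 [FIN, ACK]
10  0.29 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [ACK]
11  0.31 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [FIN, ACK]
12  0.31 10.0.0.254 -> 192.168.0.1 TCP 80 > 2268 [ACK]
13  0.34 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [ACK]
14 68.26 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [SYN]
15 71.18 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [SYN]
16 77.13 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [SYN]
17 98.25 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [RST, CWR]
"""

# Assumption: 2 x MSL in seconds. RFC 793 MSL is 2 minutes (2MSL = 240 s);
# Linux holds TIME_WAIT for 60 s. 120 s is a middle-of-the-road choice.
TWO_MSL = 120.0

# Only TCP summary lines carry ports and flags; HTTP lines are skipped.
TCP_LINE = re.compile(
    r"^\s*\d+\s+(?P<t>[\d.]+)\s+(?P<src>\S+) -> (?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\d+) > (?P<dport>\d+) \[(?P<flags>[A-Z, ]+)\]\s*$")


@dataclass
class Conn:
    fin_from: list = field(default_factory=list)   # endpoints that sent FIN, in order
    closed_at: Optional[float] = None              # time of the final ACK of the close
    reuse_syns: list = field(default_factory=list) # times of SYNs seen after the close
    answered: bool = False                         # did any reuse SYN get a SYN/ACK?


def parse(capture):
    """Yield (time, src, sport, dst, dport, flags) for each TCP summary line."""
    for line in capture.splitlines():
        m = TCP_LINE.match(line)
        if not m:
            continue
        flags = {f.strip() for f in m["flags"].split(",")}
        yield (float(m["t"]), m["src"], int(m["sport"]),
               m["dst"], int(m["dport"]), flags)


def find_port_reuse(capture, two_msl=TWO_MSL):
    """Return one finding per 4-tuple that is reopened within two_msl of closing."""
    conns = {}
    for t, src, sport, dst, dport, flags in parse(capture):
        key = tuple(sorted([(src, sport), (dst, dport)]))  # direction-independent
        c = conns.setdefault(key, Conn())
        if "SYN" in flags and "ACK" not in flags:
            if c.closed_at is not None:
                c.reuse_syns.append(t)
            continue
        if "SYN" in flags and "ACK" in flags and c.reuse_syns:
            c.answered = True
            continue
        if "RST" in flags:
            continue
        if "FIN" in flags:
            c.fin_from.append(src)
        elif "ACK" in flags and len(set(c.fin_from)) == 2 and c.closed_at is None:
            c.closed_at = t  # last ACK of the four-way close
    findings = []
    for key, c in conns.items():
        if c.closed_at is None or not c.reuse_syns:
            continue
        gap = c.reuse_syns[0] - c.closed_at
        if gap < two_msl:
            findings.append({
                "flow": key,
                "time_wait_holder": c.fin_from[0],  # active closer sits in TIME_WAIT
                "closed_at": c.closed_at,
                "first_reuse_at": c.reuse_syns[0],
                "gap": gap,
                "unanswered_syns": 0 if c.answered else len(c.reuse_syns),
            })
    return findings


if __name__ == "__main__":
    for finding in find_port_reuse(CAPTURE):
        print(finding)
```

On the post's capture this reports one flow: 10.0.0.254 (the server, which sent FIN first) is the TIME_WAIT holder, the port is reused 67.95 seconds after the close, and all three SYNs go unanswered. Lowering `two_msl` to 60 seconds, the Linux value, produces no finding, which is the practical point: whether this is a problem depends on the server's TIME_WAIT length versus how quickly the NAT recycles ports.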



mac/arpwatcher firestorm preprocessor and PIX tomfoolery

I’m currently working on a preprocessor for the Firestorm NIDS to detect dodgy-looking ARP activity. So far it keeps track of hardware and protocol addresses in ARP packets and alerts if things change. It will soon monitor IP traffic too (and IPX/AppleTalk etc., I guess) and detect a bunch of other ettercap-style trickery.
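As an added illustration of the tracking the preprocessor is described as doing (this is example code written for this page, not the Firestorm preprocessor itself), the following parses raw Ethernet/ARP frames, keeps a table of protocol address to hardware address, and alerts when a known binding changes. It also goes one step beyond what the paragraph describes and flags an ARP sender hardware address that differs from the frame's Ethernet source, a common sign of a crafted packet. The frames fed to it are constructed inline; the MAC and IP addresses in them are made up.

```python
"""Track ARP sender bindings and alert on changes.

Added example for this page, not the Firestorm arpwatcher preprocessor.
Works on raw Ethernet II frames carrying IPv4-over-Ethernet ARP.
"""
import struct
from collections import namedtuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

Arp = namedtuple("Arp", "eth_src op sha spa tha tpa")


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def parse_arp_frame(frame):
    """Return an Arp tuple, or None if the frame is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return Arp(mac_str(src), op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


def build_arp(eth_src, op, sha, spa, tha, tpa, eth_dst="ff:ff:ff:ff:ff:ff"):
    """Construct a test frame (only used to feed the watcher sample input)."""
    return (struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))


class ArpWatcher:
    def __init__(self):
        self.table = {}  # protocol address -> hardware address last seen claiming it

    def feed(self, frame):
        """Process one frame; return a list of alert strings (empty if nothing odd)."""
        alerts = []
        a = parse_arp_frame(frame)
        if a is None:
            return alerts
        if a.sha != a.eth_src:
            alerts.append(f"sender {a.sha} does not match Ethernet source {a.eth_src} "
                          f"(claiming {a.spa})")
        if a.spa == "0.0.0.0":
            return alerts  # ARP probe: nothing to learn from an unspecified sender
        old = self.table.get(a.spa)
        if old is None:
            self.table[a.spa] = a.sha
        elif old != a.sha:
            alerts.append(f"{a.spa} changed from {old} to {a.sha}")
            self.table[a.spa] = a.sha
        return alerts


GW, HOST, ROGUE = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:50", "de:ad:be:ef:00:01"

# Constructed sample: a normal request/reply, a repeat, then two poisoning attempts.
SAMPLE = [
    build_arp(GW, ARP_REQUEST, GW, "10.0.0.1", "00:00:00:00:00:00", "10.0.0.50"),
    build_arp(HOST, ARP_REPLY, HOST, "10.0.0.50", GW, "10.0.0.1", eth_dst=GW),
    build_arp(GW, ARP_REQUEST, GW, "10.0.0.1", "00:00:00:00:00:00", "10.0.0.51"),
    build_arp(ROGUE, ARP_REPLY, ROGUE, "10.0.0.1", HOST, "10.0.0.50", eth_dst=HOST),
    build_arp(ROGUE, ARP_REPLY, GW, "10.0.0.1", HOST, "10.0.0.50", eth_dst=HOST),
]


def run_sample(frames=SAMPLE):
    """Feed frames in order; return (frame_index, alert) pairs."""
    w = ArpWatcher()
    return [(i, msg) for i, f in enumerate(frames) for msg in w.feed(f)]


if __name__ == "__main__":
    for i, msg in run_sample():
        print(f"frame {i}: {msg}")
```

The fourth frame trips the binding-change alert (10.0.0.1 moves from the gateway's MAC to the rogue one); the fifth trips both the Ethernet-source mismatch and, because the table now holds the rogue MAC, a second change alert. A real preprocessor would also want to whitelist addresses that legitimately move (DHCP churn, HSRP/VRRP gateways) to keep the change alert from being noisy.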

I’m also working with some Cisco PIX firewalls to make them play nice with FreeS/WAN on Linux. I’ll put some example configs up here at some point. I’m going to take the Cisco VPN exam and be one step closer to a CCSP (I’m really not sure if this is a good or a bad thing career-wise). The original Cisco Press VPN book has some serious problems with factual content. The authors seem to have little understanding of the underlying technology. I guess you don’t need to know it to parrot-type the Cisco commands in (or copy and paste them, as I often see) and charge 200 quid an hour, but it would be nice to be a bit professional about things.

My Mozilla/Galeon is broken on Debian unstable. Using gdb I found /usr/lib/mozilla/components/libimglib2.so to be the culprit, so I just moved it out of the way. I now have Galeon working with no images, which suits me fine. In fact, as everything loads so quickly and is far less offensive to the eye, I may keep it this way permanently.

Program received signal SIGSEGV, Segmentation fault.
0x0de9de98 in NSGetModule () from /usr/lib/mozilla/components/libimglib2.so

Websense WISP and IPX updates

Gianni, Matt and I spent a little time poking around at the Websense WISP protocol to see how likely it would be to get Squid working with it. We observed a Cisco PIX communicating with a Websense service running on Linux. It seems pretty easy (which was strange, as we’ve heard to the contrary from Websense themselves). Gianni has knocked up a tool that can query a Websense server with a URL to see if it is blocked. If we need it we’ll build a Squid redirector. (see http://www.scaramanga.co.uk)

New patch for IPX support on Firestorm. Fixes a few lame bugs and possible remote DoSes Gianni pointed out to me. Also improved the SAP support a little.