Archive for the ‘Security’ Category

MARS: Zone product or package version does not match

I’ve been having problems getting my Cisco MARS Local and Global controllers to synchronise their topologies. This error message vexed me for a few days, but thankfully Cisco’s TAC solved it for me.

If you read Cisco's troubleshooting guides, they will tell you to check that the MARS Local and Global controllers are running the same version, and that the SSL certificates have been copied and pasted correctly.

If the problem persists after checking the above Cisco recommendations and the usual basics (network connectivity, NTP, time zones, etc.), check that both MARS boxes are running, and have downloaded, the same version of the IPS signatures: Admin -> IPS Signature Dynamic Update Settings -> Update Now.

How to delete an Access-List on a Cisco ASA

Why can’t I remember this command?

To remove an entire access list, use the clear configure access-list command; note that it takes an optional access-list name, and without one it clears every access list on the firewall.

Strange ASA ARP Replying Behavior

I’ve been implementing a few Cisco ASAs recently, and I blogged about this strange behavior; well, I came across another one yesterday.

Take a look at this debug arp….

Cisco NAC SSO Port List

Note to self: the ports I need to allow through the Un-Authenticated ACL for Active Directory SSO to work…

TCP 88,135,389,636,445,1025,1026
UDP 88,389,636

:)

Cisco ASA and 7905 IP Phone Weirdness

I came across something odd the other day: I had some Cisco IP Phones on a DMZ interface and the Call Manager was behind the inside interface. If you made a call from a 7940 to a 7940 everything worked fine; if you made a call from a 7905 to a 7940 it failed!

I ran a packet capture and found that the phone was “bouncing” the RTP stream off the firewall rather than connecting directly to the peer phone… very weird! The problem was solved by enabling…

same-security-traffic permit intra-interface

I thought I’d post this for some future googlers!

Backup Interface on Cisco ASA Firewall

I tweeted a little while ago about Nokia recently supporting interface failover within IPSO, well it looks like Cisco’s ASA Version 8 software can do it now too!

The following example creates two redundant interfaces:

asa(config)# interface redundant 1
asa(config-if)# member-interface gigabitethernet 0/0
asa(config-if)# member-interface gigabitethernet 0/1
asa(config-if)# interface redundant 2
asa(config-if)# member-interface gigabitethernet 0/2
asa(config-if)# member-interface gigabitethernet 0/3

Reference: Adding a Redundant Interface

Cisco Pix Firewall in front of a Playstation 3.

If you saw this tweet, you’ll see that a little while ago I had some fun with PlayStation 3 online gaming; it’s probably my own fault, because I’m possibly the only person with a version 6 Cisco PIX Firewall at home in front of their PlayStation.

If you want to get online gaming working through your firewall, there’s a really good online reference here, and my specific grumble about having to open up a shed load of ports for EA’s Burnout Paradise is documented in their support area.

To summarize, this is what I’ve got open:

Trying to Clean Up / Delete PGP Keys.

Here’s the story: moons ago, when I started in security, somebody told me all about Pretty Good Privacy (PGP), and in my enthusiasm I got straight on to downloading a copy. Now, this was a long time ago and I can’t remember if it was freeware or a trial from pgp.com, but either way I got straight on to generating a public/private key pair.

Seahorse is running in insecure memory.

Seahorse is a cracking GnuPG implementation for Gnome.

Just like GnuPG, it also requires secure memory to get the best privacy; I can never remember how to set this up, but fortunately there’s an FAQ on gnupg.org, so a quick…

sudo chmod 4755 /usr/bin/seahorse*

and we’re done, no more error messages :)
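The chmod above uses a glob, so it may have set the setuid bit on more than one binary. As an added example (my own script, not from the original post or from the Seahorse or GnuPG projects), here is a small POSIX sh audit that lists every file the glob touched that is now setuid, confirms whether a given file is setuid and owned by root (the combination that actually lets a program lock memory), and reports the locked-memory limit the shell will hand to the process. The function names and the /usr/bin/seahorse prefix are my choices; it assumes a Linux-style find(1) that understands -maxdepth.

```shell
#!/bin/sh
# Added example: audit what "chmod 4755 /usr/bin/seahorse*" actually did.
# Assumes POSIX sh plus find(1) with -maxdepth; nothing here is tied to
# one distribution's paths, the prefix is passed in as an argument.

# List every regular file matching PREFIX* that has the setuid bit set.
# Usage: setuid_files /usr/bin/seahorse
setuid_files() {
    dir=$(dirname "$1")
    base=$(basename "$1")
    find "$dir" -maxdepth 1 -type f -name "${base}*" -perm -4000 | sort
}

# Succeed only if FILE is setuid AND owned by root; setuid to any other
# user does not grant the privilege needed to lock pages in memory.
is_setuid_root() {
    [ -n "$(find "$1" -maxdepth 0 -type f -perm -4000 -user root 2>/dev/null)" ]
}

# Locked-memory limit of the current shell (KiB, or "unlimited"). If this
# is 0 and the binary is not setuid root, secure memory will fail.
memlock_limit() {
    ulimit -l
}

# Print a one-line verdict per matching binary, e.g. report /usr/bin/seahorse
report() {
    echo "memlock limit for this shell: $(memlock_limit) KiB"
    for f in $(setuid_files "$1"); do
        if is_setuid_root "$f"; then
            echo "$f: setuid root (secure memory available)"
        else
            echo "$f: setuid but NOT root-owned (secure memory will not work)"
        fi
    done
}

# Stand-alone use: ./audit.sh /usr/bin/seahorse
if [ $# -gt 0 ]; then
    report "$1"
fi
```

Run it once before and once after the chmod to see the exact set of files that changed; if the list contains more than the seahorse binary you expected, that is the moment to tighten the glob.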

Cisco VPN 3k Config for iPhone

Recently I was asked if I could help set up a VPN connection between an Apple iPhone and a Cisco VPN Concentrator 3000. My first round of googling didn’t look good: there’s a discussion here complaining about how crap VPN support on the iPhone is. Further searching led me to a Cisco document which specifically targets Mac clients; this document is for ASA configuration, but if you look carefully* everything you need is in there.

*No, I didn’t get this working first time; it took me a good couple of hours of googling, but looking back I can see that all the info is there.

PKI: Cisco Routers as a Certificate Authority

I’ve had a new request in recently: as part of a move to SCEP + certificates (away from pre-shared keys), a customer has asked if we could use the PKI CA built into Cisco’s router IOS. Now, this is a new idea to me; in the past people have either “plumped” for Microsoft’s CA implementation or cooked something up themselves with OpenSSL.

Cisco’s IOS Security Guide (you may need a CCO login) clearly states that it’s possible and that it supports SCEP auto-enrolment, so I thought I’d give it a go!

Antivirus Software for Playstation 3

I’ve been offline for a while, but I’ve just seen this:

The Associated Press: New Antivirus Software for Playstation 3
The company bills the software as the first of its kind for a home gaming system. It was released earlier this month as part of a PS3 upgrade and will be free until April.

This is a really positive thing to see; the fact that there is a market for it shows that “Joe Gamer” is thinking about security. It’s a shame that Sony aren’t giving this away for free, but I guess that’s business.

Trouble-Shooting the WordPress Security White Paper.

I’ve been following the activity over at blogsecurity; their activities are very interesting and quite commendable. After some shameless delay I decided to read through their WP Security White Paper and apply some of the steps… yes, I did say some. Hardened security folk will insist that you should follow all of the whitepaper to be secure, which is probably true, but one should never forget that security is about risk, and in basic terms accessibility vs security. For example, I won’t ever lock my wp-admin down to a single IP, as I’ve been known to blog at work, home, around my parents’ place and even moderate comments on the train! Thus my wp-admin isn’t as secure as someone who did lock it down, but this is a risk I’m willing to live with.

Security updates only for Fedora 7 / RHEL & Centos 5

I found this on redhat.com the other day….

It is now possible to limit yum to install security updates only. To do so, simply install the yum-security plugin and run the following command:

yum update --security

Hopefully this will allow fedora users to have the option of running a “stable” install :)

Man arrested for stealing wifi broadband

This is interesting….

ITN - Man arrested for stealing broadband

A man who was spotted in the street using his laptop to access an unsecured wireless connection has been arrested.

The 39-year-old man was seen sitting on a wall outside a home in Chiswick, west London, by two community support officers.
Dishonestly obtaining free internet access is an offence under the Communications Act 2003 and a potential breach of the Computer Misuse Act.

When questioned he admitted using the owner’s unsecured wireless internet connection without permission and was arrested on suspicion of stealing a wireless broadband connection.