Disclaimer

The content of this material is challenges I faced onsite and how I personally resolved them. Please note that the solutions posted here

1> should not be considered ultimate. The material may be considered for reference only.

2> should not be considered a guarantee that the solutions will work. Contact Cyberoam support before making any changes.

3> this blog does NOT belong to Cyberoam. It's a blog... a personal blog.

Changes made after referring to this site may seriously damage the network. So...

........MAKE CHANGES AT YOUR OWN RISK

(please contact Cyberoam support before implementing any changes)

Saturday, 28 June 2014

Which comes first : Compliance or Security?

Recently I was browsing through my LinkedIn profile and I saw a large number of security professionals drawn towards this question:

What comes first Compliance or Security?

I have given this question a lot of thought, and I asked myself a few more questions pertaining to it:

1> Can an organisation be secure without a compliance? The answer is reasonably simple: yes.
2> Does a man secure himself or search for compliance when in the wild? Obviously security.

On the contrary, I also asked myself questions to contradict the above answers:

1> How can an organisation find itself secure without a framework? A compliance is necessary.
2> How can a large society function without a framework? Yes, it's necessary.

But again I thought, let's bring it down to basics:

1> What would I require to keep my data safe? Security.
2> How could I say that my data is safe in the current security? A compliance.

Aha... so, I believe security must be built before we go for compliance or compliance auditing.
However, from the above we can also conclude that security and compliance should complement each other to build strong security and to strategize spending of a limited budget.

Friday, 27 June 2014

Is finding first the new security trend?

I have been thinking about this for some time now: is finding the vulnerability first the new security trend?

After browsing through various public vulnerability and exploit databases, my answer to the question was simple to find.

First, let's find a vendor whose application is vulnerable and check exactly when it was publicly available. Let's check IE:

Let's check when it became public. Published on 24th of June 2014.

Let's now check when vendors in the market have released a patch for the same:


When was it exactly?



Cool, our customers are safe even before it was public!!!

(Only if they have applied it in the IPS policy... This makes me realize how many customers are really following these vulnerabilities and applying them in a timely manner. Or what if we could automate these new fixes based on the policy they have applied? I am sure most vendors should have implemented this long ago.)



Thursday, 13 March 2014

How to check IPSec - Phase 2 logs in Cyberoam

Mar 13 19:53:33 "VPN_1-5"[7] xx.yy.zz.aa #1780: responding to Quick Mode {msgid:6fbca545}
Mar 13 19:53:33 "VPN_1-5"[7] xx.yy.zz.aa #1780: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 13 19:53:33 "VPN_1-5"[7] xx.yy.zz.aa #1780: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Mar 13 19:53:33 "VPN_1-5"[7] xx.yy.zz.aa #1780: Dead Peer Detection (RFC 3706): enabled
Mar 13 19:53:33 "VPN_1-5"[7] xx.yy.zz.aa #1780: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 13 19:53:33 "VPN_1-5"[7] xx.yy.zz.aa #1780: STATE_QUICK_R2: IPsec SA established {ESP=>0xc3d2c8ac <0x58bb2aa2 xfrm=AES_128-HMAC_MD5 NATD=xx.yy.zz.aa:4500 DPD=enabled}

Mar 13 20:53:33 "VPN_1-1"[7] xx.yy.zz.aa #1760: received Delete SA(0xc3d2c8ac) payload: deleting IPSEC State #1780


State #1780 is connected, and after an hour phase 2 was negotiated and a Delete SA was generated for #1780.
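An added example, not from the post and not Cyberoam's code, that parses the pluto-style Phase 2 lines quoted above and tracks each state number from Quick Mode through SA establishment to the Delete SA, so the hour between establishment and deletion can be read off and compared against the configured Phase 2 key lifetime. It also checks that the SPI named in the Delete payload matches the outbound ESP SPI that was installed, and that the deletion arrived via a different state (#1760) than the one being torn down (#1780). It assumes the exact line shape shown above, a caller-supplied year (the syslog timestamp carries none), and uses the post's own lines (peer already anonymised as xx.yy.zz.aa) plus one deliberately malformed line as constructed input.

```python
import re
from datetime import datetime

# Constructed sample: the Phase 2 lines quoted in the post, plus one junk line
# to show that unparseable input is skipped instead of crashing the parser.
SAMPLE_LOG = """\
Mar 13 19:53:33 "VPN_1-5"[7] xx.yy.zz.aa #1780: responding to Quick Mode {msgid:6fbca545}
Mar 13 19:53:33 "VPN_1-5"[7] xx.yy.zz.aa #1780: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 13 19:53:33 "VPN_1-5"[7] xx.yy.zz.aa #1780: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Mar 13 19:53:33 "VPN_1-5"[7] xx.yy.zz.aa #1780: Dead Peer Detection (RFC 3706): enabled
Mar 13 19:53:33 "VPN_1-5"[7] xx.yy.zz.aa #1780: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 13 19:53:33 "VPN_1-5"[7] xx.yy.zz.aa #1780: STATE_QUICK_R2: IPsec SA established {ESP=>0xc3d2c8ac <0x58bb2aa2 xfrm=AES_128-HMAC_MD5 NATD=xx.yy.zz.aa:4500 DPD=enabled}
this line is not a pluto log line and is skipped
Mar 13 20:53:33 "VPN_1-1"[7] xx.yy.zz.aa #1760: received Delete SA(0xc3d2c8ac) payload: deleting IPSEC State #1780
"""

# Line shape assumed from the post: <syslog ts> "<conn>"[<inst>] <peer> #<state>: <message>
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$'
)
TRANSITION_RE = re.compile(r'transition from state (?P<src>\S+) to state (?P<dst>\S+)')
ESTABLISHED_RE = re.compile(
    r'IPsec SA established \{ESP=>(?P<out_spi>0x[0-9a-fA-F]+) <(?P<in_spi>0x[0-9a-fA-F]+) xfrm=(?P<xfrm>\S+)'
)
DELETE_RE = re.compile(
    r'received Delete SA\((?P<spi>0x[0-9a-fA-F]+)\) payload: deleting IPSEC State #(?P<target>\d+)'
)


def parse_line(line, year=2014):
    """Split one line into fields; return None if it is not a pluto-style line.
    Syslog timestamps have no year, so the caller supplies it."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "conn": m["conn"],
        "peer": m["peer"],
        "state": int(m["state"]),
        "msg": m["msg"],
    }


def _new_sa(conn, peer):
    return {
        "conn": conn, "peer": peer, "transitions": [], "dpd": False,
        "established_at": None, "out_spi": None, "in_spi": None, "xfrm": None,
        "deleted_at": None, "deleted_by_state": None,
        "delete_spi_matches": None, "lifetime_seconds": None,
    }


def summarize_phase2(log_text, year=2014):
    """Track every Phase 2 state number through its transitions, establishment
    and deletion. Returns {state_number: summary_dict}."""
    sas = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw, year)
        if rec is None:
            continue
        sa = sas.setdefault(rec["state"], _new_sa(rec["conn"], rec["peer"]))
        msg = rec["msg"]
        t = TRANSITION_RE.search(msg)
        if t:
            sa["transitions"].append((t["src"], t["dst"]))
        if "Dead Peer Detection" in msg and "enabled" in msg:
            sa["dpd"] = True
        e = ESTABLISHED_RE.search(msg)
        if e:
            sa["established_at"] = rec["ts"]
            sa["out_spi"], sa["in_spi"], sa["xfrm"] = e["out_spi"], e["in_spi"], e["xfrm"]
        d = DELETE_RE.search(msg)
        if d:
            # The Delete payload is handled by whichever state receives it
            # (#1760 here) but names the state actually being torn down (#1780).
            target = sas.setdefault(int(d["target"]), _new_sa(rec["conn"], rec["peer"]))
            target["deleted_at"] = rec["ts"]
            target["deleted_by_state"] = rec["state"]
            target["delete_spi_matches"] = (target["out_spi"] == d["spi"])
            if target["established_at"] is not None:
                target["lifetime_seconds"] = int((rec["ts"] - target["established_at"]).total_seconds())
    return sas


def report(sas):
    """One human-readable line per established SA (states that never reached
    'IPsec SA established' are omitted)."""
    out = []
    for num, sa in sorted(sas.items()):
        if sa["established_at"] is None:
            continue
        if sa["deleted_at"] is None:
            status = "still up"
        else:
            status = f"deleted after {sa['lifetime_seconds']} s via state #{sa['deleted_by_state']}"
        dpd = "on" if sa["dpd"] else "off"
        out.append(f"#{num} {sa['conn']} {sa['xfrm']} ESP-out {sa['out_spi']} DPD={dpd}: {status}")
    return out


if __name__ == "__main__":
    for line in report(summarize_phase2(SAMPLE_LOG)):
        print(line)
```

Running it against the post's lines reports #1780 as established with AES_128-HMAC_MD5 and deleted 3600 s later via state #1760, which is what to line up against the Phase 2 lifetime configured on both ends when deciding whether a deletion is a normal rekey or something to investigate.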