    Posts

    • RE: Dell N2048 Switch and IP ACL - I just killed part of my network...

      @scottalanmiller

      @scottalanmiller said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

      What's the reason for adding firewalling in the middle of your network? Hostile hosts?

      To lock some down, more layers = good. We have, for example, a database server on te1. If we can deny all, but then only allow access to that server for webserver, and WSUS... if any machine is compromised or what not, it's somewhat restricted.

      posted in IT Discussion
      Jimmy9008
    • RE: Dell N2048 Switch and IP ACL - I just killed part of my network...

      @scottalanmiller said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

      @Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

      So, turns out from the testing I've done, that once an ACL is applied to an interface, all traffic to that interface will drop. Even if no drop rules are added. It's all = deny as soon as ACL is added to te1.

      Seems like that should happen. If you apply an ACL and it doesn't do that, what good is the ACL?

      Agree. It works.

      posted in IT Discussion
      Jimmy9008
    • RE: Dell N2048 Switch and IP ACL - I just killed part of my network...

      ... I've at least got it working. It's just not ideal; I will contact Dell as it doesn't sound correct.

      So, turns out from the testing I've done, that once an ACL is applied to an interface, all traffic to that interface will drop. Even if no drop rules are added. It's all = deny as soon as ACL is added to te1.

      You have to specifically add a rule to allow something through. I have added IP for another machine on the LAN 2.x to be allowed to 2.41, and that one machine can contact 2.41.

      The server 2.117 cannot, which is correct. But I can't imagine adding everything that needs access is manageable or maintainable...

      posted in IT Discussion
      Jimmy9008
    • RE: Dell N2048 Switch and IP ACL - I just killed part of my network...

      @dafyre

      @dafyre said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

      You should have both source AND destination set to host.

      They are. Both source and destination are set to host.

      posted in IT Discussion
      Jimmy9008
    • RE: Dell N2048 Switch and IP ACL - I just killed part of my network...

      @dafyre said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

      @Jimmy9008 Is the traffic still being dropped?

      Yep. Sadly. Should be a simple rule. Think host has to be FQDN?

      posted in IT Discussion
      Jimmy9008
    • RE: Dell N2048 Switch and IP ACL - I just killed part of my network...

      @EddieJennings said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

      @Jimmy9008 Why not turn on logging, and see if that shows you what's matching the rule.

      Logging is enabled now. But, no logs are being generated showing the dropped traffic.

      posted in IT Discussion
      Jimmy9008
    • RE: Dell N2048 Switch and IP ACL - I just killed part of my network...

      So... VMs moved. Rule applied based only on host.... and 3... 2... 1... still brought down everything trying to connect to anything on te1... current rule:

      0_1498745208802_N2048-2.PNG

      Ideas? Must be missing something obvious. Or is the Dell firmware buggered!

      posted in IT Discussion
      Jimmy9008
    • RE: Dell N2048 Switch and IP ACL - I just killed part of my network...

      @dafyre

      @dafyre said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

      @EddieJennings said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

      I thought it was the order of the ACLs (at least on Cisco stuff). Once there is a match, everything else is ignored.

      I think you may well be right. But like I said above -- it has been a while for me.

      Best I can tell @Jimmy9008 is to try it and let us know what happens, ha ha ha.

      😉

      posted in IT Discussion
      Jimmy9008
    • RE: Dell N2048 Switch and IP ACL - I just killed part of my network...

      Once the critical VMs are moved, I shall have a play and see.

      posted in IT Discussion
      Jimmy9008
    • RE: Dell N2048 Switch and IP ACL - I just killed part of my network...

      @dafyre said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

      @Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

      @Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

      @EddieJennings

      @EddieJennings said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

      @Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

      So, select host only, and use the machine FQDNs?

      And you'll probably have to change the wildcard mask to match all parts of the IP of the host.

      Can IP be used with host selected, but mask left empty, you think?

      With host selected, wildcard is defaulted to 0.0.0.0 and disabled. So cannot edit that anyway with host selected.

      That's probably the option you are looking for then.

      *puts on a dang helmet and hides under desk.*

      Ready when you are!

      Have to move some critical VMs off of that interface before trying again first.
      With the N2048's, does deny take precedence over allow?

      For example, can I deny range 192.168.2.60 - 80 first. Then next following rule allow 192.168.2.69 only? Or would deny stick?

      posted in IT Discussion
      Jimmy9008
    • RE: Dell N2048 Switch and IP ACL - I just killed part of my network...

      @Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

      @EddieJennings

      @EddieJennings said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

      @Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

      So, select host only, and use the machine FQDNs?

      And you'll probably have to change the wildcard mask to match all parts of the IP of the host.

      Can IP be used with host selected, but mask left empty, you think?

      With host selected, wildcard is defaulted to 0.0.0.0 and disabled. So cannot edit that anyway with host selected.

      posted in IT Discussion
      Jimmy9008
    • RE: Dell N2048 Switch and IP ACL - I just killed part of my network...

      @EddieJennings

      @EddieJennings said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

      @Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

      So, select host only, and use the machine FQDNs?

      And you'll probably have to change the wildcard mask to match all parts of the IP of the host.

      Can IP be used with host selected, but mask left empty, you think?

      posted in IT Discussion
      Jimmy9008
    • RE: Dell N2048 Switch and IP ACL - I just killed part of my network...

      @Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

      So, select host only, and use the machine FQDNs?

      Yep, will do. I shall move critical VMs to the te2 and then try.

      posted in IT Discussion
      Jimmy9008
    • RE: Dell N2048 Switch and IP ACL - I just killed part of my network...

      So, select host only, and use the machine FQDNs?

      posted in IT Discussion
      Jimmy9008
    • RE: Dell N2048 Switch and IP ACL - I just killed part of my network...

      I actually have not tried yet and wanted to do some research first before killing production again 😛

      posted in IT Discussion
      Jimmy9008
    • RE: Dell N2048 Switch and IP ACL - I just killed part of my network...

      This is the rule; applying the rule to te1 is done on a different page. But is literally selecting the interface and the rule, and clicking apply. So won't bother with that image.

      posted in IT Discussion
      Jimmy9008
    • Dell N2048 Switch and IP ACL - I just killed part of my network...

      Hey folks,

      I'm setting up ACL on Dell N2048 switch.
      I have host hooked up to te1 (10 GbE Interface 1). That host has a VM. The VM has IP 192.168.2.41/24.

      We have another server 192.168.2.117/24. This connects to the N2048 via one of the 1GbE interfaces.

      I set up the ACL rule based on IP, and applied to te1 as below:

      0_1498742416271_N2048.PNG

      Looks simple enough to me. Source 2.117, deny, destination 2.41, on te1...

      Yet, upon applying the rule... all VMs sitting on the host plugged in to te1 become unavailable to all devices on the LAN, not just 2.117. Removal of the rule restored access instantly. So yah, killed part of my live network - but, I cannot see why. The screenshot looks simple enough but I must be missing something.

      In the documentation 0.0.0.255 should be used for /24.

      So, what am I missing?

      Ta,
      Jim

      posted in IT Discussion
      Jimmy9008
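
The behaviour reported in the ACL posts above (everything to te1 dropped once an ACL is bound, and the question of whether a deny placed before a permit "sticks") can be reproduced with a small evaluator. This is an added example, not code from the thread or from Dell; it assumes first-match evaluation with an implicit deny at the end, as the posts describe, and that the first attempt used the 0.0.0.255 wildcard on both addresses. The host 192.168.2.50 and the 192.168.2.64/0.0.0.15 block are constructed sample values.

```python
import ipaddress

def ip(s):
    """Dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(s))

def wc_match(addr, base, wildcard):
    """Wildcard-mask match: bits set to 1 in the wildcard are ignored."""
    care = ~ip(wildcard) & 0xFFFFFFFF
    return ((ip(addr) ^ ip(base)) & care) == 0

def evaluate(acl, src, dst):
    """Return (action, index of matching rule); index None means implicit deny."""
    for i, (action, s, s_wc, d, d_wc) in enumerate(acl):
        if wc_match(src, s, s_wc) and wc_match(dst, d, d_wc):
            return action, i          # first match wins, later rules are ignored
    return "deny", None               # nothing matched: implicit deny

HOST = "0.0.0.0"                              # wildcard when "host" is selected
ANY = ("0.0.0.0", "255.255.255.255")          # base + wildcard matching anything
VM, SERVER = "192.168.2.41", "192.168.2.117"  # addresses from the thread
OTHER = "192.168.2.50"                        # constructed: another LAN machine

# Assumed first attempt: deny 2.117 -> 2.41 with the /24 wildcard on both sides.
ACL_WIDE = [("deny", SERVER, "0.0.0.255", VM, "0.0.0.255")]
# Second attempt: host-only deny and no other rule.
ACL_HOST = [("deny", SERVER, HOST, VM, HOST)]
# Host-only deny followed by an explicit permit for everything else.
ACL_FIXED = ACL_HOST + [("permit", *ANY, *ANY)]
# Ordering: constructed block 192.168.2.64-79 denied, then host .69 permitted.
DENY_FIRST = [("deny", "192.168.2.64", "0.0.0.15", *ANY),
              ("permit", "192.168.2.69", HOST, *ANY)]
PERMIT_FIRST = [DENY_FIRST[1], DENY_FIRST[0], ("permit", *ANY, *ANY)]

def summary():
    """Decision per scenario as (action, index of the rule that matched)."""
    return {
        "wide: other -> vm": evaluate(ACL_WIDE, OTHER, VM),
        "host: other -> vm": evaluate(ACL_HOST, OTHER, VM),
        "fixed: other -> vm": evaluate(ACL_FIXED, OTHER, VM),
        "fixed: server -> vm": evaluate(ACL_FIXED, SERVER, VM),
        "deny first: .69": evaluate(DENY_FIRST, "192.168.2.69", VM),
        "permit first: .69": evaluate(PERMIT_FIRST, "192.168.2.69", VM),
        "permit first: .70": evaluate(PERMIT_FIRST, "192.168.2.70", VM),
    }

if __name__ == "__main__":
    for name, result in summary().items():
        print(f"{name:22} {result}")
```

A "block these, allow the rest" policy needs the closing explicit permit shown in `ACL_FIXED`; the "deny all, allow only the web server and WSUS" design mentioned in the thread gets its closing rule from the implicit deny and needs only the permits.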
    • RE: Pentest - Who would you recommend?

      @IRJ said in Pentest - Who would you recommend?:

      @Jimmy9008 said in Pentest - Who would you recommend?:

      @IRJ said in Pentest - Who would you recommend?:

      @scottalanmiller said in Pentest - Who would you recommend?:

      @IRJ said in Pentest - Who would you recommend?:

      @scottalanmiller said in Pentest - Who would you recommend?:

      @Carnival-Boy said in Pentest - Who would you recommend?:

      @IRJ said in Pentest - Who would you recommend?:

      You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.

      Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?

      One is only testing penetration from a set of attacks. Most security vulnerabilities are not penetration so aren't part of that test (like SQL Injection is not penetration) plus it tests attacks, not risks.

      Example.. which tells you how long it will take to break through a door, hitting it with a hammer or knowing a lot about the door? If you know enough about the door, you know where it is weak or if the hinges are about to give out. If you just hit it with a hammer, you might get lucky and get in on the first swing or you might never hit it hard enough to break the hinge.

      Both are valuable, but one tells you a lot more, typically.

      Yes, a lot of people use security assessment and pentesting as interchangeable terms but they are much different. Pen testing is only done when you feel you've already covered everything found on a security assessment.

      Yes, doing both is definitely good. But if only doing one, it's the assessment that I'd want.

      Especially in an org that I am assuming has not run any vuln scans. They are going to have over a year's worth of work if they are lucky.

      We would like to see what could be done 'as is'. Just because we have not had a security report done, does not mean one should assume we would fail it. We have a lot in place and fixed processes, of course, nowhere is 100%, but I'd like to see what an external tester could do with nothing more than the company name. That's all an actual attacker would have.

      I suppose it's possible, but I have never seen that to be the case. If you aren't looking for vulnerabilities how are you addressing them?

      If they can get in using their various techniques... that shows the vulnerability.

      posted in IT Discussion
      Jimmy9008
    • RE: Tracking user steps on files

      @scottalanmiller said in Tracking user steps on files:

      @Joel said in Tracking user steps on files:

      @gjacobse said in Tracking user steps on files:

      Server details?

      OS version?

      Windows Server 2012 R2

      Audit records will tell you everything that can be told. Copy, however, doesn't have an "action" with it so there is no means of tracking that. The server isn't told when a copy is made, so there is no way to log that.

      Will that record access if, say, viewed in preview pane, rather than opened fully? Would be good to set up PRTG to look in event log for that on specific files, if possible.

      posted in IT Discussion
      Jimmy9008
    • RE: Pentest - Who would you recommend?

      @NattNatt said in Pentest - Who would you recommend?:

      @Jimmy9008 said in Pentest - Who would you recommend?:

      @IRJ said in Pentest - Who would you recommend?:

      @scottalanmiller said in Pentest - Who would you recommend?:

      @IRJ said in Pentest - Who would you recommend?:

      @scottalanmiller said in Pentest - Who would you recommend?:

      @Carnival-Boy said in Pentest - Who would you recommend?:

      @IRJ said in Pentest - Who would you recommend?:

      You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.

      Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?

      One is only testing penetration from a set of attacks. Most security vulnerabilities are not penetration so aren't part of that test (like SQL Injection is not penetration) plus it tests attacks, not risks.

      Example.. which tells you how long it will take to break through a door, hitting it with a hammer or knowing a lot about the door? If you know enough about the door, you know where it is weak or if the hinges are about to give out. If you just hit it with a hammer, you might get lucky and get in on the first swing or you might never hit it hard enough to break the hinge.

      Both are valuable, but one tells you a lot more, typically.

      Yes, a lot of people use security assessment and pentesting as interchangeable terms but they are much different. Pen testing is only done when you feel you've already covered everything found on a security assessment.

      Yes, doing both is definitely good. But if only doing one, it's the assessment that I'd want.

      Especially in an org that I am assuming has not run any vuln scans. They are going to have over a year's worth of work if they are lucky.

      We would like to see what could be done 'as is'. Just because we have not had a security report done, does not mean one should assume we would fail it. We have a lot in place and fixed processes, of course, nowhere is 100%, but I'd like to see what an external tester could do with nothing more than the company name. That's all an actual attacker would have.

      Unless the attacker was an internal attacker//had links to someone internal to know a bit more...? Never forget that the biggest vulnerability in any business is the fleshy thing in front of the screen.

      Yes, we are aware of this - however that is not the test. We have to trust employees. If we didn't, they would be gone.

      Internally, nobody has admin access, only IT have creds that can be admin and elevate when approved. Servers only allow 3389 on the LAN from specific IPs on our network. Creds have to be changed regularly for all users, including domain admin accounts. Workstations likewise use internal WSUS for updates, and are behind proxy for content inspection/etc.

      Even so, the test is still:

      • Our name is xyz. Document what you try, and what was successful.

      Or does nowhere offer that?

      posted in IT Discussion
      Jimmy9008