First, after you install the system, go to your network scripts folder.

cd /etc/sysconfig/network-scripts

Then, edit your ifcfg-int file. For this example, I’m only use eth0, but you can easily use eth1, etc.

vi ifcfg-eth0

Enter the following for a static IP:

DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
BROADCAST=broadcastIP
NETWORK=network address
NETMASK=netmast
IPADDR=IPAddress
USERCTL=no

Then, edit your network file.

vi /etc/sysconfig/network

Add your default gateway along with your local hostname.

NETWORKING=yes
HOSTNAME=host.name
GATEWAY=gatewayIPAddress

Open your resolv.conf file.

vi /etc/resolv.conf

Finally, add one (or more) DNS Servers to your resolv.conf file.

nameserver 4.2.2.1
nameserver 8.8.8.8

Restart your network service.

service network restart

You should be all set. Perform a ping on a target IP and a target host to verify IP and DNS functionality.

[root@demobox sysconfig]# ping 4.2.2.1
PING 4.2.2.1 (4.2.2.1) 56(84) bytes of data.
64 bytes from 4.2.2.1: icmp_seq=1 ttl=60 time=2.92 ms
64 bytes from 4.2.2.1: icmp_seq=2 ttl=60 time=2.92 ms
64 bytes from 4.2.2.1: icmp_seq=3 ttl=60 time=3.05 ms
64 bytes from 4.2.2.1: icmp_seq=4 ttl=60 time=3.02 ms
^C
— 4.2.2.1 ping statistics —
4 packets transmitted, 4 received, 0% packet loss, time 3494ms
rtt min/avg/max/mdev = 2.923/2.982/3.054/0.088 ms
[root@demobox sysconfig]# ping google.com
PING google.com (74.125.45.113) 56(84) bytes of data.
64 bytes from yx-in-f113.1e100.net (74.125.45.113): icmp_seq=1 ttl=56 time=3.77 ms
64 bytes from yx-in-f113.1e100.net (74.125.45.113): icmp_seq=2 ttl=56 time=3.85 ms
64 bytes from yx-in-f113.1e100.net (74.125.45.113): icmp_seq=3 ttl=56 time=3.91 ms
64 bytes from yx-in-f113.1e100.net (74.125.45.113): icmp_seq=4 ttl=56 time=3.90 ms
^C
— google.com ping statistics —
4 packets transmitted, 4 received, 0% packet loss, time 3361ms
rtt min/avg/max/mdev = 3.770/3.862/3.914/0.072 ms
[root@demobox sysconfig]#

First, security. As a SPAN port allows you to view traffic running through your switch, you can monitor said traffic for violations and threats. The classic example is attaching a sniffer/IDS to the span port of the switch closest to your egress point. In the example below, you’ll want to monitor the trunk port (FE0/24) that connects the switch the edge router.

Second, performance monitoring. You can use the span port in conjunction with something like TCPDump or Wireshark to monitor the packets running across the network. You can thereby see if you duplicate or unexpected traffic, errors and other potential issues inside the network. You can also utilize certain software tools which monitor packets and generate traffic/packet statistics (such as NTOP).

Finally, troubleshooting. You can use the SPAN port to troubleshoot network issues. If you’re trying to ensure that multicast traffic traverses your switch, you can monitor the SPAN port with TCPDump/Wireshark to see if the traffic goes through. While you can do the same with debug commands on the routers, sometimes it’s valuable to see the traffic as it comes across the switch directly.

That’s it for a quick intro. I’ll post more example diagrams and the configs later.

Example 1: Basic setup. Monitoring a single port on the same VLAN.
Switch Type: Cisco 3750 running 12.2(35)SE5
Target port: FastEthernet1/0/18
Monitoring Port: FastEthernet1/0/8

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#monitor session 1 source interface fastethernet1/0/18
Switch(config)#monitor session 1 destination interface fastethernet1/0/8
Switch(config)#end
Switch#show monitor session 1
Session 1
———
Type : Local Session
Source Ports :
Both : Fa1/0/18
Destination Ports : Fa1/0/8
Encapsulation : Native
Ingress : Disabled

Switch#sh int fa1/0/8
FastEthernet1/0/8 is up, line protocol is down (monitoring)
Hardware is Fast Ethernet, address is 001f.6c6b.0f0a (bia 001f.6c6b.0f0a)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 10/100BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:23, output hang never
Last clearing of “show interface” counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 11000 bits/sec, 5 packets/sec
1210 packets input, 119091 bytes, 0 no buffer
Received 762 broadcasts (0 multicasts)
0 runts, 0 giants, 0 throttles
(SNIP)

To test this, fire up Wireshark on your monitoring computer. You should be able to monitor packets from your target at this point. As you can see in the screenshot below, I pinged 1.2.3.4 and 5.6.7.8; Wireshark picked up these packets (among others) on the monitoring computer.

A remote code execution vulnerability exists in the Windows TCP/IP stack due to the processing of a continuous flow of specially crafted UDP packets. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Bad news.

In a nutshell:
– Incorporates the same source code as Stuxnet, but with a different payload
– Could have existed as early as late 2010
– Captures keystrokes and system info, among others
– Mainly targeted at manufacturers of Industrial Control Systems
– Used a stolen valid driver signing cert (which has since been revoked)

The most common way to enable this feature is found below:

Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# mdix auto
Switch(config-if)# end
Switch#

The switch configuration guides for the three models can be found below.

2940
2970
3750

You can find additional configuration guides here. Pull the guide for your specific switch and IOS version to find the exact command; the auto mdix command appears to be universal for most access switches, however.

To enable a simple community and activate the SNMP Server on a Cisco router, enter the following:

Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#sn
Router(config)#snmp-server com
Router(config)#snmp-server community SNMP_RO_COMMUNITY ro
%SNMP-5-WARMSTART: SNMP agent on host Router is undergoing a warm start
Router(config)#exit
Router#

You can then verify that the SNMP server is operational by executing:

Router#sh snmp

If the server is up and responding to SNMP requests, you should see the SNMP Packets Input counter increment at the same rate as your SNMP Packets Output counter.

Sample output from a 3825 and a 7206vxr is below.

3825#sh snmp
Chassis: XXXXXXXXXX
154994 SNMP packets input
0 Bad SNMP version errors
12 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
154002 Number of requested variables
0 Number of altered variables
135469 Get-request PDUs
19513 Get-next PDUs
0 Set-request PDUs
0 Input queue packet drops (Maximum queue size 1000)
154982 SNMP packets output
0 Too big errors (Maximum packet size 1500)
980 No such name errors
0 Bad values errors
0 General errors
154982 Response PDUs
0 Trap PDUs
SNMP Dispatcher:
queue 0/75 (current/max), 0 dropped
SNMP Engine:
queue 0/1000 (current/max), 0 dropped

SNMP logging: disabled
3825#

7206vxr#sh snmp
Chassis: xxxxxxxxxxxxx
10044977 SNMP packets input
0 Bad SNMP version errors
8 Unknown community name
4 Illegal operation for community name supplied
0 Encoding errors
17715858 Number of requested variables
0 Number of altered variables
5504338 Get-request PDUs
4437461 Get-next PDUs
0 Set-request PDUs
10063141 SNMP packets output
0 Too big errors (Maximum packet size 1500)
4 No such name errors
0 Bad values errors
0 General errors
10044969 Response PDUs
18172 Trap PDUs

SNMP logging: enabled
Logging to xxxxxxxx, 0/10, 17954 sent, 218 dropped.

Full Disclosure Post

This thing is wicked. It exploits a bad handling of the byte-range response in httpd servers, and causes them to hang, requiring intervention to kill and restart the process. Spiderlabs has a more complete write-up.

Spiderlabs Entry

Here’s the Apache advisory:

Advisory CVE-2011-3192

There’s more info on their past works at Zone-H.

That is…stop being so damn secretive! I’ve looked over a few of the cables, and have tried to keep up with the news as much as possible. There’s no reason any of the ones I’ve heard about should have been classified. In fact, some of the more scandalous ones we, the public, HAVE to know about.

For example…most people suspected that the ChiCom government was behind the attack on Google. Turns out, there appears to be some hard evidence backing that suspicion. What, we, the People, don’t deserve to know when a foreign government launches an attack (cyber or otherwise) on an American company?

Take the one dealing with the nuclear material in Qadafi’s hands. It appears that Lybia is starting to come around, in some respects. Libia wants our trade money, but is going to dick around with transfering nuclear stockpiles out of the country for some trade concessions?

This is NEWS. This is the precisely the stuff that we, the Citizens, need to know about…not who won Dancing with the Stars, nor that Arnold got a parking ticket.

Take a lesson from the Open Source community. There are some secrets, but the entire foundation is based on openness. I think having the ability to collaborate with people working on similar projects can be an invaluable asset to any technology professional. If you build the technology right, if you design secure systems from the ground up, and if you continually strive to improve them, you have nothing to fear from having your systems exposed.