Today I learned a cool firewall trick. If you're not technical, you can stop reading right here, just trust me that it's nerdcool.
You can use a Cisco ASA as a sniffer, and it will display the captured traffic in a format you can open in a packet analyzer.
First, create an access list to define the interesting traffic, like IP traffic from 192.168.1.1 to 192.168.2.2, for example:
access-list sniffer permit ip host 192.168.1.1 host 192.168.2.2
Second, start the capture on the interface where the traffic passes:
capture testcap access-list sniffer interface inside
Be sure ASDM is installed, "http server enable" is in your config, and http and https are allowed in your interface ACL so you can reach it. If you already use ASDM, you're already set up. If ASDM is running, you can now browse to the results.
https://securityappliance-ip-address/capture/capture_name
Put /pcap on the end if you want a version of the capture to load into ethereal or packetbuilder or some other packet analyzer.
Use the no syntax to stop the capture:
no capture testcap
Note that hackers could use this feature to PWN your servers or capture sensitive info, so be sure your ASDM interface on your ASA is locked down pretty good. Enjoy.
Monday, November 23, 2009
Tuesday, November 17, 2009
Some technical mumbo jumbo. It's what I do.
For my job, I was calculating the maximum latency for TCP connections from a server running Windows Server at 10 Gigabits/s. It is 0.52ms. If the latency is any greater than that, a TCP connection can’t fully use a pipe that big. The rules of TCP were written for sharing a big network among a lot of hosts, not fully utilizing the big dedicated pipes you might find in a data center environment or a high speed WAN.
Windows Server 8 has RFC 1323 RWIN scaling, which increases the speed for higher latencies (LFN problem solved). This only works if the machine on the other end of the TCP connection is also using RWIN scaling. If not, the connection might actually be slower than without scaling, because the scaling factor is being ignored. Windows XP does not have it (unless you install service packs and do the registry tweaks). Windows 7 and Vista do. Linux kernels after 2.6.8 have it enabled by default. This is a bigger issue now that more machines will have the feature than not, and the data center pipes are getting larger, but many WAN connections are not. It is also an issue because some firewalls manipulate these values and cause performance problems. Other performance issues have arisen because now TCP doesn't share the bandwidth very well and can fill up network links that previously ran without congestion.
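Added example (Python, not from the original post) that makes the bandwidth-delay and RFC 1323 arithmetic concrete: how many window-scale shift bits a given link speed and RTT need, and what happens to the effective window when a firewall strips the window-scale option so the other side reads the 16-bit window field literally. Link speeds, RTTs and window sizes are constructed sample values.

```python
"""Window-scaling arithmetic for a long fat network (RFC 1323).

Added example, not from the original post.  Link speeds and RTTs are
constructed sample values; 65535 is the largest window the 16-bit TCP
window field can carry without scaling, and 14 is the largest shift
count RFC 1323 allows.
"""

MAX_UNSCALED_WINDOW = 65535   # 16-bit window field, no scale option
MAX_SHIFT = 14                # RFC 1323 caps the shift count at 14


def bandwidth_delay_product(bits_per_sec: float, rtt_sec: float) -> float:
    """Bytes that must be in flight to keep the link busy for one RTT."""
    return bits_per_sec * rtt_sec / 8


def required_shift(bits_per_sec: float, rtt_sec: float):
    """Smallest shift count whose scaled window covers the bandwidth-delay
    product.  0 means plain TCP already suffices; None means even the
    largest scaled window (65535 << 14, about 1 GiB) is too small."""
    needed = bandwidth_delay_product(bits_per_sec, rtt_sec)
    for shift in range(MAX_SHIFT + 1):
        if MAX_UNSCALED_WINDOW << shift >= needed:
            return shift
    return None


def advertised_field(window_bytes: int, shift: int) -> int:
    """Value the receiver puts in the 16-bit window field: the real window
    divided by 2**shift.  Raises if the window cannot be expressed."""
    field = window_bytes >> shift
    if field > MAX_UNSCALED_WINDOW:
        raise ValueError("window does not fit the field at this shift")
    return field


def window_seen_by_sender(field: int, shift: int, peer_knows_shift: bool) -> int:
    """Window the sender actually honours.  If a middlebox stripped the
    window-scale option from the SYN, the sender never learned the shift,
    reads the field literally, and may end up with a far smaller window
    than plain 16-bit TCP would have given (the slowdown the post warns of)."""
    return field << shift if peer_knows_shift else field


if __name__ == "__main__":
    link, rtt = 10e9, 1e-3                 # constructed: 10 Gb/s, 1 ms RTT
    print("10 Gb/s at 1 ms RTT needs shift", required_shift(link, rtt))
    field = advertised_field(1 << 20, 8)   # receiver wants 1 MiB, shift 8
    print("peer honours scaling:", window_seen_by_sender(field, 8, True))
    print("scale option stripped:", window_seen_by_sender(field, 8, False))
```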
Thursday, November 5, 2009
SSL MITM vulnerability revealed.
Some security analysts in Overland Park found a vulnerability in *every* SSL implementation. http://www.phonefactor.com/sslgap/ We'll be patching that for months to come. Job security! But scary for internet users. That little lock in the corner of your browser means just a little bit less, until it's fixed on every secure server on the Internet. Wow!
Friday, October 9, 2009
First Day
When you start a new job and there's this massive knowledge transfer, you *know* you're not going to remember everything or everyone's name. It's a bit intimidating. I'm taking notes.
Sunday, September 27, 2009
New toy.

Well, I finally got fed up with my good ol' dinosaur HTC Pocket PC phone. The battery is giving out, it's getting long in the tooth, some of the keys on the keyboard are starting to flake out, and the Sprint service centers stopped restocking the batteries. The closest store which has one is in Blue Springs, which isn't that far, but there's more. I was on the phone with Sprint tech support over a messaging issue, and they said the problem is probably device related. I hopped on Craigslist to see what a newer, but used, smart phone goes for. I'm carrier agnostic, although my name is in the hat for a Sprint job. The G1 phones are still high, iPhones are still kinda high, the Palm Pre is steep. The RIM Blackberry is obtuse after having a nice sized touch screen and slide out keyboard. The same goes for the new Motorola phones. I found the Sprint Mogul for $80. I called, then I met the guy at the Sprint store and got my number switched to the Mogul. It's very much like what I'm used to. Windows Mobile 6.1 is alright. I was hoping it was upgraded to 6.5. Over lunch, I set up my gmail. Later, I got m.google.com set up as my Exchange server in Active Sync, so I could get my contacts and calendar entries onto it from Google, too. Sprint's Vision Services setup software doesn't do that for you. Only a few contacts appeared. I found out the hard way that I had only ever been synchronizing my Google calendar, not my contacts. When I got home, I connected the old device to the wifi and pushed the contacts to my gmail account, then did a pull from the new device. It worked. I didn't have to install any crazy software. 573 contacts transferred. Names, numbers, email addresses, you name it. Done. Complete. Finito.

As soon as I connected the new device to my home PC, it grabbed my browser favorites and Outlook/Google tasks, and prompted me to set up Media Player Sync with the new device. Once I did, it pushed a gig of music onto my new device. The adapter to connect it to my Jeep stereo is a different shape than the old one, so I have to spend $7 for a new one. This smart phone already does more, takes better pics and video, has a better keyboard, and is smaller and thinner. I need to see if I can get my tasks over the air from Google, too. I think I would still be fighting with entering all my contacts, calendar entries, tasks, email, and browser favorites if I had gotten an iPhone. And I think the whole mess would have been difficult if I didn't have everything sync'd up with my Google account. There's a beta Google Sync app for it, but I think I'll wait for the release. Outlook connects to gmail okay without it. Maybe, if I install the beta, it will get my tasks over the air, finally. Next, I need to figure out the GPS stuff, and get a new version of Tom Tom. After I install a Nintendo or Sega emulator, I'll be playing video games on it, just like the old device. Although, now I tend to look at Twitter and Facebook before breaking out the games, if at all.
New phone: http://www.engadget.com/media/2007/06/sprintmogul.jpg
Tuesday, September 22, 2009
Critique My Resume
Today, I'm meeting with a recruiter in Corporate Woods at 10. My resume seems to be working for getting me interviews. I've done a few over the phone. I learned that my Cisco certifications expired in July, though. I'll be a test taking machine for a while to get them renewed. Those Cisco money grubbers have raised the test prices. Ouch.
The resume probably needs some additional improvement. I'm accepting input, so leave a comment. Please send your critiques and job leads or ideas. Or, feel free to email me.
MY RESUME:
H. Charles Hill, Jr.
4209 Arlington Ave.
Kansas City, MO 64133
816-651-1900
Charles.Hill@gmail.com
Objective:
Degrees and Certifications:
Received a Bachelor of Science Degree in Computer Science from Oklahoma Christian University of Science and Arts in May 1993.
Cisco Certified Network Associate (CCNA) certification.
Currently enrolled in Keller Graduate School to receive a Masters of Information Systems Management in 2010.
Key Skills:
• Highly experienced in IP routing and switching using Cisco and Juniper routers, switches, and firewalls.
• Very familiar with routing protocols including BGP, OSPF, and RIP. Also familiar with IS-IS and EIGRP.
• Familiar with VLAN switching protocols including VTP, STP, ISL, and 802.1q.
• Experienced in Unix shell scripting, Perl, and CGI, in addition to C programming on a variety of Unix platforms.
• Familiar with Linux, Solaris 8/9/10, BSD, Windows 2000/XP and other operating systems as well as PC and Sun hardware.
• Experienced in database application development using FoxPro, Access, and MySQL.
• Developed and maintained web interfaces using Perl, and PHP.
• Performed network support for SAP BASIS infrastructure, including saprouter connectivity and security.
• Excellent written and verbal communication skills.
Work History:
Dec. 2006 - Present Capgemini, Network Engineer III
• Conducted site surveys and generated network documentation for existing enterprise networks.
• Configured firewall instances on a 6500 platform with a PIX firewall service module to secure corporate servers in a virtualized data center environment.
• Led a team of engineers during a large WAN deployment.
• Set up WAN routers in a fault tolerant manner and recommended network enhancements.
• Created exhaustive network design documents and participated in multi-day white board sessions with network architects.
• Supported a virtualized MPLS network with BGP and LDP.
• BASIS network support for an SAP implementation, including EDI and security.
Sept. 2006 - Dec. 2006 Sprint Nextel, Network Control Technician II
• Performed network monitoring, troubleshooting, and trouble ticket management using the Clarify ticketing system.
• Tested network functionality and customer experience at regular intervals.
• Facilitated conference calls between various fix agents to keep the nationwide wireless data network functioning as expected.
• Met short-fused event notification and trouble ticketing requirements in a fast-paced environment.
March 1999 – May 2006 Time Warner Cable / Road Runner, Sr. Network Engineer
• Assisted with the deployment, quality assurance testing, and launch of the earliest DOCSIS networks in eight different Time Warner division networks made up of Cisco routers and switches which now reliably carry over a million users’ internet and phone traffic.
• Assisted with the deployment, testing, and launch of VoIP services in five Time Warner division networks across the region, including the installation of Cisco BTS gear, softswitches, session border controllers for SIP, and others.
• Worked with a quality team of engineers who performed scheduled deployments and maintenance on a region-wide network consisting of hundreds of routers, switches and WAN connections among cities in the Central and Mid-Atlantic regions, including SONET (POS, DPT/SRP), T-carrier (HDLC/T3), and DWDM WAN technologies.
• Performed BGP load balancing for several OC48 (and smaller) connections, a regional iBGP mesh, and several regional autonomous systems.
• Regularly made BGP adjustments to shift hundreds of megabits of internet traffic to avoid network congestion, meet contractual obligations with other internet backbone providers, and mitigate customer impacting outage situations.
• Was selected to serve on the Governance Committee in the Broadband Network Services Division and used my familiarity with all aspects of successful internet service provision to help develop tools and standards which were further improved and used company-wide with great success.
• Developed quality PERL and PHP network troubleshooting tools with web interfaces which are easy for customer service representatives to use on an Apache/Solaris platform.
• Helped build a regional DWDM ring using Cisco ONS15454 equipment and dark fiber.
• Gained a thorough knowledge of PIX 535, PIX 515 and Juniper 208 firewall configuration and troubleshooting.
• Built VPNs using PPTP, IPSec, and various authentication and key exchange protocols.
• Performed server load balancing in a data center environment for various web and mail servers using Cisco Local Director, Cisco SLB, and F5 Networks BigIP solutions.
• Received Foundstone Ultimate Hacking training for improving network security through penetration testing.
• Assisted with law enforcement cooperation projects involving Fiducianet/Neustar to implement wiretap capabilities and respond quickly to FBI and Secret Service subpoenas to intercept data and voice traffic.
• Quickly responded to, troubleshot, and isolated complex, potentially service affecting conditions that require a broad and in-depth level of technical knowledge.
• Partnered with peers and technical support organizations to manage trouble events, develop technical solutions, and restore services, while updating the Remedy ticketing system to communicate the progress in a timely fashion.
• Developed network design improvements, submitted purchase order requests, created yearly budget forecasts for network growth, and helped evaluate new technologies and features for continuous network improvement and fault tolerance.
Sept. 1995 – Feb. 1999 PSINet, Sr. Network Engineer
• Installed and tested new DSL, Frame Relay, T1, DS3, BRI, PRI, and other telecommunication services.
• Installed, maintained, and managed large modem pools, network access servers, Cisco and 3Com routers, and WAN connections in several cities across the Central U.S.
• Became familiar with all aspects of successful internet service provision, having started in a sales/customer service role to eventually help build and maintain a large-scale ISP network from the ground up.
Aug. 1994 - Sept. 1995 Winslow Associates, Programmer/Technician
• Performed network maintenance in a Novell LAN environment.
• Completed various programming tasks on a DOS/Windows/Novell and FoxPro platform.
• Set up an online service for clients to transmit specifications for their orders.
Wednesday, September 2, 2009
They're like Lego's for building a real house.
The Germans have created a system of ecologically friendly non-toxic building blocks for making houses by stacking the interlocking blocks on a slab. I think it's fascinating. The resulting houses are hurricane proof and very well insulated.
http://www.hib-system.com/
I think I like this idea better than the whole yurt thing.