Monday, November 23, 2009

How to use a Cisco ASA as a sniffer.

Today I learned a cool firewall trick. If you're not technical, you can stop reading right here, just trust me that it's nerdcool.

You can use a Cisco ASA as a sniffer, and it will display the captured traffic in a format you can open in a packet analyzer.

First, create an access list to define the interesting traffic, like IP traffic from 192.168.1.1 to 192.168.2.2, for example:

access-list sniffer permit ip host 192.168.1.1 host 192.168.2.2

Second, start the capture on the interface where the traffic passes:

capture testcap access-list sniffer interface inside

Be sure ASDM is installed, that "http server enable" is in your config, and that your interface ACL allows HTTP and HTTPS so you can reach it. If you already use ASDM, you're already set up. With ASDM running, you can now browse to the results:

https://securityappliance-ip-address/capture/capture_name

Append /pcap to the end of the URL to download the capture as a pcap file you can load into Ethereal, PacketBuilder, or some other packet analyzer.

Use the no syntax to stop the capture:

no capture testcap

Note that an attacker who can reach ASDM could use this feature to capture sensitive traffic passing through the firewall, so be sure the ASDM interface on your ASA is locked down well. Enjoy.

NOTE: If you want to watch the traffic in real-time (and you have CPU to spare), use this variation:

capture testcap access-list sniffer interface inside real-time
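As an added example (not part of the original post), here is a small shell script that retrieves the finished capture over the same ASDM HTTPS path described above and checks that the downloaded file really is a pcap before handing it to an analyzer. The ASA address, the capture name, and the ASA_USER and ASA_CA_BUNDLE variables are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: pull a finished ASA capture
# off the firewall through the ASDM HTTPS capture URL, then sanity-check
# the file before opening it in a packet analyzer.
# Assumptions: the ASA is reachable at the address given, ASA_USER is an
# ASDM-capable account, and ASA_CA_BUNDLE (optional) points at the CA that
# signed the ASA's certificate so curl can verify it instead of skipping checks.

# Build the ASDM capture URL; the third argument "pcap" selects the
# binary pcap download, otherwise the text view is returned.
capture_url() {
    # $1 = ASA address, $2 = capture name, $3 = "pcap" or empty
    if [ -n "$3" ]; then
        printf 'https://%s/capture/%s/pcap\n' "$1" "$2"
    else
        printf 'https://%s/capture/%s\n' "$1" "$2"
    fi
}

# Return 0 if the file starts with a libpcap magic number (either byte
# order, microsecond or nanosecond variant) or the pcapng block marker,
# 1 otherwise. Catches an HTML login page saved under a .pcap name.
is_pcap() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

# Download the capture (curl prompts for the password) and verify it.
fetch_capture() {
    # $1 = ASA address, $2 = capture name, $3 = output file
    curl --silent --show-error --fail \
         ${ASA_CA_BUNDLE:+--cacert "$ASA_CA_BUNDLE"} \
         -u "${ASA_USER:-admin}" \
         -o "$3" "$(capture_url "$1" "$2" pcap)" || return 1
    is_pcap "$3"
}

# Typical use (not executed here):
#   ASA_USER=admin ASA_CA_BUNDLE=asa-ca.pem \
#       fetch_capture 10.0.0.1 testcap testcap.pcap && tcpdump -nr testcap.pcap
```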

Tuesday, November 17, 2009

Some technical mumbo jumbo. It's what I do.

For my job, I was calculating the maximum latency for TCP connections from a server running Windows Server at 10 Gigabits/s. It is 0.52ms. If the latency is any greater than that, a TCP connection can't fully use a pipe that big. The rules of TCP were written for sharing a big network among a lot of hosts, not for fully utilizing the big dedicated pipes you might find in a data center environment or on a high speed WAN.

Windows Server 8 has RFC 1323 RWIN scaling, which increases the speed for higher latencies (the LFN, or "long fat network," problem solved). This only works if the machine on the other end of the TCP connection is also using RWIN scaling. If not, the connection might actually be slower than without scaling, because the scaling factor is being ignored. Windows XP does not have it (unless you install service packs and do the registry tweaks). Windows 7 and Vista do. Linux kernels after 2.6.8 have it enabled by default. This is a bigger issue now that more machines will have the feature than not, and the data center pipes are getting larger while many WAN connections are not. It is also an issue because some firewalls manipulate these values and cause performance problems. Other performance issues have arisen because TCP now doesn't share the bandwidth very well and can fill up network links that previously ran without congestion.

Thursday, November 5, 2009

SSL MITM vulnerability revealed.

Some security analysts in Overland Park found a vulnerability in *every* SSL implementation. http://www.phonefactor.com/sslgap/ We'll be patching that for months to come. Job security! But scary for internet users. That little lock in the corner of your browser means just a little bit less, until it's fixed on every secure server on the Internet. Wow!