Cisco Security :: 1023 / Securing And Restricting Access To A FTP?

Nov 6, 2012

I have an ASA firewall and I have never configured an FTP server for a large-scale network (well, large in my opinion). I want to ensure we have the highest level of security available for the FTP and to limit only the specific users designated by an ACL. Would SFTP be the best available option for security measures? Should I only use Passive FTP and what range of ports above 1023 should I open for only 1 or 2 FTP clients at a time? Also, if I use Passive mode do I need to use protocol inspection for FTP? Also, currently I'm unsure of what files need to be accessed on our network, but should the SFTP server always only be installed within the DMZ?

Cisco Switching/Routing :: 2800 - Securing Router From Outside Access

Aug 19, 2012

I have a 2800 series router which is directly connected to the ISP. How can I secure the router from outside access? I am totally new to security concepts.

Cisco Wireless :: 5508WLC Whitelist For Guest Access And Securing Guest-access?

Aug 18, 2011

Is it possible to allow certain websites to bypass the web authentication pages, so that they do not need to authenticate to get to our own website, but do have to if they wish to go anywhere else? Looking at a 5508 model at the moment.

Cisco :: Restricting Access To Certain Sites By Certain Hosts

Dec 4, 2012

I am trying to block access to Facebook and Twitter on my router, to a certain range of IPs, 192.168.1.8 - 254. I have been digging around and trying stuff but all I do seems to restrict everyone's access to the internet.

Restricting LAN From Wireless Access Point?

Jan 13, 2011

Not sure if I am asking this correctly. I want to install a wireless access point into a switch and out the WAN. Going to PW access into the wireless access point. Can I restrict the user from entering the LAN from the wireless access point? Change subnets, what to do? Would not mind restricting speed, etc. I think I can through my switch.

Restricting Access To Network Devices

Oct 9, 2012

I have installed a video security system into my home/office and several IP cameras are connected via my wired cat5 network which connects to my router and switcher into a PC with internet access. This will allow me to record any break-ins and alert me of this event and view it in real time. I would like to restrict access to these devices for anyone else on the network, with either dedicated access or password protection.

Restricting Internet Access To Particular Users On XP?

May 28, 2011

Got myself the Netgear internal PCI wifi adapter today & it works just fine on my Windows XP SP3 desktop.

The only problem I have is the question of restricting complete internet access to kids @ home. If it was an external USB adapter, I could have just taken it away but the concern is the device being an internal & always available one.

The user configuration on the PC is such that there is 1 main administrator (The actual windows "administrator" account) that no one uses. Apart from that,

- 1 user with admin privileges (me)

- 1 limited account for the kid

- 1 admin privilege account for the kid again (for purposes like installation of games which require an admin account as mandatory)

I would like for the wifi PCI card to work only when I log in to my user account. There must be some way by which I could disable the device or make the internet inaccessible in the other accounts (but pls bear in mind that 1 of the accounts that the kid uses also has admin privilege).

I tried disabling the device from Control Panel but in vain (tried something like the sys admins do in corporates: disabling the USB ports on the PCs in my office).

Cisco Switching/Routing :: 3750X / Restricting Access To A IP

Jan 12, 2013

This is my scenario. I have my IP as 172.16.1.1 (aaaa.bbbb.cccc.dddd) which has full internet access. Now when I am not available in the office, I noticed someone assigning my IP to his workstation and gaining full internet access. How do I restrict such things? I.e. even if someone assigns my IP on the network, they shouldn't access LAN or WAN. I tried configuring 'arp 172.16.1.1 aaaa.bbbb.cccc.dddd arpa' on my L3 Cisco 3750X switch assuming I can achieve this, but that did not work.

Cisco AAA/Identity/Nac :: 6500 / Restricting Access To SSIDs?

Oct 29, 2012

I have configured a WLAN with a WiSM2 controller installed on a 6500 series, Aironet 3600 series APs and ACS 5.3 for user authentication. The ACS is connected to Active Directory so users are authenticating using the AD (802.1x is used and not a pre-shared key) on SSID A. I have created a separate SSID B for guest users. I have put restrictions on this SSID. Guest users are also created on the same AD where internal users are created. How can I force guest users to connect to SSID B and not be able to connect to SSID A? Currently they can connect to both.

Cisco WAN :: 2901 Terminal Server And Restricting Access

Apr 19, 2011

I have a Cisco 2901 Terminal Server with AAA authentication via an ACS server. I created two accounts on the ACS server, cciesec2011 and vendor. Both accounts can log into the Cisco 2901 Terminal Server without any issues. By the way, I am NOT using AAA authorization on the Cisco Terminal Server. Once the cciesec2011 or vendor accounts are authenticated, these accounts can access all the async lines on the Cisco Terminal Server.

Now I have a new requirement. I would like to allow cciesec2011, once this account is successfully authenticated, to have access to ALL async lines on the Terminal Server. The "vendor" account, I want to restrict this account's access only to async line 35 (there are 32 async lines available on the Cisco Terminal Server) and nothing else.

How can I accomplish this without using AAA authorization on the Cisco Terminal Server? Is it possible to use "privilege level" to accomplish this? If so, how?

Restricting Shared Folder Access Windows 7?

Mar 3, 2011

We have recently ordered a laptop along with a docking station with the intention of connecting it with the desktop PC in the office. We want the documents folders of both computers to be synchronized and to that end we want to share the folders between each computer. However, to do so we will have to connect the laptop to the larger network in our office. Given the sensitive nature of the documents we only want the desktop PC and the laptop to be able to access these files and synchronize them.

Is there any way in Windows 7 to specify exactly which computers are allowed access to shared folders on a computer? What's the best way to achieve the file synchronization between the two?

Linksys Wrt54g With 4.2.1 Firmware - Restricting Wireless Access From Router?

May 27, 2011

Is there a way to restrict wireless access to my router from wireless PCs in my home? Two grandsons are off from school now, and are playing online games to the wee hours of the morning. Can I do something to have the router shut off their connection at a certain time? Is that possible? If I have to go back to dd-wrt to do that, fine. I have a Linksys WRT54G with their 4.2.1 firmware.

ASUS RX3042H - Allowing Wireless Internet But Restricting LAN Access

Mar 20, 2011

The following diagram represents my current network.

I would like for the Phone and the Laptop both on wireless to have internet access but not access to the other PCs/shares.

I have access to routing tables in both the cable router 10.0.0.1 and the wireless router

wired : ASUS RX3042H
wireless : Linksys WRT54G (default Firmware)

Cisco WAN :: 1023 - IP Packet Debug On 29xx

Apr 17, 2012

Using 'debug ip packet acl# det' on a 2911. On an older Cisco router you could set up an ACL

access-list 150 permit tcp any any eq 1023

and then run debug ip packet 151 det and this would give a good debug output for any traffic matching a TCP port of 1023. Now when I try this on a 29xx (Version 15.1(4)M3) I get the screen filling with a lot of multicast HSRP communications.

I have tried rewriting the ACL to have other deny statements after the permit to limit the source or destination hosts and/or the ports, but the HSRP data is still there.

Like this:
access-list 150 permit tcp any any eq 1023
access-list 150 deny udp any any eq 1985

Cisco Switching/Routing :: ISR 3845 - No More Than 1023 Classmaps Can Be Defined

Apr 17, 2012

I realize what the error message says but I was not aware that there is a class-map limit. This is on an ISR 3845 router. Is there a limit on the amount of class maps that can be configured on the router?
 
Is it the amount of times class maps are used (as I do not think my client has 1023 class maps but they are used several times each)?

Cisco AAA/Identity/Nac :: ACS 5.2 User Roles And Restricting User Access To Add Items?

Sep 22, 2011

We are running ACS 5.2 patch 6 and want to restrict access for users to be able to add devices to the system. For example, an admin person in site A can only add devices into the site A group and cannot see/access other sites' groups.

Cisco WAN :: 2811 / Securing Ports In Nat?

Mar 22, 2012

I have a site that is connected to the internet via T1 into a 2811 running (C2800NM-ADVENTERPRISEK9-M), Version 12.4(11)X. I have noticed that when I do a port scan on the outside NAT pool I see well-known ports in the closed state, i.e. 7, 21, 22, 23, 25, 99, 100, 80, 443. These pools are for end users to access the internet. Does this pose a security risk? What can I change to provide end user access to the web but not leave these well-known ports open?

Cisco WAN :: Securing SRDF Between Two 7204 Routers

Jan 3, 2011

We have a leased line from one office to a DR site which we use to back up our data. We are using Cisco 7204 and an OC3 circuit. The data is sent in blocks (SRDF) and we are sending changes only. However, we are getting requests from compliance to further secure this connection since it is a leased line. I guess I need to know how secure SRDF traffic is and then, if required, how to secure it.

Can we create a simple VPN between the two routers without having to use a VPN concentrator or Firewall? If so, what IOS would be required? How much impact will the VPN have on current bandwidth?

Securing The Wireless Network With A Filter

Dec 7, 2011

In my building there are 2 wireless access points connected directly via switch into the router. So the problem is I don't want to set a password for the wireless but I want to be able to filter all computers that are connected wirelessly to my internet, because many of them are mass-downloading torrents, movies etc. and it slows the internet massively. What do I need to do to make it like a filter, which would be like an ISA server or something?

Cisco :: AP1200 Securing Open Wireless Environment

Apr 26, 2011

Need securing a wireless environment in a hotel?  The SSID has to be broadcast of course but how can we protect guests from man in the middle attacks, etc.?  Currently the environment is all AP1200s with no hardware upgrades in the near future.  There is also a 2811 router in place but nothing else.  We would love to be able to force users to authenticate with a password in order to get out to the Internet as well.

Securing Jacks On Small Biz LAN From Visiting Laptops?

Jun 29, 2012

Besides MAC address filtering, is there another good / easier way to keep visiting laptops etc from plugging in a CAT cable and accessing a LAN protected by a perimeter firewall?

Cisco Switching/Routing :: ASA 5510 Securing Inbound Traffic On VPN Using ACL

Nov 1, 2012

I have a VPN on my ASA 5510 between (A) 192.168.255.0/24 and (B) 172.20.2.0/24. The purpose of the tunnel is to send Kerberos tickets from our domain controller on the A side, across to a server at B, and receive a response. I want to lock down inbound traffic to the A network, but am not sure of the best method.

I initially tried using an ACL filtering on ports, but soon realised the incoming traffic uses a wide range of ports so this is not really possible. Seeing as the A side will always be initiating the conversation, I was wondering if I could use the 'established' option on the inbound ACL for the ASA at the A side, so that it would block any flows that are not initiated by the A side.

HP OfficeJet 6500 Wireless Printer Stopped Working After Securing Network?

Nov 29, 2011

I have run three computers on my wireless network for a few years now, and have an HP OfficeJet 6500 Wireless printer that has worked seamlessly on all computers. That is, until I secured my router. I had an open wireless connection that I changed to secure (WPA) a couple of weeks ago and have been unable to connect to my printer wirelessly to print. It will print if connected to USB. The first day I was able to enter in my WPA key just fine, but not since. It doesn't appear to be finding my connection. Oddly enough one of our computers (a laptop) is able to print to this printer so I am not sure. All computers are running Windows XP, I believe with SP3. I use a D-Link wireless router. I have tried using the HP solutions to no avail and have checked in the documentation that came with the printer. As an aside, I now appear to also have another wireless connection which is a "computer-to-computer" connection, I believe an ad-hoc connection?

Cisco AAA/Identity/Nac :: Restricting User Sessions In ACS 5.1?

Jul 26, 2011

We are using ACS 5.1 in our network. We have created users and grouped them as per the requirements. We want to restrict the user sessions in the network. A user should authenticate and be able to access a network resource. But when he is active with that session, we need to block him from another successful authentication. We want to avoid multiple users using the same user credentials for logging into the devices. Can this be achieved by making configuration changes in ACS?

Restricting The Neighbor For The Wireless Internet

May 29, 2012

I have a neighbor, whom I barely know (don't even know his name), who asked if I would be willing to give him the number off of my modem so he can connect wirelessly to my internet. I believe that is a bad idea. For one, I don't know him, but if it was possible and I did that, would he be able to access my account? Or start more trouble? He at first said if I give him the numbers off of my router, but then I stopped him because I have a modem, not a router. So I would never let him, but was curious if someone can tap into a signal of mine from a laptop next door to me using a wireless signal? And if so, can that person see all of my stuff? Would my computer and I be at risk?

Cisco Wireless :: 4404 / Restricting Use Of Guest Accounts?

Aug 15, 2011

I am currently running a guest wireless network using 4404 controllers on the wireless side and a 4402 as an anchor controller, all running 7.0.98.0, and all is working fine. Accounts are being created via the WCS lobby admin and applied to the 4402. The question I have is, is there any way of restricting the use of an account to 1 device at a time? I am currently seeing evidence of password sharing and my boss would like to make sure that everyone who uses the system has their own credentials.

Cisco WAN :: 1811 - Restricting SMTP Inbound Traffic

Mar 16, 2012

I use a mail filtering service that delivers mail to me via SMTP on standard port 25 on one of my 5 static external IPs. I wish to restrict this to their IPs only (they have two) and I am unsure how to do so. As it stands now, anything on the net can talk to my mailserver and my logs are filling quickly with failed attempts as a result. Here's my setup and what I am trying to accomplish:

mail filtering service -> my public ip:25 -> internal mailserver at 10.0.10.2:25, deny everything inbound except traffic from the mail filtering service. I am thinking an ACL would fit the bill here, but am unsure of how to implement it. Router is an 1811 with version 15.1(4)M3 IOS. WAN is on fa0, LAN is on fa1.

How To Setup Home Server And Restricting Users

Feb 20, 2013

I am a networking student so have access to a free copy of Windows Server 2012. I want to set up and get experience with AD, DHCP, and DNS, among other services. Right now I have a Netgear router attached to a Cisco switch (studying for CCENT cert). I have my desktop and server plugged into the switch. I want my desktop to connect to the domain for testing and messing around with. My wife has a netbook, smartphone, and wireless iPod. I'd like her 3 devices to get an IP from the DHCP server without having her authenticate to the server. Will the Netgear router allow this since wireless access is on? Or will she need to authenticate with the server to get a DHCP IP? I am going to disable the router's DHCP service.

D-Link DIR-655 :: Restricting Internet Time With One Computer?

Feb 24, 2012

First I tried restricting all computers from accessing the internet from 11:00PM to 6:00 through access control.  I enabled it and set up the schedule but it does not cut off the internet.  I went through create a new schedule and did that but again it still connects.  Then, in access control, I selected always and put in my son's IP address and created a schedule for him but it won't allow him any internet access. 

Cisco VPN :: ASA 5520 / Restricting End User To One Specific Group With AnyConnect?

Feb 6, 2013

I just started configuring AnyConnect with ASA 5520 that uses Cisco SecureACS to pass radius authentication.  I configured two profiles with different split tunnel restrictions and what I discovered is that when the client connects to the ASA, they are provided a choice of these two groups (I guess there is no way to restrict this) and I can log into either one with any user account.  How do I restrict this so that the user can only use one profile?  Currently users capable of VPN would be placed in one specific AD group so that is what SecureACS checks.  Is there a sample configuration guide to handle multiple profiles with different levels of access?

Cisco Switching/Routing :: 2900 - Restricting Bandwidth From A Particular Vlan

Jan 17, 2012

I have a 2900 router at a branch office. This router has a 4 port switch card and two gigabyte ports. The gigabyte port is used for the WAN connection and the 4 port switch card is used for the LAN connection. I have two separate networks on my LAN side (network 1 and network 2).

I have assigned ports 0,1 of the switch card to vlan1 for network 1. Ports 2,3 of the switch card are assigned vlan 20 for network 2.

My problem is I would like to apply a bandwidth restriction for all data coming out from vlan20, capping same to 384 kb.

Note I do not want to use QOS because this will only kick in when saturation occurs.

Cisco :: 5508 WLC - Restricting SSIDs Using Win2008 Radius Servers

Feb 5, 2013

I have a customer that wants to restrict the SSIDs that groups get based on their AD credentials. Currently, he is using Windows 2008 Radius Server and AD with Cisco 5508 WLCs. I found examples that show this is possible, but my question is: if I have 2 user groups (teachers and students) in AD and apply a policy for the Radius to send SSID x to teachers and SSID y to students, upon successful authentication, would this deny teachers access to SSID y and students access to SSID x?

Cisco Switching/Routing :: Restricting Mac Addresses On 4506 Switch

May 14, 2013

We want to permit certain MAC addresses on the cat 4506 switch wherein only those MAC addresses will get access to the network.

Configuration Planned: For testing purposes we have created a MAC access list on the cat 4506 and denied the laptop MAC address in this access list. The MAC access group is applied to the port where the laptop is connected to the cat 4506. Even after applying the MAC access group on the port, the laptop is able to ping the VLAN IP of the cat 4506.

The laptop with IP address 192.168.10.2/24 connected to port 2/1 is able to ping 192.168.10.1 even after applying the mac access-group.

Note: we have tested the same configuration on a cat 3560 and it's working fine. We apply the mac access-group command on the interface and clear the arp-cache and we are not able to ping the VLAN interface IP. The moment we remove the mac access-group, ping starts again.

Copyrights 2005-15 www.BigResource.com, All rights reserved