Friday, January 22, 2010

Tips in Facebook Security and Privacy

Hello readers! Once again your friendly neighborhood security analyst is back, and I'm going to show you how to use your Facebook account safely. We're going to tackle "privacy on Facebook", since this application is very popular and has a vast number of users around the world. This article is aimed at less tech-savvy people who have little knowledge of the impact of "identity theft".

Below are things that could happen if someone wants to hurt you indirectly through your Facebook profile:

1. A public profile is the best tool for attackers doing "footprinting" (often loosely called fingerprinting), that is, information gathering on a specific target or victim.

2. Malicious strangers can use your full profile to impersonate you and fool others, thus hurting your reputation.

3. Displaying your full profile to the public, including your email address, hands an attacker your login name, which is the first step toward guessing your password (or answering your password-reset questions from the personal details you posted). If that succeeds, you'll soon be staring at your ceiling crying over your applications such as Restaurant City, FarmVille, Cafe World, etc.

4. Assume your account has been compromised. If the email address and password of your Facebook account are also used for your other online accounts, such as your bank account or personal email, you need to act fast: change those passwords, inform your bank and recover the accounts as soon as possible.

Of course, you don't want to experience what I have written above, so now it's time to learn! I've provided easy tips below on how to enjoy Facebook while securing your identity and account.

1. Know whom you accept as a friend. Don't be so excited when a stranger adds you; they may have something other than friendship in mind.

2. Be aware of and careful with your friends' posts. Don't assume a link (URL) is safe just because it comes from your friend; clicking instantly on posts containing a URL is a big risk. Are you familiar with the Koobface malware? It is a worm that targets social networking sites. Once your computer is infected, it hijacks your Facebook account and sends messages to the victim's friends, encouraging them to click on a link. That is exactly why a link from a friend is no guarantee: the friend's account may no longer be under the friend's control.

3. Configure who can see your profile. At the upper right of Facebook, go to "Settings" and click "Privacy Settings" in the list that appears. On the next page, click "Profile". This takes you to a page where you can configure who can see each part of your profile, such as personal info, status, education and work. In the drop-down lists, I recommend the setting "Only Friends" so that only your friends can see your profile.

4. Hide your Facebook account from search engines such as Yahoo!, Google and others. Go to "Settings" -> "Privacy Settings" -> "Search". Under "Public search results", uncheck the "Allow" checkbox.

I found the useful links and references below, which discuss Facebook security and good practices; read them and I'm sure they will help.

Using Facebook and Twitter safely --
http://news.cnet.com/8301-27080_3-10420861-245.html
How to use facebook 5 tips for better social networking --
http://www.readwriteweb.com/archives/how_to_use_facebook_5_tips_for_better_social_networking.php
How to Avoid Malware on Facebook and Twitter: 8 Best Practices --
http://www.readwriteweb.com/archives/how_to_avoid_malware_on_facebook_and_twitter_8_best_practices.php


We have reached the end of my article and I hope you enjoyed every detail of it. Always remember, the human brain gets more complex every day and hackers are evolving. Enjoy Facebooking!


Cheers,

Engr. Ralph Christian Payumo CCNA, CCSP, Security+
Security Analyst

Sunday, January 10, 2010

Packet Forensics Part One: The Packet Anatomy

Introduction.


Computer attacks have grown overwhelmingly sophisticated. I don't mean that because current attacks are carried out by ready-made programs, but because the technique used to launch a successful attack today is quite extraordinary. As security measures evolve, new and smarter techniques are born. Most attacks are carried out remotely (unless the attacker is great at social engineering and talks their way into the organization's systems). When we approach a network breach, we most definitely need to know exactly what happened: the steps taken and the tools used by the attacker. Moreover, we need to find out what was lacking in the target's security.

I'm writing this article to arm you with the basic knowledge needed to perform packet forensics, which will let you understand what is really going on in your network and is one of the indicators of a breach. Consider this "part one" of an entire write-up on packet forensics; the scope of this article is only how to dissect packets and understand packet structure. Analysis of application-layer data will be in a separate document, part 2, and a simple installation and usage of Snort to monitor your network in part 3. Again, this article focuses on the basics: the knowledge you need in order to conduct packet forensics.

What is packet forensics? (What is its purpose? Why do we do it?)

Packet forensics is the process of analyzing packet captures (and binary log files), or even live packets, to find out the nature of the attacks that occurred on the network. It includes building up the details of how the attack was conducted, the techniques and tools used, and any factors that affected the success of the attack. Packet forensics is, in a sense, deriving the whole picture from just the packet captures you have.

Well, it's not always the case that you get your analysis right (as in crime investigations). You can only come as close as what you have unearthed from the packet capture data you have. Moreover, different analysts will have their own idea of how the attack came about. That is why it's always good to consult your peers; it might help you connect the dots and see the bigger picture.

What information or "evidence" do we analyze?

As said, packet forensics deals with packet capture files or binary log files from different devices (depending on whether the devices are capable of producing one). The terms packet capture file and binary log file can be used interchangeably; in this article I will use the term packet capture file. Packet capture files are snapshots of the network traffic taken by an interface (in promiscuous mode) at a specific location on the network. They enable us to "rewind" and see what transpired on your network at a given location. The file format we'll be using is the libpcap format, which most, if not all, packet capture devices and software support, and which can be read by well-known sniffers such as Wireshark, Ethereal (Wireshark's former name), tcpdump and WinDump. Having a standard capture file format and function library lets us use many different tools to analyze a single capture. One practical caveat: a capture is only as trustworthy as the sensor that produced it, so record where the sniffer sat and when the capture was taken, hash the file, and work on a copy.

In what cases can packet forensics be conducted?

Any attack that involves network traversal can be analyzed with packet forensics. Then again, your analysis and conclusions can only go as far as your data allows. So one simple piece of advice: place your sniffers/sensors (you are not limited to just one) at strategic locations where they can see all the packets coming in and out of your network.

What tools are needed?

No proprietary software or hardware is needed to conduct packet forensics. You just need some tools that will help you get the answers you need. The set of tools we will be using is as follows:
* tcpdump/WinDump - sniffer [tcpdump and WinDump website]
* Wireshark/Ethereal - sniffer and protocol analyzer (we won't be using Wireshark/Ethereal in this article, but you are free to use it to see what a packet looks like) [Wireshark and Ethereal website]
* Snort - IDS [www.snort.org]

In this article we won't be covering all the features of each tool, only the essential features that help us accomplish our task. For more information about each tool, check its website.

The Packet Anatomy.

To fully understand packets, one must have a basic understanding of how the IP and TCP protocols work. This includes understanding IP addresses, TCP flags (states), sequence and acknowledgment numbers, and the TCP three-way handshake; generally, knowing how IP addressing works, how hosts communicate, etc. Let's get down to business. Figures 1.1 and 1.2 below show what a packet looks like logically.

FIGURE 1.1. Packet Logical Structure (IP)

FIGURE 1.2. Packet Logical Structure (TCP)

For more details about the logical structures (field values, etc), you can review it here.

Using TCPDUMP.

So what does a packet look like on the wire? What we will do next is open a packet capture file using tcpdump with the appropriate switches to see what a packet looks like. As I said, for this article I won't be using Wireshark or Ethereal; they present the structure of a packet more readably, but I chose tcpdump because I prefer working in a shell (don't let my preference hinder yours; it's up to you whether you use Wireshark or Ethereal instead).

tcpdump can be used both to read packet capture files and to sniff on a given interface. To have tcpdump read a packet capture file, use the -r switch followed by the file name. Here is an example.

ice@thesecuredbox ~$ tcpdump -r samplecapture.pcap

To have tcpdump sniff on an interface, use the -i switch followed by the interface (on Linux this is the interface name; on Windows, WinDump takes the interface number, which you can list with windump -D). Here is an example.

ice@thesecuredbox ~$ tcpdump -i eth0 (Linux)
or
C:\> windump -i 1 (Windows, using WinDump)

Note that sniffing an interface needs root (or Administrator) privileges, while reading a capture file with -r does not, so do the analysis itself as an unprivileged user.


Here is a simple explanation of the switches I'll use to get the output below.
* -n : Don't resolve IP addresses to hostnames.
* -X : Show the packet's contents in both hex and ASCII.
* -vvv : Increase the amount of packet information you get back.
* -c N : Capture only N packets and then stop.
* -S : Print absolute (rather than relative) TCP sequence numbers.

ice@thesecuredbox ~$ tcpdump -nvvvXS -r samplecapture.pcap

tcpdump provides simple ways of decoding what it has captured on the wire or read from the capture file. In Figure 2, the lines highlighted in orange are the hex values of the packet as decoded by tcpdump. The lines highlighted in yellow are the source and destination IP addresses, and the lines highlighted in red are the source and destination ports respectively. With the proper labels, you can easily determine what each field is and its value. What we will be concerned with are the lines of hex values: these are the raw bytes of the packet.

FIGURE 2 TCPDUMP output
So what does this output of ours mean? Let's take it byte by byte. This output is 48 bytes long. In Figures 1.1 and 1.2 the packet is drawn in rows of 32 bits (4 bytes), while tcpdump prints the raw packet in rows of 128 bits (16 bytes), so each row in the figure corresponds to a quarter of a tcpdump line. The offsets on the left of each line are hexadecimal and increase by 16 bytes per line: 0x0000 is byte 0 and 0x0010 is byte 16. Note also that -X prints the packet without its link-layer header, so offset 0x0000 is the first byte of the IP header (the version/IHL byte, 0x45 for a plain IPv4 header). To find a field, add its offset within the header to the header's start: the IP source address is bytes 12-15 and the destination address bytes 16-19, so the destination address starts on tcpdump's second line.

Now, Figure 3 will match the logical structure of the packet, to how it really looks like, raw.

FIGURE 3. Packet Structure
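To make the mapping between the logical structure and the raw bytes concrete, here is an added example that is not code from the article: a small Python dissector that reads a libpcap file the way tcpdump -r does, walks the Ethernet, IPv4 and TCP headers by their byte offsets (reading the IHL and data-offset nibbles rather than assuming 20-byte headers), verifies the IP header checksum, and prints the IP packet as a tcpdump -X style hex dump. The one-packet capture it reads is constructed inline (a TCP SYN from 192.168.1.10:40000 to 10.0.0.5:80; addresses, ports, MACs and timestamp are made up), so it runs offline; the TCP checksum in that constructed packet is left at zero. Function and class names are mine.

```python
import struct
from dataclasses import dataclass

TCP_FLAGS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "."), (0x20, "U")]


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; over a header that already carries its checksum it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_pcap() -> bytes:
    """Constructed one-packet libpcap file (not a real capture): Ethernet/IPv4/TCP SYN
    from 192.168.1.10:40000 to 10.0.0.5:80. The TCP checksum is left at 0 for brevity."""
    eth = bytes.fromhex("66778899aabb") + bytes.fromhex("001122334455") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0x11223344, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5]))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]       # fill in the header checksum
    frame = eth + ip + tcp
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    record_hdr = struct.pack("<IIII", 1262563200, 0, len(frame), len(frame))  # ts_sec, ts_usec, incl, orig
    return global_hdr + record_hdr + frame


@dataclass
class TcpPacket:
    ts: float
    src: str
    dst: str
    ttl: int
    ip_checksum_ok: bool
    sport: int
    dport: int
    seq: int
    ack: int
    flags: str
    window: int
    payload: bytes


def parse_frame(frame: bytes, ts: float):
    """Dissect one Ethernet frame; returns a TcpPacket, or None for non-IPv4 / non-TCP frames."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IHL nibble counts 32-bit words
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                                # protocol field: 6 = TCP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    doff = (tcp[12] >> 4) * 4                     # data offset nibble, also in 32-bit words
    flags = "".join(name for bit, name in TCP_FLAGS if tcp[13] & bit)
    window = struct.unpack("!H", tcp[14:16])[0]
    return TcpPacket(ts, src, dst, ip[8], inet_checksum(ip[:ihl]) == 0,
                     sport, dport, seq, ack, flags, window, tcp[doff:])


def parse_pcap(data: bytes) -> list:
    """Walk a libpcap file (either byte order) and return the TCP/IPv4 packets it contains."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (magic %#x)" % magic)
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        pkt = parse_frame(frame, ts_sec + ts_usec / 1e6)
        if pkt is not None:
            packets.append(pkt)
    return packets


def hexdump(data: bytes) -> str:
    """Render bytes like tcpdump -X: hex offset, 16 bytes per line in 2-byte groups, then ASCII."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("\t0x%04x:  %-40s %s" % (off, hexpart, asc))
    return "\n".join(lines)


if __name__ == "__main__":
    cap = build_sample_pcap()
    for p in parse_pcap(cap):
        print("%s:%d > %s:%d flags [%s] seq %d win %d ttl %d ipcsum_ok=%s"
              % (p.src, p.sport, p.dst, p.dport, p.flags, p.seq, p.window, p.ttl, p.ip_checksum_ok))
    print(hexdump(cap[24 + 16 + 14:]))   # the IP packet without its link-layer header, as -X shows it
```

Reading the IHL and data-offset nibbles instead of hard-coding 20 is what keeps the dissector honest on packets with IP or TCP options (a SYN with MSS and window-scale options is exactly the 48-byte case the tcpdump output above shows); a failed IP checksum on a captured packet usually means checksum offloading on the capturing host, not tampering, so treat it as a sensor artifact first.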

Conclusion.

This article mainly discussed the structure of a TCP/IP packet and what it looks like on the wire. In Part Two of the Packet Forensics series we will discuss the different factors that affect packet forensics. This will involve looking at the SEQ and ACK numbers, ports, IP addresses, activity duration and packet payload. Finally, after gathering all this information, we will perform the analysis to determine what application or tool was used and what malicious payload can be seen.

If you have any questions, inquiries, or suggestions, feel free to leave a comment and we'll be happy to respond.

Wednesday, January 6, 2010

IT Security Basics: Protecting a PC against computer virus injection from USB drive

Preface

I wrote this article to educate computer users on how to stop computer viruses spreading from a USB flash drive to their PC, in the simplest ways.

Introduction

What is USB? It is a set of connectivity specifications developed by Intel in collaboration with industry leaders. USB allows high-speed, easy connection of peripherals to a PC; when a device is plugged in, everything configures automatically. USB is the most successful interconnect in the history of personal computing and has migrated into consumer electronics (CE) and mobile products. With this technology, USB flash drives were developed, allowing consumers to transfer and store large files from one PC to another. Honestly, I really love my 16GB USB pen drive because it's really handy and it can store my favorite songs, pictures and PC applications. Done with my story, let's go to our main topic: basic yet effective tips on how to protect your PC from virus infection when using a USB flash drive.

Security Tips:

First of all, always have updated antivirus software. If you want free antivirus software, go to websites below:

http://www.avira.com - Avira
http://www.grisoft.com - AVG

Disable the "AutoRun" feature. To stop viruses automatically injecting themselves into your PC (Windows XP), just follow the simple steps below (gpedit.msc ships with XP Professional but not XP Home, and you need an administrator account to change the policy):

1. Click the Start button, then Run, and enter "gpedit.msc" without the quotes
2. Go to Computer Configuration -> Administrative Templates -> System
3. Scroll down to "Turn off Autoplay" and double-click it
4. Click the "Enabled" radio button, then for "Turn off Autoplay on" select "All drives"

• If you don't want to perform the second tip above, hold down the "Shift" key while inserting a USB flash drive; this suppresses AutoPlay for that insertion only, so the policy setting above is the more reliable fix. Nice, isn't it?

• Remember the rule of thumb "Always scan all removable storage when inserted".

If you want to permanently disable USB storage on your PC, follow the steps below (this needs administrator rights, and it blocks USB mass-storage devices only; keyboards, mice and other USB devices keep working):
1. Open the Registry Editor: go to Start -> Run and type "regedit".
2. In the Registry Editor, navigate to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR
3. Locate the DWORD value "Start" and set it to 4 (disabled).
4. Close the Registry Editor. No reboot is needed; the change applies to USB storage devices plugged in from then on (a drive that is already mounted keeps working until it is removed).
5. If you want to enable USB storage again, set "Start" back to its original value of 3 (start on demand).

– This is very helpful in situations where your brother or sister sneaks onto your computer to install unwanted software when you're not around. It happened to me thrice, trust me...

Once again, thank you for your time and I hope this article widened your IT security knowledge. Please pass it to your friends!


Cheers,

Engr. Ralph Payumo, CCNA CCSP Security+
Security Analyst



References:
http://www.intel.com/technology/usb/
http://www.petri.co.il/disable_usb_disks.htm

Monday, January 4, 2010

IT Security Basics: Tips in Safekeeping and Protecting your Password

Preface

The main reason I wrote this article is to educate computer users to protect their username and password, or simply their "identity" in the digital world, from the eyes of malicious minds. Education and awareness are the best tools you'll ever have in this modern world.

Introduction

To start the new year, let us have a short discussion of something basic in the IT field: "Safekeeping and Protecting Your Password". Passwords are strings of characters used to authenticate a user before granting access to computer networks and services. They may protect your personal or corporate accounts, online bank accounts, email accounts, desktop accounts and so on. A poorly chosen password gives a false sense of security. You might already know this stuff and say "This is BASIC", "I've known this since grade school". I admit it is redundant, but not everyone out there takes it seriously (trust me). In this article, I'll share some basic yet effective tips for safekeeping and protecting your password.

TIPS:

• Golden Rule: "Don't share your username and password with anyone".

• Use a strong password. Passwords should be 8-16 or more characters, mixing upper and lower case letters (A-Z, a-z), digits (0-9) and special characters such as (!, #, @, %, &, *) to make them hard for attackers to crack by any means, e.g. a brute-force attack. In hacking terms, a brute-force attack uses automated software to try every possible combination until it finds the matching password. Look at the tools "Brutus" (an online brute-forcer that tries logins against a live service) and "RainbowCrack" (which cracks captured password hashes using precomputed rainbow tables rather than guessing online; such tables only cover a limited character set and length, so a long password defeats them too). No password is guaranteed secure, but every extra character multiplies the attacker's work, and a sufficiently long one would take millions of years to exhaust, thus increasing your password security.

• You can use the "passphrase" technique to create a cool password that you can remember. For example, "Il0p1&sp" is derived from "I l0ve p1zza & sPaggeti". You can create your own sentences and then apply the passphrase technique. Note that the abbreviation is only as strong as its 8 characters; where the service allows it, use the whole phrase, which is both much longer and easier to remember.

• Never use a password based on yourself or your family, such as birth date, age, parents' names, home address or other personal information. A simple guess based on your personal information can be enough to access your account, and social engineering is the usual way attackers gather that information.

• Never use a dictionary word as a password, such as money, love, food, sex, glory and so on; attackers try word lists before random combinations.

• Never write your password anywhere. Writing your username and password on the back of your keyboard, mouse or monitor at home or at work is a big "NO". In short, keep your password in your head.

• Regularly change your password. Make it a routine to change your password once a month or every quarter. Losing your personal email is a shame.

• Don't reuse your previous passwords. Changing your password regularly and then going back to past passwords is useless.

• Based on my personal experience, it is still advisable to use your own computer rather than renting one in a computer rental shop. Why do I say this? Simply, you don't know whether the shop manager is well versed in IT security, or whether a Trojan might be residing on the network. Moreover, a potential hacker can install a keylogger to steal the usernames and passwords of people renting in the shop without their knowledge. Of course, you don't want to wake up early in the morning staring at your ceiling because your personal email was hacked. This is only my point of view and I'm not against computer shop owners. I admit that computer rental is unavoidable, especially for students who can't afford a computer, but this is the reality.
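As an added example, not code from the article, the rules above (length, character classes, dictionary words, personal information, no reuse of previous passwords) are turned into a checker you can run, together with a keyspace estimate that shows what length buys against a brute-force attacker. The word list, the personal details ("Ralph", "1984") and the guess rate of one billion guesses per second are constructed assumptions for the demo; the passwords tested include the article's own "Il0p1&sp" and its source phrase.

```python
import hashlib
import math
import re

# Constructed word list for the demo; a real checker would load a full dictionary
# (and the breached-password lists that did not exist when this article was written).
DICTIONARY = {"money", "love", "food", "sex", "glory", "password", "pizza", "secret"}

CLASSES = {   # character class -> (matcher, alphabet size used for the keyspace estimate)
    "lower":   (re.compile(r"[a-z]"), 26),
    "upper":   (re.compile(r"[A-Z]"), 26),
    "digit":   (re.compile(r"[0-9]"), 10),
    "special": (re.compile(r"[^A-Za-z0-9]"), 33),   # printable ASCII punctuation and space
}


def password_hash(pw: str) -> str:
    """Digest used only to compare against previous passwords without keeping them in clear.
    (For storing login passwords use a slow, salted scheme such as bcrypt; a plain SHA-256 is
    acceptable here only because this history list is never exposed to offline guessing.)"""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def keyspace_bits(pw: str) -> float:
    """Upper bound on what a brute-force attacker must search: length * log2(alphabet size)."""
    alphabet = sum(size for rx, size in CLASSES.values() if rx.search(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def brute_force_years(pw: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to exhaust the keyspace at the given (assumed) guess rate."""
    return 2 ** keyspace_bits(pw) / guesses_per_second / (365 * 24 * 3600)


def check_password(pw: str, personal_info=(), previous_hashes=()) -> list:
    """Return the article's rules that the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if sum(1 for rx, _ in CLASSES.values() if rx.search(pw)) < 3:
        problems.append("uses fewer than three character classes")
    lowered = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)   # strip 'love123' / '!!money' decorations
    if core in DICTIONARY:
        problems.append("contains dictionary word '%s'" % core)
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append("contains personal information '%s'" % item)
    if password_hash(pw) in set(previous_hashes):
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    history = {password_hash("Il0p1&sp")}          # pretend this was the user's last password
    for candidate in ["love123", "Ralph1984!", "Il0p1&sp", "i l0ve p1zza & spaghetti"]:
        verdict = check_password(candidate, personal_info=["Ralph", "1984"], previous_hashes=history)
        print("%-28s %6.1f bits  ~%.3g years  %s"
              % (candidate, keyspace_bits(candidate), brute_force_years(candidate), verdict or "OK"))
```

The keyspace numbers are the point: the 8-character "Il0p1&sp" is about 52.6 bits, which at a billion guesses per second is exhausted in well under a year, while the 24-character phrase it was made from is over 140 bits even without upper-case letters. Length is what makes "millions of years" true; the mix of character classes only helps at the margin.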

Thank you for giving your time in reading my article and I hope you learned something. Please share it with your friends and let us make IT fun and better.

Cheers,

Engr. Ralph Christian Payumo, CCNA CCSP Security+
Security Analyst

Wednesday, December 30, 2009

Unicode Directory Traversal Attack

Preface
The reason I researched this topic is to gain a strong understanding of the Unicode directory traversal attack and of the techniques an attacker can use to obfuscate it.

Introduction
Directory traversal is the manipulation of a URL in such a way that it accesses restricted files by backtracking through the server's directories. Any device or application that uses an HTTP-based interface is potentially vulnerable to a directory traversal attack.

Most web servers restrict users to a specific portion of the filesystem, typically called the document root (or web root), in which users are confined.

For Linux/Unix, the apache document root directory is by default in the line:
DocumentRoot "/var/www/html"

For Windows, the IIS default document root directory is in:
c:\Inetpub\wwwroot

Depending on how the web server is set up, the attacker can step out of the document root and access other parts of the file system, which can lead to a full compromise.

What is a Directory Traversal Attack?
Directory traversal, also known as path traversal or the dot-dot-slash (../) attack, is an HTTP exploit which allows attackers to access restricted directories and files, view data and execute commands outside the web server's document root. The vulnerability can exist either in the web server software itself (e.g. Apache or IIS) or in the web application code, by taking advantage of improper handling of user-supplied input.

The main objective of this attack is to gain access to a file or program that was not intended to be accessible on the web server.

How does it work?
To perform a directory traversal attack, all an attacker needs is a web browser and a crafted URL that navigates to the desired folder on the same drive. This is achieved using encoded representations of the dot ("."), forward slash ("/") and backslash ("\"), chosen so that the server's input filter does not recognise the ../ sequence but the decoder that runs afterwards reconstructs it. According to RFC 2396, characters in a URI may be encoded using the percent sign (%) followed by two hexadecimal digits.

Different types of encoding.

1. Hex Encoding - The simplest method of encoding a URL, understood by both IIS and Apache: the percent character "%" followed by the character's ASCII value in two hexadecimal digits.

%2e%2e%2f becomes ../ on the first decoding

2. Double Percent Hex Encoding - This encoding is supported by Microsoft IIS. The percent sign itself is hex-encoded (%25), followed by the hexadecimal byte value to be encoded.

%252e%252e%252f becomes %2e%2e%2f on the first decoding and ../ on the second decoding.

3. Double Nibble Hex Encoding - This encoding is supported by Microsoft IIS: each hexadecimal digit is itself encoded using standard hex encoding.

Now we start with %%32%65%%32%65%%32%66, which becomes %2e%2e%2f on the first decoding and ../ on the second decoding.

Attack : http://server.com/scripts/%%32%65%%32%65%%32%66/Windows/System32/cmd.exe?/c+dir+c:\

4. First Nibble Hex Encoding - This encoding is supported by Microsoft IIS; only the first nibble (hex digit) is encoded, as in the following example:

%%32e%%32e%%32f becomes %2e%2e%2f on the first decoding and ../ on the second decoding

Attack : http://www.victim.com/userdata.php?file=%%32e%%32e%%32f%%32e%%32e%%32f%%32e%%32e%%32fwinnt/system32/cmd.exe?/c+dir

5. Second Nibble Hex Encoding - This encoding is supported by Microsoft IIS; it is the same as first nibble hex encoding except that the second hexadecimal digit is the one encoded.

%2%65%2%65%2%66 becomes %2e%2e%2f on the first decoding and ../ on the second decoding.

Attack : http://www.victim.com/shows.asp?view=%2%65%2%65%2%66%2%65%2%65%2%66%2%65%2%65%2%66Windows/system.ini

6. Microsoft %u Encoding - Microsoft IIS supports a non-standard method of encoding web requests known as '%u' encoding. Because the %u method is non-standard, a network intrusion detection system that does not implement it will not see the traversal sequence in requests encoded this way.

URL requests use the format "%uXXXX", where "XXXX" is the hexadecimal Unicode code point; for example %u002e%u002e%u002f becomes ../

Attack : http://www.victim.com/userdata.php?file=%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002fetc/passwd

7. Null Byte Encoding - An evasion technique effective against applications written in C-based languages, or whose runtime hands the path to C library calls: a URL-encoded null byte (%00, or 0x00 in hex) is treated as the end of the string, so anything the application appends after it, such as an enforced file extension, is silently ignored.

Normal : http://www.victim.com/userdata.php?file=mydata.dat
Attack : http://www.victim.com/userdata.php?file=../../../etc/passwd%00

How do I protect myself?
- Apply the most up-to-date security patches to the web server and to the application framework.
- Set up the web root directory on a non-system partition, and run the web server under a low-privilege account so that a successful traversal cannot reach system files or cmd.exe.
- Filter all user input: decode the request fully (repeating until it no longer changes) and canonicalise the path before validating it, reject anything containing a NUL byte or a ".." segment in either slash direction, and prefer an allowlist of permitted file names over a blocklist of bad patterns.
- Resolve the final path and check that it still lies inside the intended directory before opening it.
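The decode-until-stable rule is easiest to see in code. Below is an added example, not code from the article: a Python normaliser that handles every encoding in the list above (plain hex, double percent, double nibble, first and second nibble, Microsoft %u and the null byte) by repeating a single decoding pass until the string stops changing, then applies the C-string truncation and the backslash/slash equivalence before looking for a ".." segment. SAMPLE_URLS reuses the article's own attack URLs, with the null-byte example written out with %00; the two at the end and all function names are my additions.

```python
from urllib.parse import urlsplit

HEX_DIGITS = set("0123456789abcdefABCDEF")


def _is_hex(s: str, n: int) -> bool:
    return len(s) == n and all(c in HEX_DIGITS for c in s)


def decode_once(s: str) -> str:
    """One decoding pass: %XX and Microsoft's %uXXXX become characters. A '%' that is not
    followed by valid hex digits is copied through unchanged, which is exactly why the
    double-percent and nibble tricks survive the first pass and resolve on the second."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "%":
            if s[i + 1:i + 2] in ("u", "U") and _is_hex(s[i + 2:i + 6], 4):
                out.append(chr(int(s[i + 2:i + 6], 16)))
                i += 6
                continue
            if _is_hex(s[i + 1:i + 3], 2):
                out.append(chr(int(s[i + 1:i + 3], 16)))
                i += 3
                continue
        out.append(s[i])
        i += 1
    return "".join(out)


def full_decode(s: str, max_rounds: int = 4):
    """Decode until the string stops changing. Returns (decoded, rounds); rounds > 1 means the
    input was encoded more than once, which is itself a strong evasion indicator."""
    rounds = 0
    while rounds < max_rounds:
        nxt = decode_once(s)
        if nxt == s:
            break
        s, rounds = nxt, rounds + 1
    return s, rounds


def analyze(value: str) -> dict:
    """Canonicalise one path or parameter value the way the target would, then flag traversal."""
    decoded, rounds = full_decode(value)
    nul = decoded.find("\x00")
    truncated = nul != -1
    if truncated:
        decoded = decoded[:nul]              # what a C string API would actually open
    path = decoded.replace("\\", "/")        # IIS accepts either separator
    traversal = ".." in path.split("/")
    return {"path": path, "rounds": rounds, "traversal": traversal, "truncated": truncated}


def scan_url(url: str) -> list:
    """Run analyze() over the URL path and every raw query value; return the suspicious ones."""
    parts = urlsplit(url)
    findings = [("path", analyze(parts.path))]
    for pair in parts.query.split("&"):      # split by hand: parse_qsl would pre-decode the values
        name, _, raw = pair.partition("=")
        findings.append((name, analyze(raw)))
    return [(where, r) for where, r in findings
            if r["traversal"] or r["truncated"] or r["rounds"] > 1]


# The first five URLs are the article's attack examples; the last two are constructed.
SAMPLE_URLS = [
    "http://server.com/scripts/%%32%65%%32%65%%32%66/Windows/System32/cmd.exe?/c+dir+c:\\",
    "http://www.victim.com/userdata.php?file=%%32e%%32e%%32f%%32e%%32e%%32f%%32e%%32e%%32fwinnt/system32/cmd.exe?/c+dir",
    "http://www.victim.com/shows.asp?view=%2%65%2%65%2%66%2%65%2%65%2%66%2%65%2%65%2%66Windows/system.ini",
    "http://www.victim.com/userdata.php?file=%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002fetc/passwd",
    "http://www.victim.com/userdata.php?file=../../../etc/passwd%00",
    "http://www.victim.com/userdata.php?file=%252e%252e%252fetc%252fpasswd",
    "http://www.victim.com/userdata.php?file=mydata.dat",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        hits = scan_url(url)
        print(url)
        print("   clean" if not hits else "\n".join(
            "   %s: rounds=%d traversal=%s nul=%s -> %s"
            % (w, r["rounds"], r["traversal"], r["truncated"], r["path"]) for w, r in hits))
```

Two design points. For detection (an IDS rule or a log scan) you decode repeatedly, as above, because you must match whatever the most permissive target would do, and a second decoding round is a finding on its own. For the application-side fix the opposite holds: decode exactly once with the framework's decoder, then reject any value that still contains "%", a NUL or a ".." segment, and only then resolve the path and check it is still under the intended directory; decoding in a loop inside the application would turn a legitimate literal "%25" into a new attack surface.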

References

http://en.wikipedia.org/wiki/Directory_traversal
http://www.imperva.com/resources/glossary/directory_traversal.html
http://www.acunetix.com/websitesecurity/directory-traversal.htm
http://www.securityfocus.com/bid/1806/exploit
http://www.owasp.org/index.php/Path_Traversal
http://www.webappsec.org/projects/threat/classes/path_traversal.shtml
http://www.mysecurecyberspace.com/encyclopedia/index/directory-traversal-attack.html
http://www.ietf.org/rfc/rfc2396.txt
http://www.cert.org/advisories/CA-2001-12.html

Thursday, December 10, 2009

QoS on Cisco ASA

This article aims to teach network administrators how to configure QoS, or Quality of Service, on the Cisco ASA. QoS is a way to make the most of the available bandwidth and to make sure that important traffic is sent ahead of other, normal or less important, traffic. We will briefly explain the supported mechanisms and give examples of how to use them.

The following are the different ways QoS can be applied on the network.

Traffic Policing:

When the total traffic exceeds a configured limit, it is usually better to monitor it, or police it. This way the bandwidth cannot be used up by a single user or program; traffic is restricted so that this cannot happen. The ASA can police traffic entering and leaving an interface. We can configure the ASA to drop or to allow the excess traffic that flows through it.

Traffic Shaping

Traffic shaping is one of the features of ASA version 7.2.4, which means it is also available in the 8.0 and 8.1 versions and their trains. With traffic shaping, traffic that exceeds the configured limit is queued first and is only sent once the traffic rate has dropped below the configured threshold. This traffic is not blocked or dropped by the ASA, which is beneficial for programs that are badly affected by packet loss.

Priority Queueing

Priority queueing can give important packets precedence when they arrive at the same time; voice is one example. The firewall is limited to Low Latency Queueing, unlike routers, which can perform more sophisticated prioritization mechanisms.

Things to Consider

1. Traffic that has already reached the ASA interface has already consumed bandwidth (so policing inbound traffic protects what sits behind the ASA, not the upstream link itself).

2. Priority queueing should be used together with policing or traffic shaping, because as long as the LLQ link is not saturated, packets are not prioritized. ASA interfaces are usually 100 Mbps, 1 Gbps or more, so congestion on them is unlikely, or happens only on rare occasions. When policing or traffic shaping is applied alongside LLQ, LLQ takes effect once the policing or shaping limit is reached.

3. If priority queueing is applied to programs running between two sites, it is advisable to apply prioritization to the traffic at both sites. If you prioritize at only one site, the return traffic can still be delayed, which means it is as if you had no prioritization at all.

Traffic Policing together with Prioritization

Suppose we have an ASA passing voice traffic through a VPN tunnel, and we want the voice traffic in that tunnel to always go first, i.e. to be prioritized. We also want to police the non-voice traffic and the other TCP traffic.

Let's say the upload bandwidth of the outside interface is 1 Mbps. We will allocate 300 Kbps to the VPN, 100 Kbps of which is reserved for voice, meaning the remaining 200 Kbps is for non-voice traffic. 500 Kbps is for TCP traffic and 200 Kbps for any other traffic not mentioned. The voice traffic in this example is marked with DSCP value EF (this is usually the default for voice).

The tunnel group name in this example is tunnel-grp1. The full VPN configuration is not included, to avoid confusion. Note that the voice class has two match statements, so a packet must match both (the tunnel group and DSCP EF) to be prioritized.

ASA(config)# priority-queue outside

ASA(config)# access-list tcp-traffic-acl permit tcp any any
ASA(config)# class-map tcp-traffic-class
ASA(config-cmap)# match access-list tcp-traffic-acl

ASA(config)# class-map TG1-voice-class
ASA(config-cmap)# match tunnel-group tunnel-grp1
ASA(config-cmap)# match dscp ef

ASA(config-cmap)# class-map TG1-rest-class
ASA(config-cmap)# match tunnel-group tunnel-grp1
ASA(config-cmap)# match flow ip destination-address

ASA(config)# policy-map police-priority-policy
ASA(config-pmap)# class tcp-traffic-class
ASA(config-pmap-c)# police output 500000
ASA(config-pmap-c)# class TG1-voice-class
ASA(config-pmap-c)# priority
ASA(config-pmap-c)# class TG1-rest-class
ASA(config-pmap-c)# police output 200000
ASA(config-pmap-c)# class class-default
ASA(config-pmap-c)# police output 200000
ASA(config-pmap-c)# service-policy police-priority-policy interface outside


Traffic Shaping together with Prioritization

Suppose we have the same ASA described above. Now we want to shape all the traffic passing through and give voice in the VPN tunnel priority. In other words, we allocate 900 Kbps for non-voice traffic and the remaining 100 Kbps is used only by voice. Voice traffic in this example is again marked with DSCP value EF (usually the default), and the tunnel group name is tunnel-grp1. The full VPN configuration is still not included.

One caveat when reading the configuration below: the shaper is applied to class-default, which matches all traffic, and the priority policy is nested inside it, so the 900 Kbps shaped rate is the total for voice and non-voice together; voice is served first from within that rate rather than getting a separate 100 Kbps on top of it.

ASA(config)# priority-queue outside

ASA(config)# class-map TG1-voice-class
ASA(config-cmap)# match tunnel-group tunnel-grp1
ASA(config-cmap)# match dscp ef

ASA(config-cmap)# policy-map priority-policy
ASA(config-pmap)# class TG1-voice-class
ASA(config-pmap-c)# priority

ASA(config-pmap-c)# policy-map shape-priority-policy
ASA(config-pmap)# class class-default
ASA(config-pmap-c)# shape average 900000
ASA(config-pmap-c)# service-policy priority-policy

ASA(config-pmap-c)# service-policy shape-priority-policy interface outside

Viewing QoS Statistics

We can use the show commands below. The outputs below are unrelated to the configuration above and are used only as examples.

For Policing:

ASA# show service-policy police

Global policy:
  Service-policy: global_fw_policy
Interface outside:
  Service-policy: qos
    Class-map: browse
      police Interface outside:
        cir 56000 bps, bc 10500 bytes
        conformed 10065 packets, 12621510 bytes; actions: transmit
        exceeded 499 packets, 625146 bytes; actions: drop
        conformed 5600 bps, exceed 5016 bps
    Class-map: cmap2
      police Interface outside:
        cir 200000 bps, bc 37500 bytes
        conformed 17179 packets, 20614800 bytes; actions: transmit
        exceeded 617 packets, 770718 bytes; actions: drop
        conformed 198785 bps, exceed 2303 bps


For Prioritization:

ASA# show service-policy priority

Global policy:
  Service-policy: global_fw_policy
Interface outside:
  Service-policy: qos
    Class-map: TG1-voice-class
      Priority:
        Interface outside: aggregate drop 0, aggregate transmit 9383


For Shaping:

ASA# show service-policy shape

Interface outside:
  Service-policy: shape
    Class-map: class-default
      Queueing
        queue limit 64 packets
        (queue depth/total drops/no-buffer drops) 0/0/0
        (pkts output/bytes output) 0/0
        shape (average) cir 2000000, bc 16000, be 16000
      Service-policy: voip
        Class-map: voip
          Queueing
            queue limit 64 packets
            (queue depth/total drops/no-buffer drops) 0/0/0
            (pkts output/bytes output) 0/0
        Class-map: class-default
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0


The example outputs used in this article are from www.cisco.com.

Saturday, December 5, 2009

In Promiscuous Mode

Since we foresee that we'll be doing a lot of research based on packets, payloads and logs from different network devices, we have dedicated a blog site to that. You can check out In Promiscuous Mode for more information.

  © Building IT Securely thesecurityarchitects.blogspot.com 2009
