Saturday, October 31, 2009

Security Services

Went through the SDM one-touch lockdown, and scanned with nmap. Also used the CLI's autosecure mechanism. Both actually work pretty nicely. Then did a brief "Services" lab where the portfolio had me disable services globally, and on an interface. Here is the code:


Router(config)#no ip finger
Router(config)#no service udp-small-servers
Router(config)#no service tcp-small-servers
Router(config)#service tcp-keepalives-in
Router(config)#service tcp-keepalives-out
Router(config)#no cdp run
Router(config)#no service pad
Router(config)#no ip bootp server
Router(config)#no ip http server
Router(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

*Mar 1 07:06:02.235: %SSH-5-ENABLED: SSH 1.99 has been enabled

Router(config)#no ip source-route
Router(config)#no ip gratuitous-arps
Router(config)#int fa0/0
Router(config-if)#no ip redirects
Router(config-if)#no ip proxy-arp
Router(config-if)#no ip unreachables
Router(config-if)#no ip directed-broadcast
Router(config-if)#no ip mask-reply
Router(config-if)#no mop enabled


Read about what each of these items was in the book. Hopefully I can use this page as notes later to quiz myself. LAB 5-3 ISCW portfolio

Friday, October 30, 2009

IPSEC VTI (virtual tunnel interface)



So imagine R2 in the middle there is the ISP, and the two bottom routers...we will call them R1 and R2 are the customer.  They both have an internet connection, but they also have a leased line in between them for internal communications.  Basically this IPSEC VTI we are going to use is an encrypted tunnel over the internet that is used ONLY IF the leased line is down for some reason.  It is a brilliant idea really, and worked quite flawlessly.  Basically just set up a regular isakmp and ipsec profiles/transform-sets.  I then, instead of creating a crypto map, created a crypto profile, and then a modified tunnel interface config.  It went something like this:


R1(config)#crypto ipsec profile myprofile
R1(ipsec-profile)#set transform-set mytrans

R1(config)#int tunnel 0
R1(config-if)#ip address 172.16.113.1 255.255.255.0
R1(config-if)#tunnel source serial 0/0
R1(config-if)#tunnel destination 192.168.23.3
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile myprofile


So, the preferred path to the loopback off of R3 learned via eigrp, was over the leased line (obviously because of the lower bandwidth and delay value for the ethernet connection).  But when the ethernet interface was severed, eigrp recalculated and inserted the feasible successor into the routing table with the path over the encrypted tunnel.  Brilliant!

Wednesday, October 28, 2009

Securing MGMT Protocols, IPS, Cisco Firewall

Got to be honest, didn't take really good notes here.  I have seen this stuff before, and basically just played along on my home router while watching the videos.  I REALLY need to get caught up on my reading.  I have been slacking on that the past couple of days.  I may hash out some labs to do tomorrow night, and try to read some during the day tomorrow at work.  We will see.  I did learn that there can be in-band and out-of-band management networks.  Out-of-band is completely segregated from the production network.  I personally work in an in-band mgmt network.  It is integrated into our day-to-day production network.  The differences between the two were pretty interesting, and Jeremy even spoke of putting the different servers into a private vlan to segregate them even within their parent vlan.  We spoke about ssh, and how enabling it requires a host and domain name.  You can specify timeout and authentication parameters by saying:
ip ssh timeout [#] //idle logon timeout value
ip ssh authentication-retries [#] //specifies how many times a person can attempt continuous logons

LOGGING
logging buffered [level]
logging [ip]
logging trap [level]
logging origin-id hostname \\specifies a hostname instead of ip address
logging facility [type] \\specifies another virtual log table for organizational efforts

SNMP
snmp-server community [word] [ro/rw] [acl]
snmp-server engineID [word]
snmp-server group [word] v3 [authentication]
snmp-server user [word] [group] v3 ...

NTP
ntp server [ip]
show ntp associations
ntp master [stratum number]
ntp authentication-key [#] [word]
ntp peer [ip] key [#]
ntp trusted-key [#]

IP INSPECT
show ip inspect sessions
ip inspect [word] [rule] [option]
(config-if)ip inspect [word] in/out

IPS
Actions of IPS
  1. alarm
  2. drop
  3. reset
Configuring
  1. Download/install sdf file
  2. create ips rule
  3. adjust ips settings
  4. apply to interface
  5. configure logging (SDEE, security device event exchange)
(no) ip ips sdf builtin
ip ips sdf location flash://[file]
ip ips name [word] [acl]
ip ips signature [#]
(config-if)ip ips [name] in/out
ip ips notify [log, sdee]


Sorry so brief.....need the post for notes!

Monday, October 26, 2009

Random Security Measures

security passwords min-length [0-16] \\sets a minimum password length for all future passwords
no service password-recovery \\very dangerous...you can't recover passwords or ios's after this point
security authentication failure rate [#] log \\locks user out for x seconds if failed login x times
login block-for [seconds] attempts [#] within [seconds] \\blocks a user for x seconds after x attempts within x seconds...
login quiet-mode access-class [name] \\if login is blocked...this sets an acl that still allows groups of users access
login delay [#] \\sets a delay after a failed login
login on-failure log \\logs login failures after # attempts
show login
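A small model of the login block-for / quiet-mode access-class behaviour listed above, added here as an example (it is not IOS code and not from the post); the thresholds, timestamps and addresses are constructed, and `login delay` is not modelled.

```python
from ipaddress import ip_address, ip_network

class LoginGuard:
    """login block-for BLOCK_FOR attempts ATTEMPTS within WITHIN, plus login quiet-mode access-class."""
    def __init__(self, block_for, attempts, within, quiet_acl=()):
        self.block_for, self.attempts, self.within = block_for, attempts, within
        self.quiet_acl = [ip_network(n) for n in quiet_acl]  # sources still allowed in quiet mode
        self.failures = []       # timestamps of failed logins (router-wide, as IOS counts them)
        self.quiet_until = None  # end of the quiet period, or None when in normal mode

    def _acl_permits(self, src):
        return any(ip_address(src) in net for net in self.quiet_acl)

    def attempt(self, src, password_ok, now):
        """Return 'accepted', 'rejected' or 'quiet' for one login attempt at time `now` (seconds)."""
        if self.quiet_until is not None and now < self.quiet_until:
            if not self._acl_permits(src):
                return "quiet"                         # blocked: not in the quiet-mode ACL
        elif self.quiet_until is not None:
            self.quiet_until, self.failures = None, []  # quiet period expired: back to normal
        if password_ok:
            return "accepted"
        # keep only failures inside the sliding window, then add this one
        self.failures = [t for t in self.failures if now - t < self.within] + [now]
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for    # threshold reached: enter quiet mode
        return "rejected"

def demo():
    """Constructed sequence: login block-for 120 attempts 3 within 60, mgmt subnet exempted."""
    g = LoginGuard(block_for=120, attempts=3, within=60, quiet_acl=["10.1.1.0/24"])
    return [g.attempt("203.0.113.9", False, 0),
            g.attempt("203.0.113.9", False, 10),
            g.attempt("203.0.113.9", False, 20),   # 3rd failure within 60 s -> quiet mode
            g.attempt("203.0.113.9", True, 30),    # right password, but router is quiet
            g.attempt("10.1.1.5", True, 30),       # mgmt subnet passes the quiet-mode ACL
            g.attempt("203.0.113.9", True, 200)]   # 120 s elapsed, normal mode again
```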

motd options ( $(line)  $(domain)   $(hostname) )

ENABLING VIEWS
aaa new-model \\enable aaa
enable view (enter secret password at prompt)
parser view [name]
secret [password]
(configure options)

secure boot-image \\locks ios image
secure boot-config \\locks config file
no secure [option] \\requires console access

reload in [minutes]  \\good if entering say access lists on a remote router
reload cancel

ACL TYPES
standard
extended
dynamic
established
time-based
context based

cool command of the day
ip access-list resequence [name/num] [start num] [increment]

time-range [name]
absolute/periodic

Sunday, October 25, 2009

P2P IPSEC CLI Config & Automatic Device Lockdown Methods

Did the point to point ipsec cli config tonight.  I covered it in another post, but had some trouble tonight right off of the bat.  I think it was because I manually deleted yesterday's config instead of wiping my routers clean.  Something must have messed up today's config...but I wr erased, reloaded, and re-config'd and all was well in the world of ipsec tunnels.

I also watched the nuggets regarding cisco's auto secure, sdm one-touch, and step-by-step security audits.  Now, I had known about the sdm's functionality, but the auto secure is pretty neat as well.  Basically just type:
# auto secure
and follow the prompts.  Pretty good stuff!

Saturday, October 24, 2009

GRE Tunnel....Experimenting with different routing instances






This was my diagram.  I started by assigning ip addresses to all links, and loopbacks on the spoke routers.  I ran eigrp as 1 over all the connected links, and did not advertise the loopbacks.  Then configured the GRE tunnels as follows (I give you one...the other is a mirror):

int tunnel 0
tunnel source serial 0/0
tunnel destination 192.168.23.3
ip address 172.16.13.1 255.255.255.0

After configuring the other side I tested with pings to the other tunnel interface....success.

Then I configured eigrp as 2, and advertised those loopbacks, and the tunnel interfaces (which happened to all be covered by the network statement 172.16.0.0).  A show ip eigrp neighbors 2 confirmed the adjacency, and a show ip route eigrp 2 confirmed the updated routes.  I can see how this could be useful over a public link, and especially encrypted within an IPSEC tunnel.

I also did the P2P IPSEC SDM config tonight.  Not as much fun as the CLI....not at all.  But the SPAN setup was cool, and capturing...actually seeing the encrypted data was really neat.

Friday, October 23, 2009

Cisco's EasyVPN Server SDM Setup & KISS

Went through the cert guide's chapter on easy vpn server setup, and IPSEC failover.  Probably need to read the IPSEC failover chapter again, but I got the gist of it.  The easy vpn server stuff in the book was VERY vague, but the nuggets covered it well, and I worked along with my local router and SDM.  Split tunneling was a misunderstood issue for me, but now it makes sense.  Basically allowing a user to split the tunnel; the admin can say WHAT is secured through the tunnel, and what is still accessed via the user's local lan.  Cool feature that can be supported via ACL's.

Then KISS, or keeping it simply secure....ha Here are the common security vulnerabilities described in the nugs...
  1. Physical
  2. Environmental/Maintenance
  3. Reconnaissance (sniffers, sweepers, scanners)
  4. Access attacks
  5. DOS
  6. Viruses/Worms/Trojans
  7. Management protocol attacks (telnet, ssh, syslog, snmp, tftp, ntp, etc..)
He discussed both the attacks, and mitigation techniques.  I should be able to remember these...we will see!

Thursday, October 22, 2009

IPSEC, SDM, GRE over IPSEC...or vice-versa!

So I actually read about 2 more chapters in the Official Exam Cert Guide today, and watched two nuggets.  I reinforced what I learned last night about IPSEC tunnel CLI configuration on GNS3 at work today.  I actually configured everything from memory, and got it correct the first time!  Again the order is:
  1. Configure ISAKMP SA (P1)
  2. Configure IPSEC SA (P2)
  3. Define interesting traffic via extended ACL
  4. Configure Crypto map
  5. Bind crypto map to interface
  6. (Configure NAT ACL as necessary)
So I was actually pretty proud of that, and everything made perfect sense as I was configuring it.  So today I finished up the IPSEC chapters in the book, and watched the SDM IPSEC Tunnel config, and the GRE/IPSEC videos.  Basic GRE tunnel is as follows:

int tunnel [number]
ip address [ip] [netmask]
tunnel source [int type][num]
tunnel destination [ip]
tunnel mode [type][type] //default is gre ip

So GRE is great in that it can transport routing protocols, which IPSEC cannot do.  However it is inherently insecure, and so IPSEC over GRE is a great option.  GRE adds about 24 bytes to the header, and has an additional 12 bytes it can add as well as optional attributes.  Some of the newer IOS versions do allow the passing of multicast traffic through an IPSEC tunnel.  I will be configuring an IPSEC/GRE tunnel via cli later, but tonight was over the SDM config of the tunnel.  Good stuff, can't wait to dive into the labs for these sections.
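To see where the 24 bytes and the optional 12 bytes come from, here is an added GRE header parser (RFC 2784/2890; not code from the post): 20 bytes of outer IPv4 plus the 4-byte base GRE header, then up to 4 bytes each for checksum, key and sequence number. The sample packet is constructed.

```python
import struct

OUTER_IPV4_LEN = 20   # "about 24 bytes" = 20-byte outer IPv4 header + 4-byte base GRE header

def ones_complement_sum(data):
    """RFC 1071 checksum over data, as used by the optional GRE checksum field."""
    data = bytes(data) + (b"\x00" if len(data) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_gre(pkt):
    """Describe the GRE header at the start of pkt (GRE header + payload, outer IP already stripped)."""
    flags, proto = struct.unpack("!HH", pkt[:4])
    has_c, has_k, has_s = bool(flags & 0x8000), bool(flags & 0x2000), bool(flags & 0x1000)
    if flags & 0x7:
        raise ValueError("not RFC 2784 GRE (version %d)" % (flags & 0x7))  # PPTP uses version 1
    off, hdr = 4, {"protocol": proto}
    if has_c:                                      # 2-byte checksum + 2 reserved bytes
        hdr["checksum"] = struct.unpack("!H", pkt[4:6])[0]
        off += 4
    if has_k:                                      # 4-byte key (`tunnel key` on IOS)
        hdr["key"] = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if has_s:                                      # 4-byte sequence number
        hdr["sequence"] = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    hdr["header_len"] = off                        # 4 base + up to 12 optional bytes
    hdr["overhead_with_outer_ipv4"] = OUTER_IPV4_LEN + off
    if has_c:                                      # checksum covers header + payload, field zeroed
        hdr["checksum_ok"] = ones_complement_sum(pkt[:4] + b"\x00\x00" + pkt[6:]) == hdr["checksum"]
    hdr["payload"] = pkt[off:]
    return hdr

def build_gre(payload, proto=0x0800, key=None, seq=None, checksum=False):
    """Build a GRE packet; used here only to construct sample input for the parser."""
    flags = (0x8000 if checksum else 0) | (0x2000 if key is not None else 0) | (0x1000 if seq is not None else 0)
    hdr = struct.pack("!HH", flags, proto) + (b"\x00" * 4 if checksum else b"")
    hdr += struct.pack("!I", key) if key is not None else b""
    hdr += struct.pack("!I", seq) if seq is not None else b""
    if checksum:
        hdr = hdr[:4] + struct.pack("!H", ones_complement_sum(hdr + payload)) + hdr[6:]
    return hdr + payload

# Constructed sample: an IPv4 payload stub with key, sequence number and checksum all enabled.
SAMPLE = build_gre(b"\x45\x00\x00\x14" + b"\x00" * 16, key=0x1234, seq=7, checksum=True)
```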

Wednesday, October 21, 2009

Site 2 Site IPSEC Tunnel CLI Config

Well, IPSEC tunnels tonight guys and gals!  There are five increments that a router goes through in regards to IPSEC tunnels:
  1. Define interesting traffic
  2. IKE Phase 1 ISAKMP SA
  3. IKE Phase 2 IPSEC SA
  4. Data is transmitted through IPSEC tunnel
  5. Tunnel is torn down
The steps to get this thing going in the CLI are as follows:

SET ISAKMP POLICY
crypto isakmp policy [policy number (lowest to highest)]
authentication [pre-share, rsa, etc...]
encryption [aes, des, 3des]
group [1, 2, 5] \\defines DH group
hash [sha, md5]
lifetime [0-86400] \\default is 24 hours or 86400
crypto isakmp key 0 [word] address [ip] [no-xauth]

SET IPSEC TRANSFORM SET
crypto ipsec transform-set [word] [encryption] [authentication]

DEFINE INTERESTING TRAFFIC
ip access-l ext 101
permit ip [source] [destination]

SET CRYPTO MAP
crypto map [word] [sequence num] [ipsec-isakmp]
set peer [ip address]
set transform-set [t-set]
match address [access-list]

APPLY CRYPTO MAP TO INTERFACE
crypto map [name]

IF NATTING!!!!
\\deny source-destination in nat access-list

show crypto isakmp sa
show crypto ipsec sa

Tuesday, October 20, 2009

MPLS wrap-up & IPSEC Intro.

Well I finished up MPLS today by finishing the rest of my reading, looking over weak areas, and doing shows and debugs from my already constructed labs. Trying to explain everything to another guy on the networking team felt like it helped my understanding out as well. We looked through the MPLS VPN lab, and traced labels throughout the topology, and also verified them against the routes in the routing tables (both the main routing table, and the vrf's). Very much worth the time! Also, by chance, learned that the command show ip protocols vrf [name] had a lot of pertinent information in it...especially regarding redistributed protocols/AS's as well as neighbors.

Then I watched the nuggets regarding IPSEC introduction.  Much of it a review for me at this point, but still learned some good stuff.  IPSEC attempts to achieve:
  1. Authentication
  2. Data Integrity (SHA1 -{160 bit}, MD5 {128 bit}, etc...)
  3. Confidentiality (DES, 3DES, AES, RSA)
  4. Anti-replay
These are negotiated via IKE (internet key exchange)

There are 2 IPSEC modes:
Transparent and Tunnel

Symmetric encryption == both ends have the same keys (DES, 3DES, AES)
Asymmetric encryption == public/private keys (RSA, DH)

IPSEC is a "protocol suite"

Monday, October 19, 2009

MPLS

So...I am trying to MASTER the MPLS portion of the ISCW before moving on to the next topic.  I have spent about 3 days on it thus far, and will probably give it through tomorrow.  I have read all the MPLS chapters in the ISCW Authorized Self Study guide, watched the nuggets, and completed the labs in the portfolio.  Man, I really don't even know where to begin...there is soooo much with MPLS, and only a portion of it is even covered by this exam.  I do however feel that my knowledge on the matter is growing, and it is something that piques my interest.  Let's go over the labs first:

4-1 Frame Mode MPLS
Diagram (sorry!):
[R1]----------[R2]----------[R3]

Easy enough!  Started by configuring loopbacks and serial IP's to the interfaces.  I then ran eigrp on the interfaces and advertised all loopbacks and serials.  Ensured end-to-end connectivity by pinging from R1's loopback to R3's loopback interfaces, checking routing tables, and show ip eigrp commands.  Then configured MPLS as follows:
(config) ip cef  \\enabled cisco express forwarding
(config-if) mpls ip \\enabled mpls on all mpls interfaces
(config-if) mpls label protocol ldp \\set ldp as the label distro. protocol
(config-if) mpls mtu 1512 \\set the mtu to 12 > than 1500 to accommodate 3 X 4 byte labels

Verified with:

show mpls ldp bindings
show mpls forwarding-table
show mpls interfaces [type] [number] [detail]
This was a basic frame mode mpls configuration.  As you can tell this is done over ethernet, thus the "frame" mode.  This is opposed to mpls over atm; which is known as mpls cell mode.

The next lab was a bit more challenging....guess that's why it is called the "challenge" lab.
Lab 4-2 MPLS VPN's
[HQ]-------[SP1]-------[SP2]--------[SP3]---------[Branch]

This is hard to even explain....
  1. Set up interfaces with loopbacks, ip's, etc...
  2. Configured ospf over service provider network
  3. configured MPLS in SP domain
  4. Configured a virtual routing and forwarding table for the "customer"
    1. ip vrf "name"
    2. rd 100:1  \\route distinguisher...unique for each "customer"
    3. route-target both 1:100  \\will help if the customer uses multiple vpn's
    4. (config-if) ip vrf forwarding "name"  \\do this on the customer facing interface
      1. Verify with ping vrf "name" [ip]
  5. Configured eigrp AS 1 on both customer routers advertising networks
  6. Configured eigrp AS 100 on PE routers SP1 and 3 and then set up the ipv4 vrf
    1. address-family ipv4 vrf customer
    2. autonomous-system 1  \\customers as
    3. no auto
    4. network [ip]
      1. Verify with show ip route vrf "name"
  7. BGP setup on PE routers SP1 and SP3
    1. router bgp as
    2. neighbor [ip] remote-as [as]
    3. neighbor [ip] update-source loop0
    4. address-family vpnv4
    5. neighbor [ip] activate
    6. neighbor [ip] send-community both
    7. exit
    8. address-family ipv4 vrf customer
    9. redistribute eigrp 1
  8. Redistribute bgp routes into eigrp
    1. address-family ipv4 vrf customer
    2. redistribute bgp [as] metric 64 1000 255 1 1500

And done....that one was a real brainwasher. Made me re-evaluate everything I thought that I knew about MPLS. Like I said...I will do some re-study tomm. and probably move on to the next topic by Wednesday.

Friday, October 16, 2009

MPLS

LSR - Label Switch Router
LIB - Label Information Base
LFIB (Action table) - Label Forwarding Information Base
PE - Provider Edge
LDP - Label Distribution Protocol
VRF - Virtual Routing and Forwarding

Placing the label = "Pushing" the label
Removing the label = "Popping" the label

Control Plane - L3 routing exists here, label exchanging protocols LDP operates here
Data Plane -  "Forwarding plane", send data at L2/L3, and does the label swapping

I'm tired....


MPLS FRAME MODE CONFIGURATION...
(config) ip cef
(config-if) mpls ip
(config-if)mpls label protocol ldp
(config-if)mpls mtu 1512

show mpls ldp neighbor
show mpls ldp bindings
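The push/swap/pop actions and the LFIB from the notes above, plus the mpls mtu 1512 math from the Oct 19 frame-mode lab, walked through in an added example (not code from the post); the four-LSR path and its label tables are constructed so that all three actions appear.

```python
from ipaddress import ip_address, ip_network

IMPLICIT_NULL = 3   # label 3 advertised by an egress LSR: "pop before sending to me" (PHP)
LABEL_LEN = 4       # one shim label is 4 bytes

# Constructed tables for a path R1-R2-R3-R4 with R1 as ingress and R4 as egress.
# FIB: FEC prefix -> (next hop, label to push); LFIB: incoming label -> (next hop, outgoing label)
FIB = {"R1": {ip_network("10.4.4.0/24"): ("R2", 18)}}
LFIB = {"R2": {18: ("R3", 24)}, "R3": {24: ("R4", IMPLICIT_NULL)}, "R4": {}}

def forward(router, dst, labels):
    """One hop of forwarding. labels[0] is the top of stack. Returns (next hop, new stack, action)."""
    if labels:                                   # labelled packet: LFIB lookup on the top label
        nh, out = LFIB[router][labels[0]]
        if out == IMPLICIT_NULL:
            return nh, labels[1:], "pop"         # penultimate-hop popping
        return nh, [out] + labels[1:], "swap"
    for fec, (nh, out) in FIB.get(router, {}).items():   # unlabelled: FIB lookup by FEC
        if ip_address(dst) in fec:
            return nh, [out] + labels, "push"    # ingress LSR imposes the label
    return None, labels, "deliver"               # egress: plain IP routing from here

def trace(dst, start="R1"):
    """Hop-by-hop list of (router, action, label stack after the action)."""
    router, labels, path = start, [], []
    while router is not None:
        nh, labels, action = forward(router, dst, labels)
        path.append((router, action, list(labels)))
        router = nh
    return path

def max_label_depth(mpls_mtu, ip_mtu=1500):
    """Labels that fit without fragmenting a full-size IP packet: mpls mtu 1512 -> 3."""
    return (mpls_mtu - ip_mtu) // LABEL_LEN
```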


Route Distinguisher - 64 bit tag prepended to IPv4 address and routes that works to identify a particular customer (i.e. "customer1", "cust23")
Route Target - allows a customer to belong to multiple vpns....need to look more into this...
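The 64-bit RD and the route-target community as MP-BGP actually carries them (RFC 4364), in an added example that is not from the post; it shows why two customers can both use 10.1.1.0/24 behind the same PE. The RD/RT values match the lab (100:1, 1:100); the overlapping prefixes are constructed.

```python
import struct
from ipaddress import ip_address, ip_network

def encode_rd(text):
    """'100:1' -> type-0 RD (2-byte ASN : 4-byte value); 'a.b.c.d:n' -> type-1 RD (IPv4 : 2-byte value)."""
    admin, value = text.rsplit(":", 1)
    if admin.isdigit():
        return struct.pack("!HHI", 0, int(admin), int(value))
    return struct.pack("!H4sH", 1, ip_address(admin).packed, int(value))

def decode_rd(raw):
    """Inverse of encode_rd for the two RD types above."""
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type == 0:
        asn, val = struct.unpack("!HI", raw[2:])
        return "%d:%d" % (asn, val)
    if rd_type == 1:
        ip, val = struct.unpack("!4sH", raw[2:])
        return "%s:%d" % (ip_address(ip), val)
    raise ValueError("unsupported RD type %d" % rd_type)

def vpnv4_prefix(rd_text, prefix_text):
    """RD + IPv4 prefix, the 96-bit key in the VPNv4 address family; returns (bytes, prefix length)."""
    net = ip_network(prefix_text)
    return encode_rd(rd_text) + net.network_address.packed, 64 + net.prefixlen

def route_target(text):
    """'1:100' -> transitive two-octet-AS route-target extended community (type 0x00, subtype 0x02)."""
    asn, val = text.split(":")
    return struct.pack("!BBHI", 0x00, 0x02, int(asn), int(val))

def demo():
    """Constructed: two customers on the same PE both announce 10.1.1.0/24."""
    cust1 = vpnv4_prefix("100:1", "10.1.1.0/24")
    cust2 = vpnv4_prefix("100:2", "10.1.1.0/24")
    return cust1, cust2   # same IPv4 prefix, different VPNv4 routes
```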

Good night...I'm exhausted from work and study and family

Thursday, October 15, 2009

ISCW Chapters 1, 2, 3

I went with the official exam certification guide again for this exam.  I have officially conquered chapters 1, 2, and 3...which I have to say were boring as shit.  All about SONA, IIN, and  cable/dsl technologies.   I also watched the Nugget vids on the topics as well, which in fact, cheered me up a bit about it all.  Also, went through a basic PPPoE config that went as follows:

int dialer [#] - (1-255) Creates the virtual dialer interface
ip address negotiation (negotiates with carrier for ip address)
encapsulation ppp (designates encap type)
ip mtu 1492 (interestingly enough ethernet is 1500, but dsl adds an 8 byte header...this proves more efficient)
ip nat outside (do it here rather than the physical interface)
ppp authentication [pap/chap] callin (the "callin" ensures that you are not authenticating the ISP)
ppp [pap/chap] sent-username [word] password [word]
dialer pool [#] - assign everything to a pool that you can reference on the physical interface
interface [physical wan connection]
pppoe enable
pppoe-client dial-pool-number [# from above dialer pool callout]
debug pppoe events
debug ppp authentication
show pppoe session

And that was pretty much it...except for the rest of the internal NAT stuff that remains to be completed.  Showed some good debug output in the videos, and hopefully this stuff will sink in...I will start labbing in about 1 week I think. 

Monday, October 12, 2009

The Great ISCW Race!

Well I started tonight on the adventures of the ISCW.  Due to the pending changes in the CCNP curriculum, looks like I have to finish by March 2010 with the ONT/ISCW combo.  Shouldn't be really difficult..but we will see.  I will post more tomorrow now that my introductory nuggets are done!

Saturday, October 10, 2009

ISCW

Update:  I did pass the BCMSN and am going to start the ISCW on Monday.  More posts to follow...go CCNP!