An Engineer by Heart !!! A Dreamer, A Pioneer, A Blogger. A Network Engineer Trying to overtake the world with his network engineering skills :) Opinions expressed here are solely my own and do not express the views or opinions of my Present or Past employer.
Thursday, May 28, 2009
Thursday, May 21, 2009
Wednesday, May 20, 2009
Narbik's Bootcamp In India This Year
CCIE#12410 (R&S, SP, Security) CCSI# 30832
Narbik has over 30 years of experience in the industry. Narbik has designed, implemented and supported numerous enterprise networks. Some of the companies that Narbik has worked for are IBM, Carlton United Breweries, Australian cable and wireless, BP, and in US, 20th Century Ins., Home Saving of America, Verizon, TTI, Trinet Inc, and many more. Narbik has been a dedicated CCIE instructor for over 10 years.
http://www.micronicstraining.com/ccie-routing-switching-lab.html
IPSEC Basics
protection between multiple crypto peers engaging in secure data transfer. IPsec includes the Internet Security Association and Key Management Protocol (ISAKMP)/Oakley and two IPsec IP protocols: Encapsulating Security Payload (ESP) and Authentication Header (AH).
IPsec uses symmetric encryption algorithms for data protection. Symmetric encryption algorithms are more efficient and easier to implement in hardware, but they need a secure method of key exchange to ensure data protection. The Internet Key Exchange (IKE) ISAKMP/Oakley protocols provide this capability.
This solution requires a standards-based way to secure data from eavesdropping and modification, and IPsec provides such a method. IPsec provides a choice of transform sets so that a user can choose the strength of their data protection. IPsec also offers several Hashed Message Authentication Codes (HMAC) from which to choose, each giving a different level of protection against attacks such as man-in-the-middle, packet replay (anti-replay), and data-integrity attacks.
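As an added example (not part of the original post), here is how the pieces named above map onto an IOS site-to-site configuration: an ISAKMP policy for IKE key exchange, a pre-shared key for peer authentication, a transform set choosing ESP with AES for confidentiality and an HMAC for integrity, and an enlarged anti-replay window. The peer address 203.0.113.2, the 10.x networks, interface names and the placeholder pre-shared key are assumptions; the sha256 hash, esp-sha256-hmac and DH group 14 assume a 15.x image (older 12.4 images offer sha, esp-sha-hmac and group 5).

```cisco
! Added example: IOS site-to-site IPsec with IKEv1 (ISAKMP/Oakley).
! Addresses, names and the pre-shared key below are assumed placeholders.
!
! Phase 1 (IKE): how the peers authenticate and agree on keys.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key CHANGE-ME-PSK address 203.0.113.2
!
! Phase 2 (IPsec): the transform set is the "strength of data protection" choice.
! esp-aes 256 gives confidentiality, esp-sha256-hmac gives the HMAC integrity check.
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Anti-replay: widen the sequence-number window so that reordering on a busy
! link does not trigger false replay drops (default is 64 packets).
crypto ipsec security-association replay window-size 1024
!
! Interesting traffic: only these flows are protected by the tunnel.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map CM-SITE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES-SHA
 set pfs group14
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map CM-SITE
```

Verify the result with show crypto isakmp sa (phase 1 state) and show crypto ipsec sa, whose "#pkts replay failed" counter is where anti-replay drops appear.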
Best Regards,
Deepak Arora
Tuesday, May 19, 2009
Zone-Based Policy Firewall (ZFW)
Cisco IOS® Software Release 12.4(6)T introduced Zone-Based Policy Firewall (ZFW), a new configuration model for the Cisco IOS Firewall feature set. This new configuration model offers intuitive policies for multiple-interface routers, increased granularity of firewall policy application, and a default deny-all policy that prohibits traffic between firewall security zones until an explicit policy is applied to allow desirable traffic.
Nearly all classic Cisco IOS Firewall features implemented before Cisco IOS Software Release 12.4(6)T are supported in the new zone-based policy inspection interface:
- Stateful packet inspection
- VRF-aware Cisco IOS Firewall
- URL filtering
- Denial-of-Service (DoS) mitigation
Cisco IOS Software Release 12.4(9)T added ZFW support for per-class session/connection and throughput limits, as well as application inspection and control:
- HTTP
- Post Office Protocol (POP3), Internet Mail Access Protocol (IMAP), Simple Mail Transfer Protocol/Enhanced Simple Mail Transfer Protocol (SMTP/ESMTP)
- Sun Remote Procedure Call (RPC)
- Instant Messaging (IM) applications:
  - Microsoft Messenger
  - Yahoo! Messenger
  - AOL Instant Messenger
- Peer-to-Peer (P2P) File Sharing:
  - Bittorrent
  - KaZaA
  - Gnutella
  - eDonkey
Cisco IOS Software Release 12.4(11)T added statistics for easier DoS protection tuning.
Some Cisco IOS Classic Firewall features and capabilities are not yet supported in a ZFW in Cisco IOS Software Release 12.4(15)T:
- Authentication proxy
- Stateful firewall failover
- Unified firewall MIB
- IPv6 stateful inspection
- TCP out-of-order support
ZFW generally improves Cisco IOS performance for most firewall inspection activities.
Neither Cisco IOS ZFW nor Classic Firewall includes stateful inspection support for multicast traffic.
Best Regards,
Deepak Arora
Monday, May 18, 2009
Some more ARP details
Proxy ARP: when a router routes between different networks, it answers an ARP request for a host on another network with the MAC address of its own receiving interface, without forwarding the broadcast, since ARP is based on broadcast.
ARP headers do not contain any information on higher-layer protocols such as TCP, UDP or IP headers, so ARP basically cannot be read by devices that look only for IP headers.
Friday, May 15, 2009
ASA Order of Operation
- Virtual Firewall Classification
- Layer 2 validation
- Layer 3 validation
- IP packet security checks
- Fragmented IP traffic handling
- INPUT L2 ACL - Unlike L3/4 ACL, L2 ACL is per packet
- Packet capture
- Flow look-up - If Fails, Continue; If Success, jump to Input QoS
- Additional packet security checks
- NAT untranslate
- RPF Checks
- Input Route lookup
- Additional packet security checks (thru the box only)
- Crypto checks
- ACL Check
- WCCP Redirection
- TCP Intercept
- IP Options permit check
- Validate IPSec SPI
- Flow Creation
- Global Classification
- Input QOS
- IPSec Tunnel Processing
- TCP Intercept Processing
- TCP Security Engine
- IP Option Processing
- NP Inspect Engine Processing (ICMP/DNS/RTP/RTCP)
- DNS Guard
- Pinhole Processing
- Multicast processing
- CSC Module Processing (optional)
- Inspection Engine Processing/AAA punts/IPsec over TCP punts
- IPSec NAT-T Processing
- Decrypt
- Address Update and Checksum Adjustments
- TCP Security Engine
- IPS - AIP Module processing (optional)
- Adjacency Look-up if necessary
- Output QOS
- Encrypt
- Fragment
- Output Capture
- Output L2 ACL
- Queue processing and Transmit
ASA & PIX Quick Learning Modules
http://www.cisco.com/E-Learning/bulk/public/celc/Cisco_QLM10_ASA_beta/course_skin.html
Best Regards,
Deepak Arora
Thursday, May 14, 2009
Embedded Event Manager (EEM) Scripting Community
EEM is a flexible system designed to customize IOS & NX-OS
Automate tasks, perform minor enhancements and create workarounds. Develop and run scripts in your own environment, program your own custom actions using Tcl and share your scripts with others by uploading them here. Download examples and useful scripts submitted by others for customization and use in your environment
http://forums.cisco.com/eforum/servlet/EEM?page=main
Best Regards,
Deepak Arora
Login Password Retry Lockout
The Login Password Retry Lockout feature allows system administrators to lock out a local AAA user account after a configured number of unsuccessful attempts by the user to log in using the username that corresponds to the AAA user account. A locked-out user cannot successfully log in again until the user account is unlocked by the administrator.
A system message is generated when a user is either locked by the system or unlocked by the system administrator. The following is an example of such a system message:
%AAA-5-USER_LOCKED: User user1 locked out on authentication failure.
The system administrator cannot be locked out.
To configure Login Password Retry Lockout, perform the following steps:
1. enable
2. configure terminal
3. username name [privilege level] password encryption-type password
4. aaa new-model
5. aaa local authentication attempts max-fail number-of-unsuccessful-attempts
6. aaa authentication login default method
Router (config)# username user1 privilege 15 password 0 cisco
Router (config)# aaa new-model
Router (config)# aaa local authentication attempts max-fail 3
Router (config)# aaa authentication login default local
To unlock the locked-out user, perform the following steps
clear aaa local user lockout {username username | all}
Example: Router# clear aaa local user lockout username user1
Important Show Command - show aaa local user locked
Best Regards,
Deepak Arora
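As an added example that ties the EEM post above to this one (it is not code from either post or from the Cisco EEM community), here is an EEM applet that watches for the %AAA-5-USER_LOCKED message and turns a lockout into an operator alert. The applet name and the wording of the warning are my own choices; $_syslog_msg and $_cli_result are EEM built-in variables.

```cisco
! Added example: EEM applet reacting to the AAA lockout syslog message.
! Applet name and alert text are assumed; the syslog pattern is the message
! shown in the post above.
event manager applet AAA-LOCKOUT-ALERT
 event syslog pattern "%AAA-5-USER_LOCKED"
 ! Enter enable mode so the show command below is accepted.
 action 1.0 cli command "enable"
 ! Capture the current lockout table; output lands in $_cli_result.
 action 2.0 cli command "show aaa local user locked"
 ! Re-emit a higher-priority summary so a syslog collector can alert on it.
 action 3.0 syslog priority warnings msg "Local AAA lockout: $_syslog_msg"
 ! Keep the lockout table in the local history for the on-call engineer.
 action 4.0 syslog priority informational msg "Locked users: $_cli_result"
```

Repeated lockouts of the same account within a short window are worth alerting on separately: they usually mean a password-guessing source rather than a forgetful user, and the account should stay locked until that source is identified.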
Wednesday, May 13, 2009
Enhanced Password Security
In order to store a user password as an MD5 hash, issue the username secret global configuration command:
!
username name secret password
!
Order Of Operation While Configuring CBAC & NAT Together
For inside-to-outside traffic, perform these steps:
- Check input ACL.
- Perform NAT inside to outside.
- Check output ACL.
For outside-to-inside traffic, perform these steps:
- Check input ACL.
- Perform NAT outside to inside.
- Check output ACL.
For filtering inside-to-outside traffic on the inside interface, the inside hosts should be specified by their actual IP addresses.
Similarly, for filtering outside-to-inside traffic on the outside interface, the inside hosts should be specified by their translated addresses (inside global).
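As an added example (not from the original post), here is a CBAC configuration that follows the order of operation above and shows which address each ACL must reference. The interface names and the addresses (inside host 10.1.1.10 published as 203.0.113.10) are assumed, documentation-range values.

```cisco
! Added example: CBAC with static NAT. Addresses and interface names are assumed.
!
! Inspection rule: track outbound TCP/UDP sessions and open return pinholes.
ip inspect name CBAC tcp
ip inspect name CBAC udp
!
! Inside host 10.1.1.10 (inside local) is published as 203.0.113.10 (inside global).
ip nat inside source static 10.1.1.10 203.0.113.10
!
! Inside interface, inbound: the input ACL runs BEFORE NAT inside-to-outside,
! so inside hosts are matched by their real (inside local) addresses.
ip access-list extended INSIDE-IN
 permit tcp host 10.1.1.10 any eq 80
 permit tcp host 10.1.1.10 any eq 443
 permit udp 10.1.1.0 0.0.0.255 any eq 53
 deny ip any any log
!
! Outside interface, inbound: the input ACL runs BEFORE NAT outside-to-inside,
! so the same inside host must be matched by its translated (inside global)
! address. Return traffic for sessions that CBAC inspected is permitted
! dynamically, so it needs no static entry here.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 443
 deny ip any any log
!
interface GigabitEthernet0/0
 description Inside
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip access-group INSIDE-IN in
 ip inspect CBAC in
!
interface GigabitEthernet0/1
 description Outside
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
```

A common symptom of getting this wrong is an OUTSIDE-IN entry written against 10.1.1.10: it never matches, the deny-any-log line fires, and the log shows the global address, which is the quickest hint that the ACL is evaluated before untranslation.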
Tuesday, May 12, 2009
Difference between interface service policy(QOS) and inter-zone security policy(ZBF)
The zone-based firewall uses security policy-maps to specify how the flows between zones should be handled based on their traffic classes. The obvious actions that you can use in the security policy are pass, drop and inspect, but there’s also the police action, and one of the interesting questions is: “why would you need the police action in the security policy if you already have QoS policing?”
The difference between interface service policy and inter-zone security policy is in the traffic aggregation: the interface service policy works on traffic classes entering or leaving a single interface and the inter-zone policy works on aggregate traffic between zones, including the return traffic if you’ve used the inspect command to configure stateful inspection of the traffic class.
For example, you could limit the amount of HTTP traffic between your internal clients and your DMZ segment to prevent the internal users from overloading your public web servers.
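As an added example (not code from the original posts), here is a ZFW configuration covering both the Zone-Based Policy Firewall post above and this one: three zones with the default deny-all between them, an inspect policy for HTTP from the internal LAN to the DMZ web servers, and the inter-zone police action limiting that aggregate, followed by an ordinary interface QoS policer for contrast. Zone names, interface names, the DMZ web server subnet 10.10.10.0/24 and the 2 Mbps rate are assumptions.

```cisco
! Added example: ZFW inspect + inter-zone police versus an interface QoS policer.
! Zone names, interfaces, addresses and rates are assumed values.
!
! Traffic class: HTTP destined to the DMZ web servers only.
ip access-list extended DMZ-WEB-SERVERS
 permit ip any 10.10.10.0 0.0.0.255
class-map type inspect match-all CM-WEB-TO-DMZ
 match protocol http
 match access-group name DMZ-WEB-SERVERS
!
! Security policy: inspect (stateful, return traffic allowed automatically) and
! police the AGGREGATE of this class across the zone pair, return traffic included.
! police is only meaningful together with inspect.
policy-map type inspect PM-INSIDE-TO-DMZ
 class type inspect CM-WEB-TO-DMZ
  inspect
  police rate 2000000 burst 200000
 class class-default
  drop log
!
zone security INSIDE
zone security DMZ
zone security OUTSIDE
!
! Only this zone pair has a policy. INSIDE->OUTSIDE, OUTSIDE->INSIDE and
! OUTSIDE->DMZ have no zone-pair, so ZFW denies them by default.
zone-pair security INSIDE-DMZ source INSIDE destination DMZ
 service-policy type inspect PM-INSIDE-TO-DMZ
!
interface GigabitEthernet0/0
 description Internal LAN
 zone-member security INSIDE
interface GigabitEthernet0/1
 description DMZ
 zone-member security DMZ
interface GigabitEthernet0/2
 description Internet
 zone-member security OUTSIDE
!
! For contrast, a plain QoS policer: it meters only HTTP leaving this one
! interface, regardless of where it came from, and knows nothing about
! zones or the return half of a stateful session.
class-map match-any CM-WEB-QOS
 match protocol http
policy-map PM-QOS-DMZ-OUT
 class CM-WEB-QOS
  police 2000000 200000 conform-action transmit exceed-action drop
interface GigabitEthernet0/1
 service-policy output PM-QOS-DMZ-OUT
```

The inter-zone police rate is the one that actually bounds what internal users can push at the web servers as a group; the interface policer would also count HTTP arriving at the DMZ from OUTSIDE, if such a zone pair were ever added.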
Tuesday, May 5, 2009
Cisco Revising CCIE R&S Certification
Beginning October 18, 2009, the CCIE R&S lab exam will feature a two-hour troubleshooting section. Candidates will be presented with a series of trouble tickets for preconfigured networks and need to diagnose and resolve the network fault or faults. As with the configuration section, the network must be up and running for a candidate to receive credit. Candidates who finish the troubleshooting section early may proceed on to the configuration section, but they will not be allowed to go back to troubleshooting since their equipment will need to be reinitialized for the configuration portion.