Archive for April, 2009

Yet another Internetwork Expert Promo

April 30th, 2009 No comments

I just got this mail from Internetwork Experts which is quite cool:

Hello Cisco Certified Users:

If you are considering CCIE certification, TODAY is the day to get the CCIE training materials/Bootcamps that you need and save some money at the same time!

25% off all training
Today Only (April 30th, 2009)!

Discount Code: APR30X

http://www.internetworkexpert.com

Training available for: CCIE (R&S, Voice, Security, Service Provider), CCIE R&S Written, CCENT.

Please contact me with any questions.

Best regards,
Stan

Stan Yee
Corporate & Channel Sales Manager
syee@INE.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877.224.8987 x709
Direct/Outside US: +1.775.785.3026
Online Community: http://www.IEOC.com
CCIE Blog: http://blog.internetworkexpert.com

Follow us on Twitter for updates, special promotions/offers:
http://twitter.com/inetraining

Just watching the Twitter link gives me the impression that they have some kind of "sale" day every day ,-)

Securing Cisco Devices: Part III – CBAC

April 28th, 2009 2 comments

Cisco developed Context-Based Access Control (CBAC) to filter TCP and UDP packets intelligently, based on application-layer protocols. You can inspect traffic for sessions that originate from either side of the firewall (on an internal or an external interface).

Without CBAC your filtering abilities are limited to plain access-lists, which examine packets at the network or transport layer. CBAC additionally lets you analyze application-layer protocol information. For example, CBAC can read the FTP control-channel information and open the correct ports for active FTP as well.

CBAC creates temporary openings in access lists at firewall interfaces. These openings are created when specified traffic exits your internal network through the firewall. The openings allow returning traffic (that would normally be blocked) and additional data channels to enter your internal network back through the firewall. The traffic is allowed back through the firewall only if it is part of the same session as the original traffic that triggered CBAC when exiting through the firewall.

[Figure: cbac1]

You can inspect the traffic at any point of the router:

  • Inbound or outbound traffic on the internal interface
  • Inbound or outbound traffic on the external interface

It is important to note that CBAC operates at interface level.


Securing Cisco Devices: Part II – Reflexive ACLs

April 27th, 2009 No comments

Reflexive access-lists add a kind of stateful logic to your access-list. With normal access-lists you have to be quite detailed about what you need to open, e.g. for surfing the web:

[Figure: reflacl1]

In this example we would have to place access-lists like these (they match on protocol and port, so they have to be extended access-lists; a standard one only matches the source address):

inACL:

ip access-list extended inACL
   permit tcp 192.168.1.0 0.0.0.255 any eq 80
   permit udp 192.168.1.0 0.0.0.255 any eq 53
   permit tcp 192.168.1.0 0.0.0.255 any eq 53
   deny ip any any

outACL:

ip access-list extended outACL
   permit tcp any eq 80 192.168.1.0 0.0.0.255
   permit udp any eq 53 192.168.1.0 0.0.0.255
   permit tcp any eq 53 192.168.1.0 0.0.0.255
   deny ip any any

Remark: I know that this list is not complete to surf the internet. But as an example it should be enough.

But we can easily replace this access-list when adding some stateful features to it…

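The "temporary opening" that both this post and the CBAC post above describe can be shown in a few lines of Python. This is an added simulation, not IOS configuration and not the author's code: Packet, static_outbound_permitted, static_inbound_permitted, ReflexiveFilter and demo are names I made up, and the packets are constructed. It encodes the post's inACL/outACL as static functions and then the stateful replacement, so the difference is visible directly: the static return rule admits any packet that merely carries source port 80, while the reflexive one admits only a reply to a session an inside host actually opened, and only until the idle timeout expires.

```python
from dataclasses import dataclass

# Stands in for "192.168.1.0 0.0.0.255" from the post (constructed example).
INTERNAL_PREFIX = "192.168.1."


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def static_outbound_permitted(p: Packet) -> bool:
    """The post's inACL: web and DNS from internal hosts, everything else denied."""
    if not is_internal(p.src):
        return False
    return (p.proto == "tcp" and p.dport == 80) or p.dport == 53


def static_inbound_permitted(p: Packet) -> bool:
    """The post's outACL: anything FROM port 80 or 53 towards the internal net.
    Nothing here checks whether an internal host ever asked for the packet."""
    if not is_internal(p.dst):
        return False
    return (p.proto == "tcp" and p.sport == 80) or p.sport == 53


class ReflexiveFilter:
    """Stateful replacement: a permitted outbound packet 'reflects' a mirrored
    entry, inbound packets are 'evaluated' against those entries, and an idle
    timeout removes them again (the temporary opening of a reflexive ACL / CBAC)."""

    def __init__(self, idle_timeout: int = 300):
        self.idle_timeout = idle_timeout
        self.reflected = {}  # return-direction 5-tuple -> last activity time

    def outbound(self, p: Packet, now: int) -> bool:
        if not static_outbound_permitted(p):
            return False
        # Mirror the flow: the reply comes from p.dst:p.dport back to p.src:p.sport.
        self.reflected[(p.proto, p.dst, p.dport, p.src, p.sport)] = now
        return True

    def inbound(self, p: Packet, now: int) -> bool:
        self._expire(now)
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key in self.reflected:
            self.reflected[key] = now  # activity keeps the opening alive
            return True
        return False

    def _expire(self, now: int) -> None:
        for key, last in list(self.reflected.items()):
            if now - last > self.idle_timeout:
                del self.reflected[key]


def demo() -> dict:
    """Constructed packets; returns the verdicts so they can be checked."""
    fw = ReflexiveFilter(idle_timeout=300)
    request = Packet("tcp", "192.168.1.10", 40123, "203.0.113.5", 80)
    reply = Packet("tcp", "203.0.113.5", 80, "192.168.1.10", 40123)
    # An unsolicited packet that merely uses source port 80 (constructed).
    probe = Packet("tcp", "198.51.100.9", 80, "192.168.1.10", 445)
    return {
        "static_lets_reply_in": static_inbound_permitted(reply),
        "static_lets_probe_in": static_inbound_permitted(probe),
        "reflexive_outbound": fw.outbound(request, now=0),
        "reflexive_reply": fw.inbound(reply, now=5),
        "reflexive_probe": fw.inbound(probe, now=6),
        "reflexive_after_idle": fw.inbound(reply, now=400),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {'permit' if verdict else 'deny'}")
```

The interesting lines of the output are static_lets_probe_in (permit) against reflexive_probe (deny): the stateless return rule is the hole the stateful version closes, and reflexive_after_idle shows that the opening is not permanent either.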

ACL Maths

April 21st, 2009 No comments

Today I thought it would be nice to show the people out there how an ACL can be computed to fit specific requirements.

Cisco explains quite well how to use ACLs:

But do you know how to calculate an access-list which matches 10.20.30.40 and 40.30.20.10?

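As an added worked example (my own Python, not part of the post), here is the arithmetic behind that question, generalized to any set of addresses: a wildcard bit may be 0 (must match) only where every address agrees, so the wildcard is the OR of the addresses XORed against the first one, and the address part is the first address with the don't-care bits cleared. The function names (wildcard_for, acl_matches, match_count, matched_addresses) are my own. The last two functions show the part that is easy to forget: every 1-bit in the wildcard doubles what the entry matches, so a single line for two hosts usually lets a lot more through.

```python
from itertools import product


def ip_to_int(ip: str) -> int:
    """Convert dotted-quad IPv4 text to a 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def wildcard_for(addresses):
    """Return (address, wildcard) as dotted quads for one ACL entry that
    matches every address in the list (and possibly others, see match_count)."""
    ints = [ip_to_int(a) for a in addresses]
    wildcard = 0
    for n in ints[1:]:
        wildcard |= ints[0] ^ n          # bits that differ become don't-care
    address = ints[0] & ~wildcard & 0xFFFFFFFF   # clear don't-care bits
    return int_to_ip(address), int_to_ip(wildcard)


def acl_matches(address: str, wildcard: str, candidate: str) -> bool:
    """Emulate the router's test: compare only the bits the wildcard does not mask."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(candidate) & care) == (ip_to_int(address) & care)


def match_count(wildcard: str) -> int:
    """Every 1-bit in the wildcard doubles the number of matched addresses."""
    return 2 ** bin(ip_to_int(wildcard)).count("1")


def matched_addresses(address: str, wildcard: str):
    """Enumerate every address an address/wildcard pair matches (small wildcards only)."""
    base = ip_to_int(address)
    wild = ip_to_int(wildcard)
    free_bits = [b for b in range(32) if (wild >> b) & 1]
    result = []
    for bits in product((0, 1), repeat=len(free_bits)):
        n = base
        for bit, val in zip(free_bits, bits):
            if val:
                n |= 1 << bit
        result.append(int_to_ip(n))
    return sorted(result, key=ip_to_int)


if __name__ == "__main__":
    addr, wild = wildcard_for(["10.20.30.40", "40.30.20.10"])
    print(f"access-list 10 permit {addr} {wild}")
    print(f"this entry matches {match_count(wild)} addresses, for example:")
    for ip in matched_addresses(addr, wild)[:6]:
        print("  ", ip)
```

For the two hosts in the question the script prints `permit 8.20.20.8 34.10.10.34`, and match_count reports 256 addresses behind that single line; if that is more than the policy allows, two host entries are the safer answer.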

Securing Cisco Devices: Part I – ACLs

April 20th, 2009 3 comments

Some think: I know all about ACLs. Right? Well, let's see.
I will not bother you with standard stuff which can be found on any how-to-use-an-ACL website.

Playing around with Sequence Numbers

You have probably noticed that since some IOS release you see sequence numbers:

Router#sh access-lists
Standard IP access list 99
    10 permit 212.90.198.7
    20 permit 192.168.12.0, wildcard bits 0.0.0.255
    30 permit 193.100.0.0, wildcard bits 0.0.0.15
    40 deny   any

Your problem: you need to put another permit statement at the very beginning of the ACL.
The ACL is attached to an interface, and you should know what happens if you remove the ACL (no access-list 99; access-list 99 permit …) to update it: while the list does not exist, the interface is unfiltered. Yes, you will probably shoot yourself in the foot. Bad idea.

By using sequence numbers you can – guess what – add another sequence:

Router(config)#ip access-list standard 99
Router(config-std-nacl)#5 permit 1.1.1.1

Router#sh access-lists
Standard IP access list 99
    5 permit 1.1.1.1
    10 permit 212.90.198.7
    20 permit 192.168.12.0, wildcard bits 0.0.0.255
    30 permit 193.100.0.0, wildcard bits 0.0.0.15
    40 deny   any

You can also remove a sequence:

Router(config)#ip access-list standard 99
Router(config-std-nacl)#no 5

In case you have no sequence numbers left where you want to insert something in between, you can renumber (resequence) the list:

Router(config)#ip access-list resequence 99 100 50
Router(config)#do sh access-list 99
Standard IP access list 99
    100 permit 1.1.1.1
    150 permit 212.90.198.7
    200 permit 192.168.12.0, wildcard bits 0.0.0.255
    250 permit 193.100.0.0, wildcard bits 0.0.0.15
    300 deny   any

In this example 100 is the start number and 50 the increment between entries.

Access list & Interfaces?

If you want to know which access-lists are applied on a specific interface: just ask your device!

Router#show ip access-lists interface loop22 
Extended IP access list T2 in
    10 permit tcp any host 1.2.3.4 eq smtp
Extended IP access list T1 out
    10 permit icmp any any

TCP-Flags & TTL

Cisco became more flexible in 12.4(something)T if you want to filter by TTL, DSCP values or even TCP flags:

Router(config)# ip access-list extended T3
Router(config-ext-nacl)#permit icmp any any ttl lt 20
Router(config-ext-nacl)#permit udp any any dscp af31
Router(config-ext-nacl)#permit tcp any any match-all +ack +fin -psh

The first entry permits all ICMP packets with a TTL less than 20 (ttl lt 20), the second matches any UDP traffic with a DSCP value of AF31, and the last permits TCP packets that have both the ACK and FIN bits set but not the PSH bit.

Using Objects?

If you are used to working with object groups: Cisco IOS 12.4(22)T allows you to use them. A group of hosts is defined as a network object-group and then referenced from the extended access-list:

Router(config)#object-group network SERVERS
Router(config-network-group)#host 1.1.1.1
Router(config-network-group)#host 2.2.2.2
Router(config-network-group)#exit
Router(config)#ip access-list extended FWPOLICY
Router(config-ext-nacl)#permit icmp any object-group SERVERS

Cisco ACL Editor

If you google around there are plenty of tools like FWBuilder or Gareth’s Cisco ACL Editor and Simulator which you may use to compile your access-list which fits your requirements.

Securing Cisco Devices

April 19th, 2009 No comments

I got quite some mails in the past from people asking me how creative we might get to filter traffic and perform some kind of security on a Cisco device.

Probably the most interesting features are:

I will try to highlight some of them within my next posts and show you how to solve standard problems within a service provider network.

If you have special requests just drop me some comments.

Cisco Design Secrets

April 17th, 2009 No comments

About one or two weeks ago we were trashing some Cisco switches because they didn't survive our office move. We opened one of those devices and found out that some guys had placed some kind of easter eggs on the circuit board of a Cisco 2950 switch:

[Image: cisco secrets]

Categories: Humour

Ping Horse repeat 10000

April 16th, 2009 2 comments

Well, some web developers make me laugh.

While checking the access logfile from this blog I saw some strange logs:

sesamnet-fw.senselan.ch - - [16/Apr/2009:14:23:37 +0200] "GET /fileadmin/scripts/gatag.js HTTP/1.1" 404 2330
"http://test.riderschallenge.ch/organisation/zahlen-und-fakten.html"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 (.NET CLR 3.5.30729)"

Checking out the source code of the website showed me why this happened (the placeholder host "www.kunde.ch", German for "customer", was never replaced):

<!--Google Analytics Code -> ATTENTION! error404.html must be adapted too! -->
<script src="http://www.kunde.ch/fileadmin/scripts/gatag.js" type="text/javascript"></script><!--replace www.kunde.ch-->

Funny guys, ok, let's have fun, I said to myself. I wrote a mail to the hostmaster of the provider explaining the problem. After a while I saw that they hadn't changed anything. Ok, fun time: let's create that JavaScript file ,-)

The JavaScript:

alert("Hello programmierer. Fix endlich deine dummen placeholder! ,-) Der owner von kunde.ch dankt dir recht herzlich. " +
      "Vielleicht sollte ich noch nen malicious code einbauen? kontakt findest du unter http://www.kunde.ch");
window.location.href = 'http://www.cyberkoch.ch/warmes/pfefilebasel220207.shtml';

Check out the comments for a reaction …
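The real lesson of this story is that whoever controls a host named in a script src controls the page. A cheap check for it, added here as my own example (not the post's code), parses a page's HTML, collects every external script host and reports those that are not on an allowlist. The sample HTML is constructed around the snippet shown above, and ScriptSrcCollector, external_script_hosts and unexpected_script_hosts are names I made up; the check uses only the standard library so it runs against a saved copy of any page.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the snippet in the post: one local script,
# the forgotten placeholder host, and a legitimate analytics include.
SAMPLE_HTML = """
<html><head>
<script src="/fileadmin/scripts/site.js" type="text/javascript"></script>
<!--Google Analytics Code -> ATTENTION! error404.html must be adapted too! -->
<script src="http://www.kunde.ch/fileadmin/scripts/gatag.js" type="text/javascript"></script><!--replace www.kunde.ch-->
<script src="http://www.google-analytics.com/ga.js" type="text/javascript"></script>
</head><body></body></html>
"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def external_script_hosts(html: str):
    """Hosts that serve script to this page. Relative URLs have no host and
    are served by the site itself, so they are skipped."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    hosts = []
    for src in parser.sources:
        host = urlparse(src).hostname   # also handles "//host/x.js"
        if host:
            hosts.append(host.lower())
    return hosts


def unexpected_script_hosts(html: str, allowed_hosts):
    """Script hosts that are not on the allowlist, sorted and without duplicates.
    Anything reported here runs with the full privileges of the page."""
    allowed = {h.lower() for h in allowed_hosts}
    return sorted({h for h in external_script_hosts(html) if h not in allowed})


if __name__ == "__main__":
    for host in unexpected_script_hosts(SAMPLE_HTML, ["www.google-analytics.com"]):
        print("script loaded from unexpected host:", host)
```

On the sample this prints only www.kunde.ch, which is exactly the line the developer was supposed to replace; run against a production page, every host it reports should be one the site owner actually controls or trusts.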

Categories: Humour

Page Update: Online Tools

April 16th, 2009 No comments

I’ve added some tools to this page:

I like the config auditor which is using nipper to do a basic security audit of the configuration.

Categories: Online Tools

Internetwork Expert April Sales

April 16th, 2009 No comments

Internetwork Expert is also having a sales promo. If you use the coupon code APRIL09 you get 20% off everything (material, courses, rack rentals, …).