Archive for the ‘Security’ Category

GNS3 0.7.1 now working on Mac OS X

May 3rd, 2010 No comments

Update on my previous post. GNS3 will now work under Mac OS X – but there are some steps to do:

  1. Download the version with Python included
  2. Once installed, use the old dynamips from 0.5 (or at least the last working one for you)
    Click on your old (working) GNS3 -> show package contents -> Contents/Resources and copy the to the corresponding folder in your new GNS3 package.

Now start GNS3 and see if everything is working. It is, at least for me.

Cisco VPN Client reaches release (not beta anymore!)

April 15th, 2010 No comments

It seems that the VPN client for Windows 7 / XP has now reached final version.

Highlights from the release notes:

VPN Client 5.0.07 supports the following Microsoft OSs:
- Windows 7 on x64 (64-bit)
- Windows 7 on x86 (32-bit) only
- Windows Vista on both x86 (32-bit) and  x64
- Windows XP on x86

To avoid problems with the TCP/IP Registry Compatibility service and the VPN Virtual Adaptor, it’s recommended that Windows Vista users install Vista SP2 or later.

Before you install the VPN client, please check wether some of the problems are fixed for you, or if the known problems will affect you.

Cisco VPN Client for 64bit (Vista & Windows 7) now Beta

February 23rd, 2010 No comments

It looks like there’s now a 64bit version of the cisco VPN client:

vpnclient-winx64-msi- - Vista, Windows 7 - 64bit only.

I think important to know:

The new client beta requires a kernel patch, KB952876, from Microsoft before
installing first installing the actual client.  It is also suggested that 
Service Pack 2 for Vista be installed.


VPN Client takes longer to connect on Vista compared to XP. This is due to
new features in Vista.

The Cisco VPN Client for Windows Vista and Windows 7 does NOT support 
the following:
* System upgraded from Windows XP to Vista or Windows 7 
  (clean OS installation required).
* Start Before Logon
* Integrated Firewall - See workaround below.
* InstallShield
* 64bit support
* AutoUpdate
* Translated Online Help - Provided only in English

If you are experiencing a BlueScreen on XP related to the VPN client built-in
Firewall client, please follow the workaround below.(check out release notes).

Check out the release notes for any details.

Securing Cisco Devices: Part III – CBAC

April 28th, 2009 No comments

Cisco developped Context-based Access Control to intelligently filtering TCP and UDP packets based on application-layer protocols. You can inspect traffic for sessions that originate from any side of the firewall (can be an internal or external interface).

Without CBAC your filtering abilities is limited to pure access-lists which are examining the packets at network or transport layer. However CBAC gives you the ability to analyze also the application-layer protocol information. By example CBAC can detect the FTP connection informations and open also the correct ports for active FTP.

CBAC creates temporary openings in access lists at firewall interfaces. These openings are created when specified traffic exits your internal network through the firewall. The openings allow returning traffic (that would normally be blocked) and additional data channels to enter your internal network back through the firewall. The traffic is allowed back through the firewall only if it is part of the same session as the original traffic that triggered CBAC when exiting through the firewall.


You can inspect the traffic at any point of the router:

  • Inbound or outbound traffic on the internal interface
  • Inbound or outbound traffic on the external interface

It is important to note that CBAC operates at interface level.

Read more…

Securing Cisco Devices: Part II – Reflexive ACLs

April 27th, 2009 No comments

Reflexive Access-Lists are adding kind of a stateful logic to your access-list. When using normal access-lists you have to be quite detailled, what you need to open e.g. for surfing the web:


In this example we would have to place a access-list like:


ip access-list standard inACL
   permit tcp any eq 80
   permit udp any eq 53
   permit tcp any eq 53
   deny ip any any


ip access-list standard outACL
   permit tcp any eq 80
   permit udp any eq 53
   permit tcp any eq 53
   deny ip any any

Remark: I know that this list is not complete to surf the internet. But as an example it should be enough.

But we can easily replace this access-list when adding some stateful features to it…

Read more…

ACL Maths

April 21st, 2009 No comments

Today I thought, it would be nice to show the people out there, how an ACL can be computed to fit specific requirements.

Cisco explains quite good how to use ACLs:

But do you know how to calculate an access-list which matches and

Read more…

Securing Cisco Devices: Part I – ACLs

April 20th, 2009 No comments

Some think: I know all about ACLs. Right? Well, lets see.
I will not bother you with standard stuff which can be found on any how-to-use-an-acl-website.

Playing around with Sequence Numbers

You probably have noticed that since some IOS release you see some sequence numbers:

Router#sh access-lists
Standard IP access list 99
    10 permit
    20 permit, wildcard bits
    30 permit, wildcard bits
    40 deny   any

Your problem: You need to put another permit statment at the very beginning of the ACL.
The ACL is attached on an interface – you should know what happens if remove the ACL (no access-list 99; access-list 99 permit …) to update it. Yes: you will probably shoot yourself into the foot. Bad idea.

By using sequence numbers you can – guess what – add another sequence:

Router(config)#ip access-list standard 99
Router(config-std-nacl)#5 permit

Router#sh access-lists
Standard IP access list 99
5 permit
10 permit
20 permit, wildcard bits
30 permit, wildcard bits
40 deny   any

You can also remove a sequence:

Router(config)#ip access-list standard 99
Router(config-std-nacl)#no 5

In case you have no sequence numbers left where you want to put something in between, you may renumber / resequence the list:

Router(config)#ip access-list resequence 99 100 50
Router(config)#do sh access-list 99
Standard IP access list 99
100 permit
150 permit
200 permit, wildcard bits
250 permit, wildcard bits
300 deny   any

In this example 100 is the startnumber and 50 the step.

Access list & Interfaces?

If you want to know which access-lists are applied on a specific inteface: just ask your device!

Router#show ip access-lists interface loop22 
Extended IP access list T2 in
    10 permit tcp any host eq smtp
Extended IP access list T1 out
    10 permit icmp any any

TCP-Flags & TTL

Cisco became more flexible in 12.4(something)T when you want to filter by TTL, DSCP values or even TCP flags:

Router(config)# ip access-list extended T3
Router(config-ext-nacl)#permit icmp any any ttl lt 20
Router(config-ext-nacl)#permit udp any any dscp af31
Router(config-ext-nacl)#permit tcp any any match-all +ack +fin -psh

The first example permits all ICMP packets with a TTL less or equal than 20, the second example matches any UDP traffic with a DSCP value of AF31 and the last example permits TCP traffic with an ACK, FIN but without any PSH bit set.

Using Objects?

If you’re used about using object groups: Cisco IOS 12.4(22)T is allowing to use it:

Router(config)#  ip access-list standard SERVERS
Router(config-std-nacl)#  ip access-list extended FWPOLICY 
Router(config-ext-nacl)#permit icmp any object-group SERVERS

Cisco ACL Editor

If you google around there are plenty of tools like FWBuilder or Gareth’s Cisco ACL Editor and Simulator which you may use to compile your access-list which fits your requirements.

Securing Cisco Devices

April 19th, 2009 No comments

I got quite some mails in the past of people, asking me how creative we might be to filter traffic and perform some kind of security on a Cisco device.

Probably the most interesting features are:

I will try to hightlight some of them within my next posts and show you how to solve standard problems within a service provider network.

If you have special requests just drop me some comments.