Monthly Archives: December 2013

Special Use IPv4 Addresses – RFC5735

Address Block Present Use  Reference 0.0.0.0/8           “This” Network             RFC 1122, Section 3.2.1.3 10.0.0.0/8          Private-Use Networks       RFC 1918 127.0.0.0/8         Loopback                   RFC 1122, Section 3.2.1.3 169.254.0.0/16      Link Local                 RFC 3927 172.16.0.0/12       Private-Use Networks       RFC 1918 192.0.0.0/24        IETF Protocol Assignments  RFC 5736 192.0.2.0/24        TEST-NET-1                 RFC 5737 192.88.99.0/24      6to4 Relay Anycast         RFC 3068 192.168.0.0/16      Private-Use Networks       RFC 1918 198.18.0.0/15       Network Interconnect RFC 2544    Device Benchmark Testing   RFC 2544 198.51.100.0/24     TEST-NET-2                 RFC 5737 203.0.113.0/24      TEST-NET-3                 RFC 5737 224.0.0.0/4         Multicast                  RFC 3171 240.0.0.0/4         Reserved for Future Use    RFC 1112, Section 4 255.255.255.255/32   Limited Broadcast          RFC 919, Section 7     RFC 922, Section 7

By |December 30th, 2013|Uncategorized|0 Comments

Cisco ACS Initial Setup

localhost login: setupEnter hostname[]: acs-server-1Enter IP address[]: 209.165.200.225Enter IP default netmask[]: 255.255.255.0Enter IP default gateway[]: 209.165.200.1Enter default DNS domain[]: mycompany.comEnter Primary nameserver[]: 209.165.200.254Add/Edit another nameserver? Y/N : nEnter username [admin]: adminEnter password:Enter password again:Pinging the gateway…Pinging the primary nameserver…Do not use `Ctrl-C’ from this point on…Appliance is configuredInstalling applications…Installing acs…Generating configuration…Rebooting…After the ACS server is installed, the system reboots automatically.Verify that the application has been installed properly by entering show application. Check the release and ACS version installed  by entering show application version acsCheck the status of ACS processes, at the system prompt by entering show application status acs   Password Reset – Power up the appliance.– Insert the ACS 5.3 Recovery DVD. The console displays:       Welcome to Cisco Secure ACS 5.3 Recovery                                  To boot from hard disk press <Enter>.                                           Available boot options:                                                           [1] Cisco Secure ACS 5.3 Installation (Keyboard/Monitor)                        [2] Cisco Secure ACS 5.3 Installation (Serial Console)                          [3] Reset Administrator Password (Keyboard/Monitor)                             [4] Reset Administrator Password (Serial Console)                               <Enter> Boot from hard disk In my case I used option 4 since I was connected via console. The console displays: ————————————————————————-  ———————— Admin Password Recovery ————————  ————————————————————————-   This utility will reset the password for the specified admin username.  At most the first five admin usernames will be listed. Enter Ctrl-C  to abort without saving changes and reboot.   ————————————————————————-   Admin Usernames :      [1] admin   Enter number of admin for password recovery: 1  Password:   Verify password:   Save changes and reboot? [y/n]: y     Source: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/installation/guide/csacs.pdf

By |December 30th, 2013|Cisco, Security|0 Comments

IKE v1 vs. IKE v2

IKE Properties – Negotiate SA attributes, determine transforms, hashing and more – Generate and refresh keys using DH – Authenticate peer devices using attributes like IP, FQDN, LDAP DN and more – It has two phases IKE v1 (Phase 1 and 2) IKE v2 (Init and Auth) – Main mode & aggressive mode – ISAKMP negotiates SA for IPSEC. Quick mode & sdoi mode   IKE v2 Advantages – Simplifies the existing IKEv1 – Single RFC, including NAT-T, EAP and remote address acquisition – Replaces the 8 initial exchanges with a single 4 message exchange – Reduces the latency for the IPSEC SA setup and increases connection establishment speed. – Increases robustness against DOS attack. – Improves reliability through the use of sequence numbers, acknowledgements, and error correction. – Forward Compatibility – Simple cryptographic mechanisms – Traffic selector negotiation: – IKEv1: Responder can just say yes/no. IKEv2: Negotiation ability added – Reliability – All messages are request/response. – Initiator is responsible for retransmission if it doesn’t receive a response.   IKE v1 IKE v2 Developed in 1998, based on RFC 4995 Developed in 2006, based on RFC 5996 Pre-shared key and certificate for authentication Pre-shared key, certificate and EAP variants. Supports  for asymmetric authentication. Side A Preshared Key and Side B Certificates. No reliability Reliable. Introduces retransmission and acknowledgement functions. ack and sequenced Phase 1 generates 6 messages (main mode) 3 messages (aggressive mode) Reduced bandwidth requirements. generates only 4 messages at all. When EAP is used in IKEv2, an additional 2 messages may be required. Negotiation of the first CHILD_SA required 3 messages. Subsequent CHILD_SAs require 3 messages Negotiation of the first CHILD_SA required no messages since it is piggybacked onto the negotiation of the […]

By |December 30th, 2013|Cisco, Security|0 Comments