Application-layer management protocol used for monitoring and administration. SNMP operates by sending information to Network Management Servers (NMS). The NMS learns about problems in the network by receiving traps or inform messages generated by the individual device running SNMP or what is more commonly called the managed device.   SNMP Operations – Agents listen to UDP port 161 for messages sent by the NMS – Responses are sent back to the originating NMS port from a dynamic port. Many agents use port 161 also for this target – Traps are received on port 162 of a NMS   The first two variants of SNMP have pretty much the same protocol structure.  (V3 is shown below.) This means that each of them will encapsulate the same general message format into a UDP packet. This message will be similar to this:   SNMP Message Sequence Diag   SNMP Message Diagram   Shark Capture showing Version, String and PDU   SNMP Version field will be an integer value and it should be noted that both the NMS and the agent must agree on the version of SNMP being used to communicate.   SNMP community string is best described as a string value used for the password check for the NMS before the managed device will allow it to access or manipulate the agent process.   SNMP Protocol Data Unit (PDU). The actual communication of information in the SNMP Protocol is performed through the exchange of SNMP messages. These messages are sometimes called protocol data units or PDUs. The PDU is the higher-layer data that SNMP encapsulates; The values applied to this field represent various PDU types and formats.   See SNMP Versions for SNMP PDUs     […]

By |September 27th, 2013|CCIE, Cisco|0 Comments

RIP Authentication

RIPv1 does not support authentication. If you are sending and receiving RIP v2 packets, you can enable RIP authentication on an interface. The key chain determines the set of keys that can be used on the interface. Authentication, including default authentication, is performed on that interface only if a key chain is configured. Cisco supports two modes of authentication on an interface on which RIP is enabled: plain-text authentication and message digest algorithm 5 (MD5) authentication. Plain-text authentication is the default authentication in every RIPv2 packet. Do not use plain text authentication in RIP packets for security purposes, because the unencrypted authentication key is sent in every RIPv2 packet. Use plain-text authentication when security is not an issue; for example, you can use plain-text authentication to ensure that misconfigured hosts do not participate in routing. Specifying a RIP Version and Enabling Authentication Configuration example: ! router rip version {1 | 2} interface type number ip rip send version [1] [2] ip rip receive version [1] [2] ip rip authentication key-chain name-of-chain ip rip authentication mode {text | md5} ! Note: Key Chain needs to be configured for this to work. Troubleshoot: debug ip rip

By |September 4th, 2013|CCIE, Cisco, Security|0 Comments

Cisco Key Chains

To define an authentication, a key chain needed to enable authentication for routing protocols. To enter key-chain configuration mode, use the `key chain` command in global configuration mode. Only DRP Agent, Enhanced Interior Gateway Routing Protocol (EIGRP), and Routing Information Protocol (RIP) Version 2 use key chains. It is useful to have multiple keys on a key chain so that the software can sequence through the keys as they become invalid after time, based on the accept-lifetime and send-lifetime key chain key command settings. If the last key expires, authentication will continue and an error message will be generated. To disable authentication, you must manually delete the last valid key key chain commandkey chain name-of-chain no key chain name-of-chain  Configuration example ! key chain MD5 key 1 key-string MD5HASH accept-lifetime 13:30:00 Jan 25 1996 duration 7200 send-lifetime 14:00:00 Jan 25 1996 duration 3600 exit ! key chain TEXT key 1 key-string CLEARTEXT key 2 key-string KEY2 !

By |September 4th, 2013|CCIE, Cisco|0 Comments

Web Security Appliance (WSA)

The WSA main features are  L4 Traffic Monitor and Web Proxy. Other features are – URL filtering – Web usage controls – Application visibility & control – Anti-Malware scanning (Sophos, McAfee, Webroot) Secure web proxy monitors and scans web traffic for malicious  content. When you enable the web proxy, you can configure it to be in transparent or explicit forward  mode The L4 Traffic Monitor detects and blocks rogue traffic across all ports and IP addresses. The L4 Traffic Monitor listens to network traffic that comes in over all ports and IP addresses on the appliance and matches domain names and IP addresses against entries in its own  database tables to determine whether to allow outgoing traffic. L4 Traffic Monitor deployment is independent of the Web Proxy deployment. You can connect the L4 Traffic Monitor to a network tap or the mirror/span port of a switch. When you enable the web proxy, you can configure it to be in transparent or explicit forward mode. Deployment Features you enable determine how you deploy and physically connect the appliance to the network. Two main deployment methods are Explicit forward proxy and Transparent Proxy. Explicit Forward Proxy: Client applications, such as web browsers, are aware of the Web Proxy and must be configured to point to a single Web Security appliance. This deployment requires a connection to a standard network switch. When you deploy the Web Proxy in explicit forward mode, you can place it anywhere in the network. IP spoofing is disabled by default ON – IP address of original source is maintained. OFF – Changing IP address to WSA IP address Automatic: Configure each client application to use a PAC file to detect the appliance Web […]

By |August 13th, 2013|CCIE, Cisco, Security|0 Comments