Cisco

Cisco ACS Initial Setup

localhost login: setupEnter hostname[]: acs-server-1Enter IP address[]: 209.165.200.225Enter IP default netmask[]: 255.255.255.0Enter IP default gateway[]: 209.165.200.1Enter default DNS domain[]: mycompany.comEnter Primary nameserver[]: 209.165.200.254Add/Edit another nameserver? Y/N : nEnter username [admin]: adminEnter password:Enter password again:Pinging the gateway…Pinging the primary nameserver…Do not use `Ctrl-C’ from this point on…Appliance is configuredInstalling applications…Installing acs…Generating configuration…Rebooting…After the ACS server is installed, the system reboots automatically.Verify that the application has been installed properly by entering show application. Check the release and ACS version installed  by entering show application version acsCheck the status of ACS processes, at the system prompt by entering show application status acs   Password Reset – Power up the appliance.– Insert the ACS 5.3 Recovery DVD. The console displays:       Welcome to Cisco Secure ACS 5.3 Recovery                                  To boot from hard disk press <Enter>.                                           Available boot options:                                                           [1] Cisco Secure ACS 5.3 Installation (Keyboard/Monitor)                        [2] Cisco Secure ACS 5.3 Installation (Serial Console)                          [3] Reset Administrator Password (Keyboard/Monitor)                             [4] Reset Administrator Password (Serial Console)                               <Enter> Boot from hard disk In my case I used option 4 since I was connected via console. The console displays: ————————————————————————-  ———————— Admin Password Recovery ————————  ————————————————————————-   This utility will reset the password for the specified admin username.  At most the first five admin usernames will be listed. Enter Ctrl-C  to abort without saving changes and reboot.   ————————————————————————-   Admin Usernames :      [1] admin   Enter number of admin for password recovery: 1  Password:   Verify password:   Save changes and reboot? [y/n]: y     Source: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/installation/guide/csacs.pdf

By |December 30th, 2013|Cisco, Security|0 Comments

IKE v1 vs. IKE v2

IKE Properties – Negotiate SA attributes, determine transforms, hashing and more – Generate and refresh keys using DH – Authenticate peer devices using attributes like IP, FQDN, LDAP DN and more – It has two phases IKE v1 (Phase 1 and 2) IKE v2 (Init and Auth) – Main mode & aggressive mode – ISAKMP negotiates SA for IPSEC. Quick mode & sdoi mode   IKE v2 Advantages – Simplifies the existing IKEv1 – Single RFC, including NAT-T, EAP and remote address acquisition – Replaces the 8 initial exchanges with a single 4 message exchange – Reduces the latency for the IPSEC SA setup and increases connection establishment speed. – Increases robustness against DOS attack. – Improves reliability through the use of sequence numbers, acknowledgements, and error correction. – Forward Compatibility – Simple cryptographic mechanisms – Traffic selector negotiation: – IKEv1: Responder can just say yes/no. IKEv2: Negotiation ability added – Reliability – All messages are request/response. – Initiator is responsible for retransmission if it doesn’t receive a response.   IKE v1 IKE v2 Developed in 1998, based on RFC 4995 Developed in 2006, based on RFC 5996 Pre-shared key and certificate for authentication Pre-shared key, certificate and EAP variants. Supports  for asymmetric authentication. Side A Preshared Key and Side B Certificates. No reliability Reliable. Introduces retransmission and acknowledgement functions. ack and sequenced Phase 1 generates 6 messages (main mode) 3 messages (aggressive mode) Reduced bandwidth requirements. generates only 4 messages at all. When EAP is used in IKEv2, an additional 2 messages may be required. Negotiation of the first CHILD_SA required 3 messages. Subsequent CHILD_SAs require 3 messages Negotiation of the first CHILD_SA required no messages since it is piggybacked onto the negotiation of the […]

By |December 30th, 2013|Cisco, Security|0 Comments

SNMP

  Application-layer management protocol used for monitoring and administration. SNMP operates by sending information to Network Management Servers (NMS). The NMS learns about problems in the network by receiving traps or inform messages generated by the individual device running SNMP or what is more commonly called the managed device.   SNMP Operations – Agents listen to UDP port 161 for messages sent by the NMS – Responses are sent back to the originating NMS port from a dynamic port. Many agents use port 161 also for this target – Traps are received on port 162 of a NMS   The first two variants of SNMP have pretty much the same protocol structure.  (V3 is shown below.) This means that each of them will encapsulate the same general message format into a UDP packet. This message will be similar to this:   SNMP Message Sequence Diag   SNMP Message Diagram   Shark Capture showing Version, String and PDU   SNMP Version field will be an integer value and it should be noted that both the NMS and the agent must agree on the version of SNMP being used to communicate.   SNMP community string is best described as a string value used for the password check for the NMS before the managed device will allow it to access or manipulate the agent process.   SNMP Protocol Data Unit (PDU). The actual communication of information in the SNMP Protocol is performed through the exchange of SNMP messages. These messages are sometimes called protocol data units or PDUs. The PDU is the higher-layer data that SNMP encapsulates; The values applied to this field represent various PDU types and formats.   See SNMP Versions for SNMP PDUs     […]

By |September 27th, 2013|CCIE, Cisco|0 Comments

Filtering Routes on IOS

Route filtering with RIP & RIPNG– Passive interface (passive-interface)– Distribute-list (distribute-list 2 [in|out])– Offset list (offset-list)– Administrative distance (distance) Route filtering with EIGRP & EIGRP V6– Passive interface (passive-interface)– Distribute-list [in|out] – IPV4 ACLs only– Prefix-list (prefix prefix-list-name[in|out])– Route-map  (route-map map-tag [permit|deny] [sequence-number])– Administrative distance (distance) Route filtering with OSPF– Stub area (area stub & area nssa)– LSA Type 3 filtering (area filter-list) – IPV4 only– Summarization (area range/summary address [not-advertise])– Redistribution (redistribute protocol route-map) Route filtering with BGP & BGP for IPV6– Prefix list (neighbor prefix list [in|out])– Distribute list (neighbor distribute list [in|out])– Filter list (neighbor filter list [in|out])– Route maps (neighbor route-map [in|out]) Regex characters on IOS“.”         – match any character“|”         – concatenates constructs. matches one of the characters or character patterns on either side of the vertical bar.“[]”        – matches the character following the backslash“[0-9]”   – match any single digit“[a-z]”   – match any lower case“[A-Z]   – match any upper case“_”        – replaces a long regular expression list by matching a comma (,), left brace ({), right brace (}), the beginning of the input string, the end of the input string, a space or the end of an AS Path.“^”       – match the beginning of a string.“$”       – match the end of a string“\”        – matches the character following the backslash and also escapes special characters. Regex Occurrence Modifiers on IOS“?”     – means 0 or 1 times. matches zero or one occurrence of the pattern“*”     – mean 0 or any times. matches zero or one occurrence of the pattern“+”     – means 1 or any times. matches zero or one occurrence of the pattern Source:IP Expert VODCisco Doc: Additional and Legacy Protocols/Terminal Services Configuration Guide, Cisco IOS Release

By |September 27th, 2013|Cisco|0 Comments

RIP Authentication

RIPv1 does not support authentication. If you are sending and receiving RIP v2 packets, you can enable RIP authentication on an interface. The key chain determines the set of keys that can be used on the interface. Authentication, including default authentication, is performed on that interface only if a key chain is configured. Cisco supports two modes of authentication on an interface on which RIP is enabled: plain-text authentication and message digest algorithm 5 (MD5) authentication. Plain-text authentication is the default authentication in every RIPv2 packet. Do not use plain text authentication in RIP packets for security purposes, because the unencrypted authentication key is sent in every RIPv2 packet. Use plain-text authentication when security is not an issue; for example, you can use plain-text authentication to ensure that misconfigured hosts do not participate in routing. Specifying a RIP Version and Enabling Authentication Configuration example: ! router rip version {1 | 2} interface type number ip rip send version [1] [2] ip rip receive version [1] [2] ip rip authentication key-chain name-of-chain ip rip authentication mode {text | md5} ! Note: Key Chain needs to be configured for this to work. Troubleshoot: debug ip rip

By |September 4th, 2013|CCIE, Cisco, Security|0 Comments

Cisco Key Chains

To define an authentication, a key chain needed to enable authentication for routing protocols. To enter key-chain configuration mode, use the `key chain` command in global configuration mode. Only DRP Agent, Enhanced Interior Gateway Routing Protocol (EIGRP), and Routing Information Protocol (RIP) Version 2 use key chains. It is useful to have multiple keys on a key chain so that the software can sequence through the keys as they become invalid after time, based on the accept-lifetime and send-lifetime key chain key command settings. If the last key expires, authentication will continue and an error message will be generated. To disable authentication, you must manually delete the last valid key key chain commandkey chain name-of-chain no key chain name-of-chain  Configuration example ! key chain MD5 key 1 key-string MD5HASH accept-lifetime 13:30:00 Jan 25 1996 duration 7200 send-lifetime 14:00:00 Jan 25 1996 duration 3600 exit ! key chain TEXT key 1 key-string CLEARTEXT key 2 key-string KEY2 !

By |September 4th, 2013|CCIE, Cisco|0 Comments

Web Security Appliance (WSA)

The WSA main features are  L4 Traffic Monitor and Web Proxy. Other features are – URL filtering – Web usage controls – Application visibility & control – Anti-Malware scanning (Sophos, McAfee, Webroot) Secure web proxy monitors and scans web traffic for malicious  content. When you enable the web proxy, you can configure it to be in transparent or explicit forward  mode The L4 Traffic Monitor detects and blocks rogue traffic across all ports and IP addresses. The L4 Traffic Monitor listens to network traffic that comes in over all ports and IP addresses on the appliance and matches domain names and IP addresses against entries in its own  database tables to determine whether to allow outgoing traffic. L4 Traffic Monitor deployment is independent of the Web Proxy deployment. You can connect the L4 Traffic Monitor to a network tap or the mirror/span port of a switch. When you enable the web proxy, you can configure it to be in transparent or explicit forward mode. Deployment Features you enable determine how you deploy and physically connect the appliance to the network. Two main deployment methods are Explicit forward proxy and Transparent Proxy. Explicit Forward Proxy: Client applications, such as web browsers, are aware of the Web Proxy and must be configured to point to a single Web Security appliance. This deployment requires a connection to a standard network switch. When you deploy the Web Proxy in explicit forward mode, you can place it anywhere in the network. IP spoofing is disabled by default ON – IP address of original source is maintained. OFF – Changing IP address to WSA IP address Automatic: Configure each client application to use a PAC file to detect the appliance Web […]

By |August 13th, 2013|CCIE, Cisco, Security|0 Comments