Thursday, April 29, 2010

CCNA Security 10

When it comes to cryptographic systems, there are two words which you will no doubt encounter: Cryptography and Cryptanalysis. Those two words are opposites of each other. Cryptography is the art of code generation, while Cryptanalysis is the art of code breaking. Cryptography and Cryptanalysis together make up Cryptology.
There are many methods of breaking code. Cryptanalysis (remember, code breaking) can be done in the following ways:
-Brute Force
Brute Force is the most basic way to crack a code. It is theoretically able to break any cryptographic system, but here comes the problem of practicality. Modern cryptosystems would take anywhere from months to trillions of years to crack through brute force. In cases where brute force is not feasible, other mathematical analytical methods are used.

-Statistical Analysis
This method involves statistically analyzing a large collection of ciphertext created by the cryptosystem. For example, we know that RSTLNE are the most common letters used in English. It is then likely that the most commonly occurring symbol in the (English-based) ciphertext represents the letter R. This method worked very well when cryptosystems did not use pseudorandom output. Modern cryptosystems use pseudorandom output to resist statistical analysis.

-Known-Plaintext
This method is used when you know both the plaintext and the ciphertext. A brute-force algorithm is then used to attempt to deduce the key used for the encryption. Unlike a normal brute-force attack, this is actually more practical than it seems. This is because known-plaintext attacks have a much smaller universe of possibilities (you know the character set, key length, encryption algorithm and so on), so the result can be achieved much quicker than with a normal brute-force attack.

-Meet-in-the-Middle
This method is used to break data that is encrypted with two independent keys. If brute-forcing a cipher takes 2^(n) time with a key of n bits, then brute-forcing a double-encrypted cipher would take 2^(2n) time. What Meet-in-the-middle does is encrypt the known plaintext from one side and decrypt the ciphertext from the other side. All the results are stored in memory for comparison. This effectively reduces the time needed from 2^(2n) to 2^(n+1).
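An added Python example (not part of the original post) that carries the 2^(2n) versus 2^(n+1) argument through on a toy cipher: a 16-bit block cipher applied twice with two independent 16-bit keys, recovered with one forward table and one backward pass. The cipher, key sizes and sample keys are constructed here for illustration and have nothing to do with any real algorithm.

```python
# Added example (not from the original post): meet-in-the-middle against a
# toy 16-bit block cipher applied twice with two independent 16-bit keys.
# The cipher, key sizes and sample keys are constructed for illustration.

MASK = 0xFFFF
KEY_BITS = 16
ROUNDS = 4


def rotl16(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK


def rotr16(x, r):
    return ((x >> r) | (x << (16 - r))) & MASK


def toy_encrypt(key, block):
    """Invertible mix of XOR, modular add and rotate; toy strength only."""
    x = block & MASK
    for rnd in range(ROUNDS):
        x ^= key
        x = (x + rotl16(key, rnd + 1)) & MASK
        x = rotl16(x, 3)
    return x


def toy_decrypt(key, block):
    x = block & MASK
    for rnd in reversed(range(ROUNDS)):
        x = rotr16(x, 3)
        x = (x - rotl16(key, rnd + 1)) & MASK
        x ^= key
    return x


def double_encrypt(k1, k2, block):
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known plaintext/ciphertext pairs.

    Forward table: E_k1(p0) for every k1 (2^16 entries kept in memory).
    Backward pass: D_k2(c0) for every k2, looked up in the table.
    Total work is about 2 * 2^16 cipher calls instead of 2^32 for naive
    brute force; the extra pairs weed out false matches on the first pair.
    """
    p0, c0 = pairs[0]
    forward = {}
    for k1 in range(1 << KEY_BITS):
        forward.setdefault(toy_encrypt(k1, p0), []).append(k1)
    for k2 in range(1 << KEY_BITS):
        middle = toy_decrypt(k2, c0)
        for k1 in forward.get(middle, ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                return k1, k2
    return None


def demo():
    k1, k2 = 0x1234, 0xBEEF            # constructed secret keys
    plaintexts = [0x0001, 0x4242, 0xABCD]
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    return meet_in_the_middle(pairs)


if __name__ == "__main__":
    print("recovered keys:", tuple(hex(k) for k in demo()))
```

The memory for the forward table is the price of the time saving, which is why the post says the results are "stored in memory for comparison"; at 2^56 entries (real DES) that table is the practical obstacle, and it is also why encrypt-decrypt-encrypt 3DES is rated at 112 bits rather than 168.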

-Chosen-Plaintext
Chosen-plaintext is the method used when attackers can gain access to the cryptosystem. An attacker is then able to specify their own plaintext and analyze the output.

-Chosen-Ciphertext
This is similar to chosen-plaintext, in that an attacker gains access to the cryptosystem. However, it differs from chosen-plaintext as it now deals with the decryption side of things.

-Birthday Attack
The birthday attack makes use of the vulnerability of hashing functions to collisions. A collision happens when f(x1) = f(x2) where x1 and x2 are different values. In this case, a collision becomes likely after roughly 1.2√k attempts, where k is the total number of possible hash values.
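An added Python example (not part of the original post) of the birthday search itself: SHA-256 is truncated to a small number of bits purely to get a small output space k = 2^nbits so the search finishes in well under a second, and the inputs are constructed counters. It also computes the 1.2√k figure so the two can be compared.

```python
# Added example (not from the original post): a birthday search for a
# collision in a hash truncated to a small number of bits. SHA-256 is
# truncated only to get a small output space k = 2**nbits so the search
# finishes quickly; the inputs are constructed counters.
import hashlib
from math import sqrt


def truncated_hash(data: bytes, nbits: int) -> int:
    """Top nbits of SHA-256, standing in for a hash with 2**nbits outputs."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - nbits)


def birthday_bound(nbits: int) -> float:
    """Tries needed for roughly a 50% collision chance: about 1.2 * sqrt(k)."""
    return 1.2 * sqrt(2 ** nbits)


def find_collision(nbits: int):
    """Hash distinct inputs until two share a truncated digest.

    Returns (tries, input_a, input_b). Memory is the cost of this
    approach: every digest seen so far is kept for comparison.
    """
    seen = {}
    tries = 0
    while True:
        msg = b"constructed-message-%d" % tries
        tries += 1
        h = truncated_hash(msg, nbits)
        if h in seen:
            return tries, seen[h], msg
        seen[h] = msg


if __name__ == "__main__":
    bits = 32
    tries, a, b = find_collision(bits)
    print(f"{bits}-bit digest: collision after {tries} tries "
          f"(1.2*sqrt(k) = {birthday_bound(bits):.0f}, k = {2**bits})")
    print(a, b, hex(truncated_hash(a, bits)))
```

Finding a second input for one fixed digest would take about k tries; finding any two inputs that agree takes about √k, which is why a digest's effective collision resistance is half its length and why short digests are a problem for signatures and certificates.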

For a cryptosystem to ensure confidentiality, there must be some sort of encryption scheme. Encryption is done using two main types of systems: symmetrical and asymmetrical. A symmetrical system involves only one key for both encryption and decryption. Symmetrical systems are fast and are strong as long as the key can be safely exchanged between the peers.

One might think that transfer of keys over the internet is insane. Anyone sniffing in transit would be able to nab the keys and begin decrypting and encrypting packets. This was what security experts in the past thought. This is where asymmetrical keys come into play.

Asymmetrical keys involve a key pair. When one encrypts with either key, the other key in the pair is used to decrypt. The key pair is known as a public and private key pair. As its name suggests, the public key can be safely sent out onto the internet, but the private key should only be available to the owner of the key pair.

When encrypting a message with the private key, the encrypted message is known as a signed message. Other parties must decrypt the signed message with the user's public key. Such a signed system ensures origin authenticity.

On the other hand, if a message is only meant for a particular person, then the message should be encrypted with his public key. This ensures that only the person with the private key can decrypt and read the message. This accounts for confidentiality.

In this case, the symmetrical key is encrypted with the public key of the receiver before it is sent across the internet. Once both parties have the symmetrical key, they can establish a secure channel in which confidentiality and authenticity are both guaranteed while the key hasn't expired.
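An added Python example (not part of the original post) that walks through the three key roles just described on textbook RSA with toy primes: sign with the private key and verify with the public key (origin authenticity), encrypt with the public key and decrypt with the private key (confidentiality), and wrap a symmetric key for the receiver as in the hybrid scheme above. The primes are constructed for illustration and no padding is used, so this shows the key roles only; real systems use padded RSA from a standard library and far larger keys.

```python
# Added example (not from the original post): textbook RSA on toy primes,
# showing sign-with-private/verify-with-public (origin authenticity),
# encrypt-with-public/decrypt-with-private (confidentiality), and wrapping
# a symmetric key for the receiver. No padding, toy primes: illustration only.
import hashlib
from math import gcd

# constructed toy primes; n is about 40 bits
P, Q = 1000003, 1000033


def make_keypair(p=P, q=Q, e=65537):
    """Return (public, private) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)              # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public, m):
    n, e = public
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(private, c):
    n, d = private
    return pow(c, d, n)


def _digest_mod_n(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message: bytes):
    """'Encrypt' the message digest with the private key."""
    n, d = private
    return pow(_digest_mod_n(message, n), d, n)


def verify(public, message: bytes, signature) -> bool:
    """Anyone holding the public key can check the signature."""
    n, e = public
    return pow(signature, e, n) == _digest_mod_n(message, n)


def wrap_symmetric_key(receiver_public, sym_key: bytes):
    """Hybrid step: the symmetric key travels encrypted to the receiver's public key."""
    return encrypt(receiver_public, int.from_bytes(sym_key, "big"))


def unwrap_symmetric_key(receiver_private, wrapped, key_len: int) -> bytes:
    return decrypt(receiver_private, wrapped).to_bytes(key_len, "big")


if __name__ == "__main__":
    pub, priv = make_keypair()
    sig = sign(priv, b"config backup v3")
    print("signature valid:", verify(pub, b"config backup v3", sig))
    print("tampered valid: ", verify(pub, b"config backup v4", sig))
    wrapped = wrap_symmetric_key(pub, b"\xde\xad\xbe\xef")
    print("unwrapped key:  ", unwrap_symmetric_key(priv, wrapped, 4).hex())
```

Note that the signature is computed over a digest of the message, not the message itself; that is what lets a slow public-key operation cover a large message, which is the same speed argument the post makes for RSA below.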

There are a variety of symmetrical keys available on a Cisco router. The most basic key is the DES. DES stands for Data Encryption Standard and is based on a fixed 56-bit key. In the past, DES was considered uncrackable. However, DES was cracked by Biham and Shamir in 1992 through differential cryptanalysis.

In 1998, 3DES was created. 3DES is pronounced "triple-DES". In this case, three separate DES keys were used. Since three keys are used, the effective key strength is 168-bits. However, instead of encrypting the data three times, the data is actually encrypted, decrypted, then encrypted. If you actually encrypt a piece of data three times, then the resulting key strength would only be 112-bits.

AES is an encryption standard created during a NIST competition in 2001. AES stands for Advanced Encryption Standard, and is considered to be less computationally complex but stronger than 3DES bit-wise. AES comes in 128, 192 and 256-bit variants. Although theoretically AES beat 3DES hands down, 3DES is still preferred over AES in the industry due to its long trusted history.

RC series is another widely implemented algorithm. It is not a bad algorithm, but the implementation can make it a weak system. An example of a poorly implemented RC scheme is WEP. WEP uses RC4, but due to the poor implementation of the WEP protocol, the RC4 key can be cracked quickly remotely. The standardized RC variants are:
-RC2 - 40 and 64-bits
-RC4 - 1 to 256-bits
-RC5 - 0 to 2040-bits
-RC6 - 128, 192 and 256-bits

Other symmetrical encryption algorithms include 128-bit IDEA (International Data Encryption Algorithm) and 160-bit SEAL (Software Encryption Algorithm).

As previously mentioned, asymmetrical keys allow transfer of data over unsafe territory like the internet. RSA was invented in 1997 by Rivest, Shamir and Adleman (and was thus named RSA). RSA uses digital signatures for authentication and non-repudiation. Non-repudiation simply means that the key guarantees origin authentication if all conditions are ideal. RSA is known to be the first asymmetrical key system that allows both signing and encryption. However, since RSA is 100 times slower than DES in hardware, and 1000 times slower in software, it is not recommended for large quantities of data.

DH is a key exchange algorithm that describes a method for generating a shared encryption key in a secure fashion over untrusted territories like the internet. DH stands for Diffie-Hellman. DH uses the peer's public and private keys as part of its key exchange algorithm. It is commonly used by IKE Phase 1 during the establishment of IPSec VPNs. DH ranges from 512 to 4096-bits. The common DH variants are:
-DH1 - 768-bits
-DH2 - 1024-bits
-DH5 - 1536-bits
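An added Python example (not part of the original post) of the exchange itself: both peers pick a private exponent, send only their public value, and arrive at the same shared secret, which is then hashed down to a symmetric key. The group is a 64-bit safe prime generated on the fly as a constructed toy stand-in for the 768/1024/1536-bit groups listed above, and the range and subgroup check on the peer's value is a standard defensive step I added, not something the original text describes.

```python
# Added example (not from the original post): a Diffie-Hellman exchange
# between two peers over a safe-prime group generated here for the demo.
# The 64-bit group is a constructed toy; IKE uses the 768/1024/1536-bit
# groups listed above. The subgroup check on the peer's value is a standard
# defensive step, not something the original text describes.
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits: int = 64):
    """Return (p, q, g): p = 2q + 1 a safe prime, g a generator of the order-q subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            break
    g = 1
    while g == 1:
        g = pow(secrets.randbelow(p - 3) + 2, 2, p)  # a square has order q (or 1)
    return p, q, g


def dh_keypair(p, q, g):
    priv = secrets.randbelow(q - 1) + 1       # private exponent, never sent
    return priv, pow(g, priv, p)              # public value, sent to the peer


def dh_shared_secret(p, q, peer_public, priv):
    """Reject out-of-range or small-subgroup values before exponentiating."""
    if not 1 < peer_public < p - 1 or pow(peer_public, q, p) != 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, priv, p)


def derive_key(shared_secret: int, p: int) -> bytes:
    """Turn the shared group element into a fixed-size symmetric key."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared_secret.to_bytes(width, "big")).digest()


def demo_exchange(bits: int = 64):
    p, q, g = make_group(bits)
    a_priv, a_pub = dh_keypair(p, q, g)       # peer A
    b_priv, b_pub = dh_keypair(p, q, g)       # peer B
    # on the wire: A -> B: a_pub ; B -> A: b_pub (only public values cross)
    key_a = derive_key(dh_shared_secret(p, q, b_pub, a_priv), p)
    key_b = derive_key(dh_shared_secret(p, q, a_pub, b_priv), p)
    return key_a, key_b


if __name__ == "__main__":
    ka, kb = demo_exchange()
    print("peers agree:", ka == kb, ka.hex())
```

Someone sniffing the exchange sees p, g and the two public values but neither private exponent, which is exactly the property that lets IKE Phase 1 build its keys over an untrusted network; DH on its own does not authenticate the peers, which is why IKE pairs it with pre-shared keys or certificates.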

ElGamal is another symmetric encryption algorithm based on DH and was first described by Taher Elgamal in 1984.

Ciphers can be divided into two types, block and stream ciphers. Block ciphers parse data into fixed-length blocks before transforming them into ciphertext blocks of the same length. Because the block sizes have to be uniform, padding is common. The size of the block varies with the cipher (for example, DES uses 64-bit blocks). The resulting ciphertext is usually longer than the plaintext. Stream ciphers, on the other hand, work on bits and feedback. Since they do not require fixed-length blocks, padding is not required. The size of the message is also not changed after it is transformed.

When we talk about hashing, we talk about data integrity. MD5 and SHA-1 are examples of hashing functions that can generate a fixed-length digest from a variable-length input. This digest is usually appended to a message, and the same algorithm is then run on the other end to check if the output is the same. In this case, we can guarantee that the data hasn't been altered in transit.

However, what exactly is it that stops hackers from simply modifying the data, then recalculating the hash? Well... NOTHING! However, the hash used during VPN connections isn't just any ordinary hash, it's a HMAC. HMAC stands for Hashed Message Authentication Code. HMACs use standard hashing functions like MD5 and SHA-1. The special feature of HMAC is that it hashes the message together with a pre-shared key. The attacker has a 50% chance of guessing the hashing algorithm but it will take them more effort to guess the key hashed with the message.
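An added Python example (not part of the original post) that shows the point of the paragraph above on constructed data: a bare digest is simply recomputed by whoever changes the message, while an HMAC cannot be recomputed without the pre-shared key. hmac_by_hand() spells out the construction H((K xor opad) || H((K xor ipad) || m)) so it can be compared against the standard library; the key and messages are made up for the demo.

```python
# Added example (not from the original post): why a bare digest does not
# stop tampering while an HMAC does. hmac_by_hand() spells out the
# construction H((K xor opad) || H((K xor ipad) || m)) so it can be compared
# with the standard library; the key and messages are constructed.
import hashlib
import hmac


def plain_digest(message: bytes) -> bytes:
    return hashlib.sha1(message).digest()


def hmac_by_hand(key: bytes, message: bytes, hashfn=hashlib.sha1, block_size=64) -> bytes:
    """HMAC as defined: the key is mixed in twice, inside and outside the hash."""
    if len(key) > block_size:
        key = hashfn(key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashfn(ipad + message).digest()
    return hashfn(opad + inner).digest()


def hmac_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha1).digest()


def check_plain(message: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(plain_digest(message), digest)


def check_hmac(key: bytes, message: bytes, tag: bytes) -> bool:
    # constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(hmac_tag(key, message), tag)


def tamper_demo():
    """Return (plain_hash_accepts_forgery, hmac_accepts_forgery)."""
    key = b"constructed-pre-shared-key"
    original = b"set vlan 10 name users"
    forged = b"set vlan 10 name admins"
    # Without a key, whoever changes the message can recompute the digest.
    plain_accepts = check_plain(forged, plain_digest(forged))
    # Without the key, the best a tamperer can do is replay the old tag.
    hmac_accepts = check_hmac(key, forged, hmac_tag(key, original))
    return plain_accepts, hmac_accepts


if __name__ == "__main__":
    print("plain digest accepts forgery, HMAC accepts forgery:", tamper_demo())
```

Note that guessing the hash function gets the tamperer nothing: the construction is public and the only secret is the key, which is the design principle the post is circling around.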

Public and private keys are difficult to manage, especially for large enterprises. To ensure the proper management of keys, a PKI should be employed. PKI can be employed in a variety of ways. The most common PKI topologies are the central (single-root) and the hierarchical topology.

In the central model, there is only one main CA. This is suitable for small deployments only, because there are certain vulnerabilities and scalability issues with it. In this model, there is only one single point of failure. If the root certificate is compromised, then all certificates issued by the root certificate authority cannot be trusted. Also, because there is one CA, you would need a centralized administration team and delegation to different departments is difficult.

Large enterprises typically implement a hierarchical model. In a hierarchical model, the root CA delegates its authority to subordinate CAs. All subordinate CAs have public keys that are ultimately signed by the root CA. This chain of logic is called the certification path. However, in this case, if a compromise occurs, only the certificates signed by the compromised subordinate need to be revoked. Also, you can have different administration teams for different departments.

Elements within a PKI need to have a way to communicate with each other. PKCS (also known as the Public Key Cryptography Standards) is a method of encapsulating information exchanged between PKI peers to promote interoperability. The 4 most common PKCS standards are:
PKCS #1 - RSA Cryptography
PKCS #2 - DH Key Agreement
PKCS #7 - Cryptographic Message Syntax
PKCS #10 - Certificate Request Syntax

For example, a certificate request is encapsulated in a PKCS #10 message. This message is then encapsulated inside a PKCS #7 message. When the CA enrolls the certificate, it is encapsulated as the payload of a #7 message and sent back to the requester.

Wednesday, April 28, 2010

CCNA Security 09

When you ask security analysts what a firewall is, you'd be surprised how many different answers can come up. A firewall can be a static packet-filtering firewall, an application layer gateway, a stateful packet-filtering firewall, an application inspection firewall or a transparent firewall. Due to the different uses for each of them, Cisco decided to generalize the definition of firewall:
"A firewall is a system or a group of systems that enforce an access control policy between two networks"

A good firewall is a firewall that is the only transit point between networks. An ideal firewall mitigates risk of network compromise through enforcement of access control policies. Since a firewall (remember, a system of devices) is the first line of defense, it must be hardened against attacks.

The most basic form of firewall, a static packet-filtering firewall, is implemented through access lists. Typically, to ensure layer 4 filtering, extended lists must be used. For example, to allow only HTTP traffic from the 192.168.0.0/24 to 192.168.3.0/24 subnets to go out through the F0/0 interface (to the internet or similar), the implementation would be:
ip access-list extended STATICHTTPFIREWALL
permit tcp 192.168.0.0 0.0.3.255 any eq www
in f0/0
ip access-group STATICHTTPFIREWALL out

If you wish to only allow TCP sessions established from the inside outwards, but not the other way round, you can make use of something known as a Reflexive/Established Access-List. This access list only allows TCP traffic with the established flag coming from outside in. This means that the session must first be established inside-out. To create such an access-list and to apply it inbound on the F0/0 interface facing the internet, type:
ip access-list extended REFLEXIVEESTABLISHED
permit tcp any any established
in f0/0
ip access-group REFLEXIVEESTABLISHED in
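An added Python example (not part of the original post) that models how IOS evaluates an extended ACL (first match wins, implicit deny at the end) and runs the two lists above over constructed packets, so you can see which directions and flags each one permits. Addresses, ports and flags are made up for the demo; the `established` keyword is modelled as matching TCP segments with ACK or RST set, which is how the router treats it.

```python
# Added example (not from the original post): a small model of IOS extended
# ACL evaluation (first match wins, implicit deny at the end) run over
# constructed packets, to show what the two lists above permit. Addresses,
# ports and flags are made up; "established" matches TCP segments with ACK
# or RST set, as on the router.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "ip"
    src: tuple = ANY                 # (network, wildcard)
    dst: tuple = ANY
    dport: Optional[int] = None
    established: bool = False


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: set = field(default_factory=set)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, *ace.src) or not wildcard_match(pkt.dst, *ace.dst):
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    if ace.established and not ({"ACK", "RST"} & pkt.flags):
        return False
    return True


def evaluate(acl: list, pkt: Packet) -> str:
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"                    # implicit deny at the end of every ACL


# ip access-list extended STATICHTTPFIREWALL (applied outbound on F0/0)
STATICHTTPFIREWALL = [Ace("permit", "tcp", src=("192.168.0.0", "0.0.3.255"), dport=80)]
# ip access-list extended REFLEXIVEESTABLISHED (applied inbound on F0/0)
REFLEXIVEESTABLISHED = [Ace("permit", "tcp", established=True)]


def demo():
    outbound = [
        Packet("tcp", "192.168.2.10", "203.0.113.5", 51000, 80, {"SYN"}),   # inside -> web
        Packet("tcp", "192.168.9.10", "203.0.113.5", 51001, 80, {"SYN"}),   # outside the 0-3 range
        Packet("tcp", "192.168.1.5", "203.0.113.5", 51002, 443, {"SYN"}),   # HTTPS, not permitted
    ]
    inbound = [
        Packet("tcp", "203.0.113.5", "192.168.2.10", 80, 51000, {"SYN", "ACK"}),  # reply to our session
        Packet("tcp", "203.0.113.5", "192.168.2.10", 40000, 22, {"SYN"}),         # new inbound attempt
    ]
    return ([evaluate(STATICHTTPFIREWALL, p) for p in outbound],
            [evaluate(REFLEXIVEESTABLISHED, p) for p in inbound])


if __name__ == "__main__":
    print(demo())
```

The limitation the post alludes to is visible in the model: `established` looks only at flag bits in each packet, not at whether an inside host really opened the session, which is what the stateful inspection of CBAC and ZPF adds later in the article.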

Unknown to many, IP actually has a protocol ID (also known as PID) field to identify the upper layer encapsulation used. Below is a list of common protocol IDs:
ICMP - 1
TCP - 6
UDP - 17
GRE - 47
ESP - 50
EIGRP - 88

It is best practice to filter commonly spoofed IP. These addresses are:
- for source
-Any address that starts with a 0
-Any multicast address
-Addresses from reserved ranges

Zone-based Policy Firewall is the replacement for Cisco IOS Firewall (which is a replacement for CBAC). Zone-based Policy Firewall allows you to group interfaces together into zones. The zones can then be manipulated as if they were individual interfaces. This significantly reduces the number of access lists required to filter traffic between them.

Rules for traffic going between interfaces are defined using C3PL, which stands for Cisco Common Classification Policy Language.

Implementation of ZPF is simple. You begin by creating zones. Zones are groups of interfaces which you can name. For example, if you have two interfaces connecting to different DMZ subnets, then you can group them as a DMZ zone. Similarly, you can group all internal interfaces as an INSIDE zone. Finally, the internet interface can be in its own INTERNET zone.

By default ZPF denies all traffic. To allow traffic you have to explicitly specify them. This is done by creating zone pairs. A zone pair consists of a source and destination zone. For example, if we have a DMZ, INSIDE and INTERNET zone, we will typically have these pairs:

You can then create inspection policies for each direction through C3PL. Depending on the policies, traffic can be subject to one of three actions:
-Inspect - Similar to CBAC/Cisco IOS Firewall Operation. Performs stateful inspection to the traffic to make sure that the TCP sessions are valid.
-Drop - Drop traffic, similar to a deny
-Pass - Allow traffic, similar to a permit

An inbound ACL is applied before ZPF policies. An outbound ACL is applied after ZPF policies. Traffic from a zone cannot traverse to an interface that is not in a zone. If that's the case, I bet you're wondering about the traffic originating from the router. Router traffic is considered to be in the "self" zone. The "self" zone is treated like any other zone.

CCNA Security 08

When setting up technical controls in support of secure logging, there are a few questions that you must ask yourself. How do we ensure the confidentiality of the logs? Would logging be done to a central location or should the logs be stored in the individual devices? Which of the events should have priority?
When logging in a production network, it is recommended that logging traffic (as well as all management traffic) be sent out-of-band. When traffic is in-band, the traffic is said to traverse the same logical path as the production traffic. Having management traffic in-band introduces various security threats. For management traffic to be out-of-band, you can either create a totally separate interface (or sub-interface), or deploy a new VLAN.

A commonly overlooked part of security is the synchronization of clocks between network devices. Device clocks are one of the last things a typical administrator would worry about, but having clocks that are not synchronized would introduce a variety of problems. First of all, time-based access-lists would not work properly. Key-chains may expire at the wrong time, thus causing various services like routing protocol authentication to break. A general management guideline is to ensure that clocks on network devices are synchronized with at least one time source, whether internal or external.

Time sources are devices running protocols like SNTP and NTP. Time sources are categorized into different strata. Each stratum level defines the accuracy of the time source. Think of clock strata as a hierarchy, with the stratum number increasing at every step down. For example, an atomic clock is usually stratum 0, and the server synchronizing with it is stratum 1. Computers synchronizing with such servers over the internet through NTP become stratum 2, and network devices synchronizing with such a computer would then be stratum 3.

SNTP stands for Simple NTP, where NTP is Network Time Protocol. SNTP is considered less secure than NTP as it does not support cryptographic facilities featured in NTPv3. Authentication capabilities in NTPv3 are also not present in SNTP. SNTP is only meant for simple, non-production, lab setups.

Syslog is a logging facility installed on a host or server in the network. Syslog servers can be deployed with programs like TFTPD32. In syslog, each logged item is categorized into a logging level. The logging level determines the severity (the higher the logging level, the lower the severity). When a logging level is chosen on a device, all events with an equal or higher severity (equal or lower logging level) are logged. The logging levels are:

Another way an administrator can track their network devices is to make use of SNMP. SNMP stands for Simple Network Management Protocol. SNMP differs from Syslog in that it pulls data on demand instead of waiting for data to be pushed to it. SNMP makes use of an MIB. MIB stands for Management Information Base and it defines the information database that can be read from the device. Using one of the many MIBs, the SNMP server (also known as an NMS, Network Management Server) sends sets and gets to pull data from the device (which in this case is an Agent). Examples of SNMP servers are MRTG and Cacti, with the former being easier to set up.

In line with the principle of least privilege, unused router interfaces and services should be turned off. Cisco's steps to secure vulnerable interfaces/services are:
1) Disable unnecessary services and interface
-Disable router interfaces
in f0/0

-Disable bootstrap protocol (BOOTP)
no ip bootp server
ip dhcp bootp ignore

-Disable CDP
no cdp run
in f0/0
no cdp run

-Disable Autoloading
no service config
-Disable FTP server
no ftp-server enable
-Disable TFTP server
no tftp-server
-Disable NTP Server
ntp disable
-Disable TCP and UDP minor services
no service tcp-small-servers
no service udp-small-servers

-Disable MOP
no mop enabled
2) Disable commonly configured management services.
-Disable SNMP
no snmp-server
-Disable HTTP/HTTPS server
no ip http server
no ip http secure-server

-Disable domain lookup
no ip domain-lookup
3) Ensure path integrity.
-Disable ICMP redirects
in f0/0
no ip redirects

-Disable IP source routing
no ip source-route
4) Disable probes and scans.
-Disable Finger Service
no service finger
-Disable ICMP Unreachable Notifications
no ip unreachables
-Disable ICMP Mask Reply
no ip mask-reply
5) Ensure terminal access security.
-Disable IDENT
no ip identd
-Enable TCP Keepalives
service tcp-keepalives
6) Disable gratuitous and proxy ARP.
no ip gratuitous-arp
no ip proxy-arp

7) Disable IP directed broadcasts.
no ip directed-broadcast

This seems like a great list to remember. Luckily, Cisco introduced a feature known as AutoSecure. AutoSecure automatically reads the router configuration and attempts to apply the best security practices, mostly those discussed above. In SDM, you can run the Cisco SDM Security Audit Wizard or the One-Step Lockdown based on AutoSecure. Security Audit Wizard steps the administrator through each recommendation while One-Step Lockdown automatically applies all safest policies. Auto-secure is invoked from privileged mode through:
auto secure ?

More information about auto secure can be found at Cisco's official documentation.

Monday, April 26, 2010

Misc 22

Here are the common ways which you can perform IOS recovery. I'm going to go through this rather quickly because I'll have to complete my CCNA Security. First of all, I'll go through a quick example on how to recover a router's password should you be locked out.
In a Cisco router exists a configuration register. This configuration register is looked at to determine how the router should boot. By default, the configuration register (which would be abbreviated to "confreg" from here on) is set to 0x2102. This value sets the router to a baud rate of 9600bps for the console port and allows the router to read from NVRAM for configuration.

Here is a list of confreg values. What we are interested here is the 0x2142 value, which causes the router to ignore the startup configuration stored in the NVRAM.

To actually configure the configuration register with no access to the terminal, you would have to enter ROMMON. ROMMON is activated by hitting the Break key on your keyboard during router POST. This brings you to a ROMMON prompt.

To change the confreg, simply type:
confreg 0x2142

When you're done, boot the router up with:

Now you should be able to take a peek at the router configuration once your router boots up. Simply type:
show startup

To change the confreg back to the default value, simply type:
conf t
config-register 0x2102
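An added Python example (not part of the original post) that decodes the two register values used above, so the difference between 0x2102 and 0x2142 is visible as a single bit. The bit meanings (boot field in bits 0-3, "ignore NVRAM" in bit 6, "break disabled" in bit 8, "boot default ROM software if network boot fails" in bit 13) are my reading of Cisco's configuration register documentation, not something the post spells out; bits it does not cover are left undecoded.

```python
# Added example (not from the original post): decoding the configuration
# register bits the recovery procedure relies on. Bit meanings are an
# assumption taken from Cisco's configuration register documentation as
# I read it; bits not listed here are left undecoded.
IGNORE_NVRAM = 0x0040               # bit 6: skip the startup-config in NVRAM
BREAK_DISABLED = 0x0100             # bit 8: ignore the Break key after boot
BOOT_ROM_ON_NETBOOT_FAIL = 0x2000   # bit 13


def decode_confreg(value: int) -> dict:
    boot_field = value & 0x000F
    if boot_field == 0:
        boot = "stay in ROMMON"
    elif boot_field == 1:
        boot = "boot the first image in flash (platform dependent)"
    else:
        boot = "use 'boot system' commands, else the first image in flash"
    return {
        "boot_field": boot_field,
        "boot": boot,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "boot_rom_on_netboot_fail": bool(value & BOOT_ROM_ON_NETBOOT_FAIL),
    }


def set_ignore_nvram(value: int, ignore: bool = True) -> int:
    """Return the register with bit 6 set (0x2102 -> 0x2142) or cleared."""
    return value | IGNORE_NVRAM if ignore else value & ~IGNORE_NVRAM


def describe(value: int) -> str:
    d = decode_confreg(value)
    flags = [k for k in ("ignore_nvram", "break_disabled", "boot_rom_on_netboot_fail") if d[k]]
    return f"0x{value:04X}: boot field {d['boot_field']} ({d['boot']}); " + ", ".join(flags)


if __name__ == "__main__":
    for reg in (0x2102, 0x2142):
        print(describe(reg))
```

Because the only difference is the ignore-NVRAM bit, a router left at 0x2142 after recovery will keep booting with an empty configuration, which is why the post finishes by putting the register back to 0x2102; checking `show version` for the register value is a cheap audit item.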

Now let's say that you want to change IOS versions. The first thing you'll need to do is to be able to make a backup of your IOS to a server somewhere. The server we're going to use is TFTPD32 which runs a variety of protocols including TFTP. TFTP is a UDP-based application layer protocol that listens to port 69. TFTP supports acknowledgment on the application layer, but has a limited window size. TFTP trades off its speed (compared to FTP) with its simplicity. Assuming you have TFTPD32 running at, to make a backup of your IOS, simply type:
copy flash:c[TAB] tftp://

Now that you've backed up your IOS, it's time to replace the existing IOS with a newer one. To do this, place the new IOS into the folder where TFTPD32 reads from. Then load the IOS into flash like this:
copy tftp:// flash

Once you reboot, you should be running on the newer version. If you wish to revert to a previous version, simply use the "copy tftp flash" command again.

Now comes the question: what if the IOS totally screws up and the router is unable to boot? To fix this, you can do two things: initiate a TFTP transfer from ROMMON, or do an xmodem transfer. I'll go through TFTP first. To do this, simply go into ROMMON and type in:


Do not fear the long syntax. You can always use the ? command to give you some form of context sensitive help. For a start, I'll recommend:
tftpdnld ?

Now, what if TFTP (or any LAN communication) is not an option? You can always use something called the xmodem protocol. xmodem is not supported on PuTTY. To use xmodem, you'll have to use something like HyperTerminal or Tera Term. To initiate an xmodem transfer, type the following command in ROMMON:
xmodem -c c2600-js-mz.120-3.T3.bin

Once the prompt tells you that a transfer is possible, browse around your terminal client and you should find an option to send a file. Note that xmodem takes forever on an old router due to the capped speed of 9600bps including overhead. On a newer router, you can set the speed like this:
xmodem -cfs 115200 c2600-js-mz.120-3.T3.bin

Sunday, April 25, 2010

CCNA Security 07

The best practices for security are:
Physical Security - Lock servers, routers and switches up. No one should be able to plug or remove wires from your devices.

Passwords - Set passwords that are 8 characters and above and include upper- and lower-case alphabets, numbers and symbols.

Different Privilege Levels - The amount of access the user receives must be the lowest he can get to complete his job.

Remote Access - Grant access to only those who absolutely, positively need it.

A switch has more VTY lines than a router. Apart from the basic 0-4, a switch has 5-15. To set passwords on all lines, use:
line vty 0 15
password cisco

All passwords appear in clear-text except the enable secret. To encrypt those passwords using a weak algorithm, use:
service password-encryption

The "login" command is to REQUIRE login instead of allowing it. "no login" means DO NOT REQUIRE LOGIN instead of DISALLOW LOGIN. When you type "no login", you would have access to the prompt once the telnet session is up.

In a privilege 1 telnet session, the user would not be able to access exec mode if an enable secret or password is not set. To automatically move into exec mode, either set privilege level in the VTY, or on the local account.

In this article I'll be focusing on Layer 2 security. We'll start with the CAM table. CAM stands for Content Addressable Memory. It is also known as the MAC Address Table. The CAM table is a table with different source addresses associated to the ports. To view the CAM table, use:
show mac address-table
show mac-address-table

When the CAM table is full, the switch goes into Failover mode. In failover mode, the switch forwards every frame, whether unicast or broadcast, out of all ports. Essentially the switch turns into an expensive hub.

There are many ways we can protect switchports. All these are consolidated into a port-security suite. To enable port-security on a switchport, use:
switchport port-security

Port-security can only be enabled on an access port. Trunks are not eligible to be a secure port. There are four options in port-security:
Aging - Remove a MAC address after some time of inactivity
MAC-Address - Secure MAC addresses allowed, and sticky options
Maximum - Maximum number of MAC addresses allowed on a port (Maximum is 132 for low-end switches, and 1024 for high-end switches)
Violation - Action to take if a violation occurs

The sticky option allows learning of the currently plugged in devices as secure devices. The sticky command is to be entered when the device is in a stable state where there are no rogue devices. By default, maximum is set to 1. To enable sticky, use:
switchport port-security mac-address sticky

There are three types of violation. Protect would simply drop the offending frames. Restrict would drop the offending frames and increment the port's security violation counter. Shutdown would put the port into err-disable state and log an SNMP trap. The default is Shutdown.

To manually configure a MAC address, use:
in f0/0
switchport mode access
switchport port-security
switchport port-security mac-address aaaa.bbbb.cccc

To see a port's port-security, use:
show port-security interface f0/1

Port status can be Secure-Up, Secure-Down, Secure-ShutDown or Err-Disabled. Secure-Up means that the port is up and running. Secure-Down means that either the port status or line protocol is down. Secure-ShutDown means that it is Administratively Shutdown. Err-Disabled means that a violation has occurred.

There are two kinds of aging: absolute and inactivity. Absolute starts counting once the MAC address is learned, while inactivity starts counting from the last time a frame from the MAC address was received. The default is absolute. To change the type, use:
switchport port-security aging type inactivity

To change the aging time, use:
switchport port-security aging time 5

The time is specified in minutes.
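An added Python example (not part of the original post) that simulates the port-security behaviour described in the last few sections: the maximum count, sticky learning, the three violation modes and the two aging types, run over constructed frames so the differences are visible side by side. Time is a minute counter passed in by the caller, and the model assumes that only dynamically learned addresses age out; it is a teaching model, not the switch's code.

```python
# Added example (not from the original post): a simulation of the
# port-security behaviour described above (maximum, sticky learning, the
# three violation modes and the two aging types) on constructed frames.
# Time is a minute counter passed by the caller; assumption: only
# dynamically learned addresses age out.
from dataclasses import dataclass, field


@dataclass
class SecureEntry:
    learned_at: int
    last_seen: int
    kind: str                       # "static", "sticky" or "dynamic"


@dataclass
class SecurePort:
    maximum: int = 1
    violation: str = "shutdown"     # "protect", "restrict" or "shutdown"
    sticky: bool = False
    aging_time: int = 0             # minutes, 0 = no aging
    aging_type: str = "absolute"    # or "inactivity"
    table: dict = field(default_factory=dict)
    violations: int = 0
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def add_static(self, mac: str, now: int = 0):
        """switchport port-security mac-address <mac>"""
        self.table[mac] = SecureEntry(now, now, "static")

    def _age(self, now: int):
        if not self.aging_time:
            return
        for mac, e in list(self.table.items()):
            ref = e.learned_at if self.aging_type == "absolute" else e.last_seen
            if e.kind == "dynamic" and now - ref >= self.aging_time:
                del self.table[mac]

    def receive(self, mac: str, now: int = 0) -> str:
        """Return what the switch does with a frame from `mac`."""
        if self.err_disabled:
            return "err-disabled"   # stays down until an admin recovers the port
        self._age(now)
        if mac in self.table:
            self.table[mac].last_seen = now
            return "forward"
        if len(self.table) < self.maximum:
            self.table[mac] = SecureEntry(now, now, "sticky" if self.sticky else "dynamic")
            return "forward"
        # violation: more addresses than the configured maximum
        if self.violation == "protect":
            return "drop"           # silent, no counter, no trap
        self.violations += 1
        if self.violation == "restrict":
            self.log.append(f"t={now}: violation by {mac}")   # syslog / SNMP trap
            return "drop"
        self.err_disabled = True
        self.log.append(f"t={now}: violation by {mac}, port err-disabled")
        return "err-disabled"

    def running_config(self) -> list:
        """Sticky addresses show up in the running configuration."""
        return [f"switchport port-security mac-address sticky {m}"
                for m, e in self.table.items() if e.kind == "sticky"]


def demo():
    shut = SecurePort(maximum=1, violation="shutdown")
    restrict = SecurePort(maximum=1, violation="restrict")
    aging = SecurePort(maximum=1, violation="protect", aging_time=5, aging_type="inactivity")
    return {
        "shutdown": [shut.receive("aaaa.bbbb.cccc"), shut.receive("dddd.eeee.ffff"),
                     shut.receive("aaaa.bbbb.cccc")],
        "restrict": [restrict.receive("aaaa.bbbb.cccc"), restrict.receive("dddd.eeee.ffff"),
                     restrict.receive("aaaa.bbbb.cccc"), restrict.violations],
        "inactivity": [aging.receive("aaaa.bbbb.cccc", now=0),
                       aging.receive("dddd.eeee.ffff", now=3),
                       aging.receive("dddd.eeee.ffff", now=6)],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The "restrict" run is the one worth noticing from a monitoring point of view: the legitimate host keeps working, the offending frames are dropped, and the violation counter (and the trap, if enabled) is the only evidence, so a restrict port that is quietly racking up violations should be on someone's dashboard.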

Port-security cannot be run on:
-Trunk ports
-Etherchannel ports
-Destination SPAN ports
-802.1x ports

You can use SNMP to notify of new or deleted MAC-addresses. To do this, go to global configuration and type:
mac address-table notification
snmp-server enable traps mac-notification

Next, go into the interface and type:
snmp trap mac-notification added
snmp trap mac-notification removed

Prior to 12.11, commands referring to the MAC address table uses "mac-address-table". After 12.11, the commands become "mac address-table" without the hyphen.

IEEE 802.1x can be configured on a switchport. Dot1x only supports RADIUS (TACACS or TACACS+ cannot work). The host and the switch must be configured for EAPOL (EAP over LAN, where EAP stands for Extensible Authentication Protocol).

In a Dot1x deployment, you'll encounter these terms:
Supplicant - Dot1x-PC
Authenticator - Dot1x-Switch
Authentication Server - RADIUS Server

The supplicant's ports are divided into two ports by dot1x. This is similar to sub-interfaces, but dot1x actually handles them for us. The controlled port is where the data is sent out. The only kind of data that can pass through the uncontrolled port is EAPOL, STP and CDP. Once authenticated, the controlled port can then send data.

To configure dot1x, AAA must be enabled and configured. A method list for dot1x must be configured:
aaa authentication dot1x default group radius local

To turn on Dot1x globally, use:
dot1x system-auth-control

The other commands are done in the interfaces. There are three modes for an interface to be in:
Force-Authorized - Always authenticated
Force-Unauthorized - Always unauthenticated
Auto - Only allows EAPOL frames, and can only transmit when authentication is complete

To change a port's mode, go under the interface and use:
dot1x port-control auto

EAP is a framework. There are over 40 EAP methods. The EAP methods tested in the exam are:
-Cisco LEAP
-EAP-FAST
-PEAP
-EAP-TLS

Cisco LEAP stands for Lightweight Extensible Authentication Protocol. LEAP is Cisco-proprietary but third-party vendors can support it via Cisco Compatible Extension Program. In LEAP, the RADIUS server will authenticate the client. Once the client is authenticated, the client will authenticate the server. This is a strong 2-way authentication system.

EAP-FAST stands for Flexible Authentication via Secure Tunneling. FAST allows establishment of a secure tunnel to perform authentication. You cannot configure certificates with EAP-FAST though. FAST has three phases:
Phase Zero - Get a PAC on the client (Optional, as it is dynamically created)
Phase One - Encryption tunnel is established
Phase Two - Credentials are exchanged and mutual authentication is performed.

For extra security, the PAC can be configured on both sides.

PEAP is a combination of Cisco and Microsoft technology. PEAP is a strong, open-standard security scheme. PEAP comes in two flavors:

A secure digital certificate is involved in both flavors. A certificate for the client is optional, but a certificate for the authentication server is mandatory.

EAP-TLS is an open-standard protocol, but you'll need to have a certificate on both your client and your server.

To attach a device such as an IDS or a packet analyzer, you'll need to mirror traffic to a port. SPAN is such a tool. There are several types of SPAN. The most common one is Local SPAN, in which the source port and the destination port are on the same switch.

Remote SPAN is when the source port and the destination port are on different switches. VLAN span is when all traffic from a specific VLAN is sent to a destination port.

To start a SPAN session, use the command:
monitor session

In Remote SPAN, both switches (and any switches between it) need to be configured. A separate VLAN would be created to carry the mirrored frames (they need to cross the trunk). VTP treats the remote SPAN VLAN as a normal VLAN. VTP Pruning also affects it. MAC address learning is disabled for the RSPAN VLAN.

We will now look at creating a local SPAN session. To do this, we'll need to type:
monitor session 1 source interface f0/1 - 3
monitor session 1 destination interface f0/4

You can have up to 2 sessions on a C2950, and the source and destination can be a range.

To see monitor session statistics, use:
show monitor

Suppose now that we have two switches, S1 and S2. S1 is the switch with the source ports, and S2 is the destination port. To configure remote SPAN on R1, type:
vlan 30
monitor session 1 source interface f0/1 - 3
monitor session 1 destination remote vlan 30 reflector-port f0/12

On S2, type:
monitor session 1 source remote vlan 30
monitor session 1 destination interface f0/4

S1 ports F0/1 - 3 are the source ports, S1 and S2 port F0/12 are trunked, and S2 port F0/4 is the destination. A source port can belong to multiple SPAN sessions, but a source port cannot be a destination port. A destination port can participate in only one SPAN session, cannot be a source port, and cannot be part of an EtherChannel. A destination port also cannot participate in STP, CDP, VTP, PAgP, LACP, or DTP.

Trunk ports can be configured as the source/destination SPAN port. The default behavior will result in the monitoring of all active VLANs on the trunk.

Inter-VLAN traffic can be filtered by using an ACL at a router-on-a-stick or applying an ACL in a multilayer switch. However, it's difficult to manage traffic within the same VLAN. To do this, we'll need to make use of a VACL.

In a multilayer switch, the CAM holds the addresses learned, and the TCAM (Ternary CAM) stores the next action to take to reduce the number of times an address must be compared to an ACL. In a Layer 2 switch, something similar can happen using a VACL.

Even though the VACL does the actual filtering, it still needs an ACL to select the traffic it acts on. Suppose that we want to restrict - 3 from communicating with other hosts and each other in the VLAN. To do this, we first create an extended ACL:
ip access-list ext ACL_DENY
permit ip

Next, we create a VLAN Access Map:
vlan access-map VACL_DENY 10
match ip address ACL_DENY
action drop
vlan access-map VACL_DENY 20
action forward

The first thing traffic in the VLAN will encounter is sequence 10. In sequence 10, the packet's IP addresses are matched against the access-list. If it matches, the packet is dropped. If there is no match, evaluation moves on to sequence 20. Sequence 20 acts like a "permit any": it is needed because there is an implicit deny at the bottom of the VACL, so without it all remaining traffic would be dropped.

To apply the VACL, go into global configuration and type:
vlan filter VACL_DENY vlan-list 100

VACLs can also be used to filter bridged traffic as well as non-IP and non-IPX traffic. VACLs run from top to bottom until a match occurs. There is an implicit deny at the end. If traffic is not expressly forwarded, it is implicitly denied. Only one VACL can be applied to a VLAN, and the sequence numbers allow you to go back to add lines. A routing ACL can be applied to an SVI to filter in/outbound traffic.

If a VACL and an ACL are both applied (one to the VLAN, and one to the SVI), then the VACL is matched first, before the ACL.
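As an added illustration (Python written for this page, not IOS code or output), the following evaluates a VLAN access-map the way the paragraphs above describe: clauses in sequence order, an ACL "permit" entry selects traffic for the clause's action, and the implicit deny at the end drops anything no clause matched. The hosts 10.0.100.1-3 and the other addresses are constructed, since the page's own addresses are not reproduced here; the second map shows what happens when sequence 20 is forgotten.

```python
"""Added example: evaluating a VLAN access-map clause by clause. Written for
this page, not Cisco IOS code; the ACL entries and addresses are constructed."""
import ipaddress


def ace(action, src, dst):
    """One extended ACL entry: ('permit'|'deny', source network, destination network)."""
    return (action, ipaddress.ip_network(src), ipaddress.ip_network(dst))


def acl_selects(acl, src_ip, dst_ip):
    """IOS semantics inside a VACL match clause: the first ACE that matches
    decides. A 'permit' ACE means the packet is selected by the clause; a
    'deny' ACE, or no match at all (the ACL's own implicit deny), means the
    clause does not apply and evaluation continues with the next sequence."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def evaluate_vacl(access_map, acls, src_ip, dst_ip):
    """Walk the access-map sequences in numeric order.

    access_map: list of (sequence, acl_name or None, action). A clause with
    no match statement matches all traffic. If no clause matches, the VACL's
    implicit deny drops the packet.
    Returns (action, sequence); sequence is None for the implicit deny."""
    for seq, acl_name, action in sorted(access_map):
        selected = True if acl_name is None else acl_selects(acls[acl_name], src_ip, dst_ip)
        if selected:
            return (action, seq)
    return ("drop", None)


# Constructed scenario: three quarantined hosts must not talk to anyone in the VLAN.
ACLS = {
    "ACL_DENY": [
        ace("permit", "10.0.100.1/32", "0.0.0.0/0"),
        ace("permit", "10.0.100.2/32", "0.0.0.0/0"),
        ace("permit", "10.0.100.3/32", "0.0.0.0/0"),
    ]
}
# vlan access-map VACL_DENY 10 / match ip address ACL_DENY / action drop
# vlan access-map VACL_DENY 20 / action forward
VACL_DENY = [(10, "ACL_DENY", "drop"), (20, None, "forward")]
# Same map with sequence 20 forgotten: the implicit deny now drops everything.
VACL_NO_FORWARD = [(10, "ACL_DENY", "drop")]


if __name__ == "__main__":
    print(evaluate_vacl(VACL_DENY, ACLS, "10.0.100.2", "10.0.100.50"))       # ('drop', 10)
    print(evaluate_vacl(VACL_DENY, ACLS, "10.0.100.50", "10.0.100.60"))      # ('forward', 20)
    print(evaluate_vacl(VACL_NO_FORWARD, ACLS, "10.0.100.50", "10.0.100.60"))  # ('drop', None)
```

The second map is the mistake to watch for when writing a VACL: a map whose only clause is a drop silently drops the whole VLAN, because the implicit deny catches everything the drop clause did not select.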

An alternative to VACLs is the Private VLAN. Hosts can be placed into a secondary VLAN which can result in three effects:
-Community Private VLAN - hosts will be able to communicate with other hosts in the secondary VLAN and with the primary VLAN but not with other secondary VLANs.
-Isolated Private VLAN - hosts will be able to communicate with the primary VLAN but not other hosts.

You can also configure a Promiscuous port which can communicate with all hosts in the primary and secondary VLAN.

To configure VLAN 45 as a community-PVLAN, use:
vlan 45
private-vlan community

To configure VLAN 50 as an isolated-PVLAN, use:
vlan 50
private-vlan isolated

To associate a private VLAN with a primary VLAN 10, use:
vlan 10
private-vlan association 45,50

To associate ports to PVLANs, use:
in ran f0/1 - 6
switchport mode private-vlan host
switchport private-vlan host-association 10 45
in ran f0/7 - 11
switchport mode private-vlan host
switchport private-vlan host-association 10 50

To configure a port as promiscuous, use:
in f0/12
switchport mode private-vlan promiscuous
switchport private-vlan mapping 10 45,50

Traffic crossing the trunk from all VLANs would appear as VLAN 10.

PVLAN can only be configured when VTP is in transparent mode. To do this, type:
vtp mode transparent

DHCP can be used for network attacks. If a rogue DHCP server is put on the subnet, it can offer a legitimate IP address but send out a fake default gateway option. DHCP snooping classifies ports into trusted and untrusted. Trusted ports allow DHCP offers through, while an untrusted port is put into err-disable when a DHCP offer is received on it (indicating that there's a rogue DHCP server behind it).

To turn on DHCP snooping, use:
ip dhcp snooping
ip dhcp snooping vlan 10

All ports in VLAN 1 (default) and 10 are now considered untrusted. To trust the port with your DHCP server, use:
in f0/1
ip dhcp snooping trust

To enable DHCP option 82 (DHCP Relay Agent), use:
ip dhcp snooping information option

ARP Poisoning is a very powerful way to perform a MITM attack. ARP Poisoning is also known as ARP Spoofing. ARP is the mechanism used to resolve IP addresses to MAC addresses. An intruder makes use of Gratuitous ARP to tell hosts that the intruder's MAC address belongs to another host's IP address. This effectively tricks both the host and the default gateway into sending data through the intruder.

In Dynamic ARP Inspection, packets are checked for IP-MAC mappings. If the IP-MAC mapping is wrong on an untrusted interface, the frame is dropped. DHCP snooping has to be enabled to use DAI. To configure DAI, use:
ip dhcp snooping
ip arp inspection vlan 10

Now that all ports are enabled for ARP inspection, it's time to make ports trusted:
in f0/1
ip arp inspection trust

In DAI, you can also have additional fields validated:
ip arp inspection validate dst-mac
ip arp inspection validate src-mac
ip arp inspection validate ip

You can show DAI status through:
show ip arp inspection

Cisco's recommended configuration is to have all host ports untrusted and all ports connecting to switches/routers trusted.

IP Source Guard prevents a host from using a statically assigned address or another host's address. It makes use of DHCP snooping so it must be turned on beforehand. Only addresses assigned by DHCP servers can be used. To enable IP Source Guard, use:
ip dhcp snooping
in ran f0/1 - 12
ip verify source port-security
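To make the trust model concrete, here is an added example (Python written for this page, not Cisco IOS code or output) that simulates how the DHCP snooping binding table feeds both DAI and IP Source Guard: ARP frames on trusted ports are not inspected, ARP frames on untrusted ports must match a binding for that port, the optional src-mac/dst-mac/ip validations add the extra checks listed above, and IP Source Guard refuses packets whose source address (and, with the port-security option, MAC) no DHCP lease put on that port. The port names, MAC/IP bindings and frames are constructed sample data.

```python
"""Added example: DHCP snooping bindings driving Dynamic ARP Inspection and
IP Source Guard decisions. A simulation written for this page, not IOS code;
the binding table, port roles and frames are constructed sample data."""
import ipaddress
from dataclasses import dataclass

# Constructed binding table as DHCP snooping would build it from DHCP ACKs:
# port -> set of (MAC, IP) leases seen on that port.
SNOOPING_BINDINGS = {
    "f0/2": {("00aa.bb00.0001", "10.0.10.21")},
    "f0/3": {("00aa.bb00.0002", "10.0.10.22")},
}
# Uplink towards the router/DHCP server is trusted; every host port is untrusted.
TRUSTED_PORTS = {"f0/1"}


@dataclass
class ArpFrame:
    in_port: str
    src_mac: str      # Ethernet source address
    dst_mac: str      # Ethernet destination address
    sender_mac: str   # ARP sender hardware address
    sender_ip: str    # ARP sender protocol address
    target_mac: str   # ARP target hardware address
    target_ip: str    # ARP target protocol address
    is_reply: bool = False


@dataclass
class DaiOptions:
    """Extra checks enabled with 'ip arp inspection validate {src-mac|dst-mac|ip}'."""
    src_mac: bool = False
    dst_mac: bool = False
    ip: bool = False


def _invalid_ip(ip):
    """Addresses that should never appear in a legitimate ARP body."""
    addr = ipaddress.ip_address(ip)
    return addr.is_unspecified or addr.is_multicast or ip == "255.255.255.255"


def inspect_arp(frame, bindings=SNOOPING_BINDINGS, trusted=TRUSTED_PORTS,
                opts=DaiOptions()):
    """Return ('forward', reason) or ('drop', reason) for one ARP frame."""
    if frame.in_port in trusted:
        return ("forward", "trusted port, ARP not inspected")
    # Core DAI check: the sender MAC/IP pair must be a DHCP lease on this port.
    if (frame.sender_mac, frame.sender_ip) not in bindings.get(frame.in_port, set()):
        return ("drop", "sender %s/%s has no DHCP snooping binding on %s"
                % (frame.sender_mac, frame.sender_ip, frame.in_port))
    if opts.src_mac and frame.src_mac != frame.sender_mac:
        return ("drop", "Ethernet source differs from ARP sender MAC")
    if opts.dst_mac and frame.is_reply and frame.dst_mac != frame.target_mac:
        return ("drop", "Ethernet destination differs from ARP target MAC")
    if opts.ip and (_invalid_ip(frame.sender_ip)
                    or (frame.is_reply and _invalid_ip(frame.target_ip))):
        return ("drop", "invalid or unexpected IP address in ARP body")
    return ("forward", "sender matches DHCP snooping binding")


def verify_source(in_port, src_mac, src_ip, bindings=SNOOPING_BINDINGS,
                  port_security=True):
    """IP Source Guard: allow an IP packet only if its source IP (and, with
    'ip verify source port-security', its source MAC as well) was leased by
    DHCP on that port. A statically configured address has no binding and fails."""
    for mac, ip in bindings.get(in_port, set()):
        if ip == src_ip and (not port_security or mac == src_mac):
            return True
    return False


if __name__ == "__main__":
    # Legitimate ARP request from a host holding a lease on f0/2
    print(inspect_arp(ArpFrame("f0/2", "00aa.bb00.0001", "ffff.ffff.ffff",
                               "00aa.bb00.0001", "10.0.10.21",
                               "0000.0000.0000", "10.0.10.1")))
    # Gratuitous ARP on an untrusted port claiming the gateway's address
    print(inspect_arp(ArpFrame("f0/3", "00aa.bb00.0002", "ffff.ffff.ffff",
                               "00aa.bb00.0002", "10.0.10.1",
                               "00aa.bb00.0002", "10.0.10.1", is_reply=True)))
    print(verify_source("f0/2", "00aa.bb00.0001", "10.0.10.99"))
```

Both functions depend entirely on the binding table, which is why the text insists that DHCP snooping is enabled before DAI or IP Source Guard: with an empty table every untrusted port would drop everything.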

VLAN Hopping is when a frame is double-tagged with Dot1q. For VLAN hopping to work, the intruder's host device must be attached to an access port. The VLAN used by the access port must also be the native VLAN.

The rogue transmits a frame that is double-tagged with VLAN 10 and VLAN 20. VLAN 10 is the native VLAN. The first tag seen by the switch is VLAN 10, and it is removed because it is the native VLAN. Now the VLAN 20 tag is left, and when the frame leaves on a trunk, the other switches see it as coming from VLAN 20.

Switch spoofing allows the host to become a member of all VLANs. By default, Cisco switches run in Dynamic Desirable mode. Dynamic Desirable mode has DTP running in an aggressive mode to actively form a trunk. Rogues connecting to a dynamic desirable port can negotiate the link into a trunk, which in turn lets the rogue reach all VLANs.

There are two defenses for VLAN hopping attacks. Firstly, all host ports should be hardcoded as access ports. Secondly, DTP should be disabled. To see all switchport modes, use:
show int trunk

These are the two commands to prevent switch spoofing attacks:
switchport mode access
switchport nonegotiate

Intruders can attach a switch into a switched network with a very low priority to make themselves the root bridge. They then enable SPAN to sniff information. To prevent this, we'll have to use BPDU Guard and Root Guard.

Root Guard prevents a superior BPDU from coming in on a port (it is enabled on a per-port basis). Root Guard will block the BPDU and temporarily disable the port (it goes into the Root Inconsistent state). To configure Root Guard, use:
in f0/1
spanning guard root

BPDU Guard prevents BPDUs from ever being accepted on a PortFast port. When a BPDU is received on a BPDU Guard interface, the port is put into err-disable state. To enable BPDU Guard on a port, use:
spanning-tree bpduguard enable

There is a command to enable all interfaces running on portfast to have BPDU guard. To do this, go to global configuration and type:
spanning-tree portfast bpduguard default

CCNA Security 06

In AAA (Authentication, Authorization, Accounting), the first A (Authentication) is the most commonly tested in the CCNA Security exam. Authorization and Accounting are mostly tested in CCIE Security.
AAA is enabled using:
aaa new-model

The three parts of AAA are:
Authentication - Who can access the system?
Authorization - What resources can he access?
Accounting - What did they use and how did they use it?

Creating a user account in a local database and using it for AAA authentication results in a self-contained AAA deployment. External AAA can be done through the following protocols:
-RADIUS - Open Standard, UDP-based (1812 or 1645 (Old))
-TACACS+ - Cisco Proprietary, TCP-based (49)

TACACS+ encrypts the entire packet, while RADIUS only encrypts the password fields. RADIUS combines the authentication and authorization process. TACACS+ considers Authentication, Authorization and Accounting to be separate processes. You can use them separately in a TACACS+ implementation.

RADIUS does not support NASI (Novell Async Services Interface) protocol, NetBIOS Frame Protocol Control protocol, X.25 Packet Assembler/Disassembler (PAD), AppleTalk Remote Access Protocol (ARA or ARAP). TACACS+ supports all of these. RADIUS can't control authorization level of users and router commands, but TACACS+ can.

In a TACACS+ authentication process, the router asks the TACACS+ server what credentials to ask for. For example, when a user tries to authenticate, the router asks the server what to ask for. The server then tells the router to ask for a username, and the request is passed through the router to the user. After the user supplies the username, the server then tells the router to ask for the password.

The TACACS+ server can then choose one of four replies: ACCEPT, REJECT, CONTINUE or ERROR. ACCEPT or REJECT is self-explanatory. CONTINUE means that some more information is required. ERROR means that there is some form of communication error.

To configure the router to use a TACACS+ server, use:
tacacs-server host key cisco

You can also set up RADIUS authentication like this:
radius-server host key cisco

We can set it up to use the RADIUS server first, then the TACACS+ server if the RADIUS server is down. Finally, if both are down, the request falls back to the local database. To do this, type:
aaa authentication login default group radius group tacacs+ local

The default group is used for every authentication that does not refer to a named list. Authentication lists are also known as method lists in the examination. You can use 4 different methods for authentication per list.

AAA new-model overrides every previously configured authentication method for router lines (VTY, etc). If AAA new-model is not entered, you would have to choose between "local" and "tacacs" when setting up login method in VTY lines. When AAA new-model is set, you would have to choose a method list.

Note that typing aaa new-model would automatically use the local database for authentication. Any line password previously set would not work. You would be locked out if your local database is empty. The following is an AAA implementation with a named list:
aaa authentication login AAA_VTY local
user cisco pass cisco
line vty 0 4
login authentication AAA_VTY

You can also put enable-mode access under AAA with the "aaa authentication enable" option; only a default list can be created here. You can also set authentication lists for PPP like this:
aaa authentication ppp default group radius

In this case, the RADIUS server would need to have both router's credentials for authentication to work.

AAA Accounting allows tracking of EXEC commands, EXEC logins, outbound connections, network resources, system events, etc. The accounting types are:
Commands - logs information about EXEC commands issued by a user
Connection - logs all outbound telnet connections from the router
EXEC - logs information about EXEC terminal sessions
Network - logs all PPP, ARAP and SLIP sessions
Resource - logs authentications
System - logs system-level events

If we want to enable auditing of EXEC commands, use:
aaa accounting commands 15 default start-stop group radius

AAA Accounting is rarely used in production networks, but it will be tested in the examination.

User EXEC mode is privilege level 1, and privileged EXEC mode is level 15. To show the current privilege level, use:
show privilege

There is a level 0 which allows only four commands: exit, logout, disable, enable. Levels 2-14 are custom levels which can be defined by the administrator. We can do things like restrict ping to only level 5 and above. To do this, we need to use the privilege command like this:
privilege exec level 5 ping

Ping commands are allowed to be executed by users in privilege level 5 and above.

Configuration of AAA in SDM is done from Configure > Additional Tasks > AAA. From the AAA Servers section, we can add RADIUS and TACACS+ servers. AAA Server Groups require AAA servers to be set up first. Login, NAC and 802.1x method lists can be configured in their respective sections. Default Local is the default for Login.

CCNA Security 05

SDM is an integral part of the CCNA Security examination. As covered in the CCNA articles, SDM stands for Security Device Manager. SDM is a GUI-based configuration tool for Cisco routers. The GUI is accessed through a web browser.
SDM allows the use of various wizards such as a One-Step Lockdown or a Security Audit. SDM is a tremendous learning tool and contains a lot of "How Do I..." help topics to aid in your tasks. SDM allows preview of commands before they are sent to the router.

The three commands required to activate SDM are:
ip http server
ip http secure-server
ip http authentication local

You would also need to have a privilege level 15 account for SDM:
user cisco privilege 15 pass cisco

SDM can be installed on the computer or the router. For a router installation, the files required in the flash are:

In the SDM CD, the First-Time Router Setup guide steps you through the cabling and setting-up of the router. When SDM is first started, you would have a "SDM Launcher" window as shown:

You can connect through HTTPS or HTTP depending on your requirements. After connecting to the router, you would have to login with the privilege 15 account. Logging in to a non-privileged account would not work.

When you are logged in, you would have two windows that must be up for SDM to work. The "Launch Page" should not be closed as it actually spawns the main SDM window. At the main window, we would see information like Model Type, Memory, Flash, IOS version and an overview of the configuration (Interfaces, VPN, Routing, IPS, etc.).

IPS can be configured through SDM, but not all routers support it. If that's the case, you would see "IPS Not Supported" in the IPS tab at the main window. IPS requires a minimum of 128MB of RAM.

In the User Preferences screen, you can enable the option to preview commands before delivering to router. This allows you to learn the commands.

The configure window is where we do most of our tasks. In most tabs, you would encounter a use-case scenario which represents what you are about to do. The use-case scenario changes depending on the option selected.

The SDM QoS configuration also requires an image that supports MQC (Modular QoS CLI). Otherwise, you would have to manually configure QoS the old way.

NAC stands for Network Access Control. NAC allows you to specify certain requirements for clients to connect. For example, a client must have an antivirus and firewall installed before being allowed in.

There is an "Additional Tasks" tab that allows setup of various management configurations (Telnet, SNMP, Logging, etc). You can also set up things like DHCP, DNS and AAA.

It is best practice to do saving manually. To do this, leave "save running-config to startup config" unchecked in the User Preferences.

Finally, there is a Monitor tab in SDM. Monitoring is not very important in the CCNA Security, but is very useful in real-life.

CCNA Security 04

There are a lot of types of hackers. The commonly stereotyped hackers in the media are known as black hat hackers. Black hat hackers strive to benefit financially from compromising others.
Hackers who hack to test network security are white hat hackers. White hat hacking is typically done to your own network or a network of someone who hired you.

A white hat hacker who leaves backdoors for himself later on would be known as a grey hat hacker because he is a combination of the above two.

Hackers who hack to make free or cheap phone calls are called phreakers. Phreakers are people who experiment with or hack telecommunication systems.

Finally, a person who hacks for a cause or belief is known as a hacktivist.

Data can be categorized into many different classifications. For example, the United States uses Top Secret, Secret and Confidential to define the actions that must be carried out when a particular piece of data is compromised.

Security is wrapped around an industry standard term known as the CIA. CIA stands for Confidentiality, Integrity and Availability. Confidentiality involves encryption to ensure that the data cannot be read by a third party. Integrity involves HMACs which makes sure that the data is not altered in transit. Availability involves redundancy and resistance to Denial of Service attacks.

A good network security administrator is one who keeps up with the latest security threats. You need to be dynamic, and so do the security policies.

Typically a network attacker performs a reconnaissance attack prior to the main attack. In reconnaissance, an attacker gains information about the network devices, topology, operating systems and vendors which would help them perform vendor-specific attacks.

When people want to prevent intruders from entering their homes, they typically install locks on their doors. However, there will always be some sort of windows or back doors which an intruder can climb in. A backdoor installed in a network would allow attacks to happen from the inside.

Social engineering attacks are those where the hacker gains information or access socially. An example is a receptionist resetting a password, or a network administrator giving out topology information.

Privilege escalation attacks allow software to be executed at a higher privilege than that of the logged-in user. Privilege escalation can be horizontal or vertical. Horizontal attacks allow access to files of other users at the same privilege level, while vertical attacks allow a user to gain access to resources only available to someone with higher privilege.

Network security requirements are always changing. We need to be proactive. A security analyst needs to find ways to hack their own networks before a real hacker does.

Thursday, April 22, 2010

Misc 21

Notice that I left a RADIUS server in the previous topology. I left it there intentionally so that I can use it for Remote Access VPN Authentication (AAA). The configuration is exactly the same for the VPN initiation part. The only thing that we need to change now is the AAA lines and the addition of a RADIUS server:
aaa authentication login VPNAUTHEN gr rad local
radius-server host acct-port 1813 auth-port 1812 key cisco

Notice that I didn't change the authorization to use RADIUS. This should stay local unless you have a good reason to change it. If your RADIUS server is properly configured, the connection should be working now. However, if you haven't set up your RADIUS server yet, I'll walk you through it. In this article I'll be using NPS. NPS is Windows Server 2008's implementation of RADIUS. It was previously known as IAS in Windows Server 2003. This picks up from a clean Active Directory install. NPS is installed as a role:

Now the only thing left is to configure the NPS server. To do this, go to:
Start > Administrative Tools > Network Policy Server

The first thing you want to do is to add your RADIUS client. To do this, right-click on RADIUS Clients and click on Add new RADIUS Client.

Add a RADIUS client as shown:

Now, browse on down to Network Policies and change the Deny policies to Grant policies like this:

Finally, head on over to the Constraints tab and allow PAP authentication:

Right now you should be able to Authenticate with your RADIUS server.

I noticed that I actually missed out client configuration in the previous article, so I'll touch on that now. The Cisco VPN client can actually be downloaded here. To get to the downloads, look at the right navigation bar and hit "Download Software". You would actually need a CCO contract so you'll have to get your friends to help you with it.

After launching the application, you should be at this page:

Click on the New button and configure your VPN as follows:

You would have a new entry in your list. Right-click and select Connect and you would be asked for credentials and hopefully be connected.

Misc 20

One of the emerging trends in the industry is the rise of mobile workers. Mobile workers, otherwise known as teleworkers, are employees who work away from the office. A typical teleworker would require resources in the office, but that would mean that he would have to traverse the internet. Because of this, a form of VPN known as a Remote Access VPN has to be implemented.
Today we'll look at a topology similar to this:

In this scenario, the home user wants to access the subnet containing the RADIUS server from home (imagine there's some other servers there as well). To do this, he would have to establish a VPN Remote Access connection with the VPN Concentrator. This can be done with Cisco's VPN Client.

This article assumes that connectivity between your client and the VPN Concentrator is set up. Now the first thing we want to do is to set up AAA on the VPN Concentrator. The concept is extremely similar to previous articles. In this case, we'll be using the local database:
aaa new-model
aaa authentication login VPNAUTHEN local
aaa authorization network VPNAUTHOR local
user cisco pass 0 cisco

That's really all for AAA. Now we'll begin setting up the cryptographic services. If you recall from the VPN Introduction article, we have to first set up Phase 1 of the connection which is ISAKMP. To do this, enter the following:
crypto isa pol 1
hash sha
auth pre
group 2
life 1800
encr 3des

Recall the HAGLE ("Haggle") sequence (Hash, Authentication, Group, Life, Encryption). This is the part that differs from the Site-to-Site design. In a normal Site-to-Site design, the peers are hardcoded in. However, in a Remote Access design, we do not know who our peers are, so we have to go through an extra step in Phase 1. First we designate the traffic that is interesting:
ip access-l ext VPNINTERESTING
permit ip
permit ip

We create a pool of addresses to assign:
ip local pool VPNPOOL

And finally we create a client group to consolidate the settings:
crypto isakmp client config group VPNCLIENTGROUP
key cisco
domain kelvin.com

That's it for Phase 1. Now we move on to Phase 2. Recall that I said that we can't hardcode peers here. To get around this, we'll need to use something known as a dynamic map. A dynamic map is a map that is similar to a normal crypto map, except that it does not have a peer-matching statement. We'll first create the transform set we need to use:
crypto ipsec transform TRANSFORM esp-3des esp-md5-hmac

Then we apply it in the dynamic map like this:
crypto dynamic VPNDYNAMIC 10
set transform TRANSFORM

Note that there is a command known as "reverse-route". Reverse-route adds a routing entry for each connected Remote Access client. This is required for two-way communication. Finally we create the crypto map:
crypto map MAP client authentication list VPNAUTHEN
crypto map MAP isakmp authorization list VPNAUTHOR
crypto map MAP client configuration address respond
crypto map MAP 10 ipsec-isakmp dynamic VPNDYNAMIC

Over here, the AAA lists are specified for authentication and authorization, and the VPNDYNAMIC map is used in the crypto map. This is all the setting we need. We'll now have to apply the map onto the interface. We'll also need to use virtual-reassembly to reassemble fragmented segments:
in s0/0
ip virtual-reassembly
crypto map MAP
in f0/0
ip virtual-reassembly

In most implementations, the packets would be routed through a NAT. IPSec VPN traffic is particularly sensitive to NAT. To go past the NAT, we'll have to have an access-list that looks like this:
ip access-l ext NAT
deny ip
deny ip
permit ip any any

This prevents any traffic destined for the network (VPN clients) from being NATted. Now we implement NAT. Here s0/0 is the interface facing the internet (the one the crypto map was applied to), so it is the NAT outside interface and f0/0 is the inside interface:
in s0/0
ip nat outside
in f0/0
ip nat inside
ip nat inside source list NAT interface s0/0 overload

Tuesday, April 20, 2010

Misc 19

WebVPN is Cisco's implementation of an HTTP/HTTPS web proxy. What WebVPN does is proxy any requests from the client over an SSL-secured session. WebVPN is typically used to access intranet sites from the internet. Clients would typically be presented with a page similar to this:

After they log on, they would be able to access intranet sites through the page. An intranet site accessed through WebVPN would look like this:

Notice the URL of the page.

Typically WebVPN would be applied in a scenario like this:

In this scenario, the client would have to first establish a WebVPN session with the WebVPN router before using the interface to access the Internal Application Server.

Right now we'll use a topology like this. This isn't what you'd typically encounter in a production network, but you would be able to learn the basic configuration of WebVPN with minimal equipment.

In this case, some form of security can be applied to the Gateway router, such as only allowing the WebVPN Router to go through. Since all traffic through the WebVPN site would appear to be from the WebVPN Router, this would effectively force everyone to use the WebVPN for surfing.

First off, we'll need some form of authentication. This is done through AAA. However, a real RADIUS server is not required for this exercise. We can fall back to the local database for authentication. We'll set up AAA like this:
aaa new-model
aaa authentication login default local

We'll add in some test user accounts:
user cisco pass cisco

Next, we'll need a certificate to support the SSL security associations during connection. To do this, we can either import one from a TFTP server or create a self-signed certificate. To do a self-signed certificate, enter the following commands:
crypto pki trust LOCAL
enroll selfsigned
crypto pki enroll LOCAL

Next, we'll set up some connectivity information:
ip name-server
ip domain name syraxius.ath.cx

Now we're done with the initial configuration. We can now focus on configuring WebVPN itself. To do this, we'll have to first set up the gateway address. This address would be your outside interface address. Set it up as follows:
webvpn enable gateway-addr

Now we'll be able to customize how the WebVPN interface would look. To do this, go into the WebVPN prompt through:

Settings that are typically changed are:
title "Kelvin's WebVPN"
login-message "Please enter the correct credentials!"
title-color white
secondary-color white
text-color black
secondary-text-color black
idle-timeout 180
ssl encryption 3des-sha1
ssl trustpoint LOCAL

Tuesday, April 6, 2010


We'll now set up IPv6 and some routing between them with a simple topology as shown:

This would be the addressing scheme used:
SubnetA: fd00:0001::/32
SubnetB: fd00:0002::/32
Link: fd00:0003::/32

To begin, we'll need to enable IPv6 routing on all our routers. To do this, go under Global Configuration of all routers and type:
ipv6 unicast-routing

Now we can begin assigning IP addresses. For the LANs, we'll be using Loopbacks. For RA, do this:
in f0/0
ipv6 add fd00:3::1/32
no shut
in lo0
ipv6 add fd00:1::1/32
no shut

Similarly, on RB, do this:
in f0/0
ipv6 add fd00:3::2/32
no shut
in lo0
ipv6 add fd00:2::1/32
no shut

We can now ping across the link (for example, RB's link address from RA) by typing:
ping fd00:3::2

Right now, as expected, we can only ping links that are directly connected. We'll have to turn on routing protocols. These are the routing protocols that can support IPv6:
-EIGRP for IPv6
-IS-IS for IPv6

Right now, we'll configure RIPng. The configuration is different in that you won't have any network statement:
ipv6 router rip 1

To turn on RIP, you have to go under the interfaces:
in f0/0
ipv6 rip 1 en
in lo0
ipv6 rip 1 en

When the same has been done on both routers, you can see the route by typing:
show ipv6 route

You can also verify your interfaces using:
show ipv6 int br

There are currently many migration strategies for IPv6 to provide a smooth, non-pressured transition. The strategies are:
-Dual-stack routers
-Tunneling
-NAT - Protocol Translation (NAT-PT)

Dual-stacking means that the routers will use IPv4 and IPv6 together. Clients using IPv4 will connect out through IPv4 and IPv6 clients will connect out through IPv6. If a version 4 client wants to communicate with a version 6 web site, the ISPs can actually automatically NAT the address to an IPv6 address. The same can be said for the other way round.

Tunneling allows IPv4 hosts to communicate through the IPv6 internet by encapsulating the IPv4 packets in IPv6 headers as it enters the IPv6 network and decapsulating the packet as it returns to IPv4. You can also run IPv6 through IPv4 by encapsulating IPv6 packets with a IPv4 header.

NAT-PT is a type of NATting that allows IPv4 addresses to be translated into IPv6. Similar can be said for IPv6 clients who want to access IPv4 networks. NAT still works exactly the same, it's just using a different translation pool. Static NAT, NAT overload and so on will still work the same.


I'll now touch on IPv6. We'll first ask: Is there a need to upgrade to IPv6? We've survived this far, will we ever need it? That is a definite yes! There is an address shortage in places like Virginia and Asia! IP addresses are also poorly allocated: agencies needing a class C asked for a class B. Estimates of when IPv4 will run out are largely debated and range from 2009 to 2041.
There are more and more new network devices on the rise. Sooner or later, everything would have an IP address associated to it. NAT is now seen as a hindrance to innovation.

IPv6 natively supports IPsec. IPv6 also supports mobility where the IP address would be portable everywhere. IPv6 also has a simpler header compared to IPv4.

IPv6 moved from 32-bit to 128-bit addresses. In 32-bit IPv4, there were 4294967296 address combinations. In IPv6, there are 3.4028236692093846346337460743177*10^38 addresses. IPv6 addresses are written in 8 groups of 4 hex characters each. Instead of dots, the groups are separated by colons.

There are some rules to make IPv6 more manageable. Let's take this IP:

You can eliminate groups of zeroes with two colons:

You can also drop leading zeroes:

Along with more addresses, the IPv6 also have a simpler header. The 20-byte IPv4 header is made up of:
Version|Header length|ToS|Total length|Identification|Flags|Fragment offset|TTL|Protocol|Header checksum|32-bit source|32-bit destination|Options|Padding

Length-wise, IPv6 headers are longer due to the address size. However, the IPv6 header has fewer fields and is thus easier to process:
Version|Traffic class|Flow label|Payload length|Next header|Hop limit|128-bit source|128-bit destination
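An added example (Python, written for this page and not part of the original post) that packs and parses both fixed headers listed above, so the two field layouts can be compared directly: the IPv4 parser also verifies the header checksum, a field IPv6 drops entirely. All addresses and field values are constructed.

```python
"""Added example: building and parsing the IPv4 and IPv6 fixed headers.
Written for this page; addresses and field values are constructed."""
import ipaddress
import struct

# Field order follows the two header layouts given in the text.
IPV4_FMT = "!BBHHHBBH4s4s"   # 20 bytes (options would follow when IHL > 5)
IPV6_FMT = "!IHBB16s16s"     # 40 bytes: version/class/label word, payload length,
                             # next header, hop limit, source, destination


def ipv4_checksum(header):
    """RFC 1071 ones'-complement sum of 16-bit words. Over a correct header
    (checksum field included) the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, ttl=64, protocol=6, dont_fragment=True):
    """Minimal 20-byte IPv4 header (IHL = 5, no options) with a valid checksum."""
    flags_frag = 0x4000 if dont_fragment else 0       # DF is bit 14 of the 16-bit field
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0x1C46, flags_frag,
                      ttl, protocol, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(data):
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack(IPV4_FMT, data[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(data) < ihl:
        raise ValueError("not a valid IPv4 header")
    return {
        "version": version, "header_length": ihl, "tos": tos,
        "total_length": total_len, "identification": ident,
        "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "checksum": csum,
        "checksum_ok": ipv4_checksum(data[:ihl]) == 0,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "options": data[20:ihl],
    }


def build_ipv6_header(src, dst, payload_len, next_header=6, hop_limit=64,
                      traffic_class=0, flow_label=0):
    """Fixed 40-byte IPv6 header: no length-of-header field and no checksum."""
    first_word = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    return struct.pack(IPV6_FMT, first_word, payload_len, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def parse_ipv6_header(data):
    first_word, payload_len, next_header, hop_limit, src, dst = struct.unpack(IPV6_FMT, data[:40])
    version = first_word >> 28
    if version != 6:
        raise ValueError("not an IPv6 header")
    return {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_header,   # plays the role of IPv4's Protocol field
        "hop_limit": hop_limit,       # plays the role of IPv4's TTL
        "src": str(ipaddress.IPv6Address(src)),
        "dst": str(ipaddress.IPv6Address(dst)),
    }


if __name__ == "__main__":
    v4 = build_ipv4_header("192.0.2.1", "198.51.100.7", payload_len=20)
    print(parse_ipv4_header(v4))
    v6 = build_ipv6_header("2001:db8::1", "2001:db8::2", payload_len=20)
    print(parse_ipv6_header(v6))
```

Because the IPv6 header has no checksum, corruption of the header is left to the link layer and to the transport checksum (which in IPv6 is mandatory for UDP as well); the IPv4 parser's checksum_ok flag shows what a router on the v4 side has to recompute on every hop.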

In IPv4, there are three different ways to send packets:
Unicast - Send to one
Multicast - Send to group
Broadcast - Send to all

In IPv6, there are still three, but broadcast has been removed:
Unicast - Send to one
Multicast - Send to group
Anycast - Send to closest

Anycast can be used by giving more than one web server the same IP address. The routing protocols will then route you to the nearest server with that address. This automatically load-balances you to the closest server.

There are three scopes in IPv6:
Link-local - Layer 2 domain. When hosts are plugged into the same switch, or two routers share the same link, the link-local address is used.

Unique-local (Previously called Site-local) - Similar to RFC1918 private addresses. They are unique in an organization. Site-local scope addresses are optional.

Global - Addresses for the Internet 2. These are fully routable in the internet.

Link-local addresses are automatically generated as an IPv6 host comes online. This is similar to the 169.254.x.x addresses of IPv4. Link-local addresses always begin with FE8 followed by 52 bits of zeroes (it is compulsory for the first 10 bits to be 1111111010). The last 64 bits are the 48-bit MAC address with FFFE squeezed into the middle. For example, if my MAC address is: 1234.5678.90AB

Then my link local address would be:

FE8 = 12-bits
MAC+FFFE = 64-bits
Zeroes = 52-bits
Total = 128-bits

Unique local RFC4193 addresses (previously known as Site-local RFC3513) are used to identify the boundary of organization networks. It uses the following format:

The first 8-bits of a Unique-local address is:

X will be 1 if locally assigned by an administrator. Setting it to 0 is reserved for future use, so the first 8 bits will be FD, i.e. the addresses fall in FD00::/8.

The structure of a unique-local address should be:
FD00|40-Bit Global ID|16-bit Subnet ID|64-bit Interface ID

Finally, global addresses have their high-order 3 bits set to 001. This means that these addresses start with 2000::/3. The global routing prefix is 48 bits or less. The subnet ID takes the remaining bits up to 64, i.e. 64 bits minus the global routing prefix. The primary addresses expected to make up the IPv6 internet will start with the 2001::/16 subnet.


Right now I'm going to walk through the configuration of a Frame Relay network using both multi-point and point-to-point configurations. For this article, I'll be using this topology:

First of all, back on R1, set the IP and change the serial interface encapsulation to Frame Relay:
ip add
encap frame
no shut

Now, if you're on an older router, you'll need to manually configure the LMI type:
frame lmi-type cisco

To see LMI information, use:
show frame-relay lmi

To see the PVCs connected, use:
show frame-relay pvc

In a multi-point configuration, you'll have to use the frame-relay map command. To do this, type:
frame map ip 102 broadcast
frame map ip 103 broadcast
frame map ip 104 broadcast

The broadcast keyword means that any broadcast traffic should be forwarded to R2 as a unicast packet. Frame Relay is an NBMA network, so broadcast traffic is blocked otherwise.

You can list Frame Relay maps like this:
show frame map

There are three states that a map can be in:
Inactive - Local is set up, remote is down
Active - Local and remote are both set up
Deleted - Invalid DLCI number

Right now the configuration should be:
ip add
encap frame
frame map ip 102
frame map ip 103
frame map ip 104
no shut

ip add
encap frame
frame map ip 201
no shut

ip add
encap frame
frame map ip 301
no shut

ip add
encap frame
frame map ip 401
no shut

Right now the spokes can ping the hub but cannot ping each other. To fix this, you'll have to map all the other spokes using the same DLCI that points to the hub. For example, back on R2, I'll type this:
frame map ip 201 br
frame map ip 201 br

After doing this, you should be able to ping everyone from everywhere. This, however, causes problems with split horizon, where only the hub would have all the routes.

Right now I'll clear the configurations on the interface, and replace them with point-to-point. To do this, use:
default int s0/0

Then on R1, I'll use the following configuration:
in s0/0
encap frame
no shut
in s0/0.2 point-to-point
frame int 102
ip add
in s0/0.3 point-to-point
frame int 103
ip add
in s0/0.4 point-to-point
frame int 104
ip add

Then on R2, do this:
in s0/0
encap frame
no shut
in s0/0.1 point-to-point
frame int 201
ip add

On R3, do this:
in s0/0
encap frame
no shut
in s0/0.1 point-to-point
frame int 301
ip add

Finally, on R4, do this:
in s0/0
encap frame
no shut
in s0/0.1 point-to-point
frame int 401
ip add

From here, a routing protocol should be able to bring the routing up automatically. There will be no split horizon problems.


Frame Relay was invented as a result of ISPs monitoring leased lines. They found that leased lines are rarely fully used. Frame Relay is a class of packet-switched technology. Frame Relay came from X.25 and later evolved into ATM. The concept behind Frame Relay was later used to develop MPLS.
Frame Relay terminologies are:
CIR - Committed Information Rate
The CIR is the minimum bandwidth that the provider guarantees. It will not go lower than that. At times you can actually burst above the CIR.

LAR - Local Access Rate
This is literally how fast the circuit can go. This is the real clocking rate of the circuit. If you're paying for a CIR that's lower than the LAR, you can only output short bursts of data that averages to your CIR.

LMI - Local Management Interface
The language that the router speaks between the router and the service provider. It is a signaling protocol that the provider can use to send statistics about the line. LMI also gives DLCI information.

DLCI - Data Link Connection Identifier
The DLCI is Frame Relay's equivalent of a MAC address. DLCIs are locally significant and are used to identify the local "gate" to get to the other end. DLCI numbers go up to 1024.

Suppose that RA has DLCIs 102 and 103, RB has DLCI 201, and RC has DLCI 301. They are connected by Frame Relay PVCs. For RA to reach RB, it would have to send its packet to DLCI 102. From the perspective of RB, the packet would be coming from DLCI 201. Similarly, when RC sends a packet to RA, it would send it to a destination of 301. However, from RA, the packet would be seen coming from DLCI 103.
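The DLCI scenario above as an added example in Python, not from the original post: a tiny model of the provider's Frame Relay switches, where each PVC is programmed as a pair of (router, local DLCI) endpoints. It shows why DLCIs are only locally significant: the same number can be reused on a different access link, and a frame sent on 102 from RA arrives on 201 at RB. The routers and DLCIs are the ones in the text; the extra PVC in PVCS_WITH_REUSE is constructed for the illustration.

```python
# Constructed Frame Relay cloud from the text: each PVC joins two (router, local DLCI) endpoints.
PVCS = [
    (("RA", 102), ("RB", 201)),
    (("RA", 103), ("RC", 301)),
]

# Constructed extension: DLCI 201 reused on RC's access link.  It is a different PVC from
# RB's 201 because a DLCI only has meaning on the link it was handed out on.
PVCS_WITH_REUSE = PVCS + [(("RC", 201), ("RA", 104))]


def build_switch_table(pvcs):
    """Flatten the PVC list into a two-way lookup: (ingress router, DLCI) -> (egress router, DLCI).
    A DLCI may appear only once per access link, otherwise the switch could not tell the PVCs apart."""
    table = {}
    for a, b in pvcs:
        for endpoint in (a, b):
            if endpoint in table:
                raise ValueError(f"DLCI {endpoint[1]} provisioned twice on {endpoint[0]}'s link")
        table[a] = b
        table[b] = a
    return table


def is_valid_pvc_set(pvcs) -> bool:
    """True when no access link reuses a DLCI."""
    try:
        build_switch_table(pvcs)
        return True
    except ValueError:
        return False


def switch_frame(table, sender, dlci):
    """Where a frame sent with this local DLCI comes out, as (receiver, DLCI seen by the receiver).
    None means the DLCI is not provisioned, which is what a router reports as a 'deleted' map."""
    return table.get((sender, dlci))


def local_dlcis(table, router):
    """The DLCIs that LMI would announce on one router's access link."""
    return sorted(dlci for (r, dlci) in table if r == router)


if __name__ == "__main__":
    table = build_switch_table(PVCS)
    print("RA sends on 102 ->", switch_frame(table, "RA", 102))   # ('RB', 201)
    print("RC sends on 301 ->", switch_frame(table, "RC", 301))   # ('RA', 103)
```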

PVC - Permanent Virtual Circuit
Frame Relay operates through Frame Relay switches. When you sign up for Frame Relay, a path is programmed into the Frame Relay switches which your packets can flow through. Since PVCs have recurring fees, companies use a hub and spoke topology to connect their sites.

There are three types of topology:

The hub-and-spoke topology is the cheapest out of all the topologies because it requires the least PVCs. However, you now have a single point of failure and VoIP calls may get higher latency.


A partial mesh usually starts out as a hub and spoke. As it grows, the important sites get more links and the less important sites get less links.


Full mesh is when all sites have direct connectivity to each other. This may become expensive and unmanageable as the number of sites increases. The formula for the number of links in a full mesh topology is: n(n-1)/2.

For the interfaces in a Frame Relay topology, you have two choices. You can either use a multi-point design, or a point-to-point design.

In a multi-point design, all routers are on the same subnet. Multiple DLCIs are mapped to one interface. The routers will think that they can reach all routers directly, like on an Ethernet network, but only the hub of the topology can actually do that. This can cause split horizon problems with DV routing protocols.

In a typical split horizon problem scenario, the hub would have all routes, while the spokes would only have their own routes. This is because the hub will not send updates back out of the interface it received them from. The solution in a multi-point design is to turn off split horizon.

The other way is the point-to-point design. In a point-to-point design, all routers are on different subnets. For each DLCI, a new sub-interface is created. There are no problems with split-horizon. The choice of point-to-point and multi-point is made by the network administrator. There is no need to coordinate with the ISP.


For a leased line to work, you somehow have to connect out to the ISP. There are two ways to connect to an ISP. The first is through a serial port.
For a serial port to work, you'll have to connect it to a CSU/DSU like this:

Notice that there are a lot of components involved. You'll need a WIC1T card, and a DB60-V.35, then you'll need a CSU/DSU and an Ethernet cable. Cisco came up with a better way of connecting to a leased line through the WIC-1DSU-T1-V2 card, like this:

There are two common leased-line protocols:
1) High-Level Data Link Control (HDLC)
-Cisco proprietary
-Extremely low overhead

2) Point-to-Point Protocol (PPP)
-Industry standard
-Moderate overhead
-A lot of features

PPP supports authentication. Authentication requires one side or both sides to provide credentials. This is rarely used on leased lines, because someone would have to remove the router on the other end to gain access to the WAN link in the first place. PPP authentication is typically used on dial-up.

You can do transparent compression on the PPP link. This however is only recommended on slow links as it has high CPU utilization.

Callback is primarily used on modems. When a person dials in and authenticates, the line is hung up and dialed back. This ensures that only the specified location can connect. It is also used for consolidating long-distance fees (when dialing back, the company foots the bill, and it probably gets a cheaper rate).

The most popular feature of PPP is multilink PPP. It allows you to combine links of the same speed into one large bundle. Multilink PPP load balances exactly, bit by bit. Multilink PPP needs to be properly configured on both sides to work.

We'll go back on the topology we had before:

We'll go back on R3. To see exactly what encapsulation the link is using, use:
show int s0/0

To see which side is the router connected to, use:
show control s0/0

By default a link is configured as HDLC, so it won't appear when you do a "show run". To show just an interface, use:
show run int s0/0

To turn on PPP, use:
encap ppp

We'll need to turn on PPP on both sides. If only one side is on PPP, notice that the status would be up (physical), but the line protocol down (data link).

LCP stands for the Link Control Protocol. LCP negotiates PPP features. If there were some kind of problem with the features, it would show PPP Closed in the interface information (otherwise it would be Open).

IPCP is the protocol that allows IP to work over PPP. CDPCP is the protocol that allows CDP to work over PPP.

There are two types of PPP authentication:
-PAP, Password Authentication Protocol (Clear-text)
-CHAP, Challenge Handshake Authentication Protocol (Hashed)

CHAP sends the user name in clear text, but hashes the password when it sends it over. When CHAP receives a hash, it computes the hash on its own side and checks whether it gets the same result. CHAP uses MD5 for hashing.
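The CHAP exchange described above, as an added example in Python (not code from the original post). It follows RFC 1994: the authenticator sends a random challenge, the peer answers with MD5 over the one-octet identifier, the secret and the challenge, and the authenticator recomputes that hash from the secret stored under the peer's hostname. The user database and hostnames (R2 authenticating R3 with password cisco, as in the configuration that follows) are taken from the text; the wire format here is a constructed tuple, not real PPP framing.

```python
import hashlib
import hmac
import os

# Constructed copy of the authenticating router's local user database ("user R3 pass cisco").
USERS = {"R3": "cisco"}


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("the CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_exchange(user_db: dict, peer_name: str, peer_secret: str, challenge=None):
    """One three-way CHAP handshake.  Returns (authenticated, wire) where 'wire' lists the
    packets as (type, identifier, value, name) so the reader can see that only the
    hostname and a hash cross the link, never the password itself."""
    identifier = 1
    if challenge is None:
        challenge = os.urandom(16)          # authenticator picks a fresh random challenge
    wire = []
    # 1. Authenticator (R2) -> peer: Challenge, carrying the authenticator's own hostname
    wire.append(("Challenge", identifier, challenge, "R2"))
    # 2. Peer (R3) -> authenticator: Response, computed with the peer's copy of the secret
    response = chap_response(identifier, peer_secret, challenge)
    wire.append(("Response", identifier, response, peer_name))
    # 3. Authenticator recomputes with the secret stored under the peer's name and compares
    stored = user_db.get(peer_name)
    ok = stored is not None and hmac.compare_digest(
        chap_response(identifier, stored, challenge), response)
    wire.append(("Success" if ok else "Failure", identifier, b"", ""))
    return ok, wire


def secret_on_wire(wire, secret: str) -> bool:
    """True if the clear-text secret appears in any packet value."""
    return any(secret.encode() in pkt[2] for pkt in wire)


def pap_wire(username: str, password: str):
    """For contrast: PAP's Authenticate-Request carries the password in the clear."""
    return [("Authenticate-Request", 1, password.encode(), username)]


if __name__ == "__main__":
    ok, wire = chap_exchange(USERS, "R3", "cisco")
    for pkt in wire:
        print(pkt[0], pkt[3], pkt[2].hex())
    print("authenticated:", ok, "| password visible on wire:", secret_on_wire(wire, "cisco"))
```

Because the response is a hash of the challenge, a captured Response packet cannot be replayed against a later challenge; this is the reason CHAP is preferred over PAP, where pap_wire shows the password itself on the link.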

There are two steps to turn on authentication:
1) Create user accounts
2) Turn on authentication

For this purpose, we'll turn on authentication first so that we can see what it looks like when authentication fails. To do this, go under the interface on both sides and type:
ppp authe chap

Now you'll notice that the link goes down. Check the interface information and you would see that the side that first required authentication would have "LCP TERMsent", and the side that got terminated would have "LCP Listen".

Now, create user accounts. If you're on R3, create one for R2. If you're on R2, create one for R3. To do this, type:
user R3 pass cisco


VPN is one of the newer topics in CCNA. Together with VPN come Wireless and IPv6. However, only the theory is tested in the certification. VPN gives you cheaper connections and is available anywhere the Internet is available. VPN traffic is heavily encrypted and secured, and you can do many-to-many connections.
VPN allows you cheaper connections in the sense that instead of a private line (like a T1 line), you can create your own private lines through the internet. A T1 link costs $2000 a month, but a typical internet connection is just a mere $50 a month.

VPN allows you to link offices together, and even allow SOHO offices to join the corporate network. The heavy encryption allows for privacy even on the internet, and is not easy to break into. This gives rise to the concept of teleworkers.

Any offices connected via the internet can connect to each other. This is what is meant by many-to-many connections. However, due to the heavy encryption, there is much more CPU overhead compared to private T1 lines.

VPN connections come in two major styles:
-Site-to-Site (L2L or Lan-to-Lan)

In a site-to-site VPN, data within a site is cleartext (typically, or it can be encrypted with an internal scheme), but once it leaves the site for the internet it is encrypted until it reaches the terminating router on the other side. The routers are responsible for encryption.

-Remote Access

Remote access VPN is when the client itself connects to the terminating router. The client is responsible for the encryption here. Technologies like WebVPN allow this sort of connection. WebVPN is established through a browser, and data is sent through an SSL tunnel.

IPSec is the security protocol of VPNs. IPSec can be broken up into 4 parts:
Negotiation Protocol
Encryption
Authentication
Protection

IPSec is a suite of protocols. When you want to use IPSec, you first have to build it up from these components. Encryption is there for confidentiality (end-to-end). Authentication is there for integrity (source integrity). Protection is the method used to exchange the encryption key. The negotiation protocol is like a framework that the components plug into. AH couldn't do authentication, so ESP was used to replace it.

For encryption to work properly, you'll have to exchange the symmetric keys. Symmetric keys are keys that can be used to both encrypt and decrypt data. Symmetric keys are bit-wise stronger than asymmetric keys. Symmetric keys are also faster.

In a Diffie-Hellman scenario, the keys are asymmetric. Each host has two keys, one for encryption (public) and one for decryption (private). Let's see a scenario:

Two hosts, RA and RB, want to exchange shared secret keys (AES symmetric key):
RA: PublicA PrivateA Shared
RB: PublicB PrivateB
First thing that happens is that they exchange public keys:
RA: PublicA PrivateA SharedA PublicB
RB: PublicB PrivateB SharedB PublicA
Now after the exchange, they would encrypt their own shared key with the other side's public key:
RA: PublicA PrivateA SharedA PublicB SharedA'B
RB: PublicB PrivateB SharedB PublicA SharedB'A
Now they send it back to each other:
RA: PublicA PrivateA SharedA PublicB SharedA'B SharedB'A
RB: PublicB PrivateB SharedB PublicA SharedB'A SharedA'B
Finally they decrypt the opposite's shared keys with their own private key:
RA: PublicA PrivateA SharedA PublicB SharedA'B SharedB'A SharedB
RB: PublicB PrivateB SharedB PublicA SharedB'A SharedA'B SharedA
For more theory (not covered in CCNA), refer to the VPN Introduction article.
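A worked key exchange in Python, added here as an example and not part of the original post. The table above shows each side encrypting a pre-chosen shared key with the other side's public key; the Diffie-Hellman exchange that IPsec's negotiation protocol actually runs never sends the key at all: RA and RB exchange only public values and each computes the same secret from its own private exponent. The modulus and generator (p=23, g=5) are the textbook toy group and offer no real security; IKE negotiates the large MODP groups from RFC 3526. Hashing the agreed number with SHA-256 into AES key material is an illustrative key derivation, not IKE's own PRF.

```python
import hashlib
import secrets

# Toy group for illustration only; IKE uses RFC 3526 MODP groups of 1536 bits and up.
P, G = 23, 5


def dh_keypair(p=P, g=G, private=None):
    """Pick a private exponent (never leaves the router) and publish g^private mod p."""
    if private is None:
        private = secrets.randbelow(p - 2) + 1     # uniformly in 1 .. p-2
    return private, pow(g, private, p)


def dh_shared_secret(private, peer_public, p=P):
    """(g^b)^a == (g^a)^b mod p, so both routers land on the same number."""
    return pow(peer_public, private, p)


def derive_symmetric_key(shared: int, nbytes: int = 16) -> bytes:
    """Illustrative KDF: hash the agreed number into AES-128 key material."""
    length = max(1, (shared.bit_length() + 7) // 8)
    return hashlib.sha256(shared.to_bytes(length, "big")).digest()[:nbytes]


def exchange(private_a=None, private_b=None, p=P, g=G):
    """Run the exchange between RA and RB.  Returns (keyA, keyB, on_wire): the two derived
    symmetric keys and the only values an eavesdropper on the link gets to see."""
    priv_a, pub_a = dh_keypair(p, g, private_a)
    priv_b, pub_b = dh_keypair(p, g, private_b)
    on_wire = {"p": p, "g": g, "PublicA": pub_a, "PublicB": pub_b}
    secret_a = dh_shared_secret(priv_a, pub_b, p)    # RA uses PrivateA with PublicB
    secret_b = dh_shared_secret(priv_b, pub_a, p)    # RB uses PrivateB with PublicA
    return derive_symmetric_key(secret_a), derive_symmetric_key(secret_b), on_wire


if __name__ == "__main__":
    key_a, key_b, seen = exchange(private_a=6, private_b=15)
    print("on the wire:", seen)
    print("RA key:", key_a.hex(), "\nRB key:", key_b.hex(), "\nsame:", key_a == key_b)
```

The only values on the wire are p, g, PublicA and PublicB; recovering the secret from those requires solving the discrete logarithm in the group, which is feasible for p=23 and is exactly what the large IKE groups are chosen to make infeasible.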

Monday, April 5, 2010


We will now configure NAT overload on R1 so that all inside devices are NATted out. To do this, we will need to identify the inside and outside interfaces. To do this, go into f0/0 and type:
ip nat outside

Next, go into any other interfaces (and sub-interfaces) and type:
ip nat inside

Right now we'll have to create access-lists to identify the networks that are allowed out. In this example, I'm going to deny Host C's network from being NATted, and allow everything else. I'll do this with a standard access-list:
ip access-l standard INSIDE
permit any

Finally, we'll activate the NAT process to translate the addresses specified in the list into the interface address with overload:
ip nat inside source list INSIDE int f0/0 overload

Now let's say I want Host A to be permanently assigned to, and allow it to be accessed from the outside. To do this, simply do a static NAT mapping:
ip nat inside source static

Right now I'll be able to ping by pinging from outside. To specify a port, simply put the "tcp" keyword after static. For example, if I have a web server on Host A, and an email server on Host B, and I want to use the interface IP, then I can use:
ip nat inside source static tcp 80 int f0/0 80
ip nat inside source static tcp 25 int f0/0 25

This is actually what happens when you do port-forwarding on a home router like one from Linksys.

Finally, we'll set up dynamic NAT with overload. Suppose you are given a public IP pool of to We'll first create the pool like this:
ip nat pool OUTSIDE prefix-length 24

Next, we will turn the NAT on like this:
ip nat inside source list INSIDE pool OUTSIDE overload

In this case, the first address is used till a port conflict occurs before it fails over to the second address.


The most basic type of NAT is dynamic NAT. Dynamic NAT is one-to-one NATting, where one internal address translates directly to an external address for a given session. Dynamic NAT can only support as many hosts as there are addresses in the pool at a given time.
Dynamic NAT can actually be used to fix problems with overlapping addresses. Two organizations can be using 10.x.x.x networks. But when they communicate with each other, they would appear as 172.16 at one side and 172.17 at the other. Dynamic NAT is the least common form used.

The most common form of NAT is NAT overload, which is commonly called PAT. This overcomes the shortage of IP addresses on the internet by translating all internal addresses into one single external address with different ports. It is rumored that Microsoft came up with the term "PAT". NAT overload is actually the technically correct term.

PAT translates the internal IP to the external IP, keeping the same port number. If somehow two devices use the same port numbers to communicate, the later device would have its external port number incremented by 1.

For inside to outside, you'll need to use PAT. For outside to inside, you'll have to use static NATs. Static NAT can either be done for certain ports (e.g. port 80 goes to the web server, and port 25 goes to another server), or the entire IP address other than the already overloaded ports. You don't have to use the WAN interface address for NAT.
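The PAT behaviour from the last three paragraphs as an added example in Python, not code from the original post: an inside-to-outside translation table that keeps the original source port and increments it by one on a conflict, plus static entries that are the only way unsolicited outside-to-inside traffic gets through. The addresses (10.1.1.0/24 inside, 203.0.113.1 as the interface address) are constructed for the example; the port-increment rule is the one the text describes, and real IOS allocation order can differ by version.

```python
from dataclasses import dataclass, field


@dataclass
class PatTable:
    """NAT overload on one interface address with optional static port forwards."""
    outside_ip: str
    statics: dict = field(default_factory=dict)   # (proto, outside_port) -> (inside_ip, inside_port)
    dynamic: dict = field(default_factory=dict)   # (proto, inside_ip, inside_port) -> outside_port
    reverse: dict = field(default_factory=dict)   # (proto, outside_port) -> (inside_ip, inside_port)

    def add_static(self, proto: str, inside_ip: str, inside_port: int, outside_port: int):
        """'ip nat inside source static tcp <inside> <port> interface f0/0 <port>'."""
        key = (proto, outside_port)
        if key in self.statics or key in self.reverse:
            raise ValueError(f"{proto}/{outside_port} already in use on {self.outside_ip}")
        self.statics[key] = (inside_ip, inside_port)

    def translate_out(self, proto: str, inside_ip: str, inside_port: int):
        """Inside -> outside.  Reuses an existing mapping for the same flow; otherwise keeps
        the inside port if free and bumps it by one per conflict (the text's rule)."""
        flow = (proto, inside_ip, inside_port)
        if flow in self.dynamic:
            return self.outside_ip, self.dynamic[flow]
        port = inside_port
        while (proto, port) in self.reverse or (proto, port) in self.statics:
            port += 1
            if port > 65535:
                raise RuntimeError("no free ports left on the overloaded address")
        self.dynamic[flow] = port
        self.reverse[(proto, port)] = (inside_ip, inside_port)
        return self.outside_ip, port

    def translate_in(self, proto: str, outside_port: int):
        """Outside -> inside.  Only a static forward or the return half of an existing
        dynamic session is translated; anything else has no entry and is dropped (None)."""
        key = (proto, outside_port)
        if key in self.statics:
            return self.statics[key]
        return self.reverse.get(key)


def demo():
    """Constructed walk-through: two hosts picking the same source port, plus forwards."""
    nat = PatTable("203.0.113.1")
    nat.add_static("tcp", "10.1.1.10", 80, 80)     # web server on Host A
    nat.add_static("tcp", "10.1.1.20", 25, 25)     # mail server on Host B
    a = nat.translate_out("tcp", "10.1.1.10", 1025)
    b = nat.translate_out("tcp", "10.1.1.20", 1025)   # conflict: gets 1026
    return nat, a, b


if __name__ == "__main__":
    nat, a, b = demo()
    print("Host A 1025 ->", a, "| Host B 1025 ->", b)
    print("outside tcp/80 ->", nat.translate_in("tcp", 80), "| outside tcp/4444 ->", nat.translate_in("tcp", 4444))
```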


In extended access-lists, you can specify particular protocols. The most common ones are IP (all IP protocols), TCP, UDP and ICMP. TCP and UDP allow you to specify ports. ICMP is commonly used to block pings.

Now we'll need to make an extended access-list to prevent Host A from accessing R2's WAN link (the entire link). Remember that extended access-lists are to be placed nearest to the source. We want to deny from accessing

Even though Host A is on the same switch connected to R2, Host A needs to go through R1 before it can go into R2. So the access-list is to be put in R1:
access-list 100 deny ip host
access-list 100 permit ip any any

Next, apply the access-list in F0/1.20 inwards:
in f0/1.20
ip access-g 100 in

Finally we'll need to deny Host B from accessing www.google.com. To do this we'll need to squeeze in one more entry into the list. This is because you can only apply one ACL per direction per interface. We'll remove the list first, then add in the entry:
no access-l 100
access-list 100 deny ip host
access-list 100 deny tcp host host www.google.com eq www
access-list 100 permit ip any any

Using the host keyword allows automatic resolution of the IP. We have not set up NAT yet, so it won't be able to access that site in the first place, but this is the way to do it and we would test it when we have NAT set up.

Now, notice that we had to remove the whole access-list before retyping the whole thing. Wouldn't it be good if we could slip some entries into the access-list without deleting the whole thing? Well, recently that became possible! It's done with named access-lists. Let's redo the extended list as a named access-list. To do this, type:
ip access-l ext EXTLIST
deny ip host
permit ip any any

Now if you actually do a "show access-l", you'll see an output like this:
Extended IP access list 100
    10 deny ip host
    20 permit ip any any
Now, if you want to insert an entry between the two, just type:
15 deny tcp host host www.google.com eq www

You can also remove a line. For example, to remove line 10:
no 10

Now I'll walk you through with the creation of a simple established access list. To do this, create a list as shown:
ip access-l ext ESTABLISHED
permit tcp any any established

Now, you would have to apply this list to the internet interface inbound:
in f0/0
ip access-g ESTABLISHED in

This would require an internal host to establish a connection to an outside host before an outside host can come back in.


Right now we'll make use of access lists to do some access control. We'll have four requirements as follows:
1) Standard - Prevent Host B from accessing Host C.
2) Standard - Prevent Host B from using Telnet or SSH protocols to communicate with R1.
3) Extended - Prevent Host B from accessing R2 WAN link.
4) Extended - Prevent Host B from accessing www.google.com

There are two ways to set up an access-list. The old way is the numbered access-list. The syntax is as follows:
access-list 1 permit deny

For numbered lists, 1-99 are standard and 100-199 are extended.

The newer method is the named IP access list, which is created through:
ip access-l standard LIST

To see existing access lists:
show access-l

A rule of thumb is that standard ACLs are to be placed as near to the destination as possible, while extended should be placed nearer to the source.

For scenario 1, we actually need to put the access-list in R3's F0/0 interface going outbound. We'll need to first make this access-list:
access-l 1 deny
access-l 1 permit any

Now we'll need to apply it outbound:
conf t
in f0/0
ip access-g 1 out

Now the pings between Host B and C should be failing. Everything else should be able to ping C.

Now we'll work to deny Host B from Telnetting or SSHing into R1. To do this, we use the access-list in the VTY lines instead. Go onto R1, and create the same access-list:
access-l 1 deny
access-l 1 permit any

Go into the line and apply it:
line vty 0 4
access-class 1 in

Everything should be able to telnet into R1 except Host B.


ACLs stand for Access Control Lists. They are more commonly referred to as Access-Lists. Access-Lists can be used for permitting network access, but can also be used to identify traffic to be affected by services. Access lists can be used for:
-Access control
-Demand Dial Routing
-Policy Routing
-Route Filtering

ACLs are read from top to bottom. It stops at the first match. If nothing is matched, there is an implicit DENY at the bottom. When used for access control, it is applied to an interface inbound or outbound.

An ACL applied inbound on an interface catches anything coming in from external sources. An ACL applied outbound catches anything about to leave out of that interface.

There are different types of access lists:
-Context-Based Access Control (Cisco IOS Firewall, then Zone Based Firewall)

Dynamic access-lists can allow authentication. For example, an employee can be let through after telnetting in and authenticating. Time-based makes use of the router's time and comes into effect at certain times.

Standard
-Matches based on source address
-Lower processor utilization

Extended
-Matches based on protocol, S/D address and S/D port number
-Higher processor utilization

Established
-Allows return traffic for internal requests
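An added example in Python, not code from the original post, that models the ACL evaluation rules in this section and the named-list editing shown earlier: entries are kept by sequence number, checked top to bottom, the first match wins, and an unmatched packet hits the implicit deny. Address specs use IOS syntax (any, host A.B.C.D, or A.B.C.D with a wildcard mask), the established keyword matches only TCP segments with ACK or RST set, and entries can be inserted between existing sequence numbers or removed by number. The addresses (10.1.1.0/24 hosts, 192.0.2.0/24 as the R2 WAN link, 203.0.113.80 as a web server) are constructed for the example.

```python
from ipaddress import IPv4Address


def parse_addr_spec(spec: str):
    """IOS address spec -> (base address, wildcard mask) as 32-bit ints.
    A wildcard bit of 1 means 'don't care'; 0 means the bit must equal the base address."""
    parts = spec.split()
    if parts == ["any"]:
        return 0, 0xFFFFFFFF
    if len(parts) == 2 and parts[0] == "host":
        return int(IPv4Address(parts[1])), 0
    if len(parts) == 2:
        return int(IPv4Address(parts[0])), int(IPv4Address(parts[1]))
    raise ValueError(f"bad address spec: {spec!r}")


def addr_matches(addr: str, spec) -> bool:
    base, wildcard = spec
    return ((int(IPv4Address(addr)) ^ base) & (~wildcard & 0xFFFFFFFF)) == 0


class ExtendedAcl:
    """A named extended ACL: sequence-numbered entries, top-down first match, implicit deny."""

    def __init__(self, name: str):
        self.name = name
        self.entries = {}

    def add(self, seq, action, proto="ip", src="any", dst="any", dport=None, established=False):
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if established and proto != "tcp":
            raise ValueError("established only applies to tcp")
        self.entries[seq] = {"action": action, "proto": proto, "src": parse_addr_spec(src),
                             "dst": parse_addr_spec(dst), "dport": dport, "established": established}

    def remove(self, seq):
        """'no <seq>' inside the named list."""
        del self.entries[seq]

    def evaluate(self, pkt):
        """pkt: dict with proto, src, dst and optionally dport and flags (a set like {'ACK'}).
        Returns (matching sequence number, action); (None, 'deny') is the implicit deny."""
        for seq in sorted(self.entries):
            e = self.entries[seq]
            if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
                continue
            if not addr_matches(pkt["src"], e["src"]) or not addr_matches(pkt["dst"], e["dst"]):
                continue
            if e["dport"] is not None and pkt.get("dport") != e["dport"]:
                continue
            if e["established"] and not (pkt.get("flags", set()) & {"ACK", "RST"}):
                continue
            return seq, e["action"]
        return None, "deny"


def build_extlist():
    """Constructed version of the EXTLIST walk-through: 10 and 20 first, then 15 slipped in."""
    acl = ExtendedAcl("EXTLIST")
    acl.add(10, "deny", "ip", "host 10.1.1.10", "192.0.2.0 0.0.0.255")        # Host A -> R2 WAN link
    acl.add(20, "permit", "ip", "any", "any")
    acl.add(15, "deny", "tcp", "host 10.1.1.20", "host 203.0.113.80", dport=80)  # Host B -> web
    return acl


def build_established():
    """The ESTABLISHED list applied inbound on the internet interface."""
    acl = ExtendedAcl("ESTABLISHED")
    acl.add(10, "permit", "tcp", "any", "any", established=True)
    return acl


if __name__ == "__main__":
    acl = build_extlist()
    print(acl.evaluate({"proto": "tcp", "src": "10.1.1.20", "dst": "203.0.113.80", "dport": 80}))  # (15, 'deny')
    print(build_established().evaluate({"proto": "tcp", "src": "198.51.100.9", "dst": "10.1.1.10",
                                        "dport": 1025, "flags": {"SYN"}}))                      # (None, 'deny')
```

The evaluator walks entries in sequence order regardless of the order they were typed, which is what makes the "15 between 10 and 20" insertion work; removing 10 lets Host A's traffic fall through to the permit at 20.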