
Monday, May 24, 2010

Misc 27

At times when your network undergoes a major software upgrade, it is infeasible to connect computers individually to the repositories. This consumes both time and bandwidth and causes scalability issues for the network.
Apt-proxy turns your computer into a caching server, and all clients connect to that computer instead of the repository. Each package then only needs to be downloaded once and stored; subsequent requests for a cached package are served from the caching server.

In this case, we'll run a simple topology to demonstrate how apt-proxy works. Suppose we have a topology that looks like this:


In this topology, we have the apt-proxy, and two clients in the same subnet. They don't necessarily need to be. All traffic is to go through the HTTP proxy.

We'll first set up the caching server. The package we need to install is:
apt-get install apt-proxy

At this point, apt-proxy is functional if your client uses the US server with no HTTP proxy required. However, since our topology requires an HTTP proxy, we'll have to do some setting up.

The first thing we need to modify is the configuration file. The file is located at /etc/apt-proxy/apt-proxy-v2.conf:
nano /etc/apt-proxy/apt-proxy-v2.conf

There are a few parameters we need to modify. Notice that there is an "address" parameter. If you do not specify it, the server will listen on all available interfaces. By default, it listens on port 9999, but you can change that there as well. The first parameter we'll modify is the http_proxy parameter. Since our HTTP proxy is at 192.168.1.2:80, we'll modify it as shown:
http_proxy = 192.168.1.2:80

The proxy can also be a DNS name instead of an IP address.

Scroll down and you'll find a section for backends. This is where you'll add your alternate mirrors. For this purpose, I'll leave it with the defaults. If you wish to add more repositories, you can do so like this:
backends =
http://mirror.nus.edu.sg/Debian


Now it's time to set up the client. To do this, we'll modify the sources.list file:
nano /etc/apt/sources.list

Modify it to reflect the IP address of the apt-proxy like this:
deb http://192.168.2.2:9999/debian lenny contrib main non-free

Do an update and it should work as if the client were directly connected to the internet.

Steering a little off topic: suppose you wish to have something set automatically for all users. The file you would want to edit is /etc/environment. A good thing to add there is an HTTP proxy, like this:
export http_proxy=http://proxy.tp.edu.sg:80/
export no_proxy=localhost,127.0.0.0/8,152.226.152.0/21


An alternate file would be the .bashrc under your home directory. However, it only affects the particular user so it's not very useful for exporting proxy settings.

Friday, May 21, 2010

Misc 26

WDS is Microsoft's implementation of PXE. It is a direct replacement for Windows Server 2003's RIS. WDS is optimized for use with Vista and above.
WDS requires the computer to be a DC or joined to an AD domain. A DHCP server must be available on either the same computer or a different computer. The DHCP server and WDS server need not be in the same subnet, though having them in the same subnet shortens the configuration a lot. Also, the router must allow traffic on port 67 (DHCP/WDS) and port 4011 (PXE Proxy DHCP).

I'll begin with a vanilla Windows Server 2008 x64 with ADDS role installed. The architecture will not matter so these instructions work for both x86 and x64. From here I'll assume you have control of the Administrator account or an account in Domain Admins.



In this topology, the WDS/DHCP Server has the interface IP of 4.4.4.2. R1 has an IP of 4.4.4.1 on F0/0 and 5.5.5.1 on F0/1. All subnets are /24. We'll first set up local WDS services, then we'll set up WDS for other subnets. For simplicity's sake, the WDS and DHCP are on the same server.



You'll have to install DHCP BEFORE or WITH WDS. This is so that if WDS detects the DHCP role in the computer, it can automatically do the necessary changes. I will not walk through DHCP configuration, but here are the parameters for the two scopes:
VMnet4
IP Range: 4.4.4.10 - 4.4.4.254
Mask: 255.255.255.0
Gateway: 4.4.4.1

VMnet5
IP Range: 5.5.5.10 - 5.5.5.254
Mask: 255.255.255.0
Gateway: 5.5.5.1

Global
DNS: 4.4.4.2

The 5.5.5.0/24 scope is not required right now, but just put it in anyway because you'll have to set it up to give an IP for VMnet5 clients later on.

Now move on to Start - Administrative Tools - Windows Deployment Services. At this point you shouldn't have anything running in the server. Your WDS console would look like this:



Right-click on your server and click on Configure Server to launch the initialization wizard. Click next till you're at this screen:



This is the folder where WDS would store your images. When we talk about Unattended installations later on, this is also where we store the .xml configuration files. Microsoft does not recommend storing these files on the primary HDD, but we're going to do that anyway.

In the next window, you'll have the option to add Option 60 and to Ignore Port 67. We will need to tick both since WDS and DHCP are running on the same server.



For simplicity's sake, select to allow all clients at the next window.

Now we'll have to put in Install and Boot images. These images can be found on the operating system's respective CD/DVDs. For our case, we'll deploy Windows Server 2008 x64 servers, so pop the W2K8x64 DVD into the drive.

To add Install images, right click on Install Images and click Add Install Images. Next, browse to X:\sources\ and select install.wim where X is your DVD drive name. Follow through the Wizard and you should end up with an image group and some images in it.



Do the same for Boot Images, except that now you select X:\sources\boot.wim.



Right now you should be able to deploy your first PXE client. We'll try to do one in the same subnet first. When booting up, hit F12 to boot from network. You should boot into the boot.wim image automatically. The client we're using is labeled Internal PXE on the topology.



Now that we're done with internal clients, how about external ones? Since PXE relies on DHCP, you'll have to relay the DHCP and PXE packets from external clients to the server, the same way you would normally relay DHCP: with ip helper-address on the client-facing interface:
interface FastEthernet0/1
ip helper-address 4.4.4.2


Boot up an external client at the location labeled External PXE and it should be working fine!

Thursday, May 20, 2010

Misc 25

By default only the Administrator user has a mailbox. Now we'll go through a quick example of creating a mailbox for a user, then go through setting up two clients.
In versions of Exchange prior to 2007, mailboxes were defined from within Active Directory Users and Computers. In 2007, Microsoft separated management of Exchange into its own console. For 2010, we'll have to use the Exchange Management Console, accessible from the Start menu.



From here, click on the second item and wait for the server to initialize itself. When it's done, browse on over to Recipient Configuration - Mailbox. Click on New Mailbox. The following wizard should be quite simple to follow through.



Now you should have two mailboxes which you can play with. I'll assume that you've set your DNS appropriately (e.g. to the Domain Controller of your site). Now we'll proceed to a client computer and launch Microsoft Office Outlook 2007.

From the New Email Account wizard, select the first option to connect to an Exchange server.



Select manually configure and proceed.



Finally, click on Microsoft Exchange and complete the form that follows. It should be pretty self-explanatory for you.



Now your computer should be connected to the Exchange Server. Mail can now be sent and received. You can first try sending yourself one.



Now, it's the ultimate test. First, send a mail to the Administrator account using the format Administrator@yourdomain.com. How do you check it? You can use another computer's Outlook, or you can use this as a good chance to test your Exchange Web App (OWA). To access it, simply use https://yourdomain.com/owa/ or whatever other format you specified during installation. Remember that HTTPS is required on 2007 and 2010 by default; you would not be able to connect through HTTP.

Now, if you left the settings at default, OWA should be using form-based login like Hotmail.



Check out your achievements!

Wednesday, May 19, 2010

Misc 24

For this entry or perhaps the next one, I will go into installation and perhaps setting up of a simple Exchange Server. For this purpose, I will be using a vanilla Windows Server 2008 Enterprise x64 and Exchange Server 2010.
For your Exchange Server to store user information, it needs a database. This database comes in the form of Microsoft's Active Directory. The first thing you need to do for a vanilla Windows Server 2008 Enterprise x64 is to set up the ADDS (Active Directory Domain Services) role.

For this simple example, I will be using the domain controller hostname of DC01. The domain I will be using is syraxius.com. The domain controller is in the 152.226.152.x/21 network and it has the IP address of 152.226.152.33.

At first when you pop the Exchange Server 2010 CD into the system, you will be presented with an autorun page with various steps. You'll have to fulfill all but the last step for Exchange Server to properly handle your mails.

I'll now break down the steps and consolidate the resources. The first step is to install .NET Framework 3.5 SP1. This part is pretty straightforward. Simply get the installation file from here. This file, of course, was obtained from this page.

Next, you would have to download Windows Management Framework Core for Windows Server 2008 x64. This installs PowerShell 2.0 and the ISE.

Choose your language options and continue. This is all, right? No. If you proceed with the installation, you would be prompted to upgrade to SP2. Move along and grab your update from here. It will take forever so go grab a bag of chips and watch a movie in the process.

You shouldn't continue reading until you're on SP2 and above.

So now that you're reading this paragraph... Congratulations! It's time to proceed to the next phase of torture... I mean installation. Now, begin the installation process and you'd be prompted for some details. For our purpose, select Typical Installation.



The next question asks for the name of your organization. For our purpose I'll use Syraxius. You can choose anything you like. Note that this name will appear in some of your certificates.



Now you'll need to set the compatibility option for older Outlook versions. If you belong to the newer generation, select No.



Next we choose the URL where clients will access the web interface from. This is optional but in this case I'll enter one for the next article.



Skip ahead by pressing Next a few more times and you would be presented with a list of TODOs. Hah, didn't think it would be so easy did you? Now, here's a list of things you need to install:

IIS Role
IIS 7 .NET Extensibility
IIS 7 Basic Authentication
IIS 7 Windows Authentication
IIS 7 Digest Authentication
IIS 7 Static Content Compression
IIS 7 Dynamic Content Compression
IIS 6 Metabase Compatibility
IIS 6 Management Console

Features
.NET Framework 3.0 Features\WCF Activation\HTTP Activation

As for Net. Tcp Port Sharing service, click on Start and type Services.msc in the search bar. Change Net. Tcp Port Sharing service to automatic from the properties page.

Finally, move over to Microsoft's site to grab 2007 Office System Converter: Microsoft Filter Pack.

You're done! Complete the installation and I'll see you in the next article.

Monday, May 17, 2010

Misc 23

IPTables was designed together with Netfilter. It is a replacement for the legacy IPChains. IPTables is compiled into the kernel and cannot be removed unless the kernel is recompiled.
IPTables is used primarily for filtering. There are two main paths a packet can take. Below is a simplified flowchart:



Notice that there are only two main paths a packet can take:
1) For packets destined FOR the machine, it would move through PREROUTING - INPUT - Program. Packets originating from the machine would move through Program - OUTPUT - POSTROUTING.
2) For packets destined THROUGH the machine, it would move through PREROUTING - FORWARD - POSTROUTING.

When a packet first enters the system, it goes into the PREROUTING chain. INPUT, OUTPUT, FORWARD and POSTROUTING are also chains. For a packet to be successfully transmitted, it must be accepted in ALL chains it passes through. Therefore, for a packet to be forwarded through the system, it must be accepted by the PREROUTING, FORWARD and POSTROUTING chains.

In each chain, there is an implicit policy. The policy can be either ACCEPT or DROP. This is similar to the implicit deny entry at the bottom of every Cisco ACL, except that you may change it to an implicit permit. If no entry in the chain matches, the default policy is applied. This is an example of how to change INPUT's policy to ACCEPT and OUTPUT's policy to DROP:
iptables -P INPUT ACCEPT
iptables -P OUTPUT DROP


Now we'll begin to work through examples with this topology shown here:


In this topology, we have a Webserver in the inside network that runs both HTTP and HTTPS services. The Routing Server acts as the firewall between the Webserver and the hostile internet network. Here is the breakdown of the interfaces:
Routing Server - eth0 - 152.226.152.33
Routing Server - eth1 - 192.168.1.1
Webserver - eth0 - 192.168.1.2

Before we begin, we must load some modules into the kernel. To do this, we first generate .dep files for all modules. Type this as a privileged user:
depmod -a

Now that the module dependencies are generated, we can load the modules. We will be doing routing, PAT and static NAT, so we'll load these modules:
modprobe ip_tables
modprobe ip_conntrack
modprobe iptable_filter
modprobe iptable_mangle
modprobe iptable_nat
modprobe ipt_LOG
modprobe ipt_limit
modprobe ipt_state
modprobe ipt_MASQUERADE


Finally, we'll enable IPv4 routing by writing a "1" to the IP Forward process file like this:
echo "1" > /proc/sys/net/ipv4/ip_forward

Right now we can test connectivity by attempting to ping the internet interface of the Routing Server from the Webserver:
ping 152.226.152.33

You should get replies at this point. If you don't, make sure that the Webserver has the correct default gateway set. However, pings will not work to the 152.226.64.11 server because it does not know how to route back to 192.168.1.2. At this point, we'll need to do some NATting.

Before we do anything, we'll set up the policies. It is best practice to set INPUT, OUTPUT and FORWARD to DROP by default. Then ACCEPT the protocols that you need. First we'll flush all chains of all entries, then set the policy to DROP:
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP


At this point your pings will no longer go through because there is nothing that ACCEPTs it. We'll create a new chain that permits ICMP. We first create the new chain with the -N parameter like this:
iptables -N ACCEPTICMP

Next we add the entry with the -A parameter, and specify that we ACCEPT ICMP as the transport protocol:
iptables -A ACCEPTICMP -p icmp -j ACCEPT

The -p option specifies the transport protocol. Other options include tcp and udp. The -j option means JUMP. You can JUMP to an action (ACCEPT/DROP) or to another chain, which I'll demonstrate later. Right now we have a new chain named ACCEPTICMP that accepts packets using ICMP transport.

Now we'll make another entry that permits HTTP and HTTPS traffic for both source and destination ports:
iptables -N ACCEPTWEB
iptables -A ACCEPTWEB -p tcp --sport 80 -j ACCEPT
iptables -A ACCEPTWEB -p tcp --dport 80 -j ACCEPT
iptables -A ACCEPTWEB -p tcp --sport 443 -j ACCEPT
iptables -A ACCEPTWEB -p tcp --dport 443 -j ACCEPT


To specify the source port (--sport) and destination port (--dport), you'll need to specify the protocol as well.

Now we'll insert the chain in INPUT, OUTPUT and FORWARD like this:
iptables -A INPUT -j ACCEPTICMP
iptables -A INPUT -j ACCEPTWEB
iptables -A OUTPUT -j ACCEPTICMP
iptables -A OUTPUT -j ACCEPTWEB
iptables -A FORWARD -j ACCEPTICMP
iptables -A FORWARD -j ACCEPTWEB


In this way, instead of directly accepting the packet, the built-in chain jumps into the ACCEPTICMP chain. If nothing in ACCEPTICMP accepts it, processing returns and moves on to the ACCEPTWEB chain. If there is still no ACCEPT match, the default policy applies.

Now you should be able to ping the internet interface of the Routing Server once again, but you're short of one more thing: PAT. To do PAT, you'll typically have to do it in the POSTROUTING chain. To enable PAT/NAT, you'll have to jump the packet to an action called "MASQUERADE". This is the typical implementation:
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE

What the line says is that in the NAT table (-t nat) of the POSTROUTING chain, if the output interface (-o) is actually eth0, then masquerade (NAT) it. Recall that the output interface is eth0. The only time a packet is going out of eth0 is when a packet is destined for the internet, so the packet will only be masqueraded when it's destined for the outside.

Notice that I mentioned the NAT table of the POSTROUTING chain. What!? First there's chains, now there's tables!? It is actually part of a deeper concept which is omitted from the simplified diagram.

Now pinging and HTTP/HTTPS access should work as the outgoing packets will be translated into the interface IP of Routing Server's eth0 (152.226.152.33).

Now, notice that the inside server is actually a WEB server. This means that it must be accessible from outside for it to be of any use. In a Cisco router, this is done through a static NAT. In this case, we make use of the DNAT action. The DNAT action allows you to specify conditions under which a packet's destination is translated to a specified IP. In this case, anything reaching 152.226.152.33 from eth0 with the destination port of 80 or 443 should have its destination translated to 192.168.1.2. These two lines do this perfectly:
iptables -A PREROUTING -t nat -p tcp --dport 80 -i eth0 -j DNAT --to-destination 192.168.1.2
iptables -A PREROUTING -t nat -p tcp --dport 443 -i eth0 -j DNAT --to-destination 192.168.1.2

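To see how the chain traversal above actually decides a packet's fate, here is an added example (not from the original post) that models the filter-table walk: built-in chains, user-defined chains, -j jumps that fall through when the sub-chain has no verdict, and the chain policy at the end. Packet and Rule are constructed classes for this model; they match only on protocol, source port and destination port.

```python
# Added example: a minimal model of iptables filter-table traversal, used to
# check the ACCEPTICMP/ACCEPTWEB ruleset built in this post offline.
# Packet and Rule are constructed for this model, not real iptables objects.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "icmp", "tcp" or "udp"
    sport: int = 0        # source port (0 for icmp)
    dport: int = 0        # destination port (0 for icmp)


@dataclass
class Rule:
    target: str                        # ACCEPT, DROP or a user-defined chain
    proto: Optional[str] = None        # -p
    sport: Optional[int] = None        # --sport
    dport: Optional[int] = None        # --dport

    def matches(self, pkt: Packet) -> bool:
        # An unset field matches anything, just like an omitted iptables option.
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.sport is None or self.sport == pkt.sport)
                and (self.dport is None or self.dport == pkt.dport))


class FilterTable:
    BUILTIN = ("INPUT", "OUTPUT", "FORWARD")

    def __init__(self) -> None:
        self.chains: Dict[str, List[Rule]] = {c: [] for c in self.BUILTIN}
        self.policy: Dict[str, str] = {c: "ACCEPT" for c in self.BUILTIN}

    def new_chain(self, name: str) -> None:          # iptables -N
        self.chains[name] = []

    def set_policy(self, chain: str, verdict: str) -> None:   # iptables -P
        self.policy[chain] = verdict

    def append(self, chain: str, rule: Rule) -> None:  # iptables -A
        self.chains[chain].append(rule)

    def verdict(self, chain: str, pkt: Packet) -> Optional[str]:
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            # Jump into a user chain; if it ends without a verdict, continue
            # with the next rule of this chain (the walk "returns").
            sub = self.verdict(rule.target, pkt)
            if sub is not None:
                return sub
        # Built-in chains end with their policy; user chains end with None.
        return self.policy.get(chain)


def build_ruleset() -> FilterTable:
    """The ruleset from this post: DROP policies, ACCEPTICMP and ACCEPTWEB."""
    fw = FilterTable()
    for chain in FilterTable.BUILTIN:
        fw.set_policy(chain, "DROP")
    fw.new_chain("ACCEPTICMP")
    fw.append("ACCEPTICMP", Rule("ACCEPT", proto="icmp"))
    fw.new_chain("ACCEPTWEB")
    for port in (80, 443):
        fw.append("ACCEPTWEB", Rule("ACCEPT", proto="tcp", sport=port))
        fw.append("ACCEPTWEB", Rule("ACCEPT", proto="tcp", dport=port))
    for chain in FilterTable.BUILTIN:
        fw.append(chain, Rule("ACCEPTICMP"))
        fw.append(chain, Rule("ACCEPTWEB"))
    return fw


def forward_verdict(pkt: Packet) -> str:
    """Verdict the FORWARD chain gives to a packet under the post's ruleset."""
    return build_ruleset().verdict("FORWARD", pkt)


if __name__ == "__main__":
    samples = (Packet("icmp"),
               Packet("tcp", 40000, 443),   # client to the web server
               Packet("tcp", 40000, 22),    # SSH to the inside: dropped
               Packet("tcp", 80, 22))       # source port 80 to SSH: accepted!
    for pkt in samples:
        print(pkt, "->", forward_verdict(pkt))
```

The last sample shows the cost of matching on --sport: any TCP packet whose source port is 80 or 443 is accepted to every destination port, which is why return traffic is normally allowed with the ip_conntrack/ipt_state modules loaded earlier (a state match on ESTABLISHED) rather than with a source-port match.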

When you're done, use the command:
iptables-save > Save.ipt

The next time you want to run iptables, simply type:
iptables-restore < Save.ipt

Sunday, May 16, 2010

CCNA Security 12

In network security, you will encounter both the IDS and the IPS. IDS stands for Intrusion Detection System, and IPS stands for Intrusion Prevention System. From the names, it sounds as if an IDS can only detect an intrusion, while an IPS can actually stop it. This, however, is a misconception.
Both the IDS and IPS can mitigate intrusions. According to Cisco, an IDS is a device that does not sit inline with traffic, and an IPS is a device that does. Since the IPS is inline with the traffic, it is able to deal with malicious traffic itself. On the other hand, an IDS typically notifies another device to take action when malicious traffic is detected.

Note that being inline means that it is in the direct flow of the traffic. An IPS being inline with traffic means that the traffic actually passes through it. IPS reads the actual data, while IDS reads a mirror of the data. An IDS is said to be running in promiscuous mode.

IDS and IPS identify the traffic based on:
Policy - A configured policy may ban an IP address, port, or URL.
Signature - A signature matches byte patterns of known attacks.
Anomaly - A baseline of "normal" traffic is taken and deviations trigger the device.

Signature matching is the most widely deployed detection method. There are different types of signatures, such as DoS signatures, Exploit signatures and Connection signatures (stateful inspection). String signatures make use of regular expressions to detect suspicious activity.

Signatures are stored as SDF files (Signature Detection Files). These files are dynamically updated to protect against new threats. You can also use attack-drop.sdf, which is designed to fight the latest network threats. attack-drop.sdf is a static file. You can load SDFs from flash memory or a URL.

A group of related signatures makes up an SME. SME stands for Signature MicroEngine. When a packet is deemed malicious, there are a few actions that can be taken:
Drop - Drop the packet
Reset - Reset the TCP session
Block - Block the IP address
Log - Send a syslog, SNMP or SDEE trap. SDEE is an application-layer protocol designed to carry IPS messages between a client and a server.

A signature can be edited in SDM. This is known as signature tuning. Signature tuning is necessary when there are too many false positives. Signatures can be disabled and enabled on an individual basis in SDM.

There are two places you can deploy an IPS: In a network device, or in a host. When deployed in a network device, it's known as a NIPS (Network IPS). Likewise, when deployed in a host, you have a HIPS (Host IPS).

A honeypot is a device created to invite attacks on a server. A honeypot lures attackers away from production servers. A honeypot is also useful for gathering statistics about new attacks and for creating signatures.

IPS requires a minimum of 128MB of memory on your router. In this case, a 2811XM is perfect.

IPS can be configured from the Configure tab. To begin, click on Launch IPS Rule Wizard.


When you first click on Launch IPS Rule Wizard, it would tell you that SDEE will be enabled.


The IPS Policies Wizard will be run. Note the inconsistency of the window names.


Next, you would have to select the outside interface.


The next page would be where you select your SDF files. If you do not add SDF files, it would use the IOS built-in signatures as backup. You can actually load an SDF from a network location.


Note that there is an autosave option. The autosave option will automatically try to save the signature file when there is a signature change.

The commands to enable IPS on a router are:
!Specify the location of the SDF file
ip ips sdf location flash://256MB.sdf

!Enable SDEE notification
ip ips notify SDEE

!Name the IPS rule
ip ips name IPS_RULE

!Enable Virtual Reassembly on interfaces
interface Loopback0
ip virtual-reassembly
interface FastEthernet0/0
ip virtual-reassembly

!Apply IPS rule to F0/1
interface FastEthernet0/1
ip ips IPS_RULE
ip virtual-reassembly


An IDS/IPS would not be able to properly match a signature if an attacker heavily fragments packets. VFR, or otherwise "Virtual Fragmentation Reassembly", is a feature that allows fragmented packets to be reassembled on the device before being forwarded. When the heavily fragmented packets are reassembled on the router, it would allow signatures to be matched. VFR protects against Tiny Fragment attacks, Overlapping Fragment attacks and Buffer Overflow attacks.

When IPS is compiling a new signature for an engine, it allows packets to pass through the router. A well-informed attacker may take the opportunity to slip some packets into the network. To prevent this, you can tell the IPS to block all traffic while the SMEs are being recompiled. To do this, Enable Engine Fail Closed mode from Configure - Intrusion Prevention - Edit IPS - Global Settings - Global Engine.


As mentioned earlier, you can log to SDEE. The SDEE log can be found in Monitor - IPS Status - SDEE Log.


You can also proceed to Monitor - Logging - SDEE Message Log


You can modify certain IPS signature settings from Configure - Intrusion Prevention - Edit IPS.


Notice the severity column. The severity is the severity of the logging.

In IOS, you can see a summary of applied IPS settings using:
show ip ips configuration

Note that the IPS version 4.x signature format is being discontinued. The new 5.x signature format is in effect as of IOS 12.4(11)T.

Monday, May 3, 2010

CCNA Security 11

We have two options for configuring the enable password (privileged mode password). These are:
enable password cisco
enable secret cisco


The difference between the two is that enable password is stored in plaintext in the running-configuration, while enable secret stores a hashed (MD5) copy of the password.

When both the enable password and the enable secret are configured, the secret takes precedence. The only reason enable password is left in the IOS is backward compatibility with old configurations.

There are several security features in IOS password fields:
1) No echoing of the password
2) Timeout after inactivity
3) Maximum retries

When the enable secret is enabled, you will receive a "% Bad secrets" message for a failed privilege mode login. This will not appear if you only use enable password.

Passwords like enable password, VTY/CON/AUX and local database passwords are shown in cleartext in configuration. To prevent shoulder surfing attacks, we should use Cisco's built-in password encryption service:
service password-encryption

However, this uses Cisco's Type-7 (Vigenere) encryption which is easily reversible using online tools like IFM - Cisco Password Cracker.

A good password has a minimum length of 8 characters and mixes upper and lower case letters, numbers and symbols. It is more effective to have numbers throughout the password than only at the end.

To set the minimum length in IOS, go to global configuration and type:
security password min-length 8

To create a user with secret in the local database, use:
username cisco secret 0 cisco

MD5, otherwise known as Message-Digest Algorithm 5, is considered partially insecure by some security experts. It produces a 128-bit hash value from a variable-length data string. MD5 was preceded by MD4, which was a non-secure algorithm.

There are readily available "rainbow tables" online which can reverse MD5 hashes. Salting is the addition of random bits to the password before hashing, to defend against rainbow tables and brute force.

Adding a few extra bits into the password would result in a dramatically different output. This is due to MD5's avalanche effect. This is also one of the characteristics of block ciphers discussed in the previous article.

Time synchronization is very important in routers. Having synchronized time allows you to troubleshoot much easier with logging services like syslog. AAA's logging is also dependent on the router's time. Digital certificates also rely on accurate, synchronized time.

Time synchronization is typically done through NTP. NTP uses UDP port 123. A Cisco router can act as a NTP server, client or peer. NTP uses a hierarchical structure for time propagation. At the top of the hierarchy is a stratum 0 atomic clock. A Cisco router cannot get its time from a stratum 0 clock. Typically, a stratum 1 time server synchronizes with an atomic clock, and a Cisco router in turn gets its time from such a time server making it stratum 2.

The NTP server is the one which gives NTP clients the correct time. NTP clients can synchronize with multiple servers to get an averaged time. NTP peers are clients which synchronize with each other.

Recall that digital certificates rely on accurately synchronized time. A known DoS attack is to attempt to desynchronize the authentication server's time by spoofing NTP packets. To protect against spoofed packets, NTPv3 should be used. NTPv3 supports cryptographic authentication.

If you use one of your routers as the NTP master, you can use NTP authentication and/or ACLs to prevent attackers from synchronizing with your router or desynchronizing its clock.

To verify the system's clock, use:
show clock

You can change your timezone using:
conf t
clock timezone SGT +8


To set daylight saving time, use:
clock summer-time EST recurring

To change the system clock, use:
clock set 17:56:45 May 03 2010

To set up the router as NTP master (server), use:
ntp master

To set up authentication, turn it on with:
ntp authenticate

Then set the authentication-key with:
ntp authentication-key 1 md5 cisco

Now we have a working NTP master server. We are now going to set up authentication on a client. NTP synchronization is known to take a long time; in a production environment it may take up to tens of minutes. To debug NTP, type:
debug ntp events

To specify an NTP server from a client, use:
ntp server 192.168.1.1

At this point, your clock should be authenticated and synchronized even without setting up authentication. To check the NTP servers you have synchronized with, use:
show ntp associations

NTP authentication is actually different from other authentications. Instead of the server authenticating the clients, the clients actually authenticate the server. This allows the clients to validate the genuineness of the time-source.

Now we're going to set up NTP peering between R1 (172.16.1.1) and R2 (172.16.1.2). To do this, go to R1 and type:
ntp peer 172.16.1.2

Then go to R2 and type:
ntp peer 172.16.1.1

If you have multiple NTP clocks, you can use the prefer command to prefer a more accurate clock:
ntp server 192.168.1.1 prefer

UTC stands for Coordinated Universal Time. If you're wondering why it isn't CUT: English speakers wanted CUT, while French speakers wanted TUC. The compromise was UTC.

Telnet is a versatile tool to communicate with any terminal-enabled device like routers or Linux systems. However, Telnet communication is done in cleartext and is prone to MITM.

SSH is like Telnet but has encrypted traffic. In Cisco routers, SSH needs to use the local database or AAA for authentication. SSH does not allow a simple password. To configure the local database, use:
line vty 0 4
login local
transport input ssh


We then create a simple username/password database:
username cisco password cisco

For SSH to really work, you need to set your domain and generate a key. To set a domain, use:
ip domain-name syraxius.ath.cx

To generate a key, use:
crypto key generate rsa

A secure key length is 1024 bits or more. Each bit added to the key size would double the security. This is because the number of iterations required during a brute-force attack is 2^n, where n is the key size.

There are various SSH commands. You can set the time-out value in SSH. Time-out in SSH is specified for the negotiation phases (certificate exchange, login, etc). Once the EXEC session starts, standard timeout values specified in VTY configuration applies. To set the time-out, type:
ip ssh time-out 20

You can also set the maximum login retries through:
ip ssh authentication-retries 5

You can still use the access-class command to restrict who can telnet/SSH in. To do this, specify the allowed traffic:
ip access-list standard SSHPERMIT
permit 192.168.1.0 0.0.0.255
line vty 0 4
access-class SSHPERMIT in


There are a few reasons to create network banners. Banners can be used to notify users of various planned network outages. Banners can also be used to warn potential attackers and specify penalties for unauthorized access.

To set a banner, use:
banner motd $
====================================================
Network is going down tonight at 8PM for maintenance
====================================================$


The banner MOTD is shown regardless of whether login is required. If both a banner MOTD and login is set, then the MOTD is shown first. To set a login banner:
banner login $Unauthorized login is not allowed!$

After a user is successfully authenticated, the EXEC banner is shown. To do an EXEC banner, use:
banner exec $
You have logged into the system.
If you do not have permission to
be at this prompt, log off immediately.
$


The industry-standard Security triad is:
C - Confidentiality
I - Integrity
A - Availability

Confidentiality attacks involve two kinds of confidentiality: A compromise of the system's data confidentiality, and the confidentiality of the attack.

Integrity attacks are attacks that modify data while in transit. This is typical of a MITM attack.

Attacks against availability are attacks that cause a server to not be able to handle requests from legitimate users. DoS attacks are attacks against availability.

A DoS attack is an attack designed to prevent legitimate users from accessing network resources. A DDoS attack does exactly the same thing, but is launched from multiple sources.

A DDoS attack typically begins by infecting a large number of computers. These computers are referred to as zombies, and a collection of zombies is known as a botnet. The infected computers launch a coordinated attack at a target from multiple sources at a pre-programmed time.

A typical DoS attack is a SYN-flooding attack. A SYN-flooding attack sends many SYN packets to a server with spoofed source IP addresses. The server is left with a large number of half-open connections, each of which takes up resources. When there are enough of these connections, the server is no longer able to handle new requests.

TCP intercept is a defense against SYN flooding. The router answers SYN requests on behalf of the server and only opens a connection to the server once the client completes the handshake; it then merges the two half-connections into one session. To turn on intercept mode, use:
ip tcp intercept mode intercept

There are two modes that TCP intercept can be in. The default is the intercept mode which is described above. The other mode, the watch mode, allows the SYN packets to pass through. If the connection isn't completed within 30 seconds (by default), it sends a RST packet to the server to clear resources. To change the watch timer, use:
ip tcp intercept watch-timeout 15

You have to specify the packets to be intercepted. To intercept all packets going to a particular server, first create an extended access-list like this:
ip access-list ext TCPINTERCEPT
permit ip any host 192.168.1.1


Then apply the access-list to the TCP intercept process:
ip tcp intercept list TCPINTERCEPT

The maximum number of incomplete connections allowed in intercept mode is 1100. By default, the oldest connections are dropped once the count exceeds 1100. You can also change the drop behaviour to random by using:
ip tcp intercept drop-mode random

There are certain TCP intercept issues in production. It is recommended to check the documentation before using it in your network.

Pings can be really innocent things, but they can also be used for sweeping. A Ping Sweep (using programs like Angry IP Scanner) is used to ping an entire segment for live hosts. A Ping Sweep is known as a vertical scan.

Another attack used with a Ping Sweep is a Port Sweep. Port Sweeps are typically done using programs like NMAP. NMAP allows scanning of a host's open ports as part of reconnaissance. This information can then be used to determine the operating system in use, and the exploits which could be launched against it.

Ping of Death is a type of pinging which uses 65535 byte packets. Some Ping of Death attacks allow usage of packets larger than 65535 bytes (which are fragmented before being sent and reassembled by the receiver), which could cause serious problems like BSODs on the receiving machine.

Invite of Death is named after the POD but it's a type of attack on Voice networks.

Ping floods can harm the intended target by taking up bandwidth. The target would also need to use up its resources to process the Echo Packets and craft the corresponding Echo Reply packet. The resulting Echo Reply uses up even more bandwidth.

A Smurf attack uses the IP address of the intended victim as the source address of a flood of ICMP Echo packets. A Smurf attack can be used to send ICMP packets to a directed broadcast address, which causes all hosts in the subnet to send Echo Replies to the intended victim.

The first step in any security policy is to start locking up equipment.

IP Spoofing can be used against your network in a few ways. IP Spoofing can be used to inject malicious code or commands into your network, or to trick legitimate hosts into sending sensitive data to the attacker. IP Spoofing can also be used as part of a reconnaissance attack.

A person can hijack an existing TCP session by listening to the sequence numbers of a current TCP session. If an attacker sends in an ACK before another legitimate ACK, he can take over another host's connection. The host's connection would then be invalidated due to wrong sequence numbers.

If the attacker is in the same subnet as the target, he can observe the sequence numbers directly; this is known as non-blind spoofing. If the attacker is external, he has to guess the sequence numbers, which is known as blind spoofing.

To defend against spoofing, we should block all packets with RFC 1918 source addresses at the ingress interface. The full list of prohibited source addresses is defined in RFC 3704:
-0.0.0.0/8
-10.0.0.0/8
-127.0.0.0/8
-172.16.0.0/12
-192.168.0.0/16
-224.0.0.0/4
-240.0.0.0/4

This blocking method is sometimes referred to as "2827 filtering" or "3704 filtering". The exam would require you to know the source addresses to block but would not test on the details in the RFCs. The general guideline is to do RFC 3704 Filtering on the outside network, and do encryption and authentication inside.
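An ingress ACL that applies the prefix list above to an Internet-facing interface, added here as a worked example rather than the post's own configuration. The interface name Serial0/0 and the assumption that our own inside network is 192.168.1.0/24 (so packets claiming that source from outside are also spoofed) are constructed for the example.

```cisco
! Constructed example: RFC 3704 style ingress filter
ip access-list extended RFC3704-IN
 ! our own inside prefix must never arrive from the outside
 deny   ip 192.168.1.0 0.0.0.255 any log
 ! the prohibited source ranges listed above (wildcard masks derived from the prefix lengths)
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip 240.0.0.0 15.255.255.255 any log
 ! everything else is left to the rest of the security policy
 permit ip any any
!
interface Serial0/0
 description Link to ISP (assumed outside interface)
 ip access-group RFC3704-IN in
```

The log keyword makes each spoofed packet produce a syslog message, which is what you want for detection; on a single-homed link, ip verify unicast source reachable-via rx (unicast RPF) gives the same protection without maintaining the list by hand.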

IP Source Routing allows the sender to dictate the path a packet takes to arrive at the destination and to return to the source. IP Source Routing is enabled by default on all Cisco routers, so it should be disabled if it's not in use. To disable IP Source Routing, type:
no ip source-route

There are two kinds of source routing defined in RFC 791. With Loose Source Routing only a portion of the end-to-end path is hardcoded, while with Strict Source Routing the entire end-to-end path is hardcoded.

Packet Sniffers allow attackers to pick packets off wires for examination. Packets that are plaintext are most prone to sniffing. Protocols like HTTP, Telnet and PAP are examples of cleartext protocols.

Queries allow attackers to do enumeration on the network. Queries such as DNS queries, SQL queries and Internet Information queries are examples of query types that can be used for enumeration.

Apart from high-tech attacks, attackers can employ techniques like social engineering, shoulder surfing and dumpster diving to gain access to a network. People like Jerry Schneider actually managed to start companies using equipment obtained from dumpster diving.

Password attack is an overall term used for illegally obtaining a password. This was covered in the previous article. A brute-force attack is an attack that uses a program to try out all possible combinations. The deterrent to a brute-force attack is to use long passwords drawn from a large character set.

A dictionary attack is an attack that makes use of a list of common words. These words are typically tried in different letter cases, and numbers are typically appended at the end.

A trojan horse is any program that is disguised as a legitimate program. Trojan horses can do things like capturing passwords. Trojan horses can perform data diddling, in which what is shown on the screen is not what is actually done and saved.

Keyloggers can also capture passwords, but they typically turn sessions into transcripts before sending it to the attacker.

A salami attack is a combination of small attacks that adds up over time. A salami attack works on the thought that you can steal a thin slice of salami daily without the owner noticing the missing salami. Over time you can make up a whole salami.

A trust exploitation is when an attacker uses an already-existing trust relationship within a network. Using a web-server in the DMZ to attack the datastore is an example of a trust exploitation. Another type of trust exploitation is Port redirection.

In Cisco IOS, you can make use of a privilege level system with privilege levels between 0 and 15. Privilege levels allow assignment of commands to a level, and each command can only belong to one level. A user logged in at a particular level can use the commands available for his current level and below.

An alternative to privilege levels is the Role-based CLI. To create views, we need to enable AAA. This is done with the same old:
aaa new-model

A Superview can be a child of more than one View. Logging into a Superview allows that user to execute all commands contained in all Views that the Superview is a child of. However, deleting the Superview will not affect the Views. Commands can only be assigned to Views, not Superviews.

For example, you can make two views:
View #1: show ip route
View #2: show running-config

Views are not limited to only one command, but in this case it is to simplify things. We can create a Superview to be a child of View #1 and #2 to allow an administrator to run both "show ip route" and "show running-config".
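The two views and the superview described above, written out as a worked configuration. This is an added example, not the post's own config; the view names, the constructed secrets and the username alice are assumptions.

```cisco
! Constructed example: two single-command views plus a superview
aaa new-model
! the root view is entered with "enable view", which requires the enable secret
enable secret RootSecret1
!
! View #1 may only run "show ip route"
parser view ROUTEVIEW
 secret View1Secret
 commands exec include show ip route
!
! View #2 may only run "show running-config"
parser view CONFIGVIEW
 secret View2Secret
 commands exec include show running-config
!
! the superview inherits both command sets; commands are never assigned to it directly
parser view ADMINVIEW superview
 secret SuperSecret1
 view ROUTEVIEW
 view CONFIGVIEW
!
! bind a local user to the superview so the view is selected at login
username alice view ADMINVIEW secret AliceSecret1
```

Verify with show parser view (from the root view, show parser view all lists every view); deleting ADMINVIEW with no parser view ADMINVIEW leaves ROUTEVIEW and CONFIGVIEW intact, as the text says.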

AutoSecure was introduced in IOS 12.3. There are two modes:
-Interactive allows the administrator to customize certain elements. He will be prompted for inputs similar to running Setup mode. This allows you to configure things like SSH, enable secrets etc.
-Non-interactive, on the other hand, uses all Cisco's recommended settings. Depending on your company's security policies, this may be too secure for your network.

By default, Finger, PAD, BOOTP, HTTP Services, IDENT, CDP, NTP, IP Source Routing, TCP and UDP Small Servers are disabled by AutoSecure.

Interface-level services like Proxy ARP, IP Directed Broadcasts, MOP, ICMP Redirects, Unreachables and Mask Replies are also disabled.

Services like password-encryption and TCP keepalives are enabled by AutoSecure. AutoSecure also sets the logging buffer size, enables logging sequence numbers and configures console logging. AutoSecure also prompts you to create a banner, and passwords are applied to all lines.

If SNMP is not in use, Interactive would ask if the admin would want to disable SNMP. If Non-Interactive mode is used, SNMP would be disabled if community strings are default.

If AAA is not already in use, it will be enabled and Accounting would have sequence numbers and timestamps enabled. The logging console critical, logging buffered and logging trap disabled commands are also enabled.

CEF is also enabled if available and 3704 Filtering is applied. Default route would point to Null0 if not already configured, and TCP Intercept would be enabled if available.

The two ways to run auto-secure are:
auto secure full
auto secure nointeract


Apart from CLI solutions, you can also automatically secure your router through the SDM. There are two tools available: One-Step Lockdown and Security Audit. Both can be accessed from Configure > Security Audit.

Security Audit would present you with a checklist of recommendations, while One-step Lockdown would perform similar to AutoSecure Non-Interactive mode.

You can undo Security Audit/One-step Lockdown settings from SDM as well.

AAA configuration is not supported in SDM Security Audit. AAA will enable and prompt you to create a local database.

SNMP is meant to carry management data. SNMP also allows an NMS to send writes to the device to change its configuration. This makes SNMP a very sensitive protocol. SNMP v1 through v2c send community strings in cleartext. Community strings are like passwords, and there is an authority level associated with them (Read, Write, or Read+Write). SNMPv3 uses hash algorithms to authenticate and protect SNMP messages and should be used whenever possible.

Syslog has many configurable options. First, to enable syslog, we need to specify the location of the logging server. To do this, type:
logging 192.168.1.1

If you've read the previous articles, you'll know the severity level of the messages. Below is a list:
7 - Debugging
6 - Informational
5 - Notifications
4 - Warning
3 - Error
2 - Critical
1 - Alert
0 - Emergencies

To set the logging level, use:
logging trap error

In this case, anything at the error level (3) and below, i.e. the more severe levels 0 to 2, will be sent to the server.

The terms virus and worm are often used interchangeably. However, they refer to different things. A worm is a virus that is able to propagate itself to other hosts without human intervention. Of course, most worms would not execute themselves, so users still need to run them.

There is a relatively new feature from Cisco that is able to deter brute-force attacks. When there are more than a specified number of failed attempts, the router no longer accepts any logins, even legitimate ones. To enable this feature, type:
login block-for 60 attempts 5 within 30

This will trigger a quiet period of 60 seconds if there are 5 failed attempts within 30 seconds. To verify login configuration, type:
show login

The quiet mode can be used as a DoS attack to prevent administrators from logging into the router simply by spamming logins. To fix this, we can define IP addresses to be exempt from quiet-mode with an access-list. For example, if we want to exempt 192.168.1.0/24 from quiet-mode, we should use:
ip access-list standard EXEMPTQUIET
permit 192.168.1.0 0.0.0.255
login quiet-mode access-class EXEMPTQUIET


You can also log failed/succeeded logins using:
login on-failure
login on-success


By default it would generate SNMP traps.

Most application layer vulnerabilities are classified under buffer overflows. Even Cisco has been plagued with buffer overflow problems with their Firewall Authentication Proxy in 2005.

A buffer overflow is caused by an application that tries to store data beyond the capacity of a buffer. The extra data is written to adjacent memory, which could be another buffer or executable space.

Deep packet inspection at the network can prevent buffer overflows. The CSA (Cisco Security Agent) can also prevent buffer overflows from the end-system.

To lock up configuration and image, you can make use of Cisco IOS Resilient Configuration. To do this, type:
secure boot-config
secure boot-image


Only platforms with PCMCIA ATA support IOS Resilient Configuration. The files are not visible using "show flash". To see the backed-up files, use:
show secure bootset

By default, all lines have an inactivity timer of 10 minutes. To prevent this timer from expiring and kicking you back to the login prompt, you can go under line configuration mode and use:
exec-timeout 0