Archive for the ‘Cisco’ Category

ASCII art for MOTD

June 18, 2015

Awesome website.

No more boring disclaimers on your Cisco and Linux boxes!


Categories: Cisco, Linux

How to automate a change of NetBIOS settings in properties of a network connection in Windows

June 4, 2015

NetBIOS (NBT-NS) and LLMNR are a bad legacy in Windows from a security perspective: both answer name queries from any host on the local segment, so a machine on the same LAN can spoof the replies and harvest credentials. They should be disabled in all networks where DNS is a sufficient means of name resolution.

There are three options:
Read more…
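Here is an added example of the automation the post is about; it is not the original post's script. It uses the WMI method and registry values Windows itself exposes for these settings; the adapter and key names come from Windows, the run order and the verification step are mine.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): disable NetBIOS over TCP/IP on every adapter
# and turn off LLMNR, then verify. Run in an elevated PowerShell session.

# 1. NetBIOS over TCP/IP on IP-enabled adapters.
#    Win32_NetworkAdapterConfiguration.SetTcpipNetbios takes
#    0 = use the DHCP-supplied setting (default), 1 = enable, 2 = disable.
#    ReturnValue 0 means success.
$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
foreach ($a in $adapters) {
    $r = Invoke-CimMethod -InputObject $a -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
    "{0,-50} SetTcpipNetbios -> {1}" -f $a.Description, $r.ReturnValue
}

# 2. The WMI filter skips adapters that are currently down (disconnected NICs, VPN
#    adapters). The same setting lives per interface in the NetBT registry key
#    (NetbiosOptions, same 0/1/2 values), so set it on every existing interface key too.
$nbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem -Path $nbt | ForEach-Object {
    Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
}

# 3. LLMNR: the policy value behind the GPO "Turn off multicast name resolution"
#    (Computer Configuration > Administrative Templates > Network > DNS Client).
$dns = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
if (-not (Test-Path -Path $dns)) { New-Item -Path $dns -Force | Out-Null }
Set-ItemProperty -Path $dns -Name EnableMulticast -Value 0 -Type DWord

# 4. Verify: TcpipNetbiosOptions should read 2 on every adapter, EnableMulticast 0.
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
    Select-Object -Property Description, TcpipNetbiosOptions
Get-ItemProperty -Path $dns -Name EnableMulticast | Select-Object -Property EnableMulticast
```

Two caveats: a domain GPO writes the same DNSClient policy value and will overwrite a local change at the next refresh, so in an AD environment set it centrally; and if clients get "disable NetBIOS" via DHCP vendor option 001 you still want value 2 locally, because option-driven behaviour (value 0) only holds while the DHCP server keeps handing that option out.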

Recalling the basics – L2/L3 security

March 12, 2015

One person has just inspired me to resurrect in my memory some basics of LAN security.

It actually appeared to be quite challenging to get from L4-L7 issues (which I have been working with on a daily basis for the last couple of years) down to L2/L3 issues, which had certainly been part of my CCNP-related studies a while ago but then gave way to a risk-based approach. The latter, as you may know, means tackling security issues in decreasing order, from those presenting the highest business risk to those of lower priority. This makes perfect sense to any sensible person 🙂 including myself, but, despite the fact that L2 challenges are nowhere close to the top of my list of priorities in the current company, my ashamed engineering ego required satisfaction after I struggled to recall on the spot some basics about the IOS features related to DHCP Snooping.

So here we go – my refresher on DHCP Snooping, Dynamic ARP Inspection and IP Source Guard.

Read more…
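As an added example (not the original post's config), here is what the three features look like together on a Catalyst access switch, with the checks and the two caveats that usually bite: trust only the uplink, and give statically addressed hosts a binding. VLAN numbers, interface names, addresses and MAC are illustrative.

```text
! Added example (not from the original post). VLANs, ports, IP and MAC are illustrative.
!
! DHCP Snooping: learn IP/MAC/VLAN/port bindings from DHCP traffic. Only trusted ports may
! carry server replies (OFFER/ACK), so a rogue DHCP server on an access port is dropped.
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Persist the binding table; after a reload without it every host is unknown to
! DAI/IPSG until it renews its lease.
ip dhcp snooping database flash:dhcp-snoop.db
! Option 82 insertion is on by default; a relay/server that does not expect it may drop
! the packets, so either turn it off here or make the relay trust it.
no ip dhcp snooping information option
!
! Dynamic ARP Inspection: drop ARP whose sender IP/MAC does not match a binding.
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! Uplink towards the DHCP server and the rest of the network: trusted for both features.
interface GigabitEthernet1/0/48
 description uplink
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access ports stay untrusted. Rate limits stop a host flooding DHCP/ARP (the port goes
! errdisabled when exceeded); IP Source Guard (ip verify source) drops IP traffic whose
! source does not match the snooping binding for that port.
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ip verify source
!
! Bring errdisabled ports back automatically instead of waiting for a site visit.
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
!
! Hosts with static addresses have no DHCP binding and would be blocked by DAI/IPSG:
! give them a static entry.
ip source binding 0011.2233.4455 vlan 10 192.0.2.50 interface GigabitEthernet1/0/5
!
! Checks:
!   show ip dhcp snooping                   (feature/VLAN state, trusted ports, rate limits)
!   show ip dhcp snooping binding           (the table everything else relies on)
!   show ip arp inspection vlan 10
!   show ip arp inspection statistics vlan 10
!   show ip verify source
```

Enable DHCP Snooping first and let the binding table fill (or wait for leases to renew) before switching DAI and IP Source Guard on, otherwise existing hosts are cut off until they renew.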

Categories: Cisco, LAN, Security

Cisco VTY equals Telnet? Not really :)

March 11, 2015

One person has recently asked me about securing VTY access on Cisco routers/switches and it seemed (could be a false impression though) that he believed VTY equals Telnet (= plain-text) access. I did not argue at the time (just told him that certainly you would not want telnet access left open and you should use SSH where possible), but, now being curious, I have checked what the acronym VTY really means and come across this post. I always enjoy Etherealmind posts but this one really made me smile! (the original "teletype" piece of hardware)

And, of course, a VTY line is just a virtual terminal line: its transport is whatever you allow with transport input, so it can carry Telnet, SSH, or both. It is only plain text if you leave Telnet enabled on it.

As it is not something I do on a regular basis, here is my quick refresher on the SSH config: Read more…
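As an added example (not the original post's config), here is an SSH-only VTY setup on IOS. Hostname, domain name, user name, key label and the management subnet in the ACL are illustrative.

```text
! Added example (not from the original post). Names, secret and addresses are illustrative.
hostname r1
ip domain-name example.net
! The RSA key needs hostname and domain name set first. Use 2048 bits; old default sizes
! (512/1024) are too short. The label lets the SSH server pick this key explicitly.
crypto key generate rsa label SSH-KEY modulus 2048
ip ssh rsa keypair-name SSH-KEY
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
! Local user with a hashed secret (never "password"), plus brute-force throttling:
! after 3 failures within 60 s the router ignores logins for 120 s.
username admin privilege 15 secret <strong-secret>
login block-for 120 attempts 3 within 60
! Management ACL: only the admin subnet may reach the VTYs; log the rest.
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny any log
! Cover every VTY line (0-15 on most platforms, not just 0-4), or the extra lines keep
! the default transport and stay reachable over Telnet.
line vty 0 15
 transport input ssh
 access-class 10 in
 exec-timeout 10 0
 logging synchronous
 login local
!
! Checks:
!   show ip ssh                                  (SSH Enabled - version 2.0, key name)
!   show ssh                                     (active sessions and their versions)
!   show running-config | section line vty       (transport input ssh on all lines)
```

If the box runs `aaa new-model`, `login local` on the line is replaced by the AAA method list (`login authentication`), and on releases that support it you can also pin the cipher and MAC lists (`ip ssh server algorithm ...`) and the DH group size (`ip ssh dh min size 2048`); both are release-dependent, so check `show ip ssh` after changing them.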

Categories: Cisco

Cisco IOS Hardening

March 11, 2015

I always wanted to bookmark this one 🙂 so I am doing it now with a short extract here, to save me googling and scrolling on the original page next time: Read more…

Categories: Cisco, LAN, Security

TCP throughput vs. Delay and Window Size

March 2, 2015

These are the bandwidth-delay product formulas: the "latency" in all of them is the round-trip time, because a sender can have at most one window of unacknowledged data in flight per RTT. They give the ceiling imposed by the window alone and ignore loss and slow start.

TCP throughput (bits per second) = Window Size (bits) / RTT (seconds)

Optimal TCP Window Size (bits) = Bandwidth (bits per second) * RTT (seconds)

Maximum RTT for a desired throughput (seconds) = Window Size (bits) / Desired throughput (bits per second)

Some good explanations can be found here.
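A worked example of the three formulas, added here and not part of the original post; the link speed, RTT and window values are assumed:

```text
Assumed path: 100 Mbit/s link, 20 ms RTT.

Optimal window  = 100,000,000 bit/s * 0.020 s = 2,000,000 bits = 250,000 bytes (about 244 KB)

The TCP header's window field is 16 bits, so without window scaling (RFC 1323 / RFC 7323)
a receiver can advertise at most 65,535 bytes = 524,280 bits:

Throughput with a 64 KB window   = 524,280 bits / 0.020 s = 26.2 Mbit/s   (a quarter of the link)

Max RTT at which a 64 KB window still fills the link
                                 = 524,280 bits / 100,000,000 bit/s = 5.2 ms

So on this path window scaling has to be on (it is the default on Windows Vista and later
and on Linux) and the receive buffer must be allowed to grow to at least 250 KB, otherwise
the link looks "slow" regardless of its bandwidth.
```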

Categories: Cisco, LAN, Windows

Modern firewalls and IPS evasion techniques

September 16, 2014

I have just had a quick glance at the Internet (God bless Google) looking for reviews of evasion techniques to bypass modern firewalls. It is amazing how vendible all these "independent" security laboratories are! The amount of s$$t some companies manage to pour onto their competitors is beyond any imagination. But as soon as you see some good results you either cannot find the exact conditions and configurations used in a test or (surprise!) the winning firewall turns out to be manufactured by the same company that created the testing tool and paid for the test 🙂

Though, to be fair, Evader, made by Stonesoft (now McAfee), is the most popular tool for practising IPS evasion techniques.

I found only one resource clearly explaining test conditions and, as a result, the outcome of the test looked fair.

Here is a quick list of popular techniques (details are in the whitepaper referenced above).

  1. Payload obfuscation and encoding (overcoming simple string matching filters)
  2. Encryption and tunneling
  3. Wrapping TCP sequence numbers
  4. Fragmentation (splitting malicious packets into smaller fragments)
  5. Protocol violations and decoy trees

So, long story short, if you have an IPS protecting a host you should not assume that this makes it unbreakable and that the host does not require patching. If you have an unpatched vulnerability exposed to attacks, its sudden death is only a matter of time: easy peasy lemon squeezy with most modern IPSes. Here comes the concept of multi-layer protection: use a firewall, IPS, load balancer, web application firewall, patching, secure coding techniques and hardening altogether. Not to mention compulsory professional pen tests (screw dumb ASV scans! :)). Then you should be good (though it is all likely to be expensive, as you may guess).

Multicast on Checkpoint R76 Gaia + Palo Alto and Cisco

May 21, 2014

Just finished troubleshooting multicast issues (no traffic received at all) with a subscriber sitting in a DMZ behind a Checkpoint Gaia R76 and the source a couple of hops away behind another firewall, a Palo Alto box. Both firewalls were sitting on top of L2 Cisco kit (Catalysts and Nexuses).

Long story short, here are a few things to take away from the exercise:

  • IPS on that stupid Checkpoint, even when globally disabled on the firewall, is blocking PIM traffic (hello packets), so PIM neighbour relationships do not form. Solution: enable IPS, find the rule blocking PIM, disable it, disable IPS. LOL!!!
  • When you enable IGMP on Gaia boxes that are part of an HA group (in this case it was VRRP; ClusterXL might be different), declare your multicast group as local and specify the VRRP VIP, not the IP of the box itself;
  • Enable PIM not only on the interface facing the PIM next hop but also on the interface facing the subscriber (alongside IGMP), otherwise it looks like the Cisco kit is not aware where to send the IGMP Joins and puts them into a sink hole;
  • Pay attention to the IGMP version that you enable on the Checkpoint interfaces facing the client. Do a packet capture to double-check. In my case the subscriber was sending v3 despite the rest of the setup being configured for ASM.
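For the third point, here is an added example (not from the original post) of what to check on the Catalyst between the firewall and the subscriber, and why PIM on the subscriber-facing interface matters; the VLAN and port names are illustrative.

```text
! Added example (not from the original post). VLAN and port names are illustrative.
!
! IGMP snooping forwards the hosts' IGMP reports (Joins) only towards "mrouter" ports, and
! the switch learns those ports from PIM hellos or IGMP general queries it sees on them.
! With no PIM (and no querier) on the firewall's subscriber-facing interface there is no
! mrouter port in the VLAN, so the reports have nowhere to go.
!
! Exec-mode checks:
show ip igmp snooping mrouter
!   Vlan    ports
!   ----    -----
!   10      Gi1/0/24(dynamic)     <- the port towards the firewall should appear here
show ip igmp snooping groups vlan 10
!   lists the group and the member port once the reports are being forwarded
!
! Config-mode fallbacks:
! If the firewall cannot run PIM on that interface, pin the mrouter port statically.
ip igmp snooping vlan 10 mrouter interface GigabitEthernet1/0/24
! Last resort while debugging only: disable snooping on the VLAN (floods the multicast
! to every port in it).
no ip igmp snooping vlan 10
```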

As a bonus, here are a couple of commands useful on a Palo Alto box for some light multicast troubleshooting:

```text
show routing multicast pim neighbour     # your PIM neighbours
show routing multicast pim statistics    # hello packets, both received and sent
show routing multicast pim state         # PIM state for your groups
```

(sorry, omitting the Checkpoint stuff as it is too much writing and I do not really like them; the notes above should be sufficient to make it work anyway)

Configuration change monitoring and configuration backup on Cisco routers and switches

March 25, 2013

Here is a nice and easy way to keep track of configuration changes on your Cisco IOS routers and switches. With the configuration below every configuration command is logged to your syslog server, the running configuration is backed up automatically as soon as you issue copy run start (or write memory), and a backup is also taken at a fixed interval (time-period, in minutes; 43200 is 30 days).

 archive
  log config
   logging enable
   hidekeys
   notify syslog
  path ftp://<username>:<pass>@<ftp-server-ip>/$h/config
  write-memory
  time-period 43200

A few words on the lines that are easy to forget: logging enable switches the config logger on, hidekeys keeps passwords out of the logged commands, notify syslog is what actually ships each logged command to syslog (without it the log stays in the local buffer, visible with show archive log config all), and write-memory is the trigger for the backup on copy run start. Depending on the configuration of your FTP server you may need to create the necessary folders in advance ($h in the path command above expands to the router's hostname). There is also a $t variable that you can use, BUT not with a Windows FTP server, as the colons Cisco puts into time stamps are not accepted by the Windows file system, unfortunately.

With regard to the above you may also find these commands useful:

ip ftp source-interface <ifname>
logging source-interface <ifname>

Then it will be your headache to make sure that your FTP server is sound and secure and that nobody can access the configuration files in transit or at rest. Also keep in mind that the FTP password in the path command is transmitted in clear text and sits in the running configuration, so anyone who can read the config can read it. Depending on your IOS version the archive path also accepts scp:// or https://, which avoids the clear-text transfer.

Categories: Cisco

How to backup guest users on Cisco WLC (SRE based)

February 14, 2013

Surprisingly, the magic command

config passwd-cleartext enable

did not appear to be 100% working on firmware 7.0.116 on my ISM-SRE-300-based WLC. It shows net users in the exported config, but only those with temporary accounts! I.e. an account appears in the exported config only if you set its lifetime to a non-zero value. Thus, to back up the local user database prior to a firmware upgrade you have to go through all guest user accounts and set their lifetime to a large value (a couple of days). As soon as the upgrade is completed you can go through all of them again and revert the TTLs back to zero.

Categories: Cisco, LAN, Security, Wireless