Archive

Posts Tagged ‘Cisco’

ASCII art for MOTD

June 18, 2015

Awesome website – http://patorjk.com/software/taag (the link opens in new window)

No more boring disclaimers on your Cisco and Linux boxes!

ASCII-ART

Categories: Cisco, Linux

How to automate a change of NetBIOS settings in properties of a network connection in Windows

June 4, 2015

The NetBIOS and LLMNR protocols are a really bad legacy in Windows (from a security perspective). They should be disabled in all networks where DNS is a sufficient means of name resolution.

There are three options:
Read more…

Recalling the basics – L2/L3 security

March 12, 2015

One person has just inspired me to resurrect in my memory some basics of LAN security.

It actually appeared to be quite challenging to get from L4-L7 issues (which I have been working with on a daily basis for the last couple of years) down to L2/L3 issues, which certainly had been part of my CCNP-related studies a while ago but then gave way to a risk-based approach. The latter, as you may know, assumes tackling all security issues in decreasing order, from those presenting the highest business risk down to those of a lower priority. This makes perfect sense to any sensible person 🙂 including myself but, despite the fact that L2 challenges are nowhere close to the top of my list of priorities in the current company, my ashamed engineering ego required satisfaction after struggling to recall on the spot some basics about IOS features related to DHCP Snooping.

So here we go – my refresher on DHCP Snooping, Dynamic ARP Inspection and IP Source Guard.

Read more…

Categories: Cisco, LAN, Security

Cisco VTY equals Telnet? Not really :)

March 11, 2015

One person has recently asked me about securing VTY access on Cisco routers/switches and it seemed (could be a false impression though) that he believed that VTY equals Telnet (= plain text) access. I did not argue at the time (just said to him that you certainly would not want to have Telnet access left open and you need to use SSH where possible) but, now being curious, I have checked what the acronym VTY really means and came across this post. I always enjoy Etherealmind posts but this one really made me smile! (the original "teletype" piece of hardware)

And, of course, a VTY line can have either Telnet or SSH as its transport (or both).

As it’s not something I do on a regular basis here is my quick refresher on the SSH config: Read more…

Categories: Cisco

Cisco IOS Hardening

March 11, 2015

I always wanted to bookmark this one 🙂 so doing this now with a short extract here to save me googling and scrolling on the original page next time: Read more…

Categories: Cisco, LAN, Security

How to backup guest users on Cisco WLC (SRE based)

February 14, 2013

Surprisingly, the magic command

config passwd-cleartext enable

did not appear to be 100% working on firmware 7.0.116 on my ISM-SRE-300-based WLC. It shows net users in the exported config, but only those with temporary accounts! I.e. an account appears in the exported config only if you set its lifetime to a non-zero value. Thus, to back up the local user database prior to a firmware upgrade, you have to go through all guest user accounts and set their lifetime to a big value (a couple of days). As soon as the upgrade is completed you can go through all of them again and revert the TTLs back to zero.

Categories: Cisco, LAN, Security, Wireless

Cisco WLC on ISM-SRE-300 module hosted by ISR2 router without EtherSwitch module

December 27, 2012

ism-sre-300-k9

To my surprise, such a nice module as the ISM-SRE-300-K9 comes with very poorly written documentation when it comes to deploying it in a "non-standard" configuration. You can find it here.

Apparently, Cisco’s preferred way (and it’s indeed quite easy to do) of provisioning WLC on this module is to use a switching module within the same ISR2 chassis. In that case it’s really easy to switch necessary VLANs via MGF to an EtherSwitch module and then down to your network.

If you do not have a switching module then your options are NAT (this one is briefly explained in the aforementioned configuration guide) and bridging. I personally do not like the idea of NAT-ing packets out of the WLC here, as it is Layer 3 and it is not the same thing as Layer 2, you know. I like thinking about wireless traffic as L2 frames which get from their WLANs into the relevant VLANs on the wired network. In this case you can deal with them the same way as with all other traffic: switch accordingly, then route the IP encapsulated in these frames via your normal L3 device, and apply all necessary security/QoS policies in the same place as for all other traffic.

This leaves us with “classic” bridging option and a couple of problems associated with it.  Read more…

Categories: Cisco, LAN

Simple configuration of Anycast RP

July 12, 2012

MSDP is an invaluable protocol when you need to keep your multicast flowing no matter what happens to your RP: just keep a few of them up and running at all times.

On RP1:

ip pim rp-address 10.10.10.1
!
interface loopback 0
 ip address 10.10.10.1 255.255.255.255
!
interface loopback 1
 ip address 10.11.11.1 255.255.255.255
!
ip msdp peer 10.11.11.2 connect-source loopback 1
ip msdp originator-id loopback 1

On RP2:

ip pim rp-address 10.10.10.1
!
interface loopback 0
 ip address 10.10.10.1 255.255.255.255
!
interface loopback 1
 ip address 10.11.11.2 255.255.255.255
!
ip msdp peer 10.11.11.1 connect-source loopback 1
ip msdp originator-id loopback 1

Obviously you can have more than 2 RPs; the analogy is clear.

Configuration on all other routers would be:

ip pim rp-address 10.10.10.1
no ip pim dm-fallback
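The design above has a few invariants that are easy to break when adding a third RP by copy-paste: every router must agree on the anycast RP address (carried on loopback 0 of each RP), each RP's originator-id must be a unique non-anycast loopback, the MSDP peers must form a full mesh over those unique addresses, and the other routers need dm-fallback disabled. The following checker is an added example, not the post author's code; it parses constructed IOS-style snippets mirroring the configs above (the RP2/LEAF strings and the parse/check_anycast functions are my own) and reports any deviation from those invariants.

```python
import re
# Constructed sample configs mirroring the two RPs in the post (added example, not the author's code).
RP1 = """\
ip pim rp-address 10.10.10.1
interface loopback 0
 ip address 10.10.10.1 255.255.255.255
interface loopback 1
 ip address 10.11.11.1 255.255.255.255
ip msdp peer 10.11.11.2 connect-source loopback 1
ip msdp originator-id loopback 1
"""
RP2 = RP1.replace("10.11.11.1 255", "10.11.11.2 255").replace("peer 10.11.11.2", "peer 10.11.11.1")  # own loopback 1, peers back to RP1
LEAF = "ip pim rp-address 10.10.10.1\nno ip pim dm-fallback\n"  # a non-RP router

def parse(config):  # extract only the fields the Anycast RP design depends on
    f = {"rp": None, "loopbacks": {}, "peers": set(), "originator": None, "no_dm_fallback": False}
    iface = None
    for raw in config.splitlines():
        line = " ".join(raw.split()).lower()  # normalise case and whitespace; IOS accepts both
        if m := re.match(r"ip pim rp-address (\S+)", line):
            f["rp"] = m.group(1)
        elif m := re.match(r"interface loopback ?(\d+)", line):
            iface = "loopback" + m.group(1)
        elif m := re.match(r"ip address (\S+) \S+", line):
            f["loopbacks"][iface] = m.group(1)
        elif m := re.match(r"ip msdp peer (\S+) connect-source loopback ?\d+", line):
            f["peers"].add(m.group(1))
        elif m := re.match(r"ip msdp originator-id loopback ?(\d+)", line):
            f["originator"] = "loopback" + m.group(1)
        elif line == "no ip pim dm-fallback":
            f["no_dm_fallback"] = True
    return f

def check_anycast(rps, leaves):  # returns a list of problems; empty means the design is consistent
    anycast = next(iter(rps.values()))["rp"]
    problems = [f"{n}: rp-address != {anycast}" for n, f in {**rps, **leaves}.items() if f["rp"] != anycast]
    unique = {}  # originator address -> RP name; must differ per RP and from the anycast address
    for name, f in rps.items():
        oid = f["loopbacks"].get(f["originator"])
        if f["loopbacks"].get("loopback0") != anycast:
            problems.append(f"{name}: loopback0 must carry the shared RP address {anycast}")
        if oid in (None, anycast) or oid in unique:
            problems.append(f"{name}: originator-id must be a unique non-anycast loopback")
        else:
            unique[oid] = name
    for name, f in rps.items():  # full mesh: each RP peers with every other RP's unique address
        expected = set(unique) - {f["loopbacks"].get(f["originator"])}
        if f["peers"] != expected:
            problems.append(f"{name}: MSDP peers {sorted(f['peers'])} != {sorted(expected)}")
    problems += [f"{n}: missing 'no ip pim dm-fallback'" for n, f in leaves.items() if not f["no_dm_fallback"]]
    return problems
```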

Categories: Cisco, LAN

L2 Security vulnerabilities and tools to exploit them

April 16, 2012

Excellent summary of the L2 vulnerabilities (and the tools to exploit them) which exist in pretty much any Ethernet switched environment "by default". A good one to show your line manager if he/she keeps ignoring your concerns and keeps postponing all security-related projects, and even simple changes like switching off DTP and implementing DHCP snooping and CAM-poisoning protection measures.

The article is available here (opens in new window).

Categories: Cisco, LAN

Free TACACS+ Server

March 5, 2012 2 comments

Free TACACS+ Server

This one seems to be a very nice project. It's a pity there is nothing similar for Windows…

Has anyone heard of a good freeware version for Windows?

Categories: Cisco, Linux