Cisco Hosts Webcast: Cisco Security Strategy

Today, Cisco delivers a webcast and corresponding slide presentation highlighting its security vision, market opportunity and the expansion of its security and collaboration portfolio.

Who: co-hosted by Cisco executives Doug Dennerline, senior vice president and general manager of the Collaboration Software Group, and Tom Gillis, vice president and general manager of the Security Business Group, to discuss Cisco's security and collaboration strategy. Following a brief presentation, a question and answer session will be held.

Listen and watch via the Internet:

Please listen to the webcast online at http://www.cisco.com/go/investors. An audio broadcast of the webcast, with synchronized slides, is available on this site.

Source: cisco.com

Cisco: How to use reflexive access-list and why they are useful

Reflexive access-lists are one of the methods that help us achieve firewall functionality with router hardware. The other methods that serve the same purpose are Context-Based Access Control (CBAC) and TCP Intercept. For an introduction to CBAC with an example, please check my older post Cisco: Use CBAC to achieve firewall functionality on router device. For TCP Intercept, check my blog in the next weeks.

Today I will present reflexive access-lists and how you can take advantage of their specific behavior. Reflexive access-list commands are used to configure IP session filtering. IP session filtering provides the ability to filter IP packets based on upper-layer protocol "session" information. They are generally used to allow outbound traffic and to limit inbound traffic to responses to sessions that originate inside the router. For example, you want to allow a TCP connection from outside only if the initial packet was sent from the inside. Take an FTP active-mode session on data port TCP 20. If you are doing FTP from inside the LAN, port 20 will be allowed outbound and also inbound. But if somebody from outside tries to reach a device on your LAN on port 20, the session will be dropped by the access-list implementation.

Reflexive ACLs can be defined only with extended named IP ACLs. They cannot be defined with numbered or standard named IP ACLs, or with ACLs for other protocols. Reflexive ACLs can be used in conjunction with other standard and static extended ACLs. Syntactically, reflexive access-lists look exactly like any normal ACL, with the addition of two parameters, "reflect" and "evaluate".

Let's have a look at this example topology. R2 will be the router where the reflexive ACL has to be implemented. The implementation is quite simple. You configure an outbound access-list which permits TCP sessions from any subnet to any subnet. The difference between this outbound ACL and a normal one is the "reflect" parameter at the end of the permit line. The "reflect" parameter is followed by the name of the reflexive list, here OUT (it can be any name you want).

After the outbound list is completely configured, we configure an inbound access-list with a "permit tcp any any" statement followed by the parameter "evaluate OUT". Below is a simple example of how to configure this reflexive ACL on the topology presented above, to permit UDP and TCP inside only if the session was initiated from inside:

ip access-list extended OUTBOUND
permit tcp any any reflect TO_REFLECT
permit udp any any reflect TO_REFLECT

ip access-list extended INBOUND
evaluate TO_REFLECT

interface Serial1/0
ip access-group OUTBOUND out
ip access-group INBOUND in

So, the INBOUND ACL will evaluate the OUTBOUND ACL to permit or deny TCP packets from outside. Remember that by default, packets generated by the router itself will not be reflected. This is why, if you have a routing protocol running towards the outside on your router, you have to permit those packets statically. Let's take the example of the BGP routing protocol. Assume that you have a BGP peering between R2 and R3. On R2 you will have to statically permit the BGP packets from outside, like in the example below:

ip access-list extended OUTBOUND
permit tcp any any reflect TO_REFLECT
permit udp any any reflect TO_REFLECT

ip access-list extended INBOUND
permit tcp any any eq bgp
permit tcp any eq bgp any
evaluate TO_REFLECT

interface Serial1/0
ip access-group OUTBOUND out
ip access-group INBOUND in

In this way the BGP packets generated locally on the router will be allowed in and out on the WAN interface. You proceed in the same way for other packets that are generated on the router and that you want to allow through the WAN interface.
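As an added example (not the post's own configuration), the following R2 configuration tightens the lists shown above: the static BGP permits are scoped to the two peer addresses instead of "any any", the reflected entries get explicit idle timeouts, ICMP is reflected as well so that inside-originated pings get their replies back, and everything else arriving inbound hits an explicit deny with logging. The interface addresses (R2 Serial1/0 = 10.0.23.2, R3 = 10.0.23.3) are constructed placeholders, since the post does not give any.

```cisco
! Added example, not the post's configuration. Assumed addresses:
! R2 Serial1/0 = 10.0.23.2, R3 WAN side = 10.0.23.3 (constructed).
!
! Reflected entries expire after this many idle seconds (IOS default 300)
ip reflexive-list timeout 120
!
ip access-list extended OUTBOUND
 ! Each match creates a temporary mirror entry in TO_REFLECT with
 ! source/destination addresses and ports swapped
 permit tcp any any reflect TO_REFLECT timeout 60
 permit udp any any reflect TO_REFLECT timeout 30
 permit icmp any any reflect TO_REFLECT
!
ip access-list extended INBOUND
 ! Router-generated traffic is never reflected, so the BGP session is
 ! permitted statically, but only between the two peers
 permit tcp host 10.0.23.3 host 10.0.23.2 eq bgp
 permit tcp host 10.0.23.3 eq bgp host 10.0.23.2
 ! Return traffic of sessions that were initiated from inside
 evaluate TO_REFLECT
 ! Make the implicit deny visible for troubleshooting and detection
 deny ip any any log
!
interface Serial1/0
 ip access-group OUTBOUND out
 ip access-group INBOUND in
```

While a session from R1 to R3 is open, "show ip access-lists TO_REFLECT" lists the temporary mirror entry for it, and the hit counter on the final deny line of INBOUND shows how much unsolicited traffic the WAN interface is receiving. Reflexive ACLs only mirror the 5-tuple of the outbound packet, so protocols that open a second connection from the outside (active-mode FTP data, for instance) still need the application-aware inspection of CBAC that the post refers to.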

For a live example please see the video presentation below. If you have not had a look at the example topology, now would be a good time to do it. I have already preconfigured BGP AS 300 on router R3 and BGP AS 100 on R2 and R1, so connectivity from R1 to R3 is not a problem. Also, R1 and R3 each have a Loopback interface which is advertised into BGP. After implementing the reflexive ACL on R2 I will be able to telnet from R1 to R3, but not vice versa. Also, the BGP packets between R2 and R3 will be statically permitted in the ACL.

[Video: cisco-reflexive-acl]

I hope that I could help you to understand the importance of reflexive ACLs. Sometimes a simple ACL would do the job, and then I would suggest not complicating things. But if you have something tricky to solve regarding access in your LAN, or you are preparing for an exam like the CCIE, then reflexive ACLs are quite useful and important.

Cisco: How to configure privileges for local users

I believe that all of you are familiar with privilege levels (0-15) on Cisco IOS. The most useful one for network engineers is level 15, the highest, as it allows full access to all IOS features, but in most networks only a few people have this privilege level. In my opinion it is normal for it to be like this, as with this limitation in place, the risk that somebody will log in and configure something that leads to a system failure is minimized. It is also true that this limits troubleshooting on the network in case of an issue.

Let's take the following scenario:
– you are the network engineer and you have privilege level 15 access;
– somewhere in your remote network there is a device that has a failure and you need somebody on site to tell you some information about the device;
– the local administrator does not have access (e.g. to read the running-config) on that Cisco device, as you don't want him to break something by some misconfiguration that she / he applies.

In this scenario you are either stuck with the problem and have to travel to the remote location to fix it, or you give the user access. I would choose a middle path: give the user limited access, just to read information that might be useful for you, like the IP addresses assigned to interfaces, access-lists or the routing table (of course you have to do this before you have a problem on some remote device, and possibly a lost connection).

In the example below I will show you how you can configure a user with limited access, just to read the running-config and, in this file, just the following information: hostname, interfaces (and here only the IP addresses assigned to the interfaces) and routing protocols (with the networks advertised into each routing protocol). This is just a basic example, but the privilege levels can be customized as you need.
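One way to build such a read-only user, as an added example and not the configuration from the post's presentation: a local user is placed at privilege level 5, "show running-config" is moved down to level 5, and only the configuration commands whose lines the user should see (hostname, interface with ip address, router with network) are moved down with it. This relies on the IOS behaviour that a user below level 15 who runs "show running-config" is shown only the commands available at his own level. The username and the password placeholders are assumptions; nothing here grants "configure terminal", so the user cannot change anything.

```cisco
! Added example, not the post's configuration. "siteadmin" and the
! password placeholders are assumed values.
!
! Local user that lands directly at privilege level 5 on login
username siteadmin privilege 5 secret <REPLACE_WITH_STRONG_PASSWORD>
! Optional: lets a level-1 user reach level 5 with "enable 5"
enable secret level 5 <REPLACE_WITH_STRONG_PASSWORD>
!
! EXEC command the user may run; IOS moves the parent "show" down as well
privilege exec level 5 show running-config
!
! Global-configuration sections that become visible in the filtered output
privilege configure level 5 hostname
privilege configure level 5 interface
privilege configure level 5 router
!
! Sub-mode commands visible under those sections (everything else in the
! interface and router sections, e.g. authentication keys, stays hidden)
privilege interface level 5 ip address
privilege router level 5 network
!
! Authenticate VTY sessions against the local user database
line vty 0 4
 login local
 transport input ssh
```

After logging in, "show privilege" should report level 5, "show running-config" should show only the hostname, the interfaces with their ip address lines and the router sections with their network statements, and "configure terminal" should be rejected because it was never moved below level 15. Commands that are at level 1 by default, such as "show ip interface brief" or "show ip route", need no extra configuration.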

Please check the presentation below:

[Video: Cisco: privilege levels]

Multiple Vulnerabilities in Cisco Wireless LAN Controllers

Multiple vulnerabilities exist in the Cisco Wireless LAN Controllers (WLCs), Cisco Catalyst 6500 Wireless Services Modules (WiSMs), and Cisco Catalyst 3750 Integrated Wireless LAN Controllers. This security advisory outlines details of the following vulnerabilities:

* Denial of Service Vulnerabilities (total of three)
* Privilege Escalation Vulnerability

These vulnerabilities are independent of each other.

Cisco has released free software updates that address these vulnerabilities.

There are no workarounds available for these vulnerabilities.

Please read more about this on cisco.com…

Cisco: FWSM CPU stress test how-to

Some time ago I had to do a stress test for a Cisco FWSM (Firewall Services Module) to see how the resources are consumed and whether some potential traffic can temporarily affect the behavior of this device. For those of you who don't know what a Cisco FWSM is, here comes the definition: "Cisco Firewall Services Module (FWSM)—a high-speed, integrated firewall module for Cisco Catalyst 6500 switches and Cisco 7600 Series routers—provides the fastest firewall data rates in the industry: 5-Gbps throughput, 100,000 CPS, and 1M concurrent connections".

Since I didn't have a hardware packet generator, I had to use a software one: IPerf. This is a tool that measures the maximum TCP or UDP bandwidth performance. Iperf allows the tuning of various parameters and UDP characteristics. Iperf reports bandwidth, delay jitter and datagram loss. Also, it can run under Linux, Mac and Windows, so the platform shouldn't be a problem for you. As I said before, I used my notebook as packet generator and a Linux server with the DNS service enabled as destination. Every packet from source (notebook) to destination (DNS server) was passing through the FWSM, where it was inspected at OSI Layer 7 (DNS application). Please check the topology file to get an idea about the configuration. Please be aware that if the packets (in our case DNS) are not inspected by the FWSM, then the resource utilization of the FWSM is not so high, even in case of a big traffic flow.
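The part of the FWSM configuration that decides whether the generated DNS traffic is parsed at Layer 7, as an added example that is not the post's configuration or its text file. It assumes the FWSM 3.x Modular Policy Framework syntax (the same as on the ASA); the DNS server address 192.0.2.53 and the interface names "inside" and "outside" are constructed.

```cisco
! Added example, not the post's configuration. Assumes FWSM 3.x MPF syntax;
! 192.0.2.53 (DNS server on "outside") and the interface names are constructed.
!
! Inspection policy: "inspect dns" makes every packet to/from UDP 53 go
! through the Layer 7 DNS parser, which is what loads the module in this test
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
!
service-policy global_policy global
!
! Allow the generated traffic from the notebook only towards the DNS server
access-list INSIDE_IN extended permit udp any host 192.0.2.53 eq domain
access-list INSIDE_IN extended permit tcp any host 192.0.2.53 eq domain
access-group INSIDE_IN in interface inside
!
! Watch these during the run, once with and once without "inspect dns":
!   show cpu usage
!   show conn count
!   show service-policy inspect dns
! To repeat the run without Layer 7 inspection, enter "no inspect dns"
! under "class inspection_default" in policy-map global_policy
```

The comparison the post describes is the difference between the two runs: with "inspect dns" removed, "show cpu usage" stays low even at a high packet rate, while with it in place the per-packet parsing is what drives the CPU up. For a UDP load towards port 53, iperf's UDP mode ("-u") with "-p 53" and a "-b" bandwidth target generates the flow from the notebook.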

Please have a look below for the video presentation of the tutorial:

[Video: FWSM stress test how-to]

If you cannot see the video tutorial above, please check this text file, which presents in text mode everything that needs to be configured for the stress test.