Tag: Security

Live digital threats

I wanted to bring these free tools to my blog to keep track of them, as most probably I will forget about, and to share with anybody interested in gathering information in the security areas.

First tool was revealed to my in tweet from Greg Ferro:

https://twitter.com/etherealmind/status/392606499044098049

As usually I trust his words, I said to give it a try. I can tell that this tool is very interesting. According to the explanation found on http://www.digitalattackmap.com/faq/ :

The Digital Attack Map presents data gathered and published by Arbor Networks ATLAS® global threat intelligence system. ATLAS sources its data worldwide from 270+ ISP customers who have agreed to share anonymous network traffic and attack statistics. Data is updated hourly and can also be found in Arbor’s ATLAS Threat Portal.

Below you have an embedded version of this map, but better access the Digital Attack Map website.

Second tool caught my attention from the Digital Attack Map explanation and it’s called Arbor’s ATLAS Threat Portal.

Atlat Threat Portal

This tool is explained as:

The ATLAS portal today is a public resource that delivers a sub-set of the intelligence derived from the ATLAS sensor network on host/port scanning activity, zero-day exploits and worm propagation, security events, vulnerability disclosures and dynamic botnet and phishing infrastructures.

If the first tool is related to network attacks, the second one is covering more topics like botnets, phishing, scans and more.
You can access Arbor’s ATLAS Threat Portal here.


Cisco QoS at-a-glance

Stephan, a  colleague of mine,  found the following documents digging through multiple pages of Cisco.com. The documents present a nice view of different QoS approaches and the most  important information. Somehow like “cheatsheets”. They were helpful to us when need to implement QoS in some parts of the network that we administer. I hope they will help you as well.

Maybe you’re wondering why I’m adding them here, since the documents are already somewhere in Cisco.com. As you probably know, Cisco has constantly changing their website in the last months and a lot of documentation is misplaced in the Cisco.com sitemap. We already had problems finding all links, so I said why not share it here as they are already public made by Cisco.

You’ll find a Download button under each document, for PDF version and at the end of this post there is a Link to download all documents in an archive. If somebody needs only one document and has a poor Internet connection why to force them to download the full archive.

Cisco's Campus QoS Design
Cisco – Campus QoS Design

Cisco's Branch QoS Design
Cisco – Branch QoS Design

Cisco IPv6 QoS

Cisco – IPv6 QoS

Cisco's QoS Best Practices

Cisco – QoS Best Practices

Cisco QoS Design for IPsec VPNs

Cisco – QoS Design for IPsec VPNs

Cisco's QoS Design For MPLS VPN Service Providers

Cisco – QoS Design for MPLS VPN Service Providers

QoS Strategy for DoS Worm Attack Mitigation

Cisco – Scavenger class – QoS Strategy for DoS Worm Attack

Cisco's QoS Design for MPLS VPN Subscribers

Cisco – QoS Design for MPLS VPN Subscribers

QoS Baseline

Cisco – QoS-Baseline

Cisco's WAN QoS Design

Cisco – WAN QoS Design

As said in the beginning, if you’d prefer, you download all QoS graphs in one archive.

Let me know your opinions on the above approach on QoS from Cisco. Is is accurate? Do you apply them in your organization weather for Campus, WAN, VPN or even Security?

Cisco PPP Authentication

As a network engineer, you most probably already had to do with PPP authentication at least once or two times in your daily operation.  Even more, if you are going for a Cisco certification (and not only) you should know some stuff about PPP authentication. For today, I’ve planned to deal with back-to-back PPP authentication.

For this back to back scenario, we have the following simple topology:

When we talk about PPP authentication on a end-to-end line we are dealing with 3 major authentication method:

PAP

CHAP

EAP

Now, when we think at security, we can easily observe that PAP is the less secure one and CHAP or EAP are the strongest one.

PAP (Password Authetication Protocol) transmits unencrypted ASCII passwords over the network and is therefore considered insecure. It should be used only as a last resort when the remote server does not support a stronger authentication protocol, like CHAP or EAP.
CHAP (Challenge-Handshake Authentication Protocol) is a more secure protocol as it uses a three-way handshake and the shared secret (password) is never sent on the wires. Instead a MD5 hash checksum is calculated based on the share secret and this one is sent as a challenge to the other peer.
EAP (Extensible Authentication Protocol) is an authentication framework, not a specific authentication mechanism. It provides some common functions and negotiation of authentication methods called EAP methods. There are currently about 40 different methods defined.

When we think of PPP authentication direction there are 2 types:

– one way authentication

– two ways authentication

Pretty obvious, no?

OK, enough with the theory. If you need some more deep understanding of PPP, there is always Internet. Next, I will show you some simple example with PPP authetication using PAP, CHAP and EAP.

PAP type authentication

Let’s assume that in the scenario above, R1 is sending a challenge to R2. Very important! From PPP authentication configuration, you don’t have to do anything to response to a challenge. This is done automatically.

R1
username R2 password cisco
int s0/0
encapsulation ppp
ppp authentication pap

R2
int s0/0
encapsulation ppp
ppp pap sent-user R2 password cisco

Actually that’s it. As I said, pretty simple. You configure R1 to send an authentication challenge to R2 with “ppp authentication pap”. R2 has to reply to this challenge with a username and a password defined with “ppp pap sent-user R2 password cisco”. This username and password have to be defined on R1. No matter what user and password you define on challenged part to be sent back, that information you have to define on challenger.

CHAP authentication type

Configuring CHAP is even easier. In the example below, I will configure R2 to send a CHAP challenge to R1

R1
username R2 password cisco
int s0/0
encapsulation ppp

R2
username R1 password cisco
int s0/0
encapsulation ppp
ppp authentication chap

By default, CHAP is sending the router hostname the user in the three-way handshake process, so there is no need to specify what user to send like in PAP method. As I said before, this method is more secure than PAP.

EAP authetication type

To be honest I didn’t saw too many PPP connections being authenticated with EAP, but is there and I saw some CCIE lab topics so, you should keep an eye on it. Like the other two method this one is easy to implement and is offering more secure level of authetication than PAP.

R1
username R2 password cisco
int s0/0
encapsulation ppp
ppp authentication eap
ppp eap identity R1
ppp eap password cisco
ppp eap local

R2
username R1 password cisco
int s0/0
encapsulation ppp
ppp authentication eap
ppp eap identity R2
ppp eap password cisco
ppp eap local

I believe that the command syntax is telling pretty much all there is. With “identity” you define the user to be send to the peer, “password” it what word is saying and last option “local” is the quite important. By default EAP needs a RADIUS server for authentication. If you don’t have one (exams, quick testing…) then you want EAP to use local database instead of RADIUS.

This  are the basics of PPP authentication. Even if there are not so much in use, try to remember this small steps as you might need them sometimes.

Other Authentication Related Articles in Internet

Converting from old to new with the PIX to ASA Migration Tool

Digging through Internet I’ve found a very good article from David Davis explaining how to make your life easier when migrating from PIX to ASA.

The important thing to note about PIX and ASA configurations are that they are different. In other words, to do one thing on a PIX requires a different command on an ASA. The ASA uses a more “IOS-like” configuration where the PIX has its own “PIX-OS” configuration. Here are just some of the differences between the two:

  • The ASA is different hardware and has different interface names.
  • The ASA uses sub-interface commands, like the Cisco IOS.
  • A PIX will use FIXUP commands for application inspection whereas the ASA will use policy maps.
  • On the PIX,outbound and conduit commands are used versus access lists on the ASA.

There are two ways to perform this conversion — manually or by using the automatic migration tool. You may want to perform the conversion manually if you want more granular control, but Cisco offers a PIX to ASA Migration Tool that can perform this automatically. Let’s look at how it works.

Read the full article at: Converting from old to new with the PIX to ASA Migration Tool


Multiple Vulnerabilities in Cisco ASA 5500 Series

Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

* TCP Connection Exhaustion Denial of Service Vulnerability
* Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities
* Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
* WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability
* Crafted TCP Segment Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
* NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in this advisory.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml