Cisco: The basics about VRF implementation

VRF (Virtual Routing and Forwarding) is a technology implemented in IP network routers that allows multiple instances of a routing table to exist on the same router at the same time. Since each VRF is independent, the same IP subnet can exist in two different VRFs: the address space can overlap without the two conflicting with each other. Even though this is possible, I would not suggest doing so unless you have a very good reason to do it.

Another meaning of VRF is VPN Routing and Forwarding, which is a key element in Cisco’s MPLS (Multiprotocol Label Switching) VPN technology. Internet service providers often take advantage of VRF to create separate virtual private networks (VPNs) for customers. Some advantages of using this technology are that an ISP can provision scalable IP MPLS VPN services, generate reports (e.g. audits for services), Service Level Agreement (SLA) contracts and more.

To summarize, virtual networks enable administrators to split a physical link into multiple virtual links that are completely isolated from one another. Typically, a virtual network will be dedicated to traffic from a specific application or from specific users or customers.


Now that we have clarified the basics of what VRF is and how it works, let’s see where VRF is used the most. As you may have guessed already, this is in the MPLS VPN environment: in today’s business granularity is very important, and VRFs help network engineers isolate and provide security for customers in an ISP environment, or separate services in an Intranet environment. As you probably already know, MPLS functionality is based on P (Provider) routers, PE (Provider Edge) routers and CE (Customer Edge) routers. Each of these routers must be configured in order for MPLS to work within an enterprise’s architecture. I have described the MPLS technology a little so that you can better understand the topology presented below and the configuration example that follows:

As you can see from the topology, one PE router can hold and manage multiple virtual routing tables, one for each customer that an ISP has. If you are running in a private environment (e.g. Intranet), you can use MPLS VPN to separate services (e.g. office, development…). The basic functionality is the same, and I’ll show you below how to implement VRFs.

The actual configuration of VRFs is not a complicated task. There are two main components to a VRF: the route distinguisher (RD) and the route target (RT).

The route distinguisher (RD) is a number which helps identify a VPN in a provider’s network and allows for overlapping IP space.

The route target (RT) indicates the VPN membership of a route and allows VPN routes to be imported or exported into or out of your VRFs. The RT functions a little like a routing policy — determining how routes are distributed throughout the particular VPN.

The RD / RT is an 8-byte (64-bit) number which can be written as follows:

16-bit AS number: your 32-bit number
(e.g.) 65000:100

or

32-bit IP address: your 16-bit number
(e.g.) 192.168.0.1:10

Usually the first method is used more often.
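The two RD notations above, as an added example (not part of the original post): this Python sketch encodes each notation into its 8-byte form and shows why the same subnet in two VRFs does not collide. The 2-byte type field and the layout follow RFC 4364; the function names and the sample values are made up for this example.

```python
import ipaddress
import struct

def encode_rd(text: str) -> bytes:
    """Encode 'ASN:number' or 'IP:number' as the 8-byte RD (RFC 4364 layout)."""
    admin, sep, assigned = text.rpartition(":")
    if not sep or not assigned.isdigit():
        raise ValueError(f"not a route distinguisher: {text!r}")
    number = int(assigned)
    if admin.isdigit():
        # Type 0: 2-byte type field, 16-bit AS number, 32-bit assigned number.
        asn = int(admin)
        if asn > 0xFFFF or number > 0xFFFFFFFF:
            raise ValueError(f"field out of range: {text!r}")
        return struct.pack("!HHI", 0, asn, number)
    # Type 1: 2-byte type field, 32-bit IPv4 address, 16-bit assigned number.
    address = ipaddress.IPv4Address(admin)  # ValueError on a malformed address
    if number > 0xFFFF:
        raise ValueError(f"field out of range: {text!r}")
    return struct.pack("!H4sH", 1, address.packed, number)

def vpn_route_key(rd: str, prefix: str) -> bytes:
    """RD prepended to an IPv4 prefix: what keeps overlapping subnets distinct.
    Simplified key for illustration, not the full VPNv4 NLRI encoding."""
    net = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + net.network_address.packed + bytes([net.prefixlen])

def demo() -> dict:
    # Constructed sample: two customers using the same subnet in different VRFs.
    a = vpn_route_key("65000:100", "10.0.0.0/24")
    b = vpn_route_key("65000:200", "10.0.0.0/24")
    return {"a": a.hex(), "b": b.hex(), "distinct": a != b}

if __name__ == "__main__":
    print(encode_rd("65000:100").hex())
    print(encode_rd("192.168.0.1:10").hex())
    print(demo())
```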

For a very basic VRF configuration, follow these steps:

1. Enters VRF configuration mode and assigns a VRF name.

Router(config)# ip vrf vrf-name

2. Creates a VPN route distinguisher (RD) following one of the formats explained above: 16bit-ASN:32bit-number or 32bit-IP:16bit-number.

Router(config-vrf)# rd route-distinguisher

3. Creates a list of import and/or export route target communities for the specified VRF.

Router(config-vrf)# route-target {import | export | both} route-target-ext-community

4. (Optional step) Associates the specified route map with the VRF.

Router(config-vrf)# import map route-map

5. Specifies an interface and enters interface configuration mode.

Router(config)# interface type number

6. Associates a VRF with an interface or subinterface.

Router(config-if)# ip vrf forwarding vrf-name

To check your configuration, you can use ping or traceroute tools under Cisco CLI, but remember that you have to use “vrf vrf-name” parameter:

Router# ping vrf vrf-name IP-address

Also you can check the virtual routing table:

Router# show ip route vrf vrf-name
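An added example, not from the original post: a small Python check that can be run over a candidate configuration built from the six steps above before it is pasted into a router. It flags a VRF without an RD, an interface bound to a VRF that was never defined, and an IP address entered before "ip vrf forwarding" (IOS removes the interface address when that command is applied). The VRF names, interfaces and addresses are constructed.

```python
def lint_vrf_config(config: str) -> list[str]:
    """Check a candidate IOS config against the VRF steps; return findings."""
    findings, bound = [], []   # bound: (interface, vrf) from 'ip vrf forwarding'
    has_rd = {}                # vrf name -> True once 'rd' is seen under it
    addressed = set()          # interfaces where 'ip address' was already entered
    kind = name = None         # the stanza currently open
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw[0].isspace():          # a top-level line opens a new stanza
            kind = name = None
            if words[:2] == ["ip", "vrf"] and len(words) == 3:
                kind, name = "vrf", words[2]
                has_rd.setdefault(name, False)
            elif words[0] == "interface" and len(words) > 1:
                kind, name = "if", "".join(words[1:])
        elif kind == "vrf" and words[0] == "rd":
            has_rd[name] = True
        elif kind == "if" and words[:2] == ["ip", "address"]:
            addressed.add(name)
        elif kind == "if" and words[:3] == ["ip", "vrf", "forwarding"] and len(words) == 4:
            bound.append((name, words[3]))
            if name in addressed:
                findings.append(f"{name}: address entered before 'ip vrf forwarding' is removed")
    findings += [f"vrf {v}: no rd configured" for v, ok in has_rd.items() if not ok]
    findings += [f"{i}: bound to undefined vrf {v}" for i, v in bound if v not in has_rd]
    return findings

# Constructed sample with three mistakes; not taken from a real device.
SAMPLE = """\
ip vrf CUSTOMER_A
 rd 65000:100
 route-target both 65000:100
ip vrf CUSTOMER_B
 route-target both 65000:200
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip vrf forwarding CUSTOMER_A
interface FastEthernet0/1
 ip vrf forwarding CUSTOMER_C
 ip address 10.0.0.1 255.255.255.0
"""

if __name__ == "__main__":
    for finding in lint_vrf_config(SAMPLE):
        print(finding)
```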

In some of the following posts I will present a VRF implementation following a real environment topology, but until then I hope you have understood the basics of VRF functionality. It’s not hard to implement (in some cases it might be, due to local topologies and technology), and it can help you have more granular connections and make troubleshooting easier, especially in environments which have a lot of IP addresses under management.

Cisco IOS Software BGP 4-Byte AS Number Vulnerabilities

Recent versions of Cisco IOS Software support RFC4893 (“BGP Support for Four-octet AS Number Space”) and contain two remote denial of service (DoS) vulnerabilities when handling specific Border Gateway Protocol (BGP) updates.

These vulnerabilities affect only devices running Cisco IOS Software with support for four-octet AS number space (hereafter referred to as 4-byte AS number) and BGP routing configured. The device is vulnerable if it is running an affected Cisco IOS version and has BGP configured, regardless of whether the device is configured with a 2- or 4-byte AS number under the router bgp configuration command.

The first vulnerability could cause an affected device to reload when processing a BGP update that contains autonomous system (AS) path segments made up of more than one thousand autonomous systems.

The second vulnerability could cause an affected device to reload when the affected device processes a malformed BGP update that has been crafted to trigger the issue.

Cisco has released free software updates to address these vulnerabilities.

No workarounds are available for the first vulnerability.

A workaround is available for the second vulnerability: configuring “bgp maxas-limit [value]” on the affected device mitigates it. Cisco recommends using a conservative value of 100 to mitigate this vulnerability.

This advisory is posted at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtm
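An added example, not part of the advisory: a Python check that reads saved running-configs and reports which BGP-speaking devices lack the “bgp maxas-limit” workaround or have it set above the recommended 100. Hostnames, AS numbers and configs are constructed, and treating anything above 100 as too high is this example's own policy; the workaround covers only the second vulnerability as stated above, so the software update is still required.

```python
import re

RECOMMENDED_LIMIT = 100  # conservative value quoted in the advisory text
BGP_STANZA = re.compile(r"^router bgp (\S+)[ \t]*\n((?:[ \t]+.*\n?)*)", re.M)
MAXAS = re.compile(r"^[ \t]+bgp maxas-limit (\d+)[ \t]*$", re.M)

def maxas_status(running_config: str) -> str:
    """Classify one device: 'no-bgp', 'missing', 'too-high' or 'ok'."""
    stanza = BGP_STANZA.search(running_config)
    if stanza is None:
        return "no-bgp"        # the advisory applies only when BGP is configured
    limit = MAXAS.search(stanza.group(2))
    if limit is None:
        return "missing"       # workaround not configured at all
    return "ok" if int(limit.group(1)) <= RECOMMENDED_LIMIT else "too-high"

def devices_needing_workaround(fleet: dict) -> dict:
    """Map hostname -> status for every device that still needs attention."""
    result = {}
    for host, config in fleet.items():
        status = maxas_status(config)
        if status in ("missing", "too-high"):
            result[host] = status
    return result

# Constructed running-config excerpts; not taken from real devices.
FLEET = {
    "edge-1": "hostname edge-1\nrouter bgp 65000\n neighbor 192.0.2.1 remote-as 65001\n",
    "edge-2": "hostname edge-2\nrouter bgp 65000\n bgp maxas-limit 100\n"
              " neighbor 192.0.2.5 remote-as 65002\n",
    "edge-3": "hostname edge-3\nrouter bgp 65000\n bgp maxas-limit 500\n"
              " neighbor 192.0.2.9 remote-as 65003\n",
    "access-1": "hostname access-1\ninterface Vlan1\n ip address 10.0.0.2 255.255.255.0\n",
}

if __name__ == "__main__":
    for host, status in devices_needing_workaround(FLEET).items():
        print(host, status)
```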

Routing + QoS + Security all free for you and your small business

OK, you caught me: this is not from Cisco, but it is related to networking and security, so I believe it fits the idea of this blog. What am I talking about here?! Well, let’s assume that you are the IT guy of a small business, or even of your home network, and like all of us you want what’s best for your network. With today’s key words (even if I don’t understand why) like saving, cost reduction and zero budget for new deployments, no manager will approve buying new hardware. And to be fair, why would you want to buy an expensive Cisco 6500 if you have 50 PCs and some servers in your network? Cisco and other brands in the same line are good, actually very good, and worth the money, but only if they are really required. Continuing on this idea, somebody asked me to find a solution for his small to medium business, as he has a small user network and some servers. Of course he wanted all the possible features and security but without investing too much or, if possible, nothing. To keep everything within these limits, I had the idea to use a Linux box with 3 NICs and a bunch of software for achieving the other features like QoS, routing and so on. But I found something better to manage and maintain over time.

The product is called Untangle, and I found it to be perfect for my solution, and maybe for yours if you want to give it a try. Among the other good features that it has, you will see that this is a FREE product. Of course nothing is just black and white, and if you want some features you have to pay for them. Anyway, I managed to do everything without paying anything. Untangle can be installed on a dedicated machine or as an application in Windows. Installing on Windows is… how can I say… useless, at least from my point of view. I mean, who puts the trust of his network gateway in a Windows machine?! As a dedicated machine it is one of the best solutions that I have tested.

As explained in the Untangle documentation, this solution can be installed on any regular Intel / AMD machine with a decent configuration. If you want to keep this solution and its logs for a longer time, I would recommend something dual core with 2 GB of memory and at least 80GB of hard-disk capacity. The minimum requirements from the developers are an 800Mhz processor with 512KB of memory and a 20GB hard drive, if you plan to run this for a network with fewer than 50 stations. The process is very simple: you download an image, burn it to a disc and then install it. If you have ever installed another OS, you will handle this for sure.

The new device can be deployed as a router or as a transparent bridge:
On my private installation I deployed it as a router, as I wanted this to be the main gateway and to separate the LAN from the DMZ area. After you configure the basic stuff, you may want to choose what services you will use on this machine. Everything is modular. You have a virtual rack into which you insert free or paid applications. Maybe you are wondering which are the free applications. Here is the list: Web Filter, Virus Blocker, Spam Blocker, Ad Blocker, Attack Blocker, Phish Blocker, Spyware Blocker, Firewall, Routing & QoS, Intrusion Prevention, Protocol Control, OpenVPN, Reports. This covers most of my basic needs for a small network. If you want advanced features like WAN Load Balancer, WAN Failover or Remote Access Portal, then you have to buy these applications. Of course I would have preferred to have these for free as well, but as I said in other articles, nothing is 100% free in this world.

Every module is then configured in a graphical interface with menus that are easy to understand and follow. You can choose what to activate, what traffic is to be inspected, what packets are to be subject to QoS and many more. One thing before you proceed to test this: by routing, please don’t understand Dynamic Routing Protocol or other advanced features. Like I said before, this solution is for small to medium sites which do not have to support a complex routing environment. However, it does support basic routing and it can be installed as a router. Regarding the support you get for this product, there is a good forum and also a Wiki page.

Below I prepared a small gallery with screenshots from Untangle. The screenshots are copyrighted to Untangle.com and can be found on their site together with some nice video presentations of the product.

Please be aware that this site is not affiliated in any way with Untangle.com. The opinions presented here represent my own experience with the Untangle product.


Cisco releases patch for critical flaw in CiscoWorks

Cisco has released a patch that fixes a vulnerability in CiscoWorks Common Services that could allow an unauthenticated remote attacker to access application and host operating system files. The exploitability of this flaw is rated as high. Note that only CiscoWorks Common Services systems that run on Microsoft Windows are vulnerable. The Solaris version is not affected.

Specifically the following Cisco products that use CiscoWorks Common Services as their base are affected by this vulnerability.

* Cisco Unified Service Monitor versions 1.0, 1.1, 2.0, and 2.1
* CiscoWorks QoS Policy Manager versions 4.0 and 4.1
* CiscoWorks LAN Management Solution versions 2.5, 2.6, 3.0, and 3.1
* Cisco Security Manager versions 3.0, 3.1, and 3.2
* Cisco TelePresence Readiness Assessment Manager version 1.0
* CiscoWorks Voice Manager versions 3.0 and 3.1
* CiscoWorks Health and Utilization Monitor versions 1.0 and 1.1
* Cisco Unified Operations Manager versions 1.0, 1.1, 2.0, and 2.1
* Cisco Unified Provisioning Manager versions 1.0, 1.1, 1.2, and 1.3

Source: NetworkWorld.com

Encryption and decryption half century ago

I know that it’s not the latest discovery in the cryptography area, but this device still amazed me with its ingenious construction and the way it was used.

An Enigma machine is any of a family of related electro-mechanical rotor machines used for the encryption and decryption of secret messages. The first Enigma was invented by German engineer Arthur Scherbius at the end of World War I. This model and its variants were used commercially from the early 1920s, and adopted by military and government services of several countries — most notably by Nazi Germany before and during World War II. A range of Enigma models was produced, but the German military model, the Wehrmacht Enigma, is the version most commonly discussed.

The machine has become notorious because Polish mathematicians-cryptographers and then Allied cryptographers were able to cryptanalyze, and thus decrypt, a vast number of messages which had been enciphered using the Enigma. The intelligence gleaned from this source, codenamed ULTRA by the British, was a substantial aid to the Allied war effort. The exact influence of ULTRA is debated, but an oft-repeated assessment is that decryption of German ciphers hastened the end of the European war by two years.

Though the Enigma cipher had cryptographic weaknesses, in practice it was only in combination with other factors (procedural flaws, operator mistakes, occasional captured hardware and key tables, etc.) that those weaknesses allowed Allied cryptographers to cryptanalyze so many messages.

Enigma cryptanalysis contributed greatly to the success of Allied war efforts—in the Battle of Matapan in March 1941; in course of the Battle of the Atlantic, beginning in the latter part of 1941; in Rommel’s efforts to capture Cairo in 1942; in the invasion of Sicily (1943) and mainland Italy (1943–44); in the planning and execution of Operation Overlord (the Allied invasion of France, 1944); and in the subsequent drive to and through Germany. Evidence suggests that Soviet strategy and tactics against Nazi Germany likewise benefited from Ultra intelligence, conveyed to the Soviets by a variety of conduits.

Below you can see a demonstration of how Enigma was used to encrypt and decrypt messages thanks to NetworkWorld.com:

For a more detailed presentation, please read:
http://en.wikipedia.org/wiki/Enigma_machine
http://en.wikipedia.org/wiki/Cryptanalysis_of_the_Enigma

Brought to you by NetworkWorld.tv and FirstDigest