Archive for November, 2009

Day #11 – Attack mitigation and advanced security

UPDATE (26 Nov 2009): I finished Queuing, so here are the notes. I'll post shaping and policing by tomorrow.

UPDATE (30 Nov 2009): I've scratched out the concepts that I've finished. I'll be linking them to some points that I noted down regarding them. I didn't work on the weekend :P (Don't ask me why, I just don't know!). So this is taking a little longer than expected, but this is interesting and I can't nail this!

UPDATE (1 Dec 2009): Most of the topics are done (as you can notice by seeing the scratches). Once I finish it all (by tomorrow) I will link the notes to the particular task.

Good morning folks! :)

Today I spent a good amount of time on the Advanced Security and Attack Mitigation section of the CCIE lab v3 syllabus. What I usually do is learn the technology, then head over to the INE Vol 1 labs where I do some configuration. But I noticed that the Vol 1 workbook didn't cover all the attack types/mitigation techniques which are present in the CCIE v3 blueprint, which you can find HERE. The link points to InternetworkExpert's expanded blueprint, which I feel is better than Cisco's blueprint.

I'm slowly ticking my way through the sections. To keep myself committed and focused on the challenge, I'm going to list all the topics here and mark them off one by one as I complete each task. I will also add notes and articles against any task that I find challenging. With that said, here's the list:

Configure Advanced Security

A. Configure mitigation techniques to respond to network attacks
B. Configure packet marking techniques
C. Implement security RFCs (RFC1918/3330, RFC2827/3704)
D. Configure Black Hole and Sink Hole solutions
E. Configure RTBH filtering (Remote Triggered Black Hole)
F. Configure Traffic Filtering using Access-Lists
G. Configure IOS NAT
H. Configure TCP Intercept
I. Configure uRPF
J. Configure CAR
K. Configure NBAR
L. Configure NetFlow
M. Configure Anti-Spoofing solutions
N. Configure Policing
O. Capture and utilize packet captures
P. Configure Transit Traffic Control and Congestion Management
Q. Configure Cisco Catalyst advanced security features
R. IOS Security Features

1. DHCP Secured/Authorized ARP
2. Router IP Traffic Export
3. Virtual Fragmentation and Reassembly

Identify and Mitigate Network Attacks

A. Identify and protect against fragmentation attacks
B. Identify and protect against malicious IP option usage
C. Identify and protect against network reconnaissance attacks
D. Identify and protect against IP spoofing attacks
E. Identify and protect against MAC spoofing attacks
F. Identify and protect against ARP spoofing attacks
G. Identify and protect against Denial of Service (DoS) attacks
H. Identify and protect against Distributed Denial of Service (DDoS) attacks
I. Identify and protect against Man-in-the-Middle (MiM) attacks
J. Identify and protect against port redirection attacks
K. Identify and protect against DHCP attacks
L. Identify and protect against DNS attacks
M. Identify and protect against Smurf attacks
N. Identify and protect against SYN attacks
O. Identify and protect against MAC Flooding attacks
P. Identify and protect against VLAN hopping attacks
Q. Identify and protect against various Layer2 and Layer3 attacks

So until I finish all of these (I predict by this weekend), I will not add any new post. But what I'll do is, as soon as I complete a task, write up the challenges I faced in it and link that to the corresponding task here.

That way, when you need to search for an article based on a particular task, you can use this blog to navigate.

What I'm doing now is sitting with a CCIE R&S book and reading the QoS chapter. I'm also making notes as I go and I'll post them up as soon as they're done. I'm doing this because I felt it's about time I understood the concepts behind policing threshold, burst excess, burst allowed, etc. So stay tuned for that!

<PERSONAL BLOG>

And finally, HAPPY THANKSGIVING to all! :) Some of you might celebrate it, some might not, but since it's an occasion where one feels thankful for the people who've been there for him/her, I celebrate it too! :) Thanks to my parents for giving me all that I've ever wanted and for tolerating me (trust me, I've been a major pain in the ass!), and to Neetha, who's supported me through my worst times and the best of times. <3 you girl!

</PERSONAL BLOG>

Cheers,

TacACK.

2 Comments

Day #10 – SSSLing!

This is weird :) I'm posting the article well after the date has gone by, but nevertheless, I want to post some of the issues that I encountered when I was configuring SSL VPN.

My agenda for the day was as follows:

  • WebVPN on IOS and ASA
  • Port-forwarding on IOS and ASA
  • AnyConnect VPN on IOS and ASA
  • Smart tunnel on ASA

After one full day of configuration, I can say that I've finally understood what each component in the WebVPN configuration does. I'll write an article about this later, but for now, let me list out some notes that I made during the configuration.

  • I do lots of labbing on Dynamips/GNS3, so I tried this on Dynamips too! There were a couple of irregularities which I noticed when working on Dynamips. They are as follows:
    • AnyConnect VPN client transfer
      • I transferred the AnyConnect client to "flash:" through TFTP. After that, when I tried to install the package, I got an error saying that the file could not be renamed to "flash:/webvpn/svc.pkg".
      • I tried checking whether the file was "read-only", etc., but that didn't help.
      • So finally, when I copied the file directly from the TFTP server (my PC) to the router, I copied it into the folder "flash:/webvpn" and named the file svc.pkg.
      • After this, it started working.
      • Again, please note that all these irregularities were observed on my GNS3; when I did the same lab on actual equipment, this problem didn't exist.
    • AnyConnect VPN client installation
      • After copying the AnyConnect VPN client into the router's flash memory, we use the command
        #webvpn install svc flash:/<FILENAME>.pkg
      • But when I tried this using a 3725 running 12.4(15)T10 on GNS3, I always got an error which said the installation wasn't successful.
      • So what I did was head over to the properties of the router (right click -> Properties) and increase the RAM size, NVRAM size and the PCMCIA disk0 size to double what they were originally.
      • After this I restarted the router and then the webvpn install command started working.
      • I don't know if this will work universally, but I'm posting what I found interesting :)
  • On the ASA and IOS, when configuring WebVPN, you can either use the locally configured WebVPN context/group-policy configuration, or download the group policies from the ACS.
    • The latter method is accomplished by creating the user in ACS and adding the WebVPN AV pairs to that user's profile, so the router or ASA builds the policy from what the RADIUS reply carries.
    • But when I tried doing this through GNS3, the "aaa authorization ..." command, which is required for accepting the WebVPN AV pairs from the ACS, was not showing up. But I tried this on actual equipment and it worked fine..? Weird? I have no explanation as to how this happened.
  • In WebVPN, we usually specify a url-list to be displayed to the user after he/she logs in.
    • Suppose the task requires that the URL "http://www.cisco.com" resolve to some address: make sure you create the host-to-address mapping, either on the same router/ASA or on another router acting as the DNS server, because the gateway resolves the name on the user's behalf.
    • And remember that when we create the mapping, it needs to look like "#ip host www.cisco.com 10.0.0.100" and not "#ip host http://www.cisco.com 10.0.0.100": the bare hostname, without the scheme.
  • There was a task where I had to block certain URLs from being accessed. Ex: block all URLs which are not in the ".com" or ".net" domain. I set this up and to test it I tried some URLs like www.google.org. I was getting an error which said something like there might be a DNS error, or this URL might be blocked. I am supposed to get a message which says -> "the request to http://www.google.org/ is not allowed, WEBVPN has dropped the request".
    • But I wasn't getting that. So what I did was create a DNS entry for www.google.org on the router that I'm using as the DNS server. After this I started getting the message that I was expecting. The sites were actually getting blocked.
    • I find this a little weird. I mean, why does one have to create a DNS entry for the websites that he wants to block?
    • I tried this both on actual equipment and on GNS3, and I got the same results.
    • If anyone else has configured this without entering the DNS entries for www.google.org, please comment on this or email me with the solution.
  • When configuring GETVPN COOP key servers, make sure that all the KSs hold the same RSA key pair, because every group member verifies rekey messages with the one public key it received at registration.
    • To achieve this, generate the key on one KS as an exportable key: "#crypto key generate rsa general-keys label RSA exportable modulus 1024" (1024 bits is enough for the lab; use 2048 or more on production gear).
    • Then enter "crypto key export rsa RSA pem terminal 3des <PASSPHRASE>". This prints the PEM-encoded public key and the 3DES-encrypted private key on the terminal (console). Treat that terminal session and any log of it as sensitive, since it contains the private key.
    • Now head over to the secondary KS and enter "crypto key import rsa RSA pem exportable terminal <SAME-PASSPHRASE>". It prompts first for the public key and then for the private key; paste each PEM block from the first key server's output.
    • The passphrase given to the import command must be the same one used on export, since it is what protects the private key in transit.
    • As a result of this operation both KSs hold the same RSA key pair, so rekey messages signed by either of them verify on every member.
  • During WebVPN configuration on the ASA, remember that the portal is switched on per interface with "enable outside" under "webvpn". The "http 0 0 outside" command governs ASDM/HTTPS management access from the outside, and an interface ACL is not needed for either: ASA interface ACLs do not filter traffic addressed to the ASA itself.
  • When configuring port-forwarding on the ASA, if you already have a webtype ACL applied, make sure it permits the traffic which you want to pass through port-forwarding.
    • ex: suppose you want port-forwarding to let you telnet to an inside router through the VPN; enter the following line
    • #access-list VPN_ACL webtype permit tcp any any eq 23
    • This permits telnet through. As you all might know, on the ASA the webtype ACL is what filters clientless sessions, by URL or by TCP destination, so a webtype ACL that only lists URLs silently breaks port-forwarding.
  • When permitting certain URLs only within a given "time-range", a common mistake is that the clock on the router is not set, so the time-range never matches, the configuration appears not to take effect and we end up confused and frustrated.
    • So check the system time and date ("show clock") and set it with "clock set" or NTP before testing.
    • This is a "gotcha" (as @packetu would say :))
  • On the ASA, don't forget the "group-alias <name> enable" command under the tunnel-group's webvpn-attributes sub-mode. Without it you won't see the GROUP selection drop-down list on the login page, even if you've configured "tunnel-group-list enable" under the webvpn configuration sub-mode.

Again, if you notice any mistakes, please feel free to buzz me, so that we can all learn in the process! :)

Cheers,

TacACK


GETVPN Chart

I was doing GETVPN yesterday (which I'll post about later today); I went through the configuration pretty easily and it started working.

Now I've come to a point where I started wondering about HOW exactly it works, I mean what all the keys do. Plus I also saw a question on CLND this morning on the same topic. So I decided it's about time I made a chart to help me understand this better. So I went through the GDOI RFC and made a small chart which you'll find here:

GETVPN CHART

Now to answer the question: what do all the keys do? Let's go through the keys one by one.

  • ISAKMP pre-shared key
    • IKE phase 1 has to be defined on the group members as well as on the GCKS(s); the pre-shared key (or a certificate) is what authenticates each member to the key server.
    • The phase 1 SA protects the GDOI registration exchange (GROUPKEY-PULL), through which a member joins the group via the GCKS.
    • The result of the registration is that the GCKS delivers the KEK (Key Encryption Key), the TEK (Traffic Encryption Key) and their SA parameters to the member.
    • After this, the IKE SA is no longer used and it is torn down when its lifetime expires; the group keys outlive it.
  • KEK
    • This key is used to encrypt the rekey messages (GROUPKEY-PUSH) that the GCKS sends to the members later on. It is never used for data traffic.
  • TEK
    • This key is used by the members to encrypt IPsec traffic between themselves. Every member shares the same TEK, which is why any member can talk to any other member without a pairwise tunnel.
  • RSA public/private keys
    • OK, this gets a little complicated now.
    • We configure the RSA public/private key pair on the GCKS(s) so that the GCKS can sign rekey messages; the members receive the public key at registration and use it to verify them.
    • Rekeying is the process in which, before the current keys' lifetime expires, the GCKS pushes a new KEK and/or TEK to the members. Periodic rekeying limits how much traffic is protected under one key and shrinks the window an attacker has if a key leaks.
    • The process is:
      • The new KEK and/or TEK, along with their SAs, are first created on the GCKS.
      • They are then signed (for authentication) using the RSA private key, which is present only on the GCKS; members check the signature with the public key.
      • The signed message is then encrypted using the "old" KEK, the one delivered at registration or by the previous rekey, so only registered members can read it.
      • This is then sent over to the members in one of 2 ways:
        • Multicast: the default option, which also needs a rekey multicast address configured on the KS ("rekey address ipv4 <acl>").
        • Unicast: must be specified with "rekey transport unicast".
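The rekey flow above, and the COOP key-server note in the Day #10 post (both KSs must hold the same RSA pair), as an added example in Go that is not part of the original post or of any Cisco code. It models the trust structure only: the key server signs the new KEK/TEK with its RSA private key and encrypts the signed bundle under the current KEK; the member decrypts with the KEK it holds, verifies the signature with the KS public key it got at registration, and rejects replays. RSA-PSS, AES-256-GCM, 32-byte keys and the (seq || newKEK || newTEK || signature) layout are this example's assumptions, not the GDOI wire format. The main function also shows why a COOP secondary that generated its own key pair is rejected by members until it imports the primary's pair.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

const keyLen = 32 // AES-256 keys for both the KEK and the TEK (assumption for this example)

// GroupKeys is what a group member holds after GDOI registration: the KEK that
// protects rekey messages, the TEK that protects data traffic, and the sequence
// number of the last rekey it accepted (replay protection).
type GroupKeys struct {
	KEK []byte
	TEK []byte
	Seq uint32
}

// Rekey is a simplified GROUPKEY-PUSH: an AES-GCM nonce plus the ciphertext of
// (seq || newKEK || newTEK || RSA-PSS signature), encrypted under the old KEK.
type Rekey struct {
	Nonce      []byte
	Ciphertext []byte
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BuildRekey runs on the key server: sign the new keys with the KS private key
// (authenticity), then encrypt the signed bundle with the KEK currently in use
// (confidentiality), so only members that registered and hold that KEK can read it.
func BuildRekey(ksPriv *rsa.PrivateKey, currentKEK []byte, seq uint32, newKEK, newTEK []byte) (Rekey, error) {
	if len(newKEK) != keyLen || len(newTEK) != keyLen {
		return Rekey{}, errors.New("keys must be 32 bytes")
	}
	plain := make([]byte, 4, 4+2*keyLen)
	binary.BigEndian.PutUint32(plain, seq)
	plain = append(plain, newKEK...)
	plain = append(plain, newTEK...)

	digest := sha256.Sum256(plain)
	sig, err := rsa.SignPSS(rand.Reader, ksPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return Rekey{}, err
	}
	aead, err := gcm(currentKEK)
	if err != nil {
		return Rekey{}, err
	}
	nonce := mustRandom(aead.NonceSize())
	return Rekey{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, append(plain, sig...), nil)}, nil
}

// AcceptRekey runs on a group member: decrypt with the KEK it holds, verify the
// signature against the KS public key obtained at registration, reject replays,
// and only then install the new KEK and TEK.
func AcceptRekey(ksPub *rsa.PublicKey, keys *GroupKeys, msg Rekey) error {
	aead, err := gcm(keys.KEK)
	if err != nil {
		return err
	}
	plain, err := aead.Open(nil, msg.Nonce, msg.Ciphertext, nil)
	if err != nil {
		return errors.New("rekey was not encrypted under the KEK this member holds")
	}
	body := 4 + 2*keyLen
	if len(plain) < body {
		return errors.New("short rekey")
	}
	digest := sha256.Sum256(plain[:body])
	if err := rsa.VerifyPSS(ksPub, crypto.SHA256, digest[:], plain[body:], nil); err != nil {
		return errors.New("rekey signature does not verify with the key server's public key")
	}
	seq := binary.BigEndian.Uint32(plain[:4])
	if seq <= keys.Seq {
		return errors.New("replayed or stale rekey")
	}
	keys.Seq = seq
	keys.KEK = append([]byte(nil), plain[4:4+keyLen]...)
	keys.TEK = append([]byte(nil), plain[4+keyLen:body]...)
	return nil
}

func main() {
	// Primary KS generates its RSA pair (the "crypto key generate rsa ... exportable" step).
	ks1, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Registration (protected by the IKE phase 1 SA, not modelled here) hands the
	// member the initial KEK, TEK and the KS public key.
	gm := &GroupKeys{KEK: mustRandom(keyLen), TEK: mustRandom(keyLen)}
	ksPub := &ks1.PublicKey

	msg, _ := BuildRekey(ks1, gm.KEK, 1, mustRandom(keyLen), mustRandom(keyLen))
	fmt.Println("rekey from KS1:", AcceptRekey(ksPub, gm, msg))

	// A COOP secondary with its *own* key pair knows the KEK, so its rekey decrypts,
	// but the signature fails against the public key members trust, so it is dropped.
	ks2Wrong, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg, _ = BuildRekey(ks2Wrong, gm.KEK, 2, mustRandom(keyLen), mustRandom(keyLen))
	fmt.Println("rekey from KS2 with its own key:", AcceptRekey(ksPub, gm, msg))

	// The secondary after importing KS1's exported pair: same private key, accepted.
	ks2 := ks1
	msg, _ = BuildRekey(ks2, gm.KEK, 2, mustRandom(keyLen), mustRandom(keyLen))
	fmt.Println("rekey from KS2 with imported key:", AcceptRekey(ksPub, gm, msg))

	// Replaying that message fails: the member has already moved to the new KEK
	// (and its sequence number is no longer fresh).
	fmt.Println("replayed rekey:", AcceptRekey(ksPub, gm, msg))
}
```

Run it with `go run` and compare the four lines: only the rekeys signed with the key pair the members trust are installed, which is exactly the property the export/import dance between COOP key servers preserves.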

Hope this makes it somewhat clear? If not, please feel free to post comments on this article or send me an e-mail.

Cheers,

Vybhav


Day #9 – Access “Crazy” server ( ACS )

Today I started the journey into the unfamiliar world of using AAA with VPNs. My goal by the end of the day was to learn the following things:

  • How to perform XAUTH for all the EZVPN clients logging in, using RADIUS.
  • How to get all the group configuration parameters from the ACS server using RADIUS.
  • Learn how to use certificates as an identity for the EZVPN connections.
  • Learn how to configure EZVPN remote.

Doing XAUTH using AAA worked out to be easy. It was very straightforward and I'm guessing it should be done in about 5-10 minutes.

However, the things I would ask you to be careful about are:

  • The AAA client's address. Make sure the address is configured correctly. For ease of use, source the RADIUS requests from a loopback interface and add the loopback address as the client address on the ACS. This ensures we do not have to worry about which interface the AAA requests leave from. This is achieved with the command "ip radius source-interface Loopback0" (the argument is an interface name, not an IP address).
  • I know this sounds trivial, but make sure you select the correct type of RADIUS or TACACS+ for the client you're using, because there are so many types in the list.

Coming to the next topic: getting the group parameters from the ACS when the user logs in. This task has 2 steps.

  • Make sure the AAA authorization method list points to the AAA server for fetching all the group parameters.
    • This is achieved with the command "aaa authorization network default group radius" (or a named list in place of default).
    • After defining the method list, either enter the isakmp-profile sub-mode and use "isakmp authorization list <list>", or stay in global configuration and use "crypto map <map-name> isakmp authorization list <list>", naming the AAA list you created for remote authorization.
  • Step 2 is configuring the ACS server to do authorization. Now, the ACS behaves in a weird way here. It's too detailed to explain here, so have a look at this configuration guide from Cisco.

Although I did everything, I couldn't make it work. The problem I faced was this:

When I connected to the VPN server using my EZVPN client, it successfully authenticated the user against the group and also passed all the Cisco AV pairs (pool, split ACL, etc.) to the router as planned. I observed this using Wireshark. However, after that it doesn't go into the XAUTH phase at all.

When I look at "debug crypto isakmp", it keeps saying INVALID hash. I have no idea what that means and this is definitely going up on CLND soon with my group-lock question.

All I can say is I'm sick of this and I'm going to shift topics. I'll get back to this later.

So tomorrow (i.e. Monday) I'm going to start doing SSL VPNs. I'm excited about this as I find this topic VERY cool and I know that this is definitely going to replace EZVPN in the future.

Do buzz me with any comments regarding better ways to do this, etc. :) And look out for CLND threads on this very soon.

Cheers,

TacACK


Day #8 – This is tough!

Yep! You heard me right! I started today with the same enthusiasm I had yesterday and it was going well until I hit the dreaded "ACS" <insert "The Lord of the Rings, Mordor" music here>.

The day started off with some DMVPN configuration. It went well and I was happy that I didn't take much time with it. The NHRP adjacencies worked as expected and I had a spoke-to-spoke tunnel working perfectly.

After which, I started EZVPN.

The first task was an IOS-based EZVPN with local authentication and group configuration. I made a small list of points to remember during this configuration:

  • Make sure you enter the command "reverse-route" in the crypto map (or dynamic crypto map) configuration sub-mode. This ensures that a static route to each connected client's assigned address is installed on the EZVPN server.
  • After this, make sure you "redistribute" these static routes into the routing protocol running on the internal routers. This ensures that the VPN client is reachable from all the internal routers, not just from the EZVPN server.
    • EZVPN_SERVER(config)#crypto map VPN_MAP 10
    • EZVPN_SERVER(config-map)#reverse-route
  • We can specify an ACL to be delivered to the EZVPN client so that only certain traffic (i.e. the traffic destined to the corporate network) is encrypted, whereas all other traffic is sent to the internet in clear text. This ACL is called a split-tunnel ACL, and it can be defined like this:
    • (config)#ip access-list extended SPLIT_ACL
    • (config-acl)#permit ip <THE INTERNAL SUBNET> <THE EZVPN CLIENT'S POOL ADDRESSES>
    • After creating it, apply it to the client group with the "acl SPLIT_ACL" command under "crypto isakmp client configuration group <name>"; the crypto map itself does not reference the split ACL.

Now let’s start talking about the problems. Everything was up and running, the client connected and i checked the statistics on the ezvpn client and it showed that traffic destined to the Corporate network would be encrypted, and when i pinged an internal router, i could see packets being encrypted, whereas if i just browsed the internet, no packets were being encrypted.

So that worked out, BUT, i didn’t receive any echo-replies to those pings i sent out. For some reason, the packets were just not reaching my internal nodes. I tried a ping from inside to the VPN client, it was’nt going through either. Apparently there was something blocking the pings and it appeared to be the EZVPN server. I checked the routes on all the routers, any ACL’s preventing this, i also made sure the VPN pool addresses were different from the addresses of the local subnet , etc. I even fired up wireshark on the client PC, and i could only see the ECHO-request packets going out, but no incoming echo-replies.

I dunno why this is happening. I tried googling it. I came across a website which said that this is caused by VMWare network adapters or something ( Dunno how much of that is true ). If you guys know how to work this, Please post it in the comments section, or shoot me an e-mail and i’ll update this post.

Then came group-lock configuration. It's supposed to be very straightforward. There are only 2 steps involved:

  • Make sure the username (in the case of local authentication) is of the form "username@group", with any password.
    • When IOS reads this, it figures out that this user is only meant to log in under the group specified after the @ symbol. So when you connect using the VPN client, it reads the username and the group and matches them against the "username" configuration.
  • We need to configure the command "group-lock" in the group configuration sub-mode on the EZVPN server. This ensures that only users who are assigned to that particular group are allowed to log in.

This sounds pretty straightforward, right..? Apparently not. It didn't work for me. When I tried connecting using just the "username", it didn't connect. I kept getting a message saying "invalid username" or something similar. This meant that just by typing in "username" (which is the right method), I was failing authentication. Maybe IOS wasn't recognizing the "@" as a special character indicating the presence of a group name after it. So I changed it to other characters like '%', '/', etc., but none of them worked.

I couldn't resolve this issue no matter what, so I'll post this as a question on CLND soon. Stick around for the answer.

I started ACS, but I was too exhausted so I didn't bother to go ahead. I'm going to be doing that tomorrow.

Cheers,

TacACK
