Archive for the ‘CISCO stuff’ Category

About VPNs…

Posted: April 21, 2010 in CISCO stuff, pseudohacking, Vulnerabilities

…or how secure they really are, especially when they are badly configured…

Consider the following example:

We have a government domain… let's “say” it is home.fnal.gov, which also has a small intranet reachable over VPN.

We also have a completely idiotic administrator who gives us access to the following .pcf file… (anyone who has worked with Cisco knows this is a Cisco VPN client configuration file):

[main]
Description=
Host=131.225.15.49
AuthType=1
GroupName=CMS2006
GroupPwd=
enc_GroupPwd=68C5730C268E5722C1B9FA63247B01B63BBF99317CFBFEEF393299B041D165ADA3DE3B0D7E556EE784628ED7849CA9F1C859763381AFDDF9
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPPhonebook=
ISPCommand=
Username=
SaveUserPassword=0
UserPassword=
enc_UserPassword=
NTDomain=
EnableBackup=0
BackupServer=
EnableMSLogon=1
MSLogonType=0
EnableNat=1
TunnelingMode=0
TcpTunnelingPort=10000
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=00000000000000000000000000000000
SendCertChain=0
PeerTimeout=90
EnableLocalLAN=0

With a little help from Cain &amp; Abel we find out that:

What can be done from here is left up to you… :)

By the way, the same kind of idiot admin can also be found at the “Politehnica” University of Timisoara… :) And not only there!

PIX configuration with VPN support

Posted: January 14, 2010 in CISCO stuff, Networking

PIX Version 5.3(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password BGogFIdB6jmwTyg7 encrypted
passwd BGogFIdB6jmwTyg7 encrypted
hostname hostname-pix
domain-name hostname.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
access-list incoming-outside permit tcp any host 195.12.20.155 eq smtp
access-list incoming-outside permit icmp any any echo-reply
access-list vpn-nonat permit ip 192.9.200.0 255.255.255.0 192.10.200.0 255.255.255.0
pager lines 24
logging on
no logging timestamp
no logging standby

logging console debugging
logging monitor debugging

no logging buffered
no logging trap
no logging history

logging facility 20
logging queue 512

interface ethernet0 auto
interface ethernet1 auto

mtu outside 1500
mtu inside 1500

ip address outside [OUTSIDE_IP] 255.255.255.248
ip address inside [INSIDE_IP] 255.255.255.0

ip audit info action alarm
ip audit attack action alarm

ip local pool remote-vpn 192.10.200.1-192.10.200.100

arp timeout 14400

global (outside) 1 [OUTSIDE_IP]

nat (inside) 0 access-list vpn-nonat
nat (inside) 1 192.1.1.0 255.255.255.0 255 2024

static (inside,outside) [OUTSIDE_IP] [INSIDE_IP] netmask 255.255.255.255 0 0

access-group incoming-outside in interface outside

route outside 0.0.0.0 0.0.0.0 [DEFAULT_GATEWAY] 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius

filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

no snmp-server location
no snmp-server contact

snmp-server community public
no snmp-server enable traps
floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set transset1 esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set transset1
crypto map remotemap 10 ipsec-isakmp dynamic dynmap
crypto map remotemap client configuration address initiate
crypto map remotemap client configuration address respond
crypto map remotemap interface outside

isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local remote-vpn outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

telnet timeout 5

ssh [ADMIN_IP] 255.255.255.255 outside
ssh timeout 10

Important: the following configuration is not recommended for use in a production network… It is only an example from which you can start when designing the protection of a network.
Attention! If you don't know what you are doing, better not start configuring a firewall at all. A badly configured one is more dangerous than having none…

Explanations

In this example no external connection is configured that would let you access the router from outside the network (remote access). An SSL connection can be configured separately, but that is not the subject of this article.
Also, the example below will not explain how you can get access to the firewall. If you don't know… go make pancakes and stay away from the firewall.

The following 2 lines define the names of, and the trust levels between, the physical interfaces of a firewall. The numbers define the security level of a network, 0 being the bottom limit and 100 belonging to a network you trust (e.g. the internal network).
Data will always flow from a network with a higher level to one with a lower level; the reverse direction is defined by the firewall rules.

nameif ethernet0 outside security0
nameif ethernet1 inside security100

Cisco PIX has 2 levels of password protection, similar to a router.

enable password BGogFIdB6jmwTyg7 encrypted
passwd BGogFIdB6jmwTyg7 encrypted

The firewall's name is not very important, but in a large network it's good to know exactly where each device is.

hostname xxxxxxxxxx

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names

The access lists will allow connections to the devices in the internal network:

access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host eq 443
access-list 100 permit tcp any host eq www

The number of lines the console can display without paging:

pager lines 24

The logging configuration is no different from other Cisco products:

logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
logging buffered errors
logging trap notifications
no logging history

logging facility 20
logging queue 512

Note: interfaces are, by default, shut down, even after configuration. A show interface command would be a good idea. So would defining an MTU, which is 1500 for Ethernet.

interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500

The IP address for the firewall's outside interface:

ip address outside

The IP address of the inside interface, which is the gateway for the network's internal devices:

ip address inside

ip audit info action alarm
ip audit attack action alarm

arp timeout 14400

The firewall's global address used for NAT:

global (outside) 1
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

The published address space used by the internal network to let traffic through the firewall. These entries do not guarantee global access; they only set up a mapping between IPs.

static (inside,outside) netmask 255.255.255.255 255 0
static (inside,outside) netmask 255.255.255.255 255 0
access-group 100 in interface outside

The default route must point to the directly connected router (next hop router):

route outside 0.0.0.0 0.0.0.0 1

Timeouts for NAT translations and for connections through the firewall, all at their defaults:

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

The standard settings for certain aspects of a PIX, many of them not commonly used:

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet timeout 5
ssh timeout 5
terminal width 80

As I said at the beginning of the article, this is just a basic configuration that can be adapted to any network.

Routing, Switching and CCNA

Posted: January 12, 2010 in CISCO stuff, Networking

A series of notes compiled by various people for the delight of Cisco enthusiasts:

CCNA – CCNA Notes

Routing – Routing Notes

Switching – Switching Notes

CCNA Security is coming soon too, but it will take a little longer because I'm preparing the file from the notes I took in class…

Update: VLSM cheat sheet: vlsm (corrected version)

Many know, but few are aware of, how easily a kron can be configured so that, at intervals you choose, a router's configuration is saved to a location of your choice.

For example, we need the configuration to be saved every 2500 minutes:

archive
path disk0:/config-archive
maximum 14
time-period 2500
log config
notify syslog

FTP Kron Policy

kron occurrence ftpconfig_occur in 1:0:0 recurring
 policy-list ftpconfig
!
kron policy-list ftpconfig
 cli copy running-config ftp://192.168.1.74/configs/router.cfg

(The IP was chosen at random; replace it with the IP of an FTP server you trust.)

Router#show archive
There are currently 3 archive configurations saved.
The next archive file will be named disk0:/config-archive-4
Archive # Name
0
1 disk0:/config-archive-1
2 disk0:/config-archive-2
3 disk0:/config-archive-3
…

Router#show kron schedule
Kron Occurrence Schedule
ftpconfig_occur inactive, will run again in 0 days 23:54:17

… you can have problems. That's roughly what happens with Telefonica, one of the largest communications companies in the world, which, ironically, lends out and configures routers for various other companies…

Let's see what the configuration of one of their routers looks like:

Using 5298 out of 29688 bytes
!
version 12.3
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname ibemnapacc
!
boot-start-marker
boot-end-marker
!
logging buffered 100000 debugging
no logging console
enable secret 5 $1$u1X7$fFHQopGMm7UVDpXOvTnPE1
enable password 7 04480E0F0135484B
!
clock timezone MET 1
clock summer-time DST recurring last Sun Mar 2:00 last Sun Oct 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa session-id common
ip subnet-zero
ip cef
!
!
!
!
ip ftp source-interface Loopback400
ip ips po max-events 100
ip tftp source-interface Loopback400
no ip domain lookup
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key ADSLREMOTA address 172.99.1.1
crypto isakmp keepalive 30
!
!
crypto ipsec transform-set IBER esp-3des esp-sha-hmac
!
crypto map ADSLREMOTA local-address Loopback20
crypto map ADSLREMOTA 10 ipsec-isakmp
set peer 172.99.1.1
set transform-set IBER
match address 110
!
!
!
interface Loopback20
ip address 172.99.1.254 255.255.255.255
!
interface Loopback400
description Gestion InterLAN
ip address 172.30.153.130 255.255.255.255
!
interface ATM0
description ADSL: 948258057
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode ansi-dmt
!
interface ATM0.1 point-to-point
description Conexion con NRI: 31712712 dlci 69
ip address 172.55.3.78 255.255.255.252
crypto map ADSLREMOTA
pvc 8/32
encapsulation aal5snap
!
!
interface BRI0
no ip address
shutdown
!
interface FastEthernet0
ip address 89.31.29.1 255.255.255.248 secondary
ip address 89.102.10.60 255.255.0.0
shutdown
speed auto
!
router eigrp 1
network 89.0.0.0
network 172.55.0.0
network 172.99.0.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
no ip http server
no ip http secure-server
ip tacacs source-interface Loopback400
!
!
access-list 3 permit 89.0.4.164
access-list 50 remark GESTION SNMP SOLO LECTURA
access-list 50 permit 172.24.7.128 0.0.0.63
access-list 50 permit 213.0.254.0 0.0.0.63
access-list 50 permit 213.0.190.192 0.0.0.63
access-list 50 permit 213.0.187.192 0.0.0.63
access-list 51 remark GESTION PERMISO ESCRITURA Y TFTP
access-list 51 permit 172.24.7.128 0.0.0.63
access-list 51 permit 213.0.254.0 0.0.0.63
access-list 51 permit 213.0.190.192 0.0.0.63
access-list 51 permit 213.0.187.192 0.0.0.63
access-list 52 permit 172.55.3.77
access-list 52 remark ACCESO TELNET
access-list 52 permit 172.24.7.128 0.0.0.63
access-list 52 permit 213.0.254.0 0.0.0.63
access-list 52 permit 213.0.190.192 0.0.0.63
access-list 52 permit 213.0.187.192 0.0.0.63
access-list 53 remark ACCESO NTP
access-list 53 permit 172.24.7.128 0.0.0.63
access-list 53 permit 213.0.254.0 0.0.0.63
access-list 53 permit 213.0.190.192 0.0.0.63
access-list 53 permit 213.0.187.192 0.0.0.63
access-list 110 permit ip 89.102.0.0 0.0.255.255 any
access-list 110 permit ip 89.31.29.0 0.0.0.7 any
snmp-server community GESTION RO 50
snmp-server community ESCRITO RW 51
snmp-server community IBERMUTUA RO 3
snmp-server ifindex persist
snmp-server trap-source Loopback400
snmp-server location IBERMUTUAMUR –> Sancho Ramirez 15   bj IRUQA NAVARRA
snmp-server enable traps snmp linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps isdn call-information
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps atm pvc
snmp-server host 172.24.7.174 GESTION
snmp-server host 89.0.4.164 IBERMUTUA
snmp-server tftp-server-list 51
tacacs-server host 172.24.7.171
tacacs-server timeout 3
tacacs-server directed-request
tacacs-server key 7 132435312F29220D
!
control-plane
!
banner motd ^CC
********************************************************************
********************************************************************
********************************************************************
**    Esta usted accediendo a una maquina privada propiedad de    **
**                  TELEFONICA DATA ESPAÑA S.A.                   **
**   sin autorizacion, podra estar incurriendo en una violacion   **
**  que podria suponer la posible comision de una falta o delito  **
********************************************************************
**                  Telefonica Data España S.A.                   **
********************************************************************
**          Grupo de Gestion Servicio InterLAN de TDE             **
********************************************************************
********************************************************************^C
!
line con 0
exec-timeout 5 0
password 7 1044081100161E
line aux 0
access-class 52 in
exec-timeout 5 0
password 7 045205130C29435D
modem InOut
no exec
stopbits 1
flowcontrol hardware
line vty 0 4
!
end

Router#

Don't ask how I got it, OK? :)

NAMING CONVENTIONS FOR CISCO IOS

Posted: September 26, 2009 in CISCO stuff

Very useful when we need to know what services one IOS variant or another brings us.

It lets us read the names of versions prior to 12.3 (starting with that version, IOS images are divided into 8 packages).

If, for example, we have a Cisco IOS c7200-ajs40-mz, using the list we can tell that:

c7200: this is an IOS for a Cisco 7200 router.

a: APPN (Advanced Peer-to-Peer Networking).

j: Enterprise.

s: NAT, ISL, IBM, MMP, VPDN/L2F.

40: 40-bit encryption.

m: the software runs in RAM.

z: zip compressed.

A
a: APPN
a2: ATM
a3: APPN replacement

B
b: Appletalk
boot: boot image

C
c: Comm-server/Remote Access Server (RAS) subset (SNMP, IP, Bridging, IPX, Atalk, Decnet, FR, HDLC, PPP, X.25, ARAP, tn3270, PT, XRemote, LAT) (non-CiscoPro)
c: CommServer lite (CiscoPro)
c2: Comm-server/Remote Access Server (RAS) subset (SNMP, IP, Bridging, IPX, Atalk, Decnet, FR, HDLC, PPP, X.25, ARAP, tn3270, PT, XRemote, LAT) (CiscoPro)
c3: clustering

D
d: Desktop subset (SNMP, IP, Bridging, WAN, Remote Node, Terminal Services, IPX, Atalk, ARAP) (11.2 – Decnet)
d2: reduced Desktop subset (SNMP, IP, IPX, ATALK, ARAP)
diag: IOS based diagnostic images

E
e: IPeXchange (no longer used in 11.3 and later) – StarPipes DB2 Access – enables Cisco IOS to act as a “Gateway” to all IBM DB2 products for downstream clients/servers in 11.3T
eboot: ethernet boot image for the mc3810 platform

F
f: FRAD subset (SNMP, FR, PPP, SDLLC, STUN)
f2: modified FRAD subset, EIGRP, Pcbus, Lan Mgr removed, OSPF added

G
g: ISDN subset (SNMP, IP, Bridging, ISDN, PPP, IPX, Atalk)
g2: gatekeeper proxy, voice and video
g3: ISDN subset for c800 (IP, ISDN, FR)

H
h: for Malibu (2910), 8021D, switch functions, IP Host
hdiag: diagnostics image for Malibu (2910)

I (used for image names of platforms c2500 and larger)
i: IP subset (SNMP, IP, Bridging, WAN, Remote Node, Terminal Services)
i2: subset similar to IP subset for system controller image (3600)
i3: reduced IP subset with BGP/MIB, EGP/MIB, NHRP, DIRRESP removed
i4: subset of IP (5200)
ipss7: IP subset with SS7 (2600)

J
j: enterprise subset (formerly bpx, includes protocol translation) *** not used until 10.3 ***

K
k: kitchen sink (enterprise for high-end) (same as bx) (not used after 10.3)
k1: Baseline Privacy key encryption (on 11.3 and up)
k2: high-end enterprise w/CIP2 ucode (not used after 10.3)
k3: Triple DES (on 11.3 and up)
k4: 56bit SSH encryption
k5: 168bit SSH encryption
k6: reserved for future encryption capabilities (on 11.3 and up)
k7: reserved for future encryption capabilities (on 11.3 and up)
k8: reserved for future encryption capabilities (on 11.3 and up)
k9: reserved for future encryption capabilities (on 11.3 and up)

L
l: IPeXchange IPX, static routing, gateway

M
m: RMON (11.1 only)
m: Catalyst 2820-kernel, parser, ATM signaling, Lane Client, bridging

N
n: IPX

O
o: Firewall (formerly IPeXchange Net Management)
o2: Firewall (3xx0)
o3: Firewall with ssh (36x0 26x0)

P
p: Service Provider (IP RIP/IGRP/EIGRP/OSPF/BGP, CLNS ISIS/IGRP)
p2: Service Provider w/CIP2 ucode
p3: as5200 service provider
p4: 5800 (Nitro) service provider
p5: Service Provider (6400 NRP)
p7: Service Provider with PT/TARP (2600, 3640)

Q
q: Async
q2: IPeXchange Async

R
r: IBM base option (SRB, SDLLC, STUN, DLSW, QLLC) – used with i, in, d (see note below)
r2: IBM variant for 1600 images
r3: IBM variant for Ardent images (3810)
r4: reduced IBM subset with BSC/MIB, BSTUN/MIB, ASPP/MIB, RSRB/MIB removed

S
s: source route switch (SNMP, IP, Bridging, SRB) (10.2 to 11.1)
s: additions by platform via PLUS packs:
  c1000: (OSPF, PIM, SMRP, NLSP, ATIP, ATAURP, FRSVC, RSVP, NAT)
  c1005: (X.25, full WAN, OSPF, PIM, NLSP, SMRP, ATIP, ATAURP, FRSVC, RSVP, NAT)
  c1600: (OSPF, IPMULTICAST, NHRP, NTP, NAT, RSVP, FRAME_RELAY_SVC)
    AT “s” images also have: (SMRP, ATIP, AURP)
    IPX “s” images also have: (NLSP, NHRP)
  c2500: (NAT, RMON, IBM, MMP, VPDN/L2F)
  c2600: (NAT, IBM, MMP, VPDN/L2F, VOIP and ATM)
  c3620: (NAT, IBM, MMP, VPDN/L2F) in 11.3T added VOIP
  c3640: (NAT, IBM, MMP, VPDN/L2F) in 11.3T added VOIP
  c4000: (NAT, IBM, MMP, VPDN/L2F)
  c4500: (NAT, ISL, LANE, IBM, MMP, VPDN/L2F)
  c5200: (PT, v.120, managed modems, RMON, MMP, VPDN/L2F)
  c5300: (MMP, VPDN, NAT, Modem Management, RMON, IBM)
  c5rsm: (NAT, LANE and VLANS)
  c7000: (ISL, LANE, IBM, MMP, VPDN/L2F)
  c7200: (NAT, ISL, IBM, MMP, VPDN/L2F)
  rsp: (NAT, ISL, LANE, IBM, MMP, VPDN/L2F)

T
t: AIP w/ modified Ucode to connect to Teralink 1000 Data (11.2)
t: Telco return (12.0)

U
u: IP with VLAN RIP (Network Layer 3 Switching Software, rsrb, srt, srb, sr/tlb)

V
v: VIP and dual RSP (HSA) support
v2: Voice V2D
v3: Voice Feature Card
v4: Voice (ubr920)

W
w: WBU Feature Sets:
  i: IISP
  l: LANE &amp; PVC
  p: PNNI
  v: PVC traffic shaping
w2: Cisco Advantage ED train Feature Sets:
  a: IPX, static routing, gateway
  b: Net Management
  c: FR/X25
  y: Async
w3: Distributed Director Feature Sets

X
x: X.25 in 11.1 and earlier releases and on c800 in 12.0T
x: FR/X.25 in 11.2 (IPeXchange)
x: H.323 Gatekeeper/Proxy in 11.3 and later releases for 2500, 3620, 3640, mc3810

Y (used for image names of platforms smaller than c2500)
y: reduced IP (SNMP, IP RIP/IGRP/EIGRP, Bridging, ISDN, PPP) (C1003/4)
y: reduced IP (SNMP, IP RIP/IGRP/EIGRP, Bridging, WAN – X.25) (C1005) (11.2 – includes X.25) (c1005)
y: IP variant (no Kerberos, Radius, NTP, OSPF, PIM, SMRP, NHRP…) (c1600)
y2: IP variant (SNMP, IP RIP/IGRP/EIGRP, WAN – X.25, OSPF, PIM) (C1005)
y2: IP Plus variant (no Kerberos, Radius, NTP, …) (c1600)
y3: IP/X.31
y4: reduced IP variant (Cable, Mibs, DHCP, EZHTTP)
y5: reduced IP variant (Cable, Mibs, DHCP, EZIP) Home Office
y6: reduced IP variant (c800)

Z
z: managed modems

0-9
40: 40 bit encryption
56: 56 bit encryption
56i: 56 bit encryption with IPSEC

Obsolete
h: reduced desktop subset (SNMP, IP RIP/IGRP/EIGRP, Bridging, ISDN, PPP, IPX, Atalk) 1003/4
h: reduced desktop subset (SNMP, IP RIP/IGRP/EIGRP, Bridging, WAN – X.25, IPX, Atalk) 1005
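As an added example (not the blog's or Cisco's tool), here is a decoder that applies this naming scheme to an image file name: it splits the platform, the feature codes and the load/compression field, tokenizing the feature field longest-code-first so that 56i or k9 is not misread as single letters, and flags the export-grade 40/56-bit codes from the table. It assumes an abbreviated subset of the codes above; the run-from-flash/ROM/relocatable and mzip/stac letters (f, r, l, x, w) are taken from Cisco's convention rather than from this page.

```python
"""Decode classic Cisco IOS image names such as c7200-ajs40-mz.
Added example, not the blog's or Cisco's tool.  FEATURE_CODES is an abbreviated
subset of the table above; the load/compression letters other than m and z
(f, r, l, x, w) are assumed from Cisco's convention and are not on this page."""

FEATURE_CODES = {  # feature code -> meaning (abbreviated from the table above)
    "a": "APPN", "a2": "ATM", "a3": "APPN replacement", "b": "Appletalk",
    "c": "Comm-server/RAS subset", "c2": "Comm-server/RAS subset (CiscoPro)",
    "c3": "clustering", "d": "Desktop subset", "d2": "reduced Desktop subset",
    "e": "IPeXchange/StarPipes DB2 access", "f": "FRAD subset", "f2": "modified FRAD",
    "g": "ISDN subset", "g2": "gatekeeper proxy, voice and video", "g3": "ISDN (c800)",
    "h": "8021D/switch functions, IP Host (2910)", "i": "IP subset",
    "i2": "IP subset for system controller (3600)", "i3": "reduced IP subset",
    "i4": "subset of IP (5200)", "ipss7": "IP subset with SS7 (2600)",
    "j": "enterprise subset", "k": "kitchen sink (enterprise, high-end)",
    "k1": "Baseline Privacy key encryption", "k2": "high-end enterprise w/CIP2 ucode",
    "k3": "Triple DES", "k4": "56bit SSH encryption", "k5": "168bit SSH encryption",
    "k6": "reserved (encryption)", "k7": "reserved (encryption)",
    "k8": "reserved (encryption)", "k9": "reserved (encryption)",
    "l": "IPeXchange IPX, static routing, gateway", "m": "RMON (11.1 only)",
    "n": "IPX", "o": "Firewall", "o2": "Firewall (3xx0)", "o3": "Firewall with ssh",
    "p": "Service Provider", "p2": "Service Provider w/CIP2 ucode", "q": "Async",
    "q2": "IPeXchange Async", "r": "IBM base option", "r2": "IBM variant (1600)",
    "r3": "IBM variant (3810)", "r4": "reduced IBM subset",
    "s": "PLUS pack additions (platform dependent)", "t": "Teralink/Telco return",
    "u": "IP with VLAN RIP", "v": "VIP and dual RSP (HSA) support", "v2": "Voice V2D",
    "v3": "Voice Feature Card", "v4": "Voice (ubr920)", "w": "WBU Feature Sets",
    "w2": "Cisco Advantage ED train Feature Sets", "w3": "Distributed Director",
    "x": "X.25/FR or H.323 gatekeeper (release dependent)", "y": "reduced IP",
    "y2": "IP variant", "y3": "IP/X.31", "y4": "reduced IP (Cable)",
    "y5": "reduced IP (Cable, Home Office)", "y6": "reduced IP (c800)",
    "z": "managed modems", "40": "40 bit encryption", "56": "56 bit encryption",
    "56i": "56 bit encryption with IPSEC",
}
WEAK_CRYPTO = {"40", "56", "56i", "k4"}  # export-grade strengths from the table
EXEC_CODES = {"m": "runs in RAM", "f": "runs from flash",      # f, r, l assumed,
              "r": "runs from ROM", "l": "relocatable"}        # not on this page
COMP_CODES = {"z": "zip", "x": "mzip", "w": "stac"}            # x, w assumed

def split_features(features):
    """Tokenize the feature field, taking the longest known code at each step
    so that "56i" is not read as "5", "6", "i" and "k9" is not "k", "9"."""
    longest = max(len(c) for c in FEATURE_CODES)
    codes, i = [], 0
    while i < len(features):
        for n in range(min(longest, len(features) - i), 0, -1):
            if features[i:i + n] in FEATURE_CODES:
                codes.append(features[i:i + n])
                i += n
                break
        else:
            raise ValueError(f"unknown feature code at {features[i:]!r}")
    return codes

def decode_image_name(name):
    """Split <platform>-<features>-<load>[.<version>][.bin] into its parts."""
    parts = name.split("-", 2)
    if len(parts) != 3:
        raise ValueError("expected <platform>-<features>-<load>[.<version>]")
    platform, features, tail = parts
    if tail.endswith(".bin"):
        tail = tail[:-4]
    load, _, version = tail.partition(".")
    if not 1 <= len(load) <= 2 or load[0] not in EXEC_CODES or (
            len(load) == 2 and load[1] not in COMP_CODES):
        raise ValueError(f"unknown load/compression field {load!r}")
    codes = split_features(features)
    return {
        "platform": platform,
        "features": codes,
        "feature_names": [FEATURE_CODES[c] for c in codes],
        "execution": EXEC_CODES[load[0]],
        "compression": COMP_CODES[load[1]] if len(load) == 2 else None,
        "version": version or None,
        "weak_crypto": sorted(WEAK_CRYPTO.intersection(codes)),
    }

if __name__ == "__main__":
    for img in ("c7200-ajs40-mz", "c3640-is56i-mz.120-7.bin", "c2600-jk9s-mz"):
        info = decode_image_name(img)
        print(img, "->", info["platform"], info["features"], info["execution"],
              info["compression"], info["version"], "weak:", info["weak_crypto"])
```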

In this article I will compile a few tricks for securing a Cisco router.
First of all, everything that follows is obvious… or maybe not…

Using secure protocols

TELNET, HTTP, FTP, etc. connections can be intercepted and read because everything is transmitted in plain text. The alternatives are SSH, HTTPS, FTPS, etc.

Enabling SSH and SCP:

Not all IOS versions support SSH, SCP or HTTPS.

ip domain-name domeniultau.net
!
crypto key generate rsa modulus 2048
!
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh source-interface Loopback0
ip scp server enable
!
line vty 0 4
 transport input ssh

Enabling HTTPS:

crypto key generate rsa modulus 2048
!
ip http secure-server

Using a centralized syslog

We can send the log messages to a workstation using the following command:

logging host <directie-ip>

Using hash-based passwords

The secret command can be a good idea.

Disabling insecure or unused services

A few examples:

no ip http server
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip bootp server
no mop enabled
no ip domain-lookup
no service pad
no service config
no cdp run
no lldp run global

Disabling TCL

If we have a recent IOS, we also have the option of working with TCL scripts. If we don't know how to use them, disabling them is recommended:

no scripting tcl init
no scripting tcl encdir

These commands will not be visible in the running-config, but it's good not to forget about them.

Securing the terminal lines

Inactivity timeout

If we have an administration console enabled, it can be closed automatically after a certain period of inactivity:

line con 0
 exec-timeout <minute> [secunde]
line vty 0 4
 exec-timeout <minute> [secunde]

Disabling the AUX port

line aux 0
 transport input none
 transport output none
 no exec
 exec-timeout 0 1
 no password

Another option is to put a password on it, just like on the console port.

Disabling password recovery

It is not a bad idea, given that someone could get access to the console, change the configuration register and gain access to the NVRAM.

But if you forgot the password… then you have a problem:

no service password-recovery

Configuring the Nagle algorithm

It should be enabled on all routers for the efficiency of Telnet sessions:

service nagle

Configuring keepalives for TCP services

service tcp-keepalives-in
service tcp-keepalives-out

Using loopbacks for management

Being virtual interfaces, they have the advantage of always being available:

interface Loopback0
 description Loopback de management
 ip address 192.168.254.254 255.255.255.255
!
ip ftp source-interface Loopback0
ip tftp source-interface Loopback0
ip telnet source-interface Loopback0
ip ssh source-interface Loopback0
logging source-interface Loopback0
ntp source Loopback0
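As an added example (not code from the blog or from Cisco), the following script checks a saved IOS running-config for the items above: password-encryption and enable secret, plaintext HTTP, well-known or unrestricted SNMP communities, exec-timeout on the terminal lines, ssh-only vty transport and a disabled AUX exec. The two sample configurations are constructed, and the script only flags what the text shows explicitly, since IOS does not print default settings.

```python
"""Audit a Cisco IOS running-config for the hardening items in this post.
Added example, not the blog's or Cisco's code; sample configs are constructed.
Caveat: IOS hides default settings, so a missing "no ip finger" line proves
nothing; only explicit evidence in the text is reported."""
import re
REQUIRED_GLOBAL = {  # global lines that must be present verbatim
    "service password-encryption": "line passwords are stored in the clear",
    "service tcp-keepalives-in": "dead inbound sessions are never cleared",
    "service tcp-keepalives-out": "dead outbound sessions are never cleared",
}
FORBIDDEN_GLOBAL = {  # global line prefixes whose presence is a finding
    "ip http server": "plaintext HTTP management; use ip http secure-server",
    "enable password": "reversible type-7 enable password; use enable secret",
}
SNMP_RE = re.compile(r"snmp-server community (\S+)(?: (?:RO|RW))?(?: (\S+))?$")
TIMEOUT_RE = re.compile(r"exec-timeout (\d+)(?: (\d+))?")

def parse_sections(config):  # key "" holds global lines, others their sub-lines
    sections, current = {"": []}, ""
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
            sections[""].append(current)
    return sections

def audit(config):
    """Return human-readable findings; an empty list means nothing was flagged."""
    s = parse_sections(config)
    top, out = s[""], []
    for line, why in REQUIRED_GLOBAL.items():
        if line not in top:
            out.append(f"missing '{line}': {why}")
    for prefix, why in FORBIDDEN_GLOBAL.items():
        if any(l.startswith(prefix) for l in top):
            out.append(f"'{prefix}' present: {why}")
    for prefix, why in (("enable secret", "privileged password is not hashed"),
                        ("logging host", "logs never leave the device")):
        if not any(l.startswith(prefix) for l in top):
            out.append(f"no '{prefix}': {why}")
    for m in filter(None, (SNMP_RE.match(l) for l in top)):
        name, acl = m.groups()
        if name.lower() in ("public", "private"):
            out.append(f"snmp community '{name}' is a well-known default")
        if acl is None:
            out.append(f"snmp community '{name}' has no access-list")
    for name, body in s.items():  # terminal lines: con, aux, vty
        if not name.startswith("line "):
            continue
        t = [m for m in (TIMEOUT_RE.match(b) for b in body) if m]
        if not t:
            out.append(f"{name}: no exec-timeout")
        elif all(int(m.group(1)) + int(m.group(2) or 0) == 0 for m in t):
            out.append(f"{name}: exec-timeout 0 0 disables the idle timeout")
        if name.startswith("line vty") and "transport input ssh" not in body:
            out.append(f"{name}: transport input is not restricted to ssh")
        if name.startswith("line aux") and "no exec" not in body:
            out.append(f"{name}: aux port still offers an exec")
    return out

SAMPLE_WEAK = """\
enable secret 5 $1$EXAMPLE$constructedhash
enable password 7 0123456789ABCDEF
ip http server
snmp-server community public RO
line aux 0
 exec-timeout 0 0
line vty 0 4
 transport input telnet ssh
"""
SAMPLE_HARDENED = """\
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
enable secret 5 $1$EXAMPLE$constructedhash
logging host 192.0.2.10
snmp-server community netmgmt RO 50
line aux 0
 no exec
 exec-timeout 0 1
line vty 0 4
 exec-timeout 5 0
 transport input ssh
"""
```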

Memory thresholds

Available starting with IOS version 12.3(4)T.

They let us take various actions when the router does not have enough memory. There are two ways of doing this:

Memory threshold notification:

Generates a log message warning that free memory has dropped below the threshold set in the configuration:

memory free low-watermark processor <prag>
memory free low-watermark io <prag>

Reserving memory for critical processes:

memory reserve critical <valor>

For the console:

Available starting with IOS version 12.4(15)T.

memory reserve console <valoare>

Access Lists

An idea of the access lists we should have configured on the router:

ip access-list extended ACL-UN-NUME-IN
 permit tcp host <peer-bgp> host <directie-locala-bgp> eq 179
 permit tcp host <peer-bgp> eq 179 host <directie-locala-bgp>
 permit tcp host <pc-ul-administratorului> any eq 22
 permit udp host <server-de-monitorizare> any eq 161
 permit icmp host <retea-de-incredere> any echo
!
 deny ip any <retea-de-dispozitive-de-infrastructura> <wildcard>
!
 permit ip any any

A few more unusual ideas

They are not very well known but can be a great help in certain cases. In others, though, they can cause problems.

Filtering fragments

In general, because of the particular nature of fragments, they are permitted by access lists. Fragmentation is sometimes used in attempts to fool the IDS:

ip access-list extended ACL-ALTNUME-IN
 deny tcp any any fragments
 deny udp any any fragments
 deny icmp any any fragments
 deny ip any any fragments
 !
 permit ip any any

Filtering based on TTL values

We can filter packets that claim to come from our own network or from a nearby address but carry a very low TTL value; more plainly, packets whose origin is actually far away:

ip access-list extended ACL-ALTALTNUME-IN
 deny ip <reteaua-mea> any ttl lt 30

Filtering by IP packet options (rough translation :))

IP options are a real danger because they are treated as exceptions and therefore processed by the CPU, which means a heavier CPU load. The presence of an option in a packet can also mean an attempt to evade security controls or to alter the transit characteristics:

ip access-list extended ACL-NUME-IN
 deny ip any any option any-options
 !
 permit ip any any

If we have IOS 12.3(4)T, 12.0(22)S, or 12.2(25)S and later, we can use the command:

ip options drop

And so all packets containing IP options are dropped.

Management Plane Protection

Available starting with IOS version 12.4(6)T.

It lets an administrator restrict management traffic to a chosen interface.

Example: https and ssh are allowed only on GigabitEthernet 0/1:

control-plane host
 management-interface GigabitEthernet 0/1 allow ssh https

Enabling DHCP snooping

We can filter all DHCP packets in the chosen VLAN and define on the switch which port a DHCP server is allowed on:

ip dhcp snooping vlan 1
interface FastEthernet0/1
 description DHCP Server
 ip dhcp snooping trust

To be updated….

How to find IOS images with Google

Posted: September 18, 2009 in CISCO stuff

I received a few e-mails asking me for various IOS versions. As I wrote in those e-mails, I'm telling you too that IOS images are not free. They are proprietary systems and it is normal for them to cost money, depending on features and implementations.

Still, if you want to learn something about Cisco, a simulator is not always enough. So you turn to physical routers or to emulators like GNS3. And for those you need IOS images.

I don't encourage piracy, I'm only offering a few suggestions, such as our friend Google, smart enough to find what you need…

For example, a general search for IOS could have the following syntax:

intitle:index.of ios parent directory bin

Of course you can also search for something more specific, such as a particular generation of IOS:

intitle:index.of c7200*.bin -site:cisco.com

or

intitle:index.of c3640*.bin -site:cisco.com

Let's not forget the firewall either:

intitle:index.of cisco pix*.bin -site:cisco.com

I hope I was of help! :)

CISCO ASA – vulnerabilities

Posted: June 29, 2009 in CISCO stuff

A few days ago Cisco confirmed the existence of two vulnerabilities in its security platform. One of them, quite serious, takes advantage of a validation error when processing Rot13-encoded URLs in the SSL VPN. In theory, the vulnerability can be used to launch a Cross Site Scripting attack.

The second vulnerability, quite similar, takes advantage of a programming error in WebVPN input validation. Again in theory, the first hexadecimal character of a Cisco URL can be rewritten… The rest you can imagine yourselves…

Anyway, the problems were fixed in versions 8.0.4.34 and 8.1.2.25, which can be downloaded from:

http://www.cisco.com/public/sw-center
http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT