Tuesday, September 16, 2014

Secure the Router - Part 1


YOUR ROUTER, able to TELNET via INTERNET?
READ THIS BEFORE YOU SLEEP


Some enterprise routers accept telnet from the internet (on an interface with a public IP).
One likely reason is that the implementer does not have sufficient security knowledge.
This means someone can easily attack the router and take control of it.
Once the router is compromised the whole LAN is exposed, because the attack can be extended to the other network devices using the router's LAN IP (LAN IP = trusted IP).

The best practice is: DO NOT allow the management plane on public-facing interfaces.

If remote access via a public IP is a must, use SSH and lock down the allowed source public IP address.

The following Cisco script is one mitigation technique against those attacks.

!define the access-list
!in this example only 1 host (public or private ip) is allowed to open a management session
# access-list 1 permit 10.10.10.10
!the explicit deny is for readability; every access-list ends with an implicit deny anyway
# access-list 1 deny any

!apply the access-list to the vty lines
!check "show line" and apply the same to any additional vty lines (e.g. line vty 5 15)
# line vty 0 4
!only sources matched by access-list 1 may connect
# access-class 1 in
!ssh only; telnet is refused on these lines
# transport input ssh
!idle sessions are closed after 5 minutes
# exec-timeout 5 0
!login local requires a local account (username ... secret ...) in the running-config
# login local
# end



Notes:
Attack = brute-force attack / dictionary attack ...
LAN IP = trusted IP
other network devices = core switch / access switch / routers / servers / ...
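To find vty lines that still accept telnet or have no inbound access-class before an attacker does, here is an added Python audit script (not part of the original post) that parses the "line vty" stanzas of a running-config. The config fragment is constructed for the example, and the check for a missing "transport input" is an assumption that the platform default should be reviewed rather than trusted.

```python
from typing import Dict, List

# Constructed running-config fragment (not from a real device): vty 0 4 is open to telnet, vty 5 15 is locked down.
SAMPLE_CONFIG = """\
access-list 1 permit 10.10.10.10
access-list 1 deny any
!
line vty 0 4
 transport input telnet ssh
 login local
!
line vty 5 15
 access-class 1 in
 transport input ssh
 exec-timeout 5 0
 login local
!
end
"""

def parse_vty_lines(config: str) -> Dict[str, List[str]]:
    """Map each 'line vty A B' stanza to the indented child commands under it."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw[len("line "):].strip()
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None  # any other top-level line ends the stanza
    return stanzas

def audit_vty(config: str) -> List[str]:
    """One finding per weakness on a vty range: telnet accepted, no inbound
    access-class, no exec-timeout, or no 'transport input' (platform default)."""
    findings = []
    for name, cmds in parse_vty_lines(config).items():
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport is None:
            findings.append(f"{name}: no 'transport input', check the platform default")
        elif {"telnet", "all"} & set(transport.split()):
            findings.append(f"{name}: telnet accepted ({transport})")
        if not any(c.startswith("access-class") and c.endswith(" in") for c in cmds):
            findings.append(f"{name}: no inbound access-class, any source IP may connect")
        if not any(c.startswith("exec-timeout") for c in cmds):
            findings.append(f"{name}: no exec-timeout, idle sessions stay open")
    return findings
```

Feed it the output of "show running-config" and every finding points at a vty range that the script in this post would fix.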

Implementing Cisco ASA, part 1 (basic configuration)

ASA routed firewall topology
!implementing a SINGLE ROUTED ASA firewall

!define outside interface (security-level 0 = least trusted)
# interface g0/0
# nameif outside
# ip address 192.168.2.2 255.255.255.252
# security-level 0
# no shut

!define inside interface (security-level 100 = most trusted)
# interface g0/1
# nameif inside
# ip address 10.10.10.1 255.255.255.0
# security-level 100
# no shut

!define dmz interface (if any)
# interface g0/2
# nameif dmz
# ip address 172.16.2.1 255.255.255.0
# security-level 50
# no shut

!define routes
# route outside 0 0 192.168.2.1 1
# route inside 10.10.10.0 255.255.255.0 10.10.10.2 1

!define management access: only host 10.10.10.10 on the inside interface may open ssh or ASDM (https) sessions
!ssh additionally needs an rsa key pair (crypto key generate rsa) and a local username with aaa authentication ssh console LOCAL
# ssh 10.10.10.10 255.255.255.255 inside

# http server enable
# http 10.10.10.10 255.255.255.255 inside

5 steps: adding a firewall rule to permit internet access in Cisco ASA (ASDM)

[ASDM screenshots for step 1 to step 5 are not reproduced here]


Sunday, September 14, 2014

MPLS command line interface (implementation)

MPLS topology


The busiest device in an MPLS network is the PE (provider edge router).
Multiple customer links may connect to one PE.
The core network, P to PE routers, uses OSPF/EIGRP for connectivity (in this example).
The following is a step-by-step MPLS implementation.

!step-1 enable mpls globally and at interface level (cef is a prerequisite for mpls):
!similar logic applies to all PEs:
R1-PE(config)# ip cef
R1-PE(config)# mpls label range 100 999
R1-PE(config)# mpls ip

R1-PE(config)# interface GigabitEthernet 1/0
R1-PE(config-if)# mpls ip

====================================================

!step-2 create the vrf:
!similar logic applies to all PEs (each PE with its own rd and mirrored route-targets):
R1-PE(config)# vrf definition x.x.x.x:abc
R1-PE(config-vrf)# rd 1.1.1.1:1
R1-PE(config-vrf)# address-family ipv4
R1-PE(config-vrf-af)# route-target export 1.1.1.1:101
R1-PE(config-vrf-af)# route-target import 5.5.5.5:101
R1-PE(config-vrf-af)# exit

You may use "vrf definition x.x.x.x:abc" or "ip vrf x.x.x.x:abc":
"vrf definition x.x.x.x:abc" supports both ipv4 and ipv6 (interfaces then use "vrf forwarding")
"ip vrf x.x.x.x:abc" supports ipv4 only (interfaces then use "ip vrf forwarding")
====================================================

!step-3 assign the vrf to the customer-facing interface on the first PE:
!similar logic applies to all PEs:
R1-PE(config)# int fa2/0
R1-PE(config-if)# description connection to customer site 1
R1-PE(config-if)# vrf forwarding x.x.x.x:abc
R1-PE(config-if)# ip address 172.16.101.1 255.255.255.252
R1-PE(config-if)# no shut


!step-4 assign the vrf to the customer-facing interface on the second PE:
!similar logic applies to all PEs:
R5-PE(config)# int fa3/0
R5-PE(config-if)# description connection to customer site 2
R5-PE(config-if)# vrf forwarding x.x.x.x:abc
R5-PE(config-if)# ip address 192.168.101.1 255.255.255.252
R5-PE(config-if)# no shut

====================================================

!step-5 setup CE (customer edge 1); the CE has no vrf configuration, it simply points a default route at the PE
!similar logic applies to all CEs:
customer-edge-1(config)# int fa2/0
customer-edge-1(config-if)# description connection PE
customer-edge-1(config-if)# ip address 172.16.101.2 255.255.255.252
customer-edge-1(config-if)# no shut
customer-edge-1(config-if)# exit
customer-edge-1(config)# ip route 0.0.0.0 0.0.0.0 172.16.101.1

====================================================

!step-6 setup routing: static route / BGP / EIGRP / OSPF ...
!redistribution / route leaking ...
!similar logic applies to all PEs:
!xxx and yyy below are vrf name placeholders; the BGP section redistributes ospf 101 into vrf 1.1.1.1:abc and eigrp 102 into vrf 2.2.2.2:xyz

!static route (PE-CE routing by static route)
ip route vrf 1.1.1.1:abc 172.16.101.0 255.255.255.0 172.16.101.2
!a static route only reaches the remote PE if it is also redistributed into BGP (redistribute static under the vrf address-family)

---------------------------------------------------------------------------------------
!EIGRP (PE-CE routing for vrf yyy, customer autonomous-system 102)
router eigrp 1

 address-family ipv4 vrf yyy autonomous-system 102
  redistribute bgp 65536 metric 1 1 1 1 1
  network 172.16.0.0
 exit-address-family

!OSPF (PE-CE routing for vrf xxx)
router ospf 101 vrf xxx
 redistribute bgp 65536 subnets
 network 172.16.101.1 0.0.0.0 area 0

---------------------------------------------------------------------------------------
!BGP (MP-BGP between the PEs carries the VPNv4 routes; each vrf address-family redistributes its PE-CE protocol)
router bgp 65536
 bgp log-neighbor-changes
 neighbor 5.5.5.5 remote-as 65536
 neighbor 5.5.5.5 update-source Loopback0
 !
 address-family vpnv4
  neighbor 5.5.5.5 activate
  !the extended community carries the route-targets defined in step-2
  neighbor 5.5.5.5 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf 1.1.1.1:abc
  redistribute ospf 101
 exit-address-family
 !
 address-family ipv4 vrf 2.2.2.2:xyz
  redistribute eigrp 102
 exit-address-family
=======================================================

Notes:
The most commonly used ROUTING PROTOCOLS at the CE are:
  • STATIC ROUTE
  • BGP

Route leaking is used when 2 different (VPN) customers want to share their resources.
It can be all of the routes or specific routes only.
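As an added example (not from the original post), the route-target logic of step-2 and the route-leaking note above simulated in Python: which prefixes a VRF imports depends only on the overlap between a VPNv4 route's export route-targets and the VRF's import route-targets. The PE names and the "abc" route-targets follow the post; the second customer "xyz", its route-target and all prefixes are constructed, and the rd is left out because it only keeps overlapping prefixes distinct and does not control import.

```python
from typing import Dict, List, Set, Tuple

VrfKey = Tuple[str, str]  # (PE router, vrf name)

# Constructed vrf definitions mirroring step-2: R1-PE exports 1.1.1.1:101 and imports
# 5.5.5.5:101, R5-PE is the mirror image for the same customer "abc". A second
# customer "xyz" on R5-PE is added to show isolation and, later, route leaking.
VRFS: Dict[VrfKey, Dict[str, Set[str]]] = {
    ("R1-PE", "1.1.1.1:abc"): {"export": {"1.1.1.1:101"}, "import": {"5.5.5.5:101"}},
    ("R5-PE", "1.1.1.1:abc"): {"export": {"5.5.5.5:101"}, "import": {"1.1.1.1:101"}},
    ("R5-PE", "2.2.2.2:xyz"): {"export": {"2.2.2.2:102"}, "import": {"2.2.2.2:102"}},
}

# Constructed customer prefixes each vrf learns on its CE-facing interface.
LOCAL_ROUTES: Dict[VrfKey, List[str]] = {
    ("R1-PE", "1.1.1.1:abc"): ["172.16.101.0/30"],
    ("R5-PE", "1.1.1.1:abc"): ["192.168.101.0/30"],
    ("R5-PE", "2.2.2.2:xyz"): ["10.20.0.0/24"],
}

def advertise(vrfs: Dict[VrfKey, Dict[str, Set[str]]],
              local_routes: Dict[VrfKey, List[str]]) -> List[dict]:
    """Each PE turns its vrf's local prefixes into VPNv4 routes that carry the
    vrf's export route-targets (sent as extended communities by MP-BGP)."""
    return [{"origin": key, "prefix": p, "rt": set(vrfs[key]["export"])}
            for key, prefixes in local_routes.items() for p in prefixes]

def import_routes(vrfs: Dict[VrfKey, Dict[str, Set[str]]],
                  vpnv4: List[dict]) -> Dict[VrfKey, List[str]]:
    """A vrf installs a VPNv4 route when any route-target on the route is in its
    import set; a vrf's own local routes are not re-imported."""
    table: Dict[VrfKey, List[str]] = {key: [] for key in vrfs}
    for key, cfg in vrfs.items():
        for r in vpnv4:
            if r["origin"] != key and r["rt"] & cfg["import"]:
                table[key].append(r["prefix"])
    return table

def leak(vrfs: Dict[VrfKey, Dict[str, Set[str]]], target: VrfKey, rt: str):
    """Route leaking as in the notes: add another customer's export route-target
    to the target vrf's import list so that customer's routes appear in its table."""
    leaked = {k: {"export": set(v["export"]), "import": set(v["import"])} for k, v in vrfs.items()}
    leaked[target]["import"].add(rt)
    return leaked
```

Running import_routes on the original VRFS shows "xyz" with an empty table; after leak(VRFS, ("R5-PE", "2.2.2.2:xyz"), "1.1.1.1:101") the "abc" customer's 172.16.101.0/30 appears in it, which is exactly what a reviewer should look for when an unexpected import route-target turns up in a vrf definition.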

MPLS command line interface (troubleshooting)

show mpls ip binding
show mpls ldp bindings
show mpls ldp bindings local
show mpls ldp bindings x.x.x.x
show mpls forwarding-table x.x.x.x
show mpls forwarding-table vrf x.x.x.x
show mpls ldp neighbor
show ip cef
show vrf
show ip route vrf xxx
ip route vrf xxx 10.10.10.0 255.255.255.0 192.168.1.1

telnet 1.1.1.1 /vrf xxx
traceroute vrf xxx 10.10.10.10
ping vrf xxx 1.1.1.1

ping mpls ipv4 x.x.x.x/yy
traceroute mpls ipv4 x.x.x.x 255.255.255.255

show ip bgp neighbors
show bgp vpnv4 unicast vrf xxx
...

Remarks:
xxx = vrf instance (1.1.1.1:abc {or} 101:abc)
x.x.x.x = destination ip address
yy = prefix length (CIDR)

Example:

R1-PE# ping vrf 101:ACME 192.168.202.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.202.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/104/124 ms

=====================================================

R1-PE# traceroute vrf 101:ACME 192.168.202.2
Type escape sequence to abort.
Tracing the route to 192.168.202.2
VRF info: (vrf in name/id, vrf out name/id)
  1 10.14.0.2 [MPLS: Labels 201/508 Exp 0] 108 msec 80 msec 96 msec
  2 10.23.0.3 [MPLS: Labels 302/508 Exp 0] 92 msec 84 msec 84 msec
  3 10.34.0.4 [MPLS: Labels 402/508 Exp 0] 76 msec 112 msec 80 msec
  4 192.168.202.1 112 msec 80 msec 120 msec
  5 192.168.202.2 128 msec 144 msec 156 msec

=====================================================

R1-PE#show ip route vrf 101:ACME

Routing Table: 101:ACME

      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C        172.16.101.0/30 is directly connected, FastEthernet2/0
L        172.16.101.1/32 is directly connected, FastEthernet2/0
O        172.16.111.2/32 [110/2] via 172.16.101.2, 00:04:25, FastEthernet2/0
      192.168.111.0/32 is subnetted, 1 subnets
B        192.168.111.2 [200/1] via 5.5.5.5, 00:03:58
      192.168.202.0/30 is subnetted, 1 subnets
B        192.168.202.0 [200/0] via 5.5.5.5, 00:03:58



Thursday, September 11, 2014

MPLS topology & terminology




Terminology
  • Terminal
    • P = provider (router)
    • PE = provider edge (router)
    • CE = customer edge (router)
    • RR = route reflector (router)
    • MPLS domain = core = P + PE + RR
  • Functional
    • RR = advertises BGP routes
    • P = provides core connectivity
    • PE = provides connectivity between "P" and "CE"
    • CE = provides connectivity between "PE" and the customer network.
  • Logical
    • cef = cisco express forwarding
    • Router-id = represents a router in both the control plane and the data plane.
    • VRF = virtual routing & forwarding
      • one physical router hosting multiple virtual routing tables and forwarding tables
      • one VRF = one customer's network

MPLS overview

MPLS is a (virtually) full-mesh VPN network.
It is also called the MPLS cloud or IPVPN (AT&T calls it AVPN).
It is mainly used for business networks within a city or country (mostly within the same service provider).


Business use case:

  • Coffee shops connecting all their branches for the data network.
    • examples
    • Point-of-sale terminals connecting to database servers
    • Credit card terminals connecting to the bank's database for billing purposes
  • Most retailers and organizations use service-provider-based MPLS.
    • LOW impact on the customer network (end users may not notice that their network is attached to an MPLS network for connectivity).
    • The customer always refers to a VPN number and a circuit number.
    • Subscription based / billed monthly / per link.
    • Lower cost of ownership.
  • Some sensitive business organizations build their own MPLS network.
    • example: banks
    • The reasons to build their own MPLS network are strong concern about security over shared resources, and manageability.
    • It requires more skilled workers/resources to maintain and operate the network.


Technology overview

  • Most of the time, MPLS refers to a service provider network.
  • It uses both Layer 2 and Layer 3 technologies, hence it is sometimes known as Layer 2.5.
  • Multiple network devices are used.
  • Multiple routing protocols are involved.
  • Both ipv4 & ipv6 are supported.
  • BGP/OSPF/EIGRP/VRF/route redistribution/PBR/prefix-lists are heavily involved.
  • Route leaking/TE/QoS/multicast are good to know at the advanced level.