|
|
|
Written by Paul Stewart
|
|
Friday, 04 June 2010 |
|
By default, a Cisco IOS device performs authentication based on a line password and authorization based on a level 15 enable password. This is a problem for any organization that desires granularity or the ability to track activities back to one of multiple users. The solution to this is AAA, an acronym for Authentication, Authorization and Accounting. This allows an administrator to configure granular access and audit ability to an IOS device. To enable this more advanced and granular control in IOS, we must first use the "aaa new-model" command. |
|
Read more...
|
|
|
Written by Paul Stewart
|
|
Monday, 31 May 2010 |
|
A little while back, I wrote about the basic application of extended IP Access-lists. There are a couple of points that I hope everyone fully grasped the significance of. The first point is that nearly all traffic is bidirectional in nature. Thus two-way communication is almost always required. The second point is that when access-lists are applied, each packet is compared and evaluated. This creates a bit of dilemma when we try to create a firewall using an IOS based router. If we want to block all traffic coming into our network, a “deny ip any any” will do the trick. However, when we consider the implications we soon realize that return will be blocked. Let’s take a look. |
|
Read more...
|
|
|
Written by Paul Stewart
|
|
Saturday, 15 May 2010 |
|
This blog entry is a little bit different than other recent posts. The original intent of Packetu.com was to help people understand how networks operate and function. During my recent studies, it morphed into a CCIE blog. This article is a bit more basic, but contains some really good foundational information that should be understood prior to implementing features including access-lists and CBAC (ip inspects). Access-lists come in many flavors, including standard and extended IP access-lists as well as access-lists capable of identifying other characteristics in non-IP traffic. Access-lists, also known as ACLs, can be named or numbered. Identification or matching of traffic is a key concept of access-lists and is performed with each line in the ACL. These lines or entries are also known as ACEs or Access Control Entries. It is easy to think of access-lists as filters, but they are really a way to match or identify characteristics of a packet. How they are then applied can make them a filter or something else. If an access-list is identified, any traffic not matching an ACE will have an implicit deny or negative match applied to it. Therefore if the ACL is used for filtering, anything not matched will be dropped. This article will focus on IP Extended access-lists and how they are used to filter traffic going through a router. In the future, I may expand on the other uses for an access-list. |
|
Read more...
|
|
|
Written by Paul Stewart
|
|
Sunday, 11 April 2010 |
|
I appeared for the CCIE Security lab on April 8th in San Jose and am thrilled to announce that I am now CCIE #26009. I would like to take a few minutes to give thanks where thanks are due. I first want to thank God for the opportunities, the supportive family environment I have had throughout this process, and the many blessings through an otherwise tough year. Without the exposure of many real world scenarios and support from those around me, this would have been an all but impossible task. I wish to extend special thanks my family for putting up with me and for my lack of availability for the last twelve months as I went through this process. |
|
Read more...
|
|
|
Written by Paul Stewart
|
|
Sunday, 04 April 2010 |
|
Flexible Packet Matching is one of those new technologies that is certainly fair game on the CCIE Security exam. I'm sure if there are any questions in the lab, the gear would have the correct IOS to work properly with what is being asked. However due to the somewhat unstable nature of this technology, it is difficult to lab. Unfortunately, I keep thinking I understand FPM, but then something just doesn't work as expected. Sometimes my issues are with the buggy software, sometimes it's my configuration. Anyway, there are a lot of potential areas for problems. I have worked through many scenarios of my own design. I decided to post some of the examples that I have created and that I believe to work properly on 12.4(15)T.
|
|
Read more...
|
|
|
Written by Paul Stewart
|
|
Wednesday, 31 March 2010 |
|
Now I seriously doubt that any serious CCIE Security candidate is going to go into the Lab with the intent on using 'Auto Secure" for a configuration. However, like 'vpnetup' on the ASA, it can be used to quickly jog the memory about something that you might need, or even to create a checklist. So how can this help. Auto secure can be ran without applying it to the configuration. Just start out in privilege exec mode by typing "auto secure". Answer a few questions and when it gets to the end, enter no for "Do you want to apply this to your running configuration". Alternatively, if you want an expensive ($1400) joke in which you won't be present for the punch line (proctor grading an auto-secured router), I suppose you could enter yes. So exactly what does this produce?
|
|
Read more...
|
|
|
Written by Paul Stewart
|
|
Tuesday, 30 March 2010 |
Recently a very extensive list was published as the CCIE Security Lab Exam v3.0 Checklist. It can be seen over on Cisco Learning network, but requires a logon first. There are a few things that piqued my interest in this document. The thing that leads me to write this short blog post in the midst of my last week of studies is item “6.17-The Generalized TTL Security Mechanism known as ‘BGP TTL Security Hack’ (BTSH)”. What is this? What does it mean? I’ve done about a half an hour or so of research and would like to post what I found. |
|
Read more...
|
|
|
Written by Paul Stewart
|
|
Saturday, 05 December 2009 |
RFC3330 is the list of bogons, or ip addresses that we should not see as the source addresses coming into our networks. Furthermore it is named in the CCIE Security Blueprint and therefore a topic that we must be familiar with. I would certainly read through all of the RFC's mentioned in the blueprint for some general familiarity. When it comes to RFC3330 the address ranges cannot be found in the online DocCD therefore, it seems that there is some daunting memorization that is necessary. However, there is really not that much to memorize. The problem is the order in which the address ranges are listed is numeric order instead of grouping them in a logical way that is easy to memorize. Let's simplify this a bit. |
|
Read more...
|
|
| << Start < Prev 1 2 3 4 5 Next > End >>
| | Results 1 - 8 of 35 |
|
|
