Your source for real world packet analysis training by example. http://packetu.com Sat, 31 Jul 2010 00:44:28 +0100 FeedCreator 1.7.2 http://packetu.com/content/view/60/ By default, a Cisco IOS device performs authentication based on a line password and authorization based on a level 15 enable password. This is a problem for any organization that desires granularity or the ability to track activities back to one of multiple users. The solution to this is AAA, an acronym for Authentication, Authorization and Accounting. This allows an administrator to configure granular access and audit ability to an IOS device. To enable this more advanced and granular control in IOS, we must first use the aaa new-model command.... Blogs - General Blogs Fri, 04 Jun 2010 22:15:49 +0100 http://packetu.com/content/view/59/ A little while back, I wrote about the basic application of extended IP Access-lists. There are a couple of points that I hope everyone fully grasped the significance of. The first point is that nearly all traffic is bidirectional in nature. Thus two-way communication is almost always required. The second point is that when access-lists are applied, each packet is compared and evaluated. This creates a bit of dilemma when we try to create a firewall using an IOS based router. If we want to block all traffic coming into... Blogs - General Blogs Mon, 31 May 2010 15:36:46 +0100 http://packetu.com/content/view/58/ This blog entry is a little bit different than other recent posts. The original intent of Packetu.com was to help people understand how networks operate and function. During my recent studies, it morphed into a CCIE blog. This article is a bit more basic, but contains some really good foundational information that should be understood prior to implementing features including access-lists and CBAC (ip inspects). Access-lists come in many flavors, including standard and extended IP access-lists as well as access-lists capable of identifying other characteristics in non-IP traffic.... Blogs - General Blogs Sat, 15 May 2010 12:53:53 +0100 http://packetu.com/content/view/57/ I appeared for the CCIE Security lab on April 8th in San Jose and am thrilled to announce that I am now CCIE #26009. I would like to take a few minutes to give thanks where thanks are due. I first want to thank God for the opportunities, the supportive family environment I have had throughout this process, and the many blessings through an otherwise tough year. Without the exposure of many real world scenarios and support from those around me, this would have been an all but impossible task. I wish... Blogs - General Blogs Sun, 11 Apr 2010 16:47:50 +0100 http://packetu.com/content/view/56/ Flexible Packet Matching is one of those new technologies that is certainly fair game on the CCIE Security exam. I'm sure if there are any questions in the lab, the gear would have the correct IOS to work properly with what is being asked. However due to the somewhat unstable nature of this technology, it is difficult to lab. Unfortunately, I keep thinking I understand FPM, but then something just doesn't work as expected. Sometimes my issues are with the buggy software, sometimes it's my configuration. Anyway, there are a lot of potential areas for... Blogs - General Blogs Sun, 04 Apr 2010 15:55:06 +0100 http://packetu.com/content/view/55/ Now I seriously doubt that any serious CCIE Security candidate is going to go into the Lab with the intent on using 'Auto Secure for a configuration. However, like 'vpnetup' on the ASA, it can be used to quickly jog the memory about something that you might need, or even to create a checklist. So how can this help. Auto secure can be ran without applying it to the configuration. Just start out in privilege exec mode by typing auto secure . Answer a few questions and when it gets to the end,... Blogs - General Blogs Wed, 31 Mar 2010 22:33:28 +0100 http://packetu.com/content/view/54/ Recently a very extensive list (https://learningnetwork.cisco.com/docs/DOC-6861) was published as the CCIE Security Lab Exam v3.0 Checklist. It can be seen over on Cisco Learning network, but requires a logon first. There are a few things that piqued my interest in this document. The thing that leads me to write this short blog post in the midst of my last week of studies is item “6.17-The Generalized TTL Security Mechanism known as ‘BGP TTL Security Hack’ (BTSH)”. What is this? What does it mean? I’ve done about a half an hour or so of research... Blogs - General Blogs Tue, 30 Mar 2010 20:57:28 +0100 http://packetu.com/content/view/52/ RFC3330 (http://www.rfc-editor.org/rfc/rfc3330.txt) is the list of bogons, or ip addresses that we should not see as the source addresses coming into our networks. Furthermore it is named in the CCIE Security Blueprint and therefore a topic that we must be familiar with. I would certainly read through all of the RFC's mentioned in the blueprint for some general familiarity. When it comes to RFC3330 the address ranges cannot be found in the online DocCD therefore, it seems that there is some daunting memorization that is necessary. However, there is really not that much to memorize.... Blogs - General Blogs Sat, 05 Dec 2009 20:05:59 +0100 http://packetu.com/content/view/51/ I posted a couple of questions to Twitter this morning as both a challenge and a learning experience for myself and others. These two questions were as follows: How does the ASA in transparent mode know which interface remote networks should be reached through?What is permitted at layer 2 disregarding- layer 3 restrictions? In addition, I’d like to pose one more question: In what case does the ASA in Transparent mode drop the first packet? I promised an answer, but Twitter just didn’t allow enough characters to describe the behavior well.... Blogs - General Blogs Fri, 20 Nov 2009 15:55:17 +0100 http://packetu.com/content/view/50/ The Cisco ASA has some interesting characteristics when dealing with traceroute. With most traffic, including ICMP echo, outbound traffic can be inspected to allow the incoming traffic associated with the same flow. Inspecting “ICMP” or even “ICMP Error” does not result in traceroute functioning through the ASA. Blogs - General Blogs Fri, 09 Oct 2009 17:03:19 +0100 http://packetu.com/content/view/49/ Do you have a CCIE Blog? The Packet University would love to hear from you. Promote you CCIE related blog below. In 600 characters or less, tell the world about your CCIE Blog and post a link by clicking add comment below. Include a link in the comment by choosing the link option on the toolbar. Also make sure that you Do the math to prove yourself human before choosing post. Blogs - General Blogs Fri, 04 Sep 2009 16:56:33 +0100 http://packetu.com/content/view/48/ According to CCIE Security Proctor Yusuf Bhaiji in his recent Ask The Expert Q A (http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=73605F039B89C558D1F5F2CE1D6FAA6E.SJ1A?page=netprof forum=Career%20Certifications topic=Certifications topicID=.ee702b1 fromOutline= CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd3f173) , the Microsoft CA server is no longer on the lab. He also names IOS as the Certificate Authority server in the Security Lab. It also leaves a remote possibility that an ASA could be used as a CA server. Additionally Bhaiji notes that there will be no direct access to the ACS server. Certain scenarios could require a certificate be placed on the ACS server so how is this possible? This post will... Blogs - General Blogs Fri, 28 Aug 2009 21:10:32 +0100 http://packetu.com/content/view/46/ Quick Tips 8/4/09--Zone based firewalls. Zone based firewalls are incredibly flexible, but with flexibility comes complexity. When inspecting, there is a process that is used to determine what type of inspection should be performed on a flow. When inspecting keep in mind how the match will influence the inspection. When a flow is analyzed against the class-map, it will be inspected based on what criteria is matched when there is enough information to arrive at a positive match. match only access-group -- inspect based on PAM tablematch not protocol -- inspect based on PAM tablematch protocol tcp --... Blogs - General Blogs Tue, 04 Aug 2009 03:29:49 +0100 http://packetu.com/content/view/45/ As most who follow this blog or my twitter account know, I am in pursuit of CCIE Security and plan to clear the v3 lab soon. The purpose of this blog entry is a repository for two or three line quick tips that may help others pass their lab. Explanations will not be well polished, but if you are also pursuing the lab, these will make sense. Some you may already be familiar with, others you may not. If you want to add to the list, please use the comment feature below. Check... Blogs - General Blogs Thu, 30 Jul 2009 23:00:00 +0100 http://packetu.com/content/view/42/ Last night I had the opportunity to experiment a bit with Cisco's Flexible Packet matching. What really happened was I was going through IPExpert's Security Workbook 7a and found a task that I thought would fit the bill for something that was posted on Group Study a couple of weeks ago. I took an hour or so messing around with the two scenarios and it really helped me understand how Cisco's new and very special class and policy type access-control works. I really think getting sidetracked helped me understand this flexible way of parsing traffic.... Blogs - General Blogs Sat, 13 Jun 2009 15:22:46 +0100 http://packetu.com/content/view/41/ I am later than many to follow all of the trends of social networking. I do use a little bit of Twitter, Facebook, LinkedIn as well as do some Blogging and Forum Posting. The purpose of this page is to simply explain how I use the Internet and Social Networking sites. This is not a page providing recommendation of how others should use such sites. I just wanted a place to list all of the sites in which I am involved in one way or another. Blogs - Non Published Blogs Fri, 08 May 2009 20:03:29 +0100 http://packetu.com/content/view/40/ How many times have you been using Wireshark to capture traffic and wanted to narrow down to a range or subnet of IP addresses? There is an “ip net” capture filter, but nothing similar for a display filter. Unfortunately, this functionality is often needed after the traffic has been captured. With a little bit of familiarity with the display filters, this goal can be easily achieved anyway. Blogs - General Blogs Thu, 07 May 2009 17:21:25 +0100 http://packetu.com/content/view/39/ I was introduced to the ASA VPNSETUP command by a Matt over on IPExeperts Online Study List . Its a different type of command that whan we normally find in Cisco gear. Basically it allows you to see all of the commands necessary to build a very basic VPN. If you find yourself in a position where documentation is not readily available, you can output this command to a text file. Then just tweak it around to your liking and paste it back into the configuration. Thanks Matt. Take a look... Blogs - General Blogs Sat, 18 Apr 2009 20:16:39 +0100 http://packetu.com/content/view/38/ I have worked in technology full-time for about eleven years. Prior to this, I built PCs and was somewhat of a technical hobbyist. Occasionally, I am faced with the question, “How does one get into computers?” or “How can I get into computer networking?” There are many paths and correct answers to these questions. However, the question that the individual should first ask is the uncomfortable question, “Should, I get into technology?”. The general field of technology can be rewarding both personally and financially. However, it is not a field that... Blogs - General Blogs Fri, 17 Apr 2009 21:00:59 +0100 http://packetu.com/content/view/37/ Roughly a week ago, The Packet University posed the following question in the form of a poll, I am pursuing or will likely pursue the following CCIE Track . I was quite pleased to have 15 CCIE Candidates respond to the poll. Although this is not a large enough pool of participants to establish a trend, it did give a small sampling of what tracks are being pursued. Within the poll, the following answers were permitted: Blogs - General Blogs Sun, 28 Dec 2008 15:56:51 +0100 http://packetu.com/content/view/36/ NTP Authentication was introduced in NTP Version 3 with RFC1305. The reason I placed “Cisco’s Implementation” in parenthesis is due to the fact that RFC did not specify the hashing algorithm that was to be used to compute the hash that is used to verify the NTP message. Microsoft does not provide authentication using MD5 in the same manner that Cisco does. In this article, I would like to show two things. First, I will show how an authenticated NTP Client/Server relationship differs in configuration from a non authenticated client... Blogs - General Blogs Sun, 28 Dec 2008 12:40:39 +0100 http://packetu.com/content/view/35/ The CCIE Security (and all CCIE Tracks for that matter) are certifications of a different breed. There are no books that inclusively cover the entire blueprint. However, I am sure there are books and other materials that stand out in the minds of those who are pursuing or have recently received their CCIE Security Certification. I would love to hear what others are doing, so if anyone has recomendations, please comment below. Blogs - General Blogs Wed, 24 Dec 2008 19:09:30 +0100 http://packetu.com/content/view/34/ If you are like me, you may be cutting corners by using Dynamips and GNS3 with at least some of your preparation for the CCIE Lab. For those of you who are not familiar with Dynamips and GNS3 and are interested in an actual Cisco Hardware virtualization platform, you should check it out here (http://www.gns3.net). Please note that not all platforms are emulated and they do not make the actual OS images available from the site for licensing reasons. Blogs - General Blogs Sun, 21 Dec 2008 12:22:37 +0100 http://packetu.com/content/view/33/ Wednesday, December 17, 2008 it is! That is the day I passed my CCIE Written and the day I am officially considering the start my CCIE Security journey. At this point the focus will change and intensify. I know the lab is a completely different animal than the written exam. As a result, I am going to put all of my efforts into lab time and work through every conceivable scenario I can think of. Blogs - General Blogs Wed, 17 Dec 2008 18:11:19 +0100 http://packetu.com/content/view/32/ Cisco MARS is an interesting product. As compared to Cisco Works VMS, I find its monitoring capabilities far more complete and useful. I am fairly new to MARS and some of the concepts. That being said, the more I use it, the more useful I find it. However, there are a few items that I think could be improved on. Some of these items should be very easy to add into the web interface. Others I’m not completely sure how they could be accomplished, but would be nice... Blogs - General Blogs Thu, 11 Dec 2008 18:51:39 +0100