Your source for real world packet analysis training by example. http://packetu.com Wed, 10 Mar 2010 01:34:01 +0100 FeedCreator 1.7.2 http://packetu.com/content/view/52/ RFC3330 (http://www.rfc-editor.org/rfc/rfc3330.txt) is the list of bogons, or ip addresses that we should not see as the source addresses coming into our networks. Furthermore it is named in the CCIE Security Blueprint and therefore a topic that we must be familiar with. I would certainly read through all of the RFC's mentioned in the blueprint for some general familiarity. When it comes to RFC3330 the address ranges cannot be found in the online DocCD therefore, it seems that there is some daunting memorization that is necessary. However, there is really not that much to memorize.... Blogs - General Blogs Sat, 05 Dec 2009 20:05:59 +0100 http://packetu.com/content/view/51/ I posted a couple of questions to Twitter this morning as both a challenge and a learning experience for myself and others. These two questions were as follows: How does the ASA in transparent mode know which interface remote networks should be reached through?What is permitted at layer 2 disregarding- layer 3 restrictions? In addition, I’d like to pose one more question: In what case does the ASA in Transparent mode drop the first packet? I promised an answer, but Twitter just didn’t allow enough characters to describe the behavior well.... Blogs - General Blogs Fri, 20 Nov 2009 15:55:17 +0100 http://packetu.com/content/view/50/ The Cisco ASA has some interesting characteristics when dealing with traceroute. With most traffic, including ICMP echo, outbound traffic can be inspected to allow the incoming traffic associated with the same flow. Inspecting “ICMP” or even “ICMP Error” does not result in traceroute functioning through the ASA. Blogs - General Blogs Fri, 09 Oct 2009 17:03:19 +0100 http://packetu.com/content/view/49/ Do you have a CCIE Blog? The Packet University would love to hear from you. Promote you CCIE related blog below. In 600 characters or less, tell the world about your CCIE Blog and post a link by clicking add comment below. Include a link in the comment by choosing the link option on the toolbar. Also make sure that you Do the math to prove yourself human before choosing post. Blogs - General Blogs Fri, 04 Sep 2009 16:56:33 +0100 http://packetu.com/content/view/48/ According to CCIE Security Proctor Yusuf Bhaiji in his recent Ask The Expert Q A (http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=73605F039B89C558D1F5F2CE1D6FAA6E.SJ1A?page=netprof forum=Career%20Certifications topic=Certifications topicID=.ee702b1 fromOutline= CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd3f173) , the Microsoft CA server is no longer on the lab. He also names IOS as the Certificate Authority server in the Security Lab. It also leaves a remote possibility that an ASA could be used as a CA server. Additionally Bhaiji notes that there will be no direct access to the ACS server. Certain scenarios could require a certificate be placed on the ACS server so how is this possible? This post will... Blogs - General Blogs Fri, 28 Aug 2009 21:10:32 +0100 http://packetu.com/content/view/46/ Quick Tips 8/4/09--Zone based firewalls. Zone based firewalls are incredibly flexible, but with flexibility comes complexity. When inspecting, there is a process that is used to determine what type of inspection should be performed on a flow. When inspecting keep in mind how the match will influence the inspection. When a flow is analyzed against the class-map, it will be inspected based on what criteria is matched when there is enough information to arrive at a positive match. match only access-group -- inspect based on PAM tablematch not protocol -- inspect based on PAM tablematch protocol tcp --... Blogs - General Blogs Tue, 04 Aug 2009 03:29:49 +0100 http://packetu.com/content/view/45/ As most who follow this blog or my twitter account know, I am in pursuit of CCIE Security and plan to clear the v3 lab soon. The purpose of this blog entry is a repository for two or three line quick tips that may help others pass their lab. Explanations will not be well polished, but if you are also pursuing the lab, these will make sense. Some you may already be familiar with, others you may not. If you want to add to the list, please use the comment feature below. Check... Blogs - General Blogs Thu, 30 Jul 2009 23:00:00 +0100 http://packetu.com/content/view/42/ Last night I had the opportunity to experiment a bit with Cisco's Flexible Packet matching. What really happened was I was going through IPExpert's Security Workbook 7a and found a task that I thought would fit the bill for something that was posted on Group Study a couple of weeks ago. I took an hour or so messing around with the two scenarios and it really helped me understand how Cisco's new and very special class and policy type access-control works. I really think getting sidetracked helped me understand this flexible way of parsing traffic.... Blogs - General Blogs Sat, 13 Jun 2009 15:22:46 +0100 http://packetu.com/content/view/41/ I am later than many to follow all of the trends of social networking. I do use a little bit of Twitter, Facebook, LinkedIn as well as do some Blogging and Forum Posting. The purpose of this page is to simply explain how I use the Internet and Social Networking sites. This is not a page providing recommendation of how others should use such sites. I just wanted a place to list all of the sites in which I am involved in one way or another. Blogs - Non Published Blogs Fri, 08 May 2009 20:03:29 +0100 http://packetu.com/content/view/40/ How many times have you been using Wireshark to capture traffic and wanted to narrow down to a range or subnet of IP addresses? There is an “ip net” capture filter, but nothing similar for a display filter. Unfortunately, this functionality is often needed after the traffic has been captured. With a little bit of familiarity with the display filters, this goal can be easily achieved anyway. Blogs - General Blogs Thu, 07 May 2009 17:21:25 +0100 http://packetu.com/content/view/39/ I was introduced to the ASA VPNSETUP command by a Matt over on IPExeperts Online Study List . Its a different type of command that whan we normally find in Cisco gear. Basically it allows you to see all of the commands necessary to build a very basic VPN. If you find yourself in a position where documentation is not readily available, you can output this command to a text file. Then just tweak it around to your liking and paste it back into the configuration. Thanks Matt. Take a look... Blogs - General Blogs Sat, 18 Apr 2009 20:16:39 +0100 http://packetu.com/content/view/38/ I have worked in technology full-time for about eleven years. Prior to this, I built PCs and was somewhat of a technical hobbyist. Occasionally, I am faced with the question, “How does one get into computers?” or “How can I get into computer networking?” There are many paths and correct answers to these questions. However, the question that the individual should first ask is the uncomfortable question, “Should, I get into technology?”. The general field of technology can be rewarding both personally and financially. However, it is not a field that... Blogs - General Blogs Fri, 17 Apr 2009 21:00:59 +0100 http://packetu.com/content/view/37/ Roughly a week ago, The Packet University posed the following question in the form of a poll, I am pursuing or will likely pursue the following CCIE Track . I was quite pleased to have 15 CCIE Candidates respond to the poll. Although this is not a large enough pool of participants to establish a trend, it did give a small sampling of what tracks are being pursued. Within the poll, the following answers were permitted: Blogs - General Blogs Sun, 28 Dec 2008 15:56:51 +0100 http://packetu.com/content/view/36/ NTP Authentication was introduced in NTP Version 3 with RFC1305. The reason I placed “Cisco’s Implementation” in parenthesis is due to the fact that RFC did not specify the hashing algorithm that was to be used to compute the hash that is used to verify the NTP message. Microsoft does not provide authentication using MD5 in the same manner that Cisco does. In this article, I would like to show two things. First, I will show how an authenticated NTP Client/Server relationship differs in configuration from a non authenticated client... Blogs - General Blogs Sun, 28 Dec 2008 12:40:39 +0100 http://packetu.com/content/view/35/ The CCIE Security (and all CCIE Tracks for that matter) are certifications of a different breed. There are no books that inclusively cover the entire blueprint. However, I am sure there are books and other materials that stand out in the minds of those who are pursuing or have recently received their CCIE Security Certification. I would love to hear what others are doing, so if anyone has recomendations, please comment below. Blogs - General Blogs Wed, 24 Dec 2008 19:09:30 +0100 http://packetu.com/content/view/34/ If you are like me, you may be cutting corners by using Dynamips and GNS3 with at least some of your preparation for the CCIE Lab. For those of you who are not familiar with Dynamips and GNS3 and are interested in an actual Cisco Hardware virtualization platform, you should check it out here (http://www.gns3.net). Please note that not all platforms are emulated and they do not make the actual OS images available from the site for licensing reasons. Blogs - General Blogs Sun, 21 Dec 2008 12:22:37 +0100 http://packetu.com/content/view/33/ Wednesday, December 17, 2008 it is! That is the day I passed my CCIE Written and the day I am officially considering the start my CCIE Security journey. At this point the focus will change and intensify. I know the lab is a completely different animal than the written exam. As a result, I am going to put all of my efforts into lab time and work through every conceivable scenario I can think of. Blogs - General Blogs Wed, 17 Dec 2008 18:11:19 +0100 http://packetu.com/content/view/32/ Cisco MARS is an interesting product. As compared to Cisco Works VMS, I find its monitoring capabilities far more complete and useful. I am fairly new to MARS and some of the concepts. That being said, the more I use it, the more useful I find it. However, there are a few items that I think could be improved on. Some of these items should be very easy to add into the web interface. Others I’m not completely sure how they could be accomplished, but would be nice... Blogs - General Blogs Thu, 11 Dec 2008 18:51:39 +0100 http://packetu.com/content/view/31/ It has been painfully obvious to anyone who has been following this site that new posts have been few and far between. In the beginning I had an idea of what I wanted this site to be. Unfortunately, I grossly underestimated the effort that was going to be necessary to get it up and keep it going. My desire was that this site becomes a resource where aspiring technicians and engineers can pick up a little bit of knowledge. I still have a strong desire to help people understand how things work, specifically protocols. Blogs - General Blogs Sat, 06 Dec 2008 18:39:20 +0100 http://packetu.com/content/view/30/ I have pondered quite a bit here lately on the impact of SSL or Secure Sockets Layer on our culture. It is used for nearly every eCommerce site including huge players like Amazon, eBay, Paypal, and Bank of America. There are no realistic alternatives for SSL and HTTPS for securing web nformation in transit. The beauty of SSL is the fact that it allows a web user to verify or authenticate that they are actually connecting to the web site that they think they are. It does this by using a list of trusted digital... Blogs - General Blogs Thu, 04 Sep 2008 17:56:36 +0100 http://packetu.com/content/view/29/ Packet captures can often give us immediate insight into potential trouble spots on our networks. One of the biggest issues I find is having to get up from my desk, and possibly get in my car in order to get physically connected where I need to pull the packets from. One key place that we often need to look at packets is at the firewall. I have for some time knew about some of the capturing capabilities of the Cisco ASA. In the later code and ASDM (ASA Device Manager), this has become really user friendly. Blogs - General Blogs Wed, 20 Aug 2008 18:35:28 +0100 http://packetu.com/content/view/28/ Path MTU discovery is an often misunderstood aspect of networking. As we begin to really tighten the security of our networks, we must understand this process in order leave the network fully functional. Additionally, we may often come upon a situation where a network seems to work, but there are issues accessing a site. In any case, the Path MTU Discovery process is important to understand. Packetcasts - Main Fri, 15 Aug 2008 23:00:00 +0100 http://packetu.com/content/view/27/ I recently had a conversation as to whether or not troubleshooting methodology could be taught or not. It is hard to change the way people approach problems. I do believe that in order to properly troubleshoot technological issues, it is very important that we have a structured approach. Too many technicians fall into the trap of simply changing things until they work. After a problem has been resolved, the engineer will likely not understand exactly what resolved the problem and may not understand the inner workings of the system any more than they did before the... Blogs - General Blogs Sat, 02 Aug 2008 16:49:55 +0100 http://packetu.com/content/view/26/ Server virtualization has became commonplace over the past couple of years. Many organizations started out using VMWare and other virtualization products in lab environments and for utility type servers and workstations. Many virtual server deployments were implemented for internal web servers, ftp servers and other light use servers. As confidence increased in these deployments, more mainstream and business critical applications have made their way into the virtual environment. Since this is a progression over time, many organizations have not really considered the security ramifications of this shift in paradigm.... Blogs - General Blogs Sat, 19 Jul 2008 16:42:18 +0100 http://packetu.com/content/view/25/ I originally started building this PacketCast to discuss Path MTU discovery and the implications surrounding not allowing certain types of ICMP traffic to flow freely through a network. I quickly realized that I needed to break the discussion into separate parts and decided to start with a discussion of what IP MTU is. Packetcasts - Main Wed, 25 Jun 2008 07:40:56 +0100