RIPng

RIPng Routing Protocol
RFC 2080 defines Routing Information Protocol next generation (RIPng) as a simple routing protocol based on RIPv2. it keeps the same characteristics: a distance-vector protocol with a maximum of 15 hops (a metric of 16 means unreachable), split horizon and poison reverse. RIPng is neither more nor less powerful than RIP; it supports IPv6 networks without having to build a new routing protocol. one security-relevant difference: the authentication option of RIPv2 was dropped, and RFC 2080 relies on IPsec at the IPv6 layer instead, so RIPng updates are unauthenticated unless IPsec is configured on the link.
RIPng has the following features:
  • based on RIPv2 and similar to it
  • uses IPv6 for transport
  • carries the IPv6 prefix and the next-hop IPv6 address in its routing table entries
  • sends updates to the multicast group FF02::9 (the IPv6 multicast address identifying all RIPng routers on the link). this replaces the broadcast function in RIP
  • sends updates on UDP port 521

RIPng is supported by Cisco IOS Release 12.2(2)T and later. in dual-stack deployments both RIP (for IPv4) and RIPng (for IPv6) are required; neither one carries the other protocol's routes.

Configuring IPv6 addresses
first enable IPv6 traffic forwarding on the Cisco router (it is disabled by default) by entering the command "ipv6 unicast-routing" at the global configuration level. then configure the address of the interface, either manually or with the EUI-64 scheme (both described below).
  • manual interface ID assignment. one way to statically define the IPv6 address of a device is to manually configure both the network (prefix) and the interface ID. to assign an IPv6 address to an interface on a Cisco router, enter the following command at the interface configuration level
ipv6 address ipv6-address/prefix-length
ipv6-address: the address of the interface in IPv6 notation, example 2001:A58E:9CD:2947::49
prefix-length: the length of the prefix (network) portion, example /64

  • EUI-64 interface ID assignment. the modified EUI-64 scheme (RFC 4291, Appendix A) stretches the 48-bit MAC address of the interface into the 64-bit interface ID used by IPv6. the conversion inserts the two octets FF:FE between the 24-bit OUI and the remaining 24 bits of the MAC address, and then inverts the universal/local bit (bit 0x02 of the first octet). example, the MAC address 00:0c:4F:90:27:FC becomes 00:0c:4F:FF:FE:90:27:FC after the insertion and 02:0c:4F:FF:FE:90:27:FC after the bit flip, so the interface ID is 20C:4FFF:FE90:27FC. because the interface ID is derived from the MAC address it stays the same under every prefix, which lets a host be tracked across networks; that is why privacy extensions (RFC 4941) exist for hosts, while for router interfaces a fixed ID is usually acceptable. to assign an IPv6 address with the EUI-64 scheme to an interface on a Cisco router, enter the following command at the interface configuration level.
ipv6 address ipv6-prefix/prefix-length eui-64
ipv6-prefix: the network (prefix) portion of the address
prefix-length: the length of the prefix (network) portion (normally /64, since the interface ID occupies the low 64 bits)
example,

ipv6 address 2001:A58E:9CD:2947::/64 eui-64


Cisco IOS IPv6 Name Resolution
there are two ways to perform name resolution in Cisco IOS
  • statically define a name for an IPv6 address. use the following command at the global configuration level
ipv6 host name [port] ipv6addr [ipv6addr ...]
name: the hostname to associate with the address(es)
port: the telnet port to use for the associated host
ipv6addr: the address of the host. up to four addresses can be listed for a given hostname
example,
ipv6 host router1 2001:A58E:9CD:2947::1

  • define a DNS server to query. the hostname database is not kept on the local router but on a server. use the following command at the global configuration level
ip name-server address

address: the address of the server (an IPv4 or an IPv6 address)
example,
ip name-server 2001:A58E:9CD:2947::1



Configuring RIPng
first use the command "ipv6 unicast-routing" to enable IPv6 traffic forwarding. then create a RIPng process with the command
ipv6 router rip name
name: name/identifier of the RIPng process
the command is entered at the global configuration level. next, give each interface that should take part in RIPng an IPv6 address. after that, instead of the "network" command used to make an interface participate in the RIP process, RIPng uses the command
ipv6 rip name enable
name: name of the RIPng process the interface is to participate in

enter the command at the interface configuration level (on each interface that should participate in RIPng). the name must match the name given in the "ipv6 router rip" command. enabling RIPng on an interface dynamically creates the "ipv6 router rip" process if it does not exist yet. because RIPng is enabled per interface, check that it is not running on an interface facing an untrusted segment, where any host could then send updates to FF02::9 and inject routes.


example,
enable RIPng with the process name RIP1 on a Cisco router. give FastEthernet0/0 the IPv6 address 2001:9cd:1:3::10/64 and FastEthernet0/1 the address 2001:9cd:1:2::10/64, and make both interfaces participate in the RIP1 process. the commands are
ipv6 unicast-routing
ipv6 router rip RIP1


interface FastEthernet0/0
ipv6 address 2001:9cd:1:3::10/64
ipv6 rip RIP1 enable

interface FastEthernet0/1
ipv6 address 2001:9cd:1:2::10/64
ipv6 rip RIP1 enable

(the eui-64 keyword is not used here because the interface ID ::10 is given explicitly; with eui-64 the router would derive the interface ID from the MAC address and ignore the one typed.)





instead of the "show ip" commands, use the "show ipv6" commands (for example "show ipv6 route", "show ipv6 interface" and "show ipv6 traffic"; type "?" to see the options) to see the IPv6-related state. "show ipv6 rip" shows the RIPng process and the interfaces it runs on, and "show ipv6 route rip" shows only the routes learned through RIPng, which is the quickest way to spot a prefix that should not be there.
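As an added example (not part of the original notes and not Cisco's code), the following Python builds and parses RIPng messages in the RFC 2080 wire format described above (command, version, then 20-byte route table entries of prefix, route tag, prefix length and metric) and runs a hypothetical monitor check that flags prefixes a neighbour was not expected to announce. Since RIPng carries no authentication of its own, a check like this, or IPsec on the link, is what stands between any host on the segment and the routing table. The sample routes and the allowed-prefix list are constructed values.

```python
"""Build/parse RIPng (RFC 2080) messages and flag unexpected route announcements.

Added illustration, not code from the original page. Sample routes below are
constructed; the "allowed prefixes" list stands in for whatever a monitor
knows a given neighbour is entitled to originate.
"""
import ipaddress
import struct

RIPNG_PORT = 521                 # UDP port from RFC 2080
RIPNG_GROUP = "ff02::9"          # all-RIPng-routers link-local multicast group
CMD_REQUEST, CMD_RESPONSE = 1, 2
VERSION = 1
METRIC_INFINITY = 16             # 16 hops = unreachable, same as RIP
METRIC_NEXT_HOP = 0xFF           # RTE that carries a next-hop address instead of a route
RTE_FMT = "!16sHBB"              # prefix, route tag, prefix length, metric
RTE_LEN = struct.calcsize(RTE_FMT)   # 20 bytes per entry


def build_response(routes, next_hop=None):
    """routes: iterable of (prefix_text, route_tag, metric). Returns the UDP payload."""
    msg = struct.pack("!BBH", CMD_RESPONSE, VERSION, 0)
    if next_hop is not None:
        nh = ipaddress.IPv6Address(next_hop)
        msg += struct.pack(RTE_FMT, nh.packed, 0, 0, METRIC_NEXT_HOP)
    for prefix, tag, metric in routes:
        if not 1 <= metric <= METRIC_INFINITY:
            raise ValueError(f"bad metric {metric}")
        net = ipaddress.IPv6Network(prefix, strict=False)
        msg += struct.pack(RTE_FMT, net.network_address.packed, tag, net.prefixlen, metric)
    return msg


def parse(msg):
    """Return (command, next_hop or None, [(prefix_text, tag, metric), ...])."""
    if len(msg) < 4 or (len(msg) - 4) % RTE_LEN:
        raise ValueError("malformed RIPng message length")
    cmd, ver, zero = struct.unpack("!BBH", msg[:4])
    if ver != VERSION or zero != 0 or cmd not in (CMD_REQUEST, CMD_RESPONSE):
        raise ValueError("unsupported version/command or reserved field set")
    next_hop, routes = None, []
    for off in range(4, len(msg), RTE_LEN):
        raw, tag, plen, metric = struct.unpack(RTE_FMT, msg[off:off + RTE_LEN])
        if metric == METRIC_NEXT_HOP:
            # RFC 2080: a next hop must be link-local; anything else means
            # "use the sender's address", represented here as None
            addr = ipaddress.IPv6Address(raw)
            next_hop = addr if addr.is_link_local else None
            continue
        if plen > 128 or not 1 <= metric <= METRIC_INFINITY:
            raise ValueError("invalid route table entry")
        net = ipaddress.IPv6Network((raw, plen), strict=False)
        routes.append((str(net), tag, metric))
    return cmd, next_hop, routes


def unexpected_routes(msg, allowed_prefixes):
    """Hypothetical monitor: RTEs announcing prefixes outside the neighbour's allowed set.

    A default route (::/0) or a more-specific for someone else's space showing up
    here is exactly what an on-link attacker would inject, and nothing in RIPng
    itself stops them from sending it to ff02::9.
    """
    allowed = [ipaddress.IPv6Network(p) for p in allowed_prefixes]
    _, _, routes = parse(msg)
    return [r for r in routes
            if not any(ipaddress.IPv6Network(r[0]).subnet_of(a) for a in allowed)]


if __name__ == "__main__":
    # constructed sample: a legitimate /64 plus an injected default route
    pkt = build_response([("2001:9cd:1:2::/64", 0, 1), ("::/0", 0, 1)], next_hop="fe80::1")
    print(parse(pkt))
    print("unexpected:", unexpected_routes(pkt, ["2001:9cd::/32"]))
```

The parser rejects messages whose length is not 4 plus a multiple of 20 and entries with an impossible prefix length or metric, which is the minimum a listener on UDP 521 should do before trusting anything in the packet.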

IPv4 provides approximately 3.7 billion assignable addresses out of the 4,294,967,296 (2^32) available. this is because IPv4 divides the address space into classes, and some of these classes are used for multicast, research and testing and other reserved uses. as of 2007 about 2.4 billion IPv4 addresses had already been allocated. newer technology requires more addresses, including mobile users (PDAs, new mobile phones), transportation (allowing remote monitoring and maintenance) and electronics (home appliances).


Europe, Japan and the Asia-Pacific region have begun the transition from IPv4 to IPv6. Japan officially started moving in 2000 and set a 2005 deadline to upgrade existing systems in every sector, followed by Korea, China and Malaysia. the US DoD mandated in early 2003 that all new equipment must be IP-enabled and IPv6-compatible.

IPv5 was used for an experimental real-time streaming protocol (ST-II), which is why the successor to IPv4 is numbered 6.

IPv6 not only provides more addresses than IPv4, it is also easier to use, has a simplified header, and builds IPsec support into the base specification. the last point does not by itself make a deployment more secure: IPsec still has to be configured, and IPv6 brings its own attack surface (unauthenticated Router Advertisements, tunnels that bypass IPv4-only filtering, hosts that are IPv6-reachable without anyone having planned for it). devices have evolved from stationary to mobile; in IPv6, mobile devices can roam between network regions without breaking their connections (Mobile IPv6). the simplified header offers several advantages:
  • better routing efficiency
  • no broadcasts (multicast is used instead), which avoids the threat of broadcast storms
  • no checksum in the IPv6 header, so routers do not recompute one at every hop (integrity is left to the link and transport layers)
  • a flow label field, so traffic flows can be identified without opening the inner packet


IPv6 Representation
an IPv6 address is 128 bits long. it is written as eight 16-bit fields in hexadecimal, separated by colons, for example 1031:40BF:A03C:0000:5031:04DE:0000:0000. the representation can be shortened using the following rules:
  • leading zeros in a field may be omitted. the field 04DE can be written as 4DE, and 0000 as 0
  • one run of consecutive all-zero fields can be replaced by a double colon "::". the fields 0000:0000 can be written as ::. "::" may appear only once in an address, otherwise the number of fields it stands for would be ambiguous

from the example above, the address can be shortened to 1031:40BF:A03C:0:5031:4DE::. RFC 5952 recommends lowercase hex digits and compressing the longest zero run when producing addresses as text; when parsing, every equivalent form must be accepted, which matters whenever addresses are compared as strings (ACL reviews, log searches, allow lists).
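The following Python is an added example (not code from the original notes) that makes the two conversions on this page explicit: the modified EUI-64 interface ID from the "Configuring IPv6 addresses" section, and the expand/compress rules for the text form above. The MAC address 00:0c:4F:90:27:FC and the prefix 2001:A58E:9CD:2947::/64 are the page's own examples; the functions accept any input. In production `ipaddress.IPv6Address` already does this; the hand-written version shows the rules, including the one-"::"-only check.

```python
"""Modified EUI-64 interface IDs and IPv6 text forms (RFC 4291 / RFC 5952).

Added example, not code from the original notes. The MAC address and prefix
used at the bottom are the ones from the page's own examples; the functions
accept any input. IPv4-embedded forms such as ::ffff:192.0.2.1 are not handled.
"""
import re


def eui64_interface_id(mac):
    """48-bit MAC -> 64-bit modified EUI-64 interface identifier, as an int.

    FF:FE is inserted between the 24-bit OUI and the 24-bit device part, then
    the universal/local bit (0x02 of the first octet) is inverted.
    """
    octets = bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", mac))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def expand(addr):
    """Full eight-group, zero-padded, lowercase form of a textual IPv6 address."""
    if addr.count("::") > 1:
        raise ValueError('"::" may appear only once')
    head, sep, tail = addr.partition("::")
    hs = head.split(":") if head else []
    ts = tail.split(":") if tail else []
    missing = 8 - len(hs) - len(ts)
    # "::" must stand for at least one group; without it all eight must be present
    if (sep and missing < 1) or (not sep and missing != 0):
        raise ValueError("wrong number of groups")
    groups = hs + ["0"] * missing + ts
    if not all(re.fullmatch(r"[0-9A-Fa-f]{1,4}", g) for g in groups):
        raise ValueError("bad hexadecimal group")
    return ":".join(g.zfill(4).lower() for g in groups)


def compress(addr):
    """Shortest RFC 5952 text: drop leading zeros, replace the longest run of two
    or more zero groups with "::" (the leftmost run wins a tie)."""
    groups = [g.lstrip("0") or "0" for g in expand(addr).split(":")]
    best_start, best_len, run_start = -1, 0, None
    for i, g in enumerate(groups + ["end"]):          # sentinel closes a trailing run
        if g == "0":
            run_start = i if run_start is None else run_start
        elif run_start is not None:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    if best_len < 2:
        return ":".join(groups)
    return ":".join(groups[:best_start]) + "::" + ":".join(groups[best_start + best_len:])


def eui64_address(prefix, mac):
    """What `ipv6 address <prefix>/64 eui-64` yields for an interface with this MAC."""
    network = expand(prefix.split("/")[0])[:19]         # first four groups, 64 bits
    iid = eui64_interface_id(mac)
    iid_text = ":".join(f"{(iid >> shift) & 0xFFFF:x}" for shift in (48, 32, 16, 0))
    return compress(f"{network}:{iid_text}")


if __name__ == "__main__":
    print(compress("1031:40BF:A03C:0000:5031:04DE:0000:0000"))   # page example
    print(eui64_address("2001:A58E:9CD:2947::/64", "00:0c:4F:90:27:FC"))
```

Running it prints the page's own shortened address and 2001:a58e:9cd:2947:20c:4fff:fe90:27fc, the address the eui-64 form of the command produces for that MAC.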


Global Unicast Address
IPv6 has a block of global unicast addresses, that is, addresses that are globally unique and routable. such an address typically consists of a 48-bit global routing prefix followed by a 16-bit subnet ID, so an organization can divide a given global unicast /48 into a maximum of 65,536 (2^16) subnets. currently IANA allocates from the range whose first three bits are 001 (2000::/3), which is 1/8 of the total IPv6 address space; the early allocations to the five RIRs (ARIN, RIPE NCC, APNIC, LACNIC, AfriNIC) came from 2001::/16.

Reserved Address
the IETF has reserved 1/256 of the total IPv6 address space (0000::/8, which also contains the loopback and unspecified addresses below) for various present and future uses.

Private Address
IPv6 also has addresses intended for local use only, not to be routed outside a particular network. these addresses start with the first two hexadecimal digits "FE" and a third digit between 8 and F.
they are divided into two types:
  • site-local addresses. the counterpart of the RFC 1918 private addresses of IPv4, with a scope of an entire site. however, site-local addresses proved problematic and were deprecated by RFC 3879 (2004). they begin with "FE" and a third hexadecimal digit from "C" to "F" (FEC0::/10). their replacement is the unique local address (ULA) range FC00::/7 defined in RFC 4193; ULAs are routable within a site but, like RFC 1918 addresses, must be filtered at the internet border.
  • link-local addresses. link-local addresses are a new concept in IP networking. they have a smaller scope than site-local addresses: they refer only to a single physical link, and routers do not forward packets carrying them. they are used for on-link communication such as stateless address autoconfiguration, neighbor discovery and router discovery. many IPv6 routing protocols (RIPng included) also use link-local addresses as the next hop. these addresses begin with "FE" and a third hexadecimal digit from "8" to "B" (FE80::/10). every IPv6 interface has a link-local address whether or not it was given a global one, so IPv6 is active on a network as soon as the hosts support it, even where nobody has configured it.

Loopback Address
the concept is the same as the loopback address in IPv4, but in IPv6 there is a single address instead of a whole block. the IPv6 loopback address is 0:0:0:0:0:0:0:1, also written ::1.

Unspecified Address
in IPv4, a device that does not yet know its IP address uses all zeros as the source address. IPv6 formalizes this: the all-zeros address is named "unspecified" and is typically used in the source field of a datagram sent by a device that is trying to get its address configured. it is written ::. it must never be used as a destination, and a router must not forward a packet that carries it as the source.


IPv6 addresses have a portion that serves the same function as the host portion of an IPv4 address, called the interface identifier. this portion is always 64 bits long and can be derived dynamically from a layer 2 (MAC) address. it can be defined statically or dynamically. the two ways to statically define the interface ID, manual assignment ("ipv6 address ipv6-address/prefix-length") and EUI-64 assignment ("ipv6 address ipv6-prefix/prefix-length eui-64"), are described under "Configuring IPv6 addresses" above.



two ways to dynamically define the interface ID are:
  • stateless address autoconfiguration (SLAAC). this is the plug-and-play feature of IPv6: a host builds its address from the prefix advertised in Router Advertisements and its own interface ID, with no configuration and no server. because Router Advertisements are unauthenticated, any host on the link can announce itself as a router and redirect traffic, so access switches should enforce RA Guard (RFC 6105) on host-facing ports.
  • DHCPv6 (stateful). this uses a DHCP server to pass address and configuration parameters to IPv6 devices. it provides automatic allocation of reusable addresses and additional configuration flexibility. it can be used together with stateless autoconfiguration (flags in the Router Advertisement tell hosts which to use).


IPv6 Transition
there are many transition mechanisms that enable smooth integration of IPv4 and IPv6. different situations require different strategies. the common techniques are (recall the advice "dual stack where you can, tunnel where you must"; these two are the most common):
  • dual stacking. routers and switches are configured to provide connectivity for both IPv4 and IPv6, with IPv6 the preferred protocol. this is the recommended option.
  • tunneling. several tunneling techniques are available:
    • manual IPv6-over-IPv4 tunneling. encapsulates IPv6 packets within IPv4. this requires dual-stack routers at both ends.
    • dynamic 6to4 tunneling. automatically establishes connections between IPv6 networks over an IPv4 network (usually the internet). it derives a valid IPv6 prefix for each site (2002::/16 followed by the site's IPv4 address), which allows fast deployment of IPv6 in a corporate network without obtaining addresses from an ISP or registry. because anyone can send 6to4 traffic, the public relay routers are untrusted, and the anycast relay mechanism has since been deprecated (RFC 7526).
    • Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunneling. this uses the underlying IPv4 network as a link layer for IPv6. it allows dual-stack hosts within a site to communicate with each other over a virtual link, creating an IPv6 network on top of the IPv4 infrastructure.
    • Teredo tunneling. this is automatic host-to-host tunneling rather than gateway tunneling. it passes unicast IPv6 traffic when dual-stack hosts are located behind one or more IPv4 NATs. Teredo is enabled by default on some client operating systems, so hosts may have IPv6 reachability that the IPv4 firewall never sees.
  • NAT-Protocol Translation (NAT-PT). this allows direct communication between hosts that use different IP versions. the translation is more complex than IPv4 NAT. this approach is the least favourable and should be used as a last resort (included in Cisco IOS Release 12.3(2)T and later with the appropriate feature set). NAT-PT itself was later moved to historic status (RFC 4966) in favour of NAT64.

Cisco IOS Dual Stack
dual stack is an integration method that lets a node provide connectivity for both IPv4 and IPv6. each node runs two protocol stacks, configured on the same interface or on separate interfaces. a dual-stack node should prefer IPv6 when it is available; old IPv4 applications continue to work as before. Cisco IOS Release 12.2(2)T and later (with the appropriate feature set) are IPv6-ready. for a Cisco router to forward IPv6 datagrams, use the global command "ipv6 unicast-routing", then configure every interface that forwards IPv6 traffic with an IPv6 address. a dual-stack device needs its security controls (ACLs, management-plane protection, logging) configured for both protocols; an IPv4-only ACL leaves the IPv6 side of the same interface open.

example, configure interface FastEthernet0/1 to support both IPv4 and IPv6.
ipv6 unicast-routing
interface FastEthernet0/1
ip address 192.168.10.1 255.255.255.0
ipv6 address 2001:A58E:9CD:2947::49/64


when both protocols are configured on the interface, the interface is considered dual-stacked.


IPv6 Tunneling
tunneling is an integration method that encapsulates IPv6 packets within another protocol, such as IPv4 (when encapsulated in IPv4, protocol number 41 is set in the IPv4 header). this enables connecting IPv6 networks without converting the intermediate networks to IPv6. tunneling requires the end routers to be dual-stacked (both border routers must support IPv4 and IPv6 and have interfaces configured with IPv4 and IPv6 addresses). tunneling has two drawbacks: it reduces the effective MTU by 20 octets because of the added IPv4 header, and tunneled networks are often difficult to troubleshoot. from a security standpoint, a protocol-41 tunnel carries IPv6 traffic past any IPv4-only filtering, so the border should permit protocol 41 only between the configured tunnel endpoints and apply IPv6 policy to the decapsulated traffic. tunneling should not be considered a final solution; a native IPv6 architecture should be the end goal.
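As an added example (not code from the original notes), the Python below assembles a 6in4 packet the way a manual tunnel endpoint does (an IPv4 header with protocol 41 around an IPv6 header), computes the 20-octet MTU penalty mentioned above, and implements the check a border filter applies: protocol-41 packets are parsed down to the inner IPv6 addresses and dropped unless the outer source is a configured tunnel peer. All addresses are sample values from the documentation ranges, and `should_drop` and its peer set are assumptions for the illustration.

```python
"""IPv6-over-IPv4 (protocol 41) encapsulation and a border check for it.

Added example, not code from the original notes. It assembles a 6in4 packet
the way a manual tunnel endpoint does (IPv4 header with protocol 41 around an
IPv6 header) and shows the check a border filter applies: protocol-41 packets
are tunnelled IPv6 that IPv4-only rules never inspect, so they should only be
accepted from the configured tunnel peers. All addresses are sample values.
"""
import ipaddress
import struct

IPPROTO_IPV6 = 41        # IPv4 protocol number that carries 6in4
IPV4_HDR_LEN = 20
IPV6_HDR_LEN = 40
NO_NEXT_HEADER = 59      # IPv6 next-header value meaning "nothing follows"


def ipv4_checksum(hdr):
    """Internet checksum over an IPv4 header (with the checksum field zeroed, or as received)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(outer_src, outer_dst, inner_src, inner_dst, payload, next_header=NO_NEXT_HEADER):
    """Wrap an IPv6 packet in IPv4 with protocol 41 (RFC 4213 configured tunnel)."""
    ipv6 = struct.pack("!IHBB16s16s",
                       0x60000000,                   # version 6, class 0, flow label 0
                       len(payload), next_header, 64,
                       ipaddress.IPv6Address(inner_src).packed,
                       ipaddress.IPv6Address(inner_dst).packed) + payload
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, IPV4_HDR_LEN + len(ipv6), 0x1234, 0x4000,   # DF set
                      64, IPPROTO_IPV6, 0,
                      ipaddress.IPv4Address(outer_src).packed,
                      ipaddress.IPv4Address(outer_dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + ipv6


def tunnel_mtu(link_mtu):
    """Largest IPv6 packet that fits a 6in4 tunnel over a link of link_mtu bytes."""
    return link_mtu - IPV4_HDR_LEN


def inspect(pkt):
    """(outer_src, outer_dst, inner_src, inner_dst) for a valid 6in4 packet, else None."""
    if len(pkt) < IPV4_HDR_LEN or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < IPV4_HDR_LEN or pkt[9] != IPPROTO_IPV6 or len(pkt) < ihl + IPV6_HDR_LEN:
        return None
    if ipv4_checksum(pkt[:ihl]) != 0:          # a correct header checksums to zero
        return None
    inner = pkt[ihl:]
    if inner[0] >> 4 != 6:
        return None
    return (str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20])),
            str(ipaddress.IPv6Address(inner[8:24])), str(ipaddress.IPv6Address(inner[24:40])))


def should_drop(pkt, tunnel_peers):
    """Border policy (assumed): protocol 41 is accepted only from configured tunnel endpoints.

    Anything that is not a well-formed 6in4 packet is left to the ordinary IPv4
    rules, so this returns False for it.
    """
    info = inspect(pkt)
    return info is not None and info[0] not in tunnel_peers


if __name__ == "__main__":
    pkt = encapsulate("192.0.2.1", "198.51.100.1", "2001:db8::1", "2001:db8::2", b"")
    print(inspect(pkt), "drop:", should_drop(pkt, {"203.0.113.5"}), "mtu:", tunnel_mtu(1500))
```

The same parse is what an IDS needs to apply IPv6 signatures to tunnelled traffic; without it, the inner addresses and headers are invisible.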


Routing Consideration in IPv6
review of a router's functions in a network:
  • the control plane. handles the router's interaction with other network elements, providing the information needed to control the overall operation of the router. this plane runs the routing protocols and the network management processes. it is also the part an attacker reaches with spoofed routing updates or management traffic, so it needs its own protection (routing protocol authentication, control-plane policing).
  • the data plane. forwards packets from a source interface to another interface. this involves switching mechanisms such as Cisco Express Forwarding (CEF) and process switching.
  • enhanced services. advanced features such as ACLs, QoS, encryption, etc.

Challenges in IPv6 routing
IPv6 Control Plane
  • IPv6 address size. address size affects routing performance: on the same CPU, IPv6 takes more time to process source and destination address information. routers that rely only on software processing are likely to perform slower in an IPv6 environment.
  • IPv6 routing protocols. larger addresses mean larger routing protocol messages than in an IPv4 environment.
  • multiple IPv6 node addresses. IPv6 nodes may have several IPv6 unicast addresses, so memory consumption of the Neighbor Discovery cache is affected (and a remote host that scans a /64 can make the router fill its cache with incomplete entries, which is why ND cache limits matter).
  • routing table size. the larger IPv6 address space leads to larger routing tables, which may require more memory.

IPv6 Data Plane
the data plane forwards IP packets based on the decisions made by the control plane.
  • parsing IPv6 extension headers. IPv6 packets may carry additional headers, which some applications use. these extra fields require additional processing; if the extension header chain exceeds what the hardware can parse, the packet is punted to software switching or dropped, which affects forwarding performance. long or unusual extension header chains are also a known way to slip packets past ACLs that only look at the first header and to force punts that load the CPU, so the policy for them should be explicit.
  • IPv6 address lookup. most routers today perform lookups in an Application Specific Integrated Circuit (ASIC) originally designed for IPv4. when it has to process IPv6 packets with their larger addresses, this can result in packets being punted to software processing or dropped.


Network Address Translation

RFC 1918 defines private IP addresses: reserved blocks of addresses that anyone can use. these addresses can be used only in private networks and are not routed on the internet. this way anyone can use private addresses for internal needs without worrying that the same address is used by someone else, since packets carrying private addresses are not routed in public networks (the internet). the reserved blocks are:
  • Class A range. 10.0.0.0 - 10.255.255.255, prefix 10.0.0.0/8
  • Class B range. 172.16.0.0 - 172.31.255.255, prefix 172.16.0.0/12
  • Class C range. 192.168.0.0 - 192.168.255.255, prefix 192.168.0.0/16

unlike private addresses, public addresses must be registered with a Regional Internet Registry (RIR); organizations usually lease public addresses from an ISP. the RIRs are:
  • ARIN, North America
  • RIPE NCC, Europe, the Middle East and Central Asia
  • APNIC, Asia-Pacific
  • LACNIC, Latin America and the Caribbean
  • AfriNIC, Africa

in the old days, a device that needed to access the internet had to be assigned a public IP address. since there are not enough public addresses, an organization cannot assign one to each of its devices. Network Address Translation provides a mechanism that lets devices with private addresses reach the internet using only one (or a few) public addresses.

a NAT-enabled router has a pool of public IP addresses that inside hosts can use when they communicate with hosts outside the network (on the internet). the router maintains a translation table containing the inside local address, the inside global address and the outside global address of each session. the router acts as a forwarder for the inside host: it rewrites the source address of packets sent to the outside network to one of its public addresses. when the router receives a packet destined for one of those public addresses, it looks up the table to find the corresponding inside local address, which lets it forward the packet to the correct host on the inside network. note that NAT is not a firewall: an inbound packet that matches a translation is forwarded, and a static translation is reachable from the outside at all times.

some NAT terminology:
  • inside local address. the actual address of the inside host, most likely a private address.
  • inside global address. the public address given to an inside host when it communicates with the outside network.
  • outside global address. the public address assigned to a host on the internet.
  • outside local address. the address of an outside host as seen from inside the network. in most cases this is the same as the outside global address.

the "inside" of a NAT is not synonymous with private addresses as defined by RFC 1918, and "non-routable" only means not routable on the internet.


Types of NAT
Static NAT. a one-to-one mapping: a particular inside host is always given the same public address, and the mapping is constant. this is useful for hosts that need a consistent public address (enterprise servers or networking devices).

Dynamic NAT. a first-come, first-served mapping. when an inside host wants to communicate with the outside network, it is assigned one of the public addresses from the pool that is still available (not in use by another host).

NAT overload, also called Port Address Translation (PAT). maps multiple private addresses to a single public address or a few addresses. a PAT-enabled router assigns a source port number to each TCP/UDP session opened by an inside host and ensures that every session uses a different source port on the same global address. when reply messages come from the internet, the router checks the destination port, looks it up in the table and forwards the message to the correct inside host.

NAT overload assigns the next available port if the port chosen by an inside host is already in use by another host. if an inside host opens a session with the outside network and chooses port 1221 as its source port, the NAT router tries not to alter the source port; if 1221 is already in use by another host, the router uses the next available port (here 1222, if it is free) for the inside global address of this session. the replacement port is taken from the same port group as the original: 0-511, 512-1023 or 1024-65535. if every port in the group is in use and more than one public address is available, the router moves on to the next public address.
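As an added illustration (not code from the original notes or from IOS), the Python below models the PAT table behaviour just described: the inside host's source port is kept when it is free on the current global address, otherwise the next free port in the same port group is used, and a new global address is taken once a group is exhausted. Entries are keyed on the inside side only; an IOS table also records the outside address and port of each session, and times entries out, both of which are left out here. The addresses and ports are sample values.

```python
"""Port Address Translation table, as an added illustration (not page code).

Models the behaviour described above for a PAT-enabled router: keep the inside
host's source port when it is free on the current global address, otherwise
take the next free port in the same group (0-511, 512-1023, 1024-65535), and
spill over to the next global address once a group is exhausted. Addresses
are sample values; a real router also times entries out and records the
outside peer of each session, which is omitted here.
"""

PORT_GROUPS = ((0, 511), (512, 1023), (1024, 65535))


def port_group(port):
    for lo, hi in PORT_GROUPS:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError(f"port {port} out of range")


class PatTable:
    def __init__(self, global_addrs):
        self.global_addrs = list(global_addrs)       # inside global pool, in order
        self.out = {}    # (inside_local, local_port, proto) -> (inside_global, global_port)
        self.back = {}   # (inside_global, global_port, proto) -> (inside_local, local_port)

    def translate_out(self, inside_local, local_port, proto="tcp"):
        """Packet leaving the inside network: the (address, port) to rewrite the source to."""
        key = (inside_local, local_port, proto)
        if key in self.out:
            return self.out[key]                     # existing session, reuse its entry
        lo, hi = port_group(local_port)
        # preferred order: the original port, then upwards through the group,
        # then wrap around to the start of the same group
        candidates = [local_port] + list(range(local_port + 1, hi + 1)) + list(range(lo, local_port))
        for inside_global in self.global_addrs:
            for port in candidates:
                if (inside_global, port, proto) not in self.back:
                    self.out[key] = (inside_global, port)
                    self.back[(inside_global, port, proto)] = (inside_local, local_port)
                    return inside_global, port
        raise RuntimeError("port group exhausted on every global address")

    def translate_in(self, inside_global, global_port, proto="tcp"):
        """Packet arriving from the outside: the inside host it belongs to, or None.

        None (no entry, so nowhere to forward) is the only filtering this table
        performs; it is what people mistake for a firewall.
        """
        return self.back.get((inside_global, global_port, proto))

    def clear(self, inside_local, local_port, proto="tcp"):
        """Remove a session (what a timeout or `clear ip nat translation` does)."""
        inside_global, port = self.out.pop((inside_local, local_port, proto))
        del self.back[(inside_global, port, proto)]


if __name__ == "__main__":
    table = PatTable(["203.0.113.10"])
    print(table.translate_out("192.168.1.10", 1221))   # port preserved
    print(table.translate_out("192.168.1.11", 1221))   # collision: next free port in the group
    print(table.translate_in("203.0.113.10", 1222))    # reply finds the second host
```

Filling a whole group (512 ports in 0-511) with hosts that all pick the same source port shows the spill-over to the second global address; with a single global address the same situation raises an exhaustion error, which on a real router shows up as new sessions failing while old ones keep working.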


Configuring Static NAT
static NAT allows connections initiated by external devices to inside hosts. for example, you may want to map an inside global address to the inside local address of your web server. because the mapping is permanent and works in both directions, the server is reachable from every outside address on every port; restrict that with an ACL on the outside interface and expose only the ports the service needs (see Port Forwarding). the steps for configuring static NAT are:
  • step 1. establish a static translation between an inside local address and an inside global address.
ip nat inside source static local-ip global-ip

local-ip: inside local address of a specific device
global-ip: public address available for the local device

  • step 2. specify the inside interface.
interface type number
ip nat inside
type: the type of the interface [FastEthernet | Serial]
number: interface number

  • step 3. specify the outside interface
interface type number
ip nat outside

type: the type of the interface [FastEthernet | Serial]
number: interface number


Configuring Dynamic NAT
dynamic NAT translates private addresses to public addresses from a pool. the access list in step 2 should match only the inside networks that are allowed out; a "permit any" entry would translate whatever arrives on an inside interface. the steps are:
  • step 1. Define a pool of global addresses to be allocated as needed.
ip nat pool name start-ip end-ip {netmask netmask-number|prefix-length pref-length}
name: word. name of the pool
start-ip: lowest public address to be available in the pool
end-ip: highest public address to be available in the pool
netmask-number: subnet mask of the public addresses
pref-length: prefix length of the public addresses


  • step 2. create a standard access-list permitting the addresses to be translated.
access-list acl-number permit source [ source-wildcard ]
acl-number: a number that identifies the the standard acl
source: private address/network to be permitted
source-wildcard: wildcard of the source permitted (see ACL)

  • step 3. establish dynamic translation between private addresses and public addresses
ip nat inside source list acl-number pool name
acl-number: the number of ACL which permits private addresses to be translated
name: name of the pool that contains public addresses

  • step 4. specify the inside interface.
interface type number
ip nat inside

type: the type of the interface [FastEthernet | Serial]
number: interface number

  • step 5. specify the outside interface
interface type number
ip nat outside
type: the type of the interface [FastEthernet | Serial]
number: interface number


Configuring NAT overload
there are two ways to configure overloaded NAT, depending on how many public addresses the ISP provides. if only one address is given, the steps are:
  • step 1. create a standard access-list permitting the addresses to be translated.
access-list acl-number permit source [ source-wildcard ]
acl-number: a number that identifies the the standard acl
source: private address/network to be permitted
source-wildcard: wildcard of the source permitted (see ACL)

  • step 2. establish the overload translation.
ip nat inside source list acl-number interface interface-type/number overload
acl-number: the number of the ACL that permits the private addresses to be translated
interface-type/number: the interface that carries the public address (typically the one addressed by the ISP)

the "overload" keyword enables adding the source port number to the translation.

  • step 3. specify the inside interface.
interface type number
ip nat inside

type: the type of the interface [FastEthernet | Serial]
number: interface number

  • step 4. specify the outside interface
interface type number
ip nat outside

type: the type of the interface [FastEthernet | Serial]
number: interface number

to configure overloaded NAT with more than one public ip address:
  • step 1. create a standard access-list permitting the addresses to be translated.
access-list acl-number permit source [ source-wildcard ]

acl-number: a number that identifies the standard acl
source: private address/network to be permitted
source-wildcard: wildcard of the source permitted (see ACL)

  • step 2. Specify the global addresses as a pool.
ip nat pool name start-ip end-ip {netmask netmask-number|prefix-length pref-length}
name: word. name of the pool
start-ip: lowest public address to be available in the pool
end-ip: highest public address to be available in the pool
netmask-number: subnet mask of the public addresses
pref-length: prefix length of the public addresses

  • step 3. establish overload translation
ip nat inside source list acl-number pool name overload
acl-number: the number of ACL which permits private addresses to be translated
name: name of the pool that contains public addresses

  • step 4. specify the inside interface.
interface type number
ip nat inside

type: the type of the interface [FastEthernet | Serial]
number: interface number

  • step 5. specify the outside interface
interface type number
ip nat outside

type: the type of the interface [FastEthernet | Serial]
number: interface number


by default a dynamic translation times out after 24 hours (86,400 seconds); you can change this with the command "ip nat translation timeout timeout-seconds". a long timeout keeps a global address or port reachable from outside long after the inside host has finished with it, so shorten it where the pool is small.

you can see the NAT you have configured with "show run". to verify NAT operation use "show ip nat translations [verbose]". the command "show ip nat statistics" displays the total number of active translations, the NAT configuration parameters, the total addresses in the pool and the addresses allocated from it.

you can debug NAT operation with "debug ip nat". on a busy router this logs every translated packet, so enable it only briefly.


Port Forwarding
port forwarding enables external users (on the outside network) to initiate connections to inside hosts. it does this by translating received messages destined for a specified port to a particular host and destination port on the inside network.

for example, suppose you have a web server on your inside network with the IP address 192.168.1.252. to let external users reach it, you can configure port forwarding of HTTP traffic from your border router to the web server: traffic received on the WAN interface destined for port 80 (HTTP) is forwarded to the inside with destination address 192.168.1.252 and destination port 80. in this case the external and internal ports are the same, but either can be changed; if you change the external port, external users must know the port number you chose. once a port is forwarded the service is reachable from every address on the internet, so the server must be hardened as an internet-facing host, and an unusual external port hides nothing from a port scan.


Configure DHCP

Configuring DHCP Server
a Cisco router running IOS can be configured as a DHCP server. the steps are:
  • step 1. define the addresses that must not be handed out. these are typically static addresses assigned to servers or printers, the switch management addresses and the gateway/router address. the command to specify the excluded addresses is
ip dhcp excluded-address low-address [high-address]

low-address: the (lowest) address of the reserved range that should not be used for DHCP allocation.
high-address: optional; to reserve a range, the highest address of the range.

a best practice is to configure these reserved addresses first, at the global configuration level, so DHCP never hands one out by accident.

  • step 2. create a DHCP pool with the command
ip dhcp pool pool-name

pool-name: the name of the pool to be created.

after entering the command you are at the DHCP configuration level, where you configure the specifics of the pool.

  • step 3. configure the specifics of the pool. here you need to configure the network the pool serves and the gateway address of that network. to define the network of the pool use the command
network network-number {mask | /prefix-length}

network-number: the network address
mask: the subnet mask of the network (alternatively the prefix length, written /24 for example)

to define the default gateway for the network enter the following command
default-router address [address2 ... address8]

typically the gateway address is the address of the router's LAN interface connected to the network. at least one address is required, and up to eight can be listed.
there are some optional settings for a DHCP pool. some of the optional commands are
  • define the DNS servers
dns-server address [address2 ... address8]
  • define the domain name
domain-name domain
  • define the duration of the lease
lease {days [hours] [minutes] | infinite}
  • define the NetBIOS WINS servers
netbios-name-server address [address2 ... address8]



here is an example configuring DHCP for the network 192.168.10.0/24, where the addresses 192.168.10.1 - 192.168.10.10 and 192.168.10.100 must not be allocated. the DHCP pool is named "pool1":

ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.10.100
ip dhcp pool pool1
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
end


to verify the DHCP configuration use the command "show ip dhcp binding" in privileged EXEC mode; it shows the current bindings of pool addresses to clients. use "show ip dhcp server statistics" to see DHCP statistics and the messages received and sent by the server, and "show ip dhcp pool" for information on the pools that have been created.

administrators can also bind specific MAC addresses (or client identifiers) to a fixed address, so that those clients get the same address every time they boot.

DHCP services can be disabled with the command "no service dhcp" and re-enabled with "service dhcp". a rogue DHCP server on the same LAN can hand clients a malicious gateway or DNS server; on the access switches, DHCP snooping restricts DHCP server replies to trusted ports.

you can also configure the router as a DHCP server with SDM. click the Configure tab, and in the task list click the DHCP folder > DHCP Pool, then click the Add button. a dialog box appears with fields for the pool parameters, such as the pool name, pool network, starting and ending address, lease time, etc. when you have finished, click OK. SDM automatically excludes the IP address used by the interface connected to the pool's LAN.

Configure DHCP Client
sometimes a Cisco router on a SOHO network needs to get its IP address automatically from the ISP. this is done with the command "ip address dhcp" on the interface that should obtain its address from a DHCP server.
example, a Cisco router is connected to an ISP through the interface Serial0/0/0. the ISP assigns this interface an address automatically, so the address is not configured manually. the commands are
interface serial0/0/0
ip address dhcp
no shutdown


DHCP Relay
In most enterprise environments, servers, including the DHCP server, are located in a separate network (the server farm). A problem arises when a client needs an address from a DHCP server on a separate network: the DHCPDISCOVER message is a broadcast, and a router will not forward it to any other network. (This problem is not specific to DHCP; other services also use broadcasts. Cisco routers and other devices use broadcasts to locate a TFTP server or an authentication server, e.g. a TACACS server.)
The problem is solved by configuring the intervening routers and switches to act as DHCP relay agents with the Cisco IOS helper address feature, which enables routers to forward DHCP messages to the DHCP servers. To configure a router as a relay agent, use the following command on the interface that receives the broadcast (the one nearest to, or directly connected to, the client):
ip helper-address forward-address

forward-address: the IP address to which the broadcasts will be forwarded.

With that command, broadcasts received on the interface are forwarded to the specified address as unicast packets.

Example: host1 on subnet 192.168.10.0 needs to renew its address from a DHCP server on subnet 192.168.20.0; the two are separated by a router. host1 (subnet 192.168.10.0) is connected to the router's FastEthernet0/0 interface, and the DHCP server address is 192.168.20.254. Assuming you are at the global configuration level of the router, enter the following commands:
interface FastEthernet0/0
ip helper-address 192.168.20.254


By default, ip helper-address forwards the following eight UDP services:
  • Port 37: time
  • Port 49: TACACS
  • Port 53: DNS
  • Port 67: DHCP/BOOTP client
  • Port 68: DHCP/BOOTP server
  • Port 69: TFTP
  • Port 137: NetBIOS name service
  • Port 138: NetBIOS datagram service

to add additional services to be forwarded use the command "ip forward-protocol".

Routers, servers and other devices whose location is not usually moved or changed, physically or logically, may be given a static IP address. Client workstations in an organization, however, are likely to be moved physically or logically, and having to give those workstations a new IP address every time they move is a burden for network administrators. DHCP services do this task for the administrator: with DHCP, IP addressing is done automatically and transparently. Usually network administrators use a separate server to offer DHCP services; in a small organization or SOHO environment, a Cisco router can be used as the DHCP server. IOS has a feature set called Easy IP that offers a full-featured DHCP server.

DHCP servers assign a client not only an IP address but also the subnet mask, a gateway address and DNS server addresses. DHCP works in a client/server environment.

The main task of a DHCP server is to provide IP addresses to clients. DHCP includes three different IP address allocation mechanisms:
  • Manual allocation. The administrator assigns a pre-allocated IP address to a particular workstation; DHCP will only allocate that address to the specified client.
  • Automatic allocation. DHCP automatically assigns an IP address selected from a pool to a device. There is no lease: the address is permanently assigned to the device.
  • Dynamic allocation. DHCP automatically assigns an IP address selected from a pool to a device. The IP address is leased to the device for a period of time or until the client indicates that it no longer needs the address. This ensures that hosts that have moved or no longer need an address do not hold on to it. When the lease time expires, the DHCP server returns the address to the pool for reallocation. Clients must contact the DHCP server periodically to extend the lease as the lease time runs out.


DHCP Operations
  • Discover. When a client boots or wants to join a network, it sends a DHCPDISCOVER message to find a DHCP server on the network. Because the client does not yet have a valid address, it uses L2 or L3 broadcast addresses to communicate with the server.
  • Offer. When the DHCP server receives the DHCPDISCOVER message, it finds an available IP address in the pool and offers it to the requesting client. The offer is sent as a DHCPOFFER message to the client as a unicast packet (under some circumstances the packet is broadcast rather than unicast), using the L2 MAC address of the server as the source and the L2 MAC address of the requesting client as the destination.
  • Request. After the client receives the DHCPOFFER, it sends back a DHCPREQUEST message. This message has two purposes: lease origination, and lease renewal and verification. When used for lease origination, the DHCPREQUEST asks that the IP information be verified after it has been assigned; this provides error checking so that the assignment is valid. The DHCPREQUEST also serves as a binding acceptance notice to the selected server and an implicit decline to any other servers that may have offered the host a binding (many organizations use multiple DHCP servers).
  • Acknowledge. After receiving the DHCPREQUEST message, the DHCP server sends a DHCPACK message to the requesting client. The DHCPACK message is a duplicate of the DHCPREQUEST message with just a simple change in the message type field. When the client receives the DHCPACK, it logs the configuration information and sends an ARP broadcast to the network for the leased IP; if there is no reply, the client knows the IP address is valid and starts using it. The time the address is leased varies, as network administrators set it at the server; the default is three days.



BOOTP
BOOTP (RFC 951) is a predecessor of DHCP and shares some operational characteristics with it (both BOOTP and DHCP are client/server based and use UDP ports 67 and 68). BOOTP is a way to download an address and boot configuration for diskless workstations (for example, an automated cash register system at a supermarket). The three primary differences between DHCP and BOOTP are:
  • BOOTP is used for manual pre-configuration, while DHCP is used for dynamic address allocation. When a client requests an address from a BOOTP server, the server looks up the client's MAC address; if it exists in the server database, the server gives the client the address and configuration bound to that MAC. This means the binding must be configured/entered manually on the server.
  • DHCP uses a leasing system: a client is given a leased address for a period of time, and when the time is over the address can be allocated to any other client. BOOTP, on the other hand, gives its clients reserved IP addresses which cannot be allocated to any other client.
  • BOOTP supports only 4 configuration parameters. DHCP supports over 20 configuration parameters (domain name, WINS, etc.).

For compatibility reasons, DHCP messages have the same format as BOOTP messages, except that DHCP messages have an additional, variable-length field called DHCP options. The fields in a DHCP message are:
  • Operation Code (OP). 1 byte. Specifies the general type of the message: 1 indicates a request message, 2 a reply message.
  • Hardware Type. 1 byte. Indicates the type of hardware used in the network; for example, 1 is Ethernet, 15 is Frame Relay and 20 is a serial line. These are the same codes used in ARP messages.
  • Hardware Address Length. 1 byte. Specifies the length of the hardware address.
  • Hops. 1 byte. Set to 0 by clients before transmitting a request and used by relay agents to control the forwarding of DHCP messages.
  • Transaction Identifier. 4 bytes. Generated by a client to match its request with the replies from the server.
  • Seconds. 2 bytes. Number of seconds elapsed since the client started trying to request or renew its address. DHCP servers use this to prioritize client requests.
  • Flags. 2 bytes. Only one bit is used, the broadcast bit. A client that does not know its address sends a request with the broadcast bit set to 1; the receiving server then sends its reply as a broadcast message.
  • Client IP Address. 4 bytes. Set by the client when it has a valid and usable address while in the bound state; otherwise it is set to 0 (the client cannot use this field while it is acquiring an address).
  • Your IP Address. 4 bytes. The IP address the server offers to the client.
  • Server IP Address. 4 bytes. The address of the server. The server always includes its IP address in a field called the Server Identifier DHCP option; the client should set this field once it knows the address of the server.
  • Gateway IP Address. 4 bytes. Routes DHCP messages between different networks; this facilitates DHCP communication between different subnets or networks.
  • Client Hardware Address. 16 bytes. The physical layer address of the client.
  • Server Name. 64 bytes. A server sending a DHCPACK or DHCPOFFER message may include its name in this field. The name could be a nickname or its DNS domain name.
  • Boot Filename. 128 bytes. Optionally used by a client to request a particular type of boot file in a DHCPDISCOVER message, and used by a server to fully specify a boot file directory and filename in a DHCPOFFER message.
  • Options. Variable length. Holds optional parameters used by DHCP. Both client and server may use this field.


If a client is configured to acquire its address automatically, it sends a DHCPDISCOVER when it boots or senses an active network connection. Because the client has no idea which subnet it belongs to, it sends the DHCPDISCOVER message as an IP broadcast (destination address 255.255.255.255), with the source IP address (the client address) set to 0.0.0.0. The server notes the Gateway Address of the message sent by the client; if it is unset, the server knows that the client is on the same subnet as the server. Clients send messages to the server on port 67, and servers send messages to the client on port 68.
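As an added example (not code from these notes or from Cisco), a small Python parser for the message layout above: it decodes the fixed BOOTP fields and the options field, reports whether the Flags broadcast bit is set and whether the Gateway IP Address (giaddr) shows the request was relayed, and includes a relay() helper that rewrites a client broadcast the way the ip helper-address relay agent does before forwarding it. The DHCPDISCOVER it parses is constructed inline; the MAC address and transaction id are sample values.

```python
import struct
from ipaddress import IPv4Address

# Fixed-length BOOTP/DHCP header (RFC 951 / RFC 2131) in network byte order:
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
# chaddr (16), sname (64), file (128); the variable-length options follow it.
_HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = bytes([99, 130, 83, 99])  # RFC 2131 marker preceding DHCP options
BROADCAST_FLAG = 0x8000                   # the only defined bit of the Flags field
ZERO_ADDR = b"\x00" * 4
MAX_HOPS = 16                             # relays drop requests already past this
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST",
                 4: "DHCPDECLINE", 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE"}


def parse_options(data):
    """Walk the options field as code/length/value triples until END (255)."""
    options = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == 0:             # PAD: a single filler byte with no length
            i += 1
            continue
        if code == 255:           # END: nothing meaningful follows
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:  # the option claims more bytes than remain
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    return options


def parse_dhcp(packet):
    """Decode one DHCP message into a dict named after the fields listed above."""
    cookie_end = _HEADER.size + len(MAGIC_COOKIE)
    if len(packet) < cookie_end:
        raise ValueError("packet shorter than the BOOTP header")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr,
     giaddr, chaddr, sname, boot_file) = _HEADER.unpack_from(packet)
    if hlen > 16:
        raise ValueError("hardware address does not fit the 16-byte chaddr field")
    if packet[_HEADER.size:cookie_end] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options = parse_options(packet[cookie_end:])
    type_opt = options.get(53, b"")
    msg_type = type_opt[0] if len(type_opt) == 1 else None
    return {
        "op": "request" if op == 1 else "reply",
        "hardware_type": htype,
        "hops": hops,
        "xid": xid,
        "secs": secs,
        "broadcast_bit": bool(flags & BROADCAST_FLAG),
        "ciaddr": str(IPv4Address(ciaddr)),
        "yiaddr": str(IPv4Address(yiaddr)),
        "siaddr": str(IPv4Address(siaddr)),
        "giaddr": str(IPv4Address(giaddr)),
        "chaddr": chaddr[:hlen].hex(":"),
        "sname": sname.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "file": boot_file.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "message_type": MESSAGE_TYPES.get(msg_type, "unknown"),
        # a zero giaddr tells the server the client sits on the server's own subnet
        "relayed": giaddr != ZERO_ADDR,
        "options": options,
    }


def build_discover(mac, xid):
    """Construct the DHCPDISCOVER a booting client sends (sample input, not a capture)."""
    header = _HEADER.pack(1, 1, len(mac), 0, xid, 0, BROADCAST_FLAG,
                          ZERO_ADDR, ZERO_ADDR, ZERO_ADDR, ZERO_ADDR,
                          mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    options = (bytes([53, 1, 1])            # option 53: message type = DISCOVER
               + bytes([55, 3, 1, 3, 6])    # option 55: ask for mask, router, DNS
               + bytes([255]))              # END
    return header + MAGIC_COOKIE + options


def relay(packet, relay_addr):
    """Rewrite a client broadcast the way a relay agent (ip helper-address) does
    before unicasting it to the DHCP server: bump hops, fill giaddr if empty."""
    fields = list(_HEADER.unpack_from(packet))
    if fields[3] >= MAX_HOPS:
        raise ValueError("hop count too high; a relay would discard this packet")
    fields[3] += 1
    if fields[10] == ZERO_ADDR:          # only the first relay sets giaddr
        fields[10] = IPv4Address(relay_addr).packed
    return _HEADER.pack(*fields) + packet[_HEADER.size:]
```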


VPN

Tunneling enables users to access private networks from public networks. Tunneling encapsulates an entire packet within another packet and sends the new composite packet over a network. Three classes of protocol are involved in a tunnel:
  • Carrier protocol. The protocol over which the information travels (Frame Relay, ATM, MPLS).
  • Encapsulating protocol. The protocol that wraps around the original data (GRE, L2F, L2TP).
  • Passenger protocol. The protocol of the original data being carried (IPv4, AppleTalk, IPv6, IPX).


Tunneling works like this: the original data is wrapped by the encapsulating protocol; as it leaves the VPN gateway (the "tunnel interface"), it is encapsulated again by the carrier protocol, with the source and destination addresses set to the addresses of the tunnel interfaces. When the data arrives at the VPN gateway at the other end, the original data is extracted and sent on to its destination.

For a message to be private, it must be encrypted. VPN encryption rules consist of an algorithm and a key; the message is encrypted using the combination of the two. The result is ciphertext, which is very difficult if not impossible to decrypt without the correct key. There are two kinds of encryption algorithm: symmetric algorithms, which use the same key for encryption and decryption, and asymmetric algorithms, which use different keys for encryption and decryption. Some commonly used encryption algorithms are:
  • Data Encryption Standard (DES). A symmetric key encryption algorithm developed by IBM. It uses a 56-bit key and gives high-performance encryption.
  • Triple DES (3DES). Developed from DES; a symmetric key cryptosystem. It encrypts a message with one key, decrypts it with another key and finally encrypts it with a third key. This provides more strength than DES.
  • Advanced Encryption Standard (AES). Developed by the National Institute of Standards and Technology to replace DES. It offers more strength than DES and is more efficient than 3DES. It can use three different key lengths: 128-, 192- and 256-bit keys.
  • Rivest, Shamir and Adleman (RSA). Named after its inventors; an asymmetric cryptosystem. It uses key lengths of 512, 768, 1024 or more bits.

A hash is a string generated from a text using an algorithm designed so that no two different texts produce the same hash value. The hash is smaller than the text and can be used to guarantee that a message has not been modified: the sender generates a hash of the message and sends it along with the message; the receiver generates a hash value from the received message again and compares the result with the hash value sent by the sender. If both hashes are the same, the message has not been changed or modified.

A keyed-hash message authentication code (HMAC) is a data integrity algorithm that guarantees the integrity of the message. An HMAC has two parameters: a message input and a secret key known only to the sender and the receiver of the message. Two common HMAC algorithms are:
  • Message Digest 5 (MD5), which uses a 128-bit shared key. The 128-bit key is combined with the message and produces a 128-bit hash. The hash is appended to the message and sent to the destination.
  • Secure Hash Algorithm 1 (SHA-1), which uses a 160-bit shared key. The 160-bit key is combined with the message and produces a 160-bit hash. The hash is appended to the message and sent to the destination.
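As an added example (not part of these notes), the keyed-hash exchange above in Python: the sender appends an HMAC-MD5 or HMAC-SHA1 tag computed from the message and the shared secret, and the receiver recomputes the tag over the received message and compares it in constant time, so a modified message, or a tag produced without the key, is rejected. The key and message values are constructed samples.

```python
import hashlib
import hmac

# Tag sizes the notes give: HMAC-MD5 yields 128 bits, HMAC-SHA1 yields 160 bits.
TAG_BITS = {"md5": 128, "sha1": 160}


def protect(message, key, algorithm="sha1"):
    """Append an HMAC tag so the receiver can check both integrity and origin.
    Only a holder of the shared secret key can produce a matching tag; an
    unkeyed hash would not do, since whoever alters the message could recompute it."""
    tag = hmac.new(key, message, algorithm).digest()
    assert len(tag) * 8 == TAG_BITS[algorithm]
    return message + tag


def verify(protected, key, algorithm="sha1"):
    """Split off the trailing tag, recompute it over the message with the shared
    key and compare in constant time.  Returns (is_genuine, message)."""
    tag_len = hashlib.new(algorithm).digest_size
    if len(protected) < tag_len:          # too short to even carry a tag
        return False, b""
    message, tag = protected[:-tag_len], protected[-tag_len:]
    expected = hmac.new(key, message, algorithm).digest()
    # compare_digest avoids leaking, via timing, how many tag bytes matched
    return hmac.compare_digest(tag, expected), message


def demo():
    """Genuine message passes; a modified message or the wrong key fails."""
    key = b"constructed-shared-secret"        # constructed sample key
    message = b"ACCOUNT=1234 AMOUNT=100"      # constructed sample message
    wire = protect(message, key)
    genuine, _ = verify(wire, key)
    tampered = wire.replace(b"AMOUNT=100", b"AMOUNT=900")
    modified, _ = verify(tampered, key)
    wrong_key, _ = verify(wire, b"some-other-key")
    return genuine, modified, wrong_key   # (True, False, False)
```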

Both ends of a VPN connection must be authenticated so that a secure connection and communication can be established. The two peer authentication methods used in VPNs are:
  • Pre-Shared Key (PSK), a secret key shared between the two parties. A PSK is entered manually at each party and is used to authenticate the peer. It uses a symmetric key cryptosystem: the shared key is combined with other information to form the authentication key.
  • RSA signatures, which exchange digital certificates to authenticate the peers. The local device (local end) derives a hash and encrypts it with its private key. The encrypted hash (digital signature) is sent along with the message. The remote end decrypts the hash using the public key of the local end; if the decrypted hash matches the recomputed hash, the signature is genuine.

The Internet is a public network that reaches almost everywhere in the world. The fact that it is a worldwide network makes it an option for organizations and corporations to connect their teleworkers with the organization's private network; the fact that it is a public network exposes it to security risks. With VPN technology, organizations can create a private network over the Internet and safely transfer their private data across it from branches and remote teleworkers. Instead of using a dedicated layer 2 connection such as a leased line, a VPN uses virtual connections that are routed over the Internet.

The benefits of using a VPN are:
  • Cost saving. Unlike a leased line, which is expensive to establish between sites, a VPN uses the public Internet, which is cheaper.
  • Security. A VPN encrypts and authenticates its data, protecting it from unauthorized access.
  • Scalability. Anyone, anywhere within an ISP's area, can connect to the VPN. Organizations, big or small, can add new users without adding significant infrastructure.


Types of VPN:
  • Site-to-site VPN. A site-to-site VPN connects company intranets, or a company intranet with a business partner's extranet; for example, it can connect a branch with the headquarters office. A site-to-site VPN uses a VPN gateway at each site to send and receive TCP/IP traffic. The VPN gateway in a site-to-site VPN could be a router, a PIX firewall appliance or an Adaptive Security Appliance (ASA); it is responsible for encrypting outgoing traffic and decrypting incoming traffic.
  • Remote access VPN. Remote access VPNs connect mobile users and teleworkers, as well as consumer-to-business extranets. Since most teleworkers have access to the Internet, they can establish a remote VPN connection to the company. Each host typically runs VPN client software that encrypts outgoing and decrypts incoming traffic. At the company site, a VPN gateway, which could be a PIX firewall, a router, an ASA or a VPN concentrator, performs the encryption and decryption.


A VPN creates a virtually private network which must maintain confidentiality and security: it must protect data against sniffing and provide sender authentication and message integrity.
Typically a VPN requires the following components:
  • a network with servers and workstations;
  • access to the Internet;
  • VPN gateway-capable devices, such as routers, firewalls, VPN concentrators and ASAs, at the endpoints to establish and manage VPN connections;
  • appropriate software to create and manage VPN tunnels.


Most VPNs do both of the following:
  • Encapsulation. Also called tunneling; this enables data to be transferred between private networks over a shared public network.
  • Encryption. Codes data into another format using a secret key. Decryption decodes the encrypted data back to its original format.


The key points of security in VPNs are:
  • Data confidentiality. Guarantees that data is not stolen as it travels across a shared network. VPNs achieve this using encapsulation and encryption.
  • Data integrity. Guarantees that the data received by the receiver is the same as the data sent by the sender, i.e. that the data has not been modified. VPNs usually use hashes to ensure data integrity; a hash is like a seal that guarantees that no one has read the content of the message.
  • Authentication. Guarantees that only authorized users may participate in the private network; unauthorized users must not be given access. VPNs achieve this by using passwords, digital certificates or other authentication mechanisms.

IPsec is a protocol suite for securing communications in IP networks. There are two frameworks within IPsec:
  • Authentication Header (AH), which provides authentication and integrity. Use this when confidentiality (encryption) is not needed or not permitted. This makes AH weaker, which is why AH is often used together with ESP.
  • Encapsulating Security Payload (ESP), which provides authentication, integrity and confidentiality (encryption). Although encryption and authentication are each optional, at a minimum one of them must be selected.

We can choose and implement the standards used for encryption, authentication and key exchange. The IPsec framework choices are:
  • IPsec protocol: ESP, AH, ESP + AH
  • Encryption: DES, 3DES, AES
  • Authentication: MD5, SHA
  • DH: DH1, DH2, DH5

DH (Diffie-Hellman) allows two parties to establish a shared secret key that is then used by the encryption and hash algorithms.


Configuring SSH on a Router

How to enable SSH on a router
1. set router hostname
hostname R2

2. set a domain name
enter the following command at the global level to set the domain name to cisco.com
ip domain-name cisco.com

3. generate asymmetric keys
To generate the key that the router uses to encrypt its SSH management traffic, enter the command "crypto key generate rsa". You will be asked for the size of the key modulus, in the range 360 - 2048. As a best practice, Cisco recommends a minimum length of 1024; longer means more security. AFTER YOU GENERATE THE KEY, YOU WILL NOTICE THAT SSH HAS BEEN ENABLED.

4. configure local authentication and vty
To simplify the example, we use a local username (you could instead use a third-party authentication server such as TACACS+ or RADIUS). First create a local user: to create the username student with the encrypted password cisco, enter "username student secret cisco" at the global configuration level. Next enter the vty line configuration with "line vty 0 4", make login use the local user database with "login local", and restrict the transport to SSH with "transport input ssh".

5. configure SSH timeouts (optional)
This provides additional security. Enter both commands at the global configuration level:
ip ssh time-out 15
ip ssh authentication-retries 2



To connect to the router over SSH, use an SSH client (PuTTY, TeraTerm). You will be prompted for a username and password; enter the ones you configured. In the example above, that is the locally created user student with the password cisco.

Routers' role in security
  • advertise networks and filter who can use them
  • provide access to network segments and subnetworks

Routers can be attacked with these effects:
  • compromising the access control can expose network configuration details, facilitating attacks against other network components.
  • compromising the routing tables can reduce performance, deny network communication services and expose sensitive data.
  • misconfiguring a router traffic filter can expose internal network components to scans and attacks, making it easier for attackers to avoid detection.

Securing routers at the network perimeter is an important first step in securing a network.
Some concerns when securing a router:
  • physical security
  • update the router IOS whenever possible
  • back up the router configuration and IOS
  • harden the router to eliminate the potential abuse of unused ports and services

Some steps to secure a router:
1. manage router security
Use strong passwords. To avoid exposing passwords, use "enable secret" instead of "enable password": secret means the password is stored encrypted using MD5 (type 5). The global command "service password-encryption" encrypts passwords with a simple algorithm, which Cisco calls type 7. Cisco recommends type 5 over type 7.

2. secure remote administrative access to routers
Remote access to routers is preferred when there are many routers and switches. Access should be controlled for the VTY, TTY (asynchronous access through a modem) and AUX lines; ensure that connections through those lines require a password.
You can PREVENT CONNECTION to any line by entering the commands "login" and "no password".
A VTY line can be configured to accept only connections that use a specified protocol, with the command "transport input". For example, to allow VTY connections using SSH only, enter "transport input ssh".
A Cisco IOS device has a limited number of VTY lines, usually 5, so they can be tied up by a DoS attack. To avoid this, you can configure one of the VTY lines to accept connections only from a single, specific administrative workstation; this is achieved with an ACL and the "ip access-class" command at the line configuration level. Another measure is to set VTY timeouts with the "exec-timeout" command, which closes connections that have been idle longer than the configured time.
Another concern is encrypting the traffic of remote connections. To achieve this, use SSH instead of telnet; note that not all Cisco images support SSH. Cisco routers can act as both SSH client and server, and by default both modes are enabled when SSH is enabled.

3. logging router activity
Logging gives you a record of what has happened on a router. Logs can be saved in the router's memory or sent to a log host; a log host is preferable because it provides a central place for logging. Logging can be set to one of eight levels, with level 7 meaning the system is unstable and including all router information. Logs should be reviewed regularly; this gives you a sense of your usual network activity. You may also want to use NTP so that events carry accurate times, which makes troubleshooting easier.

4. secure vulnerable router services and interfaces
Cisco routers support a number of network services, some of which serve no purpose on a given router. General security practice for routers is to configure the router to support only the traffic and services that are needed. You can disable a service entirely or restrict access to it: if a particular portion of a network segment needs a service but the rest does not, use the restriction features to limit the scope of the service. Some services that it is recommended to disable are:
  • TCP small servers
  • UDP small servers
  • CDP (if there are IP phones, consider this before turning the service off)
  • Finger
  • HTTP server
  • Proxy ARP
  • IP mask reply, etc.
The commands to turn off a service usually start with "no" followed by the service name, for example:
no service tcp-small-servers
no ip http server
no cdp run


Some services that should be secured if they are needed:
  • SNMP: use version 3. Versions 1 and 2 pass management information and passwords in clear text.
  • NTP: to reject NTP messages on a particular interface, use an access list.
  • DNS: name queries are sent to the broadcast address, so a fake name server could answer a query. Explicitly specify the name server addresses with the command
ip name-server addresses

5. secure routing protocols
Routers are also at risk from attacks on routing itself: anyone with a packet sniffer can read the information propagating between routers. There are two kinds of attack in general:
  • Disruption of peers
  • Falsification of routing information

Disruption of peers is less critical, because routing protocols can heal themselves by finding a backup route. Falsification of routing information is done by feeding false routing updates to a router; this can be prevented by authenticating routing protocol information. Authentication through MD5 consists of 3 key elements: the key (similar to a password), the data and the signature (the result of combining the key and the data through the MD5 algorithm). RIPv2, EIGRP, OSPF, IS-IS and BGP support various forms of MD5 authentication.

securing RIPv2 routing protocol
step 1. Prevent RIP routing update propagation. First set ALL INTERFACES in a router into passive mode. Then bring up only those interfaces that are required for sending and receiving RIP updates. Passive interface receives updates but does not send them.
passive-interface default

That command, entered at the global configuration level, disables routing advertisements on all interfaces. To bring up a particular interface, enter the command
no passive-interface serial0/0/0

that command will bring up interface serial0/0/0 to send routing updates.

step 2. Prevent Unauthorized Reception of RIP Updates. This is done by setting up MD5 authentication of routing updates. To enable it, first create a key for MD5 and then configure each interface participating in routing updates to send authenticated updates. The commands to create the MD5 key are:
key chain RIP_KEY
key 1
key-string cisco

"key chain RIP_KEY" creates a key chain named RIP_KEY. A chain can hold multiple keys; in the example "key 1" creates key 1, and "key-string cisco" sets the string of key 1 to "cisco".

The commands to implement MD5 authentication on an interface are (entered at the interface configuration level):
ip rip authentication mode md5
ip rip authentication key-chain RIP_KEY

The command "ip rip authentication mode md5" tells RIP to use MD5 authentication, while "ip rip authentication key-chain RIP_KEY" tells it to use the RIP_KEY chain created above.
ONCE THIS AUTHENTICATION IS CONFIGURED ON A ROUTER, THE OTHER PARTICIPATING ROUTERS MUST BE CONFIGURED WITH THE SAME CONFIGURATION AND KEY.

step 3. Verify the Operation of RIP Routing. This is done to check whether routing updates are propagated properly, using the "show ip route" command.


Securing the EIGRP routing protocol. The steps are similar to the RIP steps (create a key chain, apply the authentication mode to interfaces); the difference is in how the authentication mode is applied to an interface. The commands to configure MD5 authentication for EIGRP process 1 are:
key chain EIGRP_KEY
key 1
key-string cisco

interface s0/0/0
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 EIGRP_KEY


Securing the OSPF routing protocol. The logic of the steps is the same as for RIP and EIGRP, but the commands are different. The commands to configure MD5 authentication for OSPF process 10, area 0 are:
interface s0/0/0
ip ospf message-digest-key 1 md5 cisco
ip ospf authentication message-digest

router ospf 10
area 0 authentication message-digest


6. control and filter network traffic



Cisco provides AutoSecure, which lets you use a single command to disable processes and services that are not needed. Enter "auto secure" at privileged EXEC mode. The command has two modes, interactive and non-interactive. In interactive mode you are asked several questions to enable or disable services and other security features; non-interactive mode configures the router automatically with the recommended Cisco default settings. The default is interactive mode.

Three types of vulnerability
  • Technology vulnerability: a weakness in the design of the technology (HTTP, FTP, ICMP vulnerabilities)
  • Configuration vulnerability: easily guessed passwords, misconfiguration, insecure default settings
  • Policy vulnerability: lack of a written policy, poor logical access control


Types of network attacks
  • Reconnaissance: information gathering, which precedes another type of attack. Internet queries (nslookup, whois), ping sweeps (fscan, gscan), port scans (nmap, superscan), packet sniffers (wireshark).
  • Access: gaining access, usually by running a hack, script or tool that exploits a vulnerability. Password attacks and brute forcing (Cain, L0phtCrack); trust exploitation, compromising one system as a means to compromise another; port redirection, a type of trust exploitation that uses software to redirect traffic to another system through a system that has already been compromised (netcat); man-in-the-middle.
  • Denial of service: corrupting a system or service with the purpose of crashing it so that it cannot serve user requests. SYN flood: in the TCP three-way handshake, the attacker floods a server with TCP SYN messages; the server replies with a SYN-ACK for each SYN and allocates resources for each request, but the attacker never completes the three-way handshake, exhausting the server's resources. DDoS (Smurf, MyDoom, Tribe Flood Network).
  • Malicious scripts/software: worms, viruses, trojan horses. They damage hosts or corrupt a system and replicate themselves.

*****************
Physical security
*****************
  • Hardware. lock access to physical equipment, disallow unauthorized access.
  • Environment. temperature control, humidity
  • Electrical. Install a UPS and generator in case of power loss; avoid voltage spikes.
  • Maintenance. neat cabling and labeling.

Security should be the main concern whenever designing a network. A firewall alone is not enough; an integrated approach involving firewall, intrusion prevention and VPN is needed.
The PIX has evolved into what is called the Cisco Adaptive Security Appliance (ASA). Cisco ASA integrates firewall, voice security, SSL and IPsec VPN, IPS and content security services.


**********************
Network Security Wheel
**********************
Step 1.  Secure
Create the security policy. some concerns:
  • threat defense
  • stateful inspection and packet filtering
  • intrusion prevention system
  • vulnerability patching
  • disable unnecessary services
  • VPN
  • trust and identity: systems on the outside of the firewall should never be absolutely trusted by systems on the inside of a firewall.
  • authentication
  • policy enforcement, ensure that users and end devices are in compliance with the corporate policy.

step 2. Monitor
Active monitoring by auditing log files, down to the host level (some OSes include auditing functionality). Passive monitoring by using IDS devices; this requires less attention from the network administrator.

step 3. Test
Actively test the network: try to penetrate it using tools such as Nessus and Nmap.

step 4. Improve
Analyze the data collected during the monitoring and testing phases and make the necessary improvements.

To keep the network as secure as possible, the cycle of the security wheel must be repeated continually.



Complex Access List

Complex ACLs are built on standard and extended ACLs and provide more functionality. The kinds of complex ACLs are:
  • Dynamic ACL (lock-and-key): creates dynamic entries at run time. Each user whose traffic is to pass through the router must first authenticate through a Telnet connection to that router.
  • Reflexive ACL: inbound traffic is limited to replies to sessions that originate from inside the network.
  • Time-based ACL: lets you control traffic based on the time of day and day of the week.


Dynamic ACL
Dynamic ACLs are sometimes called lock-and-key ACLs. They depend on Telnet authentication (local or remote) and on extended ACLs. A dynamic ACL starts from an extended ACL that blocks traffic through the router; users who want their traffic to pass must Telnet to the router and authenticate, after which a single-entry dynamic ACL is added to the extended ACL. This entry exists for a particular period of time (both absolute and idle timeouts are possible). Dynamic ACLs are available for IP traffic only.

You can use dynamic ACLs when you want to grant a remote host, or a group of remote hosts, access to a host within your network. Before the 'outside' hosts are given permission to reach your 'inside' host, they must first authenticate themselves at the firewall router. The same approach applies when some of your 'inside' hosts want to connect to a remote (outside) host.

the steps of configuring a dynamic ACL are:
  • step 1. Create a user. The user can be created locally or on a remote server (RADIUS or TACACS+); its username and password are used to connect to the router with Telnet (vty).
  • step 2. Create the dynamic ACL. Remember that dynamic ACLs are extended ACLs.
  • step 3. Apply the ACL to the correct interface.
  • step 4. Configure the Telnet connection: the "login" command specifies where to look up the user list (local or remote) and "autocommand" enables the dynamic ACL.

example scenario

         H1 ---------------- R1 --------------- R2 -------------- H2
192.168.10.10                                            192.168.20.20

We want to enable H1 to connect to H2 by creating a dynamic ACL. Assume that R2 is connected to R1 through interface FastEthernet0/1, whose IP address is 192.168.15.1, so the dynamic ACL is applied 'inbound' on FastEthernet0/1 of R2. For simplicity we use local authentication. On the R2 CLI, the commands are:
  • step 1. create a local user
username joe password 0 cisco

  • step 2. create dynamic ACL
access-list 101 permit tcp any host 192.168.15.1 eq telnet
access-list 101 dynamic testlist timeout 15 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
The first entry allows Telnet connections to R2 arriving on Fa0/1. The second entry is the dynamic one: it allows traffic from network 192.168.10.0 to 192.168.20.0, and once a user has authenticated it exists for 15 minutes, after which it is closed whether in use or not.
  • step 3. apply ACL.
interface FastEthernet0/1
ip access-group 101 in

  • step 4. configure telnet connection
line vty 0 4
login local
autocommand access-enable host timeout 5

The "autocommand" runs as soon as the Telnet login succeeds, and the Telnet session is then dropped. The user can now connect to the 192.168.20.0 network; if the user is idle for 5 minutes, the connection is closed.


Reflexive ACL
A reflexive ACL is used to allow IP traffic for sessions originating from your inside network while denying sessions from outside of your network. This limits inbound IP traffic to replies to sessions that originate from inside. Although reflexive ACLs seem the same as extended ACLs that use the "established" keyword, they differ: the "established" parameter only works for TCP traffic, while a reflexive ACL works for any IP traffic (TCP, UDP, ICMP). The "established" option also does not work with applications that dynamically alter the source port for the session.

A reflexive ACL works by examining the outbound traffic passing through the router. When the router sees a new outbound connection, it adds an entry to a temporary ACL that allows the replies back in. Reflexive ACLs contain only temporary entries; when the session ends, the entries are removed.

A reflexive ACL can only be defined within an extended named IP ACL; it cannot be used with extended numbered ACLs or with other protocols. Reflexive ACLs are not applied directly to an interface but are "nested" within an extended named ACL.

steps to create a reflexive ACL are:
  • step 1. Create an extended named ACL that keeps track of traffic from inside.
  • step 2. Create another extended named ACL that permits traffic from outside which is in response to sessions initiated from inside.
  • step 3. Apply both ACLs to the correct interface, in opposite directions.

example scenario,

               Inside network
       SW1 --------------------- R1 -------------------- Internet
                192.168.10.0

A network administrator wants to allow inside hosts to only browse the web, while traffic from the Internet may enter the network only if it is a reply to a session requested from a host inside. Assume that R1 is connected to the Internet through the Serial0/0/0 interface and the ACLs are to be applied there. The commands are:
  • step 1. create ACL, which keeps track traffic from inside
ip access-list extended HTTP_OUTBOUND
permit tcp 192.168.10.0 0.0.0.255 any reflect TCPTRAFFIC

  • step 2. create ACL, permit traffic from outside in response of sessions from inside
ip access-list extended HTTP_INBOUND
evaluate TCPTRAFFIC

  • step 3. apply both ACL
interface serial0/0/0
ip access-group HTTP_OUTBOUND out
ip access-group HTTP_INBOUND in
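As an added example (Python, not IOS code or part of these notes), the following models the behaviour of HTTP_OUTBOUND and HTTP_INBOUND above: outbound TCP from 192.168.10.0/24 creates a mirrored temporary entry in TCPTRAFFIC, and inbound traffic passes only while a matching entry exists. The 203.0.113.x addresses and sample ports are constructed; the 300-second timeout is the IOS default for reflexive entries.

```python
# Added example (Python, not IOS code or part of these notes): a model of the
# reflexive ACL behaviour described above. Outbound TCP from the inside network
# creates a mirrored temporary entry; inbound traffic passes only if it matches one.
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("192.168.10.0/24")   # inside network of the scenario
REFLECT_TIMEOUT = 300                               # seconds; the IOS default

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    fin: bool = False        # FIN or RST seen, i.e. the session is ending

class ReflexiveAcl:
    """Models HTTP_OUTBOUND (permit tcp 192.168.10.0 0.0.0.255 any reflect
    TCPTRAFFIC) applied out, and HTTP_INBOUND (evaluate TCPTRAFFIC) applied in,
    each followed by the implicit deny."""

    def __init__(self):
        self.tcptraffic = {}   # mirrored 5-tuple -> expiry timestamp

    def outbound(self, pkt, now):
        """Return True if the outbound packet is permitted (and reflect it)."""
        if pkt.proto != "tcp" or ipaddress.ip_address(pkt.src) not in INSIDE:
            return False       # only TCP from inside matches; anything else is denied
        key = ("tcp", pkt.dst, pkt.dport, pkt.src, pkt.sport)   # addresses/ports swapped
        if pkt.fin:
            self.tcptraffic.pop(key, None)       # session ends: remove the entry
        else:
            self.tcptraffic[key] = now + REFLECT_TIMEOUT
        return True

    def inbound(self, pkt, now):
        """Return True only for replies to a still-valid reflected session."""
        self._expire(now)
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.tcptraffic:
            return False       # unsolicited traffic hits the implicit deny
        if pkt.fin:
            del self.tcptraffic[key]
        return True

    def _expire(self, now):
        for key in [k for k, exp in self.tcptraffic.items() if exp <= now]:
            del self.tcptraffic[key]

def run_scenario():
    """Constructed traffic: a web request from 192.168.10.10 to 203.0.113.5 and an
    unsolicited probe from 203.0.113.9 to port 22 of the same inside host."""
    acl = ReflexiveAcl()
    request = Packet("tcp", "192.168.10.10", 40000, "203.0.113.5", 80)
    reply = Packet("tcp", "203.0.113.5", 80, "192.168.10.10", 40000)
    probe = Packet("tcp", "203.0.113.9", 5555, "192.168.10.10", 22)
    return {
        "reply_before_request": acl.inbound(reply, now=0),      # False
        "request_permitted": acl.outbound(request, now=0),      # True
        "reply_after_request": acl.inbound(reply, now=1),       # True
        "unsolicited_probe": acl.inbound(probe, now=1),         # False
        "reply_after_timeout": acl.inbound(reply, now=301),     # False, entry expired
    }
```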


Time-Based ACL
A time-based ACL has the same function as an extended ACL, except that it can apply access control based on time (time of day and day of the week). Time-based ACLs are implemented by first creating a time range that defines specific times of day and week. This time range is identified by a name, and the ACL entry refers to it by that name.

steps to implement a time-based ACL are:
  • step 1. Define the time range of when the ACL will operate.
  • step 2. Create the ACL and apply the time range to the corresponding entry.
  • step 3. Apply the ACL to the interface.

example scenario,
A network administrator allows Telnet connections from the Internet to the inside network (192.168.10.0) only on Sundays from 7:00 to 15:00. The ACL is applied on interface Serial0/0/0, the firewall router's interface that connects directly to the outside network. The commands are:
  • step 1. Define the time range
time-range EVERYSUNDAY
periodic Sunday 7:00 to 15:00

  • step 2. create the ACL
access-list 101 permit tcp any 192.168.10.0 0.0.0.255 eq telnet time-range EVERYSUNDAY

  • step 3. apply the ACL
interface serial0/0/0
ip access-group 101 in

Extended ACLs provide a greater range of criteria when filtering packets. While standard ACLs only filter on the source IP address, extended ACLs filter packets on source/destination IP address, source/destination port number (service) and the protocol used. Extended ACLs are numbered from 100-199 and 2000-2699; they can be named as well.

Extended ACLs can filter packets on their source/destination port number. You can specify the port as a number or as the name of a well-known port; for example, the following access-lists have the same function:
access-list 110 permit tcp 206.124.16.0 0.0.0.255 any eq 21
and
access-list 110 permit tcp 206.124.16.0 0.0.0.255 any eq ftp

Both permit packets from network 206.124.16.0 to any host that are destined to port 21 (FTP runs on port 21).


You may notice the "eq" keyword in both access-lists before the port number. "eq" means equal. The available operators are:
  • eq : equal, permit/deny packets whose source/destination port number is equal to the specified number
  • lt : less than, permit/deny packets whose source/destination port number is lower than the specified number
  • gt : greater than, permit/deny packets whose source/destination port number is greater than the specified number
  • neq : not equal, permit/deny packets whose source/destination port number is not equal to the specified number

the complete syntax is
access-list access-list-number {deny | permit | remark} protocol source [source-wildcard] [operator port] destination [destination-wildcard] [operator port] [established]

access-list-number: a number identifying the access-list. For an extended ACL this is 100 to 199 or 2000 to 2699.
deny: drop the packet if the condition matches
permit: pass the packet if the condition matches
remark: used for documentation; adds a remark about entries in the access-list to make it easier to read
protocol: the protocol of the packet, one of tcp, udp, icmp, etc. To match every IP protocol, use ip.
source: address of the network or host from which the packet is sent. Two ways to specify the source:
  • 32-bit, four-part dotted-decimal format
  • any: don't care about the source address. Abbreviation for a source of 0.0.0.0 with a source-wildcard of 255.255.255.255
source-wildcard: wildcard bits for the source IP address. Two ways to specify the source-wildcard:
  • 32-bit, four-part dotted-decimal format
  • any: abbreviation for a source of 0.0.0.0 with a source-wildcard of 255.255.255.255
destination: address of the network or host the packet is destined to. Two ways to specify the destination:
  • 32-bit, four-part dotted-decimal format
  • any: don't care about the destination address. Abbreviation for a destination of 0.0.0.0 with a destination-wildcard of 255.255.255.255
destination-wildcard: wildcard bits for the destination IP address. Two ways to specify the destination-wildcard:
  • 32-bit, four-part dotted-decimal format
  • any: abbreviation for a destination of 0.0.0.0 with a destination-wildcard of 255.255.255.255
operator: optional; compares the source or destination port. One of eq, gt, lt, neq.
port: optional; the (source/destination) port number or service name of the packet.
established: optional, for TCP packets only. A match occurs when the TCP packet has the ACK or RST bit set, which indicates that the packet belongs to an existing connection.


Here is an example that allows hosts in network 192.168.1.0 to do web browsing (HTTP) only.
access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 115 permit tcp any 192.168.1.0 0.0.0.255 established

The "access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 443" line is required for HTTPS. The "access-list 115 permit tcp any 192.168.1.0 0.0.0.255 established" line is required because HTTP traffic flows in two directions: you request a page and the server sends you the page. This ACL lets you receive the page you requested (it actually passes every TCP packet that appears to belong to an existing connection; since only HTTP/HTTPS traffic can leave the network, in theory only HTTP/HTTPS connections can be opened from inside).
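As an added example (Python, not IOS code or part of these notes), this evaluator parses the three access-list statements above, applies them top-down with the implicit deny, and shows that "established" is only a flag check: an inbound packet with ACK set is permitted by ACL 115 whether or not a session exists, which is the limitation the reflexive ACL section addresses. The outside address 203.0.113.5 and the sample ports are constructed, and the port-name table holds only the names these notes use.

```python
# Added example (Python, not IOS code): parse the extended ACL statements above,
# apply them top-down with the implicit deny, and test what 'established' checks.
import ipaddress
from collections import namedtuple

# proto is "tcp", "udp" or "icmp"; flags holds the TCP flags set, e.g. {"ACK"}
Packet = namedtuple("Packet", "proto src dst sport dport flags",
                    defaults=(0, 0, frozenset()))
PORT_NAMES = {"ftp": 21, "telnet": 23, "www": 80}          # subset of IOS names
OPERATORS = {"eq": lambda p, n: p == n, "neq": lambda p, n: p != n,
             "lt": lambda p, n: p < n, "gt": lambda p, n: p > n}

def _addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'; return (addr, wildcard)."""
    t = tok.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)
    if t == "host":
        return (int(ipaddress.ip_address(tok.pop(0))), 0)
    return (int(ipaddress.ip_address(t)), int(ipaddress.ip_address(tok.pop(0))))

def _port(tok):
    """Consume an optional 'eq|neq|lt|gt <port>'; return (operator, port) or None."""
    if tok and tok[0] in OPERATORS:
        op, name = tok.pop(0), tok.pop(0)
        return (op, PORT_NAMES.get(name) or int(name))
    return None

def load(lines):
    """Group statements by ACL number; entry = (action, proto, src, dst, sport, dport, established)."""
    acls = {}
    for line in lines:
        tok = line.split()
        if tok[2] == "remark":
            continue                          # documentation only, filters nothing
        number, action, proto, rest = int(tok[1]), tok[2], tok[3], tok[4:]
        src, sport = _addr(rest), _port(rest)
        dst, dport = _addr(rest), _port(rest)
        entry = (action, proto, src, dst, sport, dport, rest[:1] == ["established"])
        acls.setdefault(number, []).append(entry)
    return acls

def _match_addr(ip, spec):
    addr, wild = spec                         # bits where the wildcard is 0 must agree
    return (int(ipaddress.ip_address(ip)) ^ addr) & (0xFFFFFFFF ^ wild) == 0

def _match(pkt, entry):
    _, proto, src, dst, sport, dport, established = entry
    if proto != "ip" and proto != pkt.proto:
        return False
    if not (_match_addr(pkt.src, src) and _match_addr(pkt.dst, dst)):
        return False
    for spec, port in ((sport, pkt.sport), (dport, pkt.dport)):
        if spec and not OPERATORS[spec[0]](port, spec[1]):
            return False
    # 'established' only tests the ACK/RST bits; the router keeps no session table
    return not established or bool(pkt.flags & {"ACK", "RST"})

def evaluate(entries, pkt):
    """The first matching entry decides; no match means the implicit deny."""
    return next((e[0] for e in entries if _match(pkt, e)), "deny")

CONFIG = ["access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 80",
          "access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 443",
          "access-list 115 permit tcp any 192.168.1.0 0.0.0.255 established"]
```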

After creating the ACLs, you apply an extended ACL to an interface the same way as a standard ACL. In the example above, the two ACLs are applied to one interface in opposite directions; which direction each takes depends on the interface you apply them to. Assuming we want to apply both ACLs to interface FastEthernet0/1, which is directly connected to network 192.168.1.0, the commands would be:
interface FastEthernet0/1
ip access-group 110 in
ip access-group 115 out


you can create a named IP extended ACL the same way as you create one for the standard ACL.
the steps are:
  • step 1. At the global configuration level, enter the command "ip access-list extended name", where name is the name you want for the extended ACL.
  • step 2. After entering the command you are at the ACL configuration level. Create statements and conditions as required with the permit/deny/remark keywords. The syntax is the same as for a statement in a numbered extended ACL, except that you no longer specify "access-list access-list-number".
  • step 3. Verify the ACL you created with the command "show access-lists name" in privileged EXEC mode.

To create a statement of a standard ACL, enter the following command at the global configuration level:
access-list access-list-number {deny | permit | remark} source [source-wildcard] [log]

access-list-number: number of the access list, 1-99 or 1300-1999 for a standard ACL
deny: drop the packet if the condition matches
permit: pass the packet if the condition matches
remark: used for documentation; adds a remark about entries in the access-list to make it easier to read.
source: address of the network or host from which the packet is sent. Two ways to specify the source:
  • 32-bit, four-part dotted-decimal format
  • any: don't care about the source address. Abbreviation for a source of 0.0.0.0 with a source-wildcard of 255.255.255.255
source-wildcard: wildcard bits for the source address. Two ways to specify the source-wildcard:
  • 32-bit, four-part dotted-decimal format
  • any: abbreviation for a source of 0.0.0.0 with a source-wildcard of 255.255.255.255
log: logs information about packets that match the entry. Logs are sent to the console (the level of detail of the messages shown on the console is controlled by the "logging console" command).


Removing an ACL
enter the following command at the global configuration level
no access-list access-list-number

access-list-number: number of the access list to be removed, 1-99 or 1300-1999 for a standard ACL


Wildcard Mask
Wildcard masks and subnet masks are both 32 bits long. A subnet mask determines which part of an IP address is the network ID and which is the host ID. A wildcard mask is used to filter IP addresses to determine whether to permit or deny packets. In a subnet mask, binary 1s mark the bits that must match and 0s the bits that need not; in a wildcard mask, a binary 1 means the corresponding address bit is ignored while a 0 means the corresponding bit must match.
Example (one octet):
00000000 -> all address bits must match
00001111 -> matches the first four bits, ignores the last four
11110000 -> ignores the first four bits, matches the last four
11111111 -> ignores all bits in this octet

you can calculate a wildcard mask easily by subtracting the subnet mask from 255.255.255.255. example:
1. say that you want to filter the whole network of 192.168.1.0 because its subnet mask is 255.255.255.0, you can do
255.255.255.255
255.255.255.000 -
---------------
000.000.000.255 -> wildcard mask

2. you want to filter only the first 14 hosts of 192.168.1.0
255.255.255.255
255.255.255.240 -
---------------
000.000.000.015

3. You want to filter hosts from networks 192.168.1.0 and 192.168.2.0. The network bits these two share are the first 22 bits, so you can do
255.255.255.255
255.255.252.000 -
---------------
000.000.003.255
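As an added example (Python, not part of the original notes), the helpers below compute the wildcard masks of the three cases above, generalise case 3 to any list of networks by keeping only the leading bits they share, and check candidate addresses against an address/wildcard pair. The 0.0.1.0 wildcard mentioned in is_contiguous is a constructed value, not one from these notes.

```python
# Wildcard-mask helpers for the worked examples above (added example, not part
# of the original notes).
import ipaddress

ALL_ONES = 0xFFFFFFFF

def _to_int(dotted):
    return int(ipaddress.ip_address(dotted))

def _to_dotted(value):
    return str(ipaddress.ip_address(value & ALL_ONES))

def wildcard_from_mask(subnet_mask):
    """255.255.255.255 minus the subnet mask, octet by octet (a bitwise NOT)."""
    return _to_dotted(ALL_ONES ^ _to_int(subnet_mask))

def wildcard_from_prefix(prefix_len):
    """/24 -> 0.0.0.255, /22 -> 0.0.3.255, /32 -> 0.0.0.0."""
    return _to_dotted(ALL_ONES >> prefix_len)

def summarize(networks):
    """Generalises example 3: keep the leading bits all networks share and
    return the (address, wildcard) pair that covers them. Note that the pair
    also matches every other address with the same shared bits (for
    192.168.1.0 and 192.168.2.0 that includes 192.168.0.x and 192.168.3.x)."""
    ints = [_to_int(n) for n in networks]
    shared = 32
    while shared and len({i >> (32 - shared) for i in ints}) > 1:
        shared -= 1
    wildcard = ALL_ONES >> shared
    return _to_dotted(ints[0] & ~wildcard), _to_dotted(wildcard)

def matches(address, wildcard, ip):
    """True if ip matches the ACL pair: bits where the wildcard is 0 must agree."""
    care = ALL_ONES ^ _to_int(wildcard)
    return (_to_int(ip) ^ _to_int(address)) & care == 0

def is_contiguous(wildcard):
    """IOS also accepts wildcards such as 0.0.1.0 (match only the odd /24s);
    they have no subnet-mask equivalent, so flag them when reviewing ACLs."""
    w = _to_int(wildcard)
    return w & (w + 1) == 0      # the 1-bits form one low-order run
```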



You can avoid calculating the wildcard mask by using the host and any keywords:
  • host: substitutes for the 0.0.0.0 wildcard, meaning that all bits of the IP address must match. Used when you want to filter a single host.
  • any: substitutes for the 255.255.255.255 wildcard, meaning that all bits are ignored. Used when you don't care where the packet is sent from.

example
access-list 1 permit any
access-list 1 permit host 192.168.10.10


Applying access-list to an interface
enter the following command at the interface configuration level
ip access-group {access-list-number | access-list-name} {in | out}

access-list-number: the number of the access-list that you want to apply
access-list-name: the name of the access-list that you want to apply
in : apply the access-list at inbound direction
out: apply the access-list at outbound direction

For example, to apply access-list 1 on interface Serial0/0/0 in the outbound direction, you would enter:
interface serial0/0/0
ip access-group 1 out


In addition to restricting remote connections to SSH only, you can also increase security by applying an access-list to the vty lines. The command is:
access-class access-list-number {in [vrf-also] | out}

access-list-number: the number of the access-list that you want to apply
in : restricts incoming connection between a particular Cisco device and the addresses in the access-list.
out: restricts outgoing connections between a particular Cisco device and the addresses in the access list.

Some things to note about applying an access-list to the vty lines:
  • apply the access-list to all of the lines, since a user can connect to any of them.
  • only numbered access-lists can be applied to the vty lines.

Example: applying access-list 1 to incoming connections on vty 0-4.
line vty 0 4
login
password cisco
access-class 1 in


Editing Numbered Access-List
There is no built-in feature for editing a numbered ACL: you cannot selectively insert or delete lines. To edit a numbered ACL, do the following:
  • step 1. Show the ACL to be edited from the running configuration with the command "show running-config | include access-list"; the "include access-list" filter shows only the access-list configuration.
  • step 2. Select all the lines of the ACL you want to edit, copy them to a text editor and edit the ACL there as required.
  • step 3. Back in the CLI, in global configuration mode, delete the ACL with the "no access-list access-list-number" command, then paste the edited ACL from the text editor into the CLI.

Creating Named Access-List
First, create a named ACL with a command entered at the global configuration level. The syntax is:
ip access-list {standard | extended} name

name: the name of the access-list

You are then in the access-list configuration level, where you create the statements of the ACL. To create a statement use the "permit" or "deny" command; you can also add a comment for each statement using the "remark" command. The syntax is:
{permit | deny | remark} source [source-wildcard] [log]

Then apply the ACL to an interface by first entering the corresponding interface configuration level and then entering:
ip access-group name {in | out}

name: the name of the access-list


After you create an ACL (numbered or named), you can verify it with the command "show access-list" in privileged EXEC mode.


Editing Named Access List
Since Cisco IOS Software Release 12.3, named ACLs are easier to edit: you can edit individual entries. When you use the "show access-list" command, you can see that each entry in a named ACL has a sequence number in front of it (the numbers usually start at 10 and increase by 10 for each following entry). You can delete or insert an entry without remaking the whole ACL.

Say you want to insert an entry between the first and the second entry. Enter the ACL configuration level with the "ip access-list {standard | extended} name" command, then enter the following:
sequence-number {permit | deny} source [source-wildcard] [log]

sequence-number: a number that determines the position of the statement in the list. To place this entry between the first and the second entry, enter a number between 10 and 20.
