Cisco IPSEC 64bit VPN Client is out in the wild… about time…
Today Cisco released a BETA version of their IPsec VPN Client that will run on Windows 7 in 64-bit mode. It appears to be working, and it has been a long time coming... Finally we can upgrade corporate users to 64-bit code.
vpnclient-winx64-msi-5.0.07.0240-k9-BETA.exe
Release Date: 18/Feb/2010
BETA VPN Client Software for x86 64bit version of Windows 7 - Microsoft Installer
Size: 4898.50 KB (5016064 bytes)
CCIE: Security Study – Day 5
Day 5, it is Friday, and it is time to rock it. I am still working on ASA training, with today's topics covering ASA failover, as well as lab time with IPExpert to get some familiarity with the ASAs. The session starts at 9:00PM Pacific, and then my study partner and I will work through the night until 2AM.
With active/standby configurations, the standby unit becomes the active unit and takes over the active unit's MAC and IP addresses.
-ip address [active_addr] [netmask] [standby]
Tonight I will leave the notes a little short, since I will be spending most of my time on the racks. I will catch up tomorrow.
UPDATE - Just some sample config from some of the ASA work... Can you spot these juvenile errors? I certainly did (after making them)! Now on to learning more ASA firewall context jargon.
!
!
!
config t
int e0/0
ip addr 136.1.0.12 255.255.255.0
nameif outside
security 0
no shut
int e0/1
ip addr 136.1.121.12 255.255.255.0
nameif inside
no shut
int e0/2.120
vlan 120
ip addr 10.0.0.12 255.255.255.0
nameif dmz1
security-level 75
no shut
int e0/2.124
vlan 124
ip addr 136.1.124.12 255.255.255.0
nameif dmz2
security-level 50
no shut
end
!
!
!
config t
router rip
version 2
no auto-summary
network 136.1.0.0
network 10.0.0.0
passive-interfa default
no passive-interf inside
no passive-interf dmz1
end
!
!
!
config t
router ospf 1
network 136.1.0.0 255.255.255.0 area 0
network 136.1.124.0 255.255.255.0 area 1
router-id 150.1.12.12
end
!
!
!
config t
router ospf 1
no network 136.1.124.0 255.255.255.0 area 0
router eigrp 1
network 136.1.124.0 255.255.255.0
end
!
!
!
config t
router ospf 1
redist rip subnets
redist eigrp 1 subnets
router rip
default-infor originate
router eigrp 1
redi static
end
!
!
!
config t
access-list OUTSIDE_IN exte permi tcp any host 10.0.0.100 eq www
access-list OUTSIDE_IN exte permi tcp any host 10.0.0.100 eq ftp
access-list OUTSIDE_IN exte permi udp any host 10.0.0.100 eq ntp
access-list OUTSIDE_IN exte permi icmp any any echo
access-list OUTSIDE_IN exte permi icmp any any echo-reply
access-list OUTSIDE_IN exte permi icmp any any time-exceed
access-list OUTSIDE_IN exte permi icmp any any unreachable
access-list OUTSIDE_OUT exte permi icmp any any echo
access-list OUTSIDE_OUT exte permi icmp any any echo-reply
access-list OUTSIDE_OUT exte permi udp any any range 33434 33464
access-list OUTSIDE_OUT exte permi tcp any any eq ftp
access-list OUTSIDE_OUT exte permi tcp any any eq telnet
access-list OUTSIDE_OUT exte permi tcp any any eq www
end
!
!
!
config t
object-group network ROUTERS
network-object 136.1.121.0 255.255.255.0
object-group network SERVERS
network-object host 10.0.0.100
object-group icmp-type COMMON_ICMP
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
object-group service TRC_PORTS udp
port-object range 33434 33464
object service SERVER_PORTS tcp
port-object eq www
port-object eq ssh
port-object eq 7001
clear config access-list OUTSIDE_IN
access-list OUTSIDE_IN permi icmp any any obj COMMON_ICMP
access-list OUTSIDE_IN permi udp any any obj TRC_PORTS
access-list OUTSIDE_IN permi tcp any object SERVERS obj SERVER_PORTS
access-list OUTSIDE_IN permi tcp any object ROUTERS_PORTS
access-list OUTSIDE_OUT permi icmp any any obj COMMON_ICMP
access-list OUTSIDE_OUT permi tcp any any obj TRC-PORTS
access-list OUTSIDE_IN permi tcp any any obj SERVER_PORTS
access-list OUTSIDE_IN permi tcp any any obj ROUTER_PORTS
end
!
!
!
config t
icmp permi any echo-reply outside
icmp permi any echo-reply inside
icmp permi any echo-reply dmz
icmp permi any time-excee outside
icmp permi any uncreach outside
icmp permi any time-excee inside
icmp permi any unreach inside
icmp permi any time-exceed dmz
icmp permi any unreach dmz
end
!
!
!
config t
nat-control
router rip
passive-inter outside
global (outside) 1 136.1.122.100-136.1.122.110
global (outside) 1 interface
global (dmz) 1 interface
global (outside) 2 136.1.122.200-136.1.122.209
global (outside) 2 136.1.122.210
nat (inside) 1 136.1.121.0 255.255.255.0
nat (dmz) 2 10.0.0.0 255.255.255.0
end
!
!
!
config t
clear conf nat
clear conf glob
clear conf stat
static (dmz,outside) 136.1.122.100 10.0.0.100
static (inside,outside) tcp inter 23 136.1.121.1 23
static (outside,inside) udp inter 53 136.1.122.2 53
nat (inside) 1 0 0
global (outside) 1 inter
clea config access-list OUTSIDE_IN
access-list OUTSIDE_IN exte permi ip any host 136.1.122.100
access-list OUTSIDE_IN exte permi tcp any host 136.1.122.12 eq telnet
access-group OUTSIDE_IN in interface outside
end
!
!
!
config t
clear conf nat
clear conf glob
clear conf stat
access-list ICMP exte permi icmp any any
access-list TELNET exte permi tcp any any eq telnet
nat (inside) 1 access-list ICMP
nat (inside) 2 access-list TELNET
nat (inside) 3 0 0
global (outside) 1 136.1.122.100
global (outside) 2 136.1.122.101
global (outside) 3 interface
access-list OUTSIDE_IN exte permi icmp any any
access-group OUTSIDE_IN in interface outside
end
!
!
!
config t
clear conf nat
clear conf glob
clear conf stat
access-list VLAN122 permi tcp host 136.1.121.1 eq 23 136.1.122.0 255.255.255.0
static (inside,outside) tcp 10.0.0.100 150.1.2.0 255.255.255.0 eq 80
static (inside,outside) tcp inte 23 access-list VLAN122
static (dmz,o) tcp inter 80 access-list LO0
access-list OUTSIDE_IN permit tcp any host 136.1.122.12 eq 80
access-list OUTSIDE_IN permit tcp any host 136.1.122.12 eq 23
access-group OUTSIDE_IN pin interface outside
end
!
!
!
config t
nat-control
clear config alias
clear config nat
clear config static
clear config global
static (dmz,outside) 136.1.122.100 10.0.0.100 dns
nat (dmz) 1 0 0
global (outside) 1 interface
end
!
!
!
config t
clear config access-list
access-list OUTSIDE_IN permit icmp any any
access-list OUTSIDE_IN interface outside
fragment chain 1 outside
fragment chain 1 dmz
end
!
!
!
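As an added example (not from the post, and a simplified model rather than Cisco's own parser), here is a small Python checker that reads an excerpt of the config above and flags the mechanical slips a config review hunts for: names referenced in access-list entries but never defined, "object" versus "object-group" keyword mismatches, and ACLs that are defined but never bound with "access-group". The function name lint_asa_config and the wording of the findings are mine; the excerpt is copied from the Day 5 config with the child lines left out.

```python
import re

# Excerpt of the Day 5 ASA practice config posted above, reused here as the
# checker's input (child lines such as network-object are omitted).
SAMPLE_CONFIG = """
object-group network SERVERS
object-group icmp-type COMMON_ICMP
object-group service TRC_PORTS udp
object service SERVER_PORTS tcp
access-list OUTSIDE_IN permi icmp any any obj COMMON_ICMP
access-list OUTSIDE_IN permi udp any any obj TRC_PORTS
access-list OUTSIDE_IN permi tcp any object SERVERS obj SERVER_PORTS
access-list OUTSIDE_IN permi tcp any object ROUTERS_PORTS
access-list OUTSIDE_OUT permi icmp any any obj COMMON_ICMP
access-list OUTSIDE_OUT permi tcp any any obj TRC-PORTS
access-group OUTSIDE_IN in interface outside
"""

# Definitions: 'object-group <type> <name>' or 'object <type> <name>'.
DEF_RE = re.compile(r"^(object-group|object)\s+\S+\s+(\S+)")
# ACL references: 'obj' abbreviates 'object-group'; 'object' is a single object.
REF_RE = re.compile(r"\b(obj|object-group|object)\s+(\S+)")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s")
BIND_RE = re.compile(r"^access-group\s+(\S+)\s+(?:in|out)\s+interface\s+\S+")

def lint_asa_config(text):
    """Return sorted findings about object and ACL references in an ASA config."""
    defs = {}        # name -> keyword it was defined with
    acls = set()     # ACL names with at least one access-list entry
    bound = set()    # ACL names applied to an interface via access-group
    findings = set()
    for raw in text.splitlines():
        line = raw.strip()
        if m := DEF_RE.match(line):
            defs[m.group(2)] = m.group(1)
        elif m := BIND_RE.match(line):
            bound.add(m.group(1))
        elif m := ACL_RE.match(line):
            acl = m.group(1)
            acls.add(acl)
            for keyword, name in REF_RE.findall(line):
                want = "object" if keyword == "object" else "object-group"
                if name not in defs:
                    findings.add(f"{acl}: {name} is referenced but never defined")
                elif defs[name] != want:
                    findings.add(f"{acl}: {name} is an {defs[name]}, not an {want}")
    for acl in acls - bound:
        findings.add(f"{acl}: defined but never applied with access-group")
    for acl in bound - acls:
        findings.add(f"{acl}: applied with access-group but has no entries")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(lint_asa_config(SAMPLE_CONFIG)))
```

Running the block prints five findings for the excerpt; a config in which every referenced name is defined with the matching keyword and every ACL is applied yields an empty list.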
CCIE: Security Study – Day 4
Ok, so this page somehow was lost to the sands of time. It is ok, you didn't miss too much. I worked to finish some firmware updates, and then worked on more ASA information with 'advanced routing'. I will need to freshen up a little on some of these protocols, but nothing too bad yet...
Updates tomorrow.
CCIE: Security Study – Day 3
Today's tasks include working on a second video training session of the CCIE ASA overview. I will be working on configuring basic network interactions with ASA units, and how various networking protocols can be routed through this device with various restrictions and network shaping.
Key things to keep in mind with ASA units: syntax varies between the 5505, the 5510 and other models. Keeping the logical topology of the network in mind, however, differences such as trunking ASA ports on a 5505 as opposed to the 5510's subinterface-style handling achieve a similar end result.
I discussed with my study partner the implications of attempting the test, and how chasing down the initial VLAN arrangements and core routing should be the primary concern when entering the test. Keep in mind that, for the security track, connections such as VPNs and protocol traffic will be fragile to network changes later in the test, which are designed to break your earlier configurations if they were not planned for.
We are studying remotely today since the lab is now accessible via the web on a 2511 terminal server. Also, for those wondering how to make your own rollover cables for a Cisco terminal server using RJ45, use this diagram:
For now I am concentrating on speeding up my terminal responsiveness: accurately entering VLAN IDs, trunk access, ASA nameifs and the like quickly but correctly, and working out the fastest and most thorough methods for connectivity checks.
That is all for Day 3... Time for sleep...
Google Wave ~
Google Wave is an interesting take on the convention we call email. Email was first created to emulate the mail we all know. The idea was simple: give everyone an address to receive at, and then spam-cannon send away.
For starters, let's look at what Google Wave does do: firstly, it did away with all the need for applications and configuration. To start waving, just create your account, log in and awave you go.
My thought on the matter is that while they "re-invented" email, they seemed to leave out the core piece, EMAIL... To make Google Wave immediately usable, the ability to deal with and handle normal conventional email side by side with the new wave format would be key. The problem is that at this point Google Wave is an inclusive club; by allowing Google Wave to be another method to interoperate with normal email, and enabling rich media layers when present, more users could be drawn to actively use Wave in their digital presence without alienating and losing touch with the masses that still email.
Just my thoughts on the whole matter.
-AW
CCIE: Security Study – Day 2
It is a bright second day, and while the weather is great outside, I am busy working on finishing up firmware upgrades on our gear. I am reminded just how hard this test can be, and to share that, be sure to read this link: http://www.networkworld.com/cgi-bin/mailto/x.cgi?pagetosend=/news/2006/022006-widernet-ccie.html&pagename=/news/2006/022006-widernet-ccie.html&pageurl=http://www.networkworld.com/news/2006/022006-widernet-ccie.html&site=printpage
The lab exam is difficult because it tests practical, problem-solving skills. Test takers have eight hours in the lab to properly configure and troubleshoot Cisco network gear. They need to get 80% of the possible points to pass.
This will be very hard, so let's get to it. Below are the activities I performed during today's session, including some example command lines and study goals.
I am working to speed up my command line configuration by memorizing the command schemes so I can more effectively commit the command shorthand to muscle memory, such as "conf t" for configure terminal and "clea li 3" for "clear line 3" on the Cisco 2511 terminal server. As silly as all that sounds, it is absolutely true that the extra time is a convenience you will not have during this test.
Another thing I am working on is delving into the ASA configuration command line. My experience here has been largely self-taught, so filling gaps and understanding the implications of the commands comes into play heavily.
For today's lessons:
In order to change the vlan on a port on an IOS based switch do the following:
Where interface x is the port you’re changing the vlan on, and vlan y is the vlan you’re moving the port into.
1. Telnet to the switch and login
2. Go into configuration mode by typing “config t”
3. Go into interface configuration mode by typing “interface interface x”
4. Change the VLAN on the port by typing “switchport access vlan y”
5. Exit interface configuration mode by typing “exit”
6. Exit configuration mode by typing “exit”
7. Type “show run interface x” to verify your configuration
8. Once configuration is verified type “write mem” to save the configuration.
The next bit starts on ASAs
A firewall must be virtualized to run active/active. Outside interfaces should have a security level of 0 while the inside is 100. Security levels enforce traffic flow by allowing the more secure side (LAN) to initiate freely to less secure networks; the less secure side (WAN) cannot initiate freely. An ACL can be created to allow traffic to travel up the security chain, and the resulting connections are tracked in the state table of the ASA. Interfaces at the same security level are not allowed to talk to each other by default.
CTRL-Z will stop a command while logged into an IOS switch.
An ASA will not pass traffic on its ports without a proper nameif command, which also populates the security level.
Port redundancy is now available by creating an "int redundant 1", very similar to VLAN interfaces, and adding physical ports with "member-interface eth0/0" and similar.
That is all for tonight, video one is done, 39 more to go.
CCIE: Security Study – Day 1
Yesterday I started my endeavor to study for a CCIE Security certification from Cisco. The initial phases involved getting a working test rack operational and updating the switches to the proper firmware versions to match our study material.
While this entry will be a little bland, in the future I will be documenting all the steps I go through to learn and practice for the exam each day as I do them.
These are the required knowledge items for the test per Cisco:
CCIE SECURITY TRACK
Written Exam Blueprint v2.x
The Security written exam (350-018) has 100 multiple-choice questions and is two hours in duration. The topic areas listed are general guidelines for the type of content that is likely to appear on the exam. Please note, however, that other relevant or related topic areas may also appear.
- General Networking
  - Networking Basics
  - OSI Layers
  - TCP/IP Protocols
  - Switching (VTP, VLANs, Spanning Tree, Trunking, etc.)
  - Routing Protocols (RIP, EIGRP, OSPF, and BGP)
  - IP Multicast
- Security Protocols, Ciphers and Hash Algorithms
  - RADIUS
  - TACACS+
  - Ciphers RSA, DSS, RC4
  - Message Digest 5 (MD5)
  - Secure Hash Algorithm (SHA)
  - EAP PEAP TKIP TLS
  - Data Encryption Standard (DES)
  - Triple DES (3DES)
  - Advanced Encryption Standard (AES)
  - IP Security (IPSec)
  - Authentication Header (AH)
  - Encapsulating Security Payload (ESP)
  - Internet Key Exchange (IKE)
  - Certificate Enrollment Protocol (CEP)
  - Transport Layer Security (TLS)
  - Secure Socket Layer (SSL)
  - Point to Point Tunneling Protocol (PPTP)
  - Layer 2 Tunneling Protocol (L2TP)
  - Generic Route Encapsulation (GRE)
  - Secure Shell (SSH)
  - Pretty Good Privacy (PGP)
- Application Protocols
  - Hypertext Transfer Protocol (HTTP)
  - Simple Mail Transfer Protocol (SMTP)
  - File Transfer Protocol (FTP)
  - Domain Name System (DNS)
  - Trivial File Transfer Protocol (TFTP)
  - Network Time Protocol (NTP)
  - Lightweight Directory Access Protocol (LDAP)
  - Syslog
- Security Technologies
  - Packet Filtering
  - Content Filtering
  - URL Filtering
  - Authentication Technologies
  - Authorization technologies
  - Proxy Authentication
  - Public Key Infrastructure (PKI)
  - IPSec VPN
  - SSL VPN
  - Network Intrusion Prevention Systems
  - Host Intrusion Prevention Systems
  - Event Correlation
  - Adaptive Threat Defense (ATD)
  - Network Admission Control (NAC)
  - 802.1x
  - Endpoint Security
  - Network Address Translation
- Cisco Security Appliances and Applications
  - Cisco Secure PIX Firewall
  - Cisco Intrusion Prevention System (IPS)
  - Cisco VPN 3000 Series Concentrators
  - Cisco EzVPN Software and Hardware Clients
  - Cisco Adaptive Security Appliance (ASA) Firewall
  - Cisco Security Monitoring, Analysis and Response System (MARS)
  - Cisco IOS Firewall
  - Cisco IOS Intrusion Prevention System
  - Cisco IOS IPSec VPN
  - Cisco IOS Trust and Identity
  - Cisco Secure ACS for Windows
  - Cisco Secure ACS Solution Engine
  - Cisco Traffic Anomaly Detectors
  - Cisco Guard DDoS Mitigation Appliance
  - Cisco Catalyst 6500 Series Security Modules (FWSM, IDSM, VPNSM, WebVPN, SSL modules)
  - Cisco Traffic Anomaly Detector Module & Cisco Guard Service Module
- Cisco Security Management
  - Cisco Adaptive Security Device Manager (ASDM)
  - Cisco Router & Security Device Manager (SDM)
  - Cisco Security Manager (CSM)
- Cisco Security General
  - IOS Specifics
  - Routing and Switching Security Features: IP & MAC Spoofing, MAC Address Controls, Port Security, DHCP Snoop, DNS Spoof.
  - NetFlow
  - Layer 2 Security Features
  - Layer 3 Security Features
  - Wireless Security
  - IPv6 Security
- Security Solutions
  - Network Attack Mitigation
  - Virus and Worms Outbreaks
  - Theft of Information
  - DoS/DDoS Attacks
  - Web Server & Web Application Security
- Security General
  - Policies - Security Policy Best Practices
  - Information Security Standards (ISO 17799, ISO 27001, BS7799)
  - Standards Bodies
  - Common RFCs (e.g. RFC1918, RFC2827, RFC2401)
  - BCP 38
  - Attacks, Vulnerabilities and Common Exploits - recon, scan, priv escalation, penetration, cleanup, backdoor
  - Security Audit & Validation
  - Risk Assessment
  - Change Management Process
  - Incident Response Framework
  - Computer Security Forensics
Funny Exam Answers
I originally found this gallery of 25 exam answers at: http://www.holytaco.com/25-clever-exam-answers , and wanted to re-post them for posterity's sake.
Make sure to click each one to get the full-size effect. Many of these are fairly childish, I suspect because they were written by children, but I can't help but remember some of the things I did like this when I was younger. The first act of rebellion that came to mind was a state benchmark test discussing whether children should be allowed to work at a young age, in which I went into explicit detail explaining my "home life" as a coal miner, endlessly trying to find coal in the backyard. I also recall a paper about the potential for pants to be radioactive, and to avoid them at all costs, should someone place plutonium in the pants.
Any cool stories out there from those who read this?
Nuclear Fallout Signage – Portland, Oregon
This is a funny sign I saw originally at: http://blog.makezine.com/archive/2010/01/awesomemorbid_cold_war_era_civil_de.html