This is a very common question that comes up when engineers are deploying a new ASA in an environment, “why can’t I ping outbound from the inside network?” although this is something all experienced engineers may already know, I think it’s time to demonstrate this for people that do not know and would like to understand… Read More »
GNS3 has been around for a while and is a fantastic tool to virtually create labs and test out Cisco technology, as it has evolved GNS3 has become better at providing support for many new devices. In older versions of GNS3 – running an ASA was very CPU intensive as the image used was initially… Read More »
Root Guard is a layer 2 security mechanism designed to protect the “Root Bridge” and ensure it remains as the “Root” in the spanning tree topology. Root guard can protect against mis-configurations and mitigate MiM type attacks. Lets say in the topology below “SW-1” has been elected as the “Root Bridge” with the default priority… Read More »
Loop Guard and UDLD (Uni-directional Link Detection) are two ways to protect networks against loops. Loop guard is a spanning-tree optimisation protocol and can work with both Fibre and UTP cables while UDLD only works with fibre and is a layer 1/2 protocol (unrelated to spanning-tree) that protects the upper layer protocols from causing loops.… Read More »
Spanning-tree “BPDU Filter” works similar to “BPDU Guard”, as it allows you to block BPDU’s. The major difference is that “BPDU Guard” will place an interface that receives the BPDU into an “err-disabled” state pretty much protecting the violating port while “BPDU Filter” just “filters” it leaving the port to stay up. If a user… Read More »
BPDU Guard, BPDU Filter, Root Guard and Loop Guard are all considered spanning tree security features, they all have different characteristics as to what they protect and how they work. Spanning tree attacks can harm the data-plane at Layer 2 therefore using spanning tree security we can mitigate “Man in the Middle” type attacks, protect… Read More »
VLAN hopping is a Layer 2 attack that uses exploits to attack a network with multiple VLANS, the attacker would normally deploy frames into the switch port to either Double Tag – Use double tags and attack a real VLAN via the native VLAN Switch Spoofing – attempt and negotiate a trunk and gain access… Read More »
Dynamic ARP Inspection is a security feature that rejects invalid and malicious ARP packets, by using DAI we can prevent ARP Poisoning/Spoofing Attacks. The Address Resolution Protocol works the following way “192.168.0.1” wants to communicate with “192.168.0.50” however the switch does not know how to reach the layer 3 address as switches only understands L2… Read More »
Private VLANs are basically VLANs within a VLAN, they partition a regular VLAN domain into sub-domains. A sub-domain is represented by a “Primary” VLAN and a “Secondary” VLAN, this is called a “VLAN pair”. You can have multiple VLAN pairs for example one VLAN pair for each sub-domain. All VLAN pairs share the same primary VLAN. The secondary VLAN… Read More »
DHCP Snooping is a layer 2 security technology built into the IOS of a switch. The switch will drop DHCP Server messages in order to prevent unauthorized/rogue DHCP servers from offering IP addresses to DHCP clients. This is a very valuable security measure that can be used to help mitigate the network from attacks. DHCP… Read More »
Cisco port security is a layer 2 traffic control feature used to protect the network from unknown devices which may be plugged into the network either via a network point in a publicly available space or by a malicious user who has physical access to a network point. Port security works by first setting a… Read More »
Checkpoint is known as being a next generation firewall vendor due to being able to support advanced features up to layer 7 of the OSI model, these include “Application Filtering”, “Deep Packet Inspection(DPI)”, “IPS”, “SSL Inspection”, “AV scanning”, “Identity Management”, “URL Filtering” and many more. Checkpoint Firewalls are not zone based Firewalls unlike your Cisco or… Read More »
IP Spoofing is a technique of generating IP packets with a source address that belongs to someone else. Spoofing creates a danger when hosts on the LAN permit access to their resources and services to trusted hosts by checking the source IP of the packets. Using spoofing, an intruder can fake the source address of… Read More »
The Cisco ASA 5505 doesn’t have a built in feature for URL filtering, nowadays most next generation firewalls will have a URL filtering option built in – which can be licensed and used without the need of a separate device. Commonly this type of deployment would act as a transparent proxy. Using regular expressions with the modular policy… Read More »
Smoothwall Express is a open source project setup in year 2000 to develop a free firewall that includes its own security-hardened GNU/Linux operating system and easy to use web interface. This product is not to be mistaken for the commercial corporate product “smoothwall” which is a a very powerful web filtering and security appliance that can be… Read More »
EAP-TLS can be deployed a number of ways in “Deploying EAP-TLS Wireless Solution in an Enterprise Environment” we demonstrated RADIUS authentication using a Microsoft Server 2012 R2 as a AAA server. In this example we will use the WLC to perform the authentication centrally instead of forwarding the requests. Although it is better and more secure to… Read More »
EAP TLS is one of the most secure methods of deploying wireless solutions in an organisation. It uses certificate based authentication both on the server side and client side to authenticate each other, the internal CA is responsible for issuing certificates to the users and computers. There are a number of ways to deploy EAP-TLS, using… Read More »
Microsoft’s Certification Authority is designed on Public Key Infrastructure, the CA is responsible for attesting to the identity of users, computers and organizations. the CA authenticates an entity and vouches for an identity by issuing a digital certificate which is signed by the CA. The CA also manages the revocation and renewal of certificates. Certificates… Read More »
In this step-by-step guide we will setup NPS as a RADIUS server to authenticate users for our Cisco 3560X switch, this process will work on most Cisco switches and routers. In this example we will be using two AD security groups to define level 15 and level 1 user access. This is a good practice, for… Read More »
NPS (Network Policy Server) is also known as RADIUS, NPS allows you to create and configure network access policies for client health, connection request authentication, and connection request authorization. NPS can also be used to set-up a RADIUS proxy, which is used to forward remote access connection requests to another RADIUS server that can authorize or… Read More »
EAP-FAST – Flexible Authentication via Secure Tunnelling is a proprietary 802.11X authentication method from Cisco. FAST does not require certificates, the protocol creates a tunnel between the user and AAA server and uses PAC – Protected Access Credentials as part of the algorithm, clients must support this in order to be compatible. Not all clients will… Read More »
In this Step-by-Step guide we will set-up central authentication on the vWLC using PEAP – Protected Extensible Authentication Protocol, this type of authentication uses a certificate on the server side, which we validate – this must be from a valid CA on our PKI, however in this example we will use a self signed certificate… Read More »
EAP is the Extensible Authentication Protocol which can be setup on the Cisco WLC for authenticating users centrally. in 802.1x when a user connects to an AP, the AP doesnt move any data traffic for the user until it can prove who the user is, the user normally supplies a set of credentials to validate… Read More »
FlexConnect also known previously as H-REAP – “Hybrid Remote Edge Access Point” is usually set-up for branch sites which are connected via a WAN link, FlexConnect access points have the ability to perform local switching and authentication, which means they can make layer 2 forwarding decisions without having to send them up to the WLC… Read More »
In this step by step guide I will show you how to deploy a Virtual Wireless LAN Controller and complete the initial setup process. Deploy the Cisco vWLC OVF Template 1. Download the vWLC OVF template from the Cisco website and save it in a suitable place, you can download a trial version valid for up… Read More »
If you have installed a Checkpoint management server on a Windows platform, you may notice that after adding the relevant gateways and creating access rules you are not seeing any logs from any of the gateways in Smartview Tracker. Only the management server traffic is visible. I came across this issue in a lab environment… Read More »
Cisco Configuration Professional is a Windows GUI application that network security administrators can use to deploy and manage multiple routers in a single environment. It can be used to configure and monitor Cisco routers without using the Cisco IOS Command Line Interface. There are two versions currently available on the market – Cisco Configuration Professional is… Read More »