Tuesday, August 27, 2013

Route Redistribution

Route redistribution is the exchange of routing information between different routing protocols or routing domains. Only routes that are present in the routing table and were learned via the specified source protocol are redistributed.

Redistribution Characteristics

RIP - Default metric is infinity. A metric must be set, except when redistributing static or connected routes, which get a metric of 1.
OSPF - Default metric is 20. The metric type can be specified; the default is E2. The subnets keyword must be used, otherwise only classful networks are redistributed.
EIGRP - Default metric is infinity. A metric must be set, except when redistributing static or connected routes, which take their metric from the interface. The metric value is given as "bandwidth, delay, reliability, load, MTU." Redistributed (external) routes have a higher administrative distance than internal ones.
Static/Connected - To include local networks that are not running the routing protocol, you must redistribute connected interfaces. You can also redistribute static routes into a dynamic protocol.
BGP - Metric (MED) is set to the IGP metric value.

Command:
Router(config-router)# redistribute {route-source} [metric metric] [route-map tag]

OSPF: Establishing Neighbors and Exchanging Routes

Step #1: Down state: OSPF process not yet started. No Hello packet sent.
Step #2: Init state: Hello packets have been sent to all OSPF interfaces.
Step #3: Two-way state: Router has received a Hello packet from another router that contains its own router ID in the neighbor list. All parameters match, so the routers can become neighbors.
Step #4: Exstart state: If the routers are to become adjacent (exchange routes), they determine which one starts the exchange process.
Step #5: Exchange state: Routers exchange DBDs listing the LSAs in their LSDB by RID and sequence number.
Step #6: Loading state: Each router compares the DBD received to the contents of its LSDB. It then sends an LSR for missing or outdated LSAs. Each router responds to its neighbor's LSR with a Link State Update. Each LSU is acknowledged.
Step #7: Full state: The LSDB has been synchronized with the adjacent neighbor.


OSPF Packets

Hello: Identifies neighbors and serves as a keepalive.
Link State Request (LSR): Request for a Link State Update (LSU). Contains the type of LSU requested and the ID of the router requesting it.
Database Description (DBD): A summary of the LSDB, including the RID and sequence number of each LSA in the LSDB.
Link State Update (LSU): Contains a full LSA entry. An LSA includes topology information; for example, the RID of this router and the RID and cost to each neighbor. One LSU can contain multiple LSAs.
Link State Acknowledgment (LSAck): Acknowledges all other OSPF packets (except Hellos).


Tuesday, August 20, 2013

CCNP ROUTE - EIGRP Characteristics

EIGRP used to be a Cisco-proprietary protocol, which meant it could only be used with Cisco routers. Cisco, however, in order to help companies operate in multi-vendor environments, opened up EIGRP as an open standard protocol. Some of its characteristics are:
1. Support for variable-length subnet masking (VLSM).
2. Fast convergence after topology changes, thanks to its backup routes.
3. It sends routing updates only when there is a change in the network topology.
4. Its updates contain only the routes that have changed, not the entire routing table.
5. Support for AppleTalk, IP, and IPX.
6. Uses packets multicast to 224.0.0.10 to discover neighbors.
7. Updates go only to the routers that actually need them.

CCNP ROUTE - Administrative Distance (AD)

In some cases, usually in WAN topologies, there is a good chance of having more than one path from a source to a destination. The router has to decide which path is best; that path is the one placed in its routing table. To make this decision a router goes through a four-step process. First, the route with the longest prefix length is preferred. Second, if the routes have the same prefix length, the route with the lowest administrative distance is used. Third, if the previous two steps tie, the route with the lowest metric becomes the best route. Fourth, if all the previous steps still tie, all of these routes are used for load balancing, according to the rules of the protocol in use.

Route source --- Administrative Distance
Directly Connected --- 0
Static Route --- 1
EIGRP Summary --- 5
Internal EIGRP --- 90
OSPF --- 110
RIP --- 120
External EIGRP --- 170
Internal BGP --- 200
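The four-step selection process and the administrative distance table above, as an added worked example that is not part of the original post. The candidate routes, next hops and metrics are constructed for the demonstration; the AD values are the Cisco defaults listed in the table.

```python
import ipaddress
from dataclasses import dataclass

# Default administrative distances, taken from the table above.
ADMIN_DISTANCE = {
    "connected": 0, "static": 1, "eigrp-summary": 5, "eigrp": 90,
    "ospf": 110, "rip": 120, "eigrp-external": 170, "ibgp": 200,
}


@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "10.1.0.0/16"
    source: str      # key into ADMIN_DISTANCE
    metric: int      # protocol metric; only meaningful within one protocol
    next_hop: str

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)

    @property
    def ad(self):
        return ADMIN_DISTANCE[self.source]


def best_routes(candidates, destination):
    """Return every route that would carry traffic to `destination`.

    Step 1: longest prefix. Step 2: lowest administrative distance.
    Step 3: lowest metric. Step 4: whatever remains is equal-cost and
    all of it is used for load sharing.
    """
    dst = ipaddress.ip_address(destination)
    matching = [r for r in candidates if dst in r.network]
    if not matching:
        return []
    longest = max(r.network.prefixlen for r in matching)
    matching = [r for r in matching if r.network.prefixlen == longest]
    lowest_ad = min(r.ad for r in matching)
    matching = [r for r in matching if r.ad == lowest_ad]
    lowest_metric = min(r.metric for r in matching)
    return [r for r in matching if r.metric == lowest_metric]


# Constructed candidate routes (next hops from the 192.0.2.0/24 documentation range).
CANDIDATES = [
    Route("10.0.0.0/8", "static", 0, "192.0.2.1"),
    Route("10.1.0.0/16", "rip", 3, "192.0.2.2"),
    Route("10.1.0.0/16", "ospf", 20, "192.0.2.3"),
    Route("10.1.2.0/24", "eigrp", 3072, "192.0.2.4"),
    Route("10.1.2.0/24", "eigrp", 3072, "192.0.2.5"),
    Route("10.1.2.0/24", "eigrp", 5120, "192.0.2.6"),
]

if __name__ == "__main__":
    for dst in ("10.1.2.7", "10.1.9.9", "10.200.0.1", "192.168.0.1"):
        chosen = best_routes(CANDIDATES, dst)
        print(dst, "->", [(r.source, r.next_hop) for r in chosen] or "no route")
```

For 10.1.2.7 the two equal-metric EIGRP /24 routes win on prefix length and are both kept; for 10.1.9.9 the /16 routes tie on prefix and OSPF (AD 110) beats RIP (AD 120) even though RIP's metric number is smaller, which is why metrics are only compared after AD.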

Monday, August 19, 2013

RIPv1&RIPv2 (Review from CCNA)

The Routing Information Protocol version 1 (RIPv1) is a distance-vector routing protocol that uses hop count as its routing metric. It broadcasts updates every 30 seconds, and each update carries the entire routing table. It does not support VLSM. It uses the Bellman-Ford algorithm, and no routing update authentication is available. The maximum hop count is 15, and each update carries at most 25 routes. Equal-cost load sharing is enabled by default.

The upgraded RIPv2 offers routing update authentication and supports VLSM. It also multicasts updates every 30 seconds to 224.0.0.9.

Cisco Pyramid


Sunday, August 18, 2013

CCNA Security - Packet filter firewall

Packet filters allow the administrator to permit or deny communication based on the following criteria:
1. the physical network interface that the packet arrives on.
2. the source IP address.
3. the destination IP address.
4. the transport layer protocol type.
5. the transport layer source port.
6. the transport layer destination port.
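A small stateless packet filter built on exactly those six criteria, as an added example that is not part of the original post. The rule set, interface names and addresses are constructed for the demonstration; evaluation is first match wins with an implicit deny at the end, which is how access lists behave.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str             # "tcp", "udp", "icmp"
    sport: Optional[int]   # None for protocols without ports
    dport: Optional[int]


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    in_iface: Optional[str] = None   # None means "any" for every field below
    src: Optional[str] = None        # CIDR
    dst: Optional[str] = None        # CIDR
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # Every specified criterion must match; unspecified ones are wildcards.
        return all((
            self.in_iface is None or self.in_iface == p.in_iface,
            self.src is None or ip_address(p.src) in ip_network(self.src),
            self.dst is None or ip_address(p.dst) in ip_network(self.dst),
            self.proto is None or self.proto == p.proto,
            self.sport is None or self.sport == p.sport,
            self.dport is None or self.dport == p.dport,
        ))


def filter_packet(rules, packet):
    """Return (action, index of the matching rule); (deny, None) if nothing matched."""
    for i, rule in enumerate(rules):
        if rule.matches(packet):
            return rule.action, i
    return "deny", None


# Constructed rule set for an "outside" interface protecting 10.0.0.0/8.
RULES = [
    # Anti-spoofing: a packet arriving from outside must not claim an inside source.
    Rule("deny", in_iface="outside", src="10.0.0.0/8"),
    # HTTPS to the web server.
    Rule("permit", in_iface="outside", dst="10.0.0.10/32", proto="tcp", dport=443),
    # DNS queries to the resolver.
    Rule("permit", in_iface="outside", dst="10.0.0.53/32", proto="udp", dport=53),
    # Implicit deny for everything else.
]

if __name__ == "__main__":
    samples = [
        Packet("outside", "203.0.113.5", "10.0.0.10", "tcp", 51000, 443),
        Packet("outside", "10.9.9.9", "10.0.0.10", "tcp", 51000, 443),
        Packet("outside", "203.0.113.5", "10.0.0.10", "tcp", 51000, 22),
    ]
    for pkt in samples:
        print(pkt.src, "->", pkt.dst, pkt.proto, pkt.dport, filter_packet(RULES, pkt))
```

Because the filter keeps no connection state, it cannot tell a legitimate reply from an unsolicited packet; return traffic needs its own rule in the other direction, which is the limitation stateful inspection was introduced to remove.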

Saturday, August 17, 2013

CCNA Security - IP Spoofing (no blind)

When we talk about communication between two devices we refer to a sender and a receiver. In TCP, the two devices perform the three-way handshake before communication is established: the sender sends a SYN packet to the receiver, the receiver sends back a SYN/ACK packet, and the sender then sends an ACK packet back to the receiver. In a (non-blind) IP spoofing attack the three-way handshake takes place between the two devices, but at the last step the attacker, who is on the same network as the sender and receiver, predicts the TCP sequence number and responds as if it were the sender. After that the receiver trusts the attacker, who has the same Layer 3 address as the real sender but a different Layer 2 address.

Thursday, August 15, 2013

CCNA Security - RADIUS and TACACS+

1. TACACS+ uses TCP and RADIUS uses UDP.
2. TACACS+ encrypts the entire body of the packet, whereas RADIUS encrypts only the password.
3. TACACS+ uses the AAA model by separating authentication, authorization and accounting; RADIUS, on the other hand, combines authentication and authorization.
4. TACACS+ supports AppleTalk, NetBIOS and IPX.
5. TACACS+ uses multiple challenge-responses for each of the AAA processes. RADIUS uses only one challenge-response.
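Point 2 above is worth seeing concretely: RADIUS does not encrypt the packet, it only hides the User-Password attribute with an MD5 keystream derived from the shared secret and the 16-byte Request Authenticator (RFC 2865 section 5.2). The following is an added example, not code from the original post, implementing that hiding and its reversal; the user name, secret, password and authenticator are constructed values.

```python
import hashlib


def radius_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to 16-byte blocks, then for each block
    b_i = MD5(secret + c_(i-1)) and c_i = p_i XOR b_i, with c_0 = Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += c
        prev = c          # the next keystream block chains on the previous ciphertext
    return bytes(out)


def radius_reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of the above, as the server does it. Trailing NUL padding is removed,
    so a password that itself ends in NUL bytes cannot be represented (protocol limitation)."""
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ b for x, b in zip(c, block))
        prev = c
    return bytes(out).rstrip(b"\x00")


def access_request_attrs(user: bytes, password: bytes, secret: bytes, request_authenticator: bytes):
    """Attribute list of an Access-Request: type 1 (User-Name) travels in the clear,
    only type 2 (User-Password) is hidden. Framing and other attributes are omitted."""
    return [
        (1, user),
        (2, radius_hide_password(password, secret, request_authenticator)),
    ]


if __name__ == "__main__":
    ra = bytes(range(16))                      # constructed; real clients use random bytes
    attrs = access_request_attrs(b"alice", b"s3cret", b"shared", ra)
    for attr_type, value in attrs:
        print(attr_type, value.hex() if attr_type == 2 else value)
```

Anyone capturing the packet reads the user name directly; recovering the password requires the shared secret, which is why the secret's strength and the choice of a random authenticator matter, and why TACACS+'s whole-body encryption is considered the stronger design.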

Wednesday, August 14, 2013

CCNA Security - Type of "Hacker"

White hat hacker - a white hat hacker has the ability to get into your network and do damage, but uses those skills to help an organization improve its network security.

Black hat hacker - a black hat hacker uses his knowledge for unethical reasons.

Gray hat hacker - a gray hat hacker is something like a white hat hacker; however, once granted permission to access a particular network, he finds an opportunity for personal gain.

Phreaker - a phreaker is a hacker who breaks into a telephone system.

Script kiddy - a script kiddy is a type of a hacker who downloads hacking software and uses it to launch attacks.

Hacktivist - a hacker who goes against a political party by attacking a particular website.

Academic hacker - an academic hacker usually comes from an institution of higher education and launches attacks from the institution's computing resources.

Friday, August 9, 2013

CCNA Security - Rules for applying Zone-based policy firewall

1. A zone must be configured before interfaces can be assigned to the zone.
2. An interface can be assigned to only one security zone.
3. All traffic to and from a given interface is implicitly blocked when the interface is assigned to a zone, except traffic to and from interfaces in the same zone, and traffic to any interface on the router.
4. Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone.
5. In order to permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.
6. The self zone is the only exception to the default deny all policy. All traffic to any router interface is allowed until traffic is explicitly denied.
7. Traffic cannot flow between a zone member interface and any interface that is not a zone member. Pass, inspect, and drop actions can only be applied between two zones.
8. Interfaces that have not been assigned to a zone function as classical router ports and might still use classical stateful inspection/CBAC configuration.
9. If it is required that an interface on the box not be part of the zoning/firewall policy, it might still be necessary to put that interface in a zone and configure a pass all policy (sort of a dummy policy) between that zone and any other zone to which traffic flow is desired.
10. From the preceding it follows that, if traffic is to flow among all the interfaces in a router, all the interfaces must be part of the zoning model (each interface must be a member of one zone or another).
11. The only exception to the preceding deny by default approach is the traffic to and from the router, which will be permitted by default. An explicit policy can be configured to restrict such traffic.


(Reference: Cisco.com)

CCNA Security - CAM table overflow attack

Switches deliver frames based on MAC addresses. The CAM table maps which MAC addresses are reachable through which ports, so the switch can send a frame only to the port of its destination MAC address. Without the CAM table the switch does not know where to forward a particular frame. The problem with the CAM table is that it has a fixed size: when the number of addresses exceeds the limit, the switch floods traffic for addresses it cannot learn out of all ports in that VLAN (in effect, the switch starts behaving like a hub). An attacker can flood the switch with frames from random MAC addresses until the CAM table limit is reached. This kind of attack is possible because the switch does not authenticate its clients. A CAM overflow attack turns a switch into a hub, which enables the attacker to eavesdrop on conversations and perform man-in-the-middle attacks.
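A model of the learning table described above, as an added example that is not part of the original post. It shows why a full table causes flooding to every port, and how a per-port limit on learned addresses (the mitigation that port security provides on switches) keeps the table from filling. The port numbers, table capacity and MAC addresses are constructed for the demonstration.

```python
from collections import OrderedDict


class CamTable:
    def __init__(self, capacity, max_macs_per_port=None):
        self.capacity = capacity
        self.max_per_port = max_macs_per_port   # None = no port-security limit
        self.entries = OrderedDict()            # mac -> port
        self.violations = []                    # (port, mac) refused by the per-port limit

    def learn(self, src_mac, port) -> bool:
        """Learn the source MAC of a frame that arrived on `port`. Returns False if not learned."""
        if src_mac in self.entries:
            self.entries[src_mac] = port
            return True
        if self.max_per_port is not None:
            on_port = sum(1 for p in self.entries.values() if p == port)
            if on_port >= self.max_per_port:
                self.violations.append((port, src_mac))   # what port security would log/act on
                return False
        if len(self.entries) >= self.capacity:
            return False                                  # table full: address cannot be learned
        self.entries[src_mac] = port
        return True

    def forward(self, dst_mac, in_port, ports):
        """Ports a frame is sent out of: one port if the destination is known,
        otherwise every port in the VLAN except the ingress port (flooding)."""
        port = self.entries.get(dst_mac)
        if port is None:
            return [p for p in ports if p != in_port]
        return [port] if port != in_port else []


def simulate(capacity=64, bogus_frames=100, max_per_port=None):
    """Host A on port 1, host B on port 2, a burst of distinct source MACs on port 3.
    Returns (was B learned, ports that carry A's frame to B, number of violations)."""
    cam = CamTable(capacity, max_per_port)
    ports = [1, 2, 3]
    mac_a, mac_b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"   # constructed (documentation range)
    cam.learn(mac_a, 1)
    for i in range(bogus_frames):
        cam.learn(f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", 3)   # constructed locally-administered MACs
    learned_b = cam.learn(mac_b, 2)
    return learned_b, cam.forward(mac_b, 1, ports), len(cam.violations)


if __name__ == "__main__":
    print("no port security :", simulate())
    print("max 2 MACs/port  :", simulate(max_per_port=2))
```

Without a limit, the burst fills the table before host B is seen, so B is never learned and A's frame to B is flooded to port 3 as well. With the per-port limit, only two addresses are accepted from port 3, the rest are recorded as violations (a real switch would shut down or restrict the port and can raise an SNMP trap), and A's frame reaches port 2 only.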

Thursday, August 8, 2013

CCNA Security - Symmetric Encryption Algorithm

It is usually called private-key (or secret-key) encryption because sender and receiver share the same secret key; in other words, the same key is used for both encryption and decryption. The longer the key, the stronger the encryption. Typical key lengths are 40 to 256 bits; key lengths of 80 bits or more can be trusted, while key lengths of less than 80 bits are considered weak regardless of the strength of the algorithm. Symmetric algorithms are usually fast and are based on simple mathematical operations. Examples of symmetric encryption algorithms are DES, 3DES, AES, IDEA, RC2/4/5/6, and Blowfish.

Data Encryption Standard (DES) - It takes as input a 64-bit key, of which only 56 bits are used. From these 56 bits, sixteen 48-bit subkeys are created. The message is divided into 64-bit blocks, and a complex series of steps enciphers each block using each subkey in turn.

Triple DES - It is very similar to DES, except that everything is done three times. Triple DES expects a 24-byte (192-bit) key, of which 168 bits are used. Each eight-byte block of the message is operated on three times (encrypt, decrypt, encrypt) before being appended to the result.

RC2 - Designed as a drop-in replacement for DES, RC2 is a variable key-sized cipher.
RC4 - Often used in file encryption products, as well as for secure communication, such as in Secure Socket Layer (SSL), RC4 is a variable key-size stream cipher.
RC5 - This fast block cipher has a variable block size and variable key length. With its 64-bit block size, it may be used as a drop-in replacement for DES.
RC6 - Based on RC5, this block cipher has as its main design goal meeting the requirement of AES.
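The "64-bit key of which 56 bits are used" and "192-bit key of which 168 bits are used" figures come from the fact that the low bit of every DES key byte is an odd-parity bit, not key material. The following is an added example, not code from the original post, that fixes parity, counts effective bits, and performs the key checks a careful implementation makes before using DES or 3DES: rejecting the four well-known DES weak keys and a 3DES key whose components repeat (which collapses encrypt-decrypt-encrypt back to single DES).

```python
# The four DES weak keys (FIPS 46-3): with these, encrypting twice returns the plaintext.
DES_WEAK_KEYS = {
    bytes.fromhex("0101010101010101"),
    bytes.fromhex("FEFEFEFEFEFEFEFE"),
    bytes.fromhex("E0E0E0E0F1F1F1F1"),
    bytes.fromhex("1F1F1F1F0E0E0E0E"),
}


def has_odd_parity(byte: int) -> bool:
    return bin(byte).count("1") % 2 == 1


def set_des_key_parity(key: bytes) -> bytes:
    """Set the parity bit (bit 0) of each byte so the byte has odd parity.
    Seven bits per byte carry key material: 8 * 7 = 56 effective bits."""
    if len(key) != 8:
        raise ValueError("a DES key is 8 bytes (64 bits)")
    out = bytearray()
    for b in key:
        material = b & 0xFE
        out.append(material | (0 if has_odd_parity(material) else 1))
    return bytes(out)


def des_effective_bits(key: bytes) -> int:
    """56 for one DES key, 168 for the three keys of 3DES."""
    return 7 * len(key)


def check_des_key(key: bytes) -> list:
    """Problems with a single DES key; an empty list means it is usable."""
    problems = []
    fixed = set_des_key_parity(key)
    if fixed != key:
        problems.append("bad parity")
    if fixed in DES_WEAK_KEYS:
        problems.append("weak key")
    return problems


def split_3des_key(key: bytes):
    """Split a 24-byte key into the parity-corrected K1, K2, K3 used for E-D-E."""
    if len(key) != 24:
        raise ValueError("a 3DES key is 24 bytes (192 bits)")
    return tuple(set_des_key_parity(key[i:i + 8]) for i in (0, 8, 16))


def check_3des_key(key: bytes) -> list:
    """Problems with a 3DES key: weak components, or equal components that
    reduce E(K3, D(K2, E(K1, x))) to a single DES operation."""
    k1, k2, k3 = split_3des_key(key)
    problems = []
    for name, k in (("K1", k1), ("K2", k2), ("K3", k3)):
        if k in DES_WEAK_KEYS:
            problems.append(f"{name} is a weak key")
    if k1 == k2 or k2 == k3:
        problems.append("degenerates to single DES")
    return problems


def key_strength(bits: int) -> str:
    """The rule of thumb stated above: 80 bits or more is trusted, less is weak."""
    return "trusted" if bits >= 80 else "weak"


if __name__ == "__main__":
    k = bytes(range(1, 25))                         # constructed 3DES key
    print([part.hex() for part in split_3des_key(k)], des_effective_bits(k), key_strength(des_effective_bits(k)))
    print(check_des_key(bytes(8)), key_strength(des_effective_bits(bytes(8))))
```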

Tuesday, August 6, 2013

CCNA Security - Cisco IOS zone-based policy firewall actions

The Cisco IOS zone-based policy firewall can take three possible actions when you configure it using Cisco SDM:
1. Inspect : This action configures Cisco IOS stateful packet inspection.
2. Drop : This action is analogous to deny in an ACL.
3. Pass : This action is analogous to permit in an ACL. The pass action does not track the state of connections or sessions within the traffic; pass allows the traffic only in one direction. A corresponding policy must be applied to allow return traffic to pass in the opposite direction.

CCNA Security - Internet Key Exchange (IKE)

IKE Phase 1: IKE phase 1's purpose is to establish a secure authenticated communication channel by using the Diffie–Hellman key exchange algorithm to generate a shared secret key to encrypt further IKE communications. This negotiation results in one single bi-directional ISAKMP Security Association (SA). The authentication can be performed using either pre-shared key (shared secret), signatures, or public key encryption. Phase 1 operates in either Main Mode or Aggressive Mode. Main Mode protects the identity of the peers; Aggressive Mode does not.

IKE Phase 2: During IKE phase 2, the IKE peers use the secure channel established in Phase 1 to negotiate Security Associations on behalf of other services like IPsec. The negotiation results in a minimum of two unidirectional security associations (one inbound and one outbound). Phase 2 operates only in Quick Mode.
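The Phase 1 key agreement described above, as an added example that is not part of the original post: both peers run Diffie-Hellman, arrive at the same g^xy, and derive the IKEv1 keying material (SKEYID, SKEYID_d, SKEYID_a, SKEYID_e per RFC 2409) from it with a pre-shared key. The Diffie-Hellman group here is a constructed toy prime, far too small for real use, where IKE negotiates MODP groups of 1024 bits and more; HMAC-SHA1 as the prf, the nonces and the cookies are likewise assumptions of the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed toy group: a Mersenne prime with generator 2. Real IKE uses standard MODP groups.
TOY_P = (1 << 127) - 1
TOY_G = 2


def valid_public_value(y: int, p: int) -> bool:
    """Reject 0, 1 and p-1: a peer sending those forces g^xy into a trivial value."""
    return 1 < y < p - 1


def dh_keypair(p: int, g: int):
    priv = secrets.randbelow(p - 2) + 1          # private exponent in [1, p-2]
    return priv, pow(g, priv, p)


def dh_shared(peer_public: int, priv: int, p: int) -> int:
    if not valid_public_value(peer_public, p):
        raise ValueError("invalid Diffie-Hellman public value from peer")
    return pow(peer_public, priv, p)


def derive_skeyid(psk: bytes, ni: bytes, nr: bytes, gxy: int, cky_i: bytes, cky_r: bytes, p: int, prf=hashlib.sha1):
    """RFC 2409 section 5.4 (pre-shared key authentication):
    SKEYID   = prf(psk, Ni | Nr)
    SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)   -> seeds Phase 2 (IPsec) keys
    SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)   -> authenticates IKE messages
    SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)   -> encrypts IKE messages"""
    def h(key, data):
        return hmac.new(key, data, prf).digest()
    gxy_b = gxy.to_bytes((p.bit_length() + 7) // 8, "big")
    skeyid = h(psk, ni + nr)
    d = h(skeyid, gxy_b + cky_i + cky_r + b"\x00")
    a = h(skeyid, d + gxy_b + cky_i + cky_r + b"\x01")
    e = h(skeyid, a + gxy_b + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": d, "SKEYID_a": a, "SKEYID_e": e}


def ike_phase1_psk(psk: bytes, p: int = TOY_P, g: int = TOY_G):
    """Run the exchange for both peers and return (initiator keys, responder keys)."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)   # ISAKMP cookies
    a, g_a = dh_keypair(p, g)                                         # initiator's x, g^x
    b, g_b = dh_keypair(p, g)                                         # responder's y, g^y
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)         # nonces exchanged in the clear
    # Each side combines the other's public value with its own private exponent.
    gxy_i = dh_shared(g_b, a, p)
    gxy_r = dh_shared(g_a, b, p)
    return (derive_skeyid(psk, ni, nr, gxy_i, cky_i, cky_r, p),
            derive_skeyid(psk, ni, nr, gxy_r, cky_i, cky_r, p))


if __name__ == "__main__":
    keys_i, keys_r = ike_phase1_psk(b"constructed-pre-shared-key")
    print("peers agree:", keys_i == keys_r)
    print("SKEYID_e:", keys_i["SKEYID_e"].hex())
```

Everything an observer sees on the wire (g^x, g^y, the nonces, the cookies) is fed into the derivation, yet SKEYID depends on the pre-shared key and SKEYID_d/a/e on g^xy, which neither the observer nor a peer with the wrong secret can compute; that is the single bidirectional ISAKMP SA the text refers to, and the Phase 2 SAs are later derived from SKEYID_d.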

CCNA Security - Fibre Channel Authentication Protocol (FCAP)

FCAP relies on an underlying public key infrastructure (PKI) to provide enterprise-class security. By using PKI, often already present in more security-conscious organizations, as a foundation element, along with a certificate-based protocol, FCAP provides numerous advantages. Central among these are strong authentication and management data integrity. For some organizations, the complexities associated with a PKI can be daunting. This is the only significant argument against FCAP.


(Reference: Cisco.com)

CCNA Security - Vishing

Voice phishing (vishing) uses telephony to steal private information, such as account numbers and social security numbers, directly from users. Because many users tend to trust the security of a telephone more than the security of the web, some users are more likely to provide confidential information over the telephone. User education is the most effective method of combating vishing attacks.