GNS3 with Tabbed Terminal in Mac OS X Lion

I have used GNS3 off and on for a long time. Over time, I struggled with the stability of the product. Before switching to the Mac, a fellow Ascolta instructor, Patrick Geschwindner, clued me in on something. He had experimented with many IOS images and found some to be more stable than others in GNS3. One that worked particularly well for him was Advanced IP Services 12.4 for the 2691. I unpacked a 12.4-25d Advanced IP Services image and was very pleased: I could run many routers for long periods of time with no issues. This was on Windows 7. However, one frustration that continued was the difficulty of managing multiple PuTTY windows.

Continue reading

Posted in Uncategorized | 4 Comments

Multiple Protocols over IPSec

Last week we examined a Cisco VPN construct called SVTI. This is basically a "tunnel interface" used in conjunction with an IPsec protection profile. One of the limitations I mentioned was that, in comparison to GRE-based tunnel interfaces, a VTI does not allow the transport of multiple protocols: an IPsec tunnel interface carries a single protocol (IPv4 for "tunnel mode ipsec ipv4"), whereas GRE can encapsulate anything. This week we will expand our use of the tunnel interface and use GRE, or generic routing encapsulation.

Continue reading

Posted in Uncategorized | Leave a comment

Advantages of Using SVTI-Based VPNs

Starting in version 12.3T (which was some time ago), Cisco began offering an alternative for configuring IOS-based VPNs. This method is called SVTI, or static virtual tunnel interface. SVTI is one category of VTI and is basically a configuration alternative for LAN-to-LAN VPNs. There is also a variant called DVTI, or dynamic virtual tunnel interface, which is an alternative for remote access VPNs. From the perspective of the wire, SVTI-based VPN packets look similar to traditional crypto-map-based VPN traffic. However, the configuration is based on a virtual interface rather than on a crypto map applied to a physical interface. This virtual interface gives some distinct advantages. Additionally, this configuration changes the phase 2 SAs so that they match all traffic (the proxy identities are 0.0.0.0/0 on both sides) instead of a crypto ACL. Any traffic routed through the virtual interface is encrypted according to the IPsec profile applied to it.

Continue reading
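To make the difference between the two tunnel styles concrete, here is an added configuration example for router R1 peering with R2. It is not taken from this post or the GRE post above; it is written for this page. The endpoint addresses (198.51.100.1 and 203.0.113.2), the tunnel subnets, the IPv6 prefixes, the pre-shared key and the object names are all assumed values, and R2 would mirror the configuration with the addresses swapped. The two tunnel interfaces are shown side by side as alternatives; on a real peer pair you would normally deploy one of them.

```cisco
! IKEv1 and IPsec policy shared by both tunnel styles (assumed values).
! The sha256 options need a 15.x-era IOS; the 12.3T/12.4 vintage discussed
! above uses "hash sha" and "esp-sha-hmac" instead.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key Ex4mple-PSK address 203.0.113.2
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES
!
! Style 1: SVTI. "tunnel mode ipsec ipv4" makes Tunnel0 a pure IPsec
! interface: no GRE header, IPv4 only, and the phase 2 SA is negotiated
! with 0.0.0.0/0 <-> 0.0.0.0/0 proxy identities. Whatever is routed out
! Tunnel0 is encrypted; there is no crypto ACL to keep in sync with R2.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
!
! Style 2: GRE over IPsec. "tunnel mode gre ip" is the default; the same
! profile now protects a GRE tunnel. The phase 2 SA covers only the GRE
! packets (IP protocol 47) between the two endpoints, but because GRE
! carries any protocol, IPv6 rides the same SA as IPv4.
interface Tunnel1
 ip address 10.0.1.1 255.255.255.252
 ipv6 address 2001:db8:1::1/64
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.2
 tunnel mode gre ip
 tunnel protection ipsec profile IPSEC-PROF
!
! With either style, routing decides what gets encrypted: a route out the
! tunnel interface is the whole "interesting traffic" definition. Static
! routes are shown; a dynamic routing protocol over the tunnel works the same.
ip route 192.168.2.0 255.255.255.0 Tunnel0
ipv6 route 2001:db8:2::/64 Tunnel1
```

Note the asymmetry this creates: with the SVTI, any packet routed to Tunnel0 is protected, so a routing mistake leaks nothing but can black-hole traffic; with a crypto map, a routing change that bypasses the crypto ACL sends traffic in the clear.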

Posted in network, security | 4 Comments

Congrats to Kevin Wallace — CCIE x2

Just a few weeks ago, fellow Kentuckian Kevin Wallace passed his Voice CCIE lab. That means that our rural state now has at least two individuals who hold multiple CCIEs. The other is Scott Morris, who currently has four CCIEs. There may be others, but those are the ones I know about. In any case, I wanted to give a big "shout-out" to Kevin Wallace, CCIE #7945 (R&S, Voice). Kevin created the video below to help others with the daunting task of passing the CCIE Voice lab.

Continue reading

Posted in career | 3 Comments

Protecting Insecure Protocols

Last week I wrote an article that demonstrated the grievous security oversight in the Telnet protocol. Telnet, being a clear-text protocol, exposes the entire contents of any session, credentials included, to anyone who can gain access to the traffic. Telnet is not the only management protocol that lacks built-in encryption. Other protocols, including but not limited to SNMP (versions 1 and 2c), HTTP, syslog and FTP, have the same shortcoming. This article addresses, at a high level, some of the techniques that can be used when an insecure protocol is the only option.

Continue reading

Posted in career | Leave a comment

What’s Wrong With Telnet?

We have all heard that telnet is bad. We have heard that it is an insecure protocol that sends information in clear text. Conceptually, that sounds simple. However, let's take a look at what this really means. To demonstrate what is meant by clear text, let's telnet to a device and then look at the information passed in a packet capture.

The image below shows a telnet connection between two routers, R1 and R3, followed by entry into privileged exec mode with the "enable" command. Notice that the passwords aren't shown in the user interface. Some implementations of telnet may echo an asterisk for each character, but the characters themselves still cross the wire unencrypted.

Continue reading
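As an added example for this post and for the "Protecting Insecure Protocols" post above (it is not configuration from either article), here is one common way to address the problem on an IOS router: replace telnet with SSH on the vty lines, and where a clear-text protocol must remain, limit who can reach it and how. The management subnet 10.1.1.0/24, the syslog host, the domain name, the community string and the passwords are assumed values.

```cisco
! SSH prerequisites: a hostname and domain name, then an RSA key pair.
! Generating the key in config mode with "modulus" avoids the prompt.
hostname R1
ip domain-name lab.example.net
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Local credentials rather than a shared line password. "enable secret"
! stores a hash; "enable password" would store the value reversibly.
username admin privilege 15 secret Ex4mple-Admin-Pw
enable secret Ex4mple-Enable-Pw
!
! The only sources allowed to manage the router (assumed subnet).
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny any log
!
! vty lines: SSH only (telnet refused at the transport level), local
! login, the management ACL applied inbound, and an idle timeout.
line vty 0 4
 login local
 transport input ssh
 access-class 10 in
 exec-timeout 10 0
!
! Where a clear-text protocol cannot be retired, confine it instead.
! SNMPv1/v2c: read-only, non-default community, answers only to ACL 10.
no snmp-server community public
snmp-server community Ex4mple-R0-Comm RO 10
!
! Web management: HTTPS (reuses the RSA key pair) in place of HTTP,
! again restricted to the management subnet.
no ip http server
ip http secure-server
ip http access-class 10
!
! Syslog has no encryption at all, so keep it on the management network
! and source it from the interface that lives there.
logging host 10.1.1.50
logging source-interface Vlan10
```

The ACL and transport restrictions do not make telnet or SNMPv2c any less clear-text; they only shrink the set of hosts that can observe or speak the protocol, which is the point of the "insecure protocol is the only option" discussion.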

Posted in Uncategorized | Leave a comment

Certifications for the SMB Network Technician

Small to medium businesses (SMB) have unique challenges from the perspective of technical expertise. The challenges relate mostly to the limited number of employees who work for, or service, businesses that meet this description. I often find organizations with a hundred or more employees that have a single technical resource on staff. This person may be responsible for everything from backups and business continuity planning to firewall design and configuration.

Continue reading

Posted in career | Leave a comment

Cisco Live Attendee Expectations — FryGuy's Blog

I've had a request or two regarding what to expect at Cisco Live. If you are planning to attend Cisco Live 2012 and this is your first time at Cisco Live (formerly known as Networkers), the article linked below is for you.

Cisco Live Attendee Expectations — FryGuy's Blog

Worth noting, Cisco Live is in San Diego this year instead of Las Vegas. The weather is typically beautiful in this part of southern California. If you are attending, look me up; I'll be tweeting as @packetu. Make sure you have plenty of spare room in your luggage (there are typically a lot of freebies!).

Posted in Uncategorized | Leave a comment

Span Port on the ASA 5505

There are a few ASA features that are specific to the 5505. This small business version of the Cisco firewall works a little differently from the higher-performance models. The ASA 5505 is basically an 8-port switch with the ASA logic functioning between VLANs. As such, you can do "switch stuff" on it that you cannot do on other models. The feature we are going to talk about today is called SPAN, port monitoring, or port mirroring.

Continue reading
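The commands involved, as an added example rather than the post's own configuration: the switch ports are Ethernet0/0 through Ethernet0/7 on a 5505, and which ports are mirrored (Ethernet0/1 for an inside host and Ethernet0/0 for the outside uplink here) and which one becomes the destination are assumptions for the example.

```cisco
! ASA 5505 SPAN. Ethernet0/7 becomes the monitor (destination) port; plug
! the capture host running Wireshark into it. Each source port gets its
! own "switchport monitor" line, and the destination stops forwarding
! normal traffic once it is a monitor port.
interface Ethernet0/7
 switchport monitor Ethernet0/1
 switchport monitor Ethernet0/0
 no shutdown
```

Mirroring the outside uplink together with an inside port lets you see a flow on both sides of the firewall, which is handy for confirming NAT and inspection behaviour without a separate tap.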

Posted in security | Tagged | 1 Comment

IP Helper Address on the ASA

In a branch office environment, it is often desirable to backhaul DHCP requests to a centralized DHCP server. DHCP requests are initially sent to a broadcast address and therefore are not forwarded through a router or other layer 3 device by default. Many realize that it is possible to overcome this by configuring a helper address on a router. However, fewer realize this can be done on the ASA firewall as well.

Continue reading
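The ASA equivalent of "ip helper-address" is DHCP relay. The following is an added example, not configuration from the post, with an assumed DHCP server at 10.10.10.5 reachable through the interface named outside and clients on the interface named inside.

```cisco
! DHCP relay on the ASA. The server must be reached through a different
! interface from the one the relay listens on, and the ASA's own DHCP
! server (dhcpd) cannot be enabled on an interface that relays.
dhcprelay server 10.10.10.5 outside
dhcprelay enable inside
!
! Optional: rewrite the default gateway in the server's offer to the
! ASA's own inside address, so clients use the firewall as their gateway
! regardless of what the central server hands out.
dhcprelay setroute inside
!
! Seconds to wait for a server reply before the relayed request is dropped.
dhcprelay timeout 90
```

Because the ASA itself originates the unicast to the server, no access rule is needed on the outside interface for the returning offers; the reply is matched to the relay's own connection.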

Posted in Uncategorized | 10 Comments

IP Fragmentation and MTU

Earlier this week, someone asked me a simple question about the "Fragment Offset" field in the IP packet header. I have to admit that my understanding of this field was slightly incorrect. Before I come clean about my misinterpretation, I want to throw out a challenge. Review the image below, then answer the question that follows.

Continue reading

Posted in network | Leave a comment

Classifying IPSec Traffic for Hierarchical Priority Queuing with the ASA

This past weekend I wrote an article that demonstrated the use of hierarchical priority queuing with the ASA. The last example in that article showed that this QoS method works properly with IPsec-encapsulated traffic as well. Today's article started out as an attempt to demonstrate several different classification examples that could be used with hierarchical priority queuing. What I found was that there are more restrictions than I expected when this QoS method is used with IPsec-encapsulated traffic.

Continue reading

Posted in security | Leave a comment