Network Security Notes::About Network Security, Network Labs, Cisco, Microsoft...: 2011

Sunday 30 October 2011

Network Security Notes: Attackers trick Facebook users into exposing secret security codes

This blog is created for network security review, study and understanding about network related issues only! The blog is mainly focus on Network Security Notes about Network, Network Security, Network Technology, Network Labs review related Cisco and Microsoft technology ,Network Threats, Types of Network Threats, Network Alerts, Enterprise Security Policy and Audits, Security Policy and Audits,Logical Security, Physical and Logical Security, Physical Security,Cisco Products Review, Microsoft Products review, Cisco Routers, Routers Security, Console Access, Telnet Access, Network Attack, Network Attack report, Network management, Anti-virus, Network Security with Anti-virus, and All About Network Security... Thanks for your visit!

Network Security Notes: Attackers trick Facebook users into exposing secret security codes

This post regarding network security, the Internet network security relevant to Facebook users, we should be aware of this problem...

Facebook

Attackers trick Facebook users into exposing secret security codes

New social engineering attacks are tricking Facebook users into exposing anti-CSRF tokens associated with their sessions. These security codes allow attackers to make unauthorized requests through the victim's browser.

Cross-site request forgery (CSRF) is an attack technique that abuses the trust relationship between websites and authenticated users. Because of the way the Web works, a page can theoretically force a visitor's browser to issue a request to a third-party site where the user is authenticated, thus piggybacking on their active session.

In order to prevent this from happening, websites embed unique authorization codes known as anti-CSRF tokens into forms. Since these are not available to attackers, rogue requests can no longer be triggered successfully.

However, security researchers from Symantec have detected a new type of Facebook attack in which victims are tricked into handing over such tokens manually by going through a fake verification process....

Read more at...Attackers trick Facebook users into exposing secret security codes

Other sites you may want to see:

WWE: http://visa-wwe.blogspot.com/
The Kingdom of Wonder: http://welcome2cambodia.blogspot.com/
Daily Blogging: http://visablogging.blogspot.com/
Love Sharing: http://visa-love.blogspot.com/
NetworkSecurity: http://networksecuritynotes.blogspot.com/
About Insurance:http://visa-insurance.blogspot.com
All about Love: http://visa-love.blogspot.com/
Learning English Online: http://visa-elb.blogspot.com/
Discovery Internet: http://visa-isp.blogspot.com/

If you like this post, please subscribe below,thanks!

Thursday 8 September 2011

Network Security Notes: Configuring Route Filtering

As my previous post about Understanding Route Filtering, this post I would like to introduce for more details about the Route Filtering, but with the Route Filtering configuration.

Network Security Notes: Route Filtering

Route filters work by regulating what networks a router will advertise out of an interface to another router or what networks a router will accept on an interface from another router. Route filtering can be used by administrators to manually assure that only certain routes are announced from a specific routing process or interface. This feature allows administrators to configure their routers to prevent
malicious routing attempts by intruders.

You can configure route filtering in one of two ways:

* Inbound route filtering: The router can be configured to permit or deny routes advertised by a neighbor from being installed to the routing process.

* Outbound route filtering: The route filter can be configure to permit or deny routes from being advertised from the local routing process, preventing neighboring routers from learning the routes.

I. Configuring Inbound Route Filters:

The steps for configuring inbound route filters are as follows:

1. Use the access list global configuration command to configure an access−list that permits or denies the specific routes that are being filtered.

2. Under the routing protocol process, use the following command:

distribute−list in [interface−name]

For Example: I want to configure inbound route filter on Router-B (Router-B is a name of my router). The following steps should be configured:

1. Create an access-list: Configure access-list by access-list command:

Router-B#config t
.......
Router-B(config)#access-list 120 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255

For this command of access-list:
- Access-list number is 120
- Permission: permit
- Source Network: 192.168.1.0/24
- Destination Network: 172.16.1.0/24

2. Configure command inbound route filter under a routing protocol:

Router-B(config)#router rip
Router-B(config-router)#network 192.168.1.0
Router-B(config-router)#network 172.16.1.0
Router-B(config-router)#distribute−list 120 in Serial 0/0

For the above command, I configure inbound route filter on Router-B:
- Protocol: RIP version 1
- Network: 192.168.1.0 and 172.16.1.0
- Access-list: applied access-list 120 as already configured on step 1
- Interface: Serial 0/0

After configure the two steps above, Router will allow/permit only inbound traffic from network 192.168.1.0/24 to destination network 172.16.1.0/24 via Interface Serial 0/0 of Router-B.

II. Configuring Outbound Route Filters:

The steps to configure outbound route filters are described here:

1. Use the access−list global configuration command to configure an access list that permits or denies the specific routes that are being filtered.

2. Under the routing protocol process, use the following command:

distribute−list out [interface−name| −
routing − process|autonomous−system−number]

For Example: I want to configure outbound route filter on Router-B (Router-B is a name of my router). The following steps should be configured:

1. Create an access-list: Configure access-list by access-list command:

Router-B#config t
.......
Router-B(config)#access-list 110 deny ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255

For this command of access-list:
- Access-list number is 110
- Permission: deny
- Source Network: 192.168.10.0/24
- Destination Network: 172.16.10.0/24

2. Configure command Outbound route filter under a routing protocol:

Router-B(config)#router rip
Router-B(config-router)#network 192.168.10.0
Router-B(config-router)#network 172.16.10.0
Router-B(config-router)#distribute−list 120 out Serial 0/0

For the above command, I configure inbound route filter on Router-B:
- Protocol: RIP version 1
- Network: 192.168.10.0 and 172.16.10.0
- Access-list: applied access-list 110 as already configured on step 1
- Interface: Serial 0/0

After configure the two steps above, Router will deny only outbound traffic from network 192.168.10.0/24 to destination network 172.16.10.0/24 via Interface Serial 0/0 of Router-B.

Any questions or comments, please leave below...Thanks!

Other sites you may want to see:

WWE: http://visa-wwe.blogspot.com/
The Kingdom of Wonder: http://welcome2cambodia.blogspot.com/
Daily Blogging: http://visablogging.blogspot.com/
Love Sharing: http://visa-love.blogspot.com/
Network Security: http://networksecuritynotes.blogspot.com/
About Insurance:http://visa-insurance.blogspot.com
All about Love: http://visa-love.blogspot.com/
Learning English Online: http://visa-elb.blogspot.com/
Discovery Internet: http://visa-isp.blogspot.com/

If you like this post, please subscribe below,thanks!

Monday 18 July 2011

Network Security Notes: Network Security News: Be Aware of Dangerous vulnerability in Skype

Skype is a software application that allows users to make voice and video calls and chats over the Internet. Calls to other users within the Skype service are free, while calls to both traditional landline telephones and mobile phones can be made for a fee using a debit-based user account system. Skype has also become popular for its additional features which include instant messaging, file transfer, and video conferencing. Skype has 663 million registered users as of 2010. The network is operated by Skype Limited, which has its headquarters in Luxembourg. Most of the development team and 44% of the overall employees of Skype are situated in the offices of Tallinn and Tartu, Estonia.

Skype

Unlike other VoIP services, Skype is a peer-to-peer system rather than a client–server system, and makes use of background processing on computers running Skype software; the original name proposed – Sky peer-to-peer – reflects this.

Some network administrators have banned Skype on corporate, government, home, and education networks, citing reasons such as inappropriate usage of resources, excessive bandwidth usage, and security concerns.

On 10 May 2011, Microsoft Corporation agreed to acquire Skype Communications, S.à r.l for US$8.5 billion. The company is to be incorporated as a division of Microsoft, and Microsoft will acquire all of the company's technologies, including Skype, with the purchase.

Registered users of Skype are identified by a unique Skype Name, and may be listed in the Skype directory. Skype allows these registered users to communicate through both instant messaging and voice chat. Voice chat allows telephone calls between pairs of users and conference calling, and uses a proprietary audio codec. Skype's text chat client allows group chats, emoticons, storing chat history, offline messaging (since version 5) and editing of previous messages. The usual features familiar to instant messaging users — user profiles, online status indicators, and so on — are also included.

The Online Number, a.k.a. SkypeIn, service allows Skype users to receive calls on their computers dialled by conventional phone subscribers to a local Skype phone number; local numbers are available for Australia, Belgium, Brazil, Chile, Colombia, Denmark, the Dominican Republic, Estonia, Finland, France, Germany, Hong Kong, Hungary, Ireland, Italy, Japan, Mexico, New Zealand, Poland, Romania, South Africa, South Korea, Sweden, Switzerland, the Netherlands, the United Kingdom, and the United States. A Skype user can have local numbers in any of these countries, with calls to the number charged at the same rate as calls to fixed lines in the country.

Video conferencing between two users was introduced in January 2006 for the Windows and Mac OS X platform clients. Skype 2.0 for Linux, released on 13 March 2008, also features support for video conferencing. Version 5 beta 1 for Windows, released 13 May 2010, offers free video conferencing with up to five people.

Skype for Windows, starting with version 3.6.0.216, supports "High Quality Video" with quality and features, e.g., full-screen and screen-in-screen modes, similar to those of mid-range videoconferencing systems.[14] Skype audio conferences currently support up to 25 people at a time, including the host.

Skype does not provide the ability to call emergency numbers such as 911 in the United States and Canada, 999 in the United Kingdom and many other countries, 111 in New Zealand, 000 in Australia, or 112 in Europe. The U.S. Federal Communications Commission (FCC) has ruled that, for the purposes of section 255 of the Telecommunications Act, Skype is not an "interconnected VoIP provider". As a result, the U.S. National Emergency Number Association recommends that all VoIP users have an analog line available as a backup.

In 2011, Skype partnered with Comcast to bring its video chat service to Comcast subscribers via their HDTV sets.

Be Aware of Dangerous vulnerability in Skype

According to NetworkWorld posted on 15 July 2o11, Researcher found dangerous vulnerability in Skype. A security consultant has notified Skype of a cross-site scripting flaw that could be used to change the password on someone's account, according to details posted online.

The consultant, Levent Kayan, based in Berlin, posted details of the flaw on his blog on Wednesday and notified Skype a day later. He said on Friday he hasn't heard a response yet.

The problem lies in a field where a person can input their mobile phone number. Kayan wrote that a malicious user can insert JavaScript into the mobile phone field of their profile.

When one of their contacts comes online, the malicious user's profile will be updated, and the JavaScript will be executed when the other contact logs in. Kayan wrote that the other person's session could be hijacked, and it may be possible to gain control of that person's computer. An attacker could also change the password on someone's account.

There are some mitigating factors, such as that the attacker and victim must be friends on Skype. Also, the attack may not immediately execute when the victim logs in. Kayan said he noticed the behavior happened only after the victim logged in several times. But he said in an e-mail that once it happens the first time, "it happens with each re-login."

Skype should be checking the input into the mobile phone field and validating that it is indeed a phone number and not executable code. The problem affects the latest version of Skype, 5.3.0.120, on Windows XP, Vista and 7 as well as Mac OS X operating system.

Source credited to NetworkWorld.com

Other sites you may want to see:

Entertainment on Flixya: http://visalittleboy.flixya.com/
WWE: http://visa-wwe.blogspot.com/
The Kingdom of Wonder: http://welcome2cambodia.blogspot.com/
Daily Blogging: http://visablogging.blogspot.com/
Love Sharing: http://visa-love.blogspot.com/
NetworkSecurity: http://networksecuritynotes.blogspot.com/
About Insurance:http://visa-insurance.blogspot.com
All about Love: http://visa-love.blogspot.com/
Learning English Online: http://visa-elb.blogspot.com/
Discovery Internet: http://visa-isp.blogspot.com/

If you like this post, please subscribe below,thanks!

Network Security Notes: Understanding Route Filtering

Network Security Notes: Understanding Route Filtering

What is Routing?

Routing or routering is the process of selecting paths in a network along which to send network traffic. Routing is performed for many kinds of networks, including the telephone network (Circuit switching) , electronic data networks (such as the Internet), and transportation networks. This article is concerned primarily with routing in electronic data networks using packet switching technology.

Network Security Notes: Route Filtering

In packet switching networks, routing directs packet forwarding, the transit of logically addressed packets from their source toward their ultimate destination through intermediate nodes, typically hardware devices called routers, bridges, gateways, firewalls, or switches. General-purpose computers can also forward packets and perform routing, though they are not specialized hardware and may suffer from limited performance. The routing process usually directs forwarding on the basis of routing tables which maintain a record of the routes to various network destinations. Thus, constructing routing tables, which are held in the router's memory, is very important for efficient routing. Most routing algorithms use only one network path at a time, but multipath routing techniques enable the use of multiple alternative paths.

Routing, in a more narrow sense of the term, is often contrasted with bridging in its assumption that network addresses are structured and that similar addresses imply proximity within the network. Because structured addresses allow a single routing table entry to represent the route to a group of devices, structured addressing (routing, in the narrow sense) outperforms unstructured addressing (bridging) in large networks, and has become the dominant form of addressing on the Internet, though bridging is still widely used within localized environments.

What is Route filtering?

In the context of network routing, route filtering is the process by which certain routes are not considered for inclusion in the local route database, or not advertised to one's neighbours. Route filtering is particularly important for BGP on the global Internet, where it is used for a variety of reasons.

What is BGP?

The Border Gateway Protocol (BGP) is the protocol backing the core routing decisions on the Internet. It maintains a table of IP networks or 'prefixes' which designate network reachability among autonomous systems (AS). It is described as a path vector protocol. BGP does not use traditional Interior Gateway Protocol (IGP) metrics, but makes routing decisions based on path, network policies and/or rulesets. For this reason, it is more appropriately termed a reachability protocol rather than routing protocol.

BGP was created to replace the Exterior Gateway Protocol (EGP) protocol to allow fully decentralized routing in order to transition from the core ARPAnet model to a decentralized system that included the NSFNET backbone and its associated regional networks. This allowed the Internet to become a truly decentralized system. Since 1994, version four of the BGP has been in use on the Internet. All previous versions are now obsolete. The major enhancement in version 4 was support of Classless Inter-Domain Routing and use of route aggregation to decrease the size of routing tables. Since January 2006, version 4 is codified in RFC 4271, which went through more than 20 drafts based on the earlier RFC 1771 version 4. RFC 4271 version corrected a number of errors, clarified ambiguities and brought the RFC much closer to industry practices.

Most Internet service providers must use BGP to establish routing between one another (especially if they are multihomed). Therefore, even though most Internet users do not use it directly, BGP is one of the most important protocols of the Internet. Compare this with Signaling System 7 (SS7), which is the inter-provider core call setup protocol on the PSTN. Very large private IP networks use BGP internally. An example would be the joining of a number of large OSPF (Open Shortest Path First) networks where OSPF by itself would not scale to size. Another reason to use BGP is multihoming a network for better redundancy either to multiple access points of a single ISP (RFC 1998) or to multiple ISPs.

What is Internet?

The Internet is a global system of interconnected computer networks that use the standard Internet Protocol Suite (TCP/IP) to serve billions of users worldwide. It is a network of networks that consists of millions of private, public, academic, business, and government networks, of local to global scope, that are linked by a broad array of electronic, wireless and optical networking technologies. The Internet can also be defined as a worldwide interconnection of computers and computer networks that facilitate the sharing or exchange of information among users. The Internet carries a vast range of information resources and services, such as the inter-linked hypertext documents of the World Wide Web (WWW) and the infrastructure to support electronic mail.

Most traditional communications media including telephone, music, film, and television are reshaped or redefined by the Internet, giving birth to new services such as Voice over Internet Protocol (VoIP) and IPTV. Newspaper, book and other print publishing are adapting to Web site technology, or are reshaped into blogging and web feeds. The Internet has enabled or accelerated new forms of human interactions through instant messaging, Internet forums, and social networking. Online shopping has boomed both for major retail outlets and small artisans and traders. Business-to-business and financial services on the Internet affect supply chains across entire industries.

The origins of the Internet reach back to research of the 1960s, commissioned by the United States government in collaboration with private commercial interests to build robust, fault-tolerant, and distributed computer networks. The funding of a new U.S. backbone by the National Science Foundation in the 1980s, as well as private funding for other commercial backbones, led to worldwide participation in the development of new networking technologies, and the merger of many networks. The commercialization of what was by the 1990s an international network resulted in its popularization and incorporation into virtually every aspect of modern human life. As of 2009, an estimated quarter of Earth's population used the services of the Internet.

The Internet has no centralized governance in either technological implementation or policies for access and usage; each constituent network sets its own standards. Only the overreaching definitions of the two principal name spaces in the Internet, the Internet Protocol address space and the Domain Name System, are directed by a maintainer organization, the Internet Corporation for Assigned Names and Numbers (ICANN). The technical underpinning and standardization of the core protocols (IPv4 and IPv6) is an activity of the Internet Engineering Task Force (IETF), a non-profit organization of loosely affiliated international participants that anyone may associate with by contributing technical expertise.

How many Types of filtering?

There are two times when a filter can be naturally applied: when learning routes from a neighbour, and when announcing routes to a neighbour.

Input filtering

In input filtering, a filter is applied to routes as they are learned from a neighbour. A route that has been filtered out is discarded straight away, and hence not considered for inclusion into the local routing database.

Output filtering

In output filtering, a filter is applied to routes before they are announced to a neighbour. A route that has been filtered out is never learned by a neighbour, and hence not considered for inclusion in the remote route database.

Why Need Filtering?

Reasons to filter

Economic reasons

When a site is multihomed, announcing non-local routes to a neighbour different from the one it was learned from amounts to advertising the willingness to serve for transit, which is undesirable unless suitable agreements are in place. Applying output filtering on these routes avoids this issue.

Security reasons

An ISP will typically perform input filtering on routes learned from a customer to restrict them to the addresses actually assigned to that customer. Doing so makes address hijacking more difficult.

Similarly, an ISP will perform input filtering on routes learned from other ISPs to protect its customers from address hijacking.

Technical reasons

In some cases, routers have insufficient amounts of main memory to hold the full global BGP table. A simple work-around is to perform input filtering, thus limiting the local route database to a subset of the global table. This can be done by filtering on prefix length (eliminating all routes for prefixes longer than a given value), on AS count, or on some combination of the two.

This practice is not recommended, as it can cause suboptimal routing or even communication failures with small networks, and frustrate the traffic-engineering efforts of one's peers.

Other sites you may want to see:

Entertainment on Flixya: http://visalittleboy.flixya.com/
WWE: http://visa-wwe.blogspot.com/
The Kingdom of Wonder: http://welcome2cambodia.blogspot.com/
Daily Blogging: http://visablogging.blogspot.com/
Love Sharing: http://visa-love.blogspot.com/
Network Security: http://networksecuritynotes.blogspot.com/
About Insurance:http://visa-insurance.blogspot.com
All about Love: http://visa-love.blogspot.com/
Learning English Online: http://visa-elb.blogspot.com/
Discovery Internet: http://visa-isp.blogspot.com/

If you like this post, please subscribe below,thanks!

Network Security Notes: Network Protocols: Configuring OSPF Authentication Protocol

As my previous post about the Understanding OSPF Protocol and the OSPF Protocol on CISCO Routing Protocol and Concepts, you may already know much details about the OSPF Protocol. And here this post I would like to introduce you about Configuring OSPF Authentication Protocol...

Open Shortest Path First (OSPF) supports two forms of authentication: plain text and MD5. Plain text authentication should be used only when neighboring devices do not support the more secure MD5 authentication. To configure plain text authentication of OSPF packets, follow these steps:

In interface configuration mode, use the ip ospf authentication−key [key] command. The key that is specified is the plain text password that will be used for authentication.

1. Enter OSPF configuration mode using the router ospf [process id] command. Then use the area [area−id] authentication command to configure plain text authentication of OSPF packets for an area.

Referring to Figure Image below, we will configure Router A and Router B for plain text authentication of OSPF packets. Listing A and Listing B below display each router's configuration.

Figure Image:

Figure: Router A and Router B Configured for OSPF Authentication

Listing A: Router A configured to authenticate OSPF packets using plain text authentication

interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip ospf authentication−key visaadmin
clockrate 64000
router ospf 60
area 0 authentication
network 10.10.10.0 0.0.0.255 area 10
network 10.10.11.0 0.0.0.255 area 11
network 192.168.10.0 0.0.0.255 area 0

Listing B: Router B configured to authenticate OSPF packets using plain text authentication

interface Loopback0
ip address 10.10.12.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.2 255.255.255.252
ip ospf authentication−key visaadmin
router ospf 50
area 0 authentication
network 10.10.12.0 0.0.0.255 area 12
network 10.10.13.0 0.0.0.255 area 13
network 192.168.10.0 0.0.0.255 area 0

In Listing A and Listing B, plain text authentication is configured to authenticate updates across area 0. By issuing the show ip ospf command, you can determine if plain text authentication is properly configured for each area. Here is an example of the output for the show ip ospf command:

Router−B#show ip ospf 50
Routing Process "ospf 50" with ID 10.10.13.1
......
Area BACKBONE(0)
Number of interfaces in this area is 1
Area has simple password authentication
SPF algorithm executed 7 times

Configure MD5 authentication of OSPF packets

To configure MD5 authentication of OSPF packets, follow the steps outlined here:

1. From interface configuration mode, enable the authentication of OSPF packets using MD5 with the following command:

ip ospf message−digest−key [key−id] md5 [key]

The value of the key−id allows passwords to be changed without having to disable authentication.

2. Enter OSPF configuration mode using the router ospf [process id] command. Then
configure MD5 authentication of OSPF packets for an area using this command:

area [area−id] authentication message−digest

This time, Routers A and B will be configured to authenticate packets across the backbone using the MD5 version of authentication. Listing C shows the configuration for Router A, and Listing D shows Router B's configuration.

Listing C: Router A configured for MD5 authentication

interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip ospf message−digest−key 15 md5 visa
clockrate 64000
router ospf 60
area 0 authentication message−digest
network 10.10.10.0 0.0.0.255 area 10
network 10.10.11.0 0.0.0.255 area 11
network 192.168.10.0 0.0.0.255 area 0

Listing D: Router B configured for MD5 authentication

interface Loopback0
ip address 10.10.12.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.2 255.255.255.252
ip ospf message−digest−key 15 md5 visa
router ospf 50
area 0 authentication message−digest
network 10.10.12.0 0.0.0.255 area 12
network 10.10.13.0 0.0.0.255 area 13
network 192.168.10.0 0.0.0.255 area 0

When you use the ip ospf message−digest−key command, the key value allows the password to be changed without having to disable authentication.

Note For OSPF, authentication passwords do not have to be the same throughout the area, but the key id value and the password must be the same between neighbors.

Using the show ip ospf [process−id] command again, you can see that it now states that MD5 authentication is being used across area 0:

Router−A#sh ip ospf 60
Routing Process "ospf 60" with ID 10.10.11.1
......
Area BACKBONE(0)
Number of interfaces in this area is 1
Area has message digest authentication
SPF algorithm executed 4 times

As noted earlier, the key id value and the passwords must be the same between neighbors. If you change the key id value to a number other than 15 on Router A, authentication should not take place and OSPF should get mad. Here is the changed configuration:

interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip ospf message−digest−key 30 md5 visa
clockrate 64000
router ospf 60
area 0 authentication message−digest
network 10.10.10.0 0.0.0.255 area 10
network 10.10.11.0 0.0.0.255 area 11
network 192.168.10.0 0.0.0.255 area 0

Notice that it has been changed to a value of 30. The following lines show what OSPF has to say
about this:

Router−A#debug ip ospf events
OSPF events debugging is on
Router−A#
00:03:58: OSPF: Send with youngest Key 30
00:04:04: OSPF: Rcv pkt from 192.168.10.2, Ethernet0/0 :
Mismatch Authentication Key − No message digest key 15 on Interface

OSPF is obviously not happy. If you change the key value back, everything should again be all right.

As mentioned earlier, the key id value allows passwords to be changed without having to disable authentication. Listing E and Listing F display the configuration of Router A and Router B with multiple keys and passwords configured.

Listing E: Router A configured with multiple keys and passwords

interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip ospf message−digest−key 15 md5 visa
ip ospf message−digest−key 20 md5 littleboy
clockrate 64000
router ospf 60
area 0 authentication message−digest
network 10.10.10.0 0.0.0.255 area 10
network 10.10.11.0 0.0.0.255 area 11
network 192.168.10.0 0.0.0.255 area 0

Listing F: Router B configured with multiple keys and passwords

interface Loopback0
ip address 10.10.12.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.2 255.255.255.252
ip ospf message−digest−key 15 md5 visa
ip ospf message−digest−key 20 md5 littleboy
router ospf 50
area 0 authentication message−digest
network 10.10.12.0 0.0.0.255 area 12
network 10.10.13.0 0.0.0.255 area 13
network 192.168.10.0 0.0.0.255 area 0

As a result of this configuration, Routers A and B will send duplicate copies of each OSPF packet out of their serial interfaces; one will be authenticated using key number 15, and the other will be authenticated using key number 20. After the routers each receive from each other OSPF packets authenticated with key 20, they will stop sending packets with the key number 15 and use only key number 20. At this point, you can delete key number 15, thus allowing you to change passwords without disabling authentication.

Other sites you may want to see:

Entertainment on Flixya: http://visalittleboy.flixya.com/
WWE: http://visa-wwe.blogspot.com/
The Kingdom of Wonder: http://welcome2cambodia.blogspot.com/
Daily Blogging: http://visablogging.blogspot.com/
Love Sharing: http://visa-love.blogspot.com/
NetworkSecurity: http://networksecuritynotes.blogspot.com/
About Insurance:http://visa-insurance.blogspot.com
All about Love: http://visa-love.blogspot.com/
Learning English Online: http://visa-elb.blogspot.com/
Discovery Internet: http://visa-isp.blogspot.com/

If you like this post, please subscribe below,thanks!

Tuesday 12 July 2011

Network Security Notes: Cisco Intrusion Prevention System-Cisco IPS

Network Security Notes: Cisco Intrusion Prevention System (Cisco IPS)

In this post, I would like to share with you a very great important video regarding network security in the Cisco IPS.

Cisco Intrusion Prevention System-Cisco IPS

Before you learn the video about the Cisco IPS, you should know what IPS is...

What is Intrusion Prevention System-IPS?

Intrusion Prevention Systems (IPS), also known as Intrusion Detection and Prevention Systems (IDPS), are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about said activity, attempt to block/stop activity, and report activity.

Intrusion prevention systems are considered extensions of intrusion detection systems because they both monitor network traffic and/or system activities for malicious activity. The main differences are, unlike intrusion detection systems, intrusion prevention systems are placed in-line and are able to actively prevent/block intrusions that are detected. More specifically, IPS can take such actions as sending an alarm, dropping the malicious packets, resetting the connection and/or blocking the traffic from the offending IP address. An IPS can also correct Cyclic Redundancy Check (CRC) errors, unfragment packet streams, prevent TCP sequencing issues, and clean up unwanted transport and network layer options.

IPS Classifications:

Intrusion prevention systems can be classified into four different types:

Network-based Intrusion Prevention (NIPS): monitors the entire network for suspicious traffic by analyzing protocol activity.

Wireless Intrusion Prevention Systems (WIPS): monitors a wireless network for suspicious traffic by analyzing wireless networking protocols.

Network Behavior Analysis (NBA): examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware, and policy violations.

Host-based Intrusion Prevention (HIPS): an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host.

How the IPS Detection methods work?

The majority of intrusion prevention systems utilize one of three detection methods: signature-based, statistical anomaly-based, and stateful protocol analysis.

Signature-based Detection: This method of detection utilizes signatures, which are attack patterns that are preconfigured and predetermined. A signature-based intrusion prevention system monitors the network traffic for matches to these signatures. Once a match is found the intrusion prevention system takes the appropriate action. Signatures can be exploit-based or vulnerability-based. Exploit-based signatures analyze patterns appearing in exploits being protected against, while vulnerability-based signatures analyze vulnerabilities in a program, its execution, and conditions needed to exploit said vulnerability.

Statistical Anomaly-based Detection: This method of detection baselines performance of average network traffic conditions. After a baseline is created, the system intermittently samples network traffic, using statistical analysis to compare the sample to the set baseline. If the activity is outside the baseline parameters, the intrusion prevention system takes the appropriate action.

Stateful Protocol Analysis Detection: This method identifies deviations of protocol states by comparing observed events with “predetermined profiles of generally accepted definitions of benign activity.”

In the video you will learn three main points about the Cisco IPS: Threat Intelligence, Advanced Inspection Protection, Repulation Technology.

Why the IPS of Cisco?

As I think, Cisco is the king company in producing network devices products. The world's using Cisco Routers, Cisco Switch.....

As you know, new threats and vulnerabilities present challenges to network security. Cisco intrusion prevention systems use global threat intelligence to help meet these challenges. Learn more about Cisco IPS solutions...

** Cisco Intrusion Prevention System:

Security is ever changing...

New Vulnerabilities...

New Vectors...

Zero Day Threats...

How do we solve this?

...from complexity to simplicity

It's more than just strength...Speed Agility and Intelligence.

Other sites you may want to see:

Entertainment on Flixya: http://visalittleboy.flixya.com/
WWE: http://visa-wwe.blogspot.com/
The Kingdom of Wonder: http://welcome2cambodia.blogspot.com/
Daily Blogging: http://visablogging.blogspot.com/
Love Sharing: http://visa-love.blogspot.com/
NetworkSecurity: http://networksecuritynotes.blogspot.com/
About Insurance:http://visa-insurance.blogspot.com
All about Love: http://visa-love.blogspot.com/
Learning English Online: http://visa-elb.blogspot.com/
Discovery Internet: http://visa-isp.blogspot.com/

If you like this post, please subscribe below,thanks!

Thursday 23 June 2011

Network Security Notes: Network Protocols: OSPF Protocol on CISCO Routing Protocols and Concepts

I have already posted about Understanding OSPF Protocol. And here this post, you can find out more about OSPF on CISCO Routing Protocols and Concepts Chapter 13...

Let me quote some:

Exploration Routing Protocols and ConceptsChapter 11 - Presentation Transcript

1. OSPF Routing Protocols and Concepts – Chapter 11
2. Objectives
* Describe the background and basic features of OSPF.
* Identify and apply the basic OSPF configuration commands.
* Describe, modify and calculate the metric used by OSPF.
* Describe the Designated Router/Backup Designated Router (DR/BDR) election process in multiaccess networks.
* Describe the uses of additional configuration commands in OSPF.
3. Introduction
4. Introduction to OSPF
* Background of OSPF
o Began in 1987
o 1989 OSPFv1 released in RFC 1131
o This version was experimental & never deployed
o 1991 OSPFv2 released in RFC 1247
o 1998 OSPFv2 updated in RFC 2328
o 1999 OSPFv3 published in RFC 2740
5. Introduction to OSPF
* OSPF Message Encapsulation
o OSPF packet type
+ There exist 5 types
o OSPF packet header
+ Contains - Router ID and area ID and Type code for OSPF packet type
o IP packet header
+ Contains - Source IP address, Destination IP address, & Protocol field set to 89
6. Introduction to OSPF
* OSPF Message Encapsulation
o Data link frame header
o Contains - Source MAC address and Destination MAC address
7. Introduction to OSPF
* OSPF Packet Types
8. Introduction to OSPF
* Hello Protocol
* OSPF Hello Packet
o Purpose of Hello Packet
+ Discover OSPF neighbors & establish adjacencies
+ Advertise guidelines on which routers must agree to become neighbors
+ Used by multi-access networks to elect a d esignated r outer and a b ackup d esignated r outer
9. Introduction to OSPF
* Hello Packets continued
o Contents of a Hello Packet router ID of transmitting router
* OSPF Hello Intervals
o Usually multicast (224.0.0.5)
o Sent every 30 seconds for NBMA segments
* OSPF Dead Intervals
o This is the time that must transpire before the neighbor is considered down
o Default time is 4 times the hello interval
10. Introduction to OSPF
* Hello protocol packets contain information that is used in electing
o Designated Router (DR)
+ DR is responsible for updating all other OSPF routers
o Backup Designated Router (BDR)
+ This router takes over DR’s responsibilities if DR fails
11. Introduction to OSPF
* OSPF Link-state Updates
o Purpose of a Link State Update (LSU)
+ Used to deliver link state advertisements
o Purpose of a Link State Advertisement (LSA)
+ Contains information about neighbors & path costs
12. Introduction to OSPF
* OSPF Algorithm
* OSPF routers build & maintain link-state database containing LSA received from other routers
o Information found in database is utilized upon execution of Dijkstra SPF algorithm
o SPF algorithm used to create SPF tree
o SPF tree used to populate routing table
13. Introduction to OSPF
* Administrative Distance
o Default Administrative Distance for OSPF is 110
14. Introduction to OSPF
* OSPF Authentication
o Purpose is to encrypt & authenticate routing information
o This is an interface specific configuration
o Routers will only accept routing information from other routers that have been configured with the same password or authentication information
15. Basic OSPF Configuration
* Lab Topology
* Topology used for this chapter
o Discontiguous IP addressing scheme
o Since OSPF is a classless routing protocol the subnet mask is configured in
16. Basic OSPF Configuration
* The router ospf command
* To enable OSPF on a router use the following command
o R1(config)# router ospf process-id
o Process id
+ A locally significant number between 1 and 65535
+ This means it does not have to match other OSPF routers
17. Basic OSPF Configuration
* OSPF network command
o Requires entering:
+ network address
+ wildcard mask - the inverse of the subnet mask
+ area-id - area-id refers to the OSPF area – OSPF area is a group of routers that share link state information
o Example: Router(config-router)# network network-address wildcard-ask area area-id
18. Basic OSPF Configuration
* Router ID
o This is an IP address used to identify a router
o 3 criteria for deriving the router ID
+ Use IP address configured with OSPF router-id command
# Takes precedence over loopback and physical interface addresses
+ If router-id command not used then router chooses highest IP address of any loopback interfaces
+ If no loopback interfaces are configured then the highest IP address on any active interface is used
19. Basic OSPF Configuration
* OSPF Router ID
* Commands used to verify current router ID
o Show ip protocols
o Show ip ospf
o Show ip ospf interface
20. Basic OSPF Configuration
* OSPF Router ID
* Router ID & Loopback addresses
o Highest loopback address will be used as router ID if router-id command isn’t used
o Advantage of using loopback address
+ The loopback interface cannot fail  OSPF stability
* The OSPF router-id command
o Introduced in IOS 12.0
o Command syntax
+ Router(config)#router ospfprocess-id
+ Router(config-router)#router-idip-address
* Modifying the Router ID
o Use the command Router #clear ip ospf process
21. Basic OSPF Configuration
* Verifying OSPF
* Use the show ip ospf command to verify & trouble shoot OSPF networks
* Command will display the following:
o Neighbor adjacency
+ No adjacency indicated by
# Neighboring router’s Router ID is not displayed
# A state of full is not displayed
+ Consequence of no adjacency
# No link state information exchanged
# Inaccurate SPF trees & routing tables
22. Basic OSPF Configuration
* Verifying OSPF - Additional Commands
Displays hello interval and dead interval Show ip ospf interface Displays OSPF process ID, router ID , OSPF area information & the last time SPF algorithm calculated Show ip ospf Displays OSPF process ID, router ID , networks router is advertising & administrative distance Show ip protocols Description Command
23. Basic OSPF Configuration
* Examining the routing table
* Use the show ip route command to display the routing table
o An “O’ at the beginning of a route indicates that the router source is OSPF
o Note OSPF does not automatically summarize at major network boundaries
24. OSPF Metric
* OSPF uses cost as the metric for determining the best route
o The best route will have the lowest cost
o Cost is based on bandwidth of an interface
+ Cost is calculated using the formula
# 10 8 / bandwidth
o Reference bandwidth
+ Defaults to 100Mbps
+ Can be modified using
+ Auto-cost reference-bandwidth command
25. OSPF Metric
* COST of an OSPF route
o Is the accumulated value from one router to the next
26. OSPF Metric
* Usually the actual speed of a link is different than the default bandwidth
o This makes it imperative that the bandwidth value reflects link’s actual speed
+ Reason: so routing table has best path information
* The show interface command will display interface’s bandwidth
o Most serial link default to 1.544Mbps
27. Basic OSPF Configuration
* Modifying the Cost of a link
* Both sides of a serial link should be configured with the same bandwidth
o Commands used to modify bandwidth value
+ Bandwidth command
# Example: Router(config-if)# bandwidth bandwidth-kbp s
+ ip ospf cost command – allows you to directly specify interface cost
# Example: R1(config)#interface serial 0/0/0
# R1(config-if)#ip ospf cost 1562
28. Basic OSPF Configuration
* Modifying the Cost of the link
* Difference between bandwidth command & the ip ospf cost command
o Ip ospf cost command
+ Sets cost to a specific value
o Bandwidth command
+ Link cost is calculated
29. OSPF and Multiaccess Networks
* Challenges in Multiaccess Networks
* OSPF defines five network types:
o Point-to-point
o Broadcast Multiaccess
o Nonbroadcast Multiaccess (NBMA)
o Point-to-multipoint
o Virtual links
30. OSPF in Multiaccess Networks
* 2 challenges presented by multiaccess networks
o Multiple adjacencies
o Extensive LSA flooding
31. OSPF in Multiaccess Networks
* Extensive flooding of LSAs
o For every LSA sent out there must be an acknowledgement of receipt sent back to transmitting router
o Consequence: lots of bandwidth consumed and chaotic traffic
32. OSPF in Multiaccess Networks
* Solution to LSA flooding issue is the use of
o Designated router (DR)
o Backup designated router (BDR)
* DR & BDR selection
o Routers are elected to send & receive LSA
* Sending & Receiving LSA
o DR others send LSAs via multicast 224.0.0.6 to DR & BDR
o DR forward LSA via multicast address 224.0.0.5 to all other routers
33. OSPF in Multiaccess Networks
* DR/BDR Election Process
o DR/BDR elections DO NOT occur in point to point networks
34. OSPF in Multiaccess Networks
* DR/BDR elections will take place on multiaccess networks as shown below
35. OSPF in Multiaccess Networks
* Criteria for getting elected DR/BDR
o DR: Router with the highest OSPF interface priority
o BDR : Router with the second highest OSPF interface priority
o If OSPF interface priorities are equal , the highest router ID is used to break the tie
36. OSPF in Multiaccess Networks
* Timing of DR/BDR Election
o Occurs as soon as 1 st router has its interface enabled on multiaccess network
+ When a DR is elected it remains as the DR until one of the following occurs
# The DR fails
# The OSPF process on the DR fails
# The multiaccess interface on the DR fails
37. OSPF in Multiaccess Networks
* Manipulating the election process
o If you want to influence the election of DR & BDR then do one of the following:
+ Boot up the DR first, followed by the BDR, and then boot all other routers
+ OR
+ Shut down the interface on all routers, followed by a no shutdown on the DR, then the BDR, and then all other routers
38. OSPF in Multiaccess Networks
* OSPF Interface Priority
* Manipulating the DR/BDR election process continued
o Use the ip ospf priority interface command.
o Example:Router(config-if)# ip ospf priority { 0 - 255 }
+ Priority number range 0 to 255
# 0 means the router cannot become the DR or BDR
# 1 is the default priority value
39. More OSPF Configuration
* Redistributing an OSPF Default Route
* Topology includes a link to ISP
o Router connected to ISP
+ Called an autonomous system border router
+ Used to propagate a default route
# Example of static default route:
# R1(config)# ip route 0.0.0.0 0.0.0.0 loopback 1
# Requires the use of the default-information originate command
# Example of default-information originate command:
# R1(config-router)# default-information originate
40. More OSPF Configuration
* Fine-Tuning OSPF
* Since link speeds are getting faster it may be necessary to change reference bandwidth values
o Do this using the auto-cost reference-bandwidth command
o Example:
+ R1(config-router)# auto-cost reference-bandwidth 10000
41. More OSPF Configuration
* Fine-Tuning OSPF
* Modifying OSPF timers
o Reason to modify timers
+ Faster detection of network failures
o Manually modifying Hello & Dead intervals
+ Router(config-if)# ip ospf hello-interval seconds
+ Router(config-if)# ip ospf dead-interval seconds
o Point to be made
+ Hello & Dead intervals must be the same between neighbors
42. Summary
* RFC 2328 describes OSPF link state concepts and operations
* OSPF Characteristics
o A commonly deployed link state routing protocol
o Employs DR s & BDR s on multi-access networks
+ DRs & BDRs are elected
+ DR & BDRs are used to transmit and receive LSAs
o Uses 5 packet types:
+ 1: HELLO
+ 2: D ATA B ASE D ESCRIPTION
+ 3: L INK S TATE R EQUEST
+ 4: L INK S TATE U PDATE
+ 5: L INK S TATE A CKNOWLEDGEMENT
43. Summary
* OSPF Characteristics
o Metric = cost
+ Lowest cost = best path
* Configuration
o Enable OSPF on a router using the following command
+ R1(config)# router ospf process-id
o Use the network command to define which interfaces will participate in a given OSPF process
+ Router(config-router)# network network-address wildcard-mask area area-id
44. Summary
* Verifying OSPF configuration
o Use the following commands:
+ show ip protocol
+ show ip route
+ show ip ospf interface
+ show ip ospf neighbor

More details about OSPF Protocol on CISCO Routing Protocols and Concepts...Please visit directly here...

Exploration Routing Protocols and ConceptsChapter 11

View more presentations from Jozef Janitor

Other sites you may want to see:

Entertainment on Flixya: http://visalittleboy.flixya.com/
WWE: http://visa-wwe.blogspot.com/
The Kingdom of Wonder: http://welcome2cambodia.blogspot.com/
Daily Blogging: http://visablogging.blogspot.com/
Love Sharing: http://visa-love.blogspot.com/
NetworkSecurity: http://networksecuritynotes.blogspot.com/
About Insurance:http://visa-insurance.blogspot.com
All about Love: http://visa-love.blogspot.com/
Learning English Online: http://visa-elb.blogspot.com/
Discovery Internet: http://visa-isp.blogspot.com/

If you like this post, please subscribe below,thanks!

Tuesday 14 June 2011

Network Security Notes: Network Protocols: Understanding OSPF Protocol

As my previous post about Understanding EIGRP and IGRP Protocols. This post I want to learn about OSPF protocol.

Open Shortest Path First (OSPF) is an adaptive routing protocol for Internet Protocol (IP) networks. It uses a link state routing algorithm and falls into the group of interior routing protocols, operating within a single autonomous system (AS). It is defined as OSPF Version 2 in RFC 2328 (1998) for IPv4. The updates for IPv6 are specified as OSPF Version 3 in RFC 5340 (2008). Research into the convergence time of OSPF can be found in Stability Issues in OSPF Routing (2001).

OSPF is perhaps the most widely-used interior gateway protocol (IGP) in large enterprise networks. IS-IS, another link-state routing protocol, is more common in large service provider networks. The most widely-used exterior gateway protocol is the Border Gateway Protocol (BGP), the principal routing protocol between autonomous systems on the Internet.

OSPF is an interior gateway protocol that routes Internet Protocol (IP) packets solely within a single routing domain (autonomous system). It gathers link state information from available routers and constructs a topology map of the network. The topology determines the routing table presented to the Internet Layer which makes routing decisions based solely on the destination IP address found in IP packets. OSPF was designed to support variable-length subnet masking (VLSM) or Classless Inter-Domain Routing (CIDR) addressing models.

OSPF detects changes in the topology, such as link failures, very quickly and converges on a new loop-free routing structure within seconds. It computes the shortest path tree for each route using a method based on Dijkstra's algorithm, a shortest path first algorithm.

The link-state information is maintained on each router as a link-state database (LSDB) which is a tree-image of the entire network topology. Identical copies of the LSDB are periodically updated through flooding on all OSPF routers.

The OSPF routing policies to construct a route table are governed by link cost factors (external metrics) associated with each routing interface. Cost factors may be the distance of a router (round-trip time), network throughput of a link, or link availability and reliability, expressed as simple unitless numbers. This provides a dynamic process of traffic load balancing between routes of equal cost.

An OSPF network may be structured, or subdivided, into routing areas to simplify administration and optimize traffic and resource utilization. Areas are identified by 32-bit numbers, expressed either simply in decimal, or often in octet-based dot-decimal notation, familiar from IPv4 address notation.

By convention, area 0 (zero) or 0.0.0.0 represents the core or backbone region of an OSPF network. The identifications of other areas may be chosen at will; often, administrators select the IP address of a main router in an area as the area's identification. Each additional area must have a direct or virtual connection to the backbone OSPF area. Such connections are maintained by an interconnecting router, known as area border router (ABR). An ABR maintains separate link state databases for each area it serves and maintains summarized routes for all areas in the network.

OSPF does not use a TCP/IP transport protocol (UDP, TCP), but is encapsulated directly in IP datagrams with protocol number 89. This is in contrast to other routing protocols, such as the Routing Information Protocol (RIP), or the Border Gateway Protocol (BGP). OSPF handles its own error detection and correction functions.

OSPF uses multicast addressing for route flooding on a broadcast network link. For non-broadcast networks special provisions for configuration facilitate neighbor discovery. OSPF multicast IP packets never traverse IP routers, they never travel more than one hop. OSPF reserves the multicast addresses 224.0.0.5 for IPv4 or FF02::5 for IPv6 (all SPF/link state routers, also known as AllSPFRouters) and 224.0.0.6 for IPv4 or FF02::6 for IPv6 (all Designated Routers, AllDRouters), as specified in RFC 2328 and RFC 5340.

For routing multicast IP traffic, OSPF supports the Multicast Open Shortest Path First protocol (MOSPF) as defined in RFC 1584. Neither Cisco nor Juniper Networks include MOSPF in their OSPF implementations. PIM (Protocol Independent Multicast) in conjunction with OSPF or other IGPs, (Interior Gateway Protocol), is widely deployed.

The OSPF protocol, when running on IPv4, can operate securely between routers, optionally using a variety of authentication methods to allow only trusted routers to participate in routing. OSPFv3, running on IPv6, no longer supports protocol-internal authentication. Instead, it relies on IPv6 protocol security (IPsec).

OSPF version 3 introduces modifications to the IPv4 implementation of the protocol. Except for virtual links, all neighbor exchanges use IPv6 link-local addressing exclusively. The IPv6 protocol runs per link, rather than based on the subnet. All IP prefix information has been removed from the link-state advertisements and from the Hello discovery packet making OSPFv3 essentially protocol-independent. Despite the expanded IP addressing to 128-bits in IPv6, area and router identifications are still based on 32-bit values.

What is Link-state routing protocol?

A link-state routing protocol is one of the two main classes of routing protocols used in packet switching networks for computer communications (the other is the distance-vector routing protocol). Examples of link-state routing protocols include OSPF and IS-IS.

The link-state protocol is performed by every switching node in the network (i.e. nodes that are prepared to forward packets; in the Internet, these are called routers). The basic concept of link-state routing is that every node constructs a map of the connectivity to the network, in the form of a graph, showing which nodes are connected to which other nodes. Each node then independently calculates the next best logical path from it to every possible destination in the network. The collection of best paths will then form the node's routing table.

This contrasts with distance-vector routing protocols, which work by having each node share its routing table with its neighbors. In a link-state protocol the only information passed between nodes is connectivity related.

Link state algorithms are sometimes characterized informally as each router 'telling the world about its neighbors'.

Learn about Shortest Path First Algorithm:

OSPF uses a shorted path first algorithm in order to build and calculate the shortest path to all known destinations.The shortest path is calculated with the use of the Dijkstra algorithm. The algorithm by itself is quite complicated. This is a very high level, simplified way of looking at the various steps of the algorithm:

1. Upon initialization or due to any change in routing information, a router generates a link-state advertisement. This advertisement represents the collection of all link-states on that router.

2. All routers exchange link-states by means of flooding. Each router that receives a link-state update should store a copy in its link-state database and then propagate the update to other routers.

3. After the database of each router is completed, the router calculates a Shortest Path Tree to all destinations. The router uses the Dijkstra algorithm in order to calculate the shortest path tree. The destinations, the associated cost and the next hop to reach those destinations form the IP routing table.

4. In case no changes in the OSPF network occur, such as cost of a link or a network being added or deleted, OSPF should be very quiet. Any changes that occur are communicated through link-state packets, and the Dijkstra algorithm is recalculated in order to find the shortest path.

The algorithm places each router at the root of a tree and calculates the shortest path to each destination based on the cumulative cost required to reach that destination. Each router will have its own view of the topology even though all the routers will build a shortest path tree using the same link-state database. The following sections indicate what is involved in building a shortest path tree.

What about OSPF Cost?

The cost (also called metric) of an interface in OSPF is an indication of the overhead required to send packets across a certain interface. The cost of an interface is inversely proportional to the bandwidth of that interface. A higher bandwidth indicates a lower cost. There is more overhead (higher cost) and time delays involved in crossing a 56k serial line than crossing a 10M ethernet line. The formula used to calculate the cost is:

*cost= 10000 0000/bandwith in bps

For example, it will cost 10 EXP8/10 EXP7 = 10 to cross a 10M Ethernet line and will cost 10 EXP8/1544000 = 64 to cross a T1 line.

By default, the cost of an interface is calculated based on the bandwidth; you can force the cost of an interface with the ip ospf cost interface subconfiguration mode command.

How about Shortest Path Tree?

Assume we have the following network diagram with the indicated interface costs. In order to build the shortest path tree for RTA, we would have to make RTA the root of the tree and calculate the smallest cost for each destination.

Now Let's Compare OSPF and RIP protocols:

The rapid growth and expansion of today's networks has pushed RIP to its limits. RIP has certain limitations that can cause problems in large networks:

* RIP has a limit of 15 hops. A RIP network that spans more than 15 hops (15 routers) is considered unreachable.

* RIP cannot handle Variable Length Subnet Masks (VLSM). Given the shortage of IP addresses and the flexibility VLSM gives in the efficient assignment of IP addresses, this is considered a major flaw.

* Periodic broadcasts of the full routing table consume a large amount of bandwidth. This is a major problem with large networks especially on slow links and WAN clouds.

* RIP converges slower than OSPF. In large networks convergence gets to be in the order of minutes. RIP routers go through a period of a hold-down and garbage collection and slowly time-out information that has not been received recently. This is inappropriate in large environments and could cause routing inconsistencies.

* RIP has no concept of network delays and link costs. Routing decisions are based on hop counts. The path with the lowest hop count to the destination is always preferred even if the longer path has a better aggregate link bandwidth and less delays.

* RIP networks are flat networks. There is no concept of areas or boundaries. With the introduction of classless routing and the intelligent use of aggregation and summarization, RIP networks seem to have fallen behind.

Some enhancements were introduced in a new version of RIP called RIP2. RIP2 addresses the issues of VLSM, authentication, and multicast routing updates. RIP2 is not a big improvement over RIP (now called RIP 1) because it still has the limitations of hop counts and slow convergence which are essential in todays large networks.

OSPF, on the other hand, addresses most of the issues previously presented:

* With OSPF, there is no limitation on the hop count.

* The intelligent use of VLSM is very useful in IP address allocation.

* OSPF uses IP multicast to send link-state updates. This ensures less processing on routers that are not listening to OSPF packets. Also, updates are only sent in case routing changes occur instead of periodically. This ensures a better use of bandwidth.

* OSPF has better convergence than RIP. This is because routing changes are propagated instantaneously and not periodically.

* OSPF allows for better load balancing.

* OSPF allows for a logical definition of networks where routers can be divided into areas. This limits the explosion of link state updates over the whole network. This also provides a mechanism for aggregating routes and cutting down on the unnecessary propagation of subnet information.

* OSPF allows for routing authentication by using different methods of password authentication.

* OSPF allows for the transfer and tagging of external routes injected into an Autonomous System. This keeps track of external routes injected by exterior protocols such as BGP.

For more other details about OSPF protocol, you can find document at IETF.Org

Other sites you may want to see:

Entertainment on Flixya: http://visalittleboy.flixya.com/
WWE: http://visa-wwe.blogspot.com/
The Kingdom of Wonder: http://welcome2cambodia.blogspot.com/
Daily Blogging: http://visablogging.blogspot.com/
Love Sharing: http://visa-love.blogspot.com/
NetworkSecurity: http://networksecuritynotes.blogspot.com/
About Insurance:http://visa-insurance.blogspot.com
All about Love: http://visa-love.blogspot.com/
Learning English Online: http://visa-elb.blogspot.com/
Discovery Internet: http://visa-isp.blogspot.com/

If you like this post, please subscribe below,thanks!

Wednesday 8 June 2011

Network Security Notes: Top 100 Network Security Tools

My previous post: Cisco Network Security Certification Training

This post, related to network security, I would like to share you a great video that shows you Top 100 Network Security Tools...Please check and learn from the video...

***Top 100 Network Security Tools:

If you like this post, please subscribe below,thanks!

Wednesday 11 May 2011

Network Security Notes: Cisco Network Security Certification Training

I have archived few certificates related to Microsoft like MCSA 2003, MCSE 2003 and Cisco like CCNA. But in my future I want to gain more certificates of CISCO related to network security like Cisco IOS Security, Adaptive Security Appliance, VPN 3000 Concentrator, Network Intrusion Detection, Host Intrusion Detection, End-to-End Security Implementation...

Cisco Certificates: CCNA, CCNP, CCIE logos

* Cisco IOS Security: Securing Networks with Cisco Routers and Switches (SNRS), Network Administration Control (NAC), Securing Cisco Routers (SECR)

* Adaptive Security Appliance: Securing Networks with PIX and ASA (SNPA)

* VPN 3000 Concentrator: Cisco Secure Virtual Networks (CSVPN)

* Network Intrusion Detehttp: Implementing Cisco Intrusion Prevention System (IPS)

* Host Intrusion Detection: Securing Hosts Using Cisco Security Agent (HIPS)

* End-to-End Security Implementation: Securing Cisco Network Devices (SND)

I am really want to gain more certificates related to CISCO Network Security! But now I need to earn more money to get training and to do examination to complete the test requirements....

For more details about the Network Security Certification Training , please visit here...

If you like this post, please subscribe below,thanks!

Network Security Notes: Network Protocols: Configuring EIGRP Authentication Protocol

As my previous post about Understanding EIGRP protocol, this post I would like to share you about configuring EIGRP Authentication....

EIGRP Authentication between Router A and Router B

EIGRP authentication of packets has been supported since IOS version 11.3. EIGRP route authentication is similar to RIP version 2, but EIGRP authentication supports only the MD5 version of packet encryption.

EIGRP's authentication support may at first seem limited, but plain text authentication should be configured only when neighboring routers do not support MD5. Because EIGRP is a proprietary routing protocol developed by Cisco, it can be spoken only between two Cisco devices, so the issue of another neighboring router not supporting the MD5 cryptographic checksum of packets should never arise.

The steps for configuring authentication of EIGRP updates are similar to the steps for configuring RIP version 2 authentication:

1. Define the key chain using the command key−chain < name> in global configuration mode. This command transfers you to the key chain configuration mode.

2. Specify the key number with the key command in key chain configuration mode. You can configure multiple keys.

3. For each key, identify the key string with the key−string command.

4. Optionally, you can configure the period for which the key can be sent and received. Use the
following commands:

accept−lifetime {infinite|end−time|duration −seconds}
send−lifetime {infinite|end−time|duration seconds}

5. Exit key chain configuration mode with the exit command.

6. Under interface configuration mode, enable the authentication of EIGRP updates with this
command:

ip authentication key−chain eigrp

7. Enable MD5 authentication of EIGRP updates using the following command:

ip authentication mode eigrp md5

With the command below shows you how Router A should be configured to authenticate updates from Router B using EIGRP MD5 authentication,

Command Listing A: Router A's configuration with MD5 authentication:

key chain router−a
key 1
key−string eigrp
!
interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip authentication mode eigrp 2 md5
ip authentication key−chain eigrp 2 router−a
clockrate 64000
!
router eigrp 2
network 10.0.0.0
network 192.168.10.0
no auto−summary
eigrp log−neighbor−changes

And the next below command here shows the configuration for Router B.

Command Listing B: Router B's configuration with MD5 authentication:

key chain router−b
key 1
key−string eigrp
!
interface Loopback0
ip address 10.10.12.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.2 255.255.255.252
ip authentication mode eigrp 2 md5
ip authentication key−chain eigrp 2 router−b
clockrate 64000
!
router eigrp 2
network 10.0.0.0
network 192.168.10.0
no auto−summary
eigrp log−neighbor−changes

The Command Listing A configures Router A with a key chain value of router−a, a key value of 1, and a key−string value of eigrp. The Command Listing B configures Router B with a key chain value of router−b, a key value of 1, and a key−string value of eigrp. Notice again that the key chain need not match between routers; however, the key number and the key string associated with the key value must match between routers configured to use that key value. Although debugging of encrypted EIGRP packets is somewhat limited, a few commands can be used to verify that packet encryption is taking place correctly. Two of those commands are debug eigrp packet and show ip route. The debug eigrp packet command informs you if the router has received a packet with the correct key value and key string. The output of issuing this command can be seen here:

Router−A#debug eigrp packet
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK)
Router−A#
EIGRP: received packet with MD5 authentication
EIGRP: received packet with MD5 authentication

Router A is receiving MD5−authenticated packets from it neighbor, Router B. However, we cannot fully determine whether or not the authentication is taking place correctly without issuing the show ip route command on Router A. This allows us to look at the route table and determine that packet authentication is taking place correctly because the routes that Router B has sent to Router A are installed into the route table. Listing 1.7 displays the output of the show ip route command.

Listing Command C: Route table of Router A with correct authentication configured:

Router−A#sh ip route
...
C 192.168.10.0/24 is directly connected, Ethernet0/0
C 10.10.10.0 is directly connected, Loopback0

C 10.10.11.0 is directly connected, Ethernet0/0
D 10.10.12.0 [90/409600] via 192.168.10.2, 00:18:36, Serial0/0
D 10.10.13.0 [90/409600] via 192.168.10.2, 00:18:36, Serial0/0
Router−A#

You can change Router A's key−string value for key 1 to see what kind of an effect this will have.
The following lines will change the key−string value for key 1 on Router A to ospf:

Router−A#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router−A(config)#key chain router−a
Router−A(config−keychain)#key 1
Router−A(config−keychain−key)#key−string ospf
Router−A(config−keychain−key)#end
Router−A#

Now that Router A has a different key string associated with key 1, you would assume that packet authentication is not taking place correctly. By issuing the debug eigrp packet command, you can see that there is indeed a problem with authentication:

Router−A#debug eigrp packet
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK)
Router−A#
EIGRP: received packet with MD5 authentication
EIGRP: ignored packet from 192.168.10.2 opcode = 5 (invalid
authentication)

Taking a quick look at the route table confirms that the authentication is incorrectly configured. Now that the key strings are different, no routes from Router B are installed into the route table of Router A. Listing Command C: displays the routing table of Router A.
Listing Command C:: Route table of Router A with incorrect authentication configured.

Router−A#sh ip route
...
C 192.168.10.0/24 is directly connected, Ethernet0/0
10.0.0.0/24 is subnetted, 2 subnets
C 10.10.10.0 is directly connected, Loopback0
C 10.10.11.0 is directly connected, Loopback1
Router−A#

NOTE: You can also issue the show ip eigrp neighbor command to determine if authentication is configured correctly. If authentication is correctly configured, the neighboring router will be displayed in the output of the command. If authentication is incorrectly configured, the neighbor will not be displayed in the output.

Other sites you may want to see:

Entertainment on Flixya: http://visalittleboy.flixya.com/
WWE: http://visa-wwe.blogspot.com/
The Kingdom of Wonder: http://welcome2cambodia.blogspot.com/
Daily Blogging: http://visablogging.blogspot.com/
Love Sharing: http://visa-love.blogspot.com/
NetworkSecurity: http://networksecuritynotes.blogspot.com/
About Insurance:http://visa-insurance.blogspot.com
All about Love: http://visa-love.blogspot.com/
Learning English Online: http://visa-elb.blogspot.com/
Discovery Internet: http://visa-isp.blogspot.com/

If you like this post, please subscribe below,thanks!

Network Security Notes::About Network Security, Network Labs, Cisco, Microsoft...

Link Promotion

Categories

My Community

Counter

Popular Posts

Sunday 30 October 2011

Network Security Notes: Attackers trick Facebook users into exposing secret security codes

Thursday 8 September 2011

Network Security Notes: Configuring Route Filtering

Monday 18 July 2011

Network Security Notes: Network Security News: Be Aware of Dangerous vulnerability in Skype

Network Security Notes: Understanding Route Filtering

Network Security Notes: Network Protocols: Configuring OSPF Authentication Protocol

Tuesday 12 July 2011

Network Security Notes: Cisco Intrusion Prevention System-Cisco IPS

Thursday 23 June 2011

Network Security Notes: Network Protocols: OSPF Protocol on CISCO Routing Protocols and Concepts

Tuesday 14 June 2011

Network Security Notes: Network Protocols: Understanding OSPF Protocol

Wednesday 8 June 2011

Network Security Notes: Top 100 Network Security Tools

Wednesday 11 May 2011

Network Security Notes: Cisco Network Security Certification Training

Network Security Notes: Network Protocols: Configuring EIGRP Authentication Protocol

Subscribe posts

Recent Posts

Site Links

Blog Archive

My Blog List

Live Traffic Feed