Network Security Notes::About Network Security, Network Labs, Cisco, Microsoft...

Network Security Notes: Network Security News: President Obama on Cisco Networking Academy

2012-01-25T17:41:00.000+07:00

Network Security Notes: Network Security News: President Obama on Cisco Networking Academy

Cisco is an American multinational corporation headquartered in San Jose, California, United States, that designs and sells consumer electronics, networking, voice, and communications technology and services. Cisco has more than 60,000 employees and annual revenue of US$ 40.0 billion as of 2010. The stock was added to the Dow Jones Industrial Average on June 8, 2009, and is also included in the S&P 500 Index, the Russell 1000 Index, NASDAQ 100 Index and the Russell 1000 Growth Stock Index.

On July 14th, 2009, Cisco launched a new jobs training program in Michigan that was cited by President Barack Obama. The program is designed to upgrade skills and create new job opportunities and will focus on broadband, network security and healthcare IT training. More info here: http://blogs.cisco.com/news/comments/how_can_technology_help_upgrade_skills/

Watch out video below to see the US President Obama...

Other sites you may want to see:

WWE: http://visa-wwe.blogspot.com/
The Kingdom of Wonder: http://welcome2cambodia.blogspot.com/
Daily Blogging: http://visablogging.blogspot.com/
Love Sharing: http://visa-love.blogspot.com/
NetworkSecurity: http://networksecuritynotes.blogspot.com/
About Insurance:http://visa-insurance.blogspot.com
All about Love: http://visa-love.blogspot.com/
Learning English Online: http://visa-elb.blogspot.com/
Discovery Internet: http://visa-isp.blogspot.com/

Network Security Notes: Network Security Training: Network Security Module

2012-01-24T18:04:00.001+07:00

Network Security Notes: Network Security Training: Network Security Module

This podcast will allow students to learn basic network vulnerabilities, weaknesses attacks and threats caused by malicious codes or software such as Virus, Worm, Trojans and backdoors. The modules in the podcast also explain the methods to protect the network against these types of attacks by implementing various types of security.

Other sites you may want to see:

WWE: http://visa-wwe.blogspot.com/
The Kingdom of Wonder: http://welcome2cambodia.blogspot.com/
Daily Blogging: http://visablogging.blogspot.com/
Love Sharing: http://visa-love.blogspot.com/
NetworkSecurity: http://networksecuritynotes.blogspot.com/
About Insurance:http://visa-insurance.blogspot.com
All about Love: http://visa-love.blogspot.com/
Learning English Online: http://visa-elb.blogspot.com/
Discovery Internet: http://visa-isp.blogspot.com/

Network Security Notes: OpenDNS for Network Security

2012-01-10T16:54:00.003+07:00

Network Security Notes: OpenDNS for Network Security

Well, here this post is related to network security or any security reasons...If you are using OpenDNS, this post would be very useful or important to you...

Yeah, At first you should know what is the DNS???

The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most importantly, it translates domain names meaningful to humans into the numerical identifiers associated with networking equipment for the purpose of locating and addressing these devices worldwide.

An often-used analogy to explain the Domain Name System is that it serves as the phone book for the Internet by translating human-friendly computer hostnames into IP addresses. For example, the domain name www.example.com translates to the addresses 192.0.32.10 (IPv4) and 2620:0:2d0:200::10 (IPv6).

The Domain Name System makes it possible to assign domain names to groups of Internet resources and users in a meaningful way, independent of each entity's physical location. Because of this, World Wide Web (WWW) hyperlinks and Internet contact information can remain consistent and constant even if the current Internet routing arrangements change or the participant uses a mobile device. Internet domain names are easier to remember than IP addresses such as 208.77.188.166 (IPv4) or 2001:db8:1f70::999:de8:7648:6e8 (IPv6). Users take advantage of this when they recite meaningful Uniform Resource Locators (URLs) and e-mail addresses without having to know how the computer actually locates them.

The Domain Name System distributes the responsibility of assigning domain names and mapping those names to IP addresses by designating authoritative name servers for each domain. Authoritative name servers are assigned to be responsible for their particular domains, and in turn can assign other authoritative name servers for their sub-domains. This mechanism has made the DNS distributed and fault tolerant and has helped avoid the need for a single central register to be continually consulted and updated.

In general, the Domain Name System also stores other types of information, such as the list of mail servers that accept email for a given Internet domain. By providing a worldwide, distributed keyword-based redirection service, the Domain Name System is an essential component of the functionality of the Internet.

Other identifiers such as RFID tags, UPCs, international characters in email addresses and host names, and a variety of other identifiers could all potentially use DNS.

The Domain Name System also specifies the technical functionality of this database service. It defines the DNS protocol, a detailed specification of the data structures and communication exchanges used in DNS, as part of the Internet Protocol Suite.

How about the OpenDNS???

OpenDNS is a DNS (Domain Name System) resolution service. OpenDNS extends DNS adding features such as misspelling correction, phishing protection, and optional content filtering. It provides an ad-supported service "showing relevant ads when we [show] search results" and a paid advertisement-free service.

OpenDNS provides the following recursive nameserver addresses for public use, mapped to the nearest operational server location by anycast routing:

208.67.222.222 (resolver1.opendns.com)
208.67.220.220 (resolver2.opendns.com)
208.67.222.220
208.67.220.222

OpenDNS also provides the following recursive nameserver addresses as part of their FamilyShield parental controls which block pornography, proxy servers, phishing sites and some malware:

208.67.222.123
208.67.220.123

IPv6 addresses (experimental)

2620:0:ccc::2
2620:0:ccd::2

OpenDNS for Network Security: Watch video below to know details for the network security with OpenDNS...

Other sites you may want to see:

WWE: http://visa-wwe.blogspot.com/
The Kingdom of Wonder: http://welcome2cambodia.blogspot.com/
Daily Blogging: http://visablogging.blogspot.com/
Love Sharing: http://visa-love.blogspot.com/
NetworkSecurity: http://networksecuritynotes.blogspot.com/
About Insurance:http://visa-insurance.blogspot.com
All about Love: http://visa-love.blogspot.com/
Learning English Online: http://visa-elb.blogspot.com/
Discovery Internet: http://visa-isp.blogspot.com/

Network Security Notes: Cisco - Security Training Video

2012-01-10T16:13:00.003+07:00

Network Security Notes: Cisco - Security Training Video

Video used for internal training at Cisco. The basics of Security. Shot a few years ago but still pretty relevant.

++++++++++I LOVE CISCO++++++++++

Other sites you may want to see:

WWE: http://visa-wwe.blogspot.com/
The Kingdom of Wonder: http://welcome2cambodia.blogspot.com/
Daily Blogging: http://visablogging.blogspot.com/
Love Sharing: http://visa-love.blogspot.com/
NetworkSecurity: http://networksecuritynotes.blogspot.com/
About Insurance:http://visa-insurance.blogspot.com
All about Love: http://visa-love.blogspot.com/
Learning English Online: http://visa-elb.blogspot.com/
Discovery Internet: http://visa-isp.blogspot.com/

Network Security Notes: Attackers trick Facebook users into exposing secret security codes

2011-10-30T19:21:00.005+07:00

Network Security Notes: Attackers trick Facebook users into exposing secret security codes

This post regarding network security, the Internet network security relevant to Facebook users, we should be aware of this problem...

Facebook

Attackers trick Facebook users into exposing secret security codes

New social engineering attacks are tricking Facebook users into exposing anti-CSRF tokens associated with their sessions. These security codes allow attackers to make unauthorized requests through the victim's browser.

Cross-site request forgery (CSRF) is an attack technique that abuses the trust relationship between websites and authenticated users. Because of the way the Web works, a page can theoretically force a visitor's browser to issue a request to a third-party site where the user is authenticated, thus piggybacking on their active session.

In order to prevent this from happening, websites embed unique authorization codes known as anti-CSRF tokens into forms. Since these are not available to attackers, rogue requests can no longer be triggered successfully.

However, security researchers from Symantec have detected a new type of Facebook attack in which victims are tricked into handing over such tokens manually by going through a fake verification process....

Read more at...Attackers trick Facebook users into exposing secret security codes

Other sites you may want to see:

WWE: http://visa-wwe.blogspot.com/
The Kingdom of Wonder: http://welcome2cambodia.blogspot.com/
Daily Blogging: http://visablogging.blogspot.com/
Love Sharing: http://visa-love.blogspot.com/
NetworkSecurity: http://networksecuritynotes.blogspot.com/
About Insurance:http://visa-insurance.blogspot.com
All about Love: http://visa-love.blogspot.com/
Learning English Online: http://visa-elb.blogspot.com/
Discovery Internet: http://visa-isp.blogspot.com/

Network Security Notes: Configuring Route Filtering

2011-09-08T08:16:00.003+07:00

As my previous post about Understanding Route Filtering, this post I would like to introduce for more details about the Route Filtering, but with the Route Filtering configuration.

Network Security Notes: Route Filtering

Route filters work by regulating what networks a router will advertise out of an interface to another router or what networks a router will accept on an interface from another router. Route filtering can be used by administrators to manually assure that only certain routes are announced from a specific routing process or interface. This feature allows administrators to configure their routers to prevent
malicious routing attempts by intruders.

You can configure route filtering in one of two ways:

* Inbound route filtering: The router can be configured to permit or deny routes advertised by a neighbor from being installed to the routing process.

* Outbound route filtering: The route filter can be configure to permit or deny routes from being advertised from the local routing process, preventing neighboring routers from learning the routes.

I. Configuring Inbound Route Filters:

The steps for configuring inbound route filters are as follows:

1. Use the access list global configuration command to configure an access−list that permits or denies the specific routes that are being filtered.

2. Under the routing protocol process, use the following command:

distribute−list in [interface−name]

For Example: I want to configure inbound route filter on Router-B (Router-B is a name of my router). The following steps should be configured:

1. Create an access-list: Configure access-list by access-list command:

Router-B#config t
.......
Router-B(config)#access-list 120 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255

For this command of access-list:
- Access-list number is 120
- Permission: permit
- Source Network: 192.168.1.0/24
- Destination Network: 172.16.1.0/24

2. Configure command inbound route filter under a routing protocol:

Router-B(config)#router rip
Router-B(config-router)#network 192.168.1.0
Router-B(config-router)#network 172.16.1.0
Router-B(config-router)#distribute−list 120 in Serial 0/0

For the above command, I configure inbound route filter on Router-B:
- Protocol: RIP version 1
- Network: 192.168.1.0 and 172.16.1.0
- Access-list: applied access-list 120 as already configured on step 1
- Interface: Serial 0/0

After configure the two steps above, Router will allow/permit only inbound traffic from network 192.168.1.0/24 to destination network 172.16.1.0/24 via Interface Serial 0/0 of Router-B.

II. Configuring Outbound Route Filters:

The steps to configure outbound route filters are described here:

1. Use the access−list global configuration command to configure an access list that permits or denies the specific routes that are being filtered.

2. Under the routing protocol process, use the following command:

distribute−list out [interface−name| −
routing − process|autonomous−system−number]

For Example: I want to configure outbound route filter on Router-B (Router-B is a name of my router). The following steps should be configured:

1. Create an access-list: Configure access-list by access-list command:

Router-B#config t
.......
Router-B(config)#access-list 110 deny ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255

For this command of access-list:
- Access-list number is 110
- Permission: deny
- Source Network: 192.168.10.0/24
- Destination Network: 172.16.10.0/24

2. Configure command Outbound route filter under a routing protocol:

Router-B(config)#router rip
Router-B(config-router)#network 192.168.10.0
Router-B(config-router)#network 172.16.10.0
Router-B(config-router)#distribute−list 120 out Serial 0/0

For the above command, I configure inbound route filter on Router-B:
- Protocol: RIP version 1
- Network: 192.168.10.0 and 172.16.10.0
- Access-list: applied access-list 110 as already configured on step 1
- Interface: Serial 0/0

After configure the two steps above, Router will deny only outbound traffic from network 192.168.10.0/24 to destination network 172.16.10.0/24 via Interface Serial 0/0 of Router-B.

Any questions or comments, please leave below...Thanks!

Other sites you may want to see:

WWE: http://visa-wwe.blogspot.com/
The Kingdom of Wonder: http://welcome2cambodia.blogspot.com/
Daily Blogging: http://visablogging.blogspot.com/
Love Sharing: http://visa-love.blogspot.com/
Network Security: http://networksecuritynotes.blogspot.com/
About Insurance:http://visa-insurance.blogspot.com
All about Love: http://visa-love.blogspot.com/
Learning English Online: http://visa-elb.blogspot.com/
Discovery Internet: http://visa-isp.blogspot.com/

Network Security Notes: Network Security News: Be Aware of Dangerous vulnerability in Skype

2011-07-18T10:15:00.007+07:00

Skype is a software application that allows users to make voice and video calls and chats over the Internet. Calls to other users within the Skype service are free, while calls to both traditional landline telephones and mobile phones can be made for a fee using a debit-based user account system. Skype has also become popular for its additional features which include instant messaging, file transfer, and video conferencing. Skype has 663 million registered users as of 2010. The network is operated by Skype Limited, which has its headquarters in Luxembourg. Most of the development team and 44% of the overall employees of Skype are situated in the offices of Tallinn and Tartu, Estonia.

Skype

Unlike other VoIP services, Skype is a peer-to-peer system rather than a client–server system, and makes use of background processing on computers running Skype software; the original name proposed – Sky peer-to-peer – reflects this.

Some network administrators have banned Skype on corporate, government, home, and education networks, citing reasons such as inappropriate usage of resources, excessive bandwidth usage, and security concerns.

On 10 May 2011, Microsoft Corporation agreed to acquire Skype Communications, S.à r.l for US$8.5 billion. The company is to be incorporated as a division of Microsoft, and Microsoft will acquire all of the company's technologies, including Skype, with the purchase.

Registered users of Skype are identified by a unique Skype Name, and may be listed in the Skype directory. Skype allows these registered users to communicate through both instant messaging and voice chat. Voice chat allows telephone calls between pairs of users and conference calling, and uses a proprietary audio codec. Skype's text chat client allows group chats, emoticons, storing chat history, offline messaging (since version 5) and editing of previous messages. The usual features familiar to instant messaging users — user profiles, online status indicators, and so on — are also included.

The Online Number, a.k.a. SkypeIn, service allows Skype users to receive calls on their computers dialled by conventional phone subscribers to a local Skype phone number; local numbers are available for Australia, Belgium, Brazil, Chile, Colombia, Denmark, the Dominican Republic, Estonia, Finland, France, Germany, Hong Kong, Hungary, Ireland, Italy, Japan, Mexico, New Zealand, Poland, Romania, South Africa, South Korea, Sweden, Switzerland, the Netherlands, the United Kingdom, and the United States. A Skype user can have local numbers in any of these countries, with calls to the number charged at the same rate as calls to fixed lines in the country.

Video conferencing between two users was introduced in January 2006 for the Windows and Mac OS X platform clients. Skype 2.0 for Linux, released on 13 March 2008, also features support for video conferencing. Version 5 beta 1 for Windows, released 13 May 2010, offers free video conferencing with up to five people.

Skype for Windows, starting with version 3.6.0.216, supports "High Quality Video" with quality and features, e.g., full-screen and screen-in-screen modes, similar to those of mid-range videoconferencing systems.[14] Skype audio conferences currently support up to 25 people at a time, including the host.

Skype does not provide the ability to call emergency numbers such as 911 in the United States and Canada, 999 in the United Kingdom and many other countries, 111 in New Zealand, 000 in Australia, or 112 in Europe. The U.S. Federal Communications Commission (FCC) has ruled that, for the purposes of section 255 of the Telecommunications Act, Skype is not an "interconnected VoIP provider". As a result, the U.S. National Emergency Number Association recommends that all VoIP users have an analog line available as a backup.

In 2011, Skype partnered with Comcast to bring its video chat service to Comcast subscribers via their HDTV sets.

Be Aware of Dangerous vulnerability in Skype

According to NetworkWorld posted on 15 July 2o11, Researcher found dangerous vulnerability in Skype. A security consultant has notified Skype of a cross-site scripting flaw that could be used to change the password on someone's account, according to details posted online.

The consultant, Levent Kayan, based in Berlin, posted details of the flaw on his blog on Wednesday and notified Skype a day later. He said on Friday he hasn't heard a response yet.

The problem lies in a field where a person can input their mobile phone number. Kayan wrote that a malicious user can insert JavaScript into the mobile phone field of their profile.

When one of their contacts comes online, the malicious user's profile will be updated, and the JavaScript will be executed when the other contact logs in. Kayan wrote that the other person's session could be hijacked, and it may be possible to gain control of that person's computer. An attacker could also change the password on someone's account.

There are some mitigating factors, such as that the attacker and victim must be friends on Skype. Also, the attack may not immediately execute when the victim logs in. Kayan said he noticed the behavior happened only after the victim logged in several times. But he said in an e-mail that once it happens the first time, "it happens with each re-login."

Skype should be checking the input into the mobile phone field and validating that it is indeed a phone number and not executable code. The problem affects the latest version of Skype, 5.3.0.120, on Windows XP, Vista and 7 as well as Mac OS X operating system.

Source credited to NetworkWorld.com

Other sites you may want to see:

Entertainment on Flixya: http://visalittleboy.flixya.com/
WWE: http://visa-wwe.blogspot.com/
The Kingdom of Wonder: http://welcome2cambodia.blogspot.com/
Daily Blogging: http://visablogging.blogspot.com/
Love Sharing: http://visa-love.blogspot.com/
NetworkSecurity: http://networksecuritynotes.blogspot.com/
About Insurance:http://visa-insurance.blogspot.com
All about Love: http://visa-love.blogspot.com/
Learning English Online: http://visa-elb.blogspot.com/
Discovery Internet: http://visa-isp.blogspot.com/

Network Security Notes: Understanding Route Filtering

2011-07-18T09:41:00.004+07:00

Network Security Notes: Understanding Route Filtering

What is Routing?

Routing or routering is the process of selecting paths in a network along which to send network traffic. Routing is performed for many kinds of networks, including the telephone network (Circuit switching) , electronic data networks (such as the Internet), and transportation networks. This article is concerned primarily with routing in electronic data networks using packet switching technology.

Network Security Notes: Route Filtering

In packet switching networks, routing directs packet forwarding, the transit of logically addressed packets from their source toward their ultimate destination through intermediate nodes, typically hardware devices called routers, bridges, gateways, firewalls, or switches. General-purpose computers can also forward packets and perform routing, though they are not specialized hardware and may suffer from limited performance. The routing process usually directs forwarding on the basis of routing tables which maintain a record of the routes to various network destinations. Thus, constructing routing tables, which are held in the router's memory, is very important for efficient routing. Most routing algorithms use only one network path at a time, but multipath routing techniques enable the use of multiple alternative paths.

Routing, in a more narrow sense of the term, is often contrasted with bridging in its assumption that network addresses are structured and that similar addresses imply proximity within the network. Because structured addresses allow a single routing table entry to represent the route to a group of devices, structured addressing (routing, in the narrow sense) outperforms unstructured addressing (bridging) in large networks, and has become the dominant form of addressing on the Internet, though bridging is still widely used within localized environments.

What is Route filtering?

In the context of network routing, route filtering is the process by which certain routes are not considered for inclusion in the local route database, or not advertised to one's neighbours. Route filtering is particularly important for BGP on the global Internet, where it is used for a variety of reasons.

What is BGP?

The Border Gateway Protocol (BGP) is the protocol backing the core routing decisions on the Internet. It maintains a table of IP networks or 'prefixes' which designate network reachability among autonomous systems (AS). It is described as a path vector protocol. BGP does not use traditional Interior Gateway Protocol (IGP) metrics, but makes routing decisions based on path, network policies and/or rulesets. For this reason, it is more appropriately termed a reachability protocol rather than routing protocol.

BGP was created to replace the Exterior Gateway Protocol (EGP) protocol to allow fully decentralized routing in order to transition from the core ARPAnet model to a decentralized system that included the NSFNET backbone and its associated regional networks. This allowed the Internet to become a truly decentralized system. Since 1994, version four of the BGP has been in use on the Internet. All previous versions are now obsolete. The major enhancement in version 4 was support of Classless Inter-Domain Routing and use of route aggregation to decrease the size of routing tables. Since January 2006, version 4 is codified in RFC 4271, which went through more than 20 drafts based on the earlier RFC 1771 version 4. RFC 4271 version corrected a number of errors, clarified ambiguities and brought the RFC much closer to industry practices.

Most Internet service providers must use BGP to establish routing between one another (especially if they are multihomed). Therefore, even though most Internet users do not use it directly, BGP is one of the most important protocols of the Internet. Compare this with Signaling System 7 (SS7), which is the inter-provider core call setup protocol on the PSTN. Very large private IP networks use BGP internally. An example would be the joining of a number of large OSPF (Open Shortest Path First) networks where OSPF by itself would not scale to size. Another reason to use BGP is multihoming a network for better redundancy either to multiple access points of a single ISP (RFC 1998) or to multiple ISPs.

What is Internet?

The Internet is a global system of interconnected computer networks that use the standard Internet Protocol Suite (TCP/IP) to serve billions of users worldwide. It is a network of networks that consists of millions of private, public, academic, business, and government networks, of local to global scope, that are linked by a broad array of electronic, wireless and optical networking technologies. The Internet can also be defined as a worldwide interconnection of computers and computer networks that facilitate the sharing or exchange of information among users. The Internet carries a vast range of information resources and services, such as the inter-linked hypertext documents of the World Wide Web (WWW) and the infrastructure to support electronic mail.

Most traditional communications media including telephone, music, film, and television are reshaped or redefined by the Internet, giving birth to new services such as Voice over Internet Protocol (VoIP) and IPTV. Newspaper, book and other print publishing are adapting to Web site technology, or are reshaped into blogging and web feeds. The Internet has enabled or accelerated new forms of human interactions through instant messaging, Internet forums, and social networking. Online shopping has boomed both for major retail outlets and small artisans and traders. Business-to-business and financial services on the Internet affect supply chains across entire industries.

The origins of the Internet reach back to research of the 1960s, commissioned by the United States government in collaboration with private commercial interests to build robust, fault-tolerant, and distributed computer networks. The funding of a new U.S. backbone by the National Science Foundation in the 1980s, as well as private funding for other commercial backbones, led to worldwide participation in the development of new networking technologies, and the merger of many networks. The commercialization of what was by the 1990s an international network resulted in its popularization and incorporation into virtually every aspect of modern human life. As of 2009, an estimated quarter of Earth's population used the services of the Internet.

The Internet has no centralized governance in either technological implementation or policies for access and usage; each constituent network sets its own standards. Only the overreaching definitions of the two principal name spaces in the Internet, the Internet Protocol address space and the Domain Name System, are directed by a maintainer organization, the Internet Corporation for Assigned Names and Numbers (ICANN). The technical underpinning and standardization of the core protocols (IPv4 and IPv6) is an activity of the Internet Engineering Task Force (IETF), a non-profit organization of loosely affiliated international participants that anyone may associate with by contributing technical expertise.

How many Types of filtering?

There are two times when a filter can be naturally applied: when learning routes from a neighbour, and when announcing routes to a neighbour.

Input filtering

In input filtering, a filter is applied to routes as they are learned from a neighbour. A route that has been filtered out is discarded straight away, and hence not considered for inclusion into the local routing database.

Output filtering

In output filtering, a filter is applied to routes before they are announced to a neighbour. A route that has been filtered out is never learned by a neighbour, and hence not considered for inclusion in the remote route database.

Why Need Filtering?

Reasons to filter

Economic reasons

When a site is multihomed, announcing non-local routes to a neighbour different from the one it was learned from amounts to advertising the willingness to serve for transit, which is undesirable unless suitable agreements are in place. Applying output filtering on these routes avoids this issue.

Security reasons

An ISP will typically perform input filtering on routes learned from a customer to restrict them to the addresses actually assigned to that customer. Doing so makes address hijacking more difficult.

Similarly, an ISP will perform input filtering on routes learned from other ISPs to protect its customers from address hijacking.

Technical reasons

In some cases, routers have insufficient amounts of main memory to hold the full global BGP table. A simple work-around is to perform input filtering, thus limiting the local route database to a subset of the global table. This can be done by filtering on prefix length (eliminating all routes for prefixes longer than a given value), on AS count, or on some combination of the two.

This practice is not recommended, as it can cause suboptimal routing or even communication failures with small networks, and frustrate the traffic-engineering efforts of one's peers.

Other sites you may want to see:

Entertainment on Flixya: http://visalittleboy.flixya.com/
WWE: http://visa-wwe.blogspot.com/
The Kingdom of Wonder: http://welcome2cambodia.blogspot.com/
Daily Blogging: http://visablogging.blogspot.com/
Love Sharing: http://visa-love.blogspot.com/
Network Security: http://networksecuritynotes.blogspot.com/
About Insurance:http://visa-insurance.blogspot.com
All about Love: http://visa-love.blogspot.com/
Learning English Online: http://visa-elb.blogspot.com/
Discovery Internet: http://visa-isp.blogspot.com/

Network Security Notes: Network Protocols: Configuring OSPF Authentication Protocol

2011-07-18T08:25:00.005+07:00

As my previous post about the Understanding OSPF Protocol and the OSPF Protocol on CISCO Routing Protocol and Concepts, you may already know much details about the OSPF Protocol. And here this post I would like to introduce you about Configuring OSPF Authentication Protocol...

Open Shortest Path First (OSPF) supports two forms of authentication: plain text and MD5. Plain text authentication should be used only when neighboring devices do not support the more secure MD5 authentication. To configure plain text authentication of OSPF packets, follow these steps:

In interface configuration mode, use the ip ospf authentication−key [key] command. The key that is specified is the plain text password that will be used for authentication.

1. Enter OSPF configuration mode using the router ospf [process id] command. Then use the area [area−id] authentication command to configure plain text authentication of OSPF packets for an area.

Referring to Figure Image below, we will configure Router A and Router B for plain text authentication of OSPF packets. Listing A and Listing B below display each router's configuration.

Figure Image:

Figure: Router A and Router B Configured for OSPF Authentication

Listing A: Router A configured to authenticate OSPF packets using plain text authentication

interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip ospf authentication−key visaadmin
clockrate 64000
router ospf 60
area 0 authentication
network 10.10.10.0 0.0.0.255 area 10
network 10.10.11.0 0.0.0.255 area 11
network 192.168.10.0 0.0.0.255 area 0

Listing B: Router B configured to authenticate OSPF packets using plain text authentication

interface Loopback0
ip address 10.10.12.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.2 255.255.255.252
ip ospf authentication−key visaadmin
router ospf 50
area 0 authentication
network 10.10.12.0 0.0.0.255 area 12
network 10.10.13.0 0.0.0.255 area 13
network 192.168.10.0 0.0.0.255 area 0

In Listing A and Listing B, plain text authentication is configured to authenticate updates across area 0. By issuing the show ip ospf command, you can determine if plain text authentication is properly configured for each area. Here is an example of the output for the show ip ospf command:

Router−B#show ip ospf 50
Routing Process "ospf 50" with ID 10.10.13.1
......
Area BACKBONE(0)
Number of interfaces in this area is 1
Area has simple password authentication
SPF algorithm executed 7 times

Configure MD5 authentication of OSPF packets

To configure MD5 authentication of OSPF packets, follow the steps outlined here:

1. From interface configuration mode, enable the authentication of OSPF packets using MD5 with the following command:

ip ospf message−digest−key [key−id] md5 [key]

The value of the key−id allows passwords to be changed without having to disable authentication.

2. Enter OSPF configuration mode using the router ospf [process id] command. Then
configure MD5 authentication of OSPF packets for an area using this command:

area [area−id] authentication message−digest

This time, Routers A and B will be configured to authenticate packets across the backbone using the MD5 version of authentication. Listing C shows the configuration for Router A, and Listing D shows Router B's configuration.

Listing C: Router A configured for MD5 authentication

interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip ospf message−digest−key 15 md5 visa
clockrate 64000
router ospf 60
area 0 authentication message−digest
network 10.10.10.0 0.0.0.255 area 10
network 10.10.11.0 0.0.0.255 area 11
network 192.168.10.0 0.0.0.255 area 0

Listing D: Router B configured for MD5 authentication

interface Loopback0
ip address 10.10.12.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.2 255.255.255.252
ip ospf message−digest−key 15 md5 visa
router ospf 50
area 0 authentication message−digest
network 10.10.12.0 0.0.0.255 area 12
network 10.10.13.0 0.0.0.255 area 13
network 192.168.10.0 0.0.0.255 area 0

When you use the ip ospf message−digest−key command, the key value allows the password to be changed without having to disable authentication.

Note For OSPF, authentication passwords do not have to be the same throughout the area, but the key id value and the password must be the same between neighbors.

Using the show ip ospf [process−id] command again, you can see that it now states that MD5 authentication is being used across area 0:

Router−A#sh ip ospf 60
Routing Process "ospf 60" with ID 10.10.11.1
......
Area BACKBONE(0)
Number of interfaces in this area is 1
Area has message digest authentication
SPF algorithm executed 4 times

As noted earlier, the key id value and the passwords must be the same between neighbors. If you change the key id value to a number other than 15 on Router A, authentication should not take place and OSPF should get mad. Here is the changed configuration:

interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip ospf message−digest−key 30 md5 visa
clockrate 64000
router ospf 60
area 0 authentication message−digest
network 10.10.10.0 0.0.0.255 area 10
network 10.10.11.0 0.0.0.255 area 11
network 192.168.10.0 0.0.0.255 area 0

Notice that it has been changed to a value of 30. The following lines show what OSPF has to say
about this:

Router−A#debug ip ospf events
OSPF events debugging is on
Router−A#
00:03:58: OSPF: Send with youngest Key 30
00:04:04: OSPF: Rcv pkt from 192.168.10.2, Ethernet0/0 :
Mismatch Authentication Key − No message digest key 15 on Interface

OSPF is obviously not happy. If you change the key value back, everything should again be all right.

As mentioned earlier, the key id value allows passwords to be changed without having to disable authentication. Listing E and Listing F display the configuration of Router A and Router B with multiple keys and passwords configured.

Listing E: Router A configured with multiple keys and passwords

interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip ospf message−digest−key 15 md5 visa
ip ospf message−digest−key 20 md5 littleboy
clockrate 64000
router ospf 60
area 0 authentication message−digest
network 10.10.10.0 0.0.0.255 area 10
network 10.10.11.0 0.0.0.255 area 11
network 192.168.10.0 0.0.0.255 area 0

Listing F: Router B configured with multiple keys and passwords

interface Loopback0
ip address 10.10.12.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.2 255.255.255.252
ip ospf message−digest−key 15 md5 visa
ip ospf message−digest−key 20 md5 littleboy
router ospf 50
area 0 authentication message−digest
network 10.10.12.0 0.0.0.255 area 12
network 10.10.13.0 0.0.0.255 area 13
network 192.168.10.0 0.0.0.255 area 0

As a result of this configuration, Routers A and B will send duplicate copies of each OSPF packet out of their serial interfaces; one will be authenticated using key number 15, and the other will be authenticated using key number 20. After the routers each receive from each other OSPF packets authenticated with key 20, they will stop sending packets with the key number 15 and use only key number 20. At this point, you can delete key number 15, thus allowing you to change passwords without disabling authentication.

Other sites you may want to see:

Entertainment on Flixya: http://visalittleboy.flixya.com/
WWE: http://visa-wwe.blogspot.com/
The Kingdom of Wonder: http://welcome2cambodia.blogspot.com/
Daily Blogging: http://visablogging.blogspot.com/
Love Sharing: http://visa-love.blogspot.com/
NetworkSecurity: http://networksecuritynotes.blogspot.com/
About Insurance:http://visa-insurance.blogspot.com
All about Love: http://visa-love.blogspot.com/
Learning English Online: http://visa-elb.blogspot.com/
Discovery Internet: http://visa-isp.blogspot.com/

Network Security Notes: Cisco Intrusion Prevention System-Cisco IPS

2011-07-12T08:03:00.005+07:00

Network Security Notes: Cisco Intrusion Prevention System (Cisco IPS)

In this post, I would like to share with you a very great important video regarding network security in the Cisco IPS.

Cisco Intrusion Prevention System-Cisco IPS

Before you learn the video about the Cisco IPS, you should know what IPS is...

What is Intrusion Prevention System-IPS?

Intrusion Prevention Systems (IPS), also known as Intrusion Detection and Prevention Systems (IDPS), are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about said activity, attempt to block/stop activity, and report activity.

Intrusion prevention systems are considered extensions of intrusion detection systems because they both monitor network traffic and/or system activities for malicious activity. The main differences are, unlike intrusion detection systems, intrusion prevention systems are placed in-line and are able to actively prevent/block intrusions that are detected. More specifically, IPS can take such actions as sending an alarm, dropping the malicious packets, resetting the connection and/or blocking the traffic from the offending IP address. An IPS can also correct Cyclic Redundancy Check (CRC) errors, unfragment packet streams, prevent TCP sequencing issues, and clean up unwanted transport and network layer options.

IPS Classifications:

Intrusion prevention systems can be classified into four different types:

Network-based Intrusion Prevention (NIPS): monitors the entire network for suspicious traffic by analyzing protocol activity.

Wireless Intrusion Prevention Systems (WIPS): monitors a wireless network for suspicious traffic by analyzing wireless networking protocols.

Network Behavior Analysis (NBA): examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware, and policy violations.

Host-based Intrusion Prevention (HIPS): an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host.

How the IPS Detection methods work?

The majority of intrusion prevention systems utilize one of three detection methods: signature-based, statistical anomaly-based, and stateful protocol analysis.

Signature-based Detection: This method of detection utilizes signatures, which are attack patterns that are preconfigured and predetermined. A signature-based intrusion prevention system monitors the network traffic for matches to these signatures. Once a match is found the intrusion prevention system takes the appropriate action. Signatures can be exploit-based or vulnerability-based. Exploit-based signatures analyze patterns appearing in exploits being protected against, while vulnerability-based signatures analyze vulnerabilities in a program, its execution, and conditions needed to exploit said vulnerability.

Statistical Anomaly-based Detection: This method of detection baselines performance of average network traffic conditions. After a baseline is created, the system intermittently samples network traffic, using statistical analysis to compare the sample to the set baseline. If the activity is outside the baseline parameters, the intrusion prevention system takes the appropriate action.

Stateful Protocol Analysis Detection: This method identifies deviations of protocol states by comparing observed events with “predetermined profiles of generally accepted definitions of benign activity.”

In the video you will learn three main points about the Cisco IPS: Threat Intelligence, Advanced Inspection Protection, Repulation Technology.

Why the IPS of Cisco?

As I think, Cisco is the king company in producing network devices products. The world's using Cisco Routers, Cisco Switch.....

As you know, new threats and vulnerabilities present challenges to network security. Cisco intrusion prevention systems use global threat intelligence to help meet these challenges. Learn more about Cisco IPS solutions...

** Cisco Intrusion Prevention System:

Security is ever changing...

New Vulnerabilities...

New Vectors...

Zero Day Threats...

How do we solve this?

...from complexity to simplicity

It's more than just strength...Speed Agility and Intelligence.

Other sites you may want to see:

Entertainment on Flixya: http://visalittleboy.flixya.com/
WWE: http://visa-wwe.blogspot.com/
The Kingdom of Wonder: http://welcome2cambodia.blogspot.com/
Daily Blogging: http://visablogging.blogspot.com/
Love Sharing: http://visa-love.blogspot.com/
NetworkSecurity: http://networksecuritynotes.blogspot.com/
About Insurance:http://visa-insurance.blogspot.com
All about Love: http://visa-love.blogspot.com/
Learning English Online: http://visa-elb.blogspot.com/
Discovery Internet: http://visa-isp.blogspot.com/

Network Security Notes: Network Protocols: OSPF Protocol on CISCO Routing Protocols and Concepts

2011-06-23T13:26:00.003+07:00

I have already posted about Understanding OSPF Protocol. And here this post, you can find out more about OSPF on CISCO Routing Protocols and Concepts Chapter 13...

Let me quote some:

Exploration Routing Protocols and ConceptsChapter 11 - Presentation Transcript

1. OSPF Routing Protocols and Concepts – Chapter 11
2. Objectives
* Describe the background and basic features of OSPF.
* Identify and apply the basic OSPF configuration commands.
* Describe, modify and calculate the metric used by OSPF.
* Describe the Designated Router/Backup Designated Router (DR/BDR) election process in multiaccess networks.
* Describe the uses of additional configuration commands in OSPF.
3. Introduction
4. Introduction to OSPF
* Background of OSPF
o Began in 1987
o 1989 OSPFv1 released in RFC 1131
o This version was experimental & never deployed
o 1991 OSPFv2 released in RFC 1247
o 1998 OSPFv2 updated in RFC 2328
o 1999 OSPFv3 published in RFC 2740
5. Introduction to OSPF
* OSPF Message Encapsulation
o OSPF packet type
+ There exist 5 types
o OSPF packet header
+ Contains - Router ID and area ID and Type code for OSPF packet type
o IP packet header
+ Contains - Source IP address, Destination IP address, & Protocol field set to 89
6. Introduction to OSPF
* OSPF Message Encapsulation
o Data link frame header
o Contains - Source MAC address and Destination MAC address
7. Introduction to OSPF
* OSPF Packet Types
8. Introduction to OSPF
* Hello Protocol
* OSPF Hello Packet
o Purpose of Hello Packet
+ Discover OSPF neighbors & establish adjacencies
+ Advertise guidelines on which routers must agree to become neighbors
+ Used by multi-access networks to elect a d esignated r outer and a b ackup d esignated r outer
9. Introduction to OSPF
* Hello Packets continued
o Contents of a Hello Packet router ID of transmitting router
* OSPF Hello Intervals
o Usually multicast (224.0.0.5)
o Sent every 30 seconds for NBMA segments
* OSPF Dead Intervals
o This is the time that must transpire before the neighbor is considered down
o Default time is 4 times the hello interval
10. Introduction to OSPF
* Hello protocol packets contain information that is used in electing
o Designated Router (DR)
+ DR is responsible for updating all other OSPF routers
o Backup Designated Router (BDR)
+ This router takes over DR’s responsibilities if DR fails
11. Introduction to OSPF
* OSPF Link-state Updates
o Purpose of a Link State Update (LSU)
+ Used to deliver link state advertisements
o Purpose of a Link State Advertisement (LSA)
+ Contains information about neighbors & path costs
12. Introduction to OSPF
* OSPF Algorithm
* OSPF routers build & maintain link-state database containing LSA received from other routers
o Information found in database is utilized upon execution of Dijkstra SPF algorithm
o SPF algorithm used to create SPF tree
o SPF tree used to populate routing table
13. Introduction to OSPF
* Administrative Distance
o Default Administrative Distance for OSPF is 110
14. Introduction to OSPF
* OSPF Authentication
o Purpose is to encrypt & authenticate routing information
o This is an interface specific configuration
o Routers will only accept routing information from other routers that have been configured with the same password or authentication information
15. Basic OSPF Configuration
* Lab Topology
* Topology used for this chapter
o Discontiguous IP addressing scheme
o Since OSPF is a classless routing protocol the subnet mask is configured in
16. Basic OSPF Configuration
* The router ospf command
* To enable OSPF on a router use the following command
o R1(config)# router ospf process-id
o Process id
+ A locally significant number between 1 and 65535
+ This means it does not have to match other OSPF routers
17. Basic OSPF Configuration
* OSPF network command
o Requires entering:
+ network address
+ wildcard mask - the inverse of the subnet mask
+ area-id - area-id refers to the OSPF area – OSPF area is a group of routers that share link state information
o Example: Router(config-router)# network network-address wildcard-ask area area-id
18. Basic OSPF Configuration
* Router ID
o This is an IP address used to identify a router
o 3 criteria for deriving the router ID
+ Use IP address configured with OSPF router-id command
# Takes precedence over loopback and physical interface addresses
+ If router-id command not used then router chooses highest IP address of any loopback interfaces
+ If no loopback interfaces are configured then the highest IP address on any active interface is used
19. Basic OSPF Configuration
* OSPF Router ID
* Commands used to verify current router ID
o Show ip protocols
o Show ip ospf
o Show ip ospf interface
20. Basic OSPF Configuration
* OSPF Router ID
* Router ID & Loopback addresses
o Highest loopback address will be used as router ID if router-id command isn’t used
o Advantage of using loopback address
+ The loopback interface cannot fail  OSPF stability
* The OSPF router-id command
o Introduced in IOS 12.0
o Command syntax
+ Router(config)#router ospfprocess-id
+ Router(config-router)#router-idip-address
* Modifying the Router ID
o Use the command Router #clear ip ospf process
21. Basic OSPF Configuration
* Verifying OSPF
* Use the show ip ospf command to verify & trouble shoot OSPF networks
* Command will display the following:
o Neighbor adjacency
+ No adjacency indicated by
# Neighboring router’s Router ID is not displayed
# A state of full is not displayed
+ Consequence of no adjacency
# No link state information exchanged
# Inaccurate SPF trees & routing tables
22. Basic OSPF Configuration
* Verifying OSPF - Additional Commands
Displays hello interval and dead interval Show ip ospf interface Displays OSPF process ID, router ID , OSPF area information & the last time SPF algorithm calculated Show ip ospf Displays OSPF process ID, router ID , networks router is advertising & administrative distance Show ip protocols Description Command
23. Basic OSPF Configuration
* Examining the routing table
* Use the show ip route command to display the routing table
o An “O’ at the beginning of a route indicates that the router source is OSPF
o Note OSPF does not automatically summarize at major network boundaries
24. OSPF Metric
* OSPF uses cost as the metric for determining the best route
o The best route will have the lowest cost
o Cost is based on bandwidth of an interface
+ Cost is calculated using the formula
# 10 8 / bandwidth
o Reference bandwidth
+ Defaults to 100Mbps
+ Can be modified using
+ Auto-cost reference-bandwidth command
25. OSPF Metric
* COST of an OSPF route
o Is the accumulated value from one router to the next
26. OSPF Metric
* Usually the actual speed of a link is different than the default bandwidth
o This makes it imperative that the bandwidth value reflects link’s actual speed
+ Reason: so routing table has best path information
* The show interface command will display interface’s bandwidth
o Most serial link default to 1.544Mbps
27. Basic OSPF Configuration
* Modifying the Cost of a link
* Both sides of a serial link should be configured with the same bandwidth
o Commands used to modify bandwidth value
+ Bandwidth command
# Example: Router(config-if)# bandwidth bandwidth-kbp s
+ ip ospf cost command – allows you to directly specify interface cost
# Example: R1(config)#interface serial 0/0/0
# R1(config-if)#ip ospf cost 1562
28. Basic OSPF Configuration
* Modifying the Cost of the link
* Difference between bandwidth command & the ip ospf cost command
o Ip ospf cost command
+ Sets cost to a specific value
o Bandwidth command
+ Link cost is calculated
29. OSPF and Multiaccess Networks
* Challenges in Multiaccess Networks
* OSPF defines five network types:
o Point-to-point
o Broadcast Multiaccess
o Nonbroadcast Multiaccess (NBMA)
o Point-to-multipoint
o Virtual links
30. OSPF in Multiaccess Networks
* 2 challenges presented by multiaccess networks
o Multiple adjacencies
o Extensive LSA flooding
31. OSPF in Multiaccess Networks
* Extensive flooding of LSAs
o For every LSA sent out there must be an acknowledgement of receipt sent back to transmitting router
o Consequence: lots of bandwidth consumed and chaotic traffic
32. OSPF in Multiaccess Networks
* Solution to LSA flooding issue is the use of
o Designated router (DR)
o Backup designated router (BDR)
* DR & BDR selection
o Routers are elected to send & receive LSA
* Sending & Receiving LSA
o DR others send LSAs via multicast 224.0.0.6 to DR & BDR
o DR forward LSA via multicast address 224.0.0.5 to all other routers
33. OSPF in Multiaccess Networks
* DR/BDR Election Process
o DR/BDR elections DO NOT occur in point to point networks
34. OSPF in Multiaccess Networks
* DR/BDR elections will take place on multiaccess networks as shown below
35. OSPF in Multiaccess Networks
* Criteria for getting elected DR/BDR
o DR: Router with the highest OSPF interface priority
o BDR : Router with the second highest OSPF interface priority
o If OSPF interface priorities are equal , the highest router ID is used to break the tie
36. OSPF in Multiaccess Networks
* Timing of DR/BDR Election
o Occurs as soon as 1 st router has its interface enabled on multiaccess network
+ When a DR is elected it remains as the DR until one of the following occurs
# The DR fails
# The OSPF process on the DR fails
# The multiaccess interface on the DR fails
37. OSPF in Multiaccess Networks
* Manipulating the election process
o If you want to influence the election of DR & BDR then do one of the following:
+ Boot up the DR first, followed by the BDR, and then boot all other routers
+ OR
+ Shut down the interface on all routers, followed by a no shutdown on the DR, then the BDR, and then all other routers
38. OSPF in Multiaccess Networks
* OSPF Interface Priority
* Manipulating the DR/BDR election process continued
o Use the ip ospf priority interface command.
o Example:Router(config-if)# ip ospf priority { 0 - 255 }
+ Priority number range 0 to 255
# 0 means the router cannot become the DR or BDR
# 1 is the default priority value
39. More OSPF Configuration
* Redistributing an OSPF Default Route
* Topology includes a link to ISP
o Router connected to ISP
+ Called an autonomous system border router
+ Used to propagate a default route
# Example of static default route:
# R1(config)# ip route 0.0.0.0 0.0.0.0 loopback 1
# Requires the use of the default-information originate command
# Example of default-information originate command:
# R1(config-router)# default-information originate
40. More OSPF Configuration
* Fine-Tuning OSPF
* Since link speeds are getting faster it may be necessary to change reference bandwidth values
o Do this using the auto-cost reference-bandwidth command
o Example:
+ R1(config-router)# auto-cost reference-bandwidth 10000
41. More OSPF Configuration
* Fine-Tuning OSPF
* Modifying OSPF timers
o Reason to modify timers
+ Faster detection of network failures
o Manually modifying Hello & Dead intervals
+ Router(config-if)# ip ospf hello-interval seconds
+ Router(config-if)# ip ospf dead-interval seconds
o Point to be made
+ Hello & Dead intervals must be the same between neighbors
42. Summary
* RFC 2328 describes OSPF link state concepts and operations
* OSPF Characteristics
o A commonly deployed link state routing protocol
o Employs DR s & BDR s on multi-access networks
+ DRs & BDRs are elected
+ DR & BDRs are used to transmit and receive LSAs
o Uses 5 packet types:
+ 1: HELLO
+ 2: D ATA B ASE D ESCRIPTION
+ 3: L INK S TATE R EQUEST
+ 4: L INK S TATE U PDATE
+ 5: L INK S TATE A CKNOWLEDGEMENT
43. Summary
* OSPF Characteristics
o Metric = cost
+ Lowest cost = best path
* Configuration
o Enable OSPF on a router using the following command
+ R1(config)# router ospf process-id
o Use the network command to define which interfaces will participate in a given OSPF process
+ Router(config-router)# network network-address wildcard-mask area area-id
44. Summary
* Verifying OSPF configuration
o Use the following commands:
+ show ip protocol
+ show ip route
+ show ip ospf interface
+ show ip ospf neighbor

More details about OSPF Protocol on CISCO Routing Protocols and Concepts...Please visit directly here...

Exploration Routing Protocols and ConceptsChapter 11

View more presentations from Jozef Janitor

Other sites you may want to see:

Entertainment on Flixya: http://visalittleboy.flixya.com/
WWE: http://visa-wwe.blogspot.com/
The Kingdom of Wonder: http://welcome2cambodia.blogspot.com/
Daily Blogging: http://visablogging.blogspot.com/
Love Sharing: http://visa-love.blogspot.com/
NetworkSecurity: http://networksecuritynotes.blogspot.com/
About Insurance:http://visa-insurance.blogspot.com
All about Love: http://visa-love.blogspot.com/
Learning English Online: http://visa-elb.blogspot.com/
Discovery Internet: http://visa-isp.blogspot.com/

Network Security Notes: Network Protocols: Understanding OSPF Protocol

2011-06-14T11:47:00.004+07:00

As my previous post about Understanding EIGRP and IGRP Protocols. This post I want to learn about OSPF protocol.

Open Shortest Path First (OSPF) is an adaptive routing protocol for Internet Protocol (IP) networks. It uses a link state routing algorithm and falls into the group of interior routing protocols, operating within a single autonomous system (AS). It is defined as OSPF Version 2 in RFC 2328 (1998) for IPv4. The updates for IPv6 are specified as OSPF Version 3 in RFC 5340 (2008). Research into the convergence time of OSPF can be found in Stability Issues in OSPF Routing (2001).

OSPF is perhaps the most widely-used interior gateway protocol (IGP) in large enterprise networks. IS-IS, another link-state routing protocol, is more common in large service provider networks. The most widely-used exterior gateway protocol is the Border Gateway Protocol (BGP), the principal routing protocol between autonomous systems on the Internet.

OSPF is an interior gateway protocol that routes Internet Protocol (IP) packets solely within a single routing domain (autonomous system). It gathers link state information from available routers and constructs a topology map of the network. The topology determines the routing table presented to the Internet Layer which makes routing decisions based solely on the destination IP address found in IP packets. OSPF was designed to support variable-length subnet masking (VLSM) or Classless Inter-Domain Routing (CIDR) addressing models.

OSPF detects changes in the topology, such as link failures, very quickly and converges on a new loop-free routing structure within seconds. It computes the shortest path tree for each route using a method based on Dijkstra's algorithm, a shortest path first algorithm.

The link-state information is maintained on each router as a link-state database (LSDB) which is a tree-image of the entire network topology. Identical copies of the LSDB are periodically updated through flooding on all OSPF routers.

The OSPF routing policies to construct a route table are governed by link cost factors (external metrics) associated with each routing interface. Cost factors may be the distance of a router (round-trip time), network throughput of a link, or link availability and reliability, expressed as simple unitless numbers. This provides a dynamic process of traffic load balancing between routes of equal cost.

An OSPF network may be structured, or subdivided, into routing areas to simplify administration and optimize traffic and resource utilization. Areas are identified by 32-bit numbers, expressed either simply in decimal, or often in octet-based dot-decimal notation, familiar from IPv4 address notation.

By convention, area 0 (zero) or 0.0.0.0 represents the core or backbone region of an OSPF network. The identifications of other areas may be chosen at will; often, administrators select the IP address of a main router in an area as the area's identification. Each additional area must have a direct or virtual connection to the backbone OSPF area. Such connections are maintained by an interconnecting router, known as area border router (ABR). An ABR maintains separate link state databases for each area it serves and maintains summarized routes for all areas in the network.

OSPF does not use a TCP/IP transport protocol (UDP, TCP), but is encapsulated directly in IP datagrams with protocol number 89. This is in contrast to other routing protocols, such as the Routing Information Protocol (RIP), or the Border Gateway Protocol (BGP). OSPF handles its own error detection and correction functions.

OSPF uses multicast addressing for route flooding on a broadcast network link. For non-broadcast networks special provisions for configuration facilitate neighbor discovery. OSPF multicast IP packets never traverse IP routers, they never travel more than one hop. OSPF reserves the multicast addresses 224.0.0.5 for IPv4 or FF02::5 for IPv6 (all SPF/link state routers, also known as AllSPFRouters) and 224.0.0.6 for IPv4 or FF02::6 for IPv6 (all Designated Routers, AllDRouters), as specified in RFC 2328 and RFC 5340.

For routing multicast IP traffic, OSPF supports the Multicast Open Shortest Path First protocol (MOSPF) as defined in RFC 1584. Neither Cisco nor Juniper Networks include MOSPF in their OSPF implementations. PIM (Protocol Independent Multicast) in conjunction with OSPF or other IGPs, (Interior Gateway Protocol), is widely deployed.

The OSPF protocol, when running on IPv4, can operate securely between routers, optionally using a variety of authentication methods to allow only trusted routers to participate in routing. OSPFv3, running on IPv6, no longer supports protocol-internal authentication. Instead, it relies on IPv6 protocol security (IPsec).

OSPF version 3 introduces modifications to the IPv4 implementation of the protocol. Except for virtual links, all neighbor exchanges use IPv6 link-local addressing exclusively. The IPv6 protocol runs per link, rather than based on the subnet. All IP prefix information has been removed from the link-state advertisements and from the Hello discovery packet making OSPFv3 essentially protocol-independent. Despite the expanded IP addressing to 128-bits in IPv6, area and router identifications are still based on 32-bit values.

What is Link-state routing protocol?

A link-state routing protocol is one of the two main classes of routing protocols used in packet switching networks for computer communications (the other is the distance-vector routing protocol). Examples of link-state routing protocols include OSPF and IS-IS.

The link-state protocol is performed by every switching node in the network (i.e. nodes that are prepared to forward packets; in the Internet, these are called routers). The basic concept of link-state routing is that every node constructs a map of the connectivity to the network, in the form of a graph, showing which nodes are connected to which other nodes. Each node then independently calculates the next best logical path from it to every possible destination in the network. The collection of best paths will then form the node's routing table.

This contrasts with distance-vector routing protocols, which work by having each node share its routing table with its neighbors. In a link-state protocol the only information passed between nodes is connectivity related.

Link state algorithms are sometimes characterized informally as each router 'telling the world about its neighbors'.

Learn about Shortest Path First Algorithm:

OSPF uses a shorted path first algorithm in order to build and calculate the shortest path to all known destinations.The shortest path is calculated with the use of the Dijkstra algorithm. The algorithm by itself is quite complicated. This is a very high level, simplified way of looking at the various steps of the algorithm:

1. Upon initialization or due to any change in routing information, a router generates a link-state advertisement. This advertisement represents the collection of all link-states on that router.

2. All routers exchange link-states by means of flooding. Each router that receives a link-state update should store a copy in its link-state database and then propagate the update to other routers.

3. After the database of each router is completed, the router calculates a Shortest Path Tree to all destinations. The router uses the Dijkstra algorithm in order to calculate the shortest path tree. The destinations, the associated cost and the next hop to reach those destinations form the IP routing table.

4. In case no changes in the OSPF network occur, such as cost of a link or a network being added or deleted, OSPF should be very quiet. Any changes that occur are communicated through link-state packets, and the Dijkstra algorithm is recalculated in order to find the shortest path.

The algorithm places each router at the root of a tree and calculates the shortest path to each destination based on the cumulative cost required to reach that destination. Each router will have its own view of the topology even though all the routers will build a shortest path tree using the same link-state database. The following sections indicate what is involved in building a shortest path tree.

What about OSPF Cost?

The cost (also called metric) of an interface in OSPF is an indication of the overhead required to send packets across a certain interface. The cost of an interface is inversely proportional to the bandwidth of that interface. A higher bandwidth indicates a lower cost. There is more overhead (higher cost) and time delays involved in crossing a 56k serial line than crossing a 10M ethernet line. The formula used to calculate the cost is:

*cost= 10000 0000/bandwith in bps

For example, it will cost 10 EXP8/10 EXP7 = 10 to cross a 10M Ethernet line and will cost 10 EXP8/1544000 = 64 to cross a T1 line.

By default, the cost of an interface is calculated based on the bandwidth; you can force the cost of an interface with the ip ospf cost interface subconfiguration mode command.

How about Shortest Path Tree?

Assume we have the following network diagram with the indicated interface costs. In order to build the shortest path tree for RTA, we would have to make RTA the root of the tree and calculate the smallest cost for each destination.

Now Let's Compare OSPF and RIP protocols:

The rapid growth and expansion of today's networks has pushed RIP to its limits. RIP has certain limitations that can cause problems in large networks:

* RIP has a limit of 15 hops. A RIP network that spans more than 15 hops (15 routers) is considered unreachable.

* RIP cannot handle Variable Length Subnet Masks (VLSM). Given the shortage of IP addresses and the flexibility VLSM gives in the efficient assignment of IP addresses, this is considered a major flaw.

* Periodic broadcasts of the full routing table consume a large amount of bandwidth. This is a major problem with large networks especially on slow links and WAN clouds.

* RIP converges slower than OSPF. In large networks convergence gets to be in the order of minutes. RIP routers go through a period of a hold-down and garbage collection and slowly time-out information that has not been received recently. This is inappropriate in large environments and could cause routing inconsistencies.

* RIP has no concept of network delays and link costs. Routing decisions are based on hop counts. The path with the lowest hop count to the destination is always preferred even if the longer path has a better aggregate link bandwidth and less delays.

* RIP networks are flat networks. There is no concept of areas or boundaries. With the introduction of classless routing and the intelligent use of aggregation and summarization, RIP networks seem to have fallen behind.

Some enhancements were introduced in a new version of RIP called RIP2. RIP2 addresses the issues of VLSM, authentication, and multicast routing updates. RIP2 is not a big improvement over RIP (now called RIP 1) because it still has the limitations of hop counts and slow convergence which are essential in todays large networks.

OSPF, on the other hand, addresses most of the issues previously presented:

* With OSPF, there is no limitation on the hop count.

* The intelligent use of VLSM is very useful in IP address allocation.

* OSPF uses IP multicast to send link-state updates. This ensures less processing on routers that are not listening to OSPF packets. Also, updates are only sent in case routing changes occur instead of periodically. This ensures a better use of bandwidth.

* OSPF has better convergence than RIP. This is because routing changes are propagated instantaneously and not periodically.

* OSPF allows for better load balancing.

* OSPF allows for a logical definition of networks where routers can be divided into areas. This limits the explosion of link state updates over the whole network. This also provides a mechanism for aggregating routes and cutting down on the unnecessary propagation of subnet information.

* OSPF allows for routing authentication by using different methods of password authentication.

* OSPF allows for the transfer and tagging of external routes injected into an Autonomous System. This keeps track of external routes injected by exterior protocols such as BGP.

For more other details about OSPF protocol, you can find document at IETF.Org

Other sites you may want to see:

Entertainment on Flixya: http://visalittleboy.flixya.com/
WWE: http://visa-wwe.blogspot.com/
The Kingdom of Wonder: http://welcome2cambodia.blogspot.com/
Daily Blogging: http://visablogging.blogspot.com/
Love Sharing: http://visa-love.blogspot.com/
NetworkSecurity: http://networksecuritynotes.blogspot.com/
About Insurance:http://visa-insurance.blogspot.com
All about Love: http://visa-love.blogspot.com/
Learning English Online: http://visa-elb.blogspot.com/
Discovery Internet: http://visa-isp.blogspot.com/

Network Security Notes: Top 100 Network Security Tools

2011-06-08T08:35:00.002+07:00

My previous post: Cisco Network Security Certification Training

This post, related to network security, I would like to share you a great video that shows you Top 100 Network Security Tools...Please check and learn from the video...

***Top 100 Network Security Tools:

Network Security Notes: Cisco Network Security Certification Training

2011-05-11T10:30:00.003+07:00

I have archived few certificates related to Microsoft like MCSA 2003, MCSE 2003 and Cisco like CCNA. But in my future I want to gain more certificates of CISCO related to network security like Cisco IOS Security, Adaptive Security Appliance, VPN 3000 Concentrator, Network Intrusion Detection, Host Intrusion Detection, End-to-End Security Implementation...

Cisco Certificates: CCNA, CCNP, CCIE logos

* Cisco IOS Security: Securing Networks with Cisco Routers and Switches (SNRS), Network Administration Control (NAC), Securing Cisco Routers (SECR)

* Adaptive Security Appliance: Securing Networks with PIX and ASA (SNPA)

* VPN 3000 Concentrator: Cisco Secure Virtual Networks (CSVPN)

* Network Intrusion Detehttp: Implementing Cisco Intrusion Prevention System (IPS)

* Host Intrusion Detection: Securing Hosts Using Cisco Security Agent (HIPS)

* End-to-End Security Implementation: Securing Cisco Network Devices (SND)

I am really want to gain more certificates related to CISCO Network Security! But now I need to earn more money to get training and to do examination to complete the test requirements....

For more details about the Network Security Certification Training , please visit here...

Network Security Notes: Network Protocols: Configuring EIGRP Authentication Protocol

2011-05-11T08:55:00.005+07:00

As my previous post about Understanding EIGRP protocol, this post I would like to share you about configuring EIGRP Authentication....

EIGRP Authentication between Router A and Router B

EIGRP authentication of packets has been supported since IOS version 11.3. EIGRP route authentication is similar to RIP version 2, but EIGRP authentication supports only the MD5 version of packet encryption.

EIGRP's authentication support may at first seem limited, but plain text authentication should be configured only when neighboring routers do not support MD5. Because EIGRP is a proprietary routing protocol developed by Cisco, it can be spoken only between two Cisco devices, so the issue of another neighboring router not supporting the MD5 cryptographic checksum of packets should never arise.

The steps for configuring authentication of EIGRP updates are similar to the steps for configuring RIP version 2 authentication:

1. Define the key chain using the command key−chain < name> in global configuration mode. This command transfers you to the key chain configuration mode.

2. Specify the key number with the key command in key chain configuration mode. You can configure multiple keys.

3. For each key, identify the key string with the key−string command.

4. Optionally, you can configure the period for which the key can be sent and received. Use the
following commands:

accept−lifetime {infinite|end−time|duration −seconds}
send−lifetime {infinite|end−time|duration seconds}

5. Exit key chain configuration mode with the exit command.

6. Under interface configuration mode, enable the authentication of EIGRP updates with this
command:

ip authentication key−chain eigrp

7. Enable MD5 authentication of EIGRP updates using the following command:

ip authentication mode eigrp md5

With the command below shows you how Router A should be configured to authenticate updates from Router B using EIGRP MD5 authentication,

Command Listing A: Router A's configuration with MD5 authentication:

key chain router−a
key 1
key−string eigrp
!
interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip authentication mode eigrp 2 md5
ip authentication key−chain eigrp 2 router−a
clockrate 64000
!
router eigrp 2
network 10.0.0.0
network 192.168.10.0
no auto−summary
eigrp log−neighbor−changes

And the next below command here shows the configuration for Router B.

Command Listing B: Router B's configuration with MD5 authentication:

key chain router−b
key 1
key−string eigrp
!
interface Loopback0
ip address 10.10.12.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.2 255.255.255.252
ip authentication mode eigrp 2 md5
ip authentication key−chain eigrp 2 router−b
clockrate 64000
!
router eigrp 2
network 10.0.0.0
network 192.168.10.0
no auto−summary
eigrp log−neighbor−changes

The Command Listing A configures Router A with a key chain value of router−a, a key value of 1, and a key−string value of eigrp. The Command Listing B configures Router B with a key chain value of router−b, a key value of 1, and a key−string value of eigrp. Notice again that the key chain need not match between routers; however, the key number and the key string associated with the key value must match between routers configured to use that key value. Although debugging of encrypted EIGRP packets is somewhat limited, a few commands can be used to verify that packet encryption is taking place correctly. Two of those commands are debug eigrp packet and show ip route. The debug eigrp packet command informs you if the router has received a packet with the correct key value and key string. The output of issuing this command can be seen here:

Router−A#debug eigrp packet
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK)
Router−A#
EIGRP: received packet with MD5 authentication
EIGRP: received packet with MD5 authentication

Router A is receiving MD5−authenticated packets from it neighbor, Router B. However, we cannot fully determine whether or not the authentication is taking place correctly without issuing the show ip route command on Router A. This allows us to look at the route table and determine that packet authentication is taking place correctly because the routes that Router B has sent to Router A are installed into the route table. Listing 1.7 displays the output of the show ip route command.

Listing Command C: Route table of Router A with correct authentication configured:

Router−A#sh ip route
...
C 192.168.10.0/24 is directly connected, Ethernet0/0
C 10.10.10.0 is directly connected, Loopback0

C 10.10.11.0 is directly connected, Ethernet0/0
D 10.10.12.0 [90/409600] via 192.168.10.2, 00:18:36, Serial0/0
D 10.10.13.0 [90/409600] via 192.168.10.2, 00:18:36, Serial0/0
Router−A#

You can change Router A's key−string value for key 1 to see what kind of an effect this will have.
The following lines will change the key−string value for key 1 on Router A to ospf:

Router−A#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router−A(config)#key chain router−a
Router−A(config−keychain)#key 1
Router−A(config−keychain−key)#key−string ospf
Router−A(config−keychain−key)#end
Router−A#

Now that Router A has a different key string associated with key 1, you would assume that packet authentication is not taking place correctly. By issuing the debug eigrp packet command, you can see that there is indeed a problem with authentication:

Router−A#debug eigrp packet
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK)
Router−A#
EIGRP: received packet with MD5 authentication
EIGRP: ignored packet from 192.168.10.2 opcode = 5 (invalid
authentication)

Taking a quick look at the route table confirms that the authentication is incorrectly configured. Now that the key strings are different, no routes from Router B are installed into the route table of Router A. Listing Command C: displays the routing table of Router A.
Listing Command C:: Route table of Router A with incorrect authentication configured.

Router−A#sh ip route
...
C 192.168.10.0/24 is directly connected, Ethernet0/0
10.0.0.0/24 is subnetted, 2 subnets
C 10.10.10.0 is directly connected, Loopback0
C 10.10.11.0 is directly connected, Loopback1
Router−A#

NOTE: You can also issue the show ip eigrp neighbor command to determine if authentication is configured correctly. If authentication is correctly configured, the neighboring router will be displayed in the output of the command. If authentication is incorrectly configured, the neighbor will not be displayed in the output.

Other sites you may want to see:

Entertainment on Flixya: http://visalittleboy.flixya.com/
WWE: http://visa-wwe.blogspot.com/
The Kingdom of Wonder: http://welcome2cambodia.blogspot.com/
Daily Blogging: http://visablogging.blogspot.com/
Love Sharing: http://visa-love.blogspot.com/
NetworkSecurity: http://networksecuritynotes.blogspot.com/
About Insurance:http://visa-insurance.blogspot.com
All about Love: http://visa-love.blogspot.com/
Learning English Online: http://visa-elb.blogspot.com/
Discovery Internet: http://visa-isp.blogspot.com/

Network Security Notes: Network Protocols: Understanding EIGRP and IGRP Protocols

2011-02-04T08:41:00.004+07:00

Network Security Notes: Network Protocols: Understanding EIGRP and IGRP Protocols

Enhanced Interior Gateway Routing Protocol - (EIGRP) is a Cisco proprietary routing protocol loosely based on their original IGRP. EIGRP is an advanced distance-vector routing protocol, with optimizations to minimize both the routing instability incurred after topology changes, as well as the use of bandwidth and processing power in the router. Routers that support EIGRP will automatically redistribute route information to IGRP neighbors by converting the 32 bit EIGRP metric to the 24 bit IGRP metric. Most of the routing optimizations are based on the Diffusing Update Algorithm (DUAL) work from SRI, which guarantees loop-free operation and provides a mechanism for fast convergence.

What is IGRP?

Interior Gateway Routing Protocol (IGRP) is a distance vector interior routing protocol (IGP) invented by Cisco. It is used by routers to exchange routing data within an autonomous system.

IGRP is a proprietary protocol. IGRP was created in part to overcome the limitations of RIP (maximum hop count of only 15, and a single routing metric) when used within large networks. IGRP supports multiple metrics for each route, including bandwidth, delay, load, MTU, and reliability; to compare two routes these metrics are combined together into a single metric, using a formula which can be adjusted through the use of pre-set constants. The maximum hop count of IGRP-routed packets is 255 (default 100), and routing updates are broadcast every 90 seconds (by default).

IGRP is considered a classful routing protocol. Because the protocol has no field for a subnet mask, the router assumes that all interface addresses within the same Class A, Class B, or Class C network have the same subnet mask as the subnet mask configured for the interfaces in question. This contrasts with classless routing protocols that can use variable length subnet masks. Classful protocols have become less popular as they are wasteful of IP address space.

What is Distance-vector routing protocol?

In computer communication theory relating to packet-switched networks, a distance-vector routing protocol is one of the two major classes of routing protocols, the other major class being the link-state protocol. A distance-vector routing protocol uses the Bellman-Ford algorithm to calculate paths.

A distance-vector routing protocol requires that a router informs its neighbors of topology changes periodically and, in some cases, when a change is detected in the topology of a network. Compared to link-state protocols, which require a router to inform all the nodes in a network of topology changes, distance-vector routing protocols have less computational complexity and message overhead.

Distance Vector means that Routers are advertised as vector of distance and direction. 'Direction' is represented by next hop address and exit interface, whereas 'Distance' uses metrics such as hop count.

Routers using distance vector protocol do not have knowledge of the entire path to a destination. Instead DV uses two methods:

1. Direction in which or interface to which a packet should be forwarded.
2. Distance from its destination.

Examples of distance-vector routing protocols include Routing Information Protocol Version 1 & 2, RIPv1 and RIPv2 and IGRP. EGP and BGP are not pure distance-vector routing protocols because a distance-vector protocol calculates routes based only on link costs whereas in BGP, for example, the local route preference value takes priority over the link cost.

A link-state routing protocol is one of the two main classes of routing protocols used in packet switching networks for computer communications, the other major class being the distance-vector routing protocol. Examples of link-state routing protocols include OSPF and IS-IS.

The link-state protocol is performed by every switching node in the network (i.e. nodes that are prepared to forward packets; in the Internet, these are called routers). The basic concept of link-state routing is that every node constructs a map of the connectivity to the network, in the form of a graph, showing which nodes are connected to which other nodes. Each node then independently calculates the next best logical path from it to every possible destination in the network. The collection of best paths will then form the node's routing table.

This contrasts with distance-vector routing protocols, which works by having each node share its routing table with its neighbors. In a link-state protocol the only information passed between nodes is connectivity related.

Link state algorithms are sometimes characterized by the ‘Each router tells the world about its neighbors’.

Understanding About Diffusing Update Algorithm (DUAL):

DUAL, the Diffusing Update ALgorithm, is the algorithm used by Cisco's EIGRP routing protocol to ensure that a given route is recalculated globally whenever it might cause a routing loop. According to Cisco, the full name of the algorithm is DUAL finite-state machine (DUAL FSM). EIGRP is responsible for the routing within an autonomous system and DUAL responds to changes in the routing topology and dynamically adjusts the routing tables of the router automatically.

EIGRP uses a feasibility condition to ensure that only loop-free routes are ever selected. The feasibility condition is conservative: when the condition is true, no loops can occur, but the condition might under some circumstances reject all routes to a destination although some are loop-free.

When no feasible route to a destination is available, the DUAL algorithm invokes a Diffusing Computation to ensure that all traces of the problematic route are eliminated from the network. At which point the normal Bellman-Ford algorithm is used to recover a new route.

!!! DUAL Operation:

DUAL uses three separate tables for the route calculation. These tables are created using information exchanged between the EIGRP routers. The information is different than that exchanged by link-state routing protocols. In EIGRP, the information exchanged includes the routes, the "metric" or cost of each route, and the information required to form a neighbor relationship (such as AS number, timers, and K values). The three tables and their functions in detail are as follows:

* Neighbor table contains information on all other directly connected routers. A separate table exists for each supported protocol (IP, IPX, etc). Each entry corresponds to a neighbour with the description of network interface and address. In addition, a timer is initialized to trigger the periodic detection of whether the connection is alive. This is achieved through "Hello" packets. If a "Hello" packet is not received from a neighbor for a specified time period, the router is assumed down and removed from the neighbor table.
* Topology table contains the metric (cost information) of all routes to any destination within the autonomous system. This information is received from neighboring routers contained in the Neighbor table. The primary (successor) and secondary (feasible successor) routes to a destination will be determined with the information in the topology table. Among other things, each entry in the topology table contains the following:

"FD (Feasible Distance)": The calculated metric of a route to a destination within the autonomous system.
"RD (Reported Distance)": The metric to a destination as advertised by a neighboring router. RD is used to calculate the FD, and to determine if the route meets the "feasibility condition".
Route Status: A route is marked either "active" or "passive". "Passive" routes are stable and can be used for data transmission. "Active" routes are being recalculated, and/or not available.

* Routing table contains the best route(s) to a destination (in terms of the lowest "metric"). These routes are the successors from the topology table.

DUAL evaluates the data received from other routers in the topology table and calculates the primary (successor) and secondary (feasible successor) routes. The primary path is usually the path with the lowest metric to reach the destination, and the redundant path is the path with the second lowest cost (if it meets the feasibility condition). There may be multiple successors and multiple feasible successors. Both successors and feasible successors are maintained in the topology table, but only the successors are added to the routing table and used to route packets.

For a route to become a feasible successor, its RD must be smaller than the FD of the successor. If this feasibility condition is met, there is no way that adding this route to the routing table could cause a loop.

If all the successor routes to a destination fail, the feasible successor becomes the successor and is immediately added to the routing table. If there is no feasible successor in the topology table, a query process is initiated to look for a new route.

Do you know SRI?

SRI International, founded as Stanford Research Institute, is one of the world's largest contract research institutes. Based in the United States, the trustees of Stanford University established it in 1946 as a center of innovation to support economic development in the region. It was later incorporated as an independent non-profit organization under U.S. and California laws. SRI's headquarters are in Menlo Park, California, near the Stanford University campus. Curtis Carlson, Ph.D., is SRI's president and CEO. Year 2009 revenue for SRI, including its subsidiary, Sarnoff Corporation, was approximately $470 million. As of 2010, SRI and Sarnoff employ about 1,700 staff members combined.

SRI's mission is discovery and the application of science and technology for knowledge, commerce, prosperity, and peace. It performs client-sponsored research and development for government agencies, commercial businesses, and private foundations. It also licenses its technologies, forms strategic partnerships, and creates spin-off companies. SRI's focus areas include communications and networks, computing, economic development and science and technology policy, education, energy and the environment, engineering systems, pharmaceuticals and health sciences, homeland security and national defense, materials and structures, and robotics. SRI has been awarded more than 1,000 patents and patent applications worldwide.

Understanding About Convergence (routing protocol):

Convergence is an important notion for a set of routers that engage in dynamic routing. For a set of routers to have converged, they must have collected all available topology information from each other via the implemented routing protocol, the information they gathered must not contradict any other router's topology information in the set, and it must reflect the real state of the network. In other words: In a converged network all routers "agree" on what the network topology looks like.

All Interior Gateway Protocols rely on convergence to function properly; it is the normal state of an operational autonomous system. The Exterior Gateway Routing Protocol BGP typically never converges because the Internet is too big for changes to be communicated fast enough.

Convergence process:

When a routing protocol process is enabled, a router will attempt to exchange information about the topology of the network. The extent of this information exchange, the way it is sent and received, and the type of information required vary widely depending on the routing protocol in use, see e.g. RIP, OSPF, BGP4.

A state of convergence is achieved once all routing protocol-specific information has been distributed to all routers participating in the routing protocol process. Any change in the network that affects routing tables will break the convergence temporarily until this change has been successfully communicated to all other routers.

Basic operation of EIGRP:

The data EIGRP collects is stored in three tables:

* Neighbor Table: Stores data about the neighboring routers, i.e. those directly accessible through directly connected interfaces.

* Topology Table: Confusingly named, this table does not store an overview of the complete network topology; rather, it effectively contains only the aggregation of the routing tables gathered from all directly connected neighbors. This table contains a list of destination networks in the EIGRP-routed network together with their respective metrics. Also for every destination, a successor and a feasible successor are identified and stored in the table if they exist. Every destination in the topology table can be marked either as "Passive", which is the state when the routing has stabilized and the router knows the route to the destination, or "Active" when the topology has changed and the router is in the process of (actively) updating its route to that destination.

* Routing table: Stores the actual routes to all destinations; the routing table is populated from the topology table with every destination network that has its successor and optionally feasible successor identified (if unequal-cost load-balancing is enabled using the variance command). The successors and feasible successors serve as the next hop routers for these destinations.

Unlike most other distance vector protocols, EIGRP does not rely on periodic route dumps in order to maintain its topology table. Routing information is exchanged only upon the establishment of new neighbor adjacencies, after which only changes are sent. Also, it uses route tagging.

Another useful link about EIGRP and IGRP:

Introduction to EIGRP (CISCO)

Other sites you may want to see:

Entertainment on Flixya: http://visalittleboy.flixya.com/
WWE: http://visa-wwe.blogspot.com/
The Kingdom of Wonder: http://welcome2cambodia.blogspot.com/
Daily Blogging: http://visablogging.blogspot.com/
Love Sharing: http://visa-love.blogspot.com/
NetworkSecurity: http://networksecuritynotes.blogspot.com/
About Insurance:http://visa-insurance.blogspot.com
All about Love: http://visa-love.blogspot.com/
Learning English Online: http://visa-elb.blogspot.com/
Discovery Internet: http://visa-isp.blogspot.com/

Network Technology: Network Security: A Security Primer

2011-01-07T10:26:00.006+07:00

A Security Primer

As you already know, security is very important to secure your network life. With this post I would to like to share you a slide show presents you about a Security Primer. The slide show presented by Venkatesh Iyer created on 30/11/2005.

The topic of the slide show will cover about:

- PGP S/MIME, SSL TLS, IPSEC, Cryptography (Symmetric key, Public key)..
- Need for Message Security: Privacy, Authentication, Integrity, Non-repudiation..
- Digital signatures..
- Key management..
- Certificate...
- Security at IP level: IPEC Security
- Security at Transport Layer: Security Socket Layer(SSL), Transport Layer Security (TLS)
- Security at Application Layer: Pretty Good Privacy(PGP),

....

For more details about Security Primer, Please visit the slide show below:

Network Security Primer

View more presentations from rvenkatesh25.

Network Technology: Network Security: How to Configuring RIP Authentication

2010-10-25T09:38:00.005+07:00

As my previous post about RIP Protocol, here this post I want to show you how to configure RIP Authentication...

Generally, There are two versions of Routing Information Protocol (RIP): version 1 and version 2. RIP version 1 does not support authentication of routing updates; however, RIP version 2 supports both plain text and MD5 authentication.

The Picture Figure below shows two routers, Router A and Router B, that exchange
RIP version 2 MD5 authentication updates.

Router A and Router B configured for RIP authentication

Configuring authentication of RIP version 2 updates is fairly easy and very uniform. The basic configuration includes the following steps:

1. Define the key chain using the command key−chain <> in global configuration mode. This command transfers you to the key chain configuration mode.

2. Specify the key number with the key <> command in key chain configuration mode.You can configure multiple keys.

3. For each key, identify the key string with the key−string <> command.

4. Configure the period for which the key can be sent and received. Use the following
commands:

accept−lifetime {infinite|end−time|duration −
seconds}
send−lifetime {infinite|end−time|duration seconds}

5. Exit key chain configuration mode with the exit command.

6. Under interface configuration mode, enable the authentication of RIP updates with this command:

ip rip authentication key−chain

This command is all that is needed to use plain text authentication.

7. Optionally, under interface configuration mode, enable MD5 authentication of RIP updates using the ip rip authentication mode md5 command.

The listings that follow show how Router A and Router B in Figure 1.3 should be configured to authenticate updates from one another using RIP MD5 authentication. Listing 1.1 shows the configuration of Router A, and Listing 1.2 shows the configuration of Router B.

Listing 1.1: Router A's configuration with MD5 authentication:

key chain systems
key 1
key−string router
!
interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip rip authentication mode md5
ip rip authentication key−chain systems
clockrate 64000
!
router rip
version 2
network 10.0.0.0
network 192.168.10.0
no auto−summary

Listing 1.2: Router B's configuration with MD5 authentication:

key chain cisco
key 1
key−string router
!
interface Loopback0
ip address 10.10.12.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.2 255.255.255.252
ip rip authentication mode md5
ip rip authentication key−chain cisco
!
router rip
version 2
network 10.0.0.0
network 192.168.10.0
no auto−summary

The configuration in Listing 1.1 displays Router A's MD5 configuration. Router A is configured with a key chain value of systems, a key value of 1, and a key−string value of router. Listing 1.2 displays Router B's MD5 configuration. Router B is configured with a key chain value of cisco, a key value of 1, and a key−string value of router.

Note Notice that the key−chain command of each router can have a different value; however, the key−string command must match for each key that is configured on each neighbor.

You can use the command debug ip rip to examine how RIP receives the encrypted routing updates. Entering this command on Router A and Router B displays the output shown in Listing 1.3 and Listing 1.4, respectively.

Listing 1.3: The output of the command debug ip rip displays how Router A receives RIP routing
updates from Router B:

Router−A#debug ip rip
RIP protocol debugging is on
Router−A#
RIP: received packet with MD5 authentication
RIP: received v2 update from 192.168.10.2 on Serial0/0
10.10.12.0/24 −> 0.0.0.0 in 1 hops
10.10.13.0/24 −> 0.0.0.0 in 1 hops

Listing 1.4: The output of the command debug ip rip displays how Router B receives RIP routing
updates from Router A:

Router−B#debug ip rip
RIP protocol debugging is on
Router−B#
RIP: received packet with MD5 authentication
RIP: received v2 update from 192.168.10.1 on Serial0/0
10.10.10.0/24 via 0.0.0.0 in 1 hops
10.10.11.0/24 via 0.0.0.0 in 1 hops

Other sites you may want to see:

Entertainment on Flixya: http://visalittleboy.flixya.com/
WWE: http://visa-wwe.blogspot.com/
The Kingdom of Wonder: http://welcome2cambodia.blogspot.com/
Daily Blogging: http://visablogging.blogspot.com/
Love Sharing: http://visa-love.blogspot.com/
NetworkSecurity: http://networksecuritynotes.blogspot.com/
About Insurance:http://visa-insurance.blogspot.com
All about Love: http://visa-love.blogspot.com/
Learning English Online: http://visa-elb.blogspot.com/
Discovery Internet: http://visa-isp.blogspot.com/

Network Technology: Network Security: Understanding OSI Network Layer- Model

2010-09-22T16:19:00.007+07:00

The Open Systems Interconnection model (OSI model) is a product of the Open Systems Interconnection effort at the International Organization for Standardization. It is a way of sub-dividing a communications system into smaller parts called layers. A layer is a collection of conceptually similar functions that provide services to the layer above it and receives services from the layer below it. On each layer an instance provides services to the instances at the layer above and requests service from the layer below.

OSI Model Network Layers

For example, a layer that provides error-free communications across a network provides the path needed by applications above it, while it calls the next lower layer to send and receive packets that make up the contents of the path. Conceptually two instances at one layer are connected by a horizontal protocol connection on that layer.

Description of OSI layers:

Layer 1: Physical Layer

The Physical Layer defines the electrical and physical specifications for devices. In particular, it defines the relationship between a device and a transmission medium, such as a copper or optical cable. This includes the layout of pins, voltages, cable specifications, hubs, repeaters, network adapters, host bus adapters (HBA used in storage area networks) and more.

To understand the function of the Physical Layer, contrast it with the functions of the Data Link Layer. Think of the Physical Layer as concerned primarily with the interaction of a single device with a medium, whereas the Data Link Layer is concerned more with the interactions of multiple devices (i.e., at least two) with a shared medium. Standards such as RS-232 do use physical wires to control access to the medium.

The major functions and services performed by the Physical Layer are:

* Establishment and termination of a connection to a communications medium.
* Participation in the process whereby the communication resources are effectively shared among multiple users. For example, contention resolution and flow control.
* Modulation, or conversion between the representation of digital data in user equipment and the corresponding signals transmitted over a communications channel. These are signals operating over the physical cabling (such as copper and optical fiber) or over a radio link.

Parallel SCSI buses operate in this layer, although it must be remembered that the logical SCSI protocol is a Transport Layer protocol that runs over this bus. Various Physical Layer Ethernet standards are also in this layer; Ethernet incorporates both this layer and the Data Link Layer. The same applies to other local-area networks, such as token ring, FDDI, ITU-T G.hn and IEEE 802.11, as well as personal area networks such as Bluetooth and IEEE 802.15.4.

Layer 2: Data Link Layer

The Data Link Layer provides the functional and procedural means to transfer data between network entities and to detect and possibly correct errors that may occur in the Physical Layer. Originally, this layer was intended for point-to-point and point-to-multipoint media, characteristic of wide area media in the telephone system. Local area network architecture, which included broadcast-capable multiaccess media, was developed independently of the ISO work in IEEE Project 802. IEEE work assumed sublayering and management functions not required for WAN use. In modern practice, only error detection, not flow control using sliding window, is present in data link protocols such as Point-to-Point Protocol (PPP), and, on local area networks, the IEEE 802.2 LLC layer is not used for most protocols on the Ethernet, and on other local area networks, its flow control and acknowledgment mechanisms are rarely used. Sliding window flow control and acknowledgment is used at the Transport Layer by protocols such as TCP, but is still used in niches where X.25 offers performance advantages.

The ITU-T G.hn standard, which provides high-speed local area networking over existing wires (power lines, phone lines and coaxial cables), includes a complete Data Link Layer which provides both error correction and flow control by means of a selective repeat Sliding Window Protocol.

Both WAN and LAN service arrange bits, from the Physical Layer, into logical sequences called frames. Not all Physical Layer bits necessarily go into frames, as some of these bits are purely intended for Physical Layer functions. For example, every fifth bit of the FDDI bit stream is not used by the Layer.

WAN Protocol architecture

Connection-oriented WAN data link protocols, in addition to framing, detect and may correct errors. They are also capable of controlling the rate of transmission. A WAN Data Link Layer might implement a sliding window flow control and acknowledgment mechanism to provide reliable delivery of frames; that is the case for SDLC and HDLC, and derivatives of HDLC such as LAPB and LAPD.

IEEE 802 LAN architecture

Practical, connectionless LANs began with the pre-IEEE Ethernet specification, which is the ancestor of IEEE 802.3. This layer manages the interaction of devices with a shared medium, which is the function of a Media Access Control sublayer. Above this MAC sublayer is the media-independent IEEE 802.2 Logical Link Control (LLC) sublayer, which deals with addressing and multiplexing on multiaccess media.

While IEEE 802.3 is the dominant wired LAN protocol and IEEE 802.11 the wireless LAN protocol, obsolescent MAC layers include Token Ring and FDDI. The MAC sublayer detects but does not correct errors.

Layer 3: Network Layer

The Network Layer provides the functional and procedural means of transferring variable length data sequences from a source to a destination via one or more networks, while maintaining the quality of service requested by the Transport Layer. The Network Layer performs network routing functions, and might also perform fragmentation and reassembly, and report delivery errors. Routers operate at this layer—sending data throughout the extended network and making the Internet possible. This is a logical addressing scheme – values are chosen by the network engineer. The addressing scheme is not hierarchical.

Careful analysis of the Network Layer indicated that the Network Layer could have at least 3 sublayers: 1.Subnetwork Access - that considers protocols that deal with the interface to networks, such as X.25; 2.Subnetwork Dependent Convergence - when it is necessary to bring the level of a transit network up to the level of networks on either side; 3.Subnetwork Independent Convergence - which handles transfer across multiple networks. The best example of this latter case is CLNP, or IPv7 ISO 8473. It manages the connectionless transfer of data one hop at a time, from end system to ingress router, router to router, and from egress router to destination end system. It is not responsible for reliable delivery to a next hop, but only for the detection of errored packets so they may be discarded. In this scheme, IPv4 and IPv6 would have to be classed with X.25 as Subnet Access protocols because they carry interface addresses rather than node addresses.

A number of layer management protocols, a function defined in the Management Annex, ISO 7498/4, belong to the Network Layer. These include routing protocols, multicast group management, Network Layer information and error, and Network Layer address assignment. It is the function of the payload that makes these belong to the Network Layer, not the protocol that carries them.

Layer 4: Transport Layer

The Transport Layer provides transparent transfer of data between end users, providing reliable data transfer services to the upper layers. The Transport Layer controls the reliability of a given link through flow control, segmentation/desegmentation, and error control. Some protocols are state and connection oriented. This means that the Transport Layer can keep track of the segments and retransmit those that fail. The Transport layer also provides the acknowledgement of the successful data transmission and if no error free data was transferred then sends the next data.

Although not developed under the OSI Reference Model and not strictly conforming to the OSI definition of the Transport Layer, typical examples of Layer 4 are the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).

Of the actual OSI protocols, there are five classes of connection-mode transport protocols ranging from class 0 (which is also known as TP0 and provides the least features) to class 4 (TP4, designed for less reliable networks, similar to the Internet). Class 0 contains no error recovery, and was designed for use on network layers that provide error-free connections. Class 4 is closest to TCP, although TCP contains functions, such as the graceful close, which OSI assigns to the Session Layer. Also, all OSI TP connection-mode protocol classes provide expedited data and preservation of record boundaries, both of which TCP is incapable. Detailed characteristics of TP0-4 classes are shown in the following table:

Perhaps an easy way to visualize the Transport Layer is to compare it with a Post Office, which deals with the dispatch and classification of mail and parcels sent. Do remember, however, that a post office manages the outer envelope of mail. Higher layers may have the equivalent of double envelopes, such as cryptographic presentation services that can be read by the addressee only. Roughly speaking, tunneling protocols operate at the Transport Layer, such as carrying non-IP protocols such as IBM's SNA or Novell's IPX over an IP network, or end-to-end encryption with IPsec. While Generic Routing Encapsulation (GRE) might seem to be a Network Layer protocol, if the encapsulation of the payload takes place only at endpoint, GRE becomes closer to a transport protocol that uses IP headers but contains complete frames or packets to deliver to an endpoint. L2TP carries PPP frames inside transport packet.

Layer 5: Session Layer

The Session Layer controls the dialogues (connections) between computers. It establishes, manages and terminates the connections between the local and remote application. It provides for full-duplex, half-duplex, or simplex operation, and establishes checkpointing, adjournment, termination, and restart procedures. The OSI model made this layer responsible for graceful close of sessions, which is a property of the Transmission Control Protocol, and also for session checkpointing and recovery, which is not usually used in the Internet Protocol Suite. The Session Layer is commonly implemented explicitly in application environments that use remote procedure calls.

Layer 6: Presentation Layer

The Presentation Layer establishes context between Application Layer entities, in which the higher-layer entities may use different syntax and semantics if the presentation service provides a mapping between them. If a mapping is available, presentation service data units are encapsulated into session protocol data units, and passed down the stack.

This layer provides independence from data representation (e.g., encryption) by translating between application and network formats. The presentation layer transforms data into the form that the application accepts. This layer formats and encrypts data to be sent across a network. It is sometimes called the syntax layer.[citation needed]

The original presentation structure used the basic encoding rules of Abstract Syntax Notation One (ASN.1), with capabilities such as converting an EBCDIC-coded text file to an ASCII-coded file, or serialization of objects and other data structures from and to XML.

Layer 7: Application Layer

The Application Layer is the OSI layer closest to the end user, which means that both the OSI application layer and the user interact directly with the software application. This layer interacts with software applications that implement a communicating component. Such application programs fall outside the scope of the OSI model. Application layer functions typically include identifying communication partners, determining resource availability, and synchronizing communication. When identifying communication partners, the application layer determines the identity and availability of communication partners for an application with data to transmit. When determining resource availability, the application layer must decide whether sufficient network or the requested communication exist. In synchronizing communication, all communication between applications requires cooperation that is managed by the application layer. Some examples of application layer implementations include Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP) and X.400 Mail.

Other sites you may want to see:

Entertainment on Flixya: http://visalittleboy.flixya.com/
WWE: http://visa-wwe.blogspot.com/
The Kingdom of Wonder: http://welcome2cambodia.blogspot.com/
Daily Blogging: http://visablogging.blogspot.com/
Love Sharing: http://visa-love.blogspot.com/
NetworkSecurity: http://networksecuritynotes.blogspot.com/
About Insurance:http://visa-insurance.blogspot.com
All about Love: http://visa-love.blogspot.com/
Learning English Online: http://visa-elb.blogspot.com/
Discovery Internet: http://visa-isp.blogspot.com/

Network Technology: Network Security: Learning About RIP (Routing Information Protocol)

2010-09-09T12:11:00.005+07:00

The Routing Information Protocol (RIP) is a dynamic routing protocol used in local and wide area networks. As such it is classified as an interior gateway protocol (IGP). It uses the distance-vector routing algorithm. It was first defined in RFC 1058 (1988). The protocol has since been extended several times, resulting in RIP Version 2 (RFC 2453). Both versions are still in use today, however, they are considered to have been made technically obsolete by more advanced techniques such as Open Shortest Path First (OSPF) and the OSI protocol IS-IS. RIP has also been adapted for use in IPv6 networks, a standard known as RIPng (RIP next generation), published in RFC 2080 (1997).

The routing algorithm used in RIP, the Bellman-Ford algorithm, was first deployed in a computer network in 1967, as the initial routing algorithm of the ARPANET.

The earliest version of the specific protocol that became RIP was the Gateway Information Protocol, part of the PARC Universal Packet internetworking protocol suite, developed at Xerox Parc. A later version, named the Routing Information Protocol, was part of Xerox Network Systems.

A version of RIP which supported the Internet Protocol (IP) was later included in the Berkeley Software Distribution (BSD) of the Unix operating system. It was known as the routed daemon. Various other vendors would create their own implementations of the routing protocol. Eventually, RFC 1058 unified the various implementations under a single standard.

RIP is a distance-vector routing protocol, which employs the hop count as a routing metric. The hold down time is 180 seconds. RIP prevents routing loops by implementing a limit on the number of hops allowed in a path from the source to a destination. The maximum number of hops allowed for RIP is 15. This hop limit, however, also limits the size of networks that RIP can support. A hop count of 16 is considered an infinite distance and used to deprecate inaccessible, inoperable, or otherwise undesirable routes in the selection process.

RIP implements the split horizon, route poisoning and holddown mechanisms to prevent incorrect routing information from being propagated. These are some of the stability features of RIP. It is also possible to use the so called RIP-MTI (Minimal Topology Information) algorithm to cope with the count to infinity problem. With its help, it is possible to detect every possible loop with a very small computation effort.

Originally each RIP router transmitted full updates every 30 seconds. In the early deployments, routing tables were small enough that the traffic was not significant. As networks grew in size, however, it became evident there could be a massive traffic burst every 30 seconds, even if the routers had been initialized at random times. It was thought, as a result of random initialization, the routing updates would spread out in time, but this was not true in practice. Sally Floyd and Van Jacobson showed in 1994 that, without slight randomization of the update timer, the timers synchronized over time. In most current networking environments, RIP is not the preferred choice for routing as its time to converge and scalability are poor compared to EIGRP, OSPF, or IS-IS (the latter two being link-state routing protocols), and (without RIP-MTI) a hop limit severely limits the size of network it can be used in. However, it is easy to configure, because RIP does not require any parameters on a router unlike other protocols.

RIP is implemented on top of the User Datagram Protocol as its transport protocol. It is assigned the reserved port number 520.

RIP Versions:

There are three versions of the Routing Information Protocol: RIPv1, RIPv2, and RIPng.

RIP version 1

The original specification of RIP, defined in RFC 1058, uses classful routing. The periodic routing updates do not carry subnet information, lacking support for variable length subnet masks (VLSM). This limitation makes it impossible to have different-sized subnets inside of the same network class. In other words, all subnets in a network class must have the same size. There is also no support for router authentication, making RIP vulnerable to various attacks.The RIP version 1 works when there is only 16 hop counts(0-15).If there are more than 16 hops between two routers it fails to send data packets to the destination address.

RIP version 2

Due to the deficiencies of the original RIP specification, RIP version 2 (RIPv2) was developed in 1993 and last standardized in 1998. It included the ability to carry subnet information, thus supporting Classless Inter-Domain Routing (CIDR). To maintain backward compatibility, the hop count limit of 15 remained. RIPv2 has facilities to fully interoperate with the earlier specification if all Must Be Zero protocol fields in the RIPv1 messages are properly specified. In addition, a compatibility switch feature allows fine-grained interoperability adjustments.

In an effort to avoid unnecessary load on hosts that do not participate in routing, RIPv2 multicasts the entire routing table to all adjacent routers at the address 224.0.0.9, as opposed to RIPv1 which uses broadcast. Unicast addressing is still allowed for special applications.

(MD5) authentication for RIP was introduced in 1997.

RIPv2 is Internet Standard STD-56.

Route tags were also added in RIP version 2. This functionality allows for routes to be distinguished from internal routes to external redistributed routes from EGP protocols.

RIPng

RIPng (RIP next generation), defined in RFC 2080,[8] is an extension of RIPv2 for support of IPv6, the next generation Internet Protocol. The main differences between RIPv2 and RIPng are:

* Support of IPv6 networking.
* While RIPv2 supports RIPv1 updates authentication, RIPng does not. IPv6 routers were, at the time, supposed to use IPsec for authentication.
* RIPv2 allows attaching arbitrary tags to routes, RIPng does not;
* RIPv2 encodes the next-hop into each route entries, RIPng requires specific encoding of the next hop for a set of route entries.xxx

...

Top Five Network Security Concerns You Should Learn

2010-07-23T09:23:00.004+07:00

Top Five Network Security Concerns You Should Learn

Getting into establishing a stable network is one concert. After the network already built is another one concern. The concern is about the Security. To keep network run stable and available, the network need to be secured.

Here's the Top 5 Network Security Concerns You Should Learn...

Visit here...

Configuring SNMP Security

2010-05-30T17:39:00.003+07:00

There is no specific command that you use to enable SNMP. To configure SNMP support, perform the tasks described in the following steps, only the first two steps are mandatory:

1.Enable the SNMP community string to define the relationship between the network
management station and the agent with the following command:

snmp−server community {ro|rw} {number}

The number value references an optional access−list.

2.Use this command to configure the router to send traps to an NMS host:

snmp−server host host [version {1|2c}]

3.Configure the type of traps for which a notification is sent to the NMS. You do so with the following command:

snmp−server enable traps [notification type] –
[notification option]

4.Set the system contact, location, and serial number. You can set the systems contact with the snmp−server contact [text] command. You set the location with the snmp−server location [text] command, and you set the serial number with the snmp−server chassis−id [text] command.

5.Use the access−list command to specify a list of hosts that are allowed read−, read/write, or write−only access to the router.

The picture below: shows Router 1, which is configured to allow SNMP read−only access and read/write access from two separate hosts. Router 1 is also configured to send SNMP trap information to the same two hosts. The following lines show how Router 1 should be configured so SNMP access from both host 192.168.10.1 and 192.168.10.2 is allowed and SNMP trap information is sent to both hosts:

access−list 12 permit 192.168.10.1
access−list 13 permit 192.168.10.2
snmp−server contact VISA
snmp−server location Network Engineers
snmp−server chassis−id 200000444
snmp−server community observe RO 12
snmp−server community adjust RW 13
snmp−server host 192.168.10.1 observe snmp
snmp−server host 192.168.10.2 adjust snmp

Router 1 configured for SNMP

Hey, Your Facebook ID was HACKED?

2010-04-24T18:17:00.006+07:00

Facebook is one of the most popular social networking sites that people use to connect each other. Each person needs to have a unique Facebook ID to Login to their account. What's UP if your facebook ID was Hacked? The Hacker will use your ID to do what they want.

I'm really concerned about that because I'm also using Facebook for networking with my friends.

According to The Network World, 1.5 million Facebook IDs were stolen and were ready up for sale. More about Facebook IDs were stolen and up for Sale Read here...

To make sure that your ID was hacked or not. Check any strange activities that may happen on your Facebook account that were not done by you...

How to Configuring Banner Messages on Cisco Router

2010-02-22T16:40:00.003+07:00

My Previous Post: About How to Configuring Password Encryption on Cisco Router
This post: About How to Configuring Banner Messages on Cisco Router:

There are four types of banner messages:

---> Message of the Day (MOTD): Displayed at login. Useful for sending messages that affect all network users.
---> Login: Displayed after the Message of the Day banner appears and before the login
prompts.
---> EXEC: Displayed whenever an EXEC process is initiated.
---> Incoming: Displayed on terminals connected to reverse Telnet lines.

The process for configuring banner messages is fairly simple. Enter the following command in global configuration mode:

banner {exec|motd|login|incoming} [delimited character] –
[delimited character]

Here is a sample MOTD banner:

CiscoRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
CiscoRouter(config)#banner motd #
Enter TEXT message. End with the character '#'.
*****************************************************
* WARNING...WARNING...WARNING...WARNING
* YOU HAVE ACCESSED A RESTRICTED DEVICE
* USE OF THIS DEVICE WITHOUT PRIOR AUTHORIZATION
* OR FOR PURPOSES WHICH AUTHORIZATION HAS NOT BEEN
* GRANTED IS STRICTLY PROHIBITED!!!
*****************************************************
#
CiscoRouter(config)#end
CiscoRouter#

The results of setting the MOTD banner message can be seen by using the show running−config command or by logging into the router. The following is an example of logging into the router from the console port:

CiscoRouter con0 is now available
......
Press RETURN to get started.
......
******************************************************
* WARNING...WARNING...WARNING...WARNING
* YOU HAVE ACCESSED A RESTRICTED DEVICE
* USE OF THIS DEVICE WITHOUT PRIOR AUTHORIZATION
* OR FOR PURPOSES WHICH AUTHORIZATION HAS NOT BEEN
* GRANTED IS STRICTLY PROHIBITED!!!
******************************************************
CiscoRouter>

EXEC banner messages, as mentioned earlier, are invoked when a user attempts to gain access into privileged mode. Industry−standard best practices recommend configuring a MOTD banner message as well as an EXEC banner message. Working still on the same router, here's how to configure an EXEC banner to complement the MOTD banner. This can be accomplished using the following configuration:

CiscoRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
CiscoRouter(config)#banner exec #
Enter TEXT message. End with the character '#'.
*******************************************************
* WARNING...WARNING...WARNING...WARNING
* THIS IS A REMINDER...THIS IS A REMINDER
* YOU HAVE ACCESSED A RESTRICTED DEVICE
* USE OF THIS DEVICE WITHOUT PRIOR AUTHORIZATION
* OR FOR PURPOSES WHICH AUTHORIZATION HAS NOT BEEN
* GRANTED IS STRICTLY PROHIBITED!!!
*******************************************************
#
CiscoRouter(config)#end
CiscoRouter#

The results of setting the EXEC message can be seen by using the show running−config
command or by using the telnet command to remotely connect to a router with the EXEC banner enabled. The results of configuring both the MOTD banner and the EXEC banner can be seen here:

R1#telnet 192.168.10.1
Trying 192.168.10.1 ... Open
*******************************************************
* WARNING...WARNING...WARNING...WARNING
* YOU HAVE ACCESSED A RESTRICTED DEVICE
* USE OF THIS DEVICE WITHOUT PRIOR AUTHORIZATION
* OR FOR PURPOSES WHICH AUTHORIZATION HAS NOT BEEN
* GRANTED IS STRICTLY PROHIBITED!!!
23
*******************************************************
User Access Verification
Username: Visa
Password:
*******************************************************
* WARNING...WARNING...WARNING...WARNING
* THIS IS A REMINDER...THIS IS A REMINDER
* YOU HAVE ACCESSED A RESTRICTED DEVICE
* USE OF THIS DEVICE WITHOUT PRIOR AUTHORIZATION
* OR FOR PURPOSES WHICH AUTHORIZATION HAS NOT BEEN
* GRANTED IS STRICTLY PROHIBITED!!!
*******************************************************
CiscoRouter>en
Password:
CiscoRouter#

Notice that the EXEC banner is displayed after the user has passed the local authentication phase on the router.

How to Configuring Password Encryption

2010-02-08T14:57:00.005+07:00

As my previous post about How to Configure Privilege Levels for Users on Cisco Router.
Today this post I'd like to show you how to configure Password Encryption on Cisco Router.

Well, It's relatively simple to configure password encryption on Cisco routers. When password encryption is configured, all passwords that are configured on the router are converted to an unsophisticated reversible cipher. Although the algorithm that is used to convert the passwords is somewhat unsophisticated, it still serves a very good purpose. Intruders cannot simply view the password in plain text and know what the password is. To enable the use of password encryption, use the command service password−encryption.

The following example shows a router configuration prior to enabling password encryption. An enable password, a console password, and a Telnet password is configured:

CiscoRouter#show running−config
!
enable password Cisco
!
line con 0
password NetVisa
!
line vty 0 4
password Security
!

The following example shows the command you would use to enable password encryption on the router:

CiscoRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
CiscoRouter(config)#service password−encryption
CiscoRouter(config)#end
CiscoRouter#

The results of enabling password encryption can be seen in the following example. Notice that each
password is now represented by a string of letters and numbers, which represents the encrypted format of the password:

CiscoRouter#show running−config
!
enable password 7 05280F1C2243
!
line con 0
password 7 04750E12182E5E45001702
!
line vty 0 4
password 7 122A00140719051033
!

Note: Password encryption does not provide a very high level of security. There are widely available passwords crackers that can reverse the encryption. I do, however, recommend using the password encryption command on all routers. I also recommend that you take additional security measures to protect your passwords.

How to Configure Privilege Levels for Users on Cisco Router

2010-01-25T15:58:00.007+07:00

As my previous post about Disabling Password Recovery on Cisco Router. Today, with this post, I'd love to show you the way to Configure Privilege Levels for Users on Cisco Router.

Commands entered into the IOS can be associated with each privilege level. You
configure the privilege level for a command using the global configuration command privilege
level . The exact syntax of this command is as follows:

privilege mode level level command | reset command

The Image.1 below displays three users, Googla, Visa, and Yaha, connected to a local segment. Googla is the network engineer; he has full control over Cisco Router. Visa and Yaha are system administrators; they need only limited functionality on Cisco Router. Here is an example of the configuration that meets this requirement:

enable secret Googla
enable secret level 3 Visa
enable secret level 2 Yaha
privilege exec level 3 debug
privilege exec level 3 show running−config
privilege exec level 3 telnet
privilege exec level 2 ping
privilege exec level 2 sh int ser0
privilege exec level 2 sh ip route
line con 0
login
Figure

Image.1: Using privilege levels to create administrative levels.

This configuration provides Googla with the default full administrative rights to the router. Visa is given access to all features that are allowed with administrative level 3 and can perform the commands that are listed with a privilege level of 3. Yaha is assigned a privilege level of 2 and is given access to all features and allowed to perform the commands listed with a privilege level of 2.

The key is that each user must use the enable command from the user mode prompt and log in with the password assigned for that level. An example is provided here:

CiscoRouter>
CiscoRouter>enable 3
Password: Visa
CiscoRouter#

How to Disabling Password Recovery

2009-12-28T14:53:00.003+07:00

Why you need to set passwords on routers?

--> To defense against intruders

Why the passwords must be recovered?

>>> Sometimes passwords are forgotten. There are, however, some instances in which the widely known password recovery procedures should be disabled. When physical security is not possible or in a network emergency, password recovery can be disabled.

What is the key to recovering a password on a Cisco router?

>>> The key to recovering a password on a Cisco router is through manipulation of the configuration registers of the router. All router passwords are stored in the startup configuration, so if the configuration registers are changed properly, the startup configuration with the passwords stored within them can be bypassed.

What happens if you disable the password recovery?

>>> If you have disabled the password recovery mechanisms, you will not
be able to perform password recovery on the router. Disabling the password recovery procedure of a Cisco router is a decision that must be thought out ahead of time because the command used to disable password recovery also disables ROMMON.

How you can disable the password recovery?

>>> You can disable the Cisco password recovery procedure by issuing the no service
password−recovery command in global configuration mode:

CiscoRouter#config t
Enter configuration commands, one per line. End with CNTR/Z.
SecureRouter(config)#no service password−recovery
WARNING:
Executing this command will disable password recovery mechanism.
Do not execute this command without another plan for
password recovery.
Are you sure you want to continue? [yes/no]: yes

As you can see, the IOS reminds you of how serious disabling the password recovery procedures are with a warning message and a prompt allowing you to change your mind. To see the results of changing the password recovery feature, issue the show running−config command. The effects of issuing the command can be seen in the following configuration:

CiscoRouter#show run
Building configuration...
Current configuration:
!
version 12.0
service password−encryption
no service password−recovery
!
hostname CiscoRouter

After password recovery has been disabled and the configuration has been saved, the widely available password recovery procedure will not be available on the router. The following output verifies that password recovery is indeed disabled:

CiscoRouter#reload
Proceed with reload? [confirm]
00:14:34: %SYS−5−RELOAD: Reload requested
System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
PC = 0xfff14ee8, Vector = 0x500, SP = 0x680127b0
C2600 platform with 49152 Kbytes of main memory
PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
program load complete, entry point: 0x80008000, size: 0x928024
Self decompressing the image : #######################....

If the no service password−recovery command has been issued on a Cisco router and the
passwords have been forgotten, you must contact your Cisco Technical Support Engineer to obtain help in gaining access into the router and enabling the password recovery process again.

http://networksecuritynotes.blogspot.com/2009/12/how-to-disabling-password-recovery.html

Learn to Configure Enable Mode Security on Cisco Router

2009-07-17T02:06:00.004+07:00

To configure enable mode access, you can use one of two commands: enable password or enable secret. Both commands accomplish the same thing, allowing access to enable mode. However, the enable secret command is considered to be more secure because it uses a one−way encryption scheme based on the MD5 hashing function. Only use the enable password command with older IOS images and/or boot ROMs that have no knowledge of the newer enable secret command.

You configure an enable password by entering the enable password command in global configuration mode:

CiscoRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
CiscoRouter(config)#enable password VisaGoogla
CiscoRouter(config)#end
CiscoRouter#

The preceding configuration sets the enable password to VisaGoogla. The result of setting the enable password can be seen in the following output. From the user mode prompt, you must enter the enable command to gain access into privileged mode:

CiscoRouter>enable
Password: VisaGoogla
CiscoRouter#

Note: After you enter the enable command, the password you type at the password prompt will not be displayed. Be sure to type the password exactly as it is configured in the enable password command.

You configure an enable secret password by entering the following command in global configuration mode:

CiscoRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
CiscoRouter(config)#enable secret VisaGooglaSec
CiscoRouter(config)#end
CiscoRouter#

The preceding configuration sets the enable secret password to VisaGooglaSec. The result of setting the enable secret password can be seen in the following output. From the user mode prompt, you must enter the enable command to gain access into privileged mode, as follows:

CiscoRouter>enable
Password: VisaGooglaSec
CiscoRouter#

Note: After you enter the enable command, the password you type at the password prompt will not be displayed. Be sure to type the password exactly as it is configured in the enable password command.

Note: For security reason, we recommend you to use "enable secret password", because the secret password uses MD5 hashing function to encrypt your password, so it is more secure than "enable password"!!!

Learn to configure Telnet Security on Cisco Router

2009-07-03T01:38:00.005+07:00

As you know, directly connecting to the console of a router is generally a relatively easy method for gaining access to the device; however, this method is inconvenient and not abundantly scalable. If console access is the only method available to gain access into the device, an administrator must always walk, drive, or fly to the physical location of the router and plug into the device's console port. Fortunately, there are methods for gaining access into the router from a remote location. The most common method of remote administration for a Cisco router is to use a Telnet session. Unlike with console access, there are four configuration requirements that must be met before you can use this method of access:

1. An enable password must be supplied.
2. The router must have an IP address assigned to a routable interface.
3. The routing table of the router must contain a route for the source of the Telnet packet.
4. Under line configuration mode, a vty password must be supplied.

The steps involved in defining Telnet security are similar to the steps used to configure console security. An example of configuring the fourth requirement (after the first three have been met) can be seen here:

CiscoRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
CiscoRouter(config)#line vty 0 4
CiscoRouter(config−line)#password CisViSa
CiscoRouter(config−line)#login
CiscoRouter(config−line)#end
CiscoRouter#

As mentioned in my previous post about learning to configure Console Security, Cisco routers also maintain a local user authentication database, which can be used to authenticate users who directly connect to the console port of a router. Here is an example of configuring the router to use the local user database for uthentication of users who attempt to access the router via the console:

!
username Visa privilege 15 password 0 Vipsw
username Googla privilege 12 password 0 Goopsw
username Yaha privilege 8 password 0 Yapsw
!
line vty 0 4
login local

The result is that, when a user telnets to the router with this configuration, they will be prompted to enter a username and password before being allowed to gain access into the router.

Routers can also restrict Telnet access to authorized users with the use of an access list. The access list is then applied to the virtual terminal ports of the router with the access−class command. This allows you to restrict Telnet access from a particular IP address or a subnet of IP addresses. Use the following steps to this method of security:
Use the access−list global configuration command to configure an access list that permits the specific hosts that are allowed Telnet access.

1. Use the access−class access−list−number {in|out} command to apply the access list to the virtual terminal ports.
2. In the following example, the router is configured to allow only three hosts Telnet access on each of the available virtual terminal ports:

CiscoRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
CiscoRouter(config)#access−list 20 permit 192.168.0.10
CiscoRouter(config)#access−list 20 permit 192.168.0.11
CiscoRouter(config)#access−list 20 permit 192.168.0.12
CiscoRouter(config)#line vty 0 4
CiscoRouter(config−line)#access−class 20 in
CiscoRouter(config−line)#end
CiscoRouter#

Note: Console and Telnet security is not preconfigured for you by default. One of your first configuration steps when you initially set up your router should be to configure each of these interfaces. To see more access-list commands visit here!

Learn to configure Console Security on Cisco Router

2009-06-19T04:12:00.006+07:00

The console port is used to attach a terminal directly into the router. By default, no security is applied to the console port and the setup utility does not prompt you to configure security for console access. Cisco routers have many different modes of operation, one of which is user mode. When you first access the router via the console port, the router will prompt you for a password, if one has been configured. After successfully supplying the password, you are logged into user mode on the router. When a Cisco router is in user mode, the router will display its hostname followed by the greater than symbol. Here is an example of user mode access:

CiscoRouter>

User mode has limited functionality. Enable mode, also called privileged mode, can be accessed by typing the enable command. If passwords have been configured to access this level of the IOS, the router prompts you for the correct password. When a Cisco router is in enable mode, the router will display its hostname followed by the pound sign. Here is an example of enable mode access:

CiscoRouter#

Cisco passwords are case sensitive. The simplest and most direct way to connect to the network device is to use a direct connection to the console port of a router or switch. You can configure a console password to authenticate users for user mode access by entering the following commands:

CiscoRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
CiscoRouter(config)#line con 0
CiscoRouter(config−line)#password CisRoutPsw
CiscoRouter(config−line)#login
CiscoRouter(config−line)#end

The preceding configuration sets the user mode password to CisRoutPsw. Cisco routers also maintain a local user authentication database, which can be used to authenticate users who connect directly to the console port of a router. Here's an example of configuring the router to use the local user database for authentication of users who attempt to access the router via the console:

!
username Visa privilege 15 password 0 Vipsw
username Googla privilege 12 password 0 Goopsw
username Yaha privilege 8 password 0 Yapsw
!
line con 0
login local
transport input none
!

The preceding configuration defines three users: Visa, Googla, and Yaha. Each user has an associated privilege level defined for their respective login credentials and has a password that is associated with their username. This allows Visa to log into the router with a username of Visa and a password of Vipsw. Because Visa's privilege level defines the maximum privilege level that can be configured on the router, Visa is considered to be the super−user. Googla has a privilege
level of 12 and the password Goopsw.

Assignment of privilege levels is discussed in detail later in next post!

By assigning Googla a privilege of 12, the administrator can limit the functionality that Googla may have on the router. That's also the case for Yaha. When a user plugs into the console port of a router configured with local authentication, they are first prompted for their username; after successfully passing the correct username to the router, they are then prompted for the password that is associated with that username. The following example details these steps:

User Access Verification
Username: Visa
Password: Vipsw
CiscoRouter#

Now, what do you think would happen if you were to attempt to log in with the username of Visa and the password that is associated with Googla? You would suspect that the router would deny you access. This example details this attempt:

User Access Verification
Username: Visa
Password: Goopsw
% Login invalid
Username:

From this, you can see that you must supply the password that is associated with the username with which you are attempting to gain access.

Warning: When using local authentication and assigning privilege levels, you must be careful to associate the correct username with the correct privilege level.
Anyone who logs in with a privilege level that is equal to 2 or above is logged directly into privileged mode.

Becareful with your Routers on HTTP Access

2009-05-30T01:24:00.005+07:00

Before going through the problem, the following word should be considered to be read first:

What is HTTP?

-> HTTP stands for Hypertext Transfer Protocol, is an application-level protocol for distributed, collaborative, hypermedia information systems.Its use for retrieving inter-linked resources led to the establishment of the World Wide Web. HTTP uses port 80 as its default port. As you can see on Web Browser with the link address, Example: http://NetworkSecurityNotes.blogspot.com, my Network Security blog's address that can be browsed or viewed by using HTTP protocol. More additionally, on your Web Browser address bar, you can also browse any website with link address, Example: http://NetworkSecurityNotes.blogspot.com:80, the address will sill be redirected to the address http://NetworkSecurityNotes.blogspot.com. That's the port 80 is HTTP's default port.

How About HTTP Access?

-> Well, I just give a short definition what HTTP Access is. HTTP Access is a process of an access by using HTTP protocol.

Why on the Routers need to becareful with HTTP Access?

As you know on routers with Cisco IOS software equipped with a Web browser user interface that allows you to issue commands into the router via the Web interface. The Web browser user interface can be customized and tailored to your business environment. The HTTP server is disabled by default; when it's enabled, it introduces some new security vulnerabilities into your network. The HTTP server function, when it's enabled, gives all client devices with logical connectivity to the router the ability to monitor or modify the configuration of the router. All that needs to reside on the client is a software package that interprets packets on port 80. This is obviously a major security issue. So, the most concern with HTTP Access is about the security vulnerabilities when the HTTP Server is enabled on Routers.

So, How to take control of these security vulnerabilities?

The router software allows you to change the default port (port 80) that the HTTP server is running on. You can also configure an access list of specific hosts that are allowed Web access to the router and apply the access list to the HTTP server. Authentication of each user provides better security if you elect to use the router's HTTP server functions. Authentication can take place by one of four different methods:
> AAA: commonly stands for “Authentication, Authorization and Accounting"
> Enable: Indicates that the configured enable password is used for authentication. This is the default authentication method.
> Local: Indicates that the locally configured security database is used for authentication.
> TACACS+: stands for Terminal Access Controller Access-Control System Plus, a protocol which provides access control for routers, network access servers and other networked computing devices via one or more centralized servers. This option indicates that the Terminal Access Controller Access system is used for authentication.

Understanding about Route Filtering to securing network

2009-05-07T04:54:00.007+07:00

As my previous post about Routing Protocol Authentication, today post, I would like to find out about Route Filtering to securing network.

What is Route Filtering?

Route Filtering is the process by Router, in which the certain routes are not considered for inclusion in the local route database, or not advertised to one's neighbours. During configuring Router, the Network Administrator need to be aware of which type of network route should be allowed to enter the Network Local or to go out to the remote Network.

There are two Types of Filtering:

1.Input filtering

Input filtering is a filter is applied to routes as they are learned from a neighbour. A route that has been filtered out is discarded straight away, and hence not considered for inclusion into the local routing database.

2.Output filtering

Output filtering, a filter is applied to routes before they are announced to a neighbour. A route that has been filtered out is never learned by a neighbour, and hence not considered for inclusion in the remote route database.

Why Route Filtering?

1.Route filtering enables the network administrator to keep tight control over route advertisements.

2.Route filters ensure that routers will advertise as well as accept legitimate networks. They work by regulating the flow of routes that are entered into or advertised out of the routing table.

3.Filtering the networks that are advertised out of a routing process or accepted into the routing process helps to increase security because, if no route is advertised to a downstream or upstream neighbor, then no route apparently exists to the network.

4.Using Route Filtering to prevent routers on a local network from learning about routes that are dynamically advertised out on the interface, you can define the interface as passive. Defining an interface as passive keeps routing update messages from being sent through a router interface, preventing other systems on the interface from learning about routes dynamically from this router. You can configure a passive interface for all IP routing protocols except Border Gateway Protocol (BGP).

Routing Protocol Authentication

2009-04-27T02:50:00.007+07:00

What is Routing Protocol?

A routing protocol is a protocol that specifies how routers communicate with each other, disseminating information that enables them to select routes between any two nodes on a computer network, the choice of the route being done by routing algorithms. Each router has a prior knowledge only of networks attached to it directly. A routing protocol shares this information first among immediate neighbors, and then throughout the network. This way, routers gain knowledge of the topology of the network.

The term routing protocol may refer specifically to one operating at layer three of the OSI model, which similarly disseminates topology information between routers.

Many routing protocols used in the public Internet are defined in documents called RFCs.

There are two major types of routing protocols, some with variants: link-state routing protocols and (path vector protocols) distance-vector routing protocols.

The specific characteristics of routing protocols include:

-the manner in which they either prevent routing loops from forming or break them up if they do

-the manner in which they select preferred routes, using information about hop costs

-the time they take to converge

-how well they scale up

-many other factors

Routing protocol authentication?

Routing protocol authentication prevents the introduction of false or unauthorized routing messages from unapproved sources. With authentication configured, the router will authenticate the source of each routing protocol packet that it receives from its neighbors. Routers exchange an authentication key or a password that is configured on each router. The key or password must match between neighbors.

There are two types of routing protocol authentication: plain text authentication and Message Digest 5 (MD5) authentication.

1.Plain text authentication is generally not recommended because the authentication key is sent across the network in clear text, making plain text authentication susceptible to eavesdropping attempts.

2.MD5 authentication creates a hash value from the key; the hash value instead of the actual password is exchanged between neighbors, preventing the password from being read because the hash, not the password, is transmitted across the network.

Securing your network with SNMP

2009-04-15T17:13:00.009+07:00

After my previous post about Physical and Logical security, today I want to show you about securing the network with SNMP.

What is SNMP?

SNMP stands for Simple Network Management Protocol, is a component of the Internet Protocol Suite as defined by the Internet Engineering Task Force (IETF). It is used in network management systems to monitor network-attached devices for conditions that warrant administrative attention. SNMP is alsow known as an application−layer protocol that helps to facilitate the exchange of management information between network devices. SNMP helps network administrators to manage network performance, and troubleshoot network problems, and plan for network growth.

3 basic components of SNMP:

An SNMP-managed network consists of three key components:

1. Managed devices: A managed device is a network node that contains an SNMP agent and that resides on a managed network. Managed devices collect and store management information and make this information available to NMSs using SNMP. Managed devices, sometimes called network elements, can be any type of device including, but not limited to, routers, access servers, switches, bridges, hubs, IP telephones, computer hosts, and printers.

2. Agents: An agent is a network-management software module that resides in a managed device. An agent has local knowledge of management information and translates that information into a form compatible with SNMP.

3. Network-management stations (NMSs): An NMS executes applications that monitor and control managed devices.NMSs provide the bulk of the processing and memory resources required for network management. One or more NMSs may exist on any managed network.

An SNMP managed device has various access levels:

+Read−only: Allows read access of the Management Information Base (MIB) on the managed device.

+Read/write: Allows read and write access of the Management Information Base on the managed device.

+Write−only: Allows write access of the Management Information Base on the managed
device.

Cisco IOS software supports 3 versions of SNMP: SNMPv1, SNMPv2c, and SNMPv3.

SNMPv1 and SNMPv2c

These two versions use a community based form of security. The group of managers eables to access the agent is defined by an access list and password.

How about SNMPv2c?

SNMPv2c support includes a bulk retrieval echanism and more detailed error message reporting to management stations. The bulk retrieval mechanism supports the retrieval of large quantities of information, minimizing the number of polls required. The SNMPv2c improved error handling support includes a larger number of error codes that distinguish different kinds of error conditions. Error return codes in SNMPv2c report the error type.

How is SNMPv3?

SNMPv3 provides for both security models and security levels. A security model is an authentication strategy that is set up for a user and the group in which the user resides. A security level is the permitted level of security within a security model. A combination of a security model and a security level will determine which security mechanism is employed when an SNMP packet is handled.

==>You can read more about SNMP at http://www.cisco.com/en/US/docs/internetworking/technology/handbook/SNMP.html

Setting Banner Messages

2009-04-05T21:49:00.006+07:00

Router(config)#banner motd #
*********************************************
UNAUTHORIZED ACCESS PROHIBITED!
*********************************************
#

You can use banner messages to issue statements to users, indicating who is and who is not allowed access into the router. Banner messages should indicate the seriousness of an attempt to gain unauthorized access into the device and should never reflect to the user that gaining unauthorized access is acceptable. If possible, recite certain civil and federal laws that are applicable to unauthorized access and let users know what the punishment would be for accessing the device without express written permission. If possible, have certified legal experts within the company review the banner message.

Configuring Password Encryption

2009-04-05T21:46:00.004+07:00

All Cisco console and Telnet passwords configured on the router are stored in plain text within the configuration of the router by default, thus making them easily readable. If someone issues the show running−config privileged mode command, the password is displayed. Another instance when the password can easily be read is if you store your configurations on a TFTP server, the intruder only needs to gain access into the TFTP machine, after which the intruder can read the
configuration with a simple text editor. Password encryption stores passwords in an encrypted manner on the router. The encryption is applied to all configured passwords on the router.

Disabling Password Recovery

2009-04-05T21:42:00.004+07:00

Setting passwords is the first line of defense against intruders. Sometimes passwords are forgotten and must be recovered. All Cisco password recovery procedures dictate that the user performs the password recovery process from the console port of the router or switch. There are, however, certain circumstances in which the widely available password recovery procedure should be disabled. One such circumstance is an emergency Add, Move, or Change (AMC), whereby a
networking device needs to be in a location that does not have the proper mechanisms in place for physical security, thus allowing an intruder a greater chance of circumventing traditional security measures.

Setting Privilege Levels

2009-04-05T21:37:00.002+07:00

Privilege levels associate router commands with each security level configured on the router. This allows for a finer granularity of control when restricting user access. There are 16 privilege levels contained within the router operating system. Level 2 to level 14 are customizable and allow you to configure multiple privilege levels and multiple passwords to enable certain users to have access to specific commands.

But most users of Cisco routers are familiar with only two privilege levels:

User EXEC mode — privilege level 1

Privileged EXEC mode — privilege level 15

When you log in to a Cisco router under the default configuration, you’re in user EXEC mode (level 1). From this mode, you have access to some information about the router, such as the status of interfaces, and you can view routes in the routing table. However, you can’t make any changes or view the running configuration file.

Because of these limitations, most Cisco router users immediately type enable to get out of user EXEC mode. By default, typing enable takes you to level 15, privileged EXEC mode. In the Cisco IOS, this level is equivalent to having root privileges in UNIX or administrator privileges in Windows. In other words, you have full access to the router.

Securing Telnet Access

2009-04-05T21:15:00.003+07:00

Telnet (Telecommunication network) is a network protocol used on the Internet or local area networks. It was developed in 1969 beginning with RFC 15 (Request For Comments 15 ) and standardized as IETF (Internet Engineering Task Force) STD 8, one of the first Internet standards. Typically, Telnet provides access to a command-line interface on a remote machine.

Telnet is a protocol that allows a user to establish a remote connection to a device. After connected to the remote device, you are presented with a screen that is identical to the screen that would be displayed if you were directly connected to the console port. Telnet ports on a router are referred to as virtual terminal ports. Telnet is really no different from a console connection, and as such, the

proper logical security mechanisms should be put into place to ensure that only responsible personnel are allowed Telnet access. Virtual terminal ports support many different methods for authenticating a user and allowing access. Some of the methods are included in the following list:

· Vty password
· Local user database
· TACACS+
· RADIUS

Securing Console Access

2009-04-05T20:52:00.007+07:00

It's important to put the proper physical security mechanisms into place. If the proper physical

security mechanisms are not in place, an intruder could potentially bypass all other logical security mechanisms and gain access to the device. If an intruder can gain access to the administrative interface of the router, he could view and change the device's configuration and gain access to other networking equipment. The first thing you should do to prevent intruders from accomplishing is to set a console password. If the intruder has already gained physical access to the device, he'll attempt to gain network access through the console port first. The console port supports many different methods for authenticating a user and allowing access, some of which are listed here:
· Console password
· Local user database
· TACACS+ (Terminal Access Controller Access-Control System Plus) : is a protocol which provides access control for routers, network access servers and other networked computing devices via one or more centralized servers. TACACS+ provides separate authentication, authorization and accounting services.
· RADIUS(Remote Authentication Dial In User Service) : is a networking protocol that provides centralized access, authorization and accounting management for people or computers to connect and use a network service. When a person or device connects to a network often "Authentication" is required. Networks or services not requiring authentication are said to be anonymous or open.

Physical and Logical Security

2009-04-03T12:20:00.003+07:00

Physical and logical security staffs, both tasked with protecting enterprise assets, are seeing increased technology and budgetary overlaps.

Physical and logical security include the following:

. Securing console access
· Securing Telnet access
· Setting privilege levels
· Disabling password recovery
· Configuring password encryption
· Setting banner messages

Enterprise Security Policy and Audits

2009-04-02T12:09:00.004+07:00

The main purpose of a security policy is to inform anyone that uses the enterprise's network of the requirements for protecting the enterprise's technology and information assets.

A security policy should not determine how an enterprise operates; instead, the business of the enterprise should dictate how a security policy is written. Business opportunities are what drive the need for security in the first place.

The policy should contain:

1.Acceptable use policy—Spells out what users are allowed and not allowed to do on the various components within the network; this includes the type of traffic allowed on the network. The policy should be as explicit as possible to avoid any ambiguity or misunderstanding.

2.Remote access policy—Spells out to users acceptable or unacceptable behavior when they have connected to the enterprise via the Internet, a dial−up connection, a virtual private network (VPN), or any other method of remote connectivity.

3.Incident handling policy—Addresses planning and developing procedures to handle incidents before they occur. The incident handling policy can be contained within the actual security policy.

4.Internet access policy—Defines what the enterprise considers to be ethical, proper use of its Internet connection.

5.Email policy—Defines the acceptable use of the enterprise's email systems, including personal emails and Web−based email.

6.Physical security policy—Defines controls that pertain to physical device security and access.

After you've completed the enterprise security policy, the last step is to perform regular audits. Audits not only give you a baseline by which to judge what is deemed as normal activity or network behavior, they also, in many cases, produce results that will be the first alert in the detection of a security breach. Noticing unusual events within the network can help to catch intruders before they can cause any further damage.

Types of Threats

2009-04-02T11:49:00.004+07:00

The methods hackers and crackers use to gain unauthorized access into network devices are known as threats.

1.Unauthorized access—A network intruder can gain unauthorized access to networking devices through a variety of means, three of which are as follows:

Physical—If attackers have physical access to a machine, more often than not, they will be able to get in. The techniques used to gain access range from accessing the device via the console to physically taking apart the system.

System—System access assumes that the intruder already has a user account on the system. Proper privileges should be granted to the user such that he or she is authenticated and authorized only to do that which is deemed to be a function of his or her job duties.

Remote—Remote access involves intruders who attempt to penetrate the system remotely from across the Internet, through a dial−up connection, or on local or wide area network. This type of intruder usually has no account privileges.

2.Eavesdropping—Eavesdropping is used to capture TCP/IP or other protocol packets, thus allowing the intruder to decode the contents of the packet using a protocol analyzer. "Packet sniffing" is a more common term used to describe the act of eavesdropping. Eavesdropping leads to information theft, like stolen credit card and social security numbers.

3.Data manipulation—Data manipulation is simply the act of altering files on computers, vandalizing a Web site, or replacing FTP files.

4.Protocol weakness—The most−used protocol in circulation today is TCP/IP. This protocol was designed a long time ago. As a result, a number of its design flaws can lead to possible security problems, such as smurf attacks, IP spoofing, TCP sequence number prediction, and SYN floods. The IP protocol itself is a very trusting protocol; therefore, hackers are free to forge and change IP data.

5.Session replay—Intruders can eavesdrop on one or more users involved in a communication session and manipulate the data in such a manner according to the hack they are trying to perform.

These are just some types of security threats to give you a general idea of the number and types of methods intruders have at their disposal.