LTLnetworker | IT networks, security, Cisco

TLS Experiences with Elliptic Curve Algorithms on Cisco ASA

Posted by ltlnetworker on December 18, 2016

Elliptic Curve Cryptography (ECC) is a newer approach to public-key cryptography. EC algorithms (ECDH for key agreement, ECDSA for signatures) were adopted in NSA Suite B; Cisco uses the broader term Next Generation Encryption (NGE) for Suite B. Why do elliptic curve keys and certificates matter? EC algorithms provide the same cryptographic strength as RSA with much shorter keys (a 256-bit EC key is roughly equivalent to a 3072-bit RSA key), so they are more efficient, and elliptic curve keys are expected to gain popularity. (There is, however, an intention to replace Suite B with the even newer CNSA Suite, which keeps only the stronger ECDH and ECDSA parameters, i.e. the P-384 curve.)

Elliptic curve TLS ciphers and certificates are supported from

  • ASA version 9.4(1)
  • Windows 7
  • Windows 2008 Server
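A client-side check for what the post is about, as an added example that is not part of the original post or of Cisco's software: it restricts a Python ssl client to the two Suite B cipher suites (ECDHE key exchange with an ECDSA certificate, AES-GCM, SHA-256 or SHA-384) and reports which one a server, for instance an ASA presenting an EC certificate, negotiates. The host name asa.example.net is a placeholder; the lookup table of suites and curves is constructed from the published Suite B profile.

```python
"""Added example: check that a TLS endpoint (e.g. an ASA with an EC certificate)
negotiates a Suite B / NGE cipher suite. Not from the original post."""
import socket
import ssl
import sys

# Suite B ties each security level to one curve, one AES size and one hash.
# Constructed lookup table; the curve names are OpenSSL's.
SUITE_B_PROFILES = {
    "ECDHE-ECDSA-AES128-GCM-SHA256": {"curve": "prime256v1", "level": 128},
    "ECDHE-ECDSA-AES256-GCM-SHA384": {"curve": "secp384r1", "level": 192},
}


def suite_b_level(cipher_name):
    """Return 128 or 192 for a Suite B suite, None for anything else.

    ECDHE-RSA-* suites give forward secrecy with EC key exchange but are not
    Suite B: the server's certificate key is RSA, not an EC key."""
    profile = SUITE_B_PROFILES.get(cipher_name)
    return profile["level"] if profile else None


def build_suite_b_context():
    """Client context that only completes a handshake with a Suite B suite."""
    ctx = ssl.create_default_context()  # CA verification and hostname check stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.3 suite names (TLS_AES_256_GCM_SHA384) do not carry the authentication
    # algorithm, so the check is pinned to TLS 1.2 where the name says ECDSA.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(SUITE_B_PROFILES))
    return ctx


def offered_suite_b_ciphers(ctx):
    """Names of the Suite B suites the local OpenSSL actually enabled."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["name"] in SUITE_B_PROFILES)


def probe(host, port=443, timeout=5.0):
    """Connect and report the negotiated suite and its Suite B level.

    A server that only holds an RSA certificate fails the handshake here,
    which is the desired outcome for this check."""
    ctx = build_suite_b_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, protocol, _bits = tls.cipher()
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return {"cipher": name, "protocol": protocol,
                    "level": suite_b_level(name), "subject": subject}


if __name__ == "__main__":
    # Hypothetical host name; replace with the ASA's WebVPN or management address.
    target = sys.argv[1] if len(sys.argv) > 1 else "asa.example.net"
    try:
        print(probe(target))
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        print(f"{target}: no Suite B suite negotiated ({exc})")
```

If the server can only offer RSA-authenticated suites, the handshake ends in an ssl.SSLError instead of a result, so the script doubles as a negative test after you have switched the certificate on the device.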

Posted in ASA, Cisco

Management network topology and asymmetric routing

Posted by ltlnetworker on August 16, 2015

We all want a management network, or at least a management VLAN. Those who say they have none actually do have a VLAN for management; it is just shared with ordinary users (i.e. it is not dedicated). Most IT people prefer a dedicated VLAN that carries no other kind of traffic and preferably is not reachable by users.

In this article we use this definition:
a management VLAN or management network is a dedicated segment for network management traffic which can be used for:

  • administering your network devices (aka device access: switches, routers, firewalls via telnet, ssh, https etc.)
  • collecting monitoring information (syslog, SNMP etc.)
  • hosting syslog, monitoring and management servers (Nagios, Tivoli, Cisco Prime etc.)
  • AAA traffic (RADIUS or TACACS+ to Cisco ACS/ISE)

Posted in ASA, Check Point, Cisco, F5, Fortinet, routing, switch

Why is this huge traffic appearing here? Unknown unicast flood

Posted by ltlnetworker on October 5, 2014

Switches normally forward a unicast frame out of the necessary port only. The egress port is selected from the MAC address table, which is populated by MAC learning. The switch can learn an address and keep it in the table only if frames are sent from that address regularly: the default aging time on Cisco switches is 300 s, so a MAC address is dropped from the table if no frames arrive from it for 5 minutes.

Unknown unicast flooding occurs when traffic is sent to a MAC address which was
a) never learned, or
b) already aged out
from the MAC address table. In this case the frame is flooded out of all ports belonging to the VLAN, just like a broadcast.
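The learning-and-aging behaviour described above, modelled as an added example that is not code from the original post: a four-port switch with the 300 s default aging time, a host A that talks regularly and a server B that answers once and then only receives. Port numbers, MAC addresses and timestamps are constructed.

```python
"""Added example: minimal model of MAC learning, aging and unknown unicast
flooding. Not from the original post. Times are seconds, ports are ints."""

AGING_TIME = 300  # Cisco default mac address-table aging time, in seconds
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """One VLAN's worth of a learning bridge."""

    def __init__(self, ports, aging_time=AGING_TIME):
        self.ports = set(ports)
        self.aging_time = aging_time
        self.table = {}  # mac -> (port, last_seen)

    def _age(self, now):
        """Drop entries whose source has been silent for the aging time."""
        expired = [m for m, (_, seen) in self.table.items()
                   if now - seen >= self.aging_time]
        for mac in expired:
            del self.table[mac]

    def forward(self, ingress, src, dst, now):
        """Learn src on the ingress port, return the egress port set for dst."""
        self._age(now)
        self.table[src] = (ingress, now)  # a frame from src refreshes its timer
        entry = self.table.get(dst)
        if dst == BROADCAST or entry is None:
            # Unknown unicast is flooded exactly like a broadcast: every port
            # in the VLAN except the one the frame arrived on.
            return self.ports - {ingress}
        port, _ = entry
        return set() if port == ingress else {port}


def silent_server_scenario():
    """Server B replies once, then only receives. Returns egress ports per step."""
    sw = Switch(ports=[1, 2, 3, 4])
    host_a, server_b = "00:00:00:aa:aa:aa", "00:00:00:bb:bb:bb"  # constructed
    steps = {}
    sw.forward(1, host_a, BROADCAST, now=0)              # A's ARP request floods
    sw.forward(2, server_b, host_a, now=1)               # B answers: learned on port 2
    steps["t=100"] = sw.forward(1, host_a, server_b, now=100)  # known: port 2 only
    steps["t=400"] = sw.forward(1, host_a, server_b, now=400)  # B silent 399 s: flooded
    steps["table_has_b"] = server_b in sw.table
    return steps


if __name__ == "__main__":
    for step, result in silent_server_scenario().items():
        print(step, sorted(result) if isinstance(result, set) else result)
```

The flooded copies reach every port in the VLAN, so a host on any of those ports can capture traffic meant for B; that is what makes persistent unknown unicast flooding a security concern as well as a bandwidth one. The entry usually expires because the sender still resolves B from a cached ARP entry (on Cisco IOS the default ARP timeout is 14400 s against 300 s of MAC aging) while B's replies take a return path that bypasses this switch, so the switch never relearns B and every frame to it is flooded.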
Posted in Cisco, switch

Using Cisco ISE as a generic RADIUS server

Posted by ltlnetworker on August 31, 2014

Cisco ISE is an identity-based policy server with a wide range of functions, from RADIUS CLI authentication to workstation posturing. With just a base license it includes a full-featured RADIUS server, and it is capable of performing trivial RADIUS tasks which by themselves would not require such a sophisticated product. Some years ago Cisco Secure ACS would have been the usual choice for the functions described in this article; ISE's policy logic and web interface are quite different.

The following use cases are described:

Posted in AAA, ASA, Cisco, IPsec, ISE, remote access, router IOS, switch

Load balancer topology design (Cisco ACE, F5 BIG-IP LTM)

Posted by ltlnetworker on April 12, 2014

Adding a load balancer to an existing network is easy. You just open the vendor's quick start guide, connect some cables to the server segment and maybe some to the core network. Load balancer configuration consists of assigning IP addresses, defining virtual servers and adding server pools. Practically you are done; all that is left is adding some static routes on some servers or tweaking some NAT settings on the load balancer.

Actually, I don't say this is evil. Such setups can work for a long time with moderate risk, and the operating principles may be well defined and documented. Even though it can cause problems for network redesign or firewall projects, and I estimate slightly higher opex because the tricky load balancer topology must be considered in every change, I can still accept such a method in some cases.

However, I am a networker and I prefer creating a design that reflects general best practice of networking.
Posted in Cisco, load balancer

Youtube video flaw with an IPv6/IPv4 dual-stack client

Posted by ltlnetworker on February 3, 2014

I wrote four years ago:

I am very happy with my HE IPv6 tunnel. I would gladly be a native IPv6 user too, but UPC gives no information about what IPv6 plans it has. )-:

UPC Hungary has shown no progress since then, so I still have to use the Hurricane Electric tunnel. There have been some changes, though. Google, Youtube, Facebook, Cisco and other big portals have switched to IPv6/IPv4 dual stack (at least for their public-facing services), so the amount of my IPv6 traffic has increased. On the other hand, I am unable to watch some Youtube videos due to a Youtube bug.

Posted in IPv6

Smart tunnels on Cisco ASA

Posted by ltlnetworker on January 17, 2014

Sometimes we have to provide secure remote access for users whose computers we have no control over at all. These computers have neither AnyConnect nor the Cisco VPN client, and the users may not have administrator rights, so browser-based AnyConnect installation is not an option either. For such users we can set up a WebVPN portal on the Cisco ASA with the clientless SSL VPN feature.

Clientless SSL VPN provides a web portal with various services such as internal websites, CIFS links, Outlook Web Access etc., all of which are accessed via the browser. The ASA software provides the HTTPS service to the client and proxies the internal server's content. The SSL core rewriter (or content rewriter) does application-level proxying, therefore not all websites are guaranteed to work properly. For example, as of 9.1(3) the ASA software does not support the Microsoft SharePoint 2013 portal, and some tricky content is not displayed.

Posted in ASA, Cisco, remote access

Keeping firewall policies consistent on Juniper SRX firewalls with Junos Space

Posted by ltlnetworker on January 12, 2014

A distributed firewall system requires a means to keep the firewall rules and other security policies consistent across firewalls with similar roles. Traffic may take alternative paths if multiple telco lines or data centers are used. We have been testing some Juniper SRXs in this scenario. The Juniper management software you need for such tasks is Security Director, an add-on application to the Junos Space Management Platform.

Posted in Juniper, Junos, Junos Space, SRX

Route not advertised due to EIGRP zero successor

Posted by ltlnetworker on December 4, 2013

This article’s topic really fits in this blog’s genre. It focuses on a case of classic routing protocol behaviour inspection.

I was looking at the subnets in the routing tables when I noticed that a network I picked out was missing from one of the devices. It is a VLAN routed on a pair of core switches (SW1, SW2). The switches advertise the VLANs via EIGRP and all other routers learn them as external EIGRP routes (due to redistribute connected). However, there is a router R2, connected to SW2 by an L3 link, that doesn't have the network in its routing table.

Let's look at R2's EIGRP config:

Posted in Cisco, router IOS, routing

Unreachable network behind TMG

Posted by ltlnetworker on February 3, 2013

I was asked to troubleshoot Active Directory DC synchronization network issues. Two DCs are behind TMG, the third is in an ASA DMZ, so the path is:

DC0 — ASA — TMG — DC73

TMG performs no NAT for these networks, so it is plain routing. TMG's default gateway is set to the ASA, and the ASA has a static route pointing to TMG's outside address.

Connectivity was completely broken (no ping, AD sync failed). On the ASA we could see half-open TCP connections:

Posted in ASA, Cisco

ASA throughput depends on port location

Posted by ltlnetworker on January 25, 2011

I can hardly believe my own test results. I am running performance tests on an ASA 5550 (the one with a factory-installed 4GE module), and there is an interface pair whose throughput is lower than on the other pairs.

Posted in ASA, Cisco

Interesting MST troubleshooting

Posted by ltlnetworker on January 23, 2011

I experienced a strange problem on my desk with two switches. When I disconnected the uplink to the company network, the two switches lost connectivity with each other. Even though it was December 31st, I felt I had to find out what was happening.

Posted in Cisco, switch

IOS Easy VPN Server with LDAP authentication

Posted by ltlnetworker on November 9, 2010

LDAP support for authentication and authorization was introduced in IOS 15.1(1)T. In this article we test a Cisco VPN client connection authenticated against Novell NetWare eDirectory.

Structure of the LDAP directory:
Posted in AAA, Cisco, IPsec, remote access, router IOS

IPv6 host’s default router selection

Posted by ltlnetworker on May 14, 2010

An IPv6 host’s default router selection is affected both by manual static routes and received router advertisements.

I am very happy with my HE IPv6 tunnel. I would gladly be a native IPv6 user too, but UPC gives no information about what IPv6 plans it has. )-: I bookmarked Google's IPv6 site, but one day it became unreachable. What could have happened?

Posted in Cisco, IPv6, router IOS

IOS Easy VPN with RADIUS, Cisco Secure ACS 5.1 and AAA cache

Posted by ltlnetworker on May 10, 2010

The AAA Authorization and Authentication Cache feature was integrated in IOS 15.0(1)M. It enables the router to store AAA credentials in its cache after it has received the RADIUS or TACACS+ reply to an AAA request. The cache can be used either for a performance boost (avoiding sending requests to the AAA server) or as a fallback method in case the servers are unreachable. The mode depends on the order in which you place the authentication methods in the aaa commands (see below).

In this example we cache TACACS+ admin users' credentials (telnet, vty) and RADIUS VPN users' credentials (IKE XAUTH). The VPN group is also defined on the RADIUS server.

Posted in ACS, Cisco, IPsec, remote access, router IOS