Wednesday, May 20, 2009

Narbik's Bootcamp In India This Year

Narbik Kocharians
CCIE#12410 (R&S, SP, Security) CCSI# 30832

Narbik has over 30 years of experience in the industry and has designed, implemented and supported numerous enterprise networks. Some of the companies Narbik has worked for are IBM, Carlton United Breweries, Australian Cable and Wireless, BP and, in the US, 20th Century Ins., Home Savings of America, Verizon, TTI, Trinet Inc. and many more. Narbik has been a dedicated CCIE instructor for over 10 years.

IPSEC Basics

The IPsec standard provides a method to manage authentication and data protection between multiple crypto peers engaging in secure data transfer. IPsec includes the Internet Security Association and Key Management Protocol (ISAKMP)/Oakley and two IPsec IP protocols: Encapsulating Security Payload (ESP) and Authentication Header (AH).

IPsec uses symmetric encryption algorithms for data protection. Symmetric algorithms are more efficient and easier to implement in hardware, but they need a secure method of key exchange to protect the data. The Internet Key Exchange (IKE) protocol, built on ISAKMP/Oakley, provides this capability.

This solution requires a standards-based way to secure data from eavesdropping and modification, and IPsec provides such a method. IPsec offers a choice of transform sets so that a user can choose the strength of data protection. IPsec also offers several keyed-hash message authentication codes (HMACs) from which to choose; each gives a different level of protection against man-in-the-middle and data-integrity attacks and, combined with the ESP/AH sequence number, against packet replay (anti-replay).
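The pieces named above, as an added example that is not part of the original post or Narbik's material: an IKEv1 (ISAKMP) policy, two transform sets so the difference in "strength" is visible side by side, and a crypto map that binds the stronger set to the interesting traffic. The peer and LAN addresses (documentation ranges), the interface name, the ACL and map names and the pre-shared key placeholder are all assumptions; DH group 14 and AES-256 assume an IOS release that supports them.

```cisco
! --- IKE phase 1 (ISAKMP/Oakley): authenticates the peers and builds the
!     key-exchange SA that protects the IPsec key negotiation.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.1
!
! --- IPsec phase 2 transform sets: the choice of transform set is the
!     choice of data-protection strength.
! Weak set: single DES and HMAC-MD5. Shown only for contrast; do not deploy.
crypto ipsec transform-set LEGACY-WEAK esp-des esp-md5-hmac
 mode tunnel
! Stronger set: AES-256 for confidentiality, HMAC-SHA-1 for integrity
! (use esp-sha256-hmac where the release offers it).
crypto ipsec transform-set STRONG esp-aes 256 esp-sha-hmac
 mode tunnel
!
! --- Interesting traffic: only these flows are encrypted; everything
!     else crosses the interface in the clear.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! --- Crypto map: peer, transform set, PFS (fresh DH per phase 2 rekey)
crypto map SITE-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set STRONG
 set pfs group14
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map SITE-MAP
!
! Verification after traffic matching VPN-TRAFFIC is sent:
!   show crypto isakmp sa     -> phase 1 SA in state QM_IDLE
!   show crypto ipsec sa      -> pkts encaps/decaps counters, transform in use
```

The ACL is what decides which packets are protected; a mistake there (too broad, or missing the mirror ACL on the far peer) silently sends traffic unencrypted or drops it, so check the encaps/decaps counters rather than assuming the tunnel carries what you intended.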

Best Regards,
Deepak Arora

Tuesday, May 19, 2009

Zone-Based Policy Firewall (ZFW)

Cisco IOS® Software Release 12.4(6)T introduced Zone-Based Policy Firewall (ZFW), a new configuration model for the Cisco IOS Firewall feature set. This new configuration model offers intuitive policies for multiple-interface routers, increased granularity of firewall policy application, and a default deny-all policy that prohibits traffic between firewall security zones until an explicit policy is applied to allow desirable traffic.

Nearly all classic Cisco IOS Firewall features implemented before Cisco IOS Software Release 12.4(6)T are supported in the new zone-based policy inspection interface:

  • Stateful packet inspection

  • VRF-aware Cisco IOS Firewall

  • URL filtering

  • Denial-of-Service (DoS) mitigation

Cisco IOS Software Release 12.4(9)T added ZFW support for per-class session/connection and throughput limits, as well as application inspection and control:

  • HTTP

  • Post Office Protocol (POP3), Internet Mail Access Protocol (IMAP), Simple Mail Transfer Protocol/Enhanced Simple Mail Transfer Protocol (SMTP/ESMTP)

  • Sun Remote Procedure Call (RPC)

  • Instant Messaging (IM) applications:

    • Microsoft Messenger

    • Yahoo! Messenger

    • AOL Instant Messenger

  • Peer-to-Peer (P2P) File Sharing:

    • BitTorrent

    • KaZaA

    • Gnutella

    • eDonkey

Cisco IOS Software Release 12.4(11)T added statistics for easier DoS protection tuning.

Some Cisco IOS Classic Firewall features and capabilities are not yet supported in ZFW as of Cisco IOS Software Release 12.4(15)T:

  • Authentication proxy

  • Stateful firewall failover

  • Unified firewall MIB

  • IPv6 stateful inspection

  • TCP out-of-order support

ZFW generally improves Cisco IOS performance for most firewall inspection activities.

Neither Cisco IOS ZFW nor Classic Firewall includes stateful inspection support for multicast traffic.

Best Regards,
Deepak Arora

Monday, May 18, 2009

Cisco Ringtones

Best Regards,
Deepak Arora

Some more ARP details

Gratuitous ARP is an ARP request in which a host places its own IP address in both the sender and target fields. It checks that the address assigned to the host is not already in use by another system: if a duplicate exists, that system answers, and the conflict can be corrected. Every host on the segment sees the broadcast and updates its ARP cache with the sender's MAC address, which is also why a spoofed gratuitous ARP can poison those caches.

Proxy ARP is what a router does when it routes between different networks: when it sees an ARP request for a host on another network, it answers with the MAC address of its own interface instead of forwarding the broadcast, because ARP relies on broadcast and broadcasts do not cross the router.

ARP headers contain no IP, TCP or UDP header, so ARP cannot be read or filtered by devices that inspect only IP headers.

Friday, May 15, 2009

ASA Order of Operation

This is the complete ASA Order of Operation in Routed Mode:
  • Virtual Firewall Classification
  • Layer 2 validation
  • Layer 3 validation
  • IP packet security checks
  • Fragmented IP traffic handling
  • INPUT L2 ACL - Unlike L3/4 ACL, L2 ACL is per packet
  • Packet capture
  • Flow look-up - If Fails, Continue; If Success, jump to Input QoS
  • Additional packet security checks
  • NAT untranslate
  • RPF Checks
  • Input Route lookup
  • Additional packet security checks (through the box only)
  • Crypto checks
  • ACL Check
  • WCCP Redirection
  • TCP Intercept
  • IP Options permit check
  • Validate IPSec SPI
  • Flow Creation
  • Global Classification
  • Input QOS
  • IPSec Tunnel Processing
  • TCP Intercept Processing
  • TCP Security Engine
  • IP Option Processing
  • NP Inspect Engine Processing (ICMP/DNS/RTP/RTCP)
  • DNS Guard
  • Pinhole Processing
  • Multicast processing
  • CSC Module Processing (optional)
  • Inspection Engine Processing/AAA punts/IPsec over TCP punts
  • IPSec NAT-T Processing
  • Decrypt
  • Address Update and Checksum Adjustments
  • TCP Security Engine
  • IPS - AIP Module processing (optional)
  • Adjacency Look-up if necessary
  • Output QOS
  • Encrypt
  • Fragment
  • Output Capture
  • Output L2 ACL
  • Queue processing and Transmit

ASA & PIX Quick Learning Modules

I know many people, including me, are still looking for some nice ASA tutorials. So here they are...

Best Regards,
Deepak Arora

Thursday, May 14, 2009

Cisco Flexible Packet Matching

Embedded Event Manager (EEM) Scripting Community

EEM is a flexible system for customizing IOS and NX-OS behaviour.

Automate tasks, perform minor enhancements and create workarounds. Develop and run scripts in your own environment, program your own custom actions using Tcl and share your scripts with others by uploading them here. Download examples and useful scripts submitted by others for customization and use in your environment.
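As an added example, not taken from the EEM community site or the original post: an EEM applet (the CLI form, which needs no Tcl) that fires on the %AAA-5-USER_LOCKED message from the Login Password Retry Lockout post further down this page and records which local accounts are currently locked. The applet name and the message texts are my own choices; the syslog pattern is a regular expression matched against messages the router itself logs.

```cisco
event manager applet LOCKOUT-ALERT
 ! Trigger: any syslog line containing USER_LOCKED (%AAA-5-USER_LOCKED ...)
 event syslog pattern "USER_LOCKED"
 ! Collect the current lockout list; $_cli_result holds the command output
 action 1.0 cli command "enable"
 action 2.0 cli command "show aaa local user lockout"
 ! Log it at warning level so a remote syslog collector sees it
 action 3.0 syslog priority warnings msg "EEM LOCKOUT-ALERT: local AAA lockout detected, current list follows"
 action 4.0 syslog priority warnings msg "$_cli_result"
```

The applet only reports; it deliberately does not run clear aaa local user lockout, because auto-unlocking would hand the lockout's protection straight back to whoever is guessing passwords. Confirm registration with show event manager policy registered.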

Best Regards,
Deepak Arora

Practice Questions for Border Gateway Protocol (BGP)! BGP-Set2

Login Password Retry Lockout

This feature was introduced in Cisco IOS Release 12.3(14)T.

The Login Password Retry Lockout feature allows system administrators to lock out a local AAA user account after a configured number of unsuccessful attempts by the user to log in using the username that corresponds to the AAA user account. A locked-out user cannot successfully log in again until the user account is unlocked by the administrator.

A system message is generated when a user is either locked by the system or unlocked by the system administrator. The following is an example of such a system message:

%AAA-5-USER_LOCKED: User user1 locked out on authentication failure.

The system administrator cannot be locked out.

To configure Login Password Retry Lockout, perform the following steps.


1. enable

2. configure terminal

3. username name [privilege level] password encryption-type password

4. aaa new-model

5. aaa local authentication attempts max-fail number-of-unsuccessful-attempts

6. aaa authentication login default method

Router (config)# username user1 privilege 15 password 0 cisco
Router (config)# aaa new-model
Router (config)# aaa local authentication attempts max-fail 3
Router (config)# aaa authentication login default local

To unlock the locked-out user, perform the following steps

clear aaa local user lockout
{username username | all}

Router# clear aaa local user lockout username user1

Important show command: show aaa local user lockout

Best Regards,
Deepak Arora

Wednesday, May 13, 2009



Enhanced Password Security

The Enhanced Password Security feature, introduced in Cisco IOS Software Release 12.2(8)T, lets an administrator store passwords configured with the username command as salted MD5 hashes (type 5). Before this feature there were two types of username password: type 0, which is cleartext, and type 7, which uses a weak, reversible algorithm based on the Vigenère cipher and is obfuscation rather than protection. Because a type 5 hash cannot be reversed, the feature cannot be used with protocols that require the cleartext password to be retrievable on the router, such as CHAP.

To store a user password as an MD5 hash, use the secret form of the username global configuration command:

username name [privilege level] secret encryption-type password
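The weak configuration beside the corrected one, as an added example that is not from the original post: type 0/7 storage first, then the type 5 replacement, then the one account that genuinely has to stay reversible because of CHAP. The usernames and the angle-bracket placeholders are mine.

```cisco
! --- Weak: "password" keeps the string reversibly. With service
!     password-encryption it is displayed as "password 7 <hex>", a
!     Vigenère-style obfuscation that any type 7 decoder undoes instantly.
service password-encryption
username admin privilege 15 password 0 <WEAK-PASSWORD>
enable password <WEAK-ENABLE-PASSWORD>
!
! --- Corrected: type 5 stores a salted MD5 hash, so a leaked running
!     config does not leak the password. IOS refuses a secret on a user
!     that already has a password, so remove the account first (the CLI
!     asks for confirmation).
no username admin
username admin privilege 15 secret 0 <STRONG-PASSWORD>
no enable password
enable secret 0 <STRONG-ENABLE-PASSWORD>
!
! --- Exception the text calls out: CHAP needs the cleartext password
!     on the router, so a PPP/CHAP peer account must use "password",
!     never "secret". Keep such accounts to the PPP peer only.
username chap-peer password 0 <CHAP-SECRET>
!
! Check: every line should read "secret 5 $1$..." except the CHAP peer.
!   show running-config | include username
```

The check matters because service password-encryption makes type 0 and type 7 look "encrypted" in show run, which is exactly how reversible passwords survive audits.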

Order of Operation While Configuring CBAC and NAT Together

While configuring CBAC and NAT on a router, the NAT order of operation plays an important role.

For inside-to-outside traffic, the router performs these steps:

  1. Check input ACL.
  2. Perform NAT inside to outside.
  3. Check output ACL.

For outside-to-inside traffic, the router performs these steps:

  1. Check input ACL.
  2. Perform NAT outside to inside.
  3. Check output ACL.

For filtering inside-to-outside traffic on the inside interface, the inside hosts should be specified by their actual IP addresses.

Similarly, for filtering outside-to-inside traffic on the outside interface, the inside hosts should be specified by their translated addresses (inside global).
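The two rules above in one configuration, as an added example that is not from the original post: a static NAT for a single inside host, CBAC inspection so return traffic is admitted dynamically, and the two input ACLs, each naming the same host by the address the ACL actually sees at its point in the order of operation. The addresses (10.1.1.0/24 inside, 203.0.113.0/24 outside, 10.1.1.10 published as 203.0.113.10), interface names, ACL names and the published SSH service are assumptions.

```cisco
! Inside host 10.1.1.10 is seen as 203.0.113.10 on the outside.
ip nat inside source static 10.1.1.10 203.0.113.10
!
! CBAC: inspect sessions leaving the inside so their return traffic
! is allowed back through OUTSIDE-IN without a static hole.
ip inspect name CBAC tcp
ip inspect name CBAC udp
!
! Inside interface. The input ACL runs BEFORE inside->outside NAT,
! so the host is matched by its real (inside local) address.
ip access-list extended INSIDE-IN
 permit tcp host 10.1.1.10 any eq 80
 permit tcp host 10.1.1.10 any eq 443
 permit udp host 10.1.1.10 any eq 53
 deny   ip any any log
!
! Outside interface. The input ACL runs BEFORE outside->inside NAT
! (untranslation), so the same host must be named by its translated
! (inside global) address. Only the published service is opened
! statically; CBAC adds the return-traffic entries dynamically.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 22
 deny   ip any any log
!
interface GigabitEthernet0/1
 description inside
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip access-group INSIDE-IN in
 ip inspect CBAC in
!
interface GigabitEthernet0/0
 description outside
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
!
! Checks:
!   show ip nat translations   -> 10.1.1.10 <-> 203.0.113.10
!   show ip inspect sessions   -> sessions opened by inside hosts
!   show access-lists          -> hit counts on the deny ... log entries
```

Writing 10.1.1.10 into OUTSIDE-IN is the classic mistake: the ACL never matches, the log line shows the translated address, and the service looks "blocked" when the ACL is simply looking at the wrong side of the translation.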

Tuesday, May 12, 2009

Difference between interface service policy(QOS) and inter-zone security policy(ZBF)

The zone-based firewall uses security policy-maps to specify how the flows between zones should be handled based on their traffic classes. The obvious actions that you can use in the security policy are pass, drop and inspect, but there is also the police action, and one interesting question is: "why would you need the police action in the security policy if you already have QoS policing?"

The difference between interface service policy and inter-zone security policy is in the traffic aggregation: the interface service policy works on traffic classes entering or leaving a single interface and the inter-zone policy works on aggregate traffic between zones, including the return traffic if you’ve used the inspect command to configure stateful inspection of the traffic class.

For example, you could limit the amount of HTTP traffic between your internal clients and your DMZ segment to prevent the internal users from overloading your public web servers.
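The HTTP limit described above, as an added example that is not from Cisco's documentation or the original posts; it also serves the Zone-Based Policy Firewall post of May 19 above, since it shows the zone model (zones, class-map, inspect policy, zone-pair and the default deny) that the police action hangs off. Zone names, interface assignments, the 8 Mb/s figure and the "web servers in the DMZ" scenario are assumptions.

```cisco
! --- Zones and membership. Traffic between zones is denied until a
!     zone-pair with a policy says otherwise (the default deny).
zone security INSIDE
zone security DMZ
!
interface GigabitEthernet0/1
 description internal users
 zone-member security INSIDE
interface GigabitEthernet0/2
 description public web servers
 zone-member security DMZ
!
! --- Traffic class: web only, matched by the built-in protocol inspectors
class-map type inspect match-any INSIDE-TO-DMZ-WEB
 match protocol http
 match protocol https
!
! --- Security policy: inspect (stateful, so return traffic is admitted
!     and counted) AND police the aggregate INSIDE->DMZ web traffic,
!     whichever inside interface it entered on. police requires inspect
!     in the same class. class-default is the explicit default deny.
policy-map type inspect INSIDE-TO-DMZ
 class type inspect INSIDE-TO-DMZ-WEB
  inspect
  police rate 8000000 burst 256000
 class class-default
  drop log
!
! --- Bind it to the zone pair. No DMZ->INSIDE pair exists, so sessions
!     initiated from the DMZ toward the users are denied.
zone-pair security IN-TO-DMZ source INSIDE destination DMZ
 service-policy type inspect INSIDE-TO-DMZ
!
! --- For contrast: an interface QoS policer limits only what enters
!     this one interface, not the INSIDE->DMZ aggregate, and sees no
!     session state. Two inside interfaces would each get 8 Mb/s.
class-map match-any WEB-QOS
 match protocol http
policy-map QOS-WEB
 class WEB-QOS
  police 8000000 256000 conform-action transmit exceed-action drop
interface GigabitEthernet0/1
 service-policy input QOS-WEB
!
! Checks:
!   show policy-map type inspect zone-pair IN-TO-DMZ   -> inspect and police counters
!   show zone-pair security                             -> pair and attached policy
```

Two things practitioners trip over with this model: traffic to and from the router itself belongs to the self zone and is unaffected by INSIDE/DMZ pairs unless a pair involving self is configured, and the interface policer is counted on the Gi0/1 service-policy, so the two 8 Mb/s figures are measured at different points and will not agree.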

Tuesday, May 5, 2009

Cisco Revising CCIE R&S Certification

NEW: Troubleshooting

Beginning October 18, 2009, the CCIE R&S lab exam will feature a two-hour troubleshooting section. Candidates will be presented with a series of trouble tickets for preconfigured networks and need to diagnose and resolve the network fault or faults. As with the configuration section, the network must be up and running for a candidate to receive credit. Candidates who finish the troubleshooting section early may proceed on to the configuration section, but they will not be allowed to go back to troubleshooting since their equipment will need to be reinitialized for the configuration portion.