Wednesday, 26 December 2012

Implementing your own CA server on an IOS Router



Why is this useful?

  • It lets you practice PKI in a lab environment, e.g. for VPNs (IPsec or SSL).
  • You can use it on a small intranet to secure your network.


When studying for the CCNA Security certification there are VPN labs that require a CA server for authentication with RSA digital certificates. When you practice at home you need a CA server of your own.
There are various ways to get one; in a lab the most convenient is to use an IOS router in the CA server role.


What you need:

  • GNS3
  • an IOS image
  • a brain



Let's put all the pieces together

You will need to create one router; you can name it CA or anything you like.


First we need to configure the CA Router to actually act as a CA Server:


! Make sure you set the clock before proceeding, otherwise the CA
! server will not work (certificate validity is based on the clock).
! In a production environment NTP is preferred.
CA#clock set 20:09:9 26 DEC 2012

CA#configure terminal
! Enable the HTTP server (SCEP enrollment runs over HTTP)
CA(config)#ip http server
! Set up the PKI server; MY-CA is just the name of the server
CA(config)#crypto pki server MY-CA
! Set the lifetime of the CA certificate and of the certificates it issues.
! The lifetime values are in days.
CA(cs-server)#lifetime ca-certificate 600
CA(cs-server)#lifetime certificate 600
! Available issuer-name attributes include:
! CN=Common Name, L=Location, C=Country
CA(cs-server)#issuer-name CN=LOCAL C=LAB
! The syntax of the command above may differ depending on the IOS version used.
! Specify where the CA database will be stored
CA(cs-server)#database url pem flash:/MY-CA
! Grant certificate requests automatically (fine for a lab, not for production)
CA(cs-server)#grant auto
! Activate the PKI server
CA(cs-server)#no shutdown
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:
Re-enter password:
CA(cs-server)#end
CA#copy run start




Now you have a CA server to use for your labs!

Here is an example of how to use your new CA service on a router:

R1#clock set 20:09:9 26 DEC 2012
R1#configure terminal
R1(config)#ip domain-name lab.com
R1(config)#crypto key generate rsa
The name for the keys will be: R1.lab.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.


How many bits in the modulus [512]: 1024
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#crypto ca trustpoint MY-CA
R1(ca-trustpoint)#subject-name CN=LOCAL C=LAB
R1(ca-trustpoint)#enrollment url http://13.0.0.2:80
R1(ca-trustpoint)#exit
R1(config)#crypto ca authenticate MY-CA
Certificate has the following attributes:
Fingerprint MD5: 57B7D70D 1092F7F2 B690B0D8 B03DC946
Fingerprint SHA1: 41CA2E7C D5B8112F 39287279 EDC06E73 FB0C010B


% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
R1(config)#crypto ca enroll MY-CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.


Password:
Re-enter password:


% The subject name in the certificate will include: CN=LOCAL C=LAB
% The subject name in the certificate will include: R1.lab.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate MY-CA verbose' command will show the fingerprint.


Dec 26 20:59:19.095: CRYPTO_PKI: Certificate Request Fingerprint MD5: 6BA37CCE 404F5058 CB41348C 2201AF76
Dec 26 20:59:19.095: CRYPTO_PKI: Certificate Request Fingerprint SHA1: B71A47B3 865E327C 8835EE1A 4FEED9E2 AA61EB17
R1(config)#end
R1#wr
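The important security step in the enrollment above is the `crypto ca authenticate` prompt: the router shows the CA certificate's MD5 and SHA1 fingerprints and you must compare them with the fingerprints shown on the CA itself before answering "yes", otherwise a rogue CA could be accepted. The following added example (not code from the original post) reproduces that check in Python: it computes fingerprints in the same grouped-hex layout IOS prints and compares them against a value obtained out of band. The certificate bytes are a constructed placeholder, not a real DER certificate; with a real one you would read the DER file exported from the CA's database on flash.

```python
import hashlib

# Constructed stand-in for a DER-encoded CA certificate (NOT a real certificate).
# In practice read the real DER bytes, e.g. from the PEM/DER file the CA wrote
# to its database location (flash:/MY-CA in the post) after converting to DER.
SAMPLE_CA_CERT_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"lab-ca-placeholder"

_ALGOS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}


def ios_fingerprint(der_bytes: bytes, algo: str) -> str:
    """Digest the DER bytes and format like IOS: uppercase hex in 8-char groups."""
    digest = _ALGOS[algo](der_bytes).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def fingerprints(der_bytes: bytes) -> dict:
    """Both fingerprints IOS prints during 'crypto ca authenticate'."""
    return {name: ios_fingerprint(der_bytes, name) for name in _ALGOS}


def _normalize(fp: str) -> str:
    # Tolerate lowercase hex and different grouping when the value was read
    # from a console or written down by hand.
    return "".join(fp.split()).upper()


def verify_ca_fingerprint(der_bytes: bytes, expected_fp: str, algo: str = "SHA1") -> bool:
    """Return True only if the fingerprint computed locally equals the one obtained
    out of band (e.g. read off the CA's own console). Prefer SHA1 over MD5: MD5
    collisions are practical, so an MD5-only match is weak evidence."""
    return _normalize(ios_fingerprint(der_bytes, algo)) == _normalize(expected_fp)


if __name__ == "__main__":
    fps = fingerprints(SAMPLE_CA_CERT_DER)
    print("Fingerprint MD5:", fps["MD5"])
    print("Fingerprint SHA1:", fps["SHA1"])
    # Simulate the operator typing in the value shown on the CA's console.
    print("match:", verify_ca_fingerprint(SAMPLE_CA_CERT_DER, fps["SHA1"].lower()))
```

Comparing the SHA1 value rather than only the MD5 one is the sensible choice, and the comparison should be done against the fingerprint shown on the CA router itself (or sent through another trusted channel), never against the value the enrolling router just received over HTTP.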

If you wish to know more, visit this link.

Sunday, 9 December 2012

Password management

Nowadays we use many kinds of accounts for many purposes: e-mail, social networks, PayPal, e-commerce and more.
Many people use simple and predictable passwords (e.g. birthdays) for their accounts, and on top of that it is common to use similar (if not the same) passwords across all of them.

While it is convenient to have short, easy-to-remember passwords, it is a really bad choice for securing your accounts.


Why is it a problem?



Here are some common uses of e-mail accounts that have been compromised:

  • the attacker can use your e-mail account to send spam messages with malicious intent
  • the account can be used to perform social engineering attacks
  • information gleaned from the e-mails you send or receive can be used for other attacks in the future

So, why do we use weak passwords?

First, with many accounts we have many usernames and passwords. People have trouble memorizing many long, complex passwords, so they use passwords that are easy to remember and type.

How to create a password?

Step 1:

A password should:

  • be more than 8 characters in length
  • not be a word found in a dictionary
  • contain special characters
  • contain capital letters
  • contain lower case letters
  • contain numbers
  • be changed at least every 3 months

A password that does not have the attributes above is weak.


Step 2:

To create passwords that are long enough yet memorable you can use a phrase or a line from a song.

You then replace some letters with special symbols, numbers, other letters, etc.

 ex 1: Sun sea and sand --> 5uN_S3@_@nD_S@nd
 ex 2: Sun sea and sand --> $_n*$34*4Nd_$4nd

Create something that you can remember with ease.
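The checklist in Step 1 and the two transformed phrases in Step 2 can be checked mechanically. The following added example (not part of the original post) implements the Step 1 attributes as a small checker, including the 3-month rotation rule, and runs it over the two Step 2 passwords plus a couple of constructed weak ones. The word list is a constructed stand-in for a real dictionary file.

```python
import string
from datetime import date

# Constructed mini word list; a real checker would load a full dictionary file.
DICTIONARY = {"password", "sunshine", "letmein", "welcome", "dragon", "sun", "sea", "sand"}

MAX_PASSWORD_AGE_DAYS = 90  # "change every 3 months at least"


def password_checks(pw: str) -> dict:
    """Evaluate each Step 1 attribute; True means the attribute is satisfied."""
    return {
        "length_over_8": len(pw) > 8,
        "not_dictionary_word": pw.lower() not in DICTIONARY,
        "has_special": any(c in string.punctuation for c in pw),
        "has_upper": any(c.isupper() for c in pw),
        "has_lower": any(c.islower() for c in pw),
        "has_digit": any(c.isdigit() for c in pw),
    }


def failed_checks(pw: str) -> list:
    """Names of the attributes the password does not meet (empty list = all met)."""
    return [name for name, ok in password_checks(pw).items() if not ok]


def is_weak(pw: str) -> bool:
    """A password missing any attribute from Step 1 is weak, as the post states."""
    return bool(failed_checks(pw))


def needs_rotation(last_changed: date, today: date, max_age_days: int = MAX_PASSWORD_AGE_DAYS) -> bool:
    """True when the password is older than the allowed age."""
    return (today - last_changed).days > max_age_days


if __name__ == "__main__":
    # The two Step 2 examples from the post plus two constructed weak candidates.
    for candidate in ["5uN_S3@_@nD_S@nd", "$_n*$34*4Nd_$4nd", "Sunshine1", "password"]:
        verdict = "WEAK" if is_weak(candidate) else "ok"
        print(f"{candidate!r}: {verdict} {failed_checks(candidate)}")
    # Constructed dates: a password set on 1 Sept 2012 checked on 9 Dec 2012.
    print("rotation due:", needs_rotation(date(2012, 9, 1), date(2012, 12, 9)))
```

Note that a real checker should also compare against leaked-password lists and known patterns, but the point here is that both passphrase-derived examples satisfy every attribute while "Sunshine1" fails only on special characters and "password" fails almost all of them.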

---------------------------------------------------------------------------------------------------------------------

Now that we can create complex P@SsW0rDz there is another problem: where to store them?

Never do the following: write down passwords in a file stored on the computer (usually .txt, .doc or .xls files in an easily accessible location such as the desktop or My Documents), in a notebook on the desk, or even on sticky notes stuck to the screen!!!

This is where a password manager, like KeePass, comes in.
Why?
  • The passwords are stored in an encrypted database
  • You only need to remember one master password
  • You can manage your passwords easily
  • With the auto-type feature you won't need to type usernames and passwords

Some may argue: we can store our passwords in the browser as well, right?

NO, don't do that; there are tools that can recover your credentials from the browser, and you also lose mobility: with KeePass you can install it on a USB stick together with a copy of your password database to securely access your accounts from elsewhere.

There is no such thing as 100% security, but with proper password management you have taken one more step towards securing your privacy.

Note: I do not own the images used in this post !!!!

Friday, 30 November 2012

LINUX



IS LINUX FOR YOU ?

What is Linux ?
Linux is a Unix-like (but not a UNIX) operating system. Strictly speaking Linux is just the kernel, the core of the operating system, without any additional software on top of it.
That is where distributions come in: a Linux distribution is a flavor, a collection of pre-installed components that together make up a complete operating system.

There are different distributions that serve different purposes: desktop, firewall, server and many other roles. Some distributions are not free, but most of them are.



Linux is not used as much as Windows, right?

The hard truth is that this only applies to end-user desktops; in fact Linux and Unix are integral parts of computing in ways you may not have noticed yet!

The majority of the Internet's web servers are Linux/Unix systems, and not because they are cheap...
Their proven stability and the strong security these operating systems provide make them suitable choices not only for web servers: major players in computer networking also build products on Linux (with their own proprietary distributions). Examples are Cisco's Unified Communications Manager (the VoIP call manager) and the Access Control Server (AAA services), and other vendors use Linux to provide reliable services as well.

Linux is also used in smartphones, media players, routers and other devices!

It is really amazing in how many ways Linux is used, and that power is out there, free and available for all to use!!

Is Linux for me?

It really comes down to whether you want to spend the time and effort to get started with Linux. There are some limitations, especially with video drivers: NVIDIA has good support for Linux while Radeon does not.

You need the will to learn something new from scratch, but you do not need to be a hacker or a genius to do so.



What distribution is for me?

That depends on what you want to do with your computer; if you are an average user you will need a desktop distribution that covers your needs.
There are beginner-friendly distributions to begin your journey :)
Examples: Ubuntu, Mint, Fedora and many more!!!

For enterprise environments a server or a specialized distribution is preferred.

Is it difficult to use Linux?

Anything new is a little confusing, but you do not need to worry; of course you will need some practice to get used to Linux. A good approach is to install Linux in a virtual machine first to practice (VirtualBox is a free solution).

One big difference you will experience is the installation of new software. On Linux you will not go to a website to download an application (except in certain circumstances, e.g. when you download source code to compile); instead you use a software manager, which does that for you: just select the software you want to install and the software manager handles everything else. There are applications that you may have used on Windows that run on Linux as well, e.g. Firefox and Chrome.

Each distribution has its own software manager pre-installed, but the same logic applies to most of them (and of course you can install other managers if you like).

One cool thing about Linux is that when you run the update manager it updates not only the operating system but your applications as well! Bye bye outdated software!!! :P

In addition you can install Windows applications on Linux using Wine, although not all of them work. The same goes for games: PlayOnLinux can be used to install Windows games on Linux (keep in mind that some do not work).

Linux distributions for desktop use come with many tools pre-installed for Internet, office, multimedia and other useful tasks.

Is Linux safe to use?

Linux is not affected by most viruses and other harmful software.
But you should be careful with ANY operating system when it comes to security, not just Linux. In general terms, though, Linux is safe to use.



Do I need to learn the command line to use Linux?

No!!! If you do not wish to learn the command line you do not have to at all!
Linux supports many desktop environments and window managers that you can use to configure your computer.
And of course you can install additional ones at any time: KDE, GNOME, Unity, LXDE, XFCE, Enlightenment.

You can customize your desktop far more easily than on Windows.


Where can I get Linux?

There is a website listing many distributions of Linux, and of UNIX as well, at

Is Linux difficult to install?

Linux is really easy to install; there is a graphical installation guide that takes you step by step through the installation process.


Linux needs some time and effort to learn, but it is not difficult to achieve, and if you have questions each Linux distribution has a community to help you get started.
All of that free of charge.

Note: I do not own the images used in this post !!!!

Monday, 15 October 2012

VLAN Maps

Using VLAN Maps

VLAN maps (VACLs) are used to filter or redirect traffic within a VLAN, giving you more granular control over the traffic.


Steps needed to configure a VLAN map

  1. Determine what you want to accomplish: it is vital to know what you want to achieve before configuring anything; that can save you lots of headaches in the actual implementation.
  2. Write an access list: which kind of access list you use depends on what you want to do. The most common are IP access lists; if you only want to match the source IP address a standard access list is sufficient, while for protocol filtering you need an extended access list. Keep in mind that the access list must permit the traffic you want to manipulate.
  3. Create a VLAN map: this is where you use your access list to match the traffic you want to handle and set an action for that traffic. Keep in mind that a VLAN map works much like route maps and access lists: by default it discards traffic that matches no entry, so be sure to allow the traffic that needs to traverse your VLAN.
  4. Apply the VLAN map to a VLAN: here you apply your VLAN map to one VLAN or a list of VLANs. The VLAN map does nothing until it is applied to a VLAN.


Scenario

Your company policy states that telnet traffic must not be allowed on VLAN 10 for security reasons; all other traffic should be allowed.

Here you get to configure a VLAN map to meet the requirements:


(Step 1) Objectives: telnet traffic must be restricted for all hosts in VLAN 10, so:
  • we need an extended access list to match telnet traffic
  • a VLAN map name: we will name it "NO_TELNET"
  • we must ensure that all other traffic is still allowed
  • we will apply our VLAN map to VLAN 10

(Step 2) Implementation:

SwitchABC(config)#access-list 101 permit tcp any any eq telnet
// here we create an access list that permits (i.e. matches) the traffic we want to filter
SwitchABC(config)#vlan access-map NO_TELNET 10
// we have created the VLAN map, sequence 10
SwitchABC(config-access-map)#match ip address 101
// we are using the access list we created before
SwitchABC(config-access-map)#action drop
// anything that matches the access list will be dropped
SwitchABC(config-access-map)#vlan access-map NO_TELNET 20
SwitchABC(config-access-map)#action forward
// sequence 20 has no match statement, so it matches everything; with the action set to forward all other traffic is allowed
SwitchABC(config-access-map)#exit
SwitchABC(config)#vlan filter NO_TELNET vlan-list 10
// now we have applied the VLAN map to VLAN 10, and our job is done :)
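The point that trips people up in this configuration is the implicit drop: if sequence 20 were omitted, every packet that is not telnet would match nothing and be discarded. The following added example (not from the original post) is a small Python model of VLAN map evaluation, with the ACL semantics ("permit" in the ACL means "match" for the map) and the implicit drop at the end, applied to the NO_TELNET map from the post and to a variant that forgets sequence 20. Packets and the evaluation model are constructed for illustration; source/destination addresses are carried but ignored because ACL 101 uses "any any".

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Packet:
    proto: str          # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    dport: Optional[int] = None  # None = any destination port ("any any" source/dest assumed)


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """First matching entry wins; implicit deny at the end (standard ACL behaviour)."""
    for entry in acl:
        proto_ok = entry.proto == "ip" or entry.proto == pkt.proto
        port_ok = entry.dport is None or entry.dport == pkt.dport
        if proto_ok and port_ok:
            return entry.action == "permit"
    return False


@dataclass
class MapSequence:
    seq: int
    action: str                                   # "forward" or "drop"
    match_acls: List[List[AclEntry]] = field(default_factory=list)  # empty = match all


def vlan_map_action(vlan_map: List[MapSequence], pkt: Packet) -> str:
    """Evaluate sequences in order; a packet *permitted* by any matched ACL hits that
    sequence. If no sequence matches, the VLAN map drops the packet (implicit drop)."""
    for seq in sorted(vlan_map, key=lambda s: s.seq):
        if not seq.match_acls or any(acl_permits(acl, pkt) for acl in seq.match_acls):
            return seq.action
    return "drop"


# access-list 101 permit tcp any any eq telnet
ACL_101 = [AclEntry("permit", "tcp", 23)]


def build_no_telnet(with_forward_all: bool = True) -> List[MapSequence]:
    """The NO_TELNET map from the post; with_forward_all=False omits sequence 20."""
    vlan_map = [MapSequence(10, "drop", [ACL_101])]
    if with_forward_all:
        vlan_map.append(MapSequence(20, "forward"))   # no match clause = everything else
    return vlan_map


if __name__ == "__main__":
    # Constructed sample traffic inside VLAN 10.
    telnet = Packet("tcp", "10.0.10.5", "10.0.10.7", 23)
    http = Packet("tcp", "10.0.10.5", "10.0.10.8", 80)
    ping = Packet("icmp", "10.0.10.5", "10.0.10.1")
    for name, vmap in [("NO_TELNET", build_no_telnet()), ("missing seq 20", build_no_telnet(False))]:
        for pkt in (telnet, http, ping):
            print(f"{name:15} {pkt.proto}/{pkt.dport}: {vlan_map_action(vmap, pkt)}")
```

Running it shows the complete map forwarding HTTP and ICMP while dropping telnet, and the incomplete map dropping all three, which is exactly the outage step 3 warns about.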
 
 


Saturday, 13 October 2012

Basic DHCP Configuration


DHCP is the dominant way of providing end-user devices with the information required to connect to your network.

In small or mid-size environments DHCP is usually provided by the ISR router.

Steps needed to deploy DHCP

  1. Define which addresses are going to be excluded from the pool.
  2. Statically configure addresses on servers and on any other device that needs a fixed IP address.
  3. Configure your router as a DHCP relay if a separate DHCP server is used, or enable the DHCP service on the router so it acts as the DHCP server itself.

Configuring a DHCP Relay Agent

 

If your network has a dedicated platform that provides DHCP services, configure the following command on the interface that is the hosts' default gateway: ip helper-address <address>

If your DHCP server has the address 192.168.33.1 you should type:

Router(config-if)# ip helper-address 192.168.33.1
 

Configuring a DHCP Server on a Cisco Router

-----------------------------------------------------------------------------

Router(config)# ip dhcp excluded-address 10.1.1.1 10.1.1.9
// excludes the addresses 10.1.1.1 - 10.1.1.9 from being assigned to hosts
Router(config)# ip dhcp pool DHCP1
// creates a DHCP pool named DHCP1
Router(dhcp-config)# network 10.1.1.0 255.255.255.0
// defines the network used to hand out addresses; here the 10.1.1.0/24 subnet
Router(dhcp-config)# default-router 10.1.1.1
// the default gateway is 10.1.1.1
Router(dhcp-config)# dns-server 4.2.2.2
// the DNS server is 4.2.2.2

-------------------------------------------------------------------------------

The previous commands have this effect:
  • addresses 10.1.1.1 - 10.1.1.9 are not assigned to hosts
  • the network range is 10.1.1.0/24
  • the gateway is 10.1.1.1
  • the DNS server is 4.2.2.2


Caution: for the DHCP service to operate, the router interface facing the hosts must be configured with an address from the 10.1.1.0/24 subnet, usually the default gateway address 10.1.1.1/24.
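To make the effect of the excluded-address range and the caution about the interface address concrete, here is an added Python model of the DHCP1 pool (example code, not from the original post and not Cisco's implementation). It mirrors the `network`, `excluded-address`, `default-router` and `dns-server` settings above, hands out the lowest free host address to each client, and checks whether a given interface address falls inside the pool's subnet. The client MAC addresses are constructed sample values.

```python
import ipaddress
from typing import Optional


class DhcpPool:
    """Minimal model of an IOS DHCP pool: exclusions, sequential allocation, options."""

    def __init__(self, name: str, network: str, mask: str,
                 default_router: Optional[str] = None, dns_server: Optional[str] = None):
        self.name = name
        # ipaddress accepts the "address/netmask" form, matching the IOS 'network a.b.c.d mask' syntax
        self.network = ipaddress.ip_network(f"{network}/{mask}", strict=True)
        self.default_router = default_router
        self.dns_server = dns_server
        self.excluded = set()
        self.leases = {}  # client id (MAC) -> IPv4Address

    def exclude(self, low: str, high: Optional[str] = None) -> None:
        """Equivalent of 'ip dhcp excluded-address low [high]'."""
        lo = ipaddress.ip_address(low)
        hi = ipaddress.ip_address(high) if high else lo
        for n in range(int(lo), int(hi) + 1):
            self.excluded.add(ipaddress.ip_address(n))

    def offer(self, client_id: str) -> Optional[ipaddress.IPv4Address]:
        """Return the client's existing lease or the lowest free, non-excluded host address."""
        if client_id in self.leases:
            return self.leases[client_id]
        in_use = set(self.leases.values())
        for host in self.network.hosts():          # skips network and broadcast addresses
            if host in self.excluded or host in in_use:
                continue
            self.leases[client_id] = host
            return host
        return None                                # pool exhausted

    def options(self) -> dict:
        """The options a client receives alongside its address."""
        return {"router": self.default_router, "dns": self.dns_server,
                "mask": str(self.network.netmask)}

    def interface_in_subnet(self, interface_ip: str) -> bool:
        """The caution from the post: the serving interface must be addressed from the pool's subnet."""
        return ipaddress.ip_address(interface_ip) in self.network


def build_example_pool() -> DhcpPool:
    """The DHCP1 pool exactly as configured in the post."""
    pool = DhcpPool("DHCP1", "10.1.1.0", "255.255.255.0",
                    default_router="10.1.1.1", dns_server="4.2.2.2")
    pool.exclude("10.1.1.1", "10.1.1.9")
    return pool


if __name__ == "__main__":
    pool = build_example_pool()
    for mac in ("00:11:22:33:44:01", "00:11:22:33:44:02"):   # constructed client MACs
        print(mac, "->", pool.offer(mac), pool.options())
    print("interface 10.1.1.1 ok:", pool.interface_in_subnet("10.1.1.1"))
    print("interface 10.1.2.1 ok:", pool.interface_in_subnet("10.1.2.1"))
```

The first client receives 10.1.1.10 because .1 to .9 are excluded, the second receives 10.1.1.11, and an interface addressed 10.1.2.1 fails the subnet check, which is the misconfiguration the caution describes.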