The Lost Packets

Multiple ipsec vpn tunnels/crypto maps on a single interface

2011-11-30T22:57:00.001-08:00

As a follow up to the previous post, I've finished the configs on all the routers to demonstrate implementing multiple ipsec vpn tunnels on a single interface. In this lab, the West router is the corporate office and satellite offices represented by North, Central, and South. An ipsec tunnel will be established between the North router and each of the offices.

Unlike dmvpn or vpn over mpls, I created this lab in gns3 simply to demonstrate how to create multiple ipsec tunnels using a single crypto map on a single physical interface.

If you were to create three different crypto maps with different names, each pertaining to its respective remote office in this case, the router will only allow one crypto map to be applied to f0/0 interface. The use of a sequence number after the crypto map name will allow you to create multiple policies to satisfy different criteria while only using one physical interface.

From Cisco documentation:

How Many Crypto Maps Should You Create?

You can apply only one crypto map set to a single interface. The crypto map set can include a combination of IPSec/IKE and IPSec/manual entries. Multiple interfaces can share the same crypto map set if you want to apply the same policy to multiple interfaces.
If you create more than one crypto map entry for a given interface, use the seq-num of each map entry to rank the map entries: the lower the seq-num, the higher the priority. At the interface that has the crypto map set, traffic is evaluated against higher priority map entries first.
You must create multiple crypto map entries for a given interface if any of the following conditions exist:
•If different data flows are to be handled by separate IPSec peers.
•If you want to apply different IPSec security to different types of traffic (to the same or separate IPSec peers); for example, if you want traffic between one set of subnets to be authenticated, and traffic between another set of subnets to be both authenticated and encrypted. In this case the different types of traffic should have been defined in two separate access lists, and you must create a separate crypto map entry for each crypto access list.
•If you are not using IKE to establish a particular set of security associations, and want to specify multiple access list entries, you must create separate access lists (one per permit entry) and specify a separate crypto map entry for each access list.
Using context sensitive help at the global config mode for the crypto map, you can see the sequence number.

WEST(config)#crypto map WEST_TO_ALL_MAP ?
1-65535       Sequence to insert into crypto map entry
client          Specify client configuration settings
isakmp          Specify isakmp configuration settings
isakmp-profile Specify isakmp profile to use
local-address   Interface to use for local address for this crypto map
redundancy      High availability options for this map

And when used to create multiple crypto map sequences with the same crypto map, it looks like this:

crypto map WEST_TO_ALL_MAP 33 ipsec-isakmp
set peer 10.100.0.2
set transform-set WEST_TO_ALL_SET
set pfs group2
match address WEST_TO_NORTH_ACL
crypto map WEST_TO_ALL_MAP 44 ipsec-isakmp
set peer 10.100.0.6
set transform-set WEST_TO_ALL_SET
set pfs group2
match address WEST_TO_CENTRAL_ACL
crypto map WEST_TO_ALL_MAP 55 ipsec-isakmp
set peer 10.100.0.10
set transform-set WEST_TO_ALL_SET
set pfs group2
match address WEST_TO_SOUTH_ACL

I chose to use 33, 44, and 55 as my sequence numbers just to make recognizing the sub-commands easier. 33 uses an ACL for North router and its 33.33.33.33 loopback interface and so on for 44 and 55. Obviously you can use whatever sequence number of your choosing up to 65535.

Here's what it looks like in SDM:

To generate interesting traffic to satisfy to corresponding ACL, you must use an extended ping and specify to destination and source addresses.

WEST#ping
Protocol [ip]:
Target IP address: 33.33.33.33
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 22.22.22.22
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:
Packet sent with a source address of 22.22.22.22
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/52 ms
WEST#

The same test in SDM:

The sh crypto isakmp sa command is a quick way to verify that all tunnels are up. Note the state of qm_idle which unlike it sounds, means that the tunnel is actually active.

WEST#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
172.16.80.2 10.100.0.6 QM_IDLE 1007 0 ACTIVE
172.16.80.2 10.100.0.2 QM_IDLE 1008 0 ACTIVE
172.16.80.2 10.100.0.10 QM_IDLE 1006 0 ACTIVE

Tunnel verification in SDM:

Using extended pings with the respective loopbacks will generate interesting traffic across the tunnel. The inbound and outbound encrypted packets can be viewed with the sh crypto ipsec sa command. For brevity, I ran it from 33.33.33.33 on the North router to 22.22.22.22 on the West router.

NORTH#sh crypto ipsec sa
interface: Serial0/0
Crypto map tag: NORTH_WEST_MAP, local addr 10.100.0.2
protected vrf: (none)
local ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (22.22.22.22/255.255.255.255/0/0)
current_peer 172.16.80.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 999, #pkts encrypt: 999, #pkts digest: 999
#pkts decaps: 999, #pkts decrypt: 999, #pkts verify: 999
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 10.100.0.2, remote crypto endpt.: 172.16.80.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
current outbound spi: 0x96125197(2517782935)
inbound esp sas:
spi: 0x9318B623(2467870243)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, crypto map: NORTH_WEST_MAP
sa timing: remaining key lifetime (k/sec): (4525986/86021)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x96125197(2517782935)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: NORTH_WEST_MAP
sa timing: remaining key lifetime (k/sec): (4525986/86021)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
NORTH#

CONFIGS

----

WEST ROUTER

----

WEST#sh run
Building configuration...
Current configuration : 2346 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname WEST
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$XLVQ$0Iv.mmpjqeaORAL1jvURy.
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
no ip domain lookup
login on-success log
!
multilink bundle-name authenticated
!
!
!
username root privilege 15 secret 5 $1$O6qN$iOg0pvIhgwb6vDLZ2v1yU0
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 10.100.0.2
crypto isakmp key cisco address 10.100.0.6
crypto isakmp key cisco address 10.100.0.10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set WEST_TO_ALL_SET esp-aes esp-sha-hmac
!
crypto map WEST_TO_ALL_MAP 33 ipsec-isakmp
set peer 10.100.0.2
set transform-set WEST_TO_ALL_SET
set pfs group2
match address WEST_TO_NORTH_ACL
crypto map WEST_TO_ALL_MAP 44 ipsec-isakmp
set peer 10.100.0.6
set transform-set WEST_TO_ALL_SET
set pfs group2
match address WEST_TO_CENTRAL_ACL
crypto map WEST_TO_ALL_MAP 55 ipsec-isakmp
set peer 10.100.0.10
set transform-set WEST_TO_ALL_SET
set pfs group2
match address WEST_TO_SOUTH_ACL
!
!
interface Loopback22
ip address 22.22.22.22 255.255.255.255
!
interface FastEthernet0/0
ip address 172.16.80.2 255.255.255.252
duplex auto
speed auto
crypto map WEST_TO_ALL_MAP
!
interface FastEthernet0/1
ip address 192.168.143.1 255.255.255.0
duplex auto
speed auto
!
router eigrp 1
network 22.22.22.22 0.0.0.0
network 172.16.80.0 0.0.0.3
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.80.1
!
!
ip http server
ip http authentication local
no ip http secure-server
!
ip access-list extended WEST_TO_CENTRAL_ACL
permit ip host 22.22.22.22 host 44.44.44.44
ip access-list extended WEST_TO_NORTH_ACL
permit ip host 22.22.22.22 host 33.33.33.33
ip access-list extended WEST_TO_SOUTH_ACL
permit ip host 22.22.22.22 host 55.55.55.55
!
!
control-plane
!
!
line con 0
privilege level 15
logging synchronous
login local
line aux 0
line vty 0 4
privilege level 15
logging synchronous
login local
line vty 5 15
privilege level 15
logging synchronous
login local
!
!
end
WEST#

----

NORTH ROUTER

----

NORTH#sh run
Building configuration...
Current configuration : 1731 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname NORTH
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$X1KH$rf6mUDjbeg4fIp1f2uSnl1
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
multilink bundle-name authenticated
!
!
username root privilege 15 secret 5 $1$B0JJ$uTk6IMRD2k1sxTaTN.KRb.
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 172.16.80.2
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set NORTH_WEST_SET esp-aes esp-sha-hmac
!
crypto map NORTH_WEST_MAP 1 ipsec-isakmp
set peer 172.16.80.2
set transform-set NORTH_WEST_SET
set pfs group2
match address NORTH_WEST_ACL
!
!
interface Loopback33
ip address 33.33.33.33 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
ip address 10.100.0.2 255.255.255.252
clock rate 2000000
crypto map NORTH_WEST_MAP
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 1
network 10.100.0.0 0.0.0.3
network 33.33.33.33 0.0.0.0
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.100.0.1
!
!
ip http server
no ip http secure-server
!
ip access-list extended NORTH_WEST_ACL
permit ip host 33.33.33.33 host 22.22.22.22
!
!
control-plane
!
!
line con 0
privilege level 15
logging synchronous
login local
line aux 0
line vty 0 4
privilege level 15
logging synchronous
login local
line vty 5 15
privilege level 15
logging synchronous
login local
!
!
end
NORTH#

----

CENTRAL ROUTER

----

CENTRAL#sh run
Building configuration...
Current configuration : 1765 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CENTRAL
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$YPsa$9VwF4dW/SU/QZ1RK4lH000
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
username root privilege 15 secret 5 $1$7Nor$KT0mgG1KFDz6C7YfJ1D8Q1
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 172.16.80.2
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set CENTRAL_WEST_SET esp-aes esp-sha-hmac
!
crypto map CENTRAL_WEST_MAP 1 ipsec-isakmp
set peer 172.16.80.2
set transform-set CENTRAL_WEST_SET
set pfs group2
match address CENTRAL_WEST_ACL
!
!
interface Loopback44
ip address 44.44.44.44 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
ip address 10.100.0.6 255.255.255.252
clock rate 2000000
crypto map CENTRAL_WEST_MAP
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 1
network 10.100.0.4 0.0.0.3
network 44.44.44.44 0.0.0.0
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.100.0.5
!
!
ip http server
no ip http secure-server
!
ip access-list extended CENTRAL_WEST_ACL
permit ip host 44.44.44.44 host 22.22.22.22
!
!
control-plane
!
!
line con 0
privilege level 15
logging synchronous
login local
line aux 0
line vty 0 4
privilege level 15
logging synchronous
login local
line vty 5 15
privilege level 15
logging synchronous
login local
!
!
end
CENTRAL#

----

SOUTH ROUTER

----

SOUTH#sh run
Building configuration...
Current configuration : 1732 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SOUTH
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Zp0E$p9TbxGygnbIO0O3Vll2wa/
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
multilink bundle-name authenticated
!
!
username root privilege 15 secret 5 $1$21Ba$GyBJHQ9MmJ.P4gDkvAwhh0
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 172.16.80.2
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set SOUTH_WEST_SET esp-aes esp-sha-hmac
!
crypto map SOUTH_WEST_MAP 1 ipsec-isakmp
set peer 172.16.80.2
set transform-set SOUTH_WEST_SET
set pfs group2
match address SOUTH_WEST_ACL
!
!
interface Loopback55
ip address 55.55.55.55 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
ip address 10.100.0.10 255.255.255.252
clock rate 2000000
crypto map SOUTH_WEST_MAP
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 1
network 10.100.0.8 0.0.0.3
network 55.55.55.55 0.0.0.0
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.100.0.9
!
!
ip http server
no ip http secure-server
!
ip access-list extended SOUTH_WEST_ACL
permit ip host 55.55.55.55 host 22.22.22.22
!
!
control-plane
!
!
line con 0
privilege level 15
logging synchronous
login local
line aux 0
line vty 0 4
privilege level 15
logging synchronous
login local
line vty 5 15
privilege level 15
logging synchronous
login local
!
!
end
SOUTH#

IPSec VPN Lab with EIGRP

2011-11-19T07:47:00.001-08:00

Currently studying for CCNA:Security exam and using GNS3 for lab time. Using five 3725 routers running EIGRP for L3 connectivity. Tunnel will be established between West and North router. I'll use this topology again for the zone-based firewall portion of the exam which I really look forward to! See topology below for reference.

IPSec Tunnel from West to North

Updates coming soon!

2011-11-15T05:44:00.001-08:00

The MPLS and VoIP project has kept me very busy, apologies for not posting any updates. Projects will be ending within a few weeks and I look forward to posting parts of the project especially my dealings with mpls config for isp customers, route manipulation, intervlan routing, asa phone proxy, and a few other small bits.

Recently hired a network support technician to assist with out-of-state projects. Business is growing and we will soon be expanding to two states on the east coast. More mpls and voip! :)

Cisco Router Login Enhancements

2011-02-24T22:07:00.000-08:00

To prevent service disruption from attacks such as Denial of Service or Dictionary Attacks, login enhancements should be used. When DoS detection and login enhancements are used, the router can be customised to act upon attacks and respond by preventing logins after so many failed attempts within a certain amount of time. These failed attempts can also be logged for auditing. More information about login enhancements here.

To enable login enhancements, the first command that must be issued is login block-for attempts <#> within <seconds>

Router(config)#login block-for 180 attempts 3 within 60

With this command, we are telling the router that if there are 3 invalid login attempts within 60 seconds, then block vty logins for 180 seconds. Since we have not configured a quiet-mode acl yet, the only way to access the router is via the console port.

Here we can see an attacker attempted to login to a router but was unsuccesful in 3 attempts within 60 seconds. To prevent any further DoS or Dictionary attacks, the router then blocks vty logins for 180 seconds by going into quiet-mode.

After issuing the login on-failure log command, we can see detailed information about the failed login such as: timestamp, source IP, port, and username used.

From the timestamp we can see that after 180 seconds (00:35:06.75 mark) the router disabled quiet-mode and allowed logins to the vty lines.

But what happens if the router is in quiet-mode for more than 180 seconds? What if the router logins are inaccessible for 60 minutes and your only access is the console port but you are not physically in front of that router? In the topology below, the attacker has logged in unsuccessfully 3 times and the router is in quiet mode for several minutes. Any vty line login attempt made from the Remote Office location would be unsuccessful unless the source IP of that subnet is permitted by the quiet-mode acl. In this topology the source IP would be in the loopback0 interface of 192.168.1.1/24 on the Remote_Office router.

By default, the sl_def_acl is created but as you can see, any source IP to any destination IP will be denied.

Headquarters#sh access-lists

Extended IP access list sl_def_acl

10 deny tcp any any eq telnet log

20 deny tcp any any eq www log

30 deny tcp any any eq 22 log

To circumvent this issue, a new access-list can be created. In this case we will permit any traffic from the Remote_Office router to the vty lines on the Headquarters router when it is in quiet-mode.

Headquarters(config)#ip access-list extended PERMIT_REMOTE_OFFICE

Headquarters(config-ext-nacl)#permit ip 10.100.0.0 0.0.0.3 any

Headquarters(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 any

After the quiet-mode acl has been created it will need to be applied with:

Headquarters(config)#login quiet-mode access-class PERMIT_REMOTE_OFFICE

As you can see that even while the router is in quiet-mode due to login enhancement parameters, any traffic permitted by the quiet-mode acl will be permitted on the vty lines. Note the timestamp of when quiet-mode was enabled and shortly after that there was a successful login from the Remote_Office router from user root on source IP 10.100.0.2.

Finally, two other commands useful for troubleshooting are sh login and show login failures.

Cisco ASA 5510 ICMP and Traceroute Traffic

2011-02-17T10:01:00.000-08:00

On a Cisco ASA 5510, by default all outbound ICMP and traceroute traffic is denied. Well, for testing and troubleshooting purposes, being able to ping hosts on the internet is extremely helpful so you will have to permit it. There are several methods to allow icmp and traceroute traffic outbound on the ASA as documented here. For a simple config, I prefer to use access-lists to permit or deny traffic. If you're an asdm fanboy, I'll you a quick way to setup outbound traffic as well.

At the cli, to permit icmp and traceroute traffic outbound, simply create an access-list like the one below and apply it to the outside interface inbound. Make note of the protocols.

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside

When acl 101 gets applied inbound on the outside interface, any establish echo requests' reciprocal echo reply will be permitted inbound. The same applies for source-quench, unreachable, and time-exceeded.

If you prefer the asdm then simply create a new access rule in the security policy tab like the one below. In this case I'm only permitting icmp echo-reply traffic to pass.

Calling an audible, CCNA:Security > MCSE:2003

2010-12-07T06:53:00.000-08:00

My original plan was to finish MCSE:2003 by April with 293, 294, and 297. However, several of my projects include various security audits and assessments of our infrastructure and 640-553 seems like it would be beneficial for me at this point. Given my experience I think I can knock this one out by the end of the year. I've got an okay lab for this and more than enough in cbt's. Lab consists of two 2620xm's at full memory and 12.4T Advanced Enterprise IOS and two 2950's with Ehanced Image. I really look forward to this exam especially the vpn topics.

Here is some information on the Cisco 640-553 IINS exam:

Cisco Certified Network Associate Security (CCNA® Security) validates associate-level knowledge and skills required to secure Cisco networks. With a CCNA Security certification, a network professional demonstrates the skills required to develop a security infrastructure, recognize threats and vulnerabilities to networks, and mitigate security threats. The CCNA Security curriculum emphasizes core security technologies, the installation, troubleshooting and monitoring of network devices to maintain integrity, confidentiality and availability of data and devices, and competency in the technologies that Cisco uses in its security structure.

Outlook for Mac 2011 and Exchange 2003...

2010-11-16T14:50:00.000-08:00

...Doesn't work so don't bother wasting your time. Here I am thinking that they would've been smart enough to add support for the thousands of Exchange 2003 servers that are still in existence, however after an hour of trying to configure it I was deeply saddened to discover otherwise. If you have a client using Outlook 2011 for Mac, your Exchange server will need to be 2007 SP1 or later. Since when did Exchange 2003 become the red headed step child?

http://support.microsoft.com/kb/2353366

Note: Exchange support in Outlook 2011 requires connectivity to Microsoft Exchange 2007 SP1 RU4 or later.

Getting ready for MS 70-293

2010-10-26T06:27:00.000-07:00

My original plan was to complete MCSE:2003 by the end of the year and then focus on to CCNA:S and CCNP in 2011. At the time I made this plan I didn't know that I was going to have to squeeze in Security+ for the lifetime perk. Now that Sec+ is out of the way, it's time to get back on track with MCSE. As it stands I have only three exams left: 70-293, 70-294, and 70-297. As much as I would like to, I doubt I can get all three exams done by the end of the year. It's just too much material and not enough time for labbing and absorbing it all which is the most important. Maybe what I will do is do 70-293 and 70-293 this year and then do 70-297 in January 2011. That'll give me 11 months to do the Cisco stuff.

Here are the exam objectives for 70-293:

Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

Passed Security+ (SYO-201)

2010-10-14T10:28:00.000-07:00

Decided to surprise my wife with something special for our anniversary which was last Thursday. I took the day off to take the sec+ exam and clean the house. My BS is in InfoSec so I had a pretty foundational knowledge of most of the topics on the exam. I read up on cryptography, certificates, and other topics that I needed a refresher on. I was shocked to see my score of 862, I was actually thinking it was going to be in the 700's! It's a good test, anyone who wants to get into infosec should definitely take it.

Next on deck is 70-293 and to finish MCSE.

More Security+ Review - Common Ports to Know

2010-10-05T06:57:00.000-07:00

Below is a list of common ports that are not only important to know in a production environment but are probably going to be on the Sec+ exam. Just memorize them already!

FTP Data Transfer- 20
FTP Control - 21
SSH - 22
Telnet - 23
SMTP - 25
TACACS - 49
IPSec Header - 50 and 51
DNS - 53
TFTP - 69
HTTP - 80
Kerberos - 88
POP3 - 110
NNTP - 119
NTP - 123
IMAP - 143
SNMP - 161
SNMP Traps - 162
LDAP - 389 and 636
HTTPS - 443
SMB - 445
L2TP - 1701
PPTP - 1723
RADIUS - 1812
RDP - 3389

Building a CCNA:S/CCNP lab

2010-08-21T06:22:00.000-07:00

It has begun! Last week marked the start of my CCNA:Security and CCNP lab building process. So far here is what I have:

2 x 2620XM
1 x 1721
1 x WS-C2950C-24
1 x WS-C2950T-24

That will get me started for the 640-553 IINS exam because the 2620XM's and the 1721 all run SDM. When it comes time for the new CCNP track, I'm going to hope for a WS-C3550-24-SMI and upgrade it to EMI and also an ASA5505-BUN-K9. I'm looking forward to learning more about layer 3 switching and VPN, specifically site-to-site. 2011 looks like it is going to be a good year financially so the expense of the lab gear shouldn't set me too far back. Like they say "you've got to spend money to make money". That is so true in IT. I'm still on point for Security+ and the rest of MCSE (293, 294, 297) which should all be completed by the end of the year.

Pics of the lab to come soon.

Event ID 1111 - Terminal Services Printer Redirection

2010-08-04T16:57:00.000-07:00

I came across an issue with a remote user on a Mac that had a local printer attached and was trying to use printer redirection across rdp to our Win2k8 terminal server and rdp'ing from there to her office pc. At one point it was working but then "stopped" all of a sudden. Both x86 and x64 drivers were installed correctly on the ts box and her workstation. Nothing stood out in the ts event viewer, but on her workstation I was getting a ton of event 1111 termservdevices errors like the one below:

Curious that her printer, the MFC7840W, was looking for an HP 4350 PS driver. After reading more about the ntprintsubs.inf file and about the PrinterMappingINFName registry key, I was lead to the Terminal Server Printer Redirection Wizard Tool at MS kb239088.

Overview

The Terminal Server Printer Driver Redirection Wizard will help you troubleshoot and replace print drivers that were unsuccessfully redirected. This tool automates the process found in the Microsoft Knowledge Base article KB239088 entitled “Windows 2000 Terminal Services Server Logs Events 1111, 1105, and 1006” http://support.microsoft.com/?id=239088.

This tool will scan a server’s System Event Log and detect all events with Event ID 1111 and Source ‘TermServDevices.’ The tool will then scan the server’s registry for installed Version 3 MINI drivers, and prompt you to substitute an installed Version 3 MINI driver for each of the printers that failed printer redirection. Any changes will be written to a file named NTPrintSubs.inf which is where custom redirected printer mappings are stored.

Since the issue appeared to be her office workstation and not the terminal server, I extracted the package to a local folder on her pc and ran it. After a few seconds of scanning the registry it found the issue with incorrect printer driver mappings between the HP 4350 PS and the MFC-7840W. After a quick reboot, she was able to redirect her print jobs to her remote printer. Good resource to know.

Security+ SY0-201 review - types of viruses

2010-08-02T22:44:00.000-07:00

In preparation for the Security+ SY0-201 exam that I am taking this month, I've started jotting down some notes that I think might be important for the exam. This is just a quick review on the types of common viruses.

Armored virus – designed to make itself undetectable by using source code that prevents debuggers and disassemblers from examining the virus in detail. Armored viruses can also be developed with some parts of it as a decoy, while hiding some of the core parts of the virus.

Companion virus – attaches itself to legitimate programs and creates a program with a different filename extension. So when the legitimate program is ran, it is actually the virus that is running.

Macro virus – fastest growing exploitation today that exploits add-ins of specific applications like Microsoft Office. Can infect all documents on a system and spread to other systems via e-mail.

Multipartite virus – designed to attack a system in multiple ways. It can attack the boot sector, infect vulnerable executable files, and corrupt application files. It aims to affect multiple sections to make recovery difficult.

Phage virus – alters and modifies databases and program files. Once infected, a complete reinstall of the program or database is required.

Polymorphic virus – constantly changes it's form to be elusive and avoid detection by encrypting parts of itself. This method of changing its form is called mutation which makes it difficult for common characteristics to be detected by anti-virus programs.

Retrovirus – sometimes called an “anti anti-virus”, it directly attacks or bypasses the anti-virus program. The virus definition database is one of its main targets.

Stealth virus – avoids detection by masking itself from applications. It has the ability to attach itself to the boot sector of a hard disk and report infected files with different file sizes. It can also move itself from file to file to avoid detection.

More review to come...

10 DNS Errors that will kill your network

2010-07-28T09:46:00.000-07:00

I love this article. Even though it was written in '04, it still holds true to today. If you work with DNS on Windows, you need to know these. All credit goes to the original writer of the article, Bill Boswell. The full article can be found here.

TCP/IP Configuration Points to Public DNS Servers
Improper DNS Suffix Handling
Improperly Configured Forwarding
Improper Zone Transfer Configuration
Failure to Verify Dynamic Update of Resource Records
Failure to Properly Delegate Child Zones
Failure to Secure Public- Facing DNS Servers
Failure To Properly Secure Resource Records
Incorrect, Outdated or Unreachable DNS Servers
Lack of Fault Tolerance

If you are interested in expanding your knowledge of DNS on Windows Server 2003, I highly recommend you get the O'Reilly book DNS on Windows Server 2003 by Matt Larson. I used this book for my 70-291 exam and whenever I need a good reference, for example how to use dnslint to enumerate name server information. It is a great book and you will learn a ton from it.

SQL Server Reporting Services likes templates, and so will you!

2010-07-21T08:50:00.000-07:00

I've been doing a ton of SSRS 2005 projects lately. (fun times!) If you have pseudo-ocd like me, you like to keep all of you projects unison. So, instead of going back and forth between your reports to make sure the properties are identical, just create freakin' template already.

Creating an SSRS report template:

Create an initial report and give it the properties that you want your template to have e.g. page layout, colors, expressions, etc..
Save the report to a your sql box's path at C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\ProjectItems\ReportProject.
Right-click on the 'Reports' folder of your project in the Solution Explorer window and choose 'Add > New Item'.
Your template will magically appear in the add new item window.

Now anytime you want to add that "special" report, a click here, a click there and you're good.

SC {query, start, stop} command for service enumeration and management

2010-07-15T20:22:00.000-07:00

Ever needed to work on a remote host only to find out that the Windows firewall is enabled and your port is being blocked? Have no fear, sc query is here! SC is a command line program used for communicating with the Service Control Manager and services of the OS. Yes, I took that right from my dos prompt.

To enumerate the services on your box, simply run the sc query command. You can also run sc queryex to retrieve extended status about a service. Knowing the process ID of the service is useful too.

In XP, to gather information about the firewall service, you would run the sc \\target query sharedaccess command where \\target can be a remote host. If you run it locally, simply omit the \\target parameter. This will query the service and tell you if it is started or stopped. The service name of the Windows XP firewall is sharedaccess so to start or stop the firewall service, simply run the sc \\target {start, stop} sharedaccess command.

In Windows 7, instead of the sharedaccess service name, you would use the mpssvc service name.

On this local Windows 7 session, you can see the service is now stopped after running the sc stop mssvc command. If the remote host was named windows7box, the commmand would be sc \\windows7box stop mpssvc.

As you can see, the service control manager commands can process all sorts of goodies to the services running on a box. Imagine all those yummy albeit dangerous scripts...

DNS pointer records not updating? Check your dhcp credentials!

2010-07-09T19:16:00.000-07:00

While troubleshooting network connectivity for a few new win7 boxes the other day, I wasn't able to run a reverse lookup on them and was getting the usual "Non-existent domain" error. I checked dns and the hosts were there and they were also configured to dynamically create their ptr records upon their a record creation. However, when I checked the reverse lookup zone, the ptr records didn't exist which explains why the reverse lookup failed.

After checking eventvwr and logs I decided to have a look at my dhcp box. What I discovered was that the account that was originally assigned to dynamically update dns was disabled and I assume the password had expired since it wasn't set not to expire. After re-enabling the account and updating the password and setting it to never expire, I entered in the appropriate credentials in the dhcp manager. Since this was mid-day, I had to wait for hosts to contact the dns and dhcp boxes to update their leases. I checked in the next day and low and behold, the ptr records were created and reverse lookup was working.

To change the dns credentials in dhcp:

1. Open properties of dhcp box
2. Open Advanced tab
3. Click on Credentials button
4. Enter appropriate credentials

See screenshot below for reference

Passed 70-291, finally MCSA!

2010-07-05T11:51:00.001-07:00

Can't believe it's been a year since an update...

I took 70-291 on June 28th and passed with a 916! The test was easier than I had expected but my CCNA experience had a lot to do with that. There were suprisingly a lot of subnetting related questions on the test. I'd say the most difficult section for me was RRAS since I've never really implemented it. Note to Microsoft: leave the routing and remote access to Cisco! :) To anyone plan on taking the test, don't get scared with people calling it "The Beast". Just study the skills measured material on Microsoft's 70-291 page and you will be fine. Most people struggle with DNS and RRAS so focus on those topics a bit more.

Next up for me is Security+. I plan to take this test by the end of July. I'd like to get this done (and maybe Linux+) before the end of the year since CompTIA decided to change their certification renewal policy. Not sure yet if I will do Linux+ or the LPIC track but I need to brush up on my *Nix skills if I plan to learn more on LAMP stacks and scripting. More on that later.

After Security+ I am going to finish up with my MCSE:2003. I will only have 70-293, 70-294, and 70-297 to pass. I plan to give each of those tests about 2 months of studying. Virtualbox is great for labbing! I'm really excited about getting into more Windows Security and the advanced Active Directory stuff.

Using poxy auto-configuration files for mobile users

2009-07-19T20:48:00.000-07:00

Wow, it's been too long. Haven't had a chance to update the site lately because of the new job and the baby coming! I've got a ton of stuff in store and I have no idea where to begin so I figure that I at least write about the challenges that I come across at work. Some time this week I will be writing about proxy auto-configuration files or .pac files. It was a pretty decent challenge to get it to work with our proxy appliance so I feel that it is blog worthy. Stay tuned for the update.

Edit (07-25-10): I really wanted to add this to the blog but I no longer have access to the scripts that I referenced above since I am no longer with that employer. I'll try my best to find a similar script to illustrate what the project was all about.

Short term projects

2009-02-24T18:07:00.000-08:00

Sorry for the lack of updates lately, the CCNA exam has been taking most of my time. That and getting settled in the new house. The projected test date is the end of March and after that I have a few things in store for the community. It will take me about 6 or so months to complete the entire list but as each one is done I'll post it here and the networking forums that I visit often.

Here is what I have planned in order of preference:

Subnetting video tutorial
Routing protocols video tutorial
Packet Tracer exercise labs

Im also going to be purchasing some equipment after the exam, the stuff I have at work might get "reappropriated" soon... Its good to have your own stuff though so this will be a good thing.

Until then, dont get lost.

Looking ahead for 09 - CCNA Certification

2008-12-28T08:15:00.000-08:00

I took the ICND1 640-822 exam earlier this year in January... and failed. After sifting through emotion and questioning my reason to be in IT, I took the exam again in December and passed! Im not wasting any time between CCENT and CCNA so Ive already started preparing for it. Im scheduling it around March to give myself ample time to prepare. Ive heard that its a challenge but with the amount of learning resources that I have, I think I will do well.