Archive for the ‘Security’ Category

New start

Mittwoch, April 20th, 2011

Hi there,

As I am moving across the border from Germany to Switzerland and also to another employer, I have decided to start my preparation for the sec lab again. I managed to set up gns3 version 0.7.4. Here is my .net file. I have implemented all related devices for compatibility.

I find it really great. It seems possible to simulate 100% of the lab equipment and functions on my laptop. I have a notebook with the Intel M620 processor and 4 GB RAM (Windows 7, 64-bit). After adjusting idle values I got about 30-40% processor usage after starting all 14 devices (ASA1, ASA2, IDS/IPS, R1, R2, R3, R4, R5, R6, SW1, SW2, BB1, BB2, BB3). ASA1, ASA2 and IDS/IPS produce most of the load, while „only“ the routers take about 5-10% when idle and with no configuration.

Here is my gns3 .net file for version 0.7.4. You have to adapt the directories to your environment.

ACS 5.1 with vmware workstation 6.5

Mittwoch, April 14th, 2010

Just had the problem with vmware workstation 6.5.3 that the ACS 5.1 installation would not find the SCSI hard disc. It always claimed that the hard disc size is „0“. The problem with the vmware workstation installation is that the ACS boot disc is not able to identify the SCSI controller. It must be an LSI SCSI controller.

With vmware version 6.5 it seems not possible to configure the SCSI controller type over the GUI, so you will have to change the value directly in the machine's vmx file.

You have to add the controller device to the vmx configuration file of the virtual machine itself. It should look like:

scsiX.virtualDev = "lsilogic"

where X is the controller number. For the ACS installation it would be

scsi0.virtualDev = "lsilogic"

After this change the installation should work fine.

Other defaults I used were:

OS: Red Hat

Mem 512

Disc: min 60 GB SCSI

Processors: 2

After booting from the iso image you will have to enter „1“ and wait for some minutes. Then log in with „setup“ and enter the defaults for the device.

Then the installation will complete.

You will have to obtain a valid license after logging in.

Use „ACSAdmin“ and the password you gave during the setup process (or use „default“).

After changing to a new password, you will have to add a valid license file.

Don’t ask me for this license.



Starting my journey all over again

Mittwoch, April 14th, 2010

Long time no update. I have done different things and also just came back from a holiday. My son is now nearly 2 years old and he is about to make great steps further into the future.

In my current job I have done some migrations and audits, for example. I also did my Prince2 (project management) certification in the meantime.

Time to go deeper again. Time to go in depth with the current sec lab.

In two weeks I will be at the INE bootcamp at the end of April near London for a week. Currently I'm still trying to set up my lab altogether. I still don't have an IDS/IPS solution. I'm hoping the Cisco ASET lab will open soon to be able to train more on this equipment.

I was in trouble motivating myself for the next path. But I'm starting again. Currently looking at ACS and IOS authentication.

I still haven't booked my sec lab yet. But I think this will be at the end of August/September. So here we go.

Glad to have gns3 on my side. There have been numerous changes since version 3 and 4. I use it quite often while travelling, for example. Great work guys.

IPS and java versions

Samstag, August 8th, 2009

After I tried three different Java versions, I managed to log in to my IPS 4215. I tried Java versions:




With these versions the login got stuck at loading 92% of the configuration from the machine. It just told me „Initializing Config Modules“ and got stuck at 92%.

Then the last version I tried did the trick.


Works for the https login.

Have done my CCIE Written for security now …

Mittwoch, Mai 13th, 2009

As I was looking for something I could do next after passing my CCIE R&S, I took the security path, and last week I did the written as a first step. It was 105 questions with a 790 points passing score. I managed to pass the test. It was quite close, I didn't expect to pass. I was feeling I would fail, but tried my best on the last 10 – 15 questions and there must have been some correct answers.

With the new written in security I also recertified my R&S CCIE for nearly the next 4 years. The next time I have to recertify is 26.2.2013. Cisco just adds the new written at the end of the first ending period. So that will take some time.

Since I read that the Security ASET Labs have been a great help for preparation, I have already booked some ASET Labs from the end of May until June. I know that for R&S they have been absolutely helpful and one of the best resources.

I will still look for some PEC courses for security. I found some for R&S which have been at least interesting. But the PEC was reorganized and the website changed a lot. I found it very difficult to get to the courses I have seen before.

I have to look at the PEC again. It might have changed again. 🙂

I have booked the lab at the end of October in Brussels. But I'm unsure if this will be enough time for preparation. I will see. I have to decide by the end of July. So until then I will probably know more about whether it will work.

Currently I am reorganizing my testing environment as well. I was still using an OpenSuse installation on my notebook, but I feel like moving to another distribution. Might be Fedora or Ubuntu. Shouldn't be a problem with dynamips on both. I have ordered a new HD with about 320 GB, so I will have more space available for my vmware installations. Still using my Lenovo T60 though. It has 3 GB of main memory, but I'm already looking for notebooks with more than 4 GB. I'm still waiting for.
But first I will be on holiday with my now 1-year-old son for some time. 😉

If you wonder how often I can go on holiday, that nice time will shortly be over. I'm still on parental leave until the middle of June and until then it will have been 7 months altogether for me. My wife did the other 7 months before. Since 2007 it's possible in Germany for parents to share the time. And if one of them takes at least two months, it will be 14 altogether instead of only 12. It's a great time with my son. He develops so quickly, for me it's absolutely too quick. A few months ago he was so small and now he is close to being able to walk already. It's fantastic to see him every day and to experience his presence.

Have a nice time.

Books and equipment for the sec lab

Dienstag, März 17th, 2009

I hooked myself up to „“ and have started to read some books. Still looking for other useful additions. Some of them have already arrived:

Cisco ASA: All-in-one Firewall, IPS, and VPN Adaptive Security Appliance

IPSec VPN Design

Penetration Testing and Network Defense

Cisco Access Control Security: AAA Administration Services

Intrusion Prevention Fundamentals

Most of them have been published 3 – 5 years ago. Some things might have changed, but most of it probably not, since there are no newer editions. ACS will stay the same on version 4.1 in the lab, also for version 3 of the . IPS will be version 6.1. It seems there is currently no virtual installation possible, as for ASA 8.0 also, at least no fully functional version. But PIX with 8.0 should do it too. And IPS 5.1.8 might not have that many changes. ACS 4.1 is available as a 90-day trial installation. You can install it either on Windows 2003 or Windows 2000 with the following versions:

  • Windows 2000 Server (English version only)
  • Windows 2000 Advanced Server (Service Pack 4) without features specific to Windows 2000 Advanced Server enabled or without Microsoft clustering service installed (English version only)
  • Windows Server 2003, Enterprise Edition or Standard Edition (Service Pack 1)


Cisco Firewall evolution with access-lists, reflexive access-lists, ip tcp intercept and CBAC

Dienstag, Dezember 2nd, 2008

What can I do with CBAC and how do I configure it? What is it intended for? What can also be done with reflexive access-lists? Might ip tcp intercept also be helpful?

Reflexive access lists are Cisco's introduction to stateful filtering. For firewalling it is a nice feature and can be thought of as a kind of ip nat with overload without being able to reach the inside: only if you have triggered a connection from the inside is the return traffic allowed to pass.

Speaking of an established session means the device in between records the connection and dynamically adds an allow filter to let the traffic matching this session pass back through the firewall. That is the meaning of a stateful filter. Cisco standard and extended access-lists can only filter statically. This is where reflexive access-lists come into play.

These are two configuration examples regarding telnet sessions:

1. The first example allows telnet for established sessions in an „extended“ access-list:

ip access-list extended ESTABLISHED
permit tcp any eq telnet any established

interface
ip access-group ESTABLISHED in

Here only telnet traffic originating from the inside client is allowed to come back into the network.

As you would already expect, there is another way with reflexive access-lists:


ip access-group REFL_IN in
ip access-group REFL_OUT out

ip access-list extended REFL_IN
evaluate REFLECT
ip access-list extended REFL_OUT
permit tcp any any eq telnet reflect REFLECT timeout 30

FW#sh access-lists
Reflexive IP access list REFLECT
     permit tcp host eq telnet host eq 28929 (12 matches) (time left 25)
Extended IP access list REFL_IN
    10 evaluate REFLECT
Extended IP access list REFL_OUT
    10 permit tcp any any eq telnet reflect REFLECT (7 matches)

Here the host is outside from the firewall's perspective and is answering telnet requests from the inside client. This reflexive access-list entry is dynamically generated. By default such an entry is active for 300 seconds (here the reflect statement sets a timeout of 30). If the connection is idle for that amount of time, the entry is removed from the list and from memory, but the session itself is not terminated. An active session will simply bring up a new reflexive entry. So this timeout has nothing to do with an absolute or idle timeout in the usual sense; it is more of a „clean up“ timeout.
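To make the reflexive behaviour above concrete, here is a small Python model (added example, not code from the original post) of the REFLECT list: an outbound telnet packet creates the mirrored entry, return traffic is matched against it, and the timeout only removes the entry without touching the session. All addresses and ports are constructed.

```python
# Added example (not from the original post): a minimal model of a Cisco
# reflexive access-list, showing how the REFLECT entry is created by an
# outbound telnet session, how return traffic is matched against it, and why
# the reflect timeout only cleans up the entry without ending the session.
# Addresses are constructed.
from collections import namedtuple

TELNET = 23
Packet = namedtuple("Packet", "src sport dst dport")

class ReflexiveAcl:
    # 'permit tcp any any eq telnet reflect REFLECT timeout N' applied outbound,
    # 'evaluate REFLECT' applied inbound on the same interface.
    def __init__(self, timeout: int):
        self.timeout = timeout
        self.entries = {}  # mirrored 5-tuple -> time the entry was last refreshed

    def outbound(self, pkt: Packet, now: int) -> bool:
        # Only telnet towards the outside is permitted and reflected.
        if pkt.dport != TELNET:
            return False
        # The reflected entry swaps source and destination, like the generated
        # 'permit tcp host <outside> eq telnet host <inside> eq <sport>'.
        self.entries[Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = now
        return True

    def inbound(self, pkt: Packet, now: int) -> bool:
        # 'evaluate REFLECT' permits only traffic matching a live entry;
        # everything else falls through to the implicit deny.
        self._expire(now)
        if pkt in self.entries:
            self.entries[pkt] = now  # a matching packet refreshes the timer
            return True
        return False

    def _expire(self, now: int) -> None:
        # Idle entries are removed after the timeout; the TCP session itself is
        # not reset, so the next outbound packet simply recreates the entry.
        for key, last in list(self.entries.items()):
            if now - last >= self.timeout:
                del self.entries[key]

def demo():
    acl = ReflexiveAcl(timeout=30)
    out = Packet("10.1.1.10", 28929, "192.0.2.20", TELNET)    # inside -> outside telnet
    back = Packet("192.0.2.20", TELNET, "10.1.1.10", 28929)   # the reply direction
    probe = Packet("192.0.2.20", TELNET, "10.1.1.10", 28930)  # unsolicited, other port
    return [acl.outbound(out, 0),   # True: telnet out, REFLECT entry created
            acl.inbound(back, 5),   # True: matches the reflected entry
            acl.inbound(probe, 5),  # False: no matching entry
            acl.inbound(back, 40),  # False: entry expired after 30 s idle
            acl.outbound(out, 41),  # True: the still-live session recreates it
            acl.inbound(back, 42)]  # True again
```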

Here is a possible use of „ip tcp intercept“ vs. reflexive access-lists:

ip tcp intercept list REFL_OUT
ip tcp intercept connection-timeout 20

Here you can set an idle timeout for the TCP connection in your firewall. The idle timeout is now set to 20 seconds.

R2#sh tcp intercept connections
Client Server State Create Timeout Mode

Client Server State Create Timeout Mode
ESTAB 00:00:59 00:00:01 I

After that time you can see your firewall sending a TCP reset to both ends:

Packet debug on the firewall:

*Mar 1 10:37:00.665: IP: s= (local), d= (Vlan5), len 40, sending
*Mar 1 10:37:00.665: TCP src=23, dst=50346, seq=197049759, ack=1038522490, win=0 ACK RST
*Mar 1 10:37:00.665: IP: s= (local), d= (FastEthernet0/0), len 40, sending
*Mar 1 10:37:00.665: TCP src=50346, dst=23, seq=1038522490, ack=197049759, win=0 ACK RST

The connection is cleanly reset.

With ip tcp intercept you have more possible scenarios, for example if you are under a DoS SYN flood. Here I use nmap as a tool for generating multiple TCP SYN packets.


nmap -sS -P0 -p 23 &
nmap -sS -P0 -p 23 &
nmap -sS -P0 -p 23 &
nmap -sS -P0 -p 23 &
nmap -sS -P0 -p 23 &
nmap -sS -P0 -p 23 &
nmap -sS -P0 -p 23 &
nmap -sS -P0 -p 23 &
nmap -sS -P0 -p 23 &
nmap -sS -P0 -p 23 &

If you start this several times you will see ip tcp intercept taking action against half-open sessions. The high watermark is the point where aggressive mode starts, and the count has to fall below the low watermark before normal mode resumes.

*Mar 1 13:50:35.548: %TCP-6-INTERCEPT: getting aggressive, count (5/5) 1 min 9
*Mar 1 13:50:35.548: INTERCEPT: Possible attack! Aborting half-open connection SYNRCVD ( <->
*Mar 1 13:50:35.548: INTERCEPT(*): ( <- RST
*Mar 1 13:50:35.548: INTERCEPT: new connection ( SYN ->
*Mar 1 13:50:35.548: INTERCEPT(*): ( <- ACK+SYN
*Mar 1 13:50:35.584: INTERCEPT: Possible attack! Aborting half-open connection SYNRCVD ( <->

Now tcp intercept is starting to drop half-open connections, oldest first. You can also change the drop mode.

Next take a look at „ip inspect“, called CBAC (Context-Based Access Control).

interface FastEthernet0/0
ip access-group 101 in
ip inspect TELNET out

access-list 101 deny tcp any eq telnet any

ip inspect tcp idle-time 15
ip inspect name TELNET telnet

After opening a session, the telnet connection is able to establish and inspect has registered the session:

FW#sh ip inspect sessions
Established Sessions
Session 6571BC0C (>( telnet SIS_OPEN

You can enable an idle timeout for telnet sessions:

ip inspect name TELNET telnet timeout 10

or for all tcp sessions:

ip inspect tcp idle-time 10

ip inspect max-incomplete low 4
ip inspect max-incomplete high 5
ip inspect name TELNET telnet alert on audit-trail off timeout 10

If you test the TCP SYN flood here as well, you will see ip inspect react to the SYN attack:

*Mar 1 14:24:43.736: %FW-4-ALERT_ON: getting aggressive, count (6/5) current 1-min rate: 6
*Mar 1 14:24:44.012: %FW-4-ALERT_OFF: calming down, count (3/4) current 1-min rate: 16
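The „getting aggressive“ / „calming down“ messages from both tcp intercept and CBAC above follow the same watermark hysteresis. This Python model (added example, not code from the original post) counts half-open connections, drops the oldest one per new SYN while in aggressive mode, and uses the thresholds from the CBAC log (high 5, low 4). Addresses, ports and log texts are constructed stand-ins.

```python
# Added example (not from the original post): a model of the high/low
# watermark logic that 'ip tcp intercept' and CBAC 'ip inspect max-incomplete
# high/low' share. Half-open connections (SYN seen, handshake not finished)
# are counted; crossing the high watermark switches to aggressive mode, where
# every new SYN forces the oldest half-open connection to be dropped, and the
# count must fall below the low watermark before normal mode resumes.
# Addresses, ports and log texts are constructed stand-ins.
from collections import OrderedDict

class HalfOpenGuard:
    def __init__(self, low: int, high: int):
        self.low, self.high = low, high
        self.half_open = OrderedDict()  # (client, server) -> create time, oldest first
        self.aggressive = False
        self.log = []                   # stand-ins for the %TCP-6-INTERCEPT / %FW-4-ALERT_* messages

    def syn(self, client, server, now):
        # A new SYN for a connection the device intercepts/inspects.
        self.half_open[(client, server)] = now
        if self.aggressive:
            # Aggressive mode: make room by resetting the oldest half-open session.
            victim, _ = self.half_open.popitem(last=False)
            self.log.append(f"aborting half-open {victim[0]} -> {victim[1]}, RST")
        self._update_mode()

    def established(self, client, server):
        # Handshake completed: the session is no longer half-open.
        self.half_open.pop((client, server), None)
        self._update_mode()

    def _update_mode(self):
        # Thresholds as in the page's CBAC log: aggressive above high (6/5),
        # calm again only below low (3/4), so the mode does not flap.
        n = len(self.half_open)
        if not self.aggressive and n > self.high:
            self.aggressive = True
            self.log.append(f"getting aggressive, count ({n}/{self.high})")
        elif self.aggressive and n < self.low:
            self.aggressive = False
            self.log.append(f"calming down, count ({n}/{self.low})")

def demo():
    g = HalfOpenGuard(low=4, high=5)
    server = ("10.1.1.30", 23)
    # Constructed flood: six SYNs from different source ports, none completing.
    for port in range(40000, 40006):
        g.syn(("198.51.100.7", port), server, now=port - 40000)
    # A seventh SYN arrives in aggressive mode: the oldest (port 40000) is reset.
    g.syn(("198.51.100.7", 40006), server, now=6)
    # Four of the remaining sessions complete; the count drops below the low watermark.
    for port in range(40001, 40005):
        g.established(("198.51.100.7", port), server)
    return g
```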

Audit-trail logs all connections/attempts, while alert sends only those to the log which have been found suspicious.

CBAC supports many different protocols, including protocols which negotiate ports dynamically, since it is able to inspect at the application layer.


asa 5510 active/active

Mittwoch, Oktober 10th, 2007

I'm currently doing a failover installation with two 5510s on each side, so there will be four devices altogether. It seems things were not planned well enough.

The customer situation is that we have two leased lines that are direct connections from one site to the other. So the idea was to make a failover config with both firewalls in an active/active failover configuration.

But the pitfall was that the traffic has to be encrypted over a site-to-site VPN tunnel. Active/active has to be configured in multiple context mode, and multiple context mode does not have IPsec available. So in multiple context mode you cannot configure any VPNs.

So then you only have active/standby. There's a catch here too. If you configure active/standby and both ends are active, everything is ok. But if one side goes standby and the other side is still active because its „monitored“ interface is working just fine, this will be a deadlock. Neither side will match and the tunnel will not come up again.

It would be a great advantage if you could track or monitor the tunnel interface. Then you could switch from active to standby if the tunnel is no longer available.

Small diagram:

fw1(active) — leased line(vpn) — fw3(active)

fw2(standby) — leased line(vpn) — fw4(standby)

Active/active also does not do real load balancing. You can switch the different VLANs over both leased lines so that the traffic is about the same amount.

The better solution for such a scenario is, if possible, two routers with VPN and VRRP/HSRP and OSPF/EIGRP. Then you can do real load balancing and also have both lines active.

FTP passive and active mode

Sonntag, Oktober 15th, 2006

FTP supports two transfer modes. With the first, active mode, the client initiates the connection to the server on port 21 and the server then binds to port 20 and opens a connection to a port above 1023 on the client.

While using passive FTP, both connections are established from the client to tcp ports 21 and 20 on the server.

FTP connections

How does ppp CHAP authentication work (RFC 1994)?

Mittwoch, August 9th, 2006

PPP authentication is a bit tricky. Well, maybe just for me to understand. I had to follow the path on configuration examples that have to be set on both sides. I show this in the following example and explain how both ends have to be configured.

PPP Auth

R1 is configured like this:

Hostname: R1
Alias hostname: ROUTER1
Password: secret1

username ROUTER2 password secret1
interface s0/0
encapsulation ppp
ppp authentication chap
ppp chap hostname ROUTER1

R2 is configured like this:

Hostname: R2
Alias hostname: ROUTER2
Password: secret2

username ROUTER1 password secret1
interface s0/0
encapsulation ppp
ppp authentication chap
ppp chap hostname ROUTER2

CHAP does a three-way handshake (RFC 1994). PAP is also possible as an authentication protocol, but it's less secure. PAP uses a two-way handshake and sends its password in clear text.

So here it goes like this.

  • R1 wants to connect to R2. R1 is initiating a call.
  • LCP negotiates the authentication protocol, CHAP in this case.
  • Now R2 is going to challenge R1 and prepares a packet with the challenge information. This depends on its configuration. If no hostname is configured with „ppp chap hostname name“, then the hostname of router R2 itself is used for the challenge, otherwise the configured name, in this case ROUTER2.
  • R2 sends a challenge packet to R1, which means R2 asks for authentication for a certain hostname, „ROUTER2“ here.
  • R1 receives the challenge and checks if it has a local user configured matching the hostname/username ROUTER2.
  • R1 finds the username ROUTER2 in its local database with the password „secret1“.
  • R1 now answers the challenge for username ROUTER2 with the configured password (hashed together with the challenge, as CHAP never sends the password itself). But R1 uses hostname ROUTER1 in its answer packet to R2, because it's configured with „ppp chap hostname ROUTER1“. Otherwise R1 would use its hostname R1 to answer.
  • Now R2 receives the answer from R1, looks into its own local password database and finds a matching entry for ROUTER1 with password „secret1“. R2 computes the expected response from that password, compares it with R1's answer and grants access to R1: authentication is successful.
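The exchange in the list above, as an added Python model that is not part of the original post: both routers' „ppp chap hostname“ and „username“ lookups are reproduced, the response is MD5(Identifier || secret || Challenge) per RFC 1994, and a second R1 without the chap hostname shows why R2 then rejects the answer. Names and secrets are the post's (ROUTER1/ROUTER2, secret1).

```python
# Added example (not from the original post): the CHAP exchange of RFC 1994 as
# the post describes it, with both routers' 'ppp chap hostname' and 'username'
# lookups modelled in plain Python. Names and secrets are the post's
# (ROUTER1/ROUTER2, secret1); the challenge value is random as in CHAP.
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    # RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()

class PppPeer:
    def __init__(self, hostname, chap_hostname, usernames):
        self.hostname = hostname
        self.chap_hostname = chap_hostname  # 'ppp chap hostname <name>', or None
        self.usernames = usernames          # {'<name>': '<secret>'} from 'username ... password ...'

    @property
    def name(self):
        # Name placed in CHAP packets: the configured chap hostname, else the router hostname.
        return self.chap_hostname or self.hostname

    def challenge(self, identifier):
        # Challenger (R2 in the post) sends a random value together with its name.
        return identifier, os.urandom(16), self.name

    def respond(self, identifier, value, challenger_name):
        # Responder (R1) looks the challenger's name up in its local database;
        # without a matching 'username' entry it cannot answer at all.
        secret = self.usernames.get(challenger_name)
        if secret is None:
            return None
        return identifier, chap_response(identifier, secret, value), self.name

    def verify(self, identifier, value, response):
        # Challenger looks the responder's name up, recomputes the hash and compares.
        resp_id, resp_value, responder_name = response
        secret = self.usernames.get(responder_name)
        if secret is None or resp_id != identifier:
            return False
        return hmac.compare_digest(resp_value, chap_response(identifier, secret, value))

def authenticate(caller: PppPeer, callee: PppPeer, identifier: int = 1) -> bool:
    # The callee challenges the caller, as R2 does to R1 in the post.
    ident, value, name = callee.challenge(identifier)
    response = caller.respond(ident, value, name)
    return response is not None and callee.verify(ident, value, response)

# R1 and R2 as configured in the post (R1 with 'ppp chap hostname ROUTER1').
R1 = PppPeer("R1", "ROUTER1", {"ROUTER2": "secret1"})
R2 = PppPeer("R2", "ROUTER2", {"ROUTER1": "secret1"})
# R1 without 'ppp chap hostname': it answers as "R1", a name R2 has no username entry for.
R1_NO_ALIAS = PppPeer("R1", None, {"ROUTER2": "secret1"})
```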

Debugging PPP authentication with:

debug ppp negotiation

debug ppp authentication