Storm's Blog

The Living Blog!

This blog is a repository of info and links on technologies, standards, training, useful tools, shortcuts, timesavers and other things of interest to the technical community.  It is a living blog, updated frequently, so check back or subscribe.

3/9/2008 My most recent entry:

Following all rules: What should the first several lines in a CE Edge router really look like?

Assuming my PubNet range is a /27 block of 32 addresses, 66.238.29.0 - 31 (wildcard mask 0.0.0.31). See below:

! no fragments (the fragments keyword precedes log in the IOS ACE syntax)
access-list 100 deny tcp any 66.238.29.0 0.0.0.31 fragments log
access-list 100 deny udp any 66.238.29.0 0.0.0.31 fragments log
access-list 100 deny icmp any 66.238.29.0 0.0.0.31 fragments log
! no snmp inbound from the Internet
access-list 100 deny udp any any eq snmp
access-list 100 deny udp any any eq snmptrap
! RFC 2827 Ingress, RFC 3804 Martian Filtering and RFC 1918 private Address Filtering
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 255.0.0.0 0.255.255.255 any log
access-list 100 deny ip 224.0.0.0 31.255.255.255 any log
access-list 100 deny ip host 0.0.0.0 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.0.2.0 0.0.0.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 14.0.0.0 0.255.255.255 any log
access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
access-list 100 deny ip 198.18.0.0 0.0.255.255 any log
! my own PubNet block must never arrive from the outside (anti-spoofing)
access-list 100 deny ip 66.238.29.0 0.0.0.31 any log
! no routing protocols inbound (unless needed)
access-list 100 deny tcp any any eq bgp log
access-list 100 deny tcp any eq bgp any log
access-list 100 deny ipinip any any
access-list 100 deny gre any any
access-list 100 deny pim any any
access-list 100 deny 90 any any
access-list 100 deny ospf any any log
access-list 100 deny eigrp any any log
access-list 100 deny udp any eq rip any log
access-list 100 deny udp any any eq rip log
! your permit entries, if any, begin here (IOS ends the list with an implicit deny ip any any)

Notes:
192.0.2.0 0.0.0.255 any log (range known to be used to exploit default pw on WLA devices)
14.0.0.0 0.255.255.255 any log (known as Net-14, a Public use network, possibly used by attackers)
169.254.0.0 0.0.255.255 any log (RFC2026 Link Local)
198.18.0.0 0.0.255.255 any log (block for benchmark tests of network interconnect devices, RFC2544)
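Before a list like the one above goes onto the Internet-facing interface, it is worth proving that the spoofed, martian and management-plane packets it is meant to stop really hit a deny, and that legitimate traffic falls through to the permits. The following is an added example and not code from the original post: a small Python evaluator that parses the IOS ACE forms used in the list (any / host / net wildcard, eq port, fragments, log), converts the /27 PubNet block into the wildcard mask IOS expects, and runs constructed packets through the list first-match. The subset of the ACL embedded below, the permit for a web server at 66.238.29.10, and the simplified handling of fragments are assumptions made for the demonstration.

```python
"""Offline evaluator for the IOS extended ACL above (added example, not the
blog's own code). Parses the ACE forms the page uses and applies them
first-match, ending with the implicit 'deny ip any any' IOS appends."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: a subset of the blog's ACL plus one placeholder permit.
# The web server address and the permit line are assumptions, not from the page.
ACL_TEXT = """
access-list 100 deny tcp any 66.238.29.0 0.0.0.31 fragments log
access-list 100 deny udp any any eq snmp
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 66.238.29.0 0.0.0.31 any log
access-list 100 deny tcp any any eq bgp log
access-list 100 deny udp any any eq rip log
access-list 100 permit tcp any host 66.238.29.10 eq www
"""

PORT_NAMES = {"snmp": 161, "snmptrap": 162, "bgp": 179, "rip": 520, "www": 80}
PROTO_NUMBERS = {"icmp": 1, "ipinip": 4, "tcp": 6, "udp": 17, "gre": 47,
                 "eigrp": 88, "ospf": 89, "pim": 103}


@dataclass
class Ace:
    action: str
    proto: Optional[int]            # None stands for 'ip' (any protocol)
    src: Tuple[int, int]            # (network, wildcard) as 32-bit ints
    sport: Optional[int]
    dst: Tuple[int, int]
    dport: Optional[int]
    fragments: bool
    text: str


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    non_initial_fragment: bool = False   # True = no L4 header present


def cidr_to_wildcard(cidr: str) -> Tuple[str, str]:
    """'66.238.29.0/27' -> ('66.238.29.0', '0.0.0.31'), the form IOS ACLs use."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.hostmask)


def _parse_port(word: str) -> int:
    return PORT_NAMES[word] if word in PORT_NAMES else int(word)


def _parse_proto(word: str) -> Optional[int]:
    if word == "ip":
        return None
    return PROTO_NUMBERS[word] if word in PROTO_NUMBERS else int(word)


def _take_address(tokens, i):
    """Consume one address spec at tokens[i]; return ((net, wild), port, next_i)."""
    if tokens[i] == "any":
        spec, i = (0, 0xFFFFFFFF), i + 1
    elif tokens[i] == "host":
        spec, i = (int(ipaddress.ip_address(tokens[i + 1])), 0), i + 2
    else:
        spec = (int(ipaddress.ip_address(tokens[i])),
                int(ipaddress.ip_address(tokens[i + 1])))
        i += 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = _parse_port(tokens[i + 1]), i + 2
    return spec, port, i


def parse_acl(text: str):
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            continue                      # skip comments and unknown lines
        src, sport, i = _take_address(t, 4)
        dst, dport, i = _take_address(t, i)
        aces.append(Ace(t[2], _parse_proto(t[3]), src, sport, dst, dport,
                        "fragments" in t[i:], line))
    return aces


def _addr_match(spec, addr: str) -> bool:
    net, wild = spec                      # wildcard bit 1 = don't care
    return (int(ipaddress.ip_address(addr)) ^ net) & (~wild & 0xFFFFFFFF) == 0


def _ace_match(ace: Ace, pkt: Packet) -> bool:
    if ace.proto is not None and ace.proto != _parse_proto(pkt.proto):
        return False
    if not _addr_match(ace.src, pkt.src) or not _addr_match(ace.dst, pkt.dst):
        return False
    if ace.fragments:                     # 'fragments' ACEs match only non-initial fragments
        return pkt.non_initial_fragment
    # Simplification (assumption): an ACE carrying port info is only compared
    # against packets that actually carry a L4 header.
    if ace.sport is not None or ace.dport is not None:
        if pkt.non_initial_fragment:
            return False
        if ace.sport is not None and ace.sport != pkt.sport:
            return False
        if ace.dport is not None and ace.dport != pkt.dport:
            return False
    return True


def evaluate(aces, pkt: Packet) -> Tuple[str, str]:
    """First matching ACE wins; no match falls to the implicit deny."""
    for ace in aces:
        if _ace_match(ace, pkt):
            return ace.action, ace.text
    return "deny", "implicit deny ip any any"


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for p in (Packet("tcp", "8.8.8.8", "66.238.29.10", 40000, 80),        # legitimate web hit
              Packet("tcp", "66.238.29.5", "66.238.29.10", 40000, 80),    # my own block, spoofed
              Packet("tcp", "8.8.8.8", "66.238.29.10", non_initial_fragment=True),
              Packet("udp", "8.8.8.8", "66.238.29.10", 1024, 161)):       # SNMP from outside
        print(p.src, "->", p.dst, evaluate(acl, p))
```

The evaluator is deliberately strict about the syntax it accepts, so a line it cannot parse is skipped rather than silently matched; when extending it to a production list, add the precedence, tos and time-range keywords before relying on it.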
Storm - Out

 

 

3/4/2008 My last entry. The Configs for the Instructor Routers for 220 class.  Thanks to you all for a great week!!

Get the Configs Here: ccnp330-config.txt 

12/05/2007 Living List of Links:  (jc thx)

1. (new) Nearly every hacking tool known to the human race, free and with full instructions: http://www.elhacker.net/hacking.htm
2. Undocumented IOS and Catalyst Commands: http://www.elemental.net/~lf/undoc/
3. Top 100 Security Tools (http://sectools.org/)
4. Switch Inspector (sweet, inexpensive switchport mapper - http://www.switchinspector.com/)
5. MRTG (traffic statistics, free - http://oss.oetiker.ch/mrtg/), PRTG (traffic statistics, cheap - http://www.paessler.com/prtg)
6. Level 7 Password Decryption (http://cfz.ir/ot/?what=ciscocracker) Cain does it too
7. Cain and Abel Security Audit util (http://www.oxid.it/cain.html)
8. Kiwi Syslog (free, good syslog server - http://www.kiwisyslog.com/products.php#syslog)
9. Kiwi CatTools (configuration management / change tracking - http://www.kiwisyslog.com/products.php#cattools)
10. TFTP Server (overcomes 32MB limit - http://tftpd32.jounin.net/tftpd32_download.html)
11. IOS Configuration Editor, fairly cheap (http://www.winagents.com/en/products/cisco-config-editor/)
12. IP Chicken - external IP from anywhere...no pop-up ads (www.ipchicken.com)
13. (new) Best speed tester on the net!  www.speedtest.net
14. Tera Term - my favorite FREE Windows telnet/SSH client (http://hp.vector.co.jp/authors/VA002416/teraterm.html)  Still like SecureCRT better :-P
15. Boson's Free Utils - bunch of handy/goof around utils (http://www.boson.com/FreeUtilities.html)

Router/switch aliases I use to save time:

!Status and Management Aliases
!
alias exec sr sh run
alias exec gc config t
alias exec sri sh run | include
alias exec srb sh run | begin
alias exec sre sh run | exclude
alias exec srint sh run int
alias exec si sh int
alias exec sip sh ip proto
alias exec sib sh ip int brief
alias exec cl clear line
alias exec ds disconnect
alias exec ss show sessions
alias exec su show users
!
! Routing and Routing Protocol Related
! General
alias exec sir sh ip route
alias exec cir clear ip route *
alias router net network
alias configure ipr ip route
!
! EIGRP
alias configure re router eigrp
alias exec sen sh ip eigrp neighbors
alias exec set sh ip eigrp topology
alias exec cen clear ip eigrp neigh
alias exec sire show ip route eigrp
!
! OSPF
alias configure ro router ospf
alias exec son sh ip ospf neighbor
alias exec sod sh ip ospf database
alias exec soi sh ip ospf interface
alias exec siro sh ip route ospf
alias exec cop clear ip ospf process
!
! BGP
alias configure rb router bgp
alias exec sb sh ip bgp
alias exec sbs sh ip bgp summary
alias exec sbn sh ip bgp neighbor
alias exec sbp sh ip bgp path
alias exec cbgp clear ip bgp *
!
!  Misc Aliases
alias interface ipa ip address
alias configure rr router rip
alias exec sal show access-list
alias exec tr traceroute
alias exec cft copy flash tftp
alias exec ctf copy tftp flash
!

The Components of creating the Cisco Self-Defending "Active Defense System" that you must know:

(In addition to the staples, like ASA5500s, ISR Routers and so on)

CSA 5.2+ (at least on critical Hosts)
IPS 6 (Perfect it in the ASA as the AIP-SSM and the IDSM-2 in the 6500s)
MARS (Without a doubt the BEST security correlation, monitoring and active response system I have ever seen)
Large Enterprises should add Cisco Security Manager for Enterprise-level management

 

More to come.

Storm - out


Posted on Thursday, September 27, 2007 at 02:53PM by Mike Storm

Who nedes a slepl chkecer aynawy?

Aoccdrnig to a rscheearch at an Elingsh uinervtisy, it deosn't mttaer in waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht frist and lsat ltteer is at the rghit pclae. The rset can be a toatl mses and you can sitll raed it wouthit porbelm. Tihs is bcuseae we do not raed ervey lteter by itslef but the wrod as a wlohe.

Posted on Wednesday, September 26, 2007 at 04:14AM by Mike Storm

Pasting Large Cisco Device Configurations in One Step

(republished from ciscoblog...JC)

If you've been working with Cisco devices for a while, you know that the fastest way to back up your configuration is:

1. Do a "show run" command
2. Copy all the output to your clipboard
3. Paste it into notepad

Then, if you need to restore the configuration you just move into global configuration mode and paste all the output back in. Voila! Insta-configured Cisco device. Here's the problem...when you paste in larger configuration files, it fails. Somewhere after about 50-80 lines of config, the input begins to get scrambled and jumbled all around. The reason is the Cisco device cannot keep up with the data that you are entering. So...how do you fix this? Slow down the input! Here's how:

All terminal programs have a setting called “Transmit delay msec/line” for the serial port. Here’s a view of what it looks like in Tera Term:

[Image: Tera Term serial port setup dialog showing the "Transmit delay msec/line" setting]

By default, this is some absurdly low value somewhere between 0-10 msec, which means your terminal program will just keep flooding the data and not give the receiving device enough pause to apply it. Adjust this value to something between 35-50 msec and your Cisco device will have no problem keeping up with the data.

 

-out

Posted on Wednesday, September 26, 2007 at 04:06AM by Mike Storm

How Quality Training Directly Relates to Job Performance


So here it is...the Granddaddy of all discussions with regards to training.  Was it worth it?

Was it worth the money?  Was it worth the time I spent?  Arriving at a definitive answer to these questions can be difficult; for the student, for the Training Coordinator, Managers, etc.

Why?

Let's set the scenario...

You took a training class somewhere, and well, you learned some stuff,


Posted on Thursday, February 22, 2007 at 11:55PM by Mike Storm

Interface's HardHat for CCNP Training is LIVE!

I'll be honest with all of you, I have a hard time putting into words how amazing our new HardHat CCNP classes are.  Not only are you working with the latest Cisco gear, like ISRs and 6509s, but you will be building architectures that mimic EXACTLY what Cisco enterprise customers are doing.  The program is focused on building solutions that you should actually use, and will use, based on best practices and proper application of technologies and how they blend together, not just on getting practice with isolated technologies on a router in an unrealistic lab environment. We just don't do it that way at Interface.


Posted on Wednesday, February 21, 2007 at 08:50AM by Mike Storm

The Ultimate Session at Cisco Networkers 2007

I am honored to, once again, be one of the few non-Cisco employees asked to speak at Cisco Networkers this year.  Cisco Networkers, known as the conference to beat all conferences when it comes to everything networking, security, voice...you name it, is back in California this year.  Anaheim to be exact, July 22-26 2007, with an amazing customer appreciation event on Thursday evening. (most likely to be held at one of the theme parks...and yes only Networkers attendees will be there.)  Have you ever been to Disneyland when there are just a few thousand people there instead of a few million?  If not, you gotta check this out.


Posted on Wednesday, February 21, 2007 at 08:01AM by Mike Storm

Cisco 6500 Switches Added to the Interface Cisco Lab Environment

Yep.  You heard it.  Interface now has a fully populated pair of Cisco Catalyst 6509 Switches for our Cisco HardHat Training environment.  We decided on SUP32s with the 8-port SFP Gig connectors for the Aggregated trunk between the two 6500s. We really couldn't justify the SUP720s for a lab environment, since 99% of the functionality is the same anyway, and well, we just don't generate that much traffic in a classroom environment.  We are using 24-ports of Gig uplinks to each pod network and each switch has a 48-port POE 10/100/1000 switching module as well.  I am a big advocate of scalability, so plan on seeing IDSM-2s, FWSMs, WiSMs, and my favorite, the NAM, being added in the coming months to some of the empty slots in the chassis. 

Interface is in the middle of a $250K hardware refresh (that's at about 70% discount price point), so I am sure the actual list price for what we have added to the lab is in the Million ranges.


Posted on Tuesday, February 20, 2007 at 04:49PM by Mike Storm

Interface Cisco Gear Refresh - You being the beneficiary

Interface has always been focused on quality of content, extensively experienced educators and exceeding customer expectations at every turn. In the Cisco and Security arena, where we have one of the most extensive hardware labs available in the US, our ability to imitate practically any Enterprise Architecture is what makes Interface the best at what we do....High-end Corporate Technical Training.  What you will do during an Interface course, is what you will actually do in real Enterprise environments. It's all real.  Done correctly. Solutions-based. Best Practices.  You name it.
In order for Interface to remain cutting edge with our classroom delivery, we have to stay cutting edge with our gear as well. 


Posted on Tuesday, February 20, 2007 at 04:03PM by Mike Storm

Save Our Internet Bandwidth!!

For the sake of all that is sacred....save us from the bandwidth thieves!  YouTube, Google Video, MySpace....and others.  All of them are to thank for our latest level of Internet bandwidth saturation.  If it bothers you like it does me, why not do something about it?  Save the Internet bandwidth for your business!!


Posted on Thursday, November 16, 2006 at 04:18PM by Mike Storm | 6 Comments

Blocking Peer-to-Peer and Other Traffic of Interest

I don't even want it on my corporate network.  It serves no business purpose, so why allow it?  What am I talking about?  Peer-to-peer file sharing applications and other traffic of interest that may sacrifice my security policy.  Allowing P2P could very well be the fastest way to complete Network Death!


Posted on Tuesday, November 14, 2006 at 04:13PM by Mike Storm

Scheduled Reload of Cisco Devices

Did you know that you can schedule WHEN your Cisco IOS Device reboots?  Yes, it's true.


Posted on Tuesday, November 14, 2006 at 02:55PM by Mike Storm

Implementing Private VLANs - How They REALLY Work!

One very functional layer 2 security mechanism that it seems hardly anyone understands is the use of Private VLANs.  While simple in concept, the implementation of PVLANs can be difficult to grasp, especially in large, complex environments.


Posted on Tuesday, November 14, 2006 at 02:02PM by Mike Storm | 1 Comment

Taking Inventory on Cisco Devices

Another quick, random tip to save you time.

Have you ever wanted to quickly identify your router or switch platform as well as its installed modules and the serial numbers of each?  Well, there is a simple command that you can use to access all of this data on a Cisco IOS device:


Posted on Tuesday, November 14, 2006 at 10:07AM by Mike Storm | 4 Comments

Cisco Voice VLANs...Why Spanning Tree is a Killer!

Ouch! Poor voice or video quality...dropped calls and sessions, etc....the enemies of Voice over IP, IP Telephony and other real-time applications in Cisco Multi-layer Switched Network Environments. 


Posted on Thursday, November 9, 2006 at 01:30PM by Mike Storm

Speed Up Your Cisco Layer 2 Switch Configs

Everyone needs shortcuts, especially when there is a lot of work to do. Setting up your access-layer switches doesn't have to take more than a few commands to make the switch do just what you want it to do without sacrificing functionality or security.


Posted on Thursday, November 2, 2006 at 07:34PM by Mike Storm

BiDirectional NAT on a Cisco PIX or ASA

Cisco PIX/ASA Security - Bidirectional NAT with DMZ Interfaces
It is time to get rid of that pesky ALIAS command!

If any of you have ever dealt with a Cisco PIX or ASA appliance with at least one DMZ interface that contains a public resource (like a web server) that users on the inside also need to access directly by URL, you might have used the PIX alias command to make it happen.


Posted on Thursday, June 29, 2006 at 03:30PM by Mike Storm | 9 Comments