FirstDigest » Cisco-security

Cisco Easy VPN Router-to-Router

Calin — Fri, 16 Sep 2011 09:17:12 +0000

Cisco Easy VPN is not a new technology. Actually it is pretty old, but still used by many companies or people to connect remote site / remote workers to headquarter.

A few days ago I was looking to connect a remote site in a simple way but still secure and a colleagues suggested me to use Easy VPN. It supposed to be a simple configuration and it was after solving all issues that came into play.

First of all, I needed an Easy VPN Router(client) [...]

ACS 5.1 integration with Active Directory [Part II]

Calin — Wed, 04 May 2011 23:53:59 +0000

In the first part of this article, I described a little bit the installation process for Microsoft Active Directory. Now it’s time to go ahead and talk about the ACS 5.x integration with AD. In the meantime I changed the version “5.1″ to “5.x” as version 5.2 is already out there. This tutorials work for both versions.

Maybe you are wondering why I don’t have a separate chapter about the installation process of ACS 5.x. The reason is that the [...]

Cisco Secure ACS Unauthorized Password Change Vulnerability

Calin — Tue, 19 Apr 2011 08:04:03 +0000

I just finished testing a solution involving ACS 5.2 and Active Directory, when this “good news” hit me in face. It seems that ACS has a vulnerability that allow an unauthenticated attacker to change the password of any user account to any value without providing the account’s previous password.

You might think that this affects older version of the ACS, but in fact all recent versions are affected by this bug (CSCtl77440):

Vulnerable Products

The following Cisco Secure ACS versions are affected by this [...]

ACS 5.1 integration with Active Directory [Part 1]

Calin — Fri, 25 Feb 2011 21:13:14 +0000

If sometime you need to test a configuration regarding ACS integration with Microsoft Active Directory, or if you think that this is something that you want to try, then continue reading:

Part 1 – Active Directory installation

Part 2 – ACS 5.1 integration with AD

Part 3 – Some basic testing to prove that everything is working

I really hope that I’ll have sufficient time to complete this tutorial in the next weeks. As you probably [...]

Cisco: How can MSS help to solve issues in VPN communication

Calin — Fri, 03 Sep 2010 11:03:35 +0000

Since a week, I’m stretching my brains to solve a communication problem over a VPN connection. The problem was that connections like SSH over VPN were not successfully completed. Imagine site A (Paris – remote end) and site B (Hamburg – local end).

In the back, of this sites, servers and clients. If somebody tried to connect from a client in site A over SSH to a server in site B, the initial authentication protocol was successful, but as soon as a [...]

Web Server Directory Traversal Vulnerability in Cisco CDS

Calin — Fri, 23 Jul 2010 05:11:16 +0000

The Cisco Internet Streamer application, part of the Cisco Content Delivery System, contains a directory traversal vulnerability on its web server component that allows for arbitrary file access. By exploiting this vulnerability, an attacker may be able to read arbitrary files on the device, outside of the web server document directory, by using a specially crafted URL.

An unauthenticated attacker may be able to exploit this issue to access sensitive information, including the password files and system logs, which could be leveraged to launch [...]

Cisco PPP Authentication

Calin — Tue, 23 Mar 2010 21:42:03 +0000

As a network engineer, you most probably already had to do with PPP authentication at least once or two times in your daily operation. Even more, if you are going for a Cisco certification (and not only) you should know some stuff about PPP authentication. For today, I’ve planned to deal with back-to-back PPP authentication.

For this back to back scenario, we have the following simple topology:

When we talk about PPP authentication on a end-to-end line we are dealing [...]

Converting from old to new with the PIX to ASA Migration Tool

Calin — Tue, 16 Mar 2010 22:35:34 +0000

Digging through Internet I’ve found a very good article from David Davis explaining how to make your life easier when migrating from PIX to ASA.

The important thing to note about PIX and ASA configurations are that they are different. In other words, to do one thing on a PIX requires a different command on an ASA. The ASA uses a more “IOS-like” configuration where the PIX [...]

Cisco: Small escape leading to non-functional NAT

Calin — Wed, 20 Jan 2010 13:02:37 +0000

I have seen that a lot of people is using search engines to look after terms like “NAT: failed to allocate address for…” or “NAT: address not stolen for…” asking for help in regard to a non-functional NAT. Of course I skipped the cases when the solution was obvious and clear like wrong NAT configuration, NAT pool or missing the access-list.

One not so clear case you have in the example below:

ip access-list standard nat_acl
permit 192.168.0.0 0.0.0.255

route-map to_nat permit 10
[...]

Cisco: DoS protection using TCP Intercept

Calin — Tue, 19 May 2009 08:35:17 +0000

Every now and then, all network engineers have to deal with some kind of network attack. Usually, the attack does not target the network devices, but the machines that provide services (e.g. www, database hosting…), because it’s more easy to find on the Internet a script that is probing port 80 for example, which by the way any kiddie can use, than to corrupt BGP in order to act as man-in-the-middle. Anyway, in front on the machine being attacked, there is a network device and [...]