It’s Friday, 7pm and we’ve just finished our great journey through Cisco security technologies. We’ve spent almost 60 hours mastering Cisco firewalls, VPNs, IPS, Identity and other security technologies on routers and switches. I’d like to thank all my students for their determination and willingness to be in the class every day for 12 hours. I wish you all the best using that knowledge in real life and during your lab attempt. Take care and see you soon.

/PM, from Wokingham, Berkshire, UK

This seems to be a hot topic, as many of you are hitting me with the same question: how do you configure the Key Server (KS) and Group Members (GMs) if the KS is behind a firewall? The answer is: IT DEPENDS :)

Let’s assume we have the KS in the Inside network and the GMs on the Outside, and there is no NAT configured on the ASA. The answer depends on the firewall mode and on the rekey method used by GETVPN. Let’s try to summarize all those combinations:

Scenario 1: ASA Single/Routed Mode + GETVPN Unicast Rekey

This is the easiest one, as GETVPN unicast rekey uses unicast packets as its transport. The KS simply sends rekey packets down to all its members (GMs) and waits for their acknowledgements (ACKs). Note that only the Primary KS sends rekey packets. Since the rekey packet is UDP/848 (GDOI) and is initiated from the Inside (higher security level) interface, it is forwarded from Inside to Outside without any extra configuration, and the ACKs return over the same stateful connection. We do, however, need to open a hole on the outside interface for the GM registration packets, which the GMs initiate towards the KS on UDP/848.

In this example our ACLs should look like this:

ACL on the inside interface (ACL_IN):
none

ACL on the outside interface (ACL_OUT):
access-list OUTSIDE_IN permit udp h <GM-IP> eq 848 h <KS-IP> eq 848
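As an added example (not the post’s own configuration), here is how the Scenario 1 policy looks once applied on an ASA, with two GMs collected in an object-group and the checks you would run on the ASA, the KS and a GM afterwards. The addresses, the object-group name and the interface names are assumptions.

```cisco
! ASA, single context, routed mode. Added example, not from the original post.
! Assumed addressing: KS 10.1.1.5 on inside, GMs 203.0.113.11 and 203.0.113.12 on outside.
object-group network GETVPN-GMS
 network-object host 203.0.113.11
 network-object host 203.0.113.12
!
! GM registration is GM-initiated: GDOI UDP/848 from the GM to the KS, inbound on outside.
access-list OUTSIDE_IN extended permit udp object-group GETVPN-GMS eq 848 host 10.1.1.5 eq 848
access-group OUTSIDE_IN in interface outside
!
! No inside ACL is needed: unicast rekeys are KS-initiated from the higher-security inside
! interface and are permitted by default; the GM's ACK returns over the same connection.
!
! Verification (run after the GMs have registered):
! show access-list OUTSIDE_IN        - hit count on the UDP/848 entry increases per registration
! show conn protocol udp port 848    - one UDP/848 connection per registering or rekeying GM
! On the KS (IOS):  show crypto gdoi ks members
! On a GM (IOS):    show crypto gdoi
```

If a GM never shows up in the KS member list while the ACL hit count stays at zero, the registration packet is not reaching the outside interface at all (routing or an upstream filter), not the ASA policy.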


Tomorrow I’m going to run a DCNI-1 training class for our CLP partner in Warsaw, Poland. This course is about building Data Center network infrastructure with Catalyst 6500, Catalyst 4900M (sic!), FWSM and NAM service modules. It is quite old in my opinion and, as always, I will add a lot of new material of my own to satisfy my students and teach them up-to-date stuff.

My plan is to add a bunch of information like:

  • Sup2T – a new 6500 supervisor, its performance, scalability and features
  • new line cards and their features
  • detailed 6500 Architecture and Packet Walks when using different line cards in the same chassis
  • DCI – Data Center Interconnection options and trends
  • enhanced QoS and VRFs
  • VSS and service modules (like FWSM)
  • ASASM – a successor for FWSM
  • NAM5 and its monitoring capabilities

I believe we will be able to finish that in 5 short days and I hope my students will become much better engineers after that! See you there!


This is a very useful and common configuration: an administrator wants to set up ASA and AnyConnect remote access VPN so that the user has a certificate and then must also provide a username/password to authenticate. This approach is very similar to the Cisco IPSec Client type of VPN tunnel setup. When migrating from the IPSec Client to AnyConnect, administrators want to maintain a similar user experience and, of course, the same security during the connection.

Here’s how to configure that step by step:

1. Configure the ASA username and password for our remote users (we use only local AAA)

username piotr password piotr123
username piotr attributes
 service-type remote-access

2. Create a local IP address pool for remote users

ip local pool CCIE 192.168.25.1-192.168.25.254

3. Create a group policy for remote users with the IP address pool and a banner message. Ensure that AnyConnect (SVC) is the only allowed tunnel protocol and that the client is kept installed on the workstation.

group-policy CCIE internal
group-policy CCIE attributes
 banner value WELCOME TO CCIE GROUP!
 vpn-tunnel-protocol svc
 address-pools value CCIE
 webvpn
  svc keep-installer installed
  svc ask none default svc

4. Create a tunnel group (connection profile) and assign the group policy to it. Ensure that both a certificate and a username/password are required for authentication. The username should be taken from the certificate's CN.

tunnel-group CCIE type remote-access
tunnel-group CCIE general-attributes
 default-group-policy CCIE
 username-from-certificate CN
tunnel-group CCIE webvpn-attributes
 authentication aaa certificate
 pre-fill-username ssl-client hide
 pre-fill-username clientless
 group-alias CCIE enable
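The four steps above rely on a few pieces that are easy to forget when reproducing this in a lab: the ASA has to trust the CA that issued the user certificates, present its own identity certificate, and have AnyConnect enabled on the outside interface. The following is an added example of those pieces (not the post’s own remaining steps); the trustpoint name, the enrollment method, the package filename and the version-specific `svc` syntax are assumptions.

```cisco
! Added example, not from the original post. Trustpoint name, enrollment method and
! the AnyConnect package filename are assumptions (the filename is a placeholder).
!
! CA that issued the user certificates; the ASA needs it to validate the client certificate.
crypto ca trustpoint CCIE-CA
 enrollment terminal
 crl configure
crypto ca authenticate CCIE-CA
! Assumed: the ASA's own identity certificate comes from the same CA.
crypto ca enroll CCIE-CA
!
! Identity certificate the ASA presents to AnyConnect users on the outside interface.
ssl trust-point CCIE-CA outside
!
! AnyConnect enabled on outside; pre-8.4 "svc" keywords to match the post's syntax.
webvpn
 enable outside
 svc image disk0:/anyconnect-win-VERSION-k9.pkg 1
 svc enable
!
! Consequence of "username-from-certificate CN" plus "pre-fill-username ssl-client hide":
! the certificate CN must equal the local username (piotr here). The user cannot type a
! different username, so the password is always checked against the certificate's identity.
!
! Verification:
! show crypto ca certificates   - CA and identity certificates present and within validity
! show vpn-sessiondb svc        - the session's Username is the CN taken from the certificate
```

A user whose certificate CN has no matching local username fails authentication even with a correct password, which is the intended behaviour: the certificate, not the typed username, decides which account the password is checked against.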



We’ve just finished the CCIE Security Bootcamp in Sydney. We’ve spent over 50 hours in 5 days on hands-on experience with all Cisco security technologies. It was challenging but we did it. Every day we spent ca. 10-12 hours on lecturing and labbing.

I’d like to take this opportunity to thank all of you who participated in that event for your attitude and dedication during this week. I know you were tired, but I was always surprised at how happy you were to hit another topic and stay in class longer and longer every day.

I hope we’ll meet next time in Sydney and, of course, I wish you all the best in nailing the CCIE lab exam.

Yours sincerely,

Piotr


Hi all,

This is the first article describing new features on the ASA firewall. I know it is not part of the current CCIE Security lab exam blueprint, but I bet it will be covered in the future. In addition to the CCIE Security bootcamps, Micronics Training Inc. is starting two new security classes called “Mastering ASA” and “Mastering VPNs”. This material will be covered in greater detail during the first class. Despite that, it is always beneficial for all of us to be in line with new features.

OK, so what is it all about?

NAT has changed in ASA version 8.3 and above. The change is called “NAT Simplification”, but I bet you’ll ask yourself “what the heck?” when you see it, especially those of you who are studying for CCIE Security. Everything we know about NAT configuration on the ASA is no longer valid starting from version 8.3 :)

In order to achieve the simplification of NAT, the following has changed in ASA 8.3:

  • Ease of configuration (single command to configure NAT rule) – questionable :)
  • All NAT rules in a single table, applied on a first-match basis
  • Ability to insert the rule in any arbitrary order
  • NAT configuration is independent of security-levels
  • Removal of ACL support (NAT rules no longer reference ACLs)
  • Removal of NAT control
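To make the list above concrete, here is one NAT policy written in the pre-8.3 syntax and again in the 8.3 syntax, as an added example that is not part of the original post. It shows the single-command rules, the explicit line number for placing a manual NAT rule in the table, and the change that bites most people during migration: interface ACLs now match the real (untranslated) address. The addresses and object names are assumptions.

```cisco
! Added example, not from the original post. Addresses and object names are assumptions.
!
! --- pre-8.3: nat/global pairs, static, and ACLs matching the MAPPED address ---
nat-control
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
! The outside ACL matched the translated address of the server.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80
access-group OUTSIDE_IN in interface outside
!
! --- 8.3 and later: one nat command per rule, all rules in one first-match table ---
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network WEB-SERVER
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
!
! Manual (twice) NAT with an explicit line number: placed as rule 1 of section 1, so it is
! evaluated before the object NAT rules above. Here it keeps inside-to-VPN-pool traffic
! untranslated (the 8.3 replacement for the old NAT exemption).
object network VPN-POOL
 subnet 192.168.25.0 255.255.255.0
nat (inside,outside) 1 source static INSIDE-NET INSIDE-NET destination static VPN-POOL VPN-POOL
!
! The outside ACL now matches the REAL address (via the object), not 203.0.113.10.
access-list OUTSIDE_IN extended permit tcp any object WEB-SERVER eq 80
access-group OUTSIDE_IN in interface outside
!
! Verification:
! show nat      - the single table, ordered by section and line, with translate hit counts
! show xlate    - active translations
! packet-tracer input outside tcp 198.51.100.1 12345 203.0.113.10 80
!               - walks untranslate, then the ACL lookup against the real address
```

If the migrated ACL still permits `host 203.0.113.10`, the `packet-tracer` run above stops at the ACCESS-LIST phase with a drop, which is the quickest way to confirm that an 8.3 upgrade has left a mapped address in an interface ACL.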



This is the most common question I hear from customers when talking about Internet security. This could potentially be achieved on firewalls or IPSes, but not on routers, right? NO! Actually, it is something that can be done on routers much more easily than on firewalls/IPS. All we need is Flexible Packet Matching (FPM), described in detail here and here.

First, we need to ensure that Skype has to use SSL to get its traffic to the Internet. With an open Internet-usage policy this will be hard to achieve. Normally, we should use some kind of web proxy server for Internet browsing, so that the outgoing policy has only tcp/80, tcp/443 and udp/53 open, and only from the proxy’s IP address. Tunneling over HTTP should also be blocked.

Second, we must catch Skype initialization packets and drop them.

How do we achieve the first condition? By using ZFW (Zone-Based Firewall), of course.
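The following is an added example (not the post’s own configuration) of a ZFW policy that implements the first condition: only the web proxy may reach the Internet, and only with HTTP, HTTPS and DNS, so any Skype client on the LAN is left with no direct path out and has to go through the proxy. The proxy address, zone, class-map, policy-map and interface names are assumptions.

```cisco
! Added example, not from the original post. Proxy address 10.1.1.20 and all names are assumed.
!
! Source restriction: only the proxy host.
ip access-list extended PROXY-SRC
 permit ip host 10.1.1.20 any
!
! Protocol restriction: the three protocols the post allows out (tcp/80, tcp/443, udp/53).
class-map type inspect match-any WEB-AND-DNS
 match protocol http
 match protocol https
 match protocol dns
!
! match-all: the source must be the proxy AND the protocol must be one of the three.
class-map type inspect match-all PROXY-TO-INTERNET
 match access-group name PROXY-SRC
 match class-map WEB-AND-DNS
!
! Everything else from INSIDE to OUTSIDE is dropped and logged, including any Skype
! client trying to reach the Internet directly on an arbitrary port.
policy-map type inspect IN-TO-OUT
 class type inspect PROXY-TO-INTERNET
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT
!
interface GigabitEthernet0/0
 description LAN (assumed)
 zone-member security INSIDE
interface GigabitEthernet0/1
 description Internet (assumed)
 zone-member security OUTSIDE
!
! Verification:
! show policy-map type inspect zone-pair IN-OUT   - per-class packet and drop counters;
!   drops in class-default from non-proxy sources are the direct Skype attempts being blocked
```

With this in place Skype can only leave the network inside HTTP or SSL via the proxy, which is exactly what the second condition (catching its initialization packets with FPM) builds on.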



I’m proud to announce that the long-awaited CCIE Security Mock Labs have been released today. We decided to sell them together with our MidiLabs and Troubleshooting Labs (TSlabs), which have been available for some time now.

Since Cisco decided to remove Core Knowledge (a.k.a. Open Ended Questions) from the CCIE Security lab exam and focus on troubleshooting skills, we addressed that a couple of months ago. We have had TSlabs for our MidiLabs ready for some time, and now they will be sold along with our MockLabs as a bundle.

CCIE Security v3.0 MockLabs contain five 8-hour labs for practicing and mixing different technologies in one complex topology. This product requires deep knowledge and understanding of all security technologies, their coexistence and their influence on each other. The MockLabs are especially prepared to focus on the dependencies and influences that different technologies may have on one another. Each lab uses a different approach and wording and contains diverse tasks to show different solutions and possible configurations. Each task has detailed explanations and comments.

In addition to the 5 MockLabs, the student receives 4 MidiLabs containing advanced 4-hour labs, each focusing on one technology or a group of technologies. The MidiLabs cover the following technologies:
MidiLab#1 – ASA Firewall
MidiLab#2 – Zone Based Policy Firewall (ZBF)
MidiLab#3 – L2L VPN and Remote Access VPN
MidiLab#4 – DMVPN & GET VPN

Based on the MidiLab tasks and topologies there are 4 Troubleshooting Labs, especially created to challenge the student and check their troubleshooting skills. These TSlabs are the only troubleshooting labs available on the market for CCIE Security.

If you’re interested in purchasing please contact our Sales dept. at sales {at} micronicstraining {dot} com



An official announcement from Cisco has been released today:

Effective August 15, 2011, CCIE Security Lab Exam and CCIE Storage Networking Lab Exam, in all global locations, will no longer include the four open-ended Core Knowledge questions. The removal of Core Knowledge questions allows candidates to utilize the total lab time for configuration and troubleshooting. The total lab time will remain eight hours.

I think it is very good news for all CCIE Security candidates.


Today, Cisco released the AnyConnect SSL VPN Client for Samsung Android devices. If you have one of the following devices you may be interested:

  • Galaxy S running Android 2.3.3 or later
  • Galaxy S II running Android 2.3.3 or later
  • Galaxy Tab 8.9 running Android 3.0 or later

This requires ASA version 8.0(4) or later, but there are some licensing caveats which may force you to a higher ASA software version:

  • for 8.0(4) – 8.2(4) and 8.4(1) – you must have AnyConnect Premium & AnyConnect Mobile licenses
  • for 8.2(5)+ and 8.4(2)+ – you must have AnyConnect Essentials & AnyConnect Mobile licenses

I don’t need to tell you what option is cheaper :)

Anyway, this is the first SSL VPN client for Samsung Android! It is worth a try!

You can download it directly from the Android Market.
