Wednesday, 26 December 2012

Implementing your own CA server on an IOS Router

Why is this useful?

  • It lets you practice PKI in a lab environment, e.g. for VPNs (IPsec or SSL)
  • You can use it on a small intranet to secure your network

While studying for the CCNA Security certification there are VPN labs in which a CA server is required
for authentication with RSA digital certificates. When you want to practice at home you will need a CA server of your own.
There are various ways to do that; in a lab the easiest is to use an IOS router in the CA server role.

What do you need:

  • GNS3
  • an IOS image
  • a brain

Let's put all the pieces together.

You will need to create one router; you can name it CA or anything you like.

First we need to configure the CA router to actually act as a CA server:

! Make sure you set the clock before proceeding, otherwise the CA
! server will not work. In a production environment NTP is preferred.
CA#clock set 20:09:9 26 DEC 2012

CA#configure terminal
! Enable the HTTP server (SCEP enrollment runs over HTTP)
CA(config)#ip http server
! Set up the PKI server; MY-CA is just a name
CA(config)#crypto pki server MY-CA
! Set the lifetime of the CA certificate and of the certificates it issues.
! Lifetime values are in days.
CA(cs-server)#lifetime ca-certificate 600
CA(cs-server)#lifetime certificate 600
! Available fields include:
! CN=Common Name, L=Location, C=Country
CA(cs-server)#issuer-name CN=LOCAL C=LAB
! The command above may differ depending on the IOS version used
! Specify where the certificate database will be stored
CA(cs-server)#database url pem flash:/MY-CA
! Grant certificate requests automatically. Fine for a lab; in production
! leave this off and approve each request manually, otherwise anything that
! can reach the CA gets a certificate.
CA(cs-server)#grant auto
! Activate the PKI server
CA(cs-server)#no shutdown
% Please enter a passphrase to protect the private key
% or type Return to exit
Re-enter password:
CA(cs-server)#end
CA#copy run start

Now you have a CA server to use for your labs!

Here is an example of how to use your new CA from another router:

R1#clock set 20:09:9 26 DEC 2012
R1#configure terminal
R1(config)#ip domain-name
R1(config)#crypto key generate rsa
The name for the keys will be:
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus [512]: 1024
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#crypto ca trustpoint MY-CA
R1(ca-trustpoint)#subject-name CN=LOCAL C=LAB
R1(ca-trustpoint)#enrollment url
R1(config)#crypto ca authenticate MY-CA
Certificate has the following attributes:
Fingerprint MD5: 57B7D70D 1092F7F2 B690B0D8 B03DC946
Fingerprint SHA1: 41CA2E7C D5B8112F 39287279 EDC06E73 FB0C010B

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
R1(config)#crypto ca enroll MY-CA
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.

Re-enter password:

% The subject name in the certificate will include: CN=LOCAL C=LAB
% The subject name in the certificate will include:
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate MY-CA verbose' command will show the fingerprint.

Dec 26 20:59:19.095: CRYPTO_PKI: Certificate Request Fingerprint MD5: 6BA37CCE 404F5058 CB41348C 2201AF76
Dec 26 20:59:19.095: CRYPTO_PKI: Certificate Request Fingerprint SHA1: B71A47B3 865E327C 8835EE1A 4FEED9E2 AA61EB17
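As an added example (my own code, not from the original post), here is a small Python script that checks the fingerprint R1 presents during `crypto ca authenticate` against a copy obtained out of band from the CA router (for example from `show crypto ca certificate MY-CA verbose` on CA) before you answer yes. The R1 output embedded below is the prompt shown above; the expected fingerprint is assumed to be the operator's out-of-band copy.

```python
import hmac
import re

# Constructed sample: the prompt R1 printed during "crypto ca authenticate MY-CA"
# (same fingerprint lines as in the post above).
R1_AUTH_OUTPUT = """Certificate has the following attributes:
Fingerprint MD5: 57B7D70D 1092F7F2 B690B0D8 B03DC946
Fingerprint SHA1: 41CA2E7C D5B8112F 39287279 EDC06E73 FB0C010B

% Do you accept this certificate? [yes/no]:"""

# Assumed: the fingerprint the operator copied from the CA router's own console
# over an out-of-band channel (console cable, not the network being bootstrapped).
EXPECTED_FROM_CA = {
    "sha1": "41CA2E7C D5B8112F 39287279 EDC06E73 FB0C010B",
}

FP_RE = re.compile(r"Fingerprint\s+(MD5|SHA1):\s*([0-9A-Fa-f ]+)")
DIGEST_HEX_LEN = {"md5": 32, "sha1": 40}


def normalize(fp):
    """Strip the spaces IOS inserts every 8 hex digits and lower-case the result."""
    return fp.replace(" ", "").strip().lower()


def parse_fingerprints(router_output):
    """Return {'md5': hex, 'sha1': hex} parsed from a crypto ca authenticate prompt."""
    found = {}
    for algo, hexstr in FP_RE.findall(router_output):
        digest = normalize(hexstr)
        if len(digest) != DIGEST_HEX_LEN[algo.lower()]:
            raise ValueError(f"{algo} fingerprint has {len(digest)} hex digits")
        found[algo.lower()] = digest
    return found


def fingerprint_matches(router_output, expected, algo="sha1"):
    """True only if the router-presented fingerprint equals the out-of-band copy.

    SHA1 is compared by default because the MD5 fingerprint is the weaker of the two.
    """
    shown = parse_fingerprints(router_output).get(algo)
    want = expected.get(algo)
    if shown is None or want is None:
        return False
    return hmac.compare_digest(shown, normalize(want))


if __name__ == "__main__":
    ok = fingerprint_matches(R1_AUTH_OUTPUT, EXPECTED_FROM_CA)
    print("answer 'yes' to the prompt" if ok else "answer 'no': fingerprint mismatch")
```

The point of the check is that `crypto ca authenticate` is the trust-on-first-use moment: whatever certificate R1 accepts here becomes its root of trust for MY-CA, so the fingerprint should be compared against a copy that did not travel over the same network.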

If you wish to know more visit this link

Sunday, 9 December 2012

Password management

Nowadays we use many kinds of accounts for many purposes: e-mail, social networks, PayPal, e-commerce and more.
Many people use simple, predictable passwords (e.g. birthdays) for their accounts and, on top of that, commonly reuse similar (if not the same) passwords across accounts.

While short, easy-to-remember passwords are convenient, they are a really bad choice for securing your accounts.

Why is it a problem?

Here are some common uses for e-mail accounts that have been compromised:

  • the attacker can use your e-mail account to send spam messages with malicious intent
  • the account can be used to perform social engineering attacks
  • the e-mails you receive or send can be mined for information and used in future attacks

So, why do we use weak passwords?

First, with many accounts we have many usernames and passwords. People have trouble memorizing many long, complex passwords, so they use passwords that are easy to remember and type.

How to create a password?

Step 1:

A password should:

  • be more than 8 characters long
  • not be a word found in a dictionary
  • contain special characters
  • contain capital letters
  • contain lower-case letters
  • contain numbers
  • be changed at least every 3 months

A password that does not have the attributes above is weak.

Step 2:

To create passwords that are long enough yet memorable you can use a phrase or a line from a song.

You replace some letters with special symbols, numbers, other letters, etc.

 ex 1: Sun sea and sand --> 5uN_S3@_@nD_S@nd
 ex 2: Sun sea and sand --> $_n*$34*4Nd_$4nd

Create something that you can remember with ease.
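As an added example (not part of the original post), the following Python function applies the Step 1 rules above to a candidate password and reports which ones it breaks, using the two Step 2 passwords as test inputs. The word list is a constructed stand-in for a real dictionary file, and the 3-month rule is checked as an optional age test on ISO-formatted dates.

```python
import string
from datetime import date

# Constructed stand-in for a real word list; in practice load a full
# dictionary file (e.g. /usr/share/dict/words) into this set.
DICTIONARY = {"password", "sunshine", "welcome", "letmein", "dragon", "summer"}

MAX_AGE_DAYS = 90  # "be changed at least every 3 months"


def check_password(password, dictionary=DICTIONARY, last_changed=None, today=None):
    """Return the list of Step 1 rules the password breaks; an empty list means it passes.

    last_changed / today are optional ISO dates ("2012-12-09") for the age rule.
    """
    failures = []
    if len(password) <= 8:
        failures.append("must be more than 8 characters long")
    # Strip leading/trailing digits and symbols so "Sunshine1!" still counts
    # as the dictionary word it is built on.
    core = password.strip(string.punctuation + string.digits).lower()
    if password.lower() in dictionary or core in dictionary:
        failures.append("must not be a dictionary word")
    if not any(c in string.punctuation for c in password):
        failures.append("needs a special character")
    if not any(c.isupper() for c in password):
        failures.append("needs a capital letter")
    if not any(c.islower() for c in password):
        failures.append("needs a lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("needs a number")
    if last_changed is not None:
        now = date.fromisoformat(today) if today else date.today()
        age = (now - date.fromisoformat(last_changed)).days
        if age > MAX_AGE_DAYS:
            failures.append(f"is {age} days old; change it at least every 3 months")
    return failures


def is_weak(password, **kwargs):
    """A password missing any attribute above is weak, as the post says."""
    return bool(check_password(password, **kwargs))


if __name__ == "__main__":
    for candidate in ("5uN_S3@_@nD_S@nd", "$_n*$34*4Nd_$4nd", "Sunshine1!", "password"):
        print(f"{candidate:20} {check_password(candidate) or 'OK'}")
```

Both Step 2 passwords pass every rule; "Sunshine1!" fails only the dictionary rule, which is why the substitution in Step 2 has to touch the middle of the phrase and not just decorate its ends.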


Now that we can create complex P@SsW0rDz there is another problem: where do we store them?

Never do the following: write the passwords down in a file stored on the computer (usually a .txt, .doc or .xls file in an easily accessible location such as the desktop or My Documents), in a notebook on the desk, or even on sticky notes stuck to the screen!!!

This is where a password manager, like KeePass, comes in.
Why?
  • The passwords are stored in an encrypted database
  • You only need to remember one password
  • You can manage your passwords easily
  • With the auto-type feature you won't need to type usernames and passwords

Some may argue: we can store our passwords in the browser as well, right?

NO, don't do that: there are tools that can recover your credentials from the browser, and you also lose mobility. With KeePass you can install it on a USB stick together with a copy of your password database and securely access your accounts from anywhere.

There is no such thing as 100% security, but with the right password management you are one step closer to securing your privacy.

Note: I do not own the images used in this post !!!!

Friday, 30 November 2012



What is Linux?
Linux is a Unix-like (but not a UNIX) operating system. Strictly speaking, Linux is a kernel (the core of the operating system) without any additional software installed on it.
That is where distributions come in: a Linux distribution is a flavor, a collection of pre-installed components that together comprise a complete operating system.

There are different distributions that serve different purposes: desktop, firewall, server and many other roles. Some distributions are not free, but most of them are.

Linux is not used as much as Windows, right?

The hard truth is that this only applies to end users; in fact Linux and Unix are integral parts of computing in ways you may not have noticed yet!

The majority of Internet web servers are Linux/Unix systems, and that is not because they are cheap...
Their proven stability and the superior security these operating systems provide make them suitable choices not only for web servers: major players in computer networking use Linux as well (they have built their own proprietary distros). Examples are Cisco's Unified Communications Manager (the VoIP call manager) and Access Control Server (AAA services), and other vendors also use Linux to provide reliable services.

Linux is also used on smartphones, media players, routers and other devices!
It is really amazing in how many ways Linux is used, and that power is out there, free and available for all to use!!

Is Linux for me?

It really comes down to whether you want to spend the time and effort to get started with Linux. There are some limitations on Linux, especially with video drivers: NVIDIA has great support for Linux while Radeon does not.

You need the will to learn something new from scratch; you do not need to be a hacker or a genius to do so.

What distribution is for me?

That depends on what you want to do with your computer; if you are an average user you will need a desktop distribution that covers your needs.
There are beginner-friendly distributions to begin your journey :)
Examples: Ubuntu, Mint, Fedora and many more!!!

For enterprise environments a server or a specialized distribution is preferred.

Is it difficult to use Linux?

Anything new is a little confusing, but you do not need to worry; of course you will need some practice to get used to Linux. A good approach is to install Linux on a virtual machine first to practice (VirtualBox is a free solution).
One big difference you will experience is the installation of new software. On Linux
you will not go to a website to download an application (except in certain circumstances, e.g. when you download source code to compile); instead you use a software manager to do that for you: just select the software you want to install and the software manager handles everything else. There are applications you may have used on Windows that run on Linux as well, e.g. Firefox and Chrome.
Each distribution comes with its own software manager pre-installed, but the same logic applies to most of them (of course you can install other managers if you like).

One cool thing about Linux is that when you run the update manager it updates not only the operating system but your applications as well! Bye bye outdated software!!! :P

In addition, you can install Windows applications on Linux using Wine, but not all of them work. The same can be done with games: PlayOnLinux can be used to install Windows games on Linux (keep in mind that some do not work).

Linux distributions for desktop use come with many tools installed for Internet, office, multimedia and other useful apps.

Is Linux safe to use?

Linux is not affected by most viruses and other harmful software.
But you should be careful not just with Linux but with ANY operating system when it comes to security. In general terms, though, Linux is safe to use.

Do I need to learn the command line to use Linux?

No!!! If you do not wish to learn how to use the command line you do not have to at all!
Linux supports many desktop environments and window managers that you can use to configure your computer,
and of course you can install additional ones at any time: KDE, GNOME, Unity, LXDE, XFCE, Enlightenment.

You can customize your desktop far more easily, and far more extensively, than Windows.

Where can I get Linux?

There is a website that lists many Linux (and UNIX) distributions at

Is Linux difficult to install?

Linux is really easy to install; there is a graphical installation guide that takes you step by step through the installation process.

Linux needs some time and effort to learn, but it is not difficult to achieve; if you have questions, each Linux distribution has a community to help you get started.
All that free of charge.

Note: I do not own the images used in this post !!!!

Monday, 15 October 2012

Vlan Maps

Using Vlan Maps

VLAN maps are used to filter or redirect traffic within a VLAN, giving you more granular control over the traffic.

Steps needed to configure a VLAN map

  1. Determine what you want to accomplish: it is vital to know what you want to achieve prior to the configuration; that can save you lots of headaches in the actual implementation.
  2. Write an access list: the kind of access list you use depends on what you want to do. The most common are IP access lists: if you only want to match the source IP address a standard access list is sufficient; for protocol filtering use an extended access list. Keep in mind that the access list permits the traffic you want to manipulate.
  3. Create a VLAN map: this is where you use your access list to match the traffic you want to handle and set an action for that traffic. Keep in mind that a VLAN map works similarly to route maps and access lists: by default it discards traffic that does not match any entry, so be sure to allow the traffic that needs to traverse your VLAN.
  4. Apply the VLAN map to a VLAN: here you apply your VLAN map to one VLAN or a list of VLANs. The VLAN map will not work unless applied to a VLAN.


Your company policy states that telnet traffic should not be allowed on VLAN 10 for security purposes; all other traffic should be allowed.

Here you get to configure a VLAN map to meet the requirements:

(step 1) Objectives: telnet traffic should be restricted for all hosts in VLAN 10,
so we need an extended access list to match telnet traffic;
a VLAN map name: we will name it "NO_TELNET";
we must ensure that other traffic will be allowed;
we will apply our VLAN map to VLAN 10.

(step 2) Implementation : 

SwitchABC(config)#access-list 101 permit tcp any any eq telnet
// here we created an access list that permits the traffic we want to filter
SwitchABC(config)#vlan access-map NO_TELNET 10
// we have created the vlan map (sequence 10)
SwitchABC(config-access-map)#match ip address 101
// we are using the access list we created before
SwitchABC(config-access-map)#action drop
// anything that matches the access list will be dropped
SwitchABC(config-access-map)#vlan access-map NO_TELNET 20
// sequence 20 has no match statement, so it matches everything
SwitchABC(config-access-map)#action forward
// based on the action we have set, all other traffic will be allowed
SwitchABC(config-access-map)#exit
SwitchABC(config)#vlan filter NO_TELNET vlan-list 10
// now we have applied the vlan map to vlan 10. And our job is done :)
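As an added example (not part of the original post), here is a small Python simulation of how the switch evaluates the NO_TELNET map: ACL 101 is walked first-match-wins with an implicit deny, the map sequences are tried in order with an implicit drop at the end, and the same map is evaluated once more with sequence 20 left out to show why the catch-all forward entry is needed. The sample packets are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

TELNET = 23
HTTP = 80


@dataclass
class Ace:
    """One entry of an extended IP access list (only the fields this example needs)."""
    permit: bool
    proto: str                      # "ip", "tcp" or "udp"
    dst_port: Optional[int] = None  # "eq <port>"; None means any port


@dataclass
class AccessList:
    number: int
    entries: List[Ace]

    def permits(self, pkt):
        """ACL evaluation: first matching entry wins; implicit deny at the end."""
        for ace in self.entries:
            if ace.proto != "ip" and ace.proto != pkt["proto"]:
                continue
            if ace.dst_port is not None and ace.dst_port != pkt.get("dst_port"):
                continue
            return ace.permit
        return False


@dataclass
class MapEntry:
    seq: int
    action: str                       # "drop" or "forward"
    acl: Optional[AccessList] = None  # None: no "match" clause, matches all traffic


def evaluate_vlan_map(entries, pkt):
    """Sequences are tried in order; the first one whose ACL permits the packet
    decides the action. A packet matched by no sequence is dropped (implicit drop)."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.acl is None or entry.acl.permits(pkt):
            return entry.action
    return "drop"


# The NO_TELNET map from the post, as configured on SwitchABC.
ACL_101 = AccessList(101, [Ace(permit=True, proto="tcp", dst_port=TELNET)])
NO_TELNET = [
    MapEntry(10, "drop", ACL_101),   # vlan access-map NO_TELNET 10 / match ip address 101 / action drop
    MapEntry(20, "forward"),         # vlan access-map NO_TELNET 20 / action forward
]
# The same map with the catch-all sequence 20 forgotten (the mistake step 3 warns about).
NO_TELNET_WITHOUT_SEQ20 = NO_TELNET[:1]

# Constructed sample traffic on vlan 10.
TELNET_PKT = {"proto": "tcp", "dst_port": TELNET}
HTTP_PKT = {"proto": "tcp", "dst_port": HTTP}
DNS_PKT = {"proto": "udp", "dst_port": 53}


def verify_policy(vlan_map):
    """Return {traffic: action} for the sample traffic under the given map."""
    return {
        "telnet": evaluate_vlan_map(vlan_map, TELNET_PKT),
        "http": evaluate_vlan_map(vlan_map, HTTP_PKT),
        "dns": evaluate_vlan_map(vlan_map, DNS_PKT),
    }


if __name__ == "__main__":
    print("with sequence 20:   ", verify_policy(NO_TELNET))
    print("without sequence 20:", verify_policy(NO_TELNET_WITHOUT_SEQ20))
```

Without sequence 20 every non-telnet packet falls off the end of the map and hits the implicit drop, which is the outage step 3 tells you to avoid.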

Saturday, 13 October 2012

Basic DHCP Configuration

DHCP is the dominant way of providing end-user devices with the information required to connect to your network.

In small or midsize environments DHCP is usually provided by the ISR router.

Steps needed to deploy DHCP

  1. Define which addresses are going to be excluded.
  2. Statically configure addresses on servers and on any device that needs a specific IP address.
  3. Configure your router as a DHCP relay if a dedicated DHCP server is used, or enable the DHCP service on your router to act as a DHCP server.

Configuring a DHCP Relay Agent

In case your network has a dedicated platform that provides DHCP services, you should configure the following command on the interface that is the hosts' default gateway: ip helper-address address

If your DHCP server has the address then you should type:

Router(config-if)# ip helper-address 

Configuring a DHCP Server on a Cisco Router

Router(config)# ip dhcp excluded-address 
// excludes the addresses - from being assigned to hosts
Router(config)# ip dhcp pool DHCP1
// creates a DHCP pool named DHCP1
Router(dhcp-config)# network 
// defines the network that is going to be used to provide addresses; here it will use the /24 subnet
Router(dhcp-config)# default-router 
// the default gateway is 
Router(dhcp-config)# dns-server 
// the DNS server is


The previous commands have this effect:
  • addresses - .9 are not assigned to hosts
  • the network range is /24
  • the gateway is
  • the DNS server is

Caution: in order for the DHCP service to operate you must have configured a router interface with an address from the /24 subnet, usually the default gateway address /24.
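As an added example (not part of the original post), the following Python model shows the effect of the commands above: excluded addresses are never handed out, each client gets the next free host address together with the pool's gateway and DNS, and the pool stays silent unless a router interface sits in its subnet (the caution above). The addresses are constructed placeholders from the documentation range, since the post's own values did not survive.

```python
import ipaddress

# Constructed values: a /24 from the documentation range, .1-.9 reserved
# for the gateway, servers and other statically addressed devices.
POOL_NETWORK = "192.0.2.0/24"                 # network 192.0.2.0 255.255.255.0
EXCLUDED_RANGE = ("192.0.2.1", "192.0.2.9")   # ip dhcp excluded-address 192.0.2.1 192.0.2.9
GATEWAY = "192.0.2.1"                         # default-router 192.0.2.1
DNS = "192.0.2.2"                             # dns-server 192.0.2.2


class DhcpPool:
    """A tiny model of an IOS DHCP pool: excluded ranges, leases and the interface rule."""

    def __init__(self, name, network, gateway, dns):
        self.name = name
        self.network = ipaddress.ip_network(network)
        self.gateway = ipaddress.ip_address(gateway)
        self.dns = ipaddress.ip_address(dns)
        self.excluded = set()
        self.leases = {}  # client MAC -> address

    def exclude(self, low, high):
        """ip dhcp excluded-address <low> <high>: never hand out these addresses."""
        lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
        for n in range(int(lo), int(hi) + 1):
            self.excluded.add(ipaddress.ip_address(n))

    def serves(self, interface_addresses):
        """The caution above: the pool is only used when one of the router's
        interfaces has an address inside the pool's subnet."""
        return any(ipaddress.ip_interface(a).ip in self.network for a in interface_addresses)

    def offer(self, client_mac, interface_addresses):
        """Return the lease a client would get, or None if nothing can be offered."""
        if not self.serves(interface_addresses):
            return None
        if client_mac not in self.leases:
            in_use = set(self.leases.values())
            free = next((h for h in self.network.hosts()
                         if h not in self.excluded and h not in in_use), None)
            if free is None:
                return None  # pool exhausted
            self.leases[client_mac] = free
        return {"address": str(self.leases[client_mac]),
                "gateway": str(self.gateway), "dns": str(self.dns)}


def build_pool():
    """Pool DHCP1 configured with the constructed values above."""
    pool = DhcpPool("DHCP1", POOL_NETWORK, GATEWAY, DNS)
    pool.exclude(*EXCLUDED_RANGE)
    return pool


if __name__ == "__main__":
    pool = build_pool()
    print(pool.offer("aaaa.bbbb.0001", ["192.0.2.1/24"]))   # first free host: .10
    print(pool.offer("aaaa.bbbb.0002", ["198.51.100.1/24"]))  # wrong subnet on the interface: None
```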

Saturday, 29 September 2012

Implementing Basic Cisco Switch Security Part 2

DHCP Snooping

Rogue DHCP servers are most often used to hand out fake gateway information to users, pointing them to the attacker's device or to a compromised host.

DHCP Snooping has two port modes:
  • Trusted: a port that has a DHCP server connected, so DHCP replies are allowed.
  • Untrusted (default): a port that has no DHCP server attached; DHCP server replies arriving here are dropped.

DHCP Snooping is very easy to configure: all you have to do is enable it in global configuration mode, list the VLANs it should protect, and define which ports are trusted (ports that have a legitimate DHCP server connected); by default all ports are untrusted.

switch(config)# ip dhcp snooping  // enables dhcp snooping globally
switch(config)# ip dhcp snooping vlan 10  // snooping only runs on the VLANs you list here
switch(config-if)# ip dhcp snooping trust  // sets the port to trusted mode

Dynamic ARP Inspection ( DAI )

DAI mitigates ARP poisoning attacks, in which the attacker sends unsolicited ARP messages claiming that the default gateway's MAC address is the attacker's layer 2 address, forcing the users of the network to send packets intended for the gateway (packets for another subnet) through the attacker.

Before you can enable DAI, the DHCP Snooping feature must be enabled first, because DAI validates ARP packets against the DHCP snooping binding table.
DAI also uses trusted and untrusted ports; ports to other switches should be trusted.
switch(config)# ip arp inspection vlan 10  // enables DAI for vlan 10
// for the interfaces that are connected to other switches
switch(config-if)# ip arp inspection trust  // sets the interface as trusted (DAI does not inspect its traffic)
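As an added example (not part of the original post), this Python model ties the two features above together: server-side DHCP messages are only accepted on trusted ports, completed exchanges populate the snooping binding table, and DAI drops ARP packets on untrusted ports whose sender MAC/IP pair is not in that table. Port names, MACs and addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

DHCP_SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class Switch:
    dhcp_snooping_vlans: Set[int] = field(default_factory=set)  # ip dhcp snooping vlan N
    dai_vlans: Set[int] = field(default_factory=set)            # ip arp inspection vlan N
    trusted_ports: Set[str] = field(default_factory=set)        # ip dhcp snooping trust / ip arp inspection trust
    bindings: Dict[str, Tuple[str, int, str]] = field(default_factory=dict)  # mac -> (ip, vlan, port)
    pending: Dict[str, Tuple[int, str]] = field(default_factory=dict)        # mac -> (vlan, port) of a client request
    log: List[str] = field(default_factory=list)

    def dhcp(self, port, vlan, msg_type, client_mac, yiaddr=None):
        """Forward or drop a DHCP message; learn bindings from completed exchanges."""
        if vlan not in self.dhcp_snooping_vlans:
            return "forward"
        if msg_type in DHCP_SERVER_MSGS:
            if port not in self.trusted_ports:
                self.log.append(f"DHCP {msg_type} from untrusted port {port} dropped (rogue server?)")
                return "drop"
            if msg_type == "ACK" and client_mac in self.pending:
                cvlan, cport = self.pending.pop(client_mac)
                self.bindings[client_mac] = (yiaddr, cvlan, cport)
        else:  # DISCOVER / REQUEST from a client: remember where the client lives
            self.pending[client_mac] = (vlan, port)
        return "forward"

    def arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: on untrusted ports the sender MAC/IP pair must match a snooping binding."""
        if vlan not in self.dai_vlans or port in self.trusted_ports:
            return "forward"
        bound = self.bindings.get(sender_mac)
        if bound is None or bound[0] != sender_ip or bound[1] != vlan:
            self.log.append(f"ARP from {sender_mac} claiming {sender_ip} on {port} dropped (invalid binding)")
            return "drop"
        return "forward"


def demo():
    """Constructed scenario: legit DHCP server behind Gi0/24 (trusted), client on
    Fa0/1, attacker on Fa0/2, all in vlan 10. Returns the verdict for each event."""
    sw = Switch(dhcp_snooping_vlans={10}, dai_vlans={10}, trusted_ports={"Gi0/24"})
    results = {}
    results["rogue_offer"] = sw.dhcp("Fa0/2", 10, "OFFER", "0000.0000.0001", "10.0.10.50")
    results["client_discover"] = sw.dhcp("Fa0/1", 10, "DISCOVER", "0000.0000.0001")
    results["server_offer"] = sw.dhcp("Gi0/24", 10, "OFFER", "0000.0000.0001", "10.0.10.50")
    results["client_request"] = sw.dhcp("Fa0/1", 10, "REQUEST", "0000.0000.0001")
    results["server_ack"] = sw.dhcp("Gi0/24", 10, "ACK", "0000.0000.0001", "10.0.10.50")
    results["client_arp"] = sw.arp("Fa0/1", 10, "0000.0000.0001", "10.0.10.50")
    # attacker on Fa0/2 claims the gateway's address 10.0.10.1
    results["spoofed_gateway_arp"] = sw.arp("Fa0/2", 10, "0000.0000.0bad", "10.0.10.1")
    # trusted uplink is left alone by DAI
    results["uplink_arp"] = sw.arp("Gi0/24", 10, "0000.0000.0002", "10.0.10.1")
    return results, sw


if __name__ == "__main__":
    verdicts, sw = demo()
    for event, verdict in verdicts.items():
        print(f"{event:22} {verdict}")
    print("\n".join(sw.log))
```

The dependency the post mentions is visible in the model: `arp()` has nothing to compare against until `dhcp()` has seen a full DISCOVER/REQUEST/ACK exchange, which is why DHCP snooping must be on before DAI can do anything useful (statically addressed hosts need ARP ACLs or static bindings, which this model does not cover).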


Spanning Tree attacks

Spanning tree is used in our networks to prevent layer 2 loops, but an attacker can leverage this protocol for eavesdropping, MiTM attacks and more.

The attacker can connect a rogue switch configured with a low bridge ID (priority) to force a spanning tree election; the attacker's switch becomes the root bridge of your network and traffic flows through the rogue device, allowing attacks to be executed. The attacker can also perform this kind of attack from a computer using a penetration testing tool, e.g. Yersinia.

For better security, unused ports should:
  • operate in access mode, assigned to a bogus VLAN (blackhole VLAN)
  • be shut down
  • have negotiation turned off using the nonegotiate command under interface configuration

Note: there are more features concerning the topics covered; this article presents the basic functions only.

Wednesday, 26 September 2012

Implementing Basic Cisco Switch Security Part 1

Since many easy-to-use security auditing tools are available to individuals with hostile intentions, security has become a vital part of computer networks.

The most common and easiest to pull off Man-in-the-Middle attacks are:

  • ARP Poisoning
  • DHCP Spoofing
  • MAC Flooding

Those attacks are popular because:
the attacker intercepts traffic and usually forwards it on to the right destination, while gleaning any information that can be used for further attacks or to steal data such as voice over IP conversations, passwords and much more.

It is not uncommon for the attacker to place a rogue device on the network to assist his/her purpose.

Preventing the attacker:

Fortunately Cisco switches have ready-to-use tools to help you secure your network:
  • Port security: use it to prevent MAC flooding and rogue device placement.
  • Dynamic ARP Inspection: prevents ARP poisoning.
  • DHCP Snooping: protects against rogue DHCP servers.

Network Devices Management:

Alas, without secure device management anything you do to protect your network will be in vain.
  • Avoid using telnet and HTTP to manage your devices; use SSH and HTTPS instead.
  • Use strong passwords.
  • If possible, use VPNs to secure management traffic.
  • Management traffic should be on a separate network/VLAN.

Port security :

This feature allows you to set who (by MAC address) and how many devices can connect to a switch port.
By default, if you enable port security it allows one device on the port, and if another device connects to that port (e.g. through a hub or a switch) the port shuts down to prevent the attacker from using it.
Port security is effective against MAC flooding attacks and prevents rogue devices from connecting to your network.

Port security has 3 violation modes:
  • Shutdown (default): the port shuts down (it goes err-disabled and stays down until an administrator re-enables it), can send an SNMP trap, creates a syslog message and increments the violation counter.
  • Restrict: the port drops any packets from the rogue device, stays up, creates a syslog message and increments the violation counter.
  • Protect: similar to Restrict, but it does nothing to let you know there was a violation; the port stays up and silently drops the offending device's packets.

Configuring Port security

First you have to enable port security on the ports you want to protect:
switch# configure terminal
switch(config)# interface fa0/1
switch(config-if)# switchport mode access  // port security needs the port to be in access mode to function
switch(config-if)# switchport port-security  // this enables the feature
switch(config-if)# switchport port-security maximum 1  // allows one device on the port
switch(config-if)# switchport port-security violation shutdown  // sets the violation mode to shutdown

Remember to allow exactly as many devices as are connected to the port: if you set a maximum of 4, for example, you allow 4 devices to use that port simultaneously, and if you have fewer devices than that it makes your port security useless. The same applies in the opposite case: with more devices than the configured maximum the port will shut down or you will have connectivity problems.
If the devices do not change places on certain ports (they are not mobile) it is good practice to hard-code the device's MAC address in port security:
switch(config-if)# switchport port-security mac-address 1a1a.11a1.a111
// 1a1a.11a1.a111 is an example of how to write the MAC address
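As an added example (not part of the original post), here is a Python model of a port with port security that plays the hub scenario described above under each of the three violation modes, so you can see which mode shuts the port, which one logs, and which one stays silent. The MAC from the post is used as the hard-coded secure address; the attacker MAC and the log text are constructed.

```python
class PortSecurity:
    """Model of switchport port-security with the three violation modes from the post."""

    MODES = ("shutdown", "restrict", "protect")

    def __init__(self, name, maximum=1, violation="shutdown", static_macs=()):
        if violation not in self.MODES:
            raise ValueError(f"unknown violation mode {violation!r}")
        self.name = name
        self.maximum = maximum                 # switchport port-security maximum N
        self.violation = violation             # switchport port-security violation MODE
        self.secure_macs = set(static_macs)    # switchport port-security mac-address H.H.H
        self.err_disabled = False              # port shut down by a violation
        self.violation_count = 0
        self.syslog = []
        self.snmp_traps = []

    def receive(self, src_mac):
        """Return 'forward' or 'drop' for a frame arriving with the given source MAC."""
        if self.err_disabled:
            return "drop"
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)      # dynamically learned secure address
            return "forward"
        return self._violation(src_mac)

    def _violation(self, src_mac):
        if self.violation == "protect":
            return "drop"   # silently dropped: no counter, no syslog, port stays up
        self.violation_count += 1
        # Constructed log line, not the exact IOS message text.
        self.syslog.append(f"port-security violation on {self.name} by {src_mac}")
        if self.violation == "shutdown":
            self.err_disabled = True
            self.snmp_traps.append(f"{self.name} err-disabled")
        return "drop"

    def clear_errdisable(self):
        """Administrator recovers the port (shutdown / no shutdown on the interface)."""
        self.err_disabled = False


def run_hub_scenario(mode):
    """Constructed scenario: the allowed PC sends a frame, an attacker plugs a hub in
    and sends from a second MAC, then the PC sends again. Returns what happened."""
    port = PortSecurity("Fa0/1", maximum=1, violation=mode,
                        static_macs={"1a1a.11a1.a111"})  # the hard-coded MAC from the post
    return {
        "pc": port.receive("1a1a.11a1.a111"),
        "attacker": port.receive("dead.beef.0001"),
        "pc_again": port.receive("1a1a.11a1.a111"),
        "violations": port.violation_count,
        "syslog_lines": len(port.syslog),
        "port_up": not port.err_disabled,
    }


if __name__ == "__main__":
    for mode in PortSecurity.MODES:
        print(f"{mode:9} {run_hub_scenario(mode)}")
```

The "pc_again" verdict is the trade-off the post describes: shutdown mode takes the legitimate PC offline along with the attacker until someone intervenes, restrict keeps the PC working and still tells you, and protect keeps the PC working but you will only notice the attempt by looking for it.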