Paul Stewart, CCIE 26009 (Security)

Author Archives: Paul Stewart, CCIE 26009 (Security)

Positioning an IT Conversation

About a  week ago, I took my wife’s van to the shop. The main issue was it was making a popping noise in the front end. I only observed the noise when steering sharply and the vehicle was in motion. Typically this occurred when parking. Although I was nearly certain this was an issue with a CV joint, I only told the mechanic about the symptoms we had observed.

The reason I didn’t lead the conversation to the CV joint is that I wanted the mechanic to look at the problem objectively. I knew he was the expert and I wanted him to solve the problem instead of replacing a part. In order to shift the responsibility, I needed the mechanic to diagnose the problem and create a plan of action.

Positioning IT Conversations to Solve Problems

At this point in my career, I have worked in various areas of technology. Over the years, I’ve had customers that tell me exactly what they think they need. In some cases, they’re correct. However, there are times that their solution does not fully solve the problem they are observing. On the other hand, some customers take a smarter approach and explain the problem they are trying to solve.

When Continue reading

Google and Cloudflare: Encrypting the WWW

A couple of months ago, Google announced that it had started using SSL as a factor in SEO ranking. Since the search giant is the referrer for most website traffic, this is the type of announcement that gets the attention of website owners.

Cloudflare, a popular and easy to implement Content Delivery Network, seems to be stepping up to this challenge. Even their free offering has an option to provide forward facing SSL services. As discussed on Packet Pushsers Priority Queue show 34, they are also modifying SSL in ways that allow them to provide services to organizations without the need to obtain the site owner’s private keys. The likely result of the offering is that many existing and many new Cloudflare customers will take advantage of their SSL services.

Paul’s Take–I think Google’s announcement, combined with Cloudflare’s SSL offerings, will result in a significant increase of SSL encrypted traffic. This will have an interesting effect on how organizations do security. Traditionally, there has been a lower (but increasing) ratio of https to http traffic. Scanning SSL traffic, for troubleshooting or security, is significantly more challenging than its clear text counterpart.

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. Continue reading

Vulnerable OMA-DM Implementations and Over the Air Hacks

Earlier today, I was listening to Risky Business show #341. In this show Matt Solnik discussed vulnerabilities that he attempted to share at BlackHat. I say attempted, because it sounds like they may have had some issues with audio/video during critical times of the presentation. Nonetheless, it seems like there are many vulnerable implementations of the open mobile administration device management (OMA-DM). I took a minute to dig up some of the videos published by Accuvant that makes this stuff real.

Over the Air Code Execution and Jailbreak

NIA-Based Lock Screen Bypass

External Links

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.

Readers of this article may also enjoy:

  1. Brocade at Networking Field Day 7
  2. Avaya at Networking Field Day 7
  3. Pluribus Networks at Networking Field Day 7
  4. Dell at Networking Field Day 7
  5. Y.M.C.A er O.S.P.V

The post Vulnerable OMA-DM Implementations and Over the Air Hacks appeared first on PacketU.

Using Ping Sweep to Find MTU Ceiling

Earlier this week I had breakfast with a very interesting group. One of those present had an extensive history with Cisco systems. We talked about his tenure and several of the projects that he had been involved in. For some reason, one that caught my attention was the sweep option that we find in the extended Ping utility. Although it is hard to believe, there was a point in time that this gem didn’t exist.

I’ve written a few articles about the challenges of path MTU discovery and the issues that arise when it misbehaves. Today’s article looks specifically at using a ping sweep and how it can be used to quickly identifying the path MTU ceiling. The topology used for testing is simple and shown below. Notice that the two top routers are connected by a link with a lowered MTU (1492).

Ping Sweep MTU Discovery

Let’s step through the process that an administrator might go through when a networked application isn’t working correctly. He or she would likely determine the endpoints and confirm reachability. For this example, I am testing a connection between 192.168.1.1 and 192.168.4.4. The ping command is the tool of choice for confirming reachability.

Basic Continue reading

Classic IOS as a DNS Server

There is an occasional need for a DNS server in the absence of a dedicated host. This may occur in the following situations–

  • Using PAT, Public DNS may return a non-RFC1918 address for internal server
  • Lab/Demo Environment
  • Other Name Resolution challenges in SOHO, SMB or Branch Office

When these corner-case challenges present, an IOS router may be beneficial by providing basic DNS functions. Assuming the router already has Internet connectivity, the configuration is straightforward–

//enable the dns server functionality
IOS-DNS(config)#ip dns server 

//if public requests should be resolved, configure one or more name
//servers as resolvers and confirm domain-lookups are enabled
IOS-DNS(config)#ip name-server 8.8.8.8 8.8.4.4
IOS-DNS(config)#ip domain-lookup

At this point the router should perform DNS resolution by relaying requests to the public name servers in the configuration. Hosts could use any IP address on the device in their DNS configuration. ACLs should be used to block DNS requests to interfaces that aren’t servicing clients.

To create DNS records for local resolution, the ip host command can be used.

IOS-DNS(config)#ip host ?
  WORD  Name of host
  view  Specify view
  vrf   Specify VRF

IOS-DNS(config)#ip host www.example.com ?
     Default telnet port number
  A.B.C.D     Host IP address
  additional  Append addresses
  mx          Configure a  Continue reading

IP Subnetting Part 5: Subnetting Across the Octet Boundary

Throughout this series, we have examined several fundamental building blocks of subnetting. In IP Subnetting Part 4, we looked at what was required to subnet a Class C network. This article takes the fundamentals one step further and looks at subnetting a Class A address. We will also add the complexity of crossing octet the octet boundary for both the subnet and the host portions of the address.

A Class A IP address has the following characteristics–

  • I’s first octet begins with binary 0…….
  • The first Octet will be in the range of 1 to 63 (0 is invalid)
  • The first Octet (leftmost) represent the Network
  • The last three Octets (rightmost) represents a Host on a network

You will also recall that a single network can be subnetting into multiple, smaller networks.

Using a consistent syntax, we could represent a Class A network as follows.

10.0.0.0

In this example--

Green represents the Classful Network
Blue represents the Host address

10.0.0.0 is would be a Network based on the fact that the host portion is 0.0.0. This is literally zero. Had the address been 10.0.0.1, 10.0.1.0 or 10.1.0.0 Continue reading

Using NVI to Allow Internal Hosts to Connect to Public Addresses of Hosted Servers

IP NAT is a very common configuration. One of the challenges that sometimes surfaces is the need for internal hosts to connect to the public address of a locally hosted server. Anyone who has tried to configure something like the following has likely faced this issue.

IP NAT ExampleIn this example, the top of the diagram represents the outside (Internet, ISP, or External Server), the left represents the DMZ area, and the bottom represents the inside. The goal is to enable dynamic port address translation for internal hosts and static port address translation for the host or hosts found in the DMZ area.

This configuration is fairly straightforward and typically covered in the CCNA curriculum. This includes identifying each interface as inside or outside and configuring the appropriate nat statements.

R1 Configuration

interface FastEthernet1/0
 description To INSIDE
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet1/1
 description To ACME WWW
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
interface FastEthernet1/2
 description To OUTSIDE
 ip address 192.0.2.100 255.255.255.0
 ip nat outside
!
ip nat inside source list 1 interface FastEthernet1/2 overload
ip nat inside source static tcp 192.168. Continue reading

Getting the Sourcefire Firepower VM working Inline

The Sourcefire NGIPS/NGFW solution is a way to quickly get some interesting information about traffic on a network. One of the things I like about the solution is that actionable information is almost immediately available after deployment.

Sourcefire Screenshot

There are five deployment modes for a Sourcefire Firepower appliance:

  • Routed
  • Switched
  • Hybrid
  • Inline
  • Passive

Passive and inline modes are the two deployment options for the Virtual versions of the Firepower appliances. Inline mode provides significant advantages over simple passive monitoring. Inline mode allows the appliance to block offending traffic or communications that violates the configured policy. Following the installation guide is straightforward and should allow a security engineer to quickly get this solution up and running.

The first time I ran through this process, I couldn’t get traffic to flow through the inline appliance. After struggling a while, I reconfigured the device into passive mode and spanned some traffic over to it. At first I didn’t see any statistics. After realizing that I also needed to configure VMWare to accept promiscuous mode, I quickly started getting interesting information in the Firesight dashboard.

At this point, a thought occurred to me. What if the Firepower appliance had no layer 2 hooks and forwarded traffic that blindly Continue reading

IP Subnetting Part 4: Subnetting a Class C Network

At this point in the PacketU subnetting series, we have worked through the following–

This article takes the concept of subnetting to the next step. Today we are going to look at the concepts required to subnet a Class C network. As we reflect on the Classful IP rules, we recall that a Class C network has the following characteristics–

  • First octet begins with binary 110…..
  • The first Octet will be in the range of 192 to 223
  • The first three (three leftmost) octets represent a Network
  • The last octet (rightmost) Octet represents a Host on a network

We also know that this single IP network can be further subdivided into multiple, but smaller, networks. This process is known as subnetting.

Continuing with the syntax used in previous articles, we might represent a Class C Network as follows–

192.168.100.0

In this example--

Blue  represents a Classful Network
Green represents a Host address

In this case the host address value is 0, so only the network is being represented here. Based on this information, we only have one IP network that can be assigned. That one network could Continue reading

Useful Links — Cisco Quicklinks

I just wanted to take a quick moment to share a site Dan DeBusschere has created. This site is a list of very useful config snippets, information and links. Most of the content is focused on Datacenter and UCS. If you support this type of environment, check it out.

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart.  This may or may not reflect the position of past, present or future employers. 

No related content found.

The post Useful Links — Cisco Quicklinks appeared first on PacketU.

Joining the Cisco Team

HeadShots-10pToday was a bittersweet day for me. It was my final day working with a great group of people at a prominent community bank. I have nothing but good things to say about the people, the organization, and the interesting projects I’ve been involved in. I’ll miss everyone a lot and plan to stay in touch.

Tomorrow I begin a new role as a Systems Engineer at Cisco Systems. I will be working with the SLED (public sector) sales team in Kentucky and West Virginia. In this role I hope to broaden my knowledge of networking components and spend time helping customers better position their technology infrastructures.

What this means for me–

I will be aggressively learning the Cisco Product lines, including areas that I previously had less exposure to. I will take advantage of the resources I have and marry my vision of the changing network industry to the components Cisco positions into higher education environments. My intentions include better understanding the roadmap and technical details as they pertain to the integration path from traditional networking to software defined approaches.

But what about…

As long time PacketU readers know, I have written positive and negative articles about many vendors. All vendors have their strengths and weaknesses. We regularly see them Continue reading

Podcast Spotlight — Software Gone Wild

Bright orange RSS icon

Today’s podcast spotlight goes to Software Gone Wild. This is a newer podcast hosted by our friend Ivan Pepelnjak. The topics are focused on the growing pains the networking industry is experiencing and various forms of automation that are attempting to solve them. This includes various aspects of SDN, NFV and how others are using technology to deliver bigger/better/faster solutions.

Recent episodes include Network Automation @ Spotify and The F-Script with my good friend John Herbert.

Links

Disclaimer: I have no affiliation with the Software Gone Wild podcast or any organization linked to,  represented in or derived from content found in this article. This article represents my own opinions and may not be that of my employer.

 

Readers of this article may also enjoy:

  1. Podcast Spotlight — The Class-C Block
  2. Podcast Spotlight — The IPv6 Show
  3. Using IPvFoo to Determine IPv4 and IPv6 Site Connections
  4. Defining Cisco’s onePK
  5. Did You Say SDN?

The post Podcast Spotlight — Software Gone Wild appeared first on PacketU.

Recognizing IP MTU Issues

At some point, Network engineers will likely face some type of issue with MTU or maximum transmittable unit. Their first experience with this may be an eye opening and time consuming effort. After resolving the issue, those with a thirst for knowledge will take the necessary time to understand the issue.

MTU problems are most often seen when Path MTU Discovery, or PMTUD, fails to function. This is the process by which one end host determines the largest possible packet size to another station on the network. Symptoms of this type of issue include two devices having proven reachability, but applications fail to work in a way that indicates a network issue. Some applications may even crash or hang the system.

Symptoms of PMTUD Failure

  • Hosts may be able to ping one another
  • Service/Port may prove accessible using telnet
  • Severe and persistent application issues
  • Partial page loads
  • Either host appearing to hang

Understanding IP MTU

To understand the problems of Path MTU Discovery, it is first necessary to understand how MTU relates to the conversation. MTU, or maximum transmittable unit, is the maximum chunk of data that a given interface can transmit. The type of data receiving our attention is IP Continue reading

Explanation: TunnelX temporarily disabled due to recursive routing

I wanted to take a few minutes to share a scenario that some seem to struggle with. This scenario is a routing issue that sometimes occurs when an interior routing protocol allows routes to leak back through a tunnel. To demonstrate this, I’ve built a lab with three routers. R1 and R3 are participating in EIGRP and have a GRE tunnel configured directly between them.

Topology

TunnelRecurse

 

Router Configurations

R1

hostname R1
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
!
interface Tunnel0
 ip address 192.168.13.1 255.255.255.0
 tunnel source 192.168.12.1
 tunnel destination 192.168.23.3
!
router eigrp 1
 network 192.168.0.0 0.0.255.255
!
ip route 0.0.0.0 0.0.0.0 192.168.12.2

R2 (hub)

hostname R2
!
interface FastEthernet0/1
 ip address 192.168.12.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.23.2 255.255.255.0
!

R3

hostname R3
!
interface FastEthernet0/1
 ip address 192.168.23.3 255.255.255.0
!
interface Tunnel0
 ip address 192.168.13.3 255.255.255.0
 tunnel source 192.168.23.3
 tunnel destination 192.168.12. Continue reading

IP Subnetting Part 3: Understanding the Binary

I’ve often stated how simple subnetting really is. While each individual concept is rather simple, it is the combination that make the holistic process challenging. If we, as humans, could look at the process more like computers and network devices, subnetting would be a much simpler process. In short, some knowledge of binary is an important requirement prior to sharing more complex subnetting examples.

This article will demonstrate the process of converting binary to and from the more familiar decimal numbering system. This will establish the necessary baseline knowledge required to understand when applying subnet masks to IP addresses. The first question we need to answer is–

What is Binary?

Binary, also known as base-2, is a numbering system in which each position only has two possible values. We often represent one possible value as zero and the other possible value as one. Alternatively, it could be represented many other ways including: positive and negative voltage, black and white colors, voltage and no voltage present, or null and not null. This simplicity in representation is what makes the system so advantageous for a computer’s limited discreet capabilities.

In this article, we will represent binary digits using either a one or a Continue reading

Using Cisco’s DevNet “All-in-One VM” as a Free Router Lab

I know many have been [not so patiently] waiting for the arrival of a Cisco virtual lab. Although I haven’t heard any official release date for VIRL or CML, there is a small scale virtual router lab available today. This lab is the All-in-One Virtual Machine made available on the Cisco DevNet site.

While not a comprehensive lab, it is a quick and easy way to get some real command line experience or test smaller layer 3 challenges. This VM includes 3 routers with a total of 10 routed interfaces in use. There is no access to layer 2, so the topology can only be manipulated by shutting down interfaces on the routers.

Allinonetopo

Using the DevNet All-in-One Virtual Machine

  1. Download the OVA File
  2. Import into VMWare
  3. Launch the Virtual Machine
  4. Set Passwords
  5. Access the Routers

This product downloads as an OVA file. The file is easily imported into VMWare. In my case, I used VMWare Fusion running on OSX. Once downloaded and imported, the VM is launched like any other virtual machine. As it boots, you will notice that this is running in Ubuntu. The initial credentials are cisco/cisco123 and the operating will prompt to change the password.

AllInOneDesktopOnce installed and logged in, you will be Continue reading

Asking for Clarity

Confusion ThumbI have a lot of discussions with vendors, peers and other friends in the business. One of the things that I find challenging is the nuances with the language of technology. Our conversations include things like traffic flow, NAT, SDN, Cloud and many of the other industry buzzwords. Our use of terminology often has different meanings to different people (and in different contexts).

While I don’t fully subscribe to the, There is no bad question philosophy, I believe questions should be asked liberally. The only questions I hate to hear are from those trying to prove their [superior] knowledge. Beyond that, individual research can help with the learning process. However, everyone should have the confidence to ask those questions necessary to grasp the conversation at hand. More than likely others will benefit from the clarification as well.

No related content found.

The post Asking for Clarity appeared first on PacketU.

Community Spotlight — PacketLife.net

Community SpotlightI’ve been reading articles by Jeremy Stretch for several years now. His site, PacketLife.net, may be best know for the useful cheat sheets that cover everything from IGP routing protocols to Wireshark Display filters. This site doesn’t end with cheat sheets. It also has many useful articles about all things networking. So if you’re looking for a site to add to you feedreader, check it out.

Links

Disclaimer–I continually get requests for a list of the blogs, podcasts and people I follow to “keep up” in this industry. As a result, I decided to start publishing some of the blogs I regularly read. Links to other content from PacketU or affiliated social channels should not be thought of as a universal endorsement or indication of independence or neutrality for a given external site. Readers should assess ALL applicable content before proceeding with actions that could adversely affect their environment.

Readers of this article may also enjoy:

  1. Community Spotlight — Daniel’s Networking Blog
  2. Blog Spotlight — Cisco Inferno
  3. Blog Spotlight — The Peering Introvert — Ethan Banks abstracts networking with words
  4. Blog Spotlight — Colin McNamara — OpenStack Nerd, CCIE, DevOps Junkie

The post Continue reading

IP Subnetting Part 2: Simple Subnetting Examples

Subnetting is a foundational concept in IP networking. Although it is often misunderstood and even dreaded, this is a simple concept if we could look at things from the perspective of binary. However the combination of binary concepts, IP addressing and subnet masking is a lot to attempt to understand at once.

In this article, we will look at some simple examples that are meant to illustrate the process of IPv4 subnetting. This is not meant to be a comprehensive study. It is meant to build my previous subnetting article and should introduce only basic concepts. In future articles, we will delve into more complex and complete examples of IP subnetting.

In an earlier article, I outlined the concept of Classful IP Addressing. That knowledge is a fundamental starting point for the IP Subnetting discussed here. In that article, I outlined three classes of unicast IP addresses. The class an IP address belongs to determines what part of the address is the network and what part is the host. That assumption can be overridden when by applying a subnet mask to the configuration of a modern IP stack.

Example IP Addresses

Address           Class           Network           Continue reading

IP Subnetting Part 1: What is a Subnet?

We cover all sorts of different topics on this site. Today, we are starting a multipart series on subnetting. These concepts are fundamental building blocks for network administrators, engineers and architects. The subnetting topics outlined in this series should be well understood prior to moving into advanced design or configuration topics. Moreover, the underlying technical concepts of this subject should be understood prior to utilizing any shortcuts to calculate subnet addresses and useable address space.

So the question I ask today is–

What is a Subnet?

If I asked this as a multiple choice question, which one of the possible answers would you choose?

  1. In OSI terms, the layer under the network layer–also known as the data link layer.
  2. A subset of a Classful Network
  3. 255.255.255.192
  4. 192.168.1.0

If you chose answer B, you are correct. A subnet is a subset of a Classful Network. So the next logical question is, “What is a Classful Network?”

As we answer these questions, we will use “Classful Network” and Network interchangeable. As we move to discussions about subnets, we will explicitly address them as such.

Classful Networks, in TCP/IP terminology are outline in RFC791. It specifically states the following–

Addresses are fixed length of Continue reading

1 6 7 8 9