Saturday, October 13, 2007
Voip Book for Dummies
Paperback: 281 pages
Publisher: Wiley-VCH (May 30, 2006)
Language: German
ISBN-10: 3527702628
ISBN-13: 978-3527702626
Description: Put your phone system on your computer network and see the savings. See how to get started with VoIP, how it works, and why it saves you money. VoIP is techspeak for “voice over Internet protocol,” but it could spell “saving big bucks” for your business! Here’s where to get the scoop in plain English. Find out how VoIP can save you money, how voice communication travels online, and how to choose the best way to integrate your phone system with your network at home or at the office. Discover how to:
*Use VoIP for your business or home phone service
*Choose the best network type
*Set up VoIP on a wireless network
*Understand transports and services
*Demonstrate VoIP’s advantages to management
Download:
http://rs75.rapidshare.com/files/36593970/VoIP.rar
Saturday, September 1, 2007
Cisco Routers for the Desperate
The book quickly teaches readers about working with the Cisco command line, which is the entry path into router configuration, management, WAN connections, and even upgrading Cisco’s Internetwork Operating System (IOS). Chapter 5 on troubleshooting routers is the book’s most important section, and is the real reason behind buying the book in the first place. Focusing on the two primary problem areas for routers (crashes and/or network failure or slowness), the suggestions offered should ideally be incorporated into a disaster recovery procedure for router recovery. At 25 pages, Chapter 7 on redundancy with BGP and HSRP is the book’s lengthiest and most complex chapter, requiring a re-read to grok all the router concepts and blocks of capital letters (ARIN, ASN, BGP, HSRP, MRTG, and RADB). Nevertheless, once these initially cryptic concepts are understood, they not only make sense, they also bring an even deeper appreciation for the complexity that Cisco routers are capable of managing.
H.323 versus SIP: A Comparison
H.323 was designed with a good understanding of the requirements for multimedia communication over IP networks, including audio, video, and data conferencing. It defines an entire, unified system for performing these functions, leveraging the strengths of the IETF and ITU-T protocols.
As a result, it might be reasonable for users to expect about the same level of robustness and interoperability as is found on the PSTN today, although this admittedly varies across the globe.
H.323 was designed to scale to add new functionality. The most widely deployed use of H.323 is "Voice over IP" followed by "Videoconferencing", both of which are described in the H.323 specifications.
SIP was designed to set up a "session" between two points and to be a modular, flexible component of the Internet architecture. It has a loose concept of a call (that being a "session" with media streams), has no support for multimedia conferencing, and the integration of sometimes disparate standards is largely left up to each vendor.
As a result, SIP is now a 10-year-old protocol with a vast number of interoperability problems. While SIP has been successfully deployed in some environments, those are generally "closed" environments where the means of interoperability has been PSTN gateways.
Reliability
H.323 has defined a number of features to handle failure of intermediate network entities, including "alternate gatekeepers", "alternate endpoints", and a means of recovering from connection failures.
SIP has not defined procedures for handling device failure. If a proxy fails, the user agent detects this through timer expiration. It is the responsibility of the user-agent to send a re-INVITE to another proxy, leading to long delays in call establishment.
Message Definition
H.323: ASN.1, a standardized, extremely precise, easy-to-understand structural notation that is used by many other systems.
SIP: ABNF, or Augmented Backus-Naur Form, a syntactical notation. SIP uses the ABNF as defined in RFC 2234.
Message Encoding
H.323 encodes messages in a compact binary format that is suitable for narrowband and broadband connections. Messages are efficiently encoded and decoded by machines, with decoders widely available (e.g., Ethereal).
SIP messages are encoded in ASCII text format, suitable for humans to read. As a consequence, the messages are large and less suitable for networks where bandwidth, delay, and/or processing are a concern.
SIP messages get so large that they sometimes exceed the MTU size when going over WAN links, resulting in delays, packet loss, etc. As a result, effort has been made to binary encode SIP (e.g., RFC 3485 and RFC 3486).
Media Transport
H.323: RTP/RTCP, SRTP
SIP: RTP/RTCP, SRTP
Extensibility - Vendor Specific
H.323 is extended with non-standard features in such a way as to avoid conflicts between vendors. Globally unique identifiers prevent feature and data element collision.
SIP is extended by adding new header lines or message bodies that may be used by different vendors to serve different purposes, thus risking interoperability problems.
Extensibility - Standard
H.323 is extended by the standards community to add new features to H.323 in such a way as to not impact existing features. However, new revisions of H.323 are published periodically, which introduce new functionality that is mandatory, yet done in such a way as to preserve backward compatibility.
SIP is extended by the standards community to add new features to SIP in such a way as to not impact existing features. However, new revisions of SIP are potentially not backward compatible (e.g., RFC 3261 was not entirely compatible with RFC 2543). In addition, several extensions are "mandatory" in some implementations, which causes interoperability problems.
Scalability - Load Balancing
H.323 has the ability to load balance endpoints across a number of alternate gatekeepers in order to scale a local point of presence. In addition, endpoints report their available and total capacity so that calls going to a set of gateways, for example, may be best distributed across those gateways.
SIP has no notion of load balancing, except "trial and error" across pre-provisioned devices or devices learned from DNS SRV records. There is no means of detecting the load on a particular gateway or of knowing whether a device has failed, meaning that proxies simply have to try a PSTN gateway, wait for the call to time out, and then try another.
Scalability - Call Signaling
When an H.323 gatekeeper is used, it may simply provide address resolution through one RAS message exchange, or it may route all call signaling traffic. In large networks, the direct call model may be used so that endpoints connect directly to one another.
When using a SIP proxy to perform address resolution for the SIP device, the proxy is required to handle at least 3 full message exchanges for every call. In large networks, such as IMS networks, the number of messages on the wire may be excessive. A basic call between two users may require as many as 30 messages on the wire!
Scalability - Statelessness
An H.323 gatekeeper can be stateless using the direct call model.
A SIP proxy can be stateless if it does not fork, use TCP, or use multicast.
Scalability - Address Resolution
H.323 defines an interface between the endpoint and gatekeeper for address resolution using ARQ or LRQ. The H.323 gatekeeper may use any number of protocols to discover the destination address of the callee, including LRQs to other gatekeepers, Annex G/H.225.0, TRIP, ENUM, and/or DNS. The endpoint does not have to be concerned with the mechanics of this process, and the processing requirements for address resolution placed on the gatekeeper by H.323 are for just a single message exchange.
While SIP has no address-resolution protocol, per se, a SIP user agent may route its INVITE message through a proxy or redirect server in order to resolve addresses. The SIP proxy may use various protocols to discover the destination address of the callee, including TRIP, ENUM, and/or DNS. The endpoint does not have to be concerned with the mechanics of this process. Unfortunately, the processing requirements placed on the SIP proxy are higher than with H.323 because at least 3 message exchanges must take place between the SIP device, SIP proxy, and the next hop.
Addressing
Flexible addressing mechanisms, including URIs, e-mail addresses, and E.164 numbers.
H.323 supports these aliases:
E.164 dialed digits
generic H.323 ID
URL
transport address
email address
party number
mobile UIM
ISUP number
H.323 also supports overlap sending with no additional overhead, except conveyance of the newly received digits in a single message.
SIP only understands URI-style addresses. This works fine for SIP-SIP devices, but causes some confusion when trying to translate various dialed digits. The unofficial convention is that a "+" sign is inserted in the SIP URI (e.g., "sip:+18005551212@example.com") in order to indicate that the number is in E.164 format, versus a user ID that might be numeric.
SIP has support for overlapped signaling defined in RFC 3578, though each additional digit received requires transmission of three messages on the wire (a new INVITE, a 484 response to indicate that the address is incomplete, and an ACK).
Billing
Even with H.323's direct call model, the ability to successfully bill for the call is not lost because the endpoint reports to the gatekeeper the beginning and end time of the call via the RAS protocol. Various pieces of billing information may be present in the ARQ and DRQ messages at the start and end of the call.
If the SIP proxy wants to collect billing information, it has no choice but to stay in the call signaling path for the entire duration of the call so that it can detect when the call completes. Even then, the statistics are skewed because the call signaling may have been delayed. Otherwise, there is no mechanism in SIP to perform any accounting/billing function.
Call Setup
H.323: A call can be established in as few as 1.5 round trips using UDP:
Setup ->
<- Connect
Ack ->
Of course, more elaborate call establishment procedures may be required to negotiate complex capabilities, negotiate complex video modes, etc.
SIP: A call can be established in as few as 1.5 round trips using UDP:
INVITE ->
<- 200 OK
Ack ->
Most real-world flows are more complex, as they often pass through one or more proxy devices, have intermediary response messages, and "negotiate" capabilities through a "trial and error" process that is far from scientific.
Capability Negotiation
H.323 entities may exchange capabilities and negotiate which channels to open, including audio, video, and data channels. Individual channels may be opened and closed during the call without disrupting the other channels.
SIP entities have limited means of exchanging capabilities. RFC 3407 is the state of the art, which is more or less a "declaration" mechanism, not a negotiation procedure. The end result is still a "trial and error" approach in case the called party does not support the proposed media.
Call Forking
An H.323 gatekeeper can control the call signaling and may fork the call to any number of devices simultaneously.
SIP proxies can control the call signaling and may fork the call to any number of devices simultaneously.
PSTN Interworking
H.323 borrows from traditional PSTN protocols, e.g., Q.931, and is therefore well suited for PSTN integration. However, H.323 does not employ the PSTN's circuit-switched technology--like SIP, H.323 is completely packet-switched. How Media Gateway Controllers fit into the overall H.323 architecture is well-defined within the standard.
SIP has no commonality with the PSTN and such signaling must be "shoe-horned" into SIP. SIP has no architecture that describes the decomposition of the gateway into the Media Gateway Controller and the Media Gateways. This has been a recent study of 3GPP and others in the form of IMS. Presently, there are about 4 "IMS" variants: 3GPP, ITU NGN, 3GPP2, and PacketCable. Pick the architecture you like best, I suppose.
Services
H.323 Services may be provided to the endpoint through a web-browser interface using HTTP or a feature server using Megaco/H.248. In addition, services may be provided to an endpoint as it places a call, as a call arrives, or during the middle of a call by a gatekeeper or other entity that routes the call signaling. As a result, H.323 is well-suited to providing new services.
SIP devices can receive service from a SIP proxy as the endpoint places a call, as a call arrives, or during the middle of a call. There is no defined way within SIP of providing services via a web browser or a feature server, as everything is done within the context of a "session".
Video and Data Conferencing
H.323 fully supports video and data conferencing. Procedures are in place to provide control for the conference as well as lip synchronization of audio and video streams.
SIP has limited support for video and no support for data conferencing protocols like T.120. SIP has no protocol to control the conference and there is no mechanism within SIP for lip synchronization. There is no standard means of recovering from packet loss in a video stream (to parallel H.323's "video fast update" command).
Administrative Requirements
H.323 does not require a gatekeeper. A call can be made directly between two endpoints.
However, most devices do utilize a gatekeeper for the purpose of registration and address resolution.
SIP does not require a proxy. A call can be made directly between two user agents.
However, most devices do utilize a SIP proxy for the purpose of registration, address resolution, and call routing.
Codecs
H.323 supports any codec, standardized or proprietary. No registration authority is required to use any codec in H.323.
SIP supports any IANA-registered codec (as a legacy feature) or other codec whose name is mutually agreed upon.
Firewall/NAT support
H.323: Provided by H.323 "proxy" or by the endpoint, both in conjunction with a gatekeeper residing in the public network. Refer to H.460.17, H.460.18, and H.460.19.
SIP does not define a NAT/FW traversal mechanism, as this is left to other standards. Some standards that have been defined or are being defined are STUN, TURN, ANAT, and ICE. (All of this has been work in progress for years, with most workable solutions done by agreed convention.)
Transport protocol
H.323: Reliable or unreliable, e.g., TCP or UDP. Most H.323 entities use a reliable transport for signaling.
SIP: Reliable or unreliable, e.g., TCP or UDP. Most SIP entities use an unreliable transport for signaling.
Third-party Call Control
H.323: Yes, through third-party pause and re-routing, which is defined within H.323. More sophisticated control is defined by the related H.450.x series of standards.
SIP: Yes, through SIP as described in RFC 3
Conferencing Entity
H.323: Yes, an MC is required for this, but it could be co-located in a participating endpoint, or all endpoints could contain an MC. A stand-alone conference bridge may provide this functionality and H.323 has well-defined procedures for such entities.
SIP: No; however, SIP user agents may perform conferencing themselves. A stand-alone conference bridge may also provide this functionality.
Authentication
H.323: Yes, via H.235.
SIP: Yes, via HTTP (Digest and Basic), SSL, PGP, S/MIME, or various other means.
DTMF Carriage
H.323: Three ways, with the alphanumeric choice of the H.245 UserInputIndication message being the baseline carriage common to all H.323 endpoints.
SIP: Three ways. There is no baseline carriage, which presents issues of interoperability. However, transport of DTMF via the INFO method and RFC 2833 are most common.
Cisco CCNP Exam (640-604) Simulator 4.0.0
Download :
http://software.filefactory.com/Windows/Whizlabs_Cisco_CCNP_Exam_640-604_Simulator_4-0-0/Download.html
WinAgents RouterTweak 1.0.136.0
Knowing the principles of working with the command line interface of Cisco devices, you can use WinAgents RouterTweak to automate the most common tasks of network device administration. This approach saves your time by allowing you to hand over routine operations to the program. Here are some benefits you get by using WinAgents RouterTweak:
Reducing the time needed to connect to a device. Having specified the username and password for connecting to a device only once, you will not have to spend time on entering them again when you connect to your router next time. WinAgents RouterTweak will enter the account data itself and switch to the privileged mode if necessary.
Viewing the configuration of a device in a convenient form. Just click once to get the configuration of your device in a visual form. Syntax highlighting and the structure tree of the device configuration will allow you to quicker find your bearings among numerous configuration commands.
Increasing the speed of work with access control lists (ACL). WinAgents RouterTweak allows you to do without a TFTP server while editing access control lists. You can add, edit and remove commands located in the middle of ACLs. The program knows about the peculiarities of using the command line interface with Cisco access control lists and takes them into account while editing ACLs.
Usability in editing the configuration of devices. It is easier to edit configuration commands due to the context help system. While you are adding a new command to the configuration file, WinAgents RouterTweak requests its possible parameters from the device. In the process of editing commands, you see the list of available variants for each command all the time and can select one of them without entering the entire string.
Download :
http://software.filefactory.com/Windows/WinAgents_RouterTweak_1-0-136-0/Download.html
File Size
3.43 MB
VoIP Hacks Tips and Tools
*providing low-layer security in a VoIP environment
*employing IP hardphones, analog telephone adapters, and softPBX servers
*dealing with and avoiding the most common VoIP deployment mistakes
Cisco: A Beginner's Guide, Fourth Edition
CBT Cisco CCNA Vol.1 - Vol.3 CD
--------------------------------------------
All courses are distributed on CD-ROM so there is no need for an internet connection. Just install the courses to your personal computer or laptop and let the learning begin. All trainers are certified professionals with an average of 8-12 years of experience in their field.
Download CertExams Router Simulator 3.0
Download :
http://rapidshare.de/files/23870647/RoutSim.rar
http://depositfiles.com/files/322272
Password/Crack CCNA
Router Troubleshooting 2
Ans. You can delete the current startup configuration files and return the router to its factory default settings with the erase nvram: command:
Router1#erase nvram:
Erasing the nvram filesystem will remove all files! Continue? [confirm]
[OK]
Erase of nvram: complete
Router1#reload
System configuration has been modified. Save? [yes/no]: no
Proceed with reload? [confirm]
You can achieve the same result with the erase startup-config command:
Router1#erase startup-config
Erasing the nvram filesystem will remove all files! Continue? [confirm]
[OK]
Erase of nvram: complete
Router1#reload
Proceed with reload? [confirm]
Q.You want to upgrade the IOS image that your router uses.
Ans. The copy tftp command allows you to use TFTP to download a new IOS version into the router's Flash memory:
Router1#copy
Destination filename [c2600-ik9o3s-mz.122-12a.bin]?
Accessing
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing
device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...
erased
Erase of flash: complete
Loading c2600-ik9o3s-mz.122-12a.bin from 172.25.1.1 (via Fastethernet0/0.1): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![OK - 11135588 bytes]
Verifying checksum... OK (0xE643)
11135588 bytes copied in 82.236 secs (135410 bytes/sec)
Router1# reload
Proceed with reload? [confirm]
Q.You want to save a backup copy of your IOS image on a TFTP server.
Ans. You can upload a copy of your router's IOS image to a TFTP server with the following set of commands:
Freebsd% touch /tftpboot/c2600-ik9o3s-mz.122-12a.bin
Freebsd% chmod 666 /tftpboot/c2600-ik9o3s-mz.122-12a.bin
Freebsd% telnet Router1
Trying 172.25.1.5...
Connected to Router1.
Escape character is '^]'.
User Access Verification
Password:
Router1>en
Password:
Router1#copy flash:c2600-ik9o3s-mz.122-12a.bin tftp
Address or name of remote host [ ]? 172.25.1.1
Destination filename [c2600-ik9o3s-mz.122-12a.bin]?
Router1#
Q.You want to load an IOS image into your router through a serial connection to the console or AUX ports.
Ans. You can use the following set of commands to copy an IOS image onto a router through the console or the AUX port:
Router1#copy xmodem: slot1:
**** WARNING ****
x/ymodem is a slow transfer protocol limited to the current speed
settings of the auxiliary/console ports. The use of the auxilary
port for this download is strongly recommended.
During the course of the download no exec input/output will be available.
---- ******* ----
Proceed? [confirm]
Destination filename [ ]? c3620-ik9s-mz.122-12a.bin
Erase slot1: before copying? [confirm]
Use crc block checksumming? [confirm]
Max Retry Count [10]:
Perform image validation checks? [confirm]
Xmodem download using crc checksumming with image validation
Continue? [confirm]
Ready to receive file...........CC
4294967295 bytes copied in 1450.848 secs (1271445669961 bytes/sec)
Router1#
Q.You want to configure and monitor your router using a browser interface.
Ans. Cisco includes an HTTP server in the IOS. You can enable this feature on a router and then use any standard web browser instead of Telnet to access the router:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 75 permit 172.25.1.1
Router1(config)#access-list 75 deny any
Router1(config)#ip http server
Router1(config)#ip http access-class 75
Router1(config)#end
Router1#
Q.You want to set the router to automatically reload at a specified time.
Ans. You can set the router to reload after waiting a particular length of time with the reload in command:
Router1#reload in 20
Reload scheduled for 11:33:53 EST Sat Feb 1 2003 (in 20 minutes)
Proceed with reload? [confirm]
Router1#
The reload at command lets you specify a particular time and date when you want the router to reload:
Router1#reload at 14:00 Feb 2
Reload scheduled for 14:00:00 EST Sun Feb 2 2003 (in 26 hours and 44 minutes)
Proceed with reload? [confirm]
Router1#
Router Troubleshooting
Ans. Have you ever accidentally wiped out the IOS on your router? If you're working quickly and not paying attention, it can be an easy mistake to make. All it takes is making a typo in the destination filename when you're trying to save a change.
Here's an example:
router# copy running-config startp-config
Destination filename [startp-config]?
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Hitting [Enter] a couple of times out of habit can all too quickly wipe out the IOS. If you don't realize the mistake in time, rebooting the router means the IOS is gone for good, and the router won't boot up.
Losing the IOS can also happen when upgrading the flash on the router. As the Cisco IOS grows larger, having to upgrade your flash is a very common task. But when you install the new flash, it has no IOS, leaving you in the same position as if you had accidentally erased the flash.
Unfortunately, if you're like many people, when you wipe out the IOS, you may not have a backup copy of the IOS. Or, you may not have access to the Cisco IOS download site or have the time to download the somewhat large IOS file.
And if you're looking for the same IOS on all of your routers, it can be difficult to locate it on the Cisco IOS download site. Many times, it's much easier to take the IOS from an existing router and restore it on the router that's missing its IOS.
Let's look at the step-by-step process for restoring the Cisco IOS to a router using this method.
Install a TFTP server
First you need to install a TFTP server. I recommend the Tftpd32 server, which you can download from the Web. This is a great TFTP server, without a lot of the fluff that most of the others have. At less than 1 MB, it's very small and has no install application.
Run the TFTP server on a PC
If you've just pulled the working router off a shelf, you can connect the PC to the router with a reverse Ethernet cable. Configure the router and PC on the same network. Make sure that you can ping the router and that the router can ping you.
If your working router is up on your network, you can just download the IOS over the network directly using the instructions in the next section.
Copy the IOS from the working router to the PC
Here's an example of how to accomplish this:
copy c2600-12-3.xxxx.bin tftp://10.253.15.72
Replace 10.253.15.72 with the IP address of your PC, and replace c2600 with the name of your IOS. (You can locate the name of the IOS on the working router using the show flash command.)
This saves the IOS on the PC in the directory configured by the TFTP server. Figure A shows an example of what it looks like while downloading. Make sure to note the directory in which you'll save the IOS.
Download the IOS to the nonworking router
The best way to accomplish this is via Ethernet. The alternative—using XMODEM through the console—will be very slow, even if you increase the serial port baud rate to the maximum. So, instead, connect the PC's reverse Ethernet cable to the nonworking router (or use two normal/straight-through Ethernet cables and a switch).
Without an IOS, the nonworking router will boot up in ROMmon mode. The prompt will look like this:
rommon>
Verify the necessary settings
On the console of the nonworking router while in ROMmon mode, use the set command to display the current settings, which the program will use to download the IOS via TFTP. (For a Cisco example of these steps, check out this Cisco documentation.)
For example, here are the settings you must set for the tftpdnld command to work:
rommon> set
IP_ADDRESS=10.253.100.126
IP_SUBNET_MASK=255.255.0.0
TFTP_SERVER=10.253.15.72
DEFAULT_GATEWAY=10.253.1.1
TFTP_FILE={the name of the IOS that is saved on the PC}
However, your settings may not contain any of the required variables for the tftpdnld command. By default, it may look something like this:
rommon 9 > set
PS1=rommon ! >
BSI=0
RET_2_RUTC=0
RET_2_RTS=?=1
If this is the case, set the required variables. While it might seem obvious to use the set command to set the variables, you can actually set the variables simply by entering the name of the variable, the equal sign [=], and the value.
For example, to set the IP address of the broken router, you would use the following:
IP_ADDRESS=10.253.100.126
Final steps
After setting your values, run the tftpdnld command, which will replace the IOS. Listing A provides an example of how I restored a router.
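A pre-flight check for the variables above, as an added example that is not part of the original article: it parses ROMmon set output, reports which tftpdnld variables are missing, and checks that the gateway and TFTP server are reachable from the configured subnet. The function names are hypothetical; the sample values are the ones printed in the listings on this page.

```python
import ipaddress

# Variables the article says tftpdnld needs.
REQUIRED = ("IP_ADDRESS", "IP_SUBNET_MASK", "DEFAULT_GATEWAY",
            "TFTP_SERVER", "TFTP_FILE")

# Sample `set` output built from the article's listings. TFTP_FILE reuses the
# placeholder image name from the copy command earlier on the page.
SET_READY = """\
IP_ADDRESS=10.253.100.126
IP_SUBNET_MASK=255.255.0.0
TFTP_SERVER=10.253.15.72
DEFAULT_GATEWAY=10.253.1.1
TFTP_FILE=c2600-12-3.xxxx.bin
"""

# The default output the article shows when nothing has been configured yet.
SET_DEFAULT = """\
PS1=rommon ! >
BSI=0
RET_2_RUTC=0
RET_2_RTS=?=1
"""


def parse_set(output):
    """Turn NAME=value lines into a dict, splitting on the first '=' only."""
    env = {}
    for line in output.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and name:
            env[name] = value
    return env


def preflight(output):
    """Return a list of problems; an empty list means tftpdnld can be tried."""
    env = parse_set(output)
    problems = [f"{name} is not set" for name in REQUIRED if not env.get(name)]
    if problems:
        return problems
    try:
        iface = ipaddress.ip_interface(
            f"{env['IP_ADDRESS']}/{env['IP_SUBNET_MASK']}")
        gateway = ipaddress.ip_address(env["DEFAULT_GATEWAY"])
        server = ipaddress.ip_address(env["TFTP_SERVER"])
    except ValueError as exc:
        return [f"invalid address value: {exc}"]

    net = iface.network
    # The gateway is only usable if it sits on the router's own subnet.
    gateway_ok = gateway in net and gateway != iface.ip
    if not gateway_ok:
        problems.append(f"DEFAULT_GATEWAY {gateway} is not a neighbour on {net}")
    # An off-subnet TFTP server can only be reached through a usable gateway.
    if server not in net and not gateway_ok:
        problems.append(
            f"TFTP_SERVER {server} is off-subnet and no usable gateway is set")
    return problems


if __name__ == "__main__":
    for label, text in (("configured", SET_READY), ("default", SET_DEFAULT)):
        result = preflight(text)
        print(label, "->", "ready" if not result else result)
```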
An alternate approach to the tftpdnld command
However, if the tftpdnld command doesn't work for some reason, you can use the xmodem command to send the IOS over the serial console line. (For instructions for this process, check out this Cisco documentation.) However, if you decide to take this route, it's a good idea to change the baud rate on the console and your PC to 115,200 so it doesn't take more than four hours for an 8-MB IOS file to transfer over the 9600-baud console.
On a final note, keep in mind that different models of Cisco routers and different Cisco firmware versions respond differently. For example, these commands performed on a 2600 series router may not work on a 3600 series router. However, the basic process remains the same.
Q.You want to load configuration commands via the Trivial File Transfer Protocol (TFTP).
Ans. You can use the copy tftp: command to configure the router via the TFTP:
Router1#copy tftp://172.25.1.1/NEWCONFIG running-config
Destination filename [running-config]?
Accessing tftp://172.25.1.1/NEWCONFIG...
Loading NEWCONFIG from 172.25.1.1 (via FastEthernet0/0.1): !
[OK - 24 bytes] 24 bytes copied in 0.192 secs (125 bytes/sec)
Router1#
Q. You want to store a backup copy of your router's configuration on a TFTP server.
Ans. This example shows how to use TFTP to upload a copy of the router's active configuration to a remote server:
router#telnet Router1
Trying 172.25.1.5...
Connected to Router1.
Escape character is '^]'.
User Access Verification
Password:
Router1>en
Password:
Router1#copy running-config tftp://172.25.1.1/router1-confg
Address or name of remote host [172.25.1.1]?
Router1#
Q.You want to boot the router using an alternate configuration.
Ans. The following set of commands allows you to automatically load a configuration file located on a remote TFTP server when the router boots:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#service config
Router1(config)#boot network tftp Network-auto 172.25.1.1
Router1(config)#boot host tftp Router8-auto 172.25.1.1
Router1(config)#end
Router1#
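The HTTP server and boot-time TFTP settings shown in the answers above can be checked for in a saved configuration. The following is an added example, not code from the original page: a Python audit of a running-config excerpt. The rule names and the sample text are constructed for illustration, and only the numbered command forms printed on this page are parsed.

```python
import re

# Constructed sample: the commands from the two answers on this page, as they
# would appear together in a saved running-config.
SAMPLE_RESTRICTED = """\
service config
boot network tftp Network-auto 172.25.1.1
boot host tftp Router8-auto 172.25.1.1
access-list 75 permit 172.25.1.1
access-list 75 deny any
ip http server
ip http access-class 75
"""

# Constructed sample: the HTTP server enabled with no ACL bound to it.
SAMPLE_OPEN = "ip http server\n"


def config_lines(text):
    """Return config statements without blanks, '!' comments or indentation."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("!")]


def standard_acls(lines):
    """Map ACL number -> [(action, source), ...] for numbered access-lists."""
    acls = {}
    for ln in lines:
        m = re.match(r"access-list (\d+) (permit|deny) (.+)$", ln)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return acls


def audit(text):
    """Return [(rule_id, message), ...] for the settings discussed on this page."""
    lines = config_lines(text)
    acls = standard_acls(lines)
    findings = []

    # Exact matching means 'no ip http server' does not count as enabled.
    http = "ip http server" in lines
    https = "ip http secure-server" in lines
    if http:
        findings.append(("HTTP-CLEARTEXT",
                         "management over HTTP sends the login unencrypted"))
    if http or https:
        bound = [m.group(1) for ln in lines
                 if (m := re.match(r"ip http access-class (\d+)$", ln))]
        if not bound:
            findings.append(("HTTP-NO-ACL",
                             "web server enabled without 'ip http access-class'"))
        for num in bound:
            entries = acls.get(num)
            if not entries:
                findings.append(("HTTP-ACL-UNDEFINED",
                                 f"access-class {num} has no access-list entries"))
            elif any(act == "permit" and src == "any" for act, src in entries):
                findings.append(("HTTP-ACL-BROAD",
                                 f"access-list {num} permits any source"))

    # 'service config' plus 'boot network/host tftp' pulls configuration at
    # boot over TFTP, which has no authentication or integrity protection.
    if "service config" in lines:
        servers = sorted({m.group(1) for ln in lines
                          if (m := re.match(
                              r"boot (?:network|host) tftp \S+ (\S+)$", ln))})
        if servers:
            findings.append(("TFTP-AUTOLOAD",
                             "config auto-loaded over TFTP from "
                             + ", ".join(servers)))
    return findings


if __name__ == "__main__":
    for name, sample in (("restricted", SAMPLE_RESTRICTED), ("open", SAMPLE_OPEN)):
        print(name)
        for rule, message in audit(sample):
            print(f"  {rule}: {message}")
```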
Q.Your configuration file has become larger than the router's available NVRAM.
Ans. You can compress your router's configuration file before saving it to NVRAM to allow you to save more configuration information. The command service compress-config will compress the configuration information when the router saves the file, and uncompress it when it is required:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#service compress-config
Router1(config)#end
Router1#
ISDN Message Codes
Hex Value
Cause
Diagnostics
Explanation
--------------------------------------------------------------------------------------
1 | 01 | Unallocated (unassigned) number | Note 10 | The ISDN number was sent to the switch in the correct format; however, the number is not assigned to any destination equipment.
2 | 02 | No route to specified transit network | Transit network identity (Note 9) | The ISDN exchange is asked to route the call through an unrecognized intermediate network.
3 | 03 | No route to destination | Note 10 | The call was routed through an intermediate network that does not serve the destination address.
6 | 06 | Channel unacceptable | - | The service quality of the specified channel is insufficient to accept the connection.
7 | 07 | Call awarded and being delivered in an established channel | - | The user is assigned an incoming call that is being connected to an already-established call channel.
16 | 10 | Normal call clearing | Note 10 | Normal call clearing has occurred.
17 | 11 | User busy | - | The called system acknowledges the connection request but is unable to accept the call because all B channels are in use.
18 | 12 | No user responding | - | The connection cannot be completed because the destination does not respond to the call.
19 | 13 | No answer from user (user alerted) | - | The destination responds to the connection request but fails to complete the connection within the prescribed time. The problem is at the remote end of the connection.
21 | 15 | Call rejected | Note 10. User supplied diagnostic (Note 4) | The destination is capable of accepting the call but rejected the call for an unknown reason.
22 | 16 | Number changed | - | The ISDN number used to set up the call is not assigned to any system.
26 | 1A | Non-selected user clearing | - | The destination is capable of accepting the call but rejected the call because it was not assigned to the user.
27 | 1B | Destination out of order | - | The destination cannot be reached because the interface is not functioning correctly, and a signaling message cannot be delivered. This might be a temporary condition, but it could last for an extended period of time. For example, the remote equipment might be turned off.
28 | 1C | Invalid number format | - | The connection could not be established because the destination address was presented in an unrecognizable format or because the destination address was incomplete.
29 | 1D | Facility rejected | Facility identification (Note 1) | The facility requested by the user cannot be provided by the network.
30 | 1E | Response to STATUS ENQUIRY | - | The status message was generated in direct response to the prior receipt of a status enquiry message.
31 | 1F | Normal, unspecified | - | Reports the occurrence of a normal event when no standard cause applies. No action required.
34 | 22 | No circuit/channel available | - | The connection cannot be established because no appropriate channel is available to take the call.
38 | 26 | Network out of order | - | The destination cannot be reached because the network is not functioning correctly, and the condition might last for an extended period of time. An immediate reconnect attempt will probably be unsuccessful.
41 | 29 | Temporary failure | - | An error occurred because the network is not functioning correctly. The problem will be resolved shortly.
42 | 2A | Switching equipment congestion | - | The destination cannot be reached because the network switching equipment is temporarily overloaded.
43 | 2B | Access information discarded | Discarded information element identifier(s) (Note 5) | The network cannot provide the requested access information.
44 | 2C | Requested circuit/channel not available | - | The remote equipment cannot provide the requested channel for an unknown reason. This might be a temporary problem.
47 | 2F | Resources unavailable, unspecified | - | The requested channel or service is unavailable for an unknown reason. This might be a temporary problem.
49 | 31 | Quality of service unavailable | Table B-2 | The requested quality of service cannot be provided by the network. This might be a subscription problem.
50 | 32 | Requested facility not subscribed | Facility identification (Note 1) | The remote equipment supports the requested supplementary service by subscription only.
57 | 39 | Bearer capability not authorized | Note 3 | The user requested a bearer capability that the network provides, but the user is not authorized to use it. This might be a subscription problem.
58 | 3A | Bearer capability not presently available | Note 3 | The network normally provides the requested bearer capability, but it is unavailable at the present time. This might be due to a temporary network problem or to a subscription problem.
63 | 3F | Service or option not available, unspecified | - | The network or remote equipment was unable to provide the requested service option for an unspecified reason. This might be a subscription problem.
65 | 41 | Bearer capability not implemented | Note 3 | The network cannot provide the bearer capability requested by the user.
66 | 42 | Channel type not implemented | Channel Type (Note 6) | The network or the destination equipment does not support the requested channel type.
69 | 45 | Requested facility not implemented | Facility Identification (Note 1) | The remote equipment does not support the requested supplementary service.
70 | 46 | Only restricted digital information bearer capability is available | - | The network is unable to provide unrestricted digital information bearer capability.
79 | 4F | Service or option not implemented, unspecified | - | The network or remote equipment is unable to provide the requested service option for an unspecified reason. This might be a subscription problem.
81 | 51 | Invalid call reference value | - | The remote equipment received a call with a call reference that is not currently in use on the user-network interface.
82 | 52 | Identified channel does not exist | Channel identity | The receiving equipment is requested to use a channel that is not activated on the interface for calls.
83 | 53 | A suspended call exists, but this call identity does not | - | The network received a call resume request. The call resume request contained a Call Identity information element that indicates that the call identity is being used for a suspended call.
84 | 54 | Call identity in use | - | The network received a call resume request. The call resume request contained a Call Identity information element that indicates that it is in use for a suspended call.
85 | 55 | No call suspended | - | The network received a call resume request when there was not a suspended call pending. This might be a transient error that will be resolved by successive call retries.
86 | 56 | Call having the requested call identity has been cleared | Clearing cause | The network received a call resume request. The call resume request contained a Call Identity information element, which once indicated a suspended call. However, the suspended call was cleared either by timeout or by the remote user.
88 | 58 | Incompatible destination | Incompatible parameter (Note 2) | Indicates that an attempt was made to connect to non-ISDN equipment, for example, to an analog line.
91 | 5B | Invalid transit network selection | - | The ISDN exchange was asked to route the call through an unrecognized intermediate network.
95 | 5F | Invalid message, unspecified | - | An invalid message was received, and no standard cause applies. This is usually due to a D-channel error. If this error occurs systematically, report it to your ISDN service provider.
96 | 60 | Mandatory information element is missing | Information element identifier(s) (Note 5) | The receiving equipment received a message that did not include one of the mandatory information elements. This is usually due to a D-channel error. If this error occurs systematically, report it to your ISDN service provider.
97 | 61 | Message type non-existent or not implemented | Message type | The receiving equipment received an unrecognized message, either because the message type was invalid or because the message type was valid but not supported. The cause is due to either a problem with the remote configuration or a problem with the local D channel.
98 | 62 | Message not compatible with call state or message type non-existent or not implemented | Message type | The remote equipment received an invalid message, and no standard cause applies. This cause is due to a D-channel error. If this error occurs systematically, report it to your ISDN service provider.
99 | 63 | Information element non-existent or not implemented | Information element identifier(s) (Notes 5, 7) | The remote equipment received a message that includes information elements that were not recognized. This is usually due to a D-channel error. If this error occurs systematically, report it to your ISDN service provider.
100 | 64 | Invalid information element contents | Information element identifier(s) (Note 5) | The remote equipment received a message that includes invalid information in the information element. This is usually due to a D-channel error.
101 | 65 | Message not compatible with call state | Message type | The remote equipment received an unexpected message that does not correspond to the current state of the connection. This is usually due to a D-channel error.
102 | 66 | Recovery on timer expires | Timer number (Note 8) | An error-handling (recovery) procedure was initiated by a timer expiry. This is usually a temporary problem.
111 | 6F | Protocol error, unspecified | - | An unspecified D-channel error when no other standard cause applies.
127 | 7F | Internetworking, unspecified | - | An event occurred, but the network does not provide causes for the action that it takes. The precise problem is unknown.
Deploying Cisco Voice over IP Solutions
============
Learn real-world voice-over-IP deployment solutions and strategies from the Cisco experts
Deploying Cisco Voice over IP Solutions covers:
- Definitive guidelines on real-world VoIP deployments, the fundamentals of the latest VoIP solutions, and a look into the future of VoIP services
- Different techniques for engineering and properly sizing traffic-sensitive voice networks
- Basic concepts applicable to echo analysis, echo cancellation, and locating and eliminating echoes
- Various QoS features applicable to voice
- Detailed information on call admission control (CAC)
- Dial plan configuration recommendations on Cisco H.323 gateways and gatekeepers used to support large dial plans
- Basic tasks of designing a long-distance VoIP network
- The two classes of hosted voice networks: Managed Multiservice (MMS) networks and packet voice VPNs
- Fax services: store and forward as well as real-time relay fax services
- Sample configurations and step-by-step examples to help you learn how to build a VoIP network
Deploying Cisco Voice over IP Solutions provides networking professionals the knowledge, advice, and insight necessary to design and deploy voice over IP (VoIP) networks that meet customers' needs for scalability, services, and security. Beginning with an introduction to the important preliminary design elements that need to be considered before implementing VoIP, Deploying Cisco Voice over IP Solutions also demonstrates the basic tasks involved in designing an effective service provider-based VoIP network. You'll conclude with design and implementation guidelines for some of the more popular and widely requested VoIP services, such as prepaid services, fax services, and virtual private networks (VPNs).
This book is a collaboration of Cisco Systems CCIE(r) engineers, technical marketing engineers, and systems engineers. You'll find design experience from people who have designed some of the world's largest VoIP networks.
Saturday, August 18, 2007
Hacking Exposed Cisco Networks: Cisco Security Secrets & Solutions
Use the tried-and-true Hacking Exposed methodology to find, exploit, and plug security holes in Cisco devices and networks
- Locate vulnerable Cisco networks using Google and BGP queries, wardialing, fuzzing, host fingerprinting, and portscanning
- Abuse Cisco failover protocols, punch holes in firewalls, and break into VPN tunnels
- Use blackbox testing to uncover data input validation errors, hidden backdoors, HTTP, and SNMP vulnerabilities
- Gain network access using password and SNMP community guessing, Telnet session hijacking, and searching for open TFTP servers
- Find out how IOS exploits are written and if a Cisco router can be used as an attack platform
- Block determined DoS and DDoS attacks using Cisco proprietary safeguards, CAR, and NBAR
- Prevent secret keys cracking, sneaky data link attacks, routing protocol exploits, and malicious physical access.
Cisco IOS Access Lists
Intranets. The book serves as an introduction and a reference for network engineers implementing routing policies within intranet networking.
Firewalls. The book is a supplement and companion reference to books such as Brent Chapman's Building Internet Firewalls. Packet filtering is an integral part of many firewall architectures, and Cisco IOS Access Lists describes common packet filtering tasks and provides a "bag of tricks" for firewall implementers.
The Internet. This book is also a guide to the complicated world of route maps. Route maps are an arcane BGP construct necessary to make high level routing work on the Internet.
Cisco IOS Access Lists differs from other Cisco router titles in that it focuses on practical instructions for setting router access policies. The details of interfaces and routing protocol settings are not discussed.
Securing and Controlling Cisco Routers
Managing Cisco Network Security
Tuesday, June 12, 2007
Improving Security on Cisco Routers
This document is an informal discussion of some Cisco configuration settings that network administrators should consider changing on their routers, especially on their border routers, in order to improve security. This document is about basic boilerplate configuration items that are almost universally applicable in IP networks, and about a few unexpected items of which you should be aware.
Cisco IOS software has many security-specific features, such as packet-filtering access lists, the Cisco IOS Firewall Feature Set, TCP Intercept, AAA, and encryption. Many other features, such as packet logging and quality of service (QoS) features, can be used to increase network security against various attacks. None of these are discussed, except in passing. This is not a document about firewall configuration. For the most part, this is a document about how to secure the router itself, and ignores the equally important issue of the protection of other network devices.
Password Management
Passwords and similar secrets, such as Simple Network Management Protocol (SNMP) community strings, are the primary defense against unauthorized access to your router. The best way to handle most passwords is to maintain them on a TACACS+ or RADIUS authentication server. However, almost every router still has a locally configured password for privileged access, and can also have other password information in its configuration file.
enable secret
The enable secret command is used to set the password that grants privileged administrative access to the IOS system. An enable secret password must always be set. Use the enable secret command, not the older enable password command. The enable password command uses a weak encryption algorithm. If no enable secret is set, and a password is configured for the console TTY line, the console password can be used to receive privileged access, even from a remote VTY session. This is almost certainly not what you want, and is another reason to be certain to configure an enable secret.
service password-encryption (and limitations)
The service password-encryption command directs the IOS software to encrypt the passwords, CHAP secrets, and similar data that are saved in its configuration file. This is useful to prevent casual observers from reading passwords, such as when they look at the screen over the shoulder of an administrator.
However, the algorithm used by the service password-encryption command is a simple Vigenere cipher. Any competent amateur cryptographer can easily reverse it in a few hours. The algorithm is not designed to protect configuration files against serious analysis by even slightly sophisticated attackers, and should not be used for this purpose. Any Cisco configuration file that contains encrypted passwords must be treated with the same care used for a cleartext list of those same passwords.
This weak encryption warning does not apply to passwords set with the enable secret command, but it does apply to passwords set with the enable password command.
The enable secret command uses MD5 for password hashing. The algorithm has had considerable public review, and is not reversible as far as Cisco knows. It is, however, subject to dictionary attacks. A dictionary attack is when a computer tries every word in a dictionary or other list of candidate passwords. Therefore, remember to keep your configuration file out of the hands of untrusted people, especially if you are not sure your passwords are well chosen.
Control Interactive Access
Anyone who can log in to a Cisco router can display information which you probably do not want to make available to the general public. A user who can log in to the router might be able to use it as a relay for further network attacks. Anyone who can get privileged access to the router can reconfigure it. You need to control interactive logins to the router in order to prevent inappropriate access.
Although most interactive access is disabled by default, there are exceptions. The most obvious exception is the interactive sessions that are from directly connected asynchronous terminals, such as the console terminal, and from integrated modem lines.
Console Ports
It is important to remember that the console port of a Cisco IOS device has special privileges. In particular, if a BREAK signal is sent to the console port during the first few seconds after a reboot, the password recovery procedure can easily be used to take control of the system. This means that attackers who interrupt power or induce a system crash, and who have access to the console port via a hardwired terminal, a modem, a terminal server, or some other network device, can take control of the system, even if they do not have physical access to it or the ability to log in to it normally.
Any modem or network device that gives access to the Cisco console port must be secured to a standard comparable to the security used for privileged access to the router. At a bare minimum, any console modem should be of a type that can require the dialup user to supply a password for access, and the modem password must be carefully managed.
General Interactive Access
There are more ways to get interactive connections to routers than users realize. Depending on the configuration and software version, Cisco IOS software can support these connections:
- via Telnet
- via rlogin
- via SSH
- via non-IP-based network protocols, such as LAT, MOP, X.29, and V.120
- possibly via other protocols
- via local asynchronous connections and modem dial-ins
More protocols for interactive access are always being added. Interactive Telnet access is available not only on the standard Telnet TCP port (port 23), but on a variety of higher-numbered ports as well.
All interactive access mechanisms use the IOS TTY abstraction (in other words, they all involve sessions on lines of one sort or another). Local asynchronous terminals and dialup modems use standard lines, known as TTYs. Remote network connections, regardless of the protocol, use virtual TTYs (VTYs). The best way to protect a system is to make certain that appropriate controls are applied on all lines, which includes both VTY lines and TTY lines.
Because it is difficult to make certain that all possible modes of access have been blocked, administrators should use some sort of authentication mechanism in order to make sure that logins on all lines are controlled, even on machines that are supposed to be inaccessible from untrusted networks. This is especially important for VTY lines and for lines connected to modems or other remote access devices.
The login and no password commands can be configured in order to completely prevent interactive logins. This is the default configuration for VTYs, but not for TTYs. There are many ways to configure passwords and other forms of user authentication for TTY and VTY lines. Refer to the Cisco IOS software documentation for more information.
Local asynchronous terminals are less common than they once were, but they still exist in some installations. Unless the terminals are physically secured, and usually even if they are, the router should be configured to require users on local asynchronous terminals to log in before they use the system. Most TTY ports in modern routers are either connected to external modems, or are implemented by integrated modems. The security of these ports is obviously even more important than securing local terminal ports.
By default, a remote user can establish a connection to a TTY line over the network. This is known as reverse Telnet. This allows the remote user to interact with the terminal or modem connected to the TTY line. It is possible to apply password protection for such connections. Often, it is desirable to allow users to make connections to modem lines, so that they can make outgoing calls. However, this feature can allow a remote user to connect to a local asynchronous terminal port, or even to a dial-in modem port, and simulate the login prompt of the router to steal passwords. This feature can also do other things that can trick local users or interfere with their work.
Issue the transport input none configuration command in order to disable this reverse Telnet feature on any asynchronous or modem line that should not receive connections from network users. If possible, do not use the same modems for both dial-in and dial-out, and do not allow reverse Telnet connections to the lines you use for dial-in.
Control VTYs and Ensure VTY Availability
Any VTY must be configured to accept connections only with the protocols actually needed. This is performed with the transport input command. For example, a VTY that is expected to receive only Telnet sessions is configured with the transport input telnet command, while a VTY that permits both Telnet and SSH sessions has the transport input telnet ssh command. If your software supports an encrypted access protocol such as SSH, then enable only that protocol, and disable cleartext Telnet. Also, issue the ip access-class command in order to restrict the IP addresses from which the VTY accepts connections.
A Cisco IOS device has a limited number, usually five, of VTY lines. When all of the VTYs are in use, no more remote interactive connections can be established. This creates the opportunity for a denial-of-service attack. If an attacker can open remote sessions to all the VTYs on the system, the legitimate administrator might not be able to log in. The attacker does not have to log in to do this. The sessions can simply be left at the login prompt.
One way to reduce this exposure is to configure a more restrictive ip access-class command on the last VTY in the system than on the other VTYs. The last VTY, usually VTY 4, can be restricted to accept connections only from a single, specific administrative workstation, whereas the other VTYs can accept connections from any address in a corporate network.
Another useful tactic is to issue the exec-timeout command in order to configure VTY timeouts. This prevents an idle session from consuming a VTY indefinitely. Although its effectiveness against deliberate attacks is relatively limited, it also provides some protection against sessions accidentally left idle. Similarly, if you enable TCP keepalives on incoming connections with the service tcp-keepalives-in command, this can help to guard against both malicious attacks and orphaned sessions caused by remote system crashes.
You can disable all non IP-based remote access protocols and use IPSec encryption for all remote interactive connections to the router in order to provide complete VTY protection. IPSec is an extra-cost option, and its configuration is beyond the scope of this document.
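One way to check a saved configuration against the line controls described above (reverse Telnet on asynchronous lines, VTY transport restrictions, access classes, the separately restricted last VTY, timeouts and keepalives), as an added example that is not Cisco's code or part of the original document. The sample configuration, function names and finding texts are constructed for illustration.

```python
import re

# Constructed sample configuration for illustration (not from a real device).
SAMPLE_CONFIG = """\
line con 0
 login
line aux 0
 login
 transport input all
line vty 0 3
 access-class 10 in
 exec-timeout 0 0
 login
 transport input telnet ssh
line vty 4
 access-class 10 in
 login
!
"""

LINE_RE = re.compile(r"^line\s+(?:(con|aux|tty|vty)\s+)?(\d+)(?:\s+(\d+))?\s*$")


def parse_line_stanzas(config):
    """Return one dict per 'line' stanza: kind, first, last, subcommands."""
    stanzas, current = [], None
    for raw in config.splitlines():
        m = LINE_RE.match(raw)
        if m:
            first = int(m.group(2))
            current = {"kind": m.group(1) or "tty",   # bare "line 1 8" = TTY lines
                       "first": first,
                       "last": int(m.group(3) or first),
                       "cmds": []}
            stanzas.append(current)
        elif current is not None and raw.startswith(" "):
            current["cmds"].append(raw.strip())
        else:
            current = None                            # unindented line ends the stanza
    return stanzas


def args_of(cmds, prefix):
    """Arguments of the first subcommand that starts with prefix, else None."""
    for c in cmds:
        if c.startswith(prefix + " "):
            return c[len(prefix):].split()
    return None


def audit_lines(config):
    """Return (location, finding) pairs for the line controls discussed above."""
    findings, vty_acl = [], {}
    for s in parse_line_stanzas(config):
        name = "line %s %d" % (s["kind"], s["first"])
        if s["last"] != s["first"]:
            name += " %d" % s["last"]
        transport = args_of(s["cmds"], "transport input")
        if s["kind"] in ("aux", "tty"):
            if transport != ["none"]:
                findings.append((name, "reverse Telnet not disabled (no 'transport input none')"))
            continue
        if s["kind"] != "vty":
            continue
        if transport is None:
            findings.append((name, "no explicit 'transport input' restriction"))
        elif "telnet" in transport or "all" in transport:
            findings.append((name, "cleartext Telnet accepted"))
        # In line configuration mode the subcommand reads "access-class <acl> in".
        acl = args_of(s["cmds"], "access-class")
        inbound = acl[0] if acl and "in" in acl[1:] else None
        if inbound is None:
            findings.append((name, "no inbound access-class"))
        for n in range(s["first"], s["last"] + 1):
            vty_acl[n] = inbound
        timeout = args_of(s["cmds"], "exec-timeout")
        if timeout and all(t == "0" for t in timeout):
            findings.append((name, "exec-timeout disabled"))
    if vty_acl:
        last = max(vty_acl)
        others = {a for n, a in vty_acl.items() if n != last}
        if vty_acl[last] is None or vty_acl[last] in others:
            findings.append(("line vty %d" % last,
                             "last VTY has no access-class of its own"))
    if not re.search(r"^service tcp-keepalives-in\s*$", config, re.M):
        findings.append(("global", "service tcp-keepalives-in not set"))
    return findings


if __name__ == "__main__":
    for where, what in audit_lines(SAMPLE_CONFIG):
        print("%-14s %s" % (where, what))
```

The last-VTY check only confirms that the highest-numbered VTY uses a different access list from the others; whether that list is actually tighter still has to be read from the access list itself.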
Warning Banners
In some jurisdictions, civil and criminal prosecution of crackers who break into your systems is made much easier if you provide a banner that informs unauthorized users that their use is unauthorized. In other jurisdictions, you can be forbidden to monitor the activities of even unauthorized users unless you have taken steps to notify them of your intent. One method to provide this notification is to put it into a banner message configured with the Cisco IOS banner login command.
Legal notification requirements are complex, and vary in each jurisdiction and situation. Even within jurisdictions, legal opinions vary, and this issue should be discussed with your own legal counsel. In cooperation with counsel, you must consider what information is put into your banner:
- A notice that the system is to be logged in to or used only by specifically authorized personnel, and perhaps information about who can authorize use.
- A notice that any unauthorized use of the system is unlawful, and can be subject to civil and/or criminal penalties.
- A notice that any use of the system can be logged or monitored without further notice, and that the resulting logs can be used as evidence in court.
- Specific notices required by specific local laws.
From a security, rather than a legal point of view, your login banner must not contain any specific information about your router, its name, its model, what software it runs, or who owns it. This information can be abused by crackers.
Commonly Configured Management Services
Many users use protocols other than interactive remote login in order to manage their networks. The most common protocols for this purpose are SNMP and HTTP.
Neither of these protocols is enabled by default, and, as for any other service, the most secure option is to not enable them at all. However, if they are enabled, they must be secured as described in this section.
SNMP
SNMP is very widely used for router monitoring, and frequently for router configuration changes. Unfortunately, version 1 of the SNMP protocol, which is the most commonly used, uses a very weak authentication scheme based on a community string. This amounts to a fixed password transmitted over the network without encryption. If possible, use SNMP version 2, which supports an MD5-based digest authentication scheme and allows for restricted access to various management data.
If you must use SNMP version 1, choose non-obvious community strings. Do not choose, for example, "public" or "private". If possible, avoid the use of the same community strings for all network devices. Use a different string or strings for each device, or at least for each area of the network. Do not make a read-only string the same as a read-write string. If possible, periodic SNMP version 1 polling should be done with a read-only community string. Read-write strings should be used only for actual write operations.
SNMP version 1 is not suited to use across the public Internet for these reasons:
- It uses cleartext authentication strings.
- Most SNMP implementations send those strings repeatedly as part of periodic polling.
- It is an easily spoofable, datagram-based transaction protocol.
You must carefully consider the implications before you use it that way.
In most networks, legitimate SNMP messages come only from certain management stations. If this is true in your network, you should probably use the access list number option on the snmp-server community command in order to restrict SNMP version 1 access to only the IP addresses of the management stations. Do not use the snmp-server community command for any purpose in a pure SNMP version 2 environment. This command implicitly enables SNMP version
For SNMP version 2, configure digest authentication with the authentication and md5 keywords of the snmp-server party configuration command. If possible, use a different MD5 secret value for each router.
SNMP management stations often have large databases of authentication information, such as community strings. This information can provide access to many routers and other network devices. This concentration of information makes the SNMP management station a natural target for attack, and it must be secured accordingly.
HTTP
Most recent Cisco IOS software versions use the World Wide Web HTTP protocol in order to support remote configuration and monitoring. In general, HTTP access is equivalent to interactive access to the router. The authentication protocol used for HTTP is equivalent to sending a cleartext password across the network. Unfortunately, there is no effective provision in HTTP for challenge-based or one-time passwords. This makes HTTP a relatively risky choice for use across the public Internet.
If you choose to use HTTP for management, issue the ip http access-class command in order to restrict access to appropriate IP addresses. Also, issue the ip http authentication command in order to configure authentication. As with interactive logins, the best choice for HTTP authentication is to use a TACACS+ or RADIUS server. Avoid the use of the enable password as an HTTP password.
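One way to check a saved configuration against the Password Management, SNMP and HTTP guidance above, as an added example that is not Cisco's code or part of the original document. The sample configuration, the placeholder secrets and the function names are constructed for illustration; findings cite the configuration line number so that no secret is echoed.

```python
import re

# Constructed sample configuration for illustration (not from a real device).
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 <type-7-placeholder>
username ops password 7 <type-7-placeholder>
access-list 5 permit 192.0.2.10
snmp-server community public RO
snmp-server community example-rw-string RW 5
snmp-server community shared-string RO 5
snmp-server community shared-string view mgmt RW 5
ip http server
ip http authentication enable
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def parse_community(args):
    """Split 'snmp-server community' arguments into (string, mode, acl)."""
    string, mode, acl = args[0], "ro", None
    rest = iter(args[1:])
    for tok in rest:
        low = tok.lower()
        if low == "view":
            next(rest, None)             # skip the view name
        elif low in ("ro", "rw"):
            mode = low
        else:
            acl = tok                    # trailing access-list number or name
    return string, mode, acl


def audit_management(config):
    """Return (line_number, finding) pairs; line 0 means the whole configuration."""
    findings, communities = [], {"ro": set(), "rw": set()}
    lines = [l.strip() for l in config.splitlines()]

    def has(prefix):
        return any(l == prefix or l.startswith(prefix + " ") for l in lines)

    if not has("enable secret"):
        findings.append((0, "no enable secret configured"))
    for no, l in enumerate(lines, 1):
        if l.startswith("enable password"):
            findings.append((no, "enable password in use; replace with enable secret"))
        elif re.search(r"\bpassword 7 ", l):
            findings.append((no, "type 7 password: handle this file as cleartext"))
        elif l.startswith("snmp-server community "):
            string, mode, acl = parse_community(l.split()[2:])
            communities[mode].add(string)
            if string.lower() in DEFAULT_COMMUNITIES:
                findings.append((no, "well-known community string"))
            if acl is None:
                findings.append((no, "community not restricted by an access list"))
    if communities["ro"] & communities["rw"]:
        findings.append((0, "same community string used for read-only and read-write"))

    if has("ip http server"):
        if not has("ip http access-class"):
            findings.append((0, "HTTP server enabled without ip http access-class"))
        if not has("ip http authentication"):
            findings.append((0, "HTTP server enabled without ip http authentication"))
        elif has("ip http authentication enable"):
            findings.append((0, "HTTP authentication uses the enable password"))
    return findings


if __name__ == "__main__":
    for line_no, finding in audit_management(SAMPLE_CONFIG):
        print("%3d  %s" % (line_no, finding))
```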
Management and Interactive Access via the Internet (and Other Untrusted Networks)
Many users manage their routers remotely, and sometimes this is done over the Internet. Any unencrypted remote access carries some risk, but access over a public network such as the Internet is especially dangerous. All remote management schemes, including interactive access, HTTP, and SNMP, are vulnerable.
The attacks discussed in this section are relatively sophisticated ones, but they are not out of the reach of crackers today. These attacks can often be thwarted if the public network providers involved have taken proper security measures. You need to evaluate your level of trust in the security measures used by all the providers that carry your management traffic. Even if you trust your providers, it is recommended to take at least some steps to protect yourself from the results of any mistakes that might occur.
All the cautions here apply as much to hosts as to routers. This document discusses the protection of router login sessions, but you should use analogous mechanisms to protect your hosts if you administer those hosts remotely.
Remote Internet administration is useful, but requires careful attention to security.
Packet Sniffers
Crackers frequently break into computers owned by Internet service providers (ISPs), or into computers on other large networks, and install packet sniffer programs. These programs monitor the traffic that passes through the network and steal data, such as passwords and SNMP community strings. Although this has become more difficult as network operators improve their security, it is still relatively common. In addition to the risk from outside crackers, it is not unheard of for rogue ISP personnel to install sniffers. Any password sent over an unencrypted channel is at risk. This includes the login and enable passwords for your routers.
If possible, avoid logging in to your router with any unencrypted protocol over any untrusted network. If your router software supports it, use an encrypted login protocol such as SSH or Kerberized Telnet. Another possibility is to use IPSec encryption for all router management traffic, which includes Telnet, SNMP, and HTTP. All of these encryption features are subject to certain export restrictions imposed by the United States Government, and are special-order, extra-cost items on Cisco routers.
If you do not have access to an encrypted remote access protocol, another possibility is to use a one-time password system such as S/KEY or OPIE, together with a TACACS+ or RADIUS server. This controls both interactive logins and privileged access to your router. The advantage here is that a stolen password is of no use, because it is made invalid by the very session in which it is stolen. Non-password data transmitted in the session remains available to eavesdroppers, but many sniffer programs are set up to concentrate on passwords.
If you absolutely must send passwords over cleartext Telnet sessions, change your passwords frequently, and pay close attention to the path traversed by your sessions.
Other Internet Access Dangers
In addition to packet sniffers, remote Internet management of routers presents these security risks:
1. In order to manage a router over the Internet, you must permit at least some Internet hosts to have access to the router. It is possible that these hosts can be compromised, or that their addresses can be spoofed. By permitting interactive access from the Internet, you make your security dependent not only on your own anti-spoofing measures, but on those of the service providers involved. You can make sure that all the hosts that are permitted to log into your router are under your own control in order to reduce dangers. Also, use encrypted login protocols with strong authentication.
2. It is sometimes possible to hijack an unencrypted TCP connection (such as a Telnet session), and actually take control away from a user who is logged in. Although such hijack attacks are not as common as simple packet sniffing and can be complex to mount, these attacks are possible, and might be used by an attacker who has your network specifically in mind as a target. The only real solution to the problem of session hijack is to use a strongly authenticated encrypted management protocol.
3. Denial of service attacks are relatively common on the Internet. If your network is subjected to a denial of service attack, you might not be able to reach your router to collect information or take defensive action. Even an attack on someone else's network can impair your management access to your own network. Although you can take steps to make your network more resistant to denial of service attacks, the only real defense against this risk is to have a separate, out-of-band management channel, such as a dialup modem, for use in emergencies.
Logging
Cisco routers can record information about a variety of events, many of which have security significance. Logs can be invaluable to characterize and respond to security incidents. These are the main types of logging used by Cisco routers:
AAA logging—Collects information about user dial-in connections, logins, logouts, HTTP accesses, privilege level changes, commands executed, and similar events. AAA log entries are sent to authentication servers that use the TACACS+ and/or RADIUS protocols, and are recorded locally by those servers, typically in disk files. If you use a TACACS+ or RADIUS server, you can enable AAA logging of various sorts. Issue AAA configuration commands, such as aaa accounting, in order to enable this. Detailed description of AAA configuration is beyond the scope of this document.
SNMP trap logging—Sends notifications of significant changes in system status to SNMP management stations. Use SNMP traps only if you have an SNMP management infrastructure that already exists.
System logging—Records a large variety of events, which depends on the system configuration. System logging events can be reported to a variety of destinations, which include these:
1. The system console port (logging console).
2. Servers that use the UNIX syslog protocol (logging ip-address, logging trap).
3. Remote sessions on VTYs and local sessions on TTYs (logging monitor, terminal monitor).
4. A local logging buffer in router RAM (logging buffered).
From a security point of view, the most important events usually recorded by system logging are interface status changes, changes to the system configuration, access list matches, and events detected by the optional firewall and intrusion detection features.
Each system logging event is tagged with an urgency level. The levels range from debugging information (at the lowest urgency), to major system emergencies. Each logging destination can be configured with a threshold urgency, and receives logging events only at or above that threshold.
Save Log Information
By default, system logging information is sent only to the asynchronous console port. Because many console ports are unmonitored, or are connected to terminals without historical memory and with relatively small displays, this information might not be available when it is needed, especially when a problem is debugged over the network.
Almost every router must save system logging information to a local RAM buffer. The logging buffer is of a fixed size, and retains only the newest information. The contents of the buffer are lost whenever the router is reloaded. Even so, a moderately-sized logging buffer is often of great value. On low-end routers, a reasonable buffer size might be 16384 or 32768 bytes. On high-end routers with lots of memory (and many logged events), even 262144 bytes might be appropriate. You can issue the show memory command to make sure that your router has enough free memory to support a logging buffer. Issue the logging buffered buffer-size configuration command in order to create the buffer.
Most larger installations have syslog servers. You can send logging information to a server with the logging server-ip-address, and you can control the urgency threshold for logging to the server with the logging trap urgency command. Even if you have a syslog server, you should still enable local logging.
If your router has a real-time clock or runs NTP, issue the service timestamps log datetime msec command in order to time-stamp log entries.
Record Access List Violations
If you use access lists to filter traffic, you might want to log packets that violate your filtering criteria. Earlier Cisco IOS software versions use the log keyword in order to support logging. This causes logging of the IP addresses and port numbers associated with packets that match an access list entry. Later versions provide the log-input keyword, which adds information about the interface from which the packet was received, and the MAC address of the host that sent it.
It is not a good idea to configure logging for access list entries that match very large numbers of packets. This causes log files to grow excessively large, and can cut into system performance. However, access list log messages are rate-limited, so the impact is not catastrophic.
Access list logging can also be used to log the suspect traffic in order to characterize traffic associated with network attacks.
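The following sketch, added here and not part of the original document, shows how access list log entries can be totalled to characterize denied traffic, and how the interface and MAC address recorded by log-input expose a packet that claims an internal source but arrived from outside. The %SEC-6-IPACCESSLOGP line layout, the sample lines, the 192.0.2.0/24 internal block and the choice of Ethernet0 as the outside interface are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed layout of a TCP/UDP access list log entry; the "(interface MAC)"
# part is present only when the entry was configured with log-input.
LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) "
    r"(?:\((?P<iface>\S+) (?P<mac>\S+)\) )?"
    r"-> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample log, not captured from a real router.
SAMPLE = """\
Oct 13 09:14:02.113: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.44(3120) (Ethernet0 0000.0c12.3456) -> 192.0.2.10(23), 1 packet
Oct 13 09:19:02.120: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.44(3120) (Ethernet0 0000.0c12.3456) -> 192.0.2.10(23), 37 packets
Oct 13 09:20:11.004: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(53) -> 192.0.2.10(1434), 1 packet
Oct 13 09:21:30.551: %LINK-3-UPDOWN: Interface Serial1, changed state to down
"""

def parse_line(line):
    """Return the fields of an access list log entry, or None for other messages."""
    m = LOGP.search(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("sport", "dport", "count"):
        entry[key] = int(entry[key])
    return entry

def denied_totals(lines):
    """Sum packet counts per (source, destination, destination port).

    Because the messages are rate-limited, one flow appears as a first-packet
    entry followed by periodic summaries; the counts have to be added up.
    """
    totals = Counter()
    for entry in filter(None, map(parse_line, lines)):
        if entry["action"] == "denied":
            totals[(entry["src"], entry["dst"], entry["dport"])] += entry["count"]
    return totals

def spoofed_sources(lines, internal_net, outside_iface):
    """Denied packets with an internal source seen on the outside interface."""
    net = ipaddress.ip_network(internal_net)
    hits = set()
    for entry in filter(None, map(parse_line, lines)):
        if (entry["action"] == "denied" and entry["iface"] == outside_iface
                and ipaddress.ip_address(entry["src"]) in net):
            hits.add((entry["src"], entry["mac"]))
    return hits

if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    for flow, packets in denied_totals(lines).most_common():
        print(flow, packets)
    print(spoofed_sources(lines, "192.0.2.0/24", "Ethernet0"))
```

Entries logged with the plain log keyword carry no interface, so the spoofing check can only be made on entries that use log-input.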
Secure IP Routing
This section discusses some basic security measures related to the way in which the router forwards IP packets.
Anti-Spoofing
Many network attacks rely on an attacker that falsifies, or spoofs, the source addresses of IP datagrams. Some attacks rely on spoofing to work at all, and other attacks are much harder to trace if the attacker can use the address of someone else instead of his or her own. Therefore, it is valuable for network administrators to prevent spoofing wherever feasible.
Anti-spoofing must be done at every point in the network where it is practical. It is usually both easiest and most effective at the borders between large address blocks, or between domains of network administration. It is usually impractical to perform anti-spoofing on every router in a network, because of the difficulty to determine which source addresses might legitimately appear on any given interface.
If you are an ISP, you might find that effective anti-spoofing, along with other effective security measures, causes expensive, annoying problem subscribers to take their business to other providers. ISPs must apply anti-spoofing controls at dialup pools and other end-user connection points (refer to RFC 2267).
Administrators of corporate firewalls or perimeter routers sometimes install anti-spoofing measures to prevent hosts on the Internet from assuming the addresses of internal hosts, but do not take steps to prevent internal hosts from assuming the addresses of hosts on the Internet. Try to prevent spoofing in both directions. There are at least three good reasons to perform anti-spoofing in both directions at an organizational firewall:
1. Internal users are less tempted to launch network attacks and less likely to succeed if they do try.
2. Accidentally misconfigured internal hosts are less likely to cause trouble for remote sites. Therefore, these are less likely to generate angry telephone calls or damage the reputation of your organization.
3. Outside crackers often break into networks as launching pads for further attacks. These crackers might be less interested in a network with outgoing spoofing protection.
Anti-Spoofing with Access Lists
Unfortunately, it is not practical to give a simple list of commands that provide appropriate spoofing protection. The access list configuration depends too much on the individual network. The basic goal is to discard packets that arrive on interfaces that are not viable paths from the supposed source addresses of those packets. For example, on a two-interface router that connects a corporate network to the Internet, any datagram that arrives on the Internet interface, but whose source address field claims that it came from a machine on the corporate network, should be discarded.
Similarly, any datagram that arrives on the interface connected to the corporate network, but whose source address field claims that it came from a machine outside the corporate network, should be discarded. If CPU resources allow it, anti-spoofing should be applied on any interface where it is feasible to determine what traffic can legitimately arrive.
ISPs that carry transit traffic can have limited opportunities to configure anti-spoofing access lists, but such an ISP can usually at least filter outside traffic that claims to originate within the address space of the ISP.
In general, anti-spoofing filters must be built with input access lists. This means that packets must be filtered at the interfaces through which they arrive at the router, not at the interfaces through which they leave the router. This is configured with the ip access-group list in interface configuration command. You can use output access lists in some two-port configurations in order to anti-spoof, but input lists are usually easier to understand even in those cases. Furthermore, an input list protects the router itself from spoofing attacks, whereas an output list protects only devices behind the router.
When anti-spoofing access lists exist, they should always reject datagrams with broadcast or multicast source addresses, and datagrams with the reserved loopback address as a source address. It is usually appropriate for an anti-spoofing access list to filter out all ICMP redirects, regardless of source or destination address. These are the appropriate commands:
access-list number deny icmp any any redirect
access-list number deny ip 127.0.0.0 0.255.255.255 any
access-list number deny ip 224.0.0.0 31.255.255.255 any
access-list number deny ip host 0.0.0.0 any
The fourth command filters out packets from many BOOTP/DHCP clients. Therefore, it is not appropriate in all environments.
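To make the wildcard masks and the input-list logic concrete, the following model (an added example, not from the original document) evaluates the four entries above, plus assumed site-specific entries, the way a first-match input access list would on the two-interface router described earlier. The corporate block 192.0.2.0/24, the external test addresses and the two list names are assumptions for illustration.

```python
import ipaddress

def _int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means "don't care"."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(base) & care)

def covered_range(base, wildcard):
    """First and last address matched (valid for contiguous wildcards only)."""
    low = _int(base) & ~_int(wildcard) & 0xFFFFFFFF
    return (str(ipaddress.IPv4Address(low)),
            str(ipaddress.IPv4Address(low | _int(wildcard))))

ANY = ("0.0.0.0", "255.255.255.255")
CORP = ("192.0.2.0", "0.0.0.255")  # assumed corporate block (documentation range)

# The four entries from the text, in order: (action, protocol, source, ICMP type)
COMMON = [
    ("deny", "icmp", ANY, 5),  # "redirect" is ICMP type 5
    ("deny", "ip", ("127.0.0.0", "0.255.255.255"), None),
    ("deny", "ip", ("224.0.0.0", "31.255.255.255"), None),
    ("deny", "ip", ("0.0.0.0", "0.0.0.0"), None),  # "host 0.0.0.0"
]
# Assumed site-specific entries for the two-interface router in the text.
INTERNET_IN = COMMON + [("deny", "ip", CORP, None), ("permit", "ip", ANY, None)]
CORP_IN = COMMON + [("permit", "ip", CORP, None)]  # implicit deny follows

def evaluate(acl, proto, src, icmp_type=None):
    """Return the action of the first matching entry, as an input ACL would."""
    for action, acl_proto, (base, wild), acl_type in acl:
        if acl_proto not in ("ip", proto):
            continue
        if acl_type is not None and acl_type != icmp_type:
            continue
        if wildcard_match(src, base, wild):
            return action
    return "deny"  # every Cisco access list ends with an implicit deny

if __name__ == "__main__":
    print(covered_range("224.0.0.0", "31.255.255.255"))
    for name, acl, proto, src in [
        ("internet", INTERNET_IN, "tcp", "192.0.2.10"),   # claims to be internal
        ("internet", INTERNET_IN, "tcp", "198.51.100.7"),
        ("corporate", CORP_IN, "tcp", "198.51.100.7"),    # claims to be external
        ("corporate", CORP_IN, "udp", "0.0.0.0"),         # DHCP client before lease
    ]:
        print(name, proto, src, evaluate(acl, proto, src))
```

The mask 31.255.255.255 leaves only the top three bits significant, so the single 224.0.0.0 entry covers multicast, the reserved space above it and the all-ones broadcast address.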
Path Integrity
Many attacks depend on the ability to influence the paths datagrams take through the network. If they control routing, crackers can spoof the address of another user machine and have the return traffic sent to them, or they can intercept and read data intended for someone else. Routing can also be disrupted purely for denial of service purposes.
IP Source Routing
The IP protocol supports source routing options that allow the sender of an IP datagram to control the route that datagram takes toward its ultimate destination, and generally the route that any reply takes. These options are rarely used for legitimate purposes in real networks. Some older IP implementations do not process source-routed packets properly, and it is possible to send them datagrams with source routing options in order to crash machines that run these implementations.
A Cisco router with the no ip source-route command set never forwards an IP packet which carries a source routing option. You should use this command, unless your network needs source routing.
ICMP Redirects
An ICMP redirect message instructs an end node to use a specific router as its path to a particular destination. In an IP network that functions properly, a router sends redirects only to hosts on its own local subnets. No end node ever sends a redirect, and no redirect ever traverses more than one network hop. However, an attacker can violate these rules. Some attacks are based on this. Filter out incoming ICMP redirects at the input interfaces of any router that lies at a border between administrative domains. Also, it is not unreasonable for any access list that is applied on the input side of a Cisco router interface to filter out all ICMP redirects. This causes no operational impact in a correctly configured network.
This filter prevents only redirect attacks launched by remote attackers. It is still possible for attackers to cause significant trouble using redirects if their host is directly connected to the same segment as a host that is under attack.
Routing Protocol Filter and Authentication
If you use a dynamic routing protocol that supports authentication, enable that authentication. This prevents malicious attacks on the routing infrastructure, and can also help to prevent damage caused by misconfigured rogue devices on the network.
For the same reasons, service providers and other operators of large networks are generally well advised to use route filtering (with the distribute-list in command) to prevent their routers from accepting clearly incorrect routing information. Although excessive use of route filtering can destroy the advantages of dynamic routing, judicious use often helps to prevent unpleasant results. For example, if you use a dynamic routing protocol to communicate with a stub customer network, you should not accept any routes from that customer other than routes to the address space you have actually delegated to the customer.
Detailed instruction on how to configure routing authentication and route filtering is beyond the scope of this document. Documentation is available on the Cisco website and elsewhere. Because of the complexity involved, novices are advised to seek experienced advice before configuring these features on important networks.
Flood Management
Many denial of service attacks rely on floods of useless packets. These floods congest network links, slow down hosts, and can overload routers as well. Careful router configuration can reduce the impact of such floods.
An important part of flood management is to be aware of where performance bottlenecks lie. If a flood overloads a T1 line, then filtering out the flood on the router at the source end of the line is effective, whereas filtering at the destination end has little or no effect. If the router itself is the most overloaded network component, then filtering protections that place heavy demands on the router can make matters worse. Keep this in mind when you consider the implementation of the suggestions in this section.
Router Self-Protection
Before a router can protect other parts of the network from the effects of floods, the router itself must be protected from overload.
The CEF switching mode, available in Cisco IOS Software Releases 11.1CC, 11.1CT, 11.2GS, and 12.0, replaces the traditional Cisco routing cache with a data structure that mirrors the entire system routing table. Because there is no need to build cache entries when traffic starts to arrive for new destinations, CEF behaves more predictably than other modes when presented with large volumes of traffic addressed to many destinations.
Although most flooding denial of service attacks send all of their traffic to one or a few targets and do not tax the traditional cache maintenance algorithm, many popular SYN flooding attacks use randomized source addresses. The host under attack replies to some fraction of the SYN flood packets, which creates traffic for a large number of destinations. Therefore, routers configured for CEF perform better under SYN floods (directed at hosts, not at the routers themselves) than routers that use the traditional cache. CEF is recommended when available.
Scheduler Configuration
When a Cisco router is fast-switching a large number of packets, it is possible for the router to spend so much time in response to interrupts from the network interfaces that no other work is done. Some very fast packet floods can cause this condition. Issue the scheduler interval command, which instructs the router to stop handling interrupts and attend to other business at regular intervals, in order to reduce the effect. A typical configuration might include the scheduler interval 500 command, which indicates that process-level tasks are to be handled no less frequently than every 500 milliseconds. This command rarely has any negative effects, and should be a part of your standard router configuration unless you know of a specific reason to leave it out.
Many newer Cisco platforms use the scheduler allocate command instead of the scheduler interval command. The scheduler allocate command takes two parameters: a period in microseconds for the system to run with interrupts enabled, and a period in microseconds for the system to run with interrupts masked. If your system does not recognize the scheduler interval 500 command, issue the scheduler allocate 3000 1000 command. These values were chosen to represent the midpoints of the ranges. The range for the first value is 400 to 60000, and the range for the second value is 100 to 4000. These parameters can be tuned.
Finger
Cisco routers provide an implementation of the finger service, which is used to find out which users are logged into a network device. Although this information is not usually sensitive, it is sometimes useful to an attacker. The finger service can be disabled with the no service finger command.
NTP
The Network Time Protocol (NTP) is not especially dangerous, but any unneeded service can represent a path for penetration. If NTP is actually used, it is important to explicitly configure a trusted time source, and to use proper authentication. This is because the corruption of the time base is a good way to subvert certain security protocols. If NTP is not used on a particular router interface, it can be disabled with the ntp disable interface command.
CDP
Cisco Discovery Protocol (CDP) is used for some network management functions, but is dangerous because it allows any system on a directly-connected segment to learn that the router is a Cisco device, and to determine the model number and the Cisco IOS software version that is run. This information can be used to design attacks against the router. CDP information is accessible only to directly-connected systems. The CDP protocol can be disabled with the no cdp running global configuration command. CDP can be disabled on a particular interface with the no cdp enable command.
Stay Up To Date
Like all software, Cisco IOS software has bugs. Some of these bugs have security implications. In addition, new attacks are always invented, and behavior that might have been considered correct when a piece of software was written can have bad effects when deliberately exploited.