Sunday, February 19, 2012

Add a mount point for an ASA


I have found a nice feature on the Cisco ASA: you can create a mount point to an FTP server.
Below is a sample of the configuration to apply:

mount Backup-ASA type ftp
 server 10.10.10.10
 path /root/Backup
 username  userFTP
 password passwordFT
 mode passive
 status enable

To list all the configuration files available in this folder, use the 'dir' command:

ASA# dir Backup-ASA:
Directory of Backup-ASA:/
       -rwx  71147       19:37:00 Jul 14 2011  ASA-14jul11.txt
       -rwx  79337       16:41:00 Jan 31 2012  ASA-09-02-2012.txt
0 bytes total (2146293760 bytes free)

This trick makes it easy to back up the running configuration to the remote folder:

ASA# copy running-config Backup-ASA:

Thursday, February 9, 2012

Archive configuration on a Cisco Switch

In a previous post I wrote a Python script to automatically back up Cisco configurations.
There is another method to back up the configuration: the archive command. This way, the configuration can be backed up to a remote FTP server. Below you will find an example:


ip ftp username user1
ip ftp password password1
!
archive
 path ftp://10.10.10.10/folder/My-switch.cfg
 write-memory
 time-period 1440

The write-memory keyword triggers an automatic backup to the FTP server each time the configuration is saved.
time-period 1440 means one backup is generated every day (1440 minutes).

If you make a mistake and decide to go back to an old version, it's possible to restore the configuration. The best way is to use this command:


configure replace path ftp://10.10.10.10/folder/My-switch.cfg--9-09-00-23-0

To see the state of the archive, use the 'show archive' command:


SWITCH#show archive
The maximum archive configurations allowed is 14.
The next archive file will be named ftp://10.10.10.10/folder/My-switch.cfg-<timestamp>-2
 Archive #  Name
   1        ftp://10.10.10.10/folder/My-switch.cfgFeb--9-09-00-23-0
   2        ftp://10.10.10.10/folder/My-switch.cfgFeb--9-09-00-37-1 <- Most Recent
   3
   4
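When several archives pile up, picking the right name for 'configure replace' by eye is error-prone. The following parser, added here as an example and not part of the original post, reads 'show archive' output (a constructed sample modelled on the listing above), dates each archive from the timestamp suffix in its name, and returns the newest one. The suffix layout (Mon-day-hh-mm-ss-seq, single-digit day padded with '-') is an assumption read off the names above, and the year is passed in because the names do not carry one.

```python
import re
from datetime import datetime

# Constructed sample modelled on the 'show archive' output above.
SHOW_ARCHIVE = """\
SWITCH#show archive
The maximum archive configurations allowed is 14.
The next archive file will be named ftp://10.10.10.10/folder/My-switch.cfg-<timestamp>-2
 Archive #  Name
   1        ftp://10.10.10.10/folder/My-switch.cfgFeb--9-09-00-23-0
   2        ftp://10.10.10.10/folder/My-switch.cfgFeb--9-09-00-37-1 <- Most Recent
   3
   4
"""

# One archive row: index, name, optional "<- Most Recent" marker.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)(\s+<-\s+Most Recent)?\s*$")
# Assumed timestamp suffix layout, read off the names above: Mon-day-hh-mm-ss-seq,
# the day padded with an extra '-' when it has a single digit (no year in the name).
STAMP_RE = re.compile(r"([A-Z][a-z]{2})-+(\d{1,2})-(\d{2})-(\d{2})-(\d{2})-(\d+)$")


def parse_show_archive(text, year):
    """Return (max_allowed, [archive dicts]) from 'show archive' output."""
    m = re.search(r"maximum archive configurations allowed is (\d+)", text)
    max_allowed = int(m.group(1)) if m else None
    archives = []
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if not row:
            continue
        index, name, marker = row.groups()
        stamp = STAMP_RE.search(name)
        if stamp is None:
            continue  # a row we cannot date: skip rather than guess
        mon, day, hh, mm, ss, seq = stamp.groups()
        when = datetime.strptime(f"{mon} {day} {year} {hh}:{mm}:{ss}",
                                 "%b %d %Y %H:%M:%S")
        archives.append({"index": int(index), "name": name, "time": when,
                         "seq": int(seq), "marked_recent": marker is not None})
    return max_allowed, archives


def most_recent(archives):
    """Newest archive by timestamp, then sequence number: the one to restore from."""
    return max(archives, key=lambda a: (a["time"], a["seq"]))


if __name__ == "__main__":
    limit, found = parse_show_archive(SHOW_ARCHIVE, 2012)
    newest = most_recent(found)
    print(f"{len(found)} of {limit} archive slots used")
    print("configure replace", newest["name"])
```

The "<- Most Recent" marker is kept as a separate field so a script can cross-check the switch's own notion of the newest file against the parsed timestamps; a disagreement usually means the name layout assumption no longer holds on that IOS release.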


Wednesday, February 8, 2012

Multi Instances with PuttyCM

By default you can only start one PuttyCM instance. For example, if several users want to use PuttyCM on a server via RDP, it's impossible by default. To open several sessions you need to modify a registry key on Windows. Here is the key:


HKEY_CURRENT_USER\Software\ACS\PuTTY Connection Manager\
AllowMultipleInstances REG_DWORD 1

Saturday, January 21, 2012

Using IPv6 stateful autoconfiguration

I would like to add some details to my post on Vista and DHCPv6 (in French). I would like to detail which mechanism is used to choose between stateless and stateful configuration. The DHCPv6 client uses 2 bits in the RA (Router Advertisements sent by the router) to know whether a DHCPv6 server is available:

  • O bit: with this bit set, an IPv6 host can use DHCPv6 to obtain some parameters, such as the DNS server address. However, the DHCPv6 server does not provide the client's IP address; the host uses stateless address configuration.
  • M bit: with this bit set, an IPv6 host can use DHCPv6 to obtain an IPv6 address and other parameters from the server.
  • With neither bit set, the IPv6 host uses stateless autoconfiguration only.
The managed-config-flag command used on the router doesn't force hosts to use DHCPv6; it's just a suggestion.

Tuesday, December 20, 2011

Protect against unwanted Router Advertisements (RA)

RAs are used by autoconfiguration. What is autoconfiguration? It's a mechanism that allows devices to choose their own address.
How does it work?

Autoconfiguration is a two-step process:

- The host has to obtain prefix information to configure its address. To do this, it sends a Router Solicitation (RS). It's a multicast frame (ICMPv6 RS) addressed to all routers.
- A Router Advertisement (RA) is sent back by the router. These RAs are also sent periodically by the router; in our case, it's an immediate response.

It's a helpful solution for administrators, but it's also a good way for a hacker to divert data flows. A hacker can send a bogus RA to a device. In this case there are 2 issues: denial of service or man-in-the-middle attack. If the hacker advertises his own address (gateway information in the RA), all the flows pass through him. Another error can occur with a misconfigured device: the host may obtain a wrong prefix. To protect against this kind of attack you can use this simple configuration (Port ACL) to stop untrusted RAs. The access list blocks RAs on all untrusted interfaces; just leave out the interface where the router is plugged in:

ipv6 access-list filter_RA
 remark Block Rogue RA
 deny icmp any any router-advertisement
 permit ipv6 any any
!
interface gigabitethernet 1/0/10
 ipv6 traffic-filter filter_RA in
 
On the Catalyst 6500 and 4500, it's possible to use a macro that configures this kind of PACL:

interface gigabitethernet 1/0/10
 ipv6 nd raguard 
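The two posts above both come down to the flags and options carried in a Router Advertisement: the earlier post on stateful autoconfiguration is about the M and O bits, and this post is about RAs that come from a router that should not be there. The decoder below is an added example, not code from the original posts. It parses the ICMPv6 RA header and its source link-layer address and prefix information options, reports which configuration mode a host would pick from the M/O bits, and, as a monitoring-side sanity check, flags an RA whose router MAC or advertised prefix is not on an allow-list. The sample RAs, the trusted router MAC and the expected prefix are constructed values (checksum left at zero; nothing is transmitted), and the check function is an assumed helper written for this illustration.

```python
import struct
import ipaddress

ICMPV6_RA = 134          # ICMPv6 type: Router Advertisement
FLAG_M = 0x80            # Managed address configuration flag
FLAG_O = 0x40            # Other configuration flag
OPT_SRC_LLADDR = 1       # Source link-layer address option
OPT_PREFIX_INFO = 3      # Prefix information option


def parse_ra(payload):
    """Decode an ICMPv6 RA (RFC 4861 section 4.2) into its flags and options."""
    if len(payload) < 16:
        raise ValueError("RA too short")
    typ, _code, _csum, hop_limit, flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", payload[:16])
    if typ != ICMPV6_RA:
        raise ValueError(f"not an RA (ICMPv6 type {typ})")
    ra = {"hop_limit": hop_limit, "M": bool(flags & FLAG_M), "O": bool(flags & FLAG_O),
          "router_lifetime": lifetime, "src_lladdr": None, "prefixes": []}
    off = 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:                      # RFC 4861 section 4.6: zero-length option, discard
            raise ValueError("zero-length ND option")
        body = payload[off + 2:off + olen * 8]
        if len(body) != olen * 8 - 2:
            raise ValueError("truncated ND option")
        if otype == OPT_SRC_LLADDR:
            ra["src_lladdr"] = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == OPT_PREFIX_INFO:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            prefix = ipaddress.IPv6Address(body[14:30])   # prefix starts after 4 reserved bytes
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}",
                                   "onlink": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        off += olen * 8
    return ra


def address_mode(ra):
    """What a host does with this RA, decided by the M and O bits."""
    if ra["M"]:
        return "stateful DHCPv6 (address + other config)"
    if ra["O"]:
        return "SLAAC address + stateless DHCPv6 for other config"
    return "SLAAC only"


def check_ra(ra, trusted_lladdrs, expected_prefixes):
    """Monitoring check: report an RA from an unknown router MAC or with an unexpected prefix."""
    findings = []
    if ra["src_lladdr"] not in trusted_lladdrs:
        findings.append(f"RA from untrusted link-layer address {ra['src_lladdr']}")
    for p in ra["prefixes"]:
        if p["prefix"] not in expected_prefixes:
            findings.append(f"unexpected prefix {p['prefix']}")
    return findings


# Constructed sample RAs (checksum 0, never transmitted, only parsed here).
# Header: type 134, code 0, checksum, hop limit 64, flags, lifetime 1800 (0x0708),
# reachable time 0, retrans timer 0.
LEGIT_RA = bytes.fromhex(
    "86 00 0000 40 40 0708 00000000 00000000"          # M=0, O=1
    "01 01 00 11 22 33 44 55"                           # source link-layer address option
    "03 04 40 c0 00278d00 00093a80 00000000"           # prefix info: /64, L+A, valid, preferred
    "2001 0db8 0001 0000 0000 0000 0000 0000")         # 2001:db8:1::
STATEFUL_RA = bytes.fromhex("86 00 0000 40 80 0708 00000000 00000000")   # M=1, no options
ROGUE_RA = bytes.fromhex(
    "86 00 0000 40 00 0708 00000000 00000000"          # M=0, O=0
    "01 01 66 77 88 99 aa bb"                           # router MAC not on the allow-list
    "03 04 40 c0 00278d00 00093a80 00000000"
    "2001 0db8 0bad 0000 0000 0000 0000 0000")         # prefix not assigned on this LAN
TRUSTED_ROUTERS = {"00:11:22:33:44:55"}                 # constructed allow-list
EXPECTED_PREFIXES = {"2001:db8:1::/64"}

if __name__ == "__main__":
    for name, pkt in [("legit", LEGIT_RA), ("stateful", STATEFUL_RA), ("rogue", ROGUE_RA)]:
        ra = parse_ra(pkt)
        print(name, "->", address_mode(ra), check_ra(ra, TRUSTED_ROUTERS, EXPECTED_PREFIXES))
```

On a switch with RA Guard or the PACL above, a rogue RA never reaches the hosts; the check here is for a capture point where you want to confirm that, or to spot a misconfigured router advertising a prefix that was never planned for that segment.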

It's also possible to filter DHCPv6 with a PACL and only allow the server's interface to send responses:

ipv6 access-list filter_DHCP
 remark Block traffic from DHCP to client
 deny udp any eq 547 any eq 546
 permit ipv6 any any
!
interface gigabitethernet 1/0/10
 ipv6 traffic-filter filter_DHCP in

Monday, December 12, 2011

Provide TFTP address by DHCP

A simple memo (in English!) to explain the configuration of DHCP option 150:

Cisco phones use TFTP to download their configuration. To determine the address of the TFTP server, the phone sends, when it starts, a DHCP request with option 150 (DHCP option 150 provides the address of the TFTP server). Below, you will find a simple way to configure this option on a Cisco switch:


ip dhcp pool DHCPPool
 network 192.168.1.0 255.255.255.0
 option 150 ip 192.168.1.200
 default-router 192.168.1.1

Saturday, October 29, 2011

Stopping MAC address spoofing


Many tools can corrupt the MAC tables of the hosts on a network. A frequent example is MAC address spoofing. This operation, which is very simple to carry out, makes it possible to capture traffic that was supposed to pass through the victim.
The technique used to stop this attack is DAI (Dynamic ARP Inspection) on Cisco switches.
The goal of DAI is to examine every ARP frame that passes through the network's ports. To do so, DAI uses the database built by DHCP snooping, which is also a Cisco technology. Once enabled, DHCP snooping builds a database that ties together the switch port, the IP address assigned by DHCP and the MAC address
(DHCP snooping is not covered in this post, but maybe soon :)). So any ARP frame circulating on the network that does not match this database is dropped. Below is a configuration example:

Enabling DHCP snooping; the configuration below is not complete, since some precautions not shown here must be taken into account (server port, trunk links...):
Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping vlan 10-15

Example of the database that is built:
Switch#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1C:23:14:12:27   192.168.51.10    691130      dhcp-snooping   11    FastEthernet0/1
Total number of bindings: 1

Enabling DAI on a switch:
Switch(config)#ip arp inspection vlan 10-15
Switch(config)#interface range FastEthernet0/1 - 24
Switch(config-if-range)#no ip arp inspection trust

Below, an ARP spoofing attempt (man-in-the-middle attack) carried out on the network and dropped by the switch:
*Mar  1 06:48:16.546: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 11.([001c.2314.1227/192.168.51.1/5c26.0a33.ba85/192.168.51.12/06:48:16 UTC Mon Mar 1 1993])


Note:
DAI must be disabled on trunk interfaces, access points and every port where the IP addresses are static. Alternatively, ACLs can be used to pin the MAC addresses authorized on a port, which removes all the flexibility of the protocol.
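To make the DAI decision concrete, here is an added example (not code from the original post) that replays the logged ARP against the snooping binding table. It parses a binding table and a %SW_DAI-4-DHCP_SNOOPING_DENY message (both constructed samples with the same layout as the output above; a second binding row is added so that a legitimate ARP can be checked too), then applies the rule the post describes: on an untrusted port the ARP sender MAC/IP pair must match a binding for that VLAN, on a trusted port nothing is inspected. The function names and the trusted_port flag are assumptions made for this illustration.

```python
import re

# Constructed sample modelled on the 'show ip dhcp snooping binding' output above
# (second row added so that a legitimate ARP can be checked as well).
SNOOPING_BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1C:23:14:12:27   192.168.51.10    691130      dhcp-snooping   11    FastEthernet0/1
5C:26:0A:33:BA:85   192.168.51.12    690002      dhcp-snooping   11    FastEthernet0/3
Total number of bindings: 2
"""

# Constructed DAI deny message with the same layout as the one in the post.
DAI_LOG = ("*Mar  1 06:48:16.546: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, "
           "vlan 11.([001c.2314.1227/192.168.51.1/5c26.0a33.ba85/192.168.51.12/"
           "06:48:16 UTC Mon Mar 1 1993])")


def norm_mac(mac):
    """Normalise 'xxxx.xxxx.xxxx' or 'xx:xx:xx:xx:xx:xx' to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return digits.lower()


BINDING_RE = re.compile(
    r"^([0-9A-Fa-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+\d+\s+\S+\s+(\d+)\s+(\S+)")


def parse_bindings(text):
    """Build {(vlan, mac): (ip, interface)} from the binding table output."""
    table = {}
    for line in text.splitlines():
        m = BINDING_RE.match(line)
        if m:
            mac, ip, vlan, intf = m.groups()
            table[(int(vlan), norm_mac(mac))] = (ip, intf)
    return table


def inspect_arp(bindings, vlan, sender_mac, sender_ip, trusted_port=False):
    """DAI decision: trusted ports are not inspected; on an untrusted port the ARP
    sender MAC/IP pair must match a DHCP snooping binding for that VLAN."""
    if trusted_port:
        return "permit (trusted port, not inspected)"
    entry = bindings.get((vlan, norm_mac(sender_mac)))
    if entry is None:
        return "drop: sender MAC has no DHCP snooping binding on this VLAN"
    if entry[0] != sender_ip:
        return f"drop: sender claims {sender_ip} but the binding says {entry[0]}"
    return "permit"


DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (\d+) Invalid ARPs \((\w+)\) on (\S+), vlan (\d+)\."
    r"\(\[([0-9a-f.]+)/([\d.]+)/([0-9a-f.]+)/([\d.]+)/([^\]]+)\]\)")


def parse_dai_deny(line):
    """Extract the fields of a %SW_DAI-4-DHCP_SNOOPING_DENY message, or None."""
    m = DENY_RE.search(line)
    if not m:
        return None
    count, kind, intf, vlan, smac, sip, tmac, tip, when = m.groups()
    return {"count": int(count), "type": kind, "interface": intf, "vlan": int(vlan),
            "sender_mac": smac, "sender_ip": sip, "target_mac": tmac, "target_ip": tip,
            "time": when}


def explain_deny(line, bindings):
    """Replay the logged ARP against the binding table to show why DAI dropped it."""
    ev = parse_dai_deny(line)
    if ev is None:
        return None
    return inspect_arp(bindings, ev["vlan"], ev["sender_mac"], ev["sender_ip"])


if __name__ == "__main__":
    table = parse_bindings(SNOOPING_BINDINGS)
    print(parse_dai_deny(DAI_LOG))
    print(explain_deny(DAI_LOG, table))
```

Replaying the log line shows the pattern: the MAC bound to 192.168.51.10 answers an ARP with 192.168.51.1, the gateway's address, so the binding mismatch is what gets the frame dropped. The same mismatch rule is why the note above matters: a host with a static address has no snooping binding, so its ARP is dropped on an untrusted port unless the port is trusted or an ARP ACL supplies the pair.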