How to DoS the Cisco Identity Services Engine ¯\_(ツ)_/¯

On the journey to CCNA Security (210-260)

  • Option 1: Try to login ise
  • Option 2: Do not login for 45 days…. because you forgot you had an ISE lab running
  • Double or nothing: Do not login for 45 days because you forgot the password scribbled somewhere on your labnotes
  • Protip: The admin password can vary for the cli and web gui, however, this can be a double edged sword – also might want to change the default password expiry

Adjusting log timestamps to localtime on Cisco IOS devices

Correlating Log files are an important aspect when responding to incidents/attacks/outages regarding your Cisco devices.

However I have noticed for a while that my logging timestamps are off an hour from the actual clock synced by NTP.

After some digging I realized that Cisco devices use
service timestamps log datetime
as a default. You can check the default values using the command:
sh run all | inc timestamp
In order for your logs to use the local clock time you need to issue the command
device(config)# service timestamp log datetime localtime
From now on, your logging timestamp should be identical to your local time on the device.

Turkey Citizens respond to Twitter censorship (via DNS)

Internet censorship is bad – especially when it is abused to censor media reports about potentially corrupt government officials. Luckily a lot of incompetent people try to implement censorship via DNS.

Censorship via DNS is a method which is pretty easy to bypass and some people have responded to this this:

http://mashable.com/2014/03/21/twitter-ban-turkey-graffiti/?utm_medium=feed&utm_source=rss

And no, I will not go into detail here on how to do it right – for obvious reasons….

 

 

Cisco ACL resequencing

Managing Access Lists on Cisco IOS devices can be a real headache. Copying ACLs and Editing them in a Text Editor was a widely spread method until extended ACLs implemented Named Access Lists (nacls) with featured sequence numbers.

Extended IP access list my_acl_in
2 permit icmp ..... (1234 matches)
3 permit ip any host x.x.x.x
10 permit ip ....
11 permit ip ....
12 permit ip ....
13 permit ip ....
14 permit tcp any host ...... eq 443
15 permit tcp any host ...... eq www

Btw. the IPv6 Access list sequence numbers are placed at the end

permit tcp host 2001:DB8:1::32 host 2001:DB8:2::32 eq ssh sequence 1

Sequence Numbers allow for quick changes to an ACL without the copy&paste foo. A growing and ever changing ACL however can post a challange to your sequencing once the gaps are filled. In order to realign your Access Control Entries you can use the resequence command to put your ACEs in order again.

r1(config)#ip access-list resequence ?
<1-99> Standard IP access-list number
<100-199> Extended IP access-list number
<1300-1999> Standard IP access-list number (expanded range)
<2000-2699> Extended IP access list number (expanded range)
WORD Access-list name

r1(config)#ip access-list resequence my_acl_in ?
<1-2147483647> Starting Sequence Number

r1(config)#ip access-list resequence my_acl_in 5 ?
<1-2147483647> Step to increment the sequence number

r1(config)#ip access-list resequence my_acl_in 5 5

will resequence your ACEs to look something like this:

Extended IP access list my_acl_in
5 permit icmp ..... (1234 matches)
10 permit ip any host x.x.x.x
15 permit ip ....
20 permit ip ....
25 permit ip ....
30 permit ip ....
35 permit tcp any host ...... eq 443
40 permit tcp any host ...... eq www

This feature will definitely help to keep your sanity.

I find it quite a bit strange that this fuction is not mentioned on neither the 640-802 CCNA nor the 640-554 CCNA Security Cert Guides.

For more infos, check out the Cisco ACL sequence numbering guide

Lab: Layer 3 Switching Pt.3 – Inter VLAN Routing with Switched Virtual Interfaces(SVI)

With Switched Virtual Interfaces, a Layer 3 Switch can forward packets between networks on its own – no external Router required.

Compared to a normal Router with FastEthernet or GigabitEthernet Interfaces, Layer 3 Switches using SVI can forward packets between VLANS at backplane speed! To get an idea how SVI works, take a look at this graphic:

 

 

In this example we have 3 VLAN on the Layer 3 Switch: Vlan 20, 30 and 40. To be able to forward packets, IP Routing first needs to be enabled on a Layer 3 Switch:

sw1(config)#ip routing

As we need a gateway for each VLAN, we simply assign the gateway IP address to the equivalent VLAN Interface. Note that I left out the subnet mask in the image due to space restrictions. After that we put the VLAN interface online using the no shut command. You should see IP Addresses assigned to your VLAN Interfaces when using the sh ip int brief command.

Once your VLAN Interfaces are up and running with an assigned IP Adress, your switch is ready to forward packets.

Note: SVIs are also used to provide Layer 3 connectivity to a switch – for example if you want to access the switch via SSH or Telnet (seriously, do no use Telnet if you can use SSH).

The advantages of using SVIs to forward packets between your VLANs compared to using a Router or Router on a Stick are pretty obvious: Speed and Port density.

The disadvantage of this method is pretty obvious as well: It requires a Layer Switch such as the 3750 im using in my lab.

 

Lab: Layer 3 Switching Pt.2 – Inter VLAN Routing with Router on a Stick

 

With the Layer 3 Switch set up in Pt.1  it is time to look at some basic concepts of Layer 3 Switching. The Router on a Stick concept is technically not Layer 3 Switching since the Packet Forwarding (Routing) requires a Router.

The basic concept of Router on a stick is implemented by creating subinterfaces on a single physical Router port. After the Switchport has been set to trunk mode (802.1q for you non-Cisco networkers), the subinterfaces can be assigned a VLAN by setting the trunk encapsulation to dot1q and a VLAN ID.

 

 

 

 

 

This concept should work with any switch that supports VLANs. Another advantage of this concept is the fact that only one Router port is required in order to forward Layer 3 packets between the VLANs. The downsides however are a single point of failure and possible congestion (depending on the amount of VLANs and bandwidth utilization).

Coming up next: Inter-VLAN Routing with Switched Virtual Interfaces (SVI) and Routed Ports which require Layer 3 switches.