Saturday, December 31, 2016

2016 Year In Review

 on  with No comments 
In , ,  
With this post, I'm looking to start a new tradition with my studies, and by extension, with the blog.  I'm going to recap 2016.  Where I've been, what I've done, and where I hope to go from here.  This post is entirely for me, anyone else will probably not find it very useful unless they're stalking me. But feel free to stalk if you wish, I don't mind.

I started out the year with a post called New Year, New Focus, where I laid out my intentions on where the blog was heading this year.  i did a pretty good job of staying on target for the most part.  Study and certification wise, wanted to say on target with the CCNP Security, which I did by finally passing the 300-206 SENSS exam.  I also intended to give thought to the MCSA 2016 which I plan to tackle soon, and the CISSP, which is the capstone of my Masters Degree program.  

For the blog, I finally bit the bullet and bought my first domain after a bit of back and forth on what I wanted.  I also started paying more attention to the aesthetics of the blog, and moved away from the default themes, and finally commissioned a logo.  This blog started out as simply somewhere to stash my list of free CCNA related resources, but I set a goal to start posting more to help with my studies.  Mission accomplished there, I have more posts this year than the previous 5 years combined.    

I didn't touch the MCSA at all.  The closest I got was adding a couple VMs to the lab which run Server 2016.  I barely even kicked the tires on it.  So I'll get back on this after the CISSP.

Towards the CISSP however, I did accomplish a lot.  In school I took a few classes directly related to the material (a class that was supposed to be related to intrusion detection that instead went through a Security+ level of material, a class on disaster recover/business continuity, and a class on enterprise incident response). Outside of the classroom, I continued reading.

Of course, the lab has continued to evolve and grow.  I went into the year with a couple low power toys (AMD A4 CPUs) running Hyper-V.  As the year went along, I built an ESXi server on a pair of quad-core Opterons, and continue to throw more hardware at it.  It currently has 64GB of RAM, 2.5TB of storage, and 4 Gigabit Ethernet ports.  The two Hyper-V hosts still exist, running a few VMs as well in addition to file server duties.  Finally, there's an i5 half-top running as a domain controller and will probably host a few VMs itself if I ever get around to upping the 4GB of RAM in it.  The network consists of a Cisco 2821 router, 3750 switch, 1130 access point, and a 2511 access server.  Other than that, everything is currently virtualized.

Here's the rundown on all the current VMs, not counting the workstations and systems that were set up for short term testing that I haven't bothered to really keep track of.
  • av1 Alienvault
  • cloud1 Turnkey Owncloud 14.1 
  • facs2 Cisco Secure ACS 5.6 
  • facs3 Server 2003 Std  Cisco Secure ACS 4.2
  • fata1 Server 2012R2 Std Microsoft Threat Analytics 1.6
  • fcda1 Cisco CDA 1.0
  • fdc2 Server 2016 Std  AD Domain Controller
  • fexch1 Server 2012R2 Exchange 2016
  • fipam1 Server 2012R2  Windows IPAM
  • fissue1 Server 2012R2  Issuing CA
  • fntp2 NetBSD 6.5.1  NTP Server
  • fnpas1 Server 2012R2 Std Windows NPAS
  • foos1 Server 2012R2 Std Office Online Server
  • fprtg1 Server 2008R2 Ent PRTG
  • froot1 Server 2008R2 Ent Root CA
  • fsccm1 Server 2008R2 DC SCCM 2012R2
  • fscom1 Server 2012R2 Std SCOM 2012R2
  • fscvmm1 Server 2012R2 Std SCVMM 2012R2
  • fscrut1 Scrutinizer
  • fscvmm1 Server 2012R2 Std SCVMM 2012R2
  • fskype1 Server 2012R2 Std Skype for Business 2015
  • fsp1 Server 2012R2 Std Sharepoint 2016
  • fsplunk1 Server 2008R2 Ent Splunk 6.5.0
  • fsql1 Server 2008R2 Ent SQL Server 2014
  • fsql3 CentOS 7.3 SQL Server 14.0 for Linux
  • fterm1 Server 2016 Std  Remote Desktop Services
  • fvc2 Server 2008R2 VCenter 5.5
  • fwds1 Server 2016 TP5  Windows Deployment Server
  • fwins1 Server 2000  WINS Server
  • fwms1 Server 2008  Windows Media Services
  • fwol2 Server 2003 Std  Wake on LAN Web App
  • fwsus2 Server 2008  WSUS
  • ise1 Cisco ISE 2.0 
  • mc1 Server 2008R2 Ent Minecraft Server
  • sf1 Sourcefire VDC 5.3.1 
  • so1 Security Onion  
  • vnmc1 Cisco VNMC 2.1.1a 
  • wlc1 Cisco Virtual WLC
Now if only this were true.  I came across this nonsense at a site called  


Saturday, December 24, 2016

My Fan Club

 on  with No comments 
In , ,  
As I've mentioned a few times in the past, I act as an admin for one of the largest, if not the largest, Facebook groups dedicated to CCNA study.  You can find that group right here, or through the Facebook button in the top right corner of any page on this blog.  The group has a few other admins spread out through the world (so that our eyes would be on the page at different times of the day, ideally) and we run the group in accordance to our own moral compass, which for the most part aligns pretty well amongst ourselves and past admins.

Of course, the rules that we've set for the group don't sit well with some people.  If you're into something that doesn't jive with the rules, just simply don't discuss it in the group.  It's pretty simple, right?  Well for some it isn't that easy.  And since I encourage feedback from the community of users, I get it.  Here I've collected a few of my favorites.  There have been others, but many of them blocked me not long after and Facebook knocked it off of my messages before I could get a screenshot.  Warning, the language in these screenshots is a bit graphic.

This first satisfied customer of our services was removed for discussing braindumps and gets right to the point.

User number two was removed for the same reason.  Apparently cheating on exams means obtaining knowledge, and I'm just jealous somehow.   Interesting take.

User number three is my personal favorite.  I think he's asking me to create a group full of porn, and then show it to him?  I didn't realize that porn was so difficult to find.  I know that Netflix is taking over as the king of Internet traffic, but recent numbers show porn is still well over 30% of all traffic.

User number four was apparently upset that the free service we're providing him didn't get him an answer quickly enough for his satisfaction.  So he asked a few more times.  I believe this is the fourth time he asked, a couple times as a top level post, and a couple other times attempting to thread-jack another discussion.  Anyway, I did answer one of his other posts but he chose to ignore that and post again.  Needless to say, he won't have to worry about us getting back to him too slowly anymore.

Finally, this last one didn't come from the CCNA group, it came as a private message to the Free CCNA Workbook Facebook page, which I am also an admin for.  No commentary necessary, I think it speaks for itself.  Apparently when I took the screenshot of this one, I was feeling generous and omitted the name of this class act.  I wonder what he would have thought if I tracked down his instructor and showed them this?

And this is far from all of the nonsense I've gotten over the years, it's just the ones that amused me to the point of taking a screenshot.  That is not to say that it's all negative feedback, but that's primarily the thanks you get for a well maintained group.  The group has no spam, no flame wars, nothing violating the rules except for the very brief time it takes an admin to see and kill the post.  That is, except in my private inbox.  That's full of it.

Saturday, December 17, 2016

Unusual Bursts of Traffic

 on  with No comments 
In ,  
Has anyone seen this before? And if you have seen it, do you have any insight into it? I have a few theories, but its one of those "would be nice to know for sure" things. For the most part, I get an insignificant amount of traffic from Israel and Russia. But on 12/9, I received a huge spike in traffic, and pretty much all from these two countries. I'll show two graphics to illustrate this.

First, here's the spike in traffic, with a couple surrounding days for reference.  As you can see, the other days on the chart almost look insignificant in comparison.

Next, here's how it rates compared to other locations.  Again, these two countries normally are an insignificant source of traffic compared to the US, India and Great Britain which are usually the top sources.

I've seen similar spikes from both Russia and Israel in the past, but never at the same time.  My theory is content scrapers.  Sites that steal content to generate traffic to their own sites filled with ads and/or malware.  I'm just wondering if there's something else I haven't considered.

Saturday, December 10, 2016

Saturday, December 3, 2016

It's Not a Tumah!!

 on  with No comments 
In , ,  
Have you ever been working on a problem and were convinced you knew what the problem was but just couldn't figure out how to fix it?  And then later realized that you were barking up the complete wrong tree on the matter?  Here's one example I came across recently.

I had just set up a terminal server for outside access to my network, and port forwarded a random port to 3389 on that local server.  Everything tested out fine, from a couple of different locations outside of my house so I assumed I was good.  A couple days later, a coworker said he wanted to kick the tires of SCCM 2012R2 a bit, so I set him up a domain account and passed him along the details.  The next day he couldn't get in.  Fortunately I was working from home that day, so I had a chance to look into it.

In my infinite wisdom, I determined that someone had to be logged into the console of the server before a user could RDP into the server.  That's how it looked locally at the moment, so I figured that was the problem remotely as well.  After a little while reading Google hits on the problem, I thought I had it taken care of with a couple GPO settings.  Everything looked good until the next day, and the next day I was at the office.  So when wasn't working again, I was unable to check into it.  I changed a few settings that night, declared it fixed again, and moved on to something else.  Of course it still wasn't actually fixed, but I had other fish to fry with another attempt at the SENSS coming up.

Fast forward a few days and the memory card in my wife's phone became corrupt.  I popped it into one of the kids' computer because nothing else at my house has a memory card reader and started running some diagnostics.  When I put the kids to bed that night (which was about an hour after I logged out and let the diagnostic run), I noticed that the computer had gone to sleep.  WTH I thought, I have a GPO in place stopping computers from going to sleep if they're plugged in.

Later that night while checking my GPO, I noticed that I had the settings backwards.  Computers would go to sleep after 20 minutes while plugged in, and never while on battery.  DOH!

So what does this have to do with my RDP problem from earlier?  Simple, the terminal server was going to sleep after 20 minutes of inactivity.  It's running in ESXi, so when I clicked into the console, I was actually waking the server up rather than just grabbing focus.  The login screen came up fast enough that I didn't realize what was really happening.   So after a reboot of the terminal server, I haven't had the problem again.

The Android RDP Client from Microsoft was quite handy here.  There's a bit of a learning curve in handling mouse clicks, but you'll catch on quick enough.

Wednesday, November 30, 2016

Introduction to Private VLANs

 on  with No comments 
In , ,  
Private VLANs are a technique used to restrict communication between hosts or group of hosts within a VLAN.  In other words, isolation of hosts and/or groups of hosts. These differ from Private VLAN Edge, which I have previously blogged about.  Private VLAN Edge is a much simpler topic, in theory and in practice, that is the only option on lower end switches such as the Catalyst 2950.   Private VLANs are more featureful, and by extension of that, a bit more complex to implement.

The need for Private VLANs can be imagined when thinking about the early days of cable modems and DSL.  Poorly configured ISPs allowed broadband customers to see one another on the Internet.  At the time, many customers did not have a router at home, they would just connect their PC directly to the cable modem.  In the interest of IP address conservation, ISPs would put entire neighborhoods (or even more) on to a single subnet and on a single VLAN, and this allowed directly connected PCs to see one another.  Network Neighborhood in Windows 98 found many of my neighbors back when I first signed up for Media One broadband.

In the ISP situation, what would their options be?  Subnet their address range down and give each customer a /30?  That would essentially lose 75% of their address space as a /30 would assign 4 IP addresses to each customer instead of 1.  Also note that they'd need a VLAN per customer, and switches are limited in the number of active VLANs that they support.  So they would need to limit the number of customers per switch, which would increase the number of switches necessary, as well as routers to connect those switches.  They could use VLAN ACLs or other advanced techniques, but that could get very complex very quickly, and may not scale well.

Also consider a co-location facility hosting web servers for a number different clients.  They want those servers to be reachable from the Internet, but most likely not reachable from each other.  This is especially true if one were to become infected with a fast spreading worm.  A client at the co-location facility may also have more than one server.  These servers may need to communicate to one another, and to the Internet, but not to other clients.  How does the colo handle this increasingly complex setup?  One possible solution is Private VLANs which allows granular separation of customers.

In the Private VLAN, there are two types of port assignments.  First is the Host port, which inherits its behavior from the Secondary VLAN type it is assigned to.  This is just your standard host.  A server, workstation, printer, etc.   Next is the Promiscuous port.  This port is able to communicate with any other port in the Private VLAN, even those in an isolated secondary VLAN.  Promiscuous ports are generally where you would have a router or a firewall rather than a workstation or server.

To use Private VLANs, you start with an overall container, which is known as the Primary VLAN.  Think of the Primary VLAN as you would the standard VLANs you know, but with additional features.  The Primary VLAN works pretty much like any other VLAN on the switch for the most part, with few caveats that I'll get to as they come up.

Inside of this Primary VLAN will be one or more Secondary VLANs.  There are two primary types of Secondary VLANs.  First is the Isolated VLAN.  This type of Secondary VLAN contains individual hosts that cannot communicate with each other or other secondary VLANs, but can communicate with promiscuous ports.  Second is the Community VLAN.  This type of Secondary VLAN contains hosts that can communicate with each other but not with hosts in other Secondary VLANs.  In Cisco-speak, the Primary VLAN forwards downstream from promiscuous ports to community and isolated ports.  The important takeaway is that Secondary VLANs can never communicate with other Secondary VLANs but can always communicate with promiscuous ports. Also note that these rules apply to all traffic: unicast, multicast and broadcast.  So keep this in mind if you need to use DHCP with an isolated secondary VLAN for example.

Private VLAN's can be trunked and span multiple switches as well. In this case, the secondary VLAN will be used to tag the frames as they travel the trunk.   Because of this, you may have to configure the Private VLAN settings manually on each switch. In Cisco switches, VTP3 has TLVs to carry Private VLAN information, but not all switches support VTP3. And VTP in any version is proprietary to Cisco, it's not supported in other manufacturers equipment.

In Cisco switches, they are supported on the Catalyst 3560 and higher, which includes the 3750, 4500 series and 6500 series switches, as well as other advanced platforms.  An interesting switch in this regard is the 3550.  With the right IOS, the commands for PVLANs are there, and you can enter them.  But there is some disagreement on exactly how far this gets you.  Cisco states for the record that PVLANs are not supported on the 3550, which many have taken to mean that you are free to use them, however Cisco will not provide you any technical support in that regard (or at least wouldn't when the 3550 was still a supported platform).  I've also seen it written in places (including a blog post by Wendell Odom if memory serves me correct) stating that while it will take the commands, and that they'll show up in the configuration, there will be no effect on the operation of the switch.  In other words, they are merely cosmetic.  As I have a 3550 switch in the lab and an assortment of IOS images to test out, I plan to visit this topic in the near future.  PVLANs are also supported by IOU L2 images should you not have access to real hardware.

Though Private VLANs are originally a Cisco developed concept, they are described in RFC 5517, Cisco Systems' Private VLANs.  It's supported by Arista, Brocade, Juniper, Netgear, and others.  They're also supported in virtual switches in Hyper-V (somewhat) and VMware.

If you don't have access to a Cisco switch or IOU L2 images to use, Arista vEOS images support PVLANs in a very Cisco-like manner.  In fact, most commands on Arista's vEOS virtual switch platform are very Cisco-like.  A friend of the CCNA group, Stuart Fordham has previously blogged about his experience with using Arista switches during his CCIE Security studies in a few posts.  At this point, IOU is available and it works well for most tasks, but Arista is an option at this point.  Arista vEOS can be found here.  It was downloadable with a free account the last time I checked, but that was a while back and YMMV.

In this post, I went over the basics of Private VLANs.  In future posts, I'll talk about configuring Private VLANs as well as investigating the commands on 3550 switches further.

Saturday, November 26, 2016

Registering ASP.NET for Office Web Apps Error

 on  with No comments 
In , ,  
Here's a quick and dirty post for something that came up recently in the lab.  I was setting up an Office Web Apps server, and was getting the following error:

Can't create new Office Web Apps farm: The server must be joined to a domain.

Seeing this error message was a bit frustrating to say the least, because the server was indeed joined to a domain.  After a bunch of searching with Google, I finally came across the answer.  While setting up the server, I had installed IIS before .NET, so I needed to register ASP.NET.  The required bits in IIS were already installed, so it was just a matter of registration. This can be done with the following steps:

  • Open an elevated command prompt or PowerShell console.
  • execute the command start Microsoft.NET
  • navigate to c:\windows\Microsoft.NET\Framework\v2.0.50727
  • execute the command asp_regiis.exe /i 
  • execute the command iisreset or restart the server
Other things to check for when getting this error are to ensure that your server really is connected to a domain (and that the server account in AD is not broken) and that you have the correct DNS Server specified in the network settings.

Wednesday, November 23, 2016

Windows 2000 on ESXi

 on  with No comments 
In , ,  
After my recent experience with running Windows 2000 on VirtualBox, I found myself wanting to build a Windows 2000 Workstation host on my ESXi server.  Just something quick and dirty to sit behind an ASAv so I could verify the ASAv's configuration.  Like always, the motivation was the low resource utilization of 2000.  The 64GB of RAM in the server has its limits.

I was able to install the OS just fine, and I figured that since it was an .iso with SP4 slipstreamed in, I'd be fine.  But when it came time to install the VMWare Tools, the installer stopped and complained "The Microsoft Runtime DLL installer failed to complete installation."  After a bit of Googling around, I found two possible solutions to this.

The first is the simplest of the two.  You can just grab the E1000 drivers from Intel and install them.  Putting the executable into a .iso file, and then mounting that on the VM is all it takes.  The downside is that you only get the network drivers, rather than everything installed by the VMWare Tools.  Everything else technically works, but you don't get the niceties such as the VM not capturing the mouse and keyboard.  Note that you'll have to scroll down the page and click "Show more" a few times before you'll finally find drivers that are compatible with Windows 2000.

The second of the two is to track down the necessary updates for Windows 2000.  This is a bit tricky as 2000 is no longer supported and none of the download links on the Microsoft website work any more.  Update Rollup for Windows 2000 SP4 (KB891861) has the fix you need. KB835732 is the patch that solves the issue, but you may as well install the entire update rollup if you can.

So where do you get the update rollup?  If you Google "KB891861 download" you'll find a few sites hosting a copy.  Since they're doing so in a less than legal manner, I'm not going to link any of them here.  If you can't find a copy online, your other option may be to install the Intel drivers to get connected to the network, then updating Windows 2000 from a WSUS server.

I've also seen it said that disabling the CD-ROM driver in Windows 2000 after copying the VMWare tools installer to the c:\ drive works as well, but I haven't tried that.

Saturday, November 19, 2016

Windows 2000 on Virtualbox 5.0.24_SUSE r108355

 on  with No comments 
In , ,  
I'm setting up a small GNS3 environment on my main workstations to test out a few thing.  I setup a couple of VMs, one for a domain controller, one for ACS 4.2.  Both VM's are running Windows 2000 Server because I can run it in a small amount of memory, and my workstation only has 12GB of RAM.  After installing the Base OS on both, I noticed a couple of issues.  For completeness, I'm running GNS3 1.4.6 on OpenSUSE Leap 42.1.  The OS is up to date with updates as of today, September 17, 2016.

First off, no matter which NIC I select, there is no networking.  Windows 2000 does not recognize the NIC despite the VirtualBox guest additions being installed.  I got around this problem by inserting the disc of an older version of the VirtualBox guest additions .iso (Version 2.0.4) that I saved a copy of for some reason in the past.  With this older disc inserted, I was able to search for and install the drivers for VirtualBox's AMD PCnet-FAST III NIC.  I've built Windows 2000 based VMs in the not so distant past (on some 4.x or 5.x version of VirtualBox), so this is a recent phenomenon.

The next problem is a big one as it caused me quite a headache getting the Guest Additions .iso mounted at all.  When attached to a GNS3 topology, the second you attempt to access the .iso file through Windows Explorer in the guest OS, the VM aborts.  Everything seems to be fine when the VM is not attached to GNS3.  The same thing happened with my Windows 10 VM, so I would imagine that this behavior exists regardless of the OS installed on the Guest.

A third thing to look out for is that Windows 2000 SP4 will not install on Windows Server 2000 Datacenter in a VirtualBox VM.  After it extracts the files, you get a message stating that "This Service Pack 4 has not been qualified by your hardware vendor for installation on this copy of Windows 2000 Datacenter Server."  Obviously not a VirtualBox problem, but something else to keep in mind.  Standard Server and Advanced Server don't have this problem.  I've found a registry hack for Server 2003, but nothing for 2000.

Saturday, November 12, 2016

SENSS Passed

 on  with No comments 
In ,  
Just a short post for this week, as I've done recently.  This exam has completely consumed my time lately.  Because I had yesterday off, I scheduled my second attempt at the SENSS and nailed it this time with a score of 910.  Exams are a lot easier when you know what you need to know, aren't they?  This isn't a knock against Cisco's exam topics, I just didn't have a good idea of just how deep I needed to know certain things that didn't seem like they'd be covered as heavily which lead me to spend a lot of time on things that weren't really covered very much.  It was my first failed Cisco exam, and quite a humbling experience. Either way now I have a much better idea idea of what I need to do moving forward in the CCNP Security.

Next up, I don't know yet.  I plan to take a couple days to recover from that experience and give some thought to which exam I want to tackle next.  While the SIMOS looks like it'll be a lot more fun as it's very heavy in cryptography and VPNs, the SISAS may be more practical as ISE reared it's head multiple times already in the SENSS, and I doubt it won't be in the other exams as well. Besides that, the SISAS is the only exam with a certification guide, so getting to see a little bit of structure in exam preparation may be of use.

Either way, it's not going to be the SITCS this time.  There's no way I'll be able to knock out v1.0 before December 16, and I'd prefer to wait a little bit and let the community hash out exactly what v1.5 is before attempting it.  There was a lot of butt-hurt early on for all 4 of these exams from the early attempts and I'd hate to join the ranks.

Also in the near future will be the CISSP, which is the capstone of my Masters Degree, and the Upgrading Your Skills to MCSA Windows Server 2016 exam.  I haven't decided when I'll mix those two in yet either.  So for now I'll just be kicking the tires on Server 2016 and starting to tinker with ISE.  I've got a few SENSS related posts still in very rough form, so I'll probably get those presentable and post them here and there as well.

Saturday, November 5, 2016


 on  with No comments 
In , ,  
Syslog is an industry standard protocol for the purpose of message logging. It was developed by Eric Allman, originally as part of the Sendmail project.  Because of it's utility, it was adopted by other applications and eventually became the defacto default logging system on Unix like systems.  It was eventually documented by RFC 3164 (The BSD syslog Protocol) and standardized by RFC 5424 (The Syslog Protocol).  Many other RFCs exist extending the basic functionality such as RFC 5425 (TLS Transport Mapping for Syslog).


Sunday, October 30, 2016

First SENSS Attempt - Part II

 on  with No comments 
In , ,  
So I went down to the testing center yesterday and made my first attempt at the SENSS exam.  And I failed miserably, scoring nearly 200 points below the passing mark.  I have been studying for this exam off and on now for about 2 years.  More off than on with work, school, family, and everything else constantly taking my focus away, but during that time I did get a lot of quality study time in.  The disappointing part is not as much the questions that I wasn't sure of the answer to, its the questions asking about things where I was like wow, I don't recall reading about this at all.  Quite a humbling experience as this is the first Cisco exam that I've failed.

I don't think this was a case of the exam objectives being extremely vague as most certification objectives are.  These objectives were quite fair, in my opinion.  Instead this time its more a case of there being no study guide.  If you look at the list of suggested study materials, you'll find no fewer than 10 Cisco Press titles in addition to a laundry list of .pdfs ranging from short configuration guides to the SAFE Reference Guide.  That's a ton to take in.  Do I need everything in 7896 pages of books?

Well, I have to get this done before November 12, the day that my other Cisco certifications expire, so back to it!  As always, save your questions about what questions I saw, how many questions I got, what the passing score was, etc.  I'm not going to violate the NDA, even in my deflated mood.

Wednesday, October 26, 2016

First SENSS Attempt

 on  with No comments 
In , ,  
This week there will be no regularly scheduled Wednesday post because I am putting the final touches on my first (and hopefully only) attempt at the SENSS exam.  My exam is scheduled for 12:00pm on Saturday.  In nervousness, I've rescheduled it a couple times leading up to this point, but I can't keep doing that as all my other Cisco certifications are due to expire on November 12.  I'm feeling well over 95% confidence in all the topics except for SNMP.  Unfortunately, my confidence level on that topic is not too much higher than it was coming into preparation for this exam.  I have no idea why this one thing just won't sink in.  I'll see it again and again down the road, so I'll get it sooner or later.

Once this exam is over with, I'll be shifting my focus primarily towards the CISSP, which is the capstone for my Masters Degree.  I'm doing the last two classes for this class, so the capstone is all I'll have left after this semester.  My Bachelors and Masters Degree coursework both focused on CISSP material, and I've done a lot of reading on things covered in it outside of the classroom as well, so I'm not starting from zero.   I will be doing the MCSA 2016 upgrade exam in the near future (not sure exactly when yet), but I expect to get back on Cisco and start on the SISAS once the CISSP is in hand.  So a lot of ISE and Active Directory in the future.
Not that anyone really cares, but I'll post back here on how the SENSS went, and if I have any thoughts on the exam that I am willing to share.  Wish me luck!

Saturday, October 22, 2016

COPAA Compliance Extortion

 on  with No comments 
In ,  
This morning, one of my children brought me their tablet.  It's a Nabi 2s, which we bought 3 of a while back at Toys R Us during a sale.  The tablet was in "Nabi Mode" which is a locked down account for children.  Unfortunately, there is a small selection of games available in Nabi Mode.  The most important app on the tablet, Youtube, is also not available.  So we just leave it in "Mommy Mode," a separate user account without any of the child lock-down, because I'm not dealing with managing an allowed applications list on 3 different tablets, if such a feature is even available.

So the problem today is Nabi's strange enforcement of COPAA Compliance.  For those who don't know, COPAA, or The Children's Online Privacy Protection Act, is a 2008 regulation to protect children online.  The act requires proof of parental concent for a child to use any service online.   According to the verbage of a 2012 amendment, verifiable parental consent can be, but not limited to: "electronic scans of signed parental consent forms; video-conferencing; use of government-issued identification; and alternative payment systems, such as debit cards and electronic payment systems, provided they meet certain criteria."

When I attempted to put the tablet back into "Mommy Mode" today, I was greeted by this scare tactic.  Still half asleep, it was a bit concerning.  If this doesn't look like ransomware, I don't know what does.

In order to get out of Nabi Mode, I have to engage in their choice of a verifiable parental consent, immediately.  50 cents isn't a lot, even across all three tablets we have, but what are they doing with the money?  Microsoft donates it to National Center for Missing and Exploited Children.  Nabi doesn't have the information easily available.  I don't care to spend any more time looking, so I don't know.  And why today?

The quick solution for today was to just reboot the tablet, and it came back up in "Mommy Mode."   I get why they're doing it, but the way they chose to do this, on a completely random Sunday morning months after I bought the tablet left a really bad taste in my mouth.  So I'm choosing to not participate.  If Nabi's insistence becomes a problem, I'll just root the tablet.

Wednesday, October 19, 2016

Network Time Protocol (NTP)

 on  with No comments 
In , ,  
A very important but sometimes overlooked technology in networking is NTP.  NTP is used for clock synchronization between hosts on a packet switched network such as the Internet. It was first designed by Dr. David L Mills of the University of Delaware in 1985.  The current protocol is NTPv4, which is described in RFC 5905.  Version 4 is backwards compatible with version 3, described in RFC 1305.  I've written about NTP before, in a post on setting up an NTP server on the NetBSD operating system.

Based on Marzullo's Algorithm, NTP is able to synchronize time to within tens of milliseconds across the Internet and to within 1 millisecond under ideal LAN conditions. The protocol typically utilizes UDP Port 123 to send and receive timestamps, however the specification also allows for broadcast and multicast communication between hosts.  The protocol calls for a warning of any impending leap second adjustments, but does not take into account any local time zone or daylight savings time information.

In addition to the standard NTP Protocol, there is a smaller and less complex protocol, SNTP that drops the storage of state over extended periods of time.  This is useful in smaller or embedded devices where highly accurate time is not required, but it is still desirable to have a reasonably accurate time.

NTP utilizes a hierarchical configuration of NTP Servers.  Each layer is called a stratum and assigned a number starting with zero. Stratum 0 hosts are highly precise devices such as atomic clocks or GPS Satellites.  Stratum zero devices are also referred to as reference clocks.  Devices that are synchronized to Stratum 0 devices are called Stratum 1, or primary time servers.  Note that the connection between Stratum 0 and Stratum 1 devices is typically a dedicated link and therefore NTP is not actually used in those synchronizations.  Devices that are synchronized to Stratum 1 devices are called Stratum 2 devices and so on. The specification of NTP has an upper limit of Stratum 15, with Stratum 16 indicating that the device's clock is unsynchronized.  The plural of stratum is strata.

The Official Reference Implementation of NTP is available at, where is has been since its inception.  The current release is ntp-4.2.8p8 and was released on June 2, 2016.  The well being of has been written about recently as it appears a single developer is/was primarily holding down the fort.  Is there any update to this story?

In addition to the Official Reference Implementation, also hosts the NTP Pool Project, where publicly available NTP Servers are listed for use.  Official information about this project is at  To use this pool, you simply point your devices at region specific FQDNs for pools of NTP servers. Changes to the list of available servers happens in the background, so you're never more than a DNS time out away from getting a valid IP address for an NTP server.  For example, in the US, you can use one or more of the following 4 FQDNs as your NTP Servers.


Another implementation of NTP is the OpenNTPD project, which is developed by the OpenBSD team. As with all projects under the OpenBSD umbrella, OpenNTPD is designed to be secure, easy to configure, and accurate.  The stated intent is to "[r]each a reasonable accuracy" without sacrificing "secure design for getting that last nanosecond or obscure edge case."[ It is portable, and able to be used in systems that are not OpenBSD based as well.  It does not maintain the level of accuracy of the Reference Implementation, but not clock needs to be accurate to that level.

One more common NTP implementation is the Windows Time Service, specifically that on Active Directory domain controllers.  The W32Time service was originally implemented for the purpose of keeping time accurate in the interest of Kerberos authentication, hence it's short comings.  Windows XP and earlier only implement SNTP, while Server 2003 and later (which I would assume includes XP 64-bit as it is based on the same kernel revision as Server 2003) use a fully compliant NTP protocol. However, even with Server 2003 and up, w32time cannot keep time better than a 1 to 2 second accuracy. If you require better, Microsoft says to use a different NTP implementation.

So why is accurate time so important on networks?  There are a few notable reasons.  I have 3 right now and I'm sure you can come up with a few more if you give it some thought.

1. Log synchronization across multiple devices. Consolidated syslog servers collect log messages from multiple devices. If a security professional is tracking the progression of an event on the network, it will be completely impossible to gain the complete picture if the clocks of all involved devices are not accurate. Whatever that security professional discovers may also not be admissible in court if inaccurate time raises enough doubt as to the validity of their clams.  This applies to all the devices whose logs are being sent to the central syslog server, not just "most devices are accurate."  If you care about the device enough to keep it's logs, you should care enough to have accurate timestamps so those logs are usable.

2. Single Sign on Authentication.  Active Directory users should know that the clock on your host workstation must be within 5 minutes of the clock on the domain controller that the workstation is utilizing for authentication.  This is because accurate time is one of the security checks done by the Kerberos Protocol which is at the heart of Active Directory Authentication.  Kerberos is an open protocol, and used for authentication in a number of other systems.

3. Certificate validation.  A certificate is considered valid only if the current time falls within the range specified within the certificate. A while back a coworker sent me a text showing how every website he attempted to reach gave an invalid certificate error.  The first thing I thought of was the system clock, and that ended up being the problem.  While annoying, this is still manageable on a PC where you can tell the browser to accept the seemingly invalid certificate.  But automated processes on network devices do not have such luxury and those processes will simply fail.

Configuring NTP on Cisco IOS devices

Configuring NTP on an IOS device is a straightforward operation, consisting of three steps.  First, configure the time zone.  Next, configure the NTP server.  And finally, configure optional NTP authentication.  In this example, we’ll configure NTP to synchronize to a local NTP Server.

! Set the time zone, and optionally the daylight savings time settings
clock timezone EST -5
clock summer-time  EDT recurring
!  Specify the ntp server(s) to use, and which one is preferred
ntp server prefer
ntp server
! configure authentication settings
! note that multiple keys may be used as necessary
ntp authenticate
ntp authentication-key 1 md5 cisco123
ntp authentication-key 2 md5 cisco456
ntp server key 1
ntp server key 2

Configuring NTP on Cisco ASA devices

Like many features, the configuration of NTP on Cisco ASA devices is very similar to that of Cisco IOS devices. But like many features, there are a few slight differences.
! Set the time zone, and optionally the daylight savings time settings
clock timezone EST -5
clock summer-time  EDT recurring
! Specify the ntp server(s) to use and authentication details
ntp server key 1 source inside prefer
ntp authenticate
ntp authentication-key 1 md5 cisco123
ntp trusted-key 1

Verifying NTP on Cisco IOS and ASA devices

Now we'll use a couple simple commands to verify the operation of NTP
show ntp associations [detail]
And finally, for the few of you that require greater accuracy than NTP can provide, there is the Precision Time Protocol (PTP).  PTP offers accuracy in the sub-microsecond range, which makes it suitable for measurement and control systems. It was originally described in IEEE 1588-2002 and updated to verison 2 in IEE 1588-2008. According to the specs, "IEEE 1588 is designed to fill a niche not well served by either of the two dominant protocols, NTP and GPS. IEEE 1588 is designed for local systems requiring accuracies beyond those attainable using NTP. It is also designed for applications that cannot bear the cost of a GPS receiver at each node, or for which GPS signals are inaccessible."  PTP is available in higher end Nexus switches and ASR routers, but not in the more common ISR and ISR2 series routers. Other PTP implementations can be found here.

Saturday, October 15, 2016

CCNA Exam Objectives Breakdown

 on  with No comments 
In , ,  
A recent post in the CCNA Facebook Group was a quiz hosted at TechTarget titled "Cisco CCNA Exam: Are You Ready?"  The quiz was written by Chris Partsenidis, the founder and senior editor of the great website.  I took the quiz and did well, as I expected to and was actually surprised by the quality of the questions, although I shouldn't have been considering the author.  Articles like this usually ask simple things like "1. What port does DNS operate on?"

Saturday, October 8, 2016

CCNA Question of the Week 4

 on  with No comments 
In , ,  
This week, we had an open ended question that covers a lot of areas.  This is a take on a question that was asked during the phone screening for my first I.T. job.  As with all questions in this series, do not make assumptions, and do not answer a question that was not asked. Just answer the question as completely as your knowledge allows.

Your computer was just started and you just logged in and then loaded your favorite web browser.  No other actions have been taken on this computer and no other programs have been launched.  You type into the URL bar of the browser and press Enter.  Between now and when the page finishes loading, describe everything that happens in order for that page to load.


Saturday, October 1, 2016

Filtered DNS

 on  with No comments 
In , ,  
I've talked about DNS Security in the past.  This is becoming a bigger deal as time goes on as more and more malware finds new and creative ways of exploiting DNS to deliver or execute it's payload.  Whether it's DNS hijacking to force your browser to visit pages you really don't want to visit, or embedding command and control messages within what appear to be legitimate DNS packets, we need to pay close attention to DNS within our networks.

Saturday, September 24, 2016

Configuring SSH on IOS Devices

 on  with No comments 
In , ,  
According to Wikipedia, "Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network.  The best known example is application is for remote login to computer systems by users."  SSH was designed to be a secure replacement for protocols such as telnet, rlogin, and rsh, which transmits data in clear text across the wire.  SSH support a number of additional use cases such as file transfer and forwarding the X protocol, but we'll focus on remote logins as used on Cisco IOS devices here.

SSH comes in two versions, 1 and 2.  Version 1 was found to be susceptible to a remote integer overflow vulnerability, so the newer but incompatible Version 2 was developed.   You'll sometimes see "Version 1.99" used, however this isn't another version but instead it indicates that the SSH server supports both versions 1 and 2.

Moving along to the SSH specific configuration, you want to begin by configuring a hostname for the device.  This is accomplished with the hostname command.  Give this some thought now, because you can't change it once your keys are generated.

Router# configure terminal
Router (config)# hostname R1
R1 (config)#

Next, you need to configure a domain name for the device.  Ideally, you would want to be a valid DNS domain, however, not everyone owns one.  Microsoft has the domain name that it uses for documentation and help files, I'm not sure if Cisco has a similar domain.  Use your own domain, use contoso, or just make one up here.

R1 (config)# ip domain-name

Next, generate or import a certificate for your device.  This certificate will be used to encrypt the SSH packets that your device will send out on the wire.

R1 (config)# crypto key generate rsa
The name for the keys will be:
Choose the size of the key modulus in the range of 36o to 2048 for your
   General Purpose keys. Choosing a key modulus greater than 512 may take
    a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Note the name of the keys, which corresponds to the FQDN of this device.  Also note the default key length is 512 bits. 

Now that we've generated the key, we'll move on to configuring the VTY lines for SSH access.

R1 (config)# line vty 0 4
R1 (config-line)# login local
R1 (config-line)# transport input ssh

You can configure the VTY lines to accept telent as well as SSH if you have devices that will be accessing this device via the VTY lines that does not support SSH. 

Now we'll need a user.  In this example, we'll keep it simple and use a local user contained within the local device's database.  In addition to the local user database, we can use either RADIUS or TACACS+ as well.

R1 (config)# username alan privilege 15 secret **********

And then finally, let's look at some advanced parameters for SSH.

Configure the switch to run SSH version 1 or 2.  By default IOS devices are set for SSH Version 1.99.

ip ssh version [1 | 2]

Configure the SSH control parameters.  The SSH timeout is for the negation phase. It has a range of 0 to 120 seconds, with a default of 120.  The number of authentication-retries is the number of times a client can re-authenticate to the server.  The range is 0 to 5, with a default of 3.

ip ssh timeout seconds authentication retries number 

After authenticating via SSH, the device will use the default time-out value for CLI sessions.  This is set on the VTY lines with the exec-timeout command.

R1 (config-line)# exec-timeout 15 0

And finally, you have two show commands to monitor SSH.

show ip ssh - shows the version and configuration of the SSH server
show ssh - shows the status of the SSH server


Saturday, September 17, 2016

Discovery Protocols - Part II

 on  with No comments 
In , ,  
In Part One of this series, I covered the Cisco Discovery Protocol.  It is definitely the best known of discovery protocols, and the one that a student of Cisco certifications is going to care most about.  Cisco Discovery Protocol, or CDP, is used by most Cisco network devices to share topology information.  It is also used by a number of other manufacturers who may call their implementation CDP or Industry Standard Discovery Protocol (ISDP) in order to not reference Cisco.  But other manufacturers have their own protocols, and there have been a few attempts at an industry standard over the years.  In this post, I'm going to present a brief overview of a few of these other discovery protocols.  I may also cover one or more of them (particularly LLDP and LLDP-med) more in depth in the future if and when I feel the need to dig in further.  Most of these protocols are well known by Wireshark, and Wireshark will have display filters for those that are known.

Saturday, September 10, 2016

The Official CCNA Group Rules

 on  with No comments 
In , ,  
Group Rules:
1.This is a network for the network associate. All legitimate things CCNA related, as well as most other I.T. topics may be discussed here.
2.Things that may not be discussed here include (but is not limited to): Brain-dumps, any other form of copyright infringement, any illegal activity, spam, politics, and personal attacks. It doesn’t matter if it’s legal where you live, Facebook is an American website. If you like a post, that is considered the same as if you posted it yourself.
3.If says it’s a dump, then it’s a dump and this isn’t open to negotiation.
4.Do not post homework questions with the expectation that the answers will just be provided. We are willing to help if you don’t understand something, but this group isn’t here to just do it for you.
5.The admins, and only the admins, will decide and enforce the rules.
6.Not knowing is no excuse. You shouldn’t be posting anywhere on the Internet if you don’t know the rules. Violators of any rule are subject to immediate banning.
7. No new accounts. No offense to anyone, it's just that accounts newer than 30 days are where the majority of spam comes from. If you get turned away for this, feel free to try again later.
8. No one word answers. If you can't explain why the answer is d, then you don't need to be the 15th person saying d. Contribute something meaningful to the conversation.
9. Don't try to add people to the group. Nobody gets in without an admin's approval, and I do not approve anyone who did not join on their own.

Group FAQ:

Saturday, September 3, 2016

Printer Security

 on  with No comments 
In , ,  
Here's a quick and dirty post on a serious class of vulnerabilities in Hewlett Packard printers, and most likely other manufacturers devices as well.  It's old information, but a lot of the more gruesome details were news to me at the time I read about it.  It caught my attention when I was researching the proper remediation after seeing the vulnerability flagged by a recent scan.  So naturally, rather than just implement the fix stated in HP's bulletin, I made a detour to Google Scholar and did some additional reading.  I'm not one to just take HP at their word that a firmware update will fix you all up.  Especially when the firmware was already the latest greatest and had been since at least January.

To continue to build fear of all these devices being directly connected to the home network, and then to the Internet, Cui, Costello and Stolfo took a look at HP printers.  They presented a case study of the HP-RFU vulnerability which allows an attacker to inject malware into the printer's firmware by simply sending malicious documents to be printed.  This vulnerability is known to effect 373 different LaserJet firmware images.  Prior work shows the same overall design flaws exist in other embedded systems, however HP is the lucky one to be exploited.  The paper mentions that ATMs, enterprise routers, and PBX equipment can also be vulnerable to a similar attack.  The attack is effective against the majority of LaserJet printers on the market at the time.  Sales numbers show 11.9 million units shipped by HP in just one quarter of 2010.

Not only can malware be uploaded to these printers, in some cases it can be injected permanently.  The boot flash used on some of these printers feature a one time programmable (OTP) feature which allows areas of memory to be permanently programmed.  If an attacker were to write to this area of memory, the malware would not be able to be erased or overwritten, it would take a replacement of the chip at a minimum to remediate, which isn't always possible.   And on the extreme end of this vulnerability, an attacker can theoretically set your printer on fire remotely using this technique.  HP has, of course, denied this last charge claiming that safeguards are in place to prevent it.

More concerning than the ease of which these printers are exploitable is the fact that they found so many vulnerable printers directly accessible across the Internet.  In other words, printers that can theoretically receive print jobs directly from anywhere in the world.  After a scan of the IPv4 address space, they were able to identify 90,847 printers in government, educational, and other sensitive institutions.  Of the printers identified, just over 1% were patched.  They also found that 24.8% of the printers that were patched still had open telnet interfaces with no root password.  64% of the vulnerable printers were located in North America.  65% were found within educational institutions.  201 printers were identified within the U.S. Department of Defense.

Not only are the 90,000+ printers noted in the study vulnerable to this attack, but they also contain third party libraries such as zlib and OpenSSL, which are known to contain several other highly exploitable vulnerabilities.  Note that the 90,000 printers identified only contain vulnerable printers which can be exploited by this attack.  There are no doubt countless other printers (and a wide array of devices besides printers) with other flaws available directly on the Internet.

As for the vulnerability being flagged in the August scan despite the firmware being update between 7 and 8 months prior, your guess is as good as mine.

Wednesday, August 31, 2016

CCNA Question of the Week 2

 on  with No comments 
In , ,  
In the following image, you'll see a network topology.  In this topology, the routers are running the RIP routing protocol.  As is traditional with these questions, I'm going to strip out all the irrelevant information.  We're not going to see any router configuration, IP addressing, or anything else that would distract from the question at hand.  The key thing we're going to focus on here is that there are 20 routers.  First, we'll start with a couple assumptions:
  • The RIP routing protocol is configured correctly on every router.  
  • Nothing in the routers configurations differ except for IP addresses and networks in the routing protocol.
  • The IP addressing scheme is correctly subnetted, and the routers are addressed correctly on every interface.
So this week's question is, can the RIP protocol function correctly in this topology?  And for a couple follow up questions:  Why or why not?  Does it make a difference if we're running RIPv1 or RIPv2?

The first thing that probably comes to mind is that the RIP protocol has a maximum hop count.  Most CCNA students go here first when something of this nature comes up.   Now let's consider the difference between hop count, and the number of routers in the topology.  The hop count refers to the number of hops between two routers.  It says nothing about the number of routers in the topology.  

So Let's look at the two routers that are furthest apart, R1 and R20.  In this particular topology, there is no path from R1 to R20 that is more than 7 hops.  And if there a path that exceeded the maximum hop count, it would be ignored by the routing protocol, not having any effect on a different route that didn't exceed 15 hops.  

So the answer to the question is yes, this is a valid RIP topology.  Now two routers exceed 15 hops apart, so there is no part of the topology that is unreachable by any other portion of the topology.  PC1 can reach PC2.

And for the final follow up question, it doesn't matter if we're running RIPv1 or RIPv2.  Neither version of RIP will balk at a hop count of 7.

Thursday, August 25, 2016

CCNA Question of the Week 1

 on  with No comments 
In , ,  
Group member Donovan Bone posted this question in a discussion, and I thought that it would be a great "Question of the Week" for the group.  So a new thread was started for just it, and a lot of members attempted to answer the question. I didn't expect the majority to get it right, but only one got it right in the three hours I watched the replies.  Not surprisingly, the one person who answered correctly is the only one who actually labbed it up.  So here is the question.


Wednesday, August 24, 2016

Private VLAN Edge

 on  with No comments 
In , ,  
A common switch feature to limit communications between hosts within a common VLAN is Private VLANs.  I'll talk about Private VLANs in a future post.  Private VLANs can be a bit complex to set up, and they're not supported on a number of older and low end switch models.  A similar technology, Private VLAN Edge is available on a wider range of platforms.  The integrated switch in the Cisco ASA 5505 supports Private VLAN Edge, as does the older 2950 and 3550 series switches.  Because it's simpler and more widely available, Private VLAN Edge is a good starting point.

Private VLAN Edge (also referred to as PVLAN Edge or protected switchport), is a technology which allows the blocking of certain inter-host communication within a VLAN.  It blocks all unicast, multicast and broadcast traffic among the protected ports within a switch, while not interfering with traffic between two unprotected ports, or between one protected and one unprotected port. There is one key exception however.  Control traffic, such as routing protocol updates will still be forwarded between such ports.

Private VLAN Edge differs from Private VLANs in a number of key ways. First, Private VLAN Edge is much simpler to set up.  You simply add the command switchport protected at the interface level, and that is it. Second, Private VLAN Edge is limited to a single switch, whereas Private VLANs can span multiple switches.

That in a nutshell is all there really is to it.  For completeness, let's look at a configuration example. As I said earlier, it's real basic.  I would be normally using an IOU switch in my GNS3 topology, however it would appear that the one place that Private VLAN Edge is not supported is in the L2 IOU devices.  Perhaps in a different image.  So instead I'll be falling back to one of my old trusty 2950s.

S1(config)# interface FastEthernet 0/1
S1(config-if)#  switchport protected
S1(config-if)#  end

And to verify, we have a single show command

S1# show interfaces Ethernet 0/1 switchport
Switchport: Enabled
Administrative Mode: static access
<<Omitted for brevity>>
Protected: true

Wednesday, August 17, 2016

Tracking Superseded Windows Patches

 on  with 1 comment 
In , ,  
Here's another short blurb, and I'm mostly posting it here for my own reference.  Part of my job requires analyzing the monthly vulnerability scan and remediating any findings.  On occasion, a patch is reported missing from systems, and it turns out that the patch has been superseded, it is no longer reported by the system as installed.  And occasionally you'll see one wrongly reported that has been superseded, and the superseding patch has also been superseded, making it difficult to track back whether or not the system is actually vulnerable.

I've searched and searched for this fabled spreadsheet provided by Microsoft that tracks which patches supersede which patches, but have come up short every time.  But yesterday, I was given this link, BulletinSearch.xlsx.  Enjoy!

Monday, August 15, 2016

Obligatory I'm Still Alive Post

 on  with No comments 
In ,  
We're coming up on two weeks since I've last posted. The break started with a family vacation the week of my last post on August 3, and I just haven't gotten back into the swing of writing. I'm still trying to prepare for the SENSS, though I've rescheduled it for the beginning of next month as I've had trouble focusing on the exam material. As always, I've been running in a dozen different directions, picking up where I left off on ESXi/VCenter and trying to learn ExtremeWare, Server 2016, SCCM 2012r2, Advanced Treat Analytics, and Cisco CDA.

Yes, I'm still alive.


Wednesday, August 3, 2016

How ACL's are Intrepreted

 on  with No comments 
In , ,  
A quick and dirty post as I'm taking a much needed vacation.

Often times, an explanation of an ACLs layout used very simple ACLs with only one or two ACEs.  However, in practice, ACLs can grow to lengths of hundreds of ACEs.  This makes the planning of their layout a very important and complex affair. An ACL is processed from top to bottom.  Each packet which flows through an interface in a direction with an ACL applied will be inspected.  Being processed from the top down means that each packet will be examined against the ACL until a match is made.  The packet will be compared against the first line of the ACL. If a match is made, it will take the action specified by the ACE.  If no match is made, it will then be compared against the second line of the ACL, and so on.  It will continue through the ACL until a match is made, it will take the action specified by that line, and then it will stop processing.  The packet will not be compared to any other ACE after the first match.

Saturday, July 30, 2016

War Walking

 on  with No comments 
In ,  
You've done all your due diligence.  You've optimized the transmit power of all of your access points to allow little to no signal outside of your boundaries.  You've enabled WPA2 on the corporate SSID, and installed certificates on all authorized laptops.  You've tightened up the physical security of your environment, and nobody is getting in.  Your users have been trained and will be retrained periodically in the future.  And finally, you've hired a third party to do a wifi security assessment on your environment.  All set, right?

Not exactly.  Have you accounted for WarKitteh?

WarKitteh, and its partner WarDoge, is an interesting project that involves a wifi enabled cat collar for the purpose of wardriving.  In the early days of wifi, you may recall wardriving being a thing where people would drive or walk around with a laptop computer and specialized software to log all open wireless access points for the purpose of obtaining free Internet access.  War drivers would share their databases, and even mark the buildings where they found open wifi with chalk.  Today its not that difficult to find free wifi, every coffee shop and fast food joint in town offers it.  No, today if anyone is looking, they have ill intentions.

In the space of a cat collar decoration, a wifi receiver and GPS unit are able to log all visible access points along with their GPS coordinates.  The gentleman behind the project notes that on a particular run, he found 23 wifi hotspots in his neigborhood, of which better than 30% were open or encrypted using only WEP.  The discovered networks were mapped using Google Earth.   Cat not included.

Now, lets think back to the hypothetical network in the opening paragraph.  You've locked it down tight through every technical means possible.  You've addressed the physical security of your environment well enough that no person is getting in without you knowing about it.  Now can you say you've never seen a cat or dog walking around outside the building?  It doesn't have to be a big cat.  In fact, the collar could probably fit on a rat or a gerbil.

Just one more thing to think about when you do your security audit and your wireless site analysis.

Wednesday, July 27, 2016

Running Powershell Script on Multiple Machines

 on  with No comments 
In , ,  
Part of my responsibility is remediation of the vulnerabilities picked up by the monthly vulnerability scan.  You know the routine, every month Nessus scans the entire network, rattling the locks on the doors and windows of every host it comes across, and then spits out pretty reports detailing everything it finds.  A lot of things are one off findings on a machine or two that have just been recently imaged or have a piece of software that isn't on the other machines.  We'll usually knock those out by hand.  But occasionally a new vulnerability comes along and there are hundreds or even thousands of machines with the vulnerability, and there isn't an existing tool or process to take care of it.  This is where PowerShell comes in handy.

The first example script I have here is to knock out a common vulnerability that keeps coming up, Nessus Plugin 63155, "Microsoft Windows Unquoted Service Path Enumeration.  We have a PowerShell script already available from Microsoft to deal with this problem, but it unfortunately is written to only run on the host machine.  So my contribution is a wrapper script that takes a file called hostslist.txt from the current user's My Documents folder, and executes Microsoft's script on each machine in that list.  Put one hostname per line, nothing more.

$a = Get-Content $env:userprofile\DOCUMENTS\hostlist.txt

foreach ($i in $a)
  Invoke-Command -filepath c:\scripts\Windows_Path_Enumerate_v3.1.ps1 -computername $i

The next example again involves Windows services, but this time it's the permissions on the executable.  Since it's running icacls.exe, rather than a PowerShell script, it was a little more complicated to hack together, but nothing that was impossible.   This again takes a list of hostnames from the users's My Documents folder and executes icacls on those machines.

I like this one better overall because you can stuff any number of PowerShell cmdlet's inside the braces on the ScriptBlock parameter.

$a = Get-Content $env:userprofile\DOCUMENTS\hostlist.txt
$command = 'c:\windows\system32\icacls.exe c:\Progra~2 /remove Everyone /T /C'

foreach ($i in $a)
  Invoke-Command -ComputerName $i -ScriptBlock {Invoke-Expression $args[0]} -ArgumentList $command

If you're new to scripting, or to PowerShell, I highly suggest the videos available at the Microsoft Virtual Academy.  A lot of the PowerShell related videos I watched when I was studying for the MCSA 2012 were taught by Jeffrey Snover, the architect of PowerShell himself and/or Jason Hemlick, Microsoft MVP and Pluralsight author.

Saturday, July 23, 2016

Discovery Protocols - Part I

 on  with No comments 
In , , ,  
Introduced in IOS 10.3, the Cisco Discovery Protocol (CDP) is used to share information between directly connected Cisco devices such as routers, switches, IP phones, and access points.  This information includes, but is not limited to: IOS version, hostname, IP address or addresses, native VLAN and power draw for Power over Ethernet devices.  CDP announcements utilize the type-length-value (TLV) format.  Another similar discovery protocol, Cabletron's CDP, known also as the VlanHello Protocol, utilizes the same acronym but is not compatible.  Cabletron's CDP is described in RFC 2641 which was published in August of 1999.

Cisco utilizes the multicast destination address 0100:0ccc:cccc for a number of it's proprietary protocols such as CDP and VTP.   Because it's a multicast address, it's important to note that any device capable of receiving the message will be able to process and act upon the data contained within it.  By default, CDP announcements are sent on all interfaces that support Subnetwork Access Protocol (SNAP) headers such as Ethernet, Frame Relay and ATM. While enabled by default, it can be disabled globally or per interface on a device. 

CDP Version 2 (CDPv2) is the most recent release of the protocol.  With CDPv2, Cisco added a reporting mechanism for more rapid error tracking, sending of error message to the console or a logging server, reporting of mismatched native VLAN ID's on trunks, and reporting of unmatched port duplex states. 

Cisco devices that support CDP store this information within a table in memory.  This information can be viewed using the show cdp neighbors command, as well as through SNMP.  The CDP table is refreshed with every CDP announcement received from a neighboring device and the hold time for that information is zeroed.  By default this hold time is 180 seconds. Once this time has been reached without receiving another CDP announcement, the information is discarded.

Third Party Utilization

Hewlett-Packard supports CDP in it's Procurve product line.  All Procurves that support CDP are able to receive and process CDP announcements to some level.  However, all Procurve models shipped after February 2006 will no longer support transmitting CDP announcements, and previous models will have that capability removed from future software upgrades.  More information about HP and Cisco interoperability can be found in the document HP/Cisco Switching and Routing Interoperability Cookbook.  Dell, Netgear, and other manufacturers use the term Industry Standard Discovery Protocol (ISDP) in reference to their CDP compatible implementation.

With version 2.7.4,  routers and switches are able to receive and process CDP frames.   This support can be configured utilizing the enable lldp cdp, disable lldp cdp, reset lldp cdp and show lldp cdp commands.  These commands also support a number of optional parameters.   The following is an example of the show lldp cdp command.

CDP general information


Enabled ...................... Yes

Number of CDP neighbours ..... 14

SysUpTime .................... 12345.42s
CDP processing time .......... 3.385727s
CDP neighbour add .......... -
CDP neighbour remove ....... 5

The following shows the output of the show lldp cdp entry command, which as you can see, shows most if not all of the information available through CDP for the connected Cisco switch.

CDP entry information
Device ID ................. Switch
Protocol information:
IP address ................
Platform .................... cisco WS-C3750G-24TS
Capabilities ................ Router,Switch,IGMP device
Interface ................... port20
Port ID (outgoing port) ..... GigabitEthernet1/0/10
Holdtime .................... 155s
Cisco Internetwork Operating System Software
IOS (tm) C3750 Software (C3750-I5-M), Version 12.2(20)SE, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Wed 19-May-04 11:52 by yenanh

There is a project hosted on Sourceforge called CDP for Linux, which implements a module for the Linux kernel to receive and interpret CDP announcements.  It makes this data available through the /proc interface as /proc/net/cd_neighbors in a format very similar to show cdp neighbors detail on a Cisco router or switch.  However, the project's last update was in March of 2013 for a version to be utilized with Linux 2.4.18, so its not going to be useful with a modern kernel.  There is also a bundle of tools called CDP Tools which are user space tools to send and receive CDP announcements.  However, the changelog for these tools show their last update to be in 2007, calling into question whether or not they'll even compile at this point, let alone be of any use.

Finally, there are Perl modules such as Net:Packet:CDP and Net:CDP available via CPAN.

Wednesday, July 20, 2016

The Official CCNA Group FAQ

 on  with No comments 
In , ,  
I've been one of the admins of the group for a few years now, and there's a handful of questions that I see repeatedly posted.  I'm talking about the things that somebody asks at least once a week in the group.  So I've started compiling this FAQ for the group that can be posted as a response to any question that falls within this list.  As with many posts relating to the Facebook group, this will be a living document and material will be added, removed or modified as necessary.

If you haven't already read my post on how to ask better questions, maybe take a minute to look at that as well.

Saturday, July 16, 2016

I'm New, What Should I be Reading?

 on  with No comments 
In ,  
In the CCNA group, an often posted question is "what books should I be reading?" or the less inspired "What is the best networking book?"  Well, it's never quite that simple.  What are you looking to learn?  Do you want to become proficient in networking in general, or are you looking to become proficient in Cisco related networking?  Yes, there is a difference.  Do you want to really learn how things work, or do you want to just pass your next certification exam? Again, there is indeed a difference.

I wrote out a long post replying to this recently, and thought I'd save the response here and elaborate a little more.  A little because it's a good topic, and a lot because I'm lazy and will just link this rather than answer again in the future.  If you want to hear the simple answer, go with the dozens of knuckleheads screaming out that Todd Lammle is all you need.  Just ignore their misspelling of his name.  But if you want to actually learn networking, then continue reading.

Wednesday, July 13, 2016

Netflow Collectors

 on  with No comments 
In , ,  
One of the big topics currently in Cisco's security track is Netflow.  According to Cisco, "NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing."  With all of it's known, and yet to be discovered uses, it's no doubt that NetFlow will continue to be a big part of Cisco's security exams for the foreseeable future, as well as potentially finding it's way into other tracks if it's not already there.

Saturday, July 9, 2016 in Packet Tracer, Part 3

 on  with No comments 
In , ,  
In two previous blog posts, which can be found here and here, I started going through the labs on the Free CCNA Workbook website and attempting to perform the labs in Packet Tracer.  My focus lately has been more on my own studies with my first attempt at the SENSS exam scheduled for next month, but with Cisco finally releasing Packet Tracer to the world (you no longer need to be a Cisco Network Academy student to legally download a copy), I've been wanting to revisit this topic.  So in this post I'm going to move on to Section 5, Configuring Wide Area Network Links.