Here is a video that is supposedly used by Cisco internally to train staff on basic security. Seems like a good bit of propaganda but from working in the corporate world I know that what happens in the video could happen anywhere. Cisco security products are good but expensive. Having a Cisco Security Agent on the servers would be cost prohibitive for many companies especially in this economy. I know first hand that they work.
With SSH being the protocol of choice for connecting to systems, and Windows not even installing a telnet client by default, it's time to find a way to remotely manage routers, switches, etc. A popular choice is the free Telnet/SSH client called Putty (http://www.chiark.greenend.org.uk/~sgtatham/putty/). It runs on Windows and Unix systems but it's really basic, especially on Microsoft systems.
On Unix and Linux systems you can use the terminal and open up multiple tabs with several different remote connections. That is a very handy feature that I have used many times. Often there will be several open connections at once, with configurations being copied from one router to another. So what is the solution for the SysAdmin on a Windows box? The answer is Putty Connection Manager (http://puttycm.free.fr/cms/). After downloading the putty.exe file and placing it on the local hard drive, Putty Connection Manager can be used as a very useful front end for managing connections. Just install Putty Connection Manager and let it know where the Putty executable is. It works great when working on Cisco labs created with GNS3 or managing a production network. Once you create a database of connections, it's possible to save them and categorize them by protocol (SSH or Telnet), location, device name, etc.
This screenshot gives an idea of how it works.
As I went along in my CCNA Security studies using SDM to configure routers, I encountered a problem. Using GNS3, I set up a Cisco 2691 router running IOS version 12.3(26) with the advanced security package. To get hands-on experience using SDM, it was installed on the router. So far so good.
The problem occurred when I tried to click on “Additional Tasks” under the “Configure” tab and nothing happened. I had a feeling this was related to the version of Java installed on the PC running SDM. I’m using SDM version 2.5 and while it is the latest version, it hasn’t been updated since January 2008. I’ve run into this problem when administering a Cisco ASA using ASDM. It all works really well until a new version of Java is installed and the management interface starts acting funny. So searching Cisco.com I found that SDM 2.5 is compatible with the following versions of Java:
JRE 1.5_09
JRE 1.4.2_08
JRE 1.5.0_06
JRE 1.5.0_07
JRE 1.6.0_02
JRE 1.6.0_03
I was running JRE 1.6.0_16 so it was time for a downgrade. The website OldApps.com has the older versions of Java readily available for download (http://www.oldapps.com/java.php). I downloaded and installed JRE 1.6.0_03, rebooted and SDM worked flawlessly afterward. So for anyone that runs into this strange behavior on SDM, here is the solution. This is what makes studying for certifications so effective in the real world. I ran into a problem, did some research and resolved the issue. I also know that if the certification exam has any questions on SDM and Java version compatibility, I can answer the questions quickly.
Here is an interview with Kevin Wallace, the co-author of the CCNA Security Official Exam Certification Guide from Cisco Press. It's interesting to hear him speak of his experience, how he came to teach networking and eventually write a study guide. Much can be learned from his experience. I always find it inspiring to hear from these guys that have achieved so much in the Cisco networking world. Kevin Wallace also states the goal of the CCNA Security certification and what topics are covered by the exam. He also describes the book and strategies for getting the certification. By the way, the interviewer is Jeff Doyle, the writer of Routing TCP/IP Volumes I & II. He is practically a legend among Cisco devotees.
SSH is the protocol to use for remotely accessing Cisco network devices without exposing the password. Telnet, as everyone knows, transmits the username and password in clear text, making it easy for anyone with a sniffer to gather that information and break into the network. Telnet is usually enabled by default and some routers and switches don't come with an IOS that supports SSH. With companies having to comply with SOX and PCI requirements, the change to SSH access needs to be made. For a Cisco router or switch to accept SSH connections the IOS has to support IPSec. For Cisco firewalls like the ASA or PIX this isn't a problem, but I was very surprised to see how few of the switches and routers I work with need an IOS upgrade to get this functionality. In this post I run through setting up SSH access on a router. This is done using GNS3 to simulate a Cisco 2691 router running an IOS with the Advanced Security feature set. To begin I console into the router and enter global configuration mode:
Router#config t
Next I give the router a hostname and domain name. This is necessary for SSH configuration.
Router(config)#hostname SDMLab-Main
SDMLab-Main(config)#ip domain-name sdmlab.local
The next step is to create the SSH encryption keys. I run the following command to make sure the keys don’t already exist:
SDMLab-Main(config)#crypto key zeroize
% DSS Keys not found in configuration.
If there were some previously created RSA keys under a different hostname and domain name, they would have been erased. This step is necessary to make sure the new information goes into the keys.
Generate the RSA keys with the following command:
SDMLab-Main(config)#crypto key generate rsa
The name for the keys will be: SDMLab-Main.sdmlab.local
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys …[OK]
The default modulus is 512 as shown above but Cisco recommends at least 1024 bits.
This command also enables SSH on the router. The following commands are optional but should be included in every configuration to improve security. The first sets a timeout of 60 seconds for the SSH client to respond to the router. This will keep the request from being open indefinitely:
SDMLab-Main(config)#ip ssh time-out 60
The next command limits the number of failed authentication attempts to three:
SDMLab-Main(config)#ip ssh authentication-retries 3
The final step is to set the transport input on the default vty lines to SSH only:
SDMLab-Main(config)#line vty 0 4
SDMLab-Main(config-line)#transport input ssh
If you are using the additional vty lines 5 through 15 (line vty 5 15), you would do the same for those lines. That is it. So for PCI or SOX compliance, or just general security and peace of mind, remove telnet and add SSH. It may be necessary to upgrade the IOS image on the device but it is well worth doing. Since I'm working on the CCNA Security certification, this is something that I need to know.
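As an added check that is not part of the original post, the following audits a saved IOS running-config against the baseline built up above: hostname, domain name, ip ssh time-out, ip ssh authentication-retries, and an ssh-only transport input on every vty block (including vty 5 15, which is easy to forget). The sample config and the function names are my own constructions.

```python
import re

# Constructed sample running-config modelled on the post's commands (not a
# real device): vty 0 4 is hardened, vty 5 15 still allows telnet.
SAMPLE_CONFIG = """\
hostname SDMLab-Main
ip domain-name sdmlab.local
ip ssh time-out 60
ip ssh authentication-retries 3
!
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

# Global settings the post adds before touching the vty lines. Newer IOS
# accepts 'ip domain name' without the hyphen, so both spellings count.
REQUIRED_GLOBALS = (
    ("hostname", r"^hostname \S+"),
    ("ip domain-name", r"^ip domain[- ]name \S+"),
    ("ip ssh time-out", r"^ip ssh time-out \d+"),
    ("ip ssh authentication-retries", r"^ip ssh authentication-retries \d+"),
)


def parse_vty_transports(config):
    """Map each 'line vty A B' block to its set of allowed input transports.

    A block with no explicit 'transport input' is reported as {'unset'}: IOS
    then applies its default, which on most images still permits telnet.
    """
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"line vty (\d+(?: \d+)?)$", line)
        if m:
            current = m.group(1)
            blocks[current] = {"unset"}
            continue
        if not raw.startswith(" "):
            current = None          # any column-0 line ends the vty block
            continue
        m = re.match(r"transport input (.+)$", line)
        if current and m:
            blocks[current] = set(m.group(1).split())
    return blocks


def audit_ssh_config(config):
    """Return findings as strings; an empty list means the config matches the baseline."""
    findings = [f"missing '{label}'" for label, pat in REQUIRED_GLOBALS
                if not re.search(pat, config, re.MULTILINE)]
    for vty, transports in parse_vty_transports(config).items():
        if transports != {"ssh"}:
            findings.append(f"line vty {vty}: transport input is "
                            f"{' '.join(sorted(transports))}, expected ssh only")
    return findings
```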
The first time I saw this video was during a Cisco WAAS class with a reputable training company. The instructor was a CCIE with a good deal of knowledge and this was towards the end of the class; he had wrapped up all the material and we were just having fun. This video is very typical of what a Sys Admin will face sometime in his or her career. I think it's just hilarious because I can relate to the IT Guy in the video. I don't play Halo as I work though, or at least I won't admit it. Warning: there is some foul language. I apologize for that ahead of time.
There is a set of Cisco ACE 4710 appliances at work that have several contexts configured. Failover is set up between each ACE appliance in an active-passive configuration so that the contexts are distributed between the devices. The good thing about this setup is that, similar to a Microsoft server cluster, the contexts can be switched over to one ACE appliance while the other is rebooted, all without causing any significant downtime.
Today I was in one of the situations where it was necessary to reboot both ACE appliances. The ACE has a really good web interface but it occasionally stops working. I usually solve the problem by rebooting the appliance. Of course, when the web interface isn't available you can always rely on the CLI. Here are the steps to switch over the contexts and reboot the device using the command line.
First, check which contexts are running on the appliance:
ACE4710_1/Admin# show ft group brief
FT Group ID: 2 My State:FSM_FT_STATE_STANDBY_HOT Peer State:FSM_FT_STATE_ACTIVE
Context Name: TS1 Context Id: 3
FT Group ID: 3 My State:FSM_FT_STATE_ACTIVE Peer State:FSM_FT_STATE_STANDBY_HOT
Context Name: TS2 Context Id: 2
FT Group ID: 4 My State:FSM_FT_STATE_ACTIVE Peer State:FSM_FT_STATE_STANDBY_HOT
Context Name: TS3 Context Id: 5
FT Group ID: 5 My State:FSM_FT_STATE_ACTIVE Peer State:FSM_FT_STATE_STANDBY_HOT
Context Name: TS4 Context Id: 4
FT Group ID: 6 My State:FSM_FT_STATE_ACTIVE Peer State:FSM_FT_STATE_STANDBY_HOT
Context Name: WEB1 Context Id: 7
We can see that there are four contexts active on this appliance – FT Group ID 3, 4, 5, and 6.
I need to fail all of them to the other appliance so the following command is entered:
ATL_ACE4710_1/Admin# ft switchover all
This command will cause card to switchover (yes/no)? [no] yes
Type yes and hit enter. The FT peer will take over running all the contexts.
Check to make sure that all the contexts are set to standby on the appliance.
ACE4710_1/Admin# sh ft group brief
FT Group ID: 2 My State:FSM_FT_STATE_STANDBY_HOT Peer State:FSM_FT_STATE_ACTIVE
Context Name: TS1 Context Id: 3
FT Group ID: 3 My State:FSM_FT_STATE_STANDBY_HOT Peer State:FSM_FT_STATE_ACTIVE
Context Name: TS2 Context Id: 2
FT Group ID: 4 My State:FSM_FT_STATE_STANDBY_HOT Peer State:FSM_FT_STATE_ACTIVE
Context Name: TS3 Context Id: 5
FT Group ID: 5 My State:FSM_FT_STATE_STANDBY_HOT Peer State:FSM_FT_STATE_ACTIVE
Context Name: TS4 Context Id: 4
FT Group ID: 6 My State:FSM_FT_STATE_STANDBY_HOT Peer State:FSM_FT_STATE_ACTIVE
Context Name: WEB1 Context Id: 7
We can see that all the contexts are in hot standby mode. Now it’s time to reboot the appliance.
ACE4710_1/Admin# reload
This command will reboot the system
Save configurations for all the contexts. Save? [yes/no]: [yes]
After the appliance came back up, I successfully logged into the web interface and switched the contexts back to the freshly rebooted device.
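Added here as an example that is not from the original post: a small parser for the "show ft group brief" output above, with a pre-reload check that refuses unless every FT group is hot standby locally and active on the peer (the state the post verifies by eye before typing "reload"). The sample output is constructed to match the post's format; the function names are mine.

```python
import re

# Constructed sample shaped like the 'show ft group brief' output in the post
# (not captured from a real appliance): group 2 is active on the peer, the
# rest are active on this appliance.
SAMPLE_BEFORE = """\
FT Group ID: 2 My State:FSM_FT_STATE_STANDBY_HOT Peer State:FSM_FT_STATE_ACTIVE
Context Name: TS1 Context Id: 3
FT Group ID: 3 My State:FSM_FT_STATE_ACTIVE Peer State:FSM_FT_STATE_STANDBY_HOT
Context Name: TS2 Context Id: 2
FT Group ID: 6 My State:FSM_FT_STATE_ACTIVE Peer State:FSM_FT_STATE_STANDBY_HOT
Context Name: WEB1 Context Id: 7
"""
# The same groups after 'ft switchover all' has completed.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "My State:FSM_FT_STATE_ACTIVE Peer State:FSM_FT_STATE_STANDBY_HOT",
    "My State:FSM_FT_STATE_STANDBY_HOT Peer State:FSM_FT_STATE_ACTIVE")

GROUP_RE = re.compile(r"FT Group ID: (\d+) My State:(\S+) Peer State:(\S+)")
CTX_RE = re.compile(r"Context Name: (\S+) Context Id: (\d+)")


def parse_ft_groups(output):
    """Pair each 'FT Group ID' line with the 'Context Name' line under it."""
    groups = []
    for line in output.splitlines():
        m = GROUP_RE.match(line.strip())
        if m:
            groups.append({"group": int(m.group(1)), "my_state": m.group(2),
                           "peer_state": m.group(3)})
            continue
        m = CTX_RE.match(line.strip())
        if m and groups:
            groups[-1].update(context=m.group(1), context_id=int(m.group(2)))
    return groups


def locally_active(output):
    """Names of the contexts this appliance is currently serving."""
    return [g["context"] for g in parse_ft_groups(output)
            if g["my_state"] == "FSM_FT_STATE_ACTIVE"]


def safe_to_reload(output):
    """True only when every group is STANDBY_HOT here and ACTIVE on the peer.

    A group whose peer is anything other than ACTIVE would have nobody
    serving its context once this appliance reloads, so it blocks.
    """
    groups = parse_ft_groups(output)
    return bool(groups) and all(
        g["my_state"] == "FSM_FT_STATE_STANDBY_HOT"
        and g["peer_state"] == "FSM_FT_STATE_ACTIVE" for g in groups)
```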
This video proves that no one operating system can do it all! Okay maybe not quite, but it is a clever way to show that Windows is good for business applications like spreadsheets, Mac reigns supreme with multimedia (at least that’s what the typical graphics designer will tell you) and Linux is a server operating system. Ultimately, every OS has problems. Not including marketing departments and graphics designers, I can never see Macs break into the business world, it’s just a boutique product, companies need cheap. Windows will always rule the corporate desktop, it’s easy to use and you can buy a very powerful PC for one-third of the cost of a Mac. Linux is too complicated for the non-geek user and even for some IT professionals. It is good for servers or appliances, but not the desktop. Ubuntu Linux is a great desktop OS in my opinion but I can be considered a geek. I even think it could replace Windows if marketed correctly but the typical user that just wants to update Facebook or play video games won’t like it.
So for me, I run Ubuntu, Windows Vista and XP. I’ve even got the RTM version of Windows 7 Business on my work laptop. One day I may buy a Mac if Steve Jobs decides to lower the price of his products to compete with the netbook craze. I’m not a fanatic of any OS, I’d rather know how to use them all and take the good with the bad. With most operating systems these days there is more good than bad.
As part of my CCNA Security certification studies, I'm trying to become thoroughly familiar with Cisco Security Device Manager (SDM). I'll admit I have never used this management interface in the real world but Cisco emphasizes it on the IINS exam. The lab that I'm using is set up using GNS3 (http://www.gns3.net/). This is the best network simulator you can use if you have easy access to Cisco IOS images. GNS3 is free, the IOS images are not; you need to download them from Cisco.com. So if the company you work for doesn't have a Smartnet contract, you're out of luck. There are of course other ways to get them but I will let the reader figure that out on his own.
GNS3 is basically a hypervisor for Cisco routers and firewalls. It's possible to set up very complex networks on it. I have even read other bloggers claim that it's possible to get enough hands-on experience to pass a CCIE lab test with GNS3. I'm not sure how true that is for everyone but it definitely works for associate level certs. For more information on GNS3 and some sample labs, visit http://www.blindhog.net/.
For this post I am setting up a router for the initial install of Cisco SDM. It can be tricky because to install the software on the router, there has to be a local username and password set up. I originally set up ACS authentication going back to a Cisco Secure ACS server that had been configured earlier. SDM would not authenticate with the ACS server and I had to go back to a local username. Here are the commands to do that:
Router(config)# ip http server
Router(config)# ip http authentication local
Router(config)# username <username> privilege 15 password 0 <password>
Router(config)# line vty 0 4
Router(config-line)# privilege level 15
Router(config-line)# login local
Router(config-line)# transport input telnet
What you need to do is get the HTTP server up and running, and the key is to set the IP HTTP authentication to local. After SDM is installed you can use an ACS server for authentication, but the initial setup doesn't acknowledge any authentication other than a local account. The next post will detail installing SDM on a router.
This morning I encountered an error message when I tried to open Outlook:
“Cannot start Microsoft Office Outlook. Cannot open the Outlook window.”
In all the years I've used Outlook, this is the first time this has occurred to me. Like every good IT "guru" I immediately consulted the technology oracle that goes by the name of Google search. I found that launching Outlook with the /resetnavpane switch resolves the problem and opens up the program. So if this ever happens again, just click Start - Run and type in:
outlook.exe /resetnavpane