
Tuesday, December 21, 2010

GNS3 Topology: Basic EIGRP Configuration

In these videos, you can find EIGRP summarization, authentication, unequal-cost load balancing, and other basic EIGRP topics. I hope you enjoy it. There is no need to explain EIGRP here because there is enough explanation in the videos.

PART 1



PART 2

Friday, December 17, 2010

GNS3 Topology: OSPF AREA TYPEs and LSA TYPEs

PART 1



PART 2





I think I should begin this topic with OSPF router types. There are 4 types of routers in an OSPF network. These are:

a- Internal Router: a router which has all of its interfaces connected to the same area.

b- Backbone Router: a router which has at least one interface connected to area 0.

c- ABR (Area Border Router): a router which has interfaces connected to multiple areas.

d- ASBR (Autonomous System Boundary Router): a router which has at least one interface connected to an external internetwork.

One router can have multiple roles.


Although we saw only 6 types of LSA in the video, there are 11 types of LSA:

LSA Type     Description
1            Router LSA
2            Network LSA
3 and 4      Summary LSAs
5            AS external LSA
6            Multicast OSPF LSA
7            Defined for not-so-stubby areas (NSSAs)
8            External attributes LSA for Border Gateway Protocol (BGP)
9, 10, 11    Opaque LSAs

Friday, December 10, 2010

GNS3 Topology: Basic iBGP and eBGP Configuration

PART 1

Actually, in this first part of the video there is nothing about BGP configuration; rather, I tried to prepare my topology for the BGP lab. But I wanted to put this video on the blog because it still shows how to configure a frame relay switch in GNS3, and PuTTY CM.



PART 2



PART 3

GNS3 Topology: MPLS VPN OSPF PE-CE Routing Configuration

Here is the configuration of MPLS VPN.

PART 1



PART 2



PART 3



PART 4

Tuesday, November 9, 2010

LAYER 2 ATTACKS using YERSINIA

This video is for information only. DO NOT use this in a production network. If you are new to this field, like me, you can cause a big mess even if you have permission.




What is DTP?
DTP is the Dynamic Trunking Protocol, which automates 802.1Q and ISL (Inter-Switch Link) trunk configuration. DTP gives switches the ability to negotiate the trunking method with other DTP-capable devices. The DTP state on switch ports can be set to:
  1- Auto         : it does not initiate, but it accepts and responds to trunking negotiation
  2- On           : it is manually configured to be a trunk
  3- Off          : it is manually configured to be an access port
  4- Desirable    : it initiates the trunking
  5- Nonegotiate  : no DTP packets are sent.

By default, the administrative mode of the ports is not access (off) mode. If the port is in dynamic auto or dynamic desirable mode and it receives a DTP packet which says "I am a trunk" or "I want to be a trunk", the port becomes a trunk port.

Switchport Mode     Access     Dynamic Desirable   Dynamic Auto   Trunk
Access              No Trunk   No Trunk            No Trunk       No Trunk
Dynamic Auto        No Trunk   Trunk               No Trunk       Trunk
Dynamic Desirable   No Trunk   Trunk               Trunk          Trunk
Trunk               No Trunk   Trunk               Trunk          Trunk

By default, trunk ports have access to all VLANs. If an attacker's machine can spoof a switch, the attacker then becomes a member of all VLANs.

What is STP?
STP is the Spanning Tree Protocol, which is used to prevent loops in switched networks. To provide a loop-free switched network, switches have to choose a root bridge and assign roles to their ports, such as root, designated, or blocked. The root bridge is the switch with the smallest Bridge ID (the Bridge ID is made of two numbers: 1- the MAC address of the switch, and 2- a configurable priority between 0 and 65535). After the root bridge is determined, each switch determines the least-cost path to reach the root bridge.

If the attacker spoofs his/her system as the root bridge in the topology, the attacker can see a variety of frames or can bring the network down. To spoof, the attacker broadcasts configuration BPDUs and TCN BPDUs to force spanning tree recalculations. (BPDU: Bridge Protocol Data Unit)

What is CDP?
"The Cisco Discovery Protocol (CDP) is a proprietary Layer 2 network protocol which is implemented in most Cisco networking equipment. It is used to share information about other directly connected Cisco equipment, such as the operating system, device ID, version or IP address." (http://en.wikipedia.org/wiki/Cisco_Discovery_Protocol)
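The three protocols above share one mitigation pattern: take the negotiation away from the port so a host cannot talk itself into a trunk, a root bridge role or a CDP neighbour relationship. The following Cisco IOS fragment is an added example written for this page, not configuration from the videos; the interface names, VLAN numbers and priority value are placeholders. It shows the weak (default-style) port setting next to the hardened version of the same port, and a switch-to-switch trunk hardened the same way.

```cisco
! Added example, not from the original post. Interface names, VLAN
! numbers and the priority value are placeholders.
!
! Weak: a port left in "dynamic desirable" (or "dynamic auto") will
! accept a DTP "I want to be a trunk" from whatever is plugged in.
interface FastEthernet0/10
 switchport mode dynamic desirable
!
! Hardened access port: fixed to access (DTP "Off"), no DTP frames at
! all ("Nonegotiate"), the port is shut down if a BPDU ever arrives
! from the host side, and CDP is not advertised towards the host.
interface FastEthernet0/10
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 no cdp enable
!
! Trunk towards a downstream switch: trunk is explicit ("On"), DTP is
! silenced, only the needed VLANs are carried, the native VLAN is an
! unused one, and root guard blocks the port if a superior BPDU (a
! would-be root bridge) ever shows up behind it.
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
 spanning-tree guard root
!
! Give the intended root bridge a priority low enough that it wins the
! election instead of a device announcing the default 32768.
spanning-tree vlan 10,20 priority 4096
```

After applying the access-port block, "show interfaces FastEthernet0/10 switchport" should report "Administrative Mode: static access" and "Negotiation of Trunking: Off", and "show spanning-tree interface FastEthernet0/10 detail" should list BPDU guard as enabled; a port put into err-disabled state by BPDU guard is the detection signal that something on that port sent STP frames.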


YERSINIA

Yersinia is a network tool designed to take advantage of some weaknesses in different network protocols. It aims to be a solid framework for analyzing and testing deployed networks and systems. You can find more detailed information here and the man page here.

 

GNS3 Topology: Basic Switch Configuration

Actually, the intention of this video is not to show how switch configuration is done. I was creating my playground to learn how YERSINIA works. If you are preparing for CCNA, this video may help you understand the basics of VLAN and VLAN Trunking Protocol configuration. But on a real switch (not the EtherSwitch module) configuring VLANs is a little bit different and easier. You should also see the video "Layer 2 attacks using Yersinia" to understand how important Layer 2 security is.


enjoy!

Friday, November 5, 2010

ARP POISONING

I haven't made any video for more than two weeks. This doesn't mean that I stopped studying for exams. After I finished studying firewalls, I tried to emulate Cisco IDS (version 6.X). I found very useful articles about it on forums like 7200emu and of course the wiki. Yes, now I can emulate Cisco IDS using GNS3. (Some say that they emulate 6.x on VMware, but I wasn't able to emulate it.) After I learned a little bit about IDS, I tried to make a video, but I realized that I don't know anything about real-world attacks to demonstrate how IDS works. To make a long story short, I changed my track and decided to learn Linux (because most of the security tools run on Linux) and some useful security tools before I continue with CCSP IDS. (It is actually not good for me, because the CCSP exams are going to be changed and I am not sure that I can find any platform to study new exam topics such as IDS v7.)

This video is about ARP poisoning. It is simpler than I thought.     





How does the Address Resolution Protocol work?

Imagine we have two computers, Host A and Host B. We also assume that these computers have never previously communicated.
1- Host A would like to send Host B some data.
2- Host A looks in its ARP cache and determines whether an IP->MAC mapping exists.
3- Because they have never communicated before, a mapping does not exist.
4- Host A sends an ARP Request that says, "Who has the IP of Host B? Tell Host A".
5- Host B is listening and replies, "IP B is at MAC of B".
6- Host A updates its ARP table with the IP->MAC mapping.

How does ARP poisoning work?
Well, you can find it in the video.
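Steps 2 to 6 above are exactly what a host's ARP cache does, and the poisoning in the video works because step 6 trusts whatever reply arrives. The script below is an added example written for this page, not code from the post or from any tool shown in it. It parses raw Ethernet/ARP frames, replays Host A's cache logic, and raises an alert for the two things a defender can check on the wire: a reply that answers no outstanding request, and a reply that tries to change an IP->MAC mapping the host already learned. All frames, MAC addresses and IP addresses are constructed inline; `ArpMonitor`, `build_arp` and `parse_arp` are names chosen for this example.

```python
"""ARP frame parser plus a cache monitor that flags poisoning attempts.

Added example, not from the original post. The frames below are built
by hand with made-up addresses so the script runs offline.
"""
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return bytes(int(octet) for octet in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(opcode, sha, spa, tha, tpa):
    """Build one Ethernet frame carrying an ARP packet (constructed sample data)."""
    dst = BROADCAST if opcode == ARP_REQUEST else tha
    eth = ETH_HDR.pack(mac(dst), mac(sha), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, opcode, mac(sha), ip(spa), mac(tha), ip(tpa))
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip), or None if not ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    _, _, _, _, opcode, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    return opcode, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa)


class ArpMonitor:
    """Replays Host A's ARP cache (steps 2-6 in the post) from Host A's point of view.

    Unlike a naive host, a mapping that was learned once is kept; a reply that
    disagrees with it, or that answers no request we sent, is reported instead.
    """

    def __init__(self, our_mac):
        self.our_mac = our_mac
        self.cache = {}       # ip -> mac (step 6)
        self.pending = set()  # ips we asked about and have not heard back on (step 4)
        self.alerts = []

    def process(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return
        opcode, sha, spa, tha, tpa = parsed
        if opcode == ARP_REQUEST and sha == self.our_mac:
            self.pending.add(tpa)            # we asked "who has tpa"
        elif opcode == ARP_REPLY and tha == self.our_mac:
            if spa not in self.pending:      # nobody asked, yet someone answers
                self.alerts.append(f"unsolicited reply: {spa} is-at {sha}")
            known = self.cache.get(spa)
            if known is None:
                self.cache[spa] = sha        # first answer wins (step 6)
            elif known != sha:
                self.alerts.append(f"mapping conflict: {spa} was {known}, now claimed by {sha}")
            self.pending.discard(spa)


def demo():
    """Constructed exchange: a normal request/reply, then a forged reply for the same IP."""
    mon = ArpMonitor(our_mac="aa:aa:aa:aa:aa:01")
    frames = [
        build_arp(ARP_REQUEST, "aa:aa:aa:aa:aa:01", "192.168.2.10", "00:00:00:00:00:00", "192.168.2.254"),
        build_arp(ARP_REPLY, "aa:aa:aa:aa:aa:fe", "192.168.2.254", "aa:aa:aa:aa:aa:01", "192.168.2.10"),
        build_arp(ARP_REPLY, "de:ad:be:ef:00:01", "192.168.2.254", "aa:aa:aa:aa:aa:01", "192.168.2.10"),
    ]
    for frame in frames:
        mon.process(frame)
    return mon


if __name__ == "__main__":
    m = demo()
    print("cache :", m.cache)
    for alert in m.alerts:
        print("ALERT :", alert)
```

On the constructed frames the monitor keeps the gateway's real MAC in the cache and emits two alerts for the third frame (it answers no outstanding request, and it contradicts the learned mapping). Feeding it frames captured with a sniffer instead of the hand-built ones needs only the raw bytes of each Ethernet frame.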

Thursday, October 14, 2010

AnyConnect SSL VPN, CSD and DAP Configuration through ASDM

If you want to give full network access through SSL-based tunnels, AnyConnect VPN is for you. Using AnyConnect, a remote user can send TCP, UDP or even ICMP packets. In this video, I tried to configure the ASA to accept AnyConnect SSL VPN and also Clientless Remote Access SSL VPN through ASDM. I also configured Cisco Secure Desktop and Dynamic Access Policy for the clientless remote user, but these are very simple configurations to show how it works. You can even enable advanced endpoint assessment on the emulated ASA.

PART 1




PART 2




PART 3


There are a few videos left I want to make (Active-Active Failover, QoS, Advanced Protocol Handling). Then I will begin to study for IPS. I hope that I can get IPS working on a virtual machine. I haven't even tried it yet.

Saturday, October 9, 2010

GNS3 Topology: ASA Clientless Remote Access SSL (Web) VPN Configuration

The Clientless SSL VPN feature is great. I really enjoyed learning it. When I first connected to the PC sitting on the inside network, or telnetted into a router through the ASA, with nothing but a browser, I was amazed. It is really cool. You should try this one :)



PART 1


PART 2


Initial Configurations

ASA1
hostname ASA-Izmir
int e0/0
   ip add 192.168.2.254 255.255.255.0
   nameif inside
   no shut
int e0/1
   ip add 157.55.1.254 255.255.255.0
   nameif outside
   no shut
route outside 0 0 157.55.1.1 1
route inside 192.168.3.0 255.255.255.0 192.168.2.100
http server enable
http 0 0 inside
telnet 0 0 inside
telnet timeout 30
asdm image flash:/asdm.bin
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0
access-list acl_outside_in permit icmp any interface outside echo-reply
access-group acl_outside_in in interface outside
username levent password xxxxxxxx privilege 15

R2
interface FastEthernet0/0
 ip address 192.168.2.100 255.255.255.0
 no shut
!
interface FastEthernet1/0
 ip address 192.168.3.254 255.255.255.0
 no shut
!
ip route 0.0.0.0 0.0.0.0 192.168.2.254
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
!
end

R1
enable secret xxxxxxxxx
interface FastEthernet0/0
 ip address 157.55.1.1 255.255.255.0
 no shut
!
interface FastEthernet1/0
 ip address 192.168.10.254 255.255.255.0
 no shut
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
!
end

Thursday, October 7, 2010

GNS3 Topology: ASA Multicontext Mode Configuration

An ASA running in multicontext mode (virtual firewall) is useful when you need more than one firewall to protect traffic. In this video you can see not only how to configure virtual firewalls but also a simple NAT and ACL configuration. Please excuse the terrible web pages which I used while testing the configuration. I am not a web designer, but the web pages could be better :)


PART 1


PART 2


PART 3


By the way, the list below is what you cannot do with an ASA configured in multicontext mode:

No QoS
No IPSec VPN
No SSL VPN
No Dynamic Routing

Monday, October 4, 2010

GNS3 Topology: Certificate-Based Remote Access IPSec VPN

This video shows the configuration steps for the ASA to accept a remote access IPSec VPN client using certificates. Before I started, I installed Active Directory, IIS, Certificate Services and SCEP on a Windows server. Active Directory is optional, of course; you can simply install a standalone CA. I wish I could have shown the Windows configuration in more detail, but unfortunately my computer is not powerful enough to run the server and the recording software together. The other steps of the remote access VPN configuration, like split tunneling or transparent NAT, are the same as in the classic (pre-shared-key) remote access VPN configuration. Enjoy!



PART 2

Thursday, September 30, 2010

GNS3 Topology: Remote Access IPSec VPN

In this video, I tried to configure Remote Access IPSec VPN through the command line. It is only the base configuration to establish a tunnel between the ASA and the Cisco VPN client. When I have time, I will continue where I left off. Actually, in the next video I am gonna add a NAT 0 rule and configure NAT on the routers (to show IPSec over TCP), a VPN filter, and Client U-turn.

PART 1


PART 2


PART 3




I was thinking that I could attach the initial configurations as a txt file, but I couldn't. So, what I configured on the ASA and routers before recording the video is only some IP addresses and default routes to provide IP connectivity.

Tuesday, September 28, 2010

ASDM using GNS3

In this video, I tried to show how to get ASDM working using GNS3.

Monday, September 27, 2010

GNS3 Topology: Site to Site IPSec VPN using pre-shared-key between two ASAs

This is my first GNS3 topology to configure a Site-to-Site IPSec VPN using a pre-shared key on two ASA devices. I didn't add voice to the video, because I am trying to keep the video size as small as possible. I hope this video helps you configure VPN using GNS3 (it is recommended to watch this video using the 480p option).