spacyfreak

Members
  • Content count: 177
  • Community Reputation: -2 Poor

About spacyfreak
  • Rank: Advanced Member
  • Birthday: 04/01/61

Contact Methods
  • Yahoo: spacyfreak

Profile Information
  • Gender: Male
  • Location: Germania
  • Interests: Putting Food on Family
  1. The access list on a switch is only needed to prevent management access to the switch, not to filter traffic going through the switch. So you can use ACLs to limit access to the HTTP web console, or to telnet access, so that only the source networks or IPs you allow can manage the device.
  2. Cisco Packet Tracer is best for beginners. Later go for GNS3, as it is not a "simulator" but an "emulator" which emulates Cisco hardware, and it loads REAL IOS and REAL PIX OS, so you have exactly the same behaviour as on "real" devices. A simulator can always have bugs, but with an emulator it's "real", and if you find bugs, those are bugs that are inside the real OS.
  3. Yo, Checkpoint may be No. 1 in professional enterprise firewalling. But what about IPsec site-to-site VPNs? Do you have experience with Checkpoint and VPNs to different vendors (ASA, PIX, Astaro...)? Any problems, or is it a better/worse choice than using Cisco ASA for hundreds of VPNs? Thanks for any real-life experience.
  4. For that scenario, normally a firewall like an ASA is used, which can filter the traffic between subnetworks or VLANs. Then the layer 3 interface has to be moved to the firewall. Other ideas would be the IOS firewall feature set. Maybe you can do it with ACLs on the switch, but as ACLs are not "stateful" firewall rules, the returning traffic is normally not permitted when you deny something. Maybe you can use reflexive ACLs for that: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#reflexacl
  5. Yes, via CDP you can find out which device is used, which IP it has, version etc. What a big problem! ;-) I think a much bigger problem is Cisco web console management, as their HTTP servers are so sick that it is very recommendable to disable HTTP on any Cisco device. First of all - as said, my VLAN 1 is separated, no user access port is configured for VLAN 1. Never ever. And also not by accident. ;-) As CDP only runs on VLAN 1, no one could use CDP to gain information about the network. And IF someone can find out the IOS version and model of my switches - so what? CDP is disabled on all outside ports. But on the uplink is a trusted ISP - so even IF I would not block CDP, what's the problem? If the uplink ISP WOULD LIKE to attack my router, it does not need CDP, it could simply run Nessus and bomb the IP of the interface. And that could be done by anyone on the internet who knows the outside IP of the router. If I WOULD let users access devices in the management VLAN (even if I would change the management VLAN to another VLAN) then anyone COULD attack the devices' IPs with Nessus or other tools and could easily find out which exploits could be used. The physical switch hardware is locked in rooms and racks where no one can get in without authentication. That's what I say - if you know best practice, you can generate a best practice for your own environment, which fits the special circumstances and needs. Yes, it's good to document a network - if you have enough admins who have time for it. Not easy when 2 admins have to manage some hundreds of switches! It's often much faster to find out which uplink switch is connected on which port via CDP, or if you have to find out quickly the IP of an uplink switch.
  6. I hope this does not sound disrespectful - and I would really like to understand it, but maybe my brain is too sick (or too healthy?) for that. ;-) Yes, but when the auditors came to my place I stuck my green cross over their red cross, as they were not able to ARGUE WHY it should not be used. They had only read that it's recommended not to use it. When we drive a car - why not use a helmet, but only a belt? It's much safer! Under special circumstances the best practice can "change" - but it's good to know the best practice to be able to decide whether to use it or not. I don't see any problem in using CDP on the inner networks. Sorry, that's my way of thinking. And I have done this for many years with experience. The best idea in a large network in my eyes is out-of-band management, that's the way I go. A totally separated management network, but it runs with VLAN 1 in my network, and all the other networks are on separated VLANs.
  7. "The reason VLAN 1 became a special VLAN is that L2 devices needed to have a default VLAN to assign to their ports, including their management port(s). In addition to that, many L2 protocols such as CDP, PAgP, and VTP needed to be sent on a specific VLAN on trunk links. For all these purposes VLAN 1 was chosen. As a consequence, VLAN 1 may sometimes end up unwisely spanning the entire network if not appropriately pruned and, if its diameter is large enough, the risk of instability can increase significantly. Besides, the practice of using a potentially omnipresent VLAN for management purposes puts trusted devices at higher risk of security attacks from untrusted devices that by misconfiguration or pure accident gain access to VLAN 1 and try to exploit this unexpected security hole." Aha. I did read this all before. So if I change from VLAN 1 to VLAN 100 for management - what's the difference? If not using VLAN 1, I can not work with CDP. But I need CDP daily. It's off on ports where I don't want to send information about the device, but on the inner LAN I need it and it's helpful. If not using VLAN 1, I can not use VTP. But I love to use VTP. Why do my switches have the function VTP when it's recommended not to use the VLAN which that function needs? Any VLAN which is used for management is fine, but it's a good idea to protect it via access list so that the devices can not be compromised by inside attackers via Nessus or Metasploit. All the user subnets are in different VLANs, not in VLAN 1. So they are separated from the management VLAN. "Don't configure the management VLAN on any trunk or access port that doesn't require it (including not connected and shutdown ports)." Good tip. And if I don't allow the management VLAN on a trunk, how please can I then configure the uplink switches? This makes no sense to me. Maybe I simply don't understand, but till now I did not find a clear argument why NOT to use it - as long as I know what can happen and how I can prevent this.
  8. ...but some protocols like CDP and VTP communicate via VLAN 1. I never really understood the "big security advantage" of NOT using VLAN 1. Can someone argue what's the big security DISADVANTAGE of using VLAN 1?
  9. To make the webserver 192.168.1.10 accessible from the outside - is this configuration OK? I think it should be ip nat outside source static tcp 209.165.100.250 80 192.168.1.10 80, as the requests come from the outside... The Cisco example says it's this way...
     Testking1(config)#ip nat inside source static tcp 192.168.1.10 80 209.165.100.250 80
     Testking1(config)#interface fa0/0
     Testking1(config-if)#ip nat inside
     Testking1(config-if)#exit
     Testking1(config)#interface s0
     Testking1(config-if)#ip nat outside
     What do YOU think? Maybe I am wrong, I feel sick today...
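The Cisco configuration quoted in the post, modelled as an added Python example (not from the post, and not IOS code): a single ip nat inside source static tcp entry is applied in both directions, so the same entry rewrites the destination of connections arriving from the outside and the source of the replies going back out. The client address and port in the example are constructed sample values.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    """A TCP packet header, reduced to the fields NAT rewrites."""
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class StaticNat:
    """One 'ip nat inside source static tcp' entry (model, not IOS code)."""
    inside_local: str      # real server address on the inside interface
    local_port: int
    inside_global: str     # public address the server is published under
    global_port: int

    def outside_to_inside(self, pkt: Packet) -> Packet:
        """Packet arriving on 'ip nat outside': rewrite destination if it matches."""
        if (pkt.dst, pkt.dport) == (self.inside_global, self.global_port):
            return replace(pkt, dst=self.inside_local, dport=self.local_port)
        return pkt  # anything else passes through untranslated

    def inside_to_outside(self, pkt: Packet) -> Packet:
        """Packet leaving via 'ip nat outside': rewrite source if it matches."""
        if (pkt.src, pkt.sport) == (self.inside_local, self.local_port):
            return replace(pkt, src=self.inside_global, sport=self.global_port)
        return pkt

# The entry from the Cisco example quoted in the post
WEB_SERVER_NAT = StaticNat("192.168.1.10", 80, "209.165.100.250", 80)

def web_request_roundtrip(client_ip: str, client_port: int):
    """Outside client opens a connection to the published address; returns
    (packet as the inside server sees it, reply as the outside client sees it)."""
    request = Packet(client_ip, client_port, "209.165.100.250", 80)
    delivered = WEB_SERVER_NAT.outside_to_inside(request)
    # The server answers from its private address; the reply is translated on the way out
    reply = Packet(delivered.dst, delivered.dport, delivered.src, delivered.sport)
    on_wire = WEB_SERVER_NAT.inside_to_outside(reply)
    return delivered, on_wire

if __name__ == "__main__":
    # Constructed sample client (documentation range address)
    seen_by_server, seen_by_client = web_request_roundtrip("198.51.100.7", 51234)
    print("server sees:", seen_by_server)
    print("client sees:", seen_by_client)
```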
  10. And what happens in the following scenario? You connect 2 switches. On Switch 1, all ports are in VLAN 1, except the uplink port to Switch 2, which is a trunk port. On Switch 2, all ports are in VLAN 2, except the uplink port to Switch 1, which is a trunk port. On Switch 2, you configure on the uplink port: switchport trunk native vlan 2. Can a host PC which is connected on Switch 1 ping a host PC which is connected on Switch 2, when both hosts are part of the 10.10.10.0/24 network? What do YOU think?
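The trunk scenario in the post, worked through as an added Python example (not from the post): the model applies the 802.1Q rule that frames of a trunk's native VLAN leave untagged and that untagged frames are placed into the receiving side's native VLAN, and it compares the post's mismatched setup with two consistent configurations (equal native VLANs, and tagging the native VLAN as the IOS command vlan dot1q tag native does).

```python
from typing import Optional

class Switch:
    """A switch with one 802.1Q trunk port (model, not real switch code)."""

    def __init__(self, name: str, native_vlan: int, tag_native: bool = False):
        self.name = name
        self.native_vlan = native_vlan
        self.tag_native = tag_native  # models 'vlan dot1q tag native'

    def send_on_trunk(self, vlan: int) -> Optional[int]:
        """Tag placed on the wire for a frame of this VLAN; None means untagged."""
        if vlan == self.native_vlan and not self.tag_native:
            return None
        return vlan

    def receive_on_trunk(self, tag: Optional[int]) -> Optional[int]:
        """VLAN an incoming trunk frame is forwarded into; None means dropped."""
        if tag is None:
            # Untagged frames are assigned to the native VLAN, unless tags are required
            return None if self.tag_native else self.native_vlan
        return tag

def can_reach(sender: Switch, sender_vlan: int, receiver: Switch, receiver_vlan: int) -> bool:
    """True if a frame from sender_vlan on 'sender' lands in receiver_vlan on 'receiver'."""
    return receiver.receive_on_trunk(sender.send_on_trunk(sender_vlan)) == receiver_vlan

def ping_works(sw1: Switch, sw2: Switch, vlan1: int, vlan2: int) -> bool:
    """A ping needs both directions: request SW1->SW2 and reply SW2->SW1."""
    return can_reach(sw1, vlan1, sw2, vlan2) and can_reach(sw2, vlan2, sw1, vlan1)

def scenario_from_post() -> bool:
    """SW1 hosts in VLAN 1, native VLAN 1 (default); SW2 hosts in VLAN 2, native VLAN 2."""
    return ping_works(Switch("SW1", 1), Switch("SW2", 2), 1, 2)

def scenario_matching_native() -> bool:
    """Same hosts, but both trunk ends agree on native VLAN 1."""
    return ping_works(Switch("SW1", 1), Switch("SW2", 1), 1, 2)

def scenario_tagged_native() -> bool:
    """Mismatch kept, but both ends tag the native VLAN, so no frame travels untagged."""
    return ping_works(Switch("SW1", 1, tag_native=True), Switch("SW2", 2, tag_native=True), 1, 2)
```

In the post's setup the mismatch silently bridges VLAN 1 on Switch 1 into VLAN 2 on Switch 2, so the ping succeeds; real Cisco switches report this condition with a CDP native VLAN mismatch warning, which is the quickest way to detect it.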
  11. I think this question is wrong. You can't "gain" the number of subnetworks when making the subnet mask "bigger". You gain the number of subnetworks when you make the subnet mask "smaller". 172.17.32.0/32 This is not a network, it's a single host. 172.17.32.0/27 is already a subnet and goes from 172.17.32.0 - 172.17.32.63. But there is nothing "gained", only the number of hosts, 2^5-2=30 hosts. Weird.
  12. When you have a server on the internal network which should be accessible from the outside (internet), you can not access the server when it has a private IP address. That's also called destination NAT, as the destination IP address in each packet will be changed to the real, private IP address that the server has. So the static NAT rule defines that this server will be reachable from the outside. All packets which are sent to the public IP 172.137.16.9 will be forwarded to the server 10.99.199.9, and also the returning packets from the server will be translated to the public IP address.
  13. hmm?
  14. wpa
      WPA is a protocol suite to secure WLAN connections with encryption, key management and Message Integrity Check (MIC) algorithms. Between access point and WLAN client there is an encrypted communication, managed by WPA. WPA contains encryption algorithms; WPA1 uses TKIP (which is a temporary solution and uses RC4 encryption... until the "final" solution, AES for WLAN, was designed and standardized). WPA1 can on some devices also use AES. WPA2 uses only AES for encryption. When you only have an access point and a WLAN client, you can use a Preshared Key (PSK), which is a symmetric key, a password, and it must be configured on the access point and also on the client. When you also use a RADIUS infrastructure and 802.1X authentication, the access point generates a dynamic key which is negotiated with the WLAN client, and that key changes frequently and automatically. This scales much better than a static PSK when you have many users.
  15. The router ID identifies a router in a group of routers which communicate via OSPF with each other. You can define the router ID with a command. If you don't define it manually, then the highest IP of its interfaces is chosen as router ID. It's recommended to create a loopback interface and give it an IP address, so this will be the router ID. The advantage of loopback is that this interface never goes down, which can make the OSPF process more stable. But I always set the router ID manually and till now this has worked fine.