Before I explain what I’ve done, a quick message for “the stupids”

No I won’t post a virtual machine for you to download
Buy a license or an appliance

The rest of this post is a run though of what I did, if you get bored easily skip to the summary.

The story is I’ve got a customer who wants dot1x with ACS5 and I need a box to play with before breaking their network; having read through the docs on cisco.com I noticed that vmware was a supported platform for evaluation, as awesome as that is, carrying around an ESXi server isn’t as convenient as you’d think so I boldly dropped the CD into my VirtualBox and booted to see what happened…. if only it was that simple!!!!!

As expected the installer crapped out early on complaining that VirtualBox is not a valid hardware configuration, so I decided to have a poke around the ISO image and had a moment of realisation.. THANK YOU CISCO FOR CHOOSING CENTOS!

Cisco choosing an open-source installation mechanism means that with a bit of googling I could customise the install process to work in VirtualBox…. sweeet!

To get started I followed the install guide to build a VirtualBox appliance that resembled the supported vmware machine, some things to note:

• The disk is on a SCSI controller
• The processor is PAE
• You need a serial port enabled

This is a summary of my VirtualBox configuration…

• General
  • Name: Cisco ACS 5
  • OS Type: Red Hat
• System
  • Base Memory: 1024 MB
  • Processor(s):1
  • Boot Order:Floppy, CD/DVD-ROM, Hard Disk
  • VT-x/AMD-V:Enabled
  • Nested Paging:Enabled
• Display
  • Video Memory:12 MB
  • 3D Acceleration:Disabled
  • 2D Video Acceleration:Disabled
  • Remote Display Server:Disabled
• Storage
  • IDE Controller
    IDE Primary Master (CD/DVD):Empty
  • Floppy Controller
    Floppy Device 0:Empty
  • SCSI Controller
    SCSI Port 0:CiscoACS.vdi (Normal, 65.00 GB)
• Misc
  • Audio
    Disabled
  • Network
    Adapter 1:PCnet-FAST III (Host-only adapter, ‘vboxnet0′)
  • Serial Ports
    Port 1:COM1, Disconnected
  • USB
    Disabled
  • Shared Folders
    None

If you’re hoping to follow my process, I assume you’ve already downloaded from cisco a copy of the ACS_v5.1.0.44.iso and sorted an eval license.

Looking at the contents of the CD I could see that the KickStart file was rejecting my hardware configuration. In my early attempts I edited ks.cfg removing everything between %pre and %post removed the line that said %include and rebuilt the ISO; this had limited success, I could boot further on my new ISO but found that anaconda crapped out as it was unable to find the CD from which it booted … Very Odd!

Messing with the kickstart file and having to rebuild the ISO each time got boring very quickly, especially since it wouldn’t boot into anaconda stage two. I decided to move to a network based installed, I setup a web server on my laptop, downloaded CentOS-4.7-i386-bin1of4.iso and booted my guest from that using linux askmethod at the loader. On my web server I copied the contents of the ACS CD into a directory (including . hidden files), during the centos boot I was able to install “everything” from the ACS directory on web server giving me yet more limited success (Everything was installed – including the Cisco packages – but unusable).

The next step was to get my web installation to read my kickstart file, the ks.cfg has a load of finalization which looked like it created files that the cisco packages would need. I had to change the permissions of the directory to give me write access (CD files copied as RO since the CD was RO). So my edited ks.cfg has nothing between %pre & %post plus the %include line deleted, the result had massive drawback, I’d inadvertently removed the disk layout; I have since concluded that my earlier attempt with everything installed but broke also had issues due to incorrect filesystem partitions.

To put the filesystem layout back into the kickstart file I inserted the following:

part / --fstype ext3 --size=100 --grow
part /localdisk --fstype ext3 --size=5120
part /recovery --fstype ext3 --size=1008
part /storedconfig --fstype ext3 --size=981
part /storeddata --fstype ext3 --size=2048
part swap --size=2048


To get the Centos Server to now boot from both the kickstart file and install from my webserver I now have to boot with linux ks=http://192.168.56.1/~nick/ACS/ks.cfg (this is instead of linux askmethod) and replace the line that says cdrom with url --url http://192.168.56.1/~nick/ACS.

After all that trial & error I was finally there! I have attached my ks.cfg for your reference and here is a summary of the steps to reproduce.

Install Summary:

1. Download ACS
2. Download Centos
3. Install a web server
4. Copy the contents of the ACS CD to your web server (look out for .discinfo)
5. Replace ks.cfg with your edited version (or mine)
6. Create a virtualbox machine
7. Boot the VirtualBox machine from the CentOS CD with linux ks=http://URL
8. As soon as you see a blue “installer” screen eject the CentOS CD
9. Wait
10. Done

Note: During my playing the anaconda installer crapped out a couple of times, just starting the process again seemed to fix the issue, some bottleneck on virtualbox disk accesses could be the problem.

Hope that all makes sense, happy hacking!

Today’s challenge was to get to grips with Cisco’s ZBFW, there are a few examples out there if you google but this cisco pdf was the best resource I found.

I’m going to share with you my GNS3 config, my first gotcha was getting the “right” IOS version, the latest advanced sec 12.4 image for the 3725 doesn’t cut it, you need to get a copy of c3725-advsecurityk9-mz.124-15.T7.bin.

My plan was simple, I wanted to re-create this following pseudo ASA style configuration:

access-list inside permit icmp any any
access-list inside permit tcp any any eq telnet
access-list outside permit tcp any host 192.168.10.100 eq telnet
access-group inside in interface inside
access-group outside in interface outside

What’s funny is that is 5 lines of code for ZBFW it’s more than 20! Yes the IOS FW isn’t a statefull firewall like the ASA but still more than 4 times the work… anyway, moving on…

The ZBFW is broken into four parts:

• Assign Zones to Interfaces
• Create a class-map to define interesting traffic
• Create a policy-map to give your class an action
• Create a zone pair to give you class a direction

As you can see in the picture, I have three routers Inside, Outside & Gateway; we will generate traffic from Inside -> Outside (and vice versa) and Gateway will be our firewall. In this blog post I’ll discuss the inside -> outside policy, read though the attached config to work out how outside->inside works

Creating zones and applying them to interfaces is the easy bit…

!
zone security inside
 description LAN
zone security outside
 description Internet
!
interface FastEthernet0/0
 ip address 10.10.10.10 255.255.255.0
 zone-member security outside
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 zone-member security inside

ZBFW supports traffic matching by protocol, ACL or both. To start with I need to create a class map equivalent of:
access-list inside permit icmp any any
So that looks like:

class-map type inspect match-any myinspectclass
 match protocol icmp

Our action to this applied via the policy map will be “inspect” … not “permit” like the access list, what we want to happen is the echo-request (echo) packet passing from the inside interface to the outside to be inspected so that the echo-reply packet is let back in…

policy-map type inspect myinspectpolicy
 class type inspect myinspectclass
  inspect

To apply this inside -> outside we create a zone-pair…

zone-pair security in-out source inside destination outside
 service-policy type inspect myinspectpolicy

Part 1 done. breath, take a break.

We can now ping from inside to outside, but outside to inside fails. Part two is to create a separate “flow” to allow telnet out. Now we could update our existing class-map, but it’s much clearer to create a new one, first we need an access-list…

ip access-list extended telnet_any
 permit tcp any any eq telnet

This will restrict our TCP protocol inspection to permit only telnet, without this ACL the following class map would permit (inspect) any TCP.

class-map type inspect match-all inspecttelnetclass
 match access-group name telnet_any
 match protocol tcp

Now that we have defined our traffic we can using the existing policy that permits the ICMP traffic through to permit this TCP thru, so this is the new policy map that replaces the one above:

policy-map type inspect myinspectpolicy
 class type inspect myinspectclass
  inspect
 class type inspect inspecttelnetclass
  inspect

The policy map will work top down, permitting ICMP traffic thru flow 1 (rule 1) and telnet through flow 2…. we don’t need to touch the zone pair

Attached is my GNS3 .net file and the three router configs [1,2,3], hopefully it all makes sense

To get started install this driver from apple (I think it needed a reboot).

If this was successful when you connect the USB-to-Serial you’ll be asked if you want to setup a modem / network connection… say no. From a terminal you should now see a new device similar to mine…

NickBook:~ nick$ ls /dev/cu*
/dev/cu.Bluetooth-Modem	/dev/cu.PL2303-00001004	/dev/cu.Bluetooth-PDA-Sync
NickBook:~ nick$

The PL device disappears when I unplug the USB adapter. Next you then need a copy of minicom, I installed macports and did port install minicom.

Since I don’t want to re-invent the wheel now go to http://www.macosxhints.com/article.php?story=20040521145713551 and Start at STEP 3 to configure minicom (Obviously you’ll replace /dev/cu.USA19QI191P1.1 with something similar to /dev/cu.PL2303-00001004 ) once finished you’ll be set.. happy terminal session!

• CAM CLI Commands
• CAS CLI Commands

also, from the release notes show version…

cat /perfigo/build

.. there are some other useful scripts in /perfigo/common/bin such as

/perfigo/common/bin/fostate.sh

… is used for checking failover state, if you can think of any more please post them in the comments

In the end i had to downgrade, very frustrating!

As I regularly have to review & build Cisco ASA Firewall configs I thought it would be nice to add a little colour

Notepad++ supports a user defined language system whereby users can create their own syntax highlighting. As google couldn’t find anyone else who’d had a go at this before I thought I’d have a crack at being the 1st.

Attached to this post you’ll find userDefineLang_ASA.xml, what you need to do is..

1. Download the user-defined language to your computer
2. Open the file with your favourite text editor (such as notepad++ or notepad)
3. Click start, run, type (or paste in) %APPDATA%\Notepad++ then click ok
4. Open userDefineLang.xml with a text editor
5. If this is the first userdefined language you are adding, copy/paste the entire first file (which you downloaded) into the userDefineLang.xml, replacing all that was there. If this is the second or more language you add, simply copy everything from the first file starting at to and paste it at the end of the userDefineLang.xml right before
6. Save the newly improved userDefineLang.xml

Reference: http://notepad-plus.sourceforge.net/uk/download.php

Now my implementation is quite simple at this stage, I’ve copied all the top level commands, i.e. anything from an initial “?” such as “show”, but I haven’t gone thru grabbing level two such as “run” as in “show run”. I have however added the most common level two commands so you should see something useful.

Comments or improvements welcome

Mars Events Diagram

Cisco recommends that potential candidates have a CCSP and at least 5 years experience in IT Security, and when I made the decision back in 2006/7 to begin studying I qualified in both cases and figured this was the path for me.

The thing is, the more I studied the more I realised what I didn’t know; I changed employers and began getting some practical experience with Ciscos non-security technology as routing & switching features quite heavily. After 2 years of gathering as much information as I can on both Ciscos security and basic-networking portfolio and think 2009 is the year to stop putting this off and go for it!

I’ve messed about with many different techniques to prepare for the CCIE SEC Written, different ideas ranging from old skool A4/A3 notebooks, to google notebook, delicious keeps a record of some good bookmarks, and I guess my Cisco and security blog posts count!

Meet my latest, and hopefully last plan…

See the rest of my Mind Maps

Yep, I’m mind mapping, not only that but I’m going opensource and the maps are on XMIND. The Maps are far from finished but I’m hoping that this work will not only get me up to standard but also help others, after all you can’t have too many security experts!

If you have any suggestion of good revion resources, NOT testing kings or ways to cheat! Please comment and let me know.

UPDATE: Forgot to post that the .xmind file is also in my dropbox

Link to Cisco Mars Custom Parser Packages

To get started, tweak the default logging settings within the NAC web interface, this screen-shot shows I’m sending the syslog to the local host as local6 messages, this change will send a copy of the “normal” NAC event logs to the localhost syslog server.

Next we need to enable the localhost syslog server; the CAM is build upon a Fedora image, so the SYSLOG daemon is already running it’s just not listening on UDP 514 (thus not yet receiving the logs configured above). Change /etc/sysconfig/syslog , the line:
SYSLOGD_OPTIONS="-m 0"
to
SYSLOGD_OPTIONS="-m 0 -r"

Now that the local daemon is recieving the files we need to change /etc/syslog.conf, here we will make two changes, One: we will write a copy of the NAC events to disk – this will allow us to see what events the “NAC application” is sending. The second change we’ll make is the forwarding configuration, we will put in two lines (for both our syslog hosts) so that we send forward the syslogs to two different servers – which was our original intention
Add the following lines to /etc/syslog.conf :

# Log Messages sent from Cisco NAC Application to dedicated File
Local6.*	/var/log/CiscoNAC.log

# Forward all syslog messages to host1
*.* 	@loghost1
# Forward all syslog messages to host2
*.* 	@loghost2

*NOTE: loghost1 & loghost2 need to be resolvable via DNS or in /etc/hosts !!

Finally restart the syslog daemon /etc/init.d/syslog restart

Housekeeping
It’s good practice once we’ve made changes to clear up after ourselves, these are some option steps you can take.

Add /var/log/CiscoNAC.log to logrotate, so that it doesn’t just grow and grow until you run out of disk space. This is done by editing /etc/logrotate.d/syslog before /var/log/messages insert /var/log/CiscoNAC.log

You may also want to compress your syslogs, edit /etc/logrotate.conf and uncomment the word compress (remove the “#”) .

Important Note
When performing NAC upgrades, Cisco provide operating system package upgrades & changes, it’s important to check that after an upgrade this config changes still exist, also I take no responsibility for Cisco’s TAC not wanting to support you because of the changes made!