Introduction to CCIE Security Mind Maps on XMIND

In 2004 I certified as a CCSP, well actually back then it was called CSS1, anyway after a couple of year experience I decided that would start walking down the CCIE security path.

Cisco recommends that potential candidates have a CCSP and at least 5 years experience in IT Security, and when I made the decision back in 2006/7 to begin studying I qualified in both cases and figured this was the path for me.

The thing is, the more I studied the more I realised what I didn’t know; I changed employers and began getting some practical experience with Ciscos non-security technology as routing & switching features quite heavily. After 2 years of gathering as much information as I can on both Ciscos security and basic-networking portfolio and think 2009 is the year to stop putting this off and go for it!

I’ve messed about with many different techniques to prepare for the CCIE SEC Written, different ideas ranging from old skool A4/A3 notebooks, to google notebook, delicious keeps a record of some good bookmarks, and I guess my Cisco and security blog posts count!

Meet my latest, and hopefully last plan…


See the rest of my Mind Maps

Yep, I’m mind mapping, not only that but I’m going opensource and the maps are on XMIND. The Maps are far from finished but I’m hoping that this work will not only get me up to standard but also help others, after all you can’t have too many security experts!

If you have any suggestion of good revion resources, NOT testing kings or ways to cheat! Please comment and let me know.

UPDATE: Forgot to post that the .xmind file is also in my dropbox :)

Multiple SYSLOG Receivers with a Cisco NAC Appliance Manager (CAM)

According to Cisco’s documentation on configuring syslog on a CAM, you can only forward the NAC logs to a single external log server. If you’re willing to get down and dirty with the Linux operating system underneath, then this document will show you that this is simply not the case.

To get started, tweak the default logging settings within the NAC web interface, this screen-shot shows I’m sending the syslog to the local host as local6 messages, this change will send a copy of the “normal” NAC event logs to the localhost syslog server.

Next we need to enable the localhost syslog server; the CAM is build upon a Fedora image, so the SYSLOG daemon is already running it’s just not listening on UDP 514 (thus not yet receiving the logs configured above). Change /etc/sysconfig/syslog , the line:
SYSLOGD_OPTIONS="-m 0"
to
SYSLOGD_OPTIONS="-m 0 -r"

Now that the local daemon is recieving the files we need to change /etc/syslog.conf, here we will make two changes, One: we will write a copy of the NAC events to disk – this will allow us to see what events the “NAC application” is sending. The second change we’ll make is the forwarding configuration, we will put in two lines (for both our syslog hosts) so that we send forward the syslogs to two different servers – which was our original intention :)
Add the following lines to /etc/syslog.conf :

# Log Messages sent from Cisco NAC Application to dedicated File
Local6.*	/var/log/CiscoNAC.log

# Forward all syslog messages to host1
*.* 	@loghost1
# Forward all syslog messages to host2
*.* 	@loghost2

*NOTE: loghost1 & loghost2 need to be resolvable via DNS or in /etc/hosts !!

Finally restart the syslog daemon /etc/init.d/syslog restart

Housekeeping
It’s good practice once we’ve made changes to clear up after ourselves, these are some option steps you can take.

Add /var/log/CiscoNAC.log to logrotate, so that it doesn’t just grow and grow until you run out of disk space. This is done by editing /etc/logrotate.d/syslog before /var/log/messages insert /var/log/CiscoNAC.log

You may also want to compress your syslogs, edit /etc/logrotate.conf and uncomment the word compress (remove the “#”) .

Important Note
When performing NAC upgrades, Cisco provide operating system package upgrades & changes, it’s important to check that after an upgrade this config changes still exist, also I take no responsibility for Cisco’s TAC not wanting to support you because of the changes made!

MARS: Zone product or package version does not match

I’ve been having problems getting my Cisco MARS Local and Global controllers to synchronise their topologies. This error message vexed me for a few days, but thankfully Cisco’s TAC solved it for me.

If you read Ciscos troubleshooting guides they will tell you to check that the MARS Local & Global controllers are running the same version, and to check that the SSL certificates are copied/pasted correctly.

If after checking the above Cisco recommendations and the additional basics ( network connectivity / ntp / timezones etc) check that both MARS boxes are running and have downloaded the same version of IPS signatures; under Admin -> IPS Signature Dynamic Update Settings -> Update Now.

It fixed the problem for me!

CS-Mars V6.0 in VMWARE (Franken Mars)

Emulating software is a very grey area for Cisco, they make their money by selling boxes so I guess officially Cisco don’t approve of things like GNS3 and PEMU. BUT cisco make a lot of their money from techies training in Cisco products who then get their management to buy boxes their certified in, as a result cisco appear to turn a blind eye to emulating their products for personal training purposes :)

So, I’m installing a CS-Mars box in the next couple of weeks and wanted to know what’s new in version 6. How to setup version 4 is already document here in this franken cs-mars guide, the thing is to upgrade from 4 to 6 is a re-image of the box. Upon re-imaging my VMWare appliance I realised that the lilo commands linux rw init=/bin/bash didn’t appear to work anymore. As a result I have a v6 mars box I can’t use due to a licensing problem.

To get this working read through both the old instructions, and what I have written.

The init/boot sequence of a mars box looks very much like a centos/fedora boot, so I thought up a cunning new plan. I downloaded the 1st installation CD of centos 5, after booting this CD instead of hitting “enter” and running the anaconda installer I typed linux rescue, this boots my appliance into a root linux shell. (See Update Below, boot from CentOS straight after MARS installs, don’t let MARS boot!)

What happened next was a little hit and miss, if you’re lucky you can type

mkdir /mnt/opt
mount /dev/md2 /mnt/opt

you can then

cd /mnt/opt/janus/release/bin
mv pnlicense pnlicense.org
echo "/bin/echo d84f7ceaf50f9c45683e2efb77752d4f:License verified:4:0:0:4" > pnlicense
chmod +x pnlicense

as per the old documentation.

If you’re unlucky this “mount” will fail, in this case ls /mnt/sysimage if you can’t see any files issue mount /dev/md1 /mnt/sysimage otherwise the plan is to change the root password so that we can edit the pnlicense file later.

Using vi edit /mnt/sysimage/etc/passwd, and change…

pnadmin:x:500:500::/opt/janus/release/bin:/opt/janus/release/bin/pnsh

for

pnadmin:x:500:500::/opt/janus/release/bin:/bin/bash

Next, setup your editor variable, and edit the suders file…

EDITOR=/mnt/sysimage/bin/vi;export EDITOR
visudo -f /mnt/sysimage/etc/suders

and add..

pnadmin ALL=(ALL)       NOPASSWD: ALL

Reboot by exiting the shell.

After the reboot login as pnadmin, you should now get a standard linux bash shell rather than the “hardened” cisco one. Change the root password…

sudo su
passwd root

And put /etc/password back to how it was. Now from the “pn shell” you can type expert and your root password will work and you’ll have root access to your mars box. With you new root access you can change the pnlicense file as described before and complete the setup process. :cool:

UPDATE: As commented by secopt below, to make this work you need to boot from the CentOS disk straight after the MARS image as installed, if you let the MARS OS boot (and start doing the oracle thing) then for some reason the mount commands don’t work!

UPDATE2: The mount command doesn’t work if you let MARS boot the 1st time as it changes the superblock, rokov has posted the following work around below…

  1. Assemble RAID
    mdadm –assemble /dev/md0 /dev/hda3 /dev/hdc3
  2. Change ext3 superblock magick number
    dd if=/dev/md0 skip=2 count=1 | sed ’s/\x5A\x7B/\x53\xEF/’ | dd of=/dev/md0 seek=2 count=1
  3. Mount partition
    mount /dev/md0 /mnt
  4. Do anything you want with it.
  5. Unmount partition and change magic back
    umount /mnt && d if=/dev/md0 skip=2 count=1 | sed ’s/\x53\xEF/\x5A\x7B/’ | dd of=/dev/md0 seek=2 count=1

Strange ASA ARP Replying Behavior

I’ve been implementing a few Cisco ASA’s recently, and I blogged about this strange behavior; well I came across another one yesterday.

Take a look at this debug arp….

CiscoASA# debug arp
debug arp  enabled at level 1
CiscoASA# 
CiscoASA# arp-set: added arp outside 192.168.1.122 001e.7000.1234 and updating NPs at 4301321940
arp-set: added arp inside 192.168.1.61 001a.7100.1234 and updating NPs at 4301321940
arp-in: request at outside from 192.168.1.125 001a.3000.1234 for 192.168.1.120 001e.7a51.1234 arp-in: rqst for me from 192.168.1.125 for 192.168.1.120, on outside arp-set: added arp outside 192.168.1.125 001a.3000.1234 and updating NPs at 4301326660 arp-in: generating reply from 192.168.1.120 001e.7a51.1234 to 192.168.1.125 001a.3000.1234
arp-in: request at outside from 192.168.1.125 001a.3000.1234 for 192.168.1.73 001e.7a51.1234 arp-in: rqst for me from 192.168.1.125 for 192.168.1.73, on outside arp-set: added arp outside 192.168.1.125 001a.3000.1234 and updating NPs at 4301326660 arp-in: generating reply from 192.168.1.73 001e.7a51.1234 to 192.168.1.125 001a.3000.1234 arp-in: request at outside from 192.168.1.125 001a.3000.1234 for 192.168.1.69 001e.7a51.1234
arp-in: rqst for me from 192.168.1.125 for 192.168.1.69, on outside arp-set: added arp outside 192.168.1.125 001a.3000.1234 and updating NPs at 4301326660 arp-in: generating reply from 192.168.1.69 001e.7a51.1234 to 192.168.1.125 001a.3000.1234
arp-in: request at outside from 192.168.1.125 001a.3000.1234 for 192.168.1.123 001e.7a51.1234 arp-in: rqst for me from 192.168.1.125 for 192.168.1.123, on outside arp-set: added arp outside 192.168.1.125 001a.3000.1234 and updating NPs at 4301326660 arp-in: generating reply from 192.168.1.123 001e.7a51.1234 to 192.168.1.125 001a.3000.1234 arp-in: response at outside from 192.168.1.125 001a.3000.1234 for 192.168.1.125 ffff.ffff.ffff arp-in: updating gratuitous ARP 192.168.1.125 - 001a.3000.1234 arp-set: added arp outside 192.168.1.125 001a.3000.1234 and updating NPs at 4301326660 CiscoASA#

The firewall is replying to arp requests even though both the source & destination of the traffic are on the same (outside) interface, now I haven’t manged to work out why the firewall was doing this, but I did find a fix on the cisco forums.

sysopt noproxyarp outside

Names, IPs & MAC’s have been changed to protect the innocent.
:cool:

Cisco NAC SSO Port List

Note to self, the ports I need to allow thru the Un-Authenticated ACL for Active Directory SSO to work…

TCP 88,135,389,636,445,1025,1026 				
UDP 88,389,636 

:)

Cisco ASA and 7905 IP Phone Weirdness

I came accross something odd the other day, I had some Cisco IP Phones on a DMZ interface and the Call Manager was behind the inside interface. If you made a call from a 7940 to a 7940 everything worked fine, if you made a call from a 7905 to a 7940 it failled!

I ran a packet capture and found that the phone was “bouncing” the RTP stream off the firewall rather than connecting directly to the peer phone… very weird! The problem was solved by enabling…

same-security-traffic permit intra-interface

I thought I post this for some future googlers!

Backup Interface on Cisco ASA Firewall

I tweeted a little while ago about Nokia recently supporting interface failover within IPSO, well it looks like Cisco’s ASA Version 8 software can do it now too!

The following example creates two redundant interfaces:

asa(config)# interface redundant 1
asa(config-if)# member-interface gigabitethernet 0/0
asa(config-if)# member-interface gigabitethernet 0/1
asa(config-if)# interface redundant 2
asa(config-if)# member-interface gigabitethernet 0/2
asa(config-if)# member-interface gigabitethernet 0/3

Reference: Adding a Redundant Interface

Thieves Don’t like CiscoPress!

As it’s late, and I’m bored waiting for a customer call back, I thought I’d write about something both amusing & irritating. Recently I purchased a copy of Network Security Technologies & Solutions from Amazon, as I’m in no hurry I opted for the free royal mail delivery option. When I got home I found the Amazon box on my door-step and surprising the the box was open!!!

You hear about things going lost in the mail regularly and I can only presume that someone responsible for sorting the parcel spotted a rather heavy box from Amazon and thought it must be some expensive gadget, how disappointed they must have been to see that it was a dull old Cisco book :wink:

Cisco Pix Firewall in front of a Playstation 3.

If you saw this tweet, you’ll see that a little while ago I had some fun with Playstation 3 online gaming; it’s probably my own fault because I’m possibly the only person with a version 6 Cisco Pix Firewall at home in front of their playstation.

If you want to get online gaming working though your firewall there’s a really good online reference here and my specific grumble about having to open up a shed load of ports for EA’s Burnout paradise is documented in their support area.

To summarize, this is what I’ve got open:

General Playstation Network Ports, these always need to be open.

udp 3658
udp 3478-3479

Open these extra ones for Motor Storm

udp 3659 – 3660

Open these extra ones for Burnout

udp 3659
udp 9600-9699

If you to have a cisco pix, you’ll need to open an entry on your outside access-list, something like

access-list outside permit udp any any eq  3658

and you’ll need a static entry….

static (inside,outside) udp interface 3658 playstation3 3658 netmask 255.255.255.255

For lots of ports the access-list command supports the range statement, so

access-list outside permit udp any any range 9600 9699

But you won’t be so lucky with statics, you’ll have to add an entry for each port, I created a small bash shell script to automate the task…

#!/bin/bash
#9600-9699
for i in `seq 9600 9699`;
do
        echo "static (inside,outside) udp interface $i playstation3 $i netmask 255.255.255.255"
done

I then pasted the output into my pix. If you are having problems here are some references that might be useful are the cisco pix command ref and the pix nat guide.

Cisco VPN 3k Config for iPhone

Recently I was asked if I could help setup a VPN connection between an Apple iPhone and a Cisco VPN Concentrator 3000, my 1st round of googling didn’t look good, there’s a discussion here complaining about how crap vpn support on the iphone is; further searching lead me to a Cisco document which specifically targets mac clients, this document is for ASA configuration, but if you look carefully* everything you need is in there.

*No, I didn’t get this working 1st time, it took me a good couple of hours of googling, but looking back I can see that all the info is there.

The key to getting this working is that the iphone side is not as configurable as it should be, so if you’re trying to get this to work you need to be talking to the IT administrator to get the concentrator side changed. The 1st word of warning is that the iphone client doesn’t support group authentication, so you’re going to be changing the base group, now by default most “production” groups will inherit settings from the base group, so you will need to make sure that if you change anything in the base group that it doesn’t effect your other L2L or Remote Access tunnels. (You have been warned.)

To get started, for whatever reason the iphone only supports cisco’s NAT-T implementation of IPSEC, so if you have a firewall or access-list in front of your concentrator you’re going to need to open up UDP 4500, then enable NAT Transparency. Another word of warning about NAT-T, we found that existing VPNS to Cisco Routers started to fail after enabling this, which was a bit odd as NAT-T wasn’t enabled under any of the L2L profiles, anyway, to fix the issue we enabled NAT-T on the routers (again make sure UDP 4500 is allowed though any ACLs) and under “conf t” issue:

crypto ipsec nat-transparency udp-encapsulation

So, back to the cVPN3k config……


Configuration -> Tunnel & Security -> NAT Transparency
IPSEC over NAT-T - TICK

So a quick explanation of the above so you get the idea; from the tree on the left, click “Configuration” then “Tunnel & Security” then “NAT Transparency” and tick the box next to NAT-T.

Now you need to setup your PHASE 1 Proposal…

Config -> Tunnel & Sec -> IPSEC -> IKE Proposal

I called mine iphone, and you need to configure the following settings.

  • Authentication: Preshared Key (NOT the one with Xauth)
  • Hash: SHA-1
  • Encryption: 3DES
  • DiffeHelmen: Group 2

After phase one, comes PHASE 2:

Config -> Policy Manage -> Traffic Mgnt -> SA

Again, add the following settings and I called mine: iphone

  • Authentication: ESP / SHA
  • Encryption: 3DES
  • Enacapsulation: Transport
  • IKE Proposal = iphone (or whatever your phase 1 was called)

Then finally we start working with the groups, so as mentioned above you need to work with the base group:

Config -> User Management -> Base Group

And you need to enable the following, the other settings will be optional:

On the Base Group Tab,

  • Tunnel Protocol: Tick “L2TP over IPSec”

On the IPSEC Tab,

  • Authentication: Internal or NT depending on what you’ve already configured for other Remote Access Profiles.
  • IPSEC SA is set to: iphone
  • Default Preshared Key: Set this to something really really long (this will be your secret on the iphone)

On the PPTP/L2TP Tab,

  • L2TP Authentication Protocols: Tick MSCHAPv1 / MSCHAPv2
  • L2TP Encryption: Tick 40 & 128 B

DONE! Now with a little bit of luck your iphone should connect.

A Quick note about comments: All support requested will be deleted, I don’t have access to a concentrator to offer any meaningful advise, you use the above config at your own risk.