Nov 22 2009 12:13PM GMT
Posted by: Yasir Irfan
Tags: Cisco VPN Client, iPhone VPN, Cisco ASA, VPN tunnel, iPhone supports Cisco VPN Client, iPhone software, Cisco ASA Firewall, Cisco PIX firewall, IOS, Cisco Routers, VPN 3000, wi-fi, iPhone VPN Client, Cisco Tips, Certificate, CRYPTOCard, RSA SecurID, password, L2TP, PPTP, IPsec, Apple iPhone, Apple
Did you know that the iPhone supports the Cisco VPN Client? Both iPhone software versions 2.x and 3.x support L2TP, PPTP and IPsec remote-access VPN connectivity, and the IPsec option is in fact Cisco VPN Client software for communicating securely with Cisco ASA and PIX firewalls.
According to Cisco, only the ASA and PIX firewalls support iPhone remote-access VPN; Cisco IOS routers and the older VPN 3000 concentrators do not support the iPhone VPN features.

With this feature, mobile workers can connect remotely to their enterprise network over a secure VPN tunnel from their iPhone. Both Wi-Fi and mobile data networks can carry the tunnel between the iPhone and the enterprise network. The following authentication methods are supported for establishing the remote VPN tunnel:
• Password
• RSA SecurID
• CRYPTOCard
• Certificate
For more information on how to configure your Cisco ASA firewall, see this document from Cisco Systems:
http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/iPhone/2.0/connectivity/guide/iphone.html
Nov 21 2009 11:36AM GMT
Posted by: Yasir Irfan
Tags: Cisco Router, Cisco Router tips, Cisco Switches, Cisco Tips, How to configure the System prompt in a Cisco Router or a Cisco Switch, System prompt, no prompt, TTY, VTY, config t, hostname, Cisco Hostname, %h:%n%p, active telnet sessions, Telnet, Cisco Device, Network Tips, Network Technologies and Trends
There is a handy way to see how many TTY sessions are established on a Cisco Router or Cisco Switch: with this feature you can read the number of active Telnet sessions from the prompt itself.
Normally, whenever you log in to a Cisco Router or Switch you see this prompt:
ITKE-AS01#
After the “prompt” command is applied you can see the difference.
You might be wondering how this is possible, so let me show you how to enable this feature on a Cisco Router or Cisco Switch.
Log in to your Cisco device and enter the command “prompt %h:%n%p”:
ITKE-AS01#config t
ITKE-AS01(config)#prompt %h:%n%p
ITKE-AS01(config)#exit
In the example I have used three escape sequences to build the prompt from the hostname (%h), followed by the line (TTY) number of the current session (%n), followed by the prompt character appropriate to the current command mode (%p).
You can see the difference in the prompt after applying the “prompt %h:%n%p” command:
ITKE-AS01:1#sho users
Line User Host(s) Idle Location
* 1 vty 0 yasir idle 00:00:00 10.0.0.5
Interface User Mode Idle Peer Address
ITKE-AS01:1#
As the number of TTY sessions increases, the sequence number in the prompt increases with it, as shown below.
Example with two TTY sessions
ITKE-AS01:2#sho users
Line User Host(s) Idle Location
1 vty 0 yasir idle 00:00:23 10.0.0.5
* 2 vty 1 itkeuser idle 00:00:00 10.0.0.5
Interface User Mode Idle Peer Address
ITKE-AS01:2#
Example with three TTY sessions
ITKE-AS01:3#sho users
Line User Host(s) Idle Location
1 vty 0 yasir idle 00:01:14 10.0.0.5
2 vty 1 itkeuser idle 00:00:50 10.0.0.6
* 3 vty 2 itkeadmin idle 00:00:00 10.0.0.7
Interface User Mode Idle Peer Address
ITKE-AS01:3#
Example with four TTY sessions
ITKE-AS01:4#sho users
Line User Host(s) Idle Location
1 vty 0 yasir idle 00:01:43 10.0.0.5
2 vty 1 itkeuser idle 00:01:20 10.0.0.6
3 vty 2 itkeadmin idle 00:00:29 10.0.0.7
* 4 vty 3 yasir idle 00:00:00 10.0.0.5
Interface User Mode Idle Peer Address
ITKE-AS01:4#
If you want to disable the TTY display, enter the “no prompt” command as shown below.
ITKE-AS01:4#config t
ITKE-AS01:4(config)#no prompt
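As an added example that is not part of the original post, here is a small Python parser for the “show users” output shown above: it picks out the active session (the row marked “*”), groups logged-in users by source address, and expands the same %h:%n%p template the post configures. The sample output is constructed, not captured from a device.

```python
import re
from dataclasses import dataclass

# Constructed sample of "show users" output in the shape the post shows (not a
# capture from a real ITKE-AS01). The leading "*" marks the session you are in.
SHOW_USERS = """\
    Line       User       Host(s)              Idle       Location
   1 vty 0     yasir      idle                 00:01:43   10.0.0.5
   2 vty 1     itkeuser   idle                 00:01:20   10.0.0.6
   3 vty 2     itkeadmin  idle                 00:00:29   10.0.0.7
*  4 vty 3     yasir      idle                 00:00:00   10.0.0.5

  Interface    User               Mode         Idle     Peer Address
"""

# One row of the TTY table: optional "*", line number, TTY, user, host(s), idle, location.
ROW_RE = re.compile(
    r"^(?P<cur>\*)?\s*(?P<line>\d+)\s+(?P<tty>(?:vty|con|aux|tty) \d+)\s+"
    r"(?P<user>\S+)\s+(?P<hosts>\S+)\s+(?P<idle>\S+)\s+(?P<loc>\S+)\s*$"
)

@dataclass
class Session:
    line: int        # the number that %n puts in the prompt
    tty: str
    user: str
    idle: str
    location: str    # source address of the Telnet/SSH client
    current: bool    # the row marked "*"

def parse_show_users(text: str) -> list[Session]:
    """Return one Session per TTY row of 'show users' output."""
    sessions = []
    for raw in text.splitlines():
        m = ROW_RE.match(raw)
        if m:
            sessions.append(Session(int(m["line"]), m["tty"], m["user"],
                                    m["idle"], m["loc"], m["cur"] is not None))
    return sessions

def render_prompt(hostname: str, session: Session, mode_char: str = "#",
                  template: str = "%h:%n%p") -> str:
    """Expand the post's template: %h hostname, %n line number, %p mode character."""
    return (template.replace("%h", hostname)
                    .replace("%n", str(session.line))
                    .replace("%p", mode_char))

def sessions_by_location(sessions: list[Session]) -> dict[str, list[str]]:
    """Group logged-in users by source address, e.g. to spot an unexpected host."""
    by_loc: dict[str, list[str]] = {}
    for s in sessions:
        by_loc.setdefault(s.location, []).append(s.user)
    return by_loc
```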
Following are the prompt Variables available for the “prompt” command.

Nov 18 2009 1:06PM GMT
Posted by: Yasir Irfan
Tags: Cisco Router tips, Cisco Switches tips, Cisco Tips, Network Tips, Cisco IOS tips, archive command, archive config, configure replace flash, IOS version 12.3(4)T, IOS Version, Cisco Systems, Cisco Routers, Cisco Switches, Cisco IOS configuration, Cisco Configuration, Router Configuration, Network Technologies and Trends, running config, FTP, HTTP, HTTPS, RCP, SCP, TFTP, protocols
How to archive your Cisco Router or Switch Configuration?
Did you know there is a great way to archive the changes you make on a Cisco Router or Cisco Switch, in particular every time you run “write memory” or “copy run start”?
Most people do not realize that, starting with IOS version 12.3(4)T, Cisco Systems introduced the “archive” and “archive config” commands.
The main advantage of the “archive” command is incremental backups of your Cisco Router or Switch configuration: if for any reason the configuration gets messed up, this feature lets you bring an old configuration file back onto the router or switch.
The “archive config” command saves Cisco IOS configurations in the configuration archive using a standard location and filename prefix, to which an incremental version number (and an optional timestamp) is appended automatically as each consecutive file is saved.
Once the maximum number of files has been saved in the archive, the oldest file is automatically replaced by the next file.
The “show archive” command displays information for all configuration files saved in the Cisco IOS configuration archive.
In this example we save the archive files on the flash memory; you can also store the configuration files remotely using protocols such as FTP, HTTP, HTTPS, RCP, SCP and TFTP.
The following commands enable the archive feature on a Cisco Router or Cisco Switch, provided the IOS version is 12.3(4)T or higher. In this example the location and filename prefix is flash:itkebackup:
ITKE-AS01(config)#archive
ITKE-AS01(config-archive)#path flash:itkebackup
To save the current running configuration in the configuration archive, use the “archive config” command as shown below:
ITKE-AS01#archive config
The “show archive” command displays information of the files saved in the configuration archive as shown in the following example:
ITKE-AS01#show archive
There are currently 3 archive configurations saved.
The next archive file will be named flash:itkebackup-3
Archive # Name
0
1 flash:itkebackup-1
2 flash:itkebackup-2 <- Most Recent
3
4
5
6
7
8
9
10
11
12
13
14
ITKE-AS01#
By using the “configure replace” command you can restore an archived configuration:
ITKE-AS01#configure replace flash:itkebackup-2
This will apply all necessary additions and deletions
to replace the current running configuration with the
contents of the specified configuration file, which is
assumed to be a complete configuration, not a partial
configuration. Enter Y if you are sure you want to proceed. ? [no]: y
Total number of passes: 0
Rollback Done
The “archive” command is quite handy for keeping multiple copies of the running config in an archive.
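As an added example (not code from the original post), here is a Python script that approximates what “configure replace” computes before the “Rollback Done” above: the additions and deletions needed to turn the running configuration back into an archived file. The two sample configs are constructed for the demo, and the sub-mode handling is a simplification of what IOS does.

```python
import difflib

# Constructed sample configs (not captures from the post's ITKE-AS01):
# RUNNING is the current config, ARCHIVED an older "archive config" file.
RUNNING = """\
hostname ITKE-AS01
ip domain-name itke.com
!
ip scp server enable
line vty 0 4
 transport input telnet ssh
"""
ARCHIVED = """\
hostname ITKE-AS01
ip domain-name itke.com
!
line vty 0 4
 transport input ssh
"""

def config_lines(text: str) -> list[str]:
    # Drop blank and "!" separator lines; keep indentation, it marks sub-modes.
    return [l.rstrip() for l in text.splitlines() if l.strip() and l.strip() != "!"]

def negate(line: str) -> str:
    # The "no" form of a command, indentation preserved.
    indent = line[: len(line) - len(line.lstrip())]
    body = line.strip()
    return indent + (body[3:] if body.startswith("no ") else "no " + body)

def rollback_plan(running: str, archived: str) -> list[str]:
    """Approximate the additions and deletions 'configure replace' applies:
    commands only in the running config are negated, commands only in the
    archive are re-applied, and sub-mode commands are preceded by their mode."""
    plan: list[str] = []
    section = entered = None
    section_removed = False
    for d in difflib.ndiff(config_lines(running), config_lines(archived)):
        tag, line = d[:2], d[2:]
        if tag == "? ":                      # ndiff intraline hint, not config
            continue
        if not line.startswith(" "):         # top-level command or mode entry
            section, section_removed = line, tag == "- "
            if tag == "- ":
                plan.append(negate(line))
            elif tag == "+ ":
                plan.append(line)
                entered = line
            continue
        if tag == "  " or (tag == "- " and section_removed):
            continue                         # unchanged, or its mode is gone
        if entered != section:
            plan.append(section)             # enter the parent mode first
            entered = section
        plan.append(negate(line) if tag == "- " else line)
    return plan
```

Running rollback_plan(RUNNING, ARCHIVED) lists the commands that would be applied to get back to the archived file; an empty list means the two configurations already match.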
Nov 17 2009 12:02PM GMT
Posted by: Yasir Irfan
Tags: ManageEngine IT360, Network Monitoring module, NMS Software, Network Performance Management, Monitor Key Performance Indicators, Systems and Database Performance Management, Windows 2003 Server, Windows 2008 Server, Dell XPS, DELL XPS 630i, Windows XP, monitoring networks, monitoring servers, monitoring databases, monitoring Applications, Device Summary, Top 10 Interface, Top 10 Bandwidth utilized interfaces, Event Summary, Top 10 CPU utilization
ManageEngine has recently launched its latest Business Service Management (BSM) solution, “ManageEngine IT360”. Last week I had a chance to download the 60-day trial version and test the suite.

Since I am much into networking, I started with the Network Monitoring module, which looks promising and simple. The thing that most encouraged me to download the 60-day trial version was the agentless monitoring of network applications. ManageEngine recommends installing the application on a machine with at least 8 GB of RAM, a 2 GHz quad-core processor and 32-bit Windows Server 2003/2008 Enterprise Edition.
Unfortunately all my servers were occupied and I had none to install it on. I found a DELL XPS 630i machine lying in my office and thought I would try installing ManageEngine IT360 on it. As bad luck would have it, the installation of Windows Server 2003 on the DELL XPS 630i failed, so I was forced to install ManageEngine IT360 on Windows XP. The installation was smooth and everything worked perfectly for me. What I liked best is the easy installation and the fact that everything can be managed very easily. The DELL XPS 630i was capable of supporting ManageEngine IT360 without any hassle. I tried just the Network Monitoring module and was able to monitor all my Cisco switches, routers and firewalls. The ManageEngine IT360 Business Dashboard looks promising and is customizable as well. Using the Network Dashboard gave me all the information I was looking for: Device Summary, Top 10 Interfaces, Top 10 Bandwidth Utilized Interfaces, Event Summary and Top 10 CPU Utilization.
In brief, ManageEngine IT360 is amazing, especially as an out-of-the-box application capable of monitoring networks, servers, databases and applications. ManageEngine IT360 can surely give your IT operations team a single pane of glass to troubleshoot performance issues quickly. The integrated Service Desk, with support for ticketing, problem management, change management, a knowledge base, automated trouble ticketing and so on, simplifies production workflows and makes efficient use of IT personnel. Try downloading the 60-day trial version.
Some key features of ManageEngine IT360 are:
Integrated Network, Server and Application Performance Management that helps IT Operations
• Network Performance Management (Availability, Performance, Traffic Analysis)
• Systems and Database Performance Management
• Monitor Key Performance Indicators
• Trend Analysis and Reporting
• Capacity Planning
Business Service Management which helps Business Managers
• End User Experience Management
• Monitor Key Business Metrics
• IT Service Desk with Support for ITIL
• Service Level Management
• IT Asset Management

Nov 17 2009 6:38AM GMT
Posted by: Yasir Irfan
Tags: How to disable SSH in Cisco devices, SSH, Cisco Router, Cisco Switch, crypto key zeroize rsa, enable SSH, Disable SSH, Cisco-remote-access, remote access, Routing and Switching, ssh disable, ssh enable, ssh reconfigure, Cisco Tips, Cisco Networking, Router Configuration, Switch Configuration, disable SSH in Cisco routers, disable SSH in Cisco Switches, Network Technologies and Trends, Cisco Commands
We all know the importance of SSH; it is one of the most used methods for remote access to Cisco devices, whether a Cisco Router or a Cisco Switch. Most of the network engineers I come across say it is complicated to enable or disable SSH on Cisco devices.
If you simply try the “no” form of the commands used to enable SSH, it will not work. Here is the tip for disabling SSH on a Cisco Router or Cisco Switch.
Commands used to enable SSH in a Cisco Device
ITKE-AS1(config)#ip domain-name itke.com
ITKE-AS1(config)#crypto key generate rsa general-keys modulus 512
The name for the keys will be: ITKE-AS1.itke.com
% The key modulus size is 512 bits
% Generating 512 bit RSA keys, keys will be non-exportable…[OK]
ITKE-AS1(config)#
ITKE-AS1(config)#aaa new-model
ITKE-AS1(config)#aaa authentication login default local
ITKE-AS1(config)#aaa authorization exec default local
Commands used to disable SSH in a Cisco Device
Notice that the command “no crypto key generate rsa” does not work; instead the device tells you to use “crypto key zeroize rsa”. Amazing, isn’t it?
ITKE-AS1(config)#no crypto key generate rsa
% Use ‘crypto key zeroize rsa’ to delete signature keys.
ITKE-AS1(config)#crypto key zeroize rsa
% All RSA keys will be removed.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes
ITKE-AS1(config)#
Nov 14 2009 11:13AM GMT
Posted by: Yasir Irfan
Tags: HP, HP Acquisition, 3Com Corporation, Ethernet, Hewlett-Packard Company, 3Com’s routers, Switches, Security products, TippingPoint, Cisco Systems, HP Procurve
HP has agreed to buy router and switching gear maker 3Com for $2.7 billion. The deal expands HP’s infrastructure portfolio with 3Com’s routers, switches and security products, and strengthens HP’s position in China thanks to 3Com’s strong presence there. The transaction is expected to close in the first half of 2010.
The transaction has been sealed at US$7.90 per 3Com share and is yet another example of an acquisition that will present significant competition for Cisco in the networking market, particularly in the data centre space and network convergence.
“Companies are looking for ways to break free from the business limitations imposed by a networking paradigm that has been dominated by a single vendor,” said Dave Donatelli, executive vice president and general manager, enterprise servers and networking at HP, in a statement issued by the vendor.
“By acquiring 3Com, we are accelerating the execution of our converged infrastructure strategy and bringing disruptive change to the networking industry. By combining HP ProCurve offerings with 3Com’s extensive set of solutions, we will enable customers to build a next-generation network infrastructure that supports customer needs from the edge of the network to the heart of the data centre,” he added.
HP points out that the purchase of 3Com will bring strong security capabilities through the vendor’s TippingPoint portfolio. It also states that, thanks to extensive testing of 3Com products, it plans to complete the global roll-out within HP soon after the acquisition closes.
Let’s see how successful this acquisition will be at capturing market share from the market leader, Cisco Systems.
Nov 14 2009 7:13AM GMT
Posted by: Yasir Irfan
Tags: How to configure Secure Copy, How to configure SCP, Secure Copy, SCP, SSH, SSH Protocol, Port 22, encrypted tunnel, IOS transfer, Configuration backup, Cisco IOS 12.0(21)S, Cisco IOS 12.2(25)S, PIX/ASA firewalls 7.1, FWSM 3.1, Cisco Catalyst Switches, Cisco Routers, Cisco PIX/ASA TFTP, FTP, HTTPS, What is Secure Copy (SCP), secure, authenticated, Cisco Systems, Cisco Tips, Cisco Router tips, Cisco Switches tips, Network Tips, Network Technologies and Trends
In my previous post I talked about what Secure Copy (SCP) is; now let’s see how to configure Secure Copy (SCP) on a Cisco Router or Switch.
Before configuring Secure Copy (SCP) on a Cisco Router, make sure SSH is enabled and working.
Step 1) Enable the SSH and AAA features on the Cisco device:
ITKE-AS1(config)#ip domain-name itke.com
ITKE-AS1(config)#crypto key generate rsa general-keys modulus 512
The name for the keys will be: ITKE-AS1.itke.com
% The key modulus size is 512 bits
% Generating 512 bit RSA keys, keys will be non-exportable…[OK]
ITKE-AS1(config)#
ITKE-AS1(config)#aaa new-model
ITKE-AS1(config)#aaa authentication login default local
ITKE-AS1(config)#aaa authorization exec default local
Step 2) To use the SCP feature for managing the configuration we need at least one user account with enough privilege to access it:
ITKE-AS1(config)#
ITKE-AS1(config)#username itke privilege 15 secret itkeleads
Step 3) Now you are ready to enable the SCP server:
ITKE-AS1(config)#ip scp server enable
Just by following these three simple steps we can enable Secure Copy (SCP) on a Cisco Router or Switch. For any further clarification you can always take a close look at Cisco’s document on Secure Copy (SCP).
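As an added example (not code from the original posts), here is a Python check that walks a config-mode transcript like the ones in this post and in the earlier “how to disable SSH” post: it reports which SSH/SCP prerequisites are missing, whether a later “crypto key zeroize rsa” has removed the key pair that SSH and SCP depend on, and whether a weak choice was made (a 512-bit modulus, or a cleartext “password” instead of “secret” for the privilege-15 user). The transcript and the 2048-bit threshold are assumptions made for the demo.

```python
import re

# Constructed sample: a config-mode transcript in the style of the two posts
# (not a capture from a real ITKE-AS1); each line is one command the operator typed.
TRANSCRIPT = """\
ITKE-AS1(config)#ip domain-name itke.com
ITKE-AS1(config)#crypto key generate rsa general-keys modulus 512
ITKE-AS1(config)#aaa new-model
ITKE-AS1(config)#aaa authentication login default local
ITKE-AS1(config)#username itke privilege 15 password itkeleads
ITKE-AS1(config)#ip scp server enable
"""

PROMPT_RE = re.compile(r"^\S+\(config[^)]*\)#\s*")
MODULUS_RE = re.compile(r"^crypto key generate rsa\b.*\bmodulus (\d+)")

def commands(transcript: str) -> list[str]:
    """Keep only commands typed at a '(config...)#' prompt, prompt stripped."""
    cmds = []
    for raw in transcript.splitlines():
        if PROMPT_RE.match(raw):
            cmd = PROMPT_RE.sub("", raw).strip()
            if cmd:
                cmds.append(cmd)
    return cmds

def audit_scp_prereqs(transcript: str, min_modulus: int = 2048) -> list[str]:
    """Return findings; an empty list means every SSH/SCP prerequisite from the
    posts is present and no weak choice was made (2048-bit minimum is assumed)."""
    cmds = commands(transcript)
    findings: list[str] = []
    # SSH (and therefore SCP) depends on the RSA key pair; a later
    # 'crypto key zeroize rsa' undoes 'crypto key generate rsa'.
    modulus = None
    for c in cmds:
        m = MODULUS_RE.match(c)
        if m:
            modulus = int(m.group(1))
        elif c == "crypto key zeroize rsa":
            modulus = None
    if not any(c.startswith("ip domain-name ") for c in cmds):
        findings.append("missing: ip domain-name (the RSA key name is built from it)")
    if modulus is None:
        findings.append("missing: RSA key pair (SSH and SCP will not work)")
    elif modulus < min_modulus:
        findings.append(f"weak: RSA modulus {modulus} < {min_modulus}")
    if "aaa new-model" not in cmds:
        findings.append("missing: aaa new-model")
    if not any(c.startswith("aaa authentication login ") for c in cmds):
        findings.append("missing: aaa authentication login")
    users = [c for c in cmds if c.startswith("username ") and " privilege 15 " in c]
    if not users:
        findings.append("missing: privilege 15 user for SCP")
    for u in users:
        if " password " in u:
            findings.append(f"weak: user '{u.split()[1]}' uses 'password'; use 'secret'")
    if "ip scp server enable" not in cmds:
        findings.append("missing: ip scp server enable")
    return findings
```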
Nov 10 2009 6:07AM GMT
Posted by: Yasir Irfan
Tags: ZBot keylogger, Fortinet, Malware, security solutions, threatscape report, unified threat management, AntiVirus Pro 2010, Trojan, Bredolab, Scareware, October Threatscape report, Network Technologies and Trends
According to the latest Threatscape report (October 2009) released by Fortinet, the total amount of malware detected is the highest in more than a year, at levels four times greater than in the previous month (September 2009).
The two main Bredolab variants detected this month were W32/Bredo.G and W32/Bredolab.X, most notably included in fake DHL invoice spam campaigns.
Derek Manky, project manager, cyber security and threat research, Fortinet commented: “We’re seeing record levels of scareware building off volume from September, and the danger in these threats is only becoming more serious as the methods for delivery evolve and the blending of attacks bring more complexity.
“As we’ve seen in the consistency of repeated threats, the old schemes are still proving to be good methods. Enterprises and consumers must take equal responsibility in understanding the disguises of these threats and implementing a multi-pronged security solution that addresses the different and changing characteristics of tried and true tactics,” he added.
During October 2009 scareware tactics reached an all-time high, with the worst attacks ever reported. Seven of the top ten malware variants detected linked back to scareware, with scareware tactics diversifying to include botnets, corrupted advertisements and SEO attacks.
The most notable developments in October 2009 were the preponderance of the AntiVirus Pro 2010 rogue security software, which once installed contacts a remote server to obtain its malicious payload and receive updated copies; a trojan downloader named Bredolab, which is now downloading AntiVirus Pro 2010 installers and the ZBot keylogger; and the ongoing development of affiliate programs that tempt participants with a handsome pay-out on each software download purchased. Tools and kits are readily available to participating affiliates, accelerating the distribution of scareware and other malicious components.
Read the full October Threatscape report, which includes the top threat rankings in each category.
Nov 9 2009 6:47AM GMT
Posted by: Yasir Irfan
Tags: Secure Copy, SCP, SSH, SSH Protocol, Port 22, encrypted tunnel, IOS transfer, Configuration backup, Cisco IOS 12.0(21)S, Cisco IOS 12.2(25)S, PIX/ASA firewalls 7.1, FWSM 3.1, Cisco Catalyst Switches, Cisco Routers, Cisco PIX/ASA TFTP, FTP, HTTPS, What is Secure Copy (SCP), secure, authenticated, Cisco Systems, Cisco Tips, Cisco Router tips, Cisco Switches tips, Network Tips, Network Technologies and Trends
We are all aware of the traditional ways of transferring IOS files to and from Cisco Catalyst Switches, Cisco Routers and Cisco PIX/ASA firewalls using TFTP, FTP and, more recently, HTTPS. There is also one more way to copy IOS files, known as Secure Copy (SCP). Secure Copy (SCP) is a secure and authenticated method of copying a configuration file or transferring an image file to Cisco Catalyst Switches, Cisco Routers and Cisco PIX/ASA firewalls.
Cisco Systems introduced the Secure Copy (SCP) feature in the following IOS releases:
Release   | Modification
12.2(2)T  | This feature was introduced.
12.0(21)S | This feature was integrated into Cisco IOS 12.0(21)S.
12.2(25)S | This feature was integrated into Cisco IOS 12.2(25)S.
SCP is also supported on PIX/ASA firewalls 7.1 and above and FWSM 3.1 and above.
Secure Copy (SCP) runs over the SSH protocol on port 22, which acts as an encrypted tunnel. This tool is very useful for transferring files for upgrades and for performing safe backups.
In my next post you will find the commands to configure SCP on a Cisco Router and Switch.