Network technologies and trends


September 11, 2012  5:01 AM

How To Configure a Cisco ASA 5540 firewall for Video Conferencing for Polycom device?



Posted by: Yasir Irfan
Networking

 

Recently we were asked to configure our Polycom device for video conferencing with the external world. The Polycom device sits behind a Cisco ASA 5540 firewall, as shown in the network layout below.

In order to permit H.323 video conferencing, follow these steps:

 

Step 1

Define static NAT rules

In the example above we create a static NAT rule that maps the external IP address 192.168.0.3 to the internal IP address 10.0.0.2 (assigned to the Polycom device), using the following command on the ASA firewall:

static (inside,outside) 192.168.0.3 10.0.0.2 netmask 255.255.255.255

 

Step 2

Create an access list to allow access to the Polycom device from the external network. The following TCP/UDP ports need to be allowed for video conferencing; apply the access list to the outside interface.

H323 (UDP)
1720 (TCP)
3230-3285 (TCP)

access-list Outside_In remark Allow traffic going to polycom device
access-list Outside_In extended permit udp any host 192.168.0.3 eq 1720
access-list Outside_In extended permit tcp any host 192.168.0.3 eq h323
access-list Outside_In extended permit udp any host 192.168.0.3 range 3230 3285
access-list Outside_In extended permit tcp any host 192.168.0.3 range 3230 3243

access-group Outside_In in interface outside

 

 

Step 3

Create the access list that allows traffic from the internal network to traverse the ASA firewall to the external network. Repeat the steps above, but make sure the access list is applied to the inside interface, as shown below. Because this ACL is applied inbound on the inside interface, the Polycom device's real address 10.0.0.2 is the source of every rule.

access-list Inside_In remark Allow traffic from polycom device to outside
access-list Inside_In extended permit udp host 10.0.0.2 any range 3230 3285
access-list Inside_In extended permit tcp host 10.0.0.2 any eq h323
access-list Inside_In extended permit tcp host 10.0.0.2 any range 3230 3243

access-group Inside_In in interface inside

By following the above three steps you can enable video conferencing for any Polycom device behind the ASA firewall.
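As an added sanity check (not part of the original post), the following Python script parses the two access lists and reports where the inside ACL fails to mirror the outside one through the static NAT; the configuration embedded in it is constructed, with two deliberate mistakes, to show what the check catches.

```python
"""Consistency check for the Outside_In / Inside_In access lists above.
Added example, not configuration from the original post: every rule permitted
inbound on the outside interface towards the translated address 192.168.0.3 must
have an inside-interface mirror for the real address 10.0.0.2 (same protocol and
ports, source and destination swapped)."""
import re
from collections import namedtuple

STATIC_NAT = {"192.168.0.3": "10.0.0.2"}   # Step 1: mapped (outside) -> real (inside)
SERVICE_NAMES = {"h323": 1720}             # ASA service keyword used in the post
ACL_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+extended\s+permit\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>any|host\s+[\d.]+)\s+(?P<dst>any|host\s+[\d.]+)"
    r"(?:\s+(?P<op>eq|range)\s+(?P<p1>\S+)(?:\s+(?P<p2>\S+))?)?\s*$")
# src/dst are "any" or an IP; ports is (low, high), (0, 65535) when no port is named
Rule = namedtuple("Rule", "acl proto src dst ports")


def _port(token):
    return SERVICE_NAMES[token] if token in SERVICE_NAMES else int(token)


def parse_acl(config):
    """Return the permit rules in an ASA config fragment; remark lines are skipped."""
    rules = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        if m["op"] is None:
            ports = (0, 65535)
        else:
            ports = (_port(m["p1"]), _port(m["p2"] if m["op"] == "range" else m["p1"]))
        rules.append(Rule(m["acl"], m["proto"], m["src"].replace("host ", ""),
                          m["dst"].replace("host ", ""), ports))
    return rules


def check_mirror(rules, outside="Outside_In", inside="Inside_In", nat=STATIC_NAT):
    """Return a list of findings; an empty list means the two ACLs agree."""
    findings = []
    inside_rules = [r for r in rules if r.acl == inside]
    for o in (r for r in rules if r.acl == outside):
        real = nat.get(o.dst)
        if real is None:
            findings.append(f"{outside}: {o.dst} has no static NAT entry")
            continue
        # A mirror: same protocol, the real host as source, "any" as destination
        cands = [i for i in inside_rules
                 if i.proto == o.proto and i.src == real and i.dst == "any"]
        if any(i.ports == o.ports for i in cands):
            continue
        overlap = [i for i in cands if i.ports[0] <= o.ports[1] and o.ports[0] <= i.ports[1]]
        if overlap:
            findings.append(f"{inside}: {o.proto} from {real} allows {overlap[0].ports} "
                            f"but {outside} allows {o.ports}")
        else:
            findings.append(f"{inside}: no {o.proto} rule from host {real} mirrors {o.ports}")
    for i in inside_rules:
        # Applied inbound on the inside interface, a rule whose destination is the real
        # host never matches traffic leaving that host: source and destination reversed
        if i.src == "any" and i.dst in nat.values():
            findings.append(f"{inside}: {i.proto} any -> host {i.dst} {i.ports} is reversed")
    return findings


# Constructed sample: the outside ACL from Step 2 plus an inside ACL carrying two
# deliberate mistakes, a reversed h323 rule and a TCP range that is one port short
SAMPLE_CONFIG = """\
access-list Outside_In remark Allow traffic going to polycom device
access-list Outside_In extended permit tcp any host 192.168.0.3 eq h323
access-list Outside_In extended permit udp any host 192.168.0.3 range 3230 3285
access-list Outside_In extended permit tcp any host 192.168.0.3 range 3230 3243
access-list Inside_In remark Allow traffic from polycom device to outside
access-list Inside_In extended permit udp host 10.0.0.2 any range 3230 3285
access-list Inside_In extended permit tcp any host 10.0.0.2 eq h323
access-list Inside_In extended permit tcp host 10.0.0.2 any range 3230 3242
"""
```

Run `check_mirror(parse_acl(SAMPLE_CONFIG))` to list the three findings; paste your own `show running-config access-list` output in place of the sample to check a live firewall.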

August 31, 2012  1:27 PM

Data Center Security Policies and Procedures – part5



Posted by: Yasir Irfan
Networking

This will be the last article in my series on Data Center Security Policies and Procedures; it covers Exception Reporting and Requesting Access to the Data Center.

 

1. Exception Reporting

All infractions of the Data Center Physical Security Policies and Procedures shall be reported to the ITKE*. If warranted (e.g., emergency, imminent danger, etc.).

When an unauthorized individual is found in the Data Center it must be reported immediately to the responsible ITKE* member. If this occurs during the evening hours, the IT call center or ITKE* senior staff should be contacted. The unauthorized individual should be escorted from the Data Center and a full written report should be submitted immediately to ITKE*.

2. Requesting Access to the Data Center

Departments/projects that have computer equipment in the Data Center may request access to the Data Center. The individuals designated by the requesting department/project will be granted access once ITKE* has authorized them. To initiate authorization for access, the manager of the department/project requesting access should direct a request to the ITKE*. Upon approval by the Head of ITKE*, the person will fill in the Data Center Access Request Form and be provided with a copy of the ITKE* Data Center Access Policies and Procedures document. A person's department must notify the ITKE* as soon as possible when that person no longer requires access, so that the person's access to the Data Center can be removed. This is extremely important in cases where the employee was terminated for cause. ITKE* reserves the right to refuse entrance to the Data Centre if the Data Centre already has too many companies performing work.

 

RESPONSIBILITY

  1. It is the responsibility of the ITKE*, end-user departments and contractors/vendors/representatives to ensure implementation of this IPP.
  2. Respective department heads are responsible for ensuring adherence to the provisions of this IPP.
  3. Audit and Follow-Up Administration will monitor compliance with the provisions stipulated herein.

I hope the policies covered in this series of articles will help you draft an effective Data Center policy.

*ITKE is used just as a reference and can be replaced by your organization or department name.


August 31, 2012  1:15 PM

Data Center Security Policies and Procedures – part4



Posted by: Yasir Irfan
Networking

In my previous article we looked at the security policy for Data Center doors and the security system for Data Centers. In this article let's look at the following:

1. Periodic Review and Termination / Revocation of Access

2. Access Control Log

1. Periodic Review and Termination / Revocation of Access

Periodic (at least annual) reviews will be performed of those with any level of access to the Data Center. ITKE* will perform these reviews. If an individual no longer requires Data Center access, it will be terminated by removing the name from the ITKE* staff Access List. The results of periodic reviews will be reported to the Head of ITKE*. The report will include an updated list of those allowed access to the Data Center.

2. Access Control Log

The Data Center Access Control Log must be properly maintained at all times.

The Log is maintained by staff with ITKE* staff Access. All individuals with ITKE* staff Access to the Data Center are responsible for maintaining this log. The following procedures must be followed:

  • Each time an individual with Contractors Access to the Data Center is admitted to the area, he must properly log in on the Access Control Log at the time of entrance. The person admitting the visitor must countersign and fill out the appropriate section of the form.

  • Each time an individual with Contractors Access leaves the area, he must properly log out on the Access Control Log at the time he leaves (even if only for a short time). The person with ITKE* staff Access to the area who allows the visitor to leave must fill out the "Log Out" section of the Access Control Log. The Representatives and the accompanying persons must wear their staff ID cards or visitor cards within the ITKE* Data Centre.

*ITKE is used just as a reference and can be replaced by your organization or department name.


August 17, 2012  7:49 AM

Data Center Security Policies and Procedures – part3



Posted by: Yasir Irfan
Data Center

 

Well, it's been a long time since you saw any update from my side on Data Center policies. In my previous article I was talking about the types of access that can be provided to the Data Center; let's continue our journey with two things:

1) Data Center Doors

2) Security System for Data Centers

1. Data Center Doors

All doors to the Data Center MUST remain locked at all times and may only be temporarily opened for periods NOT to exceed the minimum necessary in order to:

  • Allow officially approved and logged entrance and exit of authorized individuals
  • Permit the transfer of supplies/equipment as directly supervised by a person with ITKE* staff Access to the area
  • Prop open a door to the Data Center ONLY if it is necessary to increase air flow into the Data Center in the case of an air conditioning failure. In this case, staff personnel with ITKE* staff Access MUST be present and limit access to the Data Center.

2. Security System

The access control system provides the normal mechanism for controlling access to the Data Center. These mechanisms are employed at the Data Center doors. Permission to access the Data Center MUST be signed off by ITKE* directors. The Customer MUST provide ITKE* with at least one (1) working day's prior notice via e-mail any time it intends to access the ITKE* Data Centre. The Customer MUST provide ITKE* with at least three (3) working days' prior notice any time it requires onsite technical support at the ITKE* Data Centre or intends to move in or move out any Customer Equipment. The Representatives and the accompanying persons MUST keep their licensed area as well as the ITKE* Data Centre clean and tidy at all times. The Representatives and the accompanying persons agree to adhere to and abide by all security and safety measures established by ITKE*.

The Representatives and the accompanying persons MUST refrain from the following:

  • Engaging in any activity that is in violation of the law, or that aids or assists any criminal activity, while on ITKE* property or in connection with the Data Centre Services;
  • Misusing or abusing any of ITKE*'s property or equipment or any third-party equipment;
  • Making any unauthorized use of, or interfering with, any property or equipment of any other customer;
  • Harassing any individual, including ITKE* personnel and representatives of other customers;
  • Using any photographic, video, film or other device that produces, reproduces, retains or transmits images within the premises and the licensed space.

*ITKE is used just as a reference and can be replaced by your organization or department name.


August 14, 2012  7:09 AM

How to enable special http inspection for Cisco ASA firewall



Posted by: Yasir Irfan
Cisco, Cisco Systems, Cisco Tips, Network Technologies and Trends, Networking

 

We had a special request from one of our clinicians: he was trying to access a health care portal with the URL http://apps.xxx.xx.sa:2000/. From his office the portal was not accessible, whereas the same portal could be accessed from any other location except our office.

While troubleshooting this issue we thought our Blue Coat ProxySG might be blocking port 2000, but that was not the case. We faced the same problem even with a static NAT on our ASA 5540 firewall.

One thing was sure: the ASA 5540 firewall was blocking access to the URL http://apps.xxx.xx.sa:2000/. We reviewed all our access lists and found nothing wrong with them. We thought a policy map might be blocking the access, so we disabled the default policy-map as shown below:

policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect esmtp

sec/FW01-MB-IE-001(config)# policy-map global_policy
sec/FW01-MB-IE-001(config-pmap)# no class inspection_default

 

The URL started working. Now one thing was sure: the problem lay with the policy map. We could not leave the default policy-map, which Cisco configures by default on every ASA or PIX firewall, disabled, so we read the following documents from Cisco Systems:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/inspect.html

 

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_overview.html

It was clear that certain HTTP traffic needs special handling. When we re-enabled the default policy-map and added the command "inspect http" as shown below, the URL could be accessed from our internal LAN.

sec/FW01-MB-IE-001(config)# policy-map global_policy
sec/FW01-MB-IE-001(config-pmap)# class inspection_default
sec/FW01-MB-IE-001(config-pmap-c)# inspect http

 


August 10, 2012  10:46 AM

HP releases a new software management platform



Posted by: Yasir Irfan
Networking

HP has released a new software management platform known as HP Automated Network Management (ANM) 9.2, which aims to improve network security, automation and availability. The newly released software is a unified network-management platform designed to improve control over network devices and network changes and to increase visibility into performance.

HP Automated Network Management (ANM) 9.2 comprises the following products:

 

1.  HP Network Node Manager i 9.0 software (NNMi 9), which delivers the common console for unified fault, performance and configuration

2.  HP iSPIs for Performance (Metrics, Traffic, Quality Assurance), which monitor and ensure performance

3.  HP iSPI Network Engineering Toolset (NET), which automates common operator tasks, and provides trap analytics and map export

4.  HP Network Automation, which handles network change and configuration management, and ensures compliance

HP Automated Network Management (ANM) 9.2 is also capable of automating changes, configuration, compliance, cloud lifecycle and day-to-day routine network administration tasks. ANM 9.2 can be integrated with HP Intelligent Management Center (IMC) in a more enhanced way, which results in single-solution management and visibility of heterogeneous networked devices with automated configuration of network tasks.

Key benefits of HP Automated Network Management (ANM) are as follows:

  • Single tool for complete control of the network infrastructure
  • Improved network availability with a multi-tenant network management solution
  • Common view and context for security and network issues
  • Increased operator productivity and efficiency, reduced MTTR
  • Manage more customers, departments or sites at lower cost

 


August 8, 2012  2:42 PM

What is the error “BUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0x930D0EBD” in Cisco 6500 Series Switch? – part 2



Posted by: Yasir Irfan
%CDP_PD-2-POWER_LOW: All radios disabled, %DIAG-SP-6-RUN_MINIMUM: Module 7: Running Minimal Diagnostics..., %EARL_L2_ASIC-DFC9-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0x930D0EBD

As mentioned in my previous post, the error "BUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0x930D0EBD" (logged as "Jun  7 16:47:27.446: %EARL_L2_ASIC-DFC9-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0x930D0EBD") means that the EARL L2 ASIC detected an invalid header on the DBus, and it could indicate a faulty Cisco Catalyst 6500 Series 8-Port 10 Gigabit Ethernet Module.

Initially I removed the defective module from the chassis and firmly reinserted it in the slot to ensure the module was well seated.

After reinserting the module it worked well, and when I checked with the IOS command "show module" the module was passing all the tests and no error was detected.

SL02-MB-1256-005# show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1    1  Application Control Engine Module      ACE20-MOD-K9       XXXXXXXXXXX
  7    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       XXXXXXXXXXX
  9    8  CEF720 8 port 10GE with DFC            WS-X6708-10GE      XXXXXXXXXXX
 11   10  WiSM WLAN Service Module               WS-SVC-WISM-1-K9   XXXXXXXXXXX
 13   10  WiSM WLAN Service Module               WS-SVC-WISM-1-K9   XXXXXXXXXXX

Mod  Sub-Module                  Model              Serial       Hw     Status
---- --------------------------- ------------------ ----------- ------- -------
  7  Policy Feature Card 3       WS-F6K-PFC3B       XXXXXXXXXXX  1.0    Ok
  7  MSFC3 Daughterboard         WS-SUP720          XXXXXXXXXXX  2.1    Ok
  9  Distributed Forwarding Card WS-F6700-DFC3C     XXXXXXXXXXX  1.4    Ok
 11  Centralized Forwarding Card WS-SVC-WISM-1-K9-D XXXXXXXXXXX  2.2    Ok
 13  Centralized Forwarding Card WS-SVC-WISM-1-K9-D XXXXXXXXXXX  2.2    Ok

Mod  Online Diag Status
---- -------------------
  1  Pass
  7  Pass
  9  Pass
 11  Pass
 13  Pass
SL02-MB-1256-005#

After a week, when I checked the module again, the error had reappeared. Since we had a valid SmartNet contract with Cisco, we opened a TAC case with Cisco, an RMA was created and the defective module was replaced. I would seize this opportunity to emphasize that having a valid SmartNet contract with Cisco Systems is very handy and proves to be a worthwhile investment.


June 11, 2012  5:04 AM

What is the error “BUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0x930D0EBD” in Cisco 6500 Series Switch? – part 1



Posted by: Yasir Irfan
%EARL_L2_ASIC-DFC9-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0x930D0EBD, Application Control Engine Module, BUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0x930D0EBD, Centralized Forwarding Card, Cisco 6500 Switch troubleshooting, Cisco Catalyst 6500 E Series Switches, Cisco Catalyst 6500 Series 8-Port 10 Gigabit Ethernet Module, Cisco Switching, Cisco TAC, Policy Feature Card 3, Switching, WiSM WLAN Service Module

We have plenty of Cisco Catalyst 6500 E Series Switches; recently an error appeared on one of our Cisco Catalyst 6513 Switches. When I checked the log I found the following errors.

SL02-MB-1256-005#show log
Log Buffer (8192 bytes):
BUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0x930D0EBD
Jun  7 16:47:27.446: %EARL_L2_ASIC-DFC9-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0x930D0EBD
Jun  7 16:48:28.582: %EARL_L2_ASIC-DFC9-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0x930D0EBD
Jun  7 16:49:28.971: %EARL_L2_ASIC-DFC9-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0x930D0EBD
Jun  7 16:50:29.723: %EARL_L2_ASIC-DFC9-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0x930D0EBD

Immediately I checked the status of the modules and found the following:

SL02-MB-1256-005# show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1    1  Application Control Engine Module      ACE20-MOD-K9       XXXXXXXXXXX
  7    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       XXXXXXXXXXX
  9    8  CEF720 8 port 10GE with DFC            WS-X6708-10GE      XXXXXXXXXXX
 11   10  WiSM WLAN Service Module               WS-SVC-WISM-1-K9   XXXXXXXXXXX
 13   10  WiSM WLAN Service Module               WS-SVC-WISM-1-K9   XXXXXXXXXXX

Mod  Sub-Module                  Model              Serial       Hw     Status
---- --------------------------- ------------------ ----------- ------- -------
  7  Policy Feature Card 3       WS-F6K-PFC3B       XXXXXXXXXXX  1.0    Ok
  7  MSFC3 Daughterboard         WS-SUP720          XXXXXXXXXXX  2.1    Ok
  9  Distributed Forwarding Card WS-F6700-DFC3C     XXXXXXXXXXX  1.4    Ok
 11  Centralized Forwarding Card WS-SVC-WISM-1-K9-D XXXXXXXXXXX  2.2    Ok
 13  Centralized Forwarding Card WS-SVC-WISM-1-K9-D XXXXXXXXXXX  2.2    Ok

Mod  Online Diag Status
---- -------------------
  1  Pass
  7  Pass
  9  Minor Error
 11  Pass
 13  Pass
SL02-MB-1256-005#

From the above output it is quite evident that the Cisco Catalyst 6500 Series 8-Port 10 Gigabit Ethernet Module inserted in slot 9 is defective.

The error "BUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0x930D0EBD" (logged as "Jun  7 16:47:27.446: %EARL_L2_ASIC-DFC9-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0x930D0EBD") means that the EARL L2 ASIC detected an invalid header on the DBus, and it could indicate a faulty Cisco Catalyst 6500 Series 8-Port 10 Gigabit Ethernet Module.
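To turn the log reading above into a repeatable check, here is an added Python example (not from the original post) that pulls the slot number out of the DFC facility tag of each DBUS_HDR_ERR message and cross-checks it against the Online Diag Status table of show module; the sample log and output embedded in it are constructed from the lines quoted in this post.

```python
"""Pick out the suspect module from the 6513 syslog and show module output above.
Added example, not part of the original post: the DFC<slot> facility tag in each
%EARL_L2_ASIC-DFC<slot>-4-DBUS_HDR_ERR message names the slot of the line card
whose DFC reported the bad DBus header; counting messages per slot and checking the
slot against the Online Diag Status table of show module points at the card."""
import re
from collections import Counter

DBUS_RE = re.compile(
    r"%EARL_L2_ASIC-DFC(?P<slot>\d+)-(?P<sev>\d)-DBUS_HDR_ERR:.*?"
    r"Ctrl1\s+(?P<ctrl1>0x[0-9A-Fa-f]+)")
DIAG_RE = re.compile(r"^\s*(?P<slot>\d+)\s+(?P<status>Pass|Minor Error|Major Error|Fail)\s*$")


def parse_dbus_errors(log):
    """Return ({slot: message count}, {slot: set of Ctrl1 values}) for DBUS_HDR_ERR lines."""
    counts, ctrl1 = Counter(), {}
    for line in log.splitlines():
        m = DBUS_RE.search(line)     # lines without the DFC facility tag are ignored
        if m:
            slot = int(m["slot"])
            counts[slot] += 1
            ctrl1.setdefault(slot, set()).add(m["ctrl1"])
    return counts, ctrl1


def parse_diag_status(show_module):
    """Return {slot: status} from the 'Online Diag Status' table of show module."""
    status, in_table = {}, False
    for line in show_module.splitlines():
        if line.startswith("Mod"):   # each column header starts a new table
            in_table = "Online Diag Status" in line
            continue
        m = DIAG_RE.match(line) if in_table else None
        if m:
            status[int(m["slot"])] = m["status"]
    return status


def suspect_modules(log, show_module):
    """Slots that logged DBus header errors, most errors first, with their diag status."""
    counts, ctrl1 = parse_dbus_errors(log)
    diag = parse_diag_status(show_module)
    return [{"slot": slot, "errors": n, "ctrl1": sorted(ctrl1[slot]),
             "diag": diag.get(slot, "unknown")}
            for slot, n in counts.most_common()]


# Constructed sample built from the log and show module lines quoted in the post
SAMPLE_LOG = """\
BUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0x930D0EBD
Jun  7 16:47:27.446: %EARL_L2_ASIC-DFC9-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0x930D0EBD
Jun  7 16:48:28.582: %EARL_L2_ASIC-DFC9-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0x930D0EBD
Jun  7 16:49:28.971: %EARL_L2_ASIC-DFC9-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0x930D0EBD
Jun  7 16:50:29.723: %EARL_L2_ASIC-DFC9-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0x930D0EBD
"""
SAMPLE_SHOW_MODULE = """\
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  9    8  CEF720 8 port 10GE with DFC            WS-X6708-10GE      XXXXXXXXXXX

Mod  Online Diag Status
---- -------------------
  1  Pass
  7  Pass
  9  Minor Error
 11  Pass
 13  Pass
"""
```

A slot that keeps appearing in the output with "Pass" diagnostics, as happened a week after the reseat in part 2, is still worth an RMA conversation with TAC.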

In my next post I will describe the initial action plan I followed before contacting the Cisco TAC.


April 17, 2012  5:38 AM

Data Center Security Policies and Procedures – part2



Posted by: Yasir Irfan
Authorized Access List, computer hardware, Data Center, Data Center access, Data Center Physical security policy, Data Center Security Policies and Practices, Electro-magnetic devices, outsourced, Radioactive materials, Routers, SANs, security solutions, Servers farms, staff access contractors access, Switches, vendors

In my previous article we came across the Data Center physical security policy and procedures; now let's see more about the access provided to Data Centers. Basically there are three "Levels of Access" to the Data Center:

1) ITKE* employees

2) Contractors / Outsourced companies

3) Visitor Engineers Access (Vendors)

1. ITKE* staff Access

This is given to people who have free access authority into the Data Center. ITKE* staff Access is granted to the ITKE* staff whose job responsibilities require that they have access to the area. These individuals also have the authority to grant temporary access to the Data Center and to enable others to enter and leave the Data Center. People with ITKE* staff Access are responsible for the security of the area and for any individuals they allow into the Data Center, who MUST be listed on the Authorized Access List. Individuals with ITKE* staff Access to the area may admit properly authorized and logged (signed in and out) contractors and visitor engineers when they need access to the Data Center.

2. Contractors / Outsourced companies Access

This is closely monitored access given to people who have a business need for infrequent access to the Data Center. "Infrequent access" is generally defined as access required for a period of time (depending on the contract). A person given Contractors Access to the area MUST sign in and out under the direct supervision of a person with Controlling Access. A person with Contractors Access to the area MUST NOT allow any other person to enter or leave the area without permission from a person with ITKE* staff Access. Only those Representatives identified in writing by the Customer on the ITKE* Data Centre Access Authorization List Form may request to enter the Data Centre. Each Customer MUST ensure that the Representatives and the accompanying persons do NOT take any actions that the Customer is prohibited from taking under this Policy.

3. Visitor Engineers Access (Vendors)

This is granted to a person from a vendor who has to do installation or other work in the Data Center. A person given Visitor Engineers Access to the area MUST sign in and out and submit a report under the direct supervision of a person with Controlling Access. A person with Visitor Engineers Access to the area MUST NOT allow any other person to enter or leave the area. A maximum of 3 persons, of whom at least one MUST be a Representative, may enter the Data Centre at the same time. For security reasons, all visitors (Representatives and accompanying persons) will be requested to show their STAFF ID or Passport for verification. They will be refused entry to the Data Centre if the required credentials CANNOT be shown.

In the upcoming post let's continue our journey with the policies and procedures related to Data Center access.


April 11, 2012  5:05 AM

Data Center Security Policies and Procedures – part1



Posted by: Yasir Irfan
computer hardware, Data Center, Data Center Physical security policy, Data Center Security Polices and Procedures, Data Center Security Policies and Practices, Electro-magnetic devices, levels of access, Radioactive materials, Routers, SANs, security solutions, Servers farms, Switches

Data Centers are the heart of any organization; they house the majority of server farms, switches, routers, security solutions, SANs and much more. Recently we were asked to develop the Security Policies and Procedures for our Data Centre, which I am going to share in upcoming blogs.

In this particular part of my article I will focus on the Data Center physical security policy and procedures.

 

1. Overview

Security for the Data Center is the responsibility of all departments that share the data center space. ITKE* is responsible for the administration of this policy. The following are the general requirements and policies for access to this sensitive area. Failure to follow the guidelines set forth in this document is grounds for termination of agreements and potential legal action.

The Customer MUST NOT, except as otherwise agreed by ITKE*:

    1. Place any computer hardware or other equipment in the Licensed Area;
    2. Store any other combustible materials of any kind in the Licensed Area; and
    3. Bring any "Prohibited Materials" (as defined below) into the Data Centre. Prohibited Materials shall include, but are NOT limited to, the following and any similar items:
        1. Food, drink, illegal drugs and other intoxicants
        2. Tobacco products
        3. Explosives and weapons
        4. Hazardous materials
        5. Electro-magnetic devices, which could unreasonably interfere with computer and telecommunications equipment
        6. Radioactive materials
        7. Photographic or recording equipment of any kind
        8. Any other items deemed inappropriate at ITKE*’s sole discretion.

2. Primary Guidelines

The “Data Center” is a restricted area requiring a much greater level of control than normal spaces. Only those individuals who are authorized to do so by the ITKE* may enter this area.  Access privileges will only be granted to individuals who have business need to be in the data center.

All departmental staff sharing the Data Center will familiarize themselves thoroughly with this document. Any questions regarding policies and procedures should be addressed to ITKE*.

The only exception allowed to the Data Center Security Policies and Practices is temporary suspension of these rules if it becomes necessary to provide emergency access.

In the upcoming article I will focus on the levels of access that can be provided to Data Centers.

*ITKE is used just as a reference and can be replaced by your organization or department name.

