Network technologies and trends


June 23, 2008  8:27 AM

Cisco Cool Tips – Series 2: Using Privileged EXEC Commands in Global Configuration Mode

Yasir Irfan

Beginning with IOS version 12.3, Cisco added the do command, which lets you view the configuration and statistics from within configuration mode instead of having to leave it first.

Here’s a handy tip when using the show, ping, and telnet commands. Instead of switching back and forth between global configuration mode and privileged EXEC mode to run them, stay in configuration mode and prefix the command with do, keeping the original syntax. It works in interface and other configuration sub-modes as well, which makes it convenient for checking a change (for example, a show running-config) right after entering it.

For example:

Switch(config)#do show running-config
or

Router(config)#do show ip route
or

Router(config)#do ping 192.168.0.1

or

Switch(config)#do show vtp status

Yasir
Personal Website: www.yasirirfan.com


June 23, 2008  5:41 AM

Sample IT Security Policy – Human Security


In my previous post on the IT Security Policy I discussed Physical Security. Now we continue our journey and look at what should be considered while drafting the Human Security policy.

2‐HUMAN SECURITY
Information Security (IS) considers the following:
1. Several studies and experiences indicate that most computer crimes are committed by employees and other persons who are authorized to be on the company premises or who are in a trusted relationship.
2. Complete background checks before hiring someone or allowing someone access to Organization resources.
3. In new employee orientation, stress the importance of proprietary data and that any compromise of proprietary data will result in discipline, termination, or prosecution.
4. Advise departing employees that it is against the law to take proprietary material, and that the Organization will prosecute anyone caught taking any type of proprietary information.
5. Set up an easy-to-use system that allows employees to confidentially or anonymously report suspicious behavior.
6. Develop a method to combat the belief held by many employees that anyone who has worked on something has a right to take a copy. This feeling of ownership occurs regardless of signed non-disclosure agreements and ownership/invention agreements. One of the most common criminal defenses is that the ex-employee just wanted a sample of their work.
7. Control and approve any articles written about the Organization by employees.
8. Access to information shall rise with pay and with proven loyalty.
9. Employees are responsible for immediately reporting lost, misplaced, or unaccounted-for networked systems.
10. When audit policy monitoring reveals that an employee is a security risk, that employee’s access to sensitive information shall immediately be downgraded.
11. Off-site computer usage, whether at home or at other locations, may only be authorized by the Manager.
12. Assignment of portable systems shall be limited to those who require portability to perform their work. Portable equipment is not a perquisite, because of the inherent security risk and the cost of replacement.
IS concerns are:
a. It must be used for business only.
b. Use of unlicensed software may put the Organization at legal risk.
c. Viruses, worms, Trojans and other malicious code can corrupt both data and system files.
d. Theft of a portable computer exposes the Organization to the threat of disclosure of sensitive data.
e. A laptop connected to any network is open to attack and is unlikely to have effective security features enabled. Files and data could be stolen, damaged or corrupted.
f. Where a laptop is used by several persons, old or stale data may still be present, risking unintentional actions based on inaccurate data.
13. Sudden changes in appearance that might indicate an external factor at work in the employee’s life shall be noted and monitored by security personnel. Sudden changes in lifestyle, apparent income, or attitude may necessitate a security evaluation.
14. Personnel issued mobile phones by the Organization are responsible for using them in a manner consistent with the confidentiality level of the information discussed.
15. Security check-in/check-out and name tags are required for all personnel on the premises. Employees shall be issued permanent badges. Visitors shall be issued temporary badges for the duration of their visit only.
16. Employees shall not have access to secret or higher systems or information for a period of ninety days from their initial employment. The purpose of this policy is to prevent the placement of spies from competing organizations.
17. Animosity, aggression, or violence towards the Organization, its assets, or its employees is an indicator of serious security risk. Audit policy shall be used to monitor the behavior of suspect individuals without alerting them to the fact that they are under observation. Instances of sabotage or other security violations are grounds for immediate dismissal.
18. Sensitive or confidential information must not be recorded on answering machines or voice mail.

Yasir

Personal Website: www.yasirirfan.com



June 22, 2008  12:59 PM

Cisco Cool Tips – Series 1: Cutting and Pasting a Config via HyperTerminal


If you cut and paste a configuration into an IOS-based switch using HyperTerminal, the paste usually fails about midway through. This happens because HyperTerminal sends the text faster than the switch can process it, particularly when a command returns a message (the portfast warning, for example), and the lines that arrive during that pause are lost. To avoid this, in HyperTerminal select File – Properties, click the Settings tab, click the ASCII Setup button, and add a character delay of 5 milliseconds (if it still fails, add a line delay as well). You should now be able to paste your configuration successfully. Afterwards, compare show running-config against what you pasted before saving, so a silently dropped line does not end up in the startup configuration.

Yasir
Personal Website: www.yasirirfan.com



June 22, 2008  6:08 AM

Sample I.T Security Policy


Dear Folks

Now I am going to concentrate on a SAMPLE I.T. Security Policy for an Organization. I will try to cover some important aspects in brief over the coming weeks, as we all know how important a Security Policy is. I was inspired to draft a sample security policy after reading Network Security Architectures by Sean Convery.

What is a Security Policy?
Security policies are a special type of documented business rule for protecting information and the systems which store and process the information. Information security policies are usually documented in one or more information security policy documents. Within an organization, these written policy documents provide a high-level description of the various controls the organization will use to protect information.
Written information security policy documents are also a formal declaration of management’s intent to protect information, and are required for compliance with various security and privacy regulations. Organizations that require audits of their internal systems for compliance with various regulations will often use information security policies as the reference for the audit.
(Source http://en.wikipedia.org/wiki/Information_security_policy)

I am planning to cover following things in coming weeks,

1- PHYSICAL SECURITY
2- HUMAN SECURITY
3- USER POLICY
4- CLIENT SECURITY
5- NETWORK SECURITY
6- SERVER SECURITY
7- DATA SECURITY
8- REMOTE ACCESS SECURITY
9- INTERNET POLICY

First of all I will start with Physical Security policy and later on I will proceed with the next policies.

1‐PHYSICAL SECURITY
Information Security (IS) considers the following:
1- Make sure that building security is adequate to prevent walk-up access to workstations.
2- Employ a security officer or an “attack receptionist” to guard the front desk, and do not allow non-employees access beyond that point.
3- Physical access to high-security areas is to be controlled with strong identification and authentication techniques. Staff authorized to enter such areas are to be briefed on the security risks involved.
4- Make certain all servers are located in locked and secure rooms. Restrict access to administrative personnel.
5- Make certain the servers are stored in an area that is secure from physical compromise under all reasonable circumstances. Make sure all guests are escorted while they are in the room.
6- Sensitive and valuable material must be stored securely, for example in lockable storage cupboards.
7- Put sensitive data and material in fire-protected storage cabinets.
8- Keep a safe in mind for storing the most sensitive material.

Cheers

Yasir
Personal Website: www.yasirirfan.com



June 21, 2008  5:42 AM

What is SSH, and how is it configured on a Cisco switch?


Secure Shell (SSH) – TCP Port 22

SSH stands for “Secure Shell”. It normally listens on TCP port 22 and connects your computer to another computer over the network, giving an encrypted and authenticated terminal session. It is most often used by network administrators as a remote login and remote control method for managing their servers and network devices. Examples: your email administrator needs to reboot the company email server from home, or your network administrator needs to reset your office password while she is away at a conference.

If remote access to a switch is necessary, use SSH instead of telnet. SSH encrypts the session, whereas telnet sends usernames, passwords and every command in clear text. However, only IOS images that include cryptographic support (the k9 feature sets) support SSH, so the switch may first need its IOS upgraded.

Before using SSH on the switch, the administrator must configure the switch with the following commands: hostname, ip domain-name, and crypto key generate rsa. The following example sets the hostname to Switch.

Switch(config)# hostname Switch
The ip domain-name command supplies the domain half of the RSA key name; for the key name shown below (switch.test.lab) that means the domain test.lab.
The crypto key generate rsa command depends on the hostname and ip domain-name commands, because the key is named after the fully qualified host name. It generates a Rivest, Shamir, Adleman (RSA) key pair, which includes one public RSA key and one private RSA key.
The following example shows this crypto command, including the two values it prompts for: the name for the keys (e.g., switch.test.lab) and the size of the key modulus (e.g., 1024). A 1024-bit modulus was common when this was written; where the IOS version allows it, choose at least 2048 bits. Once the key exists, also enter ip ssh version 2 so the switch does not negotiate the weaker SSHv1, and confirm the result with show ip ssh.

Switch(config)# crypto key generate rsa
The name for the keys will be: switch.test.lab
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may
take a few minutes.
How many bits in the modulus[512]? 1024
Generating RSA keys…. [OK].

To restrict SSH access to the switch, configure an extended access-list (e.g., 101) that permits only the administrators’ systems to make these connections, and apply it to the virtual terminal lines with access-class. Allow only SSH on these lines with the transport input ssh command; without it the lines accept telnet as well. Set the privilege level to 0, and set the exec-timeout to 9 minutes and 0 seconds so idle sessions are disconnected. Finally, use the login local command to enable local account checking at login, which prompts for a username and a password (a username command with a secret must exist, or you will lock yourself out of the lines).

The following commands show the example configuration for SSH on the virtual terminal lines.

Switch(config)# no access-list 101
Switch(config)# access-list 101 remark Permit SSH access from administrators’ systems
Switch(config)# access-list 101 permit tcp host 10.0.0.2 any eq 22 log
Switch(config)# access-list 101 permit tcp host 10.0.0.4 any eq 22 log
Switch(config)# access-list 101 deny ip any any log
Switch(config)# line vty 0 4
Switch(config-line)# access-class 101 in
Switch(config-line)# transport input ssh
Switch(config-line)# privilege level 0
Switch(config-line)# exec-timeout 9 0
Switch(config-line)# login local

The login local command cannot be used once aaa new-model is configured. In that case use the login authentication command with a named AAA method list instead.


Yasir

Personal Website: www.yasirirfan.com



June 19, 2008  1:52 PM

Sample Campus Network Documentation Policy


Network Documentation Policy
1.0 Overview
This network documentation policy is an internal IT policy and defines the requirements for
network documentation. This policy defines the level of network documentation required such as
documentation of which switch ports connect to what rooms and computers. It defines who will
have access to read network documentation and who will have access to change it. It also defines
who will be notified when changes are made to the network.
2.0 Purpose
This policy is designed to provide for network stability by ensuring that network documentation
is complete and current. This policy should complement disaster management and recovery by
ensuring that documentation is available in the event that systems should need to be rebuilt. This
policy will help reduce troubleshooting time by ensuring that appropriate personnel are notified
when changes are made to the network.
3.0 Documentation
The network structure and configuration shall be documented and provide the following
information:
1. IP addresses of all devices on the network with static IP addresses.
2. Server documentation on all servers as outlined in the “Server Documentation”
document.
3. Network drawings showing:
a) The locations and IP addresses of all hubs, switches, routers, and firewalls on the
network.
b) The various security zones on the network and devices that control access
between them.
c) The locations of every network drop and the associated switch and port on the
switch supplying that connection.
d) The interrelationship between all network devices showing lines running between
the network devices.
e) All subnets on the network and their relationships including the range of IP
addresses on all subnets and net mask information.
f) All wide area network (WAN) or metropolitan area network (MAN) information
including network devices connecting them and IP addresses of connecting
devices.
4. Configuration information on all network devices including:
a) Switches
b) Routers
c) Firewalls
5. Configuration shall include but not be limited to:
a) IP Address
b) Netmask
c) Default gateway
d) DNS server IP addresses for primary and secondary DNS servers.
e) Any relevant WINS server information.
6. Network connection information including:
a) Type of connection to the internet or other WAN/MAN, including T1, T3 or frame
relay.
b) Provider of internet/WAN/MAN connection and contact information for sales and
support.
c) Configuration information including net mask, network ID, and gateway.
d) Physical location of where the cabling enters the building and circuit number.
4.0 Access
The IT networking and some enterprise security staff shall have full access to all network
documentation. The IT networking staff shall have the ability to read and modify network
documentation. Designated enterprise security staff shall have access to read and change network
documentation but those not designated with change access cannot change it. Help desk staff
shall have read access to network documentation.
5.0 Change Notification
The help desk staff, server administration staff, application developer staff, and IT management
shall be notified when network changes are made, including:
a) Reboot of a network device including switches, routers, and firewalls.
b) Changes of rules or configuration of a network device including switches, routers, and
firewalls.
c) Upgrades to any software on any network device.
d) Additions of any software on any network device.
Notification shall be through email to designated groups of people.
6.0 Documentation Review
The network or IT manager shall ensure that network documentation is kept current by
performing a monthly review of documentation or designating a staff member to perform a
review. Ticketing (e.g., Remedy) or help desk requests within the last month should be reviewed to help
determine whether any network changes were made. Also any current or completed projects
affecting network settings should be reviewed to determine whether there were any network
changes made to support the project.
7.0 Storage Locations
Network documentation shall be kept either in written form or electronic form in a minimum of
two places. It should be kept in two facilities at least two miles apart so that if one facility is
destroyed, information from the other facility may be used to help construct the IT infrastructure.
Information in both facilities should be updated monthly at the time of the documentation
review.


June 18, 2008  1:28 PM

Introduction to Freeware Bandwidth Monitoring Software – Series 1


Cacti is one of the best free bandwidth monitoring tools that work with SNMP. It is an RRDtool-based front end that uses a MySQL database and is written entirely in PHP.

What is Cacti?
Cacti is a resource monitoring tool that uses RRDtool to store the polled data and to draw graphs from it. Cacti’s greatest strength is that it makes complex graphs easy to produce. It comes with a fast poller that collects data from many sources simultaneously, and it has user management features. It is user-friendly enough that a newcomer can work out how it operates with little effort.

Why Cacti?
In a single sentence: “Cacti, because it’s easy”. Installing and using Cacti is simple and does not require in-depth knowledge of networking or resource management. You can install and configure it in a few steps, which makes it ideal for new network administrators. Nevertheless, it is powerful and scalable enough to be used in large networks with hundreds of devices.

Installation
Cacti can be installed on many platforms, including Unix, Linux and Windows. I am concentrating on Windows XP. To install Cacti, download the fully integrated package from one of the following links: http://www.disorder.com/~bsod/cacti-0.8.7b.1.8.exe
http://files.davehope.co.uk/cacti/ (thanks to Rony and Dave Hope for hosting).
Installation is straightforward: make sure IIS is enabled and follow the steps until the final step, where a few modifications are needed; these are described in the attached Cacti Post Installation Instructions.

Once installation is done, log on to the Cacti web interface at
http://IP Address of the PC/cacti/index.php with the default username admin and password cactipw. Change that default password straight away: the Cacti interface holds the SNMP community strings for every monitored device, and the PC running IIS is reachable by anyone on the network.

For Adding Devices and graphs access this link http://www.cacti.net/downloads/docs/html/graph_howto.html

For further details do log in to cacti forums and cacti web site
http://forums.cacti.net
http://www.cacti.net/


June 17, 2008  7:02 AM

Configuring HSRP in Cisco 6500 Switch


Configuring HSRP in a Cisco 6500 Switch

Yasir
Personal Website: www.yasirirfan.com


June 17, 2008  6:48 AM

Introduction to Cisco port security and the reasons to implement it


A growing challenge for network administrators is controlling who can access the organization’s internal network, and who cannot. For example, can anyone walk into the campus LAN, plug in a laptop, and access the network? You might argue that the wall jack has no connection to a switch, but couldn’t someone just pull the Ethernet cable from a working PC and connect to the network that way?

You might think this an unlikely scenario, but it does happen. For example, salesmen coming in to demo products will pull the Ethernet cable off a PC and connect it to their laptop, hoping to get Internet access.

I turned to switch port security to help solve the problem. Let’s look at how we can use Cisco’s Port Security feature to protect our organization.

Understand the basics
In its most basic form, the Port Security feature learns the Ethernet MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security acts on the violation; by default it disables the port. Most of the time, network administrators also configure the switch to send an SNMP trap to their network monitoring solution when a port is disabled for security reasons. Port security therefore keeps unauthorized devices off the network, which increases security. Keep in mind that it keys on the MAC address alone, which a determined attacker can spoof, so treat it as one layer rather than as authentication.

Benefits of port security
The key benefits of Port Security are:
•Network availability – reduce campus-wide network outages caused by broadcast storms by blocking unauthorized hubs and switches.
•Network reliability – a port’s bandwidth can be guaranteed when it is limited to one MAC address; it cannot be if other devices share the port.
•DHCP availability – reduce the risk of exhausting the DHCP address pool per VLAN by limiting each port to one MAC address.
•Network security – limiting each switch port to one MAC address is an attack mitigation strategy. It stops CAM table flooding attacks, in which the switch’s MAC address table is overflowed so that the switch floods unicast frames out every port like a hub; tools such as macof perform this attack.
•Future proofing – port authentication at the network edge (802.1x) also limits a user to one MAC address per port by default.

Applying Cisco Security Features to Solve Common Problems

Sample configuration for port security
Configuring the Port Security feature is relatively easy. In its simplest form, port security requires going to an already enabled access port and entering the switchport port-security interface command. Here’s an example:

Switch# config t
Switch(config)# int fa0/18
Switch(config-if)# switchport port-security ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode

Switch(config-if)# switchport port-security
Switch(config-if)# ^Z

By entering the most basic command to configure port security, we accepted the default settings: only one MAC address is allowed, that MAC address is learned from the first device that communicates on the switch port, and the port is shut down if another MAC address attempts to communicate through it. But you don’t have to accept the defaults.

Know your options
As you can see in the example, there are a number of other port security commands that you can configure. Here are some of your options:
switchport port-security maximum {max number of MAC addresses allowed}: allows more than the default of one MAC address. For example, if a 12-port hub were connected to this switch port, you would want to allow 12 MAC addresses, one for each device. The upper limit is platform-dependent (132 per port on the Catalyst 2950, for example).
switchport port-security violation {shutdown | restrict | protect}: tells the switch what to do when a MAC address beyond the configured maximum appears on the port. The default, shutdown, puts the port into the err-disabled state, where it stays until an administrator issues shutdown and then no shutdown on it (or errdisable recovery is configured). restrict drops frames from the offending address, increments the violation counter and generates a syslog message and SNMP trap, so the administrator is alerted. protect also drops the offending frames but does so silently, with no counter, log or trap, which makes violations hard to notice.
switchport port-security mac-address {MAC address}: manually defines the MAC address allowed on this port rather than letting the port learn it dynamically. The variant switchport port-security mac-address sticky keeps dynamically learned addresses in the running configuration, so they survive a link flap and, if you save the configuration, a reload.

Of course, you can also configure port security on a range of ports. Here’s an example:
Switch# config t
Switch(config)# int range fastEthernet 0/1 - 24
Switch(config-if-range)# switchport port-security
Be very careful with a range, however: if it includes an uplink to another switch or a hub, more than one MAC address will be seen on that port, and as soon as the second device sends a frame the whole port will shut down. Leave uplinks and trunks out of the range.

View the status of port security
Once you’ve configured port security and the Ethernet device on that port has sent traffic, the switch records the MAC address and secures the port using that address. To find out the status of port security on the switch, use the show port-security address and show port-security interface commands. Below are examples of each command’s output:
Switch# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type             Ports    Remaining Age
                                                        (mins)
----    -----------       ----             -----    -------------
   1    0004.00d5.285d    SecureDynamic    Fa0/18         -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024

Switch# show port-security interface fa0/18
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 0004.00d5.285d
Security Violation Count : 0

Switch#

Yasir
Personal Website: www.yasirirfan.com
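The SSH post of June 21 and the port security post above both come down to a handful of lines that must be present in a switch’s running configuration: ssh as the only transport on the vty lines, an access-class, an exec-timeout, login local, and switchport port-security on each access port. The following Python script is an added example and not code from either post: it parses the text of a show running-config and reports which of those lines are missing or weakened. The two configurations inside it are constructed samples (the interface names and ACL number follow the posts; the username and secret values are placeholders), and the check for ip ssh version 2 is an addition the posts do not mention.

```python
import re

# Constructed sample configs, not captured from a real switch. Interface and
# ACL names follow the posts; the username and secret values are placeholders.
WEAK_CONFIG = """\
interface FastEthernet0/18
 switchport mode access
interface GigabitEthernet0/1
 switchport mode trunk
 switchport port-security
line vty 0 4
 transport input telnet ssh
 login
"""

HARDENED_CONFIG = """\
ip domain-name test.lab
ip ssh version 2
username admin privilege 15 secret hypothetical
interface FastEthernet0/18
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
access-list 101 permit tcp host 10.0.0.2 any eq 22 log
access-list 101 permit tcp host 10.0.0.4 any eq 22 log
access-list 101 deny ip any any log
line vty 0 4
 access-class 101 in
 transport input ssh
 exec-timeout 9 0
 login local
"""


def parse_blocks(config):
    """Split an IOS config into global commands plus the indented lines
    under each 'interface ...' or 'line ...' header."""
    globals_, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        elif raw.startswith(("interface ", "line ")):
            current = raw.strip()
            blocks.setdefault(current, [])
        else:
            current = None
            globals_.append(raw.strip())
    return globals_, blocks


def audit_vty(config):
    """SSH-only VTY checks: SSH v2, domain name for the RSA key, ssh as the
    only transport, a source ACL, an idle timeout, local or AAA login."""
    globals_, blocks = parse_blocks(config)
    findings = []
    if not any(g.startswith("ip domain-name ") for g in globals_):
        findings.append("no ip domain-name: crypto key generate rsa requires it")
    if "ip ssh version 2" not in globals_:
        findings.append("ip ssh version 2 not set: SSHv1 remains negotiable")
    acls = {}  # ACL number -> [(action, source)]; source is field 3 or 4
    for g in globals_:
        m = re.match(r"access-list (\d+) (permit|deny) (\S+)(?: (\S+))?", g)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(4) or m.group(3)))
    for header, lines in blocks.items():
        if not header.startswith("line vty"):
            continue
        first = lambda prefix: next((ln for ln in lines if ln.startswith(prefix)), None)
        transport = first("transport input")
        if transport is None or transport.split()[2:] != ["ssh"]:
            findings.append(f"{header}: transport input is '{transport or 'unset'}', must be ssh only")
        ac = first("access-class ")
        if ac is None:
            findings.append(f"{header}: no inbound access-class, any source may connect")
        elif any(a == "permit" and s == "any" for a, s in acls.get(ac.split()[1], [])):
            findings.append(f"{header}: ACL {ac.split()[1]} permits any source")
        timeout = first("exec-timeout")
        if timeout is None or timeout.split()[1:] == ["0", "0"]:
            findings.append(f"{header}: exec-timeout missing or disabled")
        login = first("login")
        if login is None or login == "login":
            findings.append(f"{header}: use login local or login authentication, not a line password")
    return findings


def audit_port_security(config):
    """Flag access ports without port security, port security on a trunk
    (a second MAC shuts it down) and violation mode protect (no log/trap)."""
    _, blocks = parse_blocks(config)
    findings = []
    for header, lines in blocks.items():
        if not header.startswith("interface "):
            continue
        name, secured = header.split(" ", 1)[1], "switchport port-security" in lines
        if secured and "switchport mode trunk" in lines:
            findings.append(f"{name}: port security on a trunk, second MAC will shut it down")
        elif not secured and "switchport mode access" in lines:
            findings.append(f"{name}: access port without port security")
        elif "switchport port-security violation protect" in lines:
            findings.append(f"{name}: violation mode protect drops offenders silently")
    return findings
```

Run audit_vty and audit_port_security over the text of a saved show running-config; an empty list means the recipe is complete. The script reads only the lines the posts discuss, so a device that authenticates through AAA (login authentication) passes the login check, while a trunk or uplink carrying port security is reported because that is the case the post warns will shut the whole port down.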

