hzw -

My notes about IT, security, CCIE Security journey, routers, firewalls and many more…To contact me, send an email to: myitmicroblog@gmail.com

Page 6


SECURE the Internet of Things (IoT)

I would like to present my idea of how to protect the IoT. I'm aware that my design may contain some errors; it's just my version.

The concept of the 'Internet of Things', where many 'things' interact with each other, requires a new model of security. I would like to propose my idea of using existing elements, which are reliable and widely used in today's networks.
KEY ELEMENTS

  • Zone – a virtual area in which hosts are placed; depending on zone membership, different types of secure connections can be set up.
  • Host – a device with an Internet interface and security features.
  • GET VPN – Group Encrypted Transport VPN – a tunnel-less VPN technology that provides end-to-end security for network traffic.
  • GET VPN Server/Key Server – responsible for maintaining security policies, authenticating the group members (GMs) and providing the session key for encrypting traffic. The KS authenticates the...

Continue reading →


Mitigating a DDOS attack – can you really do it?

Today I would like to shake your confidence in the security of your organization. You have spent hundreds of dollars or euros on security devices and think you are safe. I believe there are many organizations like yours that think the same thing. Once they become victims, they realize they are not as safe as they had thought.
Let's talk about DoS/DDoS attacks. I think most people have some knowledge about them. Today we should not talk only about plain DoS attacks, because the risk of being seriously impacted by them is very low: most network devices can easily mitigate such an attack because all of the traffic comes from one source IP address, which can simply be filtered or rate-limited. The situation is different when we receive illegitimate traffic from many IP addresses. There are two possibilities here: we can be flooded by traffic from real, existing source IP addresses; or there is one real source, but the packets contain random...

Continue reading →
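As an added example that is not part of the original post, the following Python script classifies one window of packets by the distribution of their source addresses, which is exactly the distinction made above: one source (easy to filter), many real sources (a botnet), or one sender forging a random source per packet (spoofing). The thresholds and the three sample floods are constructed for illustration, not measured from a real attack.

```python
# Added example, not code from the original post. Classifies one window of
# packets by the distribution of their source addresses: one source, many
# real sources, or one sender that spoofs random sources. Thresholds and
# sample traffic are constructed (documentation address ranges).
from collections import Counter
import ipaddress
import random


def classify_flood(src_ips, single_source_share=0.9, spoof_unique_ratio=0.9):
    """Return (verdict, metrics) for the source IPs seen in one time window.

    Assumed heuristics (not from the post):
      - one address accounts for >= 90% of packets  -> "single-source"
        (an ACL or rate limit on that address is enough)
      - nearly every packet has a distinct source   -> "spoofed-random-source"
        (per-source filtering is useless; think uRPF, SYN cookies,
        upstream filtering)
      - many sources, each sending repeatedly       -> "distributed-real-sources"
        (a botnet; needs capacity or scrubbing rather than one filter)
    """
    total = len(src_ips)
    if total == 0:
        return "no-traffic", {}
    counts = Counter(src_ips)
    top_ip, top_count = counts.most_common(1)[0]
    top_share = top_count / total
    unique_ratio = len(counts) / total
    metrics = {
        "packets": total,
        "sources": len(counts),
        "top_source": top_ip,
        "top_share": round(top_share, 3),
        "unique_ratio": round(unique_ratio, 3),
    }
    if top_share >= single_source_share:
        return "single-source", metrics
    if unique_ratio >= spoof_unique_ratio:
        return "spoofed-random-source", metrics
    return "distributed-real-sources", metrics


# --- constructed sample traffic (documentation addresses, not real data) ---

def sample_single_source(packets=1000):
    """One host in 203.0.113.0/24 sending every packet."""
    return ["203.0.113.7"] * packets


def sample_botnet(bots=50, packets_per_bot=20):
    """50 real hosts in 198.51.100.0/24, each retransmitting 20 times."""
    return [f"198.51.100.{i}" for i in range(1, bots + 1)
            for _ in range(packets_per_bot)]


def sample_spoofed(packets=1000, seed=1):
    """One sender forging a random 32-bit source address per packet."""
    rng = random.Random(seed)
    return [str(ipaddress.IPv4Address(rng.getrandbits(32)))
            for _ in range(packets)]


def run_samples():
    """Classify the three constructed floods; returns {name: verdict}."""
    return {
        "single": classify_flood(sample_single_source())[0],
        "botnet": classify_flood(sample_botnet())[0],
        "spoofed": classify_flood(sample_spoofed())[0],
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:8s} -> {verdict}")
```

The point of the three verdicts is that the mitigation differs: the first case is handled by any router, the third defeats per-source filtering entirely, and the second is the one where the amount of bandwidth you own matters more than the security device you bought.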


MAC Authentication Bypass

One of the methods of controlling access to your network is the MAB feature. It is helpful when you have devices without 802.1X (dot1x) capability, which are then authenticated by their MAC address instead. Today I will try to implement a basic configuration and analyze the log messages.
There is only one switch, SW1, with one device attached to port Fa1/0/2.

!
aaa new-model
aaa authentication dot1x default group radius
!    
!
int Fas1/0/2
authentication host-mode single-host 
authentication port-control auto 
mab
!
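
To relate the MAB log messages to what actually leaves the switch, here is an added example (not code from the original post) that builds the RADIUS Access-Request an IOS switch sends on behalf of a MAB client. It assumes, as IOS does, that the client MAC in lowercase hex without separators is used as both User-Name and User-Password, that Service-Type is set to Call-Check (10), and that Calling-Station-Id carries the MAC as AA-BB-CC-DD-EE-FF; the shared secret, the client MAC and the NAS address are constructed.

```python
# Added example, not code from the original post. Builds the RADIUS
# Access-Request that an IOS switch sends for a MAB client. Assumed (not
# stated on the page): User-Name and User-Password are both the MAC in
# lowercase hex without separators, Service-Type is Call-Check (10), and
# Calling-Station-Id is formatted AA-BB-CC-DD-EE-FF. Secret, MAC and NAS
# address below are constructed.
import hashlib
import ipaddress
import os
import struct

ACCESS_REQUEST = 1
# RFC 2865 / RFC 2869 attribute types
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
CALLING_STATION_ID, NAS_PORT_ID = 31, 87
SERVICE_TYPE_CALL_CHECK = 10


def attr(type_code, value):
    """Encode one attribute as Type(1) Length(1) Value; length includes the header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", type_code, len(value) + 2) + value


def hide_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: pad to a multiple of 16 and XOR each 16-byte block
    with MD5(secret + previous block), the first 'previous block' being the
    Request Authenticator. This is obfuscation keyed on the shared secret,
    not encryption, and it carries no integrity protection."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def unhide_password(hidden, secret, request_authenticator):
    """Inverse of hide_password (what the RADIUS server does)."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def normalize_mac(mac):
    """'0011.2233.4455' / '00:11:22:33:44:55' / '00-11-22-33-44-55' -> '001122334455'."""
    mac_hex = mac.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(mac_hex) != 12 or any(c not in "0123456789abcdef" for c in mac_hex):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac_hex


def mab_access_request(mac, secret, nas_ip, port_id, identifier=1,
                       request_authenticator=None):
    """Return the Access-Request bytes for a MAB client seen on port_id."""
    mac_hex = normalize_mac(mac)
    ra = request_authenticator or os.urandom(16)  # fresh random nonce per request
    calling = "-".join(mac_hex[i:i + 2] for i in range(0, 12, 2)).upper()
    attrs = (attr(USER_NAME, mac_hex.encode())
             + attr(USER_PASSWORD, hide_password(mac_hex.encode(), secret, ra))
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
             + attr(CALLING_STATION_ID, calling.encode())
             + attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
             + attr(NAS_PORT_ID, port_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra
    return header + attrs


def parse_attrs(packet):
    """Walk the attribute section; returns {type: [value, ...]}."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(t, []).append(packet[pos + 2:pos + l])
        pos += l
    return attrs


if __name__ == "__main__":
    pkt = mab_access_request("0011.2233.4455", b"cisco", "192.168.157.1", "Fa1/0/2")
    for t, values in parse_attrs(pkt).items():
        print(t, values)
```

Note what this request proves: only that the server knows the MAC. The "password" is the MAC itself, hidden with the shared secret, so anyone who learns or guesses the MAC of an authorized device can clone it on the same port; MAB is a convenience for dumb devices, not an authentication of the device.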

I haven’t configured ACS yet but let’s see what error message I receive:

SW1(config-if)#
mab-ev(Fa1/0/2): Received MAB context create from AuthMgr
mab-ev(Fa1/0/2): Created MAB client context 0x1100000F
    mab : initial state mab_initialize has enter
mab-ev(Fa1/0/2): Sending create new context event to EAP from MAB for 0x1100000F (0000.0000.0000)
mab-sm(Fa1/0/2): Received event 'MAB_START' on handle 0x1100000F
    mab : during state mab_initialize, got
...

Continue reading →


ACS, tacacs+ and management access to router

I would like to test tacacs+ authentication on routers.

R1#sh run aaa
!
aaa authentication login ACS group tacacs+
aaa authentication enable default group tacacs+
!
tacacs-server host 192.168.157.100 key cisco
aaa new-model
aaa session-id common
!

Note that neither method list has a fallback method after 'group tacacs+' (for example 'group tacacs+ local'), so when 192.168.157.100 does not answer, login on the vty lines that use the ACS list and enable authentication both fail.

R1#
R1#sh run | b line vty 0 4
line vty 0 4
 login authentication ACS
!

On ACS I added R1 as ND and ‘user1’ to the local database.

telnet 192.168.157.100

R1#
*Aug 27 15:37:05.071: TPLUS: Queuing AAA Authentication request 49 for processing
*Aug 27 15:37:05.075: TPLUS: processing authentication start request id 49
*Aug 27 15:37:05.079: TPLUS: Authentication start packet created for 49()
*Aug 27 15:37:05.079: TPLUS: Using server 192.168.157.100
*Aug 27 15:37:05.087: TPLUS(00000031)/0/NB_WAIT/685E7C1C: Started 5 sec timeout
*Aug 27 15:37:05.099: TPLUS(00000031)/0/NB_WAIT: socket event 2
*Aug 27 15:37:05.103:
...

Continue reading →
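The debug line "Authentication start packet created for 49()" refers to the TACACS+ authentication START packet. As an added example that is not from the original post, the Python below builds and decodes that packet as defined in RFC 8907, including the MD5 pseudo-pad obfuscation of the body keyed on the shared secret. The key 'cisco' comes from the post's configuration; the request id 49 from the debug is reused as the session id only for illustration (on the wire IOS picks a random session id), and the user, port and remote address are constructed. An ASCII login is assumed, which is what a plain telnet login uses.

```python
# Added example, not code from the original post. Builds and decodes the
# TACACS+ authentication START packet (RFC 8907) with MD5 pseudo-pad body
# obfuscation. Key 'cisco' is from the post; session id 49 is borrowed from
# the debug output for illustration; user, port and rem_addr are constructed.
import hashlib
import struct

TAC_PLUS_MAJOR_VER, TAC_PLUS_MINOR_VER_DEFAULT = 0xC, 0x0
TAC_PLUS_AUTHEN = 0x01               # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01     # header flag: body sent in the clear
TAC_PLUS_AUTHEN_LOGIN = 0x01         # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER = struct.Struct("!BBBBII")    # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); the digests are
    concatenated and truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call deobfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, priv_lvl=1):
    """Authentication START body for an ASCII login (empty data field)."""
    fields = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                         TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                         len(user), len(port), len(rem_addr), 0)
    return fields + user + port + rem_addr


def build_packet(body, session_id, key, seq_no=1, ptype=TAC_PLUS_AUTHEN):
    """Prepend the 12-byte header; obfuscate the body unless key is empty."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    flags = TAC_PLUS_UNENCRYPTED_FLAG if not key else 0
    payload = body if not key else obfuscate(body, session_id, key, version, seq_no)
    return HEADER.pack(version, ptype, seq_no, flags, session_id, len(body)) + payload


def parse_authen_start(packet, key):
    """Decode the header and the (deobfuscated) START body into a dict."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:12])
    if ptype != TAC_PLUS_AUTHEN or len(packet) != 12 + length:
        raise ValueError("not a well-formed authentication packet")
    body = packet[12:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!BBBBBBBB", body[:8])
    if 8 + ul + pl + rl + dl != length:
        raise ValueError("body length fields do not add up (wrong key?)")
    pos = 8
    user = body[pos:pos + ul]; pos += ul
    port = body[pos:pos + pl]; pos += pl
    rem_addr = body[pos:pos + rl]; pos += rl
    data = body[pos:pos + dl]
    return {"session_id": session_id, "seq_no": seq_no, "action": action,
            "priv_lvl": priv_lvl, "authen_type": authen_type, "service": service,
            "user": user, "port": port, "rem_addr": rem_addr, "data": data}


def demo(key=b"cisco", session_id=49):
    """Build the START for a telnet login and decode it with the right key."""
    body = authen_start_body(b"user1", b"tty2", b"192.168.157.130")
    pkt = build_packet(body, session_id, key)
    return pkt, parse_authen_start(pkt, key)


if __name__ == "__main__":
    pkt, decoded = demo()
    print(pkt.hex())
    print(decoded)
```

Two things worth noticing from the code: the obfuscation is a plain XOR with an MD5 keystream and has no integrity check, and its only secret is the shared key. With a key like 'cisco' anyone who captures the exchange can recover the packets offline in no time, so the key should be long and random and the TACACS+ path should be treated as a management network, not a public one.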


ACS, radius and management access to ASA

There are a couple of ways to configure management access to the ASA. One of them is to define the users in the ACS database. Depending on the RADIUS attributes returned, a user can be granted specific kinds of management access.

ciscoasa# sh run aaa
aaa authentication telnet console ACS
aaa authentication enable console ACS
aaa authorization exec authentication-server
ciscoasa# sh run aaa-server
aaa-server ACS protocol radius
aaa-server ACS (inside) host 192.168.157.100
 key *****
ciscoasa#

On ACS I added user1 and an authorization profile (Policy Elements -> Authorization and Permissions -> Network Access) with one attribute:

RADIUS-IETF Service-Type = Administrative

Let's then try to access the ASA:

R1#telnet 192.168.157.10
Trying 192.168.157.10 ... Open


User Access Verification

Username: user1
Password: *****
Type help or '?' for a list of available commands.
ciscoasa>

On the ASA we can see...

Continue reading →
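The Service-Type attribute only means something if the Access-Accept that carries it really came from ACS. As an added example that is not from the original post, the Python below does what the ASA, as a RADIUS NAS, has to do with the reply: verify the Response Authenticator with the shared secret, and only then map Service-Type to a management access level. The mapping (Administrative gives full access, NAS-Prompt gives CLI user mode without enable, anything else is denied) is my reading of 'aaa authorization exec authentication-server' and is an assumption; the secret, identifier and Request Authenticator are constructed.

```python
# Added example, not code from the original post. Verifies a RADIUS reply's
# Response Authenticator before trusting its Service-Type attribute, then
# maps the attribute to a management access level. The mapping is an
# assumption about 'aaa authorization exec authentication-server';
# secret, identifier and Request Authenticator are constructed.
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
SERVICE_TYPE = 6
SERVICE_TYPE_ADMINISTRATIVE, SERVICE_TYPE_NAS_PROMPT = 6, 7


def attr(type_code, value):
    """Type(1) Length(1) Value; length includes the two header bytes."""
    return struct.pack("!BB", type_code, len(value) + 2) + value


def build_response(code, identifier, request_authenticator, attrs, secret):
    """What the RADIUS server does (RFC 2865 section 3): Response Authenticator
    = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(packet, identifier, request_authenticator, secret):
    """What the NAS must do before reading any attribute of the reply."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != identifier:
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(packet):
    """Walk the attribute section; returns {type: [value, ...]}."""
    attrs, pos = {}, 20
    while pos < len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            raise ValueError("malformed attribute")
        attrs.setdefault(t, []).append(packet[pos + 2:pos + l])
        pos += l
    return attrs


def management_access(packet, identifier, request_authenticator, secret):
    """Decide management access from a RADIUS reply the way the ASA would
    with 'aaa authorization exec authentication-server' (assumed mapping)."""
    if not verify_response(packet, identifier, request_authenticator, secret):
        return "dropped: Response Authenticator does not verify"
    if packet[0] != ACCESS_ACCEPT:
        return "denied: Access-Reject"
    service_types = parse_attrs(packet).get(SERVICE_TYPE)
    if not service_types:
        return "denied: no Service-Type in Access-Accept"
    value = int.from_bytes(service_types[0], "big")
    if value == SERVICE_TYPE_ADMINISTRATIVE:
        return "full: privileged EXEC and ASDM configuration"
    if value == SERVICE_TYPE_NAS_PROMPT:
        return "limited: CLI user EXEC only, no enable, ASDM monitoring"
    return f"denied: Service-Type {value} is not a management type"


def demo(secret=b"cisco", identifier=5):
    """Constructed replies for user1: a genuine Administrative accept, a
    NAS-Prompt accept, an accept forged without the secret, and a reject."""
    ra = bytes(range(16))  # the Request Authenticator the ASA sent (constructed)
    admin = attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))
    nas = attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_NAS_PROMPT))
    replies = {
        "administrative": build_response(ACCESS_ACCEPT, identifier, ra, admin, secret),
        "nas_prompt": build_response(ACCESS_ACCEPT, identifier, ra, nas, secret),
        "forged": build_response(ACCESS_ACCEPT, identifier, ra, admin, b"guess"),
        "reject": build_response(ACCESS_REJECT, identifier, ra, b"", secret),
    }
    return {name: management_access(p, identifier, ra, secret)
            for name, p in replies.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15s} {outcome}")
```

The 'forged' case is the one to keep in mind: an Access-Accept with Service-Type = Administrative is worth exactly as much as the shared secret protecting it, and the Response Authenticator is a single MD5 over UDP. A long random key under 'aaa-server ... key' and a management network that an attacker cannot inject packets into are what make the attribute trustworthy.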


L2 troubleshooting - how to find an egress port?


                 vlan10                              vlan20
R1  [gig0/0]    -------   [Fa1/0/9] sw1 [Fa1/0/12] -------- [gig0/1] R2
     10.0.0.10                                              20.0.0.20  
   e8b7.4842.4c58                                          e8b7.4842.45c9
                                 [fa1/0/13]

                                      |
                                      |trunk
                                      |
                             fa0/0.10 | fa0/0.20
                             10.0.0.1 | 20.0.0.1
                               04c5.a43f.d6d0
                                      R3

Today I would like to talk about one command which can help us during troubleshooting of switching. As you can see, the scenario above contains three routers located in two different VLANs, with R3 acting as the router-on-a-stick that connects the two VLANs over the trunk.
Let’s try basic connectivity:

r1#ping 20.0.0.20

Type escape sequence to abort.
...

Continue reading →


GRE over IPsec - VRF aware (FVRF + IVRF)

Recently I worked on a problem with a VRF-aware VPN (GRE over IPsec) using FVRF and IVRF.

                           10.0.0.0/24

               /----\ .6                 .7 /----\
6.6.6.6 Loop0 |  R6  |---------------------|  R7  | Loop0 7.7.7.7
               \----/                       \----/
                 Tun1                       Tun1
          192.168.0.1                       192.168.0.2

--CLIENT------------>|<-----INTERNET------>|<---------CLIENT--
     VRF                      VRF                      VRF

Let's configure it!

First we have to define the VRFs:

!
ip vrf INTERNET
!
ip vrf CLIENT
!  

and then the interfaces:

R6:

!
interface Loopback0
 ip vrf forwarding CLIENT
 ip address 6.6.6.6 255.255.255.0
!
interface Tunnel1
 ! IVRF: the tunnel interface and the traffic carried inside it belong to CLIENT
 ! (set 'ip vrf forwarding' before the address, because it clears any address already configured)
 ip vrf forwarding CLIENT
 ip address 192.168.0.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 10.0.0.7
 ! FVRF: the outer GRE/IPsec packets to 10.0.0.7 are routed in INTERNET
 tunnel vrf INTERNET
!
...

Continue reading →


Some facts about ASA and aaa

  • the default privilege level of a user on the ASA is 2
  • the minimum privilege level needed to access ASDM is 2
  • read-only access to ASDM requires a user with privilege 2, service-type 'nas-prompt' and 'aaa authorization command LOCAL', plus access to the 'show' commands (Configuration > Device Management > Users/AAA > AAA Access > Authorization, 'Set ASDM Defined User Roles')
  • telnet to the ASA is not allowed on an interface with security level 0
  • to control which commands are allowed you have to configure:

aaa authentication telnet console LOCAL
aaa authorization command LOCAL

privilege show level 7 command crypto
enable password test7 level 7

    by the way, the command "privilege show level 7 command crypto" is converted to:

privilege show level 7 mode exec command crypto
privilege show level 7 mode configure command crypto

  • you can exclude a host from aaa: aaa mac-exempt match MAC-ACL
  • using local aaa you can limit the number of failed...

Continue reading →


Auth proxy - ASA

I studied some methods of auth proxy on the ASA with ACS. Below you can find a few examples:

1) Method 1

We can match traffic passing through the firewall:

access-list TELNET-TRAFFIC extended permit tcp any any eq telnet
aaa authentication match TELNET-TRAFFIC inside TACACS

Once we initiate traffic, we are asked to authenticate:

[hzw@zeus ~]$ telnet 7.7.7.7
Trying 7.7.7.7...
Connected to 7.7.7.7.
Escape character is '^]'.

Username: user1

Password:



User Access Verification

Password:
R3>

As we see above, we were first asked for the ASA proxy authentication and then for the telnet password configured on R3.

Let’s check the uauth table:

ciscoasa(config)# sh uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          1
user 'test1' at 192.168.157.130, authenticated
   absolute   timeout: 0:05:00
   inactivity timeout:
...

Continue reading →


OSPF over IPsec tunnel (ASA ikev1)

Today I would like to set up a VPN tunnel between two ASAs with the capability of sending OSPF packets over the IPsec tunnel. I know there are similar examples available on the Internet, but I would like to check whether there are any problems during the implementation.

         4.4.4.0/24        7.7.7.0/24        5.5.5.0/24

  /----\ .1     .10 -----  .1      .2 -----  .10      .2/----\
 |  R1  |----------| ASA1 |----------| ASA2 |----------|  R2  |
  \----/            -----             -----             \----/

                        |<-----VPN----->|

The basic configuration:

R1:

!
hostname r1
!
interface GigabitEthernet0/0
 ip address 4.4.4.1 255.255.255.0
 no sh
!
router ospf 200
 network 4.4.4.0 0.0.0.255 area 0
!

R2:

!
hostname r2
!
interface GigabitEthernet0/0
 ip address 5.5.5.2 255.255.255.0
 no sh
!         
router ospf 100
 log-adjacency-changes
 network 5.5.5.0 0.0.0.255 area
...

Continue reading →