Posted by Aaron Paxson on March 28, 2008
I’d better step it up a notch! I could be replaced by a younger, more energetic network manager!
http://www.networkworld.com/news/2008/032708-netkid.html?fsrc=rss-security
But, we all knew this was happening. It's not so much the intelligence that impresses me about him... but rather, the responsibility that he possessed.
Posted by Aaron Paxson on March 4, 2008
So, I purchased a Cisco ASA 5505 to build a VPN tunnel from a remote office to my main office. Really simple to do, when you are using Easy VPN. Anyway, I wanted to turn on SSH. So, I enabled SSH on the ASA, and tried to access it:
[apaxson@netutil ~]$ ssh -l username 1.2.3.4
ssh_exchange_identification: Connection closed by remote host
Hmmmm... let's do a debug, and see what happens:
asa# debug ssh
Device ssh opened successfully.
SSH0: SSH client: IP = '1.2.3.10' interface # = 1
SSH: unable to retrieve default host public key. Please create a defauth RSA key pair before using SSH
SSH0: Session disconnected by SSH server - error 0x00 "Internal error"
Ahhhh... we have to create a default RSA key pair. Let's do that.
asa(config)# ca generate rsa key 1024
WARNING: the 'ca' command syntax has been deprecated
Please use the 'crypto key generate' command.
Okaaaay... looks like we have to change our ways again.
asa(config)# crypto key generate rsa
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
asa(config)#
Okay, so far so good. Let’s try to connect again:
[apaxson@netutil ~]$ ssh -l username 1.2.3.4
RSA key fingerprint is 9b:99:12:45:6f:7a:bb:37:f4:25:19:1d:d9:0d:62:24.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '1.2.3.4' (RSA) to the list of known hosts.
Outstanding!
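The "Are you sure you want to continue connecting (yes/no)?" prompt above is the one chance to check that the RSA fingerprint really belongs to the ASA and not to something sitting between you and it. The script below is an added example (not from the original post, and not Cisco code): it builds the ssh-rsa public-key blob from a public exponent and modulus, computes the colon-separated MD5 fingerprint that OpenSSH printed at the time as well as the SHA256 form that current OpenSSH prints, and parses the blob back out of a known_hosts line so an entry already on disk can be re-checked. The exponent and modulus used here are constructed values, not a real key, and obtaining the device's own exponent and modulus out of band is assumed rather than shown.

```python
import base64
import hashlib
import struct

# Constructed example values (NOT a real key, and not a valid RSA modulus):
# they only exercise the encoding. A real ASA key is 1024 bits or more.
EXAMPLE_E = 65537
EXAMPLE_N = 0xD4A1B2C3E5F60718293A4B5C6D7E8F91


def _ssh_string(data: bytes) -> bytes:
    """SSH 'string': 4-byte big-endian length followed by the bytes (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def _mpint(value: int) -> bytes:
    """SSH 'mpint': length-prefixed big-endian two's complement; a leading
    zero byte is added when the top bit is set so the value stays positive."""
    if value == 0:
        return struct.pack(">I", 0)
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """ssh-rsa public key wire format: string "ssh-rsa", mpint e, mpint n (RFC 4253)."""
    return _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """Legacy fingerprint, e.g. 9b:99:12:...: MD5 of the blob, hex pairs joined by colons."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob: bytes) -> str:
    """Current OpenSSH fingerprint: SHA256:<base64 of the digest, padding stripped>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_line(host: str, blob: bytes) -> str:
    """Render the entry ssh writes after you answer 'yes' (unhashed form)."""
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"


def blob_from_known_hosts_line(line: str) -> bytes:
    """Recover the key blob from a known_hosts line so it can be re-fingerprinted."""
    fields = line.split()
    if len(fields) < 3 or fields[1] != "ssh-rsa":
        raise ValueError("not an unhashed ssh-rsa known_hosts entry")
    return base64.b64decode(fields[2])


def fingerprints_match(shown: str, expected: str) -> bool:
    """Compare two MD5 fingerprints ignoring case, colons and an 'MD5:' prefix,
    so a value read off the device can be compared with what ssh prints."""
    def norm(s: str) -> str:
        return s.lower().replace(":", "").replace("md5", "").strip()
    return norm(shown) == norm(expected)


if __name__ == "__main__":
    blob = rsa_public_blob(EXAMPLE_E, EXAMPLE_N)
    print("MD5    ", md5_fingerprint(blob))
    print("SHA256 ", sha256_fingerprint(blob))
    line = known_hosts_line("1.2.3.4", blob)
    print("known_hosts:", line)
    # Re-check an entry already on disk against the expected value.
    print("matches:", fingerprints_match(md5_fingerprint(blob_from_known_hosts_line(line)),
                                         md5_fingerprint(blob)))
```

Compare the MD5 line against the fingerprint obtained from the device over a channel you already trust (console or an existing verified session) before typing "yes"; once the entry is in known_hosts, ssh will silently trust it on every later connection.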
Posted by Aaron Paxson on February 10, 2008
Well, it has finally happened. It was only a matter of time. Since the Cisco ASA (Adaptive Security Appliance) did exactly what the PIX does, and then some, why support two product lines?
Cisco announces that they will stop sales for the Pix Firewall in January 2009. Support, however, will be continued until 2013.
See Cisco’s press release.
So, let's talk about these ASAs. For those that do not know, the ASA is actually the PIX underneath, with modularity to allow you to expand it into a specific appliance, such as Application Inspection or Virus/Malware/Spyware inspection. I'm actually using the one with the CSC module, which includes the Virus/Malware/Spyware inspection. The ASA actually inspects SMTP, HTTP, POP3, and IMAP packets.
When I first purchased and used it 18 months ago, Trend Micro (who owns the scanning engine of the CSC module) had quite a few bugs in it, so I didn't like it at first. Too many problems. However, over the last 18 months, their updates and bug fixes seem to have stabilized it a little bit.
You can learn more about the ASA at Cisco’s website, if you aren’t already familiar.
Posted by Aaron Paxson on January 14, 2008
So, for the first time, I had to NAT an IPSec tunnel for a vendor, due to overlapping networks. I know the fundamentals, but have never actually done it.
First, define the VPN traffic... check
Next, define the NAT traffic... check
Map the traffic to the crypto map... check
Create the access-list to filter the VPN traffic... no check... ummm... okay, so here is where I needed some help. Does the ACL get hit first, and THEN NAT? If so, I'll need to use the NAT address in the ACL. But, what if NAT gets hit first? Then I'll have to use my private address in the ACL.
What to do? Well, visit the IRC chat room #cisco, that's what. They sent me to an incredible post which details the order of operations for both ingress and egress in a Cisco IOS system.
Very handy! ... <Aaron is printing> ...
Posted by Aaron Paxson on October 24, 2007
How many times has someone wanted to access the DMZ (or some other network other than "inside") from the VPN? Why didn't it work? Did you figure it out?
Well, the problem stems from IPSec. See, IPSec and NAT just do not get along, mainly due to the security inherent in the protocol. So, how do you get around it? Well, you tell the ASA/PIX not to NAT your VPN traffic.
Let’s assume I have two networks: (inside) 10.10.10.0/24 and (dmz) 172.16.1.0/24 and let’s also assume that the VPN is being attached to the inside interface.
Create an access-list to match the VPN Traffic to the DMZ:
access-list DMZnoNAT permit ip 172.16.1.0 255.255.255.0 10.10.10.0 255.255.255.0
Now, apply the access-list to the NAT statement on the interface named 'dmz', so the matching traffic will not be NAT'd (i.e. NAT id 0):
nat (dmz) 0 access-list DMZnoNAT
Done! You should now be able to pass VPN traffic from 10.10.10.0 to the DMZ on 172.16.1.0, because we are no longer NAT’ing the traffic, and IPSec is happy again!
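To make the two lines above concrete, here is an added example (my own Python, not ASA code and not from the original post) that parses the access-list and the `nat (dmz) 0 access-list` binding from the post and then decides, for a few constructed flows, whether the ASA would exempt them from NAT. It shows the point that is easy to get wrong: the ACL is written from the dmz interface's point of view, so the source side is the DMZ network and only flows that the ACL permits are exempt; everything else on that interface still goes through whatever other NAT rules exist. The flow addresses and the parsing of the two config lines are assumptions for the exercise, not a model of every ASA NAT feature.

```python
import ipaddress
from dataclasses import dataclass

# Constructed config: the two lines from the post, plus nothing else.
CONFIG = """
access-list DMZnoNAT permit ip 172.16.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (dmz) 0 access-list DMZnoNAT
"""


@dataclass(frozen=True)
class AclEntry:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network     # local (pre-NAT) side on the interface
    dst: ipaddress.IPv4Network     # remote side


def parse_acl_line(line: str):
    """Parse 'access-list NAME permit|deny ip SRC MASK DST MASK'.
    ASA/PIX extended ACLs use real subnet masks, not IOS wildcard masks."""
    f = line.split()
    if len(f) != 8 or f[0] != "access-list" or f[2] not in ("permit", "deny") or f[3] != "ip":
        raise ValueError(f"unsupported ACL line: {line!r}")
    src = ipaddress.IPv4Network((f[4], f[5]))
    dst = ipaddress.IPv4Network((f[6], f[7]))
    return f[1], AclEntry(f[2], src, dst)


def parse_config(text: str):
    """Collect ACL entries by name and 'nat (IF) 0 access-list NAME' bindings by interface."""
    acls, nat0 = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("access-list "):
            name, entry = parse_acl_line(line)
            acls.setdefault(name, []).append(entry)
        elif line.startswith("nat ("):
            f = line.split()
            # nat (dmz) 0 access-list DMZnoNAT
            if len(f) == 5 and f[2] == "0" and f[3] == "access-list":
                nat0[f[1].strip("()")] = f[4]
    return acls, nat0


def acl_permits(entries, src_ip: str, dst_ip: str) -> bool:
    """First-match evaluation with the implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action == "permit"
    return False


def is_nat_exempt(acls, nat0, interface: str, src_ip: str, dst_ip: str) -> bool:
    """True when a flow entering `interface` matches that interface's NAT-exemption ACL."""
    acl_name = nat0.get(interface)
    if acl_name is None:
        return False          # no 'nat (interface) 0 access-list' configured here
    return acl_permits(acls.get(acl_name, []), src_ip, dst_ip)


if __name__ == "__main__":
    acls, nat0 = parse_config(CONFIG)
    # Constructed flows: (interface the packet arrives on, source, destination)
    flows = [
        ("dmz", "172.16.1.5", "10.10.10.20"),     # DMZ host replying to a VPN-side inside host
        ("dmz", "172.16.1.5", "198.51.100.7"),    # DMZ host going to the Internet
        ("inside", "10.10.10.20", "172.16.1.5"),  # no nat 0 on inside in this config
    ]
    for iface, src, dst in flows:
        verdict = "exempt (no NAT)" if is_nat_exempt(acls, nat0, iface, src, dst) else "NAT applies"
        print(f"{iface:6} {src:>14} -> {dst:<14} {verdict}")
```

If the DMZ hosts also need to reach a VPN client pool rather than the inside LAN, that pool is a second destination line in the same ACL; a flow the ACL does not permit is simply not exempt, which is the silent failure mode the post describes.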
Posted by Aaron Paxson on October 14, 2007
When I first started my job at my current company last year, I was amazed at the security products they were using. Keep in mind that the company I work for made several acquisitions over the last few years. So, we have locations using McAfee, Computer Associates, Trend Micro, and Symantec. Not only is this an administrative nightmare, but it's not cost-effective. So, for budgets, I set aside some money to consolidate.
It turns out there is a U.S. company called ESET that not only has a good solution, but is priced extremely reasonably in comparison. I'd never heard of them, and was embarrassed when our Swedish division told me about them and I didn't know anything about it.
In my eyes, deciding on a vendor isn't really about virus definitions anymore. That's become a trivial process. For me, the deciding factors for choosing a solution are the following:
- Central control of policies and processes (including emergency updates and scans)
- Central Reporting
- Built-in Reports
- Ability to customize reports
- Database to use 3rd party reporting
- Easy rollout (including pushing software to new clients)
- Small footprint on the client
I am starting to demo their products for the time being. The only downside is that they do NOT offer Macintosh solutions. Well, that won’t break my heart, since less than 1% of our network is Mac, just disappointing that they didn’t choose to support the best OS out there (shameless plug).
However, they do offer solutions for Linux, Windows, Domino and Exchange servers, etc. Worth checking out!
~~Aaron