Wednesday, February 28, 2007

Router: Debug Crypto Condition command

When your router has more than one VPN peer configured, troubleshooting one problematic crypto peer using debug crypto isakmp and debug crypto ipsec can get you cross-eyed in no time. You'll feel like the console is doing a DoS on your brain.

Starting in Cisco IOS Software Release 12.3(2)T, you can use the debug crypto condition command to filter debug output to a specific peer. You can use many criteria to customize the output, including peer IP, SPI, connection ID, flow ID, etc. With the filter in place the router shows only the crypto messages for the peer you are troubleshooting.

For example, first define a condition with a peer IP, then enable the crypto debugs:
debug crypto condition peer ipv4 2.2.2.2
debug crypto isakmp
debug crypto isakmp packet   (helpful hidden command)
debug crypto ipsec

To identify which debug conditions are currently active:
sh crypto debug-condition
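To see why filtering on the router beats grepping the console afterwards, here is an added Python example (not from the post) that applies the same peer-based filtering idea to captured debug crypto isakmp output. The sample lines are constructed to resemble IOS output and are not real router logs. A plain grep for the peer address misses lines that only carry the ISAKMP connection ID, so the script first learns which connection IDs belong to the peer and then keeps every line tagged with them; lines under connection ID 0 (before an SA exists) cannot be attributed to a peer from the text alone, which is exactly what the router-side condition handles for you.

```python
import re

# Constructed sample of "debug crypto isakmp" output from a router with two
# peers (2.2.2.2 and 3.3.3.3). The line shapes approximate IOS output, but
# every line here is made up for this example.
SAMPLE_DEBUG = """\
*Feb 28 10:01:02.100: ISAKMP (0): received packet from 2.2.2.2 dport 500 sport 500 Global (N) NEW SA
*Feb 28 10:01:02.101: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
*Feb 28 10:01:02.102: ISAKMP:(1001):found peer pre-shared key matching 2.2.2.2
*Feb 28 10:01:02.150: ISAKMP (0): received packet from 3.3.3.3 dport 500 sport 500 Global (N) NEW SA
*Feb 28 10:01:02.151: ISAKMP:(1002):found peer pre-shared key matching 3.3.3.3
*Feb 28 10:01:02.200: ISAKMP:(1001):Old State = IKE_R_MM1  New State = IKE_R_MM2
*Feb 28 10:01:02.250: ISAKMP:(1002):Old State = IKE_R_MM1  New State = IKE_R_MM2
*Feb 28 10:01:03.000: ISAKMP:(1001):peer does not do paranoid keepalives.
*Feb 28 10:01:03.100: ISAKMP:(1002):Old State = IKE_R_MM2  New State = IKE_R_MM3
"""

# Connection id as printed in the debug lines: "ISAKMP:(1001):" or "ISAKMP (0):".
CONN_ID_RE = re.compile(r"ISAKMP:?\s?\((\d+)\)")


def _peer_re(peer):
    # Match the address as a whole token so 2.2.2.2 does not match 12.2.2.2.
    return re.compile(r"(?<![\d.])" + re.escape(peer) + r"(?![\d.])")


def learn_conn_ids(debug_text, peer):
    """Return the set of non-zero ISAKMP connection ids seen on lines that
    name the peer. Conn id 0 is the shared 'no SA yet' context and is
    skipped because it is used for every peer."""
    peer_re = _peer_re(peer)
    ids = set()
    for line in debug_text.splitlines():
        if not peer_re.search(line):
            continue
        m = CONN_ID_RE.search(line)
        if m and m.group(1) != "0":
            ids.add(m.group(1))
    return ids


def filter_by_peer(debug_text, peer):
    """Keep lines that name the peer, or that carry a conn id learned for it.
    Lines under conn id 0 that do not name the peer are dropped as ambiguous."""
    peer_re = _peer_re(peer)
    ids = learn_conn_ids(debug_text, peer)
    kept = []
    for line in debug_text.splitlines():
        m = CONN_ID_RE.search(line)
        if peer_re.search(line) or (m and m.group(1) in ids):
            kept.append(line)
    return kept


if __name__ == "__main__":
    # Show only the 2.2.2.2 conversation, as the router-side condition would.
    for line in filter_by_peer(SAMPLE_DEBUG, "2.2.2.2"):
        print(line)
```

Run it and only the 2.2.2.2 lines are printed; the IKE_READY state-change line is dropped because it is tagged with connection ID 0 and names no peer, so a post-hoc filter cannot tell which peer it belongs to.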

Tuesday, February 27, 2007

CCIE heroes

For anyone who is aware of how difficult it is to earn the number, you can't help but feel awe for people who have passed the CCIE exam many times over. I'm talking about the multiple CCIEs who are the subject of cisco-geek hero worship.

Quadruple CCIE!
Rent-A-CCIE Superhero NetworkWorld.com Community
http://www.cisco.com/web/learning/le3/ccie/case_studies/morris_scott.html

Quintuple CCIE!!
http://www.cisco.com/web/learning/le3/ccie/case_studies/glennon_tom.html

Three CCIEs in one year!!!
http://www.cisco.com/web/learning/le3/ccie/case_studies/holmsen_marius.html

Thursday, February 22, 2007

ASA v8.0

In addition to the recent release of version 6.0 of the IPS, looming ahead is the release of ASA software version 8.0. I've heard that the beta version of ASA 8.0 has already been made available to select customers who signed up for the beta testing program.

Here's news from Cisco that briefly mentions ASA v8.0:
http://newsroom.cisco.com/dlls/2007/prod_020507.html

And a PowerPoint presentation of the new SSL enhancements in ASA v8.0:
http://www.cisco.com/application/pdf/en/us/guest/products/ps6120/c1161/cdccont_0900aecd805c768e.pdf

According to the slides, there will be 120+ new features in v8.0!

Thursday, February 15, 2007

Cisco: Multiple vulnerabilities in IOS and PIX/ASA

Heads up! Cisco has announced flaws in its IOS IPS and PIX/ASA products.

1. Cisco Security Advisory: Multiple Vulnerabilities in Cisco PIX and ASA Appliances

  • Enhanced inspection of malformed Hypertext Transfer Protocol (HTTP) traffic may cause a PIX/ASA to crash, resulting in a denial of service.
  • Inspection of malformed Session Initiation Protocol (SIP) packets may cause a PIX/ASA to crash, resulting in a denial of service.
  • Inspection of a stream of malformed Transmission Control Protocol (TCP) packets may cause a PIX/ASA to crash, resulting in a denial of service.
  • Privilege escalation by a locally defined user with a privilege level of zero (0).

2. Cisco Security Advisory: Multiple IOS IPS Vulnerabilities

  • Fragmented IP packets may be used to evade signature inspection.
  • IPS signatures utilizing the regular expression feature of the ATOMIC.TCP signature engine may cause a router to crash, resulting in a denial of service.

Fixes and workarounds are available. Check the security advisories for the affected versions and the fixes.

Wednesday, February 14, 2007

Have Telnet, Get Pwned

Two simple and trivial exploits for Solaris have surfaced recently. One is an ICMP-induced DoS and the other is a remote exploit using telnet!

Hearing about things like this makes me agree that we are losing the war on IT security. But then again, these attacks are not difficult to avoid. Hasn't your mother taught you not to use telnet, especially on internet-facing systems?

Monday, February 12, 2007

Network Down Blooper

An IT support engineer was on the phone with his counterpart in the Sydney office, checking whether the IPL was down.
"Dood! We're down here. Are you down there?"