Archive for the ‘Cisco’ Category
IPv6 – Problem and some solutions
The Internet is about to face one of its most serious issues in its history: experts have warned that the Internet is running out of addresses, and may run out by 2011. At issue is slow adoption of a new system intended to vastly increase the available pool, further complicating matters.
Currently, the web uses IPv4 (Internet Protocol version 4). 32-bit numbers are used; meaning about 4 billion addresses are available. About 94 percent of them have already been allocated. There is a new system, however, called IPv6. That uses 128-bit numbers, and the number of available addresses skyrocket.
It is time to start migration from IPv4 to IPv6.
Here is couple of articles about the problem:
http://www.betanews.com/article/Internet-has-less-than-a-years-worth-of-IP-addresses-left-say-experts/1279816984
http://www.neowin.net/news/iana-ipv4-addresses-will-dry-up-in-a-year
I have searched the web, and found articles about support and configuration of IPv6 on popular operating systems and applications:
Microsoft Announces IPv6 Technical Preview for Windows 2000:
http://www.microsoft.com/presspass/press/2000/Mar00/IPv6PR.mspx
Installing IPv6 on Windows XP
http://forums.techarena.in/networking-security/1098260.htm
How IIS 6.0 Supports IPv6 (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/1ecff3af-36c2-41b5-957a-8bcc6fac8abc.mspx?mfr=true
Changes to IPv6 in Windows Vista and Windows Server 2008
http://technet.microsoft.com/en-us/library/bb878121.aspx
Next Generation TCP/IP Stack in Windows Vista and Windows Server 2008
http://technet.microsoft.com/en-us/library/bb878108.aspx
DNS Enhancements in Windows Server 2008
http://technet.microsoft.com/en-us/magazine/2008.01.cableguy.aspx
Support for IPv6 in Windows Server 2008 R2 and Windows 7
http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx
Using IPv6 with IIS7
http://blogs.iis.net/nazim/archive/2008/05/03/using-ipv6-with-iis7.aspx
IPv6 Support in Exchange 2007 SP1 and SP2
http://technet.microsoft.com/en-us/library/bb629624(EXCHG.80).aspx
Red Hat / CentOS IPv6 Network Configuration
http://www.cyberciti.biz/faq/rhel-redhat-fedora-centos-ipv6-network-configuration/
IPv6 on Fedora Core mini-HOWTO
http://linux.yyz.us/ipv6-fc2-howto.html
Adding IPv6 to Ubuntu systems
http://knowledgelayer.softlayer.com/questions/468/Adding+IPv6+to+Ubuntu+systems
Enabling IPv6 on a Network (Solaris 10)
http://docs.sun.com/app/docs/doc/819-3000/ipv6-config-tasks-1?a=view
Building a Linux IPv6 DNS Server
http://www.linuxjournal.com/article/6541
Networking IPv6 User Guide for J2SDK/JRE 1.4
http://download.oracle.com/docs/cd/E17476_01/javase/1.4.2/docs/guide/net/ipv6_guide/index.html
Networking IPv6 User Guide for JDK/JRE 5.0
http://download.oracle.com/docs/cd/E17476_01/javase/1.5.0/docs/guide/net/ipv6_guide/index.html
Apache Talking IPv6
http://www.linuxjournal.com/article/5451
How-to IPv6 in Globus Toolkit 3
http://www.cs.ucl.ac.uk/staff/sjiang/webpage/how-to-IPv6-Globus.htm
Enabling IPv6 Support in Nginx
http://kovyrin.net/2010/01/16/enabling-ipv6-support-in-nginx/
IPv6 Support in iOS 4
http://isc.sans.edu/diary.html?storyid=9058
IPv6 – Cisco Systems
http://www.cisco.com/en/US/products/ps6553/products_ios_technology_home.html
Cisco – IP version 6 Introduction
http://ciscosystems.com/en/US/tech/tk872/tk373/tsd_technology_support_sub-protocol_home.html
Hewlett-Packard Next Generation Internet Protocol version 6 (IPv6) web sites
http://h10026.www1.hp.com/netipv6/Ipv6.htm
EMC Product Support for IPv6
http://india.emc.com/products/interoperability/ipv6.htm
Nokia IPv6 How To
http://www.nokia.com/NOKIA_COM_1/About_Nokia/Press/White_Papers/pdf_files/techwhitepaper_ipv6_howto.pdf
Hardening guide for Cisco Firewall (PIX, ASA, FWSM)
Important note
The guide bellow instructs how to secure Cisco Firewall (PIX, ASA, FWSM).
Not all commands will work on every device series or on every IOS version.
It is highly recommended to test each setting in a test lab before implementing changes to production systems.
Hardening phase
Configure AAA Authentication for Enable Mode (ASA, FWSM, PIX):
aaa authentication enable console LOCAL
Configure AAA Authentication for Console and VTY Lines (ASA, FWSM, PIX):
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
Configure Local Password (ASA, FWSM, PIX):
passwd
Configure ASDM Access Control (ASA, FWSM, PIX):
http
Configuring SSH (ASA, FWSM, PIX):
hostname
domain-name
crypto key generate rsa modulus 2048
Configure SSH for Remote Device Access (ASA, PIX):
no telnet 0.0.0.0 0.0.0.0
ssh
ssh version 2
Configure Timeout for Login Sessions (ASA, FWSM, PIX):
console timeout 10
ssh timeout 10
Configure Local User and Encrypted Password (ASA, FWSM, PIX):
username
Configure Enable Password (ASA, FWSM, PIX):
enable password
Disable SNMP Read Access (ASA, FWSM, PIX):
clear configure snmp-server
no snmp-server host
Disable SNMP Traps (ASA, FWSM, PIX):
no snmp-server enable traps all
Configure Clock Time Zone (ASA, PIX):
clock timezone GMT
Disable DHCP Server Service (ASA, FWSM, PIX):
clear configure dhcpd
no dhcpd enable
Disable HTTP Service (ASA, FWSM, PIX) – in-case not in use:
no http server enable
Configure Console Logging Severity Level (ASA, FWSM, PIX):
logging console critical
Configure Timestamps in Log Messages (ASA, FWSM, PIX):
logging timestamp
Configure AAA Flood Guard (FWSM, PIX):
floodguard enable
Configure Fragment Chain Fragmentation Checks (ASA, FWSM, PIX):
fragment chain 1
Configure Protocol Inspection (FWSM, PIX):
fixup protocol ftp
fixup protocol http
fixup protocol smtp
Configure Protocol Inspection (ASA):
inspect ftp [map_name]
inspect http [map_name]
inspect esmtp [map_name]
Configure Unicast Reverse-Path Forwarding (ASA, FWSM, PIX):
interface
ip verify reverse-path interface
exit
Save the changes:
wr
Hardening guide for Cisco Routers and Switches
Important note
The guide bellow instructs how to secure Cisco router/switch.
Not all commands will work on every device series (router/switch) or on every IOS version.
It is highly recommended to test each setting in a test lab before implementing changes to production systems.
Hardening phase
Configure AAA service:
aaa new-model
Configure AAA Authentication for Login:
aaa authentication login default local-case
Configure AAA Authentication for Enable Mode:
aaa authentication enable default enable
Configure AAA Authentication for Local Console Line:
line console 0
login authentication default
exit
Configure AAA Authentication for VTY Lines:
line vty 0 4
login authentication default
exit
line vty 5 15
login authentication default
exit
Set and secure passwords:
service password-encryption
enable secret 0
Configure Local User and Encrypted Password:
username
Note: Use the following syntax for version after 12.0(18)S, 12.1(8a)E, 12.2(8)T:
username
Configure SSH:
hostname
domain-name
crypto key generate rsa modulus 2048
Configure SSH for Remote Device Access:
ip ssh timeout 60
ip ssh authentication-retries 3
Configure VTY Transport SSH:
line console 0
transport input ssh
exit
line vty 0 4
transport input ssh
exit
line vty 5 15
transport input ssh
exit
Configure Timeout for Login Sessions:
line vty 0 4
exec-timeout 5 0
exit
line vty 5 15
exec-timeout 5 0
exit
Disable Auxiliary Port:
line aux 0
no exec
exec-timeout 0 10
transport input none
exit
Disable SNMP server (in-case not in use):
no snmp-server
Disable SNMP Community Strings private and public:
no snmp-server community private
no snmp-server community public
Configure Clock Timezone – GMT:
clock timezone GMT
Disable Router Name and DNS Name Resolution (in-case not in use):
no ip domain-lookup
Disable CDP Run Globally:
no cdp run
Disable PAD service (in-case not in use):
no service pad
Disable Finger Service:
no service finger
Disable Maintenance Operations Protocol (MOP):
interface
no mop enabled
exit
Disable DHCP server (in-case not in use):
no service dhcp
Disable IP BOOTP server (in-case not in use):
no ip bootp server
Disable Identification Service:
no identd
Disable IP HTTP Server (in-case not in use):
no ip http server
Disable Remote Startup Configuration:
no boot network
no service config
Configure TCP keepalives Services:
service tcp-keepalives-in
service tcp-keepalives-out
Disable small-servers:
no service tcp-small-servers
no service udp-small-servers
Disable TFTP Server:
no tftp-server
Configure Logging:
logging on
logging buffered 16000
logging console critical
Configure Service Timestamps for Debug and Log Messages:
service timestamps debug datetime msec show-timezone localtime
service timestamps log datetime msec show-timezone localtime
Disable IP source-route:
no ip source-route
Disable Directed Broadcast:
interface
no ip directed-broadcast
exit
Configure Unicast Reverse-Path Forwarding:
interface
ip verify unicast reverse-path
exit
Disable IP Proxy ARP:
interface
no ip proxy-arp
exit
Disable Gratuitous-Arps:
no ip gratuitous-arps
Configure switch port-security:
switchport port-security
switchport port-security violation shutdown
switchport port-security maximum 1
switchport port-security mac-address sticky
Save the changes:
wr