web analytics

Archive for the ‘Cisco’ Category

IPv6 – Problem and some solutions

The Internet is about to face one of its most serious issues in its history: experts have warned that the Internet is running out of addresses, and may run out by 2011. At issue is slow adoption of a new system intended to vastly increase the available pool, further complicating matters.
Currently, the web uses IPv4 (Internet Protocol version 4). 32-bit numbers are used; meaning about 4 billion addresses are available. About 94 percent of them have already been allocated. There is a new system, however, called IPv6. That uses 128-bit numbers, and the number of available addresses skyrocket.
It is time to start migration from IPv4 to IPv6.

Here is couple of articles about the problem:


I have searched the web, and found articles about support and configuration of IPv6 on popular operating systems and applications:

Microsoft Announces IPv6 Technical Preview for Windows 2000:

Installing IPv6 on Windows XP

How IIS 6.0 Supports IPv6 (IIS 6.0)

Changes to IPv6 in Windows Vista and Windows Server 2008

Next Generation TCP/IP Stack in Windows Vista and Windows Server 2008

DNS Enhancements in Windows Server 2008

Support for IPv6 in Windows Server 2008 R2 and Windows 7

Using IPv6 with IIS7

IPv6 Support in Exchange 2007 SP1 and SP2

Red Hat / CentOS IPv6 Network Configuration

IPv6 on Fedora Core mini-HOWTO

Adding IPv6 to Ubuntu systems

Enabling IPv6 on a Network (Solaris 10)

Building a Linux IPv6 DNS Server

Networking IPv6 User Guide for J2SDK/JRE 1.4

Networking IPv6 User Guide for JDK/JRE 5.0

Apache Talking IPv6

How-to IPv6 in Globus Toolkit 3

Enabling IPv6 Support in Nginx

IPv6 Support in iOS 4

IPv6 – Cisco Systems

Cisco – IP version 6 Introduction

Hewlett-Packard Next Generation Internet Protocol version 6 (IPv6) web sites

EMC Product Support for IPv6

Nokia IPv6 How To

Hardening guide for Cisco Firewall (PIX, ASA, FWSM)

Important note
The guide bellow instructs how to secure Cisco Firewall (PIX, ASA, FWSM).
Not all commands will work on every device series or on every IOS version.
It is highly recommended to test each setting in a test lab before implementing changes to production systems.

Hardening phase
Configure AAA Authentication for Enable Mode (ASA, FWSM, PIX):
aaa authentication enable console LOCAL

Configure AAA Authentication for Console and VTY Lines (ASA, FWSM, PIX):
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL

Configure Local Password (ASA, FWSM, PIX):
passwd <login_password> encrypted

Configure ASDM Access Control (ASA, FWSM, PIX):
http <remote_ip_address> <remote_subnet_mask> <interface_name>

Configuring SSH (ASA, FWSM, PIX):
hostname <device_hostname>
domain-name <domain-name>
crypto key generate rsa modulus 2048

Configure SSH for Remote Device Access (ASA, PIX):
no telnet <interface_name>
ssh <remote_ip_address> <remote_subnet_mask> <interface_name>
ssh version 2

Configure Timeout for Login Sessions (ASA, FWSM, PIX):
console timeout 10
ssh timeout 10

Configure Local User and Encrypted Password (ASA, FWSM, PIX):
username <local_username> password <local_password> encrypted

Configure Enable Password (ASA, FWSM, PIX):
enable password <enable_password> encrypted

Disable SNMP Read Access (ASA, FWSM, PIX):
clear configure snmp-server
no snmp-server host <interface_name> <remote_ip_address>

Disable SNMP Traps (ASA, FWSM, PIX):
no snmp-server enable traps all

Configure Clock Time Zone (ASA, PIX):
clock timezone GMT <hours offset>

Disable DHCP Server Service (ASA, FWSM, PIX):
clear configure dhcpd
no dhcpd enable <interface_name>

Disable HTTP Service (ASA, FWSM, PIX) – in-case not in use:
no http server enable <port>

Configure Console Logging Severity Level (ASA, FWSM, PIX):
logging console critical

Configure Timestamps in Log Messages (ASA, FWSM, PIX):
logging timestamp

Configure AAA Flood Guard (FWSM, PIX):
floodguard enable

Configure Fragment Chain Fragmentation Checks (ASA, FWSM, PIX):
fragment chain 1 <interface_name>

Configure Protocol Inspection (FWSM, PIX):
fixup protocol ftp <port>
fixup protocol http <port>
fixup protocol smtp <port>

Configure Protocol Inspection (ASA):
inspect ftp [map_name]
inspect http [map_name]
inspect esmtp [map_name]

Configure Unicast Reverse-Path Forwarding (ASA, FWSM, PIX):
interface <interface_id>
ip verify reverse-path interface <interface_name>

Save the changes:

Hardening guide for Cisco Routers and Switches

Important note
The guide bellow instructs how to secure Cisco router/switch.
Not all commands will work on every device series (router/switch) or on every IOS version.
It is highly recommended to test each setting in a test lab before implementing changes to production systems.

Hardening phase
Configure AAA service:
aaa new-model

Configure AAA Authentication for Login:
aaa authentication login default local-case

Configure AAA Authentication for Enable Mode:
aaa authentication enable default enable

Configure AAA Authentication for Local Console Line:
line console 0
login authentication default

Configure AAA Authentication for VTY Lines:
line vty 0 4
login authentication default
line vty 5 15
login authentication default

Set and secure passwords:
service password-encryption
enable secret 0 <password>

Configure Local User and Encrypted Password:
username <username> password <password>
Note: Use the following syntax for version after 12.0(18)S, 12.1(8a)E, 12.2(8)T:
username <username> secret <password>

Configure SSH:
hostname <device_hostname>
domain-name <domain-name>
crypto key generate rsa modulus 2048

Configure SSH for Remote Device Access:
ip ssh timeout 60
ip ssh authentication-retries 3

Configure VTY Transport SSH:
line console 0
transport input ssh
line vty 0 4
transport input ssh
line vty 5 15
transport input ssh

Configure Timeout for Login Sessions:
line vty 0 4
exec-timeout 5 0
line vty 5 15
exec-timeout 5 0

Disable Auxiliary Port:
line aux 0
no exec
exec-timeout 0 10
transport input none

Disable SNMP server (in-case not in use):
no snmp-server

Disable SNMP Community Strings private and public:
no snmp-server community private
no snmp-server community public

Configure Clock Timezone – GMT:
clock timezone GMT <hours>

Disable Router Name and DNS Name Resolution (in-case not in use):
no ip domain-lookup

Disable CDP Run Globally:
no cdp run

Disable PAD service (in-case not in use):
no service pad

Disable Finger Service:
no service finger

Disable Maintenance Operations Protocol (MOP):
interface <interface-id>
no mop enabled

Disable DHCP server (in-case not in use):
no service dhcp

Disable IP BOOTP server (in-case not in use):
no ip bootp server

Disable Identification Service:
no identd

Disable IP HTTP Server (in-case not in use):
no ip http server

Disable Remote Startup Configuration:
no boot network
no service config

Configure TCP keepalives Services:
service tcp-keepalives-in
service tcp-keepalives-out

Disable small-servers:
no service tcp-small-servers
no service udp-small-servers

Disable TFTP Server:
no tftp-server

Configure Logging:
logging on
logging buffered 16000
logging console critical

Configure Service Timestamps for Debug and Log Messages:
service timestamps debug datetime msec show-timezone localtime
service timestamps log datetime msec show-timezone localtime

Disable IP source-route:
no ip source-route

Disable Directed Broadcast:
interface <interface-id>
no ip directed-broadcast

Configure Unicast Reverse-Path Forwarding:
interface <interface-id>
ip verify unicast reverse-path

Disable IP Proxy ARP:
interface <interface-id>
no ip proxy-arp

Disable Gratuitous-Arps:
no ip gratuitous-arps

Configure switch port-security:
switchport port-security
switchport port-security violation shutdown
switchport port-security maximum 1
switchport port-security mac-address sticky

Save the changes: