Monday, January 31, 2011

Cisco IP access control list (ACL)

Cisco has two types of access lists:
1. Standard access list
2. Extended access list

Standard access list numbers range from 1 to 99, while extended access list numbers range from 100 to 199. In newer IOS releases you may give an extended access list a string name instead. From Cisco IOS Software Release 12.0.1 onwards, standard ACLs may also use the additional numbers 1300 to 1999 and extended ACLs the additional numbers 2000 to 2699.

A standard access list only lets you permit or deny traffic from a specific network or host; the destination of the packet and the ports involved do not matter. Standard ACLs control traffic by comparing the source address of each IP packet to the addresses configured in the ACL. Example:

access-list 10 permit 192.168.3.0 0.0.0.255

An extended IP access list is what turns the router into a packet-filtering firewall: here you specify the allowed destinations for each packet from an allowed source. Extended ACLs let you permit or deny traffic from specific source IP addresses to a specific destination IP address and port, and let you distinguish traffic types such as ICMP, TCP and UDP. They are very granular and allow you to be very specific. Example:

access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80

access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established

After the ACL is defined it has no effect until it is applied to an interface in the desired direction (inbound or outbound) with the ip access-group command, entered in interface configuration mode. Example (101 filters traffic leaving the interface, 102 traffic entering it):

ip access-group 101 out

ip access-group 102 in
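To make the matching rules concrete, here is an added Python model of how a router evaluates the ACLs above; it is example code written for this post, not Cisco software. It parses the standard and extended entries shown here (wildcard masks, host/any, a destination "eq" port and the "established" keyword), applies entries in order with first match winning, and finishes with the implicit deny that ends every Cisco ACL. The packet dictionaries, the explicit "deny ip any any" line and the 198.51.100.x addresses are constructed for the demonstration; source-port "eq", named ports and the "log" keyword are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the entries from the post plus an explicit deny line so
# every branch of the evaluator is exercised.
ACL_CONFIG = """
access-list 10 permit 192.168.3.0 0.0.0.255
access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80
access-list 101 deny ip any any
access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established
"""

Addr = Tuple[int, int]  # (address, wildcard mask) as 32-bit integers


@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", "icmp"; standard ACLs are "ip"
    src: Addr
    dst: Addr
    dport: Optional[int]   # destination port from "eq N", else None
    established: bool      # match only TCP segments with ACK or RST set


def _parse_addr(tokens: List[str], standard: bool) -> Addr:
    """Consume 'any' | 'host A' | 'A WILDCARD' (standard ACLs may omit the wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    base = int(ipaddress.IPv4Address(tok))
    if standard and not (tokens and "." in tokens[0]):
        return base, 0     # bare address in a standard ACL means wildcard 0.0.0.0
    return base, int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_acl(text: str) -> Dict[int, List[Entry]]:
    """Parse 'access-list N permit|deny ...' lines into per-number entry lists, order preserved."""
    acls: Dict[int, List[Entry]] = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        # The number ranges from the post decide the syntax: standard has no protocol or destination.
        standard = 1 <= number <= 99 or 1300 <= number <= 1999
        if standard:
            proto, src, dst = "ip", _parse_addr(rest, True), (0, 0xFFFFFFFF)
        else:
            proto = rest.pop(0)
            src, dst = _parse_addr(rest, False), _parse_addr(rest, False)
        dport, established = None, False
        while rest:  # trailing options; only destination "eq N" and "established" are handled
            opt = rest.pop(0)
            if opt == "eq":
                dport = int(rest.pop(0))
            elif opt == "established":
                established = True
        acls.setdefault(number, []).append(Entry(action, proto, src, dst, dport, established))
    return acls


def _matches(addr: str, net: Addr) -> bool:
    base, wild = net
    # Cisco wildcard semantics: 0 bits must match, 1 bits are don't-care.
    return ((int(ipaddress.IPv4Address(addr)) ^ base) & (~wild & 0xFFFFFFFF)) == 0


def evaluate(entries: List[Entry], pkt: dict) -> str:
    """First matching entry decides; an ACL with no match denies (implicit deny)."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt["proto"]:
            continue
        if not _matches(pkt["src"], e.src) or not _matches(pkt["dst"], e.dst):
            continue
        if e.dport is not None and pkt.get("dport") != e.dport:
            continue
        if e.established and not (pkt.get("flags", set()) & {"ACK", "RST"}):
            continue
        return e.action
    return "deny"


ACLS = parse_acl(ACL_CONFIG)


def check(number: int, pkt: dict) -> str:
    """Evaluate a constructed packet against the sample ACL with the given number."""
    return evaluate(ACLS[number], pkt)


if __name__ == "__main__":
    print(check(101, {"proto": "tcp", "src": "63.36.9.10", "dst": "198.51.100.5", "dport": 80}))   # permit
    print(check(102, {"proto": "tcp", "src": "198.51.100.5", "dst": "63.36.9.10", "flags": {"SYN"}}))  # deny
```

The "established" check is the reason ACL 102 is safe to apply inbound: a new connection attempt (SYN without ACK) from outside falls through to the implicit deny, while replies to connections opened from 63.36.9.0/24 carry ACK and are permitted.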

Ref:-
1. http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
2. http://www.networkclue.com/routing/Cisco/access-lists/index.aspx

Friday, January 21, 2011

Find a file in Linux

Do the following for files (replace <filename> or <dirname> with the name or pattern you are looking for, and quote it so the shell does not expand wildcards itself):
1. find / -name "<filename>" -type f       # file anywhere in the directory tree
2. find . -name "<filename>" -type f       # file under the current directory
3. find / -name "<dirname>" -type d        # directory anywhere in the directory tree
4. find /usr -name "<filename>" -type f    # file under /usr
5. find /usr -name "<dirname>" -type d     # directory under /usr

Thursday, January 20, 2011

Disable root login from the network in Linux

To disable root login from the network, do the following:

1. Edit the file /etc/ssh/sshd_config.
2. Find the line PermitRootLogin no.
3. Uncomment the line.
4. Similarly you can control the other options as well.
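Uncommenting the line is only half the story: sshd keeps the first value it sees for a keyword and ignores later duplicates, and a Match block further down can re-enable root for some addresses. The following added Python checker, written for this post and not part of OpenSSH, parses a constructed sshd_config the way sshd does (comment lines, case-insensitive keywords, first occurrence wins, Match sections kept apart) and reports the effective PermitRootLogin setting together with any Match-block override. The sample file contents are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sshd_config: the commented default line, the uncommented setting
# from the post, a duplicate that sshd ignores, and a Match block that turns
# root login back on for one address range.
SAMPLE_SSHD_CONFIG = """\
# constructed sample for this example, not a real host's file
Port 22
#PermitRootLogin no
PermitRootLogin no
# sshd keeps the FIRST value it sees for a keyword, so the next line has no effect:
PermitRootLogin yes
PasswordAuthentication yes
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""

Options = Dict[str, str]


def parse_sshd_config(text: str) -> Tuple[Options, List[Tuple[str, Options]]]:
    """Split sshd_config into the global section and a list of (criteria, options)
    Match blocks. Keywords are case-insensitive, '#' lines are comments, and the
    first occurrence of a keyword wins within a section (sshd's own rule)."""
    global_opts: Options = {}
    matches: List[Tuple[str, Options]] = []
    current: Optional[Options] = None   # None while still in the global section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^\s=]+)[\s=]+(.*)", line)   # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = {}
            matches.append((value, current))
            continue
        target = global_opts if current is None else current
        target.setdefault(key, value)   # later duplicates are ignored
    return global_opts, matches


def root_login_status(text: str) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Return the global PermitRootLogin value (None if the directive is absent,
    meaning the compiled-in default applies) and every Match block that sets it."""
    global_opts, matches = parse_sshd_config(text)
    overrides = [(criteria, opts["permitrootlogin"])
                 for criteria, opts in matches if "permitrootlogin" in opts]
    return global_opts.get("permitrootlogin"), overrides


def root_login_disabled(text: str) -> bool:
    """True only if root login is 'no' globally and no Match block turns it back on."""
    value, overrides = root_login_status(text)
    return (value is not None and value.lower() == "no"
            and all(v.lower() == "no" for _, v in overrides))


if __name__ == "__main__":
    print(root_login_status(SAMPLE_SSHD_CONFIG))
    print(root_login_disabled(SAMPLE_SSHD_CONFIG))   # False: the Match block re-enables root for 10/8
```

Run it against the real file with `root_login_disabled(open("/etc/ssh/sshd_config").read())` after editing; remember that sshd reads the file only at start-up, so the daemon must be reloaded for a change to take effect.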

Monday, January 17, 2011

Intel's new AESNI instruction set

Intel has introduced 6 new instructions for AES encryption, supported in hardware by the processor itself. The instructions AESENC, AESENCLAST, AESDEC and AESDECLAST support AES encryption and decryption; the instructions AESIMC and AESKEYGENASSIST support AES key expansion. Using these instructions your encryption throughput may increase significantly. I tested AESNI for IPSEC throughput between two gateways (one Linux box, the other a Fortigate 3016B firewall) over a 1 Gbps link using ipsec-tools 0.7.3.
System requirements:-
Presently it is supported for 64-bit machines only.
Linux kernel 2.6.31 or above is required.

Without IPSEC, throughput comes to around 900 Mbps.
With IPSEC (without AESNI), throughput comes to around 500 Mbps.
With IPSEC (with AESNI), throughput comes to around 800 Mbps.

So I got a throughput enhancement of about 1.6 times in my case. These results may vary depending on your applications and operating systems, but one thing is sure: your throughput will increase.

Monday, January 3, 2011

Quagga Installation guide

Follow these steps.
1. I used FreeBSD as the OS. Quagga works on Linux also.
2. In the case of FreeBSD, go to the port directory and give the following command: "make install clean".
3. In case of missing project files, download them from the internet (if the machine is not directly connected) and put them in the dist folder.
4. Once Quagga is installed you need two configuration files somewhere in the system (default location /usr/local/etc/quagga/).
5. The first one, ospfd.conf, should have the following configuration:
! -*- ospf -*-
!
! OSPFd sample configuration file
!
!
hostname ospfd
password zebra
enable password zebra
!
router ospf
redistribute connected
network 192.168.1.0/24 area 0
network 10.10.11.0/24 area 11
log stdout

6. The second one, zebra.conf, should have the following configuration:
! -*- zebra -*-
!
! zebra sample configuration file
!
! $Id: zebra.conf.sample,v 1.1.1.1 2002/12/13 20:15:30 paul Exp $
!
hostname Router
password zebra
enable password zebra
!
! Interface's description.
!
!interface lo
! description test of desc.
!
!interface sit0
! multicast

!
! Static default route sample.
!
!ip route 0.0.0.0/0 203.181.89.241
!

!log file zebra.log

7. Once you are done with all this, put the following lines in /etc/rc.conf so that Quagga starts during boot:
quagga_enable="YES"
quagga_flags="-d"
quagga_daemons="zebra ospfd"
router_enable="NO"
watchquagga_enable="YES"
watchquagga_flags="-dz -R '/usr/local/etc/rc.d/quagga restart' zebra ospfd"

8. watchquagga is a supporting daemon that keeps watching Quagga. If a Quagga process terminates, it restarts it. Cool, isn't it?

9. For more detail visit the following URL:
http://openmaniak.com/quagga.php
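Both sample files above keep the vty password and the enable password at "zebra", the value shipped in Quagga's *.conf.sample files, and store them in clear text; whoever can reach the vty port of ospfd or zebra with that password can change the routing table. The following added Python check, written for this post and not part of Quagga, strips the "!" comment lines of a Zebra-style config and reports passwords that are still the sample default or are not stored in the encrypted form (the "8" marker that "service password-encryption" produces). The hardened variant and its hash value are constructed placeholders.

```python
import re
from typing import List

# Constructed input: the ospfd.conf from the post as shipped, and a variant with
# the two passwords changed and encrypted, so both outcomes of the check appear.
OSPFD_CONF = """\
! -*- ospf -*-
! OSPFd sample configuration file
hostname ospfd
password zebra
enable password zebra
!
router ospf
 redistribute connected
 network 192.168.1.0/24 area 0
 network 10.10.11.0/24 area 11
log stdout
"""

HARDENED_CONF = """\
hostname ospfd
service password-encryption
password 8 $1$EXAMPLE$placeholderhashvalue
enable password 8 $1$EXAMPLE$placeholderhashvalue
router ospf
 network 192.168.1.0/24 area 0
"""

SAMPLE_DEFAULT = "zebra"   # the password in Quagga's shipped *.conf.sample files
# "password WORD" / "enable password WORD"; an "8" before the value marks an encrypted one.
PASSWORD_RE = re.compile(r"^(enable password|password)\s+(8\s+)?(\S+)$")


def config_lines(text: str) -> List[str]:
    """Non-comment lines; in Zebra/Quagga files a line beginning with '!' is a comment."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def audit_vty_passwords(text: str) -> List[str]:
    """Report vty/enable passwords left at the sample default or stored in clear text."""
    findings = []
    for ln in config_lines(text):
        m = PASSWORD_RE.match(ln)
        if not m:
            continue
        keyword, encrypted, value = m.group(1), bool(m.group(2)), m.group(3)
        if value == SAMPLE_DEFAULT:
            findings.append(f"{keyword}: still the sample default '{SAMPLE_DEFAULT}'")
        elif not encrypted:
            findings.append(f"{keyword}: stored in clear text (no '8' marker)")
    return findings


if __name__ == "__main__":
    for name, conf in (("ospfd.conf", OSPFD_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_vty_passwords(conf) or ["ok"])
```

Point the same function at every file under /usr/local/etc/quagga/ (zebra.conf has the identical two lines) before enabling the daemons in rc.conf.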

Open Source Router/Firewall

There are a number of open source routers/firewalls available.

1. Vyatta:- It is based on the XORP routing software architecture. It is a very good open source router/firewall: you need less than 30 minutes to make a router or firewall out of any i386-based machine. Configuration is very simple. It also has a GUI running over HTTPS. I have not tested its GUI thoroughly, but the command line configuration is very good and self-explanatory. You may test the live CD to get a feel for it.
2. XORP:- It is a Linux-based routing software architecture. I have not tested it.
3. pfSense:- It is a FreeBSD-based open source software architecture. Mainly it is used as a firewall, but it also supports OSPF. It is a fork of m0n0wall.
4. ZEBRA:- It is a mainly UNIX-based routing software architecture. Quagga is a fork of ZEBRA and is more popular than Zebra.

Open Source Routers/Firewall.

Nowadays hardware is getting cheaper day by day. In this scenario it is the software that costs us more, and open source routing software is very good in this context. So let us analyze the pros and cons of open source routers.
Pros:-
1. First of all it is free. You need to spend nothing except time to make a router/firewall.
2. For small and medium business enterprises it is like a boon, since it costs very little.
3. Source code is available for almost all open source routers/firewalls. You can audit and scrutinize your router/firewall, and you can tweak the code to your needs.
4. Nowadays most open source routers come with a GUI, so they are very easy to configure.
Cons:-
1. For networks requiring high throughput it may not be a viable solution.
2. The hardware configuration should be checked before installation.
3. It requires more management skills in comparison to some branded routers or firewalls.