• What is NAT-Traversal??

    Hi All, been awhile since my last post, however I believe this to be a good one!. So…the question arose the other day regarding NAT-Traversal. What is that? Why do we have it? What does it do? Most network engineers have heard of NAT-traversal before when configuring their Firewalls and VPN Clients, etc. But, I wanted to take a minute to explain where NAT-Traversals (NAT-T) need came from and the reason we still use it.

    In order to understand NAT-Traversal, we need to understand two Networking concepts. First we need to understand “The Network Flow”. HOw do two hosts on a Network maintain a communication session. The second, is Network Address Translation. Yes NAT’ing, is a big part of IPv4 networks, they are so common place that you are probably using NAT’ing right now when reading this article.

    The Network Flow.

    So in a typical end-to-end connectivity the network traffic flow is maintained by 4 main parameters.

    1. Destination IP
    2. Destination Port
    3. Source IP
    4. Source Port

    These 4 parameters provide a seamless flow of packets back and forth to each end-to-end device within a communication. It is how packets carrying your data arrive at their destination and it is how a return response knows how to get back to the requesting device. The IP requirement is usually pretty straight forward, it’s like the address of a house. You have to know the TO and FROM fields when sending a mail letter. So where does this port information come into play?? So Port number is like a sub-address of where the mailbox is located on a house. Usually a home will only have one mailbox, but imagine the same scenario with an apartment building or housing complex..Many mailboxes at a single address. Now depending on where you live you may need to prepend or add a apartment number to the address. Translate this same concept to port numbers. If my address is 123 North St and I am sending to 789 South St. My courier knows how to drive to each destination, but it doesn’t know where to put the actual mail envelopes since it is an apartment building with hundreds of apartments. This is where the port number comes in. So if on my envelope I put 123 North St. Apt#100 and I am sending to 789 South St. Apt#201. My mail will be delivered not only to the correct address but the correct mailbox.

    I like using the apartment analogy, because it makes us think about Address and Ports being used together to deliver mail. An address and port combination is called a Socket in the networking world.

    Now in a typical request scenario, a client forms the TCP/IP datagram. A Client’s machine fills in the destination IP and Destination Port based on the target and application type generating the request. For example, when you type http:// in your browser, the browser application knows to use port 80 as the Destination Port. The client then fills in it’s own IP address for the Source IP, and the OS chooses a Source Port at random. We call this random Source Port, the Ephemeral Port.

    A typical TCP/IP communication header.

    Sent Packet:

    Dst IP Dst Port Src IP Src Port
    192.168.10.10 80 192.168.1.100 49152

    Return Packet:

    Dst IP Dst Port Src IP Src Port
    192.168.1.100 49152 192.168.10.10 80

    [Read More…]

  • IP Blocklist to Cisco ASA access-list VBscript

    **This article is old, see new Blocklist2ACL 2.0 project.**


    Hi folks! A little script I wrote with VBscript that pulls in IP blocklists from different third party URLs and converts them in to well-formatted Cisco ASA access-lists.  The idea stemed from the old days of running PeerGuardian and Moblock to inhibit known malicious or unwanted IP address from attempting to connect and stopping them right then and there on your computer’s firewall. It is similar to URL Blocklists that focus on URLs and Domain Names, but instead filering is done by IPs only. I wanted to take this IP Blocklist concept that has primarly been done at the Desktop Fireweall layer and abstract it to the Network Firewall. In this case a Cisco ASA that way all traffic that any connection that crosses the Firewall will be filtered by this list.

    The script is fairly straightforward and the source code is below so you may look through it. Feel free to improve upon it and share it with others. I have a few years of writing vbscripts, but am in no way a professional coder. Also, if you by any chance know Linux Shell or Qt and could potentially port this to Linux or even better JAVA for platform independence, let me know!! That would be sweet.

    Video Tutorial

    [Read More…]

  • What the IPSEC are you talking about?

    What is IPsec?

    Most of the time when we are trying to establish a site-to-site or LAN-to-LAN connectivity between two independent parties over an untrusted medium we rely on IPsec. Internet Protocol Security (IPSec) is a open standard suite of protocols used to authenticate and encrypt IP Packets in a connection. This ensures data integrity and data confidentiality. IPsec can be used in a variety of ways, to secure host-to-host communication, network-to-network communication, host-to-network. The most common type is network-to-network. An argument can be made that host-to-host is the same as network-to-network with /32s (i.e. 192.168.1.1/32 to 192.168.255.1/32). Anyway!

    IPsec allows us to form a secure virtual communication link over a untrusted medium such as the internet to allow LAN to LAN communication. Sound familar? VPN anyone? For instance if CompanyA with 192.168.1.0/24 address space and CompanyB with 172.16.1.0/24 address space require hosts on each of their networks to talk to one another, this can be accomplished by utilizing a IPsec tunnel. Hosts at CompanyA would be able to traverse the IPsec tunnel to CompanyB as it appears to them to be nothing more than another routed LAN. It’s a cheap and easy way to create this linked infrastructure without the need to buy or lay-down physically dedicate cabling. Why not piggy back and on an already existing insecure circuit and make it secure with IPSec!!

    Phase 1 and Phase 2 ???

    “Phase 1” — Before IPsec can even begin to send your data, there is a negotiation and the establishment of an agreed upon method to create and secure this connection. The negotiation is performed by Internet Key Exchange (IKE), which consists of (I think) 3 different Key Management protocols. ISAKMP, Oakley, SKEME. All of which are used based on how you want to setup the key exchange, ISAKMP being the most popular. The main point of this Phase 1 is two things, one to agree upon a way to protect this negoitation, followed by authenticating each endpoint to form a trust relationship. This all happens bidirectionally. Once both of those have been completed we have a successfully formed a IKE Security Association(SA) that maintains this trust. IKE uses the key exchange algorithm called Diffie-Hellman to establish a secret key between each end. After this secure channel is setup it will be used in the next phase to negotiate the IPsec SAs, creatively called “Phase 2”. Keep in mind thata single Phase 1 SA can house multiple IPSec SAs!!!, unless you are using Perfect Forward Security(PFS). PFS make it so each IPSec tunnel has only 1 unique Phase 1 SA, that way if Phase 1 is ever compromised it won’t jeopardize all your IPSec tunnels under a single Phase 1 SA. Did I lose you? 🙂

    “Phase 2”IKE is used to negotiate IPSec SAs and how IPSec should be protected. In this Security Association (SA), the actual networks at each end of the tunnel must be agree upon. If they are not, Phase 2 will never come up as their SA are in mismatch. Furthermore, in this Phase 2 an agree upon Transform-set is established. The Transform-Set is the method on how the packets will be encrypted and transmitted out the tunnel interface. How should we transform the packets through the tunnel? Phase 2 also uses the key exchanged from Phase 1 to be used when encrypting the data. If PFS is used, keys are derived independently and not from Phase 1. The cost being time, benefit being a single key compromise does not compromise all IPSec tunnels. Keep in mind Phase 2 is required to be completed at both ends. If not the opposing side won’t know how to decrypt the data!!

    So in summary IKE is used to protect Phase 1 and Phase 2, IPSec is used to send the packets. If you want to understand these steps further, I recommned reading this overview. It is a great explaination. Also if you haven’t already bookmark PacketLife.net!!

    Tunnel vs Transport ??

    Difference between Tunnel and Transport mode is in Tunnel mode the complete Original IP packet header information is encapsulated and encrypted, in Transport mode only the TCP/UDP payload is encrypted.

    ***Source– https://www.slideshare.net/keshabnath/ip-security-19425154***

    The Design:


    Openswan U2.6.37/K3.2.0-4-amd64 w/NetKey Support connecting to a Cisco ASA 5505 running version 9.1(3). I include the versioning because I read a lot of articles where the version of OpenSwan matters tremendously, and also seems to influence what types of issues you might run into. The version I am running uses a fairly new feature called NetKey. From my research this was introduced to make configuring a IPSEC tunnel easier and not require the re-compiling of the Linux Kernel.
    [Read More…]

  • Cisco ASA 5505 Memory Upgrade

    Hi Folks! So I was trying to update my Cisco ASA 5505 my buddy gave me from version 8.2 to 9.1. However upon reloading the device with the new 9.1 image file I got a warning on the console! I received the error of purchase Cisco item “ASA5505-MEM-512=”


    [Read More…]

  • Cisco IOS Router as a DHCP/DNS Authoritative Server

    I was trying to set up a SOHO router for a small client the other day and was having difficulty getting the DNS server to function the way I wanted on the router. I could get the DNS server to run on the Cisco Router, but it would only work on external domains. Any static record I added would not be resolvable for clients.

    For starters, I will assume you have your own Cisco router running 12.4+ IOS firmware with ipservices.

    DHCP first…

    1. First, let’s set up DHCP on the Router
      R1(config)# interface fastEthernet 0/1
      R1(config)# ip address 10.0.0.1 255.255.255.0
      R1(config)# no shutdown
      
    2. Enable DHCP service on that interface
      R1(config)# ip dhcp-server 10.0.0.1
    3. Configure DHCP settings
      R1(config)# ip dhcp pool dhcp-pool
      R1(config-dhcp)# network 10.0.0.0 255.255.255.0
      R1(config-dhcp)# domain-name yourdomain.local
      R1(config-dhcp)# dns-server 10.0.0.1
      R1(config-dhcp)# default-router 10.0.0.1
      R1(config-dhcp)# lease 7

      [Read More…]

  • MRTG in Minutes!

    MRTG is one of those tools a Network Engineer has on his/her toolbelt. MRTG allows the graphing of trending network activity for a wide range of devices. It uses SNMP to query a host and poll it’s network information and statistics. It can be used with Routers, Switches, Linux Hosts, etc.

    I’m going to run MRTG against a Linux Router(running IPtables), a HP PowerConnect Switch, a Cisco Router, and an ESXi host. Anyway….Let’s get started.

    [Read More…]

  • Link Aggregation with LACP and NIC Teaming

    Hi All!, been awhile since I posted an article and I don’t think I have ever posted one on Network Link Aggregation!! Link Aggregation is the physical combining of network links into one logical link. There are two main advantages to this practice. First is the increase throughput that you obtain by combining links, for example combining 2x 1GB links will increase your total bandwidth to 2GB.(Keep in mind this will not change your latency…) Secondly, link aggregation grants the benefits of redundancy. Imagine the setup above. If 1 of the 1GB links fails, you would still have the other 1GB link to fall back on, woot!.

    Wikipedia Image
    –Image From Wikipedia
    [Read More…]

  • Squid Proxy Splash Page

    Hi All! So after my last article regarding securing a guest network web access with Squid and SquidGuard, I wanted to share how I came about creating a Splash Page for Guest users of my Free WiFi hotspot. My goal was to present new Guests with a splash page identifying certain Terms of Usage, etc. Basically we will need a HTML or PHP Splash Page, an ACL identifying the Guests by IP, an external ACL program (squid_session), and a Deny with Information (deny_info).
    [Read More…]

  • Squid 3.1 Caching Proxy with SSL

    Hello, hello! Recently I posted a two part article on creating a Guest wireless network using OpenWRT, VLANs, and Firewall rules. Now we left things kinda open from a security standpoint. WE gave our Guest users full Internet access with no restrictions on sites, bandwidth usage, or ports!! Yikes! For this article I am going to walk you through the steps to close those gaps. We are going to first configure a Web Proxy server that will proxy outbound Internet connections. This allows us to check where and what are Guests are trying to get their hands on. Good and bad. We will also force Guests to connect to this Web Proxy server transparently. What I mean by that is the Guests will not be required to do anything on their side to connect, our firewall will take care of that. And lastly, I want only allow limited bandwidth of HTTP traffic. You will see later on how we can accomplish this. I’ve expanded upon this article of mine that uses squid proxy to filter Ads.
    [Read More…]

  • Multiple Access Points With 802.1Q using OpenWRT(part2)

    Welcome back!

    In the last part, part 1, we configured our OpenWRT device, got it to emit two(2) Access Point SSIDs (insecureWiFi & secureWiFi), created two(2) VLANs to separate traffic frames, and created a trunk to our PoweConnect switch! Wow!
    For this part, part 2, we will be creating another VLAN Trunk from our Dell PowerConnect switch to our Linux router, designing and configuring some Firewall rules.
    [Read More…]