VTI-Based Site-to-Site IPsec VPN

A VTI (Virtual Tunnel Interface) is a full-featured routable interface: many of the common interface options that can be applied to physical interfaces can also be applied to the IPsec virtual tunnel interface. Using a VTI in an IPsec VPN means the static mapping between the IPsec crypto map and a physical interface is no longer an …


Cisco IPsec VPN

IPsec VPN Components. Internet Key Exchange (IKE): IKE is a protocol defined by RFC 2408 that uses parts of several other protocols, such as the Internet Security Association and Key Management Protocol (ISAKMP), Oakley, and the Secure Key Exchange Mechanism (SKEME), to dynamically create a shared security policy and authenticated keys for services that require keys, such as …


Cisco Site-to-Site VPN Basics

When designing a site-to-site VPN solution, there are mainly three components to consider. Choosing the VPN LAN topology: the overall logical network architecture, which depicts the way in which the different sites are interconnected with each other. When choosing between VPN LAN topologies, traffic patterns must be gathered and analyzed, as well as connectivity …


Cisco IOS IPS

IPS Basic Concepts and Components. An Intrusion Detection System (IDS) uses sensors to monitor, analyze and detect malicious activity, and generates alerts or syslog messages to notify the administrator to take action to prevent further attacks. An Intrusion Prevention System (IPS), by contrast, is designed to detect, classify and take real-time action to prevent further malicious activity automatically, without …


Zone Based Policy Firewall (ZBPFW)

Each organization's network can be separated into several security zones (internal, DMZ, external, etc.), and all network device interfaces are then assigned to one of those security zones. Different security policies are applied between security zones for each connection direction. Unlike the previous Cisco IOS firewall feature, Context-Based Access Control (CBAC), ZBPFW defines traffic of …


Transport Layer Security (TLS)

Transport Layer Security (TLS) relies on a reliable transport layer (e.g. TCP) and transparently supports any application protocol. One advantage of TLS is that it is application-protocol independent: higher-level protocols can layer on top of the TLS protocol transparently. The TLS standard, however, does not specify how upper-layer protocols add security with TLS; …


RADIUS

Remote Authentication Dial-In User Service (RADIUS), designed as a centralized AAA service: RADIUS is a widely deployed protocol enabling centralized authentication, authorization, and accounting (AAA) for network access. It was originally developed for dial-up remote access; however, RADIUS is now supported by virtual private network (VPN) servers, wireless access points, authenticating Ethernet switches, Digital Subscriber Line (DSL) access, …


Configuring 802.1x & IBNS

Before a port enters an authorized state, 802.1X allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) packets to traverse the port. Configuring 802.1X port authentication is supported on Layer 2 static access ports, voice VLAN–enabled ports, and Layer 3 routed ports. It is not supported on …


Identity-Based Networking Service (IBNS) and IEEE 802.1x

IEEE 802.1x Overview. IEEE 802.1x is a data link layer (Layer 2) protocol designed to provide port-based network access control, using authentication unique to a device or user, on Ethernet or WLAN. This service is called port-level authentication. Cisco IBNS is an IEEE 802.1x-based technology solution that increases network security by authenticating users based on personal …


Threats, Vulnerability Analysis and Mitigation

Switched Data Plane Attack Types. VLAN Hopping: a packet from one VLAN hops over to another VLAN without the aid of Layer 3 routing. There are two types of VLAN hopping attack. Switch Spoofing: a device poses as a switch, negotiates with the connected switch port using DTP, and finally forms a trunk link carrying all VLANs …
