Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
If I wanted to set up a Dynamic VPN where only authorized laptops would be allowed to VPN in, would the best solution be Certificate based and only allowing administrators to import the client side certificate with a password?

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

Zuhzuhzombie!! posted:

Well we cut them a check for more than 20K a month so they better get something goin on here...

Realize in the grand scheme of things, as a provider, that is chump change :)

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Sepist posted:

If I wanted to set up a Dynamic VPN where only authorized laptops would be allowed to VPN in, would the best solution be Certificate based and only allowing administrators to import the client side certificate with a password?

What is the head end device? What OS on the client laptops? Generally speaking that would be a good way to go. On ASA you could use Advanced Endpoint Assessment. Set an obscure registry key and have it search for that value, etc.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
ASA as the head end. Win XP is probably the client; I'd have to verify, I just know they're Windows desktops.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
There would be unauthorized machines with your VPN settings configured on it? Additional auth such as xauth, RSA keyfobs, etc.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

falz posted:

There would be unauthorized machines with your VPN settings configured on it? Additional auth such as xauth, RSA keyfobs, etc.

Wouldn't prevent users from installing the VPN software and profile on a non-corporate asset.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
I figured as long as administrators load the cert and password protect it, it should be enough.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
I see, I thought you were trying to prevent untrusted users, not untrusted devices. I suppose if a cert isn't exportable it should work.

We used to manage client SSL certs to auth IPsec clients on Netscreen and while it worked, it was a huge pain in the rear end. We didn't have direct access to the machines, they were all remote users without any centralized authentication or remote administration.

ior
Nov 21, 2003

What's a fuckass?

Sepist posted:

If I wanted to set up a Dynamic VPN where only authorized laptops would be allowed to VPN in, would the best solution be Certificate based and only allowing administrators to import the client side certificate with a password?

Joining the relevant computers into an AD group that enrolls them with a certificate would probably be the way to go.
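What the three answers above add up to on the head end: the ASA trusts only your own issuing CA, checks its CRL, and only admits a peer to the corporate tunnel-group if its certificate came from that CA and carries the OU your machine-cert template stamps. The non-exportable private key that falz mentions and the AD-group autoenrollment that ior mentions are enforced on the Windows CA template and GPO, not on the ASA. The configuration below is an added example, not something posted in the thread; it uses 8.3-era syntax (8.4 and later rename `trust-point` to `ikev1 trust-point` and `crypto isakmp` to `crypto ikev1`), and the trustpoint name CORP-CA, the CA CN "Corp Issuing CA", the OU "VPN-Laptops", the 10.99.0.0/24 pool and the interface name "outside" are all assumptions.

```cisco
! Added example, not configuration from anyone in the thread.  ASA 8.3 syntax,
! IKEv1 remote-access IPsec.  Assumed names: trustpoint CORP-CA (CA cert CN
! "Corp Issuing CA"), machine certs carrying OU "VPN-Laptops" from the AD
! template, pool 10.99.0.0/24, outside interface "outside".
!
! --- Trust only our issuing CA and check its CRL, so a lost laptop's cert can
!     be revoked instead of living on until it expires.
crypto ca trustpoint CORP-CA
 enrollment terminal
 revocation-check crl
 crl configure
! then:  crypto ca authenticate CORP-CA   (paste the CA certificate)
!        crypto ca enroll CORP-CA         (the ASA's own identity certificate)
!
! --- IKE/IPsec plumbing, kept minimal.
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-RA 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-RA
crypto map OUTSIDE-MAP interface outside
!
ip local pool VPN-POOL 10.99.0.10-10.99.0.250 mask 255.255.255.0
!
group-policy CORP-LAPTOPS internal
group-policy CORP-LAPTOPS attributes
 vpn-tunnel-protocol IPSec
!
! --- The corporate tunnel-group authenticates the peer by certificate only.
tunnel-group CORP-VPN type remote-access
tunnel-group CORP-VPN general-attributes
 address-pool VPN-POOL
 default-group-policy CORP-LAPTOPS
tunnel-group CORP-VPN ipsec-attributes
 trust-point CORP-CA
 peer-id-validate req
! To also demand user credentials on top of the machine cert (falz's xauth
! point) add here:
!  isakmp ikev1-user-authentication xauth
! and an authentication-server-group under general-attributes.
!
! --- Steer a peer into CORP-VPN only if its cert came from our CA and carries
!     the template's OU.  Anything else lands in DefaultRAGroup, which is left
!     without a trust-point or pre-shared key, so that negotiation fails.
crypto ca certificate map CORP-LAPTOPS-MAP 10
 issuer-name attr cn eq "Corp Issuing CA"
 subject-name attr ou eq "VPN-Laptops"
tunnel-group-map enable rules
tunnel-group-map CORP-LAPTOPS-MAP 10 CORP-VPN
```

Two checks worth doing once this is in: `show crypto ca certificates` should list the CA under CORP-CA with the CRL reachable, and a test connection from a laptop whose cert is from any other CA, or from the right CA but missing the OU, must fail rather than fall into some group with a pre-shared key. Certificate mapping is what makes "authorized laptops only" hold; a trust-point alone admits every cert the CA has ever issued.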

ate shit on live tv
Feb 15, 2004

by Azathoth
So here is something that I haven't done before. We are going to connect with a client, however the client can ONLY support HSRP for dual connections.

For business reasons we HAVE to connect to this client, and thus we HAVE to do it at layer 2. So the question is how to protect our infrastructure when we have a layer 2 connection that goes outside of our AS?

Or more succinctly does anyone have a list of layer2 best practices from Cisco or something?

jwh
Jun 12, 2002

I'm not following you.

Colo your own router(s) at their facility, or colo their router(s) at your facility.

Then you can do whatever you want, and be concerned only with the layer-2 caveats on a shared "meet-me" network that exists within a single location.

jwh
Jun 12, 2002

I'm buying two 7009's, it looks like. I'm interested if anyone is running a combination of both M1 and F1 linecards, and how the layer-3 punting works.

I suspect we'll be focusing on M1 cards, since we're only worried about connecting our 10-gig ports to a pair of 6140s, but I'd like to know more about the F1s, just in case.

ate shit on live tv
Feb 15, 2004

by Azathoth

jwh posted:

I'm not following you.

Colo your own router(s) at their facility, or colo their router(s) at your facility.

Then you can do whatever you want, and be concerned only with the layer-2 caveats on a shared "meet-me" network that exists within a single location.

Basically we are going to be sharing a /28 with this customer. We will have an HSRP address, and so will the customer. We will be pointing a static route at their HSRP address to get to their trading network.

So basically I'm looking for a best practices document for interacting with a switched topology that I don't fully control. Spanning tree concerns, etc.

tortilla_chip
Jun 13, 2007

k-partite
I'd think turning BPDU filter on the ports facing the DMZ would be adequate.

jwh
Jun 12, 2002

Why not just bring that /28 into a routed interface(s)? Wouldn't that mitigate your participatory layer-2 concerns?

ate shit on live tv
Feb 15, 2004

by Azathoth
The /28 is attached to an SVI but it doesn't change the fact that there are two layer 2 links between our equipment and his.

I guess I'll enable BPDUFilter, and disable CDP. What else would be good to do? Oh it will be two Single Mode Fiber connections.

jwh
Jun 12, 2002

Why can't you change the /28 from being homed from a SVI to a routed port(s)?

ate shit on live tv
Feb 15, 2004

by Azathoth
Where would the HSRP address live if I did that?

tortilla_chip
Jun 13, 2007

k-partite
Is this the physical topology?
code:

            /[Client A]<--->[SP A]\
[Client Cloud]                    [SP Cloud]
            \[Client B]<--->[SP B]/

ate shit on live tv
Feb 15, 2004

by Azathoth
Yep, that's it.

Well except Client A and Client B are just two separate connections to the same client, and SP A and SP B are the same SP (which is us).

tortilla_chip
Jun 13, 2007

k-partite
They are separate routers though?

ate shit on live tv
Feb 15, 2004

by Azathoth
Yep. Four total routers, two the client's, two mine.

They are 6509's with Sup720 if that helps.

tortilla_chip
Jun 13, 2007

k-partite
Assuming there is a link that connects each organization's router pair together at layer 2...

I'd go the SVI route, have the ports facing the DMZ set up as access mode. I assume you want portfast enabled on these links? Enable BPDU filtering. Block other layer 2 control protocols as you see fit (CDP etc). If you really want a belt-and-suspenders approach, apply a VACL that denies traffic to all the MAC addresses used for the previously listed layer 2 control protocols.

Probably want to have port security enabled on the DMZ facing ports as well, 16 MACs seems like a reasonable limit.

tortilla_chip fucked around with this message at 20:21 on Oct 4, 2011

ragzilla
Sep 9, 2005
don't ask me, i only work here


Powercrazy posted:

Yep. Four total routers, two the client's, two mine.

They are 6509's with Sup720 if that helps.

Why run HSRP?

2 /30s, run BGP, problem solved.

abigserve
Sep 13, 2009

this is a better avatar than what I had before

Powercrazy posted:

Where would the HSRP address live if I did that?

On the routed interface which connects into the layer 2 domain on the same vlan as your other router.

CrackTsunami
Sep 21, 2004
I enjoy the eating of babies.
Please don't enable BPDU filter, use guard instead and declare that you're going to be the root.

If it's L2, use STP. I've seen ridiculous attempts to get around STP on Nexus 2Ks (all ports are edge with bpdu guard that cannot be disabled) by using filter and it never ends well. I work in the datacentre space with lots of colo guys with their own whacked out topologies and it's hell on earth unless you assert control of the root.

ragzilla
Sep 9, 2005
don't ask me, i only work here


CrackTsunami posted:

Please don't enable BPDU filter, use guard instead and declare that you're going to be the root.

If it's L2, use STP. I've seen ridiculous attempts to get around STP on Nexus 2Ks (all ports are edge with bpdu guard that cannot be disabled) by using filter and it never ends well. I work in the datacentre space with lots of colo guys with their own whacked out topologies and it's hell on earth unless you assert control of the root.

The correct guard to configure in this case is root guard, not bpdu guard.

CrazyDutchie
Aug 5, 2005
You should configure:

layer1
UDLD aggressive

layer2
switchport mode access
switchport nonegotiate
spanning-tree bpduguard or filter (not both)
restrict maximum number of MAC addresses you accept on the ports
no cdp enable


layer3
connect using a VRF-lite setup
no ip unreachables

ate shit on live tv
Feb 15, 2004

by Azathoth

ragzilla posted:

Why run HSRP?

2 /30s, run BGP, problem solved.

Because I HAVE to use HSRP to connect to the Client. Not my choice, every single other customer we have with dual connections gets BGP over a /30, and then injected into our MPLS network.

My question was about using Root Guard vs BPDU Filter vs BPDU Guard. BPDU Guard is bad because it will just err-disable the ports. Filter may have other consequences, root guard seems good though.

Not sure about UDLD, it should work fine though.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Powercrazy posted:

Because I HAVE to use HSRP to connect to the Client. Not my choice, every single other customer we have with dual connections gets BGP over a /30, and then injected into our MPLS network.

My question was about using Root Guard vs BPDU Filter vs BPDU Guard. BPDU Guard is bad because it will just err-disable the ports. Filter may have other consequences, root guard seems good though.

Not sure about UDLD, it should work fine though.

udld is a nice belt and suspenders but you may run into issues running it on an SVI if you want to provide the shared media for the HSRP.

With that requirement I'd agree to just share spanning-tree with them, demand root be on your side (set your prios accordingly) and set rootguard on your ports. Make sure you pass the VLAN between your 2 routers so you always have a path to the root on your side.

When setting max-mac-count I'd set it to 3 that should cover their 2 switch MACs and their HSRP MAC. Do not set secure or sticky MACs though.

Also, use a different HSRP group (I usually use VLAN ID if I can) since chances are they'll use group 0.

tortilla_chip
Jun 13, 2007

k-partite
UDLD will require configuration on both sides. This may or may not be an issue. BPDU filter is the best option here because ideally you want no spanning tree interaction between either party. Think of them in terms of a L2 MetroE customer.

tortilla_chip fucked around with this message at 19:50 on Oct 5, 2011
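The thread by now has two coherent designs for the client-facing ports: share spanning tree but own the root (CrackTsunami, ragzilla: root guard, our side as root, VLAN carried between our two routers) or take no part in the client's spanning tree at all (tortilla_chip: BPDU filter, optionally a VACL on the control-protocol MACs). CrazyDutchie's layer 1/2/3 checklist and ragzilla's port-security and HSRP-group details fit either. The configuration below is an added example, not anything posted in the thread, and writes variant A out in full for one of the two 6509s with variant B as a commented-out delta. VLAN 100, the VRF name CLIENT, interface Gi1/1, the 192.0.2.0/28 addressing, the HSRP VIPs (.1 ours, .3 theirs) and the client prefix 198.51.100.0/24 are assumptions.

```cisco
! Added example, not configuration from anyone in the thread.
! Catalyst 6500 / Sup720 (IOS 12.2SX syntax), one of our two routers.
! Assumed: VLAN 100 carries the shared /28 (192.0.2.0/28), VRF "CLIENT"
! isolates it, the client link is Gi1/1, our HSRP VIP is 192.0.2.1, theirs is
! 192.0.2.3, their trading network is 198.51.100.0/24.
!
! --- Variant A (CrackTsunami / ragzilla): share STP, but own the root.
!     Root guard only helps if the root really is on our side, so set a low
!     priority here and a slightly higher one on our second router.
spanning-tree mode rapid-pvst
spanning-tree vlan 100 priority 4096
!
ip vrf CLIENT
 description Trading client behind shared HSRP /28
!
vlan 100
 name CLIENT-DMZ
!
! --- Layer 3: SVI inside the VRF.  HSRP group = VLAN ID, since their side will
!     most likely use group 0 and duplicate groups on one segment collide.
interface Vlan100
 description Shared /28 with client (VRF-lite)
 ip vrf forwarding CLIENT
 ip address 192.0.2.2 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 100 ip 192.0.2.1
 standby 100 priority 110
 standby 100 preempt
 standby 100 authentication md5 key-string REPLACE-WITH-SHARED-KEY
!
! --- Layer 1/2: the fibre toward the client is a plain access port.
!     Port-security max 3 = their two switch MACs + their HSRP virtual MAC,
!     dynamic learning only (no sticky/static entries, per ragzilla).
!     A MAC that moves to our other port after a topology change counts as a
!     violation there until it ages out here; "restrict" keeps that from
!     err-disabling anything and the inactivity aging keeps the window short.
interface GigabitEthernet1/1
 description Client link (SMF)
 switchport
 switchport mode access
 switchport access vlan 100
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree guard root
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 no cdp enable
 no lldp transmit
 no lldp receive
 udld port aggressive
!
! VLAN 100 must also be allowed on the trunk between our two 6509s so the
! second router always has a path to the root (that trunk is not shown).
!
! --- Static route to their trading network via THEIR HSRP address.
ip route vrf CLIENT 198.51.100.0 255.255.255.0 192.0.2.3
!
! --- Variant B (tortilla_chip): no STP interaction at all.  Replace
!     "spanning-tree guard root" with the filter and optionally drop the
!     control-protocol MACs with a VACL.  Never configure guard and filter on
!     the same port.  The VACL also kills UDLD, which shares 0100.0ccc.cccc,
!     so drop "udld port aggressive" with it, and verify on your train that
!     control frames received on the port actually pass through the VACL.
! interface GigabitEthernet1/1
!  no spanning-tree guard root
!  spanning-tree bpdufilter enable
! mac access-list extended L2-CONTROL
!  permit any host 0100.0ccc.cccc   ! CDP, VTP, DTP, PAgP, UDLD
!  permit any host 0100.0ccc.cccd   ! PVST+ BPDUs
!  permit any host 0180.c200.0000   ! IEEE STP BPDUs
!  permit any host 0180.c200.000e   ! LLDP
! vlan access-map CLIENT-L2 10
!  match mac address L2-CONTROL
!  action drop
! vlan access-map CLIENT-L2 20
!  action forward
! vlan filter CLIENT-L2 vlan-list 100
```

After it is up, `show spanning-tree vlan 100` on both of our routers must show the root bridge as one of ours with Gi1/1 designated, and `show spanning-tree inconsistentports` should stay empty; if the client ever sends a superior BPDU the port appears there as root-inconsistent and recovers by itself once the BPDUs stop, which is the whole reason to prefer root guard over BPDU guard's err-disable. `show port-security interface Gi1/1` tells you whether the three-MAC budget was right.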

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR

Powercrazy posted:

Because I HAVE to use HSRP to connect to the Client. Not my choice, every single other customer we have with dual connections gets BGP over a /30, and then injected into our MPLS network.

My question was about using Root Guard vs BPDU Filter vs BPDU Guard. BPDU Guard is bad because it will just err-disable the ports. Filter may have other consequences, root guard seems good though.

Not sure about UDLD, it should work fine though.

Every HSRP connection I have setup is basically putting an IP on an SVI from a small subnet, a backup IP, and a standby group. Standby group handles load balancing with a priority setting. I've only ever disabled CDP.

Kenfoldsfive
Jan 1, 2003

The un-bitey-ness of a chicken's head and the "I don't want to cook that"-ness of a dog's body

Bardlebee posted:

Need a bit of Cert advice.

I just got my 'babies first net engi' job. I am more of a security engineer, focusing on PIX/ASA and switches rather than routers and switches. I have my CCNA, but I wanted to know how soon is too soon to get my CCNP? I don't want to go too fast in my certs in comparison to my experience as I don't want to be perceived as someone who is a "paper tiger". I was thinking I could finish my CCNP after 2 years of experience, but wondered if that was too soon.

In the same thought I was thinking of doing both my CCNP and CCNP: Security in the next five years. Obviously these goals can/will change, but you get the idea.


You can look at a CCNA Security as a mid-level jump off point. Also don't forget the CCSP, though I'm really not sure what the difference between that and the CCNP Security is.

Kenfoldsfive
Jan 1, 2003

The un-bitey-ness of a chicken's head and the "I don't want to cook that"-ness of a dog's body

falz posted:

"Crafted IPv6 Packet May Cause MPLS-Configured Device to Reload

A crafted IPv6 packet may cause the device to crash when the packet is processed by Cisco IOS Software because the MPLS TTL has expired. The crafted packet used to exploit this vulnerability would be silently discarded in Cisco IOS Software if received on an interface where the packet did not have an MPLS label."

http://www.cisco.com/warp/public/707/cisco-sa-20110928-ipv6mpls.shtml


Fun times

They also released an alert today on a TACACS+ authentication bypass vulnerability for the ASA.
:ohdear:

http://tools.cisco.com/security/center/viewAlert.x?alertId=24242

Eletriarnation
Apr 6, 2005

People don't appreciate the substance of things...
objects in space.


Oven Wrangler

Kenfoldsfive posted:

You can look at a CCNA Security as a mid-level jump off point. Also don't forget the CCSP, though I'm really not sure what the difference between that and the CCNP Security is.

The CCNP Security replaces the CCSP, like the ROUTE and SWITCH replaced BSCI/BCMSN.

Matteyo
Jul 19, 2009

Bardlebee posted:

Need a bit of Cert advice.

I just got my 'babies first net engi' job. I am more of a security engineer, focusing on PIX/ASA and switches rather than routers and switches. I have my CCNA, but I wanted to know how soon is too soon to get my CCNP? I don't want to go too fast in my certs in comparison to my experience as I don't want to be perceived as someone who is a "paper tiger". I was thinking I could finish my CCNP after 2 years of experience, but wondered if that was too soon.

In the same thought I was thinking of doing both my CCNP and CCNP: Security in the next five years. Obviously these goals can/will change, but you get the idea.

To be an effective security engineer you must have a very good understanding of routing, as well as switching. Only then can you really master firewalling and more advanced security concepts such as NAC and IPS/IDS. I find that some of the most annoying customer engineers I deal with are those who regard themselves as security experts but don't have a clue how to route, switch, or have a firm grasp of how their own network fits together.

I had my CCNP within a year of entering the industry (my company has a very aggressive training policy for new hire consultants), and felt I was a paper CCNP for a few months until I cut my teeth on some very complex and challenging projects and troubleshooting, and worked in our network lab a lot.

I'd say it is never too early to dedicate a lot of time to study though, as it is going to help your career. For example, if you are working with an EIGRP only network, you aren't going to start familiarizing yourself with OSPF unless you start learning through labs or self-study. I would definitely recommend getting CCNP first to get the layer 2/3 basics down, then specializing in security, voice, data center design, etc, because IP is the fundamental medium for any of this stuff to work.

As far as Cisco security, it is definitely a good specialization to choose. Since I proved myself as a competent ASA engineer for the consulting firm I work for I have gotten a lot more interesting and rewarding project assignments involving the technology versus the run of the mill LAN infrastructure upgrades. It is also nice knowing you can troubleshoot every piece of the network and not get BSed by the firewall guys.

Ninja Rope
Oct 22, 2005

Wee.

Matteyo posted:

those who regard themselves as security experts

Everyone thinks they're a security expert.

Bardlebee
Feb 24, 2009

Im Blind.

Ninja Rope posted:

Everyone thinks they're a security expert.

"Welp, here's your problem!" *Proceeds to unplug router from the outside world*

ate shit on live tv
Feb 15, 2004

by Azathoth
I thought there was a way to upgrade the code on an ASA cluster without interruption, yet as I'm googling around I can't find a guide on how to do it.

I'm going to be upgrading from 8.3(x) to 8.3(2.24), and I'm not 100% sure if after the upgrade the members will resync if they are on different code revisions or not.

My thought process would be, upgrade the standby code, reload it. Once it comes back up, upgrade the primary code, failover to secondary, and then reload primary. Seems like it should work, but I can't seem to find any documentation about it.

Any one know?
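The sequence sketched above (upgrade the standby, reload it, swap roles, then upgrade the old active) is the documented Cisco zero-downtime upgrade for an active/standby failover pair, and it is supported between maintenance builds of the same minor release, which is what 8.3(x) to 8.3(2)24 is: the pair keeps replicating configuration while the two units briefly run different builds. Written out as an added example (not from the thread), with the TFTP server 192.0.2.10 and the image file names asa832-24-k8.bin (new) and asa831-k8.bin (old) as assumptions:

```cisco
! Added example, not from the thread.  Zero-downtime upgrade of an ASA
! active/standby pair within one maintenance train.  Assumed: TFTP server
! 192.0.2.10, new image asa832-24-k8.bin, old image asa831-k8.bin.
! Every command is entered on the ACTIVE unit unless the comment says otherwise.
!
! 1. Stage the image on both units (same path on both).
copy tftp://192.0.2.10/asa832-24-k8.bin disk0:/asa832-24-k8.bin
failover exec mate copy /noconfirm tftp://192.0.2.10/asa832-24-k8.bin disk0:/asa832-24-k8.bin
!
! 2. Boot the new image first, drop the old one, save.  "write memory"
!    replicates the boot statement to the standby, so both reload into the
!    new build.
configure terminal
 boot system disk0:/asa832-24-k8.bin
 no boot system disk0:/asa831-k8.bin
 end
write memory
!
! 3. Reload the standby; poll until it shows "Standby Ready" on the new build.
failover reload-standby
show failover
!
! 4. Swap roles: this (old-build) unit steps down, the upgraded one takes over.
!    Existing connections survive the switchover via the replicated state.
no failover active
!
! 5. Now on the NEW active unit (the one already upgraded): reload the
!    remaining old-build unit, which boots the new image, and wait for
!    "Standby Ready" again.
failover reload-standby
show failover
!
! 6. Optional: hand active back to the primary once both show the new version.
failover active
show version
```

The thing to check before step 4 is `show failover`: if the standby comes up "Failed" or "Negotiation" instead of "Standby Ready" after its reload, the builds are not compatible for hitless replication and you should stop there rather than fail over onto it. Between maintenance releases of the same minor train that does not happen; it is crossing minor or major versions where the standby will sit failed until both units match.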

Panthrax
Jul 12, 2001
I'm gonna hit you until candy comes out.
Anyone use ONS 15454s with Sonus GSXes? We're in the middle of upgrading our GSXes, which requires reboots. Problem is this causes random T1s to go out of service on the outbound DS3s to the GSX. If we bounce the T1s on the Sonus side, they don't come up, but if I bounce the T1s on the ONS (by switching from ESF to unframed back to ESF) the T1 comes back up. I had a ticket open with TAC but since they don't have any GSXes kicking around they couldn't test it, but it definitely seems to be an issue on the ONS side. Anyone run into these problems? We're running 9.2.1 code on the ONSes, and upgrading to 7.3 code on the GSXes (which doesn't really matter, because we had an issue with one, which required another reboot after the software was upgraded, and still had T1s going out of service, so it wasn't the upgrade specifically).
