Site-to-Site VPN's

Recently at my company I was put in charge of configuring and deploying Cisco 881 routers and creating a Site-to-Site VPN's back to our ASA at the corporate office. I think this might have something to do with my co-workers knowing that I'm studying my CCNA: Security, oh well I didn't mind at all and kinda volunteered for this project. Well I wanted to learn about Site-to-Site VPN's through my IINS book before I started this project but the deployment happened before I could get to Chapter 4 and I'm really OCD about skipping chapters. In the end it worked out well because I think reading the chapter on Site-to-Site VPN's before ever configuring one beforehand would of just confused me.

I was able to open a TAC case to have an engineer help me get the bare bones configuration up. I then created a template and tweaked it to the point were all you have to do is change the IP's, allow the IP's on the ASA ACL, and create a static route and you were good to go. I was able to configure a group of 5 Cisco 881's in about 2 hours taking about 20 minutes each, the longest time was spent taking the packaging off of the router. The configuration took about 5 minutes.

This weekend I spent some time setting up a site-to-site configuration from scratch. For what ever reason I could never get the tunnel up and I quadruple checked the configuration including starting the lab over from scratch! It wasn't until I found some documentation that I realized why the tunnel never attempted to be created. The tunnel was only created when "interesting' traffic was sent to the other peer that's involved in the VPN process. I did a simple ping from end host to the other and just like magic the tunnels came right up!

A quick show crypto isakmp sa will show you rather your tunnel is up and alive:

Cisco SDM and ACLs

The last week or so I have been reading through chapter 3 in the IINS book which covers access lists (ACLs) using both the CLI (command line interface) and SDM (Security Device Manager). Of course most of the configuration is based off of SDM but most people will use CLI in the real world including my self. I'm near the end of the chapter which digs into Zone-Based Policy Firewall which confuses me still to be honest. I understand the high level view of it which involves around creating zones with multiple interfaces/devices to be inspected with traffic instead of assigning a different ACL per interface which can become complex. I'm sure I'll have this concept nailed down within the next few months.

I'm actually putting some of this security stuff into use already which is nice, I've taken over configuring Cisco 880 routers with VPN connectivity for our home users. Also after our UCS upgrade, I plan on streamlining alot of our IOS configuration and implementing all of our Cisco devices with AAA using the ACS server that we have.

More Cisco SDM Stuff

Well after 3 full days, I was able to get SDM up and working in GNS3. I know I've ran into issues in the pass but I wasn't smart enough to document how I resolved them really. This time I written down the exact configuration I need to have in order for SDM to run properly. You pretty much HAVE to install and use SDM if you plan on studying the CCNA: Security because most of the configuration you're going to do is based off of it. Today I was able to install AAA via SDM and some CLI which went fairly smooth. I had to setup AAA to user the routers AAA local user and password info since I don't have a RADIUS or TACACS server setup. This is good information though because we have a ACS server in our environment that uses AAA but only the older Cisco equipment is setup to use it as neither my colleague or myself are experienced in using it. We plan on beefing up and standardizing our network in the near future but we're just swamped with preparing for some very big network upgrades.

Role-Based CLI Configuration

I spent sometime this morning playing around with different roles you can assign, similar to the privileged levels that you can assign for specific users in the IOS. I created a role called "simple" that only allowed for looking at the running configuration on the router and that's it. the show parser view shows what role/view you're in. The default "root" view is the only view that allows you to create other views...it's like a riddle I know but it makes sense once you play around with it.

I also learned how you can help prevent DoS attacks on the IOS itself. You can limit the amount of times someone can try to access a Cisco device within a certain time period. If someone attempts to login unsuccessfully within a certain amount of time, the IOS can block out any further attempts within a specified time period. As shown in the picture above, this command is called the login block-for and login quiet-mode.

Risk Management

Today I read through more of chapter 1, it's one of the longest chapters I've ever read through in an IT book. I'm on page 91 with at least 10-20 more pages to go. I read up about basic risk management and the ways that you can analysis risk within a business. It's all about weighing the benefits between cost and security along with some guess work about if the risk will ever happen i.e. a tsunami hitting the middle of Missouri. I hope to have the rest of the chapter knocked out by tomorrow or Wednesday.

System Design Life Cycle

This weekend I read through a good portion of Chapter 1 in the Cisco IINS book regarding the System Design Life Cycle (SDLC) and how to create a security policy. I played around with a low-level network scanner tool called Nmap. It's pretty cool, it can scan various things in your network such as UDP/TCP ports and can even graph a simple network topology out of it! I also played around with Cisco's security policy creator template which creates a ready to go security policy with pretty much everything you need. Starting this week I'm going to begin really digging into my studies work and weather permitting. I'm honestly not sure if I'll sit this exam but i do want to up my knowledge on security, even if it's just general knowledge.

Certification Plans

Well I believe I have my plan laid out regarding which certs I'm going to pursue next. I'm hopping right into the CCNA:Security exam now, security is by far my weakest subject. After Security I'm going to most likely restart my CCNP studies again. I believe I would be doing myself a huge disservice if I didn't establish a solid fundamental understanding regarding IP networking and the protocols that's used to transport it. After that I might back track to CCDA or finally begin the new CCNP: Voice cert. I'm starting to realize in my current environment that troubleshooting and configuring networks is only one half of a solution. Properly designing the network to begin with will make or break a network. With an improperly designed network it can be hard to scale or troubleshoot the simplest of tasks.