Simple Next Generation Firewall Manipulation Leading to Data Exfiltration

I was asked to take over a project involving implementing some Next Generation Firewalls. In this particular case it was Cisco Firepower Threat Defense. I was told that these NGFWs are all singing, all dancing and given the cost of them you’d expect that and more. I was told they understand more than just Layer 3 meaning we can do things like write rules based on FQDN, allow traffic based

Cisco Two Armed VPN Concentrator and Default Route

Take the following scenario: You have a hub site. Branch (spoke) sites connect to the hub with a L2L IPsec tunnel. All traffic must traverse the tunnel (no local breakout to the Internet). At the hub, your VPN concentrator is separate from your firewall and runs in two armed mode. Where one interface is outside the firewall (public) to terminate the incoming tunnels and another interface is within a DMZ. As such

DHCP Option 43 Generator for Cisco Lightweight APs

I got lazy after having to create a load of DHCP scopes for Cisco Lightweight Access Points, each requiring Option 43 in TLV format. And now you can be lazy too. Save the following as a HTML file and open in your favorite browser. In the text area enter your WLC IP addresses one per line and hit submit. This will generate the hex string to use in DHCP Option 43.

Cisco VSS, Domain ID and Virtual MAC Addresses

The other weekend I connected a L2 circuit between two sites. At both ends were Cisco 6500 Catalyst switches running VSS. The interfaces they connected to were configured as L3 and EIGRP was run between the two sites to share routes. But as soon as they were connected the neighbors started flapping. Troubleshooting started and as always you start at the lowest OSI layer and work up. Bingo! The issue

Show Me The Config!

Back in the days before stacks and VSS, doing a “show run” to look at something was easy. You pressed space a few times to page through the output and found the section you were interested in. Now when you’ve got a stack of several switches or switch running VSS with hundreds of interfaces you’ll be pressing space forever and a day paging through the config. In IOS you can pipe output to a selection of

Cisco Crypto ACLs – Do They Really Need to Match?

When starting out with IPsec tunnels it seems to be a common misconception that the crypto ACL, sometimes referred to as the encryption domain or the interesting traffic, must match 100% or be mirrored at both peers or the tunnel won’t come up. This isn’t strictly true. Whilst the ISAKMP phase 1 and IPsec phase 2 proposals must match, the crypto ACL can be different. Assume that at the local

Auditing Cisco ASA Firewall Rules

Today I was auditing a firewall rule set on a Cisco ASA firewall. The firewall has around 399 ACLs (Access Control Lists) comprising of 7272 ACEs (Access Control Entries). Quite a task! Unfortunately I didn’t have any tools to hand such as Cisco Security Manager or something like FirePac to audit the rules and give me some suggestions. Stage 1 was to visually look at the ACLs and spot the obvious

Automating Mass Cisco IOS Upgrades

This morning I needed to upgrade the IOS on 29 Cisco 3560G switches. Rather than login to each one, clean up the flash storage, FTP on the IOS image and set the boot image, I wrote a simple shell script and used clogin from RANCID to automate this task. Of course, nearly every Network Configuration Management platform that’s any good should be able to do this but I prefer the personal

Automating Cisco Switch Swap Outs

So you can’t automate the entire process unfortunately. You’re still going to need to pull a late night and get your hands dirty… Recently I was tasked with swapping out 4 old Cisco 10/100Mb switches with new 10/100/1000Mb switches. The old switches were a combination of Cisco 3560, 2950 and 3548 series. The old switches also had some old configurations that needed to be updated and the interface configurations weren’t consistent. The

Should Network Engineers Also Be Programmers?

Short answer: Yes. Maybe not a programmer in the sense that you need to be proficient in C++, .NET, assembler, know UML etc but having some general programming knowledge is very useful. In my opinion and experience the most important programming skill to have is a fairly in-depth knowledge of a scripting language. Be that shell, Perl, Powershell or even batch scripts. A week doesn’t go by where I don’t write a