Just another CCIE

CCIE #20728

Cisco IOS Rootkit

You may already have read about the Cisco IOS rootkit developed by Sebastian Muniz of Core Security. EUSecWest published an interview with him about his proof-of-concept rootkit.

Cisco responded with a Security Response about the IOS rootkit. It mainly says that no new vulnerability has been found and recommends following the existing best practices for hardening network devices; Cisco's guide on hardening its devices can be found here. To install the rootkit the attacker already needs privileged (enable) access to the device, so protecting that access is the main defense. Since the proof of concept is installed as a modified image, it also pays to load only images whose checksum you have compared against the one Cisco publishes, and to compare it on a copy taken off the box rather than trusting a verify run by an image you already suspect.

Nicolas Fischbach of Colt Telecom posted a review on the cisco-nsp mailing list, which can be found here. The whole issue can be summarized with a part of his post:

So what’s the impact today? Topo’s proof of concept doesn’t bypass ACLs (rACLs, VTY ACLs), AAA, etc [yet], requires enable rights, a new image and a reload (or enable only if you do gdb-on-the-fly patching). In summary it’s “noisy” and unless you bought the router on an auction site and/or download IOS from “alternative” sources you should notice (or probably deserve to get owned :)

May 27, 2008 Posted by pashtuk | Security | No Comments Yet

Cisco IOS Secure Shell Denial of Service Vulnerabilities

Cisco published a Security Advisory about multiple vulnerabilities in the SSH server implementation of Cisco IOS.

“The Secure Shell server (SSH) implementation in Cisco IOS contains multiple vulnerabilities that allow unauthenticated users the ability to generate a spurious memory access error or, in certain cases, reload the device.”

Read the Advisory

May 23, 2008 Posted by pashtuk | Misc | 1 Comment

Get the Cisco configuration over SNMP

Backing up the configurations of Cisco devices is normally done with a tool (CiscoWorks 2000, SolarWinds Cirrus or similar), but if you do not want to buy one, here is a way to do it yourself.

Cisco has an SNMP MIB called CISCO-CONFIG-COPY-MIB that lets you make a device copy its configuration to a file server over SNMP. If you also know your way around scripting (shell, Perl or whatever you prefer), this is how you can back up your devices automatically.
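The following is an added example (not the script from this post) that drives CISCO-CONFIG-COPY-MIB with the net-snmp command-line tools. The OIDs and enumerations are the MIB's own (ccCopyEntry columns, tftp=1, runningConfig=4, networkFile=1, createAndGo=4, destroy=6); the device name, TFTP server, SNMPv3 credentials and the use of `snmpset`/`snmpget` are assumptions you adjust to your environment.

```python
"""Back up a running-config via CISCO-CONFIG-COPY-MIB with net-snmp.

Added example, not the blog author's script. OIDs and enumerations come
from CISCO-CONFIG-COPY-MIB; the device name, TFTP server, SNMP credentials
and the snmpset/snmpget invocations are assumptions.
"""
import random
import subprocess
import time
from typing import List, Sequence, Tuple

CC_COPY_ENTRY = "1.3.6.1.4.1.9.9.96.1.1.1.1"        # ccCopyEntry
COL = {"protocol": 2, "source_type": 3, "dest_type": 4,
       "server": 5, "filename": 6, "state": 10, "row_status": 14}
PROTO_TFTP = 1                                       # ConfigCopyProtocol
FILE_NETWORK, FILE_STARTUP, FILE_RUNNING = 1, 3, 4   # ConfigFileType
ROW_CREATE_AND_GO, ROW_DESTROY = 4, 6                # RowStatus
COPY_STATE = {1: "waiting", 2: "running", 3: "successful", 4: "failed"}

VarBind = Tuple[str, str, str]   # (oid, snmpset type letter, value)


def oid(column: str, row: int) -> str:
    return f"{CC_COPY_ENTRY}.{COL[column]}.{row}"


def build_copy_row(row: int, tftp_server: str, filename: str,
                   source: int = FILE_RUNNING) -> List[VarBind]:
    """Varbinds for one copy job: <source> -> tftp://server/filename.
    RowStatus createAndGo goes last so the agent only starts the copy
    once every other column of the row is in place."""
    return [
        (oid("protocol", row), "i", str(PROTO_TFTP)),
        (oid("source_type", row), "i", str(source)),
        (oid("dest_type", row), "i", str(FILE_NETWORK)),
        (oid("server", row), "a", tftp_server),      # IpAddress column
        (oid("filename", row), "s", filename),
        (oid("row_status", row), "i", str(ROW_CREATE_AND_GO)),
    ]


def snmpset_argv(target: str, auth: Sequence[str],
                 varbinds: Sequence[VarBind]) -> List[str]:
    """net-snmp command line. `auth` is e.g. ['-v3', '-u', 'backup', '-l', 'authPriv', ...]
    or, for v2c, ['-v2c', '-c', 'private'] (then the write community IS the config)."""
    argv = ["snmpset", *auth, target]
    for o, t, v in varbinds:
        argv += [o, t, v]
    return argv


def snmpget_state_argv(target: str, auth: Sequence[str], row: int) -> List[str]:
    return ["snmpget", "-Oqv", *auth, target, oid("state", row)]


def parse_state(output: str) -> str:
    """Map the bare integer that snmpget -Oqv prints to ConfigCopyState."""
    value = output.strip()
    return COPY_STATE.get(int(value), f"unknown({value})")


def backup_running_config(target: str, auth: Sequence[str], tftp_server: str,
                          filename: str, timeout: float = 30.0) -> str:
    """Create the row, poll until the copy finishes, then destroy the row.
    A random row index lets two managers run this concurrently."""
    row = random.randint(1000, 65535)
    subprocess.run(snmpset_argv(target, auth,
                                build_copy_row(row, tftp_server, filename)), check=True)
    deadline = time.monotonic() + timeout
    state = "waiting"
    try:
        while state in ("waiting", "running") and time.monotonic() < deadline:
            time.sleep(1)
            out = subprocess.run(snmpget_state_argv(target, auth, row),
                                 capture_output=True, text=True, check=True).stdout
            state = parse_state(out)
    finally:
        # Always free the row; a leftover row blocks that index for later jobs.
        subprocess.run(snmpset_argv(target, auth,
                                    [(oid("row_status", row), "i", str(ROW_DESTROY))]))
    return state


if __name__ == "__main__":
    # Placeholder device and SNMPv3 credentials; replace before use.
    auth = ["-v3", "-u", "backup", "-l", "authPriv",
            "-a", "SHA", "-A", "authpass", "-x", "AES", "-X", "privpass"]
    print(backup_running_config("r1.example.net", auth, "192.0.2.10", "r1-running.cfg"))
```

Two things to keep in mind when you script this: the configuration travels over TFTP in cleartext and contains enable secret hashes, SNMP communities and keys, so the TFTP server belongs on the management network; and the SNMP write access the copy needs is the same access that lets anyone replace the configuration, so use SNMPv3 authPriv (or at least an ACL on the RW community) and treat those credentials like enable.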

Read more »

May 20, 2008 Posted by pashtuk | NMS | 10 Comments

Matching Address Classes with Prefix-Lists

Instead of using ACLs to match address classes (Class A, B or C), ip prefix-lists can do the trick too.
Let's start with the class definitions:

Class A: 0.0.0.0 – 127.255.255.255 (first bit 0)
Class B: 128.0.0.0 – 191.255.255.255 (first bits 10)
Class C: 192.0.0.0 – 223.255.255.255 (first bits 110)

The reserved addresses (0.0.0.0/8 and 127.0.0.0/8 in Class A, for example) are included in the ranges above: they still belong to their class even though they are only used for a special function, and they have to be part of the calculation of the correct ip prefix-list statement, because a prefix-list only looks at the leading bits.
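As an added example (not the blog author's solution), the following models the three classful prefix-list entries a practitioner would configure and checks candidate prefixes against the IOS prefix/ge/le semantics, so you can see what each entry does and does not match before putting it into a route-map or distribute-list. The list names and the sample prefixes are my own choices.

```python
"""Classful matching with prefix-lists, modelled in Python.

Added example, not the blog author's code. The three entries encoded here
are the ones you would type on the router:

    ip prefix-list CLASS_A permit 0.0.0.0/1 ge 8 le 8
    ip prefix-list CLASS_B permit 128.0.0.0/2 ge 16 le 16
    ip prefix-list CLASS_C permit 192.0.0.0/3 ge 24 le 24
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PrefixListEntry:
    name: str
    prefix: ipaddress.IPv4Network   # only its first prefixlen bits are compared
    ge: Optional[int] = None        # lower bound on the candidate's length
    le: Optional[int] = None        # upper bound on the candidate's length

    def length_range(self) -> Tuple[int, int]:
        # IOS semantics: no ge/le -> exact length; ge only -> ge..32;
        # le only -> prefixlen..le; both -> ge..le.
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = 32
        else:
            hi = self.prefix.prefixlen
        return lo, hi

    def matches(self, candidate: ipaddress.IPv4Network) -> bool:
        lo, hi = self.length_range()
        if not lo <= candidate.prefixlen <= hi:
            return False
        # subnet_of() is true exactly when the candidate's first
        # prefix.prefixlen bits equal the entry's prefix.
        return candidate.subnet_of(self.prefix)

    def as_ios(self) -> str:
        parts = [f"ip prefix-list {self.name} permit {self.prefix}"]
        if self.ge is not None:
            parts.append(f"ge {self.ge}")
        if self.le is not None:
            parts.append(f"le {self.le}")
        return " ".join(parts)


# Leading bits 0 / 10 / 110 select the class; ge/le pin the classful mask,
# so a subnetted or summarized prefix inside the range is NOT matched.
CLASSFUL: List[PrefixListEntry] = [
    PrefixListEntry("CLASS_A", ipaddress.IPv4Network("0.0.0.0/1"), ge=8, le=8),
    PrefixListEntry("CLASS_B", ipaddress.IPv4Network("128.0.0.0/2"), ge=16, le=16),
    PrefixListEntry("CLASS_C", ipaddress.IPv4Network("192.0.0.0/3"), ge=24, le=24),
]


def classify(prefix: str) -> Optional[str]:
    """Name of the first classful entry that permits `prefix`, else None
    (the implicit deny at the end of every IOS prefix-list)."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    for entry in CLASSFUL:
        if entry.matches(net):
            return entry.name
    return None


if __name__ == "__main__":
    for entry in CLASSFUL:
        print(entry.as_ios())
    for p in ("10.0.0.0/8", "127.0.0.0/8", "10.1.0.0/16",
              "172.16.0.0/16", "192.168.1.0/24", "224.0.0.0/4"):
        print(f"{p:18} -> {classify(p)}")
```

If you want "anything that falls into the Class A range regardless of mask" instead of "classful Class A networks", drop the `ge 8` and use `le 32`; the model above shows the difference: 10.1.0.0/16 is inside the Class A range but is not a classful Class A network.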

Read more »

May 19, 2008 Posted by pashtuk | Misc | 3 Comments

IE Blog: understanding redistribution

If you want a good read on understanding redistribution, check out the Internetwork Expert blog. Petr Lapukhov wrote an excellent guide on the topic, providing rules of thumb, information about the problems redistribution causes and how to solve them. The document is split into three parts, linked below. Have fun :)

Part I
Part II
Part III

May 18, 2008 Posted by pashtuk | Routing | No Comments Yet

Summarizing discontinuous networks

Matching a set of discontiguous networks with a single wildcard mask is a neat trick, but I doubt you will often find addresses in a real environment that happen to line up this neatly. Anyhow, it is something to keep in mind when preparing for Cisco exams.

So let's say we have the following addresses and have to match them, and no other addresses, with a single standard ACL entry:

116.1.162.33
116.1.162.37
116.1.170.33
116.1.170.37
116.1.178.33
116.1.178.37
116.1.186.33
116.1.186.37
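The following added example (not the post's own worked solution) computes the wildcard mask for that list and, more generally, for any set of addresses: it derives the mask from the bits that vary across the set and then enumerates everything the resulting entry would permit, so you can tell whether the match is exact or whether extra addresses slip in. The ACL number and the second, deliberately non-aligning address set are my own.

```python
"""One standard-ACL entry for a set of discontiguous addresses.

Added example, not the blog author's solution. wildcard_for() is general
and reports when a single (address, wildcard) pair cannot match the set
exactly.
"""
import ipaddress
from typing import Iterable, List, Tuple

# The addresses from the post.
POST_ADDRESSES = [
    "116.1.162.33", "116.1.162.37", "116.1.170.33", "116.1.170.37",
    "116.1.178.33", "116.1.178.37", "116.1.186.33", "116.1.186.37",
]


def _permitted(fixed: int, wild: int) -> List[int]:
    """Every address matching (fixed, wild): 2^popcount(wild) of them, so
    keep this to masks with a manageable number of don't-care bits."""
    positions = [b for b in range(32) if wild >> b & 1]
    out = []
    for combo in range(1 << len(positions)):
        value = fixed
        for j, bit in enumerate(positions):
            if combo >> j & 1:
                value |= 1 << bit
        out.append(value)
    return out


def wildcard_for(addrs: Iterable[str]) -> Tuple[str, str, List[str]]:
    """Return (address, wildcard, extras) for `permit address wildcard`.

    A wildcard bit is 1 wherever any two addresses differ. The address
    part has those don't-care bits cleared, which is the form IOS stores.
    `extras` lists addresses the entry permits that were not in the
    input; an empty list means the match is exact."""
    ints = sorted({int(ipaddress.IPv4Address(a)) for a in addrs})
    base = ints[0]
    wild = 0
    for a in ints:
        wild |= a ^ base          # any differing bit becomes a 1 in the mask
    fixed = base & ~wild & 0xFFFFFFFF
    wanted = set(ints)
    extras = sorted(m for m in _permitted(fixed, wild) if m not in wanted)
    return (str(ipaddress.IPv4Address(fixed)),
            str(ipaddress.IPv4Address(wild)),
            [str(ipaddress.IPv4Address(x)) for x in extras])


def acl_line(addrs: Iterable[str], number: int = 1) -> str:
    address, wildcard, _ = wildcard_for(addrs)
    return f"access-list {number} permit {address} {wildcard}"


if __name__ == "__main__":
    address, wildcard, extras = wildcard_for(POST_ADDRESSES)
    print(acl_line(POST_ADDRESSES))
    print("exact match" if not extras else f"also permits: {extras}")
    # A set that does not line up: three hosts need two wildcard bits,
    # and the fourth combination (10.0.0.0) is permitted as well.
    print(wildcard_for(["10.0.0.1", "10.0.0.2", "10.0.0.3"]))
```

For the eight addresses above the third octets 162, 170, 178 and 186 differ from each other only in bits 3 and 4 (wildcard 24) and the last octets 33 and 37 only in bit 2 (wildcard 4), so the single line `access-list 1 permit 116.1.162.33 0.0.24.4` permits exactly those eight hosts. Whenever `extras` comes back non-empty you need more than one entry, which in a security ACL is the difference between matching what you meant and quietly permitting hosts you did not.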

Read more »

May 15, 2008 Posted by pashtuk | Misc | No Comments Yet

Context-Based Access Control (CBAC)

How CBAC works

Context-Based Access Control (CBAC) opens temporary holes in the ACLs on a firewall interface. A hole is created when traffic of an inspected protocol from the internal network passes through the router; it allows the return traffic of that session back into the network, which the existing ACLs on the router would otherwise block. Packets are only accepted through a hole if they belong to the same session that opened it, and the hole closes again when the session ends or idles out. Which ACLs and which ip inspect command have to be configured depends on the interface on which CBAC is applied. Basically there are two types of interfaces, external and internal: external interfaces point to the unsecured external network (such as the Internet), while internal interfaces connect to the protected internal network.
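To make the mechanism concrete, here is an added example that models it in Python; it is neither Cisco's implementation nor the configuration from this post. It assumes a single external interface with an inbound ACL that denies everything and inspection applied to outbound traffic, so only sessions started from the inside get their replies back in, and only until the session idles out. Hosts, ports and the idle timeout are constructed values.

```python
"""How CBAC opens and closes return-traffic holes, as a small model.

Added example; not Cisco's implementation and not the post's config.
Modelled: one external interface, inbound ACL "deny ip any any",
ip inspect applied outbound for tcp and udp, an idle timeout.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


# (proto, inside host, inside port, outside host, outside port)
SessionKey = Tuple[str, str, int, str, int]


class CbacExternalInterface:
    def __init__(self, inspect: Tuple[str, ...] = ("tcp", "udp"),
                 idle_timeout: int = 3600,
                 inbound_acl: Callable[[Packet], bool] = lambda p: False):
        self.inspect = set(inspect)        # protocols named in the ip inspect rule
        self.idle_timeout = idle_timeout   # like ip inspect tcp/udp idle-time
        self.inbound_acl = inbound_acl     # the static ACL; deny-all by default
        self.sessions: Dict[SessionKey, float] = {}   # key -> last activity

    def outbound(self, pkt: Packet, now: float) -> bool:
        """Traffic leaving towards the outside: inspected protocols create
        (or refresh) a session entry; this direction is not filtered here."""
        if pkt.proto in self.inspect:
            self.sessions[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
        return True

    def inbound(self, pkt: Packet, now: float) -> bool:
        """Traffic arriving from the outside: permitted if it is the reply
        half of a live session, otherwise it falls through to the ACL."""
        self._expire(now)
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reversed 5-tuple
        if key in self.sessions:
            self.sessions[key] = now
            return True
        return self.inbound_acl(pkt)

    def _expire(self, now: float) -> None:
        dead = [k for k, last in self.sessions.items() if now - last > self.idle_timeout]
        for k in dead:
            del self.sessions[k]   # the temporary hole closes


def demo() -> List[bool]:
    """Constructed scenario: one inside host browses an outside web server."""
    fw = CbacExternalInterface(idle_timeout=60)
    inside, outside = "10.0.0.5", "203.0.113.10"
    fw.outbound(Packet("tcp", inside, 40000, outside, 80), now=0)
    return [
        fw.inbound(Packet("tcp", outside, 80, inside, 40000), now=1),    # reply: permitted
        fw.inbound(Packet("tcp", outside, 80, inside, 40001), now=1),    # unsolicited: ACL denies
        fw.inbound(Packet("tcp", outside, 22, inside, 40000), now=1),    # wrong port pair: denied
        fw.inbound(Packet("tcp", outside, 80, inside, 40000), now=200),  # idled out: denied
    ]


if __name__ == "__main__":
    print(demo())
```

The model only shows the session-table idea. Real CBAC is stricter (it tracks TCP state and sequence numbers, and has protocol-aware inspection for things like the FTP data channel) and the timeouts are tunable with `ip inspect tcp idle-time` and `ip inspect udp idle-time`; the security point to take from the model is that an inspected outbound connection is what authorizes inbound packets, so anything an inside host is tricked into initiating also opens the door for its replies.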

Read more »

May 12, 2008 Posted by pashtuk | Security | 3 Comments

Lab Challenge IGP (EIGRP, OSPF and RIP)

This is the first lab challenge I wrote for the networking-forum. It covers the IGPs EIGRP, OSPF and RIP and has a few tricky bits in it. There are several ways to solve most of the tasks and problems that arise during the lab. The final goal is full reachability throughout the whole lab. If you try it and have questions, just drop me a line.

Update 04.27.2009: Changed the wording of the OSPF tasks.

Read more »

May 11, 2008 Posted by pashtuk | Lab Challenges | 8 Comments

IPv6 Link-Local Address

Link-local addresses are only valid on the link they are used on; they are neither used on nor reachable from another link, and routers never forward them.
The automatically generated link-local address of an interface is built from the fixed FE80::/10 prefix and an interface identifier derived from the BIA (Burned-In Address, the MAC address). The derived part is known as a modified EUI-64 identifier.
Every link-local address in IPv6 comes from FE80::/10, so if you ever see an address starting with FE80 you know it is a link-local address :)

With sh int you can see the BIA:

R1#sh int fa 0/0
FastEthernet0/0 is up, line protocol is up
Hardware is AmdFE, address is cc00.0bfc.0000 (bia cc00.0bfc.0000)
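As an added example (not code from this post), the following applies the modified EUI-64 construction to the BIA from the sh int output above, and also reverses it, because the reverse direction is what an attacker or an analyst does with an EUI-64 address seen in neighbor discovery: the link-local address hands out the interface's MAC, and therefore its vendor OUI. The helper names are my own.

```python
"""Modified EUI-64 link-local address from a burned-in MAC, and back.

Added example, not the post's code. The sample MAC is the BIA shown in
the sh int output of the post.
"""
import ipaddress

LINK_LOCAL_PREFIX = 0xFE80 << 112     # fe80::/64, the prefix IOS actually uses
BIA_FROM_POST = "cc00.0bfc.0000"


def parse_mac(mac: str) -> bytes:
    """Accept cc00.0bfc.0000, cc:00:0b:fc:00:00 or cc-00-0b-fc-00-00."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "").lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes.fromhex(digits)


def modified_eui64(mac: bytes) -> bytes:
    """Split the MAC in the middle, insert FF:FE, flip the U/L bit (0x02 of
    the first octet). 'Modified' refers to that flip: a 1 then means the
    identifier is globally unique, which is what a burned-in MAC is."""
    iid = bytearray(mac[:3] + b"\xff\xfe" + mac[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def link_local_from_bia(bia: str) -> str:
    iid = int.from_bytes(modified_eui64(parse_mac(bia)), "big")
    return str(ipaddress.IPv6Address(LINK_LOCAL_PREFIX | iid))


def mac_from_eui64_address(addr: str) -> str:
    """Reverse the construction: recover the MAC an EUI-64 address leaks.
    Returns '' if the middle bytes are not FF:FE, i.e. the address was not
    built from a MAC (manually assigned or a privacy address)."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return ""
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    ll = link_local_from_bia(BIA_FROM_POST)
    print(BIA_FROM_POST, "->", ll)            # fe80::ce00:bff:fefc:0
    print(ll, "->", mac_from_eui64_address(ll))
```

Note that cc00.0bfc.0000 becomes ce00:0bff:fefc:0000 in the address: the ff:fe is inserted in the middle and cc turns into ce because of the U/L bit. The same derivation is used for SLAAC global addresses, which is why privacy extensions (RFC 4941) exist; a link-local address at least stays on the link.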

Read more »

May 11, 2008 Posted by pashtuk | IPv6 | 8 Comments