<

CCIE notes – Security part 2

Layer 3 Security

 

Recommendation
1. Enable secure Telnet access to a router and use SSH
2. Enable SNMP security, adding SNMPv3 support
3. Turn off unnecessary services on the router platform
4. Turn on logging to provide on audit trail
5. Enable protocol authentication
6. Enable CEF

 

General Layer3 Security Considerations

1. Smurf Attacks

- a large number of ICMP Echo Requires with same typical IP address in the packet
- the destination address is a subnet broadcast address, also known as a direct broadcast address

Solutions

CCIE notes – Security part 1

Router & Switch Device Security

- to encrypt passwords with the following command #service password-encryption
- “#no service password-encryption” – does not automatically decrypt the password. It waits until a new password is added.
- #enable secret – encrypts the password as md5
- #enable password – type 7 password
- #username password <pass> – encrypts the password as MD5

 

AAA – Authentication, Authorization and Accounting

Radius vs Tacacs

RADIUS TACACS
Scope of Encryption: Packet Payload or just Password  Password Only  Entire Payload
 Layer 4 Protocol  UDP  TCP
 Well Known ports  1812/1645  49/49
 Standard or Cisco Propriety  Standard  Cisco

CCIE notes – MPLS

Below are some notes from my CCIE written. Hope you enjoy them

 

MPLS IP Forwarding: Data Plane

- MPLS routers inject (push) or remove (pop) or forwards packets based on labels
- MPLS relies on the CEF while expanding the logic and data structures as well

 

LSR (Label Switch Router)

- any router that has awareness of MPLS Labels
FIB – used for incoming unlabled packets
LFIB – used for incoming labeled packets

MPLS header and Label
- header of 4 bytes, located before the IP header

MPLS header

Fortigate CFG_CMDBAPI_ERR Error

Hello,

 

It seems there is a new error that i found on a few Fortigate firewalls: CFG_CMDBAPI_ERR

 

To fix the issue you can do 2 things:

1. Upgrade the Fortigate to the latest version

2. Reboot the IPS of the Fortigate (this is was it causing the issue). Below is the command(through CLI):

diagnose test application ipsmonitor 99

 

Hope it helps!

Fortigate FortiOS 5 preview

Hello,

I have found the following video on Youtube that presents the FortiOS 5 in 5 minutes.

The new features look really good.

Check it out:

What do you think?!