CCIE notes – Security part 2

Layer 3 Security

Recommendations

1. Secure remote management access to the router: use SSH (version 2) instead of Telnet
2. Enable SNMP security, adding SNMPv3 support (authentication and privacy) instead of relying on community strings
3. Turn off unnecessary services on the router platform
4. Turn on logging to provide an audit trail
5. Enable routing protocol authentication
6. Enable CEF

General Layer 3 Security Considerations

1. Smurf Attacks

- the attacker sends a large number of ICMP Echo Requests with a spoofed source IP address (the victim's address)
- the destination address is a subnet broadcast address, also known as a directed broadcast address, so every host on that subnet answers the victim

Solutions
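The two properties the notes describe (Echo Request, destination equal to a directed broadcast address) are enough to spot the pattern in traffic summaries and to estimate the amplification the spoofed source will receive. The following is an added example, not part of the original notes; the local subnets and the packet records are constructed.

```python
"""Flag Smurf-style traffic from packet summaries: ICMP Echo Requests whose
destination is the directed broadcast address of a local subnet.
Added example, not part of the notes; the subnets and packets are constructed."""
from collections import Counter
from ipaddress import ip_address, ip_network

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0

# Assumed topology: subnets this router could be used to amplify onto.
LOCAL_SUBNETS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/27")]

# Constructed packet summaries: (source, destination, ICMP type).
# 203.0.113.9 is the spoofed source, i.e. the victim that will receive every
# reply; the attacker's real address never appears on the wire.
PACKETS = [
    ("203.0.113.9", "192.0.2.255", ICMP_ECHO_REQUEST),
    ("203.0.113.9", "192.0.2.255", ICMP_ECHO_REQUEST),
    ("203.0.113.9", "198.51.100.31", ICMP_ECHO_REQUEST),
    ("192.0.2.10", "192.0.2.20", ICMP_ECHO_REQUEST),   # ordinary unicast ping
    ("192.0.2.20", "192.0.2.10", ICMP_ECHO_REPLY),     # and its reply
    ("192.0.2.10", "192.0.2.255", ICMP_ECHO_REPLY),    # a reply to broadcast triggers nothing
]


def amplifier_size(dst: str, subnets=LOCAL_SUBNETS) -> int:
    """Hosts that may answer a packet sent to dst: the subnet's host count if dst
    is its directed (all-ones) broadcast address, otherwise 0."""
    addr = ip_address(dst)
    for net in subnets:
        if addr == net.broadcast_address:
            return max(net.num_addresses - 2, 0)
    return 0


def find_smurf_victims(packets, subnets=LOCAL_SUBNETS):
    """Map each spoofed source to (echo requests sent to a directed broadcast,
    maximum replies those requests can draw). The reply count is the
    amplification the victim sees."""
    requests, replies = Counter(), Counter()
    for src, dst, icmp_type in packets:
        if icmp_type != ICMP_ECHO_REQUEST:
            continue
        n = amplifier_size(dst, subnets)
        if n:
            requests[src] += 1
            replies[src] += n
    return {src: (requests[src], replies[src]) for src in requests}


if __name__ == "__main__":
    for victim, (reqs, max_replies) in find_smurf_victims(PACKETS).items():
        print(f"{victim}: {reqs} echo request(s) to directed broadcast, up to {max_replies} replies")
```

Three spoofed requests against a /24 and a /27 can draw up to 538 replies at the victim; the unicast ping and the echo replies are ignored because they match neither property.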

CCIE notes – Security part 1

Router & Switch Device Security

- to encrypt the passwords stored in the configuration, use the following command: #service password-encryption
- "#no service password-encryption" does not automatically decrypt passwords that are already stored; they stay encrypted until a new password is entered
- #enable secret - stores the password as an MD5 hash (type 5)
- #enable password - stores a reversible type 7 password (cleartext unless service password-encryption is on)
- #username <name> secret <pass> - stores the password as an MD5 hash; #username <name> password <pass> only gets the reversible type 7 encoding
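The difference between "secret" (MD5) and "password" (type 7) matters because type 7 is an obfuscation, not a hash: the password is XORed with a fixed, publicly known key, so anyone with a copy of the config can recover it. The following is an added example, not code from the notes, that encodes and decodes type 7 strings and scans a constructed running-config for them; the enable secret line in the sample config is a placeholder, not a real hash.

```python
"""Cisco type 7 passwords (what 'service password-encryption' and 'enable password'
produce) are reversible: the password is XORed with a fixed, public key. Added
example, not from the notes: encode, decode and scan a config for type 7 strings.
The sample config is constructed; its enable secret hash is a placeholder."""
import re

# The fixed key IOS uses for type 7; it has been public since the 1990s.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_encode(plaintext: str, seed: int = 9) -> str:
    """Return the string IOS writes after 'password 7'. The two leading decimal
    digits are the key offset (IOS uses 0-15), then one hex byte per character."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be between 0 and 15")
    out = [f"{seed:02d}"]
    for i, ch in enumerate(plaintext.encode()):
        out.append(f"{ch ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]:02X}")
    return "".join(out)


def type7_decode(encoded: str) -> str:
    """Recover the plaintext; raises ValueError on a malformed string."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 string needs a 2-digit seed and whole hex bytes")
    if not encoded[:2].isdigit():
        raise ValueError("type 7 seed must be two decimal digits")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode()


# Lines that carry a type 7 password in a running-config.
TYPE7_LINE = re.compile(
    r"^\s*(?:enable password|username \S+ password|password) 7 (?P<enc>[0-9A-Fa-f]+)\s*$")


def reveal_type7(config: str) -> list[tuple[str, str]]:
    """(config line, decoded password) for every type 7 password in a config.
    Type 5 'secret' lines are MD5 hashes and are left alone."""
    found = []
    for line in config.splitlines():
        m = TYPE7_LINE.match(line)
        if m:
            found.append((line.strip(), type7_decode(m.group("enc"))))
    return found


# Constructed running-config; the three type 7 strings all encode "cisco".
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$PLACEHOLDER$not.a.real.hash
enable password 7 094F471A1A0A
username admin password 7 0822455D0A16
line vty 0 4
 password 7 070C285F4D06
"""

if __name__ == "__main__":
    for line, pw in reveal_type7(SAMPLE_CONFIG):
        print(f"{line!r} -> {pw!r}")
```

The same plaintext produces different strings under different seeds (094F471A1A0A, 0822455D0A16 and 070C285F4D06 all decode to "cisco"), which is why type 7 looks encrypted in a config listing but gives an attacker the password in microseconds. Prefer the "secret" forms, and treat any config containing "password 7" lines as containing cleartext credentials.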

AAA - Authentication, Authorization and Accounting

RADIUS vs TACACS+

                                   RADIUS                   TACACS+
Scope of encryption                password only            entire packet body
Layer 4 protocol                   UDP                      TCP
Well-known ports                   1812/1645 (auth)         49 (all functions)
                                   1813/1646 (accounting)
Standard or Cisco proprietary      standard                 Cisco proprietary

CCIE notes – MPLS

Below are some notes from my CCIE written exam. Hope you enjoy them.

MPLS IP Forwarding: Data Plane

- MPLS routers inject (push), remove (pop) or swap labels, and forward packets based on the label rather than the IP destination
- MPLS relies on CEF, extending its logic and data structures

LSR (Label Switch Router) - any router that is aware of MPLS labels
FIB - used for incoming unlabeled packets
LFIB - used for incoming labeled packets
MPLS header and label - a 4-byte header per label, located between the Layer 2 header and the IP header

MPLS header
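What the 4-byte header carries is fixed by RFC 3032: a 20-bit label, 3 bits of traffic class (originally EXP), a bottom-of-stack bit and an 8-bit TTL, with several entries stacked until the S bit is set. The following is an added example, not from the notes, that parses and builds a label stack and shows the point a security engineer should keep in mind: MPLS has no protocol-type field, so whatever follows the bottom label has to be inferred. The frame bytes are constructed.

```python
"""Parse and build an MPLS label stack. Each 4-byte entry (RFC 3032) carries a
20-bit label, 3 bits of traffic class (originally EXP), the bottom-of-stack bit
and an 8-bit TTL; the stack sits between the Layer 2 header and the IP header.
Added example, not from the notes; the frame bytes are constructed."""
import struct
from dataclasses import dataclass

# Reserved label values (RFC 3032 section 2.1); 3 is signalled but never sent.
RESERVED_LABELS = {0: "IPv4 explicit null", 1: "router alert",
                   2: "IPv6 explicit null", 3: "implicit null"}


@dataclass(frozen=True)
class LabelEntry:
    label: int
    tc: int
    bottom: bool
    ttl: int


def parse_label_stack(data: bytes) -> tuple[list[LabelEntry], bytes]:
    """Read entries until one has the bottom-of-stack bit set; return (stack, payload).
    Raises ValueError if the data runs out before a bottom entry is seen."""
    stack, offset = [], 0
    while True:
        if len(data) - offset < 4:
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", data, offset)
        entry = LabelEntry(label=word >> 12, tc=(word >> 9) & 0x7,
                           bottom=bool((word >> 8) & 1), ttl=word & 0xFF)
        stack.append(entry)
        offset += 4
        if entry.bottom:
            return stack, data[offset:]


def build_label_stack(entries: list[tuple[int, int, int]]) -> bytes:
    """Encode (label, tc, ttl) tuples, top of stack first; the last gets the S bit."""
    if not entries:
        raise ValueError("a label stack needs at least one entry")
    out = b""
    for i, (label, tc, ttl) in enumerate(entries):
        if not (0 <= label < 1 << 20 and 0 <= tc < 8 and 0 <= ttl < 256):
            raise ValueError(f"field out of range in entry {i}")
        bottom = 1 if i == len(entries) - 1 else 0
        out += struct.pack("!I", (label << 12) | (tc << 9) | (bottom << 8) | ttl)
    return out


def guess_payload(payload: bytes) -> str:
    """MPLS has no protocol-type field: after the bottom label the receiver must
    infer the payload, conventionally from the IP version nibble."""
    if not payload:
        return "empty"
    version = payload[0] >> 4
    return {4: "IPv4", 6: "IPv6"}.get(version, "unknown")


if __name__ == "__main__":
    # Constructed frame: two labels (outer 16, inner 1000) over the start of an IPv4 header.
    frame = build_label_stack([(16, 0, 64), (1000, 5, 255)]) + bytes.fromhex("45000054")
    stack, payload = parse_label_stack(frame)
    for e in stack:
        note = RESERVED_LABELS.get(e.label, "")
        print(f"label={e.label:<7} tc={e.tc} S={int(e.bottom)} ttl={e.ttl} {note}")
    print("payload:", guess_payload(payload))
```

The parser stops at the first entry with S set and hands back the remaining bytes; a stack that ends without an S bit is rejected rather than silently treated as payload, which is the failure mode a decoder on an untrusted link should handle.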

Fortigate CFG_CMDBAPI_ERR Error

Hello,

It seems there is a new error that I found on a few Fortigate firewalls: CFG_CMDBAPI_ERR

To fix the issue you can do two things:
1. Upgrade the Fortigate to the latest version
2. Reboot the IPS of the Fortigate (this is what was causing the issue). Below is the command (through the CLI):

diagnose test application ipsmonitor 99

Hope it helps!

Fortigate FortiOS 5 preview

Hello, I have found the following video on YouTube that presents FortiOS 5 in 5 minutes. The new features look really good. Check it out: What do you think?!