service networking restart
!
netstat -rn
Package managers - Yum, apt-get
Which package manager to use in different Linux based OS:
RedHat/AWS Linux uses yum
Ubuntu uses apt-get
Debian uses dpkg
Cisco ASA Failover
Provides uninterrupted network access through redundant appliances.
- Uses IP protocol number 105 (SCPS, Space Communications Protocol Standards)
- Uses IP protocol numbers 8 and 9 for stateful updates
Types of Failover
1. Hardware or Regular Failover
Clients have to reconnect through the redundant device.
2. Stateful Failover
The active unit continually passes per-connection state information to the standby unit.
After a failover, the same connection information is available on the new active unit, so end-user
applications are not required to reconnect to keep the same communication session.
State information passed to the standby unit includes:
- NAT table
- TCP connection state
- UDP connection state
- ICMP connection state
- ARP table
- Layer 2 bridge table (if transparent firewall mode)
- HTTP connection states
- ISAKMP and IPsec SA table
- SIP signalling sessions
- Dynamic routing protocols
- Cisco IP SoftPhone sessions
- VPN
State information NOT passed to the standby unit includes:
- The user authentication (uauth) table
- The HTTP connection table (unless HTTP replication is enabled)
- DHCP server address leases
- State information for modules such as the ASA IPS SSP or ASA CX SSP
SSL VPN features not included in state information:
- Smart tunnels, port forwarding, plugins, Citrix authentication, AnyConnect sessions, Java applets.
Failover implementation types:
1. Active/Standby: One unit is primary and the other secondary; if the primary goes down, the secondary takes its place.
Only one unit passes traffic; the other unit waits.
Available in both single and multiple context mode.
2. Active/Active: Needs two appliances and two security contexts. Each appliance is active for one context, so both units pass network traffic.
- Units must be in multiple context mode.
- Supports both stateful and stateless failover.
Hardware requirements:
Must be the same model
Must have the same type and number of interfaces
Must have the same amount of RAM
Same hardware
Same modules
The exception is flash memory.
Software requirements:
Software versions should be the same for better performance.
Must be in the same operating mode
License requirements:
5505: Security Plus
5510, 5512-X: Security Plus
All other models: Base license
*The 5505 does NOT support Active/Active failover or stateful failover.
Failover default settings:
- No HTTP replication in stateful failover
- A single interface failure causes failover
- Interface hold time is 25 sec
- Unit poll time is 1 sec
- Unit hold time is 15 sec
- Virtual MAC addresses are enabled in multiple context mode and disabled in single context mode
- Monitoring on all interfaces, or for the 5505 and ASASM on all VLAN interfaces
Failover Link
The two units in a failover pair constantly communicate over the failover link (and the stateful failover link) to determine
the operating status of each unit. This includes:
Unit state (active or standby)
Hello messages (keep-alives)
Network link status
MAC address exchange
Configuration replication
*You can use any unused Ethernet interface on the device as the failover link.
*Use a crossover Ethernet cable to connect the appliances directly.
Stateful Link
To use stateful failover, you must configure a stateful failover link to pass all state information.
You have three options for configuring a stateful failover link:
- You can use a dedicated Ethernet interface for the stateful failover link
- If you are using LAN-based failover, you can share the failover link
- You can share a regular data interface; however, this option is not recommended
Device Initialization:
If both units boot simultaneously, the primary unit becomes active and the secondary unit becomes standby.
If a unit boots and does not detect a peer, it becomes the active unit.
If a unit boots and detects a peer already running as active, it becomes the standby unit.
The primary unit's MAC addresses are always coupled with the active IP addresses. The exception to this rule occurs when the secondary unit is active. To avoid this problem, define static MAC addresses.
Failover Health Monitoring:
Unit health monitoring: the appliance determines the health of the other unit by monitoring the failover link (keep-alives).
When a unit does not receive three consecutive hello messages on the failover link, it sends interface hello messages on each interface, including the failover interface, to validate whether or not the peer interface is responsive. The action that the security appliance takes depends on the response from the other unit.
Possible actions:
- If the security appliance receives a response on the failover interface, it does not fail over.
- If the security appliance does not receive a response on the failover link but receives a response on another interface, the unit does not fail over. The failover link is marked as failed. You should restore the failover link ASAP because the unit cannot fail over to the standby while the failover link is down.
- If the security appliance does not receive a response on any interface, the standby unit switches to active mode and classifies the other unit as failed.
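The boot election (Device Initialization) and the unit health-monitoring decisions above, as a small Python state machine. This is an added example, not Cisco code; the poll time matches the page's default, and the interface names and timestamps used with it are constructed.

```python
from dataclasses import dataclass

UNIT_POLL_TIME = 1.0            # ASA default: one hello per second on the failover link
MISSED_HELLOS_BEFORE_PROBE = 3  # missed hellos before interface hellos are sent


@dataclass
class FailoverUnit:
    role: str                   # "primary" or "secondary"
    state: str = "booting"      # becomes "active" or "standby"
    last_hello: float = 0.0     # time of the last hello seen on the failover link
    failover_link_failed: bool = False

    def boot(self, peer_state):
        """Device initialization. peer_state is None (no peer detected),
        'active' (peer already active) or 'booting' (both units boot together)."""
        if peer_state is None:
            self.state = "active"
        elif peer_state == "active":
            self.state = "standby"
        else:  # simultaneous boot: primary becomes active, secondary standby
            self.state = "active" if self.role == "primary" else "standby"
        return self.state

    def hello(self, now):
        """Record a keep-alive received on the failover link at time `now`."""
        self.last_hello = now

    def must_probe(self, now):
        """True once three consecutive poll intervals passed without a hello."""
        return now - self.last_hello >= MISSED_HELLOS_BEFORE_PROBE * UNIT_POLL_TIME

    def evaluate(self, now, probe_replies):
        """Decide the action after interface hellos. probe_replies maps an
        interface name to whether the peer answered; "failover" is the
        failover link itself. Returns one of the four outcomes below."""
        if not self.must_probe(now):
            return "healthy"
        if probe_replies.get("failover"):
            return "no-failover"                      # peer answered on the failover link
        if any(ok for iface, ok in probe_replies.items() if iface != "failover"):
            self.failover_link_failed = True          # restore the link: no failover possible
            return "failover-link-failed"
        if self.state == "standby":
            self.state = "active"                     # peer declared failed, standby takes over
        return "peer-failed"
```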
Interface Monitoring:
- Link up/down test
- Network activity test
- ARP test
- Ping test (broadcast ping)
IPsec
Features
Confidentiality – data is kept secret using encryption algorithms such as DES, 3DES and AES.
Integrity – data is not altered during transmission; a hash (MD5, SHA) is calculated on the encrypted data.
Data origin authentication – both devices authenticate each other before data exchange using a pre-shared key or PKI.
Anti-replay – if an attacker learns the encryption key and can decrypt the packets, read them and send them to the original peer (replaying), it makes sense to change the key every 30 minutes or so. This makes the key known to the attacker useless (invalid) and the traffic stays safe.
IPsec Protocols
IKE – Internet Key Exchange – negotiates all the attributes such as keys, encryption, hashing and lifetime between the peers.
IKE Modes
Main mode – IKE Phase 1
Uses 6 messages:
Message 1 – Initiator sends its own proposal to the responder
Message 2 – Responder sends its own proposal to the initiator
Message 3 – Initiator sends its own key to the responder using the DH protocol
Message 4 – Responder sends its own key to the initiator using the DH protocol
Message 5 – Initiator authenticates the session
Message 6 – Responder authenticates the session
Aggressive mode – IKE Phase 1
Uses 3 messages:
Message 1 – Initiator sends its own proposal and key to the responder
Message 2 – Responder authenticates the initiator's proposal and sends its own proposal and key to the initiator
Message 3 – Initiator authenticates the session
Note – Only one of main or aggressive mode is used at a time.
Quick mode – IKE Phase 2
In quick mode the peers recheck the attributes using the SPI (Security Parameter Index).
The SPI is sent with every packet by the peers.
IKE – Phase 1
In phase 1 the peers create a single bi-directional IKE tunnel. A single key is used to authenticate the session.
If main mode is used, aggressive mode is not used, and vice versa.
Which mode is used depends on the IPsec VPN type:
Site-to-Site – Main mode
Remote Access with pre-shared key – Aggressive mode
DMVPN – Main mode
GETVPN – Main mode
IKE – Phase 1.5
It is an optional IKE phase.
Phase 1.5 provides an additional layer of authentication, called Xauth or Extended Authentication.
Xauth forces the user to authenticate before use of the IPsec connection is granted.
IKE – Phase 2
When phase 1 is successfully completed, phase 2 starts.
If phase 1 is not successfully completed, phase 2 will not start.
In phase 2 the peers create multiple IPsec tunnels: two tunnels per protocol (ESP or AH).
ISAKMP – Internet Security Association and Key Management Protocol
IKE is a management protocol; IKE uses ISAKMP for the proposal exchange.
Uses UDP port 500.
Used in Phase 1.
IPsec Modes
Transport Mode
Encrypts the data portion (payload) of each packet and leaves the IP header untouched. Used in DMVPN.
Tunnel Mode
Tunnel mode is more secure than transport mode because it encrypts both the payload and the IP header of a packet.
Tunnel mode is used in Site-to-Site, Remote Access and GETVPN.
Security Association
A group of security parameters (AES, MD5 etc.) and policies agreed between two IPsec peers.
SA Components:
SAD – Security Association Database
Contains:
Peer IP
SPI
IPsec protocol information (ESP/AH)
SPD – Security Policy Database
Contains:
Encryption algorithm (DES, 3DES or AES)
Hash algorithm (MD5 or SHA-1)
IPsec mode (tunnel or transport)
Key lifetime (seconds or kilobytes)
Note: the SPI is the hashed value of the security policy database entry.
DH Group
Diffie-Hellman allows two parties to share a secret key over an insecure channel.
It uses public and private keys to protect the keys.
The initiator sends its public key in the proposal and the responder encrypts its pre-shared key using the initiator's public key and sends it back to the initiator. The initiator then decrypts it using its private key and checks whether the pre-shared key matches its own pre-shared key.
The same process is done the other way around.
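The six main-mode messages (IKE Phase 1) and the DH exchange described in this section, as an added Python simulation that is not the page author's or Cisco's code. It runs a real Diffie-Hellman computation over DH group 2 (the 1024-bit MODP prime of RFC 2409) and models the pre-shared-key proof of messages 5 and 6 on RFC 2409's SKEYID derivation in simplified form (cookies and identity payloads are omitted); the PSK and proposal strings are constructed values.

```python
import hashlib
import hmac
import secrets

# DH group 2: the 1024-bit MODP prime from RFC 2409, generator 2
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


class Peer:
    """One IKE peer; psk and proposal are constructed example values."""

    def __init__(self, psk, proposal):
        self.psk, self.proposal = psk, proposal
        self.priv = secrets.randbelow(P - 2) + 1   # private DH exponent, never sent
        self.pub = pow(G, self.priv, P)            # public value carried in message 3/4
        self.nonce = secrets.token_bytes(16)       # Ni / Nr, also sent in message 3/4

    def shared_secret(self, peer_pub):
        return pow(peer_pub, self.priv, P)         # g^xy, identical on both sides

    def auth_hash(self, ni, nr, pub_i, pub_r, proposal):
        # Simplified RFC 2409 PSK authentication: SKEYID = prf(PSK, Ni | Nr) and
        # HASH = prf(SKEYID, g^xi | g^xr | SA); a peer with the wrong PSK cannot produce it.
        skeyid = hmac.new(self.psk, ni + nr, hashlib.sha256).digest()
        data = pub_i.to_bytes(128, "big") + pub_r.to_bytes(128, "big") + proposal.encode()
        return hmac.new(skeyid, data, hashlib.sha256).digest()


def main_mode(init, resp):
    """Run the six main-mode messages; report what each stage achieved."""
    # Messages 1 and 2: proposals; the responder accepts only a matching policy
    if init.proposal != resp.proposal:
        return {"proposal": False, "dh": False, "auth": False}
    # Messages 3 and 4: DH public values (and nonces) in each direction
    k_init = init.shared_secret(resp.pub)
    k_resp = resp.shared_secret(init.pub)
    # Messages 5 and 6: each side proves PSK knowledge; the peer checks with its own PSK
    ni, nr = init.nonce, resp.nonce
    h_i = init.auth_hash(ni, nr, init.pub, resp.pub, init.proposal)
    h_r = resp.auth_hash(ni, nr, init.pub, resp.pub, resp.proposal)
    return {"proposal": True, "dh": k_init == k_resp, "auth": hmac.compare_digest(h_i, h_r)}
```

With mismatched pre-shared keys the DH stage still produces a common secret, but the authentication stage fails, which is the behaviour a mismatched PSK shows on real peers.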
It is worth noting that on Cisco routers, if an OSPF process is run in a VRF, then it automatically and unconditionally considers...