Friday 22 February 2019

Installation

1) ndnSIM - Importing new ndnSIM with visualizer in Eclipse
----->mercurialeclipse / main / wiki / Installation and Configuration — Bitbucket
----->Install Oracle Java 8 In Ubuntu Or Linux Mint Via PPA Repository [JDK8] ~ Web Upd8: Ubuntu / Linux blog

2) Installing R

3) Openflow with ns-3

4) Installing tor browser in ubuntu 14.04

5) Ns-2 installation

Steps for installing ns-2.35 on Ubuntu 13.04 and earlier versions.

Open Terminal

[Step 1]
Install some essential libraries and software:
sudo apt-get install tcl8.5-dev tk8.5-dev

sudo apt-get install gcc-4.4 g++-4.4

sudo apt-get install build-essential autoconf automake

sudo apt-get install perl xgraph libxt-dev libx11-dev libxmu-dev

[Step 2]
Download ns-2.35

Download ns-2.35 from
http://sourceforge.net/projects/nsnam/files/latest/download

Unpack ns2 to your Desktop directory  
tar -zxvf ns-allinone-2.35.tar.gz -C /home/khawajaali/Desktop

(or simply unzip the package on your desktop)

[Step 3]
Modify the OTcl makefile

Open /home/khawajaali/Desktop/ns-allinone-2.35/otcl-1.14/Makefile.in

Change CC = @CC@ to CC=gcc-4.4

Save the file

[Step 3.1]
installation errors

If you get installation errors, modify the files in the ns-allinone-2.35 folder as described below:
1. Go to ns-allinone-2.35/ns-2.35/linkstate/
2. Edit ls.h. On line 137, in place of
   void eraseAll() { erase(baseMap::begin(), baseMap::end()); }
   make it
   void eraseAll() { this->erase(baseMap::begin(), baseMap::end()); }



[Step 4] Install ns2

cd /home/khawajaali/Desktop/ns-allinone-2.35

./install

(this will take a while)

[Step 5] Modify ~/.bashrc

Once the installation is successful (without any errors), we need to add the path information to the file ~/.bashrc

gedit ~/.bashrc

Now add these lines at the end of the file

    #LD_LIBRARY_PATH
    OTCL_LIB=/home/khawajaali/Desktop/ns-allinone-2.35/otcl-1.14
    NS2_LIB=/home/khawajaali/Desktop/ns-allinone-2.35/lib
    X11_LIB=/usr/X11R6/lib
    USR_LOCAL_LIB=/usr/local/lib
    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$OTCL_LIB:$NS2_LIB:$X11_LIB:$USR_LOCAL_LIB
    # TCL_LIBRARY
    TCL_LIB=/home/khawajaali/Desktop/ns-allinone-2.35/tcl8.5.10/library
    USR_LIB=/usr/lib
    export TCL_LIBRARY=$TCL_LIB:$USR_LIB
    # PATH
    XGRAPH=/home/khawajaali/Desktop/ns-allinone-2.35/bin:/home/khawajaali/Desktop/ns-allinone-2.35/tcl8.5.10/unix:/home/khawajaali/Desktop/ns-allinone-2.35/tk8.5.10/unix
    # Note: the above two lines starting from XGRAPH should come in the same line
    NS=/home/khawajaali/Desktop/ns-allinone-2.35/ns-2.35/
    NAM=/home/khawajaali/Desktop/ns-allinone-2.35/nam-1.15/
    PATH=$PATH:$XGRAPH:$NS:$NAM

Save the modification and close the file

source ~/.bashrc

end of installation



Install Behind Proxy

PIP

sudo pip install --proxy  http://edcguest:edcguest@172.31.100.14:3128 pygraphviz

Add Apt Repository

export http_proxy=http://edcguest:edcguest@172.31.100.14:3128
export https_proxy=http://edcguest:edcguest@172.31.100.14:3128
sudo -E add-apt-repository name_of_ppa
 
sudo apt-get update 
 
 

Download whole site

wget  -r --proxy-user=cs1123 --proxy-password=chinu http://upscguide.com
wget -A pdf -m -p -E -k -K -np http://www.xyz.com/

Git

export http_proxy=http://edcguest:edcguest@172.31.100.14:3128
export https_proxy=http://edcguest:edcguest@172.31.100.14:3128
 
git clone url folderName 


https://github.com/qinshulei/ubuntu-install

Security Material

Tuesday 12 February 2019

Enable AAA Security on Router

Open the router console; by default you are in user mode.
Router>

Enter the command enable to enter privileged mode.
Router>enable
Router#

Enter the command configure terminal to enter global config mode.
Router#configure terminal
Router(config)#

All configuration is done in global config mode.

Introduction

AAA security can be enabled in two ways:
1) Using the local database of the router
2) Using a third party server (Server-based Authentication)
  1. Using TACACS+ server
  2. Using RADIUS server

AAA using the local database of the router

The rest of the discussion uses the example scenario given below:


1) Initial Setting

    Change the hostnames of routers to R1, R2, and R3 as shown in the figure above.
    Router1(config)#hostname R1
    Router2(config)#hostname R2
    Router3(config)#hostname R3 


    Assign all the IP addresses.
    Configure all the routers using RIP.
    Set enable password for each router R1, R2, and R3 to cisco. 
    R1(config)#enable password cisco
    R2(config)#enable password cisco
    R3(config)#enable password cisco

    Create new usernames and passwords for R1, R2, and R3 using the following commands--
    R1(config)#username Admin1 secret admin1
    R2(config)#username Admin2 secret admin2
    R3(config)#username Admin3 secret admin3

AAA Authentication using the local database

2) Configure the line console to use AAA authentication.

    Create new usernames and passwords for R1

    R1(config)#username Admin1 secret admin1

    Enable AAA on R1 and configure AAA authentication for the console login to use default method list
    R1(config)#aaa new-model
    R1(config)#aaa authentication login default local
    R1(config)#line console 0
    R1(config-line)#login authentication default


    Verify the setting by exiting from router's console and re-login using R1's console

 3) Configure the line vty to use AAA authentication.

 
     Configure the domain name and generate RSA key to use with SSH
     R1(config)#ip domain-name ccnasecurity.com
     R1(config)#crypto key generate rsa
     Enter 1024 on prompt

    Create a named-list AAA authentication method for the vty line
    R1(config)#aaa authentication login SSH-LOGIN local


    Configure the vty line to use the defined AAA authentication method named SSH-LOGIN

    R1(config)#line vty 0 4
    R1(config-line)#transport input ssh
    R1(config-line)#login authentication SSH-LOGIN


    Verify the setting from PC-A by doing ssh from the command prompt

    PC-A>ssh -l Admin1 192.168.1.1

Server-based Authentication using TACACS+ Server

    For backup purposes, configure a local username of Admin2 having
    password admin2 on R2.

    R2(config)#username Admin2 secret admin2


    TACACS+ Server configuration
   Click the TACACS+ Server. On the Services tab, click AAA.

 
   Add network configuration entry.

   Client Name: R2
   Client IP: 192.168.2.1
   Secret: tacacspass
   Choose Server type as TACACS
   Click Add button

  Add username and password corresponding to R2.

  Username: Admin2
  Password: admin2
  Click Add button

 
  Turn on the service by clicking the ON radio button near the Service label
   Configure the AAA TACACS server IP address and secret key on R2

   R2(config)#tacacs-server host 192.168.2.2
   R2(config)#tacacs-server key tacacspass

   Configure AAA login authentication for console access on R2.
   R2(config)#aaa new-model
   R2(config)#aaa authentication login default group tacacs+ local
   R2(config)#line console 0
   R2(config-line)#login authentication default
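
The method list `group tacacs+ local` configured above falls through to the local database only when the TACACS+ server does not respond, not when it rejects the credentials. The following Python simulation is an added example, not part of the original post; the `LocalOnly` account and the function names are constructed for illustration.

```python
# Method results: "PASS", "FAIL" (credentials rejected), "ERROR" (no response)
TACACS_USERS = {"Admin2": "admin2"}                       # account on the TACACS+ server
LOCAL_USERS = {"Admin2": "admin2", "LocalOnly": "localpw"}  # LocalOnly is constructed

def tacacs_method(user, password, reachable):
    """TACACS+ answers PASS/FAIL when reachable, ERROR when it times out."""
    if not reachable:
        return "ERROR"
    return "PASS" if TACACS_USERS.get(user) == password else "FAIL"

def local_method(user, password):
    """The router's own username database always answers PASS or FAIL."""
    return "PASS" if LOCAL_USERS.get(user) == password else "FAIL"

def login(method_list, user, password, tacacs_reachable=True):
    """Walk the method list in order.

    The next method is tried only if the current one returns ERROR.
    A FAIL stops the process: a rejected login is never retried locally.
    Returns (authenticated, methods_tried).
    """
    tried = []
    for method in method_list:
        tried.append(method)
        if method == "group tacacs+":
            result = tacacs_method(user, password, tacacs_reachable)
        elif method == "local":
            result = local_method(user, password)
        else:
            raise ValueError("unsupported method: " + method)
        if result != "ERROR":
            return result == "PASS", tried
    return False, tried

# aaa authentication login default group tacacs+ local
R2_DEFAULT = ["group tacacs+", "local"]

if __name__ == "__main__":
    for user, pw, up in [("Admin2", "admin2", True),
                         ("LocalOnly", "localpw", True),
                         ("LocalOnly", "localpw", False)]:
        print(user, "server up" if up else "server down",
              login(R2_DEFAULT, user, pw, tacacs_reachable=up))
```
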

    


Monday 4 February 2019

Access Control List

Access Control List (ACL)

Open the router console; by default you are in user mode.
Router>

Enter the command enable to enter privileged mode.
Router>enable
Router#

Enter the command configure terminal to enter global config mode.
Router#configure terminal
Router(config)#

All configuration is done in global config mode.

Introduction

An ACL is used to deny traffic for an IP address or a group of IP addresses.

TODO

Types of Traffic 

Inbound Traffic - Traffic or packets going into the router
Outbound Traffic - Traffic or packets coming out of the router

Types of ACL 

There are two types of ACL
1. Standard ACL (1-99)
  • applied closest to the destination
  • denies or permits source IP address

2. Extended ACL (100-199)
  • applied closest to the source
  • denies or permits source IP address
  • denies or permits destination IP address
  • denies or permits port (service)

Standard ACL

Consider two networks with subnets Source Network ID (SNID) and Destination Network ID (DNID), attached to the routers RSource and RDestination respectively.
Suppose you want to deny a host in the SNID network, with IP address IPsource, access to the DNID network. This can be done with a standard ACL that denies the host with IP address IPsource.




1. Creating an ACL

Open console of router RDestination
                
      Go to global config mode
      Router(config)#
                
      Enter command ->access-list ACLNumber deny IPsource WildCardBits
      Router(config)#access-list 1 deny 10.0.2.3 0.0.0.0    
                           % 1 for standard ACL. Deny only one IP address
                
      Enter command ->access-list ACLNumber  permit any
      Router(config)#access-list 1 permit any  
                           % Permit all other traffic
        
2. Applying the ACL to the interface
                
       Go to global config mode
       Router(config)#
                
       Enter command ->interface interfaceName   
       Router(config)#interface fa0/0  
                          % fa0/0 is the interface on which the ACL will be applied
                
       Enter command ->ip access-group ACLName InBoundOrOutBound
       Router(config)#ip access-group 1 out   
                          % Here out is for outbound traffic 
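
How the router evaluates the standard ACL above: rules are checked top-down, the first match wins, a wildcard bit of 0 means "must match", and anything that matches no rule hits the implicit deny. This Python evaluator is an added example, not part of the original post; the NO_PERMIT, SUBNET and SHADOWED lists are constructed variations on the page's ACL 1.

```python
import ipaddress

def parse_acl(lines):
    """Parse 'access-list N permit|deny SRC [WILDCARD]' lines into rules."""
    rules = []
    for line in lines:
        tok = line.split()
        action, src = tok[2], tok[3]
        if src == "any":
            addr, wild = 0, 0xFFFFFFFF          # every bit ignored
        elif src == "host":
            addr, wild = int(ipaddress.IPv4Address(tok[4])), 0
        else:
            addr = int(ipaddress.IPv4Address(src))
            # A standard ACL entry without wildcard bits matches one host
            wild = int(ipaddress.IPv4Address(tok[4])) if len(tok) > 4 else 0
        rules.append((action, addr, wild))
    return rules

def evaluate(rules, source_ip):
    """Return the action of the first matching rule, else the implicit deny."""
    ip = int(ipaddress.IPv4Address(source_ip))
    for action, addr, wild in rules:
        # Wildcard bit 0 = compare this bit, 1 = ignore this bit
        if (ip | wild) == (addr | wild):
            return action
    return "deny"  # implicit 'deny any' at the end of every ACL

# ACL 1 exactly as configured on this page
PAGE_ACL = ["access-list 1 deny 10.0.2.3 0.0.0.0",
            "access-list 1 permit any"]
# Constructed: same ACL without 'permit any' (everything is dropped)
NO_PERMIT = ["access-list 1 deny 10.0.2.3 0.0.0.0"]
# Constructed: wildcard 0.0.0.255 denies the whole 10.0.2.0/24 network
SUBNET = ["access-list 1 deny 10.0.2.0 0.0.0.255",
          "access-list 1 permit any"]
# Constructed: wrong order, the deny line is never reached
SHADOWED = ["access-list 1 permit any",
            "access-list 1 deny 10.0.2.3 0.0.0.0"]

if __name__ == "__main__":
    for name, acl in [("PAGE_ACL", PAGE_ACL), ("NO_PERMIT", NO_PERMIT),
                      ("SUBNET", SUBNET), ("SHADOWED", SHADOWED)]:
        rules = parse_acl(acl)
        print(name, {ip: evaluate(rules, ip)
                     for ip in ("10.0.2.3", "10.0.2.4", "10.0.3.1")})
```
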



Extended ACL

TODO

   Source:- Cisco CCNA Security
                
                

Virtual Private Network

Virtual Private Network (VPN)

Open the router console; by default you are in user mode.
Router>

Enter the command enable to enter privileged mode.
Router>enable
Router#

Enter the command configure terminal to enter global config mode.
Router#configure terminal
Router(config)#

All configuration is done in global config mode.


Create VPN


Suppose you want to create a VPN between interface IRi and interface IRj of router Ri and router Rj respectively.

  • Assign IP address to all the interfaces.
  • Insert forwarding entries in routers either statically or using RIP.
  • First check from router Ri that you are able to ping interface IRj.
  • Then check from router Rj that you are able to ping interface IRi.
  • Open the console of Ri

                Go to global config mode
                Router(config)#
                
                Enter command ->interface tunnel tunnelNumber
                Router(config)#interface tunnel 0

                Enter command ->ip address IPAddressOfTunnel  SubnetMask
                Router(config-if)#ip address 100.0.0.1 255.255.255.0

                Enter command ->tunnel source interfaceIDof-IRi
                Router(config-if)#tunnel source se0/0/0

                Enter command ->tunnel destination IPAddressof-IRj
                Router(config-if)#tunnel destination 10.0.3.1

                Enter command ->no shutdown 
                Router(config-if)#no shutdown




  •  Open console of  Rj
                Go to global config mode
                Router(config)#

                Enter command ->interface tunnel tunnelNumber
                Router(config)#interface tunnel 0

                Enter command ->ip address IPAddressOfTunnel  SubnetMask
                Router(config-if)#ip address 100.0.0.2 255.255.255.0

                Enter command ->tunnel source interfaceIDof-IRj
                Router(config-if)#tunnel source se0/0/0

                Enter command ->tunnel destination IPAddressof-IRi
                Router(config-if)#tunnel destination 10.0.1.1

                Enter command ->no shutdown 
                Router(config-if)#no shutdown

Note: the tunnel number should be the same for both the tunnel source and the tunnel destination.

Friday 1 February 2019

VLAN

Open the switch console; by default you are in user mode.
Switch>

Enter the command enable to enter privileged mode.
Switch>enable
Switch#

Enter the command configure terminal to enter global config mode.
Switch#configure terminal
Switch(config)#

All configuration is done in global config mode.


Show all the VLANs of a switch
Go to privileged mode
Switch#

Enter command ->show vlan
Switch#show vlan

Create a vlan
Go to  global config mode
Switch(config)#

Enter command ->vlan vlanNumber
Switch(config)#vlan 50

Enter command ->name vlanName
Switch(config-vlan)#name data

Enter command ->exit for switching to global config mode
Switch(config-vlan)#exit


Assign ports of switch to a vlan
Go to  global config mode
Switch(config)#

Enter command ->interface interfaceName
Switch(config)#interface fa0/10

Enter command ->switchport mode access
Switch(config-if)#switchport mode access

Enter command ->switchport access vlan vlanNumber
Switch(config-if)#switchport access vlan 50
 
Enter command ->exit for switching to global config mode
Switch(config-if)#exit

Assign IP address to vlan interface
Go to  global config mode
Switch(config)#

Enter command ->interface vlan vlanNumber
Switch(config)#interface vlan 99

Enter command ->ip address VlanIP netMask 
Switch(config-if)#ip address 192.168.99.2 255.255.255.0

Enter command ->no shutdown
Switch(config-if)#no shutdown

Making a port a trunk
Go to  global config mode
Switch(config)#

Enter command ->interface interfaceName
Switch(config)#interface fa0/10

Enter command ->switchport mode trunk
Switch(config-if)#switchport mode trunk

Enter command ->switchport trunk allowed vlan from-to
Switch(config-if)#switchport trunk allowed vlan 1-99
 
Enter command ->exit for switching to global config mode
Switch(config-if)#exit

Config Native Vlan

Go to  global config mode
Switch(config)#

Enter command ->vlan vlanNumber
Switch(config)#vlan 80

Enter command ->name native
Switch(config-vlan)#name native

Enter command ->switchport trunk native vlan vlanNumber (in the interface config mode of the trunk port)
Switch(config-if)#switchport trunk native vlan 80

Show details of the interfaces of a switch
Go to privileged mode
Switch#

Enter command ->show interfaces switchport
Switch#show interfaces switchport

Show details of the spanning tree of a switch
Go to privileged mode
Switch#

Enter command ->show spanning-tree
Switch#show spanning-tree

Enable security on interfaces
Go to  global config mode
Switch(config)#

Enter command -> interface range interfaceName0/fromInt-toInt
e.g. the command below configures interfaces 1 to 3
Switch(config)#interface range fa0/1-3

Change the switch port mode to access mode
Switch(config-if-range)#switchport mode access

Assign the interfaces to a VLAN (this command automatically creates the VLAN if it does not exist)
Switch(config-if-range)#switchport access vlan 22

Disable CDP on all ports
Switch(config-if-range)#no cdp enable

Enable BPDU guard
Switch(config-if-range)#spanning-tree bpduguard enable

Close
Switch(config-if-range)#shutdown

Access security on port  
Go to  global config mode
Switch(config)#

Enter command -> interface range interfaceName0/fromInt-toInt
e.g. the command below configures interfaces 1 to 3
Switch(config)#interface range fa0/1-3

Enter command ->switchport port-security maximum num
Here num is the number of MAC addresses (devices) allowed on a single port
Switch(config-if-range)#switchport port-security maximum 1

Enter command ->switchport port-security violation shutdown
It will shut down the interface on a security violation
Switch(config-if-range)#switchport port-security violation shutdown


Enter command ->storm-control broadcast level percentage
Here percentage is the amount of broadcast traffic allowed
Switch(config-if-range)#storm-control broadcast level 75
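
On Cisco IOS switches the `maximum` and `violation` lines in the port-security steps above only set parameters; the feature stays off until the bare `switchport port-security` command is entered on a static access or trunk port. This Python check is an added example, not part of the original post; the SAMPLE command list and the function names are constructed for illustration.

```python
def parse_interfaces(config):
    """Map each 'interface X' stanza to the list of commands under it."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!" or not line:
            current = None          # stanza separator
        elif current is not None:
            stanzas[current].append(line)
    return stanzas

def audit_port_security(config):
    """Return (interface, finding) pairs for ineffective port-security setups."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        # Parameter lines look like 'switchport port-security <keyword> ...'
        params = [c for c in cmds if c.startswith("switchport port-security ")]
        enabled = "switchport port-security" in cmds   # the bare enable command
        static = ("switchport mode access" in cmds
                  or "switchport mode trunk" in cmds)
        if params and not enabled:
            findings.append((name, "parameters set but port-security not enabled"))
        if enabled and not static:
            findings.append((name, "port-security on a port without a static mode"))
    return findings

# Constructed sample: commands as they would be typed per interface
SAMPLE = """
interface fa0/1
 switchport mode access
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
interface fa0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
interface fa0/3
 switchport port-security
"""

if __name__ == "__main__":
    for iface, finding in audit_port_security(SAMPLE):
        print(iface + ": " + finding)
```
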