Tuesday, 10 April 2012

Where are old Debian repositories stored?

In the archive :)
Example for Lenny:
deb http://archive.debian.org/debian/ lenny main non-free contrib
deb-src http://archive.debian.org/debian/ lenny main non-free contrib
# Security:
deb http://archive.debian.org/debian-security/ lenny/updates main contrib non-free
deb-src http://archive.debian.org/debian-security/ lenny/updates main contrib non-free
# Volatile:
deb http://archive.debian.org/debian-volatile lenny/volatile main contrib non-free
deb-src http://archive.debian.org/debian-volatile lenny/volatile main contrib non-free
# Backports:
deb http://archive.debian.org/debian-backports lenny-backports main contrib non-free

Friday, 6 April 2012

CCNA Security is done

Well, yesterday I successfully passed the CCNA Security exam (640-553). Literally a few weeks before, a new version of this exam, 640-554, was released. I had no time to prepare for that version, so I did not even consider it. The exam was not very difficult; however, I learned a lot of new stuff. 60 questions, 2,5 hours.
For preparation I used 3 books: CCNA Security by Neil Edde, CCNA Security official exam certification guide by Michael Watkins and Implementing Cisco IOS Network Security by Catherine Paquet.
For lab sims I used the site www.securitytut.com.
Practice tests were downloaded from www.examcollection.com.
What is next? I don't know :) In the first place some rest, I think a couple of months. And then my goal is Microsoft Certifications.

Tuesday, 3 April 2012

How to configure IPsec VPN on Cisco routers

IPsec is not a protocol, it is a framework for securing unicast traffic. It consists of 3 protocols: ESP, AH (obsolete) and IKE. For multicast and broadcast traffic GRE should be used. Negotiation (IKE) uses UDP port 500. Encapsulating Security Payload uses IP protocol 50, Authentication Header uses IP protocol 51. IKE Phase 1 can be established via main mode (6 messages) or aggressive mode (3 messages). During this phase the peers authenticate each other using pre-shared keys (PSK) or RSA signatures (PKI). Phase 2 has only one mode, quick mode, which takes 3 packets.
Below you can find a short description of configuring IPsec in tunnel mode on a router; to configure the other router you just need to change the IP addresses, everything else is the same.
IPsec configuration consists of the following steps:
  • Configure ISAKMP (IKE phase 1) policy
  • Configure transform set (IKE phase 2)
  • Configure access list which determines what traffic to encrypt
  • Create crypto map
  • Apply crypto map to an interface
Configure ISAKMP policy
Here we configure the policy priority, encryption, authentication, hash and Diffie-Hellman group (the group defines the size of the DH modulus, that is, how strong the generated key is; group 2 is usually used)
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption aes 256
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#hash sha
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#group 2
R1(config-isakmp)#exit


Configure ISAKMP key - this key is used only for authentication, not encryption.
R1(config)#crypto isakmp key test address 10.10.0.2

Configure transform set
Here we configure transform set name, encryption and authentication.
R1(config)#crypto ipsec transform-set myset2 esp-aes 256 esp-sha-hmac

Configure access list
R1(config)#access-list 102 permit ip any 1.1.1.0 0.0.0.255

Configure crypto map
Here we combine transform set, access list and peer
R1(config)#crypto map map2 10 ipsec-isakmp
R1(config-crypto-map)#set peer 10.10.0.2
R1(config-crypto-map)#set transform-set myset2
R1(config-crypto-map)#match address 102


Apply crypto map to the interface
R1(config)#interface fastEthernet 1/1
R1(config-if)#crypto map map2
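The post says the second router only needs its IP addresses changed, and in practice most tunnels that refuse to come up fail because something else differs between the two ends. Here is an added Python example (not from the original post) that parses IOS configuration text for both routers and reports mismatched ISAKMP policy attributes, transform sets, pre-shared keys, peer addresses, and crypto ACLs that are not mirror images of each other. R1 is the configuration above plus an assumed interface address of 10.10.0.1; the whole R2 configuration and the deliberately broken variant are constructed.

```python
"""Consistency check for both ends of an IOS crypto-map IPsec tunnel. Added example,
not from the post: CLI prompts such as 'R1(config-isakmp)#' are tolerated on input;
R1's interface address 10.10.0.1 and everything about R2 are constructed."""
import re

ISAKMP_ATTRS = ("encryption", "hash", "authentication", "group", "lifetime")
ISAKMP_DEFAULTS = {"lifetime": "86400"}   # IOS default ISAKMP SA lifetime in seconds

def _addr(w, i):
    """Read one ACL address operand at w[i] ('any' or network + wildcard); return (text, next)."""
    if w[i] == "any":
        return "any", i + 1
    return f"{w[i]} {w[i + 1]}", i + 2

def parse_config(text):
    """Extract the crypto-relevant pieces of an IOS configuration into a dict."""
    cfg = {"policy": {}, "psk": {}, "transform": (), "acl": [], "peer": "", "local_ip": ""}
    block, acls, ifaces, map_name, acl_num = None, {}, [], "", ""
    for raw in text.splitlines():
        w = re.sub(r"^\S+#\s*", "", raw.strip()).split()   # drop 'R1(config)#' style prompts
        if not w or w[0] == "!":
            continue
        if w[:2] == ["crypto", "map"] and len(w) == 3 and ifaces:   # map applied under an interface
            ifaces[-1]["map"] = w[2]
            continue
        if w[0] in ("crypto", "access-list", "interface", "exit"):
            block = None                                     # any top-level command ends a block
        if w[:3] == ["crypto", "isakmp", "policy"]:
            block = "isakmp"
        elif w[:2] == ["crypto", "map"]:                     # global crypto map definition
            block, map_name = "map", w[2]
        elif w[0] == "interface":
            block = "iface"
            ifaces.append({})
        elif w[:3] == ["crypto", "isakmp", "key"]:           # crypto isakmp key KEY address PEER
            cfg["psk"][w[5]] = w[3]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform"] = tuple(w[4:])
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            src, i = _addr(w, 4)
            acls.setdefault(w[1], []).append((src, _addr(w, i)[0]))
        elif block == "isakmp" and w[0] in ISAKMP_ATTRS:
            cfg["policy"][w[0]] = " ".join(w[1:])
        elif block == "map" and w[:2] == ["set", "peer"]:
            cfg["peer"] = w[2]
        elif block == "map" and w[:2] == ["match", "address"]:
            acl_num = w[2]
        elif block == "iface" and w[:2] == ["ip", "address"]:
            ifaces[-1]["ip"] = w[2]
    cfg["acl"] = acls.get(acl_num, [])
    cfg["local_ip"] = next((i.get("ip", "") for i in ifaces if i.get("map") == map_name), "")
    return cfg

def check_pair(a, b, names=("R1", "R2")):
    """Return human-readable mismatches between the two ends; an empty list means consistent."""
    an, bn, problems = names[0], names[1], []
    for attr in ISAKMP_ATTRS:                                # Phase 1 policy must match
        va, vb = (c["policy"].get(attr, ISAKMP_DEFAULTS.get(attr)) for c in (a, b))
        if va != vb:
            problems.append(f"ISAKMP {attr}: {an}={va} {bn}={vb}")
    if a["transform"] != b["transform"]:                     # Phase 2 proposal must match
        problems.append(f"transform set: {an}={a['transform']} {bn}={b['transform']}")
    if a["peer"] != b["local_ip"] or b["peer"] != a["local_ip"]:
        problems.append(f"peers: {an}->{a['peer']} {bn}->{b['peer']} but interfaces are {a['local_ip']} / {b['local_ip']}")
    if a["peer"] not in a["psk"] or a["psk"][a["peer"]] != b["psk"].get(b["peer"]):
        problems.append("pre-shared key missing for the peer address, or the keys differ")
    if sorted(a["acl"]) != sorted((d, s) for s, d in b["acl"]):   # crypto ACLs must mirror
        problems.append(f"crypto ACLs are not mirror images: {an}={a['acl']} {bn}={b['acl']}")
    return problems

# R1 as configured in the post; the interface address 10.10.0.1 is an assumption.
R1 = """\
crypto isakmp policy 1
 encryption aes 256
 authentication pre-share
 hash sha
 lifetime 86400
 group 2
crypto isakmp key test address 10.10.0.2
crypto ipsec transform-set myset2 esp-aes 256 esp-sha-hmac
access-list 102 permit ip any 1.1.1.0 0.0.0.255
crypto map map2 10 ipsec-isakmp
 set peer 10.10.0.2
 set transform-set myset2
 match address 102
interface fastEthernet 1/1
 ip address 10.10.0.1 255.255.255.0
 crypto map map2
"""
# Constructed R2: addresses swapped, crypto ACL mirrored, lifetime left at the IOS default.
R2_OK = (R1.replace("key test address 10.10.0.2", "key test address 10.10.0.1")
           .replace("set peer 10.10.0.2", "set peer 10.10.0.1")
           .replace("ip address 10.10.0.1", "ip address 10.10.0.2")
           .replace(" lifetime 86400\n", "")
           .replace("permit ip any 1.1.1.0 0.0.0.255", "permit ip 1.1.1.0 0.0.0.255 any"))
# Constructed misconfiguration: wrong Phase 1 hash and a crypto ACL that is not the mirror of R1's.
R2_BAD = (R2_OK.replace("hash sha", "hash md5")
               .replace("1.1.1.0 0.0.0.255 any", "1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255"))
if __name__ == "__main__": print(check_pair(parse_config(R1), parse_config(R2_BAD)))
```

Paste each router's show running-config (or the prompt-prefixed lines above; prompts are stripped) into R1 and R2. The lifetime comparison falls back to the IOS default of 86400 seconds when a policy omits it; any other attribute set on one side and absent on the other is reported as a mismatch, which is what the router itself will do when proposals are compared.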


Check that everything works
R1#show crypto isakmp sa - check the state of Phase 1
R1#show crypto engine connections active
R1#show crypto session
R1#show crypto isakmp policy
R1#show crypto ipsec sa
R1#debug crypto isakmp
R1#debug crypto ipsec


NAT with IPSec
On outbound traffic NAT is processed first and IPsec only afterwards, so the translated traffic will not match the specified ACL. On inbound traffic the order is reversed.

Multiple crypto maps
If connections to more than one host are required, we will need multiple crypto maps. Actually, a single crypto map will be used but with multiple sequence numbers, because only one crypto map can be applied to an interface. We will also create a new access list and a new key.


IPSec configuration types
Above you can see an example of establishing an IPsec tunnel using crypto maps. This is the oldest method, but not the only one. There are also the following types:
  • VTI 
  • GRE over IPSec

Sunday, 1 April 2012

Checking SSL ciphers

Sometimes it is necessary to test which ciphers an SSL server supports. This can be done with the openssl command. For example, we can try to connect to the site using LOW ciphers:
openssl s_client -connect site.com:443 -cipher LOW

To see what ciphers are included in the category:
openssl ciphers LOW -v 

Connect to a service using SSLv2:
openssl s_client -ssl2 -connect SERVERNAME:443
And in addition, a very useful link: OpenSSL Command-Line HOWTO
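To turn the cipher list into an actual check rather than a manual read, here is an added Python example (not from the original post) that parses the output of openssl ciphers -v, flags export-grade, NULL, sub-128-bit, RC4, 3DES, anonymous and MD5-MAC suites, and builds the s_client command line from the post for probing a single suite or cipher string against a server. The SAMPLE text is constructed in the format openssl prints, not a real server's list; audit_local() runs the real openssl ciphers on your machine.

```python
"""Classify 'openssl ciphers -v' output and flag the suites a server should not offer.
Added example, not from the post: SAMPLE is constructed in the format openssl prints
(name, protocol, Kx=, Au=, Enc=, Mac=, optional 'export'); it is not a real server's list."""
import re
import subprocess

SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
"""

# One 'openssl ciphers -v' line. The protocol column is the version the suite was defined
# for, not what a server negotiates, so it is parsed but not used as a weakness signal.
LINE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)(\s+export)?")


def parse_ciphers(output):
    """Yield one dict per recognised line of 'openssl ciphers -v' output."""
    for line in output.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        name, proto, kx, au, enc, mac, export = m.groups()
        algo, _, bits = enc.partition("(")              # 'AESGCM(256)' -> 'AESGCM', '256)'
        yield {"name": name, "proto": proto, "kx": kx, "au": au, "algo": algo,
               "bits": int(bits.rstrip(")")) if bits else 0, "mac": mac,
               "export": bool(export)}


def weaknesses(c):
    """Reasons a suite should not be offered; an empty list means nothing was flagged."""
    why = []
    if c["export"]:
        why.append("export-grade")
    if c["algo"] == "None":
        why.append("no encryption")
    elif c["bits"] < 128:
        why.append(f"{c['bits']}-bit key")
    if c["algo"] == "RC4":
        why.append("RC4")
    if c["algo"] == "3DES":
        why.append("3DES (112-bit effective)")
    if c["au"] == "None":
        why.append("anonymous key exchange")
    if c["mac"] == "MD5":
        why.append("MD5 MAC")
    return why


def audit(output):
    """Map cipher name -> list of reasons, for every flagged suite in the output."""
    return {c["name"]: weaknesses(c) for c in parse_ciphers(output) if weaknesses(c)}


def probe_command(host, cipher, port=443):
    """argv for testing one suite (or a cipher string such as LOW) against a live server, as in the post."""
    return ["openssl", "s_client", "-connect", f"{host}:{port}", "-cipher", cipher]


def audit_local(spec="ALL"):
    """Run the local toolkit's 'openssl ciphers -v <spec>' and audit what it would offer."""
    out = subprocess.run(["openssl", "ciphers", "-v", spec], capture_output=True, text=True)
    return audit(out.stdout)


if __name__ == "__main__":
    for name, why in audit(SAMPLE).items():
        print(f"{name:28} {', '.join(why)}")
```

A suite that is merely listed by openssl ciphers is only a candidate; what a given server actually accepts still has to be checked by connecting with probe_command() for each candidate and reading whether the handshake completes.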

L2 security

VLAN hopping
Can be done via switch spoofing or double tagging. Switch spoofing means connecting a rogue switch to a switch port. To avoid it we need to disable trunking:

Cat3550(config-if)# switchport mode access


And on ports that must remain trunks, prevent the use of DTP:
Cat3550(config-if)# switchport trunk encapsulation dot1q
Cat3550(config-if)# switchport mode trunk
Cat3550(config-if)# switchport nonegotiate


To avoid double tagging, do not use the native VLAN for connecting users.

STP attacks
Root guard - if a port starts receiving superior BPDUs, all user data on it is stopped; after the BPDUs stop, the port begins to forward packets again
SW1(config)# interface gigabitethernet 0/1
SW1(config-if)# spanning-tree guard root


BPDU guard - if a port receives a BPDU, it is disabled (err-disabled). Works with the PortFast feature.
SW1(config)# interface gigabitethernet 0/2 
SW1(config-if)# spanning-tree bpduguard enable 
or in global mode, for all PortFast ports
SW1(config)# spanning-tree portfast bpduguard default

DHCP Starvation attack
A hacker sends a lot of DHCP requests from bogus MAC addresses and occupies all available DHCP addresses. Then he introduces his own DHCP server.

DHCP spoofing
The DHCP snooping feature on Cisco Catalyst switches will help. There are two port states: trusted and untrusted. When this feature is enabled all ports are untrusted by default. Trusted ports are allowed to receive DHCP responses, untrusted ports are not, and they become disabled if they receive such responses.

SW1(config)# ip dhcp snooping
SW1(config)# interface gigabitethernet 0/4
SW1(config-if)# ip dhcp snooping trust 

SW1# show ip dhcp snooping
SW1# show ip dhcp snooping binding

DHCP DoS attack
Somebody may send tons of DHCP requests from different MAC addresses. It is possible to limit the number of requests per second, for instance to 3:
SW1(config)# interface gigabitethernet 0/5
SW1(config-if)# ip dhcp snooping limit rate 3

ARP spoofing
We can protect against this using the DAI (Dynamic ARP Inspection) feature.
SW1(config)# ip arp inspection vlan 10
SW1(config)# interface gigabitethernet 0/6
SW1(config-if)# ip arp inspection trust

SW1#show ip arp inspection vlan 123


Static ARP access list
arp access-list ACL_NAME
permit ip host 1.1.1.1 mac host 1111.1111.1111
ip arp inspection filter ACL_NAME vlan 123
show arp access-list ACL_NAME

Auto recovery of port
errdisable recovery cause arp-inspection
errdisable recovery interval 30 

Validate the IP, source MAC and destination MAC in the ARP payload
ip arp inspection validate src-mac dst-mac ip


CAM table overflow attack, MAC address spoofing
The attacker sends thousands of frames with bogus source MAC addresses to the switch, which fills the CAM table. When the switch then receives a frame for an unknown destination it just sends it out all ports. Consequently, the attacker can now listen to all traffic in this VLAN.
The port-security command can be used to mitigate this: it defines the maximum number of MAC addresses per port.
To use port security we have to explicitly configure the port as an access or trunk port.
When we configure port security on a trunk port we can specify details for specific VLANs.
We can also use aging for port security in dynamic mode.

Port security can be static, dynamic or sticky.
Sticky - dynamically learns MAC addresses on a port and puts them into the configuration as static entries. Then we just have to save the running config to startup.

Violation actions can be:
Protect - stops everything after the maximum of MAC addresses (5 in the example below) is reached; no alerts, no syslog messages, no SNMP traps; not a very good option
Restrict - the same as Protect, but with alerts
Shutdown - the default action; just turns the port off, plus alerts
Shutdown vlan

SW1(config-if)# switchport port-security maximum 5
SW1(config-if)# switchport port-security aging type inactivity
SW1(config-if)# switchport port-security aging time 5
SW1(config-if)# switchport port-security violation restrict
SW1(config-if)# switchport port-security mac-address 0000.0000.0000
SW1(config-if)# switchport port-security
SW1(config-if)# switchport port-security mac-address sticky

Source guard
Protects against IP spoofing and MAC spoofing
interface gigabitethernet 0/2
ip verify source port-security

ip source binding b827.eb51.1af6 vlan 123 10.123.0.50 interface gigabitethernet 0/2
show ip verify source
show ip source binding

Storm control
Configured in interface context; we can monitor broadcast, unicast and multicast traffic, based on pps, bps or interface utilisation.
storm-control broadcast level pps 500 100
storm-control action shutdown
errdisable recovery cause storm-control
errdisable recovery interval 60
show storm-control broadcast
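Each feature above raises a syslog message when it acts, so the switch itself reports when someone is flooding MAC addresses, answering DHCP from an access port or sending bogus ARP replies. Here is an added Python example (not from the original post) with detection logic run over a few constructed log lines written in the shape of the IOS PORT_SECURITY, DHCP_SNOOPING, SW_DAI, SPANTREE and STORM_CONTROL messages: it extracts the port, VLAN and MAC from each, counts events per source and reports the sources at or above an assumed per-feature threshold. Hostnames, MACs, ports and thresholds are all made up.

```python
"""Triage Catalyst syslog lines emitted by the L2 protections above. Added example, not
from the post: the log lines are constructed in the shape of the IOS messages that port
security, DHCP snooping, DAI, BPDU guard and storm control produce (hosts, MACs and ports
are made up), and the per-feature thresholds are assumptions."""
import re
from collections import Counter

SAMPLE_LOG = """\
Apr  1 10:01:02 sw1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet0/5.
Apr  1 10:01:03 sw1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4456 on port GigabitEthernet0/5.
Apr  1 10:01:03 sw1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4457 on port GigabitEthernet0/5.
Apr  1 10:01:40 sw1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00de.adbe.ef01 on port GigabitEthernet0/8.
Apr  1 10:02:10 sw1 %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 00aa.bbcc.dd01
Apr  1 10:02:11 sw1 %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPACK, MAC sa: 00aa.bbcc.dd01
Apr  1 10:03:00 sw1 %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Gi0/6, vlan 10.([00aa.bbcc.dd02/10.0.10.1/0000.0000.0000/10.0.10.7/10:03:00 UTC Sun Apr 1 2012])
Apr  1 10:03:01 sw1 %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Gi0/6, vlan 10.([00aa.bbcc.dd02/10.0.10.1/0000.0000.0000/10.0.10.9/10:03:01 UTC Sun Apr 1 2012])
Apr  1 10:04:00 sw1 %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/2 with BPDU Guard enabled. Disabling port.
Apr  1 10:05:00 sw1 %STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Gi0/7. A packet filter action has been applied on the interface.
"""

# One regex per feature; the named groups are the fields triage() keys on.
PATTERNS = {
    "port-security": re.compile(r"%PORT_SECURITY-\d-PSECURE_VIOLATION: .*MAC address (?P<mac>\S+) on port (?P<port>\S+?)\.?$"),
    "dhcp-snooping": re.compile(r"%DHCP_SNOOPING-\d-DHCP_SNOOPING_UNTRUSTED_PORT: .*message type: (?P<kind>\S+), MAC sa: (?P<mac>\S+)"),
    "dai": re.compile(r"%SW_DAI-\d-DHCP_SNOOPING_DENY: .* on (?P<port>\S+), vlan (?P<vlan>\d+)\.\(\[(?P<mac>[^/]+)/(?P<ip>[^/]+)/"),
    "bpdu-guard": re.compile(r"%SPANTREE-\d-BLOCK_BPDUGUARD: Received BPDU on port (?P<port>\S+) with"),
    "storm-control": re.compile(r"%STORM_CONTROL-\d-FILTERED: A (?P<kind>\S+) storm detected on (?P<port>\S+?)\."),
}

# What a burst of each message usually means, and what the switch has already done about it.
NOTES = {
    "port-security": "many new MACs on one port: CAM overflow or MAC spoofing attempt; port held to its maximum",
    "dhcp-snooping": "DHCP server replies from an untrusted port: rogue DHCP server (DHCP spoofing), replies dropped",
    "dai": "ARP replies not matching the DHCP snooping binding: ARP spoofing attempt, packets dropped",
    "bpdu-guard": "BPDU on an access port: rogue switch or bridging host; port err-disabled",
    "storm-control": "traffic storm on the port; suppressed by storm control",
}

# Assumed thresholds: one BPDU or storm event matters, repeated violations or denies do.
THRESHOLDS = {"port-security": 3, "dai": 2, "dhcp-snooping": 1}


def parse_events(log):
    """Turn each recognised syslog line into a dict of the feature plus the fields we triage on."""
    events = []
    for line in log.splitlines():
        for feature, rx in PATTERNS.items():
            m = rx.search(line.rstrip())
            if m:
                events.append({"feature": feature, **m.groupdict()})
                break
    return events


def triage(events):
    """Count events per (feature, port or MAC) and report the sources at or over the threshold."""
    counts = Counter((e["feature"], e.get("port") or e.get("mac")) for e in events)
    return [{"feature": f, "source": src, "count": n, "note": NOTES[f]}
            for (f, src), n in sorted(counts.items()) if n >= THRESHOLDS.get(f, 1)]


if __name__ == "__main__":
    for f in triage(parse_events(SAMPLE_LOG)):
        print(f"{f['feature']:14} {f['source']:20} x{f['count']}  {f['note']}")
```

The DHCP_SNOOPING drop message carries no port, so rogue DHCP servers are grouped by their source MAC and show mac address-table is what maps that MAC back to a port. The thresholds are deliberately low for the ten sample lines; on a real access layer they should be tuned so that a single user plugging in a second device does not raise a finding.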

SAN and its numerous protocols

Preparing for the CCNA Security exam I decided to research a little about SAN (Storage Area Network) technology and the protocols used in it. It turned out that it is not quite simple. Over the years a number of protocols were developed: Fibre Channel, Fibre Channel over Ethernet, Fibre Channel over IP, iSCSI. Moreover, they compete with each other.
The history and the differences are described in an interesting article: Fibre Channel vs. iSCSI: The war continues

Ping does not work

Today I would like to discuss a banal situation: host A is directly connected to host B, ping from host A to host B does not work. What are...