
NETWORK BASICS

Network
A system of interconnected computers and computerized peripherals such as printers is called a computer network. This interconnection facilitates information sharing among the computers. Computers may connect to each other over either wired or wireless media. A computer network consists of a collection of computers, printers and other equipment connected together so that they can communicate with each other.


Network application
A network application is any application running on one host that provides communication to another application running on a different host. The application may use an existing application layer protocol such as HTTP (e.g. the browser and web server) or SMTP (e.g. the email client), or it may use no existing protocol at all and instead rely on socket programming to communicate with the other application. So a web application is one type of network application.
There are lots of advantages to building up a network, but the th…

Disabling and Configuring Network Services

By default, the Cisco IOS runs some services that are unnecessary to its normal operation, and if you don’t disable them, they can be easy targets for denial-of-service (DoS) attacks and break-in attempts.
DoS attacks are the most common attacks because they are the easiest to perform. Using software and/or hardware tools such as an intrusion detection system (IDS) and intrusion prevention system (IPS) can both warn and stop these simple, but harmful, attacks. 
However, if we can’t implement IDS/IPS, there are some basic commands we can use on our routers to make them safer. Keep in mind, though, that nothing will make you completely safe in today’s networks.
Let’s take a look at the basic services we should disable on our routers.
Blocking SNMP Packets
The Cisco IOS default configurations permit remote access from any source, so unless you’re either way too trusting or insane, it should be totally obvious to you that those configurations need a bit of attention. You’ve got to restrict them. If you don’t, the router will be a pretty easy target for an attacker who wants to log in to it. This is where access lists come into the game—they can really protect you. If you place the following command on the serial0/0 interface of the perimeter router, it’ll stop any SNMP packets from entering the router or the DMZ. (You’d also need to have a permit command along with this list to really make it work, but this is just an example.)
Lab_B(config)#access-list 110 deny udp any any eq snmp
Lab_B(config)#interface s0/0
Lab_B(config-if)#ip access-group 110 in
Disabling Echo
In case you don’t know this already, small services are servers (daemons) running in the router that are quite useful for diagnostics. And here we go again—by default, the Cisco router has a series of diagnostic ports enabled for certain UDP and TCP services, including echo, chargen, and discard.
When a host attaches to those ports, a small amount of CPU is consumed to service these requests. All a single attacking device needs to do is send a whole slew of requests with different, random, phony source IP addresses to overwhelm the router, making it slow down or even fail. You can use the no version of these commands to stop a chargen attack:
Lab_B(config)#no service tcp-small-servers
Lab_B(config)#no service udp-small-servers
Finger is a utility program designed to allow users of Unix hosts on the Internet to get information about each other:
Lab_B(config)#no service finger
This matters because the finger command can be used to find information about all users on the network and/or the router. It’s also why you should disable it. The finger command is the remote equivalent to issuing the show users command on the router. Here are the TCP small services:
Echo Echoes back whatever you type. Type the command telnet x.x.x.x echo ? to see the options.
Chargen Generates a stream of ASCII data. Type the command telnet x.x.x.x chargen ? to see the options.
Discard Throws away whatever you type. Type the command telnet x.x.x.x discard ? to see the options.
Daytime Returns the system date and time, if correct. It is correct if you are running NTP or have set the date and time manually from the EXEC level. Type the command telnet x.x.x.x daytime ? to see the options.
The UDP small services are as follows:
Echo Echoes the payload of the datagram you send.
Discard Silently pitches the datagram you send.
Chargen Pitches the datagram you send and responds with a 72-character string of ASCII characters terminated with a CR+LF.
Turning off BootP and Auto-Config
Again, by default, the Cisco router also offers BootP service as well as remote auto-configuration. To disable these functions on your Cisco router, use the following commands:
Lab_B(config)#no ip bootp server
Lab_B(config)#no service config
Disabling the HTTP Interface
The ip http server command may be useful for configuring and monitoring the router, but the clear-text nature of HTTP can obviously be a security risk. To disable the HTTP process on your router, use the following command:
Lab_B(config)#no ip http server
To enable an HTTP server on a router for AAA, use the global configuration command ip http server.
Disabling IP Source Routing
The IP header source-route option allows the source IP host to set a packet’s route through the IP network. With IP source routing enabled, packets containing the source-route option are forwarded to the router addresses specified in the header. Use the following command to disable any processing of packets with source-routing header options:
Lab_B(config)#no ip source-route
Disabling Proxy ARP
Proxy ARP is the technique in which one host (usually a router) answers ARP requests intended for another machine. By “faking” its identity, the router accepts responsibility for getting those packets to the “real” destination. Proxy ARP can help machines on a subnet reach remote subnets without configuring routing or a default gateway. The following command disables proxy ARP:
Lab_B(config)#interface fa0/0
Lab_B(config-if)#no ip proxy-arp
Apply this command to all your router’s LAN interfaces.
Disabling Redirect Messages
ICMP redirect messages are used by routers to notify hosts on the data link that a better route is available for a particular destination. To disable the redirect messages so bad people can’t draw out your network topology with this information, use the following command:
Lab_B(config)#interface s0/0
Lab_B(config-if)#no ip redirects
Apply this command to all your router’s interfaces. However, just understand that if this is configured, legitimate user traffic may end up taking a sub-optimal route. Use caution when disabling this command.
Disabling the Generation of ICMP Unreachable Messages
The no ip unreachables command prevents the perimeter router from divulging topology information by telling external hosts which subnets are not configured. This command is used on a router’s interface that is connected to an outside network:
Lab_B(config)#interface s0/0
Lab_B(config-if)#no ip unreachables
Again, apply this to all the interfaces of your router that connect to the outside world.
Disabling Multicast Route Caching
The multicast route cache lists multicast routing cache entries. These packets can be read, and so they create a security problem. To disable the multicast route caching, use the following command:
Lab_B(config)#interface s0/0
Lab_B(config-if)#no ip mroute-cache
Apply this command to all the interfaces of the router. However, use caution when disabling this command because it may slow legitimate multicast traffic.
Disabling the Maintenance Operation Protocol (MOP)
The Maintenance Operation Protocol (MOP) works at the Data Link and Network layers in the DECnet protocol suite and is used for utility services like uploading and downloading system software, remote testing, and problem diagnosis. So, who uses DECnet? Anyone with their hands up? I didn’t think so. To disable this service, use the following command:
Lab_B(config)#interface s0/0
Lab_B(config-if)#no mop enabled
Apply this command to all the interfaces of the router.
Turning Off the X.25 PAD Service
Packet assembler/disassembler (PAD) connects asynchronous devices like terminals and computers to public/private X.25 networks. Since every computer in the world is pretty much IP savvy, and X.25 has gone the way of the dodo bird, there is no reason to leave this service running. Use the following command to disable the PAD service:
Lab_B(config)#no service pad
Enabling the Nagle TCP Congestion Algorithm
The Nagle TCP congestion algorithm is useful for small packet congestion, but if you’re using a higher setting than the default MTU of 1,500 bytes, it can create an above-average traffic load. To enable this service, use the following command:
Lab_B(config)#service nagle
It is important to understand that the Nagle congestion service can break X Window connections to an X server, so don’t use it if you’re using X Window.
Logging Every Event
Used as a syslog server, the Cisco ACS server can log events for you to verify. Use the logging trap debugging or logging trap level command and the logging ip_address command to turn this feature on:
Lab_B(config)#logging trap debugging
Lab_B(config)#logging 192.168.254.251
Lab_B(config)#exit
Lab_B#sh logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
 Console logging: level debugging, 15 messages logged
 Monitor logging: level debugging, 0 messages logged
 Buffer logging: disabled
 Trap logging: level debugging, 19 message lines logged
 Logging to 192.168.254.251, 1 message lines logged
The show logging command provides you with statistics of the logging configuration on the router.
Disabling Cisco Discovery Protocol
Cisco Discovery Protocol (CDP) does just that—it’s a Cisco proprietary protocol that discovers directly connected Cisco devices on the network. But because it’s a Data Link layer protocol, it can’t find Cisco devices on the other side of a router. Plus, by default, Cisco switches don’t forward CDP packets, so you can’t see Cisco devices attached to any other port on a switch.
When you are bringing up your network for the first time, CDP can be a really helpful protocol for verifying it. But since you’re going to be thorough and document your network, you don’t need CDP after that. And because CDP does discover Cisco routers and switches on your network, you should disable it. You do that in global configuration mode, which turns off CDP completely for your router or switch:
Lab_B(config)#no cdp run
Or, you can turn off CDP on each individual interface using the following command:
Lab_B(config-if)#no cdp enable
Disabling the Default Forwarded UDP Protocols
When you use the ip helper-address command as follows on an interface, your router will forward UDP broadcasts to the listed server or servers:
Lab_B(config)#interface f0/0
Lab_B(config-if)#ip helper-address 192.168.254.251
You would generally use the ip helper-address command when you want to forward DHCP client requests to a DHCP server. The problem is that not only does this forward port 67 (BootP server request), it forwards seven other ports by default as well.
To disable the unused ports, use the following commands: 
Lab_B(config)#no ip forward-protocol udp 69
Lab_B(config)#no ip forward-protocol udp 53
Lab_B(config)#no ip forward-protocol udp 37
Lab_B(config)#no ip forward-protocol udp 137
Lab_B(config)#no ip forward-protocol udp 138
Lab_B(config)#no ip forward-protocol udp 68
Lab_B(config)#no ip forward-protocol udp 49
Now, only the BOOTP server request (67) will be forwarded to the DHCP server. If you want to forward a certain port—say, TACACS+, for example—use the following command:
Lab_B(config)#ip forward-protocol udp 49
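As an added example (not from the appendix or from Cisco), here is a Python audit that parses a constructed running-config excerpt and reports which of the hardening commands from the sections above are still missing, globally and per interface, and which UDP ports an ip helper-address would still relay after the no ip forward-protocol lines. It assumes the config shows the explicit no forms as written in this appendix (numeric UDP ports, no ip bootp server, no ip unreachables, no ip mroute-cache) and that interface sub-commands are indented by one space as IOS prints them; SAMPLE_CONFIG is constructed.

```python
# Constructed running-config excerpt (not from the page); IOS indents sub-commands by one space.
SAMPLE_CONFIG = """\
no ip http server
no cdp run
no ip forward-protocol udp 69
no ip forward-protocol udp 53
no ip forward-protocol udp 137
!
interface FastEthernet0/0
 no ip proxy-arp
 no ip redirects
 no mop enabled
!
interface Serial0/0
 no ip redirects
 no ip unreachables
!
"""
# Global commands the appendix expects in a hardened config (explicit "no" form).
GLOBAL_REQUIRED = {"no service tcp-small-servers", "no service udp-small-servers",
                   "no service finger", "no ip bootp server", "no service config",
                   "no ip http server", "no ip source-route", "no service pad",
                   "no cdp run"}
# Commands the appendix applies to every interface.
INTERFACE_REQUIRED = {"no ip proxy-arp", "no ip redirects", "no ip unreachables",
                      "no ip mroute-cache", "no mop enabled"}
# UDP ports ip helper-address relays by default: BOOTP server (67) plus seven more.
DEFAULT_FORWARDED_UDP = {67, 69, 53, 37, 137, 138, 68, 49}


def parse_config(text):
    """Return (set of global lines, {interface name: set of sub-commands})."""
    global_lines, interfaces, current = set(), {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None                     # "!" closes an interface block
        elif line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            interfaces[current] = set()
        elif line.startswith(" ") and current is not None:
            interfaces[current].add(line.strip())
        else:
            current = None
            global_lines.add(line.strip())
    return global_lines, interfaces

def audit(text):
    """Hardening commands still missing, keyed by 'global' or interface name."""
    global_lines, interfaces = parse_config(text)
    report = {"global": sorted(GLOBAL_REQUIRED - global_lines)}
    for name, lines in interfaces.items():
        if missing := sorted(INTERFACE_REQUIRED - lines):
            report[name] = missing
    return report

def forwarded_udp_ports(text):
    """UDP ports a helper-address would still relay after the 'no' lines."""
    global_lines, _ = parse_config(text)
    removed = {int(line.rsplit(" ", 1)[1]) for line in global_lines
               if line.startswith("no ip forward-protocol udp ")}
    return DEFAULT_FORWARDED_UDP - removed
```

Running audit(SAMPLE_CONFIG) lists the seven global commands and the per-interface commands the sample still lacks, and forwarded_udp_ports(SAMPLE_CONFIG) shows that 37, 138, 68 and 49 are still relayed alongside 67.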
Cisco’s Auto Secure
Okay, so ACLs seem like a lot of work and so does turning off all those services I just discussed. But you do want to secure your router with ACLs, especially on your interface connected to the Internet. However, you are just not sure what the best approach should be, or maybe you just don’t want to miss happy hour with your buddies because you’re creating ACLs and turning off default services all night long. Either way, Cisco has a solution that is a good start, and it’s darn easy to implement. The command is called auto secure, and you just run it from privileged mode as shown:
R1#auto secure
 --- Auto-secure Configuration ---
*** Auto-secure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***
Auto-secure will modify the configuration of your device.
All configuration changes will be shown. For a detailed explanation of how the configuration changes enhance security and any possible side effects, please refer to Cisco.com for Auto-secure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for Auto-secure
Is this router connected to internet? [no]: yes
Enter the number of interfaces facing the internet [1]: [enter]
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.10.10.1 YES NVRAM up up
Serial0/0 1.1.1.1 YES NVRAM down down
FastEthernet0/1 unassigned YES NVRAM administratively down down
Serial0/1 unassigned YES NVRAM administratively down down
Enter the interface name that is facing the internet: serial0/0
Securing Management plane services...
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp
Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.
Authorized Access only
 This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
 You must have explicit permission to access this
 device. All activities performed on this device are logged. Any violations of access policy will result in disciplinary action.
Enter the security banner {Put the banner between
k and k, where k is any character}:
#
If you are not part of the www.globalnettc.com domain, disconnect now!
#
Enable secret is either not configured or is the same as enable password
Enter the new enable secret: [password not shown]
% Password too short - must be at least 6 characters. Password configuration failed
Enter the new enable secret: [password not shown]
Confirm the enable secret : [password not shown]
Enter the new enable password: [password not shown]
Confirm the enable password: [password not shown]
Configuration of local user database
Enter the username: Todd
Enter the password: [password not shown]
Confirm the password: [password not shown]
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters
Blocking Period when Login Attack detected: ?
% A decimal number between 1 and 32767.
Blocking Period when Login Attack detected: 100
Maximum Login failures with the device: 5
Maximum time period for crossing the failed login attempts: 10
Configure SSH server? [yes]: [enter to take default of yes]
Enter the domain-name: lammle.com
Configuring interface specific Auto Secure services
Disabling the following ip services on all interfaces:
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
Disabling mop on Ethernet interfaces
Securing Forwarding plane services...
Enabling CEF (This might impact the memory requirements for your platform)
Enabling unicast rpf on all interfaces connected to internet
Configure CBAC Firewall feature? [yes/no]:
Configure CBAC Firewall feature? [yes/no]: no
Tcp intercept feature is used prevent tcp syn attack
on the servers in the network. Create autosec_tcp_intercept_list
to form the list of servers to which the tcp traffic is to
be observed
Enable tcp intercept feature? [yes/no]: yes
And that’s it—all the services I mentioned earlier are disabled, plus some! By saving the configuration that the auto secure command created, you can then take a look at your running-config to see your new configuration. It’s a long one!
Although it is tempting to run out to happy hour right now, you still need to verify your security and add your internal access-list configurations to your intranet.
