Domain: cisco.com
Stories and comments across the archive that link to cisco.com.
Comments · 1,300
-
OT: E-Rate
While I don't know the particulars of how it started, one of the organizations I support at work is a vocational high school that has a bunch of equipment from E-Rate. They've got ~20 PCs total in 2 labs in different buildings, 2 Cisco Catalyst 2924 switches, one in each lab connected by gig fiber, and a Cisco 3640 handling a T1 back to our main office. So if that's where the "Universal Service" fee is going, I'm OK with it. Of course, they've also got a Cisco 4600 series CDM, and a pair of 500 series CEs. They seem to think those are VCRs, but they've never actually used them. So that's like $35,000 worth of E-Rate money going to waste. (Although they do actually have some use for the equipment, they just don't know how to use it, I'm working on it...)
-
Re:Other ways they won't know
We also have problems with students going into labs and unjacking the patch cable from a desktop and plugging it into their own laptop. Again, no authenticated access. We tried port security but they either have fun by going around a room jacking in and disabling an entire room during an evening with no network techs around, or duplicating the mac address and doing it anyway. I guess what is left is somehow securing it into the back of a desktop but some determined soul with a crimp tool and 5 minutes could just cut it and make a new end.
If this is truly a problem you want to solve, get yourself a VPN concentrator (Cisco, among other companies makes them) and put your entire lab network on private IPs with no access to anything other than the concentrator. Install the VPN software on your workstations (and even give it to your students to use on their laptops) and you've got an authenticated user associated with each connection to the internet. You can even go one step further and get some wifi bridges and you're into the 21st century with secure, authenticated WiFi access around campus.
Some caveats: the Cisco VPN software is Windows/Linux/OS X only. If you've got a large BSD/MacOS population on campus (or any BSD/Solaris/etc. workstations), you'll need to use the PPTP concentrator module for those users.
-
Re:Disturbing...
And what choice do they have? It's either take the job or be unemployed and have no money, food, etc., and hope that your family can support you. (Welfare? Doesn't exist, of course.)
What choice do they have? Let's see, they could work for Sun, Cisco, Microsoft, Motorola, Yahoo, Adobe, Hughes, EDS or Oracle, to name a few employers in India.
What makes you think that IBM are even looking for the best talent?
Whatever level of talent they require, they can't get away with paying a 'sweatshop wage' if they want to retain their people. They might be able to find inexperienced or untalented people to work for them at relatively low wages for maybe 6 months at a time, but once these employees get some experience at IBM under their belt, they will be able to command a much better price and will leave in short order.
How much bargaining power in the job market do you think these Indian workers have?
You seem to be woefully misinformed about the Indian job market. The number one concern of employers is how to retain their employees for more than 6 months due to aggressive recruiting techniques and incentives from competitors. Check out Monster India, Naukri or Career India for a clue, or just look at the results for this Google search.
Krishna
-
IOS 12.3 is out
And it supports IPv6. Too bad it's much more bloated than 12.2(x)T.
-
Re:Great...
Actually all IOS trains were rebuilt, there is a fixed image for even old and crufty 11x code.
No memory needed, download and reboot.
Read the advisory, if you can understand "show ver", you can find the right image to upgrade to.
http://cco.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
-
Re:Contact your network company
No, fast switching is alive and well:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800ca6c8.html
http://www.networkcomputing.com/902/902sp2.html
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/switch_c/xcprt1/xcdipsp.htm
http://www.faqs.org/faqs/cisco-networking-faq/section-20.html
-
Re:Tell me why
What were you saying ? (works if you have a CCO login)
-
Protocol Independent Multicast?
If I'm reading this page correctly, the protocol type of the packet that causes the problem appears to be the PIM protocol:
grep 103 /etc/protocols
pim 103 PIM # Protocol Independent Multicast
-
More details
From the Cisco security announcement:
A rare, specially crafted sequence of IPv4 packets with protocol type 53 (SWIPE), 55 (IP Mobility), 77 (Sun ND), or 103 (Protocol Independent Multicast - PIM) which is handled by the processor on a Cisco IOS device may force the device to incorrectly flag the input queue on an interface as full, which will cause the router to stop processing inbound traffic on that interface.
-- Jack
-
Re:7200 Series Only!
I agree that this is weird. From the "Affected Products" section of the advisory:
This issue affects all Cisco devices running Cisco IOS software and configured to process Internet Protocol version 4 (IPv4) packets. Cisco devices which do not run Cisco IOS software are not affected. Devices which run only Internet Protocol version 6 (IPv6) are not affected.
And from the "details" section:
The following two Cisco vulnerabilities are documented in DDTS. CSCea02355 (registered customers only) affects all Cisco routers running Cisco IOS software. CSCdz71127 (registered customers only) was introduced by an earlier code revision. Any version of software which has the fix for CSCdx02283 (registered customers only) is vulnerable.
The title and the body don't seem to agree. Maybe they meant that all 7200's running IOS are affected, but it certainly doesn't read that way. I'm going to be pessimistic and assume the advisory has a misleading title.
-
Re:TCP port 659..
Nope....
his link is just badly formatted...a /. issue I assume (as it is happening to me too!)
The link is still there...
link - http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t5/dtssm5t.htm#1021424
-
ACLs on the GSR (was Re:duh)
I'd encourage you to read up on rACLs.
Of course, if you actually administered a GSR, instead of speculating, you probably already knew this.
-
Re:Yikes...
No, the advisory states that non-contract customers can send an email to tac@cisco.com and get access to a "free upgrade".
-
Re:Delivered how?
Actually, the bulk of Cisco PoE gear does not use "unused pairs." They use the same pairs that data is using: 1,3 2,6:
Inline Power Detect
-
Re:Cisco...
Just my Cisco-not-sponsored comment: they do not purchase anyone that might be competition (otherwise Alcatel or Juniper might have been bought, for example), but they purchase when they want to expand into one domain: it costs them less to buy some company than to build up the entire knowledge.
And, contrary to some convicted monopolies, they are openly listing all their acquisitions on a web page.
-
Re:802.1x Has Been Cracked
Actually it hasn't been cracked in reality, only theoretically. Vendors such as Cisco have agreed and have not only provided responses to the claims, but also have 'fixes' (although somewhat proprietary in the Cisco case) - see this article
-
Cisco Network Designer
If you want to make a design, why head to Cisco ConfigMaker instead of Cisco Network Designer?
-
Re:Some useful tools.
Yes... because a hardcore network engineer can visualize hundreds of routers/switches, all their various routing protocols and associated foibles, all the redundancies etc
...
That's asinine. Have you ever worked on a network with THOUSANDS of devices before? He didn't say 'Small Business', he said 'enterprise'.
Stupid arrogant people assuming the people who need diagrams aren't good enough. Glad you can sit and boost your ego that way, but when that stops working for you, join the real world.
To keep this slightly on topic, try using CiscoWorks ... it's good for planning, config backup, management, etc.
-
Other VOIP solutions
Also go check out the Cisco CallManager, and the 3Com NBX.
I've worked with the Cisco system, and I know that it has call detail capability. It does run Windows 2000. However, it was pretty reliable. I've talked to others running the NBX, and they swear by it.
That all being said, don't rule out the standard telephony players. Although their systems aren't VOIP based, many of them have hooks for VOIP and network management. Many are still hurting after the telecom boom went bust, so you could probably get a decent deal.
-
Cisco IPTV?
Does this do the same thing as Cisco's IPTV product?
-
Brilliant idea
I've heard the Cisco Aironet 1400 tastes quite good with a little Tabasco...
-
This is not "Transparent Web Caching"
The generally accepted term for this type of technology is "Content Distribution Networking" or "Content Delivery Networking". Akamai, Speedera, Digital Island etc. are Content Distribution companies which will (according to the necessary commercial agreements), take a customer's content and distribute it around their overlay CDNs. Generally speaking, these CDNs overlay the traditional Internet using co-located space in customer or exchange point datacentres. There are, however, some CDN organisations who take the approach of building their own infrastructure.
"Transparent Web Caching" on the other hand is generally a term applied to the transparent redirection of TCP port 80 IP traffic on access equipment through a set of HTTP proxy devices. This technique is used by many ISPs to force users to use their Webcaches even if the user thinks they are being clever by disabling the pre-defined HTTP Proxy settings in their Web browser.
Until recently, you could build your own CDN ($$$) using software from people such as Inktomi, but can still use devices from other manufacturers such as Network Appliance or Cisco Systems.
-
Re:You don't get it.
A P90 is not going to be able to handle the kind of traffic that this will.
He is right. PC routers are for small-purpose routing for which, generally, you don't need the additional software capabilities that the Cisco OS provides. The kind of speed that these things run across the backplane is staggering. Your P90 would be melted faster than the quickest slashdotting trying to deal with 320Gbps.
-
Cisco PR
-
Re:Cisco IOS ?
In the release notes for the software on the NM-CE card they say:
GNU General Public License Modules Cisco Cache software, Release 3.0.2 incorporates software licensed under the GNU General Public License. If you would like the source code for any of the modified GPL code in Cisco Cache software, Release 3.0.2, send a request to ce-sw-req@cisco.com
I sent them a mail some time ago asking for the source of GPL programs, but still haven't received an answer. The card is rather interesting; one day I'll try to modify the OS to something that can be used for other stuff as well.
-
Re:Solution
Hmm, what about coverage though? Regulations in the EU are a lot stricter (max 100mW EIRP for example; the 'A' zone - America etc. - can do 4W EIRP, so you can legally stick a 13dB antenna on a 100mW access point. In the EU, you can't). There's also issues with deliberately broadcasting outside. I want to push wireless 6 miles from town to my (future) home, but as
1) That's in Greece. I speak 27 words of Greek, and I don't want to try and explain the technicalities of it if the Greek radio agency come round
2) I'm only 40 degrees off some massive radar military dishes. I don't want to explain the technicalities of it if the Greek radio agency come round in a tank with machine guns
(Maximum legal power / gain)
Any links that are more specific on the legalities across Europe (which I would assume are the same) would be appreciated.
-
Top 10 Tolkein Wrong Names
"Repeat after me: T O L K I E N, not Tolkein
S I L M A R I L L I O N, not Silmarillian"
10. Who's that guy Fordo Prefect?
9. Tolkien got Golem from Yiddish myth, right?
8. Stan Lee should sue: Tolkein got "Sauron" from the X-Men Savage Land comics.
7. Captain Kirk battled Aragorn on Star Trek.
5. What's that bad wizard and the guy with the eye? I never get the two straight: Sarmon and Souron? Souromon and Sauromon? Whatever.
4. If you call me with a technical support question about your Tolkien Ring network, I WILL hang up on you.
3. Brie: cheese or town?
2. Fangorn is that horror movie magazine!
1. "Teleporno". Well, this one is correct: it is a real name in the Tolkien works. This is the one that should be wrong!
-
Re:This will be nice
Pentium II and III are mentioned here.
Bill
-
Re:The equivalent Cisco technology, NBAR
Maybe this is a better example. Cisco vs Code Red.
-
The equivalent Cisco technology, NBAR
The Cisco equivalent of this is called Network-Based Application Recognition (NBAR). Rather than use regular expressions, Cisco ship PDLMs (Packet Description Language Modules) that can be loaded and unloaded whilst IOS is running, much like you'd get by combining Netfilter's ip_conntrack_helper modules with the ideas these guys have.
(I still think they should be doing this inside Netfilter rather than qdisc)
NBAR can also be - and is - used to filter network worms at ISP borders, by matching the specially-crafted URLs used to compromise vulnerable systems. For example, here's the Cisco config to catch the Nimda worm.
-
Re:Its a very very simple equation
I understand where you're coming from, but EAP/TLS clients were written by people who also understand this (at least the ones I've played with). Thus, when validation of the server certificate fails, you don't get an option that says "proceed anyway". On Win XP, you get something that looks like this. No option to accept.
That's not to say that you can't turn validation off. You can, but it requires that the user go into some in-depth options on their NIC configuration. I, the evil uber-hacker, could attempt to persuade my victim to walk through these steps or, better yet, download and install a key from my evil-CA which I would then use on the evil-rogue-AP to spoof a session.
Shoot, at that point it's just as easy to persuade said user to download and install a trojan, which works equally well on both wired and wireless networks, rendering the security differences moot. And, as a bonus, the wired network doesn't even require that I construct and install an evil-spoofing-AP!
All the same, if you have a link to the demo you mentioned, please post it. I'd be interested, for sure.
-
Re:Its a very very simple equation
Ok, let's take EAP/TLS.
EAP/TLS requires that you have PKI in place. To deploy it, you have to set up a CA. Presumably anyone worth their beans will have used a secure connection to distribute the root certificate and client keys to the wireless users.
The authentication process verifies that both the client and the server are who they claim to be using certificates. If someone tries to forge packets, say with a rogue AP, they won't know the authenticator's secret key and thus the client will reject the connection.
How does your exploit pretend to be the real AP and authenticator if it doesn't know the correct secret key, or can't fake the CA chain? Welcome to the world of asymmetric cryptosystems!
If you're not familiar with EAP/TLS, a quick google comes up with a whitepaper from Cisco. It covers the concepts of PKI, CA, etc.
If you can defeat 1024 bit PKI, then I think there are much more profitable things to hack aside from WLAN!
-
Re:New error messages
That's not just funny, it's in the SIP [a common VoIP protocol] spec!:
RFC 3261 Section 21.4.5 clearly states:
21.4.5 404 Not Found
The server has definitive information that the user does not exist at the domain specified in the Request-URI. This status is also returned if the domain in the Request-URI does not match any of the domains handled by the recipient of the request.
I see them every day at work if I misdial from my Cisco 7960.
Made me laugh the first time; now it just makes me cry. :-)
-
Re:Having read a little deeper
"Any ideas on what OS is used to control this?"
-
Re:When working with Cisco ....
to make this post interesting
:
this page describes differences and common points between PIX and firewall
Please moderate this post as karma whoring.
-
Mindset, Language, and Procedure
IMHO any information security professional needs to develop a professional paranoia, being thoughtful of potential risks and failures, and understand what might go wrong.
Reading Bruce Schneier's Secrets and Lies is a really good start in this area. It is a not very technical book, written at the level suitable for an IT manager. This is also useful to help explains risks, vulnerabilities, and failures to IT Management.
The ever-so-ugly-covered Hacking Exposed explains the basics of what criminals (or attackers) commonly do to gain unauthorized access to (networked) computer systems. This is so you a) know how easy it is, and b) are familiar with an overview of the basic steps and techniques used to gain illicit access.
For online resources, RISKS digest (not focused on malicious activities, but on how systems fail - very insightful and low volume), and Bugtraq, a full-disclosure mailing list, will show you recent exploits and vuln notices, but it is fairly lacking in actual educational content; there are several other mailing lists at SecurityFocus that could also be useful for developing professional paranoia.
Next you need the language and basics of information/computer security. For this, textbooks like Computer Security by Dieter Gollmann, Information Security Management Handbook by Tipton and Krause, Practical Unix & Internet Security by Simson Garfinkel, Gene Spafford, Alan Schwartz, and Security in Computing by Pfleeger and Pfleeger.
For procedures look at CISSP study material, BS 7799 / ISO 17799, and security auditing and incident handling materials. Some knowledge of risk management can also be useful.
From these basics of the right mindset, the common language of infosec, and procedures and policy, you can get into the low-level details of firewalls, VPNs, IDS, and network design. For this you should have good network/internetworking basics, a very detailed understanding of TCP/IP, and understand firewalls, VPNs, and IPsec.
Firewalls and Internet Security: Repelling the Wily Hacker, 2nd ed. by William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin is a great place to start, and Building Internet Firewalls by Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman is a great follow-up. An alternative book on firewalls and VPNs is Inside Network Perimeter Security: The Definitive Guide to Firewalls, VPNs, Routers, and Intrusion Detection Systems by Stephen Northcutt, Karen Frederick, Scott Winters, Lenny Zeltser, Ronald W. Ritchey (crowd from SANS).
For networking basics, a Cisco certification like CCNA could be useful in providing knowledge about internetworking and Cisco routers' IOS. For the gory details of TCP/IP, either TCP/IP Illustrated: Volume 1: The Protocols by Richard Stevens or Internetworking With TCP/IP Volume 1: Principles, Protocols, and Architecture, 4th edition by Douglas Comer.
For IDS - Network Intrusion Detection: An Analyst's Handbook by Stephen Northcutt and Intrusion Signatures and Analysis by Matt Fearnow, Stephen Northcutt, Karen Frederick, Mark Cooper are the best IMHO.
I am not sure what to recommend for VPNs, other than you need to know about IPsec.
-
Cisco's offering several classes
at their Networkers conferences in Orlando and L.A., including one entitled 'How to Think Like a Security Administrator When It's Not Your Full-Time Job'.
More details here.
-
Re:Doesn't explain it all!
I'm using an older Cisco Aironet 340 base station and PCMCIA card at home. At work we have the 350 base stations and a mix of 340 & 350 cards. We also have some IBM notebooks with "built-in" mini-PCI Aironet cards.
All work for me from my notebook (IBM T30). I'm running RedHat 7.3 and the Cisco Linux drivers.
However, I have heard that installing the latest Windows driver will "upgrade" the card firmware in such a way that it won't work with the Linux driver anymore. Some folks have had to downgrade. Perhaps this has been fixed by now?
Annoyingly, it seems the Win driver will re-update the card whenever it is booted. This is only a problem for those with dual-boot notebooks.
I ordered mine directly from their web site cisco.com.
-
Pricing, Details
This would appear to be a good approach. From Cisco's website:
LRE also overcomes the distance limitations of traditional Ethernet (100 meters) by providing Ethernet-performance at up to 15 Mbps and distances up to 5,000 feet (1,524 meters).
It works over Cat 1/2/3 wiring, alongside voice systems.
Pricing:
Catalyst 2950 12-port LRE Switch: $3500
575 LRE "Customer Premise Equipment", i.e. your "LRE modem" costs: $180
Prices
Details
Thoughts?
-
Long-reach ethernet
Cisco has a system for using Ethernet over regular phone wire up to 5k feet with 5-15 Mbps performance
-
Using IPv6 today
A large number of providers offer IPv6 support today. NTT/Verio has been offering this as a Commercial Service for quite some time, as well as through the domestic provider OCN and the OCN DSL services. As the 6bone tunneled networks go away, there is ongoing native support being added to networks. IETF and other conferences have been supporting providers that offer native IPv6 services. Aside from the always behind the ball DSL/Cable providers in the edge provider space of multicast, IPv6, etc.. you can contact any of the Tier-1 networks to obtain IPv6 services. Likely for free and not out of the 3FFE space. Build IPv6 into your kernels, ask your service providers for IPv6 and encourage them to provide these to you for little/no additional cost. Juniper and Cisco routers currently offer IPv6 in their current software releases. Now that Cisco has acquired Linksys, hopefully they will assist in providing support for these services in the edge-router space.
-
How about cable?
Have you thought about providing television and internet over coaxial cable? Cisco makes some nice cable gear here. As far as content, you can set up some c-band satellite dishes and distribute content via the same wire and get multiple revenues over one network....and it's capable of faster speeds than non-shielded/twisted copper.
-ted
-
Long reach ethernet (no pulling cable!)
Mine are very simple suggestions, and probably not exactly what you need, but I need to address some of the ideas being bandied about:
On the physical aspects
1. NO TO PULLING ETHERNET!
2. Cisco Long Reach Ethernet switches allow ethernet signaling over phone wire. Can supply 15Mbps over up to 1500 meters.
3. You can do DSL too
On the logical aspects
1. Only run a transparent proxy, and run it on OpenBSD
2. Do not worry about viruses.
3. Use a firewall. (You can make your own cisco PIX!) I can't find my links right now, but reply to this if you're interested and I'll find them and give them out.
4. Only supply a connection, the only services you should try to supply are what saves bandwidth like a transparent proxy.
5. How much do you want to spend on public IPv4? Would your tenants like rfc1918 privates?
OK, did that help at all?
-
re: CheckPoint
I use CheckPoint (and am a certified CCSA).
Licensing and pricing suck, but it sure is nice to quickly push a firewall policy to several endpoints at once. Failover solutions are hella easy also.
(Although typing in "failover" on PIX is hella nice)
-
Cisco phones do speak SIP
Cisco make SIP software available for their IP-phones. So you can choose between Cisco proprietary and SIP. See this link
-
this is an improvement, because...
We have some capabilities in some of our equipment that will allow you to take all the traffic that goes across an interface and send it to another interface. Right now that is used in some cases as a lawful interception technology.
When we first started talking, some engineers said, "Let's turn this on and use that." I said, "Heavens no, if we can narrow the range of information, let's do it."
Cisco Port SPAN. This is what he is referring to. They can currently trap all the packets. This new technology will allow them to select a smaller subset of packets to capture...
This is still scary stuff, and will lead to other new encrypted VOIP stuff that is not built around Cisco hardware, but sending packets themselves, encrypted...