Monday, March 21, 2011

Link Aggregation

Link Aggregation Introduction

Network Diagram

Figure 1-1 Network diagram for link aggregation configuration

Networking and Configuration Requirements

Switch A aggregates ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to form one link connected to Switch B and performs load sharing among these ports.

Saturday, March 19, 2011

Device Link Detection Protocol (DLDP)

DLDP Introduction

Sometimes, unidirectional links may appear in networks. On a unidirectional link, one end can receive packets from the other end but the other end cannot. Unidirectional links result in problems such as loops in an STP-enabled network.
As for fiber links, two kinds of unidirectional links exist. One occurs when fibers are cross-connected, as shown in Figure 1-1. The other occurs when one end of a fiber is not connected or one fiber of a fiber pair gets disconnected, as illustrated by the hollow arrows in Figure 1-2.
Figure 1-1 Unidirectional fiber link: cross-connected fiber

Figure 1-2 Unidirectional fiber link: fiber not connected or disconnected

Device Link Detection Protocol (DLDP) can detect the link status of a fiber cable or twisted pair. On detecting a unidirectional link, DLDP can shut down the related port automatically or prompt users to take measures as configured to avoid network problems.

Thursday, March 10, 2011

Review A Firewall Log In 15 Min Or Less – Part 2

In my last post I introduced the concept of using whitelisting to review firewall logs. I discussed how this process can both simplify and expedite the log review, by automating much of the up-front work. In this post we will look at some actual examples and start creating a firewall log parsing script.

The basics of grep

In order to show you the process of whitelisting your firewall logs, I am going to use grep. Grep is a standard Linux/UNIX tool, with free versions available for Windows (grab both the Binaries and the Dependencies). Grep is certainly not the most efficient tool for the job, but it is by far the simplest to learn. If you are a Perl, PHP, awk/sed, SQL, etc. guru, by all means stick with your tool of choice. Simply mimic the process I've defined here using your own command set.
Grep is a pattern-matching tool. It allows you to search one or more files for a specific pattern. When the pattern is found, the entire line containing it is printed. So for example the command:
grep firewall.log
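The whitelisting process described above, as an added example that is not part of the original post: a small POSIX shell script that keeps only the permitted (ACCEPT) outbound entries, removes every line matching a list of reviewed, expected patterns with grep -v -f, and collapses what is left into one line per source/destination/port so the residue can be read in minutes. The log lines, interface names, addresses and whitelist are constructed for illustration in an iptables-style field layout; adapt the regexes to your own firewall's format.

```shell
#!/bin/sh
# Added example (not part of the original post): whitelist review of permitted
# outbound firewall entries with grep. Log lines, interfaces and addresses are
# constructed for illustration (iptables-style fields).

# Constructed sample log: five ACCEPT entries and one inbound DROP.
SAMPLE_LOG='Mar 10 08:01:02 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.1.20 DST=93.184.216.34 PROTO=TCP DPT=80
Mar 10 08:01:05 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.1.20 DST=93.184.216.34 PROTO=TCP DPT=443
Mar 10 08:01:07 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.1.5 DST=10.1.1.1 PROTO=UDP DPT=53
Mar 10 08:01:09 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.1.77 DST=198.51.100.9 PROTO=TCP DPT=6667
Mar 10 08:01:11 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.8 DST=10.1.1.1 PROTO=TCP DPT=22
Mar 10 08:01:13 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.1.42 DST=192.0.2.200 PROTO=TCP DPT=443'

# Whitelist: one extended regex per line for traffic you have already reviewed
# and expect to see. Anchor on destination AND port: a bare "DPT=443$" would
# also hide an internal host talking HTTPS to a server you have never seen.
WHITELIST='SRC=10\.1\.1\.[0-9]+ DST=93\.184\.216\.34 PROTO=TCP DPT=(80|443)$
SRC=10\.1\.1\.[0-9]+ DST=10\.1\.1\.1 PROTO=UDP DPT=53$'

# review_log LOG WHITELIST: print permitted outbound lines that match no
# whitelist pattern. What is left is what you actually have to read.
review_log() {
    wl=$(mktemp)
    printf '%s\n' "$2" > "$wl"
    printf '%s\n' "$1" | grep 'ACCEPT' | grep -E -v -f "$wl" || true
    rm -f "$wl"
}

# summarize LINES: collapse leftovers to one line per SRC/DST/PROTO/DPT tuple
# with a hit count, so a chatty host shows up once instead of hundreds of times.
summarize() {
    printf '%s\n' "$1" | grep -o 'SRC=[^ ]* DST=[^ ]* PROTO=[^ ]* DPT=[^ ]*' \
        | sort | uniq -c | sort -rn
}

# Stand-alone run: show the unexplained tuples (here the IRC-port connection
# and the HTTPS session to an unknown server).
summarize "$(review_log "$SAMPLE_LOG" "$WHITELIST")"
```

Each time a leftover turns out to be legitimate, add a pattern for it to the whitelist file rather than to the script, so the list of "known good" grows with every review and the next run is shorter than the last.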

Review A Firewall Log In 15 Min Or Less – Part 1

One of the most difficult and time consuming parts of maintaining a perimeter is reviewing firewall logs. It’s not uncommon for an organization to generate 50, 100, 500 MB or more worth of firewall log entries on a daily basis. The task is so daunting in fact, that many administrators choose to ignore their logs. In this series I’ll show you how to expedite the firewall log review process so that you can complete it faster than that morning cup of coffee.

Why firewall log review is important

I once took part in a panel discussion where one of my fellow SANS instructors announced to the crowd “the perimeter is dead and just short of useless”. I remember thinking I was glad I was not one of his students. I occasionally take on new clients and find that 7/10 times I can identify at least one compromised system they did not know about. In every case it has been the client’s own firewall logs that pointed me to the infected system.
In the old days firewall log review was all about checking your inbound drop entries for port scans. Today the focus is on outbound traffic; specifically, you should be checking the permitted (accepted) entries. With the amount of malware that signature-based antivirus does not catch, it has become far too easy for an attacker to get malicious code onto a system. A properly configured perimeter will show you when a compromised system tries to call home, and that is typically your best chance to identify that a system has been compromised.

Tuesday, March 8, 2011

Multiple VPN Tunnels in Windows Environment

With Windows RRAS you can build multiple VPN tunnels that connect the main office, branch offices, home offices and remote laptops so that they behave as one private LAN. In the case below, all VPN servers and clients are assigned addresses in the 172.16.x.x range and use the 172.16.0.x subnet to route to the remote offices and computers.

Exporting VPN Client Settings

Cisco ASDM - how to export a VPN profile

Export the profile from the client machine (assuming it is a Windows machine). Create the profile and test it, then browse to:
-the Program Files folder
-Cisco Systems
-VPN Client
-Profiles

You'll see the .pcf file you need; it has the same name as the connection entry.
To import, just copy it into the same location on your target machine. Job done!
Treat the .pcf file as a secret: it carries the group pre-shared key (the enc_GroupPwd field) in a reversible obfuscation, not real encryption, so move it over a protected channel and delete any spare copies once it is imported.

Windows 7 VPN Settings/Profile Export/Import

If you do not use the Cisco client but created the connection with the wizard built into Windows, you can simply copy the phonebook file (rasphone.pbk) from %userprofile%\AppData\Roaming\Microsoft\Network\Connections\PBK into the same folder on the target machine. The phonebook holds the connection settings only, not a saved password, so the user is prompted for credentials the first time the connection is used.

For related information please refer


Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.
IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. It can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).
Some other Internet security systems in widespread use, such as Secure Sockets Layer (SSL), Transport Layer Security (TLS) and Secure Shell (SSH), operate in the upper layers of the TCP/IP model. Because IPsec works at the Internet layer, it protects any application traffic across an IP network without the applications being designed for it; TLS/SSL, on the other hand, must be built into an application to protect that application's protocol.
IPsec is a successor of the ISO standard Network Layer Security Protocol (NLSP). NLSP was based on the SP3 protocol that was published by NIST, but designed by the Secure Data Network System project of the National Security Agency (NSA).
IPsec is officially specified by the Internet Engineering Task Force (IETF) in a series of Request for Comment documents addressing various components and extensions. It specifies the spelling of the protocol name to be IPsec.
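To make the "authenticating each IP packet at the Internet layer" point concrete, here is an added example that is not part of the original page: a minimal model of ESP (RFC 4303) in tunnel mode. It uses NULL encryption (RFC 2410) so the payload stays readable, an HMAC-SHA-256 tag truncated to 128 bits as the ICV, and the receiver's sliding anti-replay window, in the order the RFC prescribes (replay check, then ICV, then window update). The key, SPI, addresses and packets are constructed test values, and nothing here touches a real IPsec stack; it is a teaching model of the packet format and checks, not a usable VPN.

```python
"""Added example, not code from the original page: a minimal model of IPsec ESP
(RFC 4303) in tunnel mode with NULL encryption (RFC 2410), HMAC-SHA-256-128
integrity and an anti-replay window. Key, SPI and packets are constructed
test values; no real IPsec stack is involved."""
import hmac
import hashlib
import struct
from ipaddress import IPv4Address

ICV_LEN = 16             # HMAC-SHA-256-128: tag truncated to 128 bits
NEXT_HEADER_IPV4 = 4     # tunnel mode: the ESP payload is a complete IPv4 packet
KEY = bytes(range(32))   # constructed integrity key (never use a fixed key for real)
SPI = 0x00001234         # constructed Security Parameters Index


def ipv4_packet(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Constructed inner packet: 20-byte IPv4 header (checksum left zero) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                      0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def esp_encapsulate(key: bytes, spi: int, seq: int, inner: bytes) -> bytes:
    """Sender side: SPI | seq | inner packet | padding | pad_len | next_hdr | ICV."""
    pad_len = (-(len(inner) + 2)) % 4            # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))        # RFC 4303 default padding 1,2,3,...
    body = struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, NEXT_HEADER_IPV4])
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


class EspReceiver:
    """Receiver side for one inbound SA: ICV check plus a sliding anti-replay window."""

    def __init__(self, key: bytes, spi: int, window: int = 64):
        self.key, self.spi, self.window = key, spi, window
        self.highest = 0         # highest sequence number accepted so far
        self.bitmap = 0          # bit i set => sequence (highest - i) already seen

    def _replay_ok(self, seq: int) -> bool:
        if seq == 0:                           # sequence 0 is never valid
            return False
        if seq > self.highest:                 # right of the window: new
            return True
        diff = self.highest - seq
        if diff >= self.window:                # left of the window: too old
            return False
        return not (self.bitmap >> diff) & 1   # inside the window: reject if seen

    def _window_update(self, seq: int) -> None:
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def decapsulate(self, packet: bytes):
        """Return the inner IPv4 packet, or None if the packet must be discarded."""
        if len(packet) < 8 + 2 + ICV_LEN:
            return None
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi:
            return None
        # RFC 4303 order: replay check, then ICV, then window update, so a forged
        # packet carrying a fresh sequence number cannot advance the window.
        if not self._replay_ok(seq):
            return None
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return None
        self._window_update(seq)
        pad_len, next_hdr = body[-2], body[-1]
        payload = body[8:-2]                   # inner packet + padding
        if next_hdr != NEXT_HEADER_IPV4 or pad_len > len(payload):
            return None
        return payload[:len(payload) - pad_len]


if __name__ == "__main__":
    inner = ipv4_packet("10.1.1.20", "172.16.0.5", b"hello")
    rx = EspReceiver(KEY, SPI)
    pkt = esp_encapsulate(KEY, SPI, 1, inner)
    print("first copy accepted:", rx.decapsulate(pkt) == inner)
    print("replayed copy accepted:", rx.decapsulate(pkt) is not None)
```

The receiver never looks at the inner packet before the ICV has been verified, which is what lets IPsec protect application traffic that has no protection of its own: anything the gateway forwards into the private network has already been authenticated and checked against the replay window.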

Monday, March 7, 2011

Site to Site VPN

Site to site VPN solutions provide security while remaining affordable: they carry the connection over a broadband Internet link and still meet the WAN requirements of many businesses.

More and more enterprises are following a distributed business model. Branch offices extend an enterprise's reach into key markets, and communication between the central office and the branch offices is vital to the applications that support the business. Security between branch offices, points of sale or remote locations and the central office is important. In the past, leased lines were a secure but costly option. Virtual private networks create VPN tunnels over the Internet for the secure transport of data, and are a cheaper alternative to a WAN built on dedicated leased lines. Many technologies compete in this market and making a choice is difficult: the options differ in both VPN hardware and VPN software.

Traditional site to site connections were between two intranets or two local area networks. These connections were leased, dedicated lines that required constant management and were difficult to deploy. Affordable site to site VPN solutions have brought secure broadband connections via the Internet. The ubiquitous Internet and VPN have brought cheer to ERP, CRM and many other business applications. As an alternative to the private WAN infrastructure, a site to site VPN does not change the private WAN requirements: it meets requirements such as support for multiple protocols, high reliability and scalability at a lower cost.

Site to site VPN solutions

The security of a general-purpose computer cannot be guaranteed nowadays. New viruses, worms and malware spread via the Internet, and many Internet users are unaware of the threats to which their systems are exposed. Large corporations cannot tolerate this, as a compromise causes a huge loss to the business. The options VPNs offer against this threat are based on software and on hardware.
Software based VPN Firewall/Gateways
These systems have inherent problems. They require a computer with a fast processor: the processing of data for security and VPN applications is very intensive and places demands on the computer which in turn slow down the network. For any business it is therefore best to dedicate a separate server to VPN traffic. The operating system must be kept free of vulnerabilities that an attacker could use to reach the data, so you must constantly apply security patches to keep the network from being compromised. The server and its associated software, their complexity and the management of the network are problematic issues for a business.
Hardware based Firewalls/VPN solution
These solutions offer strong security and also off-load the firewall and VPN processing from the server or computer. The security appliance protects the network at the Internet gateway, which is the VPN router, and provides seamless local or remote management of security and remote-access services. These security appliances use application-specific integrated circuits with powerful onboard processors that handle the demands of firewall and VPN processing.
Unified Threat Management Systems
These devices are hardware based firewall solutions that integrate a host of other functions: securing Internet tunnels, filtering e-mail for spam and viruses, blocking phishing mail and spyware, detecting and preventing attacks against specific vulnerable applications, and filtering URLs. The companies that sell these devices also sell gateway software to be run on a range of standard server hardware, and add-on cards that can be fitted into an existing machine to increase speed and provide the additional security functions.
Intranet based Site to site VPN
Any business that has more than one location can use dedicated equipment that provides encryption and authentication to establish a VPN between the sites. The branch office LAN can be connected to the central office LAN via the Internet using a VPN solution. This connection of the two LANs is called an intranet based site to site VPN.
Extranet based site to site VPN
When one or more companies with intranet based VPNs cooperate closely with another company in providing a specialized service to customers or suppliers, they can build a virtual private network that allows all of the companies to work in a shared environment over the Internet. This type of VPN is an extranet based solution to business enhancement.

Site to site VPN Products
VPN solutions from different companies are varied and cater to different parts of the market. Some solutions are software based, others are hardware based, and still others mix software and hardware. VPN solutions are provided for the platform and operating system of the machine.
  • Microsoft has brought out the ISA (Internet Security and Acceleration) server software to cater to the growing needs of enterprises using the Internet as a medium of communication. Step by step setup and configuration of the ISA server and of remote access to it is documented on the Microsoft website, and many other VPN consultants have online articles on the connection and configuration process.
  • Companies that offer specific hardware products provide the necessary support on their websites so that you can configure the software you have for optimum security and performance.
  • Cisco offers the Cisco PIX 500 series security appliances (PIX 515E, PIX 525 and PIX 535) and the Cisco ASA 5500 series security appliances (ASA 5510, ASA 5520 and ASA 5540) for VPN.
  • The Firewall/VPN appliances offered by SonicWALL use an ICSA-certified deep packet inspection firewall and IPsec for encryption. The devices offered are the PRO 5060, PRO 4100, PRO 4060, PRO 3060, PRO 2040, PRO 1260, TZ 170 SP Wireless, TZ 170 Wireless, TZ 170 SP, TZ 170, TZ 150 Wireless and TZ 150.
  • AEP Systems delivers hardware security and acceleration solutions, including SSL VPNs, high-security VPN encryptors and SSL acceleration hardware: SureWare Net, SureWare Keyper and SureWare A-Gate. Netilla Networks, Inc. is a leader in secure application access solutions and, along with AEP Systems, offers solutions for VPN. Its Netilla Security Platform (NSP) suite is for SSL VPN solutions, and the Netilla Secure Gateway Appliance (SGA) is for midsize businesses that need an SSL VPN.
  • SonicWALL site to site VPN, along with its Internet security appliances, offers traditional site-to-site connections for organizations to communicate securely among their multiple locations.
Site to site VPN solutions can adopt any of several protocols for security and authentication. PPTP, L2TP, IPsec and SSL all differ in how they are implemented. One caveat when choosing: PPTP's authentication (MS-CHAPv2) and MPPE encryption have well-known weaknesses, so where IPsec or an SSL/TLS based VPN is available it should be preferred. The choice of VPN connection for an intranet or extranet based site to site VPN should not compromise the security of the sister network.

Client to Server VPN

Client to Server VPN-RRAS

A virtual private network is a means of connecting to a private network (such as your office network) by way of a public network (such as the Internet). A VPN combines the virtues of a dial-up connection to a dial-up server with the ease and flexibility of an Internet connection. By using an Internet connection, you can travel worldwide and still, in most places, connect to your office with a local call to the nearest Internet-access phone number. If you have a high-speed Internet connection (such as cable or DSL) at your computer and at your office, you can communicate with your office at full Internet speed, which is much faster than any dial-up connection that uses an analog modem. This technology allows an enterprise to connect to its branch offices or to other companies over a public network while maintaining secure communications. The VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link.

Virtual private networks use authenticated links to make sure that only authorized users can connect to your network. To make sure data is secure as it travels over the public network, a VPN connection uses Point-to-Point Tunneling Protocol (PPTP) with Microsoft Point-to-Point Encryption, or Layer Two Tunneling Protocol (L2TP) with IPsec, to encrypt the data.

Components of a VPN

A VPN on servers running Windows Server 2003 is made up of a VPN server, a VPN client, a VPN connection (the portion of the connection in which the data is encrypted), and the tunnel (the portion of the connection in which the data is encapsulated). The tunneling is done through one of the two tunneling protocols included with Windows Server 2003, both of which are installed with Routing and Remote Access. The Routing and Remote Access service is installed automatically during the installation of Windows Server 2003; by default, however, the service is turned off.
The two tunneling protocols included with Windows are:
  • Point-to-Point Tunneling Protocol (PPTP): Provides data encryption using Microsoft Point-to-Point Encryption (MPPE).
  • Layer Two Tunneling Protocol (L2TP): Provides data encryption, authentication and integrity using IPsec.
Your connection to the Internet must be a permanent (always-on) link such as a T1, Fractional T1 or Frame Relay circuit. The WAN adapter must be configured with the IP address and subnet mask assigned to your domain or supplied by an Internet service provider (ISP), and with the ISP's router as its default gateway.

Refer:How to install and configure a Virtual Private Network server in Windows Server 2003

Client to Server VPN-Router
Broadband Routers with VPN Servers
Until recently, VPN server hardware was VERY expensive. As home networks become more sophisticated, the demand for home-level VPNs increases. At the end of 2001, the home network industry responded by adding VPN servers to some broadband routers. These products are often priced at under $300 (US) and some are as inexpensive as $170.
VPN functionality is very processor intensive and most broadband routers have rather slow processors. Broadband router based VPN servers are therefore often limited in throughput by their microprocessors; most have a maximum VPN throughput of around 0.6 Mbps (600 Kbps).

More info about VPN Routers soon!

Outside Links for more info
VPN Labs Loads of VPN Info

Peer to Peer VPN

A peer to peer network is a network that allows two or more computers to share their resources. This includes not just file sharing but the sharing of individual resources such as hard drives, CD-ROM drives and printers.

In traditional VPNs there is a designated "server" computer and "client" computers that access resources or files on the server. In a peer to peer network, the resources of every computer on the network are accessible from every other computer on it.
So a VPN peer to peer network is one that shares these resources across a public network such as the Internet. Since each peer has its own hard drive that is accessible by all the other computers, you can think of each computer as acting as both a client and a server.
VPN peer to peer networks would normally be used for sharing content such as audio, video, data or anything in digital format. The three major types of peer to peer network are:
Pure Peer to Peer:
  • Peers act as both client and server
  • There is no central server
  • There is no central router
Hybrid Peer to Peer:
  • Has a central server that keeps information on the peers and responds to requests for that information.
  • Peers are responsible for hosting the information, since the central server does not store files; for letting the central server know which files they want to share; and for serving their shareable resources to the peers that request them.
  • Route terminals are used as addresses, which are referenced by a set of indices to obtain an absolute address.
Mixed Peer to Peer:
  • Has both pure and hybrid characteristics
An important difference between a VPN peer to peer network and a regular dedicated-server VPN is that in a peer to peer network the bandwidth of all peers can be used, so the total bandwidth available grows with the number of users instead of all clients sharing the bandwidth of one server.
This means that adding more peers will not slow down data transfer for all users the way it would when there is a single server with fixed bandwidth that everyone must access. The flip side is that every peer exposes its own resources to every other peer, so authentication and access control have to be enforced on each machine rather than at one central server.
