Sunday, 21 November 2010

To summary or not to summary: EIGRP

One of the key features of EIGRP is that it auto-summarizes routes by default. It is interesting to spot the differences in the routing tables of the devices when this feature is enabled or disabled.

For this post I will use the following topology, which my teacher used as a case study in a CCNP ROUTE lab:

The configuration of the devices is as follows:

for R1:

interface Loopback0
 ip address 10.2.11.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.252
!
router eigrp 65500
 network 10.2.11.0 0.0.0.255
 network 10.10.10.0 0.0.0.3

For R2:

interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.10.10.2 255.255.255.252
!
interface FastEthernet0/1
 ip address 20.20.20.2 255.255.255.248
!
router eigrp 65500
 network 10.10.10.0 0.0.0.3
 network 20.20.20.0 0.0.0.7
 network 172.16.1.0 0.0.0.255

For R3:

interface Loopback0
 ip address 20.30.30.1 255.255.255.240
!
interface FastEthernet0/0
 ip address 20.20.20.1 255.255.255.248
 duplex auto
 speed auto
!
!
router eigrp 65500
 network 20.20.20.0 0.0.0.7
 network 20.30.30.0 0.0.0.15

When EIGRP is enabled in its default mode (auto-summary), the routing tables look like this:

Looking at R1's printout, you see R2's and R3's loopbacks with their classful masks (16 bits and 8 bits respectively). Why is that? Because R2 and R3 summarize the networks they advertise through EIGRP.
R2 summarizes 20.20.20.0/29 to R1 as 20.0.0.0/8, because the outgoing interface from R2 to R1 has an IP address that does not belong to the same classful network (10.10.10.0/30).
The same behaviour applies to R2's loopback. R1 sees this route as 172.16.0.0/16, because this network does not belong to the same classful network as 10.10.10.0/30.

In R2, you see R3's loopback as 20.30.30.0/28. Why does this route appear with its original mask? Because R3 does not summarize it: the IP address of R3's interface toward R2 (20.20.20.0/29) belongs to the same classful network as the loopback (20.30.30.0/28).

Conclusion: EIGRP auto-summarization only takes place when the network to be advertised does not belong to the same classful (major) network as the outgoing interface.

There is a tip to know when a router is summarizing: the router shows Null0 as the outgoing interface of the summary route. This is useful as a protection mechanism: when deciding where to send a packet, the router looks for a more specific route in its routing table. If no such route exists, the packet matches the summary and is discarded via the Null0 interface.
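As an added example (not from the original post), the rule in the conclusion can be written down as a small shell model: a route keeps its mask only when it shares its classful network with the outgoing interface's address, otherwise the classful summary is sent and the advertising router installs it via Null0. The topology walk at the end uses the addresses from the configs above; the function names are my own.

```shell
#!/bin/bash
# Added example: model of EIGRP auto-summary as described in the post.
# classful_net ADDRESS -> prints the classful (major) network of ADDRESS as net/len
classful_net() {
  local addr=$1 oldifs=$IFS a b c
  IFS=.; set -- $addr; IFS=$oldifs
  a=$1; b=$2; c=$3
  if   [ "$a" -lt 128 ]; then printf '%s.0.0.0/8\n' "$a"              # class A
  elif [ "$a" -lt 192 ]; then printf '%s.%s.0.0/16\n' "$a" "$b"       # class B
  elif [ "$a" -lt 224 ]; then printf '%s.%s.%s.0/24\n' "$a" "$b" "$c" # class C
  else printf 'no classful network (class D/E)\n'; return 1
  fi
}

# eigrp_advertise ROUTE/LEN OUT_IF_ADDRESS -> what auto-summary sends out that interface
eigrp_advertise() {
  local route=$1 ifaddr=$2 rclass iclass
  rclass=$(classful_net "${route%/*}") || return 1
  iclass=$(classful_net "$ifaddr") || return 1
  if [ "$rclass" = "$iclass" ]; then
    printf '%s\n' "$route"   # same major network: original mask is kept
  else
    printf '%s\n' "$rclass"  # different major network: collapsed to the classful summary
  fi
}

# summary_installed ROUTE/LEN OUT_IF_ADDRESS -> "yes" when the sender installs a Null0 summary
summary_installed() {
  if [ "$(eigrp_advertise "$1" "$2")" != "$1" ]; then echo yes; else echo no; fi
}

# Walk the post's topology (addresses taken from the configs above):
# R2 talks to R1 through 10.10.10.2, R3 talks to R2 through 20.20.20.1.
for entry in "R2->R1 20.20.20.0/29 10.10.10.2" \
             "R2->R1 172.16.1.0/24 10.10.10.2" \
             "R3->R2 20.30.30.0/28 20.20.20.1"; do
  set -- $entry
  printf '%-7s %-16s -> %-16s Null0 summary: %s\n' \
    "$1" "$2" "$(eigrp_advertise "$2" "$3")" "$(summary_installed "$2" "$3")"
done
```

Running it prints the three cases discussed above: 20.20.20.0/29 and 172.16.1.0/24 leave R2 toward R1 as 20.0.0.0/8 and 172.16.0.0/16, while 20.30.30.0/28 leaves R3 toward R2 untouched.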

Let's apply the no auto-summary command in each EIGRP process. Afterwards, the output of the show ip route command looks as follows:

You will not see routes to Null0 any more. You will see the routes with their original network masks: summarization is not performed.

Saturday, 20 November 2010

Personal notes on Frame Relay: CCNP Route

Although it is a protocol that is no longer widely used, many solutions still rely on Frame Relay, among them the ones used by bank ATMs. The links these ATMs use demand little bandwidth, which makes it a cost-efficient solution.

In the first class we saw how important it is to know the implications Frame Relay has as a protocol.

Network types: there are two types of networks:
  • point-to-point: only two network elements can be connected, one at each end. Protocols that use this include PPP and HDLC
  • multi-access: networks that allow more than two routers or network elements to be connected. Protocols that use this include Ethernet, Frame Relay, X.25 and ATM. Ethernet allows broadcasts to be sent, whereas Frame Relay does not. Frame Relay treats multicast traffic as if it were broadcast, so it is restricted as well.

There are two options for setting up Frame Relay:
  • it can be set up on the router's physical interface
  • subinterfaces can be used

For point-to-point connections it is not necessary to have a Frame Relay switch acting as an intermediary; the only thing to keep in mind is that keepalives must be removed from the serial interface with the no keepalive command.
For connections that do require a Frame Relay switch, the switch must be told how the frames are going to be switched.

Regarding the virtual circuit, there are two ways to map a DLCI to an IP address:
  • Using IARP (Inverse ARP): the DLCI is obtained dynamically from the Frame Relay switch. IARP is used to learn the IP address.
  • Static mapping: defined by the user.

As for configuration, we need:

For back-to-back links:

     no keepalive
     encapsulation frame-relay ietf
     frame-relay lmi-type ansi
     frame-relay map ip dirección_ip_otro_extremo dlci broadcast

Don't forget to configure the IP address of the interface.

Regarding the Frame Relay switch, the router must be told that it has to behave as such. This is done with the global configuration command frame-relay switching.

The syntax for the DLCI mapping on the switch is as follows:

frame-relay route dlci dlci_que_llega interface interfaz_de_salida dlci_de_salida

This small appetizer will show which parameters to configure when implementing a routing protocol over Frame Relay. Knowing how it works is fundamental; that way troubleshooting can be done more efficiently.

Wednesday, 23 June 2010

Script to do directory backups

It is usual to carry an external hard disk drive. As a portable device, it is prone to damage, and can be stolen or corrupted by a virus. It is a good idea to keep a backup of the contents of the portable HD on a laptop. I created a BASH script that helps me with this task.
The script does the following:
  • identifies the source directory (the original content)
  • identifies the destination directory (the place where you want to store the backup file)
  • stores the last 3 backup files. This means that, if a fourth backup file is created, the script erases the oldest one.
  • is executed manually, because the external hard drive is not always connected. Automatic execution may lead to errors because the origin directory is not mounted on the filesystem.
The script goes as follows:

#!/bin/bash
#date: jun 21 2010
#backup of a directory in an external hard disk into laptop hard drive

BACKUPDIR=/home/EvilCat/WDBackup
#this is the location where I want to store the backup

SOURCE2="/media/WD Passport/My Documents/"
#this is the directory i want to do the backup (quoted: the path has spaces)

BACKUPFILE=backup.$(date +%F_%R).tgz
#this is going to be the name of the backup file.
#appends to the name the date and time the file was created

THRESHOLD=3 #the number of backup files to be stored.

#the external disk is mounted by hand: refuse to run when it is not there,
#otherwise tar fails or archives an empty mount point
if [ ! -d "$SOURCE2" ]
then
    echo "source directory $SOURCE2 not found; is the external disk mounted?" >&2
    exit 1
fi
mkdir -p "$BACKUPDIR"

COUNT=$(ls "$BACKUPDIR"/backup.* 2>/dev/null | wc -l)
#counts the number of backup files that have been created.

#already holding THRESHOLD files: remove the oldest one (ls -tr sorts by
#modification time, oldest first, without parsing 'ls -l' columns)
if [ "$COUNT" -ge "$THRESHOLD" ]
then
    OLDFILE=$(ls -tr "$BACKUPDIR"/backup.* | head -n 1)
    rm -f "$OLDFILE"
fi

if ! tar -czf "$BACKUPDIR/$BACKUPFILE" "$SOURCE2"
then
    echo problems creating backup file >&2
    exit 1
fi

The script's name is backup.sh. To become executable it must have the proper permissions, which you can set by issuing chmod u+x backup.sh.
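As an added example (my own code, not the post's script), the same backup-and-rotate idea split into functions with the checks a practitioner wants before trusting a backup: refuse to run when the disk is not mounted, verify the archive lists cleanly before keeping it, and rotate by modification time instead of parsing ls -l columns. Function names and the usage paths are mine; the caller supplies source, destination and how many archives to keep.

```shell
#!/bin/bash
# Added example, not the original post's script.

# verify_backup ARCHIVE -> succeeds only if the archive can be listed; a truncated
# or half-written .tgz fails here instead of being discovered at restore time
verify_backup() {
  tar -tzf "$1" >/dev/null 2>&1
}

# backup_dir SRC DEST [NAME] -> archives SRC into DEST/NAME and prints the archive path.
# NAME defaults to backup.<date>_<time>.tgz, like the post's script.
backup_dir() {
  local src=$1 dest=$2 name=${3:-backup.$(date +%F_%H-%M-%S).tgz} archive
  # the external disk is mounted by hand, so check it is really there
  if [ ! -d "$src" ]; then
    echo "source directory '$src' not found; is the disk mounted?" >&2
    return 1
  fi
  mkdir -p "$dest" || return 1
  archive=$dest/$name
  # -C so the archive holds relative paths instead of the absolute mount point
  if ! tar -czf "$archive" -C "$src" . ; then
    rm -f "$archive"; echo "could not create $archive" >&2; return 1
  fi
  if ! verify_backup "$archive"; then
    rm -f "$archive"; echo "$archive failed verification, removed" >&2; return 1
  fi
  printf '%s\n' "$archive"
}

# rotate_backups DEST KEEP -> deletes all but the KEEP newest backup.*.tgz in DEST
# (ls -t sorts by mtime, newest first; tail skips the ones we keep)
rotate_backups() {
  local dest=$1 keep=$2
  ls -t "$dest"/backup.*.tgz 2>/dev/null | tail -n +"$((keep + 1))" |
    while IFS= read -r old; do rm -f "$old"; done
}

# count_backups DEST -> number of backup.*.tgz files currently in DEST
count_backups() {
  ls "$1"/backup.*.tgz 2>/dev/null | wc -l | tr -d ' '
}

# Usage with constructed paths (replace with your own disk and backup folder):
# backup_dir "/media/WD Passport/My Documents" "$HOME/WDBackup" &&
#   rotate_backups "$HOME/WDBackup" 3
```

Rotation runs after a successful, verified archive, so a failed run never deletes an older good backup to make room for a bad one.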

At the moment, this utility syncs only one directory. Further work will involve a GUI, a way to select several folders to be backed up, and a mechanism to detect when the hard drive is connected and start a backup wizard.

Duplicating a VM in VirtualBox

Sometimes it is very useful to back up a virtual machine, either because we do not want to go through the tedious process of installing an operating system again, or because we are going to carry out hacking tests that may corrupt it. I have a Windows XP VM that I want to clone.

From the CLI in Fedora, I locate the virtual hard disk of the VM I want to clone and run:

[evilcat@luiskr .VirtualBox]$ VBoxManage clonevdi HardDisks/WinXP.vdi HardDisks/WinXP_Real.vdi
VirtualBox Command Line Management Interface Version 2.2.4
(C) 2005-2009 Sun Microsystems, Inc.
All rights reserved.

0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%
Clone hard disk created in format 'VDI'. UUID: 3e617b00-ac56-44cb-ae45-c3271dcfc1e7
[evilcat@luiskr .VirtualBox]$

This makes VirtualBox duplicate the hard disk and assign it a new UUID (the hard disk identifier), so it can now be imported into another virtual machine.
It is then necessary to run the new virtual machine wizard and tell it to use the freshly cloned hard disk.

Tuesday, 8 June 2010

CompTIA Security+ Video Mentor: A Review

As a Security+ certified person, it is really good to take a look at this new release from Pearson.
When you look at the table of contents, you will see that the booklet covers all the knowledge a person should have in order to take the certification exam. Contents include:

Lesson 1, about asymmetric algorithms, shows the basic concepts and protocols in clear language. Labs make use of GNU software such as Linux and BackTrack. Windows will also be necessary: it is important to get to know several OSes because security involves multivendor environments.

Lesson 2 covers steganography; I think it is a good briefing on this subject. Anyway, I would suggest further reading to the hungry minds that would like a deeper understanding of it. Nonetheless, the material presented is clear and deep enough for exam purposes. I must confess the steganography lab is very fun.

Lesson 3 is about sniffers and protocol analysers. I believe, from my experience, that this is a very important skill to develop if you work in a security-related business. This lesson shows the most popular programs and their usage.

Lesson 4 teaches PKI and certificates. This section is very illustrative, because in the lab activity you can practice the concepts, create your own CA and perform several operations with it.

Lesson 5 covers TCP/IP. It briefly explains the OSI and TCP/IP models, how encapsulation works, the three-way handshake, ports and IPv6. The language used is very clear and understandable. Lab activities are great and let the reader gain a deeper understanding of the concepts presented in the PDF.

Lesson 6 is about passwords: types, policies and management, attacks, and the mistakes we make with them. It is an interesting read because you deal with passwords every day; you will notice that the password you use for your e-mail account is not the safest and does not comply with the basic requirements a password should meet. Lab activities help a lot with this.

In summary, I would like to recommend this product. I think it would be very helpful if you wish to learn and pass the certification exam. I liked it very much because it shows the concepts, and the labs are comprehensive and help you increase your knowledge.

If you want to buy this product, you can follow this link to Amazon:

Thursday, 3 June 2010

Setting up a personal SOHO firewall

I want to create a firewall for my laptop. As you may recall from the previous post, I have a Dell Inspiron 11z running Fedora 12 64-bit. I will use iptables for this purpose.
A firewall must be configured according to the needs of the home or company. In my case, my network habits involve the following:

  • Torrent downloading
  • Chat (MSN and GTalk)
  • Host a SSH server
  • Host SMB server
  • Access to SSH in other machines
As a network security guy, I have concerns about the health and intrusiveness of my equipment, so I like to include some items to guarantee that it is safe:

  • Must not send echo replies, but must be able to ping other hosts
  • Must not send port-unreachable and host-unreachable messages, so services are hidden.
Remember that functionality is important, so the rules should not be so tight that it becomes difficult to use the equipment and its services.

The configuration script goes as follows:

#!/bin/bash

#purpose: soho firewall

#pending june 3: do not send messages to dmesg

#pending june 4: execute at boot


IPTABLES="/sbin/iptables"

# Flush all rules
$IPTABLES -F

# Set default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# Loopback: local services (X, DNS cache, VNC tunnels) talk over lo and would otherwise hit the DROP policy
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Incoming external traffic##
## Replies to connections this host started, for every protocol (this covers DNS answers and ping replies).
## Matching "-p udp --sport domain" instead would let any host in by sourcing its packets from port 53.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT ## Accept SSH
$IPTABLES -A INPUT -p tcp --dport 5901 -j ACCEPT ## Accept VNC
$IPTABLES -A INPUT -p tcp --dport 6881 -j ACCEPT ## Accept bittorrent
$IPTABLES -A INPUT -j LOG --log-prefix="BAD INPUT: " --log-level 4 ## Log all dropped incoming traffic

# Outgoing external traffic
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT ## Accept ICMP request (echo replies are never sent: nothing accepts them)
$IPTABLES -A OUTPUT -p icmp --icmp-type host-unreachable -j DROP ## Block ICMP host unreachable (before the LOG rule, so it does not fill the log)
$IPTABLES -A OUTPUT -p icmp --icmp-type port-unreachable -j DROP ## Block ICMP port unreachable
$IPTABLES -A OUTPUT -p udp --dport domain -j ACCEPT ## Accept DNS queries
$IPTABLES -A OUTPUT -p tcp --sport 6881:6999 -j ACCEPT ## Allow bittorrent traffic to internet
$IPTABLES -A OUTPUT -p tcp -j ACCEPT ## accept all outgoing TCP traffic
$IPTABLES -A OUTPUT -j LOG --log-prefix="BAD_OUTPUT: " --log-level 4 ## log all dropped outgoing traffic


# internal traffic rules
## Accept all internal input traffic
#$IPTABLES -A INPUT -j ACCEPT
## Accept all internal output traffic
#$IPTABLES -A OUTPUT -j ACCEPT

# forwarding packets rules
## NOTE: this overrides the FORWARD DROP policy set above; to be replaced by explicit rules for the VMs
$IPTABLES -P FORWARD ACCEPT


As you may notice, this script is under development. Among the pending tasks, I must find a way to execute the script at boot time and stop syslog messages from going to dmesg, sending them only to iptables.log, a file
I created in the rsyslog.conf file:

kern.warning /var/log/iptables.log

Also, I must define an internal forwarding policy to allow virtual machines to access services, and tighter outgoing traffic policies.
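Before testing with a scanner, a few of the weaknesses of a ruleset like the one above can be caught by reading the rules themselves. The following is an added example (my own code, not part of the original post): a small audit over rules in iptables-save format that flags INPUT accepts keyed only on the remote source port (any host can choose to send from port 53), a DROP policy on INPUT with nothing accepting loopback, and a chain whose policy is set twice. The two sample rulesets are constructed for this example; the "weak" one paraphrases the post's script and the "hardened" one shows the corrected rules.

```shell
#!/bin/bash
# Added example, not the post's firewall script.

# audit_ruleset: reads iptables-save style rules on stdin, prints one "WARN ..." line per finding
audit_ruleset() {
  local rules chain
  rules=$(cat)
  # 1. INPUT accepts keyed only on the remote source port, with no connection state:
  #    a remote host picks its own source port, so "--sport 53" is not a DNS reply check.
  printf '%s\n' "$rules" | grep -- '^-A INPUT' | grep -- '-j ACCEPT' \
    | grep -e '--sport' -e '--source-port' | grep -v -e '--state' -e '--ctstate' \
    | sed 's/^/WARN accept keyed only on source port (spoofable): /'
  # 2. default DROP on INPUT with nothing accepting loopback: local daemons break
  if printf '%s\n' "$rules" | grep -q -- '^-P INPUT DROP' &&
     ! printf '%s\n' "$rules" | grep -q -- '^-A INPUT -i lo .*-j ACCEPT'; then
    echo "WARN INPUT policy is DROP but no rule accepts traffic on lo"
  fi
  # 3. a chain policy set more than once: the last -P silently wins
  for chain in INPUT OUTPUT FORWARD; do
    if [ "$(printf '%s\n' "$rules" | grep -c -- "^-P $chain " || true)" -gt 1 ]; then
      echo "WARN policy for $chain is set more than once; the last one wins"
    fi
  done
}

# Constructed ruleset mirroring the post's script (abridged)
weak_ruleset() {
  cat <<'EOF'
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -p udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "BAD INPUT: " --log-level 4
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -j ACCEPT
-P FORWARD ACCEPT
EOF
}

# Constructed ruleset with the three findings corrected
hardened_ruleset() {
  cat <<'EOF'
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "BAD INPUT: " --log-level 4
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -j ACCEPT
EOF
}

echo "== weak =="
weak_ruleset | audit_ruleset
echo "== hardened =="
hardened_ruleset | audit_ruleset   # prints nothing: no findings
```

On a live box, `iptables-save | audit_ruleset` runs the same checks against the rules actually loaded rather than against the script that was meant to load them.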

Testing the firewall is the next step. I used Backtrack to do so. First of all, I have to execute the script on my machine:

Then I go to the VM with BackTrack 4 installed so I can test.


You may notice that the exposed services are only the necessary ones.

Impressions? Suggestions? What do you think about it? Your feedback is appreciated.

Wednesday, 17 February 2010

INSPIRON 11z karma

This post is about my new laptop, a Dell Inspiron 11z, a small and powerful device. As soon as I received it, I wanted to turn it into a dual-boot system: Windows 7 64-bit and Fedora 12 64-bit.
I am not going to discuss how I messed up the system and how it became useless... I have dignity. But I am going to describe how I managed to restore everything and all the googling I did to resolve the issue.

1. Messing with the partition table.
I planned to partition the 320 GiB hard drive this way:
  • 80 GiB NTFS for Windows
  • the rest of the space for Fedora
You can use several programs for this purpose. In my case, I had a bootable USB with a Live image of Fedora 12. How did I create this Live image to run from the USB? I used a program called Live USB Creator. You can get it from here. The process is self-explanatory.

As soon as I booted the laptop with the Fedora Live image, I installed a disk utility called GParted. I deleted all partitions except the NTFS one and left the rest as unallocated space.

2. Installing Windows
An important note for this step is that Dell provides an install DVD for Windows. But... the Inspiron 11z does not have a DVD drive. I bought an external DVD drive connected by USB, but I found that the BIOS does not recognize the device as an external USB drive or as external storage media. WTF!
The only solution in mind was to create a bootable USB stick with the install image on it. After several programs that failed, I found the one that worked. It is called WinToFlash.
The link provided has the download link and also explains the procedure. Of course, you have to have the install media for Windows and a 4 GiB USB stick.

My laptop could then start the Windows installation media on the USB stick, and Windows was installed on the intended partition.

3. Installing Fedora.
The rest of the story is very straightforward, because there are a lot of tutorials that explain how to set up a dual-boot system. The how-to I followed is located at this link.