Saturday 24 November 2012
Resetting secure channel between DCs
This summary is not available. Please
click here to view the post.
Friday 23 November 2012
Windows 2008 RADIUS Server for Cisco Router
Introduction
RADIUS (Remote Authentication Dial-In User
Service) is a security protocol which is used for centralized network
access control for computers to connect and use network devices and
services. RADIUS uses a client/server system where the RADIUS client
will run on the networking devices (in our case it is Cisco router)
and send the authentication request to the central RADIUS server (in
our case it is NPS) that contain all the user authentication and
network service access information. Refer Figure1 to see how the
RADIUS works. AAA (Authentication, Authorization, and Accounting)
is a network security service where you can set up access control on
your router or access servers. AAA uses protocols such as RADIUS ,
TACACS+, or Kerberos to administer its security functions.
Microsoft NPS (Network Policy
Server) is a feature in Windows Server 2008 that centrally manage and
enforce the network access policies that determine whether the user
can or cannot access the network. The NPS is using the RADIUS
protocol to communicate with the servers and network devices for
authentication. This service is mainly used for the Remote user who
connect with VPN or wireless access points to access the network
resources. Using an NPS server you can create network policies
centrally and can be used in all the networking devices in your
network.
Figure 1:
This guide will show you the quick steps to configure a
Microsoft NPS server for RADIUS authentication for Cisco router
logins. Below are the tasks we are going to accomplish.
1.
Configure Microsoft NPS server as RADIUS Server
2.
Configure Cisco for RADIUS authentication.
Prerequisites
1. Windows Server 2008R2
2. Active Directory Domain Services
3. NPS Server must be a member of a domain
Configure Microsoft NPS server as RADIUS Server
1. Go to Server Manger > Roles > Add
Roles and select 'Network Policy and Access Services' click
Next
2. Read the description and click Next
3. Select Network Policy Server and click Next
4. Confirm the Installation by clicking Finish
5. Now go to Start > Administrative Tools >
Network Policy Server.
Now click Action and click Register Server
in Active Directory to register the NPS in Active Directory.
6. Confirm that you want to authorize this computer (NPS) to read users' dial-in properties of the domain by clicking OK
7. Now you will see the confirmation screen and click OK
8. Now on the left panel under the RADIUS Clients and
Servers right click RADIUS Clients and click New RADIUS
Client.
9. Now specify the policy name and connection type.
Here I am mentioning the policy name as 'Cisco Router Access'
and Type of network access server is 'Unspecified'.
10. On the Specify Conditions page add a Windows
group and specify a group from Active Directory.
Here I am adding Network Support group from the
Active Directory.
11. On the Specify Access Permission page, select Access granted only and click Next.
12. Now select Unencrypted authentication [PAP, SPAP]
on the Configure Authentication Methods.
13. On the Configure settings page in Standard Section add Service-Type parameter with the value NAS Prompt.
14. On the Configure settings
page in Vendor Specific section
add Cisco-AV-Pair parameter
with value: shell:priv-lvl=15
. This particular example causes a user logging in from a network
access server to have immediate access to EXEC commands.
15. On the Completing New Network Policy page
review the settings and click Finish
Below you can see the screen-shot of the network policy
that we have created.
2.
Configuring Cisco Router for RADIUS authentication
The below configuration will enable the RADIUS
Authentication on your Cisco Router.
Enable AAA on the router by using the below command in
global configuration mode.
Cisco(config)#aaa
new-model
Cisco(config)#aaa group server radius NPS
Cisco(config-sg-radius)#server
172.17.0.52 auth-port 1812 acct-port 1813
Where 172.17.0.52 is the IP address of the RADIUS Server.
Cisco(config)#aaa authentication login ciscoauth local group NPS
Cisco(config)#aaa
authorization exec ciscoauth local group NPS if-authenticated
Cisco(config)#aaa
authorization network ciscoauth local group NPS
Cisco(config)#aaa
accounting exec default start-stop group NPS
Cisco(config)#aaa
accounting system default start-stop group NPS
Cisco(config)#aaa session-id common
Cisco(config)#ip radius source-interface GigabitEthernet0/0 (User facing Interface)
Cisco(config)#radius-server
host 172.17.0.52 auth-port 1812 acct-port 1813 key sharedkey
Cisco(config)#line vty 0 4
Cisco(config-line)#
authorization exec ciscoauth
Cisco(config-line)#login
authentication ciscoauth
Cisco(config-line)#transport
input telnet rlogin ssh
There we finish our configuration. Now you can test it by logging into the router as a user who is a member of the Network support group.
Thursday 8 November 2012
How to block P2P Traffic on a Cisco Router
P2P is a network protocol which is widely used to share large volumes of file over the network. It uses the protocols like BitTorrent to download as well as to share data over the Internet. In a Peer-to-peer network each computer will act as a server or client for the other computer. Since the files are available from various sources we can quickly download a file using a P2P application.
Nowadays P2P plays a major role over the Internet where millions of people are using it to download movies, games, software etc.Statistics shows that around 30-40% of global Internet traffic is used by the P2P traffic. Recent survey conducted by Cisco estimated that the p2p traffic will be doubled (7 Petabytes per month) by 2014 compared to 2009 where it was only 3.2 Petabytes per month.
How P2P works?
 |
| How P2P Works? |
The P2P file share process works like this:
1. You run a software like utorrent on your computer and sends out a request for a file that you want to download.
2. The software (eg.utorrent) queries the other computers which is connected to the internet and is running with similar software.
3. As soon as it finds the file on another computer, the download begins.
4. In the same way other computers will also download the file from your computer.
Major P2P Protocols
1. BitTorrent (Azureus, BitSpirit, BitTorrent.Net, MLdonkey, QTorrent, µTorrent,etc)
2. Gnutella (BearShare, iMesh, Gnotella, Gnucleus, GTK-gnutella, LimeWire, etc)
3. FastTrack (Grokster, iMesh, Kazaa, Morpheus, etc)
4. eDonkey (eMule, Overnet, etc )
5. Direct Connect (BCDC++, DC++, NeoModus Direct Connect, etc )
6. OpenNap ( WinMX )
How to Block P2P ?
Blocking P2P traffic is a real challenge as the P2P protocols are using dynamic ports to connect to our computers. Cisco provided us with two solutions to block P2P traffic on our gateway. This document will guide you to configure those two methods to block the p2p traffic in your network. But I cannot give you 100% guarantee to block P2P because of its port hopping ability and the encryption in the traffic.
Blocking P2P traffic is a real challenge as the P2P protocols are using dynamic ports to connect to our computers. Cisco provided us with two solutions to block P2P traffic on our gateway. This document will guide you to configure those two methods to block the p2p traffic in your network. But I cannot give you 100% guarantee to block P2P because of its port hopping ability and the encryption in the traffic.
The two features that Cisco provide to block P2P traffic are:
1. NBAR
2. Application Control in Zone Based Firewall.
- This example is based on a Cisco Integrated Service Router running with 15.0(1)M3 code.
1. Blocking P2P using NBAR
NBAR is a classification engine that can recognize a wide variety of applications via the deep packet inspection. This feature is available from Cisco IOS Version 12.0(5)XE2. It has the ability to identify applications including Web-based applications and client/server applications that dynamically assign TCP , User Datagram Protocol (UDP) port numbers as well as P2P applications. NBAR helps the network administrator to classify the traffic by defining QoS policies there by ensuring the best bandwidth for the legitimate traffic. For more info visit: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/prod_case_study09186a00800ad0ca.html
Follow the below steps to block P2P traffic using the NBAR deep packet inspection engine.
Enable cef on your router. For this type the command as below on the global configuration mode:
Cisco_ISR(config)#ip cef
Create a Class map which will group all the P2P protocols. Type the command as below:
Cisco_ISR(config)#class-map match-any ALL-P2P-PROTOCOLS
Cisco_ISR(config)# match protocol edonkey
Cisco_ISR(config)# match protocol fasttrack
Cisco_ISR(config)# match protocol gnutella
Cisco_ISR(config)# match protocol winmx
Cisco_ISR(config)# match protocol cuseeme
Cisco_ISR(config)# match protocol kazaa2
Cisco_ISR(config)# match protocol irc
Cisco_ISR(config)# match protocol bittorrent
Cisco_ISR(config)# match protocol skype
Cisco_ISR(config)# match protocol ssh
Cisco_ISR(config)# match protocol irc
Create a Policy map to define what you want to do with the traffic. In our case it is drop since we need to block the p2p traffic.
Cisco_ISR(config)#policy-map P2P- DROP
Cisco_ISR(config)#class ALL-P2P-PROTOCOLS
Cisco_ISR(config)#drop
Apply the policy to the user-facing (Incoming) interface.
Cisco_ISR(config)#interface gigabitEthernet 0/0
Cisco_ISR(config-if)#service-policy input P2P-DROP
Now you can verify the correct operation of the NBAR feature using the below command :
Cisco_ISR#show policy-map interface gigabitEthernet 0/0
Below you can find an output of the above command where the drop rate is 16000 bps.
This configuration requires a Zone Based Firewall already configured on your router. If you don't have a Zone Based Firewall configured on your router you can refer the following document http://yadhutony.blogspot.in/2012/10/cisco-ios-zone-based-firewall-step-by.html to do the configuration.
Now to block p2p traffic using a zone based firewall follow the below steps.
Task 1 : Configure HTTP port misuse policy
With this configuration you can the stop the misuse of http port by p2p and other applications.
Create a Class map to define the port-misuse parameters. Type the command as below :
Router(config)#class-map type inspect http match-any HTTP-PORT-MISUSE
Router(config-cmap)#match request port-misuse im
Router(config-cmap)#match request port-misuse p2p
Router(config-cmap)#match request port-misuse tunneling
Create a Policy-map which define what you want to do with the traffic and apply the above class-map 'HTTP-PORT-MISUSE' to the policy-map.
Router(config)#policy-map type inspect http HTTP-PORT-MISUSE-POLICY
Router(config-pmap)#class type inspect http HTTP-PORT-MISUSE
Router(config-pmap)#reset
Router(config-pmap)#log
Now apply this policy-map to the outgoing http inspection policy
Router(config)#policy-map type inspect IN-TO-OUT-POLICY
Router(config-pmap)#class type inspect HTTP-ACCESS
Router(config-pmap)#inspect
Router(config-pmap)#service-policy http HTTP-PORT-MISUSE-POLICY
For more information about port misuse commands refer: http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_p1.html#wp1064215
Task 2 : Configuring firewall policy to block p2p traffic
Here we are defining the class maps and policy maps to configure a firewall policy that will explicitly block p2p traffic on your firewall. Type the command as below:
Class Map
Router(config)#class-map type inspect match-any ALL-P2P-PROTOCOLS
Router(config-cmap)#match protocol edonkey signature
Router(config-cmap)#match protocol gnutella signature
Router(config-cmap)#match protocol kazaa2 signature
Router(config-cmap)#match protocol fasttrack signature
Router(config-cmap)#match protocol bittorrent signature
Now apply the above class-map to the outgoing policy-map configuration.
Policy Map
Router(config)#policy-map type inspect IN-TO-OUT-POLICY
Router(config-cmap)#class type inspect ALL-P2P-PROTOCOLS
Router(config-cmap)#drop log
Verification
You can verify the above operation using the command :
Router#show policy-map type inspect zone-pair
Below you can find an output of the verification command
It is best practice to place the Class-map that you created to block the P2P traffic above all class-maps on your Inside to Outside Policy-map or Firewall policy.
For advanced configuration and IM application blocking visit http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/white_paper_c27_543585.html
With all the above configurations we can only block the P2P traffic up to an extent. It will not give you a complete solution because of the encryption used in the p2p traffic where the Cisco device fails to do a deep packet inspection. I will suggest using some applications in your network along with NBAR or ZBFW in order to prevent p2p traffic in your network.
You may also find this document useful Cisco IOS Local Content Filtering
Thursday 1 November 2012
How to setup a Windows Server 2008R2 Domain Controller
Introduction
Prerequisites
3. Now the Active Directory Domain Services Installation wizard will open up. Tick the Use advanced mode installation check box and click next.
7. On the Domain NETBIOS name wizard leave it as default and click Next. In our example it is MATHEW
Domain is one of the most important concept in a Windows
network. A domain is a collection of user and computer accounts that
are grouped together so that they can be centrally managed using a
Domain controller. A domain controller is a server which hold the
'Active Directory Domain Service (AD DS)' role in a network. Once
you promote a Windows server as a domain controller it can be used
for controlling and managing the whole domain in a centralized
location. The domain controller will provide a single sign-on to
various servers and services inside a domain. Also users and
computers can be granted with access permissions. Group policy is one
of the most important feature in AD DS that controls the working
environment of user accounts and computer accounts. Group policy
provides centralized management and configuration of operating
systems, applications and user's setting in active directory
environment. While you setup a domain controller, a DNS server will
also get configured along with the AD DS. DNS server is one of the
most important service in a network that will serve the computers
with its name resolution functionality.
Visit http://technet.microsoft.com/en-us/library/cc786438(v=ws.10).aspx and http://technet.microsoft.com/en-us/library/dd578336(v=ws.10).aspx for more details about Domain Controllers and Active Directory Services.
Prerequisites
- Server should be configured with a static IP address.
- Appropriate DNS configuration should be there, if there is no DNS server in your network put the loop-back address as the DNS server address in TCP/IP configuration.
-
Computer must be connected in a network.
Promoting
Windows Server 2008R2 as Domain controller
1. Log on to windows server 2008R2 computer as an
administrator.
Click
Start
> Run
Type
'dcpromo'
and click OK
2. Now AD DS binaries will start installing on your
server. Wait for the installation to get finished.
3. Now the Active Directory Domain Services Installation wizard will open up. Tick the Use advanced mode installation check box and click next.
4.
On the Operating system
compatibility windows,
read the information and click Next.
5.
On 'Choose a Deployment
Configuration' window
select 'Create a new
domain in a new forest' since
we are going to configure the first domain server in this network,
click Next
6.
On this windows you can name the domain that you are going to create.
In this example I am naming it as 'mathew.com'
Type the fully
qualified domain name that you wish to use and click Next.
7. On the Domain NETBIOS name wizard leave it as default and click Next. In our example it is MATHEW
8. On
the forest functional level wizard choose the functional level that
you wish to use and click next. In this example I am choosing
'Windows Server 2008
R2'. You can see the
details about each functional level available on the box below. Click
Next.
To
know more about functional levels visit http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx
9.
On the Additional Domain Controller Option tick
the DNS
server option and
click Next. Here
you can find that the Global catalog option is ticked and grayed out.
This is because Global catalog is installed by default while you
configure first domain controller in a network.
10.
Safely ignore the DNS warning wizard and click Yes
to continue.
14. Once you click Next the wizard will configure Active Directory Domain Services on your Server. It is better to tick the Reboot on completion check box to reboot the server automatically to finish the Installation.
3. Default Domain Policy of after the fresh Installation of AD DS.
You can find the screen-shots of the default domain policy after the installation of AD DS. Refer Figure 1 and Figure 2:
11.
Now the wizard will ask you to choose a location for Database, Log
Files and SYSVOL. The best practice is to choose a location which is
other than the System volume to store these files. Click Next
12.
Choose a Directory services restore mode administrator password. Make
sure that you are providing a password other than the administrator
password. This password is used for recovering AD in case of any
disaster. Click Next
13. On
the Summary window review the settings and
Click next.
14. Once you click Next the wizard will configure Active Directory Domain Services on your Server. It is better to tick the Reboot on completion check box to reboot the server automatically to finish the Installation.
15.
After the reboot go to
Start > Administrative Tools > Active Directory Users and
computers where you
will find the domain that you have created. In our example you can
find 'mathew.com' in
Active
Directory Users and computers.
Additional
Information
1. To find
out the roles Installed along with AD DS
You
can use the command 'netdom
query fsmo' to find
out the roles installed along with the Active Directory Domain
Services. Below is the screen-shot which shows the output of the
command.
You can visit "How to transfer FSMO Roles in 2008R2" to know more about fsmo roles and how to transfer these
roles to another DC in the same domain.
2. DNS
Server Snap-In after the fresh installation
Here you can find the DNS Manager snap-in after a fresh
Installation.
To know more about DNS Server Role visit http://technet.microsoft.com/en-us/library/cc753635(v=ws.10).aspx
3. Default Domain Policy of after the fresh Installation of AD DS.
You can find the screen-shots of the default domain policy after the installation of AD DS. Refer Figure 1 and Figure 2:
Figure 1:
Figure 2:
To know more about group policy visit http://technet.microsoft.com/en-us/library/bb742376.aspx
While we configure a Domain Controller in a network it is better to configure an additional domain controller to improve the reliablility and availability of the network services. The Additional Domain Controller will serve the client machines in case of any failure of the Primary Domain Controller. I will explian how to configure an Additional Domain Controller latter in my Blogs.
While we configure a Domain Controller in a network it is better to configure an additional domain controller to improve the reliablility and availability of the network services. The Additional Domain Controller will serve the client machines in case of any failure of the Primary Domain Controller. I will explian how to configure an Additional Domain Controller latter in my Blogs.
Subscribe to:
Posts (Atom)