Friday, 21 December 2012

Cisco IPSec Site-to-site VPN Configuration

Introduction

IPSec Site-to-site VPN connectivity is used to secure the connection between two sites (eg.Head office and branch office). A secure VPN tunnel is created over the public network (Internet) using advanced encryption technologies where we can transmit our data with high confidentiality and integrity. The major advantages of using IPSec are 1.Confidentiality  2.Integrity  3.Origin Authentication.
  • This document will show you how to configure a site-to-site IPSec VPN tunnel using two Cisco IOS routes.
 How IPSec works on a Cisco Router

IPSec is a layer 3, protocol independent framework that is used to secure unicast network traffic. IPSec is comprised of two distinct phases:

a) Phase 1 : Responsible for session management and authentication of end points. This phase ensure that the connection between endpoints is secured.

b) Phase 2 : It is used to setup the security association (SA) that will be used to secure the target data.

Phase 1

Phase 1 process authenticates endpoints to each other. This is done by single, bidirectional security association  (SA).  The major component of Phase 1 authentication is IKE Policy.

  IKE Policy

The IKE Policy comprises of the following parameters:
  • Authentication* : Decide the authentication that will be used by the policy.
  • Encryption : Decide the encryption algorithm that will be used by the policy.
  • Hashing : Decide the hashing algorithm that will be used by the policy.
  • Diffe-Hellman group : Decide the Diffe-Hellman group that will be used by the policy.
  • Life-time : Decide the life-time of SA before re-keying.
*The authentication is based on one of the following:
  • Pre-shared key (PSK)
  • RSA  Encryption
  • Digital Certificate
Phase 2

The Phase 2 is used to setup the security associations that will be used to secure the target data between two sites.

The major components of Phase 2 authentication are :
  • Extended ACL : It is used to find the interesting traffic which should be transmitted over the VPN tunnel.
  • Transform-Set : Decide the encryption and hashing algorithm. This will provide the authentication to each protocol that is used in the ACL.
Network Diagram


This example is based on a Cisco Integrated Service Router running with 15.0(1r)M15 code.

Configuration Tasks 
  1. Create IKE Policy
  2. Setup Pre shared key (PSK)
  3. Configure extended Access-List
  4. Define IPSec Transform-set
  5. Configure Crypto-map
  6. Apply Crypto-map to Interfaces.
Now we should go in details and configure each tasks which is listed above.

1.) Creating IKE Policy

Cisco ISR* 1

Cisco_ISR(config)#crypto isakmp policy 10
Cisco_ISR(config-isakmp)#authentication pre-share
Cisco_ISR(config-isakmp)#encryption aes 256
Cisco_ISR(config-isakmp)#group 5
Cisco_ISR(config-isakmp)#lifetime 86400

Cisco ISR 2

Cisco(config)#crypto isakmp policy 10
Cisco(config-isakmp)#authentication pre-share
Cisco(config-isakmp)#encryption aes 256
Cisco(config-isakmp)#group 5
Cisco(config-isakmp)#lifetime 86400


*ISR - Integrated Service Router

2.) Setup Pre-shared key

Cisco ISR1

Cisco_ISR(config)#crypto isakmp key MYSECUREKEY address 192.168.100.2

Cisco ISR 2

Cisco(config)#crypto isakmp key MYSECUREKEY address 192.168.100.1


3.) Configure extended Access-List

Cisco ISR 1

Cisco_ISR(config)#access-list 100 permit ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
 
Cisco ISR 2

Ciscoconfig)#access-list 100 permit ip 172.17.0.0 0.0.255.255 172.16.0.0 0.0.255.255


4.) Defining IPSec Transform-set

Cisco ISR 1

Cisco_ISR(config)#crypto ipsec transform-set MYTRANSFORMSET esp-aes 256 esp-sha-hmac

Cisco ISR 2

Cisco(config)#crypto ipsec transform-set MYTRANSFORMSET esp-aes 256 esp-sha-hmac


5.) Configure Crypto-map

Cisco ISR 1

Cisco_ISR(config)#crypto map MYCRYPTOMAP 10 ipsec-isakmp
Cisco_ISR(config-crypto-map)#set peer 192.168.100.2
Cisco_ISR(config-crypto-map)#set transform-set MYTRANSFORMSET
Cisco_ISR(config-crypto-map)#match address 100

While you create a crypto-map you will get a message like below:
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.

You can safely ignore this message and configure the peer as a next step.


Cisco ISR 2

Cisco(config)#crypto map MYCRYPTOMAP 10 ipsec-isakmp
Cisco(config-crypto-map)#set peer 192.168.100.1
Cisco(config-crypto-map)#set transform-set MYTRANSFORMSET
Cisco(config-crypto-map)#match address 100


6.) Apply Crypto-map to Interfaces

Cisco ISR 1

Cisco_ISR(config)#interface gigabitEthernet 0/1
Cisco_ISR(config-if)#crypto map MYCRYPTOMAP

Cisco ISR 2

Cisco(config)#interface gigabitEthernet 0/1
Cisco(config-if)#crypto map MYCRYPTOMAP


There we finish our configuration.
IPSec VPN and Zone Based Firewall

For more info visit Using IPSec VPN with Zone-Based Policy Firewall.

IPSec Verification & Troubleshooting

a.) Commands used to verify IPSec operation
  • show crypto isakmp sa
  • show crypto isakmp policy
  • show crypto ipsec sa
  • show crypto session
b.) Commands used to troubleshoot IPSec operation
  • debug crypto isakmp
  • debug crypto ipsec

Saturday, 24 November 2012

Resetting secure channel between DCs



Introduction

Secure channel is used for secure communication between the Primary Domain controller and the member servers or workstations. This channel is used to validate the membership of the member servers or workstations. It also enables secure exchange of Challenge/Response messages and pass-through authentication in an NT LAN Manager (NTLM) authentication sequence. The Netlogon service is responsible for setting up a secure channel. During a system startup the Netlogon service creates a secure channel between the first DC that respond to the secure channel request. When you join a computer to a domain a password is shared between the computer and DC and it is stored in the DC along with the computer account. This password helps to authenticate the computer account to the DC and it is changed every 30 days. When the computer authenticate with the DC a secure channel got created between the DC and the computer. In case of a backup DC, during startup the netlogon service try to create a secure channel between the PDC and if this attempt doesn't succeed the secure channel will be broken. This happens due to communication issue, DNS misconfiguration and system time issue.
  • This post will show you how to reset the secure channel between a Backup DC and PDC. 

Typical errors when the secure channel is broken

1. Replication error:
 
CALLBACK MESSAGE: Error contacting server 2044b77-7bc2-486a-2cfb-9638a99d99dbd._msdcs.xxx.com (network error): 5 (0x5):
Access is denied.
SyncAll exited with fatal Win32 error: 8440 (0x20f8):
The naming context specified for this replication operation is invalid.

 
The following error occurred during the attempt to contact the Domain Controller PDC001
Access is denied.

  
You may get Netlogon event ID 3210, 5722, 5723 or NTDS KCC event 1925.
 
Event Source: Netlogon
Event Category: None Event ID: 3210
User: N/A Event Description:
Failed to authenticate with \\PDC, a Windows NT domain controller for domain DOMAIN. 
 
Event Source: Netlogon
Event ID: 5722
Event Category: None User: N/A Event Description:
The session setup from the computer 1 failed to authenticate. The name of the account referenced in the security database is 2. The following error occurred: n3
 
2. Logon error:
 
Windows cannot connect to the domain either because the domain controller is down or otherwise unavailable or because your computer account was not found.”

or
 
"The system could not log you on. Make sure your username and domain are correct."
 
3. Nltest error:
 
nltest /sc_query:
 
access is denied:

Secure Channel Reset

There are two ways to work around the above problems:

Method 1:

Perform the below steps to reset the secure channel between a DC and PDC.

1. Find out the problematic DC and stop the KDC (Key Distribution Center) Service. To do so either go to services.msc and locate Kerberos Key Distribution Service and click stop or use the command net stop KDC on command prompt. 
 
2. Now locate kerbtray.exe from the below location :
C:\Program Files\Windows Resource Kits\Tools\Kerbtray.exe.
Double click the exe file and you will find a green ticket icon on the lower right corner of your desktop.

3. Right click the green ticket icon on your desktop and click purge ticket. You should get a confirmation message that the ticket cache is purged. Click OK.



4. Reset the problematic DC password on the PDC. To do so open command prompt in PDC and type the command :
netdom resetpwd /server:Replication_Partner_Server_Name /userd:domainname\administrator_id /passwordd:password

5. Restart the problematic server. After the restart check the KDC services status. If it is not started then start the service manually.

6. Now synchronize the domain to verify the successful DC replication. To do so open a command prompt and type 'repadmin /syncall'

Method 2

Forcefully demote the faulty DC followed by metadata cleanup and promote the server back as DC,but consider this as last point of restore.



3. Change and Seize FSMO Roles : http://support.microsoft.com/kb/255504

 
PS: To reset secure channel between a Computer and Domain Controller

Friday, 23 November 2012

Windows 2008 RADIUS Server for Cisco Router



Introduction

RADIUS (Remote Authentication Dial-In User Service) is a security protocol which is used for centralized network access control for computers to connect and use network devices and services. RADIUS uses a client/server system where the RADIUS client will run on the networking devices (in our case it is Cisco router) and send the authentication request to the central RADIUS server (in our case it is NPS) that contain all the user authentication and network service access information. Refer Figure1 to see how the RADIUS works. AAA (Authentication, Authorization, and Accounting) is a network security service where you can set up access control on your router or access servers. AAA uses protocols such as RADIUS , TACACS+, or Kerberos to administer its security functions.

Microsoft NPS (Network Policy Server) is a feature in Windows Server 2008 that centrally manage and enforce the network access policies that determine whether the user can or cannot access the network. The NPS is using the RADIUS protocol to communicate with the servers and network devices for authentication. This service is mainly used for the Remote user who connect with VPN or wireless access points to access the network resources. Using an NPS server you can create network policies centrally and can be used in all the networking devices in your network.

Figure 1:

This guide will show you the quick steps to configure a Microsoft NPS server for RADIUS authentication for Cisco router logins. Below are the tasks we are going to accomplish.

1. Configure Microsoft NPS server as RADIUS Server

2. Configure Cisco for RADIUS authentication.

Prerequisites

1. Windows Server 2008R2

2. Active Directory Domain Services

3. NPS Server must be a member of a domain

Configure Microsoft NPS server as RADIUS Server

1. Go to Server Manger > Roles > Add Roles and select 'Network Policy and Access Services' click Next

2. Read the description and click Next
 
3. Select Network Policy Server and click Next

4. Confirm the Installation by clicking Finish

5. Now go to Start > Administrative Tools > Network Policy Server.
Now click Action and click Register Server in Active Directory to register the NPS in Active Directory.

6. Confirm that you want to authorize this computer (NPS) to read users' dial-in properties of the domain by clicking OK

7. Now you will see the confirmation screen and click OK
 
8. Now  on the left panel under the RADIUS Clients and Servers right click RADIUS Clients and click New RADIUS Client.
9. Now specify the policy name and connection type. Here I am mentioning the policy name as 'Cisco Router Access' and Type of network access server is 'Unspecified'.
 
10. On the Specify Conditions page add a Windows group and specify a group from Active Directory.
Here I am adding Network Support group from the Active Directory. 

11. On the Specify Access Permission page, select Access granted only and click Next.

12. Now select Unencrypted authentication [PAP, SPAP] on the Configure Authentication Methods.

13. On the Configure settings page in Standard Section add Service-Type parameter with the value NAS Prompt.
 
14. On the Configure settings page in Vendor Specific section add Cisco-AV-Pair parameter with value: shell:priv-lvl=15 . This particular example causes a user logging in from a network access server to have immediate access to EXEC commands.

15. On the Completing New Network Policy page review the settings and click Finish

Below you can see the screen-shot of the network policy that we have created.

2. Configuring Cisco Router for RADIUS authentication

The below configuration will enable the RADIUS Authentication on your Cisco Router.

Enable AAA on the router by using the below command in global configuration mode.

Cisco(config)#aaa new-model

Cisco(config)#aaa group server radius NPS
Cisco(config-sg-radius)#server 172.17.0.52 auth-port 1812 acct-port 1813

Where 172.17.0.52 is the IP address of the RADIUS Server.

Cisco(config)#aaa authentication login ciscoauth local group NPS
Cisco(config)#aaa authorization exec ciscoauth local group NPS if-authenticated
Cisco(config)#aaa authorization network ciscoauth local group NPS
Cisco(config)#aaa accounting exec default start-stop group NPS
Cisco(config)#aaa accounting system default start-stop group NPS

Cisco(config)#aaa session-id common

Cisco(config)#ip radius source-interface GigabitEthernet0/0  (User facing Interface)
Cisco(config)#radius-server host 172.17.0.52 auth-port 1812 acct-port 1813 key sharedkey

Cisco(config)#line vty 0 4
Cisco(config-line)# authorization exec ciscoauth
Cisco(config-line)#login authentication ciscoauth
Cisco(config-line)#transport input telnet rlogin ssh

There we finish our configuration. Now you can test it by logging into the router as a user who is a member of the Network support group.

Thursday, 8 November 2012

How to block P2P Traffic on a Cisco Router

P2P is a network protocol which is widely used to share large volumes of file over the network. It uses the protocols like BitTorrent to download as well as to share data over the Internet. In a Peer-to-peer network each computer will act as a server or client for the other computer. Since the files are available from various sources we can quickly download a file using a  P2P application.


Nowadays P2P plays a major role over the Internet where millions of people are using it to download movies, games, software etc.Statistics shows that around 30-40% of global Internet traffic is used by the P2P traffic. Recent survey conducted by Cisco estimated that the p2p traffic will be doubled (7 Petabytes per month) by 2014 compared to 2009 where it was only 3.2 Petabytes per month. 

How P2P works?

How P2P Works?


















The P2P file share process works like this:

1. You run a software like utorrent on your computer and sends out a request for a file that you want to download.
2. The software (eg.utorrent) queries the other computers which is connected to the internet and is running with similar software.
3. As soon as it finds the file on another computer, the download begins.
4. In the same way other computers will also download the file from your computer.
 
Major P2P Protocols

1. BitTorrent (Azureus, BitSpirit, BitTorrent.Net, MLdonkey, QTorrent, ĀµTorrent,etc)
2. Gnutella (BearShare, iMesh, Gnotella, Gnucleus, GTK-gnutella, LimeWire, etc)
3. FastTrack (Grokster, iMesh, Kazaa, Morpheus, etc)
4. eDonkey (eMule, Overnet, etc )
5. Direct Connect (BCDC++, DC++, NeoModus Direct Connect, etc )
6. OpenNap ( WinMX )

How to Block P2P ?

Blocking P2P traffic is a real challenge as the P2P protocols are using dynamic ports to connect to our computers. Cisco provided us with two solutions to block P2P traffic on our gateway. This document will guide you to configure those two methods to block the p2p traffic in your network. But I cannot give you 100% guarantee to block P2P because of its port hopping ability and the encryption in the traffic.
The two features that Cisco provide to block P2P traffic are:

1. NBAR

2. Application Control in Zone Based Firewall.
  • This example is based on a Cisco Integrated Service Router running with 15.0(1)M3 code.

1. Blocking P2P using NBAR

NBAR is a classification engine that can recognize a wide variety of applications via the deep packet inspection. This feature is available from Cisco IOS Version 12.0(5)XE2. It has the ability to identify applications including Web-based applications and client/server applications that dynamically assign TCP , User Datagram Protocol (UDP) port numbers as well as P2P applications. NBAR helps the network administrator to classify the traffic by defining QoS policies there by ensuring the best bandwidth for the legitimate traffic. For more info visit: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/prod_case_study09186a00800ad0ca.html

Follow the below steps to block P2P traffic using the NBAR deep packet inspection engine.

    Enable cef on your router. For this type the command as below on the global configuration mode:

    Cisco_ISR(config)#ip cef

    Create a Class map which will group all the P2P protocols. Type the command as below:

    Cisco_ISR(config)#class-map match-any ALL-P2P-PROTOCOLS
    Cisco_ISR(config)# match protocol edonkey
    Cisco_ISR(config)# match protocol fasttrack
    Cisco_ISR(config)# match protocol gnutella
    Cisco_ISR(config)# match protocol winmx
    Cisco_ISR(config)# match protocol cuseeme
    Cisco_ISR(config)# match protocol kazaa2
    Cisco_ISR(config)# match protocol irc
    Cisco_ISR(config)# match protocol bittorrent
    Cisco_ISR(config)# match protocol skype
    Cisco_ISR(config)# match protocol ssh
    Cisco_ISR(config)# match protocol irc

Create a Policy map to define what you want to do with the traffic. In our case it is drop since we need to block the p2p traffic.

    Cisco_ISR(config)#policy-map P2P- DROP
    Cisco_ISR(config)#class ALL-P2P-PROTOCOLS
    Cisco_ISR(config)#drop

Apply the policy to the user-facing (Incoming) interface.

    Cisco_ISR(config)#interface gigabitEthernet 0/0
    Cisco_ISR(config-if)#service-policy input P2P-DROP

Now you can verify the correct operation of the NBAR feature using the below command :
 
   Cisco_ISR#show policy-map interface gigabitEthernet 0/0

Below you can find an output of the above command where the drop rate is 16000 bps.



2. Blocking P2P Using Application Control feature in Zone Based Firewall

This configuration requires a Zone Based Firewall already configured on your router. If you don't have a Zone Based Firewall configured on your router you can refer the following document http://yadhutony.blogspot.in/2012/10/cisco-ios-zone-based-firewall-step-by.html to do the configuration.
Now to block p2p traffic using a zone based firewall follow the below steps.

Task 1 : Configure HTTP port misuse policy

With this configuration you can the stop the misuse of http port by p2p and other applications.
Create a Class map to define the port-misuse parameters. Type the command as below :
  
   Router(config)#class-map type inspect http match-any HTTP-PORT-MISUSE
   Router(config-cmap)#match request port-misuse im
   Router(config-cmap)#match request port-misuse p2p
   Router(config-cmap)#match request port-misuse tunneling

Create a Policy-map which define what you want to do with the traffic and apply the above class-map 'HTTP-PORT-MISUSE' to the policy-map.
 
  Router(config)#policy-map type inspect http HTTP-PORT-MISUSE-POLICY
  Router(config-pmap)#class type inspect http HTTP-PORT-MISUSE
  Router(config-pmap)#reset
  Router(config-pmap)#log

Now apply this policy-map to the outgoing http inspection policy
 
  Router(config)#policy-map type inspect IN-TO-OUT-POLICY
  Router(config-pmap)#class type inspect HTTP-ACCESS
  Router(config-pmap)#inspect
  Router(config-pmap)#service-policy http HTTP-PORT-MISUSE-POLICY

For more information about port misuse commands refer: http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_p1.html#wp1064215

Task 2 : Configuring firewall policy to block p2p traffic

Here we are defining the class maps and policy maps to configure a firewall policy that will explicitly block p2p traffic on your firewall. Type the command as below:

Class Map
 
  Router(config)#class-map type inspect match-any ALL-P2P-PROTOCOLS
  Router(config-cmap)#match protocol edonkey signature
  Router(config-cmap)#match protocol gnutella signature
  Router(config-cmap)#match protocol kazaa2 signature
  Router(config-cmap)#match protocol fasttrack signature
  Router(config-cmap)#match protocol bittorrent signature

Now apply the above class-map to the outgoing policy-map configuration.

Policy Map

  Router(config)#policy-map type inspect IN-TO-OUT-POLICY
  Router(config-cmap)#class type inspect ALL-P2P-PROTOCOLS
  Router(config-cmap)#drop log

Verification

You can verify the above operation using the command :

 Router#show policy-map type inspect zone-pair

Below you can find an output of the verification command


It is best practice to place the Class-map that you created to block the P2P traffic above all class-maps on your Inside to Outside Policy-map or Firewall policy.

For advanced configuration and IM application blocking visit http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/white_paper_c27_543585.html

With all the above configurations we can only block the P2P traffic up to an extent. It will not give you a complete solution because of the encryption used in the p2p traffic where the Cisco device fails to do a deep packet inspection. I will suggest using some applications in your network along with NBAR or ZBFW in order to prevent p2p traffic in your network.

You may also find this document useful Cisco IOS Local Content Filtering

Thursday, 1 November 2012

How to setup a Windows Server 2008R2 Domain Controller

Introduction

Domain is one of the most important concept in a Windows network. A domain is a collection of user and computer accounts that are grouped together so that they can be centrally managed using a Domain controller. A domain controller is a server which hold the 'Active Directory Domain Service (AD DS)' role in a network. Once you promote a Windows server as a domain controller it can be used for controlling and managing the whole domain in a centralized location. The domain controller will provide a single sign-on to various servers and services inside a domain. Also users and computers can be granted with access permissions. Group policy is one of the most important feature in AD DS that controls the working environment of user accounts and computer accounts. Group policy provides centralized management and configuration of operating systems, applications and user's setting in active directory environment. While you setup a domain controller, a DNS server will also get configured along with the AD DS. DNS server is one of the most important service in a network that will serve the computers with its name resolution functionality.

Prerequisites
  • Server should be configured with a static IP address.
  •  Appropriate DNS configuration should be there, if there is no DNS server in your network put the loop-back address as the DNS server address in TCP/IP configuration.
  • Computer must be connected in a network.
Promoting Windows Server 2008R2 as Domain controller
1. Log on to windows server 2008R2 computer as an administrator.
Click Start > Run

Type 'dcpromo' and click OK



2. Now AD DS binaries will start installing on your server. Wait for the installation to get finished.


3. Now the Active Directory Domain Services Installation wizard will open up. Tick the Use advanced mode installation check box and click next.

4. On the Operating system compatibility windows, read the information and click Next.


5. On 'Choose a Deployment Configuration' window select 'Create a new domain in a new forest' since we are going to configure the first domain server in this network, click Next



6. On this windows you can name the domain that you are going to create. In this example I am naming it as 'mathew.com' Type the fully qualified domain name that you wish to use and click Next.



7. On the Domain NETBIOS name wizard leave it as default and click Next. In our example it is MATHEW
 
8. On the forest functional level wizard choose the functional level that you wish to use and click next. In this example I am choosing 'Windows Server 2008 R2'. You can see the details about each functional level available on the box below. Click Next.




9. On the Additional Domain Controller Option tick the DNS server option and click Next. Here you can find that the Global catalog option is ticked and grayed out. This is because Global catalog is installed by default while you configure first domain controller in a network.


 
10. Safely ignore the DNS warning wizard and click Yes to continue.
 
11. Now the wizard will ask you to choose a location for Database, Log Files and SYSVOL. The best practice is to choose a location which is other than the System volume to store these files. Click Next
 
12. Choose a Directory services restore mode administrator password. Make sure that you are providing a password other than the administrator password. This password is used for recovering AD in case of any disaster. Click Next

13. On the Summary window review the settings and Click next.

14. Once you click Next the wizard will configure Active Directory Domain Services on your Server. It is better to tick the Reboot on completion check box to reboot the server automatically to finish the Installation.

15. After the reboot go to Start > Administrative Tools > Active Directory Users and computers where you will find the domain that you have created. In our example you can find 'mathew.com' in Active Directory Users and computers.

Additional Information
1. To find out the roles Installed along with AD DS
You can use the command 'netdom query fsmo' to find out the roles installed along with the Active Directory Domain Services. Below is the screen-shot which shows the output of the command.
 
You can visit "How to transfer FSMO Roles in 2008R2to know more about fsmo roles and how to transfer these roles to another DC in the same domain.

2. DNS Server Snap-In after the fresh installation



Here you can find the DNS Manager snap-in after a fresh Installation.



3. Default Domain Policy of after the fresh Installation of AD DS.

You can find the screen-shots of the default domain policy after the installation of AD DS. Refer Figure 1 and Figure 2:
Figure 1:

Figure 2:
To know more about group policy visit http://technet.microsoft.com/en-us/library/bb742376.aspx 

While we configure a Domain Controller in a network it is better to configure an additional domain controller to improve the reliablility and availability of the network services. The Additional Domain Controller will serve the client machines in case of any failure of the Primary Domain Controller. I will explian how to configure an Additional Domain Controller latter in my Blogs.