Upload: nathan-boone

Post on 16-Aug-2015

High school-College Brussels

Academic Year 2013-2014

Applied Informatics

Name: Nathan Boone

Class: Computer Networking

Student number: 341162

Course: Internship Report


© Nathan Boone

Preface

In the process of completing my studies of Applied Informatics at the University-College Brussels, I wanted to do an internship abroad that is close to my major. My major is Computer Networking and I am specialized in Network Security.

I chose to do my internship to develop business skills and soft skills. I wanted to be able to communicate with people from all over the world, because this gives you many insights into different areas, both professional and private. I also wanted to learn how to work and live in an international environment. It gave me the opportunity to practise and improve my language skills.

I would like to thank Mr Debrabandere for all the effort he made in order to find a placement for me that includes computer networking. At the Fachhochschule Salzburg University of Applied Sciences, Professor Dominik Engel welcomed me and gave me all the interesting projects that I worked on. I would like to thank him for his continuous support throughout my whole internship in Salzburg.


Contents

Preface ..................................................................................................................................................... 3

Introduction ............................................................................................................................................. 9

Main Text ............................................................................................................................................... 11

1 The Companies .............................................................................................................................. 11

1.1 Fachhochschule Salzburg University of Applied Sciences ..................................................... 11

1.2 Cisco Networking Academy ................................................................................................... 11

2 Projects .......................................................................................................................................... 11

2.1 Virtual Private Networks ....................................................................................................... 11

2.2 Voice over IP .......................................................................................................................... 13

2.3 Helping at the Open House of the Fachhochschule Salzburg ............................................... 14

2.4 Reporting from the Wings for Life World Run ...................................................................... 15

Personal Development Plan .................................................................................................................. 19

1 General competences .................................................................................................................... 19

2 IT competences ............................................................................................................................. 19

List of attachments ................................................................................................................................ 21

Project 1: Remote Connectivity VPN ..................................................................................................... 23

1 Introduction ................................................................................................................................... 23

2 Virtual private network (VPN) ....................................................................................................... 23

2.1 Benefits to use a VPN ............................................................................................................ 23

2.2 Types of VPN ......................................................................................................................... 26

2.3 SSL vs IPsec ............................................................................................................................ 26

2.4 IPsec VPN ............................................................................................................................... 27

2.5 SSL VPN .................................................................................................................................. 30

2.6 Attacking a VPN ..................................................................................................................... 33

2.7 Other uses of VPNs ................................................................................................................ 34

3 Cisco ASA Firewall.......................................................................................................................... 35

3.1 The features of a Cisco ASA ................................................................................................... 35

3.2 ASA Security Levels ................................................................................................................ 35

3.3 Default flow of traffic ............................................................................................................ 36

3.4 Packet filtering ACL................................................................................................................ 36

3.5 Modular Policy Framework ................................................................................................... 36

4 Prior to starting with the lab ......................................................................................................... 37

4.1 Cisco ASDM ............................................................................................................................ 37

4.2 Cisco Configuration Professional ........................................................................................... 40

5 How to update the Cisco ASA with tftp and CLI ............................................................................ 42


5.1 Check if the correct image is running .................................................................................... 42

5.2 Show the flash memory......................................................................................................... 42

5.3 Upload the files with tftp ...................................................................................................... 42

5.4 Change the boot image ......................................................................................................... 42

6 Setting up an IPsec site-to-site and SSL VPNs with an ASA Firewall ............................................... 43

6.1 Topology ................................................................................................................................ 43

6.2 IP Addressing Table ............................................................................................................... 43

6.3 Objectives .............................................................................................................................. 44

6.4 Basic configuration of the Routers ........................................................................................ 44

6.5 Configure a Cisco ASA firewall ............................................................................................... 46

6.6 Configure an IPsec VPN endpoint on the ASA with ASDM .................................................... 49

6.7 Configure the R3 as an IPsec VPN endpoint with CCP........................................................... 56

6.8 Test VPN connectivity with CCP ............................................................................................ 63

6.9 Monitoring VPN tunnel using ASDM on Cisco ASA ............................................................... 64

7 Setting up Clientless SSL VPN ........................................................................................................ 66

7.1 Configuring clientless SSL VPN .............................................................................................. 66

7.2 Using clientless SSL VPN ........................................................................................................ 73

8 Setting up AnyConnect SSL VPN Remote Access Using ASDM ...................................................... 74

8.1 Configure Anyconnect SSL VPN ............................................................................................. 74

8.2 Using AnyConnect SSL VPN ................................................................................................... 81

9 Conclusion ..................................................................................................................................... 89

10 VPN pre-configuration script ..................................................................................................... 89

Project 2: Voice over IP ......................................................................................................................... 91

1 Introduction ................................................................................................................................... 91

2 Voice over IP servers ..................................................................................................................... 91

3 Voice over IP clients ...................................................................................................................... 91

4 Voice over IP gateways .................................................................................................................. 92

5 Voice over IP protocols .................................................................................................................. 92

5.1 Session initiation protocol ..................................................................................................... 92

5.2 Skinny Call Control Protocol .................................................................................................. 94

5.3 Differences between SSCP and SIP ........................................................................................ 96

5.4 Real-time Transfer Protocol .................................................................................................. 96

6 Voice over IP codecs ...................................................................................................................... 96

7 Network latency and QOS ............................................................................................................. 96

8 Zone-Based Firewall ...................................................................................................................... 97

8.1 How Zone-Based Firewall Operate ........................................................................................ 97


8.2 The features of a Zone-Based Firewall .................................................................................. 97

8.3 Zones and why we need pairs of them ................................................................................. 97

8.4 How to implement a policy ................................................................................................... 98

9 VoIP hacking .................................................................................................................................. 99

9.1 Footprinting the organization ............................................................................................... 99

9.2 Scanning the network .......................................................................................................... 100

9.3 VoIP network enumeration ................................................................................................. 102

10 VoIP basic security ................................................................................................................... 106

10.1 Turn off unnecessary protocols ........................................................................................... 106

10.2 Divide VoIP network from data network............................................................................. 106

10.3 Configure some layer 2 security .......................................................................................... 106

10.4 Place an Intrusion Prevention System and Intrusion Detection System ............................. 109

10.5 Firewall SIP support ............................................................................................................. 110

10.6 Use encrypted protocols ..................................................................................................... 110

11 VoIP SIP lab .............................................................................................................................. 111

11.1 Network topology ................................................................................................................ 111

11.2 IP addressing scheme .......................................................................................................... 111

11.3 Objectives ............................................................................................................................ 112

11.4 Configure the LAB ................................................................................................................ 112

11.5 Hacking ................................................................................................................................ 121

11.6 Configure the Security ......................................................................................................... 129

12 Conclusion ............................................................................................................................... 136

Project 3: Reporting for Cisco NetAcad ............................................................................................... 137

1 Blog Posts .................................................................................................................................... 137

1.1 First Blog post: Introduction of the NetAcad Team ............................................................ 137

1.2 Second Blog post: About the event ..................................................................................... 139

1.3 Third Blog post: Upclose Personal interview ....................................................................... 140

1.4 Fourth Blog post: Technical challenges of the event .......................................................... 143

1.5 Fifth Blog post: How did it all start ...................................................................................... 146

1.6 Sixth Blog post: Reflection on my time at the event ........................................................... 148

2 Twitter posts ................................................................................................................................ 150

3 How many views for the Wings for Life World Run Social Networking ...................................... 154

Project 4: Open House ........................................................................................................................ 159

1 VoIP network topology ................................................................................................................ 159

GNS3 .................................................................................................................................................... 161

1 Explanation .................................................................................................................................. 161


2 How to use GNS3? ....................................................................................................................... 161

Time sheet ........................................................................................................................................... 162

Sources ................................................................................................................................................ 167

1 Virtual Private Networks ............................................................................................................. 167

1.1 Books ................................................................................................................................... 167

1.2 Websites .............................................................................................................................. 167

2 Voice over IP ................................................................................................................................ 168

2.1 Books ................................................................................................................................... 168

2.2 Websites .............................................................................................................................. 168

3 Reporting from the Wings for Life World Run ............................................................................ 170

3.1 Blog posts ............................................................................................................................ 170

Curriculum vitae Nathan Boone ......................................................................................................... 171

Presentation ........................................................................................................................................ 173


Introduction

I carried out four projects in Salzburg: two research projects, one project concerning the Open House of the Fachhochschule and one social networking project for the Cisco Networking Academy.

The companies I worked for are the Fachhochschule Salzburg University of Applied Sciences and the Cisco Networking Academy.

My projects at the Fachhochschule were research projects for Professor Dominik Engel. I did research on Virtual Private Networks and on Voice over IP. These were two interesting projects in which I learned about both subjects from different points of view. I first did research on the theoretical part and, when this research was done, I designed, configured, hacked and secured a lab case for each subject. My documentation was afterwards used as course material for students who are studying Network Security and VoIP.

The third project was a social networking project: I worked in a team of the Cisco Networking Academy to blog, post on Facebook and tweet about the Wings for Life World Run. During this project I spoke with a lot of interesting people and got to know what happens behind the scenes at such a big event.

The fourth project was a project for the Fachhochschule, where I helped at the Open House. I configured a simple Voice over IP network to make students interested in studying at the Fachhochschule rather than at another university.


Main Text

The main text consists of a description of the different companies I worked for and of the projects I realized for these companies.

1 The Companies

I worked for two different companies, the Fachhochschule Salzburg University of Applied Sciences and the Cisco Networking Academy.

1.1 Fachhochschule Salzburg University of Applied Sciences

The Fachhochschule is the university where I am attending my courses. It is a university where you can attend lots of different courses, ranging from Game Development to Arts and Physiotherapy. I chose the courses Cryptology and Network Management.

Professor Dominik Engel is a professor at the Fachhochschule and also a Cisco Certified Instructor. He gave me subjects to research and used my research in his courses as course material.

I worked for Professor Dominik Engel: he gave me the subjects that I worked on and he graded my work. Every Monday I briefed him about what I had done in the previous week, and we made appointments when needed.

1.2 Cisco Networking Academy

The Cisco Networking Academy (Cisco NetAcad) is the networking academy of Cisco. Cisco is the world leader in networking equipment. The Networking Academy is the part of Cisco where you can learn how to use Cisco networking equipment. I have learned everything I know about networking by attending courses provided by Cisco NetAcad.

Jutta Jerlich is an employee of Cisco NetAcad. She contacted Mr Dominik Engel asking whether he had students who would be interested in working at the Wings for Life World Run for Cisco NetAcad.

2 Projects

I did four different projects: two research projects, one project where I helped at the Open House of the Fachhochschule and one social networking project.

2.1 Virtual Private Networks

The Virtual Private Network (VPN) project was commissioned by Professor Dominik Engel. He asked me to do research on Virtual Private Networks. This documentation can be found in the attachments.

2.1.1 Job description

My job for Professor Dominik Engel was to do research on Virtual Private Networks, so that he could use my research in his classes.

My research has been used as course material for his students. My project had two parts. The first part was the theoretical part, where I did a lot of research on the subject, in this case VPN. In the second part I made a lab where I designed, configured, hacked and secured a Virtual Private Network. I also documented everything I did.


2.1.1.1 Preparation

In the fifth semester of Applied Informatics, I did a project called an IT-project. This IT-project was about network security and hacking, and one chapter of it was about VPNs. This helped me to structure my documentation about VPNs. Nevertheless, I did more research on VPNs to explain everything in more detail.

2.1.1.2 Tasks

The first task was to research VPNs and to document all of this research.

The second task was to make a lab that his students could use to learn more about VPNs.

2.1.1.3 Implementation

I already had some documentation about VPNs from my IT-project, so I used the same structure, but I went much deeper into each chapter.

I used a lab from the Cisco CCNA Security course as the foundation of the lab that I made, but I adjusted that lab to make it more complete.

My documentation consists of three parts. The first part is the theoretical background of Virtual Private Networks, the second part is an explanation of how you could attack a VPN and the third part is the configuration of these VPNs.

I configured and documented the following VPNs:

• IPsec site-to-site VPN
• AnyConnect client SSL VPN
• Clientless SSL VPN

In order to configure these VPNs I used the command line interface and the programs Cisco Configuration Professional (CCP) and Cisco Adaptive Security Device Manager (ASDM).

2.1.2 Reflection

I learned a lot about VPNs and everything that happens when a VPN is established. If I had wanted to, I could have asked my professor for more information about VoIP networks, but I didn't. I did all the research by myself and studied by myself. This was very interesting, because I think you can learn much more by researching and finding things out yourself.

2.1.2.1 Setbacks

I used GNS3 in the beginning to make my lab. I tried to work with this program for more than one week, but it crashed every five hours. So I asked my professor if it was possible to get an ASA firewall device. More information about GNS3 can be found in the attachments.

When I got the ASA device I wanted to configure it, but I didn't have a USB-to-console cable, so I asked Benjamin (the man who designed the networking class) for a cable.

This cable didn't work because the driver was not compatible with Windows 8.1; it took me two days to make this cable work with Windows 8.1.

2.1.2.2 Opportunities

I had done some research on Virtual Private Networks before, for my IT-project, and this helped me to start the documentation.

I attended Network Security at the University-College Brussels, where there is a part dedicated to VPNs. This helped me to understand everything about VPNs faster.


I could work directly on an ASA device which I could take to my room at the dormitory to work on it there.

If the networking room was free, I could use all the devices and cables there. I had access to the networking room day and night, but not on Sundays and Holidays.

2.2 Voice over IP

The Voice over IP (VoIP) project was also commissioned by Professor Dominik Engel. He asked me to do research on VoIP.

2.2.1 Job description

My job for Professor Dominik Engel was to do research on Voice over IP, so that he could use my research in his classes.

There are a lot of VoIP protocols and servers available; he asked me to do research on the Session Initiation Protocol (SIP), the Skinny Call Control Protocol (SCCP) and the Real-time Transport Protocol (RTP). These protocols are the most used protocols in VoIP. He also asked me to use an Asterisk server in the lab.

2.2.1.1 Preparation

I had no prior knowledge about Voice over IP, so I needed to do a lot of research in order to understand everything.

I watched some YouTube videos and read a lot of documentation in order to understand the basics of VoIP networks.

2.2.1.2 Tasks

The first task was to do research on VoIP. I needed to include the protocols SIP, SCCP and RTP in my research, as these are the most used VoIP protocols. I also needed to include documentation about the Asterisk VoIP server and the Cisco Unified Communications Manager (CUCM).

The second task was to make a lab that his students could use to learn more about VoIP networks and the security of VoIP networks.

2.2.1.3 Implementation

I designed the lab myself, which was difficult because I needed to think in advance about everything I wanted to include in the lab.

The lab consists of four parts:

• Network topology
• Configuring the lab
• Hacking the lab
• Securing the lab

I included these four parts so that the students who will study my documentation have a complete overview of VoIP networks.

I included the hacking part because, in my opinion, in order to know which kind of security to use, you need to try to hack your network, so that you know at which level of the network you need to implement the correct security measures.


2.2.2 Reflection

It was very interesting to do a project around VoIP networks, as I had no prior knowledge about them. Everything I learned was by watching videos on YouTube and reading through a lot of websites.

2.2.2.1 Setbacks

I wanted to include Secure RTP (SRTP) and SIP over TLS in the lab, but after a lot of research and troubleshooting I couldn't get them working. So I needed to hand in my project without SRTP and SIP over TLS. This was a disappointment to me.

2.2.2.2 Opportunities

I had no prior knowledge about VoIP networks, so it was a good opportunity to learn a lot about this subject. VoIP networks are being implemented more and more in companies, so it was good to learn about this subject.

I got access to the networking room, where I could use VoIP phones and all the devices I needed in order to configure my lab.

2.3 Helping at the Open House of the Fachhochschule Salzburg

The Open House is an open day organized by the Fachhochschule to make students interested in studying at the Fachhochschule rather than at another university. Every major has its own room in the university, and I worked for the networking major. I made a little Voice over IP network so that the visiting students could call each other; they could also replay the conversation with Wireshark. I installed an Asterisk server and, on the same computer, also Wireshark.

2.3.1 Job Description

I needed to make a VoIP network to make students interested in networking and in studying at the Fachhochschule. I made a simple VoIP network that could be eavesdropped on easily, in order to show the students that they would not only learn how to configure these networks but also how to hack and secure them.

2.3.1.1 Preparation

I did some research on VoIP networks so that I could answer all the questions of the students. I also made a simple network design so that I could easily explain to the students what was going on behind the scenes.

This network design is included as an attachment.

2.3.1.2 Tasks

The first task was to configure the VoIP network and the Asterisk server.

The second task was to give an explanation about VoIP networks to the students. The most important aspect was that I needed to be able to answer all the questions of the students.

2.3.1.3 Implementation

The day before the Open House, I went to the school to configure the VoIP network and the Asterisk server. I also helped with the general preparation of the Open House.

The VoIP network consisted of four VoIP phones, which were connected to an Asterisk server through a hub. On the computer where the Asterisk server was configured, I also installed Wireshark, so that we could replay the conversation of the students after they had talked with each other.
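The Open House demonstration works because the phones send plaintext RTP over a hub: every host on the hub sees every packet, and the audio can be rebuilt from the UDP payloads with nothing more than the RTP header format and the G.711 codec. The script below is an added example, not code from this report or from Asterisk or Wireshark. It parses RTP (RFC 3550) headers, reorders one stream by sequence number across the 16-bit wrap, drops duplicates and expands G.711 mu-law (payload type 0) octets to 16-bit PCM. The "capture" (SSRC values 0x1234 and 0xBEEF, the sequence numbers and payload bytes) is constructed inline so it runs offline; on a real capture the same datagrams would be the UDP payloads Wireshark recorded. It also shows why the missing SRTP from the VoIP lab matters: with an encrypted payload the header parsing still works but the decoded samples are noise.

```python
"""Parse plaintext RTP and decode a G.711 mu-law (PCMU) stream to PCM.

Added example for this report (not the report's own code). The capture at
the bottom is constructed inline so the script runs offline.
"""
import struct
from dataclasses import dataclass

PT_PCMU = 0  # static RTP payload type for G.711 mu-law, 8 kHz mono (RFC 3551)


@dataclass
class RtpPacket:
    payload_type: int
    marker: bool
    sequence: int
    timestamp: int
    ssrc: int
    csrcs: list
    payload: bytes


def parse_rtp(datagram: bytes) -> RtpPacket:
    """Parse one RTP datagram (the UDP payload); raise ValueError if malformed."""
    if len(datagram) < 12:
        raise ValueError("RTP fixed header is 12 bytes")
    b0, b1, seq, ts, ssrc = struct.unpack_from("!BBHII", datagram, 0)
    if b0 >> 6 != 2:
        raise ValueError(f"unsupported RTP version {b0 >> 6}")
    padding, extension, cc = bool(b0 & 0x20), bool(b0 & 0x10), b0 & 0x0F
    offset = 12 + 4 * cc
    if len(datagram) < offset:
        raise ValueError("truncated CSRC list")
    csrcs = list(struct.unpack_from(f"!{cc}I", datagram, 12))
    if extension:  # RFC 3550 5.3.1: profile id, then length in 32-bit words
        if len(datagram) < offset + 4:
            raise ValueError("truncated extension header")
        ext_words = struct.unpack_from("!HH", datagram, offset)[1]
        offset += 4 + 4 * ext_words
        if len(datagram) < offset:
            raise ValueError("truncated extension data")
    payload = datagram[offset:]
    if padding:  # last octet counts the trailing padding octets, itself included
        pad = payload[-1] if payload else 0
        if pad == 0 or pad > len(payload):
            raise ValueError("invalid padding count")
        payload = payload[:-pad]
    return RtpPacket(b1 & 0x7F, bool(b1 & 0x80), seq, ts, ssrc, csrcs, payload)


def ulaw_to_linear(u: int) -> int:
    """Expand one G.711 mu-law octet to a signed 16-bit PCM sample."""
    u = ~u & 0xFF  # mu-law octets are transmitted bit-inverted
    sign, exponent, mantissa = u & 0x80, (u >> 4) & 0x07, u & 0x0F
    sample = (((mantissa << 3) + 0x84) << exponent) - 0x84
    return -sample if sign else sample


def reassemble_pcmu(datagrams, ssrc: int) -> list:
    """Return the PCM samples of one PCMU stream, ordered by sequence number.

    Handles the 16-bit sequence wrap, drops duplicates and ignores other
    SSRCs or payload types. Lost packets are not concealed.
    """
    pkts = [p for p in map(parse_rtp, datagrams)
            if p.ssrc == ssrc and p.payload_type == PT_PCMU]
    if not pkts:
        return []
    base = pkts[0].sequence

    def distance(p):  # signed 16-bit distance from the first packet seen
        return ((p.sequence - base + 0x8000) & 0xFFFF) - 0x8000

    seen, samples = set(), []
    for p in sorted(pkts, key=distance):
        if p.sequence in seen:
            continue
        seen.add(p.sequence)
        samples.extend(ulaw_to_linear(b) for b in p.payload)
    return samples


def build_rtp(seq, ts, ssrc, payload, pt=PT_PCMU, marker=False, pad=0) -> bytes:
    """Assemble an RTP datagram; used only to construct the sample capture."""
    b0 = (2 << 6) | (0x20 if pad else 0)
    b1 = (0x80 if marker else 0) | pt
    trailer = bytes(pad - 1) + bytes([pad]) if pad else b""
    return struct.pack("!BBHII", b0, b1, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload + trailer


# Constructed "capture": one PCMU stream (SSRC 0x1234) arriving out of order
# across the 65535 -> 0 wrap, with a duplicate and a packet from another call.
CALL_SSRC = 0x1234
CAPTURE = [
    build_rtp(65535, 160, CALL_SSRC, bytes([0x80, 0x00])),            # loudest +/- samples
    build_rtp(0, 320, CALL_SSRC, bytes([0xEF, 0x6F])),                # +132 / -132
    build_rtp(65534, 0, CALL_SSRC, bytes([0xFF, 0xFF]), marker=True),  # silence, talkspurt start
    build_rtp(65535, 160, CALL_SSRC, bytes([0x80, 0x00])),            # duplicate
    build_rtp(5, 800, 0xBEEF, bytes([0x80])),                         # other SSRC, ignored
]

if __name__ == "__main__":
    pcm = reassemble_pcmu(CAPTURE, CALL_SSRC)
    print(f"{len(pcm)} PCM samples recovered from SSRC {CALL_SSRC:#x}: {pcm}")
```

To turn the recovered samples into something audible, write them as 8 kHz, 16-bit mono with the standard library's `wave` module; Wireshark's RTP player does the same reconstruction, which is what the Open House replay relied on.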


During the Open House, I spent the whole day giving explanations to students about VoIP networks: what they are, how to hack them and how to secure them. I also answered all the questions of the students.

I worked in a team during the Open House, together with Gerold, who is an Austrian student, and with Kevin, who is also an incoming student from Belgium. Gerold gave the explanation in German and Kevin and I gave the explanation in English.

We always split each group of students in two, one group per two phones, which made the large number of students easier to handle.

2.3.2 Reflection

It was nice to be a part of the Open House. It felt good to make other students interested in computer networking, and it also felt nice to be able to pass my knowledge on to other students. Some students who are studying computer networking now came to see what we did with VoIP, and it was nice to explain to them in more depth about VoIP networks in general and how to secure them.

2.4 Reporting from the Wings for Life World Run

The Wings for Life World Run project is a project commissioned by the Cisco Networking Academy.

Jutta Jerlich is an employee at the Cisco Networking Academy; she had the idea to bring students closer to the working environment. So she asked people all around the world if they would like to help in reporting from the Wings for Life World Run Global Race Control Center. She also asked this question to Networking Academy teachers in Austria. Dominik Engel forwarded the mail to me, and I was immediately excited to participate in this event. Thanks to my fast answer I got a place on the core team that was reporting live from the Wings for Life World Run Global Race Control Center.

2.4.1 Wings for Life

Wings for Life is a non-profit spinal cord research foundation. Their mission is to find a cure for spinal cord injury. They fund world-class scientific research and clinical trials around the globe aimed at healing the injured spinal cord.

Progress in spinal cord research is largely driven by private funding. Wings for Life is dependent on donations from individuals and companies, because it is not a common injury.

The Wings for Life foundation were searching to organize a big event to raise money for their foundation. All of the money raised will go directly to spinal cord research.

They contacted Red Bull and they had a great idea for organizing an event.

2.4.2 Wings for Life World Run The Wings for Life World Run is an idea from Sigurd Meiche, he had this idea 7 years ago. But the Red Bull company was not so enthusiastic about his idea, because it is really difficult to accomplish. When Wings for Life asked to organize an event to raise money for spinal cord research, they immediately thought about the idea Sigurd Meiche had a 7 years ago.

2.4.2.1 Cooperation The Wings for Life World Run is organized by Wings for Life, Red Bull, Cisco and Tiani “Spirit”. This event was only possible because of the cooperation of these companies.

2.4.2.2 Concept The Wings for Live World Run is a run that is being run simultaneously in 32 different countries with 34 different runs.


The concept is different from a normal run because there is no finish line for the runners to run to. Two cars, called catcher cars, drive behind the runners at a pre-determined speed that is synchronized across all countries. If a catcher car catches a runner, that runner has finished his race. The last runner caught by the catcher car wins the race. There is a male and a female winner per country and also a global male and female winner. Behind the two catcher cars drives one cheering car, which cheers the runners on to congratulate them on their run.

2.4.3 Job description My job for the Cisco Networking Academy was to report from the Wings for Life World Run Global Race Control Center.

I was in a team of five people: Ivica from Croatia, Felix and Maximillian from Austria, and Kevin, who like me is from Belgium. It was good to work in a team with people with different backgrounds and different interests. Felix and I were interested in the networking part; Kevin, Ivica and Maximillian were more interested in the timing part of the event.

We reported on this event from the Wings for Life World Run Global Race Control Center. This Center was located at the Red Bull Ring in Spielberg. The pit boxes that are usually used for the cars were now used by the different teams. There was a social networking team, a video editing team, a reporting team and a broadcasting team.

2.4.3.1 Preparation The preparation started at the day we arrived at the Red Bull Ring. The preparation was about getting to know the background and concept of the event.

We had a meeting with the CEO of Wings for Life and with the head of Sports of Red Bull international. These two persons explained to us everything we needed to know about the event.

2.4.3.2 Tasks The first task we got was to brainstorm about how and where we would share our reports with the world.

The second task was to introduce ourselves to the world.

The third task was to get to know more about the event from a technical point of view. We needed to write some blog posts and tweets about the technical things that happen behind the scenes.

The fourth task was to make an overview of what we learned during this event and what our findings are about this event.

2.4.3.3 Implementation To implement the first task, we sat together as a team and started talking about what we thought would be best. After some brainstorming we had some good findings. We concluded that Facebook, Twitter and the Cisco blogs were the best channels to get interaction with people. We also made some YouTube videos to get more interaction with interested people.

We did two things to introduce ourselves to the world. We made a YouTube video in which we explained who we are and why we were at the Red Bull Ring. Each member of the team also made an "Upclose personal"; this is a kind of interview in which you explain your interests, character and goals.


Felix and I interviewed the company that was responsible for the internal network at the Red Bull Ring for the Wings for Life event. We also interviewed the people who were working in the satellite park.

We made a blog post from all the information we collected, and we also made 14 twitter posts. We posted one twitter post every 30 minutes. Each twitter post contained one technical fact. In the middle and as the last twitter post, we posted a link to our blog.

An example of a twitter post:

Figure 2-1 Example of a twitter post

We also used Facebook, but only to share the links to the blog.

2.4.4 Reflection Participating in this event was really great and interesting. I learned more about Social Networking and about professionals reacting in crisis situations. It was great being a part of this big event.


Personal Development Plan 1 General competencies At the beginning of my internship I had the skills to communicate fluently in Dutch, which is my mother tongue, and in French. Since I spoke English for four months, I can now also speak English fluently. I have a good basic knowledge of German, thanks to my internship in Austria.

My internship was in an international environment; my team leader is from Austria, and for the Wings for Life project I collaborated with persons from all over the world (Croatia, India, Bulgaria, etc.). English was the only common language.

I supported the company by doing research on subjects concerning network security and VoIP networks. My documentation has been used as course material for the students of network security and VoIP networks.

2 IT competencies Through my internship I learned to collect data and write it up as a clear text. In this way my documentation can be reused in the following years as course material.

I worked independently; the only thing my team leader told me was which subjects he wanted me to research. I specialized in these subjects and wrote documentation about them.

I designed, configured, hacked and secured two labs; my team leader was satisfied with this responsible way of working.


List of attachments

Project 1: Remote Connectivity VPN ..................................................................................................... 23

Project 2: Voice over IP ......................................................................................................................... 91

Project 3: Reporting for Cisco NetAcad ............................................................................................... 137

Project 4: Open House ........................................................................................................................ 159

GNS3 .................................................................................................................................................... 161

Time sheet ........................................................................................................................................... 162

Sources ................................................................................................................................................ 167

Curriculum vitae Nathan Boone ......................................................................................................... 171

Presentation ........................................................................................................................................ 173


Project 1: Remote Connectivity VPN 1 Introduction A lot of companies let their employees work remotely. For most companies it is a must that the connection between the employee's computer and the company network is secure. To achieve this, many companies use a Virtual Private Network (VPN).

2 Virtual private network (VPN) A Virtual Private Network is basically a tunnel across an untrusted network (usually the Internet) in which all the data is encrypted and its integrity and origin are protected. This tunnel is used when an employee wants to work remotely on the network of the company, or to connect two company sites to each other.

2.1 Benefits of using a VPN There are four major security services for which you would opt for a VPN:

• Confidentiality
• Data integrity
• Authentication
• Antireplay

2.1.1 Confidentiality Confidentiality means that only the intended parties can understand the data that is sent. Any party that eavesdrops may see the actual packets, but the contents of the packet, the payload, are scrambled (this is called ciphertext) and are meaningless to anyone who cannot decrypt the data.

2.1.1.1 How does it work? You use a key to encrypt the payload of a packet on your side of the VPN, and the receiver uses a key to decrypt the data when it arrives at the destination.

There are two types of keys:

• Symmetric keys: the key used to encrypt and the key used to decrypt are the same, so sender and receiver must both hold the same secret key (for example AES). The bulk data in a VPN is encrypted with symmetric keys, because symmetric encryption is fast.

• Asymmetric keys: the keys used on both sides are different. Data encrypted with the public key can only be decrypted with the matching private key (for example RSA). Asymmetric keys are used to authenticate the peers and to set up the symmetric keys, not to encrypt the bulk traffic.

2.1.2 Data integrity An important factor in networking is data integrity. If two devices are communicating over a VPN, the data they send to each other must be the same at both ends of the VPN. If an attacker injects bits or data into the packets of a VPN session, data integrity suffers if the modification of the data goes undetected. A VPN uses a keyed hash (an HMAC) to provide data integrity: the hash is computed over the packet with a secret key that only the two peers know, so an attacker can neither modify the packet unnoticed nor recompute a valid hash for the modified packet.


2.1.2.1 How does hashing work? The VPN uses a hashing algorithm to ensure the integrity of the data.

You can use a hashing algorithm on a router to check whether the IOS image is exactly the same as the one that is provided on the Cisco download page.

Command:

R1# verify /md5 flash:/<.bin file that you want to check>

Result:

R1#verify /md5 flash:c1841-ipbasek9-mz.124-22.T.bin
..........................................................Done!
verify /md5 (flash:c1841-ipbasek9-mz.124-22.T.bin) = 991c4bdd206480d91dea021ea7421b12

You can look up the MD5 value associated with the file on the Cisco website; after this you compare the MD5 value that you computed from the file with the MD5 value that is on the Cisco website.

If they are the same, the file is exactly the same as the one on the website of Cisco. Note that MD5 is no longer collision-resistant, so where the platform supports it (newer IOS releases accept verify /sha512) compare the SHA-512 value instead. Either way, the value you compare against must come from Cisco over an authenticated channel (HTTPS); an attacker who can replace the image on an untrusted mirror can replace a published hash on that mirror as well.

2.1.2.2 How does hashing work for a VPN? The VPN does the same thing as explained above on every packet that is sent over the VPN, but with a secret key mixed in.

The initiator adds a hash (the integrity check value) to the packet. The responder runs the same keyed hashing algorithm over the received packet, and if the value it computes is the same as the value it received, the packet has not been modified in transit.

The different hashing algorithms:

• Message Digest 5 (MD5): provides a 128-bit hash. Deprecated; only use it where nothing better is supported.
• Secure Hash Algorithm 1 (SHA-1): provides a 160-bit hash.
• Secure Hash Algorithm 2 (SHA-2): a family that provides a 224-, 256-, 384- or 512-bit hash (SHA-224, SHA-256, SHA-384, SHA-512). Prefer SHA-256 or better for new VPNs.
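The two uses of hashing described above, as an added example that is not part of the report: the image check compares a computed digest with a published one, and the packet check shows why a VPN needs a keyed hash (HMAC) rather than a plain hash. The image bytes, the key and the payloads are constructed for the example; the key stands in for the integrity key the two peers negotiated.

```python
"""Integrity checks: image verification and keyed vs unkeyed packet hashes.
Added example, not from the report. Sample bytes are constructed, not a real IOS image."""
import hashlib
import hmac

# Constructed stand-in for an IOS .bin file (a real one is tens of MB).
SAMPLE_IMAGE = b"\x7fELF" + bytes(range(256)) * 4

DIGESTS = {"md5": hashlib.md5, "sha512": hashlib.sha512}


def image_digest(data: bytes, algo: str = "md5") -> str:
    """What 'verify /md5 flash:<file>' (or verify /sha512) prints: hex digest of the file."""
    return DIGESTS[algo](data).hexdigest()


def image_matches(data: bytes, published: str, algo: str = "md5") -> bool:
    """Compare the computed digest with the value published on the download page.
    compare_digest runs in constant time, so the comparison itself leaks nothing."""
    return hmac.compare_digest(image_digest(data, algo).lower(), published.strip().lower())


TAG_LEN = 32  # SHA-256 output length


def tag_unkeyed(payload: bytes) -> bytes:
    """A plain hash appended to a packet: anyone on the path can recompute it."""
    return hashlib.sha256(payload).digest()


def tag_keyed(key: bytes, payload: bytes) -> bytes:
    """HMAC-SHA256, the kind of integrity check value IPsec uses: needs the shared key."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def protect(key: bytes, payload: bytes) -> bytes:
    """Sender side: payload || HMAC(key, payload)."""
    return payload + tag_keyed(key, payload)


def verify_keyed(key: bytes, packet: bytes):
    """Receiver side: recompute the HMAC and compare. Returns (ok, payload)."""
    payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    return hmac.compare_digest(tag_keyed(key, payload), tag), payload


def verify_unkeyed(packet: bytes):
    """Receiver side for the plain-hash scheme. Returns (ok, payload)."""
    payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    return hmac.compare_digest(tag_unkeyed(payload), tag), payload


def mitm_rewrite_unkeyed(packet: bytes, new_payload: bytes) -> bytes:
    """Attacker on the path against a plain hash: swap the payload and recompute the hash."""
    return new_payload + tag_unkeyed(new_payload)


def mitm_rewrite_keyed(packet: bytes, new_payload: bytes) -> bytes:
    """Same attacker against an HMAC: without the key the best it can do is reuse the old tag."""
    return new_payload + packet[-TAG_LEN:]


def demo() -> dict:
    """Runs both attacks; the keyed scheme is the only one that catches the rewrite."""
    key = b"shared-vpn-key"  # assumption: the integrity key the peers negotiated
    original, forged = b"transfer 10 EUR", b"transfer 10000 EUR"
    unkeyed_packet = original + tag_unkeyed(original)
    keyed_packet = protect(key, original)
    return {
        "image_ok": image_matches(SAMPLE_IMAGE, image_digest(SAMPLE_IMAGE)),
        "unkeyed_attack_passes": verify_unkeyed(mitm_rewrite_unkeyed(unkeyed_packet, forged))[0],
        "keyed_attack_passes": verify_keyed(key, mitm_rewrite_keyed(keyed_packet, forged))[0],
    }
```

The plain hash only protects against accidental corruption; it is the key that turns a hash into an authentication of the packet, which is why IPsec integrity algorithms are always HMAC variants (or an authenticated encryption mode).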


2.1.3 Authentication You need to authenticate the other device to which you are establishing the VPN. You do this to make sure that you are not establishing a VPN to an attacker's machine that is pretending to be your peer.

2.1.3.1 How does authentication work? To do authentication you can use different methods:

• Pre-shared keys used for authentication only: pre-shared keys are keys that are shared between the initiator and the responder. These keys need to be the same on both sides; it is like a password for the VPN. The pre-shared key itself is never sent over the wire: each side proves that it knows the key by computing a keyed hash over the negotiation.

• Public-Private Key pair:

Figure 2-1 Public-Private Key pair

Bob takes a message and adds a digital signature to it. The digital signature is a hash of the message that is encrypted with Bob's private key. He then encrypts the message together with the signature with the public key of Alice and sends the whole thing to Alice. Alice decrypts the whole thing with her private key; this gives her the message and the signature. She then decrypts the signature with the public key of Bob and compares the result with her own hash of the message; if they match, the message really comes from Bob (only Bob's private key could have produced that signature) and it was not modified. In IPsec this is done with digital certificates issued by a CA, so that each peer also knows that the public key really belongs to the other side.

• User authentication in combination with remote-access VPNs: on top of the device authentication, the user logs in with a username and password (or a one-time token), usually checked against a AAA server.

2.1.4 Antireplay Suppose an attacker watches your VPN traffic and captures it with the intent to replay it later, either to fool one of the VPN peers into believing that the peer trying to connect is a legitimate peer, or to make the peer process the same data a second time. To prevent this, most implementations of VPNs have antireplay functionality built in. Every IPsec packet carries a sequence number that is covered by the integrity hash, and the receiver keeps a sliding window of the sequence numbers it has already accepted: once a VPN packet has been received and accounted for, that exact same VPN packet is not valid a second time in the VPN session, and packets that fall behind the window are dropped as well.

2.1.5 Conclusion

Objective        Method
Confidentiality  Encryption
Data integrity   Hashing (HMAC)
Authentication   Pre-shared keys, public/private key pair (certificates), user authentication
Antireplay       Integrated in IPsec (sequence numbers and a sliding window)

Figure 2-2 Conclusion of what a VPN uses.


2.2 Types of VPN There are two main technologies for building a VPN: a Secure Socket Layer (SSL) VPN (in practice TLS, the successor of SSL) or an Internet Protocol Security (IPsec) VPN.

• IPsec: this implements security at layer 3 of the OSI model; it can be used for site-to-site and remote-access VPNs.

• SSL: Secure Socket Layer; this implements security on top of TCP sessions at layer 4 of the OSI model. It can be used for remote-access VPNs and is the same technology that secures a website that supports HTTPS.

2.2.1 Main types of VPN The IPsec and SSL technologies can be used to make:

• Site-to-site VPNs
• Client-to-site VPNs

2.2.1.1 Site-to-site VPN A site-to-site VPN is a VPN that you use when your company has two sites, for example one in Germany and one in Austria. You can build a site-to-site VPN between the two gateways so that the servers on one site are easily accessible from the other site. You basically merge the two networks into one big network. The best practice for a site-to-site VPN is to use IPsec.

2.2.1.2 Client-to-site VPN A client-to-site VPN is a VPN that an individual uses to work remotely from an untrusted network, like the public Wi-Fi of a McDonalds, towards the secure network of the company. The best practice for a client-to-site VPN is to use an SSL VPN from within the browser or with the AnyConnect client. You can also use an IPsec VPN, but in that case you need to install the Cisco VPN Client.

2.3 SSL vs IPsec

• Applications
o SSL: web-based applications, file sharing, email. With the full AnyConnect client, all IP-based applications, similar to IPsec, are available.
o IPsec: all IP-based applications are available to the user. The experience is like being on the local network.

• Encryption
o SSL: moderate range of key lengths.
o IPsec: stronger range of longer key lengths.

• Authentication
o SSL: moderate, one-way or two-way authentication.
o IPsec: strong, two-way authentication using shared secrets or digital certificates.

• Ease of use
o SSL: very high.
o IPsec: moderate. Can be challenging for nontechnical users, and deployment is more time-consuming.

• Overall security
o SSL: moderate. Any device can initially connect.
o IPsec: strong. Only specific devices with specific configurations, such as a VPN client, can connect.

Figure 2-3 SSL vs IPsec


2.4 IPsec VPN An IPsec VPN is a VPN that operates on the third layer of the OSI model, the network layer. An IPsec VPN uses two phases to establish a fully working VPN. These phases are:

• Internet Key Exchange Phase 1 (IKE Phase 1)
o Main mode
o Aggressive mode

• Internet Key Exchange Phase 2 (IKE Phase 2)

2.4.1 Internet Key Exchange Phase 1 (IKE Phase 1) The IKE Phase 1 tunnel (the ISAKMP security association) is a tunnel that is used to protect the management traffic of the VPN, in particular the negotiation of the IKE Phase 2 tunnel. Five subjects need to be agreed upon for the making of the IKE Phase 1 tunnel:

• The hash algorithm: Message Digest 5 (MD5) or Secure Hash Algorithm (SHA).
• The encryption algorithm: Data Encryption Standard (DES), Triple DES (3DES) or Advanced Encryption Standard (AES).
• The Diffie-Hellman group: which modulus (or elliptic curve) is used for the Diffie-Hellman exchange, which determines its strength. The Diffie-Hellman shared secret is never sent on the wire; it is the keying material from which the keys that encrypt and authenticate the tunnel are derived.
• The authentication mode: this is used to check the identity of the initiator and the responder. This can be accomplished with pre-shared keys or a public-private key pair (certificates).
• Lifetime: the lifetime is also discussed in IKE Phase 1. This is the one property that does not need to match on both devices; the shorter of the two is used.

DES, 3DES, MD5 and the small Diffie-Hellman groups (1, 2 and 5) are considered weak today; for a new deployment use AES, SHA-2 and Diffie-Hellman group 14 or higher.

You can choose between two modes to make the IKE Phase 1; the two modes are:

• Main mode
• Aggressive mode

2.4.1.1 Main mode This is the mode that is used the most, because it is the safest. Main mode consists of six messages in three exchanges:

• GW1 and GW2 decide which algorithms and hashes will be used to secure the IKE Phase 1 tunnel.

• After this is done, both gateways perform the Diffie-Hellman exchange; the result is the shared secret keying material.

• Last, GW1 and GW2 exchange their identities and prove them (with the pre-shared key hash, or with certificates and signatures). This last exchange is already encrypted with keys derived from the Diffie-Hellman secret, so an eavesdropper sees neither the identities nor the authentication hashes.


Figure 2-4 IKE Phase 1


2.4.1.2 Aggressive mode This mode is less secure. With main mode all the traffic is encrypted from the moment the Diffie-Hellman shared secret has been made.

With aggressive mode the identities and the authentication hash are sent in the clear, before anything is encrypted. So someone who eavesdrops on the exchange captures the hash that the responder uses to prove its identity; because that hash is computed from the pre-shared key and values that are all visible on the wire, the eavesdropper can guess the pre-shared key offline and, once found, fake an identity and get into the IKE Phase 1. This only applies if you use aggressive mode.

Aggressive mode squeezes the negotiation into three messages:

• In the first two messages, GW1 and GW2 negotiate a matching policy to protect the IKE exchange (which algorithms, hash and Diffie-Hellman group to use), exchange their Diffie-Hellman public values and nonces, and send their identities; the responder already sends its authentication hash in the second message.

• In the third message, the initiator proves its own identity to the responder. If this is successful, the IKE security association (the Phase 1 tunnel) is established.

2.4.2 Internet Key Exchange Phase 2 (IKE Phase 2) IKE Phase 2 is encrypted according to the keys and methods agreed upon in IKE Phase 1. The key material exchanged during IKE Phase 2 is used for building the IPsec keys. The outcome of Phase 2 is the IPsec Security Association (IPsec SA). The IPsec SA is an agreement on keys and methods for IPsec, so the IPsec data traffic is protected according to the keys and methods agreed upon in IKE Phase 2. IKE Phase 2 is also called quick mode or the IPsec phase.

2.4.2.1 Quick mode "Quick mode", also called "IKE Phase 2", is the mode that is used to set up the actual IPsec tunnel.

This mode consists of three steps:

Figure 2-5 IPsec Phase 2


If all is agreed the IPsec SA will arise. This is a collection of encryption methods and keys that will be used to securely transfer the data.

Figure 2-6 IPsec tunnel

2.5 SSL VPN A Secure Socket Layer VPN (SSL VPN) is a kind of VPN that is used most for client-to-site VPNs, because it is easy to set up and you can even set up a VPN without installing anything on the PC.

An SSL VPN uses the TLS and SSL protocol framework. These are cryptographic protocols that provide secure transactions on the Internet for things like email, web browsing, instant messaging, and so on. (SSL 3.0 and older are broken; what is deployed today is TLS, but the name "SSL VPN" has stuck.)

Most browser-based online transactions are secured by SSL or TLS.

These protocols provide:

• Confidentiality: encryption of the session with symmetric algorithms.
• Integrity: a keyed hash (HMAC) or an authenticated encryption mode over every record.
• Authentication: public-private key pairs and digital signatures (certificates), and asymmetric encryption or Diffie-Hellman for the exchange of the session keys.


2.5.1 How does SSL work? A basic SSL session works as follows:

• The client initiates a connection to the server using the server's IP address and the destination TCP port 443. The source IP address is the one of the client, and the source port is a random unused port greater than 1023.

• The standard TCP three-way handshake takes place.

• After the client sends its request for a connection (the ClientHello), the server responds, providing its digital certificate, which contains the server's public key.

• The client needs to verify the authenticity of the server. This is where the PKI comes into play; the client needs to do a couple of things to make sure the certificate is valid. (In a testing environment you can skip these checks to make it work, but in production skipping them removes the authentication of the server and makes a man-in-the-middle attack trivial.)

o The digital certificate must be signed by a certificate authority (CA) that the client's browser trusts.
o The certificate must have a valid date.
o The certificate must not be in the Certificate Revocation List (CRL).
o The name in the certificate must match the hostname the client connected to.

• The client generates a random secret for the encryption (the pre-master secret). With RSA key exchange the client encrypts this secret with the public key of the server and sends it to the server; with (EC)DHE key exchange, which is what current TLS uses, both sides derive the secret from a Diffie-Hellman exchange instead, so a stolen server key cannot be used to decrypt recorded sessions.

• The server decrypts (or derives) the secret, and both sides derive the symmetric session keys from it.

• The SSL session is encrypted with those keys.


2.5.2 Options for SSL VPN implementations

• Clientless SSL VPN
o Other names: WebVPN.
o Client software: no client required.
o User experience: feels like accessing resources (that are in the corporate network) through a specific browser window or hyperlink.
o Servers that can be used: IOS with the correct software and ASA with the correct licenses.
o How the user looks from the corporate network: traffic is proxied (Port Address Translation [PAT]) by the SSL server as the user's packets enter the corporate network.
o Clients supported: most SSL-capable computers.

• Clientless SSL VPN with plug-ins for some port forwarding
o Other names: thin client.
o Client software: small applets and/or configuration required.
o User experience: some applications can be run locally with their output redirected through the VPN. Includes the features of the clientless VPN.
o Servers that can be used: IOS with the correct software and ASA with the correct licenses.
o How the user looks from the corporate network: traffic is proxied (Port Address Translation [PAT]) by the SSL server as the user's packets enter the corporate network.
o Clients supported: computers that support SSL and Java.

• Full AnyConnect SSL VPN client
o Other names: full SSL client; installed software on the client.
o Client software: full install of AnyConnect required, but it may be installed by initially connecting via the clientless option and securely installing it that way.
o User experience: full access to the corporate network. The local computer acts and feels like a full participant on the corporate network.
o Servers that can be used: IOS with the correct software and ASA with the correct licenses.
o How the user looks from the corporate network: clients are assigned their own virtual IP address to use while accessing the corporate network. Traffic is forwarded from that IP address into the corporate network.
o Clients supported: most computers that support SSL.


2.6 Attacking a VPN

2.6.1 Google hacking for VPN When you want to attack a VPN you can start by searching on Google. The search string that you can enter is filetype:pcf site:<siteOfCompany>.

The Cisco VPN Client stores its connection profile information in files with the extension ".pcf". The group password in this file is stored in an encrypted (in reality only obfuscated) form, but you don't even need to try to decrypt it. You can just import the file into a Cisco VPN Client, and the VPN Client will then connect you to the company network (or at least bring you to the user-authentication step, if the company uses XAUTH).

2.6.1.1 Google hacking for VPN countermeasures You should not be able to find .pcf files on the Internet, but with some companies this is the case. There are a lot of people who want to set up a VPN but don't really know what they are doing. Check it yourself with the same search, keep profile files off web servers and out of public repositories, and if a profile has leaked, treat the group password as compromised and change it.

2.6.2 Probing IPsec VPN servers To find out whether there is a VPN server available on the network, you can do a port scan for UDP port 500. The port may be filtered; in that case it does not show up in the scan. If you cannot find anything and you are sure there is a VPN, you can use ike-scan. Also scan UDP port 4500: that is where IKE and ESP run when NAT traversal (NAT-T) is in use.

2.6.2.1 Nmap UDP scan IKE uses UDP port 500, so if you do a port scan for UDP port 500 you can find where the VPN server is.

Command:

root@bt: # nmap -sU -p 500 192.168.1.1

Result:

Starting Nmap 6.25 ( http://nmap.org ) at 2014-01-16 11:08 CET
Nmap scan report for 192.168.1.1
Host is up (0.00062s latency).
PORT    STATE SERVICE
500/udp open  isakmp
MAC Address: 44:03:A7:AA:02:E0 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 13.17 seconds

Keep in mind that UDP scanning is slow and that Nmap reports "open|filtered" when it gets no answer at all; only a real ISAKMP reply gives the "open" shown here.

2.6.2.2 ike-scan

If the Nmap scan fails you can still use ike-scan. You can also use ike-scan to get detailed info about the VPN, such as the vendor (fingerprinting) and which transforms it accepts.

Command:

root@bt: # ike-scan 192.168.1.1

Result:

Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.1.1    Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=0e803d2b90649737)
Ending ike-scan 1.9: 1 hosts scanned in 0.014 seconds (72.26 hosts/sec).  0 returned handshake; 1 returned notify

NO-PROPOSAL-CHOSEN already confirms that an IKE responder is listening; it only means that none of the transforms ike-scan proposed by default matched the server's policy. Try other transforms (the --trans option), or aggressive mode with an identity (the -A and --id options).

ike-scan can be downloaded from www.nta-monitor.com/tools/ike-scan


More information on ike-scan: http://www.nta-monitor.com/wiki/index.php/Ike-scan_Documentation

2.6.2.3 Probing VPN servers countermeasures You can do little against the probing of VPN servers. What you can do with site-to-site VPNs is only allow the IP addresses that you know (filter UDP 500, UDP 4500 and ESP from anywhere else). This is not possible with a client-to-site VPN, because the IP address of the client can change over time.

2.6.3 Attacking IKE aggressive mode There is a way to hack a VPN tunnel, but only when the VPN tunnel uses aggressive mode with pre-shared keys in IKE Phase 1.

You can use IKEProbe to find out whether the VPN server is vulnerable.

IKEProbe can be downloaded from www.ernw.de/download/ikeprobe.zip

If you know from IKEProbe that the VPN server is configured to use aggressive mode, you can use the Perl script IKECrack to initiate a connection to the target VPN server and capture the authentication messages. You can then perform an offline brute-force attack against them. (ike-scan can do the same: the -A option starts an aggressive-mode exchange and -P writes the captured hash in a format that its psk-crack tool can attack.) This works because in aggressive mode the hash with which the responder authenticates itself is sent unencrypted and is computed from the pre-shared key and from values that are all visible on the wire (the nonces, the Diffie-Hellman public values, the cookies, the proposal and the identity), so each guess for the pre-shared key can be checked without talking to the server again.

It can take a long time to perform this attack, but it is possible, and with a weak pre-shared key and a good wordlist it is usually fast.
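Both the Diffie-Hellman step of IKE Phase 1 (section 2.4.1) and the aggressive-mode attack described here, as one added example that is not part of the report and not the code of IKECrack or ike-scan. It models the IKEv1 exchange of RFC 2409 with a pre-shared key: the two gateways derive a Diffie-Hellman secret that never appears on the wire, the responder sends HASH_R in the clear, and an eavesdropper brute-forces the pre-shared key offline from the captured fields. The Diffie-Hellman group is a toy one, the packet fields are simplified, and the identities, proposal bytes and wordlist are constructed for the example.

```python
"""IKEv1 aggressive mode with a pre-shared key: the Diffie-Hellman exchange of Phase 1
and why the responder's hash can be brute-forced offline. Added example, not from the
report; the DH group is a toy one and the packet fields are simplified."""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (a 127-bit Mersenne prime with generator 2): it is NOT an
# IKE group, real deployments use group 14 or higher.
P = (1 << 127) - 1
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf when SHA is the negotiated hash: HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def _b(x: int) -> bytes:
    return x.to_bytes(16, "big")


def hash_r(psk: bytes, w: dict) -> bytes:
    """RFC 2409 with pre-shared keys: SKEYID = prf(PSK, Ni | Nr) and
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi | IDir).
    Apart from the PSK, every input is a field that is sent on the wire."""
    skeyid = prf(psk, w["Ni"] + w["Nr"])
    return prf(skeyid, _b(w["gxr"]) + _b(w["gxi"]) + w["CKY_R"] + w["CKY_I"]
               + w["SAi"] + w["IDir"])


def aggressive_exchange(psk: bytes, idir: bytes = b"vpn.example.com") -> dict:
    """Runs initiator and responder and returns what a passive eavesdropper captures."""
    xi, xr = 1 + secrets.randbelow(P - 2), 1 + secrets.randbelow(P - 2)  # DH private values
    # Message 1, initiator -> responder, in the clear: proposal, g^xi, Ni, IDii.
    wire = {"SAi": b"\x00\x01AES-SHA-G2-PSK", "gxi": pow(G, xi, P),
            "Ni": secrets.token_bytes(16), "CKY_I": secrets.token_bytes(8),
            "IDii": b"remote-users"}
    # Message 2, responder -> initiator, still in the clear: g^xr, Nr, IDir and HASH_R.
    wire.update({"gxr": pow(G, xr, P), "Nr": secrets.token_bytes(16),
                 "CKY_R": secrets.token_bytes(8), "IDir": idir})
    wire["HASH_R"] = hash_r(psk, wire)
    # Both sides now hold the same DH secret; it never appears on the wire.
    assert pow(wire["gxi"], xr, P) == pow(wire["gxr"], xi, P)
    return wire


def main_mode_capture(psk: bytes, idir: bytes = b"vpn.example.com") -> dict:
    """Main mode sends IDir and HASH_R in messages 5 and 6, which are already encrypted
    with keys derived from the DH secret; a passive attacker sees only ciphertext,
    modelled here by leaving those fields out of the capture."""
    wire = aggressive_exchange(psk, idir)
    for hidden in ("IDir", "HASH_R"):
        del wire[hidden]
    return wire


def crack_psk(capture: dict, wordlist):
    """Offline brute force (what IKECrack and ike-scan's psk-crack do): recompute HASH_R
    for each candidate PSK from the captured fields and compare with the captured one."""
    if "HASH_R" not in capture:
        return None  # nothing to test guesses against
    for candidate in wordlist:
        if hmac.compare_digest(hash_r(candidate, capture), capture["HASH_R"]):
            return candidate
    return None
```

Nothing in crack_psk contacts the server: one captured exchange is enough to test an unlimited number of guesses, which is why a dictionary-word pre-shared key behind aggressive mode falls quickly, and why the same capture of a main-mode exchange gives the attacker nothing to compare against.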

2.6.3.1 Attacking IKE aggressive mode countermeasure The best way to defend against this attack is to never use aggressive mode when configuring a VPN. If you cannot avoid it (some remote-access clients with dynamic addresses only support aggressive mode), use certificates instead of a pre-shared key, or at least a long random pre-shared key combined with user authentication (XAUTH), and change the key when a client device is lost.

2.7 Other uses of VPNs You can do a lot more with a VPN than you think. For example:

• Play old multiplayer games with friends all over the world via a VPN, using Hamachi.
• Access the full Netflix and streaming content from outside the USA.
• Break out of a restrictive network at work or school.
• Download and upload P2P files in privacy.
• Bypass a country's web censorship and content surveillance.
• Cloak your VoIP phone calls.
• Use search engines without having your searches logged.
• Watch home-country broadcasts while you are travelling.
• Avoid having your research traced back to you.


3 Cisco ASA Firewall A Cisco ASA firewall is a firewall that runs on an ASA device, an Adaptive Security Appliance.

3.1 The features of a Cisco ASA The Cisco ASA firewall includes the following features:

• Stateful filtering: when a packet is sent from one interface to another, the packet is inspected and the reply traffic is allowed back automatically.

• Application inspection/awareness: you can do deep packet inspection to search the data part of the packets for protocol violations, viruses or other malicious traffic.

• Packet filtering: you can inspect the packets and make rules for the source and destination IP address as well as for the protocol and the source and destination port numbers.

• Network Address Translation (NAT): with NAT it is possible to have a lot of private IP addresses behind one public IP address.

• DHCP.

• Routing: the ASA can route packets between different networks.

• Layer 3 or Layer 2 implementation: the ASA can be implemented as a layer 3 (routed) or a layer 2 (transparent) networking device.

• VPN support: it is possible to configure the ASA as an IPsec and an SSL VPN endpoint at the same time.

• Object groups: this is a configuration item on the ASA that lets you put multiple IP addresses or network address ranges in one object group. An access list can then refer to an object group.

• Botnet traffic filtering: the ASA works with an external system at Cisco that provides the Botnet Traffic Filter database and can protect against attacks that originate from a botnet.

• High availability: by using two firewalls in a high-availability failover combination, you can implement protection against a single system failure.

• AAA support: it is possible to use authentication, authorization and accounting (AAA) services on the ASA.

3.2 ASA Security Levels The ASA uses security levels to control the flow of traffic. The security level is a number between 0 and 100 that is assigned to each interface. You also need to give each interface a name. The higher the number, the more trust you have in that network.

For example: I would always give my internal network a security level of 100 because I trust that network, and the outside (Internet) interface a security level of 0. But be aware that the level not only applies to the directly connected network but to all networks reachable through that interface.

You need to do three things to make an interface of the ASA operational:

• assign a security level to the interface (the security-level command)
• assign a name to the interface (the nameif command)
• bring up the interface with the no shutdown command


3.3 Default flow of traffic By default, the ASA forwards traffic if the initial traffic is sourced from a device that lives off its high-security interface (such as inside, with a level of 100), and if the destination of the packet is being routed out of an interface that has a lower security level. The return traffic is allowed back in through the high-security interface because of the stateful inspection. Traffic that starts from a lower security level towards a higher one is dropped unless an access list explicitly permits it, and traffic between two interfaces with the same security level is also dropped by default.

3.4 Packet filtering ACL If you have made a zone called a Demilitarized Zone (DMZ) that hosts a web server which needs to accept traffic from a lower zone (the outside zone), you can implement packet filtering access lists. You configure this by allowing traffic in that originates from the outside interface (inbound from a security level perspective) and goes to the correct IP address and correct port of the web server in the DMZ. Permit only the ports the web server really needs (80 and 443), not the whole host.

3.5 Modular Policy Framework On the ASA, you use class maps to identify traffic, policy maps to define the actions you are going to take on that traffic, and service policy commands to apply the policy.

• Class maps: class maps identify traffic based on layer 3 and layer 4 information. You can for example use a class map to identify all FTP traffic and forward it to the Intrusion Prevention System for deeper inspection, or identify all voice traffic and give that traffic a higher priority. A class map can identify traffic using several different methods:

o Referring to an access list
o TCP or UDP ports
o IP Precedence
o Real-time Transport Protocol (RTP) port numbers
o VPN tunnel groups

• Policy maps: these define the actions that are taken on the traffic identified by the class maps. Policy maps with multiple sections are processed in order. A policy map can take the following actions:

o Reroute the traffic to a hardware module such as the IPS module that can be inside the ASA
o Perform inspection on that traffic
o Give priority treatment to the forwarding of that traffic
o Rate-limit or police that traffic
o Perform advanced handling of the traffic

• Service policies: this is where you apply the policies. The policies can be applied in different ways:

o To a specific interface; every interface can only have one policy applied to it
o As a globally applied policy, on all the interfaces
o It is possible for an interface to have a policy applied to it and also inherit from the global policy (this only works if there is no conflict between the two policies)


4 Prior to starting with the lab Because the latest Java update is causing some problems, and the programs which you will be working with use Java, you need to do some things before you can start the lab.

4.1 Cisco ASDM ASDM is the program that you will use for configuring the ASA. I made an overview in screenshots of what you need to do to make ASDM work with the newest Java update. Keep in mind that adding a site to Java's exception site list lowers Java's protection for that site: only add the management address of the ASA, and remove it again when the lab is finished.

4.1.1 Start the Java Configuration Panel You need to type in "Java" and then choose "Configure Java" to go to the Java configuration panel.

Figure 4-1 Get ASDM working


4.1.2 Go to Sicherheit and Siteliste bearbeiten

You need to go to Sicherheit (Security) and then to Siteliste bearbeiten (Edit Site List) to change the trusted sites.

Figure 4-2 Get ASDM working


4.1.3 Press on Hinzufügen

By pressing Hinzufügen (Add), you add this site to the trusted sites. The exception site list bypasses Java's security checks for the listed sites, so keep it limited to the address of the ASA.

Figure 4-3 Get ASDM working

4.1.4 Add https://192.168.1.1

You need to add https://192.168.1.1 to the trusted sites, because this is the IP address of the ASA where ASDM will be running.

Figure 4-4 Get ASDM working

After these steps, you should be able to run ASDM from within the web browser.


4.2 Cisco Configuration Professional

Cisco Configuration Professional (CCP) is the tool you will use to make the VPN endpoint on the router. There are also a couple of things that need to be done in order to make the program work.

4.2.1 Add Local host to compatibility view

You need to add the local host to the compatibility view of the browser.

Figure 4-5 Get CCP working

Figure 4-6 Get CCP working


4.2.2 Go back to the Java Configuration panel and add http://127.0.0.1:8600

You need to add the local host as a trusted site in the Java configuration panel.

Figure 4-7 Get CCP working

4.2.3 Run CCP

Always run CCP as administrator.


5 How to update the Cisco ASA with tftp and CLI

Before you start this lab, you need to make sure you are using the correct ASA and ASDM image, and that the AnyConnect client software is present on the ASA.

5.1 Check if the correct image is running

To make sure that the correct image is running, you can use the following command:

CCNAS-ASA# show version

In the output, make sure you see the following:

Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)

If you see this information, you can start with the lab. If not, go to the next step.

5.2 Show the flash memory

If you need to update the ASA and/or the ASDM firmware, you first show the flash memory to check whether the firmware is already on the ASA. You can do this with the following command:

CCNAS-ASA# show flash:

The files that need to be in the flash memory are:

Asa842.bin
Asdm-645.bin
Anyconnect-win-2.5.2014-k9.
Anyconnect-win-3.1.01065-pre-deploy-k9.msi

If these files are in place, you can jump to the step to change the boot image.

5.3 Upload the files with tftp

If the files are not in the flash memory, you will need to upload them with tftp. You first configure an interface on the ASA so that a computer can connect to it. After this, you need to install a tftp server on the computer that is connected to the ASA.

Tftp server download: http://tftpd32.jounin.net

When this is done, enter the following commands:

CCNAS-ASA# copy tftp: flash:
Address or name of remote host []? 192.168.1.3
Source filename [provide the files you want to upload]? asa842-k8.bin
Destination filename [asa842-k8.bin]? asa842-k8.bin

Files you will need to upload to the ASA:

anyconnect-win-2.5.2014-web-deploy-k9.exe
anyconnect-win-3.1.01065-pre-deploy-k9.msi
asa842-k8.bin
asdm-645.bin

5.4 Change the boot image

Once these files are in the flash, you can change the boot image with the following commands. The image names are given with their location (disk0:/, which is the same storage as flash: on this ASA):

CCNAS-ASA# conf t
CCNAS-ASA(config)# boot system disk0:/asa842-k8.bin
CCNAS-ASA(config)# asdm image disk0:/asdm-645.bin
CCNAS-ASA(config)# exit
CCNAS-ASA# write mem
CCNAS-ASA# reload


6 Setting up an IPsec site-to-site and SSL VPNs with an ASA Firewall

6.1 Topology

6.2 IP Addressing Table

Device         Interface       IP Address        Subnet Mask        Default Gateway   Switch Port
R1             FA0/0           209.165.200.225   255.255.255.248    /                 ASA E0/0
               S0/0/0          10.1.1.1          255.255.255.252    /                 /
R2             S0/0/0          10.1.1.2          255.255.255.252    /                 /
               S0/0/1          10.2.2.2          255.255.255.252    /                 /
R3             FA0/1           172.16.3.1        255.255.255.0      /                 S3 FA0/5
               FA0/0           172.16.4.1        255.255.255.0      /                 /
               S0/0/1          10.2.2.1          255.255.255.252    /                 /
ASA            VLAN 1 (E0/1)   192.168.1.1       255.255.255.0      /                 S2 FA0/24
               VLAN 2 (E0/0)   209.165.200.226   255.255.255.248    /                 R1 FA0/0
               VLAN 3 (E0/2)   192.168.2.1       255.255.255.0      /                 S1 FA0/24
DMZServer      NIC             192.168.2.3       255.255.255.0      192.168.2.1       S1 FA0/6
InternalHost   NIC             192.168.1.3       255.255.255.0      192.168.1.1       S2 FA0/18
ExternalHost   NIC             172.16.3.3        255.255.255.0      172.16.3.1        S3 FA0/18
ExternalHost2  NIC             172.16.4.3        255.255.255.0      172.16.4.1        R3 FA0/0


6.3 Objectives

• Setting up a Cisco ASA Firewall.
• Setting up an IPsec tunnel between the router of the branch office and the corporate network.
• Setting up an SSL Clientless VPN connection between a remote host and the ASA of the corporate network.
• Setting up an SSL AnyConnect client VPN connection between a remote host and the ASA of the corporate network.

6.4 Basic configuration of the Routers

The basic configuration is the configuration that the networking devices need in order to communicate with each other: IP addresses, default routes and passwords.

6.4.1 Router 1 basic configuration

R1#enable
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#hostname R1
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 209.165.200.225 255.255.255.248
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 10.1.1.1 255.255.255.252
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0
R1(config)#line vty 0 4
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#exit
R1(config)#line con 0
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#end
R1#copy run start

6.4.2 Router 2 basic configuration

R2#enable
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#hostname R2
R2(config)#interface serial 0/0/0
R2(config-if)#ip address 10.1.1.2 255.255.255.252
R2(config-if)#no shut
R2(config-if)#interface serial 0/0/1
R2(config-if)#ip address 10.2.2.2 255.255.255.252
R2(config-if)#clock rate 64000
R2(config-if)#no shut
R2(config-if)#exit
R2(config)#ip route 209.165.200.224 255.255.255.248 serial 0/0/0
R2(config)#ip route 172.16.3.0 255.255.255.0 serial 0/0/1
R2(config)#line vty 0 4
R2(config-line)#password cisco
R2(config-line)#login
R2(config-line)#exit
R2(config)#line con 0
R2(config-line)#password cisco
R2(config-line)#login
R2(config-line)#end
R2#copy run start


6.4.3 Router 3 basic configuration

R3#enable
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#hostname R3
R3(config)#interface serial 0/0/1
R3(config-if)#ip address 10.2.2.1 255.255.255.252
R3(config-if)#no shut
R3(config-if)#interface fastEthernet 0/1
R3(config-if)#ip address 172.16.3.1 255.255.255.0
R3(config-if)#no shut
R3(config-if)#interface fastEthernet 0/0
R3(config-if)#ip address 172.16.4.1 255.255.255.0
R3(config-if)#no shut
R3(config-if)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/1
R3(config)#line vty 0 4
R3(config-line)#password cisco
R3(config-line)#login
R3(config-line)#exit
R3(config)#line con 0
R3(config-line)#password cisco
R3(config-line)#login
R3(config-line)#end
R3#copy run start


6.5 Configure a Cisco ASA firewall

An ASA firewall works with security levels. All traffic originating from a higher security level is allowed to go to a lower security level; traffic in the other direction is only allowed when an access list permits it.

6.5.1 ASA Hostname and Domain configuration

In order to be able to generate RSA keys you need to configure a hostname and a domain name.

ciscoasa> enable
ciscoasa# conf t
ciscoasa(config)# hostname CCNAS-ASA
CCNAS-ASA(config)# domain-name ccnasecurity.com
CCNAS-ASA(config)# exit
CCNAS-ASA# copy run start

6.5.2 Configure enable password

A best practice when configuring networking devices is to always set the enable password.

CCNAS-ASA> enable
CCNAS-ASA# conf t
CCNAS-ASA(config)# enable password class
CCNAS-ASA(config)# passwd cisco
CCNAS-ASA(config)# exit
CCNAS-ASA# copy run start

6.5.3 Configure the interfaces

Next you need to configure the interfaces so they are part of the correct VLAN.

CCNAS-ASA# conf t
CCNAS-ASA(config)# interface Ethernet0/0
CCNAS-ASA(config-if)# switchport access vlan 2
CCNAS-ASA(config-if)# no shut
CCNAS-ASA(config-if)# interface Ethernet0/1
CCNAS-ASA(config-if)# switchport access vlan 1
CCNAS-ASA(config-if)# no shut
CCNAS-ASA(config-if)# interface Ethernet0/2
CCNAS-ASA(config-if)# switchport access vlan 3
CCNAS-ASA(config-if)# no shut
CCNAS-ASA(config-if)# end
CCNAS-ASA# copy run start

6.5.4 Configure the VLANs of the firewall

In order to let the firewall route between the VLANs, you need to configure the VLAN interfaces: give each one a name, choose a security level and set an IP address.

CCNAS-ASA# conf t
CCNAS-ASA(config)# interface Vlan1
CCNAS-ASA(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
CCNAS-ASA(config-if)# security-level 100
CCNAS-ASA(config-if)# ip address 192.168.1.1 255.255.255.0
CCNAS-ASA(config-if)# interface Vlan2
CCNAS-ASA(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
CCNAS-ASA(config-if)# security-level 0
CCNAS-ASA(config-if)# ip address 209.165.200.226 255.255.255.248
CCNAS-ASA(config-if)# interface Vlan3
CCNAS-ASA(config-if)# no forward interface Vlan1
INFO: "no forward" command is not required to use 3 or more interfaces with this license
CCNAS-ASA(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
CCNAS-ASA(config-if)# security-level 70
CCNAS-ASA(config-if)# ip address 192.168.2.1 255.255.255.0
CCNAS-ASA(config-if)# end
CCNAS-ASA# copy run start


6.5.5 Configure network objects

You can put a single host or a whole subnet into a network object, and then refer to that object in an access list or a NAT rule.

CCNAS-ASA# conf t
CCNAS-ASA(config)# object network inside-net
CCNAS-ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
CCNAS-ASA(config-network-object)# object network dmz-server
CCNAS-ASA(config-network-object)# host 192.168.2.3
CCNAS-ASA(config-network-object)# end
CCNAS-ASA# copy run start

6.5.6 Configure an access list

In this step we make an extended access list that permits every host to reach the DMZ server.

CCNAS-ASA# conf t
CCNAS-ASA(config)# access-list OUTSIDE-DMZ extended permit ip any host 192.168.2.3

6.5.7 Configure NAT

We will use Port Address Translation (PAT). To use this you must make a NAT rule. The following configuration makes a NAT rule that says that any traffic sourced from devices on the inside interface and exiting the ASA on the outside interface must be translated to the IP address of the outside interface of the ASA.

We also make another rule saying that all traffic from the DMZ server (object dmz-server) that exits the ASA on the outside interface is translated to the IP address 209.165.200.227. Note that the access list above uses the real address 192.168.2.3 and not the translated one: ASA 8.3 and later evaluate access lists on real (untranslated) addresses.

CCNAS-ASA# conf t
CCNAS-ASA(config)# object network inside-net
CCNAS-ASA(config-network-object)# nat (inside,outside) dynamic interface
CCNAS-ASA(config-network-object)# object network dmz-server
CCNAS-ASA(config-network-object)# nat (dmz,outside) static 209.165.200.227
CCNAS-ASA(config-network-object)# end
CCNAS-ASA# copy run start

6.5.8 Configure access group

In this step, we apply the access list “OUTSIDE-DMZ” inbound on the outside interface.

CCNAS-ASA# conf t
CCNAS-ASA(config)# access-group OUTSIDE-DMZ in interface outside
CCNAS-ASA(config)# exit
CCNAS-ASA# copy run start
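The security-level rule from 6.5, the static NAT from 6.5.7 and the access group from 6.5.8 together decide which new connections the ASA accepts. The following Python models that decision for the addresses of this lab; it is an added example, not the lab's own code or Cisco's implementation, and it follows the ASA 8.3+ behaviour of untranslating the destination before the access list is checked. The interface networks are taken from the addressing table in 6.2.

```python
import ipaddress

# Interface security levels configured in 6.5.4.
SECURITY_LEVELS = {"inside": 100, "dmz": 70, "outside": 0}

# Directly connected networks from the addressing table, used to find the
# egress interface of a flow; anything else leaves via the default route (6.5.9).
CONNECTED = {
    "inside": ipaddress.ip_network("192.168.1.0/24"),
    "dmz": ipaddress.ip_network("192.168.2.0/24"),
    "outside": ipaddress.ip_network("209.165.200.224/29"),
}

# Static NAT from 6.5.7: mapped (outside) address -> real (dmz) address.
# The dynamic PAT rule for inside-net only translates outbound connections.
STATIC_NAT = {"209.165.200.227": "192.168.2.3"}

# access-list OUTSIDE-DMZ extended permit ip any host 192.168.2.3 (6.5.6)
# Each entry: (action, protocol, source spec, destination spec).
ACLS = {"OUTSIDE-DMZ": [("permit", "ip", "any", "host 192.168.2.3")]}

# access-group OUTSIDE-DMZ in interface outside (6.5.8)
ACCESS_GROUPS = {"outside": "OUTSIDE-DMZ"}


def _spec_matches(spec, addr):
    """ACL address spec: 'any', 'host A.B.C.D' or 'NETWORK MASK'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == ipaddress.ip_address(spec.split()[1])
    net, mask = spec.split()
    return addr in ipaddress.ip_network(f"{net}/{mask}", strict=False)


def untranslate(dst):
    """Since ASA 8.3, NAT is undone before the ACL is checked, so ACLs are
    written with real addresses (as OUTSIDE-DMZ is). Addresses without a
    static mapping are left unchanged."""
    return ipaddress.ip_address(STATIC_NAT.get(str(dst), str(dst)))


def egress_interface(real_dst):
    for name, net in CONNECTED.items():
        if real_dst in net:
            return name
    return "outside"  # default route: route outside 0.0.0.0 0.0.0.0 209.165.200.225


def acl_permits(acl_name, proto, src, dst):
    """First matching entry decides; every ACL ends with an implicit deny."""
    for action, aproto, s, d in ACLS[acl_name]:
        if aproto in ("ip", proto) and _spec_matches(s, src) and _spec_matches(d, dst):
            return action == "permit"
    return False


def connection_allowed(ingress, proto, src_ip, dst_ip):
    """Decides whether a new connection arriving on `ingress` is accepted."""
    src = ipaddress.ip_address(src_ip)
    real_dst = untranslate(ipaddress.ip_address(dst_ip))
    egress = egress_interface(real_dst)
    acl = ACCESS_GROUPS.get(ingress)
    if acl is not None:
        # An inbound ACL bound to the interface replaces the security-level
        # default for that interface: only what it permits gets through.
        return acl_permits(acl, proto, src, real_dst)
    # Default rule from 6.5: a higher security level may reach a lower one, not the reverse.
    return SECURITY_LEVELS[ingress] > SECURITY_LEVELS[egress]


if __name__ == "__main__":
    for flow in [("outside", "tcp", "172.16.3.3", "209.165.200.227"),
                 ("outside", "tcp", "172.16.3.3", "192.168.1.3"),
                 ("inside", "tcp", "192.168.1.3", "172.16.3.3"),
                 ("dmz", "tcp", "192.168.2.3", "192.168.1.3")]:
        print(flow, "allowed" if connection_allowed(*flow) else "denied")
```

Running it shows the effect of binding an ACL to an interface: an outside host can reach the DMZ server only through its mapped address, nothing else from outside gets in, inside hosts reach everything, and the DMZ (level 70) cannot open connections to the inside (level 100) because no ACL on dmz permits it.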

6.5.9 Configure a default route

In order to let all your traffic find a way to the internet, you need to configure a default route with an administrative distance of 1.

CCNAS-ASA# conf t
CCNAS-ASA(config)# route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
CCNAS-ASA(config)# exit
CCNAS-ASA# copy run start

6.5.10 Configure AAA authentication

We use AAA authentication so that you can log in to the ASA with the username “admin” and the password “cisco123”. These credentials will be used for telnet, SSH and HTTP.

CCNAS-ASA# conf t
CCNAS-ASA(config)# username admin password cisco123
CCNAS-ASA(config)# aaa authentication telnet console LOCAL
CCNAS-ASA(config)# aaa authentication ssh console LOCAL
CCNAS-ASA(config)# aaa authentication http console LOCAL
CCNAS-ASA(config)# exit
CCNAS-ASA# copy run start


6.5.11 Configure allowed hosts

Next we need to configure from where access to the HTTP, telnet and SSH servers of the ASA is allowed.

CCNAS-ASA# conf t
CCNAS-ASA(config)# http server enable
CCNAS-ASA(config)# http 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# ssh 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# telnet 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# telnet timeout 10
CCNAS-ASA(config)# ssh timeout 10
CCNAS-ASA(config)# exit
CCNAS-ASA# copy run start

6.5.12 Configure Class-map

This class-map identifies traffic based on Layer 3 and Layer 4. The match statement uses default-inspection-traffic, which covers the following protocols and ports:

Protocol      Transport   Port(s)
ctiqbe        tcp         2748
dns           udp         53
skinny        tcp         2000
ftp           tcp         21
gtp           udp         2123,3386
smtp          tcp         25
h323-h225     tcp         1720
h323-ras      udp         1718-1719
sqlnet        tcp         1521
http          tcp         80
icmp          icmp
tftp          udp         69
ils           tcp         389
ip-options    rsvp
waas          tcp         1-65535
mgcp          udp         2427,2727
netbios       udp         137-138
xdmcp         udp         177
radius-acct   udp         1646
rpc           udp         111
sip           udp         5060
rsh           tcp         514
rtsp          tcp         554
sip           tcp         5060

CCNAS-ASA# conf t
CCNAS-ASA(config)# class-map inspection_default
CCNAS-ASA(config-cmap)# match default-inspection-traffic
CCNAS-ASA(config-cmap)# end
CCNAS-ASA# copy run start

6.5.13 Configure Policy-maps

The following policy-maps define the actions you are going to take on that traffic. The first one is a DNS inspection policy that limits the DNS message length; the second one applies ICMP inspection to the traffic matched by inspection_default.

CCNAS-ASA# conf t
CCNAS-ASA(config)# policy-map type inspect dns preset_dns_map
CCNAS-ASA(config-pmap)# parameters
CCNAS-ASA(config-pmap-p)# message-length maximum client auto
CCNAS-ASA(config-pmap-p)# message-length maximum 512
CCNAS-ASA(config-pmap-p)# policy-map global_policy
CCNAS-ASA(config-pmap)# class inspection_default
CCNAS-ASA(config-pmap-c)# inspect icmp
CCNAS-ASA(config-pmap-c)# end
CCNAS-ASA# copy run start
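The Modular Policy Framework objects described in section 3.5 (class maps, policy maps, service policies) and the class-map and policy-map configured in 6.5.12 and 6.5.13 can be modelled to see which actions a given flow receives. The Python below is an added example and not the lab's or Cisco's code. The `inspection_default` class and `global_policy` are taken from the lab; the `dns-only` class, the `outside_policy` policy-map and the service-policy bindings are constructed to show how an interface policy takes precedence over the global policy for a feature, which the lab does not configure.

```python
# Protocols and ports covered by 'match default-inspection-traffic' (6.5.12):
# (inspection engine, transport, port spec). An empty spec means "all".
DEFAULT_INSPECTION_TRAFFIC = [
    ("ctiqbe", "tcp", "2748"), ("dns", "udp", "53"), ("skinny", "tcp", "2000"),
    ("ftp", "tcp", "21"), ("gtp", "udp", "2123,3386"), ("smtp", "tcp", "25"),
    ("h323-h225", "tcp", "1720"), ("h323-ras", "udp", "1718-1719"),
    ("sqlnet", "tcp", "1521"), ("http", "tcp", "80"), ("icmp", "icmp", ""),
    ("tftp", "udp", "69"), ("ils", "tcp", "389"), ("ip-options", "rsvp", ""),
    ("waas", "tcp", "1-65535"), ("mgcp", "udp", "2427,2727"),
    ("netbios", "udp", "137-138"), ("xdmcp", "udp", "177"),
    ("radius-acct", "udp", "1646"), ("rpc", "udp", "111"), ("sip", "udp", "5060"),
    ("rsh", "tcp", "514"), ("rtsp", "tcp", "554"), ("sip", "tcp", "5060"),
]

# class-map name -> match criterion. inspection_default is the lab's;
# dns-only is constructed for the interface policy below.
CLASS_MAPS = {
    "inspection_default": ("default-inspection-traffic", None, None),
    "dns-only": ("port", "udp", "53"),
}

# policy-map name -> ordered (class, actions). global_policy is from 6.5.13;
# outside_policy is constructed.
POLICY_MAPS = {
    "global_policy": [("inspection_default", ["inspect icmp"])],
    "outside_policy": [("dns-only", ["inspect dns preset_dns_map"])],
}

# service-policy bindings: at most one per interface plus one global (constructed).
SERVICE_POLICIES = {"global": "global_policy", "outside": "outside_policy"}


def port_in_spec(port, spec):
    """spec is '', 'n', 'a-b' or a comma-separated list of those."""
    if spec == "":
        return True
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def class_matches(class_name, proto, dport):
    kind, cproto, cports = CLASS_MAPS[class_name]
    if kind == "default-inspection-traffic":
        return any(p == proto and port_in_spec(dport, ports)
                   for _, p, ports in DEFAULT_INSPECTION_TRAFFIC)
    return proto == cproto and port_in_spec(dport, cports)


def _action_applies(action, proto):
    """An inspection engine only acts on its own transport protocol (the ICMP
    engine ignores UDP flows even if the class matched them); other actions
    such as police or priority apply to the whole class."""
    words = action.split()
    if words[0] != "inspect":
        return True
    return proto in {p for name, p, _ in DEFAULT_INSPECTION_TRAFFIC if name == words[1]}


def _policy_actions(policy_name, proto, dport, taken):
    actions = []
    for class_name, class_actions in POLICY_MAPS[policy_name]:
        if not class_matches(class_name, proto, dport):
            continue
        for action in class_actions:
            feature = action.split()[0]
            if feature not in taken and _action_applies(action, proto):
                taken.add(feature)  # first matching class wins per feature
                actions.append(action)
    return actions


def actions_for(ingress, proto, dport=0):
    """Actions applied to a flow entering `ingress`: the interface policy is
    consulted first; the global policy only adds features the interface
    policy did not already handle."""
    taken = set()
    actions = []
    if ingress in SERVICE_POLICIES:
        actions += _policy_actions(SERVICE_POLICIES[ingress], proto, dport, taken)
    actions += _policy_actions(SERVICE_POLICIES["global"], proto, dport, taken)
    return actions
```

Note that because waas is listed as tcp 1-65535, `inspection_default` matches every TCP flow; which inspection engines then actually act is decided by the policy-map, not by the class.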

6.5.14 Configure prompt hostname and reporting

The first command changes the prompt so that it shows where you are working in the ASA. The second command turns off anonymous reporting to Cisco.

CCNAS-ASA# conf t
CCNAS-ASA(config)# prompt hostname context
CCNAS-ASA(config)# no call-home reporting anonymous
CCNAS-ASA(config)# exit
CCNAS-ASA# copy run start

6.5.15 Generate the RSA keys

You will need these RSA keys for the SSH connection and for building the VPN. A 1024-bit modulus is the lab value; outside a lab, use at least 2048 bits.

CCNAS-ASA# conf t
CCNAS-ASA(config)# crypto key generate rsa modulus 1024
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
CCNAS-ASA(config)# end
CCNAS-ASA# copy run start

6.6 Configure an IPsec VPN endpoint on the ASA with ASDM

In this part we configure an IPsec VPN with the tool ASDM. ASDM is a tool that lets you configure the ASA through a GUI.

6.6.1 Access ASDM

To access ASDM you browse to the IP address of the ASA from PCB (the host on the internal network). Be sure to put https:// in front of the IP address. The URL you need to visit is: https://209.165.200.226.

Next you will get this screen:

Figure 6-1 ASDM Virtual Private Network

You need to click on “Run ASDM”, and then log in with the following credentials:

• username: admin
• password: cisco123

If you did it correctly you will get to this screen:


Figure 6-2 ASDM Virtual Private Network

6.6.2 Start the VPN wizard

To start the VPN wizard, select Wizards > VPN Wizards > Site-to-Site VPN Wizard.

You will then get the following screen:

Figure 6-3 ASDM Virtual Private Network

Click on Next to go to the next screen.

6.6.3 Configure peer device identification

The next step is to configure the IP address of the other peer. This IP address is 10.2.2.1, and the VPN Access Interface is outside.


Figure 6-4 ASDM Virtual Private Network

6.6.4 Specify the IKE version

In this screen you specify the IKE version. The version we are going to use is IKE version 1.

Figure 6-5 ASDM Virtual Private Network


6.6.5 Specify traffic to protect

On the Traffic to protect screen, click IPv4 and enter the inside network 192.168.1.0/24 as the Local Network and the R3 LAN 172.16.3.0/24 as the Remote Network.

Figure 6-6 ASDM Virtual Private Network

6.6.6 Configure authentication

On the Authentication Methods screen, enter a Pre-Shared Key of cisco12345. You will not be using a device certificate, so leave it set to None.

Figure 6-7 ASDM Virtual Private Network


6.6.7 Configure Encryption Algorithms

On the Encryption Algorithms screen, click on the Manage button next to IKE Policy. Click OK on the message that the IKE policy is global. On the Configure IKEv1 Policies screen you will see many policies. Only policy 120 is needed, so you can delete all the other policies.

Figure 6-8 ASDM Virtual Private Network

Click on the Select button next to IPsec Proposal. On the Select IPsec Proposals screen, remove all of the IPsec proposal entries from the Assigned field, except for ESP-3DES-SHA, as this is the one R3 will be using.

Figure 6-9 ASDM Virtual Private Network


If you did this successfully you will get the following screen:

Figure 6-10 ASDM Virtual Private Network

6.6.8 Configure miscellaneous settings

On the Miscellaneous screen, select the checkbox to enable inbound IPsec sessions to bypass interface access lists. Also select the checkbox to exempt the ASA side host/network from address translation for the inside interface.

Figure 6-11 ASDM Virtual Private Network


6.6.9 Review the configuration summary and deliver the commands to the ASA

On this screen you can review the summary; if it is correct, you can deliver it to the ASA.

Figure 6-12 ASDM Virtual Private Network

6.6.10 Verify the ASDM VPN connection profile

You can verify the VPN configuration; to do this, go to Configuration > Site-to-Site VPN > Connection Profiles.

Figure 6-13 ASDM Virtual Private Network


6.7 Configure the R3 as an IPsec VPN endpoint with CCP

Cisco Configuration Professional (CCP) is a tool which you can use to configure network equipment. First you need to install the tool; it can be found on the website of Cisco.

You will need to prepare the device you want to access with CCP so that CCP can discover that device and change its configuration.

6.7.1 Configure CCP access on Router 3

Cisco Configuration Professional is a tool made by Cisco to configure and monitor routers and switches. You need to enter some commands in order to let CCP discover the router. Note that ip http server enables unencrypted HTTP management of the router; ip http secure-server is the HTTPS equivalent.

R3#enable
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#enable secret cisco123
R3(config)#ip http server
R3(config)#username admin privilege 15 secret cisco123
R3(config)#ip http authentication local
R3(config)#end
R3#copy run start

6.7.2 Configure CCP so it can connect to Router 3

In order to let CCP configure Router 3 you must enter its address and credentials in CCP.

IP Address: 172.16.3.1

Username: admin

Password: cisco123

Figure 6-14 CCP Virtual Private Network


The next step is to let CCP discover the device.

Figure 6-15 CCP Virtual Private Network

6.7.3 Start the CCP VPN wizard to configure R3

To configure R3 as a VPN endpoint you need to go to the configuration tab in the CCP application and choose Security > VPN > Site-to-Site VPN. On this screen you need to click on “Launch the selected task”.

Figure 6-16 CCP Virtual Private Network

After you pressed “Launch the selected task”, a pop-up window appears in which you configure the VPN. You need to choose “Step by step wizard”.


Figure 6-17 CCP Virtual Private Network


6.7.4 Configure basic VPN connection settings

Next you need to configure the basic VPN connection settings.

First, choose the correct interface for the VPN connection. This interface is “Serial0/0/1”.

Second, enter the IP address of the other peer with which you will establish the VPN tunnel. This peer is 209.165.200.226.

Third, choose the authentication type. We will be using pre-shared keys; the pre-shared key we use is “cisco12345”.

Figure 6-18 CCP Virtual Private Network


6.7.5 Specify IKE policy

In order to build a successful VPN tunnel you need to configure a correct IKE policy. These are the parameters that both VPN endpoints must accept.

We will use the following IKE policy:

Priority: 1
Encryption: 3DES
Hash: SHA_1
D-H Group: group2
Authentication: PRE_SHARE

Figure 6-19 CCP Virtual Private Network


6.7.6 Configure a transform set

The transform set plays the role of the IKE policy for IKE Phase 2: it defines the algorithms that protect the actual data in the tunnel.

On the transform set screen you can use the default one or make another one. Here we use the default transform set.

The transform set is:

Name: ESP-3DES-SHA
ESP Encryption: ESP_3DES
ESP Integrity: ESP_SHA_HMAC
Mode: Tunnel
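Sections 6.6.7, 6.7.5 and 6.7.6 all come down to one requirement: the ASA and R3 must each hold an IKE policy and an IPsec proposal that agree. The Python below is an added example (not the lab's or Cisco's code) that models the two negotiations and also lists the parameters of a policy that a security review would flag today. The R3 side is taken from 6.7.5 and 6.7.6. The ASA side is constructed: policy 120 is given the R3 parameters, since the lab states that it is the matching policy, policy 10 is a made-up non-matching entry, and the lifetime values are assumed defaults.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IkePolicy:
    priority: int
    encryption: str
    hash: str
    dh_group: int
    authentication: str
    lifetime: int = 86400  # seconds; assumed platform default


# R3 policy from 6.7.5.
R3_IKE_POLICIES = [IkePolicy(1, "3des", "sha", 2, "pre-share")]

# ASA IKEv1 policies. The lab keeps only policy 120 because it matches R3, so
# it is modelled with R3's parameters; policy 10 is a constructed,
# non-matching entry to show how the responder skips it.
ASA_IKE_POLICIES = [
    IkePolicy(10, "aes-256", "sha", 5, "pre-share"),
    IkePolicy(120, "3des", "sha", 2, "pre-share"),
]

# Phase 2 transform sets / IPsec proposals: (name, ESP encryption, ESP integrity, mode).
R3_TRANSFORM_SETS = [("ESP-3DES-SHA", "esp-3des", "esp-sha-hmac", "tunnel")]
ASA_IPSEC_PROPOSALS = [("ESP-3DES-SHA", "esp-3des", "esp-sha-hmac", "tunnel")]


def _suite(p):
    return (p.encryption, p.hash, p.dh_group, p.authentication)


def negotiate_ike(initiator, responder):
    """Phase 1: the responder walks its own policies by priority and accepts the
    first one whose encryption, hash, DH group and authentication method match
    any of the initiator's proposals. Lifetime is not a match criterion; the
    shorter of the two is used. Returns (policy, lifetime) or None."""
    for rp in sorted(responder, key=lambda p: p.priority):
        for ip in initiator:
            if _suite(rp) == _suite(ip):
                return rp, min(rp.lifetime, ip.lifetime)
    return None


def negotiate_ipsec(initiator, responder):
    """Phase 2: the first responder proposal whose algorithms and mode equal one
    of the initiator's transform sets is chosen (the names are local only)."""
    for r in responder:
        for i in initiator:
            if r[1:] == i[1:]:
                return r[0]
    return None


# Parameters that current guidance no longer recommends for new tunnels.
LEGACY = {"des": "DES", "3des": "3DES", "md5": "MD5"}


def weak_parameters(policy):
    """Lists the parts of an IKE policy that would be flagged in a review."""
    findings = []
    if policy.encryption in LEGACY:
        findings.append(f"encryption {LEGACY[policy.encryption]} is deprecated")
    if policy.hash in LEGACY:
        findings.append(f"hash {LEGACY[policy.hash]} is deprecated")
    if policy.dh_group < 14:
        findings.append(f"DH group {policy.dh_group} is weaker than 2048-bit MODP")
    return findings


if __name__ == "__main__":
    print("IKE policy:", negotiate_ike(R3_IKE_POLICIES, ASA_IKE_POLICIES))
    print("IPsec proposal:", negotiate_ipsec(R3_TRANSFORM_SETS, ASA_IPSEC_PROPOSALS))
    print("review findings:", weak_parameters(R3_IKE_POLICIES[0]))
```

Deleting policy 120 on the ASA, as the wizard would if you removed the wrong entry, makes `negotiate_ike` return None, which is exactly the "no proposal chosen" failure seen when the tunnel test of 6.8 fails. The review function shows why this lab's suite (3DES, DH group 2) should not be copied into a production tunnel.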

Figure 6-20 CCP Virtual Private Network


6.7.7 Specify traffic to protect

You must define which traffic needs to be sent through the VPN tunnel. We configure our Local Network and the Remote Network.

Figure 6-21 CCP Virtual Private Network

6.7.8 Review the summary of the configuration

As a final step you need to review what you have configured to be sure it is correct. It should look like the following:

Figure 6-22 CCP Virtual Private Network


6.8 Test VPN connectivity with CCP

To test the VPN connectivity, go to “Edit Site to Site VPN”. You should then see the following screen:

Figure 6-23 CCP Virtual Private Network

Then click on “Test Tunnel …” and after that on “Start”.

After this you will be asked to determine to which network the traffic needs to be sent.

Figure 6-24 CCP Virtual Private Network


If your tunnel is successful you should get the following screen.

Figure 6-25 CCP Virtual Private Network

6.9 Monitoring VPN tunnel using ASDM on Cisco ASA

You can monitor the VPN connection between R3 and the ASA with the tool ASDM.

From the ASDM menu bar, select Monitoring and click VPN in the panels at the lower left of the screen. Click VPN Statistics > Sessions. You should see the following screen.

Figure 6-26 ASDM Virtual Private Network


When you click on Encryption Statistics you should see one or more sessions using the 3DES encryption algorithm.

Figure 6-27 ASDM Virtual Private Network

If you click on crypto statistics, you will get more information about the VPN.

Figure 6-28 ASDM Virtual Private Network


7 Setting up Clientless SSL VPN

7.1 Configuring clientless SSL VPN

Before you configure this VPN, it is recommended to erase the configuration of the Cisco ASA and reconfigure it with the configuration it had before you configured the Site-to-Site VPN. You can find the script at the end of the lab.

If this is done, make sure that you are booting from the correct image: go to chapter 5 and follow the instructions.

7.1.1 Review the Remote Access VPN ASDM Wizard

To set up a Clientless SSL VPN we are going to use ASDM. First start ASDM, go to the Configuration tab and then to Remote Access VPN.

Figure 7-1 ASDM Virtual Private Network

Click on “Clientless SSL VPN Remote Access (using Web Browser)”. Here you can find more information about what happens when you configure this VPN.


7.1.2 Start the VPN Wizard

To start the VPN Wizard, go to Wizards > VPN Wizards > Clientless SSL VPN Wizard.

The following screen will appear; click on Next to begin the wizard.

Figure 7-2 ASDM Virtual Private Network

7.1.3 Configure the SSL VPN user interface

On the SSL VPN Interface screen, configure ClientlessVPN-Con-Prof as the Connection Profile Name, and specify outside as the interface to which outside users will connect.

Figure 7-3 ASDM Virtual Private Network


7.1.4 Configure AAA user authentication

In this window you can choose between authentication using an AAA server group or the local user database. We use the local user database.

Username: VPN-User

Password: remote

Don’t forget to click on the Add >> button.

Figure 7-4 ASDM Virtual Private Network

7.1.5 Configure the VPN group policy

We create a new group policy. This newly created group policy inherits its settings from DfltGrpPolicy.

Name: ClientlessVPN-Grp-Pol

Figure 7-5 ASDM Virtual Private Network


7.1.6 Configure Bookmark list

Bookmarks are the links that are shown in the Clientless SSL VPN web portal.

Click the Manage button to create an HTTP server bookmark in the bookmark list.

Figure 7-6 ASDM Virtual Private Network

Click on the Add button.

Figure 7-7 ASDM Virtual Private Network


Then type Web-Server in the Bookmark List Name. Click on Add when this is done.

Figure 7-8 ASDM Virtual Private Network

In the next window you need to add the bookmark.

Bookmark Title: Web Mail

URL: http://192.168.2.3

“Allow the users to bookmark the link” needs to be checked.

When this is done, click on OK.

Figure 7-9 ASDM Virtual Private Network


If you get the following screen you can click on OK.

Figure 7-10 ASDM Virtual Private Network

If you get the following screen you can click on OK.

Figure 7-11 ASDM Virtual Private Network

If you get the following screen you can click on Next.

Figure 7-12 ASDM Virtual Private Network

7.1.7 Review the configuration summary and deliver the commands to the ASA

Review the summary. If everything is configured correctly you should get the following screen.

Figure 7-13 ASDM Virtual Private Network


7.2 Using clientless SSL VPN

To use the SSL clientless VPN you browse to the outside interface of the ASA. Be sure to put https:// in front of the IP address.

7.2.1 Connecting to the SSL VPN

You will get the following screen if you go to the URL https://209.165.200.226

Next you need to fill in the credentials.

Username: VPN-User

Password: remote

Figure 7-14 ASDM Virtual Private Network

7.2.2 Using the SSL VPN Service

If you log in with the correct credentials you get the following screen with the configured bookmark.

Figure 7-15 ASDM Virtual Private Network

If you click on the bookmark and you have configured a web server on the computer with IP address 192.168.2.3, you will be taken to that web server.

Figure 7-16 Web server on the Internal network - SSL VPN


You can install the free Abyss web server from: http://www.aprelium.com/abyssws/download.php.

7.2.3 Monitoring SSL VPN with ASDM

With the ASDM tool you can see how many VPN connections are made and which users made these connections.

As you can see in the following screen, we made a Site-to-Site and a Clientless VPN connection to the same ASA device.

Figure 7-17 ASDM Virtual Private Network

8 Setting up AnyConnect SSL VPN Remote Access Using ASDM

Before you configure this VPN, it is recommended to erase the configuration of the Cisco ASA and reconfigure it with the configuration it had before you configured the Site-to-Site VPN. You can find the script at the end of the lab.

If this is done, make sure that you are booting from the correct image: go to chapter 5 and follow the instructions.

8.1 Configure AnyConnect SSL VPN

8.1.1 Review the Remote Access VPN ASDM Assistant

From the ASDM menu bar, click the Configuration button and choose Remote Access VPN. Here you find more information about VPNs.

Figure 8-1 ASDM Virtual Private Network


8.1.2 Start the VPN wizard

From the ASDM main menu, choose Wizards > VPN Wizards > AnyConnect VPN Wizard.

Then choose Cisco SSL VPN Client (AnyConnect VPN Client).

Figure 8-2 ASDM Virtual Private Network

8.1.3 Configure the connection profile

In order for the VPN to work, you need to make a connection profile.

Connection profile: AnyC-SSL-VPN-Con-Prof

SSL VPN interface: outside

Figure 8-3 ASDM Virtual Private Network


8.1.4 Specify the VPN encryption protocol

You need a user account to log in on the web page of the ASA. The credentials of the user are:

Figure 8-4 ASDM Virtual Private Network

8.1.5 Specify the client image to upload to AnyConnect users

On the Client Images screen, click Add and browse the flash for the correct image. There are two AnyConnect images: the AnyConnect 2.5 image is for Windows 7 and the 3.1 image is for Windows 8.

Figure 8-5 ASDM Virtual Private Network


8.1.6 Configure AAA local authentication

The AAA Server Group must be LOCAL.

The credentials we are using are:

Username: ClientVPN-User

Password: remote

Figure 8-6 ASDM Virtual Private Network

8.1.7 Configure the client address assignment

You need to make an IPv4 address pool: when a client connects to the VPN with the AnyConnect application, it gets an IP address from this pool.

Click on “New…” next to “IPv4 Address Pool” and enter the following attributes.

Name: AnyC-VPN-Client-Pool

Starting IP Address: 192.168.1.33

Ending IP Address: 192.168.1.62

Subnet Mask: 255.255.255.224
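The addressing plan in the table of 6.2 and the AnyConnect pool above are easy to get wrong when the lab is rebuilt: the pool is carved out of the ASA's inside network and must not collide with addresses already in use there. The following Python re-checks both with the standard ipaddress module; it is an added example and not part of the lab. The interface and host entries are copied from the table in 6.2, the link list is derived from its Switch Port column, and the pool values are the ones given above.

```python
import ipaddress

# Addressing table from section 6.2: (device, interface, address, mask).
INTERFACES = [
    ("R1", "FA0/0", "209.165.200.225", "255.255.255.248"),
    ("R1", "S0/0/0", "10.1.1.1", "255.255.255.252"),
    ("R2", "S0/0/0", "10.1.1.2", "255.255.255.252"),
    ("R2", "S0/0/1", "10.2.2.2", "255.255.255.252"),
    ("R3", "FA0/1", "172.16.3.1", "255.255.255.0"),
    ("R3", "FA0/0", "172.16.4.1", "255.255.255.0"),
    ("R3", "S0/0/1", "10.2.2.1", "255.255.255.252"),
    ("ASA", "VLAN 1", "192.168.1.1", "255.255.255.0"),
    ("ASA", "VLAN 2", "209.165.200.226", "255.255.255.248"),
    ("ASA", "VLAN 3", "192.168.2.1", "255.255.255.0"),
]
# End hosts from the same table: (name, address, mask, default gateway).
HOSTS = [
    ("DMZServer", "192.168.2.3", "255.255.255.0", "192.168.2.1"),
    ("InternalHost", "192.168.1.3", "255.255.255.0", "192.168.1.1"),
    ("ExternalHost", "172.16.3.3", "255.255.255.0", "172.16.3.1"),
    ("ExternalHost2", "172.16.4.3", "255.255.255.0", "172.16.4.1"),
]
# Device-to-device links implied by the table's Switch Port column.
LINKS = [
    (("R1", "FA0/0"), ("ASA", "VLAN 2")),
    (("R1", "S0/0/0"), ("R2", "S0/0/0")),
    (("R2", "S0/0/1"), ("R3", "S0/0/1")),
]
# AnyConnect pool from section 8.1.7: (start, end, mask).
ANYC_POOL = ("192.168.1.33", "192.168.1.62", "255.255.255.224")


def _iface(addr, mask):
    return ipaddress.ip_interface(f"{addr}/{mask}")


def _lookup(device, name):
    for dev, ifname, addr, mask in INTERFACES:
        if (dev, ifname) == (device, name):
            return _iface(addr, mask)
    raise KeyError((device, name))


def check_addressing():
    """Returns a list of problems; an empty list means the table is consistent."""
    problems = []
    owners = {}
    for dev, ifname, addr, _ in INTERFACES:
        owners.setdefault(addr, []).append(f"{dev} {ifname}")
    for name, addr, _, _ in HOSTS:
        owners.setdefault(addr, []).append(name)
    for addr, names in owners.items():
        if len(names) > 1:
            problems.append(f"{addr} assigned more than once: {names}")
    for (dev_a, if_a), (dev_b, if_b) in LINKS:
        a, b = _lookup(dev_a, if_a), _lookup(dev_b, if_b)
        if a.network != b.network:
            problems.append(f"{dev_a} {if_a} and {dev_b} {if_b} are not on the same subnet")
    gateways = {str(_iface(a, m).ip): _iface(a, m).network for _, _, a, m in INTERFACES}
    for name, addr, mask, gw in HOSTS:
        host = _iface(addr, mask)
        if ipaddress.ip_address(gw) not in host.network:
            problems.append(f"{name}: gateway {gw} is outside {host.network}")
        elif gateways.get(gw) != host.network:
            problems.append(f"{name}: no device interface owns gateway {gw} on {host.network}")
    return problems


def check_pool(pool=ANYC_POOL, inside=("192.168.1.1", "255.255.255.0")):
    """Checks a VPN address pool against the inside network: it must lie inside
    that subnet, be contiguous within its own mask, and avoid every address that
    is already assigned (the ASA inside interface and the static hosts)."""
    problems = []
    start, end = ipaddress.ip_address(pool[0]), ipaddress.ip_address(pool[1])
    inside_net = _iface(*inside).network
    if start not in inside_net or end not in inside_net:
        problems.append(f"pool {start}-{end} is not inside {inside_net}")
    if end < start:
        problems.append("pool end precedes pool start")
    if _iface(pool[0], pool[2]).network != _iface(pool[1], pool[2]).network:
        problems.append(f"pool is not contiguous within mask {pool[2]}")
    used = {a for _, _, a, _ in INTERFACES} | {a for _, a, _, _ in HOSTS}
    clashes = sorted((a for a in used if start <= ipaddress.ip_address(a) <= end),
                     key=ipaddress.ip_address)
    if clashes:
        problems.append(f"pool overlaps assigned addresses: {clashes}")
    return problems


if __name__ == "__main__":
    print("addressing:", check_addressing() or "ok")
    print("pool:", check_pool() or "ok")
```

Both checks come back clean for the lab values. Passing a pool that starts at 192.168.1.1 reports the collision with the ASA inside address and InternalHost, which is the mistake that produces duplicate-address problems once the first AnyConnect client connects.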


Figure 8-7 ASDM Virtual Private Network

Figure 8-8 ASDM Virtual Private Network


8.1.8 Configure network name resolution

On the Network Name Resolution screen, enter the IP address of a DNS server.

Figure 8-9 ASDM Virtual Private Network

8.1.9 Exempt address translation for VPN traffic

You need to exempt VPN traffic from NAT, because connecting clients receive an IP address from the inside network and the traffic between them and the inside hosts must not be translated.

Figure 8-10 ASDM Virtual Private Network


8.1.10 AnyConnect Client deployment

On the AnyConnect Client Deployment screen, read the text and click on Next.

Figure 8-11 ASDM Virtual Private Network

8.1.11 Review the Summary screen

On this screen you can review your configuration and apply it to the Cisco ASA.

Figure 8-12 ASDM Virtual Private Network


8.1.12 Verify the AnyConnect client profile

After the configuration is delivered to the ASA, you can review the connection profile.

Figure 8-13 ASDM Virtual Private Network

8.2 Using AnyConnect SSL VPN

To use the AnyConnect SSL VPN you need to connect to the ASA, download the AnyConnect client from the ASA and configure the VPN in the client.

8.2.1 Login from the remote host

The first step in making an SSL VPN connection is to connect to the ASA. To do this, go to the following URL from the remote host: https://209.165.200.226 and enter the following credentials:

Group: AnyC-SSL-VPN-Con-Prof

Username: ClientVPN-User

Password: remote

Figure 8-14 ASDM Virtual Private Network


8.2.2 Downloading AnyConnect client

If the login is successful you get the following screen, where you can download the AnyConnect client. Click on “Windows Vista/64/XP/2000” to download the client.

Figure 8-15 AnyConnect VPN

Next you need to download the client.

Figure 8-16 AnyConnect VPN

8.2.3 Install the AnyConnect client

The next step is to install the client. It is a straightforward process: just click on Next on every screen and the client will be installed.


Figure 8-17 AnyConnect VPN

Figure 8-18 AnyConnect VPN

Figure 8-19 AnyConnect VPN


Figure 8-20 AnyConnect VPN


8.2.4 Use the AnyConnect client software: Windows 7 If you have successfully installed the client, you need to accept the certificate.

Figure 8-21 AnyConnect VPN

8.2.5 Login with good credentials

After you have accepted the certificate, you can log in with the following credentials.

Username: ClientVPN-User

Password: remote

Figure 8-22 AnyConnect VPN


8.2.6 VPN is successful

Figure 8-23 AnyConnect VPN

8.2.7 Check if the VPN is successful

Go to the command line interface and type: ipconfig

Figure 8-24 Check VPN Successful

Here you will see that the external computer got an internal IP address. The VPN is successful.


8.2.8 Use the AnyConnect client software: Windows 8

In order to use the AnyConnect client on Windows 8, you will need to install the latest AnyConnect client. This client can be downloaded from: http://vpn.managednetworks.net/vpn/

8.2.9 Installation of AnyConnect Client

The installation is the same as on Windows 7.

8.2.10 Setting up VPN Connection

When the client is installed you need to run the program. It will look like this:

Figure 8-25 AnyConnect VPN

You will get a warning; just click on Connect Anyway.

Figure 8-26 AnyConnect VPN

Next you will need to fill in the credentials. These are:

Username: ClientVPN-User

Password: remote

Next you will see that you are connected successfully:


Figure 8-27 AnyConnect VPN

Figure 8-28 AnyConnect VPN

Go to the command line interface and type: ipconfig

Figure 8-29 Check if VPN is successful

Here you will see that the external computer got an internal IP address. The VPN is successful.


9 Conclusion

Setting up a VPN service with the good user interfaces that Cisco provides is straightforward. But you always need to keep in mind that the technology is evolving and there will always be new images for the ASA, new AnyConnect clients and new versions of Java.

10 VPN pre-configuration script

```cisco
!
!-- Configure Hostname and Domain for generating RSA keys --
!
enable
conf t
hostname CCNAS-ASA
domain-name ccnasecurity.com
!
!-- Configure the passwords --
!
enable password class
passwd cisco
!
!-- Configure the interfaces --
!
interface Ethernet0/0
 switchport access vlan 2
 no shut
 exit
interface Ethernet0/1
 switchport access vlan 1
 no shut
 exit
interface Ethernet0/2
 switchport access vlan 3
 no shut
 exit
!
!-- Configure the VLANs of the firewall --
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.165.200.226 255.255.255.248
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 70
 ip address 192.168.2.1 255.255.255.0
 exit
!
!-- Configure network objects --
!
object network inside-net
 subnet 192.168.1.0 255.255.255.0
object network dmz-server
 host 192.168.2.3
 exit
!
!-- Configure an access-list --
!
access-list OUTSIDE-DMZ extended permit ip any host 192.168.2.3
!
!-- Configure NAT --
!
object network inside-net
 nat (inside,outside) dynamic interface
object network dmz-server
 nat (dmz,outside) static 209.165.200.227
!
!-- Configure access group --
!
access-group OUTSIDE-DMZ in interface outside
!
!-- Configure default route --
!
route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
!
!-- Configure AAA authentication --
!
username admin password cisco123
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
!
!-- Configure allowed hosts --
!
http server enable
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 10
ssh timeout 10
!
!--- Configure Class Map ---
!
class-map inspection_default
 match default-inspection-traffic
 exit
!
!--- Configure Policy Maps
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect icmp
!
!--- Configure Prompt hostname and reporting
!
prompt hostname context
no call-home reporting anonymous
!
!-- Generate the rsa key -- (the "y" answers the confirmation prompt)
!
crypto key generate rsa modulus 1024
y
end
!
```


Project 2: Voice over IP

1 Introduction

Voice over IP (VoIP) is the name for carrying voice traffic on top of an IP network.

Most VoIP solutions rely on multiple protocols, at least one for signaling and one for transport of the encoded voice traffic.

The two most common signaling protocols are Session Initiation Protocol (SIP) and Skinny Call Control Protocol (SCCP), and their role is the setup, modification and tear down of a phone call.

The transport protocol is the Real-time Transport Protocol (RTP), which carries the encoded voice traffic. It is accompanied by the RTP Control Protocol (RTCP), which provides call statistics (delay, packet loss, and so on).

2 Voice over IP servers

A Voice over IP server is a server that routes your calls from one VoIP phone to another.

A traditional phone system is called a PBX; with a traditional phone system every call goes through the PBX.

A VoIP server uses the IP network to communicate, and the users communicate with each other through VoIP phones. These VoIP phones are the clients, as in a client-server model.

A VoIP server of a company does not need to be located on the network of the company, it can also be hosted over the internet.

With VoIP we no longer use PBXs but IP PBXs; these devices are also called VoIP servers. This kind of server can have analog and Ethernet connections. The Ethernet connections are also called VoIP trunks, and the IP PBX can route calls between the analog and Ethernet connections.

There are several open source VoIP servers:

• Asterisk

• Switchvox

3 Voice over IP clients

VoIP clients are all the devices connected to the VoIP server. There are two different types of clients.

• Hardphone: this is a VoIP phone that looks like a normal phone and that provides only VoIP services.

• Softphone: this is software installed on a computer that lets the computer use VoIP services.

To make these clients work, you need to make user accounts on the VoIP server and make sure that the phones (clients) can register with the VoIP server. You will also need to configure a number on the VoIP server for each phone.


4 Voice over IP gateways

VoIP gateways interconnect different types of communication. A gateway can interconnect analog phone lines to Ethernet lines.

By converting normal phone calls into VoIP calls, you can reduce telephony costs considerably.

For example: you are working for a large company, and you have a headquarters in Austria and branch offices in Belgium, Netherlands, Germany and France. If you make a normal phone call from one of these branch offices to the headquarters it will cost a lot of money. But if you change that normal phone call to a VoIP phone call with the VoIP gateway, you will spend less money on the phone call.

5 Voice over IP protocols

There are different protocols that VoIP can use to make phone calls possible. Some of the best-known protocols are Session Initiation Protocol (SIP) and Skinny Call Control Protocol (SCCP). These two protocols have their advantages and disadvantages.

You have the proprietary Cisco protocol called Skinny Call Control Protocol (SCCP) that will be used between Cisco Call Manager and Cisco VoIP phones.

You also have the open source protocol called Session Initiation Protocol (SIP); this protocol is used for establishing, modifying and terminating IP-based communication.

Another protocol that is used in a VoIP network is the Real-time Transport Protocol (RTP). RTP provides reliability through UDP.

5.1 Session initiation protocol

Session Initiation Protocol (SIP) is a session control protocol that sits in the application layer of the OSI model. It performs multimedia session establishment, modification and tear-down for real-time communication over IP-based networks.

5.1.1 How does SIP work?

SIP devices communicate with each other through a SIP server. This SIP server provides an infrastructure for routing, registration, authentication and authorization services. But SIP cannot exist alone in a communication system; it relies on RTP as the protocol that interconnects the devices with each other. SIP supports both IPv4 and IPv6.

The devices that are used to talk to each other are called User Agents. These devices can be hardphones or softphones. A registrar server is a database that holds the location of the User Agents within a domain.

The proxy server handles route detection, call routing, authentication and loop detection within a domain. It also accepts the User Agent's request to look up information. After the connection is established, the proxy server can stay in the path or drop out, and the User Agents can then communicate directly with each other.

The proxy server and the registrar server can be on the same machine; there is only a logical difference between the two.

The redirect server is used by the proxy if the User Agent is outside of the domain.


5.1.2 Example 1: User Agents on the same domain

Suppose user agent Alice tries to call user agent Bob.

1. Alice sends a SIP INVITE message to the proxy server.

2. The proxy server queries the registrar server for Bob's contact info.

3. After the proxy server receives the information about Bob, it relays Alice's original SIP INVITE to Bob.

4. Alice accepts the SIP INVITE by answering the phone.

5. The proxy server then informs Alice that Bob has accepted the invite and is ready to communicate.

6. There is now a direct point-to-point RTP connection.

7. The final message is the BYE, which is sent to the proxy server, and the session is complete.

5.1.3 Example 2: User Agents on a different domain

A User Agent calls a User Agent on a different domain:

1. User X in Domain A calls User Y in Domain B.

2. Query of the Proxy Server in Domain A: 'How to get to User Y in Domain B?' (Here the SIP Proxy Server of Domain A recognizes that User Y is outside Domain A and queries the SIP Redirect Server for User Y's IP address.)

3. Redirect Server's response: 'Address is enclosed in the response message, send the requests to the Proxy Server in Domain B.'

4. Call proxied to the SIP Proxy Server of Domain B. (SIP Proxy Server A forwards the SIP session invitation to SIP Proxy Server B.)

5. Proxy Server B's query: 'Where is User Y?'

6. Registrar Server B's response: 'User Y is at the address enclosed in this response message.'

7. Proxy Server B delivers User X's invitation to User Y.

8. User Y's response: User Y responds to User X's call.

9. Response: the Proxy Server of User Y sends User Y's response to the Proxy Server of User X.

10. Response: the Proxy Server of User X conveys User Y's response to User X. (User Y forwards his or her acceptance along the same path the invitation travelled.)

If the call set-up is successful (Y is free to take the call), a media path using RTP is established between X and Y and the connected parties can start to talk.

SIP is independent of the underlying transport layer, which in most cases is RTP.

Figure 5-1 SIP User Agents on a different domain


5.2 Skinny Call Control Protocol

Skinny Call Control Protocol (SCCP) is a proprietary terminal protocol used for call establishment, modification and tear-down in VoIP environments. It is a lightweight protocol used for session control signaling with Cisco Call Manager.

5.2.1 How does SCCP work?

In a VoIP call, the phone first registers its IP address, type and name with the Cisco Unified Call Manager (CUCM). Then the CUCM requests from the device a list of supported voice and video codecs. “Keep Alive” messages are exchanged periodically between the CUCM and the phone, as negotiated during the registration.

SCCP uses TCP port 2000 as the signaling path and uses UDP for its media path.

A CUCM cluster is a collection of SCCP clients and a CUCM.

With SCCP every single user input is sent to the CUCM immediately. If the user takes the phone off-hook, a signaling message is sent from the phone to the CUCM with which it is registered.

For example: if a user picks up the phone and then dials 1000, this triggers five individual signaling events from the phone to the CUCM, and the CUCM then reacts to the user input according to the Dial Plan mapped to the phone.

Figure 5-2 SCCP: Flow from phone to CUCM

5.2.2 Example 1: SCCP phone call, phones are registered on the same CUCM

In this example I will explain step by step how a VoIP phone call using SCCP works.

1. Phone A calls phone B.

2. The phone number is looked up in the CUCM.

3. The CUCM contacts Phone B.

4. Phone B rings to inform you that there is a phone call.

5. Phone B goes off-hook.

6. The RTP stream interconnects both devices.

Figure 5-3 SCCP: IP-Phone to IP-Phone Call Flow


Below you can find the sequence of SCCP messages exchanged between the CUCM and the IP phones.

Figure 5-4 SCCP: Simple Intra-Cluster Call Flow


5.3 Differences between SCCP and SIP

There are some differences between the two protocols.

| SIP | SCCP |
| --- | --- |
| Open source | Proprietary of Cisco |
| Required to press the speaker button to start dialing | When you pick up the phone it immediately starts dialing |
| Fewer features than SCCP | More features than SIP |
| Registration with usernames and passwords | Registration with MAC address |
| Supports multicast conference calls | Supports multicast conference calls |
| Range of different messages, each carrying a lot of additional data | Very simplified message structure |
| UDP as transport medium | UDP as transport medium |

5.4 Real-time Transport Protocol

Real-time Transport Protocol (RTP) adds an RTP header to the VoIP packet; in the RTP packet you will find a sequence number, port number and a timestamp. RTCP is used for the statistics, for example how many packets are lost. The RTP port that is chosen is an even port, and the RTCP port number is always one higher than the port chosen for RTP. The ports range from 16384 to 32767.

Secure RTP can be used to encrypt the voice stream.

6 Voice over IP codecs

The codec is how the VoIP traffic is encoded and encapsulated: when you talk over the phone, your voice needs to be put into packets that are then sent over the network, and the codec determines how this happens. When choosing a codec you need to know how much bandwidth you can use for the VoIP traffic; the more bandwidth the codec uses, the higher the sound quality will be.

The codec will determine the sound quality and the bandwidth that will be used.

The codec is most of the time built into the VoIP server. Some codecs are proprietary, so you will need to pay in order to use them. But whenever you buy a VoIP server, you will also likely pay for the built-in codec. There are also open source codecs, like in the Asterisk server. The sound quality will be good, but you will use more bandwidth than with a proprietary codec. This is not so important in a small network, but if you are building a large network, a good codec is needed.

7 Network latency and QOS

With Quality of Service (QOS) you can prioritize the Voice over IP network traffic in order to make sure that the phone calls you make will succeed.

Network latency is important if you use hosted VoIP services. Network latency is how long it will take for the VoIP traffic to go from phone A to phone B. If it takes from 75ms to 100ms, you have a good connection.


8 Zone-Based Firewall

We will configure a Zone-Based firewall on the router that connects to the internet. A Zone-Based firewall is a firewall where you put interfaces into zones. You then allow or deny the traffic between the different zones.

8.1 How a Zone-Based Firewall operates

With Zone-Based firewalls, interfaces are put into zones. Zones are created by the administrator, who can name them whatever he wants.

Then the class maps are made, with these class maps you can identify the traffic that is going through the ports.

After the class maps we make policy maps. These policy maps specify which traffic to allow between the interfaces, and what action the firewall needs to take if the policies are met. The policies always have a direction, for example from the inside zone to the outside zone.

A benefit of this approach is that once the policies are in place, you can simply add more interfaces to the zones and the interfaces take over the policies.

8.2 The features of a Zone-Based Firewall

The Zone-Based Firewall includes the following features:

• Stateful inspection: when a packet is sent from one interface to another interface, the packet is inspected and the reply traffic is allowed.

• Application inspection: you can do deep packet inspection to search in the data part of the packets for viruses or other malicious traffic.

• Packet filtering: you can inspect the packets and make rules for the source and destination IP address as well as for the protocol and the source and destination port numbers.

• URL filtering: you can filter on the URL, so you can choose which URLs the users can go to and which URLs they can’t go to.

• Transparent firewall: this is the ability to make a firewall on a layer 2 device like a switch.

• Support for virtual routing and forwarding (VRF): these are virtual routing tables you can use instead of having all the routes in the global (primary) routing table.

• Access control lists (ACL) are not required as a filtering method to implement the policy.

8.3 Zones and why we need pairs of them

A zone is created by the administrator, and one or more interfaces can be assigned to a zone.

There is one default zone, called the self zone. This is the zone of the router itself, this is a logical zone. By default, all the traffic originated from, or going to the self zone is allowed, but this can be changed with policies.

By default no traffic is allowed between the zones created by the administrator. Traffic between interfaces that are in the same zone is allowed.

If you would like to allow traffic between two zones you will need to make a zone pair and put a policy in place for that zone pair.

A zone pair is a configuration in the router that is created to identify traffic that is initiated from one zone and destined for the other zone. The administrator then makes a set of rules (policy) and binds this set of rules to a zone pair.


8.4 How to implement a policy

Cisco uses a language called the Cisco Common Classification Policy Language (C3PL) for the implementation of a policy. This process has three primary components:

• Class maps: These are used to identify traffic, such as traffic that should be inspected. Traffic can be matched based on Layer 3 through Layer 7 of the OSI model, including application-based matching. Class maps can also refer to access control lists (ACL) for the purpose of identifying traffic, or even call upon other class maps. Class maps can have multiple match statements. A class map can specify that all match statements have to match (a match-all condition) or that matching any of the entries is considered a match (a match-any condition).

• Policy maps: These are the actions that should be taken on the traffic. Policy maps call on the class maps for the classification of traffic. Policy maps with multiple sections are processed in order.

| Policy action | Description | When to use it |
| --- | --- | --- |
| Inspect | Permit and statefully inspect the traffic | This should be used on traffic initiated by users who expect to get replies from devices on the other side of the firewall. |
| Pass | Permits/allows the traffic but does not create a stateful database entry | Traffic that does not need a reply. Also, in the case of protocols that do not support inspection, this policy could be applied to the zone pair for specific outbound traffic, and be applied to a second zone pair for inbound traffic. |
| Drop | Deny the packet | Traffic you do not want to allow between the zones where this policy map is applied. |
| Log | Log the packets | If you want to see log information about packets that were dropped because of policy, you can add this option. |

• Service policies: This is where you apply the policies, identified from a policy map, to a zone pair. This step actually implements the policy.


9 VoIP hacking

In order to make sure that your VoIP network is secure, you will need to try to hack your network. If you are able to hack your network, you will know where the vulnerabilities are located and you can secure them.

If you would like to try to hack something in an IP network there are some steps you need to do before you will be able to perform the hack:

• Footprinting: searching for information about the organization you are going to break into.

• Scanning: once you have found enough information about the company, have found out which global IP addresses the company has and have access to the internal network, you can begin scanning the internal network.

• Enumeration: with the scanning you found out behind which IP addresses the VoIP phones and the VoIP server are located. Now you can do deeper scans to learn which kind of phones and which kind of server support the VoIP network.

• Hacking VoIP: now that you know which server and which phones are being used, you can search for hacks of these kinds of phones and server.

9.1 Footprinting the organization

With footprinting the organization you search for information about the company and its employees.

9.1.1 Social Engineering

To learn more about the organization and the people who work in it, you can search on social network sites. You can use the information from these sites later on, for example when performing a brute-force attack to find usernames or passwords. Some social network sites are:

• Facebook.com

• Myspace.com

• Reunion.com

• Classmates.com

• Twitter.com

• Linkedin.com

• Plaxo.com

• Monster.com

• Careerbuilder.com

• Dice.com

• Ancestry.com

• Flickr.com

• Photobucket.com

9.1.2 Google Hacking Database (GHDB)

The Google Hacking Database is a database of search strings that you can use to find more information about the company, like passwords and misconfigured servers, that can help you find a way into the company.

The website where you can find these search strings is: http://www.hackersforcharity.org/ghdb


Some of the search strings for VoIP are brought together here: http://www.hackingvoip.com/google.html

9.1.3 Forums

In forums you can find a lot of information about companies, because when a network administrator has a problem with the network, the odds are high that he will put the configuration of the network devices online so other people can troubleshoot with him.

9.1.4 Countermeasures against Footprinting

As a network administrator, you must always be careful with which information you make available on the internet. You should always change usernames, passwords and IP addresses when you ask a question on a forum. Also make sure that no vulnerable servers (such as the internal VoIP server) are connected to the internet without an Intrusion Prevention System (IPS) or firewall in between.

9.2 Scanning the network

In the previous step, Footprinting, we searched for information about the organization and individuals. We now know what the global IP address is, and we have a way into the organization, so we also know which internal IP address ranges are used.

In this step, we can scan the IP address-ranges to search for the VoIP server and IP phones.

9.2.1 SIP Scanning

SIP is a widely used open source protocol for session establishment. SIP uses different messages that are sent between the participating devices. These messages can be used to scan the network, because depending on the answer we get to a message we can tell whether there is a phone behind that particular IP address.

SIP Messages

| Message | Description |
| --- | --- |
| INVITE | Initiation message for a new conversation |
| ACK | Invite acknowledgment |
| BYE | Terminates an existing session |
| CANCEL | Cancels all pending requests |
| OPTIONS | Identifies server capabilities |
| REGISTER | SIP location registration |

SIP Error Codes

| Error Code | Description |
| --- | --- |
| SIP 1.xx | Informational response messages |
| SIP 2.xx | Successful response messages |
| SIP 3.xx | Redirection responses |
| SIP 4.xx | Client request failure |

We do not need to do this manually; there are tools that automate this scanning.

SiVuS is a general purpose SIP hacking tool for Windows and Linux, it can be downloaded from: http://redoracle.com/index.php?option=com_remository&Itemid=82&func=fileinfo&id=210


Besides SiVuS there are a number of other tools that can be used to scan the network, like SIPVicious, a command-line SIP tool written in Python that can be downloaded from www.sipvicious.org.

9.2.2 Countermeasures for SIP scanning

There is not a lot you can do to prevent this. You could make different VLANs, one for voice and one for data. But if the hacker has access to the Voice VLAN, he can scan the network and search for VoIP phones.

9.2.3 Pillaging TFTP for VoIP Treasures

During the boot process, many SIP phones rely on a TFTP server to retrieve their configuration settings. TFTP is a perfect implementation of security by obscurity: in order to download a particular file, all you are required to know is the filename.

To find out where the TFTP server is located we perform a network scan, searching for devices listening on port 69, which is the TFTP port. We use the network scanner Nmap, which you can download from www.nmap.com.

Command: nmap -sU -p 69 <IP_address-range/netmask>

Now we know where the TFTP server is located and we can perform an attack against the TFTP server using the most common names of configuration files. These configuration file names differ between vendors and devices, so to ease the process, you can find a list of common filenames at http://hackingvoip.com/tools/tftp_bruteforce.txt. The tool we are going to use to brute force the TFTP server is tftpbrute, which can be downloaded from http://www.securiteam.com/tools/6E00P20EKS.html.

We will supply the text document to the TFTP-brute force tool so it can be used to brute force the TFTP server.

Command: perl tftpbrute.pl <IP_addressTFTPServer> tftp_bruteforce.txt

These configuration files can contain a wealth of information such as usernames and passwords for administrative functionality. For Cisco IP Phones, the configuration files for an extension can be downloaded by accessing SEP<macaddress>.cnf.xml from the TFTP server.

9.2.4 Countermeasures for Pillaging TFTP for Treasures

One method to secure your TFTP server is to configure it so that it only allows incoming connections from the static addresses of the VoIP phones. You need to keep in mind that the attacker can spoof his IP address so that he has a valid IP address of a VoIP phone.

There are some things you can do to make the phones more secure:

• Disable access to the settings menu on the devices.

• Disable the web server on the IP phones.

• Use signed configuration files to prevent configuration manipulation.


9.3 VoIP network enumeration

Now that we have scanned the network, we can do some enumeration to learn the users that are configured on the phones.

9.3.1 Enumerating VoIP Users

One way to look at the VoIP telephony world is to see each phone as a user, making each extension a username. These usernames are 4-6 digit values that are used as one half of the authentication process. The other half is a 4-6 digit PIN. The extensions are valuable pieces of information, and we will try to enumerate them now.

First we will look on how to enumerate the users from an Asterisk server and then the user enumeration on Cisco VoIP systems.

9.3.1.1 Asterisk REGISTER User Enumeration

If you send a REGISTER message to the Asterisk server with a valid user account, the server reacts to this message with a different error code than when you try this with an invalid user account. In this way, we can enumerate the valid user accounts by probing the server with user accounts.

Now that we know the logic behind SIP user enumeration, we can look at tools that automate this process.

There are several tools that can perform such an automated attack:

• SIPVicious toolkit with the svwar.py tool; this tool supports OPTIONS, REGISTER and INVITE messages.

• The SiVuS tool can also perform this kind of attack.

• SIPScan is a GUI tool that supports sending OPTIONS, REGISTER and INVITE messages. It can be downloaded from www.hackingvoip.com/tools/sipscan.msi.

• sipsak is known as the “SIP Swiss army knife”, as it can perform any task you could ever want to do with SIP. It can be downloaded from www.sipsak.org.

9.3.1.2 Cisco IP Phone Boot Process

A lot of large-scale enterprises use Cisco hardphones for their employees. Every Cisco phone goes through the same boot process. You first need to know the boot process in order to understand the hack. During the process, the MAC address of the phone is added to the CUCM database and assigned an extension number along with user details.

The sequence of events that takes place if a Cisco phone boots up is:

1. The IP Phone sends a Cisco Discovery Protocol (CDP) Voice VLAN Query request.

2. A Cisco networking device in range responds with the Voice VLAN information.

3. The IP Phone reconfigures its Ethernet port to tag all traffic with the received Voice VLAN ID (VVID).

4. The IP Phone sends a DHCP request with Option 55 – Parameter Request List, requesting Option 150 – TFTP Server Address.

5. The DHCP server is configured to respond with Option 150 specifying the TFTP server address.

6. The IP Phone connects to the TFTP server and downloads the certificate trust list (CTL), the initial trust list (ITL) file, and the phone-specific configuration file SEP<macaddress>.cnf.xml.

7. This configuration file contains all the settings needed to register the phone with the call server.


9.3.1.3 Cisco User Enumeration

Cisco provides a nice feature called Directory Services, which can be used to achieve the same result as with SIP. When the phone receives its initial configuration via TFTP, it contains a URL for the directory lookup. This XML element is of the form <directoryURL>http://CallManagerIP:8080/ccmip/xmldirectory.jsp</directoryURL>. The Directory Services application provides an input page to enter search information and returns an XML dataset <CiscoIPPhoneDirectory> containing the directory information. Cisco IP Phones have a built-in basic web browser to display this parsed directory information. However, the Automated Corporate Enumerator (ACE) tool, which can be downloaded from www.ucnsniff.sourceforge.net/ace.html, can find the TFTP configuration for a phone, extract the above URL, and dump all the entries in the corporate directory. This tool has a number of options; at a minimum, it needs the MAC address of a phone in the network and the interface information.

Command: ./-I eth0 -t <IP_address> -m <MAC_Address>

9.3.1.4 Countermeasures for VoIP Enumeration

As with many attacks described in this chapter, there is little you can do to prevent them, because these attacks are just abusing the normal functionality of the protocol and the server. What you can do is provide some “defense in depth” by segmenting the VoIP and data networks and by placing Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) in strategic places to detect and prevent these attacks.

9.3.2 Hacking the VoIP network

Now that we know where the phones and the server are located, and which user accounts are used, we can perform a couple of attacks on the VoIP network:

• Interception Attack

• Offline Attack

• Denial of Service Attack

9.3.2.1 Interception Attack

The interception attack is an attack that you can only perform if you are in the path of the traffic. The interception attack needs several steps:

• ARP spoofing attack
• Sniff UDP traffic
• Save the capture files

Because most companies no longer use hubs, getting into the path of the traffic is not easy. To make sure that you are in the path of the traffic flow, you can perform an ARP spoofing attack. This attack goes as follows:

• First, an ARP reply is sent to the router to make it believe that you (the hacker) are the network administrator.

• Second, you (the hacker) send an ARP reply to the network administrator to make him believe that you are the router.

• You use IP forwarding to make sure that the packets still reach their destination and that the network administrator does not notice anything.


Figure 9-1 ARP spoofing

The tricky part of this attack is to make sure that you are on the voice VLAN, but you can accomplish this if you sit at the desk where the phone is located, because in many companies the network cable goes into the phone and a second cable runs from the phone to the computer.
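The ARP spoofing described above can be spotted passively on the voice VLAN even before any switch-side protection is in place. What follows is an added example written for this report; it is not part of the original text and not code from any tool the report mentions. It is an arpwatch-style monitor that learns the IP-to-MAC mapping from ARP replies and raises an alert when an IP address, in particular the gateway's, suddenly answers from another MAC, or when one MAC claims several IP addresses within a short window. The gateway address is taken from the lab's addressing scheme; the ARP records, the MAC addresses and the 60 second window are constructed for the example.

```python
from collections import defaultdict

# Assumed: the voice VLAN gateway from the lab's addressing scheme.
GATEWAY_IP = "192.168.1.97"

# Constructed ARP replies as a sensor on the voice VLAN would see them:
# (time in seconds, sender MAC, sender IP, target MAC, target IP).
# The router and the phone exchange replies first; at t=30 a third MAC
# starts answering for both of them, which is the spoofing pattern.
SAMPLE_ARP_REPLIES = [
    (0.0,  "00:1b:54:aa:aa:01", "192.168.1.97",  "00:11:22:33:44:55", "192.168.1.101"),
    (1.0,  "00:11:22:33:44:55", "192.168.1.101", "00:1b:54:aa:aa:01", "192.168.1.97"),
    (30.0, "de:ad:be:ef:00:02", "192.168.1.97",  "00:11:22:33:44:55", "192.168.1.101"),
    (30.1, "de:ad:be:ef:00:02", "192.168.1.101", "00:1b:54:aa:aa:01", "192.168.1.97"),
]


class ArpMonitor:
    """Keeps the last seen IP -> MAC mapping and flags suspicious changes."""

    def __init__(self, gateway_ip, multi_ip_window=60.0):
        self.gateway_ip = gateway_ip
        self.window = multi_ip_window          # seconds one MAC may claim several IPs
        self.ip_to_mac = {}                    # last MAC seen answering for an IP
        self.mac_claims = defaultdict(dict)    # MAC -> {IP: last time it claimed it}
        self.alerts = []                       # (severity, message)

    def observe(self, t, sender_mac, sender_ip, target_mac, target_ip):
        # 1. An IP that moves to another MAC: a NIC swap, or spoofing.
        previous = self.ip_to_mac.get(sender_ip)
        if previous is not None and previous != sender_mac:
            severity = "HIGH" if sender_ip == self.gateway_ip else "MEDIUM"
            self.alerts.append((severity,
                f"{sender_ip} moved from {previous} to {sender_mac} at t={t}"))
        self.ip_to_mac[sender_ip] = sender_mac

        # 2. One MAC answering for several IPs inside the window: the
        #    spoofing host claims both the router and the victim.
        claims = self.mac_claims[sender_mac]
        claims[sender_ip] = t
        for stale in [ip for ip, seen in claims.items() if t - seen > self.window]:
            del claims[stale]
        if len(claims) > 1:
            self.alerts.append(("HIGH",
                f"{sender_mac} claims {sorted(claims)} within {self.window}s"))


def scan(records, gateway_ip=GATEWAY_IP):
    """Run the monitor over a list of ARP reply records and return its alerts."""
    monitor = ArpMonitor(gateway_ip)
    for record in records:
        monitor.observe(*record)
    return monitor.alerts


if __name__ == "__main__":
    for severity, message in scan(SAMPLE_ARP_REPLIES):
        print(severity, message)
```

A legitimate NIC replacement also trips the first rule, so a MEDIUM alert is something to correlate with the DHCP snooping table rather than proof of an attack; the switch-level fix remains Dynamic ARP Inspection, described in the countermeasures below.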

9.3.2.2 Offline Attack

With the offline attack, you inspect and decode the capture that was made, so you can listen to the conversation. You can perform this attack with the tool Cain; this tool can be downloaded from

9.3.2.3 Countermeasures to the Interception Attack

There are a number of defense and protection features built into most recent hardware and software, but quite often they are not used. Sometimes this is because of the impact of end-to-end encryption on delay and jitter, but sometimes it is just laziness.

You could put switchport port security in place to only allow the address of the computer or phone that belongs on that switchport.

You could configure Dynamic ARP Inspection; this makes sure that the ARP spoofing attack no longer works.

You can also use safer protocols like:

• Secure RTP: this protocol encrypts all the RTP traffic
• TLS: this also encrypts all the traffic and can be used with SIP and with SCCP

Firewalls could also be deployed to protect the VoIP infrastructure at the application layer. If you select a firewall for this task, make sure that it can inspect VoIP traffic.

The phones should only download signed configurations and firmware, and they should also use TLS to authenticate the servers, and vice versa.


9.3.2.4 Denial of Service Attack

This is an attack that is not so difficult, and also not as rewarding as the other attacks. You can easily flood an entire VoIP network by sending SIP INVITE messages to all the phones. All the phones will keep ringing.

The tool that we will be using for this is called inviteflood and can be downloaded from www.hackingvoip.com/sec_tools.html.

This attack has a devastating result: it generates a lot of network traffic and floods the VoIP phone with SIP INVITE requests. The tool is so powerful that when it targets a SIP gateway, the server often becomes completely overwhelmed and ceases to function for the duration of the attack.

9.3.2.5 Countermeasures for a Denial of Service Attack

The first thing you need to do is make sure there is network segmentation; the second thing is to make sure that there is an IPS or IDS in place so it can drop all the rogue traffic.
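The IDS/IPS mentioned above needs a rule that recognises the INVITE flood. The following is an added example written for this report, not code from the report or from any IDS product: a rate-based check over SIP request lines as a sensor on the voice VLAN would record them (timestamp, source, destination, request line), which alerts once per source/destination pair when more than a threshold of INVITEs arrives inside a sliding window. The sample records are constructed; the window of one second and the threshold of 20 INVITEs are assumptions to be tuned per site.

```python
from collections import defaultdict, deque

# Constructed sensor records: (time in seconds, source IP, destination IP,
# SIP request line). The first three are ordinary traffic; then one source
# sends 300 INVITEs to a single phone in three seconds.
SAMPLE_SIP_RECORDS = [
    (0.00, "192.168.1.101", "10.0.0.2",      "REGISTER sip:10.0.0.2 SIP/2.0"),
    (2.50, "192.168.1.101", "10.0.0.2",      "INVITE sip:1002@10.0.0.2 SIP/2.0"),
    (2.60, "10.0.0.2",      "192.168.1.102", "INVITE sip:1002@192.168.1.102 SIP/2.0"),
] + [
    (10.0 + i * 0.01, "192.168.1.120", "192.168.1.102",
     "INVITE sip:1002@192.168.1.102 SIP/2.0")
    for i in range(300)
]


def sip_method(request_line):
    """Return the method of a SIP request line, or None for a status line
    (a status line starts with 'SIP/2.0' instead of ending with it)."""
    parts = request_line.split(" ", 2)
    if len(parts) == 3 and parts[2].startswith("SIP/2.0"):
        return parts[0]
    return None


def detect_invite_flood(records, window=1.0, threshold=20):
    """Sliding-window rate check: alert once per (source, destination) pair
    when more than `threshold` INVITEs arrive within any `window` seconds.
    Returns a list of (source, destination, window_start, count)."""
    recent = defaultdict(deque)     # (src, dst) -> INVITE timestamps in the window
    already_alerted = set()
    alerts = []
    for t, src, dst, line in records:
        if sip_method(line) != "INVITE":
            continue
        timestamps = recent[(src, dst)]
        timestamps.append(t)
        while timestamps and t - timestamps[0] > window:
            timestamps.popleft()
        if len(timestamps) > threshold and (src, dst) not in already_alerted:
            already_alerted.add((src, dst))
            alerts.append((src, dst, timestamps[0], len(timestamps)))
    return alerts


if __name__ == "__main__":
    for src, dst, start, count in detect_invite_flood(SAMPLE_SIP_RECORDS):
        print(f"INVITE flood from {src} to {dst}: {count} INVITEs since t={start}")
```

An inline IPS would use the same decision to drop the source's further INVITEs; an IDS on a mirror port can only report it, which is the difference section 10.4 below describes.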


10 VoIP basic security

Every phone in the company is connected to the Internet, so it can be attacked from outside the company. There are a couple of things you can do to secure your VoIP traffic. A VoIP phone call has two different parts: the call setup messages and the actual media stream. It is important to choose the VoIP protocol that fits your needs best.

10.1 Turn off unnecessary protocols

For every device you work with, the security best practice is to turn off unnecessary protocols. You can have a phone that supports both SIP and SCCP, but if you only use SIP, just disable the SCCP part of the phone.

10.2 Divide VoIP network from data network

A security best practice is to separate the VoIP network from the data network. You can achieve this physically, by using different switches, or logically, by making different VLANs for voice traffic and for data traffic.

10.3 Configure some layer 2 security

Because the devices you call with are usually attached to a switch, some layer 2 security needs to be put in place. First we can configure port security, but this alone is not watertight. We also need to configure DHCP snooping so that nobody can set up their own DHCP server to eavesdrop on the network. We also configure Dynamic ARP Inspection to mitigate ARP spoofing attacks. The last layer 2 security feature we configure is IP Source Guard.

10.3.1 Port security

With port security we only allow the MAC addresses of the devices that need to be connected to that port. If another MAC address is seen on that port, the port is shut down. After the port is in the shutdown state the administrator is notified, and he can bring the port back up once he has examined the risk.

10.3.2 DHCP Snooping

DHCP snooping is used so that no rogue DHCP server can hand out IP addresses to other computers on the network. If you have not enabled this feature, a hacker can route all the network traffic through his computer: he lets his computer act as a DHCP server, and in this way he can listen in on the conversations on your VoIP network.

We will use the following topology to explain DHCP Snooping:

Figure 10-1 DHCP Snooping


10.3.2.1 How does DHCP work?

In order to understand what happens with DHCP snooping, you need to understand the DHCP protocol.

The DHCP protocol will use following steps in order for the computer to get an IP address:

1. The computer sends a DHCP discover. This is a broadcast message, so it is sent over the whole broadcast domain.

2. The router checks the DHCP pool for the interface on which it received the discover message and checks whether it has leases available. If it has, it sends a DHCP offer back to the computer.

3. The computer then sends a request for an IP address. This is also a broadcast.
4. The router sends an acknowledgement back to the computer, and the computer then has its IP address.

The computer uses the IP address that it receives first. In the case of our topology, this is the IP address it receives from the rogue DHCP router. The rogue DHCP router then forwards all of the traffic to the real DHCP router, so that the computer has no idea that its traffic is being eavesdropped.

10.3.2.2 How does DHCP Snooping work?

DHCP snooping makes sure that the computer only gets an IP address from the legitimate router. To make this work, you can configure two states on the interfaces:

• Trusted: all messages are accepted, in all directions
  o Discover
  o Offer
  o Request
  o Information
  o Acknowledgement

• Untrusted: the messages are accepted, but only in one direction of the interface
  o Discover: in
  o Offer: out
  o Request: in
  o Acknowledgement: out
  o Inform: out

So what happens when snooping is in place? The messages are only allowed in the direction they should go. So if a discover message is sent, it comes in on fa0/11 on S1. It cannot be sent out of fa0/1 on S1 because that is an untrusted interface, so the rogue router will not receive the DHCP discover message.

And if the rogue router sends an offer to the computer on its own, it is not allowed in on that interface, because it is an untrusted interface.


10.3.2.3 DHCP snooping table

If DHCP snooping is enabled, the switch builds a DHCP snooping table. In this table you find the following:

• Source MAC address
• Source IP address
• Lease duration
• Associated port
• VLAN number

This table can be exported to flash; you need to do this to keep the table after a reload. The table is used by Dynamic ARP Inspection and IP Source Guard.

10.3.2.4 Option 82

If DHCP snooping is enabled, it turns on option 82. This option adds some additional fields to the DHCP packet:

• Circuit ID: the port and the VLAN
• Remote ID: the hostname
• Gateway IP address

This data is used to relay DHCP packets to the DHCP router in a network where the DHCP router resides on a different network. The DHCP broadcasts are sent to the gateway of their own LAN; this router then unicasts the packets to the DHCP server. Option 82 is used to relay these packets correctly.

The problem is the gateway IP address: this is the IP address of the internal interface of the router, but it is not added on the layer 2 network. So the gateway IP address is not present in the DHCP packets when they arrive at R5, and because of this R5 does not trust the DHCP packet. There are three solutions to this problem:

• disable option 82 insertion on S1: this is not good if you would like to use IP Source Guard afterwards
• globally trust all the DHCP packets at R5
• trust the DHCP packets on R5 at interface level
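To see exactly what R5 is rejecting, it helps to look at the packet. The following is an added example written for this report, not code from the report or from Cisco: it builds a DHCPDISCOVER with the RFC 2131 header layout, parses option 82 into its circuit ID and remote ID sub-options (RFC 3046), reads the gateway IP address from the giaddr header field, and applies the rule the text describes: option 82 present while giaddr is still 0.0.0.0 is dropped unless the relay information is trusted. The sub-option layouts it decodes (circuit ID = VLAN, module, port; remote ID = switch MAC) are the Cisco default formats as this example assumes them; the packet contents, MAC addresses and the VLAN 96 / port 11 values are constructed.

```python
from ipaddress import ip_address

DHCP_MAGIC = b"\x63\x82\x53\x63"


def build_discover(chaddr, giaddr="0.0.0.0", option82=None):
    """Build a minimal DHCPDISCOVER (RFC 2131 layout) for the example.
    `option82` is the raw body of the relay agent information option."""
    pkt = bytearray(240)
    pkt[0] = 1                                   # op: BOOTREQUEST
    pkt[1] = 1                                   # htype: Ethernet
    pkt[2] = 6                                   # hlen
    pkt[4:8] = b"\x12\x34\x56\x78"               # xid
    pkt[24:28] = ip_address(giaddr).packed       # giaddr: set by a relay, else 0
    pkt[28:34] = bytes.fromhex(chaddr.replace(":", ""))
    pkt[236:240] = DHCP_MAGIC
    pkt += b"\x35\x01\x01"                       # option 53: DHCPDISCOVER
    if option82 is not None:
        pkt += b"\x52" + bytes([len(option82)]) + option82   # option 82
    pkt += b"\xff"                               # end option
    return bytes(pkt)


def parse_dhcp(pkt):
    """Return op, giaddr, chaddr and a {code: raw value} map of the options."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    options = {}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:                          # end
            break
        if code == 0:                            # pad
            i += 1
            continue
        length = pkt[i + 1]
        options[code] = bytes(pkt[i + 2:i + 2 + length])
        i += 2 + length
    return {
        "op": pkt[0],
        "giaddr": str(ip_address(bytes(pkt[24:28]))),
        "chaddr": bytes(pkt[28:28 + pkt[2]]).hex(":"),
        "options": options,
    }


def parse_option82(raw):
    """Split option 82 into its sub-options (RFC 3046: 1 = circuit ID,
    2 = remote ID) and decode the Cisco default layouts this example
    assumes: circuit ID = 00 04 <VLAN:2> <module:1> <port:1>,
    remote ID = 00 06 <switch MAC:6>."""
    subs = {}
    i = 0
    while i + 2 <= len(raw):
        sub_type, length = raw[i], raw[i + 1]
        subs[sub_type] = raw[i + 2:i + 2 + length]
        i += 2 + length
    circuit, remote = subs.get(1, b""), subs.get(2, b"")
    out = {"circuit_id": circuit.hex(), "remote_id": remote.hex()}
    if len(circuit) == 6 and circuit[0] == 0 and circuit[1] == 4:
        out["vlan"] = int.from_bytes(circuit[2:4], "big")
        out["module"] = circuit[4]
        out["port"] = circuit[5]
    if len(remote) == 8 and remote[0] == 0 and remote[1] == 6:
        out["switch_mac"] = remote[2:8].hex(":")
    return out


def relay_trust_check(pkt, trusted_relay=False):
    """Decide as the DHCP router does: option 82 with giaddr 0.0.0.0 means
    the option was inserted on the server's own LAN, which is dropped
    unless the relay information is trusted (globally or per interface)."""
    info = parse_dhcp(pkt)
    raw82 = info["options"].get(82)
    if raw82 is None:
        return "accept", "no option 82"
    details = parse_option82(raw82)
    if info["giaddr"] == "0.0.0.0" and not trusted_relay:
        return "drop", f"option 82 present but giaddr is 0.0.0.0: {details}"
    return "accept", f"giaddr {info['giaddr']}: {details}"


if __name__ == "__main__":
    # Constructed: circuit ID for VLAN 96, module 0, port 11; remote ID MAC.
    opt82 = (b"\x01\x06\x00\x04\x00\x60\x00\x0b"
             b"\x02\x08\x00\x06\x00\x1b\x54\xaa\xaa\x01")
    pkt = build_discover("00:11:22:33:44:55", option82=opt82)
    print(relay_trust_check(pkt))
    print(relay_trust_check(pkt, trusted_relay=True))
```

The `trusted_relay` flag plays the role of the second and third solutions in the list above; the first solution (no insertion on S1) corresponds to the "no option 82" branch, and loses the port/VLAN information that IP Source Guard would later rely on.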

10.3.3 Dynamic ARP inspection

Dynamic ARP Inspection is used so that the switch only updates its ARP table from devices you trust. By implementing this, the ARP spoofing attack no longer works.

10.3.3.1 How does the ARP protocol work?

The ARP protocol translates IP addresses into MAC addresses; the switch uses this information to send the packets to the correct hosts.

The ARP protocol works with ARP requests and ARP responses. If you would like to know which MAC address is behind an IP address, you send an ARP request. This is a broadcast message, and the legitimate host answers with an ARP response. After this, the ARP table is updated with the new information.

A hacker could use this to route all the network traffic through his machine, so he can eavesdrop on the traffic and isolate the VoIP traffic. He can then replay the conversation you just had.


10.3.3.2 How does Dynamic ARP inspection work?

Dynamic ARP Inspection (DAI) uses the DHCP snooping table to know who is allowed to send ARP requests and ARP responses.

DAI has two states:

• Trusted state: allows responses and requests
• Untrusted state: only allows requests and responses from hosts that are in an ARP access list or in the DHCP snooping table.

DAI can also validate other properties:

• Source MAC: is the source MAC address the same as the MAC address in the table?
• Destination MAC: is the destination MAC address the same as the MAC address in the table?
• IP address: does any of the fields contain invalid information?

If you use static IP addresses for your hosts, these IP addresses are not automatically trusted. There are two methods to make DAI trust these hosts:

• Make an ARP access list that includes these static hosts.
• Add an entry to the DHCP snooping table; you can export this table to flash to keep it after a reboot.

10.3.4 IP Source Guard

By implementing IP Source Guard, you make sure that nobody can forge their IP address into the IP address of a valid host on the network.

IP Source Guard checks the IP address and MAC address of each packet to verify that it is valid.

10.3.4.1 How does IP Source Guard work?

IP Source Guard works similarly to DAI. It also uses the DHCP snooping table.

You can populate info to the IP Source Guard in three ways:

• DHCP snooping table
• Entry in an access list
• IP device tracking: this method sends ARP probes to verify that the hosts are still there. If a host does not respond three times, it is declared offline.
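Sections 10.3.2 to 10.3.4 all hang off one data structure, the DHCP snooping table, so they are easiest to understand together. The following is an added example written for this report, a simplified model and not Cisco code: a switch object that applies the DHCP snooping rule for untrusted ports (server-side messages OFFER, ACK and NAK are only accepted from a trusted port), fills the binding table from a completed DHCP exchange, and then lets Dynamic ARP Inspection and IP Source Guard check ARP and IP packets against that table or against a static ARP access list. The port names (fa0/24 as the trusted uplink, fa0/11 for a phone, fa0/12 for the attacker's port), the MAC addresses and the lease values are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

# DHCP message types as seen by the switch. Server-side messages may only
# enter the switch on a trusted port; client-side messages on any port.
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "INFORM", "DECLINE", "RELEASE"}


@dataclass(frozen=True)
class Binding:
    """One row of the DHCP snooping table."""
    mac: str
    ip: str
    vlan: int
    port: str
    lease: int          # seconds


def plausible_ip(ip):
    """The 'ip' validation of DAI: reject 0.0.0.0, broadcast and multicast."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_unspecified or addr.is_multicast or str(addr) == "255.255.255.255")


@dataclass
class Switch:
    trusted: set = field(default_factory=set)       # ports with 'ip dhcp snooping trust'
    bindings: dict = field(default_factory=dict)    # MAC -> Binding (the snooping table)
    arp_acl: dict = field(default_factory=dict)     # static hosts: MAC -> IP
    pending: dict = field(default_factory=dict)     # client MAC -> (port, vlan) of its request

    def dhcp_ingress(self, port, vlan, msg_type, chaddr, yiaddr="0.0.0.0", lease=0):
        """DHCP snooping filter for a message received on `port`.
        Returns 'forward' or 'drop'; a completed exchange adds a binding."""
        if msg_type in SERVER_MESSAGES and port not in self.trusted:
            return "drop"                           # a rogue server on an access port
        if msg_type in CLIENT_MESSAGES and port not in self.trusted:
            self.pending[chaddr] = (port, vlan)     # remember where the client is
        if msg_type == "ACK" and chaddr in self.pending:
            client_port, client_vlan = self.pending.pop(chaddr)
            self.bindings[chaddr] = Binding(chaddr, yiaddr, client_vlan, client_port, lease)
        return "forward"

    def known(self, port, mac, ip):
        """True if (mac, ip) is in the snooping table for this port or in the ARP ACL."""
        binding = self.bindings.get(mac)
        if binding is not None and binding.ip == ip and binding.port == port:
            return True
        return self.arp_acl.get(mac) == ip

    def dai_check(self, port, sender_mac, sender_ip, eth_src, eth_dst=None, target_mac=None):
        """Dynamic ARP Inspection for an ARP packet received on `port`, with
        the optional src-mac / dst-mac / ip validations switched on."""
        if port in self.trusted:
            return "forward"
        if sender_mac != eth_src:
            return "drop"                           # src-mac: body and Ethernet header differ
        if eth_dst is not None and target_mac is not None and target_mac != eth_dst:
            return "drop"                           # dst-mac (replies): same check for the target
        if not plausible_ip(sender_ip):
            return "drop"                           # ip: invalid sender address
        return "forward" if self.known(port, sender_mac, sender_ip) else "drop"

    def ipsg_check(self, port, src_mac, src_ip):
        """IP Source Guard: an IP packet on an untrusted port must carry a
        source MAC/IP pair that the snooping table (or a static entry) knows."""
        if port in self.trusted:
            return "forward"
        return "forward" if self.known(port, src_mac, src_ip) else "drop"


def demo():
    """Replay a DHCP exchange and the spoofing attempts with constructed
    ports: fa0/24 is the uplink towards the real DHCP router, fa0/11 a
    phone, fa0/12 the attacker's port."""
    sw = Switch(trusted={"fa0/24"})
    phone, attacker = "00:11:22:33:44:55", "de:ad:be:ef:00:02"
    results = {}
    results["discover"] = sw.dhcp_ingress("fa0/11", 96, "DISCOVER", phone)
    results["rogue_offer"] = sw.dhcp_ingress("fa0/12", 96, "OFFER", phone, yiaddr="192.168.1.120")
    results["real_offer"] = sw.dhcp_ingress("fa0/24", 96, "OFFER", phone, yiaddr="192.168.1.101")
    results["request"] = sw.dhcp_ingress("fa0/11", 96, "REQUEST", phone)
    results["ack"] = sw.dhcp_ingress("fa0/24", 96, "ACK", phone, yiaddr="192.168.1.101", lease=86400)
    # ARP: the phone's own reply passes; a host claiming the gateway or the phone does not.
    results["phone_arp"] = sw.dai_check("fa0/11", phone, "192.168.1.101", phone)
    results["spoofed_gateway"] = sw.dai_check("fa0/12", attacker, "192.168.1.97", attacker)
    results["spoofed_phone"] = sw.dai_check("fa0/12", phone, "192.168.1.101", phone)
    # IP: a packet with a forged source address is dropped by IP Source Guard.
    results["phone_ip"] = sw.ipsg_check("fa0/11", phone, "192.168.1.101")
    results["forged_ip"] = sw.ipsg_check("fa0/11", phone, "192.168.1.97")
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:16} {decision}")
```

Note what the model makes explicit: a statically addressed host (the administrator's PC in the lab) has no binding, so it only passes DAI and IP Source Guard through the `arp_acl` entry, which is the ARP access list the text recommends for static hosts.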

10.4 Place an Intrusion Prevention System and Intrusion Detection System

An Intrusion Prevention System (IPS) and an Intrusion Detection System (IDS) are two different implementations. An IPS sits inline in the traffic path, so it is able to drop unwanted packets as they pass by. An IDS is not inline, but is attached to an interface where all the traffic is mirrored. All the traffic therefore also reaches the IDS, but because the IDS is not in the traffic path, it cannot drop the unwanted packets; it only generates a message about them. The advantage of an IDS over an IPS is that the IDS cannot slow down your network, while with an IPS all traffic has to pass through it, so it can become a bottleneck.

Figure 10-2 IPS vs IDS

10.4.1 Different kinds of IPS and IDS

There are different kinds of IPS and IDS. We will document the Cisco IOS IPS and the open source SNORT IPS/IDS.

10.4.1.1 Cisco IOS IPS

A Cisco IOS IPS is an IPS that is configured on a Cisco router. We will configure the IPS as a signature-based IPS.

A signature is a set of rules looking for a specific pattern or characteristic in either a single packet or a stream of packets. A new sensor may have thousands of default signatures provided by Cisco. Not all the signatures are enabled, but the administrator can enable, disable, customize and create new signatures to meet the needs of the current network.

10.4.1.1.1 Benefits of an IOS IPS

Implementing an IOS IPS has some benefits over implementing an IPS on a dedicated hardware appliance:

• The IOS IPS is easy to implement: you don’t need to change your network topology in order to put the IPS in place, because the IPS resides on the router and the router is already part of your network.
• You can dynamically update your signatures.
• It is compatible with other security features, such as Zone-Based Firewalls, Virtual Private Networks, Access Control Lists, authentication, authorization and accounting, and many others on the same router, as long as there is enough memory and CPU to support all the features.
• It supports attack signatures from the same signature database that is used by the IPS appliances.

10.4.1.2 SNORT IPS/IDS

SNORT is an open source network intrusion prevention and detection system (IDS/IPS). It combines the benefits of signature-, protocol- and anomaly-based inspection.

10.5 Firewall SIP support

A firewall is a device that we configure so that no unwanted traffic can come inside the organization. We will configure the firewall so that it inspects all the SIP traffic coming from the Internal Servers zone to the Voice zone and vice versa.

10.6 Use encrypted protocols

After all the precautions we have taken, it is almost impossible to intercept the VoIP traffic and eavesdrop on the internal network. But it is still important to use SIP in a way that all of its traffic is encrypted; we do this by using TLS on top of SIP. The SIP traffic for the session setup is as important as the RTP stream. We will use the Secure RTP protocol to encrypt the RTP stream.


11 VoIP SIP lab

We will configure a network that is based on the SIP protocol, with an Asterisk SIP server, an IOS Zone-Based Firewall, an IOS-based IPS and layer 2 security.

11.1 Network topology

11.2 IP addressing scheme

Device           | Interface | VLAN               | IP Address   | Subnet Mask     | Default Gateway | Switch Port
Router 1         | Lo 0      | N/A                | 172.16.0.1   | 255.255.248.0   | N/A             | N/A
Router 1         | Fa 0/1    | N/A                | 10.0.0.1     | 255.255.255.0   | N/A             | N/A
Router 1         | Fa 0/0.32 | dot1Q 32           | 192.168.1.33 | 255.255.255.224 | N/A             | MS Fa 0/3
Router 1         | Fa 0/0.64 | dot1Q 64           | 192.168.1.65 | 255.255.255.224 | N/A             | MS Fa 0/3
Router 1         | Fa 0/0.96 | dot1Q 96           | 192.168.1.97 | 255.255.255.224 | N/A             | MS Fa 0/3
MS               | N/A       | Management VLAN 32 | 192.168.1.34 | 255.255.255.224 | N/A             | N/A
Switch 1         | N/A       | Management VLAN 32 | 192.168.1.35 | 255.255.255.224 | N/A             | MS Fa 0/2
Switch 2         | N/A       | Management VLAN 32 | 192.168.1.36 | 255.255.255.224 | N/A             | MS Fa 0/1
Asterisk Server  | Eth 0     | N/A                | 10.0.0.2     | 255.255.255.0   | 10.0.0.1        | N/A
Admin            | NIC       | Management VLAN 32 | 192.168.1.40 | 255.255.255.224 | 192.168.1.33    | S1 Fa 0/5
Admin Phone 1001 | NIC       | Voice VLAN 96      | DHCP         | 255.255.255.224 | 192.168.1.97    | S1 Fa 0/10
PC1              | NIC       | Data VLAN 64       | DHCP         | 255.255.255.224 | 192.168.1.65    | S1 Fa 0/6
Phone 1002       | NIC       | Voice VLAN 96      | DHCP         | 255.255.255.224 | 192.168.1.97    | S1 Fa 0/11
Phone 1003       | NIC       | Voice VLAN 96      | DHCP         | 255.255.255.224 | 192.168.1.97    | S2 Fa 0/5
Hacker (PC2)     | NIC       | Data VLAN 64       | DHCP         | 255.255.255.224 | 192.168.1.65    | S2 Fa 0/10
PC 3             | NIC       | Data VLAN 64       | DHCP         | 255.255.255.224 | 192.168.1.65    | S2 Fa 0/11


11.3 Objectives

In this lab we will do the following things:

• Configure a VoIP SIP network
• Configure an Asterisk Server
• Try to hack into the network
• Configure an IOS Zone Based Firewall
• Configure Layer 2 Security
• Configure an IOS IPS

11.4 Configure the LAB

To configure the lab you will need 2 routers, 3 switches, 4 computers, 3 IP phones and one Asterisk server.

11.4.1 Different VLANs used

We will configure the following VLANs:

VLAN | Name       | Network         | Start IP address | End IP address
32   | Management | 192.168.1.32/27 | 192.168.1.33     | 192.168.1.62
64   | Data       | 192.168.1.64/27 | 192.168.1.65     | 192.168.1.94
96   | Voice      | 192.168.1.96/27 | 192.168.1.97     | 192.168.1.126

11.4.2 Configure basic configurations

To begin this lab, you need to configure the routers and the switches with IP addresses. We will also configure some basic security.

11.4.2.1 Basic Router configuration

11.4.2.1.1 Basic Security

We will configure some basic security on the router. The enable password is also needed for the SSH connection to work.

Router#conf t
Router(config)#hostname R1
R1(config)#enable secret cisco
R1(config)#line con 0
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#end
R1#copy run start

11.4.2.1.2 Interfaces

We will configure 5 interfaces:

• Inside network, these are the sub-interfaces per VLAN
  o VLAN 32
  o VLAN 64
  o VLAN 96
• Loopback internet interface
• Internal Servers interface


R1#conf t
R1(config)#int lo 0
R1(config-if)#ip add 172.16.0.1 255.255.248.0
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#int fa0/1
R1(config-if)#ip add 10.0.0.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit
! the physical interface must be up, otherwise its sub-interfaces stay down
R1(config)#int fa0/0
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#interface FastEthernet0/0.32
R1(config-subif)#encapsulation dot1Q 32
R1(config-subif)#ip address 192.168.1.33 255.255.255.224
R1(config-subif)#no shut
R1(config-subif)#exit
R1(config)#interface FastEthernet0/0.64
R1(config-subif)#encapsulation dot1Q 64
R1(config-subif)#ip address 192.168.1.65 255.255.255.224
R1(config-subif)#no shut
R1(config-subif)#exit
R1(config)#interface FastEthernet0/0.96
R1(config-subif)#encapsulation dot1Q 96
R1(config-subif)#ip address 192.168.1.97 255.255.255.224
R1(config-subif)#no shut
R1(config-subif)#end
R1#copy run start

11.4.2.1.3 SSH

We will configure SSH because it is a safe way to remotely configure your devices. You need a couple of things in order to make SSH work:

• A user that can log in on the VTY lines
• A domain name, so the router is able to generate the RSA keys
• RSA keys
• Only allow SSH access on the VTY lines

R1#conf t
R1(config)#aaa new-model
R1(config)#username adminssh password cisco
R1(config)#ip domain-name voip.fh.com
R1(config)#crypto key generate rsa
The name for the keys will be: R1.voip.fh.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

R1(config)#ip ssh time-out 60
R1(config)#ip ssh authentication-retries 3
R1(config)#line vty 0 4
R1(config-line)#transport input ssh
R1(config-line)#end
R1#copy run start


11.4.2.2 Configure Router 1 DHCP server per VLAN

Router 1 acts as a DHCP server and gives IP addresses to the hosts per VLAN. It uses the 802.1Q tagging of the VLANs.

We configure a DHCP pool per VLAN, so that the host devices receive a correct IP address inside their VLAN. We only configure this for the Data VLAN (64) and the Voice VLAN (96), not for the management VLAN, because those devices have static IP addresses.

R1#conf t
R1(config)#ip dhcp pool DataVlan64
R1(dhcp-config)#network 192.168.1.64 255.255.255.224
R1(dhcp-config)#default-router 192.168.1.65
R1(dhcp-config)#exit
R1(config)#ip dhcp pool VoiceVlan96
R1(dhcp-config)#network 192.168.1.96 255.255.255.224
R1(dhcp-config)#default-router 192.168.1.97
R1(dhcp-config)#end
R1#copy run start

11.4.2.3 Basic Switch configuration

11.4.2.3.1 Switch basic security

We configure some basic security on all the switches; you need to change the hostname according to which switch you are configuring. The enable password is also needed for the SSH connection to work.

Switch#conf t
Switch(config)#hostname MS
MS(config)#enable secret cisco
MS(config)#line con 0
MS(config-line)#password cisco
MS(config-line)#login
MS(config-line)#end
MS#copy run start

11.4.2.3.2 SSH

This SSH configuration is similar to the SSH configuration on the router. We also configure SSH on the other switches; the configuration is exactly the same on every switch.

MS#conf t
MS(config)#username adminssh password cisco
MS(config)#ip domain-name voip.fh.com
MS(config)#crypto key generate rsa
The name for the keys will be: MS.voip.fh.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

MS(config)#ip ssh time-out 60
MS(config)#ip ssh authentication-retries 3
MS(config)#line vty 0 4
MS(config-line)#transport input ssh
! without aaa new-model the vty lines need "login local" to use the local username
MS(config-line)#login local
MS(config-line)#end
MS#copy run start

We only want to accept SSH connections from our management VLAN. We configure this by making an access list and applying it inbound on the vty lines.


MS#conf t
MS(config)#access-list 23 permit 192.168.1.32 0.0.0.31
MS(config)#line vty 0 4
MS(config-line)#access-class 23 in
MS(config-line)#end
MS#copy run start

11.4.2.3.3 Interfaces between switches and router as a trunk

We need to put the interfaces between the switches, and between the switch and the router, in trunk mode for the VLANs to work. On the multilayer switch these are the interfaces fa 0/1 to fa 0/3; on the other switches it is interface fa 0/1.

MS#conf t
MS(config)#int range fa 0/1-3
MS(config-if-range)#switchport trunk encapsulation dot1q
MS(config-if-range)#switchport mode trunk
MS(config-if-range)#no shut
MS(config-if-range)#end
MS#copy run start

11.4.2.3.4 Configure VLANs

We configure the VLANs on the multilayer switch; after this is done we configure VTP so the other switches also receive the VLANs.

MS#conf t
MS(config)#vlan 32
MS(config-vlan)#name Management
MS(config-vlan)#exit
MS(config)#vlan 64
MS(config-vlan)#name Data
MS(config-vlan)#exit
MS(config)#vlan 96
MS(config-vlan)#name Voice
MS(config-vlan)#end
MS#copy run start

11.4.2.3.5 Configure VTP

We configure the VLAN Trunking Protocol (VTP): the multilayer switch is the VTP server and the other switches are VTP clients. The only thing you need to change in the following configuration is the VTP mode, from server to client.

MS#conf t
MS(config)#vtp mode server
Device mode already VTP SERVER.
MS(config)#vtp domain voicefh
Changing VTP domain name from NULL to voicefh
MS(config)#vtp password cisco
Setting device VLAN database password to cisco
MS(config)#end
MS#copy run start


11.4.2.3.6 Configure VLAN Interfaces

Here we put the correct interfaces in the correct VLANs. The interfaces fa 0/2 to fa 0/9 are in the Voice VLAN, the interfaces fa 0/10 to fa 0/19 in the Data VLAN. You need to change this for Switch 1, where the administrator is connected to the management VLAN (VLAN 32) on port fa 0/10.

S1#conf t
S1(config)#int range fa 0/2-9
S1(config-if-range)#switchport mode access
S1(config-if-range)#switchport access vlan 96
S1(config-if-range)#exit
S1(config)#int fa 0/10
S1(config-if)#switchport mode access
S1(config-if)#switchport access vlan 32
S1(config-if)#exit
S1(config)#int range fa 0/11-19
S1(config-if-range)#switchport mode access
S1(config-if-range)#switchport access vlan 64
S1(config-if-range)#end
S1#copy run start

11.4.2.3.7 STP portfast

We enable STP PortFast on all the interfaces that are configured as access interfaces, because when the IP phones boot, the port needs to come up quickly so that the phones boot faster.

S1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
S1(config)#int range fa 0/2-19
S1(config-if-range)#spanning-tree portfast
S1(config-if-range)#end
S1#copy run start


11.4.3 Configure Asterisk Server

Install Asterisk with the following command:

aptitude install asterisk

The important files can be found in:

Path                          | Description
/etc/asterisk/extensions.conf | What needs to be done?
/etc/asterisk/sip.conf        | Which phones are available?
/etc/asterisk/voicemail.conf  | Password to enter voicemail.
/var/log/asterisk             | Message (error) logs and CDR

I recommend that before you begin configuring the Asterisk server, you set the original configuration files aside.

This can be done with the following commands:

mv /etc/asterisk/sip.conf /etc/asterisk/sip.conf-original
mv /etc/asterisk/extensions.conf /etc/asterisk/extensions.conf-original
mv /etc/asterisk/voicemail.conf /etc/asterisk/voicemail.conf-original

11.4.3.1 sip.conf

In this file we configure which phones are available on the network, and some additional settings for Asterisk to work with. The configuration file looks as follows:

[general]
context=internal
allowguest=no
allowoverlap=no
bindport=5060
bindaddr=0.0.0.0
srvlookup=no
disallow=all
allow=ulaw
alwaysauthreject=yes
canreinvite=no
nat=yes
session-timers=refuse
localnet=192.168.1.32/255.255.255.224

[1001]
type=friend
host=dynamic
secret=grandstream
context=internal

[1002]
type=friend
host=dynamic
secret=grandstream
context=internal

[1003]
type=friend
host=dynamic
secret=grandstream
context=internal
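The settings in this file are exactly what the enumeration and interception attacks later in the lab go after, so it pays to check them mechanically. The following is an added example written for this report, not part of the report or of Asterisk: a small chan_sip parser and an audit that flags a missing `allowguest=no`, a missing `alwaysauthreject=yes`, short or letters-only secrets, peers that share one secret, and dynamic peers that are not pinned to a subnet with `deny`/`permit`. The sample is a constructed copy of the lab's sip.conf with the same peers and secrets; the 12 character minimum and the deny/permit recommendation are this example's own choices.

```python
from collections import defaultdict

# Constructed copy of the lab's sip.conf, with the same peers and secrets.
SAMPLE_SIP_CONF = """\
[general]
context=internal
allowguest=no
allowoverlap=no
bindport=5060
bindaddr=0.0.0.0
srvlookup=no
disallow=all
allow=ulaw
alwaysauthreject=yes
canreinvite=no
nat=yes
session-timers=refuse
localnet=192.168.1.32/255.255.255.224

[1001]
type=friend
host=dynamic
secret=grandstream
context=internal

[1002]
type=friend
host=dynamic
secret=grandstream
context=internal

[1003]
type=friend
host=dynamic
secret=grandstream
context=internal
"""


def parse_sip_conf(text):
    """Minimal chan_sip parser: {section: {key: [values in order]}}.
    ';' starts a comment; both 'key=value' and 'key => value' are accepted."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")]          # '[name](!)' templates keep 'name'
            sections.setdefault(current, defaultdict(list))
            continue
        if current is None or "=" not in line:
            continue
        separator = "=>" if "=>" in line else "="
        key, _, value = line.partition(separator)
        sections[current][key.strip()].append(value.strip())
    return sections


def _last(section, key, default):
    """Last value wins, as in Asterisk; compared case-insensitively."""
    return section.get(key, [default])[-1].lower()


def audit_sip_conf(text, min_secret_len=12):
    """Return a list of findings; an empty list means nothing was flagged."""
    cfg = parse_sip_conf(text)
    findings = []
    general = cfg.get("general", {})
    if _last(general, "allowguest", "yes") != "no":
        findings.append("general: allowguest is not 'no' (unauthenticated calls are accepted)")
    if _last(general, "alwaysauthreject", "no") != "yes":
        findings.append("general: alwaysauthreject is not 'yes' (a REGISTER scan can tell "
                        "existing extensions from unknown ones)")
    peers = {name: opts for name, opts in cfg.items()
             if name != "general" and "secret" in opts}
    by_secret = defaultdict(list)
    for name, opts in peers.items():
        secret = opts["secret"][-1]
        by_secret[secret].append(name)
        if len(secret) < min_secret_len or secret.isalpha():
            findings.append(f"{name}: secret is shorter than {min_secret_len} "
                            "characters or letters only")
        # Assumed hardening: a dynamic peer should be pinned to the voice
        # subnet with deny/permit so it cannot register from anywhere.
        if _last(opts, "host", "") == "dynamic" and "permit" not in opts:
            findings.append(f"{name}: dynamic peer without deny/permit, may register from any address")
    for secret, names in by_secret.items():
        if len(names) > 1:
            findings.append(f"peers {', '.join(sorted(names))} share one secret")
    return findings


if __name__ == "__main__":
    for finding in audit_sip_conf(SAMPLE_SIP_CONF):
        print(finding)
```

Run against the lab file it reports the shared `grandstream` secret and the unpinned peers; the two `[general]` settings pass, which is why the REGISTER scan in section 11.5.3 has to be fed a list of candidate extensions instead of learning them from the server's answers.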


11.4.3.2 extensions.conf

In this file we configure what the Asterisk server needs to do when a number is dialed. The configuration file looks as follows:

[internal]
exten => 1001,1,Answer()
exten => 1001,2,Dial(SIP/1001,60)
exten => 1001,3,Playback(vm-nobodyavail)
exten => 1001,4,VoiceMail(1001@main)
exten => 1001,5,Hangup()

exten => 1002,1,Answer()
exten => 1002,2,Dial(SIP/1002,60)
exten => 1002,3,Playback(vm-nobodyavail)
exten => 1002,4,VoiceMail(1002@main)
exten => 1002,5,Hangup()

exten => 1003,1,Answer()
exten => 1003,2,Dial(SIP/1003,60)
exten => 1003,3,Playback(vm-nobodyavail)
exten => 1003,4,VoiceMail(1003@main)
exten => 1003,5,Hangup()

exten => 8001,1,VoicemailMain(1001@main)
exten => 8001,2,Hangup()
exten => 8002,1,VoicemailMain(1002@main)
exten => 8002,2,Hangup()
exten => 8003,1,VoicemailMain(1003@main)
exten => 8003,2,Hangup()

11.4.3.3 voicemail.conf

In this file we configure a password for whoever wants to listen to his voicemail.

[main]
1001 => 123
1002 => 123
1003 => 123


11.4.4 Configure IP Phones

There is an HTTP server running on every phone. You can access this server by browsing to the IP address of the phone from the administrator's computer. The IP address that was given to the phone can be read on the phone itself.

You will get the following login screen if you go to the http server of the phone:

Figure 11-1 Startscreen http server Grandstream

You can log in to this phone with the default password, admin.

If you entered the correct password you can go to the configuration pages. The first configuration page that we fill in is the Account1 General Settings page.

We will need to fill in the following settings:

• Account Active: Yes
• Account Name: FH1001
• SIP Server: 10.0.0.2
• Sip User ID: 1001
• Authenticate ID: 1001
• Authenticate Password: grandstream
• Name: FH1001 <1001>


Figure 11-2 General Settings http server Grandstream

You need to fill in these settings on every phone. For the second phone adjust the settings to phone 1002, and likewise for phone 1003.

You can now try to call from one phone to the other phone.


11.5 Hacking

It is important to know how to hack your VoIP network, so you know where you need to secure your network. We will do the following hacks:

• SIP Scanning
• TFTP Enumeration
• VoIP Enumeration
• Interception Attack
• Denial of Service Attack

11.5.1 SIP Scanning

We perform the SIP scanning with the tool SiVuS; be sure to download SiVuS 1.10. This tool can be found at the following link: http://dl.dropbox.com/u/2939945/sivus-1.10.exe. But before we can use it, we need to perform a network scan to know which IP addresses we need to scan in order to find the IP phones. We use Nmap for this scan; this tool can be downloaded from: http://nmap.org/zenmap/.

When you start Nmap you need to fill in which subnet you would like to scan. We perform an intensive scan. The command we use for this is: nmap -T4 -A -v 192.168.1.0/24

We get the following result, where you can see all the devices; we will configure some security later on to make sure that the hacker cannot see the other devices. You can see that the devices 192.168.1.98 and 192.168.1.99 are not computers, so we can assume that these devices are the IP phones.

Figure 11-3 Nmap intense scan


With SiVuS, you need to fill in the correct subnet and then press Scan. You get the following screen:

Figure 11-4 SiVuS SIP Scan

You can see which IP phones are being used and on which port they are listening.

11.5.2 TFTP Enumeration

In order to perform TFTP enumeration you first need to find out whether the VoIP server’s TFTP port is open. We use Nmap to scan the server on port 69, which is TFTP.

Figure 11-5 TFTP Nmap Scan


As you can see, the TFTP port is closed, because the Grandstream phones do not use TFTP; they obtain their configuration from an HTTP server.

11.5.3 VoIP Enumeration

Now that we know where the VoIP server is located, we can perform an attack to find out which extensions are in use. We use SIPSCAN for this scan; this tool can be downloaded from: http://www.hackingvoip.com/tools/sipscan.msi.

You will need to fill in the following configurations:

• Target SIP Server: 10.0.0.2
• Target SIP Domain: 10.0.0.2
• Transport: UDP
• Port: 5060
• Check REGISTER Scan
• Check OPTIONS Scan
• Check INVITE Scan
• You need to change the Username/extensions file: you need to add the extensions that we are using. A real hacker would add many more extensions to this file, but we know which extensions we are searching for, so we can just add them to the file.
• You need to create the file somewhere else on your computer and then copy it to the folder where the original file is located, because you cannot create or change files in that folder.

Once all the settings are filled in, you can press Scan. You get the following screen:

Figure 11-6 SIPSCAN


11.5.4 Interception Attack

The purpose of the interception attack is to intercept the VoIP traffic and to replay the conversation. We perform this attack with Cain. Cain is a Windows tool that can be downloaded from: http://www.oxid.it/cain.html.

This attack will have the following steps:

• plug the hacker computer into a VoIP port
• do a network scan
• sniff the traffic
• replay the conversation

11.5.4.1 Get an IP address in the VoIP range

The DHCP server is configured so that it gives IP addresses to the VoIP phones. You can unplug a VoIP phone and plug the hacker's computer into that port. The computer then gets an IP address in the range 192.168.1.97/27.

11.5.4.2 Network Scan

In order to do a network scan, you will need to run the Cain application.

You will get the following screen when you start Cain:

Figure 11-7 Start screen Cain

The next step is to change the interface:

Figure 11-8 Change the interface in the Configuration Dialog


Now enable the sniffer and scan for MAC addresses:

Figure 11-9 Enable the sniffer and Scan MAC Addresses

To scan the MAC addresses, you will need to choose “All hosts in my subnet”.

Figure 11-10 Choose the hosts


You will get the following hosts:

Figure 11-11 Cain Hosts scan

The next step is to configure the ARP Poisoning: choose both phones and add them to the ARP Poisoning table:

Figure 11-12 Cain ARP Poison Routing


The table will look as follows:

Figure 11-13 Cain ARP Poisoning

Now you need to start the ARP Poisoning attack:

Figure 11-14 Cain ARP Poisoning

If you now make a call, the call will appear in the VoIP tab:

Figure 11-15 Cain ARP Poisoning


If you hang up the phone, the call entry is updated with more information about the call that was made.

Figure 11-16 Cain ARP Poisoning

You can now right-click on the call and play the conversation.

Figure 11-17 Cain ARP Poisoning

If everything went well, you will now hear your conversation.


11.6 Configure the Security

We will now address the problems shown by the attacks. We will configure security mechanisms so that these attacks are no longer possible.

11.6.1 Configure Router 1 ZBF

The configuration of a Zone-Based Firewall consists of a few steps:

• making the zones
• assigning the zones to the interfaces
• making class-maps
• making policy-maps
• making zone-pairs

11.6.1.1 Making the zones

We will make 5 zones:

• zone Voice
• zone InternalServers
• zone Management
• zone Data
• zone Outside

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#zone security Voice
R1(config-sec-zone)#exit
R1(config)#zone security InternalServers
R1(config-sec-zone)#exit
R1(config)#zone security Management
R1(config-sec-zone)#exit
R1(config)#zone security Data
R1(config-sec-zone)#exit
R1(config)#zone security Outside
R1(config-sec-zone)#exit
R1(config)#exit
R1#copy run start

11.6.1.2 Assign the zones to the interfaces

We need to assign the zones to the interfaces:

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int fa 0/0.32
R1(config-subif)#description This is the Management zone
R1(config-subif)#zone-member security Management
R1(config-subif)#exit
R1(config)#int fa 0/0.64
R1(config-subif)#description This is the Data zone
R1(config-subif)#zone-member security Data
R1(config-subif)#exit
R1(config)#int fa 0/0.96
R1(config-subif)#description This is the Voice zone
R1(config-subif)#zone-member security Voice
R1(config-subif)#exit
R1(config)#int fa 0/1
R1(config-if)#description This is the InternalServers zone
R1(config-if)#zone-member security InternalServers
R1(config-if)#end
R1#copy run start


11.6.1.3 Class-maps

We will make two class-maps: one for the SIP traffic and one for the Management traffic.

The following class-map is for the SIP traffic.

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#class-map type inspect match-any SIP_Class_Map
R1(config-cmap)#match protocol sip
R1(config-cmap)#end
R1#copy run start

The following class-map is for the Management traffic.

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#class-map type inspect match-any Everything_Class_Map
R1(config-cmap)#match protocol tcp
R1(config-cmap)#match protocol udp
R1(config-cmap)#match protocol http
R1(config-cmap)#match protocol https
R1(config-cmap)#match protocol ssh
R1(config-cmap)#match protocol telnet
R1(config-cmap)#match protocol icmp
R1(config-cmap)#end
R1#copy run start

11.6.1.4 Policy-maps

We will make two policy-maps: one for the SIP traffic and one for the Management traffic.

The following policy-map is for the SIP traffic.

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#policy-map type inspect SIP_Policy_Map
R1(config-pmap)#class type inspect SIP_Class_Map
R1(config-pmap-c)#inspect
R1(config-pmap-c)#exit
R1(config-pmap)#end
R1#copy run start

The following policy-map is for the Management traffic.

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#policy-map type inspect Everything_Policy_Map
R1(config-pmap)#class type inspect Everything_Class_Map
R1(config-pmap-c)#inspect
R1(config-pmap-c)#exit
R1(config-pmap)#end
R1#copy run start


11.6.1.5 Intercept Protocol-Violation SIP

Because of a bug in the Zone-Based Firewall SIP inspection, we need to configure another class-map and policy-map to intercept these protocol violations.

11.6.1.5.1 Class Map

The class-map matches the SIP protocol violations.

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#class-map type inspect sip match-any SIP_VIOLATION_CLASS
R1(config-cmap)#match protocol-violation
R1(config-cmap)#end
R1#copy run start

11.6.1.5.2 Policy Map

We will make another policy-map that uses the SIP_VIOLATION_CLASS.

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#policy-map type inspect sip SIP_VIOLATION_POLICY
R1(config-pmap)#class type inspect sip SIP_VIOLATION_CLASS
R1(config-pmap-c)#allow
R1(config-pmap-c)#end
R1#copy run start

11.6.1.5.3 Service Policy

We add this policy-map to the original SIP_Policy_Map so that it is applied in the correct zone-pairs.

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#policy-map type inspect SIP_Policy_Map
R1(config-pmap)#class type inspect SIP_Class_Map
R1(config-pmap-c)#inspect
R1(config-pmap-c)#service-policy sip SIP_VIOLATION_POLICY
R1(config-pmap-c)#class class-default
R1(config-pmap-c)#drop
R1(config-pmap-c)#end
R1#copy run start

11.6.1.6 Zone-pairs

Now we will configure the zone-pairs; we need 6 zone-pairs:

• from Voice to InternalServers
• from InternalServers to Voice
• from Management to InternalServers
• from Management to Data
• from Management to Voice
• from Management to Outside

R1#conf t
R1(config)#zone-pair security internalservers-to-voice source InternalServers destination Voice
R1(config-sec-zone-pair)#service-policy type inspect SIP_Policy_Map
R1(config-sec-zone-pair)#zone-pair security management-to-internalservers source Management destination InternalServers
R1(config-sec-zone-pair)#service-policy type inspect Everything_Policy_Map
R1(config-sec-zone-pair)#zone-pair security management-to-voice source Management destination Voice
R1(config-sec-zone-pair)#service-policy type inspect Everything_Policy_Map


R1(config-sec-zone-pair)#zone-pair security management-to-data source Management destination Data
R1(config-sec-zone-pair)#service-policy type inspect Everything_Policy_Map
R1(config-sec-zone-pair)#zone-pair security management-to-outside source Management destination Outside
R1(config-sec-zone-pair)#service-policy type inspect Everything_Policy_Map
R1(config-sec-zone-pair)#end
R1#copy run start

11.6.1.7 Conclusion

It is no longer possible to go from one VLAN to another; only the administrator, who is in the Management VLAN, can ping all the devices on the network.

It is still possible to perform an ARP Poisoning attack; this will be solved with the following security implementations.
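To make the effect of the zone-pairs concrete, the following is an added example (not code from the report) that models the zones, class-maps, policy-maps and the six zone-pairs listed above in Python and evaluates which flows R1 now permits. The flow representation, the session table and the example flows are assumptions made for the illustration; the zone and policy names are the ones configured on R1.

```python
"""Added example: the Zone-Based Firewall policy from section 11.6.1 modelled
in Python (not code from the report)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# 11.6.1.2: interface -> zone.
INTERFACE_ZONES = {
    "FastEthernet0/0.32": "Management",
    "FastEthernet0/0.64": "Data",
    "FastEthernet0/0.96": "Voice",
    "FastEthernet0/1": "InternalServers",
}

# 11.6.1.3: class-maps (match-any), expressed as the protocol names they match.
CLASS_MAPS: Dict[str, Set[str]] = {
    "SIP_Class_Map": {"sip"},
    "Everything_Class_Map": {"tcp", "udp", "http", "https", "ssh", "telnet", "icmp"},
}

# 11.6.1.4: policy-map -> class-map whose traffic is inspected; class-default drops.
POLICY_MAPS = {
    "SIP_Policy_Map": "SIP_Class_Map",
    "Everything_Policy_Map": "Everything_Class_Map",
}

# 11.6.1.6: the six zone-pairs listed in the report, (source, destination) -> policy-map.
ZONE_PAIRS: Dict[Tuple[str, str], str] = {
    ("Voice", "InternalServers"): "SIP_Policy_Map",
    ("InternalServers", "Voice"): "SIP_Policy_Map",
    ("Management", "InternalServers"): "Everything_Policy_Map",
    ("Management", "Data"): "Everything_Policy_Map",
    ("Management", "Voice"): "Everything_Policy_Map",
    ("Management", "Outside"): "Everything_Policy_Map",
}


@dataclass(frozen=True)
class Flow:
    """First packet of a flow: where it enters, where it leaves, what it is (assumed model)."""
    src_zone: str
    dst_zone: str
    app: str        # application protocol as the ZBF classifies it (sip, http, ...)
    transport: str  # tcp, udp or icmp


class ZoneBasedFirewall:
    def __init__(self) -> None:
        # Sessions created by "inspect"; the return direction of these is allowed.
        self.sessions: Set[Tuple[str, str, str, str]] = set()

    def permit(self, flow: Flow) -> Tuple[bool, str]:
        """Decide a flow the way the ZBF does and record inspected sessions."""
        if flow.src_zone == flow.dst_zone:
            return True, "intra-zone traffic is not subject to zone-pair policies"
        reverse = (flow.dst_zone, flow.src_zone, flow.app, flow.transport)
        if reverse in self.sessions:
            return True, "return traffic of an inspected session"
        policy = ZONE_PAIRS.get((flow.src_zone, flow.dst_zone))
        if policy is None:
            return False, "no zone-pair: implicit drop between zones"
        matched = CLASS_MAPS[POLICY_MAPS[policy]]
        if flow.app in matched or flow.transport in matched:
            self.sessions.add((flow.src_zone, flow.dst_zone, flow.app, flow.transport))
            return True, "inspected by " + policy
        return False, "class-default of " + policy + ": drop"


def zone_of(interface: str) -> Optional[str]:
    """Zone an ingress interface belongs to, or None if it is in no zone."""
    return INTERFACE_ZONES.get(interface)


def demo():
    """Walk through the flows the conclusion of 11.6.1 talks about (constructed)."""
    fw = ZoneBasedFirewall()
    checks = [
        ("phone registers with Asterisk", Flow("Voice", "InternalServers", "sip", "udp")),
        ("phone browses the server", Flow("Voice", "InternalServers", "http", "tcp")),
        ("data host probes a phone", Flow("Data", "Voice", "sip", "udp")),
        ("phone pings the admin first", Flow("Voice", "Management", "icmp", "icmp")),
        ("admin pings the phone", Flow("Management", "Voice", "icmp", "icmp")),
        ("phone answers the admin's ping", Flow("Voice", "Management", "icmp", "icmp")),
    ]
    return [(label,) + fw.permit(flow) for label, flow in checks]


if __name__ == "__main__":
    for label, allowed, reason in demo():
        print(("PERMIT" if allowed else "DROP  ") + "  " + label + "  (" + reason + ")")
```

The fourth and sixth checks differ only in ordering: the phone cannot reach the Management zone on its own, but the reply to the administrator's inspected ping is allowed back.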


11.6.2 Configure IP DHCP Snooping

IP DHCP Snooping will be used so that there cannot be any rogue DHCP servers on the network.

We will configure this on all switches; the steps are:

• enable IP DHCP snooping for the VLANs
• put the trunk interfaces into trust state

MS#conf t
MS(config)#ip dhcp snooping vlan 32,64,96
MS(config)#in range fastEthernet 0/1-3
MS(config-if-range)#ip dhcp snooping trust
MS(config-if-range)#end
MS#copy run start

We will also need to configure the router so that it trusts the DHCP relay information:

R1#conf t
R1(config)#ip dhcp relay information trust-all
R1(config)#end
R1#copy run start

We will need to add the administrator's host manually to the DHCP snooping database, because this host does not obtain its IP address via DHCP.

We will set the expiry time to infinite.

S1#ip dhcp snooping binding 24B6.FD4E.6FBF vlan 32 192.168.1.40 interface fastEthernet 0/10 expiry 4294967295

The last thing we need to do is back up the DHCP snooping database to the flash memory, so that the manually added hosts are not lost if the switch reboots. This needs to be done on all the switches.

S1#conf t
S1(config)#ip dhcp snooping database flash:dhcp
S1(config)#end
S1#copy run start

If you want to display your DHCP snooping database, you can use the following command:

S1#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
D8:D3:85:75:B6:03   192.168.1.66     83856       dhcp-snooping  64    FastEthernet0/11
24:B6:FD:4E:6F:BF   192.168.1.40     infinite    dhcp-snooping  32    FastEthernet0/10
00:0B:82:5A:7A:E3   192.168.1.98     85747       dhcp-snooping  96    FastEthernet0/6
Total number of bindings: 3

11.6.3 Configure Dynamic ARP Inspection

Dynamic ARP Inspection makes sure that it is no longer possible to perform an ARP poisoning attack.

We will use the DHCP snooping database as the list of valid hosts. The configuration is similar to the configuration of IP DHCP snooping.

MS#conf t
MS(config)#ip arp inspection vlan 32,64,96
MS(config)#in range fastEthernet 0/1-3
MS(config-if-range)#ip arp inspection trust
MS(config-if-range)#end
MS#copy run start


11.6.4 Configure IP Source Guard

IP Source Guard makes sure that no host can forge its IP address.

We need to configure port security in order to enable IP Source Guard; we will configure this on all the access interfaces of the switches.

S1#conf t
S1(config)#int range fa 0/2-19
S1(config-if-range)#switchport port-security
S1(config-if-range)#switchport port-security max 5
S1(config-if-range)#ip verify source port-security
S1(config-if-range)#end
S1#copy run start
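The following added example (not code from the report) shows why the DHCP snooping database of 11.6.2 is what makes both Dynamic ARP Inspection (11.6.3) and IP Source Guard (11.6.4) work: it parses the binding table shown above and applies the two checks to constructed packets. The trusted interfaces are assumed to be the same FastEthernet0/1-3 trunk range the report trusts on MS, and the attacker's MAC address and port are constructed values.

```python
"""Added example: DHCP snooping bindings, Dynamic ARP Inspection and IP Source
Guard modelled in Python (not code from the report)."""
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# The "sh ip dhcp snooping binding" output from section 11.6.2.
BINDING_TABLE = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
D8:D3:85:75:B6:03   192.168.1.66     83856       dhcp-snooping  64    FastEthernet0/11
24:B6:FD:4E:6F:BF   192.168.1.40     infinite    dhcp-snooping  32    FastEthernet0/10
00:0B:82:5A:7A:E3   192.168.1.98     85747       dhcp-snooping  96    FastEthernet0/6
Total number of bindings: 3
"""

# VLANs where snooping/DAI are enabled, and the uplinks marked "trust" (assumed
# to be the same FastEthernet0/1-3 range the report configures on MS).
INSPECTED_VLANS = {32, 64, 96}
TRUSTED_INTERFACES = {"FastEthernet0/1", "FastEthernet0/2", "FastEthernet0/3"}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class Packet:
    """The fields DAI (for ARP) and IP Source Guard (for IP) actually look at."""
    ingress: str
    vlan: int
    src_mac: str
    src_ip: str


_BINDING_RE = re.compile(
    r"^([0-9A-F:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+\S+\s+(\d+)\s+(\S+)$", re.I
)


def parse_bindings(text: str) -> Dict[str, Binding]:
    """Parse the binding table into a dict keyed by upper-case MAC address."""
    bindings: Dict[str, Binding] = {}
    for line in text.splitlines():
        m = _BINDING_RE.match(line.strip())
        if m:  # header, separator and "Total" lines do not match
            mac, ip, vlan, iface = m.groups()
            bindings[mac.upper()] = Binding(mac.upper(), ip, int(vlan), iface)
    return bindings


def dai_check(pkt: Packet, bindings: Dict[str, Binding]) -> Tuple[str, str]:
    """Dynamic ARP Inspection: the ARP sender MAC/IP must match a binding on this port."""
    if pkt.vlan not in INSPECTED_VLANS:
        return "permit", "VLAN not inspected"
    if pkt.ingress in TRUSTED_INTERFACES:
        return "permit", "trusted (trunk) interface"
    b = bindings.get(pkt.src_mac.upper())
    if b is None:
        return "drop", "no DHCP snooping binding for sender MAC"
    if (b.ip, b.vlan, b.interface) != (pkt.src_ip, pkt.vlan, pkt.ingress):
        return "drop", "sender IP/VLAN/port do not match the binding"
    return "permit", "matches binding"


def ipsg_check(pkt: Packet, bindings: Dict[str, Binding]) -> Tuple[str, str]:
    """IP Source Guard with port-security: source IP and MAC must be bound to the port."""
    if pkt.ingress in TRUSTED_INTERFACES:
        return "permit", "trusted (trunk) interface"
    for b in bindings.values():
        if (b.interface, b.vlan, b.ip, b.mac) == (
            pkt.ingress, pkt.vlan, pkt.src_ip, pkt.src_mac.upper()
        ):
            return "permit", "matches binding"
    return "drop", "source IP/MAC not bound to this port"


def demo() -> Dict[str, Tuple[str, str]]:
    """Run the checks on the real phone and on two constructed spoofing packets."""
    bindings = parse_bindings(BINDING_TABLE)
    phone = Packet("FastEthernet0/6", 96, "00:0B:82:5A:7A:E3", "192.168.1.98")
    # Constructed: a host on another VoIP port answering ARP with the phone's IP.
    poison = Packet("FastEthernet0/7", 96, "02:00:00:00:00:99", "192.168.1.98")
    # Constructed: an IP packet from the phone port carrying the admin's source IP.
    spoof_ip = Packet("FastEthernet0/6", 96, "00:0B:82:5A:7A:E3", "192.168.1.40")
    return {
        "phone_arp": dai_check(phone, bindings),
        "poison_arp": dai_check(poison, bindings),
        "phone_ip": ipsg_check(phone, bindings),
        "spoofed_ip": ipsg_check(spoof_ip, bindings),
    }


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(name.ljust(12) + verdict.ljust(8) + reason)
```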

11.6.5 Configure Router 1 IOS IPS

We will configure the IPS on router 1.

The following steps are needed to configure the IPS:

• make an ipsdir directory in flash
• configure the public key of Cisco
• enable SDEE
• configure the ipsdir as the configuration location of the IPS
• choose which signatures to use in the IPS

11.6.5.1 Make the ipsdir directory

We will make a directory on the flash memory of the router that will be used for the IPS.

R1#mkdir ipsdir

11.6.5.2 Configure the IPS Crypto Key

Next we need to configure the public key from Cisco; this can be done by copying and pasting the following onto the router:

crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
   00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
   17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
   B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
   5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
   FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
   50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
   006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
   2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
   F3020301 0001
  quit

11.6.5.3 Enable SDEE

The Cisco Security Device Event Exchange (SDEE) is an intrusion detection system alert format and transport protocol. To use SDEE, you need to enable the HTTP server on the router.

R1#conf t
R1(config)#ip ips name iosips
R1(config)#ip ips config location flash:ipsdir
R1(config)#ip http server
R1(config)#ip ips notify sdee
R1(config)#ip ips notify log
R1(config)#exit


11.6.5.4 Set the clock to give the log messages a good timestamp

With the following commands you set the clock of the router and configure the router to add timestamps to the log messages.

R1#clock set 09:10:00 14 may 2014
R1#conf t
R1(config)#service timestamps log datetime msec

With the following command you make sure that the log messages are sent to the administrator's computer.

R1(config)#logging 192.168.1.40

You can download the tool tftpd32 to receive these messages on the computer. This tool can be downloaded from: http://tftpd32.jounin.net.

11.6.5.5 Configuring the signatures

With the following commands you configure the signatures on the router. We will not enable all the signatures, because the router would have too much difficulty checking all of them.

R1(config)#ip ips signature-category
R1(config-ips-category)#category all
R1(config-ips-category-action)#retired true
R1(config-ips-category-action)#exit
R1(config-ips-category)#category ios_ips basic
R1(config-ips-category-action)#retired false
R1(config-ips-category-action)#exit
R1(config-ips-category)#exit
Do you want to accept these changes? [confirm] <Enter>
R1#copy run start

11.6.5.6 Deliver the IPS signature package to the router

In order to deliver this package to the router, we will install a TFTP server on the administrator's computer. The TFTP server that we will use is tftpd32 and can be downloaded from http://tftpd32.jounin.net.

First it is important that the router and the administrator's computer can reach each other, so ping from the router to the administrator's computer.

If that succeeds, open the tftpd32 application, set it to the correct interface and change the directory to the one where the signature package is located.

Once this is done, use the following command on the router to start the TFTP transfer:

R1# copy tftp://192.168.1.40/<name of signature package> idconf

You can use two commands to check whether everything went successfully. The following command shows the contents of ipsdir.

R1# dir flash:ipsdir

The following command will show the installed signatures.

R1# show ip ips signature count


12 Conclusion

Configuring an Asterisk server so that phones can call each other is not so difficult, but the result is also not very secure. So it is very important, when you configure a VoIP network, that you put enough security measures in place so that no one can hack into your VoIP network, server or phones.

What hackers could do if they have access to your phones is place calls from the phones to external premium-rate phone numbers. These premium-rate numbers are also owned by the hackers, and in that way they can extract a lot of money from your company by hacking into the VoIP network.


Project 3: Reporting for Cisco NetAcad

1 Blog Posts

1.1 First Blog post: Introduction of the NetAcad Team

The NetAcad Team

May 3, 2014 9:00 am

Cisco Networking Academy #netacad at Wingsforlifeworldrun #worldrun

The NetAcad Team, invited to come behind the scenes at the World Run, arrived in the Global Race Control Center in the middle of Austria and right away immersed themselves in speaking with tech experts to understand how such an event can develop from an idea into reality. Here are our team members and a very brief introduction.

Ivica Vugrinec

is an alumnus of the University of Zagreb Faculty of Organization and Informatics and is now studying for his CCNP at the Cisco Networking Academy NetAkademija. He is also the National NetRiders Winner 2013 of Croatia.

Kevin Van Ryckegem

is from Brussels, studied Networking Technology and Programming at University College of Brussels (HUB) and is doing his internship at the University of Applied Sciences in Salzburg.

Nathan Boone

is also from Brussels and from the same university. Kevin and Nathan became good friends in Salzburg. Both of them are interested in working with people from different countries because of the different points of view when working on one task.


Felix Hartung

is from Vienna and graduated two years ago from the Higher Technical School HTL Rennweg in Vienna, which is part of the Networking Academy Program. He competed for Austria in WorldSkills 2014 in Leipzig last year and is passionate about networking and technology as such. His international experience inspired him to want to be part of the NetAcad Team at the Wings For Life World Run.

Maximilian Lehrbaum

is the youngest in the team and attends the Networking Academy at HTL Ungargasse in Vienna. Due to his family situation he has already lived in Austria, Germany, the US and India, which made him see things a bit differently than others.

Here is a video introduction of our team.

In the short time the team has been together at this event, it is already clear to me that all of them are self-motivated young people, highly interested in what they do, doing it because they like to do it and not because it is their work.

In a time when geographical flexibility is becoming more and more important in the IT industry and many companies work across different countries, the experience we now have at the Wings for Life World Run, communicating with 33 countries in 34 locations to get all of the locations to act at the same point in time, is just THE best preparation for work environments that are becoming more global every day.

You will hear more from and about every one of them during the next 24 – 36 hours.

Stay Tuned !


1.2 Second Blog post: About the event

50.000 people running in one race

May 3, 2014 3:34 pm

@CiscoNetAcad at Wingsforlifeworldrun #worldrun

The idea for a World Run started with this: I want to be able to run a race at the same time as my cousin in Canada. Seven years later, the Wings for Life Foundation was born and needed an idea of how to raise awareness around the globe.

General information

The event will be live all over the world and will start at 10:00 UTC. So it will be 12:00 in Austria.

The locations are all over the world, so during the run – depending on where you are – it will be cold, very hot, sunny, raining or snowing, or you will be in complete darkness when you start. The tracks are 100 km long.

The catcher car (actually two, for redundancy reasons) will start 30 minutes after the runners, at 15 km/h, accelerating to 35 km/h at the end of the track. After the catcher car passes a runner, the run is over for him or her – it is the moving finish line.

The cars all over the world are different models but have the same equipment in them. They are tracked via GPS and are not accelerated automatically – a display tells the drivers to accelerate or brake. The tracking system is an RFID chip integrated into the race bib of the runners.

About 50% of the athletes are expected to be passed by the catcher car within the first 20 km – so they are close to the start. There will be a bus shuttle system that brings runners back to the start.

After the catcher car there is a so-called speaker car – it will tell the runners “yeah <name>, you did more than 25 km – great job!” (The catcher car passes the ID of the athlete to the speaker car.) Why? Because there is a moving finish line and therefore no friends and family can receive and congratulate you.

The national winner is the last male and female running in every country. There will be a male and female global winner.

About 200 people are in the global race control center working together to make this event happen. About 150 of them work only on publishing media – Facebook – radio – website – TV.

Let us know if you have any questions about the technical implementation of the run for more than 50.000 people, data collected and coming in from 33 countries and 34 locations worldwide …


1.3 Third Blog post: Upclose Personal interview

Nathan Boone: Upclose Personal

May 3, 2014 9:34 pm

#NetAcad Team at Wings for Life #worldrun

Name: Nathan Boone

Age: 20

Where do you live? Brussels Belgium, currently doing my internship in Salzburg

Education: University College Brussels

Graduated: 2014

What languages do you speak? Dutch: Native Speaker, English: Excellent, French: Good, German: Fair

Hello, I am Nathan Boone. I live in Belgium and I am currently doing my internship at the Fachhochschule Salzburg University of Applied Sciences in Salzburg.

I had the great opportunity to be part of the Cisco NetAcad team that will be reporting live from the Wings for Life Race Control Centre. This race is a beautiful initiative of the Wings for Life Foundation. I really like the idea that there are over 50 000 people all over the world running together to collect money for this foundation. The foundation will do spinal cord research with all the money that is collected. The thing I like most is that all the collected money goes directly to the foundation.

I am studying Networking and Network Security, so I am very interested in how all the networking and network security works at this event. Felix Hartung and I had a great conversation with Bas Sanders, the CEO of Com1, which is providing the internal network of the Race Control Center. I really liked talking with him because he is an interesting man with a lot of knowledge. We learned a lot about the networking and network security and we will be blogging about these subjects later on.

How did you find your interest for Networking?

I found my interest in networking when I was studying Informatics Technology at the university in Brussels and learned that it is really interesting. It is a technology that keeps growing. I don't like doing the same thing all day long, and networking is never the same: you can always learn new things and implement them in the environment where you are working.

Why do you like it and wanted to learn about it?

I find this interesting because it is developing and changing all the time. More and more different networks are merging with IP networks. First there were a lot of independent phone networks, but now many of these phone networks are being merged into VoIP networks. Another example is live pro sound: in this environment they use more and more IP networks to configure and monitor their devices.


Do you want to work in this profession?

Yes, I would like to work with IP networking; I am not sure yet in which environment I would like to work. When I interviewed the person responsible for the network in the Wings for Life World Run Control Center, I was surprised at how they did this. This made me interested in working in this kind of environment, because all the people working here are really motivated and they all like their job.

How do you study and learn?

I study most of the time by buying books about the subjects I want to know more about; I can study better from a book than from a computer screen. But when I don't find something in the books I have, I search on the internet until I find what I need.

How do you motivate yourself?

When I have a hard time studying, or working, I listen to some music. It relaxes me and motivates me to keep on studying.

Why are you interested in connecting and working with people from different countries and backgrounds in an international team?

Because people from all over the world all have different interests and different points of view. You can learn a lot by just talking about their experiences and how they look at different subjects.

What are your hobbies?

My hobbies are jogging, tennis, and listening to music.

What are your goals?

The goal I have as a student is to successfully finish my Internship in the Fachhochschule Salzburg. And after this, to get my certification for CCNA Security.

My goal in life is to be able to travel a lot and to see the world.

Who are the persons who support you most? What did they help you to achieve?

My family, by giving me the opportunity to do my internship in a foreign country. My girlfriend and my friends, by supporting me in every decision I take. My teachers in Belgium, who got me really interested in networking.

What was the wisest thing anyone ever told you and what did it lead to?

If something does not go well, you just need to keep practicing, keep trying and in the end everything is going to be alright.

What was your best trip and why?

I didn't really have one best trip, but there are two trips that were really good.

One of them was the trip with my family and another family to Senegal in Africa. I had a great time there and I really enjoyed getting to know another culture.

The second one is the trip for the internship that I am doing now. Salzburg is a great city to study and learn.


Have you ever done volunteer work?

Yes, the volunteer work that I do is being a monitor on the playground for young children (from 3.5 to 12 years old). I do this volunteer work every summer vacation if I have the time.

Have you ever cooked a meal (by yourself) for more than 20 people?

Yes, I organized a birthday party for my brother and I cooked all the hamburgers on the barbecue; we were around 20 people or more.

How do you look at failure or mistakes and is this how the society in your home country or work culture looks at it?

You need to make mistakes and have failures in order to learn something. I think my country has the same vision around this subject as I do.

Can you share a festival or tradition of your family that you really enjoy?

Every Wednesday we eat with all the family together at my grandma’s house.

What kind of activity are you doing to relax?

I listen to music or I go jogging.

How do you react if something is done differently to the way you are used to?

I will ask the people who did it, why and how they did it. And if I understand why they did it, I can learn from them.

If you would like to stay in touch, I have a Facebook and a LinkedIn account.


1.4 Fourth Blog post: Technical challenges of the event

Technical challenges Wings for Life World Run 2014

May 4, 2014 12:26 pm

Felix and Nathan from #netacad Team at #worldrun

How does the Wings for Life World Run team master all the technical challenges of such a huge event?

Basically, all the competing countries use a satellite uplink to send one HD video stream from wherever they are in the world to Spielberg, Austria. So there are a lot of antennas outside the Wings for Life World Run Control Center.

All those antennas are connected with a fiber channel link to the main datacenter. The datacenter is set up in a racing-car garage box, which looks like the picture on the right side. In the background you can see the network and system administrators sitting and observing/managing the network. On the right side are the racks that contain a big part of the network and the storage used for all the video streams.

Let’s take a closer look at the datacenter setup.

Figure 1-1Global Race Control Center – Datacenter


In the first rack there are all the administration / control parts of the setup.

As you can see in the second rack, it contains a lot of the networking devices and also the storage arrays.

The third rack contains a lot of video calculation power and the fourth rack has a lot of ASIC components which are decoding the incoming HD video streams and storing them onto the storage arrays.

@Network Redundancy - The whole setup is redundant – which means they have two 500 Mbit/s synchronous Internet connections. One connection leaves the building in the opposite direction from the other. The Internet connection is used for social media, webpages, small clips and media purposes. The main TV stream is NOT transferred via this connection.

There is 7.4 km of copper cable used at the Global Race Control Center and there are over 700 switch ports in use for copper/fiber.

When we take a look behind the datacenter in the picture above, we have the view seen in the picture on the right side.

Figure 1-2 Global Race Control Center – Datacenter view

Figure 1-3 Global Race Control Center – 7.4 km of copper cable


@34 HD Streams - the satellite antennas terminate here in the datacenter; the video is decoded directly by hardware ASIC components in the fourth rack and then transmitted to the storage arrays. The streams are MPEG encoded with strong compression, but with almost no quality loss. The traffic produced is about 15 Mbit/s per stream, so we estimate the permanent incoming traffic on the satellite connections at about 550 Mbit/s. Uncompressed, each video stream is about 50 Mbit/s, hence about 220 MByte/s in total.

@Storage – there are 8 x 50 TB storage arrays. The overall storage is 400 TB only for storing the 34 HD Video streams from all over the world and cutting them locally to produce small clips. The storage arrays are redundantly connected to the system.

@Video Cutting Performance - There are several servers. We received the information that the servers have an Intel 8 x 3.6 GHz processor and about 48 GB RAM. With this data, and taking Hyper-Threading into account, we estimate an overall x86_64 CPU speed of 700 GHz and 600 GB RAM. Those servers are used for cutting the streams together, both in real time and offline.

@Video Cutting Workstations – the video cutting of all those streams is performed via a thin-client-like architecture. The workstations used for that are connected to the datacenter via 1 Gbit/s fiber. Several servers are used to calculate and encode all those streams.

@Backup - They do not host a second datacenter like this, but all the streams have a decentralized backup in every country. There is enough redundancy in this setup.

@Connection lost?

What happens when the connection to a certain country or car is lost? There is local storage in every car which stores all the recorded video. When the transmission stops for some reason and is later resumed, the earlier video is not sent to the datacenter – only the current live stream. The other video can be used after the event, when it is transferred from the local storage. It is the same with the video stream that is uploaded from the country to the satellite. The technology used to transmit the HD streams locally is Digital Video Broadcasting (DVB). There is a minimum of 6-8 hops before you can see the video at home.

What we found out only describes the setup in the datacenter. There is also a huge truck where the live-stream director/producer is sitting. They have local video calculation power but they also rely on the storage in the datacenter.

For further questions, write us an e-mail to [email protected]

Figure 1-4 Data Center satellite antenna park


1.5 Fifth Blog post: How did it all start

Lesson in Passion

May 4, 2014 4:30 pm

@CiscoNetAcad at Wingsforlifeworldrun #worldrun

Interview with Sigurd Meiche

How did it all start?

We're constantly looking for new ways to engage with consumers, so new ideas are always on my mind. While waiting for a plane connection at Moscow airport, I talked with a friend about doing something with running. We didn't want to copy anything existing. Our strength is that we have knowledge about organizing runs in Austria, and our colleagues around the globe know how to organize events in their countries. The main idea was: doing a run in different places of the world at the same time.

When I came back home, I typed some notes in my office about this idea. Unfortunately my energetic presentation did not help and the idea was not adopted further.

Years later, we were looking for how we could raise awareness on a global scale for the Wings for Life Foundation. That is when my idea had its comeback. We wanted to create an event that has a meaning, that engages as many people as possible. We wanted to create an asset for people, rather than just asking for money as a charity. Doing something together for a cause is much more than a charity.

Running is the biggest sport, everybody runs. It’s the most simple form of movement everyone can do. It connects us all.

The great thing about this is also: We know where we are now, where we start but we don’t know where we end up.

How did you get the project running?

Bringing everybody to one table to talk about the idea. This is the best thing you can do to get the project running.

Why do the races have to start at the same time?

That the races start at the same time is the most important part of this project. It makes this unique. We wanted to create something that we can actually do together at the same point in time. This is the uniqueness of the project – we can all do something together at the same time. The global winner will have been better than more than 50 000 people.

Do you think it’s fair that people run in different weather and time conditions?

During the preparation for this I learned that the best condition for each runner is different because the biorhythm of everybody is different. In India it is 40°C hot, but the people there are more used to this. The beauty in this race is that you can really choose where you would like to run. Early in the morning, in cold or hot weather. This is what professional runners do and the runners had a lot of runner-specific questions.

Another beauty of this event is that winning does not only depend on your own performance but also on the performance of others.

Do you expect more runs in the future?

Yes, in the future we expect many more runs. We would like to have more runs so that more people can easily come to a run instead of having to travel far to take part in a run.

Come and join us on May 3rd, 2015 !

Thank you, Sigurd, for the time to speak to us and your passionate explanation of how the Wings for Life World Run was created.


1.6 Sixth Blog post: Reflection on my time at the event … it became more and more interesting

May 6, 2014 1:50 pm / Leave a comment

#NetAcad taking part in the Wingsforlifeworldrun #worldrun

I am Nathan, I was one of the five persons of the Cisco Network Academy team who reported from the Wings For Life World Control Center in Spielberg. I blogged, twittered and facebooked about all the technical things that were happening behind the scenes.

When I got the first e-mail from Dominik Engel, who is my coordinator at the Fachhochschule in Salzburg, I had no idea what exactly I would need to do for the Cisco Networking Academy at the Wings for Life World Run Global Control Center. But after some research on this event, I knew it would be really great to participate. I immediately answered him that I was interested in participating. When he brought me in contact with Jutta Jerlich from Cisco, she explained to me what exactly our tasks were at the event and it became more and more interesting.

Our Cisco NetAcad team consisted of people from all over the world: Kevin and I are from Belgium, Felix and Maximilian are from Austria and Ivica is from Croatia. Kevin, Maximilian and I are students; Felix and Ivica are already working. So we had people from different backgrounds and different countries in our team. This was exciting because everyone had a different point of view and a different way of working.

It was a great experience for us to be part of this event because we had three perspectives on the whole event: we were following the livestream on our computers, we were also interviewing the people who made this event possible, and our office was in the middle of the Global Race Control Center, so we could see how the professionals reacted to problems and how they solved them.

What I noticed about the crew working at the Global Race Control Center is their motivation and commitment to make this event successful. We could ask any question to anyone, they always answered our questions. I learned a lot during this event.

Participating in this event meant a lot to me. I am more motivated to keep on learning about networks and everything around this subject. It was very interesting to talk with the people who made the network for the event.

Designing and configuring a network for an event is very different from making a network for a company. When you design the network of a company, you can first investigate the needs of the company, and you are almost sure that while you are implementing your network, you will have enough devices, switchports, cables, etc. But if you make a network for an event, this is all different. You will need to rely on the meetings you had with the organization to know what is needed for the event. But when you get to the event location, everything can change. This is what happened at the Global Race Control Center. They had been working on designing the network for one week. But when they got to the event, they needed extra switchports and extra devices, so they worked for 2 more days at the event to meet all needs.

The way we let the world know about our findings was also really interesting: I learned how to write good blog posts and how to tweet. Before this event I had never tweeted. The communication with the Cisco Networking Academy was fluent and it was great that they helped us share all our findings on their global Facebook and Twitter pages. Noticing that the things that my teammates and I wrote got shared all over the internet was really special.

It was great being a part of this big event. It was an indescribable feeling when we were in the room with the staff and saw on the 34 screens that all the participants all over the world started running at the same time. You could feel the joy and the happiness in the air.

Next year the Wings for Life World Run will be organized again and it would be great to participate again.


2 Twitter posts

I worked together with Felix Hartung to make the tweets. Felix put them all together on his Twitter account.


3 How many views for the Wings for Life World Run Social Networking

In this table you will see how many times each post has been liked or retweeted. The integrated platforms are Twitter, Facebook, LinkedIn and Google Plus.


Project 4: Open House

1 VoIP network topology

In order to explain to the students what is happening behind the scenes, we made a simple network topology:


GNS3

1 Explanation

GNS3 is open source software that simulates complex networks while staying as close as possible to the way real networks perform, all without dedicated network hardware such as routers and switches.

GNS3 uses emulators to run the same operating systems as they would run on real networking devices. The emulators that GNS3 uses are:

• Dynamips: a Cisco IOS emulator
• VirtualBox: runs desktop and server operating systems
• Qemu: a Cisco ASA, PIX and IPS emulator

There is a big difference between GNS3 and Packet Tracer. With Packet Tracer you can only configure what Packet Tracer allows. With GNS3 you can do everything that you can do on the real devices: you can build VPNs and use ASDM and CCP to configure the networking devices. You can build networks on your computer as if they were real.

Because GNS3 uses real operating systems, GNS3 requires you to have a lot of RAM and processing power.

2 How to use GNS3?

There are a few things you need to do before you can use GNS3.

1. You will need to configure and test the path to Dynamips (the Cisco IOS emulator).
2. You will need to search the internet to find IOS images which you can use on the network devices.
3. You will need to configure the devices with the correct image.
4. You will need to configure an idle PC value. If you don’t do this, your CPU will always be at 100% when you are using GNS3.

I have learned how to work with GNS3 by watching this video: http://www.cbtnuggets.com/standalone?video=/freevideo/csco_642_902_02.mp4.

It is a good video that gives an overview of what GNS3 can do and how you can do it.
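A pre-flight check for steps 1 to 3 above, added here as an example and not part of the report or of GNS3 itself: it confirms that the Dynamips binary GNS3 is pointed at exists and is executable, and compares every IOS image in the image directory with a SHA-256 manifest recorded when the image was obtained from its source, so a corrupted or altered image is flagged before it is loaded into the emulator. The image directory, file names, contents and digests are constructed for the demonstration; the idle PC value of step 4 is set inside GNS3 and is not covered here.

```python
"""Pre-flight checks for a GNS3/Dynamips lab (added example, not from the report)."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def find_dynamips(configured_path: Optional[str] = None) -> Optional[str]:
    """Return an executable Dynamips binary path, or None if none is usable.

    GNS3 lets you configure an explicit path; if that is not an executable
    file we fall back to searching PATH, as a user would do by hand.
    """
    if configured_path and os.path.isfile(configured_path) and os.access(configured_path, os.X_OK):
        return configured_path
    return shutil.which("dynamips")


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large images are not read into RAM at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_images(image_dir: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the images in image_dir with a manifest of expected SHA-256 digests.

    manifest maps file name -> hex digest recorded when the image was obtained.
    Returns file names grouped by outcome: 'ok', 'mismatch', 'missing'
    (listed but not on disk) and 'unlisted' (on disk but never verified).
    """
    result: Dict[str, List[str]] = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    on_disk = {p.name: p for p in image_dir.iterdir() if p.is_file()}
    for name, expected in manifest.items():
        path = on_disk.pop(name, None)
        if path is None:
            result["missing"].append(name)
        elif sha256_of(path) == expected.lower():
            result["ok"].append(name)
        else:
            result["mismatch"].append(name)
    result["unlisted"].extend(sorted(on_disk))  # never checked: do not load these
    return result


def run_demo() -> Dict[str, List[str]]:
    """Build a constructed image directory and manifest, then verify it.

    Constructed data: image-a.bin has a correct digest, image-b.bin has a
    deliberately wrong digest, image-c.bin is listed but absent, and
    unknown.bin sits on disk without a manifest entry.
    """
    with tempfile.TemporaryDirectory() as d:
        images = Path(d)
        (images / "image-a.bin").write_bytes(b"constructed image A\n" * 1024)
        (images / "image-b.bin").write_bytes(b"constructed image B\n" * 1024)
        (images / "unknown.bin").write_bytes(b"never listed in the manifest\n")
        manifest = {
            "image-a.bin": sha256_of(images / "image-a.bin"),  # correct digest
            "image-b.bin": "0" * 64,                            # wrong on purpose
            "image-c.bin": "1" * 64,                            # not on disk
        }
        return verify_images(images, manifest)


if __name__ == "__main__":
    print("dynamips:", find_dynamips() or "not found on PATH")
    for outcome, names in run_demo().items():
        print(f"{outcome:9s} {names}")
```

In a real lab the manifest would be a small text file kept next to the images, and any image that ends up in `mismatch` or `unlisted` should be replaced from its source rather than assigned to a device in step 3.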


Time sheet (Erasmus Salzburg)

Description | Place | Day | Start | End | Spent (h.mm) | Total (h.mm)
Information gathering about VPN | School | 10/Feb | 10.00 | 12.30 | 2.30 | 2.30
Information gathering about VPN | School | 10/Feb | 13.30 | 19.45 | 6.15 | 8.45
Information gathering about VPN | School | 11/Feb | 8.00 | 11.45 | 3.45 | 12.30
Information gathering about VPN | School | 11/Feb | 12.45 | 16.20 | 3.35 | 16.05
Information gathering about VPN | School | 12/Feb | 9.00 | 13.00 | 4.00 | 20.05
Information gathering about VPN | School | 12/Feb | 12.20 | 17.15 | 4.55 | 25.00
Information gathering about VPN | School | 13/Feb | 9.15 | 11.15 | 2.00 | 27.00
Information gathering about VPN | School | 13/Feb | 15.00 | 17.55 | 2.55 | 29.55
Information gathering about VPN | School | 14/Feb | 8.30 | 12.00 | 3.30 | 33.25
Information gathering about VPN | School | 14/Feb | 13.20 | 19.05 | 5.45 | 39.10
Experimenting with GNS3 | Home | 15/Feb | 14.00 | 17.40 | 3.40 | 42.50
Setting up GNS3 to work with Cisco ASA | Home | 15/Feb | 18.30 | 20.10 | 1.40 | 44.30
Setting up GNS3 to make VPN and zone based firewall lab | Home | 16/Feb | 15.20 | 17.40 | 2.20 | 46.50
Introduction to VoIP | Home | 17/Feb | 9.50 | 11.30 | 1.40 | 48.30
Documenting GNS3 | Home | 17/Feb | 11.40 | 12.50 | 1.10 | 49.40
Setting up GNS3 to make VPN and zone based firewall lab | Home | 17/Feb | 14.00 | 16.40 | 2.40 | 52.20
Welcome Week | Salzburg | 18/Feb | 9.00 | 18.00 | 9.00 | 61.20
Welcome Week | School | 19/Feb | 9.00 | 11.30 | 2.30 | 63.50
Welcome Week | School | 19/Feb | 17.00 | 19.00 | 2.00 | 65.50
Documenting Lab: ASA Firewall | Home | 19/Feb | 20.10 | 21.30 | 1.20 | 67.10
Welcome Week | School | 20/Feb | 9.00 | 10.20 | 1.20 | 68.30
Documenting Lab: ASA Firewall | Home | 20/Feb | 10.30 | 12.00 | 1.30 | 70.00
Configuring Lab: GNS3 | Home | 20/Feb | 14.00 | 18.00 | 4.00 | 74.00
Configuring Lab: GNS3 | Home | 21/Feb | 9.00 | 12.30 | 3.30 | 77.30
Configuring Lab: GNS3 | Home | 21/Feb | 14.00 | 17.30 | 3.30 | 81.00
Configuring Lab: GNS3 | Home | 25/Feb | 8.40 | 12.40 | 4.00 | 85.00
Configuring Lab: GNS3 | Home | 25/Feb | 14.10 | 17.50 | 3.40 | 88.40
Documenting Lab | Home | 26/Feb | 13.50 | 17.40 | 3.50 | 92.30
Documenting Lab | Home | 27/Feb | 8.50 | 13.10 | 4.20 | 96.50
Documenting Lab | Home | 27/Feb | 14.20 | 18.10 | 3.50 | 100.40
Configuring Lab: GNS3 (Problem solving) | Home | 28/Feb | 9.10 | 11.00 | 1.50 | 102.30
Configuring Lab: GNS3 (Problem solving) | Home | 28/Feb | 13.00 | 17.40 | 4.40 | 107.10
Configuring Lab: GNS3 (Problem solving) | Home | 3/Mar | 10.00 | 12.10 | 2.10 | 109.20
Documenting ASA Firewall Commands | Home | 3/Mar | 13.20 | 18.20 | 5.00 | 114.20
Documenting ASA Firewall Commands | Home | 4/Mar | 14.00 | 17.30 | 3.30 | 117.50
Documenting ASA Firewall Commands | Home | 5/Mar | 11.30 | 12.30 | 1.00 | 118.50
Troubleshooting USB to Serial adapter | Home | 5/Mar | 17.10 | 18.00 | 0.50 | 119.40
Troubleshooting USB to Serial adapter | Home | 6/Mar | 9.10 | 12.20 | 3.10 | 122.50
Configuring ASA Firewall | Home | 6/Mar | 13.40 | 18.10 | 4.30 | 127.20
Configuring ASA Site-to-Site endpoint | Home | 7/Mar | 11.40 | 12.30 | 0.50 | 128.10
Configuring and documenting ASA Site-to-Site endpoint | Home | 7/Mar | 13.40 | 19.10 | 5.30 | 133.40
Preparation of configuring whole lab | Home | 10/Mar | 9.10 | 13.20 | 4.10 | 137.50
Configuring the whole lab | Cisco room 459 | 10/Mar | 14.10 | 17.20 | 3.10 | 141.00
Configuring Clientless SSL VPN | Cisco room 459 | 11/Mar | 8.50 | 10.00 | 1.10 | 142.10
Configuring Clientless SSL and AnyConnect VPN | Cisco room 459 | 11/Mar | 13.00 | 18.10 | 5.10 | 147.20
Documenting Clientless SSL VPN | Home | 12/Mar | 9.00 | 13.10 | 4.10 | 151.30
Documenting Clientless SSL VPN | Home | 12/Mar | 16.10 | 18.40 | 2.30 | 154.00
Documenting AnyConnect SSL VPN and Clientless VPN | Home | 13/Mar | 11.40 | 13.10 | 1.30 | 155.30
Documenting AnyConnect VPN | Home | 13/Mar | 14.30 | 18.40 | 4.10 | 159.40
Troubleshooting on AnyConnect SSL VPN | Home | 17/Mar | 9.20 | 10.30 | 1.10 | 160.50
Troubleshooting on AnyConnect SSL VPN | Home | 17/Mar | 13.20 | 18.50 | 5.30 | 166.20
Troubleshooting on AnyConnect SSL VPN | Home | 18/Mar | 9.20 | 13.10 | 3.50 | 170.10
Reconfiguring AnyConnect SSL VPN | Home | 18/Mar | 14.00 | 17.30 | 3.30 | 173.40
Redocumenting AnyConnect SSL VPN | Home | 19/Mar | 9.00 | 12.40 | 3.40 | 177.20
Updating Cisco Switches | Cisco room 459 | 19/Mar | 16.00 | 18.10 | 2.10 | 179.30
Searching information about VoIP | Home | 20/Mar | 9.40 | 12.40 | 3.00 | 182.30
Preparation Open House | Cisco room 459 | 20/Mar | 14.00 | 17.10 | 3.10 | 185.40
Open House | Cisco room 459 | 21/Mar | 8.00 | 13.10 | 5.10 | 190.50
Open House | Cisco room 459 | 21/Mar | 13.40 | 18.00 | 4.20 | 195.10
Rereading and adjusting documentation | Home | 24/Mar | 9.20 | 14.10 | 4.50 | 200.00
Updating Cisco ASA | Cisco room 459 | 24/Mar | 15.50 | 19.40 | 3.50 | 203.50
Finishing documentation VPN | Cisco room 459 | 25/Mar | 10.30 | 12.10 | 1.40 | 205.30
Finishing documentation VPN | Cisco room 459 | 25/Mar | 13.40 | 20.00 | 6.20 | 211.50
Learning for Network Management exam | Home | 26/Mar | 9.20 | 13.10 | 3.50 | 215.40
Learning for Network Management exam | Home | 26/Mar | 15.10 | 18.50 | 3.40 | 219.20
Documenting VoIP | Home | 27/Mar | 10.30 | 13.40 | 3.10 | 222.30
Documenting VoIP | Home | 27/Mar | 14.20 | 17.50 | 3.30 | 226.00
Documenting VoIP | Home | 28/Mar | 9.30 | 12.10 | 2.40 | 228.40
Documenting VoIP | Home | 28/Mar | 13.40 | 17.30 | 3.50 | 232.30
Gathering information about VoIP | Home | 31/Mar | 10.10 | 12.40 | 2.30 | 235.00
Documenting VoIP | Home | 31/Mar | 14.00 | 18.10 | 4.10 | 239.10
Documenting VoIP | Home | 1/Apr | 12.00 | 13.20 | 1.20 | 240.30
Documenting VoIP | Home | 1/Apr | 14.50 | 17.40 | 2.50 | 243.20
Gathering information about VoIP | Home | 2/Apr | 9.30 | 12.20 | 2.50 | 246.10
Gathering information about VoIP | Home | 2/Apr | 13.10 | 18.20 | 5.10 | 251.20
Documenting VoIP | Home | 3/Apr | 10.20 | 13.10 | 2.50 | 254.10
Gathering information about VoIP | Home | 3/Apr | 14.30 | 18.10 | 3.40 | 257.50
Gathering information about Hacking VoIP | Home | 4/Apr | 9.10 | 12.20 | 3.10 | 261.00
Documenting Hacking VoIP | Home | 4/Apr | 13.10 | 17.50 | 4.40 | 265.40
Documenting Hacking VoIP | Home | 7/Apr | 9.40 | 12.30 | 2.50 | 268.30
Gathering information about Dynamic ARP Inspection and DHCP Snooping | Home | 7/Apr | 13.10 | 18.20 | 5.10 | 273.40
Gathering information about IP Source Guard | Home | 8/Apr | 9.30 | 12.40 | 3.10 | 276.50
Documenting Dynamic ARP Inspection and DHCP Snooping | Home | 8/Apr | 14.30 | 18.20 | 3.50 | 280.40
Documenting IP Source Guard | Home | 9/Apr | 9.10 | 11.30 | 2.20 | 283.00
Gathering Information about IOS IPS with signatures for VoIP | Home | 9/Apr | 14.20 | 17.50 | 3.30 | 286.30
Gathering Information about SNORT IDS/IPS with signatures for VoIP | Home | 10/Apr | 11.20 | 13.10 | 1.50 | 288.20
Documenting IOS IPS and SNORT IDS/IPS | Home | 10/Apr | 14.40 | 17.20 | 2.40 | 291.00
Documenting VoIP Firewall | Home | 10/Apr | 17.30 | 19.10 | 1.40 | 292.40
Making different network topologies | Home | 11/Apr | 9.20 | 11.30 | 2.10 | 294.50
Documenting an IP addressing scheme | Home | 11/Apr | 14.10 | 18.30 | 4.20 | 299.10
Elaboration Topology 2 and designing an IP Addressing Scheme | Home | 22/Apr | 9.20 | 13.10 | 3.50 | 303.00
Researching on Zone-Based Firewall and VoIP | Home | 22/Apr | 14.20 | 17.50 | 3.30 | 306.30
Documenting ZBF with VoIP | Home | 23/Apr | 11.10 | 12.40 | 1.30 | 308.00
Researching on Asterisk configuration | Home | 23/Apr | 14.20 | 17.40 | 3.20 | 311.20
Configuring and designing the network in Packet Tracer | Home | 24/Apr | 13.10 | 18.10 | 5.00 | 316.20
Configuring and designing the network in Packet Tracer | Home | 25/Apr | 9.10 | 11.20 | 2.10 | 318.30
Researching on Asterisk configuration | Home | 25/Apr | 14.10 | 18.30 | 4.20 | 322.50
Documenting the configuration | Home | 28/Apr | 9.20 | 11.30 | 2.10 | 325.00
Researching on a secure Asterisk configuration | Home | 28/Apr | 12.40 | 17.20 | 4.40 | 329.40
Researching on how to use access lists to restrict inter-VLAN routing | Home | 29/Apr | 9.40 | 12.00 | 2.20 | 332.00
Adjusting Packet Tracer activity with latest configuration | Home | 29/Apr | 14.20 | 17.40 | 3.20 | 335.20
Preparing for the Wings for Life World Run | Home | 30/Apr | 11.10 | 12.20 | 1.10 | 336.30
Preparing for the Wings for Life World Run | Home | 30/Apr | 13.10 | 17.40 | 4.30 | 341.00
Transport to Leoben for the Wings for Life World Run | Train | 1/May | 8.00 | 13.00 | 0.00 | 341.00
Working for Cisco NetAcad at Wings for Life World Run Global Race Control Center | Spielberg | 1/May | 17.10 | 23.20 | 6.10 | 347.10
Working for Cisco NetAcad at Wings for Life World Run Global Race Control Center | Spielberg | 2/May | 14.10 | 23.20 | 9.10 | 356.20
Working for Cisco NetAcad at Wings for Life World Run Global Race Control Center | Spielberg | 2/May | 8.50 | 12.40 | 3.50 | 360.10
Working for Cisco NetAcad at Wings for Life World Run Global Race Control Center | Spielberg | 3/May | 13.20 | 23.10 | 9.50 | 370.00
Working for Cisco NetAcad at Wings for Life World Run Global Race Control Center | Spielberg | 4/May | 8.50 | 13.10 | 4.20 | 374.20
Working for Cisco NetAcad at Wings for Life World Run Global Race Control Center | Spielberg | 4/May | 14.00 | 22.50 | 8.50 | 383.10
Working for Cisco NetAcad at Wings for Life World Run Global Race Control Center | Spielberg | 5/May | 9.10 | 12.10 | 3.00 | 386.10
Working for Cisco NetAcad at Wings for Life World Run Global Race Control Center | Spielberg | 5/May | 12.50 | 19.40 | 6.50 | 393.00
Making a last blog post about my experience at the Global Race Control Center | Home | 6/May | 10.20 | 12.40 | 2.20 | 395.20
Configuring SIP Lab | Cisco room 459 | 7/May | 11.00 | 13.10 | 2.10 | 397.30
Configuring SIP Lab | Cisco room 459 | 7/May | 14.20 | 18.10 | 3.50 | 401.20
Configuring SIP Lab | Cisco room 459 | 8/May | 9.10 | 13.40 | 4.30 | 405.50
Configuring SIP Lab | Cisco room 459 | 8/May | 14.30 | 17.20 | 2.50 | 408.40
Documenting SIP Lab | Home | 8/May | 17.30 | 18.50 | 1.20 | 410.00
Configuring SIP Lab | Cisco room 459 | 9/May | 9.30 | 13.20 | 3.50 | 413.50
Configuring SIP Lab | Cisco room 459 | 9/May | 14.30 | 16.40 | 2.10 | 416.00
Documenting SIP Lab | Home | 9/May | 16.50 | 18.30 | 1.40 | 417.40
Configuring SIP Lab | Cisco room 459 | 14/May | 12.40 | 16.40 | 4.00 | 421.40
Documenting SIP Lab | Home | 14/May | 16.50 | 19.10 | 2.20 | 424.00
Configuring Security in SIP Lab | Cisco room 459 | 15/May | 9.40 | 12.20 | 2.40 | 426.40
Configuring Security in SIP Lab | Cisco room 459 | 15/May | 17.10 | 18.40 | 1.30 | 428.10
Configuring Security in SIP Lab | Cisco room 459 | 16/May | 10.00 | 12.40 | 2.40 | 430.50
Configuring Security in SIP Lab | Cisco room 459 | 16/May | 13.30 | 17.50 | 4.20 | 435.10
Researching SRTP and SIP TLS | Home | 19/May | 9.20 | 12.30 | 3.10 | 438.20
Configuring SRTP and SIP TLS | Cisco room 459 | 19/May | 14.10 | 18.30 | 4.20 | 442.40
Researching SRTP and SIP TLS | Cisco room 459 | 20/May | 9.30 | 13.20 | 3.50 | 446.30
Configuring SRTP and SIP TLS | Cisco room 459 | 20/May | 14.10 | 18.40 | 4.30 | 451.00
Researching SRTP and SIP TLS | Cisco room 459 | 21/May | 9.20 | 10.00 | 0.40 | 451.40
Configuring SRTP and SIP TLS | Cisco room 459 | 21/May | 16.00 | 17.10 | 1.10 | 452.50
Researching SRTP and SIP TLS | Home | 22/May | 9.20 | 13.10 | 3.50 | 456.40
Finalizing Documentation | Home | 22/May | 14.20 | 18.10 | 3.50 | 460.30
Configuring SRTP and SIP TLS | Cisco room 459 | 23/May | 9.10 | 12.30 | 3.20 | 463.50
Finalizing Documentation | Home | 23/May | 13.20 | 18.10 | 4.50 | 468.40
Finalizing Documentation | Home | 26/May | 9.10 | 12.20 | 3.10 | 471.50
Finalizing Documentation | Home | 26/May | 13.10 | 19.30 | 6.20 | 478.10
Studying ICND1 | Home | 27/May | 9.20 | 12.20 | 3.00 | 481.10
Studying ICND1 | Home | 27/May | 13.00 | 17.20 | 4.20 | 485.30
Studying ICND1 | Home | 28/May | 10.00 | 12.10 | 2.10 | 487.40
Studying ICND1 | Home | 28/May | 14.10 | 17.30 | 3.20 | 491.00
Studying ICND1 | Home | 4/May | 9.10 | 12.30 | 3.20 | 494.20
Writing Internship Report | Home | 4/May | 13.40 | 17.20 | 3.40 | 498.00
Writing Internship Report | Home | 5/May | 10.10 | 12.40 | 2.30 | 500.30
Writing Internship Report | Home | 5/May | 13.20 | 17.40 | 4.20 | 504.50
Writing Internship Report | Home | 6/May | 10.20 | 13.10 | 2.50 | 507.40
Writing Internship Report | Home | 6/May | 14.20 | 17.30 | 3.10 | 510.50

Total hours spent: 510.50


Sources

1 Virtual Private Networks

1.1 Books

CCNA Security 640-554 Official Cert Guide

CCNA Security Labs

Hacking Exposed 7: Network Security Secrets & Solutions

1.2 Websites

http://www.math.umass.edu/~gunnells/talks/crypt.pdf

http://www.howtogeek.com/172762/how-to-play-old-lan-games-over-the-internet

http://netforbeginners.about.com/od/readerpicks/tp/Reasons-to-Use-a-VPN-Service.htm

https://sc1.checkpoint.com/documents/R77/CP_R77_VPN_AdminGuide/13847.htm

http://www.ciscopress.com/articles/article.asp?p=25474&seqNum=7


2 Voice over IP

2.1 Books

VoIP hacking: Hacking Exposed 7: Network Security Secrets & Solutions by Stuart McClure, Joel Scambray and George Kurtz

Official Cert Guide CCNA Security 640-554 by Keith Barker and Scott Morris

2.2 Websites

Introduction to VoIP: http://www.youtube.com/watch?v=2x3Ie6VZ_sg

Codecs: http://www.youtube.com/watch?v=pfahWL5z5rU

Difference between SIP and SCCP: http://www.differencebetween.com/difference-between-sip-and-vs-sccp

Fundamentals of SIP: http://www.youtube.com/watch?v=lvLwcARHFoY

SCCP: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/collab09/clb09/dialplan.html#wp1135394

Better understanding of the registration of SIP: http://www.siptutorial.net/SIP/registration.html

Good information about SIP: http://www.tutorial-reports.com/internet/telephony/voip/sip/sip-voip.php

SCCP Traffic Flow: https://supportforums.cisco.com/document/138351/unified-communications-call-flow-enterprise-network

VoIP security: http://www.checkpoint.com/securitycafe/readingroom/perimeter/voip.html

ARP spoofing: http://www.watchguard.com/archive/files/images/ARPpoison3.jpg, http://www.watchguard.com/infocenter/editorial/135324.asp

DHCP snooping and Dynamic ARP inspection: https://www.youtube.com/watch?v=9Nep2tFEORU

IP Source Guard: https://www.youtube.com/watch?v=9Nep2tFEORU

SNORT: http://www.snort.org

SNORT manual: http://s3.amazonaws.com/snort-org/www/assets/166/snort_manual.pdf

How to install SNORT: http://www.snort.org/assets/158/snortinstallguide293.pdf

Use SNORT for VoIP attacks: http://www.snortattack.org/docs/voip_en.pdf

SIP Firewall support: http://www.cisco.com/c/en/us/td/docs/ios/sec_data_plane/configuration/guide/12_4/sec_data_plane_12_4_book/sec_fwall_sip_supp.pdf

ASA Firewall SIP: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82446-enable-voip-config.html#configs1

Encrypt SIP traffic with Asterisk: https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial

SIP configuration: http://www.voip-info.org/wiki/view/Asterisk+config+sip.conf


Extensions configuration: http://www.voip-info.org/wiki/view/Asterisk+config+extensions.conf

Basic Asterisk configuration: http://draalin.com/basic-asterisk-configuration-in-ubuntu/


3 Reporting from the Wings for Life World Run

3.1 Blog posts

http://networkingakademien.wordpress.com/2014/05/03/worldrun-netacad-team/

http://networkingakademien.wordpress.com/2014/05/03/running-in-one-race/

http://networkingakademien.wordpress.com/2014/05/03/nathan-boone-upclose-personal/

http://networkingakademien.wordpress.com/2014/05/04/networking-wflwr-2014/

http://networkingakademien.wordpress.com/2014/05/04/lesson-in-passion written by Jutta Jerlich

http://networkingakademien.wordpress.com/2014/05/06/it-became-more-and-more-interesting/

YouTube video: http://www.youtube.com/watch?v=SH64ySubtI8

http://www.wingsforlife.com/en


Curriculum vitae

Nathan Boone

Name: Nathan Boone
Address: Moensberg 93
Place of residence: 1180 UKKEL
Country: Belgium
Cellphone: +32 479 76 29 77
E-mail: [email protected]
Date of birth: 25/12/1993
Driver license: B

EDUCATION

Postgraduate Degree Program ICT Infrastructure & Network Management, University College Brussels Odisee, 2014-2015.
Bachelor of Applied Informatics (specialized in computer networks and infrastructure), University College Brussels Odisee, 2011-2014.
Internship about networking in the Fachhochschule Salzburg University of Applied Sciences, February 2014 - June 2014.
Secondary school Onze-Lieve-Vrouw instituut Sint-Genesius-Rode, economics/commerce degree obtained in June 2011.

Certifications
Cisco CCENT
Preparing for Cisco CCNA

Main modules studied so far

Computer networks:

• Courses
o Cisco Discovery 1 Networking for Home and Small Businesses
o Cisco Discovery 2 Working at a Small-to-Medium Business
o Cisco Discovery 3 Introducing Routing and Switching in the Enterprise
o Cisco Discovery 4 Designing and Supporting Computer Networks
o Interconnecting Cisco Network Devices 1
o Interconnecting Cisco Network Devices 2
o CCNA Network Security
o Corning course on fibre networks

Computer infrastructure:

• VMware System virtualization
• Linux
o Created a server park
o Bash Scripting
• Windows
o Windows Server 2008 R2

Basic knowledge of the following subjects:

• Transact SQL
• SQL Server Management Studio
• Oracle SQL
• Oracle Apex
• HTML
• CSS
• JavaScript
• C#

LANGUAGE SKILLS

Language | Speaking | Writing | Listening
Dutch | Native Speaker | Native Speaker | Native Speaker
English | Excellent | Excellent | Excellent
French | Good | Good | Excellent
German | Fair | Fair | Fair
Korean: learning since January 2015

PROJECTS

University College Brussels Odisee

I designed and configured the network for the Super Hackathon in Brussels. This is an all-day event where people come together to develop applications for Windows 8. This event was organized by Microsoft in the University College Brussels. For my bachelor thesis, I studied the book Hacking Exposed 7: Network Security Secrets & Solutions. I first made a summary of the most interesting subjects of this book. I learned how to analyze a large amount of data and how to take the most interesting subjects out of it. I made cases and then I designed and configured networks in a test environment to test these cases. For my Postgraduate Program we designed and installed the backbone fibre network of a school of more than 600 students.

Fachhochschule Salzburg University of Applied Sciences

The following projects were requested by Professor Dominik Engel at the Fachhochschule Salzburg University of Applied Sciences:

• VoIP and VoIP Security project: I investigated the different protocols that are being used inside a VoIP network. I designed and made a VoIP network while taking care about the redundancy, availability and security.

• Virtual Private Networks project at my Internship: I researched the different virtual private networks and designed a network where they are used in.

Cisco Networking Academy

I was a reporter at the Wings for Life World Run for Cisco Networking Academy in May 2014. I reported about all the technical information from behind the scenes at the Wings for Life World Run Control Center.

Vandenborre

Vandenborre is a Belgian retailer in electronic equipment. I tested and reported about three different devices that would change their whole business perspective, from September 2014 until December 2014.

EXTRACURRICULAR ACTIVITIES

• French communication skills: I worked as a monitor for young children at various playgrounds in the summer vacation of 2009. I improved my French communication skills and also learned the importance of team skills.

• Founded a commercial import company for a school project. We imported and sold champagne to local companies and individuals.

• Sports: tennis and football; these help me to work in a team, to persevere and to be ambitious.


Presentation
