
Security

Cisco IP Phone Vulnerability Enables Remote Eavesdropping

A recent Cisco Security Advisory details a vulnerability that allows "an arbitrary code execution...that could allow a local attacker to execute code or modify arbitrary memory with elevated privileges." In other words, if you have a Cisco 7900 series IP Phone on your desk, it can be totally pwnd.

This might not come as a surprise to those who have worked with these devices or other IP phones with programmable features. It's basically a little computer with a plastic phone-shaped box wrapped around it. If this is a surprise to you, or if you don't believe it, check out the video demonstration below.

Password Recovery on a Cisco 2500 Series Router

Command Line

If you have built a home lab (or are running really ancient hardware in production), you may find yourself needing to reset the password configured on a 2500 series router. The syntax differs depending on the router platform. Here's how to do it on a 2500:

1. Reboot the router and send a break sequence to enter ROMMON mode. The break sequence can be sent with the Ctrl+Break key combination; if your keyboard doesn't have a Break key, use your terminal software's option to send a break.

2. (optional) Type the letter o and hit enter. Record the existing configuration register setting; it's most likely 0x2102.

3. To reset the configuration register and have the router bypass the startup-config, type the following:

o/r 0x2142

4. To boot the router, type the letter i and hit enter.

Cisco Security Advisory - NX-OS Denial of Service Vulnerability

Cisco recently announced a vulnerability in their NX-OS for the 1000v, 5000, and 7000 platforms. If you are running Nexus in your network, be sure to check this one out because it could cause an outage.

In order for this vulnerability to be exploited (or triggered accidentally), a malformed IP packet has to reach the Nexus, and one of several conditions can then trigger the problem. The advisory provides a few examples of how the problem can be triggered, including the following: a malformed packet with a TTL value of 1 would cause the Nexus to send an ICMP time exceeded error message, and the process of generating that ICMP message could trigger the bug.

What's Vulnerable and How Do I Fix It?

Here's a list of the versions with the vulnerability and the version with the fix, per platform:

Cisco Security Advisory - IKE Resource Exhaustion Attack

If you have ever set up an IPSEC VPN, then you are most likely aware of IKE. IKE is the protocol used to establish the first phase of an IPSEC VPN, i.e., to exchange keys. Well, thanks to the work of Roy Hills from NTA Monitor Ltd, Cisco has identified a vulnerability in the IKE implementation on Cisco platforms that could allow a malicious individual to unleash a denial of service on your VPN devices.

What's Vulnerable

Essentially, if your Internet-facing VPN devices or border routers allow anyone on the planet to establish an IKE session with your Cisco VPN devices (Cisco 3000 VPN Concentrator, PIX, ASA, ISR, etc.), then you are vulnerable.

The issue is pretty much present in anything that supports IPSEC VPNs and doesn't explicitly filter traffic to the VPN devices. Cisco is tracking the issue in the following bug IDs:

Check Point 61000 Security System


If you need a massive amount of firewall power, check out the Check Point 61000. This thing looks like a modular switch chassis, but it's a firewall that runs all of Check Point's latest and greatest software.

Officially announced in August of this year, the 61000 is aimed at the largest of customers, such as service providers or hosted solutions providers. The system is capable of pushing 200Gbps of filtered traffic and sports a Check Point Security Power rating of up to 14,000. If you are unfamiliar with the Security Power rating, it is a number that Check Point came up with to quantify the combined workload a security device can handle, measured in security power units (SPUs). Think of a small branch firewall providing a couple hundred SPUs and an enterprise edge firewall providing 500-2000 SPUs. So, 14,000 is a lot.

Let the IPv6 Vulnerabilities Begin

Cisco last week released a slew of security advisories. One that specifically caught my eye is a Denial of Service vulnerability due to "improper processing of malformed IP version 6 (IPv6) packets by Cisco IOS Software."

I've been wondering how long it would take for the exploits to start to trickle in with IPv6. One can only imagine how many vulnerabilities Windows will have with IPv6 enabled by default. Expect to see more of these in the future as IPv6 becomes more prevalent.

The alert details are available here.

The vulnerability details are available here.

How to configure an IPv4 GRE tunnel to carry IPv6 traffic

Continuing the review of the TSHOOT Topology, on the IPv6 network map there is a GRE tunnel that is configured between Router 3 and Router 4. This tunnel is in place to allow IPv6 traffic to traverse the 10.1.1.8/30 IPv4 network. So, while reviewing the IPv6 tshoot topology, I decided to try out the tunnel configuration.

There are several ways to configure tunnels that allow IPv6 traffic to traverse IPv4 networks (and vice versa). This post will focus on a GRE tunnel configuration. If you want to review the other tunnel types, i.e., Automatic IPv4-Compatible IPv6 Tunnels, IPv6 Rapid Deployment Tunnels, and Automatic 6to4 Tunnels, I've included a link below to a resource on Cisco's website with good examples of each.

I threw together the following network diagram to provide a visual of what we are configuring:

[Diagram: IPv6_GRE_Tunnel2]

Free Cisco Press Chapter - Configuring Policies, Inheritance, and Attributes

Studying for your CCNP Security? If you are, or if you simply want to learn more about VPNs, take a look at this free chapter from Cisco Press on Configuring Policies, Inheritance, and Attributes.

This is straight out of the CCNP Security VPN 642-647 Official Cert Guide. According to Cisco Press, the chapter covers the following topics:

  • Policies and Their Relationships
  • Understanding Connection Profiles
  • Understanding Group Policies
  • Configure User Attributes
  • Using External Servers for AAA and Policy Assignment

Give it a read if you've got your certification crosshairs fixed on the CCNP Security.

Microsoft Patch Tuesday - August 2011

Our Redmond friends have released a bundle of new patches for their products today. Several patches address remote code execution vulnerabilities, even for more recent OS/browser combos such as Windows 7 64-bit and IE9. Recommend updating to avert pwnage.

Check out the official bulletin for more details.

Configuring Clientless SSL VPN (WebVPN) on Cisco IOS Routers

A Tekcert member recently posted a question in the forums regarding IOS Clientless SSL VPN, a.k.a. WebVPN. This prompted me to test the functionality in a lab environment and post my findings. To make it easier to find, I decided to make it a full-blown blog post. So, here we go...

The first step I took was to get a router with 12.4T code running on a LAN with a desktop connected to it. The following configuration is broken into chunks to help break down the process.

Configure basic settings on the router, including hostname, domain, usernames, etc. (not all of this is required for WebVPN to work, but it is what I had on my router so you're getting it all):

Stop Rogue DHCP Servers with DHCP Snooping

Protecting your network can be a daunting task. There are so many attack vectors to keep an eye on; it is literally a full-time job (and a certification track) to learn how to thwart evildoers. So, today we're going to take a look at one of those attack vectors: a man-in-the-middle attack using a rogue DHCP server. Then we're going to focus on how to stop those attacks dead in their tracks.

ISC BIND 9 Remote Packet Denial of Service Vulnerability

The Internet Systems Consortium has announced a vulnerability present in several versions of BIND 9.x. The description of the vulnerability from their site is as follows:

A defect in the affected BIND 9 versions allows an attacker to remotely cause the "named" process to exit using a specially crafted packet. This defect affects both recursive and authoritative servers. The code location of the defect makes it impossible to protect BIND using ACLs configured within named.conf or by disabling any features at compile-time or run-time.

Versions affected are 9.6.3, 9.6-ESV-R4, 9.6-ESV-R4-P1, 9.6-ESV-R5b1, 9.7.0, 9.7.0-P1, 9.7.0-P2, 9.7.1, 9.7.1-P1, 9.7.1-P2, 9.7.2, 9.7.2-P1, 9.7.2-P2, 9.7.2-P3, 9.7.3, 9.7.3-P1, 9.7.3-P2, 9.7.4b1, 9.8.0, 9.8.0-P1, 9.8.0-P2, 9.8.0-P3, and 9.8.1b1.

Cisco Security Advisories - AnyConnect Client and 7900 Series Phones

Cisco released a couple of severe security advisories last week that are worth taking a look at if you use either the Cisco AnyConnect Secure Mobility Client software or Cisco 7900 Series IP Phones. I'll try to break them down in plain English below to help you see if you are vulnerable.

Cisco Wireless LAN Controller DoS Vulnerability

Cisco has released a security advisory for a vulnerability in some of their Wireless LAN Controllers (WLCs) which, if exploited, can cause the device to reload. This doesn't affect very many of their wireless controllers, but it is a serious enough vulnerability to warrant a code upgrade if you are running an affected code version on an impacted platform.

What Platforms Are Affected?

This vulnerability affects Cisco WLC software versions 6.0 and later. The following products are affected by the vulnerability described in this Security Advisory:

ASA5510 to ASA5505 Easy VPN Server / Client Configuration Sample

A recent configuration of mine... thought I would save the template for future use. Useful if the ASA5505 has a dynamic IP, where you can't build a typical site-to-site VPN.
