Category Archives: General

Magic Quadrant for Enterprise Network Firewalls 2017

Cisco is climbing fast, Fortinet faster, Palo Alto is still leading and filling the gaps in their portfolio, and Check Point finally released R80 for gateways. I predict 4 Leaders next year; it will be a nice race to watch!

Full report: Magic Quadrant for Enterprise Network Firewalls 2017


Spot Bad Traffic without decrypting it

How can we detect and mitigate a kill chain in encrypted traffic without breaking users' privacy and, at the same time, with minimal false positives? Cisco Catalyst 9k is the newest platform with this capability, which is called Encrypted Traffic Analysis (ETS). Machine learning and metadata seem to be the right ingredients to make the wheel work.

Read here for more detail.


Wishes of Cisco Champion

I've been thinking about this: a really cool thing could be Cisco providing extended trial licenses for those who live and breathe Cisco (the true DNA of a Cisco Champion). A Cisco VIRL license and/or a voucher for a Cisco Press ebook could also be part of the bundle.

Maybe we can see some of these next year 2018.

Fingers crossed.


ALG breaking a Zone Transfer

This came up when I tried to do a DNS zone transfer through a Cisco SOHO router (877): when triggered, I received a RST packet from the router. Initially I thought it came from the server, but looking at the packet capture I observed the TTL was 254, which meant it was from the router itself. Why? Answer: ALG.

Because the ALG can only handle messages up to a certain size, the only way to fix this is to DISABLE the ALG.

INTERNET#sh ver | i Vers
Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.2(4)M6, RELEASE SOFTWARE (fc2)

[[email protected] ~]# dig -y @104.28.16.27 cocheno.com -t axfr
;; communications error to 104.28.16.27#53: connection reset

Looking at the NAT debug...

Jan 11 23:15:10.146: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.150:  NAT-L4F:setting ALG_NEEDED flag in subblock
Jan 11 23:15:10.150: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.150:  NAT-L4F: Policy check successful
Jan 11 23:15:10.150:  NAT-L4F: received fd1: 1073742971 and
tcp flags = 0x2, payload_len = 0
Jan 11 23:15:10.294:  NAT-L4F:setting ALG_NEEDED flag in subblock
Jan 11 23:15:10.294: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.294:  NAT-L4F: received fd2: 1073742972 and
tcp flags = 0x12,payload_len = 0
Jan 11 23:15:10.298:  NAT-L4F:setting ALG_NEEDED flag in subblock
Jan 11 23:15:10.298: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.298:  NAT-L4F: Received final ACK from fd1 : 1073742971 and
tcp flags = 0x10
Jan 11 23:15:10.298:  NAT-L4F:Transistioning to proxy: rc 0 error 0
Jan 11 23:15:10.298:  NAT-L4F: Successfully proxied this flow
Jan 11 23:15:10.298:  NAT-L4F:setting ALG_NEEDED flag in subblock
Jan 11 23:15:10.298: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.298: NAT-ALG: lookup=0 l7_bytes_recd=125 appl_type=12
Jan 11 23:15:10.298: NAT-ALG: DNS l7_msg_size = 125
Jan 11 23:15:10.298: NAT-ALG: after state machine:
Jan 11 23:15:10.298: NAT-ALG: remaining_hdr_sz=0
Jan 11 23:15:10.298: NAT-ALG: remaining_payl_sz=0
Jan 11 23:15:10.298: NAT-ALG: tcp_alg_state=0
Jan 11 23:15:10.298: NAT-ALG: complete_msg_len=125
Jan 11 23:15:10.298:  l4f_send returns 125 bytes
Jan 11 23:15:10.298:  Complete buffer written to proxy
Jan 11 23:15:10.298:  NAT-L4F:NO DATA to read
Jan 11 23:15:10.446:  NAT-L4F:setting ALG_NEEDED flag in subblock
Jan 11 23:15:10.446: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.454:  NAT-L4F:setting ALG_NEEDED flag in subblock
Jan 11 23:15:10.454: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.454: NAT-ALG: lookup=1 l7_bytes_recd=1452 appl_type=12
Jan 11 23:15:10.454: NAT-ALG: DNS l7_msg_size = 31751
Jan 11 23:15:10.454: NAT-ALG: Unsupported l7_msg_size = 31751
Jan 11 23:15:10.454: NAT-L4F:CSM isn't able to accept the pkt
Jan 11 23:15:10.458:  NAT-L4F:read RST, aborting
Jan 11 23:15:10.458:  NAT-L4F:setting ALG_NEEDED flag in subblock


How to disable the DNS ALG?

INTERNET-RTR(config)#no ip nat service alg tcp dns
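The debug above shows the mechanism: the ALG learns the full DNS message size from the first TCP segment (l7_bytes_recd=1452 against l7_msg_size=31751), rejects it as unsupported, and the proxied flow is torn down with a RST that the client sees as coming from the router. The following Python is an added example, not code from the original post or from Cisco: it models how a size-limited DNS ALG reads the 2-byte DNS-over-TCP length prefix and decides to abort, and it flags that decision in `debug ip nat` output so an ALG-induced reset can be told apart from one sent by the real server. The maximum size (`ALG_MAX_MSG_SIZE`) is a constructed placeholder, not a documented Cisco limit; the 31751-byte size and the sample log lines are taken from the post's debug, and the DNS payloads are constructed filler.

```python
"""Added example (not code from the original post): model how a DNS ALG that
reads the 2-byte DNS-over-TCP length prefix decides to abort a zone transfer,
and flag that decision in 'debug ip nat' output.

Assumption (not stated on the page): the ALG enforces a fixed maximum message
size. ALG_MAX_MSG_SIZE is a constructed placeholder, not a documented Cisco
limit; the 31751-byte size and the log excerpt come from the post's debug.
"""
import re
import struct

ALG_MAX_MSG_SIZE = 8192  # constructed placeholder for the ALG's supported size


def declared_dns_tcp_length(first_segment: bytes) -> int:
    """DNS over TCP (RFC 1035, section 4.2.2) prefixes each message with a
    2-byte big-endian length; a middlebox learns the full size from the very
    first segment, long before the rest of the message arrives."""
    if len(first_segment) < 2:
        raise ValueError("need at least the 2-byte length prefix")
    return struct.unpack("!H", first_segment[:2])[0]


def alg_accepts(first_segment: bytes, limit: int = ALG_MAX_MSG_SIZE) -> bool:
    """True if a size-limited ALG would keep proxying this message."""
    return declared_dns_tcp_length(first_segment) <= limit


def build_dns_tcp_message(payload: bytes) -> bytes:
    """Frame a DNS payload for TCP transport (length prefix + payload)."""
    return struct.pack("!H", len(payload)) + payload


def first_segment(stream: bytes, mss: int = 1452) -> bytes:
    """The only bytes the ALG has seen when it decides; the post's debug shows
    l7_bytes_recd=1452 against l7_msg_size=31751."""
    return stream[:mss]


UNSUPPORTED_RE = re.compile(r"NAT-ALG: Unsupported l7_msg_size = (\d+)")
RST_RE = re.compile(r"NAT-L4F:read RST, aborting")


def alg_size_aborts(log_lines):
    """Return the message sizes the ALG rejected, but only where the rejection
    is followed by the proxied flow being torn down with a RST. That pairing
    is what distinguishes an ALG-induced reset from one the server sent."""
    aborts = []
    pending = None
    for line in log_lines:
        m = UNSUPPORTED_RE.search(line)
        if m:
            pending = int(m.group(1))
        elif pending is not None and RST_RE.search(line):
            aborts.append(pending)
            pending = None
    return aborts


# Excerpt of the 'debug ip nat' lines shown in the post.
SAMPLE_DEBUG = """\
Jan 11 23:15:10.298: NAT-ALG: DNS l7_msg_size = 125
Jan 11 23:15:10.298: NAT-ALG: complete_msg_len=125
Jan 11 23:15:10.454: NAT-ALG: lookup=1 l7_bytes_recd=1452 appl_type=12
Jan 11 23:15:10.454: NAT-ALG: DNS l7_msg_size = 31751
Jan 11 23:15:10.454: NAT-ALG: Unsupported l7_msg_size = 31751
Jan 11 23:15:10.454: NAT-L4F:CSM isn't able to accept the pkt
Jan 11 23:15:10.458:  NAT-L4F:read RST, aborting
""".splitlines()


if __name__ == "__main__":
    # Constructed payloads: a small query and an AXFR answer declaring 31751
    # bytes (the size the router rejected). Contents are filler, not real DNS.
    query = build_dns_tcp_message(b"Q" * 123)
    axfr = build_dns_tcp_message(b"A" * 31751)
    for name, msg in (("query", query), ("axfr", axfr)):
        seg = first_segment(msg)
        print(f"{name}: declared {declared_dns_tcp_length(seg)} bytes, "
              f"seen {len(seg)}, ALG accepts: {alg_accepts(seg)}")
    print("ALG-induced aborts in debug:", alg_size_aborts(SAMPLE_DEBUG))
```

Run it against a real debug capture by feeding the lines to `alg_size_aborts`; a non-empty result with a TTL-254 RST in the packet capture points at the router's ALG rather than the DNS server, which is exactly the situation `no ip nat service alg tcp dns` resolves.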


New Year Resolutions for 2017

This is the right time of the year to think about what we want to do and define our goals for the upcoming year; I consider this an important step to keep you focused on your career and away from the darkness (dead times). Compared with what I achieved this year it's embarrassing, but I'm looking forward to a great 2017. This year I have to renew some of my certs (2 years gone...) like Juniper and Check Point. This year I'm expecting to enhance my knowledge about Azure/AWS platforms, Web Application Firewall, CyberSecurity, DNS RPZ, DDoS, SSL Decryption and maybe others in the long run. Network Design and Automation are still my priority, but maybe my employer will challenge me next year, so I will add it later to my list :)

I will likely do some of these exams:

VMware Certified Professional 6 – Network Virtualization (VCP6-NV)

Cisco CCIE Service Provider Written+Lab(?)

Cisco CCDE Written+Lab(?)

JNCIE-ENT

JNCIP-SP

JNCIS-SEC

Palo Alto Networks Certified Network Security Engineer (PCNSE)

F5 Certified BIG-IP Administrator

F5 Certified Technology Specialists ASM

Beta versions?

Books

There are some books i’m still reading:

The Art of Network Architecture: Business-Driven Design

MPLS Fundamentals – Cisco Press

CCDE Study Guide – Cisco Press

Let the journey begin!


Cisco DNA Learning Track

On this new track you can learn about the building blocks of the Cisco Digital Network Architecture (DNA), including an introduction to REST APIs, how to code in Python, and how to use programmability in the context of controllers and device-level interfaces. You have 10 modules and 32 learning labs, free, free, free!


Labs Available


References:

DevNet Express for DNA
