Category Archives: Security

Tweak multicast on Cisco ASA without RP

This came as a customer request, where they required to send multicast for testing purposes to their own customers but without using a RP. A Cisco ASA is segregating the environment acting as Layer 3 between the multicast sender and receivers. The first step was disabling the snooping on the switching to let the traffic going through, and last but not least setup a static group on the ASA to flood the interface outwards to the receivers. The challenge was the PIM, which has to be enabled but can’t have a neighbourship otherwise the interface is not going to flood the multicast out, so how do we make this work?

I’m running code Cisco ASA 9.1(7) with multicast-routing enabled

Because i have the firewall connect to a DMZ switch i have to disable the IGMP snooping on the switch

no ip igmp snooping vlan 2201

Setup a Filter to not allow the neighbourship but having the PIM enabled, and the static group to force the ASA to join particular multicast address (224.0.1.129)
You have to Deny the host adjacent in this case was 10.101.201.43

access-list CSC_FILTER_PIM standard deny host 10.101.201.43

interface Ethernet0/0
description CSC
nameif CSC-LON9
security-level 55
ip address 10.111.201.41 255.255.255.248 standby 10.111.201.42
pim neighbor-filter CSC_FILTER_PIM
igmp static-group 224.0.1.129

If a PIM neighbourship was established, that needs to expire before the interface starts flooding the traffic, if you see Nbr Count=0 you are almost there

fw01/sec/act# show pim interface

Address Interface PIM Nbr Hello DR DR
Count Intvl Prior

10.101.201.41 CSC-LON9 on 0 30 1 this system

fw01/sec/act# sh igmp interface CSC-LON9
CSC-LON9 is up, line protocol is up
Internet address is 10.101.201.41/29
IGMP is enabled on interface
Current IGMP version is 2
IGMP query interval is 125 seconds
IGMP querier timeout is 255 seconds
IGMP max query response time is 10 seconds
Last member query response interval is 1 seconds
Inbound IGMP access group is:
IGMP limit is 500, currently active joins: 0
Cumulative IGMP activity: 1 joins, 0 leaves
IGMP querying router is 10.101.201.41 (this system)

Now the interface is forwarding the multicast, if you see Null you missed something

fw01/sec/act# sh mroute 10.101.100.13 224.0.1.129

Multicast Routing Table
Flags: D – Dense, S – Sparse, B – Bidir Group, s – SSM Group,
C – Connected, L – Local, I – Received Source Specific Host Report,
P – Pruned, R – RP-bit set, F – Register flag, T – SPT-bit set,
J – Join SPT
Timers: Uptime/Expires
Interface state: Interface, State

(10.101.100.13, 224.0.1.129), 3w3d/00:03:29, flags: SFJT
Incoming interface: INSIDE
RPF nbr: 10.101.100.13
Inherited Outgoing interface list:
CSC-LON9, Forward, 3w3d/never

Cisco CCNA Cyber Ops completed!

2 months in a rush was what i needed to finish my CCNA Cyber Ops, it’s composed by 2 exams:

  •  210-250 SECFND
  • 210-255 SECOPS

The e-learning was part of the Cisco scholarship, so i had all materials required to learn what was required for each exam. The SECOPS exam it was a bit more difficult due his nature of different language.

 

210-250 SECFND

This exam understand common security concepts, and start to learn the basic security techniques used in a Security Operations Center (SOC) to find threats on a network using a variety of popular security tools within a “real-life” network infrastructure.

Course Objectives

Upon completing this course, students will be able to:

  • Describe, compare and identify various network concepts
  • Fundamentals of TCP/IP
  • Describe and compare fundamental security concepts
  • Describe network applications and the security challenges
  • Understand basic cryptography principles
  • Understand endpoint attacks, including interpreting log data to identify events in Windows and Linux
  • Develop knowledge in security monitoring, including identifying sources and types of data and events
  • 210-250 SECFND

 

 210-255 SECOPS

This exam focuses on the introductory-level skills needed for a SOC Analyst at the associate level. Specifically, understanding basic threat analysis, event correlation, identifying malicious activity, and how to use a playbook for incident response.

Course Objectives

Upon completion of this course, you will have the skills and knowledge to:

  • Define a SOC and the various job roles in a SOC
  • Understand SOC infrastructure tools and systems
  • Learn basic incident analysis for a threat-centric SOC
  • Explore resources available to assist with an investigation
  • Explain basic event correlation and normalization
  • Describe common attack vectors
  • Learn how to identify malicious activity
  • Understand the concept of a playbook
  • Describe and explain an incident respond handbook
  • Define types of SOC metrics
  • Understand SOC workflow Management system and automation

Cisco Live Barcelona 2018 here i GO!

This is going to be my 2nd Cisco Live, and i’m very excited because i’ve learned a lot over the past 8 years and i’m in a different professional stage at the moment that 8 years ago it was just a dream. I’m a strong believer that these events are important to grow your “networking” and keep you updated on new trends/technology.

So how my calendar looks like so far?

  • CCDE Techtorial and Exam
  • Firepower
  • ISE
  • Multi-Cloud
  • SD-X
  • DevOps

If you are are around, lets grab a beer and crack some of the topics above

Black Hat Europe London 2017

Black Hat Europe in London this year is not a mirage, it’s real! Wake Up, time for action! Briefings, Training, Arsenal and beer you choose! Register here

And if you are a student on the cyber security arena, you can get a free scholarship which allows full access to all Briefings on Wednesday, December 6 and Thursday, December 7 at the ExCeL London, United Kingdom. You can apply here.

If you go contact me, i will be around!