
VPN

Cisco Security Advisory - IKE Resource Exhaustion Attack

If you have ever set up an IPSEC VPN, then you are most likely aware of IKE. IKE is the protocol used to establish the first phase of an IPSEC VPN, a.k.a. the key exchange. Well, Cisco has identified a vulnerability in the IKE implementation on Cisco platforms, thanks to the work of Roy Hills from NTA Monitor Ltd, that could allow a malicious individual to unleash a denial of service on your VPN devices.

What's Vulnerable

Essentially, if your Internet-facing VPN devices or border routers allow anyone on the planet to establish an IKE session with your Cisco VPN devices (Cisco 3000 VPN Concentrator, PIX, ASA, ISR, etc.), then you are vulnerable.

The issue is present in pretty much anything that supports IPSEC VPNs and doesn't explicitly filter traffic to the VPN devices. Cisco is tracking the issue in the following bug IDs:

Configuring Clientless SSL VPN (WebVPN) on Cisco IOS Routers

A Tekcert member recently posted a question in the forums regarding IOS Clientless SSL VPN, a.k.a. WebVPN. This prompted me to test the functionality in a lab environment and post my findings. To make it easier to find, I decided to make it a full-blown blog post. So, here we go...

The first step I took was to get a router with 12.4T code running on a LAN with a desktop connected to it. The following configuration is broken into chunks to help break down the process.

Configure basic settings on the router, including hostname, domain, usernames, etc. (not all of this is required for WebVPN to work, but it is what I had on my router so you're getting it all):

Check Point Next Generation Firewall Passes NSS Labs Test with Flying Colors

NSS Labs is at it again, this time testing Next Generation Firewalls. They have pitted the Check Point Power-1 11065 against several tests and the results look promising. You might be asking yourself "what the heck is a next generation firewall?" At first glance, it looks like a term a vendor invented to sound better than the competition. However, the industry is using the phrase to identify a new breed of firewalls that do more than just filter packets.

Check Point Mobile Access for iPhones, iPads

Are your end users requesting that their iPhones have access to corporate email? Does the guy down the hall keep bugging you to let him VPN in with his Android phone? Did you just get an iPad for your birthday and you are secretly working on a way to use it at work instead of lugging around a laptop? If so, then you aren't alone. Companies around the world are facing a massive trend of end users wanting to bring their own gear to work and access corporate data (i.e. email, internal websites, network shares). What is an IT implementor to do?

ASA5510 to ASA5505 Easy VPN Server / Client Configuration Sample

A recent configuration of mine...thought I would save the template for future use. Useful if the ASA5505 has a dynamic IP where you can't build a typical site-to-site VPN.

Configuring a Cisco Router to Accept VPN Connections

This blog post has been a long time coming, as someone asked me quite some time ago to post the simplest way to accomplish this (for a home environment). I hate to admit this, but my home PC (where I get all my email) was hacked since I allowed Microsoft's Remote Desktop Protocol (RDP) and VNC from anywhere on the Internet (very bad idea). That was the end of that - now VPN connections are required to get to my home PC. Well, the simplest way to configure a VPN on a router is to use the Cisco SDM...but Real Cisco Techs™ use the command line :). So here we go:
