Tuesday, May 29, 2012

IPSec VPN Configuration


FACT SHEET – VPN IPSEC (Cisco based)


  1. Understanding VPN components: IPSec and encryption (confidentiality and data integrity)
    1. Defining a VPN
    2. Understanding the need for encryption
    3. Types of encryption
  2. VPN benefits
    1. Cheaper connections (runs over existing Internet links instead of leased lines)
    2. Available anywhere
    3. Strong encryption and authentication, when configured correctly
    4. Many-to-many connectivity
  3. The world of IPSec: the four services it provides
    1. Authentication (peer identity)
    2. Data integrity
    3. Confidentiality
    4. Anti-replay
  4. IPSec components
    1. Security protocols: AH, ESP (these carry the protected packets; the negotiation itself is done by IKE, see items 8, 10 and 11)
    2. Encryption: DES, 3DES, AES
    3. Integrity/authentication (HMAC): MD5, SHA-1
    4. Key exchange: Diffie-Hellman groups 1, 2, 5, 7
    5. Caveat: DES, MD5 and DH groups 1 and 2 are weak by current standards; prefer AES, SHA-2 and DH group 14 or higher wherever both peers support them.
  5. IPSec modes of communication
    1. Transport mode (protects the payload only; the original IP header is kept)
    2. Tunnel mode (the whole original packet is encapsulated in a new IP header; used for site-to-site VPNs)
  6. Two types of encryption keys
    1. Symmetric and asymmetric keys
    2. Security over a public network
    3. Mixed approach: asymmetric cryptography (DH, RSA) to establish the keys, symmetric cryptography (AES, 3DES) to encrypt the data
    4. Encryption algorithms used today
       i. DES (64-bit block, 56-bit key), 3DES (168-bit key), AES (128-, 192- or 256-bit key), RSA (512-, 768- or 1024-bit modulus) and DH (768-, 1024- or 1536-bit modulus, i.e. groups 1, 2 and 5).
  7. Key IPSec security protocols
    1. AH: authentication and data integrity (no encryption)
    2. ESP: encryption, authentication and data integrity
  8. IPSec negotiation process
    1. Interesting traffic triggers the VPN
    2. IKE phase 1
    3. IKE phase 2
    4. Data transfer
    5. VPN teardown
  9. Interesting traffic decision (taken per packet, by the crypto ACL)
    1. Encrypt using IPSec (packet matches a permit entry in the crypto ACL)
    2. Send in clear text (packet matches a deny entry, or no entry)
    3. Discard (a clear-text packet arrives that matches the crypto ACL and should therefore have been encrypted)
  10. IKE phase 1
    1. Exchange the negotiation policy (policy list: pre-shared key, DH group, AES, ...)
    2. Exchange DH public values and derive the shared secret
    3. Identity verification (pre-shared key or certificate)
  11. IKE phase 2
    1. IPSec transform set and encryption keys negotiated and exchanged
    2. Lifetime
  12. Designing IKE phase 1 (IKE phase 1 establishes peer authentication and a secure channel for the IKE phase 2 exchange)
    1. Required elements
       i. Remote peer IP or hostname
       ii. Key distribution method
       iii. Authentication method
       iv. Encryption algorithm
       v. Hash algorithm
       vi. Lifetime
IKE phase 1 parameters (the same on both peers; encryption, hash, authentication and DH group must match or phase 1 fails; if the lifetimes differ, the shorter one is used)

Parameter        Side A        Side B
Encryption       AES-128       AES-128
Hashing          SHA-1         SHA-1
Authentication   Pre-shared    Pre-shared
DH group         2             2
Lifetime         86400 s       86400 s

  13. Designing the IKE phase 2 policy (IKE phase 2 establishes the IPSec security associations, i.e. the tunnel that carries the data)
    1. Required elements
       i. Transform set
       ii. Interesting traffic designation (the crypto ACL)
       iii. IPSec crypto map
IKE phase 2 parameters (the same on both peers)

Parameter    Side A          Side B
Encryption   ESP-AES         ESP-AES
Hashing      ESP-SHA-HMAC    ESP-SHA-HMAC
  14. IKE phase 1 configuration
    1. Enable ISAKMP: Router(config)#crypto isakmp enable
    2. Create an ISAKMP policy: Router(config)#crypto isakmp policy <1-10000> (lower number = higher priority; policies are offered in ascending order)
    3. Router(config)#crypto isakmp policy 100
       i. Router(config-isakmp)#encryption aes 128
       ii. Router(config-isakmp)#authentication pre-share
       iii. Router(config-isakmp)#group 2
       iv. Router(config-isakmp)#hash sha
       v. Router(config-isakmp)#lifetime 86400 (the default, shown for completeness)
    4. Configure the ISAKMP identity: Router(config)#crypto isakmp identity <address|hostname> (address is the default and must match what the peer expects)
    5. Configure the pre-shared key: Router(config)#crypto isakmp key <key> address <remote_ip>. The key is stored in the running configuration, so use a long random value and treat the configuration itself as a secret.
  15. IKE phase 2 configuration
    1. Create the transform set: Router(config)#crypto ipsec transform-set <name> <methods>
       i. Router(config)#crypto ipsec transform-set TEST esp-aes 128 esp-sha-hmac
    2. (optional) Configure the IPSec SA lifetime: Router(config)#crypto ipsec security-association lifetime {seconds <value> | kilobytes <value>}
    3. Create mirrored ACLs defining the traffic to be encrypted and the traffic expected to be received encrypted (each side's ACL is the other side's with source and destination swapped; a mismatch shows up as a proxy-identity failure in phase 2)
    4. Set up the IPSec crypto map: Router(config)#crypto map <name> <seq> ipsec-isakmp
       i. Router(config)#crypto map TESTING 100 ipsec-isakmp
          1. Router(config-crypto-map)#match address <acl>
          2. Router(config-crypto-map)#set peer <remote_ip>
          3. Router(config-crypto-map)#set pfs <group1|group2|group5>
          4. Router(config-crypto-map)#set transform-set <set>
    5. Apply the crypto map to the interface facing the peer; until this is done nothing is encrypted: Router(config-if)#crypto map <name>
  16. Verification commands
    1. show crypto isakmp policy
    2. show crypto isakmp sa (phase 1: state QM_IDLE means the IKE SA is up)
    3. show crypto ipsec transform-set
    4. show crypto ipsec sa (phase 2: the #pkts encaps/decaps counters should increase as traffic flows)
    5. show crypto map
    6. debug crypto isakmp
    7. debug crypto ipsec (both debugs are verbose; on a busy router enable them only briefly)
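The steps above, assembled into a complete site-to-site configuration for both peers. This is an added example, not configuration taken from the original fact sheet. Hostnames, the outside addresses 203.0.113.1 and 198.51.100.1, the LANs 10.1.1.0/24 and 10.2.2.0/24 (RFC 5737 and RFC 1918 documentation/private ranges), the interface name and the placeholder pre-shared key are all assumptions; the policy, transform set and map names are the ones used in the fact sheet.

```cisco
! ---- Side A (hostname assumed: RouterA) ----
! Assumed addressing, not from the original page:
!   RouterA outside 203.0.113.1, LAN 10.1.1.0/24
!   RouterB outside 198.51.100.1, LAN 10.2.2.0/24
crypto isakmp enable
!
! IKE phase 1 policy: encryption, hash, authentication and DH group must match the peer.
! Priority 100: lower numbers are offered first when several policies exist.
crypto isakmp policy 100
 encryption aes 128
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp identity address
! The pre-shared key is stored in the running configuration: use a long random value
! and restrict who can read the config. The value below is a placeholder.
crypto isakmp key Replace-With-Long-Random-PSK address 198.51.100.1
!
! IKE phase 2: ESP with AES-128 encryption and SHA-1 HMAC integrity, tunnel mode
crypto ipsec transform-set TEST esp-aes 128 esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 3600
!
! Interesting traffic: LAN A -> LAN B. RouterB's ACL must be the exact mirror
! (source and destination swapped), otherwise phase 2 fails on the proxy identities.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map TESTING 100 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TEST
 set pfs group2
 match address VPN-TRAFFIC
!
! Nothing is encrypted until the crypto map is bound to the outside interface
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map TESTING
!
! ---- Side B (hostname assumed: RouterB) ----
crypto isakmp enable
crypto isakmp policy 100
 encryption aes 128
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp identity address
crypto isakmp key Replace-With-Long-Random-PSK address 203.0.113.1
!
crypto ipsec transform-set TEST esp-aes 128 esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 3600
!
! Mirror of RouterA's crypto ACL
ip access-list extended VPN-TRAFFIC
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
crypto map TESTING 100 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TEST
 set pfs group2
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map TESTING
```

To bring the tunnel up, send interesting traffic from one LAN to the other (for example ping 10.2.2.1 source 10.1.1.1 from RouterA, assuming those addresses exist); show crypto isakmp sa should then report QM_IDLE and the #pkts encaps/decaps counters in show crypto ipsec sa should increase. If either router also performs NAT on the outside interface, exempt the 10.1.1.0/24 to 10.2.2.0/24 traffic from the NAT ACL first, otherwise the packets are translated before the crypto ACL sees them and never match.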

Fact Sheet: Connectivity Issue Fast Resolution – How to make it happen?

Most of the time what we face is a "connectivity issue": a communication failure between a source and a destination.

The obvious first conclusion is "there is a network issue", because in everyday usage "connectivity" is almost synonymous with "network".

The network may of course be one of the major reasons for a connectivity breakdown, but connectivity can break at any layer.

Since connectivity can break at any of the five layers of the TCP/IP model, use the following table to narrow down where it broke and who should look first.

Layer: Application
Connectivity metric: application port
What to check: on the server, check whether the application's listening port is up.
Who will check: First -> Application team; Second -> Server OS team

Layer: Transport
Connectivity metric: firewall rules for the application port
What to check: on the server and on the firewall, check whether the interesting traffic is actually passing or being dropped.
Who will check: First -> Server OS team; Second -> Firewall team

Layer: Network
Connectivity metric: routing for application/server reachability
What to check: on the server and on the intermediate routers and switches, check gateway status and routing.
Who will check: First -> Server OS team; Second -> Network team; Third -> Firewall team

Layer: Data link
Connectivity metric: application/server connectivity to the local switch in the data centre
What to check: VLAN and interface status on the server and the switch, and the SVI status.
Who will check: First -> Server team; Second -> Network team

Layer: Physical
Connectivity metric: cabling and NICs on both server and switch
What to check: server NIC and switch port counters for traffic and errors.
Who will check: First -> Server team; Second -> Network team

There is always a "technical language gap" between teams working on different technologies and domains. If we have ready to hand the information the other team expects from us, we converge on the root cause much faster.

Saturday, March 31, 2012

Configuring Solaris as Syslog Server for Centralised Log Management

To configure syslog on UNIX/Solaris, perform the following steps:

  1. As root (on SunOS, AIX, HP-UX or Solaris), back up /etc/syslog.conf before modifying it.
  2. Edit /etc/syslog.conf to tell the system how to sort the messages arriving from the sending devices, that is, which logging_facility.level goes to which file. The selector and the file name must be separated by a tab, not spaces; classic syslogd does not parse a space-separated line correctly.
  3. Make sure the destination file exists and is writable by syslogd (create it with touch and keep its permissions tight; it will contain everything the devices send).
  4. The comment section at the beginning of syslog.conf usually explains the syntax for that UNIX system. Alternatively, read the syslogd man page with man syslogd.
  5. Do not put file information inside the ifdef section.
  6. As root, restart syslogd to pick up the changes.
  7. To capture Cisco messages, add the line local7.debug<TAB>/var/log/local7.debug to /etc/syslog.conf.
    1. Debug, informational, notice, warning, error, critical, alert and emergency messages arriving on the local7 facility (the Cisco IOS default) will be logged to the local7.debug file: a level in a selector means that severity and everything more severe. The sample configuration shown below uses local7.info /var/log/syslog_info instead, which drops the debug-level messages.
  8. To set up a syslog server on a Linux machine (e.g. Debian with sysklogd) only one change is needed:
    1. in /etc/init.d/sysklogd edit the line and add the -r option (SYSLOGD="-r"), which makes syslogd accept messages from the network, then restart the syslog daemon.
  9. Point 8 does not apply to Solaris. On Solaris 10 remote reception is off by default; enable it with: svccfg -s svc:/system/system-log setprop config/log_from_remote=true
  10. svcadm refresh svc:/system/system-log, then svcadm restart svc:/system/system-log. Once the daemon is listening, restrict UDP port 514 to the sending devices' addresses (host firewall or upstream ACL): classic syslog has no authentication, so otherwise anything on the network can write to your log files.
Here is the config,

root@Solaris#more /etc/syslog.conf
#
# Copyright (c) 2000-2002 by Sun Microsystems, Inc.
# All rights reserved.
#
#ident "@(#)syslog.conf 2.3 02/02/21 SMI"
#
# This "syslog.conf" file was installed by JASS. This
# file should be used to log information both locally as
# well as to a centralized log server (or servers) so that
# proactive log analysis can be done.

*.err;kern.notice;auth.notice /dev/console
*.alert root
*.emerg *

*.debug /var/adm/messages
# *.debug @loghost1
# *.debug @loghost2
# Added for Cisco Syslog Analyzer (begin)
local7.info /var/log/syslog_info
# Added for Cisco Syslog Analyzer (end)
root@Solaris#

root@Solaris#ps -ef | grep syslog
root 21285 1 0 15:57:01 ? 0:01 /usr/sbin/syslogd
rs008327 21491 21480 0 09:01:04 pts/1 0:00 grep syslog
root@Solaris#
root@Solaris#svcs -a | grep system-log
online 15:57:01 svc:/system/system-log:default
root@Solaris#

root@Solaris#more /var/log/syslog_info
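The listing above covers only the receiving side. As an added example (not configuration from the original post), this is the Cisco IOS side that sends its messages to that collector so that they land in the local7.info selector. The collector address 192.0.2.10 (RFC 5737 documentation range) and the Loopback0 source interface are assumptions; nothing on the original page names them.

```cisco
! Added example: IOS device forwarding syslog to the Solaris collector.
! Assumed collector 192.0.2.10 and source interface Loopback0 (not from the page).
service timestamps log datetime msec localtime show-timezone
service sequence-numbers
logging on
! keep a local copy as well, in case the collector is unreachable
logging buffered 64000 informational
! local7 is the IOS default facility; set it explicitly so it matches the
! "local7.info" selector in the collector's /etc/syslog.conf
logging facility local7
! trap level = minimum severity forwarded. "informational" (6) matches local7.info;
! use "debugging" only if the collector's selector is local7.debug
logging trap informational
! fixed source address, so the collector's firewall rule can be a single host
logging source-interface Loopback0
logging host 192.0.2.10
!
! Generate a test message from privileged EXEC and watch it appear in
! /var/log/syslog_info on the collector:
!   Router#send log Test message from Router
! "show logging" confirms the trap level, the logging host and the count
! of messages sent to it.
```

Because the transport is plain UDP 514, the collector cannot tell a spoofed message from a real one; pin the source with logging source-interface as above and allow only those addresses through the collector's host firewall.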