Posted on in networking
In the rapidly evolving landscape of network security, ensuring the protection of Virtual Terminal (VTY) lines on Cisco-based networks remains a critical task. VTY lines provide remote access to routers and switches, typically via telnet by default, making them prime targets for remote brute force password attacks. This article will …
Posted on in Networking
I decided I needed a standardized set of Quality of Service classification access-lists for some work I'm doing. Check out my Cisco QoS Classification ACLs page and let me know what you think.
If you have any ideas on how I can improve the lists, leave a comment here or …
Posted on in Networking
As you might recall, I had previously taken umbrage with Cisco's inability to forward a range of ports to a particular host. Many readers have offered suggestions and links to other documents around the Internet offering various solutions, but none of them really sat quite right with me.
In hindsight …
Posted on in Networking
Oops! I guess I'm way behind the times.
For quite a while, I've been using ip verify unicast reverse-path to prevent packets with spoofed source addresses from crossing my routers. Apparently, as of IOS 12.0 (12.4 is current as of this writing), that command has been replaced with …
Posted on in Networking
If you are at all familiar with <acronym title="Simple Network Management Protocol">SNMP</acronym>, you've probably heard of "community strings". Community strings are similar to passwords. They define and grant access to a device's <acronym title="Management Information Base">MIB</acronym>. If you've used SNMP in conjuction with a …
Posted on in Networking
On most networks, there is a subset of IP addresses assigned to "management" hosts. These hosts might be the workstations of network administrators or monitoring servers. One of the keys to network security is restricting who has access to the device. Generally, we think of access restriction in terms of …
Posted on in Networking
Anyone who has ever done anything remotely "interesting" with a run-of-the-mill broadband router is undoubtedly familiar with the concept of port forwarding. In the case of some applications (<acronym title="Peer-to-Peer">P2P</acronym> comes immediately to mind, but the <acronym title="Real-time Transport Protocol">RTP</acronym> part of <acronym title …
Posted on in Networking
Is your network bandwidth being consumed by Peer-to-Peer (P2P) traffic? (Hint: If you don't know, it's time to fire up NBAR and do a little investigating.) One way to stop P2P traffic is to use an access-list to block traffic on the well-know P2P ports. Unfortunately, many P2P technologies no …
Posted on in Networking
In a Metro Ethernet network, the possibility exists for a lot of NetBIOS broadcasts if your users are connecting directly to the ring rather than through a firewall. My first assumption was that most users would have a firewall, but this is really only guaranteed in the case of business-class …
Posted on in Networking
It used to be that access lists in Cisco IOS were numbered. Not only were they numbered, but the numbers were significant to what kind of access list they were. Now access lists (and just about everything else) can be named rather than numbered. Although this seemingly innocuous change has …
