I'm Sebastian Lacoste. This is Nicolas Fischbach. We are working for Colt Telecom, a large ISP in Europe. So we are working in Switzerland. So the topic today will be layer 2 routing protocols and a few hints and topics on router security and forensics. So on the layer 2 side we will talk about most of the layer 2 protocols you are used to seeing out there in the world. It doesn't work. This pen doesn't work. No, it doesn't work. Sorry. So we will present ARP, STP, CDP, DTP and also VLANs and HSRP, VRRP. So the goal will be to show you what can be done with those different protocols and how you could protect against the different attacks we will present. And then Nico will take over and will talk about general configuration information based on Cisco equipment. And we'll have a presentation about how you can do router forensics and integrity checking for your Cisco equipment.

Okay, so the layer 2 protocol attacks are already used. Some are well known. So most of the attacks already used are ARP-based attacks like cache poisoning. You have a set of tools available for those attacks like dsniff and so on. So people are used to those attacks, but you can do much more on your Ethernet-based network, mainly on newer protocols or protocols used for high availability like HSRP and VRRP. There is also a whole bunch of attacks you can manage against VLANs and spanning tree protocols. What we will see in the future: there are more and more people investigating this area, doing some research, and there are more and more tools available, and most of the time the network crew is not used to having a look at this layer of the network. So the main issue is that if someone manages to attack you at those layers, nobody will notice it. And it's more linked, Nico will talk more in detail later on. We are seeing more and more research on rootkits for embedded devices and network equipment. So I don't know if you attended FX's talk earlier.
He presented some nice stuff against HP printers and Cisco devices, and there is much more coming, so be prepared. Okay, I already presented quickly the different protocols I will go through. So let's start with spanning tree. Spanning tree: probably everybody is using it even if you don't know about it. It's used to prevent loops in Ethernet networks. So mainly this protocol will detect loops in the network and block the ports to prevent the loop from happening. So on most of the switching equipment, spanning tree protocol is enabled by default on all ports. And what you have to know is that spanning tree protocol was not designed for security, so you have no way, or not a lot of different ways, to protect against spanning tree attacks. So there is a small state machine presenting the spanning tree processing for Cisco routers. So what has to be known, at least on a Cisco, is that as long as spanning tree is processing, the port will be blocked, so no traffic will be received or sent over this port. It can be used later on for a denial of service attack.

So how does spanning tree usually work? So this is a simple network with like four switches and a redundant link on the two upper switches. So spanning tree will elect a root switch that will be the master for the spanning tree processing, and the spanning tree protocol will run and will block the redundant links to avoid loops on the network. So basically all the traffic will go through the root switch. So this is nice to know. If you are now on a network with several switches and you want to do some traffic interception or sniffing, this could be used: you could use spanning tree to force the traffic to go through you. So here is our attacker connecting to the two switches. So for this kind of attack you need to have access to two different pieces of equipment, two switches. So what you will have to do is pretend to be the root switch. So it's an election process.
So the only thing you have to do is to announce yourself with a higher priority than the existing switches, and then run spanning tree and force the blocking of all the other ports. So doing this, all the traffic between the right and the left side will go through the attacker. So then you can freely sniff the traffic, and mainly nobody on the network will notice it because it's very transparent and most of the time nobody is monitoring this layer of the network. So yeah, this is quite nice. Another kind of spanning tree attack you can do, one which is more well known, is the CAM MAC address table poisoning. So you can have a DDoS, no, a denial of service against the switch doing that. What you could also do is force an infinite spanning tree processing, meaning that during the processing all the ports are blocked, so you will have a complete denial of service on your network. So those attacks are pretty simple to make. Spanning tree protocol is not really complicated. You have several implementations, like in the Linux kernel for example. You have patches for it and you have a set of tools for manipulating spanning tree. So it's really easy to make and really hard to track down, because once spanning tree is running you don't have any more access to any equipment. So what you will need is serial access to all your switches, analyze the spanning tree topology and see and try to understand what's going on.

So there are a few security measures you can use as prevention against those kinds of attacks. The main one would be to monitor which equipment is the root bridge. On a stable network, if you don't add or modify the configuration of your equipment, the root bridge shouldn't change. So it should always be the same equipment. And if you have a large network, usually you define yourself which one is the root bridge by setting up the priority for this one. Another thing you can do is to filter the MAC addresses that can be available on each port. So depending on your equipment you have a different command set.
Here we are presenting the commands for Cisco switches. So you can just define which MAC addresses are available on a port to avoid someone plugging in on your network. Now to filter a spanning tree attack, what you should do on each port which is not connected to another switch running spanning tree is to disable spanning tree BPDUs. So here you have as an example the command line for a multilayer switch. So it's pretty simple, and you can deactivate it for the whole switch or per interface. Just a small note, there is a nice feature on Cisco switches. You can filter the amount of broadcast traffic allowed on your network. So it's just a percentage of your global traffic, and it's also very convenient to block broadcasts and so on.

So now we move to another protocol which is used by Cisco. So it's a proprietary protocol. So it's based on HDLC, meaning it doesn't use IP. It's multicast traffic. So basically CDP is used to automatically discover your network. Every piece of equipment will broadcast CDP information which contains device name, network configuration, capabilities of the equipment and so on. Okay, so this is an example of a captured CDP packet. So this was at a previous conference, CanSecWest in Vancouver. It was on the hotel network. This was the main router of the network. So mainly what you were able to see with CDP was the IP address of the management network, which is the first red circle, which is quite convenient if you want to attack it. And you can also easily identify the model of equipment. So if you have an attack for a specific model of equipment, this is a way to identify the equipment very easily. You have to know that spanning tree is subject to a denial of service attack. It was discovered by FX last year. So you are able to just send a lot of CDP packets to the router or to the equipment and it will just crash when the CDP memory is full. So the security measure: usually you don't need CDP.
You have to have other monitoring tools that don't use CDP. So if you don't use it, just deactivate it. It's just a simple sanity measure. So you can deactivate CDP for the whole equipment or on each interface of your equipment. So you have the example of configuration.

Now we move a little bit to VLANs, so layer two partitioning. So as you probably all know, VLANs were not designed for doing any security. It was just for network isolation, just for easier management or administration. Unfortunately, a lot of people tend to use VLANs to partition networks. So as the protocol was not designed for security, you have a few flaws, or at least a few points you should pay attention to. One main protocol which is used by Cisco is VMPS, which is the VLAN Management Policy Server. It's a very nice protocol. On the VMPS server, you just define the MAC address of your workstation and you define on this server which VLAN this MAC address will belong to. So when you want to use your workstation, you just plug into any switch and you will automatically belong to the right VLAN. So the problem is it's easy to spoof the MAC address. So if anybody knows your MAC address, they will have access to your VLAN. So just don't use this protocol. That's it. Another problem with VLANs would be being able to jump across VLANs. So in the past, there were several issues with the switches where you were able to break the switch by jumping from one VLAN to another. In the latest releases on most of the equipment, it's impossible or much harder to do. However, there are some protocols used for VLAN management, like DTP, which is the Dynamic Trunking Protocol. So DTP is used to send several VLANs across switches. So typically on one port, you will have all the VLANs going through this port. One main problem is that on a lot of equipment, all the ports are able to do DTP by default. So you just have to plug into the equipment and say, okay, hello, I want to do some trunking.
So the switch will say, okay, fine, let's do trunking. And then you will have access to all the VLANs on the switch. So you will just have the choice: you will be able to choose on which VLAN you want to send your packets, and well, it's done. Yeah, mainly. So the main protection against DTP is just to deactivate it on each port which doesn't need to run trunking. So by default, only the ports between switches which are in trunking mode should be allowed to use DTP.

Another nice protocol is VTP, which is the VLAN Trunking Protocol. It's a protocol used to centrally manage all the VLANs. So with this protocol, sorry, instead of going to each piece of equipment and defining which VLANs are available on your network, you will only need to go to one piece of equipment, define the VLANs, and it will be spread across your network. So it uses CDP-like frames, and it communicates only over trunk ports. So using this protocol, you can easily add or remove VLANs or create spanning tree loops in your network. So definitely, you should deactivate it or at least set a password on it. So you have an example of the commands for Cisco switches. Okay, going back to DTP. So as I said, with DTP, you can inject frames into any VLAN you want or jump between VLANs. So deactivate it if you don't need it.

Okay, another protocol which is often running if you have high availability equipment is HSRP and VRRP. So HSRP is used mainly by Cisco, and VRRP is a more standard protocol used by Nokia, Checkpoint FireWall-1 and so on. The goal of those protocols is to provide next hop redundancy. This means an IP address will be shared between two pieces of equipment. One will be master, one standby, and if the master fails, the standby equipment will take over the IP address. So this protocol is usually using multicast for advertising between both pieces of equipment with a virtual MAC address.
What you have to know is that with Cisco routers, if you have more than two routers in a standby group, you don't need to kill any router to take over the IP address. You just need to advertise yourself with a higher priority. And then you will have the IP address and you will get all the traffic. So this protocol supports MD5 authentication, so, yeah, activate it. So here you have the commands for the authentication part, and you can also define yourself the MAC address you want to use for this protocol. If you really want to add another layer of security, you could use IPsec for the communication between the two pieces of equipment. The main problem is that HSRP is using multicast frames, so it's quite tricky to set up on your equipment, but it's possible depending on your IOS release. And definitely it's only limited to two routers because you cannot have multipoint IPsec tunnels. So VRRP has mainly the same issue as IPsec.

Now I will go to another issue: once something is going wrong on your network, what can you do to troubleshoot it? Yeah, one way of doing it is to do it locally on the equipment. So depending on the kind of equipment and the model and the volume of traffic you have on it, it may be more or less easy. Most of the time if you have a heavily loaded piece of equipment or switch, as soon as you enable some debugging or traffic dump on the equipment you will just crash it. However it's possible, so on this core switch you just have to define an ACL for the traffic you want to dump. And definitely please activate logging buffered, so the output is not directly printed on the console but into the buffer that you can access easily. So this kind of monitoring or traffic dumping will have a high CPU impact on your router and, as I said, most of the time it will crash your equipment. Another way of doing it, if you are working on the router, is to send the traffic you want over a GRE tunnel to another device.
So one easy way to do that is using a GRE tunnel, which is IP over IP encapsulation, and you can use a tool like tunnelx on the other side to receive the traffic and analyze it. When you are on switches it's a little bit more convenient than on a router because you have what is called a SPAN port. So with those ports you can mirror all the traffic of your switch to these ports. You can plug your PC or any other equipment in to analyze the traffic. So depending on what model of switch you are working on, you can monitor the whole switch traffic or define the VLANs you want to monitor, etc. A nice feature you also have on the 6000 series from Cisco is that you can send a SPAN port across several switches. Let's say you have four or five 6509s on your network: you just link them and the SPAN port of one switch will be sent across all the switches to the last one, and you just need to plug in at one place to monitor your traffic. So this feature is called RSPAN, and the nice thing is that on switches you have a performance impact which is close to zero with port monitoring. Okay, this was for the layer 2 part, so Nico will continue with router configuration and router forensics. Thank you.

So we're going to go ahead with some configuration basics, forensics and so on. Don't try to write everything down, we're going to put the presentation online and give you the address at the end on the last slide so you can get a copy of it. So basically, like any operating system, routers, switches and so on also have a lot of services turned on by default that nobody needs. So the first four tables you see are all the basic services you should turn off, because they are really not useful in most of the environments you guys run the routers and switches in. What is also important is to use syslog to log all the traffic to a remote workstation running syslogd, syslog-ng or some other kind of syslog server.
Don't forget that everything that is running on the router and logged locally on the router is lost when you reboot it. It is only stored in RAM, not in flash or NVRAM. And as usual, run an NTP client on every device to get some time synchronization, and this will also help a lot to debug and to have a look at the forensics side. So the slide before was basically all the global configuration commands you have to use. Those ones are the ones you have to use at the interface level. So basically you have to deactivate all the things like source routing, directed broadcasts and so on and so on. If you guys are running multicast in your network, just make sure that some routers cannot just jump in and become a rendezvous point at the multicast level so that people can try to inject new frames. And one thing that is really nice on most of the devices is to use loopbacks. Usually your routers have a lot of interfaces, each interface has an IP address, and depending on the interface that is used to send information out, like log messages for example, the IP address you're going to have in the logs is going to be different. So if you use a loopback and tell the box to use the loopback to do that, you will always find the same IP address or name in your logs. That also helps a lot when you have to debug.

So SNMP, well, everybody dislikes SNMP but has to use it because it's the protocol that is running and that most people use. So v1 is the old one, that everybody knows, that uses SNMP communities, so to say, as a password to get access to the information. V2 had some security, something that used to be called "party" by Cisco, and get-bulk to get more information instead of just going over a get and then get-next, get-next and so on. Most of the new IOS releases support SNMP v3. So that one has integrity checking, encryption, and can even have users defined locally on each router.
So you don't have to use the same community everywhere on your network. So most of the known attacks, I mean you guys know about them, so I'm just going to go over them quickly. The read communities: we still see a lot of guys using public, private, the name of the device, the name of the guy and this kind of thing, so just, yeah. Information leaks: also don't forget that when you guys set up an SNMP management tool, network management tool, network monitoring tool, you have to restrict the IP space you want this SNMP community to send out to. Otherwise you're going to send the information out to the whole Internet. We have seen that happen sometimes, so don't give any of it out. So what you can do, you have two options, as usual when you have something running on the Cisco devices: use IP level filtering, that means you're going to filter out the packets at the interface, or you can do access control at the application level. What you can also do, which is a kind of nice option, is to restrict the view you're going to give the SNMP community. That means if you have some tools that just go ahead and dump the whole SNMP MIB from your router, you can just exclude some of them so that you don't send every time like ten minutes of SNMP information back. So v3 is starting to be supported by most of the devices. For example, how to define a user, a group and just permit access. That one for example is using MD5 to do the authentication and DES-56 for the encryption; this is just a basic example. You guys have probably heard that SNMP had a lot of weaknesses recently. Cisco was affected a lot over the last two years. One of them was the hidden ILMI community; that one is usually used in ATM networks, but was activated by default even if you don't have any ATM interfaces on your equipment. So all these SNMP issues, especially the one that affected most of the vendors because it's in the core SNMP, that means ASN.1, are always a problem.
You have to run SNMP, but you have to find the right middle between running it open and not open, and so tune it and just don't activate it by default.

You also have in recent releases of IOS SSH support. Basically it's the same SSH as the one from SSH.com from the 1.2.26/27 series. So this implementation by Cisco has the same bugs as the old SSH1 releases. So it's CRC32, the key recovery, traffic analysis and so on. With that thing you can of course use 3DES, and you cannot use keys to authenticate on the switch. And also the downside is that you have to run an image that supports SSH, and usually they are more expensive. But you can run SSH on any Cisco router or any Cisco switch. So the configuration is quite basic: you just have to define both names, generate a key for the box and activate it. Also since most of the 12 releases you can use SCP to scp in and out of the router instead of TFTP or Telnet, which is clear text.

IPsec configuration, not much to say about it. If you guys want to use IPsec instead of SSH to manage the router, you can just define the IPsec configuration. You can try to deny all traffic except IPsec, but it's not working, it's quite complex. So basically the five steps are to define what you are going to accept, define the security association, define the IKE policy, go ahead, define the transform sets. It's up to you to use tunnel or transport mode, but if you guys are running some Win2K boxes and want to use the IPsec version that's coming with Win2K to manage your router, you'd better go with transport mode. You put that all together in a nice crypto map and you apply it on the interface you want to use as the management interface, and here you go. SSH is much easier to set up than IPsec, but it's working too if you prefer IPsec.

Going back to the router itself, you can define two types of things. You can have local users on the router or you can have remote users, like with a central authentication mechanism that we are going to talk about.
It's using Cisco encryption type 7, which is very simple. It's just not encrypted, it's just encoded. The enable password you are going to use to go from the normal user mode to the super user mode is using MD5, so it's not so easy to reverse or to find out. So basically what you have to define is the local users, give a password to the box and also define what kind of access you are going to give, if you want to stay with Telnet or SSH. So this is an example, and the table below where you define the virtual terminals and you say you are going to accept SSH as incoming and nobody can use the device itself to connect to another device; that is the transport output none. That means in that example that the router cannot be used as a stepping stone to another device.

So if you don't want to go for local users on the device, you can go for some AAA mechanism. The two that are supported by Cisco are RADIUS and TACACS+. Basically what is recommended is TACACS+, because RADIUS is not that well supported and there are some limitations that we are going to quickly discuss. So you have an example where you have to define the router to use the TACACS+ servers with the TACACS+ key, and always, as you can see, the loopback to send information out. What you can do, which is nice with TACACS+, is go for command accounting. That means that when some of your users, network administrators and so on connect to the device, it's going to log all the accounting information. That means if you type show ip bgp, blah blah blah and so on, it's going to log that in the central server so you can go after that and see what has been done before a crash, meltdown, all these kinds of things. All these users can be given authorizations and privilege levels.
By default you have, in fact, 16 levels, but when you connect as a user it's level one; this is kind of view-only privilege. And when you type enable and go to enable mode, which is called privileged exec, you get to level 15, where you can just do anything; it's like being root, so to say, on the device. The bad thing is that you cannot do that on switches. On switches you just have the two levels, which are 1 and 15. On routers you can go ahead and say, okay, I want to use another level in between 1 and 15, for example level 3, and just give it some commands so that the user can use it; it's like a kind of sudo kind of thing on the Cisco device. So from that example in the table you can also see that some basic commands that are usually available in level one, like connect, telnet, SSH, make it possible for the guy, if you don't remove transport output, to use the router as a stepping stone; we remove these commands when he connects to the device. So as I said before, command authorization, that means asking the central AAA server for each command typed whether the user has the right, is only working with TACACS+. That means you cannot use a basic RADIUS server and say okay, if that user has this right he can use that command; this is not working.
So what you can also use, and some guys like we used to do it too in the past, is to go for Kerberos. Kerberos has been around like 20 years already, and since Microsoft is using it in Win2K in the core system for a lot of things, some guys just went there, tried it and saw what they can do. Most of the Cisco routers support Kerberos: Kerberized telnet and password authentication using Kerberos exchanges. What is cool is that in Kerberos you have this kind of name for an instance; you can basically map an instance to a group, like a group of users, and this group of users can be given a kind of privilege level. So you can say you have the network admins, the network operators, the super admins kind of thing; they can use the Kerberos instance to do that. The bad side of the thing is that Kerberos is not supported on the lower-end and high-end devices, only on the middle range, and on the Cisco switches it only works with telnet, not with SSH up to now. So two basic examples of how to configure Kerberos to do this instance mapping and use a Kerberos server with Kerberos as well.

So ACLs. ACLs are basically access control lists that can be used to filter traffic that's going into the router, coming out of the router, going over the router, that means traffic that is being forwarded. On that side of ACLs, on the Cisco device, if you don't use the firewall feature set, it's not stateful and it doesn't do any reassembly. So if you guys are using Nmap you can port scan by using the right FTP data port and scan the whole internal network when the guys are allowing incoming FTP or outgoing FTP. log-input is a keyword that you can use that will also log the source interface and the source MAC address of what is dropped, and don't forget that since it doesn't do any reassembly, most of the time only the first fragment is filtered. So next to that I have the different ACL types: the standard one, that nobody uses basically, a source IP address only kind of ACL; the extended one supports IP address source, destination, protocol type,
ports and also an established keyword, but since it doesn't do anything stateful, if you use the keyword established it only checks if the ACK or RST is set; this is the only thing that is checked. It doesn't have any table or database it's going to look up to see if the thing is allowed. So the other kind of ACLs are the turbo ACLs that use a hash table. This is not bad, because usually what happens is that for every entry in the ACL list the router is going to process each packet, and so if you have a lot of traffic on your network or huge ACLs the router is going to die quite quickly. In the 7200 series and up you can use turbo ACLs: basically it will take all the ACEs, put them together in a hash table, and you will have a constant lookup rate of 5, so to say, cycles per packet even if you use 1000 entries. The other ones I'm not that used to, I'm not going to go over them, it's just more or less for information. So this is basically an example of how to use ACLs on a router: you define the access list and by default I deny everything and only accept some kinds of things. We have seen that on some IOS releases, if you don't put the port range, that means range 1 65535, it's going to log the packet but not the source port and not the destination port. This is quite strange, but we don't know why at the moment, so it's not recommended. And you're going to hit a lot of problems if you start to play with ACLs on a multilayer switch, or your MSFC is going to be hit by all the packets, but it can be done.

So router integrity checking, we are heading towards the end. So basically some two years back we were trying to find a way to do some integrity checking of our configuration, and recently, like one year ago, Tripwire, the guys that are doing the Tripwire file integrity checking system, came up with Tripwire for IOS, and basically you can do that for free with some free tools. So what we are doing is we are storing the configuration in a central CVS or any kind of central system to store files
and keeping the revisions. So what you have to do is to use something like CVS and then find a way to get the configuration from the device. You can use an encrypted telnet, you can use SSH. What you can do also, but we do not recommend it, is use SNMP. The only thing is, if you want to use SNMP to tell the box to upload the configuration to the central system, you will have to use a read-write community, which is basically bad. Once you have done that, you need to check the configuration. You can do that automatically, like every night using a cron job, or by watching the log files: every time somebody changes the configuration of the router you will see in your log files "this device has been configured by" the name of the guy, or when you see a router reboot, all these kinds of things. So there are a lot of events that you can use to do the checking, and then once that is done, just check if the configuration you receive is the one that is stored in your CVS for example. There are a lot of limitations: you have to trust the running system on the box, like IOS or CatOS; we are just saying that there is no Cisco rootkit yet, but that is going to happen, I am going to talk a little bit about it later on. And you have to trust the network and these kinds of things. And never forget that you have two files running on the system: one is the startup configuration file and one is the running configuration file; usually they should be the same.

So we are going to be checking. Like two years ago, when we first started, we were discussing if it is possible to do a kind of rootkit for IOS. We were just saying, is it possible, and we started to list the different points that would say yes it is, no it is not. And if you guys attended Black Hat yesterday, well, FX came up with some nice stuff, and now we tend to say yes, it is really possible to do it. Basically IOS is close to a Unix running on MIPS for the newest models, so it is just a fork from a kind of BSD Unix. It has been affected by most of the bugs that
affected also Unix systems, like the zlib bug, SNMP bugs and so on. What you can do is you can try to debug the device using remote gdb access or locally by running gdb on the device itself. While we were working on that we were just looking at the book by Cisco which is called Inside Cisco IOS, which says that at the kernel level everything is running at the same privilege. That means your BGP process, your shell, everything is running at the same level, so if you can find any hole in any process running on the device you can own the whole device. And there are a lot of things to check if everything is doing fine; basically they just put the emphasis on making sure that the router is going to forward packets as fast as possible, not that the device is going to survive the failure of a process, and usually what happens when a process dies in the box is that the router does a forced reload anyway.

So open questions about that. This may have changed, I haven't updated it since yesterday, so tell me if you see some wrong things. So what do we have? You don't have any local tools to play with the device itself; it's not like Unix or Microsoft where if you are missing the tool you just upload the tool to the device and you start to play with it. It's not so easy, since it's running a monolithic kernel that you cannot change easily. On the switches you have an enable engineer mode that you can go to; you have some public documents on that on the Internet where you can really play with the switch itself, but since you are lacking most of the documents describing how it's working, it's not easy to understand what's going on. What we have been thinking of is if there's any way to upload a modified IOS image to the box, first of all to change it, and then secondly is it really possible to go there and say okay, can we do that stateful, I mean upload a new IOS, run it and kill the old one without having the router reboot. It may be possible if you use dual route processors like on the broadband
concentrators or if you just go there and try to upload a great line on the large gearser house for example there are a lot of images out there you would have to patch basically Cisco has 2,500 images out there in the field and 37 feature sets but if you would focus on an IOSP you could just go there and try to modify one of the service provider release train one and one and a half years back Cisco was working on IOS next generation that would have support for loadable modules that would make not to say our life but would make the life of the attacker much more easy but we haven't seen anything lately on that so we don't even know if Cisco is still working on it okay so last slide talking a little bit about forensics basically like I said a router is a hardware box running an operating system so when you have to do some forensics I'm not going to talk about chain of custody evidence document these kind of things just give you some hints about where you should have a look at so basically at the top left side it's all the things you're going to export you should always make sure that you export the things to your syslog server so you will have all the packets that are dropped by ACLs dug by unicast RPF filtering the system informations when interface is going to flap if your BGP session is going to flap configuration change and so on you would also if you use SNMP but that's going to depend if you really need to upload so to say upload or activate traps you will get SNMP traps if you guys don't use local users on the system but go for triple A solution you will have all the triple A logs showing when guys logged in what they did and so on and also what's going to happen if you activate it on the router when the router crashes you can have it upload automatically through FTP call them of the image and in the memory to see what was going wrong what you're also going to have is all the NetFlow accounting data NetFlow is basically a protocol that's going to count all the 
traffic that's going on the router and log it centrally to help you analyze your traffic flow it's usually used to do traffic engineering and what we would recommend too is to make sure that you get somewhere on some other routers copies of the routing protocol information change quite quickly and what you could do is run it in K2 device that's just going to be a BGPP an OSPF neighbor for example and from there running for example Zebra and a Linux box or KDE stored all the information at least for some minutes to see what happened just before the network was done or somebody got into a router what you need on the left hand side till is well if somebody is going to put the router the HCP or BOOTP you could just go there and make the device reboot and get the configuration and the iOS image from a remote location that means that even even if you have the iOS locally on the flash card you could just put the device and have it download the configuration from a remote side so just make sure that this is not feasible and watch it somewhere so clock synchronization is always quite important as usual on the left hand side you shouldn't forget that you have basically two things running on most of the devices that is RAM which is volatile and flash that is basically non-volatile so what you have on the flash card usually is the iOS release that can be the one that runs in memory and also the two configuration files what is stored in DRAM or DRAM depending on the hardware is the running iOS all the processes all the debugging logs the history logs and so on so don't forget that basically what you see is that when somebody does phone 6 it just unlocks the cable boots the device and see what's going on afterwards if you do that with a router you lose more or less everything so don't forget that so what is important as said is first of all with a router if you cannot get into anymore because the guy changed the password is check your remote logs the strange activities were 
going on just before there is also a nice tool that allows you to read the flash cards formatted in Cisco formats which is available at that address you can use it as a PCMC laptop so always make sure that you sync before you reboot if you have done everything that check all the local buffers, the local logs local information I have some comments on the bottom what should have a look at if you try to connect our tennet SSH to the box you are going to make sure that the guy is going to see it so the best thing if you can have a local physical access of the device is go over the console port that's the basic thing also what you can do, especially if the guy managed to block the router so that you cannot get into it anymore by changing username, password and so on if you have switches running around the router if you don't have one base point to point connection is go there and put the switch in mirror mode and span mode and mirror all the traffic that's going into and leaving the router to see if you can find some evidence on who is connected to it and who is playing with it so basically I have some local commands that you can type if you can get to the box you have to have a look at the api cache cdp neighbor information sysco express rewarding information the netflow accounting data the logs, the active TCP sessions, interface status and you can also have most of that by doing a show tech support but don't forget that if you do that you won't have all the communities and passwords in the configuration you are going to save so that basically was it we are going to put the presentation online in the next few days at the address you will be able to grab the one from black cat that has all the information about netflow, DDoS detection OSPF BGP attacks at the same address so just write that one down and you should get the things from there if you see that it's not online in the next few days just drop an email and we are really going to make sure that we put it online 
okay I have to say give me a second so do you guys have questions about that yeah if you have questions just come over to us because to know is there is a thing behind us I recently was trying to use secure copy functionality I worked in the Cisco manuals and it tells you how to get images from the router to the server but how do you do the opposite with secure copy so when I upgrade the router and I don't want to use TFTP is there a criminal way to make SCP upgrade a router okay SCP basically what we know and what you have seen is that you have both client and server support on the device itself so we have tried it and for us it's working so maybe you just hit the bug in some iOS release yeah because I'm unfortunately it's a fairly new device it's an access router and they basically don't support they support the client side but not the server side and I wondered if you know of any work arounds or am I stuck how much of this information applies to the Cisco PIX firewalls at the same time you can speak just a little bit how much of this information you've given the supplies to the Cisco PIX firewalls for instance you said that the established only checks the act bit okay the question is all this stateful information about stateful not being stateful so the Cisco router by itself if you use a normal feature set the firewall feature set won't do any stateful filtering but the PIX firewalls which are really firewalls are doing real stateful filtering so if you use the established keyword there it's gonna work thank you in fact what you have to know is that the Cisco is using different source tree for all the equipment like the operating system for the switches the routers and the firewall are totally different so they may have the same feature but the way they are doing it is the same command and don't forget that if you see the same command written the same way it doesn't mean that it's gonna behave in the same way if it's a router switch a PIX firewall, a content 
switch a local director this kind of thing so you better always check the release not in the comments because this is something you just meant to hit something that's wrong some other questions okay thank you guys okay
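The configuration-integrity workflow the talk describes (pull the config, diff it against the copy kept in CVS, trigger the check from syslog events such as a configuration change or a reboot, remember that the startup and running configurations should match, and treat a read-write SNMP community as bad) as an added example. This is not code from the talk or from Cisco; the router configurations and syslog lines are constructed samples with RFC 5737 addresses and placeholder community strings, the `%SYS-5-CONFIG_I` / `%SYS-5-RELOAD` / `%SYS-5-RESTART` message names are the standard IOS ones, the list of volatile header lines is an assumption that should be extended per platform, and flagging telnet on vty lines is my own additional check rather than something the talk states. Fetching the config over SSH is left out; the functions take the configuration text as a string.

```python
"""Added example (not the talk's code): event-driven config integrity check
in the spirit of the talk. Sample configs and syslog lines are constructed."""
import difflib
import hashlib
import re
from typing import Dict, List, Optional

# Lines that legitimately change between pulls; dropping them avoids false
# alarms. Assumption: extend per platform/IOS release.
VOLATILE = re.compile(
    r"^(?:! Last configuration change|! NVRAM config last updated|"
    r"! No configuration change since|ntp clock-period|"
    r"Building configuration|Current configuration)"
)
# Syslog messages the talk singles out as triggers: a config change, a reboot.
CONFIG_EVENT = re.compile(
    r"%SYS-5-CONFIG_I: Configured from (?P<src>\S+) by (?P<user>\S+)")
RELOAD_EVENT = re.compile(r"%SYS-5-(?:RELOAD|RESTART)")
# Read-write communities are called out by the talk; the telnet check is my
# own addition (assumption).
RISKY = (
    re.compile(r"^snmp-server community \S+ RW\b"),
    re.compile(r"^\s*transport input .*\btelnet\b"),
)


def normalize(config: str) -> List[str]:
    """Keep only operator-meaningful lines: strip volatile headers, trailing
    whitespace and blank lines; keep indentation, it carries structure."""
    lines = []
    for line in config.splitlines():
        line = line.rstrip()
        if line and not VOLATILE.match(line):
            lines.append(line)
    return lines


def fingerprint(config: str) -> str:
    """SHA-256 over the normalized config; store it beside the CVS copy."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()


def diff_configs(baseline: str, current: str) -> List[str]:
    """Unified diff between the CVS copy and the pulled config (empty = no drift)."""
    return list(difflib.unified_diff(normalize(baseline), normalize(current),
                                     fromfile="cvs/baseline", tofile="running",
                                     lineterm=""))


def risky_lines(config: str) -> List[str]:
    """Lines in the config that match one of the RISKY patterns."""
    return [ln for ln in normalize(config) if any(p.match(ln) for p in RISKY)]


def needs_check(syslog_line: str) -> Optional[str]:
    """Reason to pull the config now, or None if the line is not a trigger."""
    m = CONFIG_EVENT.search(syslog_line)
    if m:
        return "config change from {} by {}".format(m["src"], m["user"])
    if RELOAD_EVENT.search(syslog_line):
        return "router reload/restart"
    return None


def audit(baseline: str, running: str, startup: str) -> Dict[str, object]:
    """The three checks from the talk: drift against CVS, running versus
    startup config, and dangerous settings in what is actually running."""
    return {
        "drift": diff_configs(baseline, running),
        "unsaved_changes": normalize(running) != normalize(startup),
        "risky": risky_lines(running),
    }


# Constructed sample data (RFC 5737 addresses, placeholder community strings).
BASELINE_CONFIG = """\
! Last configuration change at 10:00:00 UTC Mon Jan 1 2007 by netops
version 12.4
hostname edge-rtr-1
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip verify unicast reverse-path
!
snmp-server community PLACEHOLDER-RO RO
!
line vty 0 4
 transport input ssh
!
end
"""
# Running config pulled after the syslog event: timestamp moved (harmless),
# a read-write community and telnet appeared (not harmless).
RUNNING_CONFIG = (
    BASELINE_CONFIG.replace("10:00:00", "10:05:11")
    .replace("snmp-server community PLACEHOLDER-RO RO",
             "snmp-server community PLACEHOLDER-RO RO\n"
             "snmp-server community PLACEHOLDER-RW RW")
    .replace(" transport input ssh", " transport input telnet ssh")
)
SAMPLE_SYSLOG = [
    "Jan  1 10:05:12 edge-rtr-1 45: %SYS-5-CONFIG_I: Configured from console "
    "by admin on vty0 (192.0.2.50)",
    "Jan  1 10:06:30 edge-rtr-1 46: %LINEPROTO-5-UPDOWN: Line protocol on "
    "Interface GigabitEthernet0/1, changed state to down",
    "Jan  1 10:07:00 edge-rtr-1 47: %SYS-5-RELOAD: Reload requested by admin "
    "on vty0 (192.0.2.50). Reload Reason: Reload Command.",
]

if __name__ == "__main__":
    for line in SAMPLE_SYSLOG:
        reason = needs_check(line)
        if reason:  # startup config was never saved, so reuse the baseline
            print("trigger:", reason)
            for k, v in audit(BASELINE_CONFIG, RUNNING_CONFIG,
                              BASELINE_CONFIG).items():
                print("  {}: {}".format(k, v))
```

In practice the cron job would run `audit()` on every device each night, and the syslog watcher would call `needs_check()` on each incoming line and run the same audit immediately for the device that emitted a trigger; the diff and the risky-line list are what an operator should see in the alert, and the fingerprint is what gets stored next to the CVS revision.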