Tuesday, July 28, 2009

Use DIA For Network Diagrams In Lieu Of Visio




A wonderful free tool which provides almost all the features which are being required by network designer.

http://dia-installer.de/download.html




Click Here To Read Rest Of The Post...

Monday, July 27, 2009

IP Sec Over VPDN Over MPLS



In my recent post, I have mentioned customers are looking for IPSec for data transer. But now a days customers are also looking for PE-CE IpSec where CE router works as VPDN. Firstly we thought its not possible because when the PPP session is originated it't very difficult to enetr the trafic in VPDN. But after hard working we made it possible and able to deliver IpSec over CE router VPDN.
Sooner will publish the test results.

Click Here To Read Rest Of The Post...

Wednesday, July 22, 2009

Security Association, Authentication Header & Encapsulating Security Payload


Security Association (SA)This is an instance of security policy and keying material applied to a data flow. Both IKE and IPsec use SAs, although SAs are independent of one another. IPsec SAs are unidirectional and they are unique in each security protocol. A set of SAs are needed for a protected data pipe, one per direction per protocol. For example, if you have a pipe that supports ESP between peers, one ESP SA is required for each direction. SAs are uniquely identified by destination (IPsec endpoint) address, security protocol (AH or ESP), and security parameter index (SPI). IKE negotiates and establishes SAs on behalf of IPsec. A user can also establish IPsec SAs manually. An IKE SA is used by IKE only. Unlike the IPsec SA, it is bi-directional.

Authentication Header (AH)This is a security protocol that provides authentication and optional replay-detection services. AH is embedded in the data to be protected, for example, a full IP datagram. AH can be used either by itself or with Encryption Service Payload (ESP). Refer to the RFC 2402.

Encapsulating Security Payload (ESP)A security protocol that provides data confidentiality and protection with optional authentication and replay-detection services. ESP completely encapsulates user data. ESP can be used either by itself or in conjunction with AH. Refer to RFC 2406: IP Encapsulating Security Payload (ESP).

Click Here To Read Rest Of The Post...

Friday, July 17, 2009

IP Sec - Symmetric Asymmetric Encryption



Cryptography is the most crucial part of the IP Sec. It's nothing but a simple mathematical algorithm which is used to change the original values so that no one other could understand it. The function or algorithm aka as cipher. With the help of cryptography IP Sec converts the human readable format in mathematical form and forwards over the untrusted network. Once the data is received by receiver, IP Sec decrypts the data from mathematical form to human readable form.
Encryption and Decryption is of two types:-
a) Symmetric Encryption
b) Asymmetric Encryption

Symmetric Encryption:- As the name implies, both sender and receiver should have identical keys for encryption and decryption. This is the easiest and simpler operation of encryption. A shared key is given to both sender and receiver and with the help of that sender can encrypt or decrypt the data. The main disadvantage of using shared key is that, if the key is hacked or leaked to someone that could lead to many problems. It's not a CPU hungry function and very easy to implement. Transforms used in IPsec Security Associations, such as Data Encryption Standard (DES), 3DES, and AES, are symmetric encryption algorithms. As such, IPsec relies heavily on symmetric key encryption to deliver confidential exchange of data.

Asymmetric Encryption:- As the name implies, both sender and receiver uses the different keys for sending and receiving data. This is the very secure way of communiaction but require lot of CPU process. In this a private key and public keys are used. Public keys are used to encypt the data while private keys are used to decrypt the data. The main advantage of using asymmetric encryption is that the private keys never exchanged with each other and key is used used to decrypt the data not to encrypt.
Most of the Banks,MNC and Credit Card companies allocates a small machine which generates tokens for online secure transation. It is nothing but a private key :).


Click Here To Read Rest Of The Post...

Thursday, July 16, 2009

IP Sec Fundamentals



Internet Protocol Security (IPsec), as defined in RFC 2401, provides a means by which to ensure the authenticity, integrity, and confidentiality of data at the network layer of the Open System Interconnection (OSI) stack. IPsec is a suite of protocols that define standards for four key elements needed in defining a comprehensively robust Virtual Private Network (VPN) enabler:

Security Protocols

Key Exchange Mechanisms

Algorithms Required for Encryption and Secure Key Exchange

SA Definitions and Maintenance


Click Here To Read Rest Of The Post...

Wednesday, July 15, 2009

IP Sec Is So Demanded



Most of companies requires IP Sec VPN for to access devices securly over the untrusted network. Why IP Sec VPN has received lot of love from the corporates companies, SMB companies and MNC. The main advantage of using IP Sec vpn is that it maintains the Data Confidentiality, Data Integrity and Message Authentication.

Data Confidentiality:- It ensures that the both sender and receiver will able to receive the original messages. Everytime user sends the data in plain text but with the help of some algorithms the format of data is changed which is aka cipher text or encrypted text. The whole mechanism depends on the exchange of keys between sender and receiver.

Data Integrity:- Digital signatures and unique keys protect the integrity of data over untrusted network.

Message Authentication:- Message authentication means that the message will be sent to the bonafied user.

These all features make IP Sec VPN unique from the traditional methods of exchanging information.


Click Here To Read Rest Of The Post...

Tuesday, July 14, 2009

Voip Implementation Guide



VoIP implementation can be a tricky project if you don't know what you're doing. If VoIP is implemented incorrectly, the entire system can be thrown off and the quality of voice, as well as network performance, will suffer. In this VoIP implementation study guide, we've packaged our best VoIP resources with a helpful quiz to test your knowledge and understanding of key concepts, such as echo, VoIP security and how VoIP works. Take the VoIP implementation quiz and browse our many resources on VoIP implementation.Click here for full article.

Click Here To Read Rest Of The Post...

Saturday, July 11, 2009

Multicast Over IPSec



Now a days I am reading IP Sec. I came to know a fact that crypto engine doesn't recoganize the multicast packets. This is the reason the multicast packets never forwarded over Ip Sec tunnels. Still to know about the fact how the protocol communication will possible over IP Sec. But I get a answer of forwarding multicast stram over IP Sec is possible only with the help of GRE. So if you are enabling the multicast services over ipsec then use GRE in the model, otherwise problem will be there.

Click Here To Read Rest Of The Post...

Thursday, July 9, 2009

MTI Tunnel In GSR



In GSR MTI tunnel will not come up until and unless customer initiated multicast traffic.

Click Here To Read Rest Of The Post...

Tuesday, July 7, 2009

Cisco and the IET



As a Cisco-certified IT professional, you already understand the importance of training and technical certifications. Cisco has partnered with the Institution of Engineering and Technology (IET), one of the world’s leading professional societies for the engineering and technology community with more than 150,000 members in 127 countries in Europe, North America and Asia, to foster professional development in the global IT industry.
The IET is pleased to announce the ICTTech, a brand new professional standard for Information and Communication Technology (ICT) practitioners. ICT practitioners support or facilitate the use of ICT equipment and applications in a range of roles that includes network technician, systems testing specialist, software developer, telecoms engineer and security administrator.
The ICTTech qualification is an assessment that considers not only your technical expertise, but also your wider skill set such as business knowledge, commitment to professionalism and personal communication. It will complement your Cisco certifications and provide you with an additional, globally recognized qualification as formal recognition of your skills and abilities. It will assure global businesses that you have demonstrated a high level of professional and technical competence.
The first step to qualifying is to become a member of the IET: as an active Cisco certified professional, you are assured a fast-track entry route to IET membership.
Click here for more


Click Here To Read Rest Of The Post...

Saturday, July 4, 2009

Packet Design - Route Explorer



In Cisco Live, packet design has launched a awesome mplsvpn network monitoring tool route explorer with capacity plan,QOS and NMS. It is very easy to use and provide the reports in such a way which makes the capacity plan easy.
click here for more information

Click Here To Read Rest Of The Post...

Friday, July 3, 2009

40 Bit Encryption For Service Providers



Individuals/Groups/Organisations are permitted to use encryption upto 40 bit key length in the RSA algorithms or its equivalent in other algorithms without having to obtain permission. However, if encryption equipments higher than this limit are to be deployed, individuals/groups/organisations shall do so with the permission of the Telecom Authority and deposit the decryption key, split into two parts, with the Telecom Authority.
Click here for full guidelines of DOT .

Click Here To Read Rest Of The Post...

Thursday, July 2, 2009

GRE Over MPLS On 7600 Not Working



A question posted on netpro about GRE-MPLS tunnel which was not working end to end but PE-CE communication was there. The connectivity was depicted

CE1--PE1--P--PE2(7600)--CE2

GRE MPLS tunnel from CE2 to 7600 and 7600 onwards it becomes a part of MPLS. So traffic will like this; PE1 to PE2 it's a MPLS traffic and from PE2 to Ce2 it is a IP traffic. The analysis shown by one of my friend is that CE2 was replying to the packets sent by PE1. The weird is that MPLS to IP conversion is happening properlly but for reverse traffic IP to MPLS is not happening.
The first solution I posted that SIP 400 was required to bind tunnels but the analysis shown by friend steered me. During googling I found the solution on Cisco Site that there is command which need to be enabled on 7600 because it corrupts the ip packets.
Command is "mls mpls tunnel-recir"


Click Here To Read Rest Of The Post...

Wednesday, July 1, 2009

Cisco Certified Architecture Is More Than CCIE



Cisco Certified Architect is highest level of accreditation achievable within the Cisco Career Certification program. It is the pinnacle for individuals wishing to show their formal validation of both design and IT skills in Cisco technologies and infrastructure.
Prerequisites for Certification is CCDE.Visit here for full details

Click Here To Read Rest Of The Post...