the broadcast

networking, computing, virtualization, automation

Security

Cisco IOS – Public-Key User-Authentication

By: ron
On: 2018-10-20
In: client, linux

It’s a two-step process to get rid of insecure username/password authentication:

  • Generate an RSA keypair on your SSH client (by the way, Cisco IOS doesn’t support DSA keys).
  • Configure your network device(s) to assign the public key of this keypair to a user account. This user account could get its privileges from a RADIUS/TACACS+ server, which could provide access logs, too.

Generate RSA key: Windows as SSH client

I prefer PuTTY, usually in the form of „mRemoteNG“, so I use PuTTYgen to generate the RSA keypair.

  • Windows Start => PuTTYgen
  • (x) RSA; 4096 bits are supported, use it
  • [Generate], then move the mouse to improve the random generator
  • change the „comment“, for example replace it by a username
  • add a passphrase

Read More →

Linux: SNMPv3 with Python

By: ron
On: 2017-12-01
In: automation

Works out of the box, if you’re fine with AES128 encryption. AES256 might not be a requirement in all cases, but having the opportunity to choose doesn’t seem absolutely absurd in 2017… Good news: the Net-SNMP AES192/256 patch is on the way.

EasySNMP installation and usage

I’d like to refer to Linux: SNMP with Python for the basics.

IOS config: VIEW/GROUP/USER

Take the opportunity and leverage SNMP views to limit access to a subset of SNMP OIDs.

EasySNMP: „Session“ object with SNMPv3 credentials

Find the official docs here: EasySNMP Session API. The security level could be:

  • no_auth_or_privacy: if you want to use user-based authentication without need for security
  • auth_without_privacy: authentication only might be „good

Read More →

WAN MACsec – Encrypting Ethernet-Frames in the WAN

By: ron
On: 2017-11-15
In: wan

Not talking about ATM, PPP, HDLC or Frame Relay WAN: Ethernet is the new WAN. Sometimes you need an easy-to-use encryption that is simply added to a link between two devices, and you don’t want to build IPsec VPNs, which at the very least add complexity to the design. MACsec solved this problem by bringing absolutely transparent encryption, but since MACsec sessions are sent to a „link-local“ Ethernet destination address (01-80-c2-00-00-03), no device is allowed to forward them. A typical „non-dark-fiber“ WAN link can’t be encrypted using MACsec. http://www.ieee802.org/1/files/public/docs2013/ae-seaman-macsec-hops-0213-v02.pdf discussed the elegant technical solution years ago. Years later these thoughts are moving into production: Cisco invented

Read More →

Chrome – Using with HTTPs-Proxy

By: ron
On: 2017-11-13
In: client

Security is important. But sometimes it’s important, too, to be productive, for example during work hours. Maybe at a trusted customer site with a restrictive security policy that intercepts all HTTPS traffic using a customer-provided certificate which never fits the visited websites. Most of my technical research jobs using Google aren’t secret (otherwise I wouldn’t pass them to Google), so HSTS for at least the Google sites doesn’t make sense in these cases. Google knows that and invented the no-HSTS switch: --ignore-certificate-errors Thank you!

Read More →
