Made Checkpoint as a Personal Firewall ;)  

Thursday, June 25, 2009

Hello everybody .. today I have done something which I feel very proud of. Not a feat really, and already done by many of the people who are doing this .. but whenever I see any new technology which serves me I love it .. I simply love it and will share it ..

So what is the topic about?

Nothing serious really .... I have a spare PC (a Windows one) and what I did was to use the Check Point NG R55 platform on it ..

Requirements:

1. spare PC with at least 512 MB RAM
2. the PC has to have two network cards (one for your internal network and the other for the external one)

Installation is fairly simple .. you can download the trial package from Check Point for a 15-day evaluation and install it on the old PC

Configure your networks and bingo, your network is now being protected by the Check Point NG firewall system.

One option to consider is to buy a license from Check Point .. if you need to format your PC in any form ;) and install your firewall

Any doubts, let me know

best regards
Rakesh

Hello here is pix fw emulation video  

Tuesday, June 16, 2009

Even though done by many greats, I still wanted to do this video just to help out people and simplify their life with PIX / ASA activation ..

I was having problems searching for activation keys .. so here I am uploading the activation key and also the serial number obtained from a Google search ..

Note: this will only work with the pix723.bin image; I tried it on others with no luck ....

Those who already know PIX emulation may skip this video ...

This video's base idea has been taken from blindhog.net

Here's the link to download ...

I found another interesting email which I got recently from http://www.netbraintech.com/

Check out their demo video, it impressed me somehow .. hope the CCIE lab proctors allow it for the troubleshooting section ;) lol

CISCO PIX UR LICENSE VIDEO (IN GNS3 SIMULATOR)

Here's the video link

best regards
Rakesh

cisco pix and asa  

Monday, June 8, 2009

Hello, I am amazed with the speed and performance of the Cisco PIX firewall in GNS3. Moving on, it's been fun learning whole new technologies ..

I have presently shifted my path towards the security and voice tracks, not that I will be attempting them, but to gain good knowledge over all of the security and QoS concepts before I take my R and S lab exam, just to feel an extra bit of familiarity .. no hurry for me .. I still have 1.5 years to deal with the R and S beast and am silently watching how the Cisco R and S team has been dealing with changes to the exam.

Next I would be dealing with the CCIP track to gain high familiarity levels with the BGP track .. as said, I am enjoying my learning and what surprises me is that I am not learning for my certification on the CCSP and CCVP tracks, so it gives me an extra bit of edge over concepts, to take them as I wish and grasp as much as I need ...


Installed PIX over GNS3 and it was the real fun part. As mentioned I had problems with the UR license but could solve that problem. Will be posting all of those videos .. just waiting to see what I can include in my presentations.

Learnt concepts about the PIX firewall family, PIX administration, and ACLs .. was refreshing; object groups, NAT principles and PIX filtering services ..

Will update you with other things ..

best regards
RaKeSh

cisco pix and asa in gns3  

Friday, June 5, 2009

Hello, I have been trying to install PIX and ASA in my GNS3 .. for the past day I was trying heavily to do some VPN labs but was making mistakes all around; after 5-6 attempts I have mastered the art of site-to-site VPN and GRE tunnels.

Configuring SDM and ACS was done on Windows Server 2k3, and I managed to configure site-to-site VPN and GRE over IPsec with SDM after going through a painful set of SDM steps where I faced problems with loopback adapters ..


Anyhow, I could manage them. Soon I will be releasing video labs and pics

Good day

ipsec - vpn  

Thursday, June 4, 2009

Today I have decided to complete off IPsec VPN and I have done so ..

Was having problems installing SDM over GNS3 .. but finally could do it ..

I will be posting detailed screenshots of the SDM installation, and one very important thing to remember:

The available SDM version is 2.5, which seems to be the latest, along with Java 1.6 updates.

My advice is not to use 2.5; use 2.3 with Java 1.5 updates instead, otherwise you are going to waste time as I did

best regards

Maximum segment size  

Wednesday, June 3, 2009


Ethernet frame size = 1518 bytes

Ethernet II header = 14 bytes

IP header = 20 bytes

TCP header = 20 bytes (without options)

Data area = x bytes

Ethernet II trailer = CRC, 4 bytes

1518 bytes = 14 + 20 + 20 + x + 4

x = 1518 - 58 = 1460 bytes

Therefore a data segment can be a maximum of 1460 bytes on standard Ethernet; this is the value a host advertises in the MSS option of its SYN.

TCP OPTIONS  


MSS = MAXIMUM SEGMENT SIZE

SACK PERMITTED = SELECTIVE ACKS

WINDOW SCALE = INCREASE WINDOW

TIMESTAMP = DETERMINE ROUND TRIP LATENCY

Urgent Pointer  


This pointer lets the receiver read ahead in, or skip over, part of the data field as required

It points to where the data should be read first

It is only used if the URG bit is set to 1


ETHERNET HEADER
IP HEADER
TCP HEADER
DATA AREA * --------------------------------> URG =1 ; URGENT POINTER = XXXX
ETHERNET II TRAILER CRC

TCP CHECKSUM --------- 2 bytes  

The checksum is computed over the TCP header and data, plus a pseudo-header built from these IP-layer values:

source IP address field value

destination IP address field value

protocol field value (6 for TCP)

length value (TCP header + data)
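Here is an added Python example (mine, not from the original post) that ties the three posts above together: it encodes the MSS, window scale, SACK-permitted and timestamp options, sets the URG flag with an urgent pointer, and computes and verifies the checksum over the pseudo-header listed above. The IP addresses, ports, sequence numbers and option values are constructed sample values, and the urgent-data slice follows the RFC 1122 reading of the pointer (it marks the end of the urgent bytes at the front of the data area).

```python
import struct

# TCP option kinds (IANA) for the options named in the post, and the six flag bits
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_PERMITTED, OPT_TIMESTAMP = 0, 1, 2, 3, 4, 8
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum; an odd trailing byte is padded with zero."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """RFC 793 checksum: pseudo-header (source IP, destination IP, zero byte,
    protocol 6, TCP length = header + data) followed by the whole TCP segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_options(mss: int, wscale: int, sack_ok: bool, ts_val: int, ts_ecr: int) -> bytes:
    """Encode MSS, window scale, SACK-permitted and timestamp options, NOP-padded to 4 bytes."""
    opts = struct.pack("!BBH", OPT_MSS, 4, mss)
    opts += struct.pack("!BBB", OPT_WSCALE, 3, wscale)
    if sack_ok:
        opts += struct.pack("!BB", OPT_SACK_PERMITTED, 2)
    opts += struct.pack("!BBII", OPT_TIMESTAMP, 10, ts_val, ts_ecr)
    while len(opts) % 4:
        opts += bytes([OPT_NOP])
    return opts


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, urg_ptr, options, payload) -> bytes:
    """Serialise a TCP header (+options, +payload) with the checksum filled in."""
    data_offset = (20 + len(options)) // 4  # header length in 32-bit words
    flag_bits = sum(FLAGS[f] for f in flags)
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4,
                      flag_bits, window, 0, urg_ptr) + options
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def parse_options(raw: bytes) -> dict:
    """Walk the option list; refuse to loop forever on a malformed length."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed TCP option")
        body = raw[i + 2:i + length]
        if kind == OPT_MSS:
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == OPT_WSCALE:
            opts["wscale"] = body[0]
        elif kind == OPT_SACK_PERMITTED:
            opts["sack_permitted"] = True
        elif kind == OPT_TIMESTAMP:
            opts["ts_val"], opts["ts_ecr"] = struct.unpack("!II", body)
        i += length
    return opts


def parse_segment(src_ip: bytes, dst_ip: bytes, segment: bytes) -> dict:
    """Decode header fields, options, flags and urgent data, and verify the checksum."""
    sport, dport, seq, ack, off_byte, flag_bits, window, csum, urg_ptr = struct.unpack("!HHIIBBHHH", segment[:20])
    hlen = (off_byte >> 4) * 4
    payload = segment[hlen:]
    flags = [name for name, bit in FLAGS.items() if flag_bits & bit]
    # The urgent pointer only means something when URG is set; it marks how many
    # bytes at the front of the data area are urgent (RFC 1122 reading of RFC 793).
    urgent = payload[:urg_ptr] if "URG" in flags else b""
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
        "flags": flags, "options": parse_options(segment[20:hlen]),
        "urgent": urgent, "payload": payload,
        # a segment whose sum (checksum field included) is 0xFFFF verifies to 0
        "checksum_ok": tcp_checksum(src_ip, dst_ip, segment) == 0,
    }


# Constructed sample: a SYN from 10.0.0.1:40000 to 10.0.0.2:80 advertising MSS 1460.
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
SAMPLE_SYN = build_segment(SRC, DST, 40000, 80, 1000, 0, ["SYN"], 65535, 0,
                           build_options(1460, 7, True, 123456, 0), b"")


def demo() -> dict:
    return parse_segment(SRC, DST, SAMPLE_SYN)


if __name__ == "__main__":
    print(demo())
```

The decoded SYN shows the four options from the options post and a passing checksum; flipping any byte of the segment makes `checksum_ok` false, which is exactly what the pseudo-header protects: a segment delivered to the wrong address pair fails the check even if the TCP bytes themselves are intact.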

Congestion Avoidance  


Assumption: if we are to deal with the pure technique of how TCP reacts to congestion, we assume that packets are lost not because of faults; packets are lost because of congestion itself

As we know from the previous post, the congestion window gradually increases in increments of 1 MSS per ACK during slow start; the other way to deal with increments, once in congestion avoidance, is to add per ACK

SEGMENT SIZE * SEGMENT SIZE / CONGESTION WINDOW

Once we hit the threshold (a loss), the window size drops to 50% of its present value and again the process continues

Let us say a packet encountered congestion at 10000 bytes of data. Now it drops back to 50%, therefore the present size would be 5000 bytes, and the process continues

Starting Window Size  


>According to RFC 2581, computing TCP's retransmission timers, the initial window size should be no greater than MAX (2*MSS)

>RFC 3390, however, suggests that it could be up to 4*MSS, or MIN(4*MSS, MAX(2*MSS, 4380 BYTES))

MSS = MAXIMUM SEGMENT SIZE

Slow Start Process :  


This process is used when a new TCP connection / session is established or when a timeout takes place

Every new TCP connection, or a timeout when it occurs, starts the window counting again in increments of MSS

CONGESTION WINDOW cwnd = 2*MSS <-------- SYN

CONGESTION WINDOW cwnd = 3*MSS <-------- SYN ACK

CONGESTION WINDOW cwnd = 3*MSS <-------- ACK

CONGESTION WINDOW cwnd = 3*MSS <-------- data

CONGESTION WINDOW cwnd = 4*MSS <-------- ACK

........................................


Starting window size for Ethernet = 2 * MAX SEGMENT SIZE
= 2*MSS (1460) bytes

*It increments the window size by one MSS every time an ACK arrives

Types of windows  


>Receiver Window

>Congestion Window

>Sliding Window

Congestion Window:


The congestion window is what the network can handle; the sender is limited to the minimum of the receiver's advertised window and the congestion window.


>Network congestion occurs between networks, and receiver congestion occurs in the TCP buffer, which is obvious

Windowing  


>If the window size is '0' then the other side of the connection doesn't accept the packets and stops the transmission

>Maximum window size (16-bit window field) = 65535 bytes

>You can scale the window size. For more you can always see RFC 1323

>Ever wondered when such a large window is used? It is indeed used, and those types of networks are called LFN networks

LONG, FAT-PIPE NETWORKS
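As an added example of mine (not part of the post), the following Python works out when the 65535-byte window runs out and which RFC 1323 window-scale shift a path needs. The bandwidth-delay product is bandwidth times RTT, the unscaled window caps throughput at 65535 bytes per RTT, and the scale option is limited to a shift of 14. The link speeds and RTTs are constructed sample paths.

```python
MAX_UNSCALED_WINDOW = 65535  # the 16-bit window field
MAX_SHIFT = 14               # RFC 1323 limit on the window scale option


def bandwidth_delay_product(bits_per_second: float, rtt_seconds: float) -> int:
    """Bytes that must be in flight to keep the pipe full: bandwidth * RTT / 8."""
    return int(bits_per_second * rtt_seconds / 8)


def required_window_scale(window_bytes: int):
    """Smallest shift with 65535 << shift >= window_bytes, or None if beyond RFC 1323's limit."""
    for shift in range(MAX_SHIFT + 1):
        if (MAX_UNSCALED_WINDOW << shift) >= window_bytes:
            return shift
    return None


def max_throughput_unscaled(rtt_seconds: float) -> float:
    """Throughput ceiling (bits/s) when the window is stuck at 65535 bytes: window / RTT."""
    return MAX_UNSCALED_WINDOW * 8 / rtt_seconds


def is_lfn(bits_per_second: float, rtt_seconds: float) -> bool:
    """A path whose BDP exceeds the unscaled window cannot be filled without scaling."""
    return bandwidth_delay_product(bits_per_second, rtt_seconds) > MAX_UNSCALED_WINDOW


def plan(paths: dict) -> dict:
    """For each named path (bits/s, RTT s) report BDP, LFN status and the needed shift."""
    report = {}
    for name, (bps, rtt) in paths.items():
        bdp = bandwidth_delay_product(bps, rtt)
        report[name] = {
            "bdp_bytes": bdp,
            "lfn": is_lfn(bps, rtt),
            "scale_shift": required_window_scale(bdp),
            "unscaled_mbps": round(max_throughput_unscaled(rtt) / 1e6, 2),
        }
    return report


# Constructed sample paths: a LAN, a transcontinental gigabit link and a satellite hop
SAMPLE_PATHS = {
    "lan": (100e6, 0.001),
    "gig_wan": (1e9, 0.100),
    "satellite": (10e6, 0.600),
}

if __name__ == "__main__":
    for name, row in plan(SAMPLE_PATHS).items():
        print(name, row)
```

The gigabit WAN needs 12.5 MB in flight, so without scaling it is capped at about 5.2 Mbit/s regardless of link speed; a shift of 8 lifts the ceiling above the BDP. The LAN's BDP is far below 65535 bytes, so it is not an LFN and needs no scaling.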

Advantages of tcp  

Tuesday, June 2, 2009

advantages of tcp are

>connection-oriented communications

>Data Streaming

>Congestion Control

>Retransmission and Retry counters

>Extensions through the use of Tcp options

Flags  

P=Push Flag Reserved U|A|1|R|S|F

If set, data should be sent through the outgoing and incoming TCP buffer space without being held

[The packet will be flushed very fast out of the TCP buffer. The TCP buffer is created whenever a TCP session gets initialised]

Getting the push bit -> maybe it has something to do with our voice packet priorities


------------------------

S=Syn Reserved U|A|P|R|1|F

This is only used in the first two packets of the handshake process. It is used to inform the other side of the ISN (initial sequence number)


-------------------------


F=Fin U|A|P|R|S|1

This is a sort of interesting flag type. If set, the sender indicates that they are done with the connection but they don't want to explicitly close or tear down the connection (they = the two sides, server and client)

Getting into flags  

U=Urgent Reserved 1|A|P|R|S|F

->If set, check the urgent pointer field later in the header. That field indicates where you should start reading the data

------------------------


A=Ack Reserved U|1|P|R|S|F

->If set, indicates that the sender is acknowledging data received from the partner


---------------------------

R=Reset Reserved U|A|P|1|S|F

->If set, sender is refusing or explicitly closing the connection


-----------------------------



Understanding these flags helps in understanding our TCP connections, which is very helpful in getting protocols like BGP, for example .. can you imagine the importance of the Reset flag in BGP?

The Tcp Flags  


We have


the six flag bits, written here as U|A|P|R|S|F, with the set bit shown as 1

U=Urgent when set: 1|A|P|R|S|F
A=Ack when set: U|1|P|R|S|F
P=Push when set: U|A|1|R|S|F
R=Reset when set: U|A|P|1|S|F
S=Syn when set: U|A|P|R|1|F
F=Fin when set: U|A|P|R|S|1

The tcp handshake  


->Standard 3-way handshake to setup a connection

->sets up the initial sequence number (ISN) for each side

->May have 1 or more options in tcp header

The ISN (initial sequence number) will be different for host and server

Congestion avoidance / Recovery  


When a packet hits congestion the window drops down to 50% and again slowly creeps up

->congestion avoidance has two basic mechanisms

*Slow start algorithm

*congestion-avoidance algorithm

Tcp Functionality  


-> Connection-oriented communications

->sequencing and acknowledgement

->windowing

->congestion avoidance and recovery

->specialised functions (aka flags)

->variable length header

->Recovery for lost packets

TCP/IP STACK  



UPPER LAYER -> UPPER LAYER PROTOCOLS: SNMP, TELNET, FTP, HTTP, POP3

TRANSPORT -> UDP, RFC 768, CONNECTIONLESS TRANSPORT
-> TCP, RFC 793, CONNECTION-ORIENTED TRANSPORT

NETWORK -> IPV4, RFC 791; ICMP, INTERNET CONTROL MESSAGE PROTOCOL, RFC 792
-> ARP, RFC 826

DATA LINK LAYER -> MEDIA ACCESS CONTROL (MAC), ETHERNET, TOKEN RING, PPP, ETC

Here iam again  

People who were following me or just watching my progress kept mailing me about the blog status. I was down with personal problems and was buried deep! Very deep .. I am just making it out to the brighter side of my life again and hence have started with studies ...

I will be continuing with the TCP / IP sessions and my notes as well

best regards
