
Cisco


ASA inspect FTP on a non-standard port

By default the ASA inspects FTP so that the data connection passes through the device correctly, in both active and passive mode: the data port (and, in active mode, the client address) is negotiated inside the control channel, and the inspection engine reads those PORT/PASV exchanges, opens the matching pinhole and rewrites the embedded addresses when NAT is in play. Out of the box this only happens for control connections on port 21, so if your FTP server listens on another port you have to teach the ASA about it. The full details are in Cisco's ASA documentation on FTP inspection.

!--- match the FTP control channel on the non-standard port (2020 here)
access-list ftp-list extended permit tcp any any eq 2020
class-map ftp-class
  match access-list ftp-list
!--- global_policy already exists and is applied globally on a default ASA
!--- (service-policy global_policy global); this only adds a class to it
policy-map global_policy
  class ftp-class
   inspect ftp

That's all. Check with show service-policy inspect ftp: the new class should be listed, and its counters should climb as soon as a client connects to port 2020.

Cisco config syntax highlighting in Gvim

My colleague Niels created a syntax highlighting script for Vim.
As he puts it:

The goal was to aid in reading a config file, not to provide error-checking when writing one. The script checks for often used tokens and colors them. The recognized tokens are:
  • Comments (start with a ! mark)
  • IP addresses (only IPv4 currently)
  • Interface names. All variants that I came across are included, but the list will certainly be incomplete.

Read the full article here.
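
The same three token classes, as an added Python example written for this page (it is not Niels' Vim script, which is not reproduced here): a regex tokenizer for Cisco configs that marks comment lines, IPv4 addresses and interface names, and prints them in colour on a terminal. The interface-name list and the sample config are assumptions constructed for the example.

```python
from __future__ import annotations

import re

# Interface name prefixes are an assumption for this example (a handful of
# common IOS/ASA names); the real script carries a longer list.
IFACE_TYPES = (
    "TenGigabitEthernet", "GigabitEthernet", "FastEthernet", "Ethernet",
    "Serial", "Loopback", "Tunnel", "Vlan", "Port-channel", "Management",
)

# A dotted quad with each octet in 0-255; the look-arounds stop "1.2.3.4.5"
# and "10.0.0.1x" from being coloured as an address.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4_RE = re.compile(rf"(?<![\w.]){_OCTET}(?:\.{_OCTET}){{3}}(?![\w.])")
IFACE_RE = re.compile(
    r"(?:" + "|".join(re.escape(t) for t in IFACE_TYPES) + r")\d+(?:/\d+)*(?:\.\d+)?"
)

COLOURS = {"comment": "\033[90m", "interface": "\033[36m", "ipv4": "\033[33m"}
RESET = "\033[0m"


def tokenize(line: str) -> list[tuple[str, str]]:
    """Split one config line into (kind, text) tokens.

    Kinds are 'comment' (a whole line starting with '!'), 'interface',
    'ipv4' and 'text' for everything else. Like the Vim script, this only
    recognises tokens; it does not validate the configuration.
    """
    if line.lstrip().startswith("!"):
        return [("comment", line)]
    matches = [("interface", m) for m in IFACE_RE.finditer(line)]
    matches += [("ipv4", m) for m in IPV4_RE.finditer(line)]
    matches.sort(key=lambda km: km[1].start())
    tokens = []
    pos = 0
    for kind, m in matches:
        if m.start() < pos:      # overlapping match: keep the earlier token
            continue
        if m.start() > pos:
            tokens.append(("text", line[pos:m.start()]))
        tokens.append((kind, m.group()))
        pos = m.end()
    if pos < len(line):
        tokens.append(("text", line[pos:]))
    return tokens


def highlight(line: str) -> str:
    """Wrap recognised tokens in ANSI colour codes for a terminal."""
    return "".join(
        f"{COLOURS[kind]}{text}{RESET}" if kind in COLOURS else text
        for kind, text in tokenize(line)
    )


# Constructed sample config, not taken from a real device.
SAMPLE_CONFIG = """\
! constructed sample
hostname edge-1
interface GigabitEthernet0/1.10
 description uplink to 192.168.1.1
 ip address 10.0.0.1 255.255.255.0
!
ntp server 10.0.0.254
"""

if __name__ == "__main__":
    for config_line in SAMPLE_CONFIG.splitlines():
        print(highlight(config_line))
```

Run it in a terminal to see the coloured output; tokenize() is the part worth reusing, for instance to pull every address out of a config before a review.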

To telnet or not to telnet? To SSH!

This evening I was thinking about what I could write that could potentially interest fellow network and security people.
In my previous post I told a little story about tracerouting and connecting to a port using netcat and not Telnet. My plan is to write something about the difference between the two applications and when we should use one or the other. But not this evening.

Thinking about telnet... Last week I had a short discussion with my colleague about all those network people who still use telnet to manage their network devices. In the 21st century, and as a security person, I can't imagine creating such a security hole in my customers' networks.

Why should(n't) we use the telnet protocol?

  • + Telnet is widely used
  • + Telnet is a fairly simple protocol
  • + The Telnet client is installed by default on older versions of Microsoft Windows (from Vista on it is an optional feature)
  • - Telnet sends authentication credentials in clear text
  • - Telnet sends all session data in clear text, so anyone on the path can read or alter the commands you type
  • - Many Telnet daemons have had serious vulnerabilities
  • - A secure alternative, SSH, exists

So why don't we all use SSH then?

It's very clear to all of us that Telnet is simply insecure-by-design®. But why are we still using it? Why do so many sysadmins leave it enabled by default, or even turn it on when it was off?

I think I finally figured it out during a discussion with that colleague. The reason can be summed up in one very simple word.

laziness

It's simply that we/they don't know by heart how to enable SSH. Enabling it is indeed a little more involved than Telnet. And why don't they look it up on the internet or in the documentation? Simply laziness...

OK guys, now you don't have an excuse anymore! D'oh, this message is also published on the net, so they won't find it...

Enabling SSH on Cisco and HP devices

Even though I just realised it's completely useless to publish these commands once again on the net, I'll paste them here for my own future reference.

Cisco Switch with CatOS

set crypto key rsa 1024
set ip permit 10.0.0.0 255.255.255.0
set ip permit enable ssh
show ip permit
write memory

Make sure the permit list contains the host you manage the switch from before you enable it; once enabled, SSH connections from anywhere else are refused and you lock yourself out.

Cisco Router or Switch with IOS

hostname myrouter
ip domain-name vandeplas.lab
!--- generate the RSA key pair (it is labelled hostname.domain-name, hence the two lines above);
!--- give an explicit modulus: 2048 bits, as 1024 is weak and SSH v2 needs at least 768
crypto key generate rsa modulus 2048
!--- local user for authentication; "secret" stores a hash, "password" does not
username chri secret myVerySecurePassword
!--- Use SSH v2 as v1 is insecure
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
!--- authenticate the vty lines against the local user database
!--- and prevent non-SSH (telnet) connections
line vty 0 4
 login local
 transport input ssh
write memory

Cisco PIX/ASA

hostname mypix
domain-name vandeplas.lab

!--- generate the RSA key (PIX 6.x syntax)
ca generate rsa key 1024
!--- don't forget to save the crypto key into flash (PIX 6.x only)
ca save all
!--- or on PIX/ASA 7.x and later (use 2048 bits; the key is saved with write memory)
crypto key generate rsa modulus 2048
!--- SSH v2 only exists on 7.x and later; PIX 6.x speaks SSH v1 only
ssh version 2
!--- allow ssh from the network 10.0.0.0/24 on the inside interface
ssh 10.0.0.0 255.255.255.0 inside
!--- authenticate SSH users against the local user database
username chri password myVerySecurePassword
aaa authentication ssh console LOCAL
!--- save the running-config
write memory

HP ProCurve Switch

crypto key generate ssh
ip ssh version 2
ip ssh
no telnet-server
write memory

no telnet-server is the point of the whole exercise, but leave telnet on until you have tested an SSH login from a second session, otherwise you lock yourself out.
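
As an added check (example code written for this page, not from the original post or from any vendor), the following Python script audits a device after these changes: it probes port 23 and port 22 and classifies the SSH identification string the server sends. Per RFC 4253, "SSH-2.0-" means protocol 2 only, while "SSH-1.99-" means the server still accepts SSH-1 clients, which is what IOS advertises before ip ssh version 2 is set. The host names, banners and telnet bytes are constructed for the example; only probe() touches the network.

```python
from __future__ import annotations

import socket
from typing import Callable, Optional

SSH_PORT, TELNET_PORT = 22, 23
Probe = Callable[[str, int], Optional[bytes]]


def classify_ssh_banner(data: str) -> str:
    """Classify an SSH server identification string (RFC 4253, section 4.2).

    Returns 'v2-only', 'v1-and-v2' (protoversion 1.99: the server still
    accepts SSH-1 clients), 'v1-only' or 'not-ssh'.
    """
    for line in data.splitlines():
        if not line.startswith("SSH-"):
            continue  # RFC 4253 allows other lines before the ident string
        protoversion = line[4:].split("-", 1)[0]
        if protoversion == "2.0":
            return "v2-only"
        if protoversion == "1.99":
            return "v1-and-v2"
        if protoversion.startswith("1."):
            return "v1-only"
        return "not-ssh"
    return "not-ssh"


def probe(host: str, port: int, timeout: float = 3.0) -> Optional[bytes]:
    """Connect and return the first bytes the service sends (b'' if it stays
    silent), or None when the port is closed or unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                return sock.recv(256)
            except socket.timeout:
                return b""
    except OSError:
        return None


def audit(host: str, probe_fn: Probe = probe) -> dict:
    """Check that a device refuses telnet and only offers SSH protocol 2."""
    telnet = probe_fn(host, TELNET_PORT)
    ssh = probe_fn(host, SSH_PORT)
    findings = []
    if telnet is not None:
        negotiating = telnet.startswith(b"\xff")  # IAC: telnet option negotiation
        findings.append("port 23 open%s: clear-text management still possible"
                        % (" (telnet negotiation seen)" if negotiating else ""))
    if ssh is None:
        verdict = None
        findings.append("port 22 closed: no encrypted management path")
    else:
        verdict = classify_ssh_banner(ssh.decode("ascii", "replace"))
        if verdict in ("v1-only", "v1-and-v2"):
            findings.append(f"ssh {verdict}: SSH-1 still accepted, enforce protocol 2")
        elif verdict == "not-ssh":
            findings.append("port 22 open but no SSH banner")
    return {"host": host, "ssh": verdict, "findings": findings, "ok": not findings}


# Constructed responses standing in for two devices; not real captures.
# old-switch: telnet still on, SSH advertises 1.99 (both protocol versions).
# new-switch: telnet closed, SSH protocol 2 only.
FAKE_DEVICES = {
    ("old-switch", TELNET_PORT): b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27",
    ("old-switch", SSH_PORT): b"SSH-1.99-Cisco-1.25\r\n",
    ("new-switch", TELNET_PORT): None,
    ("new-switch", SSH_PORT): b"SSH-2.0-Cisco-1.25\r\n",
}


def fake_probe(host: str, port: int, timeout: float = 3.0) -> Optional[bytes]:
    """Offline stand-in for probe() that answers from FAKE_DEVICES."""
    return FAKE_DEVICES.get((host, port))


if __name__ == "__main__":
    for device in ("old-switch", "new-switch"):
        print(audit(device, fake_probe))
    # Against a real device: audit("10.0.0.1")  (uses the network probe)
```

Run it from the management subnet you allowed in the configs above; a device that passes returns ok=True with an empty findings list, and anything else tells you which of the steps above was skipped.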

Useful links

http://www.cisco.com/en/US/customer/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml
http://cisco.com/en/US/partner/products/ps6350/products_configuration_guide_chapter09186a00804831de.html
http://cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml
http://cisco.com/en/US/partner/docs/security/pix/pix63/command/reference/s.html
http://h10025.www1.hp.com/ewfrf/wc/genericDocument?docname=c01139356&cc=ca&dlc=en&lc=en&jumpid=reg_R1002_CAEN
http://www.dice.inf.ed.ac.uk/groups/infrastructure/network/docs/5308.html

Cisco Certified Network Associate

From today I'm officially Cisco CCNA or Cisco Certified Network Associate.

The first time I tried the exam I failed with 847 points. Knowing that you need at least 849/1000 points, I failed by 0.2%. Really painful!
This time I must admit that some of the success was due to the study drill I had from my colleagues Eno and Tim. With a score of 871 points I passed the exam. Next steps at Cisco: CCDA, CCDP and CCSP.

