Thursday, June 28, 2007

Cisco IOS Exploitation Techniques

This paper is a result of research carried out by IRM to analyse and understand the check_heaps() attack and its impact on similar embedded devices. Furthermore, it helps developers understand security-specific issues in embedded environments and develop mitigation strategies for similar vulnerabilities.

The paper primarily focuses on the techniques developed for bypassing the check_heaps() process, which has traditionally prevented reliable exploitation of memory-based overflows on the IOS platform. Using inbuilt IOS commands, memory dumps and open source tools, IRM was able to recreate the vulnerability in a lab environment.

The material is divided into three sections, which cover the ICMPv6 source-link attack vector, IOS Operating System internals, and finally the analysis of the attack itself.


Wednesday, June 27, 2007

Run Cisco IOS on your PC

Started in August of 2005 by Christophe Fillot, Dynamips is a Linux and Windows based application that is used to emulate the hardware of the Cisco 7200 and 3600 series routing platforms. Unlike traditional router "simulators", Dynamips allows you to boot real Cisco IOS software images and build complex network topologies to test the functionality of IOS on your desktop PC. As of November 2006 Dynamips supports Ethernet, Serial, ATM, and POS interfaces for the 7200 series routers and Ethernet, Serial, and Etherswitch modules for the 3600 series routers. Best of all, Dynamips is open-source and free to download!

To run Dynamips first you must install libpcap or winpcap depending on your platform. Windows users will need to install winpcap 4.0 or later which is currently in beta.

Next, download the appropriate Linux or Windows executables for Dynamips. To do this I would recommend downloading the Dynagen installer package, a front end written by Greg Anuzelli which uses an INI-like configuration file to provision the Dynamips emulator.

Next you'll need a Cisco IOS software image for a 7206, 3620, 3640, or 3660 router depending on which platform you will be emulating. IOS can be downloaded from for users with a valid service contract. Once you have downloaded the appropriate IOS image it is recommended that you extract the image to save time in the Dynamips booting process. This can be accomplished with programs such as gunzip for Linux or WinRAR for Windows.

Next you need to build a Dynagen .net file to provision the Dynamips emulator, or you can download prebuilt ones to emulate the Internetwork Expert Routing & Switching and Service Provider topologies from here:

Click here to download the Internetwork Expert Topologies for Dynagen

Note that these files may need minor modification to specify your working directories and the names and locations of your Cisco IOS images. Also included in the Internetwork Expert topologies for Dynagen is a router instance that is designated as a Terminal Server (Access Server). This instance can be used like a Cisco 2511 series router to reverse telnet to the console ports of the virtual Dynamips router instances, similar to how the Terminal Server is used in the CCIE Lab Exam.

To use the Terminal Server instance first create a Loopback interface on your PC with the IP address For Windows clients see for instructions how to add a Loopback interface in Windows. Once the Loopback is created, reboot your PC and then run the Dynamips shortcut "Network Device List" located on the desktop. This output will show you the hardware address for the Loopback which will look something like {4065B11C-2A6C-4FD2-8204-A12A9A8328A4}. Next edit the .net file for the appropriate Internetwork Expert topology, and under the [[Router TermServ]] entry edit the line E0/0 = NIO_gen_eth:\Device\NPF_{4065B11C-2A6C-4FD2-8204-A12A9A8328A4} to insert the hardware address of your Loopback. If successful you should be able to ping the IP address of the Terminal Server ( from your local PC when the Dynamips instance for it is booted.

Next boot the Dynamips hypervisor. For Windows users this will be the "Dynamips Server" shortcut on your desktop that was created by the Dynagen installer package. Next run the appropriate .net file for Dynagen, and "start" your devices from the Dynagen command line. Once booted the Dynamips router processes can be telneted to with any terminal emulation software such as SecureCRT, PuTTY, HyperTerminal, or command line telnet.

Note that as the number of devices you boot in Dynamips increases, so do the processor, memory, and disk space requirements of your desktop.
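
An added example, not part of the original post or of Dynagen itself: a small Python helper that performs the .net edit described above, rewriting the NIO_gen_eth adapter GUID on the E0/0 line under [[Router TermServ]] and leaving every other router entry untouched. The function name set_loopback_nic, the sample file contents, the image path and the placeholder GUIDs are constructed for illustration.

```python
import re

# A Windows adapter id as shown by "Network Device List": a brace-wrapped GUID.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
SUBSECTION_RE = re.compile(r"^\s*\[\[\s*(.+?)\s*\]\]\s*$")   # e.g. [[Router TermServ]]
SECTION_RE = re.compile(r"^\s*\[[^\[\]]+\]\s*$")             # e.g. [localhost]

# Constructed sample .net content (not one of the Internetwork Expert files).
SAMPLE_NET = r"""# constructed sample topology
[localhost]
    [[3640]]
    image = C:\ios\c3640-sample.bin
    [[Router R1]]
    E0/0 = NIO_gen_eth:\Device\NPF_{11111111-2222-3333-4444-555555555555}
    [[Router TermServ]]
    E0/0 = NIO_gen_eth:\Device\NPF_{00000000-0000-0000-0000-000000000000}
"""


def _norm(name):
    """Compare section names without regard to case or spacing."""
    return " ".join(name.split()).lower()


def set_loopback_nic(net_text, guid, section="Router TermServ", iface="E0/0"):
    """Return net_text with iface in the given [[section]] bound to guid.

    Raises ValueError if guid is malformed or the line is not found exactly
    once, so a typo never silently produces an unchanged or broken file.
    """
    # Validate first: only a well-formed GUID is ever written into the config.
    if not GUID_RE.match(guid):
        raise ValueError("not a brace-wrapped adapter GUID: %r" % (guid,))

    iface_re = re.compile(
        r"^(\s*)" + re.escape(iface) + r"\s*=\s*NIO_gen_eth:", re.IGNORECASE
    )
    target = _norm(section)
    current = None          # name of the [[subsection]] we are inside, if any
    changed = 0
    out = []

    for line in net_text.splitlines():
        sub = SUBSECTION_RE.match(line)
        if sub:
            current = _norm(sub.group(1))
        elif SECTION_RE.match(line):
            current = None  # a new top-level [host] block ends the subsection
        elif current == target:
            m = iface_re.match(line)
            if m:
                # Keep the original indentation; build the value by
                # concatenation so the backslashes are written literally.
                line = m.group(1) + iface + " = NIO_gen_eth:\\Device\\NPF_" + guid
                changed += 1
        out.append(line)

    if changed != 1:
        raise ValueError(
            "expected exactly one %s line under [[%s]], found %d"
            % (iface, section, changed)
        )
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # GUID format taken from the example in the text above.
    print(set_loopback_nic(SAMPLE_NET, "{4065B11C-2A6C-4FD2-8204-A12A9A8328A4}"))
```
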

50 School Districts Choose Parent Notification Solution from SchoolMessenger and Cisco

SchoolMessenger, a leading U.S. parental notification company, and Cisco today announced that more than 50 school districts across the country have adopted their integrated parental notification solution. In addition, SchoolMessenger for Cisco Unified Communications, which was introduced last summer, now includes SMS text messaging to supplement voice and e-mail notification to reach a large audience using a range of devices.

Reports show that when notification solutions are used in schools, parents report improved peace of mind, and truancy rates decrease by up to 13 percent. In addition, by managing a single, centralized solution, and using its existing telecom investment, districts report that the solution pays for itself in less than two years when compared with annual subscription-based notification services.

SchoolMessenger for Cisco Unified Communications is a Web-based communications solution that integrates with a district's existing investment in Cisco Unified Communications. It is currently in use in 15 states, with the greatest concentration found in Texas and California.


Tuesday, June 26, 2007

Cisco overhauls networking certification to address skills shortage

Cisco has announced the addition of a new entry-level certification, CCENT (Cisco Certified Entry Network Technician), along with enhancements to the popular Cisco CCNA associate-level certification.

Simultaneously, Cisco also plans to localise both the curricula and
certification exams to meet the worldwide demand for networking skills. Analyst IDC is predicting as much as a 40% gap between
the demand and supply of technical networking skills by 2012. To address these
needs, Cisco is making significant investments in its education and
certification programs to equip more people for successful careers in networking.

CCENT presents a new point of entry to those just beginning to build a career
in networking. As an optional stepping-stone to CCNA, CCENT validates the skills
required to successfully install and verify basic networks – a requirement for
most entry-level network support positions. At the same time, Cisco's
foundational CCNA curriculum has been revised to include a greater breadth of
networking topics and more focus on performance-based skills to differentiate
Cisco certified applicants in the IT job market. The CCNA curriculum will be
released in English on 26 July 2007, and the exams will be released in English
on 1 August 2007. Additional languages will be announced as translation plans
are finalised.

Wim Elfrink, chief globalisation officer and senior vice-president of
customer advocacy at Cisco, said, "We are dedicated to leading worldwide development
of the right technical expertise, in the right place and at the right time.

"The introduction of CCENT and localisation plans for our foundational
curricula, underscore our commitment to accelerate the learning curve for
technical talent across the globe," he said.

Laying the groundwork for more rigorous certification, CCENT validates the
knowledge and skills needed to configure and verify small routed and switched
networks, including the ability to configure IP addressing, implement basic
security measures and understand the concepts of wireless networking.

A comprehensive understanding of networking fundamentals is the focus of CCNA,
said Cisco.

Certification at this level validates the knowledge and skills required to
install, operate and troubleshoot a small to medium-sized routed and switched
network, including the ability to implement and troubleshoot protocols to manage
addressing and authentication.

Students must also be able to establish and troubleshoot connections to
service providers over a wide-area network.

The CCNA Prep Center is
available to anyone with a login to help candidates prepare for the
CCENT and CCNA exams.

Configure static NAT for inbound connections

This article covers how to configure Network Address Translation (NAT) so that computers on the Internet can access an internal Web and mail server through a Cisco router. This requires configuring a static NAT translation between the dedicated public IP address and the dedicated private IP address. Here's how to do it.


Monday, June 25, 2007

Cisco acquires e-mail security company

Cisco Systems is moving quickly to integrate technology it's gaining from buying e-mail security firm IronPort Systems.

Company officials said in interviews here about the US$850 million IronPort acquisition, which closed today, that e-mail and Web site reputation datastreams from IronPort appliances will be fed to Cisco firewalls by the end of this year, and then be extended to the company's routers, switches and other devices in 2008.

The service checks the source of e-mail and Web sites embedded in e-mail against a database of suspicious sites IronPort calls SenderBase.

In addition, IronPort's Layer 4 traffic monitor technology, which watches for spyware signatures, will be added to Cisco firewalls in the first quarter of next year and then to other products.

The capabilities should be able to be pushed as a software upgrade to users of existing Cisco products, said Richard Palmer, senior vice-president and general manager of the company's security technology group, under which IronPort will operate as a separate business unit.

In buying IronPort, Cisco is expanding its security offerings from managing networks to include spyware and malware data inspection, and to begin offering what it dubs wide traffic inspection, which correlates information from several network devices.

Thursday, June 21, 2007

Spirent Communications Selected As Exclusive Test System Provider For Cisco IPTV

The European Advanced Networking Test Center AG (EANTC) selected Spirent testing solutions to analyze Cisco Systems' IPTV infrastructure in a test commissioned by Light Reading.

Spirent’s Global Services team collaborated with EANTC to conduct an independent test of Cisco Systems' IPTV infrastructure to verify an end-to-end IPTV and triple-play solution focusing on the network service requirements of broadcast TV and video-on-demand (VOD) applications.

For this event, Spirent supplied Spirent TestCenter, Spirent Video Quality Test System and Spirent GEM Ethernet Network and Impairment Emulator. In addition to test equipment, Spirent provided a three-person engineering support team for the pre-staging and the intense two-week period of formal testing. The Spirent Professional Services team collaborated with EANTC to create the test scripts to run the test. With engineering support and equipment, Spirent offered load generators for emulation of 120 DSLAMs plus 65 service ports (GigE and 10GigE), performed video quality measurements, and conducted impairment generation for the duration of the test.

“IPTV is highly complex and requires a different, more holistic focus in implementation and testing than traditional broadband access technologies,” said Carsten Rossenhövel, managing director of EANTC. “We found that Spirent was a great testing partner for IPTV solutions and support services, and together we put Cisco’s network design under a rigorous test routine.”

Covering four main areas that included quality of service (QoS), massive scalability of broadcast services, high availability of all services and user experience during high network load conditions, this test event exposed the realities of IPTV service deployment and the need for thorough testing before the service goes live. Spirent’s test systems enabled EANTC to analyze QoS from the perspective of the user, often referred to as quality of experience (QoE), and by the handling of preferential services by the network, including network resource allocation in the case of limited resources. Furthermore, with Spirent TestCenter the test was able to identify small sub-parts-per-million loss in all the data, and to analyze the associated flows in detail, identifying the less than 0.00002 percent packet loss in IPTV multicast service.


Tuesday, June 19, 2007

Network Traffic To Grow Up To Six-Fold Annually

The increased use of video and further online collaboration will drive network traffic to an annual growth rate of between 300% and 500% over the next several years, said Cisco Systems Inc. Chairman and Chief Executive John Chambers, who added this is beyond most expectations.

"It's the second phase of the Internet - it will be about collaboration," Chambers said during a keynote address at the NXTcomm telecommunications industry trade show on Tuesday.

Cisco supplies the switching network equipment for government, corporate and carrier customers. But Chambers said he believes the next phase of growth will come from layering services through that network. The executive touted the combination of different services like video and music integrated into various environments such as the car, mobile handset or home.

"It won't be about transport, it'll be about the changing business model," he said, adding that the consumer is now driving demand for new services.

Other services include the expanded use of telepresence, a high-end video conferencing product that many companies are offering.

Touting the increased productivity of collaboration, he cited Cisco's own acquisition history. In November 2005, Cisco closed the acquisition of television cable set-top box maker Scientific Atlanta in 45 days. The company took eight days to close the acquisition of WebEx earlier this year.

On net neutrality, Chambers said he is more concerned with building out the network and considers dividing up the lines and speeds a second priority.

Monday, June 18, 2007

Making your apps faster!

Optimization is a constant worry of network executives who need to make unruly applications -- never designed to run over anything but a high-speed LAN -- perform smoothly on the WAN. These days, network executives need to boost application performance itself, as well as factor in how to optimize storage, encryption and server-to-server technologies, such as XML.

Cisco wants to help by putting everything related to optimization into an intelligent network layer. Then, for example, network executives can deploy optimization services as blades and software add-ons in their existing Cisco gear. The router giant's network-based application-optimization strategy splits along the lines of two product families: Application-delivery networks focus on user-to-application communications (including performance, security and so forth), while the Application Oriented Networking initiative centers on application-to-application communications. George Kurian, general manager for Cisco's application delivery business unit, explains how it all fits together in an interview with Julie Bort, a Network World editor.

Networkworld Interview

Cisco Meshes With Cable

Cisco today announced it is launching the Cisco Cable ServiceMesh solution, the industry’s first integrated, end-to-end wireless architecture designed for cable operators who want to extend indoor Wireless Fidelity (Wi-Fi) to outdoor mesh networks in municipalities, tourism centers, small businesses and universities in North America. This new architecture offers the foundation layer for broadband mobility.

Building on the Cisco Internet Protocol Next-Generation Network (IP NGN) architecture, the Cisco Cable ServiceMesh solution is a fully integrated outdoor wireless platform that helps enable operators to quickly deploy a variety of value-added, revenue-generating services via a single network infrastructure. By using the Cisco Cable ServiceMesh solution, cable operators can create new revenue opportunities through the deployment of an outdoor wireless mesh solution that utilizes existing infrastructure to cost-effectively expand their service offerings and their market reach, bringing the Connected Life to customers at home, at work or on the move.

The new Cisco Cable ServiceMesh solution is a comprehensive wireless broadband system comprising:

- Cisco Aironet 1520 Series Lightweight Outdoor Mesh Access Points, a new set of wireless access points with integrated Data Over Cable Service Interface Specification (DOCSIS) 2.0 cable interfaces used to create metropolitan-scale, outdoor wireless networks, providing access to any Wi-Fi compliant device;

- Cisco Wireless Services Modules, which provide the control, scalability and reliability needed to build highly secure, carrier-grade indoor and outdoor 802.11 wireless networks;

- Cisco Wireless Control System software, an industry-leading platform for wireless local area network (LAN) planning, configuration, management, troubleshooting, and mobility services for the Cisco Cable ServiceMesh solution;

- Cisco Intelligent Services Gateway, which delivers advanced subscriber awareness, resource provisioning and access control capabilities. The Cisco Intelligent Services Gateway also simplifies the creation and speeds the delivery of advanced IP services over Cisco IP NGNs. The Cisco Intelligent Services Gateway has been designed to support both IP Multimedia Subsystem (IMS) and non-IMS based applications;

- Cisco Service Control Engine, a solution that controls packets on a Layer-7 application level while utilizing the existing IP wireless network infrastructure to provide a variety of services;

- Cisco 7600 Series Router, the industry’s leading edge router that delivers robust, high-performance IP/MultiProtocol Label Switching (MPLS) features for a range of service provider edge applications.

This combination makes possible multiple applications, including extending data, voice and video streaming outside the home, police, fire and emergency services, as well as those for city operations, such as remote access to city applications, automated meter reading, and permit verification and compliance.

Saturday, June 16, 2007

Connected Life Contest

Top prize is $10,000 and ten runners-up win $1,000 each. Entering this one requires “describing in 1,000 words or less a new experience or capability you would like networking technologies to enable you to do, whether at home, at work, or on the move.” You can submit a video too, and there are some videos on the contest page already.

Official page:

Thursday, June 14, 2007

Cisco and Scientific Atlanta showcase 'The Connected Life'

Cisco and Scientific Atlanta, a Cisco company, today announced planned demonstrations for NXTcomm 2007 that showcase the continued momentum and execution of the Cisco IP Next-Generation Network (IP NGN) architecture, and the innovative technologies that enable service providers to deliver unique "Connected Life" experiences to subscribers.

The technologies of Cisco and Scientific Atlanta enable service providers to take advantage of an open standards-based IP NGN platform to deliver a myriad of integrated and differentiated services. This means more network design freedom and flexibility for service providers. It also creates expanded content choices, enhanced navigation and greater service personalization for consumers.

The Cisco IP NGN helps enable service providers to deliver unique "Connected Life" experiences by integrating voice, video, data and mobility to create unique anyplay service offerings. With Cisco as a partner, service providers can offer residential and business customers differentiated, customizable services at home, at work or on the move. The ability to deliver these personalized experiences anywhere, anytime, and to virtually any device creates a host of new Connected Life opportunities for accelerated service provider growth and enhanced customer satisfaction.

"Today's technologies are revolutionizing the communications universe, giving people the power to communicate in ways that didn't even exist just a few short years ago," said Jeff Spagnola, vice president, Service Provider Marketing, Cisco. "Service providers are on the cusp of opportunity to harness the power to bring information and entertainment to their customers across one platform. Not only does this create enhanced services and new revenue streams, but it also gives consumers the ultimate personalized experience."

IBM, Cisco Collaborate on Management Software

IBM Corp. and Cisco Systems Inc. plan to release a jointly developed product in July as part of an expansion of their existing alliance around telecommunications network management and service assurance, the companies said Thursday.

The new offering, Cisco Assurance Management Solution, integrates Cisco's Active Network Abstraction (ANA) device management and mediation technology with IBM's Tivoli Netcool/OMNIbus and Netcool/Precision management software, according to Alan Ganek, chief technology officer, IBM Tivoli Software. The vendors have been working on the product for about a year, he said.

Ganek is hopeful that the new product will appeal not only to telecom carriers but also to large enterprises such as financial services providers that are looking for a simpler way to manage their heterogeneous networks.

More on PC World

Tuesday, June 12, 2007

Cisco Trust Agent "User Notification" Authentication Bypass

Adam Blake has reported a security issue in Cisco Trust Agent, which can be exploited by malicious people to bypass certain security restrictions.

The security issue is caused by errors in the "user notification" feature, which displays "user notification" messages from the Cisco Secure Access Control Server (ACS) over the top of the login screen or the screen saver unlock window. This allows an attacker to access the "System preference" dialog and, for example, to change the password of administrative users when the system is performing a posture assessment.

Successful exploitation requires physical access to the system.

The vulnerability is reported in version on Mac OS X. Other versions may also be affected.

Note: Installations on Microsoft Windows or Linux are reportedly not affected.

Update to version

Multiple Vulnerabilities in Wireless Control System

Cisco Wireless Control System (WCS) contains multiple vulnerabilities which may allow a remote user to:

- access sensitive configuration information about access points managed by WCS
- read from and write to arbitrary files on a WCS system
- log in to a WCS system with a default administrator password
- execute script code in a WCS user's web browser
- access directories which may reveal sensitive WCS configuration information

There are workarounds for several, but not all, of these vulnerabilities. See the Workarounds section for more information. Cisco has made free software available to address these vulnerabilities for affected customers.

This advisory is posted at

Cisco's TelePresence technology shown at CNN discussion

Cisco TelePresence technology, which enables "in-person" virtual communications, took center stage in an international discussion organized to complement CNN International's upcoming Future Summit series. The global television network secured a panel of experts in Singapore who discussed the future of virtual worlds as Wikipedia and Wikia founder Jimmy Wales joined them from New York. The hour-long program, the latest installment of CNN's on-air and online initiative looking at the impact of technology in everyday life, airs globally on June 13.

Cisco TelePresence is a ground-breaking technology that creates live "face-to-face" meeting experiences using high-definition video and spatial audio over an Internet Protocol (IP) network. TelePresence preserves the important nonverbal cues, such as a raised eyebrow or slump of the shoulders, that studies show make up roughly 60 percent of the information conveyed in a conversation. With the touch of a button in Cisco's New York City office, Wales was able to join the interactive discussion in Singapore. By being able to remain in New York and go to other meetings during the day, Wales saved travel time and money while increasing his productivity. "I was pleasantly surprised by the quality of the video and audio over the Cisco TelePresence system, it was just like being there in person," said Wales. "It was the first time I was able to be in two places at once; now that's using technology to truly maximize productivity," said Wales.

The cutting-edge TelePresence technology can be seen when the program airs on CNN International Wednesday, June 13, and Saturday, June 16, both at 10 p.m. (Singapore). It replays in July and August. More details are available at the dedicated Website CNN's Future Summit Virtual Worlds segment features the Cisco TelePresence 1000, a single 65-inch, 1080p high-definition plasma screen that was set up by Cisco engineers with the help of Fujitsu Asia Pte Ltd., a Cisco Gold Certified Partner. The high-speed broadband connections were supplied by SingTel.

"The ability to transform the way people do business and improve their productivity on any given day is the power of Cisco TelePresence technology. Watching an executive virtually participate in a panel discussion on the other side of the world is a perfect showcase of what the future holds," said Charles Stucki, vice president and general manager, Cisco TelePresence Business Unit, Cisco.

Google tops Cisco in start-up acquisitions

It's a sentiment rousing entrepreneurs in Silicon Valley: build a start-up compatible with Google Inc.'s business strategy, pick up some venture capital along the way to stay competitive, and sell quickly to the cash-oozing search giant. In the past week or so, Google tossed RSS feed aggregator Feedburner Inc. and server computer start-up Peakstream Inc. into its shopping cart. Both companies were quick exits for their venture backers, especially Peakstream, which raised its first funding round less than a year ago from VC kings Kleiner Perkins Caufield & Byers and Sequoia Capital (two original investors in Google).

For years Cisco Systems Inc. has been the most prolific acquirer of venture-backed start-ups, pocketing 22 such companies since 2004, according to industry tracker VentureOne. But Google has emerged at the top of the list so far this year, acquiring five venture-backed start-ups to Cisco's four. And it's showing no sign of stopping, as the search outfit looks for companies that fit its overarching mission: "To organize the world's information and make it universally accessible and useful." In other words, make money off online advertising, where Google generates 99% of its revenue.

A look at the company's acquisitions this year highlights just how far-reaching its mission is in the start-up world: Peakstream, a maker of software for running powerful computers; FeedBurner, which creates Web feeds for bloggers and podcasters to distribute and monetize their content; Greenborder Technologies Inc., a maker of software that protects PCs and corporate networks from malicious emails; Marratech AB, a producer of software for video conferencing over the Internet; and Adscape Media Inc., whose technology inserts advertising into video games. And Google plans to knock further into the wireless handheld market, a hot area for start-ups developing technology around mobile marketing, content and search.


Thursday, June 7, 2007

Cisco invests in ZeroG Wireless

Chip designer ZeroG Wireless emerged from stealth mode by announcing it has raised more than $13m in its first round of funding from Cisco and others, which it will spend on research, development and the manufacturing of its product.

The Sunnyvale, California-based company is developing low-powered RF chips that can wirelessly connect distributed nodes throughout the enterprise. Beyond that, it is keeping tight-lipped. Senior director of sales David Friedman said the silicon itself would be a mixed-signal RF chip, but wouldn't give any specifications. He declined even to elaborate on how those chips might be used, except to say they would transmit and receive data wirelessly and would have a very small battery capacity. "In the future, wireless is going to grow in a big way, but will be true wireless," Friedman said. "So very small battery, no plugs, lots of little things collecting data."

Wednesday, June 6, 2007

New Cisco PIX 506E and 515E Firewalls

The "E" indicates that this is an enhanced version of the widely popular Cisco PIX® 506 or 515 Firewall platforms. Enhancements include more powerful processors, which result in up to a two and one-half times increase in firewall and virtual private network (VPN) performance, depending on packet size. In the case of the Cisco PIX 515E models (with Unrestricted or Failover licenses), this enhancement also provides integrated hardware-based VPN acceleration. Cisco PIX 506E and 515E platforms offer the same form factor, flexibility, interface support, and Cisco PIX OS support as the Cisco PIX 506 and 515 models.

Cisco Gets Two Awards from Vietnam Government

Vietnam’s Ministry of Education and Training has honored Cisco with two awards in recognition of its contribution to advancing education and research in the Communist country, the company announced on Tuesday.

The awards are one of the highest forms of recognition that the Vietnamese government gives to private companies and individuals upon recommendation by Vietnam’s university community.

The awards are likely to propel Cisco’s business further in Vietnam, where a leading bank, State Bank of Vietnam (SBV), is dependent on the network equipment maker for advancing its technologies in order to increase operational efficiencies and regulate the banking system.

The first award is a certificate of appreciation for Cisco’s effort to boost technical education in the country through its “Cisco Networking Academy Program.” The second is an Education Career medal, given to Professor Christopher Hoang Pham, a Cisco senior engineering manager of the U.S.-based Network Software and System Technology Group, for his contribution to research and development through the networking laboratory in the Hanoi University of Technology (HUT), and other educational activities.


Cisco Confirms OS Security Holes

Late last month, Cisco confirmed the existence of multiple vulnerabilities in IOS, along with separate flaws in IOS XR, its Cisco Firewall Service Module and its Cisco Unified Call Manager products.

According to a Cisco announcement, an attacker can trigger an IOS system crash by crafting malicious secure sockets layer (SSL) packets and passing them along during the protocol exchange process. Attackers can craft malicious ClientHello, ChangeCipherSpec and Finished messages, Cisco said.

In every case, according to the announcement, the big danger is denial of service. At this point, none of the SSL processing vulnerabilities have been linked to information disclosure or system compromise, Cisco stressed.

Cisco released software updates to patch both flaws.