Deploying CSR1000v (Cisco IOS XE) on VMware ESXi

If you haven't installed VMware ESXi yet, go through Installing VMware ESXi & VSphere Client on VMware Workstation post and come here after it is completed.

Basically what I'm going to do here is going install several Cisco CSR 1000v (IOS-XE) routers in VMware ESXi and network them together with a Virtual Switch. Final output topology will be like the following.

With 802.1q trunking, you will be able to connect routers with logical point to point links  to simulate routing without a simulator..

You will need a CSR 1000v ova template from Cisco.com
What I downloaded was csr1000v-universalk9.03.11.04.S.154-1.S4-std-C1-M2560-N3-DS8.ova

For a one CSR1000v router, you will need a 2 GB minimum of RAM..


Open VMware workstation and power up the ESXi server and login using vSphere client..

Go to File > Deploy New OVF Template, Browse for the OVF, select hit Next..

Hit Next again and name your Router (Ex:- CSR-01) and hit Next..

Give Thin Provision if your installing it on your desktop.. Thin Provision means that it will not take dedicated hard disk space from your hard drive, it will allocate hard drive space when it needs only..

Hit Next & Next agin for Network Mapping for it's defaults, we will change these things as we need later..

My final settings were like this before Finishing and deploying..

Hit Finish..

Add another router just like the previous one with a different name (Ex:- CSR-02)
Finally the Virtual Switch default setup will be like following.. (go to Configuration > Networking)

Now power up the routers and and right click > Open Console

After it is booted up, configure them for SSHv2.. If you are not familiar with allowing SSH on Cisco devices please read Enabling SSH on Cisco Routers / Switches for Local Users

Note:- 

According to this topology, you can assign an IP address to any Gig port of the router because we didn't care the network mapping part.
Because we let it be the default, all 3 gig ports of each router now connects to the vSwitch. But in a design you will have to consider which port is actually connected to the vSwitch and assign a matching IP address to the port.
For this basic setup, give the routers the IP addresses of the same subnet which the ESXi is in..
Ex:- my ESXi IP : 192.168.47.200
CSR-01 Gig 1 IP : 192.168.47.31
CSR-02 Gig 1 IP : 192.168.47.32


Now the routers will ping each other and you will able to access the routers through your native PC's SSH clients like SecureCRT..

Installing VMware ESXi & VSphere Client on VMware Workstation

VMware ESXi is a good environment to run & network Virtual Machines inside a single entity. ESxi with virtual operationg systems like IOSv, IOS-XRv, IOS-XEv, ASAv etc can be used to create networking labs without simulators. ESxi is just like another server Operating System which you can install in a server or inside your VMware Workstation in your PC.

Here I am going to install ESXi 5.1 inside my VMware Workstation on my PC..

Installing VMware ESXi

Go to File > New Virtual Machine select Typical & hit Next. Browse for the Installer Disk Image file location and select the ESXi ISO image and hit Next. Now you will be asked to give a name for the virtual machine and the location to install. After entering those details, you will be asked to specify the disk capacity. On my machine, it showed 40 GB for maximum by default and I left it as it was and selected Split virtual disk in to multiple files and hit Next..

Additionally I added 3 more network cards to the virtual machine and gave the maximum recommended memory  which is about 6GBs. Now all the settings were like in the left side capture before I hit Finish. 

As soon as you hit Finish, It will start to boot and popup the following dialog box.

Boot from standard installer..












After few yellow screens it will stop at the following dialog box.

Hit Enter and Hit F11 for the Next dialog box to accept license agreements..







Now it will stop at the following dialog box.

Hit Enter to continue and you will be asked to select key board layout and a root password.

Give the credentials and hit Enter..

It will again ask for a confirmation to install ESXi, hit F11 to continue..
Now it will go fine with the installation..


After the installation is finished, a dialog box will popup, Hit Enter to reboot the VM..

Assign a Static IP Address to the VM

Bydefault ESXi will take a DHCP address but in most cases you will need it to have a static IP address in your labs.

After the reboot completed, Hit F2 to Customize System.. You will be asked to login as root; therefore give the credentials entered during the installation..

In System Configuration, go to Configure Management Network > IP Configuration

Select Set static IP address and network configuration & give an IP address inside your subnet.

Hit Enter and hit Escape to go to the 1st menu (Customize System), you will be asked to restart the management system because you have changed it's configuration..
Hit Y for yes..

Installing VSphere Client

Now go to your web browser and enter the IP address you gave to the ESXi VM..
You will be informed with a security warning from the browser because the webpage is not a HTTPS site. That's fine, go through it..

You can download VSphere Client from there..

After download, install and run the VSphere Client..

Give the IP address of the ESXi, username and passwords and hit Login.

You will be warned by a untrusted SSL connection, that's fine and Ignore the message.















Now ESXi is fully functioning, you can install new Virtual Machines inside ESXi and network the with the Virtual Switches from now on.. (click on the images to view in fullsize)

How SSL VPNs work?

If you are not familiar with the basics of cryptography, please read A Note on Cryptography Fundamentals & Algorithms & How Digital Signatures Work? before this. All of them will be used here to explain this.

This is what happen when you go to a HTTPS website. It basically says that you are connected to a server which is verified by a certified authority, not to a malicious web server.

A hacker can download a webpage (ex:- facebook, paypal) from internet and upload it to his web server and using a DNS spoofing he can direct your traffic to the malicious website. If this technology is not there, you will enter your credentials in to that malicious website compromising your sensitive data. This is called Phishing.. We will do a cool Phishing tutorial later..

To stop this, SSL (Secure Socket Layer) VPNs were introduced. Let's take a real world example and understand what is happening at the back end.. Let's take an online session to PayPal.com

Before the client PC even start going to PayPal.com, some things have happened at the back end. Let's take a Certificate Authority like VeriSign.

They create a Public/ Private Key pair and they create their own Digital Signature using their Private Key..

Then they create their own CA certificate containing their Public Key and their Digital Signature and they send it to web browsers all over the world regularly. So the Client PC here has the CA's public key along with CA's digital signature before even start any web session to any website.

PayPal.com also create their own Public and Private Key pair and send their Public Key to CA asking for a Digital Certificate for them..

CA verify the legitimacy of the sender and they issue a Digital Certificate to PayPal.com containing PayPal.com's Public Key and CA's Digital Signature..

Now let's see an online session..
Client sends a SYN request to PayPal.com's web server's port 443 asking for a TCP 3-Way handshake. Server acknowledges and sends a SYN and the Client sends an ACK and TCP session starts..

Now the Client sends SSL hello along with a list of Ciphers which will be used in future to build the tunnel. (Ex:- Details about the Encryption Algorithm which will be used like RC4)
Server will pickup the best Ciphers it knows later..
Server sends SSL hello and PayPal.com's Digital Certificate to the Client PC.
Finally Client sends an ACK..

Because the Client has the CA's certificate which contains the CA's Public Key, He can verify the CA's Digital Signature by decrypting the Digital Signature on PayPal.com's Digital Certificate..

Following capture shows real Certificates of PayPal.com & It's CA..
You can view PayPal.com's Certificate by clicking on the padlock mark on web browser before the URL space when you are browsing PayPal.com & you can view the CA's Certificate in the Advanced Settings in your web browser..

Now the Client creates a Session Key for the online session.
This Key is a Symmetrical Key (Ex:- generated by RC4 algorithm)
So the Client PC encrypts the Session Key by PayPal.com's Public Key and send it to PayPal.com..

Because the Session Key is encrypted by the Public Key of the PayPal.com; PayPal.com can decrypt and retrieve the Session Key using their Private Key.

So both the Client and PayPal.com has the Session Key generated by the Client now.
Using this Session Key, both ends now can decrypt rest of the data securely creating the encrypted SSL session..

How IKEv1 IPSec VPNs Work?

If you are not familiar with the basics of cryptography, please read A Note on Cryptography Fundamentals & Algorithms before this. All of them will be used here to explain this.

IPSec VPN is just a logical tunnel between 2 VPN peers across a public network like internet. It does not create a separate network with a different IP range between peers. This post is about the IKE version 1 IPSec tunnels..

There are 2 types of IPSec VPNs according to their behavior. 

1. Site-to-Site VPNs

2. Remote Access VPNs

Basically Site-to-Site VPNs are formed between 2 gateways across the internet while Remote Access VPNs are created between a gateway and a client software.

Benefits:

1. Confidentiality through Encryption

2. Integrity through Hashing

3. Authentication through PSK (symmetrical keys) or RSA/DSA (asymmetrical keys)

4. Anti-replay packets by Counting Packets

Two Phases of VPN

Actually there are 2 tunnels in the process of creating a IPSec tunnel. We call them IKE (Internet Key Exchange) Phase 1 & Phase 2.

IKE Phase 1 is used to exchange control information between 2 VPN peers.

IKE Phase 2 is used to transport the real traffic.

Actually the IKE Phase 2 is the real IPSec tunnel which use IPSec parameters. IKE Phase 1 is formed using ISAKMP (Internet Security Association & Key Management Policy) parameters..

So IKE Phase 1 must be formed 1st in order to start IKE Phase 2 to send user traffic..

IKE Phase 1

STEP 01. Negotiate Phase 1

When PC1 wants to send a data packet to PC2, it hits R1 1st and R1 sends ISAKMP negotiation parameters to R2 to form IKE Phase 1. R2 sends his ISAKMP negotiation parameters to R1.

Following are the ISAKMP parameters which will be negotiated from both peers (R1 & R2)

Hashing Algorithm which will be used.. (MD5/SHA)

Authentication Type which will be used.. (PSK or RSA)

Group of Deffie Hellman Keys which will be used to generate shared key for encryption algorithms like DES/3DES/AES later.. (Group 1/2/ 5)

Life Time which the IKE Phase 1 tunnel must active.. (default is 1 day)

Encryption Algorithm which will be used.. (DES, 3DES, AES)

From all of the above 5 parameters only the life time can be different from both ends. They will agree to the minimum life time value from both ends.

STEP 02. Setup DH Keys

After the negotiation is completed, they will run Deffie Hellman Algorithm to generate shared secret key material. Following image will explain how the shared secret key is generated by DH Algorithm.

R1 and R2 creates public & private key pairs from their ends..
Both exchange their public keys with each other..
R1 creates his shared secret DH Key from his private key and R2's public key..
R2 creates his shared secret DH Key from his private key and R1's public key..

According to the DH Algorithm, final out put from both sides (DH Keys) are same. Following capture explains how the keys of both sides becomes equal mathematically.

Now using the shared secret key as the symmetrical key of the agreed encryption algorithm in step 1 (DES, 3DES, AES), both R1 and R2 can exchange encrypted data between peers.

STEP 03. Authenticate

Now R1 and R2 can authenticate by exchanging identities and certificates securely using the authentication method negotiated in step 1 and finally form IKE Phase 1 tunnel.

Now it's the time to form IKE Phase 2 tunnel which is the actual IPSec tunnel which will be used to transport user traffic from PC1 to PC2 using the security of IKE Phase 1 tunnel.

IKE Phase 2

STEP 01. Negotiate Phase 2

Like the ISAKMP parameters in IKE Phase 1, R1 & R2 will negotiate following IPSec parameters which will be used in IKE Phase 2 tunnel. Authentication is not necessary because IPSec peers are already authenticated in IKE Phase 1.

Hashing Algorithm which will be used.. (MD5/SHA)

Group of Deffie Hellman Keys which will be used to generate shared key for encryption algorithms like DES/3DES/AES later.. (Group 1/2/ 5). Here R1 & R2 can use the DH Key which is used in IKE Phase 1 or create a new DH Key just for IKE Phase 2. Creating a new DH Key for IKE Phase 2 is called Perfect Forward Secrecy (PFS)

Life Time which the IKE Phase 1 tunnel must active.. (can be a clock tick or amount of data)

Encryption Algorithm which will be used.. (DES, 3DES, AES)

STEP 02. DH Keys if PFS is configured

If PFS is configured R1 & R2 will run DH Algorithm to create a new shared secret key for the encryption algorithm which will be used in IKE Phase 2. Otherwise this step is omitted.

So after the negotiation or after the DH key creation (if PFS is configured) they form the fully working IPSec VPN from both ends. Now PC1's traffic can be securely sent to the PC2.

Note:-

According to the number of packets exchanged in the process of forming IKE Phase 1 & IKE Phase 2 tunnels, 3 modes are defined. But the overall process is same as described above.

Modes of IKE Phase 1:
1. Main Mode which use 6 packets to form IKE Phase 1 tunnel between R1 & R2
2. Aggressive Mode which use 3 packets to form IKE Phase 1 tunnel between R1 & R2

Modes of IKE Phase 2:
1. Quick Mode which use 3 packets to form IKE Phase 2 tunnel between R1 & R2

CDP Flooding Attack for Denial of Service of Cisco Switches

Very simple attack to launch.. will cause a DoS attack for a Cisco Switch. By flooding the CDP table switch gets an overhead in processes and will not be able to handle user traffic as usual.

Tools used: Yersinia in Kali Linux

Boot up the Kali Linux box from either Live USB or from a dedicated PC and connect it to a Cisco switch and enter the following command in terminal.
yersinia -G

It will start the GUI of Yersinia tool.. (click on the images to view in full screen)

Go to Launch Attack..

Select flooding cdp table and hit OK.

As soon as you hit OK, it will start generating thousands of CDP packets within seconds and they will fill out the CDP table of the switch and PCs connected to the switch will start to working slowly..





You can see the false CDP packets generated by the tool or if you have access to the switch you can enter show cdp neighbors to view what happened to the CDP table..

Before the attack is launched CDP traffic was like this..

When the attack was in progress, CDP traffic is like the following.. You can see 4653 inputs are there and an error message indicates that the memory allocation is failed..

How to protect from this?

Just disable CDP on access ports..

How Digital Signatures Work?

If you are not familiar with the basics of cryptography, please read A Note on Cryptography Fundamentals & Algorithms before this. All of them will be used here to explain this.

Involving Process is as follows..

Generate a key pair from sender side

First a key pair has to be generated at the sender side using an Asymmetric Encryption Algorithm like RSA or DSA.

Send the public key to receiver side

Public key has to be sent to the receiver side which is used to decrypt what sender is going to encrypt using his private key.

Get data and compute hash

Now sender get the data which he wants to digitally sign and send to receiver, (ex:- a data packet)
and run a Hashing Algorithm like MD5 or SHA and compute the hash.

Encrypt hash from private key to make signature

Hash /Checksum /Digest is encrypted using the senders private key. This encrypted hash is called the digital signature.

Send Data along with Digital Signature to receiver







Receiver verify the integrity

Now receiver can run the hashing algorithm to compute the hash and he can decrypt the digital signature using the sender's public key and check whether the both hash values are same or not. This way the receiver can find out that the data is really sent by the sender or not.

A Note on Cryptography Fundamentals & Algorithms

Encryption
Encryption is the most effective way to achieve data security. Basically when a plain text is encrypted it becomes scramble which is unreadable. This is not only for text documents, can be applied to any type of data..

Key
To encrypt and decrypt data, you need to have a Key, and a Key is a parameter which will define a functional output of a cryptographic algorithm. Encryption algorithms can be Symmetrical & Asymmetrical in the way they use Keys.

Symmetrical Encryption Algorithms
use only one key for both encryption and decryption.
Generally used in bulk encryption of data streams..
Ex:- DES, 3DES, AES, IDEA

Asymmetrical Encryption Algorithms
use 2 keys, one key to encrypt and another key to decrypt.
Anything encrypted by the 1st key can be decrypted only by the 2nd key and vice versa.
Generally used for authntications..
Ex:- RSA, DSA

Hashing Algorithms
use to verify the data integrity, means it will help you to check whether the data is manipulated in transit of not. Output of a hashing algorithm is called a hash/checksum/digest.
Ex:- MD5, SHA

Hashing algorithms are one way functions, so it is almost impossible retrieve original data by just a hash. If a hacker altered a single data bit in transit, checksum becomes completely different.
In the following example, you can see what happens to the digest when the last letter "t" is deleted.

Following command in Cisco devices will verify the integrity of a downloaded IOS image
R#verify /md5 flash:<filename.bin>


HMAC (Hashed Message Authentication Code)
use to verify the hash/checksum/digest generated by a hashing algorithm.
A hacker can capture and manipulate data in transit and run the hashing algorithm and attach the new hash and send to the destination as the original packet. This is a possibility in man in the middle attacks. HMAC is used to stop this.
Basically HMAC is a secret key which is used as an external parameter in computing hash using regular hashing algorithms like MD5 or SHA.
HMAC is known by the both sender and receiver only.

Now let's see a scenario of all the above things and how HMAC is used for integrity.
Here, let's assume a case where a man in the middle hacker some how could grab the encryption key. In this case if HMAC is not used, receiver will think the malicious data he received is correct.

Now lets' see what happens when HMAC is used in hashing. Because the Key used to generate HMAC is only known by the sender and receiver, hacker cannot regenerate the correct HMAC.
Basically, HMAC is the output of a hashing algorithm which can only be generated by a unique way and can be only done by the people who has the secret key.

Allow Remote Access from Internet to a Device of Inside Zone

This is the secure way to remotely manage / SSH a device (Coperate-Router) which is in the inside/higher security zone of a router from outside/lower security zone of the Firewall. That outside can even be the public internet. In this post I am allowing it through a Cisco ASA Firewall.

After basic ip and routing configured, lab starts with ASDM..

Here we have to solve only 2 problems,
1. Setup a public IP address to access the Coperate-Router from internet
2. Bypass the Firewall from lower security zone to higher security zone

We will use NAT & ACL to solve this problem..

Create 2 Objects for Coperate-Router with Public & Internal IPs

Go to Configuration > Firewall > Objects > Network Objects/Groups and create 2 Objects, One with a public IP address & another for just to represent the actual Coperate-Router in NAT process.

You can create an object with any public IP you have. It doesn't matter..

Static NAT rule between Created Objects

Go to Configuration > Firewall > NAT Rules and add a NAT rule with following settings

Original Packet Interfaces must be sourced from outside to destined for inside..
Source address is irrelevant because it can come from anywhere from Internet..
If you want only one one PC to be connected to Coperate-Router you can give it as the source address of the original packet. Anyway you can set it on the ACL too because this is just a NAT rule which the packet hits prior to the ACL..
Destination address of the original packet should be the Public-CoRouter object..

ACL from outside to internal ip of Coperate-Router

Go to Configuration > Firewall > Access Rules and add an ACL with following settings

ACL is applied to the outside interface and the destination must be the CoRouter object we created..
You can assign the service to be SSH only..

Configure Routes

Now in order to work this setup, 3 routes must be there..

1. Default route on Coperate-Router to ASA
2. Default route on ASA to INT-RTR
3. Static route to 203.115.1.1 on INT-RTR to ASA

If configured above routes well, Internet-PC will be able to open a SSH session to Coperate-Router..
If you encounter problems with SSH configuration on Coperate-Router please read this

Enabling SSH on Cisco Routers / Switches for Local Users

Basic yet a useful note, so made a post for my future reference.. Following commands are entered in global configuration mode..

Steps:-

1. Configure Domain name

Without a domain name, router will not be able to generate a RSA key itself

R(config)#ip domain name roshanznet.local

2. Generate Crypto keys

This will be used to generate key pairs for encryption & decryption of data. Keys of 1024 bits will be enough and processor friendly

R(config)#crypto key generate rsa

3. Enable SSH v2

More advanced version of SSH which is widely used will be enabled

R(config)#ip ssh version 2

4. Create Local User Accounts

These will be used as login credentials

R(config)#username roshan privilege 15 password cisco

5. Allow SSH on vty

These commands will define the input type and use local user database to login

R(config)#line vty 0 4

R(config-line)#transport input ssh

R(config-line)#login local

Because the keys are generated by the router itself, when you try to connect it using a terminal client, It will show this error. Hit yes and you are in..

Note:- 

Default name of the device "Router" will have to be changed to generate RSA Keys