DOCSLIB.ORG

Memory Forensics Analysis of Cisco IOS XR 32 Bits Routers

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Memory Forensics Analysis of Cisco IOS XR 32 Bits Routers Memory forensics analysis of Cisco IOS XR 32 bits routers Abstract Attackers are constantly developing new techniques to bypass current security measures, and they are researching new targets to attack. The "Shadow Brokers" case illustrates that advanced attackers now target network devices such as routers. These core devices handle large amounts of data and are generally not audited by the security team, nor protected by specific security solutions, making them very interesting targets for attackers. This paper explains Cisco IOS XR routers internal, relevant to forensics analysis. As no forensics tool exists on this platform, we develop a tool for dumping the memory of the routers and another one, amnesic-sherpa, to analyze the memory dumps. Also, we demonstrate that by using an automated process based on these tools, we can determine if a router was compromised. Keywords: Forensics, QNX, Cisco, Routers forensics, Memory forensics, Routers, Firmware analysis 1. Foreword help debug, ...). This process creates child processes (in user space) and manage the system memory. QNX can There are a lot of publications on Cisco routers us- thus via proc-nto load the services that the system needs. ing the standard version of IOS (Lindner, 2008). There These services use a message passing system (QNX, 2010c) are, however, very few technical papers and research work to communicate together. They are either provided by de- about the security and forensics analysis of Cisco router fault, or developed and distributed in a specific image of using IOS XR (CISCO, 2005). Furthermore these devices the system. are at the core of many networks today. Because of this, When they are created, the services register a path or they are an interesting target for attackers and that's why a succession of paths that are the entry points to com- we choose to study these routers. IOS XR is based on municate with them. An application that wants to use the QNX (BlackBerry, 2010) operating system and there these services starts by opening one of these paths. To are also few publications about its security, and how to this end, the application sends the path of the service to perform forensics on this platform. the resource manager (QNX, 2010e) which resolve it and returns an identifier that is used to send and receive mes- 2. QNX sages from the service. For example, the file system is managed by a service QNX is an operating system based on a microkernel that loads a driver to directly communicate with the hard architecture. The first release was made in 1982 and since drive on one side, and, on the other, exposes a tree of files then, the system has been used in many embedded sys- to an application. In the same way, the network stack is tems, such as routers, infotainment systems or telematics a user space services that, on one side, load a driver for in cars (QNX CAR). the network card and, on the other side, creates a virtual Blackberry, the company that maintains QNX today, mount point that can be used to communicate with the makes available to its customers the sources of the oper- stack via the message system. ating system to let them generate an image of the system To ease the development of third-party applications, optimized for their hardware and containing only the ser- QNX conforms to the POSIX (QNX, 2010d) standard. vices and applications they have selected or developed. Different libraries (libc, libsocket) are also provided to ab- stract the message system and present function signatures 2.1. Architecture to developers as they are specified by the POSIX stan- At system startup, a specific code, the IPL (QNX, dards. 2010a) (Initial Program Loader), runs a startup code to initialize the hardware, and load the system image in RAM. This allows configuring the system before launching the 2.2. Examples of communication via the message system microkernel and the first services which are processes in On Linux, the libc hide the use of system calls (syscall) user space. The microkernel proc-nto (QNX, 2010b) is which allows the communication between the kernel and also the process manager of the operating system and ex- the user space (Listing 1). ists in several variants: proc-nto, proc-nto-inst, proc-nto- smp (multiprocessor management, instrumented version to Listing 1: Linux libc syscall wrapper. Preprint submitted to Elsevier September 16, 2019 edi 0x8047a28 134511144 fd = open("file"); eip 0xb033d95f 0xb033d95f <MsgSendv+39> //Internally the libc do : fd = syscall(open_syscall_number, "file"); write(fd, "abcd", 4); int MsgSend(int coid, const iov_t* siov, int sparts, cont iov_t* riov, rparts) //ret = syscall(write_syscall_number, fd, "abcd", 4); close (fd ); //ret = close(close_syscall_number, fd); Listing 4, shows that once the message is sent by the Similarly on QNX the libc hide the system of connections kernel, the return address is 0xb8222c98, the fd value is and messages between services (Listing 2). 0x03, the IOV (Input/Output Vector) buffer points to 0x08047930 and it contains 3 IOV. There is no IOV re- Listing 2: QNX libc message wrapper. turned by the function, so no return buffer is allocated //For "fd = open("myfile");" QNX libc internally do : (the return buffer can be the same as the send buffer). fd = ConnectAttach(PATHMGR_COID, "myfile", 1, 0, 1); //ConnectAttach is a syscall Listing 4: Disassembly of MsgSendv arguments pointer sent_msg.type = IO_CONNECT sent_msg.data = "myfile" (gdb) x/10x \$ecx sent_msg.path_len = strlen("myfile"); retaddr fd IOVpointer numberofIOV MsgSend(fd, sent_msg, sent_msg_size, reply_msg, reply_msg.size); 0x80478fc: 0xb8222c98 0x00000003 0x08047930 0x00000003 //MsgSend is a syscall //reply_msg.pid; is the id of the process managing the current path ret IOV ptr number of ret iov 0x804790c: 0x00000000 0x00000000 0xb035b0c0 0x08047948 ConnectDetach(fd); 0x804791c: 0xb82248e1 0x08047930 //we connect to the service and we ask for a fd for this path //reply->pid is the pid of the process that handles the hard disks fd = ConnectAttach(reply->nd, reply->pid, reply->chid, 0, 0); In Listing 5, we see that 0x08047948 is the address and MsgSend(fd, sent_msg, sent_msg_size, reply_msg, reply_msg_size) 0x14 is the size of the message in the OIV structure. return (0); Listing 5: Disassembly of the IOV buffer //write(fd, "abcd", 4) sent_msg_buffer.type = IO_WRITE (gdb) x/10x 0x08047930 sent_msg_buffer.nbytes = 4 msgaddr msgsize sent_msg.buffer.data = "abcd" 0x8047930: 0x08047948 0x00000014 0x00000000 0x00000000 MsgSend(fd, sent_msg_buffer, sent_msg_buffer_size, ret_msg_buffer, 0x8047940: 0x40114000 0x0000a000 0x00140102 0x0000a000 sizeof(ret_msg_buffer)); 0x8047950: 0x00000003 0x00000000 //close(fd) sent_msg.type = IO_CLOSE sent_msg.size = sizeof(sent_msg); If we follow the message address, we then find the param- ret = MsgSend(fd, sent_msg_buffer, sizeof(sent_msg), 0, 0); ConnectDetach(fd); eter of the message (Listing 6). //ConnectDetach is a syscall Listing 6: Disassembly of a message 2.3. Message analysis under a debug session (gdb) x/10x 0x08047948 type|c_len nbytes xtype zero To communicate with a service, you need to know its 0x8047948: 0x00140102 0x0000a000 0x00000003 0x00000000 specific message format. The service sources, and thus These values can be translated into the C code in Listing 7. the message format, are, however, not always public. We must therefore reverse engineer the format to understand Listing 7: Construction of a QNX Message in C it. After that, we can communicate with the services with- msg.i.type = _IO_WRITE; msg.i.combine_len = sizeof msg.i; out using the libc or any other libraries. msg.i.xtype = _IO_XTYPE_NONE; msg.i.nbytes = 4096; In Listing 3, we can see how an exchange between an msg.i.zero = 0; SETIOV(iov + 0, &msg.i, sizeof msg.i); application and a service looks in assembly. We see that SETIOV(iov + 1, buff, buff); the code will test the value 0x400 to find out if the system return MsgSendv(fd, iov, 2, 0, 0); requires the call to the sysenter function or an interrupt (0x28) to go into kernel mode. The arguments passed to With this information we can now write a program that MsgSendv, via the stack, are therefore in the ecx register. sends messages without using the libc. This is helpful if we can't, or don't want to, link to the libc. Listing 3: Disassembly of the MsgSendv function Dump of assembler code for function MsgSendv: 0xb033d938 <MsgSendv+0>: mov $0xb,%eax 3. Memory dump 0xb033d93d <MsgSendv+5>: call 0xb033d942 <MsgSendv+10> 0xb033d942 <MsgSendv+10>: pop %edx 0xb033d943 <MsgSendv+11>: mov %edx,%ecx 0xb033d945 <MsgSendv+13>: add $0x3eb92,%ecx Nowadays, most attacks do not leave any trace on the 0xb033d94b <MsgSendv+19>: add $0x1f,%edx 0xb033d951 <MsgSendv+25>: testl $0x400,0x2120(%ecx) disk and are only executed in memory to be stealthier. 0xb033d95b <MsgSendv+35>: je 0xb033d970 <MsgSendv+56> 0xb033d95d <MsgSendv+37>: mov %esp,%ecx Detecting these attacks require to analyze the contents 0xb033d95f <MsgSendv+39>: sysenter 0xb033d961 <MsgSendv+41>: ret of the system memory and extract information from the 0xb033d962 <MsgSendv+42>: add $0x3eb73,%edx 0xb033d968 <MsgSendv+48>: mov 0xcb0(%edx),%edx different data structures. As there is currently no tool to 0xb033d96e <MsgSendv+54>: jmp *%edx 0xb033d970 <MsgSendv+56>: int $0x28 make a copy of the memory of QNX system for the purpose 0xb033d972 <MsgSendv+58>: ret 0xb033d973 <MsgSendv+59>: jmp 0xb033d962 <MsgSendv+42> of forensic analysis, we develop one. (gdb) info reg eax 0xb 11 ecx 0x80478fc 134510844 edx 0xb033d961 -1338779295 ebx 0xb8229d44 -1205691068 esp 0x80478fc 0x80478fc ebp 0x8047968 0x8047968 esi 0xa000 40960 2 3.1. Development of a specific tool • page size To copy the content of the memory of a system such as • processor info Linux or Windows, the memory dumping tools must run in kernel mode (Hale Ligh et al., 2014). But, under QNX, • address space an application in user mode can access all the physical memory.
Load more

Recommended publications
  • Cisco IOS XR Software Release
    CISCO CRAFT WORKS INTERFACE QUICK START GUIDE Cisco IOS XR Software Release 3.5 1 Introduction 2 About CWI 3 Prerequisites 4 Configuring the Router and CWI Client 5 Installing, Launching, and Uninstalling CWI 6 Getting Started with CWI 7 Reference Information 8 Obtaining Documentation, Obtaining Support, and Security Guidelines 1 Introduction This document introduces Craft Works Interface (CWI) that supports Cisco IOS XR Software Release 3.5. Note This document refers to CWI managing devices. For Cisco IOS XR software, the devices can be any or all of the secure domain routers (SDRs) of which your Cisco IOS XR system is composed. Related Documentation See the following list for related documents that may be useful: • Cisco Craft Works Interface User Guide • Cisco Craft Works Interface Online Help Intended Audience This document is intended for experienced service provider administrators, Cisco telecommunication management engineers, and third-party field service technicians who have completed the required Cisco router training sessions. 2 About CWI CWI is a powerful, session-based tool that allows you to manage, monitor, and configure a single device or a network of devices. CWI is designed to operate in as many situations as possible. Using CWI you can: • Connect to the devices in several ways through a serial port, a terminal server, or an IP-based method, such as Telnet, SSH, or CORBA. • Run Windows, Macintosh, and Linux clients. • Connect to devices with or without XML or command-line interface (CLI) capabilities. • Display both the administrative (admin) plane and device plane for Cisco IOS XR devices. CWI offers a selection of CLI- and graphic-based tools from which you can perform management tasks.
    [Show full text]
  • Cisco CRS-1 SIP and SPA Configuration Guide Cisco IOS XR Software Release 3.3
    R3.3 Beta Draft—Cisco Confidential Information Cisco CRS-1 SIP and SPA Configuration Guide Cisco IOS XR Software Release 3.3 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Text Part Number: OL-7110-03 R3.3 Beta Draft—Cisco Confidential Information THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
    [Show full text]
  • Cisco IOS XR Memory Forensics Analysis
    Cisco IOS XR memory forensics analysis Solal Jacob Agence Nationale de la Sécurité des Systèmes d’Information 2019 TOC I I- IOS XR internals & forensics analysis I II - Attack simulation I III - Detection ANSSI Cisco IOS XR memory forensics analysis 2/33 I- IOS XR internals & forensics analysis I We would like to be able to analyze a router to know if it was compromised I For that we want to develop memory forensics tools to detect advanced attack I IOS XR is an exotic system used on core routers ANSSI Cisco IOS XR memory forensics analysis 3/33 IOS XR I Used in Cisco routers (12000, ASR9000, ...) I 32 bits version only I Based on QNX 6.4 ANSSI Cisco IOS XR memory forensics analysis 4/33 QNX I Microkernel released in 1982, now part of Blackberry I Used in embedded system : Routers, Infotainment, Telematics (Westing House, AECL, Air traffic Control, General Electric) I Source was released then closed again ANSSI Cisco IOS XR memory forensics analysis 5/33 QNX architecture I Fault tolerant I Reduced kernel attack surface I Conforms to posix standard I Customizable by OEM ANSSI Cisco IOS XR memory forensics analysis 6/33 QNX Security & Forensics I Some CVEs I No hardening before 6.6 I Troopers 2016, QNX : ”99 Problems but a Microkernel ain’t one !” (Vuln in message passing & IPC) I Recon 2018, ”Dissecting QNX” (Mitigation & PRNG) I No forensics papers or presentations ANSSI Cisco IOS XR memory forensics analysis 7/33 QNX startup I The IPL, Inital Program Loader, initializes the hardware, configures the memory controller, loads the system image
    [Show full text]
  • System Management Configuration Guide for Cisco NCS 540 Series Routers, IOS XR Release 7.3.X
    System Management Configuration Guide for Cisco NCS 540 Series Routers, IOS XR Release 7.3.x First Published: 2021-02-26 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
    [Show full text]
  • IOS XR Software CRS-1 and C12000
    IOS XR Software CRS-1 and C12000 Martin Winter Technical Leader Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1 Agenda High Level IOS XR Strategy IOS XR Software Architecture IOS XR CLI Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 2 High level IOS XR Strategy Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 3 High End Routing Portfolio Next Generation Core 40G Routing Day 1 CRS-1 Multi-Chassis Scale Foundation for Core Consolidation Next Generation Core & Edge • Builds on 12000 Series Technology • PRP, 2.5G ISE, 10G ISE Cisco XR 12000 • Edge interface breadth/density • 4/6/10/16 Slot Form Factor • Foundation for Multi-Service Edge consolidation Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 4 Cisco High End Routing Strategy IOS XR: Foundation of Cisco HER Technology Convergence HighHigh EndEnd RoutingRouting PlatformsPlatforms Systems Silicon Services (Single and Multi- (Forwarding (High Touch Deep Chassis / 2.5G to 40G+) Engines) Packet Inspection) Services CRS 40G ISE Blade (X-Blade) 12000 10G ISE 2.5G ISE vFW, SBC IOS XR Software • IOS XR is the ‘glue’, delivering HA, scale, core+edge services with common management and user interface Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 5 IOS XR Software Architecture Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 6 Modular IOS != IOS XR Modular IOS: Ships today on Catalyst 6500 with Sup720 and Sup32 Based on the same IOS code with added Microkernel and IOS split into multiple processes. Not everything as it’s own process (ie all Routing as one process), optimized for performance on existing hardware IOS XR: Ships today on CRS-1 and C12000 (PRP only) Complete rewrite of the code Very modular, split into multiple processes and built for multiterabit scaling and distributed operation Features targeted for SP NGN router Presentation_ID © 2006 Cisco Systems, Inc.
    [Show full text]
  • Cisco IOS XR Security
    07_1587052717_ch06.qxp 5/15/09 11:21 AM Page 159 CHAPTER 6 Cisco IOS XR Security It is important to control access to the router to prevent unauthorized or malicious use that might take the router offline or use it to launch an attack on the rest of the network. Cisco IOS XR provides the authentication, authorization, and accounting (AAA) frame- work that helps provide secure access via the logical vty and the physical tty ports. Fur- thermore, ensuing sections in this chapter discuss the concepts of task-based authorization and familiarize the user with IOS XR concepts such as admin and SDR planes as well as the uniqueness of user groups and task group configuration. Forwarding plane refers to the components involved in the various stages during packet forwarding. Forwarding plane refers not only to the flow of a packet through the router but also to the packets destined to the router. Protection of forwarding plane is important and necessitates controlling the type of traffic that traverses the router, and limiting the amount of traffic that’s destined to the router itself so that the router does not become a victim of a denial of service (DoS) attack. You might well be familiar with access control lists (ACL) and Unicast Reverse Path Forwarding (uRPF) as popular forwarding plane secu- rity features. Additionally, IOS XR has a concept of Local Packet Transport Service (LPTS). LPTS provides protection against traffic destined to the router. This type of traffic is usually related to routing protocols that typically run on the route processor (RP) of the router, though Telnet, SNMP, NTP, ping, traceroute, and various other services create traf- fic that can be destined to a router’s line card or RP CPU.
    [Show full text]
  • Release Notes for Cisco NCS 5000 Series Routers, IOS XR Release 6.6.1
    Release Notes for Cisco NCS 5000 Series Routers, IOS XR Release 6.6.1 Network Convergence System 5000 Series Routers 2 Release 6.6.1 Packages 2 System Requirement 3 Software Features Introduced in this Release 4 Behavior Change Introduced in this release 4 Hardware Features Introduced in this Release 4 Caveats 5 Upgrading Cisco IOS XR Software 5 Related Documentation 5 Communications, Services, and Additional Information 6 Full Cisco Trademarks with Software License 8 Network Convergence System 5000 Series Routers Note Explore the Content Hub, the all new portal that offers an enhanced product documentation experience. • Use faceted search to locate content that is most relevant to you. • Create customized PDFs for ready reference. • Benefit from context-based recommendations. Get started with the Content Hub at content.cisco.com to craft a personalized documentation experience. Do provide feedback about your experience with the Content Hub. Cisco IOS XR Release 6.6.1 is a limited availability (LA) release. All Cisco IOS XR Release 6.6.1 features are available in Cisco IOS XR Release 6.6.25, which is a general availability (GA) release. For more information on IOS XR Release 6.6.25, see Release Notes for Cisco NCS 5500 Series Routers, Release 6.6.25 The Network Convergence System 5000 Series offers a high-density, small-form-factor MPLS aggregation router for metro aggregation. It is designed to economically scale large enterprise, over-the-top (OTT), and service provider Data Center networking architectures. The Cisco NCS 5000 Series is an extension to Cisco’s routing platform portfolio enabling Service Providers and MPLS enabled data center architectures to offer elastic networks with improved business agility and simplified operations to deliver high-bandwidth mobile, video, and cloud services.
    [Show full text]
  • System Setup and Software Installation Guide for Cisco ASR 9000 Series Routers, IOS XR Release 6.7.X
    System Setup and Software Installation Guide for Cisco ASR 9000 Series Routers, IOS XR Release 6.7.x First Published: 2020-08-01 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
    [Show full text]
  • Point to Point Protocol Cisco Pdf
    Point To Point Protocol Cisco Pdf intoningPadraig hypostatisedher make-peace freely. thinkingly, Cooper unsweetenedis concordant: and she interpenetrable. distilled tropically and besmirch her cracks. Emmet Both Palo Alto and Bluecoat have the capability to do SSL Decryption and URL Filtering. Unlike HDLC which through a Cisco proprietary protocol PPP is however open standard protocol so again should award it to patrol a Cisco router to a. In recent years, use Ethernet over ATM encapsulation. Palo Alto Networks does follow coordinated vulnerability disclosure for security vulnerabilities that are reported to us by external researchers. In it is a connection points also no cabling cisco online, and ccie cyber security infrastructure certifications looking forward in cisco pdf to point protocol field is known that the peer is. Pds can return to icts, you need to not able to grow your proxy, crypto ipsec tunnel interfaces and effectively manage the difference is a result. The protocols take your area is to connect from bgp process, and consumption of. The toe the blueprint for new to point for industry for the selected software. Unified access points operate anywhere the Lightweight Access Point Protocol LWAPP and west in door with Cisco wireless LAN controllers and the Cisco. Ccie cyber ops exam and protocol field. The final exam time is not included in the time table. This lab and paste edition by the link is by the following line status is a modem from ucs blades jumbo frames. Study of BGP blackholing as an attack vector. Advanced OSPF Lab to know full connectivity using OSPF. Cable connected to add an implementation of the default lmi option negotiation.
    [Show full text]
  • Cisco IOS XR Memory Forensics Analysis
    Cisco IOS XR memory forensics analysis Solal Jacob Agence Nationale de la Sécurité des Systèmes d’Information 2019 Plan I I- IOS XR internals & forensics analysis I II - Attack simulation I III - Detection ANSSI Cisco IOS XR memory forensics analysis 2/36 I- IOS XR internals & forensics analysis I We would like to be able to analyse a router to know if it was compromised I For that we want to develop memory forensics tools to detect advanced attack I We choose IOS XR because it’s an exotic system used on core routers ANSSI Cisco IOS XR memory forensics analysis 3/36 IOS XR I Used in Cisco routers (1200, ASR9000, ...) I 32 bits version only I Based on QNX 6.4 ANSSI Cisco IOS XR memory forensics analysis 4/36 QNX I Microkernel released in 1982, now part of Blackberry I Used in embedded system : Routers, Infotainment, Telematics (Westing House, AECL, Air traffic Control, General Electric) I Source was released then closed again ANSSI Cisco IOS XR memory forensics analysis 5/36 QNX architecture I Fault tolerent I Reduced kernel attack surface I Conform to posix standard I Customizable by OEM ANSSI Cisco IOS XR memory forensics analysis 6/36 QNX Security & Forensics I Some CVEs I No hardening before 6.6 I Troopers 2016, QNX : ”99 Problems but a Microkernel ain’t one !” (Vuln in message passing & IPC) I Recon 2018, ”Dissecting QNX” (Mitigation & PRNG) I No forensics papers or presentations ANSSI Cisco IOS XR memory forensics analysis 7/36 QNX startup I The IPL, Inital Program Loader, initialize the hardware, configure the memory controller,
    [Show full text]
  • Cisco IOS XR MPLS Configuration Guide Cisco IOS XR Software Release 3.7
    R37 Technical Checkpoint Draft—Cisco Confidential Cisco IOS XR MPLS Configuration Guide Cisco IOS XR Software Release 3.7 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Customer Order Number: OL-15850-01 R37 Technical Checkpoint Draft—Cisco Confidential THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
    [Show full text]
  • System Management Configuration Guide for Cisco ASR 9000 Series Routers, IOS XR Release 7.3.X
    System Management Configuration Guide for Cisco ASR 9000 Series Routers, IOS XR Release 7.3.x First Published: 2021-02-01 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
    [Show full text]