When you have to protect your VoIP CallManager in a secure zone of your LAN you have to face two problems: SIP and NAT. In our case we handle VoIP sessions through the firewall by configuring an ACL with a TCP/UDP port_set. For internal resources we don’t use NAT mode; here you have the ports from phones to CM: Destination port Description …
Nmap features
Nmap is open-source software that apparently scans IPs and TCP/UDP ports. But it can do more! In association with scripts, it is able to analyze targets at layer 7. In fact Nmap is loaded with a scripting engine aka NSE (Nmap Scripting Engine) that transforms this tool into a vulnerability scanner. For a complete list of scripts look here! …
BGP routes leak. Why?
Yesterday, 20190624, a route leak hit major Internet players like Cloudflare, Verizon and Amazon AWS, which were affected by a network outage. An impressive recon and report were made by Cloudflare, which detected the problem early and helped AS33154 to solve it. You can find the complete report here. But what happened? Briefly, it seems that a BGP protocol …
Blackholing a Customer Edge
Protecting the internal network or public network segments is the Network Engineer’s mission. Usually we have firewalls for perimeter security, but what do we do if we want to protect public transit IPs? Some public IP addresses configured on Customer Edge Routers provide only traffic routing from the client side to the ISP, so there is no …
Block suspect Layer2 traffic on Routers & Switches
How do I block a suspect MAC address on a customer edge router or switch? On Huawei there is a command that reminds me of the shun option on Cisco ASA: mac-address blackhole mac-address { vlan vlan-id | vsi vsi-name } It works in both VLAN and VPLS environments.