


Note: If you change the access list configuration and do not want to wait for existing connections to time out before the new access list is used, you can clear the connections with the clear local-host command.

In routed firewall mode, broadcast and multicast traffic is blocked even if you allow it in an access list; this includes unsupported dynamic routing protocols and DHCP (unless you configure DHCP relay). Transparent firewall mode can allow any IP traffic through. This is especially useful in multiple context mode, which does not allow dynamic routing: a transparent context can bridge the routing protocol traffic that a routed context would drop.
The security appliance receives trunk port (Cisco proprietary) BPDUs. Trunk BPDUs have VLAN information inside the payload, so the security appliance modifies the payload with the outgoing VLAN if you allow BPDUs.

Note: If you use failover, you must allow BPDUs on both interfaces with an EtherType access list to avoid bridging loops.

Because EtherTypes are connectionless, you need to apply the access list to both interfaces if you want traffic to pass in both directions. You can apply only one access list of each type (extended and EtherType) to each direction of an interface. You can also apply the same access list to multiple interfaces.

Note: If an EtherType access list is configured to deny all, all Ethernet frames are discarded. Only physical protocol traffic, such as auto-negotiation, is still allowed.

When you enter the access-list command for a given access list name, the ACE is added to the end of the access list.

Webtype access lists are access lists added to a configuration that supports filtering for clientless SSL VPN.

Object groups can be of the following types:
- Protocol
- Network
- Service
- ICMP type

Note: You cannot remove an object group or make an object group empty if it is used in an access list.

Note: Users could experience a delay of approximately 80 to 100 seconds after the specified end time for a time-range ACL to become inactive. For example, if the specified end time is 3:50, because the end time is inclusive, the command is picked up anywhere between 3:51:00 and 3:51:59. After the command is picked up, the security appliance finishes any currently running task and then services the command to deactivate the ACL.
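As an added example (not configuration from the original guide; the interface names, addresses, object names and time values are assumptions), the following fragment exercises the points above: an extended access list built from object groups and a time range, applied inbound on the inside interface, plus an EtherType access list for a transparent-mode failover pair, applied to both interfaces because EtherType traffic is connectionless.

```cisco
! Added example; all names, addresses and times are assumed. Lines starting with "!" are comments.
! --- Object groups (they cannot be removed or emptied while INSIDE_IN references them) ---
object-group network DMZ_WEB
 network-object 10.1.2.0 255.255.255.0
object-group service WEB_PORTS tcp
 port-object eq www
 port-object eq https
object-group icmp-type PING
 icmp-object echo
 icmp-object echo-reply
! --- Time range: ACEs that reference it are active weekdays 08:00-18:00 ---
! (expect the ACE to stay active for roughly 80-100 s past 18:00 before it is deactivated)
time-range BUSINESS_HOURS
 periodic weekdays 08:00 to 18:00
! --- Extended ACL: each new access-list line for INSIDE_IN is appended to the end ---
access-list INSIDE_IN extended permit tcp any object-group DMZ_WEB object-group WEB_PORTS time-range BUSINESS_HOURS
access-list INSIDE_IN extended permit icmp any object-group DMZ_WEB object-group PING
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
! --- Transparent mode only: EtherType ACL for a failover pair ---
! BPDUs must pass on both bridged interfaces, or the upstream switches see a bridging loop.
! Only the implicit deny at the end of the list is relied on: an explicit "deny any"
! EtherType ACE would also drop IP and ARP frames, not just the non-IP EtherTypes.
access-list ETHER ethertype permit bpdu
access-group ETHER in interface inside
access-group ETHER in interface outside
```

After INSIDE_IN is changed, connections that were already established keep their old verdict until they time out; clear local-host tears them down so the new list applies immediately. An extended list and an EtherType list can both be applied to the same interface direction, but only one of each type.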
Newly supported in this version: EIGRP, redundant interfaces, Auto Update support for failover pairs, remote command execution in failover pairs, threat detection, NAT in transparent mode, management connection limits, virtual sensors on the AIP SSM module, and secure logging on the ASA (not supported on the PIX).

Some of the benefits of NAT include the following:
- You can use private addresses on your inside networks. Private addresses are not routable on the Internet.
- NAT hides the local addresses from other networks, so attackers cannot learn the real address of a host.
- NAT can resolve IP routing problems by supporting overlapping IP addresses.

The security appliance runs in two different firewall modes:
- Routed
- Transparent

For each packet, the security appliance first determines which of the following applies:
- Is this a new connection? If so, the security appliance has to check the packet against access lists and perform other tasks to determine whether the packet is allowed or denied. To perform this check, the first packet of the session goes through the "session management path," and, depending on the type of traffic, it might also pass through the "control plane path." The session management path is responsible for the following tasks:
  - Performing the access list checks
  - Performing route lookups
  - Allocating NAT translations (xlates)
  - Establishing sessions in the "fast path"
  Note: The session management path and the fast path make up the "accelerated security path." Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed on to the control plane path.
- Is this an established connection? If the connection is already established, the security appliance does not need to re-check packets; most matching packets can go through the fast path in both directions.
The fast path is responsible for the following tasks:
- IP checksum verification
- Session lookup
- TCP sequence number check
- NAT translations based on existing sessions
- Layer 3 and Layer 4 header adjustments

For UDP or other connectionless protocols, the security appliance creates connection state information so that it can also use the fast path. Data packets for protocols that require Layer 7 inspection can also go through the fast path. Some established-session packets must continue to go through the session management path or the control plane path: packets that go through the session management path include HTTP packets that require inspection or content filtering, and packets that go through the control plane path include the control packets for protocols that require Layer 7 inspection.

The admin context is just like any other context, except that when a user logs in to the admin context, that user has system administrator rights and can access the system and all other contexts.

For the PIX 515/515E and the ASA 5510 and higher security appliances, the factory default configuration configures an interface for management so that you can connect to it using ASDM, with which you can then complete your configuration. For the ASA 5505 adaptive security appliance, the factory default configuration configures interfaces and NAT so that the security appliance is ready to use in your network immediately. The factory default configuration is available only for routed firewall mode and single context mode. To restore the factory default configuration, enter the following command:

hostname(config)# configure factory-default [ip_address [mask]]

This command also clears the boot system command, if present, along with the rest of the configuration. The boot system command lets you boot from a specific image, including an image on the external Flash memory card.
The next time you reload the security appliance after restoring the factory configuration, it boots from the first image in internal Flash memory; if there is no image in internal Flash memory, the security appliance does not boot.

For multiple context mode, you can use only one firewall mode for all contexts. You must set the mode in the system execution space. When you change modes, the security appliance clears the configuration because many commands are not supported in both modes. If you already have a populated configuration, back it up before changing the mode; you can use this backup for reference when creating your new configuration.
- To set the mode to transparent, enter the following command in the system execution space:
  hostname(config)# firewall transparent
  This command also appears in each context configuration for informational purposes only; you cannot enter this command in a context.
- To set the mode to routed, enter the following command in the system execution space:
  hostname(config)# no firewall transparent

To save the system or context configuration, enter the following command within the system or context:

hostname# write memory

For multiple context mode, context startup configurations can reside on external servers. In this case, the security appliance saves the configuration back to the server you identified in the context URL, except for an HTTP or HTTPS URL, which does not let you save the configuration to the server. To save all context configurations at the same time, as well as the system configuration, enter the following command in the system execution space:

hostname# write memory all [/noconfirm]

Problems can occur when saving; see page 74 for details.
You cannot use Active/Active failover and VPN; if you want to use VPN, use Active/Standby failover. The PIX does not support SSL VPN and cannot do VPN load balancing.

Features not supported in multiple context mode:
- Dynamic routing protocols (only static routing is supported)
- VPN
- Multicast routing (multicast bridging is supported)
- Threat detection
- QoS

The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses the context that is designated as the admin context. The system configuration does include a specialized failover interface for failover traffic only.

Note: If the destination MAC address is a multicast or broadcast MAC address, the packet is duplicated and delivered to each context.

Unique Interfaces
If only one context is associated with the ingress interface, the security appliance classifies the packet into that context. In transparent firewall mode, unique interfaces for contexts are required, so this method is used to classify packets at all times.

Unique MAC Addresses
If multiple contexts share an interface, the classifier uses the interface MAC address. The security appliance lets you assign a different MAC address in each context to the same shared interface, whether it is a shared physical interface or a shared subinterface. By default, shared interfaces do not have unique MAC addresses; the interface uses the physical interface's burned-in MAC address in every context. An upstream router cannot route directly to a context without unique MAC addresses. You can set the MAC addresses manually when you configure each interface, or you can generate MAC addresses automatically.

NAT Configuration
If you do not have unique MAC addresses, the classifier intercepts the packet and performs a destination IP address lookup. All other fields are ignored; only the destination IP address is used.
To use the destination address for classification, the classifier must know which subnets are located behind each security context. The classifier relies on the NAT configuration to determine the subnets in each context: it matches the destination IP address to either a static command or a global command. The following configurations are not used for packet classification:
- NAT exemption: the classifier does not use a NAT exemption configuration for classification purposes because NAT exemption does not identify a mapped interface.
- Routing table: if a context includes a static route that points to an external router as the next hop to a subnet, and a different context includes a static command for the same subnet, the classifier uses the static command to classify packets destined for that subnet and ignores the static route.

Note: If you share an inside interface and do not use unique MAC addresses, the classifier imposes some major restrictions. The classifier relies on the address translation configuration to classify the packet within a context, so you must translate the destination addresses of the traffic. Because you do not usually perform NAT on outside addresses, sending packets from inside to outside on a shared interface is not always possible: the outside network is large (the Web, for example), and its addresses are not predictable enough for an outside NAT configuration. If you share an inside interface, use unique MAC addresses. For transparent firewalls, you must use unique interfaces.

Placing a context directly in front of another context is called cascading contexts; the outside interface of one context is the same interface as the inside interface of another context.

Note: Cascading contexts requires that you configure unique MAC addresses for each context interface.
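As an added example (not the guide's own configuration; the interface, context, MAC and address values are assumptions), the following fragments show two contexts sharing one outside subinterface. The system configuration generates a distinct MAC address per context so the classifier can use the destination MAC; the context configuration then shows the global and static statements that the classifier would have to fall back on if unique MAC addresses were not in place.

```cisco
! Added example; all names, MAC addresses and IP addresses are assumed.
! ===== System execution space (hostname(config)#) =====
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/2
 no shutdown
! Give every shared interface a different MAC in each context, so the classifier
! can use the destination MAC instead of deriving the owner from NAT.
mac-address auto
admin-context admin
context admin
 allocate-interface GigabitEthernet0/0.10 int1
 allocate-interface GigabitEthernet0/1 int2
 config-url flash:/admin.cfg
context ctxA
 allocate-interface GigabitEthernet0/0.10 int1
 allocate-interface GigabitEthernet0/2 int2
 config-url flash:/ctxA.cfg
!
! ===== Context ctxA (hostname/ctxA(config)#), referring to the mapped names =====
interface int1
 nameif outside
 security-level 0
 ip address 209.165.201.2 255.255.255.224
! Manual alternative to "mac-address auto": a per-context MAC on the shared interface.
 mac-address 000c.f142.4cde
interface int2
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
! Without unique MACs, only these statements tell the classifier that 209.165.201.5
! and 209.165.201.10 belong to ctxA: "global" and "static" entries are consulted;
! NAT exemption (nat 0 access-list) and static routes are not.
global (outside) 1 209.165.201.5
nat (inside) 1 10.1.1.0 255.255.255.0
static (inside,outside) 209.165.201.10 10.1.1.10 netmask 255.255.255.255
```

With mac-address auto (or the manual mac-address line) the upstream router can ARP for 209.165.201.2 and receive a MAC that belongs only to ctxA. Without it, inbound traffic to anything other than 209.165.201.5 or 209.165.201.10 has no NAT entry to match and cannot be classified into ctxA, which is the restriction the note above describes.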
Because of the limitations of classifying packets on shared interfaces without unique MAC addresses, cascading contexts without unique MAC addresses is not recommended.

System Administrator Access
You can access the security appliance as a system administrator in two ways:
- Access the security appliance console.
- Access the admin context using Telnet, SSH, or ASDM.

As the system administrator, you can access all contexts. When you change to a context from admin or the system, your username changes to the default "enable_15" username. If you configured command authorization in that context, you need to either configure authorization privileges for the "enable_15" user or log in as a different user for which you provide sufficient privileges in the command authorization configuration for the context. To log in with a username, enter the login command.

For example, you log in to the admin context with the username "admin." The admin context does not have any command authorization configuration, but all other contexts include command authorization. For convenience, each context configuration includes a user "admin" with maximum privileges. When you change from the admin context to context A, your username is altered, so you must log in again as "admin" by entering the login command. When you change to context B, you must again enter the login command to log in as "admin."

The system execution space does not support any AAA commands, but you can configure its own enable password, as well as usernames in the local database to provide individual logins.

Context Administrator Access
You can access a context using Telnet, SSH, or ASDM. If you log in to a non-admin context, you can only access the configuration for that context. You can provide individual logins to the context.

Enabling or Disabling Multiple Context Mode
ASDM does not support changing modes, so you need to change modes using the CLI.
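As an added example (not from the original notes; the usernames, passwords and the context name are assumptions), the following shows the configuration behind the workflow described above: a context with a local admin user and command authorization, the system execution space with its own enable password and local users, and the changeto/login sequence a system administrator goes through because the username reverts to enable_15 on every context change.

```cisco
! Added example; usernames, passwords and the context name are assumed.
! ===== Context ctxA configuration: local admin user plus command authorization =====
username admin password Adm1n-Ctx-Pass privilege 15
aaa authentication enable console LOCAL
aaa authorization command LOCAL
!
! ===== System execution space: no AAA commands, but its own enable password and local users =====
enable password Sys-En4ble-Pass
username sysadmin password Sys-Adm1n-Pass privilege 15
!
! ===== Session: moving between contexts as the system administrator =====
! hostname/admin# changeto context ctxA      <- username becomes "enable_15"
! hostname/ctxA# login                       <- re-authenticate as the context's own admin user
! Username: admin
! Password: **************
! hostname/ctxA# show curpriv                <- confirm the privilege level now in effect
! hostname/ctxA# changeto context admin      <- the admin context has no command authorization
! hostname/admin# changeto system            <- back to the system execution space
```

Because aaa authorization command LOCAL is in ctxA but not in the admin context, the login step is needed only after entering ctxA (and any other context configured the same way); the alternative the text mentions is to grant the enable_15 user the required privileges in that context's command authorization configuration.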
The context mode (single or multiple) is not stored in the configuration file, even though it persists across reboots. If you need to copy your configuration to another device, set the mode on the new device to match using the mode command.

When you convert from single mode to multiple mode, the security appliance converts the running configuration into two files: a new startup configuration that comprises the system configuration, and admin.cfg, which comprises the admin context (in the root directory of the internal Flash memory). The original running configuration is saved as old_running.cfg (in the root directory of the internal Flash memory). The original startup configuration is not saved, so if it differs from the running configuration, back it up before proceeding. The security appliance automatically adds an entry for the admin context to the system configuration with the name "admin." To enable multiple mode, enter the following command:

hostname(config)# mode multiple

You are prompted to reboot the security appliance.

If you convert from multiple mode to single mode, you might want to first copy a full startup configuration (if available) to the security appliance; the system configuration inherited from multiple mode is not a complete functioning configuration for a single mode device. Because the system configuration does not have any network interfaces as part of its configuration, you must access the security appliance from the console to perform the copy. To copy the old running configuration to the startup configuration and to change the mode to single mode, enter the following commands in the system execution space:

hostname(config)# copy flash:old_running.cfg startup-config
hostname(config)# mode single

The security appliance reboots.
The ASA 5505 interfaces do not support jumbo frames.

Note: Subinterfaces are not available for the ASA 5505 adaptive security appliance.
Multiple context mode supports static routing only.
Note: We suggest that you do not change the system clock after you install the temporary license. If you set the clock to a later date and then reload, the security appliance checks the system clock against the original installation time and assumes that more time has passed than has actually been used. If you set the clock back, and the actual running time is greater than the time between the original installation time and the system clock, the license expires immediately after a reload.
Note: When the security appliance is configured for security contexts (multiple context mode) or Active/Active stateful failover, IPsec or SSL VPN cannot be enabled, so these features are unavailable.
Next technical study direction: ISP
Contact: QQ 470536270