Security IOS

I have heard that any security product involving encryption gets delayed in shipment, because government authorities need to verify it before shipment. Products can be Cisco ASA, Cisco IOS Security License, ACS, etc.
Now if that is true, I am assuming every security device gets processed through a specific process, and considering the fact that Cisco sells tons of equipment on a daily basis if not weekly, are the authorities that free to just check all of the products? Even if they check it somehow, what kind of things do they check?
Or maybe there is no delay in shipment of security products and they come in at the same time as other normal products, and what I have heard is not correct.

Typically there is a restriction on importing/exporting wares containing cryptography.
This is based on individual agreements between countries, not on company level (with a few notable exceptions).
Typically the authorities will check if the product conforms to some rules that are set.
This can take no time at all, up to a few months, and (usually) there is nothing that a company, even a major player, can do.

Similar Messages

  • ASA5505 Security + IOS: Maximum ACE Allowance?

    Hello,
    I'm trying to find out the maximum number of ACEs allowed to be entered in a single ACL for the ASA5505 with Security + IOS. I've scoured the Internet, searched Cisco documentation and found nothing that would necessarily help me.
    What I'm trying to find out is whether denying all IP traffic and only permitting US IP subnets into my network is feasible or not. I've come up with a list of US IPs of roughly 45800 subnets (accurate as of last month). So the inbound ACL in a nutshell would be "permit US subnets", "deny anything else".
    That will at least keep the scan attacks down to a minimum, and if they use proxies from US servers, I can address them as they try to attack my network.
    Thanks!

    Thanks for the reply. I know at the 20K ACE limit, some ISP-grade routers run out of TCAM (I believe they were Cisco 12ks and ASR9010s), and basically once all TCAM is allocated, any ACEs that didn't get loaded near the end of the ACL are not being actively filtered. I've read in places across the net that a single ACE is 173 bytes and it's all a factor of how much memory you have available for the ACEs to be placed into the ASA; however, with my past issues with the routers, I find it hard to believe you can have 300k ACEs that would consume only 512MB of RAM. Even if it took them in memory, the CPU wouldn't be able to use that list for filtering in a timely manner.
    There has to be a formula, especially when you want to harden your firewall with a hefty ACL blocking country IP space or just allowing your country to talk inwards.

  • Secure IOS Configuration Template for AP's?

    Hi,
    I am responsible for several AP 1200s running a recent version of IOS, and while I feel as comfortable as I can about the security of the wireless traffic, I'm not sure I've tightened down the AP IOS configs as well as is possible.
    I've applied my knowledge of hardening our routers' IOS per the NSA guidelines to some degree, but I'd like to be sure I'm covering all the bases I can.
    Would anyone be willing to share their AP hardening tips with the forum?
    Regards, Nick

    Did you ever get an answer?

  • NAC feature included in 1841 router with security IOS

    I'm looking for some guidance and documentation regarding the capabilities and configuration of NAC on an 1841 router. It looks like it's a software version of NAC that ties to a policy server, maybe an ACS server or IAS server for example. Is that all it does? In other words, is the capability found mostly on the backend policy server and not the router itself? In that case, what is the router doing; I mean, how does it work in relation to NAC? Is it only capable of blocking traffic at layer 3 rather than layer 2, as does 802.1x authentication on a switch or the Clean Access appliance offered by Cisco?
    thank you very much,
    Bill

    For NAC, the role of a device depends on your network security policy. You can have security applied to any device(s) or you can have it on a policy server which can enforce the security policy. The following link may help you:
    http://www.cisco.com/application/pdf/en/us/guest/netsol/ns466/c654/cdccont_0900aecd80217e26.pdf

  • Problem in restoring IOS resilient secured config file

    Hi everybody,
    I'm testing the Cisco IOS resilient feature on a Cisco 1841 router, but I have trouble when restoring the secured configuration file.
    First I entered the two commands secure boot-image and secure boot-config in global configuration mode.
    When I entered the command show secure bootset in privileged exec mode I can see the two files:
    flash:c1841-advsecurityk9-mz.124-10a.bin and flash:.runcfg-20110809-165042.ar
    After that, I erased the startup-config on the router and reloaded it. Then I entered rommon mode and entered the command boot flash:c1841-advsecurityk9-mz.124-10a.bin to boot from the secured IOS image. The system reset and in global config mode I entered the command:
    secure boot-config restore flash:.runcfg-20110809-165042.ar and I got the following message: ios resilience: there is an existing file with name flash:.runcfg-20110809-165042.ar. But nothing changed, because my old configuration didn't come back.
    When I tried the command copy flash:.runcfg-20110809-165042.ar startup-config in privileged mode I got the message: Error opening flash:.runcfg-20110809-165042.ar (File not found).
    Can someone help me to solve my problem please? Thanks.

    You cannot restore without using the latest available OS, unless you have jailbroken your device. Apple does not support downgrades on iOS devices, and if jailbroken, your warranty and support are no longer valid, including assistance from this forum.
    Error details
    http://support.apple.com/kb/TS4451
    Error 3194, Error 17, or "This device isn't eligible for the requested build"

  • Advanced IP IOS comparison to ADVANCED SECURITY/K9 IOS.

    Does the ADVANCED SECURITY IOS on an ADVSEC/K9 1841 have the ADVANCED IP SERVICES too?
    Does it matter to have 12.4(20) or (24)T1 (advanced IP image) or similar when doing the CCNA Security / CCNP Route labs?
    *********  It's ADVANCED SECURITY, but is THAT the same as ADVANCED IP?  ************
    Also, T-TRAIN Cisco IOS Release 12.4(11)T1 or later ........ is this on the ADV Sec/K9 IOS?
    Thanks

    Hello
    Please see the following link; it explains the difference between the various feature sets:
    http://www.cisco.com/web/about/security/intelligence/ios-ref.html#17
    Please rate if you find the input helpful!
    Regards
    Farrukh

  • Router 877 changing IOS

    Hi!
    I don't know if it's the correct forum, but I have a simple question that I would like to be answered.
    Recently I bought an 877 ADSL router with the Advanced Security IOS. I thought this IOS supported 802.1q, but I don't think so. So I upgraded to the Advanced IP Services IOS. This IOS supports 802.1q and VLAN implementation. The router seems to work fine. Everything was configured through the CLI.
    My question: can this upgrade cause some kind of problem with router functionality? If so, which ones?
    The configuration is very simple: no VPNs and a basic firewall configuration.
    Thanks for your help.

    Hi there,
    IOS upgrades don't affect router functionality, BUT they do affect the features available on the device.
    The minimum flash requirement is there as backup images are recommended. In case the new image is corrupt or things don't go as planned, we can manually boot the router from rommon.
    It's a standard practice in production environments so as to maximize uptime.
    Regarding the features required, the best practice is to use Cisco Feature Navigator.

  • Cisco IOS based IPS Services Licensing Query

    Hi Experts,
    We have a Cisco 3945 router at one of our locations. Our requirement is to enable the IOS-based IPS engine within the router, and we would like to load new signature files from the Cisco website to the router. But I am not much familiar with the licensing part. The show version and show ip ips license output has been attached for reference. Following are my queries.
    1) Are this platform and IOS capable of enabling the IPS engine?
    2) Is any extra IPS Services contract required (other than the SmartNet coverage) for this router to enable the IPS engine and to load new IPS signature files from Cisco?
    Advanced Thanks and Regards,
    Sihanu N

    1) Are this platform and IOS capable of enabling the IPS engine?
    Yes, it is (a 3945 with a security IOS image will be able to do it).
    2) Is any extra IPS Services contract required (other than the SmartNet coverage) for this router to enable the IPS engine and to load new IPS signature files from Cisco?
    No, you are good to go.
    I will write a future article about how to enable this feature on an IOS router, so stay tuned on my website at http:laguiadelnetworking.com for further information, as I will cover all of the details.
    Cheers,
    Julio Carvajal Segura

  • 8.1 security breached

    I have had my iPhone for two years and never had a problem with its security UNTIL last night when I updated to 8.1 (the supposedly all-new secure iOS). Within minutes of the update I had someone place spoof reminders in my Reminders app. Through the night, while I was asleep, someone hacked in and tried to call my friends, search the web, sent emails, and accessed my contacts. Very annoyed, Apple, that this update is probably the least secure iOS I have had on my phone so far. I have had to switch off cellular, wifi, iCloud etc. to protect my privacy... which kind of makes my iPhone less 'i' and just 'phone'.
    They also, somehow, had access to a screenshot from last year and had it saved into my camera roll last night!!
    Apple... NOT HAPPY FOR THE FIFTH TIME THIS MONTH!!!

    no... there is no other explanation because nobody physically used my phone. They don't know my access code and my spouse is technologically challenged so they could not have worked that out.
    The children would not have done it either. The phone was on my bedside table so I would have known if someone came in (I'm a light sleeper).
    Additionally, at 11pm I was reading a news story on the phone when one of the spoof reminders popped up.... and so there you go... where'd that come from while I am there holding my phone?
    I don't make stuff up like this and your response and innuendo are somewhat arrogant and the speculation for which you have no clue is irrelevant. If you really have a tech solution just say that and quit the unnecessary comments. I am wanting assistance, not some jock thinking they know it all when they don't know anything about this situation. I cannot wipe my phone. It won't let me.

  • IOS IPS for blocking IM and P2P

    Any recommendations on the best way to use IOS IPS to stop P2P and IM?
    I set up a 3845 with 12.3(14)T1 to do this by importing signatures from the latest SDF using SDM. I used the attack-drop, and all IM and P2P signatures I could find. I changed them all to drop and reset. I then applied it to the inside interface of a 3845. I also set up nbar with a drop policy for all P2P traffic.
    The configuration caused very slow web response time for users, including blocked pages. Removing the IPS filter made everything work properly again. The router also stopped rebooting periodically.
    Is there a recommended way to set this up that does not cause slow performance and reboots?

    OK, went back and loaded some upgraded software. Now using 12.4.1 Advanced security IOS on the 3845, and SDM 211. The new 256MB.sdf signature file has all the IM and P2P signatures in it already!
    After applying the IPS inbound on the serial interface, I changed the UDP signatures action to drop and the TCP to drop/reset.
    Everything appears to be working beautifully. Yahoo and MSN messenger get dropped, as well as the peer to peer requests. I am unable to download Bittorrent. Web access is fast, and there is no hesitation by the router in configuring the IPS.
    This appears to be a great solution so far.

  • IOS Template - Best Practices

    Hello,
    Does anyone have a standard template that they apply to all IOS switches/routers/WAPs? I'm looking for some best practices for IOS configs. For example, which services do you disable on all devices, what SNMP settings, etc.
    Thanks!

    Hi,
    See the below link :
    http://www.cymru.com/Documents/secure-ios-template.html
    Regards,
    Mehrdad

  • The inside network is accessible only through IPsec; do I need to enable IOS FW?

    I'm building a remote site, and the only traffic in or out of their inside network is via IPsec tunnels. There is no unencrypted access to the internet. Should I still configure the ISR firewall? If so, why?

    If I get your setup correctly imagined (haha)
    Anyway, it really depends on you:
    However, for a full-tunnel setup, which I think you have set up there, you can enable it for better QoS and basic site blocking as well;
    for split-tunnel, then configure it in your remote site.
    Stateless firewall configuration in IOS really is handy, though reporting-wise it's not that friendly.
    The best part of the stateless firewall is that it can be content based.
    EX:
    class-map match-any FILTER
      match protocol http host *yahoo* 
      match protocol facebook 
      match protocol youtube
    #class-map type urlfilter match-any CONTENT_DROP
      #match url category Adult-Mature-Content
    There are more protocols as well, and (I think) even P2P protocols can be blocked (uTorrent, BitTorrent etc.)
    Content filtering, however, is a subscription license and needs to be registered/enabled.
    SEE: http://www.cisco.com/c/en/us/products/collateral/security/ios-content-filtering/white_paper_c89-492776.html
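As an added example (not from the original reply), here is a complete zone-based firewall policy that implements the idea above: inside hosts get stateful inspection for the applications the site needs, the P2P protocols the reply mentions are dropped and logged, and everything else is denied. Zone names, interface names and the protocol list are assumptions; the policy sits on the cleartext side of the IPsec tunnel, so the firewall inspects traffic before it is encrypted.

```cisco
! Added example, not the original poster's or Cisco's configuration.
! Requires an IOS image with zone-based firewall support (12.4(6)T or later).
zone security INSIDE
zone security OUTSIDE
!
! P2P protocols to drop (the reply says these can be blocked by protocol).
class-map type inspect match-any BLOCK-P2P
 match protocol bittorrent
 match protocol edonkey
 match protocol gnutella
 match protocol kazaa2
!
! Applications the remote site is allowed to use across the tunnel.
class-map type inspect match-any ALLOW-APPS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! Order matters: the blocked class is evaluated before the allowed class,
! and class-default denies anything not explicitly listed.
policy-map type inspect IN-TO-OUT
 class type inspect BLOCK-P2P
  drop log
 class type inspect ALLOW-APPS
  inspect
 class class-default
  drop
!
! Apply the policy only in the inside-to-outside direction; return traffic
! is allowed by the stateful session table, not by a second policy.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT
!
interface GigabitEthernet0/0
 description LAN (cleartext side of the IPsec tunnel)
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description WAN, IPsec tunnel endpoint
 zone-member security OUTSIDE
!
! Note: IKE/ESP terminate on the router itself (the "self" zone), which
! is not restricted by this zone-pair, so the tunnel keeps working.
```

Verify with `show policy-map type inspect zone-pair IN-OUT` after the policy is applied; sessions appear under the ALLOW-APPS class and dropped packet counters under BLOCK-P2P.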

  • LAN pool can't communicate over L2L VPN on Advanced Security IOS

    Hi, I have a strange issue since I upgraded my Cisco router IOS to the Advanced Security IOS; before that all was good on advanceipservices.
    The IPSEC VPN is up,
    but no traffic is passing.
    Traffic does pass if I make the source IP a loopback on the same router A having the VPN (Loopback 100), but traffic doesn't pass / cannot ping when I try to generate it from one hop before the router, that is my CORE switches, by creating a loopback on the CORE switch.
    Is this IOS behaving like an ASA? Do I need to enable some kind of security levels on interfaces? Or is it a stateful issue etc.? Any help would be great.
    VPN Router A
    for understanding
    GigabitEthernet0/0.1       10.174.1.4
    GigabitEthernet0/0.202     222.125.139.225
    Loopback 100 100.100.100.100
    ip route 101.101.101.101 255.255.255.255 GigabitEthernet0/0.202
    VPN Router B
    GigabitEthernet0/0.1       10.110.1.4
    GigabitEthernet0/0.202     203.126.123.145
    Loopback 101 101.101.101.101
    ip route 100.100.100.100 255.255.255.255 GigabitEthernet0/0.202
    Again: the VPN doesn't have any issue in itself, since when the loopbacks are made on the routers they do ping, and when I create the same loopback on my core switches it doesn't (I do proper static routing when I move the loopback to the core, so routing is not the issue).

    My issue is resolved by upgrading to Advanced IP Services again.
    So it's some feature or bug with the IOS for sure, since the config was untouched.

  • Cannot get IOS Root CA to run

    I am trying to run the IOS CA to serve as root to two subordinate CA’s on my DMVPN hubs.  I am using a 2650XM on IOS image c2600-advsecurityk9-mz.124-15.T12.bin, and am following the procedures in both http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/PKI-security.html and the Cisco IOS Security Configuration Guide http://www.cisco.com/en/US/customer/docs/ios/sec_secure_connectivity/configuration/guide/12_4t/sec_secure_connectivity_12_4t_book.html section(s) on PKI.  I can get the CA running but ONLY if I do not configure ‘database url <url>’ (and presumably ‘cdp-url’)
    I have tried using ftp:, and http: for ‘database url’ but I always get the server status of
    Certificate Server root-ca:
        Status: disabled, Storage not accessible
    and messages similar to “%PKI-3-CS_CRIT_STORAGE: Critical certificate storage, ftp://<username>:<password>@<ftp-server>/0x1.crt, is inaccessible, server disabled.” When I’m using ftp.  No message is issued when using http but the server status is the same.  And, the cert server appears to write the files 0x1.cnm and 0x1.crt, and the root-ca.ser file to the ftp server but still says storage is inaccessible.
    Here is the config without 'database url' that works:
    crypto pki server root-ca
    database level complete
    database archive pkcs12 password 7 15361202377928311A
    grant auto rollover ca-cert
    grant auto
    lifetime certificate 730
    lifetime ca-certificate 750
    auto-rollover 90
    crypto pki trustpoint root-ca
    revocation-check crl none
    rsakeypair root-ca
    crypto pki certificate chain root-ca
    certificate ca 01
      30820302 308201EA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      12311030 0E060355 04031307 726F6F74 2D636130 1E170D31 30303432 37323130
    <lines deleted>
      94D7B595 3C35C1A1 9D0BAA22 E92C40BD D7DE6C1F 92BD1285 534817FC 62B4CBCF
      8EB659B5 5C3C
            quit
    (I don’t think the rest of the config is needed, but ntp is configured and active as is the http server).
    rsdpki1#sh crypto pki server
    Certificate Server root-ca:
        Status: enabled
        State: enabled
        Server's configuration is locked  (enter "shut" to unlock it)
        Issuer name: CN=root-ca
        CA cert fingerprint: ACFF6E7F 7A87AB31 21BF7222 314D3BA9
        Granting mode is: auto
        Last certificate issued serial number: 0x1
        CA certificate expiration timer: 14:08:26 PDT May 16 2012
        CRL NextUpdate timer: 20:08:56 PDT Apr 27 2010
        Current primary storage dir: nvram:
        Database Level: Complete - all issued certs written as <serialnum>.cer
        Auto-Rollover configured, overlap period 90 days
        Autorollover timer: 13:08:26 PST Feb 16 2012
    rsdpki1#sh crypto pki certificates
    CA Certificate
      Status: Available
      Certificate Serial Number: 0x1
      Certificate Usage: Signature
      Issuer:
        cn=root-ca
      Subject:
        cn=root-ca
      Validity Date:
        start date: 14:08:26 PDT Apr 27 2010
        end   date: 14:08:26 PDT May 16 2012
      Associated Trustpoints: root-ca
    rsdpki1#sh crypto key mypubkey rsa
    % Key pair was generated at: 14:01:09 PDT Apr 27 2010
    Key name: root-ca
    Storage Device: not specified
    Usage: General Purpose Key
    Key is exportable.
    Key Data:
      30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
    <lines removed>
      3F020301 0001
    % Key pair was generated at: 14:01:16 PDT Apr 27 2010
    Key name: root-ca.server
    Temporary key
    Usage: Encryption Key
    Key is not exportable.
    Key Data:
      307C300D 06092A86 4886F70D 01010105 00036B00 30680261 009E1CF0 EE0A4456
    <lines removed>
      D92FACAB 7780169C 90B77FAF 92026085 F663353D 29CD8018 87020301 0001
    rsdpki1#sh crypto key pubkey-chain rsa
    Codes: M - Manually configured, C - Extracted from certificate
    Code Usage         IP-Address/VRF         Keyring          Name
    C    Signing                              default          X.500 DN name:
                                  cn=root-ca
    rsdpki1#sh crypto pki certificates storage
    Certificates will be stored in nvram:
    rsdpki1#
    However, when I clear that all out and reconfigure it with an ftp: database, I get:
    crypto pki server root-ca
    database level complete
    database archive pkcs12 password 7 052F1F01121F4D1C2B
    grant auto rollover ca-cert
    grant auto
    lifetime certificate 730
    lifetime ca-certificate 750
    cdp-url ftp://ssdftp1/rsdpki1_generated.crl
    auto-rollover 90
    database url ftp://ssdftp1
    database username ftp4ios password <removed>
    crypto pki trustpoint root-ca
    revocation-check crl none
    rsakeypair root-ca
    And the show commands show:
    rsdpki1#sh crypto pki server
    Certificate Server root-ca:
        Status: disabled, Failed to generate selfsigned CA certificate
        State: check failed
        Server's configuration is locked  (enter "shut" to unlock it)
        Issuer name: CN=root-ca
        CA cert fingerprint: -Not found-
        Granting mode is: auto
        Last certificate issued serial number: 0x0
        CA certificate expiration timer: 14:24:47 PDT May 16 2012
        CRL not present.
        Current primary storage dir: ftp://ssdftp1
        Database Level: Complete - all issued certs written as <serialnum>.cer
        Auto-Rollover configured, overlap period 90 days
    rsdpki1#sh crypto pki certificates
    rsdpki1#sh crypto key mypubkey rsa
    % Key pair was generated at: 14:23:18 PDT Apr 27 2010
    Key name: root-ca
    Storage Device: not specified
    Usage: General Purpose Key
    Key is exportable.
    Key Data:
      30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
    <lines removed>
      63020301 0001
    % Key pair was generated at: 14:23:25 PDT Apr 27 2010
    Key name: root-ca.server
    Temporary key
    Usage: Encryption Key
    Key is not exportable.
    Key Data:
      307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00E514E6 0770D50A
    <lines removed>
    rsdpki1#sh crypto key pubkey-chain rsa
    Codes: M - Manually configured, C - Extracted from certificate
    Code Usage         IP-Address/VRF         Keyring          Name
    rsdpki1#sh crypto pki certificates storage
    Certificates will be stored in nvram:
    rsdpki1#  (I skipped the ‘sh crypto pki counters’)
    But the files are written to the ftp server and appear fine.  Can anyone tell me the rules for ‘database url’ and/or ‘cdp-url’?  The “PKI Service for Large Scale IPSec Aggregation” document (first url) shows both ftp: and http: examples.  As I say, I *think* I have the ftp specified correctly because the files are written.  But I have no idea what the requirements are for the http server – do I need Web-DAV or something? 
    Thanks in advance.
    PAUL TRIVINO
    Sr. Network Engineer

    Ran into same issue on a 2621XM CA server running advanced security IOS 12.4(15)T8.
    I rebooted the router, and the CA service ran fine until I looked into the info request database and approved the cert for a spoke; I got the following:
    cry pki ser [removed] grant all
    % Failed to process enrollment request. The request #1 is deleted.
    ...and in the log:
    Sep 18 12:23:07.203: %PKI-3-CS_CRIT_STORAGE: Critical certificate storage, nvram:0xD.cnm, is inaccessible, server disabled.
    Sep 18 12:23:07.211: %PKI-6-CS_DISABLED: Certificate server now disabled.
    Have you found any resolution or root cause?
    Thanks!

  • Firewall Security

    My firewall is logging an entry that says "RosettaStoneDaem is listening". Anyone know what this is about? It says it even if I do not have my modem/router turned on.
    Thanks

    The IOS zone-based firewall could be used on your router.
    It can be challenging to set up from scratch, but if you use the Cisco Configuration Professional (CCP) GUI, it's not too difficult.
    There are some good links on this page:
    http://www.cisco.com/c/en/us/products/security/ios-firewall/index.html
