Archive for March 10th, 2010

T-18 | Bootcamp Final Day Review

Posted by TacAck in 90 Day countdown on March 10th, 2010

I’m going to miss Marvin :D Here are the notes for the final day of the bootcamp .

L2 SECURITY

  • Violation modes of port-security
    • Shutdown
      • send port to err-disable
    • Protect
      • Violators cannot send traffic in , no alert is raised
    • Restrict
      • Violators cannot send traffic in
      • Generates SNMP/ Syslog
    • HSRP uses 2 MAC addresses ( NOTE )
    • During configuration, check if some traffic might inadvertantly trigger this port-security feature.
  • 2 ways to recover a port from err-disable
    • err-disable recovery configured
    • shut/no-shut
  • We can also configure a static ” Null route” a MAC address
  • When we block multicast, then some unicast/broadcast traffic also gets blocked in Storm-control ( read more on this )
  • “switchport protected” -> Mini PVLAN like configuration
  • When configuring VLAN Maps, ensure that ARP traffic is allowed ( most of the time, this is needed )
  • PVLAN requires Transparent ( VTP ) mode configuration on the switch

ATTACK MITIGATION

  • VLAN HOPPING ATTACK
    • 2 variations
      • Hosts runs DTP to form a trunk with the adjacent switch
      • Host sends frames double tagged with 802.1q
    • Mitigation
      • Ensure that all host-facing ports are statically assigned as access ports (switchport mode access )
      • Don’t ever use VLAN 1 as the default VLAN
  • CAM TABLE ATTACKS
    • port-security -> Mitigation
    • Shutting down the port is the best option
  • DHCP STARVATION ATTACKS
    • Tons of DHCP requests exhaust the DHCP pool.
    • Victim hosts are starved of a DHCP lease.
    • Could be a DOS/ MITM attack
    • Mitigation
      • DHCP Snooping
      • Ensure that all switches running a the particular VLAN have DHCP snooping turned on ( talk to the proctor )
  • ROGUE DHCP SERVER ATTACK
    • Mitigation : DHCP Snooping ( trust )
      • Can also use Port ACLs/VACLs
      • We can also use the “ip dhcp snooping Limit” command to limit the flood.
  • ARP SPOOFING
    • Gratuitous ARP -> Send ARP replies regularly without valid requests ( to refresh the ARP caches of the devices )
    • This can be a good playground to lauch MITM attacks
    • Mitigation
      • DHCP snooping with DAI
      • or ARP acls with DAI ( for static IP addressing )
      • If switches don’t support snooping or ARP inspection
        • IP ARP uses ethertype 0×806
        • IP uses Ethertype 0×800
        • This can be used to block the ARP traffic
      • Bad configuration of this can cause problems later ( reload, reboot ,etc ) . So remember, it won’t immediately show up due to ARP caching on the devices
  • MAC SPOOFING
    • Mitigation
      • IP Source guard
        • Consults the DHCP Snooping table
      • We can also use port-security
  • IP SPOOFING
    • Mitigation
      • RFC 1918/2827/3330 BOGON ingress filtering
      • uRPF
    • RFC 2827 is bidirectional
      • Traffic leaving should have the internal address
      • Traffic entering from the outside, should not have the internal address
    • uRPF takes into consideration all equal cost paths(urpf accepts both the paths as the reverse path ) into consideration when determining the interface upon which a packet should be received on . It even understands EIGRP unequal cost load-balancing.
  • SMURF/FRAGGLE ATTACK
    • Mitigation -> no ip directed broadcast
      • uRPF also does the job
      • via CAR/MQC
      • via Blackholing ( either source/destination based )

STANDARD BLACKHOLE FILTERING

  • Problem is legit traffic to the destination also gets blocked
  • Matches only by destination
  • Ensure that the “no ip unreachables” is configured on the Edge -routers

SOURCE-BASED BLACKHOLE FILTERING

  • There is a uRPF statement on the EDGE router
  • The trigger will be a route for the “source IP”s next hop ( instead of the destination IP , like the previous configuration )
  • If we do not add a “deny” route-map after the first route-map, any other static routes will get redistributed into the BGP.

SYN FLOODING

  • Mitigation
    • TCP Intercept
    • IOS CBAC/ ZBF
    • PIX/ASA MPF connection limits
    • SYN policing with CAR/MQC

Network scanning can be blocked by using ASA Threat detections, IPS/IDS , etc

  • To drop ip options you can use the global config command : “ip options drop”, or we can drop using ACL’s ” access-list 101 deny ip any any option.”

I’m now officially done with the bootcamp. I would recommend this to everyone , when they are almost done with their Vol 1 labs. There was a big section in Day 5 about Strategies and tips to be followed during the lab and that was very insightful and i thoroughly enjoyed it :)

To be honest, i don’t know what exactly i wanna do for the next couple of days/ weeks. I’m stuck between Vol 2 labs (or) Go through the CCIE-sec blueprint and configure each and every item in detail and also make a list of the Doc-CD references for each.

I’ll definitely have an answer soon :) .

I’m really lucky to have found an awesome support community online who continue to inspire/motivate/support me. Paul Stewart , Brian Almond and Ryan Schuett are some people i look up to someday i want to know as much as these dudes :)

Cheers,

TacACK

No Comments