Archive for the ‘security’ Category

Port Mirroring on Cisco – Monitoring the network

Thursday, May 14th, 2009

“We just bought a new IPS/IDS, just put it between us and our transit provider!”. Sounds slick, huh? This request seems easy, but do you really know if it will function like expected and not jam all network traffic?

Try it out on a mirrored (SPAN) port first! With a SPAN you can get a copy of all traffic from/to a port output on a second port, without interacting with traffic. This can be very helpful if you want to test out some new equipment for Intrusion detection and/or prevention. Snort is an open source alternative for monitoring network traffic for obscurity and irregularities.

To configure a SPAN on 2940, 2950, 2955, 2960, 2970, 3550, 3560 and 3750 switches

Switch#conf t
Switch(config)#monitor session 1 source interface Fa0/18
Switch(config)#monitor session 1 destination interface Fa0/2
Switch(config)#

With the configuration above you will copy all traffic from FastEthernet 0/18 and output it to FastEthernet 0/2
The Cisco Catalyst 2950 is incapable to monitor vlans, but this is possible on for example the Cisco 3750.

To verify a SPAN session

Switch#sh monitor session 1
Session 1
———
Source Ports:
RX Only: None
TX Only: None
Both: Fa0/18
Destination Ports: Fa0/2

I hope this maybe encourages you to test out some applications or equipment that you’ve been wanting to try but haven’t had the guts to!

Secure your Network: How ARP Spoofing Works

Friday, March 6th, 2009

You wonder how hackers got to your packets? Might it have been arp spoofing?

ARP Basics
ARP is a layer 2 protocol, its full name is actually “Address Resolution Protocol”.
Like the name indicates, ARP is used to resolve the layer 3 IP addresses to layer 2 MAC addresses.

It works pretty easy, if a host on the segment wants to talk to another host, but does not know its MAC address it will send a frame to broadcast (FF:FF:FF:FF:FF:FF) where it will say “who has 10.0.0.1”, then the host on 10.0.0.1 will see this request and reply with “10.0.0.1 is at ab:cd:ef:ab:cd:ef” then the ARP table will be updated with the corresponding information, and the two hosts will talk directly from now on.

Security problems in ARP
Usually most hosts will update their ARP table when they see a ‘10.0.0.1 is at’ ARP reply, even if it hasn’t requested it.
This keeps network traffic to the low, because the MAC address may be in the ARP table because some other host spoke to the server your computer wanted to talk to and your computer saw the ‘is at’ reply, hence making no need for an ARP request.

What if someone flooded your network with fake ARP replies ‘10.0.0.1 is at fa:ke:ad:dr:es’?
Exactly, the hosts will update their ARP table and start sending packets to the wrong host.
The machine at ‘fa:ke:ad:dr:es’ can then accept all packets and forward the correct ones to the actual 10.0.0.1 gateway (because the attacker does not poison its own arp table, the attacker will still be sending packets to the real IP address).

Imagine on a Wireless network how easy it is to become ‘attached’ to the network, they can also send spoofed ARP replies.

Tools
dsniff includes tools to arp spoof
ettercap is capable of doing arp poisoning too.
The package ‘arpalert’ on Ubuntu can notify you of changes in the ARP table.

To enable forwarding of packets in linux:

linux:~# echo 1 > /proc/sys/net/ipv4/conf/all/forwarding