Posts Tagged ‘security’

Secure your Network: How ARP Spoofing Works

Friday, March 6th, 2009

You wonder how hackers got to your packets? Might it have been arp spoofing?

ARP Basics
ARP is a layer 2 protocol, its full name is actually “Address Resolution Protocol”.
Like the name indicates, ARP is used to resolve the layer 3 IP addresses to layer 2 MAC addresses.

It works pretty easy, if a host on the segment wants to talk to another host, but does not know its MAC address it will send a frame to broadcast (FF:FF:FF:FF:FF:FF) where it will say “who has”, then the host on will see this request and reply with “ is at ab:cd:ef:ab:cd:ef” then the ARP table will be updated with the corresponding information, and the two hosts will talk directly from now on.

Security problems in ARP
Usually most hosts will update their ARP table when they see a ‘ is at’ ARP reply, even if it hasn’t requested it.
This keeps network traffic to the low, because the MAC address may be in the ARP table because some other host spoke to the server your computer wanted to talk to and your computer saw the ‘is at’ reply, hence making no need for an ARP request.

What if someone flooded your network with fake ARP replies ‘ is at fa:ke:ad:dr:es’?
Exactly, the hosts will update their ARP table and start sending packets to the wrong host.
The machine at ‘fa:ke:ad:dr:es’ can then accept all packets and forward the correct ones to the actual gateway (because the attacker does not poison its own arp table, the attacker will still be sending packets to the real IP address).

Imagine on a Wireless network how easy it is to become ‘attached’ to the network, they can also send spoofed ARP replies.

dsniff includes tools to arp spoof
ettercap is capable of doing arp poisoning too.
The package ‘arpalert’ on Ubuntu can notify you of changes in the ARP table.

To enable forwarding of packets in linux:

linux:~# echo 1 > /proc/sys/net/ipv4/conf/all/forwarding

A Word About BGP Bogons Filtering

Tuesday, December 9th, 2008

BGP4 filtering is important, but how can you keep track of the prefixes and do active filtering on them?

It has been a while since my last blog post now, it’s partly because I have been (honestly) pretty lazy lately, yes, I have been trying to cool down on all my working because I started to get some problems with keeping track of my own feelings.
..and also because I have been trying to spend a little more time with the girl that actually can stand living with such a busy internet lunatic, we went to see the Norwegian setup of the musical Grease and also a Norwegian talk show named Senkveld, and along with all the xmas preparations and that it has been kind of hectic, but very very nice.
While I am still talking freely here, why is it that while I can see people reading around, I never see any comments from you guys?

Anyways, enough with the excuses and all that – on with the show, right?

The point about this post is to inform about the problems with bogon IPv4 (and probably IPv6 too, I haven’t looked at that yet) prefixes being announced into the Internet, and the problem about Internet Service Providers accepting these prefixes and adds them to their routing table. The worst case scenario would be like spam from

But, what are bogons.. or bogon prefixes?
I am glad to be asked that question sometimes, it is good – it shows that someone paid attention.
Bogon prefixes are for example unassigned prefixes, or RFC1918 networks and there are also other reserved ranges.

The assignment process for IPv4 is somewhat like this:

  1. IANA allocates a block of IPv4 addresses to a Regional Internet Registry (usually /8 to i.e. RIPE)
  2. The RIR then makes suballocations of this block to a LIR, a LIR is a Local Internet Registry (i.e. your ISP)

The ISP can then announce this IPv4 prefix in the BGP table on the Internet.
All these IANA to RIR assignments are public information, you can find it at, they have regular updates.

The problem with bogons
The problem exists when networks listed as RESERVED or UNALLOCATED in this list are being announced and produces internet traffic.
For example, if you want to send out totally anonymous spam, what could you possibly do to ISPs without proper filtering?
Yeah, you could see someone announcing and start spamming from

Do you keep track of every announcement ever done to you? (In that case, how do you do it?)
I run a quagga router which also sees all announcements to our network and logs these to a logfile, and I am insterested to hear about other solutions – I know there are some java based applications.

To be consistent; you do not want bogons announced to you, you do not want to accept bogon networks and start routing traffic to them.

How to fix?
There’s a bogons prefix-list that Team Cymru creates that is very useful for Cisco enthusiasts like me.
They have constructed a secure BGP template.

So let us hope maybe there’s at least one extra bogon filter in place tomorrow, and let me know about it!

Configuring MySQL AAA Authentication and Accounting with Tacacs+ on Linux

Monday, November 10th, 2008

So, been experimenting more with tacacs+ and got everything working out nicely with MySQL – so here is my tutorial!

It seemed like I had to run out of my “Oh, I run ubuntu so I will just apt-get” luck sometime, as I actually had to take this one from source to make it work completely.
So I will start with the Linux end of this, the compiling of tac_plus

If you followed my previous tutorial, you will have to remove the old tac_plus package.

root@server:~# apt-get remove tac-plus
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following packages will be REMOVED:
0 upgraded, 0 newly installed, 1 to remove and 104 not upgraded.
Need to get 0B of archives.
After unpacking 324kB disk space will be freed.
Do you want to continue [Y/n]?
(Reading database … 227395 files and directories currently installed.)
Removing tac-plus …
Stopping Tacacs+ server: tac_plus.
root@server:~# dpkg –purge tac-plus

The dpkg –purge command will remove all configuration files, so if you want to keep them just run

root@server:~# cp -r /etc/tac-plus /root/tac-plus-configuration

This will store the old configuration files in a folder named /root/tac-plus-configuration

Now compile the tac_plus daemon, remember to have the libmysql++-dev installed before you do this. It should also bring along libmysql++2c2a libmysqlclient15-dev by itself.

root@server:~# cd /usr/local/src
root@server:/usr/local/src# wget -q
root@server:/usr/local/src# tar -zxf tac_plus-4.4.tgz
root@server:/usr/local/src# cd tac_plus-4.4
root@server:/usr/local/src/tac_plus-4.4# wget -q
root@server:/usr/local/src/tac_plus-4.4# tar -zxf securid.tgz
root@server:/usr/local/src/tac_plus-4.4# ./configure –with-mysql –with-db

It should now print a lot of ‘checking for’ or ‘checking wheter’ lines, just let it run.
The last couple of lines you should see should be:

creating Makefile
creating tac_plus.spec
creating config.h
config.h is unchanged

Then it’s time to run make to compile the source code into a binary file.

root@server:/usr/local/src/tac_plus-4.4# make
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c acct.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c authen.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c author.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c config.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c choose_authen.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c default_fn.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c default_v0_fn.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c do_acct.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c do_author.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c dump.c
dump.c: In function ‘dump_nas_pak’:
dump.c:159: warning: incompatible implicit declaration of built-in function ‘exit’
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c enable.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c encrypt.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c expire.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c hash.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c tac_plus.c
tac_plus.c: In function ‘main’:
tac_plus.c:364: warning: incompatible implicit declaration of built-in function ‘exit’
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c md5.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c packet.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c parse.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c programs.c
programs.c: In function ‘my_popen’:
programs.c:282: warning: incompatible implicit declaration of built-in function ‘exit’
programs.c:287: warning: incompatible implicit declaration of built-in function ‘exit’
programs.c:292: warning: incompatible implicit declaration of built-in function ‘exit’
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c pw.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c pwlib.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c report.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c sendauth.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c sendpass.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c time_limit.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c utils.c
utils.c: In function ‘tac_exit’:
utils.c:79: warning: incompatible implicit declaration of built-in function ‘exit’
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c accesslog.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c ext_authen.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c db.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c db_ext.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c db_null.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c db_mysql.c
gcc -g -O2 -L/usr/lib/mysql -o tac_plus -L/usr/lib/mysql acct.o authen.o author.o config.o choose_authen.o default_fn.o default_v0_fn.o do_acct.o do_author.o dump.o enable.o encrypt.o expire.o hash.o tac_plus.o md5.o packet.o parse.o programs.o pw.o pwlib.o report.o sendauth.o sendpass.o time_limit.o utils.o accesslog.o ext_authen.o db.o db_ext.o db_null.o db_mysql.o -lmysqlclient -lz -lnsl -lpthread -lc -lcrypt -Llib/lnx -laceclnt
root@server:/usr/local/src/tac_plus-4.4# cp tac_plus /usr/sbin/

Now, I just did a quick hack with copying the tac_plus binary to /usr/sbin, if you choose to install it with make install, be aware that it will spread files all around your system that you really don’t need.

I got a library error, this is my fix.

root@server:/usr/local/src/tac_plus-4.4# /usr/sbin/tac_plus -v
/usr/sbin/tac_plus: error while loading shared libraries: cannot open shared object file: No such file or directory
root@server:/usr/local/src/tac_plus-4.4# cp lib/lnx/ /usr/lib && ldconfig
root@server:/usr/local/src/tac_plus-4.4# /usr/sbin/tac_plus -v
tac_plus version 4.4rc2-3 (Extended Tac_plus)

Perfect, shared libraries installed and the tacacs daemon seems to be working!
Now to create the configuration file and everything.

root@server:/usr/local/src/tac_plus-4.4# cd /etc
root@server:/etc# mkdir tac-plus && chmod 700 tac-plus
root@server:/etc# cd tac-plus
root@server:/etc/tac-plus# touch tacacs.conf && chmod 700 tacacs.conf

Edit the /etc/tacacs.conf file with your favourite editor, I as always love vim.
For simplicity, let us keep it to a small amount of lines.

The contents of /etc/tacacs.conf

key mykey
default db = mysql://tacacs:tacacspassword@localhost/tacacs

The logics of the MySQL URI is mysql://username:password@databasehost/database, so the username will now be tacacs, the password will be ‘password’ and the database ‘tacacs’ on the MySQL server on localhost.

MySQL Setup
We now need to setup the backend databases for tac_plus to communicate with.

root@server:/etc/tac-plus# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 11335
Server version: 5.0.38-Ubuntu_0ubuntu1.4-log Ubuntu 7.04 distribution

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the buffer.

mysql> \. /usr/local/src/tac_plus-4.4/tac_plus.sql
Query OK, 1 row affected (0.36 sec)

Database changed
Query OK, 0 rows affected (0.19 sec)

#… You should get a lot of these lines and return to the prompt, verify the structure:
mysql> show tables;
| Tables_in_tacacs |
| access |
| accounting |
| acl |
| admin |
| attribute |
| contact_info |
| host |
| node |
| user |
| vendor |
10 rows in set (0.08 sec)

# You now need to grant access to tacacs
mysql> GRANT ALL PRIVILEGES ON tacacs.* to tacacs@localhost IDENTIFIED BY ‘tacacspassword’;
Query OK, 0 rows affected (0.00 sec)

You could grant SELECT on the user and host tables, while letting it modify for example only the accounting and access tables which it uses for .. well, accounting records. It records logins/logouts and commands written if you want to. Tac-plus will automagically do this for you, and the Cisco Configuration is well documented in my article about Log Commands on Your Cisco Routers and Switches With Tacacs On Linux. Oh well, let us go on.

Let us insert just a user and a host.

INSERT INTO user (uid, gid, password, expires) values (‘username’, ‘100’, ENCRYPT(‘testtest’), ‘0000-00-00’);
INSERT INTO host (ip, hostgroup, hkey, network, submask, loginacl, host) VALUES (‘’, ‘Routers’, ‘tercesym’, ‘0’, ‘0’, ‘666’, ‘1’);
INSERT INTO acl (id, type, seq, permission, value, value1, submask) VALUES (‘666’, ‘2’, ‘1’, ’57’, ‘allusers’, ‘0’, ‘0’);

That should be it, we are done with this and we can now start the daemon.

root@server:~# /usr/sbin/tac_plus -C /etc/tac-plus/tacacs.conf -d254 -l tac.log

You can now monitor tac.log which resides in your current working directory (pwd), with tail -f tac.log and you can remove the -d254 when you are sure this is working.
You should now be able to login with user username and password testtest.

To configure your Cisco IOS running Switch or Router

Router(config)#aaa authentication login default local group tacacs+
Router(config)#tacacs-server host key mykey

As long as you keep the ‘local’ in the authentication line, you will still be able to fall back to local user authentication.

If you get any weird errors or warnings, post them as a comment and I will have a look at it!

Log Commands on your Cisco Routers and Switches with Tacacs+ on Linux

Sunday, November 9th, 2008

I setup command logging with Tacacs+ on Linux this week. Let me show you how easy it is!

I am (as always) doing this with Ubuntu linux and so I just have to apt-get the packages I need.

espen@server:~$ sudo apt-get install tac-plus
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 104 not upgraded.
Need to get 105kB of archives.
After unpacking 324kB of additional disk space will be used.
Get:1 feisty/universe tac-plus 1:4.0.4.alpha-14 [105kB]
Fetched 105kB in 0s (331kB/s)
Selecting previously deselected package tac-plus.
(Reading database … 227388 files and directories currently installed.)
Unpacking tac-plus (from …/tac-plus_1%3a4.0.4.alpha-14_i386.deb) …
Adding system user `tacacs’ (UID 64005) …
Adding new group `tacacs’ (GID 64005) …
Adding new user `tacacs’ (UID 64005) with group `tacacs’ …
Not creating home directory `/home/tacacs’.
Setting up tac-plus (4.0.4.alpha-14) …
Starting Tacacs+ server: tac_plus.

Wow, that was quick… The tacacs+ server is already running!
But wait, we have to configure it just a bit.

For this article I will just focus on the logging part (accounting), but I will continue to write about authentication and authorization to fully comply fully with AAA.

Now, open up /etc/tac-plus/tacacs.conf in your favourite editor, mine is vim.
Be sure to uncomment and set the key, set the accounting file and you should be ready to roll.

key = tercesym
accounting file = /var/log/tac-plus/account

Just restart the tacacs daemon:

espen@server:/etc/tac-plus# sudo /etc/init.d/tac-plus restart
Restarting Tacacs+ server: tac_plus.

Now to configure this on your cisco equipment, please follow the steps in this article first.
Then to make sure the Cisco IOS Switch or Router will notify your tacacs deamon of accounting events, this is the configuration you need.

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#aaa accounting delay-start
Router(config)#aaa accounting exec default start-stop group tacacs+
Router(config)#aaa accounting commands 15 default start-stop group tacacs+
Router(config)#tacacs-server host key tercesym

! If you want the Router to source from a specific IP address
Router(config)#ip tacacs source-interface Loopback 1


Now you can verify accounting

Router#show accounting

Active Accounted actions on tty1, User admin Priv 1
Task ID 17, EXEC Accounting record, 00:16:58 Elapsed
task_id=17 start_time=1226261207 timezone=CET service=shell

There is one accounting session running, and you can also check the server to see if any accounting records are recorded.

espen@server:~# sudo tail /var/log/tac-plus/account
Sun Nov 9 21:26:58 2008 admin tty1 stop task_id=26 start_time=1226262225 timezone=CET service=shell priv-lvl=15 cmd=show accounting

Perfect, now there will be no doubt about who dropped that ‘no router bgp’ command on your Cisco Router!

IPv4 and IPv6 Access Control Lists In Cisco IOS

Wednesday, November 5th, 2008

Do you feel like you are comfortable with writing ACLs? This will be refreshing!

I’ll get to IPv6 in the bottom of this, it might prove extremely useful to understand the concept at first.

What are Access Control Lists?
ACLs are simple rulesets, they can be used to filter network traffic, routing updates, matching packets and a lot of different uses. The most common and basic usage must be to restrict network traffic to your router by applying it on the vty lines.

The access control lists have numbers and can also have text as identifiers, each number or string represents a specific access control list.

There are several “classes” of Access Control Lists, the most common ones are

  1. IP Standard Access List
    List numbers 1-99, can only define source or destination, not source and destination.
  2. IP Extended Access List
    List numbers 100-199, can define both source and destination as well as port and protocol numbers.

Okay, I understand…. but how do I configure it?

A IP standard access control list with two entries is configured like this

Router#conf t
Router(config)#ip access-list standard 5
Router(config-std-nacl)#5 permit
Router(config-std-nacl)#10 permit

To apply this inbound on an interface, just use

Router#conf t
Router(config)#int te 1/1
Router(config-if)#ip access-group 5 in

The alternative way to define an access list number 5 with two entries is

Router#conf t
Router(config)#access-list 5 permit
Router(config)#access-list 5 permit

To apply this one inbound on a line interface

Router#conf t
Router(config)#line vty 1
Router(config-line)#access-class 5 in

Nice, now I have a lot of ACLs configured in my network for all the IPv4 traffic, mon ami! But IPv6 traffic still seems to keep flowing right through, thought you said you were supposed to make sense of all this in the end?

Yeah, I know I promised that and as long as you understand the IPv4 basics you will understand IPv6 pretty well. You will need to understand basic IPv6 subnetting theory to be able to filter subnets (obviously), if anyone wants me to write an article about it, just comment about it and I will get on to it ASAP. When you learn that, you will see that IPv6 access control lists are pretty much the same as for IPv4.

Anyways, I take for granted you understand IPv6 subnetting by now so I will just get right on to the configuration, an example for an IPv6 access list in Cisco IOS follows

Router#conf t
Router(config)#ipv6 access-list myfirewall
Router(config-ipv6-acl)#permit 3ffe:200::/32 any
Router(config-ipv6-acl)#permit 3ffe:100::/32 any

To verify the access-lists just look at this

Router#show access-lists myfirewall
IPv6 access list myfirewall
permit ipv6 3FFE:200::/32 any sequence 10
permit ipv6 3FFE:201::/32 any sequence 20

To apply this IPv6 Access Control List to an interface, just do as follows

Router#conf t
Router(config)#int te 1/1
Router(config-if)#ipv6 traffic-filter myfirewall in

To apply this IPv6 access control list to a line

Router#conf t
Router(config)#line vty 1
Router(config-line)#ipv6 access-class myfirewall in

5 Tips to Securing a Cisco Network

Monday, October 27th, 2008

Some things you can’t do something about, but you should take security seriously.

1. Reverse Path Forwarding
When you enable Reverse Path Forwarding (RPF) on an interface, the router will check with a lookup in the FIB/CEF table to see that there exists a path back to the source address on the interface on which it receives a packet. This avoids spoofing of packets.

The way to configure reverse path forwarding is like this

Router#configure terminal
Router(config)#interface GigabitEthernet 2/1
Router(config-if)#ip verify unicast reverse-path

2. Silence that port
A lot of networks leak sensitive information on their switchports, this should be a pretty silent switchport.

Switch#configure terminal
Switch(config)#interface GigabitEthernet0/16
Switch(config-if)#no cdp enable
Switch(config-if)#spanning-tree bpdufilter enable
Switch(config-if)#no keepalive

This will supress CDP (Cisco Discovery Protocol), spanning-tree bpdu’s and ethernet keepalives on that interface. In my last post I wrote a little about storm-control and port security.

3. Configure AAA and ACL’s for secure VTY access
VTY’s are for example the telnet connections on Cisco, to configure who should be able to access your switch via telnet just do like this:

Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#access-list 80 permit
Switch(config)#access-list 80 permit
Switch(config)#line vty 0 15
Switch(config-line)#access-class 80 in

This will limit VTY access to and, the netmask is a Cisco wildcard mask, troubles figuring them out? Try the wildcard cheat.

If you want to have separate users (will show up in logs) instead of the regular password prompt, you can configure AAA as such:

Switch#configure terminal
Switch(config)#username cisco secret mypassword
Switch(config)#aaa new-model
Switch(config)#aaa authentication login default local
Switch(config)#line vty 0 15
Switch(config-line)#login authentication default

4. Encrypt passwords in Configuration
Do you see this in your configuration?

Switch#show run | include ^username
username admin password 0 mysecret

To enable encryption of passwords just configure

Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#service password-encryption
*Mar 4 10:21:10.343: %SYS-5-CONFIG_I: Configured from console by console
Switch#show run | include ^username
username admin password 7 060B1632494D1B1C11

This gives Cisco Type 7 encryption (which, I am sorry to say; is very crackable), but it is at least something.
I like to use ‘secret’ instead of ‘password’ which gives MD5 passwords in the configuration file, I am not sure of the difference, but it seems to give me what I want.

5. More secure routing protocols with passive-interface default
A passive interface is an interface which does not send nor receive routing information. Passive-interface default is supported by all routing protocols, and is configured quickly.

router routing-protocol
passive-interface default
no passive-interface interface

Passive-interface default sets all interfaces passive, and no passive-interface activates one interface. I have a more real life configuration example below.

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router ospf 1
Router(config-router)#passive-interface default
Router(config-router)#no passive-interface fastEthernet 0/2
*Mar 4 10:36:17.931: %SYS-5-CONFIG_I: Configured from console by console

This will ensure that OSPF traffic is only exchanged on fastEthernet 0/2.

Locking Down Network Ports from IOS

Sunday, October 26th, 2008

Someone connecting to your network can cause serious damage if you are sloppy with security.

port-security on switches is very flexible, first show the status of port security

Switch#show port-security interface Gi0/19
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 001b.53b1.ffff:20
Security Violation Count : 181

Port security is disabled, violation mode is shutdown which means that the port should be shutdown if port security is tripped. There are

Let us limit this port to one MAC address, and if we see more than one; shutdown the port.

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int gi 0/19
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#switchport port-security
11:31:17: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/19, putting Gi0/19 in err-disable state
11:31:17: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001b.53b1.ffff on port GigabitEthernet0/19.
11:31:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/19, changed state to down
11:31:19: %LINK-3-UPDOWN: Interface GigabitEthernet0/19, changed state to down

What happened here? First we limited the port to max one MAC address, then we configured that if this is violated then the port should be shutdown. And at last we turned on port-security.
As you can see, immediately the port went in an errdisable state for a security violation.

Storm control can be used to limit the amount of broadcast, unicast or multicast traffic on a port.
To show the status of storm control

Switch#show storm-control gigabitEthernet 0/19
Interface Filter State Upper Lower Current
——— ————- ———– ———– ———-

A typical broadcast storm can look like this

Switch#show interface gigabitEthernet 0/19 | i rate
Queueing strategy: fifo
5 minute input rate 106111000 bits/sec, 207129 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec

I have over 100mbit input traffic, and nothing output. I can try to apply storm-control that with shutdown the port if the amount of broadcast traffic reaches 100mbit.

Switch#conf t
Switch(config)#interface gigabitEthernet 0/19
Switch(config-if)#storm-control action shutdown
Switch(config-if)#storm-control broadcast level bps 100000000
2d10h: %PM-4-ERR_DISABLE: storm-control error detected on Gi0/19, putting Gi0/19 in err-disable state
2d10h: %STORM_CONTROL-3-SHUTDOWN: A packet storm was detected on Gi0/19. The interface has been disabled.
2d10h: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/19, changed state to down
2d10h: %LINK-3-UPDOWN: Interface GigabitEthernet0/19, changed state to down

The interface went straight into errdisable due to the huge amount of broadcast traffic we were receiving.

You can also get the status of storm control

Switch#show storm-control
Interface Filter State Upper Lower Current
——— ————- ———– ———– ———-
Gi0/19 Link Down 100m bps 100m bps 0 bps

These are two great techniques of securing your network ports, just tune them to your preference and they will bring you a lot of good.

How to get user authentication with AAA running on Cisco

Monday, September 1st, 2008

To get aaa running you need to perform the following steps:

First create a local user database
switch(config)# username myusername secret myunencryptedpassword
switch(config)# aaa new-model
switch(config)# aaa authentication login default local

Could be good to also do:
switch(config)# line vty 0 15
switch(config-line)# login authentication default

Use CTRL+Z to skip out of config fast, then try to login in a new window before
closing the authenticated one, in case you screwed up the configuration.

You can get locked out!