Académique Documents
Professionnel Documents
Culture Documents
Swith Security
802.1x for port security
802.1q trunking and sub interfaces can implement ACLs on sub interfaces
Spanning tree protocal- STP and RSTP prevent loops- Root bridge and non root bri
dge - will block loops by droping packets. Layer 2 protocol that runs on bridges
and switches.
The specification for STP is IEEE 802.1D.
RSTP (IEEE 802.1w) natively includes most of the Cisco proprietary enhancements
to the 802.1D spanning tree, such as BackboneFast, UplinkFast, and PortFast.
(STP) The bridges have to determine the root bridge and compute the port roles (
root, designated, or blocked) with only the information that they have. To ensur
e that each bridge has enough
information, the bridges use special data frames called Bridge Protocol
Data Units (BPDUs) to exchange information about bridge IDs and root path costs.
A bridge sends a BPDU frame using the unique MAC address of the port itself as a
source address, and a destination address of the STP multicast address 01:80:C2
:00:00:00.
The bridge priority default is 32768 and can only be configured in multiples of
4096. When comparing two bridge IDs, the priority portions are compared first an
d the MAC addresses are compared
only if the priorities are equal.
STP switch port states:
Blocking - A port that would cause a switching loop if it were active. N
o user data is sent or received over a blocking port, but it may go into forward
ing mode if the other links in use
fail and the spanning tree algorithm determines the port may tra
nsition to the forwarding state. BPDU data is still received in blocking state.
Prevents the use of looped paths.
Listening - The switch processes BPDUs and awaits possible new informati
on that would cause it to return to the blocking state. It does not populate the
MAC address table and it does not
forward frames.
Learning - While the port does not yet forward frames it does learn sour
ce addresses from frames received and adds them to the filtering database (switc
hing database).
It populates the MAC address table, but does not forward frames.
Forwarding - A port receiving and sending data, normal operation. STP st
ill monitors incoming BPDUs that would indicate it should return to the blocking
state to prevent a loop.
Disabled - Not strictly part of STP, a network administrator can manuall
y disable a port
The sequence of events to determine the best received BPDU (which is the best pa
th to the root) is
Lowest root bridge ID - Determines the root bridge
Lowest cost to the root bridge - Favors the upstream switch with the lea
st cost to root
Lowest sender bridge ID - Serves as a tie breaker if multiple upstream s
SSL/TLS
SSL
VPN is secured by SSL(Secure Sockets Layer)/TLS(Transport Layer Security) or IPS
ec over the public internet.
The connection is private (or secure) because symmetric cryptography is
used to encrypt the data transmitted.
Symmetric-key algorithms are algorithms for cryptography that use the same crypt
ographic keys for both encryption of plaintext and decryption of ciphertext.
The keys may be identical or there may be a simple transformation to go
between the two keys. The keys, in practice, represent a shared secret between t
wo or more parties
that can be used to maintain a private information link. This requiremen
t that both parties have access to the secret key is one of the main drawbacks o
f symmetric key encryption.
This is how it should work with SSL - When the client connects to the server, it
negotiates a so-called ciphersuite (combination of encryption, key exchange, au
thentication algorithms) to use.
Each SSL client or server has a list of allowed ciphersuites and during
handshake the client and the server negotiate on what ciphersuite to use. It can
happen sometimes, that there's
no common denominator (ciphersuites sets don't intersect) and connection
can't be established.
Several versions of the SSL/TLS protocols find widespread use in applications su
TLS
TLS has a variety of security measures:
Protection against a downgrade of the protocol to a previous version or a weaker
cipher suite.
Numbering subsequent Application records with a sequence number and using this s
equence number in the message authentication codes (MACs).
Using a message digest enhanced with a key. Only a key-holder can check the MAC(
Message Authentication Codes). The HMAC construction used by most TLS cipher sui
tes is specified in RFC 2104
In cryptography, a keyed-hash message authentication code (HMAC) is a sp
ecific type of message authentication code (MAC)
involving a cryptographic hash function (hence the 'H') in combination w
ith a secret cryptographic key.
The identity of the communicating parties can be authenticated using public-key
cryptography. This authentication can be made optional,
but is generally required for at least one of the parties (typically the
server).
The pseudorandom function splits the input data in half and processes each one w
ith a different hashing algorithm (MD5 and SHA-1), then XORs them together to cr
eate the MAC.
This provides protection even if one of these algorithms is found to be
vulnerable.
Integrity can be ensured because each message transmitted includes a message int
egrity check useing message authentication code to prevent undetected loss or al
teration of the
data during transmission.
The message that ends the handshake ("Finished") sends a hash of all the exchang
ed handshake messages seen by both parties.
Note about--- SSL/TSL-SSL/TLS uses an underlying transport medium that provides
a bidirectional stream of bytes. That would put it somewhere above layer 4.
SSL/TLS organizes data as records, that may contain, in particular, handshake me
ssages. Handshake messages look like layer 5. This would put SSL/TLS at layer 6
or 7.
However, what SSL/TLS conveys is "application data", which is, in fact, a bidire
ctional stream of bytes.
Applications that use SSL/TLS really use it as a transport protocol.They then us
e their own data representation and messages and semantics within that "applicat
ion data".
Therefore, SSL/TLS cannot be, in the OSI model, beyond layer 4.
RADIUS= Remote Authentication Dial-in User service
Remote Access Server(RAS) - is older tech that can make connections through a mo
RADIUS is commonly used to authenicate end users even when Cisco devices are in
use
Most RADIUS communication is unencrypted (Clear Text)
RADIUS encrypts only the passwords (Plain Text is input into an encryption algor
ithm)- other information, such as username, authorized services, and accounting,
can be captured by a third party.
DIAMETER
DIAMETER (supports EAP) is also a AAA protocol that can be used if your devices
support it
EAP= Extensible Authenication Protocol. Add's new commands, more flexible. DIAME
TER may be a replacement for RADUIS
EAP, is an authentication framework frequently used in wireless networks and poi
nt-to-point connections.
TACACS+
TACACS = Terminal Access Controller Access controler system
TACACS devoloped into XTACACS then it is common when talking about TACACS they a
re refering to TACACS+
TACACS+ uses TCP, port 49. Encrypts full payload of each packet so more secure t
han RADIUS is proprietary to Cisco, very granular control of authorization.
AAA is seperated. Can only be used with cisco devices.
TACACS+ typicaly used to authenicate ADMIN Users because of the granular authori
zation, you can be granted certin rights and permissions.
If you have some level of privilage to work on a device (VPN server ect) When en
tering commands in devices they will first check with the AAA server to see if t
he ADMIN has the
privilage required to execute the command. This is the authroziation pie
ce of a AAA server. Every time an Admin makes a change it is sent to the AAA ser
ver so the change
and who made the change is accounted for.
TACAS+ when supported just does a better job when supported, it's more granular.
Authentication Services
Kerberos is an authenication protocal not a AAA protocal, Kerberos will be seen
in Microsoft Active Direcitory.
A problem that Kerberos can solve is getting access all at once to all the resou
rces you are entitled to with SSO(Single Sign On) as long as it is the same doma
in.
SSO will initally communicate with a centralized server, very likely a Domain Co
ntroler and this server will be acting as a key distribution center(KDC).
KDC has a service running called a Tigcket Granting Service(TGS) Initall
y you will communicat with the KDC. Once you have authenicated with the KDC you
will send a request to the TGS,
TGS will grant a ticket that you can present to a server authenicating w
ho you are. The server will authenicate and then give access to the approiate fi
le's or directories
you have permisssions or rights to (this is access control). Tickets do
expire so you may have to authenicate again.
There will likely be multuiple DC's and KDC for fault tolornce purposes or scala
bility. But reguardless from an arctecture standpoint it is still a certrilized
location.
Kerberos uses Symmetrical Encryption. Since it's Symmetrical encryption you are
useing the same key or sharded key on both ends to encrypt and decrypt data. Ker
beros uses port: 88
Kerberos has strict time requirements, which means the clocks of the involved ho
sts must be synchronized within configured limits.
The tickets have a time availability period and if the host clock is not
synchronized with the Kerberos server clock, the authentication will fail.
Kerberos is primarily a UDP protocol, although it falls back to TCP for large Ke
rberos tickets. This may require special configuration on firewalls to allow the
UDP response from
the Kerberos server (KDC). Kerberos clients need to send UDP and TCP pac
kets on port 88 and receive replies from the Kerberos servers.
Kerberos uses port 88 TCP/UDP
To summarize, a firewall must allow, for all Kerberos clients:
Destination port 88 UDP outbound to Kerberos KDCs
Destination port 88 TCP outbound to Kerberos KDCs
Source port 88 UDP inbound from Kerberos KDCs
Servers providing additional Kerberized services will need:
Destination port 544 TCP inbound (rsh/rcp)
Destination port 2105 TCP inbound (rlogin)
Source port 1-1023, destination port 32000-65525 TCP outbound (rsh/rcp)
Systems behind a firewall that will be rsh or rcp clients will need: -Source por
t 1-1023, destination port 32000-65525 TCP inbound (rsh/rcp)
RDP is encrypted- a proprietary protocol developed by Microsoft, which provides
a user with a graphical interface to connect to another computer over a network
connection on port 3389(TCP/UDP)
LDAP
Microsoft's AD and it's servers can provide LDAP services.
LDAP= Light Directory Access protocol = Port 389 UDP/TCP. CLDAP is based on the
use of the UDP encapsulation. The UDP is used when there is a need to transfer d
ata
very quickly and the loss of some of the data has no great impo
rtance. It is also used to transmit small amout of datas because it is faster th
an TCP.
Normal LDAP is not encrypted on port 389 UDP/TCP - however you can implement TLS
/SSL for secure communications between the LDAP server and the AAA server useing
LDAPS
CN(Common Name) ex. Jonathan Tuck - OU(Organizational Unit(OU) ex. Accounting de
partment - O(Organization) ex ACME.com. X.500 like directory structure
If you already have a CN as a user object inside of AD and want centeralized man
agment of user accounts for access to the network and resources there is no need
to add the CN to the AAA server.
You can have the CN in AD and use that as a mecanism for authenication u
sers. 1 option is to have your RAS/VPN/Ethernet Switch/Wireless AP's connect dir
ectly to AD useing a protocal
like LDAP.
Another option is if you have a VPN server that only speaks RADIUS or tacacs+ yo
u can have your AAA server (Insted of haveing the CN created there) you can have
the AAA server
communicate with the LDAP server. Microsoft's AD and it's servers can p
rovide LDAP services.
When CN tries to connect they could iniate an IPSec VPN tunnel over the public i
nternet to the VPN server. The VPN server then can foward the request to the AAA
server.
The AAA server then sends the request to the LDAP server. If successful
there would be a positive message back from the LDAP server to the AAA server. T
hen the AAA server would
relay the positive message VIA RADIUS to the VPN server.
With LDAP you may have a system that can talk directly to the LDAP server or you
would go through an intermediat device like a AAA server who can then speak LDA
P to the LDAP server.
The AAA server would be configured as an LDAP client. You would specify what UN/
PW when it make the LDAP requests.
Normal LDAP is not encrypted on port 389 UDP/TCP.
SSL/TLS: LDAPS can also be tunneled through SSL/TLS encrypted connections. The w
ell known TCP port for SSL is 636 (Layer 4 OSI, Transport) while TLS is negotiat
ed within a plain
TCP connection on port 389.
Servers also often support the non-standard "LDAPS" ("Secure LDAP", commonly kno
wn as "LDAP over SSL") protocol on a separate port, by default 636. LDAPS differ
s from LDAP in
two ways: 1) upon connect, the client and server establish TLS before an
y LDAP messages are transferred (without a StartTLS operation) and 2) the LDAPS
connection must be closed upon
TLS closure.
LDAP binds- you could encrypt the whole TCP stream between the application and D
C using IPSEC with ESP or TLS. Thankfully most modern applications have some
kind of ability to perform secure LDAP connections.
Some applications authenticate with Active Directory Domain Services (AD DS) thr
ough simple BIND. As simple BIND exposes the users credentials in clear text, us
e of Kerberos is preferred.
If simple BIND is necessary, using SSL/TLS to encrypt the authentication
session is strongly recommended.
You can make LDAP traffic confidential and secure by using Secure Sockets Layer
(SSL) / Transport Layer Security (TLS) technology. LDAPS differs from LDAP in tw
o ways upon connect,
the client and server establish TLS before any LDAP messages are transfe
rred (without a StartTLS operation) and the LDAPS connection must be closed upon
TLS closure.
An SSL-encrypted LDAP integration (LDAPS) communicates over TCP on port
636 by default, this communication channel requires a certificate (X.509 Certifi
cate from CA).
Before you install a certification authority (CA), you should be aware that you
are creating or extending a public key infrastructure (PKI).
Be sure to design a PKI that is appropriate for your organization.
LDAP over SSL/TLS (LDAPS) is automatically enabled when you install an Enterpris
e Root CA on a domain controller installing a CA on a domain controller not a re
commended practice.
When you have a multi-tier (such as a two-tier or three-tier) CA hierarchy, you
will not automatically have the appropriate certificate for LDAPS authentication
on the domain controller.
In order to enable LDAPS in a multi-tier CA hierarchy, you must request a certif
icate that meets the following requirements:
Certificate must be valid for the purpose of Server Authentication. This
means that it must also contains the Server Authentication object identifier (O
ID): 1.3.6.1.5.5.7.3.1
The Subject name or the first name in the Subject Alternative Name (SAN)
must match the Fully Qualified Domain Name (FQDN) of the host machine, such as
Subject:CN=server1.me.com.
The host machine account must have access to the private key.
The primary reason for enabling this functionality is to allow third-party appli
cations that arent capable of performing encrypted LDAP sessions to connect secur
ely on port TCP 636BIND (authentication Protocol)
When an LDAP client connects to the server, the authentication state of
the session is set to anonymous. The BIND operation establishes the authenticati
on state for a session.
Simple BIND and SASL PLAIN can send the user s DN (Distinguished Name, s
immilar to CN-common name) and password in plaintext, so the connections utilizi
ng either Simple or SASL PLAIN
should be encrypted using Transport Layer Security (TLS). The server typ
ically checks the password against the userPassword attribute in the named entry
.
SASL (Simple Authentication and Security Layer) BIND provides authentica
tion services through a wide range of mechanisms, e.g. Kerberos or the client ce
rtificate sent with TLS.
BIND also sets the LDAP protocol version by sending a version number in
the form of an integer. If the client requests a version that the server does no
t support,
the server must set the result code in the BIND response to the code for
a protocol error. Normally clients should use LDAPv3, which is the default in t
he protocol but not always in LDAP
libraries. BIND had to be the first operation in a session in LDAPv2, bu
t is not required as of LDAPv3. In LDAPv3, each successful BIND request changes
the
authentication state of the session and each unsuccessful BIND request r
esets the authentication state of the session.
SAML
SAML = Security Assertion Markup Language
Authentication is done at the primary website and allows you to still do busines
s with affilaiated sites. I.E. Booking a flight(Primary). Hotel(affilaiated), Ca
r rental(affilaiated).
The authication data is being shared between those various sites. The authinicat
ion and authorization data is being sharded from the Primary site to the affilai
ates.
In this situation you would be the Principal, the primary company you connected
to would be the identity Provider, any affilaiated sites are known as service pr
oviders.