Resnet Enhancements and Directions Part 1, Bruce Campbell, Information Systems and Technology.
Overview
- The challenge: delivering internet access to 5,000 people... and keeping it manageable and secure
- IP, ARP, DHCP: fundamentally insecure
- Residence Network 10 years ago
- Residence Network 1 year ago
- Today
- Tomorrow
- Applications to the rest of campus
- Other network security features of possible interest

Resnet a separate network – physically and logically

The challenge
- Large number of users (>5000)
- Large number of new users each year
- IP/ARP/DHCP security weaknesses
- Statically configured -> potential for lots of errors
- Dynamically configured -> trust
- DHCP = shouting "who am I?" to a crowd
- ARP = shouting "who can I trust?" to a crowd
- Static IP = letting everyone print their own photo ID

Oops !

Resnet Equipment, Early Days
- Cisco 5505 routers
- Cisco 3500xl aggregation
- Cisco 1900 edge

Resnet System, Early Days
- Turn off ARP learning on router
- MAC address lockdown on switches
- Locally developed system which:
  - Detects when a new resnet computer is connected
  - Adds its MAC address to static DHCP
  - Adds a static ARP entry to router
- Plus Nmap scans to find rogue DHCP servers
- Web-based tools to manage/monitor

Issues
- MAC lockdown requires manual intervention if users change computers, at end of term, etc.
- Process to detect new computers and add them to static DHCP occasionally misses some, particularly at start of term
- Rogue DHCP servers are detected, but not disabled (immediately)
- Lots of custom code to maintain

Upgrades 2007
- Network gear upgraded to ProCurve 5406zl routers and ProCurve 2650 switches
- Security features on new network gear: DHCP snooping, ARP protection
- Static ARP tables and nmap scans for rogue DHCP can be eliminated
- MAC address lockdown is maintained
- System to manage static DHCP is also maintained

DHCP snooping

    dhcp-snooping
    dhcp-snooping authorized-server x.10
    dhcp-snooping authorized-server x.11
    dhcp-snooping database file tftp://x.y/filename
    dhcp-snooping vlan 240
    interface 49
       dhcp-snooping trust
       exit
    interface 50
       dhcp-snooping trust
       exit

This blocks rogue DHCP servers (server-side DHCP messages are only accepted on the trusted uplink ports 49 and 50, and only from the listed authorized servers) and tracks DHCP bindings (client MAC, leased IP, VLAN, port and lease time). The database file keeps the bindings across a switch reboot; without it, clients holding a valid lease are blocked by ARP protection after a reload until they renew.

ARP Protection

    arp-protect
    arp-protect trust
    arp-protect validate src-mac dest-mac ip
    arp-protect vlan 240

(The trust command takes the list of uplink ports; it is omitted on the slide.) This uses the DHCP bindings from DHCP snooping and blocks rogue ARP responses. The validate options additionally drop ARP frames whose Ethernet source does not match the ARP sender MAC, replies whose Ethernet destination does not match the ARP target MAC, and frames carrying invalid IP addresses. The combination of DHCP snooping and ARP protection:
- Forces clients to use DHCP (blocks hard-coded machines)
- Blocks rogue DHCP servers
- Forces clients to use the DHCP-issued IP address
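To make the DHCP snooping / ARP protection combination from the two slides above concrete, here is an added example (not the presenter's code and not HP's implementation) that models the checks in Python. The binding table, port roles and ARP frames are constructed; ports 49/50 and VLAN 240 are taken from the slides, everything else (addresses, MACs, port numbers 3, 4 and 5) is assumed. The checks follow the `validate src-mac dest-mac ip` semantics in simplified form.

```python
"""Toy model of the DHCP-snooping + ARP-protection pipeline on the slides.

Added example, not the page's own code or HP's implementation. The
binding table, port roles and ARP frames below are constructed; the
checks follow the 'arp-protect validate src-mac dest-mac ip' semantics,
simplified.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding, learned from a DHCPACK seen on a trusted port."""
    mac: str
    ip: str
    vlan: int
    port: int


@dataclass(frozen=True)
class ArpFrame:
    in_port: int
    vlan: int
    eth_src: str
    eth_dst: str
    op: str          # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


# Constructed state: clients on ports 3 and 4 got leases via DHCP; 49/50 are uplinks.
BINDINGS = (
    Binding("00:11:22:33:44:55", "10.1.240.20", 240, 3),
    Binding("00:aa:bb:cc:dd:ee", "10.1.240.21", 240, 4),
)
TRUSTED_PORTS = frozenset({49, 50})      # 'arp-protect trust' / 'dhcp-snooping trust'
PROTECTED_VLANS = frozenset({240})       # 'arp-protect vlan 240'


def _invalid_ip(ip: str) -> bool:
    """'validate ip': unspecified, loopback, multicast and limited broadcast are never valid senders."""
    a = IPv4Address(ip)
    return (a.is_unspecified or a.is_loopback or a.is_multicast
            or a == IPv4Address("255.255.255.255"))


def arp_protect(frame: ArpFrame, bindings=BINDINGS,
                trusted=TRUSTED_PORTS, protected=PROTECTED_VLANS):
    """Return ("forward"|"drop", reason) for one ARP frame arriving on the switch."""
    if frame.vlan not in protected or frame.in_port in trusted:
        return "forward", "not inspected"
    # validate src-mac: Ethernet source must equal the ARP sender hardware address
    if frame.eth_src.lower() != frame.sender_mac.lower():
        return "drop", "src-mac mismatch"
    # validate dest-mac: on replies the Ethernet destination must equal the ARP target
    if frame.op == "reply" and frame.eth_dst.lower() != frame.target_mac.lower():
        return "drop", "dest-mac mismatch"
    if _invalid_ip(frame.sender_ip):
        return "drop", "invalid sender ip"
    # core check: sender MAC/IP must match a binding learned on this VLAN and port
    for b in bindings:
        if (b.vlan == frame.vlan and b.port == frame.in_port
                and b.mac.lower() == frame.sender_mac.lower() and b.ip == frame.sender_ip):
            return "forward", "matches DHCP binding"
    return "drop", "no DHCP binding for sender"


def _frame(port, mac, ip, op="request", eth_src=None, eth_dst="ff:ff:ff:ff:ff:ff",
           target_mac="00:00:00:00:00:00", target_ip="10.1.240.1"):
    """Build a VLAN 240 ARP frame; by default the Ethernet source matches the ARP sender."""
    return ArpFrame(port, 240, eth_src or mac, eth_dst, op, mac, ip, target_mac, target_ip)


def demo():
    """The outcomes the slide lists (DHCP client, hard-coded IP, wrong IP) plus two extras."""
    return {
        "dhcp_client":   arp_protect(_frame(3, "00:11:22:33:44:55", "10.1.240.20")),
        "hard_coded_ip": arp_protect(_frame(5, "00:de:ad:be:ef:00", "10.1.240.99")),
        "wrong_ip":      arp_protect(_frame(4, "00:aa:bb:cc:dd:ee", "10.1.240.20")),
        "spoofed_src":   arp_protect(_frame(4, "00:11:22:33:44:55", "10.1.240.20",
                                            eth_src="00:aa:bb:cc:dd:ee")),
        "uplink":        arp_protect(_frame(49, "00:0c:29:aa:bb:01", "10.1.240.1")),
    }


if __name__ == "__main__":
    for name, (verdict, why) in demo().items():
        print(f"{name:14s} {verdict:8s} {why}")
```

The "wrong_ip" case is the one the slide calls "forces clients to use the DHCP issued IP address": a legitimately leased MAC that claims a neighbour's address has no matching binding on its port and is dropped before the router ever sees the ARP.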

Issues
- Still have MAC address lockdown; manual intervention needed occasionally, and at term start/end
- Still need a system to maintain static DHCP
- System still misses new resnet computers occasionally
- The system only supports a single MAC address per port

2008
- Aruba wifi deployed throughout Housing residences. 60% of the APs use existing wiring.
- VoIP phones deployed for Dons. They use existing wiring also.
- This puts 2 MAC addresses on the same port, for ports serving APs or phones.
- Wifi -> new way of looking at things:
  - Short lease times; users don't always get the same IP
  - Users can move around; IP/MAC doesn't stay in the same place
- Why enforce MAC lockdown and static IP/MAC bindings on wired, when it isn't enforced on wireless?

Fall 2008: Dynamic DHCP for wired resnet
- Pair of conventional DHCP servers installed, consistent with the main campus DHCP servers (Sun V240)
- Dynamic IP ranges for all wired resnet subnets; 1 day lease time
- DHCP settings to prevent a single MAC from leasing multiple IPs at the same time
- New tools (ona), including dynamic IP trace; supports multiple MACs per port for phones and APs
- MAC address lockdown retained, but management tools simplified and some processes automated

The Result
By:
- Leveraging vendor capability
- Reviewing how things are done
- Operating DHCP in a conventional way
We have:
- Reduced the number of custom systems IST maintains
- Reduced workload for Resnet staff
- Created a more flexible residence network environment
- Improved service for the user!

There's more to MAC address lockdown than...

    port-security 1 learn-mode static
    ...
    port-security 1 learn-mode configured mac-address 00:11:22:33:44:55
    port-security 1 learn-mode limited-continuous

...and others. "limited-continuous" limits the port to 1 address at a time (the default address-limit) but uses the normal learning/aging process, so no manual intervention is needed to clear an address when a student swaps computers.

- ona queries ARP tables in routers every 15 minutes, saves them, and logs all changes
- Queries secure MAC tables (locked-in MAC addresses) every hour, saves them, and logs all changes

ona logs all operator "ClearMac" functions (removals of secure MAC addresses)

ona logs all "intrusions" (MAC address violation on a locked port)

Intrusions are shown in red in the MACs field
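The polling, diffing and intrusion reporting the preceding slides attribute to ona is easy to sketch. The following is an added example, not ona's code: it parses two constructed snapshots modelled on ProCurve `show arp` output, logs what changed between them, and flags a MAC seen on a locked port that is not in that port's authorized list. All addresses, ports and MACs are constructed; the locked/observed MAC tables stand in for what a real tool would read from `show port-security` and the switch MAC table.

```python
"""Toy version of the polling/diffing the slides attribute to ona.

Added example, not ona's code. The snapshots below are constructed text
modelled on ProCurve 'show arp' output; the locked-MAC and observed-MAC
tables stand in for 'show port-security' / MAC-table results.
"""
import re

# IP, MAC in ProCurve 001122-334455 form, entry type, port
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{6}-[0-9a-f]{6})\s+(\w+)\s+(\S+)\s*$", re.I)


def normalize_mac(mac: str) -> str:
    """Accept 001122-334455 or 00:11:22:33:44:55 and return the colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp(text: str) -> dict:
    """{ip: (mac, port)} from a ProCurve-style 'show arp' dump; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, mac, _entry_type, port = m.groups()
            table[ip] = (normalize_mac(mac), port)
    return table


def _ip_key(ip: str):
    return tuple(int(o) for o in ip.split("."))


def diff_arp(old: dict, new: dict) -> list:
    """One (kind, ip, before, after) event per IP that appeared, vanished or moved."""
    events = []
    for ip in sorted(set(old) | set(new), key=_ip_key):
        if ip not in old:
            events.append(("added", ip, None, new[ip]))
        elif ip not in new:
            events.append(("removed", ip, old[ip], None))
        elif old[ip] != new[ip]:
            events.append(("changed", ip, old[ip], new[ip]))
    return events


def find_intrusions(locked: dict, observed: dict) -> list:
    """locked = {port: {authorized MACs}} (static/configured learn mode);
    observed = {port: {MACs seen}}. A MAC on a locked port that is not
    authorized is what port-security logs as an intrusion."""
    return sorted((port, mac)
                  for port, macs in observed.items() if port in locked
                  for mac in macs if mac not in locked[port])


# --- constructed snapshots, one polling interval apart -----------------------
ARP_T0 = """\
 IP ARP table

  IP Address      MAC Address       Type    Port
  --------------- ----------------- ------- ----
  10.1.240.1      000c29-aabb01     static  49
  10.1.240.20     001122-334455     dynamic 3
  10.1.240.21     00aabb-ccddee     dynamic 4
"""
ARP_T1 = """\
 IP ARP table

  IP Address      MAC Address       Type    Port
  --------------- ----------------- ------- ----
  10.1.240.1      000c29-aabb01     static  49
  10.1.240.20     00dead-beef00     dynamic 3
  10.1.240.22     00aabb-ccddee     dynamic 4
"""
LOCKED = {"3": {"00:11:22:33:44:55"}, "4": {"00:aa:bb:cc:dd:ee"}}
OBSERVED = {"3": {"00:de:ad:be:ef:00"}, "4": {"00:aa:bb:cc:dd:ee"}, "49": {"00:0c:29:aa:bb:01"}}


def poll_once():
    """What one polling cycle would write to the log for these snapshots."""
    return diff_arp(parse_arp(ARP_T0), parse_arp(ARP_T1)), find_intrusions(LOCKED, OBSERVED)


if __name__ == "__main__":
    changes, intrusions = poll_once()
    for kind, ip, before, after in changes:
        print(f"ARP {kind:7s} {ip:15s} {before} -> {after}")
    for port, mac in intrusions:
        print(f"INTRUSION port {port}: {mac} not in locked list")
```

In the constructed data the same port 3 shows up twice: the ARP diff records that 10.1.240.20 moved to a new MAC, and the intrusion check records that the new MAC is not the one locked to the port, which is the correlation an operator wants when deciding whether a "ClearMac" is warranted.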

Other related ona features
- Allows all logs to be viewed and searched
- Allows setting the MAC address limit (only static learn mode is supported)
- Clears all resnet secure MAC addresses at term end, automatically

Resnet ona guide covers it all: /ResnetOnaGuide

Other features of interest - MAC authentication
- Uses RADIUS to set the VLAN on a port, based on the MAC address. Allows for a default VLAN for unknown MACs.
- So what?
  - Set the default VLAN equal to the Aruba captive portal VLAN
  - Put registered MAC addresses from Maintain into the correct VLAN for their subnet
  - Plug in an unknown computer: you get the captive portal
  - Plug in a known computer: it gets its fixed address
- Could simplify moves/adds/changes (we haven't tested this)
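One way the slide's untested idea could be wired up, as an added example (not the presenter's configuration, and not something the page reports having run). The ProCurve commands are the 5400zl-family CLI for MAC-based port access; the RADIUS server address and secret, the port range 1-48, and the captive-portal VLAN id 900 are placeholders, while 240 is the resnet VLAN used elsewhere in the slides. The RADIUS entry is in FreeRADIUS `users` syntax and assumes the switch's default address format (lower-case MAC, no separators, sent as both username and password).

```text
; ---- switch side (ProCurve CLI; addresses and ids are placeholders) ----
radius-server host 10.0.0.5 key <shared-secret>
aaa authentication mac-based chap-radius
aaa port-access mac-based 1-48
; MACs the RADIUS server does not know land in the captive-portal VLAN
aaa port-access mac-based 1-48 unauth-vid 900
; ports carrying an AP or a Don's phone present two MACs
aaa port-access mac-based 1-48 addr-limit 2

# ---- RADIUS side: one 'users' entry per registered MAC (FreeRADIUS syntax) ----
# the RADIUS reply carries the VLAN the switch should put the port in
001122334455    Cleartext-Password := "001122334455"
                Tunnel-Type = VLAN,
                Tunnel-Medium-Type = IEEE-802,
                Tunnel-Private-Group-Id = 240
```

Anyone adopting this should confirm the `addr-format` on their firmware, since the username the switch sends must match the key used in the RADIUS user store exactly.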

Other features of interest - dynamic IP lockdown
- We have tested this
- Takes ARP protection up a notch: restricts all IP traffic (not just ARP) to the DHCP-assigned IP address
- Unfortunately only supports one MAC/IP per port

Next steps on resnet
- Possible use of limited-continuous MAC security; would allow students to change computers without visiting the help desk
- May require a shorter lease
- Would require a traffic shaper that is aware of MAC/IP changes

Other network features - time permitting: /ProcurveSecurityFeaturesOfPossibleInterest
- Anti peer-to-peer settings: prevents ports in the same VLAN from communicating with each other. Add local proxy ARP and it allows peer-to-peer traffic, but always through the router, where ACLs, sFlow, etc. are available.
- Tunneled mirroring: potential use for remote troubleshooting.