
Monday, December 6, 2010

DHCP Process

Dynamic Host Configuration Protocol (DHCP) is a protocol that assigns an IP address to a client that requests one.

There are 4 stages in assigning an IP address using DHCP:

1. Client to server --> DHCPDiscover. In this step the client broadcasts a request asking whether any DHCP servers are available.

2. Server to client --> DHCPOffer. Here the server chooses an IP address from its pool and sends the assigned IP address, with additional information (gateway, lease time, etc.), to the client. If there are multiple DHCP servers, the client processes and accepts the first offer it receives. Before the DHCP server offers the address, it first makes sure that the IP address is not currently in use (or being handed out by another DHCP server) by sending 2 pings to the IP address with an RTO of 500 ms (both values can be modified with the commands (config)#ip dhcp ping packets and (config)#ip dhcp ping timeout). If there is no reply, the IP address is clear to use; if there is a reply, the address is in use by someone else, and the DHCP server chooses another IP address from its pool and checks it again before offering it to the client.

3. Client to server --> DHCPRequest. In this step the client accepts the offered IP address by sending a request containing that IP address to the DHCP server.

4. Server to client --> Check. If the requested IP address is the same one the server offered, the DHCP server sends a DHCPAck with additional info. If it is not the same, the DHCP server returns the offered address to the pool, since this means the client has already taken another IP address.

To configure the DHCP service on a router, type the command:
(config)#service dhcp

This enables the Cisco router to act as a DHCP server. It does not necessarily have to be the main DHCP server; the router can also act as a secondary/standby DHCP server in case the main DHCP server goes down.

To disable the DHCP service, simply enter the command:
(config)#no service dhcp

There are several DHCP assignment methods:

1. Dynamic --> This is the default assignment method, where the client is assigned an IP address for a given period of time.
2. Manual --> This method uses a static mapping/binding of IP addresses to MAC addresses.
3. Automatic --> In this method the DHCP server chooses an IP address from the pool for the client's MAC address and binds them permanently.

Binding itself comes in 2 forms:

1. Manual binding, where the IP address is bound to the MAC address if the host is found in the DHCP database. The binding database is kept in NVRAM, which means it survives a router reload.
2. Automatic binding, where the IP address is bound to the MAC address, but the binding database is kept on a DHCP database agent (a remote device, e.g. a TFTP server).

To create a binding:
(dhcp-config)#host
(dhcp-config)#hardware-address xxxx.xxxx.xxxx
(dhcp-config)#client-name

To set the DHCP server database location, use the command:
(config)#ip dhcp database

To create a DHCP pool, type the commands:
(config)#ip dhcp pool
(dhcp-config)#network

It is possible to exclude an IP range from the subnet so that those addresses are never handed out by DHCP, by typing the command:
(config)#ip dhcp excluded-address // for a single IP, no high address is required

To set the lease time of the assigned IP address:
(dhcp-config)# lease

The IP helper address is another useful feature. A host broadcasts its DHCP request to find DHCP servers, but routers are L3 devices that do not forward broadcasts. The IP helper address resolves this: the hosts' broadcasts are translated into unicasts, which makes it possible for the router to send the packet to the desired DHCP server. The router here acts as a DHCP relay agent.

To configure this on the router interface that receives the hosts' broadcasts:
(config-if)#ip helper-address

For more advanced networks, the DHCP relay agent can insert its own router information when forwarding DHCP packets through the network (option 82):
(config)#ip dhcp relay information option
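The commands above put together into one working IOS configuration, as an added example that is not part of the original post. The addressing (192.168.10.0/24 served locally, 192.168.20.0/24 relayed from a second router), interface names, pool names, the TFTP database agent address and the printer MAC address are all placeholders chosen for illustration:

```cisco
! ===== Router R1: DHCP server (hypothetical addressing) =====
service dhcp
!
! Keep the gateway and the first few addresses of each subnet out of the pools
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.20.1 192.168.20.10
!
! Conflict check before an offer: 2 pings, 500 ms each (these are the defaults)
ip dhcp ping packets 2
ip dhcp ping timeout 500
!
! Automatic bindings kept on a database agent (TFTP server at 192.168.10.5,
! written at most every 120 seconds)
ip dhcp database tftp://192.168.10.5/r1-dhcp-bindings write-delay 120
!
! Dynamic pool for the directly connected LAN
ip dhcp pool LAN-10
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 192.168.10.5
 lease 0 12
!
! Dynamic pool for the subnet behind R2; the relay's giaddr selects this pool
ip dhcp pool LAN-20
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 192.168.10.5
 lease 1
!
! Manual binding: one known host always gets the same address
ip dhcp pool PRINTER-1
 host 192.168.10.20 255.255.255.0
 hardware-address 0011.2233.4455
 client-name printer-1
!
! ===== Router R2: no local DHCP server, relays to R1 =====
interface GigabitEthernet0/1
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 192.168.10.1
!
! Option 82: add relay agent information to the forwarded packets
ip dhcp relay information option
!
! ===== Verification on R1 =====
! show ip dhcp binding
! show ip dhcp conflict
! show ip dhcp pool
```

Two points worth checking after applying this: "show ip dhcp conflict" lists every address for which the pre-offer ping got an answer (a sign of a static host or a second DHCP server inside the pool range), and the lease value in a pool is days hours minutes, so "lease 0 12" is 12 hours while "lease 1" is one day.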

-- 9 December 2010 --

Thursday, November 25, 2010

Wireless Networking

This post presents basic information about wireless networking: technology, configuration, scanning, authentication, and antenna types.

To date, wireless network technology has 4 standards, which can be seen in the table below:

Type          802.11a          802.11b          802.11g          802.11n
Throughput    up to 54 Mbps    up to 11 Mbps    up to 54 Mbps    up to 540 Mbps
Frequency     5 GHz            2.4 GHz          2.4 GHz          5 GHz or 2.4 GHz

There are 2 wireless network configurations: BSS and IBSS.
Basic Service Set (BSS) is the most common configuration, where a wireless AP communicates with its hosts, such as PCs. To recognize the AP, the client searches for access points and uses the Service Set Identifier (SSID), which is basically a case-sensitive name of up to 32 characters. The SSID can be set on the AP to be publicly visible or hidden.
Independent Basic Service Set (IBSS) is the second configuration, where the clients communicate with each other independently, peer-to-peer. This type of configuration does not need an AP.

For the PC to communicate with the AP, a method called scanning is used. There are 2 types of scanning: active and passive.
In active scanning, the client takes the initiative and sends Probe Requests, asking APs to send Probe Responses, and waits for the Probe Responses.
In passive scanning, the client listens and waits for Probe Responses from the AP.
If more than 1 Probe Response is found, the user can choose which network to use.

Authentication is also needed for network security. It takes place after the client hears the Probe Response and the user selects the network. There are several authentication types. The first is "Open", where everyone can access the network. The second is "Shared Key", where only users that know the key can access the network (WEP, EAP, WPA and WPA2).

AP antennas come in several types. A point-to-point antenna has a very narrow beam and is usually used to create a point-to-point link with another AP. A directional antenna has limited coverage and serves only a specific area of customers. An omni-directional antenna covers every direction and is used to serve all customers near the AP. However, its coverage radius is shorter than that of a point-to-point link at the same power.

-- 26 November 2010 --

Friday, November 19, 2010

Network Attacks

There are several network attacks that can be carried out against a network. A few of them are the MAC address flooding attack, VLAN hopping and switch spoofing.

A MAC address flooding attack sends numerous frames to the switch using different source MAC addresses. This loads the switch's processing capacity, since it needs to maintain all those MAC addresses in the switching table. It also creates a denial of service (DoS): when the memory for the MAC address table runs out, legitimate hosts will not be able to access the switch. Bandwidth is also wasted, since MAC address flooding floods the network with broadcasts. Through this attack the attacker can also intercept packets with a packet sniffer, since its client now receives the broadcasts from legitimate hosts. To prevent this, illegitimate hosts should be kept out of the network and blocked if they try to access it. Port-based authentication and port security can be implemented for this.

VLAN hopping spoofs the switch by using double VLAN tags. For this to work, the host must be able to access the port, be placed in the native VLAN, and the switch must use dot1q. The attacker uses 2 different VLANs, one of which is the native VLAN. When the switch sees a frame from the native VLAN, it removes the VLAN tag and sends it into the network untagged (dot1q protocol). What the switch does not know is that the frame carries a second VLAN tag. At this point, the attacker's frame is free to reach other hosts for phishing, trojans, viruses, etc., using the second VLAN tag to attack users in the same VLAN as the attacker's second tag. To prevent this, simply create a native VLAN with no hosts attached to it. In this way, every frame from the hosts is inspected.

Switch spoofing exploits the behavior of switches running a port in dynamic desirable mode. In this mode, a switch will aggressively try to form a trunk with its peer, without knowing who or what its peer is. The attacker can spoof the switch by acting as a switch and accepting the trunk. From that moment on, the attacker can listen to the traffic running through its device and find out user names, passwords, credit card numbers, etc. To prevent this, dynamic desirable or auto mode should be set only on ports known to have trusted switches as peers. All other ports should be set to access mode.
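The three preventions named above (port security, an unused native VLAN, and access mode on user ports) as one IOS access-switch configuration. This is an added example and not from the original post; the interface ranges, VLAN IDs, MAC limit and recovery interval are placeholders chosen for illustration:

```cisco
! ===== User-facing ports (hypothetical range) =====
interface range GigabitEthernet1/0/1 - 24
 ! Against switch spoofing: a fixed access port never negotiates a trunk,
 ! and "nonegotiate" stops the port from sending or answering DTP at all
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 !
 ! Against MAC address flooding: learn at most 2 addresses per port; a
 ! third source MAC is a violation and the port is err-disabled
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
! Bring a port back automatically 5 minutes after a port-security violation
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! ===== Trunk towards the distribution switch =====
! Against VLAN hopping: the native VLAN is one that no host is ever placed in,
! and native-VLAN frames are tagged too, so the outer tag is never silently
! stripped at the trunk
vlan 999
 name UNUSED-NATIVE
!
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
vlan dot1q tag native
!
! ===== Verification =====
! show port-security interface GigabitEthernet1/0/1
! show port-security address
! show interfaces trunk
! show interfaces GigabitEthernet1/0/1 switchport
```

"show port-security interface" shows the configured maximum, the current count and the violation counter per port, which is the quickest way to spot a flooding attempt; "show interfaces ... switchport" confirms both Administrative Mode (static access) and Negotiation of Trunking (Off) on the user ports.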

Thursday, November 18, 2010

Private VLAN

A private VLAN is used to restrict a client so that it can only reach a specific port or a limited set of users. Each port can be configured in one of 3 ways:

1. Promiscuous mode, where the client attached to that port can reach clients in the primary and secondary VLANs. Usually this mode is applied to gateway devices such as routers.

2. Isolated mode, where the client can only communicate with the primary VLAN and with devices on promiscuous ports, but not with hosts in the same secondary VLAN or in a different secondary VLAN. Basically the client has only a one-on-one relationship with the gateway.

3. Community mode, where the client can communicate only with other hosts in the same secondary VLAN and with devices on promiscuous ports, but not with hosts in a different secondary VLAN.


The configuration of the private VLAN is shown below:

(config)#vlan
(config-vlan)#private-vlan community // it can also be set as isolated or primary
Private VLANs can only be configured when the switch is in VTP transparent mode*. Then the secondary private VLAN needs to be associated with a primary VLAN.
(config-vlan)#private-vlan association // note that the primary VLAN needs to be created first; it will not be created automatically

Then the port needs to be set in private VLAN mode:
(config)#interface fast // the port that we want to set
(config-if)#switchport mode access // make it an access port first
(config-if)#switchport mode private-vlan // host is used for the port attached to the client, promiscuous for the port attached to the gateway device



Tuesday, October 26, 2010

Setting passwords on Cisco Routers and Switches

Passwords can be set on Cisco routers and switches to secure the hardware and the network configuration on it. In this post, I will show you how.

We can require a password from every user that wants to access the device by entering "enable password" in the configuration terminal of the switch/router. In this way, every user will be asked for the password. However, this password is not fully secure, since it can be read in the show running-config output. To make it more secure, and encrypted, we can use the "enable secret" command instead.

The enable secret password takes priority over the enable password command: if both are set, the secret password is the one in effect. So what is the use of the enable password command? It is used on devices that do not support enable secret yet.

Cisco routers and switches can be accessed remotely, so passwords for this must be configured too. The commands are "line vty 0 15", then "password", and then "login" to put the password into effect. If the password is not set, remote login will not be available. However, this password is still visible at the bottom of the show running-config output. Basically, a user that wants to log in needs to enter the vty password first to get access to the router. After that, the enable password must be entered again to reach the configuration mode of the router/switch (if one has been set).

Privilege levels can also be set on each of the virtual lines by entering the desired line in configuration terminal mode, e.g. "line vty 0 15", and then "privilege level <0-15>". 0 means the user is very limited in what it can do on the router, while 15 means the user has full access to configure the router/switch. Combining this with the password commands, we can grant different privileges based on the password the user knows, e.g. for line vty 1 we set the password line1 and privilege level 0, while for line vty 2 we set the password line2 and privilege level 15.

It is also possible to access the device with a username and password. To do that, we set up a database of users and passwords in configure terminal mode using the structure "username privilege password". We can do that for as many users as we want. Then apply this to all the lines of the router by entering "line vty 0 15" in configure terminal mode, followed by "login local", which makes the router check only the usernames and passwords stored in the local database. After this, the command is in effect.
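The password commands from this post combined into one configuration, as an added example that is not from the original post. The hostname, domain name, usernames and passwords are placeholders, and the hardened choices that go beyond the post (the "secret" keyword on username, "service password-encryption", SSH-only vty lines and an idle timeout) are the usual additions made for the same reason the post gives, that line and enable passwords are otherwise readable in show running-config:

```cisco
hostname R1
ip domain-name example.local
!
! enable secret stores a hash; enable password would appear in cleartext.
! If both are set, the secret is the one that applies.
enable secret ChangeMe-Enable-2010
!
! Local user database: "secret" stores a hash of the password, whereas
! "password" would be stored reversibly after service password-encryption
username netops privilege 15 secret ChangeMe-NetOps-2010
username helpdesk privilege 1 secret ChangeMe-Helpdesk-2010
!
! Any remaining plain "password" entries (e.g. line passwords) are no longer
! shown in the clear in show running-config
service password-encryption
!
! Console: authenticate against the local database, drop idle sessions
line console 0
 login local
 exec-timeout 10 0
!
! Remote access: local users only, SSH only, drop idle sessions
line vty 0 15
 login local
 transport input ssh
 exec-timeout 10 0
!
! SSH needs the hostname and domain name above plus an RSA key pair
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Verification
! show running-config | include enable|username|password
! show ip ssh
! show privilege
```

After "login local" is applied, the vty "password" line is no longer consulted, so the privilege level a remote user ends up with comes from the username entry rather than from the line; "show privilege" after logging in as each user confirms the level actually granted.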





Securing your network

Network security is important for keeping a safe and secure network. Here are a few tips on securing your network:

- Pay attention to physical security. Put the hardware in locked rooms that only authorized persons can access. Also install the hardware in a physically safe place, away from leaking windows, heat-generating devices, or areas that could be flooded.

- Set passwords on the hardware whenever possible. Passwords are supposed to protect your network, so a proper password should be set. Do not use passwords such as "password" or "cisco", because they are too easy to guess.

- Set different privilege levels for different users. In this way, those who are only supposed to view the network cannot modify it.

- Give remote access only to those who are authorized. If necessary, restrict it so that only a specific user on a specific computer (MAC address authorization) can access the network.

- Upgrade the software when necessary. Upgrades usually come with bug fixes and patches along with additional features.

Sunday, July 25, 2010

VTP Pruning

VTP pruning is a feature that can be enabled when the switch is in server mode; once it is enabled on one server, it applies to all switches in the same domain. The command for VTP pruning is “vtp pruning” in the switch’s configuration mode. This feature filters and blocks unnecessary traffic.

Take for example switch A, which has VLANs 2-20 on it, and switch B, which has VLANs 15-25. Without VTP pruning, broadcasts are flooded from switch A to B and back for all VLANs. This results in useless traffic, since switch B does not have VLANs 2-14 and does not need this “waste” of traffic. Switch B needs only traffic for VLANs 15-20. The same goes for switch A, which receives broadcasts for VLANs 15-25 while it needs only VLANs 15-20.

With VTP pruning, the problem above is avoided. The receiving switch automatically detects and prunes unnecessary VLAN traffic, so that only usable traffic is forwarded.

Virtual Trunking Protocol

VTP (Virtual Trunking Protocol) is a Cisco proprietary layer 2 protocol that gives each switch in the network an overall view of the active VLANs. VTP can add, delete or modify VLANs and distributes the changes over the network, which reduces the manual administration of every switch.

Without VTP, a switch’s VLAN configuration is not forwarded to the other switches in the network. This is a major problem when a switch creates a VLAN. With VTP, this problem is prevented, because switches notify their neighbors by sending VTP advertisements. However, VTP advertisements only work within the same domain. These advertisements are multicast, but are only sent to switches trunking with the local switch.

By default, a Cisco switch does not have a domain. To create one, type “vtp domain XXX” (where XXX is the domain name) in the switch’s configuration mode. Do the same on the other switches that need to be in the same domain. A Cisco switch can belong to only 1 domain.

The operating modes are shown as VTP Operating Mode in the “show vtp status” output. The default on Cisco switches is “SERVER” mode. In this mode, the switch can add, delete or modify VLANs, so a VTP domain needs at least 1 switch in “Server” mode (make sure this switch is physically secured). Another mode is “CLIENT” mode. A switch in this mode can do nothing except listen for VTP advertisements and change its VLAN configuration when an advertisement requires it. The last mode is “TRANSPARENT” mode, used when the switch should neither advertise its VLAN configuration nor synchronize its VLAN configuration from received VTP advertisements. VLANs can be created, changed or deleted in transparent mode, but they are locally significant only. In VTP version 1, a transparent switch forwards the VTP messages it receives (without synchronizing to them or sending its own configuration) ONLY if the VTP version number and domain name on that switch match those of its downstream switches. In VTP version 2, a transparent switch forwards the VTP messages it receives (again without synchronizing or sending its own configuration) even when the domain name does not match. To switch between these modes, type “vtp mode client/server/transparent” in the switch configuration mode.

A VTP advertisement is sent whenever the configuration revision on a switch in server mode changes (e.g. a VLAN is added). The receiving switch (client or server) inspects the revision value: if it is higher than its own configuration revision number, the receiving switch revises its configuration according to the advertisement; if the value is lower or the same, it changes nothing. To reset a switch’s revision number, change the VTP domain name to a nonexistent domain and then back to the original name, or change the VTP mode to transparent and then back to server mode.
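The VTP domain, mode and pruning commands from the two posts above, plus the revision-number reset, as one added example that is not from the original posts. The domain name, VTP password, VLAN ID and interface name are placeholders; the "vtp password" lines are an addition beyond the posts, so that a switch which does not know the password cannot send advertisements the domain will accept:

```cisco
! ===== Switch in SERVER mode (the physically secured one) =====
vtp domain CAMPUS
vtp password ChangeMe-VTP-2010
vtp mode server
vtp pruning
!
! Creating a VLAN here raises the configuration revision and triggers an
! advertisement to every switch trunked into the CAMPUS domain
vlan 15
 name SALES
!
! ===== Switch being added to the domain as a CLIENT =====
! Going through transparent mode first resets the revision number to 0, so a
! switch reused from another network cannot arrive with a higher revision and
! overwrite the VLAN database of the whole domain
vtp mode transparent
vtp domain CAMPUS
vtp password ChangeMe-VTP-2010
vtp mode client
!
! Trunk on either switch: VLANs eligible for pruning (1 and 1002-1005 never are)
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport trunk pruning vlan 2-1001
!
! ===== Verification =====
! show vtp status
! show vtp password
! show interfaces trunk
```

Before cabling any switch into a production domain, compare the Configuration Revision field of "show vtp status" on the new switch with the one on the server: the new switch must show a lower number (ideally 0), and the last section of "show interfaces trunk" ("Vlans in spanning tree forwarding state and not pruned") is where the effect of pruning becomes visible per trunk.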

Saturday, July 24, 2010

VLANs: creating, trunking and dynamic assignments

VLAN stands for Virtual LAN. It is used to create LANs that appear to be separated although they are actually on the same physical network. One reason for creating VLANs is to separate, say, the IT security network from the Administration network in an office, virtually.

Take for example a network with PC1 to PC10. Two VLANs are created: VLAN A (PC1 to PC5) and VLAN B (PC6 to PC10). When a VLAN is created in the network, broadcasts that were initially sent to all users are restricted to the users in the same VLAN only. This works because a frame is tagged with a VLAN ID when it is sent to the switch, so the switch knows where to send it. In this example, the broadcasts that reached PC1 to PC10 when there were no VLANs change: only PC1 to PC5 receive a broadcast that originates in VLAN A. Also, once VLANs are applied, PC1 cannot even ping PC6 to PC10, because they are in a different network. Cisco’s best practice is to have 1 VLAN per subnet.

To show the VLANs and the ports in them, use the “show vlan brief” command on the switch’s CLI. If a port that should be there does not appear in the “show vlan brief” output, the port is trunking. To confirm this, type the “show interfaces trunk” command. To create a VLAN (e.g. VLAN 20), just type the command “vlan 20” in the switch’s configuration mode. To put an interface in a VLAN (say VLAN 20), go to the interface mode and type the “switchport access vlan 20” command.

A trunk can be created to carry the VLANs across switches. However, a trunk belongs to all VLANs. To create a trunk, enter “switchport mode trunk” in the interface mode of the interface that should become the trunk. If the peer switch’s port is set to dynamic, the peer switch automatically makes its port connecting to the originating switch a trunk as well.

All the VLAN configuration above uses “static” VLANs. It is also possible to create dynamic VLAN assignments, which automatically detect the MAC address of a device and put it in the same VLAN even after it has moved to another port. This is done with a VMPS (VLAN Membership Policy Server). It performs the dynamic assignment using a TFTP server that holds a database mapping VLANs to the MAC addresses associated with them. This database is downloaded every time the switch is power cycled. A switch port that receives a dynamic VLAN assignment is set to PortFast automatically. VMPS itself uses UDP to listen for its clients’ requests.

To summarize, VLANs are created to separate networks on the same physical network. They can also be used to create one LAN across physically separated switches, but remember to configure a trunk port on the switches first. Besides static VLAN configuration, there are also dynamic VLANs, which use VMPS.
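The static VLAN and trunk commands from this post in one configuration for an access switch, as an added example that is not from the original post. The VLAN IDs, names and interface ranges are placeholders; the explicit allowed-VLAN list on the trunk is an addition beyond the post, so that the trunk carries only the VLANs that exist on both sides instead of all of them:

```cisco
! Two VLANs, one per subnet
vlan 20
 name IT-SECURITY
vlan 30
 name ADMIN
!
! Static access ports: PC1-PC5 in VLAN 20, PC6-PC10 in VLAN 30
interface range GigabitEthernet1/0/1 - 5
 switchport mode access
 switchport access vlan 20
!
interface range GigabitEthernet1/0/6 - 10
 switchport mode access
 switchport access vlan 30
!
! Trunk to the next switch. The encapsulation line is needed only on
! platforms that also support ISL (e.g. Catalyst 3560); a 2960 rejects it.
interface GigabitEthernet1/0/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 20,30
!
! Verification: access ports appear under their VLAN in "show vlan brief",
! the trunk port does not, and shows up in "show interfaces trunk" instead
! show vlan brief
! show interfaces trunk
! show interfaces GigabitEthernet1/0/48 switchport
```

If a host in VLAN 20 on this switch cannot reach a host in VLAN 20 on the peer switch, "show interfaces trunk" is the first check: the VLAN must appear in both the "Vlans allowed on trunk" and the "Vlans allowed and active in management domain" sections, which fails when the VLAN was never created on the peer or was left out of its allowed list.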

Thursday, July 22, 2010

Building MAC Address Tables in a Switch

A switch is a layer 2 device that forwards data from one device to another. It does so by comparing the incoming frame’s MAC addresses and port with its database of MAC addresses, which tells it the port of the destination MAC address. Although this data can be entered manually (static), it is easier to let the switch learn the MAC addresses automatically (dynamic). This is also useful when end-user devices such as PCs frequently connect and disconnect on different ports.

Basically, a switch that is powered on for the first time has an empty table. When it receives its first frame, say from PC A, it saves the incoming frame’s source MAC address and port in its table. Because it does not know where to send the frame (since the table is empty), it forwards it out all ports except the one it came from. It then waits for the reply from one of the attached devices (e.g. PC D, the real destination) and saves that MAC address and port too. So the next time another PC sends a frame to PC D, it goes directly to PC D, because the switch already knows from its table where to send it. This continues with further frames until the MAC table of addresses and ports is built completely.

Overall, there are 4 possibilities for forwarding data in a switch. The first is unicast data from an originating device to a destination device whose MAC address is known: it is forwarded to the specific port. The second is unicast data whose destination device is not yet known in the switch’s database: it is sent out every port except the one it came from. The third is data sent to a MAC address that is known to be on the same port it came from: in this case the frame is filtered by the switch and not forwarded to any port. The fourth and last is multicast or broadcast (remember: broadcast uses ff:ff:ff:ff:ff:ff as the destination address): in this case the switch sends it to the designated ports, or to every port except the one it came from.

Internet Cabling

In networking, the physical connection is one of the important things to consider. When a problem occurs, the physical connection should always be checked first. There are several rules for connecting devices, which are discussed in this post.

The first rule concerns connecting devices of the same type, where we should use a crossover cable. For example: PC to PC, switch to switch (or switch to hub, because hubs and switches are considered the same type of device), and router to router.

When we connect devices of different types we must use straight-through cables, e.g. router to switch and switch to PC. However, to connect a PC to a router we must use a console cable (also known as a rollover cable), or a crossover cable if we use the Ethernet port.

An illustration of these settings is shown in the image below.