Friday, December 2, 2011

Configuring IP DHCP Snooping and Dynamic Arp Inspection to mitigate against Arp spoofing attacks




1. DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding database, also referred to as a DHCP snooping binding table.

2. For DHCP snooping to function properly, all DHCP servers must be connected to the switch through trusted interfaces.

3. The switch drops a DHCP packet when one of these situations occurs:

  • A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet, is received from outside the network or firewall.
  • A packet is received on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match.
  • The switch receives a DHCPRELEASE or DHCPDECLINE broadcast message that has a MAC address in the DHCP snooping binding database, but the interface information in the binding database does not match the interface on which the message was received.
  • A DHCP relay agent forwards a DHCP packet that includes a relay-agent IP address that is not 0.0.0.0, or the relay agent forwards a packet that includes option-82 information to an untrusted port.

4. Dynamic ARP inspection determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database. This database is built by DHCP snooping if DHCP snooping is enabled on the VLANs and on the switch. If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.

5. You enable dynamic ARP inspection on a per-VLAN basis by using the ip arp inspection vlan vlan-range global configuration command.

6. Address Resolution Protocol (ARP) poisoning is a type of attack in which the attacker sends forged ARP messages so that a victim's ARP cache maps an IP address to the attacker's MAC address. Also called an ARP spoofing attack, it is effective against both wired and wireless local networks. Some of the things an attacker could do with ARP poisoning include stealing data from the compromised computers, eavesdropping using man-in-the-middle methods, and preventing legitimate access to services, such as Internet service.

7. Scenario:

User A will contact DLS1 (172.16.1.1) to obtain an IP address via DHCP. This will create an entry in the DHCP binding table on DLS1. "Attacker" will be on the same VLAN 1 as User A and will attempt to spoof a MAC address using Cain & Abel software. This sends out a gratuitous ARP, updating the ARP entry for 172.16.1.1 on User A and the entry for 172.16.1.2 on DLS1. User A will then send packets to the attacker, thinking it is sending to the default gateway. This is called a "man-in-the-middle" attack.

8. Topology



9. Configuration

a. Configure DLS1 as a DHCP server and configure DHCP snooping

b.
c. Verify DHCP snooping picked up the laptop's DHCP binding:

Additional reading:
1. Good Flash animation on how ARP poisoning works: http://www.oxid.it/downloads/apr-intro.swf
2. Intro to ARP cache poisoning: http://www.grc.com/nat/arp.htm
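The configuration for steps 9a and 9c is shown in the post as screenshots only, so here is an added IOS example (not the blog's own config) that puts points 1 to 5 above together on DLS1: a DHCP pool for 172.16.1.0/24, DHCP snooping on VLAN 1, trusted uplink versus untrusted access ports, and DAI bound to the same VLAN. The interface names, the uplink port, VLAN 1, and the excluded-address range are assumptions for this scenario.

```cisco
! Added example, not the blog's configuration. Interface numbers, the
! uplink port and the excluded range are assumptions for this topology.
!
! --- DLS1 as the DHCP server for VLAN 1 (172.16.1.1 is the SVI) ---
interface Vlan1
 ip address 172.16.1.1 255.255.255.0
!
ip dhcp excluded-address 172.16.1.1 172.16.1.10
ip dhcp pool VLAN1-POOL
 network 172.16.1.0 255.255.255.0
 default-router 172.16.1.1
!
! --- DHCP snooping: enable globally, then per VLAN (both are required) ---
ip dhcp snooping
ip dhcp snooping vlan 1
! Option-82 insertion is on by default. DLS1 is both the snooping switch
! and the DHCP server here, so it is switched off (lab assumption) rather
! than teaching the local server to trust relay information.
no ip dhcp snooping information option
!
! --- Trust only the port that leads toward other DHCP servers/uplinks ---
! Access ports where User A and "Attacker" sit stay untrusted (default),
! so server-type messages and forged client hardware addresses are dropped.
interface FastEthernet0/1
 description uplink (assumed)
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range FastEthernet0/7 - 12
 switchport mode access
 switchport access vlan 1
 ! rate limits keep one host from flooding DISCOVERs or ARPs at the CPU
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
!
! --- Dynamic ARP Inspection on the same VLAN (point 5) ---
ip arp inspection vlan 1
! Also require the sender MAC/IP in the ARP body to match the frame header
ip arp inspection validate src-mac dst-mac ip
!
! --- Verification for step 9c ---
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip arp inspection vlan 1
! show ip arp inspection statistics vlan 1
```

With this in place the gratuitous ARP from the "Attacker" port in the scenario arrives on an untrusted interface, its sender IP/MAC pair is not in the snooping binding table, and DAI drops it; the drop shows up in the statistics counters rather than in User A's ARP cache.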

Friday, November 18, 2011

How HSRP Works

The point of this blog is to help others who are currently seeking out their CCNP certification.  I will take topics from the "Implementing Cisco Switched Networks (SWITCH)" book and try to get as detailed as possible.  If you are like me, you need to see what is actually happening on the network to understand and remember the concepts of networking. I will begin with Cisco's proprietary standby protocol: HSRP.

What the book doesn't provide is a good visualization of how HSRP broadcasts packets during a failover or normal operation.  Please read RFC2281:

From Cisco Academy Network:

“HSRP is a redundancy protocol developed by Cisco to provide gateway redundancy without any additional configuration on the end devices in the subnet. With HSRP configured between a set of routers, they work in concert to present the appearance of a single virtual router to the hosts on the LAN. By sharing an IP address and a MAC (Layer 2) address, two or more routers can act as a single virtual router.”



“The IP address of the virtual router will be configured as the default gateway for the workstations on a specific IP segment. When frames are to be sent from the workstation to the default gateway, the workstation uses ARP to resolve the MAC address associated with the IP address of the default gateway. The ARP resolution returns the MAC address of the virtual router. Frames sent to the MAC address of the virtual router can then be physically processed by the active router that is part of that virtual router group. The physical router that forwards this traffic is transparent to the end stations.”



“HSRP provides the mechanism for determining which router should take the active role in forwarding traffic. HSRP also has a mechanism to determine when that active role must be taken over by a standby router. The transition from one forwarding router to another is transparent to the end devices.”



Read on: 5.3 (states), 5.5 (events), 5.6 (actions). These definitions have associated codes that are referenced in a highly useful table for predicting the behavior of HSRP. I will use this table to predict the behavior of shutting down an active HSRP router in my home lab.

HSRP states (Section 5.3):

1. Initial
This is the starting state and indicates that HSRP is not running.
This state is entered via a configuration change or when an
interface first comes up.
2. Learn
The router has not determined the virtual IP address, and not yet
seen an authenticated Hello message from the active router. In
this state the router is still waiting to hear from the active
router.
3. Listen
The router knows the virtual IP address, but is neither the active
router nor the standby router. It listens for Hello messages from
those routers.
4. Speak
The router sends periodic Hello messages and is actively
participating in the election of the active and/or standby router.
A router cannot enter Speak state unless it has the virtual IP
address.
5. Standby
The router is a candidate to become the next active router and
sends periodic Hello messages. Excluding transient conditions,
there MUST be at most one router in the group in Standby state.
6. Active
The router is currently forwarding packets that are sent to the
group's virtual MAC address. The router sends periodic Hello
messages. Excluding transient conditions, there MUST be at most
one router in Active state in the group.

HSRP Events (Section 5.5):

These are the events in the HSRP finite state machine.
   a - HSRP is configured on an enabled interface.
   b - HSRP is disabled on an interface or the interface is disabled.
   c - Active timer expiry. The Active timer was set to the Holdtime
       when the last Hello message was seen from the active router.
   d - Standby timer expiry. The Standby timer was set to the
       Holdtime when the last Hello message was seen from the standby
       router.
   e - Hello timer expiry. The periodic timer for sending Hello
       messages has expired.
   f - Receipt of a Hello message of higher priority from a router in
       Speak state.
   g - Receipt of a Hello message of higher priority from the active
       router.
   h - Receipt of a Hello message of lower priority from the active
       router.
   i - Receipt of a Resign message from the active router.
   j - Receipt of a Coup message from a higher priority router.
   k - Receipt of a Hello message of higher priority from the standby
       router.
   l - Receipt of a Hello message of lower priority from the standby
       router.


HSRP Actions (Section 5.6):

A Start Active Timer
   If this action occurred as the result of the receipt of an
   authenticated Hello message from the active router, the Active
   timer is set to the Holdtime field in the Hello message.
   Otherwise the Active timer is set to the current Holdtime value
   in use by this router. The Active timer is then started.
B Start Standby Timer
   If this action occurred as the result of the receipt of an
   authenticated Hello message from the standby router, the
   Standby timer is set to the Holdtime field in the Hello
   message. Otherwise the Standby timer is set to the current
   hold time value in use by this router. The Standby timer is
   then started.
C Stop Active Timer
   The Active timer is stopped.
D Stop Standby Timer
   The Standby timer is stopped.
E Learn Parameters
   This action is taken when an authenticated message is received
   from the active router. If the virtual IP address for this
   group was not manually configured, the virtual IP address MAY
   be learned from the message. The router MAY learn Hellotime
   and Holdtime values from the message.
F Send Hello Message
   The router sends a Hello message with its current State,
   Hellotime and Holdtime.
G Send Coup Message
   The router sends a Coup message to inform the active router
   that there is a higher priority router available.
H Send Resign Message
   The router sends a Resign message to allow another router to
   become the active router.
I Send Gratuitous ARP Message
   The router broadcasts an ARP response packet advertising the
   group's virtual IP address and virtual MAC address. The packet
   is sent using the virtual MAC address as the source MAC address
   in the link layer header, as well as within the ARP packet.

RFC 2281 Table:


3 timers - active timer, standby timer, hello timer

1. Active timer - monitors the active router; expires after the holdtime

2. Standby timer - monitors the standby router; started when a hello message is seen from the standby router

3. Hello timer - expires once per hellotime period (default 3 seconds); if the router is in the speak, standby or active state it generates a hello message upon hello timer expiry

Note: a coup message is sent when a router wants to become the active router during preemption
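To tie the timers and the coup/preempt note to something you can type, here is an added IOS configuration (not the blog's own, which is only shown in screenshots) for the two switches in the lab below. The SVI name (Vlan10), the group number, the priority values and the MD5 key are assumptions chosen so that DLS1 (172.16.10.3) wins the election and preempts when it returns, as Part 2 describes; the timers are set to the defaults the post assumes (hello 3 s, hold 10 s).

```cisco
! Added example, not the blog's configuration. Vlan10, group 10, the
! priorities and the key string are assumptions for this lab.
!
! ===== DLS1 (intended active, 172.16.10.3) =====
interface Vlan10
 ip address 172.16.10.3 255.255.255.0
 standby 10 ip 172.16.10.1
 standby 10 priority 110
 ! Preempt is off by default. Without it DLS1 would sit in Standby after
 ! it comes back and the Coup message in Part 2 would never be sent.
 standby 10 preempt
 ! hellotime 3 s, holdtime 10 s (the defaults, written out so the
 ! "3 x hello" expiry in Part 1 is visible in the config)
 standby 10 timers 3 10
 ! The RFC's "authenticated Hello" is a plain-text string by default;
 ! MD5 keeps a rogue host from joining the group with the default key.
 standby 10 authentication md5 key-string HSRP-KEY-PLACEHOLDER
!
! ===== DLS2 (intended standby, 172.16.10.4) =====
interface Vlan10
 ip address 172.16.10.4 255.255.255.0
 standby 10 ip 172.16.10.1
 standby 10 priority 100
 standby 10 timers 3 10
 standby 10 authentication md5 key-string HSRP-KEY-PLACEHOLDER
!
! ===== Watching the state machine during the two parts =====
! show standby brief     (state, priority, P flag when preempt is on,
!                         active and standby router addresses)
! show standby vlan 10   (timers, virtual MAC, number of state changes)
! debug standby events   (Init/Listen/Speak/Standby/Active transitions
!                         and the Coup/Resign messages as they happen)
```

Note that the same priority on both sides would make the highest interface IP address the tie-breaker, which is the situation the next section's codes (CDFI/6, ABH/4, BGFI/6) describe only when priorities differ as configured above.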

Part 1 - shutting down active router in HSRP

  1. Run continuous ping from laptop (172.16.10.100) to gateway IP 172.16.10.1
  2. Shut down all interfaces on DLS1: int range fa0/7 - 12, shutdown command
  3. On standby router - hold time expires (3 x hello), (CDFI/6 - stop active/standby timers, send hello message, send GARP, transition to active)

  4. Standby now sending advertise active messages:

  5. Gratuitous ARP sent after standby becomes active:

  6. Standby promotes to active. ARPs for laptop's MAC address:

  7. Ping can now reply:


Part 2 - Preempt
1. DLS1 comes back up and preempts. DLS2: ABH/4 - start active/standby timer, send resign message, transition to speak.
2. DLS1 router receives hello message of lower priority from DLS2 active router.
3. DLS1 router: BGFI/6 - start standby timer, send coup, send hello, send GARP, transition to active.
4. 172.16.10.3 sends a coup message in the listen state; it wants to become active. Next packet: 172.16.10.3 says hello, I'm active! Sends GARP. 172.16.10.4 sends hello message in speak state.

5. Hello exchanged from original router saying I have higher priority:

6. Active router now is the original router that went down
7. Screenshot of DLS1 - 172.16.10.3

8. Previous active router goes from active -> speak (standby timer times out, transition from speak to standby)
9. Screenshot of DLS2 - 172.16.10.4

10. Standby router is local, speak -> standby (EA: learn, start active timer)

Question for readers:

1. Is the resign message a broadcast? I did not receive this packet on my access port on ALS1

Additional reading:
1. Visual animation of HSRP: visualland.net
2. RFC 2281: http://www.ietf.org/rfc/rfc2281.txt