Showing posts with label Security.

Sunday, February 15, 2015

Data Center Access Layer Security Recommendations


I am often asked what kind of security recommendations are required for the data center access layer. Let's first understand what the access layer in a data center is used for.

The data center access layer provides Layer-2 connectivity for server farms. In most cases the primary role of the access layer is to provide port density for scaling the server farm or a network segment; it can be physical or virtual. Security at the access layer is primarily focused on securing Layer-2 flows and communication within the site.

Recommendations for this layer are:

Use VLANs to segment and isolate traffic where it is needed. This is very basic and is used in almost every data center, but it is not always considered a security control. Deploy private VLANs (PVLANs) after confirming that traffic flows will not be affected once they are deployed. It is best to ensure that hosts that need to communicate are placed in the same community, while hosts that do not require such connectivity are isolated. The host communication matrix must be provided by the customer, clearly defining the traffic flows.

The following Layer 2 security mechanisms should be enabled at the access layer:
1. Address Resolution Protocol (ARP) inspection / ARP spoofing: the private VLAN edge feature will help mitigate this type of attack.
2. Dynamic Host Configuration Protocol (DHCP) snooping.
3. IP Source Guard.
4. Port security, which can be used to lock down a critical server to a specific port.
5. Blocking user-to-user L2 communication: the private VLAN edge / protected port feature will help mitigate this type of attack.
6. Broadcast/multicast suppression: the storm control feature will help mitigate this type of attack.
7. MAC address hijacking: the protected port and port security features will help mitigate this type of attack.
8. IP source spoofing: the uRPF feature will help mitigate this type of attack.
9. Content-addressable memory (CAM) overflow: this can be mitigated by using port security on customer-facing ports.
10. Dynamic Host Configuration Protocol (DHCP) DoS: this can be mitigated by using port security / DHCP snooping on customer-facing ports.
11. DoS storms: this can be mitigated by using port security / private VLAN edge on customer-facing ports.
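To make the interplay of items 2, 3, 4 and 7 concrete, here is an added example (not from the post or any vendor) that models how a DHCP snooping binding table feeds IP Source Guard and Dynamic ARP Inspection, and how a port-security MAC limit contains CAM overflow. Port names, MAC and IP addresses are constructed, and the rules are simplified compared with a real switch.

```python
# Added example: a toy access switch that applies DHCP snooping, IP Source
# Guard (IPSG), Dynamic ARP Inspection (DAI) and port security. Constructed data.
from dataclasses import dataclass, field

@dataclass
class AccessPort:
    name: str
    trusted: bool = False              # DHCP-snooping trust: uplinks/servers only
    max_macs: int = 1                  # port-security limit (contains CAM overflow)
    learned: set = field(default_factory=set)

class AccessSwitch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.bindings = {}             # snooping table: (client port, MAC) -> IP
    def dhcp_ack(self, server_port, client_port, mac, ip):
        """Server replies are honoured only from a trusted port; a valid lease
        is recorded in the snooping table and later used by IPSG and DAI."""
        if not self.ports[server_port].trusted:
            return "drop: dhcp server reply on untrusted port"
        self.bindings[(client_port, mac)] = ip
        return "bind"
    def frame(self, port, src_mac, src_ip, arp_sender_ip=None):
        """Apply the per-port checks to one inbound frame and report the verdict."""
        p = self.ports[port]
        p.learned.add(src_mac)
        if len(p.learned) > p.max_macs:  # port security: too many source MACs
            p.learned.discard(src_mac)
            return "drop: port-security violation"
        if p.trusted:                    # uplinks are exempt from IPSG/DAI
            return "forward"
        bound_ip = self.bindings.get((port, src_mac))
        if src_ip != bound_ip:           # IPSG: source IP must match the lease
            return "drop: ip source guard"
        if arp_sender_ip is not None and arp_sender_ip != bound_ip:
            return "drop: dynamic arp inspection"  # DAI: ARP sender IP/MAC mismatch
        return "forward"

def demo():
    sw = AccessSwitch([AccessPort("Gi1/0/1"), AccessPort("Gi1/0/2"),
                       AccessPort("Gi1/0/24", trusted=True)])
    client, rogue = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"   # constructed MACs
    return [
        sw.dhcp_ack("Gi1/0/2", "Gi1/0/1", client, "10.0.0.11"),   # rogue DHCP server
        sw.dhcp_ack("Gi1/0/24", "Gi1/0/1", client, "10.0.0.11"),  # real lease via uplink
        sw.frame("Gi1/0/1", client, "10.0.0.11"),                 # normal traffic
        sw.frame("Gi1/0/1", client, "10.0.0.1"),                  # spoofed source IP
        sw.frame("Gi1/0/1", client, "10.0.0.11", arp_sender_ip="10.0.0.1"),  # ARP spoof
        sw.frame("Gi1/0/1", rogue, "10.0.0.12"),                  # second MAC on port
    ]
```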


Thursday, May 27, 2010

Diffie-Hellman(DH) Shared Key Exchange Mechanism



Diffie-Hellman is a cryptographic protocol which allows two users to agree on a key over a public network. VPNs mainly use the Diffie-Hellman algorithm to provide a reliable and trusted method of key exchange. The algorithm was invented by Whitfield Diffie and Martin Hellman in 1976. During a DH exchange both users must agree on two non-secret numbers, which could be available publicly or in the form of a certificate. After this agreement, the users exchange their public values and each finds that its key and the remote user's key are the same. Once they are bona fide to each other, they start exchanging their data.
In this post, I will explain how the key values are calculated. First we need to define two public parameters, which are available to both users through a certificate or via any other method. Let's assume n and g are the public parameters for user1 and user2. The value of g should be small, and n should be a large prime number.
Both users start with the same public parameters:
n=997
g=2
The next step is to use the private keys to compute the value that will be given to the remote user.
The private key for user1 is 3 and for user2 it is 5.

Calculate the public value which will be transmitted to the remote user. The formula for the public value of user1 is given below:
Public Value:- g^(private key of user1) mod n
Public Value:- 2^3 mod 997
Public Value:- 8 mod 997
Public Value:- 8

The formula for the public value of user2 is given below:
Public Value:- g^(private key of user2) mod n
Public Value:- 2^5 mod 997
Public Value:- 32 mod 997
Public Value:- 32

Now both users exchange their public values, and on the basis of the received public value each user calculates the secret key.
User1 receives 32 from user2 and user2 receives 8 from user1.

User1 calculates its shared key using the following formula:
User1 Shared Key:- (Received Public Key From User2)^(user1 private key) mod n
User1 Shared Key:-32^3 mod 997
User1 Shared Key:-32768 mod 997
User1 Shared Key:- 864

User2 calculates its shared key using the following formula:
User2 Shared Key:- (Received Public Key From User1)^(user2 private key) mod n
User2 Shared Key:-8^5 mod 997
User2 Shared Key:-32768 mod 997
User2 Shared Key:- 864

User1 and User2 now have the same shared key, which is 864.
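The exchange above, as an added example that is not part of the original post, written as reusable functions. The parameters n=997, g=2 and private keys 3 and 5 are the post's; the function names are mine. The last function shows, by trial on the post's toy modulus, why n must be large in practice: an observer who sees only n, g and the two public values should not be able to recover a private key.

```python
# Added example: Diffie-Hellman with the post's numbers (n=997, g=2, private
# keys 3 and 5) plus a trial-division discrete log on the toy modulus.
import secrets

def public_value(g, private, n):
    """g^private mod n: the only value each user sends over the network."""
    return pow(g, private, n)

def shared_key(received, private, n):
    """received^private mod n: computed locally, never transmitted."""
    return pow(received, private, n)

def dh_exchange(n, g, priv1, priv2):
    """Run both sides and return (pub1, pub2, key1, key2); key1 == key2."""
    pub1 = public_value(g, priv1, n)
    pub2 = public_value(g, priv2, n)
    key1 = shared_key(pub2, priv1, n)   # user1 uses user2's public value
    key2 = shared_key(pub1, priv2, n)   # user2 uses user1's public value
    return pub1, pub2, key1, key2

def check_post_values():
    """Reproduce the post: public values 8 and 32, shared key 864 on both sides."""
    return dh_exchange(997, 2, 3, 5)

def random_private(n):
    """A private exponent in [2, n-2]; with n=997 it is still trivially guessable."""
    return 2 + secrets.randbelow(n - 3)

def brute_force_private(g, pub, n):
    """Solve g^x = pub (mod n) by trial. Instant for n=997, which is exactly
    why real deployments use much larger primes (standardised DH groups)."""
    for x in range(1, n):
        if pow(g, x, n) == pub:
            return x
    return None
```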


Sunday, May 16, 2010

Hack Twitter Password


Twitter is becoming a part of daily life, and before the start of any new work we like to post updates on Twitter. Twitter is growing incredibly because it is easy to use and secure. This afternoon, when I was analyzing some of my pcap files from yesterday, I was astonished to see that Twitter sends the password in clear text during a change in profile settings. This could be a high-alert flaw because, without using a keylogger, I am losing my password identity. On the same LAN a Twitter hack could expose a lot of usernames and passwords. I captured the logs; the password field is coloured black, and I could see it with my naked eyes because it is in clear text format, which explicitly shows that the Twitter team is not using any encryption during settings or profile updates.
[Image 1]
[Image 2]


Monday, June 29, 2009

Could IPSec Stop Viruses



Whenever I go to a customer call for an MPLS VPN solution, the first question raised by the customer is how secure the MPLS VPN network is. I am weak in security and know only the little that is required for selling. Security does not mean that you are 100% secure and safe. In my last meeting with a customer, he raised the option of going with an IPSec VPN. I asked him why he was looking for an IPSec VPN when he already had a good security setup. The customer answered, "I want to make my network secure from viruses." He told me that I seemed to be buzzing with lots of solutions: "Is this IPSec going to work for me or not?"
The answer given to me was so pitiful that I really don't have any words to comment. I tried my level best to make him understand that IPSec cannot save your network from viruses, worms and spyware, nor from intruders. The main advantage of using IPSec is that if someone intercepts the data by any means, he cannot reveal the information in it.
So the next time you go to a customer meeting, try to prepare yourself on how IPSec can help against viruses.



Wednesday, February 11, 2009

PE-CE Labels Security In MPLSVPN

Yesterday I was asked a very good question by the security team: if a customer sends a labeled packet by spoofing it, what will happen in that case? I answered quickly that in such cases the customer can forward only IP packets, not labeled packets, because mpls ip is not configured on that interface, and because of this the PE is not going to accept the labeled packet. So no more label spoofing from the CE end. But what if the CE sends a spoofed IP packet? In that case only the CE's VRF will be affected.

regards
shivlu jain

Monday, December 29, 2008

Cisco Published Annual Security Report Of 2008

At the end of 2008, on 18th December, Cisco published its annual security report.

Key Findings from Cisco
This year's report reveals that online and data security threats continue to increase in number and sophistication. They propagate faster and are more difficult to detect.


Key report findings include:

a) Spam accounts for nearly 200 billion messages each day, which is approximately 90 percent of email sent worldwide.

b) The overall number of disclosed vulnerabilities grew by 11.5 percent over 2007.

c) Vulnerabilities in virtualization products tripled to 103 in 2008 from 35 in 2007, as more organizations embraced virtualization technologies to increase cost-efficiency and productivity.

d) Over the course of 2008, Cisco saw a 90 percent growth rate in threats originating from legitimate domains, nearly double what the company saw in 2007.



regards
shivlu jain

Saturday, November 29, 2008

Fight Against Security: Mumbai Attack

An unprecedented attack on Mumbai, dated 26 November 2008, was made by perpetrators aged 20 to 25 years. The mission was planned in such a manner that it could go on for long, with the maximum number of living beings killed. You will find it strange to see such a nationalist post on a service provider blog. Actually I am relating the Mumbai issue to computer networks. We as Indians try our level best to kill terrorism from its roots, but all in vain. Instead of killing terrorism we should march towards security. Still we are not learning from our mistakes, and just because of this we are f*****. The same scenario applies to computer network security: today we are not taking any precautions, but what happens when an attack comes on the network? Every time we face the problem and pledge that next time we will do our level best, but after the event is over we forget everything. Is this the right approach? Ask yourself.
If you want to see the right approach, try to learn from the National Security Guard (NSG). The approach followed by them is really splendid. Why am I commenting on their approach? Because they first make a plan of their target and of who can be affected by it. The target is militants; in the case of computer networks the target is a virus or hacker. Civilians are affected; in the case of computer networks simple data packets will be affected. So the NSG decided to go via the roof instead of the ground floor, because they knew that militants sitting on the top storey could fire on them easily and civilians would be affected. In the same way, when the network is hacked or behaving like hell, try to think coolly; never do things in a hurry that create a mess for you later.
Another thing which we need to learn from the NSG is patience. Why am I talking about patience? Because sometimes we lose our patience during network attacks and do things blindly. So never make such mistakes during network attacks; try to collect the data. I know that at that time your network is at stake and you are the stakeholder. But mind one thing: if you are not able to get to the roots (roots can be collected in terms of data), then the same can happen at any time, and at that time you will not have any workaround. In this way a small problem may get on your nerves and take your network down for a long or short time.
One thing which I liked the most was the behaviour of the politicians, which was totally different. Instead of blaming each other, which they used to do, this time they came together as a single group with one word: the need to save India. Really a very realistic and patriotic approach. We as network operators or service providers need to follow the same approach instead of saying that my network is secure and I have nothing to do with other networks.
Now the time has come: we need to pull up the reins of security instead of fighting terror or network attacks. If you check the major incidents, they happened just because of a lack of security. So we need to design the security model in such a way that the risk of terrorism or network attacks is minimized. What we are facing today is just because of our mistakes.
At last I would like to say one thing: never fight against terror; always try to fight against security and get it implemented as soon as possible, without losing our beloved ones or computer data.


Regards
shivlu jain

Thursday, November 27, 2008

Heartbeat Port Of L2TPv3

We were seeing protocol 73 in the ip cache flow and were not able to confirm what the protocol is meant for. After googling we came to know that it is a heartbeat protocol. But then the question comes to mind: what is a heartbeat, and why is it appearing with L2TPv3? Actually it is the keepalive used by L2TPv3 to check whether the remote destination is dead or alive.
So if you are getting 73 in your cache flow there is no need to worry; simply check whether you are running L2TPv3 or not.
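The check described above, as an added example that is not part of the original post: parse flow records, name the IP protocol numbers from the IANA registry (73 is registered as CPHB, a heartbeat protocol; 115 is L2TP, which carries L2TPv3 over IP), and flag peer pairs that show protocol 73 without an L2TPv3 tunnel between the same hosts. The flow lines are constructed and simplified to "src dst protocol"; they are not the router's exact ip cache flow output.

```python
# Added example: triage of protocol 73 in flow records. The records below are
# constructed ("src dst ip-protocol"), not real "show ip cache flow" output.
IANA_PROTOCOL = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP",
                 51: "AH", 73: "CPHB (heartbeat)", 115: "L2TP"}

SAMPLE_FLOWS = """\
10.1.1.1 10.2.2.2 115
10.2.2.2 10.1.1.1 115
10.1.1.1 10.2.2.2 73
10.3.3.3 10.4.4.4 73
10.5.5.5 10.6.6.6 47
"""

def protocol_name(number):
    """Human-readable name for an IP protocol number, or a marker if unknown."""
    return IANA_PROTOCOL.get(number, f"unknown/unassigned ({number})")

def parse_flows(text):
    """Return (src, dst, protocol) tuples, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        flows.append((parts[0], parts[1], int(parts[2])))
    return flows

def triage_protocol_73(flows):
    """For every host pair exchanging protocol 73, say whether L2TPv3 over IP
    (protocol 115) is also seen between the same two hosts. A heartbeat with
    no matching tunnel is the case worth a closer look."""
    per_pair = {}
    for src, dst, proto in flows:
        per_pair.setdefault(frozenset((src, dst)), set()).add(proto)
    report = {}
    for pair, protos in per_pair.items():
        if 73 in protos:
            key = tuple(sorted(pair))
            report[key] = ("expected: l2tpv3 tunnel present" if 115 in protos
                           else "review: protocol 73 without l2tpv3")
    return report
```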


regards
shivlu jain

Wednesday, November 5, 2008

FWSM Design & Integration With 6500/7600

A big question about FWSM physical integration comes to mind: how does it work without the existence of any physical port? The given figure clearly reveals how the blade is integrated with the 7600/6500 chassis through a 6 Gigabit EtherChannel. The blade consists of network processor 1A and network processor 1B, which are further connected to network processor 2 and the bus. NP1A and NP1B can handle up to 3 million packets per second. The FWSM code processor is a software-based component which is responsible for Layer 7 protocol inspection and neighbor adjacencies, and which maintains routing information. Traffic processed by NP1A and NP1B is known as the fast path. Traffic processed by NP2 is considered the session management path, and traffic processed by the FWSM code processor is known as the slow path.

regards
shivlu jain

Wednesday, October 22, 2008

DHCP Authentication With Dot1x

How to secure a LAN so that a rogue laptop/PC does not get an IP address from DHCP is a big question mark; it is possible in wireless media, but what about wired media? The same question was asked of me a few days back, and my instant response was that DHCP does not support authentication. But I replied that we can use dot1x for wired media.
So I started a test lab with one of my colleagues and installed a domain controller with RADIUS. We used the dot1x mechanism to authenticate the PCs/laptops; after 2 days of testing we got positive results.

Advantages
1. Gets rid of man-in-the-middle attacks.
2. Dictionary attacks can be stopped with this.
3. LAN security: no one will get an IP address unless he/she has a domain username and password.

I am writing a document on this; if someone needs it urgently, kindly mail me.

Saturday, October 18, 2008

Hacking ISP With OSPF

It is always recommended not to leak information about the routing protocol running in the ISP core. Why is this said? Without the information being leaked, can someone still gain information about an ISP?
The answer is yes.
So in the attached document I have tested a scenario in which the ISP is using OSPF and one of its esteemed clients, attached to a PE, is able to access the ISP network, with major downtime as the consequence.
That is why it is recommended not to use OSPF, EIGRP, IGRP or RIP with customers; if you are using them, do it in a very secure manner. One mistake may get you kicked out of the organization.
