Here's a CCDE scenario:
Marko Inc has ~1000 employees. It is in need of protection against rogue DHCP servers. You are a consultant. After lots of planning and staging and brainstorming and BSing...etc...you decide:
1) Just turn DAI on
2) Turn on DAI with DHCP snooping
3) Turn on DAI with an ARP ACL
4) Call CNC LLC.
Choose: all of the above, or one, two, three, four, five of the above.
To ensure proper implementation, you call up a super awesome consulting firm, CNC, LLC, and ask for their advice. One of their consultants, me, tells you that DAI protects against MITM attacks. For protection against rogue DHCP servers, you would just need DHCP snooping. Having been through very careful planning and all, you just nod...whatever, just give. So he says:
1) Since DAI relies on the DHCP snooping binding database to verify IP-to-MAC bindings, turn on DHCP snooping first to protect against rogue servers and build the database. Remember to touch/create the appropriate TFTP file on your TFTP server first so DHCP snooping can write to it, then turn on DAI later once you have the information to check against.
2) Ask for a maintenance window, force a shut/no shut on the interface ranges, and turn on DAI
3) Befriend your network admins and ask them to write you a script that forces a DHCP /renew on all Windows/Linux/etc. hosts, then turn on DAI
4) (3) during a maintenance window
5) Export the network's DHCP lease information, cross-reference it with the mac-address-table, write a script that generates "ip dhcp snooping binding X.X.X vlan xx x.x.x.x interface fax/x expiry xxxx" entries, and turn DAI on.
6) Find out which hosts have statically assigned IP addresses and DAI-trust those ports.
Choose: all of the above, or one, two, three, four, five of the above.
After turning on DAI, you start receiving lots of phone calls regarding network connectivity. The owner, Mister M, says the new policy won't tolerate a loss of connectivity for more than 30 seconds. You:
1) Look at the logs for clues
2) Do something - write your answer here
3) Write an EEM script to do that
4) Do something else that is easier
5) Create accounts for Marko employees and teach them how to enable themselves
6) Quit and go work at McDonald's.
7) Quit and go work at (fill in)
If you chose (6) and live in Chicago, I have a $1.50 CTA card for one lucky soul! :)
-Luan
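An added example, not part of the original post or of Luan's/CNC's own tooling: the script that option (5) above describes, built from constructed sample data. It parses a DHCP lease export (assumed here to be a CSV of ip,mac,lease_end_epoch; real DHCP servers export differently) and the output of "show mac address-table", emits one "ip dhcp snooping binding ... expiry" line per host that is both leased and seen on a port, and separately lists the hosts a practitioner must look at before enabling DAI: expired leases, leased MACs not on this switch, and MACs on a port with no lease at all (the statically addressed hosts of option 6, which DAI will drop unless the port is trusted or an ARP ACL covers them). The TFTP URL, interface names and timestamps are assumptions. Note that the binding lines are privileged EXEC commands, not configuration, so they are printed apart from the staged config.

```python
"""Added example: generate DHCP snooping static bindings for a DAI rollout.
Cross-references a DHCP lease export with 'show mac address-table' output.
All sample data below is constructed; the lease export layout, TFTP URL and
interface names are assumptions, not something the mailing-list post specifies."""
import re

# Constructed DHCP server export, assumed CSV layout: ip,mac,lease_end_epoch
LEASE_EXPORT = """\
# ip,mac,lease_end_epoch
10.10.20.11,00:11:22:33:44:55,1269900000
10.10.20.12,00-11-22-33-44-66,1269903600
10.10.20.13,00:11:22:33:44:77,1269907200
10.10.20.14,00:11:22:33:44:00,1269890000
"""

# Constructed 'show mac address-table' output for VLAN 20 on one access switch
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0011.2233.4455    DYNAMIC     Fa0/1
  20    0011.2233.4466    DYNAMIC     Fa0/2
  20    0011.2233.4499    DYNAMIC     Fa0/3
  20    0011.2233.4400    DYNAMIC     Fa0/4
  20    0011.2233.4488    STATIC      Fa0/24
"""

NOW_EPOCH = 1269896400  # constructed "current time" for computing remaining lease seconds

# Matches data rows only; header/separator lines do not start with a VLAN number.
MAC_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)",
                     re.IGNORECASE)


def normalize_mac(mac):
    """Turn 00:11:22:33:44:55 / 00-11-22-33-44-55 / 0011.2233.4455 into IOS dotted form."""
    hexdigits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(hexdigits) != 12:
        raise ValueError("bad MAC: %r" % mac)
    return ".".join(hexdigits[i:i + 4] for i in (0, 4, 8))


def parse_leases(text):
    """Map normalized MAC -> (ip, lease_end_epoch); comment and blank lines are skipped."""
    leases = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ip, mac, end = [f.strip() for f in line.split(",")]
        leases[normalize_mac(mac)] = (ip, int(end))
    return leases


def parse_mac_table(text):
    """Map normalized MAC -> (vlan, port) from 'show mac address-table' rows."""
    table = {}
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            table[m.group(2).lower()] = (int(m.group(1)), m.group(3))
    return table


def build_bindings(leases, mac_table, now):
    """Emit one 'ip dhcp snooping binding' line per leased host seen on a port,
    and collect the cases that need a human before DAI goes on."""
    result = {"commands": [], "expired": [], "no_port": [], "no_lease": []}
    for mac, (ip, end) in leases.items():
        if mac not in mac_table:          # leased, but not on this switch
            result["no_port"].append(mac)
            continue
        remaining = end - now             # 'expiry' takes seconds from now
        if remaining <= 0:                # a dead lease would age out immediately
            result["expired"].append(mac)
            continue
        vlan, port = mac_table[mac]
        result["commands"].append(
            "ip dhcp snooping binding %s vlan %d %s interface %s expiry %d"
            % (mac, vlan, ip, port, remaining))
    # On a port but never leased: likely static IP, will fail DAI without trust/ARP ACL
    result["no_lease"] = sorted(m for m in mac_table if m not in leases)
    return result


def rollout_commands(vlan, uplinks, db_url="tftp://10.10.0.5/dhcp-snoop.db"):
    """Staged global config in the post's order: snooping and its database agent
    first, trusted uplinks, DAI last. db_url is an assumed example; the file
    must already exist on the TFTP server for the switch to write to it."""
    cfg = ["ip dhcp snooping", "ip dhcp snooping vlan %d" % vlan,
           "ip dhcp snooping database %s" % db_url]
    for intf in uplinks:
        cfg += ["interface %s" % intf, " ip dhcp snooping trust", " ip arp inspection trust"]
    cfg.append("ip arp inspection vlan %d" % vlan)
    return cfg


if __name__ == "__main__":
    found = build_bindings(parse_leases(LEASE_EXPORT), parse_mac_table(MAC_TABLE), NOW_EPOCH)
    print("\n".join(rollout_commands(20, ["Gi0/1"])))
    print("! privileged EXEC, not config mode:")
    print("\n".join(found["commands"]))
    for key in ("expired", "no_port", "no_lease"):
        print("! review %s: %s" % (key, ", ".join(found[key]) or "none"))
```

Run it as-is and it prints the staged config, the binding commands to paste in privileged EXEC after snooping is on, and the three review lists. The point of the lists is that DAI validates against the binding table only: any host that is not in it (a static-IP server, a lease that ran out between export and paste, a host behind a switch you did not export from) is exactly where the "30 seconds of no connectivity" phone calls come from.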
-----Original Message-----
From: Marko Milivojevic [mailto:markom_at_ipexpert.com]
Sent: Friday, March 26, 2010 2:25 PM
To: Luan Nguyen
Cc: Narbik Kocharians; ccielab_at_groupstudy.com
Subject: Re: Protection against Man-in -d -middle attack
On Fri, Mar 26, 2010 at 18:17, Luan Nguyen <luan_at_netcraftsmen.net> wrote:
> Here's a question for redemption:
> What is the best way to turn on DAI on a production network?
Very carefully, with a lot of planning and in stages. Anything else is
just asking for trouble ;-)
--
Marko Milivojevic - CCIE #18427
Senior Technical Instructor - IPexpert
YES! We include 400 hours of REAL rack time with our Blended Learning Solution!
Mailto: markom_at_ipexpert.com
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Web: http://www.ipexpert.com/

Received on Mon Mar 29 2010 - 14:33:40 ART
This archive was generated by hypermail 2.2.0 : Thu Apr 01 2010 - 07:26:36 ART