I can see your planning skills aren't as good as the consultant's
should be. I'll let you ponder why while you go over your scenario...
(you made a fundamental mistake in step 1)
--
Marko Milivojevic - CCIE #18427
Senior Technical Instructor - IPexpert

YES! We include 400 hours of REAL rack time with our Blended Learning Solution!

Mailto: markom_at_ipexpert.com
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Web: http://www.ipexpert.com/

On Mon, Mar 29, 2010 at 18:33, Luan Nguyen <luan_at_netcraftsmen.net> wrote:
> Here's a CCDE scenario:
>
> Marko Inc has ~1000 employees. It is in need of protection against rogue DHCP servers. You are a consultant. After lots of planning and staging and brainstorming and BSing...etc...you decide:
>
> 1) Just turn DAI on
> 2) Turn DAI with DHCP snooping on
> 3) Turn DAI with ARP ACL
> 4) Call CNC LLC.
>
> Choose: all of the above, one, two, three, four, five of the above.
>
> To ensure proper implementation, you call up a super awesome consulting firm, CNC, LLC, and ask for their advice. One of their consultants, me, told you that DAI protects against MITM attacks. For protection against rogue DHCP servers, you would just need DHCP snooping. Being through very careful planning and all, you just nod...whatever, just give. So he says:
>
> 1) Since DAI relies on the DHCP snooping binding database to verify IP-to-MAC, turn on DHCP snooping first to protect against rogue DHCP servers and build the database information. Remember to touch/create the appropriate tftp files on your tftp server first so DHCP snooping can write to them, then turn on DAI later once you have the info to check against.
> 2) Ask for a maintenance window and force shut/no shut interface ranges and turn on DAI
> 3) Befriend your network admins and ask them to write you a script to force all DHCP /renew on Windows versions/Linux...etc and turn on DAI
> 4) (3) during a maintenance window
> 5) Export network DHCP lease information, cross reference with mac-address-table and write a script according to "ip dhcp snooping binding X.X.X vlan xx x.x.x.x interface fax/x expiry xxxx" and turn DAI on.
> 6) Find out statically assigned IP addresses and DAI trust those ports.
>
> Choose: all of the above, one, two, three, four, five of the above.
>
> After turning on DAI, you start receiving lots of phone calls regarding network connectivity. The owner Mister M said the new policy won't tolerate no connectivity for more than 30 seconds. You:
>
> 1) Look at the log for clues
> 2) Do something - write your answer here
> 3) Write an EEM script to do that
> 4) Do something else that is easier
> 5) Create accounts for Marko employees and teach them how to enable themselves
> 6) Quit and go work at McDonald's.
> 7) Quit and go work at (fill in)
>
> If you chose (6) and live in Chicago, I have a $1.50 CTA card for one of you lucky souls! :)
>
> -Luan
>
>
> -----Original Message-----
> From: Marko Milivojevic [mailto:markom_at_ipexpert.com]
> Sent: Friday, March 26, 2010 2:25 PM
> To: Luan Nguyen
> Cc: Narbik Kocharians; ccielab_at_groupstudy.com
> Subject: Re: Protection against Man-in -d -middle attack
>
> On Fri, Mar 26, 2010 at 18:17, Luan Nguyen <luan_at_netcraftsmen.net> wrote:
>> Here's a question for redemption:
>> What is the best way to turn on DAI on a production network?
>
> Very carefully, with a lot of planning and in stages. Anything else is
> just asking for trouble ;-)
>
> --
> Marko Milivojevic - CCIE #18427
> Senior Technical Instructor - IPexpert
>
> YES! We include 400 hours of REAL rack time with our Blended Learning Solution!
>
> Mailto: markom_at_ipexpert.com
> Telephone: +1.810.326.1444
> Fax: +1.810.454.0130
> Web: http://www.ipexpert.com/

Received on Mon Mar 29 2010 - 19:03:57 ART
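Option 5 of Luan's second list (export the DHCP leases, cross-reference them with the MAC address table, and pre-seed the snooping binding database before DAI is switched on) is the step most likely to be scripted. The following is an added example, not code from anyone in this thread; it assumes a constructed CSV lease export of the form ip,mac,seconds-remaining and uses constructed `show mac address-table dynamic` output, and it reports leases whose MAC was never learned on a port, since those hosts would have no binding for DAI to validate.

```python
"""Generate 'ip dhcp snooping binding' commands (step 5 above) from a DHCP lease
export cross-referenced with 'show mac address-table dynamic' output."""
import re
# Constructed sample lease export; assumed CSV columns: ip,mac,seconds-remaining
LEASES_CSV = """\
10.1.10.21,00:11:22:33:44:55,86400
10.1.10.22,00:11:22:33:44:66,3600
10.1.10.23,00:11:22:33:44:77,7200
"""

# Constructed sample of 'show mac address-table dynamic' output (header trimmed)
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
  10    0011.2233.4455    DYNAMIC     Fa0/1
  10    0011.2233.4466    DYNAMIC     Fa0/2
  20    0011.2233.4488    DYNAMIC     Fa0/3
"""

def to_cisco_mac(mac):
    """Normalise aa:bb:cc:dd:ee:ff / aa-bb-... / aabb.ccdd.eeff to aabb.ccdd.eeff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def parse_mac_table(text):
    """Map MAC -> (vlan, port) for DYNAMIC entries only."""
    rx = re.compile(r"^\s*(\d+)\s+([0-9a-f.]{14})\s+DYNAMIC\s+(\S+)", re.I)
    found = {}
    for line in text.splitlines():
        m = rx.match(line)
        if m:
            found[to_cisco_mac(m.group(2))] = (int(m.group(1)), m.group(3))
    return found

def build_bindings(leases_csv, mac_table_text):
    """Return (commands, unmatched) for the leases in leases_csv."""
    learned = parse_mac_table(mac_table_text)
    commands, unmatched = [], []
    for row in leases_csv.splitlines():
        ip, mac, expiry = (f.strip() for f in row.split(","))
        mac = to_cisco_mac(mac)
        if mac not in learned:          # host never seen: DAI would drop its ARP
            unmatched.append((ip, mac))
            continue
        vlan, port = learned[mac]
        commands.append(f"ip dhcp snooping binding {mac} vlan {vlan} {ip} "
                        f"interface {port} expiry {expiry}")
    return commands, unmatched
```

The unmatched list is the part worth reading before the change window: every host on it will be unable to pass DAI validation until it renews its lease or is covered by a static binding or trusted port.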