Re: Protection against Man-in -d -middle attack

From: Ronnie Angello <ronnie.angello_at_gmail.com>
Date: Mon, 29 Mar 2010 15:29:31 -0400

I think that you guys should take this offline. Perhaps meet and
discuss over pizza and bonbons. ;)

On Mon, Mar 29, 2010 at 3:22 PM, Luan Nguyen <luan_at_netcraftsmen.net> wrote:
> Are you suggesting I quit the consulting business and go teach? Hehe
> It's hard to catch your own mistake. You have to spit it out, Marko. I'll give you the CTA card if you go to Chicago?
>
> -Luan
>
> -----Original Message-----
> From: Marko Milivojevic [mailto:markom_at_ipexpert.com]
> Sent: Monday, March 29, 2010 3:04 PM
> To: Luan Nguyen
> Cc: Narbik Kocharians; ccielab_at_groupstudy.com
> Subject: Re: Protection against Man-in -d -middle attack
>
> I can see your planning skills aren't as good as the consultant's
> should be. I'll let you ponder why while you go over your scenario...
>
> ( you made a fundamental mistake in step 1 )
>
> --
> Marko Milivojevic - CCIE #18427
> Senior Technical Instructor - IPexpert
>
> YES! We include 400 hours of REAL rack
> time with our Blended Learning Solution!
>
> Mailto: markom_at_ipexpert.com
> Telephone: +1.810.326.1444
> Fax: +1.810.454.0130
> Web: http://www.ipexpert.com/
>
> On Mon, Mar 29, 2010 at 18:33, Luan Nguyen <luan_at_netcraftsmen.net> wrote:
>> Here's a CCDE scenario:
>>
>> Marko Inc has ~1000 employees. It is in need of protection against rogue DHCP servers. You are a consultant. After lots of planning and staging and brainstorming and BSing...etc., you decide:
>>
>> 1) Just turn DAI on
>> 2) Turn DAI with DHCP snooping on
>> 3) Turn DAI with ARP ACL
>> 4) Call CNC LLC.
>>
>> Choose: all of the above; one, two, three, four, or five of the above.
>>
>> To ensure proper implementation, you call up a super awesome consulting firm, CNC, LLC, and ask for their advice. One of their consultants, me, told you that DAI protects against MITM attacks. For protection against rogue DHCP servers, you would just need DHCP snooping. Having been through very careful planning and all, you just nod...whatever, just give. So he says:
>>
>> 1) Since DAI relies on the DHCP snooping binding database to verify IP-to-MAC, turn on DHCP snooping first to protect against rogues and build the database information. Remember to touch/create the appropriate TFTP files on your TFTP server first so DHCP snooping can write to them, then turn on DAI later once you have the info to check against.
>> 2) Ask for a maintenance window, force shut/no shut on interface ranges, and turn on DAI
>> 3) Befriend your network admins and ask them to write you a script to force a DHCP /renew on all Windows versions/Linux...etc., and turn on DAI
>> 4) (3) during a maintenance window
>> 5) Export the network DHCP lease information, cross-reference it with the mac-address-table, write a script according to "ip dhcp snooping binding X.X.X vlan xx x.x.x.x interface fax/x expiry xxxx", and turn DAI on.
>> 6) Find out the statically assigned IP addresses and DAI-trust those ports.
>>
>> Choose: all of the above; one, two, three, four, or five of the above.
>>
>> After turning on DAI, you start receiving lots of phone calls regarding network connectivity. The owner, Mister M, said the new policy won't tolerate a loss of connectivity for more than 30 seconds. You:
>>
>> 1) Look at the log for clues
>> 2) Do something - write your answer here
>> 3) Write an EEM script to do that
>> 4) Do something else that is easier
>> 5) Create accounts for Marko employees and teach them how to enable themselves
>> 6) Quit and go work at McDonald's.
>> 7) Quit and go work at (fill in)
>>
>> If you choose (6) and live in Chicago, I have a $1.50 CTA card for one of you lucky souls! :)
>>
>> -Luan
>>
>>
>> -----Original Message-----
>> From: Marko Milivojevic [mailto:markom_at_ipexpert.com]
>> Sent: Friday, March 26, 2010 2:25 PM
>> To: Luan Nguyen
>> Cc: Narbik Kocharians; ccielab_at_groupstudy.com
>> Subject: Re: Protection against Man-in -d -middle attack
>>
>> On Fri, Mar 26, 2010 at 18:17, Luan Nguyen <luan_at_netcraftsmen.net> wrote:
>>> Here's a question for redemption:
>>> What is the best way to turn on DAI on a production network?
>>
>> Very carefully, with a lot of planning and in stages. Anything else is
>> just asking for trouble ;-)
>>
>> --
>> Marko Milivojevic - CCIE #18427
>> Senior Technical Instructor - IPexpert
>>
>> YES! We include 400 hours of REAL rack
>> time with our Blended Learning Solution!
>>
>> Mailto: markom_at_ipexpert.com
>> Telephone: +1.810.326.1444
>> Fax: +1.810.454.0130
>> Web: http://www.ipexpert.com/
>>
>

-- 
Ronald Angello
Network Architect
CCIE 17846
CCDP, CCIP, CCNP
Blogs and organic groups at http://www.ccie.net
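Step 5 of Luan's scenario (export the DHCP leases, cross-reference them with the MAC address table, and generate `ip dhcp snooping binding` statements) is the part most people script by hand, so here is an added example of that script. It is not code from the thread or from any of the posters; the lease export format (a CSV with ip, mac and expires_in_seconds columns) and the `show mac address-table dynamic` layout are assumptions, and all sample data is constructed. Leases whose MAC does not appear on the switch are reported separately, because those hosts get no binding and DAI will drop their ARP until they renew, which is exactly the connectivity-loss complaint in the scenario.

```python
"""Build static DHCP snooping bindings from a lease export plus a
`show mac address-table` capture (added example, not from the thread).

Assumptions (not from the original message):
  - the lease export is CSV with header ip,mac,expires_in_seconds
  - the MAC table text is in Catalyst `show mac address-table dynamic` layout
  - the port in the MAC table is the access port where the host lives
All sample data below is constructed for illustration.
"""
import csv
import io
import re

# Constructed sample: DHCP server lease export (CSV).
LEASE_EXPORT = """ip,mac,expires_in_seconds
10.1.10.21,00:11:22:33:44:55,86400
10.1.10.22,00:11:22:33:44:66,3600
10.1.20.7,AA-BB-CC-DD-EE-FF,7200
"""

# Constructed sample: Catalyst "show mac address-table dynamic" output.
# Note that 0011.2233.4466 (second lease) is absent, as a quiet host would be.
MAC_TABLE = """          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/1
  10    0011.2233.4477    DYNAMIC     Fa0/2
  20    aabb.ccdd.eeff    DYNAMIC     Fa0/10
Total Mac Addresses for this criterion: 3
"""

# One data row of the MAC table: vlan, H.H.H mac, type, port.
MAC_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I
)


def normalize_mac(mac):
    """Return the MAC in Cisco H.H.H form, whatever separator the source used."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))


def parse_mac_table(text):
    """Map H.H.H MAC -> (vlan, port); header and summary lines do not match."""
    table = {}
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            table[m.group(2).lower()] = (int(m.group(1)), m.group(3))
    return table


def parse_leases(text):
    """Yield (ip, normalized mac, expiry seconds) tuples from the CSV export."""
    for row in csv.DictReader(io.StringIO(text)):
        yield row["ip"], normalize_mac(row["mac"]), int(row["expires_in_seconds"])


def build_bindings(lease_csv, mac_table_text):
    """Return (config_lines, unmatched).

    config_lines are the IOS statements to paste before enabling DAI;
    unmatched lists leases with no MAC-table hit, i.e. hosts that will
    fail DAI validation until they renew their lease.
    """
    table = parse_mac_table(mac_table_text)
    config, unmatched = [], []
    for ip, mac, expiry in parse_leases(lease_csv):
        entry = table.get(mac)
        if entry is None:
            unmatched.append((ip, mac))
            continue
        vlan, port = entry
        config.append(
            f"ip dhcp snooping binding {mac} vlan {vlan} {ip} "
            f"interface {port} expiry {expiry}"
        )
    return config, unmatched


if __name__ == "__main__":
    lines, missing = build_bindings(LEASE_EXPORT, MAC_TABLE)
    print("\n".join(lines))
    for ip, mac in missing:
        print(f"! no MAC-table entry for {ip} ({mac}); host needs a DHCP renew before DAI")
```

The unmatched list is the thing to review before the maintenance window: a host that has not transmitted recently is simply not in the MAC table, and adding no binding for it means DAI will block it. Combining this script with step 3 (force renewals) closes that gap, and static-IP hosts found in the unmatched list are candidates for step 6 rather than for a binding.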
Received on Mon Mar 29 2010 - 15:29:31 ART

This archive was generated by hypermail 2.2.0 : Thu Apr 01 2010 - 07:26:36 ART