Resnet Enhancements and Directions

advertisement
Resnet Enhancements and Directions
Part 1, Bruce Campbell, Information Systems and Technology
Overview
 The challenge - delivering internet access to 5,000
people... and keeping it manageable and secure
 IP, ARP, DHCP, fundamentally insecure






Residence Network 10 years ago
Residence Network 1 year ago
Today
Tomorrow
Applications to the rest of campus
Other network security features of possible interest
Resnet
a separate network – physically
and logically
The challenge
 Large number of users (>5000)
 Large number of new users each year
 IP/ARP/DHCP security weaknesses
 Staticly configured  potential for lots of errors
 Dynamically configured  trust
 DHCP = shouting “who am I” to a crowd
 ARP = shouting “who can I trust” to a crowd
 Static IP = letting everyone print their own photo
ID.
Oops !
Resnet Equipment
Early Days
 Cisco 5505 routers
 Cisco 3500xl aggregation
 Cisco 1900 edge
Resnet System
Early Days
 Turn off ARP learning on router
 MAC address lockdown on switches
 Locally developed system which:
 Detects when a new resnet computer is connected
 Adds its MAC address to static DHCP
 Adds a static ARP entry to router
 Plus
 Nmap scans to find rogue DHCP servers
 Web based tools to manage/monitor
Issues
 MAC lockdown requires manual intervention if
users change computers, end of term, etc
 Process to detect new computers and add to static
DHCP misses some occasionally, particularly at
start of term
 Rogue DHCP servers are detected, but not disabled
(immediately)
 Lots of custom code to maintain
Upgrades
2007
 Network gear upgraded to Procurve 5406zl
routers, and Procurve 2650 switches
 Security features on new network gear
 Dhcp snooping
 ARP protection
 Static ARP tables, and nmap scans for rogue DHCP
can be eliminated
 MAC address lockdown is maintained
 System to manage static DHCP is also maintained
DHCP snooping
dhcp-snooping
dhcp-snooping authorized-server 129.97.x.10
dhcp-snooping authorized-server 129.97.x.11
dhcp-snooping database file tftp://129.97.x.y/filename
dhcp-snooping vlan 240
interface 49
dhcp-snooping trust
exit
interface 50
dhcp-snooping trust
exit
 This blocks rogue DHCP servers, and tracks DHCP bindings
ARP Protection
arp-protect
arp-protect trust 49-50
arp-protect validate src-mac dest-mac ip
arp-protect vlan 240
 This uses the DHCP bindings from DHCP snooping, and blocks
rogue ARP responses.
 The combination of DHCP snooping and ARP protection:
 Forces clients to use DHCP (blocks hard coded machine)
 Blocks rogue DHCP servers
 Forces clients to use the DHCP issued IP address
Issues
 Still have MAC address lock down, manual
intervention needed occasionally, and at term
start/end.
 Still need a system to maintain static DHCP.
 System still misses new resnet computers
occasionally
 The system only supports a single MAC address
per port.
2008
 Aruba wifi deployed throughout Housing residences. 60% of
the APs use existing wiring.
 VoIP phones deployed for Dons. They use existing wiring
also.
 This puts 2 MAC addresses on the same port, for ports
serving APs or phones.
 Wifi  new way of looking at things:
 Short lease times, users don’t always get the same IP
 Users can move around, IP/MAC doesn’t stay in the same place.
 Why enforce MAC lockdown, and static IP/MAC bindings on
wired, when it isn’t enforced on wireless ?
Fall 2008
Dynamic DHCP for wired resnet
 Pair of conventional DHCP servers installed. Consistent with
main campus DHCP servers (Sun V240).
 Dynamic IP ranges for all wired resnet subnets.
 1 day lease time.
 DHCP settings to prevent a single MAC from leasing multiple
IPs at the same time.
 New tools (ona). Includes dynamic IP trace.
 Supports multiple MACs per port for phones and APs.
 MAC address lockdown retained, but management tools
simplified, some processes automated.
The Result
By:
 Leveraging vendor capability
 Reviewing how things are done
 Operating DHCP in a conventional way
We have:




Reduced the number of custom systems IST maintains
Reduced workload for Resnet staff
Created a more flexible residence network environment
Improved service for the user !
There’s more to MAC address
lockdown than…
port-security 1 learn-mode static
…
port-security 1 learn-mode configured mac-address 00:11:22:33:44:55
port-security 1 learn-mode limited-continuous


and others
“limited-continuous” limits the port to 1 address
at a time, uses normal learning/aging process, no
manual intervention needed to clear address.
- Ona queries ARP tables in routers every 15
minutes, saves, and logs all changes
- Queries secure MAC tables (locked in MAC
addresses) every hour, saves, and logs all
changes
Ona logs all operator
“ClearMac” functions (removals
of secure MAC addresses)
Ona logs all “intrusions” (MAC
address violation on locked
port)
Intrusions are shown in red in
Mac MACs field
Other related ona features
 Allows all logs to be viewed and searched
 Allows setting the MAC address limit (static learn
mode only, supported)
 Clears all resnet secure MAC addresses at term
end, automatically.
Resnet ona guide
covers it all
 https://strobe.uwaterloo.ca/~twiki/bin/view/ISTNS
/ResnetOnaGuide
Other features of interest
- MAC authentication
 Uses RADIUS to set the vlan on a port, based on the MAC
address. Allows for a default VLAN.
 So what ?
 Set the default vlan equal to the Aruba captive portal vlan
 Put registered MAC addresses from Maintain into their correct
vlan for their subnet.
 Plug in an unknown computer, you get captive portal.
 Plug in a known computer, it gets its fixed address.
 Could simplify moves/adds/changes
 (We haven’t tested this)
Other features of interest –
dynamic IP lockdown
 We have tested this
 Takes ARP protection up a notch
 Restricts all IP activity (not just ARPs) based on
the DHCP assigned IP address.
 Unfortunately only supports one MAC/IP per port.
Next steps on resnet
 Possible use of limited-continuous MAC security,
would allow students to change computers without
visiting help desk.
 May require a shorter lease
 Would require a traffic shaper that was aware of
MAC/IP changes.
Other network features –
time permitting
 https://strobe.uwaterloo.ca/~twiki/bin/view/CNAG
/ProcurveSecurityFeaturesOfPossibleInterest
 Anti peer to peer settings. Prevents ports in same
vlan from communicating with each other. Add
local proxy arp, and it allows peer to peer, but
always through router, where ACLs, sflow, etc, are
available.
 Tunneled mirroring. Potential use for remote
troubleshooting.
Download