Resnet Enhancements and Directions Part 1, Bruce Campbell, Information Systems and Technology Overview The challenge - delivering internet access to 5,000 people... and keeping it manageable and secure IP, ARP, DHCP, fundamentally insecure Residence Network 10 years ago Residence Network 1 year ago Today Tomorrow Applications to the rest of campus Other network security features of possible interest Resnet a separate network – physically and logically The challenge Large number of users (>5000) Large number of new users each year IP/ARP/DHCP security weaknesses Staticly configured potential for lots of errors Dynamically configured trust DHCP = shouting “who am I” to a crowd ARP = shouting “who can I trust” to a crowd Static IP = letting everyone print their own photo ID. Oops ! Resnet Equipment Early Days Cisco 5505 routers Cisco 3500xl aggregation Cisco 1900 edge Resnet System Early Days Turn off ARP learning on router MAC address lockdown on switches Locally developed system which: Detects when a new resnet computer is connected Adds its MAC address to static DHCP Adds a static ARP entry to router Plus Nmap scans to find rogue DHCP servers Web based tools to manage/monitor Issues MAC lockdown requires manual intervention if users change computers, end of term, etc Process to detect new computers and add to static DHCP misses some occasionally, particularly at start of term Rogue DHCP servers are detected, but not disabled (immediately) Lots of custom code to maintain Upgrades 2007 Network gear upgraded to Procurve 5406zl routers, and Procurve 2650 switches Security features on new network gear Dhcp snooping ARP protection Static ARP tables, and nmap scans for rogue DHCP can be eliminated MAC address lockdown is maintained System to manage static DHCP is also maintained DHCP snooping dhcp-snooping dhcp-snooping authorized-server 129.97.x.10 dhcp-snooping authorized-server 129.97.x.11 dhcp-snooping database file tftp://129.97.x.y/filename dhcp-snooping vlan 240 interface 49 dhcp-snooping trust exit interface 50 dhcp-snooping trust exit This blocks rogue DHCP servers, and tracks DHCP bindings ARP Protection arp-protect arp-protect trust 49-50 arp-protect validate src-mac dest-mac ip arp-protect vlan 240 This uses the DHCP bindings from DHCP snooping, and blocks rogue ARP responses. The combination of DHCP snooping and ARP protection: Forces clients to use DHCP (blocks hard coded machine) Blocks rogue DHCP servers Forces clients to use the DHCP issued IP address Issues Still have MAC address lock down, manual intervention needed occasionally, and at term start/end. Still need a system to maintain static DHCP. System still misses new resnet computers occasionally The system only supports a single MAC address per port. 2008 Aruba wifi deployed throughout Housing residences. 60% of the APs use existing wiring. VoIP phones deployed for Dons. They use existing wiring also. This puts 2 MAC addresses on the same port, for ports serving APs or phones. Wifi new way of looking at things: Short lease times, users don’t always get the same IP Users can move around, IP/MAC doesn’t stay in the same place. Why enforce MAC lockdown, and static IP/MAC bindings on wired, when it isn’t enforced on wireless ? Fall 2008 Dynamic DHCP for wired resnet Pair of conventional DHCP servers installed. Consistent with main campus DHCP servers (Sun V240). Dynamic IP ranges for all wired resnet subnets. 1 day lease time. DHCP settings to prevent a single MAC from leasing multiple IPs at the same time. New tools (ona). Includes dynamic IP trace. Supports multiple MACs per port for phones and APs. MAC address lockdown retained, but management tools simplified, some processes automated. The Result By: Leveraging vendor capability Reviewing how things are done Operating DHCP in a conventional way We have: Reduced the number of custom systems IST maintains Reduced workload for Resnet staff Created a more flexible residence network environment Improved service for the user ! There’s more to MAC address lockdown than… port-security 1 learn-mode static … port-security 1 learn-mode configured mac-address 00:11:22:33:44:55 port-security 1 learn-mode limited-continuous and others “limited-continuous” limits the port to 1 address at a time, uses normal learning/aging process, no manual intervention needed to clear address. - Ona queries ARP tables in routers every 15 minutes, saves, and logs all changes - Queries secure MAC tables (locked in MAC addresses) every hour, saves, and logs all changes Ona logs all operator “ClearMac” functions (removals of secure MAC addresses) Ona logs all “intrusions” (MAC address violation on locked port) Intrusions are shown in red in Mac MACs field Other related ona features Allows all logs to be viewed and searched Allows setting the MAC address limit (static learn mode only, supported) Clears all resnet secure MAC addresses at term end, automatically. Resnet ona guide covers it all https://strobe.uwaterloo.ca/~twiki/bin/view/ISTNS /ResnetOnaGuide Other features of interest - MAC authentication Uses RADIUS to set the vlan on a port, based on the MAC address. Allows for a default VLAN. So what ? Set the default vlan equal to the Aruba captive portal vlan Put registered MAC addresses from Maintain into their correct vlan for their subnet. Plug in an unknown computer, you get captive portal. Plug in a known computer, it gets its fixed address. Could simplify moves/adds/changes (We haven’t tested this) Other features of interest – dynamic IP lockdown We have tested this Takes ARP protection up a notch Restricts all IP activity (not just ARPs) based on the DHCP assigned IP address. Unfortunately only supports one MAC/IP per port. Next steps on resnet Possible use of limited-continuous MAC security, would allow students to change computers without visiting help desk. May require a shorter lease Would require a traffic shaper that was aware of MAC/IP changes. Other network features – time permitting https://strobe.uwaterloo.ca/~twiki/bin/view/CNAG /ProcurveSecurityFeaturesOfPossibleInterest Anti peer to peer settings. Prevents ports in same vlan from communicating with each other. Add local proxy arp, and it allows peer to peer, but always through router, where ACLs, sflow, etc, are available. Tunneled mirroring. Potential use for remote troubleshooting.