Tried it, great tool ;)

From: waleed ' <[email protected]>
Date: Thursday, June 7, 2012 12:25 AM
To: [email protected], Eugene Pefti <[email protected]>
Cc: CCIE Security <[email protected]>
Subject: RE: [OSL | CCIE_Security] DHCP snooping permanent vs temp binding

If you want to test ARP poisoning you can try the Cain & Abel tool.

Regards

________________________________
Date: Thu, 7 Jun 2012 14:25:14 +1000
From: [email protected]
To: [email protected]
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] DHCP snooping permanent vs temp binding

1. I think he refers to a man in the middle diverting your traffic via an ARP attack and presenting you a bogus cert which you accept, and all your "encrypted" traffic will be decrypted by the attacker. It has nothing to do with cracking SSL.

A possible scenario is you are in an Internet cafe checking your Internet bank account, going to https://mybestbank.com, and all of a sudden you are presented with a self-signed cert. It may well be one of the guys in the next cubicle launching an attack against you. :-) IT folks would probably drop that session, but those of the regular public may just click on "accept" and keep walking into the trap. :-)

A.

On 7 June 2012 12:11, Eugene Pefti <[email protected]> wrote:

Nice info. Couple of moments.

Don’t understand what ARP attack tools have to do with SSH/SSL. See page 54. The general knowledge about RSA public/private key infrastructure is that the traffic between two hosts is encrypted and it is “unfeasible” to crack/brute force it.

Second, I don’t know what switch platform was used by Yusuf (if it was Yusuf) to configure IPSG. On the 3650 switch the interface command “ip verify source vlan dhcp-snooping” doesn’t exist.

SW2(config-if)#ip verify source ?
  port-security  port security
  <cr>
SW2(config-if)#ip verify source vlan dhcp-snooping
                               ^
% Invalid input detected at '^' marker.

Eugene

From: Alexei Monastyrnyi [mailto:[email protected]]
Sent: Wednesday, June 06, 2012 6:08 PM
To: Eugene Pefti
Cc: Kingsley Charles; Mike Rojas; [email protected]
Subject: Re: [OSL | CCIE_Security] DHCP snooping permanent vs temp binding

There is a nice presentation on this put together by Yusuf.
http://www.cisco.com/web/ME/exposaudi2009/assets/docs/layer2_attacks_and_mitigation_t.pdf
Check the "building the layers" section.

A.

On 7 June 2012 08:20, Eugene Pefti <[email protected]> wrote:

I would say that IP source guard goes hand in hand with DHCP snooping. Cisco doc says (Catalyst 3650): “When IP source guard with source IP filtering is enabled on an interface, DHCP snooping must be enabled on the access VLAN for that interface”. And then they start configuring IPSG with DHCP snooping as part of it.

I tested it and my findings are that even if you have “ip source binding AAAA.BBBB.CCCC vlan XYZ XXX.XXX.XXX.XXX interface Fa0/XX” it is not active without DHCP snooping:

SW2#show ip ver source interface Fa0/6
Interface  Filter-type  Filter-mode                IP-address       Mac-address        Vlan
---------  -----------  -----------                ---------------  -----------------  ----------
Fa0/6      ip           inactive-no-snooping-vlan

I had a host obtain an IP address from the DHCP server different from the IP address used in “ip source binding” and was able to communicate.

Once I enabled DHCP snooping globally and for the specific VLAN, the IPSG feature became active and the host wasn’t able to communicate with others:

SW2#sh ip verif source inter fa0/6
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----------
Fa0/6      ip           active       174.1.255.2                         102

Eugene

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Tuesday, June 05, 2012 9:01 PM
To: Mike Rojas
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] DHCP snooping permanent vs temp binding

"ip source binding 1112.3332.2243 vlan 3 1.1.1.1 interface gi0/3" can't be used for DHCP snooping. Have you tested it? It can only be used for IPSG validation, not DHCP packet validation.

With regards
Kings

On Wed, Jun 6, 2012 at 7:35 AM, Mike Rojas <[email protected]> wrote:

I made that mistake on the test; the question clearly said, make sure it survives upon reload....

Mike

________________________________
Date: Tue, 5 Jun 2012 20:04:27 -0400
From: [email protected]
To: [email protected]
Subject: [OSL | CCIE_Security] DHCP snooping permanent vs temp binding

For DHCP snooping I learned the hard way the difference between the two commands.

The command below is done at exec level and the binding will be removed after a reload:

3560# ip dhcp snooping binding cccd.1233.3422 vlan 101 1.11.1.1 interface gi0/3

The following is permanent and will not be removed from the config or binding database after reboot:

3560(config)# ip source binding 1112.3332.2243 vlan 3 1.1.1.1 interface gi0/3

Are you able to pick the difference between the two commands? Hope this helps.
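Added example (not a message from this thread and not anyone's verified lab output): a Catalyst IOS configuration that ties together the points made above, that the static `ip source binding` survives a reload but only becomes active once DHCP snooping is enabled globally and on the access VLAN, after which IPSG on the access port enforces it. VLAN 3 and the MAC/IP/port values reuse those from the thread; the trusted uplink port, the flash filename and the use of the snooping database agent are assumptions.

```cisco
! --- global: DHCP snooping must be on, and on the access VLAN, otherwise the
! --- static binding below shows Filter-mode "inactive-no-snooping-vlan"
ip dhcp snooping
ip dhcp snooping vlan 3
!
! --- optional (assumed here): write learned bindings to flash so they are
! --- restored after a reload; filename is a placeholder
ip dhcp snooping database flash:/dhcp-snoop.db
!
! --- uplink toward the DHCP server is trusted; access ports stay untrusted
! --- (uplink port number is an assumption)
interface GigabitEthernet0/1
 description uplink-to-dhcp-server
 ip dhcp snooping trust
!
! --- static entry: part of running-config, survives reload, used by IPSG only
ip source binding 1112.3332.2243 vlan 3 1.1.1.1 interface GigabitEthernet0/3
!
! --- the protected access port: IP source guard with IP filtering only
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 3
 ip verify source
!
end
!
! --- verification from exec mode: Filter-mode should now read "active"
show ip verify source interface GigabitEthernet0/3
show ip source binding
show ip dhcp snooping binding
```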
--
FNK
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
