
| Subject: | Re: PortFast Question |
|---|---|
| Date: | Mon, 27 Sep 2004 17:03:09 -0400 |
Josh Sukol wrote:

> I am running a small network using four Cisco Catalyst 2950 switches. I am in the process of configuring a new software package that uses some proprietary hardware that connects to the network via Ethernet. When plugged into the network the device would connect for a minute or two and then connectivity would drop (i.e. ping would fail, and the light on the switch would turn from green to amber). This pattern continued for as long as the device was plugged into the network. The cabling was checked and tested with other equipment and there were no other problems.
>
> After trying several other things I eventually started changing the Ethernet port settings on the switch itself and found that by enabling PortFast the device functioned fine. I have found very little information about PortFast security issues. I was able to find and did read up on PortFast BPDU guard and potential DoS using malformed packets. Are there any other security issues that affect me enabling PortFast on specific ports that connect back to a single device? Are there any other ways to solve this problem that might allow me to sidestep these potential security issues altogether?
>
> - Slightly Off Topic - If anyone knows why this behavior occurs and why enabling PortFast fixes the connectivity issue I would be very interested to hear an explanation.

The only potential security problems are:

2. Implementation flaws (usually DoS, which you noted above already).

Ok, so what PortFast, the wonder Cisco (TM) technology, does is bypass Spanning Tree's normal mode of blocking, learning and then forwarding for a host device. (Spanning Tree is the nifty Layer 2 stuff that blocks loops in your network but still allows redundant connections; when the active link goes down it switches on the blocked one if applicable, keeping things flowing on your network even though part of it failed. So it protects against idiots who would create loops and uses your useful redundancies effectively.) The "host device" can even be, though it ain't recommended, a hub or switch of only hosts that is never going to get plugged in twice. Better to not enable PortFast any time you see multiple MACs from a port unless you know A) they're all from one machine, or B) you have absolute confidence in and control of that hub or switch and will never run the risk of a loop. Essentially host devices (PCs, printers, alien doodads with an Ethernet jack, whatever) like to forward their packets. Having 30 seconds or so where the packets are being blocked and MAC addresses learned and such is not useful. PortFast spares you that (obviously, the switch still sees the packets and learns the MAC address, but without the safety-first blocking of a potential loop). It's a good thing. Do it on all your host ports.
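As an added illustration of the advice in this thread (PortFast on host ports, paired with the BPDU guard the question mentions), here is a constructed Catalyst-style IOS fragment showing the weak setting beside the hardened one; it is not configuration from either poster, and the interface names, VLAN number and recovery timer are assumptions.

```cisco
! CONSTRUCTED EXAMPLE (not from the thread): Catalyst 2950-style IOS config.
! Interface names, VLAN and timer values are assumptions.

! --- Weak: PortFast alone ---------------------------------------------
! The port skips STP listening/learning, so the host comes up at once,
! but nothing stops a second switch (or a looped hub) behind this port
! from sending BPDUs and forming a loop that STP no longer guards against.
interface FastEthernet0/1
 description proprietary-device (weak: portfast only)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! --- Hardened: PortFast + BPDU guard ----------------------------------
! Still immediate forwarding, but if any BPDU arrives the port is
! err-disabled, so a mis-plugged switch or loop takes itself offline.
interface FastEthernet0/2
 description proprietary-device (portfast + bpduguard)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Global defaults for every host port ------------------------------
! "Do it on all your host ports": PortFast by default on access ports,
! with BPDU guard riding along. Trunk/uplink ports are not affected,
! because the default applies only to non-trunking access ports.
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! Auto-recover a guarded port after 5 minutes so a one-off mistake does
! not need a manual "shutdown / no shutdown" at the console.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! --- Checks -----------------------------------------------------------
! show spanning-tree summary                  -> PortFast / BPDU Guard defaults
! show spanning-tree interface fa0/2 portfast -> should report enabled
! show interfaces status err-disabled         -> ports tripped by a BPDU
! show errdisable recovery                    -> recovery timer state
```

If a guarded port keeps going err-disabled, something behind it is really sending BPDUs; that is the condition worth investigating rather than removing the guard.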