| Subject: | RE: PortFast Question |
|---|---|
| Date: | Tue, 28 Sep 2004 09:38:28 -0400 |
For some reason I had a slight brain fart when describing PortFast.... It is not auto-negotiation with regards to port speed/duplex; it (PortFast) is part of STP (spanning tree protocol). When you connect a device to a Catalyst port, the port will begin the learning phase (basically trying to determine if the device is another switch or a device) and what state it should place the port in (forwarding, blocking or trunk). Enabling PortFast on a specific port removes the learning phase and places the port immediately into a forwarding state. (PortFast should not be used when connecting switch port to switch port, only for devices connected to a specific switch port.)

The port "still" must be manually set to the speed/duplex as I was describing earlier, which is 'not' a function of PortFast. Both sides (the port and the device) should be set manually to ensure the proper speed/duplex.

I apologize for the confusion and my lack of thought when writing my original post......

LordInfidel

-----Original Message-----
From: LordInfidel@directionweb.com [mailto:LordInfidel@directionweb.com]
Sent: Monday, September 27, 2004 10:16 AM
To: 'Josh Sukol'; security-basics@securityfocus.com
Subject: RE: PortFast Question

If I had to guess..... the proprietary hardware box is having a hard time using auto-negotiation.

Here's what happens when you connect a device to a switch/hub, and both sides are set to auto-negotiate. The connecting device will try to connect at its maximum speed and duplex. If the other side (in this case the switch) can understand the connecting device and hence agree on the speed and duplex, the connection is made. If it cannot understand the connecting device, it says "Hey, I can't understand that connection request, try another..." And they both go back and forth until a connection is made. Now there are times when a connection "appears" to be made but you cannot ping or it seems like the connection is really slow. That is because there are transmission errors due to the way each connection is expecting to receive the data.

Now with PortFast, you are removing auto-negotiation from the switch and you are telling the switch port "Do not attempt to auto-negotiate, assume the port is 100/Full and bring the port up as such".

As far as protecting that port, you can lock that port down to the MAC address of the connecting device.

Typically, for any static network device that you are using (servers, routers, firewalls, etc), the network adapter on the device should be manually set for speed/duplex. Never leave it set to auto.

-----Original Message-----
From: Josh Sukol [mailto:secnews@gmail.com]
Sent: Friday, September 24, 2004 10:05 AM
To: security-basics@securityfocus.com
Subject: PortFast Question

I am running a small network using four Cisco Catalyst 2950 switches. I am in the process of configuring a new software package that uses some proprietary hardware that connects to the network via Ethernet. When plugged into the network the device would connect for a minute or two and then connectivity would drop (i.e. ping would fail, and the light on the switch would turn from green to amber). This pattern continued for as long as the device was plugged into the network. The cabling was checked and tested with other equipment and there were no other problems.

After trying several other things I eventually started changing the Ethernet port settings on the switch itself and found that by enabling PortFast the device functioned fine.

I have found very little information about PortFast security issues. I was able to find and did read up on PortFast BPDU guard and potential DoS using malformed packets. Are there any other security issues that affect my enabling PortFast on specific ports that connect back to a single device? Are there any other ways to solve this problem that might allow me to sidestep these potential security issues altogether?

- Slightly Off Topic - If anyone knows why this behavior occurs and why enabling PortFast fixes the connectivity issue I would be very interested to hear an explanation.

Thanks in advance for the wisdom!

---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse so that it never happens again.
http://www.infosecinstitute.com/courses/computer_forensics_training.html
----------------------------------------------------------------------------
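A defender's Catalyst IOS configuration for the situation Josh describes, added here as an example and not written by anyone in the thread: PortFast for the single fixed device, BPDU guard so the port is shut down if a switch (or anything sending BPDUs) is ever plugged into it, speed/duplex pinned manually on the switch side as LordInfidel advises, and port security locking the port to one MAC address. The interface name, VLAN number and MAC address are placeholders assumed for illustration.

```cisco
! Added example, not from the thread. Interface, VLAN and MAC are placeholders.
!
! Global: every PortFast-enabled port is err-disabled the moment it receives
! a BPDU, so a PortFast port can never silently become part of the STP topology.
spanning-tree portfast bpduguard default
!
! Optional: let err-disabled ports recover on their own after 5 minutes
! (a BPDU or port-security violation otherwise needs a manual shut/no shut).
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
interface FastEthernet0/1
 description Proprietary appliance (single fixed host, never a switch)
 ! Plain access port; it is not a trunk candidate.
 switchport mode access
 switchport access vlan 10
 !
 ! Fix speed/duplex here and on the device; do not rely on auto-negotiation.
 speed 100
 duplex full
 !
 ! PortFast skips listening/learning so the device is forwarding immediately.
 ! BPDU guard is repeated per port in case the global default is ever removed.
 spanning-tree portfast
 spanning-tree bpduguard enable
 !
 ! Port security: exactly one MAC allowed (placeholder value);
 ! the port is shut down if a different MAC appears on it.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.0000.0001
 switchport port-security violation shutdown
```

Check the result with `show port-security interface FastEthernet0/1` and `show spanning-tree interface FastEthernet0/1 portfast`; a port that has been shut by either guard shows up in `show interfaces status err-disabled`.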