OECG – Chapter 21

AAA – authentication, authorization and accounting – who are you, what are you allowed to do, and we’re watching you do it.

ACE – access control entry – one line of an access control list, generally consisting of a “permit” or “deny” followed by matching criteria

ACS – access control server – a server used in conjunction with AAA clients.

authentication method – how a router can determine whether the user is allowed access to the device. (RADIUS, TACACS+, local, none, etc.)

authentication server – in the context of 802.1X, this is the server that authenticates the client.

authenticator – in the context of 802.1X, this is the device that arbitrates between the supplicant and the authentication server

DAI – dynamic ARP inspection – a switch dropping naughty ARP messages

DHCP snooping – a switch dropping naughty DHCP messages (i.e., server messages showing up on ports where there’s no known DHCP server). Also creates a DHCP snooping binding database.

DHCP snooping binding database – this is what the switch has learned while performing DHCP snooping.

EAP – extensible authentication protocol – 802.1X authentication protocol (RFC3748)

EAPoL – EAP over LAN – encapsulation of EAP inside of a LAN frame, used between the “supplicant” and “authenticator”

enable password – password used to access privileged mode on the router

enable secret – password used to access privileged mode on the router, stored in a secret-squirrel MD5 hash

fraggle attack – a UDP echo attack – like a smurf attack

IEEE 802.1X – a standard for user authentication that must be satisfied before a port will be enabled on a switch

IP source guard – uses the DHCP snooping database to make sure that IP and MAC of a frame entering a port is what’s expected
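The DAI, DHCP snooping, binding database and IP source guard entries above describe one mechanism from several angles, so here is an added example (not part of the original post or of any Cisco code) that models it end to end: a switch builds bindings from DHCP server replies seen on trusted ports, then uses those bindings to decide what IP frames and ARP messages to forward on untrusted ports. Every port name, VLAN, MAC and IP address in it is constructed sample data.

```python
# Added example, not part of the original post: a toy model of how a switch's
# DHCP snooping binding database feeds IP Source Guard and Dynamic ARP
# Inspection. All port names, VLANs, MACs and IPs are constructed sample data.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    """One entry of the DHCP snooping binding database."""
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class SnoopingSwitch:
    # Ports where DHCP server messages (OFFER/ACK) are allowed to arrive.
    trusted_ports: set = field(default_factory=set)
    # (vlan, client mac) -> port the client's DISCOVER/REQUEST came in on.
    pending: dict = field(default_factory=dict)
    # (vlan, port) -> {mac: Binding}; the DHCP snooping binding database.
    bindings: dict = field(default_factory=dict)

    def dhcp_client_message(self, port, vlan, client_mac):
        """DISCOVER/REQUEST: remember which port the client lives on."""
        self.pending[(vlan, client_mac)] = port
        return "forward"

    def dhcp_server_message(self, port, vlan, client_mac, assigned_ip):
        """OFFER/ACK: dropped unless it arrives on a trusted port; an ACK on a
        trusted port installs a binding for the client's port."""
        if port not in self.trusted_ports:
            return "drop"          # server message on an access port: unknown server
        client_port = self.pending.get((vlan, client_mac))
        if client_port is None:
            return "forward"       # no matching request seen; nothing to bind
        entry = Binding(client_mac, assigned_ip, vlan, client_port)
        self.bindings.setdefault((vlan, client_port), {})[client_mac] = entry
        return "forward"

    def _matches(self, port, vlan, mac, ip):
        entry = self.bindings.get((vlan, port), {}).get(mac)
        return entry is not None and entry.ip == ip

    def ip_source_guard(self, port, vlan, src_mac, src_ip):
        """Drop IP frames whose source MAC/IP pair is not in the binding table
        for that port (trusted ports are not checked)."""
        if port in self.trusted_ports or self._matches(port, vlan, src_mac, src_ip):
            return "forward"
        return "drop"

    def arp_inspection(self, port, vlan, sender_mac, sender_ip):
        """DAI: validate the sender MAC/IP inside the ARP body the same way."""
        if port in self.trusted_ports or self._matches(port, vlan, sender_mac, sender_ip):
            return "forward"
        return "drop"


def demo():
    """Walk a legitimate lease and a spoofed address through the switch."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/24"})   # uplink toward the real DHCP server
    sw.dhcp_client_message("Gi0/1", 10, "aa:aa:aa:00:00:01")
    return {
        # OFFER from an unknown server plugged into an access port is dropped
        "rogue_offer": sw.dhcp_server_message("Gi0/2", 10, "aa:aa:aa:00:00:01", "10.0.10.99"),
        # ACK from the real server on the trusted uplink installs the binding
        "real_ack": sw.dhcp_server_message("Gi0/24", 10, "aa:aa:aa:00:00:01", "10.0.10.50"),
        # host sends with its leased address: allowed
        "good_ip": sw.ip_source_guard("Gi0/1", 10, "aa:aa:aa:00:00:01", "10.0.10.50"),
        # same host using an IP it never leased: IP Source Guard drops it
        "spoofed_ip": sw.ip_source_guard("Gi0/1", 10, "aa:aa:aa:00:00:01", "10.0.10.1"),
        # ARP whose sender IP does not match the binding: DAI drops it
        "bad_arp": sw.arp_inspection("Gi0/1", 10, "aa:aa:aa:00:00:01", "10.0.10.1"),
        # ARP with the genuine binding: allowed
        "good_arp": sw.arp_inspection("Gi0/1", 10, "aa:aa:aa:00:00:01", "10.0.10.50"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

The point the model makes is that DAI and IP source guard are only as good as the binding table: a host with a static address on an untrusted port has no binding and is dropped, which is why real switches let you add static bindings for such hosts, and why the uplink to the real DHCP server must be marked trusted before snooping is turned on.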

man-in-the-middle attack – where an attacker positions himself in the middle of a flow by lying about MAC and/or IP addresses. Once the attacker sees the traffic, he forwards to the true recipient, hoping no one will be the wiser.

MD5 hash – message digest 5 – using a cipher with a private encryption key and sometimes a shared secret. The digest is included in the message. Both sides perform the same math to make sure that the message wasn’t tampered with.

OTP – one-time password – a shared key and secret key are used by a hash to create a password. The shared key is not ever used again, so the password is only good for that one cycle.

port security – limiting the number of MAC addresses allowed on a port, and/or actually limiting the MACs themselves

RADIUS – RFC2865 – an authentication scheme for usernames/passwords. Authenticated users can have RADIUS attributes associated with their accounts that grant them certain permissions on the device they are authenticating against.

SAFE blueprint – a Cisco whitepaper on securing a network. Uses a tiered approach and defined mitigation strategy for common network threats.

smurf attack – an ICMP echo is sent via directed broadcast to a subnet. The source of the echo is spoofed to be a host on that LAN. That host gets all of the echo replies from all over the subnet, therefore being attacked.

sticky learning – when a switch running port-security with sticky learning learns a MAC, he applies that entry to his startup-configuration automatically

supplicant – in the context of 802.1X, this is the device the user is sitting in front of, where he enters his username/password. The device will send this information to the switch via EAP.

TACACS+ – Cisco proprietary – like RADIUS in concept. A means of authenticating a user to a device via username/password.

TCP intercept – the router pays close attention to TCP conversations, either monitoring the status of 3-way handshakes, or actually taking on the burden of the 3-way handshake itself, protecting the server.

TCP SYN flood – sending a ton of SYNs, causing the victim to SYN/ACK, but never responding with the final ACK. The victim sits there with tons of half-open TCP connections, potentially running out of resources in his TCP stack.
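To make the TCP intercept and TCP SYN flood entries concrete, here is an added example (not part of the original post and not Cisco's implementation) that models a server with a fixed half-open connection table, first exposed directly and then behind a router in intercept mode. The flood is simulated in memory only; the client addresses, ports and table size are constructed.

```python
# Added example, not part of the original post: a toy model of a TCP SYN flood
# against a server's half-open connection table, with and without a TCP
# intercept device in front of it. Addresses and limits are constructed.
from dataclasses import dataclass, field


@dataclass
class Server:
    """Server whose TCP stack can hold only `backlog` half-open connections."""
    backlog: int
    half_open: set = field(default_factory=set)
    established: set = field(default_factory=set)

    def syn(self, client):
        if len(self.half_open) >= self.backlog:
            return "drop"                 # table full: the SYN is discarded
        self.half_open.add(client)
        return "syn-ack"

    def ack(self, client):
        if client not in self.half_open:
            return "rst"
        self.half_open.remove(client)
        self.established.add(client)
        return "established"


@dataclass
class TcpIntercept:
    """Router in intercept mode: it answers every SYN itself and only opens a
    connection to the real server once the client's final ACK has arrived."""
    server: Server
    embryonic: set = field(default_factory=set)   # handshakes the router is holding

    def syn(self, client):
        self.embryonic.add(client)
        return "syn-ack"                  # sent by the router, not the server

    def ack(self, client):
        if client not in self.embryonic:
            return "rst"
        self.embryonic.remove(client)
        self.server.syn(client)           # relay the now-complete handshake
        return self.server.ack(client)


def run_scenario(front, flood_size):
    """`flood_size` spoofed sources send a SYN and never ACK; then one real
    client attempts a full handshake. Returns the real client's outcome."""
    for i in range(flood_size):
        front.syn(f"198.51.100.{i % 254 + 1}:{40000 + i}")   # constructed sources
    legit = "203.0.113.7:51515"
    if front.syn(legit) != "syn-ack":
        return "syn dropped"
    return front.ack(legit)


def compare(backlog=128, flood_size=1000):
    """Same flood against an exposed server and against one behind intercept."""
    exposed = run_scenario(Server(backlog), flood_size)
    protected = run_scenario(TcpIntercept(Server(backlog)), flood_size)
    return {"exposed": exposed, "behind_intercept": protected}


if __name__ == "__main__":
    print(compare())
```

The model leaves out the part that matters operationally: the router's own embryonic table grows with every unanswered SYN, so a real intercept device must age out and reset handshakes that never complete, which is what the timeouts and aggressive-mode thresholds on a TCP intercept configuration are for.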