Equipment redundancy is largely an issue of how quickly the outage of a piece of equipment can be resolved. Any network infrastructure device that must be available 100 percent of the time is an obvious candidate for complete redundancy to cover the worst possible scenario. Many devices have incorporated redundant processor cards in high-performance equipment to ensure a smooth, dynamic failover in the event of single-card failures. In addition, new protocols or enhancements to existing protocols have been developed to ensure that redundancy across multiple boxes has failover capability without user intervention. To have redundant coverage, make sure that failover to the backup system happens automatically.
Cisco IOS
For critical network segments that cannot have any routing outages, the Cisco IOS devices supporting these segments should be configured with the Hot Standby Router Protocol (HSRP). HSRP provides high network availability because it routes IP traffic from hosts on Ethernet, FDDI, or Token Ring networks without relying on the availability of any single router.
When HSRP is configured on a network segment, it provides a virtual MAC address and an IP address that is shared among routers in a group of routers that is running the HSRP. One of these devices is selected by the protocol to be the active router. The active router receives and routes packets destined for the group's MAC address. For n routers running the HSRP, there are n + 1 IP and MAC addresses assigned.
The HSRP detects when the designated active router fails, at which point a selected standby router assumes control of the hot standby group's MAC and IP addresses. A new standby router is also selected at that time.
Devices running the HSRP send and receive multicast UDP-based hello packets to detect router failure and to designate active and standby routers.
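To make the election and failure-detection rules above concrete, here is an added Python simulation (not code from the book or from Cisco): two routers share one virtual address, hellos are sent every 3 seconds with a 10-second hold time (the IOS defaults), and the priorities 200 and 101 are the ones used in the Figure 8-7 configuration later in this section. Whether the returning primary takes the active role back depends on preempt.

```python
from dataclasses import dataclass

HELLO_INTERVAL = 3   # seconds between hellos (IOS default)
HOLD_TIME = 10       # seconds without a hello before a router is presumed failed (IOS default)

@dataclass
class HsrpRouter:
    name: str
    ip: str              # the router's own interface address (one of the n real addresses)
    priority: int = 100  # IOS default priority
    preempt: bool = False
    up: bool = True
    last_hello: float = -1.0

def ip_key(ip):
    return tuple(int(o) for o in ip.split("."))

class HsrpGroup:
    """One standby group: n routers share a virtual IP (the n+1th address) and a virtual MAC."""
    def __init__(self, virtual_ip, routers):
        self.virtual_ip, self.routers = virtual_ip, routers
        self.active = self.standby = None

    def tick(self, now):
        # every router that is up multicasts a hello; a failed router simply falls silent
        for r in self.routers:
            if r.up:
                r.last_hello = now
        alive = [r for r in self.routers if r.last_hello >= 0 and now - r.last_hello <= HOLD_TIME]
        # highest priority wins; equal priorities are broken by the highest interface IP
        ranked = sorted(alive, key=lambda r: (r.priority, ip_key(r.ip)), reverse=True)
        if self.active not in alive:
            self.active = ranked[0] if ranked else None   # hold time expired: standby takes over
        elif ranked and ranked[0] is not self.active and ranked[0].preempt:
            self.active = ranked[0]                       # returning router takes the role back
        self.standby = next((r for r in ranked if r is not self.active), None)
        return self.active.name if self.active else None

def failover_timeline(preempt):
    """Primary (priority 200) and Standby (101) as in the Figure 8-7 configuration;
    Primary loses power at t=6 and comes back at t=27. Returns {time: active router name}."""
    primary = HsrpRouter("Primary", "144.254.1.1", priority=200, preempt=preempt)
    standby = HsrpRouter("Standby", "144.254.1.2", priority=101)
    group = HsrpGroup("144.254.1.3", [primary, standby])
    timeline = {}
    for t in range(0, 40, HELLO_INTERVAL):
        primary.up = not (6 <= t < 27)
        timeline[t] = group.tick(t)
    return timeline
```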
Note When the HSRP is configured on an interface, ICMP redirect messages are disabled by default for the interface.
HSRP is enabled on an interface with the standby ip command:
standby [group-number] ip [ip-address [secondary]]
A number of group attributes can be configured to affect how the local router participates in the HSRP. Here is an example of these attributes:
Router(config)#int e 0
Router(config-if)#standby ?
  <0-255>         Group number
  authentication  Authentication string
  ip              Enable hot standby protocol for IP
  mac-address     Specify virtual MAC address for the virtual router
  preempt         Overthrow lower priority designated routers
  priority        Priority level
  timers          Hot standby timers
  track           Priority tracks this interface state
  use-bia         Hot standby uses interface's burned-in address
Consider the scenario shown in Figure 8-7.
Figure 8-7: An Example of HSRP Implementation
The configuration of a primary router is as follows:
hostname Primary
!
interface Ethernet1
 ip address 144.254.1.1 255.255.255.0
 no ip redirects
 standby priority 200
 standby preempt
 standby ip 144.254.1.3
The configuration of a standby router is as follows:
hostname Standby
!
interface Ethernet1
 ip address 144.254.1.2 255.255.255.0
 no ip redirects
 standby priority 101
 standby ip 144.254.1.3
Cisco Switches
Switches are normally connected hierarchically, as shown in Figure 8-8.
Figure 8-8: An Example of Switch Hierarchy
In simple networks, the upper two levels of the hierarchy can be collapsed into a single backbone layer. Figure 8-8 shows the network topology after the spanning tree converges into a loop-free topology. The spanning tree has blocked the redundant links to avoid loops. Every access switch and distribution switch in the figure has a redundant uplink.
The Spanning Tree Protocol
The Spanning Tree Protocol (STP; IEEE 802.1D bridge protocol) is a link-management protocol that provides path redundancy while preventing undesirable loops in the network. For an Ethernet network to function properly, only one active path must exist between two stations. In STP, an algorithm calculates the best loop-free path through a switched network. Switches send and receive spanning-tree packets at regular intervals. The switches do not forward the packets, but use the packets to identify a loop-free path.
To provide path redundancy, STP defines a tree that spans all switches in an extended network. STP forces certain redundant data paths into a standby (blocked) state. If one network segment in the STP becomes unreachable, or if STP costs change, the spanning-tree algorithm reconfigures the spanning-tree topology and reestablishes the link by activating the standby path.
STP operation is transparent to end stations, which do not detect whether they are connected to a single LAN segment or to a switched LAN of multiple segments.
Election of the Root Switch
All switches in an extended LAN participating in STP gather information on other switches in the network through an exchange of data messages called Bridge Protocol Data Units (BPDUs). This exchange of messages results in the following actions:
· The election of a unique root switch for the stable spanning-tree network topology.
· The election of a designated switch for every switched LAN segment.
· The removal of loops in the switched network by placing redundant switch ports in a backup state.
The STP root switch is the logical center of the spanning-tree topology in a switched network. All paths that are not needed to reach the root switch from anywhere in the switched network are placed in STP blocked mode.
Bridge Protocol Data Units
BPDUs contain information about the transmitting switch and its ports, including switch and port Media Access Control (MAC) addresses, switch priority, port priority, and port cost. The STP uses this information to elect the root switch and root port for the switched network, as well as the root port and designated port for each switched segment.
The stable active topology of a switched network is determined by the following:
· The unique switch identifier (MAC address) associated with each switch.
· The path cost to the root associated with each switch port.
· The port identifier (MAC address) associated with each switch port.
Each configuration BPDU contains the following minimal information:
· The unique identifier of the switch that the transmitting switch believes to be the root switch.
· The cost of the path to the root from the transmitting port.
· The identifier of the transmitting port.
The switch sends configuration BPDUs to communicate with and compute the spanning-tree topology. A MAC frame conveying a BPDU carries the switch group address in its destination address field, so all switches connected to the LAN on which the frame is transmitted receive the BPDU. BPDUs are not directly forwarded by the switch; instead, the receiving switch uses the information in the frame to calculate its own BPDU and, if the topology changes, to initiate a BPDU transmission.
A BPDU exchange results in the following:
· One switch is elected as the root switch.
· The shortest distance to the root switch is calculated for each switch.
· A designated switch is selected. This is the switch closest to the root switch through which frames will be forwarded to the root.
· A port for each switch is selected. This is the port providing the best path from the switch to the root switch.
· Ports included in the STP are selected.
Creating a Stable STP Topology
If all switches are enabled with default settings, the switch with the lowest MAC address in the network becomes the root switch. In some cases, however, (because of traffic patterns, the number of forwarding ports, or line types), the switch picked as the root may not be the ideal root switch. By increasing the priority (that is, by lowering the numerical priority number) of the ideal switch so that it becomes the root switch, you force an STP recalculation to form a new, stable topology.
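An added Python example (not the book's or Cisco's code) that carries the BPDU exchange through for a small constructed topology in the spirit of Figure 8-8: it elects the root by lowest bridge ID (priority, MAC), computes each switch's root port by path cost with 802.1D tie-breaking, picks a designated port per segment and blocks the rest; running it again with a lowered priority on one core switch shows the recalculation that set spantree root triggers. Switch names, MAC addresses and port numbers are made up.

```python
import heapq

def spanning_tree(bridges, links):
    """bridges: {name: (priority, mac)} -- the 802.1D bridge ID, lowest wins.
    links: [(bridge_a, port_a, bridge_b, port_b, path_cost)] -- each link is one LAN segment.
    Returns (root, {(bridge, port): "root" | "designated" | "blocked"})."""
    root = min(bridges, key=lambda n: bridges[n])          # lowest bridge ID is elected root
    adj = {n: [] for n in bridges}
    for a, pa, b, pb, cost in links:
        adj[a].append((b, pa, pb, cost))
        adj[b].append((a, pb, pa, cost))
    # Shortest path to the root with 802.1D tie-breaking:
    # (root path cost, sender bridge ID, sender port, receiving port) -- lowest wins
    key, root_port = {root: (0,)}, {}
    heap = [((0,), root)]
    while heap:
        k, n = heapq.heappop(heap)
        if k != key[n]:
            continue
        for nb, my_port, their_port, cost in adj[n]:
            cand = (k[0] + cost, bridges[n], my_port, their_port)
            if nb not in key or cand < key[nb]:
                key[nb], root_port[nb] = cand, their_port   # best BPDU seen so far arrives on their_port
                heapq.heappush(heap, (cand, nb))
    roles = {}
    for a, pa, b, pb, cost in links:
        # designated bridge for the segment: lowest (root path cost, bridge ID, port ID)
        a_key, b_key = (key[a][0], bridges[a], pa), (key[b][0], bridges[b], pb)
        des, dport, oth, oport = (a, pa, b, pb) if a_key < b_key else (b, pb, a, pa)
        roles[(des, dport)] = "designated"
        # the other end forwards only if it is that bridge's root port; otherwise STP blocks it
        roles[(oth, oport)] = "root" if root_port.get(oth) == oport else "blocked"
    return root, roles

# constructed topology: two core switches, one distribution switch with dual uplinks,
# one access switch with dual uplinks (link costs are the classic 802.1D values)
LINKS = [("Core1", "1/1", "Core2", "1/1", 4),
         ("Core1", "1/2", "Dist1", "2/1", 19), ("Core2", "1/2", "Dist1", "2/2", 19),
         ("Dist1", "2/3", "Acc1", "3/1", 19), ("Core2", "1/3", "Acc1", "3/2", 19)]

def topology(core2_priority=32768):
    """Default priority (32768) everywhere except the value given for Core2."""
    bridges = {"Core1": (32768, "00:00:0c:aa:00:01"), "Core2": (core2_priority, "00:00:0c:aa:00:02"),
               "Dist1": (32768, "00:00:0c:bb:00:01"), "Acc1": (32768, "00:00:0c:cc:00:01")}
    return spanning_tree(bridges, LINKS)
```

With defaults the lowest MAC (Core1) becomes root; lowering Core2's priority to 8192 moves the root there and changes which uplinks are blocked.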
The time it takes to detect and correct failures is important. For Cisco switches, the Spanning Tree Protocol UPlinkFast and BackboneFast features reduce spanning-tree convergence times. UPlinkFast provides fast convergence after a spanning-tree topology change and achieves load balancing between redundant links using uplink groups. An uplink group is a set of ports (per VLAN), only one of which is forwarding at any given time. Specifically, an uplink group consists of the root port (which is forwarding) and a set of blocked ports, except for self-looping ports. The uplink group provides an alternative path in case the currently forwarding link fails.
Note The UPlinkFast feature is most useful in wiring-closet switches. This feature may not be useful for other types of applications.
To configure a switch as the primary root switch, enter this command:
set spantree root vlans [diameter network_diameter] [hello hello_time]
This command reduces the bridge priority (the value associated with the switch) from the default (32,768) to a significantly lower value, which allows the switch to become the root switch.
Note Run the set spantree root command on backbone switches or distribution switches only; do not run it on access switches.
To configure a switch as the secondary root switch, enter this command:
set spantree root [secondary] vlans [dia network_diameter] [hello hello_time]
You can run this command on more than one switch to create multiple backup switches in case the primary root switch fails.
The BackboneFast Convergence feature reduces the time needed for the spanning tree to converge after experiencing a topology change caused by indirect link failures. This feature complements the UPlinkFast feature just described. However, the BackboneFast Convergence feature is designed for all switches that experience indirect link failures.
Note For the BackboneFast feature to work, you must enable it on all switches in the network.
To configure the BackboneFast Convergence feature, enter this command:
set spantree backbonefast enable
The Multiple Default IP Gateways feature allows you to configure up to three default IP gateways.
Defining multiple default IP gateways provides redundancy. In the event that the primary gateway cannot be reached, the switch uses the secondary default IP gateways in the order in which they are configured. This feature is configured with the following command:
set ip route destination gateway [metric] [primary]
Use the primary keyword to give a default IP gateway higher priority than the other default IP gateway(s). If you do not designate a primary default IP gateway, the system chooses the default IP gateway based on the order in which the gateways were configured. If two or more gateways are designated as primary gateways, the system chooses the last primary gateway configured to be the default IP gateway.
Cisco PIX Firewall
The Cisco PIX firewall is usually a critical device in most corporate infrastructures. To eliminate it being a single point of failure, it is prudent to install a redundant PIX firewall and to use the failover command to ensure fast dynamic recovery in the event that the primary PIX has a power failure or some other type of failure. Use the failover command without an argument after you connect the optional failover cable between your primary firewall and a secondary firewall.
Note Failover is supported only between identical PIX firewall models running the same software version.
Failover IP addresses must be configured on each interface card. The active unit of the failover pair uses the system IP addresses and the primary unit's MAC address; the standby unit uses the failover IP addresses and the secondary unit's MAC address. The system IP addresses and the failover IP addresses must be on the same subnet with no router between them.
When a failover occurs, each unit changes state. The newly active unit assumes the IP and MAC addresses of the previously active unit and begins accepting traffic. The new standby unit assumes the failover IP and MAC addresses of the unit that was previously the active unit. Because network devices see no change in these addresses, no ARP entries change or time out anywhere on the network.
Note Both PIX firewall units in a failover pair must have the same configuration. To accomplish this, always enter configuration changes on the active unit in a PIX firewall failover configuration. Use the write memory command on the active unit to save configuration changes to flash memory (nonvolatile memory) on both the active and the standby units. Changes made on the standby unit are not replicated on the active unit.
Both units in a failover pair communicate through the failover cable. The two units send special failover hello packets to each other over all network interfaces and the failover cable every 15 seconds. The failover feature in PIX firewall monitors failover communication, the power status of the other unit, and the hello packets received at each interface. If two consecutive hello packets are not received within a time determined by the failover feature, failover starts testing the interfaces to determine which unit has failed and transfers active control to the standby unit.
Common Attack Deterrents
Many types of attack can bring a network to its knees. Many of them can be avoided or constrained with features that have been specifically developed to deter some of the better-known attacks.
Spoofed Packets
Although it is very difficult to actually recognize spoofed packets, some mechanisms can be used to help prevent some more obvious spoofs. Some of these packets may be caused by simple misconfigurations and routing loops. Whenever possible, filters should be put into place to ensure that only valid network addresses are permitted past the routers. All corporate infrastructure routers should have filters in place to disallow any obviously bogus traffic. For example, any edge router should deny traffic whose source address is one of the RFC reserved addresses shown in Table 8-7.
Table 8-7: RFC Reserved Addresses
Network IP Address    Wildcard Mask
127.0.0.0             0.255.255.255
10.0.0.0              0.255.255.255
172.16.0.0            0.240.255.255
192.168.0.0           0.0.255.255
These IP addresses are specified for special use and are therefore designated as nonroutable in the Internet infrastructure. (That is, no Internet Service Provider will route these networks; therefore, no edge routers connecting to the Internet should receive packets with these addresses as a source.)
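An added Python example, not from the book: it applies the access-list wildcard test to the Table 8-7 entries, emits the corresponding deny entries ahead of a permit, and scans lines in the %SEC-6-IPACCESSLOG format (the output of the log-input option discussed next in this section) for packets whose source is a reserved address, reporting the input interface they arrived on. The ACL number, inside host and log lines are constructed; Serial0/0 is a hypothetical Internet-facing interface.

```python
import re

# Table 8-7 as given on this page: (network, IOS access-list wildcard mask);
# a 1 bit in the wildcard means "don't care", a 0 bit must match the network
RESERVED = [("127.0.0.0", "0.255.255.255"), ("10.0.0.0", "0.255.255.255"),
            ("172.16.0.0", "0.240.255.255"), ("192.168.0.0", "0.0.255.255")]

def to_int(dotted):
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")

def wildcard_match(addr, network, wildcard):
    """The same test an IOS access-list entry applies to a source address."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return ((to_int(addr) ^ to_int(network)) & care) == 0

def is_reserved_source(addr):
    return any(wildcard_match(addr, net, wc) for net, wc in RESERVED)

def ingress_acl(number, inside_host):
    """Deny the Table 8-7 sources ahead of the page's permit line, logging the input interface."""
    lines = [f"access-list {number} deny ip {net} {wc} any log-input" for net, wc in RESERVED]
    lines.append(f"access-list {number} permit ip any host {inside_host} log-input")
    return lines

# matches the %SEC-6-IPACCESSLOG* lines that log-input produces (both formats shown in this section)
LOG_RE = re.compile(r"%SEC-6-IPACCESSLOG\w*: list (\d+) (permitted|denied) (\w+) "
                    r"(\d+(?:\.\d+){3})(?:\(\d+\))? \((\S+?)\) ?-> (\d+(?:\.\d+){3})")

def spoofed_entries(log_lines):
    """(source, input interface) for every logged packet whose source is a reserved address."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and is_reserved_source(m.group(4)):
            hits.append((m.group(4), m.group(5)))
    return hits

# constructed sample log: the first two lines follow the page's examples, the third adds a
# packet from a 10/8 source arriving on a hypothetical Internet-facing Serial0/0 interface
SAMPLE_LOG = [
    "%SEC-6-IPACCESSLOGP: list 100 permitted udp 171.69.2.132(53) (Ethernet0/0)-> 171.69.233.3(5775), 1 packet",
    "%SEC-6-IPACCESSLOGDP: list 100 permitted icmp 171.69.2.75 (Ethernet0/0) -> 171.69.233.3 (0/0), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.4.4.4(1025) (Serial0/0)-> 171.69.233.3(80), 1 packet",
]
```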
Some devices also have features to assist in tracking down the source of packets with bogus source
input interface for packets. (For a detailed discussion on Cisco IOS access lists, refer to Chapter 9, "Securing Internet Access.") It is enabled by adding log-input to an access list entry:
access-list 100 permit ip any host 171.69.233.3 log-input
The output from this command looks like this:
%SEC-6-IPACCESSLOGP: list 100 permitted udp 171.69.2.132(53) (Ethernet0/0)-> 171.69.233.3(5775), 1 packet
%SEC-6-IPACCESSLOGDP: list 100 permitted icmp 171.69.2.75 (Ethernet0/0) -> 171.69.233.3 (0/0), 1 packet
Fragmentation Attacks
To deter any attack based on fragments, the device must have an option to reassemble the original packet, ensure that the packet is valid, and then fragment the packet again before forwarding it. This check can severely limit system performance; think carefully before rushing off to implement this feature on every device. It is best to determine the most critical, vulnerable area and then place the deterrent there. In most instances in a large corporate network, the most vulnerable areas are at the network access points such as Internet access or dial-in access.
TCP SYN Attack
It is important to recognize that it is nearly impossible to stop a TCP SYN flooding attack. What can be done, however, is to constrain its impact on critical parts of the network. Typically, a firewall is set up to act as a proxy when a TCP connection is established. The firewall checks for incoming TCP connection requests and proxy answers on behalf of the destination device to ensure that the request is valid before connecting to the server (see Figure 8-9).
Figure 8-9: A TCP Proxy
After the firewall has established a genuine connection with the client and the server, it then merges these two connections into a single source/destination session. In the case of bogus requests, the firewall usually also has parameters to set very aggressive timeouts on half-open connections; it also has parameters to set threshold levels for the number of both outstanding connections and incoming rate of TCP-connection requests.
connections from slower links time out.
On the Cisco IOS devices, the commands to employ against TCP SYN attacks are these:
ip tcp intercept list <access-list-number>
ip tcp intercept mode watch
These commands keep track of the following information:
· How many session requests in the last one minute?
· How many incomplete sessions are there?
· How long is the wait for the final acknowledgment?
For the PIX firewall, you can issue the following command to limit the number of half-open TCP connections and total number of TCP connections allowed:
static 172.17.1.12 10.1.1.2 [max_conns] [em_limit]
In this syntax, max_conns is the maximum number of TCP connections allowed, and em_limit is the embryonic connection (half-open connection) limit. Refer to Chapter 9, "Securing Internet Access," for a more complete description.
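An added Python example (not the book's, and not how IOS TCP intercept or the PIX implement it internally) that models the three counters the text lists together with a PIX-style embryonic limit: a half-open connection is recorded when the proxy answers a SYN, completed on the client's final ACK, timed out when that ACK never arrives, and the oldest one is shed when the limit is reached. The addresses and the limit of three are constructed.

```python
from collections import deque

class EmbryonicWatch:
    """Half-open (embryonic) TCP connection tracker built around the counters the text lists.
    Constructed for this page: it follows the behaviour described, not a vendor implementation."""
    def __init__(self, em_limit, syn_timeout=30.0, rate_window=60.0):
        self.em_limit = em_limit           # cap on half-open connections, like the PIX em_limit
        self.syn_timeout = syn_timeout     # how long to wait for the client's final ACK
        self.rate_window = rate_window     # "session requests in the last one minute"
        self.half_open = {}                # (client ip, port) -> time the SYN arrived
        self.requests = deque()            # arrival times of recent SYNs
        self.dropped = self.established = 0

    def _expire(self, now):
        while self.requests and now - self.requests[0] > self.rate_window:
            self.requests.popleft()
        for key, t0 in list(self.half_open.items()):
            if now - t0 > self.syn_timeout:  # final ACK never came: reset and free the slot
                del self.half_open[key]
                self.dropped += 1

    def syn(self, now, client, port):
        """A SYN arrives; the proxy answers it and records the half-open connection."""
        self._expire(now)
        self.requests.append(now)
        if len(self.half_open) >= self.em_limit:
            # limit reached: shed the oldest half-open connection rather than refusing the new one,
            # so a flood cannot freeze the table against later legitimate clients
            oldest = min(self.half_open, key=self.half_open.get)
            del self.half_open[oldest]
            self.dropped += 1
        self.half_open[(client, port)] = now

    def ack(self, now, client, port):
        """Client's final ACK: only a still-tracked half-open connection is handed to the server."""
        self._expire(now)
        if self.half_open.pop((client, port), None) is None:
            return False
        self.established += 1
        return True

    def requests_last_minute(self, now):
        self._expire(now)
        return len(self.requests)

def flood_scenario():
    """One client completes the handshake, then five SYNs that never do, against a limit of three."""
    w = EmbryonicWatch(em_limit=3, syn_timeout=30)
    w.syn(0, "203.0.113.5", 40000)
    w.ack(1, "203.0.113.5", 40000)
    for i in range(5):
        w.syn(2 + i, "198.51.100.9", 50000 + i)
    return w
```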
Audit
The Audit function ensures that the network infrastructure is configured as expected. The function can also actively monitor network activity and includes the capability of intrusion detection.
All communication between auditing servers and network infrastructure devices should be authenticated and confidential (that is, encrypted) whenever possible. Audit logs should also be saved on write-once media (for example, WORM drives) or should be sent over a network to a trusted system that is inaccessible by the administrators of the system being audited. This way, if a break-in occurs, the intruder cannot erase his or her tracks.