Tag: security

Configuring MACsec Encryption

This article describes the simplest way to enable MACSec using preconfigured static key-string. The example was tried on Catalyst 3850 and should work on other switches too.

There is another article that I wrote years ago which describes a more complex implementation with dot1x etc.

MACSec

Media Access Control Security is the way to secure point-to-point Ethernet links by implementing data integrity check and encryption of Ethernet frame.

When you configure MACsec on a switch interface (and of course, on the other switch connected to that interface), all traffic going through the link is secured using data integrity checks and encryption.

Data integrity is done by appending 8-byte header and a 16-byte trailer to the Ethernet packet which is generated before a data is sent and checked upon receiving on the other switch to prove that the data inside the frame was not modified on the way. If the check fails, the packet gets dropped.

MACSec – Media Access Control Security

UPDATE on 11 Jul 2019:
I wrote a fresh article describing how to implement MACSec on Cisco devices in the simplest way possible. I think that one is maybe what most of you are searching for.. get it here

Media Access Control Security or MACSec is the Layer 2 hop to hop network traffic protection.

Just like IPsec protects network layer, and SSL protects application data, MACSec protects traffic at data link layer (Layer 2).

MACSec is standardized IEEE 802.1AE hop-by-hop encryption that enables confidentiality and integrity of data at layer 2.

It encrypts entire Ethernet packet except Source and Destination MAC addresses on any device-to-device, switch-to-switch, router-to-switch, host-to-switch directly connected wired L2 connection.

MacSec

If we compare MACSec with, for example, IPsec, MACsec provides same security but on layer 2 for each hop separately. On each hop, packets are received and decrypted enabling other features like QoS and load balancing to function. Same data is again encrypted before being sent out to next device on the way towards the destination. MACsec works on host-to-switch connection and on switch-to-switch connection enabling line-rate up to 10 GigabitEthernet fast encryption.

It uses, especially for that occasion developed and optimised Galois/Counter Mode Advanced Encryption Standard 128 (GCM-AES-128) which makes line-rate encryption/decryption possible.

There is some difference in MACSec on the connection between host and switch, and MACSec on the connection from switch to switch

MACsec uses MACsec Key Agreement (MKA) which is standardized protocol to provide the required session keys and manages the required encryption keys on a MACSec connection between hosts (PC, server, etc.) and switch.

Reflexive Access List

Some of my readers commented on my old article about reflexive access-list with issues in the configuration. I tried it in the lab again to be sure I didn’t make any mistake in the configuration example and here I’m sharing the lab and the config used.

About Reflexive Access Lists

Extended ACLs are a special kind of extended access-lists that have limited stateful behaviour technique implemented for TCP sessions. It is better to say that reflexive access-list is simulating stateful behaviour because it, by use of ‘established’ command, is allowing TCP packets that have the ‘ACK’ bit set but not the initial ‘SYN-only’ packet. In this way, we are effectively permitting only the packets that are part of an established session.

In my prior article, I showed how this works by enabling PING from PC1 in VLAN 10 to PC2 in VLAN 20 but not the other way.

I created the lab topology in GNS3:

Juniper Control Plane Protection

I already wrote about Control Plane Protection in one of my previous posts focused on Cisco device configuration. Here we will make the same thing on Juniper device, I was using Juniper SRX300 and Juniper SRX1500 devices in my lab.

CoPP ??

Control Plane Protection (CoPP) is a method of protecting processor unit, running services on your network device, against excessive flooding. Excessive flooding of traffic aimed towards your router/firewall processor, being that valid or malicious, is always undesirable and can also be dangerous.

A network device, which starts the receive more control traffic that his processor can process, will eventually experience control traffic packet drops and it will lead to some of the router functions to become unstable. Some of the most common control traffic generating services on a router are routing protocols with different update packets, Spanning Tree with BPDU packets, HSRP, CDP, ARP, and different management traffic services like SSH, SNMP, RADIUS etc.

Some of those control plane traffic types are more important than others but they all have in common the fact that they don’t normally use much bandwidth to function. Having that in mind, it is easy to conclude that the situation above with router processor at 100% because of control plane traffic is most surely caused by a DDoS attack towards your device.

More unusual is the situation when a neighboring device is experiencing some kind of malfunction which makes him send large amounts of control plane traffic out of his interfaces towards your device.

CoPP is the best way to avoid this kind of attacks or malfunctions to get in the way of your network device stability. CoPP is basically configuration of QoS inbound to your device control plane (CPU).

CoPP Best Practices

The way to configure CoPP in the most stable and effective way is to use guaranteed minimal available bandwidth for each control plane traffic type.

QKD – How Quantum Cryptography Key Distribution Works

QKD – Quantum key distribution is the magic part of quantum cryptography. Every other part of this new cryptography mechanism remains the same as in standard cryptography techniques currently used.

By using quantum particles which behave under rules of quantum mechanics, keys can be generated and distributed to receiver side in completely safe way. Quantum mechanics principle, which describes the base rule protecting the exchange of keys, is Heisenberg’s Uncertainty Principle.

Heisenberg’s Uncertainty Principle states that it is impossible to measure both speed and current position of quantum particles at the same time. It furthermore states that the state of observed particle will change if and when measured. This fairly negative axiom which says that measurement couldn’t be done without perturbing the system is used in positive way by quantum key distribution.