AES128 vs AES256: Does it matter?


While doing some research on AES, I came across this article by Seagate:

http://www.seagate.com/staticfiles/docs/pdf/whitepaper/tp596_128-bit_versus_256_bit.pdf

Note:  This is a whitepaper on the encryption engine, not the key length.


Here comes Reddit!


I’ve recently spread my knowledge and influence over to http://www.reddit.com/r/ccna ; I hope to make that subreddit a go-to location for CCNA materials, advice, and tips! Stay tuned!

Do You Run Your Network, or Does Your Network Run You?


With so many technologies in the modern network nowadays, it’s almost too easy to hook up all your switches, program a couple of IP addresses, and let it run!  PVST and VTP will take care of your layer 2 and varying routing technologies will take care of your layer 3.  Sounds easy enough, sure; until you go to troubleshoot an issue.

Spanning-tree is a network blessing when it is properly configured (either manually or automatically).  But when it goes bad, everything goes bad.  The critical factor here? Documentation.  Regardless of how your network is set up, you need to document everything.  Spanning-tree, VLANs, routing, ARP entries, config changes.  If you can think of it, DOCUMENT IT!  Once you begin to lose control of your network, your network gains control of you.  Suddenly you are changing your procedures to meet your network instead of the other way around.

There are numerous tools available to help you track and document your network.  SolarWinds NCM is a fantastic product for tracking your network devices.  Using resources such as SNMP (v3 of course!), syslog, and netflow, SolarWinds can compile this information and give you a variety of tracking and documentation features.

MSTP and VLAN Pruning


[Material from http://www.cisco.com/en/US/tech/tk389/tk621/technologies_white_paper09186a0080094cfc.shtml]

While you could spend days trying to wrap your head around MSTP, I’ve narrowed down a few rules to follow when setting up or troubleshooting MSTP on a Cisco network:

1) In a spoke-and-hub network set-up, you typically want to force your “hub” to be the root for all spanning tree instances.
2) Once you get into redundant links, you want to carefully consider your spanning tree instances (STIs) before you begin pruning VLANs off of your trunks.  You may end up pruning a VLAN off its root port.
3) Know who your roots are.  Documentation, documentation, documentation.  Review your spanning tree devices, keep records of their MACs and priorities.
4) If all else fails, hard-code your priorities to keep certain devices as spanning tree roots.

If the traffic isn’t going where you need it to, there are 100 different ways to make it go there.  Remember to consider Layer 3 routing, too.  A network isn’t about focusing on one piece at a time and moving on; it’s about proper integration of all the pieces merged together.

How the Hackers Made Current SecurID Tokens Useless


Image: An RSA SecurID SID800 token with USB connector (via Wikipedia)

[From http://arstechnica.com/security/news/2011/06/rsa-finally-comes-clean-securid-is-compromised.ars]

SecurID tokens are used in two-factor authentication systems. Each user account is linked to a token, and each token generates a pseudo-random number that changes periodically, typically every 30 or 60 seconds. To log in, the user enters a username, password, and the number shown on their token. The authentication server knows what number a particular token should be showing, and so uses this number to prove that the user is in possession of their token.

The exact sequence of numbers that a token generates is determined by a secret RSA-developed algorithm, and a seed value used to initialize the token. Each token has a different seed, and it’s this seed that is linked to each user account. If the algorithm and seed are disclosed, the token itself becomes worthless; the numbers can be calculated in just the same way that the authentication server calculates them.

Spanning Tree Port States


A port moves through these five states as follows:

  • From initialization to blocking
  • From blocking to listening or to disabled
  • From listening to learning or to disabled
  • From learning to forwarding or to disabled
  • From forwarding to disabled

You can modify each port state by using management software. When Spanning-Tree Protocol is enabled, every switch in the network goes through the blocking state and the transitory states of listening and learning at power up. If properly configured, the ports then stabilize to the forwarding or blocking state.

When the spanning-tree algorithm determines that a port should be placed in the forwarding state, the following occurs:

  • The port is put into the listening state while it waits for protocol information that suggests it should go to the blocking state.
  • The port waits for the expiration of a protocol timer that moves the port to the learning state.
  • In the learning state, the port continues to block frame forwarding as it learns station location information for the forwarding database.
  • The expiration of a protocol timer moves the port to the forwarding state, where both learning and forwarding are enabled.
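The five port states and the transitions listed above can be written down as a small state machine. The following is an added example, not code from the original post: it enforces exactly the transitions in the list, and advances a port through listening and learning on a forward-delay timer. The 15 second forward delay is the IEEE 802.1D default and is an assumption here, since the post gives no timer values.

```python
# Added example (not from the original post): an STP port state machine that
# permits only the transitions listed in the post and models the two timed states.
FORWARD_DELAY = 15.0   # seconds; IEEE 802.1D default, assumed (not stated in the post)

# Allowed transitions, exactly as listed in the post.
ALLOWED = {
    "initialization": {"blocking"},
    "blocking":       {"listening", "disabled"},
    "listening":      {"learning", "disabled"},
    "learning":       {"forwarding", "disabled"},
    "forwarding":     {"disabled"},
    "disabled":       set(),
}


class StpPort:
    def __init__(self, name):
        self.name = name
        self.state = "initialization"
        self.clock = 0.0        # simulated time in seconds
        self.in_state = 0.0     # seconds spent in the current state
        self.history = [("initialization", 0.0)]   # (state, time entered)

    def _move(self, new_state):
        """Change state, refusing anything not in the transition table."""
        if new_state not in ALLOWED[self.state]:
            raise ValueError(f"{self.name}: illegal transition {self.state} -> {new_state}")
        self.state, self.in_state = new_state, 0.0
        self.history.append((new_state, self.clock))

    def enable(self):
        """Power-up: every port starts out blocking."""
        self._move("blocking")

    def select_for_forwarding(self):
        """The spanning-tree algorithm decided this port should forward: start listening."""
        self._move("listening")

    def disable(self):
        """Administrative shutdown, allowed from any active state."""
        self._move("disabled")

    @property
    def learns(self):
        # Station addresses are learned in learning and forwarding only.
        return self.state in ("learning", "forwarding")

    @property
    def forwards(self):
        # Frames are forwarded in the forwarding state only.
        return self.state == "forwarding"

    def tick(self, seconds):
        """Advance time; listening and learning each last one forward-delay timer."""
        self.clock += seconds
        self.in_state += seconds
        while self.state in ("listening", "learning") and self.in_state >= FORWARD_DELAY:
            carry = self.in_state - FORWARD_DELAY
            self.clock -= carry          # stamp the transition when the timer actually expired
            self._move("learning" if self.state == "listening" else "forwarding")
            self.clock += carry
            self.in_state = carry


if __name__ == "__main__":
    port = StpPort("Fa0/1")
    port.enable()
    port.select_for_forwarding()
    port.tick(30)
    for state, at in port.history:
        print(f"{at:5.1f}s  {state}")
```

A port that is enabled but never selected for forwarding stays in blocking no matter how much time passes, and asking the object to go from forwarding back to blocking raises an error, because that step is not in the list above.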

Spanning Tree


Spanning tree uses BPDUs (Bridge Protocol Data Units) to transmit information between switches, both about each switch’s cost to the root and during the root election.

The root bridge is elected by the lowest bridge priority; if every switch is left at the default priority of 32768, the tie is broken by the lowest MAC address.
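To make the election rule concrete, here is an added example (not code from the original post) that models PVST root election for one VLAN: each switch’s bridge ID is compared as (priority + sys-id-ext, MAC address), where sys-id-ext is the VLAN number, so the MAC only decides among switches whose priorities tie. It also models the effect of the `root primary` and `root secondary` macros; the values 24576 and 28672, and the “4096 below the current root” fallback, are the IOS behaviour as I understand it and the model is a simplification, not the switch’s own code. The switch names and MAC addresses are constructed.

```python
# Added example (not from the original post): a model of PVST root-bridge election.
from dataclasses import dataclass, field

DEFAULT_PRIORITY = 32768   # default bridge priority; must be a multiple of 4096


@dataclass
class Switch:
    name: str
    mac: str                                       # Cisco dotted hex, e.g. "0011.2233.4455"
    priority: dict = field(default_factory=dict)   # per-VLAN configured base priority

    def base_priority(self, vlan):
        return self.priority.get(vlan, DEFAULT_PRIORITY)

    def bridge_id(self, vlan):
        """Comparable bridge ID for one VLAN: (priority + sys-id-ext, MAC as an integer)."""
        base = self.base_priority(vlan)
        if base % 4096 or not 0 <= base <= 61440:
            raise ValueError(f"{self.name}: priority must be a multiple of 4096 in 0..61440")
        return (base + vlan, int(self.mac.replace(".", ""), 16))


def elect_root(switches, vlan):
    """Lowest bridge ID wins: lowest priority first, lowest MAC only on a tie."""
    return min(switches, key=lambda s: s.bridge_id(vlan))


def root_primary(switch, switches, vlan):
    """Model of `spanning-tree vlan <vlan> root primary` (simplified): use 24576 if that
    beats every other switch, otherwise go 4096 below the best competing priority."""
    others = [s for s in switches if s is not switch]
    best = min((s.base_priority(vlan) for s in others), default=DEFAULT_PRIORITY)
    new = 24576 if best > 24576 else max(best - 4096, 0)
    switch.priority[vlan] = new
    return new


def root_secondary(switch, vlan):
    """Model of `spanning-tree vlan <vlan> root secondary`: priority 28672."""
    switch.priority[vlan] = 28672
    return 28672


# Constructed switches: all at the default priority, so the MAC decides at first.
S1 = Switch("S1", "0011.2233.4455")
S2 = Switch("S2", "0000.0c12.3456")
S3 = Switch("S3", "aabb.cc00.0100")
FABRIC = [S1, S2, S3]

if __name__ == "__main__":
    print("default election, VLAN 10:", elect_root(FABRIC, 10).name)
    root_primary(S1, FABRIC, 10)
    print("after S1 root primary:", elect_root(FABRIC, 10).name)
    root_primary(S3, FABRIC, 10)
    print("after S3 root primary:", elect_root(FABRIC, 10).name)
```

With every switch at the default, S2 wins VLAN 10 purely because 0000.0c12.3456 is the lowest MAC, which is exactly the situation the post warns about: the root is whichever box happened to ship with the smallest address, not the one you chose.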

Spanning tree uses different port modes to form a layer two switching topology that ensures no layer two loops exist in the network. You need to be familiar with the different port modes in PVST as given below:

Root – The port that receives the best BPDU, i.e. the one closest to the root bridge in terms of path cost, is called the root port. The root bridge is the only bridge in the network that does not have a root port.

Designated – A port is designated if it can send the best BPDU on the segment to which it is directly connected. On a given LAN segment there can only be a single path towards the root bridge. This port forwards traffic to the LAN segment. Access ports are considered designated ports.

Alternate – An alternate port is the next best path available back to the root bridge should the root port fail.

Backup – A backup port is a port that is connected to a segment where another bridge port already connects.

The default Spanning Tree mode is PVST on a Cisco Catalyst switch.

In this lab you will familiarize yourself with the following commands:

spanning-tree vlan # root primary – This command is executed from global configuration mode and configures the VLAN specified in the syntax on the switch you’re currently configuring as the root bridge for the specific VLAN on the network.

spanning-tree vlan # root secondary – This command is executed from global configuration mode and configures the VLAN specified in the syntax on the switch you’re currently on as the backup root bridge should the root bridge fail in the network.

spanning-tree vlan # priority # – This command is executed from global configuration mode and manually sets the bridge priority per vlan on a switch.

show spanning-tree vlan # – This command can be executed only in privileged mode and displays spanning-tree information relating to a specific VLAN number.

show spanning-tree summary – This command can be executed only in privileged mode and displays a summary of all spanning-tree instances and port counts.

show spanning-tree detail – This command can be executed only in privileged mode and displays detailed information on a per port basis of each port participating in a spanning-tree process.

show spanning-tree bridge – This command can be executed only in privileged mode and displays all spanning-tree processes per VLAN on the switch and other information including the priority per vlan, the sum of the bridge priority (vlan priority + sys-id-ext), Bridge MAC address, timers and effective spanning tree protocol.
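The show commands above are also the raw material for the documentation the earlier posts keep asking for. As an added example (not part of the original lab), the script below parses the output of `show spanning-tree vlan #` and compares it against what you have documented: who the root should be, whether the bridge priority really is priority + sys-id-ext, and which ports are blocking. The sample output is constructed by hand to match the IOS layout, not captured from a real switch; the `audit` checks and the expected root address are mine.

```python
# Added example (not from the original post): parse `show spanning-tree vlan` output
# and audit it against the documented root bridge.
import re

# Constructed sample of `show spanning-tree vlan 10` (not captured from a real switch).
SAMPLE = """\
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    24586
             Address     0011.2233.4455
             Cost        19
             Port        1 (FastEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     aabb.cc00.0100
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1               Root FWD 19        128.1    P2p
Fa0/2               Desg FWD 19        128.2    P2p
Fa0/3               Altn BLK 19        128.3    P2p
"""

ROOT_RE = re.compile(r"Root ID\s+Priority\s+(\d+)\s+Address\s+([0-9a-f.]+)")
BRIDGE_RE = re.compile(
    r"Bridge ID\s+Priority\s+(\d+)\s+\(priority (\d+) sys-id-ext (\d+)\)\s+Address\s+([0-9a-f.]+)")
PORT_RE = re.compile(
    r"^(\S+)\s+(Root|Desg|Altn|Back)\s+(FWD|BLK|LRN|LIS|LBK)\s+(\d+)\s+(\d+\.\d+)\s+(\S+)$",
    re.MULTILINE)


def parse_show_spanning_tree(text):
    """Extract VLAN, Root ID, Bridge ID and the per-port role/state table."""
    vlan = int(re.search(r"^VLAN(\d+)", text, re.MULTILINE).group(1))
    root, bridge = ROOT_RE.search(text), BRIDGE_RE.search(text)
    if not (root and bridge):
        raise ValueError("Root ID / Bridge ID block not found")
    ports = [dict(name=m.group(1), role=m.group(2), state=m.group(3),
                  cost=int(m.group(4)), prio_nbr=m.group(5), type=m.group(6))
             for m in PORT_RE.finditer(text)]
    return {
        "vlan": vlan,
        "root": {"priority": int(root.group(1)), "address": root.group(2)},
        "bridge": {"priority": int(bridge.group(1)), "base_priority": int(bridge.group(2)),
                   "sys_id_ext": int(bridge.group(3)), "address": bridge.group(4)},
        "is_root": root.group(2) == bridge.group(4),   # root and bridge address match
        "ports": ports,
    }


def audit(parsed, expected_root_address=None):
    """Compare the parsed state with the documented design; return a list of findings."""
    findings = []
    b, r = parsed["bridge"], parsed["root"]
    if b["priority"] != b["base_priority"] + b["sys_id_ext"]:
        findings.append("bridge priority is not priority + sys-id-ext")
    if b["sys_id_ext"] != parsed["vlan"]:
        findings.append("sys-id-ext does not match the VLAN number")
    if expected_root_address and r["address"] != expected_root_address:
        findings.append(f"unexpected root bridge {r['address']} "
                        f"(documented root is {expected_root_address})")
    if parsed["is_root"] and b["base_priority"] == 32768:
        findings.append("this switch is root only by MAC address; no priority was configured")
    for p in parsed["ports"]:
        if p["state"] == "BLK":
            findings.append(f"{p['name']} blocking ({p['role']} role)")
    return findings


if __name__ == "__main__":
    parsed = parse_show_spanning_tree(SAMPLE)
    print(f"VLAN {parsed['vlan']}: root {parsed['root']['address']}, "
          f"this bridge {parsed['bridge']['address']}, is_root={parsed['is_root']}")
    for finding in audit(parsed, expected_root_address="0011.2233.4455"):
        print(" -", finding)
```

Run against the sample with the documented root set to 0011.2233.4455, the only finding is Fa0/3 blocking in the alternate role, which is expected on a redundant link; change the documented root and the audit flags that the VLAN is rooted somewhere you did not plan.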