Whispers & Screams
And Other Things

Wi-Fi security luddite? The ICO is coming for you!

The Information Commissioner's Office today published new guidance for home Wi-Fi security after a YouGov report found that 40% of home users did not understand how to manage the security settings on their networks.

The survey also found that in spite of most ISPs now setting up and installing security on Wi-Fi equipment, 16% of the people surveyed were unsure whether or not they were using a secured network, or were aware they weren't, but didn't give a toss either way.

The new guidance includes information on managing encryption settings and how to think of a secure password. Top tip? Don't use pa55w0rd.

Giving people unsolicited access to your network could reduce connection speed, cause you to exceed data caps, or allow hordes of criminals to use your network for nefarious purposes, said the ICO.

Welcoming the move, D-Link's Chris Davies pointed out that there was no excuse for being caught out.

"There is no doubt that in the past setting up security on wireless networks could be tricky," said Chris. "But this is no longer the case with most wireless products.

"Security can be set up wiin a couple of minutes with no prior technical knowledge required. We've also been working with ISPs to help them ship products to consumers with security pre-configured."

Let's just hope the ICO doesn't start fining home users for data breaches. Or maybe that would be the kick in the butt some of them need?
Continue reading
806 Hits
0 Comments

An examination of DHCP Snooping with option 82 on Cisco.

DHCP snooping is a DHCP feature that provides security by filtering untrusted DHCP messages from hosts or other devices on the network. DHCP snooping accomplishes this level of security by building and maintaining a DHCP snooping binding table.

An untrusted DHCP message is a DHCP message that the switch receives from outside the network or firewall or from an unauthorised DHCP server that can cause security attacks within a network. DHCP snooping is used along with the interface tracking feature, which inserts option 82 in the DHCP messages by the switch. Option 82 is the Relay Agent Information Option as described in RFC 3046.

The use of DHCP snooping extends existing security capabilities, including the capability to trust a port as a DHCP server and prevent unauthorised DHCP server responses from untrusted access ports. Another DHCP snooping supported feature is per-port DHCP message rate limiting, which is configurable in packets per second (pps) and is used to prevent DoS attacks. The DHCP snooping feature is useful in ISP networks, university campuses and Long Range Ethernet (LRE) network scenarios to prevent misconfigured or malicious DHCP servers from causing user-connectivity problems (such as giving out bogus DHCP addresses).

DHCP snooping builds a DHCP binding table that contains client IP addresses, MAC addresses, ports, VLAN numbers, leases and binding types. Switches support the enabling of the DHCP snooping feature on a per VLAN basis. With this feature the switch intercepts all DHCP messages within the layer 2 VLAN domain. With option 82 enabled, the Supervisor Engine adds the ingress module, port, VLAN and switch MAC address to the packet before forwarding the DHCP request to the DHCP server. The DHCP server can track the IP address that it assigns from the DHCP pool.

With this feature the switch restricts end-user ports (untrusted ports) to sending only DHCP requests, while all other types of DHCP traffic, such as DHCP offer responses, are dropped by the switch. DHCP snooping trusted ports are the ones connected to the known DHCP servers or uplink ports to the distribution switch that provide the path to the DHCP server. Trusted ports can send and receive any DHCP message . In this manner the switch allows only trusted DHCP serves to give out DHCP addresses via DHCP responses. Therefore this feature prevents users from setting up their own DHCP servers and providing unauthorised addresses.

In summary, DHCP snooping with option 82 provides an excellent mechanism to prevent DHCP DoS attacks or misconfigured clients from causing anomalous behaviour in the network.

Continue reading
483 Hits
0 Comments