
Wednesday, March 18, 2020

TYPES OF GUARD, SNMP VERSION & SECURITY ZONE

TYPES OF GUARD


BPDU Guard-

It is implemented on an access port configured with PortFast.

If BPDU Guard receives a BPDU from a neighbor device, the port becomes enabled.

If BPDU Guard does not receive a BPDU from a neighbor device, the port becomes err-disabled.

BPDU Filter-

It effectively disables STP on the selected ports by preventing them from sending or receiving any BPDU from any device.

If the PortFast status is lost, BPDU Filter is disabled.

If BPDU Guard is enabled on the same interface where BPDU Filter is configured, BPDU Guard has no effect.

Root Guard-

Root Guard ensures that the port on which it is enabled remains the designated port.

If the root bridge does not appear on the switch, Root Guard can be enabled manually.

It enforces which switch is the root bridge in the network.

Loop Guard-

It checks whether BPDUs are no longer received on a non-designated port; when Loop Guard is enabled, such a port moves into the loop-inconsistent state.

Unidirectional Link Detection  (UDLD)-

It is a Layer 2 protocol that works on a keepalive mechanism, and it is Cisco proprietary.

It automatically detects the loss of a bidirectional link.

On Cisco devices UDLD sends out ID frames every 15 seconds; for other devices the default is 7 seconds.
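The following Cisco IOS configuration is an added example, not part of the original post, showing how the protection features listed above are applied on a switch. Interface names, VLAN numbers and the recovery interval are assumed values chosen for illustration.

```cisco
! Added example (not from the original post). Interface names and VLANs are assumed.

! Host-facing access port: PortFast with BPDU Guard. A BPDU arriving on this
! port means a switch was plugged in where only a host belongs; the port is
! put into err-disabled so the foreign switch cannot take part in STP.
interface GigabitEthernet1/0/1
 description end-user port
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable

! Alternative: turn BPDU Guard on for every PortFast-enabled port at once.
spanning-tree portfast bpduguard default

! Let err-disabled ports come back automatically after 300 seconds. Without
! this, the port stays down until an administrator does shutdown / no shutdown.
errdisable recovery cause bpduguard
errdisable recovery interval 300

! BPDU Filter is deliberately NOT configured: silently dropping BPDUs on an
! access port removes the loop protection that BPDU Guard relies on.

! Downlink to an access switch that must never become root: Root Guard. A
! superior BPDU puts the port into root-inconsistent state until it stops.
interface GigabitEthernet1/0/24
 description to access switch
 switchport mode trunk
 spanning-tree guard root

! Redundant link that is normally blocking: Loop Guard plus UDLD aggressive.
! If BPDUs stop arriving the port goes loop-inconsistent instead of forwarding;
! if the link becomes unidirectional UDLD err-disables it.
interface GigabitEthernet1/1/1
 description redundant link to core
 switchport mode trunk
 spanning-tree guard loop
 udld port aggressive

! The same two protections can be enabled globally for all point-to-point links.
spanning-tree loopguard default
udld aggressive
```

To confirm the configuration is doing its job, `show spanning-tree inconsistentports` lists ports held in root- or loop-inconsistent state, `show interfaces status err-disabled` lists ports taken down by BPDU Guard or UDLD, and `show udld neighbors` shows which links have a bidirectional UDLD relationship.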




SNMP VERSION

It is an application-layer protocol used to manage and monitor network devices.

The SNMP server uses UDP 161 and the SNMP agent uses UDP 162.

SNMP component-

SNMP agent-

It is software that runs on the managed devices.

SNMP manager-

It runs the network management application that monitors and controls the managed devices.

Management Information Base (MIB)-

Its database is a text file (.mib); the MIB and object identifier (OID) files should be assigned to the monitored devices so the device can be controlled and managed.

SNMP versions-

There are 3 versions of SNMP:

SNMPv1-

It uses only community strings for authentication, with no authorization, no privacy in access mode and no encryption; it uses UDP only.

SNMPv2-

It uses only community strings for authentication, with no authorization, no privacy in access mode and no encryption; it uses UDP only but can be configured to use TCP.

SNMPv3-

It uses a hash-based MAC with MD5 or SHA for authentication and DES-56 for privacy. This version uses TCP and is more secure than the other versions.
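The following Cisco IOS configuration is an added example, not part of the original post. It places a v2c community (the weak option the notes describe) next to a v3 authPriv user, so the difference is visible in the config itself. The community string, user name, passphrases, ACL name and management-station address are assumed values.

```cisco
! Added example (not from the original post). Names, passphrases and addresses are assumed.

! Only the management station may talk SNMP to this device. The deny is logged
! so polling attempts from anywhere else show up in the logs.
ip access-list standard SNMP-MGMT
 permit 10.0.100.10
 deny   any log

! Weak option (v2c): the community string is the only credential and crosses
! the wire in cleartext, so anyone who can sniff a poll can reuse it. If v2c
! must remain, make it read-only and bind it to the ACL.
snmp-server community S3cretRO RO SNMP-MGMT

! Preferred option (v3 authPriv): SHA-based HMAC proves the sender knows the
! auth key, AES-128 encrypts the PDU. The group is created with "priv", so a
! request that arrives without both authentication and encryption is rejected.
snmp-server view MON-VIEW iso included
snmp-server group NMS-GROUP v3 priv read MON-VIEW access SNMP-MGMT
snmp-server user nms-poller NMS-GROUP v3 auth sha Auth-Passphrase-123 priv aes 128 Priv-Passphrase-456

! Notifications to the manager also use v3 authPriv, not a v2c community.
snmp-server enable traps
snmp-server host 10.0.100.10 version 3 priv nms-poller
```

`show snmp user` confirms the authentication and privacy protocols bound to the v3 user, and `show snmp group` shows which security level each group enforces. A community string that is still needed for a legacy poller is the single largest exposure in this configuration, which is why it is both read-only and ACL-restricted.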






SECURITY ZONE

It is used to control traffic between zones, where a zone is a group of interfaces.

There are 3 types of zones: Inside, Outside and DMZ.

Inside Zone-

It protects the data, which should not be accessible to unauthorized persons from the Outside. It is also known as the trusted or internal zone.

Outside Zone-

This zone is considered to be outside the control of the organization and unsecured, since it is the public network.

DMZ-

It holds network resources such as file servers or web servers so that users can access them from the outside public network; the DMZ is placed behind the firewall.

So the firewall allows only limited access to the DMZ servers.


Zone Pair-

Inside-to-Outside and Inside-to-DMZ-

Packets flow from the inside toward the outside or the DMZ.

Outside-to-Inside-

Packets flow from the outside toward the inside, but they are allowed only when a user requested them; otherwise the packets are blocked.

DMZ-to-Inside-

Packets flow from the DMZ toward the inside, but they are allowed only when a user requested them; otherwise the packets are blocked.

Outside-to-DMZ-

Packets flow from the outside toward the DMZ and are checked by the firewall, which allows or denies them.

Only email, HTTP, HTTPS or DNS traffic is allowed.

DMZ-to-Outside-

Packets flow from the DMZ toward the outside; as per the firewall rules, only specific requests are allowed.
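The zone pairs above, implemented as a Cisco IOS Zone-Based Policy Firewall, as an added example that is not part of the original post. Interface names, the DMZ server address and the class/policy names are assumed values. The Outside-to-Inside and DMZ-to-Inside pairs have no policy of their own: in ZBF, traffic between two zones with no zone-pair is dropped, while replies to sessions inspected in the other direction are allowed statefully, which is exactly the "only when the user requested it" behaviour the notes describe.

```cisco
! Added example (not from the original post). Interfaces, addresses and names are assumed.

zone security INSIDE
zone security OUTSIDE
zone security DMZ

interface GigabitEthernet0/0
 description trusted LAN
 zone-member security INSIDE
interface GigabitEthernet0/1
 description Internet
 zone-member security OUTSIDE
interface GigabitEthernet0/2
 description DMZ servers
 zone-member security DMZ

! Inside-to-Outside and Inside-to-DMZ: inspect outbound sessions so the
! return traffic is permitted statefully. Anything that does not match is
! dropped and logged.
class-map type inspect match-any INSIDE-OUT-PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect INSIDE-OUT-POLICY
 class type inspect INSIDE-OUT-PROTOCOLS
  inspect
 class class-default
  drop log
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-OUT-POLICY
zone-pair security IN-DMZ source INSIDE destination DMZ
 service-policy type inspect INSIDE-OUT-POLICY

! Outside-to-DMZ: only mail, web and DNS, and only to the published server.
ip access-list extended DMZ-SERVER
 permit ip any host 172.16.1.10
class-map type inspect match-any DMZ-SERVICES
 match protocol smtp
 match protocol http
 match protocol https
 match protocol dns
class-map type inspect match-all OUT-DMZ-ALLOWED
 match access-group name DMZ-SERVER
 match class-map DMZ-SERVICES
policy-map type inspect OUT-DMZ-POLICY
 class type inspect OUT-DMZ-ALLOWED
  inspect
 class class-default
  drop log
zone-pair security OUT-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUT-DMZ-POLICY

! DMZ-to-Outside: only what the servers legitimately initiate (DNS lookups,
! outbound mail). A compromised DMZ host trying anything else is logged.
class-map type inspect match-any DMZ-OUT-ALLOWED
 match protocol dns
 match protocol smtp
policy-map type inspect DMZ-OUT-POLICY
 class type inspect DMZ-OUT-ALLOWED
  inspect
 class class-default
  drop log
zone-pair security DMZ-OUT source DMZ destination OUTSIDE
 service-policy type inspect DMZ-OUT-POLICY
```

`show policy-map type inspect zone-pair` shows per-class hit and drop counters for each pair, which is the quickest way to verify that a legitimate flow is being inspected rather than falling into the logged `class-default` drop.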


 


High availability (HA) & VLAN HOPPING / DOUBLE TAGGING

High availability (HA)

It is used to synchronize data over a link and maintain state information; the ICMP protocol is used to exchange heartbeats between HA peers.

Basically there are two HA ports: HA1 is called the Control link and HA2 is called the Data link.

Control Link (HA1)-

It is used to exchange User-ID information, heartbeats, HA state information, hellos and management-plane synchronization for routing.

The HA1 link works as a Layer 3 link.

Data Link (HA2)-

It is used to synchronize sessions, forwarding tables, IPsec security associations and ARP tables between the HA firewalls.

It always works unidirectionally; the flow goes from the active or active-primary firewall to the passive or active-secondary firewall.

The HA2 link works at Layer 2.

Backup Links-

They provide redundancy for the HA1 and HA2 links.

The primary device IP address and the backup HA link addresses should not overlap.

The HA backup should be on a different subnet from the primary device HA.

Packet-Forwarding Link-

It is an addition to the HA1 and HA2 links, a dedicated HA3 link.

The firewalls use this link for forwarding packets to the peer during session setup and asymmetric traffic flow.

The HA3 link supports a Layer 2 link used for MAC encapsulation. It does not support Layer 3 encryption.





VLAN HOPPING

VLAN Hopping- An attack in which an attacker connected to one VLAN gains access to another VLAN.

There are two ways it is accomplished-

Double tagging-

The attacker is connected to an interface whose VLAN is the same as the native (untagged) VLAN of the trunk.

The attacker then sends a packet into the switch with two 802.1Q tags: the inner VLAN tag is the VLAN of the destination to be reached, and the outer VLAN tag is the native VLAN.

The 1st switch removes the first (native VLAN) tag and forwards the packet to the 2nd switch over the trunk port. Now the attacker has access to the victim VLAN.

Switch spoofing-

Suppose the attacker sends DTP packets and tries to gain trunk access to the switch; this is only possible when the switch port is in the default "dynamic auto" or "dynamic desirable" mode.
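The following Cisco IOS switch hardening is an added example, not part of the original post, closing off both techniques described above. It removes the two preconditions the notes name: DTP negotiation on user ports (switch spoofing) and an access port sitting in the trunk's native VLAN (double tagging). VLAN and interface numbers are assumed values.

```cisco
! Added example (not from the original post). VLAN and interface numbers are assumed.

! Switch spoofing depends on DTP negotiating a trunk. Make every user port a
! static access port and stop sending DTP frames on it.
interface range GigabitEthernet1/0/1 - 20
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable

! Unused ports: park them in a VLAN that routes nowhere and shut them down, so
! a device plugged into a spare port gets neither a trunk nor a user VLAN.
vlan 999
 name UNUSED-PARKING
interface range GigabitEthernet1/0/21 - 23
 switchport mode access
 switchport access vlan 999
 shutdown

! Trunks: configure them statically (no DTP), move the native VLAN to a VLAN
! that no access port belongs to, and restrict the allowed VLANs. Because no
! host sits in VLAN 998, a frame whose outer tag is the native VLAN cannot be
! delivered untagged into a user VLAN, which is what double tagging relies on.
vlan 998
 name NATIVE-TRUNK
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20,30

! Tag the native VLAN on all 802.1Q trunks so the switch never strips a tag on
! the trunk. (Platform-dependent; "switchport trunk encapsulation dot1q" above
! is only needed on platforms that also support ISL.)
vlan dot1q tag native
```

`show interfaces trunk` should list only the statically configured trunk with native VLAN 998, and `show dtp interface GigabitEthernet1/0/1` should report that DTP is off on a user port; a port that still shows a "dynamic" mode in `show interfaces switchport` is one that was missed.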
 

