Preparing network infrastructure for PHD
Text by Sergey Pavlov and Dmitry Kurbatov
May 11, 2011, one week remains before the Positive Hack Days forum. Everything is going according to plan: the room is rented, guests are invited, tasks have been invented. One of the sponsors brought a huge basket of HP blades, several Cisco Catalyst 2960 switches, access points and a wireless WLC controller. The equipment was laid in the form of the Tower of Pisa, but did not even turn on. We decided that as long as there are no L3 switches, there is nothing to configure.
The next day, a shipment of 2960 arrived, one Catalyst 3750, a box of patch cords and extension cords. It's time to get started and make a network. On the PHD website, schemes of halls in which the forum was planned were found. It goes without information about the length of the walls in meters, but only with the indication of playing areas and places for conducting seminars. After an hour of brainstorming, the first version of the network layout was ready:
')
What the network represented in the end had little to do with the outline shown above. Colleagues working in major system integrators claim that this paradox is an absolute norm, and in fact design and implementation are two completely unrelated processes. All draw schemes for the soul, and collect and customize how it goes. The most experienced say that this is not according to GOST and that it is impossible to work this way.
In our case, only the Catalyst 3750 switch and operation logic remained in the original location. Since the L3 switch was one, the network was not fault tolerant: the 3750 was the “core” of the network, aggregated LACP uplinks from access switches and routed traffic between VLANs. Six or seven pieces of 2960 were used as access switches. The architecture is simple and clear, there is nothing more to tell about it.
By the end of the day, the stacked switches were tangled in the thickets of patch cords, but this picture was not yet up to the masterpieces of the SCS horror films. In parallel, the wireless network components were configured, but we decided to finish and put everything together on Friday, the 13th.
“ Positive Hack Days CTF is an information protection competition and not harmless students take part in it!” Dima Evteev said something like this, letting us know that it would be nice to make the network as secure as possible from possible user actions.
So in the settings of the switches appeared the lines, hotly recommended by the manufacturer of network equipment, but unfamiliar to most network administrators:
and so on and so forth. More, as they say, on cisco.com .
Friday the 13th would not be themselves if it had not presented an unpleasant surprise. HP did not like the one hundred kilogram basket of HP at once; carrying it from the truck to the office was all that fun. The second “positive” characteristic of the device after the weight turned out to be the presence of the HP c-Class GbE2c Switch in it, which none of our “network” specialists had seen before. And Friday, eight in the evening, I want to leave work and forget the way to the office until Monday, and before my eyes:
After searching the manufacturer’s site, it became possible to familiarize themselves with the extensive documentation on the product, but it was not possible to overpower myself and deal with an unfamiliar piece of iron that evening. I had to postpone until Monday.
But it was not quite like that. Friday evening. Returning home from work thoughts were just about how cool to spend the weekend. But suddenly, almost in tears, Dima Evteev called and said, I was thrown one, but you, yes, I told you ... As it turned out, he needed switching in any form. But because trunk between HP and Cisco switches didn’t want to make friends, we had to make a very difficult decision. Namely: by joint efforts, the switches were set up to work in access mode, thus forgetting about trunking until Monday.
Monday, May 16, there are three days before PHD, one of them is for setting up the HP switch, since on the 17th all the equipment seems to leave for the forum venue.
How are the blade server, the switch itself and its external ports connected inside the basket? There are four servers in the basket, so it is necessary to provide at least two gigabit uplinks from the switch to the network, how? The eyes are afraid, and the hands are doing. Two hours were beaten headlong against the wall and as a result, EtherChannel with LACP between HP and Catalyst switches started working.
On May 17, the glands did not go anywhere, but were left in the stuffy room of the pentesters to be tested with ultraviolet from the spring sun :)
Once there was still time, we decided to scan all the equipment with the MaxPatrol system in the Pentest and Audit modes. ABOUT! How wonderful! A standard cisco / cisco account remained on one of the switches. It would be a scandal!
They instantly deleted this account and forgot everything as a bad dream. On the Cisco WLC controller, the equally dangerous default / default account for SNMPv3 with read-write permissions also hung.
A little about the wireless network itself.
The infrastructure itself consisted of 2 components:
- control controller Cisco Wireless LAN Controller 2106
- access points: Cisco LAP 1131
The main purpose of the wireless network was to provide access to the public Internet from communicators, laptops and other devices. Therefore, for the wireless network on the Cisco WLC, a DHCP server was turned on so that everything was transparent for users: came connected, got into the Internet, saw your password on the “board of shame”;) For the implementation, the last port mirroring was enabled on the 3750 switch.
On May 18, at 12 noon, probably the two most responsible employees in PT gathered at the reception desk of the Young Guard club. They gathered and began to wait for the rest, not suspecting that almost yesterday they would have to work as loaders and laborers. By one o'clock, the rest of the colleagues arrived, trucks arrived with all sorts of things. Without a break for lunch, but with regular smoke breaks, IS specialists, auditors, consultants, analysts and technical director deployed PHD infrastructure on two floors of the club. It took about ten hours, against the planned four or five, so they went home to one o'clock at night.
The real work on deploying a network for PHD began only at about 6 o'clock, since until that time integrators were only engaged in preparing the infrastructure for television. Therefore, after unloading equipment, accessories and gifts for visitors, it was possible to lay out the equipment on the tables at a leisurely pace on the tables to connect physics in accordance with the connection table. In the office, it looked much simpler, since the wired and wireless networks were configured separately from each other. The main core of the network is presented below.
As mentioned earlier, the projected and real network are always different. It happened with the wireless network. According to the scheme, it turned out that some access points had to be inside the box, which was already tightly sewn with plywood sheets.
In some locations of access points it was not possible to provide them with 220V power. They used WLC ports that support PoE. Fortunately, there were 2 such places and there were also 2 ports. The rest of the access points, as expected, were connected to the switch ports.
But the most interesting thing was still to come. By 8 pm, it turned out that the provider had provided 2 links with “white” IP addresses (for video and for PHD access to the Internet). But 3750 does not support NAT! Urgently they sent 2 messengers to Savelovsky behind a SOHO class router. They did not return quickly, around 11 o'clock. Quickly figured out the settings of this device, turned on the NAT, connected the device to our 3750 switch, checked the Internet access via a wireless network, and decided on this that it was worth stopping.
At home closer to three o'clock at night I was visited by a frightening thought: “Why the hell did I not hang up access control lists between VLANs?” network traffic even between segments is unlimited. Here it will be “funny” if someone goes beyond the CTF network and hacks the hosts of the organizers.
In the morning I hurried to PHD and planned to hang up the ACL one hour before the start of the competition and check everything, but I got stuck in traffic and arrived at eight-thirty. As a result, the network was relatively protected and ready for use only 15 minutes before the start of the CTF, but fulfilled its functions and partially fell only once, when the attacker weaned off the power of one of the switches.
I think the dream of all hackers on this day was a nondescript laptop on which the entire scheme of connections is neatly painted, as well as all the passwords to the network equipment.
Approximately in this vein, training took place.
Oh yes! I completely forgot that the day before PHD Andrei had a birthday, which had a more positive effect on the preparation for the exhibition;)
May 11, 2011, one week remains before the Positive Hack Days forum. Everything is going according to plan: the room is rented, guests are invited, tasks have been invented. One of the sponsors brought a huge basket of HP blades, several Cisco Catalyst 2960 switches, access points and a wireless WLC controller. The equipment was laid in the form of the Tower of Pisa, but did not even turn on. We decided that as long as there are no L3 switches, there is nothing to configure.
The next day, a shipment of 2960 arrived, one Catalyst 3750, a box of patch cords and extension cords. It's time to get started and make a network. On the PHD website, schemes of halls in which the forum was planned were found. It goes without information about the length of the walls in meters, but only with the indication of playing areas and places for conducting seminars. After an hour of brainstorming, the first version of the network layout was ready:
')
What the network represented in the end had little to do with the outline shown above. Colleagues working in major system integrators claim that this paradox is an absolute norm, and in fact design and implementation are two completely unrelated processes. All draw schemes for the soul, and collect and customize how it goes. The most experienced say that this is not according to GOST and that it is impossible to work this way.
In our case, only the Catalyst 3750 switch and operation logic remained in the original location. Since the L3 switch was one, the network was not fault tolerant: the 3750 was the “core” of the network, aggregated LACP uplinks from access switches and routed traffic between VLANs. Six or seven pieces of 2960 were used as access switches. The architecture is simple and clear, there is nothing more to tell about it.
By the end of the day, the stacked switches were tangled in the thickets of patch cords, but this picture was not yet up to the masterpieces of the SCS horror films. In parallel, the wireless network components were configured, but we decided to finish and put everything together on Friday, the 13th.
“ Positive Hack Days CTF is an information protection competition and not harmless students take part in it!” Dima Evteev said something like this, letting us know that it would be nice to make the network as secure as possible from possible user actions.
So in the settings of the switches appeared the lines, hotly recommended by the manufacturer of network equipment, but unfamiliar to most network administrators:
vtp mode off
ip dhcp snooping vlan 116-117,150-151,200
ip arp proxy disable
ip arp gratuitous none
service password-encryption
ip ssh time-out 60
ip ssh authentication-retries 4
ip ssh version 2
interface Vlan100
ip address 192.168.0.100 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
interface FastEthernet0/3
switchport access vlan 100
switchport mode access
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 10
switchport port-security violation restrict
switchport port-security aging type inactivity
spanning-tree portfast
spanning-tree bpduguard enable
no ip http server
ip access-list standard Mngt_Access
permit 172.16.0.0 0.0.0.255 log
deny any
line vty 0 4
access-class Mngt_Access in
login local
transport input sshand so on and so forth. More, as they say, on cisco.com .
Friday the 13th would not be themselves if it had not presented an unpleasant surprise. HP did not like the one hundred kilogram basket of HP at once; carrying it from the truck to the office was all that fun. The second “positive” characteristic of the device after the weight turned out to be the presence of the HP c-Class GbE2c Switch in it, which none of our “network” specialists had seen before. And Friday, eight in the evening, I want to leave work and forget the way to the office until Monday, and before my eyes:
After searching the manufacturer’s site, it became possible to familiarize themselves with the extensive documentation on the product, but it was not possible to overpower myself and deal with an unfamiliar piece of iron that evening. I had to postpone until Monday.
But it was not quite like that. Friday evening. Returning home from work thoughts were just about how cool to spend the weekend. But suddenly, almost in tears, Dima Evteev called and said, I was thrown one, but you, yes, I told you ... As it turned out, he needed switching in any form. But because trunk between HP and Cisco switches didn’t want to make friends, we had to make a very difficult decision. Namely: by joint efforts, the switches were set up to work in access mode, thus forgetting about trunking until Monday.
Monday, May 16, there are three days before PHD, one of them is for setting up the HP switch, since on the 17th all the equipment seems to leave for the forum venue.
How are the blade server, the switch itself and its external ports connected inside the basket? There are four servers in the basket, so it is necessary to provide at least two gigabit uplinks from the switch to the network, how? The eyes are afraid, and the hands are doing. Two hours were beaten headlong against the wall and as a result, EtherChannel with LACP between HP and Catalyst switches started working.
On May 17, the glands did not go anywhere, but were left in the stuffy room of the pentesters to be tested with ultraviolet from the spring sun :)
Once there was still time, we decided to scan all the equipment with the MaxPatrol system in the Pentest and Audit modes. ABOUT! How wonderful! A standard cisco / cisco account remained on one of the switches. It would be a scandal!
They instantly deleted this account and forgot everything as a bad dream. On the Cisco WLC controller, the equally dangerous default / default account for SNMPv3 with read-write permissions also hung.
A little about the wireless network itself.
The infrastructure itself consisted of 2 components:
- control controller Cisco Wireless LAN Controller 2106
- access points: Cisco LAP 1131
The main purpose of the wireless network was to provide access to the public Internet from communicators, laptops and other devices. Therefore, for the wireless network on the Cisco WLC, a DHCP server was turned on so that everything was transparent for users: came connected, got into the Internet, saw your password on the “board of shame”;) For the implementation, the last port mirroring was enabled on the 3750 switch.
On May 18, at 12 noon, probably the two most responsible employees in PT gathered at the reception desk of the Young Guard club. They gathered and began to wait for the rest, not suspecting that almost yesterday they would have to work as loaders and laborers. By one o'clock, the rest of the colleagues arrived, trucks arrived with all sorts of things. Without a break for lunch, but with regular smoke breaks, IS specialists, auditors, consultants, analysts and technical director deployed PHD infrastructure on two floors of the club. It took about ten hours, against the planned four or five, so they went home to one o'clock at night.
The real work on deploying a network for PHD began only at about 6 o'clock, since until that time integrators were only engaged in preparing the infrastructure for television. Therefore, after unloading equipment, accessories and gifts for visitors, it was possible to lay out the equipment on the tables at a leisurely pace on the tables to connect physics in accordance with the connection table. In the office, it looked much simpler, since the wired and wireless networks were configured separately from each other. The main core of the network is presented below.
As mentioned earlier, the projected and real network are always different. It happened with the wireless network. According to the scheme, it turned out that some access points had to be inside the box, which was already tightly sewn with plywood sheets.
In some locations of access points it was not possible to provide them with 220V power. They used WLC ports that support PoE. Fortunately, there were 2 such places and there were also 2 ports. The rest of the access points, as expected, were connected to the switch ports.
But the most interesting thing was still to come. By 8 pm, it turned out that the provider had provided 2 links with “white” IP addresses (for video and for PHD access to the Internet). But 3750 does not support NAT! Urgently they sent 2 messengers to Savelovsky behind a SOHO class router. They did not return quickly, around 11 o'clock. Quickly figured out the settings of this device, turned on the NAT, connected the device to our 3750 switch, checked the Internet access via a wireless network, and decided on this that it was worth stopping.
At home closer to three o'clock at night I was visited by a frightening thought: “Why the hell did I not hang up access control lists between VLANs?” network traffic even between segments is unlimited. Here it will be “funny” if someone goes beyond the CTF network and hacks the hosts of the organizers.
In the morning I hurried to PHD and planned to hang up the ACL one hour before the start of the competition and check everything, but I got stuck in traffic and arrived at eight-thirty. As a result, the network was relatively protected and ready for use only 15 minutes before the start of the CTF, but fulfilled its functions and partially fell only once, when the attacker weaned off the power of one of the switches.
I think the dream of all hackers on this day was a nondescript laptop on which the entire scheme of connections is neatly painted, as well as all the passwords to the network equipment.
Approximately in this vein, training took place.
Oh yes! I completely forgot that the day before PHD Andrei had a birthday, which had a more positive effect on the preparation for the exhibition;)
Source: https://habr.com/ru/post/137011/
All Articles