MACSec Redux

2016.09.15

Good ol’ MACSec.

First, I posted a quick-and-dirty, notes-for-myself MACSec how-to for Juniper.

Then, I posted a similar MACSec how-to for Cisco. So here’s a miscellany of different MACSec implementations.

Let’s say you want to run your own router because your Layer 8 & 9 specialists mandate it: here’s MACSec on Linux.

Here’s a guy who did Cisco-switch-to-Cisco-switch MACSec over an MPLS link between a Cisco and a Juniper router (because MACSec works at layer 1 and thus you need to fake layer 1 via MPLS). So that’s a thing.

Here’s Extreme Networks’ MACSec implementation:

set macsec port mka enable tg.1.1
set macsec pre-shared-key port tg.1.1 ckn foo cak passphrase bar

HP switch MACSec config

Brocade MACSec details and also a Brocade sample config of MACSec.

Automatically reverting configuration mistakes in JunOS and IOS

2015.01.09

The old joke goes: I don’t make mistakes. I thought I did once, but I was wrong.

But here’s how to save yourself from mistakes when configuring a JunOS or IOS device:

JUNOS is easy: “commit check”, “commit confirmed” and the handy “rollback”. Frankly, if you’re on a JUNOS device, you should already know about these.

But how to do the same on IOS? Cisco’s configurations happen as soon as you hit enter on the config, right?

Here’s how:

  • The brute force method: “reload in 5”. Write your proposed changes in Notepad++ (or notepad.exe if you insist). Log in to the device that you’re going to change and, before you make any changes, run “reload in 5”. Then make your changes. If you did something boneheaded that disables the device or your connection to it, the device will reload from its start-config in 5 minutes, effectively erasing your running-config.

Of course, if this is a shared device, you’ve taken everyone offline for as long as the reboot takes. Or maybe you don’t want your config saved to start-config as a security measure*. So what do you do to avoid a reboot while keeping the ability to revert a recently made change? Ah, you’ll be wanting the somewhat more sophisticated method 2:

  • First, turn on archive:

cisco-router#configure terminal
cisco-router(config)#archive

then configure a path for where it’ll be stored and save that:

cisco-router(config-archive)#path usbflash0:backup-config
cisco-router(config-archive)#end
cisco-router#write mem

Now you should be able to use “configure terminal revert time 5” which is IOS’ functional equivalent of JUNOS’ “commit confirmed 5”:

cisco-router#conf t revert time 5

Here it will tell you that your config is being backed up to where you told it to and that the config will be rolled back in 5 minutes. So make your changes:

cisco-router(config)#int gig 0/0

cisco-router(config-if)# shutdown

If everything is good, go back to exec mode and “configure confirm” to keep the change (it is an exec command, so it won’t be accepted inside config mode):

cisco-router(config-if)#end
cisco-router#configure confirm

For the truly worried, use both methods: “reload in 10” and “revert in 5”. If the revert doesn’t work, the reload will (this will still take down the router, but hey…)

Categories : HowTo  Networking  Security

Juniper MACSec Notes

2014.10.16

MACSec is kind of neat (TL;DR for the impatient: layer-1 crypto on links).

Media Access Control Security (MACsec) is an industry-standard security technology that provides secure communication for all traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly connected nodes and is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks. MACsec is standardized in IEEE 802.1AE.

MACsec allows you to secure an Ethernet link for almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP), Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), and other protocols that are not typically secured on an Ethernet link because of limitations with other security solutions. MACsec can be used in combination with other security protocols such as IP Security (IPsec) and Secure Sockets Layer (SSL) to provide end-to-end network security.

CLI config:

#create an association:
set security macsec connectivity-association ca1

#choose a mode (static cak recommended — see here for why)
set security macsec connectivity-association ca1 security-mode static-cak

#ckn needs to be a 64-digit number in hex, but any empty space is padded w/ 0’s
set security macsec connectivity-association ca1 pre-shared-key ckn deadbeef99

#cak needs to be a 32-digit number in hex, but any empty space is padded w/ 0’s
set security macsec connectivity-association ca1 pre-shared-key cak deadbeef11

# set to 255 to make it “less likely” to be chosen as key server, 0 for “more likely”
set security macsec connectivity-association ca1 mka key-server-priority 0

# set to 6000 for a high-traffic environment; defaults to 2000.
set security macsec connectivity-association ca1 mka transmit-interval 6000

#this leaves the first 30 bytes of each frame unencrypted for troubleshooting; set to 0 for full encryption, 50 to leave ipv6 headers unencrypted
set security macsec connectivity-association ca1 offset 30

# replay protection; a window size of 0 requires every packet to arrive strictly in order
set security macsec connectivity-association ca1 replay-protect replay-window-size 5

# exclude a protocol from macsec (the statement lives under the connectivity-association)
set security macsec connectivity-association ca1 exclude-protocol lldp

#enable macsec
set security macsec interfaces xe-0/1/0 connectivity-association ca1

Troubleshooting:
show security macsec statistics interface xe-0/1/0 detail
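To make the offset knob concrete, here is an added example (not the post’s or Juniper’s code) that builds a constructed IPv4/UDP frame and shows which bytes stay readable on the wire for each of the three permitted offsets. It assumes, per IEEE 802.1AE, that the offset is counted from the start of the user data following the SecTAG and that this user data begins with the original EtherType.

```python
import struct

# Added example (not the post's or Juniper's code). Assumption, per IEEE 802.1AE:
# the confidentiality offset counts from the start of the user data that follows
# the SecTAG, and that user data begins with the original EtherType. The ICV still
# covers every byte, so an offset only trades confidentiality, not integrity.
VALID_OFFSETS = (0, 30, 50)   # the only values 802.1AE (and the Junos knob) allow

def ipv4_udp_user_data(src, dst, sport, dport, payload):
    """Constructed user data of one frame: EtherType + IPv4 header + UDP header + payload."""
    ethertype = struct.pack("!H", 0x0800)
    # version/IHL, ToS, total length, id, flags/frag, TTL, proto (17 = UDP), csum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                         src, dst)
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ethertype + ip_hdr + udp_hdr + payload

def split_by_offset(user_data, offset):
    """Return (bytes sent in the clear, bytes sent encrypted) for a given offset."""
    if offset not in VALID_OFFSETS:
        raise ValueError(f"offset must be one of {VALID_OFFSETS}, got {offset}")
    return user_data[:offset], user_data[offset:]

def visible_fields(user_data, offset):
    """Name the fields an on-path observer can read for an IPv4/UDP frame."""
    clear, _ = split_by_offset(user_data, offset)
    fields = []
    if len(clear) >= 2:
        fields.append("ethertype")
    if len(clear) >= 22:                      # 2 + 20-byte IPv4 header
        fields.append("ipv4 header")
    if len(clear) >= 30:                      # + 8-byte UDP header (ports, length)
        fields.append("udp header")
    if len(clear) > 30:                       # offset 50 exists for 40-byte IPv6 headers
        fields.append(f"{len(clear) - 30} bytes of payload")
    return fields
```

With offset 30 the addresses and ports of IPv4 traffic are readable to anyone on the link, which is exactly what makes it handy for troubleshooting and why 0 is the setting to run with otherwise.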

additional reading:
http://www.juniper.net/techpubs/en_US/junos13.2/topics/concept/macsec.html
http://www.juniper.net/techpubs/en_US/junos13.2/topics/reference/command-summary/show-security-macsec-statistics.html
(Cisco version: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_1_se/configuration/guide/3750xcg/swmacsec.pdf)


There’s a Cisco version of this here: http://david.piniella.net/2015/11/cisco-macsec-notes/

Categories : HowTo  Networking  Security

Port forwarding in Junos

2014.09.17

First, define your objects:

set security zones security-zone Internal address-book address TSserver1 192.168.1.151/32

and whatever service you need to:

set applications application MS-RDP protocol tcp destination-port 3389

and your destination nat pool:

set security nat destination pool dnat-192_168_1_151 address 192.168.1.151/32

set security nat destination pool dnat-192_168_1_151 address port 3389

and your NAT policy:

The rule-set selects traffic by ingress zone, and the rule specifies which pool matching traffic is translated to (256.1.1.1 below stands in for the real public address; it is not a valid IPv4 address):

set security nat destination rule-set dst-nat from zone Internet

set security nat destination rule-set dst-nat rule rule1 match destination-address 256.1.1.1/32

set security nat destination rule-set dst-nat rule rule1 match destination-port 63389

set security nat destination rule-set dst-nat rule rule1 then destination-nat pool dnat-192_168_1_151

and lastly, your security policy to allow the traffic through:

Use the internal (real) IP address and port of the server, and the same zone names you used for the address book and the NAT rule-set — the security/firewall aspect happens after the “networking” aspect of the connection:

set security policies from-zone Internet to-zone Internal policy Internet_to_Internal_RDP match source-address any destination-address TSserver1 application MS-RDP
set security policies from-zone Internet to-zone Internal policy Internet_to_Internal_RDP then permit

Once you’ve committed the change, an RDP connection to 256.1.1.1:63389 will get translated to 192.168.1.151:3389.
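The “NAT first, policy second” ordering is the part people trip over, so here is an added model of it (not the post’s or Juniper’s code) using the post’s pool, rule-set, address-book and policy names. It assumes a routing table that places 192.168.1.0/24 in zone Internal, and uses 203.0.113.1 in place of the post’s 256.1.1.1, which is not a valid IPv4 address.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Added model (not the post's or Juniper's code): the destination-NAT rule-set
# rewrites the packet first, and the security policy is then matched against the
# translated address and port. 203.0.113.1 stands in for the post's 256.1.1.1.
PUBLIC_IP = "203.0.113.1"

@dataclass(frozen=True)
class Packet:
    from_zone: str
    dst: str
    dport: int
    proto: str = "tcp"

DNAT_POOLS = {"dnat-192_168_1_151": ("192.168.1.151", 3389)}   # pool: address + port
# rule-set dst-nat from zone Internet; rule1 matches <public>/32 port 63389 -> pool
DNAT_RULES = [("Internet", ip_network(PUBLIC_IP + "/32"), 63389, "dnat-192_168_1_151")]
ADDRESS_BOOK = {"TSserver1": ip_network("192.168.1.151/32")}   # zone Internal address book
APPLICATIONS = {"MS-RDP": ("tcp", 3389)}
# policy Internet_to_Internal_RDP: (from-zone, to-zone, destination-address, application, action)
POLICIES = [("Internet", "Internal", "TSserver1", "MS-RDP", "permit")]
ZONE_OF = [(ip_network("192.168.1.0/24"), "Internal")]   # assumed routing: prefix -> egress zone

def apply_dnat(pkt):
    """Stage 1: rewrite dst/dport if a rule in the packet's from-zone matches."""
    for zone, net, port, pool in DNAT_RULES:
        if pkt.from_zone == zone and ip_address(pkt.dst) in net and pkt.dport == port:
            ip, dport = DNAT_POOLS[pool]
            return replace(pkt, dst=ip, dport=dport)
    return pkt

def egress_zone(pkt):
    return next((z for net, z in ZONE_OF if ip_address(pkt.dst) in net), "Internet")

def policy_lookup(pkt):
    """Stage 2: match the post-NAT packet; anything unmatched hits the default deny."""
    to_zone = egress_zone(pkt)
    for frm, to, dst_name, app, action in POLICIES:
        if (frm, to) != (pkt.from_zone, to_zone):
            continue
        if ip_address(pkt.dst) not in ADDRESS_BOOK[dst_name]:
            continue
        if (pkt.proto, pkt.dport) != APPLICATIONS[app]:
            continue
        return action
    return "deny"

def forward(pkt):
    """Return (translated packet, verdict), i.e. what the SRX ends up doing."""
    translated = apply_dnat(pkt)
    return translated, policy_lookup(translated)
```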

Categories : HowTo

Juniper SRX: selectively disable TCP SYN or Sequence checking | Bart Jansens

2014.08.14

Juniper SRX: selectively disable TCP SYN or Sequence checking | Bart Jansens.

Quite a bit of useful stuff on this netsec guy’s blog, worth your time if you’re poking at junos devices.

Categories : HowTo

QoS / CoS on JunOS

2014.08.02

Anything in [square brackets] needs to be changed or specified.

First, define the QoS (CoS — Class of Service — in Juniper parlance) filters. This entails creating the classifiers, drop-profiles, forwarding-classes, scheduler-maps and schedulers. For the needs of this particular setup, I had to guarantee that the network control traffic (hellos, keepalives, etc.) got through, and that the rest of the 30meg pipe providing the office internet was shaped to prioritize delay-sensitive traffic (read: VoIP).

set interfaces [interface] per-unit-scheduler
set class-of-service classifiers dscp [mark_traffic_filter] forwarding-class expedited-forwarding loss-priority low code-points ef
set class-of-service classifiers dscp [mark_traffic_filter] forwarding-class network-control loss-priority low code-points nc1
set class-of-service classifiers dscp [mark_traffic_filter] forwarding-class assured-forwarding loss-priority low code-points af11
set class-of-service classifiers dscp [mark_traffic_filter] forwarding-class best-effort loss-priority medium-low code-points be
set class-of-service drop-profiles be_drop_profile fill-level 50 drop-probability 10
set class-of-service drop-profiles be_drop_profile fill-level 75 drop-probability 15
set class-of-service drop-profiles be_drop_profile fill-level 95 drop-probability 20
set class-of-service forwarding-classes queue 0 best-effort
set class-of-service forwarding-classes queue 0 priority low
set class-of-service forwarding-classes queue 1 assured-forwarding
set class-of-service forwarding-classes queue 1 priority high
set class-of-service forwarding-classes queue 2 expedited-forwarding
set class-of-service forwarding-classes queue 2 priority high
set class-of-service interfaces reth0 unit 102 scheduler-map [name_cos_filter]
set class-of-service interfaces reth0 unit 102 shaping-rate 30m
set class-of-service scheduler-maps [name_cos_filter] forwarding-class network-control scheduler nc_scheduler
set class-of-service scheduler-maps [name_cos_filter] forwarding-class expedited-forwarding scheduler ef_scheduler
set class-of-service scheduler-maps [name_cos_filter] forwarding-class assured-forwarding scheduler af11_scheduler
set class-of-service schedulers ef_scheduler transmit-rate 29m
set class-of-service schedulers ef_scheduler buffer-size percent 30
set class-of-service schedulers ef_scheduler priority high
set class-of-service schedulers af11_scheduler transmit-rate remainder
set class-of-service schedulers af11_scheduler buffer-size percent 50
set class-of-service schedulers af11_scheduler priority medium-high
set class-of-service schedulers nc_scheduler transmit-rate 1m
set class-of-service schedulers nc_scheduler buffer-size percent 20
set class-of-service schedulers nc_scheduler priority strict-high

Once the CoS stuff is in place, you have to reference the forwarding classes from a firewall filter (and apply that filter to the interface’s output direction), so that it actually affects traffic:

set firewall family inet filter egress_cos_filter term office_voip from destination-address 1.1.1.0/24
set firewall family inet filter egress_cos_filter term office_voip from destination-address 256.256.256.0/24
set firewall family inet filter egress_cos_filter term office_voip from destination-address 192.168.2.0/22
set firewall family inet filter egress_cos_filter term office_voip from destination-address 127.0.0.0/22
set firewall family inet filter egress_cos_filter term office_voip from protocol udp
set firewall family inet filter egress_cos_filter term office_voip from destination-port 3479
set firewall family inet filter egress_cos_filter term office_voip from destination-port 15044
set firewall family inet filter egress_cos_filter term office_voip from destination-port 5060
set firewall family inet filter egress_cos_filter term office_voip from destination-port 5199
set firewall family inet filter egress_cos_filter term office_voip then count office_voip
set firewall family inet filter egress_cos_filter term office_voip then forwarding-class expedited-forwarding
set firewall family inet filter egress_cos_filter term non_voip_traffic then count non_voip_traffic_counter
set firewall family inet filter egress_cos_filter term non_voip_traffic then forwarding-class assured-forwarding
set firewall family inet filter egress_cos_filter term non_voip_traffic then accept

The “count office_voip” action in the filter term is there just to verify that the filter is actively affecting traffic (the office_voip counter should go up if it is).
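To see how those two terms actually sort packets, here is an added evaluator (not the post’s or Juniper’s code) that applies Junos filter semantics to the egress_cos_filter above: different match types inside a term are ANDed, repeated values of one type are ORed, a term whose “then” holds only action modifiers accepts implicitly, and the first matching term wins. It assumes constructed sample packets, uses 198.51.100.0/24 in place of the post’s 256.256.256.0/24 (not a valid prefix), and treats the post’s 192.168.2.0/22 as the covering /22.

```python
from ipaddress import ip_address, ip_network

# Added model (not the post's or Juniper's code) of the egress_cos_filter terms.
# 198.51.100.0/24 stands in for the post's 256.256.256.0/24, which is not a valid prefix.
FILTER = [
    {"name": "office_voip",
     "from": {"destination-address": ["1.1.1.0/24", "198.51.100.0/24",
                                      "192.168.2.0/22", "127.0.0.0/22"],
              "protocol": ["udp"],
              "destination-port": [3479, 15044, 5060, 5199]},
     # only action modifiers here: Junos accepts the packet implicitly
     "then": {"count": "office_voip", "forwarding-class": "expedited-forwarding"}},
    {"name": "non_voip_traffic", "from": {},          # no "from": matches everything
     "then": {"count": "non_voip_traffic_counter",
              "forwarding-class": "assured-forwarding", "accept": True}},
]

def _match(kind, values, pkt):
    """One match type; several values of the same type are ORed."""
    if kind == "destination-address":
        # strict=False: 192.168.2.0/22 has host bits set, so match the covering /22
        return any(ip_address(pkt["dst"]) in ip_network(v, strict=False) for v in values)
    if kind == "protocol":
        return pkt["proto"] in values
    if kind == "destination-port":
        return pkt["dport"] in values
    raise ValueError(f"unsupported match type {kind}")

def evaluate(filter_terms, packets):
    """Run packets through the filter; return (per-packet results, counters)."""
    counters, results = {}, []
    for pkt in packets:
        for term in filter_terms:
            # different match types within one term are ANDed
            if all(_match(k, v, pkt) for k, v in term["from"].items()):
                then = term["then"]
                counters[then["count"]] = counters.get(then["count"], 0) + 1
                results.append((term["name"], then["forwarding-class"], "accept"))
                break
        else:
            results.append((None, None, "discard"))   # implicit discard at end of filter
    return results, counters

# constructed sample traffic: SIP over UDP, the same over TCP, UDP 5060 to an unlisted
# destination, and a port in the list inside the covering /22
SAMPLE = [
    {"dst": "1.1.1.5", "proto": "udp", "dport": 5060},
    {"dst": "1.1.1.5", "proto": "tcp", "dport": 5060},
    {"dst": "8.8.8.8", "proto": "udp", "dport": 5060},
    {"dst": "192.168.3.7", "proto": "udp", "dport": 15044},
]
```

Running evaluate(FILTER, SAMPLE) shows the office_voip counter climbing only for the UDP packets to the listed prefixes and ports, which is precisely the check the sentence above describes.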

Further reading:

http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-swconfig-interfaces-and-routing/default-cos-section.html

http://www.juniper.net/techpubs/en_US/junos12.3/topics/concept/cos-qfx-series-traffic-control-profiles-understanding.html

http://dataplumber.wordpress.com/2011/12/30/junos-qos-notes/

http://jsrx.juniperwiki.com/index.php?title=COS

Categories : HowTo

Domain Authentication against AD for Cisco and Juniper network devices

2014.07.29

On the AD side:

  1. Install NPS on your AD DC.
  2. Create a key (http://dice.neko-san.net/2012/08/linking-junos-authentication-to-active-directory-using-radius/ has screenshots, if you need that sort of thing.)
  3. Add clients (your switches/firewalls).

See also http://blog.arwin.me/os/cisco/how-to-setup-cisco-ios-to-authenticate-via-active-directory/

On a Cisco ASA:

aaa-server RADIUS protocol radius
aaa-server RADIUS host [IP address of your RADIUS box / AD machine running NPS] key [key]
radius-common-pw [key]
aaa authentication telnet console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa authentication https console RADIUS LOCAL
aaa authentication http console RADIUS LOCAL

On a Cisco switch:

This example shows local authentication, which lets you Telnet into the router with username “cisco” and password “cisco.”

aaa new-model
username cisco password 0 cisco
line vty 0 4
transport input telnet

To test authentication with SSH, add the following to the previous statements to enable SSH:

ip domain-name host.domain.tld
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2

If you want to prevent non-SSH connections, add the transport input ssh command under the lines to limit the router to SSH connections only.

cry key gen rsa
ip ssh time-out 30
ip ssh version 2
line vty 0 4
transport input ssh


On a Juniper switch or firewall running JunOS:

set system authentication-order [radius password]
set system radius-server [IP Address of DC running NPS] secret [key]
set system radius-server [IP Address of DC running NPS] source-address [IP Address of interface that will communicate to DC]
set system radius-options password-protocol mschap-v2
set system login user [username] full-name "[Full User Name]" uid 9999 class super-user
# NOTE this erases your local password, so that ONLY the Domain password is allowed. This is more secure but more of a PITA if your NPS box craps out.
delete system login user [username] authentication encrypted-password