02-08-2017 04:24 AM - edited 03-10-2019 12:46 AM
Can anyone explain the advantages and disadvantages of Gratuitous ARPs (Address Resolution Protocols)?
02-09-2017 04:56 PM
Hello Shirshendu-
There are a lot of other threads on the community about gratuitous arp that you can reference. Here are a few good ones:
https://supportforums.cisco.com/discussion/12257536/what-gratuitous-arp
https://supportforums.cisco.com/discussion/10812846/gratuitous-arp
Overall, here is a good summary:
Gratuitous ARPs are useful for four reasons:
They assist in the updating of other machines' ARP tables. Clustering solutions utilize this when they move an IP from one NIC to another, or from one machine to another. Other machines maintain an ARP table that contains the MAC associated with an IP. When the cluster needs to move the IP to a different NIC, be it on the same machine or a different one, it reconfigures the NICs appropriately then broadcasts a gratuitous ARP reply to inform the neighboring machines about the change in MAC for the IP. Machines receiving the ARP packet then update their ARP tables with the new MAC.
I hope this helps!
Thank you for rating helpful posts!
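To make the answer above concrete, here is an added example (not part of the thread, and not Cisco code) that builds a gratuitous ARP frame byte for byte, parses it, and keeps the kind of passive ARP table a neighbour would update on receipt. The point a security engineer wants to see is the last part: a cluster failover and an ARP-cache poisoning attack both arrive as a gratuitous ARP that rebinds an IP to a new MAC, so a monitor can only record the flip and leave the judgement to policy. All MAC and IP addresses are made up.

```python
"""Gratuitous ARP on the wire: build one, parse it, and watch the IP-to-MAC
changes it announces. Added example; addresses below are constructed."""
import struct

ETH_P_ARP = 0x0806            # EtherType for ARP
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_garp(mac: str, ip: str, opcode: int = 2) -> bytes:
    """Ethernet frame carrying a gratuitous ARP for (mac, ip).

    What makes it gratuitous is sender IP == target IP; it is sent to the
    broadcast MAC so every host on the segment sees it. Opcode 2 (reply) is
    what cluster failover typically sends; opcode 1 (request) is the other
    common form.
    """
    eth = mac_bytes(BROADCAST) + mac_bytes(mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # Ethernet, IPv4, 6, 4, op
    arp += mac_bytes(mac) + ip_bytes(ip)                   # sender MAC / sender IP
    arp += mac_bytes(BROADCAST) + ip_bytes(ip)             # target MAC / target IP (same IP)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet+ARP frame; raise ValueError for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return {
        "op": op,
        "sender_mac": fmt_mac(sha), "sender_ip": fmt_ip(spa),
        "target_mac": fmt_mac(tha), "target_ip": fmt_ip(tpa),
        "gratuitous": spa == tpa,
    }


class ArpWatch:
    """Passive ARP table, the way a host (or an arpwatch-style monitor) keeps one.

    Every ARP seen binds sender IP -> sender MAC. A gratuitous ARP that moves
    an IP to a new MAC looks the same whether it is cluster failover or an
    attacker poisoning caches, so the table records the flip as an alert.
    """

    def __init__(self):
        self.table = {}    # ip -> mac
        self.alerts = []   # (ip, old_mac, new_mac)

    def observe(self, frame: bytes) -> dict:
        arp = parse_arp(frame)
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.alerts.append((ip, old, mac))
        self.table[ip] = mac
        return arp


if __name__ == "__main__":
    watch = ArpWatch()
    # Constructed traffic: cluster VIP 10.0.0.50 first on node A, then on node B
    watch.observe(build_garp("aa:bb:cc:00:00:01", "10.0.0.50"))
    watch.observe(build_garp("aa:bb:cc:00:00:02", "10.0.0.50"))
    for ip, old, new in watch.alerts:
        print(f"{ip} moved from {old} to {new}")
```

On a real segment you would feed `ArpWatch.observe` from a raw socket or a pcap instead of `build_garp`; the decision of whether a recorded flip is a planned failover or an attack belongs to whoever owns the cluster inventory, which is why the class only records it.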
02-13-2017 02:27 AM
Thank you Neno Spasov. I am new to this forum, so discovery will take some time. But I am highly grateful, as you have not only explained but have also given some links that will help. Thank you once again.
02-13-2017 01:20 PM
You are most welcome! Glad I was able to help!
Now, if your issue/question was resolved, then you should mark the thread as "answered" :)
Regards,
Neno
02-16-2017 02:31 AM
To ensure router security we know that we must enable SSH for accessing the router. What are the common vulnerabilities of not activating SSH? I know there are two threats, interception of communication and host impersonation. What else? What is the latest version of SSH to be used? Is it SSH version 2?
02-16-2017 11:26 AM
The alternative to ssh is telnet. SSH utilizes cryptography to send the username/password encrypted, thus preventing someone sniffing the traffic from obtaining the credentials. On the other hand, telnet sends the username/password in clear text, thus making your environment vulnerable.
Yes, v2 is the current implementation of SSH.
For additional information on device hardening I would recommend using the information in the link below. I have used it many times to craft a security baseline for customers:
http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
Thank you for rating helpful posts!
03-07-2017 01:17 AM
When performing a detailed Router Security Audit, a lot of factors are taken into consideration. One such area is setting the Banner message. I am sharing these important points which may guide you in performing the audit activity.
Every router should have an appropriate warning banner for all login access. These banners, however, are often thought of as pure fluff by those technically inclined. How could a warning banner serve as any protection against a hacker? What hacker is going to go away because a warning banner tells him to? It is important to remember that warning banners are not implemented to provide technical protection. They provide legal protection.
Because many technicians see warning banners as worthless in the prevention of hack attacks, most systems have no banners. Even if management requires that banners be put in place, most administrators don't understand what a banner should say to provide legal protection, so even systems that have banners often include ineffectual ones.
A good warning banner has four main goals. It needs to:
Be legally sufficient for prosecution of intruders
Shield administrators from liability
Warn users about monitoring or recording of system use
Not leak information that could be useful to an attacker
Each banner should address the following issues:
The banner should specify that this system is for authorized users only. This specification keeps a hacker from claiming ignorance. While not the most effective legal strategy, with the novelty of computers and lack of case law, prosecutors are concerned enough about it that it should be included in every banner.
In addition to restricting the system to authorized users, the banner should state that the system is to be used for official work only. This statement closes the loophole of an authorized user attempting unauthorized activities.
Every banner should explicitly state that there is no expectation of privacy when using the system. This statement is extremely important. The Electronic Communications Privacy Act makes it illegal to intercept or disclose the contents of electronic communications unless there is explicit notice that users have no expectation of privacy (or the courts grant a wiretap). Without such a warning, an administrator performing routine maintenance might be performing an illegal wiretap and violating the law.
Elaborating on the previous statement, this explicitly states that all access and use may be monitored and/or recorded. It is important to say may be monitored rather than will be monitored. Computer logs can sometimes be considered hearsay and rendered inadmissible in a court of law. If your banner says that all access will be monitored and you don't monitor all access, a defending attorney might be able to relegate your entire warning banner to the state of an unenforced policy and therefore render it useless in court. May be monitored gives you the option of choosing when to perform monitoring.
It is important to inform the user that any monitoring or recording that indicates abuse or criminal activity may be turned over to law enforcement or other appropriate officials.
Finally, the banner should explicitly state that use of the system implies consent to all conditions laid out in the warning banner. This statement eliminates the possibility of someone claiming that they never agreed to the conditions of the banner and therefore weren't bound by them.
Without banners that display the previous information, you may cripple both your and law enforcement's ability to investigate any incidents. Additionally, if you do find the attacker, your evidence may not be admissible in court and may destroy your case. Also, many organizations like to put items in banners such as:
Router hardware and software types
Contact information
Location of the router
Name of the administrator
All of this information can be invaluable to attackers as they perform reconnaissance on your network. Anything more than the name of your organization should never be put into warning banners.
Finally, it is important to check your local legal requirements. For example, banners in Canada must include both English and French translations.
This example banner was provided by FBI agent Patrick Gray who works for the FBI's computer crimes division in Atlanta. It covers all of the issues mentioned earlier.
WARNING!!! This system is solely for the use of authorized users for official purposes. You have no expectation of privacy in its use and to ensure that the system is functioning properly, individuals using this computer system are subject to having all of their activities monitored and recorded by system personnel. Use of this system evidences an express consent to such monitoring and agreement that if such monitoring reveals evidence of possible abuse or criminal activity, system personnel may provide the results of such monitoring to appropriate officials.
This is a good example of a generic banner that covers the basic needs of a banner. You may want to check with your state's attorney general to see if there are any more specifics to add that relate to your state's cybercrime laws.
You can set four banners on Cisco routers. These banners include:
MOTD banner
Login banner
AAA authentication banner
EXEC banner
The MOTD banner sends users messages of the day and is set with the banner motd command. While it can be used to display the warning banner, it is generally used for more general announcements such as planned outages or system maintenance.
The login banner is presented each time a user attempts to log in. You definitely want to set this banner to the previous warning banner. This banner is set with the banner login command:
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#banner login $
Enter TEXT message. End with the character '$'.
WARNING!!! This system is solely for the use of authorized users for official purposes. You have no expectation of privacy in its use and to ensure that the system is functioning properly, individuals using this computer system are subject to having all of their activities monitored and recorded by system personnel. Use of this system evidences an express consent to such monitoring and agreement that if such monitoring reveals evidence of possible abuse or criminal activity, system personnel may provide the results of such monitoring to appropriate officials.
$
Router(config)#^Z
Router#
Now when users attempt to log into the router, they see the following:
% telnet RouterOne
Trying RouterOne...
Connected to RouterOne.
Escape character is '^]'.
WARNING!!!
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel. Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials.
Username:
If you are using AAA authentication, you can set the AAA authentication banner instead of the login banner. If both are set, both will be displayed. The AAA authentication banner is set with the aaa authentication banner command:
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#aaa authentication banner $
Enter TEXT message. End with the character '$'.
WARNING!!! This system is solely for the use of authorized users for official purposes. You have no expectation of privacy in its use and to ensure that the system is functioning properly, individuals using this computer system are subject to having all of their activities monitored and recorded by system personnel. Use of this system evidences an express consent to such monitoring and agreement that if such monitoring reveals evidence of possible abuse or criminal activity, system personnel may provide the results of such monitoring to appropriate officials.
$
Router(config)#^Z
Router#
The EXEC banner is displayed after a user has successfully logged in and started an EXEC or shell prompt. It is a good place to provide additional notification to users and to make it even harder for them to claim that they didn't see the banner. You set the EXEC banner with the banner exec command:
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#banner exec $
Enter TEXT message. End with the character '$'.
REMEMBER!!! This system is solely for the use of authorized users for official purposes. You have no expectation of privacy in its use and to ensure that the system is functioning properly, individuals using this computer system are subject to having all of their activities monitored and recorded by system personnel. Use of this system evidences an express consent to such monitoring and agreement that if such monitoring reveals evidence of possible abuse or criminal activity, system personnel may provide the results of such monitoring to appropriate officials.
$
Router(config)#^Z
Router#
Now users see the banner before and after they log into the system:
% telnet RouterOne
Trying RouterOne...
Connected to RouterOne.
Escape character is '^]'.
WARNING!!!
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel. Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials.
Username: jdoe
Password:
REMEMBER!!!
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel. Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials.
Router>
This checklist summarizes the important security information:
Make sure every router has an appropriate warning banner that includes wording that states:
The router is for authorized personnel only.
The router is for official use only.
Users have no expectations of privacy.
All access and use may (not will) be monitored and/or recorded.
Monitoring and/or recording may be turned over to the appropriate authorities.
Use of the system implies consent to the previously mentioned conditions.
Make sure the banner does not say Welcome anywhere in it.
Make sure the banner does not include any identifying information relating to the router, the administrators, or the organization running the router.
Check local legal requirements to make sure the banner contains all necessary language and content.
Use the banner login command to display the banner every time a user attempts to log in.
Use the banner exec command to display the banner a second time every time a user starts an EXEC or shell prompt.
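The checklist above, together with the earlier answer about telnet versus SSH, is exactly the kind of thing that can be checked mechanically against a saved configuration. The following is an added example (not from the thread, not a Cisco tool, and not a substitute for a full audit) that parses an IOS-style config from text and reports the items discussed here: `ip ssh version 2`, `transport input` on the vty lines, presence of `banner login` and `banner exec`, a "Welcome", leaked hostname or e-mail address in the banner, "will be monitored" instead of "may be", and the six wording items from the checklist. The two configs inside it are constructed for the example; the keyword lists are one reasonable reading of the checklist, not a legal standard.

```python
"""Audit a saved IOS-style configuration for the items in this thread: telnet vs
SSH on the vty lines, SSH version 2, and the warning-banner checklist.
Added example; the two configs below are constructed, not from any real device."""
import re

# Each checklist item maps to phrases; any one of them satisfies the item.
REQUIRED_PHRASES = {
    "authorized users only": ("authorized",),
    "official use only": ("official purpose", "official use", "official business"),
    "no expectation of privacy": ("privacy",),
    "may be monitored/recorded": ("monitor",),
    "may be turned over to authorities": ("appropriate officials", "law enforcement", "authorities"),
    "use implies consent": ("consent",),
}


def parse_banners(config: str) -> dict:
    """Return {kind: text} for banner login/exec/motd using the IOS delimiter rule:
    the token right after the keyword ('^C' in show run output) ends the text."""
    banners, lines, i = {}, config.splitlines(), 0
    while i < len(lines):
        m = re.match(r"^banner (login|exec|motd) (\^C|\S)(.*)$", lines[i])
        if not m:
            i += 1
            continue
        kind, delim, chunk = m.groups()   # text may begin on the command line itself
        body = []
        while delim not in chunk:
            body.append(chunk)
            i += 1
            if i >= len(lines):            # unterminated banner: keep what we have
                chunk = delim
                break
            chunk = lines[i]
        body.append(chunk[:chunk.index(delim)])
        banners[kind] = "\n".join(body).strip()
        i += 1
    return banners


def vty_transports(config: str) -> dict:
    """Map each 'line vty ...' block to its 'transport input' value ('missing' if unset)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = "missing"
        elif raw.startswith(" ") and current:
            stripped = raw.strip()
            if stripped.startswith("transport input"):
                blocks[current] = stripped[len("transport input"):].strip()
        else:
            current = None                 # any other top-level line ends the block
    return blocks


def audit(config: str) -> list:
    findings = []
    m = re.search(r"^hostname (\S+)", config, re.M)
    hostname = m.group(1).lower() if m else None
    if not re.search(r"^ip ssh version 2\s*$", config, re.M):
        findings.append("ip ssh version 2 not set; SSHv1 may still be negotiated")
    for name, transport in vty_transports(config).items():
        if transport == "missing":
            findings.append(f"{name}: transport input not set; pin it to 'ssh'")
        elif transport != "ssh":
            findings.append(f"{name}: transport input {transport}; cleartext telnet possible")
    banners = parse_banners(config)
    if "login" not in banners:
        findings.append("no banner login configured")
    else:
        text = banners["login"].lower()
        if "welcome" in text:
            findings.append("banner login says 'Welcome'")
        if hostname and hostname in text:
            findings.append("banner login leaks the hostname")
        if re.search(r"[\w.+-]+@[\w-]+\.[\w.-]+", text):
            findings.append("banner login contains an e-mail address")
        if "will be monitored" in text:
            findings.append("banner login says 'will be monitored'; use 'may be'")
        for item, phrases in REQUIRED_PHRASES.items():
            if not any(p in text for p in phrases):
                findings.append(f"banner login missing: {item}")
    if "exec" not in banners:
        findings.append("no banner exec configured (second notice after login)")
    return findings


# Constructed sample configs (hostname, addresses and banner text are made up).
WEAK_CONFIG = """hostname edge-rtr
!
banner login ^C
Welcome to edge-rtr (Cisco 2901), Atlanta DC. Problems? jdoe@example.com
^C
!
line vty 0 4
 transport input telnet ssh
 login local
!
end
"""

WARNING = ("This system is solely for the use of authorized users for official purposes. "
           "You have no expectation of privacy in its use; all activity may be monitored and "
           "recorded by system personnel, and evidence of abuse or criminal activity may be "
           "provided to appropriate officials. Use of this system evidences consent to such monitoring.")

HARDENED_CONFIG = f"""hostname edge-rtr
!
ip ssh version 2
!
banner login ^C
WARNING!!! {WARNING}
^C
banner exec ^C
REMEMBER!!! {WARNING}
^C
!
line vty 0 4
 transport input ssh
 login local
!
end
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

Run it against a `show running-config` saved to disk by reading the file into `audit`; the weak sample produces twelve findings and the hardened one none. What the script cannot judge is whether the banner wording meets your jurisdiction's requirements, which is the point the post makes about checking local legal requirements.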
03-15-2017 07:22 PM
Neno
Is there any free router audit tool? Nipper from Nipper Studio is chargeable; in the demo version they have some saved reports, but no way to generate a real report from auditing the configuration file saved on my PC. They charge $1000 for the licence.