Security Basics mailing list archives
RE: PortFast Question
From: "Scherer, Brian" <BScherer () dialamerica com>
Date: Mon, 27 Sep 2004 15:28:27 -0400
STP (Spanning Tree Protocol) is enabled by default on VLAN 1 and on all newly created. While STP goes through its four steps (blocking,listening,learning,forwarding) which can take between 30-50 seconds no user data will pass and some applications may time out. By enabling portfast you are forcing the switchport into forwarding mode immediately. The port still participates in STP in the event that if the port is to be a part of the loop, it will eventually transition into STP blocking mode. In regards to security, as long as the port is participating in STP, there is a possibility that some device attached to that port and also running STP with lower bridge priority than that of the current root bridge, will assume the root bridge function and affect active STP topology, thus rendering the network suboptimal. Permanent STP recalculation caused by the temporary introduction and subsequent removal of STP devices with low (zero) bridge priority represent a simple form of Denial of Service (DoS) attack on the network. The STP portfast BPDU guard enhancement is designed to allow network designers to enforce the STP domain borders and keep the active topology predictable. The devices behind the ports with STP portfast enabled are not allowed to influence the STP topology. This is achieved by disabling the port with portfast configured upon reception of BPDU. The port is transitioned into errdisable state, and a message is printed on the console. The following is an example of the message printed out as a result of BPDU guard operation: 2000 May 12 15:13:32 %SPANTREE-2-RX_PORTFAST:Received BPDU on PortFast enable port. Disabling 2/1 2000 May 12 15:13:32 %PAGP-5-PORTFROMSTP:Port 2/1 left bridge port 2/1 -----Original Message----- From: Stephen W. Corey - 5535 [mailto:swc () wardandsmith com] Sent: Monday, September 27, 2004 9:03 AM To: security-basics () securityfocus com Subject: RE: PortFast Question We run portfast on all Catalyst ports that connect to a "non-switch" device, like PCs, servers, routers, etc. From what I saw, it works by not listening for MAC addresses as long before going to "active" state. I have never heard of any security issues by doing this. I believe Cisco still recommends this mode for optimum performance. You can always use Nessus (or some other up to date vuln scanner) to see if anything can be exploited. As for why it happens, here's my thought. Because it's speeding up a "natural" switch port process, weird things can happen. Depending on how the device (i.e. PC hardware) acts on layer 2, it may need the "full" startup procedure to be run. To me, portfast is a non-standard shortcut, and it may not work in every situation. As you probably read, you can't plug a portfast port into a switch, so there could easily be other devices it's incompatible with (Cisco can't test everything). -----Original Message----- From: Josh Sukol [mailto:secnews () gmail com] Sent: Friday, September 24, 2004 10:05 AM To: security-basics () securityfocus com Subject: PortFast Question I am running a small network using four Cisco Catalyst 2950 switches. I am in the process of configuring a new software package that uses some proprietary hardware that connects to the network via Ethernet. When plugged into the network the device would connect for a minute or two and than connectivity would drop (i.e. ping would fail, and the light on the switch would turn from green to amber) This pattern continued for as long as the device was plugged into the network. The cabling was checked and tested with other equipment and there were no other problems. After trying several other things I eventually started changing the ethernet port settings on the switch itself and found that by enabling portfast the device functioned fine. I have found very little information about port fast security issues. I was able to find and did read up on PortFast BPDU guard and potential DoS using malformed packets. Are there any other security issues that effect me enabling Portfast on specific ports that connect back to a single device? Are there any other ways to solve this problem that might allow me to sidestep this potential security issues all together? - Slightly Off Topic - If anyone knows why this behavior occurs and why enabling portfast fixes the connectivity issue I would be very interested to a hear an explanation. Thanks in advance for the wisdom! ------------------------------------------------------------------------ --- Computer Forensics Training at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse so that it never happens again. http://www.infosecinstitute.com/courses/computer_forensics_training.html ------------------------------------------------------------------------ ----
Current thread:
- PortFast Question Josh Sukol (Sep 24)
- Re: PortFast Question John R. Morris (Sep 28)
- <Possible follow-ups>
- RE: PortFast Question Stephen W. Corey - 5535 (Sep 27)
- RE: PortFast Question Steve Fletcher (Sep 28)
- RE: PortFast Question LordInfidel (Sep 28)
- RE: PortFast Question JGrimshaw (Sep 28)
- Re: PortFast Question Maarten Claes (Sep 29)
- Re: PortFast Question Sec News (Sep 28)
- Re: PortFast Question Chris Moody (Sep 30)
- RE: PortFast Question David Gillett (Sep 29)
- RE: PortFast Question JGrimshaw (Sep 28)
- RE: PortFast Question Scherer, Brian (Sep 28)
- RE: PortFast Question LordInfidel (Sep 29)