Monday, June 14, 2010

IEEE 802.1AE (a.k.a MACSec)

IEEE 802.1AE Media Access Control Security (MACSec) aims to integrate security protection into wired Ethernet to secure LANs from attacks such as passive wiretapping, masquerading, man-in-the-middle and some denial-of-service attacks.

MACSec helps assure ongoing network operations by identifying unauthorized stations on a LAN and preventing communication from them. It protects the control protocols that manage bridged networks, and other data, through cryptographic techniques that authenticate data origin, protect message integrity, and provide replay protection and confidentiality. By assuring that a frame comes from the station that claimed to send it, MACSec can mitigate attacks on Layer 2 protocols. The proposed standard safeguards communication between trusted components of the network infrastructure by providing hop-by-hop security. This distinguishes it from IPSec, which protects applications on an end-to-end basis. Network administrators make use of MACSec by configuring a set of network devices to use the protocol.

When a frame arrives at a MACSec station, the MACSec Security Entity (SecY) decrypts the frame if necessary, computes an integrity check value (ICV) over the frame, and compares it with the ICV carried in the frame. If they match, the station processes the frame as normal; if they do not, the port handles the frame according to a preset policy, such as discarding it.

802.1AE provides the encapsulation and the cryptographic framework for Ethernet protection. It requires supporting protocols for key management, authentication and authorization. To meet this need, the IEEE is defining an additional standard, 802.1af MAC Key Security, an extension of 802.1X that manages the short-lived session keys used to encode and decode messages. An initial key, or master key, is typically obtained by an external method such as 802.1X and the IETF's Extensible Authentication Protocol. A third related protocol under development is 802.1AR, Secure Device Identity, which ensures the identity of the trusted network component.
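The receive-side processing described above (replay check on the packet number, ICV comparison, and a drop policy when either fails) is easier to see in code. The following is an added example, not code from the original post or from any IEEE or Cisco implementation. It assumes a simplified SecTAG layout (TCI/AN byte, SL byte, 4-byte packet number, 8-byte SCI) and uses a truncated HMAC-SHA256 as a stand-in for the GCM-AES-128 ICV that real MACsec computes; the key, MAC addresses and payloads are constructed sample values.

```python
import hmac
import hashlib
import struct

MACSEC_ETHERTYPE = 0x88E5   # EtherType that marks a MACsec-tagged frame
ICV_LEN = 16                # 802.1AE ICV is 16 octets; truncated HMAC-SHA256 stands in for GCM-AES-128 here
SECTAG_LEN = 14             # simplified SecTAG: TCI/AN (1) + SL (1) + PN (4) + SCI (8)


def build_sectag(an: int, pn: int, sci: bytes) -> bytes:
    """Simplified SecTAG (assumption: SC bit always set, SL = 0, SCI always carried)."""
    tci_an = 0x20 | (an & 0x03)       # SC flag plus the 2-bit association number
    return struct.pack(">BBI", tci_an, 0, pn) + sci


def compute_icv(sak: bytes, dst: bytes, src: bytes, sectag: bytes, payload: bytes) -> bytes:
    """ICV over DA, SA, EtherType, SecTAG and payload, keyed by the secure association key (SAK)."""
    covered = dst + src + struct.pack(">H", MACSEC_ETHERTYPE) + sectag + payload
    return hmac.new(sak, covered, hashlib.sha256).digest()[:ICV_LEN]


def protect_frame(sak: bytes, dst: bytes, src: bytes, an: int, pn: int, sci: bytes, payload: bytes) -> bytes:
    """Transmit side: tag and integrity-protect a payload (integrity only, no confidentiality)."""
    sectag = build_sectag(an, pn, sci)
    icv = compute_icv(sak, dst, src, sectag, payload)
    return dst + src + struct.pack(">H", MACSEC_ETHERTYPE) + sectag + payload + icv


class ReceiveSecY:
    """Receive side: replay check, then ICV check; anything that fails is dropped and counted."""

    def __init__(self, sak: bytes, replay_window: int = 0):
        self.sak = sak
        self.window = replay_window      # 0 = strict in-order delivery
        self.next_pn = 1                 # lowest packet number not yet accepted
        self.counters = {"ok": 0, "late": 0, "not_valid": 0, "untagged": 0}

    def validate(self, frame: bytes):
        dst, src = frame[:6], frame[6:12]
        if struct.unpack(">H", frame[12:14])[0] != MACSEC_ETHERTYPE:
            self.counters["untagged"] += 1       # policy here: untagged frames are not accepted
            return "untagged", None
        sectag = frame[14:14 + SECTAG_LEN]
        payload, icv = frame[14 + SECTAG_LEN:-ICV_LEN], frame[-ICV_LEN:]
        pn = struct.unpack(">I", sectag[2:6])[0]
        # Replay protection: a PN below the lowest acceptable value is "late" and dropped
        if pn < max(1, self.next_pn - self.window):
            self.counters["late"] += 1
            return "late", None
        # Integrity: recompute the ICV and compare in constant time; mismatch means drop
        expected = compute_icv(self.sak, dst, src, sectag, payload)
        if not hmac.compare_digest(icv, expected):
            self.counters["not_valid"] += 1
            return "not_valid", None
        self.next_pn = max(self.next_pn, pn + 1)   # advance only after a frame is proven valid
        self.counters["ok"] += 1
        return "ok", payload


if __name__ == "__main__":
    sak = bytes.fromhex("00112233445566778899aabbccddeeff")      # constructed sample SAK
    dst, src = bytes.fromhex("0180c2000003"), bytes.fromhex("001122334455")
    sci = src + b"\x00\x01"
    rx = ReceiveSecY(sak)
    f1 = protect_frame(sak, dst, src, 0, 1, sci, b"control-plane data")
    print(rx.validate(f1))            # accepted
    print(rx.validate(f1))            # same PN again: late (replayed)
    f2 = bytearray(protect_frame(sak, dst, src, 0, 2, sci, b"more data"))
    f2[-ICV_LEN - 1] ^= 0x01          # one payload bit altered in transit
    print(rx.validate(bytes(f2)))     # not_valid (ICV mismatch)
    print(rx.counters)
```

The counters mirror what a SecY exposes for monitoring: a rising "late" count on a port is the signal to look at for replayed traffic, and a rising "not_valid" count for a key mismatch or tampering between hops.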

Currently, Cisco incorporates MACSec as a security feature under the Cisco TrustSec Framework.

More about Cisco TrustSec Architecture

Friday, June 4, 2010

Musical Fountain @ Las Vegas

I like this musical fountain, which is just in front of the Bellagio Hotel where I stayed in March earlier this year.

Thursday, June 3, 2010

SID duplication

Recently, I added a couple of VMs (Windows 2008 Server R2) from the same image. I did sysprep on the original image and just duplicated the VHD, thinking that the sysprep process would reset the original SID. Depending on the point at which you capture the VHD image after sysprep (i.e. the SID is fixed once the Win7 logo appears), all subsequent duplicate VHDs may still share the same SID as the first duplicate. I didn't realise it until I failed to add the duplicate VMs to the same security group. Hence, it's always recommended to capture the image right after the sysprep shutdown, so that you can re-use the same image again and again. (Hint: always shut down and do not reboot after sysprep, as the SID will be fixed during the initial boot process.)

In case of suspected SID duplication, there is this wonderful "name2sid" tool to find out if there are duplicate SIDs on the domain. Download it and check it against other servers, as well as the domain, e.g.

name2sid Host01
name2sid Host02

and so forth.

And there is also this blog post that mentions how to build an unattended installation XML and automate sysprep on the latest W2K8 R2 and Win7 images.