Lan ETS | Security in a large scale LAN event
Musing and tidbits from the LAN ETS events.
Ask anyone working in network security if allowing 4000 unknown and untrusted devices on your network is a good idea and you’ll get a chuckle and a “Wait, did you do that?”
This a very common challenge in LAN events, where we host over 2000 players over a 72 hours gaming session. Add wired and wifi devices and you get a large amount of strange devices entering your network. We have very little control over the type of devices that players bring and we need to have mechanisms in place to protect our network.
Here are a few of the tools and configs we use during the event.
DHCP Snooping
DHCP is the process by which a computer asks for a IP address and is given one by a DHCP server. Without a functioning DHCP server, computers connected to the network would have to be configured manually which is impossible with our type of event.
While extremely useful, DHCP can also be used by malicious attackers. The DHCP snooping mechanism allows us to prevent attackers from hosting their own DHCP server while on our network. Basically, we configure specific ports as “trusted”, usually our uplinks, as a source of DHCP OFFERS message type. Ports used by players become “untrusted” after enabling DHCP snooping. This means that an attacker hosting his own rogue DHCP server will never see his fake OFFERS reaching any other players. At the same time, OFFER DHCP messages will safely transit from our network core to the device.
DHCP Snooping does a bit more than just deal with the request portion of the DHCP protocol, but it’s a must-have configuration when it comes to any network. With DHCP being based mostly around broadcast message types,DHCP snooping allows you to cut down on traffic leaking to other ports. The less an attacker knows, the better.
#In Global config
ip dhcp snooping
ip dhcp snooping vlan 1,2,3,4,5
# This prevents the switch from adding option 82 in the packets.
no ip dhcp snooping information option
# On your trusted interfaces - Where DHCP traffic should come from
ip dhcp snooping trust
# On "untrusted" interfaces
ip dhcp snooping limit rate 25
Port-Security – Mac address limit
We also limit the number of MAC addresses per port. While we don’t necessarily mind players bringing several devices, we provide a single port per player for a console or a computer. This is mostly to prevent extreme cases where players bring their own switch (or hubs!) and connect all their friends. While not technically wrong, we offer up to a Gbit port to each player, we see no reason for players to not enjoy the full speed of the network.
This configuration will also prevent attackers from requesting too many IPs from our DHCP server by hosting dozens of Virtual Machines on his machine. This could technically prevent other legitimate players from obtaining leases from the DHCP server.
Here is a configuration snippet. We limit the MAC addresses per port to 2 and any extra MAC address traffic is dropped while the initial 2 can still pass through. This allows players to experience the network without any interruption even if they trip over the limit. We can then take action as we log all events and review throughout the event.
# Sample of our port-security policy.
switchport port-security
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security aging time 5
switchport port-security aging type inactivity
BPDU Guard
here are things you never want to hear when running a LAN event. “They cut the fiber in the ceiling” – “Someone dropped his lunch on the core router” and “I think we have a loop somewhere”. Loops in a network are messy. Due to the somewhat spam-ish tendency of modern networks with broadcast traffic, a single loop can sometimes bring the entire network to it’s knees as traffic is forwarded in a back and forth.
With over 30 kilometers of optical fiber and Ethernet cables and a setup spanning 20 or so hours, it’s easy to lose sight of where cables go. It takes a single moment of inattention to plug a cable back into the same switch it’s from or to create a loop by pulling a second uplink from the same switch.
Fortunately, there is something called “BPDU Guard” that can be used as a first line of defense against loops. A “BPDU”, or a Bridge Protocol Data Unit, is a packet used in the creation of a “Spanning Tree” topology which provides a loop free network when properly designed.
Our network features a topology where end-users are provided a single port for a single device which allows us to enable BPDU Guard on ports used by players. This way, there can be no mistakes when plugging in the equipment as a port receiving a BPDU packet will automatically shutdown. It also protects us against a player bringing his own Spanning-Tree aware equipment. This is also addressed with the MAC addresses limit per port.
# Enable BPDU Guard on portfast enabled ports - our access ports.
spanning-tree portfast bpduguard
More Tools and Techniques – (and the future for us!)
Here are other features that you should look into to protect your network.
- ARP Inspection – Prevents ARP Spoofing and MITM attacks.
- Storm-Control – Sets a level of a allowed Multicast and Broadcast traffic and shutdown a port of the limit is exceeded.
- 802.1x – The holy grail of network security and NAC (Network Access Control). When enabled, all devices on your network must authenticate with a NAC device (Packetfence, Radius, NPS or any other flavor) before being granted access to the network. All devices must go through a guest VLAN for authentication and if successful, the port is switched into your internal VLAN. It was previously used for our event and it’s something we are looking into bringing back.
- Private VLAN – Allows to further restrict traffic between VLANs by using secondary tags between ports.
- IP Source Guard – Allows matching of IP per port. This means that another user cannot impersonate another IP while connected to another port.