How Secure Is Your Password?

As systems admins, we can be our own worst enemies when it comes to security. We implement these convoluted password complexity policies in the interest of security, yet what really happens? We end up making passwords so complex that the user cannot remember them, so they end up on sticky notes on monitors, or under keyboards. And really, these eight-character complex passwords are only slightly more secure than an eight-character non-complex password. So, have we made our environment more secure, or less?

Any security expert will tell you it is all about length.  Sign language and squirrel noises might help some, but when you get up to 14 to 18 characters, you are really most secure.

For example, you told your users that they must use a minimum of eight characters, and at least one number. Then we tell them that random strings are the way to go. Don't use your cat's name! The first thing they will do, (and I have had no less than five users tell me that this is their password), is go "Well, I need a random string I can remember..."

So they type "1qaz2wsx"...  The quotes are mine and are not included in the password, as is the case for all passwords on this page.  If that doesn't look familiar to you, start at the one key on your keyboard and head for the alt key.. Repeat, starting at the two. Let's see what howsecureismypassword.net says about this random string of numbers and letters.

This password is in the top 670 most commonly used passwords. It's not up there with "admin" or "god" or "cisco", but it's up there, and the bad guys know it. Keyboard patterns are built into password cracks. Using an eight-character word like "saboteur" is actually more secure: it would take a whopping 52 seconds to crack!

Ok, so no keyboard patterns or plain old words...  How about making them add a special character and a capital letter to our eight-character password? Let's see how "Ds#rtgmh" fares as a password.

A day might seem like a long time. It's not. Keep in mind that the bad guys usually have a little more juice than a "desktop PC". Also keep in mind that they have plenty of time. A day is a snap.

Again, it is all about length.

The lady at the front desk has a cat. Why not let her use "tail.cat.fluffy"? No caps, no special characters, and (gasp!) includes dictionary words..

Now we are talking! A secure password that she can remember, so it won't end up on a sticky note. A dictionary word is bad. Several dictionary words are absolutely great. Put in some dots or dashes to break up the words, and add to the length and complexity. Replacing the "a" in cat with an "@" drives our time-to-crack up to 3 billion years! Not uncrackable, but if someone has 3 billion years to spend on my account-- I might just give it to them for effort.

Forcing an expiration of 30 days, 60 days, 90 days is not really necessary, and just drives up your support costs. If it is in their brain, it isn't going to get lost, stolen, or otherwise misappropriated. There is no valid reason to force a change every 30 days. You are making it less secure by doing so. The more challenging you make this process for your users, the more likely they are to write it down, throwing all of your hard security work out the window. Or, they forget it- resulting in a help desk call to your already over-worked help desk.

Force 14 or 16 characters, have it expire once a year, and educate your users on creating long, yet easy to remember passwords. Did I say it was all about length? Your users and your help desk will thank you.

Try it yourself! Swing by howsecureismypassword.net and put in your favorite double-secret secure password. You might be surprised at the results.

Spanning Tree and Portfast

So, I have a lot of buffer full / output drops on ALL of my switches.  Spent some time with TAC yesterday troubleshooting, and it seems that I am having a ton of broadcasts, as a result of Spanning Tree topology changes.

sh span detail | in is executing|from|topology changes
 VLAN#### is executing the ieee compatible Spanning Tree protocol
  Number of topology changes 168945 last change occurred 00:00:27 ago
          from GigabitEthernet1/0/11

The TAC engineer narrowed it down to one port, which I chased down yesterday to a big Canon network copier.

Why would a Canon copier be causing Spanning Tree topology changes?

The port was in trunk mode, as all of our ports are in trunk mode to accommodate our data and (Non-Cisco) VoIP vlans. Since the copier doesn't talk on the phone much,  I put it’s port into access mode and the Spanning Tree topology changes stopped.

For a bit.

Then they started again. This time from a different port. Then another. This prompted some reading, as my TAC tech is out for the weekend.    I found this: Cisco

“As soon as a bridge detects a change in the topology of the network (a link that goes down or goes to forwarding), it advertises the event to the whole bridged network.”

So, it wasn’t just the copier. Anytime a link goes up or down, a TCN is sent out.

”The more hosts are in the network, the higher are the probabilities of getting a topology change. For instance, a directly attached host triggers a topology change when it is power cycled. In very large (and flat) networks, a point can be reached where the network is perpetually in a topology change status.”

This is us.  Perpetual topology change, perpetual TCN back to the root bridge, and then root broadcast of change notification.

So what is the fix?

"Avoid TCN Generation with the portfast Command


The portfast feature is a Cisco proprietary change in the STP implementation. The command is applied to specific ports and has two effects: 


Ports that come up are put directly in the forwarding STP mode, instead of going through the learning and listening process. The STP still runs on ports with portfast. 

The switch never generates a TCN when a port configured for portfast goes up or down. 


Enable portfast on ports where the connected hosts are very likely to bring their link up and down (typically end stations that users frequently power cycle). This feature should not be necessary for server ports. It should definitely be avoided on ports that lead to hubs or other bridges. A port that directly transitions to forwarding state on a redundant link can cause temporary bridging loops.


 Topology changes can be useful, so do not enable portfast on a port for which a link that goes up or down is a significant event for the network."

OK, I got it. I know about portfast. But most of my ports are trunks. So, I have to use portfast trunk. And I don't want to enable portfast trunk unless I have some bpdu protection, as we do have techs and users plugging switches in from time to time, some temporary, some permanent.  So, portfast somewhat nerfs STP, right?  I don't want a user seeing a network cable laying on the table, and plugging it back into the switch it's already plugged into and causing a loop. It's happened a couple of times already.

So, does Portfast really keep STP from doing it's job? I have a 3750x on my desk, and on it I have two ports configured as trunks in two vlans, and have added portfast trunk to each port. I have plugged a 2960 into port 1/0/48 on the 3750x. I can ping the 2960's management address, and the port is happy.

Take a look at Spanning Tree as we sit. The 2960 is the root, as it has a lower MAC address. Fine for our purposes.. We just want to see what happens.

Turned on Spanning Tree Event Debugging. (Don't do this in production)
#debug spanning-tree events

Now, let's plug 1/0/47 into the same switch.

You can see the port immediately jumps to forwarding, but then two-tenths of a second later, STP blocks the port. Eigth-tenths later, port goes back to up? So is it up, or blocked? The light is green...  Turns out it is both.

#show ip interface brief shows us that the port is up, but #show spanning-tree shows us that it is indeed blocked.

So, Spanning Tree does it's job, even though portfast is enabled. Why then, all the concern about having portfast enabled on a port that a switch can be plugged into? Two-tenths of a second seems pretty fast to me.

Just for giggles, I am going to plug both ends of a cable into the 2960 to see if I can really get a loop going. These ports have the default configuration on them (or lack thereof). So, no trunk, or portfast trunk, or even portfast.

Nope. No loop. But the difference is, the port was never forwarding. It went from listening to blocking, and stayed that way. So, even though it took a second and a half to block, it didn't have a chance to make a loop. Incidentally, there were no STP events triggered on the 3750 when this "loop" was made.

What do you think? Is two-tenths of a second really enough time to start an irreversible switching loop?  I am certainly not going to run out and throw portfast on all of my access ports, but this was a fun experiment nonetheless.

CCNA!

I passed, with a 902! And, yes- I'm allowed to post my score according to the Cisco posting guidelines.. Read them here.

Feels great! Had a case of the Monday's and a little panic when I woke up and my mind was blank. Could barely remember my name. But, when I sat down, it all came back.  Went very well, and I feel awesome.

Vacation is short, though. My CCNP ROUTE class starts tomorrow at 8 am. 

On to the next one!

Motivation..

I've been pretty good about keeping a regular study schedule. My classes have been pre-recorded, for the most part, so it's easy to procrastinate. "Why do today, that which you can put off until tomorrow?" has been my mantra for many years. Tough habit to break. So, I scheduled my CCNA test for two weeks from today. If I put the date on this blog, I figure I have to keep it. Very excited. Going back through the labs and practice exams from my classes, reading my notes, hitting Chris Bryant videos, and labs at freeccnaworkbook.

Can't wait to walk out of there with a pass! (Positive energy..)

Master IP Subnetting Forever

I agree with Chris Bryant at The Bryant Advantage. You should know how to subnet using binary. Knowing that, I went through his binary conversion and subnetting course, and learned it well. Practiced every day at subnettingquestions.com, until I no longer made silly errors, and it made sense to me.

But as exam day neared, I worried that I would be too slow with all of these binary conversions. I also found that when I hurried my conversions, the silly errors returned.   In my studies on the Cisco Learning Network, I saw people referring to an "increment of 16", or an "increment of 32". What does that mean? I found out here: Master IP Subnetting Forever. The "magic box" is a huge timesaver.

This document is truly a lifesaver, along with the "thumb rule". I don't remember where I learned it, but when it comes to the "power of two", the thumb rule is great. When trying to figure out "2 to the 5th power", stick your thumb out. That's two, or "2 to the 1st", now start doubling the number, extending a finger each time. 4, 8, 16, 32.  When you get to your fifth finger, you are at 32. "2 to the 5th" is 32. Now, if you are counting available host addresses, subtract 2. Five host bits gives us 30 hosts per network.

Just keep counting, and keep doubling. "2 to the 10th" is 1024, or 1022 hosts. Easy stuff. But again, learn how to do it in binary first. You should always know how to do it at the fundamental level, so when you forget the "trick" or the "magic box" you can fall back on the basics.

Why won't my 3750x stack upgrade automatically?

I received 11 new 3750x switches the other day, and was excited to hear that, with the Stackwise cables installed, I could just upgrade the master to the latest IOS, and it would upgrade all the other switches in the stack automatically. This would save me quite a bit of time and effort versus tftp'ing the ios over to each one individually.

So, like a kid on Christmas morning, I stacked up five of them on the bench, hooked up my laptop to the master, and copied the .bin file over, and waited. And waited. And moved the console cable down to the second switch, and nothing. None of the switches were doing anything. The consultant I had working on my new firewalls said "That should work". But nothing. Tried a couple reloads, still nothing.

Called Cisco and opened a ticket. The TAC tech was very nice, but going on vacation for a couple days. I manually upgraded the first batch of switches, as they were going in that night. Did a bunch of research on the internet while waiting for the TAC to get back to me. Found this article:
Cisco 3750 Stack Upgrade

In the article, I found that for the automatic upgrade to occur, I needed the .tar file, not the .bin file. I downloaded the .tar file, put it in my tftp root folder, and ran this command:
archive download-sw tftp://11.11.11.11/c3750-i5-tar.122-20.SE.tar
then, I watched in amazement as the master upgraded, and then upgraded the other three switches in the stack. It upgraded the boot path for me as well, and deleted the old IOS. Ready to go!

Well, almost.  It seems that once you stack a switch, it remembers it's number. When I went to rack those switches that night, the switch that I brought up third kept insisting that it was number four, and that it was the master. Not good. This meant that interfaces 4/0/1 through 48 would actually be on the third switch, and vice-versa. Two commands fixed my issues here:

To make sure Switch1 is always the master, I set it's priority to 15:
conf t
switch 1 priority 15

To renumber Switch4 to 3, and Switch3 to 4, I renumbered them:
conf t
switch 3 renumber 4
switch 4 renumber 3

Then I reloaded the stack to make all this take effect.
reload

You can also reload specific switches in the stack:
reload slot current slot number

More info here:
Creation and Management of Cisco 3750 Stacks

Training Resources

I am a big fan of Knowledgenet. They offer live online classes, as well as recorded classes. They use official Cisco curriculum, and it is refreshed regularly. The training is not just a series of videos-- you get the book, and they have very realistic labs and pre and post-assessment exams integrated into their training. Highly recommend them. 

Also love Chris Bryant's CCNA program.  If work isn't paying for your classes, and you find that a couple thousand dollars is too much, then you are in luck. The Bryant Advantage is very in-depth, very thorough, and Chris is a personable guy. A dry instructor can really make this curriculum boring. Chris doesn't do that.  He keeps the material interesting, and he has a ton of three to five minute videos that hit the point and get out. Do a couple each day on your coffee break. Follow him on Twitter, Youtube, or hit his blog.  The free videos he gives away each day are worth it alone.  For not a lot of money, you can pick up his CCNA or CCNP video series and study guide. Although I can't speak to his CCNP material yet, I have the CCNA guide and video series, and love them both. It is a quality program at a fraction of the price you would pay elsewhere. He demos everything on live equipment, and really does a great job of explaining the material. Also highly recommend Chris!

LearnSmart (formerly PrepLogic)... Hmmmmm. Really enjoyed the CCNA program for the short time I was subscribed. I like the layout, the organization of the site, the progress clocks and projected completion dates.  But, near as I can tell, the books are not official Cisco curriculum, and they have a lot of complaints on the web from people who apparently didn't read the fine print-- myself included.  I don't think they are a bad or malicious organization, and from what I've been told they have really been working hard to clean up their image. I had some trouble initially getting my money back on a "30 day money back guarantee", but they did come through for me and make it right. I will say, however-- read the fine print-- even if the sales guy tells you that you have a 30 day "no questions asked" return. If the contract says no refunds, then be prepared to not get your money back, no matter what the sales guy said. Like I told their guy on the phone the other day. I don't have a problem with their training. I really liked most of it. But things like automatic renewals are a big red flag to me, especially now. Provide a quality product, be upfront and honest, and instill trust in your clients, and they will come back-- voluntarily.