CompTIA Security+ Exam Notes

Let Us Help You Pass

Wednesday, October 9, 2024

BPDU & Root Guard

A switch forwards frames using a table of MAC addresses learned on each port (the CAM table). When that table is flushed, which happens after a spanning-tree topology change, the switch no longer knows which port a destination sits behind and must flood even unicast frames out every port in the VLAN until it relearns them. That wastes bandwidth and, more to the point for security, delivers unicast traffic to ports it was never meant to reach. To limit this, configure access ports (those connected directly to end hosts) as edge ports, called "PortFast" on Cisco switches, so that host link flaps do not generate topology change notifications and the flushing and flooding that follow them.

 Key points:

 MAC address cache:

A switch stores MAC addresses associated with each port to quickly direct traffic.

 Flooding:

When a switch doesn't know the correct port for a destination MAC address, it sends the frame to all ports, even a unicast frame.

STP and topology changes:

Every topology change makes switches discard learned MAC addresses: classic STP shortens the aging timer to the forward-delay value, and Rapid Spanning Tree Protocol (RSTP) flushes the affected entries immediately. Frequent changes, especially under RSTP, therefore mean frequent relearning and more flooding.

How to minimize flooding on access ports:

PortFast:

Configure "PortFast" on access ports on Cisco switches. A PortFast port goes straight to forwarding without the listening and learning states, and its link going up or down does not generate a topology change notification, so a rebooting workstation no longer makes every switch in the VLAN flush its table and flood.

 Edgeport (other vendors):

Similar functionality on non-Cisco switches is usually called an "edge port."

 STP commands to further control flooding:

 BPDU Guard:

If a port configured with PortFast receives a Bridge Protocol Data Unit (BPDU), a frame that should only appear on switch-to-switch links, the switch shuts the port down (Cisco places it in the err-disabled state). Something other than an end host is attached, whether an unauthorized switch or a host sending crafted BPDUs, and the port stays down until an administrator re-enables it or errdisable recovery times out.

 BPDU Filter:

It silently drops BPDUs on a port in both directions, which effectively turns spanning tree off for that port. It is valid only on links that are meant to separate two independent switching domains; on a link that actually connects two switches it blinds them to a loop, so prefer BPDU Guard on access ports.

Root Guard:

Prevents a switch connected to a specific port from becoming the root bridge in the Spanning Tree network. If a BPDU arrives on that port advertising a better (numerically lower) bridge ID than the current root, the port is placed in the root-inconsistent (blocking) state instead of accepting the new root, and it recovers automatically once the superior BPDUs stop. This ensures that only the designated "core" switches can be the root, so a rogue or misconfigured switch cannot redirect the whole tree through itself.
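To make the guard decisions concrete, here is an added example (written for these notes, not Cisco code) that decodes IEEE 802.1D configuration/RST BPDUs and applies BPDU Guard and Root Guard to a simulated port. The bridge IDs, port names and the "rogue switch" scenario in the demo are constructed for illustration.

```python
"""Added example for these notes: decode 802.1D BPDUs and apply the BPDU Guard
and Root Guard decisions described above to a simulated switch port.
Illustrative only; it is not Cisco IOS code."""
import struct
from dataclasses import dataclass

# Fixed part of every BPDU: protocol id (0x0000), protocol version (0=STP, 2=RSTP), type.
BPDU_FIXED = struct.Struct(">HBB")
# Configuration/RST BPDU body: flags, root id, root path cost, bridge id, port id,
# message age, max age, hello time, forward delay (timers in 1/256 s units).
BPDU_CONFIG = struct.Struct(">B8sI8sHHHHH")
TYPE_CONFIG, TYPE_RST, TYPE_TCN = 0x00, 0x02, 0x80
FLAG_TC = 0x01  # topology change flag (bit 0); bit 7 is the TC acknowledgement


def bridge_id(priority: int, mac: str, vlan: int = 1) -> bytes:
    """8-byte bridge ID: 4-bit priority (multiple of 4096) | 12-bit VLAN, then MAC."""
    if priority % 4096 or priority > 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    return (priority | vlan).to_bytes(2, "big") + bytes.fromhex(mac.replace(":", ""))


def describe_bridge_id(bid: bytes) -> str:
    prio = int.from_bytes(bid[:2], "big")
    return f"{prio & 0xF000}/{prio & 0x0FFF} {bid[2:].hex(':')}"


@dataclass(frozen=True)
class BPDU:
    version: int
    bpdu_type: int
    flags: int = 0
    root_id: bytes = b""
    root_path_cost: int = 0
    sender_id: bytes = b""
    port_id: int = 0

    @property
    def topology_change(self) -> bool:
        return bool(self.flags & FLAG_TC)


def build_bpdu(root: bytes, cost: int, sender: bytes, port_id: int = 0x8001,
               flags: int = 0, rstp: bool = False) -> bytes:
    """Encode a configuration (STP) or RST (RSTP) BPDU with default 802.1D timers."""
    version, btype = (2, TYPE_RST) if rstp else (0, TYPE_CONFIG)
    body = BPDU_CONFIG.pack(flags, root, cost, sender, port_id, 0, 20 * 256, 2 * 256, 15 * 256)
    if rstp:
        body += b"\x00"  # RST BPDUs carry an extra "version 1 length" byte
    return BPDU_FIXED.pack(0, version, btype) + body


def parse_bpdu(payload: bytes) -> BPDU:
    """Decode the BPDU that follows the 802.2 LLC header (DSAP/SSAP 0x42, control 0x03)."""
    proto, version, btype = BPDU_FIXED.unpack_from(payload)
    if proto != 0:
        raise ValueError(f"not a spanning-tree BPDU (protocol id {proto:#x})")
    if btype == TYPE_TCN:          # a TCN BPDU is only the 4 fixed bytes
        return BPDU(version, btype)
    if btype not in (TYPE_CONFIG, TYPE_RST):
        raise ValueError(f"unknown BPDU type {btype:#x}")
    flags, root, cost, sender, port_id, *_timers = BPDU_CONFIG.unpack_from(payload, BPDU_FIXED.size)
    return BPDU(version, btype, flags, root, cost, sender, port_id)


@dataclass
class Port:
    name: str
    portfast: bool = False     # edge port: end hosts only, no BPDUs expected
    bpdu_guard: bool = False
    root_guard: bool = False
    state: str = "forwarding"


def receive_bpdu(port: Port, payload: bytes, current_root: bytes) -> str:
    """Apply the guard features to one received BPDU; returns the action taken."""
    bpdu = parse_bpdu(payload)
    # BPDU Guard: any BPDU on a guarded (PortFast) port means a switch or a
    # BPDU-spoofing host is attached, so err-disable the port.
    if port.bpdu_guard:
        port.state = "err-disabled"
        return f"{port.name}: BPDU from {describe_bridge_id(bpdu.sender_id)}, err-disabled (BPDU Guard)"
    # Root Guard: a BPDU advertising a root ID numerically lower than the current
    # root would win the election; block the port instead of accepting it.
    if (port.root_guard and bpdu.root_id
            and int.from_bytes(bpdu.root_id, "big") < int.from_bytes(current_root, "big")):
        port.state = "root-inconsistent"
        return f"{port.name}: superior root {describe_bridge_id(bpdu.root_id)} advertised, root-inconsistent (Root Guard)"
    return f"{port.name}: BPDU accepted" + (" (topology change)" if bpdu.topology_change else "")


if __name__ == "__main__":
    # Constructed scenario: the legitimate root has priority 4096; a rogue switch
    # with priority 0 shows up on an access port and on a guarded uplink.
    legit_root = bridge_id(4096, "00:1a:2b:3c:4d:01")
    rogue = bridge_id(0, "00:de:ad:be:ef:01")
    for port, frame in [
        (Port("Gi1/0/5", portfast=True, bpdu_guard=True), build_bpdu(rogue, 0, rogue)),
        (Port("Gi1/0/48", root_guard=True), build_bpdu(rogue, 0, rogue, rstp=True)),
        (Port("Gi1/0/47"), build_bpdu(legit_root, 4, legit_root, flags=FLAG_TC)),
    ]:
        print(receive_bpdu(port, frame, legit_root), "->", port.state)
```

Run it and the access port ends up err-disabled, the guarded uplink goes root-inconsistent, and the plain trunk accepts the BPDU (noting its topology-change flag). Because the "superior" comparison is on the raw 8-byte bridge ID, a rogue switch wins simply by setting priority 0, which is exactly the case Root Guard exists for.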

Spanning Tree Port States

 Port States - Spanning Tree


Classic STP moves a port through blocking, listening and learning before it reaches forwarding (RSTP collapses these into discarding, learning and forwarding). When every bridge has all of its ports settled in either a "blocking" (inactive) or "forwarding" (active) state, the network is considered converged, meaning it has reached a stable, loop-free topology. A topology change forces the bridges to recalculate their port states, and parts of the network can be unavailable until they converge again. Classic STP takes tens of seconds to do so (30 to 50 seconds with default timers); RSTP usually converges in a few seconds or less, which is the main reason to prefer it.

STP & RSTP - Spanning Tree

 Spanning Tree Protocol

This protocol requires a managed switch. Spanning tree prevents switching loops, which cause broadcast storms: a broadcast or unknown-unicast frame circulates endlessly, multiplying on every pass, until the loop is broken manually. The other systems connected to the switch eventually lose connectivity, exactly as if a DoS (Denial of Service) attack were under way.

Switching loops occur when both ends of the same cable are plugged into the same switch, or into two wall jacks that lead back to the same switch. The same happens with multiple uplinks between two switches unless they are bundled into one logical link with LACP (Link Aggregation Control Protocol) or spanning tree blocks the redundant path.

RSTP (Rapid Spanning Tree Protocol) improves on STP by converging much faster after any change to the topology.

Spanning tree gives each port a role. The RP (Root Port) is the port with the lowest cost toward the root bridge and carries traffic toward it. The DP (Designated Port) is the forwarding port on a segment and carries traffic down through the network, away from the root. A BP (Blocking Port, also called a non-designated port) is kept from forwarding in order to break the switching loop.


Key Escrow Made Easy: How It Helps with Data Recovery and Security

 Key Escrow

Key escrow is a security arrangement in which cryptographic keys are stored by a trusted third party (or multiple parties) so they can be retrieved under specific, authorized circumstances. It’s commonly used in environments where data recovery, regulatory compliance, or lawful access is necessary.

An escrow agent is typically a trusted third party that keeps a protected copy of private keys, usually only decryption keys, since escrowing a signing key would undermine non-repudiation. Release is governed by M-of-N control: the key (or the ability to recover it) is divided among N custodians, and any M of them must cooperate to retrieve it. M must be greater than 1, so no single person can recover the key alone, and N should be greater than M, so the key is still recoverable if a custodian is unavailable. For example, with 5 trusted individuals (N), any 2 of them (M) must present their parts to reconstruct the key.

Why Key Escrow Exists
Key escrow balances the need for strong encryption with the need for access control in cases such as:
  • Lost or forgotten encryption keys
  • Legal investigations
  • Corporate data recovery
  • Compliance with government regulations
How Key Escrow Works
1. A user or organization generates an encryption key.
2. A copy of the key is securely stored with a trusted escrow agent.
3. Access to the escrowed key is governed by strict policies, such as:
  • Multi-party authorization
  • Legal warrants
  • Internal corporate procedures
Types of Key Escrow
  • Government Escrow: Used in law enforcement or national security contexts.
  • Corporate Escrow: Enables businesses to recover encrypted data if employees leave or lose access.
  • Split-Key Escrow: The key is divided among multiple parties, requiring collaboration to reconstruct it.
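The M-of-N control and the split-key escrow type above both come down to the same mechanism. The following added example (written for these notes, not the code of any escrow product) implements it with Shamir's secret sharing over a prime field and wraps it in a small escrow agent that releases the key only when enough custodians approve. The custodian names, the threshold and the sample key are constructed for illustration.

```python
"""Added example for these notes: an M-of-N split-key escrow built on Shamir's
secret sharing over a prime field. Illustrative code written for these notes,
not the code of any escrow product; custodian names are made up."""
import secrets

# Field prime: the Mersenne prime 2^521 - 1, large enough to hold a 256-bit key
# in a single field element (the secret must be < P).
P = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial mod P by Horner's rule; coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_key(key: bytes, m: int, n: int) -> list:
    """Split key into N shares (x, y). Any M shares reconstruct it; M-1 shares
    reveal nothing, because the other M-1 coefficients are uniformly random."""
    if not 1 < m <= n:
        raise ValueError("need 1 < M <= N (N > M tolerates lost shares)")
    secret = int.from_bytes(key, "big")
    if secret >= P:
        raise ValueError("key too large for the field")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]  # degree M-1
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares: list) -> int:
    """Lagrange interpolation at x = 0 returns the constant term (the secret).
    With fewer than M shares this still returns a number, but a random one."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P  # Fermat inverse
    return secret


def recover_key(shares: list, key_len: int) -> bytes:
    secret = recover_secret(shares)
    if secret >> (8 * key_len):
        raise ValueError("reconstructed value does not fit the key length; too few shares?")
    return secret.to_bytes(key_len, "big")


class EscrowAgent:
    """Holds one share per custodian and releases the key only when at least M
    distinct custodians approve a request (the M-of-N control)."""

    def __init__(self, key: bytes, custodians: list, m: int):
        self.m, self.key_len = m, len(key)
        self._shares = dict(zip(custodians, split_key(key, m, len(custodians))))

    def can_release(self, approvals: list) -> bool:
        return len({c for c in approvals if c in self._shares}) >= self.m

    def release(self, approvals: list) -> bytes:
        approved = sorted({c for c in approvals if c in self._shares})
        if len(approved) < self.m:
            raise PermissionError(f"{len(approved)} of {self.m} required approvals")
        return recover_key([self._shares[c] for c in approved], self.key_len)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # e.g. an AES-256 data-encryption key
    agent = EscrowAgent(key, ["alice", "bob", "carol", "dave", "erin"], m=2)
    print("2-of-5 release matches:", agent.release(["alice", "dave"]) == key)
    print("single custodian allowed:", agent.can_release(["bob"]))
```

Note what the threshold buys: with m=2 and n=5 any two custodians can recover the key, one alone cannot, and three custodians leaving the company still leaves enough shares to recover. The agent stores only shares, so a compromise of a single custodian's share gives the attacker nothing.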
Benefits
  • Data recovery: Prevents permanent data loss due to lost keys.
  • Compliance: Meets legal or regulatory requirements.
  • Security: Reduces risk of unauthorized access if properly managed.
Risks and Controversies
  • Privacy concerns: Governments or third parties could misuse access.
  • Security vulnerabilities: Escrow systems can be targeted by attackers.
  • Trust issues: Relies heavily on the escrow agent's integrity.
Real-World Examples
  • Enterprise backup systems often use key escrow for encrypted archives.
  • Encrypted messaging apps may use escrow for account recovery.
  • Government proposals (e.g., the Clipper Chip in the 1990s) sparked debates over privacy vs. security.

Tuesday, October 8, 2024

Why Password Salting is Essential for Protecting Against Cyberattacks

 Salting Passwords

Password salting is a security measure that enhances the protection of stored passwords by adding random data, known as a "salt," to each password before it is hashed. This produces unique hashes even for identical passwords, which defeats precomputed rainbow tables and forces an attacker to crack every stolen hash separately instead of all at once.

What are Salted Passwords and Password Hashing? 

Here's a detailed explanation:
1. What is a salt?
A salt is a random string of characters generated for each password. It's unique to each password instance and is used to enhance the security of the hashing process. 

2. How does it work?
Salt Generation: When a user creates or updates a password, the system generates a random salt (at least 16 bytes from a cryptographic random source). 
Salt Combination: The salt is combined with the user's password before hashing, by prepending or appending it or, in purpose-built password hashes, as a separate input. 
Hashing: The combined input is processed by a slow, purpose-built password hashing function such as bcrypt, scrypt, Argon2 or PBKDF2. A bare fast hash like SHA-256 is not enough on its own, even with a salt, because an attacker can still test billions of guesses per second. 
Storage: The salt is stored in the same record as the resulting hash (bcrypt and similar formats embed it in the output string), so the system can recompute the hash when the user logs in. 

3. Why is it important?
Preventing Rainbow Table Attacks: Rainbow tables are precomputed tables that map hash values back to common passwords. With a random salt per password, the attacker would need a separate table for every possible salt, which is infeasible, so the precomputation is worthless. 
Defending Against Brute-Force Attacks: Salting does not make guessing one password harder, but it stops an attacker from testing each guess against every stolen hash at once; each hash must be attacked on its own, multiplying the work by the number of accounts. 
Protecting Against Dictionary Attacks: Likewise, a dictionary of common words and phrases has to be re-hashed with each user's salt rather than hashed once and compared against the whole database. 

4. Example: 
Let's say two users have the same password, "password". Without salting, they would have the same hash, and cracking one would crack both. With salting, each user gets a unique salt (e.g., user1: "salt123", user2: "salt456"; real salts are random bytes, not readable strings). The system hashes "salt123password" and "salt456password" separately, producing different hashes even though the original password is the same, and an attacker who cracks one learns nothing about the other. 

5. Best Practices: 
  • Random and Unique Salts: Salts should be generated from a cryptographic random source, be unique for each password, and be at least 16 bytes long. 
  • Salts are not secrets: The salt does not need to be hidden, but it must be stored alongside the hash (or embedded in it) so the password can be verified later. 
  • Re-salting on Password Change: It's good practice to generate a new salt each time a user changes their password; libraries such as bcrypt do this automatically.

Key Stretching - Protecting Passwords

 Key Stretching

Key stretching is a way of slowing an attacker who has obtained password hashes. Instead of hashing the password once, the function runs thousands (today, hundreds of thousands) of rounds: it hashes the salted password, hashes the result, and keeps going, so producing a single hash costs a deliberate, tunable amount of work.

A legitimate login pays that cost once. An attacker must pay it for every guess, because each candidate password has to be pushed through the full round count before it can be compared, which multiplies the time of any brute-force or dictionary attack by the number of rounds.

The two main methods of key stretching are bcrypt and PBKDF2 (Password-Based Key Derivation Function 2); scrypt and Argon2 add memory-hardness on top of the round count.
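The salting steps from the previous post and the stretching described here fit in one routine. The following added example (written for these notes, not taken from any product or library's documentation) uses PBKDF2-HMAC-SHA256 from the Python standard library: a fresh random salt per password, a configurable round count, a constant-time comparison on verification, and a check for records stored with an outdated work factor. The record format and the iteration count are this example's own choices.

```python
"""Added example for these notes: salted, stretched password storage with
PBKDF2-HMAC-SHA256 from the standard library. Illustrative code written for
these notes; the record format is this example's own, not any product's."""
import hashlib
import hmac
import secrets
import time

ITERATIONS = 600_000  # current OWASP guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.
    A new random salt is drawn on every call, so two hashes of the same
    password never match and the record is self-describing for verification."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and rounds; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format {algo!r}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was made with fewer rounds than current policy;
    rehash at the next successful login, since the plaintext is available then."""
    return int(stored.split("$")[1]) < iterations


def unsalted_sha256(password: str) -> str:
    """What NOT to do: identical passwords give identical, precomputable hashes
    that a rainbow table resolves instantly."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def stretch_cost(iterations: int) -> float:
    """Seconds one hash takes at this round count: what every attacker guess costs."""
    start = time.perf_counter()
    hash_password("benchmark", iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed demo: two users choose the same weak password.
    alice, bob = hash_password("password"), hash_password("password")
    print("same password, different records:", alice != bob)
    print("unsalted hashes collide:", unsalted_sha256("password") == unsalted_sha256("password"))
    print("alice logs in:", verify_password("password", alice), "wrong password:", verify_password("Password", alice))
    old = hash_password("password", 10_000)
    print("legacy record needs rehash:", needs_rehash(old))
    print(f"cost per guess at 1k rounds: {stretch_cost(1_000):.4f}s, at {ITERATIONS} rounds: {stretch_cost(ITERATIONS):.3f}s")
```

The timing line makes the stretching argument visible: the ratio between the two costs is the factor by which every offline guess gets more expensive, while a user logging in pays it once. Storing the round count in the record is what lets the policy be raised later without invalidating existing accounts.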

Saturday, October 5, 2024

Bollards


Bollards are short, fixed posts used as a barricade to stop a vehicle from approaching a building at a high rate of speed. This prevents an intruder from ramming through an entrance and stealing equipment before a response can arrive. 

They are also used as a safety control, keeping vehicles away from pedestrian areas and entrances.