Chapter 8: Routers and Routing Protocol Hardening
Chapter 8
© 2007 – 2013, Cisco Systems, Inc. All rights reserved. Cisco Public
A router’s operational architecture can be categorized into
three planes:
Securing the Management Plane on Cisco Routers
This section discusses device hardening tasks related to
securing the management plane of a Cisco router, including
the following:
Securing the Management Plane
Step 1. Follow the written router security policy
Encrypted Passwords
Attackers deploy various methods of discovering
administrative passwords.
Use Strong Passwords
Use a password length of ten or more characters.
Encrypting Passwords
Typically, routers require passwords for console access, remote vty access, and privileged EXEC access.
Encrypting Console and vty Passwords
When defining a console or vty line password using the
password line command, the passwords are stored in clear text
in the configuration.
Passwords that are protected using the automatic password
encryption are shown as type 7 passwords in the router
configuration.
Authentication, Authorization, Accounting
Authentication, authorization, and accounting (AAA) is a standards-based framework that can be implemented to control:
• who is permitted to access a network (authenticate),
• what they can do on that network (authorize), and
• what they did while accessing the network (accounting).
RADIUS and TACACS+ Overview
When users attempt to authenticate to a device, the device communicates with an AAA server using either the
• TACACS+: A Cisco proprietary protocol that separates all three AAA services using the more reliable TCP port 49.
• TACACS+ encrypts the entire message exchanged; therefore, communication between the device and the TACACS+ server is “completely” secure.
Enabling AAA and Local Authentication
Step 1. Create local user accounts using the username
name secret password global configuration command.
Step 5. If required, apply the method lists to the console,
vty, or aux lines.
• If a list-name was configured, the lines require the login list-name line
configuration command.
Enabling AAA RADIUS Authentication with Local User for Backup
Enabling AAA TACACS+ Authentication with Local User for Backup
Configuring Authorization and Accounting
After the AAA authentication has been configured on a
Cisco IOS device, AAA authorization and accounting can be
enabled if required.
• Step 1. Define a method list for an authorization service with the aaa
authorization command.
To configure accounting, follow these steps:
• Step 1. Define a method list for an accounting service with the aaa accounting global configuration command.
• Step 2. Apply the accounting method list to a corresponding interface or line using an accounting command.
Limitations of TACACS+ and RADIUS
RADIUS is not suitable to be used in the following situations:
Use SSH Instead of Telnet
Step 1. Enable the use of SSH protocol: Ensure that the
target routers are running a Cisco IOS release that supports
SSH.
Securing Access to the Infrastructure Using Router ACLs
Implement Unicast Reverse Path Forwarding
Network administrators can use Unicast Reverse Path
Forwarding (uRPF) to help limit the malicious traffic on an
enterprise network.
The uRPF feature works in one of two modes:
• Strict mode: The packet must be received on the interface that the router would use to forward the return packet. Legitimate traffic might be dropped when asymmetric routing occurs.
• Loose mode: The source address must appear in the routing table.
Administrators can change this behavior using the allow-default
option, which allows the use of the default route in the source
verification process.
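The strict, loose and allow-default behaviours described above, as an added Python model of the source check (illustrative code, not Cisco's; the routing table, interface names and sample packets are constructed):

```python
import ipaddress

# Constructed routing table as (prefix, outgoing interface). Gi0/0 faces the
# ISP, Gi0/1 and Gi0/2 face internal subnets. Lookups use longest-prefix
# match, which is what a CEF-switched router does for the source check.
ROUTING_TABLE = [
    ("0.0.0.0/0",    "Gi0/0"),   # default route toward the Internet
    ("192.0.2.0/24", "Gi0/0"),   # a public prefix learned from upstream
    ("10.1.0.0/16",  "Gi0/1"),   # internal campus block
    ("10.1.50.0/24", "Gi0/2"),   # more specific internal subnet
]

def lookup(src):
    """Longest-prefix match for a source address; (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in ROUTING_TABLE:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_check(src, in_iface, mode="strict", allow_default=False):
    """Return True if a packet from src arriving on in_iface passes uRPF.

    strict: the route back to src must point out of in_iface.
    loose:  any route to src is enough, whatever interface it points to.
    allow_default: let a match on the default route count as a route.
    """
    match = lookup(src)
    if match is None:
        return False                      # no route at all: drop
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route matched
    if mode == "loose":
        return True
    return iface == in_iface              # strict: must be the reverse path

if __name__ == "__main__":
    # Constructed packets: (source, ingress interface, mode, allow-default)
    samples = [
        ("10.1.50.7",   "Gi0/2", "strict", False),  # normal internal host
        ("10.1.50.7",   "Gi0/0", "strict", False),  # internal source seen on the ISP side
        ("10.1.50.7",   "Gi0/1", "strict", False),  # asymmetric path: strict drops it
        ("10.1.50.7",   "Gi0/1", "loose",  False),  # loose tolerates the asymmetry
        ("203.0.113.9", "Gi0/1", "loose",  False),  # known only via the default route
        ("203.0.113.9", "Gi0/1", "loose",  True),   # allow-default: now passes
    ]
    for src, iface, mode, dflt in samples:
        verdict = "pass" if urpf_check(src, iface, mode, dflt) else "drop"
        print(f"{src:<14} in {iface} {mode:<6} allow-default={dflt!s:<5} -> {verdict}")
```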
uRPF in an Enterprise Network
In many enterprise environments, it is necessary to use a
combination of strict mode and loose mode uRPF.
uRPF Examples
An important consideration for deployment is that CEF
switching must be enabled for uRPF to function.
Enabling uRPF
Gigabit Ethernet 0/0 is configured for uRPF loose mode, and Gigabit Ethernet 0/1 is configured for uRPF strict mode.
Configuring loose mode makes sure the router can reach the source of any IP packet received on interface Gigabit Ethernet 0/0 using any interface on the router.
Strict mode makes the router verify that the source of any IP packet received on interface Gigabit Ethernet 0/1 is reachable through that interface and not through any other interface on the router.
Implement Logging
Network administrators need to implement logging to get insight into
what is happening in their network.
It is also important that syslog entries be stamped with the correct time
and date. Time stamps are configured using the service timestamps
[debug | log] [uptime | datetime [msec]] [localtime] [show-timezone]
[year] global configuration command.
Implementing Network Time Protocol
An NTP network usually gets its time from an authoritative time
source, such as a radio clock or an atomic clock attached to a
time server.
NTP then distributes this time across the network using UDP port
123.
NTP Modes
Server: Also called the NTP master because it provides accurate time
information to clients.
• An NTP server is configured using the ntp master [stratum] global configuration command.
ip-address command}.
Securing NTP
Authentication: NTP authenticates the source of the
information, so it only benefits the NTP client.
Access control lists: Configure access lists on devices
that provide time synchronization to others.
To configure NTP authentication, follow these steps:
Step 3. Tell the device which keys are valid for NTP
authentication using the ntp trusted-key key global configuration
command.
NTP Versions
Currently NTP Versions 3 and 4 are used in production networks.
NTPv4 is an extension of NTP Version 3 and provides the
following capabilities:
NTP in IPv6 Environment
NTPv4 enables an IPv6-enabled device to obtain time information on a network by:
• For instance, the client is configured using the sntp server server_ip
global configuration command.
Implementing SNMP
SNMPv3
SNMPv3 should be used whenever possible because it provides authenticity,
integrity, and confidentiality. Configuring SNMPv3 involves the following steps:
Step 1. Configure an ACL to limit who has SNMP access to the device.
Enabling SNMPv3
Verifying SNMPv3
show snmp
Provides basic information about the SNMP configuration. You can use it to display SNMP traffic statistics, see whether the SNMP agent is enabled, or verify whether the device is configured to send traps.
copy command.
Another method is to use the Cisco IOS archive global
configuration command.
Using SCP
The Secure Copy (SCP) feature provides a secure and
authenticated method for copying router configuration or
router image files.
Enabling SCP on a Router
Step 1. Use the username name [privilege level] {secret password}
command to configure a username and password to use for local
authentication.
A workstation running a command-line SCP client can
authenticate to the SCP server on the router to securely
transfer files from the router flash memory.
Disabling Unused Services
Conditional Debugging
Debugging can generate a great deal of output and sometimes
filtering through the output can be tedious.
Routing Protocol Authentication Options
This section describes neighbor router authentication as part
of a total security plan and addresses the following topics:
Increasing the security of routing protocol authentication
with time-based key chains.
The Purpose of Routing Protocol Authentication
The falsification of routing information is a more subtle class of
attack that targets the information carried within the routing
protocol.
Plain-Text Authentication
Hashing Authentication
With hashing authentication, the routing protocol update does not contain
the plain-text key.
It is important to understand that MD5 or SHA only provide
authentication. They do not provide confidentiality.
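Hashing authentication as an added Python model of the OSPFv2 MD5 scheme the page later configures with ip ospf message-digest-key (RFC 2328 Appendix D: the digest is MD5 over the packet with the 16-byte key appended, and the digest, not the key, travels with the packet). This is illustrative code, not Cisco's: the header is simplified, and the key table, sequence numbers and sample update are constructed.

```python
import hashlib
import hmac
import struct

# Constructed key table: key ID -> key string, the page's "key ID and
# keyword (password)" pairs. Keys shorter than 16 bytes are zero-padded.
KEYS = {1: b"oldsecret", 2: b"newsecret"}

def pad_key(key):
    return key.ljust(16, b"\x00")[:16]

def build_packet(payload, key_id, seq):
    # Simplified header: AuType=2 (cryptographic) then the 8-byte
    # authentication field (reserved 0, key ID, auth data length 16,
    # cryptographic sequence number), followed by the routing update.
    return struct.pack("!HHBBI", 2, 0, key_id, 16, seq) + payload

def sign(payload, key_id, seq, keys=KEYS):
    # digest = MD5(packet || padded key); appended to the packet. The key
    # itself is never transmitted, which is what "hashing authentication"
    # buys over plain-text authentication.
    packet = build_packet(payload, key_id, seq)
    return packet + hashlib.md5(packet + pad_key(keys[key_id])).digest()

def verify(frame, last_seq, keys=KEYS):
    """Receiver-side check. Returns (accepted, reason)."""
    if len(frame) < 10 + 16:
        return False, "truncated"
    packet, digest = frame[:-16], frame[-16:]
    autype, _, key_id, auth_len, seq = struct.unpack("!HHBBI", packet[:10])
    if autype != 2 or auth_len != 16:
        return False, "not cryptographic authentication"
    if key_id not in keys:
        return False, "unknown key id"
    expected = hashlib.md5(packet + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, digest):   # constant-time compare
        return False, "bad digest"
    if seq < last_seq:                               # non-decreasing sequence
        return False, "sequence number replay"
    return True, "ok"

def payload_of(frame):
    # The update travels in the clear: anyone on the segment can read it.
    # MD5 gives origin authentication and integrity, not confidentiality.
    return frame[10:-16]

if __name__ == "__main__":
    update = b"LSU: 10.1.0.0/16 via 10.0.0.1"       # constructed sample update
    frame = sign(update, 2, 1001)
    print(payload_of(frame))                       # readable on the wire
    print(verify(frame, last_seq=1000))            # (True, 'ok')
    tampered = frame[:10] + b"LSU: 10.1.0.0/16 via 10.0.0.9" + frame[-16:]
    print(verify(tampered, last_seq=1000))         # (False, 'bad digest')
    print(verify(frame, last_seq=1002))            # (False, 'sequence number replay')
```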
Time-Based Key Chains
The security of routing protocol authentication can be
increased by changing the secret keys often.
The key chain contains sets of keys (sometimes called shared secrets)
that include:
• Key ID: Configured using the key key-id key chain configuration mode command.
Key IDs can range from 1 to 255.
• Key string (password): Configured using the key-string password key chain key
configuration mode command.
• Key lifetimes: (Optional) Configured using the send-lifetime and accept-lifetime
key chain key configuration mode commands.
The send and accept lifetimes of a key are specified using the start time
and end time.
The software examines the key numbers in order from lowest to highest.
It then uses the first valid key it encounters.
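The lowest-valid-key rule and the send and accept lifetimes described above, as an added Python model (illustrative code, not IOS; the chain name, keys and rollover schedule are constructed):

```python
from datetime import datetime, timedelta

class Key:
    """One key chain entry: key ID, key string and optional lifetimes.
    A lifetime is (start, end); end=None means the key never expires."""
    def __init__(self, key_id, key_string, send_lifetime=None, accept_lifetime=None):
        if not 1 <= key_id <= 255:
            raise ValueError("key ID must be 1-255")
        self.key_id = key_id
        self.key_string = key_string
        self.send_lifetime = send_lifetime
        self.accept_lifetime = accept_lifetime

    @staticmethod
    def _active(lifetime, now):
        if lifetime is None:          # no lifetime configured: always valid
            return True
        start, end = lifetime
        return start <= now and (end is None or now < end)

    def can_send(self, now):
        return self._active(self.send_lifetime, now)

    def can_accept(self, now):
        return self._active(self.accept_lifetime, now)

class KeyChain:
    def __init__(self, name, keys):
        self.name = name
        self.keys = {k.key_id: k for k in keys}

    def send_key(self, now):
        """Lowest key ID whose send-lifetime is active; None if no key is
        valid for sending at this time."""
        for key_id in sorted(self.keys):
            if self.keys[key_id].can_send(now):
                return key_id
        return None

    def accepts(self, key_id, now):
        """Would a received packet carrying this key ID be accepted?"""
        key = self.keys.get(key_id)
        return key is not None and key.can_accept(now)

# Constructed rotation: key 1 hands over to key 2 at ROLL, with a one-hour
# overlap in the accept-lifetimes so peers whose clocks differ slightly
# (hence the page's emphasis on NTP) do not lose their adjacency.
ROLL = datetime(2024, 1, 1, 12, 0)
H = timedelta(hours=1)
CHAIN = KeyChain("EIGRP-KEYS", [
    Key(1, "old-secret", send_lifetime=(ROLL - 7 * 24 * H, ROLL),
        accept_lifetime=(ROLL - 7 * 24 * H, ROLL + H)),
    Key(2, "new-secret", send_lifetime=(ROLL, None),
        accept_lifetime=(ROLL - H, None)),
])

if __name__ == "__main__":
    for t in (ROLL - H / 2, ROLL + H / 2, ROLL + 2 * H):
        print(t, "send with key", CHAIN.send_key(t),
              "| accept key 1:", CHAIN.accepts(1, t),
              "| accept key 2:", CHAIN.accepts(2, t))
```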
Key Chain Specifics
Authentication Options with Different Routing Protocols
Configuring EIGRP Authentication
EIGRP Authentication Configuration Checklist
EIGRP Authentication Configuration
Configuring EIGRP for IPv6 Authentication
Configuring Named EIGRP Authentication
Configuring OSPF Authentication
OSPF Authentication
When OSPFv2 neighbor authentication is enabled on a
router, the router authenticates the source of each routing
update packet that it receives.
OSPF MD5 Authentication
Step 1. Configure a key ID and keyword (password) using
the ip ospf message-digest-key key-id md5 password
interface configuration command.
Configure OSPF MD5 Authentication
Configure OSPF MD5 Authentication on Interfaces
Configure OSPF MD5 Authentication in an Area
OSPFv2 Cryptographic Authentication
Since Cisco IOS Software Release 15.4(1)T, OSPFv2
supports SHA hashing authentication using key chains.
Configuring OSPFv2 Cryptographic Authentication
Step 1. Configure a key chain using the key chain key-name global configuration command.
• The key chain contains the key ID and key string and enables the cryptographic authentication feature using the cryptographic-algorithm auth-algo command.
Configure OSPFv2 Cryptographic Authentication Example
OSPFv3 Authentication
OSPFv3 requires the use of IPsec to enable authentication.
The security policy consists of the combination of the key and the
security parameter index (SPI).
• The SPI is an identification tag added to the IPsec header.
Configuring OSPFv3 Authentication on an Interface Example
Configuring OSPFv3 Authentication in an Area Example
Configuring BGP Authentication
BGP Authentication Configuration Checklist
This authentication is accomplished by the exchange of an
authentication key (password) that is shared between the
source and destination routers.
BGP Authentication Configuration
BGP for IPv6 Authentication Configuration
Implementing VRF-Lite
Virtual Routing and Forwarding (VRF) is a technology that allows a device to have multiple, separate instances of routing tables that exist and work simultaneously.
VRF and VRF-Lite
VRF is usually associated with a service provider running
Multiprotocol Label Switching (MPLS) because the two work well
together.
VRF-lite allows an SP to support two or more VPNs with
overlapping IP addresses using one interface.
Enabling VRF
Easy Virtual Network
For true path isolation, Cisco Easy Virtual Network (EVN)
provides the simplicity of Layer 2 with the controls of Layer 3.
EVN significantly reduces network virtualization configuration across the entire network infrastructure by creating a virtual network trunk.
EVN’s route replication feature allows each virtual network to have direct access to
the Routing Information Base (RIB) in each VRF.
Once in routing context, the IOS commands do not have to be explicitly identified as
VRF commands.
Summary
Write and follow a security policy before securing a device.
Use SSH instead of Telnet, especially when using it over an unsecure network.
Create router ACLs to protect the infrastructure by filtering traffic on the network edge.
A key chain is a set of keys that can be used with routing protocol authentications.
When EIGRP authentication is configured, the router verifies every EIGRP packet.
Classic EIGRP for IPv4 and IPv6 supports MD5 authentication, and named EIGRP
supports SHA authentication.
When authentication is configured, the router generates and checks every
OSPF packet and authenticates the source of each update packet that it
receives.
In OSPFv2 simple password authentication the routers send the key that is
embedded in the OSPF packets.
In OSPFv2 MD5 authentication the routers generate a hash of the key, key
ID, and message. The message digest is sent with the packet.
OSPFv3 uses native functionality offered by IPv6. All that is required for OSPFv3 authentication is IPsec AH. AH provides authentication and an integrity check. IPsec ESP provides encryption for payloads, which is not required for authentication.
The router generates and verifies an MD5 digest of every segment sent over the BGP connection.