Beruflich Dokumente
Kultur Dokumente
Chapter 8:
Routers and Routing
Protocol Hardening
ROUTE v6 Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 1
Chapter 8 Topics
Securing the Management Plane on Cisco Routers
Routing Protocol Authentication Options
Configuring EIGRP Authentication
Configuring OSPF Authentication
Configuring BGP Authentication
Implementing VRF-Lite
Easy Virtual Network
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 2
A routers operational architecture can be categorized into
three planes:
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 3
Securing the Management
Plane on Cisco Routers
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 4
This section discusses device hardening tasks related to
securing the management plane of a Cisco router, including
the following:
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 5
Securing the Management Plane
Step 1. Follow the written router security policy
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 7
Encrypted Passwords
Attackers deploy various methods of discovering
administrative passwords.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 8
Use Strong Passwords
Use a password length of ten or more characters.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 11
Encrypting Console and vty Passwords
When defining a console or vty line password using the
password line command, the passwords are stored in clear text
in the configuration.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 13
Encrypting Console and vty Passwords
Chapter 8 14
Authentication, Authorization, Accounting
Authentication, authorization, and accounting (AAA) is a
standards-based framework that can be implemented to
control:
who is permitted to access a network (authenticate),
what they can do on that network (authorize),
and to audit what they did while accessing the network (accounting).
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 15
RADIUS and TACACS+ Overview
When users attempt to authenticate to a device, the device
communicates with a AAA server using either the
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 16
RADIUS and TACACS+ Overview
TACACS+: A Cisco proprietary protocol that separates all three AAA
services using the more reliable TCP port 49.
TACACS+ encrypts the entire message exchanged therefore
communication between the device and the TACACS+ server is
completely secure.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 17
Enabling AAA and Local Authentication
Step 1. Create local user accounts using the username
name secret password global configuration command.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 19
Enabling AAA RADIUS Authentication with Local
User for Backup
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 20
Enabling AAA RADIUS Authentication with Local
User for Backup
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 21
Enabling AAA TACACS+ Authentication with Local
User for Backup
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 22
Enabling AAA TACACS+ Authentication with Local
User for Backup
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 23
Configuring Authorization and Accounting
After the AAA authentication has been configured on a
Cisco IOS device, AAA authorization and accounting can be
enabled if required.
Step 1. Define a method list for an authorization service with the aaa
authorization command.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 24
Configuring Authorization and Accounting
To configure accounting, follow these steps:
Step 1. Define a method list for an accounting service with the aaa
accounting global configuration command.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 25
Limitations of TACACS+ and RADIUS
RADIUS is not suitable to be used in the following situations:
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 27
Use SSH Instead of Telnet
Step 1. Enable the use of SSH protocol: Ensure that the
target routers are running a Cisco IOS release that supports
SSH.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 28
Use SSH Instead of Telnet
Cha
pter 8 29
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public
Use SSH Instead of Telnet
Chapter 8
Securing Access to the Infrastructure Using
Router ACLs
31
Implement Unicast Reverse Path Forwarding
Network administrators can use Unicast Reverse Path
Forwarding (uRPF) to help limit the malicious traffic on an
enterprise network.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 32
Implement Unicast Reverse Path Forwarding
The uRPF feature works in one of two modes:
Strict mode: The packet must be received on the interface that the
router would use to forward the return packet. Legitimate traffic might
be dropped when asymmetric routing occurs.
Loose mode: The source address must appear in the routing table.
Administrators can change this behavior using the allow-default
option, which allows the use of the default route in the source
verification process.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 33
uRPF in an Enterprise Network
In many enterprise environments, it is necessary to use a
combination of strict mode and loose mode uRPF.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 34
uRPF Examples
An important consideration for deployment is that CEF
switching must be enabled for uRPF to function.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 35
Enabling uRPF
Gigabit Ethernet 0/0 interface for uRPF loose mode.
Gigabit Ethernet 0/1 is configured for uRPF strict mode.
Configuring loose mode makes sure the router can reach the source of any IP
packet received on interface Gigabit Ethernet 0/0 using any interface on the
router.
Strict mode makes the router verify that the source of any IP packet received on
interface Gigabit Ethernet 0/1 should be reachable by the interface and not any
other interface on the router.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 36
Implement Logging
Network administrators need to implement logging to get insight into
what is happening in their network.
It is also important that syslog entries be stamped with the correct time
and date. Time stamps are configured using the service timestamps
[debug | log] [uptime | datetime [msec]] [localtime] [show-timezone]
[year] global configuration command.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 37
Implementing Network Time Protocol
An NTP network usually gets its time from an authoritative time
source, such as a radio clock or an atomic clock attached to a
time server.
NTP then distributes this time across the network using UDP port
123.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 38
NTP Modes
Server: Also called the NTP master because it provides accurate time
information to clients.
An NTP server is configured using the using the ntp master [stratum] global
configuration command.
Chapter 8
2007 2013, 40
Cisco Systems, Inc. All rights reserved. Cisco Public
Securing NTP
Authentication: NTP authenticates the source of the
information, so it only benefits the NTP client.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 41
Securing NTP
To configure NTP authentication, follow these steps:
Step 3. Tell the device which keys are valid for NTP
authentication using the ntp trusted-key key global configuration
command.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 43
NTP Versions
Currently NTP Versions 3 and 4 are used in production networks.
NTPv4 is an extension of NTP Version 3 and provides the
following capabilities:
For instance, the client is configured using the sntp server server_ip
global configuration command.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 47
Implementing SNMP
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 48
SNMPv3
SNMPv3 should be used whenever possible because it provides authenticity,
integrity, and confidentiality. Configuring SNMPv3 involves the following steps:
Step 1. Configure an ACL to limit who has access SNMP access to the device.
Step 2. Configure an SNMPv3 view using the snmp-server view view-name global
configuration command.
Step 5. Configure an SNMPv3 trap receiver using the snmp-server host global
configuration command.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 49
Enabling SNMPv3
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 50
Verifying SNMPv3
show snmp
Provides basic information about the SNMP configuration.
You can use it to display SNMP traffic statistics, see
whether the SNMP agent is enabled, or verify whether the
device is configured to send traps,
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 53
Using SCP
The Secure Copy (SCP) feature provides a secure and
authenticated method for copying router configuration or
router image files.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 54
Enabling SCP on a Router
Step 1. Use the username name [privilege level] {secret password}
command to configure a username and password to use for local
authentication.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 56
Enabling SCP on a Router
A workstation running a command-line SCP client can
authenticate to the SCP server on the router to securely
transfer files from the router flash memory.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 57
Disabling Unused Services
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 58
Disabling Unused Services
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 59
Disabling Unused Services
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 60
Conditional Debugging
Debugging can generate a great deal of output and sometimes
filtering through the output can be tedious.
Chap
ter 8 2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 62
Routing Protocol
Authentication
Options
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 63
This section describes neighbor router authentication as part
of a total security plan and addresses the following topics:
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 64
The Purpose of Routing Protocol
Authentication
The falsification of routing information is a more subtle class of
attack that targets the information carried within the routing
protocol.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 66
Plain-Text Authentication
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 67
Plain-Text Authentication
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 68
Hashing Authentication
With hashing authentication, the routing protocol update does not contain
the plain-text key.
Chapter 8
69
Hashing Authentication
It is important to understand that MD5 or SHA only provide
authentication. They do not provide confidentiality.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 70
Time-Based Key Chains
The security of routing protocol authentication can be
increased by changing the secret keys often.
The key chain contains sets of keys (sometimes called shared secrets)
that include:
Key ID: Configured using the key key-id key chain configuration mode command.
Key IDs can range from 1 to 255.
Key string (password): Configured using the key-string password key chain key
configuration mode command.
Key lifetimes: (Optional) Configured using the send-lifetime and accept-lifetime
key chain key configuration mode commands.
The send and accept lifetimes of a key are specified using the start time
and end time.
The software examines the key numbers in order from lowest to highest.
It then uses the first valid key it encounters.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 72
Key Chain Specifics
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 73
Authentication Options with Different Routing
Protocols
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 74
Configuring EIGRP
Authentication
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 75
EIGRP Authentication Configuration Checklist
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 76
EIGRP Authentication Configuration
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 77
EIGRP Authentication Configuration
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 78
EIGRP Authentication Configuration
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 79
EIGRP Authentication Configuration
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 80
Configuring EIGRP for IPv6 Authentication
Chapter 8
81
Configuring EIGRP for IPv6 Authentication
Chapter 8
82
Configuring Named EIGRP Authentication
Chapter 8
83
Configuring Named EIGRP Authentication
Chapter 8
84
Configuring OSPF
Authentication
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 85
OSPF Authentication
When OSPFv2 neighbor authentication is enabled on a
router, the router authenticates the source of each routing
update packet that it receives.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 86
OSPF MD5 Authentication
Step 1. Configure a key ID and keyword (password) using
the ip ospf message-digest-key key-id md5 password
interface configuration command.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 87
Configure OSPF MD5 Authentication
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 88
Configure OSPF MD5 Authentication on Interfaces
Chapter 8
Configure OSPF MD5 Authentication on Interfaces
Chapter 8
Configure OSPF MD5 Authentication on Interfaces
Chapter 8
Configure OSPF MD5 Authentication in an Area
Chapter 8
92
Configure OSPF MD5 Authentication in an Area
Chapter 8
93
Configure OSPF MD5 Authentication in an Area
Chapter 8 2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 94
OSPFv2 Cryptographic Authentication
Since Cisco IOS Software Release 15.4(1)T, OSPFv2
supports SHA hashing authentication using key chains.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 95
Configuring OSPFv2 Cryptographic Authentication
Step 1. Configure a key chain using the key chain key-
name global configuration command.
The key chain contains the key ID and key string and enables the
cryptographic authentication feature using the cryptographic-
algorithm auth-algo
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 96
Configure OSPFv2 Cryptographic Authentication
Example
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 97
Configure OSPFv2 Cryptographic Authentication
Example
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 98
Configure OSPFv2 Cryptographic Authentication
Example
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 99
OSPFv3 Authentication
OSPFv3 requires the use of IPsec to enable authentication.
The security policy consists of the combination of the key and the
security parameter index (SPI).
The SPI is an identification tag added to the IPsec header.
Chapter 8
Configuring OSPFv3 Authentication on an
Interface Example
Chapter 8
Configuring OSPFv3 Authentication in an Area
Example
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 104
Configuring OSPFv3 Authentication in an Area
Example
Chapter 8
Configuring OSPFv3 Authentication in an Area
Example
Chap
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 106
Configuring BGP Authentication
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 107
BGP Authentication Configuration Checklist
This authentication is accomplished by the exchange of an
authentication key (password) that is shared between the
source and destination routers.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 109
BGP Authentication Configuration
Chapter
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 110
BGP for IPv6 Authentication Configuration
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 111
Implementing
VRF-Lite
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 112
Virtual Routing and Forwarding (VRF) is a technology that
allows the device to have multiple but separate instances of
routing tables exist and work simultaneously.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 115
Enabling VRF
Chapte
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 116
Enabling VRF
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 117
Enabling VRF
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 118
Enabling VRF
Chapter 8
119
Enabling VRF
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 120
Enabling VRF
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 121
Enabling VRF
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 122
Enabling VRF
Chap
ter 8 123
Easy Virtual Network
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 124
Easy Virtual Network
For true path isolation, Cisco Easy Virtual Network (EVN)
provides the simplicity of Layer 2 with the controls of Layer 3.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 125
Easy Virtual Network
EVNs route replication feature allows each virtual network to have direct access to
the Routing Information Base (RIB) in each VRF.
Once in routing context, the IOS commands do not have to be explicitly identified as
VRF commands.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 126
Summary
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 127
Write and follow a security policy before securing a device.
Use SSH instead of Telnet, especially when using it over an unsecure network.
Create router ALCs to protect the infrastructure by filtering traffic on the network
edge.
A key chain is a set of keys that can be used with routing protocol authentications.
When EIGRP authentication is configured, the router verifies every EIGRP packet.
Classic EIGRP for IPv4 and IPv6 supports MD5 authentication, and named EIGRP
supports SHA authentication.
Chapter 8
2007 2013, Cisco Systems, Inc. All rights reserved. Cisco Public 129
When authentication is configured, the router generates and checks every
OSPF packet and authenticates the source of each update packet that it
receives.
In OSPFv2 simple password authentication the routers send the key that is
embedded in the OSPF packets.
In OSPFv2 MD5 authentication the routers generate a hash of the key, key
ID, and message. The message digest is sent with the packet.
OSPFv3 uses native functionality offered by IPv6. All that is required for
OSPFv3 authentication is IPsec AH. AH provides authentication and
integrity check. IPsec ESP provides encryption for payloads, which is not
required for authentication.
Router generates and verifies MD5 digest of every segment sent over the
BGP connection.