8/15/2019 Route v7 Ch08
© 2007–2010, Cisco Systems, Inc. All rights reserved. Cisco Public. ROUTE v7 Chapter 8
Chapter 8: Routers and Routing Protocol Hardening
CCNP ROUTE: Routers and Routing Protocol Hardening
Chapter 8 Objectives
Securing the Management Plane on Cisco Routers
Describing Routing Protocol Authentication
Configuring Authentication for EIGRP
Configuring Authentication for OSPFv2 and OSPFv3
Configuring Authentication for BGP peers
Configuring VRF-lite
Routers and Routing Protocol Hardening
A router’s operational architecture can be categorized into three planes:
• Management plane: This plane is concerned with traffic that is sent to the Cisco IOS device and is used for device management. Securing this plane involves using strong passwords, user authentication, implementing role-based command-line interface (CLI), using Secure Shell (SSH), enabling logging, using Network Time Protocol (NTP), securing Simple Network Management Protocol (SNMP), and securing system files.
• Control plane: This plane is concerned with packet forwarding decisions such as routing protocol operations. Securing this plane involves using routing protocol authentication.
• Data plane: This plane is also known as the forwarding plane because it is concerned with the forwarding of data through a router. Securing this plane usually involves using access control lists (ACLs).
Securing the Management Plane on Cisco Routers
Securing the network infrastructure is critical to overall network security.
A compromised router can cause the network to be compromised on a larger scale.
• If an attacker gains access to a router, the security and management of the entire network can be compromised, leaving servers and endpoints at risk. For example, the attacker could cause a network disruption by erasing the startup configuration and reloading the router. When the router reboots, it will not have a startup configuration and, therefore, will not boot properly.
Routers must be hardened so that any attempts to disable a router, gain unauthorized access, or otherwise impair the functionality of the router can be stopped.
Securing the Management Plane on Cisco Routers
Router Security Policy
The first step to protect a router is to create and maintain a router security policy, which defines the security posture of routers.
The router security policy should help answer the following questions:
• Password encryption and complexity settings: Do passwords appear in encrypted form when viewed in the configuration file? According to policy, how often do router passwords (Telnet, username, enable) have to be changed? Do the router passwords meet the required complexity as defined by the policy?
• Authentication settings: Is a message of the day (MOTD) banner defined? Is authentication on the router done through locally configured usernames and passwords, or through external AAA servers? Are login and logout tracking and command accounting for the router administrators through the external AAA server enabled?
• Management access settings: Is Telnet access allowed for router management? Is the HTTP or HTTPS server used for router management? Which version of SNMP is used to manage the router? Is the SNMP process restricted to a certain range of IP addresses only? How often is the SNMP community string changed?
Securing the Management Plane on Cisco Routers
Router Security Policy
The router security policy should help answer the following questions:
• Securing management access using SSH: Is management access secure? Do we still have to support Telnet? Are we using SSH for management access? If Telnet support is required, how are we securing it?
• Unneeded services settings: Are the unneeded services and interfaces disabled? Which services are unneeded?
• Ingress/egress filtering settings: Is filtering of RFC 1918 IP addresses enabled? Are anti-spoofing ACLs in place? Is Unicast RPF filtering enabled?
• Routing protocol security settings: Is routing protocol message authentication enabled?
• Configuration maintenance: How often are the router configurations backed up? Is the backup moved to an offsite (disaster recovery) site? Is there a documented procedure for the backup of router configurations? Is TFTP used to transfer the configuration or the files to and from the router? On the system where the configuration files are stored, is the local operating system’s security mechanism used for restricting the access to the files?
Securing the Management Plane on Cisco Routers – Encrypted Passwords
Use Strong Passwords
Administrators should ensure that strong passwords are used across the network. To protect assets, such as routers and switches, follow these common guidelines for choosing strong passwords.
These guidelines are designed to make passwords more difficult to discover through the use of intelligent guessing and password-cracking tools:
• Use a password length of ten or more characters. A longer password is a better password.
• Make passwords complex. Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces.
Securing the Management Plane on Cisco Routers – Encrypted Passwords
Use Strong Passwords
• Avoid passwords based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, biographical information, such as birthdates, ID numbers, ancestor names, or other easily identifiable pieces of information.
• Deliberately misspell a password (for example, Smith = Smyth = 5mYth or Security = 5ecur1ty).
• Change passwords often. If a password is unknowingly compromised, the window of opportunity for the attacker to use the password is limited.
• Do not write passwords down and leave them in obvious places, such as on the desk or monitor.
Securing the Management Plane on Cisco Routers - Authentication, Authorization, Accounting
Securing management access to the infrastructure network consists of authenticating users before they access the network, identifying what they are capable of doing and what restrictions apply to them, and logging the information about user activities for accounting purposes.
Authentication, authorization, and accounting (AAA) is a standards-based framework that can be implemented to control who is permitted to access a network (authenticate), what they can do on that network (authorize), and to audit what they did while accessing the network (accounting).
Implementation of the AAA model provides the following advantages:
• Increased flexibility and control of access configuration: AAA offers additional authorization flexibility on a per-command or per-interface level.
• Scalability: Local authentication is appropriate for a small network with few administrative users. However, it does not scale well beyond that. AAA provides a very scalable solution that is required when managing large networks.
• Multiple backup systems: Multiple AAA servers can be identified for redundancy reasons. If a AAA server fails, the next server on the list would provide AAA services.
Securing the Management Plane on Cisco Routers - Authentication, Authorization, Accounting
Implementation of the AAA model provides the following advantages (cont’d):
• Standardized authentication methods: AAA supports the RADIUS protocol open standard to ensure interoperability and flexibility with other vendor devices.
• Users must authenticate against an authentication database, which can be stored:
  • Locally: Users are authenticated against the local device database, which is created using the username secret command (sometimes referred to as self-contained AAA).
  • Centrally: A client/server model where users are authenticated against AAA servers. This provides improved scalability, manageability, and control. Communication between the device and AAA servers is secured using either the RADIUS or TACACS+ protocols.
Securing the Management Plane on Cisco Routers
RADIUS and TACACS+ Overview
When users attempt to authenticate to a device, the device communicates with a AAA server using either the
• RADIUS protocol: An open standard protocol described in RFCs 2865 (authentication and authorization) and 2866 (accounting). It combines authentication and authorization into one service using UDP port 1812 (or UDP 1645), and the accounting service uses UDP port 1813 (or UDP 1646). RADIUS does not encrypt the entire message exchanged between device and server. Only the password portion of the RADIUS packet header is encrypted, thereby identifying the AAA server as an authoritative source to authenticate against.
• TACACS+: A Cisco proprietary protocol that separates all three AAA services using the more reliable TCP port 49. TACACS+ encrypts the entire message exchanged; therefore, communication between the device and the TACACS+ server is completely secure.
Securing the Management Plane on Cisco Routers
RADIUS and TACACS+ Overview
The client attempts to authenticate to R1. The router is called a network access server (NAS) or remote-access server (RAS). Steps 1 through 4 illustrate how the client is queried by the NAS for their credentials. In Step 5, the NAS sends the client’s login request in the form of an Access-Request packet, which contains the username, encrypted password, NAS IP address, and NAS port number.
To ensure that the NAS is authorized to communicate with it, the server compares the shared secret key sent in the request packet with the value configured on the server. If the shared secrets do not match, the server drops the packet. If the shared secrets match, the credentials in the packet are compared to the username and password in the AAA server database.
If a match is found, the RADIUS server returns an Access-Accept packet with a list of attributes to be used with this session. If a match is not found, the RADIUS server returns an Access-Reject packet.
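The "encrypted password" in the Access-Request above, worked through in Python as an added example that is not part of the Cisco slides: it implements the RFC 2865 User-Password hiding a NAS applies with the shared secret and the 16-octet Request Authenticator, plus the server-side reversal. The secret, password and authenticator values are constructed for the example; under RFC 2865 the secret itself is not carried in the packet, so a server configured with a different secret recovers garbage and rejects the login.

```python
import hashlib
import secrets

# Constructed sample values (not from the slides): the RADIUS shared secret
# configured on both the NAS and the server, and the user's password.
SHARED_SECRET = b"RADIUS-1-pa55w0rd"
USER_PASSWORD = b"Str0ngPa55w0rd"


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side of RFC 2865 section 5.2 (User-Password attribute).

    The password is null-padded to a multiple of 16 octets.  Each block is
    XORed with MD5(secret + previous ciphertext block); for the first block
    the "previous block" is the 16-octet Request Authenticator.  The secret
    never appears in the packet, only this XOR stream does.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        hidden += block
        prev = block          # chaining: the next block keys off this ciphertext
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the same stream and strip the null padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    plain = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        stream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ s for c, s in zip(block, stream))
        prev = block
    return bytes(plain).rstrip(b"\x00")   # assumes the password has no trailing NULs


def server_accepts(hidden: bytes, authenticator: bytes,
                   server_secret: bytes, db_password: bytes) -> bool:
    """Access-Accept if the recovered password matches the server's database.

    With a mismatched shared secret the recovered bytes are garbage, so the
    login fails: that is how the secret vouches for the NAS in practice.
    """
    return reveal_password(hidden, server_secret, authenticator) == db_password


if __name__ == "__main__":
    # A NAS picks a fresh random Request Authenticator for every Access-Request.
    request_authenticator = secrets.token_bytes(16)
    on_the_wire = hide_password(USER_PASSWORD, SHARED_SECRET, request_authenticator)
    print("User-Password on the wire:", on_the_wire.hex())
    print("accepted by correctly keyed server:",
          server_accepts(on_the_wire, request_authenticator, SHARED_SECRET, USER_PASSWORD))
    print("accepted by server with wrong secret:",
          server_accepts(on_the_wire, request_authenticator, b"wrong-secret", USER_PASSWORD))
```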
Securing the Management Plane on Cisco Routers
TACACS+
The client attempts to authenticate to the NAS, R1. In Step 1, the client initiates a connection to the NAS, and the NAS immediately establishes a TCP connection with the AAA server.
In Steps 2 through 4, the NAS contacts the AAA server to obtain a username prompt, which is then displayed to the client. In Steps 5 and 6, the username entered by the user is forwarded to the server. In Steps 7 through 9, the NAS contacts the AAA server to obtain the password prompt, which is then displayed to the client. Steps 10 and 11 forward the client’s password to the AAA server to be validated against the database.
If a match is found, the server will send an Accept message to the client, and the authorization phase may begin (if configured on the NAS). If a match is not found, however, the server will respond with a Reject message, and any further access will be denied.
Securing the Management Plane on Cisco Routers - Enabling AAA and Local Authentication
The following are the configuration steps required to enable AAA local authentication:
Step 1. Create local user accounts using the username name secret password global configuration command.
Step 2. Enable AAA by using the aaa new-model global configuration command. This command is required to enable all other AAA-related commands. Until this command is enabled, all other AAA commands are hidden. The command also immediately applies local authentication to all lines and interfaces except the console line.
Step 3. Configure the security protocol parameters including the server IP address and secret key. The actual commands will vary depending on whether RADIUS or TACACS+ is used and whether multiple servers are being implemented.
Step 4. Define the authentication method lists using the aaa authentication login {default | list-name} method1 [...[method4]] command. The default method list applies to any interface, line, or service unless a list-name method list is defined. The default keyword is typically used in smaller environments with a single shared AAA infrastructure. Alternatively, a list-name method list must be explicitly applied to an interface, line, or service. The list-name
Securing the Management Plane on Cisco Routers - Enabling AAA and Local Authentication
The following are the configuration steps required to enable AAA local authentication:
Multiple authentication methods can be defined for fault tolerance. The most commonly used aaa authentication command methods include group radius, group tacacs+, local, and local-case. When multiple authentication methods are configured, the additional methods of authentication are used only if the previous method returns an error, not if it fails.
Step 5. If required, apply the method lists to the console, vty, or aux lines. If a default authentication method was defined, the console, vty, and aux lines are automatically configured for AAA authentication. If a list-name was configured, the lines require the login list-name line configuration command.
Step 6. (Optional) Configure authorization using the aaa authorization global configuration command.
Step 7. (Optional) Configure accounting using the aaa accounting global configuration command.
Securing the Management Plane on Cisco Routers - Enabling AAA and Local Authentication
Enabling AAA RADIUS Authentication with Local User for Backup
RADIUS is commonly implemented to provide AAA authentication. For fallback purposes, it is a good idea to configure a few local accounts on each device to serve as a backup, should external servers fail.
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# radius server RADIUS-1
R1(config-radius-server)# address ipv4 192.168.1.101
R1(config-radius-server)# key RADIUS-1-pa55w0rd
R1(config-radius-server)# exit
R1(config)# radius server RADIUS-2
R1(config-radius-server)# address ipv4 192.168.1.102
R1(config-radius-server)# key RADIUS-2-pa55w0rd
R1(config-radius-server)# exit
R1(config)# aaa group server radius RADIUS-GROUP
R1(config-sg-radius)# server name RADIUS-1
R1(config-sg-radius)# server name RADIUS-2
R1(config-sg-radius)# exit
R1(config)# aaa authentication login default group RADIUS-GROUP local
R1(config)# aaa authentication login TELNET-LOGIN group RADIUS-GROUP local-case
R1(config)# line vty 0 4
R1(config-line)# login authentication TELNET-LOGIN
R1(config-line)# exit
A second AAA login authentication method is specified using a named method list called TELNET-LOGIN. This method authenticates like the default list, except that the local-case keyword also makes the username case sensitive. The local keyword only makes the password case sensitive.
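The fallback rule stated above (the next method is tried only when the previous one returns an error, not when it rejects) and the local versus local-case distinction, modelled in Python as an added example that is neither the slides' configuration nor IOS code. RadiusServer, run_method_list, build_lists and the sample accounts are constructed for the illustration, and the local method is simplified to always answer PASS or FAIL.

```python
from dataclasses import dataclass, field

# Constructed local user database, mirroring the two accounts on the slide.
LOCAL_USERS = {"JR-ADMIN": "Str0ngPa55w0rd", "ADMIN": "Str0ng5rPa55w0rd"}

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class RadiusServer:
    """One member of an 'aaa group server radius' (constructed model)."""
    name: str
    reachable: bool = True
    users: dict = field(default_factory=dict)   # the server's own accounts

    def authenticate(self, username, password):
        # An unreachable server gives no answer at all, so the group moves on.
        if not self.reachable:
            return ERROR
        return PASS if self.users.get(username) == password else FAIL


def method_group(servers):
    """'group <name>': ask servers in order; an answer from any one is final."""
    def run(username, password):
        for server in servers:
            result = server.authenticate(username, password)
            if result != ERROR:
                return result          # Access-Accept or Access-Reject ends the list
        return ERROR                   # every server timed out: fall through
    return run


def method_local(case_sensitive_username):
    """'local' (username case-insensitive) or 'local-case' (case-sensitive).

    The password comparison is case-sensitive in both variants, as the
    slide states.  Simplification: this model never returns ERROR.
    """
    def run(username, password):
        if case_sensitive_username:
            stored = LOCAL_USERS.get(username)
        else:
            matches = [p for u, p in LOCAL_USERS.items() if u.lower() == username.lower()]
            stored = matches[0] if matches else None
        return PASS if stored is not None and stored == password else FAIL
    return run


def run_method_list(methods, username, password):
    """aaa authentication login semantics: advance only on ERROR, never on FAIL."""
    for method in methods:
        result = method(username, password)
        if result != ERROR:
            return result
    return ERROR     # no method could decide; the login is denied


def build_lists(radius_1, radius_2):
    """The two method lists from the slide's configuration."""
    group = method_group([radius_1, radius_2])
    return {
        "default": [group, method_local(case_sensitive_username=False)],
        "TELNET-LOGIN": [group, method_local(case_sensitive_username=True)],
    }


if __name__ == "__main__":
    # Both RADIUS servers down: only the local fallback can answer.
    lists = build_lists(RadiusServer("RADIUS-1", reachable=False),
                        RadiusServer("RADIUS-2", reachable=False))
    for name in ("default", "TELNET-LOGIN"):
        print(name, "jr-admin:", run_method_list(lists[name], "jr-admin", "Str0ngPa55w0rd"))
```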
Securing the Management Plane on Cisco Routers - AAA Servers Limitations
Limitations of TACACS+ and RADIUS
RADIUS is not suitable to be used in the following situations:
• Multiprotocol access environments: RADIUS does not support older protocols such as ARA, NBFCP, NASI, and X.25 PAD connections.
• Device-to-device situations: RADIUS operates in a client/server mode, where authentication can only be initiated by a client and where the server always authenticates the client. RADIUS does not offer two-way authentication. Therefore, if two devices need mutual authentication, RADIUS is not an appropriate solution.
• Networks using multiple services: RADIUS authentication can be used for character mode service or PPP mode service. Character mode is authenticating the user for administrative access to the device using Telnet service. PPP mode is used to authenticate the user to provide access to network resources behind the NAS. RADIUS can bind a user to a single service model only. Therefore, RADIUS cannot bind a user simultaneously to character and PPP mode.
Securing the Management Plane on Cisco Routers - AAA Servers Limitations
Limitations of TACACS+ and RADIUS
TACACS+ is not suitable to be used in the following situations:
• Multivendor environment: TACACS+ is a Cisco proprietary protocol. Some vendors may not support it, although Cisco has published the TACACS+ specification in the form of a draft RFC.
• When speed of response from the AAA services is of concern: TACACS+ is a little slower at responding than RADIUS. The reason is that RADIUS uses the UDP transport protocol, which is faster than TACACS+, which uses the TCP transport protocol. TCP is a connection-oriented protocol, which means that a connection between two endpoints has to be established before the data can start to flow. This mechanism consumes precious time, and therefore TACACS+ might not be the best option if a fast response from the AAA services is required.
Use SSH Instead of Telnet
When enabling remote administrative access, consider the security implications of sending information across the network.
Traditionally, remote access on routers was configured using Telnet on TCP port 23. However, Telnet was developed in the days when security was not an issue; therefore, all Telnet traffic is forwarded in plain text.
An attacker could capture Telnet frames originating from an administrator’s computer using a protocol analyzer such as Wireshark to discover the administrative password or device configuration.
Secure Shell (SSH) provides an encrypted mechanism for accessing a router. It has replaced Telnet as the recommended practice for providing remote router administration with connections that support confidentiality and session integrity. It provides functionality that is similar to an outbound Telnet connection, except that the connection is encrypted and operates on port 22. With authentication and encryption, SSH allows for secure communication over a non-secure network. Therefore, it is advisable to set up SSH access on a router and then disable Telnet access to it.
Use SSH Instead of Telnet
Complete the following steps to enable SSH access instead of Telnet:
Step 1. Enable the use of the SSH protocol: Ensure that the target routers are running a Cisco IOS release that supports SSH.
Step 2. Enable local authentication for SSH access: This is because SSH access requires login using a username and password.
Step 3. Allow SSH from authorized hosts: Optionally allow SSH access only from authorized hosts by specifying an ACL.
Securing Access to the Infrastructure Using Router ACLs
Infrastructure ACLs are typically applied in the input direction on the interface that connects to the network users or external networks with the following policies:
• All the traffic to the IP addresses of the network infrastructure devices is dropped and logged. This rule prevents the network users from sending the routing protocol or the management traffic to network devices. Include the destination addresses that encompass all the device IP addresses as a condition. Note that this approach does not prevent users from sending malicious transit traffic that would require processing in the CPU-intensive slow data plane paths on the network devices. Such transit traffic may include packets with IP options or packets that require processing that is not supported in the efficient fast data plane path.
• All the other traffic is permitted and allows all the transit traffic over the network.
• The first rule may need to be relaxed to permit some network signaling exceptions, such as BGP sessions from trusted external peers, internal routing protocol sessions, and ICMP, SSH, and SNMP traffic from management stations.
• An infrastructure ACL is constructed and applied to specify connections from hosts or networks that need to be allowed to the network devices. Common examples of these types of connections are EBGP, SSH, and SNMP. After the required connections have been permitted, all the other traffic to the infrastructure is explicitly denied. All the transit traffic that crosses the network and is not destined to the infrastructure devices is then explicitly permitted.
Securing Access to the Infrastructure Using Router ACLs - example
R1(config)# ip access-list extended ACL-INFRASTRUCTURE-IN
R1(config-ext-nacl)# remark Deny IP fragments
R1(config-ext-nacl)# deny tcp any any fragments
R1(config-ext-nacl)# deny udp any any fragments
R1(config-ext-nacl)# deny icmp any any fragments
R1(config-ext-nacl)# deny ip any any fragments
R1(config-ext-nacl)# remark permit required connections for management traffic
R1(config-ext-nacl)# permit tcp host 10.10.12.2 host 10.10.12.1 eq 179
R1(config-ext-nacl)# permit tcp host 10.10.12.2 eq 179 host 10.10.12.1
R1(config-ext-nacl)# permit tcp host 10.0.0.10 any eq 22
R1(config-ext-nacl)# remark Permit ICMP Echo from management station
R1(config-ext-nacl)# permit icmp host 10.0.0.10 any echo
R1(config-ext-nacl)# remark Deny all other IP traffic to any network device
R1(config-ext-nacl)# deny ip any 10.0.0.0 0.0.0.255
R1(config-ext-nacl)# remark permit transit traffic
R1(config-ext-nacl)# permit ip any any
R1(config-ext-nacl)# exit
R1(config)# interface ethernet 0/0
R1(config-if)# ip access-group ACL-INFRASTRUCTURE-IN in
R1(config-if)#^Z
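To see how the ACL above is evaluated, here is an added Python model (not IOS code and not from the slides) that encodes ACL-INFRASTRUCTURE-IN as a first-match list and runs constructed sample packets through it; Packet, Ace, evaluate and coverage_gaps are names invented for the example, and fragment handling is simplified. It also checks whether each infrastructure address an operator lists actually falls under the "deny all other IP traffic to any network device" entry, which is the point the previous slide makes about encompassing all device addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "0.0.0.0/0"


@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    fragment: bool = False           # non-initial fragment (no L4 header present)
    icmp_type: Optional[str] = None  # e.g. "echo"


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: str                         # CIDR; ANY for 'any', /32 for 'host'
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    fragments: bool = False          # the IOS 'fragments' keyword
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.fragments:
            return p.fragment        # only non-initial fragments match this entry
        has_l4 = self.sport is not None or self.dport is not None or self.icmp_type is not None
        if p.fragment and has_l4:
            return False             # simplification: no L4 header to compare against
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return self.icmp_type is None or self.icmp_type == p.icmp_type


# ACL-INFRASTRUCTURE-IN exactly as listed on the slide, in order.
ACL_INFRASTRUCTURE_IN = [
    Ace("deny", "tcp", ANY, ANY, fragments=True),
    Ace("deny", "udp", ANY, ANY, fragments=True),
    Ace("deny", "icmp", ANY, ANY, fragments=True),
    Ace("deny", "ip", ANY, ANY, fragments=True),
    Ace("permit", "tcp", "10.10.12.2/32", "10.10.12.1/32", dport=179),   # eBGP to R1
    Ace("permit", "tcp", "10.10.12.2/32", "10.10.12.1/32", sport=179),   # eBGP from peer's port 179
    Ace("permit", "tcp", "10.0.0.10/32", ANY, dport=22),                 # SSH from management station
    Ace("permit", "icmp", "10.0.0.10/32", ANY, icmp_type="echo"),
    Ace("deny", "ip", ANY, "10.0.0.0/24"),                               # all other traffic to devices
    Ace("permit", "ip", ANY, ANY),                                       # transit
]


def evaluate(acl, p: Packet):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for index, ace in enumerate(acl):
        if ace.matches(p):
            return ace.action, index
    return "deny", None


def coverage_gaps(acl, device_addresses, untrusted_src="203.0.113.9"):
    """Device addresses that an untrusted host could still reach on TCP/22.

    The slide says the deny entry must encompass *all* device addresses;
    this returns the ones the ACL as written does not protect.
    """
    return [d for d in device_addresses
            if evaluate(acl, Packet("tcp", untrusted_src, d, 40000, 22))[0] == "permit"]


if __name__ == "__main__":
    samples = [("eBGP peer", Packet("tcp", "10.10.12.2", "10.10.12.1", 40001, 179)),
               ("SSH from mgmt", Packet("tcp", "10.0.0.10", "10.0.0.1", 40002, 22)),
               ("SSH from user", Packet("tcp", "192.0.2.5", "10.0.0.1", 40003, 22)),
               ("transit web", Packet("tcp", "192.0.2.5", "198.51.100.7", 40004, 80))]
    for label, pkt in samples:
        print(f"{label:14} -> {evaluate(ACL_INFRASTRUCTURE_IN, pkt)}")
    # R1's 10.10.12.1 interface is outside 10.0.0.0/24, so the deny entry misses it.
    print("unprotected device addresses:",
          coverage_gaps(ACL_INFRASTRUCTURE_IN, ["10.0.0.1", "10.10.12.1"]))
```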
Implement Unicast Reverse Path Forwarding
Network administrators can use Unicast Reverse Path Forwarding (uRPF) to help limit the malicious traffic on an enterprise network. This security feature works with Cisco Express Forwarding (CEF) by enabling the router to verify that the source of any IP packets received is in the CEF table and reachable via the routing table. If the source IP address is not valid, the packet is discarded.
The uRPF feature is commonly used to prevent common spoofing attacks and follows RFC 2827 for ingress filtering to defeat denial-of-service (DoS) attacks, which employ IP source address spoofing. RFC 2827 recommends that service providers filter their customers’ traffic and drop any traffic entering their networks that is coming from an illegitimate source address.
The uRPF feature works in one of two modes:
• Strict mode: The packet must be received on the interface that the router would use to forward the return packet. uRPF configured in strict mode may drop legitimate traffic that is received on an interface that was not the router’s choice for sending return traffic. Dropping this legitimate traffic could occur when asymmetric routing paths are present in the network.
• Loose mode: The source address must appear in the routing table. Administrators can change this behavior using the allow-default option, which allows the use of the default route in the source verification process. In addition, a packet that contains a source address for which the return route points to the Null 0 interface will be dropped. An access list may also be specified that permits or denies certain source addresses in uRPF loose mode.
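Strict versus loose mode, worked through in Python as an added example (neither the slides' nor IOS code): urpf_check does a longest-prefix lookup of the source address against a constructed routing table and applies the rules listed above, including the Null0 and allow-default cases. The asymmetric-routing drop in strict mode is the case to check for before enabling it on an interface.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str      # CIDR
    iface: str       # egress interface; "Null0" means the prefix is black-holed


# Constructed routing table (not from the slides).  10.1.0.0/16 is reached
# via Gi0/2, but a host there may still send to us through Gi0/1 if the
# forward and return paths differ.
ROUTES = [
    Route("0.0.0.0/0", "Gi0/0"),
    Route("10.0.0.0/8", "Gi0/1"),
    Route("10.1.0.0/16", "Gi0/2"),
    Route("192.0.2.0/24", "Null0"),   # black-hole route
]

DEFAULT = "0.0.0.0/0"


def lookup(routes, address):
    """Longest-prefix match for the packet's *source* address."""
    addr = ipaddress.ip_address(address)
    best, best_len = None, -1
    for route in routes:
        net = ipaddress.ip_network(route.prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def urpf_check(routes, src, in_iface, mode="strict", allow_default=False):
    """Return True if the packet passes the uRPF check on in_iface.

    strict: the best route back to src must point out of in_iface.
    loose:  any route to src suffices.  In both modes a route via Null0
    fails, and the default route only counts when allow-default is set.
    """
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    route = lookup(routes, src)
    if route is None:
        return False                          # source not in the routing table
    if route.prefix == DEFAULT and not allow_default:
        return False                          # default route ignored unless allowed
    if route.iface == "Null0":
        return False                          # black-holed source: always dropped
    if mode == "strict":
        return route.iface == in_iface        # must arrive where we would reply
    return True


def classify(routes, src, in_iface):
    """Both verdicts side by side, for the asymmetric-routing discussion."""
    return {"strict": urpf_check(routes, src, in_iface, "strict"),
            "loose": urpf_check(routes, src, in_iface, "loose")}


if __name__ == "__main__":
    for src, iface in [("10.1.2.3", "Gi0/2"), ("10.1.2.3", "Gi0/1"),
                       ("192.0.2.9", "Gi0/0"), ("203.0.113.5", "Gi0/0")]:
        print(src, "in on", iface, classify(ROUTES, src, iface))
```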
Routing Protocol Authentication Options
The routing protocol is also susceptible to an attack. For example, a router could be receiving false route updates from an attacker to nefarious destinations. The solution is to enable routing protocol authentication.
The Purpose of Routing Protocol Authentication
The falsification of routing information is a more subtle class of attack that targets the information carried within the routing protocol. The consequences of falsifying routing information are as follows:
• Redirect traffic to create routing loops
• Redirect traffic to monitor on an insecure line
• Redirect traffic to discard it
Routing Protocol Authentication Options
Two types of neighbor authentication can be used:
• Plain-text authentication (also referred to as simple password authentication)
• Hashing authentication
Each method requires the use of a key to be used in the authentication process.
Routing protocols that support plain-text authentication include RIPv2, OSPFv2, and IS-IS.
Routing Protocol Authentication Options
Hashing Authentication
• With hashing authentication, the routing protocol update does not contain the plain-text key. Instead, it contains a hash value that is used by the receiving router to validate the authenticity of the routing update. The hash value is often referred to as a signature.
Routing Protocol Authentication Options
Time-Based Key Chains
The security of routing protocol authentication can be increased by changing the secret keys often. However, routing between neighbors can be interrupted during the key rollover process. For instance, when a router is reconfigured with a new key, it will lose its neighbor adjacency until the other neighbors are configured with the same new key.
Some routing protocols support a time-based key chain management feature that provides a secure mechanism to maintain stable communications while handling this key rollover period. These routing protocols can use more than one key at a time to authenticate the update. Transitioning between the keys using time-based key chains provides a non-disruptive exchange of routing updates.
Key Chain Specifics
A key chain is created using the key chain key-name global configuration command. Entering this command changes the prompt to key chain configuration mode. The key chain contains sets of keys (sometimes called shared secrets) that include
• Key ID: Configured using the key key-id key chain configuration mode command. Key IDs can range from 1 to 255. Entering this command changes the prompt to key chain key configuration mode.
• Key string (password): Configured using the key-string password key chain key configuration mode command.
• Key lifetimes: (Optional) Configured using the send-lifetime and accept-lifetime key chain key configuration mode commands.
Key-based routing protocols store and use more than one key for a feature at the same time. The key used will vary based on the send and accept lifetimes of a key. The device uses the lifetimes of keys to determine which keys in a key chain are active.
Each key in a key chain has two lifetimes, as follows:
• Accept lifetime: The time interval within which the device accepts the key during key exchange with another device
• Send lifetime: The time interval within which the device sends the key during key exchange with another device
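The hash "signature" from the Hashing Authentication slide and the accept/send lifetimes above, combined in one added Python example that is neither the slides' code nor an IOS implementation: a key chain with two overlapping keys selects the send key and the accepted key set for a given time, and each update carries a key ID plus an MD5 digest over the update and the key, in the style of OSPFv2 cryptographic authentication (RFC 2328 Appendix D) rather than any specific EIGRP packet layout. Assumed for the example: the router sends with the lowest-numbered key valid for sending, key IDs are 1 to 255 as the slide states, and the rollover times are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass
class Key:
    key_id: int                      # 1..255, as in 'key <key-id>'
    key_string: bytes                # 'key-string <password>'
    accept_start: datetime           # accept-lifetime start
    accept_end: Optional[datetime]   # None = infinite
    send_start: datetime             # send-lifetime start
    send_end: Optional[datetime]

    def __post_init__(self):
        if not 1 <= self.key_id <= 255:
            raise ValueError("key ID must be 1..255")

    def accepts_at(self, t: datetime) -> bool:
        return self.accept_start <= t and (self.accept_end is None or t < self.accept_end)

    def sends_at(self, t: datetime) -> bool:
        return self.send_start <= t and (self.send_end is None or t < self.send_end)


def send_key(chain: List[Key], t: datetime) -> Optional[Key]:
    """Assumption: the lowest-numbered key valid for sending at time t is used."""
    valid = [k for k in chain if k.sends_at(t)]
    return min(valid, key=lambda k: k.key_id) if valid else None


def accepted_key_ids(chain: List[Key], t: datetime) -> List[int]:
    return sorted(k.key_id for k in chain if k.accepts_at(t))


def digest(update: bytes, key_string: bytes) -> bytes:
    # Keyed MD5 in the RFC 2328 Appendix D style: the message followed by the
    # key, truncated or NUL-padded to 16 octets.  The key string is never sent.
    return hashlib.md5(update + key_string[:16].ljust(16, b"\x00")).digest()


def sign_update(chain: List[Key], update: bytes, t: datetime) -> bytes:
    """Authentication trailer: 1-byte key ID followed by the 16-byte digest."""
    k = send_key(chain, t)
    if k is None:
        raise RuntimeError(f"no key valid for sending at {t}")
    return bytes([k.key_id]) + digest(update, k.key_string)


def verify_update(chain: List[Key], update: bytes, trailer: bytes, t: datetime) -> bool:
    """Receiver: the named key must be inside its accept-lifetime and the digest must match."""
    if len(trailer) != 17:
        return False
    key_id, received = trailer[0], trailer[1:]
    for k in chain:
        if k.key_id == key_id and k.accepts_at(t):
            return hmac.compare_digest(received, digest(update, k.key_string))
    return False                      # unknown key, or key outside its accept window


def T(hh: int, mm: int) -> datetime:
    return datetime(2019, 8, 15, hh, mm)


# Constructed rollover: key 1 stops being sent at 01:00 but is accepted until
# 01:30; key 2 is accepted from 00:30 and sent from 01:00.  The overlap keeps
# adjacencies up while neighbours roll over at slightly different times.
CHAIN = [
    Key(1, b"secret-1", T(0, 0), T(1, 30), T(0, 0), T(1, 0)),
    Key(2, b"secret-2", T(0, 30), None, T(1, 0), None),
]

if __name__ == "__main__":
    update = b"constructed routing update payload"
    for t in (T(0, 45), T(1, 15), T(2, 0)):
        print(t.time(), "send key:", send_key(CHAIN, t).key_id,
              "accepted:", accepted_key_ids(CHAIN, t))
    trailer = sign_update(CHAIN, update, T(0, 45))      # signed with key 1
    print("key-1 update received at 01:15:", verify_update(CHAIN, update, trailer, T(1, 15)))
    print("key-1 update received at 02:00:", verify_update(CHAIN, update, trailer, T(2, 0)))
```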
Routing Protocol Authentication Options
Authentication Options with Different Routing Protocols
The table below summarizes the different routing protocol authentication options.
Note: EIGRP SHA does not support key chains.
EIGRP Authentication
The EIGRP MD5 authentication configuration steps are as follows:
• Step 1. Configure the key chain:
  • The key chain global configuration command is used to define all the keys that are used for EIGRP MD5 authentication. Once in key chain configuration mode, use the key command to identify the key in the key chain. Each key is defined by the number, which defines the key ID. When the key command is used, the configuration enters the key chain key configuration mode, where the key-string authentication-key configuration command must be used to specify the authentication string (or password). The key ID and authentication string must be the same on all neighboring routers.
• Step 2. Configure the authentication mode for EIGRP:
  • The only authentication type that is available in classic EIGRP configuration is MD5. The newer named EIGRP configuration method also supports the more secure SHA hashing algorithm.
• Step 3. Enable authentication to use the key or keys in the key chain:
  • When an authentication type is selected and a key chain is configured, authentication of EIGRP packets must be enabled on all interfaces that are participating in the EIGRP domain as well. Authentication is enabled using the ip authentication key-chain eigrp interface command.
EIGRP Authentication
The EIGRP MD5 authentication configuration steps are as follows:
• Step 1. Configure the key chain:
  R1(config)# key chain EIGRP-KEYS
  R1(config-keychain)# key 1
  R1(config-keychain-key)# key-string secret-1
  R1(config-keychain-key)# end
• Step 2. Configure the authentication mode for EIGRP:
  R1(config)# interface Ethernet 0/0
  R1(config-if)# ip authentication mode eigrp 100 md5
• Step 3. Enable authentication to use the key or keys in the key chain:
  R1(config-if)# ip authentication key-chain eigrp 100 EIGRP-KEYS
EIGRP Authentication
Configuring EIGRP for IPv6 Authentication
• The only differences are that the commands use ipv6 instead of ip, and that SHA can be used.
Configuring Named EIGRP Authentication
• R1(config)# key chain NAMED-R1-Chain
• R1(config-keychain)# key 1
• R1(config-keychain-key)# key-string secret-1
• R1(config-keychain-key)# exit
• R1(config-keychain)# exit
• R1(config)# router eigrp ROUTE
• R1(config-router)# address-family ipv4 autonomous-system 110
• R1(config-router-af)# network 10.10.0.0 0.0.255.255
• R1(config-router-af)# af-interface ethernet 0/0
• R1(config-router-af-interface)# authentication key-chain NAMED-R1-Chain
• R1(config-router-af-interface)# authentication mode md5
• R1(config-router-af-interface)# end
OSPF Authentication
When OSPFv2 neighbor authentication is enabled on a router, the router authenticates the source of each routing update packet that it receives. It performs this authentication by embedding an authentication data field in each OSPF packet. The authentication data is computed based on the authentication key, sometimes referred to as a password, which is known to both the sending and the receiving router.
By default, OSPF does not authenticate routing updates. This means that routing exchanges over a network are not authenticated. OSPFv2 supports:
• Plain-text authentication:
• Simple password authentication. Least secure and not recommended for production environments.
• MD5 authentication:
• Secure and simple to configure using two commands. Should only be implemented if SHA authentication is not supported.
• SHA authentication:
• Most secure solution, using key chains. Referred to as the OSPFv2 cryptographic authentication feature and only available since IOS 15.4(1)T.
OSPF Authentication
OSPF MD5 Authentication
There are two tasks to enable MD5 hashing authentication:
• Step 1.
• Configure a key ID and keyword (password) using the ip ospf message-digest-key key-id md5 password interface configuration command. The key ID and password are used to generate the hash value that is appended to the OSPF update. The password maximum length is 16 characters. Cisco IOS Software will display a warning if a password longer than 16 characters is entered.
• Step 2.
• Enable MD5 authentication using either the ip ospf authentication message-digest interface configuration command or the area area-id authentication message-digest OSPF router configuration command. The first command only enables MD5 authentication on a specific interface, and the second command enables authentication for all OSPFv2 interfaces.
OSPF Authentication
OSPF MD5 Authentication
• R1(config)# interface ethernet 0/2
• R1(config-if)# ip ospf authentication message-digest
• R1(config-if)# ip ospf message-digest-key 1 md5 secret-1
• Or, enabled for an entire area:
• R1(config)# interface ethernet 0/0
• R1(config-if)# ip ospf message-digest-key 1 md5 secret-2
• R1(config-if)# exit
• R1(config)# router ospf 1
• R1(config-router)# area 0 authentication message-digest
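As an added illustration, not part of the course material, the Python below models what the two steps above switch on, following RFC 2328 Appendix D: the sender appends an MD5 digest of the packet plus the zero-padded 16-byte key (the reason for the 16-character limit), and the receiver picks the key by key ID, recomputes the digest, and, going one step beyond the slide, rejects packets whose cryptographic sequence number is older than the last one seen from that neighbor. The router ID, area and Hello body are constructed; key ID 1 and key-string secret-1 are the slide's values.

```python
import hashlib
import hmac
import socket
import struct

# RFC 2328 Appendix D: AuType 2 is cryptographic (MD5) authentication. The key
# is always 16 bytes, zero-padded, which is why IOS caps the message-digest-key
# password at 16 characters.
AUTYPE_CRYPTO, KEY_LEN, HDR_LEN = 2, 16, 24


def pad_key(key):
    raw = key.encode()
    if len(raw) > KEY_LEN:
        raise ValueError("OSPF MD5 key must be 16 characters or fewer")
    return raw.ljust(KEY_LEN, b"\x00")


def build_packet(body, router_id, area_id, key_id, key, seq, ptype=1):
    """Sender side: OSPFv2 header + body with the MD5 digest appended.
    The length field excludes the digest, the checksum stays zero (unused
    with AuType 2) and the authentication field carries key ID, digest
    length and the cryptographic sequence number."""
    length = HDR_LEN + len(body)
    header = struct.pack("!BBH4s4sHH", 2, ptype, length,
                         socket.inet_aton(router_id), socket.inet_aton(area_id),
                         0, AUTYPE_CRYPTO)
    auth = struct.pack("!HBBI", 0, key_id, KEY_LEN, seq)
    packet = header + auth + body
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def verify_packet(data, keys, last_seq, src):
    """Receiver side: select the key by key ID, recompute the digest, and
    reject a sequence number older than the last one seen from this neighbor."""
    if len(data) < HDR_LEN + KEY_LEN:
        return False
    length = struct.unpack("!H", data[2:4])[0]
    autype = struct.unpack("!H", data[14:16])[0]
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", data[16:24])
    if autype != AUTYPE_CRYPTO or auth_len != KEY_LEN or key_id not in keys:
        return False
    if length + KEY_LEN != len(data):
        return False
    packet, received = data[:length], data[length:]
    expected = hashlib.md5(packet + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, received):
        return False
    if seq < last_seq.get(src, 0):
        return False                      # replayed or stale packet
    last_seq[src] = seq
    return True


# Constructed sample: 20 placeholder bytes stand in for a Hello body; key ID 1
# and key-string secret-1 are the values used on the slide.
HELLO_BODY = b"\x00" * 20
SAMPLE_HELLO = build_packet(HELLO_BODY, "1.1.1.1", "0.0.0.0", 1, "secret-1", 10)
```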
OSPF Authentication
OSPFv2 Cryptographic Authentication
• After IOS 15.4(1)T, OSPFv2 supports SHA hashing authentication using key chains.
• The feature prevents unauthorized or invalid routing updates in a network by authenticating OSPFv2 protocol packets using HMAC-SHA algorithms.
• A similar two-step process allows the configuration.
• Step 1.
• Configure a key chain using the key chain key-name global configuration command. The key chain contains the key ID and key string and enables the cryptographic authentication feature using the cryptographic-algorithm auth-algo key chain key configuration mode command.
• Step 2.
• Assign the key chain to the interface using the ip ospf authentication key-chain key-name interface configuration mode command. This also enables the feature.
OSPF Authentication
OSPFv2 Cryptographic Authentication
• R2(config)# key chain SHA-CHAIN
• R2(config-keychain)# key 1
• R2(config-keychain-key)# key-string secret-1
• R2(config-keychain-key)# cryptographic-algorithm hmac-sha-256
• R2(config-keychain-key)# exit
• R2(config-keychain)# exit
• R2(config)# interface s0/0/0
• R2(config-if)# ip ospf authentication key-chain SHA-CHAIN
OSPF Authentication
OSPFv3 Authentication
OSPFv3 requires the use of IPsec to enable authentication. Crypto images are required to use authentication because only crypto images include the IPsec application programming interfaces (APIs) needed for use with OSPFv3.
In OSPFv3, the authentication fields have been removed from the OSPFv3 packet headers.
When OSPFv3 runs on IPv6, OSPFv3 requires the IPv6 Authentication Header (AH) or IPv6 Encapsulating Security Payload (ESP) header to ensure integrity, authentication, and confidentiality of routing exchanges.
IPv6 AH and ESP extension headers can be used to provide authentication and confidentiality to OSPFv3.
OSPF Authentication
Configuring OSPFv3 Authentication
To deploy OSPFv3 authentication, first define the security policy on each of the devices within the group. The security policy consists of the combination of the key and the security parameter index (SPI). The SPI is an identification tag added to the IPsec header.
The authentication policy can be configured either on an interface or in an area.
OSPF Authentication
Configuring OSPFv3 Authentication
• R1(config)# interface Ethernet0/1
• R1(config-if)# ipv6 ospf authentication ipsec spi 300 sha1 1234567890123456789012345678901234567890
• Or, for an entire area:
• R1(config)# router ospfv3 1
• R1(config-router)# area 0 authentication ipsec spi 500 sha1 1234567890123456789012345678901234567890
BGP Authentication
Configuring BGP Authentication
• As enterprises increase their web presence and reliance on the Internet for revenue, the need for reliable and geographically diverse Internet connectivity has become more common. These needs are often met through multihomed configurations that require BGP for connectivity to a service provider's BGP-speaking routers.
• However, introducing BGP routing into an organization introduces additional risks that are present due to threats to BGP. One such threat is the advertisement of false BGP routing updates that are sent from unauthorized BGP peers. To prevent receiving false routing updates, you can enable BGP authentication, which prevents the establishment of BGP sessions with unauthorized BGP peers.
BGP Authentication
BGP Authentication Configuration Checklist
• BGP neighbor authentication can be configured on a router so that the router authenticates the source of each routing update packet that it receives.
• This authentication is accomplished by the exchange of an authentication key (password) that is shared between the source and destination routers.
• Like EIGRP and OSPF, BGP also supports MD5 neighbor authentication.
• To generate an MD5 hash value, BGP uses the shared secret key and portions of the IP and TCP headers and the TCP payload. The MD5 hash is then stored in TCP option 19, which is created specifically for this purpose by RFC 2385.
BGP Authentication
To enable MD5 authentication on a TCP connection between two BGP peers, use the neighbor password router configuration command with an IP address to specify an individual BGP peer, or use the peer group name to specify an entire group of peers, followed by the shared password.
• R1(config)# router bgp 65100
• R1(config-router)# neighbor 172.16.12.2 remote-as 65000
• R1(config-router)# neighbor 172.16.12.2 password secret-1
The same configuration is used for IPv6, except that the neighbor addresses are IPv6 addresses.
• R1(config)# router bgp 65100
• R1(config-router)# neighbor 2001:db8:0:10::2 remote-as 65000
• R1(config-router)# neighbor 2001:db8:0:10::2 password secret-2
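An added example, not part of the course material: Python that builds and verifies the TCP option 19 signature the checklist above describes, following RFC 2385 (MD5 over the pseudo-header, the fixed TCP header with a zeroed checksum and no options, the segment data, and then the shared password). The peer addresses 172.16.12.1/172.16.12.2 and password secret-1 come from the slide; the BGP KEEPALIVE payload, ports and sequence numbers are constructed.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_NOP, TCPOPT_MD5SIG, TCPOPT_MD5SIG_LEN = 1, 19, 18   # RFC 2385 option
TCP_HDR_LEN = 20

def tcp_md5_digest(src_ip, dst_ip, header, options_len, payload, password):
    """RFC 2385 section 2.0 digest: pseudo-header, fixed TCP header with the
    checksum zeroed (options excluded), segment data, then the shared password."""
    seg_len = TCP_HDR_LEN + options_len + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    fixed = header[:16] + b"\x00\x00" + header[18:]
    return hashlib.md5(pseudo + fixed + payload + password.encode()).digest()

def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, password):
    """Sender side: header + [NOP, NOP, MD5SIG] + payload. The TCP checksum is
    left at zero here because it never enters the digest."""
    options_len = 2 + TCPOPT_MD5SIG_LEN            # padded to a 32-bit boundary
    data_offset = (TCP_HDR_LEN + options_len) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset << 4, flags, 65535, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, header, options_len, payload, password)
    options = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_MD5SIG, TCPOPT_MD5SIG_LEN])
    return header + options + digest + payload

def find_md5_option(options):
    """Walk the option list; return the 16-byte signature, or None if absent/malformed."""
    i = 0
    while i < len(options) and options[i] != 0:   # kind 0 ends the list
        if options[i] == TCPOPT_NOP:
            i += 1
            continue
        length = options[i + 1] if i + 1 < len(options) else 0
        if length < 2 or i + length > len(options):
            return None                             # malformed option: do not guess
        if options[i] == TCPOPT_MD5SIG and length == TCPOPT_MD5SIG_LEN:
            return options[i + 2:i + length]
        i += length
    return None

def verify_segment(src_ip, dst_ip, segment, password):
    """Receiver side: a segment without a matching signature is dropped."""
    if len(segment) < TCP_HDR_LEN:
        return False
    header = segment[:TCP_HDR_LEN]
    data_offset = (header[12] >> 4) * 4
    if not TCP_HDR_LEN <= data_offset <= len(segment):
        return False
    received = find_md5_option(segment[TCP_HDR_LEN:data_offset])
    expected = tcp_md5_digest(src_ip, dst_ip, header, data_offset - TCP_HDR_LEN,
                              segment[data_offset:], password)
    return received is not None and hmac.compare_digest(expected, received)

# Constructed sample: a BGP KEEPALIVE (16-byte marker, length 19, type 4)
# from 172.16.12.1 to 172.16.12.2, the peers named on the slide.
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
SAMPLE_SEGMENT = build_segment("172.16.12.1", "172.16.12.2", 179, 50000,
                               1000, 2000, 0x18, KEEPALIVE, "secret-1")
```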
Implementing VRF-Lite
Virtual Routing and Forwarding (VRF) is a technology that allows a device to have multiple separate instances of routing tables that exist and work simultaneously.
A VRF instance is essentially a logical router and consists of an IP routing table, a forwarding table, a set of interfaces that use the forwarding table, and a set of rules and routing protocols that determine what goes into the forwarding table.
A VRF increases:
• Network functionality, by allowing network paths to be completely segmented without using multiple devices.
• Network security, because traffic is automatically segmented. VRF is conceptually similar to creating Layer 2 VLANs but operates at Layer 3.
Service providers (SPs) often take advantage of VRF to create separate virtual private networks (VPNs) for customers. Therefore, VRF is often referred to as VPN routing and forwarding.
Implementing VRF-Lite
VRF and VRF-Lite
VRF is usually associated with a service provider running Multiprotocol Label Switching (MPLS) because the two work well together. In a provider network, MPLS isolates each customer's network traffic, and a VRF is maintained for each customer. However, VRF can be used in other deployments without using MPLS.
VRF-lite is the deployment of VRF without MPLS. With the VRF-lite feature, the Catalyst switch supports multiple VPN routing/forwarding instances in customer-edge devices.
VRF-lite allows an SP to support two or more VPNs with overlapping IP addresses using one interface. VRF-lite uses input interfaces to distinguish routes for different VPNs and forms virtual packet-forwarding tables by associating one or more Layer 3 interfaces with each VRF.
Interfaces in a VRF can be either physical, such as Ethernet or serial ports, or logical, such as VLAN SVIs. However, a Layer 3 interface cannot belong to more than one VRF at any time.
Implementing VRF-Lite
Central(config)# ip vrf VRF-A
Central(config-vrf)# exit
Central(config)# ip vrf VRF-B
Central(config-vrf)# exit
Central(config)# interface Serial0/0/0
Central(config-if)# ip vrf forwarding VRF-A
Central(config-if)# ip address 10.10.1.1 255.255.255.252
Central(config-if)# clock rate 2000000
Central(config-if)# no shut
Central(config-if)# exit
Central(config)# interface Serial0/0/1
Central(config-if)# ip vrf forwarding VRF-A
Central(config-if)# ip address 10.20.2.1 255.255.255.252
Central(config-if)# no shut
Central(config-if)# exit
Central(config)# interface Serial0/1/0
Central(config-if)# ip vrf forwarding VRF-B
Central(config-if)# ip address 10.30.3.1 255.255.255.252
Central(config-if)# clock rate 2000000
Central(config-if)# no shut
Central(config-if)# exit
Central(config)# interface Serial0/1/1
Central(config-if)# ip vrf forwarding VRF-B
Central(config-if)# ip address 10.40.4.1 255.255.255.252
Central(config-if)# no shut
Central(config-if)# exit
Central(config)#
Note: The VRF instance must be configured on the interface first, before the IP address; otherwise, an error message will appear.
Implementing VRF-Lite
Central# show ip route | begin Gateway
Gateway of last resort is not set
Central#
Central# show ip route vrf VRF-A | begin Gateway
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.10.1.0/30 is directly connected, Serial0/0/0
L 10.10.1.1/32 is directly connected, Serial0/0/0
C 10.20.2.0/30 is directly connected, Serial0/0/1
L 10.20.2.1/32 is directly connected, Serial0/0/1
Central#
Central# show ip route vrf VRF-B | begin Gateway
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.30.3.0/30 is directly connected, Serial0/1/0
L 10.30.3.1/32 is directly connected, Serial0/1/0
C 10.40.4.0/30 is directly connected, Serial0/1/1
L 10.40.4.1/32 is directly connected, Serial0/1/1
Notice how the first IP routing table is empty. That's because the directly connected interfaces now belong to the respective VRFs. The next two routing tables displayed in the example verify the content of each VRF.
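The following Python is an added model, not Cisco code, of what the show ip route output above demonstrates: each VRF owns a separate table, the ingress interface selects which table a lookup uses, an interface belongs to at most one VRF, and moving an interface to a VRF drops its existing addresses (the slide's note). It rebuilds the Central configuration from the slide and adds a constructed fifth interface, Serial0/2/0, that reuses 10.10.1.0/30 inside VRF-B to show that overlapping prefixes across VRFs are legal.

```python
import ipaddress


class VrfLiteRouter:
    """Toy model of VRF-lite: one routing table per VRF plus the global table,
    with the ingress interface selecting which table a lookup uses."""

    GLOBAL = "global"

    def __init__(self):
        self.tables = {self.GLOBAL: []}     # vrf name -> [(network, out_iface)]
        self.iface_vrf = {}                 # interface -> vrf name (at most one)

    def ip_vrf(self, name):
        """ip vrf NAME: the instance must exist before an interface can use it."""
        self.tables.setdefault(name, [])

    def ip_vrf_forwarding(self, iface, vrf):
        """ip vrf forwarding VRF: bind an interface to exactly one VRF."""
        if vrf not in self.tables:
            raise ValueError(f"VRF {vrf} is not defined; configure ip vrf {vrf} first")
        old = self.iface_vrf.get(iface, self.GLOBAL)
        # IOS removes the interface's IP address when its VRF changes; mirror that
        self.tables[old] = [r for r in self.tables[old] if r[1] != iface]
        self.iface_vrf[iface] = vrf

    def ip_address(self, iface, cidr):
        """ip address: the connected route enters this interface's VRF only."""
        vrf = self.iface_vrf.get(iface, self.GLOBAL)
        self.tables[vrf].append((ipaddress.ip_interface(cidr).network, iface))

    def routes(self, vrf=GLOBAL):
        """Prefixes in one table, like show ip route [vrf NAME]."""
        return sorted(str(net) for net, _ in self.tables[vrf])

    def lookup(self, ingress_iface, dst):
        """Longest-prefix match in the table of the VRF the packet arrived on."""
        vrf = self.iface_vrf.get(ingress_iface, self.GLOBAL)
        addr = ipaddress.ip_address(dst)
        best = None
        for net, out in self.tables[vrf]:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, out)
        return None if best is None else (vrf, best[1])


def central_from_slide():
    """Rebuild the slide's Central router, plus one constructed interface that
    reuses a VRF-A prefix inside VRF-B to show the tables are independent."""
    r = VrfLiteRouter()
    r.ip_vrf("VRF-A")
    r.ip_vrf("VRF-B")
    for iface, vrf, cidr in [("Serial0/0/0", "VRF-A", "10.10.1.1/30"),
                             ("Serial0/0/1", "VRF-A", "10.20.2.1/30"),
                             ("Serial0/1/0", "VRF-B", "10.30.3.1/30"),
                             ("Serial0/1/1", "VRF-B", "10.40.4.1/30")]:
        r.ip_vrf_forwarding(iface, vrf)
        r.ip_address(iface, cidr)
    r.ip_vrf_forwarding("Serial0/2/0", "VRF-B")      # constructed, not on the slide
    r.ip_address("Serial0/2/0", "10.10.1.1/30")
    return r
```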
Implementing VRF-Lite
Now configure EIGRP to run on VRF-A:
Central(config)# router eigrp 1
Central(config-router)# address-family ipv4 vrf VRF-A
Central(config-router-af)# network 10.10.1.0 0.0.0.3
Central(config-router-af)# network 10.20.2.0 0.0.0.3
Central(config-router-af)# autonomous-system 1
Central(config-router-af)# no auto-summary
Now configure OSPF to run on VRF-B:
Central(config)# router ospf 1 vrf VRF-B
Central(config-router)# router-id 5.5.5.5
Central(config-router)# network 10.30.3.0 0.0.0.3 area 0
Central(config-router)# network 10.40.4.0 0.0.0.3 area 0
Easy Virtual Network
• For true path isolation, Cisco Easy Virtual Network (EVN) provides the simplicity of Layer 2 with the controls of Layer 3. EVN provides traffic separation and path isolation capabilities on a shared network infrastructure.
• EVN is an IP-based network virtualization solution that takes advantage of existing VRF-lite technology to:
• Simplify Layer 3 network virtualization
• Improve support for shared services
• Enhance management and troubleshooting
• EVN reduces network virtualization configuration significantly across the entire network infrastructure by creating a virtual network trunk. The traditional VRF-lite solution requires creating one sub-interface per VRF on all switches and routers involved in the data path, creating a lot of burden in configuration management.
Easy Virtual Network
• EVN improves shared services support with route replication. Multiple EVN users may require common sets of services such as Internet connectivity, e-mail, video, Dynamic Host Configuration Protocol (DHCP), or Domain Name System (DNS). Traditionally, sharing common services can be achieved through importing and exporting routes between virtual networks using Border Gateway Protocol (BGP), which is complex.
• EVN's route replication feature allows each virtual network to have direct access to the Routing Information Base (RIB) in each VRF, allowing the ability to:
• Link routes from a shared VRF to several segmented VRFs but still maintain separation where it is required
• Remove dependency on the BGP route target and route distinguisher, simplifying both the configuration and the complexity of importing and exporting routes
• Remove duplicate routing tables or routes, saving memory and CPU
Chapter 8 Summary
The chapter focused on the following topics:
Write and follow a security policy before securing a device.
Passwords are stored in the configuration and should be protected from eavesdropping.
Use SSH instead of Telnet, especially when using it over an unsecure network.
Create router ACLs to protect the infrastructure by filtering traffic on the network edge.
Secure SNMP if it is used on the network.
Periodically save the configuration in case it gets corrupted or changed.
Implement logging to an external destination to have insight into what is going on in a network.
Disable unused services.
Unauthorized routers might launch a fictitious routing update to convince a router to send traffic to an incorrect destination. Routers authenticate the source of each routing update that is received when routing authentication is enabled.
There are two types of routing authentication: plain-text and hashing authentication.
Avoid using plain-text authentication.
A key chain is a set of keys that can be used with routing protocol authentication.
Different routing protocols support different authentication options.
When EIGRP authentication is configured, the router verifies every EIGRP packet.
Classic EIGRP for IPv4 and IPv6 supports MD5 authentication, and named EIGRP supports SHA authentication.
To configure classic MD5 authentication, define a key, enable EIGRP authentication mode on the interface, and associate the configured key with the interface.
To configure SHA authentication, you need to use EIGRP named configuration mode.
Verify the EIGRP authentication by verifying neighborship.
When authentication is configured, the router generates and checks every OSPF packet and authenticates the source of each update packet that it receives.
In OSPFv2 simple password authentication, the routers send the key embedded in the OSPF packets.
In OSPFv2 MD5 authentication, the routers generate a hash of the key, key ID, and message. The message digest is sent with the packet.
OSPFv3 uses native functionality offered by IPv6. All that is required for OSPFv3 authentication is IPsec AH. AH provides authentication and an integrity check. IPsec ESP provides encryption for payloads, which is not required for authentication.
BGP authentication uses MD5 authentication.
The router generates and verifies an MD5 digest of every segment sent over the BGP connection.
Verify BGP authentication by verifying that the BGP sessions are up.