Chapter 8: Routers and Routing Protocol Hardening
Cisco Public
Chapter 8 Topics
Chapter 8
2007-2013, Cisco Systems, Inc. All rights reserved.
Cisco Public
Encrypted Passwords
Attackers deploy various methods of discovering administrative passwords.
They can shoulder surf or sniff for packets containing plaintext files.
Attackers can also use legitimate network management software, such as a password auditing tool like L0phtCrack or Cain & Abel.
Encrypting Passwords
Typically routers require passwords for console access, remote vty access, and privileged EXEC access.
The recommended security solution for password management in a network with multiple devices is to authenticate against a central external AAA server.
However, some passwords still might need to be configured on the router itself.
uRPF Examples
An important consideration for deployment is that CEF switching must be enabled for uRPF to function.
The uRPF feature is enabled on a per-interface basis using the ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [list] global configuration command.
Strict mode: Use the ip verify unicast source reachable-via rx command.
Loose mode: Use the ip verify unicast source reachable-via any option.
Enabling uRPF
Gigabit Ethernet 0/0 is configured for uRPF loose mode.
Gigabit Ethernet 0/1 is configured for uRPF strict mode.
Configuring loose mode makes sure the router can reach the source of any IP packet received on interface Gigabit Ethernet 0/0 using any interface on the router.
Strict mode makes the router verify that the source of any IP packet received on interface Gigabit Ethernet 0/1 is reachable through that same interface and not through any other interface on the router.
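The following Python model is an added example, not part of the course material or Cisco's implementation: it applies the strict (rx) and loose (any) checks described in the two uRPF slides above to a constructed forwarding table, using the per-interface policy from this slide (Gi0/0 loose, Gi0/1 strict). The FIB entries, addresses and the handling of allow-default are assumptions made for the illustration.

```python
import ipaddress

# Constructed forwarding table (prefix -> egress interface) standing in for
# the CEF FIB of the router on the slide; not taken from a real device.
FIB = [
    ("10.1.1.0/24", "GigabitEthernet0/0"),
    ("10.2.2.0/24", "GigabitEthernet0/1"),
    ("192.168.50.0/24", "GigabitEthernet0/1"),
    ("0.0.0.0/0", "GigabitEthernet0/0"),        # default route
]

# Per-interface uRPF mode from the slide: Gi0/0 loose (any), Gi0/1 strict (rx).
URPF_MODE = {"GigabitEthernet0/0": "any", "GigabitEthernet0/1": "rx"}

def lookup(fib, src_ip):
    """Longest-prefix match on the packet's source address.
    Returns (network, egress_interface) or None when nothing matches."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_permits(fib, src_ip, ingress, mode, allow_default=False):
    """Model of ip verify unicast source reachable-via {rx | any} [allow-default].
    rx  (strict): the best route back to the source must leave via the
                  interface the packet arrived on.
    any (loose):  any route back to the source is enough, whatever interface.
    A match on 0.0.0.0/0 only counts when allow-default is set (assumption)."""
    match = lookup(fib, src_ip)
    if match is None:
        return False
    net, egress = match
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "rx":
        return egress == ingress
    if mode == "any":
        return True
    raise ValueError("mode must be 'rx' or 'any'")

def check_packet(src_ip, ingress):
    """Apply the slide's per-interface policy; returns 'forward' or 'drop'."""
    mode = URPF_MODE[ingress]
    return "forward" if urpf_permits(FIB, src_ip, ingress, mode) else "drop"

if __name__ == "__main__":
    # Constructed sample packets: (source address, ingress interface).
    for src, iface in [("10.2.2.5", "GigabitEthernet0/0"),
                       ("10.1.1.7", "GigabitEthernet0/1"),
                       ("192.168.50.9", "GigabitEthernet0/1"),
                       ("172.16.0.1", "GigabitEthernet0/0")]:
        print(f"{src:>14} on {iface}: {check_packet(src, iface)}")
```

The second packet is the interesting one: 10.1.1.7 is routable, but via Gi0/0, so strict mode on Gi0/1 drops it while loose mode would have forwarded it.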
Implement Logging
Network administrators need to implement logging to get insight into what is happening in their network.
Logging helps detect unusual network traffic and network device failures, or simply monitor what kind of traffic traverses the network.
Although logging can be implemented locally on a router, this method is not scalable.
To implement accurate logging, it is important that all network infrastructure devices have their dates and times synchronized.
It is also important that syslog entries be stamped with the correct time and date. Time stamps are configured using the service timestamps [debug | log] [uptime | datetime [msec]] [localtime] [show-timezone] [year] global configuration command.
NTP Modes
Server: Also called the NTP master because it provides accurate time information to clients.
An NTP server is configured using the ntp master [stratum] global configuration command.
An NTP client is enabled with the ntp server {ntp-master-hostname | ntp-master-ip-address} command.
Enabling NTP
Securing NTP
Authentication: NTP authenticates the source of the information, so it only benefits the NTP client.
Cisco devices support only MD5 authentication for NTP.
Access control lists: Configure access lists on devices that provide time synchronization to others.
ACLs are applied to NTP using the ntp access-group {peer | query-only | serve | serve-only} ACL-# global configuration command.
Securing NTP
To configure NTP authentication, follow these steps:
Step 1. Define NTP authentication key or keys with the ntp authentication-key global configuration command.
NTP Versions
Currently NTP Versions 3 and 4 are used in production networks.
NTPv4 is an extension of NTP Version 3 and provides the following capabilities:
Supports both IPv4 and IPv6 and is backward-compatible with NTPv3. NTPv3 does not support IPv6.
Uses IPv6 multicast messages instead of IPv4 broadcast messages to send and receive clock updates.
Improved security over NTPv3.
Improved time synchronization and efficiency.
NTPv4 access group functionality accepts IPv6 named access lists as well as IPv4 numbered access lists.
Simple NTP
Simple NTP (SNTP) is a client-only version of NTP that can only receive the time from NTP servers.
SNTP typically provides time within 100 milliseconds of the accurate time, but it does not provide the complex filtering and statistical mechanisms of NTP.
SNTP configuration commands simply replace the ntp portion of NTP commands with sntp.
For instance, the client is configured using the sntp server server_ip global configuration command.
To enable SNTP authentication, use the sntp authenticate global configuration command.
Implementing SNMP
SNMP is the most commonly used network management protocol.
Therefore, it is important to restrict SNMP access to the routers on which it is enabled.
SNMPv3
SNMPv3 should be used whenever possible because it provides authenticity, integrity, and confidentiality. Configuring SNMPv3 involves the following steps:
Step 1. Configure an ACL to limit who has SNMP access to the device.
Step 2. Configure an SNMPv3 view using the snmp-server view view-name global configuration command.
Step 3. Configure an SNMPv3 group using the snmp-server group group-name global configuration command.
Step 4. Configure an SNMPv3 user using the snmp-server user username groupname global configuration command.
Step 5. Configure an SNMPv3 trap receiver using the snmp-server host global configuration command.
Step 6. Configure interface index persistence using the snmp-server ifindex persist global configuration command.
Enabling SNMPv3
Verifying SNMPv3
show snmp
Provides basic information about the SNMP configuration. You can use it to display SNMP traffic statistics, see whether the SNMP agent is enabled, or verify whether the device is configured to send traps.
show snmp view
Provides information about the configured SNMP views, which you can verify for each group.
show snmp group
Provides information about the configured SNMP groups. The most important parameters are the security model and levels.
Configuration Backups
Having a current backup of the configuration file of a device is crucial if the device configuration file becomes corrupted or is inadvertently changed.
A backup of the configuration file can be created by manually copying the router configuration to an FTP server using the copy command.
Another method is to use the Cisco IOS archive global configuration command.
The advantage of this command is that it can be used to automate the saving process.
An archive can also be configured to save the configuration periodically at a predefined interval.
Using SCP
The Secure Copy (SCP) feature provides a secure and authenticated method for copying router configuration or router image files.
Before enabling SCP, SSH must be enabled, and the router must have an RSA key pair.
In addition, SCP requires that AAA authorization be configured so that the router can determine whether the user has the correct privilege level.
Conditional Debugging
Debugging can generate a great deal of output, and sometimes filtering through the output can be tedious.
For this reason, it is practical to know how to limit debug output:
Use an ACL
Enable conditional debugging
To enable conditional debugging, define the condition with the debug condition interface interface command.
The condition remains defined and applied until it is removed.
Routing Protocol Authentication Options
Plain-Text Authentication
With plain-text authentication, a password (key) is configured on a router.
Each participating neighbor router must be configured with the same key.
If the two keys do not match, the routing update is rejected.
Routing protocols that support plain-text authentication include RIPv2, OSPFv2, and IS-IS.
Hashing Authentication
With hashing authentication, the routing protocol update does not contain the plain-text key.
It is important to understand that MD5 and SHA provide only authentication. They do not provide confidentiality.
If the update is intercepted, attackers can still see the content of the update.
The hashing algorithm used depends on the routing protocol.
All routing protocols support MD5, but only OSPFv2, OSPFv3, and named EIGRP support the more secure SHA hashing algorithm.
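To make the contrast between the plain-text and hashing slides concrete, here is an added Python model that is not part of the course material: plain-text authentication carries the key itself in the update, while keyed-MD5 authentication in the style of RFC 2328 Appendix D appends only a digest computed over the packet and a zero-padded 16-byte key. The update body and key are constructed, and OSPF header fields such as key ID and cryptographic sequence number are left out; both schemes leave the routing information itself readable on the wire.

```python
import hashlib
import hmac

# Constructed routing update body; a real OSPF LSU is binary, this stands in for it.
UPDATE = b"LSU prefix=10.1.1.0/24 metric=10 adv-router=10.0.0.1"
KEY = b"R0utingK3y"            # constructed shared key
DIGEST_LEN = 16                # MD5 output size in bytes

def plain_text_packet(update, key):
    """Plain-text authentication: the key travels with the update in the clear."""
    return update + b"|AUTH=" + key

def plain_text_verify(packet, key):
    """Receiver compares the key carried in the packet with its own."""
    _body, _sep, sent_key = packet.rpartition(b"|AUTH=")
    return hmac.compare_digest(sent_key, key)

def _pad_key(key):
    # RFC 2328 Appendix D: the key is 16 bytes; shorter keys are padded with zeros.
    return key.ljust(DIGEST_LEN, b"\x00")[:DIGEST_LEN]

def keyed_md5_packet(update, key):
    """Hashing authentication: MD5 over update + padded key; only the 16-byte
    digest is appended, so the key itself never appears on the wire."""
    digest = hashlib.md5(update + _pad_key(key)).digest()
    return update + digest

def keyed_md5_verify(packet, key):
    """Recompute the digest with the local key and compare in constant time.
    A wrong key or a modified body both produce a mismatch."""
    body, digest = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    expected = hashlib.md5(body + _pad_key(key)).digest()
    return hmac.compare_digest(digest, expected)

def key_visible_on_wire(packet, key):
    """What an observer of the link learns: is the key itself in the packet?"""
    return key in packet

def update_visible_on_wire(packet, update):
    """Neither scheme encrypts: the routing information stays readable."""
    return update in packet

if __name__ == "__main__":
    pt = plain_text_packet(UPDATE, KEY)
    md = keyed_md5_packet(UPDATE, KEY)
    print("plain-text: key visible", key_visible_on_wire(pt, KEY),
          "| update visible", update_visible_on_wire(pt, UPDATE))
    print("keyed MD5 : key visible", key_visible_on_wire(md, KEY),
          "| update visible", update_visible_on_wire(md, UPDATE))
    print("wrong key accepted:", keyed_md5_verify(md, b"WrongKey"))
    tampered = md.replace(b"metric=10", b"metric=99")
    print("tampered update accepted:", keyed_md5_verify(tampered, KEY))
```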
The send and accept lifetimes of a key are specified using the start time and end time.
If end time is not configured, it will default to infinite.
The software examines the key numbers in order from lowest to highest.
It then uses the first valid key it encounters.
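As an added illustration of the selection rules above (a Python model written for this page, not Cisco's implementation or course material): keys are examined from the lowest number upward, the first key whose send lifetime covers the current time is used, an omitted end time means infinite, and overlapping accept lifetimes let a neighbor that has not rolled over yet still be accepted. The key chain, key strings and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

def _as_dt(value):
    """Accept a datetime or an ISO 8601 string such as '2024-06-01T00:30'."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value

@dataclass
class Lifetime:
    start: datetime
    end: Optional[datetime] = None   # None models the IOS default: infinite

    def covers(self, now):
        return self.start <= now and (self.end is None or now < self.end)

@dataclass
class Key:
    number: int
    key_string: str
    send: Lifetime
    accept: Lifetime

def select_send_key(chain, now):
    """Walk key numbers lowest to highest and return the number of the first
    key whose send lifetime covers 'now'; None if no key is currently valid."""
    now = _as_dt(now)
    for key in sorted(chain, key=lambda k: k.number):
        if key.send.covers(now):
            return key.number
    return None

def accepts_key(chain, key_number, now):
    """Would an incoming update authenticated with key_number be accepted now?"""
    now = _as_dt(now)
    for key in chain:
        if key.number == key_number:
            return key.accept.covers(now)
    return False

# Constructed chain: key 1 stops being sent at 2024-06-01 00:00 but is still
# accepted for one more hour; key 2 becomes valid one hour early and has no
# end time (infinite), so the two overlap and the rollover loses no adjacency.
CHAIN = [
    Key(1, "0ldK3y", Lifetime(datetime(2024, 1, 1), datetime(2024, 6, 1, 0, 0)),
                     Lifetime(datetime(2024, 1, 1), datetime(2024, 6, 1, 1, 0))),
    Key(2, "N3wK3y", Lifetime(datetime(2024, 5, 31, 23, 0)),
                     Lifetime(datetime(2024, 5, 31, 23, 0))),
]

if __name__ == "__main__":
    for when in ["2024-05-31T22:00", "2024-05-31T23:30",
                 "2024-06-01T00:30", "2024-06-01T02:00"]:
        print(when, "send key", select_send_key(CHAIN, when),
              "| key 1 still accepted:", accepts_key(CHAIN, 1, when))
```

At 23:30 both keys are valid for sending, and the lowest number (key 1) is chosen; a neighbor that is still sending key 1 at 00:30 is accepted because of the overlapping accept lifetime, but not at 02:00.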
Configuring EIGRP Authentication
Configuring OSPF Authentication
OSPF Authentication
When OSPFv2 neighbor authentication is enabled on a router, the router authenticates the source of each routing update packet that it receives.
It performs this authentication by embedding an authentication data field in each OSPF packet.
By default, OSPF does not authenticate routing updates.
OSPFv2 supports plain-text, MD5, and SHA (since IOS 15.4(1)T) authentication.
OSPFv3 Authentication
OSPFv3 requires the use of IPsec to enable authentication.
When OSPFv3 runs on IPv6, OSPFv3 requires the IPv6 Authentication Header (AH) or IPv6 Encapsulating Security Payload (ESP) header to ensure integrity, authentication, and confidentiality of routing exchanges.
To configure IPsec, configure a security policy, which is a combination of the security policy index (SPI) and the key (the key is used to create and validate the hash value).
IPsec for OSPFv3 can be configured on an interface or on an OSPFv3 area.
Implementing VRF-Lite
Enabling VRF
Once in the routing context, the IOS commands do not have to be explicitly identified as VRF commands.
Summary
There are two types of routing authentication: plain-text and hashing authentication.
Avoid using plain-text authentication.
A key chain is a set of keys that can be used with routing protocol authentications.
Different routing protocols support different authentication options.
When EIGRP authentication is configured, the router verifies every EIGRP packet.
Classic EIGRP for IPv4 and IPv6 supports MD5 authentication, and named EIGRP supports SHA authentication.
To configure classic MD5 authentication, define a key, enable EIGRP authentication mode on the interface, and associate the configured key with the interface.
To configure SHA authentication, you need to use EIGRP named configuration mode.
Verify the EIGRP authentication by verifying neighborship.
The router generates and verifies an MD5 digest of every segment sent over the BGP connection.
Verify BGP authentication by verifying that the BGP sessions are up.