Cis185 ROUTE 8 RoutersAndRoutingProtocolHardening

CIS 185 CCNP ROUTE
Chapter : Routers and Routing Protocol

Hardening
Rick Graziani
Cabrillo College
graziani@cabrillo.edu
Spring 2015
Router CLI, SSH, NTP, SNMP
Hardening
ACLs ACLs
 A router’s operational architecture can be categorized into three planes:

 Management plane: This plane is concerned with traffic used for device
management.
 Control plane: This plane is concerned with packet forwarding decisions such as
routing protocol operations.
 Data plane: This plane is also known as the forwarding plane because it is
concerned with the forwarding of data through a router 2
Securing the Management Plane
 Securing the management plane of a Cisco router, including the

following:
 Following the router security policies
 Securing management access
 Using SSH and ACLs to restrict access to a Cisco router
 Implement logging
 Securing SNMP
 Backup configurations
 Using network monitoring
 Disabling unneeded services
3
Following the router security policies
 Router security policy should deal with:
 Password encryption and complexity settings
 Authentication settings (AAA)
 Management access settings (HTTPS, SNMP)
 Securing management access using SSH
 Unneeded services settings disabled
 Ingress/egress filtering settings (ACLs, uRPF, RFC 1918 filtered)
 Routing protocol security settings
 Configuration maintenance (TFTP, recovery)
 Change management
 Router redundancy (FHRP)
 Monitoring and incident handling
 Security updates 4
Passwords
 Passphrases not passwords

5
Encrypting
Passwords
R1(config)# enable secret class123

R1(config)# line console 0
R1(config-line)# password cisco123
R1(config-line)# login
R1(config-line)# exit
R1(config)# line vty 0 4
R1(config-line)# password cisco123
R1(config-line)# login
R1(config)# service password-encryption
6
Encrypting R1# show run
Building configuration...
Passwords <Selected output>
service password-encryption
enable secret 4 JpAg4vBxn6wTb6NE3N1p0wfUUZzR6eOcVUKUFftxEyA
line con 0
password 7 070C285F4D06485744
line vty 0 4
password 7 070C285F4D06485744
 enable secret password is encrypted using level 4 encryption,

which is SHA256
 line console and line vty lines are encrypted using level 7
encryption which is considered weak
7
Encrypting R1(config)# username ADMIN secret class12345
R1(config)# username JR-ADMIN secret class123
Passwords R1(config)# line console 0
R1(config-line)# login local
R1(config-line)# end
 Recommended to enable authentication using the local database

consisting of usernames and password combinations
 Encrypted to level 4 (SHA256)
8
R1# show running-config
<Selected sections>
username ADMIN secret 4 VYlArd0J6s2X4dZwZ42oTpLQ5Zog8wZDgZKHMP2SHEw
username JR-ADMIN secret 4 JpAg4vBxn6wTb6NE3N1p0wfUUZzR6eOcVUKUFftxEyA
line con 0
login local
line vty 0 4
login local
R1# exit
<Output omitted>
User Access Verification
Username: ADMIN
Password: *****
R1>
 Level 4 indicating that SHA256 was used for the encryption
9
Authentication,
Authorization, Accounting
AAA model provides the following advantages:

 Increased flexibility and control of access configuration (per interface)
 Scalability for managing large networks.
 Multiple backup systems: AAA server redundancy.
 Standardized authentication methods: RADIUS
Users must authenticate against an authentication database which can be stored:

 Locally: Users are authenticated against the local device database, which is created
using the username secret command (sometimes referred to self-contained AAA).
 Centrally: A client/server model where users are authenticated against AAA servers.
10
When users attempt to authenticate to a device, the device communicates with a AAA
server using either the
 RADIUS : An open standard protocol described in RFCs 2865 (authenticationand
authorization) and 2866 (accounting).
 It combines authentication and authorization into one service.
 RADIUS does not encrypt the entire message exchanged between device and
server, only the password portion of the RADIUS packet header is encrypted
 Thereby identifying the AAA server as an authoritative source to authenticate
against.
 TACACS+: A Cisco proprietary protocol that uses the more reliable TCP port 49.
 TACACS+ encrypts the entire message exchanged therefore communication
between the device and the TACACS+ server is completely secure.
11
TACACS+ vs RADIUS
 .
12
RADIUS Authentication
13
TACACS+ Authentication
14
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd The default authentication method
R1(config)# username ADMIN secret Str0ng5rPa55w0rd applies to all lines. AAA will attempt to
R1(config)# authenticate using the first server in the
R1(config)# aaa new-model group then attempt to authenticate
R1(config)# against the second server in the group. If
R1(config)# line vty 0 4 it does not respond, authentication will
R1(config-line)# login authentication TELNET-LOGIN done using the local database.
R1(config)# exit
R1(config)# aaa authentication login default group RADIUS-GROUP local
R1(config)# aaa authentication login TELNET-LOGIN group RADIUS-GROUP local-case
R1(config)#
R1(config)# aaa group server radius RADIUS-GROUP The TELNET-LOGIN method applies to
R1(config-sg-radius)# server name RADIUS-1 all VTY lines. Overrides the default. Same
R1(config-sg-radius)# server name RADIUS-2 options a the default.
R1(config-sg-radius)# exit
R1(config)#
R1(config)# radius server RADIUS-1
R1(config-radius-server)# address ipv4 192.168.1.101 ! address ipv6 <ipv6-address>
R1(config-radius-server)# key RADIUS-1-pa55w0rd
R1(config-radius-server)# exit
R1(config)#
R1(config)# radius server RADIUS-2
R1(config-radius-server)# key RADIUS-2-pa55w0rd 15
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd The default authentication method
R1(config)# username ADMIN secret Str0ng5rPa55w0rd applies to all lines. AAA will attempt to
R1(config)# authenticate using the first server in the
R1(config)# aaa new-model group then attempt to authenticate
R1(config)# against the second server in the group. If
R1(config)# line vty 0 4 it does not respond, authentication will
R1(config-line)# login authentication TELNET-LOGIN done using the local database.
R1(config)# exit
R1(config)# aaa authentication login default group TACACS-GROUP local
R1(config)# aaa authentication login TELNET-LOGIN group TACACS-GROUP local-case
R1(config)#
R1(config)# aaa group server radius TACACS-GROUP The TELNET-LOGIN method applies to
R1(config-sg-radius)# server name TACACS-1 all VTY lines. Overrides the default. Same
R1(config-sg-radius)# server name TACACS-2 options a the default.
R1(config-sg-radius)# exit A custom TCP port number can be
R1(config)# specified
R1(config)# radius server TACACS-1
R1(config-radius-server)# key TACACS-1-pa55w0rd
R1(config-radius-server)# exit
R1(config)#
R1(config)# radius server TACACS-2
R1(config-radius-server)# key TACACS-2-pa55w0rd 16
Use SSH Instead of Telnet
17
Configuring SSH
S1(config)# ip domain-name cisco.com
S1(config)# crypto key generate rsa
1. Configure the IP domain using the ip domain-name domain-name global
The name for the keys will be: S1.cisco.com
config
Choose thecommand. (The
size of the keydomain name
modulus and range
in the hostname
of 360aretothe parameters
2048 for your
used inPurpose
General order toKeys.
nameChoosing
the key. Other
a key ways to do
modulus it.)
greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024

% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
*Mar 1 2:59:12.78: %SSH-5-ENABLED: SSH 1.99 has been enabled

S1(config)# username admin secret class
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exit
S1(config)# ip ssh version 2
18
S1(config)#
Configuring SSH
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

2. Generate
*Mar RSA key %SSH-5-ENABLED:
1 2:59:12.78: pairs using the crypto key generate
SSH 1.99 has beenrsa global
enabled
configurationusername
S1(config)# mode command.
admin secret class
S1(config)# line vty 0 15a minimum modulus size of 1,024 bits.
 Cisco recommends
 A longer modulus
S1(config-line)# login length
local is more secure, but it takes longer to generate
and to use. exit
S1(config-line)#
 Generating an RSA key pair automatically enables SSH. 19
S1(config)#
Configuring SSH
Choose the size of the key modulus in the range of 360 to 2048 for your
a few minutes.


3. Configure user authentication using the username in global configuration
mode command. login local
S1(config-line)#
20
S1(config)#
4.
Configure the vty lines.
Configuring SSH  Enable local login using the login local line
S1(config)# ip domain-name cisco.com configuration mode command to require
S1(config)# crypto key generate rsa local authentication for SSH connections
from the local username database.
Choose the size of the key modulus in the range
Enable the SSHof using
360 to
the2048 for input
transport your
ssh line configuration mode command.
a few minutes.


S1(config-line)# login local
S1(config)# 21
Router(config)# hostname R1
R1(config)# ip domain-name cisco.com
R1(config)# username ADMIN privilege 15 secret class12345
R1(config)# crypto key generate rsa modulus 2048
The name for the keys will be: R1.cisco.com
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 8 seconds)
R1(config)#
*Aug 13 17:22:58.625: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1#
R1(config-line)# transport input ssh
R1(config-line)# access-class PERMIT-SSH in
R1(config)# ip access-list standard PERMIT-SSH
R1(config-std-nacl)# remark ACL permitting SSH to hosts on the Management LAN
R1(config-std-nacl)# permit 10.0.0.0 0.0.0.255
R1(config-std-nacl)# deny any log
R1(config-std-nacl)# end
22
Verifying SSH
Operation
23
24
R1# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSYRdGaX5NesMnkkgCF5JYoREFTMzaUEbjhRMP/Mn/
7zhBtaNAnDlPTmY01A8ymtBMXr2LW/NrX/FuNJqTZMWDVy0Hm9rYs0P6aZCsRn+8EzMzjZgMQCM8A9rO
gDgRnRVEyAm9VORaZN4hx9F7JBug1cnCjghSzbfo0fBeypE3NzJlI/ekCKMO1zXvoWAGjqV+ArtyADwb
kNnw4tmEz1OkP0GXzua/IrHUZRTKNMhd3YTZgkki0GpUowmXBfF2s4Hhy4w/I1twtEr+/sVKkU9wqs2W
UDhZD2ZUxmJKo0GuFxIPNSpMJkn6fRte2MuALGs1a8QUCGzuibVz/Gua7P9R
R1# show crypto key mypubkey rsa
% Key pair was generated at: 09:46:39 PST Aug 13 2014
Key name: R1.cisco.com
Key type: RSA KEYS
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00D26117 46697E4D 7AC32792 48021792 58A11105 4CCCDA50 46E38513 0FFCC9FF
25
Unicast Reverse Path Forwarding
 The Unicast RPF feature helps to mitigate problems (DoS) that are
caused by the introduction of malformed or forged (spoofed) IP
source addresses into a network by discarding IP packets that lack
a verifiable IP source address.
26
 Unicast RPF checks the
FIB to see if 192.168.1.1
has a path to FDDI
2/0/0.
 If there is a matching
path, the packet is
forwarded. If there is no
matching path, the
packet is dropped.
27
 If there is no reverse
entry in the routing
table that routes the
customer packet
back to source
address
209.165.200.225 on
interface FDDI 2/0/0,
and so the packet is
dropped.
28
The uRPF feature works in one of two modes:
 Strict mode: The packet must be received on the interface that the router would use to forward the
return packet.
 Dropping of legitimate traffic could occur when asymmetric routing paths are present in the
network.
 Loose mode: The source address must appear in the routing table.
 Administrators can change this behavior using the allow-default option, which allows the use
of the default route in the source verification process.
 A packet that contains a source address for which the return route points to the Null 0
interface will be dropped.
 An access list may also be specified that permits or denies certain source addresses in uRPF
loose mode.
29
R1(config)# interface GigabitEthernet 0/0
R1(config-if)# ip verify unicast source reachable-via any
R1(config-if)# exit
R1(config)#
R1(config)# interface GigabitEthernet 0/1
R1(config-if)# ip verify unicast source reachable-via rx
R1(config-if)# exit
R1(config)#
 Loose mode: Use the ip verify unicast source reachable-via any

option to enforce
 Strict mode: Use the ip verify unicast source reachable-via rx
command
 The allow-default option may be used with either the rx or any
option to include IP addresses not specifically contained in the
routing table.
30
Network Time
Protocol
 An NTP network usually gets its time from an authoritative time source, such
as a radio clock or an atomic clock attached to a time server.
 NTP then distributes this time across the network using UDP port 123.
 NTP devices can operate in one of four different modes to provide flexibility
when enabling time synchronization in a network as explained in the chapter 31
! R1 will be synchronizing its system clock
with an external NTP time source and become an NTP master
R1(config)# ntp server 209.165.200.254
R1(config)# clock timezone EST -5
R1(config)# clock summer-time EST recurring
R1(config)#
! S1 and S2 will be NTP clients of R1 and NTP peers to each

other (peers exchange time synchronization information)
S1(config)# ntp server 10.0.0.1
S1(config)# clock timezone EDT -5
S1(config)# clock summer-time EDT recurring
S1(config)# ntp peer 172.16.0.2
S1(config)#
S2(config)# ntp server 10.0.1.1

S2(config)# clock timezone EST -5
S2(config)# clock summer-time EST recurring
S2(config)# ntp peer 172.16.0.1
32
! NTP Authentication
R1(config)# ntp authentication-key 1 md5 NTP-pa55w0rd

R1(config)# ntp authenticate
R1(config)# ntp trusted-key 1
R1(config)# ntp access-group serve-only 10
R1(config)# access 10 permit 10.0.0.0 0.0.255.255
S1(config)# ntp authentication-key 1 md5 NTP-pa55w0rd

S1(config)# ntp authenticate
S1(config)# ntp trusted-key 1
S1(config)# ntp server 10.0.0.1 key 1
33
SNMP
 SNMP is the most commonly used network management protocol.

 It is important to restrict SNMP access to the routers on which it is enabled.
 SNMP was developed to allow administrators to manage nodes, such as
servers, workstations, routers, switches, and security appliances, on an IP
network.
35
SNMP
 SNMP manager: The SNMP manager is part of a
network management system (NMS).
 Collects information from an SNMP agent using
the Get action and can change configurations on
an agent using the Set action.
 SNMP agents (managed node): Resides on the SNMP managed networking client
and responds to the SNMP manager’s Set and Get requests to the local MIB.
 SNMP agents can be configured to forward real-time information directly to an
SNMP manager using traps (or notifications).
 Devices supporting SNMP include routers, switches, firewalls, and servers
running SNMP agent software.
 Management Information Base (MIB): Resides on the SNMP managed networking
client and stores data about the device operation including resources and activity.
 The MIB data is available to authenticated SNMP managers.
36
SNMP
 The chapter shows a sample configuration for SNMP.
37
Configuration Backups
 archive global configuration command.

 Can be used to automate the saving process.
 In the event that the configuration of the device becomes corrupt or is
deleted, the archive command can then be used to restore configuration on
the device.
39
R1(config)# archive
R1(config-archive)# path ftp://admin:cisco123@10.1.2.3/$h.cfg
 archive global configuration command:

 $h will be replaced with device hostname.
 $t will be replaced with date and time of the archive.
 $t variable is not used, the names of the new files will have the
version number appended to differentiate it from the previous
configurations of the same device.
40
! Manual archive
R1# archive config
Writing R1.cfg-Sep-20-13-05-09.868-0
R1#
! Automatic archive
R1(config)# archive
! triggers the archive feature to copy the configuration each time the running configuration is copied into NVRAM
R1(config-archive)# write-memory
! specifies a periodic interval time that the configuration is automatically saved. In the example, every week (10,080
minutes)
R1(config-archive)# time-period 10080
R1(config-archive)# end
R1#
41
R1# show archive
The maximum archive configurations allowed is 10.
The next archive will be named ftp://admin:cisco123@10.1.2.3/R1-5
Archive # Name
0
1 ftp://admin:cisco123@10.1.2.3/R1-1
2 ftp://admin:cisco123@10.1.2.3/R1-2
3 ftp://admin:cisco123@10.1.2.3/R1-3
4 ftp://admin:cisco123@10.1.2.3/R1-4
 Notice how the version number is automatically appended.

42
SCP
R1(config)# username ADMIN privilege 15 secret SCP-Secret
R1(config)# ip domain-name scp.cisco.com
R1(config)# crypto key generate rsa general-keys modulus 1024
The name for the keys will be: R1.scp.cisco.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)
R1(config)#
*Nov 3 22:25:28.135: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)# aaa new-model
R1(config)# aaa authentication login default group radius local-case
R1(config)# aaa authorization exec default group radius local
R1(config)# ip scp server enable
 Secure Copy (SCP) feature provides a secure and authenticated method for copying router configuration
or router image files.
 Similar to that of Remote Copy (RCP), Berkeley R-tools suite, except that SCP relies on SSH for security.
 Therefore, before enabling SCP, SSH must be enabled, and the router must have an RSA key pair.
 In addition, SCP requires that AAA authorization be configured so that the router can determine whether
43
the user has the correct privilege level.
SCP
 Displays the command line to copy a file from the router flash memory to the local computer
and naming it R1.cfg.
C:\> pscp -l ADMIN -pw SCP-Secret ADMIN@10.1.1.1:flash:backup.cfg R1.cfg
C:\>
 Transferring files between routers, one router acts as the SCP client.
R2# copy scp: flash:
Address or name of remote host []? 10.1.1.1
Source username [ADMIN]? ADMIN
Source filename []? R2backup.cfg
Destination filename [R2backup.cfg]?
Password:
!
982 bytes copied in 13.916 secs (71 bytes/sec)
R2#
44
Disabling Unused Services
 All services that are not required should be disabled; otherwise, they are a
security liability that an attacker could exploit.
 Different Cisco IOS Software releases maintain different services that are
on or off by default.
45
Service Description of Service Commands Used to
Disable Service
DNS Name • If no DNS server is specifically mentioned in Router(config)#
Resolution the router configuration, all the name queries no ip domain-lookup
are sent to the broadcast address of
255.255.255.255 by default.
CDP • The CDP is a proprietary protocol that Cisco Router(config)#

devices use to identify their directly connected no cdp run
neighbors. Router(config-if)#
• CDP, like any other unnecessary local service, no cdp enable
is considered potentially harmful to security.
NTP • If NTP is not used in the network, it should be Router(config-if)#

disabled. ntp disable
• You can disable the processing of NTP packets
on specific interface.
BOOTP • BOOTP uses UDP to formulate a network Router(config)#

Server request to allow a device to obtain and no ip bootp server
configure its own IP information, such as IP
address and subnet mask. However, the 46
Disable Service
DHCP • DHCP is essentially an extension of BOOTP. Router(config)#
no ip bootp server
Proxy ARP • Proxy ARP replies are sent to an ARP request Router(config-if)#
destined for another device. no ip proxy-arp
• When an intermediate Cisco device knows the
MAC address of the destination device, it can
act as a proxy.
• When an ARP request is destined for another
Layer 3 network, a proxy ARP device extends a
LAN perimeter by enabling transparent access
between multiple LAN segments.
• This presents a security problem.
• An attacker can issue multiple ARP requests
and use up the proxy ARP device’s resources
when it tries to respond to these requests in a
DoS attack.
• Proxy ARP is enabled on Cisco router
interfaces.
47
Disable Service
IP Source • An option is found in the header of every IP packet. Router(config)#

Routing • The Cisco IOS Software examines the option and acts no ip source-route
accordingly.
• Sometimes an option indicates source routing.
• This means that the packet is specifying its own route.
• This feature poses a known security risk, such as a hacker
taking control of a packet’s route and directing it through the
network.
• So, if source routing is not necessary in your network, you
should disable it on all routers.
IP • ICMP messages that are automatically sent by Cisco routers Router(config-if)#

Redirects in response to various actions can give away a lot of no ip redirects
information, such as routes, paths, and network conditions,
to an unauthorized individual.
48
Conditional Debugging
 Conditional debugging is sometimes called “conditionally triggered

debugging” can be used to
 Limit output based on the interface.
 Debugging output is turned off for all interfaces except the specified
interface.
 Enable debugging output for conditional debugging events.
 Messages are displayed as different interfaces meet specific conditions.
49
R1# debug condition interface fa0/0
Condition 1 set
R1# debug ip packet detail
IP packet debugging is on (detailed)
R1#
R1# debug ip nat detailed
IP NAT detailed debugging is on
R1#
R1# no debug condition interface fa0/0
This condition is the last interface condition set.
Removing all conditions may cause a flood of debugging messages to result, unless
specific debugging flags are first removed.
Proceed with removal? [yes/no]: y
Condition 1 has been removed
R1# undebug all
All possible debugging has been turned off
R1#
 Define the condition with the debug condition interface interface command.
 The condition remains defined and applied until it is removed.
 Displays the commands required to debug NAT and IP packet details and limit to
output for interface Fa0/0 only.
 Check the active debug conditions using the show debug condition command. 50
Routing Protocol Authentication
 Review CCNA information at the beginning of this section on:

 The Purpose of Routing Protocol Authentication
 Plain-Text Authentication
 Hashing Authentication
 Time-Based Key Chains
 Key Chain Specifics
 Authentication Options with Different Routing Protocols
51
Configuring EIGRP Authentication
 This section describes how to configure the following:

 Classic IPv4 and neighbor authentication using preshared
passwords
 IPv6 EIGRP neighbor authentication using pre-shared
passwords
 Classic IPv4 and IPv6 EIGRP neighbor authentication using the
named EIGRP method.
52
Configuring
EIGRP
Authentication
 In the example:
 Configure EIGRP MD5 authentication mode
 Configure EIGRP key-based routing authentication
53
EIGRP MD5 authentication mode
R1(config)# key chain EIGRP-KEYS
R1(config-keychain)# key 1
R1(config-keychain-key)# key-string secret-1
R1(config-keychain-key)# end
R1# show key chain
Key-chain EIGRP-KEYS:
key 1 -- text "secret-1"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
R1#

54
R1(config-keychain-key)# exit
R1(config)# interface Ethernet 0/0
R1(config-if)# ip authentication mode eigrp 100 md5
R1(config-if)# ip authentication key-chain eigrp 100 EIGRP-KEYS

R2(config)# interface e0/0
R2(config-if)# ip authentication key-chain eigrp 100 EIGRP-KEYS
R2(config-if)#
55
56
EIGRP Key-Based Routing Authentication
R1(config)# key chain EIGRP-LIFETIME-KEYS

R1(config-keychain-key)# accept-lifetime 00:00:00 Jan 1 2014 23:00:00 Mar 20 2015
R1(config-keychain-key)# send-lifetime 00:00:00 Jan 1 2014 23:00:00 Mar 20 2015
R1(config-keychain-key)# key 2
R1(config-keychain-key)# accept-lifetime 22:45:00 Mar 20 2015 infinite
R1(config-keychain-key)# send-lifetime 22:45:00 Mar 20 2015 infinite
R1(config)# interface ethernet0/1
R1(config-if)# ip authentication key-chain eigrp 100 EIGRP-LIFETIME-KEYS
R1(config-if)#
*Sep 20 20:35:13.837: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.10.13.2
(Ethernet0/1) is down: authentication mode changed
57
EIGRP Key-Based Routing Authentication
58
EIGRP for IPv6 MD5 Authentication Mode
R1(config)# key chain R1-IPv6-Chain
R1(config-keychain)# exit
R1(config)# interface ethernet 0/0
R1(config-if)# ipv6 authentication mode eigrp 200 md5
Sep 20 23:06:57.444: %DUAL-5-NBRCHANGE: EIGRP-IPv6 200: Neighbor
FE80::A8BB:CCFF:FE00:7400 (Ethernet0/0) is down: authentication mode changed
R1(config-if)# ipv6 authentication key-chain eigrp 200 R1-IPv6-Chain
R2(config)# key chain R2-IPv6-Chain

R2(config-if)# ipv6 authentication mode eigrp 200 md5
R2(config-if)# ipv6 authentication key-chain eigrp 200 R2-IPv6-Chain
*Sep 20 23:13:09.602: %DUAL-5-NBRCHANGE: EIGRP-IPv6 200: Neighbor
FE80::A8BB:CCFF:FE00:5F00 (Ethernet0/0) is up: new adjacency 59
Named EIGRP Authentication Mode
R1(config)# key chain NAMED-R1-Chain
R1(config)# router eigrp ROUTE

R1(config-router)# address-family ipv4 autonomous-system 110
R1(config-router-af)# network 10.10.0.0 0.0.255.255
R1(config-router-af)# af-interface ethernet 0/0
R1(config-router-af-interface)# authentication key-chain NAMED-R1-Chain
R1(config-router-af-interface)# authentication mode hmac-sha-256 secret-1
R2(config)# key chain NAMED-R2-Chain
R2(config)# router eigrp ROUTE

R2(config-router)# address-family ipv4 autonomous-system 110
R2(config-router-af)# network 10.10.0.0 0.0.255.255
R2(config-router-af)# af-interface ethernet 0/0
R2(config-router-af-interface)# authentication key-chain NAMED-R2-Chain
R2(config-router-af-interface)# authentication mode hmac-sha-256 secret-1
60
OSPF Authentication
 This section describes how to do the following:
 Configure OSPFv2 neighbor authentication
 Configure OSPFv3 neighbor authentication
 OSPFv2 supports
 Plain-text authentication: Simple password authentication. Least
secure and not recommended for production environments.
 MD5 authentication: Secure and simple to configure using two
commands. Should only be implemented if SHA authentication is not
supported.
 SHA authentication: Most secure solution using key chains. Referred
to as the OSPFv2 cryptographic authentication feature and only
available since IOS 15.4(1)T. 61
OSPF MD5 Authentication on the interface

R1(config-if)# ip ospf authentication message-digest
R1(config-if)# ip ospf message-digest-key 1 md5 secret-1
R1(config-if)#
*Sep 21 14:56:55.750: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Ethernet0/2
from FULL to DOWN, Neighbor Down: Dead timer expired
R1(config-if)#

R3(config-if)# ip ospf authentication message-digest
R3(config-if)#
from LOADING to FULL, Loading Done
R3(config-if)#
9781587204562_ 62
63
OSPF MD5 Authentication in an Area
instead if on the interface

R1(config-if)# exit
R1(config)#
R1(config)# router ospf 1
R1(config-router)# area 0 authentication message-digest
R1(config-router)#
R1(config-router)#

R4(config-if)# exit
R4(config)# router ospf 1
R4(config-router)# area 0 authentication message-digest
R4(config-router)#
*Sep 21 15:23:12.394: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on Ethernet0/0 from
LOADING to FULL, Loading Done
64
R4(config-router)#
65
OSPFv2 Cryptographic Authentication
R1(config)# key chain SHA-CHAIN

R1(config-keychain-key)# cryptographic-algorithm ?
hmac-sha-1 HMAC-SHA-1 authentication algorithm
md5 MD5 authentication algorithm
R1(config-keychain-key)# cryptographic-algorithm hmac-sha-256
R1(config-if)# interface s0/0/0
R1(config-if)# ip ospf authentication key-chain SHA-CHAIN
R1(config-if)#
*Sep 21 16:53:03.227: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Serial0/0/0
R1(config-if)#
66
OSPFv2 Cryptographic Authentication
R2(config)# key chain SHA-CHAIN

R2(config-keychain-key)# cryptographic-algorithm hmac-sha-256
R2(config)# interface s0/0/0
R2(config-if)# ip ospf authentication key-chain SHA-CHAIN
R2(config-if)#
*Jul 21 16:13:32.555: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on Serial0/0/0 from
LOADING to FULL, Loading Done
R2(config-if)#
67
68
OSPFv3 Authentication
 OSPFv3 requires the use of IPsec to enable authentication.
 When OSPFv3 runs on IPv6, OSPFv3 requires the IPv6 Authentication
Header (AH) or IPv6 Encapsulating Security Payload (ESP) header to
ensure integrity, authentication, and confidentiality of routing exchanges.
 IPv6 AH and ESP extension headers can be used to provide authentication
and confidentiality to OSPFv3.
 To use the IPsec AH, use the ipv6 ospf authentication interface configuration
command.
 To use the IPsec ESP header, use the ipv6 ospf encryption interface
configuration command.
 The ESP header may be applied alone or in combination with the AH.
 When ESP is used, both encryption and authentication are provided.
69
OSPFv3 Authentication
 Configure OSPFv3 authentication on interfaces between R1 and R2

 Configure OSPFv3 in area 0
70
OSPFv3 Authentication on an Interface
R1(config)# interface Ethernet0/1

R1(config-if)# ipv6 ospf authentication ipsec spi 300 sha1 1234567890123456789012345678901234567890
! key argument in the ipv6 ospf authentication command must be exactly 40
hexadecimal digits
R1(config)# router ospfv3 1

R1(config-router)# area 0 authentication ipsec spi 500 sha1 123456789012345678901234
5678901234567890
R2(config)# interface Ethernet0/1

R2(config-if)# ipv6 ospf authentication ipsec spi 300 sha1
1234567890123456789012345678901234567890
! key argument in the ipv6 ospf authentication command must be exactly 40
hexadecimal digits
R2(config)# router ospfv3 1

R2(config-router)# area 0 authentication ipsec spi 500 sha1 123456789012345678901234
5678901234567890
71
BGP Authentication
 To prevent receiving of false routing updates, you can enable BGP

authentication, which prevents establishment of BGP session with
unauthorized BGP peers.
 This section covers the following topics:

 Configuring and verifying BGP for IPv4 authentication
 Configuring and verifying BGP for IPv6 authentication.
72
BGP MD5 authentication
R1(config)# router bgp 65100

R1(config-router)# neighbor 172.16.12.2 remote-as 65000
R1(config-router)# neighbor 172.16.12.2 password secret-1
R1(config-router)#

R2(config-router)# neighbor 172.16.12.1 remote-as 65100
R2(config-router)# neighbor 172.16.12.1 password secret-1
R2(config-router)#
73
BGP MD5 authentication

R1(config-router)# neighbor 2001:db8:0:10::2 remote-as 65000
R1(config-router)# neighbor 2001:db8:0:10::2 password secret-2
R1(config-router)#

R2(config-router)# neighbor 2001:db8:0:10::1 remote-as 65100
R2(config-router)# neighbor 2001:db8:0:10::1 password secret-2
R2(config-router)#
74
Implementing VRF-Lite
 Virtual Routing and Forwarding (VRF) is a technology that allows
the device to have multiple but separate instances of routing tables
exist and work simultaneously.
 A VRF instance is essentially a logical router and consists of a(n):
 IP routing table
 Forwarding table (FIB)
 Set of interfaces that use the forwarding table
 Set of rules and routing protocols that determine what goes into
the forwarding table
75
76
Central(config)# ip vrf VRF-A
Central(config-vrf)# exit
Central(config)# ip vrf VRF-B
Central(config-vrf)# exit
Central(config)# interface Serial0/0/0
Central(config-if)# ip vrf forwarding VRF-A
Central(config-if)# ip address 10.10.1.1 255.255.255.252
Central(config-if)# clock rate 2000000
Central(config-if)# no shut
Central(config-if)# exit
Central(config-if)# ip vrf forwarding VRF-A
Central(config-if)# exit
Central(config-if)# ip vrf forwarding VRF-B
Central(config-if)# clock rate 2000000
Central(config-if)# ip vrf forwarding VRF-B
77
78
Central(config)# router eigrp 1
Central(config-router)# address-family ipv4 vrf VRF-A
Central(config-router-af)# network 10.10.1.0 0.0.0.3
Central(config-router-af)# network 10.20.2.0 0.0.0.3
Central(config-router-af)# autonomous-system 1
Central(config-router-af)# exit
Central(config)# router ospf 1 vrf VRF-B

Central(config-router)# router-id 5.5.5.5 EIGRP OSPF
Central(config-router)# network 10.30.3.0 0.0.0.3 area 0
Central(config-router)# network 10.40.4.0 0.0.0.3 area 0
Central(config-router)#
79
EIGRP OSPF
80
EIGRP OSPF
81
CIS 185 CCNP ROUTE
Chapter : Routers and Routing Protocol
Hardening
Rick Graziani
Cabrillo College
graziani@cabrillo.edu
Spring 2015

Cis185 ROUTE 8 RoutersAndRoutingProtocolHardening

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cis185 ROUTE 8 RoutersAndRoutingProtocolHardening

Uploaded by

Copyright:

Available Formats

CIS 185 CCNP ROUTE

Chapter : Routers and Routing Protocol

 A router’s operational architecture can be categorized into three planes:

 Securing the management plane of a Cisco router, including the

 Passphrases not passwords

R1(config)# enable secret class123

enable secret 4 JpAg4vBxn6wTb6NE3N1p0wfUUZzR6eOcVUKUFftxEyA

 enable secret password is encrypted using level 4 encryption,

 Recommended to enable authentication using the local database

 Level 4 indicating that SHA256 was used for the encryption

AAA model provides the following advantages:

Users must authenticate against an authentication database which can be stored:

How many bits in the modulus [512]: 1024

*Mar 1 2:59:12.78: %SSH-5-ENABLED: SSH 1.99 has been enabled

How many bits in the modulus [512]: 1024

How many bits in the modulus [512]: 1024

*Mar 1 2:59:12.78: %SSH-5-ENABLED: SSH 1.99 has been enabled

How many bits in the modulus [512]: 1024

*Mar 1 2:59:12.78: %SSH-5-ENABLED: SSH 1.99 has been enabled

 Loose mode: Use the ip verify unicast source reachable-via any

! S1 and S2 will be NTP clients of R1 and NTP peers to each

S2(config)# ntp server 10.0.1.1

R1(config)# ntp authentication-key 1 md5 NTP-pa55w0rd

S1(config)# ntp authentication-key 1 md5 NTP-pa55w0rd

 SNMP is the most commonly used network management protocol.

 The chapter shows a sample configuration for SNMP.

 archive global configuration command.

 archive global configuration command:

 Notice how the version number is automatically appended.

CDP • The CDP is a proprietary protocol that Cisco Router(config)#

NTP • If NTP is not used in the network, it should be Router(config-if)#

BOOTP • BOOTP uses UDP to formulate a network Router(config)#

IP Source • An option is found in the header of every IP packet. Router(config)#

IP • ICMP messages that are automatically sent by Cisco routers Router(config-if)#

 Conditional debugging is sometimes called “conditionally triggered

 Review CCNA information at the beginning of this section on:

 This section describes how to configure the following:

R2(config)# key chain EIGRP-KEYS

R2(config)# key chain EIGRP-KEYS

R1(config)# key chain EIGRP-LIFETIME-KEYS

R2(config)# key chain R2-IPv6-Chain

R1(config)# router eigrp ROUTE

R2(config)# router eigrp ROUTE

R1(config)# interface ethernet 0/2

R3(config)# interface ethernet 0/0

R1(config)# interface ethernet 0/0

R4(config)# interface ethernet 0/0

R1(config)# key chain SHA-CHAIN

R2(config)# key chain SHA-CHAIN

 Configure OSPFv3 authentication on interfaces between R1 and R2

R1(config)# interface Ethernet0/1

R1(config)# router ospfv3 1

R2(config)# interface Ethernet0/1

R2(config)# router ospfv3 1

 To prevent receiving of false routing updates, you can enable BGP

 This section covers the following topics:

R1(config)# router bgp 65100

R2(config)# router bgp 65000

R1(config)# router bgp 65100

R2(config)# router bgp 65000

Central(config)# router ospf 1 vrf VRF-B

You might also like