Professional Documents
Culture Documents
Cis185 ROUTE 8 RoutersAndRoutingProtocolHardening
Cis185 ROUTE 8 RoutersAndRoutingProtocolHardening
Spring 2015
Router CLI, SSH, NTP, SNMP
Hardening
ACLs ACLs
6
Encrypting R1# show run
Building configuration...
Passwords <Selected output>
service password-encryption
line con 0
password 7 070C285F4D06485744
line vty 0 4
password 7 070C285F4D06485744
8
R1# show running-config
<Selected sections>
username ADMIN secret 4 VYlArd0J6s2X4dZwZ42oTpLQ5Zog8wZDgZKHMP2SHEw
username JR-ADMIN secret 4 JpAg4vBxn6wTb6NE3N1p0wfUUZzR6eOcVUKUFftxEyA
line con 0
login local
line vty 0 4
login local
R1# exit
<Output omitted>
User Access Verification
Username: ADMIN
Password: *****
R1>
9
Authentication,
Authorization, Accounting
.
12
RADIUS Authentication
13
TACACS+ Authentication
14
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd The default authentication method
R1(config)# username ADMIN secret Str0ng5rPa55w0rd applies to all lines. AAA will attempt to
R1(config)# authenticate using the first server in the
R1(config)# aaa new-model group then attempt to authenticate
R1(config)# against the second server in the group. If
R1(config)# line vty 0 4 it does not respond, authentication will
R1(config-line)# login authentication TELNET-LOGIN done using the local database.
R1(config)# exit
R1(config)# aaa authentication login default group RADIUS-GROUP local
R1(config)# aaa authentication login TELNET-LOGIN group RADIUS-GROUP local-case
R1(config)#
R1(config)# aaa group server radius RADIUS-GROUP The TELNET-LOGIN method applies to
R1(config-sg-radius)# server name RADIUS-1 all VTY lines. Overrides the default. Same
R1(config-sg-radius)# server name RADIUS-2 options a the default.
R1(config-sg-radius)# exit
R1(config)#
R1(config)# radius server RADIUS-1
R1(config-radius-server)# address ipv4 192.168.1.101 ! address ipv6 <ipv6-address>
R1(config-radius-server)# key RADIUS-1-pa55w0rd
R1(config-radius-server)# exit
R1(config)#
R1(config)# radius server RADIUS-2
R1(config-radius-server)# address ipv4 192.168.1.102 ! address ipv6 <ipv6-address>
R1(config-radius-server)# key RADIUS-2-pa55w0rd 15
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd The default authentication method
R1(config)# username ADMIN secret Str0ng5rPa55w0rd applies to all lines. AAA will attempt to
R1(config)# authenticate using the first server in the
R1(config)# aaa new-model group then attempt to authenticate
R1(config)# against the second server in the group. If
R1(config)# line vty 0 4 it does not respond, authentication will
R1(config-line)# login authentication TELNET-LOGIN done using the local database.
R1(config)# exit
R1(config)# aaa authentication login default group TACACS-GROUP local
R1(config)# aaa authentication login TELNET-LOGIN group TACACS-GROUP local-case
R1(config)#
R1(config)# aaa group server radius TACACS-GROUP The TELNET-LOGIN method applies to
R1(config-sg-radius)# server name TACACS-1 all VTY lines. Overrides the default. Same
R1(config-sg-radius)# server name TACACS-2 options a the default.
R1(config-sg-radius)# exit A custom TCP port number can be
R1(config)# specified
R1(config)# radius server TACACS-1
R1(config-radius-server)# address ipv4 192.168.1.101 ! address ipv6 <ipv6-address>
R1(config-radius-server)# key TACACS-1-pa55w0rd
R1(config-radius-server)# exit
R1(config)#
R1(config)# radius server TACACS-2
R1(config-radius-server)# address ipv4 192.168.1.102 ! address ipv6 <ipv6-address>
R1(config-radius-server)# key TACACS-2-pa55w0rd 16
Use SSH Instead of Telnet
17
Configuring SSH
S1(config)# ip domain-name cisco.com
S1(config)# crypto key generate rsa
1. Configure the IP domain using the ip domain-name domain-name global
The name for the keys will be: S1.cisco.com
config
Choose thecommand. (The
size of the keydomain name
modulus and range
in the hostname
of 360aretothe parameters
2048 for your
used inPurpose
General order toKeys.
nameChoosing
the key. Other
a key ways to do
modulus it.)
greater than 512 may take
a few minutes.
22
Verifying SSH
Operation
23
24
R1# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSYRdGaX5NesMnkkgCF5JYoREFTMzaUEbjhRMP/Mn/
7zhBtaNAnDlPTmY01A8ymtBMXr2LW/NrX/FuNJqTZMWDVy0Hm9rYs0P6aZCsRn+8EzMzjZgMQCM8A9rO
gDgRnRVEyAm9VORaZN4hx9F7JBug1cnCjghSzbfo0fBeypE3NzJlI/ekCKMO1zXvoWAGjqV+ArtyADwb
kNnw4tmEz1OkP0GXzua/IrHUZRTKNMhd3YTZgkki0GpUowmXBfF2s4Hhy4w/I1twtEr+/sVKkU9wqs2W
UDhZD2ZUxmJKo0GuFxIPNSpMJkn6fRte2MuALGs1a8QUCGzuibVz/Gua7P9R
R1# show crypto key mypubkey rsa
% Key pair was generated at: 09:46:39 PST Aug 13 2014
Key name: R1.cisco.com
Key type: RSA KEYS
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00D26117 46697E4D 7AC32792 48021792 58A11105 4CCCDA50 46E38513 0FFCC9FF
25
Unicast Reverse Path Forwarding
The Unicast RPF feature helps to mitigate problems (DoS) that are
caused by the introduction of malformed or forged (spoofed) IP
source addresses into a network by discarding IP packets that lack
a verifiable IP source address.
26
Unicast RPF checks the
FIB to see if 192.168.1.1
has a path to FDDI
2/0/0.
If there is a matching
path, the packet is
forwarded. If there is no
matching path, the
packet is dropped.
27
If there is no reverse
entry in the routing
table that routes the
customer packet
back to source
address
209.165.200.225 on
interface FDDI 2/0/0,
and so the packet is
dropped.
28
The uRPF feature works in one of two modes:
Strict mode: The packet must be received on the interface that the router would use to forward the
return packet.
Dropping of legitimate traffic could occur when asymmetric routing paths are present in the
network.
Loose mode: The source address must appear in the routing table.
Administrators can change this behavior using the allow-default option, which allows the use
of the default route in the source verification process.
A packet that contains a source address for which the return route points to the Null 0
interface will be dropped.
An access list may also be specified that permits or denies certain source addresses in uRPF
loose mode.
29
R1(config)# interface GigabitEthernet 0/0
R1(config-if)# ip verify unicast source reachable-via any
R1(config-if)# exit
R1(config)#
R1(config)# interface GigabitEthernet 0/1
R1(config-if)# ip verify unicast source reachable-via rx
R1(config-if)# exit
R1(config)#
30
Network Time
Protocol
An NTP network usually gets its time from an authoritative time source, such
as a radio clock or an atomic clock attached to a time server.
NTP then distributes this time across the network using UDP port 123.
NTP devices can operate in one of four different modes to provide flexibility
when enabling time synchronization in a network as explained in the chapter 31
! R1 will be synchronizing its system clock
with an external NTP time source and become an NTP master
R1(config)# ntp server 209.165.200.254
R1(config)# clock timezone EST -5
R1(config)# clock summer-time EST recurring
R1(config)#
32
! NTP Authentication
33
SNMP
SNMP agents (managed node): Resides on the SNMP managed networking client
and responds to the SNMP manager’s Set and Get requests to the local MIB.
SNMP agents can be configured to forward real-time information directly to an
SNMP manager using traps (or notifications).
Devices supporting SNMP include routers, switches, firewalls, and servers
running SNMP agent software.
Management Information Base (MIB): Resides on the SNMP managed networking
client and stores data about the device operation including resources and activity.
The MIB data is available to authenticated SNMP managers.
36
SNMP
37
Configuration Backups
39
R1(config)# archive
R1(config-archive)# path ftp://admin:cisco123@10.1.2.3/$h.cfg
! Automatic archive
R1(config)# archive
! triggers the archive feature to copy the configuration each time the running configuration is copied into NVRAM
R1(config-archive)# write-memory
! specifies a periodic interval time that the configuration is automatically saved. In the example, every week (10,080
minutes)
R1(config-archive)# time-period 10080
R1(config-archive)# end
R1#
41
R1# show archive
The maximum archive configurations allowed is 10.
The next archive will be named ftp://admin:cisco123@10.1.2.3/R1-5
Archive # Name
0
1 ftp://admin:cisco123@10.1.2.3/R1-1
2 ftp://admin:cisco123@10.1.2.3/R1-2
3 ftp://admin:cisco123@10.1.2.3/R1-3
4 ftp://admin:cisco123@10.1.2.3/R1-4
Transferring files between routers, one router acts as the SCP client.
R2# copy scp: flash:
Address or name of remote host []? 10.1.1.1
Source username [ADMIN]? ADMIN
Source filename []? R2backup.cfg
Destination filename [R2backup.cfg]?
Password:
!
982 bytes copied in 13.916 secs (71 bytes/sec)
R2#
44
Disabling Unused Services
All services that are not required should be disabled; otherwise, they are a
security liability that an attacker could exploit.
Different Cisco IOS Software releases maintain different services that are
on or off by default.
45
Service Description of Service Commands Used to
Disable Service
DNS Name • If no DNS server is specifically mentioned in Router(config)#
Resolution the router configuration, all the name queries no ip domain-lookup
are sent to the broadcast address of
255.255.255.255 by default.
Proxy ARP • Proxy ARP replies are sent to an ARP request Router(config-if)#
destined for another device. no ip proxy-arp
• When an intermediate Cisco device knows the
MAC address of the destination device, it can
act as a proxy.
• When an ARP request is destined for another
Layer 3 network, a proxy ARP device extends a
LAN perimeter by enabling transparent access
between multiple LAN segments.
• This presents a security problem.
• An attacker can issue multiple ARP requests
and use up the proxy ARP device’s resources
when it tries to respond to these requests in a
DoS attack.
• Proxy ARP is enabled on Cisco router
interfaces.
47
Service Description of Service Commands Used to
Disable Service
48
Conditional Debugging
51
Configuring EIGRP Authentication
52
Configuring
EIGRP
Authentication
In the example:
Configure EIGRP MD5 authentication mode
Configure EIGRP key-based routing authentication
53
EIGRP MD5 authentication mode
R1(config)# key chain EIGRP-KEYS
R1(config-keychain)# key 1
R1(config-keychain-key)# key-string secret-1
R1(config-keychain-key)# end
R1# show key chain
Key-chain EIGRP-KEYS:
key 1 -- text "secret-1"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
R1#
54
EIGRP MD5 authentication mode
R1(config)# key chain EIGRP-KEYS
R1(config-keychain)# key 1
R1(config-keychain-key)# key-string secret-1
R1(config-keychain-key)# exit
R1(config)# interface Ethernet 0/0
R1(config-if)# ip authentication mode eigrp 100 md5
R1(config-if)# ip authentication key-chain eigrp 100 EIGRP-KEYS
55
EIGRP MD5 authentication mode
56
EIGRP Key-Based Routing Authentication
58
EIGRP for IPv6 MD5 Authentication Mode
R1(config)# key chain R1-IPv6-Chain
R1(config-keychain)# key 1
R1(config-keychain-key)# key-string secret-1
R1(config-keychain-key)# exit
R1(config-keychain)# exit
R1(config)# interface ethernet 0/0
R1(config-if)# ipv6 authentication mode eigrp 200 md5
Sep 20 23:06:57.444: %DUAL-5-NBRCHANGE: EIGRP-IPv6 200: Neighbor
FE80::A8BB:CCFF:FE00:7400 (Ethernet0/0) is down: authentication mode changed
R1(config-if)# ipv6 authentication key-chain eigrp 200 R1-IPv6-Chain
OSPFv2 supports
Plain-text authentication: Simple password authentication. Least
secure and not recommended for production environments.
MD5 authentication: Secure and simple to configure using two
commands. Should only be implemented if SHA authentication is not
supported.
SHA authentication: Most secure solution using key chains. Referred
to as the OSPFv2 cryptographic authentication feature and only
available since IOS 15.4(1)T. 61
OSPF MD5 Authentication on the interface
66
OSPFv2 Cryptographic Authentication
67
68
OSPFv3 Authentication
OSPFv3 requires the use of IPsec to enable authentication.
When OSPFv3 runs on IPv6, OSPFv3 requires the IPv6 Authentication
Header (AH) or IPv6 Encapsulating Security Payload (ESP) header to
ensure integrity, authentication, and confidentiality of routing exchanges.
IPv6 AH and ESP extension headers can be used to provide authentication
and confidentiality to OSPFv3.
To use the IPsec AH, use the ipv6 ospf authentication interface configuration
command.
To use the IPsec ESP header, use the ipv6 ospf encryption interface
configuration command.
The ESP header may be applied alone or in combination with the AH.
When ESP is used, both encryption and authentication are provided.
69
OSPFv3 Authentication
72
BGP MD5 authentication
73
BGP MD5 authentication
74
Implementing VRF-Lite
Virtual Routing and Forwarding (VRF) is a technology that allows
the device to have multiple but separate instances of routing tables
exist and work simultaneously.
A VRF instance is essentially a logical router and consists of a(n):
IP routing table
Forwarding table (FIB)
Set of interfaces that use the forwarding table
Set of rules and routing protocols that determine what goes into
the forwarding table
75
76
Central(config)# ip vrf VRF-A
Central(config-vrf)# exit
Central(config)# ip vrf VRF-B
Central(config-vrf)# exit
Central(config)# interface Serial0/0/0
Central(config-if)# ip vrf forwarding VRF-A
Central(config-if)# ip address 10.10.1.1 255.255.255.252
Central(config-if)# clock rate 2000000
Central(config-if)# no shut
Central(config-if)# exit
Central(config)# interface Serial0/0/1
Central(config-if)# ip vrf forwarding VRF-A
Central(config-if)# ip address 10.20.2.1 255.255.255.252
Central(config-if)# no shut
Central(config-if)# exit
Central(config)# interface Serial0/1/0
Central(config-if)# ip vrf forwarding VRF-B
Central(config-if)# ip address 10.30.3.1 255.255.255.252
Central(config-if)# clock rate 2000000
Central(config-if)# no shut
Central(config)# interface Serial0/1/1
Central(config-if)# ip vrf forwarding VRF-B
Central(config-if)# ip address 10.40.4.1 255.255.255.252
77
Central(config-if)# no shut
78
Central(config)# router eigrp 1
Central(config-router)# address-family ipv4 vrf VRF-A
Central(config-router-af)# network 10.10.1.0 0.0.0.3
Central(config-router-af)# network 10.20.2.0 0.0.0.3
Central(config-router-af)# autonomous-system 1
Central(config-router-af)# exit
79
EIGRP OSPF
80
EIGRP OSPF
81
CIS 185 CCNP ROUTE
Chapter : Routers and Routing Protocol
Hardening
Rick Graziani
Cabrillo College
graziani@cabrillo.edu
Spring 2015