Authentication w/ Routing Protocols

Bl8ckr0uterBl8ckr0uter Posts: 5,031Inactive Imported Users ■■■■■■■■□□
So Im labbing for the CCNA (which I am taking on Saturday) and I was setting up authentication for rip, ospf, and eigrp using a md5 key. I was wondering, is this practiced in the field or is some other sort of security used?

The reason why I was asking is that while "transcendering" I came across a question that involved setting up authentication for protocols (which was not in my Tood Lamelle book), so I took it upon myself to look in the cisco IOS cookbook and I found a way to do it. It seemed like something easy enough to do but I still have some questions about md5 that I need to look up.


Also can you authenticate with CDP?

Comments

  • billscott92787billscott92787 Posts: 933Member
    knwminus wrote: »
    So Im labbing for the CCNA (which I am taking on Saturday) and I was setting up authentication for rip, ospf, and eigrp using a md5 key. I was wondering, is this practiced in the field or is some other sort of security used?

    The reason why I was asking is that while "transcendering" I came across a question that involved setting up authentication for protocols (which was not in my Tood Lamelle book), so I took it upon myself to look in the cisco IOS cookbook and I found a way to do it. It seemed like something easy enough to do but I still have some questions about md5 that I need to look up.


    Also can you authenticate with CDP?




    It all depends on what text you had used. I seen this in my Cisco Press books, setting up authentication for all routing protocols. You can either use open authentication or md5. Open authentication sends the information via clear text. Your saying ? Not secure! Right, and then MD5. It is fairly simple to configure it. What do you mean by, can you authentication with CDP? CDP is only used to discover other Cisco devices which are connected at layer 2. PPP has authentication which is the advantage over HDLC. I would go back and review some of those topics before attempting your CCNA.
  • GT-RobGT-Rob Posts: 1,090Member
    No, there is no CDP authentication (and lots of security people will probably tell you to disable it). Its a very simple, low level mechanism that only goes 1 hop anyway, so theres not much need for auth (if they can plug into your switchport, and you don't trust them, you have other things to worry about!). You also can't influence other devices with CDP much, apart from giving false information about yourself, so theres no a whole lot of abuse you could cause with it. (unlike a routing protocol or STP for example).


    I have seen auth on most routing protocols, but I would say only about half the time. Depends on the size of the network, and really the policies of the company. I see auth on HSRP more often, and usually its on BGP, but rarely on internal protocols.
  • billscott92787billscott92787 Posts: 933Member
    GT-Rob wrote: »
    No, there is no CDP authentication (and lots of security people will probably tell you to disable it). Its a very simple, low level mechanism that only goes 1 hop anyway, so theres not much need for auth (if they can plug into your switchport, and you don't trust them, you have other things to worry about!). You also can't influence other devices with CDP much, apart from giving false information about yourself, so theres no a whole lot of abuse you could cause with it. (unlike a routing protocol or STP for example).


    I have seen auth on most routing protocols, but I would say only about half the time. Depends on the size of the network, and really the policies of the company. I see auth on HSRP more often, and usually its on BGP, but rarely on internal protocols.





    I have read as well that some Admins will disable CDP on the interface level for every interface except that of one connecting to another trusted Cisco device.
  • GT-RobGT-Rob Posts: 1,090Member
    Ya we disable it some places. I think its a good idea to disable it on user ports (so a user can't find out more info than they need to know about your network!) if there are no Cisco Phones, but CDP is more useful to me than it is dangerous IMO, so I usually leave it on most places.
  • Bl8ckr0uterBl8ckr0uter Posts: 5,031Inactive Imported Users ■■■■■■■■□□
    It all depends on what text you had used. I seen this in my Cisco Press books, setting up authentication for all routing protocols. You can either use open authentication or md5. Open authentication sends the information via clear text. Your saying ? Not secure! Right, and then MD5. It is fairly simple to configure it. What do you mean by, can you authentication with CDP? CDP is only used to discover other Cisco devices which are connected at layer 2. PPP has authentication which is the advantage over HDLC. I would go back and review some of those topics before attempting your CCNA.

    I understand that you can use open and md5 (I set up both). I also know that clear text is not secure. I also understand that CDP is a layer 2 protocol. Since CDP traffic can be captured and potentially used for harm of the network :
    http://www.fistconference.org/data/presentaciones/switchandroutersecuritytesting2.pdf (see page 9)

    I was wondering if there was a way to secure it without disabling it. I am not sure why you mentioned PPP, but I do understand that it is a wan protocol that has authentication.
  • StoticStotic Posts: 248Member
    I have read as well that some Admins will disable CDP on the interface level for every interface except that of one connecting to another trusted Cisco device.

    If you're going to disable cdp that would be the way to do it. CDP is way too valuable to disable it completely.
  • kalebkspkalebksp Posts: 1,033Member ■■■■■□□□□□
    knwminus wrote: »
    I also understand that CDP is a layer 2 protocol. Since CDP traffic can be captured and potentially used for harm of the network :
    http://www.fistconference.org/data/presentaciones/switchandroutersecuritytesting2.pdf (see page 9)

    I was wondering if there was a way to secure it without disabling it.

    CDP simply broadcasts (or multicasts, more accurately) information about itself to directly connected devices, because the receiving device is not going to change it's behavior based on CDP information authentication within CDP would be pointless.
  • Bl8ckr0uterBl8ckr0uter Posts: 5,031Inactive Imported Users ■■■■■■■■□□
    So basically use it in a "secure" way or disable it completely?

    At any rate as far as the other routing protocols go the CCNA study guides does not mention how to do it they just mention it can be done. Pretty weak. But I guess maybe it is not a common ccna level topic.
  • kalebkspkalebksp Posts: 1,033Member ■■■■■□□□□□
    knwminus wrote: »
    So basically use it in a "secure" way or disable it completely?

    At any rate as far as the other routing protocols go the CCNA study guides does not mention how to do it they just mention it can be done. Pretty weak. But I guess maybe it is not a common ccna level topic.

    Because CDP is sending out information only to directly connected neighbors the only way to see it is either being a directly connected neighbor or having a tap on the connection. In which case it wouldn't matter whether there were authentication or not, authentication only verifies that the device receiving the message trusts the device sending the message, it does not encrypt it, the message itself is readable by whoever happens to see it on the wire.

    Authentication can be important in routing protocols because if a rouge device is introduced into the network it could send false information to the other routers and damage the network. If authentication were enabled the routers wouldn't accept the routing information from the rouge device. With CDP all the device could do is tell it's neighbor incorrect information about itself which would have no affect on the network other than possibly confusing an engineer.

    Disabling CDP is recommended so that rouge devices can't learn anything about your infrastructure.
  • Morty3Morty3 Posts: 139Member
    Disabling CDP is recommended so that rouge devices can't learn anything about your infrastructure.

    +1. Step one in an attack is the reconnaissance. With CDP fully open it is too easy.
    CCNA, CCNA:Sec, Net+, Sonicwall Admin (fwiw). Constantly getting into new stuff.
  • shodownshodown Posts: 2,271Member
    Morty3 wrote: »
    +1. Step one in an attack is the reconnaissance. With CDP fully open it is too easy.


    yes this is true, but like someone said above is way to valuable in large networks to not have it turned on. I have dealt with some people who have wanted it turned off, but then have poor documentation on where everything is located. Just be smart with where you have it turned on at.
    Currently Reading

    CUCM SRND 9x/10, UCCX SRND 10x, QOS SRND, SIP Trunking Guide, anything contact center related
  • Bl8ckr0uterBl8ckr0uter Posts: 5,031Inactive Imported Users ■■■■■■■■□□
    It all depends on what text you had used. I seen this in my Cisco Press books, setting up authentication for all routing protocols. You can either use open authentication or md5. Open authentication sends the information via clear text. Your saying ? Not secure! Right, and then MD5. It is fairly simple to configure it. What do you mean by, can you authentication with CDP? CDP is only used to discover other Cisco devices which are connected at layer 2. PPP has authentication which is the advantage over HDLC. I would go back and review some of those topics before attempting your CCNA.

    Well I tried to set up authentication for EIGRP and OSPF and the commands would not work. Rip and RIPv2 worked though.

    I also read that some non cisco devices do not support authentication the same way that cisco does. Is there a generic way to authenticate routers to each other? I know about GRE but I do not think it provides any security (if I recall correctly).
  • GT-RobGT-Rob Posts: 1,090Member
    When you say, authenticate routers with each other, are you talking about just routing information?

    An open based routing protocol, like OSPF or BGP, should have all of its features available on a router, but its not the law for lets say, BobRouter 12000, to support any of it. I wouldn't be surprised if lower end routers only supported the basic OSPF use, and auth, or maybe just MD5 auth, were not supported.

    In general, if you are working with a router that you cannot trust, you can just point static routes at its networks and forget the routing protocols all together (may not be reasonable in some cases).


    What router/IOS are you trying to put these commands in?


    Fun fact of the day: Did you know that OPEN in OSPF actually stands for open source, and not 'open the path'.
  • Bl8ckr0uterBl8ckr0uter Posts: 5,031Inactive Imported Users ■■■■■■■■□□
    GT-Rob wrote: »
    When you say, authenticate routers with each other, are you talking about just routing information?

    An open based routing protocol, like OSPF or BGP, should have all of its features available on a router, but its not the law for lets say, BobRouter 12000, to support any of it. I wouldn't be surprised if lower end routers only supported the basic OSPF use, and auth, or maybe just MD5 auth, were not supported.

    In general, if you are working with a router that you cannot trust, you can just point static routes at its networks and forget the routing protocols all together (may not be reasonable in some cases).


    What router/IOS are you trying to put these commands in?


    Fun fact of the day: Did you know that OPEN in OSPF actually stands for open source, and not 'open the path'.

    Yes only routing info.

    I was trying to do ip ospf authentication [ ] but this command did not work. I will post my ios version in a minute.
  • GT-RobGT-Rob Posts: 1,090Member
    Looks like the command was first integrated with 12.2(33)SRA, so if you are on 12.1 for example it probably wont be available.
  • Bl8ckr0uterBl8ckr0uter Posts: 5,031Inactive Imported Users ■■■■■■■■□□
    Then it should work:
    sh ver
    Cisco IOS Software, C1700 Software (C1700-ADVIPSERVICESK9-M), Version 12.4(13b), RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2007 by Cisco Systems, Inc.
    Compiled Tue 24-Apr-07 12:56 by prod_rel_team
    
    ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)
    
    MATRIX uptime is 2 hours, 15 minutes
    System returned to ROM by power-on
    System image file is "flash:c1700-advipservicesk9-mz.124-13b.bin
    

    Is setting the authentication for OSPF/EIGRP different then setting it for RIP? Like I said, rip works but ospf or eigrp don't. Does it have to do with the fact that I do have the vpn cards in my 1721s? (I doubt it)
  • GT-RobGT-Rob Posts: 1,090Member
    You are putting these on the interfaces right, and not on the router process?


    if you do:

    router ospf 1
    authentication message-digest

    is that there?


    Under the interface, do you have any ospf options? What kind of interface are you putting it on?
  • Bl8ckr0uterBl8ckr0uter Posts: 5,031Inactive Imported Users ■■■■■■■■□□
    GT-Rob wrote: »
    You are putting these on the interfaces right, and not on the router process?


    if you do:

    router ospf 1
    authentication message-digest

    is that there?


    Under the interface, do you have any ospf options? What kind of interface are you putting it on?
    MATRIX>en  
    MATRIX#config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    MATRIX(config)#router ospf 1
    MATRIX(config-router)#au?
    auto-cost  
    
    MATRIX(config-router)#auth?
    % Unrecognized command
    MATRIX(config-router)#auth
    

    That command isn't there. But if I try it this way
    MATRIX(config)#int f 0
    MATRIX(config-if)#ip ospf authentication ?
      message-digest  Use message-digest authentication
      null            Use no authentication
      <cr>
    
    MATRIX(config-if)#ip ospf authentication message-digest ?
      <cr>
    
    MATRIX(config-if)#ip ospf authentication message-digest
    

    That is there. But it is different for RIP
    MATRIX(config-if)#ip rip authentication ?
      key-chain  Authentication key-chain
      mode       Authentication mode
    

    And I can set my key chains and so on. So I guess my question is, is it just different for ospf? Also look at this:
    MATRIX(config-if)#ip eigrp a?
    % Unrecognized command
    
    There are no authentication options at all for eigrp. Am I doing this wrong?
  • kalebkspkalebksp Posts: 1,033Member ■■■■■□□□□□
    Not trying to be a jerk, this is an honest question, why didn't you just google "eigrp authentication"? The very first result would have answered your question.
  • Bl8ckr0uterBl8ckr0uter Posts: 5,031Inactive Imported Users ■■■■■■■■□□
    kalebksp wrote: »
    Not trying to be a jerk, this is an honest question, why didn't you just google "eigrp authentication"? The very first result would have answered your question.

    I looked at that already. But like I cannot run the commands on the sheet.


    OOPS lol I think I know what the problem is....

    EDIT:

    Ok figured out. Authenticating just fine. Although I hate that I have to put it on each int or subint (I have 12) . I wish I could enable it globally.
Sign In or Register to comment.