Authentication w/ Routing Protocols
Bl8ckr0uter Inactive Imported Users Posts: 5,031
in CCNA & CCENT
So I'm labbing for the CCNA (which I am taking on Saturday) and I was setting up authentication for RIP, OSPF, and EIGRP using an MD5 key. I was wondering, is this practiced in the field or is some other sort of security used?
The reason why I was asking is that while "transcendering" I came across a question that involved setting up authentication for protocols (which was not in my Todd Lammle book), so I took it upon myself to look in the Cisco IOS Cookbook and I found a way to do it. It seemed like something easy enough to do but I still have some questions about MD5 that I need to look up.
Also, can you authenticate with CDP?
Comments
billscott92787 Member Posts: 933
It all depends on what text you had used. I've seen this in my Cisco Press books, setting up authentication for all routing protocols. You can either use open authentication or MD5. Open authentication sends the information via clear text. You're saying "Not secure!"? Right, and then MD5. It is fairly simple to configure it. What do you mean by, can you authenticate with CDP? CDP is only used to discover other Cisco devices which are connected at layer 2. PPP has authentication, which is the advantage over HDLC. I would go back and review some of those topics before attempting your CCNA.
GT-Rob Member Posts: 1,090
No, there is no CDP authentication (and lots of security people will probably tell you to disable it). It's a very simple, low-level mechanism that only goes 1 hop anyway, so there's not much need for auth (if they can plug into your switchport, and you don't trust them, you have other things to worry about!). You also can't influence other devices with CDP much, apart from giving false information about yourself, so there's not a whole lot of abuse you could cause with it (unlike a routing protocol or STP, for example).
I have seen auth on most routing protocols, but I would say only about half the time. Depends on the size of the network, and really the policies of the company. I see auth on HSRP more often, and usually it's on BGP, but rarely on internal protocols.
billscott92787 Member Posts: 933
I have read as well that some admins will disable CDP at the interface level for every interface except the one connecting to another trusted Cisco device.
GT-Rob Member Posts: 1,090
Ya, we disable it some places. I think it's a good idea to disable it on user ports (so a user can't find out more info than they need to know about your network!) if there are no Cisco phones, but CDP is more useful to me than it is dangerous IMO, so I usually leave it on most places.
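The practice described in the two posts above, written out as an added example (editor-supplied, not any poster's configuration): CDP stays enabled globally and on the uplink and phone ports that rely on it, and is switched off only on user-facing access ports. The switch model, interface names and ranges are assumptions.

```cisco
! Added example, not from the thread. Interface numbering is assumed.
! CDP stays on globally so trusted neighbours and Cisco IP phones still work.
cdp run
!
! User-facing access ports with no phone attached: stop advertising platform,
! IOS version, management IP address and native VLAN to whoever plugs in.
interface range GigabitEthernet1/0/1 - 20
 no cdp enable
!
! Ports with Cisco IP phones keep CDP (the phone learns its voice VLAN from it).
interface range GigabitEthernet1/0/21 - 24
 cdp enable
!
! Uplink to the trusted distribution switch keeps CDP for neighbour discovery.
interface GigabitEthernet1/1/1
 description uplink-to-dist1
 cdp enable
!
end
!
! Verify which interfaces are still sending CDP:
! show cdp interface
```

Disabling `cdp run` globally is the blunt alternative; it also silences the phone and uplink ports, which is the trade-off the posters are weighing.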
Bl8ckr0uter Inactive Imported Users Posts: 5,031
I understand that you can use open and MD5 (I set up both). I also know that clear text is not secure. I also understand that CDP is a layer 2 protocol. Since CDP traffic can be captured and potentially used to harm the network:
http://www.fistconference.org/data/presentaciones/switchandroutersecuritytesting2.pdf (see page 9)
I was wondering if there was a way to secure it without disabling it. I am not sure why you mentioned PPP, but I do understand that it is a WAN protocol that has authentication.
Stotic Member Posts: 248
billscott92787 wrote: » I have read as well that some admins will disable CDP at the interface level for every interface except the one connecting to another trusted Cisco device.
If you're going to disable CDP, that would be the way to do it. CDP is way too valuable to disable it completely.
kalebksp Member Posts: 1,033
Bl8ckr0uter wrote: » I also understand that CDP is a layer 2 protocol. Since CDP traffic can be captured and potentially used to harm the network:
http://www.fistconference.org/data/presentaciones/switchandroutersecuritytesting2.pdf (see page 9)
I was wondering if there was a way to secure it without disabling it.
CDP simply broadcasts (or multicasts, more accurately) information about itself to directly connected devices; because the receiving device is not going to change its behavior based on CDP information, authentication within CDP would be pointless.
Bl8ckr0uter Inactive Imported Users Posts: 5,031
So basically use it in a "secure" way or disable it completely?
At any rate, as far as the other routing protocols go, the CCNA study guides do not mention how to do it; they just mention it can be done. Pretty weak. But I guess maybe it is not a common CCNA-level topic.
kalebksp Member Posts: 1,033
Because CDP is sending out information only to directly connected neighbors, the only way to see it is either being a directly connected neighbor or having a tap on the connection. In which case it wouldn't matter whether there were authentication or not; authentication only verifies that the device receiving the message trusts the device sending the message, it does not encrypt it. The message itself is readable by whoever happens to see it on the wire.
Authentication can be important in routing protocols because if a rogue device is introduced into the network it could send false information to the other routers and damage the network. If authentication were enabled, the routers wouldn't accept the routing information from the rogue device. With CDP all the device could do is tell its neighbor incorrect information about itself, which would have no effect on the network other than possibly confusing an engineer.
Disabling CDP is recommended so that rogue devices can't learn anything about your infrastructure.
Morty3 Member Posts: 139
kalebksp wrote: » Disabling CDP is recommended so that rogue devices can't learn anything about your infrastructure.
+1. Step one in an attack is the reconnaissance. With CDP fully open it is too easy.
CCNA, CCNA:Sec, Net+, Sonicwall Admin (fwiw). Constantly getting into new stuff.
shodown Member Posts: 2,271
Morty3 wrote: » +1. Step one in an attack is the reconnaissance. With CDP fully open it is too easy.
Yes, this is true, but like someone said above, it is way too valuable in large networks to not have it turned on. I have dealt with some people who have wanted it turned off, but then have poor documentation on where everything is located. Just be smart with where you have it turned on.
Currently Reading
CUCM SRND 9x/10, UCCX SRND 10x, QOS SRND, SIP Trunking Guide, anything contact center related
Bl8ckr0uter Inactive Imported Users Posts: 5,031
Well, I tried to set up authentication for EIGRP and OSPF and the commands would not work. RIP and RIPv2 worked, though.
I also read that some non-Cisco devices do not support authentication the same way that Cisco does. Is there a generic way to authenticate routers to each other? I know about GRE but I do not think it provides any security (if I recall correctly).
GT-Rob Member Posts: 1,090
When you say authenticate routers with each other, are you talking about just routing information?
An open, standards-based routing protocol, like OSPF or BGP, should have all of its features available on a router, but it's not the law for, let's say, BobRouter 12000, to support any of it. I wouldn't be surprised if lower-end routers only supported the basic OSPF use, and auth, or maybe just MD5 auth, were not supported.
In general, if you are working with a router that you cannot trust, you can just point static routes at its networks and forget the routing protocols altogether (may not be reasonable in some cases).
What router/IOS are you trying to put these commands in?
Fun fact of the day: Did you know that OPEN in OSPF actually stands for open source, and not 'open the path'.
Bl8ckr0uter Inactive Imported Users Posts: 5,031
Yes, only routing info.
I was trying to do ip ospf authentication [ ] but this command did not work. I will post my IOS version in a minute.
GT-Rob Member Posts: 1,090
Looks like the command was first integrated with 12.2(33)SRA, so if you are on 12.1, for example, it probably won't be available.
Bl8ckr0uter Inactive Imported Users Posts: 5,031
Then it should work:
sh ver
Cisco IOS Software, C1700 Software (C1700-ADVIPSERVICESK9-M), Version 12.4(13b), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Tue 24-Apr-07 12:56 by prod_rel_team
ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)
MATRIX uptime is 2 hours, 15 minutes
System returned to ROM by power-on
System image file is "flash:c1700-advipservicesk9-mz.124-13b.bin"
Is setting the authentication for OSPF/EIGRP different than setting it for RIP? Like I said, RIP works but OSPF or EIGRP don't. Does it have to do with the fact that I do have the VPN cards in my 1721s? (I doubt it)
GT-Rob Member Posts: 1,090
You are putting these on the interfaces, right, and not on the router process?
If you do:
router ospf 1
authentication message-digest
is that there?
Under the interface, do you have any OSPF options? What kind of interface are you putting it on?
Bl8ckr0uter Inactive Imported Users Posts: 5,031
MATRIX>en
MATRIX#config t
Enter configuration commands, one per line. End with CNTL/Z.
MATRIX(config)#router ospf 1
MATRIX(config-router)#au?
auto-cost
MATRIX(config-router)#auth?
% Unrecognized command
MATRIX(config-router)#auth
That command isn't there. But if I try it this way:
MATRIX(config)#int f 0
MATRIX(config-if)#ip ospf authentication ?
  message-digest  Use message-digest authentication
  null            Use no authentication
  <cr>
MATRIX(config-if)#ip ospf authentication message-digest ?
  <cr>
MATRIX(config-if)#ip ospf authentication message-digest
That is there. But it is different for RIP:
MATRIX(config-if)#ip rip authentication ?
  key-chain  Authentication key-chain
  mode       Authentication mode
And I can set my key chains and so on. So I guess my question is, is it just different for OSPF? Also look at this:
MATRIX(config-if)#ip eigrp a?
% Unrecognized command
There are no authentication options at all for EIGRP. Am I doing this wrong?
kalebksp Member Posts: 1,033
Not trying to be a jerk, this is an honest question: why didn't you just google "eigrp authentication"? The very first result would have answered your question.
Bl8ckr0uter Inactive Imported Users Posts: 5,031
I looked at that already. But I cannot run the commands on the sheet.
OOPS lol, I think I know what the problem is....
EDIT:
Ok, figured it out. Authenticating just fine. Although I hate that I have to put it on each int or subint (I have 12). I wish I could enable it globally.