knwminus wrote: » So I'm labbing for the CCNA (which I am taking on Saturday) and I was setting up authentication for RIP, OSPF, and EIGRP using an MD5 key. I was wondering, is this practiced in the field or is some other sort of security used? The reason why I was asking is that while "transcendering" I came across a question that involved setting up authentication for protocols (which was not in my Todd Lammle book), so I took it upon myself to look in the Cisco IOS Cookbook and I found a way to do it. It seemed like something easy enough to do but I still have some questions about MD5 that I need to look up. Also, can you authenticate with CDP?
GT-Rob wrote: » No, there is no CDP authentication (and lots of security people will probably tell you to disable it). It's a very simple, low-level mechanism that only goes 1 hop anyway, so there's not much need for auth (if they can plug into your switchport, and you don't trust them, you have other things to worry about!). You also can't influence other devices with CDP much, apart from giving false information about yourself, so there's not a whole lot of abuse you could cause with it (unlike a routing protocol or STP, for example). I have seen auth on most routing protocols, but I would say only about half the time. Depends on the size of the network, and really the policies of the company. I see auth on HSRP more often, and usually it's on BGP, but rarely on internal protocols.
billscott92787 wrote: » It all depends on what text you had used. I've seen this in my Cisco Press books, setting up authentication for all routing protocols. You can either use open authentication or MD5. Open authentication sends the information via clear text. You're saying? Not secure! Right, and then MD5. It is fairly simple to configure it. What do you mean by "can you authenticate with CDP"? CDP is only used to discover other Cisco devices which are connected at layer 2. PPP has authentication, which is the advantage over HDLC. I would go back and review some of those topics before attempting your CCNA.
billscott92787 wrote: » I have read as well that some Admins will disable CDP on the interface level for every interface except that of one connecting to another trusted Cisco device.
knwminus wrote: » I also understand that CDP is a layer 2 protocol. Since CDP traffic can be captured and potentially used to harm the network (http://www.fistconference.org/data/presentaciones/switchandroutersecuritytesting2.pdf, see page 9), I was wondering if there was a way to secure it without disabling it.
knwminus wrote: » So basically use it in a "secure" way or disable it completely? At any rate, as far as the other routing protocols go, the CCNA study guides do not mention how to do it; they just mention that it can be done. Pretty weak. But I guess maybe it is not a common CCNA-level topic.
Disabling CDP is recommended so that rogue devices can't learn anything about your infrastructure.
Morty3 wrote: » +1. Step one in an attack is the reconnaissance. With CDP fully open it is too easy.
GT-Rob wrote: » When you say "authenticate routers with each other", are you talking about just routing information? An open, standards-based routing protocol, like OSPF or BGP, should have all of its features available on a router, but it's not the law for, let's say, BobRouter 12000, to support any of it. I wouldn't be surprised if lower-end routers only supported the basic OSPF use, and auth, or maybe just MD5 auth, were not supported. In general, if you are working with a router that you cannot trust, you can just point static routes at its networks and forget the routing protocols altogether (may not be reasonable in some cases). What router/IOS are you trying to put these commands in? Fun fact of the day: did you know that OPEN in OSPF actually stands for open source, and not 'open the path'?
sh ver
Cisco IOS Software, C1700 Software (C1700-ADVIPSERVICESK9-M), Version 12.4(13b), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Tue 24-Apr-07 12:56 by prod_rel_team
ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)
MATRIX uptime is 2 hours, 15 minutes
System returned to ROM by power-on
System image file is "flash:c1700-advipservicesk9-mz.124-13b.bin
GT-Rob wrote: » You are putting these on the interfaces, right, and not on the router process? If you do "router ospf 1" and then "authentication message-digest", is that there? Under the interface, do you have any OSPF options? What kind of interface are you putting it on?
MATRIX>en
MATRIX#config t
Enter configuration commands, one per line.  End with CNTL/Z.
MATRIX(config)#router ospf 1
MATRIX(config-router)#au?
auto-cost
MATRIX(config-router)#auth?
% Unrecognized command
MATRIX(config-router)#auth

MATRIX(config)#int f 0
MATRIX(config-if)#ip ospf authentication ?
  message-digest  Use message-digest authentication
  null            Use no authentication
  <cr>
MATRIX(config-if)#ip ospf authentication message-digest ?
  <cr>
MATRIX(config-if)#ip ospf authentication message-digest

MATRIX(config-if)#ip rip authentication ?
  key-chain  Authentication key-chain
  mode       Authentication mode

MATRIX(config-if)#ip eigrp a?
% Unrecognized command
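As an added example (not posted by anyone in this thread), this is the IOS configuration the CLI attempts in the session above were reaching for: clear-text versus MD5 authentication for OSPF, key-chain based MD5 for RIPv2 and EIGRP, and the per-interface CDP switch discussed earlier. "router ospf 1" and FastEthernet0 come from the session; EIGRP AS 10, the key-chain name, the key strings and Serial0 are placeholders I chose.

```cisco
! Added example, not from the thread. "router ospf 1" and interface
! FastEthernet0 come from the session above; EIGRP AS 10, the key-chain
! name, the key strings and Serial0 are placeholders.
!
! --- OSPF, weak form: clear-text ("simple") password, readable in every Hello
interface FastEthernet0
 ip ospf authentication
 ip ospf authentication-key PLAINKEY
!
! --- OSPF, MD5 keyed hash instead; this replaces the two lines above.
! Both neighbours need the same key ID and key string or the adjacency
! will not form (mismatches show up in "debug ip ospf adj").
interface FastEthernet0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 OSPF-MD5-KEY-1
!
! Area-wide alternative: "auth?" failed under "router ospf 1" because the
! keyword sits under "area", not directly under the process.
router ospf 1
 area 0 authentication message-digest
!
! --- RIPv2 and EIGRP take their keys from a key chain (RIPv1 has no auth)
key chain ROUTING-KEYS
 key 1
  key-string ROUTING-MD5-KEY-1
!
interface FastEthernet0
 ip rip authentication mode md5
 ip rip authentication key-chain ROUTING-KEYS
! EIGRP's command starts with "ip authentication", not "ip eigrp", which is
! why "ip eigrp a?" returned "Unrecognized command" above.
 ip authentication mode eigrp 10 md5
 ip authentication key-chain eigrp 10 ROUTING-KEYS
!
! --- CDP: leave it on toward trusted Cisco neighbours and turn it off per
! port everywhere else. "no cdp run" (global) would disable it on every
! interface regardless of the per-interface setting.
interface Serial0
 no cdp enable
!
! Verify:
!   show ip ospf interface FastEthernet0   (look for "Message digest authentication enabled")
!   show ip eigrp interfaces detail        (shows authentication mode and key chain)
!   show key chain
!   show cdp neighbors
```

Apply the same key ID and key string on every neighbour before enabling the mode on the first one, otherwise the adjacency drops while you are halfway through.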
kalebksp wrote: » Not trying to be a jerk, this is an honest question: why didn't you just Google "eigrp authentication"? The very first result would have answered your question.