Here is a chart showing routing protocol authentication mechanism compatibility with various routing protocols: Note that OSPFv2 supports all authentication types as well as providing key chain support. In contrast, OSPFv3 does not use built-in authentication mechanisms like OSPFv2, instead relying upon IPv6 native security capabilities, which use IPsec. The IPsec security policy specifies the … Continue reading 14.16 Authentication Options with Different Routing Protocols
Category: Securing Cisco Routers
14.15 Time-Based Key Chains
Key chains are sets of keys that are able to be rotated based on various criteria. Note the following:
- The key chain must be created. This holds all the keys for a process. [key chain <name>]
- Create one or more keys. [key <name>]
- For each key, specify the key (password) to be used. This is called the …
14.14 Hashing Authentication Process
The following illustration represents the exchange of keys in a hashed authentication scenario: The hash is generated based on the key and the specific routing update payload being sent. The hash is appended to the routing update and sent; the hash is not part of the key, but merely transmitted alongside it. The receiving router calculates …
14.13 Plaintext Authentication Process
The following illustration represents the exchange of keys in a plaintext (simple) authentication scenario: If the keys, sent in plaintext, match, the packet is accepted by the router. The routing protocols that use plaintext authentication are:
- OSPFv2 (Note: also capable of MD5 or SHA authentication)
- RIPv2 (Note: also capable of MD5 authentication)
- IS-IS
14.12 Authentication Types
There are two types of authentication that can be configured for routing protocols:
- Simple password authentication
  - Router sends a packet and key
  - Keys are checked to see if they match
  - Process is not secure; it uses cleartext
- Hashing authentication
  - Router creates a message digest based on the hashed value of the key and the packet sent
  - The message digest is sent …
14.11 Purpose of Routing Protocol Authentication
Routing Protocol Authentication is used to prevent illegitimate sources from poisoning routing information within our devices' routing tables. In this manner, only authorized routing peers are able to exchange updates. Though each routing protocol has marked differences in how it authenticates, each packet is generally authenticated using the authentication configuration applied to the routing process. …
14.10 Disable Unused Services
If you use IOS services such as DNS, HTTP, CDP, etc., great. If not, disable them, because they are a potential vector for threat actors. Some services to consider disabling, a description of why, and the command to disable each are listed below. DNS Name Resolution - because if no DNS server is specified in the …
14.9 Implement Logging
The following technologies are important for security:
- SNMP Traps
- Syslog
- Netflow
- NTP
14.8 Configuration Backups
Periodic backups are crucial to recovery processes. The archive feature in Cisco IOS can automate periodic backups of configuration for expedited recovery. In the example above, the archive section specifies an FTP operation, where $h represents the host name for the local device. TFTP can be used as well. Note the time period is specified …
14.7 Secure SNMP
Note the features of the different SNMP versions: SNMPv1 and SNMPv2c use community strings for authentication. SNMPv3 is similar if not configured with authentication or encryption, in which case it only uses the configured username. Note authNoPriv and authPriv. You'll certainly have a question on the exam that asks for the valid SNMPv3 configuration modes. …