Router prompt that indicates you have only limited examination of the router

Implementing the EIGRP

Dale Liu, ... Luigi DiGrande, in Cisco CCNA/CCENT Exam 640-802, 640-822, 640-816 Preparation Kit, 2009

MD5 Authentication

The type of authentication that EIGRP supports is MD5 authentication. MD5 authentication adds a keyed MD5 digest to every EIGRP packet that is sent. The receiving router recomputes the digest with its own copy of the key and discards any packet whose digest does not match, so a router that does not hold the key cannot inject or alter EIGRP packets on that link. To configure MD5 authentication, you configure an authenticating key (sometimes referred to as a password) and a key ID on the source and destination routers. Here are the steps to configure MD5 authentication for EIGRP:

1.

Enter Global Configuration mode.

2.

Enter interface configuration mode.

3.

Enable MD5 authentication in EIGRP packets.

4.

Enable authentication of EIGRP packets (this identifies the key to be used on this interface).

5.

Exit to Global Configuration mode.

6.

Identify a key chain, using the same name as in Step 4 (the key chain is a group of possible keys).

7.

In key chain configuration mode, identify the key number (this is the identifier for the key).

8.

In key chain key configuration mode, identify the key string.

9.

Repeat Steps 1 through 8 on the other router.

Figure 8.4 shows the diagram of a network with two routers that will use MD5 authentication for EIGRP.

FIGURE 8.4. Configuring MD5 Authentication (network diagram of the two routers; image not reproduced here)

EXERCISE 8.3

Configuring EIGRP MD5 Authentication

In this exercise, we're going to configure MD5 authentication on the two routers in Figure 8.4.

Configuring Router1:

1.

Enter Global Configuration mode:

Router1# configure terminal

2.

Enter interface configuration mode:

Router1(config)# interface Fastethernet 0/0

3.

Enable MD5 authentication in EIGRP packets:

Router1(config-if)# ip authentication mode eigrp 100 md5

! The 100 is the EIGRP AS.

4.

Enable authentication of EIGRP packets:

Router1(config-if)# ip authentication key-chain eigrp 100 ourkey1

! ourkey1 is the name of the key chain, not of the key itself

5.

Exit to Global Configuration mode:

Router1(config-if)# exit

6.

Identify a key chain, using the same name as in Step 4:

Router1(config)# key chain ourkey1

7.

In key chain configuration mode, identify the key number:

Router1(config-keychain)# key 1

8.

In key chain key configuration mode, identify the key string:

Router1(config-keychain-key)# key-string 1234567890

9.

Repeat Steps 1 through 8 on the other router.

Configuring Router2:

1.

Enter Global Configuration mode:

Router2# configure terminal

2.

Enter interface configuration mode:

Router2(config)# interface Fastethernet 0/0

3.

Enable MD5 authentication in EIGRP packets:

Router2(config-if)# ip authentication mode eigrp 100 md5

4.

Enable authentication of EIGRP packets:

Router2(config-if)# ip authentication key-chain eigrp 100 anotherkey2

! anotherkey2 is the key chain name on Router2; it does not have to match Router1's

5.

Exit to Global Configuration mode:

Router2(config-if)# exit

6.

Identify a key chain, using the same name as in Step 4:

Router2(config)# key chain anotherkey2

7.

In key chain configuration mode, identify the key number (this must match Router1's key 1):

Router2(config-keychain)# key 1

8.

In key chain key configuration mode, identify the key string (this must match Router1's key string):

Router2(config-keychain-key)# key-string 1234567890

We have now configured MD5 authentication on our routers as shown in Figure 8.4. The routers will use the key information to make sure they know who they are talking to. Note that the key chain name is only locally significant, which is why Router1's ourkey1 and Router2's anotherkey2 still form an adjacency: what must match on both ends is the key number (key 1) and the key string. Choose a long, random key string rather than 1234567890, because the key-string is stored in the configuration in cleartext unless service password-encryption is on, and even then only as a reversible type 7 string. Verify the result with show ip eigrp neighbors on both routers; if the adjacency does not come up, show key chain confirms which chain and key each router is using.

URL: https://www.sciencedirect.com/science/article/pii/B9781597493062000129

Configuring Cisco Routers

Dale Liu, ... Luigi DiGrande, in Cisco CCNA/CCENT Exam 640-802, 640-822, 640-816 Preparation Kit, 2009

Configuration Files

The configuration changes you make while in Global Configuration mode affect only the running configuration of the router. If the router were rebooted, the configuration would revert to the previously saved one, because when the router boots it pulls its configuration from NVRAM. That saved configuration is called the startup-config. To make your configuration changes permanent, you must save them to NVRAM by typing write memory (or wr mem) or copy running-config startup-config (or copy run start).

URL: https://www.sciencedirect.com/science/article/pii/B9781597493062000087

Cisco IOS Switch Basics

Dale Liu, in Cisco Router and Switch Forensics, 2009

User Account Setup

Now that you are at a point where privileged accounts are being used and you are on the verge of making configuration changes to the switch, we should discuss the topic of user account creation. This will become important when I address the use of secure protocols to configure switches, over virtual terminals or over Web interfaces.

Setting a username on a Cisco switch in IOS global configuration mode will be key for later, so you will have accountability of who accessed the switch. You will also come to know why you reset the default usernames and passwords on networking equipment if you value the security of your network devices. I suggest the use of these commands to establish usernames on your Cisco equipment:

Switch#configure terminal

Switch(config)#username itmgr privilege 15 password myPA$$w0rd1ss0l33t

Switch(config)#CTRL-Z

Switch#copy running-config startup-config

As you can see, setting up usernames on switches is just as easy as it is on routers, so it should be good practice, and enforced policy, to set usernames and passwords for everyone who administers the switches in your business. One caveat: the password keyword stores the credential in cleartext or, with service password-encryption, as a type 7 string that is trivially reversible. On IOS images that support it, username itmgr privilege 15 secret ... stores a one-way hash instead and is the form to prefer.

URL: https://www.sciencedirect.com/science/article/pii/B9781597494182000107

IPv6

Dale Liu, ... Luigi DiGrande, in Cisco CCNA/CCENT Exam 640-802, 640-822, 640-816 Preparation Kit, 2009

Enabling IPv6

Refer to Exercise 10.3 for the steps to go through to enable IPv6 and configure an IPv6 address on an interface.

EXERCISE 10.3

Enabling IPv6 and Configuring IPv6 Addresses

1.

Access global configuration mode:

company# configure terminal

2.

Enable IPv6 forwarding on the router:

company(config)# ipv6 unicast-routing

3.

Move to interface configuration mode:

company(config)# interface Fastethernet0/0

4.

Enable IPv6 on the interface and cause a link-local address to be automatically generated.

company(config-if)# ipv6 enable

Remember, link-local addresses aren't routable so this command enables the device to communicate only with the other devices on the local link, or physical network. Here are the steps to configure a global unicast address on the interface.

company(config-if)# ipv6 address 2001:db8:1a2b:11::345c:de67/64

This command specifies the entire 128-bit IPv6 address.

Alternatively, you can specify the prefix information for the address and allow the router to create the interface identifier automatically by modifying the interface's MAC address.

company(config-if)# ipv6 address 2001:db8:1a2b:11::/64 eui-64

To disable IPv6 on the router, execute the no ipv6 unicast-routing command at the global configuration prompt:

company(config)# no ipv6 unicast-routing

To disable IPv6 on an individual interface, the command no ipv6 enable is executed in interface configuration mode:

company(config-if)# no ipv6 enable

To remove the global IPv6 address from the interface without disabling IPv6, leaving the automatically-generated link-local address intact, use the no ipv6 address command in interface configuration mode. For example, to remove the IPv6 address we assigned to Fastethernet0/0, we would execute the command:

company(config-if)# no ipv6 address 2001:db8:1a2b:11::345c:de67/64

EUI-64

The EUI-64 option has been mentioned a few times now, so let's take a look at exactly what it is. The EUI-64 format uses the interface's MAC address, pads the MAC address, and creates an interface identifier from the padded MAC address. An interface identifier is 64 bits long and a MAC address is 48 bits long so padding the MAC address gives us the 64 bits we need for the interface identifier. The MAC address is padded by inserting FFFE into the middle, between the Organization Unique ID (OUI) and the serial number. Here is an example of a MAC address before it is modified:

00-10-AB-23-45-67

After the address has been modified using the EUI-64 standard it looks like this:

02-10-AB-FF-FE-23-45-67

MAC addresses used in the Cisco IOS are displayed as three 16-bit hexadecimal fields. For example, a MAC address used on a router interface would look something like this:

0010:AB23:4567

After the address is modified, it looks like this:

0210:ABFF:FE23:4567

In addition to the FF FE inserted into the middle of the MAC address, the second hexadecimal digit has changed from 0 to 2. The seventh bit from the top of the first byte (the bit with value 0x02) is the Universal/Local (U/L) bit. In a MAC address the IEEE defines 0 as universally administered (burned in by the vendor) and 1 as locally administered; the modified EUI-64 format inverts this bit, so a 1 in the resulting interface identifier means it was derived from a universally administered, globally unique MAC address, and a 0 means it was locally assigned. Flipping that bit is what turns the 00 into 02 in the first byte. The U/L bit says nothing about the scope of the address itself: the same interface identifier, with the same bit set, is used for the link-local address and for any global unicast address built with eui-64. More information on modified EUI-64 addresses is detailed in Figure 10.10.

FIGURE 10.10. Modified EUI-64 Address (diagram; image not reproduced here)

Configuring the EUI-64 portion of the address is automatic in the case of the link-local address that is generated when an interface is enabled for IPv6. Here are the commands you would execute in the Cisco IOS:

company(config)# interface Fastethernet0/0

company(config-if)# ipv6 enable

These commands enable IPv6 on the Fastethernet0/0 interface and cause a link-local address, with the modified EUI-64 interface ID to be automatically created.
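The modified EUI-64 transformation described above, as an added Python example (this is not code from the book): it derives the interface identifier from a MAC address written in any of the usual notations, builds the link-local and a global address from a /64 prefix, and does the reverse lookup that matters for privacy, recovering the MAC address from any EUI-64 based address. The MAC address and prefix are the ones used in the chapter; nothing else is assumed.

```python
import ipaddress
import re

# MAC address from the chapter; the functions accept it in IEEE hyphenated,
# colon-separated or Cisco IOS dotted notation.
CHAPTER_MAC = "00-10-AB-23-45-67"


def mac_to_modified_eui64(mac: str) -> bytes:
    """Build the 64-bit modified EUI-64 interface identifier from a 48-bit MAC."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    mac_bytes = bytes.fromhex(digits)
    # Insert FFFE between the OUI (first 3 bytes) and the vendor serial (last 3).
    iid = bytearray(mac_bytes[:3] + b"\xff\xfe" + mac_bytes[3:])
    # Invert the U/L bit (0x02 of the first byte): a 1 now means "universal".
    iid[0] ^= 0x02
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the interface identifier derived from mac."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The address 'ipv6 enable' derives automatically: fe80::/64 plus the EUI-64."""
    return eui64_address("fe80::/64", mac)


def mac_from_eui64_address(addr: str):
    """Recover the MAC from an EUI-64 address, or None if the IID is not EUI-64.

    This is the privacy cost of EUI-64: the hardware address, and with it the
    vendor and a stable host identity, is readable from any address built this way.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac_bytes = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return "-".join(f"{b:02X}" for b in mac_bytes)


def cisco_format(eui64: bytes) -> str:
    """Render an identifier the way IOS shows it: four 16-bit hex groups."""
    return ":".join(eui64.hex()[i:i + 4].upper() for i in range(0, 16, 4))


if __name__ == "__main__":
    print(cisco_format(mac_to_modified_eui64(CHAPTER_MAC)))          # 0210:ABFF:FE23:4567
    print(link_local_address(CHAPTER_MAC))                            # fe80::210:abff:fe23:4567
    print(eui64_address("2001:db8:1a2b:11::/64", CHAPTER_MAC))        # 2001:db8:1a2b:11:210:abff:fe23:4567
    print(mac_from_eui64_address("fe80::210:abff:fe23:4567"))         # 00-10-AB-23-45-67
```

A locally administered MAC (one with the 0x02 bit already set, as many virtual NICs use) comes out with the U/L bit clear, which is the inverted-bit rule working as designed.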

URL: https://www.sciencedirect.com/science/article/pii/B9781597493062000142

Cisco IOS Router Basics

Dale Liu, in Cisco Router and Switch Forensics, 2009

Final Security Issues

Now we're ready to set up coordinated times so that the router can accurately report events as they happen. In this section, we will also set up Simple Network Management Protocol (SNMP) monitoring and disable unneeded services that only open the router up to attack. Plus, we will briefly address some of the protective features of ACLs and discuss their proper placement in a router so that they are efficient and effective. We will conclude the section with a short discussion of basic firewall and VPN configuration.

Deriving and using accurate times from a trusted source in your enterprise is the key to being able to discover when events occurred. Start by finding the approved Network Time Protocol (NTP) source or server that your network is allowed to use. When you find it, make sure you validate it and ensure that it is accurate and is sensible to use.

To set up the time synchronization process on your router, enter the following in global configuration mode:

ACMERTR#configure terminal

ACMERTR(config)#service timestamps log datetime msec localtime show-timezone

ACMERTR(config)#ntp server <some-IP>

ACMERTR(config)#ntp server <somebackup-IP>

ACMERTR(config)#ntp peer <ACMEBDRRTR-ip>

ACMERTR(config)#ntp peer <switch-IP>

ACMERTR(config)#clock timezone PST -08

ACMERTR(config)#clock summer-time PDT recurring

ACMERTR(config)#ntp max-associations 10

ACMERTR(config)#CTRL-Z

ACMERTR#copy running-config startup-config

In the preceding code, we set log timestamps to millisecond precision and to show the local time zone (break-ins rarely respect a single time zone). We then configured two NTP servers for redundancy, established symmetric peer associations with the border router and the switch (ntp peer exchanges time in both directions; a device that should merely take time from this router would point at it with ntp server instead), and set the time zone and daylight saving time rules. To keep the router from being saturated with NTP associations, we capped the number it will maintain. With this in place, your syslog entries carry accurate date and time stamps.

I showed you how to set up NTP on your router. For added security, you should restrict NTP by hardening the router so that an attacker cannot tamper with the time your router receives. Two controls to use are an access list applied with ntp access-group, which limits which hosts may serve time to or query the router, and NTP authentication (ntp authenticate, ntp authentication-key, and ntp trusted-key), which makes the router accept time only from servers that sign their packets with a shared key. You can read about these hardening practices on Cisco's Web site, at www.cisco.com/en/US/docs/ios/12_1/configfun/configuration/guide/fcd303.html#wp1001170.

But what about SNMP monitoring? Sure, we can do that here, but first I'll explain a dirty little secret about SNMP. Tons of routers and switches have their SNMP settings in default mode, and that makes them an easy target. So, let's start by setting up good community strings and applying an ACL to prevent abuse and compromise:

ACMERTR#configure terminal

ACMERTR(config)#snmp-server community F0rens1cs rw 9

ACMERTR(config)#access-list 9 permit <authorized_SNMPstation> log

ACMERTR(config)#access-list 9 permit <authorized_SNMPbackup> log

ACMERTR(config)#access-list 9 deny any

ACMERTR(config)#CTRL-Z

ACMERTR# copy running-config startup-config

If you fail to set up strong community strings for your read/write SNMP access, an attacker can quickly establish how your router is configured and cause further mayhem. You may not be thrilled with someone issuing an SNMP set to turn off your ACLs and otherwise reconfigure your router. Keep in mind that in SNMPv1 and v2c the community string is the only credential and it travels in cleartext, so anyone who can sniff an SNMP exchange learns it; the access list limits which source addresses may use the string but does not protect it on the wire. Where the platform supports it, prefer SNMPv3 with authentication and privacy, and configure a read-write community only if something actually needs to write. For some good reading courtesy of SecurityFocus, follow the link to the article on SNMP attacks: www.securityfocus.com/infocus/1847.

Now we're ready to apply the concepts of defense and minimization to the router to protect it. We will apply some defensive statements to prevent the router from either responding to a particularly dangerous set of circumstances, such as source routing, or participating in making problems worse. We will also shut off unnecessary services. Look through the following list and see which services you recognize. In this configuration our Serial 0/0 Interface is connected to the Internet.

ACMERTR#configure terminal

ACMERTR(config)#interface serial0/0

ACMERTR(config-if)#no ip redirects

ACMERTR(config-if)#no ip directed-broadcast

ACMERTR(config-if)#no ip mask-reply

ACMERTR(config-if)#no ip unreachables

ACMERTR(config-if)#no ip proxy-arp

ACMERTR(config-if)#exit

ACMERTR(config)#no ip source-route

ACMERTR(config)#no service tcp-small-servers

ACMERTR(config)#no service udp-small-servers

ACMERTR(config)#no service finger

ACMERTR(config)#no ip finger

ACMERTR(config)#no ip bootp server

ACMERTR(config)#no ip name-server

ACMERTR(config)#no ip domain-lookup

ACMERTR(config)#no service config

ACMERTR(config)#no boot network

ACMERTR(config)#no service pad

ACMERTR(config)#CTRL-Z

ACMERTR# copy running-config startup-config

Who would ever imagine that this many services and protocols are running on routers? This just shows you how many different items are enabled by default and should be limited. We addressed some of the things that can be broadcast out of a chatty serial interface as well as services that run in the background. Next up is a brief tour of ACLs and what you should expect to see for a router to be considered defendable at a very basic level.
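As an added Python example (not code from either chapter), the following audit reads an IOS running-config and checks the items the EIGRP authentication exercise (Exercise 8.3) and this hardening section configure: that every interface which binds an EIGRP key chain also sets MD5 mode, that the chain exists and its key-string is of reasonable length, that each global service listed above is explicitly disabled, that the Internet-facing interface carries the five interface-level no commands, and that read-write SNMP communities are tied to an access list. The sample configuration is constructed for the example and deliberately contains mistakes; the 16-character minimum key length and the treatment of "not explicitly disabled" as a finding are the example's own choices, since IOS omits default settings from the running configuration.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample running-config (not from the page): Exercise 8.3's EIGRP
# authentication on FastEthernet0/0 plus deliberate mistakes elsewhere.
SAMPLE_CONFIG = """\
service tcp-small-servers
no service pad
!
key chain ourkey1
 key 1
  key-string 1234567890
!
interface FastEthernet0/0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 ourkey1
!
interface FastEthernet0/1
 ip authentication key-chain eigrp 100 missingchain
!
interface Serial0/0
 no ip redirects
 no ip proxy-arp
!
snmp-server community F0rens1cs rw
snmp-server community public ro 9
"""

# Global services the chapter turns off. IOS omits default settings from the
# running-config, so the audit conservatively demands an explicit "no ..." line.
GLOBAL_SERVICES = ["ip source-route", "service tcp-small-servers", "service udp-small-servers",
                   "service finger", "ip bootp server", "service config", "boot network",
                   "service pad", "ip domain-lookup"]
# Interface settings the chapter turns off on the Internet-facing interface.
EDGE_NO = ["ip redirects", "ip directed-broadcast", "ip mask-reply", "ip unreachables", "ip proxy-arp"]
MIN_KEY_LEN = 16                      # the example's own threshold, not an IOS rule
DEFAULT_COMMUNITIES = {"public", "private"}


def parse_sections(config: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS config into (top-level command, indented sub-commands)."""
    sections: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.rstrip(), []))
    return sections


def audit(config: str, edge_interfaces: Set[str]) -> List[str]:
    """Return one finding per problem; an empty list means every check passed."""
    findings: List[str] = []
    sections = parse_sections(config)
    top = {hdr for hdr, _ in sections}

    # key-chain name -> key-strings ("key-string [0|7] value"; type 7 is reversible)
    chains: Dict[str, List[str]] = {}
    for hdr, body in sections:
        if hdr.startswith("key chain "):
            toks = [ln.split() for ln in body if ln.startswith("key-string ")]
            chains[hdr.split()[2]] = [t[2] if t[1] in ("0", "7") and len(t) > 2 else t[1] for t in toks]

    for svc in GLOBAL_SERVICES:
        if svc in top:
            findings.append(f"global: {svc} explicitly enabled")
        elif f"no {svc}" not in top:
            findings.append(f"global: {svc} not explicitly disabled")

    for hdr, body in sections:
        if not hdr.startswith("interface "):
            continue
        name = hdr.split(None, 1)[1]
        modes, bound = {}, {}         # EIGRP AS -> auth mode / key-chain name
        for line in body:
            m = re.fullmatch(r"ip authentication (mode|key-chain) eigrp (\d+) (\S+)", line)
            if m:
                (modes if m[1] == "mode" else bound)[m[2]] = m[3]
        for asn in sorted(set(modes) | set(bound)):
            if asn not in modes:
                findings.append(f"{name}: EIGRP {asn} key-chain bound but no authentication mode "
                                "(packets are sent unauthenticated)")
            if asn not in bound:
                findings.append(f"{name}: EIGRP {asn} md5 mode set but no key-chain bound")
            elif bound[asn] not in chains:
                findings.append(f"{name}: key chain '{bound[asn]}' referenced but never defined")
            else:
                findings += [f"{name}: key chain '{bound[asn]}' has a short key-string ({len(s)} chars)"
                             for s in chains[bound[asn]] if len(s) < MIN_KEY_LEN]
        if name in edge_interfaces:
            findings += [f"{name}: edge interface missing 'no {s}'" for s in EDGE_NO if f"no {s}" not in body]

    for hdr in sorted(top):
        m = re.fullmatch(r"snmp-server community (\S+)(?: view \S+)? (ro|rw)(?: (\S+))?", hdr)
        if m and m[1].lower() in DEFAULT_COMMUNITIES:
            findings.append(f"snmp: default community '{m[1]}' in use")
        if m and m[2] == "rw" and m[3] is None:
            findings.append(f"snmp: read-write community '{m[1]}' has no access-list")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG, edge_interfaces={"Serial0/0"})))
```

Run against a real device, feed it the output of show running-config and name the Internet-facing interfaces in edge_interfaces; the sample produces sixteen findings, including the undefined key chain on FastEthernet0/1 and the read-write community with no access list.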

URL: https://www.sciencedirect.com/science/article/pii/B9781597494182000065

Cisco Firewall/IDS IOS

In Cisco Security Professional's Guide to Secure Intrusion Detection Systems, 2003

Disabling Signatures Globally

All signatures available in IOS are enabled by default when IDS is configured on a router. A number of these signatures are application- or operating system-specific, and might not pose a threat to your network, yet the alarms they raise keep your Operations Department busy. You might for instance have no UNIX-based servers in your network, yet alarms keep getting triggered for the mountd Portmap Request signature and fill up your management GUI. In such cases, you want to disable that signature, and by doing so lower the administrative burden that results from these false positives.

We disable the mountd Portmap Request signature and the Majordomo Execute Attack signature by entering the following command in global configuration mode:

aRouter(config)#ip audit signature 6155 disable

aRouter(config)#ip audit signature 3107 disable

When the need arises to track traffic for signature 6155 (Portmap) again, you can enable this signature using the no keyword in front of the ip audit signature command. Doing so may look like you’re disabling the signature, but that’s not the case. It simply enables the signature. Here’s an example:

aRouter(config)#no ip audit signature 6155

URL: https://www.sciencedirect.com/science/article/pii/B9781932266696500318

Cisco Authentication, Authorization, and Accounting Mechanisms

Eric Knipp, ... Edgar DanielyanTechnical Editor, in Managing Cisco Network Security (Second Edition), 2002

Configuring the Authentication Proxy

Finally, to configure the authentication proxy, use the following commands, described in Table 9.20, in global configuration mode:

Table 9.20. Configuring the Authentication Proxy

Command: ip auth-proxy auth-cache-time min
Description: Sets the global authentication proxy idle timeout value in minutes. If the timeout expires, user authentication entries are removed, along with any associated dynamic access lists. Enter a value in the range 1 to 2,147,483,647. The default value is 60 minutes.

Command: ip auth-proxy auth-proxy-banner
Description: (Optional) Displays the name of the firewall router in the authentication proxy login page. The banner is disabled by default.

Command: ip auth-proxy name auth-proxy-name http [auth-cache-time min] [list std-access-list]
Description: Creates authentication proxy rules. These rules define how you apply the authentication proxy. This command associates connection-initiating HTTP traffic with an authentication proxy name. You can associate the named rule with an access control list, providing control over which hosts use the authentication proxy feature. If no standard access list is defined, the named authentication proxy rule intercepts HTTP traffic from all hosts whose connection-initiating packets are received at the configured interface.
  auth-proxy-name: name of the authentication proxy.
  auth-cache-time (optional): keyword to override the global authentication proxy cache timer, giving finer control over timeout values. If no value is specified, the rule uses the value set with the ip auth-proxy auth-cache-time command.
  list (optional): keyword to specify the standard access list to apply to a named authentication proxy rule. HTTP connections initiated from hosts defined in the access list are intercepted by the authentication proxy.
  std-access-list: the standard access list to use with the list keyword.

Command: interface type
Description: Enter interface configuration mode by specifying the interface type on which to apply the proxy. For example, interface Ethernet0.

Command: ip auth-proxy auth-proxy-name
Description: In interface configuration mode, apply the named authentication proxy rule at the interface. This command enables the authentication proxy with that name.

1.

Set the global authentication proxy idle timeout value in minutes.

ip auth-proxy auth-cache-time min

2.

(Optional) Display the name of the firewall router in the authentication proxy login page. The banner is disabled by default.

ip auth-proxy auth-proxy-banner

3.

Create authentication proxy rules.

ip auth-proxy name auth-proxy-name http [auth-cache-time min] [list std-access-list]

4.

Enter interface configuration mode by specifying the interface type on which to apply the authentication proxy.

interface type

5.

In interface configuration mode, apply the named authentication proxy rule at the interface.

ip auth-proxy auth-proxy-name

URL: https://www.sciencedirect.com/science/article/pii/B9781931836562500131

VLAN Trunking Protocol

Dale Liu, ... Luigi DiGrande, in Cisco CCNA/CCENT Exam 640-802, 640-822, 640-816 Preparation Kit, 2009

Creating a Management Domain

To set up a VTP hierarchy in your infrastructure, you must first create a management domain. The domain hierarchy that will be set up to support our server and clients will allow you to use VTP to replicate the VLAN information. To set up the VTP domain, use the vtp domain command. As shown in Figure 14.7, the switch is configured for the VTP domain corporate. Because any switch in the same domain with a higher configuration revision number can overwrite the VLAN database on every other switch, also set a VTP password (vtp password) on all switches in the domain before connecting a new switch to it.

FIGURE 14.7. Configuring the VTP Domain Corporate (screen capture; image not reproduced here)

EXERCISE 14.1

Setting VTP Domain, Mode, and Version

1.

From User Exec mode, type the command enable.

2.

From Privileged Exec mode, type the command configure terminal.

3.

From Global Configuration mode, type the command vtp domain corporate, which will create the corporate domain.

4.

From Global Configuration mode, type the command vtp mode server, which will set the mode to server.

5.

From Global Configuration mode, type the command vtp version 1, which will set the version to version 1.

URL: https://www.sciencedirect.com/science/article/pii/B978159749306200018X

VLANs

Dale Liu, ... Luigi DiGrande, in Cisco CCNA/CCENT Exam 640-802, 640-822, 640-816 Preparation Kit, 2009

Setting the VLAN IP Address

Setting the VLAN IP address is just as simple on a Cisco switch. If you have mastered assigning IP addresses to routers, the process is similar. As illustrated later, you enter Global Configuration mode by typing configure terminal, then access the specific VLAN interface by typing interface vlan followed by the VLAN number. To assign the address, the syntax is ip address 10.1.1.1 255.0.0.0 if you wanted to set the address to 10.1.1.1/8. As shown in Figure 13.2, you could set the IP address for VLAN 2.

FIGURE 13.2. Setting the IP Address for VLAN2 to 10.1.1.1 (screen capture; image not reproduced here)

Test Day Tip

Make sure you understand how to access the VLAN configuration information and set the IP address for each VLAN.

EXERCISE 13.1

Creating and Verifying VLANs

In this exercise, you will create three VLANs on your Cisco switch.

1.

Type ENABLE to access privileged exec mode.

2.

Type CONFIGURE TERMINAL to access global configuration mode.

3.

Type VLAN 2 to create VLAN 2 and access VLAN configuration mode.

4.

Type NAME HR to name this VLAN HR.

5.

Type VLAN 3 to create VLAN 3.

6.

Type NAME PRODUCTION to name this VLAN Production.

7.

Type VLAN 4 to create VLAN 4.

8.

Type NAME SALES to name it Sales.

9.

Type Ctrl-Z to return to privileged exec mode.

10.

Type SHOW VLAN BRIEF to verify VLAN creation.

URL: https://www.sciencedirect.com/science/article/pii/B9781597493062000178

Auditing Cisco Routers and Switches

Craig Wright, in The IT Regulatory and Standards Compliance Handbook, 2008

Functions of a Router, Its Architectures, and Components

Routers, switches, and transmission equipment form the backbone of the Internet, yet most auditors do not understand how they work and how they fit into the bigger picture of security and functionality.

A router is designed to transmit packets between different networks. In addition, a router can also act as a control point, filtering unwanted protocols, networks, and other security concerns. Routers also act as a gateway between local and wide area networks. Routers are often used as relays for network attacks. Privileged access to the router may be used to reconfigure it or cause a Denial of Service (DoS) attack. Controlling interactive logons to the router helps prevent these and other conditions from occurring.

Modes of Operation

The auditor should be familiar with the variety of privilege modes on the router. By looking at the current router prompt, it is possible to determine the current privilege level. Listed below are the prime modes of operation for a Cisco device:

Nonprivileged mode: router>

Privileged mode: router#

Global configuration mode: router(config)#

Interface configuration mode: router(config-if)#

ACL configuration mode: router(config-ext-nacl)#

Boot loader mode: router(boot)

Remote connectivity config mode: router(config-line)#

The difference between these operational modes is linked to what the router will allow. For instance, in non-privileged mode it may be possible to view selected settings but it is not possible to change any. Cisco Routers allow the configuration of numerous settings based on a privilege level. There are more than the standard non-privileged and privileged operational levels that are commonly deployed and the auditor should become familiar with these.

It is unlikely that everyone who accesses a router will require the same level of access. Through the careful use of privilege levels, a site can limit the commands users can run on routers. Privilege levels can be difficult, but practice will quickly give any auditor full knowledge of how to read the privilege configuration of a router. Visit www.cisco.com/univercd for documentation on configuring privilege levels.

Configuration Files and States

The auditor needs to understand a number of configuration files and states.

When the router boots, or initially starts up, it will load the startup-config. This is the initial configuration controlling the system by default. The configuration that is loaded at boot time may not be the same as the policy and configuration that is actually running and used by the router. Consequently, it is essential to never trust the default policy and configuration alone. To check this it is necessary to view both the running-config and the startup-config.

The running-config may or may not be the same as the startup-config. The running-config is, however, the actual configuration being used by the router, as all changes made while the router is running are applied to the running-config. This can be useful, since changes are not written to the startup-config by default: if an administrator creates a bad policy and gets locked out of the router, a simple reboot will restore the previous configuration.

To view the configuration that is loaded at boot time, the following command would be issued:

<Site_Router># show startup-config

Notice that the router is in privileged mode. <Site_Router> is the host name of the router that has been set. To then view the actual configuration of the router the auditor would issue the command:

<Site_Router># show running-config

It is important to check whether the startup and running configurations are the same. There are a variety of methods to do this, and it may be simple enough on small configurations to do this manually. On more complex configurations running a command such as diff may be useful to point out the differences in the configurations.

Remember: Work with the network team. The auditor's role is not to take over a system nor to run it. The best results come from working in concert. Let the network administrator log onto the router, and you will never have to ask for the administrator's password. This both builds trust and means that the auditor will not be blamed for unforeseen changes to the router configuration.
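One way to do the startup-config versus running-config comparison mentioned above, as an added Python example (not from the chapter): it strips the header lines IOS changes on every display (the byte counts and the last-change banner) so that only real configuration differences remain. The two configurations are constructed for illustration; the volatile-line patterns are ones IOS prints at the top of show startup-config and show running-config.

```python
import difflib
import re
from typing import List

# Header lines that differ between "show startup-config" and "show running-config"
# even when the configuration is identical, plus the NTP drift value IOS rewrites
# on its own. Extend the pattern for your platform if it prints other headers.
VOLATILE = re.compile(
    r"^(Building configuration|Current configuration\s*:|Using \d+ out of \d+ bytes"
    r"|! Last configuration change at|! NVRAM config last updated at"
    r"|! No configuration change since last restart|ntp clock-period )"
)

# Constructed for the example (not a real capture): the saved configuration ...
STARTUP_CONFIG = """\
Using 812 out of 262136 bytes
!
! Last configuration change at 10:12:03 PST Mon Jan 5 2009
!
hostname ACMERTR
!
no ip source-route
!
snmp-server community F0rens1cs rw 9
access-list 9 permit 203.0.113.10 log
access-list 9 deny any
!
end
"""

# ... and the configuration actually running, where someone has re-enabled
# source routing and widened the SNMP access list without saving to NVRAM.
RUNNING_CONFIG = """\
Building configuration...

Current configuration : 860 bytes
!
! Last configuration change at 23:41:55 PST Mon Jan 5 2009
!
hostname ACMERTR
!
snmp-server community F0rens1cs rw 9
access-list 9 permit 203.0.113.10 log
access-list 9 permit 203.0.113.99 log
access-list 9 deny any
!
end
"""


def normalize(config: str) -> List[str]:
    """Drop blank lines, bare '!' separators and the volatile header lines."""
    lines = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if line and line != "!" and not VOLATILE.match(line):
            lines.append(line)
    return lines


def config_diff(startup: str, running: str) -> List[str]:
    """Lines present in only one configuration: '-' = startup only, '+' = running only."""
    diff = difflib.unified_diff(normalize(startup), normalize(running),
                                fromfile="startup-config", tofile="running-config",
                                lineterm="", n=0)
    return [l for l in diff if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


if __name__ == "__main__":
    for line in config_diff(STARTUP_CONFIG, RUNNING_CONFIG):
        print(line)
```

An empty result means the saved and running configurations agree; anything else is an unsaved change that the auditor should have explained, since it will vanish at the next reboot and is a classic place for a tampering artifact to hide.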

URL: https://www.sciencedirect.com/science/article/pii/B9781597492669000102

What does a router prompt look like when in privileged mode?

Once in Privileged EXEC Mode, you will notice the prompt changes from ">" to "#". Privileged EXEC mode is entered with the enable command and is where you view the full configuration and run show and debug commands. It is not the same as Global Configuration Mode, which you enter from it with configure terminal and which is used to configure the router, enable interfaces, set up security, define dialup interfaces, and so on; its prompt is "(config)#".

Which of the following prompts indicates your router is in global configuration mode?

In order to move to privileged EXEC mode, you use the enable command from user EXEC mode. Global configuration mode is identified by (config)# in the prompt.

Which of the following prompts indicates that you are in EXEC mode?

The "#" (as in Switch#) indicates you are in privileged EXEC mode, while ">" indicates user EXEC mode. The "#" in "Switch(config)#" shows that global configuration mode is reached only from privileged EXEC mode.