Configuring Security on Routers
Today's work is to configure security options in an internetwork. So far we have not concentrated on security but on the operation of the various technologies. Today we will tidy up the given internetwork and then apply security so that the network is better protected against attackers.
Items to enhance security
The internetwork we shall be working with is operational but is missing
some essential security items. OSPF is the routing protocol but there
has been an issue with hackers attempting to inject routing
information. To address this issue it has been decided to add
authentication to the OSPF updates.
OSPF has two methods of authentication, simple (plaintext) and cryptographic. The simple method is of little value against a determined attacker: the password is carried in plaintext in every OSPF packet, so anyone who can sniff the link can read it and then inject their own "authenticated" updates. It prevents accidental adjacencies, nothing more.
The cryptographic method uses Message Digest (MD5) authentication. A key (password) and a key-id are configured on each router. The router computes an MD5 digest over the OSPF packet (whose header carries the key-id and a sequence number) together with the key, and appends the digest to the packet. Unlike simple authentication, the key itself is never sent over the wire: a receiver must hold the same key under the same key-id to reproduce the digest, and a packet that has been altered in transit, or forged without the key, fails the check. A non-decreasing sequence number in each packet protects against replay of captured packets. MD5 is the only cryptographic option on older IOS releases; newer releases also support HMAC-SHA authentication through key chains (RFC 5709), which should be preferred where available.
This method also allows an uninterrupted transition between keys, which is useful when the OSPF key must be changed without disrupting adjacencies. When a new key is added to an interface (the old key must be left in place until the change is complete), the router sends multiple copies of each packet, each authenticated with a different key, and stops sending the duplicates once it sees that all of its neighbours have adopted the new key. Following are the commands used for message digest authentication:
ip ospf message-digest-key key-id md5 key (used under the interface)
area area-id authentication message-digest (used under "router ospf <process-id>")
As an example:
interface Ethernet0
 ip address 10.10.10.10 255.255.255.0
 ip ospf message-digest-key 10 md5 mypassword
router ospf 10
 network 10.10.0.0 0.0.255.255 area 0
 area 0 authentication message-digest
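The digest, key-id and sequence number mechanism described above, as an added example in Python (not code from the worksheet or from Cisco IOS): a sender builds MD5-authenticated Hello packets laid out as in RFC 2328 Appendix D (the key, zero-padded to 16 bytes, is hashed after the packet and never transmitted), and a receiver checks the digest against the key configured for the packet's key-id, rejects unknown key-ids, wrong keys and tampered packets, enforces the non-decreasing sequence number, and, holding both keys during a rollover, accepts the copy authenticated with the new key. The router IDs, keys and sequence numbers are constructed, and the Hello body carries fixed example values; real routers derive the sequence number themselves.

```python
import hashlib
import hmac
import struct

# Added example, not from the worksheet or from Cisco: a minimal model of
# OSPFv2 cryptographic (MD5) authentication as described in RFC 2328
# Appendix D. Router IDs, area, keys and sequence numbers are constructed.

OSPF_AU_CRYPTO = 2      # AuType 2 = cryptographic authentication
DIGEST_LEN = 16         # MD5 digest appended after the packet
HDR_LEN = 24            # OSPFv2 header length


def _pad_key(key):
    # IOS md5 keys are at most 16 characters; shorter keys are zero-padded
    # to 16 bytes before being fed to MD5 (RFC 2328 D.4.3).
    return key.encode()[:16].ljust(16, b"\x00")


def ospf_md5_digest(packet, key):
    """Digest = MD5(packet || padded key). The key is hashed, never sent."""
    return hashlib.md5(packet + _pad_key(key)).digest()


def build_hello(router_id, area_id, key_id, key, seq, mask=b"\xff\xff\xff\x00"):
    """Return a Hello packet authenticated with (key_id, key).

    Header: version, type, length, router ID, area ID, checksum (0 for
    cryptographic auth), AuType, then the 8-byte Authentication field laid
    out as reserved(2), Key ID(1), Auth Data Length(1), sequence number(4).
    The Length field does not include the trailing digest.
    """
    # Hello body: mask, HelloInterval 10, options, priority 1, dead 40, DR, BDR
    body = struct.pack("!4sHBBI4s4s", mask, 10, 0x02, 1, 40, b"\0" * 4, b"\0" * 4)
    length = HDR_LEN + len(body)
    header = struct.pack("!BBH4s4sHH", 2, 1, length, router_id, area_id, 0, OSPF_AU_CRYPTO)
    header += struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    packet = header + body
    return packet + ospf_md5_digest(packet, key)


class OspfAuthVerifier:
    """Receiving router: knows every configured key (so an old and a new key
    can coexist during a rollover) and tracks the last sequence number
    accepted from each neighbour."""

    def __init__(self, keys):
        self.keys = dict(keys)      # key_id -> key string
        self.last_seq = {}          # router_id -> last accepted sequence number

    def verify(self, wire):
        """Return (accepted, reason)."""
        if len(wire) < HDR_LEN + DIGEST_LEN:
            return False, "truncated"
        version, _, length, router_id, _, _, au_type = struct.unpack("!BBH4s4sHH", wire[:16])
        _, key_id, auth_len, seq = struct.unpack("!HBBI", wire[16:24])
        if version != 2 or au_type != OSPF_AU_CRYPTO or auth_len != DIGEST_LEN:
            return False, "not MD5 authenticated"
        if len(wire) != length + DIGEST_LEN:
            return False, "length mismatch"
        key = self.keys.get(key_id)
        if key is None:
            return False, "no key configured for key id %d" % key_id
        packet, digest = wire[:length], wire[length:]
        if not hmac.compare_digest(digest, ospf_md5_digest(packet, key)):
            return False, "bad digest"
        # Replay protection: the sequence number must be non-decreasing per
        # neighbour. Equal is allowed (RFC 2328), so a replay of the most
        # recent packet is not caught; only older packets are.
        if seq < self.last_seq.get(router_id, 0):
            return False, "replayed sequence number"
        self.last_seq[router_id] = seq
        return True, "ok"


def demo():
    """Exercise the verifier; returns a dict of outcomes for inspection."""
    rid, area = b"\xc8\x00\x00\x01", b"\x00\x00\x00\x00"     # 200.0.0.1, area 0
    neighbour = OspfAuthVerifier({10: "MYPASSWORD"})
    good = build_hello(rid, area, 10, "MYPASSWORD", 1000)
    tampered = bytearray(good)
    tampered[HDR_LEN + 4] ^= 0x01          # flip a bit in the HelloInterval
    out = {
        "valid": neighbour.verify(good)[0],
        "key_on_wire": b"MYPASSWORD" in good,
        "wrong_key": neighbour.verify(build_hello(rid, area, 10, "guess", 1001))[0],
        "tampered": neighbour.verify(bytes(tampered))[0],
        "new_key_not_yet_configured": neighbour.verify(build_hello(rid, area, 11, "NEWSECRET", 1001))[0],
        "replay_older": neighbour.verify(build_hello(rid, area, 10, "MYPASSWORD", 999))[0],
    }
    neighbour.keys[11] = "NEWSECRET"       # operator adds key 11 on the neighbour
    out["new_key_after_rollover"] = neighbour.verify(build_hello(rid, area, 11, "NEWSECRET", 1002))[0]
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-28s %s" % (name, result))
```

The rollover case shows why the old key must stay configured until every neighbour has the new one: a neighbour that has not yet been given key 11 simply discards the copy authenticated with it and keeps the adjacency up on key 10.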
Message Digest Authentication
This is achieved as a TWO step process.
Firstly, each interface that will NOT participate in the routing updates must be made a passive interface. A passive interface sends no Hellos, so no adjacency can be formed on it and nobody on that LAN can inject routing information, while its subnet is still advertised. Check each router for any interface that is not needed for OSPF routing updates (typically the LAN interfaces) and add the following command under "router ospf <process-id>":
passive-interface FastEthernet0/0
Now you will need to configure OSPF authentication. This is achieved by adding the following commands to each of the serial interfaces on each of the routers:
interface serial 0/0
 ip ospf message-digest-key 10 md5 MYPASSWORD
Note that the variable parts of the commands above (shown in red on the original page) will differ: the serial interface names vary across the internetwork, and the message-digest key-id can be any value from 1 to 255. The key-id and the key must match on both ends of every link, because the receiver uses the key-id in the packet header to select the key with which it recomputes the "message digest"; a mismatch in either means no adjacency. The key alone does nothing until message-digest authentication is enabled for area 0 under "router ospf <process-id>" on every router, as in the example above (area 0 authentication message-digest).
Here, you should choose a suitable password and key-id and keep them the same throughout the internetwork. Afterwards, confirm with "show ip ospf neighbor" that every adjacency is back in the FULL state; a neighbour missing from that list usually has a mismatched key or key-id.
IP Helper-address
A DHCP client has no IP address when it starts, so its initial DHCP discover is a UDP broadcast, and routers do not forward broadcasts. The ip helper-address command makes the router relay these broadcasts as unicasts to the DHCP server, inserting the address of the interface they arrived on as the gateway address so that the server can choose the correct pool. The format of the command is as follows:
Router(config-if)#ip helper-address A.B.C.D (IP address of the DHCP server)
You will need to apply this command to the Ethernet interface of the LAN on the Madrid router, the interface on which the clients' broadcasts arrive. This will allow the initial DHCP broadcast to be forwarded to the DHCP server on the Zurich LAN. Be aware that the helper address does not relay DHCP alone: by default IOS forwards broadcasts for several UDP services (TFTP 69, DNS 53, time 37, NetBIOS 137 and 138, BOOTP/DHCP 67 and 68, TACACS 49). If only DHCP is wanted, the others can be switched off with "no ip forward-protocol udp <port>".
Backup Links
OSPF works out the cost of an interface from a reference bandwidth of 10^8 bps (100 Mbps): cost = 10^8 / interface bandwidth, so a 100 Mbps link has cost 1 and a T1 (1544 kbps) link has cost 64. The interface bandwidth used here is the value the interface reports, not the speed the line actually runs at: a Cisco serial interface reports 1544 kbps unless told otherwise, whatever clock rate has been set.
The network is partially meshed to increase reliability, however the internal serial links, as shown in the PT file, are 56 kbps. Left at the default they would receive the same cost as the higher bandwidth serial links and OSPF would route over them. To allow OSPF to take note of the lower bandwidth, you will need to use the bandwidth command on each of the 56 kbps serial interfaces (at both ends of each link) to inform OSPF that these are low bandwidth links. The command is of the format:
Router(config)#interface s0/2
Router(config-if)#bandwidth 56 (where the bandwidth is expressed in kbps)
The bandwidth command changes only what the router reports, and so the OSPF cost (here 10^8 / 56000 = 1785); it does not change the clock rate. Once this is changed, OSPF will change its routing decisions accordingly and will only use the backup links when the higher bandwidth links become unavailable. "show ip ospf interface" displays the cost actually in use on each interface.
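How the cost follows the reported bandwidth, and why the 56 kbps links have to be told about, as an added example in Python (not from the worksheet): a constructed three-router topology (the names Madrid, Paris and Berlin are borrowed from the lab, but this is not the Packet Tracer file's topology) in which the direct Madrid to Berlin link is a 56 kbps backup and the two-hop path via Paris runs over T1 links. With every serial interface left at the default of 1544 kbps all links cost 64, so OSPF's shortest-path calculation (Dijkstra, implemented here) chooses the one-hop backup; once bandwidth 56 is configured the direct link costs 1785 and the path moves via Paris, returning to the backup only when that path fails.

```python
import heapq

# Added example, not from the worksheet: how OSPF cost follows the bandwidth an
# interface reports, and what that does to path selection. The three-router
# topology, link speeds and router names below are constructed for illustration.

REF_BW_KBPS = 100_000        # OSPF reference bandwidth: 10^8 bps = 100 Mbps
SERIAL_DEFAULT_KBPS = 1544   # what an IOS serial interface reports without `bandwidth`


def ospf_cost(bandwidth_kbps, ref_bw_kbps=REF_BW_KBPS):
    """cost = reference bandwidth / interface bandwidth, truncated, minimum 1."""
    return max(1, ref_bw_kbps // bandwidth_kbps)


def shortest_path(links, src, dst):
    """Dijkstra over undirected links {(a, b): cost}; returns (cost, path) or
    (None, []) when dst is unreachable."""
    adj = {}
    for (a, b), cost in links.items():
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue                     # stale heap entry
        if node == dst:
            break
        for nxt, cost in adj.get(node, []):
            if d + cost < dist.get(nxt, float("inf")):
                dist[nxt], prev[nxt] = d + cost, node
                heapq.heappush(heap, (d + cost, nxt))
    if dst not in dist:
        return None, []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


# Real line speeds in kbps. Madrid-Berlin is the 56 kbps backup; the path via
# Paris uses two T1 links.
LINE_SPEED = {("Madrid", "Berlin"): 56,
              ("Madrid", "Paris"): 1544,
              ("Paris", "Berlin"): 1544}


def link_costs(line_speed, bandwidth_configured):
    """Cost of each link as OSPF sees it. Without the `bandwidth` command a
    serial interface reports 1544 kbps no matter what its clock rate is."""
    return {link: ospf_cost(kbps if bandwidth_configured else SERIAL_DEFAULT_KBPS)
            for link, kbps in line_speed.items()}


def madrid_to_berlin(bandwidth_configured, failed=()):
    """Path OSPF picks from Madrid to Berlin, optionally with some links down."""
    links = {link: cost for link, cost in link_costs(LINE_SPEED, bandwidth_configured).items()
             if link not in failed}
    return shortest_path(links, "Madrid", "Berlin")


if __name__ == "__main__":
    print("default bandwidth: ", madrid_to_berlin(False))
    print("bandwidth 56 set:  ", madrid_to_berlin(True))
    print("Paris-Berlin down: ", madrid_to_berlin(True, failed={("Paris", "Berlin")}))
```

The first case is the trap the bandwidth command avoids: with equal costs the one-hop 56 kbps link wins on cost alone, and it only loses once its reported bandwidth, and therefore its cost, reflects the real line speed.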
Router ID and Loopback addresses
OSPF uses the highest IP address configured on an active interface as its router ID. If the interface associated with this IP address is ever brought down, or the address is removed, the OSPF process has to elect a new router ID and re-originate all of its routing information under the new ID, which disturbs every other router in the area.
If a loopback interface is configured with an IP address, the Cisco IOS software will use this IP address as its router ID, even if other interfaces have higher IP addresses. Since a loopback interface never goes down unless it is shut down administratively, greater stability of the router ID, and so of the routing table, is achieved.
OSPF automatically prefers a loopback interface over any other kind, and it chooses the highest IP address among all loopback interfaces. If no loopback interface is present, the highest IP address on an active physical interface is chosen. The choice cannot be tied to a particular interface, but the router ID can be set explicitly with "router-id A.B.C.D" under "router ospf <process-id>"; this takes precedence over any interface address and takes effect once the process is restarted with "clear ip ospf process". Either way, keep the router IDs unique across the internetwork: two routers with the same ID will not form an adjacency and their LSAs collide.
To configure an IP address on a loopback interface, use the following commands, starting in global configuration mode:
Router(config)#interface loopback 0
Router(config-if)#ip address 200.0.0.1 255.255.255.255
Note the use of the single host subnet mask here.
Download and read Cisco's OSPF configuration guide.
Practical Work
Download the Packet
Tracer file. This file has 6 routers and 4 LANs. The routers
are already configured to route using OSPF.
IMPORTANT
Take a copy of all routing tables BEFORE you begin as you will need to
refer back to these later.
Scenario and Practical Work
The company wants to implement Message Digest
authentication across the internetwork to increase security.
They have decided to add a DNS and a DHCP server to the Zurich
LAN. You will need to configure the DHCP parameters to match those
required by the Madrid LAN clients. There will only be 155 clients
(maximum) on the Madrid LAN. Make sure that your DHCP settings reflect
this.
The company also has an HTTP server based on the Berlin LAN.
This server is to be known as http://www.webserver.com. To allow this
server to be reached using the domain name, you will need to set up the
DNS server which is also based on the Zurich LAN.
The routers do not have enable passwords, nor do they have passwords for the TELNET or console interfaces. You will need to set these up. Use an encrypted password of class for the enable password on all routers in the internetwork (use enable secret, which stores a one-way hash, rather than enable password, which service password-encryption only obfuscates reversibly) and cisco for all TELNET and console ports. Bear in mind that TELNET sends these passwords in cleartext; on real equipment the VTY lines should accept SSH only.
PC1 has a static address so that you can test connectivity, but
eventually this must be changed so that it can receive a dynamic set of
IP information from the DHCP server. You will also need to setup the
other PCs on this LAN to accept DHCP information.
Adjust the reported bandwidth on the low data-rate serial links so that OSPF uses only the higher bandwidth links while they are available.
Ensure that all routers have unique hostnames as shown in the
PT file you downloaded.
Make sure all interfaces have a suitable description.
Make sure all routers have a suitable loopback address to
increase the stability of OSPF.
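Why the enable password in the scenario above must be an enable secret, as an added example in Python (not from the worksheet): the type 7 encoding produced by service password-encryption for enable password and line passwords is a fixed-key XOR, so anyone who can read a saved or backed-up configuration (for instance on the TFTP server in the further work) recovers the passwords outright. The configuration text is constructed; the type 7 strings in it were produced with the encoder in the same block.

```python
import re

# Added example, not from the worksheet: Cisco "type 7" passwords, which
# `service password-encryption` produces for `enable password` and line
# passwords, are a fixed-key XOR and can be reversed by anyone who can read
# the configuration. The configuration text below is constructed.

# Fixed key used by IOS for type 7 obfuscation.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded):
    """First two digits are the starting offset into the key; each following
    pair of hex digits is one password byte XORed with the next key byte."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(data)).decode()


def type7_encode(plain, seed):
    """Inverse of type7_decode; IOS picks the seed (0-15) itself."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    body = "".join("%02X" % (c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])
                   for i, c in enumerate(plain.encode()))
    return "%02d%s" % (seed, body)


TYPE7_LINE = re.compile(r"^\s*(?:enable )?password 7 ([0-9A-Fa-f]+)\s*$", re.M)


def reveal_type7(config_text):
    """Return the plaintext of every type 7 password found in a configuration,
    in the order the lines appear; this is the audit check to run on any
    configuration before it is stored or shared."""
    return [type7_decode(enc) for enc in TYPE7_LINE.findall(config_text)]


# Constructed running-config excerpt: `enable password` with
# `service password-encryption` (type 7) instead of `enable secret`.
CONFIG = """\
service password-encryption
hostname Madrid
enable password 7 094F42080A16
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 password 7 02050D480809
 login
"""

if __name__ == "__main__":
    print(reveal_type7(CONFIG))
```

An enable secret, by contrast, is stored as a salted one-way hash (type 5 MD5 on older IOS, type 8 PBKDF2-SHA256 or type 9 scrypt on newer releases), so reading the configuration gives an attacker a hash to crack rather than the password itself. Line passwords have no hashed form, which is one more reason to authenticate VTY access against local user accounts or a AAA server rather than a shared line password.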
Testing
Make notes in your log books to answer the following questions.
Make sure that all PCs on the Madrid LAN can receive IP
information via the DHCP server.
Make a note of their IP parameters.
Be sure that all PCs can reach http://www.webserver.com
and read the webpage.
Compare the routing tables in your finished network against the
routing tables before you made the changes.
What differences are there?
Use tracert to prove that the higher bandwidth links are actually being used.
Turn off some of the higher bandwidth serial links to ensure that the backup 56 kbps links are used when they are needed. Use tracert to show this.
Save your Packet Tracer file when you have finished.
Further work (optional)
Add a PC to connect to the Rome router using a console cable.
Try to establish a TELNET session to the Paris router from within the
console connection.
Try changing the authentication key to determine whether there
is truly uninterrupted transition between keys.
Add a serial link between Paris and Rome with a
bandwidth of 4Mbps. Show whether the routing pattern has changed.
Add a TFTP server and save all of your configurations to that
server.
References
http://relcom.net/CURS/OSPF/2.html
10/03/09