SNMP: Make sure an access-list is used to limit the machines that are allowed to access the router. For example, see the following commands:
Set the access-list to permit only the IPs that are allowed to access the router.
access-list 28 permit 192.168.1.1
access-list 29 permit 192.168.1.2
The commands below set the community string, which works like a password, and bind it to access-lists 28 and 29. Choose a long, random community string to resist brute-force and dictionary attacks, and keep in mind that an RW community grants write access to the device, so prefer RO unless write access is genuinely required.
snmp-server community cisco1 RW 28
snmp-server community cisco2 RO 29
The commands below allow the router to send traps to the SNMP manager machines:
snmp-server host 192.168.1.1 cisco1 snmp
snmp-server host 192.168.1.2 cisco2 snmp
So by using the access-list command, only the allowed hosts are able to perform the necessary tasks.
RIP: RIPv1 does not support any authentication; it sends routing updates in plain text. RIPv2 supports both plain-text and md5 authentication. When auditing an IOS config file, check for the following keywords:
key chain cisco
ip rip authentication key-chain cisco
ip rip authentication mode md5
To enable routing protocol authentication, the key chain command identifies a group of authentication keys, the key command identifies an authentication key within that key chain, and the key-string command specifies the authentication string for a key. In addition, make sure that the command ip rip authentication mode md5 is present for RIP updates; without it, a configured key chain is still used with plain-text authentication.
EIGRP: The same goes for EIGRP. The commands to check for EIGRP are similar to those for RIP, as shown below:
key chain cisco
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 cisco
Please note that the command ip authentication mode eigrp 10 md5 differs from RIP's ip rip authentication mode md5. The "eigrp 10" is interpreted as eigrp
OSPF: OSPF supports both plain-text and md5 authentication. You can choose either method depending on your preference. Some routers might not support md5 authentication, which leaves you no choice but to use plain-text authentication. Otherwise, deploy md5 authentication, which is 100 times more secure. Check for the commands below to see if the router is using any authentication.
For plain-text authentication:
ip ospf authentication-key cisco
area 0 authentication
For md5 authentication:
ip ospf message-digest-key 40 md5 cisco
area 0 authentication message-digest
Please note that the key-id (40 in this example) lets more than one key be configured at a time, which allows passwords to be changed without having to disable authentication.
So the above is a quick checklist for authentication on routing protocols. If you get a chance to audit a router config file, a glance will tell you how good the network administrator is.
To learn more about these commands and their meaning, refer to http://cco.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017d029.html
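As an added example (not from the original article), the Python script below applies the checklist above to a constructed IOS config fragment: it flags SNMP communities that have no usable access-list or that are RW, RIP and EIGRP interfaces whose key-chain is not paired with mode md5, and OSPF plain-text authentication. The command syntax it matches is the one shown on this page; the interface names and the sample config are constructed for the example.

```python
import re
# Constructed sample IOS config (not from a real device): one compliant RIP interface plus the weak patterns the page tells you to look for.
SAMPLE_CONFIG = """\
access-list 28 permit 192.168.1.1
snmp-server community cisco1 RW 28
snmp-server community public RO
key chain cisco
interface FastEthernet0/0
 ip rip authentication key-chain cisco
 ip rip authentication mode md5
interface FastEthernet0/1
 ip rip authentication key-chain cisco
interface Serial0/0
 ip authentication key-chain eigrp 10 cisco
 ip ospf authentication-key cisco
router ospf 1
 area 0 authentication
"""

def audit_ios_config(config: str) -> list:
    """Return finding strings for the SNMP, RIP, EIGRP and OSPF checks described above."""
    findings, blocks, cur = [], {}, None
    acls = set(re.findall(r"^access-list (\d+) ", config, re.M))  # ACL numbers defined
    for ln in config.splitlines():
        if not ln.startswith(" "):  # top-level command; starts a new config block
            cur = ln.split()[1] if ln.startswith("interface ") else None
            m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\d+))?$", ln)
            if m:
                name, mode, acl = m.groups()
                if acl is None or acl not in acls:
                    findings.append(f"SNMP community {name}: no usable access-list")
                if mode == "RW":
                    findings.append(f"SNMP community {name}: read-write access")
        elif cur:  # indented line inside an interface block
            blocks.setdefault(cur, []).append(ln.strip())
        elif re.match(r" area \S+ authentication$", ln):  # no 'message-digest' suffix
            findings.append(f"OSPF '{ln.strip()}': plain-text authentication")
    for name, cmds in blocks.items():
        rip = [c for c in cmds if c.startswith("ip rip authentication key-chain ")]
        if rip and "ip rip authentication mode md5" not in cmds:
            findings.append(f"{name}: RIP key-chain without 'mode md5' (plain text)")
        for c in cmds:
            if c.startswith("ip authentication key-chain eigrp "):
                asn = c.split()[4]  # autonomous-system number, e.g. the page's 'eigrp 10'
                if f"ip authentication mode eigrp {asn} md5" not in cmds:
                    findings.append(f"{name}: EIGRP {asn} key-chain without 'mode md5'")
            if c.startswith("ip ospf authentication-key "):
                findings.append(f"{name}: OSPF plain-text authentication-key")
    return findings
```

Run audit_ios_config on the text of "show running-config" to get one finding per weak setting; an empty list means none of the checks on this page fired.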