Sunday, April 8, 2007

Verifying authentication mechanisms used in routing protocols

Way back in my previous post, I had given a list of auditing commands to follow when auditing Cisco routers. Now it is time to verify whether the protocols themselves use an authentication mechanism to defeat most of the attacks against them. Often, after a penetration test, if you find the telnet port open you would suggest that the client use SSH instead of telnet. This is fine, because migrating between those two protocols is easy. What if the SNMP port is open? Do you tell the client to disable it because it is vulnerable to attacks, or do you suggest upgrading to the latest version? What about compatibility and interoperability issues between SNMPv2 and SNMPv3? What if the client needs this protocol for monitoring? Well, I guess there is always a solution to everything. I will show you the steps you can perform to ensure that the "vulnerable" protocol is at least safe from 70% of the attacks.

SNMP: Make sure an access-list is used to limit the machines that are allowed to access the router. For example, see the following commands:

Set the access-list to permit only the IPs that are allowed to access the router.

access-list 28 permit 192.168.1.1
access-list 29 permit 192.168.1.2


The commands below set the community strings, which act like passwords, and bind them to access-list 28 and 29 respectively. Of course, you should choose very strong community strings to resist brute-force or dictionary attacks.

snmp-server community cisco1 RW 28
snmp-server community cisco2 RO 29


The commands below allow the router to send traps to the SNMP manager machines:

snmp-server host 192.168.1.1 cisco1 snmp
snmp-server host 192.168.1.2 cisco2 snmp


So by using the access-list command, only the allowed hosts are able to perform the necessary tasks.

RIP: RIPv1 does not support any authentication at all; its updates are sent in plain text. RIPv2, however, supports both plain-text and MD5 authentication. When auditing an IOS config file, check for the following keywords:

key chain cisco
 key 1
  key-string rip

ip rip authentication key-chain cisco
ip rip authentication mode md5


To enable routing protocol authentication, the key chain command identifies a group of authentication keys, the key command identifies one authentication key within that chain, and the key-string command specifies the authentication string for that key. On top of that, make sure the command ip rip authentication mode md5 is present on the interface, so that RIP updates are authenticated with MD5 rather than in plain text.

EIGRP: The same goes for EIGRP. The commands to check for are nearly identical to RIP, as shown below:

key chain cisco
 key 1
  key-string eigrp

ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 cisco


Please note that the command ip authentication mode eigrp 10 md5 is different from RIP's ip rip authentication mode md5. The "eigrp 10" is interpreted as eigrp <autonomous-system-number>, where 10 is the EIGRP autonomous system number, so please take note of that.

OSPF: OSPF supports both plain-text and MD5 authentication. You can choose either method depending on your preference. Some routers might not support MD5 authentication, which leaves you no choice but to use plain-text authentication. Otherwise, deploy MD5 authentication, which is 100 times more secure. Check for the commands below to see whether the router is using any authentication.

For plain text authentication:
ip ospf authentication-key cisco
area 0 authentication


For md5 authentication:
ip ospf message-digest-key 40 md5 cisco
area 0 authentication message-digest

Please note that the key-id (40 here) allows passwords to be changed without having to disable authentication: a new key-id with a new password can be added alongside the old one, and the old key removed once all neighbours have been updated.

So the above is a quick list of things to check for authentication on routing protocols. If you get the chance to audit a router config file, just a glance will tell you how good the network administrator is.

To learn more about the usage and meaning of these commands, refer to http://cco.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017d029.html
