Cisco routers are currently in very high demand. This article introduces how OSPF addresses the defects of the RIP routing information protocol, including the OSPF authentication methods. OSPF is also an open link-state protocol.
In practice, OSPF is often used in large and mixed networks. In the previous article, I talked about the defects of the RIP protocol. The main reason network experts developed the OSPF protocol was to cope with those defects of RIP.
1. Using OSPF to solve the defects of the RIP routing information protocol
To be honest, OSPF was introduced mainly to solve some defects of the RIP routing information protocol. For example, both RIP and RIP2 have a 15-hop limit: if the network span exceeds 15 hops, the destination is considered unreachable. The RIP routing information protocol is therefore confined to small networks. OSPF inherits the advantages of RIP and breaks through the 15-hop restriction. In addition, OSPF addresses other RIP defects such as slow convergence. This brief look at the relationship between OSPF and RIP, before turning to OSPF security, is mainly to emphasize that OSPF, like RIP, is a protocol commonly used in enterprise network design. It is therefore especially important for network administrators to improve the security of the protocol.
2. OSPF authentication methods
OSPF provides link security through authentication of routing updates. When OSPF packets are authenticated, a Cisco router can participate in the routing domain only with the pre-configured password. By default, however, Cisco routers do not use authentication at all; some books call this NULL authentication. That is to say, the Cisco routers on the network do not authenticate each other, which is obviously not conducive to the security of the OSPF protocol.
In general, security measures are taken to improve the security of the OSPF protocol. There are currently two common ones: simple password authentication and message digest authentication. Simple password authentication lets you configure a password in each area. Every Cisco router in the same area that participates in the routing domain must be configured with the same key; a router without the key will not be accepted by the other Cisco routers. This improves the security of OSPF to a certain extent. However, this method really is "simple" and is vulnerable to attack. For example, a "passive attack" is very effective against simple password authentication: anyone in the domain with a link analyzer tool can easily capture this key, because it is sent in plaintext, and then use it to cause damage.
Message digest authentication is more secure than simple password authentication, because the key itself is never transmitted; only a hash derived from it is. A key and a key ID are configured on each Cisco router. When the router runs OSPF, it uses a message digest algorithm (MD5) with the key and key ID to create a message digest over the packet, and then appends the digest to the end of the OSPF packet. Unlike simple password authentication, the key itself is never exchanged on the link, so an attacker cannot obtain it even with a link analysis tool. The security of the key is therefore effectively improved. Message digest authentication is widely used in login authentication for operating systems and network devices, such as the logon passwords of Unix and the various BSD systems, in digital signatures and many other places, and in Cisco network devices. For example, in UNIX systems a user's password is stored in the file system only after being hashed with a message digest function.
When a user logs on, the system hashes the password entered by the user with the same message digest function and compares the result with the digest value saved in the file system, and so confirms whether the entered password is correct. In this way the system can determine the validity of the logon without ever knowing the user's password. The same is true for Cisco routers and other network devices. This prevents the user's password from being learned even by users with system administrator permissions. Message digest authentication maps a byte string of any length to a fixed-size value (128 bits for MD5), and it is very difficult to recover the original string from those 128 bits. In other words, even with the source program and the algorithm description in hand, you cannot turn the digest value back into the original string. In mathematical terms this is because there are infinitely many possible original strings; it is a bit like a function that has no inverse. Therefore, if you run into a problem with a digest-authenticated password, use the system's own digest function to reset the password, overwriting the stored hash with the hash of a new password string, instead of thinking about how to crack it. Cracking is essentially impossible unless you are extraordinarily lucky; it can be said that the probability of breaking digest authentication is five million times lower than that of winning a five-million jackpot. Digest authentication is therefore much more secure than simple password authentication.
In addition, the OSPF protocol carries a non-decreasing sequence number in its packets. This sequence number can be used to prevent replay attacks. In a replay attack, the attacker resends a packet that the target host has already received; by consuming the resources of the receiving system, the attacker can deceive the system. Replay attacks are often used against identity authentication and are one of hackers' favorite tools.
3. Improving OSPF security on Cisco routers
How does a Cisco router ensure the security of the OSPF protocol? Cisco has a complete set of measures.
First, set all affected devices to non-broadcast mode. In non-broadcast mode, OSPF devices must be explicitly configured to communicate with valid OSPF neighbors (that is, the network devices directly connected to an OSPF Cisco router). Non-broadcast mode provides a basic layer of security against configuration errors: only the network devices configured in advance to communicate with this OSPF Cisco router can exchange routing updates with it. In a broadcast environment, by contrast, any correctly configured OSPF device can participate in OSPF routing; for example, in simple password authentication mode you only need to know the key to take part in routing updates. This is similar to remote management of servers or routers: you can use an access control list or a firewall to allow only hosts with specific MAC or IP addresses to connect to the Cisco router for remote management, which improves the security of remote access. Non-broadcast mode follows the same security philosophy. Cisco router products use broadcast mode by default, mainly for compatibility reasons, so that a device can join the network without additional configuration. To improve the security of OSPF, however, we often need to change the mode to non-broadcast. To do so, run the following command at the Cisco router interface configuration prompt: ip ospf network non-broadcast.
Second, set an appropriate authentication scheme for OSPF routing. OSPF supports three authentication methods: NULL authentication, simple password authentication, and message digest authentication. NULL authentication means no authentication at all; a device can join the OSPF network without authenticating. In simple authentication the key is transmitted in plaintext over the network, and it is well known that an attacker can easily obtain it with a sniffer and then damage the network. As mentioned above, digest authentication never sends its key over the network and uses the widely recognized MD5 message digest algorithm. It can be said to be the safest OSPF authentication mode available today. The author therefore suggests that network administrators use message digest authentication. Simple authentication is closer to NULL authentication and does not effectively guarantee the security of the OSPF network environment.
A typical application of a message digest algorithm is to generate a digest of a piece of information in order to detect tampering. Let's take a practical example. In UNIX, many downloadable software packages come with a file of the same name and the extension .md5. This file usually contains only one line of text: the MD5 digest (often loosely called the digital signature) of the downloaded file. MD5 treats the entire file as one large text and, through its irreversible string conversion algorithm, produces this unique digest. By recomputing and comparing it, you can check the integrity of the downloaded file.
If the network administrator needs to use message digest authentication, it is also relatively simple, since Cisco routers support it. To enable message digest authentication on a Cisco router, you perform the operations at the interface configuration prompt. In addition, an enterprise may not need such a high-security authentication method for every OSPF process. Where the security requirement is lower, simple or null authentication can be used. After all, message digest authentication consumes a certain amount of system resources; although the proportion is small, it does have some negative impact on network performance. Therefore, on a Cisco router you can set different authentication methods for different OSPF process IDs and areas to meet different security requirements.
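Message digest authentication on one area and the default null authentication on another, as an added example that is not from the original article. Interfaces, addresses, areas, the key id and the placeholder key string are all assumptions; the same key id and key must be configured on every router on the authenticated link.

```cisco
! Router R1 (constructed example). Replace the placeholder key before use.
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ! Key id 1 with its MD5 key. The key never leaves the router: only the
 ! digest computed over each OSPF packet (plus a sequence number) is sent
 ip ospf message-digest-key 1 md5 REPLACE-WITH-STRONG-KEY
!
interface GigabitEthernet0/1
 ip address 10.0.1.1 255.255.255.0
 ! No key here: this interface belongs to the lower-security area below
!
router ospf 1
 router-id 10.0.0.1
 network 10.0.0.0 0.0.0.255 area 0
 network 10.0.1.0 0.0.0.255 area 10
 ! Backbone area 0 requires a valid digest on every packet
 area 0 authentication message-digest
 ! Area 10 is left at the default (null) authentication on purpose
!
! Hide the key in the running configuration listing
service password-encryption
!
! Checks:
!   show ip ospf interface GigabitEthernet0/0
!       -> "Message digest authentication enabled", "Youngest key id is 1"
!   show ip ospf neighbor
!       -> a peer with a mismatched key or key id never appears here
!   debug ip ospf adj
!       -> reports mismatched authentication type or key while troubleshooting
```

On newer IOS releases the same can be done per interface with ip ospf authentication message-digest instead of the area-wide command, which is convenient when only some links in an area need it.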