Improve OSPF security through Cisco Routers

Source: Internet
Author: User

This article describes in detail how to improve OSPF security on Cisco routers, covering both an analysis of the protocol's authentication options and the router-side configuration that enforces them.

OSPF is an open link-state routing protocol. In practice it is widely used in large and mixed-vendor networks. In the previous article I discussed the weaknesses of the RIP protocol; OSPF was developed largely to overcome them.

1. Use OSPF to solve the defects of RIP Routing Information Protocol

Frankly, OSPF was introduced mainly to remedy several shortcomings of the RIP routing information protocol.

For example, both RIP and RIPv2 are limited to 15 hops: a destination more than 15 hops away is considered unreachable, so the RIP routing information protocol is confined to small networks. OSPF keeps the advantages of RIP while removing the 15-hop limit, and it also fixes defects such as RIP's slow convergence. This brief comparison with RIP appears in an article about OSPF security to stress one point: like RIP, OSPF is a staple of enterprise network design, so hardening it is particularly important for network administrators.

2. OSPF Authentication Methods

OSPF secures its links through authentication of routing updates. When OSPF packets are authenticated, a router can take part in the routing domain only if it holds the pre-configured password. By default, however, routers use no authentication at all; some books call this NULL authentication. Routers exchanging OSPF traffic then never verify each other, which clearly does nothing for the protocol's security.

Two security measures are commonly used to improve OSPF security: simple password authentication and message digest authentication.

With simple password authentication, a password is configured per area. A router joining a routing domain in that area must be configured with the same key; a router without the key is not accepted by the others. This improves OSPF security to a degree, but the method really is "simple" and is easy to attack. A "passive attack" is very effective against it: anyone in the domain with a link analyzer (packet sniffer) can read the key off the wire and use it to cause damage.

Message digest authentication is more secure than simple password authentication, because the key itself is never sent on the wire; only a digest is. Each router is configured with a key and a key ID. A router running OSPF uses an OSPF-specific algorithm, the key and the key ID to create a message digest, and appends that digest to the end of the OSPF packet. Unlike simple password authentication, no key is exchanged over the link, so an attacker cannot recover it even with link analysis tools, and the key is effectively protected. Message digest authentication is widely used for login authentication in operating systems and network devices: Unix and the various BSD login passwords, digital signatures and many other applications, as well as Cisco network devices. In UNIX, for example, a user's password is stored in the file system only after digest hashing. When the user logs in, the system hashes the entered password and compares the result with the digest saved in the file system to decide whether the password is correct. The system can thus decide whether the login is valid without knowing the user's password; the same holds for Cisco routers and other network devices, and it keeps the password from being learned even by users with system administrator rights. Message digest authentication maps a byte string of any length to a 128-bit integer, and it is very hard to recover the original string from those 128 bits. In other words, even with the source code and a description of the algorithm, you cannot turn a digest back into the original string. Mathematically this is because there are infinitely many possible original strings; it is a bit like a function that has no inverse.
Therefore, if you run into a problem with a digest-authenticated password, use the system's own digest function to reset it, overwriting the stored hash with the hash of a new password, rather than thinking about how to crack it. Cracking is essentially impossible, barring extraordinary luck; the author puts the odds below those of winning a 5 million lottery jackpot. Digest authentication is therefore far more secure than simple password authentication.

In addition, OSPF packets carry a non-decreasing sequence number, which is used to defend against replay attacks. In a replay attack, the attacker re-sends a packet that the target host has already received; by tying up the receiving system's resources with such packets, the attacker deceives the system. Replay attacks are frequently used against identity authentication and are one of hackers' favourite tools.

3. Improve OSPF Security through Cisco Routers

How does a Cisco router secure the OSPF protocol? Cisco has adopted a complete solution in two steps.

First, set all affected devices to non-broadcast mode.

In non-broadcast mode, an OSPF device must be explicitly configured with its valid OSPF neighbors (the network devices directly connected to the OSPF router). This provides a basic layer of security and guards against configuration errors: only devices that were configured in advance as allowed peers of this OSPF router can communicate with it and exchange routing updates. In a broadcast environment, by contrast, any OSPF device with a matching configuration can take part in OSPF routing; with simple password authentication, for example, knowing the key is enough to join the exchange of routing updates. This is much like remote management of servers or routers, where an access control list or firewall restricts remote connections to hosts with specific MAC or IP addresses to improve the security of remote access; non-broadcast mode follows the same security philosophy. Cisco routers use broadcast mode by default, mainly for compatibility, so that a device can join the network without extra configuration. To improve OSPF security, however, the mode is usually changed to non-broadcast by running the following command at the router's interface configuration prompt:

    ip ospf network non-broadcast

Second, set an appropriate authentication scheme for the OSPF route.

OSPF supports three authentication methods: NULL authentication, simple password authentication and message digest authentication. NULL authentication is no authentication at all; a device can join the OSPF network without being authenticated. With simple authentication the key is transmitted in plaintext over the network, and attackers can easily capture it with tools such as sniffers and then damage the network. As mentioned above, digest authentication never sends its key over the network, and it uses the internationally recognized message digest algorithm (MD5); it is currently the safest OSPF authentication mode. The author therefore recommends that network administrators use message digest authentication. Simple authentication is closer to NULL authentication and does not effectively secure the OSPF network environment.

A typical application of a message digest algorithm is to generate a digest of a piece of data so that tampering can be detected. A practical example: in the UNIX world, many software downloads come with a companion file of the same name and the extension .md5. That file usually contains a single line of text, which serves as the digital signature of the downloaded file. MD5 treats the entire file as one long string and, through its irreversible string conversion algorithm, produces this unique MD5 digest; comparing it with a freshly computed digest lets you confirm that the downloaded file is genuine.

Enabling message digest authentication is also fairly simple, since Cisco routers now support it natively; the commands are entered at the interface configuration prompt.

Also, an enterprise may not need such strong authentication for every OSPF process. Where the security requirement is low, simple or null authentication may suffice; after all, digest authentication consumes some system resources, and although the overhead is small it does have a slight negative effect on network performance. A Cisco router therefore lets you set a different authentication method per OSPF process ID to match differing security requirements.
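The two steps above, as an added Cisco IOS configuration example that is not part of the original article: the interface name, addresses, neighbor address and key are assumed placeholders. It also includes the verification commands a defender would use to confirm that non-broadcast mode and digest authentication are actually in force.

```cisco
! Step 1: non-broadcast mode on the OSPF-facing interface (assumed name/address).
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip ospf network non-broadcast
 ! Step 2: MD5 key for this interface. Key ID 1; the key string (placeholder
 ! here) is at most 16 characters and is never sent on the wire, only its digest.
 ip ospf message-digest-key 1 md5 REPLACE-WITH-KEY
!
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
 ! Require message digest authentication on every interface in area 0
 ! (alternatively, "ip ospf authentication message-digest" per interface).
 area 0 authentication message-digest
 ! Non-broadcast mode: only this explicitly listed neighbor (assumed) is polled.
 neighbor 10.0.0.2
!
! A second process with a lower security requirement can keep null
! authentication; the method is chosen per area or per interface of each process.
router ospf 2
 network 192.168.10.0 0.0.0.255 area 0
!
! Verification: the output should show "Network Type NON_BROADCAST" and
! "Message digest authentication enabled, Youngest key id is 1".
do show ip ospf interface GigabitEthernet0/0
! A peer with the wrong key or authentication type never reaches FULL;
! "debug ip ospf adj" logs "Mismatched Authentication type" or
! "Mismatched Authentication Key" for such packets.
do show ip ospf neighbor
```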
