TIPS: Improving OSPF security on Cisco routers

Source: Internet
Author: User

This article describes how to improve the security of OSPF on Cisco routers: why the default (unauthenticated) configuration is a problem, and how the two authentication modes OSPF offers differ.

I. OSPF as the answer to the defects of RIP

OSPF was introduced mainly to address the shortcomings of the RIP routing information protocol.

For example, both RIP and RIPv2 use a maximum metric of 15 hops: a destination 16 or more hops away is treated as unreachable, which confines RIP to small networks. OSPF is a link-state protocol rather than a distance-vector one, so it has no hop-count limit and converges far faster than RIP; it keeps RIP's role as an interior routing protocol while removing these limitations. The comparison is made here only to stress that OSPF, like RIP, is a standard choice in enterprise network design, which is exactly why administrators need to take its security seriously.

II. OSPF authentication methods

OSPF secures a link by authenticating routing updates: when OSPF packets are authenticated, a router can only take part in the routing domain if it holds the pre-configured key. By default, however, routers do not authenticate at all. Some books call this null authentication (AuType 0): routers exchanging OSPF packets on the network do not verify each other, so any device on the segment can form an adjacency and inject routes. This is obviously bad for OSPF security.

Two measures are in common use to improve on this: simple password authentication (AuType 1) and message digest authentication (AuType 2, using MD5).

Simple password authentication lets you configure a password for each area. To join a router to the routing domain in that area it must be configured with the same key; a router without the key is not accepted as a neighbour by the others. This raises the bar somewhat, but the method really is "simple" and is easy to attack: the password (at most 8 bytes) is carried in clear text in the Authentication field of the header of every OSPF packet. A passive attack therefore defeats it completely: anyone on the segment with a packet sniffer or protocol analyzer reads the key straight out of a Hello and can then use it to do damage.

Message digest authentication is more secure than simple password authentication. Note that it is not encryption: the packet still travels in the clear, but it is protected by a keyed hash. Each Cisco router is configured with a key and a key ID. When a router sends an OSPF packet it runs the MD5 algorithm specified for OSPF over the packet together with the key, producing a 16-byte message digest.

The router appends this digest to the end of the OSPF packet, and the receiver, which holds the same key under the same key ID, recomputes the digest and compares. The key itself is never exchanged on the link, so an attacker cannot obtain it with a protocol analyzer, and a packet that has been modified in transit fails the check. The same hashing principle is widely used for login authentication in operating systems and network devices, for example Unix and BSD login passwords, as well as in digital signatures. On a Unix system the hash of each user's password, not the password, is stored in the file system; at login the system hashes what the user typed and compares it with the stored value, confirming the password without ever needing to know it. Cisco routers and other network devices store their local passwords the same way.

This also keeps the password from being learned by someone with administrator rights who can read the password file. A message digest maps a byte string of any length to a fixed-size integer, 128 bits in the case of MD5, and there is no practical way to recover the original string from those 128 bits. In other words, even with the source code and a description of the algorithm you cannot turn a digest back into the original string; mathematically, infinitely many inputs map to each output, so the function has no inverse. If a hashed password is lost, the right response is to reset it, overwriting the stored hash with the hash of a new password, rather than trying to crack it; inverting the hash is not a realistic option. Two caveats remain for OSPF. First, an attacker who has captured authenticated packets can guess keys offline, computing the digest for each candidate and comparing it with the trailer, so the key must be long and random, not a dictionary word. Second, MD5 is no longer considered a strong algorithm; on IOS releases that implement RFC 5709, prefer HMAC-SHA authentication configured through a key chain. Even so, digest authentication is far more secure than simple password authentication.
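The two configurations side by side as they appear on a Cisco IOS router, together with a small audit script that flags the weak one, are shown below. This is an added example, not code from the original article or from Cisco: the configuration excerpts are constructed samples in the shape IOS prints them (interface names, addresses and key strings are made up), the key-chain form assumes an IOS release that supports OSPFv2 cryptographic authentication (RFC 5709), and the script recognises only the commands shown.

```python
import re

# Constructed sample: simple password (AuType 1) on one interface, nothing
# on the other, and plain "area 0 authentication" on the process.
WEAK_CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip ospf authentication-key cisco123
!
interface GigabitEthernet0/1
 ip address 10.0.1.1 255.255.255.0
!
router ospf 1
 network 10.0.0.0 0.0.255.255 area 0
 area 0 authentication
"""

# Constructed sample of the corrected form: an MD5 key (AuType 2) on one
# interface, a key chain with HMAC-SHA-256 on the other (assumes RFC 5709
# support in the IOS release), and message-digest authentication on the area.
FIXED_CONFIG = """\
key chain OSPF-KEYS
 key 1
  key-string Fq7!nB2k9sV0xL4p
  cryptographic-algorithm hmac-sha-256
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip ospf message-digest-key 1 md5 Fq7!nB2k9sV0xL4p
!
interface GigabitEthernet0/1
 ip address 10.0.1.1 255.255.255.0
 ip ospf authentication key-chain OSPF-KEYS
!
router ospf 1
 network 10.0.0.0 0.0.255.255 area 0
 area 0 authentication message-digest
"""


def interface_blocks(cfg):
    """Yield (name, [indented lines]) for every 'interface X' stanza."""
    name, lines = None, []
    for raw in cfg.splitlines():
        if raw.startswith("interface "):
            if name:
                yield name, lines
            name, lines = raw.split(" ", 1)[1], []
        elif raw.startswith(" ") and name:
            lines.append(raw.strip())
        else:  # '!' or any other top-level command closes the stanza
            if name:
                yield name, lines
            name, lines = None, []
    if name:
        yield name, lines


def ospf_process_lines(cfg):
    """Indented lines under 'router ospf N'."""
    out, inside = [], False
    for raw in cfg.splitlines():
        if raw.startswith("router ospf"):
            inside = True
        elif not raw.startswith(" "):
            inside = False
        elif inside:
            out.append(raw.strip())
    return out


def audit_ospf_auth(cfg):
    """Return a list of findings; an empty list means nothing weak was seen."""
    findings = []
    for name, lines in interface_blocks(cfg):
        if not any(l.startswith("ip address ") for l in lines):
            continue  # not a routed interface, OSPF cannot run here
        simple = [l for l in lines if l.startswith("ip ospf authentication-key ")]
        digest = [l for l in lines if l.startswith("ip ospf message-digest-key ")]
        chain = [l for l in lines if l.startswith("ip ospf authentication key-chain ")]
        if simple:
            findings.append(f"{name}: simple-password key (AuType 1); "
                            "sent in clear text in every OSPF packet")
        elif not digest and not chain:
            findings.append(f"{name}: no message-digest key or key chain; "
                            "neighbours on this link are unauthenticated")
        for l in digest:
            # 'md5 7 <hex>' is the reversible type-7 obfuscation written by
            # service password-encryption; it does not protect the key.
            if re.match(r"ip ospf message-digest-key \d+ md5 7 ", l):
                findings.append(f"{name}: key stored as type 7; treat it as exposed")
    for l in ospf_process_lines(cfg):
        m = re.match(r"area (\S+) authentication(.*)", l)
        if m and "message-digest" not in m.group(2):
            findings.append(f"area {m.group(1)}: simple authentication enabled; "
                            f"use 'area {m.group(1)} authentication message-digest'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_ospf_auth(cfg) or ["no findings"])
```

After applying the corrected form, `show ip ospf interface` should report message digest authentication enabled with the key ID in use, and `show ip ospf neighbor` should still list every peer; a neighbour that silently disappears usually has a key or key-ID mismatch, which `debug ip ospf adj` reports on the router that rejected the packet.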

In addition, the authentication data of an OSPF packet carries a non-decreasing cryptographic sequence number, which is used to defeat replay attacks. In a replay attack the attacker records packets that the target has already accepted and sends them again later; the receiver treats them as fresh, and the attacker can use this to tie up the receiving system's resources or to pass an authentication step without holding the key. Replay is one of the favourite tools of attackers against identity authentication. Because a receiver rejects any packet whose sequence number is lower than the last one it accepted from that neighbour, a recorded packet is dropped even though its digest is valid. RFC 2328 recommends deriving the sequence number from the time of day so that it does not start over after a reboot, which is what allows this check to hold across restarts.
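To make concrete what a sniffer sees under each method and how a receiver checks the digest and the sequence number, the following Python builds an OSPF Hello both ways following RFC 2328 Appendix D. This is an added example and not part of the original article or of any Cisco implementation; the router ID, keys and sequence numbers are constructed values, and the header checksum is left at zero (AuType 2 requires that anyway, and the digest rather than the checksum protects the packet).

```python
import hashlib
import hmac
import struct

# OSPFv2 packet header (RFC 2328 A.3.1): version, type, packet length,
# router ID, area ID, checksum, AuType, 8-byte Authentication field.
HEADER = struct.Struct("!BBH4s4sHH8s")
AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2

# Constructed Hello body (RFC 2328 A.3.2): netmask, hello interval, options,
# priority, dead interval, DR, BDR.
HELLO_BODY = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 0x02, 1, 40,
                         b"\0" * 4, b"\0" * 4)
ROUTER_ID, AREA_ID = bytes([10, 0, 0, 1]), b"\0" * 4  # constructed values


def build_hello(auth_type, auth_field):
    """Header + body with checksum zero (required for AuType 2)."""
    length = HEADER.size + len(HELLO_BODY)
    return HEADER.pack(2, 1, length, ROUTER_ID, AREA_ID, 0, auth_type, auth_field) + HELLO_BODY


def simple_auth_hello(password):
    """AuType 1: the password itself (at most 8 bytes, zero padded) is the Authentication field."""
    return build_hello(AUTH_SIMPLE, password.encode()[:8].ljust(8, b"\0"))


def sniff_simple_password(frame):
    """What a passive listener on the link sees: for AuType 1 the key is bytes 16..24."""
    auth_type = struct.unpack("!H", frame[14:16])[0]
    if auth_type != AUTH_SIMPLE:
        return None
    return frame[16:24].rstrip(b"\0").decode()


def md5_trailer(packet, key):
    """RFC 2328 D.4.3: MD5 over the packet followed by the 16-byte key (zero padded).
    Only the digest goes on the wire; the key does not."""
    return hashlib.md5(packet + key.encode()[:16].ljust(16, b"\0")).digest()


def md5_auth_hello(key_id, seq, key):
    """AuType 2: Authentication field = 0x0000, key ID, auth data length 16,
    cryptographic sequence number; the digest is appended after the packet."""
    auth_field = struct.pack("!HBBI", 0, key_id, 16, seq)
    packet = build_hello(AUTH_MD5, auth_field)
    return packet + md5_trailer(packet, key)


def verify_md5(frame, keys, last_seq):
    """Receiver side. keys maps key ID -> key; last_seq is the highest sequence
    number already accepted from this neighbour. Returns (accepted, reason_or_seq)."""
    length = struct.unpack("!H", frame[2:4])[0]
    packet, trailer = frame[:length], frame[length:length + 16]
    _, key_id, auth_len, seq = struct.unpack("!HBBI", packet[16:24])
    key = keys.get(key_id)
    if key is None or auth_len != 16:
        return False, "unknown key id"
    if not hmac.compare_digest(trailer, md5_trailer(packet, key)):
        return False, "bad digest"  # wrong key, or packet modified in flight
    if seq < last_seq:
        return False, "replayed"  # older than a packet already accepted
    return True, seq


if __name__ == "__main__":
    print("AuType 1 leaks:", sniff_simple_password(simple_auth_hello("cisco123")))
    frame = md5_auth_hello(1, 1700000000, "s3cr3t")
    print("AuType 2 leaks:", sniff_simple_password(frame), "key in frame:", b"s3cr3t" in frame)
    print("fresh:", verify_md5(frame, {1: "s3cr3t"}, 0))
    print("replayed later:", verify_md5(frame, {1: "s3cr3t"}, 1700000010))
```

Note that the RFC check is "not lower than", so a verbatim replay of the most recent packet is still accepted; that is harmless for a Hello, which only refreshes state the receiver already holds, but it is why the sequence number has to keep rising rather than restart from zero after a reboot.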
