Router/Switch authentication in the network

Discussion in 'Cisco' started by Perdition, Dec 30, 2007.

  1. Perdition

    Perdition Guest

    Hey everyone :) I'm interested in implementing an authentication
    scheme in my network for the network devices, other than using static
    MAC addresses which aren't thought of as particularly secure. The idea
    is something similar to Dot1X (certificates for example to
    authenticate an end device) but for routers and switches so that an
    attacker can't replace our router with his own since it would not be
    an authenticated device in the network. The solution needn't
    necessarily be based on something proprietary to Cisco.

    Thanks a lot in advance,
    Michael
     
    Perdition, Dec 30, 2007
    #1

  2. Bartosz Gagat

    Bartosz Gagat Guest

    Tacacs+ server should help.
    Regards
    Bartosz Gagat
     
    Bartosz Gagat, Dec 30, 2007
    #2

  3. Trendkill

    Trendkill Guest

    On Dec 30, 10:52 am, "Bartosz Gagat" <> wrote:
    > Tacacs+ server should help.
    > Regards
    > Bartosz Gagat


    He doesn't want authentication on the devices themselves, or at least
    that is not what he has asked for. He is looking to stop a device
    from coming onto the network without proper authentication, similar to
    that of dot1x, to ensure that someone doesn't turn up a router that
    influences traffic. To be honest, my first answer is to use
    authentication on your routing protocols to ensure that a false router
    cannot come online and begin participating in advertisements on the
    network. Additionally, secure your rooms with your network equipment
    to ensure that your only risk is someone plugging in a router at their
    desk, which would be worthless if you use auth on your routing
    protocols. I do understand what you are asking for, but locking down
    every IP to a MAC address or authentication mechanism is not practical
    in most scenarios (although I'm not doubting that you may really need
    this setup). I would encourage you to protect from major gaps or
    risks, while not going crazy and making a network that is too needy to
    manage efficiently. If you lock down your network rooms, use
    authentication like TACACS+ for your devices, and use authentication on
    your routing protocols, you should protect yourself from the majority
    of risks. That isn't to say someone can't do a man-in-the-middle
    attack and spoof your router's IP to sniff traffic, but at least it
    will not be manipulating the core of your network routing/switching-wise.
     
    Trendkill, Dec 30, 2007
    #3
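    The "authentication on your routing protocols" suggested above, shown as an
    added example that is not part of this thread: a Python model of OSPFv2
    cryptographic authentication as specified in RFC 2328 Appendix D (AuType 2,
    keyed MD5). It builds a Hello packet carrying the MD5 trailer and shows the
    receiver rejecting a rogue router's packets (wrong key), a tampered packet, a
    replay (cryptographic sequence number going backwards) and an unknown Key ID.
    Router IDs, the shared key and sequence numbers are constructed sample values;
    this is a stand-alone illustration, not router code.

```python
"""OSPFv2 cryptographic authentication (RFC 2328 Appendix D, AuType 2) - added example."""
import hashlib
import hmac
import socket
import struct

OSPF_VERSION = 2
OSPF_TYPE_HELLO = 1
AUTYPE_CRYPTOGRAPHIC = 2
HEADER_LEN = 24       # fixed OSPFv2 header, including the 8-byte authentication field
DIGEST_LEN = 16       # MD5 digest appended after the packet


def _pad_key(key: bytes) -> bytes:
    # RFC 2328 D.3: the key is zero-padded (or truncated) to 16 bytes before hashing.
    return key.ljust(DIGEST_LEN, b"\x00")[:DIGEST_LEN]


def build_hello(router_id: str, area_id: str, key_id: int, seq: int, key: bytes,
                hello_interval: int = 10, dead_interval: int = 40) -> bytes:
    """Return an OSPF Hello with AuType 2 authentication: header + body + MD5 trailer."""
    # Minimal Hello body: netmask, hello interval, options, priority, dead interval, DR, BDR.
    body = struct.pack("!4sHBBI4s4s", socket.inet_aton("255.255.255.0"), hello_interval,
                       0x02, 1, dead_interval, socket.inet_aton("0.0.0.0"),
                       socket.inet_aton("0.0.0.0"))
    length = HEADER_LEN + len(body)
    # With cryptographic authentication the OSPF checksum field is left at zero (D.4.3).
    header = struct.pack("!BBH4s4sHH", OSPF_VERSION, OSPF_TYPE_HELLO, length,
                         socket.inet_aton(router_id), socket.inet_aton(area_id), 0,
                         AUTYPE_CRYPTOGRAPHIC)
    # Authentication field: 2 zero bytes, Key ID, Auth Data Length, cryptographic sequence number.
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    packet = header + auth + body
    # The digest covers the whole packet followed by the padded key; the key never goes on the wire.
    digest = hashlib.md5(packet + _pad_key(key)).digest()
    return packet + digest


def verify(packet: bytes, keys: dict, last_seq: int):
    """Receiver-side check. keys maps Key ID -> shared key; last_seq is the highest
    sequence number already accepted from this neighbour.
    Returns (accepted, reason, new_last_seq)."""
    if len(packet) < HEADER_LEN + DIGEST_LEN:
        return False, "short packet", last_seq
    _ver, _ptype, length, _rid, _aid, _csum, autype = struct.unpack("!BBH4s4sHH", packet[:16])
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", packet[16:HEADER_LEN])
    if autype != AUTYPE_CRYPTOGRAPHIC:
        return False, "not cryptographic auth", last_seq
    if auth_len != DIGEST_LEN or length + DIGEST_LEN != len(packet):
        return False, "bad length", last_seq
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id", last_seq
    expected = hashlib.md5(packet[:length] + _pad_key(key)).digest()
    received = packet[length:length + DIGEST_LEN]
    if not hmac.compare_digest(received, expected):
        return False, "digest mismatch", last_seq
    # D.4.3 step 3: the sequence number must be >= the last one accepted, otherwise it is a replay.
    # (An exact copy with the same sequence number is still accepted by the RFC rule.)
    if seq < last_seq:
        return False, "replay", last_seq
    return True, "ok", seq


def demo():
    """Run the four cases and return (name, accepted, reason) tuples."""
    keys = {1: b"s3cret"}                       # constructed shared key, Key ID 1
    results = []
    genuine = build_hello("10.0.0.1", "0.0.0.0", 1, 100, b"s3cret")
    ok, reason, last = verify(genuine, keys, 0)
    results.append(("genuine", ok, reason))
    rogue = build_hello("10.0.0.99", "0.0.0.0", 1, 101, b"guess")   # rogue router, wrong key
    results.append(("rogue",) + verify(rogue, keys, last)[:2])
    tampered = bytearray(genuine)
    tampered[HEADER_LEN] ^= 0xFF                 # flip a byte of the netmask after signing
    results.append(("tampered",) + verify(bytes(tampered), keys, last)[:2])
    replayed = build_hello("10.0.0.1", "0.0.0.0", 1, 99, b"s3cret")   # older sequence number
    results.append(("replay",) + verify(replayed, keys, last)[:2])
    return results


if __name__ == "__main__":
    for name, ok, reason in demo():
        print(f"{name:9s} accepted={ok} ({reason})")
```

    The point for the thread: a router plugged in by an attacker can speak OSPF
    all it likes, but without the shared key its Hellos fail the digest check and
    it never becomes a neighbour. The sequence number only stops replays of older
    packets, and MD5 here is a keyed digest rather than a modern MAC, so the key
    still needs to be long, random and rotated via the Key ID.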
  4. stephen

    stephen Guest

    "Trendkill" <> wrote in message
    news:...
    > On Dec 30, 10:52 am, "Bartosz Gagat" <> wrote:
    > > Tacacs+ server should help.
    > > Regards
    > > Bartosz Gagat

    the other posters have suggested some places to start, but lots of
    organisations have issued "best practice" guides for this kind of thing - so
    some Google searches will get you going.

    >
    > He doesn't want authentication on the devices themselves, or at least
    > that is not what he has asked for. He is looking to stop a device
    > from coming onto the network without proper authentication, similar to
    > that of dot1x, to ensure that someone doesn't turn up a router that
    > influences traffic. To be honest, my first answer is to use
    > authentication on your routing protocols to ensure that a false router
    > cannot come online and begin participating in advertisements on the
    > network.


    there are some Cisco best practice guides around for routers rather than
    generic security - try
    http://www.nsa.gov/snac/downloads_cisco.cfm?MenuID=scg10.3.1

    securing routing:
    http://www.cisco.com/warp/public/cc/so/neso/vpn/prodlit/sfblp_wp.pdf

    there is a really good ISP one somewhere written by Cisco - but I can't find
    it online (but it was published as a book as well).

    > Additionally, secure your rooms with your network equipment
    > to ensure that your only risk is someone plugging in a router at their
    > desk, which would be worthless if you use auth on your routing
    > protocols. I do understand what you are asking for, but locking down
    > every IP to a MAC address or authentication mechanism is not practical
    > in most scenarios (although I'm not doubting that you may really need
    > this setup). I would encourage you to protect from major gaps or
    > risks, while not going crazy and making a network that is too needy to
    > manage efficiently. If you lock down your network rooms, use
    > authentication like TACACs for your devices, use authentication on
    > your routing protocols, you should protect yourself from the majority
    > of risks. That isn't to say someone can't do a man in the middle
    > attack and spoof your routers IP to sniff traffic, but at least it
    > will not be manipulating the core of your network routing/switching
    > wise.


    This may be putting the cart before the horse as at some point you will find
    you need to compromise cost against hassle and operational support etc.

    At that point you need to decide which things you will do 1st / only - and
    you need to decide which things work well for you.

    the mantra from a security expert starts with "what is your security
    policy" - before you start deciding what to do it is a good idea to
    decide why and how much ....
    --
    Regards

    - replace xyz with ntl
     
    stephen, Dec 30, 2007
    #4
  5. Perdition

    Perdition Guest

    Thanks for the quick responses :) I went over the majority of the best
    practice guides you've suggested. My network devices are secure behind
    strong lockers and md5 authentication will likely be used between
    routers. BTSH for OSPF/EIGRP would have been great if it were
    available, but all in all the routers and switches are physically
    secure with routing updates being authenticated. The unresolved issue
    being addressed is if someone wants to add a switch or router to the
    network edge, or possibly the core (even though it's far less likely).
    For example our team has been given a scenario of someone trying to
    get by Dot1x authentication by connecting a simple switch at the user
    port where the supplicant was, and connecting the supplicant to that
    simple switch along with an attacker's host. It is suggested that
    under this scenario the dot1x will be foiled since the supplicant will
    be validated by the authenticating switch and afterwards both the
    supplicant and the attacker computer will have access to the network
    since Dot1x isn't point to point. That is an example why
    authentication of the network device itself is a solution I'm looking
    into.

    Would the scenario I mentioned really allow the attacker's computer to
    gain access to the network?

    The security aspects of the network are a top priority, I'd prefer to
    not map static MACs to each switch and router if other mechanisms can
    properly secure the network, since spoofing MACs is two lines of work
    in any *nix system and a simple matter of freeware for Windows
    systems. If routing authentication, physical security, dot1x,
    firewalls between vlans, and strongly encrypted VPNs between networks
    is enough to be considered world class security, then that's great to
    hear. By the way this is a single private autonomous system, no BGP is
    necessary.

    Again thanks for your input :)
     
    Perdition, Dec 30, 2007
    #5
  6. stephen

    stephen Guest

    "Perdition" <> wrote in message
    news:...
    >
    > Thanks for the quick responses :) I went over the majority of the best
    > practice guides you've suggested. My network devices are secure behind
    > strong lockers and md5 authentication will likely be used between
    > routers. BTSH for OSPF/EIGRP would have been great if it were
    > available, but all in all the routers and switches are physically
    > secure with routing updates being authenticated. The unresolved issue
    > being addressed is if someone wants to add a switch or router to the
    > network edge, or possibly the core (even though it's far less likely).
    > For example our team has been given a scenario of someone trying to
    > get by Dot1x authentication by connecting a simple switch at the user
    > port where the supplicant was, and connecting the supplicant to that
    > simple switch along with an attacker's host. It is suggested that
    > under this scenario the dot1x will be foiled since the supplicant will
    > be validated by the authenticating switch and afterwards both the
    > supplicant and the attacker computer will have access to the network
    > since Dot1x isn't point to point. That is an example why
    > authentication of the network device itself is a solution I'm looking
    > into.


    you could "plug" this hole by limiting how many MAC addresses are allowed
    per port on a switch - 2 or more MACs and the port goes into ErrDisable
    state. The default state on a 4500 at least is that only 1 device is allowed
    on a port.

    Note this will not stop a traffic sniffer from receiving copies of all packets
    on that port as long as it never sends anything, and if 2 devices end up
    with the same MAC you might be able to get around it that way.

    However - I think you need to work through where your "trust" boundary
    should be, and what security you need.

    Your description sounds like a recipe for end to end encryption /
    authentication at the application level rather than worrying about LANs and
    devices.
    >
    > Would the scenario I mentioned really allow the attacker's computer to
    > gain access to the network?


    Not by default on IOS AFAICT, but it may not be too much work to get around
    that.

    Given you are pushing the limits on common network deployments, you need to
    verify anything you do, test it, try penetration attacks and so on.

    And did anyone mention you will need to spend lots of money, resources and
    time to get this done?

    I suspect this is one of those "buy lots of gear and lock some engineers in
    a lab for 6 months" type problems :)
    >
    > The security aspects of the network are a top priority, i'd prefer to
    > not map static MACs to each switch and router if other mechanisms can
    > properly secure the network, since spoofing MACs is two lines of work
    > in any *nix system and a simple matter of freeware for Windows
    > systems. If routing authentication, physical security, dot1x,
    > firewalls between vlans, and strongly encrypted VPNs between networks
    > is enough to be considered world class security, then that's great to
    > hear. By the way this is a single private autonomous system, no BGP is
    > necessary.


    I suspect the only way you will "push" this to individual devices and make
    sure authentication is per device is to use IPsec VPN or something else with
    encryption as an overlay.

    In that case your theoretical bad guy may be able to spoof his way onto the
    network - but user traffic is in encrypted tunnels and that doesn't get him
    to a useful end point.

    Now making that work for all devices on a network - difficult.

    Ever seen a printer with IPsec, or a badge card reader etc, or all the other
    weird devices that get hooked up these days?

    Given your constraints you cannot use separate encryption boxes as that
    gives the attacker a point to get to the unencrypted traffic.
    >
    > Again thanks for your input :)

    --
    Regards

    - replace xyz with ntl
     
    stephen, Dec 30, 2007
    #6
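    The hub-behind-the-supplicant scenario from post #5 and the port-security
    answer from post #6, as an added example that is not part of this thread: a
    small Python model of an access port that learns at most one source MAC and
    err-disables on a second one, with an unmanaged hub between the port and an
    already 802.1X-authenticated host. It walks through the three variants of the
    attack (attacker uses its own MAC, attacker clones the supplicant's MAC,
    attacker only listens) and shows which of them the MAC-count limit catches.
    MAC addresses and the frame sequence are constructed sample data; the class is
    a simulation standing in for the switch, not switch code.

```python
"""Port-security versus a hub inserted behind an 802.1X supplicant - added example (toy model)."""
from dataclasses import dataclass, field

SUPPLICANT_MAC = "00:11:22:33:44:55"   # constructed: the host that already passed 802.1X
ATTACKER_MAC = "de:ad:be:ef:00:01"     # constructed: the second host on the same hub


@dataclass
class SecuredPort:
    """Access port with port-security: learn up to max_macs source MACs, err-disable on more.
    Models 'switchport port-security maximum N' with violation mode shutdown."""
    max_macs: int = 1
    learned: set = field(default_factory=set)
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def ingress(self, src_mac: str) -> bool:
        """A frame arrives from the hub side. Returns True if the switch forwards it."""
        if self.err_disabled:
            self.log.append(f"drop {src_mac}: port err-disabled")
            return False
        if src_mac in self.learned or len(self.learned) < self.max_macs:
            self.learned.add(src_mac)
            return True
        self.err_disabled = True   # violation action 'shutdown': the port goes err-disabled
        self.log.append(f"violation: {src_mac} would be MAC #{len(self.learned) + 1}, port err-disabled")
        return False


def hub_scenario(attacker_frames):
    """The supplicant transmits first (it already passed 802.1X), then the attacker transmits
    frames with the given source MACs (empty list = the attacker only listens). Because a hub
    repeats every frame to every port, the attacker receives whatever the switch sends towards
    the supplicant for as long as the port stays up."""
    port = SecuredPort()
    forwarded = []
    if port.ingress(SUPPLICANT_MAC):
        forwarded.append(SUPPLICANT_MAC)
    for mac in attacker_frames:
        if port.ingress(mac):
            forwarded.append(mac)
    return {
        "forwarded": forwarded,
        "err_disabled": port.err_disabled,
        "attacker_can_sniff": not port.err_disabled,        # the hub copies egress traffic to it
        "supplicant_still_connected": not port.err_disabled,  # shutdown also cuts the real user off
        "log": port.log,
    }


def run_all():
    """The three variants discussed in the thread."""
    return {
        "own_mac": hub_scenario([ATTACKER_MAC]),        # attacker talks with its own MAC
        "cloned_mac": hub_scenario([SUPPLICANT_MAC]),   # attacker clones the supplicant's MAC
        "silent": hub_scenario([]),                     # attacker never sends, only sniffs
    }


if __name__ == "__main__":
    for name, r in run_all().items():
        state = "err-disabled" if r["err_disabled"] else "port up"
        print(f"{name:10s} {state:13s} forwarded={r['forwarded']} log={r['log']}")
```

    The model reproduces both gaps named in the post: a silent attacker is never
    seen by the MAC counter at all, and an attacker that clones the supplicant's
    MAC looks like one device. It also shows the operational cost of the shutdown
    action: the first frame from a second MAC takes the legitimate supplicant off
    the network too, so a violation needs a recovery procedure before it is rolled
    out widely.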
