Securing Your OSPF Network

A message-of-the-day banner like this in your network equipment is effective. It pretty much covers all the possible consequences and goes so far as to state that there will be consequences based upon user’s actions.

Privilege Level Security

This feature was introduced by Cisco in release 10.3 and allows for the establishment of 16 levels of access within the router. Default privilege levels are: 1=user and 15=privileged.

Privilege levels can be used a variety of ways within a router:

•  They can be established for both commands and incoming terminal lines.

•  Specialized enable passwords can be linked to privilege levels.

•  They can be assigned to specialized exec and configure commands to control access.

Privilege Level Command Modes

There are a variety of different command modes that you can implement using privilege levels. All of them are global configuration commands except “exec”.

Privilege Level Configuration Example

To associate a privilege level with a specific command, you need to configure the router as shown here:

    OSPF_Router(config)#privilege exec level 6 ping    OSPF_Router(config)#privilege exec level 6 clear 

The preceding two commands, if applied to a router’s VTY port (the ones you Telnet to), allow anyone accessing the router using just the vty command to perform extended pings and a variety of clear commands (that is counters, interface, router, and so forth).

To establish a specific enable password for a privilege level, you enter the following:

    OSPF_Router(config)# enable password level <level #> <password> 

To associate a privilege level with a terminal line, you enter the following:

    OSPF_Router(config)# line vty 0 4    OSPF_Router(config-line)# privilege level <level #> 

Network Data Encryption

To safeguard your network data, Cisco provides network data encryption and router authentication services. This section briefly discusses how this is done and how it can benefit your network. Further discussion on the proper techniques and process involved in deploying this feature in your network is beyond the scope of this book. At the end of this section, additional resources will be provided in case you need further reading on this subject.

Network data encryption is provided at the IP packet level. IP packet encryption prevents eavesdroppers from reading the data that is being transmitted. When IP packet encryption is used, IP packets can be seen during transmission, but the IP packet contents (payload) cannot be read. Specifically, the IP header and upper-layer protocol (TCP or UDP) headers are not encrypted, but all payload data within the TCP or UDP packet will be encrypted and therefore not readable during transmission.

The actual encryption and decryption of IP packets occurs only at routers that you configure for network data encryption with router authentication. Such routers are considered to be peer encrypting routers (or simply peer routers). Intermediate hops do not participate in encryption/decryption.

Typically, when an IP packet is initially generated at a host, it is unencrypted (“cleartext”). This occurs on a secured (internal) portion of your network. Then when the transmitted IP packet passes through an encrypting router, the router determines if the packet should be encrypted. If the packet is encrypted, the encrypted packet will travel through the unsecured network portion (usually an external network such as the Internet) until it reaches the remote peer encrypting router. At this point, the encrypted IP packet is decrypted and forwarded to the destination host as cleartext.

---

Notes:  
It is important to remember that by requiring the routers to encrypt data, you are adding overhead to the routers’ processing load. You will want to test this first to ensure that the routers in your network can handle the added load.

---

Router authentication enables peer encrypting routers to positively identify the source of incoming encrypted data. This means that attackers cannot forge transmitted data or tamper with transmitted data without detection. Router authentication occurs between peer routers each time a new encrypted session is established. An encrypted session is established each time an encrypting router receives an IP packet that should be encrypted (unless an encrypted session is already occurring at that time).

---

TIPS:  
The use of data encryption is applied to your data only after it leaves the router because that is the device applying the encryption. This is important to mention because the data will travel from the host to the router in an unsecured format.

---

To provide IP packet encryption with router authentication, Cisco implements the following standards: the Digital Signature Standard (DSS), the Diffie-Hellman (DH) public key algorithm, and the Data Encryption Standard (DES). DSS is used in router authentication. The DH algorithm and DES standard are used to initiate and conduct encrypted communication sessions between participating routers.

Additional Resources on Network Data Encryption

This section was provided to make you aware that it is possible to encrypt all the data flowing within your network. This is not to say that you should immediately deploy data encryption or that this is the best way to protect your data, only that it is possible. The next section discusses how OSPF can encrypt routing updates, which does not encrypt the network’s data. If you require further information on this subject, you should consult the Cisco IOS Security by Cisco Systems, Inc.