Securing Your OSPF Network

Network address translation will allow the use of unregistered address space on the inside of the firewall and registered space within the firewall. The Cisco PIX Firewall can operate with a mixture of both registered and unregistered IP addresses. In addition, it also supports port address translation (PAT) with port level multiplexing, which is a method to further conserve address space. Through the use of this feature, inside user local IP addresses are automatically converted to a single outside IP address and the PIX Firewall uses different port numbers to distinguish between hosts. Over 64,000 inside hosts can be served by a single outside IP address with PAT. For additional information on Cisco’s PIX Firewall, please refer to the following Web site:

http://www.cisco.com/warp/public/751/pix/pie_ds.htm

Frequently Asked Questions

Q—I want to control which hosts can Telnet to or from the routers in my network. What is the easiest way to do that?

A—Build a standard access list to define which IP addresses will be allowed, then apply the list to the console or VTY line. Doing this by using the ip access-class # in command will limit inbound access to only those hosts allowed by your standard IP access list.

Q—I want to control which hosts will be allowed to send data onto my wide-area network. What is the easiest way to do that?

A—Build a standard access list that will define the hosts that are allowed to send data onto the network, and then apply the access list to the Ethernet interface. Do this by using the ip access-group # in command, which will allow packets from only the hosts you defined to pass out onto the network.

Q—What is the difference between the ip access-class command and the ip access-group command?

A—When using the ip access-class command, you are controlling Telnet access. Use the ip access-group command to filter data packets.

Q—How do I configure an OSPF private net for a firewall for Internet access? I currently have static routes for 0.0.0.0 via the firewall. I cannot redistribute this static route. This doesn’t seem to work. I don’t want to go to 100+ routers to add a static route. I have only one firewall now, but I might add a second one. The firewall does address translation; it masks our internal net numbers. How should I do this?

A—On the firewall router running OSPF, enter this command:

    default-information originate always 

It will originate the default route to all your other OSPF routers in the domain. You don’t need to configure default routes in all your OSPF routers in the domain.

Q—How do you configure MD5 authentication on OSPF neighbor routing updates and exchanges? Is the MD5 authentication used for Hello protocol negotiations? Is the MD5 authentication used in all router protocol updates? Will you please provide a sample configuration?

A—Here is a short description of MD5 authentication:
Message Digest Authentication is a cryptographic authentication. A key (password) and key identification are configured on each router. The router uses an algorithm based on the OSPF packet, the key, and the key-id to generate a message digest that is appended to the packet. Unlike the simple authentication, the key is not exchanged over the wire. A non-decreasing sequence number is also included in each OSPF packet to protect against replay attacks. This method also allows for uninterrupted transitions between keys. This is helpful for administrators who wish to change the OSPF password without disrupting communication. If an interface is configured with a new key, the router will send multiple copies of the same packet, each authenticated by different keys. The router will stop sending duplicate packets once it detects that all of its neighbors have adopted the new key. The following commands are used for message digest authentication.

•  ip ospf message-digest-key keyid md5 key (used under the interface)

•  area area-id authentication message-digest (used under router OSPF)

•  <process-id>

For example:

    interface Ethernet0 ip address 10.10.10.10 255.255.255.0    ip ospf message-digest-key 10 md5 mypassword    router ospf 10 network 10.10.0.0 0.0.255.255 area 0    area 0 authentication message-digest 

Q—I’ve heard that OSPF routing protocol exchanges are authenticated. What does this mean?

A—This means that only trusted routers can participate in the autonomous system’s routing. A single authentication scheme is used for each area. Each participating router can have a password.

Q—Does using an extended IP access list prevent regular routing updates (such as OSPF)? I have to specify 224.0.0.0 (destination) in my access list before routing updates allow for OSPF’s hello packets.

A—Inbound access lists on an interface are applied to any IP traffic on that interface. Outbound access lists apply only to traffic switched through the router.

Q—Can the distribute-list in|out command be used with OSPF to filter routes?

A—The distribute-list in command works on all OSPF routes. It is applied when OSPF routes are fed into the routing table. The distribute-list out command works only on the routes being redistributed from other processes into OSPF. It can be applied only to EXTERNAL_TYPE2 and EXTERNAL_TYPE1 routes and cannot be applied to INTRA and INTER routes.

Q—Why would I want or need to consider adding a firewall or other “proxy” device to my network?

A—If you want to increase the security and integrity of your network when connecting it to the Internet, you should consider adding a firewall. In addition, firewalls and proxy devices are able to translate private IP addresses into public IP addresses, thereby allowing your network to join the Internet.

Q—For Internet access, I have a router with access lists in place to allow communications only with a TCP proxy server on the same segment. There is another router on this segment with filters in place also to allow communications only with the proxy server. Are there methods for implementing another filter(s) on both routers to allow SNMP management of the external router?

A—You can use the snmp-server access-list command to restrict SNMP traffic. You will, however, have to allow SNMP (UDP) traffic through.

Q—I have two devices: One device is 164.72.98.45 with a 9-bit mask, and the other device is 192.186.14.97 with a 12-bit mask. I want to allow only TCP connections on ports 5000 and 5020 between two devices through serial 0 of router A. One of the access list statements will be:

    access-list 110 permit tcp 192.168.14.97 <mask>    164.72.98.45    <mask> eq 5000 

My question concerns the mask portion. For the 192.168.14.97, do I use a mask of 0.0.0.240, 0.0.0.15, or 255.255.255.240? And for the 164.72.98.45, do I use a mask of 255.255.255.128, 0.0.0.128, or 0.0.0.127?

A—If you want to permit only these two devices to talk to each other, use the mask 0.0.0.0 on both. The 0’s in an access list mean that you do not want to deal with any portion of the address. The 255’s mean that you don’t care what is in a particular position in the address. The mask here is not used like the mask defined on the interface for the subnet mask portion.

Q—I’m using the access-list nnn deny ip any any log command to track potential break-ins. This works fine in Cisco IOS 10.3, but it does not work in 10.2(11). Is there another way to do the same thing in Cisco IOS 10.2?

A—No, not in 10.2. You need to upgrade your Cisco IOS.

Q—Can access list wildcards be used both front and back (like *TOR*)? What level of Cisco IOS is required? I would like to filter all NetBIOS broadcasts except when the name contains a certain string, as in permit *TOR*. Is this possible?

A—Yes. The following steps show you how to configure NetBIOS access filters using station names.

1.  Assign the station access list name (note that there is an implicit DENY ALL after the permit statement):

    netbios access-list host DEVICE permit *TOR*     ^^^^^     wildcard 

2.  Specify the direction of the message to be filtered on the interface:

    netbios input\output-access-filter host DEVICE 

Here is a configuration example:

    !    hostname ROUTER    !    netbios access-list host DEVICE permit *TOR*    !    interface TokenRing0    ip address 10.10.10.1 255.255.255.0    ring-speed 16    source-bridge 2 1 2000    source-bridge spanning    netbios input-access-filter host DEVICE    ! 

Q—How can I build a firewall with my Cisco router?

A—Complementing the Cisco PIX™ Firewall, the Cisco Internetwork Operating System (Cisco IOS™) software, too, can be configured as a potent firewall. You can combine extended IP access lists for packet filtering, several methods of user authentication, and Cisco’s lock-and-key security solution to provide a strong, secure perimeter between “trusted” and “untrusted” networks.
The router can be configured to log security violations to a UNIX host’s syslog facility. In Release 11.2 of Cisco IOS software, network managers can enable IP network-layer encryption and Network Address Translation (NAT) capability (a separately priced software option) in their router-based firewalls.
For more information on Cisco IOS security solutions, visit this Web site:

   http://www.cisco.com/ warp/customer/732/Security/index.html. 

Q—What other configuration options should I enable on the router to secure my network?

A—Some additional options and the commands that will help protect the router from unauthorized access include the following:

•  Disable proxy arp: no ip proxy-arp.

•  Disable IP source routing: no ip source-route.

•  Enable only required applications, such as the Domain Name Service (DNS), Simple Mail Transfer Protocol (SMTP), e-mail, outgoing Web client traffic, outgoing File Transfer Protocol (FTP)—for which passive (PASV) mode is most secure—and outgoing Telnet.

•  Encrypt router passwords (service password-encryption) and encrypt the enable password with an MD5 hashing algorithm (enable secret password).

•  Apply access lists and passwords to virtual terminal (VTY) ports.

•  Enable route authentication in supported routing protocols.

Q—Does Cisco support Kerberos?

A—Cisco has announced plans to support Kerberos but has not announced specific products or time frames. Here is an excerpt from the Cisco IOS Security Architecture article:

Kerberos is a secret-key network authentication system developed at Massachusetts Institute of Technology (MIT) that uses the Data Encryption Standard (DES) cryptographic algorithm for encryption and authentication. Kerberos was designed to authenticate requests for network resources. Kerberos, like other secret-key systems, requires trust in a third party; in this case, the Kerberos server. Cisco will integrate the client portion of Kerberos within the Cisco IOS in Cisco access servers.

Q—Which IP address space is reserved for secure networks (full internal connectivity, but outside connections from corporate only through firewall proxy or router)?

A—RFC 1597: Address Allocation for Private Internets (http://ds.internic.net/rfc/rfc1597.txt) covers this subject. An excerpt from this RFC follows.

The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private networks:

•  10.0.0.0-10.255.255.255

•  172.16.0.0-172.31.255.255

•  192.168.0.0-192.168.255.255

The first block is referred to as “24-bit block,” the second as “20-bit block,” and the third as “16-bit block.” Note that the first block is nothing but a single class A network number, the second block is a set of 16 contiguous class B network numbers, and third block is a set of 255 contiguous class C network numbers.

Q—When setting up a router as a firewall (allowing only FTP traffic through), is there a way to log messages indicating failed attempts, what the server was connected to, and for how long?

A—The best way to log connection attempts to the router is to use TACACS+. You can use access list violation logging in Cisco IOS 10.3(3) or higher to see the access list information.

Q—Which version of Cisco IOS addresses the security issue of IP “spoofing?”

A—All versions of Cisco IOS address the “spoofing” problem. For details, see the Details on CERT Advisory Dated 1/23/95 (http://www.cisco.com/warp/customer/459/12.html) and CERT Advisory 95:01 Response technical tips (http://www.cisco.com/warp/customer/701/29.html).

Q—Is there a performance advantage when using the IP access list keyword established on an extended access list? Does using established make the access list more vulnerable? Do you have specific examples of the usage?

A—There is no performance advantage per se. The established keyword simply means that packets with the ACK or RST bits set are allowed through. To better understand access lists in general, read Increasing Security on IP Networks (http://www.cisco.com/warp/customer/701/31.html). There are many examples there.

Q—What TCP port numbers are required for FTP?

A—FTP data is port 20, and FTP control is port 21. If you are trying to set up an access list, keep in mind that port 21 is the source port from the FTP server when it tries to establish the data connection back to the client. The destination port is a high-numbered port greater than 1023.

Q—Can I apply IP filters (access list in Cisco IOS 10.3.4) so that multiple (adjacent) class C nets are covered in one command (similar to class B)? Or do I have to specify each class C individually?

A—A mask can be specified to include multiple class C nets. For example:

    access-list 1 permit 192.198.48.0 0.0.15.255    access-list 1 deny 0.0.0.0 255.255.255.255 

This access list permits addresses from a range of class C nets that start with 192.198.48.0-192.198.63.0.

Q—How do you interpret the command access-list permit 130.10.8.0 0.0.7.255?

A—First, you need to add a unique number between 1 and 99 after access-list and before permit. Then, when applied to something, the list will permit packets with a source address from 130.10.8.0-130.10.15.255 and deny all others.

Q—My HTTPD program is set up to use port 80, and I want to limit accessing it from my network only. Will the following IP access list accomplish this without limiting other access, such as FTP, if I use it on my Internet serial connection: access-list 102 deny 80 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255?

A—There is an implicit deny all at the end of every access list. The access list is checked in the order of the statements, and if the first “true-condition” occurs, it is left in place. So you have to configure a permit of any-to-any at the end of your list. It would look something like this:

    access-list 102 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0    255.255.255.255 EQ 80    access-list 102 permit ip 0.0.0.0 255.255.255.255 0.0.0.0    255.255.255.255 

Q—How do I properly set the anti-spoofing filters in Cisco IOS 9.21(7)?

A—See the information on CCO about the CERT Advisory Dated 1/23/95 (http://www.cisco.com/warp/customer/69/12.html). The defense is to set up your Internet firewall router to deny packets from outside your network that claim to have a source address inside your network. An example configuration follows:

    access-list 101 deny 131.108.0.0 0.0.255.255 0.0.0.0    255.255.255.255    access-list 101 deny 198.92.93.0 0.0.0.255 0.0.0.0    255.255.255.255 

Repeat the preceding commands, where access-list 101 describes all possible source addresses on your network. The preceding example describes a network with internal source addresses of 131.108.x.x and 198.92.93.x. Then, for a router running 9.21 or later, continue with this command:

    interface serial 0    description interface facing the Internet    ip access-group 101 in 

If you do not have 9.21, an upgrade is not required if your Internet firewall is a two-port router (which it should be). Simply apply the access-list 101 command (as previously demonstrated) to the LAN interface and not the serial interface, as shown in the following example:

    interface ethernet 0    description LAN port on my internet router    ip access-group 101 

The essence of this defense is that any packets coming from the Internet that claim to be from your network are thrown out, which prevents this type of attack.
Also, for good measure, all Internet firewalls should have the global command no ip source-routing. You can also see Increasing Security on IP Networks (http://www.cisco.com/warp/customer/701/31.html) for more information about firewalling your network.

Q—How is CHAP security implemented with your products? When a user dials into a Cisco access server, does the access server make a call of some kind to a separate CHAP server, which then sends a random challenge to the remote users who must activate a software key or hand-held device to authenticate themselves?

A—The CHAP password for each user must be configured on the Cisco 2511 using the USERNAME command (the password must be the same on both the 2511 and the remote device). When the user dials in, the 2511 challenges the user for the password. For a full description, see Configuring DDR (http://www.cisco.com/univ-src/ccden/data/doc/software/11_0/ rpcg/cddr.htm) in the Router Products Configuration Guide.

Q—Does Cisco support encryption?

A—Yes, refer to the following documents on CCO for more information.

•  Cisco Network Encryption Services (http://www.cisco.com/warp/ public/732/Security/ncryp_tc.htm)

•  Cisco IOS Software (http://www.cisco.com/univercd/data/ doc/cintrnet/prod_cat/79999.htm)

•  Cisco IOS Security Architecture (http://www.cisco.com/warp/ public/732/Security/ossec_wp.htm)

Q—Cisco routers support the IP packet security types 130 and 133, which are for Basic and Extended IP security options (IPSO). However, if a router sees a packet with a different type number (assuming IPSO has not been configured), will the router forward the packet, or will it drop it and generate an ICMP error?

A—If the router is not configured for IPSO, it forwards the packet. If the router is configured for IPSO, it drops the packet.

Q—How can I provide ICMP packets to transmit and receive to a specific internal IP address via the Internet without compromising security to our internal network?

A—You can set up an access list permitting only ICMP from that specific host through to your internal network.

Q—I have a question regarding Novell IPX and routing via ISDN when using snapshot routing. I have one server and some workstations on one side, and a lot of servers on the other. When the one server has received its SAP update, it keeps the line up by sending Novell Security Packets to the other servers. Is there a way to keep it from doing this?

A—You have to make sure that the security packets are not part of the interesting packets in the dialer list. Depending on what you want to do on the line, I would set up the dialer list on a permit basis. If, for example, you just enable NCP to do file copies or REMOTE CONSOLE and so on, you definitely have to exclude the security packets.

Q—I need to know how to define an extended access list that will allow my users to access the Internet (using Netscape and Gopher) but keep intruders out. I am using Cisco 2513 with IOS v10.0(2).

A—In general, you are asking about the established keyword, which can be defined within an access list to permit two-way communication with an Internet host if (and only if) the session was started on your side of the firewall. However, security and firewalling are big issues. Please look at Increasing Security on IP Networks (http://www.cisco.com/warp/ customer/590/3.html) for more details on securing your firewall.