Re: Router/Switch authentication in the network

On Dec 30, 7:27 pm, "stephen" <stephen_h...@xxxxxxxxxxxx> wrote:
"Trendkill" <jpma...@xxxxxxxxx> wrote in message

news:33a285ed-a161-43b0-a8a6-fd1748e96fb0@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

On Dec 30, 10:52 am, "Bartosz Gagat" <bl...@xxxxxxxxxxxxxx> wrote:
Tacacs+ server should help.
Regards
Bartosz Gagat

"Perdition" <nh...@xxxxxxxxxxx> wrote in message

news:e047f25b-f976-4765-810b-ff381190beb6@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Hey everyone :) I'm interested in implementing an authentication
scheme in my network for the network devices, other than using static
MAC addresses which aren't thought of as particularly secure. The idea
is something similar to Dot1X (certificates for example to
authenticate an end device) but for routers and switches so that an
attacker can't replace our router with his own since it would not be
an authenticated device in the network. The solution needn't
necessarily be based on something proprietary to Cisco.

The other posters have suggested some places to start, but lots of
organisations have issued "best practice" guides for this kind of thing - so
some Google searches will get you going.



Thanks a lot in advance,
Michael

He doesn't want authentication on the devices themselves, or at least
that is not what he has asked for. He is looking to stop a device
from coming onto the network without proper authentication, similar to
that of dot1x, to ensure that someone doesn't turn up a router that
influences traffic. To be honest, my first answer is to use
authentication on your routing protocols to ensure that a false router
cannot come online and begin participating in advertisements on the
network.

There are some Cisco best practice guides around for routers rather than
generic security - try http://www.nsa.gov/snac/downloads_cisco.cfm?MenuID=scg10.3.1

Securing routing: http://www.cisco.com/warp/public/cc/so/neso/vpn/prodlit/sfblp_wp.pdf

There is a really good ISP one somewhere written by Cisco - but I can't find
it online (but it was published as a book as well).

Additionally, secure your rooms with your network equipment to ensure
that your only risk is someone plugging in a router at their desk,
which would be worthless if you use auth on your routing protocols. I
do understand what you are asking for, but locking down every IP to a
MAC address or authentication mechanism is not practical in most
scenarios (although I'm not doubting that you may really need this
setup). I would encourage you to protect from major gaps or risks,
while not going crazy and making a network that is too needy to manage
efficiently. If you lock down your network rooms, use authentication
like TACACS for your devices, and use authentication on your routing
protocols, you should protect yourself from the majority of risks.
That isn't to say someone can't do a man-in-the-middle attack and
spoof your router's IP to sniff traffic, but at least it will not be
manipulating the core of your network routing/switching wise.

This may be putting the cart before the horse, as at some point you will find
you need to compromise cost against hassle and operational support etc.

At that point you need to decide which things you will do first / only - and
you need to decide which things work well for you.

The mantra from a security expert starts with "what is your security
policy" - before you start deciding what to do it is a good idea to
decide why and how much ....
--
Regards

stephen_h...@xxxxxxxxxxxx - replace xyz with ntl

Thanks for the quick responses :) I went over the majority of the best
practice guides you've suggested. My network devices are secure behind
strong lockers and MD5 authentication will likely be used between
routers. BTSH for OSPF/EIGRP would have been great if it were
available, but all in all the routers and switches are physically
secure with routing updates being authenticated. The unresolved issue
being addressed is if someone wants to add a switch or router to the
network edge, or possibly the core (even though it's far less likely).
For example our team has been given a scenario of someone trying to
get by Dot1x authentication by connecting a simple switch at the user
port where the supplicant was, and connecting the supplicant to that
simple switch along with an attacker's host. It is suggested that
under this scenario the dot1x will be foiled since the supplicant will
be validated by the authenticating switch and afterwards both the
supplicant and the attacker computer will have access to the network
since Dot1x isn't point to point. That is an example why
authentication of the network device itself is a solution I'm looking
into.

Would the scenario I mentioned really allow the attacker's computer to
gain access to the network?

The security aspects of the network are a top priority. I'd prefer to
not map static MACs to each switch and router if other mechanisms can
properly secure the network, since spoofing MACs is two lines of work
on any *nix system and a simple matter of freeware for Windows
systems. If routing authentication, physical security, dot1x,
firewalls between VLANs, and strongly encrypted VPNs between networks
are enough to be considered world class security, then that's great to
hear. By the way, this is a single private autonomous system; no BGP is
necessary.

Again thanks for your input :)
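Editor's added worked example (not code from any poster in this thread): what the "MD5 authentication between routers" that Trendkill recommends and Michael plans to use actually does on the wire for OSPFv2, per RFC 2328 Appendix D. A legitimate neighbour signs a Hello with the shared key; the receiver then rejects a Hello from a rogue router that does not hold the key, a Hello whose Router Priority was modified in transit, and a replay of an earlier Hello whose cryptographic sequence number is older than the last one accepted. Router IDs, area, key and sequence numbers are constructed sample values.

```python
"""OSPFv2 cryptographic (MD5) authentication as specified in RFC 2328, Appendix D.

Added illustration for the thread, not code from any poster.  Router IDs, the
area, the key and the sequence numbers below are constructed sample values.
"""
import hashlib
import hmac
import socket
import struct

OSPF_VERSION = 2
TYPE_HELLO = 1
AUTH_CRYPTOGRAPHIC = 2          # AuType 2 = cryptographic authentication
HEADER_LEN = 24
DIGEST_LEN = 16
# version, type, packet length, router id, area id, checksum, autype, authentication
HEADER_FMT = "!BBH4s4sHH8s"


def _ip(addr: str) -> bytes:
    return socket.inet_aton(addr)


def _pad_key(key: bytes) -> bytes:
    """RFC 2328 D.4.3: the key is conceptually 16 bytes; shorter keys are
    padded with trailing zeros, longer keys are not allowed."""
    if len(key) > 16:
        raise ValueError("OSPF MD5 key is at most 16 bytes")
    return key.ljust(16, b"\x00")


def hello_body(netmask: str, hello=10, dead=40, priority=1,
               dr="0.0.0.0", bdr="0.0.0.0", neighbors=()) -> bytes:
    """Hello body (RFC 2328 A.3.2): mask, hello interval, options (E bit),
    router priority, dead interval, DR, BDR, then one router id per neighbour."""
    body = struct.pack("!4sHBBI4s4s", _ip(netmask), hello, 0x02, priority,
                       dead, _ip(dr), _ip(bdr))
    return body + b"".join(_ip(n) for n in neighbors)


def sign_packet(router_id: str, area_id: str, body: bytes,
                key: bytes, key_id: int, seq: int) -> bytes:
    """Build an authenticated packet (RFC 2328 D.4.3): the 64-bit authentication
    field carries Key ID, digest length and the cryptographic sequence number,
    the checksum is zero (not computed for AuType 2), and MD5(packet || padded
    key) is appended.  The header length field excludes the digest."""
    length = HEADER_LEN + len(body)
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    header = struct.pack(HEADER_FMT, OSPF_VERSION, TYPE_HELLO, length,
                         _ip(router_id), _ip(area_id), 0, AUTH_CRYPTOGRAPHIC, auth)
    packet = header + body
    digest = hashlib.md5(packet + _pad_key(key)).digest()
    return packet + digest


def verify_packet(wire: bytes, keys: dict, last_seq: dict):
    """Receiver-side check.  keys maps Key ID -> key; last_seq maps neighbour
    router id -> last accepted sequence number (updated on success).
    Returns (accepted, reason)."""
    if len(wire) < HEADER_LEN + DIGEST_LEN:
        return False, "too short"
    (version, _ptype, length, rid, _aid, _csum,
     autype, auth) = struct.unpack(HEADER_FMT, wire[:HEADER_LEN])
    if version != OSPF_VERSION or autype != AUTH_CRYPTOGRAPHIC:
        return False, "not cryptographic auth"
    _zero, key_id, dlen, seq = struct.unpack("!HBBI", auth)
    if dlen != DIGEST_LEN or length + DIGEST_LEN != len(wire):
        return False, "length mismatch"
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id"
    expected = hashlib.md5(wire[:length] + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, wire[length:]):
        return False, "bad digest"          # wrong key, or packet modified in transit
    router = socket.inet_ntoa(rid)
    # RFC 2328 D.3: accept only if seq >= last accepted from this neighbour.
    # Equal values are allowed (several packets per second), so a replay that
    # reuses the current sequence value is NOT caught by this check.
    if seq < last_seq.get(router, 0):
        return False, "replay"
    last_seq[router] = seq
    return True, "accepted"


def demo() -> list:
    """Hellos from a legitimate neighbour (10.0.0.1) and a rogue router that
    claims the same router id but does not hold the key."""
    keys = {1: b"r0ut1ng-s3cr3t"}          # constructed shared key, Key ID 1
    state = {}                              # per-neighbour last accepted sequence
    body = hello_body("255.255.255.0", neighbors=["10.0.0.2"])

    legit = sign_packet("10.0.0.1", "0.0.0.0", body, keys[1], 1, seq=1000)
    rogue = sign_packet("10.0.0.1", "0.0.0.0", body, b"guess", 1, seq=1001)
    tampered = bytearray(legit)
    tampered[HEADER_LEN + 7] = 255           # raise Router Priority to win the DR election
    later = sign_packet("10.0.0.1", "0.0.0.0", body, keys[1], 1, seq=1005)

    results = []
    for pkt in (legit, rogue, bytes(tampered), later, legit):
        results.append(verify_packet(pkt, keys, state)[1])
    return results


if __name__ == "__main__":
    print(demo())   # ['accepted', 'bad digest', 'bad digest', 'accepted', 'replay']
```

On Cisco IOS this AuType 2 scheme is what `ip ospf message-digest-key <id> md5 <key>` together with `area <n> authentication message-digest` switches on (EIGRP uses its own key-chain MD5 scheme, not shown here). The example shows what it buys, namely that a router without the key cannot join the adjacency or alter advertisements, and what it does not: the digest is a plain keyed hash with no confidentiality, so a rogue device on the segment still sees every update, which is Trendkill's caveat about sniffing; and because equal sequence numbers are accepted, the replay check only catches packets older than the current one.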