UNCLASSIFIED Implementing Security on Cisco Routers Version 1.0g UNCLASSIFIED 87

address instead of the IP address to determine the final destination of a packet. For a detailed description of Proxy ARP, consult RFC 1027. However, because ARP offers no security, neither does Proxy ARP. The fundamental security weakness of ARP is that it was not designed to use any form of authentication. Anyone on a LAN segment can modify an entry in the ARP cache of a router that serves the segment. Therefore, if a host on the network does not use default gateways, but instead uses Proxy ARP to handle the routing, it is susceptible to bad or malicious routes. In any case, Proxy ARP is generally not used anymore, and it should be disabled. The following example illustrates how to do just that.

    Central# config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Central(config)# interface ethernet0/0
    Central(config-if)# no ip proxy-arp
    Central(config-if)# exit
    Central(config)# interface ethernet0/1
    Central(config-if)# no ip proxy-arp
    Central(config-if)# end
    Central#

4.4.3. Routing tables, static routes, and routing protocols

This section describes how to protect routers from some common routing hazards.

Router Neighbor Authentication

The primary purpose of router neighbor authentication is to protect the integrity of a routing domain. In this case, authentication occurs when two neighboring routers exchange routing information. Authentication ensures that the receiving router incorporates into its tables only the route information that the trusted sending router really intended to send. It prevents a legitimate router from accepting and then employing unauthorized, malicious, or accidental routing updates that would compromise the security of a network. Such a compromise might lead to re-routing of traffic, a denial of service, or simply giving access to certain packets of data to an unauthorized person.
OSPF Authentication

OSPF provides authentication to prevent routing attacks. Each router accomplishes authentication through the exchange of an authentication key: all routers connected to the same network segment use a shared secret key. Each sending router uses this key to sign each OSPF update message, and the receiving router checks the shared secret to determine whether the message should be accepted. OSPF uses two types of neighbor authentication: plaintext and message digest (MD5). Plaintext authentication uses a shared secret key known to all the routers on