UNCLASSIFIED
Implementing Security on Cisco Routers
Version 1.0g
South(config)# access-list 55 deny 14.2.10.0 0.0.0.255
South(config)# access-list 55 permit any
South(config)# router rip
South(config-router)# distribute-list 55 out
South(config-router)# end
South#
The examples above essentially accomplish the same task, that is, hosts from the
14.2.10.0 network are prevented from reaching the Internet. However, the three
different filters also have unusual side effects. Using the first filter, hosts on the
14.2.10.0 network can communicate with hosts on the 14.1.0.0 network if the hosts
on the latter network use Central, instead of North, as their default gateway. This is
because, while Central is not advertising a route to the 14.2.10.0 network, thereby
preventing North from learning that route, Central still has the route in its table.
The second and third filters fix the problem that was evident with the first filter.
However, a similar problem arises. Connections from hosts on the 14.2.10.0 network
can be made with hosts on the 14.2.9.0 network if the hosts on the latter network use
South, instead of Central, as their default gateway. This is because either Central is
filtering the routes it receives (second filter) or South filters the routes it advertises
(third filter). In either case, South still maintains a route to the 14.2.10.0 network
because it is directly connected to it.
Ultimately, the easiest way to prevent hosts on the 14.2.10.0 network from
communicating with hosts on any other subnets is to simply turn off interface
Ethernet0/1 on South.
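To make the side effects described above concrete, here is an added Python model (not part of this guide) of the three distribute-list placements and of the interface shutdown on South. It assumes the chain topology the text implies (North next to the Internet, Central in the middle, South holding 14.2.10.0), models the Internet as 0.0.0.0, and uses a simple synchronous update exchange in place of real RIP timers; the output lists the routers that still hold a route back to 14.2.10.0, which is exactly what decides whether a host using that router as its default gateway can still be reached.

```python
# Topology assumed from the text: North -- Central -- South, in a chain.
# North reaches the Internet (modelled as 0.0.0.0) and 14.1.0.0; Central sits on
# 14.1.0.0 and 14.2.9.0; South sits on 14.2.9.0 and 14.2.10.0 (Ethernet0/1).
BLOCKED = "14.2.10.0"
LINKS = [("South", "Central"), ("Central", "North")]

def build(option):
    """Routers for one option: 1 = Central out, 2 = Central in, 3 = South out,
    "shutdown" = Ethernet0/1 on South turned off, None = no filter at all."""
    south_nets = {"14.2.9.0", BLOCKED}
    if option == "shutdown":   # shutting the interface removes the connected route
        south_nets.discard(BLOCKED)
    routers = {
        "North": {"table": {"0.0.0.0", "14.1.0.0"}, "out": set(), "in": set()},
        "Central": {"table": {"14.1.0.0", "14.2.9.0"}, "out": set(), "in": set()},
        "South": {"table": south_nets, "out": set(), "in": set()},
    }
    if option == 1:
        routers["Central"]["out"].add(BLOCKED)   # distribute-list ... out on Central
    elif option == 2:
        routers["Central"]["in"].add(BLOCKED)    # distribute-list ... in on Central
    elif option == 3:
        routers["South"]["out"].add(BLOCKED)     # distribute-list ... out on South
    return routers

def run_rip(routers, rounds=5):
    """Synchronous distance-vector exchange over every link until tables stop
    changing: 'out' networks are never advertised, 'in' networks never accepted."""
    for _ in range(rounds):
        updates = []
        for a, b in LINKS:
            for src, dst in ((a, b), (b, a)):
                advertised = routers[src]["table"] - routers[src]["out"]
                updates.append((dst, advertised - routers[dst]["in"]))
        changed = False
        for dst, nets in updates:
            before = len(routers[dst]["table"])
            routers[dst]["table"] |= nets
            changed |= len(routers[dst]["table"]) != before
        if not changed:
            break
    return routers

def routers_holding_blocked_route(option):
    """Routers that still hold a route back to 14.2.10.0, i.e. the default
    gateways through which hosts on that network can still be reached."""
    routers = run_rip(build(option))
    return sorted(name for name, r in routers.items() if BLOCKED in r["table"])

if __name__ == "__main__":
    for option in (None, 1, 2, 3, "shutdown"):
        print(option, routers_holding_blocked_route(option))
```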
Migrating from RIP to OSPF: Security issues and concerns
Although RIP has withstood the test of time and proven itself to be a reliable routing
protocol, OSPF is the superior routing protocol. Both protocols are supported by
virtually every routing vendor. Therefore, using either of these routing protocols over
others such as IS-IS, IGRP, or EIGRP is recommended.
However, if using RIP is not an essential requirement, then migrating to OSPF is the
recommended solution. While both protocols support authentication, OSPF offers
better convergence times, and using OSPF reduces the likelihood of accidentally
sending out OSPF packets on an unintended interface. How to migrate is beyond the
scope of this document; see [2] for detailed directions. However, an important step to
remember is to remove RIP after OSPF has been enabled. Failure to do so will not
cause a routing failure, but an attacker could then take advantage of RIP and insert a
malicious route into the routing table. The following example illustrates how to turn
off RIP on both example routers.
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# no router rip
Central(config)# end
Central#