UNCLASSIFIED   Implementing Security on Cisco Routers   Version 1.0g   UNCLASSIFIED   99

    South(config)# access-list 55 deny 14.2.10.0 0.0.0.255
    South(config)# access-list 55 permit any
    South(config)# router rip
    South(config-router)# distribute-list 55 out
    South(config-router)# end
    South#

The examples above essentially accomplish the same task: hosts on the 14.2.10.0 network are prevented from reaching the Internet. However, the three filters also have different side effects. With the first filter, hosts on the 14.2.10.0 network can still communicate with hosts on the 14.1.0.0 network if the hosts on the latter network use Central, instead of North, as their default gateway. This is because, while Central is not advertising a route to the 14.2.10.0 network (so North never learns that route), Central still has the route in its own table. The second and third filters fix the problem seen with the first filter, but a similar problem arises: hosts on the 14.2.10.0 network can connect to hosts on the 14.2.9.0 network if the hosts on the latter network use South, instead of Central, as their default gateway. This is because either Central filters the routes it receives (second filter) or South filters the routes it advertises (third filter); in either case, South still holds a route to the 14.2.10.0 network because it is directly connected to it. Ultimately, the easiest way to prevent hosts on the 14.2.10.0 network from communicating with hosts on any other subnet is simply to turn off interface Ethernet0/1 on South.

Migrating from RIP to OSPF: Security issues and concerns

Although RIP has withstood the test of time and proven itself to be a reliable routing protocol, OSPF is the superior routing protocol. Both protocols are supported by virtually every routing vendor, so using either of them in preference to others such as IS-IS, IGRP, or EIGRP is recommended.
However, if using RIP is not an essential requirement, then migrating to OSPF is the recommended solution. While both protocols support authentication, OSPF offers better convergence times, and using OSPF reduces the likelihood of accidentally sending out OSPF packets on an unintended interface. How to migrate is beyond the scope of this document; see [2] for detailed directions. However, an important step to remember is to remove RIP once OSPF has been enabled. Failure to do so will not cause a routing failure, but an attacker could then take advantage of RIP to insert a malicious route into the routing table. The following example illustrates how to turn off RIP on both example routers.

    Central# config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Central(config)# no router rip
    Central(config)# end
    Central#
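As an added example (not part of this guide), the following Python script audits a saved IOS configuration for the leftover-RIP condition the paragraph above warns about: it flags a router rip section that is still present once router ospf has been enabled, and additionally flags any RIP distribute-list that refers to an access-list the configuration never defines. The sample configuration is constructed for the example, modelled on the Central router, and is not from a real device.

```python
import re

# Constructed sample running-config, modelled on the guide's Central router
# after OSPF was enabled but before 'no router rip' was issued (not a real device).
SAMPLE_CONFIG = """\
router ospf 1
 network 14.0.0.0 0.255.255.255 area 0
!
router rip
 network 14.0.0.0
 distribute-list 55 out
!
access-list 55 deny 14.2.10.0 0.0.0.255
access-list 55 permit any
"""

def parse_sections(config):
    """Map each top-level IOS config line to the indented lines beneath it."""
    sections = {}
    current = None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        elif line and not line.startswith("!"):
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def audit_routing(config):
    """Flag RIP left running beside OSPF and distribute-lists naming undefined ACLs."""
    sections = parse_sections(config)
    findings = []
    has_ospf = any(h.startswith("router ospf") for h in sections)
    rip_lines = sections.get("router rip")
    if rip_lines is not None and has_ospf:
        findings.append("RIP still enabled alongside OSPF; remove it with 'no router rip'")
    # Collect numbered ('access-list 55 ...') and named ('ip access-list standard X') ACLs.
    acls = set()
    for header in sections:
        m = re.match(r"(?:ip )?access-list (?:standard |extended )?(\S+)", header)
        if m:
            acls.add(m.group(1))
    for line in rip_lines or []:
        m = re.match(r"distribute-list (\S+) (?:in|out)", line)
        if m and m.group(1) not in acls:
            findings.append(f"distribute-list {m.group(1)} references an undefined access-list")
    return findings

if __name__ == "__main__":
    for finding in audit_routing(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of `show running-config` saved to a file; an empty result after `no router rip` confirms the migration step was completed.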