Eavesdropping

Eavesdropping, using packet-sniffing tools, allows attackers to read transmitted information, including logon information and database contents. Eavesdropping can yield information, such as credit card information, which can be used in later transactions, damaging both the customer and the business that allowed the breach.

A related problem involves eavesdropping and session replay, in which the attacker retransmits the captured data, such as a session logon sequence, to gain access to network resources.

Router Solutions

If you’re using a dynamic routing protocol that supports authentication, a good idea is to enable that authentication. This prevents some malicious attacks on the routing infrastructure and it can also help to prevent damage caused by misconfigured “rogue” network devices.

Configuring Authentication Example

Many routing protocols support authentication and the commands vary somewhat, but the following example demonstrates the feature using RIP version 2.

RIP version 1 doesn’t support authentication, but RIP version 2 allows RIP authentication on a per-interface basis. RIP supports two modes of authentication: plaintext authentication and MD5 authentication. The default is plaintext authentication. Don’t use plaintext authentication for security purposes because the unencrypted authentication key is sent in every RIP version 2 packet. Interfaces on both sides of the link must be configured for MD5 authentication using the same key number and key string.

The key chain determines the set of keys that can be used on the interface. If a key chain isn’t configured, no authentication is performed on that interface, not even the default authentication.

The following commands configure RIP authentication. The first three are configured in Global Configuration mode and the last two are in Interface Configuration mode.

Command                                    Purpose
-----------------------------------------  ------------------------------------------------------------------------
key chain name                             Names a key chain. Could contain more than one key for added security.
key number                                 Defines the first key in the key chain.
key-string string                          Defines the key value; must be identical on both ends of the link.
ip rip authentication key-chain name       Enables RIP authentication.
ip rip authentication mode {text | md5}    Uses MD5 digest authentication (or defaults to plain text authentication).

Rtr1:
key chain seattle
key 1
key-string 9631
!
interface Ethernet 0
 ip address 192.168.1.1 255.255.255.0
!
interface Serial 0
 ip address 192.168.2.1 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain seattle
!
router rip
 version 2
 network 192.168.1.0
 network 192.168.2.0

Rtr2:
key chain seattle
key 1
key-string 9631
!
interface Ethernet 0 
 ip address 192.168.3.1 255.255.255.0
!
interface Serial0 
 ip address 192.168.2.2 255.255.255.252 
 ip rip authentication mode md5
 ip rip authentication key-chain seattle
 clockrate 64000 
!
router rip 
 version 2 
 network 192.168.3.0 
 network 192.168.2.0

Verifying MD5 Authentication

With Rtr1 and Rtr2 configured as shown, all routing update exchanges are authenticated before being accepted. Verify this by observing the output of the debug ip rip command:

Rtr1#debug ip rip
RIP: received packet with MD5 authentication
RIP: received v2 update from 192.168.2.2 on Serial0
     192.168.3.1/24 via 0.0.0.0 in 1 hops

MD5 authentication uses the one-way MD5 hash algorithm, so the routing update doesn’t carry the actual password (key) for the purpose of authentication. Instead, a 128-bit message digest, generated by running the MD5 algorithm over the update together with the password, is sent along with the update for authentication. The recipient device runs the same hash using the key information configured and, assuming it generates the same 128-bit digest, the update will be accepted. MD5 hashing is covered in greater detail in Chapter 8.
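
The digest check described above, as an added example that is not part of the original text: a simplified Python model that contrasts what a sniffer sees in plaintext mode and in MD5 mode, and shows the receiver's accept/reject decision. It is not the exact RIP wire format; the function names and the sample update bytes are assumptions, and 9631 is the key-string from the configuration shown earlier.

```python
import hashlib
import hmac

KEY_LEN = 16     # assumption of this model: key padded/truncated to 16 bytes
DIGEST_LEN = 16  # MD5 output is 128 bits


def pad_key(key: bytes) -> bytes:
    return key[:KEY_LEN].ljust(KEY_LEN, b"\x00")


def build_text_mode(update: bytes, key: bytes) -> bytes:
    """Plaintext mode: the key itself rides in every packet."""
    return update + pad_key(key)


def build_md5_mode(update: bytes, key: bytes) -> bytes:
    """MD5 mode: only the digest of update + key rides in the packet."""
    return update + hashlib.md5(update + pad_key(key)).digest()


def accept_md5(packet: bytes, configured_key: bytes) -> bool:
    """Receiver recomputes the digest with its own configured key."""
    if len(packet) <= DIGEST_LEN:
        return False
    update, received = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    expected = hashlib.md5(update + pad_key(configured_key)).digest()
    return hmac.compare_digest(received, expected)


# Constructed sample data: a stand-in for Rtr2's route update, not real RIP bytes.
SAMPLE_UPDATE = b"RIPv2 update: 192.168.3.0/24 metric 1"
SHARED_KEY = b"9631"  # key-string from the configuration on this page

if __name__ == "__main__":
    text_pkt = build_text_mode(SAMPLE_UPDATE, SHARED_KEY)
    md5_pkt = build_md5_mode(SAMPLE_UPDATE, SHARED_KEY)
    print("key visible to a sniffer, text mode:", SHARED_KEY in text_pkt)
    print("key visible to a sniffer, MD5 mode: ", SHARED_KEY in md5_pkt)
    print("matching key accepted:   ", accept_md5(md5_pkt, SHARED_KEY))
    print("mismatched key accepted: ", accept_md5(md5_pkt, b"9632"))
    altered = md5_pkt.replace(b"192.168.3.0", b"192.168.9.0")
    print("altered update accepted: ", accept_md5(altered, SHARED_KEY))
```

A mismatched key or a modified update both fail the same comparison, which is why the key number and key string must match on both ends of the link.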

Encryption and Tunneling

Data separation using tunneling technologies, such as generic routing encapsulation (GRE) or Layer 2 Tunneling Protocol (L2TP), provides effective data privacy. When privacy requirements call for the use of digital encryption technology, protocols such as IPSec provide the added protection when implementing VPNs. The IPSec and VPN chapters, 9 through 16 and 21, cover these features in detail.

Hub and Switch Issues

While less common than a few years ago, the shared media technology of hubs made them susceptible to sniffing attacks. All an intruder needed was access to any port in the collision domain and they could monitor all traffic. Just changing to switches reduced the threat because the only traffic visible on the port is traffic directed to the attached host or broadcasts.

Many switches support port monitoring or port spanning, which allows traffic from ports designated for capture to be copied to the port designated as the monitor port. The sniffer is attached to this port. Care should be taken to prevent port monitoring.



