Environments with the BGP protocol.
In addition to the security measures listed in the posts on static routing security, you can enhance the security of the OSPF protocol by using the following tools:
authentication;
filters for external routes on the autonomous system's edge routers.
Authentication.
By default, the router interfaces involved in the OSPF exchange are configured to send the simple password "12345678" in OSPF Hello messages. The password helps prevent unauthorized OSPF routers on the network from modifying OSPF data. However, the password is sent in plain text: any user with a network listening device, such as a sniffer, can intercept OSPF Hello messages and view the passwords contained in them.
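The following audit helper is an added example, not code from the original post. It reads the 24-byte OSPFv2 common header (layout per RFC 2328) and reports which routers still use simple password authentication, and whether the 8-byte field holds the default value quoted above. The function names and the sample packets are constructed for illustration.

```python
import struct

# OSPFv2 common header (RFC 2328, A.3.1), 24 bytes:
# version, type, length, router ID, area ID, checksum, AuType, 8-byte auth field
OSPF_HEADER = struct.Struct("!BBH4s4sHH8s")
AUTH_TYPES = {0: "null", 1: "simple password", 2: "cryptographic"}
DEFAULT_PASSWORD = b"12345678"  # default value quoted in the text above


def dotted(raw):
    """Render a 4-byte router or area ID in dotted-decimal form."""
    return ".".join(str(b) for b in raw)


def audit_ospf_header(packet):
    """Return a finding for one OSPFv2 packet (bytes starting at the OSPF header)."""
    if len(packet) < OSPF_HEADER.size:
        raise ValueError("truncated OSPF header")
    version, ptype, _length, rid, area, _cksum, autype, auth = OSPF_HEADER.unpack_from(packet)
    if version != 2:
        raise ValueError("not an OSPFv2 packet")
    simple = autype == 1  # AuType 1: the auth field is the password itself, in clear text
    return {
        "router_id": dotted(rid),
        "area": dotted(area),
        "is_hello": ptype == 1,
        "auth": AUTH_TYPES.get(autype, "unknown"),
        "cleartext_secret": simple,
        # The password is never echoed; only a match against the known default is reported.
        "default_password": simple and auth.rstrip(b"\x00") == DEFAULT_PASSWORD,
    }


def build_sample(autype, auth):
    """Constructed sample: header-only Hello from router 10.0.0.1 in area 0.0.0.0."""
    return OSPF_HEADER.pack(2, 1, 24, bytes([10, 0, 0, 1]), bytes(4), 0,
                            autype, auth.ljust(8, b"\x00"))


SAMPLES = [
    build_sample(1, b"12345678"),                        # default simple password
    build_sample(1, b"s3cr3t"),                          # custom, but still clear text
    build_sample(2, bytes([0, 0, 1, 16, 0, 0, 0, 42])),  # key ID 1, 16-byte digest, seq 42
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(audit_ospf_header(pkt))
```

Only the first sample is flagged for the default password, but the second is also reported as a clear-text secret; only the AuType 2 packet keeps the key off the wire.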
Filters for external routes on the autonomous system's edge routers.
To prevent unwanted routes obtained from external sources, such as RIP routes or static routes, from entering the autonomous OSPF system, route filters can be configured on the autonomous system's edge routers. Route filters can reject either all routes that match a given list, or all routes that do not match this list.
Protection against flooding by LSA packets.
An attacker may try to flood an OSPF router with link-state advertisement (LSA) messages. These messages come in various types. By sending them in large numbers, the attacker can cause the router to slow down or even fail completely.
Depending on the type of network, there are two ways to protect against LSA flooding. On broadcast, nonbroadcast, and point-to-point networks, OSPF flooding can be blocked on an interface.
In point-to-multipoint networks, you can block flooding for certain neighbors.
Here are examples for both cases:
Blocking for
interface ethernet 0
ospf database-filter all out
Blocking for neighbor 1.2.3.4:
router ospf 109
neighbor 1.2.3.4 database-filter all out
The RIP and OSPF dynamic routing protocols are used only in local area networks. Global networks, because of their characteristics, use the BGP protocol. We'll look at it in more detail in the next post.
Oleg Petukhov, lawyer in the field of international law and personal data protection, information security specialist, protection of information and personal data.