Texas A&M Uses NetMRI
"NetMRI scores are helping me give feedback to the business people. It helps me justify what I'm spending money on because it gives them a visible score for the network, and I can be pretty confident that what it says about the network is true. Instead of...bits and bytes, I can talk about reliability, operator-caused errors, and I can give them additional functionality."
—Willis Marti, CISO
Network Analysis Tip: Configuring OSPF Authentication
Why is this important?
It is good network practice to use OSPF authentication to improve network reliability and security. Take the case where a corporate partner needs a connection into your network and, due to a configuration error within your network, the interface connecting to that router is set to run OSPF. Matching only a couple of incidental parameters would allow that router to inject routing information into your network. Since many sites use private addresses internally, the chance that some subnets overlap is pretty high, potentially creating what looks like a routing black hole (the packets for your subnet are routed to the corporate partner’s router).
On the security front, a router equipped with an unauthorized connection can be used to create a man-in-the-middle vulnerability where packets to a specific destination are forced through the rogue router.
Authentication of routing protocol exchanges helps to mitigate these threats.
OSPF authentication is pretty simple to configure. The Cisco IOS configuration fragment below shows the basic commands you need. Note the use of the interface subcommand options to enable authentication on the interface and within the OSPF area. This example is for one interface on one router. The same keyid and key (the number 1 and the text secret-password in the third line) must exist on all interfaces of all routers on the same subnet.
interface ethernet 0
 ip address 10.1.1.1 255.255.255.0
 ip ospf message-digest-key 1 md5 secret-password
router ospf 1
 network 10.1.1.1 0.0.0.0 area 0
 area 0 authentication message-digest
To verify that OSPF authentication is set on all router interfaces, you must check the configuration of each router.
NetMRI reports routers running OSPF without authentication enabled. In addition, NetMRI can be used to create a Configuration Policy Definition file to automatically check that the correct configuration has been implemented on the interfaces of each router.
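The per-router check described above can also be scripted against saved configurations. The Python below is an added example, not NetMRI's policy format or code from the original tip; the function name audit_ospf_auth and the SAMPLE configuration are constructed for illustration, and it handles only the Cisco IOS syntax shown on this page.

```python
from ipaddress import IPv4Address as IP
import re

# Constructed sample: Ethernet0 follows the page's fragment, the other two are gaps.
SAMPLE = """\
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip ospf message-digest-key 1 md5 secret-password
interface Ethernet1
 ip address 10.1.2.1 255.255.255.0
interface Serial0
 ip address 192.168.9.1 255.255.255.252
router ospf 1
 network 10.1.0.0 0.0.255.255 area 0
 network 192.168.9.0 0.0.0.3 area 1
 area 0 authentication message-digest
"""

def audit_ospf_auth(config):
    """Return findings for OSPF-enabled interfaces lacking MD5 authentication."""
    ifaces, ospf, current = {}, [], None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            current = ifaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith("router "):
            current = ospf if line.startswith("router ospf ") else None
        elif current is not None:
            current.append(line)              # subcommand of the current section
    networks = [m.groups() for l in ospf
                if (m := re.match(r"network (\S+) (\S+) area (\S+)$", l))]
    md5_areas = {m.group(1) for l in ospf
                 if (m := re.match(r"area (\S+) authentication message-digest$", l))}
    findings = []
    for name, cmds in ifaces.items():
        addr = next((int(IP(m.group(1))) for c in cmds
                     if (m := re.match(r"ip address (\d\S+) \S+$", c))), None)
        has_key = any(c.startswith("ip ospf message-digest-key ") for c in cmds)
        if_md5 = "ip ospf authentication message-digest" in cmds
        for net, wildcard, area in networks:
            # Wildcard bits set to 1 are "don't care"; compare only the other bits.
            if addr is None or (addr ^ int(IP(net))) & ~int(IP(wildcard)):
                continue                      # not covered by this network statement
            if not (if_md5 or area in md5_areas):
                findings.append(f"{name}: area {area} lacks message-digest authentication")
            elif not has_key:
                findings.append(f"{name}: no message-digest-key configured")
            break                             # report each interface once
    return findings
```

Area IDs are compared as written, so a configuration that mixes the forms 0 and 0.0.0.0 for the same area would need normalizing first.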
The configuration of OSPF authentication differs slightly between vendors. Check your vendor documentation for the correct syntax to use.
Cisco search: "Sample Configuration for Authentication in OSPF"
Cisco search: “Configuring OSPF Authentication on a Virtual Link”