Ayman Roy

asked on

Security and Encryption across WAN Links

Hello,

I have a Nexus 7000 which is connected via Infinet WL to 4 sites as point-to-point links. Now I need to secure and encrypt the data across the WAN links. Is it better to use OSPF authentication, and is this enough?
Craig Beck

OSPF authentication won't encrypt anything - it will only check that devices trying to exchange OSPF information are allowed to do so.

You need to use IPsec, for example.
And it depends on whether your Infinet WL is an Internet or a private network.
If Infinet WL is a private network, then encryption only adds additional security.

If Infinet WL is an Internet network, then of course IPsec, MPPE, SSTP would be the recommended solution.

The Nexus 7000 is a switch and it doesn't have VPN capability. You need an additional facility to encrypt such traffic.
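Since the Nexus 7000 cannot terminate the tunnel itself, the encryption has to be done on a router (or firewall) placed between the Nexus and the Infinet WL link. The following is an added example, not part of the answer above and not taken from any Cisco document, of a static IPsec VTI on a Cisco IOS router using IKEv2 with AES-256 and SHA-256. The interface names, the addresses (192.0.2.x on the WAN side, 10.255.x.x inside the tunnel), the peer name SITE1 and the pre-shared key placeholders are assumptions for illustration only; repeat the Tunnel/keyring entries once per remote site.

```cisco
! Hub WAN-edge router (Cisco IOS 15.x) - one VTI per remote site
! IKEv2: how the two routers authenticate each other and agree keys
crypto ikev2 proposal WAN-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy WAN-POL
 proposal WAN-PROP
!
! Pre-shared keys per peer (placeholders); PKI/certificates would replace this
crypto ikev2 keyring WAN-KEYS
 peer SITE1
  address 192.0.2.2
  pre-shared-key local <hub-psk>
  pre-shared-key remote <site1-psk>
!
crypto ikev2 profile WAN-PROFILE
 match identity remote address 192.0.2.2 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local WAN-KEYS
!
! IPsec: what actually protects the data packets on the wire
crypto ipsec transform-set WAN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile WAN-IPSEC
 set transform-set WAN-TS
 set ikev2-profile WAN-PROFILE
!
! Physical interface facing the Infinet WL point-to-point link
interface GigabitEthernet0/0
 description Infinet WL toward site 1
 ip address 192.0.2.1 255.255.255.252
!
! Routed tunnel: everything forwarded into Tunnel1 is encrypted,
! so OSPF can run over it like over any other interface
interface Tunnel1
 description IPsec VTI to site 1
 ip address 10.255.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile WAN-IPSEC
```

The remote site mirrors this with the addresses swapped. The Nexus then peers with the hub router over an ordinary routed link, and the routing protocol's job (peer authentication) stays separate from the tunnel's job (confidentiality and integrity of the payload). Verify with `show crypto ikev2 sa` and `show crypto ipsec sa`, and confirm that traffic counters on Tunnel1 increase while the physical interface shows only ESP.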
btan

Good to check Cisco SAFE, specifically on protecting the WAN in practice. OSPF or EIGRP auth does not encrypt, as all have mentioned, and confidentiality is via VPN at a minimum. Please see:
A sample implementation of secure routing in the Internet WAN edge module is shown below and it integrates the SAFE guidelines to:
•Authenticate all routing peers.
•Only distribute the hub IP address out of the external routing domain. This is a loopback interface that is common across the hub devices.
•Disable routing on all interfaces by default.
•Explicitly enable the internal routing domain on interfaces to the WAN edge distribution switches and the VPN tunnels.
•Explicitly enable the external routing domain on interfaces to the private WAN.
•Only permit distribution into the internal routing domain of the branch subnets advertised from the tunnel interfaces.
•Enable neighbor logging on all routing domains.

The recommendation for secure WAN connectivity in the WAN edge includes the following:

•VPN for traffic isolation over the WAN
There are a number of VPN options and the choice will vary based on specific customer requirements. DMVPN, for instance, offers support for VPN over both a private WAN and the Internet, as well as multicast and dynamic routing. Consequently, DMVPN can be integrated to enable a common VPN implementation if both these WAN types are deployed at remote sites.

•Public Key Infrastructure (PKI) for strong tunnel authentication
PKI provides secure, scalable, and manageable authentication that is critical to large-scale VPN deployments. PKI also features the dynamic renewal and revocation of certificates that enables the dynamic commissioning and decommissioning of branches with ease.

•Advanced Encryption Standard (AES) for strong encryption
Data over the Internet is vulnerable to sniffing; therefore, encryption is critical to data confidentiality and integrity. Data over a private WAN can also be encrypted for maximum security or for compliance reasons.
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg/chap7.html#wp1053011

Pointers in general for hardening as well:
- Available for BGP, IS-IS, OSPF, RIPv2 and EIGRP. Use MD5 authentication (not really as good, but that is what they offer) rather than insecure plain-text authentication. To function properly, neighbor authentication must be enabled on both ends of the routing session.

- Use the passive-interface default command when enabling routing on network ranges matching a large number of interfaces. This allows you to selectively enable the propagation of routing updates over the interfaces that are expected to be part of the routing process. In RIP and IGRP, the passive-interface command stops the router from sending updates on the selected interface, but the router continues listening to and processing updates received from neighbors on that interface. In EIGRP and OSPF, the passive-interface command prevents neighbor sessions from being established on the selected interface. This not only stops routing updates from being advertised, but also suppresses incoming routing updates.

- Logging the status changes of neighbor sessions is a good practice that helps identify such problems and facilitates troubleshooting. In most routing protocols, status change message logging is enabled by default. By default, EIGRP and OSPF log status changes.
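Pulling the three pointers above together on the Nexus side: this is an added example, not from the Cisco SAFE guide and not part of the answer above, of an NX-OS OSPF configuration that authenticates peers with MD5, disables routing on every interface by default, and logs neighbor state changes. The process tag WAN, router ID 10.0.0.1, interface Ethernet1/1, the 10.255.0.0/30 link address and the key placeholder are assumptions for illustration; the same key must be configured on the router at the other end of each link.

```cisco
! Nexus 7000 (NX-OS) - OSPF hardening on the links toward the WAN edge
feature ospf
!
router ospf WAN
 router-id 10.0.0.1
 ! Log every adjacency up/down with the reason, so a peer that
 ! fails authentication or a link that flaps shows up in syslog
 log-adjacency-changes detail
 ! No interface forms adjacencies or sends hellos unless
 ! explicitly opted in below (suppresses both outbound and inbound)
 passive-interface default
!
! Only this interface is allowed to peer, and only with MD5 authentication;
! plain-text ("simple") authentication would expose the key on the wire
interface Ethernet1/1
 description Toward WAN-edge router (IPsec tunnels behind it)
 no switchport
 ip address 10.255.0.1/30
 ip router ospf WAN area 0.0.0.0
 no ip ospf passive-interface
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <shared-key>
 no shutdown
```

Check the result with `show ip ospf interface Ethernet1/1` (it should report message-digest authentication and not be passive) and `show ip ospf neighbors`; any interface that was not explicitly un-passived must show no neighbors. Remember that this only proves the peer knows the key: the OSPF packets, and all user traffic on the link, are still readable to anyone tapping the Infinet WL circuit unless they also traverse the IPsec tunnel.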

ASKER

Do you have any IPsec example from Cisco that matches my case?
ASKER CERTIFIED SOLUTION
btan
