
Recipe 22.9 Increasing HSRP Security

22.9.1 Problem

You want to increase the security of HSRP between two (or more) routers.

22.9.2 Solution

You can configure HSRP to use password authentication with the following commands:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#interface FastEthernet 0/1
Router1(config-if)#standby 1 ip 172.22.1.1 
Router1(config-if)#standby 1 priority 120
Router1(config-if)#standby 1 authentication OREILLY
Router1(config-if)#end
Router1#

You must configure the same authentication password on all routers within the same HSRP group, or the conflicts will prevent HSRP from working:

Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#interface FastEthernet 1/0
Router2(config-if)#standby 1 ip 172.22.1.1 
Router2(config-if)#standby 1 priority 110
Router2(config-if)#standby 1 authentication OREILLY
Router2(config-if)#end
Router2#

To prevent any other routers from becoming active, set the primary router's priority to the highest possible value, 255:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#interface FastEthernet 0/1
Router1(config-if)#standby 1 ip 172.22.1.1 
Router1(config-if)#standby 1 priority 255
Router1(config-if)#end
Router1#

Then you can configure the standby router to use a slightly lower priority number:

Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#interface FastEthernet 1/0
Router2(config-if)#standby 1 ip 172.22.1.1 
Router2(config-if)#standby 1 priority 254
Router2(config-if)#end
Router2#

This will help to ensure that no other routers that might be on this segment can take over because of an HSRP coup.

22.9.3 Discussion

HSRP is not a terribly secure protocol, even with the precautions shown in this recipe. This is usually not a problem, however, because most network engineers only use it on internal, trusted LAN segments.

HSRP has two main security-related problems. The first is simply caused by incorrect router configuration. It is possible to cause serious routing problems if more than one router is active, if no routers are active on a segment, or if the wrong router becomes active. The second potential security problem is that a hostile user can configure a device, such as another Cisco router, to take over as the HSRP active router. They might use this to capture and examine packets that they would not otherwise see in a switched LAN, route packets to a different network, or cause a simple DoS attack. However, because HSRP uses the locally scoped multicast address 224.0.0.2, with a TTL of 1, it is extremely unlikely that anybody could launch an effective HSRP attack if they were not physically connected to this LAN segment.

You can use HSRP authentication to help prevent misconfigured routers from becoming active on a production LAN. The routers send the authentication password through the network in unencrypted clear-text using IP multicast, so it is relatively easy for any device on the LAN segment to determine this password.

The following is an HSRP hello packet that was captured using Ethereal:

Cisco Hot Standby Router Protocol
    Version: 0
    Op Code: Hello (0)
    State: Active (16)
    Hellotime: Default (3)
    Holdtime: Default (10)
    Priority: 120
    Group: 1
    Reserved: 0
    Authentication Data: Non-Default (OREILLY)
    Virtual IP Address: 172.22.1.1

Note that all of the important HSRP information, including timers, priorities, the group number, and even the virtual IP address, is readily available to anybody who captures HSRP packets on her local LAN segment. This illustrates both how insecure HSRP is and how easy it would be to create a false HSRP device to maliciously disrupt LAN communication.

The biggest problem with HSRP authentication—and the reason why you may decide not to use it—appears when the passwords on two routers in the same group do not agree. The two routers have no particular way of knowing which password is correct, so they both assume that the other is wrong. This can cause both routers to become active, which is not at all desirable. This feature is obviously not a very good way to prevent a malicious user from taking over control of the gateway.

If HSRP routers in the same group are configured with different authentication passwords, you will see the following messages in their logs:

Jun 25 11:00:15: %STANDBY-3-BADAUTH: Bad authentication from 172.22.1.4, group 1, remote state Standby

Cisco's intention is that this feature should be used to prevent other routers from learning HSRP parameters, such as the virtual IP address and timer information. However, we don't generally advise using it to address real security requirements.

You can use the show standby command to verify your HSRP authentication information:

Router1#show standby
FastEthernet0/1 - Group 1
  Local state is Active, priority 120, may preempt
  Hellotime 1 sec, holdtime 3 sec
  Next hello sent in 0.754
  Virtual IP address is 172.22.1.1 configured
  Active router is local
  Standby router is 172.22.1.2 expires in 2.824
  Virtual mac address is 0000.0c07.ac01
  Authentication text "OREILLY"
  5 state changes, last state change 12:56:36
Router1#

The last example in the solution section to this recipe shows how to configure your router to avoid another type of attack. A rogue user could configure a router with a higher priority than the current active router. This would cause an HSRP coup, and the rogue router would be able to take over as the active router. This illegitimate router could then freely manipulate routing for this segment.

You can partially guard against this scenario by setting your primary router to the highest possible priority level. This should prevent a rogue router from forcing a priority election. However, recall that when two routers have the same HSRP priority, the one with the higher physical IP address will win the election. So, if you have good reason to be concerned about this type of attack, we recommend using the highest possible IP addresses on the segment for your physical IP addresses as well as the highest possible priorities.
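The following is an added example, not code from the Cisco Cookbook: it decodes the 20-byte HSRP v0 header shown in the Ethereal capture above, audits each hello against a constructed site policy (reproducing the password check behind %STANDBY-3-BADAUTH and adding the checks a router does not make, such as an unexpected speaker or a coup), and works out which physical router the priority-then-IP-address election rule would make active. The POLICY values, router addresses, and sample packets are assumptions constructed for the example.

```python
import ipaddress
import struct

# HSRP v0 header (RFC 2281): version, opcode, state, hellotime, holdtime,
# priority, group, reserved, 8-byte auth data, 4-byte virtual IP = 20 bytes.
HSRP_V0 = struct.Struct("!BBBBBBBB8s4s")
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}

# Constructed policy (assumed, not from the recipe): the group's password and
# virtual IP, plus the physical IP and priority of every router allowed to speak.
POLICY = {"group": 1, "vip": "172.22.1.1", "auth": "OREILLY",
          "routers": {"172.22.1.3": 255, "172.22.1.2": 254}}

def parse_hsrp(payload):
    """Decode the HSRP v0 header carried in a UDP/1985 payload."""
    if len(payload) < HSRP_V0.size:
        raise ValueError("truncated HSRP packet")
    ver, op, state, hello, hold, prio, group, _res, auth, vip = HSRP_V0.unpack_from(payload)
    return {"version": ver, "opcode": OPCODES.get(op, op), "state": STATES.get(state, state),
            "hellotime": hello, "holdtime": hold, "priority": prio, "group": group,
            "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
            "vip": str(ipaddress.IPv4Address(vip))}

def audit(src_ip, pkt, policy):
    """Findings for one packet: the check the router makes itself (password,
    reported as %STANDBY-3-BADAUTH) plus ones it does not (speaker, priority, coup)."""
    findings = []
    if pkt["auth"] != policy["auth"]:
        findings.append("bad authentication from %s, group %d" % (src_ip, pkt["group"]))
    if pkt["group"] != policy["group"] or pkt["vip"] != policy["vip"]:
        findings.append("unexpected group %d / virtual IP %s from %s" % (pkt["group"], pkt["vip"], src_ip))
    expected = policy["routers"].get(src_ip)
    if expected is None:
        findings.append("unknown HSRP speaker %s (priority %d)" % (src_ip, pkt["priority"]))
    elif pkt["priority"] != expected:
        findings.append("%s advertises priority %d, expected %d" % (src_ip, pkt["priority"], expected))
    if pkt["opcode"] == "Coup":
        findings.append("coup announced by %s" % src_ip)
    return findings

def expected_active(priorities):
    """Election result for {physical IP: priority}: highest priority wins and
    ties go to the higher physical IP address, the recipe's tie-break caveat."""
    return max(priorities, key=lambda ip: (priorities[ip], ipaddress.IPv4Address(ip)))

def make_hello(priority, auth, state=16, opcode=0):
    """Constructed test packet shaped like the recipe's Ethereal capture."""
    return HSRP_V0.pack(0, opcode, state, 3, 10, priority, POLICY["group"], 0,
                        auth.encode(), ipaddress.IPv4Address(POLICY["vip"]).packed)
```

Feed `parse_hsrp` the UDP payload of each packet captured on the segment and compare `expected_active` over the observed speakers with the router you intended to be active; any difference is the misconfiguration or rogue device the recipe warns about.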

The output of this show standby command highlights the priority value:

Router1#show standby 
FastEthernet0/1 - Group 1
  Local state is Active, priority 255, may preempt
  Hellotime 1 sec, holdtime 3 sec
  Next hello sent in 0.436
  Virtual IP address is 172.22.1.1 configured
  Active router is local
  Standby router is 172.22.1.2 expires in 2.508
  Virtual mac address is 0000.0c07.ac01
  Authentication text "OREILLY"
  5 state changes, last state change 13:00:48
Router1#

You can further improve your HSRP security by using IPSec to encrypt HSRP packets. This will ensure that rogue users can't affect how HSRP functions on your LAN segment. This is a secure method, but full coverage is outside the scope of this chapter. This type of hardening isn't usually required on enterprise networks; if you have internal users that are this hostile, securing HSRP is probably the least of your worries. However, if you need HSRP on a public network (such as an Internet connection), it might be worth considering. Note, however, that this is not necessary even in most Internet connection situations because the other routers on the segment will almost certainly be ISPs (if you are a customer) or a customer (if you are an ISP). These organizations will have a vested interest in a stable network, so they are unlikely to want to break things. The only place where you are likely to need extra security is on LAN segments that have many routers to many different networks, none of which you control. In this case, you could configure an IPSec encrypted tunnel between the LAN interfaces of the two routers, and use a route map to force HSRP packets through the tunnel. Refer to Chapter 12 for more information on IPSec.

22.9.4 See Also

Recipe 22.1; Chapter 12
