Increasing HSRP Security

Increasing HSRP Security

Problem

You want to increase the Security of HSRP between two (or more) routers.

Solution

You can configure HSRP to use password authentication with the following commands:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface FastEthernet 0/1
Router1(config-if)#standby 1 ip 172.22.1.1
Router1(config-if)#standby 1 priority 120
Router1(config-if)#standby 1 authentication OREILLY
Router1(config-if)#exit
Router1(config)#end
Router1#

You must configure the same authentication password on all routers within the same HSRP group or the conflicts will prevent HSRP from working:

Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#interface FastEthernet 1/0
Router2(config-if)#standby 1 ip 172.22.1.1
Router2(config-if)#standby 1 priority 110
Router2(config-if)#standby 1 authentication OREILLY
Router2(config-if)#exit
Router2(config)#end
Router2#

Beginning with IOS Version 12.3(2)T, Cisco introduced support for MD5-encrypted passwords. To configure strong MD5-encrypted passwords, use the following commands:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface FastEthernet0/1
Router1(config-if)#standby 1 ip 10.1.1.1
Router1(config-if)#standby 1 priority 200
Router1(config-if)#standby 1 authentication md5 key-string OREILLY
Router1(config-if)#end
Router1#

You must also configure the same password and encryption type on all routers within the same HSRP group, or conflicts will prevent them from working:

Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#interface FastEthernet0/0
Router2(config-if)#standby 1 ip 10.1.1.1
Router2(config-if)#standby 1 priority 150
Router2(config-if)#standby 1 authentication md5 key-string OREILLY
Router2(config-if)#end
Router2#

To prevent any other routers from becoming active, set the primary router's priority to the highest possible value, 255:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface FastEthernet 0/1
Router1(config-if)#standby 1 ip 172.22.1.1
Router1(config-if)#standby 1 priority 255
Router1(config-if)#exit
Router1(config)#end
Router1#

Then you can configure the standby router to use a slightly lower priority number:

Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#interface FastEthernet 1/0
Router2(config-if)#standby 1 ip 172.22.1.1
Router2(config-if)#standby 1 priority 254
Router2(config-if)#exit
Router2(config)#end
Router2#

This will help to ensure that no other routers that might be on this segment can take over because of an HSRP Coup.

Discussion

HSRP is not a terribly secure protocol, even with the precautions shown in this recipe. This is usually not a problem, however, because most network engineers only use it on internal trusted LAN segments.

HSRP has two main security-related problems. The first is simply caused by incorrect router configuration. It is possible to cause serious routing problems if more than one router is active, if no routers are active on a segment, or if the wrong router becomes active. The second potential security problem is that a hostile user can configure a device, such as another Cisco router, to take over as the HSRP active router. They might use this to capture and examine packets that they would not otherwise see in a switched LAN, to route packets to a different network, or they might just want to cause a simple denial of service. However, because HSRP uses the locally scoped multicast address 224.0.0.2, with a TTL of 1, it is extremely unlikely that anybody could launch an effective HSRP attack if they were not physically connected to this LAN segment.

You can use HSRP authentication to help prevent misconfigured routers from becoming active on a production LAN. The routers send the authentication password through the network in clear text (that is, not encrypted), using IP multicast, so it is relatively easy for any device on the LAN segment to determine this password.

The following is an HSRP hello packet that was captured using Ethereal:

Cisco Hot Standby Router Protocol
Version: 0
Op Code: Hello (0)
State: Active (16)
Hellotime: Default (3)
Holdtime: Default (10)
Priority: 120
Group: 1
Reserved: 0
Authentication Data: Non-Default (OREILLY)
Virtual IP Address: 172.22.1.1

Notice that all of the important HSRP information, including timers, priorities, the group number, and even the virtual IP address, are readily available to anybody who captures HSRP packets on their local LAN segment. This illustrates both how insecure HSRP is by default and how easy it would be to create a false HSRP device to maliciously disrupt LAN communication.

The biggest problem with HSRP authentication, and the reason why you may decide not to use it, appears when the passwords on two routers in the same group do not agree. The two routers have no particular way of knowing which password is correct, so they both assume that the other is wrong. This can cause both routers to become active, which is not at all desirable. So this feature is not a very good way of preventing a malicious user from taking over control of the gateway.

If HSRP routers in the same group are configured with different authentication passwords, you will see the following messages in their logs:

Jun 25 11:00:15: %STANDBY-3-BADAUTH: Bad authentication from 172.22.1.4, group 1, remote state Standby

Cisco intends for this feature to be used to prevent other routers from learning HSRP parameters, such as the virtual IP address and timer information. However we don't generally advise using it to address real security requirements.

You can use the show standby command to verify your HSRP authentication information:

Router1#show standby
FastEthernet0/1 - Group 1
Local state is Active, priority 120, may preempt
Hellotime 1 sec, holdtime 3 sec
Next hello sent in 0.754
Virtual IP address is 172.22.1.1 configured
Active router is local
Standby router is 172.22.1.2 expires in 2.824
Virtual mac address is 0000.0c07.ac01
Authentication text "OREILLY"
5 state changes, last state change 12:56:36
Router1#

The use of the MD5-encrypted passwords prevents people from snooping your HSRP password and offers a greater level of security. We highly recommend using MD5 password authentication over the traditional clear text passwords whenever possible. Keep in mind that all routers participating in the same HSRP group must support MD5 password encryption in order to work. What's more, a mixture of MD5 and clear text passwords will not work either, even if the participating routers use the same password.

To show which password authentication method is currently configured; use the show standby command to view the current status:

Router1#show standby
FastEthernet0/1 - Group 1
State is Active
2 state changes, last state change 00:00:03
Virtual IP address is 10.1.1.1
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.372 secs
Authentication MD5, key-string "OREILLY"
Preemption disabled
Active router is local
Standby router is unknown
Priority 100 (default 100)
IP redundancy name is "hsrp-Fa0/1-1" (default)
Router1#

Notice that Router1 has been configured to use MD5 authentication and the password has been set to "OREILLY".

The last example in the Solution section to this recipe shows how to configure your router to avoid another type of attack. A rogue user could configure a router with a higher priority than the current active router. This would cause an HSRP Coup, and the rogue router would be able to take over as the active router. This illegitimate router could then freely manipulate routing for this segment.

You can partially guard against this scenario by setting your primary router to the highest possible priority level. This should prevent a rogue router from forcing a priority election. However, recall that when two routers have the same HSRP priority, the one with the higher physical IP address will win the election. So, if you have good reason to be concerned about this type of attack, we recommend using the highest possible IP addresses on the segment for your physical IP addresses, as well as the highest possible priorities.

The output of this show standby command highlights the priority value:

Router1#show standby 
FastEthernet0/1 - Group 1
Local state is Active, priority 255, may preempt
Hellotime 1 sec, holdtime 3 sec
Next hello sent in 0.436
Virtual IP address is 172.22.1.1 configured
Active router is local
Standby router is 172.22.1.2 expires in 2.508
Virtual mac address is 0000.0c07.ac01
Authentication text "OREILLY"
5 state changes, last state change 13:00:48
Router1#

See Also