Information
BGP is usually configured as a point-to-point / unicast protocol. Configuring authentication as part of the neighbor configuration adds an additional layer of security to the peering session.
Rationale:
Impact:
Configuring authentication adds an MD5 hash to the neighbor negotiation that occurs between two BGP peers. An authentication failure would indicate either a misconfiguration or possibly an attacker mounting an impersonation attack, masquerading as the BGP peer (for example via an ARP cache poisoning attack) and then attempting to peer up with incorrect credentials.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
For each BGP neighbor, add the 'password' command to the matching stanza, with a long and complex string. Note that the same password must be used on the matching peer.
Different passwords should be used for each peer.
switch(config)# router bgp 65520
switch(config-router)# neigh 10.10.10.11
switch(config-router-neighbor)# password ?
0 Specifies an UNENCRYPTED neighbor password will follow
3 Specifies an 3DES ENCRYPTED neighbor password will follow
7 Specifies a Cisco type 7 ENCRYPTED neighbor password will follow
LINE The UNENCRYPTED (cleartext) neighbor password
switch(config-router-neighbor)# password somelongcomplexstring
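A defender-side check for the two requirements above (every BGP neighbor carries a 'password' command, and no two peers share one), written as an added example that is not part of the benchmark or of Nessus. It parses an NX-OS style running-config excerpt that is constructed here; the regexes, the indentation-based stanza tracking and the neighbor-keyed-by-address simplification are assumptions of this example.

```python
import re

# Constructed NX-OS running-config excerpt, made up for this example.
SAMPLE_CONFIG = """\
router bgp 65520
  neighbor 10.10.10.11
    password 3 9125d59c18a9b015
  neighbor 10.10.10.12
    remote-as 65522
  neighbor 10.10.10.13
    password 3 9125d59c18a9b015
  vrf CUSTOMER
    neighbor 192.168.1.2
      password 0 somelongcomplexstring
interface loopback0
"""

NEIGHBOR_RE = re.compile(r"^\s*neighbor\s+(\S+)")
PASSWORD_RE = re.compile(r"^\s*password\s+(?:[037]\s+)?(\S+)")  # optional type 0/3/7

def find_bgp_neighbors(config):
    """Map each BGP neighbor (global or per-VRF, keyed by address) to its stored password token or None."""
    neighbors, in_bgp, current, indent = {}, False, None, 0
    for line in filter(str.strip, config.splitlines()):
        depth = len(line) - len(line.lstrip(" "))
        if depth == 0:                                    # top-level stanza boundary
            in_bgp, current = line.startswith("router bgp"), None
        elif in_bgp and (m := NEIGHBOR_RE.match(line)):
            indent, current = depth, m.group(1)
            neighbors.setdefault(current, None)
        elif in_bgp and current and depth > indent:       # still inside that neighbor stanza
            if (p := PASSWORD_RE.match(line)):
                neighbors[current] = p.group(1)
        elif in_bgp:                                      # left the neighbor stanza
            current = None
    return neighbors

def audit_bgp_passwords(config):
    """Return (neighbor, issue) pairs for peers lacking a password and for peers whose
    stored token matches another peer's (a match means one shared password)."""
    neighbors = find_bgp_neighbors(config)
    findings, seen = [], {}
    for n, pw in neighbors.items():
        if pw is None:
            findings.append((n, "no password configured"))
        elif pw in seen:
            findings.append((n, f"same password as neighbor {seen[pw]}"))
        else:
            seen[pw] = n
    return findings
```

Differing encrypted tokens do not prove that two peers use different passwords, so the reuse check only reports positive matches.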
Default Value:
By default, BGP authentication is not enabled.