4.2.2 Ensure IS-IS neighbor authentication is set to SHA1

Information

IS-IS neighbors should be authenticated with the stronger SHA1 HMAC mechanism, where supported.

Rationale:

Where it is deployed, IS-IS routing is vital to the normal operation of an organization's network infrastructure. Correct route information is required for routers to direct traffic correctly through the network. An attacker posing as one of the target router's IS-IS neighbors may inject incorrect information into the route table, resulting in a DoS attack or in loss of confidential data through a Man in the Middle attack.

On Juniper routers (as well as routers from some other manufacturers such as Cisco or Brocade) it is possible to authenticate neighbors using an SHA1 digest of elements in the PDU combined with a sequence number to protect against replay attacks.

SHA1 provides a stronger algorithm than the older MD5 standard, but is not as widely supported on non-Juniper platforms, so it should only be deployed once you are certain that all of the devices with which IS-IS adjacencies will be formed support SHA1-HMAC authentication.

SHA1 authentication is configured differently from either the Simple (which sends the password in cleartext and should never be used) or MD5 authentication methods. Instead of configuring the key directly at the IS-IS protocol, area or interface level, support for SHA1 authentication is added via the Hitless Key Rollover extensions. This has the added benefit of introducing mechanisms to coordinate regular changes to authentication keys and to change authentication settings without needing to reset IS-IS adjacencies.

NOTE: IS-IS does not appear to be configured on the target. This check is not applicable.

Solution

If you have deployed IS-IS in your network, you should consider configuring Hitless Key Rollover with SHA1 authentication for all neighbors at each configured IS-IS Level.
First, a key-chain must be configured. The same key-chain may be used for multiple levels, or separate key-chains may be used for each level (or even for individual interfaces where required). From the [edit security authentication-key-chains] hierarchy, issue the following commands:

[edit security authentication-key-chains]
user@host# set key-chain <name> key <key number> secret '<secret key>'
user@host# set key-chain <name> key <key number> start-time '<yyyy-mm-dd.hh:mm:ss>'
user@host# set key-chain <name> key <key number> algorithm hmac-sha-1
user@host# set key-chain <name> key <key number> options isis-enhanced

The start-time must be provided for all keys and provides the mechanism for controlled key rollover. Keys with a start time in the future can be configured on all of the devices in advance; when that time is reached, all of the devices will roll over to the new keys hitlessly, without disruption to IS-IS adjacencies.
Next, the key-chain should be applied at each Level at which SHA1 HMAC authentication will be used. From the [edit protocols isis] hierarchy, issue the following command:

[edit protocols isis]
user@host# set level <level> authentication-key-chain <name>

Where a different key is required for a specific area or interface, the key-chain used at the Level can be overridden on a per-interface, per-level basis using the following command from the [edit protocols isis] hierarchy:

[edit protocols isis]
user@host# set interface <interface name> level <level> hello-authentication-key-chain <name>

Note - Only the setting of the authentication-key-chain on a per-level basis is included in the audit procedure for scoring this recommendation; the per-interface override is included as additional information only.
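As an added illustration (not part of the benchmark text or Tenable's own audit logic), the following Python script parses `show configuration | display set` output and applies the checks described above: every IS-IS level referenced under `protocols isis` must point at a defined key-chain whose keys use `algorithm hmac-sha-1`, `options isis-enhanced` and a `start-time`, and a configuration with no IS-IS at all is reported as not applicable. The `display set` line layout, the `ISIS-L1`/`ISIS-L2` chain names and the sample configuration are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample of `show configuration | display set` output (not from a real device):
# level 2 uses a compliant SHA1 key-chain, level 1 still uses an MD5 chain with no start-time.
SAMPLE_CONFIG = """
set security authentication-key-chains key-chain ISIS-L2 key 1 secret "$9$placeholder"
set security authentication-key-chains key-chain ISIS-L2 key 1 start-time "2024-01-01.00:00:00"
set security authentication-key-chains key-chain ISIS-L2 key 1 algorithm hmac-sha-1
set security authentication-key-chains key-chain ISIS-L2 key 1 options isis-enhanced
set security authentication-key-chains key-chain ISIS-L1 key 1 secret "$9$placeholder"
set security authentication-key-chains key-chain ISIS-L1 key 1 algorithm md5
set protocols isis level 1 authentication-key-chain ISIS-L1
set protocols isis level 2 authentication-key-chain ISIS-L2
"""
KEY_RE = re.compile(r'^set security authentication-key-chains key-chain (\S+) key (\d+) (\S+)(?: (.*))?$')
CHAIN_RE = re.compile(r'^set protocols isis level ([12]) authentication-key-chain (\S+)$')
LEVEL_RE = re.compile(r'^set protocols isis .*\blevel ([12])\b')

def parse_config(text):  # -> (chain -> key -> attrs, level -> chain name, levels seen under protocols isis)
    chains, level_chain, levels = defaultdict(lambda: defaultdict(dict)), {}, set()
    for line in (l.strip() for l in text.splitlines()):
        if m := KEY_RE.match(line):
            chain, key, attr, value = m.groups()
            chains[chain][key][attr] = (value or "").strip('"')
        elif m := CHAIN_RE.match(line):
            level_chain[m.group(1)] = m.group(2)
        levels.update(LEVEL_RE.findall(line))
    return chains, level_chain, levels

def audit(text):  # -> None when IS-IS is not configured (check not applicable), else {level: [findings]}
    chains, level_chain, levels = parse_config(text)
    if not levels:
        return None
    results = {}
    for level in sorted(levels):  # only the per-level key-chain is scored by the benchmark
        name = level_chain.get(level)
        keys = chains.get(name, {})
        if not keys:
            results[level] = [f"no usable authentication-key-chain at level {level} (got {name})"]
            continue
        findings = []
        for key, a in keys.items():
            for attr, want in (("algorithm", "hmac-sha-1"), ("options", "isis-enhanced")):
                if a.get(attr) != want:
                    findings.append(f"{name} key {key}: {attr} is {a.get(attr, 'unset')}, expected {want}")
            if "start-time" not in a:
                findings.append(f"{name} key {key}: no start-time, so a hitless rollover cannot be scheduled")
        results[level] = findings
    return results
```

An empty finding list for a level means that level passes; running `audit(SAMPLE_CONFIG)` reports level 2 as passing and three findings against the MD5 chain on level 1.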

Default Value:

No IS-IS routing is configured by default.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, 800-53|IA-5(1), CSCv7|16.4

Plugin: Juniper

Control ID: 62d89c8c60a9f0b9e52d9edf2b01cba9b1d8d820aadde867021335577672ed84