3.1.4.4 Configure HSRP protections

Information

HSRP is a valuable redundancy protocol, but like many protocols discussed in this document can be attacked and compromised. HSRP Authentication is recommended to protect against such attacks.

Rationale:

Impact:

By default, HSRP is a clear-text protocol that negotiates which of a number of routing peers host the logical 'standby' IP address. Communication to negotiate this is via clear-text messages using the multicast address 224.0.0.2. By default, the protocol is authenticated in cleartext, with a passphrase of 'cisco'. In a two device HSRP pair, a tool such as SCAPY can be used to impersonate a third participant, advertising itself as an HSRP candidate at a higher priority value.

A successful attack of this type usually results in the malicious actor becoming the default gateway for that subnet, which puts the attacker in the position to inspect all traffic leaving the network, either for eavesdropping or for modifying traffic in transit. Return traffic will not usually be routed through the attacker (unless a second attack is mounted successfully to accomplish this), but intercepting sent traffic gives the attacker the ability to read credentials directly or modify the destination IP address (two common goals). Modifying the destination address allows the attacker to stand up a malicious copy of a target website (for instance, a bank site or paypal), where high value, encrypted credentials can be harvested.

Protecting HSRP with hashed credentials makes this type of attack much more difficult, the attacker must either reverse the hash, or otherwise mount a 'pass the hash' attack on the HSRP hosts. Note however that this setting will not prevent all HSRP attacks - it will however make it much more likely that an attack will generate alerts in the log, giving the defending team a good indication that the attack occurred and should be investigated. Automated attacks are often simpler (for instance, may only try the default value), so those may be defeated.

Solution

First, enable HSRP

switch(config)# feature hsrp

set the HSRP version to '2' to allow for MD5 encryption (per interface)

switch(config)# int vlan 1
switch(config-if)# hsrp version 2

Finally, configure the remainder of that interfaces HSRP setup. The key command is of course the 'authentication md5' clause

switch(config-if)# hsrp 1
switch(config-if-hsrp)# authentication md5 key-chain <HSRP-KEYCHAIN>
switch(config-if-hsrp)# name HSRPVLAN1
switch(config-if-hsrp)# preempt
switch(config-if-hsrp)# priority 110
switch(config-if-hsrp)# ip 10.10.10.1

Default Value:

HSRP is not configured by default.

If configured, hashed authentication is not enabled by default (the cleartext value of 'cisco' is used by default).

See Also

https://workbench.cisecurity.org/benchmarks/6524