1. Home
  2. Security Hardening
  3. DISA STIG Cisco NX OS Switch RTR V2R1
  4. CISC-RT-000030 – The Cisco switch must be configured to use keys with a duration not exceeding 180 days for authenticating routing protocol messages.
Searching...

CISC-RT-000030 – The Cisco switch must be configured to use keys with a duration not exceeding 180 days for authenticating routing protocol messages.

Details

If the keys used for routing protocol authentication are guessed, the malicious user could create havoc within the network by advertising incorrect routes and redirecting traffic. Some routing protocols allow the use of key chains for authentication. A key chain is a set of keys that is used in succession, with each having a lifetime of no more than 180 days. Changing the keys frequently reduces the risk of them eventually being guessed.

Keys cannot be used during time periods for which they are not activated. If a time period occurs during which no key is activated, neighbor authentication cannot occur, and therefore routing updates will fail. Therefore, ensure that for a given key chain, key activation times overlap to avoid any period of time during which no key is activated.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure each key used for routing protocol authentication to have a lifetime of no more than 180 days as shown in the example below:

SW1(config)# key chain OSPF_KEY
SW1(config-keychain)# key 1
SW1(config-keychain-key)# key-string xxxxxxxxxxxx
SW1(config-keychain-key)# send-lifetime 00:00:00 Oct 1 2019 23:59:59 Dec 31 2019
SW1(config-keychain-key)# accept-lifetime 00:00:00 Oct 1 2019 01:05:00 Jan 1 2020
SW1(config-keychain-key)# key 2
SW1(config-keychain-key)# key-string kxxxxxxxxxxxxx
SW1(config-keychain-key)# send-lifetime 00:00:00 Jan 1 2020 23:59:59 Mar 31 2020
SW1(config-keychain-key)# accept-lifetime 23:55:00 Dec 31 2019 01:05:00 Apr 1 2020
SW1(config-keychain-key)# end

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Access Control, Configuration Management.This control applies to the following type of system Cisco.

References

Source

Updated on July 16, 2022
Was this article helpful?
Yes No

Related Articles