Verifying Router Identity Across Meshed Network

kava_kicks
Level 1

I have a router sitting at a third party's premises, connected back into our network via a Private IP offering (layer 3 meshed network provided by telco using virtual routers to provide a private network over their shared infrastructure). The telco will not support ACLs on their basement switches (to which my router is connected), so I am largely dependent on my router to secure this connection.

My concern is that there is nothing really stopping the third party from disconnecting my router and plugging in their own router (the PIP connection is presented as FastEthernet and they know the IP schema for the connection).

What can I do to prevent them from doing this? Is there any way that I can verify the identity of this router when it re-enters my network (about 6-10 hops away)?

I was thinking I might be able to set up a VPN between this router and my own router and then drop any unencrypted traffic. Provided the third party couldn't guess the shared key etc. this might work (but if I can avoid the overhead of encrypting traffic across a private network I would prefer to!).

I will be monitoring the link as well as this, but would prefer to take additional steps if possible.

As mentioned, there is nothing I can do to secure the telco switches to which this router is connected (otherwise I could just do port security and link it to the MAC address of the router).

Any suggestions?

Thanks.

3 Replies

Richard Burts
Hall of Fame

If we knew more about your situation and the environment, we might be able to identify some other alternative. But based on your description, if you really need some mechanism to verify that data is coming from your router and not being spoofed by some other device, then I cannot think of a good alternative other than an IPsec VPN. After all, one of the primary purposes of IPsec is to verify that data is really coming from the actual neighbor that it claims to be and to detect imposters and spoofing.

HTH

Rick


Hi Rick,

I have added a diagram showing the situation in more detail.

I suspect that a VPN will be the only option, but let me know if you can think of anything else after looking at the diagram.

Thanks for your help.

johansens
Level 4

You'll have to go with IPsec and digital certificates with a good secret for the verification of the certificate... forget pre-shared keys...

The reason for this is simple: if you are worried about someone removing your router and putting in another, then they already have physical access to the router and can easily extract the config. Come to think of it, if they get physical access to the router, you are pretty much without security, as they could just break the router and get access to do whatever they want... An alternative would be:

- Run EzVPN IPsec with digital certificates

- Don't let the xauth password be saved. To connect, you'll have to SSH out to the router and manually enter the username/password...

This will mean more administration when the link goes down for any reason, but you'll get the security you want...

And on your end you'll put in an RSA SecurID server to handle the AAA...

As I said, not very automatic, but more secure...
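The following is an added example, not configuration from any of the posters, showing one way to put together what this thread arrives at: an IPsec tunnel between the remote router and the home-side router, authenticated with certificates from your own CA rather than a pre-shared key (as johansens recommends), plus an inbound filter on the home router's PIP-facing interface that accepts only IKE and ESP from the expected peer address and drops everything else (the OP's "drop any unencrypted traffic" idea). It is written in classic IOS crypto-map style for the home-side router; the remote router mirrors it with the peer addresses swapped. All addresses, interface names, trustpoint and policy names, and the CA URL are constructed for the example and are assumptions, not values from the thread.

```cisco
! Home-side router (constructed example).
! Assumed addressing:
!   home PIP-facing interface  FastEthernet0/0, 10.0.0.1/30
!   remote router PIP address   10.0.0.2
!   home LAN 192.168.1.0/24, remote LAN 192.168.2.0/24
!
! 1. Identity comes from a certificate issued by your own CA, not a shared
!    secret that anyone with the remote router's config could reuse.
crypto pki trustpoint CORP-CA
 enrollment url http://192.168.1.10:80
 subject-name CN=home-router,O=Example
 revocation-check crl
 rsakeypair HOME-KEY 2048
!
! Only a certificate with exactly this subject is accepted as the peer.
crypto pki certificate map REMOTE-RTR-MAP 10
 subject-name eq cn=remote-router,o=example
!
! 2. IKE phase 1 with RSA signatures (no "authentication pre-share").
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication rsa-sig
 group 14
crypto isakmp keepalive 10 periodic
!
crypto isakmp profile REMOTE-PROF
 ca trust-point CORP-CA
 match certificate REMOTE-RTR-MAP
!
! 3. IKE phase 2 / IPsec.
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Traffic that must travel inside the tunnel.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map PIP-MAP 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set ESP-AES-SHA
 set isakmp-profile REMOTE-PROF
 match address VPN-TRAFFIC
!
! 4. Inbound filter on the PIP-facing interface: only IKE (UDP 500),
!    NAT-T (UDP 4500) and ESP from the expected peer may arrive in the
!    clear. Cleartext from a substituted router that knows the IP schema
!    is dropped and logged, which also feeds the link monitoring.
!    If you exchange routing protocol traffic with the telco's virtual
!    router on this interface, add a permit for it here.
ip access-list extended PIP-INBOUND
 permit udp host 10.0.0.2 host 10.0.0.1 eq isakmp
 permit udp host 10.0.0.2 host 10.0.0.1 eq non500-isakmp
 permit esp host 10.0.0.2 host 10.0.0.1
 deny   ip any any log
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 ip access-group PIP-INBOUND in
 crypto map PIP-MAP
!
! Verification after the remote side is enrolled and configured:
!   show crypto pki certificates      (both routers hold a CORP-CA cert)
!   show crypto isakmp sa             (state QM_IDLE with peer 10.0.0.2)
!   show crypto ipsec sa              (encaps/decaps counters increasing)
!   show ip access-lists PIP-INBOUND  (hit counts on the deny line)
```

Two caveats worth knowing before relying on this. First, on IOS releases from 12.3(8)T onwards decrypted packets are not re-checked against the inbound interface ACL; on older releases they were, and the LAN-to-LAN prefixes would then also need a permit entry in PIP-INBOUND. Second, this only authenticates the router, not its custodian: as johansens points out, someone with physical access can pull the private key and certificate off the flash along with the config, so the remote router's key should be non-exportable and its certificate revocable (hence `revocation-check crl`), and console and AUX access on that router should be locked down.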