Securing HSRP


In a previous post I went over attacking HSRP using the default authentication string "cisco". In this post I'll go over defenses.

HSRP attacks are performed at Layer 2, so the attacker must be in the same L2 domain (same VLAN/subnet). This is probably the reason no one pays much attention to it: "It's our LAN, it's behind the firewall, so it's safe. Right?" Maybe, but there are bored employees, there are misconfigurations, and there could be malware that would mess up your network.

Either way, if it can be made more secure, it should be. That's what "defense in depth" is all about.

HSRP supports authentication. Either plain-text or MD5 authentication can be used. The plain-text option provides little to no protection, as the password is sent in the clear with every HSRP packet. MD5 authentication solves the problem. It uses a secret key to generate a keyed MD5 hash of the packet, which is carried in the outgoing packet. The receiver generates the keyed hash of each incoming packet, and if it does not match the hash carried in the packet, the packet is ignored.
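To make the check concrete, here is an added example (my own code, not from the original post or from Cisco) that models the sender/receiver logic just described. It assumes a simplified hello made of a few HSRP fields, and a keyed hash computed as MD5 over the packet (digest field zeroed) followed by the key, in the style of keyed-MD5 routing-protocol authentication; it does not reproduce the real HSRP MD5 authentication TLV layout.

```python
# Simplified model of HSRP MD5 authentication (assumption: not the real TLV format).
import hashlib
import hmac
import struct
from ipaddress import IPv4Address
from typing import Optional

# version, opcode, state, priority, group, 3 pad bytes, virtual IP (12 bytes total)
HELLO_FMT = "!BBBBB3xI"
DIGEST_LEN = 16


def keyed_md5(body: bytes, key: bytes) -> bytes:
    """Digest over the packet body, the digest field as zeros, then the key."""
    return hashlib.md5(body + bytes(DIGEST_LEN) + key).digest()


def build_hello(key: bytes, priority: int, group: int, virtual_ip: str,
                version: int = 0, opcode: int = 0, state: int = 16) -> bytes:
    """Sender side: HSRPv1 hello (opcode 0) in Active state (16) with the digest appended."""
    body = struct.pack(HELLO_FMT, version, opcode, state, priority, group,
                       int(IPv4Address(virtual_ip)))
    return body + keyed_md5(body, key)


def verify_hello(packet: bytes, key: bytes) -> Optional[dict]:
    """Receiver side: recompute the keyed hash; return the fields or None if ignored."""
    if len(packet) != struct.calcsize(HELLO_FMT) + DIGEST_LEN:
        return None  # malformed length: ignore
    body, received = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    if not hmac.compare_digest(received, keyed_md5(body, key)):
        return None  # wrong key or modified fields: packet is ignored
    version, opcode, state, priority, group, vip = struct.unpack(HELLO_FMT, body)
    return {"version": version, "opcode": opcode, "state": state,
            "priority": priority, "group": group,
            "virtual_ip": str(IPv4Address(vip))}


if __name__ == "__main__":
    key = b"constructed-example-key"  # stands in for the configured key-string
    pkt = build_hello(key, priority=100, group=1, virtual_ip="192.0.2.1")
    print(verify_hello(pkt, key))           # accepted: fields are returned
    wrong_key = build_hello(b"cisco", priority=255, group=1, virtual_ip="192.0.2.1")
    print(verify_hello(wrong_key, key))     # None: built with the wrong (default) key
    tampered = bytearray(pkt)
    tampered[3] = 255                       # priority changed in flight
    print(verify_hello(bytes(tampered), key))  # None: digest no longer matches
```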

To enable MD5 authentication, the following command is used in interface configuration mode:


R1(config-if)# standby authentication md5 key-string "the key"



HSRP packet with default authentication:


HSRP packet with md5 authentication enabled:

