CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1
2007-08-20
SergioGonzalez (Junior Member)
How to harden VRRP

Hello.

I have two Nokia IP530 3.7-BUILD023 FW running Check Point VPN-1(TM) & FireWall-1(R) NG with Application Intelligence (R55) for IPSO 3.8 - Build 584, configured with VRRP between them for High Availability. I would like to know how I can avoid the clear-text authentication and provide some security to VRRP.

Thanks.

Sergio

#2
2007-08-20
mcnallym (Senior Member)
Re: How to harden VRRP

It's understandable that customers may be asking for AH with VRRP because RFC 2338 mentions AH in passing. Also, the RFC mentions password authentication for VRRP advertisements.
Authentication of VRRP packets is useless. Its intended purpose was to ensure that an unauthorized / mis-configured VRRP router would not take over as the VRRP master. However, the protocol is NOT able to ensure that. For instance, if you try and configure two routers backing up a VRRP IP with different passwords... they will both become MASTER. So as is evident, authentication serves no purpose.

Nokia has advised the IETF of the flaw with authentication and they are now going to remove the authentication mechanisms from the RFC completely.

Also, the IETF is in the process of dropping password authentication for VRRP. When they do that, we too intend to remove password authentication from our VRRP implementation.

The above is taken from the Nokia knowledgebase.

Not sure if this is what you are referring to; however, what you need to remember in terms of the VRRP on the Nokias is that when running Check Point you also need to add the security rulebase to allow another box to join the VRRP system correctly.

As such my understanding from Nokia is that the password authentication is still there just as a legacy and is purely a simple-text password only. I myself don't bother using password authentication for my VRRP environments, as if the box isn't defined as being part of the Check Point cluster then it won't be able to inject VRRP updates into my Nokias, even if it has the correct password and IP address.

As such I don't see what you would gain by encrypting the VRRP password anyway. I would agree that in a non-firewall environment it may be desirable to prevent boxes joining by using an encrypted password; however, what happens is you get a master-master environment where your box and the extra box both go active, giving a potential break in service as there are now two boxes active for the VRRP IP address.

#3
2007-08-20
SergioGonzalez (Junior Member)
Re: How to harden VRRP

We do not intend to remove password authentication from our VRRP implementation, but to encrypt this traffic to avoid an internal attack from anyone who can see those passwords.

#4
2007-08-20
mcnallym (Senior Member)
Re: How to harden VRRP

Just how will encrypting the VRRP password prevent an internal attack?

The only option I have seen is a simple password which is clear text, or no authentication at all, and as Nokia say the password doesn't prevent people from ending up in a master-master environment anyway, so really there is no point having a password for the VRRP anyway.

As the Check Point software will require any VRRP updates to be allowed by the security policy, to compromise the VRRP they will already have to have compromised the Check Point SmartCenter login, and if they have done that then the VRRP is the least of your worries as they can do whatever they want to the security policy anyway.
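The master-master condition mcnallym describes (two routers both advertising the same VRID after a password mismatch) and the clear-text nature of the RFC 2338 simple-password field are both visible on the wire. The following monitor is an added example and is not code from the thread or from Nokia/Check Point; it assumes a capture source that yields (source IP, VRRP payload) pairs from the 224.0.0.18 multicast group, and uses constructed sample packets with a zero checksum.

```python
import struct
from collections import defaultdict

def parse_vrrp_v2(payload: bytes) -> dict:
    """Parse one VRRPv2 advertisement as laid out in RFC 2338 (8-byte header, VIP list, 8-byte auth field)."""
    if len(payload) < 8:
        raise ValueError("short VRRP header")
    ver_type, vrid, prio, n_addrs, auth_type, adver_int, _csum = struct.unpack("!BBBBBBH", payload[:8])
    version, msg_type = ver_type >> 4, ver_type & 0x0F
    if version != 2 or msg_type != 1:
        raise ValueError(f"not a VRRPv2 advertisement (version={version}, type={msg_type})")
    end_addrs = 8 + 4 * n_addrs
    if len(payload) < end_addrs + 8:
        raise ValueError("truncated address or authentication field")
    addrs = [".".join(str(b) for b in payload[8 + 4 * i:12 + 4 * i]) for i in range(n_addrs)]
    return {"vrid": vrid, "priority": prio, "adver_int": adver_int, "addrs": addrs,
            "auth_type": auth_type,            # 0 = none, 1 = simple text password, 2 = IP AH
            "plaintext_auth": auth_type == 1}  # type 1 sends the password unencrypted on the wire

def find_dual_masters(observed) -> dict:
    """observed: iterable of (src_ip, payload) seen on 224.0.0.18.
    Returns {vrid: [src_ips]} for every VRID advertised by more than one router,
    i.e. the master-master condition: only the elected master should be advertising."""
    senders = defaultdict(set)
    for src, payload in observed:
        senders[parse_vrrp_v2(payload)["vrid"]].add(src)
    return {vrid: sorted(s) for vrid, s in senders.items() if len(s) > 1}

def build_adv(vrid: int, prio: int, addrs, auth_type: int, password: bytes = b"") -> bytes:
    """Build a constructed VRRPv2 advertisement for testing (checksum left at zero)."""
    body = struct.pack("!BBBBBBH", 0x21, vrid, prio, len(addrs), auth_type, 1, 0)
    body += b"".join(bytes(int(o) for o in a.split(".")) for a in addrs)
    return body + password.ljust(8, b"\x00")[:8]

# Constructed sample: two routers both claiming VRID 5 (mismatched passwords, so both went master)
# and a healthy VRID 6 with a single master and no authentication.
SAMPLE = [
    ("192.0.2.1", build_adv(5, 100, ["192.0.2.10"], 1, b"pass-a")),
    ("192.0.2.2", build_adv(5, 90, ["192.0.2.10"], 1, b"pass-b")),
    ("192.0.2.1", build_adv(6, 100, ["192.0.2.11"], 0)),
]

if __name__ == "__main__":
    for vrid, srcs in find_dual_masters(SAMPLE).items():
        print(f"VRID {vrid}: advertised by {len(srcs)} routers {srcs} -> master-master")
    for src, payload in SAMPLE:
        adv = parse_vrrp_v2(payload)
        if adv["plaintext_auth"]:
            print(f"VRID {adv['vrid']} from {src}: simple-text authentication in use")
```

Feed the same (src_ip, payload) pairs from a live capture and the first function flags the split-brain state within one advertisement interval, while the second flags any VRID still relying on the legacy clear-text password.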