Security administrators concerned about locking down application servers often overlook routers. However, routers are a vital component of your IT infrastructure. Because routers usually sit outside a firewall and potential intruders can access them through the Internet, routers are probably more exposed than most of your servers. Often, the only device visible from outside your firewall is your Internet router, which might be running potentially vulnerable services such as SNMP, Finger, and HTTP. Intruders who gain access to your routers can establish a beachhead from which to launch more complex attacks on the demilitarized zone (DMZ) and internal LAN or take advantage of Denial of Service (DoS) opportunities.
You must review your routers to make sure they're at least minimally secure. Because most organizations have Cisco Systems devices somewhere on their network, such a review involves understanding the Cisco Internetwork Operating System (IOS). However, even security administrators well versed in Cisco IOS might find such a review daunting. Security scanners such as the Nessus open-source UNIX-based vulnerability scanner and the Internet Security Systems (ISS) scanner do some router auditing and provide some configuration suggestions for router security; however, such tools usually provide a superficial assessment and are geared more toward application servers such as email or Web servers. Fortunately, a free tool from the Center for Internet Security (CIS, http://www.cisecurity.org) can help you determine whether your router meets basic security requirements.
Auditing Tool for Cisco Routers
CIS has released a free security benchmark and an audit tool for Cisco IOS routers (and for other devices running Cisco IOS). The Cisco IOS Router Benchmark is a standard, published as an HTML document, that indicates how your router should be configured according to the National Security Agency (NSA) guidelines; the Router Audit Tool (RAT, not to be confused with a Remote Access Trojan) is a Perl program that compares your router configuration with the benchmark and grades the configuration accordingly. You will need to provide some information about your organization to download the tool, and if you want to distribute it internally or use it to certify networks for profit, you must become a CIS member.
CIS is an independent organization that takes input from industry, government, and users to create standards and benchmarks that improve Internet security. Membership fees and contributions fund the organization, and volunteers perform much of its work. The members range from large corporations and organizations such as Intel, The American Institute of Certified Public Accountants (AICPA), and the SysAdmin, Audit, Network, and Security (SANS) Institute to small companies, user groups, and individuals.
RAT for Windows Offers Two Levels of Security
Until recently, RAT was reserved for UNIX users. However, with the release of RAT 1.1, CIS offers a Windows version. Other improvements in RAT 1.1 include an easier-to-use local configuration program that tunes the test to your configuration, an FAQ, the ability to load RAT without using a Perl subprogram called snarf (a program used to download configuration files in earlier RAT versions), and minor fixes and adjustments to the benchmark.
The Cisco IOS Router Benchmark is based on the NSA Router Security Configuration Guide, as are most of CIS's benchmarks. Therefore, most government and corporate entities accept that the benchmark settings represent a reasonably secure installation.
RAT is offline and nonintrusive. Because you run RAT against a saved Cisco configuration file rather than against a live router, you don't need to pick special times to run it, it can't crash your main Internet router, and it never touches your production device.
The Cisco IOS Router Benchmark provides for two levels of security: Level 1, which is for typical usage and applies to most companies; and Level 2, which is for installations that require a higher security level and which also covers some nonstandard options and protocols such as Border Gateway Protocol (BGP) and IP Security (IPSec). The Level 1 benchmark represents minimum security for Internet-connected routers, according to NSA's standard for Cisco routers. You choose which benchmark level to use when you run ncat_config, which I discuss in the next section.
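The offline, two-level audit described above, as an added example that is not RAT itself (RAT is a Perl program) and not the CIS benchmark: a small Python script that parses a constructed Cisco IOS configuration file and grades it against a handful of illustrative rules drawn from the services this article names (SNMP, Finger, HTTP, BGP). The rule list, the equal weighting of rules in the score, and the treatment of Level 2 as a superset of Level 1 are assumptions of this example; the real benchmark's rules and scoring come from the CIS documents. Both configurations, the hostname, the AS numbers, and the secret values are constructed placeholders.

```python
"""Offline audit of a saved Cisco IOS configuration, in the style of CIS RAT.

Added example: this is not RAT (a Perl program), and the rules below are
illustrative, chosen from the services the article names (SNMP, Finger,
HTTP, BGP); they are not the CIS benchmark's actual rule list.
"""
import re

# Constructed configuration of a weakly configured edge router (not a real device).
WEAK_CONFIG = """\
!
version 12.2
service password-encryption
hostname edge-rtr
!
enable secret 5 $1$EXAMPLE$placeholderhash
!
snmp-server community public RO
ip finger
ip http server
!
router bgp 64496
 neighbor 192.0.2.2 remote-as 64497
!
line vty 0 4
 login
 transport input telnet
!
end
"""

# Constructed configuration with the findings from WEAK_CONFIG corrected.
HARDENED_CONFIG = """\
service password-encryption
hostname edge-rtr
enable secret 5 $1$EXAMPLE$placeholderhash
no ip finger
no ip http server
snmp-server community PLACEHOLDER-community RO
router bgp 64496
 neighbor 192.0.2.2 remote-as 64497
 neighbor 192.0.2.2 password PLACEHOLDER-key
line vty 0 4
 login
 transport input ssh
end
"""


def parse_ios_config(text):
    """Drop blank and comment ('!') lines but keep indentation: IOS marks
    sub-commands under 'router bgp', 'line vty', etc. with a leading space."""
    return [ln.rstrip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def sub_commands(lines, header_re):
    """Collect the indented sub-commands under every top-level line matching header_re."""
    out, inside = [], False
    for ln in lines:
        if ln.startswith(" "):
            if inside:
                out.append(ln.strip())
        else:
            inside = re.match(header_re, ln) is not None
    return out


def present(pattern):
    """Rule passes when some line matches pattern (e.g. a required 'service' line)."""
    return lambda lines: any(re.match(pattern, ln) for ln in lines)


def absent(pattern):
    """Rule passes when no line matches pattern (e.g. an exposed service)."""
    return lambda lines: not any(re.match(pattern, ln) for ln in lines)


def vty_ssh_only(lines):
    """Every vty block must restrict inbound transport to SSH. A missing
    'transport input' statement is treated as a failure because it leaves the
    platform default in charge instead of an explicit policy."""
    transports = [ln for ln in sub_commands(lines, r"^line vty ")
                  if ln.startswith("transport input ")]
    return bool(transports) and all(ln.split()[2:] == ["ssh"] for ln in transports)


def bgp_neighbors_authenticated(lines):
    """Level 2 style check: each BGP neighbor declared with 'remote-as' also
    carries a 'password' statement. Passes vacuously when BGP is not configured."""
    neighbors, with_password = set(), set()
    for ln in sub_commands(lines, r"^router bgp \d+"):
        m = re.match(r"neighbor (\S+) (remote-as|password)\b", ln)
        if m:
            (neighbors if m.group(2) == "remote-as" else with_password).add(m.group(1))
    return neighbors <= with_password


# (level, rule name, check). Level 2 is assumed to include all Level 1 rules.
RULES = [
    (1, "service password-encryption enabled", present(r"^service password-encryption$")),
    (1, "enable secret configured",            present(r"^enable secret ")),
    (1, "finger service disabled",             absent(r"^ip finger$")),
    (1, "HTTP server disabled",                absent(r"^ip http server$")),
    (1, "no default SNMP community string",    absent(r"^snmp-server community (public|private)\b")),
    (1, "vty lines accept SSH only",           vty_ssh_only),
    (2, "BGP neighbors use authentication",    bgp_neighbors_authenticated),
]


def audit(config_text, level=1):
    """Return ([(level, rule, passed), ...], score) for rules at or below `level`.
    The score is the percentage of rules passed; equal weighting of rules is an
    assumption of this example, not RAT's scoring."""
    lines = parse_ios_config(config_text)
    results = [(lvl, name, bool(check(lines))) for lvl, name, check in RULES if lvl <= level]
    passed = sum(1 for _, _, ok in results if ok)
    score = round(100 * passed / len(results)) if results else 0
    return results, score


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results, score = audit(cfg, level=2)
        print(f"{label}: score {score}%")
        for lvl, name, ok in results:
            print(f"  L{lvl} {'PASS' if ok else 'FAIL'}  {name}")
```

Run it against a configuration saved with `show running-config` (or copied from the router via TFTP) and it reports each rule as PASS or FAIL together with a percentage, without ever connecting to the device. The BGP rule only contributes when you audit at Level 2, mirroring the way the article separates protocol-specific checks from the Level 1 baseline.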