Vulnerability Analysis
Network analysis

There are many industry best practices, tools, guides, and training available to help secure network devices. These include tools from Cisco such as AutoSecure and Cisco Output Interpreter, as well as numerous web resources. Third party resources include the U.S. National Security Agency (NSA) Cisco Router Security Recommendation Guides and the Center for Internet Security (CIS) Router Audit Tool (RAT) for auditing Cisco router and PIX Security Appliance configuration files.

Cisco AutoSecure
Cisco AutoSecure is a Cisco IOS Security Command Line Interface (CLI) command. AutoSecure enables rapid implementation of security policies and procedures to ensure secure networking services. It enables a "one touch" device lockdown process, simplifying the security configuration of a router and hardening the router configuration. This feature simplifies the security process, thus lowering barriers to the deployment of critical security functionality.

Cisco Output Interpreter
The Cisco Output Interpreter is a troubleshooting tool that will report potential problems by analyzing supported show command output. The Output Interpreter is available at the Cisco website to users with a valid Cisco Connection Online (CCO) login. Output Interpreter supports the following functionality:

  • show command outputs from a Router, Switch or PIX Security Appliance. A list of supported show commands is available at the Output Interpreter site.
  • Error Messages generated by a Router, Switch or PIX Security Appliance. The Error or Log Messages can be copied and pasted from a Router, Switch or PIX Security Appliance into the Output Interpreter.
  • Decodes and analyzes a Router or Switch stack trace for any possible bugs. Copy and paste the show version command output followed by Traceback or Stack Trace and Alignment data.
  • Converts the apply, conduit, and outbound statements of a PIX Security Appliance configuration to equivalent access-list statements. Copy and paste show tech-support or write terminal command output of the PIX Security Appliance.
  • Decodes and analyzes the Configuration Register. Copy and paste the show version or show tech-support command output into the Output Interpreter.

Figure shows an example of the output of the Output Interpreter.

National Security Agency (NSA) Cisco Router Security Configuration Guides
The Router Security Configuration Guide (RSCG) contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco Systems routers. The RSCG was used extensively in the development of the Cisco Router Security course. This guide was developed in response to numerous questions and requests for assistance received by the National Security Agency (NSA) System and Network Attack Center (SNAC). The topics covered in the guide were selected on the basis of customer interest, community consensus, and the SNAC’s background in securing networks. The RSCG is a large, detailed, yet readable and accessible document. It is supplemented with an Executive Summary Card, a quick checklist for securing your Cisco router.

Routers direct and control much of the data flowing across computer networks. The RSCG provides technical guidance intended to help network administrators and security officers improve the security of their networks. Using the information presented here, you can configure your routers to control access, resist attacks, shield other network components, and even protect the integrity and confidentiality of network traffic.

The goal for this guide is a simple one: improve the security provided by routers on US Government operational networks.

The RSCG document is only a guide to recommended security settings for Internet Protocol (IP) routers, particularly routers running Cisco Systems Internet Operating System (IOS) versions 11 and 12. It is not meant to replace well-designed policy or sound judgment. The guide does not address site-specific configuration issues. Care must be taken when implementing the security steps specified in this guide. Ensure that all security steps and procedures chosen from this guide are thoroughly tested and reviewed prior to imposing them on an operational network.

Cisco Router Audit Tool (RAT)
The CIS RAT is based on the CIS Benchmark for Cisco IOS Routers, a consensus-based best practice guideline for hardening Cisco routers. Version 2.2 of the RAT tool can be used to score both Cisco IOS Routers and PIX Security Appliances. The RAT is available for the Windows or UNIX operating systems. A sample RAT output is shown in Figure. The RAT downloads configurations of devices to be audited (optionally), and then checks them against the settings defined in the benchmark. For each configuration examined, it produces a report listing the following:

  • A list of each rule checked with a pass/fail score.
  • A raw overall score.
  • A weighted overall score (1-10).
  • A list of commands that will correct problems identified.

The RAT produces a composite report listing all rules (settings) checked on all devices, as well as an overall score, and recommendations for improving the security of the router, as shown in Figure.
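To make the RAT report structure concrete, the following added example (not the CIS RAT or any CIS code) audits a Cisco IOS running-config against a small rule set and produces the four report elements listed above: per-rule pass/fail, a raw score, a weighted 1-10 score and the commands that would fix each failure. The rule set, weights and the 1-10 scaling are assumptions for illustration, not the CIS benchmark's actual rules, and the sample config is constructed.

```python
import re
from typing import NamedTuple

class Rule(NamedTuple):
    name: str
    pattern: str       # regex matched against each config line (anchored at line start)
    required: bool     # True: a matching line must exist; False: it must not
    weight: int        # importance; feeds the weighted score
    fix: str           # command that brings the device into compliance

# Illustrative rule set assumed for this example; not the CIS benchmark's own rules
RULES = [
    Rule("enable secret configured",   r"^enable secret ",               True,  10, "enable secret <strong-password>"),
    Rule("password encryption",        r"^service password-encryption$", True,   5, "service password-encryption"),
    Rule("HTTP server disabled",       r"^ip http server$",              False,  7, "no ip http server"),
    Rule("CDP disabled",               r"^no cdp run$",                  True,   3, "no cdp run"),
    Rule("source routing disabled",    r"^no ip source-route$",          True,   5, "no ip source-route"),
    Rule("TCP small servers disabled", r"^service tcp-small-servers$",   False,  4, "no service tcp-small-servers"),
    Rule("syslog host configured",     r"^logging (host )?\d",           True,   6, "logging host <syslog-server>"),
]

def audit(config: str) -> dict:
    """Check one config against RULES; return per-rule results, scores and fixes."""
    lines = [l.rstrip() for l in config.splitlines()]
    results, fixes = [], []
    for rule in RULES:
        matched = any(re.match(rule.pattern, l) for l in lines)
        passed = matched if rule.required else not matched
        results.append((rule.name, passed))
        if not passed:
            fixes.append(rule.fix)
    raw = sum(1 for _, p in results if p)
    earned = sum(r.weight for r, (_, p) in zip(RULES, results) if p)
    weighted = round(1 + 9 * earned / sum(r.weight for r in RULES))  # assumed 1-10 scaling
    return {"results": results, "raw": raw, "of": len(RULES), "weighted": weighted, "fixes": fixes}

# Constructed sample running-config fragment, not captured from a real device
SAMPLE_CONFIG = """\
hostname edge-rtr
enable secret 5 $1$abcd$constructedhashvalue
service tcp-small-servers
ip http server
no cdp run
logging 192.0.2.10
"""

if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for name, passed in report["results"]:
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
    print(f"raw {report['raw']}/{report['of']}, weighted {report['weighted']}/10, fixes: {report['fixes']}")
```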


Resources

Resource: Example of Output Interpreter Results