There are many industry best practices, tools, guides, and training
available to help secure network devices. These include tools from Cisco such
as AutoSecure and Cisco Output Interpreter, as well as numerous web resources.
Third-party resources include the U.S. National Security Agency (NSA) Cisco
Router Security Recommendation Guides and the Center for Internet Security
(CIS) Router Audit Tool (RAT), which audits Cisco router and PIX Security
Appliance configuration files.
Cisco AutoSecure
Cisco AutoSecure is a Cisco IOS security command-line interface (CLI)
command. AutoSecure enables rapid implementation of security policies and
procedures to ensure secure networking services. It provides a "one touch"
device lockdown process that simplifies the security configuration of a router
and hardens it: in a single session it disables global services that are
commonly abused, secures the management plane and the forwarding plane, and, on
confirmation, applies the resulting commands to the running configuration.
This lowers the barrier to deploying critical security functionality. Because
the lockdown is generic, review the generated commands before saving them (run
AutoSecure interactively rather than with the no-interact option on a
production router): it can disable services, such as CDP, or apply
forwarding-plane protections that a particular site still depends on, and it
does not replace a site-specific policy.
Cisco Output Interpreter
The Cisco Output Interpreter is a troubleshooting tool that reports potential
problems by analyzing the output of supported show commands. It is available
on the Cisco website to users with a valid Cisco Connection Online (CCO) login.
Output Interpreter supports the following functionality:
- Analyzes show command output from a router, switch, or PIX Security
Appliance. A list of supported show commands is available at the Output
Interpreter site.
- Interprets error messages generated by a router, switch, or PIX Security
Appliance. The error or log messages can be copied and pasted from the device
into the Output Interpreter.
- Decodes and analyzes a router or switch stack trace for possible bugs. Copy
and paste the show version command output followed by the Traceback or Stack
Trace and Alignment data.
- Converts the apply, conduit, and outbound statements of a PIX Security
Appliance configuration to equivalent access-list statements. Copy and paste
the show tech-support or write terminal command output of the PIX Security
Appliance. Because that output contains secrets (enable and user passwords,
SNMP community strings, pre-shared keys), sanitize it before pasting it into
any external tool.
- Decodes and analyzes the configuration register. Copy and paste the show
version or show tech-support command output into the Output Interpreter.
Figure shows an example of the output of the Output Interpreter.
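As an added example (not part of the original page and not Cisco's Output Interpreter code), the following Python script performs the configuration-register decode described in the last list item: it pulls the register value out of pasted show version text and reports the boot field and the bits a security reviewer cares about. The bit layout follows the classic IOS register (bits 0-3 boot field, bit 6 ignore NVRAM, bit 8 Break disabled, bits 11-12 console speed, bit 13 boot the ROM image when a network boot fails); the show version sample is constructed, and the console-speed table covers only the four classic rates.

```python
import re
from typing import Optional, Tuple

# Console baud rate from register bits 11-12 on classic IOS platforms.
# Newer platforms combine bit 5 with these bits for higher speeds;
# that extension is deliberately not modelled here.
CONSOLE_BAUD = {0: 9600, 1: 4800, 2: 1200, 3: 2400}

# Constructed sample of 'show version' output as it looks right after
# 'config-register 0x2102' has been entered on a router that is currently
# running with the password-recovery register 0x2142.
SAMPLE_SHOW_VERSION = """\
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(15)T
lab-r1 uptime is 2 hours, 3 minutes
System returned to ROM by power-on
Configuration register is 0x2142 (will be 0x2102 at next reload)
"""

_CONFREG_RE = re.compile(
    r"Configuration register is 0x([0-9A-Fa-f]{1,4})"
    r"(?: \(will be 0x([0-9A-Fa-f]{1,4}) at next reload\))?"
)


def parse_show_version(text: str) -> Tuple[Optional[int], Optional[int]]:
    """Return (current_register, register_at_next_reload) from show version text.

    The second value is None when no change is pending.
    """
    m = _CONFREG_RE.search(text)
    if not m:
        return None, None
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else None
    return current, pending


def boot_field_meaning(boot_field: int) -> str:
    """Meaning of register bits 0-3."""
    if boot_field == 0:
        return "halt in ROM monitor (rommon)"
    if boot_field == 1:
        return "boot the first image in flash / boot-helper image"
    return "boot per 'boot system' commands in NVRAM, else first image in flash"


def decode_confreg(value: int) -> dict:
    """Decode the boot- and security-relevant fields of a register value."""
    return {
        "register": f"0x{value:04X}",
        "boot_field": value & 0xF,
        "boot_meaning": boot_field_meaning(value & 0xF),
        "ignore_nvram": bool(value & 0x0040),               # bit 6
        "break_disabled": bool(value & 0x0100),             # bit 8
        "console_baud": CONSOLE_BAUD[(value >> 11) & 0x3],  # bits 11-12
        "netboot_fallback_to_rom": bool(value & 0x2000),    # bit 13
    }


def security_findings(value: int) -> list:
    """Findings a reviewer would raise about a register value."""
    d = decode_confreg(value)
    findings = []
    if d["ignore_nvram"]:
        findings.append(
            "bit 6 (0x0040) set: startup-config in NVRAM is ignored at boot; "
            "this is the password-recovery setting, and the router comes up "
            "unconfigured (no passwords, no ACLs) until it is cleared"
        )
    if d["boot_field"] == 0:
        findings.append("boot field 0x0: router stops in rommon, where the "
                        "console user can change the register or boot image")
    if not d["break_disabled"]:
        findings.append("bit 8 (0x0100) clear: console Break is honoured at any "
                        "time, not only in the first 60 seconds after power-up, "
                        "so a console user can drop the running router into rommon")
    return findings


def review(text: str) -> dict:
    """End-to-end: parse pasted show version text and report on it."""
    current, pending = parse_show_version(text)
    if current is None:
        raise ValueError("no 'Configuration register is' line found")
    effective = pending if pending is not None else current
    return {
        "current": decode_confreg(current),
        "pending": decode_confreg(pending) if pending is not None else None,
        "findings_now": security_findings(current),
        "findings_after_reload": security_findings(effective),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(review(SAMPLE_SHOW_VERSION), indent=2))
```

The practical check this automates: after a password-recovery procedure, confirm that the pending register is back to 0x2102 and that no finding remains once the router reloads.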
National Security Agency (NSA) Cisco Router Security Configuration Guides
The Router Security Configuration Guide (RSCG) contains principles and
guidance for the secure configuration of IP routers, with detailed
instructions for Cisco Systems routers. The RSCG was used extensively in the
development of the Cisco Router Security course.
This guide was developed in response to numerous questions and requests for
assistance received by the National Security Agency (NSA) System and Network
Attack Center (SNAC). The topics covered in the guide were selected on the
basis of customer interest, community consensus, and the SNAC’s background in
securing networks. The RSCG is a large, detailed, yet readable and accessible
document. It is supplemented with an Executive Summary Card, a quick checklist
for securing your Cisco router.
Routers direct and control much of the data flowing across computer networks.
The RSCG provides technical guidance intended to help network administrators
and security officers improve the security of their networks. Using the
information it presents, you can configure your routers to control access,
resist attacks, shield other network components, and even protect the
integrity and confidentiality of network traffic.
The goal of the guide is a simple one: to improve the security provided by
routers on US Government operational networks.
The RSCG is only a guide to recommended security settings for Internet
Protocol (IP) routers, particularly routers running Cisco Systems Internetwork
Operating System (IOS) versions 11 and 12. It is not meant to replace
well-designed policy or sound judgment, and it does not address site-specific
configuration issues. Take care when implementing the security steps it
specifies: test and review every step and procedure chosen from the guide
thoroughly before imposing it on an operational network.
Cisco Router Audit Tool (RAT)
The CIS RAT is based on the CIS Benchmark for Cisco IOS Routers, a
consensus-based best-practice guideline for hardening Cisco routers. Version
2.2 of RAT can score both Cisco IOS routers and PIX Security Appliances. RAT
is available for the Windows and UNIX operating systems. A sample RAT output
is shown in Figure . RAT optionally downloads the configurations of the
devices to be audited and then checks them against the settings defined in
the benchmark. For each configuration examined, it produces a report listing:
- Each rule checked, with a pass/fail result.
- A raw overall score.
- A weighted overall score (1-10).
- The commands that will correct the problems identified.
RAT also produces a composite report listing all rules (settings) checked on
all devices, with an overall score and recommendations for improving the
security of the routers, as shown in Figure .
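Added example (not RAT or Cisco code): a small Python auditor that works the way this section describes RAT and, earlier, AutoSecure. It matches a saved running-config against a rule set, scores it, and emits the commands that would fix each failed rule. The eight rules are a hypothetical subset modelled on settings the CIS IOS benchmark checks and AutoSecure applies; the weights, the scoring formula and the sample configuration are constructed for illustration and are not the benchmark's values.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str        # what the benchmark-style rule checks
    pattern: str     # regex matched against whole config lines
    required: bool   # True: a matching line must exist; False: none may exist
    weight: int      # illustrative importance, 1-10
    fix: str         # IOS command that brings the device into compliance


# Hypothetical rule set modelled on CIS IOS benchmark / AutoSecure settings.
# Patterns are anchored and unindented on purpose: IOS prints global
# commands at column 0 and sub-mode commands indented, so a leading space
# in a line means "not a global command".
RULES: List[Rule] = [
    Rule("enable secret configured", r"^enable secret ", True, 10,
         "enable secret <strong-secret>"),
    Rule("service password-encryption", r"^service password-encryption$", True, 5,
         "service password-encryption"),
    Rule("HTTP server disabled", r"^ip http server$", False, 8,
         "no ip http server"),
    Rule("IP source routing disabled", r"^no ip source-route$", True, 6,
         "no ip source-route"),
    Rule("CDP disabled globally", r"^no cdp run$", True, 3,
         "no cdp run"),
    Rule("TCP small servers disabled", r"^service tcp-small-servers$", False, 4,
         "no service tcp-small-servers"),
    Rule("finger disabled", r"^ip finger$", False, 3,
         "no ip finger"),
    Rule("PAD service disabled", r"^no service pad$", True, 2,
         "no service pad"),
]

# Constructed sample running-config (the secret hash is a placeholder).
SAMPLE_CONFIG = """\
!
version 12.4
service password-encryption
hostname lab-r1
!
enable secret 5 $1$EXAM$placeholder.hash.not.real
!
ip http server
ip domain name lab.example
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no cdp enable
!
line vty 0 4
 transport input telnet
!
end
"""


def check_rule(rule: Rule, lines: List[str]) -> bool:
    """True if the config satisfies the rule."""
    present = any(re.match(rule.pattern, line) for line in lines)
    return present if rule.required else not present


def audit(config_text: str, rules: List[Rule] = RULES) -> dict:
    """Score a configuration the way a RAT-style report does."""
    # rstrip only: leading indentation carries meaning (see RULES comment).
    lines = [line.rstrip() for line in config_text.splitlines()]
    results: List[Tuple[str, bool]] = [(r.name, check_rule(r, lines)) for r in rules]
    passed_weight = sum(r.weight for r, (_, ok) in zip(rules, results) if ok)
    max_weight = sum(r.weight for r in rules)
    # Illustrative 1-10 weighted score: integer rounding, never below 1.
    weighted = max(1, (10 * passed_weight + max_weight // 2) // max_weight)
    fixes = [r.fix for r, (_, ok) in zip(rules, results) if not ok]
    return {
        "results": results,
        "raw_score": passed_weight,
        "max_score": max_weight,
        "weighted_score": weighted,
        "fix_commands": fixes,
    }


def format_report(report: dict) -> str:
    """Plain-text report: rule list with pass/fail, scores, fix commands."""
    out = [f"{'PASS' if ok else 'FAIL'}  {name}" for name, ok in report["results"]]
    out.append(f"raw score: {report['raw_score']}/{report['max_score']}")
    out.append(f"weighted score (1-10): {report['weighted_score']}")
    if report["fix_commands"]:
        out.append("fix commands:")
        out.extend("  " + cmd for cmd in report["fix_commands"])
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(audit(SAMPLE_CONFIG)))
```

Note the interface-level no cdp enable in the sample does not satisfy the global CDP rule, which is the intended behaviour: a benchmark rule about a global setting must not be satisfied by a sub-mode command, so the patterns stay anchored at column 0. As with any such tool, the fix commands are recommendations to review, not commands to paste blindly.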