Security administrators concerned about locking down application servers often overlook routers. However, routers are a vital component of your IT infrastructure. Because routers usually sit outside a firewall and potential intruders can access them through the Internet, routers are probably more exposed than most of your servers. Often, the only device visible from outside your firewall is your Internet router, which might be running potentially vulnerable services such as SNMP, Finger, and HTTP. Intruders who gain access to your routers can establish a beachhead from which to launch more complex attacks on the demilitarized zone (DMZ) and internal LAN or take advantage of Denial of Service (DoS) opportunities.
You must review your routers to make sure they're at least minimally secure. Because most organizations have Cisco Systems devices somewhere on their network, such a review involves understanding the Cisco Internetwork Operating System (IOS). However, even security administrators well versed in Cisco IOS might find such a review daunting. Security scanners such as the Nessus open-source UNIX-based vulnerability scanner and the Internet Security Systems (ISS) scanner do some router auditing and provide some configuration suggestions for router security; however, such tools usually provide a superficial assessment and are geared more toward application servers such as email or Web servers. Fortunately, a free tool from the Center for Internet Security (CIS, http://www.cisecurity.org) can help you determine whether your router meets basic security requirements. . . .
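To make the kind of review described above concrete, here is a small added example (my own illustration, not the CIS tool or any code from the article) that scans a saved Cisco IOS configuration for the three services the article singles out as potentially vulnerable on an Internet router: Finger, the HTTP management server, and SNMP with well-known community strings. Both configurations are constructed samples; the check names, the regular expressions, and the `audit_config` function are assumptions of this example, and the IOS commands matched (`service finger`, `ip finger`, `ip http server`, `snmp-server community`) are real IOS syntax.

```python
import re
from typing import List

# Constructed sample IOS configuration (not a real device). The settings
# below deliberately leave the services the article names enabled.
WEAK_CONFIG = """\
version 12.2
hostname border-rtr
!
service finger
ip http server
snmp-server community public RO
snmp-server community private RW
!
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
!
end
"""

# Constructed hardened counterpart: the same services explicitly disabled.
HARDENED_CONFIG = """\
version 12.2
hostname border-rtr
!
no service finger
no ip http server
no snmp-server
!
end
"""

# Each check is (finding id, description, regex matching an *enabled* setting).
# Patterns are anchored to the start of the stripped line, so a "no ..."
# form of the same command never triggers a finding.
CHECKS = [
    ("finger-enabled",
     "Finger service is enabled (service finger / ip finger)",
     re.compile(r"^(service|ip) finger\b")),
    ("http-enabled",
     "HTTP management server is enabled (ip http server)",
     re.compile(r"^ip http server\b")),
    ("snmp-default-community",
     "SNMP uses a well-known community string (public/private)",
     re.compile(r"^snmp-server community (public|private)\b", re.IGNORECASE)),
    ("snmp-rw",
     "SNMP community grants read-write (RW) access",
     re.compile(r"^snmp-server community \S+ RW\b")),
]


def audit_config(config_text: str) -> List[str]:
    """Return the ids of insecure settings found in an IOS config, in
    the order they are first encountered."""
    findings: List[str] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or IOS comment/separator
        for finding_id, _desc, pattern in CHECKS:
            if pattern.search(line) and finding_id not in findings:
                findings.append(finding_id)
    return findings


def describe(findings: List[str]) -> List[str]:
    """Map finding ids to human-readable lines for a report."""
    lookup = {fid: desc for fid, desc, _ in CHECKS}
    return [f"{fid}: {lookup[fid]}" for fid in findings]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        report = describe(audit_config(cfg)) or ["no findings"]
        print(f"[{name}]")
        for entry in report:
            print("  " + entry)
```

Run against a configuration captured with `show running-config`, the weak sample yields four findings and the hardened sample none. A real audit tool covers far more (access lists on management interfaces, logging, password encryption), but the structure is the same: a list of patterns for settings that should be absent, applied line by line to the saved configuration.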