Security administrators concerned about locking down application servers often overlook routers. However, routers are a vital component of your IT infrastructure. Because routers usually sit outside a firewall and potential intruders can access them through the Internet, routers are probably more exposed than most of your servers. Often, the only device visible from outside your firewall is your Internet router, which might be running potentially vulnerable services such as SNMP, Finger, and HTTP. Intruders who gain access to your routers can establish a beachhead from which to launch more complex attacks on the demilitarized zone (DMZ) and internal LAN or take advantage of Denial of Service (DoS) opportunities.
You must review your routers to make sure they're at least minimally secure. Because most organizations have Cisco Systems devices somewhere on their network, such a review involves understanding the Cisco Internetwork Operating System (IOS) OS. However, even security administrators well versed in Cisco IOS might find such a review daunting. Security scanners such as the Nessus open-source UNIX-based vulnerability scanner and the Internet Security Systems (ISS) scanner do some router auditing and provide some configuration suggestions for router security; however, such tools usually provide a superficial assessment and are geared more toward application servers such as email or Web servers. Fortunately, a free tool from the Center for Internet Security (CIS—http://www.cisecurity.org) can help you determine whether your router meets basic security requirements.
Auditing Tool for Cisco Routers
CIS has released a free security benchmark and an audit tool for Cisco IOS routers (and for other devices running Cisco IOS). The Cisco IOS Router Benchmark provides a standard in an HTML document that indicates how your router should be configured according to the National Security Agency (NSA) guidelines; the Router Audit Tool (RAT—not to be confused with a Remote Access Trojan) is a Perl program that compares your router configuration with the benchmark and grades the configuration accordingly. You will need to provide some information about your organization to download the tool, and if you want to distribute it internally or use it to certify networks for profit, you must become a CIS member.
CIS is an independent organization that takes input from industry, government, and users to create standards and benchmarks that improve Internet security. Membership fees and contributions fund the organization, and volunteers perform much of its work. The members range from large corporations and organizations such as Intel, The American Institute of Certified Public Accountants (AICPA), and the SysAdmin, Audit, Network, and Security (SANS) Institute to small companies, user groups, and individuals.
RAT for Windows Offers Two Levels of Security
Until recently, RAT was reserved for UNIX users. However, with the release of RAT 1.1, CIS offers a Windows version. Other improvements in RAT 1.1 include an easier-to-use local configuration program that tunes the test to your configuration, an FAQ, the ability to load RAT without using a Perl subprogram called snarf (a program used to download configuration files in earlier RAT versions), and minor fixes and adjustments to the benchmark.
The Cisco IOS Router Benchmark is based on the NSA Router Security Configuration Guide, as are most of CIS's benchmarks. Therefore, most government and corporate entities accept that the benchmark settings represent a reasonably secure installation.
RAT is offline and nonintrusive. Because you don't run this scanning tool on a live router, you don't need to pick special times to run RAT and it can't crash your main Internet router. Because you can run RAT against a saved Cisco configuration file, the tool doesn't affect your production router.
The Cisco IOS Router Benchmark provides for two levels of security: Level 1, which is for typical usage and applies to most companies; and Level 2, which is for installations that require a higher security level and which also covers some nonstandard options and protocols such as Border Gateway Protocol (BGP) and IP Security (IPSec). The Level 1 benchmark represents minimum security for Internet-connected routers, according to NSA's standard for Cisco routers. You choose which level benchmark to use when you run the ncat_config, which I discuss in the next section.
To prepare to use RAT, you need to take some initial steps. First, install Perl if you don't already have it. Second, download and install RAT (with or without snarf). Third, run the ncat_config program to set up RAT for your network. Then you'll be ready to run RAT (with or without the snarf commands).
RAT comes with snarf, which automatically contacts your routers and downloads their configuration files. You don't have to use snarf, but it's useful for administrators who don't typically work with the Cisco IOS. If you want to use snarf, you'll need a valid logon and the administrator password (called the "enable" password in Cisco parlance), as well as the IP addresses for the routers.
As noted above, RAT requires that Perl be installed on your Windows machine. Although Perl is installed by default on most UNIX systems, most Windows machines don't have Perl, so you'll probably need to download and install it. CIS recommends ActiveState Perl 5.6.1 or later, which you can obtain at ActiveState's Web site (http://www.activestate.com). Because Perl is free and other programs use it, it's a generally useful tool. You must also use the Comprehensive Perl Archive Network (CPAN—http://www.perl.com/CPAN), the global repository for Perl code, utilities, FAQs, documentation, and distribution to download a couple of extra libraries for Perl. CPAN lets you automatically download and install the required Perl libraries with little hassle. After you download and install Perl, to download the additional libraries required for snarf to work, go to a DOS prompt and type
ppm install Net-Telnet
ppm install Net-Telnet-Cisco
The CPAN repository downloads and installs the extra libraries for you. If you don't plan to have RAT download the configuration files for you, you can skip these commands. (If RAT doesn't download the files, you need to download them manually through Trivial FTP (TFTP) or a similar utility.) If you aren't familiar with IOS or don't have a Cisco technician to assist you, I strongly recommend using snarf to avoid inadvertently affecting your router.
You're ready to install RAT. Download RAT from the CIS site, unzip the program, and at the DOS prompt, type
perl winmake.pl PATH
where you replace PATH with the path to the directory in which you want to install RAT. I recommend that you create a directory for RAT that's different from the directory into which you unpacked the program. When I tried to place RAT in the same directory, I received an error message. If you don't plan to use snarf to download the configuration files, type
perl winmake.pl --nosnarf
Alternatively, you can use the install.bat file, which automates entering these commands for you.
After RAT installs, you must run the ncat_config program to set up RAT for your routers. To do so, type
perl ncat_config
at the DOS prompt in the main RAT directory's /bin subdirectory. The ncat_config program asks you several questions about your network and uses that information to customize the test to your environment (e.g., whether you're running a Network Time server, whether you use other optional settings). If you're unsure about the answers, you can type ? at the prompt to get a more complete explanation of each parameter, or you can simply accept the default, which should work well for most configurations. Now, you're ready to test your router or routers against the Cisco IOS Router Benchmark.
To test your router configuration against the benchmark, go to the main RAT directory's /bin subdirectory. Type
perl rat CONFIGFILE
replacing CONFIGFILE with the name and path of your configuration file. If you don't have the configuration file locally and want to use the snarf utility to download it instead, type the following command at the prompt:
perl rat CONFIGFILE -snarf -user USERNAME -userpw USERPASSWORD -enablepw ENABLEPASSWORD IPADDR-OF-ROUTER
replacing the terms in capital letters with the appropriate information for your router. If you want to benchmark multiple routers, you can include multiple IP addresses separated by commas. If you don't know the IP addresses, you can use Fully Qualified Domain Names (FQDNs) such as router1.example.com. If you leave the snarf variables blank, the program will prompt you for each entry as it attempts to log on to each device.
The RAT Report
After RAT runs, the tool creates seven files. Table 1 lists the files and their descriptions. I installed and tested RAT against a Cisco 2600 router, a fairly simple router that might not have some of the features and complexities of larger core routers. However, the Level 1 rules apply to every router.
The all.html file, which Figure 1 shows, is an HTML report that lists each rule and shows whether the router includes that rule. Pass means that the router contains the rule; fail means that it doesn't. The RAT tool weights each rule on a scale of 1 to 10, with rules whose absence could create large security holes rated at the top of the scale. Rules that involve minor security concerns rate near the bottom of the scale. Basically, the weighted scale ensures that your router won't fail the test if it's missing only a few minor rules. The report displays failed rules in red. It also adds the results of the rules testing and gives each router a total score. The first 11 rules, most of which involve logon security, have the greatest weight. The report also gives you the configuration file line numbers for each rule tested, so you can easily find the failed rules in the configuration file.
Toward the bottom of the All report is a summary of how each device scored, which Figure 2 shows. The report gives the score both as a raw percentage of rules passed and as a weighted score that takes into account the value of each rule.
Below the summary, RAT creates a script that gives you the exact configuration lines to enter to remedy the listed deficiencies. I don't recommend ever blindly entering configuration lines, especially if you're not familiar with Cisco. Review the lines before you enter them, and have your Cisco technical support person available to help ensure that the configuration lines won't cause problems with the usual operation of the router. In fact, you might want to give the report to your Cisco technical support person to review and to enter any necessary configuration lines.
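As an added example (not CIS code and not the real benchmark), a miniature offline audit in Python of the kind RAT performs on a saved configuration: it checks the config against a handful of hypothetical weighted rules, reports pass or fail with the matching config line numbers, computes both a raw and a weighted score, and emits a remediation script. The rule set, the weights and the sample IOS config are constructed for illustration only.

```python
import re
from typing import NamedTuple

class Rule(NamedTuple):
    name: str
    weight: int   # 1 (minor) to 10 (serious), the scale RAT uses for its rules
    kind: str     # "require": some config line must match; "forbid": no line may match
    pattern: str  # regex applied to each stripped config line
    fix: str      # IOS line added to the remediation script when the rule fails

# Hypothetical rules for illustration; the CIS benchmark's actual rules and weights differ.
RULES = [
    Rule("enable secret configured", 10, "require", r"^enable secret ", "enable secret <STRONG-SECRET>"),
    Rule("passwords encrypted", 9, "require", r"^service password-encryption$", "service password-encryption"),
    Rule("no public SNMP community", 8, "forbid", r"^snmp-server community public\b", "no snmp-server community public"),
    Rule("finger disabled", 6, "require", r"^no ip finger$", "no ip finger"),
    Rule("HTTP server disabled", 6, "require", r"^no ip http server$", "no ip http server"),
    Rule("NTP server configured", 1, "require", r"^ntp server ", "ntp server <NTP-SERVER-IP>"),
]

# Constructed sample of a saved IOS configuration (not from a real device).
SAMPLE_CONFIG = """\
version 12.2
service password-encryption
hostname edge-rtr
enable secret 5 $1$abcd$constructedhashvalue
ip http server
no ip finger
snmp-server community public RO
"""

def audit(config_text):
    """Grade a saved config offline. Returns (results, raw_pct, weighted_pct, fixes);
    each result is (rule name, weight, passed, matching config line numbers)."""
    lines = config_text.splitlines()
    results = []
    for rule in RULES:
        hits = [n for n, line in enumerate(lines, 1) if re.match(rule.pattern, line.strip())]
        passed = bool(hits) if rule.kind == "require" else not hits
        results.append((rule.name, rule.weight, passed, hits))
    raw = 100.0 * sum(1 for r in results if r[2]) / len(results)
    weighted = 100.0 * sum(r[1] for r in results if r[2]) / sum(r.weight for r in RULES)
    fixes = [rule.fix for rule, r in zip(RULES, results) if not r[2]]
    return results, raw, weighted, fixes

if __name__ == "__main__":
    results, raw, weighted, fixes = audit(SAMPLE_CONFIG)
    for name, weight, passed, hits in results:
        print("PASS" if passed else "FAIL", weight, name, hits)
    print(f"raw {raw:.1f}%  weighted {weighted:.1f}%  fixes: {fixes}")
```

The sample fails three of six rules for a raw score of 50%, but because the failures carry less weight than the passes the weighted score is 62.5%, which is the distinction the RAT summary draws.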
Routers are notoriously tricky devices to configure in the first place, much less to keep secure. Many administrators are happy to ignore routers that don't cause obvious problems. However, routers are often the gateway to your network. In many cases, routers perform the Network Address Translation (NAT) that protects your internal IP addresses from the outside world. In addition, your Internet router controls your connection to the world, so keeping it secure is important. Visit the CIS Web site, download RAT, and discover how secure your Cisco routers are.