Router Audit Tool and Benchmark

Presentation transcript:

Router Audit Tool and Benchmark February 20, 2002 George M. Jones 9/18/2018 © 2002, George M. Jones

Introduction
Subject: Router Audit Tool and Benchmark
Premise: “The network is the computer”
Corollary: Routers are the network.
Audience: Network Engineers and Technical Security Auditors

Problems Solved
Lack of Cisco IOS benchmark.
Lack of audit tool for IOS.
Difficulty maintaining consistency.
Difficulty detecting changes.
Need to quickly fix incorrect settings.
Need for reporting and customization.
Need to check non-IOS devices.

Problems Not Solved
Management issues.
Poor operations practices.
Problems in vendor code.
Problems inherent to protocols.
Host-based problems (viruses, Code Red, …).
Bandwidth-based DoS attacks.
New vulnerabilities.
Local configuration choices.
The need for competence and vigilance.

Approach
Perl: “There’s more than one way to do it.”
Start with “good” config.
Define rules.
Write a program to compare rules & configs.
Rules forbid/require certain strings/patterns.
CSV-like output and HTML reports.

The Router Audit Tool (rat)
Four Perl programs:
  snarf: pulls configs
  ncat: reads rules & configs, writes CSVish output
  ncat_report: reads CSVish files, writes HTML
  rat: the program you run. Runs the other programs.

A Quick Example
Define a rule to forbid SNMP read-write community string “private”:

  RuleName:IOS - forbid SNMP community private
  RuleClass:default,access
  RuleVersion:version 1[12]\.*
  RuleContext:Global
  RuleType:Forbidden
  RuleMatch:snmp community private
  RuleImportance:10
  RuleDescription:Don't use default SNMP community strings.\
  SNMP allows management and monitoring of networked devices.\
  "private" is a well know default community string.\
  It should not be used

Running the tool:

  rat --nosnarf border-router.txt vpn-gateway-router.txt
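The compare step from the Approach slide, applied to rules laid out like the one in the Quick Example, as an added Python example (it is not the Perl code of rat or ncat). The rule text, the `Required` rule type, the match patterns (which use the IOS command spelling `snmp-server community`) and the router configs are constructed for illustration.

```python
import re

# Constructed rules in the slide's field layout; patterns, rule 2 and "Required" are assumptions.
RULES = r"""
RuleName:IOS - forbid SNMP community private
RuleVersion:version 1[12]\.*
RuleType:Forbidden
RuleMatch:^snmp-server community private( |$)
RuleImportance:10
RuleDescription:Don't use default SNMP community strings.\
 "private" is a well known default community string.

RuleName:IOS - require log timestamps
RuleVersion:version 1[12]\.*
RuleType:Required
RuleMatch:^service timestamps log
RuleImportance:5
"""

# Constructed configs; the first two are named after the files in the slide's command line.
CONFIGS = {
    "border-router.txt": "version 12.2\nservice timestamps log datetime\n"
                         "snmp-server community private RW\n",
    "vpn-gateway-router.txt": "version 12.0\nsnmp-server community private-lab RO 10\n",
    "legacy-router.txt": "version 10.3\nsnmp-server community private RW\n",
}

def parse_rules(text):
    """Split blank-line-separated rules into dicts, joining '\\' continuation lines."""
    blocks = re.split(r"\n\s*\n", text.strip())
    return [dict(ln.split(":", 1) for ln in re.sub(r"\\\n\s*", " ", b).splitlines())
            for b in blocks]

def audit(device, config, rules):
    """Return CSV-like rows: result, importance, rule name, device, offending line."""
    lines, rows = config.splitlines(), []
    for rule in rules:
        if not any(re.search(rule["RuleVersion"], ln) for ln in lines):
            continue  # rule is not written for this IOS version, so it is skipped
        hits = [ln for ln in lines if re.search(rule["RuleMatch"], ln)]
        failed = bool(hits) if rule["RuleType"] == "Forbidden" else not hits
        rows.append(("fail" if failed else "pass", int(rule["RuleImportance"]),
                     rule["RuleName"], device, hits[0] if failed and hits else ""))
    return rows

if __name__ == "__main__":
    for device, config in CONFIGS.items():
        for row in audit(device, config, parse_rules(RULES)):
            print(",".join(map(str, row)))
```

The `( |$)` at the end of the forbid pattern keeps a longer community name such as `private-lab` from being reported, and the version 10.3 config produces no rows because neither rule's `RuleVersion` matches it.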

Sample Output

The Benchmark
Defines what to check.
Based on NSA Router Security Configuration Guide.
“Level 1” = Default, “Level 2” = Optional.
Basic checks, baseline for all routers.
Some sites will need more optional rules.

The Rules
Designed to protect the router itself.
Four classes: services, access, logging, routing.
59 rules. 5 IOS 11 specific. 4 IOS 12 specific.

SNMP Rules
Major SNMP vulnerabilities outlined in CERT Advisory CA-2002-03.
RAT rules address this:
  Disable SNMP
  Forbid SNMP community public/private
  Forbid SNMP without ACLs
  Ingress/egress filters

More SNMP Defenses
Upgrade to patched IOS version.
Filter all SNMP at border (ingress):
  access-list 123 deny udp any any eq snmp
  access-list 123 deny udp any any eq snmptrap
Change community strings.
Permit only known hosts to poll:
  access-list 123 permit udp host 1.2.3.4 any eq snmp
  (IOS matches access-list entries top-down, so in a single list this permit must come before the deny lines.)

Using the Tool and Benchmark
Using “as is”:
  Minimum standards
  Scoring
  Fix problems found
Customizing:
  Changing headings
  Modifying rules
  Adding rules/new devices

Example: index page

Example: Single Report

Example: Combined Report

Future Work
More rules.
Other devices.
Better integration with Config Guide.
Windows port?
Any volunteers?

Related Work
UUNET net-sec config checker (unpub.)
Cisco Netsys Baseliner (discontinued)
NSA Router Security Configuration Guide: http://nsa2.conxion.com/Cisco/download.htm
Improving Security on Cisco Routers: http://www.cisco.com/warp/public/707/21.html
http://www.cymru.com/~robt/Docs/Articles/

Credits
NSA Information Assurance Directorate: produced the Router Security Configuration Guide. Neal Ziring, the editor, has been very helpful.
John Stewart, Digital Island/Exodus: much help with Perl, CVS, install process.
Eric Brandwine and Jared Allison: UUNET net-sec config checker.
Mark Krause & Neil Kirr, UUNET, Clint Kreitner, CIS, Alan Paller, SANS: for encouraging and supporting the work.

Availability and Feedback
The tool and benchmark are available for public download from http://www.cisecurity.org/
Feedback:
  rat-feedback@cisecurity.org
  rat-announce[-subscribe]@cisecurity.org
  rat-users[-subscribe]@cisecurity.org
Questions?