March 21, 2010

Free Tool Helps Users Secure Cisco Routers

The SANS Institute and the Center for Internet Security this week released a free benchmark and audit tool to help users ensure their Cisco routers are configured with proper security settings.

The tool was jointly developed by the US National Security Agency, UUNET and Digital Island, Inc., in conjunction with SANS and the CIS. Named simply the Router Audit Tool (RAT), it is designed to provide a minimum security baseline for Cisco routers and a means of testing against that baseline.

If you accept the idea that the network is the computer, then "the router is the network," says George Jones, a network security expert at UUNET and one of the chief authors of the tool. "If a router gets compromised, there is a high probability that your entire network will lose connectivity to the Internet, that your data center will lose connectivity or your entire network will go down."

While the first version of RAT focuses on Cisco routers because of their massive installed base, Jones noted that RAT is essentially an engine that can be used with any device whose configuration is a text file. He is already using it to check configurations on Cisco Catalyst switches, and work is under way to define benchmarks for other devices.

RAT is written in Perl and runs on Unix or Linux systems. It includes four programs: one that pulls configuration files down from the router for audit; one that reads the rules and the configurations, checks each configuration against the rules, and produces comma-separated value (CSV) output; a reporting program that turns that output into HTML reports; and the driver program that users actually run. The tool can audit configurations pulled live from the router or configuration files already saved on disk.

The program comes with predefined rules intended to ensure that a router meets the NSA's Router Security Configuration Guideline, a security benchmark for routers. Additional, optional rules are also included. The rules are essentially designed to protect the router, Jones says, by defining what services it is allowed to run, who can access it, what events or data gets logged and what type of packets should be dropped. The tool can be used as-is or can be customized to meet specific needs, such as by adding new rules.
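The two paragraphs above describe RAT's pipeline (pull a text configuration, check it against a rule set, emit CSV for a report stage) and the kinds of rule it carries (which services run, who may log in, what is logged). The following is an added example written for this page, not RAT's own code and not its shipped rule set: a small rule engine over a Cisco IOS configuration. The sample configuration is constructed, and the rule names and patterns are assumptions chosen to resemble common router-hardening checks rather than any specific line of the NSA guide; a real deployment would encode the benchmark's actual requirements.

```python
"""Minimal rule-driven audit of a Cisco IOS text configuration.

Illustrative example only: the rules below are assumptions chosen to resemble
common router-hardening checks, not RAT's shipped rule set or the NSA guide.
"""
import csv
import io
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
version 12.4
service timestamps log datetime msec
no service password-encryption
hostname edge-rtr-01
!
enable secret 5 $1$abcd$XXXXXXXXXXXXXXXXXXXXXX
!
no ip http server
ip source-route
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
logging 192.0.2.10
snmp-server community public RO
!
line con 0
 password 7 0822455D0A16
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input telnet
!
end
"""


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str                    # regex matched against one whole config line
    required: bool                  # True: line must be present; False: must be absent
    section: Optional[str] = None   # None = global lines; else a block-header prefix


# Assumed rule set; the names and patterns are this example's own.
RULES = [
    Rule("password-encryption", r"^service password-encryption$", True),
    Rule("enable-secret", r"^enable secret ", True),
    Rule("no-http-server", r"^no ip http server$", True),
    Rule("no-source-route", r"^no ip source-route$", True),
    Rule("logging-host", r"^logging (host )?\d+\.\d+\.\d+\.\d+$", True),
    Rule("no-default-snmp", r"^snmp-server community (public|private)\b", False),
    Rule("vty-access-class", r"^access-class \d+ in$", True, "line vty"),
    Rule("vty-ssh-only", r"^transport input ssh$", True, "line vty"),
]


def parse_config(text):
    """Split an IOS config into (global_lines, blocks).

    Indented lines belong to the most recent unindented line, which acts as
    the block header (e.g. 'interface ...', 'line vty 0 4'). '!' is dropped.
    """
    global_lines, blocks = [], []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
            continue
        global_lines.append(raw.strip())
        blocks.append((raw.strip(), []))
    return global_lines, blocks


def check_rule(rule, global_lines, blocks):
    """Evaluate one rule; return (status, detail)."""
    rx = re.compile(rule.pattern)
    if rule.section is None:
        hit = any(rx.search(line) for line in global_lines)
        ok = hit if rule.required else not hit
        return ("PASS" if ok else "FAIL", "global")
    # Section rules must hold in every block whose header matches the prefix.
    targets = [(h, body) for h, body in blocks if h.startswith(rule.section)]
    if not targets:
        return ("FAIL", "no '%s' block found" % rule.section)
    bad = [h for h, body in targets
           if any(rx.search(line) for line in body) != rule.required]
    return ("PASS" if not bad else "FAIL", "; ".join(bad) or "all blocks")


def audit(text, rules=RULES):
    """Run every rule over a config; return [(rule name, status, detail)]."""
    global_lines, blocks = parse_config(text)
    return [(r.name, *check_rule(r, global_lines, blocks)) for r in rules]


def to_csv(findings):
    """Render findings as CSV text, the hand-off format to a reporting stage."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["rule", "status", "detail"])
    writer.writerows(findings)
    return buf.getvalue()


def score(findings):
    """Return (rules passed, rules checked)."""
    return sum(1 for _, status, _ in findings if status == "PASS"), len(findings)


if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG)
    print(to_csv(results), end="")
    print("passed %d of %d rules" % score(results))
```

Against the constructed configuration this passes three of eight rules; the failures name the offending block (`line vty 5 15` still accepts telnet and has no access-class), which is what makes the CSV useful to whoever has to fix the router. Two limitations worth knowing before reusing the pattern: `show running-config` omits settings that are at their IOS default, so a check that only looks for explicit lines, as this one does, cannot tell "left at default" from "deliberately set", and a serious rule set has to encode the default per IOS version; and anchored regexes over whole lines are deliberately strict, so a rule should be tested against both a failing and a hardened configuration before it is trusted.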

Jones noted that more default rules will be forthcoming as developers find additional potential vulnerabilities that are common to most installations. Rules for devices other than Cisco routers are also a possibility. A Windows-based version of the tool is likely to be available within weeks.

As users develop new rules, Jones encourages them to share their work by sending email to rat-feedback@cisecurity.org. RAT is available for download from CIS at www.cisecurity.org.
