
Brst – Border Router Security Tool

BRST Overview

  • Originally titled the Cisco Router Security Tool (CRST), it was a Master’s Project for Ted LeRoy’s Information Technology Program at RIT.
  • Why border routers? They are outside the corporate network, they are exposed to the Internet, and they are sometimes overlooked by administrators.
  • Telnet, if enabled, is only accessible from inside interface. User must VPN into network, then access router.
  • Transcript

    • 1. BRST – Border Router Security Tool
      Ted LeRoy
    • 2. Outline
      What is the BRST?
      Target Users and Topologies
      Default Cisco Router install example
      Before BRST nmap scan
      Router Security
      Disable Unneeded Services
      Enable Helpful Services
      Control Access
      Configure Anti-spoofing
      Logging
      Demo
      BRST Generated Configuration Example
      Nmap scan after using BRST
      References
      Copyright 2010 Theodore LeRoy GPLv3
    • 3. What is the BRST?
      The BRST is a web-based utility
      Answer questions on web form
      Click Submit
      Receive secure configuration via web
      Cut and paste into terminal session
      Copyright 2010 Theodore LeRoy GPLv3
    • 4. Target Users and Topologies
      Target Users
      Network Administrators
      May or may not have Cisco experience
      Target Topologies
      Border routers
      Routers between Firewall and Internet Service Provider
      Concepts can be carried over to larger infrastructures
      Copyright 2010 Theodore LeRoy GPLv3
    • 5. Default Cisco Router Install
      Basic Router Config
      IP Addresses/Subnet Masks on Inside and Outside interfaces
      IP Subnet Zero
      IP Classless
      Default Gateway
      Username & Password
      VTY Access & Password
      Ping from inside outward to ensure connectivity
      Copyright 2010 Theodore LeRoy GPLv3
      version 12.3
      service timestamps debug datetime msec
      service timestamps log datetime msec
      no service password-encryption
      !
      hostname Router
      !
      boot-start-marker
      boot-end-marker
      !
      no logging console
      no logging monitor
      !
      no aaa new-model
      ip subnet-zero
      !
      username tleroy password 0 Secret
      !
      interface Ethernet0
      ip address 4.4.4.2 255.255.255.252
      !
      interface Serial0
      ip address 6.6.6.1 255.255.255.252
      shutdown
      service-module 56k clock source line
      service-module 56k network-type dds
      !
      ip classless
      ip route 0.0.0.0 0.0.0.0 4.4.4.1
      no ip http server
      !
      line con 0
      line vty 0 4
      login
      !
      end
    • 6. Nmap Scan
      Before running BRST
      Nmap scan reveals several open ports
      More open ports may be visible on older code versions
      NMAP Scan Here
      Banner grabbing can also be effective on an insecure router
      Telnet, SSH, HTTP, finger, daytime
      Copyright 2010 Theodore LeRoy GPLv3
    • 7. Router Security
      Disable Unneeded Services
      Global Services
      Interface Services
      CDP/Yersinia Example
      Enable Helpful Services
      SSH Authentication Retries Example
      Control Access
      Disable Aux Port
      Secure Console Port Access
      Secure Virtual Terminal (vty) Access
      Copyright 2010 Theodore LeRoy GPLv3
    • 8. Router Security (continued)
      Configure Anti-spoofing
      Null-route BOGON and Martian Addresses (if not in use on router)
      Anti-spoofing Access Control Lists (ACLs) on interfaces
      Internal IPs should not enter from the outside interface
      Logging
      Syslog messages to secure server using a DMZ interface on router
      Other options:
      Send syslog messages to DMZ on firewall
      Local logging only (all logs lost on reboot!)
      Copyright 2010 Theodore LeRoy GPLv3
    • 9. Live Demo
      Using BRST to secure a Cisco Router
      Set delay for TeraTerm (COM flow too fast for older hardware)
      ! Border Router Security Tool (BRST) Recommended Configuration
      ! Start Copying Config File Here !
      ! Enter the following router commands exactly as shown.
      !
      ! You may copy and paste directly from the results that appear into
      ! the router configuration using your terminal emulation software.
      !
      ! Comments are preceded by an !. They will be ignored by the router.
      !
      !
      ! global router commands
      !
      ! Watch for WARNINGS in the Configuration the BRST provides.
      ! If you see a WARNING, read the warning, click your Browser's
      ! back button, correct the error, and click "Submit" again.
      !
      ! Entering Global Configuration mode.
      !
      configure terminal
      !
      ip subnet-zero
      ip classless
      !
      ! default route
      ip route 0.0.0.0 0.0.0.0 1.1.1.1
      !
      !
      ! Section 1: Unneeded Services
      !
      Copyright 2010 Theodore LeRoy GPLv3
    • 10. Post BRST Config
      Disabled many services
      No ip unreachables
      No ip redirects
      Enabled positive services
      tcp-keepalives in and out
      SSH timeout
      Configured secure access
      SSH if available
      Telnet only from certain hosts if not
      Configured anti-spoofing
      Null routing of BOGONs
      Enabled logging
      Copyright 2010 Theodore LeRoy GPLv3
      show run
      Building configuration...
      Current configuration : 3361 bytes
      !
      version 12.3
      no service pad
      service tcp-keepalives-in
      service tcp-keepalives-out
      service timestamps debug datetime msec
      service timestamps log datetime msec
      service password-encryption
      no service dhcp
      !
      hostname Router
      !
      boot-start-marker
      boot-end-marker
      !
      logging buffered 4096 informational
      no logging console
      no logging monitor
      enable secret 5 $1$YLJj$O5nh6cmiNdspYsbEctgEa.
      !
      aaa new-model
      !
      !
      aaa authentication login default local
      aaa session-id common
      ip subnet-zero
      no ip source-route
      no ip gratuitous-arps
      ip options drop
      !
      username tleroy password 7 15210E0F162F3F
      !
      interface Loopback0
      ip address 10.0.0.1 255.255.255.255
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      !
      interface Null0
      no ip unreachables
      !
      interface Ethernet0
      ip address 2.2.2.1 255.255.255.252
      ip access-group firewall_in in
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      no cdp enable… Output truncated
    • 11. Nmap Scan
      After running BRST
      Nmap scan reveals no open ports
      OS Detection is more ambiguous
      NMAP Scan Here
      Banner grabbing much less effective
      No Telnet or HTTP Access
      SSH only from inside interface (VPN then SSH)
      Disabled services will not leak information
      Copyright 2010 Theodore LeRoy GPLv3
    • 12. References
      U.S. National Security Agency System and Network Attack Center (NSA SNAC) Guide
      Router Security Configuration Guide
      http://www.nsa.gov/ia/_files/routers/C4-040R-02.pdf
      Cisco Guide to Harden Cisco IOS Devices
      http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
      Team Cymru’s Secure IOS Template
      http://www.cymru.com/Documents/secure-ios-template.html
      “Hardening Cisco Routers,” O’Reilly Media, Akin, Thomas, February 2002
      Copyright 2010 Theodore LeRoy GPLv3
    • 13. Disclaimer
      This software is not sponsored by, endorsed by or affiliated with Cisco Systems, Inc. Cisco, Cisco Systems, and IOS are registered trademarks of Cisco Systems, Inc. in the USA and certain other countries. All other trademarks are trademarks of their respective owners.
      BRST - Border Router Security Tool, Helps administrators secure their border routers.
      Copyright © 2008 Ted LeRoy
      This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
      This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.
      A local copy of the license can be found at copying.
      theodore.leroy_at_yahoo_dot_com
      Source code can be obtained at: https://sourceforge.net/projects/borderroutersec/
      Copyright 2010 Theodore LeRoy GPLv3

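As an added worked example (not BRST's own code) of the anti-spoofing step on slide 8 and of the generate-then-paste approach on slide 3: a small Python generator that emits null routes for bogon/martian space not in use on the router, plus an inbound ACL for the outside interface that drops packets claiming internal or bogon source addresses. The bogon list, the internal prefix and the interface name are constructed assumptions; the ACL name `firewall_in` is the one shown in the post-BRST configuration.

```python
import ipaddress

# Constructed minimal bogon/martian set (assumption, not BRST's list):
# "this" network, RFC 1918, loopback, link-local, multicast, reserved.
BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
]


def null_routes(router_prefixes):
    """Static Null0 routes for every bogon that does not overlap an
    address the router itself uses (slide 8: "if not in use on router")."""
    used = [ipaddress.ip_network(p, strict=False) for p in router_prefixes]
    lines = ["! null-route BOGON and Martian addresses"]
    for b in BOGONS:
        net = ipaddress.ip_network(b)
        if any(net.overlaps(u) for u in used):
            lines.append(f"! skipped {b}: in use on this router")
            continue
        lines.append(f"ip route {net.network_address} {net.netmask} Null0")
    return lines


def antispoof_acl(name, internal_prefixes, outside_if):
    """Extended ACL applied inbound on the outside interface: deny and log
    sources that claim internal or bogon space, permit everything else.
    IOS ACLs use wildcard (host) masks, hence net.hostmask."""
    lines = [f"ip access-list extended {name}"]
    for p in list(internal_prefixes) + BOGONS:
        net = ipaddress.ip_network(p, strict=False)
        lines.append(f" deny ip {net.network_address} {net.hostmask} any log")
    lines.append(" permit ip any any")
    lines += [f"interface {outside_if}", f" ip access-group {name} in"]
    return lines


def generate(internal_prefixes, outside_if, acl_name="firewall_in"):
    """Full anti-spoofing section, ready to paste into a terminal session."""
    body = null_routes(internal_prefixes) + ["!"]
    body += antispoof_acl(acl_name, internal_prefixes, outside_if)
    return "\n".join(body)


if __name__ == "__main__":
    # Constructed sample: RFC 1918 inside network, outside interface Ethernet0.
    print(generate(["192.168.1.0/24"], "Ethernet0"))
```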