BRST – Border Router Security Tool
Ted LeRoy

Outline
  What is the BRST?
  Target Users and Topologies
  Default Cisco Router install example
  Before BRST nmap scan
  Router Security
    Disable Unneeded Services
    Enable Helpful Services
    Control Access
    Configure Anti-spoofing
    Logging
  Demo
  BRST Generated Configuration Example
  Nmap scan after using BRST
  References
Copyright 2010 Theodore LeRoy   GPLv3
What is the BRST?
  The BRST is a web-based utility
  Answer questions on a web form
  Click Submit
  Receive a secure configuration via the web
  Cut and paste it into a terminal session

Target Users and Topologies
  Target Users
    Network Administrators
    May or may not have Cisco experience
  Target Topologies
    Border routers
    Routers between the Firewall and the Internet Service Provider
    Concepts can be carried over to larger infrastructures
Default Cisco Router Install
  Basic Router Config
    IP Addresses/Subnet Masks on Inside and Outside interfaces
    IP Subnet Zero
    IP Classless
    Default Gateway
    Username & Password
    VTY Access & Password
  Ping from inside outward to ensure connectivity

  Running configuration after the default install:

    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    no logging console
    no logging monitor
    !
    no aaa new-model
    ip subnet-zero
    !
    username tleroy password 0 Secret
    !
    interface Ethernet0
     ip address 4.4.4.2 255.255.255.252
    !
    interface Serial0
     ip address 6.6.6.1 255.255.255.252
     shutdown
     service-module 56k clock source line
     service-module 56k network-type dds
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 4.4.4.1
    no ip http server
    !
    line con 0
    line vty 0 4
     login
    !
    end
Nmap Scan Before running BRST
  Nmap scan reveals several open ports
  More open ports may be visible on older code versions
  [Nmap scan output shown on slide]
  Banner grabbing can also be effective on an insecure router
    Telnet, SSH, HTTP, finger, daytime
Router Security
  Disable Unneeded Services
    Global Services
    Interface Services
    CDP/Yersinia Example
  Enable Helpful Services
    SSH
    Authentication Retries Example
  Control Access
    Disable Aux Port
    Secure Console Port Access
    Secure Virtual Terminal (vty) Access
Router Security (continued)
  Configure Anti-spoofing
    Null-route BOGON and Martian Addresses (if not in use on router)
    Anti-spoofing Access Control Lists (ACLs) on interfaces
      Internal IPs should not enter from the outside interface
  Logging
    Syslog messages to a secure server using a DMZ interface on the router
    Other options:
      Send syslog messages to the DMZ on the firewall
      Local logging only (all logs lost on reboot!)
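The two anti-spoofing items on this slide, null routes for bogon/martian prefixes and an inbound ACL on the outside interface, as an added worked example in Python. This is illustration code, not BRST's own generator. It takes the outside address 2.2.2.1/30, the Loopback0 address 10.0.0.1/32 and the ACL name firewall_in from the deck's post-BRST configuration; the inside network 192.168.10.0/24 and the short bogon list are constructed. It implements the slide's "if not in use on router" caveat: a bogon prefix that overlaps a range the router actually uses (here 10.0.0.0/8 because of the loopback, and 192.168.0.0/16 because of the inside network) is reported and skipped rather than blackholed.

```python
"""Generate the anti-spoofing pieces the slide describes: Null0 routes for
bogon/martian prefixes the router does not itself use, and an inbound ACL on
the outside interface that drops packets claiming an internal source.
Added illustration, not BRST's own generator. Addresses from the slides:
outside 2.2.2.1/30, Loopback0 10.0.0.1/32, ACL name firewall_in; the inside
network 192.168.10.0/24 and the bogon list are constructed."""
import ipaddress
from typing import Iterable, List, Tuple

# Short constructed bogon/martian list; a real deployment tracks a maintained one.
BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
          "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
          "224.0.0.0/4", "240.0.0.0/4"]
IN_USE = ["2.2.2.0/30", "10.0.0.1/32", "192.168.10.0/24"]  # outside, loopback, inside


def null_routes(bogons: Iterable[str], in_use: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (route lines, skipped prefixes). A bogon that overlaps a range
    the router uses is skipped rather than null-routed, which is the slide's
    'if not in use on router' caveat: a Null0 route covering your own loopback
    or inside range would blackhole traffic to every part of that range not
    covered by a more specific route."""
    used = [ipaddress.ip_network(n, strict=False) for n in in_use]
    routes, skipped = [], []
    for b in bogons:
        net = ipaddress.ip_network(b)
        if any(net.overlaps(u) for u in used):
            skipped.append(str(net))
        else:
            routes.append(f"ip route {net.network_address} {net.netmask} Null0")
    return routes, skipped


def antispoof_acl(name: str, internal: Iterable[str], outside_addr: str) -> List[str]:
    """Inbound ACL for the outside interface: a packet arriving from the
    Internet with an internal source, or with the router's own outside
    address as its source, is spoofed. Deny and log those, permit the rest
    (stateful filtering is the firewall's job behind this router)."""
    acl = [f"ip access-list extended {name}"]
    for n in list(internal) + [outside_addr]:
        net = ipaddress.ip_network(n, strict=False)
        acl.append(f" deny ip {net.network_address} {net.hostmask} any log")
    acl.append(" permit ip any any")
    return acl


def render(interface: str) -> str:
    """Assemble the snippet an administrator would paste into config mode."""
    routes, skipped = null_routes(BOGONS, IN_USE)
    lines = ["! Null-route bogons not in use on this router"] + routes
    lines += [f"! skipped (in use on router): {s}" for s in skipped]
    lines += antispoof_acl("firewall_in", ["192.168.10.0/24"], "2.2.2.1")
    lines += [f"interface {interface}", " ip access-group firewall_in in"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render("Ethernet0"))
```

The ACL denies only the router's own outside address as a source, not the whole /30, because the ISP's side of that link is a legitimate source for ICMP and routing traffic.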
Live Demo
  Using BRST to secure a Cisco Router
  Set delay for TeraTerm (COM flow too fast for older hardware)

  Beginning of the BRST-generated configuration:

    ! Border Router Security Tool (BRST) Recommended Configuration
    ! Start Copying Config File Here
    !
    ! Enter the following router commands exactly as shown.
    !
    ! You may copy and paste directly from the results that appear into
    ! the router configuration using your terminal emulation software.
    !
    ! Comments are preceded by an !. They will be ignored by the router.
    !
    !! global router commands
    !
    ! Watch for WARNINGS in the Configuration the BRST provides.
    ! If you see a WARNING, read the warning, click your Browser's
    ! back button, correct the error, and click "Submit" again.
    !
    ! Entering Global Configuration mode.
    !
    configure terminal
    !
    ip subnet-zero
    ip classless
    !
    ! default route
    ip route 0.0.0.0 0.0.0.0 1.1.1.1
    !
    ! Section 1: Unneeded Services
    !
Post BRST Config
  Disabled many services
    No ip unreachables
    No ip redirects
  Enabled positive services
    tcp-keepalives in and out
    SSH timeout
  Configured secure access
    SSH if available
    Telnet only from certain hosts if not
  Configured anti-spoofing
    Null routing of BOGONs
  Enabled logging

  show run (output as shown on the slide, truncated):

    Building configuration...

    Current configuration : 3361 bytes
    !
    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    no service dhcp
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 4096 informational
    no logging console
    no logging monitor
    enable secret 5 $1$YLJj$O5nh6cmiNdspYsbEctgEa.
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa session-id common
    ip subnet-zero
    no ip source-route
    no ip gratuitous-arps
    ip options drop
    !
    username tleroy password 7 15210E0F162F3F
    !
    interface Loopback0
     ip address 10.0.0.1 255.255.255.255
     no ip redirects
     no ip unreachables
     no ip proxy-arp
    !
    interface Null0
     no ip unreachables
    !
    interface Ethernet0
     ip address 2.2.2.1 255.255.255.252
     ip access-group firewall_in in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     no cdp enable
    … Output truncated
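A way to check whether a router actually ended up in the state this slide and the earlier "Router Security" slide describe (unneeded services off, keepalives on, secrets encrypted, ICMP leaks off per interface), as an added example in Python. This is illustration code, not part of BRST. It contains a small parser for the one-space-indented block structure of an IOS running-config and runs a fixed checklist over two excerpts taken from the deck's own "before" and "after" configurations. One point the check surfaces that the slide does not: the hardened config still stores the user password as type 7, which is a reversible encoding rather than a hash, so the audit flags it alongside the type 0 plaintext password of the default install.

```python
"""Audit a Cisco IOS running-config for the hardening items the slides list:
unneeded services off, TCP keepalives on, secrets encrypted, and the ICMP
information leaks (redirects, unreachables, proxy-arp) disabled per interface.
Added illustration, not BRST's code; the configs are excerpts from the slides."""
from typing import Dict, List, Tuple

REQUIRED_GLOBAL = [  # must appear verbatim at global level after hardening
    "service password-encryption", "no service pad", "service tcp-keepalives-in",
    "service tcp-keepalives-out", "no ip source-route", "aaa new-model"]
REQUIRED_PER_INTERFACE = ["no ip redirects", "no ip unreachables", "no ip proxy-arp"]


def parse_ios(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into global lines and per-interface sub-command lists.
    IOS indents sub-commands by one space and ends each block with '!'."""
    glob: List[str] = []
    ifaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
        elif raw.startswith(" ") and current is not None:
            ifaces[current].append(line)
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        else:
            current = None
            glob.append(line)
    return glob, ifaces


def audit(text: str) -> List[str]:
    """Return findings as strings; an empty list means every check passed."""
    glob, ifaces = parse_ios(text)
    findings = [f"global: missing '{i}'" for i in REQUIRED_GLOBAL if i not in glob]
    if not any(g.startswith("logging buffered") for g in glob):
        findings.append("global: no 'logging buffered'")
    if not any(g.startswith("enable secret") for g in glob):
        findings.append("global: no 'enable secret'")
    for g in glob:
        parts = g.split()
        if g.startswith("username ") and "password" in parts:
            kind = parts[parts.index("password") + 1]
            if kind in ("0", "7"):  # 0 = plaintext, 7 = reversible encoding
                findings.append(f"global: user {parts[1]} has a type {kind} "
                                "password (recoverable); use 'secret'")
    for name, cmds in ifaces.items():
        if "shutdown" in cmds or not any(c.startswith("ip address") for c in cmds):
            continue  # shut or address-less interfaces cannot leak ICMP
        findings += [f"{name}: missing '{i}'" for i in REQUIRED_PER_INTERFACE if i not in cmds]
    return findings


BEFORE_CFG = """
version 12.3
no service password-encryption
!
no aaa new-model
!
username tleroy password 0 Secret
!
interface Ethernet0
 ip address 4.4.4.2 255.255.255.252
!
interface Serial0
 ip address 6.6.6.1 255.255.255.252
 shutdown
!
no ip http server
"""

AFTER_CFG = """
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service password-encryption
!
logging buffered 4096 informational
enable secret 5 $1$YLJj$O5nh6cmiNdspYsbEctgEa.
!
aaa new-model
no ip source-route
!
username tleroy password 7 15210E0F162F3F
!
interface Ethernet0
 ip address 2.2.2.1 255.255.255.252
 ip access-group firewall_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
"""

if __name__ == "__main__":
    for label, cfg in (("before BRST", BEFORE_CFG), ("after BRST", AFTER_CFG)):
        print(label, *audit(cfg), sep="\n  ")
```

The checklist is deliberately the one the deck enumerates; items the truncated slide output cannot confirm (for example whether `no ip http server` survived) are left out rather than guessed.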
Nmap Scan After running BRST
  Nmap scan reveals no open ports
  OS Detection is more ambiguous
  [Nmap scan output shown on slide]
  Banner grabbing much less effective
    No Telnet or HTTP Access
    SSH only from inside interface (VPN then SSH)
    Disabled services will not leak information
References
  U.S. National Security Agency System and Network Attack Center (NSA SNAC), Router Security Configuration Guide
    http://www.nsa.gov/ia/_files/routers/C4-040R-02.pdf
  Cisco Guide to Harden Cisco IOS Devices
    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
  Team Cymru’s Secure IOS Template
    http://www.cymru.com/Documents/secure-ios-template.html
  Akin, Thomas. “Hardening Cisco Routers.” O’Reilly Media, February 2002

Disclaimer
  This software is not sponsored by, endorsed by or affiliated with Cisco Systems, Inc. Cisco, Cisco Systems, and IOS are registered trademarks of Cisco Systems, Inc. in the USA and certain other countries. All other trademarks are trademarks of their respective owners.

  BRST - Border Router Security Tool, Helps administrators secure their border routers.
  Copyright © 2008 Ted LeRoy

  This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details. A local copy of the license can be found at copying.

  theodore.leroy_at_yahoo_dot_com
  Source code can be obtained at: https://sourceforge.net/projects/borderroutersec/


Editor's Notes

  1. Originally titled the Cisco Router Security Tool (CRST), it was a Master’s Project for Ted LeRoy’s Information Technology Program at RIT.
  2. Why border routers? They are outside the corporate network, they are exposed to the Internet, and they are sometimes overlooked by administrators.
  5. Telnet, if enabled, is only accessible from the inside interface. The user must VPN into the network, then access the router.