Router Defense

1. Router Defense
Cisco IOS security assessment tool
Lightning talk day 2 - 2010

2. Operational security
Did you ever seen a Cisco network device with
security BCP enforced?
« The network is more powerful than the node »

3. The network moves
Network (re)design
Configuration changes
Compromised network devices
Network usage (Software update policy, devs
plays with mcast)
RouterDefense will adapt
Recurrent assesment schedule for teh win

4. Threat base reference model
Enterprise/Service providers networks agnostic
IPv4/IPv6/MPLS
Cisco Guide to Harden Cisco IOS Devices (Cisco)
Cisco IOS Switch Security Configuration Guide
(NSA)
Tool's author experience
0-dayz vendor EPIC FAIL proactive prevention
(cisco-sa-20100707-snmp)

5. Features
Reads Cisco IOS config with a security mindset
Management, control, data planes
Stdout, HTML(5+CSS3), CSV, PDF output
Three-tier architecture
Router/switch scenarii
IOS versioning
CVSS base vectors scoring
138 tests

6. Demo

7. HTML output

8. Router Defense tool
Written in python during spare time
wc -l *.{py,xml} | tail -1 | awk '{ print $1}'
9336
Version 0.2
Available at Google Code
http://code.google.com/p/routerdefense/

9. $ whoami
Francois Ropert
Topics of interest:
network protocols and devices security
Feel free to ping6 me at:
http://www(6).packetfault.org
@pello