Brst – Border Router Security Tool


BRST Overview

Speaker notes
  • Originally titled the Cisco Router Security Tool (CRST), it was a Master’s Project for Ted LeRoy’s Information Technology Program at RIT.
  • Why border routers? They are outside the corporate network, they are exposed to the Internet, and they are sometimes overlooked by administrators.
  • Telnet, if enabled, is only accessible from the inside interface. The user must VPN into the network, then access the router.

    1. BRST – Border Router Security Tool
       Ted LeRoy
    2. Outline
       What is the BRST?
       Target Users and Topologies
       Default Cisco Router install example
       Before BRST nmap scan
       Router Security
         Disable Unneeded Services
         Enable Helpful Services
         Control Access
         Configure Anti-spoofing
         Logging
       Demo
       BRST Generated Configuration Example
       Nmap scan after using BRST
       References
       Copyright 2010 Theodore LeRoy GPLv3
    3. What is the BRST?
       The BRST is a web-based utility
         Answer questions on web form
         Click Submit
         Receive secure configuration via web
         Cut and paste into terminal session
    4. Target Users and Topologies
       Target Users
         Network Administrators
         May or may not have Cisco experience
       Target Topologies
         Border routers
         Routers between Firewall and Internet Service Provider
         Concepts can be carried over to larger infrastructures
    5. Default Cisco Router Install
       Basic Router Config
         IP Addresses/Subnet Masks on Inside and Outside interfaces
         IP Subnet Zero
         IP Classless
         Default Gateway
         Username & Password
         VTY Access & Password
         Ping from inside outward to ensure connectivity
       Example default configuration:
         version 12.3
         service timestamps debug datetime msec
         service timestamps log datetime msec
         no service password-encryption
         !
         hostname Router
         !
         boot-start-marker
         boot-end-marker
         !
         no logging console
         no logging monitor
         !
         no aaa new-model
         ip subnet-zero
         !
         username tleroy password 0 Secret
         !
         interface Ethernet0
          ip address
         !
         interface Serial0
          ip address
          shutdown
          service-module 56k clock source line
          service-module 56k network-type dds
         !
         ip classless
         ip route
         no ip http server
         !
         line con 0
         line vty 0 4
          login
         !
         end
    6. Nmap Scan
       Before running BRST
       Nmap scan reveals several open ports
       More open ports may be visible on older code versions
       [NMAP Scan Here]
       Banner grabbing can also be effective on an insecure router
         Telnet, SSH, HTTP, finger, daytime
    7. Router Security
       Disable Unneeded Services
         Global Services
         Interface Services
         CDP/Yersinia Example
       Enable Helpful Services
         SSH Authentication Retries Example
       Control Access
         Disable Aux Port
         Secure Console Port Access
         Secure Virtual Terminal (vty) Access
    8. Router Security (continued)
       Configure Anti-spoofing
         Null-route BOGON and Martian Addresses (if not in use on router)
         Anti-spoofing Access Control Lists (ACLs) on interfaces
         Internal IPs should not enter from the outside interface
       Logging
         Syslog messages to a secure server using a DMZ interface on the router
         Other options:
           Send syslog messages to a DMZ on the firewall
           Local logging only (all logs lost on reboot!)
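The anti-spoofing items on this slide (null-routing bogon and martian prefixes the router does not itself use, and an inbound ACL on the outside interface that rejects packets claiming an internal source address) are mechanical enough to generate from a few inputs, which is what BRST does from its web form. The Python below is an added example written for this page, not BRST's own code. BOGONS is the set of reserved and private ranges from RFC 1918 and RFC 5735; the ACL name firewall_in is borrowed from the post-BRST configuration later in the deck; the interface name Ethernet0 and the inside/public prefixes in the usage section are constructed placeholders.

```python
"""Generate the anti-spoofing pieces of a border-router configuration.

Added example, not BRST's own code.  BOGONS lists the reserved and private
ranges from RFC 1918 / RFC 5735; the ACL name firewall_in matches the
post-BRST config in this deck, while the interface name and the prefixes
in the usage section are constructed placeholders."""
from ipaddress import IPv4Network

BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
]


def null_routes(prefixes, in_use=()):
    """'ip route ... Null0' for every prefix that does not overlap a range
    the router actually uses (the slide's 'if not in use on router'):
    black-holing your own inside subnet would cut the LAN off."""
    used = [IPv4Network(p) for p in in_use]
    routes = []
    for p in prefixes:
        net = IPv4Network(p)
        if any(net.overlaps(u) for u in used):
            continue
        routes.append(f"ip route {net.network_address} {net.netmask} Null0")
    return routes


def antispoof_acl(name, internal, outside_if, bogons=BOGONS):
    """Named extended ACL applied inbound on the outside interface.

    Every bogon and every internal prefix is denied as a *source*, with
    'log' so spoofing attempts reach syslog.  IOS ACLs take a wildcard
    mask, which ipaddress exposes as .hostmask.  A prefix already covered
    by an earlier, larger deny is skipped to keep the ACL short."""
    lines = [f"ip access-list extended {name}"]
    covered = []
    for p in list(bogons) + list(internal):
        net = IPv4Network(p)
        if any(net.subnet_of(c) for c in covered):
            continue
        covered.append(net)
        lines.append(f" deny ip {net.network_address} {net.hostmask} any log")
    lines.append(" permit ip any any")
    lines += [f"interface {outside_if}", f" ip access-group {name} in"]
    return lines


if __name__ == "__main__":
    # Constructed scenario: inside LAN on 192.168.1.0/24 (so that bogon must
    # not be null-routed) and a public block 203.0.113.0/24 behind the firewall.
    inside = ["192.168.1.0/24"]
    public = ["203.0.113.0/24"]
    print("\n".join(null_routes(BOGONS, in_use=inside)))
    print("!")
    print("\n".join(antispoof_acl("firewall_in", inside + public, "Ethernet0")))
```

Running the script with the constructed scenario prints eight Null0 routes (192.168.0.0/16 is held back because the inside LAN lives in it) followed by the ACL; the 192.168.1.0/24 deny is folded into the 192.168.0.0/16 line, while the public 203.0.113.0/24 gets its own entry because nothing reserved covers it.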
    9. Live Demo
       Using BRST to secure a Cisco Router
       Set delay for TeraTerm (COM flow too fast for older hardware)
       BRST output:
         ! Border Router Security Tool (BRST) Recommended Configuration
         ! Start Copying Config File Here !
         ! Enter the following router commands exactly as shown.
         !
         ! You may copy and paste directly from the results that appear into
         ! the router configuration using your terminal emulation software.
         !
         ! Comments are preceded by an !. They will be ignored by the router.
         !
         !
         ! global router commands
         !
         ! Watch for WARNINGS in the Configuration the BRST provides.
         ! If you see a WARNING, read the warning, click your Browser's
         ! back button, correct the error, and click "Submit" again.
         !
         ! Entering Global Configuration mode.
         !
         configure terminal
         !
         ip subnet-zero
         ip classless
         !
         ! default route
         ip route
         !
         !
         ! Section 1: Unneeded Services
         !
   10. Post BRST Config
       Disabled many services
         No ip unreachables
         No ip redirects
       Enabled positive services
         tcp-keepalives in and out
         SSH timeout
       Configured secure access
         SSH if available
         Telnet only from certain hosts if not
       Configured anti-spoofing
         Null routing of BOGONs
       Enabled logging
       Resulting configuration:
         show run
         Building configuration...
         Current configuration : 3361 bytes
         !
         version 12.3
         no service pad
         service tcp-keepalives-in
         service tcp-keepalives-out
         service timestamps debug datetime msec
         service timestamps log datetime msec
         service password-encryption
         no service dhcp
         !
         hostname Router
         !
         boot-start-marker
         boot-end-marker
         !
         logging buffered 4096 informational
         no logging console
         no logging monitor
         enable secret 5 $1$YLJj$O5nh6cmiNdspYsbEctgEa.
         !
         aaa new-model
         !
         !
         aaa authentication login default local
         aaa session-id common
         ip subnet-zero
         no ip source-route
         no ip gratuitous-arps
         ip options drop
         !
         username tleroy password 7 15210E0F162F3F
         !
         interface Loopback0
          ip address
          no ip redirects
          no ip unreachables
          no ip proxy-arp
         !
         interface Null0
          no ip unreachables
         !
         interface Ethernet0
          ip address
          ip access-group firewall_in in
          no ip redirects
          no ip unreachables
          no ip proxy-arp
          no cdp enable
         … Output truncated
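The before and after configurations on slides 5 and 10 differ by a fixed list of directives, so whether a router has been hardened this way can be checked from a "show run" dump rather than by re-running a scanner. The Python below is an added example for this page, not part of BRST. It parses the dump into global commands and per-interface sub-commands, then tests for the items visible in the post-BRST output: password encryption, TCP keepalives, no source routing, no service pad, AAA, buffered logging, an enable secret, no clear-text "password 0" users, no HTTP server, and no redirects/unreachables/proxy-arp on every interface plus no CDP and an inbound access-group on the outside interface. The two sample dumps BEFORE and AFTER are constructed, modelled on the deck's configs with placeholder addresses and secrets, and Ethernet0 is taken as the outside interface, following the slide that applies firewall_in to it.

```python
"""Audit a Cisco IOS 'show run' dump for the hardening items BRST applies.

Added example, not BRST's own code.  BEFORE and AFTER are constructed
samples modelled on the deck's default-install and post-BRST configs,
with placeholder addresses and secrets; Ethernet0 is assumed to be the
Internet-facing interface."""
import re

GLOBAL_REQUIRED = [
    "service password-encryption", "service tcp-keepalives-in",
    "service tcp-keepalives-out", "no ip source-route", "no service pad",
    "aaa new-model", r"logging buffered \d+.*", r"enable secret \d+ \S+",
]
GLOBAL_FORBIDDEN = ["ip http server", r"username \S+ password 0 \S+"]
INTERFACE_REQUIRED = ["no ip redirects", "no ip unreachables", "no ip proxy-arp"]
OUTSIDE_REQUIRED = ["no cdp enable", r"ip access-group \S+ in"]


def parse_config(text):
    """Split a dump into global commands and {interface: [sub-commands]}.
    IOS indents sub-commands by one space and separates blocks with '!'."""
    globals_, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            globals_.append(line.strip())
    return globals_, interfaces


def _has(lines, pattern):
    # Full-line match, so 'no ip http server' never satisfies 'ip http server'.
    return any(re.fullmatch(pattern, line) for line in lines)


def audit(text, outside_if):
    """Return findings as strings; an empty list means every check passed."""
    globals_, interfaces = parse_config(text)
    findings = [f"global: missing '{p}'" for p in GLOBAL_REQUIRED if not _has(globals_, p)]
    findings += [f"global: '{p}' must be removed" for p in GLOBAL_FORBIDDEN if _has(globals_, p)]
    for name, lines in interfaces.items():
        if name.startswith("Null"):
            continue  # Null0 only takes 'no ip unreachables'
        findings += [f"{name}: missing '{p}'" for p in INTERFACE_REQUIRED if not _has(lines, p)]
    if outside_if not in interfaces:
        findings.append(f"{outside_if}: interface not found")
    else:
        findings += [f"{outside_if}: missing '{p}'" for p in OUTSIDE_REQUIRED
                     if not _has(interfaces[outside_if], p)]
    return findings


BEFORE = """\
version 12.3
no service password-encryption
!
username admin password 0 PLACEHOLDER
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
!
no ip http server
!
line vty 0 4
 login
!
end
"""

AFTER = """\
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service password-encryption
!
logging buffered 4096 informational
enable secret 5 PLACEHOLDER
!
aaa new-model
no ip source-route
!
username admin password 7 PLACEHOLDER
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip access-group firewall_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
end
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg, "Ethernet0") or "no findings")
```

Against the constructed BEFORE dump the audit lists every missing global directive, the clear-text user, and the five interface items absent from Ethernet0; against AFTER it returns nothing. Because matching is full-line, a "no ..." form of a command never satisfies a check for the positive form, which is the mistake a naive substring search would make on "no service password-encryption".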
   11. Nmap Scan
       After running BRST
       Nmap scan reveals no open ports
       OS Detection is more ambiguous
       [NMAP Scan Here]
       Banner grabbing much less effective
         No Telnet or HTTP Access
         SSH only from inside interface (VPN then SSH)
         Disabled services will not leak information
   12. References
       U.S. National Security Agency System and Network Attack Center (NSA SNAC), Router Security Configuration Guide
       Cisco, Guide to Harden Cisco IOS Devices
       Team Cymru, Secure IOS Template
       Akin, Thomas, "Hardening Cisco Routers," O'Reilly Media, February 2002
   13. Disclaimer
       This software is not sponsored by, endorsed by or affiliated with Cisco Systems, Inc. Cisco, Cisco Systems, and IOS are registered trademarks of Cisco Systems, Inc. in the USA and certain other countries. All other trademarks are trademarks of their respective owners.
       BRST - Border Router Security Tool, helps administrators secure their border routers.
       Copyright © 2008 Ted LeRoy
       This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
       This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.
       A local copy of the license can be found at copying.
       theodore.leroy_at_yahoo_dot_com
       Source code can be obtained at: