The BRST is a web-based utility for generating a secure configuration for Cisco routers. It is
primarily designed to be used for border routers in small to medium-sized companies, but the concepts
can be applied to larger internal routing infrastructures. More info
on the project.
Click on most links for a web-based help file which will provide
more information. Some links take you to specific configuration instructions or outside web sites with
Be sure to read the Warnings prior to using the configuration file generated using the BRST on your router!
If you encounter problems, look at the troubleshooting page.
These are actions you should take prior to completing the questionnaire. Router commands to
complete these steps are available here.
Enter a router host name.
Enter the domain-name. (This step facilitates generation of an RSA Key in the next step.)
Generate an RSA Cryptography Key (crypto-key) to allow configuration of Secure Shell (SSH).
For specific commands that will create a host name, a domain name and will allow you to generate an
RSA crypto-key, click here.
Does your Internet Operating System (IOS) version support cryptography? (If you were able to generate a crypto-key using
the previous step, the answer is yes. If not, then click no)
Enter the code version running on your router. Do not include trailing letters.
Code version (example 12.0(3)):
(The code version can be obtained by typing the "show version" command at the enable prompt.)
Enter the model of your router. Model (example: 1602):
(The router model can be obtained by typing the "show version" command at the enable prompt. Only numbers should be entered.)
Enter the IP address of your Internet Service Provider's (ISP's) router. This is the IP Address in
the ISP's network that is directly connected to the border router. This IP Address is your Gateway Address.
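The three preparatory steps above, written out as IOS commands. This is an added example, not output of the BRST; the host name `border1`, the domain `example.com`, the 2048-bit key size and the SSH timers are placeholders you would adjust.

```cisco
! Preparatory steps, entered from the enable prompt (Router#).
configure terminal
! 1. Host name: appears in the prompt and in every syslog entry the router sends
hostname border1
! 2. Domain name: the RSA key pair is named <hostname>.<domain>, so set it first
ip domain-name example.com
! 3. RSA key pair for SSH. The 2048-bit size is an assumption; older images ask
!    for the size interactively, and SSH version 2 needs at least 768 bits.
crypto key generate rsa modulus 2048
! The SSH server starts once a key exists; pin it to version 2 with short limits
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
end
! Check: the key pair is listed and "show ip ssh" reports SSH Enabled - version 2.0
show crypto key mypubkey rsa
show ip ssh
```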
Answer the following questions so the BRST can generate the recommended
changes to your configuration file for you.
Many unneeded services are enabled by default. This section guides you through
disabling Global (Section 1a), then interface specific (Section 1b) services that
are not needed.
Disabling of global unneeded services affects the entire router and is done at
the enable prompt.
Please review each setting below and uncheck services you want left as they are.
For an index of protocols that will be disabled
and a help file describing the services, their dangers, and recommended settings, click
Disabling of unneeded interface services affects the interface they are entered on
and is done at the configure interface prompt.
Enter the name of your Internet facing router interface (example: serial 0).
This is the interface that connects to your Internet Service Provider's equipment.
Enter the IP address and mask of your Internet facing router interface. This is the interface
that connects the router to the Internet Service Provider's (ISP's) router.
Review each setting below and uncheck services you want left as they are.
Enter the name of your Firewall facing router interface (example: ethernet 0).
This is the interface that connects the router to your firewall.
Enter the IP address and mask of your Firewall facing router interface. This is the interface
that connects the router to your firewall.
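Sections 1a and 1b as they would look once applied, as an added example rather than the BRST's own output. The interface names `Serial0` and `Ethernet0` follow the page's examples; the addresses are placeholders from the documentation ranges.

```cisco
! Section 1a: global services, entered at the config prompt (Router(config)#).
! Interface names and addresses are placeholders from the documentation ranges.
no service tcp-small-servers
no service udp-small-servers
! finger, bootp and the web server reveal or accept far more than they are worth
no ip finger
no ip bootp server
no ip http server
! CDP advertises model, IOS version and addresses to whatever is on the wire
no cdp run
! source-routed packets would let a sender steer around the routing table
no ip source-route
! the router makes no DNS queries (see the NTP section for the consequence)
no ip domain-lookup
no service pad
! do not load a configuration over TFTP at boot
no service config
! removes any default SNMP communities; add SNMPv3 back only if it is needed
no snmp-server
service password-encryption
service tcp-keepalives-in
!
! Section 1b: Internet facing interface
interface Serial0
 description ISP link
 ip address 198.51.100.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
 no ip mask-reply
 no cdp enable
 ntp disable
!
! Firewall facing interface gets the same treatment
interface Ethernet0
 description link to firewall
 ip address 203.0.113.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
 no ip mask-reply
 no cdp enable
 ntp disable
!
! Check: the interface should report redirects and unreachables never sent, Proxy ARP disabled
show ip interface Serial0
```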
Some global and interface services that can increase router security are not enabled by default.
You will enable those services here.
Create a Loopback Interface which will have
protocols such as ntp bound to it.
Enter the IP Address you want to use for your loopback interface.
This should be an address from a network range that is not in use on any other interface on
(All services disabled on the previous interfaces will also be disabled here with the
exception of Network Time Protocol (ntp). Ntp will remain enabled on this interface.)
Create a Null Interface that will be used for null
(The only service that can be disabled on a null interface is ip unreachables.
Ip unreachables will be disabled on the null interface).
Correct time on the router is critical for tracking network attacks. Logfiles from several
devices may have to be parsed to find "threads" of activity through the network. Accurate
timestamps on log entries permit those logs to be searched for entries at specific times.
Network Time Protocol servers provide nearly synchronous time across a network.
Ntp was disabled on several interfaces. Ntp information should not be given to unauthorized
queries, and the router should not be an ntp server unless it is part of a larger ntp
infrastructure. Ntp will be enabled on and bound to the loopback interface.
To find a public ntp server near you, go to ntp.org's
Stratum 2 Time Servers. Scroll down the list to find a pair of servers that have an Open
Access Policy, and preferably ones that do not require Notification. They are listed by name, which would
require the router to be able to resolve names in order to use the ntp servers. The Domain Name System (DNS)
poses its own risks, so we disabled it earlier. Resolve the name to an IP address by pinging it on a PC or
Unix computer. Be aware that the IP addresses associated with host names are subject to change, so you must
check periodically that ntp is working, and it is best to configure at least two servers.
Be sure to look at ntp.org's Rules of Engagement
concerning the use of Stratum 2 Servers.
Configure Network Time Protocol on Loopback Interface.
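Section 2 (loopback, null interface and NTP) as an added example; this is not the BRST's generated text. The loopback address 192.0.2.1 and the two server addresses 198.51.100.123 and 198.51.100.124 are placeholders for the addresses you resolved yourself.

```cisco
! Section 2: Loopback and Null interfaces, NTP bound to the loopback.
! All addresses are placeholders; put the two Stratum 2 servers you resolved on a
! PC in place of 198.51.100.123/124 (the router itself cannot resolve names).
interface Loopback0
 description management and NTP source address
 ip address 192.0.2.1 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
 no ip mask-reply
! (no "ntp disable" here: this is the one interface that keeps NTP)
!
interface Null0
 no ip unreachables
!
! ACL 20 lists the only hosts the router will exchange NTP with. Once any ntp
! access-group exists, NTP packets matching none of the groups are dropped, so
! this single peer group also refuses status queries from everyone else.
access-list 20 permit host 198.51.100.123
access-list 20 permit host 198.51.100.124
access-list 20 deny any
!
ntp server 198.51.100.123
ntp server 198.51.100.124
ntp source Loopback0
ntp access-group peer 20
! Replies come back to the loopback address, so it must lie in space that is
! routed to this router, not merely be unused on other interfaces.
!
! Check after a few minutes: "*" marks the server the clock is synchronised to
show ntp associations
show ntp status
```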
Access to the router via both physical ports such as Auxiliary (aux) and Console ports,
and access to virtual terminal (vty) ports must be controlled. The information you provide
in this section will permit secure access but deny unauthorized login attempts.
Enter the Enable Secret Password.
Enter a username and password for a local user account.
The auxiliary port or aux port is not normally needed and should be disabled unless it is
attached to a modem for out of band access. Not all routers have aux ports. If your router
has an aux port, be sure to check the "Disable aux port" box if it is not used for out of band
access via a modem.
Disable aux port.
The console port is used to access the router locally using a serial connection and terminal
emulation software like Putty, TeraTerm, or HyperTerm.
Configure console port.
Virtual Terminal (vty) ports control remote access via the network. Since vty ports are
accessible over the network, they represent a great risk if they are not secured properly.
Vty ports should only be accessible from trusted IP addresses, and only protocols that
provide encryption like Secure Shell (SSH) should be permitted. Enter the IP address of
a trusted host. If you will always be accessing the router from the LAN behind a firewall,
you can use the firewall's IP address which is nearest the router.
Enter the IP Address of a trusted remote access computer or the Firewall's outside interface.
Secure vty ports.
Some commands that are available to all user levels should be restricted to administrator
Restrict Access to High Risk Commands.
AAA Access Control permits additional logging of actions taken by users.
Configure Local AAA.
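Section 3 in full, as an added example and not the BRST's own output. The account name, both secrets and the trusted host 203.0.113.2 (assumed to be the firewall interface nearest the router) are placeholders.

```cisco
! Section 3: physical ports, vty lines, command privileges and local AAA.
! Placeholders: the user name, both secrets, and the trusted host 203.0.113.2,
! which is taken to be the firewall interface nearest the router.
enable secret <enable-secret>
username admin privilege 15 secret <user-secret>
!
! Aux port with no modem: no EXEC, no transport, idle timeout of one second
line aux 0
 no exec
 transport input none
 transport output none
 exec-timeout 0 1
!
! Console: local account required, sessions dropped after 5 idle minutes
line con 0
 login local
 exec-timeout 5 0
 logging synchronous
!
! vty: only SSH, only from the trusted host; denied attempts are logged
access-list 10 permit host 203.0.113.2
access-list 10 deny any log
line vty 0 4
 access-class 10 in
 transport input ssh
 transport output none
 login local
 exec-timeout 5 0
!
! Commands open to level 1 that reveal filters, logs or open new sessions.
! Raising a subcommand also raises "show" itself, so it is set back to 1 last.
privilege exec level 15 connect
privilege exec level 15 telnet
privilege exec level 15 rlogin
privilege exec level 15 show ip access-lists
privilege exec level 15 show access-lists
privilege exec level 15 show logging
privilege exec level 1 show
!
! Local AAA: authentication and EXEC authorisation against the local database,
! login outcomes logged; the three "login" lines need 12.3(4)T or later.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
login on-failure log
login on-success log
login block-for 120 attempts 3 within 60
```

Open a second SSH session and confirm it works before closing the first, so a mistake in ACL 10 or the AAA lines does not lock you out.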
Controlling the flow of erroneous or mischievous traffic to or through the router is done with
null routing and access control lists.
The BRST uses null routing to dispose of bogon and martian packets that try to traverse or enter
the router because it is an effective and efficient way to do so. Null routing quietly drops packets
that are within static routes assigned to the null interface using minimal processing power to discard
these known bad packets.
Configuring null routing is recommended with a caveat. If you configure null routing, it is
strongly recommended that you check the null route provided against the current list maintained
at Team Cymru's web site.
You are also encouraged to sign up for their
and to update your null routes when changes are announced. Changes do not occur often. The
bogon addresses used to generate this null route are from 5 October, 2008. There had not been
a change to the list since May of 2008.
Configure null routing.
The firewall facing interface should only receive traffic from the firewall. This access list
will permit traffic with an originating address of the firewall but will deny and log all other
Create Outside ACL.
Create Inside ACL.
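Section 4 as an added example, not the BRST's generated route list or ACLs. The Null0 routes cover only the well-known private and reserved ranges to show the form; the real bogon list comes from Team Cymru. The addresses 203.0.113.0/24 (firewall segment), 203.0.113.2 (firewall) and 192.0.2.1 (loopback) are placeholders carried over from the earlier examples.

```cisco
! Section 4: Null0 routes and the two interface ACLs. Addresses are placeholders.
! The prefixes shown are only the RFC 1918, loopback, link-local, multicast and
! reserved ranges, to show the form; take the full, current bogon list from
! Team Cymru rather than from this example.
ip route 10.0.0.0 255.0.0.0 Null0
ip route 127.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
! A static route matches the destination only. Packets merely carrying a bogon
! source are caught by OUTSIDE-IN below, or by uRPF on the ISP link, which
! consults these Null0 routes (needs "ip cef" first):
!   interface Serial0
!    ip verify unicast source reachable-via rx
!
! Outside ACL, inbound on the ISP link: refuse sources that cannot legitimately
! arrive from the Internet (private, local, multicast and our own addresses),
! log them, and pass everything else on to the firewall.
ip access-list extended OUTSIDE-IN
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 169.254.0.0 0.0.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip 224.0.0.0 31.255.255.255 any log
 deny ip 203.0.113.0 0.0.0.255 any log
 deny ip host 192.0.2.1 any log
 permit ip any any
!
! Inside ACL, inbound on the firewall link: only the firewall's own address may
! send; anything else on that segment is dropped and logged.
ip access-list extended INSIDE-IN
 permit ip host 203.0.113.2 any
 deny ip any any log
!
interface Serial0
 ip access-group OUTSIDE-IN in
interface Ethernet0
 ip access-group INSIDE-IN in
!
! Check: the hit counters on the deny lines show what is being dropped
show ip access-lists
show ip route static
```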
There are many options with regard to what to log and how to store log entries. Attackers may try
to cover their tracks by overwriting or erasing log files. It is important to forward log entries to
a secured syslog server that is external to the router if possible. This will ensure that logs are
preserved even if the router is power cycled. It should also make it more difficult for an attacker
to modify or erase the log files.
A relatively safe way to set up a syslog server is to use a spare Ethernet or Fast Ethernet interface
on the router to set up a kind of Demilitarized Zone (DMZ) strictly for the Syslog Server. You could use
an old computer you have and install a donation supported operating system like
Each of the operating systems referenced has its own firewall software available to screen traffic and has
a built in syslog service. Packets traversing the router's DMZ interface can be restricted so only syslog
messages from the loopback interface of the router, and possibly SSH traffic to and from the firewall
facing interface are allowed.
If there aren't any spare interfaces on your router, you could put a syslog server in the Firewall's DMZ
and only permit traffic to it from the router's loopback IP address.
If neither of those options is available, it may be preferable to configure local logging only instead of
permitting syslog messages to penetrate the Firewall to a syslog server on the Local Area Network.
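The spare-interface syslog DMZ described above, as an added example rather than the BRST's output. `Ethernet1`, the 10.10.10.0/24 segment, the server 10.10.10.10, the loopback 192.0.2.1 and the firewall address 203.0.113.2 (assumed to be the source of admin SSH sessions to the server) are placeholders.

```cisco
! Section 5: timestamps, local buffer and a syslog server on a spare interface
! used as a small DMZ. Ethernet1, the 10.10.10.0/24 segment and the server
! 10.10.10.10 are placeholders; 192.0.2.1 is the loopback from Section 2.
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
clock timezone UTC 0
service sequence-numbers
!
! Keep a local copy as well, so a failed syslog path is not a total loss
logging buffered 16384 informational
logging console critical
logging trap informational
logging source-interface Loopback0
logging host 10.10.10.10
!
interface Ethernet1
 description syslog DMZ
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
 no ip mask-reply
 no cdp enable
 ntp disable
 ip access-group SYSLOG-DMZ-IN in
 ip access-group SYSLOG-DMZ-OUT out
!
! Into the DMZ: the router's own syslog from the loopback, plus SSH from the
! firewall side for administering the server. IOS does not run its own packets
! through an outbound ACL, so the syslog line records intent and mainly stops
! transit traffic from reaching the server.
ip access-list extended SYSLOG-DMZ-OUT
 permit udp host 192.0.2.1 host 10.10.10.10 eq syslog
 permit tcp host 203.0.113.2 host 10.10.10.10 eq 22
 deny ip any any log
!
! Out of the DMZ: only the SSH replies; the server never starts a conversation
ip access-list extended SYSLOG-DMZ-IN
 permit tcp host 10.10.10.10 eq 22 host 203.0.113.2 established
 deny ip any any log
!
! Check: the host entry should show a message count that grows over time
show logging
```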
This software is not sponsored by, endorsed by or affiliated with Cisco Systems, Inc. Cisco, Cisco Systems, and IOS
are registered trademarks of Cisco Systems, Inc. in the USA and certain other countries. All other
trademarks are trademarks of their respective owners.
BRST - Border Router Security Tool, Helps administrators secure their border routers.
Copyright © 2008 Ted LeRoy
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
A local copy of the license can be found at copying.
Source code can be obtained at: