Version 1.0.2

BRST - Border Router Security Tool Questionnaire

The BRST is a web based utility for generating a secure configuration for Cisco routers. It is primarily designed to be used for border routers in small to medium sized companies but the concepts can be applied to larger internal routing infrastructures. More info on the project.

Click on most links for a web based help file which will provide more information. Some links take you to specific configuration instructions or outside web sites with more information.

WARNINGS

Be sure to read the Warnings prior to using the configuration file generated using the BRST on your router!

Troubleshooting

If you encounter problems, look at the troubleshooting page.

Preparation

These are actions you should take prior to completing the questionnaire. Router commands to complete these steps are available here.

  1. Enter a router host name.

  2. Enter the domain-name. (This step facilitates generation of an RSA Key in the next step.)

  3. Generate an RSA Cryptography Key (crypto-key) to allow configuration of Secure Shell (SSH). For specific commands that will create a host name, a domain name and will allow you to generate an RSA crypto-key, click here.

  4. Does your Internetwork Operating System (IOS) version support cryptography? (If you were able to generate a crypto-key in the previous step, the answer is yes. If not, select no.)

Enter the code version running on your router. Do not include trailing letters. Code version (example: 12.0(3)): ___.___(___)
(The code version can be obtained by typing the "show version" command at the enable prompt.)

Enter the model of your router. Model (example: 1602): ___
(The router model can be obtained by typing the "show version" command at the enable prompt. Only numbers should be entered.)
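As an added example (not part of BRST), the following Python pulls the version and model answers asked for above out of "show version" output, dropping trailing train letters as the questionnaire requires; the two samples are constructed, and the K9 crypto heuristic is an assumption.

```python
import re

# Constructed, abridged "show version" samples (not real captures):
# an older 12.0 image on a 1602 and a newer 12.4 image on an 1841.
OLD_STYLE = """\
Cisco Internetwork Operating System Software
IOS (tm) 1600 Software (C1600-SY-M), Version 12.0(3), RELEASE SOFTWARE (fc1)
ROM: System Bootstrap, Version 12.0(3)T, RELEASE SOFTWARE (fc1)
cisco 1602 (68360) processor (revision C) with 3584K/512K bytes of memory.
"""
NEW_STYLE = """\
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(15)T7, RELEASE SOFTWARE (fc3)
Cisco 1841 (revision 7.0) with 118784K/12288K bytes of memory.
"""

# Version line of either vintage: image name in parentheses, then
# major.minor(maintenance); trailing train letters such as T7 are not captured.
VERSION_RE = re.compile(
    r"^(?:Cisco IOS Software|IOS \(tm\)).*?\((?P<image>[A-Za-z0-9-]+)\).*?"
    r"Version (?P<major>\d+)\.(?P<minor>\d+)\((?P<maint>\d+)\)",
    re.M,
)
# Hardware line: "cisco 1602 (68360) processor ..." or "Cisco 1841 (revision 7.0) ...".
MODEL_RE = re.compile(r"^cisco (?P<model>\d+) ", re.M | re.I)


def parse_show_version(text):
    """Return the questionnaire answers BRST asks for from 'show version' text."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no IOS version line found")
    h = MODEL_RE.search(text)
    if h is None:
        raise ValueError("no hardware model line found")
    return {
        # Exactly the form the questionnaire wants: no trailing letters.
        "version": f"{m['major']}.{m['minor']}({m['maint']})",
        "model": h["model"],          # digits only
        "image": m["image"],
        # Heuristic (assumption): a K9 feature set carries strong crypto, so RSA
        # key generation and SSH are expected to work. Actually generating the
        # key, as the Preparation steps say, remains the authoritative check.
        "strong_crypto_image": "K9" in m["image"].upper(),
    }


if __name__ == "__main__":
    for sample in (OLD_STYLE, NEW_STYLE):
        print(parse_show_version(sample))
```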

Gateway IP Address

Enter the IP address of your Internet Service Provider's (ISP's) router. This is the IP Address in the ISP's network that is directly connected to the border router. This IP Address is your Gateway Address.

IP Address: ___.___.___.___

Answer the following questions so the BRST can generate the recommended changes to your configuration file for you.

Section 1: Unneeded Services

Many unneeded services are enabled by default. This section guides you through disabling Global (Section 1a), then interface specific (Section 1b) services that are not needed.

Section 1a: Unneeded Global Services

Disabling unneeded global services affects the entire router and is done at the enable prompt.

Please review each setting below and uncheck services you want left as they are.

For an index of protocols that will be disabled and a help file describing the services, their dangers, and recommended settings, click here.


Section 1b: Unneeded Interface Specific Services

Disabling unneeded interface services affects only the interface they are entered on and is done at the configure interface prompt.

Section 1b1: Internet interface services

Enter the name of your Internet facing router interface (example: serial 0). This is the interface that connects to your Internet Service Provider's equipment.

Enter the IP address and mask of your Internet facing router interface. This is the interface that connects the router to the Internet Service Provider's (ISP's) router.

IP Address: ___.___.___.___   Mask: ___.___.___.___

Review each setting below and uncheck services you want left as they are.


Section 1b2: Firewall facing interface services

Enter the name of your Firewall facing router interface (example: ethernet 0).
This is the interface that connects the router to your firewall.

Enter the IP address and mask of your Firewall facing router interface. This is the interface that connects the router to your firewall.

IP Address: ___.___.___.___   Mask: ___.___.___.___

Review each setting below and uncheck services you want left as they are.


Section 2: Recommended Services

Some global and interface services that can increase router security are not enabled by default. You will enable those services here.

Section 2a: Recommended Global Services

Please review each setting below and uncheck services you want left as they are.


Section 2c: Loopback Interface

Enter the IP Address you want to use for your loopback interface. This should be an address from a network range that is not in use on any other interface on your router.

IP Address: ___.___.___.___

(All services disabled on the previous interfaces will also be disabled here, with the exception of Network Time Protocol (NTP). NTP will remain enabled on this interface.)

Section 2d: Null Interface

that will be used for null routing.

(The only service that can be disabled on a null interface is IP unreachables. IP unreachables will be disabled on the null interface.)

Section 2e: Configure Network Time Protocol

Correct time on the router is critical for tracking network attacks. Log files from several devices may have to be parsed to find "threads" of activity through the network. Accurate timestamps on log entries permit those logs to be searched for entries at specific times. Network Time Protocol servers provide nearly synchronous time across a network.

NTP was disabled on several interfaces. NTP information should not be given out in response to unauthorized queries, and the router should not act as an NTP server unless it is part of a larger NTP infrastructure. NTP will be enabled on, and bound to, the loopback interface.

To find a public NTP server near you, go to ntp.org's Stratum 2 Time Servers. Scroll down the list to find a pair of servers that have an Open Access Policy, preferably ones that do not require Notification. They are listed by name, which would require the router to resolve those names before it could use them. The Domain Name System (DNS) poses its own risks, so it was disabled earlier. Resolve the name to an IP address by pinging it from a PC or Unix computer. Be aware that the IP addresses associated with host names are subject to change, so you must check periodically that NTP is still working, and it is best to configure at least two servers.

Be sure to look at ntp.org's Rules of Engagement concerning the use of Stratum 2 Servers.

Enter the IP Address of the Primary NTP Server: ___.___.___.___
Enter the IP Address of the Secondary NTP Server: ___.___.___.___

Section 3: Access Control

Access to the router via physical ports such as the Auxiliary (aux) and Console ports, and via virtual terminal (vty) ports, must be controlled. The information you provide in this section will permit secure access but deny unauthorized login attempts.

Section 3a: Enable Secret and Local User Account

Enter the Enable Secret Password.

Enable Secret Password: ___

Enter a username and password for a local user account.

Username: ___   Password: ___

Section 3b: Auxiliary Port

The auxiliary port, or aux port, is not normally needed and should be disabled unless it is attached to a modem for out-of-band access. Not all routers have aux ports. If your router has an aux port, be sure to check the "Disable aux port" box if it is not used for out-of-band access via a modem.

Section 3c: Console Port

The console port is used to access the router locally using a serial connection and terminal emulation software like PuTTY, TeraTerm, or HyperTerminal.

Section 3d: Virtual Terminal (vty) Ports

Virtual Terminal (vty) ports control remote access via the network. Since vty ports are accessible over the network, they represent a significant risk if they are not secured properly. Vty ports should only be accessible from trusted IP addresses, and only protocols that provide encryption, like Secure Shell (SSH), should be permitted. Enter the IP address of a trusted host. If you will always be accessing the router from the LAN behind a firewall, you can use the firewall's IP address which is nearest the router.

Enter the IP Address of a trusted remote access computer or the Firewall's outside interface.

IP Address: ___.___.___.___

Section 3e: Restricting Command Access

Some commands that are available to all user levels should be restricted to administrator level.

Section 3f: AAA Access Control

AAA Access Control permits additional logging of actions taken by users.

Section 4: Anti-spoofing

Controlling the flow of erroneous or mischievous traffic to or through the router is done with null routing and access control lists.

Section 4a: Null Routing

The BRST uses null routing to dispose of bogon and martian packets that try to enter or traverse the router, because it is an effective and efficient way to do so. Null routing quietly drops packets whose destinations fall within static routes pointed at the null interface, using minimal processing power to discard these known bad packets.

Configuring null routing is recommended, with a caveat. If you configure null routing, it is strongly recommended that you check the null routes provided against the current list maintained on Team Cymru's web site. You are also encouraged to sign up for their mailing list and to update your null routes when changes are announced. Changes do not occur often. The bogon addresses used to generate this null route are from 5 October 2008. There had not been a change to the list since May 2008.

Section 4b: Internet (Outside) Access Control List (ACL)

The firewall facing interface should only receive traffic from the firewall. This access list will permit traffic with an originating address of the firewall but will deny and log all other traffic.

Section 4c: Firewall Facing (Inside) ACL

The firewall facing interface should only receive traffic from the firewall. This access list will permit traffic with an originating address of the firewall but will deny and log all other traffic.
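Section 3d (trusted vty access) and Sections 4a and 4c (null routing, inside ACL) are mechanical enough to generate; the Python below is an added example of doing so, not the BRST generator's own code. The addresses, interface name and bogon prefixes are constructed samples (take the real prefixes from Team Cymru), and the ACL numbers and exec-timeout are assumptions.

```python
import ipaddress

# Constructed sample questionnaire answers (not values from the BRST page).
TRUSTED_HOST = "203.0.113.10"   # Section 3d: trusted remote-access host
FIREWALL_IP = "198.51.100.2"    # Section 4c: firewall address nearest the router
INSIDE_IFACE = "Ethernet0"      # Section 1b2: firewall facing interface
# Sample martian/RFC 1918 prefixes only; take the real list from Team Cymru.
BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
          "172.16.0.0/12", "192.168.0.0/16"]

def null_routes(prefixes):
    """Sections 2d/4a: Null0 with unreachables off, one static route per bogon."""
    lines = ["interface Null0", " no ip unreachables"]
    for p in prefixes:
        # strict=True rejects a prefix with host bits set, e.g. 10.0.0.1/8.
        net = ipaddress.ip_network(p, strict=True)
        lines.append(f"ip route {net.network_address} {net.netmask} Null0")
    return lines

def vty_access(trusted_host, acl=10):
    """Section 3d: vty lines reachable only from one host, SSH only."""
    host = ipaddress.ip_address(trusted_host)   # raises on a malformed address
    return [
        f"access-list {acl} permit host {host}",
        f"access-list {acl} deny any log",       # log rejected login sources
        "line vty 0 4",
        f" access-class {acl} in",
        " transport input ssh",                  # no telnet
        " login local",                          # Section 3a local account
        " exec-timeout 5 0",
    ]

def inside_acl(firewall_ip, iface, acl=110):
    """Section 4c: only the firewall may source traffic into the inside interface."""
    fw = ipaddress.ip_address(firewall_ip)
    return [
        f"access-list {acl} permit ip host {fw} any",
        f"access-list {acl} deny ip any any log",
        f"interface {iface}",
        f" ip access-group {acl} in",
    ]

def generate(trusted_host, firewall_ip, iface, bogons):
    """Assemble the three fragments in the order they would be pasted in."""
    return "\n".join(null_routes(bogons) + vty_access(trusted_host)
                     + inside_acl(firewall_ip, iface))

if __name__ == "__main__":
    print(generate(TRUSTED_HOST, FIREWALL_IP, INSIDE_IFACE, BOGONS))
```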

Section 5: Logging

There are many options with regard to what to log and how to store log entries. Attackers may try to cover their tracks by overwriting or erasing log files. It is important to forward log entries to a secured syslog server that is external to the router if possible. This will ensure that logs are preserved even if the router is power cycled. It should also make it more difficult for an attacker to modify or erase the log files.

A relatively safe way to set up a syslog server is to use a spare Ethernet or Fast Ethernet interface on the router to set up a kind of Demilitarized Zone (DMZ) strictly for the Syslog Server. You could use an old computer you have and install a donation supported operating system like OpenBSD, CentOS, FreeBSD, or Fedora. Each of the operating systems referenced has its own firewall software available to screen traffic and has a built in syslog service. Packets traversing the router's DMZ interface can be restricted so only syslog messages from the loopback interface of the router, and possibly SSH traffic to and from the firewall facing interface are allowed.

If there aren't any spare interfaces on your router, you could put a syslog server in the Firewall's DMZ and only permit traffic to it from the router's loopback IP address.

If neither of those options is available, it may be preferable to configure local logging only instead of permitting syslog messages to penetrate the Firewall to a syslog server on the Local Area Network.

Enter an IP address, netmask, and interface name for the DMZ interface and the IP address of the Syslog Server:

Local DMZ Interface IP: ___.___.___.___   Local DMZ Interface Mask: ___.___.___.___
Local DMZ Syslog Server IP: ___.___.___.___   Local DMZ Interface Name: ___

Enter the IP address of the Syslog Server:

Firewall DMZ Syslog Server IP address: ___.___.___.___

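An added example (not BRST's code) that emits the NTP settings from Section 2e and the router-attached syslog DMZ described in Section 5, with the DMZ interface filtered so only loopback-sourced syslog is meant to cross it; every address, the interface name and the ACL numbers are constructed assumptions.

```python
import ipaddress

# Constructed sample answers (not values from the BRST page).
LOOPBACK_IP = "192.0.2.1"                        # Section 2c loopback address
NTP_SERVERS = ["203.0.113.20", "203.0.113.21"]   # two resolved Stratum 2 servers
DMZ_IFACE, DMZ_IP, DMZ_MASK = "FastEthernet1", "192.0.2.129", "255.255.255.248"
SYSLOG_IP = "192.0.2.130"

def ntp_config(servers, loopback="Loopback0", acl=20):
    """Section 2e: NTP sourced from the loopback; answer nobody but our servers."""
    if len(servers) < 2:
        raise ValueError("configure at least two NTP servers")
    addrs = [ipaddress.ip_address(s) for s in servers]
    lines = [f"access-list {acl} permit host {a}" for a in addrs]
    lines += [f"access-list {acl} deny any",
              f"ntp access-group peer {acl}",   # unauthorized NTP queries dropped
              f"ntp source {loopback}"]         # 'ntp disable' stays on other ifaces
    lines += [f"ntp server {a}" for a in addrs]
    return lines

def syslog_dmz_config(iface, ip, mask, syslog_ip, loopback_ip,
                      loopback="Loopback0", acl=120):
    """Section 5: router-attached syslog DMZ; only loopback->syslog should cross it."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    if ipaddress.ip_address(syslog_ip) not in net:
        raise ValueError(f"{syslog_ip} is not on the DMZ subnet {net}")
    return [
        f"logging source-interface {loopback}",  # syslog leaves from the loopback
        "logging trap informational",
        f"logging host {syslog_ip}",
        # Router-originated syslog is not subject to the outbound ACL; the permit
        # documents intent, the deny keeps transit traffic out of the DMZ.
        f"access-list {acl} permit udp host {loopback_ip} host {syslog_ip} eq syslog",
        f"access-list {acl} deny ip any any log",
        f"access-list {acl + 1} deny ip any any log",   # nothing comes back in
        f"interface {iface}",
        f" ip address {ip} {mask}",
        f" ip access-group {acl} out",
        f" ip access-group {acl + 1} in",
    ]

if __name__ == "__main__":
    print("\n".join(ntp_config(NTP_SERVERS)))
    print("\n".join(syslog_dmz_config(DMZ_IFACE, DMZ_IP, DMZ_MASK, SYSLOG_IP, LOOPBACK_IP)))
```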

This software is not sponsored by, endorsed by or affiliated with Cisco Systems, Inc. Cisco, Cisco Systems, and IOS are registered trademarks of Cisco Systems, Inc. in the USA and certain other countries. All other trademarks are trademarks of their respective owners.

BRST - Border Router Security Tool, Helps administrators secure their border routers.
Copyright © 2008 Ted LeRoy

This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.

A local copy of the license can be found at copying.

theodore.leroy_at_yahoo_dot_com

Source code can be obtained at: https://sourceforge.net/projects/borderroutersec/