









5.5 Managing the Router

5.5.4 Testing and security validation
 








The perimeter router is the first line of defense against malicious
attacks. However, routers provide many services that can have severe
security implications if improperly configured. Some of these services
are enabled by default; others are enabled by users. Security testing
provides a means of verifying that security functions and system
operations are configured in a secure manner. Ideally, testing should
be performed at initial deployment of a router and whenever major
changes have been made to any part of its configuration.

Testing tools

A variety of tools are available for testing purposes.
Scanners such as Fyodor's Nmap and Nessus are used to scan for open TCP and UDP ports on a router interface.
The Center for Internet Security (CIS) has developed the Router Audit
Tool (RAT) for auditing Cisco router configuration files. The RAT is
based on the CIS Benchmark for Cisco IOS Routers, a consensus-based
best practice guideline for hardening Cisco routers. The RAT is
available for the Windows or UNIX operating systems. A sample RAT
output is shown in Figure
.
Finally, the Cisco Output Interpreter is a tool that analyzes Cisco
router or Cisco PIX configurations, displays potential security
issues, and recommends security fixes.
Also, packet sniffer programs can be used to monitor traffic
passing through the network and steal unencrypted passwords and SNMP
community strings. This information can then be used to formulate
specific attacks against the router. Attack scripts are readily
available on the Internet for numerous well-known exploits. Several
denial of service (DoS) attacks and the newer distributed denial of
service (DDoS) attacks have been highly successful against some
versions of IOS.
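
A configuration-file audit of the kind RAT performs, with a check for cleartext Telnet on the vty lines (the exposure the packet-sniffer paragraph describes), shown as an added example. It is not part of the original page and is not RAT or the CIS Benchmark: the rule list, the `audit` and `vty_findings` function names, and both sample configurations are constructed for illustration.

```python
import re

# Illustrative checks, assumed for this example (not the RAT or CIS rule set).
# "require": some line must match. "forbid": no line may match.
RULES = [
    ("require", r"service password-encryption", "passwords shown in clear text in the config"),
    ("require", r"no ip source-route", "IP source routing not disabled"),
    ("require", r"no ip http server", "HTTP server not explicitly disabled"),
    ("forbid", r"service (tcp|udp)-small-servers", "TCP/UDP small servers enabled"),
    ("forbid", r"enable password .*", "enable password used instead of enable secret"),
    ("forbid", r"snmp-server community (public|private)\b.*", "default SNMP community string"),
]

def vty_findings(lines):
    # Flag 'line vty' blocks whose remote access is not restricted to SSH.
    findings, block, transport = [], None, None
    for line in lines + ["!"]:              # sentinel closes the final block
        if not line.startswith(" "):        # a new top-level command ends the block
            if block and transport != "ssh":
                findings.append(f"{block}: transport input is {transport or 'unset'}, expected ssh only")
            block, transport = (line if line.startswith("line vty") else None), None
        elif block and line.strip().startswith("transport input "):
            transport = line.strip()[len("transport input "):]
    return findings

def audit(config_text):
    lines = [l.rstrip() for l in config_text.splitlines()]
    findings = []
    for kind, pattern, message in RULES:
        hit = any(re.fullmatch(pattern, l.strip()) for l in lines)
        if (kind == "require") != hit:      # required line absent, or forbidden line present
            findings.append(message)
    return findings + vty_findings(lines)

# Constructed sample configurations (not taken from any real device).
WEAK_CONFIG = """enable password example-only
service tcp-small-servers
snmp-server community public RO
line vty 0 4
 transport input telnet
"""
HARDENED_CONFIG = """service password-encryption
enable secret 5 CONSTRUCTED-HASH-PLACEHOLDER
no service tcp-small-servers
no ip source-route
no ip http server
line vty 0 4
 transport input ssh
"""
```

Calling `audit(WEAK_CONFIG)` returns one finding per failed rule. Because services that are on by default do not appear in a saved configuration, the "require" rules treat a missing `no ...` line as a finding.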
 



















 









Web Links


VA Linux
http://ncat.sourceforge.net/

Nessus
http://www.nessus.org/

NMAP
http://www.insecure.org/nmap/

RAT - Center for Internet Security
http://www.cisecurity.org/









 








