1. BRST – Border Router Security Tool
Ted LeRoy

2. Outline
• What is the BRST?
• Target Users and Topologies
• Default Cisco Router install example
• Before BRST nmap scan
• Router Security
  • Disable Unneeded Services
  • Enable Helpful Services
  • Control Access
  • Configure Anti-spoofing
  • Logging
• Demo
• BRST Generated Configuration Example
• Nmap scan after using BRST
• References
Copyright 2010 Theodore LeRoy, GPLv3

3. What is the BRST?
• The BRST is a web-based utility
• Answer questions on web form
• Click Submit
• Receive secure configuration via web
• Cut and paste into terminal session

4. Target Users and Topologies
• Target Users
  • Network Administrators
  • May or may not have Cisco experience
• Target Topologies
  • Border routers
  • Routers between Firewall and Internet Service Provider
  • Concepts can be carried over to larger infrastructures
5. Default Cisco Router Install
• Basic Router Config
  • IP Addresses/Subnet Masks on Inside and Outside interfaces
  • IP Subnet Zero
  • IP Classless
  • Default Gateway
  • Username & Password
  • VTY Access & Password
• Ping from inside outward to ensure connectivity

    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    no logging console
    no logging monitor
    !
    no aaa new-model
    ip subnet-zero
    !
    username tleroy password 0 Secret
    !
    interface Ethernet0
     ip address 4.4.4.2 255.255.255.252
    !
    interface Serial0
     ip address 6.6.6.1 255.255.255.252
     shutdown
     service-module 56k clock source line
     service-module 56k network-type dds
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 4.4.4.1
    no ip http server
    !
    line con 0
    line vty 0 4
     login
    !
    end
6. Nmap Scan
• Before running BRST
• Nmap scan reveals several open ports
• More open ports may be visible on older code versions
• [Nmap scan output shown here]
• Banner grabbing can also be effective on an insecure router
  • Telnet, SSH, HTTP, finger, daytime
7. Router Security
• Disable Unneeded Services
  • Global Services
  • Interface Services
  • CDP/Yersinia Example
• Enable Helpful Services
  • SSH Authentication Retries Example
• Control Access
  • Disable Aux Port
  • Secure Console Port Access
  • Secure Virtual Terminal (vty) Access
8. Router Security (continued)
• Configure Anti-spoofing
  • Null-route BOGON and Martian Addresses (if not in use on router)
  • Anti-spoofing Access Control Lists (ACLs) on interfaces
  • Internal IPs should not enter from outside interface
• Logging
  • Syslog messages to secure server using a DMZ interface on router
  • Other options:
    • Send syslog messages to DMZ on firewall
    • Local logging only (all logs lost on reboot!)
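The two anti-spoofing items above, worked through as an added example (not BRST's own code): a short Python routine that emits the bogon null routes, honouring the "if not in use on router" caveat, and the inbound ACL that rejects packets whose source claims an internal address. BOGONS is a constructed, abbreviated list (RFC 1918 plus a few martians), not Team Cymru's full list, and the prefixes passed in are assumed sample values.

```python
# Added example, not BRST project code: derive the bogon null routes and the
# inbound anti-spoofing ACL the deck describes from the router's own prefixes.
# BOGONS is a constructed, abbreviated list (RFC 1918 plus a few martians), not
# Team Cymru's full list; prefixes passed to the functions are assumed samples.
import ipaddress

BOGONS = ["10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
          "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/4"]

def null_routes(in_use):
    """'ip route ... Null0' for each bogon that does not overlap a prefix the
    router itself uses: the deck's 'if not in use on router' caveat."""
    used = [ipaddress.ip_network(p) for p in in_use]
    lines = []
    for b in BOGONS:
        net = ipaddress.ip_network(b)
        if any(net.overlaps(u) for u in used):
            continue      # e.g. a 10.0.0.1/32 loopback keeps 10/8 routable
        lines.append(f"ip route {net.network_address} {net.netmask} Null0")
    return lines

def antispoof_acl(name, internal):
    """Inbound ACL for the outside interface: deny and log packets whose source
    claims an internal (inside nets, loopback, own link) or bogon address, then
    permit the rest; the firewall behind the router does the real filtering."""
    acl = [f"ip access-list extended {name}"]
    seen = set()
    for p in list(internal) + BOGONS:
        net = ipaddress.ip_network(p)
        if net in seen:
            continue
        seen.add(net)
        # IOS ACLs take an inverted (wildcard) mask: 255.255.255.0 -> 0.0.0.255
        acl.append(f" deny ip {net.network_address} {net.hostmask} any log")
    acl.append(" permit ip any any")
    return acl

if __name__ == "__main__":
    print("\n".join(null_routes(["2.2.2.0/30", "10.0.0.1/32"])))
    print("\n".join(antispoof_acl("firewall_in", ["192.168.1.0/24", "2.2.2.0/30"])))
```

With a 10.0.0.1/32 loopback in use, the 10/8 null route is left out; everything else in the list is black-holed.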
9. Live Demo
• Using BRST to secure a Cisco Router
• Set delay for TeraTerm (COM flow too fast for older hardware)

    ! Border Router Security Tool (BRST) Recommended Configuration
    ! Start Copying Config File Here !
    ! Enter the following router commands exactly as shown.
    !
    ! You may copy and paste directly from the results that appear into
    ! the router configuration using your terminal emulation software.
    !
    ! Comments are preceded by an !. They will be ignored by the router.
    !
    !
    ! global router commands
    !
    ! Watch for WARNINGS in the Configuration the BRST provides.
    ! If you see a WARNING, read the warning, click your Browser's
    ! back button, correct the error, and click "Submit" again.
    !
    ! Entering Global Configuration mode.
    !
    configure terminal
    !
    ip subnet-zero
    ip classless
    !
    ! default route
    ip route 0.0.0.0 0.0.0.0 1.1.1.1
    !
    !Section 1: Unneeded Services
    !
10. Post BRST Config
• Disabled many services
  • No ip unreachables
  • No ip redirects
• Enabled positive services
  • tcp-keepalives in and out
  • SSH timeout
• Configured secure access
  • SSH if available
  • Telnet only from certain hosts if not
• Configured anti-spoofing
  • Null routing of BOGONs
• Enabled logging

    show run
    Building configuration...

    Current configuration : 3361 bytes
    !
    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    no service dhcp
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 4096 informational
    no logging console
    no logging monitor
    enable secret 5 $1$YLJj$O5nh6cmiNdspYsbEctgEa.
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa session-id common
    ip subnet-zero
    no ip source-route
    no ip gratuitous-arps
    ip options drop
    !
    username tleroy password 7 15210E0F162F3F
    !
    interface Loopback0
     ip address 10.0.0.1 255.255.255.255
     no ip redirects
     no ip unreachables
     no ip proxy-arp
    !
    interface Null0
     no ip unreachables
    !
    interface Ethernet0
     ip address 2.2.2.1 255.255.255.252
     ip access-group firewall_in in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     no cdp enable
    … Output truncated
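A way to verify that a router actually ended up with the settings the slide lists, as an added example that is not part of BRST: a small Python checker that parses a `show run` dump into global and per-interface commands and reports which checklist items are missing. SAMPLE_CONFIG is constructed from the post-BRST excerpt above, with "no cdp enable" deliberately left off Ethernet0 so the audit has something to find.

```python
# Added example, not BRST project code: audit a `show run` dump for the
# hardening items the deck lists. SAMPLE_CONFIG is constructed from the
# post-BRST excerpt on the slides, with "no cdp enable" deliberately omitted.
GLOBAL_REQUIRED = ["service password-encryption", "service tcp-keepalives-in",
                   "service tcp-keepalives-out", "no ip source-route",
                   "no service pad"]             # deck's global checklist
INTERFACE_REQUIRED = ["no ip redirects", "no ip unreachables",
                      "no ip proxy-arp", "no cdp enable"]  # per interface

def parse_config(text):
    """Split an IOS config into (global_cmds, {interface_name: [sub_cmds]})."""
    global_cmds, interfaces, current = [], {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue                                  # blank lines and comments
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())  # interface sub-command
        else:
            current = None                            # back at global scope
            global_cmds.append(line.strip())
    return global_cmds, interfaces

def audit(text):
    """Return sorted 'scope: missing command' findings for a config dump."""
    global_cmds, interfaces = parse_config(text)
    findings = ["global: " + c for c in GLOBAL_REQUIRED if c not in global_cmds]
    for name, cmds in interfaces.items():
        if name.startswith("Null"):
            continue               # Null0 only needs 'no ip unreachables'
        required = [c for c in INTERFACE_REQUIRED   # Loopback has no link layer
                    if c != "no cdp enable" or not name.startswith("Loopback")]
        findings += [name + ": " + c for c in required if c not in cmds]
    return sorted(findings)

SAMPLE_CONFIG = """\
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service password-encryption
no ip source-route
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Ethernet0
 ip address 2.2.2.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
"""
```

Running audit(SAMPLE_CONFIG) reports only the CDP gap on Ethernet0; a dump that has never been hardened reports every global item as well.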
11. Nmap Scan
• After running BRST
• Nmap scan reveals no open ports
• OS Detection is more ambiguous
• [Nmap scan output shown here]
• Banner grabbing much less effective
  • No Telnet or HTTP Access
  • SSH only from inside interface (VPN then SSH)
  • Disabled services will not leak information

12. References
• U.S. National Security Agency System and Network Attack Center (NSA SNAC) Guide: Router Security Configuration Guide, http://www.nsa.gov/ia/_files/routers/C4-040R-02.pdf
• Cisco Guide to Harden Cisco IOS Devices, http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
• Team Cymru’s Secure IOS Template, http://www.cymru.com/Documents/secure-ios-template.html
• Akin, Thomas, “Hardening Cisco Routers,” O’Reilly Media, February 2002

13. Disclaimer
This software is not sponsored by, endorsed by or affiliated with Cisco Systems, Inc. Cisco, Cisco Systems, and IOS are registered trademarks of Cisco Systems, Inc. in the USA and certain other countries. All other trademarks are trademarks of their respective owners.

BRST - Border Router Security Tool, helps administrators secure their border routers.
Copyright © 2008 Ted LeRoy

This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.

A local copy of the license can be found at COPYING.
theodore.leroy_at_yahoo_dot_com
Source code can be obtained at: https://sourceforge.net/projects/borderroutersec/

Editor's Notes

  • #4: Originally titled the Cisco Router Security Tool (CRST), it was a Master’s Project for Ted LeRoy’s Information Technology Program at RIT.
  • #5: Why border routers? They are outside the corporate network, they are exposed to the Internet, and they are sometimes overlooked by administrators.
  • #6: Why border routers? They are outside the corporate network, they are exposed to the Internet, and they are sometimes overlooked by administrators.
  • #11: Why border routers? They are outside the corporate network, they are exposed to the Internet, and they are sometimes overlooked by administrators.
  • #12: Telnet, if enabled, is only accessible from inside interface. User must VPN into network, then access router.