[c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)
Justin Shore
justin at justinshore.com
Mon Mar 24 16:43:46 EDT 2008
Sridhar Ayengar wrote:
> Fred Reimer wrote:
>> Exactly, autosecure is just a macro. It is always advisable to check the
>> actual router configuration after it is completed. The engineer should make
>> sure they understand how all of the commands implemented, and if they don't
>> research them and make sure they know of any caveats.
>
> Is there anything similar that will allow me to take a router
> configuration file and interactively process it on an external system to
> increase security on my router?
Yes. You can use RAT (Router Audit Tool).
http://www.cisecurity.org/
However that still doesn't exempt the admin from knowing exactly what
each and every suggested command does. RAT bitches and moans about my
configs because I don't ever set VTY passwords. RAT doesn't have the
ability to recognize that they are not needed in my scenario because I
utilize full AAA. RAT is programmed to look for certain things and give
the pre-determined output. It's still a good tool but you have to
understand what it's telling you to figure out if in fact there is a
problem to be addressed.
As always with security, there is no silver bullet.
Justin
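
The point about VTY passwords and AAA, as an added example that is not part of the original post and is not RAT's own logic: a fixed rule that flags every VTY line without a password, next to a context-aware version that suppresses the finding only when the line's login method list is actually defined. The function names and sample configurations are constructed for illustration, and the handling of IOS AAA semantics is a simplified assumption.

```python
import re

# Constructed sample configurations (not taken from the original post).
CONFIG_AAA = """\
aaa new-model
aaa authentication login default group tacacs+ local
!
line vty 0 4
 transport input ssh
line vty 5 15
 login authentication MGMT
 transport input ssh
"""
CONFIG_NO_AAA = "line vty 0 4\n login\n transport input telnet\n"

def parse_vty_blocks(config):
    """Return {header: [sub-commands]} for each 'line vty' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level line ends the block
    return blocks

def audit_vty(config, aaa_aware=True):
    """Return findings for VTY lines that have no line password."""
    aaa_on = re.search(r"^aaa new-model\s*$", config, re.M) is not None
    lists = set(re.findall(r"^aaa authentication login (\S+) ", config, re.M))
    findings = []
    for header, cmds in parse_vty_blocks(config).items():
        if any(c.startswith("password ") for c in cmds):
            continue
        used = "default"  # assumption: lines use 'default' unless overridden
        for c in cmds:
            m = re.match(r"login authentication (\S+)", c)
            if m:
                used = m.group(1)
        if aaa_aware and aaa_on and used in lists:
            continue  # login is handled by a defined AAA method list
        findings.append(f"{header}: no password (method list '{used}')")
    return findings
```

With `aaa_aware=False` both VTY blocks in `CONFIG_AAA` are flagged; with the default setting only the block that references the undefined list `MGMT` is reported, which is the kind of finding that still needs a human to read the configuration.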