[c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)
Rikard Skjelsvik
rskjels at pogostick.net
Mon Mar 24 17:42:14 EDT 2008
Justin Shore wrote:
> Sridhar Ayengar wrote:
>
>> Fred Reimer wrote:
>>
>>> Exactly, autosecure is just a macro. It is always advisable to check the
>>> actual router configuration after it is completed. The engineer should make
>>> sure they understand how all of the commands implemented, and if they don't
>>> research them and make sure they know of any caveats.
>>>
>> Is there anything similar that will allow me to take a router
>> configuration file and interactively process it on an external system to
>> increase security on my router?
>>
>
> Yes. You can use RAT (Router Audit Tool).
>
> http://www.cisecurity.org/
>
> However that still doesn't exempt the admin from knowing exactly what
> each and every suggested command does. RAT bitches and moans about my
> configs because I don't ever set VTY passwords. RAT doesn't have the
> ability to recognize that they are not needed in my scenario because I
> utilize full AAA. RAT is programmed to look for certain things and give
> the pre-determined output. It's still a good tool but you have to
> understand what it's telling you to figure out if in fact there is a
> problem to be addressed.
>
> As always with security, there is no silver bullet.
>
> Justin
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
Or you could use nipper
http://sourceforge.net/projects/nipper
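
The VTY-password finding discussed in the quoted message, as an added example that is not part of the thread and is not code from RAT or nipper: a minimal offline check that treats a missing line password as acceptable when an AAA login method list covers the line. The function names, verdict strings and sample configurations are constructed for illustration.

```python
import re

# Constructed sample configs (not from the thread).
AAA_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
line vty 0 4
 transport input ssh
line vty 5 15
 login authentication MGMT
"""
LEGACY_CONFIG = """\
line vty 0 4
 password 7 CONSTRUCTED
 login
line vty 5 15
 no login
"""

def vty_blocks(config):
    """Map each 'line vty' header to the list of its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = blocks.setdefault(raw.strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # any other top-level line ends the block
    return blocks

def audit_vty(config):
    """Return {header: verdict}; no line password is fine when AAA covers the line."""
    aaa = re.search(r"^aaa new-model\s*$", config, re.M) is not None
    lists = set(re.findall(r"^aaa authentication login (\S+) ", config, re.M))
    result = {}
    for header, cmds in vty_blocks(config).items():
        named = [c.split()[2] for c in cmds if c.startswith("login authentication ")]
        method = named[0] if named else "default"
        if aaa and method in lists:
            result[header] = "ok: AAA list " + method
        elif aaa:
            result[header] = "review: AAA list " + method + " not defined"
        elif "no login" in cmds:
            result[header] = "flag: no authentication"
        elif any(c.startswith("password ") for c in cmds) or "login local" in cmds:
            result[header] = "ok: line password or local users"
        else:
            result[header] = "flag: no line password and no AAA"
    return result
```

A "review" verdict still needs a person to read the configuration, which is the point made in the thread about understanding what the tool reports.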