[c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)

Joseph Jackson jjackson at aninetworks.net
Mon Mar 24 20:28:26 EDT 2008


Thanks to everyone for all the great info!

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rikard Skjelsvik
> Sent: Monday, March 24, 2008 4:42 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)
>
> Justin Shore wrote:
> > Sridhar Ayengar wrote:
> >
> >> Fred Reimer wrote:
> >>
> >>> Exactly, autosecure is just a macro.  It is always advisable to check the
> >>> actual router configuration after it is completed.  The engineer should make
> >>> sure they understand how all of the commands implemented, and if they don't
> >>> research them and make sure they know of any caveats.
> >>>
> >> Is there anything similar that will allow me to take a router
> >> configuration file and interactively process it on an external system to
> >> increase security on my router?
> >>
> >
> > Yes.  You can use RAT (Router Audit Tool).
> >
> > http://www.cisecurity.org/
> >
> > However that still doesn't exempt the admin from knowing exactly what
> > each and every suggested command does.  RAT bitches and moans about my
> > configs because I don't ever set VTY passwords.  RAT doesn't have the
> > ability to recognize that they are not needed in my scenario because I
> > utilize full AAA.  RAT is programmed to look for certain things and give
> > the pre-determined output.  It's still a good tool but you have to
> > understand what it's telling you to figure out if in fact there is a
> > problem to be addressed.
> >
> > As always with security, there is no silver bullet.
> >
> > Justin
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> >
> Or you could use nipper
>
> http://sourceforge.net/projects/nipper
>
>


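Added example, not part of the thread and not RAT's or nipper's own logic: a context-aware VTY check that accepts an AAA login method list in place of a line password, which is the case the quoted message says a fixed rule misreports. The sample configs, function names and the simplified method-list resolution are assumptions made for illustration.

```python
import re

# Constructed sample configs for illustration (not taken from the thread).
AAA_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
!
line vty 0 4
 transport input ssh
"""
NO_AUTH_CONFIG = """\
line vty 0 4
 login
 transport input telnet
"""

def parse_sections(config):
    """Split IOS-style text into (top-level line, [indented child lines])."""
    sections = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(line)
        else:
            sections.append((line, []))
    return sections

def audit_vty(config):
    """Return findings for VTY lines; an AAA login method list counts as authentication."""
    sections = parse_sections(config)
    top = [header for header, _ in sections]
    aaa_on = "aaa new-model" in top
    # Names of defined login method lists, e.g. "default".
    lists = {m.group(1) for h in top
             if (m := re.match(r"aaa authentication login (\S+)\s", h))}
    findings = []
    for header, body in sections:
        if not header.startswith("line vty"):
            continue
        # Simplified assumption: a line uses the list it names, else "default".
        wanted = next((l.split()[2] for l in body
                       if l.startswith("login authentication ")), "default")
        if aaa_on and wanted in lists:
            continue  # AAA authenticates this line; a missing line password is fine
        if aaa_on:
            findings.append(f"{header}: login method list '{wanted}' is not defined")
        elif "login local" not in body and not any(l.startswith("password ") for l in body):
            findings.append(f"{header}: no line password, local login or AAA")
    return findings
```

Any finding it reports is still a prompt to read the configuration, not a verdict.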