Version 1.0.2
The BRST is a web based utility for generating a secure configuration for Cisco routers. It is primarily designed to be used for border routers in small to medium sized companies but the concepts can be applied to larger internal routing infrastructures. More info on the project.
Click on most links for a web based help file which will provide more information. Some links take you to specific configuration instructions or outside web sites with more information.
Be sure to read the Warnings prior to using the configuration file generated using the BRST on your router!
If you encounter problems, look at the troubleshooting page.
These are actions you should take prior to completing the questionnaire. Router commands to complete these steps are available here.
Enter a router host name.
Enter the domain-name. (This step facilitates generation of an RSA Key in the next step.)
Generate an RSA Cryptography Key (crypto-key) to allow configuration of Secure Shell (SSH). For specific commands that will create a host name, a domain name and will allow you to generate an RSA crypto-key, click here.
Does your Internetwork Operating System (IOS) image support cryptography? (If you were able to generate a crypto-key in the previous step, the answer is yes. If not, click no. Crypto-capable images usually carry k8 or k9 in the image name shown by "show version".)
Enter the code version running on your router (example: 12.0(3)). Do not include trailing letters, such as the T in 12.0(3)T. The code version is shown by the "show version" command at the enable prompt.
Enter the model of your router (example: 1602). Only numbers should be entered. The router model is also shown by the "show version" command at the enable prompt.
Enter the IP address of your Internet Service Provider's (ISP's) router. This is the IP Address in the ISP's network that is directly connected to the border router. This IP Address is your Gateway Address.
Answer the following questions so the BRST can generate the recommended changes to your configuration file for you.
Many unneeded services are enabled by default. This section guides you through disabling Global (Section 1a), then interface specific (Section 1b) services that are not needed.
Disabling unneeded global services affects the entire router and is done in global configuration mode (enter "configure terminal" from the enable prompt).
Please review each setting below and uncheck services you want left as they are.
For an index of protocols that will be disabled and a help file describing the services, their dangers, and recommended settings, click here.
Disabling unneeded interface services affects only the interface they are entered on and is done in interface configuration mode ("interface <name>" from global configuration mode).
Enter the name of your Internet facing router interface (example: serial 0). This is the interface that connects to your Internet Service Provider's equipment.
Enter the IP address and mask of your Internet facing router interface. This is the interface that connects the router to the Internet Service Provider's (ISP's) router.
Review each setting below and uncheck services you want left as they are.
Enter the name of your Firewall facing router interface (example: ethernet 0). This is the interface that connects the router to your firewall.
Enter the IP address and mask of your Firewall facing router interface. This is the interface that connects the router to your firewall.  
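The two halves of Section 1 are a checklist of services to turn off globally and then per interface. The script below is an added example, not code from the BRST itself: it renders that checklist as IOS 12.x commands from a "keep" set that stands in for the boxes a user leaves unchecked, validates the interface address and mask before emitting them (IOS rejects a network or broadcast address, and ipaddress rejects a non-contiguous mask), and skips "no mop enabled" on non-Ethernet interfaces, where IOS refuses it. The service lists and the sample addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
import ipaddress

# Section 1a: global services the hardening turns off. The key is the checkbox
# label a user can leave checked; the value is the IOS 12.x command.
GLOBAL_DISABLE = {
    "cdp": "no cdp run",
    "http server": "no ip http server",
    "finger": "no ip finger",
    "bootp server": "no ip bootp server",
    "source routing": "no ip source-route",
    "tcp small servers": "no service tcp-small-servers",
    "udp small servers": "no service udp-small-servers",
    "pad": "no service pad",
    "snmp": "no snmp-server",
    "dns lookup": "no ip domain-lookup",
    "autoload config": "no service config",
    "identd": "no ip identd",
}

# Section 1b: per-interface services. MOP exists only on Ethernet-type
# interfaces; IOS rejects "no mop enabled" on a serial interface.
INTERFACE_DISABLE = {
    "redirects": "no ip redirects",
    "unreachables": "no ip unreachables",
    "proxy arp": "no ip proxy-arp",
    "directed broadcast": "no ip directed-broadcast",
    "mask reply": "no ip mask-reply",
    "cdp": "no cdp enable",
    "mop": "no mop enabled",
}
ETHERNET_ONLY = {"mop"}


def is_ethernet(name):
    return name.lower().startswith(("eth", "fast", "gig"))


def validate_host(ip, mask):
    """Return an IPv4Interface if ip/mask is a usable host address.

    ipaddress itself rejects a non-contiguous mask such as 255.0.255.0. The
    network and broadcast addresses are rejected here because IOS refuses them
    ("Bad mask"), so a block containing one would be thrown out by the router.
    """
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{ip} is the network or broadcast address of {net}")
    return iface


def _check_known(keep, table):
    unknown = set(keep) - set(table)
    if unknown:
        raise KeyError(f"unknown service(s): {sorted(unknown)}")


def global_hardening(keep=()):
    """Commands for every global service the user did not leave in `keep`."""
    _check_known(keep, GLOBAL_DISABLE)
    return [cmd for svc, cmd in GLOBAL_DISABLE.items() if svc not in keep]


def interface_hardening(name, ip, mask, keep=()):
    """Interface-configuration block for one interface, address first."""
    _check_known(keep, INTERFACE_DISABLE)
    iface = validate_host(ip, mask)
    lines = [f"interface {name}", f" ip address {iface.ip} {iface.netmask}"]
    for svc, cmd in INTERFACE_DISABLE.items():
        if svc in keep or (svc in ETHERNET_ONLY and not is_ethernet(name)):
            continue
        lines.append(f" {cmd}")
    return lines


def section_one(interfaces, keep_global=()):
    """Render Section 1 (1a, then 1b per interface) as text to paste into the router."""
    out = ["configure terminal", *global_hardening(keep_global)]
    for name, ip, mask, keep in interfaces:
        out += interface_hardening(name, ip, mask, keep) + [" exit"]
    out.append("end")
    return "\n".join(out)


if __name__ == "__main__":
    # Constructed sample input using documentation addresses, not a real site.
    print(section_one([
        ("Serial0", "198.51.100.2", "255.255.255.252", ()),               # Internet facing
        ("Ethernet0", "192.0.2.1", "255.255.255.0", ("unreachables",)),   # firewall facing
    ], keep_global=("snmp",)))
```

Paste the output into the router from the enable prompt; "configure terminal" and the trailing "end" are included so the block lands in the right mode. Check "show running-config" afterwards for any line the running IOS version rejected.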
Some global and interface services that can increase router security are not enabled by default. You will enable those services here.
Create a Loopback Interface which will have protocols such as ntp bound to it.
Enter the IP Address you want to use for your loopback interface. This should be an address from a network range that is not in use on any other interface on your router.
(All services disabled on the previous interfaces will also be disabled here with the exception of Network Time Protocol (ntp). Ntp will remain enabled on this interface.)
Create a Null Interface that will be used for null routing.
(The only service that can be disabled on a null interface is ip unreachables. Ip unreachables will be disabled on the null interface).
Correct time on the router is critical for tracking network attacks. Log files from several devices may have to be parsed to find "threads" of activity through the network, and accurate timestamps on log entries permit those logs to be searched for entries at specific times. Network Time Protocol (NTP) servers keep clocks across a network closely synchronized.
Ntp was disabled on several interfaces. Ntp information should not be given to unauthorized queries, and the router should not be an ntp server unless it is part of a larger ntp infrastructure. Ntp will be enabled on and bound to the loopback interface.
To find a public ntp server near you, go to ntp.org's Stratum 2 Time Servers. Scroll down the list to find a pair of servers that have an Open Access Policy, and preferably ones that do not require Notification. They are listed by name, which would require the router to resolve names in order to use them; the Domain Name System (DNS) poses its own risks, so we disabled it earlier. Resolve each name to an IP address on a PC or Unix host (nslookup, dig, or simply ping the name) and enter the address. Be aware that the IP addresses associated with host names are subject to change, so check periodically that ntp is still synchronized ("show ntp associations" on the router), and configure at least two servers.
Be sure to look at ntp.org's Rules of Engagement concerning the use of Stratum 2 Servers.
Configure Network Time Protocol on Loopback Interface.
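Section 2 creates the loopback and null interfaces and then binds NTP to the loopback. The script below is an added example rather than BRST code: it enforces the rule that the loopback address must not fall inside any other interface's subnet, emits the loopback and Null0 blocks, and generates a client-only NTP configuration in which a standard ACL applied with "ntp access-group peer" restricts NTP to the listed servers (once any NTP access group exists, IOS denies every source no group permits). Servers must be given as IP addresses because DNS lookup was disabled in Section 1. The interface names, ACL number and addresses are constructed for the example.

```python
import ipaddress

# Services turned off in Section 1b that the loopback can also do without.
# NTP stays enabled on the loopback, so there is deliberately no "ntp disable".
LOOPBACK_DISABLE = ["no ip redirects", "no ip unreachables", "no ip proxy-arp",
                    "no ip directed-broadcast", "no ip mask-reply"]


def pick_loopback(candidate, other_interfaces):
    """Reject a loopback address that lies inside any other interface's subnet.

    other_interfaces: iterable of (name, "ip/prefix-or-mask") for every other interface.
    """
    lo = ipaddress.IPv4Address(candidate)
    for name, addr in other_interfaces:
        net = ipaddress.IPv4Interface(addr).network
        if lo in net:
            raise ValueError(f"{lo} overlaps {name} ({net}); pick an unused range")
    return lo


def loopback_and_null(candidate, other_interfaces, lo_num=0):
    """Section 2a: a /32 loopback, and Null0 with the one service it can lose."""
    lo = pick_loopback(candidate, other_interfaces)
    return ([f"interface Loopback{lo_num}", f" ip address {lo} 255.255.255.255"]
            + [f" {cmd}" for cmd in LOOPBACK_DISABLE]
            + [" exit", "interface Null0", " no ip unreachables", " exit"])


def ntp_config(servers, lo_num=0, acl=20):
    """Section 2b: client-only NTP sourced from the loopback.

    The first server is marked "prefer"; at least two are required so a
    changed or dead server address does not leave the router unsynchronized.
    """
    if len(servers) < 2:
        raise ValueError("configure at least two NTP servers")
    ips = [str(ipaddress.IPv4Address(s)) for s in servers]   # raises on a host name
    lines = [f"access-list {acl} remark NTP servers we synchronize with"]
    lines += [f"access-list {acl} permit host {ip}" for ip in ips]
    lines += [f"access-list {acl} deny any log",
              f"ntp source Loopback{lo_num}",
              f"ntp access-group peer {acl}"]
    lines += [f"ntp server {ip}" + (" prefer" if i == 0 else "") for i, ip in enumerate(ips)]
    return lines


if __name__ == "__main__":
    # Constructed sample site: documentation addresses, not real NTP servers.
    others = [("Serial0", "198.51.100.2/30"), ("Ethernet0", "192.0.2.1/24")]
    print("\n".join(loopback_and_null("203.0.113.1", others)))
    print("\n".join(ntp_config(["203.0.113.10", "203.0.113.11"])))
    # Afterwards verify on the router with "show ntp status" and "show ntp associations".
```

The access group, not the per-interface settings, is what keeps the router from answering NTP queries from strangers: it permits only the two configured servers and logs everything else. Re-run the check whenever a server's address changes.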
Access to the router via both physical ports, such as the Auxiliary (aux) and Console ports, and via virtual terminal (vty) ports must be controlled. The information you provide in this section will permit secure access but deny unauthorized login attempts.
Enter the Enable Secret Password.
Enter a username and password for a local user account.
The auxiliary port, or aux port, is not normally needed and should be disabled unless it is attached to a modem for out-of-band access. Not all routers have aux ports. If your router has an aux port, be sure to check the "Disable aux port" box if it is not used for out-of-band access via a modem.
Disable aux port.
The console port is used to access the router locally using a serial connection and terminal emulation software like PuTTY, TeraTerm, or HyperTerminal.
Configure console port.
Virtual Terminal (vty) ports control remote access via the network. Since vty ports are accessible over the network, they represent a significant risk if they are not secured properly. Vty ports should only be accessible from trusted IP addresses, and only protocols that provide encryption, like Secure Shell (SSH), should be permitted. Enter the IP address of a trusted host. If you will always be accessing the router from the LAN behind a firewall, you can use the firewall's IP address which is nearest the router.
Enter the IP Address of a trusted remote access computer or the Firewall's outside interface.
Secure vty ports.
Some commands that are available to all user levels should be restricted to administrator level.
Restrict Access to High Risk Commands.
AAA Access Control permits additional logging of actions taken by users.
Configure Local AAA.
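The prerequisites from the top of the page (host name, domain name, RSA key) and the whole of Section 3 combine into one management-access configuration. The script below is an added example, not the BRST's own generator: it checks the inputs an operator is most likely to get wrong (an invalid host name, a trusted host that is not an IPv4 address, a password that equals the username or the enable secret, a length floor), and emits the SSH setup, local accounts, local AAA with login logging, the trusted-host ACL, the privilege-level changes for high-risk commands, and the aux, console and vty line settings in that order, because the key cannot be generated before the host and domain names exist. The credential policy, the list of high-risk commands, and the ACL number are assumptions for the example; "login block-for", "login on-success log" and "ip ssh version 2" need IOS 12.3(4)T or later.

```python
import ipaddress
import re

HOSTNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]{0,62}$")

# Exec commands moved from user level (1) to enable level (15). Assumed set for
# this example: the usual border-router guidance, not a list taken from the page.
HIGH_RISK_EXEC = ["connect", "telnet", "rlogin", "show ip access-lists",
                  "show access-lists", "show logging"]


def credential_problems(username, password, enable_secret, min_len=12):
    """Policy assumed for this example: a length floor plus the two commonest reuse mistakes."""
    problems = []
    if len(enable_secret) < min_len:
        problems.append("enable secret too short")
    if len(password) < min_len:
        problems.append("user password too short")
    if password.lower() == username.lower():
        problems.append("user password equals username")
    if password == enable_secret:
        problems.append("user password equals enable secret")
    return problems


def management_access(hostname, domain, username, password, enable_secret,
                      trusted_host, acl=10, idle_minutes=5):
    """Prerequisites plus Section 3 as one ordered list of IOS commands."""
    if not HOSTNAME_RE.match(hostname):
        raise ValueError(f"bad hostname {hostname!r}")
    trusted = ipaddress.IPv4Address(trusted_host)      # raises on a name or a bad octet
    problems = credential_problems(username, password, enable_secret)
    if problems:
        raise ValueError("; ".join(problems))
    cfg = [
        # hostname and domain-name must exist before the RSA key can be generated
        f"hostname {hostname}",
        f"ip domain-name {domain}",
        "crypto key generate rsa modulus 2048",
        "ip ssh version 2",                      # 12.3(4)T and later
        "ip ssh time-out 60",
        "ip ssh authentication-retries 3",
        "service password-encryption",
        f"enable secret {enable_secret}",
        f"username {username} secret {password}",   # privilege 1; "enable" reaches level 15
        # local AAA: authenticate against the local database and log every attempt
        "aaa new-model",
        "aaa authentication login default local",
        "aaa authorization exec default local",
        "login block-for 120 attempts 3 within 60",   # 12.3(4)T and later
        "login on-failure log",
        "login on-success log",
        f"access-list {acl} remark hosts allowed to open a vty session",
        f"access-list {acl} permit host {trusted}",
        f"access-list {acl} deny any log",
    ]
    cfg += [f"privilege exec level 15 {cmd}" for cmd in HIGH_RISK_EXEC]
    cfg += [
        "line aux 0", " no exec", " transport input none", " exec-timeout 0 1", " exit",
        "line con 0", f" exec-timeout {idle_minutes} 0", " logging synchronous", " exit",
        "line vty 0 4", f" access-class {acl} in", " transport input ssh",
        f" exec-timeout {idle_minutes} 0", " exit",
    ]
    return cfg


if __name__ == "__main__":
    # Constructed sample values; the passwords are placeholders, not recommendations.
    print("\n".join(management_access("border1", "example.com", "netadmin",
                                      "Tr0ub4dor&3-long", "correct-horse-batt", "192.0.2.2")))
```

Apply this from a console session, not over the network: "transport input ssh" and the access-class drop any existing Telnet session, and if the key generation fails on a non-crypto image there is no SSH to fall back to. Keep the console session open until "show ip ssh" reports SSH enabled and a test login from the trusted host succeeds.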
Controlling the flow of erroneous or mischievous traffic to or through the router is done with null routing and access control lists.
The BRST uses null routing to dispose of bogon and martian packets that try to traverse or enter the router because it is an effective and efficient way to do so. Null routing silently drops packets whose destination falls within a static route pointed at the null interface, using minimal processing power to discard these known bad packets. Note that a route matches the destination address: null routes drop traffic addressed to bogon space, while packets with a bogon source address are handled by the access lists below.
Configuring null routing is recommended with a caveat. If you configure null routing, it is strongly recommended that you check the null route provided against the current list maintained at Team Cymru's web site. You are also encouraged to sign up for their mailing list and to update your null routes when changes are announced. Changes do not occur often. The bogon addresses used to generate this null route are from 5 October, 2008. There had not been a change to the list since May of 2008.
Configure null routing.
The firewall facing interface should only receive traffic from the firewall. The inside access list will permit traffic with an originating address of the firewall but will deny and log all other traffic.
Create Outside ACL.
Create Inside ACL.
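Null routes and the two access lists work from the same prefix list, so the added example below (not BRST code) handles both. It renders "ip route ... Null0" entries, then checks them against the router's own connected networks and the LANs behind the firewall, because longest prefix match decides what a null route eats: a connected route or a more specific static route always wins, an identical prefix load-shares with the null route, and a bogon that is more specific than a LAN prefix punches a hole in that LAN. It then emits the inside ACL exactly as the page describes it, and an outside ACL whose content is an assumption (drop and log bogon and spoofed source addresses, pass the rest to the firewall). The bogon list is constructed for the example and is not Team Cymru's list; fetch theirs and diff before deploying. Addresses and ACL numbers are likewise constructed.

```python
import ipaddress

# Constructed bogon list for this example: RFC 1918, loopback, link-local,
# TEST-NET-1, multicast and class E. NOT the Team Cymru list.
BOGONS = ["10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
          "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4"]


def ios_mask(net):
    """'network mask' form used by ip route."""
    return f"{net.network_address} {net.netmask}"


def ios_wild(net):
    """'network wildcard' form used by access-list, with host shorthand for a /32."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def null_routes(bogons):
    return [f"ip route {ios_mask(ipaddress.IPv4Network(b))} Null0" for b in bogons]


def route_check(bogons, connected, behind_firewall, firewall_ip):
    """Return (static routes to add, problems that need a human).

    connected: interface addresses ("ip/prefix"); behind_firewall: LAN prefixes
    reached through the firewall at firewall_ip.
    """
    nulls = [ipaddress.IPv4Network(b) for b in bogons]
    conn = [ipaddress.IPv4Interface(c).network for c in connected]
    fw = ipaddress.IPv4Address(firewall_ip)
    if not any(fw in c for c in conn):
        raise ValueError(f"firewall {fw} is not on a connected network")
    statics, problems = [], []
    for cidr in behind_firewall:
        net = ipaddress.IPv4Network(cidr)
        if any(net.subnet_of(c) for c in conn):
            continue                         # the connected route (AD 0) already wins
        statics.append(f"ip route {ios_mask(net)} {fw}")   # more specific than any covering null
        for n in nulls:
            if n == net:
                problems.append(f"{net} equals a null route: the two statics would load-share")
            elif n.subnet_of(net):
                problems.append(f"null route {n} is more specific than {net} and blackholes part of it")
    for c in conn:
        problems += [f"null route {n} punches a hole in connected {c}"
                     for n in nulls if n.subnet_of(c) and n != c]
    return statics, problems


def inside_acl(firewall_ip, number=101):
    """Firewall-facing interface, inbound: exactly what the page describes."""
    return [f"access-list {number} remark inbound on the firewall-facing interface",
            f"access-list {number} permit ip host {firewall_ip} any",
            f"access-list {number} deny ip any any log"]


def outside_acl(bogons, our_nets, number=100):
    """Internet-facing interface, inbound (assumed content, see lead-in)."""
    lines = [f"access-list {number} remark inbound on the Internet-facing interface"]
    for cidr in [*bogons, *our_nets]:
        lines.append(f"access-list {number} deny ip {ios_wild(ipaddress.IPv4Network(cidr))} any log")
    lines.append(f"access-list {number} permit ip any any")   # the firewall behind us filters the rest
    return lines


if __name__ == "__main__":
    # Constructed sample site: Serial0 198.51.100.2/30 to the ISP, Ethernet0 192.168.1.1/24
    # to the firewall at 192.168.1.2, with 192.168.10.0/24 and 192.168.20.0/24 behind it.
    connected = ["198.51.100.2/30", "192.168.1.1/24"]
    statics, problems = route_check(BOGONS, connected,
                                    ["192.168.10.0/24", "192.168.20.0/24"], "192.168.1.2")
    print("\n".join(null_routes(BOGONS) + statics))
    print("\n".join(problems) or "! no routing conflicts")
    print("\n".join(outside_acl(BOGONS, ["198.51.100.0/30", "192.168.1.0/24"])))
    print("\n".join(inside_acl("192.168.1.2")))
```

Apply the lists with "ip access-group 100 in" on the Internet-facing interface and "ip access-group 101 in" on the firewall-facing one. The sample site deliberately uses RFC 1918 space behind the firewall so that the check has something to say: the /16 null route is harmless only because every LAN gets its own, more specific static route.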
There are many options with regard to what to log and how to store log entries. Attackers may try to cover their tracks by overwriting or erasing log files. It is important to forward log entries to a secured syslog server that is external to the router if possible. This preserves the logs even if the router is power cycled (the router's own log buffer is in RAM and is lost on reboot) and makes it more difficult for an attacker to modify or erase them.
A relatively safe way to set up a syslog server is to use a spare Ethernet or Fast Ethernet interface on the router to set up a kind of Demilitarized Zone (DMZ) strictly for the syslog server. You could use an old computer and install a free operating system such as OpenBSD, CentOS, FreeBSD, or Fedora. Each of these has its own firewall software available to screen traffic and a built-in syslog service. Packets traversing the router's DMZ interface can be restricted so that only syslog messages from the loopback interface of the router, and possibly SSH traffic to and from the firewall facing interface, are allowed.
If there aren't any spare interfaces on your router, you could put a syslog server in the Firewall's DMZ and only permit traffic to it from the router's loopback IP address.
If neither of those options are available, it may be preferable to configure local logging only instead of permitting syslog messages to penetrate the Firewall to a syslog server on the Local Area Network.
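The logging choices above come down to one configuration with or without a syslog host, plus the filters for a syslog-only DMZ interface. The script below is an added example, not BRST output. It always enables timestamped, sequence-numbered buffered logging, adds the forwarding lines sourced from the loopback only when a host is given (the local-only fallback is the default), and builds the DMZ access lists. One caveat drives the ACL design: an outbound ACL on an IOS interface does not filter packets the router itself originates, so the router's own syslog messages from the loopback cannot be policed there and the 514/udp restriction belongs on the server's host firewall; what the router can police is the optional SSH path between the firewall-facing side and the server. Interface names, addresses and ACL numbers are constructed for the example.

```python
import ipaddress


def logging_config(syslog_host=None, lo_num=0, buffer_bytes=16384, level="informational"):
    """Local logging always; forwarding only when a syslog host is given.

    The buffer lives in RAM and empties on a power cycle, which is why the
    external host matters when one is available.
    """
    cfg = [
        "service timestamps log datetime msec localtime show-timezone",   # match the NTP-synced clock
        "service timestamps debug datetime msec localtime show-timezone",
        "service sequence-numbers",              # gaps in the sequence reveal dropped messages
        f"logging buffered {buffer_bytes} {level}",
        "no logging console",                    # console output is slow and can starve the CPU
    ]
    if syslog_host is not None:
        host = ipaddress.IPv4Address(syslog_host)   # an IP, not a name: DNS lookup is off
        cfg += [f"logging trap {level}",
                f"logging source-interface Loopback{lo_num}",
                f"logging host {host}"]
    return cfg


def dmz_acls(dmz_if, syslog_host, fw_if_ip, acl_in=120, acl_out=121):
    """Filters for a spare interface used as a syslog-only DMZ.

    Transit traffic only: the router's own syslog (sourced from the loopback)
    bypasses the outbound ACL, so restrict 514/udp on the server instead.
    """
    syslog = ipaddress.IPv4Address(syslog_host)
    fw = ipaddress.IPv4Address(fw_if_ip)
    return [
        f"access-list {acl_out} remark toward the syslog DMZ (router-originated syslog bypasses this)",
        f"access-list {acl_out} permit tcp host {fw} host {syslog} eq 22",
        f"access-list {acl_out} deny ip any any log",
        f"access-list {acl_in} remark from the syslog DMZ: only SSH replies",
        f"access-list {acl_in} permit tcp host {syslog} eq 22 host {fw} established",
        f"access-list {acl_in} deny ip any any log",
        f"interface {dmz_if}",
        f" ip access-group {acl_in} in",
        f" ip access-group {acl_out} out",
        " exit",
    ]


if __name__ == "__main__":
    # Constructed sample: firewall-facing Ethernet0 192.0.2.1/24, spare FastEthernet1 as
    # the DMZ with the syslog server at 203.0.113.2, Loopback0 as the log source.
    print("\n".join(logging_config("203.0.113.2")))
    print("\n".join(dmz_acls("FastEthernet1", "203.0.113.2", "192.0.2.1")))
    print("! local-only fallback:")
    print("\n".join(logging_config()))
```

The DMZ interface still gets the Section 1b interface hardening; these lists only add the traffic filter. Syslog over UDP is neither acknowledged nor authenticated, so keep the buffered copy on the router as well and compare sequence numbers on the server if you suspect loss.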
This software is not sponsored by, endorsed by or affiliated with Cisco Systems, Inc. Cisco, Cisco Systems, and IOS are registered trademarks of Cisco Systems, Inc. in the USA and certain other countries. All other trademarks are trademarks of their respective owners.
BRST - Border Router Security Tool, Helps administrators secure their border routers. Copyright © 2008 Ted LeRoy
This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.
A local copy of the license can be found at copying.
theodore.leroy_at_yahoo_dot_com
Source code can be obtained at: https://sourceforge.net/projects/borderroutersec/