A security group consortium has released a free configuration-analysis
tool and benchmark guidelines to help make Cisco routers more
resistant to attack and to reduce their exposure to known vulnerabilities.
The nonprofit SANS Institute and the Center for Internet Security
have joined the National Security Agency (NSA) to announce the
availability of security guidelines and the security testing and
configuration guidance tool.
Clint Kreitner, president and CEO of the Center for Internet
Security, said the tool and guidelines were created to address
long-standing security vulnerabilities in Cisco routers, which are
widely used in corporate networks and across the Internet.
Like many vendors, Cisco ships its products with many security
controls turned off by default, leaving it to users to activate the
functions, he said. He compared it to buying a new car from a
dealer who leaves it up to the owner to turn on the air bags,
antilock brakes and other safety features.
"The reason routers are so important is that they are the heart of
the network, because all the traffic flows through the router,"
Kreitner said. "If someone can hack into it, they can get
anywhere."
The tool and benchmark guidelines were created to help system
administrators - many of whom lack the specialised security skills
needed to set up the routers properly - close the holes in their
systems and make them more secure, he said.
"This is not to point a finger at Cisco," Kreitner said. "None of
the vendors [is] doing a good job of shipping minimally-configured
[secure] systems or helping them."
Jim Duncan, lead incident manager of the product security incident
response team at Cisco, said his company evaluated early versions
of the software last year and sees it as a beneficial project.
"It's a tool to help customers understand issues with the way their
routers or other devices are configured," he said. "Anything that
helps customers improve their security posture and their
understanding of their security posture is a really good thing."
Different customers use the same products in different ways,
leading Cisco and other vendors to ship products with settings that
work for most users, Duncan said. The strictest security settings
aren't typically enabled out of the box, he said, because they would
make installation harder and some users won't need them.
"Obviously, we don't like to see our routers broken into," Duncan
said.