The nonprofit SANS Institute and the Center for Internet Security have joined the National Security Agency (NSA) to announce the availability of security benchmark guidelines for Cisco routers, along with a tool that tests a router's configuration against that guidance.
Clint Kreitner, president and CEO of the Center for Internet Security, said the tool and guidelines were created to address long-standing security vulnerabilities in Cisco routers, which are widely used in corporate networks and across the Internet.
Like many vendors, Cisco ships its products with many security controls turned off by default, leaving it to users to activate the functions, he said. He compared it to buying a new car from a dealer who leaves it up to the owner to turn on the air bags, antilock brakes and other safety features.
"The reason routers are so important is that they are the heart of the network, because all the traffic flows through the router," Kreitner said. "If someone can hack into it, they can get anywhere."
The tool and benchmark guidelines were created to help system administrators - many of whom lack the specialised security skills needed to set up the routers properly - close the holes in their systems and make them more secure, he said.
"This is not to point a finger at Cisco," Kreitner said. "None of the vendors [is] doing a good job of shipping minimally-configured [secure] systems or helping them."
Jim Duncan, lead incident manager of the product security incident response team at Cisco, said his company evaluated early versions of the software last year and sees it as a beneficial project.
"It's a tool to help customers understand issues with the way their routers or other devices are configured," he said. "Anything that helps customers improve their security posture and their understanding of their security posture is a really good thing."
Different customers use the same products in different ways, leading Cisco and other vendors to ship products with settings that will be applicable for most users, Duncan said. Full-on security settings aren't typically enabled, he said, because they would increase the difficulty of installation and some users won't need all the settings.
"Obviously, we don't like to see our routers broken into," Duncan said.