A free software-analysis tool and benchmark guidelines to help make widely-used Cisco Systems routers more secure from hacker attacks and other vulnerabilities were released today by a consortium of security groups.
In a webcast today, the nonprofit SANS Institute and the Center for Internet Security joined the National Security Agency (NSA) to announce the availability of security guidelines and the security testing and configuration guidance tool.
Clint Kreitner, president and CEO of the Center for Internet Security, said the tool and guidelines were created to address long-standing security vulnerabilities in Cisco routers, which are widely used in corporate networks and across the Internet.
Like many vendors, Cisco ships its products with many security controls turned off by default, leaving it to users to activate the functions, he said. He compared it to buying a new car from a dealer who leaves it up to the owner to turn on the air bags, antilock brakes and other safety features.
"The reason routers are so important is that they are the heart of the network, because all the traffic flows through the router," Kreitner said. "If someone can hack into it, they can get anywhere."
The tool and benchmark guidelines were created to help system administrators -- many of whom lack the specialized security skills needed to set up the routers properly -- close the holes in their systems and make them more secure, he said.
"This is not to point a finger at Cisco," Kreitner said. "None of the vendors [is] doing a good job of shipping minimally-configured [secure] systems or helping them."
John N. Stewart, a contributor to the tool project and chief security officer at San Francisco-based Digital Island Inc., a unit of London-based Cable & Wireless PLC, said the software tool audits router configurations and ranks any problems it finds. The tool then tells the user what to fix and how to fix it.
The three security groups had been working on the problem separately last year, but they joined forces last November. "It wasn't really a great leap to bring them together," he said.
Stewart was one of the chief authors of the tool, along with George Jones, a network security expert at Ashburn, Virginia.-based communications company UUnet.
Alan Paller, director of research at the Bethesda, Maryland.-based SANS Institute, said Cisco routers "have been known to have many, many vulnerabilities."
"Hundreds of thousands of routers have been installed with standard configurations that put the users' organizations and data at risk," he said.
The "router audit tool" measures compliance with the industry standard security benchmarks developed by the Center for Internet Security, which were largely based on Cisco security guidelines developed by the NSA for routers used by the U.S. Department of Defense.
One of the vulnerabilities affects the Simple Network Management Protocol (SNMP), a widely deployed protocol that is commonly used to monitor and manage network devices including routers and other equipment. The vulnerabilities can allow unauthorized access and denial-of-service attacks or cause unstable behavior.
Jim Duncan, lead incident manager of the product security incident response team at Cisco, said his company evaluated early versions of the software last year and sees it as a beneficial project.
"It's a tool to help customers understand issues with the way their routers or other devices are configured," he said. "Anything that helps customers improve their security posture and their understanding of their security posture is a really good thing."
Different customers use the same products in different ways, leading Cisco and other vendors to ship products with settings that will be applicable for most users, Duncan said. Full-on security settings aren't typically enabled, he said, because they would increase the difficulty of installation and some users won't need all the settings.
"Obviously, we don't like to see our routers broken into," Duncan said.