Tuesday, December 29, 2009

Auditing routers and firewall configs

There are several free tools available on the net for router and firewall config auditing. I focus on tools that can work on a config file pulled from the router/firewall and placed in a local directory on the PC. See the short list below:

 

  • NIPPER – can be downloaded from https://www.titania.co.uk after free registration. It can be used to audit configuration files of Cisco, Juniper, Checkpoint, SonicWall and many others. It produces nice reports.
  • CCSAT (Cisco Configuration Security Auditing Tool), see http://freshmeat.net/projects/ccsat/. The tool is based upon industry best practices, including Cisco, NSA, and SANS security guides and recommendations.
  • RATS - Rough Auditing Tool for Security - is an open source tool developed and maintained by the security engineers of Secure Software, which was acquired by Fortify; see http://www.fortify.com/security-resources/rats.jsp

It is easy and practical to put the configuration files in a local directory and run an ad hoc 'grep' command. I did it once with a simple grep 'any\|telnet\|timeout\|floodguard\|server\|logging\|auth\|audit\|pdm' * > output . And if the network admin is reluctant to send config files for auditing, he can run such a command himself and send you just the 'output' file for further analysis, or provide you with a 'nipper' report or 'ccsat' output. Good luck !
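
A scripted version of the ad hoc grep above, as an added example that is not from the original post: it keeps the post's keyword list, adds file names and line numbers, masks whatever follows key/community/password/secret (an assumed pattern), and lists configs that contain no logging line at all, which a grep for matches cannot show. The function names and the two sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. The keyword list is the post's;
# the sample configs and the masking pattern are constructed assumptions.
KEYWORDS='any|telnet|timeout|floodguard|server|logging|auth|audit|pdm'

# Every keyword hit as file:line:text. Whatever follows key/community/
# password/secret is masked, because 'server' and 'auth' lines often carry
# credentials that should not leave the admin's machine.
audit_hits() {
    grep -HnE -- "$KEYWORDS" "$1"/* |
        sed -E 's/((key|community|password|secret)[[:space:]]).*/\1<redacted>/'
}

# grep shows only what is present. -L lists the configs with NO matching
# line, which is how a missing control (no logging at all) becomes visible.
missing_control() {
    grep -LE -- "$2" "$1"/* || true
}

# Constructed sample configs so the example runs offline.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/fw1.cfg" <<'EOF'
hostname fw1
access-list outside_in permit ip any any
telnet 10.0.0.0 255.0.0.0 inside
snmp-server community public
logging host inside 10.1.1.5
EOF
    cat > "$d/rtr1.cfg" <<'EOF'
hostname rtr1
tacacs-server key 7 CONSTRUCTED0000
line vty 0 4
 transport input telnet
EOF
    echo "$d"
}

dir=$(make_samples)
echo "== keyword hits, safe to hand over =="
audit_hits "$dir"
echo "== configs with no logging line =="
missing_control "$dir" '^logging'
rm -rf "$dir"
```

The masking only catches secrets that follow one of those four words, so the output still needs a read-through before it is sent.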

What is Auto-MDIX ?

Always surprised …, to be honest I’ve never heard about Auto-MDIX. I thought that it was important to remember which cable to use: straight-through or crossover. So automatic medium-dependent interface crossover (Auto-MDIX) is a feature that allows the switch interface to detect the required cable connection type (straight-through or crossover) and automatically configure the connection appropriately. With Auto-MDIX enabled, you can use either a straight-through or crossover type cable to connect to the other device, and the interface automatically corrects for any incorrect cabling. It works on 2940, 2970 and 3750 Series Switches.


Saturday, December 26, 2009

How to write up Network Security , part II ?

This is a continuation of part I.
  • Consultant/guest access to the network - How do they separate the guest/consultant subnet from the rest of the network ? Well, VLAN is not a good answer. One of the best is probably the use of VRF Lite (creating virtual routers, virtual routing tables for guest traffic) for traffic and host segmentation. It's very important from a PCI standpoint.

IOS IPS

To set up IPS on IOS, follow the instructions here. My TFTP server is at the address 192.10.1.200 and the dynamips router has interface 192.10.1.6. The first step is to transfer the signature files from the TFTP server to the router.

Tuesday, December 1, 2009

How to write up Network Security ?

Most network security audit programs are written by people with a risk or audit background and very little technical and operational experience. So there are many risks and controls listed there which seem to make sense at first glance, but in fact one of the rules below always applies to them:
  • Every network will comply with controls
  • Controls cannot be tested for effectiveness