Software tool released to check Cisco router security settings

Computerworld - A free software-analysis tool and benchmark guidelines to help make widely used routers from Cisco Systems Inc. more secure from hacker attacks and other vulnerabilities were released today by a consortium of security groups.

In a webcast today, the SANS Institute and the Center for Internet Security joined the National Security Agency (NSA) to announce the availability of security guidelines and the security testing and configuration guidance tool.

The free tool is available from the SANS Web site.

Clint Kreitner, president and CEO of the Center for Internet Security, said the tool and guidelines were created to address long-standing security vulnerabilities in Cisco routers, which are widely used in corporate networks and across the Internet.

Like a lot of vendors, Cisco ships its products with many security controls turned off by default, leaving it to users to activate the functions, Kreitner said. He compared it to buying a new car from a dealer who leaves it up to the owner to turn on the air bags, antilock brakes and other safety features.

"The reason routers are so important is that they are the heart of the network, because all the traffic flows through the router," Kreitner said. "If someone can hack into it, they can get anywhere."

The tool and benchmark guidelines were created to help system administrators -- many of whom lack the specialized security skills needed to set up the routers properly -- close the holes in their systems and make them more secure, he said.

"This is not to point a finger at Cisco," Kreitner said. "None of the vendors [is] doing a good job of shipping minimally configured [secure] systems or helping them."

John N. Stewart, a contributor to the tool project and chief security officer at San Francisco-based Digital Island Inc., a unit of London-based Cable & Wireless PLC, said the software tool audits router configurations and ranks any problems it finds. The tool then tells the user what to fix and how to fix it.

The three security groups had been working on the problem separately last year, but they joined forces in November. "It wasn't really a great leap to bring them together," Stewart said.

Stewart was one of the chief authors of the tool, along with George Jones, a network security expert at Ashburn, Va.-based communications company UUnet.

Alan Paller, director of research at the Bethesda, Md.-based SANS Institute, said Cisco routers "have been known to have many, many vulnerabilities."

"Hundreds of thousands of routers have been installed with standard configurations that