Re: [ISN] Security Group Pinpoints Cisco Router Weakness

From: InfoSec News (isnat_private)
Date: Fri Feb 22 2002 - 00:48:18 PST

  • Next message: InfoSec News: "[ISN] Biatchux Bootable Forensics CD"

    Forwarded from: H C <keydet89at_private>
    This stuff cracks me up...
    > "Are we saying Cisco routers are vulnerable? The answer is yes,"
    > said Alan Paller, director of research at the SANS Institute in
    > Bethesda, Md. Charging that Cisco has not provided security remedies
    > quickly enough, Paller said the user community must protect itself.
    Paller, eh?  Well, it just goes to show you what someone can do when
    they have a decent PR department behind them.
    > It downloads configurations of devices to be audited and checks them
    > against a set of guidelines established by the National Security
    > Agency, providing a security rating on a scale of 1 to 10. It also
    > creates a list of IOS commands to correct identified problems.
    Sounds like a good way to start, but it has to be taken with a grain
    of salt.  It's up to the administrators to determine how the routers
    should be configured, not SANS or the NSA.  No third party tool is
    capable of accurately determining this 'scale' for all possible
    configurations and infrastructures.  The use of one of the recommended
    IOS commands could easily make applications or backbones inoperable.
    > "RAT is a leap ahead in our ability to audit the configurations of
    > network devices.  Automated auditing against best practices
    > decreases the pain threshold of auditing."
    Auditing against best practices for whom?  What SANS and the NSA think
    are 'best practices' may not be suitable for a telecomm, or a specific
    router within the architecture at a hospital.
    > "Version 1 [of RAT] is only the beginning," said Clint Kreitner,
    > president and CEO of the Center for Internet Security. "Development
    > is under way to make a version that works on Windows systems."
    Underway?  What good does that do the community that follows SANS?  
    Microsoft has such a huge market-share, you'd think that they'd have a
    Windows version available when they made the announcement.
    I think I'll wait a version or two before I recommend to anyone I know
    that they should try this tool out.
    ISN is currently hosted by
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Fri Feb 22 2002 - 03:47:48 PST