Tuesday, 6 December 2011

Router Audit Tool (RAT)

The Router Audit Tool (RAT) was designed to audit the configurations of Cisco routers quickly and efficiently. RAT tests Cisco router configurations against a baseline. After performing the baseline test, it provides not only a list of the potential security vulnerabilities discovered but also a list of commands to be applied to the router in order to correct them. RAT is available from the Center for Internet Security (CIS) website http://www.cisecurity.org/bench_cisco.html.

Aside from providing an industry-accepted benchmark for Cisco IOS, RAT helps solve the following issues:

  • Difficulty maintaining consistency
  • Difficulty detecting changes
  • Need to quickly fix incorrect settings
  • Need for reporting and customization
  • Need to check non-IOS devices

Although RAT provides many useful functions, it is not actively updated, so the user should check from time to time for the latest version releases and patches. Also, as powerful as it is, there are a number of issues that it does not address, such as:

  • Management Issues
  • Poor Ops Practices
  • Vendor code
  • Protocols weaknesses
  • Host-based problems (viruses, Code Red, etc.)
  • Bandwidth-based DoS
  • New vulnerabilities
  • Local configuration choices
  • Need for competence and vigilance.
  • Non-CISCO devices are not yet supported.

How RAT works

The Router Audit Tool is written in Perl. It consists of four Perl programs, namely ncat, ncat_report, ncat_config and snarf.

  • Snarf is used to download the router settings.
  • Ncat reads the rule base and configuration files and provides output in a text file.
  • Ncat_report creates the html pages from the text files.
  • Ncat_config is used to perform localization of the rule base.

The rules and baseline document are licensed by the Center for Internet Security. RAT performs an audit by comparing text strings in the configuration file from the router with regular expressions in the rules. Each rule has either a “required” or “forbidden” regular expression element. Based on this element RAT determines if a rule is passed or failed. Due to the use of regular expressions, the RAT rule base is extremely flexible. There are currently Level 1 and Level 2 audits that can be performed. The Level 1 audit is based on the NSA guidelines. The Level 2 audit includes additional tests from several sources including Cisco. The majority of the rules are for the protection of the router. There are, however, several rules that provide limited protection to the networks they serve. Additional rules can be added to the rule base with relative ease. This allows RAT to work with any configuration.
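To make the "required"/"forbidden" rule mechanism concrete, here is an added Python illustration (not RAT's own Perl code, and not the CIS rule base) that evaluates a handful of constructed rules against a constructed IOS configuration and emits pass/fail lines and fix commands in the spirit of the ncat_out and ncat_fix files. The rule names, fix commands and the ";"-delimited layout are assumptions for illustration; RAT's real rule base and exact output columns differ.

```python
import re

# Constructed sample of a Cisco IOS running-config (not taken from a real device).
SAMPLE_CONFIG = """\
version 12.4
hostname syd-edge-rt
service password-encryption
no ip http server
ip http secure-server
line vty 0 4
 transport input telnet ssh
snmp-server community public RO
"""

# Rules in RAT's style: a "required" pattern must match somewhere in the config,
# a "forbidden" pattern must not. "fix" is the IOS command suggested on failure.
# These rule names and fixes are illustrative, not the CIS benchmark's own text.
RULES = [
    {"name": "IOS - service password-encryption",
     "required": r"^service password-encryption$", "fix": "service password-encryption"},
    {"name": "IOS - no ip http server",
     "forbidden": r"^ip http server$", "fix": "no ip http server"},
    {"name": "IOS - vty transport ssh only",
     "required": r"^ transport input ssh$", "fix": "line vty 0 4\n transport input ssh"},
    {"name": "IOS - no default snmp community",
     "forbidden": r"^snmp-server community (public|private)\b",
     "fix": "no snmp-server community public"},
]


def audit(config, rules=RULES):
    """Return [(rule_name, 'PASS'|'FAIL', fix_or_None)]. Each regex is applied in
    multi-line mode so ^ and $ anchor to individual configuration lines."""
    results = []
    for rule in rules:
        if "required" in rule:
            passed = re.search(rule["required"], config, re.MULTILINE) is not None
        else:
            passed = re.search(rule["forbidden"], config, re.MULTILINE) is None
        results.append((rule["name"], "PASS" if passed else "FAIL",
                        None if passed else rule["fix"]))
    return results


def ncat_out_lines(results):
    """';'-delimited pass/fail lines, one per rule (assumed layout)."""
    return [f"{name};{status}" for name, status, _ in results]


def ncat_fix_lines(results):
    """Fix commands for every failed rule, as an ncat_fix-style file would list them."""
    return [fix for _, status, fix in results if status == "FAIL"]


if __name__ == "__main__":
    res = audit(SAMPLE_CONFIG)
    print("\n".join(ncat_out_lines(res)))
    print("\n".join(ncat_fix_lines(res)))
```

Note how the multi-line anchors matter: "no ip http server" does not trip the forbidden "^ip http server$" rule, whereas a bare "ip http server" line would.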

How to install RAT

Installing RAT is fairly simple. First, download the installer from http://www.cisecurity.org/bench_cisco.html. For Windows users, select the win32 native installer.

1. Ensure that any previous versions of RAT are no longer installed; if necessary, use the Windows "Add/Remove Programs" control panel to uninstall a previous version of RAT.

2. Run the installer, either by double-clicking on it or by selecting it through the Windows "Add/Remove Programs" control panel. You may be asked to restart your computer at this point.

3. At the CIS RAT logo splash image, click Next>

Figure 1 CIS RAT Logo

4. Click Next> again.

Figure 2 CIS RAT Install Box

5. After reading the Licensing Agreement, select "I accept the terms..." and click Next>

Figure 3 CIS Accept Page

6. Read the background information presented on the next page of the wizard, then click Next>

Figure 4 CIS RAT Release Notes

7. Select a directory where RAT should be installed. For best results, do not select a directory with spaces or special characters in its name. If the default is acceptable on your system, then use it. Then click Next>

Figure 5 CIS RAT Select where to install

8. Choose an installation type. Most users require only the "Basic" setup. Then click Next>

Figure 6 CIS RAT Install details

9. Verify that the installation settings are correct and then click on Install.

Figure 7 CIS RAT Ready to Install

10. Wait patiently during installation; allow for about 5-15 seconds.

11. Click on Finish.

Figure 8 CIS RAT is installed and ready to go

Read the documents rat.html and ncat_config.html in the \doc subfolder to view relevant options and files. For more information on running RAT on Windows, see the file etc\README.WIN32.txt. For information on running RAT specifically for CISCO PIX, see the file etc\README.PIX.txt.

Note that the file etc\OLD-INSTALL.WIN32.txt contains instructions for an older, more complex method of installing RAT on Windows. This involves installing ActiveState Perl and then downloading and installing Perl (CPAN) modules. It is not recommended for most users.

How to run RAT

Prior to running RAT, first determine whether router configurations are going to be obtained directly from the router or have already been downloaded and saved into a file. In the latter case, the path to that file is specified when invoking RAT on the command line. Alternatively, with the --snarf switch, RAT will log into the routers specified (you have to provide login details and the router's IP address), pull down the configurations, audit them against a set of rules and produce several output files.

Figure 9 Running RAT

There are several options or “switches” that can be used to control the behavior of RAT. These switches are supplied later in the chapter. In the example of Figure 11.13, the configurations of the router are contained in a text file called syd_1760rt_06082007.txt.

NOTE: In this example it is assumed that the directory containing the RAT executables and supporting files has already been added to the path. In the default installation, those files and folders are located at C:\CIS\RAT. There are also several ways of saving the router configuration to a file; however, the HTTP, TFTP and Telnet methods are not recommended, as they transfer the configuration in clear text and therefore pose a risk to confidentiality. Pressing the <RETURN> key in the above resulted in the following:

Figure 10 CIS RAT Having been run

Several files have been created after running RAT against the configuration file. If we list those files using the dir command we get:

Figure 11 CIS RAT Creates Several Output files

The output files created by RAT are described below:

  • syd_1760rt_06082007.txt: Raw file containing the router configuration.
  • syd_1760rt_06082007.txt.ncat_out.txt: Raw ncat output. This is a ";"-delimited file showing pass/fail data for each rule.
  • syd_1760rt_06082007.txt.html: An HTML-based report showing full details of the results, with links into rules.html.
  • syd_1760rt_06082007.txt.ncat_fix.txt: A file containing commands to fix the problems found.
  • syd_1760rt_06082007.txt.ncat_report.txt: A text-based report showing a summary of the results, with links into rules.html.
  • cisco-ios-benchmark.html: List of the rules that were used to perform the audit.
  • rules.html: An HTML version of the benchmark data.
  • all.ncat_report.txt: A text-based summary report, with links into rules.html, covering all the routers included in the audit. In our sample, since there is only one router, this file is the same as syd_1760rt_06082007.txt.ncat_report.txt.
  • all.ncat_fix.txt: A file containing commands to fix the problems found in all the routers included in the audit. In our sample, since there is only one router, this file is the same as syd_1760rt_06082007.txt.ncat_fix.txt.
  • all.html: An HTML report listing the summary pass/fail status for all rules checked on all devices.
  • index.html: An HTML index of the reports. This is probably the file that most users will want to examine (in a browser) after running RAT.

The generated index.html file looks like this:

Figure 12 CIS RAT Report Page

Clicking on the Description of Rules link brings up the rules.html file.

Next, NCAT, the Network Config Audit Tool.

2 comments:

Dr Craig S Wright GSE said...

Seeing as CISecurity has changed the site - here is the new link to RAT

http://benchmarks.cisecurity.org/en-us/?route=downloads.browse.category.tools.rat

Dave Velasco said...

Thanks for that update dude. Been looking for great CISecurity then.
