Tuesday, 6 December 2011

Router Audit Tool (RAT)

The Router Audit Tool or RAT was designed to help audit the configurations of Cisco routers quickly and efficiently. RAT tests Cisco router configurations against a baseline. After performing the baseline test, it not only provides a list of the potential security vulnerabilities discovered but also a list of commands to be applied to the router in order to correct the potential security problems discovered. The router audit tool (RAT) is available from the Centre for Internet Security (CIS) website http://www.cisecurity.org/bench_cisco.html.

Aside from providing an industry-accepted benchmark for the CISCO IOS, RAT helps solve the following issues:

  • Difficulty maintaining consistency
  • Difficulty detecting changes
  • Need to quickly fix incorrect settings
  • Need for reporting and customization
  • Need to check non-IOS devices

Although RAT does provide many useful functions, it is not actively updated and therefore requires the user to check from time to time the latest version releases and patches. Also, as powerful as it is, there are a number of issues that it does not address such as:

  • Management Issues
  • Poor Ops Practices
  • Vendor code
  • Protocols weaknesses
  • Host-based problems (viruses, code red….)
  • Bandwidth based DoS New vulnerabilities
  • Local configuration choices
  • Need for competence and vigilance.
  • Non-CISCO devices are not yet supported.

How RAT works

The Router Audit Tool was written in Perl. It is consists of 4 other Perl programs namely ncat, ncat_report, ncat_config and snarf.

  • Snarf is used to download the router settings.
  • Ncat reads the rule base and configuration files and provides output in a text file.
  • Ncat_report creates the html pages from the text files.
  • Ncat_config is used to perform localization of the rule base.

The rules and baseline document are licensed by the Center for Internet Security. RAT performs an audit by comparing text strings in the configuration file from the router with regular expressions in the rules. Each rule has either a “required” or “forbidden” regular expression element. Based on this element RAT determines if a rule is passed or failed. Due to the use of regular expressions, the RAT rule base is extremely flexible. There are currently Level 1 and Level 2 audits that can be performed. The Level 1 audit is based on the NSA guidelines. The Level 2 audit includes additional tests from several sources including Cisco. The majority of the rules are for the protection of the router. There are, however, several rules that provide limited protection to the networks they serve. Additional rules can be added to the rule base with relative ease. This allows RAT to work with any configuration.

How to install RAT

Installing RAT is fairly simple. First, download the installer from http://www.cisecurity.org/bench_cisco.html. For windows users, select the win32 native installer.

1. Ensure that any previous versions of RAT are no longer installed; if necessary, use the Windows "Add/Remove Programs" control panel to uninstall a previous version of RAT.

2. Run the installer, either by double-clicking on it, to selecting it through the Windows "Add/Remove Program" control panel. You may be asked to restart your computer at this point.

3. At the CIS RAT logo splash image, click Next>


Figure 1 CIS RAT Logo

4. Click Next> again.


Figure 2 CIS RAT Install Box

5. After reading the Licensing Agreement, select "I accept the terms..." and click Next>


Figure 3 CIS Accept Page

6. Read the background information presented on the next page of the wizard, then click Next>


Figure 4 CIS RAT Release Notes

7. Select a directory where RAT should be installed. For best results, do not select a directory with spaces or special characters in its name. If the default is acceptable on your system, then use it. Then click Next>


Figure 5 CIS RAT Select where to install

8. Choose an installation type. Most users require only the "Basic" setup. Then click Next>


Figure 6 CIS RAT Install details

9. Verify that the installation settings are correct and then click on Install.


Figure 7 CIS RAT Ready to Install

10. Wait patiently during installation; allow for about 5-15 seconds.

11. Click on Finish.


Figure 8 CIS RAT is installed and ready to go

Read the documents rat.html and ncat_config.html in the \doc subfolder to view relevant options and files. For more information on running RAT on Windows, see the file etc\README.WIN32.txt. For information on running RAT specifically for CISCO PIX, see the file etc\README.PIX.txt.

Note that the file etc\OLD-INSTALL.WIN32.txt contains instructions for another, older, more complex method of installing RAT on windows. This involves installing ActiveState PERL and downloading and installing Perl (CPAN) modules. This is not recommended for most users.

How to run RAT

Prior to running RAT, first determine whether router configurations are going to be obtained directly from the router or if they have been already downloaded and saved into a file. In the case of the latter, the path to that file should be specified when invoking RAT on the command line. Alternately, with the use of the --snarf switch, RAT will log into the routers specified (you have to provide login info and the router’s IP address), pull down the configurations, audit them against a set of rules and produces several output files.


Figure 9 Running RAT

There are several options or “switches” that can be used to control the behavior of RAT. These switches are supplied later in the chapter. In the example of Figure 11.13, the configurations of the router are contained in a text file called syd_1760rt_06082007.txt.

NOTE: In this example it is assumed that the path to the directory where the RAT executables and supporting files has already been established. In the default installation, those files and folders are located at C:\CIS\RAT. Also, there are several ways of saving the router configuration file to a file. However, HTTP, TFTP or Telnet methods are not recommended as they produce output in clear text and therefore poses a risk to confidentiality. Pressing the <RETURN> key in the above resulted to the following:


Figure 10 CIS RAT Having been run

Several files have been created after running RAT against the configuration file. If we list those files using the dir command we get:


Figure 11 CIS RAT Creates Several Output files

The details of the output files that are created by RAT are included in the following table:


Raw file containing router configurations.


raw ncat output. This is a ";" delimited file showing pass/fail data for each rule


A HTML-based report showing fulll details of results, with links into rules.html


A file containing commands to fix problems found.


A text based report showing summary of results, with links into rules.html


List of rules that were used to perform the audit


An HTML version of the benchmark data


A text based report showing summary of results, with links into rules.html, of all the routers included in the audit. In our sample, since there is only one router, this file is the same as syd_1760rt_06082007.txt.ncat_report.txt


A file containing commands to fix problems found in all the routers included in the audit. In our sample, since there is only one router, this file is the same as syd_1760rt_06082007.txt.ncat_fix.txt.


A HTML report listing summary of pass/fail status for all rules checked on all devices.


A HTML index of reports. This is probably the file that most users will want to examine (with the aid of a browser) after running RAT.

The generated index.html file looks like this:


Figure 12 CIS RAT Report Page

Clicking on the Description of Rules link brings up the rules.html file

Next, NCAT, the Network Config Audit Tool.