UNCLASSIFIED
Testing and Security Validation
Version 1.0g
195
6. Testing and Security Validation
6.1. Principles for Router Security Testing
The perimeter router is the first line of defense when protecting against malicious
attack. Routers provide many services that can have severe security implications if
improperly configured. Some of these services are enabled by default whereas other
services are frequently enabled by users. Security testing provides a means of
verifying that security functions and system operations are configured in a secure
manner.
Ideally, testing should be performed at initial deployment of a router, and whenever
major changes have been made to any part of the configuration of a router.
6.2. Testing Tools
There are a variety of tools available for testing purposes. Scanners such as Fyodor's
nmap program are used to scan for open TCP and UDP ports on a router interface.
Packet sniffer programs are used to monitor traffic passing through the network and
steal unencrypted passwords and SNMP community strings; this information can
then be used to formulate specific attacks against the router. Attack scripts are
readily available on the Internet for numerous well-known exploits; several denial of
service (DoS) attacks and the newer distributed denial of service (DDoS) attacks
have been highly successful against some versions of IOS.
Additional tools are listed in the Tools Reference, Section 9.3.
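As an added example (not part of the guide), the following Python check parses nmap's normal text output from a scan of a router interface and flags every open port that is absent from the baseline of services the router is supposed to offer; the scan output, address and baseline below are constructed.

```python
"""Compare an nmap scan of a router interface against an expected baseline.

Parses nmap normal output (one "port/proto state service" line per port) and
reports open ports that are not on the list of services the router should
expose. Sample output and baseline are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of nmap normal output for a hypothetical router.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 192.0.2.1
Host is up (0.0021s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE         SERVICE
22/tcp   open          ssh
23/tcp   open          telnet
79/tcp   open          finger
80/tcp   open          http
161/udp  open|filtered snmp
"""

# Baseline: the only service this interface is meant to offer is SSH.
EXPECTED_OPEN = {("22", "tcp")}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_open_ports(nmap_output: str) -> Dict[Tuple[str, str], str]:
    """Return {(port, proto): service} for ports nmap reports as open or
    open|filtered (UDP scans often cannot tell the two apart)."""
    found: Dict[Tuple[str, str], str] = {}
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line)
        if m is None:
            continue
        port, proto, state, service = m.groups()
        if state.startswith("open"):
            found[(port, proto)] = service
    return found


def unexpected_ports(nmap_output: str, expected=EXPECTED_OPEN) -> List[Tuple[str, str, str]]:
    """Open ports missing from the baseline, sorted by protocol then port number."""
    found = parse_open_ports(nmap_output)
    extra = [(p, pr, svc) for (p, pr), svc in found.items() if (p, pr) not in expected]
    return sorted(extra, key=lambda t: (t[1], int(t[0])))


if __name__ == "__main__":
    for port, proto, svc in unexpected_ports(SAMPLE_NMAP_OUTPUT):
        print(f"UNEXPECTED: {port}/{proto} ({svc}) - disable or filter this service")
```

Running the check after each configuration change turns the nmap scan into a repeatable pass/fail validation rather than a manual read of the port list.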