UNCLASSIFIED    Testing and Security Validation    Version 1.0g    page 195

6. Testing and Security Validation

6.1. Principles for Router Security Testing

The perimeter router is the first line of defense when protecting against malicious attack. Routers provide many services that can have severe security implications if improperly configured. Some of these services are enabled by default, whereas others are frequently enabled by users. Security testing provides a means of verifying that security functions and system operations are configured in a secure manner. Ideally, testing should be performed at initial deployment of a router and whenever major changes have been made to any part of the router's configuration.

6.2. Testing Tools

There are a variety of tools available for testing purposes. Scanners such as Fyodor's nmap program are used to scan for open TCP and UDP ports on a router interface. Packet sniffer programs are used to monitor traffic passing through the network and steal unencrypted passwords and SNMP community strings; this information can then be used to formulate specific attacks against the router. Attack scripts are readily available on the Internet for numerous well-known exploits; several denial of service (DoS) attacks and the newer distributed denial of service (DDoS) attacks have been highly successful against some versions of IOS. Additional tools are listed in the Tools Reference, Section 9.3.
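As an added example (not part of the guide), the following script turns an nmap port scan of a router interface into the kind of configuration check Section 6.1 calls for: it parses nmap's grepable output (-oG) and reports every open port that is not in an expected baseline. The scan output and the SSH-only baseline are constructed for illustration.

```python
# Constructed sample of nmap grepable output (-oG) for two router interfaces;
# not a real scan. Field order per port is port/state/proto/owner/service/rpc/version.
SAMPLE_SCAN = """\
# Nmap scan initiated as: nmap -sS -sU -oG - 192.0.2.1 192.0.2.2
Host: 192.0.2.1 ()\tStatus: Up
Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/open/tcp//http///, 161/open/udp//snmp///\tIgnored State: closed (996)
Host: 192.0.2.2 ()\tStatus: Up
Host: 192.0.2.2 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: filtered (999)
"""

# Assumed baseline for this example: the router should expose SSH only.
ALLOWED = {("tcp", 22)}


def parse_open_ports(grepable):
    """Return {host: [(proto, port, service), ...]} for every port nmap reports open."""
    result = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field runs from "Ports:" to the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue
            port, state, proto, service = fields[0], fields[1], fields[2], fields[4]
            if state == "open":
                result.setdefault(host, []).append((proto, int(port), service))
    return result


def unexpected_open_ports(grepable, allowed=ALLOWED):
    """List (host, proto, port, service) for open ports outside the allowed baseline."""
    findings = []
    for host, ports in parse_open_ports(grepable).items():
        for proto, port, service in ports:
            if (proto, port) not in allowed:
                findings.append((host, proto, port, service))
    return findings


if __name__ == "__main__":
    for host, proto, port, service in unexpected_open_ports(SAMPLE_SCAN):
        print(f"{host}: unexpected {proto}/{port} ({service}) open; review configuration")
```

Run against a real scan with `nmap -sS -sU -oG scan.txt <router>` and feed the file contents to `unexpected_open_ports`; each finding (for example telnet, HTTP or SNMP on a management interface) is a configuration item to re-examine.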