The Center for Internet Security

Benchmarks/Tools
CIS Level 1 & 2 Benchmarks and Audit Tool for Cisco IOS Routers and PIX Firewalls

November 2007: Version 2.2 of the tool is now available for free download on this web site.

Features of the 2.2 version of the Router Audit Tool (RAT):
  • Ability to score Cisco Router IOS.
  • Ability to score Cisco PIX firewalls.
  • Includes benchmark documents (PDF) for both Cisco IOS and Cisco ASA, FWSM, and PIX security settings.
The download package includes a text file (etc/RELEASE-NOTES.txt) that provides full details regarding the update.

Also available for download is the NSA Security Recommendation Guide for router security configuration.
The Download File Includes:

IOS/PIX Benchmarks and RAT for Windows

  • RAT_2.2.win32-native-installer.exe - This file provides a single executable that will install both the Router Audit Tool and the Benchmark. Download, run, and follow the directions. Almost all Windows users should use this install method.
  • RAT_2.2.win32-native-fallback.zip - This file provides a second way to install RAT under Windows. It should only be used if there are problems installing the standalone .exe. See the instructions in etc/INSTALL.WIN32.txt after unpacking the zip file.

IOS/PIX Benchmarks and RAT for Unix

  • rat-2.2-dist.gz.sh - The files needed to install RAT on Unix. Most Unix systems with a recent version of Perl should work. Download this file, execute it and follow the instructions in etc/INSTALL.unix.txt

Benchmark Documents (standalone) - You can download the benchmarks and questionnaires without downloading the tool:

  • CIS_Cisco_IOS_Benchmark_v2.2.pdf - this is the Cisco IOS Benchmark Version 2.2
  • cisco-ios-router-questionnaire.pdf - this is the Cisco IOS Questionnaire
  • CIS_Cisco_Firewall_Benchmark_v2.0.pdf - This document applies to securing Cisco Adaptive Security Appliance (ASA), Firewall Services Module (FWSM) and PIX appliances.

Integrity Checking

The following files are provided to assist you in verifying the integrity and authenticity of the download files. Note that an MD5 digest published alongside the download detects transfer corruption, but on its own it does not prove authenticity: anyone able to replace the installer on the server can replace the checksum file as well, and MD5 is no longer collision-resistant. Obtain the digest over a separately trusted channel, or compare it with a copy from another source, before relying on a match.

  • RAT_2.2_win32_native_installer_exe_md5.txt - the MD5 checksum of the single Windows executable.
  • RAT_2.2_win32_native_fallback_zip_md5.txt - the MD5 checksum of the Windows zip file.
  • rat-2.2-dist_gz_sh_md5.txt - the MD5 checksum of the Unix install file.
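The check itself, as an added example written here in Python rather than code from CIS or from RAT: it parses one of the *_md5.txt files, hashes the download in chunks, and compares digests in constant time. The md5sum line layout ("<32 hex digits>  <filename>") is an assumption, since the page does not show the contents of the checksum files; the sample file (the bytes "abc", whose MD5 is the RFC 1321 test vector) and its tampered twin are constructed.

```python
# Added example (not CIS tooling): verify a download against its *_md5.txt file.
# Assumption: the checksum file holds an md5sum-style line, "<32 hex>  <filename>";
# the sample file and digest below are constructed.
import hashlib
import hmac
import os
import re
import tempfile

MD5_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(\S+)")

def parse_checksum(text):
    """Return (hex_digest, filename) from the first md5sum-style line."""
    for line in text.splitlines():
        m = MD5_LINE.match(line.strip())
        if m:
            return m.group(1).lower(), m.group(2)
    raise ValueError("no md5sum-style line found in checksum file")

def md5_of_file(path, chunk=1 << 20):
    """Hash in chunks so a large installer is never read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(path, checksum_text):
    """True iff the file's MD5 equals the published digest (constant-time
    compare). The filename recorded in the checksum file is not enforced,
    because downloads are often renamed locally; check it separately if needed."""
    expected, _recorded_name = parse_checksum(checksum_text)
    return hmac.compare_digest(md5_of_file(path), expected)

def demo():
    """Constructed case: a file containing b'abc' (MD5 900150983cd24fb0d6963f7d28e17f72),
    then the same file after a one-byte change."""
    line = "900150983cd24fb0d6963f7d28e17f72  rat-2.2-dist.gz.sh\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "rat-2.2-dist.gz.sh")
        with open(path, "wb") as f:
            f.write(b"abc")
        intact = verify(path, line)
        with open(path, "wb") as f:
            f.write(b"abd")
        tampered = verify(path, line)
    return intact, tampered

if __name__ == "__main__":
    print(demo())  # (True, False)
```

On a Unix host with the download and its checksum file in the same directory, `md5sum -c rat-2.2-dist_gz_sh_md5.txt` performs the same comparison, provided the local filename matches the one recorded in the checksum file.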
What are the Benchmarks, Audit Tool, and Configuration Guide?
The Benchmarks define configuration settings for Cisco IOS and PIX devices. Both Level 1 and Level 2 configurations are identified in one benchmark document. These settings are designed primarily to enhance the security of the device itself.

The Level 1 Benchmark recommends the prudent level of minimum due care for operating system security and is based on the NSA Router Security Configuration Guide. All IOS and PIX devices should implement these settings. Level 1 Benchmark settings/actions:
  • Can be understood and performed by system administrators with any level of security knowledge and experience;
  • Are unlikely to cause an interruption of service to the operating system or the applications that run on it; and
  • Can be automatically monitored either by CIS Scoring Tools or by CIS Certified tools available from security software vendors (a roster of commercially available CIS-certified software tools is published on this site).

The Level 2 Benchmark settings are optional and may not apply in all situations. There are also many relevant settings for which no benchmark standards are yet defined (e.g. SSH, IPsec, BGP, OSPF, RADIUS).

The Level 2 Benchmark settings/actions:

  • Enhance security beyond the minimum due care level, based on specific network architecture and server function.
  • Contain some security configuration recommendations that affect functionality, and are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments.

The Router Audit Tool (RAT) optionally downloads the configurations of the devices to be audited and then checks them against the settings defined in the benchmark. For each configuration examined, it produces a report containing:

  • A list of each rule checked, with a pass/fail score.
  • A raw overall score.
  • A weighted overall score (1-10).
  • A list of IOS/PIX commands that will correct the problems identified.
In addition, RAT produces a composite report listing all rules (settings) checked on all devices, together with an overall score.
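The scoring loop described above, as an added example written here in Python (RAT itself is a Perl tool; this is not its code, and the rules are not its rule file or the text of the CIS benchmark). The six rules, their weights, the section-aware matching for `line vty` blocks, and the 1-10 scaling (1 + 9 × passed weight / total weight, rounded) are assumptions chosen for illustration; the two IOS configurations are constructed. The rules mirror the kind of device-hardening settings a Level 1 benchmark covers, and the output reproduces the four report items plus the composite across devices.

```python
# Added example (not RAT's code): a RAT-style rule checker for IOS configs.
# Rules, weights and the 1-10 scaling are assumptions; configs are constructed.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str       # regex applied to each config line
    required: bool     # True: a matching line must exist; False: none may
    weight: int        # relative importance (assumed values)
    fix: str           # IOS command(s) that remediate a failure
    section: str = ""  # regex the enclosing section header must match ("" = any)

# Illustrative rules modelled on Level 1-style device hardening; not the text
# of the CIS benchmark or of RAT's own rule file.
RULES = [
    Rule("password_encryption", r"^service password-encryption$", True, 3,
         "service password-encryption"),
    Rule("enable_secret", r"^enable secret ", True, 5, "enable secret <password>"),
    Rule("no_http_server", r"^ip http server$", False, 4, "no ip http server"),
    Rule("no_tcp_small_servers", r"^service tcp-small-servers$", False, 2,
         "no service tcp-small-servers"),
    Rule("logging_buffered", r"^logging buffered", True, 2, "logging buffered 16000"),
    Rule("vty_ssh_only", r"^transport input ssh$", True, 4,
         "line vty 0 4\n transport input ssh", section=r"^line vty"),
]

def parse_config(text):
    """(section, line) pairs: IOS indents sub-commands under a parent such as
    'line vty 0 4', which becomes the section; '!' comments and blanks are dropped."""
    items, section = [], ""
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            items.append((section, raw.strip()))
        else:
            section = raw.strip()
            items.append(("", section))
    return items

def check(config_text, rules=RULES):
    """Evaluate every rule against one configuration; returns [(rule, passed)]."""
    items = parse_config(config_text)
    results = []
    for r in rules:
        hit = any(re.search(r.section, sec) and re.search(r.pattern, line)
                  for sec, line in items)
        results.append((r, hit if r.required else not hit))
    return results

def score(results):
    """Raw score (rules passed) and weighted 1-10 score
    (assumed scaling: 1 + 9 * passed_weight / total_weight, rounded)."""
    total = sum(r.weight for r, _ in results)
    passed = sum(r.weight for r, ok in results if ok)
    weighted = 1 + int(9 * passed / total + 0.5) if total else 1
    return sum(1 for _, ok in results if ok), weighted

def report(device, config_text, rules=RULES):
    """Per-device report: pass/fail per rule, raw and weighted scores, fixes."""
    results = check(config_text, rules)
    raw, weighted = score(results)
    return {"device": device, "rules": {r.name: ok for r, ok in results},
            "raw": raw, "checked": len(results), "weighted": weighted,
            "fixes": [r.fix for r, ok in results if not ok]}

def composite(reports):
    """Composite across devices: pass count per rule and mean weighted score."""
    per_rule = {n: sum(rep["rules"][n] for rep in reports) for n in reports[0]["rules"]}
    mean = sum(rep["weighted"] for rep in reports) / len(reports)
    return {"devices": len(reports), "per_rule_pass": per_rule, "mean_weighted": mean}

# Constructed sample configurations (not captured from real devices).
WEAK_CONFIG = """\
service password-encryption
hostname edge-rtr1
enable secret 5 $1$abcd$constructedplaceholderhash
!
ip http server
service tcp-small-servers
line vty 0 4
 transport input telnet
"""
HARDENED_CONFIG = """\
service password-encryption
hostname edge-rtr2
enable secret 5 $1$efgh$constructedplaceholderhash
no ip http server
logging buffered 16000
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    for rep in [report("edge-rtr1", WEAK_CONFIG), report("edge-rtr2", HARDENED_CONFIG)]:
        print(rep["device"], rep["raw"], "of", rep["checked"], "passed; weighted", rep["weighted"], "/10; fixes:", rep["fixes"])
```

The weak configuration scores 2 of 6 rules (weighted 5/10) and yields four fix commands; the hardened one passes everything (10/10), so the composite over both reports a mean weighted score of 7.5. A "forbidden" rule passes when no line matches, which is why `no ip http server` in the hardened config is not mistaken for `ip http server`: the regex is anchored at the start of the line.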

The Router Security Configuration Guide provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco Systems routers. The information presented can be used to control access, resist attacks, shield other network components, and protect the integrity and confidentiality of network traffic.

This is an NSA Security Recommendation Guide. Distribution of the guide (rscg.pdf) is currently subject to the terms of an NSA Legal Notice, available at http://nsa2.www.conxion.com/cisco/notice.htm
Share Your Feedback
We value your feedback, which may be used both to update the Level 1 Cisco IOS and PIX Benchmarks and to further define the Level 2 security configuration recommendations.  Please direct your technical feedback to:
The CIS Feedback Email Address

Please direct other feedback to:

Bert Miuccio, Vice President
For more information about the CIS consensus process and the benchmarks, see "What are the Benchmarks?" and "FAQ - The Benchmarks" on this site.
Updates to the Benchmarks
The CIS Level 1 & 2 Benchmarks for Cisco IOS Routers and PIX Firewalls are updated periodically.  Continuous feedback from CIS Members and other users assures that the consensus standard of minimum due care is always reflected in the Level 1 settings and that the latest recommendations are always reflected in the Level 2 settings. 

Revision histories can be found in the benchmark documents.  One of the benefits of CIS Membership is electronic notification when updates become available. 

If your organization is not a member of the Center, visit this website periodically to ensure that you are using the latest version of the CIS Benchmarks for Cisco IOS Routers and PIX Firewalls.

© 2007, the Center for Internet Security.