Protect your Cisco router against IOS rootkit software

Opinion
May 27, 2008
Cisco Systems, Networking

What can we do to protect our Cisco routers against the IOS rootkit software that was described at the EUSecWest conference last week?

According to an interview on the EUSecWest Web site with Sebastian Muniz, author of the IOS rootkit presentation and software, the rootkit “consists of a binary modification to the IOS image,” so for now someone would need to load a modified IOS image onto your system to install such a rootkit.

Right now the best things to do to protect your routers are to follow the guidelines published by Cisco in response to the EUSecWest presentation: verify the MD5 checksums for the IOS images you download, keep your IOS images on a hardened software distribution server, restrict access to your routers to the smallest group possible, keep your IOS version up to date, and pay attention to the information in the device log files. Implementing the router management best practices described by Cisco will go a long way toward ensuring that your routers are running valid, up-to-date IOS images.

The Internet Storm Center handler’s diary from May 23 also points out that the Cisco Security Device Manager and the Center for Internet Security Router Assessment Tool are useful in hardening and validating Cisco router configurations. One other tool, CIR, was mentioned by Muniz as being able to analyze a Cisco IOS core dump file well enough to tell whether the IOS image had been modified, which could help identify whether a router had been compromised.
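As an added example (not code from the column or from Cisco), here is a small Python checker for the checksum step: it verifies every image on a distribution server against an md5sum-style manifest of published digests, reports any file whose digest differs or that is missing, and shows that a single-byte modification of the kind the rootkit relies on is caught. The filenames, the manifest format and the sample image bytes are constructed assumptions.

```python
import hashlib
import hmac
import os
import tempfile

def digest_file(path, algo="md5", chunk_size=1 << 20):
    """Hash a file in chunks so a multi-megabyte IOS image never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text):
    """Parse md5sum-style lines ('<hex digest>  <filename>'); '#' comments and blanks are skipped."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)          # raises ValueError on a malformed line
        expected[name.lstrip("*")] = digest.lower()  # md5sum marks binary files with '*'
    return expected

def verify_images(image_dir, manifest_text):
    """Return {filename: 'ok' | 'MISMATCH' | 'MISSING'} for every image the manifest lists."""
    results = {}
    for name, want in parse_manifest(manifest_text).items():
        path = os.path.join(image_dir, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        got = digest_file(path)
        results[name] = "ok" if hmac.compare_digest(got, want) else "MISMATCH"
    return results

def demo():
    """Constructed sample: an intact image and a copy with one byte patched, as a rootkit would do."""
    good = b"CONSTRUCTED-IOS-IMAGE-STAND-IN" * 2000       # stand-in for a real IOS image
    patched = good[:4096] + bytes([good[4096] ^ 0x01]) + good[4097:]
    names = ("c2800-good.bin", "c2800-patched.bin", "c2800-missing.bin")
    # The manifest carries the published digest of the genuine image for every name,
    # so the patched copy must fail and the absent file must be reported.
    manifest = "\n".join(f"{hashlib.md5(good).hexdigest()}  {n}" for n in names)
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("c2800-good.bin", good), ("c2800-patched.bin", patched)):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return verify_images(d, manifest)
```

Running `demo()` returns `ok` for the intact image, `MISMATCH` for the patched one and `MISSING` for the file that never arrived on the server; the same functions work unchanged on real images and a vendor-published checksum list.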