Deutsche Telekom AG

Fraunhofer-Institut für Experimentelles Software Engineering IESE

Telekom

IT Security for complex Networks: "CROCODILE Reloaded"

For several years, a German network provider has been successfully using the checking software CROCODILE® developed by Fraunhofer IESE for monitoring the security of its IP networks. So far, however, the tool and the checking criteria were tailored to routers using the operating system IOS.

Recently, routers running the operating system SmartEdge OS have also been used increasingly in the provider’s network. Due to a lack of suitable analysis tools, SmartEdge systems have required high-effort manual security checks until now.

In order to be able to assess SmartEdge configurations faster and more reliably, Fraunhofer IESE was commissioned by the customer to extend the CROCODILE tool with SmartEdge checking rule sets. For this purpose, Fraunhofer IESE first reviewed the SmartEdge documentation as well as pertinent security guidelines of the customer. The configuration recommendations derived from this were coordinated with the customer and were documented in a catalog containing 110 fundamental security criteria. For each criterion, Fraunhofer IESE formulated one or several checkpoints and implemented corresponding automatic checks with the help of CROCODILE plugins.

Supporting different configuration languages - IOS and SmartEdge OS - required several adjustments and extensions to the CROCODILE analysis framework. The fact that it was still possible to provide the new checking rule sets with moderate effort was due, on the one hand, to the modular setup of the tool. On the other hand, the implementation of the checkpoints was able to use the framework’s proven, universal checking rule language. Therefore, most of the checking criteria could be realized with the help of simple, flexibly adaptable rule specifications. Only a few cases required new checking modules to be programmed.

As suggested by the customer, the new version of CROCODILE now offers an online catalog of checking criteria. To this end, CROCODILE attaches a link to the underlying catalog entry to each report message. Via mouse click, the user gets a more detailed description of the current security problem, hints on how to improve the configuration, as well as references to additional sources of information. Security auditors are now no longer restricted to the brief messages in checking reports when they assess security reports, which makes it easier to assess the situation. The criteria catalog has been so well received by the users that providing an extensive online catalog for the IOS checking rules as well is now being considered.

Since security requirements must be continually adapted to new risks, the checking criteria catalog has an XML format that is easy to maintain. The user himself can update the catalog entries with little effort and without a thorough knowledge of CROCODILE.