THE SHORT VERSION

  Run "ncat_config" and answer the questions.

THE LONG VERSION

  There are a number of rules that depend on knowing things that
  change from site to site.  These include things like your external
  interface, your local address ranges, addresses of your syslog and
  time servers, etc.

RUN NCAT_CONFIG

  After installation, run "ncat_config".  It prompts you for the values
  to use for common site-dependent parameters.  Here is an example
  run.

        6:37 foo:~> ncat_config --update_master
        ncat_config: Reading /home/bar/etc/ncat.conf.MASTER
        
        Please answer the questions below about your network and
        router configuration.  Type ? to get a short explanation of
        any parameter.  If you are unsure about what value to give
        for a parameter, hit RETURN to take the default value.
        
        
        Select types of optional rules to be applied:
        
        ncat_config: Apply rules for class use_multiple_ntp_servers [no] ? 
        ncat_config: Apply rules for class exterior_router [no] ? yes
        ncat_config: Apply rules for class tacacs_aaa [no] ? 
        ncat_config: Apply rules for class localtime [no] ? 
        ncat_config: Apply rules for class gmt [no] ? yes
        ncat_config: Apply rules for class snmp [no] ? help
         Help for class :
        
         
        	Additional SNMP checks.
        
        
         Default value is: no
        
        ncat_config: Apply rules for class snmp [no] ? 
        ncat_config: Apply rules for class 2nd_external_interface [no] ? yes
        
        Change default configuration values:
        
        ncat_config: Enter value for local_2nd_external_interface [Ethernet1] ? Ethernet2
        ncat_config: Enter value for local_acl_num_egress [181] ? 
        ncat_config: Enter value for local_acl_num_ingress [180] ? 
        ncat_config: Enter value for local_acl_num_vty [182] ? 
        ncat_config: Enter value for local_address_internal_netblock_with_mask [192.168.1.0 0.0.0.255] ? 
        ncat_config: Enter value for local_address_loopback [192.168.1.3] ? 
        ncat_config: Enter value for local_address_ntp_host [1.2.3.4] ? 
        ncat_config: Skipping local_address_ntp_host_2 because none of the prerequisite classes (use_multiple_ntp_servers) were selected.
        ncat_config: Skipping local_address_ntp_host_3 because none of the prerequisite classes (use_multiple_ntp_servers) were selected.
        ncat_config: Enter value for local_address_syslog_host [192.168.1.3] ? 
        ncat_config: Enter value for local_address_telnet_acl_block_with_mask [192.168.1.0 0.0.0.7] ? 
        ncat_config: Enter value for local_address_telnet_acl_host [192.168.1.254] ? 
        ncat_config: Enter value for local_exec_timeout [5 0] ? 
        ncat_config: Enter value for local_external_interface [Ethernet0] ? 
        ncat_config: Skipping local_gmt_offset because none of the prerequisite classes (localtime) were selected.
        ncat_config: Enter value for local_source_interface [Loopback0] ? 
        ncat_config: Skipping local_timezone because none of the prerequisite classes (localtime) were selected.
        
        ncat_config: Updating /home/bar/etc/ncat.conf.MASTER...Done.
        ncat_config: Writing /home/bar/etc/ncat.conf...Done.
        
        ncat_config: Now examine /home/bar/etc/ncat.conf.
        ncat_config: Edit /home/bar/etc/ncat.conf.MASTER and rerun ncat_config if not satisfactory.
        6:39 foo:~>
  
  Until you run this program, certain rules will fail, such as
  ingress/egress filtering, VTY ACL definitions, syslog and time hosts,
  etc.

CHANGING ETC/NCAT.CONF.MASTER

  If you want to change other things in the rule definitions, edit the
  master file ($PREFIX/etc/ncat.conf.MASTER) and rerun ncat_config.
  
  The local parameters are all at the beginning of the .MASTER file.
  See the lines beginning with
  
      ConfigLocal

CHANGING ACLS, ADDRESS BLOCKS, AND SERVERS

  The default rules and access control lists make assumptions about
  the number of syslog and NTP servers, the number of address blocks
  and hosts that should be allowed in the access control lists, etc.
  If these assumptions are incorrect, you will want to edit the master
  file.

  EXAMPLE 1: ONLY ONE HOST ALLOWED IN TELNET ACL

  For example, the default telnet (VTY) ACL assumes that you will
  allow one host and one netblock to telnet to your router.  This is
  defined by the following rules in ncat.conf.MASTER:

      RuleName:IOS - Define telnet ACL
      .
      .
      .
      RuleMatch:access-list LOCAL_ACL_NUM_VTY permit tcp LOCAL_ADDRESS_TELNET_ACL_BLOCK_WITH_MASK any eq telnet\
      access-list LOCAL_ACL_NUM_VTY permit tcp host LOCAL_ADDRESS_TELNET_ACL_HOST any eq telnet\
      access-list LOCAL_ACL_NUM_VTY deny   ip any any log

  To allow only a single host access, remove the line that refers to
  LOCAL_ADDRESS_TELNET_ACL_BLOCK_WITH_MASK.  The result would look
  like

      RuleName:IOS - Define telnet ACL
      .
      .
      .
      RuleMatch:access-list LOCAL_ACL_NUM_VTY permit tcp host LOCAL_ADDRESS_TELNET_ACL_HOST any eq telnet\
      access-list LOCAL_ACL_NUM_VTY deny   ip any any log


  You would probably want to add corresponding lines to the RuleFix:
  section.  Also note that the LOCAL_* values will be replaced by the
  values provided during execution of ncat_config, so the final output
  in ncat.conf might look like

      RuleName:IOS - Define telnet ACL
      .
      .
      .
      RuleMatch:access-list 182 permit tcp 192.168.1.0 0.0.0.7 any eq telnet\
      access-list 182 permit tcp host 192.168.1.254 any eq telnet\
      access-list 182 deny   ip any any log

  EXAMPLE 2: NEVER BEING ASKED ABOUT CERTAIN RULE CLASSES

  Let's say you know you'll never use a TACACS+ server for
  authentication, so you don't want ncat_config to ask you about it
  every time.  To accomplish this, edit ncat.conf.MASTER and simply
  comment out the lines that define the optional class

      ConfigClass:tacacs_aaa
      ConfigClassDescription:\
          Cisco routers can use TACACS+ for authentication, authorization\
          and accounting.  Selecting rules in this class will cause rules\
          for TACACS+ to be checked.

  Comments begin with "#", so the result might look like

      # ConfigClass:tacacs_aaa
      # ConfigClassDescription:\
      #     Cisco routers can use TACACS+ for authentication, authorization\
      #     and accounting.  Selecting rules in this class will cause rules\
      #     for TACACS+ to be checked.

  
  Thereafter, when you run ncat_config you will not be asked about
  rule class tacacs_aaa.
  	  
CAVEATS

  Editing RuleMatch: fields can be tricky. Order matters.  If you use
  continuation lines ("\" at end of line), be sure that there are no
  spaces after the "\", and be sure that the last line *does not* have
  a "\".
  
  Probably the best way of creating/modifying things such as access
  control lists is to set up one router the way you want it, then copy
  the relevant portion of the configuration into the .MASTER rules
  file and edit it, making sure to preserve order and spacing.

  Be aware that "make install" (unix) or its equivalent on other
  platforms will overwrite $PREFIX/etc/ncat.conf.MASTER with the
  version in the RAT distribution.

RUNNING NCAT_CONFIG WITHOUT PROMPTING
  
  You may edit the local values in the .MASTER file directly rather
  than having ncat_config prompt you.  If you run ncat_config with the
  --noprompt option
  
      ncat_config --noprompt
  
  it will simply use the values in $PREFIX/etc/ncat.conf.MASTER to
  produce a new $PREFIX/etc/ncat.conf.
  
  You may add other arbitrary "ConfigLocal:KEY=VALUE" pairs as you see
  the need, for instance, if you added
  
      ConfigLocal:InternalInterface=Ethernet1
  
  then all instances of "InternalInterface" later in the file would be
  replaced with "Ethernet1".
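  The following Python is an added example, not part of ncat_config or the
  RAT distribution.  It models the two mechanisms described above and under
  CAVEATS on a constructed .MASTER fragment: every "ConfigLocal:KEY=VALUE"
  definition is substituted into the lines that follow it, and RuleMatch:
  blocks are checked for whitespace after a continuation "\" and for a "\"
  on the block's last line.  Keys are matched as whole tokens and
  case-insensitively (the prompts print local_acl_num_vty while the rule
  text says LOCAL_ACL_NUM_VTY); how the real ncat_config matches keys is an
  assumption here, as is the treatment of "Word:" at the start of a line as
  a new field.

```python
import re

# Constructed .MASTER fragment (not taken from the RAT distribution); it uses
# the ConfigLocal / RuleName / RuleMatch syntax described in LOCALIZE.txt.
# The second rule deliberately contains both CAVEATS pitfalls: a space after
# a continuation backslash, and a backslash on the block's last line.
MASTER_FRAGMENT = """\
# ConfigClass:tacacs_aaa
ConfigLocal:LOCAL_ACL_NUM_VTY=182
ConfigLocal:LOCAL_ADDRESS_TELNET_ACL_HOST=192.168.1.254
ConfigLocal:LOCAL_ADDRESS_NTP_HOST=1.2.3.4
ConfigLocal:LOCAL_ADDRESS_NTP_HOST_2=5.6.7.8
ConfigLocal:InternalInterface=Ethernet1

RuleName:IOS - Define telnet ACL
RuleMatch:access-list LOCAL_ACL_NUM_VTY permit tcp host LOCAL_ADDRESS_TELNET_ACL_HOST any eq telnet\\
access-list LOCAL_ACL_NUM_VTY deny   ip any any log

RuleName:IOS - NTP servers
RuleMatch:ntp server LOCAL_ADDRESS_NTP_HOST\\ 
ntp server LOCAL_ADDRESS_NTP_HOST_2\\
"""

FIELD = re.compile(r"^[A-Za-z]+:")      # RuleName:, RuleMatch:, ConfigLocal:, ... (assumed field syntax)
LOCAL_DEF = re.compile(r"^ConfigLocal:\s*([^=\s]+)\s*=\s*(.*)$")


def expand(text):
    """Substitute each ConfigLocal:KEY=VALUE into every later, non-comment line."""
    values = {}
    pattern = None
    out = []
    for line in text.splitlines():
        m = LOCAL_DEF.match(line)
        if m:
            values[m.group(1).lower()] = m.group(2).strip()
            # Whole-token, case-insensitive match; \b stops LOCAL_ADDRESS_NTP_HOST
            # from matching inside LOCAL_ADDRESS_NTP_HOST_2 ("_" is a word character).
            alternatives = "|".join(re.escape(k) for k in sorted(values, key=len, reverse=True))
            pattern = re.compile(r"\b(" + alternatives + r")\b", re.IGNORECASE)
            out.append(line)
        elif line.lstrip().startswith("#") or pattern is None:
            out.append(line)            # comments, and text before any definition
        else:
            out.append(pattern.sub(lambda mt: values[mt.group(1).lower()], line))
    return "\n".join(out) + "\n"


def lint_continuations(text):
    """Flag the two RuleMatch continuation pitfalls listed under CAVEATS.

    Returns a list of (line_number, message) tuples, 1-based.
    """
    problems = []
    lines = text.splitlines()
    in_rule = False
    for num, line in enumerate(lines, 1):
        if FIELD.match(line):
            in_rule = line.startswith("RuleMatch:")
        if not in_rule:
            continue
        body = line.rstrip()
        continues = body.endswith("\\")
        if continues and body != line:
            problems.append((num, "whitespace after the continuation backslash"))
        following = lines[num] if num < len(lines) else ""
        if continues and (not following.strip() or FIELD.match(following)):
            problems.append((num, "last line of the RuleMatch block ends with a backslash"))
        in_rule = continues             # a line without "\" ends the block
    return problems


if __name__ == "__main__":
    print(expand(MASTER_FRAGMENT))
    for num, msg in lint_continuations(MASTER_FRAGMENT):
        print("line %d: %s" % (num, msg))
```

  Running the block prints the fragment with the LOCAL_* tokens replaced
  (the telnet rule becomes "access-list 182 permit tcp host 192.168.1.254
  any eq telnet\") and reports lines 13 and 14 of the fragment, which carry
  the two continuation mistakes.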

UPDATING THE MASTER FILE

  Lastly, if you run ncat_config with only the --update_master
  option, the values you enter at the prompts will be saved in
  $PREFIX/etc/ncat.conf.MASTER as well as being used in
  $PREFIX/etc/ncat.conf.  Be aware that "make install" (unix) or its
  equivalent on other platforms will overwrite
  $PREFIX/etc/ncat.conf.MASTER with the version in the RAT
  distribution.

THINGS YOU STILL HAVE TO HAND EDIT

  Some values, such as SNMP community strings and encrypted passwords,
  still have to be set by hand.  Search the .MASTER file for "EDIT-BY-HAND"
  to find these and change them to the appropriate values.  You should
  be very careful to protect any file that contains sensitive
  information such as router passwords and SNMP community strings from
  disclosure to unauthorized parties.
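  As an added example (not part of RAT or ncat_config), the following
  Python performs the two checks this section asks for on a generated file:
  it lists every line that still carries the "EDIT-BY-HAND" marker and
  warns when the file's mode lets group or other users read it.  The
  ncat.conf excerpt it audits is constructed for the example; the
  owner-only mode 0600 is the assumed target for a file holding router
  secrets.

```python
import os
import stat
import tempfile

MARKER = "EDIT-BY-HAND"

# Constructed ncat.conf excerpt (not RAT output): two values that ncat_config
# cannot fill in and that still carry the hand-edit marker, plus one that is done.
SAMPLE_CONF = """\
RuleName:IOS - SNMP community string
RuleMatch:snmp-server community EDIT-BY-HAND RO 99
RuleName:IOS - enable secret
RuleMatch:enable secret 5 EDIT-BY-HAND
RuleName:IOS - syslog host
RuleMatch:logging 192.168.1.3
"""


def audit_conf_file(path):
    """Return findings for a generated ncat.conf (or the .MASTER it came from):
    a mode that grants group/other access, and every line still marked EDIT-BY-HAND."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o allows group/other access; use 0600" % mode)
    with open(path) as fh:
        for num, line in enumerate(fh, 1):
            if MARKER in line:
                findings.append("line %d still contains %s: %s" % (num, MARKER, line.rstrip()))
    return findings


def demo_audit():
    """Write the sample to a temp file and audit it first world-readable, then owner-only."""
    fd, path = tempfile.mkstemp(prefix="ncat.conf.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE_CONF)
        os.chmod(path, 0o644)
        world_readable = audit_conf_file(path)
        os.chmod(path, 0o600)
        owner_only = audit_conf_file(path)
    finally:
        os.unlink(path)
    return world_readable, owner_only


if __name__ == "__main__":
    for label, findings in zip(("0644", "0600"), demo_audit()):
        print("mode %s:" % label)
        for f in findings:
            print("  " + f)
```

  With mode 0644 the audit reports three findings (the mode and two
  unedited lines); after chmod 0600 only the two EDIT-BY-HAND lines
  remain, which is the list you work through by hand.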

TELL US ABOUT NEW AND MODIFIED RULES

  If you develop new rules, make changes to rules that you think should
  be standard, or have other comments/ideas about localization, send
  a note to
  
      rat-feedback@cisecurity.org

VALUES YOU MAY HAVE TO PROVIDE

This section provides a list of some of the values you may have to
provide during installation.  You may want to gather this information
before running ncat_config to generate production rules.

--------------------------------------------------------------------------

TYPE: Interface Names

  Name:Local_External_Interface
  Default Value:Ethernet0
  Required by Rule Class:exterior_router
  Description:
   The router interface that is attached to an external or
   untrusted network (e.g. the Internet).
  
  Name:Local_2nd_External_Interface
  Default Value:Ethernet1
  Required by Rule Class:2nd_External_Interface
  Description:
   A second router interface that is attached to an external or
   untrusted network (e.g. the Internet).
  
  Name:Local_Source_Interface
  Default Value:Loopback0
  Description:
   The name of the local loopback interface (almost always Loopback0)

TYPE: Addresses

  Name:Local_Address_Internal_Netblock_With_Mask
  Default Value:192.168.1.0 0.0.0.255
  Required by Rule Class:exterior_router 
  Description:
   The LAN address and netmask of your internal (trusted) network.
  
  Name:Local_Address_Telnet_ACL_Block_With_Mask
  Default Value:192.168.1.0 0.0.0.7 
  Description:
   The LAN address and netmask for the hosts permitted to telnet to the router.
  
  Name:Local_Address_Telnet_ACL_Host
  Default Value:192.168.1.254 
  Description:
   The IP address of the host permitted to telnet to the router.
  
  Name:Local_Address_Syslog_Host
  Default Value:192.168.1.3 
  Description:
   The IP address of this router's main logging server.
  
  Name:Local_Address_NTP_Host
  Default Value:1.2.3.4 
  Description:
   The IP address of this router's main NTP server.
  
  Name:Local_Address_NTP_Host_2
  Default Value:5.6.7.8
  Required by Rule Class:use_multiple_ntp_servers
  Description:
   The IP address of this router's 2nd NTP server.
  
  Name:Local_Address_NTP_Host_3
  Default Value:9.10.11.12
  Required by Rule Class:use_multiple_ntp_servers
  Description:
   The IP address of this router's 3rd NTP server.
  
  Name:Local_Address_Loopback
  Default Value:192.168.1.3 
  Description:
   The IP address of this router's loopback interface (if any)

TYPE: Define Access Control List (ACL) numbers

  Name:Local_ACL_Num_Ingress
  Default Value:180
  Required by Rule Class:exterior_router 
  Description:
   The number of the IP access list used for RFC2267 filtering
   on packets incoming from the untrusted network.
  
  Name:Local_ACL_Num_Egress
  Default Value:181
  Required by Rule Class:exterior_router 
  Description:
   The number of the IP access list used for RFC2267 filtering
   on packets being sent to the untrusted network.
  
  Name:Local_ACL_Num_VTY
  Default Value:182 
  Description:
   The number of the IP access list used to protect the VTY lines (telnet)

TYPE: timeout values

  Name:Local_Exec_Timeout
  Default Value:5 0 
  Description:
     Timeout values (minutes and seconds) for interactive sessions.

TYPE: Timezone   

  Name:Local_Timezone
  Default Value:GMT
  Required by Rule Class:localtime 
  Description:
   Specify the name of the timezone to be used.  For example, GMT, EST, etc.
  
  Name:Local_GMT_Offset
  Default Value:0
  Required by Rule Class:localtime 
  Description:
   Specify the number of hours difference from GMT.  For example, 0, -5, 2, etc.
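  The following Python is an added example, not part of RAT: a pre-flight
  check for the values listed in this section, run before ncat_config so
  that typos are caught before they become rules.  The DEFAULTS dict and
  the REQUIRED_BY mapping are copied from the entries above; parameters
  whose rule class is not selected are skipped, as the sample run shows
  ncat_config doing.  The checks themselves are assumptions about what a
  sane value looks like: interface names such as Ethernet0 or Loopback0,
  IPv4 addresses, "<address> <wildcard>" pairs with no host bits set under
  the wildcard, ACL numbers in the IOS extended ranges 100-199 and
  2000-2699, and a "<minutes> <seconds>" exec timeout.

```python
import ipaddress
import re

# Defaults as listed in VALUES YOU MAY HAVE TO PROVIDE (constructed dict).
DEFAULTS = {
    "Local_External_Interface": "Ethernet0",
    "Local_2nd_External_Interface": "Ethernet1",
    "Local_Source_Interface": "Loopback0",
    "Local_Address_Internal_Netblock_With_Mask": "192.168.1.0 0.0.0.255",
    "Local_Address_Telnet_ACL_Block_With_Mask": "192.168.1.0 0.0.0.7",
    "Local_Address_Telnet_ACL_Host": "192.168.1.254",
    "Local_Address_Syslog_Host": "192.168.1.3",
    "Local_Address_NTP_Host": "1.2.3.4",
    "Local_Address_NTP_Host_2": "5.6.7.8",
    "Local_Address_NTP_Host_3": "9.10.11.12",
    "Local_Address_Loopback": "192.168.1.3",
    "Local_ACL_Num_Ingress": "180",
    "Local_ACL_Num_Egress": "181",
    "Local_ACL_Num_VTY": "182",
    "Local_Exec_Timeout": "5 0",
    "Local_Timezone": "GMT",
    "Local_GMT_Offset": "0",
}

# "Required by Rule Class" from the same section (class names lower-cased,
# as ncat_config prints them).  A parameter whose class is not selected is
# skipped, mirroring the "Skipping ... prerequisite classes" lines.
REQUIRED_BY = {
    "Local_External_Interface": "exterior_router",
    "Local_2nd_External_Interface": "2nd_external_interface",
    "Local_Address_Internal_Netblock_With_Mask": "exterior_router",
    "Local_Address_NTP_Host_2": "use_multiple_ntp_servers",
    "Local_Address_NTP_Host_3": "use_multiple_ntp_servers",
    "Local_ACL_Num_Ingress": "exterior_router",
    "Local_ACL_Num_Egress": "exterior_router",
    "Local_Timezone": "localtime",
    "Local_GMT_Offset": "localtime",
}

# Ethernet0, Loopback0, FastEthernet0/1, GigabitEthernet0/0.10 (assumed shape)
INTERFACE = re.compile(r"^[A-Za-z-]+\d+(/\d+)*(\.\d+)?$")


def check_value(key, value):
    """Return an error string for a malformed value, or None if it looks sane."""
    if "Interface" in key:
        return None if INTERFACE.match(value) else "not an interface name such as Ethernet0"
    if key.endswith("_With_Mask"):
        parts = value.split()
        if len(parts) != 2:
            return "expected '<address> <wildcard-mask>'"
        addr, wild = (int(ipaddress.IPv4Address(p)) for p in parts)   # ValueError on junk
        # Bits the wildcard marks "don't care" carry no meaning in the address;
        # non-zero bits there almost always mean a typo in the address or mask.
        return "address has host bits set under the wildcard mask" if addr & wild else None
    if "Address" in key:
        ipaddress.IPv4Address(value)                                    # ValueError on junk
        return None
    if "ACL_Num" in key:
        n = int(value)
        return None if 100 <= n <= 199 or 2000 <= n <= 2699 else "not an extended IP ACL number (100-199 or 2000-2699)"
    if key == "Local_Exec_Timeout":
        parts = value.split()
        return None if len(parts) == 2 and all(p.isdigit() for p in parts) else "expected '<minutes> <seconds>'"
    if key == "Local_GMT_Offset":
        return None if -23 <= int(value) <= 23 else "hours from GMT must lie within -23..23"
    return None if value.strip() else "empty value"


def validate(values, selected_classes=()):
    """Check every parameter the selected rule classes need; returns {key: error}."""
    selected = {c.lower() for c in selected_classes}
    errors = {}
    for key in DEFAULTS:
        needed_by = REQUIRED_BY.get(key)
        if needed_by and needed_by not in selected:
            continue
        if key not in values:
            errors[key] = "missing"
            continue
        try:
            msg = check_value(key, values[key])
        except ValueError as exc:
            msg = str(exc)
        if msg:
            errors[key] = msg
    return errors


if __name__ == "__main__":
    classes = {"exterior_router", "2nd_external_interface", "use_multiple_ntp_servers", "localtime"}
    for key, err in sorted(validate(DEFAULTS, classes).items()):
        print("%s: %s" % (key, err))
```

  The page's defaults pass with every class selected.  Feeding the same dict
  with, for instance, "192.168.1.5 0.0.0.7" for the telnet ACL block or "99"
  for the VTY ACL number returns one error per offending key, which is the
  moment to fix the .MASTER file rather than after the rules have been
  generated.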
  
$Id: LOCALIZE.txt,v 1.6 2002/03/20 12:19:10 gmj Exp $
