Configuration Management with Cisco Prime LAN Management Solution 4.2
Chapter 4: Using Compliance and Audit Manager Feature

Using Compliance and Audit Manager Feature

Table Of Contents

Using Compliance and Audit Manager Feature

Managing Policy Groups

Adding Policy Groups

Adding New Policy Group by Selecting Policies from Existing System-Defined Policy Group

Adding a New Policy Group by Adding New Policies

Cloning Policy Groups

Editing Policy Groups

Deleting User-Defined Policy Groups

Deleting a Policy from User-Defined Policy Group

Managing Policy Profile

Adding a New Policy Profile

Cloning Policy Profiles

Editing Policy Profile

Deleting Policy Profiles

Running Compliance Check

Viewing Job History

Fixing Profile Violations

Understanding Compliance Violation Fix Job Browser

Understanding Compliance and Audit Manager (CAAM) Policies

Center of Internet Security (CIS)

Cisco Security Best Practices (SAFE)

Department Of Homeland Security (DHS)

Defense Information Security Agency (DISA)

End of Life (EOL)

Healthcare Insurance Portability Act (HIPAA)

ISO17799

National Security Agency (NSA) Router

Payment Card Industry (PCI)

Cisco Security Advisory (PSIRT)

SysAdmin, Audit, Network, Security (SANS)

Sarbanes Oxley Act (SOX)

Compliance and Audit Manager Policies

Banners

Console Access

Domain Name

Host Name

Logging and Syslog

Terminal Access

User Passwords

ACL on Interfaces

Null (Black Hole) Routing

SMURF Attack

Traffic Rules

Dynamic Trunking Protocols (DTP)

IEEE 802.3 Flow Control

Spanning Tree Protocols (STP)

Unidirectional Link Detection (UDLD)

VLAN 1

VLAN Trunking Protocols (VTP)

Remote Commands

AAA

AAA Accounting - Commands

AAA Accounting - Connections

AAA Accounting - Exec

AAA Accounting - Network

AAA Accounting - System

AAA Authentication - Enable

AAA Authentication - Login

AAA Authorization - Commands

AAA Authorization - Configuration

AAA Authorization - EXEC

AAA Authorization - Network

Control Plane Policing

HTTP Server

Miscellaneous Service

Routing and Forwarding

SNMP

TCP Parameters

BGP

EIGRP

OSPF

RIP

ACLs

CDP

Clock

Miscellaneous Services On Firewalls

NTP Configuration

Device Version Checks

Devices Running outdated OS Versions

Devices with outdated modules

Outdated Devices As Per Vendor Specific EOL/EOS Announcement

IEEE 802.1X Port-Based Authentication

IOS Software SIP DoS Vulnerability - 112248

Management VLAN

IOS Software IPv6 DoS Vulnerability - 112252

IOS Software Data Link Switching Vulnerability - 112254

Cisco 10000 Series DoS Vulnerability - 113032

IOS Software NAT H.323 Vulnerability - 112253

Multiple SSH Vulnerabilities - 8118

IOS Software Smart Install Vulnerability - 113030

SSH Parameters

IOS Software IPv6 over Multiprotocol Label Switching Vulnerability - 113058

IOS Software ICMPv6 over Multiprotocol Label Switching Vulnerability - 113058

FTP

Cisco ASA Internet Locator Service Inspection DoS vulnerability - 113097

IP Phone + Host Ports

Port Security

ASA SCCP Inspection DoS Vulnerability - 112881

Password Rules

ASA Unauthorized File System Access Vulnerability - 112881

IOS Software IPS and Zone Based Firewall Memory Leak Vulnerability - 113057

ASA Transparent Firewall Packet Buffer Exhaustion Vulnerability - 112881

IP Phone Ports

ASA Routing Information Protocol DoS Vulnerability - 112881

Outdated Devices As Per Vendor Specific EOL/EOS Announcements

Cisco ASA TACACS+ Authentication Bypass vulnerability - 113097

Content Services Gateway Service policy bypass - 112206

IOS Software NAT LDAP Vulnerability - 112253

DHCP

IOS Software IP Service Level Agreement Vulnerability - 113056

DHCP Status

Cisco ASA Four SunRPC Inspection Denial of Service vulnerability - 113097

Content Services Gateway DOS Vulnerability - 112206

IOS Software IPS and Zone Based Firewall crafted HTTP packets Vulnerability - 113057

Secure Webmode Access

Unused Ports

Cisco ASA MSN Instant Messenger Inspection DoS vulnerability - 113097

DHCP Snooping

IOS Software NAT SIP Vulnerability - 112253

Hot Standby Router Protocol (HSRP)

AAA Command Authorization By-pass - 68840 [IOS]

ARP Table Overwrite - 13600 [IOS]

ASA Crafted IKE Message DoS Vulnerability - 111877 [ASA]

ASA Crafted IKE Message DoS Vulnerability - 111877

ASA Crafted TCP Segment DoS Vulnerability - 111485 [ASA]

ASA Crypto Accelerator Memory Leak Vulnerability - 108009 [ASA]

ASA NTLMv1 Authentication Bypass Vulnerability - 111485 [ASA]

ASA SCCP Inspection DoS Vulnerability - 111485 [ASA]

ASA SIP Inspection DoS Vulnerability - 111485 [ASA]

ASA SIP Inspection DoS Vulnerability - 111877 [ASA]

ASA TCP Connection Exhaustion DoS Vulnerability - 111485 [ASA]

ASA Three SunRPC Inspection DoS Vulnerability - 111877 [ASA]

ASA Three TLS DoS Vulnerability - 111877 [ASA]

ASA WebVPN DTLS DoS Vulnerability - 111485 [ASA]

Access Point Memory Exhaustion from ARP Attacks - 68715 [IOS]

Access Point Web-browser Interface - 70567 [IOS]

Auth Proxy Buffer Overflow - 66269 [IOS]

Authentication Proxy Vulnerability - 110478 [IOS]

BGP Attribute Corruption - 10935 [IOS]

BGP Logging - 63845 [IOS]

BGP Long AS path Vulnerability - 110457 [IOS]

BGP Packet - 53021 [IOS]

BGP Update Message Vulnerability - 110457 [IOS]

CEF Data Leak - 20640 [IOS]

Call Processing Solutions - 63708 [IOS]

CatOS Catalyst 5000 Series 802.1x Vulnerability - 13617 [CatOS]

CatOS Denial-of-Service of TCP-based services - 43864 [CatOS]

CatOS DoS using Telnet, HTTP and SSH - 52781 [CatOS]

CatOS Embedded HTTP Server Buffer Overflow - 27962 [CatOS]

CatOS Enable Password Bypass Vulnerability - 13619 [CatOS]

CatOS Memory Leak Vulnerability - 13618 [CatOS]

CatOS Multiple SSH Vulnerabilities - 8118 [CatOS]

CatOS NAM (Network Analysis Module) Vulnerability - 81863 [CatOS]

CatOS OpenSSH Server Vulnerabilities - 45322 [CatOS]

CatOS Password Bypass Vulnerability - 42340 [CatOS]

CatOS SNMP Malformed Message Handling - 19296 [CatOS]

CatOS SNMP Multiple Community String Vulnerabilities - 13629 [CatOS]

CatOS SNMP Version 3 Authentication Vulnerability - 107408 [CatOS]

CatOS SSH Can Cause a Crash - 24862 [CatOS]

CatOS SSH Protocol Mismatch Vulnerability - 10932 [CatOS]

CatOS TCP Conn Reset - 50961 [CatOS]

CatOS TCP State Manipulation DoS Vulnerability - 109444 [CatOS]

CatOS Telnet Buffer Vulnerability - 20776 [CatOS]

Cisco IOS Software IGMP Vulnerability - 112027 [IOS]

Crafted Encryption Packet DoS Vulnerability - 110393 [IOS]

Crafted ICMP Messages DoS for IPSec Tunnels - 64520 [IOS]

Crafted ICMP Messages DoS for L2TPv2 - 64520 [IOS]

Crafted ICMP Messages DoS for TCP over IPv4 - 64520 [IOS]

Crafted ICMP Messages DoS for TCP over IPv6 - 64520 [IOS]

Crafted IP Option - 81734 [IOS]

Crafted TCP Packet Denial of Service Vulnerability - 111450 [IOS]

Crafted UDP Packet Vulnerability - 108558 [IOS]

Crypto - 91890 [IOS]

DFS ACL Leakage - 13655 [IOS]

DHCP - 63312 [IOS]

DLSw Denial of Service Vulnerabilities - 99758 [IOS]

DLSw Vulnerability - 77859 [IOS]

FTP Server - 90782 [IOS]

Firewall Application Inspection Control Vulnerability - 107716 [IOS]

H.323 Denial of Service Vulnerability - 111265 [IOS]

H.323 Protocol DoS Vulnerability - 110396 [IOS]

H323 DoS Vulnerability - 112021 [IOS]

HTTP - 13627 [IOS]

HTTP Auth - 13626 [IOS]

HTTP Command Injection - 68322 [IOS]

HTTP GET Vulnerability - 44162 [IOS]

HTTP Server Query - 13628 [IOS]

Hard-Coded SNMP Community Names in Cisco Industrial Ethernet 3000 Series Switches Vulnerability - 111895 [IOS]

IKE Resource Exhaustion Vulnerability - 110559 [IOS]

IKE Xauth - 64424 [IOS]

IPS ATOMIC.TCP Signature Vulnerability - 81545 [IOS]

IPS DoS Vulnerability - 107583 [IOS]

IPS Fragmented Packet Vulnerability - 81545 [IOS]

IPSec IKE Malformed Packet - 50430 [IOS]

IPsec Vulnerability - 111266 [IOS]

IPv4 - 44020 [IOS]

IPv6 Crafted Packet - 65783 [IOS]

IPv6 Routing Header - 72372 [IOS]

Information Leakage Using IPv6 Routing Header - 97848 [IOS]

Inter Process Communication (IPC) Vulnerability - 107661 [IOS]

Layer 2 Tunneling Protocol (L2TP) DoS Vulnerability - 107441

MPLS - 63846 [IOS]

MPLS Forwarding Infrastructure DoS Vulnerability - 107646

MPLS VPN May Leak Information Vulnerability - 107578

Mobile IP and IPv6 Vulnerabilities - 109487

Multicast Virtual Private Network (MVPN) Data Leak - 100374 [IOS]

Multiple Crafted IPv6 Packets - 63844

Multiple DNS Cache Poisoning Attacks - 107064 [IOS]

Multiple Features Crafted TCP Sequence Vulnerability - 109337

Multiple Features IP Sockets Vulnerability - 109333 [IOS]

Multiple Multicast Vulnerabilities - 107550

Multiple SIP DoS Vulnerabilities - 107617

Multiple SSH Vulnerabilities - 8118

Multiprotocol Label Switching Packet Vulnerability - 111458

NAM (Network Analysis Module) Vulnerability - 81863

NAT - 13659

NAT Skinny Call Control Protocol Vulnerability - 111268

NAT Skinny Call Control Protocol Vulnerability - 99866

NTP - 23445

NTP Packet Vulnerability - 110447

Network Address Translation Vulnerability - 112028

Next Hop Resolution Protocol Vulnerability - 91766

OSPF Malformed Packet - 61365 [IOS]

OSPF, MPLS VPN Vulnerability - 100526 [IOS]

Object-Group ACL Bypass Vulnerability - 110398 [IOS]

OpenSSL Implementation DoS Vulnerability - 45643 [IOS]

OpenSSL Implementation Vulnerability - 49898 [IOS]

PIX Crafted MGCP Packet - 98711 [PIX, ASA]

PIX Crafted TLS Packet - 98711 [PIX, ASA]

PIX Erroneous SIP Processing Vulnerabilities - 107475 [PIX, ASA]

PIX Buffer overflow - 28947 [PIX, ASA]

PIX CBAC - 23885 [PIX, ASA]

PIX Control Plane Access Control List Vulnerability - 105444 [PIX, ASA]

PIX Crafted TCP ACK Packet Vulnerability - 105444 [PIX, ASA]

PIX Crafted TLS Packet Vulnerability - 105444 [PIX, ASA]

PIX Crypto - 23886 [PIX, ASA]

PIX Crypto - 91890 [PIX, ASA]

PIX DoS - 13635 [PIX, ASA]

PIX Device Reload with SIP Inspection Vulnerability - 107475 [PIX, ASA]

PIX Enhanced inspection of Malformed HTTP traffic - 77853 [PIX, ASA]

PIX FTP - 13638 [PIX, ASA]

PIX Firewall Unintentional Password Modification - 70811 [PIX, ASA]

PIX IPSec Client Authentication Processing Vulnerability - 107475 [PIX, ASA]

PIX ISAKMP - 28947 [PIX, ASA]

PIX Inspection of a stream of malformed TCP packets - 77853 [PIX, ASA]

PIX Inspection of malformed SIP packets - 77853 [PIX, ASA]

PIX Instant Message Inspection Vulnerability - 105444 [PIX, ASA]

PIX LDAP Authentication Bypass - 82451 [PIX, ASA]

PIX Mailguard - 13636 [PIX, ASA]

PIX Multiple SSH Vulnerabilities - 8118 [PIX, ASA]

PIX OpenSSL Implementation DoS Vulnerability - 45643 [PIX, ASA]

PIX OpenSSL Implementation Vulnerability - 49898 [PIX, ASA]

PIX Potential Information Disclosure in Clientless VPNs - 107475 [PIX, ASA]

PIX Privilege escalation - 77853 [PIX, ASA]

PIX SMTP - 15235 [PIX, ASA]

PIX SNMP - 19296 [PIX, ASA]

PIX SNMPv3 - 47284 [PIX, ASA]

PIX SSH - 24862 [PIX, ASA]

PIX SSL VPN DOS - 82451 [PIX, ASA]

PIX SSL VPN Memory Leak Vulnerability - 107475 [PIX, ASA]

PIX Scan Denial of Service Vulnerability - 105444 [PIX, ASA]

PIX TCP Conn Reset - 50961 [PIX, ASA]

PIX TCP Prevention - 68268 [PIX, ASA]

PIX TCP Reset - 13639 [PIX, ASA]

PIX Time-to-Live Vulnerability - 100314 [PIX, ASA]

PIX Traceback When Processing Malformed SIP Requests - 107475 [PIX, ASA]

PIX URI Processing Error Vulnerability in SSL VPNs - 107475 [PIX, ASA]

PIX VPN Password Expiry - 82451 [PIX, ASA]

PIX VPNC - 47284 [PIX, ASA]

PIX/ASA ACL Bypass Vulnerability - 109974 [PIX, ASA]

PIX/ASA Crafted H.323 Packet DoS Vulnerability - 109974 [PIX, ASA]

PIX/ASA Crafted HTTP Packet DoS Vulnerability - 109974 [PIX, ASA]

PIX/ASA Crafted TCP Packet DoS Vulnerability - 109974 [PIX, ASA]

PIX/ASA IPv6 Denial of Service Vulnerability - 108009 [PIX, ASA]

PIX/ASA SQL *Net Packet DoS Vulnerability - 109974 [PIX, ASA]

PIX/ASA TCP State Manipulation DoS Vulnerability - 109444 [PIX, ASA]

PIX/ASA VPN Authentication Bypass Vulnerability - 109974 [PIX, ASA]

PIX/ASA Windows NT Domain Authentication Bypass Vulnerability - 108009

PPTP - 13640 [IOS]

Radius - 65328 [IOS]

Reload After Scanning - 13632 [IOS]

SAA Packets - 42744 [IOS]

SGBP Packet - 68793 [IOS]

SIP - 81825 [IOS]

SIP DoS Vulnerabilities - 109322 [IOS]

SIP DoS Vulnerability - 110395 [IOS]

SIP DoS Vulnerability - 112022 [IOS]

SNMP Malformed Message Handling - 19294 [IOS]

SNMP Message Processing - 50980 [IOS]

SNMP Multiple Community String Vulnerabilities - 13629 [IOS]

SNMP Read-Write ILMI Community String - 13630 [IOS]

SNMP Trap Reveals WEP Key - 46468 [IOS]

SNMP Version 3 Authentication Vulnerability - 107408 [IOS]

SSH Can Cause a Crash - 24862 [IOS]

SSH Malformed Packet - 29581 [IOS]

SSH TACACS+ Authentication - 64439 [IOS]

SSL - 91888 [IOS]

SSL Packet Processing Vulnerability - 107631 [IOS]

SSL VPN Vulnerability - 112029 [IOS]

Secure Copy Authorization Bypass Vulnerability - 97261 [IOS]

Secure Copy Privilege Escalation Vulnerability - 109323 [IOS]

Secure Shell Denial of Services Vulnerabilities - 99725 [IOS]

Session Initiation Protocol Denial of Services Vulnerability - 111448 [IOS]

Syslog Crash - 13660 [IOS]

TCP - 72318 [IOS]

TCP Conn Reset - 50960 [IOS]

TCP Denial of Service Vulnerability - 112099 [IOS]

TCP ISN - 13631 [IOS]

TCP State Manipulation DoS Vulnerability - 109444 [IOS]

Telnet DoS - 61671 [IOS]

Telnet Option - 10939 [IOS]

Timers Heap Overflow - 68064 [IOS]

Tunnels DoS Vulnerability - 109482 [IOS]

Unified Communications Manager Express Vulnerability - 110451

User Datagram Protocol Delivery Issue - 100638 [IOS]

Virtual Private Dial-up Network DoS Vulnerability - 97278 [IOS]

Vulnerabilities Found by PROTOS IPSec Test Suite - 68158 [IOS]

Vulnerability in IOS Firewall Feature Set - 9360 [IOS]

WebVPN and SSLVPN Vulnerabilities - 107397 [IOS]

Zone-Based Policy Firewall Vulnerability - 110410 [IOS]

cTCP Denial of Service Vulnerability - 109314 [IOS]

uBR10012 Series Devices SNMP Vulnerability - 107696 [IOS]

Land Attack

Risky Traffic

Loopback Interfaces

Distributed DoS Attacks

Web Mode Status

SNMP Status

WLAN Security Status

CDP Status

Syslog Status

Telnet Status

NTP Server should be Configured

Check IDS Status

Check Authentication Servers

Data Synchronization between LMS and CAAM

Compliance Management License


Using Compliance and Audit Manager Feature


This chapter describes how to manage Policy Groups and Policy Profiles, and how to check network devices for compliance against selected compliance rules and user-defined policies.

This chapter contains the following:

Managing Policy Groups

Managing Policy Profile

Fixing Profile Violations

Understanding Compliance Violation Fix Job Browser

Understanding Compliance and Audit Manager (CAAM) Policies

Data Synchronization between LMS and CAAM

Compliance Management License

Compliance and Audit Reports

Managing Policy Groups

A Policy Group is a collection of Policies, and each Policy is defined by a set of rules. LMS supports 293 policies. In addition to the system-defined Policy Groups, you can create your own Policy Groups by selecting a set of system-defined policies.

This section details:

Adding Policy Groups

Cloning Policy Groups

Editing Policy Groups

Deleting User-Defined Policy Groups

Deleting a Policy from User-Defined Policy Group

Adding Policy Groups

This section details:

Adding New Policy Group by Selecting Policies from Existing System-Defined Policy Group

Adding a New Policy Group by Adding New Policies

Adding New Policy Group by Selecting Policies from Existing System-Defined Policy Group

To add a new Policy Group from existing System-Defined Policy Group:


Step 1 Select Configuration > Compliance > Compliance and Audit Manager > Compliance Policies and Groups.

The Compliance Policies and Groups page appears.

Step 2 Select the required System Policy Group from the tree view.

The list of policies associated with the selected Policy Group appears in the Policies and Rules pane.

Step 3 Select a policy for which you want to modify the rules.

The rules corresponding to the selected policy appear.

Step 4 Edit the rules.

Step 5 Repeat Step 3 and Step 4 if you want to modify the rules associated with other policies listed in Policies and Rules pane.

Step 6 Click Add to add new policies to the group.

The Policy Selector appears.

Step 7 Select the required policies and click Select.

The selected policies will be added to the Policies and Rules pane. To return to Compliance Policies and Groups page, click Cancel.

Step 8 Select the newly added policy for which you want to modify the rules. The rules corresponding to the selected policy appear.

Step 9 Edit the rules.

Step 10 Click Save As to save as a new Policy Group.

A Create Group pop-up appears.

Step 11 Enter the name of the new Policy Group.

Step 12 Enter the description of the Policy Group.

Step 13 Click Save to save the newly created Policy Group. To return to Compliance Policies and Groups page, click Cancel.

The newly created Policy Group will be listed under My Policy Groups.


Adding a New Policy Group by Adding New Policies

To add a new Policy Group:


Step 1 Select Configuration > Compliance > Compliance and Audit Manager > Compliance Policies and Groups.

The Compliance Policies and Groups page appears.

Step 2 Click the icon in the Policy Group Selector section.

Step 3 Click Add Policy Group.

Step 4 Enter the name of the new Policy Group.

Step 5 Enter the description of the Policy Group.

Step 6 Click Add in the Policies and Rules pane to add new policies to the group.

The Policy Selector appears. See Table 4-1 for the list of policies grouped under each policy group.

Step 7 Select the required policies and click Select.

The selected policies will be added to the Policies and Rules pane. To return to the Compliance Policies and Groups page, click Cancel.

Step 8 Select the newly added policy for which you want to modify the rules.

The rules corresponding to the selected policy appear.

Step 9 Set values for each rule.

Step 10 Click Save to save the new Policy Group.

The newly created Policy Group will be listed under My Policy Groups.


Table 4-1 Policy Group Details

Policy Group Name
Policies

Security

ACL on Interfaces

Distributed DoS Attacks

Land Attack

Martian Traffic

Null (Black Hole) Routing

Risky Traffic

SMURF Attack

Traffic Rules

Network Protocols

Control Plane Policing

HTTP Server

Hot Standby Router Protocol (HSRP)

ICMP

Miscellaneous Services

Routing and Forwarding

SNMP

SSH Parameters

TCP Parameters

Switching

DHCP Snooping

Dynamic Trunking Protocol (DTP)

IEEE 802.1X Port-Based Authentication

IEEE 802.3 Flow Control

IP Phone Ports

Management VLAN

Port Security

Spanning Tree Protocol (STP)

Unidirectional Link Detection (UDLD)

Unused Ports

VLAN1

VLAN Trunking Protocol (VTP)

Global Configuration

ACLs

CDP

Clock

FTP

Miscellaneous Services On Firewalls

NTP Configuration

Traceroute

Others

Device Version Checks

Devices Running outdated OS Versions

Devices with outdated modules

Outdated Devices As Per Vendor Specific EOL/EOS Announcements

Routing Protocols

BGP

EIGRP

OSPF

RIP

Cisco Security Advisories (PSIRT)

For PSIRT policies see Cisco Security Advisory (PSIRT).

Network Access Services

Loopback Interfaces

Remote Commands

Audit and Management

Banners

Console Access

DHCP

Domain Name

Host Name

Logging and Syslog

Terminal Access

User Passwords

AAA Services

AAA

AAA Accounting - Commands

AAA Accounting - Connections

AAA Accounting - Exec

AAA Accounting - Network

AAA Accounting - System

AAA Authentication - Enable

AAA Authentication - Login

AAA Authorization - Configuration

AAA Authorization - Exec

AAA Authorization - Network


Cloning Policy Groups

To clone a Policy Group:


Step 1 Select Configuration > Compliance > Compliance and Audit Manager > Compliance Policies and Groups.

The Compliance Policies and Groups page appears.

Step 2 Mouse-hover on the System or My Policy Groups and then mouse-hover on the quick view picker icon next to System or My Policy Groups.

The policy details such as Group Name, Description and Policy Count appear in the mouse-hover pop-up window. You can also clone or delete groups.


Note You cannot delete system-defined Policy Groups.


Step 3 Click Clone Group in the mouse-hover pop-up window to create a copy of the selected Policy Group.

Step 4 Enter the name of the Policy Group.

Step 5 Enter the description of the Policy Group.

Step 6 Click Save to save the Policy Group.

The copy of the selected Policy Group will be listed under My Policy Groups.


Editing Policy Groups

To edit a Policy Group:


Step 1 Select Configuration > Compliance > Compliance and Audit Manager > Compliance Policies and Groups.

The Compliance Policies and Groups page appears.

Step 2 Select the required System or My Policy Groups from the tree view.

The list of policies associated with the selected Policy Group appears in the Policies and Rules pane.

Step 3 Select a policy for which you want to modify the rules.

The rules corresponding to the selected policy appear.

Step 4 Edit the rules.

Step 5 Repeat Step 3 and Step 4 if you want to modify the rules associated with other policies listed in Policies and Rules pane.

Step 6 Click Add to add new policies to the group.

The Policy Selector appears.

To delete a policy, select a policy and click Delete.

Step 7 Select the required policies and click Select.

The selected policies will be listed in the Policies and Rules pane. To return to Compliance Policies and Groups page, click Cancel.

Step 8 Select the newly added policy for which you want to modify the rules. The rules corresponding to the selected policy appear.

Step 9 Edit the rules.

Step 10 Do one of the following:

Click Save to save the changes made in the selected My Policy Group.


Note You cannot edit and save a System Policy Group. Hence, the Save option is disabled for System Policy Groups.


Or

Click Save As to save it as a new My Policy Group and follow Step 11.

Step 11 Enter the name of the new Policy Group.

Step 12 Enter the description of the Policy Group.

Step 13 Click Save to save the new Policy Group. To return to Compliance Policies and Groups page, click Cancel.

The newly created Policy Group will be listed under My Policy Groups.


Deleting User-Defined Policy Groups

To delete a user-defined Policy Group:


Step 1 Select Configuration > Compliance > Compliance and Audit Manager > Compliance Policies and Groups.

The Compliance Policies and Groups page appears.

Step 2 Mouse-hover the user-defined Policy Group which you want to delete and then mouse-hover on the quick view picker icon next to the user-defined Policy Group.

The policy details appear in the mouse-hover pop-up window.

Step 3 Click Delete Group to delete the selected Policy Group.

A warning message appears.

Step 4 Click OK to delete the selected Policy Group. To return to the Compliance Policies and Groups page, click Cancel.


Deleting a Policy from User-Defined Policy Group

To delete a policy from the user-defined Policy Group:


Step 1 Select Configuration > Compliance > Compliance and Audit Manager > Compliance Policies and Groups.

The Compliance Policies and Groups page appears.

Step 2 Select a user-defined Policy Group.

A list of policies associated with the selected Policy Group will be displayed in the Policies and Rules pane.

Step 3 Select a policy and click Delete.

A confirmation message appears.

Step 4 Click OK to delete the selected policy. To return to the Compliance Policies and Groups page, click Cancel.


Managing Policy Profile

A Policy Profile is a set of Policy Groups, where each Policy Group is mapped to a set of devices or device groups.
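The object model described above (rules grouped into Policies, Policies into Policy Groups, and a Policy Profile mapping each group onto devices) and the per-device violation summary of the Devices table in Table 4-4, as an added Python illustration that is not part of LMS or of this guide. The policy and group names follow Table 4-1, but the regex rules, the severities, the device names and the running-config excerpts are constructed for the example and are not the checks LMS itself performs.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rank used for the "Highest Severity" column of the Devices table.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

@dataclass
class Rule:
    """One rule of a policy: a regex the running-config must (or must not) match."""
    name: str
    pattern: str
    severity: str
    fix: Optional[str]        # remediation CLI; None when no config push can fix it
    must_match: bool = True   # False means the pattern must be absent

@dataclass
class Policy:
    name: str
    rules: List[Rule]

@dataclass
class PolicyGroup:
    name: str
    policies: List[Policy]

@dataclass
class PolicyProfile:
    name: str
    mapping: Dict[str, List[str]]   # policy group name -> devices it is checked on

def check_device(config: str, group: PolicyGroup) -> List[dict]:
    """Evaluate every rule of every policy in the group against one config."""
    found = []
    for policy in group.policies:
        for rule in policy.rules:
            present = re.search(rule.pattern, config, re.MULTILINE) is not None
            if present != rule.must_match:
                found.append({"policy": policy.name, "rule": rule.name,
                              "severity": rule.severity, "fix": rule.fix})
    return found

def run_compliance_check(profile: PolicyProfile, groups: Dict[str, PolicyGroup],
                         configs: Dict[str, str]) -> Dict[str, List[dict]]:
    """Check each mapped device against every policy group it is mapped to."""
    report: Dict[str, List[dict]] = {}
    for group_name, devices in profile.mapping.items():
        for dev in devices:
            report.setdefault(dev, []).extend(
                check_device(configs[dev], groups[group_name]))
    return report

def devices_table(report: Dict[str, List[dict]]) -> Dict[str, dict]:
    """Per-device summary with the columns of the Devices table (Table 4-4)."""
    rows = {}
    for dev, viols in report.items():
        rows[dev] = {
            "Total Violations": len(viols),
            "Violations with Fix": sum(1 for v in viols if v["fix"] is not None),
            "Violations without Fix": sum(1 for v in viols if v["fix"] is None),
            "Highest Severity": max((v["severity"] for v in viols),
                                    key=SEVERITY_RANK.__getitem__, default="None"),
        }
    return rows

# Constructed policies named after Table 4-1 entries; the rules are illustrative only.
GROUPS = {
    "Audit and Management": PolicyGroup("Audit and Management", [
        Policy("Banners", [Rule("motd banner present", r"^banner motd", "High",
                                "banner motd ^C Authorized use only ^C")]),
        Policy("Logging and Syslog", [Rule("syslog host configured",
                                           r"^logging( host)? \d+\.\d+\.\d+\.\d+",
                                           "Medium", "logging host <SYSLOG_SERVER>")]),
    ]),
    "Network Protocols": PolicyGroup("Network Protocols", [
        Policy("HTTP Server", [Rule("http server disabled", r"^ip http server",
                                    "High", "no ip http server", must_match=False)]),
    ]),
    "Others": PolicyGroup("Others", [
        # An outdated image needs an upgrade, not a config push, so there is no fix.
        Policy("Device Version Checks", [Rule("IOS 15.x or later",
                                              r"^version 1[5-9]\.", "High", None)]),
    ]),
}

PROFILE = PolicyProfile("Branch-Baseline", {
    "Audit and Management": ["edge-rtr-1", "core-sw-1"],
    "Network Protocols": ["edge-rtr-1", "core-sw-1"],
    "Others": ["edge-rtr-1"],
})

# Constructed running-config excerpts; device names and addresses are made up.
CONFIGS = {
    "edge-rtr-1": "version 12.4\nhostname edge-rtr-1\nip http server\nlogging 192.0.2.10\n",
    "core-sw-1": "version 15.2\nhostname core-sw-1\nbanner motd ^C Authorized use only ^C\n"
                 "no ip http server\nlogging host 192.0.2.10\n",
}

def demo() -> Dict[str, dict]:
    """Run the profile over the sample configs and return the Devices table rows."""
    return devices_table(run_compliance_check(PROFILE, GROUPS, CONFIGS))
```

In this run edge-rtr-1 shows three violations (two with a fix, one without, highest severity High) and core-sw-1 shows none; a violation without a fix is what the Violations table of Table 4-4 lists under "Violations without Fix".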

This section details:

Adding a New Policy Profile

Cloning Policy Profiles

Editing Policy Profile

Deleting Policy Profiles

Running Compliance Check

Viewing Job History

Adding a New Policy Profile

To add a new Policy Profile:


Step 1 Select Configuration > Compliance > Compliance and Audit Manager > Compliance Profiles and Execution.

The Compliance Policy Profile page appears.

Step 2 Click the icon in the Policy Profile Selector section.

Step 3 Click Add Policy Profile.

Step 4 Enter the name of the new Policy Profile.

Step 5 Enter the description of the Policy Profile.

Step 6 Click Add to add new Policy Groups.

The Policy Group Selector appears.

Step 7 Select the required Policy Group and click Select.

The selected Policy Group and a list of devices will be displayed. To return to Compliance Policy Profile page, click Cancel.

Step 8 Select the device(s) from the device selector.

Step 9 Click Save to save the newly created Policy Profile.


Cloning Policy Profiles

To clone a Policy Profile:


Step 1 Select Configuration > Compliance > Compliance and Audit Manager > Compliance Profiles and Execution.

The Compliance Policy Profile page appears.

Step 2 Mouse-hover on the Policy Profile and then mouse-hover on the quick view picker icon next to the Policy Profile.

The policy details appear in the mouse-hover pop-up window.

Step 3 Click Clone Policy Profile to create a copy of the selected Policy Profile.

Step 4 Enter a new Policy Profile name.

Step 5 Enter the description of the Policy Profile.

Step 6 Click Save to save the Policy Profile.


Editing Policy Profile

To edit a Policy Profile:


Step 1 Select Configuration > Compliance > Compliance and Audit Manager > Compliance Profiles and Execution.

The Compliance Policy Profile page appears.

Step 2 Select the Policy Profile which you want to edit.

The list of policy groups and devices associated with the selected Policy Profile appears in the Policy Group Selection and Device Mapping pane.

Step 3 Click Add to add new policy groups.

The Policy Group Selector appears.

To delete a Policy Group, select a Policy Group and click Delete.

Step 4 Select the required Policy Groups and click Select.

The selected Policy Groups will be listed in the Policy Group Selection and Device Mapping pane. To return to Compliance Policy Profile page, click Cancel.

Step 5 Select the device(s) from the device selector.

Step 6 Do one of the following:

Click Save to save the changes made in the selected Policy Profile.

Or

Click Save As to save it as a new Policy Profile and follow Step 7.

Step 7 Enter the name of the new Policy Profile.

Step 8 Enter the description of the Policy Profile.

Step 9 Click Save in the Create Policy Profile pop-up to save the new Policy Profile. To return to Compliance Policy Profile page, click Cancel.

The newly created Policy Profile will be listed in the tree view.


Deleting Policy Profiles

To delete a Policy Profile:


Step 1 Select Configuration > Compliance > Compliance and Audit Manager > Compliance Profiles and Execution.

The Compliance Policy Profile page appears.

Step 2 Mouse-hover on the Policy Profile and then mouse-hover on the quick view picker icon next to the Policy Profile.

The policy details appear in the mouse-hover pop-up window.

Step 3 Click Delete Policy Profile to delete the selected Policy Profile.

A warning message appears.

Step 4 Click OK to delete the selected Policy Profile. To return to the Compliance Policy Profile page, click Cancel.


Running Compliance Check

To run a compliance check:


Step 1 Select Configuration > Compliance > Compliance and Audit Manager > Compliance Profiles and Execution.

The Compliance Policy Profile page appears.

Step 2 Mouse-hover on the Policy Profile and then mouse-hover on the quick view picker icon next to the Policy Profile.

The policy details appear in the mouse-hover pop-up window.

Step 3 Click Compliance Check.

The Schedule Compliance window appears.

Step 4 Select one of these scheduling options:

Immediate—Runs this task immediately.

Once—Runs this task once at the specified date and time.

Daily—Runs daily at the specified time.

Weekly—Runs weekly on the specified day of the week and at the specified time.

Monthly—Runs monthly on the specified day of the month and at the specified time.

Step 5 Enter a description for the job.

Step 6 Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job. You can enter multiple e-mail addresses separated by commas.

Step 7 Click Submit.

A message appears, Job JobID is created successfully, where JobID is a unique Job number.

Step 8 Click OK.

The Compliance Profile Execution Jobs page appears. You can check the status of your scheduled job on this page.


Viewing Job History

To view the job history:


Step 1 Select Configuration > Compliance > Compliance and Audit Manager > Compliance Profiles and Execution.

The Compliance Policy Profile page appears.

Step 2 Mouse-hover on the Policy Profile and then mouse-hover on the quick view picker icon next to the Policy Profile.

The policy details appear in the mouse-hover pop-up window.

Step 3 Click History to view all the jobs related to the selected profile.

The Compliance Profile Execution Jobs window appears.

Table 4-2 Compliance Profile Execution Job Details

Column
Description

Job ID

Unique number assigned to this task at creation time. This number is never reused. There are two formats:

Job ID:

Identifies the task. This does not maintain a history. For example: 1001

JobID.Instance ID:

Here, in addition to the task, the instance of the task can also be identified. For example: 1001.1, 1001.2

Status

Provides the status of the current jobs. The status of the current jobs is displayed as succeeded or failed. It also displays the failure reasons.

Profile Name

Name of the Profile for which the job is scheduled.

Description

Description of the job.

Owner

Username of the job creator.

Job Type

Type of Compliance and Audit Report job. The types include Compliance, Life Cycle Management, and Service reports.

Scheduled At

Date and time at which the job was scheduled.

Completed At

Date and time at which the job was completed.

Schedule Type

Frequency of the job. This can be:

Once

Immediate

Periodic (calendar/time based).

Delete

(button)

Deletes the selected job from the Compliance Profile Execution Jobs window. You can select more than one job to delete.

Refresh

(button)

Select a Job and click Refresh Job.

The Job Details pane gets refreshed showing the latest status of the job.

View Report

(icon)

Select a job and click View Report icon.

The report is launched in a new browser window. You can also click the link Click here to see Report in the Job Info pane to launch the report.

Filter

(button)

Click Filter and select a Filter By criteria from the drop-down list and enter the details in the Equals field.

The following Filter By options are available:

Job ID—Select Job ID and enter the Job ID number.

Status—Select Status and enter the status (Successful, Failed, Cancelled, Running, Waiting, Rejected).

Description—Select Description and enter the complete name.

Owner—Select Owner and enter the user name.

Scheduled at—Select Scheduled at and enter the schedule time details.

Completed at—Select Completed at and enter the completed time details.

Schedule Type—Select Schedule Type and enter the type (Immediate, Once, Daily, Weekly, Monthly).


Table 4-3 Job Results Pane Fields

Field
Description

Job Info

Job Description

Description of the job.

Job Type

Type of the report (Service or Life Cycle, or Compliance report)

Profile Name

Name of the Profile.

Job Status

Indicates whether the job ran successfully.

Job Message

Indicates success/failure message.

No of Violations

Indicates the violation count.

No of devices within violations

Number of devices with violations.

Report Name

Name of the report.

Job Policies

E-mail Notifications

E-mail notification status (Enabled/Disabled)

E-mail IDs

E-mail IDs registered for e-mail notification

Device Details

Total No of Devices

Total number of devices in the job.

No of Devices without Report Data

Number of devices for which the job produced no report data.

Device List

List of devices in the report



Fixing Profile Violations

The Profile Violations Fix Report lists all the devices that do not comply with a policy profile. A profile is a policy or a set of policies applied to a device or a set of devices.

To fix a profile violation:


Step 1 Select Configuration > Compliance > Compliance and Audit Manager > Compliance Profile Execution Jobs.

The Job Browser Page appears.

Step 2 Select a job and click View Report.

The Compliance Report Page appears.

The View Report button is disabled if the job found no rule violations.

Step 3 Select a device from the Devices table to view the Policies associated with the device. For more details, see Table 4-4.

Step 4 Select a Policy from the Policies table to view the violation details. For more details, see Table 4-4.

Step 5 Select the violations that have to be fixed from the Violations table. For more details, see Table 4-4.

Table 4-4 Compliance Violation Details

Column
Description

Devices Table

Device Name

Name of the device that violated the profile.

Selected Violations to fix

Number of violations selected to fix.

Total Violations

Total number of violations for the device.

Highest Severity

Highest violation severity for the device.

Policies Table

Policy Name

Name of the violated policy.

Selected Violations to fix

Number of violations selected for fix.

Total Violations

Total number of violations for the policy

Policy Info

Information about the violated Policy.

Violations Table

Violations with Fix

Lists the violations that can be fixed.

Violations without Fix

Lists the violations that cannot be fixed.

Violation Description

Description about the violation.

Severity

Severity of the Violation.

Info

Additional violation information.


Step 6 Click Fix Violations.

The Fix Compliance Violation Window appears.

Table 4-5 Compliance Violation Fix Details

Column
Description

Review Fix Commands

Devices

Name of the device that violated the profile.

Commands

Configuration commands for fixing the violation.

Schedule

Scheduler

Specifies the type of schedule for the job:

Immediate—Runs the job immediately.

Once—Runs the job once at the specified date and time.

Start Date

Select the start date for the job.

Start Time

Select the start time for the job from the hour and minute drop-down lists.

Job Description

Enter a description for the job that you are scheduling. This is a mandatory field. Accepts alphanumeric values and special characters.

E-mail

Enter the e-mail address to which the job sends messages when the job has run.

You can enter multiple e-mail addresses separated by semicolon.


Step 7 Select a Scheduler, enter a Job Description, and click Finish.

A notification message appears along with the Job ID. Click OK. The newly created job appears in the Compliance Profile Violation Fix Job Browser.

Understanding Compliance Violation Fix Job Browser

You can browse the compliance fix violation jobs registered on the system. Using the Compliance Fix Violation Jobs browser, you can stop, delete, refresh, or filter jobs. You can also view the job details such as work order, device details and job summary.


Note View Permission Report (Reports > System > Users > Permission) to check whether you have the required privileges to perform this task.


Select either:

Configuration > Compliance > Compliance and Audit Manager > Compliance Profile Violation Fix Jobs.

Or

Configuration > Job Browsers > Compliance Profile Violation Fix Jobs

The Compliance Fix Violation Jobs page appears.

Table 4-6 describes the List of Compliance Fix Violation Jobs pane.

Table 4-6 List of Compliance Fix Violation Jobs

Column/Button
Description

Job ID

Unique number assigned to a Compliance Fix Violation job when it is created.

For periodic jobs such as Daily, Weekly, the job IDs are in the number.x format. The x represents the number of instances of the job. For example, 1001.3 indicates that this is the third instance of the Job ID 1001.

Status

Status of the job:

Successful—When the job is successful.

Failed—When the job has failed.

The number in brackets next to the Failed status is the count of devices that failed in that job. It is displayed only when the status is Failed.

For example, Failed(5) means that five devices failed in the job.

Stopped—When the job has been stopped.

Running—When the job is in progress.

Description

Description of the job, entered at the time of job creation.

Owner

User who created the job.

Scheduled at

Date and time at which the job was scheduled.

Completed at

Date and time at which the job was completed.

Schedule Type

Type of job schedule—Immediate, Once.

Stop

(button)

Stop or cancel a running job.

Delete

(button)

Deletes the selected job from the Compliance Fix Violation Jobs. You can select more than one job to delete.

Refresh Job

(button)

Select a Job and click Refresh Job.

The Job Details pane gets refreshed showing the latest status of the job.

Filter

(icon)

Click Filter and select a Filter By criteria from the drop-down list and enter the details in the Equals field.

The following Filter By options are available:

Job ID—Select Job ID and enter the Job ID number.

Status—Select Status and enter the status (Successful, Failed, Cancelled, Running, Waiting, Rejected).

Description—Select Description and enter the complete name.

Owner—Select Owner and enter the user name.

Scheduled at—Select Scheduled at and enter the schedule time details.

Completed at—Select Completed at and enter the completed time details.

Schedule Type—Select Schedule Type and enter the type (Immediate, Once)

Refresh

(icon)

Click to refresh the List of Compliance Fix Violation Jobs table.


Table 4-7 describes the Job Details pane in the Compliance Fix Violation Jobs.

Table 4-7 Compliance Fix Violation Job Details

Tab
Description
Work Order

Shows the work order details for the selected job.

General Info

The General Info in the work order displays the following details:

Job ID

Job Type

Description—Job description entered at the time of job creation.

Schedule Type—Type of job schedule (Immediate, Once, Daily)

Policy Profile Execution Job Id

Profile Name

Job Policies

The Job Policies in the work order displays the following details:

E-mail Notification—E-mail notification status (Enabled/Disabled)

E-mail Ids—E-mail IDs registered for e-mail notification

Device Details

Shows the Device List of the job.

Device Details

Shows the list of devices added in the Compliance Fix Violation job.

Device

Shows the device name.

Status

Status of the device (Success, Failure).

Message Summary

Shows the device status summary.

Filter

Click Filter. Select a Filter By criteria from the drop-down list and enter the details in the Equals field. Click Go to filter details.

The following Filter By options are available:

Device—Select Device and enter the first few letters or the complete name of the device.

Status—Select Status and enter the status (Success, Failure)

Message Summary—Select Message Summary and enter the first few letters of the message summary.

Job Summary

Shows the job summary details for the selected job.

General Info

The General Info in the job summary shows the following details:

Status—Status of the job.

Start Time—Start time of the job.

End Time—End time of the job.

Job Messages

Shows the following job messages:

Pre-job Execution

Post-job Execution

Device Updates

Shows the following update on the devices in the job:

Successful

Failed

Not Attempted

Pending


Understanding Compliance and Audit Manager (CAAM) Policies

This section provides information about the System-defined Policy Groups, Policies supported in each System-defined Policy Group and the rules in each Policy.

LMS supports the following System-defined Policy Groups:

Center of Internet Security (CIS)

Cisco Security Best Practices (SAFE)

Department Of Homeland Security (DHS)

Defense Information Security Agency (DISA)

End of Life (EOL)

Healthcare Insurance Portability Act (HIPAA)

ISO17799

National Security Agency (NSA) Router

Payment Card Industry (PCI)

Cisco Security Advisory (PSIRT)

SysAdmin, Audit, Network, Security (SANS)

Sarbanes Oxley Act (SOX)

Center of Internet Security (CIS)

CIS Policy Group supports the following policies:

Banners

Logging and Syslog

Terminal Access

User Passwords

ACL on Interfaces

SMURF Attack

Loopback Interfaces

AAA

AAA Accounting - Commands

AAA Accounting - Connections

AAA Accounting - Exec

AAA Accounting - Network

AAA Accounting - System

AAA Authentication - Enable

AAA Authentication - Login

HTTP Server

Miscellaneous Services

Routing and Forwarding

SNMP

SSH Parameters

TCP Parameters

BGP

EIGRP

OSPF

RIP

CDP

Clock

Miscellaneous Services On Firewalls

NTP Configuration

Device Version Checks


Note The policies listed in CIS Policy Group may vary.


Cisco Security Best Practices (SAFE)

CiscoSafe Policy Group supports the following policies:

Banners

Console Access

Domain Name

Logging and Syslog

Terminal Access

User Passwords

SMURF Attack

Loopback Interfaces

Remote Commands

AAA

AAA Accounting - Exec

AAA Accounting - Network

AAA Authentication - Login

AAA Authorization - EXEC

AAA Authorization - Network

HTTP Server

Miscellaneous Services

Routing and Forwarding

SNMP

SSH Parameters

TCP Parameters

OSPF

CDP

Clock

Miscellaneous Services On Firewalls

NTP Configuration


Note The policies listed in CiscoSafe Policy Group may vary.


Department Of Homeland Security (DHS)

DHS Policy Group supports the following policies:

Banners

Console Access

Domain Name

Logging and Syslog

Terminal Access

User Passwords

AAA

AAA Authentication - Login

HTTP Server

Miscellaneous Services

Routing and Forwarding

SNMP

TCP Parameters

BGP

EIGRP

OSPF

CDP

NTP Configuration


Note The policies listed in DHS Policy Group may vary.


Defense Information Security Agency (DISA)

DISA Policy Group supports the following policies:

Console Access

Logging and Syslog

Terminal Access

Remote Commands

AAA Authentication - Login

HTTP Server

SNMP

BGP

EIGRP

OSPF

RIP


Note The policies listed in DISA Policy Group may vary.


End of Life (EOL)

EOL Policy Group supports the following policies:

Devices Running outdated OS Versions

Devices with outdated modules

Outdated Devices As Per Vendor Specific EOL/EOS Announcement


Note The policies listed in EOL Policy Group may vary.


Healthcare Insurance Portability Act (HIPAA)

HIPAA Policy Group supports the following policies:

Console Access

Terminal Access

User Passwords

AAA

AAA Authentication - Login

AAA Authorization - Commands

HTTP Server

SNMP


Note The policies listed in HIPAA Policy Group may vary.


ISO17799

ISO17799 Policy Group supports the following policies:

Banners

Logging and Syslog

Terminal Access

User Passwords

ACL on Interfaces

SMURF Attack

AAA

AAA Accounting - Commands

AAA Accounting - Connections

AAA Accounting - Exec

AAA Accounting - Network

AAA Accounting - System

AAA Authentication - Enable

AAA Authentication - Login

AAA Authorization - Commands

AAA Authorization - Configuration

AAA Authorization - EXEC

AAA Authorization - Network

HTTP Server

Miscellaneous Services

SNMP

BGP

EIGRP

OSPF

RIP

NTP Configuration


Note The policies listed in ISO17799 Policy Group may vary.


National Security Agency (NSA) Router

NSA Router Policy Group supports the following policies:

Banners

Console Access

Domain Name

Host Name

Logging and Syslog

Terminal Access

User Passwords

Null (Black Hole) Routing

SMURF Attack

Dynamic Trunking Protocols (DTP)

IEEE 802.3 Flow Control

Spanning Tree Protocols (STP)

Unidirectional Link Detection (UDLD)

VLAN 1

VLAN Trunking Protocols (VTP)

Loopback Interfaces

AAA

AAA Authentication - Login

Control Plane Policing

HTTP Server

Miscellaneous Services

Routing and Forwarding

SNMP

TCP Parameters

BGP

EIGRP

OSPF

RIP

ACLs

CDP

NTP Configuration

Device Version Checks


Note The policies listed in NSA Router Policy Group may vary.


Payment Card Industry (PCI)

PCI Policy Group supports the following policies:

Console Access

Logging and Syslog

Terminal Access

User Passwords

Traffic Rules

AAA

AAA Authentication - Login

HTTP Server

Miscellaneous Services

SNMP

NTP Configuration


Note The policies listed in PCI Policy Group may vary.


Cisco Security Advisory (PSIRT)

PSIRT Policy Group supports the following policies:

AAA Command Authorization By-pass - 68840 [IOS]

ARP Table Overwrite - 13600 [IOS]

ASA Crafted IKE Message DoS Vulnerability - 111877 [ASA]

ASA Crafted TCP Segment DoS Vulnerability - 111485 [ASA]

ASA Crypto Accelerator Memory Leak Vulnerability - 108009 [ASA]

ASA NTLMv1 Authentication Bypass Vulnerability - 111485 [ASA]

ASA SCCP Inspection DoS Vulnerability - 111485 [ASA]

ASA SIP Inspection DoS Vulnerability - 111485 [ASA]

ASA SIP Inspection DoS Vulnerability - 111877 [ASA]

ASA TCP Connection Exhaustion DoS Vulnerability - 111485 [ASA]

ASA Three SunRPC Inspection DoS Vulnerability - 111877 [ASA]

ASA Three TLS DoS Vulnerability - 111877 [ASA]

ASA WebVPN DTLS DoS Vulnerability - 111485 [ASA]

Access Point Memory Exhaustion from ARP Attacks - 68715 [IOS]

Access Point Web-browser Interface - 70567 [IOS]

Auth Proxy Buffer Overflow - 66269 [IOS]

Authentication Proxy Vulnerability - 110478 [IOS]

BGP Attribute Corruption - 10935 [IOS]

BGP Logging - 63845 [IOS]

BGP Long AS path Vulnerability - 110457 [IOS]

BGP Packet - 53021 [IOS]

BGP Update Message Vulnerability - 110457 [IOS]

CEF Data Leak - 20640 [IOS]

Call Processing Solutions - 63708 [IOS]

CatOS Catalyst 5000 Series 802.1x Vulnerability - 13617 [CatOS]

CatOS Denial-of-Service of TCP-based services - 43864 [CatOS]

CatOS DoS using Telnet, HTTP and SSH - 52781 [CatOS]

CatOS Embedded HTTP Server Buffer Overflow - 27962 [CatOS]

CatOS Enable Password Bypass Vulnerability - 13619 [CatOS]

CatOS Memory Leak Vulnerability - 13618 [CatOS]

CatOS Multiple SSH Vulnerabilities - 8118 [CatOS]

CatOS NAM (Network Analysis Module) Vulnerability - 81863 [CatOS]

CatOS OpenSSH Server Vulnerabilities - 45322 [CatOS]

CatOS Password Bypass Vulnerability - 42340 [CatOS]

CatOS SNMP Malformed Message Handling - 19296 [CatOS]

CatOS SNMP Multiple Community String Vulnerabilities - 13629 [CatOS]

CatOS SNMP Version 3 Authentication Vulnerability - 107408 [CatOS]

CatOS SSH Can Cause a Crash - 24862 [CatOS]

CatOS SSH Protocol Mismatch Vulnerability - 10932 [CatOS]

CatOS TCP Conn Reset - 50961 [CatOS]

CatOS TCP State Manipulation DoS Vulnerability - 109444 [CatOS]

CatOS Telnet Buffer Vulnerability - 20776 [CatOS]

Cisco IOS Software IGMP Vulnerability - 112027 [IOS]

Crafted Encryption Packet DoS Vulnerability - 110393 [IOS]

Crafted ICMP Messages DoS for IPSec Tunnels - 64520 [IOS]

Crafted ICMP Messages DoS for L2TPv2 - 64520 [IOS]

Crafted ICMP Messages DoS for TCP over IPv4 - 64520 [IOS]

Crafted ICMP Messages DoS for TCP over IPv6 - 64520 [IOS]

Crafted IP Option - 81734 [IOS]

Crafted TCP Packet Denial of Service Vulnerability - 111450 [IOS]

Crafted UDP Packet Vulnerability - 108558 [IOS]

Crypto - 91890 [IOS]

DFS ACL Leakage - 13655 [IOS]

DHCP - 63312 [IOS]

DLSw Denial of Service Vulnerabilities - 99758 [IOS]

DLSw Vulnerability - 77859 [IOS]

FTP Server - 90782 [IOS]

Firewall Application Inspection Control Vulnerability - 107716 [IOS]

H.323 Denial of Service Vulnerability - 111265 [IOS]

H.323 Protocol DoS Vulnerability - 110396 [IOS]

H323 DoS Vulnerability - 112021 [IOS]

HTTP - 13627 [IOS]

HTTP Auth - 13626 [IOS]

HTTP Command Injection - 68322 [IOS]

HTTP GET Vulnerability - 44162 [IOS]

HTTP Server Query - 13628 [IOS]

Hard-Coded SNMP Community Names in Cisco Industrial Ethernet 3000 Series Switches Vulnerability - 111895 [IOS]

IKE Resource Exhaustion Vulnerability - 110559 [IOS]

IKE Xauth - 64424 [IOS]

IPS ATOMIC.TCP Signature Vulnerability - 81545 [IOS]

IPS DoS Vulnerability - 107583 [IOS]

IPS Fragmented Packet Vulnerability - 81545 [IOS]

IPSec IKE Malformed Packet - 50430 [IOS]

IPsec Vulnerability - 111266 [IOS]

IPv4 - 44020 [IOS]

IPv6 Crafted Packet - 65783 [IOS]

IPv6 Routing Header - 72372 [IOS]

Information Leakage Using IPv6 Routing Header - 97848 [IOS]

Inter Process Communication (IPC) Vulnerability - 107661 [IOS]

Layer 2 Tunneling Protocol (L2TP) DoS Vulnerability - 107441

MPLS - 63846 [IOS]

MPLS Forwarding Infrastructure DoS Vulnerability - 107646

MPLS VPN May Leak Information Vulnerability - 107578

Mobile IP and IPv6 Vulnerabilities - 109487

Multicast Virtual Private Network (MVPN) Data Leak - 100374 [IOS]

Multiple Crafted IPv6 Packets - 63844

Multiple DNS Cache Poisoning Attacks - 107064 [IOS]

Multiple Features Crafted TCP Sequence Vulnerability - 109337

Multiple Features IP Sockets Vulnerability - 109333 [IOS]

Multiple Multicast Vulnerabilities - 107550

Multiple SIP DoS Vulnerabilities - 107617

Multiple SSH Vulnerabilities - 8118

Multiprotocol Label Switching Packet Vulnerability - 111458

NAM (Network Analysis Module) Vulnerability - 81863

NAT - 13659

NAT Skinny Call Control Protocol Vulnerability - 111268

NAT Skinny Call Control Protocol Vulnerability - 99866

NTP - 23445

NTP Packet Vulnerability - 110447

Network Address Translation Vulnerability - 112028

Next Hop Resolution Protocol Vulnerability - 91766

OSPF Malformed Packet - 61365 [IOS]

OSPF, MPLS VPN Vulnerability - 100526 [IOS]

Object-Group ACL Bypass Vulnerability - 110398 [IOS]

OpenSSL Implementation DoS Vulnerability - 45643 [IOS]

OpenSSL Implementation Vulnerability - 49898 [IOS]

PIX Crafted MGCP Packet - 98711 [PIX, ASA]

PIX Crafted TLS Packet - 98711 [PIX, ASA]

PIX Erroneous SIP Processing Vulnerabilities - 107475 [PIX, ASA]

PIX Buffer overflow - 28947 [PIX, ASA]

PIX CBAC - 23885 [PIX, ASA]

PIX Control Plane Access Control List Vulnerability - 105444 [PIX, ASA]

PIX Crafted TCP ACK Packet Vulnerability - 105444 [PIX, ASA]

PIX Crafted TLS Packet Vulnerability - 105444 [PIX, ASA]

PIX Crypto - 23886 [PIX, ASA]

PIX Crypto - 91890 [PIX, ASA]

PIX DoS - 13635 [PIX, ASA]

PIX Device Reload with SIP Inspection Vulnerability - 107475 [PIX, ASA]

PIX Enhanced inspection of Malformed HTTP traffic - 77853 [PIX, ASA]

PIX FTP - 13638 [PIX, ASA]

PIX Firewall Unintentional Password Modification - 70811 [PIX, ASA]

PIX IPSec Client Authentication Processing Vulnerability - 107475 [PIX, ASA]

PIX ISAKMP - 28947 [PIX, ASA]

PIX Inspection of a stream of malformed TCP packets - 77853 [PIX, ASA]

PIX Inspection of malformed SIP packets - 77853 [PIX, ASA]

PIX Instant Message Inspection Vulnerability - 105444 [PIX, ASA]

PIX LDAP Authentication Bypass - 82451 [PIX, ASA]

PIX Mailguard - 13636 [PIX, ASA]

PIX Multiple SSH Vulnerabilities - 8118 [PIX, ASA]

PIX OpenSSL Implementation DoS Vulnerability - 45643 [PIX, ASA]

PIX OpenSSL Implementation Vulnerability - 49898 [PIX, ASA]

PIX Potential Information Disclosure in Clientless VPNs - 107475 [PIX, ASA]

PIX Privilege escalation - 77853 [PIX, ASA]

PIX SMTP - 15235 [PIX, ASA]

PIX SNMP - 19296 [PIX, ASA]

PIX SNMPv3 - 47284 [PIX, ASA]

PIX SSH - 24862 [PIX, ASA]

PIX SSL VPN DOS - 82451 [PIX, ASA]

PIX SSL VPN Memory Leak Vulnerability - 107475 [PIX, ASA]

PIX Scan Denial of Service Vulnerability - 105444 [PIX, ASA]

PIX TCP Conn Reset - 50961 [PIX, ASA]

PIX TCP Prevention - 68268 [PIX, ASA]

PIX TCP Reset - 13639 [PIX, ASA]

PIX Time-to-Live Vulnerability - 100314 [PIX, ASA]

PIX Traceback When Processing Malformed SIP Requests - 107475 [PIX, ASA]

PIX URI Processing Error Vulnerability in SSL VPNs - 107475 [PIX, ASA]

PIX VPN Password Expiry - 82451 [PIX, ASA]

PIX VPNC - 47284 [PIX, ASA]

PIX/ASA ACL Bypass Vulnerability - 109974 [PIX, ASA]

PIX/ASA Crafted H.323 Packet DoS Vulnerability - 109974 [PIX, ASA]

PIX/ASA Crafted HTTP Packet DoS Vulnerability - 109974 [PIX, ASA]

PIX/ASA Crafted TCP Packet DoS Vulnerability - 109974 [PIX, ASA]

PIX/ASA IPv6 Denial of Service Vulnerability - 108009 [PIX, ASA]

PIX/ASA SQL *Net Packet DoS Vulnerability - 109974 [PIX, ASA]

PIX/ASA TCP State Manipulation DoS Vulnerability - 109444 [PIX, ASA]

PIX/ASA VPN Authentication Bypass Vulnerability - 109974 [PIX, ASA]

PIX/ASA Windows NT Domain Authentication Bypass Vulnerability - 108009

PPTP - 13640 [IOS]

Radius - 65328 [IOS]

Reload After Scanning - 13632 [IOS]

SAA Packets - 42744 [IOS]

SGBP Packet - 68793 [IOS]

SIP - 81825 [IOS]

SIP DoS Vulnerabilities - 109322 [IOS]

SIP DoS Vulnerability - 110395 [IOS]

SIP DoS Vulnerability - 112022 [IOS]

SNMP Malformed Message Handling - 19294 [IOS]

SNMP Message Processing - 50980 [IOS]

SNMP Multiple Community String Vulnerabilities - 13629 [IOS]

SNMP Read-Write ILMI Community String - 13630 [IOS]

SNMP Trap Reveals WEP Key - 46468 [IOS]

SNMP Version 3 Authentication Vulnerability - 107408 [IOS]

SSH Can Cause a Crash - 24862 [IOS]

SSH Malformed Packet - 29581 [IOS]

SSH TACACS+ Authentication - 64439 [IOS]

SSL - 91888 [IOS]

SSL Packet Processing Vulnerability - 107631 [IOS]

SSL VPN Vulnerability - 112029 [IOS]

Secure Copy Authorization Bypass Vulnerability - 97261 [IOS]

Secure Copy Privilege Escalation Vulnerability - 109323 [IOS]

Secure Shell Denial of Service Vulnerabilities - 99725 [IOS]

Session Initiation Protocol Denial of Service Vulnerability - 111448 [IOS]

Syslog Crash - 13660 [IOS]

TCP - 72318 [IOS]

TCP Conn Reset - 50960 [IOS]

TCP Denial of Service Vulnerability - 112099 [IOS]

TCP ISN - 13631 [IOS]

TCP State Manipulation DoS Vulnerability - 109444 [IOS]

Telnet DoS - 61671 [IOS]

Telnet Option - 10939 [IOS]

Timers Heap Overflow - 68064 [IOS]

Tunnels DoS Vulnerability - 109482 [IOS]

Unified Communications Manager Express Vulnerability - 110451

User Datagram Protocol Delivery Issue - 100638 [IOS]

Virtual Private Dial-up Network DoS Vulnerability - 97278 [IOS]

Vulnerabilities Found by PROTOS IPSec Test Suite - 68158 [IOS]

Vulnerability in IOS Firewall Feature Set - 9360 [IOS]

WebVPN and SSLVPN Vulnerabilities - 107397 [IOS]

Zone-Based Policy Firewall Vulnerability - 110410 [IOS]

cTCP Denial of Service Vulnerability - 109314 [IOS]

uBR10012 Series Devices SNMP Vulnerability - 107696 [IOS]


Note The policies listed in PSIRT Policy Group may vary.


SysAdmin, Audit, Network, Security (SANS)

SANS Policy Group supports the following policies:

Banners

Terminal Access

User Passwords

SMURF Attack

AAA

HTTP Server

Miscellaneous Services

SNMP


Note The policies listed in SANS Policy Group may vary.


Sarbanes Oxley Act (SOX)

SOX Policy Group supports the following policies:

Console Access

Logging and Syslog

Terminal Access

User Passwords

AAA

AAA Accounting - Commands

AAA Authentication - Login


Note The policies listed in SOX Policy Group may vary.


Compliance and Audit Manager Policies

Policies are defined by a set of rules. This section explains the various policies that are supported in LMS.

Banners

Description

General banner and Message Of The Day (MOTD) related vulnerability checks.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

References

BS 7799, ISO/IEC 17799, ISO/IEC 27001 (Section 11.5.1 of Second Edition, 2005-06-15)

Information Technology - Code of practice for information security management.

National Security Agency (NSA) Cisco Router Configuration Guide (Section 4.1.5, Page 58 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

SANS Router Security Policy (Sections 3.0(6), 3.0(7))

The SANS (SysAdmin, Audit, Network, Security) Institute publishes security policy to help system administrators with rapid development and implementation of information security policies.

National Security Agency (NSA) Cisco Switch Configuration Guide (Section 5.2, Page 15 of Version 1.0)

The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.

Cisco SAFE Compliance (1.1b)

SAFE: A Security Blueprint for Enterprise Networks

Department of Homeland Security (DHS) Compliance (Section 2.1, Page 12 of Version 2.0)

This document is being distributed to provide Department of Homeland Security (DHS) Cisco Router systems administrators with a clear, concise set of procedures that will ensure a minimum baseline of security when an existing Cisco Router is being installed or configured. All settings and parameters presented in this document are the baseline security which all Cisco Router systems must meet.

Center for Internet Security, Benchmark for Cisco IOS (Section 1.1.3, Page 12 of Version 2.2, Nov 2007)

The CIS Benchmark for Cisco IOS recommends a prudent level of minimum due care for operating system security. It contains some security configuration recommendations that affect functionality and are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All IOS devices should implement these settings.

Center for Internet Security, Benchmark for Cisco PIX/ASA (Section 1.1.3, Page 11 of Version 2.0, Nov 2007)

The CIS Benchmark for Cisco PIX/ASA recommends a prudent level of minimum due care for operating system security. It contains some security configuration recommendations that affect functionality and are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All PIX devices should implement these settings.

Rule 1

Rule

Message Of The Day (MOTD) should be configured [IOS, PIX, ASA]

Description

A Message of the day banner, which includes a legal notice, should be set up on each operational router. A legal notice usually includes a 'no trespassing' warning, a statement that all use of the router must be authorized by the owning organization, and perhaps a statement about the router being subject to monitoring.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

A proper legal notice protects the ability of the owning organization to pursue legal remedies against an attacker. Consult your organization's legal staff or general counsel for suitable language to use in your legal notice.

Suggested Fix

Configure a Message of the Day banner, and make sure its display is not disabled on the terminal lines, using the commands:

[no] banner motd

line vty <beginning number> <end number>
[no] motd-banner
[no] exec-banner

The no form of exec-banner on a line suppresses both the EXEC banner and the MOTD banner on that line, which is why both line commands are listed for this rule.

Rule 2

Rule

Message Of The Day should contain given pattern [IOS, PIX, ASA]

Description

A Message of the day banner, which includes a legal notice, should be set up on each operational router. A legal notice usually includes a 'no trespassing' warning, a statement that all use of the router must be authorized by the owning organization, and perhaps a statement about the router being subject to monitoring.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

A proper legal notice protects the ability of the owning organization to pursue legal remedies against an attacker. Consult your organization's legal staff or general counsel for suitable language to use in your legal notice.

Suggested Fix

Modify a Message of the day banner to contain required information using the command:

banner motd

Rule
Description
Constraints

Match Type

Select if the given input is to be matched as a plain string or a regular expression.

Required: true

Default: false

String or Regular Expression

A String(Regular Expression) that should be present in Message Of The Day

Required: true


Rule 3

Rule

Message of The Day should NOT contain given pattern [IOS, PIX, ASA]

Description

A Message of the day banner should not contain network architecture information and router configuration details. Router model and location information should be included only if necessary. Be especially careful not to provide information in the banner message that should not be shared with the general public, or information that is not visible from unprivileged EXEC mode.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

Banner text is shown to anyone who connects to the device, before authentication. Network architecture or configuration details in the banner give an attacker reconnaissance information that would otherwise not be visible from unprivileged EXEC mode.

Suggested Fix

Modify the Message of the day banner not to contain prohibited information using the command:

banner motd

Rule
Description
Constraints

Match Type

Select if the given input is to be matched as a plain string or a regular expression.

Required: true

Default: false

String or Regular Expression

A String(Regular Expression) that should be NOT present in Message Of The Day

Required: true


Rule 4

Rule

Login message should be configured [IOS, PIX, ASA]

Description

A login banner, which includes a legal notice, should be set up on each operational router. A legal notice usually includes a 'no trespassing' warning, a statement that all use of the router must be authorized by the owning organization, and perhaps a statement about the router being subject to monitoring.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

A proper legal notice protects the ability of the owning organization to pursue legal remedies against an attacker. Consult your organization's legal staff or general counsel for suitable language to use in your legal notice.

Suggested Fix

Configure a login banner using the command:

[no] banner login

Rule 5

Rule

Login message should contain given pattern [IOS, PIX, ASA]

Description

A login banner, which includes a legal notice, should be set up on each operational router. A legal notice usually includes a 'no trespassing' warning, a statement that all use of the router must be authorized by the owning organization, and perhaps a statement about the router being subject to monitoring.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

A proper legal notice protects the ability of the owning organization to pursue legal remedies against an attacker. Consult your organization's legal staff or general counsel for suitable language to use in your legal notice

Suggested Fix

Modify a login banner to contain required information using the command:

banner login

Rule
Description
Constraints

Match Type

Select if the given input is to be matched as a plain string or a regular expression.

Required: true

Default: false

String or Regular Expression

A String(Regular Expression) that should be present in the Login Message

Required: true


Rule 6

Rule

Login message should NOT contain given pattern [IOS, PIX, ASA]

Description

A login banner should not contain network architecture information and router configuration details. Router model and location information should be included only if necessary. Be especially careful not to provide information in the banner message that should not be shared with the general public, or information that is not visible from unprivileged EXEC mode.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

A proper legal notice protects the ability of the owning organization to pursue legal remedies against an attacker. Consult your organization's legal staff or general counsel for suitable language to use in your legal notice.

Suggested Fix

Modify the login banner so that it does not contain prohibited information using the command:

banner login

Rule
Description
Constraints

Match Type

Select if the given input is to be matched as a plain string or a regular expression.

Required: true

Default: false

String or Regular Expression

A String(Regular Expression) that should NOT be present in the Login Message

Required: true


Rule 7

Rule

Exec banner should be configured [IOS, PIX, ASA]

Description

An exec banner, which includes a legal notice, should be set up on each operational router. A legal notice usually includes a 'no trespassing' warning, a statement that all use of the router must be authorized by the owning organization, and perhaps a statement about the router being subject to monitoring.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

A proper legal notice protects the ability of the owning organization to pursue legal remedies against an attacker. Consult your organization's legal staff or general counsel for suitable language to use in your legal notice.

Suggested Fix

Configure an exec banner, and enable it on the terminal lines, using the commands:

[no] banner exec
line vty <beginning number> <end number>
[no] exec-banner

Rule 8

Rule

Exec banner should contain given pattern [IOS, PIX, ASA]

Description

An exec banner, which includes a legal notice, should be set up on each operational router. A legal notice usually includes a 'no trespassing' warning, a statement that all use of the router must be authorized by the owning organization, and perhaps a statement about the router being subject to monitoring.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

A proper legal notice protects the ability of the owning organization to pursue legal remedies against an attacker. Consult your organization's legal staff or general counsel for suitable language to use in your legal notice.

Suggested Fix

Modify an exec banner to contain the required information using the command:

banner exec

Rule
Description
Constraints

Match Type

Select if the given input is to be matched as a plain string or a regular expression.

Required: true

Default: false

String or Regular Expression

A String(Regular Expression) that should be present in Exec Banner

Required: true


Rule 9

Rule

Exec banner should NOT contain given pattern [IOS, PIX, ASA]

Description

An exec banner should not contain network architecture information and router configuration details. Router model and location information should be included only if necessary. Be especially careful not to provide information in the banner message that should not be shared with the general public, or information that is not visible from unprivileged EXEC mode.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

A proper legal notice protects the ability of the owning organization to pursue legal remedies against an attacker. Consult your organization's legal staff or general counsel for suitable language to use in your legal notice.

Suggested Fix

Modify the exec banner not to contain prohibited information using the command:

banner exec

Rule
Description
Constraints

Match Type

Select if the given input is to be matched as a plain string or a regular expression.

Required: true

Default: false

String or Regular Expression

A String(Regular Expression) that should NOT be present in the Exec Banner

Required: true
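The banner rules above (Rules 4 through 9: a banner is configured, contains a given pattern, or does NOT contain a given pattern, with the Match Type constraint selecting plain-string or regular-expression matching) can be evaluated offline against a saved running configuration. The following Python script is an added example written for this page, not Cisco Prime LMS code. The running-config text and the policy patterns (legal-notice wording required, hardware and rack details prohibited) are constructed for the example, and the banner extraction assumes the delimiter rendering that show running-config produces (a literal ^C, or whatever single character the banner was entered with).

```python
"""Added example (not Cisco Prime LMS code): evaluate the Banners policy
rules against an IOS running config. The config text is constructed."""
import re

# Constructed sample 'show running-config' output. IOS stores a banner
# between a delimiter chosen when it was entered; 'show run' prints the
# Ctrl-C delimiter as the two characters '^' and 'C'.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
banner login ^C
UNAUTHORIZED ACCESS PROHIBITED.
All use must be authorized by Example Corp. Activity is monitored.
^C
banner exec ^C
Welcome to edge-rtr-1 (Cisco 2901, rack B4, Dallas DC)
^C
!
line vty 0 4
 transport input ssh
"""

# The delimiter is either the literal ^C or any single non-space character.
BANNER_RE = re.compile(
    r"^banner (?P<kind>motd|login|exec|incoming) (?P<delim>\^C|\S)"
    r"(?P<text>.*?)(?P=delim)",
    re.MULTILINE | re.DOTALL,
)


def extract_banners(config):
    """Return {kind: text} for every banner found in the config."""
    return {m.group("kind"): m.group("text").strip()
            for m in BANNER_RE.finditer(config)}


def banner_matches(text, pattern, regex=False):
    """Match Type constraint: plain substring (case-sensitive) or regex."""
    if regex:
        return re.search(pattern, text) is not None
    return pattern in text


def check_banner_rules(config, kind, required=(), prohibited=(), regex=False):
    """Evaluate 'configured', 'should contain' and 'should NOT contain'
    for one banner kind. Returns [(rule name, passed), ...]. A missing
    banner fails 'configured' and every 'should contain' rule, and
    passes every 'should NOT contain' rule."""
    text = extract_banners(config).get(kind)
    results = [(f"{kind} banner configured", text is not None)]
    for pat in required:
        results.append((f"{kind} banner contains {pat!r}",
                        text is not None and banner_matches(text, pat, regex)))
    for pat in prohibited:
        results.append((f"{kind} banner does NOT contain {pat!r}",
                        text is None or not banner_matches(text, pat, regex)))
    return results


# Hypothetical policy: hardware model and rack location are prohibited
# (regular-expression match type).
PROHIBITED = [r"Cisco \d+", r"rack [A-Z]\d+"]


def audit(config):
    """Return the names of all failed banner rules for the config."""
    checks = (
        check_banner_rules(config, "login", required=["authorized", "monitor"],
                           prohibited=PROHIBITED, regex=True)
        + check_banner_rules(config, "exec", required=["authorized"],
                             prohibited=PROHIBITED, regex=True)
        + check_banner_rules(config, "motd")
    )
    return [name for name, ok in checks if not ok]


if __name__ == "__main__":
    for name in audit(SAMPLE_CONFIG):
        print("VIOLATION:", name)
```

On the constructed config the login banner passes every rule, the exec banner fails the legal-notice requirement and both prohibited-detail rules (it names the model and rack), and the missing MOTD banner fails only its "configured" rule. Treating an absent banner as passing the does-NOT-contain rules keeps the three rule types from reporting the same omission twice.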


Console Access

Description

Policies related to console and auxiliary terminal access.

Applicable Platforms

Cisco IOS Devices

References

Control Objectives for Information and Related Technology(AI2.4 of 4.0)

COBIT (Control Objectives for Information and Related Technology) is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT is a de-facto standard used by most of the auditors when auditing for IT section of Sarbanes-Oxley (SOX) Compliance.

National Security Agency (NSA) Cisco Router Configuration Guide(Section 8.1(3) Page 275, Section 3.4.4 Page 49, Section 4.1.6 Page 66 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

Cisco SAFE Compliance(1.1b)

SAFE: A Security Blueprint for Enterprise Networks

Payment Card Industry Data Security Standard(PCI).(2.3 of Version 1.1, September, 2006)

The Payment Card Industry (PCI) Data Security Standard resulted from a collaboration between Visa and MasterCard to create common industry security requirements. Other card companies operating in the U.S. have also endorsed the Standard within their respective programs. PCI Data Security requirements apply to all members, merchants and service providers that store, process or transmit cardholder data.

Health Insurance Portability and Accountability Act.(164.312(a)(1), 164.312(e)(1))

HIPAA (Health Insurance Portability and Accountability Act.) is designed to protect confidential healthcare information through improved security standards and federal privacy legislation. It defines requirements for storing patient information before, during and after electronic transmission. Centers for Medicare & Medicaid Services (CMS) has provided a Security Rule (45 CFR Part 160 and 164) which is adopted to implement provisions of the HIPAA.

Defence Information System Agency(Section NET0655 of Dec 2, 2005)

DISA Checklist, sometimes referred to as a lockdown guide, hardening guide, or benchmark configuration is essentially a document that contains instructions or procedures to verify compliance to a baseline level of security.

Department of Homeland Security (DHS) Compliance(Section 2.2, Page 21 of Version 2.0)

This document is being distributed to provide Department of Homeland Security (DHS) Cisco Router systems administrators with a clear, concise set of procedures that will ensure a minimum baseline of security when an existing Cisco Router is being installed or configured. All settings and parameters presented in this document are the baseline security which all Cisco Router systems must meet.

Rule 1

Rule

Check console connection [IOS]

Description

Permit or block access to the router through the console port, as desired.

Applicable Platforms

Cisco IOS Devices

Impact

None

Suggested Fix

Enable or disable the console ports using the command:

line con 0

[no] exec

Rule
Description
Constraints

Access

Whether to allow connections using console terminal.

Required: true Default: true


Rule 2

Rule

Check auxiliary connection [IOS]

Description

Permit or block access to the router through the auxiliary port, as desired.

Applicable Platforms

Cisco IOS Devices

Impact

None.

Suggested Fix

Enable or disable the auxiliary ports using the command:

line aux 0

[no] exec

Rule
Description
Constraints

Auxiliary

Whether to allow connections using auxiliary terminal.

Required: true Default: true


Domain Name

Description

Using the Domain Name Lookup Service, you can use device names in commands instead of IP addresses. By default, DNS lookups are broadcast to 255.255.255.255. If there are trusted domain name servers that can translate host names into IP addresses, you may configure the devices to send DNS queries to those servers.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

References

National Security Agency (NSA) Cisco Router Configuration Guide(Section 4.2.2 Page 79 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

National Security Agency (NSA) Cisco Switch Configuration Guide(Section 6.2.2, Page 18 of Version 1.0)

The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.

Cisco SAFE Compliance(Appendix A, Page 39 of A Security Blueprint for Enterprise Networks)

SAFE: A Security Blueprint for Enterprise Networks

Department of Homeland Security (DHS) Compliance(Section 4.3, Page 29 of Version 2.0)

This document is being distributed to provide Department of Homeland Security (DHS) Cisco Router systems administrators with a clear, concise set of procedures that will ensure a minimum baseline of security when an existing Cisco Router is being installed or configured. All settings and parameters presented in this document are the baseline security which all Cisco Router systems must meet.

Rule 1

Rule

Check state of domain name configuration [IOS, PIX, ASA]

Description

Each device within a given domain should be configured with the domain name required by the local or global policy for that domain. The domain name is used as part of the fully qualified host name of the router and in any unqualified name lookups. Setting a domain name is also necessary for using SSH.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

SSH cannot be enabled while this violation exists. Also, all host names would have to be fully qualified.

Suggested Fix

Configure domain name using the command:

[no] ip domain-name (for IOS)

[no] domain-name (for PIX)

Rule
Description
Constraints

State

Select whether the device should be configured with a domain name or not.

Required: true Default: true


Rule 2

Rule

Check value of domain name [IOS, PIX, ASA]

Description

Each device within a given domain should be configured with the domain name required by the local or global policy for that domain. The domain name is used as part of the fully qualified host name of the router and in any unqualified name lookups. Setting a domain name is also necessary for using SSH.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

SSH cannot be enabled while this violation exists. Also, all host names would have to be fully qualified.

Suggested Fix

Configure domain name using the command:

ip domain-name <domain name>(for IOS)

domain-name <domain name>(for PIX)

Rule
Description
Constraints

Domain Name

Enter the name of the network domain to which this device belongs.

Required: true


Rule 3

Rule

Check state of domain lookup configuration [IOS, PIX, ASA]

Description

By default, IOS sends DNS name queries to the broadcast address 255.255.255.255. If you do not want your router to send queries, turn off DNS name resolution. In general, DNS name resolution should be enabled on a router only if one or more trustworthy DNS servers are available.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

If DNS lookup is disabled, any host names given in commands will not be resolved to IP addresses, so those hosts will be unreachable and commands that use host names instead of plain IP addresses may not work completely. Also, whenever an IP address is changed, the configuration of every network device that contains the old IP address would have to be updated. If DNS lookup is enabled, it is advisable to have at least one DNS server configured; otherwise, all host name to IP address resolution is done by broadcasting the queries to 255.255.255.255.

Suggested Fix

Configure the DNS name resolution (Domain name lookup) using the command:

[no] ip domain lookup (for IOS)

[no] dns domain-lookup (for PIX)

Rule
Description
Constraints

State

Select whether the device should do lookups to convert host names to IP Addresses.

Required: true Default: true


Rule 4

Rule

Domain name servers should contain given hosts [IOS]

Description

All the devices within a network should be configured with a DNS server to be able to do address resolution.

Applicable Platforms

Cisco IOS Devices

Impact

If domain lookup is enabled but no DNS servers are configured, all lookup packets are broadcast to 255.255.255.255. Also, it is advisable to configure all the devices within a domain with the same DNS server so that the host name database is maintained centrally.

Suggested Fix

Configure one or more DNS servers using the command:

ip name-server

Rule
Description
Constraints

DNS Servers

Enter the IP address(es) of the DNS Servers that should be configured on the device.

Using DNS Server Editor option, you can add, remove or update DNS Server details. You can also change the order of the server details.

Required: true


Host Name

Description

Host name related policies.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

References

National Security Agency (NSA) Cisco Router Configuration Guide(Section 4.2.2 Page 78 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

Rule 1

Rule

Host name must be configured [IOS, PIX, ASA]

Description

It is advisable that all the devices are configured with distinct hostnames to identify them uniquely.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

No unique way of identifying the device.

Suggested Fix

Configure the host name using the command:

hostname
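The Console Access, Domain Name and Host Name rules above all read a handful of global and line-mode settings, and the practical difficulty in auditing them from a saved configuration is that IOS omits default-on settings from show running-config: exec on a line and ip domain lookup appear only as "no exec" and "no ip domain lookup" once they have been turned off. The following Python script is an added example for this page, not Cisco Prime LMS code; the configuration text, the expected domain, and the DNS server list are constructed values, and the section parser relies on IOS indenting line-mode commands by one space.

```python
"""Added example (not Cisco Prime LMS code): evaluate the Console Access,
Host Name and Domain Name rules against an IOS running config. The config
is constructed. IOS prints default-on settings only in negated form, so
exec on a line and domain lookup are inferred from the absence of
'no exec' and 'no ip domain lookup'."""
import re

SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
no ip domain lookup
ip domain-name corp.example
ip name-server 192.0.2.53 192.0.2.54
!
line con 0
 exec-timeout 5 0
 logging synchronous
line aux 0
 no exec
 transport input none
line vty 0 4
 transport input ssh
"""


def section(config, header):
    """Return the stripped, indented body lines of the section whose
    header line equals `header` (for example 'line aux 0')."""
    body, inside = [], False
    for line in config.splitlines():
        if line.strip() == header:
            inside = True
        elif inside and line.startswith(" "):
            body.append(line.strip())
        elif inside:
            break
    return body


def line_exec_allowed(config, header):
    """Rules 'Check console/auxiliary connection': exec is allowed on the
    line unless the line carries 'no exec'."""
    return "no exec" not in section(config, header)


def hostname(config):
    m = re.search(r"^hostname (\S+)", config, re.MULTILINE)
    return m.group(1) if m else None


def domain_name(config):
    # 'ip domain-name' and 'ip domain name' both occur, depending on release.
    m = re.search(r"^ip domain[- ]name (\S+)", config, re.MULTILINE)
    return m.group(1) if m else None


def domain_lookup_enabled(config):
    return re.search(r"^no ip domain[- ]lookup\b", config, re.MULTILINE) is None


def name_servers(config):
    servers = []
    for m in re.finditer(r"^ip name-server (.+)$", config, re.MULTILINE):
        servers.extend(m.group(1).split())
    return servers


def audit(config, console_access=True, aux_access=False,
          expected_domain="corp.example", lookup_enabled=True,
          dns_servers=("192.0.2.53", "192.0.2.54")):
    """Compare the config with a hypothetical policy and return the
    names of the violated rules."""
    v = []
    if line_exec_allowed(config, "line con 0") != console_access:
        v.append("console access")
    if line_exec_allowed(config, "line aux 0") != aux_access:
        v.append("auxiliary access")
    if hostname(config) is None:
        v.append("host name")
    if domain_name(config) != expected_domain:
        v.append("domain name")
    if domain_lookup_enabled(config) != lookup_enabled:
        v.append("domain lookup state")
    if domain_lookup_enabled(config) and not name_servers(config):
        # Lookups would be broadcast to 255.255.255.255.
        v.append("lookup enabled without name servers")
    missing = [s for s in dns_servers if s not in name_servers(config)]
    if missing:
        v.append("dns servers missing " + ",".join(missing))
    return v


if __name__ == "__main__":
    for name in audit(SAMPLE_CONFIG):
        print("VIOLATION:", name)
```

On the constructed config the only violation is the domain lookup state: the policy expects lookups enabled but the device has "no ip domain lookup". The extra check for lookups enabled without any name server flags the broadcast-to-255.255.255.255 condition that the Domain Name description warns about, which none of the four rules reports on its own.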

Logging and Syslog

Description

Logging a router's activities and status offers several benefits. Using the information in a log, the administrator can tell whether the router is working properly or whether it has been compromised. Configuring logging on the router should be done carefully. Send the router logs to a designated log host, which is a separate computer whose only job is to accept and store logs. Set the level of logging on the router to meet the needs of your security policy, and expect to modify the log settings as the network evolves. The logging level may need to be modified based on how much of the log information is useful.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

References

Payment Card Industry Data Security Standard(PCI).(10 of Version 1.1, September, 2006)

The Payment Card Industry (PCI) Data Security Standard resulted from a collaboration between Visa and MasterCard to create common industry security requirements. Other card companies operating in the U.S. have also endorsed the Standard within their respective programs. PCI Data Security requirements apply to all members, merchants and service providers that store, process or transmit cardholder data.

Control Objectives for Information and Related Technology(DS5.5 of 4.0)

COBIT (Control Objectives for Information and Related Technology) is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT is a de-facto standard used by most of the auditors when auditing for IT section of Sarbanes-Oxley (SOX) Compliance.

National Security Agency (NSA) Cisco Router Configuration Guide(Section 8.1(11) Page 277, Section 8.1(17) Page 278, Section 4.5.2 Page 139,142-145 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

National Security Agency (NSA) Cisco Switch Configuration Guide(Section 12.2.1, Page 44 of Version 1.0)

The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.

BS 7799, ISO/IEC 17799, ISO/IEC 27001(Section 10.10.1 of Second Edition, 2005-06-15)

Information Technology - Code of practice for information security management.

Cisco SAFE Compliance(1.1b)

SAFE: A Security Blueprint for Enterprise Networks

Defence Information System Agency(Section NET1021 of Dec 2, 2005)

DISA Checklist, sometimes referred to as a lockdown guide, hardening guide, or benchmark configuration is essentially a document that contains instructions or procedures to verify compliance to a baseline level of security.

Department of Homeland Security (DHS) Compliance(Section 3.1, Page 14 of Version 2.0)

This document is being distributed to provide Department of Homeland Security (DHS) Cisco Router systems administrators with a clear, concise set of procedures that will ensure a minimum baseline of security when an existing Cisco Router is being installed or configured. All settings and parameters presented in this document are the baseline security which all Cisco Router systems must meet.

Center for Internet Security, Benchmark for Cisco PIX/ASA.(Section 1.2.3, Page: 20 of Version 2.0, Nov 2007)

CIS PIX/ASA benchmark recommends the prudent level of minimum due care for operating system security. CIS PIX/ASA benchmark contains some security configuration recommendations that affect functionality, and are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All PIX devices should implement these settings.

Center for Internet Security, Benchmark for Cisco IOS.(Section 1.2.3, Page: 28 of Version 2.2, Nov. 2007)

CIS benchmark Cisco IOS, recommends the prudent level of minimum due care for operating system security. CIS benchmark IOS, contains some security configuration recommendations that affect functionality, and are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All IOS devices should implement these settings.

Rule 1

Rule

Check if logging is enabled to all supported destinations [IOS, PIX, ASA]

Description

Check whether the state of event logging on the router differs from the desired state. Logging a router's activities and status offers several benefits. Using the information in a log, the administrator can tell whether the router is working properly or whether it has been compromised. In some cases, it can show what types of probes or attacks are being attempted against the router or the protected network.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

If logging is disabled, the events that happen on the router are not logged anywhere. This makes it harder to troubleshoot network issues, and it may allow problems, including attempted attacks, to go unnoticed and leave no evidence of unauthorized activity. If logging is enabled, make sure the log messages are sent only to a trusted host on a protected network so that the logs cannot be compromised or viewed by anyone not authorized to view them.

Suggested Fix

Configure logging service using the command:

[no] logging on (for IOS)

[no] logging enable (for PIX)

Rule
Description
Constraints

Global Logging State

Whether the global logging should be enabled or disabled.

Required: true Default: true


Rule 2

Rule

Check syslog logging related parameters [IOS, PIX, ASA]

Description

Logging level and state should be carefully chosen so that important information is logged but at the same time, the logging server is not flooded with too many log messages from the devices. Also, the device should be configured to send log messages to a designated host on the protected network.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

If the logging level and host(s) are not configured according to the policy, it may make it harder to troubleshoot problems.

Suggested Fix

Configure the logging host(s), level(s) using the command:

[no] logging <desired logging level>

Rule
Description
Constraints

Syslog Logging State

Whether the syslog logging should be enabled or disabled.

Required: true Default: true

Syslog Logging Level

Syslog Logging level

Required: false Default: informational


Rule 3

Rule

Check syslog host related parameters [IOS]

Description

The device should be configured to send log messages to a designated host on the protected network.

Applicable Platforms

Cisco IOS Devices

Impact

If the logging level and host(s) are not configured according to the policy, it may make it harder to troubleshoot problems.

Suggested Fix

Configure the logging hosts using the command:

logging <hostname or ip address>(for IOS)

logging host <hostname or ip address>(for PIX)

Rule
Description
Constraints

Minimum number of syslog servers

Minimum number of syslog servers

Required: false Default: 2
Min Value: 1
Max Value: 2147483647

Syslog Servers

List of syslog servers that a device should be configured with

Using the Syslog Server Editor option, you can add, remove or update syslog server details. You can also change the order of the server details.

Required: false


Rule 4

Rule

Check logging facility [IOS, PIX, ASA]

Description

Check that the specified syslog facility is used when sending logging messages to the remote syslog server. You can direct log messages to the specified logging facility on your remote syslog server using the logging facility command. To do this, enable logging and define the UNIX system facility to which you want to send the log messages.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

None

Suggested Fix

Configure the required logging facility parameters using the command:

logging facility

Rule
Description
Constraints

Logging Facility [IOS]

Logging facility to use with syslog logging on devices running IOS.

Required: false Default: local7

Logging Facility [PIX]

Logging facility to use with syslog logging on devices running PIX.

Required: false Default: 20
Min Value: 16
Max Value: 23


Rule 5

Rule

Check buffered logging state, level and logging buffer size [IOS, PIX, ASA]

Description

Set up the buffered logging state, level and size according to your security policy. This lets the device log messages to its internal buffers in memory.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

If the buffer logging level and size are set to buffer too many messages, it may cause the device to run out of memory for other tasks. If it is configured too low, it may cause the messages to be lost in the buffer too quickly.

Suggested Fix

Configure the required buffered logging parameters using the command logging buffered

Rule
Description
Constraints

Buffer Logging State

Whether the buffer logging should be enabled or disabled

Required: true Default: true

Buffer Logging Level

Buffer Logging level

Required: false Default: informational

Minimum Buffer Size

Minimum logging buffer size. It would be a violation if the device is configured to have any buffer size that is less than the value given.

Required: false Default: 32768
Min Value: 4096
Max Value: 2147483647


Rule 6

Rule

Check console logging state and level [IOS, PIX, ASA]

Description

Set up the console logging state, level and size according to your security policy. This lets the device log messages to the console terminal. In general, the logging level at the console should be set to display many messages only when the console is in use or its output is being displayed or captured.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

No known impact.

Suggested Fix

Configure the console logging parameters using the command:

[no] logging console

Rule
Description
Constraints

Console Logging State

Whether the console logging should be enabled or disabled

Required: true Default: true

Console Logging Level

Console Logging level

Required: false Default: critical


Rule 7

Rule

Check monitor logging state and level [IOS, PIX, ASA]

Description

Set up the monitor logging state, level and size according to your security policy. This controls the messages that are displayed on any terminal that is connected to the router.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

No known impact

Suggested Fix

Configure the monitor logging parameters using the command:

logging monitor

Rule
Description
Constraints

Monitor Logging State

Whether monitor logging should be enabled or disabled

Required: true Default: false

Monitor Logging Level

Monitor Logging level

Required: false Default: informational


Rule 8

Rule

Check history logging level [IOS, PIX, ASA]

Description

Setup the history logging level according to your security policy. The level is used for limiting log messages stored in the history table and sent to the SNMP network management station. The default for IOS devices is warning. There is no default for PIX, FWSM, or ASA devices.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

Because SNMP traps are potentially unreliable, at least one syslog message, the most recent message, is stored in a history table on the device. You can view the history table using the show logging history command. Limit the types of messages stored in the history table based on the severity level your organization requires.

Suggested Fix

Configure the history logging level using the command:

logging history

Rule
Description
Constraints

History Logging Level

History Logging level

Required: false Default: warnings


Rule 9

Rule

Check Timestamps in Log Messages [IOS, PIX, ASA]

Description

Check to see if timestamps are displayed in log messages

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

If the timestamps are not shown in the log messages, it may not be possible to sense the order of events occurring in the network.

Suggested Fix

Configure the device to show timestamps for log messages using the command:

[no] service timestamps log

Rule
Description
Constraints

Show Timestamps in Log Messages

Whether to show timestamps in each logging messages

Required: true Default: true


Rule 10

Rule

Check Timestamps in Debug Messages

Description

Check to see if timestamps are displayed in debug messages

Applicable Platforms

Cisco IOS Devices

Impact

If the timestamps are not shown in the debug messages, it may not be possible to sense the order of events occurring in the network.

Suggested Fix

Configure the device to show timestamps for debug messages using the command:

[no] service timestamps debug

Rule
Description
Constraints

Show Timestamps in Debug Messages

Whether to show timestamps in debugging messages

Required: true Default: true


Rule 11

Rule

Check sequence numbers in log messages [IOS]

Description

Check to see if visible sequence numbering of system logging messages is enabled or not.

Applicable Platforms

Cisco IOS Devices

Impact

If the sequence numbers are not shown in the log messages, it may not be possible to sense the order of events occurring in the network.

Suggested Fix

Configure the device to show sequence numbers in log messages using the command:

[no] service sequence-numbers

Rule
Description
Constraints

Show Sequence Numbers in Log Messages

Whether to show sequence numbers in each logging message

Required: true Default: true
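Rules 1 through 11 of this policy each examine one logging setting. The following Python script is an added example for this page, not Cisco Prime LMS code, that evaluates the IOS variants of those rules together against a saved running configuration. The configuration and the policy values are constructed; where the rules above state a default (local7 for the facility, 32768 for the minimum buffer size, informational and critical for the levels) those values are reused. Two assumptions go beyond the page: an absent logging trap, logging console or logging buffered level is taken to mean the IOS default (informational, debugging and debugging respectively), and a level check passes when the configured level captures at least as much as the policy level rather than only when the two are equal.

```python
"""Added example (not Cisco Prime LMS code): evaluate the Logging and Syslog
rules against an IOS running config. Config and policy are constructed."""
import re

# IOS syslog severities; a higher number logs more.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6,
            "debugging": 7}

SAMPLE_CONFIG = """\
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
!
hostname edge-rtr-1
!
logging buffered 16384 informational
logging console critical
logging trap informational
logging facility local6
logging host 192.0.2.10
!
"""

# Hypothetical policy; defaults named in the rules above are reused.
POLICY = {"trap_level": "informational", "facility": "local7",
          "min_syslog_servers": 2, "min_buffer_size": 32768,
          "buffer_level": "informational", "console_level": "critical",
          "timestamps": True, "sequence_numbers": True}


def _line(config, pattern):
    return re.search(pattern, config, re.MULTILINE)


def global_logging_enabled(config):
    # 'logging on' is the default and is shown only when negated.
    return _line(config, r"^no logging on\b") is None


def trap_level(config):
    m = _line(config, r"^logging trap (\S+)")
    return m.group(1) if m else "informational"  # assumed IOS default


def facility(config):
    m = _line(config, r"^logging facility (\S+)")
    return m.group(1) if m else "local7"  # default stated in Rule 4


def syslog_servers(config):
    # 'logging host A.B.C.D' (current IOS) or bare 'logging A.B.C.D' (older).
    return re.findall(r"^logging (?:host )?(\d{1,3}(?:\.\d{1,3}){3})\b",
                      config, re.MULTILINE)


def buffered_logging(config):
    """Return (enabled, size, level); None where not explicitly set."""
    if _line(config, r"^no logging buffered\b"):
        return (False, None, None)
    m = _line(config, r"^logging buffered\b(.*)$")
    size = level = None
    if m:
        for tok in m.group(1).split():
            if tok.isdigit():
                size = int(tok)
            elif tok in SEVERITY:
                level = tok
    return (True, size, level)


def console_level(config):
    """Configured console level, or None when 'no logging console' is set."""
    if _line(config, r"^no logging console\b"):
        return None
    m = _line(config, r"^logging console (\S+)")
    return m.group(1) if m else "debugging"  # assumed IOS default


def verbose_enough(configured, required):
    """True when the configured level captures everything 'required' does."""
    return configured is not None and SEVERITY[configured] >= SEVERITY[required]


def audit(config, policy=POLICY):
    """Return the names of the violated logging rules, in rule order."""
    v = []
    if not global_logging_enabled(config):
        v.append("global logging disabled")
    if not verbose_enough(trap_level(config), policy["trap_level"]):
        v.append("syslog level")
    if facility(config) != policy["facility"]:
        v.append("logging facility")
    if len(syslog_servers(config)) < policy["min_syslog_servers"]:
        v.append("syslog servers")
    enabled, size, level = buffered_logging(config)
    if not enabled:
        v.append("buffered logging disabled")
    else:
        # A size that is not set cannot be shown to meet the minimum.
        if size is None or size < policy["min_buffer_size"]:
            v.append("buffer size")
        if not verbose_enough(level or "debugging", policy["buffer_level"]):
            v.append("buffer level")
    if console_level(config) != policy["console_level"]:
        v.append("console level")
    if policy["timestamps"] and not _line(config, r"^service timestamps log\b"):
        v.append("log timestamps")
    if policy["sequence_numbers"] and not _line(config, r"^service sequence-numbers\b"):
        v.append("sequence numbers")
    return v


if __name__ == "__main__":
    for name in audit(SAMPLE_CONFIG):
        print("VIOLATION:", name)
```

On the constructed config the script reports four violations: the facility is local6 rather than local7, only one syslog server is configured against a minimum of two, the 16384-byte buffer is below the 32768 minimum, and service sequence-numbers is absent. Global logging, the trap level, the console level and log timestamps all pass, the first of these precisely because "no logging on" does not appear.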


Terminal Access

Description

This policy checks for various access controls that need to be put in place to restrict access to the network device's command line. One primary mechanism for remote administration of Cisco routers is logging in via Telnet or SSH. These connections are called virtual terminal lines. Login on the virtual terminal lines should be disabled if remote administration is not absolutely necessary. Remote administration without encryption is inherently dangerous because anyone with a network sniffer on the right LAN segment can acquire router passwords and would then be able to take control of the router.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

References

Control Objectives for Information and Related Technology(AI2.4 of 4.0)

COBIT (Control Objectives for Information and Related Technology) is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT is a de-facto standard used by most of the auditors when auditing for IT section of Sarbanes-Oxley (SOX) Compliance.

National Security Agency (NSA) Cisco Router Configuration Guide(Section 8.1(6) Page 276, Section 4.1.5 Page 58, 59, 60, Section 4.1.6 Page 61 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

Health Insurance Portability and Accountability Act.(164.312(a)(1), 164.312(e)(1))

HIPAA (Health Insurance Portability and Accountability Act.) is designed to protect confidential healthcare information through improved security standards and federal privacy legislation. It defines requirements for storing patient information before, during and after electronic transmission. Centers for Medicare & Medicaid Services (CMS) has provided a Security Rule (45 CFR Part 160 and 164) which is adopted to implement provisions of the HIPAA.

BS 7799, ISO/IEC 17799, ISO/IEC 27001(Section 10.6.1, 11.2, 11.5.1 of Second Edition, 2005-06-15)

Information Technology - Code of practice for information security management.

National Security Agency (NSA) Cisco Switch Configuration Guide(Section 5.2, Page 12 of Version 1.0)

The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.

Payment Card Industry Data Security Standard(PCI).(2.3 of Version 1.1, September, 2006)

The Payment Card Industry (PCI) Data Security Standard resulted from a collaboration between Visa and MasterCard to create common industry security requirements. Other card companies operating in the U.S. have also endorsed the Standard within their respective programs. PCI Data Security requirements apply to all members, merchants and service providers that store, process or transmit cardholder data.

Cisco SAFE Compliance(1.1b)

SAFE: A Security Blueprint for Enterprise Networks

SANS Router Security Policy(3.0(8))

The SANS (SysAdmin, Audit, Network, Security) Institute publishes security policy to help system administrators with rapid development and implementation of information security policies.

Defence Information System Agency(Section NET0645,NET0740 of Dec 2, 2005)

DISA Checklist, sometimes referred to as a lockdown guide, hardening guide, or benchmark configuration is essentially a document that contains instructions or procedures to verify compliance to a baseline level of security.

Department of Homeland Security (DHS) Compliance(Section 1.3,2.3, Page 10 of Version 2.0)

This document is being distributed to provide Department of Homeland Security (DHS) Cisco Router systems administrators with a clear, concise set of procedures that will ensure a minimum baseline of security when an existing Cisco Router is being installed or configured. All settings and parameters presented in this document are the baseline security which all Cisco Router systems must meet.

Center for Internet Security, Benchmark for Cisco PIX/ASA.(Section 1.1.2.4, Page: 9 of Version 2.0, Nov 2007)

CIS PIX/ASA benchmark recommends the prudent level of minimum due care for operating system security. CIS PIX/ASA benchmark contains some security configuration recommendations that affect functionality, and are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All PIX devices should implement these settings.

Center for Internet Security, Benchmark for Cisco IOS.(Section 1.1.1.4, Page: 8; Section 1.1.2.3-1.1.2.6, Page:10-11; of Version 2.2, Nov 2007)

CIS benchmark Cisco IOS, recommends the prudent level of minimum due care for operating system security. CIS benchmark IOS, contains some security configuration recommendations that affect functionality, and are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All IOS devices should implement these settings.

Rule 1

Rule

No more than required VTY lines should be enabled on the device [IOS]

Description

Check that a given device does not have more VTY lines enabled than required.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact

Suggested Fix

If the router has more VTYs than needed, then either disable or delete the extra ones using the command:

line vty <beg line number> <end line number>

no exec

Rule
Description
Constraints

Maximum VTY Lines

Maximum number of VTY lines to be enabled

Required: true     Min Value: 1     Max Value: 2147483647


Rule 2

Rule

Check Authentication parameters on terminal lines [IOS]

Description

Each terminal line should be configured with some type of authentication for logging on to the device; failing to do so can enable an unauthorized user to gain device access. This rule also checks other miscellaneous authentication parameters on the terminal lines, including the session timeout, the maximum default privilege level configured and any access restrictions on the terminal lines.

Applicable Platforms

Cisco IOS Devices

Impact

An unauthorized user may gain access to the device.

Suggested Fix

Configure some type of authentication for login on the terminal lines using the commands:

line vty <beg line number> <end line number>

login authentication

privilege level

exec-timeout

access-class

You can add, update and delete terminal line configuration details.

Rule
Description
Constraints

Terminal Line Group

Group of terminal lines to apply the policy.

Required: true

Login Authentication

Selected terminal lines should be configured to authenticate using login.

Required: true Default: login

Maximum default level allowed

Maximum default privilege level that should be given on lines.

Required: false Default: 0

Min Value: 0

Max Value: 15

Maximum Idle Timeout (Minutes)

Idle timeout (in minutes) to be enforced on lines. If a user leaves the EXEC session idle for this much time, it will be disconnected automatically by the device.

Required: false Default: 10

Min Value: 1

Max Value: 3579

Maximum Login Response Timeout (Seconds)

Maximum timeout (in seconds), the system will wait for login input (such as username and password) before timing out

Required: false

Min Value: 1

Max Value: 300

Whether access to these terminal lines should be controlled

Choose whether access to these terminal lines should be controlled using an access control list.

Required: false Default: false


Rule 3

Rule

Check for allowed incoming connections [IOS]

Description

Make sure that all the terminal lines are configured to block incoming connections that use unauthorized protocols.

Applicable Platforms

Cisco IOS Devices

Impact

An unauthorized user may connect to the device using an undesired protocol, violating the set policy.

Suggested Fix

Disable terminal line access for unauthorized incoming connections using the command:

line vty <beg line number> <end line number>

transport input

You can add, update and delete terminal line configuration details.

Rule
Description
Constraints

Terminal Line Group

Group of terminal lines to apply the policy.

Required: true

Block all incoming connections

Block all incoming connections on this group of terminal lines

Required: true Default: dontcare

Telnet

Telnet protocol

Required: false Default: false

SSH

SSH protocol

Required: false Default: true


Rule 4

Rule

Check for allowed outgoing connections [IOS]

Description

Make sure that all the terminal lines are configured to block outgoing connections that use unauthorized protocols.

Applicable Platforms

Cisco IOS Devices

Impact

An unauthorized user may connect to other devices from this device using an undesired protocol, violating the set policy.

Suggested Fix

Disable terminal line access for all unauthorized outgoing connections using the command:

line vty <beg line number> <end line number>

transport output

You can add, update and delete terminal line configuration details.

Rule
Description
Constraints

Terminal Line Group

Group of terminal lines to apply the policy.

Required: true

Block all outgoing connections

Block all outgoing connections on this group of terminal lines

Required: true

Telnet

Telnet protocol

Required: false

SSH

SSH protocol

Required: false Default: true
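The four IOS rules above can be evaluated offline from a saved running-config. The following Python script is an added example, not part of Cisco Prime LMS: it parses the 'line vty' blocks of a constructed sample config and reports findings for Rules 1 through 4, with the policy values (5 VTY lines, 10-minute idle timeout, SSH only, access-class required) assumed as constructed parameters.

```python
"""Audit VTY-line settings against Terminal Access rules 1-4 (IOS).
Added example, not Cisco Prime LMS code: it parses 'line vty' blocks from a
constructed IOS running-config and reports what each rule would flag."""
import re

# Constructed sample: 'vty 0 4' is compliant, 'vty 5 15' is left wide open.
SAMPLE_CONFIG = """\
line vty 0 4
 access-class 10 in
 exec-timeout 10 0
 login authentication default
 transport input ssh
 transport output ssh
!
line vty 5 15
 no login
 transport input all
!
"""

# Protocols 'transport ... all' enables; legacy transports are omitted here.
ALL_TRANSPORTS = frozenset({"telnet", "ssh"})
LINE_HEADER = re.compile(r"^line (\S+) (\d+)(?: (\d+))?$")


def parse_line_groups(config):
    """Return dicts {kind, first, last, commands} for each 'line <kind> a [b]' block."""
    groups, current = [], None
    for raw in config.splitlines():
        m = LINE_HEADER.match(raw)
        if m:
            first = int(m.group(2))
            last = int(m.group(3)) if m.group(3) else first
            current = {"kind": m.group(1), "first": first, "last": last, "commands": []}
            groups.append(current)
        elif raw.startswith(" ") and current is not None:
            if raw.strip():
                current["commands"].append(raw.strip())
        else:
            current = None                 # any top-level line ends the block
    return groups


def exec_timeout_minutes(commands):
    """Idle timeout in minutes; IOS defaults to 10 when unset, '0 0' never expires."""
    for c in commands:
        parts = c.split()
        if parts[0] == "exec-timeout":
            minutes, seconds = int(parts[1]), (int(parts[2]) if len(parts) > 2 else 0)
            return float("inf") if minutes == 0 and seconds == 0 else minutes + seconds / 60
    return 10.0


def transport_set(commands, direction):
    """Protocols enabled by 'transport <direction> ...', or None if not configured."""
    for c in commands:
        parts = c.split()
        if len(parts) >= 3 and parts[0] == "transport" and parts[1] == direction:
            protos = set(parts[2:])
            if "none" in protos:
                return set()
            return set(ALL_TRANSPORTS) if "all" in protos else protos
    return None


def check_terminal_access(config, max_vty=5, max_idle_minutes=10,
                          require_access_class=True,
                          allowed_input=frozenset({"ssh"}),
                          allowed_output=frozenset({"ssh"})):
    """Return (rule, line group, message) findings for Terminal Access rules 1-4."""
    findings = []
    vty = [g for g in parse_line_groups(config) if g["kind"] == "vty"]

    # Rule 1: lines carrying 'no exec' are disabled and do not count.
    enabled = sum(g["last"] - g["first"] + 1 for g in vty if "no exec" not in g["commands"])
    if enabled > max_vty:
        findings.append(("rule1", "vty", f"{enabled} VTY lines enabled, policy allows {max_vty}"))

    for g in vty:
        cmds = g["commands"]
        if "no exec" in cmds:
            continue                       # nobody can log in to a disabled line
        label = f"vty {g['first']} {g['last']}"
        # Rule 2: login authentication, idle timeout and access-class.
        if "no login" in cmds or not any(c.split()[0] == "login" for c in cmds):
            findings.append(("rule2", label, "no login authentication configured"))
        idle = exec_timeout_minutes(cmds)
        if idle > max_idle_minutes:
            findings.append(("rule2", label, f"exec-timeout {idle} min exceeds {max_idle_minutes}"))
        if require_access_class and not any(c.startswith("access-class") for c in cmds):
            findings.append(("rule2", label, "no access-class restricts source addresses"))
        # Rules 3 and 4: only the allowed protocols may be enabled in each direction.
        for direction, allowed, rule in (("input", allowed_input, "rule3"),
                                         ("output", allowed_output, "rule4")):
            protos = transport_set(cmds, direction)
            if protos is None:
                findings.append((rule, label, f"transport {direction} not set; platform default applies"))
            elif protos - set(allowed):
                extra = ", ".join(sorted(protos - set(allowed)))
                findings.append((rule, label, f"transport {direction} permits {extra}"))
    return findings
```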


Rule 5

Rule

Check that Telnet access is prohibited. [PIX, ASA]

Description

Prohibit telnet access to the PIX device.

Applicable Platforms

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

Only use SSH and/or Cisco PDM or ASDM to manage the PIX. Do not use Telnet for remote administration of the PIX; it offers no confidentiality or integrity protection.

Suggested Fix

Prohibit Telnet access using the command:

no telnet

Rule 6

Rule

Check the maximum timeout for Console sessions. [PIX, ASA]

Description

Verify timeout is configured to automatically disconnect the console sessions after a fixed idle time.

Applicable Platforms

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

This prevents unauthorized users from misusing abandoned sessions.

Suggested Fix

Configure device timeout to disconnect sessions after a fixed idle time, using the command:

console timeout

Rule
Description
Constraints

Maximum Console Session idle Timeout (Minutes)

Idle timeout (in minutes) to be enforced on console lines. If a user leaves the EXEC session idle for this much time, it will be disconnected automatically by the device.

Required: true Default: 10

Min Value: 1

Max Value: 60


Rule 7

Rule

Check the maximum timeout for Telnet sessions. [PIX, ASA]

Description

Verify timeout is configured to automatically disconnect the telnet sessions after a fixed idle time.

Applicable Platforms

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

This prevents unauthorized users from misusing abandoned sessions.

Suggested Fix

Configure device timeout to disconnect sessions after a fixed idle time, using the command:

telnet timeout

Rule
Description
Constraints

Maximum Telnet Session idle Timeout (Minutes)

Idle timeout (in minutes) to be enforced on lines. If a user leaves the EXEC session idle for this much time, it will be disconnected automatically by the device.

Required: true Default: 10

Min Value: 1

Max Value: 1440


Rule 8

Rule

Check the maximum timeout for SSH sessions. [PIX, ASA]

Description

Verify timeout is configured to automatically disconnect the SSH sessions after a fixed idle time.

Applicable Platforms

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

This prevents unauthorized users from misusing abandoned sessions.

Suggested Fix

Configure device timeout to disconnect sessions after a fixed idle time, using the command:

ssh timeout

Rule
Description
Constraints

Maximum SSH Session idle Timeout (Minutes)

Idle timeout (in minutes) to be enforced on lines. If a user leaves the EXEC session idle for this much time, it will be disconnected automatically by the device.

Required: true Default: 10

Min Value: 1

Max Value: 60


User Passwords

Description

There are three password protection schemes in Cisco IOS:

Plain-text password, with no protection or encryption.

Cisco-defined encryption algorithm, which is known to the commercial security community to be weak.

Iterated MD5 hash, which is much stronger.

Cisco recommends using the MD5 hash encryption for passwords where possible. (See "Configuring Passwords and Privileges" in the Cisco IOS Security Configuration Guide)

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Cisco IOS Devices With AUTO_SECURE Capability

References

Payment Card Industry Data Security Standard(PCI).(8.1, 8.4, 8.5 of Version 1.1, September, 2006)

The Payment Card Industry (PCI) Data Security Standard resulted from a collaboration between Visa and MasterCard to create common industry security requirements. Other card companies operating in the U.S. have also endorsed the Standard within their respective programs. PCI Data Security requirements apply to all members, merchants and service providers that store, process or transmit cardholder data.

Control Objectives for Information and Related Technology(DS5 of 4.0)

COBIT (Control Objectives for Information and Related Technology) is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT is a de-facto standard used by most of the auditors when auditing for IT section of Sarbanes-Oxley (SOX) Compliance.

National Security Agency (NSA) Cisco Router Configuration Guide(Section 8.1(9) Page 276, 8.1(19) Page 279, Section 4.1.5 Page 63, Section 4.1.8 Page 66 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

Health Insurance Portability and Accountability Act.(164.308(a)(5)(ii), 164.312(d))

HIPAA (Health Insurance Portability and Accountability Act.) is designed to protect confidential healthcare information through improved security standards and federal privacy legislation. It defines requirements for storing patient information before, during and after electronic transmission. Centers for Medicare & Medicaid Services (CMS) has provided a Security Rule (45 CFR Part 160 and 164) which is adopted to implement provisions of the HIPAA.

BS 7799, ISO/IEC 17799, ISO/IEC 27001(Section 10, Section 11.2, 11.5 of First Edition, 2000-12-01)

Information Technology - Code of practice for information security management.

Cisco SAFE Compliance(1.1b)

SAFE: A Security Blueprint for Enterprise Networks

SANS Router Security Policy(3.0.2)

The SANS (SysAdmin, Audit, Network, Security) Institute publishes security policy to help system administrators with rapid development and implementation of information security policies.

Department of Homeland Security (DHS) Compliance(Section 1.1, Page 6 of Version 2.0)

This document is being distributed to provide Department of Homeland Security (DHS) Cisco Router systems administrators with a clear, concise set of procedures that will ensure a minimum baseline of security when an existing Cisco Router is being installed or configured. All settings and parameters presented in this document are the baseline security which all Cisco Router systems must meet.

Center for Internet Security, Benchmark for Cisco PIX/ASA.(Section 1.1.4, Page: 13 of Version 2.0, Nov 2007)

CIS PIX/ASA benchmark recommends the prudent level of minimum due care for operating system security. CIS PIX/ASA benchmark contains some security configuration recommendations that affect functionality, and are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All PIX devices should implement these settings.

Center for Internet Security, Benchmark for Cisco IOS.(Section 1.1.2.1, Page: 9; Section 1.1.4, Page:15 of Version 2.2, Nov 2007)

CIS benchmark Cisco IOS, recommends the prudent level of minimum due care for operating system security. CIS benchmark IOS, contains some security configuration recommendations that affect functionality, and are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All IOS devices should implement these settings.

Rule 1

Rule

Passwords should not be shown in clear text in configuration [IOS]

Description

Make sure the passwords are not shown in clear text in the configuration.

Applicable Platforms

Cisco IOS Devices

Impact

When passwords are shown in clear text, anyone who gets hold of a device configuration can access the router by using the username and password.

Suggested Fix

Encrypt all passwords using the command:

service password-encryption

Rule 2

Rule

Check enable password is configured and uses strong encryption [IOS, PIX, ASA]

Description

Make sure that the enable password is defined and it uses strong encryption.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

Access to the privileged EXEC mode (enable mode) should be protected by requiring a password.

Additionally, for Cisco IOS software devices, you can create a strongly encrypted password using the enable secret command. There are two password protection schemes in Cisco IOS software. Type-7 uses the Cisco-defined encryption algorithm, which is known to the commercial security community to be weak. Type-5 uses an iterated MD5 hash, which is much stronger. Cisco recommends that Type-5 encryption be used instead of Type-7 where possible. The enable password command uses Type-7 encryption, whereas the enable secret command uses Type-5 encryption.

Suggested Fix

Use strong encryption to configure enable password using the command:

enable secret [IOS]

enable password [PIX]

Rule 3

Rule

All users must have passwords configured [IOS, PIX, ASA]

Description

Make sure all users have passwords configured.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

When users do not have passwords, the device does not prompt for a password when someone tries to log in. This may allow an intruder to gain access to the device if they can guess or know the username.

Suggested Fix

Configure passwords for all users using the command:

username <user name> password|secret

Rule 4

Rule

Passwords must be MD5 encrypted [IOS]

Description

Make sure all user passwords are MD5 encrypted. MD5 is the highest level of security Cisco provides for storing user passwords. Other methods of storing passwords (clear text or Cisco proprietary encoding) are known to be vulnerable to decoding.

Applicable Platforms

Cisco IOS Devices

Impact

User passwords may be decoded and guessed by a possible intruder.

Suggested Fix

Encrypt all user passwords with MD5 using the command:

username <user name> secret

Rule 5

Rule

Check minimum length for user/enable/line passwords [IOS]

Description

The minimum length, in characters, for passwords defined on the device. Specifying a minimum password length enhances access security on the router by eliminating the common short passwords that are prevalent on most networks.

Applicable Platforms

Cisco IOS Devices With AUTO_SECURE Capability

Impact

One method attackers use to crack passwords is to try all possible combinations of characters until the password is discovered. Longer passwords have exponentially more possible combinations of characters, making this method of attack much more difficult.

Suggested Fix

Use security passwords min-length command to set the minimum length, in characters, for user/enable passwords defined on the device. Beware that if you use the security passwords min-length command, any configured passwords that are less than the specified minimum length will no longer work. Ensure that the user, enable, secret, and line passwords on the device satisfy the minimum length before using the command:

security passwords min-length

Rule
Description
Constraints

Minimum length for passwords should be at least

The minimum length, in characters, for passwords defined on the device.

Required: true Default: 6

Min Value: 1

Max Value: 16


Rule 6

Rule

Check maximum authentication failure rate [IOS]

Description

The number of times a user can attempt to log into the device before the failure is logged to the syslog and user access is prohibited for 15 seconds. A device should be configured to lock access after some predefined number of unsuccessful login attempts whenever possible. One method of cracking passwords, called the dictionary attack, is to use software that attempts to log in using every word in a dictionary. This configuration causes access to the router to be locked for a period of 15 seconds after the predefined unsuccessful login attempts, disabling the dictionary method of attack. In addition to locking access to the device, this configuration causes a log message to be generated after the predefined unsuccessful login attempts, warning the administrator of the unsuccessful login attempts.

Applicable Platforms

Cisco IOS Devices With AUTO_SECURE Capability

Impact

Intruders may make continuous attempts to log in to the device.

Suggested Fix

Configure authentication failure rate on the device using the command:

security authentication failure rate

Rule
Description
Constraints

Failure rate threshold should be at most

The number of times a user can attempt to log into the device before the failure is logged to the syslog and user access is prohibited for 15 seconds.

Required: true Default: 3

Min Value: 2

Max Value: 1024


Rule 7

Rule

Check unwanted usernames are not configured [IOS, PIX, ASA]

Description

Make sure unwanted usernames are not configured.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

This may allow an intruder to gain access to the device if they can guess or know the username.

Suggested Fix

Delete unwanted username using the command:

no username <user name>

Rule
Description
Constraints

Banned Usernames

Banned usernames to check for.

Using Banned Usernames - Editor option, you can add, update or remove banned username details. You can also change the order of the banned username details.

Required: true


Rule 8

Rule

Check only one username is configured [IOS, PIX, ASA]

Description

Make sure only one username is configured.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

Configuring more than one username may allow an intruder to gain access to the device if they can guess or know a username.

Suggested Fix

Delete unwanted username using the command:

no username <user name>
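Rules 1 through 8 above all inspect global and 'username' lines of the configuration, so they can be audited offline. The following Python script is an added example, not part of Cisco Prime LMS: it runs those checks against a constructed IOS running-config in which every hash or encoded string is a placeholder rather than a real credential, and the policy values (minimum length 6, failure rate 3, the banned-username list) are constructed as well.

```python
"""Audit an IOS running-config against User Passwords rules 1-8.
Added example, not Cisco Prime LMS code. The config is constructed and every
hash or encoded string in it is a placeholder, not a real credential."""

SAMPLE_CONFIG = """\
hostname core-rtr
!
enable password 7 PLACEHOLDER_TYPE7
!
username admin privilege 15 secret 5 $1$PLAC$EHOLDER_md5_hash
username backup password 7 PLACEHOLDER_TYPE7
username cisco password cisco123
username guest nopassword
!
security authentication failure rate 10 log
!
end
"""


def credential_type(parts, idx):
    """IOS encoding type after 'password'/'secret' at parts[idx]: 'secret 5 <h>' -> 5,
    'password 7 <x>' -> 7, bare 'password <x>' -> 0 (clear text)."""
    if idx + 2 < len(parts) and parts[idx + 1].isdigit():
        return int(parts[idx + 1])
    return 0


def parse_usernames(config):
    """Map username -> (kind, type) where kind is 'password', 'secret' or None."""
    users = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "username":
            continue
        name, cred = parts[1], (None, None)
        for i in range(2, len(parts)):
            if parts[i] in ("password", "secret"):
                cred = (parts[i], credential_type(parts, i))
                break
        # A user may span several 'username' lines; keep the one carrying a credential.
        if name not in users or cred[0] is not None:
            users[name] = cred
    return users


def enable_credential(config):
    """('secret'|'password', type) for privileged EXEC; 'enable secret' takes precedence."""
    found = (None, None)
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "enable" and parts[1] in ("password", "secret"):
            if parts[1] == "secret" or found[0] is None:
                found = (parts[1], credential_type(parts, 1))
    return found


def global_int(config, prefix):
    """Integer argument of a global command such as 'security passwords min-length 8'."""
    for line in config.splitlines():
        if line.startswith(prefix):
            rest = line[len(prefix):].split()
            if rest and rest[0].isdigit():
                return int(rest[0])
    return None


def check_user_passwords(config, min_length=6, max_failure_rate=3,
                         banned=frozenset({"cisco", "guest", "root"})):
    """Return (rule, subject, message) findings; policy values are constructed."""
    findings = []
    if "service password-encryption" not in config.splitlines():
        findings.append(("rule1", "global", "service password-encryption is not enabled"))
    kind, ptype = enable_credential(config)
    if kind is None:
        findings.append(("rule2", "enable", "no enable password or secret configured"))
    elif kind != "secret":
        findings.append(("rule2", "enable", f"enable password uses type {ptype}; use enable secret"))
    users = parse_usernames(config)
    for name, (kind, ptype) in users.items():
        if kind is None:
            findings.append(("rule3", name, "user has no password"))
        elif kind != "secret":
            findings.append(("rule4", name, f"type {ptype} password is not an MD5 secret"))
        if name in banned:
            findings.append(("rule7", name, "banned username is configured"))
    n = global_int(config, "security passwords min-length")
    if n is None or n < min_length:
        findings.append(("rule5", "global", f"min-length is {n}, policy requires {min_length}"))
    rate = global_int(config, "security authentication failure rate")
    if rate is None or rate > max_failure_rate:
        findings.append(("rule6", "global", f"failure rate is {rate}, policy allows {max_failure_rate}"))
    if len(users) > 1:
        findings.append(("rule8", "users", f"{len(users)} usernames configured, policy expects 1"))
    return findings
```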

ACL on Interfaces

Description

Policies to make sure the interfaces have required Access Control Lists configured.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Rule 1

Rule

Check interfaces have access lists configured [IOS, PIX, ASA]

Description

This rule checks if given interfaces have required ACLs configured and those access lists have valid configuration.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

Interfaces may permit unwanted traffic.

Suggested Fix

Enable Access Control Lists on the interface using the command:

interface <interface name>

ip access-group <acl number or name> <in|out>

You can add, update or remove the interface details. You can also change the order of the interface details.

Rule
Description
Constraints

Interface Group

Group of interfaces to apply the policy. Example valid Values: 'Any', 'AnyEthernet', 'FastEthernet', 'GigabitEthernet', 'FastEthernet0/1', 'FastEthernet0/.*' etc.

Required: true

Incoming ACL match type

ACL Match criterion to enforce for incoming traffic on this interface group.

Required: true

Incoming ACL ID

Incoming ACL ID to be applied on the interface to filter incoming traffic.

Required: false

Outgoing ACL match type

ACL Match criterion to enforce for outgoing traffic on this interface group.

Required: true

Outgoing ACL ID

Outgoing ACL ID to be applied on the interface to filter outgoing traffic.

Required: false



Note If you select a rule which checks for interface related configuration, compliance check will be done only for the interfaces which are administratively up and configured with an IP address.


Null (Black Hole) Routing

Description

Many administrators configure their routers to filter connections and drop packets using basic and extended access lists. Access lists provide the administrator with a high degree of precision in selectively permitting and denying traffic. For example, access lists would allow an administrator to block only Telnet (TCP port 23) traffic from exiting their network. The fine granularity access lists provide can impose significant administrative and performance burdens, depending on the network architecture, router configuration, and traffic load. Backbone routers, in particular, are often too heavily utilized to permit heavy use of access lists. An alternative to access lists for traffic control is a technique known as black hole routing, or null routing. Null routing (or black-hole routing) sacrifices the fine selectivity of access lists; it can be used only to impose a ban on all traffic sharing a specific destination address or network. There is no simple way to specify which protocols or types of traffic may or may not pass. If an address or network is null routed, ALL traffic sent to it will immediately be discarded. Because this type of filtering is done as part of normal routing, it imposes little or no performance burden on normal packet flow. It is important to note that null routing can only discard traffic based on its addresses (usually only the destination). This makes it well-suited to mitigating attack situations where 'bad' traffic into your network is all directed to one or a small number of address ranges. It is also well-suited for discarding data directed to unassigned or reserved addresses.

Applicable Platforms

Cisco IOS Devices With Static Routing Capability

References

National Security Agency (NSA) Cisco Router Configuration Guide(Section 4.4.6 Page 128 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

Rule 1

Rule

Check undesirable packets are directed to NULL interface [IOS]

Description

This rule checks that the given IP address/mask combinations are black-holed, that is, routed to a null interface. The simple way to configure null routing is to set up a null interface and create a static route that directs the undesirable packets to it.

Applicable Platforms

Cisco IOS Devices With Static Routing Capability

Impact

Undesired packets will be routed using normal routing table lookup.

Suggested Fix

Configure static routing for these subnets using the commands:

interface <Null interface>

!

ip route <ip address> <network mask> <Null Interface>

You can add, update or remove IP Address and Network Mask details.

Rule
Description
Constraints

IP Address

IP Address of the network to be routed to NULL interface

Required: true

Network Mask

Network mask of the subnet that needs to be routed to the NULL interface.

Required: true



Note If you select a rule which checks for interface related configuration, compliance check will be done only for the interfaces which are administratively up and configured with an IP address.
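The rule above checks that each configured IP address/mask pair has a static route to a Null interface. The following Python script is an added example, not part of Cisco Prime LMS: it parses 'ip route' lines from a constructed IOS config and goes a step beyond the exact-match rule by also recognizing a prefix that is covered by an aggregate null route, and one whose null route is shadowed by a more specific non-null static route that wins the longest-match lookup. The required prefixes are constructed policy values.

```python
"""Verify that given prefixes are black-holed by static routes to a Null interface.
Added example, not Cisco Prime LMS code: parses 'ip route' lines from a
constructed IOS config and mirrors the Null (Black Hole) Routing rule."""
import ipaddress
import re

# Constructed sample: one exact null route, one aggregate null route with a
# more specific real route punched through it, and a default route.
SAMPLE_CONFIG = """\
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip route 10.0.0.0 255.0.0.0 Null0
ip route 10.1.0.0 255.255.0.0 192.0.2.2
ip route 192.168.100.0 255.255.255.0 Null0
"""

# Prefixes the policy requires to be black-holed (constructed policy values).
REQUIRED = ["10.1.0.0/16", "10.2.0.0/16", "192.168.100.0/24", "172.16.0.0/12"]

ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)")


def parse_static_routes(config):
    """Return [(network, next_hop)] for every 'ip route <addr> <mask> <hop>' line."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            # ip_network accepts a dotted netmask after the slash.
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append((net, m.group(3)))
    return routes


def is_null_hop(next_hop):
    """True when the route exits via a Null interface such as Null0."""
    return next_hop.lower().startswith("null")


def check_null_routes(config, required):
    """Classify each required prefix as exact, covered, shadowed or missing.

    shadowed: a null route covers the prefix, but a more specific non-null
    static route overlapping it would win the longest-match lookup."""
    routes = parse_static_routes(config)
    results = {}
    for want in required:
        target = ipaddress.ip_network(want, strict=False)
        null_covers = [n for n, hop in routes if is_null_hop(hop) and target.subnet_of(n)]
        if not null_covers:
            results[str(target)] = ("missing", "no null route covers this prefix")
            continue
        best = max(null_covers, key=lambda n: n.prefixlen)
        shadows = [n for n, hop in routes
                   if not is_null_hop(hop) and n.prefixlen > best.prefixlen and n.overlaps(target)]
        if shadows:
            results[str(target)] = ("shadowed", f"{shadows[0]} has a non-null next hop")
        elif best == target:
            results[str(target)] = ("exact", f"{best} -> Null")
        else:
            results[str(target)] = ("covered", f"aggregate {best} -> Null")
    return results


def fix_commands(results):
    """IOS commands that add the missing null routes (the page's suggested fix)."""
    cmds = []
    for prefix, (status, _) in results.items():
        if status == "missing":
            net = ipaddress.ip_network(prefix)
            cmds.append(f"ip route {net.network_address} {net.netmask} Null0")
    return cmds
```

A shadowed prefix gets no automatic fix command, because the more specific route may be intentional and should be reviewed rather than overwritten.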


SMURF Attack

Description

The Smurf Attack involves sending a large amount of ICMP Echo packets to a subnet's broadcast address with a spoofed source IP address from that subnet.

Applicable Platforms

Cisco IOS Devices

References

National Security Agency (NSA) Cisco Router Configuration Guide(Section 8.1(2) Page 275, Section 4.3.3 Page 91 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

National Security Agency (NSA) Cisco Switch Configuration Guide(Section 6.2.1, Page 18 of Version 1.0)

The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.

BS 7799, ISO/IEC 17799, ISO/IEC 27001(Section 10.6.1 of Second Edition, 2005-06-15)

Information Technology - Code of practice for information security management.

Cisco SAFE Compliance(1.1b)

SAFE: A Security Blueprint for Enterprise Networks

SANS Router Security Policy(3.0(3a))

The SANS (SysAdmin, Audit, Network, Security) Institute publishes security policy to help system administrators with rapid development and implementation of information security policies.

Rule 1

Rule

Check for SMURF attack vulnerability [IOS].

Description

The Smurf Attack involves sending a large amount of ICMP Echo packets to a subnet's broadcast address with a spoofed source IP address from that subnet.

Applicable Platforms

Cisco IOS Devices

Impact

This attack can lead to Denial of Service(DoS).

Suggested Fix

Disable directed broadcast on the interfaces using the commands below. Alternatively, an inbound access list can be used to deny any packets destined for broadcast addresses.

interface <interface name>

no ip directed-broadcast

Traffic Rules

Description

Policies to make sure the interfaces have traffic rules

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

References

Payment Card Industry Data Security Standard(PCI).(1.3, 1.4 of Version 1.0, December 15, 2004)

The Payment Card Industry (PCI) Data Security Standard resulted from a collaboration between Visa and MasterCard to create common industry security requirements. Other card companies operating in the U.S. have also endorsed the Standard within their respective programs. PCI Data Security requirements apply to all members, merchants and service providers that store, process or transmit cardholder data.

Rule 1

Rule

Check interfaces have access lists configured [IOS, PIX, ASA]

Description

This rule checks if given interfaces have required access controls configured.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

Interfaces may permit unwanted traffic.

Suggested Fix

Enable Access Control Lists on the interface using the command:

interface <interface name>

ip access-group <acl number or name> <in|out>

Rule
Description
Constraints

Interface Group

Group of interfaces to apply the policy. Example valid Values: 'Any', 'AnyEthernet', 'FastEthernet', 'GigabitEthernet', 'FastEthernet0/1', 'FastEthernet0/.*' etc.

Required: true

Incoming Traffic Rules

Traffic Match criterion to enforce for incoming traffic on this interface group.

You can add, update or remove the Action and IP type of incoming traffic rules. You can also change the order of the Incoming Traffic Rule details.

Required: false

Outgoing Traffic Rules

Traffic Match criterion to enforce for outgoing traffic on this interface group.

You can add, update or remove Action and IP type of outgoing traffic rules. You can also change the order of the Outgoing Traffic Rule details.

Required: false



Note If you select a rule which checks for interface related configuration, compliance check will be done only for the interfaces which are administratively up and configured with an IP address.


Dynamic Trunking Protocols (DTP)

Description

Policy to specify required parameters for Dynamic Trunking Protocol (DTP). DTP is a protocol exchanged between switches to negotiate the trunking mode on the connected ports. Depending on the configuration on a neighboring port, the ports on this switch will be placed in either trunking mode or non-trunking mode dynamically. Cisco switches come up in this dynamic trunking mode by default and if they become trunk ports, it may cause to trunk all the VLANs, which further makes the management of VLANs harder.

Applicable Platforms

Cisco IOS Switches

References

National Security Agency (NSA) Cisco Switch Configuration Guide (Section 9.5.2, Page 36 of Version 1.0)

The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.

Rule 1

Rule

Check DTP is disabled. [IOS]

Description

This check will make sure that DTP is disabled on the interfaces so that they are placed permanently in trunking mode or in non-trunking mode.

Applicable Platforms

Cisco IOS Switches

Impact

A port may use the Dynamic Trunking Protocol (DTP) to automatically negotiate which trunking protocol it will use, and how the trunking protocol will operate. A Cisco Ethernet port's default DTP mode is "dynamic desirable", which allows the port to actively attempt to convert the link into a trunk. Even worse, the member VLANs of the new trunk are all the available VLANs on the switch. If a neighboring port's DTP mode becomes "trunk", "dynamic auto", or "dynamic desirable", and if the two switches support a common trunking protocol, then the line will become a trunk automatically, giving each switch full access to all VLANs on the neighboring switch. An attacker who can exploit DTP may be able to obtain useful information from these VLANs.

Suggested Fix

Set the port in either permanent trunk mode or permanent non-trunk mode using the command:

interface <interface name>

switchport mode <access|trunk>

IEEE 802.3 Flow Control

Description

In order to handle congestion, Ethernet ports can respond to a flow control frame from a remote port and stop transmitting for some time. If a Gigabit Ethernet or 10-Gigabit Ethernet port receive buffer becomes full, the port transmits an IEEE 802.3Z pause frame that requests remote ports to delay sending frames for a specified time. All Ethernet ports (10 Gbps, 1 Gbps, 100 Mbps, and 10 Mbps) can receive and respond to IEEE 802.3Z pause frames from other devices.

Applicable Platforms

Cisco IOS Switches

References

National Security Agency (NSA) Cisco Switch Configuration Guide (Section 8, Page 29 of Version 1.0)

The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.

Rule 1

Rule

Check Receive Flow Control [IOS]

Description

This check will ensure that the port is configured with a desired state of flow control in receive direction.

Applicable Platforms

Cisco IOS Switches

Impact

802.3X Flow Control allows receiving ports to pause transmission of packets from the sender during times of congestion. If this feature is enabled, a pause frame can be received, stopping the transmission of data packets. Flow Control pause frames could be used in a denial of service attack.

Suggested Fix

Configure receiving of flow control frames on the interface using the command:

interface <interface name>

[no] flowcontrol receive

You can add, update or remove flow control details. You can also change the order of the flow control details.

Rule
Description
Constraints

Interface Group

Group of interfaces to apply the policy. Example valid Values: 'Any', 'AnyEthernet', 'FastEthernet', 'GigabitEthernet', 'FastEthernet0/1', 'FastEthernet0/.*' etc.

Required: true

Desired state of receive flow control

If a Gigabit Ethernet or 10-Gigabit Ethernet port receive buffer becomes full, the port transmits an IEEE 802.3Z pause frame that requests remote ports to delay sending frames for a specified time. All Ethernet ports (10 Gbps, 1 Gbps, 100 Mbps, and 10 Mbps) can receive and respond to IEEE 802.3Z pause frames from other devices.

Required: true



Note If you select a rule which checks for interface related configuration, compliance check will be done only for the interfaces which are administratively up and configured with an IP address.


Spanning Tree Protocols (STP)

Description

Spanning Tree Protocol (STP), also known as 802.1d, is a Layer 2 protocol designed to prevent loops within switched networks. Loops can occur when redundant network paths have been configured to ensure resiliency. Typically, STP goes through a number of states (e.g., block, listen, learn, and forward) before a port is able to pass user traffic. This process can take between 30 and 50 seconds. In cases where a single host is connected to a port, and there is no chance of a loop being created, the STP Portfast feature can be utilized to immediately transition the port into a forwarding state. However, it will still participate in STP calculations and move into a blocked state in the event of a network loop. A vulnerability associated with STP is that a system within the network can actively modify the STP topology. There is no authentication that would prevent such an action. The bridge ID, a combination of a two-byte priority and a six-byte MAC address, determines the root bridge within a network. The lower the bridge ID, the more likely the switch will be elected as the root bridge. A switch with the lowest bridge ID can become the root bridge, thereby influencing traffic flows and reducing the efficiency of the network.

Applicable Platforms

Cisco IOS Switches

References

National Security Agency (NSA) Cisco Switch Configuration Guide (Section 10, Page 38 of Version 1.0)

The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.

Rule 1

Rule

Check that BPDU Guard is enabled on all the ACCESS ports [IOS]

Description

This check will make sure the BPDU guard is enabled/disabled on given interfaces as per the policy. The STP Portfast BPDU Guard allows network administrators to enforce the STP topology on ports enabled with Portfast. Systems attached to ports with the Portfast BPDU Guard enabled will not be allowed to modify the STP topology. Upon reception of a BPDU message, the port is disabled and stops passing all network traffic. This feature can be enabled both globally and individually for ports configured with Portfast. By default, STP BPDU guard is disabled.

Applicable Platforms

Cisco IOS Switches

Impact

A vulnerability associated with STP is that a system within the network can actively modify the STP topology. There is no authentication that would prevent such an action. The bridge ID, a combination of a two-byte priority and a six-byte MAC address, determines the root bridge within a network. The lower the bridge ID, the more likely the switch will be elected as the root bridge. A switch with the lowest bridge ID can become the root bridge, thereby influencing traffic flows and reducing the efficiency of the network.

Suggested Fix

Configure BPDU Guard on the ports based on the policy using the command:

interface <interface name>

[no] spanning-tree bpduguard

Rule 2

Rule

Check the BPDU State [IOS]

Description

This check will make sure the BPDU guard is enabled/disabled on given interfaces as per the policy. The STP Portfast BPDU Guard allows network administrators to enforce the STP topology on ports enabled with Portfast. Systems attached to ports with the Portfast BPDU Guard enabled will not be allowed to modify the STP topology. Upon reception of a BPDU message, the port is disabled and stops passing all network traffic. This feature can be enabled both globally and individually for ports configured with Portfast. By default, STP BPDU guard is disabled.

Applicable Platforms

Cisco IOS Switches

Impact

A vulnerability associated with STP is that a system within the network can actively modify the STP topology. There is no authentication that would prevent such an action. The bridge ID, a combination of a two-byte priority and a six-byte MAC address, determines the root bridge within a network. The lower the bridge ID, the more likely the switch will be elected as the root bridge. A switch with the lowest bridge ID can become the root bridge, thereby influencing traffic flows and reducing the efficiency of the network.

Suggested Fix

Configure BPDU Guard on the ports based on the policy using the command:

interface <interface name>

[no] spanning-tree bpduguard

You can add, update or remove BPDU State details. You can also change the order of the BPDU State details.

Rule
Description
Constraints

Interface Group

Group of interfaces to apply the policy. Example valid Values: 'Any', 'AnyEthernet', 'FastEthernet', 'GigabitEthernet', 'FastEthernet0/1', 'FastEthernet0/.*' etc.

Required: true

Desired state of BPDU Guard

the administrator must manually put the Layer 2 LAN interface back in service. BPDU Guard can be configured at the interface level. When configured at the interface level, BPDU Guard shuts the port down as soon as the port receives a BPDU, regardless of the PortFast configuration.

Required: true


Rule 3

Rule

Check that Root Guard State is enabled on all the ACCESS ports [IOS]

Description

This check will make sure the interface is configured with a proper root guard state. The STP Root Guard feature is a mechanism used to protect the STP topology. Unlike the BPDU Guard, STP Root Guard allows participation in STP as long as the attached system does not attempt to become the root. If the Root Guard is activated, then the port recovers automatically after it quits receiving the superior BPDUs that would make it the root. Root Guard can be applied to one or more ports on edge switches and on internal switches on a network. In general, apply this feature to those ports on each switch that should not become the root.

Applicable Platforms

Cisco IOS Switches

Impact

A vulnerability associated with STP is that a system within the network can actively modify the STP topology. There is no authentication that would prevent such an action. The bridge ID, a combination of a two-byte priority and a six-byte MAC address, determines the root bridge within a network. The lower the bridge ID, the more likely the switch will be elected as the root bridge. A switch with the lowest bridge ID can become the root bridge, thereby influencing traffic flows and reducing the efficiency of the network.

Suggested Fix

Configure root Guard on the ports based on the policy using the command:

interface <interface name>

[no] spanning-tree guard root

Rule 4

Rule

Check the Root Guard State [IOS]

Description

This check will make sure the interface is configured with a proper root guard state. The STP Root Guard feature is a mechanism used to protect the STP topology. Unlike the BPDU Guard, STP Root Guard allows participation in STP as long as the attached system does not attempt to become the root. If the Root Guard is activated, then the port recovers automatically after it quits receiving the superior BPDUs that would make it the root. Root Guard can be applied to one or more ports on edge switches and on internal switches on a network. In general, apply this feature to those ports on each switch that should not become the root.

Applicable Platforms

Cisco IOS Switches

Impact

A vulnerability associated with STP is that a system within the network can actively modify the STP topology. There is no authentication that would prevent such an action. The bridge ID, a combination of a two-byte priority and a six-byte MAC address, determines the root bridge within a network. The lower the bridge ID, the more likely the switch will be elected as the root bridge. A switch with the lowest bridge ID can become the root bridge, thereby influencing traffic flows and reducing the efficiency of the network.

Suggested Fix

Configure root Guard on the ports based on the policy using the command:

interface <interface name>

[no] spanning-tree guard root

You can add, update or remove Root Guard State details. You can also change the order of the Root Guard State details.

Rule
Description
Constraints

Interface Group

Group of interfaces to apply the policy. Example valid Values: 'Any', 'AnyEthernet', 'FastEthernet', 'GigabitEthernet', 'FastEthernet0/1', 'FastEthernet0/.*' etc.

Required: true

Desired state of STP Root Guard

NOTE: Enabling root Guard functionality on a port may disable that port as soon as it receives a superior BPDU message. The STP root guard feature prevents a port from becoming root port or blocked port. If a port configured for root guard receives a superior BPDU, the port immediately goes to the root-inconsistent (blocked) state.

Required: true



Note If you select a rule which checks for interface related configuration, compliance check will be done only for the interfaces which are administratively up and configured with an IP address.


Unidirectional Link Detection (UDLD)

Description

The Cisco-proprietary UDLD protocol allows devices connected through fiber-optic or copper (for example, Category 5 cabling) Ethernet cables connected to LAN ports to monitor the physical configuration of the cables and detect when a unidirectional link exists. When a unidirectional link is detected, UDLD shuts down the affected LAN port and alerts the user. Unidirectional links can cause a variety of problems, including spanning tree topology loops. A unidirectional link occurs whenever traffic transmitted by the local device over a link is received by the neighbor but traffic transmitted from the neighbor is not received by the local device. If one of the fiber strands in a pair is disconnected, as long as autonegotiation is active, the link does not stay up. In this case, the logical link is undetermined, and UDLD does not take any action. If both fibers are working normally at Layer 1, then UDLD at Layer 2 determines whether those fibers are connected correctly and whether traffic is flowing bidirectionally between the correct neighbors.

Applicable Platforms

Cisco IOS Switches

References

National Security Agency (NSA) Cisco Switch Configuration Guide (Section 8, Pages 29, 30 of Version 1.0)

The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.

Rule 1

Rule

Check UDLD state on all fiber-optic interfaces [IOS]

Description

This check will make sure UDLD state on the fiber-optic interfaces is configured as per the policy.

Applicable Platforms

Cisco IOS Switches

Impact

Directly connected switches running the Unidirectional Link Detection (UDLD) protocol can determine if a unidirectional link exists between them. If one is detected, then the link is shut down until manually restored. UDLD messages could be used in a denial of service attack.

Suggested Fix

Configure UDLD globally or on the interface using the commands:

[no] udld enable

interface <interface name>

[no] udld port

Rule
Description
Constraints

Desired state of UDLD

Desired state of UDLD configuration.

Required: true

Default: false


Rule 2

Rule

Check UDLD state on all copper interfaces [IOS]

Description

This check will make sure UDLD state on the copper interfaces is configured as per the policy.

Applicable Platforms

Cisco IOS Switches

Impact

Directly connected switches running the Unidirectional Link Detection (UDLD) protocol can determine if a unidirectional link exists between them. If one is detected, then the link is shut down until manually restored. UDLD messages could be used in a denial of service attack.

Suggested Fix

Configure UDLD globally or on the interface using the commands:

[no] udld enable

interface <interface name>

[no] udld port

Rule
Description
Constraints

Desired state of UDLD

Desired state of UDLD configuration.

Required: true

Default: false


Rule 3

Rule

Check UDLD state on specific interfaces [IOS]

Description

This check will make sure UDLD state on given interfaces is configured as per the policy.

Applicable Platforms

Cisco IOS Switches

Impact

Directly connected switches running the Unidirectional Link Detection (UDLD) protocol can determine if a unidirectional link exists between them. If one is detected, then the link is shut down until manually restored. UDLD messages could be used in a denial of service attack.

Suggested Fix

Configure UDLD globally or on the interface using the commands:

[no] udld enable

interface <interface name>

[no] udld port

You can add, update or remove UDLD state details. You can also change the order of the UDLD state details.

Rule
Description
Constraints

Interface Group

Group of interfaces to apply the policy. Example valid Values: 'Any', 'AnyEthernet', 'FastEthernet', 'GigabitEthernet', 'FastEthernet0/1', 'FastEthernet0/.*' etc.

Required: true

Desired state of UDLD

Desired state of UDLD configuration.

Required: true



Note If you select a rule which checks for interface related configuration, compliance check will be done only for the interfaces which are administratively up and configured with an IP address.


VLAN 1

Description

Policy to specify whether to use VLAN 1 on switches. Cisco switches use VLAN 1 as the default VLAN to assign to their ports, including their management ports. Additionally, Layer 2 protocols, such as CDP and VTP, need to be sent on a specific VLAN on trunk links, so VLAN 1 was selected. In some cases, VLAN 1 may span the entire network if not appropriately pruned. It also provides attackers easier access and extended reach for their attacks.

Applicable Platforms

Cisco IOS Switches

References

National Security Agency (NSA) Cisco Switch Configuration Guide (Section 9.2, Page 32 of Version 1.0)

The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.

Rule 1

Rule

Check to make sure VLAN 1 is not used on any access interface [IOS]

Description

This check makes sure none of the interfaces on the switch use VLAN 1 in either ACCESS mode or trunk mode. It also makes sure the VLAN 1 is not used as a native VLAN for the trunk ports.

Applicable Platforms

Cisco IOS Switches

Impact

VLAN 1 may span the entire network if not appropriately pruned. It also provides attackers easier access and extended reach for their attacks.

Suggested Fix

Do not use VLAN 1 for either out-of-band management or in-band management. To provide network-based, out-of-band management, dedicate a physical switch port and VLAN on each switch for management use. Create a Switch Virtual Interface (SVI) Layer Three interface for that VLAN, and connect the VLAN to a dedicated switch and communications path back to the management hosts. Do not allow the operational VLANs access to the management VLAN. Also, do not trunk the management VLAN off the switch. Remove the access to VLAN 1 using the command:

interface <interface name>

switchport access vlan <any vlan other than 1>

Rule 2

Rule

Check to make sure VLAN 1 is not allowed on any trunk interface [IOS]

Description

This check makes sure none of the interfaces on the switch use VLAN 1 in either ACCESS mode or trunk mode. It also makes sure the VLAN 1 is not used as a native VLAN for the trunk ports.

Applicable Platforms

Cisco IOS Switches

Impact

VLAN 1 may span the entire network if not appropriately pruned. It also provides attackers easier access and extended reach for their attacks.

Suggested Fix

Do not use VLAN 1 for either out-of-band management or in-band management. To provide network-based, out-of-band management, dedicate a physical switch port and VLAN on each switch for management use. Create a Switch Virtual Interface (SVI) Layer Three interface for that VLAN, and connect the VLAN to a dedicated switch and communications path back to the management hosts. Do not allow the operational VLANs access to the management VLAN. Also, do not trunk the management VLAN off the switch. Remove VLAN 1 from the trunks using the command:

interface <interface name>

switchport trunk allowed vlan remove 1

Rule 3

Rule

Check to make sure VLAN 1 is not allowed on any trunk interface as a native VLAN [IOS]

Description

This check makes sure none of the interfaces on the switch use VLAN 1 in either ACCESS mode or trunk mode. It also makes sure the VLAN 1 is not used as a native VLAN for the trunk ports.

Applicable Platforms

Cisco IOS Switches

Impact

VLAN 1 may span the entire network if not appropriately pruned. It also provides attackers easier access and extended reach for their attacks.

Suggested Fix

Do not use VLAN 1 for either out-of-band management or in-band management. To provide network-based, out-of-band management, dedicate a physical switch port and VLAN on each switch for management use. Create a Switch Virtual Interface (SVI) Layer Three interface for that VLAN, and connect the VLAN to a dedicated switch and communications path back to the management hosts. Do not allow the operational VLANs access to the management VLAN. Also, do not trunk the management VLAN off the switch. Change the native VLAN of the trunks to something other than VLAN 1 using the command:

interface <interface name>

switchport trunk native vlan <any vlan other than 1>

Rule 4

Rule

Check to make sure VLAN 1 is not configured as a voice vlan on any interface [IOS]

Description

This check makes sure none of the interfaces on the switch use VLAN 1 in either ACCESS mode or trunk mode. It also makes sure the VLAN 1 is not used as a native VLAN for the trunk ports.

Applicable Platforms

Cisco IOS Switches

Impact

VLAN 1 may span the entire network if not appropriately pruned. It also provides attackers easier access and extended reach for their attacks.

Suggested Fix

Do not use VLAN 1 for either out-of-band management or in-band management. To provide network-based, out-of-band management, dedicate a physical switch port and VLAN on each switch for management use. Create a Switch Virtual Interface (SVI) Layer Three interface for that VLAN, and connect the VLAN to a dedicated switch and communications path back to the management hosts. Do not allow the operational VLANs access to the management VLAN. Also, do not trunk the management VLAN off the switch. Change the voice VLAN to something other than 1 using the command:

interface <interface name>

switchport voice vlan <any vlan other than 1>
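
The interface-level rules described above (the directed-broadcast fix under SMURF Attack, Traffic Rules, DTP, the STP BPDU Guard and Root Guard rules, UDLD on specific interfaces, and the four VLAN 1 rules) all reduce to the same operation: split a running-config into interface stanzas, select the stanzas that match an Interface Group, and test each for the presence or absence of a line. The following Python is an added example of that evaluation; it is not Cisco Prime LMS code and does not reproduce the product's rule engine. It runs against a constructed sample configuration, implements Interface Group matching for the forms listed on this page ('Any', 'AnyEthernet', a type prefix, an exact name, or a regular expression), and skips administratively-down interfaces as the page's note says the product does; the product also requires an IP address on the interface, which this example deliberately does not, so Layer 2 switch ports are still evaluated. The defaults it assumes (access VLAN 1 and native VLAN 1 when the line is absent, directed broadcast disabled by default on current IOS) are standard IOS behaviour but are assumptions of this example, not statements from the page.

```python
import re
from typing import Dict, List

# Constructed sample running-config (hypothetical; not from the page or a real device).
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
 ip directed-broadcast
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 20
 spanning-tree bpduguard enable
 spanning-tree guard root
 udld port
!
interface FastEthernet0/2
 switchport voice vlan 1
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,99
!
interface GigabitEthernet0/2
 shutdown
!
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface <name>' stanza to its indented sub-commands."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas

def in_group(name: str, group: str) -> bool:
    """Interface Group forms from the page: 'Any', 'AnyEthernet', a type prefix, an exact name, or a regex."""
    if group == "Any":
        return True
    if group == "AnyEthernet":
        return "Ethernet" in name
    if group.isalpha():
        return name.startswith(group)
    return re.fullmatch(group, name) is not None

def vlan_in_list(vid: int, spec: str) -> bool:
    """True if vid falls inside an IOS VLAN list such as '1-5,10,20'."""
    for token in spec.split(","):
        lo, _, hi = token.partition("-")
        if int(lo) <= vid <= int(hi or lo):
            return True
    return False

def check_interfaces(config: str, group: str = "Any", udld_desired: bool = True) -> List[str]:
    """One finding per violated interface-level check; shutdown interfaces are skipped as the page's note describes."""
    findings: List[str] = []
    for name, lines in parse_interfaces(config).items():
        if "shutdown" in lines or not in_group(name, group):
            continue
        has = lambda p: any(l.startswith(p) for l in lines)
        value = lambda p: next((l[len(p):].strip() for l in lines if l.startswith(p)), None)
        if has("ip address"):  # Layer 3 interface: Traffic Rules and SMURF checks
            if not has("ip access-group"):
                findings.append(f"{name}: no ip access-group applied")
            # 'no ip directed-broadcast' is the IOS default and is not displayed, so only an explicit enable is flagged
            if has("ip directed-broadcast"):
                findings.append(f"{name}: ip directed-broadcast enabled")
            continue
        # Layer 2 switch port: DTP, UDLD, VLAN 1 and STP guard checks
        if not (has("switchport mode access") or has("switchport mode trunk")):
            findings.append(f"{name}: DTP not disabled (no static switchport mode)")
        if udld_desired and not has("udld port"):
            findings.append(f"{name}: udld port not enabled")
        if has("switchport mode trunk"):
            # Defaults when absent: native VLAN 1, all VLANs allowed; only the plain 'allowed vlan <list>' form is parsed
            native = value("switchport trunk native vlan") or "1"
            allowed = value("switchport trunk allowed vlan")
            if native == "1":
                findings.append(f"{name}: native VLAN is 1")
            if allowed in (None, "all") or (allowed[0].isdigit() and vlan_in_list(1, allowed)):
                findings.append(f"{name}: VLAN 1 allowed on trunk")
        else:
            # Access port: the default access VLAN is 1 and is not displayed
            if (value("switchport access vlan") or "1") == "1":
                findings.append(f"{name}: access VLAN is 1")
            if value("switchport voice vlan") == "1":
                findings.append(f"{name}: voice VLAN is 1")
            if not has("spanning-tree bpduguard enable"):
                findings.append(f"{name}: BPDU guard not enabled on access port")
            if not has("spanning-tree guard root"):
                findings.append(f"{name}: root guard not enabled on access port")
    return findings
```

Calling check_interfaces(SAMPLE_CONFIG) reports nine findings: the SVI with an explicit ip directed-broadcast and no access list, the access port that relies on the default VLAN 1 and carries voice VLAN 1 without BPDU or Root Guard or a static switchport mode, and the trunk without udld port; the shut-down port produces nothing. Each finding corresponds to one Suggested Fix above. The two places where absence of a line means a non-default value (no switchport access vlan, no switchport trunk native vlan) are exactly where a naive grep for "vlan 1" would miss a violation.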

VLAN Trunking Protocols (VTP)

Description

Policy to specify required parameters for VTP

Applicable Platforms

Cisco IOS Switches

References

National Security Agency (NSA) Cisco Switch Configuration Guide (Section 9.4.2, Page 35 of Version 1.0)

The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.

Rule 1

Rule

Check VTP Mode [IOS]

Description

A switch may be in one of three VTP modes: server, transparent and client. Set the VTP mode to the desired state.

Applicable Platforms

Cisco IOS Switches

Impact

Even though VTP simplifies VLAN configuration where a large number of VLANs are configured, it may allow an unauthorized switch to become a server and publish a wrong VLAN database.

Suggested Fix

Set the VTP mode to the desired value using the command:

vtp mode <server|client|transparent>

Rule
Description
Constraints

Desired Mode of VTP

VTP can operate in different modes. Server - In VTP server mode, you can create, modify, and delete VLANs and specify other configuration parameters (such as VTP version and VTP pruning) for the entire VTP domain. VTP servers advertise their VLAN configuration to other network devices in the same VTP domain and synchronize their VLAN configuration with other network devices based on advertisements received over trunk links. VTP server is the default mode. Client - VTP clients behave the same way as VTP servers, but you cannot create, change, or delete VLANs on a VTP client. Transparent - VTP transparent network devices do not participate in VTP. A VTP transparent network device does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements. However, in VTP version 2, transparent network devices do forward VTP advertisements that they receive out their trunking LAN ports.

Required: true


Rule 2

Rule

Check VTP Pruning State [IOS]

Description

Enable or Disable VTP pruning for VTP servers based on the desired policy.

Applicable Platforms

Cisco IOS Switches

Impact

None

Suggested Fix

Configure VTP pruning for VTP servers using the command:

[no] vtp pruning

Rule
Description
Constraints

Desired State of VTP Pruning

Desired state of VTP Pruning

Required: true

Default: false


Rule 3

Rule

Make sure VTP Domain name is configured [IOS]

Description

This check will make sure a VTP domain is configured. By default, all the switches respond to all the VTP messages in the network. Configuring a VTP domain prevents a misconfigured switch from overwriting the network's VLAN database.

Applicable Platforms

Cisco IOS Switches

Impact

A mis-configured switch that is added to the network can result in overwriting the VLAN database.

Suggested Fix

Configure a pre-defined domain name on all the VTP enabled switches using the command:

vtp domain <domain name>

Rule 4

Rule

Make sure Desired VTP Domain name is configured [IOS]

Description

This check will make sure a VTP domain is configured. By default, all the switches respond to all the VTP messages in the network. Configuring a VTP domain prevents a misconfigured switch from overwriting the network's VLAN database.

Applicable Platforms

Cisco IOS Switches

Impact

A mis-configured switch that is added to the network can result in overwriting the VLAN database.

Suggested Fix

Configure a pre-defined domain name on all the VTP enabled switches using the command:

vtp domain <domain name>

Rule
Description
Constraints

Domain Name

Desired VLAN domain name. All the switches within a VLAN domain that want to share VLAN database should be configured with the same domain name.

Required: true


Remote Commands

Description

Policies to enforce whether the remote command services (RCP and RSH) are enabled on the device.

Applicable Platforms

Cisco IOS Devices

References

Cisco SAFE Compliance

SAFE: A Security Blueprint for Enterprise Networks

Defence Information System Agency (Section NET0740 of Dec 2, 2005)

DISA Checklist, sometimes referred to as a lockdown guide, hardening guide, or benchmark configuration is essentially a document that contains instructions or procedures to verify compliance to a baseline level of security.

Rule 1

Rule

Remote copy (RCP) service should be [IOS]

Description

Enforce whether RCP service should be enabled or not

Applicable Platforms

Cisco IOS Devices

Impact

None

Suggested Fix

Configure RCP service using the command:

[no] ip rcmd rcp-enable

Rule
Description
Constraints

Status

Remote Copy Service Status

Required: true

Default: false


Rule 2

Rule

Remote Shell (RSH) service should be [IOS]

Description

Enforce whether the Remote Shell (RSH) service should be enabled or not.

Applicable Platforms

Cisco IOS Devices

Impact

None

Suggested Fix

Configure RSH service using the command:

[no] ip rcmd rsh-enable

Rule
Description
Constraints

Status

Remote Shell Service Status

Required: true

Default: false
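
The VTP rules and the Remote Commands rules above are global-configuration checks with a desired state supplied as a policy parameter, and several of them hinge on a value that the running-config does not print when it is the default: VTP server mode, VTP pruning off, and the RCP and RSH services disabled. The following Python is an added example of evaluating those rules against a constructed sample configuration; it is not Cisco Prime LMS code. The desired-state parameters (vtp_mode, vtp_pruning, vtp_domain, rcp, rsh) mirror the constraints listed for each rule, and the IOS defaults it assumes for an absent line are assumptions of this example.

```python
from typing import List, Optional

# Constructed sample of the global section of a running-config (hypothetical; not from the page).
SAMPLE_GLOBAL = """\
hostname dist-sw-1
ip rcmd rsh-enable
vtp domain CORP
vtp pruning
interface Vlan1
 no ip address
!
"""

# IOS default for an absent 'vtp mode' line (assumption of this example; 'vtp pruning'
# and 'ip rcmd ...-enable' are off when absent).
DEFAULT_VTP_MODE = "server"


def global_value(config: str, command: str) -> Optional[str]:
    """Return the arguments of a top-level command ('' if present with none), or None if absent."""
    for line in config.splitlines():
        if line.startswith((" ", "!")):
            continue  # skip interface sub-commands and separators
        if line == command or line.startswith(command + " "):
            return line[len(command):].strip()
    return None


def check_global(config: str, vtp_mode: str = "transparent", vtp_pruning: bool = False,
                 vtp_domain: Optional[str] = None, rcp: bool = False, rsh: bool = False) -> List[str]:
    """Evaluate the VTP and Remote Commands rules against the desired states; one finding per violation."""
    findings: List[str] = []
    onoff = lambda flag: "enabled" if flag else "disabled"
    # VTP Rule 1: mode. An absent line means the default (server) on IOS.
    mode = global_value(config, "vtp mode") or DEFAULT_VTP_MODE
    if mode != vtp_mode:
        findings.append(f"vtp mode is {mode}, desired {vtp_mode}")
    # VTP Rule 2: pruning is on only when the line is present.
    pruning = global_value(config, "vtp pruning") is not None
    if pruning != vtp_pruning:
        findings.append(f"vtp pruning is {onoff(pruning)}, desired {onoff(vtp_pruning)}")
    # VTP Rules 3 and 4: a domain must exist and, if the policy names one, must match it.
    domain = global_value(config, "vtp domain")
    if domain is None:
        findings.append("vtp domain not configured")
    elif vtp_domain is not None and domain != vtp_domain:
        findings.append(f"vtp domain is {domain}, desired {vtp_domain}")
    # Remote Commands Rules 1 and 2: the service is enabled only when the line is present.
    for service, desired in (("rcp", rcp), ("rsh", rsh)):
        enabled = global_value(config, f"ip rcmd {service}-enable") is not None
        if enabled != desired:
            findings.append(f"ip rcmd {service}-enable is {onoff(enabled)}, desired {onoff(desired)}")
    return findings
```

With the defaults (transparent mode, pruning off, any domain, RCP and RSH disabled) the sample yields three findings: the switch is silently a VTP server because no vtp mode line is present, pruning is on, and RSH is enabled. One caveat when applying this to real devices: on older Catalyst platforms VTP mode and domain are kept in vlan.dat rather than the running-config, so show vtp status is the authoritative source for the first two rules.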


AAA

Description

By using AAA along with a security server, you can control access to routers and other network services from a centralized location. This allows for easier management of user accounts and privileges and provides additional capabilities for auditing of network service usage.

Applicable Platforms

Cisco IOS Devices

References

BS 7799, ISO/IEC 17799, ISO/IEC 27001 (Section 11.4.1 of Second Edition, 2005-06-15)

Information Technology - Code of practice for information security management.

Payment Card Industry Data Security Standard (PCI) (8.3, 8.5 of Version 1.1, September, 2006)

The Payment Card Industry (PCI) Data Security Standard resulted from a collaboration between Visa and MasterCard to create common industry security requirements. Other card companies operating in the U.S. have also endorsed the Standard within their respective programs. PCI Data Security requirements apply to all members, merchants and service providers that store, process or transmit cardholder data.

National Security Agency (NSA) Cisco Router Configuration Guide (Section 4.1.5 Page 59, Section 4.6 Pages 175, 176, Section 4.6.2 Pages 182, 185 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

SANS Router Security Policy(Section 3.0(1))

The SANS (SysAdmin, Audit, Network, Security) Institute publishes security policy to help system administrators with rapid development and implementation of information security policies.

National Security Agency (NSA) Cisco Switch Configuration Guide(Section 13.2, Page 48 of Version 1.0)

The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.

Cisco SAFE Compliance(1.1b)

SAFE: A Security Blueprint for Enterprise Networks

Control Objectives for Information and Related Technology(PO4, DS5 of 4.0)

COBIT (Control Objectives for Information and Related Technology) is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT is a de-facto standard used by most auditors when auditing the IT section of Sarbanes-Oxley (SOX) compliance.

Health Insurance Portability and Accountability Act.(164.308(a)(4)(ii), 164.312(a)(1), 164.312(d))

HIPAA (Health Insurance Portability and Accountability Act) is designed to protect confidential healthcare information through improved security standards and federal privacy legislation. It defines requirements for storing patient information before, during and after electronic transmission. The Centers for Medicare & Medicaid Services (CMS) have provided a Security Rule (45 CFR Parts 160 and 164) which was adopted to implement provisions of HIPAA.

Department of Homeland Security (DHS) Compliance(Section 1.2, Page 8 of Version 2.0)

This document is being distributed to provide Department of Homeland Security (DHS) Cisco Router systems administrators with a clear, concise set of procedures that will ensure a minimum baseline of security when an existing Cisco Router is being installed or configured. All settings and parameters presented in this document are the baseline security which all Cisco Router systems must meet.

Center for Internet Security, Benchmark for Cisco IOS.(Section 1.1.1.1, Page: 6 of Version 2.2, Nov 2007)

The CIS Benchmark for Cisco IOS recommends the prudent level of minimum due care for operating system security. It contains some security configuration recommendations that affect functionality, and these are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All IOS devices should implement these settings.

Rule 1

Rule

AAA service should be enabled [IOS]

Description

By using AAA along with a security server, you can control access to routers and other network services from a centralized location. This allows for easier management of user accounts and privileges and provides additional capabilities for auditing of network service usage.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact

Suggested Fix

Enable AAA configuration using the command:

aaa new-model

Rule 2

Rule

Minimum Number of Radius Servers Configured Globally [IOS]

Description

By using AAA along with a security server, you can control access to routers and other network services from a centralized location. This allows for easier management of user accounts and privileges and provides additional capabilities for auditing of network service usage.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact

Suggested Fix

Configure required RADIUS servers using the command:

radius-server host <host name>

Rule: Minimum Radius Servers Configured Globally
Description: Number of minimum desired RADIUS servers to be configured globally.
Constraints: Required: true; Min Value: 1; Max Value: 2147483647


Rule 3

Rule

Minimum Number of TACACS+ Servers Configured Globally [IOS]

Description

By using AAA along with a security server, you can control access to routers and other network services from a centralized location. This allows for easier management of user accounts and privileges and provides additional capabilities for auditing of network service usage.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact.

Suggested Fix

Configure required TACACS servers using the command:

tacacs-server host <host name>

Rule: Minimum TACACS+ Servers Configured Globally
Description: Number of minimum desired TACACS+ servers to be configured globally.
Constraints: Required: true; Min Value: 1; Max Value: 2147483647


Rule 4

Rule

Radius Servers should be authenticated [IOS]

Description

This rule checks to make sure all the radius-servers configured on the router are configured with a shared key. This rule does not check to see if each radius-server is actually used in AAA or not. A RADIUS server and a Cisco router use a shared secret text string to encrypt passwords and exchange responses. To configure RADIUS to use the AAA security commands, you must specify the host running the RADIUS server daemon and a secret text (key) string that it shares with the router.

Applicable Platforms

Cisco IOS Devices

Impact

Communication between the RADIUS server and the device is sent in plain text.

Suggested Fix

Configure the RADIUS key, either globally for all servers or per server, using the commands:

radius-server key <key>
radius-server host <host name> key <key>

Rule 5

Rule

TACACS Servers should be authenticated [IOS]

Description

This rule checks to make sure all the tacacs-servers configured on the router are configured with a shared key. This rule does not check to see if each tacacs-server is actually used in AAA or not. A TACACS+ server and a Cisco router use a shared secret text string to encrypt passwords and exchange responses. To configure TACACS+ to use the AAA security commands, you must specify the host running the TACACS+ server daemon and a secret text (key) string that it shares with the router.

Applicable Platforms

Cisco IOS Devices

Impact

Communication between the TACACS+ server and the device is sent in plain text.

Suggested Fix

Configure the TACACS+ key, either globally for all servers or per server, using the commands:

tacacs-server key <key>
tacacs-server host <host name> key <key>
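The five AAA rules above (AAA enabled, minimum RADIUS and TACACS+ server counts, and a shared key on every server) can be evaluated offline against a saved running-config. This is an added example, not code from Cisco Prime LMS; the config snippet, addresses and key strings are constructed, and only the legacy radius-server host / tacacs-server host syntax used in the rules above is recognized.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample running-config: AAA enabled, one RADIUS server with a
# per-host key and one without, two TACACS+ servers covered by a global key.
SAMPLE_CONFIG = """
!
aaa new-model
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key 7 0822455D0A16
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813
tacacs-server host 198.51.100.5
tacacs-server host 198.51.100.6
tacacs-server key 7 094F471A1A0A
!
"""

Finding = Tuple[bool, str]  # (compliant, detail)


def config_lines(cfg: str) -> List[str]:
    """Drop blank lines and IOS comment lines ('!')."""
    return [l.strip() for l in cfg.splitlines()
            if l.strip() and not l.strip().startswith("!")]


def legacy_servers(lines: List[str], proto: str) -> Dict[str, bool]:
    """Map every '<proto>-server host' entry to whether it carries its own 'key'."""
    hosts: Dict[str, bool] = {}
    host_re = re.compile(rf"^{proto}-server host (\S+)(.*)$")
    for line in lines:
        m = host_re.match(line)
        if m:
            hosts[m.group(1)] = re.search(r"\bkey\b", m.group(2)) is not None
    return hosts


def has_global_key(lines: List[str], proto: str) -> bool:
    """'radius-server key ...' / 'tacacs-server key ...' covers hosts without their own key."""
    return any(line.startswith(f"{proto}-server key ") for line in lines)


def check_aaa(cfg: str, min_radius: int = 1, min_tacacs: int = 1) -> Dict[str, Finding]:
    """Evaluate AAA rules 1-5: AAA enabled, server counts, every server keyed."""
    lines = config_lines(cfg)
    results: Dict[str, Finding] = {}
    enabled = "aaa new-model" in lines
    results["aaa_enabled"] = (enabled, "aaa new-model present" if enabled else "aaa new-model missing")
    for proto, minimum in (("radius", min_radius), ("tacacs", min_tacacs)):
        hosts = legacy_servers(lines, proto)
        results[f"{proto}_min_servers"] = (
            len(hosts) >= minimum, f"{len(hosts)} configured, {minimum} required")
        # A server is authenticated if it has its own key or a global key exists.
        unkeyed = [] if has_global_key(lines, proto) else [h for h, own in hosts.items() if not own]
        results[f"{proto}_servers_keyed"] = (
            not unkeyed, "all servers keyed" if not unkeyed else "no shared key: " + ", ".join(unkeyed))
    return results


if __name__ == "__main__":
    for rule, (ok, detail) in check_aaa(SAMPLE_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'} {rule}: {detail}")
```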

AAA Accounting - Commands

Description

Accounting enables you to track the services users are accessing as well as the amount of network resources they are consuming. When AAA accounting is activated, the network access server reports user activity to the RADIUS or TACACS+ security server (depending on which security method you have implemented) in the form of accounting records. Each accounting record is comprised of accounting AV pairs and is stored on the access control server. This data can then be analyzed for network management, client billing, and/or auditing. All accounting methods must be defined through AAA. As with authentication and authorization, you configure AAA accounting by defining a named list of accounting methods, and then applying that list to various interfaces.

Commands accounting runs accounting for all commands at the specified privilege level. Valid privilege level entries are integers from 0 through 15.

Applicable Platforms

Cisco IOS Devices

References

BS 7799, ISO/IEC 17799, ISO/IEC 27001(Section 11.4.1 of Second Edition, 2005-06-15)

Information Technology - Code of practice for information security management.

National Security Agency (NSA) Cisco Router Configuration Guide(Section 4.6, Page 178 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

National Security Agency (NSA) Cisco Switch Configuration Guide(Section 13.2.3, Page 50 of Version 1.0)

The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.

Control Objectives for Information and Related Technology(PO4, DS5 of 4.0)

COBIT (Control Objectives for Information and Related Technology) is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT is a de-facto standard used by most auditors when auditing the IT section of Sarbanes-Oxley (SOX) compliance.

Center for Internet Security, Benchmark for Cisco IOS.(Section 2.1.1.3,Page:36 of Version 2.2, Nov 2007)

The CIS Benchmark for Cisco IOS recommends the prudent level of minimum due care for operating system security. It contains some security configuration recommendations that affect functionality, and these are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All IOS devices should implement these settings.

Rule 1

Rule

Minimum Number of TACACS+ Servers to be used for Commands Accounting [IOS]

Description

This rule checks that the minimum number of TACACS+ servers is used for Commands Accounting.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact.

Suggested Fix

Include TACACS+ servers in the AAA Commands accounting method list that is applied to the line configuration, using the commands:

aaa new-model
aaa group server tacacs+ <group name>
 server <Hostname or A.B.C.D IP address of server>
!
tacacs-server host <Hostname or A.B.C.D IP address of TACACS server>
aaa accounting commands <level> <list name> start-stop group <group name>
line vty 0 15
 accounting commands <level> <list name>

Rule: No. of Minimum Desired TACACS+ Servers
Description: Number of minimum desired TACACS+ servers to be configured to use for accounting.
Constraints: Required: true; Min Value: 1; Max Value: 2147483647


Rule 2

Rule

Commands Accounting should include required TACACS+ Servers [IOS]

Description

This rule checks that required TACACS+ servers are used for Commands Accounting using AAA.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact.

Suggested Fix

Include TACACS+ servers in the AAA Commands accounting method list that is applied to the line configuration, using the commands:

aaa new-model
aaa group server tacacs+ <group name>
 server <Hostname or A.B.C.D IP address of server>
!
tacacs-server host <Hostname or A.B.C.D IP address of TACACS server>
aaa accounting commands <level> <list name> start-stop group <group name>
line vty 0 15
 accounting commands <level> <list name>

Rule: Included TACACS+ Servers
Description: List of TACACS+ servers that a device should be configured to use. Using the TACACS+ Server Editor option, you can add, remove or update TACACS+ server details. You can also change the order of the server details.
Constraints: Required: true


AAA Accounting - Connections

Description

Accounting enables you to track the services users are accessing as well as the amount of network resources they are consuming. When AAA accounting is activated, the network access server reports user activity to the RADIUS or TACACS+ security server (depending on which security method you have implemented) in the form of accounting records. Each accounting record is comprised of accounting AV pairs and is stored on the access control server. This data can then be analyzed for network management, client billing, and/or auditing. All accounting methods must be defined through AAA. As with authentication and authorization, you configure AAA accounting by defining a named list of accounting methods, and then applying that list to various interfaces.

Connection accounting provides information about all outbound connections made from the network access server, such as Telnet, local-area transport (LAT), TN3270, packet assembler/disassembler (PAD), and rlogin.

Applicable Platforms

Cisco IOS Devices

References

BS 7799, ISO/IEC 17799, ISO/IEC 27001(Section 11.4.1 of Second Edition, 2005-06-15)

Information Technology - Code of practice for information security management.

National Security Agency (NSA) Cisco Router Configuration Guide(Section 4.6, Page 178 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

National Security Agency (NSA) Cisco Switch Configuration Guide(Section 13.2.3, Page 50 of Version 1.0)

The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.

Center for Internet Security, Benchmark for Cisco IOS.(Section 2.1.1.4,Page:37 of Version 2.2, Nov 2007)

The CIS Benchmark for Cisco IOS recommends the prudent level of minimum due care for operating system security. It contains some security configuration recommendations that affect functionality, and these are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All IOS devices should implement these settings.

Rule 1

Rule

Minimum Number of RADIUS Servers to be used for Connection Accounting [IOS]

Description

This rule checks that the minimum number of RADIUS servers is used for Connection Accounting.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact.

Suggested Fix

Include RADIUS servers in the AAA Connection accounting method list that is applied to the line configuration, using the commands:

aaa new-model
aaa group server radius <group name>
 server <Hostname or A.B.C.D IP address of server>
!
radius-server host <Hostname or A.B.C.D IP address of RADIUS server>
aaa accounting connection <list name> start-stop group <group name>
line vty 0 15
 accounting connection <list name>

Rule: Number of Minimum Desired RADIUS Servers
Description: Number of minimum desired RADIUS servers to be configured to use for accounting.
Constraints: Required: true; Min Value: 1; Max Value: 2147483647


Rule 2

Rule

Minimum Number of TACACS+ Servers to be used for Connection Accounting [IOS]

Description

This rule checks that the minimum number of TACACS+ servers is used for Connection Accounting.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact.

Suggested Fix

Include TACACS+ servers in the AAA Connection accounting method list that is applied to the line configuration, using the commands:

aaa new-model
aaa group server tacacs+ <group name>
 server <Hostname or A.B.C.D IP address of server>
!
tacacs-server host <Hostname or A.B.C.D IP address of TACACS server>
aaa accounting connection <list name> start-stop group <group name>
line vty 0 15
 accounting connection <list name>

Rule: Number of Minimum Desired TACACS+ Servers
Description: Number of minimum desired TACACS+ servers to be configured to use for accounting.
Constraints: Required: true; Min Value: 1; Max Value: 2147483647


Rule 3

Rule

Connection Accounting should include required RADIUS Servers [IOS]

Description

This rule checks that Connection Accounting includes the required RADIUS servers.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact.

Suggested Fix

Include RADIUS servers in the AAA Connection accounting method list that is applied to the line configuration, using the commands:

aaa new-model
aaa group server radius <group name>
 server <Hostname or A.B.C.D IP address of server>
!
radius-server host <Hostname or A.B.C.D IP address of RADIUS server>
aaa accounting connection <list name> start-stop group <group name>
line vty 0 15
 accounting connection <list name>

Rule: Included RADIUS Servers
Description: List of RADIUS servers that a device should be configured to use. Using the RADIUS Server Editor option, you can add, remove or update RADIUS server details. You can also change the order of the server details.
Constraints: Required: true


Rule 4

Rule

Connection Accounting should include required TACACS+ Servers [IOS]

Description

This rule checks that Connection Accounting includes the required TACACS+ servers.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact.

Suggested Fix

Include TACACS+ servers in the AAA Connection accounting method list that is applied to the line configuration, using the commands:

aaa new-model
aaa group server tacacs+ <group name>
 server <Hostname or A.B.C.D IP address of server>
!
tacacs-server host <Hostname or A.B.C.D IP address of TACACS server>
aaa accounting connection <list name> start-stop group <group name>
line vty 0 15
 accounting connection <list name>

Rule: Include TACACS+ Servers
Description: List of TACACS+ servers that a device should be configured to use. Using the TACACS+ Server Editor option, you can add, remove or update TACACS+ server details. You can also change the order of the server details.
Constraints: Required: true


AAA Accounting - Exec

Description

Accounting enables you to track the services users are accessing as well as the amount of network resources they are consuming. When AAA accounting is activated, the network access server reports user activity to the RADIUS or TACACS+ security server (depending on which security method you have implemented) in the form of accounting records. Each accounting record is comprised of accounting AV pairs and is stored on the access control server. This data can then be analyzed for network management, client billing, and/or auditing. All accounting methods must be defined through AAA. As with authentication and authorization, you configure AAA accounting by defining a named list of accounting methods, and then applying that list to various interfaces.

EXEC accounting provides information about user EXEC terminal sessions (user shells) on the network access server, including username, date, start and stop times, the access server IP address, and (for dial-in users) the telephone number the call originated from.

Applicable Platforms

Cisco IOS Devices

References

BS 7799, ISO/IEC 17799, ISO/IEC 27001(Section 11.4.1 of Second Edition, 2005-06-15)

Information Technology - Code of practice for information security management.

National Security Agency (NSA) Cisco Router Configuration Guide(Section 4.6, Page 178 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

National Security Agency (NSA) Cisco Switch Configuration Guide(Section 13.2.3, Page 50 of Version 1.0)

The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.

Center for Internet Security, Benchmark for Cisco IOS.(Section 2.1.1.5,Page:37 of Version 2.2, Nov 2007)

The CIS Benchmark for Cisco IOS recommends the prudent level of minimum due care for operating system security. It contains some security configuration recommendations that affect functionality, and these are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All IOS devices should implement these settings.

Rule 1

Rule

Minimum Number of RADIUS Servers to be used for EXEC Accounting [IOS]

Description

This rule checks that the minimum number of RADIUS servers is used for EXEC Accounting.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact.

Suggested Fix

Include RADIUS servers in the AAA EXEC accounting method list that is applied to the line configuration, using the commands:

aaa new-model
aaa group server radius <group name>
 server <Hostname or A.B.C.D IP address of server>
!
radius-server host <Hostname or A.B.C.D IP address of RADIUS server>
aaa accounting exec <list name> start-stop group <group name>
line vty 0 15
 accounting exec <list name>

Rule: Number of Minimum Desired RADIUS Servers
Description: Number of minimum desired RADIUS servers to be configured to use for accounting.
Constraints: Required: true; Min Value: 1; Max Value: 2147483647


Rule 2

Rule

Minimum Number of TACACS+ Servers to be used for EXEC Accounting [IOS]

Description

This rule checks that the minimum number of TACACS+ servers is used for EXEC Accounting.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact.

Suggested Fix

Include TACACS+ servers in the AAA EXEC accounting method list that is applied to the line configuration, using the commands:

aaa new-model
aaa group server tacacs+ <group name>
 server <Hostname or A.B.C.D IP address of server>
!
tacacs-server host <Hostname or A.B.C.D IP address of TACACS server>
aaa accounting exec <list name> start-stop group <group name>
line vty 0 15
 accounting exec <list name>

Rule: Number of Minimum Desired TACACS+ Servers
Description: Number of minimum desired TACACS+ servers to be configured to use for accounting.
Constraints: Required: true; Min Value: 1


Rule 3

Rule

EXEC Accounting should include required RADIUS Servers [IOS]

Description

This rule checks that EXEC Accounting includes the required RADIUS servers.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact.

Suggested Fix

Include RADIUS servers in the AAA EXEC accounting method list that is applied to the line configuration, using the commands:

aaa new-model
aaa group server radius <group name>
 server <Hostname or A.B.C.D IP address of server>
!
radius-server host <Hostname or A.B.C.D IP address of RADIUS server>
aaa accounting exec <list name> start-stop group <group name>
line vty 0 15
 accounting exec <list name>

Rule: Include RADIUS Servers
Description: List of RADIUS servers that a device should be configured to use. Using the RADIUS Server Editor option, you can add, remove or update RADIUS server details. You can also change the order of the server details.
Constraints: Required: true


Rule 4

Rule

EXEC Accounting should include required TACACS+ Servers [IOS]

Description

This rule checks that EXEC Accounting includes the required TACACS+ servers.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact.

Suggested Fix

Include TACACS+ servers in the AAA EXEC accounting method list that is applied to the line configuration, using the commands:

aaa new-model
aaa group server tacacs+ <group name>
 server <Hostname or A.B.C.D IP address of server>
!
tacacs-server host <Hostname or A.B.C.D IP address of TACACS server>
aaa accounting exec <list name> start-stop group <group name>
line vty 0 15
 accounting exec <list name>

Rule: Include TACACS+ Servers
Description: List of TACACS+ servers that a device should be configured to use. Using the TACACS+ Server Editor option, you can add, remove or update TACACS+ server details. You can also change the order of the server details.
Constraints: Required: true
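The "minimum servers" and "required servers" rules for Commands, Connection and EXEC accounting all reduce to one check: resolve the accounting method list applied on each vty line to the server groups it references and compare the resulting server set with the policy. The following is an added example (not Cisco Prime LMS code) that performs this check for any of those line-based accounting types; the sample config, addresses and list names are constructed, it recognizes the legacy tacacs-server host / radius-server host syntax, and it relies on IOS applying the list named default to lines that name no list.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample running-config (not from a real device): two TACACS+ servers
# in a named group, commands accounting applied only to vty 0-4, EXEC accounting
# through the 'default' list, which IOS applies to every line automatically.
SAMPLE_CONFIG = """aaa new-model
tacacs-server host 198.51.100.5
tacacs-server host 198.51.100.6
tacacs-server key 7 094F471A1A0A
aaa group server tacacs+ TAC-ACCT
 server 198.51.100.5
 server 198.51.100.6
aaa accounting commands 15 CMD-ACCT start-stop group TAC-ACCT
aaa accounting exec default start-stop group tacacs+
line vty 0 4
 accounting commands 15 CMD-ACCT
line vty 5 15
 transport input ssh
"""

Block = Tuple[str, List[str]]  # (top-level command, indented sub-commands)

def blocks(cfg: str) -> List[Block]:
    """Split an IOS config into top-level commands with their indented children."""
    out: List[Block] = []
    for raw in cfg.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and out:
            out[-1][1].append(raw.strip())
        else:
            out.append((raw.strip(), []))
    return out

def server_groups(cfg: List[Block], proto: str) -> Dict[str, Set[str]]:
    """Named 'aaa group server <proto>' groups plus the implicit group named after
    the protocol ('tacacs+' / 'radius'), which holds every globally defined host."""
    legacy = proto.rstrip("+")  # 'tacacs+' hosts are defined by 'tacacs-server host'
    groups: Dict[str, Set[str]] = {proto: set()}
    for head, children in cfg:
        host = re.match(rf"^{legacy}-server host (\S+)", head)
        if host:
            groups[proto].add(host.group(1))
        grp = re.match(rf"^aaa group server {re.escape(proto)} (\S+)$", head)
        if grp:
            members: Set[str] = set()
            for child in children:
                m = re.match(r"^server(?:-private)? (\S+)", child)
                if m:
                    members.add(m.group(1))
            groups[grp.group(1)] = members
    return groups

def method_lists(cfg: List[Block], acct: str, level: Optional[int] = None) -> Dict[str, List[str]]:
    """Map each 'aaa accounting <acct> [<level>] <list> ... group G1 [group G2]' to its groups."""
    prefix = f"aaa accounting {acct} " + (f"{level} " if level is not None else "")
    lists: Dict[str, List[str]] = {}
    for head, _ in cfg:
        if head.startswith(prefix):
            tokens = head[len(prefix):].split()
            lists[tokens[0]] = [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == "group"]
    return lists

def lists_on_vty(cfg: List[Block], acct: str, level: Optional[int] = None) -> Dict[str, str]:
    """Method list each 'line vty' range applies for this accounting type; a line that
    names no list falls back to the list called 'default'."""
    sub = f"accounting {acct} " + (f"{level} " if level is not None else "")
    applied: Dict[str, str] = {}
    for head, children in cfg:
        if head.startswith("line vty"):
            applied[head] = "default"
            for child in children:
                if child.startswith(sub):
                    applied[head] = child[len(sub):].split()[0]
    return applied

def check_accounting(config: str, acct: str, proto: str, required: Set[str],
                     minimum: int = 1, level: Optional[int] = None) -> List[str]:
    """Findings for the 'minimum servers' and 'required servers' rules on every vty
    line range; an empty list means the device is compliant for this accounting type."""
    cfg = blocks(config)
    groups = server_groups(cfg, proto)
    lists = method_lists(cfg, acct, level)
    findings: List[str] = []
    for line, name in lists_on_vty(cfg, acct, level).items():
        if name not in lists:
            findings.append(f"{line}: no '{acct}' accounting list '{name}' is defined")
            continue
        servers: Set[str] = set()
        for group in lists[name]:
            servers |= groups.get(group, set())  # groups of another protocol add nothing
        missing = required - servers
        if missing:
            findings.append(f"{line}: list '{name}' omits required {proto} servers {sorted(missing)}")
        if len(servers) < minimum:
            findings.append(f"{line}: list '{name}' reaches {len(servers)} {proto} servers, {minimum} required")
    return findings
```

In the constructed config, commands accounting at level 15 is reported as non-compliant on line vty 5 15 because no list is named there and no default commands list exists, while EXEC accounting passes on every line through the default list.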


AAA Accounting - Network

Description

Accounting enables you to track the services users are accessing as well as the amount of network resources they are consuming. When AAA accounting is activated, the network access server reports user activity to the RADIUS or TACACS+ security server (depending on which security method you have implemented) in the form of accounting records. Each accounting record is comprised of accounting AV pairs and is stored on the access control server. This data can then be analyzed for network management, client billing, and/or auditing. All accounting methods must be defined through AAA. As with authentication and authorization, you configure AAA accounting by defining a named list of accounting methods, and then applying that list to various interfaces.

Network accounting provides information for all PPP, SLIP, or ARAP sessions, including packet and byte counts.

Applicable Platforms

Cisco IOS Devices

References

BS 7799, ISO/IEC 17799, ISO/IEC 27001(Section 11.4.1 of Second Edition, 2005-06-15)

Information Technology - Code of practice for information security management.

National Security Agency (NSA) Cisco Router Configuration Guide(Section 4.6, Page 178 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

National Security Agency (NSA) Cisco Switch Configuration Guide(Section 13.2.3, Page 50 of Version 1.0)

The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.

Center for Internet Security, Benchmark for Cisco IOS.(Section 2.1.1.6,Page:38 of Version 2.2, Nov 2007)

The CIS Benchmark for Cisco IOS recommends the prudent level of minimum due care for operating system security. It contains some security configuration recommendations that affect functionality, and these are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All IOS devices should implement these settings.

Rule 1

Rule

Minimum Number of RADIUS Servers to be used for Network Accounting [IOS]

Description

This rule checks that the minimum number of RADIUS servers is used for Network Accounting.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact

Suggested Fix

Include RADIUS servers in the AAA network accounting method list and apply that list on the PPP interfaces (a list named default is applied to all interfaces automatically), using the commands:

aaa new-model
aaa group server radius <group name>
 server <Hostname or A.B.C.D IP address of server>
!
radius-server host <Hostname or A.B.C.D IP address of RADIUS server>
aaa accounting network <list name> start-stop group <group name>
interface <interface>
 ppp accounting <list name>

Rule: Number of Minimum Desired RADIUS Servers
Description: Number of minimum desired RADIUS servers to be configured to use for accounting.
Constraints: Required: true; Min Value: 1; Max Value: 2147483647


Rule 2

Rule

Minimum Number of TACACS+ Servers to be used for Network Accounting [IOS]

Description

This rule checks that the minimum number of TACACS+ servers is used for Network Accounting.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact

Suggested Fix

Include TACACS+ servers in the AAA network accounting method list and apply that list on the PPP interfaces (a list named default is applied to all interfaces automatically), using the commands:

aaa new-model
aaa group server tacacs+ <group name>
 server <Hostname or A.B.C.D IP address of server>
!
tacacs-server host <Hostname or A.B.C.D IP address of TACACS server>
aaa accounting network <list name> start-stop group <group name>
interface <interface>
 ppp accounting <list name>

Rule: Number of Minimum Desired TACACS+ Servers
Description: Number of minimum desired TACACS+ servers to be configured to use for accounting.
Constraints: Required: true; Min Value: 1; Max Value: 2147483647


Rule 3

Rule

Network Accounting should include required RADIUS Servers [IOS]

Description

This rule checks that Network Accounting includes the required RADIUS servers.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact

Suggested Fix

Include RADIUS servers in the AAA network accounting method list and apply that list on the PPP interfaces (a list named default is applied to all interfaces automatically), using the commands:

aaa new-model
aaa group server radius <group name>
 server <Hostname or A.B.C.D IP address of server>
!
radius-server host <Hostname or A.B.C.D IP address of RADIUS server>
aaa accounting network <list name> start-stop group <group name>
interface <interface>
 ppp accounting <list name>

Rule: Included RADIUS Servers
Description: List of RADIUS servers that a device should be configured to use. Using the RADIUS Server Editor option, you can add, remove or update RADIUS server details. You can also change the order of the server details.
Constraints: Required: true


Rule 4

Rule

Network Accounting should include required TACACS+ Servers [IOS]

Description

This rule checks that Network Accounting includes the required TACACS+ servers.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact

Suggested Fix

Include TACACS+ servers in the AAA network accounting method list and apply that list on the PPP interfaces (a list named default is applied to all interfaces automatically), using the commands:

aaa new-model
aaa group server tacacs+ <group name>
 server <Hostname or A.B.C.D IP address of server>
!
tacacs-server host <Hostname or A.B.C.D IP address of TACACS server>
aaa accounting network <list name> start-stop group <group name>
interface <interface>
 ppp accounting <list name>

Rule: Included TACACS+ Servers
Description: List of TACACS+ servers that a device should be configured to use. Using the TACACS+ Server Editor option, you can add, remove or update TACACS+ server details. You can also change the order of the server details.
Constraints: Required: true


AAA Accounting - System

Description

Accounting enables you to track the services users are accessing as well as the amount of network resources they are consuming. When AAA accounting is activated, the network access server reports user activity to the RADIUS or TACACS+ security server (depending on which security method you have implemented) in the form of accounting records. Each accounting record is comprised of accounting AV pairs and is stored on the access control server. This data can then be analyzed for network management, client billing, and/or auditing. All accounting methods must be defined through AAA. As with authentication and authorization, you configure AAA accounting by defining a named list of accounting methods, and then applying that list to various interfaces.

System accounting provides information about all system-level events (for example, when the system reboots or when accounting is turned on or off).

Applicable Platforms

Cisco IOS Devices

References

BS 7799, ISO/IEC 17799, ISO/IEC 27001(Section 11.4.1 of Second Edition, 2005-06-15)

Information Technology - Code of practice for information security management.

National Security Agency (NSA) Cisco Router Configuration Guide(Section 4.6, Page 178 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

National Security Agency (NSA) Cisco Switch Configuration Guide(Section 13.2.3, Page 50 of Version 1.0)

The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.

Center for Internet Security, Benchmark for Cisco IOS.(Section 2.1.1.7,Page:38 of Version 2.2, Nov 2007)

CIS benchmark Cisco IOS, recommends the prudent level of minimum due care for operating system security. CIS benchmark IOS, contains some security configuration recommendations that affect functionality, and are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All IOS devices should implement these settings.

Rule 1

Rule

Minimum Number of RADIUS Servers to be used for System Accounting [IOS]

Description

This rule checks that at least the configured minimum number of RADIUS servers is used for system accounting.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact

Suggested Fix

Include RADIUS servers in the AAA system accounting method list. System accounting uses only the default method list and takes effect globally; it is not applied to lines:

aaa new-model
aaa group server radius <group-name>
 server <Hostname or A.B.C.D IP address of server>
!
radius-server host <Hostname or A.B.C.D IP address of RADIUS server>
aaa accounting system default start-stop group <group-name>

Rule: Number of Minimum Desired RADIUS Servers

Description: Minimum number of RADIUS servers that must be configured for accounting.

Constraints: Required: true; Min Value: 1; Max Value: 2147483647


Rule 2

Rule

Minimum Number of TACACS+ Servers to be used for System Accounting [IOS]

Description

This rule checks that at least the configured minimum number of TACACS+ servers is used for system accounting.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact

Suggested Fix

Include TACACS+ servers in the AAA system accounting method list. System accounting uses only the default method list and takes effect globally; it is not applied to lines:

aaa new-model
aaa group server tacacs+ <group-name>
 server <Hostname or A.B.C.D IP address of server>
!
tacacs-server host <Hostname or A.B.C.D IP address of TACACS+ server>
aaa accounting system default start-stop group <group-name>

Rule: Number of Minimum Desired TACACS+ Servers

Description: Minimum number of TACACS+ servers that must be configured for accounting.

Constraints: Required: true; Min Value: 1; Max Value: 2147483647


Rule 3

Rule

System Accounting should include required RADIUS Servers [IOS]

Description

This rule checks that system accounting includes the required RADIUS servers.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact.

Suggested Fix

Include the required RADIUS servers in the AAA system accounting method list. System accounting uses only the default method list and takes effect globally; it is not applied to lines:

aaa new-model
aaa group server radius <group-name>
 server <Hostname or A.B.C.D IP address of server>
!
radius-server host <Hostname or A.B.C.D IP address of RADIUS server>
aaa accounting system default start-stop group <group-name>

Rule: Included RADIUS Servers

Description: List of RADIUS servers that the device should be configured to use. Using the RADIUS Server Editor option, you can add, remove, or update RADIUS server details, and change the order of the servers.

Constraints: Required: true


Rule 4

Rule

System Accounting should include required TACACS+ Servers [IOS]

Description

This rule checks that system accounting includes the required TACACS+ servers.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact

Suggested Fix

Include the required TACACS+ servers in the AAA system accounting method list. System accounting uses only the default method list and takes effect globally; it is not applied to lines:

aaa new-model
aaa group server tacacs+ <group-name>
 server <Hostname or A.B.C.D IP address of server>
!
tacacs-server host <Hostname or A.B.C.D IP address of TACACS+ server>
aaa accounting system default start-stop group <group-name>

Rule: Included TACACS+ Servers

Description: List of TACACS+ servers that the device should be configured to use. Using the TACACS+ Server Editor option, you can add, remove, or update TACACS+ server details, and change the order of the servers.

Constraints: Required: true


AAA Authentication - Enable

Description

By using AAA along with security server, you can control access to routers and other network services from a centralized location. This allows for easier management of user accounts and privileges and provides additional capabilities for auditing of network service usage. Enable authentication specifies a series of authentication methods that are used to determine whether a user can access the privileged EXEC command level.

Applicable Platforms

Cisco IOS Devices

References

BS 7799, ISO/IEC 17799, ISO/IEC 27001(Section 11.4.1 of Second Edition, 2005-06-15)

Information Technology - Code of practice for information security management.

Center for Internet Security, Benchmark for Cisco IOS.(Section 1.1.1.3, Page: 7; Section 2.1.1.1,Page:35 of Version 2.2, Nov 2007)

CIS benchmark Cisco IOS, recommends the prudent level of minimum due care for operating system security. CIS benchmark IOS, contains some security configuration recommendations that affect functionality, and are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All IOS devices should implement these settings.

Rule 1

Rule

Minimum Number of RADIUS Servers to be used for Enable Authentication [IOS]

Description

This rule checks that at least the configured minimum number of RADIUS servers is used for enable authentication.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact

Suggested Fix

Include RADIUS servers in the AAA enable authentication method list. Enable authentication uses only the default method list; the trailing enable keyword falls back to the locally configured enable secret when no server responds:

aaa new-model
aaa group server radius <group-name>
 server <Hostname or A.B.C.D IP address of server>
!
radius-server host <Hostname or A.B.C.D IP address of RADIUS server>
aaa authentication enable default group <group-name> enable

Rule: Number of Minimum Desired RADIUS Servers

Description: Minimum number of RADIUS servers that must be configured for authentication.

Constraints: Required: true; Min Value: 1; Max Value: 2147483647


Rule 2

Rule

Minimum Number of TACACS+ Servers to be used for Enable Authentication [IOS]

Description

This rule checks that at least the configured minimum number of TACACS+ servers is used for enable authentication.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact.

Suggested Fix

Include TACACS+ servers in the AAA enable authentication method list. Enable authentication uses only the default method list; the trailing enable keyword falls back to the locally configured enable secret when no server responds:

aaa new-model
aaa group server tacacs+ <group-name>
 server <Hostname or A.B.C.D IP address of server>
!
tacacs-server host <Hostname or A.B.C.D IP address of TACACS+ server>
aaa authentication enable default group <group-name> enable

Rule: Number of Minimum Desired TACACS+ Servers

Description: Minimum number of TACACS+ servers that must be configured for authentication.

Constraints: Required: true; Min Value: 1; Max Value: 2147483647


Rule 3

Rule

Enable Authentication should include required RADIUS Servers [IOS]

Description

This rule checks that enable authentication includes the required RADIUS servers.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact.

Suggested Fix

Include the required RADIUS servers in the AAA enable authentication method list. Enable authentication uses only the default method list; the trailing enable keyword falls back to the locally configured enable secret when no server responds:

aaa new-model
aaa group server radius <group-name>
 server <Hostname or A.B.C.D IP address of server>
!
radius-server host <Hostname or A.B.C.D IP address of RADIUS server>
aaa authentication enable default group <group-name> enable

Rule: Included RADIUS Servers

Description: List of RADIUS servers that the device should be configured to use. Using the RADIUS Server Editor option, you can add, remove, or update RADIUS server details, and change the order of the servers.

Constraints: Required: true


Rule 4

Rule

Enable Authentication should include required TACACS+ Servers [IOS]

Description

This rule checks that enable authentication includes the required TACACS+ servers.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact

Suggested Fix

Include the required TACACS+ servers in the AAA enable authentication method list. Enable authentication uses only the default method list; the trailing enable keyword falls back to the locally configured enable secret when no server responds:

aaa new-model
aaa group server tacacs+ <group-name>
 server <Hostname or A.B.C.D IP address of server>
!
tacacs-server host <Hostname or A.B.C.D IP address of TACACS+ server>
aaa authentication enable default group <group-name> enable

Rule: Included TACACS+ Servers

Description: List of TACACS+ servers that the device should be configured to use. Using the TACACS+ Server Editor option, you can add, remove, or update TACACS+ server details, and change the order of the servers.

Constraints: Required: true


Rule 5

Rule

Check for Usage of "none" in Enable Authentication

Description

This rule checks for usage of "none" in Enable Authentication

Applicable Platforms

Cisco IOS Devices

Impact

If the none keyword is used at the end of an AAA method list, authentication is granted when none of the other methods is available. Users can then pass authentication without any credentials whenever no AAA server is reachable. If the none keyword is not used, it is possible to be locked out of the device when none of the AAA servers is available.

Suggested Fix

Add or remove the none keyword at the end of the default enable method list as your policy requires:

aaa new-model
aaa authentication enable default group <group-name> enable [none]

Rule: Usage of "none" for method

Description: Desired usage of the "none" keyword in the method list. If this keyword is present, authentication succeeds when none of the preceding methods is available.

Constraints: Required: true; Default: false


AAA Authentication - Login

Description

By using AAA along with security server, you can control access to routers and other network services from a centralized location. This allows for easier management of user accounts and privileges and provides additional capabilities for auditing of network service usage. Login authentication specifies a series of authentication methods that are used to determine whether a user can access network device.

Applicable Platforms

Cisco IOS Devices

References

BS 7799, ISO/IEC 17799, ISO/IEC 27001(Section 11.4.1 of Second Edition, 2005-06-15)

Information Technology - Code of practice for information security management.

Payment Card Industry Data Security Standard(PCI).(8.3, 8.5 of Version 1.1, September, 2006)

The Payment Card Industry (PCI) Data Security Standard resulted from a collaboration between Visa and MasterCard to create common industry security requirements. Other card companies operating in the U.S. have also endorsed the Standard within their respective programs. PCI Data Security requirements apply to all members, merchants and service providers that store, process or transmit cardholder data.

National Security Agency (NSA) Cisco Router Configuration Guide(Section 4.1.5 Page 59, Section 4.6 Page 175,176, Section 4.6.2 Page 182, 185 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

SANS Router Security Policy(Section 3.0(1))

The SANS (SysAdmin, Audit, Network, Security) Institute publishes security policy to help system administrators with rapid development and implementation of information security policies.

National Security Agency (NSA) Cisco Switch Configuration Guide(Section 13.2, Page 48 of Version 1.0)

The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.

Cisco SAFE Compliance(1.1b)

SAFE: A Security Blueprint for Enterprise Networks

Control Objectives for Information and Related Technology(PO4, DS5 of 4.0)

COBIT (Control Objectives for Information and Related Technology) is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT is a de-facto standard used by most of the auditors when auditing for IT section of Sarbanes-Oxley (SOX) Compliance.

Health Insurance Portability and Accountability Act.(164.308(a)(4)(ii), 164.312(a)(1), 164.312(d))

HIPAA (Health Insurance Portability and Accountability Act.) is designed to protect confidential healthcare information through improved security standards and federal privacy legislation. It defines requirements for storing patient information before, during and after electronic transmission. Centers for Medicare & Medicaid Services (CMS) has provided a Security Rule (45 CFR Part 160 and 164) which is adopted to implement provisions of the HIPAA.

Defence Information System Agency(Section NET0430 of Dec 2, 2005)

DISA Checklist, sometimes referred to as a lockdown guide, hardening guide, or benchmark configuration is essentially a document that contains instructions or procedures to verify compliance to a baseline level of security.

Department of Homeland Security (DHS) Compliance(Section 1.2, Page 8 of Version 2.0)

This document is being distributed to provide Department of Homeland Security (DHS) Cisco Router systems administrators with a clear, concise set of procedures that will ensure a minimum baseline of security when an existing Cisco Router is being installed or configured. All settings and parameters presented in this document are the baseline security which all Cisco Router systems must meet.

Center for Internet Security, Benchmark for Cisco IOS.(Section 1.1.1.2, Page: 7;Section 2.1.1.2,Page:36 of Version 2.2, Nov 2007)

CIS benchmark Cisco IOS, recommends the prudent level of minimum due care for operating system security. CIS benchmark IOS, contains some security configuration recommendations that affect functionality, and are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All IOS devices should implement these settings.

Rule 1

Rule

Minimum Number of RADIUS Servers to be used for User Authentication [IOS]

Description

By using AAA along with security server, you can control access to routers and other network services from a centralized location. This allows for easier management of user accounts and privileges and provides additional capabilities for auditing of network service usage

Applicable Platforms

Cisco IOS Devices

Impact

No known impact

Suggested Fix

Include RADIUS servers in the AAA login authentication method list and apply that list to the lines using the commands:

aaa new-model
aaa group server radius <group-name>
 server <Hostname or A.B.C.D IP address of server>
!
radius-server host <Hostname or A.B.C.D IP address of RADIUS server>
aaa authentication login <list-name> group <group-name> local
line vty 0 15
 login authentication <list-name>

Rule: Number of Minimum Desired RADIUS Servers

Description: Minimum number of RADIUS servers that must be configured for authentication.

Constraints: Required: true; Min Value: 1; Max Value: 2147483647


Rule 2

Rule

Minimum Number of TACACS+ Servers to be used for User Authentication [IOS]

Description

By using AAA along with security server, you can control access to routers and other network services from a centralized location. This allows for easier management of user accounts and privileges and provides additional capabilities for auditing of network service usage

Applicable Platforms

Cisco IOS Devices

Impact

No known impact

Suggested Fix

Include TACACS+ servers in the AAA login authentication method list and apply that list to the lines using the commands:

aaa new-model
aaa group server tacacs+ <group-name>
 server <Hostname or A.B.C.D IP address of server>
!
tacacs-server host <Hostname or A.B.C.D IP address of TACACS+ server>
aaa authentication login <list-name> group <group-name> local
line vty 0 15
 login authentication <list-name>

Rule: Number of Minimum Desired TACACS+ Servers

Description: Minimum number of TACACS+ servers that must be configured for authentication.

Constraints: Required: true; Min Value: 1; Max Value: 2147483647


Rule 3

Rule

Authentication method should not contain "none" at the end [IOS]

Description

AAA authentication login method should not contain none at the end.

Applicable Platforms

Cisco IOS Devices

Impact

Users may be able to log in to the device without a valid username and password whenever the other authentication methods are unavailable, for whatever reason.

Suggested Fix

Remove the none keyword from the end of the login authentication method list, for example:

aaa new-model
! no trailing none: when every server is unreachable, fall back to local, not to open access
aaa authentication login <list-name> group <group-name> local

Rule 4

Rule

Login authentication should use external AAA server [IOS]

Description

By using AAA along with security server, you can control access to routers and other network services from a centralized location. This allows for easier management of user accounts and privileges and provides additional capabilities for auditing of network service usage

Applicable Platforms

Cisco IOS Devices

Impact

No known impact

Suggested Fix

Include RADIUS or TACACS+ servers in the AAA login authentication method list and apply that list to the lines using the commands:

aaa new-model
aaa group server <tacacs+|radius> <group-name>
 server <Hostname or A.B.C.D IP address of server>
!
aaa authentication login <list-name> group <group-name> local
line vty 0 15
 login authentication <list-name>

Rule: Included RADIUS Servers

Description: List of RADIUS servers that the device should be configured to use. Using the RADIUS Server Editor option, you can add, remove, or update RADIUS server details, and change the order of the servers.

Constraints: Required: false


Rule: Included TACACS+ Servers

Description: List of TACACS+ servers that the device should be configured to use. Using the TACACS+ Server Editor option, you can add, remove, or update TACACS+ server details, and change the order of the servers.

Constraints: Required: false


Rule 5

Rule

All authentication methods should ask Username and Password [IOS]

Description

It is always important to choose the right order for the methods on an AAA authentication method list. For AAA login authentication, the first method on the list determines whether the user is prompted for a username. Methods requiring only a password (for example, the line method) should never be placed ahead of methods requiring both a username and a password, because the user is never prompted for a username and those later methods will always fail.

Applicable Platforms

Cisco IOS Devices

Impact

If the authentication method does not ask for username and password, all subsequent authentication methods in the list will fail.

Suggested Fix

Re-arrange the AAA login authentication methods so that enable and line, which prompt only for a password, always come last:

aaa new-model
! username-prompting methods first, password-only methods (enable, line) last
aaa authentication login <list-name> group <group-name> local enable

Rule 6

Rule

At least one local username should be defined if "local" or "local-case" is used in AAA Authentication login methods [IOS]

Description

The local (and local-case) login authentication method authenticates users against the local username database. If no username is configured in that database, the method can never succeed and serves no purpose.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact

Suggested Fix

Add at least one user to the local username database using the command:

username <user name> secret <password>

Rule 7

Rule

AAA Authentication login methods should include "local" or "local-case" [IOS]

Description

AAA authentication login methods should include local or local-case. Including local or local-case on your method list will guarantee that if the security server(s) is not available, administrators will still be able to gain remote access by using a username and password defined locally on the router.

Applicable Platforms

Cisco IOS Devices

Impact

If all the security servers are down and cannot authenticate users, there will be no way to gain access to the router.

Suggested Fix

Add the local username database as a fallback authentication method using the commands:

aaa new-model
aaa authentication login <list-name> group <group-name> local
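
The checks described by the rules above, from the minimum-server and required-server counts in the accounting and authentication sections through the "none", method-order and local-user rules for login authentication, can be run offline against a saved running-config. The following Python is an added example, not code from Cisco Prime LMS or from this document; the sample configuration, the group names ISE-TAC and CORP-RAD, the server addresses and the username are constructed for the demonstration. It goes slightly beyond the rules above in that it also parses aaa authorization method lists, so the same server-count checks apply to the authorization sections that follow.

```python
"""Offline checks for the AAA method-list rules on this page, run against an IOS running-config.
The sample config below is constructed for the demonstration, not captured from a real device."""
import re
from collections import namedtuple
from dataclasses import dataclass, field
SAMPLE_CONFIG = """\
aaa group server tacacs+ ISE-TAC
 server 10.0.0.11
 server 10.0.0.12
aaa group server radius CORP-RAD
 server 10.0.1.20
radius-server host 10.0.1.21
aaa authentication login VTY group ISE-TAC local
aaa authentication login CONSOLE line group ISE-TAC none
aaa authentication enable default group ISE-TAC enable
aaa accounting system default start-stop group CORP-RAD
aaa accounting network ACCT start-stop group radius
username netops privilege 15 secret 5 $1$xyz$constructedHashValue
"""
PASSWORD_ONLY = {"line", "enable"}                           # methods that prompt for a password only
USERNAME_METHODS = {"group", "local", "local-case", "krb5"}  # methods that prompt for username and password
RECORD_TYPES = {"start-stop", "stop-only", "wait-start", "broadcast"}  # accounting keywords, not methods
KINDS = "login|enable|ppp|arap|exec|commands|network|connection|system|configuration|reverse-access"
LIST_RE = re.compile(rf"aaa (authentication|authorization|accounting) ({KINDS}) (.+)")
MethodList = namedtuple("MethodList", "service kind name methods")  # methods in order, e.g. ["group ISE-TAC", "local"]

@dataclass
class AAAConfig:
    groups: dict = field(default_factory=dict)  # group name -> (protocol, [servers])
    hosts: dict = field(default_factory=lambda: {"radius": [], "tacacs+": []})  # global *-server host lines
    lists: list = field(default_factory=list)
    usernames: set = field(default_factory=set)

def parse(text):
    cfg, group = AAAConfig(), None
    for line in text.splitlines():
        if line and not line[0].isspace():
            group = None  # an unindented line ends the current server-group block
        if m := re.match(r"aaa group server (radius|tacacs\+) (\S+)", line):
            group = m.group(2)
            cfg.groups[group] = (m.group(1), [])
        elif group and (m := re.match(r"\s+server(?:-private)? (\S+)", line)):
            cfg.groups[group][1].append(m.group(1))
        elif m := re.match(r"(radius|tacacs)-server host (\S+)", line):
            cfg.hosts["tacacs+" if m.group(1) == "tacacs" else "radius"].append(m.group(2))
        elif m := re.match(r"username (\S+)", line):
            cfg.usernames.add(m.group(1))
        elif m := LIST_RE.match(line):
            service, kind, rest = m.groups()
            tokens = rest.split()[1:] if kind == "commands" else rest.split()  # drop the privilege level
            it = iter(t for t in tokens[1:] if t not in RECORD_TYPES)            # tokens[0] is the list name
            methods = [f"group {next(it)}" if t == "group" else t for t in it]   # "group <name>" is one method
            cfg.lists.append(MethodList(service, kind, tokens[0], methods))
    return cfg

def lists_for(cfg, service, kind):
    return [l for l in cfg.lists if l.service == service and l.kind == kind]

def servers_for(cfg, mlist, protocol):
    """Distinct `protocol` servers the list reaches; built-in groups radius/tacacs+ mean every global host."""
    found = set()
    for gname in (m.split()[1] for m in mlist.methods if m.startswith("group ")):
        if gname == protocol:
            found.update(cfg.hosts[protocol])
        elif gname in cfg.groups and cfg.groups[gname][0] == protocol:
            found.update(cfg.groups[gname][1])
    return found

def min_server_violations(cfg, service, kind, protocol, minimum):
    """'Minimum Number of ... Servers' rules: lists that reach fewer than `minimum` servers."""
    return [l.name for l in lists_for(cfg, service, kind) if len(servers_for(cfg, l, protocol)) < minimum]

def missing_required_servers(cfg, service, kind, protocol, required):
    """'... should include required ... Servers' rules: list name -> required servers it lacks."""
    gaps = {l.name: set(required) - servers_for(cfg, l, protocol) for l in lists_for(cfg, service, kind)}
    return {name: missing for name, missing in gaps.items() if missing}

def trailing_none(cfg, service, kind):
    """'... should not contain "none" at the end': lists that fail open when no server answers."""
    return [l.name for l in lists_for(cfg, service, kind) if l.methods and l.methods[-1] == "none"]

def password_only_before_username(cfg):
    """'All authentication methods should ask Username and Password': line/enable ahead of a username method."""
    return [l.name for l in lists_for(cfg, "authentication", "login")
            if any(m in PASSWORD_ONLY and any(n.split()[0] in USERNAME_METHODS for n in l.methods[i + 1:])
                   for i, m in enumerate(l.methods))]

def local_without_users(cfg):
    """'At least one local username should be defined if local or local-case is used'."""
    return [l.name for l in lists_for(cfg, "authentication", "login")
            if {"local", "local-case"} & set(l.methods) and not cfg.usernames]

def login_lists_without_local(cfg):
    """'AAA Authentication login methods should include local or local-case' (lock-out guard)."""
    return [l.name for l in lists_for(cfg, "authentication", "login") if not {"local", "local-case"} & set(l.methods)]

if __name__ == "__main__":
    cfg = parse(SAMPLE_CONFIG)
    print("login lists ending in none:", trailing_none(cfg, "authentication", "login"))
    print("password-only method ahead of a username method:", password_only_before_username(cfg))
```

parse() credits a method list with the servers it can actually reach: a named server group contributes its server entries, while the built-in groups radius and tacacs+ resolve to the globally configured radius-server host and tacacs-server host entries. Each check returns the names of the offending method lists, which is what you need to map a finding back to the rule and the line or interface where that list is applied.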

AAA Authorization - Commands

Description

AAA authorization enables you to limit the services available to a user. When AAA authorization is enabled, the network access server uses information retrieved from the user's profile, which is located either in the local user database or on the security server, to configure the user's session. Once this is done, the user will be granted access to a requested service only if the information in the user profile allows it. Commands authorization applies to the EXEC mode commands a user issues. Command authorization attempts authorization for all EXEC mode commands, including global configuration commands, associated with a specific privilege level.

Applicable Platforms

Cisco IOS Devices

References

BS 7799, ISO/IEC 17799, ISO/IEC 27001(Section 11.4.1 of Second Edition, 2005-06-15)

Information Technology - Code of practice for information security management.

National Security Agency (NSA) Cisco Router Configuration Guide(Section 4.6, Page 177 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

National Security Agency (NSA) Cisco Switch Configuration Guide(Section 13.2.2, Page 50 of Version 1.0)

The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.

Health Insurance Portability and Accountability Act.(164.308(a)(3)(ii))

HIPAA (Health Insurance Portability and Accountability Act.) is designed to protect confidential healthcare information through improved security standards and federal privacy legislation. It defines requirements for storing patient information before, during and after electronic transmission. Centers for Medicare & Medicaid Services (CMS) has provided a Security Rule (45 CFR Part 160 and 164) which is adopted to implement provisions of the HIPAA.

Rule 1

Rule

Minimum Number of TACACS+ Servers to be used for Commands Authorization [IOS]

Description

This rule checks that at least the configured minimum number of TACACS+ servers is used for commands authorization through AAA.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact

Suggested Fix

Include TACACS+ servers in the AAA commands authorization method list and apply that list to the lines using the commands:

aaa new-model
aaa group server tacacs+ <group-name>
 server <Hostname or A.B.C.D IP address of server>
!
tacacs-server host <Hostname or A.B.C.D IP address of TACACS+ server>
aaa authorization commands <level> <list-name> group <group-name>
line vty 0 15
 authorization commands <level> <list-name>

Rule: Number of Minimum Desired TACACS+ Servers

Description: Minimum number of TACACS+ servers that must be configured for authorization.

Constraints: Required: true; Min Value: 1; Max Value: 2147483647


Rule 2

Rule

Commands Authorization should include Required TACACS+ Servers [IOS]

Description

This rule checks that required TACACS+ Servers are used for Commands Authorization using AAA

Applicable Platforms

Cisco IOS Devices

Impact

No known impact.

Suggested Fix

Include the required TACACS+ servers in the AAA commands authorization method list and apply that list to the lines using the commands:

aaa new-model
aaa group server tacacs+ <group-name>
 server <Hostname or A.B.C.D IP address of server>
!
tacacs-server host <Hostname or A.B.C.D IP address of TACACS+ server>
aaa authorization commands <level> <list-name> group <group-name>
line vty 0 15
 authorization commands <level> <list-name>

Rule: Included TACACS+ Servers

Description: List of TACACS+ servers that the device should be configured to use. Using the TACACS+ Server Editor option, you can add, remove, or update TACACS+ server details, and change the order of the servers.

Constraints: Required: true


AAA Authorization - Configuration

Description

AAA authorization enables you to limit the services available to a user. When AAA authorization is enabled, the network access server uses information retrieved from the user's profile, which is located either in the local user database or on the security server, to configure the user's session. Once this is done, the user will be granted access to a requested service only if the information in the user profile allows it. Configuration authorization applies to downloading configurations from the AAA server.

Applicable Platforms

Cisco IOS Devices

References

BS 7799, ISO/IEC 17799, ISO/IEC 27001(Section 11.4.1 of Second Edition, 2005-06-15)

Information Technology - Code of practice for information security management.

National Security Agency (NSA) Cisco Router Configuration Guide(Section 4.6, Page 177 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

National Security Agency (NSA) Cisco Switch Configuration Guide(Section 13.2.2, Page 50 of Version 1.0)

The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.

Rule 1

Rule

Minimum Number of RADIUS Servers to be used for Configuration Authorization [IOS]

Description

This rule checks that at least the configured minimum number of RADIUS servers is used for configuration authorization.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact

Suggested Fix

Include RADIUS servers in the AAA configuration authorization method list. Configuration authorization governs downloading configurations from the AAA server and is configured globally; it is not applied to lines:

aaa new-model
aaa group server radius <group-name>
 server <Hostname or A.B.C.D IP address of server>
!
radius-server host <Hostname or A.B.C.D IP address of RADIUS server>
aaa authorization configuration default group <group-name>

Rule: Number of Minimum Desired RADIUS Servers

Description: Minimum number of RADIUS servers that must be configured for authorization.

Constraints: Required: true; Min Value: 1; Max Value: 2147483647


Rule 2

Rule

Minimum Number of TACACS+ Servers to be used for Configuration Authorization [IOS]

Description

This rule checks that at least the configured minimum number of TACACS+ servers is used for configuration authorization.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact.

Suggested Fix

Include TACACS+ servers in the AAA configuration authorization method list. Configuration authorization governs downloading configurations from the AAA server and is configured globally; it is not applied to lines:

aaa new-model
aaa group server tacacs+ <group-name>
 server <Hostname or A.B.C.D IP address of server>
!
tacacs-server host <Hostname or A.B.C.D IP address of TACACS+ server>
aaa authorization configuration default group <group-name>

Rule: Number of Minimum Desired TACACS+ Servers

Description: Minimum number of TACACS+ servers that must be configured for authorization.

Constraints: Required: true; Min Value: 1; Max Value: 2147483647


Rule 3

Rule

Configuration Authorization should include required RADIUS Servers [IOS]

Description

This rule checks that configuration authorization includes the required RADIUS servers.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact.

Suggested Fix

Include the required RADIUS servers in the AAA configuration authorization method list. Configuration authorization governs downloading configurations from the AAA server and is configured globally; it is not applied to lines:

aaa new-model
aaa group server radius <group-name>
 server <Hostname or A.B.C.D IP address of server>
!
radius-server host <Hostname or A.B.C.D IP address of RADIUS server>
aaa authorization configuration default group <group-name>

Rule: Included RADIUS Servers

Description: List of RADIUS servers that the device should be configured to use. Using the RADIUS Server Editor option, you can add, remove, or update RADIUS server details, and change the order of the servers.

Constraints: Required: true


Rule 4

Rule

Configuration Authorization should include required TACACS+ Servers [IOS]

Description

This rule checks that configuration authorization includes the required TACACS+ servers.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact

Suggested Fix

Include the required TACACS+ servers in the AAA configuration authorization method list. Configuration authorization governs downloading configurations from the AAA server and is configured globally; it is not applied to lines:

aaa new-model
aaa group server tacacs+ <group-name>
 server <Hostname or A.B.C.D IP address of server>
!
tacacs-server host <Hostname or A.B.C.D IP address of TACACS+ server>
aaa authorization configuration default group <group-name>

Rule: Included TACACS+ Servers

Description: List of TACACS+ servers that the device should be configured to use. Using the TACACS+ Server Editor option, you can add, remove, or update TACACS+ server details, and change the order of the servers.

Constraints: Required: true


AAA Authorization - EXEC

Description

AAA authorization enables you to limit the services available to a user. When AAA authorization is enabled, the network access server uses information retrieved from the user's profile, which is located either in the local user database or on the security server, to configure the user's session. Once this is done, the user will be granted access to a requested service only if the information in the user profile allows it. EXEC authorization applies to the attributes associated with a user EXEC terminal session.

Applicable Platforms

Cisco IOS Devices

References

BS 7799, ISO/IEC 17799, ISO/IEC 27001(Section 11.4.1 of Second Edition, 2005-06-15)

Information Technology - Code of practice for information security management.

National Security Agency (NSA) Cisco Router Configuration Guide(Section 4.6, Page 177 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

National Security Agency (NSA) Cisco Switch Configuration Guide(Section 13.2.2, Page 50 of Version 1.0)

The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.

Rule 1

Rule

Minimum Number of RADIUS Servers to be used for EXEC Authorization [IOS]

Description

This rule checks that at least the configured minimum number of RADIUS servers is used for EXEC authorization.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact.

Suggested Fix

Include the RADIUS servers in the AAA EXEC authorization method list that the line configuration uses, using the commands:

aaa new-model

aaa group server radius <group name>

server <Hostname or A.B.C.D IP address of server>

!

radius-server host <Hostname or A.B.C.D IP address of RADIUS server>

aaa authorization exec default group <group name>

line vty 0 15

authorization exec

Rule
Description
Constraints

Number of Minimum Desired RADIUS Servers

Minimum number of RADIUS servers that the device must be configured to use for EXEC authorization.

Required: true     Min Value: 1     Max Value: 2147483647


Rule 2

Rule

Minimum Number of TACACS+ Servers to be used for EXEC Authorization [IOS]

Description

This rule checks that at least the configured minimum number of TACACS+ servers is used for EXEC authorization.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact.

Suggested Fix

Include the TACACS+ servers in the AAA EXEC authorization method list that the line configuration uses, using the commands:

aaa new-model

aaa group server tacacs+ <group name>

server <Hostname or A.B.C.D IP address of server>

!

tacacs-server host <Hostname or A.B.C.D IP address of TACACS server>

aaa authorization exec default group <group name>

line vty 0 15

authorization exec

Rule
Description
Constraints

Number of Minimum Desired TACACS+ Servers

Minimum number of TACACS+ servers that the device must be configured to use for EXEC authorization.

Required: true     Min Value: 1     Max Value: 2147483647


Rule 3

Rule

EXEC Authorization should include required RADIUS Servers [IOS]

Description

This rule checks that the EXEC authorization method list includes the required RADIUS servers.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact.

Suggested Fix

Include the RADIUS servers in the AAA EXEC authorization method list that the line configuration uses, using the commands:

aaa new-model

aaa group server radius <group name>

server <Hostname or A.B.C.D IP address of server>

!

radius-server host <Hostname or A.B.C.D IP address of RADIUS server>

aaa authorization exec default group <group name>

line vty 0 15

authorization exec

Rule
Description
Constraints

Included RADIUS Servers

List of RADIUS servers that a device should be configured to use.

Using RADIUS Server Editor option, you can add, remove or update RADIUS Server details. You can also change the order of the server details.

Required: true


Rule 4

Rule

EXEC Authorization should include required TACACS+ Servers [IOS]

Description

This rule checks that the EXEC authorization method list includes the required TACACS+ servers.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact

Suggested Fix

Include the TACACS+ servers in the AAA EXEC authorization method list that the line configuration uses, using the commands:

aaa new-model

aaa group server tacacs+ <group name>

server <Hostname or A.B.C.D IP address of server>

!

tacacs-server host <Hostname or A.B.C.D IP address of TACACS server>

aaa authorization exec default group <group name>

line vty 0 15

authorization exec

Rule
Description
Constraints

Included TACACS+ Servers

List of TACACS+ servers that a device should be configured to use.

Using TACACS+ Server Editor option, you can add, remove or update TACACS+ Server details. You can also change the order of the server details.

Required: true


AAA Authorization - Network

Description

AAA authorization enables you to limit the services available to a user. When AAA authorization is enabled, the network access server uses information retrieved from the user's profile, which is located either in the local user database or on the security server, to configure the user's session. Once this is done, the user will be granted access to a requested service only if the information in the user profile allows it. Network authorization applies to network connections. This can include a PPP, SLIP, or ARAP connection.

Applicable Platforms

Cisco IOS Devices

References

BS 7799, ISO/IEC 17799, ISO/IEC 27001(Section 11.4.1 of Second Edition, 2005-06-15)

Information Technology - Code of practice for information security management.

National Security Agency (NSA) Cisco Router Configuration Guide(Section 4.6, Page 177 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

National Security Agency (NSA) Cisco Switch Configuration Guide(Section 13.2.2, Page 50 of Version 1.0)

The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.

Rule 1

Rule

Minimum Number of RADIUS Servers to be used for Network Authorization [IOS]

Description

This rule checks that at least the configured minimum number of RADIUS servers is used for network authorization.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact.

Suggested Fix

Include the RADIUS servers in the AAA network authorization method list that the line configuration uses, using the commands:

aaa new-model

aaa group server radius <group name>

server <Hostname or A.B.C.D IP address of server>

!

radius-server host <Hostname or A.B.C.D IP address of RADIUS server>

aaa authorization network default group <group name>

line vty 0 15

authorization network

Rule
Description
Constraints

Number of Minimum Desired RADIUS Servers

Minimum number of RADIUS servers that the device must be configured to use for network authorization.

Required: true     Min Value: 1     Max Value: 2147483647


Rule 2

Rule

Minimum Number of TACACS+ Servers to be used for Network Authorization [IOS]

Description

This rule checks that at least the configured minimum number of TACACS+ servers is used for network authorization.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact.

Suggested Fix

Include the TACACS+ servers in the AAA network authorization method list that the line configuration uses, using the commands:

aaa new-model

aaa group server tacacs+ <group name>

server <Hostname or A.B.C.D IP address of server>

!

tacacs-server host <Hostname or A.B.C.D IP address of TACACS server>

aaa authorization network default group <group name>

line vty 0 15

authorization network

Rule
Description
Constraints

Number of Minimum Desired TACACS+ Servers

Minimum number of TACACS+ servers that the device must be configured to use for network authorization.

Required: true     Min Value: 1     Max Value: 2147483647


Rule 3

Rule

Network Authorization should include required RADIUS Servers [IOS]

Description

This rule checks that the network authorization method list includes the required RADIUS servers.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact.

Suggested Fix

Include the RADIUS servers in the AAA network authorization method list that the line configuration uses, using the commands:

aaa new-model

aaa group server radius <group name>

server <Hostname or A.B.C.D IP address of server>

!

radius-server host <Hostname or A.B.C.D IP address of RADIUS server>

aaa authorization network default group <group name>

line vty 0 15

authorization network

Rule
Description
Constraints

Included RADIUS Servers

List of RADIUS servers that a device should be configured to use.

Using RADIUS Server Editor option, you can add, remove or update RADIUS Server details. You can also change the order of the server details.

Required: true


Rule 4

Rule

Network Authorization should include required TACACS+ Servers [IOS]

Description

This rule checks that the network authorization method list includes the required TACACS+ servers.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact

Suggested Fix

Include the TACACS+ servers in the AAA network authorization method list that the line configuration uses, using the commands:

aaa new-model

aaa group server tacacs+ <group name>

server <Hostname or A.B.C.D IP address of server>

!

tacacs-server host <Hostname or A.B.C.D IP address of TACACS server>

aaa authorization network default group <group name>

line vty 0 15

authorization network

Rule
Description
Constraints

Included TACACS+ Servers

List of TACACS+ servers that a device should be configured to use.

Using TACACS+ Server Editor option, you can add, remove or update TACACS+ Server details. You can also change the order of the server details.

Required: true

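To make concrete what the four EXEC and the four Network authorization rules above actually evaluate, here is an added Python example. It is not part of the Cisco Prime LMS product or its documentation: it parses a constructed IOS running-config, resolves the server groups named in the default `aaa authorization exec` and `aaa authorization network` method lists, and applies the minimum-count (Rules 1 and 2) and required-server (Rules 3 and 4) checks. The configuration text, group names and addresses are invented for the example, and the parser understands the legacy `tacacs-server host` / `radius-server host` syntax that the suggested fixes use.

```python
import re
from typing import Dict, List, Set

# Constructed sample running-config for the demonstration (not from a real device).
AAA_SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ ISE-TACACS
 server 10.1.1.10
 server 10.1.1.11
aaa group server radius ISE-RADIUS
 server 10.1.2.10
aaa authorization exec default group ISE-TACACS local
aaa authorization network default group ISE-RADIUS
tacacs-server host 10.1.1.10
tacacs-server host 10.1.1.11
radius-server host 10.1.2.10
line vty 0 15
 authorization exec default
"""


def parse_server_groups(config: str) -> Dict[str, Dict[str, Set[str]]]:
    """Map protocol -> group name -> set of server addresses or hostnames.

    Hosts named on 'tacacs-server host' / 'radius-server host' lines form the
    implicit groups 'tacacs+' and 'radius', which a method list can reference
    as 'group tacacs+' / 'group radius' without defining a named group.
    """
    groups: Dict[str, Dict[str, Set[str]]] = {
        "tacacs+": {"tacacs+": set()},
        "radius": {"radius": set()},
    }
    current = None  # (protocol, group name) while inside an 'aaa group server' block
    for line in config.splitlines():
        m = re.match(r"aaa group server (tacacs\+|radius) (\S+)", line)
        if m:
            current = (m.group(1), m.group(2))
            groups[current[0]].setdefault(current[1], set())
            continue
        if line.startswith(" ") and current:
            # 'server A.B.C.D', 'server-private A.B.C.D' or 'server name NAME'
            m = re.match(r"\s+server(?:-private)?(?: name)? (\S+)", line)
            if m:
                groups[current[0]][current[1]].add(m.group(1))
            continue
        current = None  # any unindented line ends the group block
        m = re.match(r"(tacacs|radius)-server host (\S+)", line)
        if m:
            proto = "tacacs+" if m.group(1) == "tacacs" else "radius"
            groups[proto][proto].add(m.group(2))
    return groups


def servers_for_authorization(config: str, auth_type: str, protocol: str) -> Set[str]:
    """Servers of `protocol` reachable from the default 'aaa authorization <auth_type>' list."""
    groups = parse_server_groups(config)
    m = re.search(rf"^aaa authorization {auth_type} default (.+)$", config, re.M)
    if not m:
        return set()  # no method list at all: nothing is authorised against a server
    servers: Set[str] = set()
    methods = m.group(1).split()
    for i, token in enumerate(methods):
        if token == "group" and i + 1 < len(methods):
            servers |= groups[protocol].get(methods[i + 1], set())
    return servers


def meets_minimum_servers(config: str, auth_type: str, protocol: str, minimum: int) -> bool:
    """Rules 1 and 2: at least `minimum` servers of `protocol` back the method list."""
    return len(servers_for_authorization(config, auth_type, protocol)) >= minimum


def missing_required_servers(config: str, auth_type: str, protocol: str,
                             required: List[str]) -> List[str]:
    """Rules 3 and 4: the `required` servers that the method list does not use."""
    return sorted(set(required) - servers_for_authorization(config, auth_type, protocol))
```

Note that a server defined with `tacacs-server host` but not referenced by any group in the method list does not count: on the sample, the EXEC list reaches both TACACS+ hosts and no RADIUS host, while the network list reaches only the one RADIUS host, so a minimum of 2 RADIUS servers for network authorization fails.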

Control Plane Policing

Description

Policies related to Control Plane Policing. Control Plane Policing (CoPP) is a Cisco IOS feature that you can employ to counter resource-starvation DoS attacks that target the central processor of a router (control plane and management plane). CoPP protects the central processor via policies that filter or rate limit traffic directed to the processor. The feature allows users to configure a quality of service (QoS) filter that manages the flow of control plane packets, protecting the control plane of Cisco IOS routers and switches against reconnaissance and denial-of-service (DoS) attacks. In this way, the control plane (CP) can maintain packet forwarding and protocol states despite an attack or heavy traffic load on the router or switch.

Applicable Platforms

Cisco IOS Devices With CoPP Capability

References

National Security Agency (NSA) Cisco Router Configuration Guide(Section 4.3.7 Page 98 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

Rule 1

Rule

Check input Control Plane Policy is configured [IOS]

Description

This rule checks to make sure that a Control Plane Policy is configured in input direction. The Control Plane Policing feature allows users to configure a quality of service (QoS) filter that manages the traffic flow of control plane packets to protect the control plane of Cisco IOS routers and switches against reconnaissance and denial-of-service (DoS) attacks. In this way, the control plane (CP) can help maintain packet forwarding and protocol states despite an attack or heavy traffic load on the router or switch.

Applicable Platforms

Cisco IOS Devices With CoPP Capability

Impact

Traffic destined to the device's central processor is neither classified nor rate limited, so the processor is not protected from DoS and DDoS attacks.

Suggested Fix

Configure Control Plane Policing using the commands

control-plane   

service-policy input <policy name>

exit

Rule
Description
Constraints

Name of desired input policy

Desired input policy name (leave this blank if you do not want to check for a specific policy name).

Required: false


Rule 2

Rule

Check output Control Plane Policy is configured [IOS]

Description

This rule checks to make sure that a Control Plane Policy is configured in output direction. The Control Plane Policing feature allows users to configure a quality of service (QoS) filter that manages the traffic flow of control plane packets to protect the control plane of Cisco IOS routers and switches against reconnaissance and denial-of-service (DoS) attacks. In this way, the control plane (CP) can help maintain packet forwarding and protocol states despite an attack or heavy traffic load on the router or switch.

Applicable Platforms

Cisco IOS Devices With CoPP Capability

Impact

Traffic destined to the device's central processor is neither classified nor rate limited, so the processor is not protected from DoS and DDoS attacks.

Suggested Fix

Configure Control Plane Policing using the commands

control-plane   

service-policy output <policy name>

exit

Rule
Description
Constraints

Name of desired output policy

Desired output policy name (leave this blank if you do not want to check for a specific policy name).

Required: false

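As an added example (not Cisco's code and not part of the product), the following Python applies Rule 1 and Rule 2 to a constructed IOS configuration: it extracts the `service-policy` lines under `control-plane`, honours the optional desired-policy-name constraint (an empty name accepts any attached policy, as the rules state), and additionally confirms that the referenced `policy-map` is defined in the same configuration, which the page's rules do not check. The policy names, police rates and ACL name are invented for the sample.

```python
import re
from typing import List, Optional

# Constructed sample configuration (not from a real device).
COPP_SAMPLE_CONFIG = """\
ip access-list standard MGMT-HOSTS
 permit 10.20.30.0 0.0.0.255
class-map match-all COPP-MGMT
 match access-group name MGMT-HOSTS
policy-map COPP-POLICY
 class COPP-MGMT
  police 128000 conform-action transmit exceed-action drop
 class class-default
  police 64000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
!
"""


def section_body(config: str, header: str) -> List[str]:
    """Indented lines belonging to the top-level section whose header line is `header`."""
    body: List[str] = []
    inside = False
    for line in config.splitlines():
        if line.rstrip() == header:
            inside = True
            continue
        if inside:
            if line.startswith(" "):
                body.append(line.strip())
            else:
                break  # the first unindented line ('!' or the next section) closes the block
    return body


def control_plane_policy(config: str, direction: str) -> Optional[str]:
    """Name of the service policy attached to the control plane in `direction`, or None."""
    for line in section_body(config, "control-plane"):
        m = re.match(rf"service-policy {direction} (\S+)$", line)
        if m:
            return m.group(1)
    return None


def copp_rule_passes(config: str, direction: str, desired_name: Optional[str] = None) -> bool:
    """Rule 1 ('input') or Rule 2 ('output') as the page states them, plus one extra
    check: the attached policy-map must be defined, so a dangling name does not pass."""
    name = control_plane_policy(config, direction)
    if name is None:
        return False
    if desired_name and name != desired_name:  # blank desired_name: accept any policy
        return False
    return re.search(rf"^policy-map {re.escape(name)}$", config, re.M) is not None
```

On the sample, the input rule passes with or without a desired name of COPP-POLICY, fails for any other desired name, and the output rule fails because no output policy is attached.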

HTTP Server

Description

HTTP Server allows web based remote administration of the router.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Cisco IOS Devices With HTTPS Capability

References

Payment Card Industry Data Security Standard(PCI).(2.3 of Version 1.1, September, 2006)

The Payment Card Industry (PCI) Data Security Standard resulted from a collaboration between Visa and MasterCard to create common industry security requirements. Other card companies operating in the U.S. have also endorsed the Standard within their respective programs. PCI Data Security requirements apply to all members, merchants and service providers that store, process or transmit cardholder data.

National Security Agency (NSA) Cisco Router Configuration Guide(Section 8.1(16) Page 278, Section 4.2.1 Page 71, Section 4.2.2 Page 73,74 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

BS 7799, ISO/IEC 17799, ISO/IEC 27001(Section 10.6.1 of Second Edition, 2005-06-15)

Information Technology - Code of practice for information security management.

National Security Agency (NSA) Cisco Switch Configuration Guide(Section 6.2.2, Page 18 of Version 1.0)

The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.

Cisco SAFE Compliance(1.1b)

SAFE: A Security Blueprint for Enterprise Networks

Health Insurance Portability and Accountability Act.(164.312(a)(1), 164.312(e)(1))

HIPAA (Health Insurance Portability and Accountability Act.) is designed to protect confidential healthcare information through improved security standards and federal privacy legislation. It defines requirements for storing patient information before, during and after electronic transmission. Centers for Medicare & Medicaid Services (CMS) has provided a Security Rule (45 CFR Part 160 and 164) which is adopted to implement provisions of the HIPAA.

SANS Router Security Policy(3.0(3f))

The SANS (SysAdmin, Audit, Network, Security) Institute publishes security policy to help system administrators with rapid development and implementation of information security policies.

Defence Information System Agency(Section NET0740 of Dec 2, 2005)

DISA Checklist, sometimes referred to as a lockdown guide, hardening guide, or benchmark configuration is essentially a document that contains instructions or procedures to verify compliance to a baseline level of security.

Department of Homeland Security (DHS) Compliance(Section 4.3, Page 27 of Version 2.0)

This document is being distributed to provide Department of Homeland Security (DHS) Cisco Router systems administrators with a clear, concise set of procedures that will ensure a minimum baseline of security when an existing Cisco Router is being installed or configured. All settings and parameters presented in this document are the baseline security which all Cisco Router systems must meet.

Center for Internet Security, Benchmark for Cisco PIX/ASA.(Section 1.2.2.2, Page: 19 of Version 2.0, Nov 2007)

CIS PIX/ASA benchmark recommends the prudent level of minimum due care for operating system security. CIS PIX/ASA benchmark contains some security configuration recommendations that affect functionality, and are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All PIX devices should implement these settings.

Center for Internet Security, Benchmark for Cisco IOS.(Section 1.1.2.5, Page: 24 of Version 2.2, Nov 2007)

CIS benchmark Cisco IOS, recommends the prudent level of minimum due care for operating system security. CIS benchmark IOS, contains some security configuration recommendations that affect functionality, and are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All IOS devices should implement these settings.

Rule 1

Rule

Check state of HTTP server [IOS]

Description

HTTP Server allows web-based remote administration of the router. It is useful primarily when intervening routers or firewalls prevent use of Telnet for that purpose. However, it is important to note that both Telnet and web-based remote administration reveal critical passwords in clear text. Further, web-based administration imposes the requirement that users log in at full (level 15) privilege. Therefore, web-based remote administration should be avoided.

Applicable Platforms

Cisco IOS Devices

Impact

Can be exploited to access the router.

Suggested Fix

Configure HTTP server using the command

[no] ip http server

Rule
Description
Constraints

Server Status

HTTP server status

Required: true     Default: false


Rule 2

Rule

Check HTTP server port value [IOS]

Description

TCP port number that the HTTP server listens on.

Applicable Platforms

Cisco IOS Devices

Impact

HTTP Server may not be accessible if the port is not configured properly

Suggested Fix

Configure port for HTTP server using the command

ip http port <port number>

Rule
Description
Constraints

Port

Port for HTTP server

Required: true     Default: 80     Min Value: 1025     Max Value: 65535


Rule 3

Rule

Check state of HTTP Secure (HTTPS) server [PIX, ASA, IOS]

Description

HTTP Server allows web-based remote administration of the router. It is useful primarily when intervening routers or firewalls prevent use of Telnet for that purpose. However, it is important to note that both Telnet and web-based remote administration reveal critical passwords in clear text. Further, web-based administration imposes the requirement that users log in at full (level 15) privilege. Therefore, web-based remote administration should be avoided; where it cannot be, the HTTPS server is preferable to the plain HTTP server because it encrypts the session.

Applicable Platforms

Cisco PIX Devices Running >= 7.x and ASA devices

Cisco IOS Devices With HTTPS Capability

Impact

Can be exploited to access the router.

Suggested Fix

Configure HTTPS server using the command

[no] ip http secure-server (for IOS)

[no] http server enable (for PIX)

Rule
Description
Constraints

Secure Server Status

HTTP Secured server status

Required: true     Default: false


Rule 4

Rule

Check HTTP Secure (HTTPS) server port value [PIX, ASA, IOS]

Description

TCP port number that the HTTP Secure server listens on.

Applicable Platforms

Cisco PIX Devices Running >= 7.x and ASA devices

Cisco IOS Devices With HTTPS Capability

Impact

HTTPS Server may not be accessible if the port is not configured properly

Suggested Fix

Configure port for HTTPS server using the command

ip http secure-port <port number> (for IOS)

http server enable <port number> (for PIX)

Rule
Description
Constraints

Secure Server Port (IOS)

Port for HTTP Secured server

Required: false     Default: 443     Min Value: 1025     Max Value: 65535


Rule
Description
Constraints

Secure Server Port (PIX)

Port for HTTP Secured server

Required: false     Default: 443     Min Value: 1     Max Value: 65535


Rule 5

Rule

ACL must be configured for restricting access to HTTP server [IOS]

Description

If web-based remote administration is required, HTTP server should be enabled and access must be restricted to the trusted users.

Applicable Platforms

Cisco IOS Devices

Impact

Unauthorized users may gain access if not restricted using an access-list.

Suggested Fix

Configure an access list to restrict the access to the HTTP server on the device using the command

ip http access-class <1-99>

Rule
Description
Constraints

ACL

Access List for HTTP server

Required: true     Min Value: 1     Max Value: 99


Rule 6

Rule

Restrict access to HTTP server [IOS]

Description

If web-based remote administration is required, HTTP server should be enabled and access must be restricted to the trusted users.

Applicable Platforms

Cisco IOS Devices

Impact

Unauthorized users may gain access if not restricted using an access-list.

Suggested Fix

Configure an access list to restrict the access to the HTTP server on the device, using the command

ip http access-class <1-99>

Rule
Description
Constraints

Allowed Subnets

Access List for HTTP server.

Using the Allowed Subnets Editor option, you can add, remove or update allowed subnet details. You can also change the order of the subnets.

Required: true


Rule 7

Rule

Check HTTP server authentication methods [IOS]

Description

Specify the desired type of authentication for HTTP connections.

Applicable Platforms

Cisco IOS Devices

Impact

Unauthorized users can gain access if authentication is not used.

Suggested Fix

Set up usernames and passwords for all administrators. If possible, use AAA user access control which will give more control and better audit. Configure required authentication using

ip http authentication

Rule
Description
Constraints

Auth Method

HTTP server authentication method. Violations cannot be fixed automatically if you specify multiple methods for the input.

Using the Auth Method Editor option, you can add, remove or update authentication method details. You can also change the order of the methods.

Required: true


Rule 8

Rule

Check management access via ASDM is restricted [PIX, ASA]

Description

The IP addresses of the hosts allowed to manage the device through Adaptive Security Device Manager (ASDM) should be defined.

Applicable Platforms

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

Without a restriction, any host that can reach the interface can attempt to connect to the ASDM/HTTPS management service; access should be limited to management workstations.

Suggested Fix

Remove the any-host entry and permit only the management workstation addresses using the commands

no http 0.0.0.0 0.0.0.0 <interface-name>

http <ip-address> <mask> <interface-name>

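Rules 5 and 6 above turn on the ACL referenced by `ip http access-class`. As an added example, not part of the product or its documentation, the Python below parses a constructed IOS configuration, decodes the numbered standard ACL (including Cisco wildcard masks) with the standard library `ipaddress` module, and reports any permit entry that falls outside a list of allowed management subnets. The ACL number, addresses and allowed subnets are made up for the example.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample configuration (not from a real device).
HTTP_SAMPLE_CONFIG = """\
ip http server
no ip http secure-server
ip http access-class 10
ip http authentication aaa
access-list 10 permit 10.20.30.0 0.0.0.255
access-list 10 permit 192.0.2.7
access-list 10 deny   any
"""

# Management subnets the policy allows (constructed for the example).
ALLOWED_SUBNETS = [ipaddress.ip_network("10.20.30.0/24"),
                   ipaddress.ip_network("192.0.2.0/24")]


def http_access_class(config: str) -> Optional[int]:
    """Number of the standard ACL applied with 'ip http access-class', or None (Rule 5)."""
    m = re.search(r"^ip http access-class (\d+)$", config, re.M)
    return int(m.group(1)) if m else None


def standard_acl_entries(config: str, number: int) -> List[Tuple[str, ipaddress.IPv4Network]]:
    """(action, network) pairs of numbered standard ACL `number`, in configured order.

    Accepts 'any', 'host A.B.C.D', a bare address (implicit host) and
    'A.B.C.D WILDCARD'. Only a contiguous wildcard converts to a prefix; a
    discontiguous one raises ValueError instead of being silently misread.
    """
    entries = []
    for m in re.finditer(rf"^access-list {number} (permit|deny)\s+(.+)$", config, re.M):
        action, rest = m.group(1), m.group(2).split()
        if rest[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif rest[0] == "host":
            net = ipaddress.ip_network(f"{rest[1]}/32")
        elif len(rest) >= 2:
            # Cisco wildcard: 0 bits must match, so the netmask is its bitwise inverse.
            wildcard = int(ipaddress.IPv4Address(rest[1]))
            netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
            net = ipaddress.ip_network(f"{rest[0]}/{netmask}", strict=False)
        else:
            net = ipaddress.ip_network(f"{rest[0]}/32")
        entries.append((action, net))
    return entries


def http_acl_findings(config: str, allowed: List[ipaddress.IPv4Network]) -> List[str]:
    """Rules 5 and 6 for an enabled HTTP server; an empty list means compliant."""
    if not re.search(r"^ip http server$", config, re.M):
        return []  # server off (Rule 1's default state): nothing to restrict
    acl = http_access_class(config)
    if acl is None:
        return ["Rule 5: ip http access-class is not configured"]
    entries = standard_acl_entries(config, acl)
    if not entries:
        return [f"Rule 5: access-list {acl} is referenced but has no entries"]
    findings = []
    for action, net in entries:
        if action == "permit" and not any(net.subnet_of(a) for a in allowed):
            findings.append(f"Rule 6: access-list {acl} permits {net}, outside the allowed subnets")
    return findings
```

Checking the ACL's contents rather than only its presence is what distinguishes Rule 6 from Rule 5: an ACL that exists but ends in `permit any` satisfies Rule 5 and restricts nothing.
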
Miscellaneous Services

Description

Policies governing the miscellaneous TCP (echo, discard, chargen, daytime) and UDP (echo, discard, chargen) small services on the device, together with the other minor services covered below (finger, BOOTP, configuration autoloading and IP source routing).

Applicable Platforms

Cisco IOS Devices

Cisco IOS Devices With BOOTP Capability

Cisco IOS Devices With SCP Capability

References

Payment Card Industry Data Security Standard(PCI).(2.2 of Version 1.1, September, 2006)

The Payment Card Industry (PCI) Data Security Standard resulted from a collaboration between Visa and MasterCard to create common industry security requirements. Other card companies operating in the U.S. have also endorsed the Standard within their respective programs. PCI Data Security requirements apply to all members, merchants and service providers that store, process or transmit cardholder data.

National Security Agency (NSA) Cisco Router Configuration Guide(Section 8.1(1) Page 274,275, 8.1(7) Page 276, Section 8.1(18) Page 278, Section 4.2.1 Page 70,71,72 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

SANS Router Security Policy(Sections 3.0(1), 3.0(2), 3.0(3))

The SANS (SysAdmin, Audit, Network, Security) Institute publishes security policy to help system administrators with rapid development and implementation of information security policies.

National Security Agency (NSA) Cisco Switch Configuration Guide(Section 6.2.1, Page 16 of Version 1.0)

The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.

BS 7799, ISO/IEC 17799, ISO/IEC 27001(Section 10.6.1 of Second Edition, 2005-06-15)

Information Technology - Code of practice for information security management.

Cisco SAFE Compliance(1.1b)

SAFE: A Security Blueprint for Enterprise Networks

Department of Homeland Security (DHS) Compliance(Section 4.3, Page 22 of Version 2.0)

This document is being distributed to provide Department of Homeland Security (DHS) Cisco Router systems administrators with a clear, concise set of procedures that will ensure a minimum baseline of security when an existing Cisco Router is being installed or configured. All settings and parameters presented in this document are the baseline security which all Cisco Router systems must meet.

Center for Internet Security, Benchmark for Cisco IOS.(Section 1.2.2.2-1.2.2.4,1.2.2.6, Page: 23 Section 1.2.2.9-1.2.2.11,page:26; section 1.3.1.2,Page:34; Section 2.3.3.3,Page:47 of Version 2.2, Nov 2007)

CIS benchmark Cisco IOS, recommends the prudent level of minimum due care for operating system security. CIS benchmark IOS, contains some security configuration recommendations that affect functionality, and are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All IOS devices should implement these settings.

Rule 1

Rule

Disable TCP small servers [IOS]

Description

TCP small servers are servers (daemons, in Unix parlance) that run in the router which are useful for diagnostics.

The TCP small servers are:

Echo: Echoes back whatever you type through the telnet x.x.x.x echo command.

Chargen: Generates a stream of ASCII data. Use the telnet x.x.x.x chargen command.

Discard: Throws away whatever you type. Use the telnet x.x.x.x discard command.

Daytime: Returns system date and time, if it is correct. It is correct if you run Network Time Protocol (NTP), or have set the date and time manually from the exec level. Use the telnet x.x.x.x daytime command.

Replace x.x.x.x with the IP address of your router. Most routers inside Cisco run the small servers.

The TCP small servers are enabled by default on Cisco IOS Software Version 11.2 and earlier. They are disabled by default on Cisco IOS Software Versions 11.3 and later.

Applicable Platforms

Cisco IOS Devices

Impact

It is recommended that you do not enable these services unless it is absolutely necessary. These services could be exploited indirectly or directly to gain information about the target system.

Suggested Fix

Disable TCP small servers using the command

no service tcp-small-servers

Rule 2

Rule

Disable UDP small servers [IOS]

Description

UDP small servers are servers (daemons, in Unix parlance) that run in the router which are useful for diagnostics.

The UDP small servers are:

Echo: Echoes the payload of the datagram you send.

Discard: Silently pitches the datagram you send.

Chargen: Pitches the datagram you send, and responds with a 72-character string of ASCII characters terminated with a CR+LF.

The UDP small servers are enabled by default on Cisco IOS Software Version 11.2 and earlier. They are disabled by default on Cisco IOS Software Versions 11.3 and later.

Applicable Platforms

Cisco IOS Devices

Impact

It is recommended that you do not enable these services unless it is absolutely necessary. These services could be exploited indirectly or directly to gain information about the target system.

Suggested Fix

Disable UDP small servers using the command

no service udp-small-servers

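The default-state note in Rules 1 and 2 matters for auditing: `show running-config` omits settings that are at their default value, so a configuration that says nothing about small servers is compliant on IOS 11.3 and later but non-compliant on 11.2 and earlier. The added Python below (not Cisco's code and not part of the product) evaluates the effective state from the configuration text together with the IOS version string, which is assumed to be collected separately, for example from `show version`; the sample configurations are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample configurations (not from real devices).
OLD_IOS_CONFIG = """\
hostname legacy-rtr
service udp-small-servers
!
"""
NEW_IOS_CONFIG = """\
hostname edge-rtr
no service tcp-small-servers
!
"""


def ios_major_minor(ios_version: str) -> Tuple[int, int]:
    """'11.2(18)' -> (11, 2); '12.4(24)T' -> (12, 4). Only major.minor decides this default."""
    m = re.match(r"(\d+)\.(\d+)", ios_version)
    if not m:
        raise ValueError(f"unrecognised IOS version string: {ios_version!r}")
    return int(m.group(1)), int(m.group(2))


def small_servers_enabled(config: str, proto: str, ios_version: str) -> bool:
    """Effective state of 'service {tcp|udp}-small-servers'.

    An explicit line wins either way. If the configuration is silent, apply the
    default the page states: enabled on 11.2 and earlier, disabled from 11.3 on.
    The silent case is the common one, because the running-config omits
    settings that are at their default value.
    """
    keyword = f"service {proto}-small-servers"
    if re.search(rf"^no {keyword}$", config, re.M):
        return False
    if re.search(rf"^{keyword}$", config, re.M):
        return True
    return ios_major_minor(ios_version) < (11, 3)


def small_server_findings(config: str, ios_version: str) -> List[str]:
    """Rule 1 (TCP) and Rule 2 (UDP) violations for one device."""
    return [
        f"Rule {rule}: {proto.upper()} small servers are enabled"
        for rule, proto in ((1, "tcp"), (2, "udp"))
        if small_servers_enabled(config, proto, ios_version)
    ]
```

The same configuration text therefore yields different results on different IOS releases: the first sample is silent about TCP small servers, which is a violation on 11.2 and compliant on 12.4.
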
Rule 3

Rule

Disable Finger server [IOS]

Description

Finger is a utility that displays information about system users (login name, home directory, name, how long they have been logged in, etc.).

Applicable Platforms

Cisco IOS Devices

Impact

The information obtained from the finger server can be used in gaining unauthorized access to the device.

Suggested Fix

Disable finger server on the device using the command

no service finger

Rule 4

Rule

Disable BOOTP server [IOS]

Description

BOOTP (BOOTstrap Protocol) was originally created for loading diskless computers. It was later used to allow a host to obtain all the required TCP/IP information to use the Internet. BOOTP allows a host to broadcast a request onto the network, and obtains information required from a BOOTP server. The BOOTP server is a computer that listens for incoming BOOTP requests and generates responses from a configuration database for the BOOTP clients on that network. BOOTP differs from DHCP in that it has no concept of lease or lease expiration. All IP addresses allocated by a BOOTP server are permanent.

Applicable Platforms

Cisco IOS Devices With BOOTP Capability

Impact

This is rarely needed and may open a security hole.

Suggested Fix

Disable BOOTP server using the command

no ip bootp server

Rule 5

Rule

Disable configuration auto-loading from TFTP server [IOS]

Description

Configuration autoloading enables autoloading of configuration files from a network server.

Applicable Platforms

Cisco IOS Devices

Impact

Configuration autoloading fetches the configuration over an unauthenticated protocol; any host that can answer the request can supply a wrong or malicious configuration file that the device then loads.

Suggested Fix

Disable configuration autoloading using the command

no service config

Rule 6

Rule

Disable IP Source Routing [IOS]

Description

Source Routing is a technique whereby the sender of a packet can specify the route that a packet should take through the network. Source routing is useful when the default route that a connection will take fails or is suboptimal for some reason, or for network diagnostic purposes.

Applicable Platforms

Cisco IOS Devices

Impact

When used in conjunction with traceroute, an attacker can find all the routes between points on the network.

Also, sometimes machines will be on the Internet, but will not be reachable. (It may be using a private address like 10.0.0.1). However, there may be some other machine that is reachable to both sides that forwards packets. Someone can then reach that private machine from the Internet by source routing through that intermediate machine.

Suggested Fix

Disable IP Source Routing using the command

no ip source-route

Rule 7

Rule

Disable X.25 PAD service [IOS]

Description

A packet assembler/disassembler (PAD) is configured to enable X.25 connections between network devices. A PAD is a device that receives a character stream from one or more terminals, assembles the character stream into packets, and sends the data packets out to a host. A PAD can also do the reverse: it can take data packets from a network host and translate them into a character stream that can be understood by the terminals. A PAD is defined by Recommendations X.3, X.28, and X.29 of the International Telecommunication Union Telecommunication Standardization Sector (ITU-T).

PADs can also be configured to work with a protocol translation application.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact

Suggested Fix

Disable PAD service using the command

no service pad

Rule 8

Rule

Disable Gratuitous ARPs [IOS]

Description

A gratuitous ARP is a broadcast ARP packet in which the sender and target IP addresses are the same, namely the sender's own address. It is used primarily by a host to inform the network about its IP address and its IP-to-MAC mapping.

Applicable Platforms

Cisco IOS Devices

Impact

A spoofed gratuitous ARP message can cause network mapping information to be stored incorrectly, causing network malfunction.

Suggested Fix

IP gratuitous Address Resolution Protocol (ARP) requests should be disabled whenever possible using the command

no ip gratuitous-arps

Rule 9

Rule

Disable Identification service [IOS]

Description

The identification protocol provides a means to determine the identity of a user of a particular TCP connection.

Applicable Platforms

Cisco IOS Devices

Impact

The information revealed about users, entities, objects, or processes might normally be considered private and can be exploited to attack the device.

Suggested Fix

Disable Identification service using the command

no ip identd

Rule 10

Rule

Disable MOP (Maintenance Operation Protocol) [IOS]

Description

System utility services on DECnet networks use the MOP protocol. It is enabled by default on Ethernet interfaces.

Applicable Platforms

Cisco IOS Devices

Impact

Unless you are using DECnet, you should disable MOP. Leaving MOP enabled when it is not needed only exposes another service that can be attacked.

Suggested Fix

Disable MOP on each interface using the commands

interface <interface name>

no mop enabled

Rule 11

Rule

Disable TFTP server [IOS]

Description

Disable TFTP Server on the device.

Applicable Platforms

Cisco IOS Devices

Impact

The Trivial File Transfer Protocol (TFTP) provides an easy way to transfer files between network devices. However, TFTP is not a secure service and normally should not be running on any device in a secure network.

Suggested Fix

Disable TFTP service on the device using

no tftp-server

Rule 12

Rule

Tunnel interfaces should not be configured [IOS]

Description

Check that no tunnel interfaces are defined on the device.

Applicable Platforms

Cisco IOS Devices

Impact

Tunnel interfaces are virtual interfaces on the router. These interfaces can be used by an attacker. Unless absolutely necessary, do not create any tunnel interfaces.

Suggested Fix

Delete a tunnel interface using

no interface Tunnel<number>

Rule 13

Rule

Disable DHCP service[IOS]

Description

Check that DHCP service is disabled on the device.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact

Suggested Fix

Disable DHCP service using the command

no service dhcp

Rule 14

Rule

Disable Booting from Network Configuration File [IOS]

Description

Check that booting from network configuration file is disabled.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact

Suggested Fix

Disable booting from network configuration file using the command

no boot network

Rule 15

Rule

IP Classless Forwarding must be [IOS]

Description

Check that IP Classless forwarding is configured as required.

Applicable Platforms

Cisco IOS Devices

Impact

No known impact

Suggested Fix

Enable or disable IP classless forwarding using the command

[no] ip classless

Rule
Description
Constraints

IP Classless State

Whether IP classless forwarding should be enabled or disabled

Required: true     Default: true


Rule 16

Rule

Enable SCP server [IOS]

Description

This rule checks that SCP Server is enabled on the device.

Applicable Platforms

Cisco IOS Devices With SCP Capability

Impact

The router administrators cannot use the SCP protocol to transfer configuration or image files to and from the router.

Suggested Fix

Enable SCP service on the device using the command

ip scp server enable

Rule 17

Rule

Disable FTP server [IOS]

Description

Disable FTP Server on the device.

Applicable Platforms

Cisco IOS Devices

Impact

The File Transfer Protocol (FTP) provides an easy way to transfer files between network devices. However, FTP is not a secure service and normally should not be running on any device in a secure network.

Suggested Fix

Disable FTP service on the device using

no ftp-server
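The rules above are all presence-or-absence checks on global configuration lines, with one complication that a checker must get right: IOS records only non-default state. "no ip source-route" appears only when that default-on feature has been disabled, while "service tcp-small-servers" appears only when that default-off feature (on IOS 11.3 and later) has been enabled, so silence in the configuration means the default applies. The following added example (not code from Cisco Prime LMS or from Cisco) shows a default-aware audit of these rules over a constructed running-config. The default values in the rule table and the sample configuration are assumptions for a modern IOS release; verify them against the release notes of the software you run.

```python
"""Default-aware audit of the IOS 'Services' rules (added example, not Cisco Prime LMS code)."""
import re

# (rule, global config keyword, enabled by default?, suggested fix)
# The defaults are assumptions for a modern IOS release: verify against your release notes.
GLOBAL_RULES = [
    ("Disable TCP small servers", "service tcp-small-servers", False, "no service tcp-small-servers"),
    ("Disable UDP small servers", "service udp-small-servers", False, "no service udp-small-servers"),
    ("Disable Finger server", "service finger", False, "no service finger"),
    ("Disable BOOTP server", "ip bootp server", True, "no ip bootp server"),
    ("Disable configuration autoloading", "service config", False, "no service config"),
    ("Disable IP source routing", "ip source-route", True, "no ip source-route"),
    ("Disable X.25 PAD service", "service pad", True, "no service pad"),
    ("Disable gratuitous ARPs", "ip gratuitous-arps", True, "no ip gratuitous-arps"),
    ("Disable identification service", "ip identd", False, "no ip identd"),
    ("Disable TFTP server", "tftp-server", False, "no tftp-server"),
    ("Disable DHCP service", "service dhcp", True, "no service dhcp"),
    ("Disable booting from network configuration file", "boot network", False, "no boot network"),
    ("Disable FTP server", "ftp-server", False, "no ftp-server"),
]


def global_state(config_text, keyword):
    """True if 'keyword' is set globally, False if 'no keyword' is set, None if the config is silent.
    Indented lines (interface and other sub-modes) are skipped so that a per-interface
    'no ip ...' command is never mistaken for a global one."""
    for raw in config_text.splitlines():
        if raw.startswith(" "):
            continue
        line = raw.strip()
        if line == keyword or line.startswith(keyword + " "):
            return True
        if line == "no " + keyword or line.startswith("no " + keyword + " "):
            return False
    return None


def audit_services(config_text, want_scp=True):
    """Return a list of (rule, fix) violations for the global service rules."""
    violations = []
    for rule, keyword, default_on, fix in GLOBAL_RULES:
        state = global_state(config_text, keyword)
        effective = default_on if state is None else state  # silence means the default applies
        if effective:
            violations.append((rule, fix))
    # Rule 16 is the inverse case: SCP is off by default and must be switched on explicitly.
    if want_scp and global_state(config_text, "ip scp server enable") is not True:
        violations.append(("Enable SCP server", "ip scp server enable"))
    # Rule 12: every tunnel interface stanza is a violation; report the exact interface to remove.
    for raw in config_text.splitlines():
        m = re.match(r"interface\s+(Tunnel\S*)", raw)
        if m:
            violations.append(("Tunnel interfaces should not be configured", f"no interface {m.group(1)}"))
    return violations


# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
version 15.2
hostname edge-r1
!
service tcp-small-servers
no service pad
no ip source-route
ip bootp server
no service dhcp
ip scp server enable
!
interface Tunnel0
 ip address 10.1.1.1 255.255.255.252
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
end
"""

if __name__ == "__main__":
    for rule, fix in audit_services(SAMPLE_CONFIG):
        print(f"VIOLATION: {rule:48s} fix: {fix}")
```

Run against the sample, the audit reports four violations: the explicitly enabled TCP small servers and BOOTP server, gratuitous ARPs (never mentioned, so on by default), and Tunnel0. Source routing, PAD and DHCP pass because their "no ..." lines are present, and the small UDP servers pass because silence means off on this release.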

Routing and Forwarding

Description

Policies governing Routing and Forwarding related services on the device.

Applicable Platforms

Cisco IOS Devices

Cisco IOS Devices With SPD Capability

References

Cisco SAFE Compliance

SAFE: A Security Blueprint for Enterprise Networks

National Security Agency (NSA) Cisco Router Configuration Guide(Section 4.3.6, Page 95, Section 4.4.7 Page 130 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

National Security Agency (NSA) Cisco Switch Configuration Guide(Section 8.2, Page 29 of Version 1.0)

The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.

Department of Homeland Security (DHS) Compliance(Section 4.4, Page 31 of Version 2.0)

This document is being distributed to provide Department of Homeland Security (DHS) Cisco Router systems administrators with a clear, concise set of procedures that will ensure a minimum baseline of security when an existing Cisco Router is being installed or configured. All settings and parameters presented in this document are the baseline security which all Cisco Router systems must meet.

Center for Internet Security, Benchmark for Cisco IOS.(Section 2.3.3.1, Page: 46 of Version 2.2, Nov 2007)

CIS benchmark Cisco IOS, recommends the prudent level of minimum due care for operating system security. CIS benchmark IOS, contains some security configuration recommendations that affect functionality, and are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All IOS devices should implement these settings.

Rule 1

Rule

Description

Check that Selective Packet Discard (SPD) is configured to the desired state.

Applicable Platforms

Cisco IOS Devices With SPD Capability

Impact

Selective Packet Discard (SPD) is a mechanism that manages the process-level input queues on the route processor. The goal of SPD is to give priority to routing protocol packets and other important control traffic, such as Layer 2 keepalives, during periods of process-level queue congestion. Disabling the feature might create routing inconsistencies during periods of high-volume traffic.

Suggested Fix

Configure Selective Packet Discard (SPD) using the command

[no] spd enable

Rule
Description
Constraints

Desired SPD State

Desired state of SPD

Required: true     Default: false


Rule 2

Rule

Check Minimum SPD Headroom [IOS]

Description

Check that SPD headroom is configured to be at least given number of packets. Even with SPD, the behavior of normal IP packets is not changed; however, routing protocol packets are given higher priority because SPD recognizes routing protocol packets by the IP precedence field. Hence, if the IP precedence is set to 6, then the packet is given priority. SPD prioritizes these packets by allowing the software to enqueue them into the process level input queue above the normal input queue limit. The number of packets allowed in excess of the normal limit is called the spd headroom, the default being 100, which means that a high precedence packet is not dropped if the size of the input hold queue is lower than 175 (input queue default size + spd headroom size).

Applicable Platforms

Cisco IOS Devices With SPD Capability

Impact

Selective Packet Discard (SPD) is a mechanism that manages the process-level input queues on the route processor. The goal of SPD is to give priority to routing protocol packets and other important control traffic, such as Layer 2 keepalives, during periods of process-level queue congestion. Disabling the feature might create routing inconsistencies during periods of high-volume traffic.

Suggested Fix

Configure SPD headroom to be the desired value using command

spd headroom

Rule
Description
Constraints

Desired Minimum SPD Headroom

Minimum SPD headroom, in packets: the number of high-precedence packets that may be enqueued into the process-level input queue above the normal input queue limit (IOS default: 100).

Required: true     Min Value: 0     Max Value: 65535


Rule 3

Rule

Check Minimum SPD Extended Headroom [IOS]

Description

Check that SPD extended headroom is configured to be at least given number of packets. Non-IP packets, such as Connectionless Network Service Intermediate System-to-Intermediate System (CLNS ISIS) packets, Point-to-Point Protocol (PPP) packets, and High-Level Data Link Control (HDLC) keepalives were, until recently, treated as normal priority as a result of being Layer 2 instead of Layer 3. In addition, Interior Gateway Protocols (IGPs) operating at Layer 3 or higher were given priority over normal IP packets, but given the same priority as BGP packets. So, during BGP convergence or during times of very high BGP activity, IGP hellos and keepalives were often dropped, causing IGP adjacencies to go down. Since IGP and link stability are more tenuous and more crucial than BGP stability, such packets are now given the highest priority and are given extended SPD headroom with a default of 10 packets. This means that these packets are not dropped if the size of the input hold queue is lower than 185 (input queue default size + spd headroom size + spd extended headroom).

Applicable Platforms

Cisco IOS Devices With SPD Capability

Impact

Selective Packet Discard (SPD) is a mechanism that manages the process-level input queues on the route processor. The goal of SPD is to give priority to routing protocol packets and other important control traffic, such as Layer 2 keepalives, during periods of process-level queue congestion. Disabling the feature might create routing inconsistencies during periods of high-volume traffic.

Suggested Fix

Configure SPD extended headroom to be the desired value using command

spd extended-headroom

Rule
Description
Constraints

Check Minimum SPD Extended Headroom

Minimum SPD extended headroom, in packets: the additional allowance above the SPD headroom for highest-priority packets such as IGP hellos and Layer 2 keepalives (IOS default: 10).

Required: true     Min Value: 0     Max Value: 65535


Rule 4

Rule

Check that Cisco Express Forwarding (CEF) is enabled [IOS]

Description

Check that Cisco Express Forwarding (CEF) or Distributed CEF are enabled whenever they are available.

Applicable Platforms

Cisco IOS Devices

Impact

The CEF switching mode replaces the traditional Cisco routing cache with a data structure that mirrors the entire system routing table. Because there is no need to build cache entries when traffic starts arriving for new destinations, CEF behaves more predictably than other modes when presented with large volumes of traffic addressed to many destinations.

Although most flooding denial of service attacks send all of their traffic to one or a few targets and therefore do not tax the traditional cache maintenance algorithm, many popular SYN flooding attacks use randomized source addresses. The host under attack replies to some fraction of the SYN flood packets, creating traffic for a large number of destinations. Routers configured for CEF therefore perform better under SYN floods (directed at hosts, not at the routers themselves) than do routers using the traditional cache. CEF is recommended when available.

Suggested Fix

Enable CEF or Distributed CEF whenever they are available using the command

ip cef

Rule 5

Rule

Check that Unicast Reverse Path Forwarding (RPF) is enabled on interfaces [IOS]

Description

Check that unicast reverse path forwarding (RPF) is enabled on interfaces.

In almost all Cisco IOS software versions that support Cisco Express Forwarding (CEF), you can have the device check the source address of any packet against the interface through which the packet entered the device. If the input interface is not a feasible path to the source address according to the routing table, the packet is dropped. This look-back feature is called unicast reverse path forwarding (RPF).

You can use unicast RPF in any single-homed environment where there is essentially only one access point out of the network, that is, one upstream connection. Networks having one access point offer the best example of symmetric routing, which means that the interface where a packet enters the network is also the best return path to the source of the IP packet. Unicast RPF is best used at the network perimeter for Internet, intranet, or extranet environments, or in ISP environments for customer network terminations. On an asymmetrically routed interface, strict RPF drops legitimate traffic, so confirm the return path before enabling it.

Applicable Platforms

Cisco IOS Devices

Impact

Many network attacks rely on an attacker falsifying (spoofing) the source addresses of IP datagrams. Some attacks depend on spoofing, while other attacks are much harder to trace if the attacker can use somebody else's address. Therefore, you should prevent spoofing wherever feasible.

Suggested Fix

Configure the RPF check on each interface (CEF must be enabled first) using the commands

interface <interface name>

ip verify unicast reverse-path

Rule 6

Rule

Check that Netflow switching for routing is enabled on all interfaces [IOS]

Description

Check that NetFlow switching for routing is enabled on all interfaces.

Applicable Platforms

Cisco IOS Devices

Impact

NetFlow efficiently provides the metering base for a key set of applications, including accounting and billing, network planning, network monitoring, and outbound marketing for both service provider and enterprise users.

NetFlow has two key components: first, the NetFlow cache or data source that stores IP Flow information and second, the NetFlow export or transport mechanism that sends NetFlow data to a network management collector for data reporting.

Suggested Fix

Enable NetFlow switching on all interfaces using the commands

interface <interface name>

ip route-cache flow

Rule 7

Rule

Check that the Committed Access Rate (CAR) is configured on all interfaces [IOS]

Description

Check that the committed access rate is configured on all interfaces.

Applicable Platforms

Cisco IOS Devices

Impact

You can use the rate-limit command to allocate different traffic rates to selected types of traffic. This can help you reserve part of the interface bandwidth for critical traffic, preventing an attack from overwhelming the interface. You can also use the command during an attack to throttle the attack.

Suggested Fix

Configure committed access rate (CAR) using the commands

interface <interface name>

rate-limit

Rule
Description
Constraints

Check for traffic

Whether it should be checked for incoming traffic or outgoing traffic or both

Required: true     Default: 3


Rule 8

Rule

Check filtering of packets with IP options [IOS]

Description

The ip options command allows you to filter IP options packets, either to drop or to ignore packets with IP options. Drop and ignore modes are mutually exclusive; that is, if the drop mode is configured and then the ignore mode is configured, the ignore mode will override the drop mode.

Applicable Platforms

Cisco IOS Devices

Impact

This can be used to mitigate the effects of IP options on the router, and on downstream routers and hosts.

Suggested Fix

Configure filtering of IP options packet filtering using the command

[no] ip options {drop | ignore}

Rule
Description
Constraints

Action

Desired behaviour for packets with IP options

Required: true     Default: 1


Rule 9

Rule

Check that "scheduler allocate" or "scheduler interval" command is configured [IOS]

Description

When a Cisco router is fast-switching a large number of packets, it is possible for the router to spend so much time responding to interrupts from the network interfaces that no other work gets done. You can reduce this effect by using the scheduler interval or scheduler allocate commands to set aside time for the device to handle process-level tasks rather than respond to interrupts.

The scheduler allocate command is a newer command and is not supported on all Cisco routers. With this command, you can specify a period for running with interrupts enabled, and another period for running with interrupts masked, so that process tasks can be handled. For example, a typical configuration might include the scheduler allocate 30000 2000 command.

Applicable Platforms

Cisco IOS Devices

Impact

Without a scheduler guarantee, a sustained packet flood can keep the router in interrupt context so long that process-level work, including routing protocol processing, starves. This can be exploited as a denial of service against the device.

Suggested Fix

Configure scheduler parameters using the command

scheduler interval

scheduler allocate
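Rules 5 to 7 above are evaluated per interface rather than globally, and several rules in this section carry parameters: the minimum headroom of Rules 2 and 3 and the traffic direction of Rule 7. The added example below (not Cisco Prime LMS code) parses the interface stanzas of a constructed running-config and evaluates those rules together with the CEF check of Rule 4, on which uRPF depends, and the per-interface MOP check of Rule 10 in the Services section. The scope decisions are assumptions stated in the code: only routed, non-loopback interfaces are checked, an absent "spd" line means the IOS default of 100 or 10 packets, and a configuration that never mentions "ip cef" is reported as a violation.

```python
"""Per-interface and forwarding-plane audit (added example, not Cisco Prime LMS code)."""
import re


def parse_interfaces(config_text):
    """Map each 'interface <name>' stanza to its list of sub-commands.
    In an IOS running-config, sub-commands are indented one space and a stanza
    ends at the next top-level line (usually the '!' separator)."""
    stanzas, current = {}, None
    for raw in config_text.splitlines():
        if not raw.startswith(" "):
            m = re.match(r"interface\s+(\S+)", raw)
            current = m.group(1) if m else None
            if current:
                stanzas[current] = []
            continue
        if current is not None:
            stanzas[current].append(raw.strip())
    return stanzas


def _int_after(top_lines, prefix, default):
    """Numeric argument of 'prefix <n>' among the global lines, or 'default' if absent."""
    for line in top_lines:
        if line.startswith(prefix + " "):
            try:
                return int(line.split()[-1])
            except ValueError:
                pass
    return default


ETHERNET = re.compile(r"(Fast|Gigabit|TenGigabit)?Ethernet")


def audit_forwarding(config_text, min_headroom=100, min_ext_headroom=10,
                     car_directions=("input", "output")):
    """Return (scope, finding, fix) tuples; scope is 'global' or an interface name."""
    top = [l.strip() for l in config_text.splitlines() if l and not l.startswith(" ")]
    findings = []
    # Rule 4: CEF. 'no ip cef' is an explicit violation; a config that never mentions
    # 'ip cef' is reported too (assumption: the platform shows 'ip cef' when it is enabled).
    if "no ip cef" in top or not any(l == "ip cef" or l.startswith("ip cef ") for l in top):
        findings.append(("global", "CEF not enabled", "ip cef"))
    # Rules 2 and 3: SPD headroom floors. A silent config means the IOS defaults (100 / 10).
    headroom = _int_after(top, "spd headroom", 100)
    ext_headroom = _int_after(top, "spd extended-headroom", 10)
    if headroom < min_headroom:
        findings.append(("global", f"SPD headroom {headroom} below minimum {min_headroom}",
                         f"spd headroom {min_headroom}"))
    if ext_headroom < min_ext_headroom:
        findings.append(("global",
                         f"SPD extended headroom {ext_headroom} below minimum {min_ext_headroom}",
                         f"spd extended-headroom {min_ext_headroom}"))
    for name, cmds in parse_interfaces(config_text).items():
        # Assumption: only routed (has 'ip address'), non-loopback interfaces are in scope.
        if name.startswith("Loopback") or not any(c.startswith("ip address ") for c in cmds):
            continue
        # Rule 5: uRPF; both the classic form and 'source reachable-via' count as enabled.
        if not any(c.startswith("ip verify unicast ") for c in cmds):
            findings.append((name, "uRPF not enabled", "ip verify unicast reverse-path"))
        # Rule 6: NetFlow switching (the newer 'ip flow ingress' form is accepted as well).
        if not any(c in ("ip route-cache flow", "ip flow ingress") for c in cmds):
            findings.append((name, "NetFlow not enabled", "ip route-cache flow"))
        # Rule 7: CAR in each required direction.
        for direction in car_directions:
            if not any(c.startswith(f"rate-limit {direction} ") for c in cmds):
                findings.append((name, f"CAR not configured ({direction})",
                                 f"rate-limit {direction} <bps> <burst-normal> <burst-max> "
                                 "conform-action transmit exceed-action drop"))
        # Services Rule 10: MOP is on by default on Ethernet interfaces.
        if ETHERNET.match(name) and "no mop enabled" not in cmds:
            findings.append((name, "MOP enabled (default)", "no mop enabled"))
    return findings


# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
no ip cef
spd headroom 50
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface GigabitEthernet0/0
 description uplink to ISP
 ip address 198.51.100.2 255.255.255.252
 ip verify unicast reverse-path
 ip route-cache flow
 rate-limit input 8000 1500 2000 conform-action transmit exceed-action drop
 no mop enabled
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
!
end
"""

if __name__ == "__main__":
    for scope, finding, fix in audit_forwarding(SAMPLE_CONFIG):
        print(f"{scope:20s} {finding:45s} fix: {fix}")
```

On the sample the audit reports eight findings: CEF disabled and the headroom below 100 at global scope, the missing output-direction CAR on GigabitEthernet0/0, and all five per-interface checks on the bare GigabitEthernet0/1. Lowering the headroom floor to 50 removes exactly one finding, which is how the constraint value of Rule 2 drives the result.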

SNMP

Description

The Simple Network Management Protocol (SNMP) is the standard Internet protocol for automated remote monitoring and administration. There are several different versions of SNMP, with different security properties. If a network has a deployed SNMP infrastructure in place for administration, then all routers on that network should be configured to securely participate in it. In the absence of a deployed SNMP scheme, all SNMP facilities on all routers should be disabled. While SNMP is helpful because it allows an administrator to remotely configure the router, it also offers a potentially dangerous conduit into a network.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

References

Payment Card Industry Data Security Standard(PCI).(2.3 of Version 1.1, September, 2006)

The Payment Card Industry (PCI) Data Security Standard resulted from a collaboration between Visa and MasterCard to create common industry security requirements. Other card companies operating in the U.S. have also endorsed the Standard within their respective programs. PCI Data Security requirements apply to all members, merchants and service providers that store, process or transmit cardholder data.

National Security Agency (NSA) Cisco Router Configuration Guide(Section 8.1(8) Page 276, Section 4.2.1 Page 70, Section 4.5.3 Page 152 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

Health Insurance Portability and Accountability Act.(164.312(a)(1), 164.312(e)(1))

HIPAA (Health Insurance Portability and Accountability Act.) is designed to protect confidential healthcare information through improved security standards and federal privacy legislation. It defines requirements for storing patient information before, during and after electronic transmission. Centers for Medicare & Medicaid Services (CMS) has provided a Security Rule (45 CFR Part 160 and 164) which is adopted to implement provisions of the HIPAA.

SANS Router Security Policy(Sections 3.0(4))

The SANS (SysAdmin, Audit, Network, Security) Institute publishes security policy to help system administrators with rapid development and implementation of information security policies.

National Security Agency (NSA) Cisco Switch Configuration Guide(Section 6.2.2, Page 18 of Version 1.0)

The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.

Cisco SAFE Compliance(1.1b)

SAFE: A Security Blueprint for Enterprise Networks

BS 7799, ISO/IEC 17799, ISO/IEC 27001(Section 10.6.2 of Second Edition, 2005-06-15)

Information Technology - Code of practice for information security management.

Defense Information Systems Agency (DISA)(Section NET0890, NET0894 of Dec 2, 2005)

DISA Checklist, sometimes referred to as a lockdown guide, hardening guide, or benchmark configuration is essentially a document that contains instructions or procedures to verify compliance to a baseline level of security.

Department of Homeland Security (DHS) Compliance(Section 4.3, Page 29 of Version 2.0)

This document is being distributed to provide Department of Homeland Security (DHS) Cisco Router systems administrators with a clear, concise set of procedures that will ensure a minimum baseline of security when an existing Cisco Router is being installed or configured. All settings and parameters presented in this document are the baseline security which all Cisco Router systems must meet.

Center for Internet Security, Benchmark for Cisco PIX/ASA.(Section 1.1.5, Page: 14 of Version 2.0, Nov 2007)

CIS PIX/ASA benchmark recommends the prudent level of minimum due care for operating system security. CIS PIX/ASA benchmark contains some security configuration recommendations that affect functionality, and are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All PIX devices should implement these settings.

Center for Internet Security, Benchmark for Cisco IOS.(Section 1.1.5, Page:17 of Version 2.2, Nov 2007)

CIS benchmark Cisco IOS, recommends the prudent level of minimum due care for operating system security. CIS benchmark IOS, contains some security configuration recommendations that affect functionality, and are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All IOS devices should implement these settings.

Rule 1

Rule

Check the state of SNMP server [IOS, PIX, ASA]

Description

Check the state of SNMP server on the device.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

The Simple Network Management Protocol (SNMP) is the standard Internet protocol for automated remote monitoring and administration. There are several different versions of SNMP, with different security properties. If a network has a deployed SNMP infrastructure in place for administration, then all routers on that network should be configured to securely participate in it. In the absence of a deployed SNMP scheme, all SNMP facilities on all routers should be disabled. While SNMP is helpful because it allows an administrator to remotely configure the router, it also offers a potentially dangerous conduit into a network.

Suggested Fix

The safest way to ensure that SNMP is really unavailable to an attacker, and will remain so, is to list the established SNMP community strings and explicitly unset all of them. It is also recommended to disable the SNMP trap and system shutdown features, and finally to disable the SNMP server on the device using the command

[no] snmp-server (for IOS)

[no] snmp-server enable (for PIX)

Rule
Description
Constraints

SNMP Server Should be

Choose the desired SNMP state

Required: true     Default: false


Rule 2

Rule

Check that SNMP Reload is disabled [IOS]

Description

Using SNMP packets, a network management tool can send messages to users on virtual terminals and the console. This facility operates in a similar fashion to the [EXEC send] command; however, the SNMP request that causes the message to be issued to the users also specifies the action to be taken after the message is delivered. One possible action is a shutdown request. After a system is shut down, typically it is reloaded.

Applicable Platforms

Cisco IOS Devices

Impact

This can be exploited by attackers to reload the system.

Suggested Fix

Disable SNMP Reload feature using the command

no snmp-server system-shutdown

Rule 3

Rule

Check that SNMP Traps are disabled [IOS, PIX, ASA]

Description

SNMP trap messages are generated by the device for configuration event notifications or security alerts.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

SNMPv1 and SNMPv2c traps carry their community string and payload in clear text, so anyone on the path can capture them to retrieve sensitive information; only SNMPv3 with authentication and privacy protects traps in transit.

Suggested Fix

Disable SNMP Traps using the command

no snmp-server host

Rule 4

Rule

Check that desired servers are configured for receiving SNMP Traps [IOS, PIX, ASA]

Description

SNMP trap messages are generated by the device for configuration event notifications or security alerts. If you use SNMP and enable the network devices to send SNMP traps, you should ensure that the correct trap servers are configured on the devices.

Logging SNMP traps can be useful because Cisco devices can record information about a variety of events, many of which have security significance. Logs can be invaluable in characterizing and responding to security incidents. Logging the messages from devices and analyzing them in real time or offline provides an insight into the network to troubleshoot security issues. A syslog server is an inexpensive and widely available application that stores log entries from network devices. This facility allows you permanent storage for logging information, which is especially valuable when physical access to the network device is impractical. A syslog server also affords greater detail within the logs themselves (less reliance on the device's logging buffer). The level of detail of the syslog server-stored logs is set using the logging trap command. There is minimal performance impact to the device, regardless of the level of logging detail.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

SNMP traps will not be sent to required hosts.

Suggested Fix

Configure SNMP to send traps to required hosts using the command

snmp-server host

Rule
Description
Constraints

Included Trap Servers

List of desired servers to receive SNMP Traps.

Using Trap Server Editor option, you can add, remove or update Trap Server details. You can also change the order of the server details.

Required: true


Rule 5

Rule

SNMP should be configured with these community strings [IOS, PIX, ASA]

Description

Make sure SNMP is configured with the given community strings.

Applicable Platforms

Cisco IOS Devices

Impact

Use of the same community string ensures that security of the devices can be easily managed. Users might use a different community string than the standard one for troubleshooting and then forget to turn it off. An attacker gaining access to a device might change the community string and then access the device later. In certain cases, turning off SNMP is not an option since there are applications that use SNMP to manage the device. In order to manage the network using SNMP and yet not compromise on security, it is essential that ACLs be enabled for device access. This will limit the SNMP access to the authorized subnets or hosts.

Suggested Fix

Configure the given community strings using the command

snmp-server community

Rule: Included Community Strings
Description: Community strings that must be included. Using Community String Editor option, you can add, remove or update Community String details. You can also change the order of the entries.
Constraints: Required: true


Rule 6

Rule

SNMP should be configured with the community string [PIX, ASA]

Description

Make sure SNMP is configured with the given community string.

Applicable Platforms

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

Use of the same community string ensures that security of the devices can be easily managed. Users might use a different community string than the standard one for troubleshooting and then forget to turn it off. An attacker gaining access to a device might change the community string and then access the device later. In certain cases, turning off SNMP is not an option since there are applications that use SNMP to manage the device. In order to manage the network using SNMP and yet not compromise on security, it is essential that ACLs be enabled for device access. This will limit the SNMP access to the authorized subnets or hosts.

Suggested Fix

Configure the given community strings using the command

snmp-server community

Rule: Community String
Description: Community string that must be configured. Using Community String Editor option, you can add, remove or update Community String details. You can also change the order of the entries.
Constraints: Required: true


Rule 7

Rule

SNMP should not be configured with these well known community strings [IOS, PIX, ASA]

Description

Make sure SNMP is not configured with well known community strings such as public, private, etc.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

Use of well known community strings will make the network vulnerable since attackers can easily gain access to the network information.

Suggested Fix

Do not use well known community strings such as 'public', 'private', etc. with SNMP. Remove the prohibited community strings using the command no snmp-server community

Rule: Banned Community Strings
Description: Well known strings to check for. Using Banned Community Strings Editor option, you can add, remove or update Banned Community Strings details. You can also change the order of the entries.
Constraints: Required: true


Rule 8

Rule

Check that writeable community strings are not configured [IOS]

Description

Configuring SNMP community strings with write access allows users to change the system state. Care should be taken while doing so.

Applicable Platforms

Cisco IOS Devices

Impact

While SNMP is helpful because it allows an administrator to remotely configure the router, it also offers a potentially dangerous conduit into a network. Care should be taken while configuring SNMP community strings with write access since an attacker can change the system state.

Suggested Fix

Do not configure write access for SNMP community strings; give 'Read-Only' access instead. Change them to read-only community strings using the command

snmp-server community <community string> ro

Rule 9

Rule

Check that SNMP access is restricted with ACLs [IOS]

Description

ACLs can be configured with SNMP community strings to restrict access to SNMP server.

Applicable Platforms

Cisco IOS Devices

Impact

Configuring an SNMP community string with no ACL allows users from any host to access the SNMP server if they know the community string. This can be exploited by an attacker who can change the system state.

Suggested Fix

Configure ACLs for SNMP community strings to allow access from trusted networks/hosts using the command

snmp-server community <community string> <ro|rw> <access-list name or number>
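Rules 4 through 9 above all reduce to pattern checks over the global snmp-server lines of a running-config. The following Python script is an added example written for this page, not code from Cisco Prime LMS or from Cisco: it audits a constructed config excerpt for well-known, writable and ACL-less community strings and for missing required community strings and trap hosts, then emits the fix commands the rules suggest. The banned strings, the required community string and the trap server addresses are placeholder policy values standing in for the rule constraints.

```python
import re

# Constructed sample running-config excerpt (not from the page): one well-known
# community, one writable one with no ACL, one read-only one restricted by
# standard ACL 10, and a single trap host.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community s3cr3t-rw RW
snmp-server community nms-only RO 10
snmp-server host 192.0.2.10 version 2c nms-only
"""

# Placeholder policy values standing in for the rule constraints on the page
# (Banned Community Strings, Included Community Strings, Included Trap Servers).
BANNED_COMMUNITIES = {"public", "private"}
REQUIRED_COMMUNITIES = {"nms-only"}
REQUIRED_TRAP_SERVERS = {"192.0.2.10", "192.0.2.11"}

# snmp-server community <string> [view <name>] [ro|rw] [<acl>]; IOS treats a
# community with no access keyword as read-only.
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (ro|rw))?(?: (\S+))?$", re.IGNORECASE)
TRAP_HOST_RE = re.compile(r"^snmp-server host (\S+)")


def audit_snmp(config):
    """Return (rule, subject, message) findings for the SNMP rules 4 through 9."""
    findings, communities, trap_hosts = [], set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := COMMUNITY_RE.match(line):
            name, mode, acl = m.group(1), (m.group(2) or "ro").lower(), m.group(3)
            communities.add(name)
            if name.lower() in BANNED_COMMUNITIES:
                findings.append(("rule7", name, "well-known community string"))
            if mode == "rw":
                findings.append(("rule8", name, "community string has write access"))
            if acl is None:
                findings.append(("rule9", name, "community string not restricted by an ACL"))
        elif m := TRAP_HOST_RE.match(line):
            trap_hosts.add(m.group(1))
    for name in sorted(REQUIRED_COMMUNITIES - communities):
        findings.append(("rule5", name, "required community string missing"))
    for host in sorted(REQUIRED_TRAP_SERVERS - trap_hosts):
        findings.append(("rule4", host, "required trap host not configured"))
    return findings


# Fix commands as worded under each rule's Suggested Fix; <...> are placeholders
# the operator fills in (ACL names and the trap community are site-specific).
FIXES = {
    "rule4": "snmp-server host {subject} <community>",
    "rule5": "snmp-server community {subject} ro <acl>",
    "rule7": "no snmp-server community {subject}",
    "rule8": "snmp-server community {subject} ro",
    "rule9": "snmp-server community {subject} ro <acl>",
}


def remediation(findings):
    """Fix commands for the findings. A banned string is removed outright (never
    re-added with an ACL), and a writable string that also lacks an ACL gets the
    single 'ro <acl>' command rather than two overlapping ones."""
    banned = {s for r, s, _ in findings if r == "rule7"}
    no_acl = {s for r, s, _ in findings if r == "rule9"}
    cmds = []
    for rule, subject, _ in findings:
        if rule != "rule7" and subject in banned:
            continue
        if rule == "rule8" and subject in no_acl:
            continue
        cmds.append(FIXES[rule].format(subject=subject))
    return cmds
```

Running audit_snmp on the sample flags public (Rules 7 and 9), s3cr3t-rw (Rules 8 and 9) and the missing trap host 192.0.2.11 (Rule 4), and remediation reduces those five findings to three commands. Note that the script, like IOS, treats a community with no ro/rw keyword as read-only, so Rule 8 cannot be bypassed by omitting the keyword.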

TCP Parameters

Description

Policies to enforce TCP related parameter values.

Applicable Platforms

Cisco IOS Devices

Cisco IOS Devices With TCP_INTERCEPT Capability

References

National Security Agency (NSA) Cisco Router Configuration Guide(1.1b)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

Cisco SAFE Compliance(1.1b)

SAFE: A Security Blueprint for Enterprise Networks

National Security Agency (NSA) Cisco Router Configuration Guide(Section 8.1(14) Page 278, Section 4.1.6 Page 66, Section 4.2.1 Page 70, Section 4.3.3 Page 90 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

National Security Agency (NSA) Cisco Switch Configuration Guide(Section 12.2, Page 44 of Version 1.0)

The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.

Department of Homeland Security (DHS) Compliance(Section 4.4, Page 33 of Version 2.0)

This document is being distributed to provide Department of Homeland Security (DHS) Cisco Router systems administrators with a clear, concise set of procedures that will ensure a minimum baseline of security when an existing Cisco Router is being installed or configured. All settings and parameters presented in this document are the baseline security which all Cisco Router systems must meet.

Center for Internet Security, Benchmark for Cisco IOS.(Section 1.2.2.7-1.2.2.8, Page:25-26 of Version 2.2, Nov 2007)

CIS benchmark Cisco IOS, recommends the prudent level of minimum due care for operating system security. CIS benchmark IOS, contains some security configuration recommendations that affect functionality, and are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All IOS devices should implement these settings.

Rule 1

Rule

TCP keep-alives on incoming network connections [IOS]

Description

Enable/disable generation of TCP keep-alive messages on idle incoming network connections (those initiated by the remote host)

Applicable Platforms

Cisco IOS Devices

Cisco IOS Devices With TCP_INTERCEPT Capability

Impact

The TCP keepalive service allows a router to detect when the host with which it is communicating experiences a system failure, even if data stops being sent (in either direction). This capability is most useful on incoming connections. For example, if a host failure occurs while the router is communicating with a printer, the router might never notice because the printer does not generate any traffic in the opposite direction. If keepalives are enabled, they are sent once every minute on otherwise idle connections. If 5 minutes pass and no keepalives are detected, the connection is closed. The connection is also closed if the host replies to a keepalive packet with a reset packet. This will happen if the host crashes and comes back up again. An unclosed, stale connection might be used by an attacker to gain unauthorized entry into the device.

Suggested Fix

Enable/Disable generation of TCP keep-alive messages on idle incoming network connections using the command

[no] service tcp-keepalives-in

Rule: State
Description: State of TCP keep alives on incoming network connections.
Constraints: Required: true     Default: true


Rule 2

Rule

TCP keep-alives on outgoing network connections [IOS]

Description

Enable/disable generation of TCP keep-alive messages on idle outgoing network connections (those initiated by the user on the device).

Applicable Platforms

Cisco IOS Devices

Cisco IOS Devices With TCP_INTERCEPT Capability

Impact

The TCP keepalive service allows a router to detect when the host with which it is communicating experiences a system failure, even if data stops being sent (in either direction).

Suggested Fix

Enable/Disable generation of TCP keep-alive messages on idle outgoing network connections using the command [no] service tcp-keepalives-out.

Rule: State
Description: State of TCP keep alives on outgoing network connections.
Constraints: Required: true     Default: true


Rule 3

Rule

Check maximum TCP SYN wait time [IOS]

Description

Establishing a successful TCP connection involves the originator sending a connection request, the receiver sending an acknowledgement and then the originator sending an acceptance of that acknowledgement. This is called a 3-way handshake. Once this three-phase handshake is complete, the connection is complete and data transfer can begin. SYN wait time determines how long a device waits before bringing down the incomplete connections.

Applicable Platforms

Cisco IOS Devices

Cisco IOS Devices With TCP_INTERCEPT Capability

Impact

This can be exploited by a hacker to mount a SYN flooding attack on the device. A SYN flooding attack involves sending repeated connection requests to a device but never sending the acknowledgement that completes those connections. This leaves an ever-growing number of incomplete connections at the device. Since the buffer for incomplete connections is usually smaller than the buffer for completed connections, it can be overwhelmed, leaving the host unable to accept further incoming connections and denying service to legitimate users.

Suggested Fix

Configure the SYN wait time, so that the device shuts down incomplete connections, using the command ip tcp synwait-time

Rule: SYN Wait Time in Seconds
Description: Time (in seconds) the software waits while attempting to establish a TCP connection.
Constraints: Required: true     Default: 10     Min Value: 5     Max Value: 300


Rule 4

Rule

Check state of TCP interception [IOS]

Description

The TCP intercept feature implements software to protect TCP servers from TCP SYN-flooding attacks, which are a type of denial-of-service attack.

A SYN-flooding attack occurs when a hacker floods a server with a barrage of requests for connection. Because these messages have unreachable return addresses, the connections cannot be established. The resulting volume of unresolved open connections eventually overwhelms the server and can cause it to deny service to valid requests, thereby preventing legitimate users from connecting to a web site, accessing e-mail, using FTP service, and so on.

Applicable Platforms

Cisco IOS Devices With TCP_INTERCEPT Capability

Impact

Enabling TCP intercept feature helps in avoiding DoS attacks on TCP server services.

Suggested Fix

Enforce that TCP interception be enabled or disabled using the command [no] ip tcp intercept

Rule: State
Description: State of TCP interception.
Constraints: Required: true     Default: true


Rule 5

Rule

Check maximum TCP intercept watch-timeout[IOS]

Description

The TCP intercept feature implements software to protect TCP servers from TCP SYN-flooding attacks, which are a type of denial-of-service attack.

A SYN-flooding attack occurs when a hacker floods a server with a barrage of requests for connection. Because these messages have unreachable return addresses, the connections cannot be established. The resulting volume of unresolved open connections eventually overwhelms the server and can cause it to deny service to valid requests, thereby preventing legitimate users from connecting to a web site, accessing e-mail, using FTP service, and so on.

Applicable Platforms

Cisco IOS Devices With TCP_INTERCEPT Capability.

Impact

Enabling TCP intercept feature helps in avoiding DoS attacks on TCP server services.

Suggested Fix

Configure TCP intercept Watch Timeout using the command

ip tcp intercept watch-timeout

Rule: TCP intercept watch-timeout in seconds
Description: Time (in seconds) a watched connection is given to reach the established state before a Reset is sent to the server.
Constraints: Required: true     Default: 30     Min Value: 1     Max Value: 2147483


Rule 6

Rule

Check maximum TCP intercept connection-timeout[IOS]

Description

The TCP intercept feature implements software to protect TCP servers from TCP SYN-flooding attacks, which are a type of denial-of-service attack.

A SYN-flooding attack occurs when a hacker floods a server with a barrage of requests for connection. Because these messages have unreachable return addresses, the connections cannot be established. The resulting volume of unresolved open connections eventually overwhelms the server and can cause it to deny service to valid requests, thereby preventing legitimate users from connecting to a web site, accessing e-mail, using FTP service, and so on.

Applicable Platforms

Cisco IOS Devices With TCP_INTERCEPT Capability

Impact

Enabling TCP intercept feature helps in avoiding DoS attacks on TCP server services.

Suggested Fix

Configure TCP intercept Connection Timeout using the command

ip tcp intercept connection-timeout

Rule: TCP intercept connection timeout in seconds
Description: Time (in seconds) the device will manage a connection after no activity.
Constraints: Required: true     Default: 86400     Min Value: 1     Max Value: 2147483
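The six TCP rules above are value checks, but with a subtlety the rule text leaves implicit: a command that is absent from the running-config is not a violation in itself, because IOS then applies its own default, and that default may or may not satisfy the policy. The Python below is an added example written for this page (not Cisco Prime LMS code) that resolves each setting to the value the device actually runs before comparing it with a policy built from the rule defaults above, treating the numeric rules as maxima as their titles say, and validating the policy against the Min/Max constraints the way the policy editor would. The IOS default values and the sample config are the author's assumptions and are marked as such in the code.

```python
import re

# Constructed sample running-config excerpt (not from the page): keepalives only
# inbound, a SYN wait above the policy's 10 s, TCP intercept on, a shortened
# connection-timeout, and no explicit watch-timeout.
SAMPLE_CONFIG = """\
service tcp-keepalives-in
ip tcp synwait-time 15
ip tcp intercept list 101
ip tcp intercept connection-timeout 3600
"""

# Values IOS uses when the command is absent: keepalives and intercept are off,
# synwait-time is 30 s, the intercept timers match the defaults shown on the
# page. These are the author's assumptions; verify them on your platform.
IOS_DEFAULTS = {
    "tcp-keepalives-in": False,
    "tcp-keepalives-out": False,
    "synwait-time": 30,
    "intercept": False,
    "intercept-watch-timeout": 30,
    "intercept-connection-timeout": 86400,
}

# Policy built from the rule defaults above. Booleans must match exactly; numeric
# values are maxima, as the rule titles ("Check maximum ...") say.
POLICY = {
    "tcp-keepalives-in": True,
    "tcp-keepalives-out": True,
    "synwait-time": 10,
    "intercept": True,
    "intercept-watch-timeout": 30,
    "intercept-connection-timeout": 86400,
}
# Min/Max constraints from the rules, enforced on the policy before it is used.
BOUNDS = {
    "synwait-time": (5, 300),
    "intercept-watch-timeout": (1, 2147483),
    "intercept-connection-timeout": (1, 2147483),
}

# One pattern per setting; a capture group marks a numeric setting.
PATTERNS = {
    "tcp-keepalives-in": re.compile(r"^service tcp-keepalives-in$"),
    "tcp-keepalives-out": re.compile(r"^service tcp-keepalives-out$"),
    "synwait-time": re.compile(r"^ip tcp synwait-time (\d+)$"),
    "intercept": re.compile(r"^ip tcp intercept list \S+$"),  # the form that enables the feature
    "intercept-watch-timeout": re.compile(r"^ip tcp intercept watch-timeout (\d+)$"),
    "intercept-connection-timeout": re.compile(r"^ip tcp intercept connection-timeout (\d+)$"),
}

# Fix command per setting, as listed under each rule's Suggested Fix; <acl> is a placeholder.
FIX = {
    "tcp-keepalives-in": "service tcp-keepalives-in",
    "tcp-keepalives-out": "service tcp-keepalives-out",
    "synwait-time": "ip tcp synwait-time {}",
    "intercept": "ip tcp intercept list <acl>",
    "intercept-watch-timeout": "ip tcp intercept watch-timeout {}",
    "intercept-connection-timeout": "ip tcp intercept connection-timeout {}",
}


def validate_policy(policy):
    """Policy values outside the Min/Max constraints, as error strings (empty if valid)."""
    return [f"{k}={policy[k]} outside [{lo}, {hi}]"
            for k, (lo, hi) in BOUNDS.items() if not lo <= policy[k] <= hi]


def effective_settings(config):
    """Settings the device actually runs: explicit lines override the IOS defaults."""
    settings = dict(IOS_DEFAULTS)
    for raw in config.splitlines():
        for key, pat in PATTERNS.items():
            if m := pat.match(raw.strip()):
                settings[key] = int(m.group(1)) if m.groups() else True
    return settings


def audit_tcp(config, policy=POLICY):
    """(setting, actual, wanted) for every rule the effective configuration violates."""
    actual, findings = effective_settings(config), []
    for key, want in policy.items():
        have = actual[key]
        numeric = isinstance(want, int) and not isinstance(want, bool)
        if (have > want) if numeric else (have != want):
            findings.append((key, have, want))
    return findings


def remediation(findings):
    """Fix commands for the findings; a boolean the policy wants off gets the 'no' form."""
    return [("no " if want is False else "") + FIX[key].format(want) for key, _, want in findings]
```

On the sample, only the missing outbound keepalives and the 15 s SYN wait are reported; the absent watch-timeout passes because the IOS default of 30 s is within the policy maximum. An empty config, by contrast, produces four findings, which is the point: an auditor that only looks for present lines would miss the three that are violations by default.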


BGP

Description

BGP Related policies

Applicable Platforms

Cisco IOS Devices With BGP Routing Capability

References

National Security Agency (NSA) Cisco Router Configuration Guide(Section 4.4.5 Page 123 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

BS 7799, ISO/IEC 17799, ISO/IEC 27001(Section 11.4.7 Page 69 of Second Edition, 2005-06-15)

Information Technology - Code of practice for information security management.

Defence Information System Agency(Section NET0400,NET0410 of Dec 2, 2005)

DISA Checklist, sometimes referred to as a lockdown guide, hardening guide, or benchmark configuration is essentially a document that contains instructions or procedures to verify compliance to a baseline level of security.

Department of Homeland Security (DHS) Compliance(Section 4.1,4.2, Page 18,20 of Version 2.0)

This document is being distributed to provide Department of Homeland Security (DHS) Cisco Router systems administrators with a clear, concise set of procedures that will ensure a minimum baseline of security when an existing Cisco Router is being installed or configured. All settings and parameters presented in this document are the baseline security which all Cisco Router systems must meet.

Center for Internet Security, Benchmark for Cisco IOS.(Section 2.3.2.1, Page: 43 of Version 2.2, Nov 2007)

CIS benchmark Cisco IOS, recommends the prudent level of minimum due care for operating system security. CIS benchmark IOS, contains some security configuration recommendations that affect functionality, and are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All IOS devices should implement these settings.

Rule 1

Rule

Check MD5 Authentication [IOS]

Description

This rule checks to make sure that BGP autonomous systems use MD5 authentication. Router neighbor authentication is a mechanism that, when applied correctly, can prevent many routing attacks. Each router accomplishes authentication by the possession of an authentication key. That is, routers connected to the same network segment all use a shared secret key. Each sending router then uses this key to 'sign' each route table update message. The receiving router checks the shared secret to determine whether the message should be accepted.

Applicable Platforms

Cisco IOS Devices With BGP Routing Capability

Impact

This router is vulnerable to various routing attacks by spoofing the route table update messages.

Suggested Fix

Configure BGP MD5 Authentication using the command

router bgp <AS Number>  

neighbor <Peer Group Name or Neighbor Address> password <Authentication Password>

Rule 2

Rule

Check that incoming BGP route filtering is configured [IOS]

Description

This rule checks that some kind of route filtering is configured for each BGP neighbor or globally for all interfaces for accepting route updates. BGP Route Filtering can be configured either using access list based filtering (using distribute-list) or using the prefix lists based filtering (prefix-list). Communications between routers for routing table updates involve routing protocols. These updates provide directions to a router on which way traffic should be routed. You can use access lists to restrict what routes the router will accept (in) or advertise (out) via some routing protocols.

Applicable Platforms

Cisco IOS Devices With BGP Routing Capability

Impact

Router may accept route update messages from unintended entities.

Suggested Fix

Configure route filtering for all BGP neighbors using the commands

router bgp <autonomous system number>   

distribute-list <acl number> in   

neighbor <neighbor address or peer group> distribute-list <acl number> in   

distribute-list prefix <prefix-list name> in   

neighbor <neighbor address or peer group> prefix-list <prefix-list name> in !

Rule: Route Filter Type
Description: Desired route filter type to be enforced.
Constraints: Required: true     Default: dontcare

Rule: ACL to be enforced
Description: Desired ACL to be enforced. Leave blank to enforce no particular ACL ID.
Constraints: Required: false

Rule: Prefix List to be enforced
Description: Desired prefix-list to be enforced. Leave blank to enforce no particular prefix-list.
Constraints: Required: true     Default: dontcare


Rule 3

Rule

Check that outgoing BGP route filtering is configured [IOS]

Description

This rule checks that some kind of route filtering is configured for each BGP neighbor or globally for all interfaces for advertising route updates. BGP Route Filtering can be configured either using access list based filtering (using distribute-list) or using the prefix lists based filtering (prefix-list). Communications between routers for routing table updates involve routing protocols. These updates provide directions to a router on which way traffic should be routed. You can use access lists to restrict what routes the router will accept (in) or advertise (out) via some routing protocols.

Applicable Platforms

Cisco IOS Devices With BGP Routing Capability

Impact

Router may advertise route update messages to unintended entities.

Suggested Fix

Configure route filtering for all BGP neighbors using the commands

router bgp <autonomous system number>

distribute-list <acl number> out

neighbor <neighbor address or peer group> distribute-list <acl number> out

distribute-list prefix <prefix-list name> out

neighbor <neighbor address or peer group> prefix-list <prefix-list name> out !

Rule: Route Filter Type
Description: Desired route filter type to be enforced.
Constraints: Required: true     Default: dontcare

Rule: ACL to be enforced
Description: Desired ACL to be enforced. Leave blank to enforce no particular ACL ID.
Constraints: Required: false

Rule: Prefix List to be enforced
Description: Desired prefix-list to be enforced. Leave blank to enforce no particular prefix-list.
Constraints: Required: false


Rule 4

Rule

Check TTL security [IOS]

Description

This rule checks to make sure that BGP autonomous systems use either the TTL security mechanism (the ttl-security feature) or the ebgp-multihop feature. The Generalized TTL Security Mechanism (GTSM), documented in RFC 3682 [32] and introduced in Cisco IOS 12.0(27)S and 12.3(7)T, utilizes the Time-to-Live (TTL) field of the IP header to protect exterior BGP (eBGP) peering sessions from remote attacks. This mechanism uses the TTL value in a received packet and compares it to an administrator defined hop count. If the received IP packet contains a TTL value greater than or equal to the expected TTL value (i.e. 255 minus an administrator defined hop count), then the packet is processed. Otherwise, the packet is silently discarded. Since remote attacks originate multiple router hops away from an intended target, limiting the hop count to the actual number of hops between eBGP peers will help prevent attacks initiated on any network that does not lie between the peers.

This feature protects the eBGP peering session by comparing the value in the TTL field of received IP packets against a hop count that is configured locally for each eBGP peering session. If the value in the TTL field of the incoming IP packet is greater than or equal to the locally configured value, the IP packet is accepted and processed normally. If the TTL value in the IP packet is less than the locally configured value, the packet is silently discarded and no ICMP message is generated. This is designed behavior; a response to a forged packet is unnecessary.

Applicable Platforms

Cisco IOS Devices With BGP Routing Capability

Impact

Router may be vulnerable to CPU utilization-based attacks. These types of attacks are typically brute force Denial of Service (DoS) attacks that attempt to disable the network by flooding the network with IP packets that contain forged source and destination IP addresses.

Suggested Fix

Configure BGP TTL Security mechanism or use ebgp-multihop feature using the command

router bgp <AS Number>   

neighbor <Peer Group Name or Neighbor Address> ttl-security hops <hop-count>   

neighbor <Peer Group Name or Neighbor Address> ebgp-multihop <hop-count> !

Rule 5

Rule

Check BGP Dampening is configured [IOS]

Description

This rule checks to make sure BGP dampening is configured. Route flap dampening is a method that may be used to provide router CPU and network stability while BGP routes are converging. Damping controls the effect of route flapping which occurs when a route constantly transitions from an up-to-down or down-to-up state. These transitions cause excessive BGP route update messages (i.e. add/withdraw routes) to propagate through the network. ISPs and other backbone providers may configure BGP dampening to mitigate route flapping.

Applicable Platforms

Cisco IOS Devices With BGP Routing Capability

Impact

Too many BGP route flaps may affect CPU and network stability.

Suggested Fix

Configure BGP dampening using the command

router bgp <AS Number>   

bgp dampening !
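The five BGP rules above need more than flat line matching: the settings live inside the router bgp block, a neighbor may inherit its password, TTL security and filters from a peer group (the "Peer Group Name or Neighbor Address" in the fix commands), and a global distribute-list satisfies the filtering rules for every neighbor at once. The Python below is an added example written for this page, not Cisco Prime LMS code; it splits a constructed running-config into blocks, applies Rules 1 through 5 per neighbor with peer-group inheritance, and prints the suggested fix commands. The AS numbers, neighbor addresses and list names are constructed.

```python
import re

# Constructed sample running-config (not from the page): peer group PEERS holds
# the MD5 password, TTL security and prefix filters; neighbor 192.0.2.1 inherits
# them through the peer group, neighbor 198.51.100.1 has only a remote-as.
SAMPLE_CONFIG = """\
router bgp 65001
 neighbor PEERS peer-group
 neighbor PEERS password <shared-secret>
 neighbor PEERS ttl-security hops 1
 neighbor PEERS prefix-list FROM-PEERS in
 neighbor PEERS prefix-list TO-PEERS out
 neighbor 192.0.2.1 remote-as 65002
 neighbor 192.0.2.1 peer-group PEERS
 neighbor 198.51.100.1 remote-as 65003
!
"""


def blocks(config, prefix):
    """[(header, [body lines])] for every top-level block whose header starts with prefix."""
    pat = rf"^({re.escape(prefix)}[^\n]*)\n((?: [^\n]*\n)*)"
    return [(h, [l.strip() for l in b.splitlines()]) for h, b in re.findall(pat, config + "\n", re.M)]


# Rules 1 to 4, checked per neighbor; a setting on the neighbor's peer group counts
# for it. Each entry: finding label, line pattern, suggested fix (<...> = placeholder).
BGP_CHECKS = {
    "password": ("no MD5 password", re.compile(r"^neighbor (\S+) password "),
                 "neighbor {peer} password <authentication-password>"),
    "filter-in": ("no inbound route filter",
                  re.compile(r"^neighbor (\S+) (?:distribute-list|prefix-list) \S+ in$"),
                  "neighbor {peer} prefix-list <prefix-list-name> in"),
    "filter-out": ("no outbound route filter",
                   re.compile(r"^neighbor (\S+) (?:distribute-list|prefix-list) \S+ out$"),
                   "neighbor {peer} prefix-list <prefix-list-name> out"),
    "ttl": ("no ttl-security or ebgp-multihop",
            re.compile(r"^neighbor (\S+) (?:ttl-security hops \d+|ebgp-multihop(?: \d+)?)$"),
            "neighbor {peer} ttl-security hops <hop-count>"),
}
FIXES = {label: fix for label, _, fix in BGP_CHECKS.values()}
FIXES["no bgp dampening"] = "bgp dampening"


def audit_bgp(config):
    """BGP Rules 1 to 5 as (block header, neighbor or '-', finding) triples."""
    findings = []
    for header, body in blocks(config, "router bgp"):
        satisfied, members, peers = {}, {}, []  # members[name] is None for a peer-group definition
        for line in body:
            if m := re.match(r"^neighbor (\S+) peer-group(?: (\S+))?$", line):
                members[m.group(1)] = m.group(2)
            elif m := re.match(r"^neighbor (\S+) remote-as \S+$", line):
                peers.append(m.group(1))
            for key, (_, pat, _) in BGP_CHECKS.items():
                if m := pat.match(line):
                    satisfied.setdefault(m.group(1), set()).add(key)
        if "bgp dampening" not in body:  # Rule 5
            findings.append((header, "-", "no bgp dampening"))
        for peer in [p for p in peers if members.get(p, "") is not None]:  # skip group definitions
            ok = satisfied.get(peer, set()) | satisfied.get(members.get(peer), set())
            for d in ("in", "out"):  # a global distribute-list covers every neighbor
                if any(re.match(rf"^distribute-list (?:prefix )?\S+ {d}$", l) for l in body):
                    ok.add(f"filter-{d}")
            findings += [(header, peer, label) for key, (label, _, _) in BGP_CHECKS.items() if key not in ok]
    return findings


def remediation(findings):
    """Config snippet with the suggested fix commands, grouped under each router bgp block."""
    lines = []
    for header in dict.fromkeys(h for h, _, _ in findings):
        lines.append(header)
        lines += [" " + FIXES[label].format(peer=peer) for h, peer, label in findings if h == header]
    return "\n".join(lines)


if __name__ == "__main__":
    print(remediation(audit_bgp(SAMPLE_CONFIG)))
```

On the sample, 192.0.2.1 passes every check through its peer group while 198.51.100.1 fails all four, and the block as a whole lacks dampening; the remediation is a paste-ready snippet under router bgp 65001 with placeholders for the secret, prefix-list names and hop count.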

EIGRP

Description

EIGRP Related policies

Applicable Platforms

Cisco IOS Devices With EIGRP Routing Capability

References

National Security Agency (NSA) Cisco Router Configuration Guide(Section 4.3.2 Page 88, Section 4.4.3 Page 111 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

BS 7799, ISO/IEC 17799, ISO/IEC 27001(Section 11.4.7 Page 69 of Second Edition, 2005-06-15)

Information Technology - Code of practice for information security management.

Defence Information System Agency(Section NET0400,NET0425 of Dec 2, 2005)

DISA Checklist, sometimes referred to as a lockdown guide, hardening guide, or benchmark configuration is essentially a document that contains instructions or procedures to verify compliance to a baseline level of security.

Department of Homeland Security (DHS) Compliance(Section 4.1, Page 19 of Version 2.0)

This document is being distributed to provide Department of Homeland Security (DHS) Cisco Router systems administrators with a clear, concise set of procedures that will ensure a minimum baseline of security when an existing Cisco Router is being installed or configured. All settings and parameters presented in this document are the baseline security which all Cisco Router systems must meet.

Center for Internet Security, Benchmark for Cisco IOS.(Section 2.3.2.2, Page: 44 of Version 2.2, Nov 2007)

CIS benchmark Cisco IOS, recommends the prudent level of minimum due care for operating system security. CIS benchmark IOS, contains some security configuration recommendations that affect functionality, and are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All IOS devices should implement these settings.

Rule 1

Rule

Check all participating interfaces use MD5 authentication [IOS]

Description

This rule checks to make sure that all the interfaces in all the EIGRP autonomous systems use MD5 authentication. Router neighbor authentication is a mechanism that, when applied correctly, can prevent many routing attacks. Each router accomplishes authentication by the possession of an authentication key. That is, routers connected to the same network segment all use a shared secret key. Each sending router then uses this key to 'sign' each route table update message. The receiving router checks the shared secret to determine whether the message should be accepted.

Applicable Platforms

Cisco IOS Devices With EIGRP Routing Capability

Impact

This router is vulnerable to various routing attacks by spoofing the route table update messages.

Suggested Fix

Configure EIGRP MD5 Authentication using the command

interface <interface name>   

ip authentication mode eigrp <autonomous system number> md5 !

Rule 2

Rule

Check interface state of EIGRP routing updates [IOS]

Description

This rule checks that all the given interfaces are blocked/allowed from participating in EIGRP routing updates. It goes through every network in every EIGRP autonomous system and gets a list of interfaces that belong to that network. It then checks whether the given interfaces belong to that list. If so, the interface is checked to see if it is a passive or active interface and compared against the given policy. The passive-interface command is used to prevent other routers on the network from learning about routes dynamically. It can also be used to keep any unnecessary parties from learning about the existence of certain routes or routing protocols used. It is typically used when the wildcard specification on the network router configuration command configures more interfaces than desirable.

Applicable Platforms

Cisco IOS Devices With EIGRP Routing Capability

Impact

This interface may receive and transmit in EIGRP routing updates, which means, unnecessary parties may learn about the existence of certain routes or routing protocols used. This also leads to higher chance of spoofed routing update attacks.

Suggested Fix

Configure the interface as a passive/active interface using the commands

router eigrp <autonomous system number>   

[no] passive-interface <interface name> !

Rule: Interface Group
Description: List of interface groups to apply this policy. Using Interface Group Editor option, you can add, remove or update Interface Group details. You can also change the order of the entries.
Constraints: Required: true

Rule: EIGRP State
Description: Desired EIGRP State of this interface. Using EIGRP State Editor option, you can add, remove or update EIGRP State details. You can also change the order of the entries.
Constraints: Required: true     Default: dontcare


Rule 3

Rule

Check that EIGRP incoming distribute-list is configured [IOS]

Description

This rule checks that ip distribute-list is configured for each EIGRP autonomous system for accepting route updates. Communications between routers for routing table updates involve routing protocols. These updates provide directions to a router on which way traffic should be routed. You can use access lists to restrict what routes the router will accept (in) or advertise (out) via some routing protocols. The distribute-list acl-num out command is used to restrict routes that get distributed in routing updates, while the distribute-list acl-num in command may be used to filter routes that will be accepted from incoming routing updates.

Applicable Platforms

Cisco IOS Devices With EIGRP Routing Capability

Impact

Router may accept route update messages from unintended entities.

Suggested Fix

Configure distribute-list for all EIGRP autonomous systems using the commands

router eigrp <autonomous system number>   

distribute-list <acl number> in !

Rule: ACL to be enforced
Description: Desired ACL to be enforced. Leave blank to enforce no particular ACL ID.
Constraints: Required: false


Rule 4

Rule

Check that EIGRP outgoing distribute-list is configured [IOS]

Description

This rule checks that ip distribute-list is configured for each EIGRP autonomous system for advertising route updates. Communications between routers for routing table updates involve routing protocols. These updates provide directions to a router on which way traffic should be routed. You can use access lists to restrict what routes the router will accept (in) or advertise (out) via some routing protocols. The distribute-list acl-num out command is used to restrict routes that get distributed in routing updates, while the distribute-list acl-num in command may be used to filter routes that will be accepted from incoming routing updates. 

Applicable Platforms

Cisco IOS Devices With EIGRP Routing Capability

Impact

Router may advertise route update messages to unintended entities.

Suggested Fix

Configure distribute-list for all EIGRP autonomous systems using the commands

router eigrp <autonomous system number>   

distribute-list <acl number> out !

Rule: ACL to be enforced
Description: Desired ACL to be enforced. Leave blank to enforce no particular ACL ID.
Constraints: Required: false



Note If you select a rule which checks for interface related configuration, compliance check will be done only for the interfaces which are administratively up and configured with an IP address.
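The EIGRP rules above (Rules 1 through 4) and the note just given combine three things a checker has to get right: which interfaces fall inside an autonomous system's network statements (classful when no wildcard is given, wildcard-masked otherwise), which of those interfaces count at all (only those that are administratively up and have an IP address, per the note), and whether each one carries MD5 authentication and the desired passive/active state. The Python below is an added example written for this page, not Cisco Prime LMS code; it parses a constructed running-config and applies all four rules with that interface filter. Interface names, addresses and the AS number are constructed.

```python
import ipaddress
import re

# Constructed sample running-config (not from the page). Gi0/1 is in EIGRP 100,
# MD5-authenticated and active; Gi0/2 is in it without MD5 and passive; Gi0/3 is
# shut down and so, per the note above, not checked; Gi0/4 lies outside 10.0.0.0/8.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
interface GigabitEthernet0/2
 ip address 10.1.2.1 255.255.255.0
!
interface GigabitEthernet0/3
 ip address 10.1.3.1 255.255.255.0
 shutdown
!
interface GigabitEthernet0/4
 ip address 192.0.2.1 255.255.255.0
!
router eigrp 100
 network 10.0.0.0 0.255.255.255
 passive-interface GigabitEthernet0/2
 distribute-list 10 in
!
"""


def blocks(config, prefix):
    """[(header, [body lines])] for every top-level block whose header starts with prefix."""
    pat = rf"^({re.escape(prefix)}[^\n]*)\n((?: [^\n]*\n)*)"
    return [(h, [l.strip() for l in b.splitlines()]) for h, b in re.findall(pat, config + "\n", re.M)]


def eigrp_network(addr, wildcard=None):
    """Prefix covered by an EIGRP 'network' line: classful when no wildcard is given,
    otherwise 32 minus the wildcard's set bits (a contiguous wildcard is assumed)."""
    if wildcard is None:
        first = int(ipaddress.IPv4Address(addr)) >> 24
        plen = 8 if first < 128 else 16 if first < 192 else 24
    else:
        plen = 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def active_interfaces(config):
    """name -> (IPv4 address, body lines) for interfaces that are up and addressed (the note above)."""
    out = {}
    for header, body in blocks(config, "interface "):
        addr = next((m.group(1) for l in body if (m := re.match(r"^ip address (\d+\.\d+\.\d+\.\d+) ", l))), None)
        if addr and "shutdown" not in body:
            out[header.split(" ", 1)[1]] = (ipaddress.IPv4Address(addr), body)
    return out


def audit_eigrp(config, passive_policy=None):
    """Rules 1 to 4 as (block header, interface or '-', finding) triples.
    passive_policy maps interface name -> desired passive state; unlisted = dontcare."""
    findings, ifaces = [], active_interfaces(config)
    for header, body in blocks(config, "router eigrp"):
        asn = header.split()[-1]
        nets = [eigrp_network(*l.split()[1:]) for l in body if l.startswith("network ")]
        passive = {l.split()[1] for l in body if l.startswith("passive-interface ")}
        for d in ("in", "out"):  # Rules 3 and 4
            if not any(re.match(rf"^distribute-list (?:prefix )?\S+ {d}\b", l) for l in body):
                findings.append((header, "-", f"no distribute-list {d}"))
        for name, (ip, ibody) in ifaces.items():
            if not any(ip in net for net in nets):
                continue  # interface is not part of this autonomous system
            if f"ip authentication mode eigrp {asn} md5" not in ibody:  # Rule 1
                findings.append((header, name, "no MD5 authentication"))
            want = (passive_policy or {}).get(name)
            if want is not None and (name in passive) != want:  # Rule 2
                findings.append((header, name, f"passive={name in passive}, policy wants {want}"))
    return findings


if __name__ == "__main__":
    for finding in audit_eigrp(SAMPLE_CONFIG, {"GigabitEthernet0/1": True}):
        print(finding)
```

With no passive policy the sample yields two findings (missing outbound distribute-list, Gi0/2 without MD5); asking for Gi0/1 to be passive adds a third, while a policy entry for the shut-down Gi0/3 produces nothing, which is the behaviour the note describes.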


OSPF

Description

OSPF Related policies

Applicable Platforms

Cisco IOS Devices With OSPF Capability

References

National Security Agency (NSA) Cisco Router Configuration Guide(Section 4.4.3 Page 106 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

Cisco SAFE Compliance(Appendix A, Page 39 of A Security Blueprint for Enterprise Networks)

SAFE: A Security Blueprint for Enterprise Networks

BS 7799, ISO/IEC 17799, ISO/IEC 27001(Section 11.4.7 Page 69 of Second Edition, 2005-06-15)

Information Technology - Code of practice for information security management.

Defence Information System Agency(Section NET0400 of Dec 2, 2005)

DISA Checklist, sometimes referred to as a lockdown guide, hardening guide, or benchmark configuration is essentially a document that contains instructions or procedures to verify compliance to a baseline level of security.

Department of Homeland Security (DHS) Compliance(Section 4.1, Page 19 of Version 2.0)

This document is being distributed to provide Department of Homeland Security (DHS) Cisco Router systems administrators with a clear, concise set of procedures that will ensure a minimum baseline of security when an existing Cisco Router is being installed or configured. All settings and parameters presented in this document are the baseline security which all Cisco Router systems must meet.

Center for Internet Security, Benchmark for Cisco IOS.(Section 2.3.2.3, Page: 44 of Version 2.2, Nov 2007)

CIS benchmark Cisco IOS, recommends the prudent level of minimum due care for operating system security. CIS benchmark IOS, contains some security configuration recommendations that affect functionality, and are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All IOS devices should implement these settings.

Rule 1

Rule

Check MD5 Authentication [IOS]

Description

This rule checks to make sure that all the areas defined in all the OSPF processes use MD5 authentication. Router neighbor authentication is a mechanism that, when applied correctly, can prevent many routing attacks. Each router accomplishes authentication by the possession of an authentication key. That is, routers connected to the same network segment all use a shared secret key. Each sending router then uses this key to 'sign' each route table update message. The receiving router checks the shared secret to determine whether the message should be accepted.

Applicable Platforms

Cisco IOS Devices With OSPF Capability

Impact

This router is vulnerable to various routing attacks by spoofing the route table update messages.

Suggested Fix

Configure OSPF MD5 Authentication using the command

router ospf <process ID>

area <Area ID> authentication message-digest

!

Rule 2

Rule

Check interface state of OSPF routing updates [IOS]

Description

This rule checks that all the given interfaces are blocked from or allowed to participate in OSPF routing updates. For every network statement in every OSPF process, it builds the list of interfaces that belong to that network and checks whether the given interfaces appear in that list. If so, each interface is checked for passive or active state and compared against the given policy. The passive-interface command prevents other routers on the network from learning about routes dynamically. It can also keep unnecessary parties from learning about the existence of certain routes or routing protocols in use. It is typically used when the wildcard specification on the network router configuration command covers more interfaces than desirable.

Applicable Platforms

Cisco IOS Devices With OSPF Capability

Impact

This interface may send and receive OSPF routing updates, so unnecessary parties may learn about the existence of certain routes or routing protocols in use. This also raises the chance of spoofed routing update attacks.

Suggested Fix

Configure the interface as a passive/active interface using the commands

router ospf <process ID>

[no] passive-interface <interface name>

!

Rule
Description
Constraints

Interface Group

List of interface groups to apply this policy

Using Interface Group Editor option, you can add, remove or update Interface Group details. You can also change the order of the server details

Required: true


Rule
Description
Constraints

OSPF State

Desired OSPF State of this interface

Using OSPF State Editor option, you can add, remove or update OSPF State details. You can also change the order of the server details

Required: true     Default: do not care


Rule 3

Rule

Check that OSPF incoming distribute-list is configured [IOS]

Description

This rule checks that ip distribute-list is configured for each OSPF process for accepting route updates. Communications between routers for routing table updates involve routing protocols. These updates provide directions to a router on which way traffic should be routed. You can use access lists to restrict what routes the router will accept (in) or advertise (out) via some routing protocols. The distribute-list acl-num out command is used to restrict routes that get distributed in routing updates, while the distribute-list acl-num in command may be used to filter routes that will be accepted from incoming routing updates.

Applicable Platforms

Cisco IOS Devices With OSPF Capability

Impact

Router may accept route update messages from unintended entities.

Suggested Fix

Configure distribute-list for all OSPF processes using the commands

router ospf <process ID>   

distribute-list <acl number> in

!

Rule
Description
Constraints

ACL to be enforced

Desired ACL to be enforced. Leave blank to enforce no particular ACL ID.

Required: false


Rule 4

Rule

Check that OSPF outgoing distribute-list is configured [IOS]

Description

This rule checks that ip distribute-list is configured for each OSPF process for advertising route updates. Communications between routers for routing table updates involve routing protocols. These updates provide directions to a router on which way traffic should be routed. You can use access lists to restrict what routes the router will accept (in) or advertise (out) via some routing protocols. The distribute-list acl-num out command is used to restrict routes that get distributed in routing updates, while the distribute-list acl-num in command may be used to filter routes that will be accepted from incoming routing updates.

Applicable Platforms

Cisco IOS Devices With OSPF Capability

Impact

Router may advertise route update messages to unintended entities.

Suggested Fix

Configure distribute-list for all OSPF processes using the commands

router ospf <process ID>   

distribute-list <acl number> out

Rule
Description
Constraints

ACL to be enforced

Desired ACL to be enforced. Leave blank to enforce no particular ACL ID

Required: false



Note If you select a rule which checks for interface related configuration, compliance check will be done only for the interfaces which are administratively up and configured with an IP address.


RIP

Description

Routing Information Protocol (RIP) Related policies

Applicable Platforms

Cisco IOS Devices With RIP Routing Capability

References

BS 7799, ISO/IEC 17799, ISO/IEC 27001(Section 11.4.7 Page 69 of Second Edition, 2005-06-15)

Information Technology - Code of practice for information security management.

National Security Agency (NSA) Cisco Router Configuration Guide(Section 4.4.3 Page 110, Section 4.4.4 Page 121 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

Defence Information System Agency(Section NET0425 of Dec 2, 2005)

DISA Checklist, sometimes referred to as a lockdown guide, hardening guide, or benchmark configuration is essentially a document that contains instructions or procedures to verify compliance to a baseline level of security.

Center for Internet Security, Benchmark for Cisco IOS.(Section 2.3.2.4, Page: 45 of Version 2.2, Nov 2007)

CIS benchmark Cisco IOS, recommends the prudent level of minimum due care for operating system security. CIS benchmark IOS, contains some security configuration recommendations that affect functionality, and are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All IOS devices should implement these settings.

Rule 1

Rule

Check State of RIP [IOS]

Description

This rule checks if RIP is enabled/disabled on the router based on the given policy.

Applicable Platforms

Cisco IOS Devices With RIP Routing Capability

Impact

None

Suggested Fix

Enable/Disable RIP using the commands

router rip   

network <ip address>

Rule
Description
Constraints

RIP State

Desired state of RIP.

Required: true     Default: true


Rule 2

Rule

Check global version of RIP [IOS]

Description

This rule checks that RIP is enabled with the correct version. Note that this rule does not check per-interface overrides of the RIP version. By default, the software receives RIP Version 1 and Version 2 packets, but sends only Version 1 packets. You can configure the software to receive and send only Version 1 packets, or to receive and send only Version 2 packets.

Applicable Platforms

Cisco IOS Devices With RIP Routing Capability

Impact

None

Suggested Fix

Configure required version of RIP using the commands

router rip   

version <RIP version>

Rule
Description
Constraints

RIP State

Desired version of RIP.

Required: true     Default: 2


Rule 3

Rule

Check all participating interfaces use MD5 Authentication [IOS]

Description

This rule checks that all interfaces that receive or transmit RIP information are configured with version 2 AND with MD5 authentication. Router neighbor authentication is a mechanism that, when applied correctly, can prevent many routing attacks. Each router accomplishes authentication by the possession of an authentication key. That is, routers connected to the same network segment all use a shared secret key. Each sending router then uses this key to 'sign' each route table update message. The receiving router checks the shared secret to determine whether the message should be accepted.

Applicable Platforms

Cisco IOS Devices With RIP Routing Capability

Impact

This router is vulnerable to various routing attacks by spoofing the route table update messages.

Suggested Fix

Configure the interface to use MD5 authentication for RIP communications using the commands

router rip   

version 2

interface <interface name >   

ip rip receive version 2   

ip rip send version 2   

ip rip authentication mode md5

Rule 4

Rule

Check that RIP incoming distribute-list is configured

Description

This rule checks that ip distribute-list is configured in RIP for accepting route updates. Communications between routers for routing table updates involve routing protocols. These updates provide directions to a router on which way traffic should be routed. You can use access lists to restrict what routes the router will accept (in) or advertise (out) via some routing protocols. The distribute-list acl-num out command is used to restrict routes that get distributed in routing updates, while the distribute-list acl-num in command may be used to filter routes that will be accepted from incoming routing updates.

Applicable Platforms

Cisco IOS Devices With RIP Routing Capability

Impact

Router may accept route update messages from unintended entities.

Suggested Fix

Configure distribute-list for RIP using the commands

router rip

distribute-list <acl number> in

Rule
Description
Constraints

ACL to be enforced

Desired ACL to be enforced. Leave blank to enforce no particular ACL ID

Required: false


Rule 5

Rule

Check that RIP outgoing distribute-list is configured

Description

This rule checks that ip distribute-list is configured in RIP for advertising route updates. Communications between routers for routing table updates involve routing protocols. These updates provide directions to a router on which way traffic should be routed. You can use access lists to restrict what routes the router will accept (in) or advertise (out) via some routing protocols. The distribute-list acl-num out command is used to restrict routes that get distributed in routing updates, while the distribute-list acl-num in command may be used to filter routes that will be accepted from incoming routing updates.

Applicable Platforms

Cisco IOS Devices With RIP Routing Capability

Impact

Router may advertise route update messages to unintended entities.

Suggested Fix

Configure distribute-list for RIP using the commands

router rip   

distribute-list <acl number> out

Rule
Description
Constraints

ACL to be enforced

Desired ACL to be enforced. Leave blank to enforce no particular ACL ID

Required: false


Rule 6

Rule

Check interface state of RIP routing updates [IOS]

Description

This rule checks that all the given interfaces are blocked from or allowed to participate in RIP routing updates. For every network statement in the RIP process, it builds the list of interfaces that belong to that network and checks whether the given interfaces appear in that list. If so, each interface is checked for passive or active state and compared against the given policy. The passive-interface command prevents other routers on the network from learning about routes dynamically. It can also keep unnecessary parties from learning about the existence of certain routes or routing protocols in use. It is typically used when the wildcard specification on the network router configuration command covers more interfaces than desirable.

Applicable Platforms

Cisco IOS Devices With RIP Routing Capability

Impact

This interface may send and receive RIP routing updates, so unnecessary parties may learn about the existence of certain routes or routing protocols in use. This also raises the chance of spoofed routing update attacks.

Suggested Fix

Configure the interface as a passive/active interface using the commands

router rip

[no] passive-interface <interface name>

Rule
Description
Constraints

Interface Group

List of interface groups to apply this policy.

Using Interface Group Editor option, you can add, remove or update Interface Group details. You can also change the order of the server details

Required: true


Rule
Description
Constraints

RIP State

Desired RIP state of this interface.

Using RIP State Editor option, you can add, remove or update RIP State details. You can also change the order of the server details

Required: true



Note If you select a rule which checks for interface related configuration, compliance check will be done only for the interfaces which are administratively up and configured with an IP address.
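The EIGRP, OSPF and RIP rules above all reduce to the same kind of check: split a running-config into its routing-process and interface stanzas and compare what is configured with the policy. The following Python script is an added example written for this page; it is not code from Cisco Prime LAN Management Solution, and its sample configuration is constructed. It implements the distribute-list rules (in and out, for all three protocols), OSPF Rule 1 (MD5 authentication per area), the passive-interface rules (OSPF Rule 2 and RIP Rule 6, including the passive-interface default case) and RIP Rule 3 (per-interface MD5 and version 2, honouring the global version 2 setting). The classful matching used to decide which interfaces carry RIP is an assumption of this example.

```python
import re

# Constructed sample IOS running-config (made up for this example, not from any device).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip rip authentication mode md5
 ip rip send version 2
 ip rip receive version 2
interface FastEthernet0/1
 ip address 10.0.1.1 255.255.255.0
router ospf 10
 area 0 authentication message-digest
 passive-interface FastEthernet0/1
 network 10.0.0.0 0.0.1.255 area 0
 distribute-list 20 in
router ospf 20
 network 192.168.0.0 0.0.0.255 area 1
router rip
 version 2
 network 10.0.0.0
 distribute-list 30 out
router eigrp 100
 network 10.0.0.0
"""


def stanzas(config):
    """Group an IOS config into {top-level command: [its indented child lines]}."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None
        elif line[0] != " ":
            current = line.strip()
            out.setdefault(current, [])  # register the header even when childless
        elif current is not None:
            out[current].append(line.strip())
    return out


def missing_distribute_lists(cfg, direction):
    """Distribute-list rules: EIGRP/OSPF/RIP processes with no 'distribute-list <acl> <direction>'."""
    return sorted(h for h, body in cfg.items()
                  if re.match(r"router (eigrp|ospf|rip)\b", h)
                  and not any(re.match(rf"distribute-list \S+ {direction}\b", l) for l in body))


def ospf_areas_without_md5(cfg):
    """OSPF Rule 1: (process, area) pairs with no 'area <id> authentication message-digest'."""
    found = []
    for h, body in cfg.items():
        if not h.startswith("router ospf"):
            continue
        areas = {m.group(1) for l in body if (m := re.match(r"network \S+ \S+ area (\S+)", l))}
        md5 = {m.group(1) for l in body if (m := re.match(r"area (\S+) authentication message-digest", l))}
        found += [(h, a) for a in sorted(areas - md5)]
    return found


def interface_is_passive(cfg, protocol, interface):
    """OSPF Rule 2 / RIP Rule 6: effective passive state under 'router <protocol>',
    honouring 'passive-interface default'; None when no such process exists."""
    header = next((h for h in cfg if h.startswith(f"router {protocol}")), None)
    if header is None:
        return None
    body = cfg[header]
    if f"passive-interface {interface}" in body:
        return True
    if f"no passive-interface {interface}" in body:
        return False
    return "passive-interface default" in body


def classful_match(addr, network):
    """Classful containment test (assumption: how a 'router rip' network statement matches)."""
    first = int(network.split(".")[0])
    octets = 1 if first < 128 else 2 if first < 192 else 3
    return addr.split(".")[:octets] == network.split(".")[:octets]


def rip_interfaces_without_md5(cfg):
    """RIP Rule 3: RIP interfaces lacking MD5 auth or not sending/receiving only version 2."""
    rip = cfg.get("router rip", [])
    nets = [l.split()[1] for l in rip if l.startswith("network ")]
    global_v2 = "version 2" in rip
    failing = []
    for h, body in cfg.items():
        if not h.startswith("interface "):
            continue
        addr = next((l.split()[2] for l in body if l.startswith("ip address ")), None)
        if addr is None or not any(classful_match(addr, n) for n in nets):
            continue  # interface does not participate in RIP
        v2 = all(f"ip rip {d} version 2" in body
                 or (global_v2 and not any(l.startswith(f"ip rip {d} version") for l in body))
                 for d in ("send", "receive"))
        if not (v2 and "ip rip authentication mode md5" in body):
            failing.append(h.split()[1])
    return failing
```

Call `stanzas(SAMPLE_CONFIG)` once and pass the result to each check. Against the sample, `missing_distribute_lists(cfg, "in")` reports the EIGRP process, OSPF process 20 and RIP; `ospf_areas_without_md5(cfg)` reports area 1 of process 20; and `rip_interfaces_without_md5(cfg)` reports FastEthernet0/1, which carries RIP (it falls inside 10.0.0.0) but has no MD5 authentication.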


ACLs

Description

Policies related to Access Control List Configurations.

Applicable Platforms

Cisco IOS Devices

Cisco IOS Devices With RECEIVE_ACL Capability

Cisco IOS Devices With TURBO_ACL Capability

References

National Security Agency (NSA) Cisco Router Configuration Guide(Section 4.3.3 Page 90, Section 4.3.5, Page 95 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

Rule 1

Rule

Check if all ACLs have established keywords [IOS]

Description

This rule checks that every extended ACL applied to an interface has at least one access entry that permits TCP traffic with the 'established' (ACK or RST) flag set. Such an entry helps block packets from an external network that have only the SYN flag set: traffic belonging to TCP connections established from the internal network is allowed, while hosts on external networks are denied from starting any TCP connection. This is one way to mitigate a TCP SYN attack, which transmits a volume of connection requests that cannot be completed at the destination; the attack fills the connection queues, thereby denying service to legitimate TCP users.

Applicable Platforms

Cisco IOS Devices

Impact

This device may be vulnerable to TCP SYN attack originated from external network devices.

Suggested Fix

Modify the ACL by adding the 'established' TCP flag to the permitted traffic in the access-list commands

access-list <number/name> <deny/permit> tcp <source> <destination> established

Rule 2

Rule

Check if Turbo ACLs are used [IOS]

Description

This rule checks if Turbo ACL feature is enabled on the device. The Turbo ACL feature compiles the ACLs into a set of lookup tables, while maintaining the first match requirements. Packet headers are used to access these tables in a small, fixed number of lookups, independently of the existing number of ACL entries. 

Applicable Platforms

Cisco IOS Devices With TURBO_ACL Capability

Impact

Device performance can be improved by making use of this Turbo ACL feature

Suggested Fix

Enable the Turbo ACL feature using the command

access-list compiled

Rule 3

Rule

ACL logging should not be turned on [IOS]

Description

ACL logging should not be turned on.

Applicable Platforms

Cisco IOS Devices

Impact

Turning on ACL logging can severely impact the system performance.

Suggested Fix

Do not turn on ACL logging in the access-list commands

ip access-list ... [log]

Rule 4

Rule

Check for Receive ACL [IOS]

Description

IP Receive ACL can be used to restrict traffic that is destined to the router

Applicable Platforms

Cisco IOS Devices With RECEIVE_ACL Capability

Impact

No known impact.

Suggested Fix

Configure a receive ACL using the command:

ip receive access-list

Rule
Description
Constraints

Receive ACL ID

Receive ACL ID. Valid values are 1-199 [IP access list (standard or extended)] or 1300-2699 [IP expanded access list (standard or extended)].

Required: true     Min Value: -2147483648     Max Value: 2147483647


Rule 5

Rule

Receive ACL should not have entries with "any" source address [IOS]

Description

IP Receive ACL can be used to restrict traffic that is destined to the router.

Applicable Platforms

Cisco IOS Devices With RECEIVE_ACL Capability

Impact

If any ACL entry has 'any' as its source address, the device accepts traffic from all sources, defeating the purpose of having a receive ACL.

Suggested Fix

Configure a receive ACL using ip receive access-list and make sure that none of the ACL entries has 'any' as the source address.

ip receive access-list <ACL>
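The five ACL rules above can be evaluated directly from a running-config. The Python script below is an added example written for this page, not code from Cisco Prime LAN Management Solution, and its config fragment is constructed. It collects numbered and named ACL entries, works out which ACLs are bound to interfaces with ip access-group, and then applies Rule 1 (extended ACLs on interfaces need a permit tcp ... established entry), Rule 2 (access-list compiled), Rule 3 (no log or log-input keywords) and Rules 4 and 5 (a receive ACL exists and none of its entries has 'any' as source). The helper source_of assumes the usual layout of an access-list entry (permit or deny, optional protocol, then the source).

```python
import re

# Constructed sample IOS config fragment (made up for this example, not from any device).
SAMPLE_CONFIG = """\
access-list compiled
access-list 110 permit tcp any 10.0.0.0 0.0.0.255 established
access-list 110 deny ip any any log
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
access-list 150 permit tcp 10.1.1.0 0.0.0.255 any
access-list 150 permit udp any any eq 161
ip access-list extended OUTSIDE-IN
 permit tcp any host 10.0.0.5 eq 443
 deny ip any any
ip receive access-list 150
interface FastEthernet0/0
 ip access-group 110 in
interface FastEthernet0/1
 ip access-group OUTSIDE-IN in
 ip access-group 120 out
"""


def parse_acls(config):
    """Collect ACL entries by id: {'110': ['permit tcp ... established', ...]}.
    Returns (entries, extended), where `extended` holds the ids of extended ACLs
    (numbered 100-199 / 2000-2699, or 'ip access-list extended <name>')."""
    entries, extended, current = {}, set(), None
    for line in config.splitlines():
        if m := re.match(r"access-list (\d+) (.*)", line):
            num = int(m.group(1))
            entries.setdefault(m.group(1), []).append(m.group(2))
            if 100 <= num <= 199 or 2000 <= num <= 2699:
                extended.add(m.group(1))
            current = None
        elif m := re.match(r"ip access-list (standard|extended) (\S+)", line):
            current = m.group(2)
            entries.setdefault(current, [])
            if m.group(1) == "extended":
                extended.add(current)
        elif line.startswith(" ") and current is not None:
            entries[current].append(line.strip())
        else:
            current = None  # any other global line ends a named ACL
    return entries, extended


def applied_acls(config):
    """ACL ids bound to an interface with 'ip access-group <acl> in|out'."""
    return set(re.findall(r"^\s*ip access-group (\S+) (?:in|out)\b", config, re.M))


def extended_acls_without_established(config):
    """ACL Rule 1: extended ACLs applied to an interface that have no entry
    permitting TCP traffic with the 'established' keyword."""
    entries, extended = parse_acls(config)
    return sorted(acl for acl in applied_acls(config) & extended
                  if not any(e.startswith("permit tcp") and " established" in e
                             for e in entries.get(acl, [])))


def turbo_acl_enabled(config):
    """ACL Rule 2: the global 'access-list compiled' command is present."""
    return re.search(r"^access-list compiled\s*$", config, re.M) is not None


def acl_entries_with_logging(config):
    """ACL Rule 3: (acl, entry) pairs that use 'log' or 'log-input'."""
    entries, _ = parse_acls(config)
    return [(acl, e) for acl, es in entries.items() for e in es
            if re.search(r"\blog(-input)?$", e)]


def source_of(entry):
    """Source field of an entry: after the protocol in an extended entry, right after
    permit/deny in a standard one. None for remarks and other non-entry lines."""
    t = entry.split()
    if t[0] not in ("permit", "deny"):
        return None
    return t[2] if t[1] in ("ip", "tcp", "udp", "icmp") or t[1].isdigit() else t[1]


def receive_acl_any_sources(config):
    """ACL Rules 4/5: (receive ACL id or None, its entries whose source is 'any')."""
    m = re.search(r"^ip receive access-list (\S+)", config, re.M)
    if not m:
        return None, []
    entries, _ = parse_acls(config)
    bad = [e for e in entries.get(m.group(1), []) if source_of(e) == "any"]
    return m.group(1), bad


if __name__ == "__main__":
    print("Rule 1 violations:", extended_acls_without_established(SAMPLE_CONFIG))
    print("Rule 3 violations:", acl_entries_with_logging(SAMPLE_CONFIG))
    print("Rules 4/5:", receive_acl_any_sources(SAMPLE_CONFIG))
```

Against the sample, ACL 120 and OUTSIDE-IN fail Rule 1 (110 passes because of its established entry), the deny entry of ACL 110 fails Rule 3, and the receive ACL 150 is flagged for its permit udp any any entry.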

CDP

Description

Cisco Discovery Protocol (CDP) is primarily used to obtain protocol addresses of neighboring devices and discover the platform of those devices. CDP can also be used to show information about the interfaces your router uses. CDP is media and protocol-independent, and runs on all Cisco-manufactured equipment including routers, bridges, access servers, and switches.

Applicable Platforms

Cisco IOS Devices

References

National Security Agency (NSA) Cisco Router Configuration Guide(Section 8.1(1) Page 274, 4.2.1 Page 70,72 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

Cisco SAFE Compliance(1.1b)

SAFE: A Security Blueprint for Enterprise Networks

National Security Agency (NSA) Cisco Switch Configuration Guide(Section 6.2.2, Page 18 of Version 1.0)

The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.

Department of Homeland Security (DHS) Compliance(section 4.2, Page 22 of Version 2.0)

This document is being distributed to provide Department of Homeland Security (DHS) Cisco Router systems administrators with a clear, concise set of procedures that will ensure a minimum baseline of security when an existing Cisco Router is being installed or configured. All settings and parameters presented in this document are the baseline security which all Cisco Router systems must meet.

Center for Internet Security, Benchmark for Cisco IOS.(Section 1.2.2.1, Page: 22 of Version 2.2, Nov 2007)

CIS benchmark Cisco IOS, recommends the prudent level of minimum due care for operating system security. CIS benchmark IOS, contains some security configuration recommendations that affect functionality, and are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All IOS devices should implement these settings.

Rule 1

Rule

Check for CDP protocol state [IOS]

Description

The Cisco Discovery Protocol is a proprietary protocol that Cisco devices use to identify each other on a LAN segment. It is primarily used to obtain protocol addresses of neighboring devices and discover the platform of those devices. CDP can also be used to show information about the interfaces your router uses. CDP is media and protocol-independent, and runs on all Cisco-manufactured equipment including routers, bridges, access servers, and switches.

Applicable Platforms

Cisco IOS Devices

Impact

CDP is useful only in specialized situations, and is considered deleterious to security.

Suggested Fix

To turn off CDP entirely, use the global configuration command no cdp run. In the unlikely event that CDP is needed for part of a network, it can be enabled and disabled for each interface. To enable CDP use the cdp run command in global configuration mode, and then disable it on each interface where it is not needed using the no cdp enable command in interface configuration mode. To enable/disable CDP globally, use the command: [no] cdp run

Rule
Description
Constraints

State

CDP protocol state on the device

Required: true     Default: false


Rule 2

Rule


Check for CDP protocol state on the interface [IOS]

Description

The Cisco Discovery Protocol is a proprietary protocol that Cisco devices use to identify each other on a LAN segment. It is primarily used to obtain protocol addresses of neighboring devices and discover the platform of those devices. CDP can also be used to show information about the interfaces your router uses. CDP is media and protocol-independent, and runs on all Cisco-manufactured equipment including routers, bridges, access servers, and switches.

Applicable Platforms

Cisco IOS Devices

Impact

CDP is useful only in specialized situations, and is considered deleterious to security.

Suggested Fix

To turn off CDP entirely, use the global configuration command no cdp run. In the unlikely event that CDP is needed for part of a network, it can be enabled and disabled for each interface. To enable CDP use the cdp run command in global configuration mode, and then disable it on each interface where it is not needed using the command:

interface <interface name>  

[no] cdp enable

Rule
Description
Constraints

Interface State

CDP protocol state on the selected interfaces

Required: true     Default: false


Rule
Description
Constraints

Interfaces

List of interfaces or interface groups that should carry management traffic. Example valid Values: 'Any', 'AnyEthernet', 'FastEthernet', 'GigabitEthernet', 'FastEthernet0/1', 'FastEthernet0/.*' etc.

Required: true     Default: [Any]



Note If you select a rule which checks for interface related configuration, compliance check will be done only for the interfaces which are administratively up and configured with an IP address.


Clock

Description

Clock and time zone related policies.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

References

Cisco SAFE Compliance(Clock of none)

SAFE: A Security Blueprint for Enterprise Networks

National Security Agency (NSA) Cisco Switch Configuration Guide(Section 12.2, Page 47 of Version 1.0)

The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.

Cisco SAFE Compliance(1.1b)

SAFE: A Security Blueprint for Enterprise Networks

Rule 1

Rule

Summer time should not be configured [IOS,PIX, ASA]

Description

Check that summer time clock is not configured

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

Log files time-stamped with different time zones are difficult to correlate. This difficulty increases if the time stamps of individual logs need to be adjusted for summer time clock settings. These time-stamp adjustments can lead to errors when you correlate logs for several devices during root cause analysis in case of an attack on the network. If you are not using the local time zone on a device (that is, you are using UTC time zone across your network), do not use the summer time clock.

Suggested Fix

Disable summer time using the command

no clock summer-time

Rule 2

Rule

Check the configured Summer time [IOS,PIX, ASA]

Description

Check that the user defined summer time clock is configured.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

If you use local time zones, you should also configure the clock for summer time settings so that you can more easily compare log file entries with your current time.

Suggested Fix

Configure time zone and summer time mode setting using the command clock summer-time

Rule
Description
Constraints

Time Zone Name

The name of the time zone (for example, PDT for Pacific Daylight Time) to be displayed when summer time is in effect.

Required: false


Rule
Description
Constraints

Mode

Whether the change to summer time is defined by a recurring rule that applies each year (Recurring), or by specific dates just for a single year (By Date).

Required: false


Rule 3

Rule

Check the configured time zone [IOS,PIX, ASA]

Description

Check that the device is configured to use the required time zone for the clock.

Applicable Platforms

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

Log files time-stamped with different time zones are difficult to correlate. This difficulty increases if the time stamps of individual logs need to be adjusted for different time zone settings. These time-stamp adjustments can lead to errors when you correlate logs for several devices during root cause analysis in case of an attack on the network. If you manage devices in more than one time zone, consider using a single time zone for the clock.

Suggested Fix

Configure timezone using the command

clock timezone

Rule
Description
Constraints

Time Zone Name

The name of the time zone. The default is UTC

Required: false


Rule
Description
Constraints

Offset, in hours, from UTC

The offset, in hours, from UTC. The default is 0

Required: false     Min Value: -23     Max Value: 23


Rule
Description
Constraints

Offset, in minutes

Offset, in minutes. The default is 0.

Required: false     Min Value: 0     Max Value: 59


Miscellaneous Services On Firewalls

Description

Miscellaneous policies specific to Firewall devices.

Applicable Platforms

Cisco PIX Devices Running >= 7.x and ASA device

References

Cisco SAFE Compliance

SAFE: A Security Blueprint for Enterprise Networks

Center for Internet Security, Benchmark for Cisco PIX/ASA.(Section 1.2.2.1, Page: 19; Section 1.3.1.3, Section 1.3.1.4, Page: 27 ; Section 1.3.1.7, Page: 29; Section 1.3.3.1, Page: 33 of Version 2.0, Nov 2007)

CIS PIX/ASA benchmark recommends the prudent level of minimum due care for operating system security. CIS PIX/ASA benchmark contains some security configuration recommendations that affect functionality, and are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All PIX devices should implement these settings.

Rule 1

Rule

Check that DHCP server is not configured [PIX, ASA]

Description

The Dynamic Host Configuration Protocol (DHCP) server supplies automatic configuration parameters to Internet hosts.

Applicable Platforms

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

DHCP provides a service that can be used for denial-of-service (DoS) attacks.

Suggested Fix

Use a dedicated server to provide DHCP services instead of the firewall. Disable the DHCP server using the command:

no dhcpd enable <interface>

Rule 2

Rule

Check maximum NAT translation timeout [PIX, ASA]

Description

Check that the specified address translation slot timeout value is configured on the device.

Applicable Platforms

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

Cisco PIX Devices Running >= 7.x and ASA devices

Suggested Fix

Configure the NAT Translation Slot Timeout with the desired value using the command:

timeout xlate

Rule
Description
Constraints

Translation Slot Timeout (minutes)

The length of time used to identify the translation slot as idle.

Required: true     Default: 180     Min Value: 1     Max Value: 71580


Rule 3

Rule

Check maximum allowed packet fragments [PIX, ASA]

Description

By default, the PIX Firewall accepts up to 24 fragments to reconstruct a full IP packet. Based on your network security policy, consider configuring the PIX Firewall to prevent fragmented packets from traversing the firewall.

Applicable Platforms

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

Fragmented packets are often used in denial-of-service attacks.

Suggested Fix

Configure fragment chain command on each interface to allow desired number of packet fragments. Select a value of 1 to prevent receiving packet fragments.

fragment chain 1 <interface name>

Rule
Description
Constraints

Max Packet Fragments Allowed

Maximum number of packet fragments allowed on an interface. A value of 1 indicates that fragments are not allowed.

  Required: true     Default: 1     Min Value: 1     Max Value: 2147483647


Rule 4

Rule

Check that Unicast Reverse Path Forwarding (RPF) is enabled on interfaces [PIX, ASA]

Description

Check that unicast reverse path forwarding (RPF) is enabled on interfaces.

Applicable Platforms

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

Many network attacks rely on an attacker falsifying (spoofing) the source addresses of IP datagrams. Some attacks depend on spoofing, while other attacks are much harder to trace if the attacker can use somebody else's address. Therefore, you should prevent spoofing wherever feasible.

Suggested Fix

Configure RPF check on the interfaces using command:

ip verify reverse-path interface <interface name>

Rule 5

Rule

Check maximum timeout for idle session [PIX, ASA]

Description

Check that the specified timeout for idle sessions is configured on the device.

Applicable Platforms

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

This timeout command sets the idle time for connection slots. If a slot has not been used for the specified idle time, the resource is returned to the free pool. This reduces the risk of someone accessing an already established but idle connection.

Suggested Fix

Configure the Idle Session Timeout with the desired value using the command:

timeout conn <hh:mm:ss>

Rule: Idle Session Timeout (minutes)
Description: The length of time used to identify the session as idle.
Constraints: Required: true; Default: 60; Min Value: 1; Max Value: 71580
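The five checks above can be run offline against a saved ASA running-config. The following is an added example written for this page in Python; it is not code from Cisco Prime LMS. It assumes ASA syntax (nameif, dhcpd enable, timeout xlate and timeout conn in hh:mm:ss, fragment chain, ip verify reverse-path interface) and the policy defaults shown in the constraints (180 minutes, 1 fragment, 60 minutes). Both configurations are constructed: one violates every rule, the other satisfies them. A timeout of 0:00:00, which on the ASA conn timer means "never time out", is treated as failing any maximum.

```python
"""Checks for the five CIS PIX/ASA rules (DHCP server, xlate timeout,
fragment chain, uRPF, conn timeout) over a saved ASA running-config.
Added example; ASA syntax assumed, configs constructed."""
import re

# Constructed sample: violates all five rules.
WEAK_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
dhcpd address 10.0.0.10-10.0.0.100 inside
dhcpd enable inside
timeout xlate 4:00:00
timeout conn 2:00:00 half-closed 0:10:00 udp 0:02:00
fragment chain 24 outside
"""

# Constructed sample: DHCP off, timeouts within policy, no fragments, uRPF on every interface.
HARDENED_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
timeout xlate 1:00:00
timeout conn 0:30:00 half-closed 0:10:00 udp 0:02:00
fragment chain 1 outside
fragment chain 1 inside
ip verify reverse-path interface outside
ip verify reverse-path interface inside
"""

ASA_DEFAULT_XLATE = 3 * 3600   # 3:00:00 when no 'timeout xlate' line is present
ASA_DEFAULT_CONN = 3600        # 1:00:00 when no 'timeout conn' line is present
ASA_DEFAULT_FRAGMENTS = 24     # per Rule 3 above


def nameifs(cfg):
    """Logical interface names (nameif); the per-interface commands key on these."""
    return re.findall(r"^\s*nameif\s+(\S+)", cfg, re.M)


def timeout_seconds(hms):
    """Convert an ASA hh:mm:ss timeout to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def _timeout(cfg, keyword, default):
    m = re.search(rf"^timeout {keyword} (\d+:\d+:\d+)", cfg, re.M)
    return timeout_seconds(m.group(1)) if m else default


def _within(seconds, max_minutes):
    # 0:00:00 disables the timer entirely, so it can never satisfy a maximum.
    return 0 < seconds <= max_minutes * 60


def check_asa(cfg, max_xlate_min=180, max_conn_min=60, max_fragments=1):
    """Return {rule: passed} for the five rules, using the policy defaults above."""
    ifaces = nameifs(cfg)
    chains = {iface: int(n) for n, iface in re.findall(r"^fragment chain (\d+)\s+(\S+)", cfg, re.M)}
    urpf = set(re.findall(r"^ip verify reverse-path interface (\S+)", cfg, re.M))
    return {
        "dhcp_server_disabled": re.search(r"^dhcpd enable\s+\S+", cfg, re.M) is None,        # Rule 1
        "xlate_timeout_ok": _within(_timeout(cfg, "xlate", ASA_DEFAULT_XLATE), max_xlate_min),  # Rule 2
        "fragments_ok": all(chains.get(i, ASA_DEFAULT_FRAGMENTS) <= max_fragments for i in ifaces),  # Rule 3
        "urpf_ok": all(i in urpf for i in ifaces),                                          # Rule 4
        "conn_timeout_ok": _within(_timeout(cfg, "conn", ASA_DEFAULT_CONN), max_conn_min),   # Rule 5
    }


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_asa(cfg))
```

Interfaces that never received a fragment chain or reverse-path line are evaluated against the ASA defaults rather than skipped, which is the failure mode a configuration diff alone would miss.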


NTP Configuration

Description

The Network Time Protocol (NTP) is a protocol designed to time-synchronize a network of machines. NTP is designed to make time synchronization automatic and efficient across all devices in the network. Having accurate time is important for security, especially for intrusion and forensic analysis.

Applicable Platforms

Cisco IOS Devices With SNTP Capability

Cisco IOS Devices With NTP_CLIENT Capability

Cisco IOS Devices With NTP_SERVER Capability

Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices

References

Payment Card Industry Data Security Standard (PCI) (Section 10.4 of Version 1.1, September 2006)

The Payment Card Industry (PCI) Data Security Standard resulted from a collaboration between Visa and MasterCard to create common industry security requirements. Other card companies operating in the U.S. have also endorsed the Standard within their respective programs. PCI Data Security requirements apply to all members, merchants and service providers that store, process or transmit cardholder data.

National Security Agency (NSA) Cisco Router Configuration Guide (Section 4.2.1, Page 71 and Section 4.5.2, Page 149 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

BS 7799, ISO/IEC 17799, ISO/IEC 27001 (Sections 10.6 and 11 of Second Edition, 2005-06-15)

Information Technology - Code of practice for information security management.

National Security Agency (NSA) Cisco Switch Configuration Guide (Section 12.2, Page 46 of Version 1.0)

The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.

Cisco SAFE Compliance (1.1b)

SAFE: A Security Blueprint for Enterprise Networks

Defense Information Systems Agency (DISA) (Section NET0810 of Dec 2, 2005)

DISA Checklist, sometimes referred to as a lockdown guide, hardening guide, or benchmark configuration is essentially a document that contains instructions or procedures to verify compliance to a baseline level of security.

Department of Homeland Security (DHS) Compliance (Section 3.2, Page 16 of Version 2.0)

This document is being distributed to provide Department of Homeland Security (DHS) Cisco Router systems administrators with a clear, concise set of procedures that will ensure a minimum baseline of security when an existing Cisco Router is being installed or configured. All settings and parameters presented in this document are the baseline security which all Cisco Router systems must meet.

Center for Internet Security, Benchmark for Cisco IOS (Section 1.2.4, Page 31 of Version 2.2, Nov 2007)

The CIS benchmark for Cisco IOS recommends the prudent level of minimum due care for operating system security. It contains some security configuration recommendations that affect functionality, and these are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All IOS devices should implement these settings.

Rule 1

Rule

Check device state as NTP server [IOS]

Description

All devices in the network should be configured to synchronize their times with an authoritative NTP Server. It is recommended that the border router be configured to synchronize time from at least two reliable NTP servers and all the devices in the protected network can be configured as clients to this border router.

Applicable Platforms

Cisco IOS Devices With NTP_SERVER Capability

Impact

Unless all the devices are properly configured to synchronize the time, the event logs coming from different devices would have different time stamps. This makes it very hard to analyze the logs in terms of intrusion detection and forensics.

Suggested Fix

Configure ntp server using the command

[no] ntp master

Rule: NTP server
Description: Desired state of the NTP server configuration
Constraints: Required: true; Default: false


Rule 2

Rule

Check device state as NTP/SNTP Client [IOS]

Description

All devices in the network should be configured to synchronize their times with an authoritative NTP Server. It is recommended that the border router be configured to synchronize time from at least two reliable NTP servers and all the devices in the protected network can be configured as clients to this border router.

Applicable Platforms

Cisco IOS Devices With NTP_CLIENT Capability

Cisco IOS Devices With SNTP Capability

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

Unless all the devices are properly configured to synchronize the time, the event logs coming from different devices would have different time stamps. This makes it very hard to analyze the logs in terms of intrusion detection and forensics.

Suggested Fix

Configure ntp client using the commands

[no] ntp server <ip-address>

Rule: NTP Client
Description: Desired state of the NTP client configuration
Constraints: Required: true; Default: true


Rule 3

Rule

Check to allow NTP only from these interfaces [IOS]

Description

This rule checks whether all the interfaces that should not participate in NTP communications are blocked from receiving any NTP packets. Note that it does not check whether the given interfaces are enabled or disabled for NTP; it only makes sure that all other interfaces are blocked.

Applicable Platforms

Cisco IOS Devices With NTP_CLIENT Capability

Impact

Interfaces that do not need NTP will participate in NTP communications and act as NTP servers.

Suggested Fix

Disable NTP on the interface using the commands:

interface <interface name>
 ntp disable

Rule: Interface Groups
Description: Desired list of interfaces; the check makes sure all other interfaces are blocked from using NTP. (An empty list means all interfaces should be blocked from using NTP.) Using the Interface Groups Editor option, you can add or remove Interface Group details. You can also change the order of the interface group details.
Constraints: Required: false


Rule 4

Rule

Check if NTP servers are configured [IOS, PIX, ASA]

Description

All devices in the network should be configured to synchronize their times with an authoritative NTP Server. It is recommended that the border router be configured to synchronize time from at least two reliable NTP servers and all the devices in the protected network can be configured as clients to this border router.

Applicable Platforms

Cisco IOS Devices With NTP_CLIENT Capability

Cisco IOS Devices With SNTP Capability

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

Unless all the devices are properly configured to synchronize the time, event logs coming from different devices would have different time stamps. This makes it very hard to analyze the logs in terms of intrusion detection and forensics.

Suggested Fix

Configure the device to synchronize its clock from the desired NTP servers using the command:

ntp server <ip-address>

Rule: Servers
Description: IP address(es) of the desired NTP server(s). Using the Servers Editor option, you can add, remove or update server details. You can also change the order of the server details.
Constraints: Required: true


Rule 5

Rule

Check if the configured number of NTP servers is at least the given minimum [IOS, PIX, ASA]

Description

All devices in the network should be configured to synchronize their times with an authoritative NTP Server. It is recommended that the border router be configured to synchronize time from at least two reliable NTP servers and all the devices in the protected network can be configured as clients to this border router.

Applicable Platforms

Cisco IOS Devices With NTP_CLIENT Capability

Cisco IOS Devices With SNTP Capability

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

Unless all the devices are properly configured to synchronize the time, event logs coming from different devices would have different time stamps. This makes it very hard to analyze the logs in terms of intrusion detection and forensics.

Suggested Fix

Configure the device to synchronize its clock from the desired NTP servers using the command:

ntp server <ip-address>

Rule: Minimum number of NTP servers
Description: Minimum number of NTP servers that must be configured.
Constraints: Required: true; Min Value: 1; Max Value: 2147483647


Rule 6

Rule

Make sure NTP packets are authenticated [IOS, PIX, ASA]

Description

Whenever possible, the device should be configured to authenticate NTP packets.

Applicable Platforms

Cisco IOS Devices With NTP_CLIENT Capability

Cisco PIX Devices Running >= 7.x and ASA devices

Impact

NTP packets are not authenticated, so any host that can reach the device can pose as a time source and shift its clock, which in turn corrupts log time stamps and time-based credentials.

Suggested Fix

Configure the device to authenticate NTP packets using the command:

ntp authenticate

Rule 7

Rule

Check NTP Server Access is restricted [IOS, PIX, ASA]

Description

Make sure that NTP server access is controlled.

Applicable Platforms

Cisco IOS Devices With NTP_SERVER Capability

Impact

NTP access is not controlled, so any host that can reach the device may query it or attempt to synchronize with it.

Suggested Fix

Configure the device to control NTP access using the command:

ntp access-group {peer | serve | serve-only | query-only} <acl-number>
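Rules 1 and 4 to 7 above can be checked together over a saved IOS running-config. The following is an added example in Python, not Cisco Prime LMS code, over two constructed snippets. It goes one step beyond what Rule 6 states: besides ntp authenticate, it requires that the key referenced by every ntp server line is defined with ntp authentication-key and listed under ntp trusted-key, because ntp authenticate on its own authenticates nothing. The key string in the hardened snippet is a placeholder, not a real key.

```python
"""NTP checks (master state, configured servers, minimum count, authentication,
access restriction) over a saved IOS running-config. Added example; input constructed."""
import re

# Constructed: one unauthenticated server, device also acting as NTP master, no ACL.
WEAK_NTP = """\
ntp server 192.0.2.10
ntp master 3
"""

# Constructed: two keyed servers, key defined and trusted, peer/serve access restricted.
# PLACEHOLDERKEY stands in for the key material; it is not a real key.
HARDENED_NTP = """\
ntp authentication-key 1 md5 PLACEHOLDERKEY 7
ntp authenticate
ntp trusted-key 1
ntp server 192.0.2.10 key 1
ntp server 192.0.2.11 key 1
ntp access-group peer 10
ntp access-group serve-only 20
"""

SERVER_RE = re.compile(r"^ntp server (\S+)(?:.*?\bkey (\d+))?", re.M)


def ntp_servers(cfg):
    """Map each configured server to the key id it is authenticated with (None if unkeyed)."""
    return {m.group(1): int(m.group(2)) if m.group(2) else None for m in SERVER_RE.finditer(cfg)}


def check_ntp(cfg, min_servers=2, desired=None, allow_master=False):
    """Return {rule: passed}. `desired` is the policy's server list; None skips Rule 4."""
    servers = ntp_servers(cfg)
    defined = {int(k) for k in re.findall(r"^ntp authentication-key (\d+) ", cfg, re.M)}
    trusted = {int(k) for k in re.findall(r"^ntp trusted-key (\d+)", cfg, re.M)}
    return {
        # Rule 1: only designated border devices should run as an NTP master.
        "ntp_master_state_ok": allow_master or re.search(r"^ntp master", cfg, re.M) is None,
        # Rule 4: every desired server is present.
        "desired_servers_present": desired is None or set(desired) <= set(servers),
        # Rule 5: at least min_servers are configured.
        "min_servers_met": len(servers) >= min_servers,
        # Rule 6: 'ntp authenticate' is on ...
        "authenticate_enabled": re.search(r"^ntp authenticate$", cfg, re.M) is not None,
        # ... and every server references a key that is both defined and trusted.
        "every_server_keyed": bool(servers) and all(
            k is not None and k in defined and k in trusted for k in servers.values()),
        # Rule 7: an access-group restricts who may peer, be served or query.
        "access_restricted": re.search(
            r"^ntp access-group (peer|serve|serve-only|query-only) \S+", cfg, re.M) is not None,
    }


if __name__ == "__main__":
    print("weak", check_ntp(WEAK_NTP))
    print("hardened", check_ntp(HARDENED_NTP, desired=["192.0.2.10", "192.0.2.11"]))
```

Dropping the ntp trusted-key line from the hardened snippet is enough to fail every_server_keyed even though ntp authenticate is still present; that is the misconfiguration the extra check is there to catch.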


Note If you select a rule which checks for interface related configuration, compliance check will be done only for the interfaces which are administratively up and configured with an IP address.


Device Version Checks

Description

This policy verifies the operating system versions on the devices and makes sure they meet the defined requirements.

Applicable Platforms

NA

References

National Security Agency (NSA) Cisco Router Configuration Guide (Section 4.1.2, Page 57 of Version 1.1c)

The "Router Security Configuration Guide" provides technical guidance intended to help network administrators and security officers improve the security of their networks. It contains principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The information presented can be used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

Center for Internet Security, Benchmark for Cisco PIX/ASA (Section 1.3.1.2, Page 26 of Version 2.0, Nov 2007)

The CIS PIX/ASA benchmark recommends the prudent level of minimum due care for operating system security. It contains some security configuration recommendations that affect functionality, and these are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments. All PIX and ASA devices should implement these settings.

Rule 1

Rule

Check for Required OS Versions

Description

This rule checks that all selected devices are running accepted OS versions.

Impact

No known impact.

Suggested Fix

Change the OS version of the device by loading one of the accepted versions.

Rule: Operating System Type
Description: Type of Operating System. Using the Operating System Type Editor option, you can add, remove or update Operating System Type details. You can also change the order of the details.
Constraints: Required: true


Rule: Match Condition Type
Description: Select whether all the version expressions must match, or at least one of them must match, for the validation to succeed. Using the Match Condition Type Editor option, you can add, remove or update Match Condition Type details. You can also change the order of the details.
Constraints: Required: true; Default: false


Rule: Accepted Version Expressions
Description: List of OS Version Expressions that are acceptable. A "Version Expression" is an operator followed by a version string. Valid operators are "=" (equals), "!=" (not equals), ">" (greater than), ">=" (greater than or equals), "<" (less than), "<=" (less than or equals), "~" (matches a regular expression) and "!~" (does not match a regular expression). Using the Accepted Version Expressions Editor option, you can add, remove or update Accepted Version Expression details. You can also change the order of the expressions.
Constraints: Required: true
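The version-expression evaluation described above, as an added example in Python (not Cisco Prime LMS code). The page does not say how two version strings such as 15.2(4)M6 and 12.4(24)T8 are ordered, so the ordering used here is an assumption: a version is split into numeric and alphabetic chunks and compared chunk by chunk, numerically where both chunks are numbers, so that T8 sorts before T10. The device inventory is constructed.

```python
"""Evaluate 'Accepted Version Expressions' with a 'Match Condition Type' (all or any)
against device OS versions. Added example; ordering is an assumption, inventory constructed."""
import re

_EXPR = re.compile(r"^\s*(!=|>=|<=|!~|[=<>~])\s*(.+?)\s*$")


def version_key(v):
    """'15.2(4)M6' -> ((0,15),(0,2),(0,4),(1,'M'),(0,6)).
    Numeric chunks compare as integers; a shorter prefix sorts before a longer one."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[A-Za-z]+", v))


_OPS = {
    "=":  lambda v, x: version_key(v) == version_key(x),
    "!=": lambda v, x: version_key(v) != version_key(x),
    ">":  lambda v, x: version_key(v) > version_key(x),
    ">=": lambda v, x: version_key(v) >= version_key(x),
    "<":  lambda v, x: version_key(v) < version_key(x),
    "<=": lambda v, x: version_key(v) <= version_key(x),
    "~":  lambda v, x: re.search(x, v) is not None,   # operand is a regular expression
    "!~": lambda v, x: re.search(x, v) is None,
}


def parse_expression(expr):
    """'>=15.1' -> ('>=', '15.1'); raises on a malformed expression rather than guessing."""
    m = _EXPR.match(expr)
    if not m:
        raise ValueError(f"malformed version expression: {expr!r}")
    return m.group(1), m.group(2)


def version_accepted(version, expressions, match_all=True):
    """Match Condition Type: every expression must hold (match_all) or at least one."""
    verdicts = [_OPS[op](version, operand) for op, operand in map(parse_expression, expressions)]
    return all(verdicts) if match_all else any(verdicts)


# Constructed inventory: (hostname, Operating System Type, running version).
INVENTORY = [
    ("rtr-core", "IOS", "15.2(4)M6"),
    ("rtr-old", "IOS", "12.4(24)T8"),
    ("fw-edge", "ASA", "9.1(2)"),
]


def noncompliant(inventory, os_type, expressions, match_all=True):
    """Hosts of the selected OS type whose version fails the policy."""
    return [host for host, kind, ver in inventory
            if kind == os_type and not version_accepted(ver, expressions, match_all)]


if __name__ == "__main__":
    print(noncompliant(INVENTORY, "IOS", [">=15.1", "<16.0"]))
```

A regular-expression operand is applied to the raw version string, so an anchored pattern such as ^12\. is the simplest way to exclude a whole train; the comparison operators are for ranges within a train.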


Devices Running outdated OS Versions

Description

This policy verifies if any of the devices selected are running outdated operating systems as per the End Of Life/End Of Sales Announcements by vendors.

Applicable Platforms

Cisco IOS Devices

Cisco PIX and ASA Firewalls

Cisco CATOS Devices

References

Cisco End Of Life/End Of Sales Announcements

Products reach the end of their Product Life Cycle for a number of reasons. These reasons may be due to market demands, technology innovation and development driving changes in the product, or the products simply mature over time and are replaced by functionally richer technology.

Rule 1

Rule

Verify that software is not announced to be End Of Life [IOS, PIX, ASA, CatOS]

Description

Products reach the end of their Product Life Cycle for a number of reasons. These reasons may be due to market demands, technology innovation and development driving changes in the product, or the products simply mature over time and are replaced by functionally richer technology. It is important to make sure all the devices are still supported by the vendor so that they can be serviced and upgraded whenever needed. Refer to the Cisco End-Of-Life Policy for more details.

Applicable Platforms

Cisco IOS Devices

Cisco PIX and ASA Firewalls

Cisco CATOS Devices

Impact

If the device is not upgraded to the next version of operating system, the support of this device may end soon.

Suggested Fix

Upgrade to next available version of software as soon as possible

Rule 2

Rule

Verify that software has not reached End Of Sale [IOS, PIX, ASA, CatOS]

Description

Software running on this device has reached the End of Sale milestone. The software release may no longer be ordered. Releases which reach this milestone are still available for customers under a maintenance contract or for Customer Service Engineering (CSE) support until they reach the "End-of-Life" milestone. Products reach the end of their Product Life Cycle for a number of reasons. These reasons may be due to market demands, technology innovation and development driving changes in the product, or the products simply mature over time and are replaced by functionally richer technology. It is important to make sure all the devices are still supported by the vendor so that they can be serviced and upgraded whenever needed. Refer to the Cisco End-Of-Life Policy for more details.

Applicable Platforms

Cisco IOS Devices

Cisco PIX and ASA Firewalls

Cisco CATOS Devices

Impact

If the device is not upgraded to the next version of operating system, the support of this device may end soon.

Suggested Fix

Upgrade to next available version of software as soon as possible

Rule: Time
Description: Time in years.
Constraints: Required: true; Default: Right Now


Rule 3

Rule

Verify that software has not reached End Of Engineering Maintenance [IOS, PIX, ASA, CatOS]

Description

Software running on this device has reached the End of Engineering milestone. After this milestone, no scheduled maintenance releases will be produced for the major release. Releases which reach this milestone are still available for customers under a maintenance contract or for CSE support until they reach the "End-of-Life" milestone. Products reach the end of their Product Life Cycle for a number of reasons. These reasons may be due to market demands, technology innovation and development driving changes in the product, or the products simply mature over time and are replaced by functionally richer technology. It is important to make sure all the devices are still supported by the vendor so that they can be serviced and upgraded whenever needed. Refer to the Cisco End-Of-Life Policy for more details.

Applicable Platforms

Cisco IOS Devices

Cisco PIX and ASA Firewalls

Cisco CATOS Devices

Impact

If the device is not upgraded to the next version of operating system, the support of this device may end soon.

Suggested Fix

Upgrade to next available version of software as soon as possible

Rule: Time
Description: Time in years.
Constraints: Required: true; Default: Right Now


Rule 4

Rule

Verify that software has not reached End Of Contract Renewal Maintenance [IOS, PIX, ASA, CatOS]

Description

This software has reached the End of Contract Renewal milestone. After this milestone, service contracts are no longer renewed.

Applicable Platforms

Cisco IOS Devices

Cisco PIX and ASA Firewalls

Cisco CATOS Devices

Impact

If the device is not upgraded to the next family of devices, the support of this device may end soon.

Suggested Fix

Upgrade to next available family of devices as soon as possible

Rule: Time
Description: Time in years.
Constraints: Required: true; Default: Right Now


Rule 5

Rule

Verify that software has not reached End Of Life (Support) [IOS, PIX, ASA, CatOS]

Description

Software running on this device has reached the End of Life milestone. After this milestone date, the software release is no longer officially supported by the vendor. Products reach the end of their Product Life Cycle for a number of reasons. These reasons may be due to market demands, technology innovation and development driving changes in the product, or the products simply mature over time and are replaced by functionally richer technology. It is important to make sure all the devices are still supported by the vendor so that they can be serviced and upgraded whenever needed. Refer to the Cisco End-Of-Life Policy for more details.

Applicable Platforms

Cisco IOS Devices

Cisco PIX and ASA Firewalls

Cisco CATOS Devices

Impact

If the device is not upgraded to the next version of operating system, the support of this device may end soon.

Suggested Fix

Upgrade to next available version of software as soon as possible

Rule: Time
Description: Time in years.
Constraints: Required: true; Default: Right Now


Devices with outdated modules

Description

This policy verifies if any of the devices selected are installed with outdated modules as per the End Of Life/End Of Sales Announcements by vendors.

Applicable Platforms

Cisco IOS Devices

Cisco PIX and ASA Firewalls

Cisco CATOS Devices

References

Cisco End Of Life/End Of Sales Announcements

Products reach the end of their Product Life Cycle for a number of reasons. These reasons may be due to market demands, technology innovation and development driving changes in the product, or the products simply mature over time and are replaced by functionally richer technology.

Rule 1

Rule

Verify that none of the modules are announced to be End Of Life [IOS, PIX, ASA, CatOS]

Description

Products reach the end of their Product Life Cycle for a number of reasons. These reasons may be due to market demands, technology innovation and development driving changes in the product, or the products simply mature over time and are replaced by functionally richer technology. It is important to make sure all the devices are still supported by the vendor so that they can be serviced and upgraded whenever needed. Refer to the Cisco End-Of-Life Policy for more details.

Applicable Platforms

Cisco IOS Devices

Cisco PIX and ASA Firewalls

Cisco CATOS Devices

Impact

If the device is not migrated to the prescribed modules, the support of these modules may end soon.

Suggested Fix

Migrate to the prescribed modules.

Rule 2

Rule

Verify that none of the modules have reached End Of Sale [IOS, PIX, ASA, CatOS]

Description

This device has modules that have reached the End of Sale milestone. The hardware may no longer be ordered. Modules which reach this milestone are still available for customers under a maintenance contract or for Customer Service Engineering (CSE) support until they reach the "End-of-Life" milestone. Products reach the end of their Product Life Cycle for a number of reasons. These reasons may be due to market demands, technology innovation and development driving changes in the product, or the products simply mature over time and are replaced by functionally richer technology. It is important to make sure all the devices are still supported by the vendor so that they can be serviced and upgraded whenever needed. Refer to the Cisco End-Of-Life Policy for more details.

Applicable Platforms

Cisco IOS Devices

Cisco PIX and ASA Firewalls

Cisco CATOS Devices

Impact

If the device is not migrated to the prescribed modules, the support of these modules may end soon.

Suggested Fix

Migrate to the prescribed modules.

Rule: Time
Description: Time in years.
Constraints: Required: true; Default: Right Now


Rule 3

Rule

Verify that none of the modules have reached End Of Engineering Maintenance [IOS, PIX, ASA, CatOS]

Description

This device has modules that have reached the End of Engineering milestone. The hardware may no longer be ordered. After this milestone, no scheduled maintenance releases will be produced for the major release. Modules which reach this milestone are still available for customers under a maintenance contract or for CSE support until they reach the "End-of-Life" milestone. Products reach the end of their Product Life Cycle for a number of reasons. These reasons may be due to market demands, technology innovation and development driving changes in the product, or the products simply mature over time and are replaced by functionally richer technology. It is important to make sure all the devices are still supported by the vendor so that they can be serviced and upgraded whenever needed. Refer to the Cisco End-Of-Life Policy for more details.

Applicable Platforms

Cisco IOS Devices

Cisco PIX and ASA Firewalls

Cisco CATOS Devices

Impact

If the device is not migrated to the prescribed modules, the support of these modules may end soon.

Suggested Fix

Migrate to the prescribed modules.

Rule: Time
Description: Time in years.
Constraints: Required: true; Default: Right Now


Rule 4

Rule

Verify that none of the modules have reached End Of Contract Renewal Maintenance [IOS, PIX, ASA, CatOS]

Description

This device has modules that have reached the End of Contract Renewal milestone. After this milestone, service contracts are no longer renewed.

Applicable Platforms

Cisco IOS Devices

Cisco PIX and ASA Firewalls

Cisco CATOS Devices

Impact

If the device is not upgraded to the prescribed modules, the support of these modules may end soon.

Suggested Fix

Upgrade to prescribed modules as soon as possible

Rule: Time
Description: Time in years.
Constraints: Required: true; Default: Right Now


Rule 5

Rule

Verify that none of the modules have reached End Of Life (Support) [IOS, PIX, ASA, CatOS]

Description

This device has modules that have reached the End of Life milestone. After this milestone date, the modules are no longer officially supported by the vendor. Products reach the end of their Product Life Cycle for a number of reasons. These reasons may be due to market demands, technology innovation and development driving changes in the product, or the products simply mature over time and are replaced by functionally richer technology. It is important to make sure all the devices are still supported by the vendor so that they can be serviced and upgraded whenever needed. Refer to the Cisco End-Of-Life Policy for more details.

Applicable Platforms

Cisco IOS Devices

Cisco PIX and ASA Firewalls

Cisco CATOS Devices

Impact

If the device is not upgraded to the prescribed modules, the support of these modules may end soon.

Suggested Fix

Upgrade to prescribed modules as soon as possible

Rule: Time
Description: Time in years.
Constraints: Required: true; Default: Right Now


Outdated Devices As Per Vendor Specific EOL/EOS Announcement

Description

This policy verifies if any of the devices selected are outdated as per the Cisco Hardware End Of Life/End Of Sales Announcements.

Applicable Platforms

Cisco IOS Devices

Cisco PIX and ASA Firewalls

Cisco CatOS Devices

References

Cisco End Of Life/End Of Sales Announcements

Products reach the end of their Product Life Cycle for a number of reasons. These reasons may be due to market demands, technology innovation and development driving changes in the product, or the products simply mature over time and are replaced by functionally richer technology.

Rule 1

Rule

Verify that device is not announced to be End Of Life [IOS, PIX, ASA, CatOS]

Description

Products reach the end of their Product Life Cycle for a number of reasons. These reasons may be due to market demands, technology innovation and development driving changes in the product, or the products simply mature over time and are replaced by functionally richer technology. It is important to make sure all the devices are still supported by the vendor so that they can be serviced and upgraded whenever needed. Refer to the Cisco End-Of-Life Policy for more details.

Applicable Platforms

Cisco IOS Devices

Cisco PIX and ASA Firewalls

Cisco CatOS Devices

Impact

If the device is not upgraded to the next family of devices, the support of this device may end soon.

Suggested Fix

Upgrade to next available family of devices as soon as possible

Rule 2

Rule

Verify that device has not reached End Of Sale [IOS, PIX, ASA, CatOS]

Description

This device has reached the End of Sale milestone. The hardware may no longer be ordered. Devices which reach this milestone are still available for customers under a maintenance contract or for Customer Service Engineering (CSE) support until they reach the "End-of-Life" milestone. Products reach the end of their Product Life Cycle for a number of reasons. These reasons may be due to market demands, technology innovation and development driving changes in the product, or the products simply mature over time and are replaced by functionally richer technology. It is important to make sure all the devices are still supported by the vendor so that they can be serviced and upgraded whenever needed. Refer to the Cisco End-Of-Life Policy for more details.

Applicable Platforms

Cisco IOS Devices

Cisco PIX and ASA Firewalls

Cisco CatOS Devices

Impact

If the device is not upgraded to the next family of devices, the support of this device may end soon.

Suggested Fix

Upgrade to next available family of devices as soon as possible

Rule: Time
Description: Time in years.
Constraints: Required: true; Default: Right Now


Rule 3

Rule

Verify that device has not reached End Of Engineering Maintenance [IOS, PIX, ASA, CatOS]

Description

This device has reached the End of Engineering milestone. After this milestone, no scheduled maintenance releases will be produced for the major release. Upgrades and releases for devices which reach this milestone are still available for customers under a maintenance contract or for CSE support until they reach the "End-of-Life" milestone. Products reach the end of their Product Life Cycle for a number of reasons. These reasons may be due to market demands, technology innovation and development driving changes in the product, or the products simply mature over time and are replaced by functionally richer technology. It is important to make sure all the devices are still supported by the vendor so that they can be serviced and upgraded whenever needed. Refer to the Cisco End-Of-Life Policy for more details.

Applicable Platforms

Cisco IOS Devices

Cisco PIX and ASA Firewalls

Cisco CatOS Devices

Impact

If the device is not upgraded to the next family of devices, the support of this device may end soon.

Suggested Fix

Upgrade to next available family of devices as soon as possible

Rule: Time
Description: Time in years.
Constraints: Required: true; Default: Right Now


Rule 4

Rule

Verify that device has not reached End Of Contract Renewal Maintenance [IOS, PIX, ASA, CatOS]

Description

This device has reached the End of Contract Renewal milestone. After this milestone, service contracts are no longer renewed.

Applicable Platforms

Cisco IOS Devices

Cisco PIX and ASA Firewalls

Cisco CatOS Devices

Impact

If the device is not upgraded to the next family of devices, the support of this device may end soon.

Suggested Fix

Upgrade to next available family of devices as soon as possible

Rule: Time
Description: Time in years.
Constraints: Required: true; Default: Right Now


Rule 5

Rule

Verify that device has not reached End Of Life (Support)[IOS, PIX, ASA, CatOS]

Description

This device has reached the End of Life milestone. After this milestone date, the device is no longer officially supported by the vendor. Products reach the end of their Product Life Cycle for a number of reasons. These reasons may be due to market demands, technology innovation and development driving changes in the product, or the products simply mature over time and are replaced by functionally richer technology. It is important to make sure all the devices are still supported by the vendor so that they can be serviced and upgraded whenever needed. Refer to the Cisco End-Of-Life Policy for more details.

Applicable Platforms

Cisco IOS Devices

Cisco PIX and ASA Firewalls

Cisco CatOS Devices

Impact

If the device is not upgraded to the next family of devices, the support of this device may end soon.

Suggested Fix

Upgrade to next available family of devices as soon as possible

Rule: Time
Description: Time in years.
Constraints: Required: true; Default: Right Now


IEEE 802.1X Port-Based Authentication

Description

The IEEE 802.1X standard defines a client-server-based access control and authentication protocol that restricts unauthorized clients from connecting to a LAN through publicly accessible ports. The authentication server authenticates each client connected to a switch port and assigns the port to a VLAN before making available any services offered by the switch or the LAN. Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.

Applicable Platforms

Cisco IOS Switches With DOT1X Capability

References

National Security Agency (NSA) Cisco Switch Configuration Guide (Section 13.2 Page 52 of Version 1.0)

The Cisco IOS Switch Security Configuration Guide from National Security Agency (NSA) provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented in this document, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (for example, switches) which are part of their computer networks.

Rule 1

Rule

Check the global state of IEEE 802.1X Port-Based Authentication [IOS]

Description

This check verifies that the global IEEE 802.1X Port-Based Authentication state on the device matches the state required by the policy.

Applicable Platforms

Cisco IOS Switches With DOT1X Capability

Impact

Without 802.1X, any device plugged into an unused port on the switch can send and receive traffic through the switch without authenticating.

Suggested Fix

Enable 802.1X authentication globally on the device using the command (the no form disables it):

[no] dot1x system-auth-control

Rule                                     Description                              Constraints
Desired state of 802.1X Authentication   Desired state of 802.1X Authentication   Required: true; Default: false


Rule 2

Rule

Check the state of IEEE 802.1X Port-Based Authentication on the given interfaces [IOS].

Description

This check verifies that the IEEE 802.1X Port-Based Authentication state on the given interfaces matches the state required by the policy.

Applicable Platforms

Cisco IOS Switches With DOT1X Capability

Impact

Without 802.1X, any device plugged into an unused port on the switch can send and receive traffic through the switch without authenticating.

Suggested Fix

Configure 802.1X authentication on the device globally and/or on specific interfaces using the commands:

[no] dot1x system-auth-control

interface <interface name>

dot1x port-control {auto | force-authorized | force-unauthorized}

Only the auto keyword makes the port authenticate attached clients. force-authorized leaves the port open without authentication (the default for a port without this command) and force-unauthorized blocks all traffic on it, so neither satisfies a policy that requires 802.1X to be enabled. On IOS releases that use the authentication manager, the interface also needs dot1x pae authenticator for the port to act as an 802.1X authenticator.


Note You can add or remove the interface group and authentication state. You can also change the order of the details.


Rule                          Description
Interface Group               Shows the interface group.
802.1X Authentication State   Shows the 802.1X authentication state.



Note If you select a rule that checks interface-related configuration, the compliance check is done only for interfaces that are administratively up and configured with an IP address.
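An added example of evaluating Rule 1 and Rule 2 against a running-config, written as a stand-alone audit script rather than taken from Cisco Prime LMS. The sample config is constructed; the interface group is modelled as a regular expression over interface names (an assumption, since LMS defines groups in its own way); both the older dot1x port-control and the newer authentication port-control keywords are accepted; and, following the note above, administratively shut-down ports are skipped (the IP-address condition is not modelled, because access ports normally carry no IP address).

```python
from __future__ import annotations

import re

# Constructed sample running-config (not captured from a real switch).
# Gi0/1 authenticates, Gi0/2 is force-authorized (no authentication),
# Gi0/3 is shut down, Gi0/4 has no port-control at all, Gi0/24 is an uplink.
SAMPLE_CONFIG = """\
hostname access-sw1
!
dot1x system-auth-control
!
interface GigabitEthernet0/1
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
!
interface GigabitEthernet0/2
 switchport mode access
 dot1x port-control force-authorized
!
interface GigabitEthernet0/3
 switchport mode access
 shutdown
!
interface GigabitEthernet0/4
 switchport mode access
!
interface GigabitEthernet0/24
 description uplink
 switchport mode trunk
!
"""

PORT_CONTROL = re.compile(r"(?:dot1x|authentication) port-control (\S+)")


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Split an IOS running-config into {interface name: [its indented lines]}."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None  # "!" or any other global line closes the section
    return sections


def global_dot1x_enabled(config: str) -> bool:
    """Rule 1: 'dot1x system-auth-control' must be present as a global command.
    A disabled state simply does not appear in the running-config."""
    return any(line.strip() == "dot1x system-auth-control"
               for line in config.splitlines() if not line.startswith(" "))


def interface_dot1x_enabled(lines: list[str]) -> bool:
    """Rule 2: only port-control 'auto' authenticates clients.
    force-authorized opens the port without authentication, force-unauthorized
    blocks it, and no port-control line at all means the default (force-authorized)."""
    for line in lines:
        m = PORT_CONTROL.match(line)
        if m:
            return m.group(1) == "auto"
    return False


def check_dot1x(config: str, interface_group: str, desired_state: bool = True) -> list[tuple[str, str]]:
    """Evaluate both rules. interface_group is a regular expression over
    interface names (stand-in for an LMS interface group). Returns
    (scope, finding) pairs; an empty list means compliant."""
    want = "enabled" if desired_state else "disabled"
    violations: list[tuple[str, str]] = []
    if global_dot1x_enabled(config) != desired_state:
        violations.append(("global", f"dot1x system-auth-control is not {want}"))
    for name, lines in parse_interfaces(config).items():
        if not re.fullmatch(interface_group, name):
            continue
        if "shutdown" in lines:
            continue  # administratively down ports are out of scope, as the note above says
        if interface_dot1x_enabled(lines) != desired_state:
            violations.append((name, f"802.1X port authentication is not {want}"))
    return violations


if __name__ == "__main__":
    for scope, finding in check_dot1x(SAMPLE_CONFIG, r"GigabitEthernet0/[1-4]"):
        print(f"{scope}: {finding}")
```

Against the sample, GigabitEthernet0/2 is reported even though it carries a dot1x port-control line: force-authorized is the case an audit that only greps for the command would miss.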


IOS Software SIP DoS Vulnerability - 112248

Description

Multiple vulnerabilities exist in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software and Cisco IOS XE Software that could allow an unauthenticated, remote attacker to cause a reload of an affected device or trigger memory leaks that may result in system instability. Affected devices must be configured to process SIP messages for these vulnerabilities to be exploitable.

Applicable Platforms

Cisco IOS Devices

References

CISCO PSIRT Advisories and Notices (112248 of 1.1)

Security Advisories cover security issues that directly impact Cisco products and for which action is necessary to repair the Cisco product. Security Notices cover issues that require a response to information posted to a public forum, or recommendations to mitigate general problems affecting network stability.

Rule 1

Rule

PSIRT - 112248: Verify IOS Software SIP DoS Vulnerability [IOS].

Description

Cisco devices are affected when they are running affected Cisco IOS Software and Cisco IOS XE Software versions that are configured to process SIP messages.

Recent versions of Cisco IOS Software do not process SIP messages by default. Creating a dial peer by issuing the dial-peer voice configuration command starts the SIP processes, causing the Cisco IOS device to process SIP messages. In addition, several features within Cisco Unified Communications Manager Express, such as ePhones, also automatically start the SIP process when they are configured, causing the device to start processing SIP messages.

An example of an affected configuration follows:

dial-peer voice <Voice dial-peer tag> voip
...
!

In addition to inspecting the Cisco IOS device configuration for a dial-peer command that causes the device to process SIP messages, administrators can also use the show processes | include SIP command to determine whether Cisco IOS Software is running the processes that handle SIP messages. In the following example, the presence of the processes CCSIP_UDP_SOCKET or CCSIP_TCP_SOCKET indicates that the Cisco IOS device will process SIP messages:

Router# show processes | include SIP
       149 Mwe 40F48254            4          1    400023108/24000  0 CCSIP_UDP_SOCKET
       150 Mwe 40F48034            4          1    400023388/24000  0 CCSIP_TCP_SOCKET

Note Because there are several ways a device running Cisco IOS Software can start processing SIP messages, it is recommended that the show processes | include SIP command be used to determine whether the device is processing SIP messages instead of relying on the presence of specific configuration commands.
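An added example of the two checks just described, as a stand-alone script rather than Cisco's or LMS's own code. It looks for VoIP dial peers in the configuration and for the CCSIP_UDP_SOCKET and CCSIP_TCP_SOCKET processes in the output of show processes | include SIP, and follows the note above by treating the process listing as the deciding signal. The configurations are constructed; the process listing is modelled on the example output above. Whether the running release is an affected version is a separate check that this section does not give the data for, so it is not attempted here.

```python
from __future__ import annotations

import re

# Constructed configurations (not from a real gateway). The first creates a
# VoIP dial peer, which starts SIP processing; the second has no dial peer.
CONFIG_WITH_DIAL_PEER = """\
hostname voice-gw1
!
dial-peer voice 100 voip
 destination-pattern 9T
 session protocol sipv2
 session target ipv4:192.0.2.10
!
dial-peer voice 200 pots
 destination-pattern 5...
 port 0/0/0
!
"""

CONFIG_WITHOUT_DIAL_PEER = """\
hostname voice-gw2
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
"""

# Process listing modelled on the advisory's example output above.
PROCESSES_WITH_SIP = """\
Router# show processes | include SIP
       149 Mwe 40F48254            4          1    400023108/24000  0 CCSIP_UDP_SOCKET
       150 Mwe 40F48034            4          1    400023388/24000  0 CCSIP_TCP_SOCKET
"""

PROCESSES_WITHOUT_SIP = "Router# show processes | include SIP\n"

VOIP_DIAL_PEER = re.compile(r"^dial-peer voice (\S+) voip\s*$", re.MULTILINE)
SIP_SOCKET_PROCESS = re.compile(r"\b(CCSIP_(?:UDP|TCP)_SOCKET)\b")


def voip_dial_peers(config: str) -> list[str]:
    """Tags of 'dial-peer voice <tag> voip' entries; POTS dial peers do not count."""
    return VOIP_DIAL_PEER.findall(config)


def sip_socket_processes(show_processes: str) -> set[str]:
    """Names of the SIP socket processes present in 'show processes | include SIP'."""
    return set(SIP_SOCKET_PROCESS.findall(show_processes))


def assess_sip_exposure(config: str, show_processes: str) -> dict:
    """Combine both signals. The process listing decides, because SIP can be
    started by features (for example CME ephones) that leave no dial peer in
    the configuration; the dial-peer list is reported to explain the finding."""
    procs = sip_socket_processes(show_processes)
    peers = voip_dial_peers(config)
    if procs:
        reason = "SIP socket processes running: " + ", ".join(sorted(procs))
    elif peers:
        reason = "VoIP dial peers configured but no SIP processes seen; re-check the process list"
    else:
        reason = "no SIP processes and no VoIP dial peers"
    return {"processing_sip": bool(procs), "voip_dial_peers": peers, "reason": reason}


if __name__ == "__main__":
    for cfg in (CONFIG_WITH_DIAL_PEER, CONFIG_WITHOUT_DIAL_PEER):
        for procs in (PROCESSES_WITH_SIP, PROCESSES_WITHOUT_SIP):
            print(assess_sip_exposure(cfg, procs))
```

The case worth noticing is a configuration with no dial peer but a process list showing CCSIP_UDP_SOCKET and CCSIP_TCP_SOCKET: a config-only check would clear that device, while the process check correctly reports it as processing SIP.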


Cisco Unified Border Element images are also affected by two of these vulnerabilities.


Note The Cisco Unified Border Element feature (CUBE - previously known as the Cisco Multiservice IP-to-IP Gateway) is a special Cisco IOS Software image that runs on Cisco multiservice gateway platforms. It prov