Resilient Infrastructure

Fortifying Your Digital Foundation

Redefining Default Security for a Stronger Future

High-profile attacks relentlessly targeting critical infrastructure and network providers demand a new standard of defense. Building on our core principles of secure-by-default and secure-by-design, we’re committed to driving resilient infrastructure through proactive hardening and anticipating tomorrow's threats.

Overview

What this means for you

We will be delivering critical security enhancements across Cisco products, some of which may require our customers to take action. We're committed to making this transition as seamless and non-disruptive as possible and will continue to update this page for the latest guidance and resources. Here’s what else you need to know.

  • Proactive Security Enhancements: To increase the security posture of Cisco devices, we are making changes to default settings, deprecating and eventually removing insecure capabilities, and introducing new security features. These changes are designed to strengthen your network infrastructure and provide better visibility into threat actor activities.
  • Your Action is Key: We encourage all customers to adopt improved security practices now and discontinue the use of insecure features. This will strengthen your security posture and prepare you for these essential enhancements.
  • Comprehensive Guidance: This page provides up-to-date information on these changes, our strategy for phasing them in, and specific actions you should take now to be ready.

Infrastructure hardening

Reduce your attack surface today 

A core tenet of resilient infrastructure is disabling unused features by default (and requiring customers to explicitly enable features they desire), thereby reducing attack surfaces. Hardening guides provide detailed recommendations and best practices needed to implement these changes effectively. Our guides also include details on best practices for enabling key security features (to the extent they are not yet, or cannot fully be, enabled by default) that further help protect sensitive data and make devices more resilient to attacks.

These are actions customers can and should take today: they protect your network now and prepare it for the changes being delivered as part of this effort.

Proactive security

Patching, updates, and LDOS readiness

Cisco strongly recommends running our latest software releases, as they offer the most robust security. It is critical to avoid running products approaching or past their End of Vulnerability Support (EoVSS). After this milestone, no new security fixes are issued, leaving your systems potentially exposed to significant, unmitigated risks. Cisco’s Last Day of Support (LDOS) marks the final date for any support or updates. Proactive patching and diligent management of your product lifecycles against these critical dates are essential for a protected and reliable environment.

Cisco provides transparent vulnerability disclosures following a well-defined policy. We urge customers to subscribe to security advisory notifications and apply patches promptly. Beyond advisories, proactively staying current on recommended releases is key to strengthening your security posture.

Feature deprecation

Phasing out insecure capabilities

To reduce your attack surface and protect sensitive data, insecure features and protocols will be systematically deprecated and eventually removed from identified Cisco products. Our phased removal strategy is planned to span three feature releases to minimize disruption:

  1. Warning: You will receive warnings when configuring key insecure features. We strongly recommend discontinuing their use immediately.
  2. Restriction: In subsequent releases, key insecure features will be disabled by default or require explicit administrator action to enable. Existing deployments will continue to function, but new installations will require intentional enablement. Some features on specific platforms may not have a restriction phase, with only warnings continuing for several releases before removal.
  3. Removal: Obsolete features are planned to be removed entirely from future software releases. The timing of removal will vary based on user impact and adoption (e.g., widely adopted features like SNMPv2 will phase out more slowly than less-used ones).

Secure defaults

Reducing risk, enhancing posture

We’re enforcing more secure-by-default settings to significantly reduce your attack surface and improve security posture. This includes disabling services like web servers, SNMP, and guest shell by default.

Understanding what’s changing and your role:

  • Enable Only What's Needed: As detailed in our hardening guides, enable only the services you truly need and apply appropriate safeguards, such as restricting management traffic to defined networks. Implementing these practices today is vital for immediate security and will streamline your upgrades when future releases enforce these secure defaults.
  • Best Practices Enforced: It is essential to generate strong cryptographic keys, use robust encryption for credentials, and disable exploitable features like proxy ARP. Future releases will enforce these and other critical best practices by default, with less secure options (e.g., weak ciphers) eventually removed.
  • Minimizing Disruption: Most default changes will apply primarily to new installations. Upgrade and downgrade considerations will be well documented, with communication plans informing you of impacts.
  • Prepare Today: The most effective way to prepare is to actively follow the guidance in Cisco’s hardening guides now.
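The secure-default items above (web server and SNMP off unless needed, management traffic restricted, strong credential storage, proxy ARP disabled) can be checked against a running configuration before an upgrade enforces them. The following is an added example, not a Cisco tool or any code from this page: a small Python audit that parses an IOS-style configuration and reports the settings that miss the baseline. Both configurations are constructed for illustration; the command syntax is standard IOS, while the check list, the finding names and the `$9$CONSTRUCTED-PLACEHOLDER` secrets are assumptions of this example.

```python
"""Audit an IOS-style running configuration against the secure-default
baseline: management services enabled only when needed, management
traffic restricted, credentials stored as secrets, proxy ARP disabled.
Added example; the configurations below are constructed, not from a device."""
import re
from dataclasses import dataclass

# Constructed legacy-style configuration with several weak settings.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
no service password-encryption
enable password cisco123
username admin password 0 letmein
ip http server
no ip http secure-server
snmp-server community public RO
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip proxy-arp
line vty 0 4
 transport input telnet ssh
"""

# Constructed hardened counterpart (the secret hashes are placeholders).
HARDENED_CONFIG = """\
hostname edge-rtr-01
service password-encryption
enable secret 9 $9$CONSTRUCTED-PLACEHOLDER
username admin secret 9 $9$CONSTRUCTED-PLACEHOLDER
no ip http server
no ip http secure-server
ip access-list standard MGMT-HOSTS
 permit 10.10.0.0 0.0.0.255
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
"""


@dataclass
class Finding:
    section: str  # "global", "interface ...", "line vty ..."
    check: str    # short identifier of the failed check (assumed names)
    detail: str   # human-readable explanation


def parse_config(config_text):
    """Return (global_lines, sections): every unindented line is a global
    command; indented lines attach to the preceding unindented line, which
    then also acts as a section header (interface, line vty, ACL, ...)."""
    global_lines, sections, current = [], {}, None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            sections.setdefault(current, []).append(raw.strip())
        else:
            current = raw.strip()
            global_lines.append(current)
    return global_lines, sections


def audit_config(config_text):
    """Return a list of Findings; an empty list means the baseline is met."""
    global_lines, sections = parse_config(config_text)
    g = set(global_lines)
    findings = []
    if "ip http server" in g:
        findings.append(Finding("global", "http-server", "cleartext HTTP management server enabled"))
    if "service password-encryption" not in g:
        findings.append(Finding("global", "password-encryption",
                                "service password-encryption off (type 7 only hides passwords; prefer secrets)"))
    for line in global_lines:
        if line.startswith("snmp-server community "):
            findings.append(Finding("global", "snmp-community", f"SNMPv1/v2c community configured: {line!r}"))
        if line.startswith("enable password ") or re.match(r"username \S+ password ", line):
            findings.append(Finding("global", "weak-credential", f"password instead of secret: {line!r}"))
    for header, lines in sections.items():
        if header.startswith("interface "):
            # IOS enables proxy ARP on IP interfaces by default, so the weak
            # state is the absence of an explicit "no ip proxy-arp".
            if any(l.startswith("ip address ") for l in lines) and "no ip proxy-arp" not in lines:
                findings.append(Finding(header, "proxy-arp", "proxy ARP left at its default (enabled)"))
        elif header.startswith("line vty"):
            transport = next((l for l in lines if l.startswith("transport input ")), None)
            # The platform default for transport input varies, so only an
            # explicit SSH-only transport passes.
            if transport is None or {"telnet", "all"} & set(transport.split()):
                findings.append(Finding(header, "vty-transport",
                                        f"non-SSH management transport permitted: {transport or 'default'}"))
            if not any(l.startswith("access-class ") for l in lines):
                findings.append(Finding(header, "vty-access-class", "no access-class restricting management sources"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("legacy", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_config(cfg))} finding(s)")
        for f in audit_config(cfg):
            print(f"  [{f.section}] {f.check}: {f.detail}")
```

The parser deliberately does not try to be a full IOS grammar; it only needs the distinction between global commands and indented sub-modes, which is enough for these checks and extends naturally to other items from the hardening guides.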

This page will be updated as these changes are released across the product portfolio, giving you time to prepare for these developments.


Logging and monitoring

Enhanced visibility for rapid response 

To help customers detect and respond to threat actors, this effort significantly augments logging and monitoring capabilities across various products, generating richer telemetry for enhanced threat detection, forensic analysis, and compliance auditing.

Key enhancements include:

  • Default Logging Changes: Adjustments to default settings and new messages for security-significant events (e.g., critical configuration modifications like AAA or logging settings).

  • Best Practice Warnings: New logs to alert you when security best practices are not followed (e.g., insecure RADIUS/TACACS+ or unauthenticated NTP). 

  • Expanded Visibility: Increased insight into guest shell environments and low-level operating system events.

  • Secure Time Synchronization: Enhancements to secure NTP, including support for Network Time Security (NTS), for accurate timestamps critical to effective logging. 
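The logging enhancements above only pay off if something consumes the messages. As an added example that is not part of this page or a Cisco tool, the Python below runs three detections over IOS-style syslog output: configuration sessions, logged configuration commands that touch AAA, logging, time-source or management-protocol settings, and bursts of failed logins from one source. The sample lines are constructed, modelled on the `%SYS-5-CONFIG_I`, `%PARSER-5-CFGLOG_LOGGEDCMD` and `%SEC_LOGIN-4-LOGIN_FAILED` message formats; the list of sensitive command prefixes, the alert names and the failure threshold are assumptions of this example.

```python
"""Detections over IOS-style syslog lines: configuration sessions,
security-significant configuration commands, and failed-login bursts.
Added example; the log lines are constructed, not output of a real device."""
import re

# Constructed sample: an admin session that removes the remote syslog
# destination and disables AAA, followed by repeated login failures.
SAMPLE_LOG = """\
000123: Jan  6 10:21:55.101 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.0.5)
000124: Jan  6 10:22:01.417 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface GigabitEthernet0/1
000125: Jan  6 10:22:03.902 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:description uplink
000126: Jan  6 10:22:09.330 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no logging host 10.10.0.50
000127: Jan  6 10:22:12.018 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no aaa new-model
000128: Jan  6 10:23:40.555 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:23:40 UTC Mon Jan 6 2025
000129: Jan  6 10:23:44.210 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:23:44 UTC Mon Jan 6 2025
000130: Jan  6 10:23:47.876 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:23:47 UTC Mon Jan 6 2025
000131: Jan  6 10:25:02.004 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.10.0.5] [localport: 22] [Reason: Login Authentication Failed] at 10:25:02 UTC Mon Jan 6 2025
"""

# Generic envelope: optional sequence number, timestamp, %FACILITY-SEV-MNEMONIC, text.
SYSLOG_RE = re.compile(
    r"^(?:\d+: )?(?P<ts>.+?): %(?P<msg_id>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<text>.*)$")
CONFIG_I_RE = re.compile(
    r"Configured from (?P<via>\S+) by (?P<user>\S+) on (?P<line>\S+)(?: \((?P<src>[^)]+)\))?")
CFGLOG_RE = re.compile(r"User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)")
LOGIN_FAILED_RE = re.compile(r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\]")
# Commands that change who can log in, what gets logged, or the time source
# behind every timestamp (assumed list; extend as needed).
SENSITIVE_CMD_RE = re.compile(
    r"^(?:no )?(?:aaa|logging|archive|tacacs|radius|ntp|snmp-server|username|enable)\b")


def parse_syslog(line):
    """Split one syslog line into its envelope fields, or None if it does not match."""
    m = SYSLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze_log(log_text, fail_threshold=3):
    """Return a list of alert dicts for the detections described above."""
    alerts, failures = [], {}
    for raw in log_text.splitlines():
        rec = parse_syslog(raw)
        if rec is None:
            continue
        msg_id, text = rec["msg_id"], rec["text"]
        if msg_id == "SYS-5-CONFIG_I":
            m = CONFIG_I_RE.search(text)
            if m:
                alerts.append({"kind": "config-session", "ts": rec["ts"], **m.groupdict()})
        elif msg_id == "PARSER-5-CFGLOG_LOGGEDCMD":
            m = CFGLOG_RE.search(text)
            if m and SENSITIVE_CMD_RE.match(m.group("cmd").strip()):
                alerts.append({"kind": "security-config-change", "ts": rec["ts"],
                               "user": m.group("user"), "command": m.group("cmd").strip()})
        elif msg_id == "SEC_LOGIN-4-LOGIN_FAILED":
            m = LOGIN_FAILED_RE.search(text)
            if m:
                failures[m.group("src")] = failures.get(m.group("src"), 0) + 1
    # Aggregate failures per source so a burst produces one alert, not one per line.
    for src, count in failures.items():
        if count >= fail_threshold:
            alerts.append({"kind": "login-failure-burst", "source": src, "count": count})
    return alerts


if __name__ == "__main__":
    for alert in analyze_log(SAMPLE_LOG):
        print(alert)
```

Two of the flagged commands (`no logging host ...`, `no aaa new-model`) are exactly the kind of change a defender wants surfaced immediately: they weaken the controls that produce the evidence, so an alert on them should be routed with higher priority than routine configuration noise. The command log shown here requires the device's configuration-change logging to be enabled; the page's default-logging changes aim to make such records available without extra setup.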

Securing device authentication

Fortifying access management

Authentication protocols like TACACS+ and RADIUS are increasingly targeted by threat actors. Legacy implementations, relying on MD5 and pre-shared keys, are vulnerable. To counter this, Cisco is significantly enhancing device authentication security:

  • Modernizing Authentication Protocols: We plan to add support for TACACS+ over TLS 1.3 across the Cisco portfolio and promote the use of TLS or DTLS (RadSec) for secure RADIUS traffic. These transports address the weaknesses of the legacy protocols and improve operational security.

  • Enhanced Device Access: New features will include support for FIDO2 over SSH and the ability to use SSH public key authentication with TACACS+ to provide a way to use SSH public keys at scale.