CIS Cisco IOS 12 Benchmark

GNS3

Topology

Configure basic settings for each router.

  • R1

R1#configure terminal
R1(config)#int fa0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#int s1/0
R1(config-if)#ip address 10.0.0.1 255.255.255.252
R1(config-if)#clock rate 64000
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#router eigrp 1
R1(config-router)#network 192.168.1.0
R1(config-router)#network 10.0.0.0
R1(config-router)#no auto-summary
  • R2

R2#configure terminal
R2(config)#int s1/0
R2(config-if)#ip add 10.0.0.2 255.255.255.252
R2(config-if)#no shut
R2(config-if)#exit
R2(config)#int fa0/0
R2(config-if)#ip address 192.168.2.1 255.255.255.0
R2(config-if)#no shut
R2(config-if)#exit
R2(config)#int fa0/1
R2(config-if)#ip address 192.168.3.1 255.255.255.0
R2(config-if)#no shut
R2(config-if)#exit
R2(config)#router eigrp 1
R2(config-router)#network 10.0.0.0
R2(config-router)#network 192.168.2.0
R2(config-router)#network 192.168.3.0
R2(config-router)#no auto-summary
  • PC1

VPCS> ip 192.168.1.100 255.255.255.0 192.168.1.1
Checking for duplicate address...
PC1 : 192.168.1.100 255.255.255.0 gateway 192.168.1.1

VPCS> show ip

NAME        : VPCS[1]
IP/MASK     : 192.168.1.100/24
GATEWAY     : 192.168.1.1
DNS         :
MAC         : 00:50:79:66:68:00
LPORT       : 10005
RHOST:PORT  : 127.0.0.1:10006
MTU:        : 1500

VPCS> save
Saving startup configuration to startup.vpc
.  done

VPCS>
  • PC2

VPCS> ip 192.168.2.100 255.255.255.0 192.168.2.1
Checking for duplicate address...
PC1 : 192.168.2.100 255.255.255.0 gateway 192.168.2.1

VPCS> show ip

NAME        : VPCS[1]
IP/MASK     : 192.168.2.100/24
GATEWAY     : 192.168.2.1
DNS         :
MAC         : 00:50:79:66:68:01
LPORT       : 10003
RHOST:PORT  : 127.0.0.1:10004
MTU:        : 1500

VPCS> save
Saving startup configuration to startup.vpc
.  done

VPCS>
  • PC3

VPCS> ip 192.168.3.100 255.255.255.0 192.168.3.1
Checking for duplicate address...
PC1 : 192.168.3.100 255.255.255.0 gateway 192.168.3.1

VPCS> show ip

NAME        : VPCS[1]
IP/MASK     : 192.168.3.100/24
GATEWAY     : 192.168.3.1
DNS         :
MAC         : 00:50:79:66:68:02
LPORT       : 10007
RHOST:PORT  : 127.0.0.1:10008
MTU:        : 1500

VPCS> save
Saving startup configuration to startup.vpc
.  done

VPCS>

Overview

  • This document provides prescriptive guidance for establishing a secure configuration posture for Cisco routers running Cisco IOS version 12.

Intended Audience

  • This benchmark is intended for:

    • system and application administrators

    • security specialists

    • auditors

    • help desk

    • and platform deployment personnel

Level 1

  • Items in this profile intend to:

    • be practical and prudent;

    • provide a clear security benefit;

    • and not inhibit the utility of the technology beyond acceptable means.

Level 2

  • This profile extends the "Level 1" profile.

  • Items in this profile exhibit one or more of the following characteristics:

    • are intended for environments or use cases where security is paramount.

    • act as a defense-in-depth measure.

    • may negatively inhibit the utility or performance of the technology.

Recommendations (3 major sections and 11 subsections)

  1. Management Plane

    • Access Rules

    • Banner Rules

    • Password Rules

    • SNMP Rules

  2. Control Plane

    • Global Service Rules

    • Logging Rules

    • NTP Rules

    • Loopback Rules

  3. Data Plane

    • Routing Rules

    • Border Router Filtering

    • Neighbor Authentication

1.2.1 Set 'privilege 1' for local users

Profile Applicability

  • Level 1

Description

  • Sets the privilege level for the user.

Rationale

  • Creating a local account with privilege level 1 permissions only allows the local user to access the device with EXEC-level permissions; the user will be unable to modify the device without using the enable password.

Audit

R1#show run | incl privilege
 privilege level 15
 privilege level 15
R1#

Remediation

R1(config)#username yaser privilege 1 password 123

1.2.2 Set 'transport input ssh' for 'line vty' connections

Profile Applicability

  • Level 1

Description

  • Selects the Secure Shell (SSH) protocol.

Rationale

  • Configuring VTY access control restricts remote access to only those authorized to manage the device and prevents unauthorized users from accessing the system.

Audit

R1#sh run | sec vty
line vty 0 4
 login
R1#

Remediation

R1#configure terminal
R1(config)#line vty 0 4
R1(config-line)#transport input ssh
R1(config-line)#

1.2.3 Set 'no exec' for 'line aux 0'

Profile Applicability

  • Level 1

Description

  • The 'no exec' command restricts a line to outgoing connections only.

Rationale

  • Unused ports should be disabled, if not required, since they provide a potential access path for attackers.

  • Some devices include both an auxiliary and console port that can be used to locally connect to and configure the device.

  • The console port is normally the primary port used to configure the device.

  • The auxiliary port is primarily used for dial-up administration via an external modem; use other available methods instead.

Audit

R1#show run | sec aux
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
R1#

Remediation

R1(config)#line aux 0
R1(config-line)#no exec

1.2.4 Create 'access-list' for use with 'line vty'

Profile Applicability

  • Level 1

Description

  • Access lists control the transmission of packets on an interface, control Virtual Terminal Line (VTY) access, and restrict the contents of routing updates.

Rationale

  • VTY ACLs control what addresses may attempt to log in to the router.

Audit

R1#show ip access-lists

R1#

Remediation

R1(config)#ip access-list standard ADMIN-MGT
R1(config-std-nacl)#permit host 192.168.1.100
R1(config-std-nacl)#permit 192.168.2.0 0.0.0.255
R1(config-std-nacl)#exit
R1(config)#

1.2.5 Set 'access-class' for 'line vty'

Profile Applicability

  • Level 1

Description

  • The 'access-class' setting restricts incoming and outgoing connections between a particular vty (into a Cisco device) and the networking devices associated with addresses in an access list.

Rationale

  • Restricting the type of network devices, associated with the addresses on the access-list, further restricts remote access to those devices authorized to manage the device and reduces the risk of unauthorized access.

Audit

R1#show run | sec vty 0 4
line vty 0 4
 login
 transport input ssh
R1#

Remediation

R1(config)#line vty 0 4
R1(config-line)#access-class ADMIN-MGT in

1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0'

Profile Applicability

  • Level 1

Description

  • If no input is detected during the interval, the EXEC facility resumes the current connection.

  • If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.

Rationale

  • This prevents unauthorized users from misusing abandoned sessions, for example when the network administrator leaves for the day with a computer left open and an authenticated login session still accessible.

Audit

R1#sh run | sec line aux 0
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 no exec
R1#

Remediation

R1(config)#line aux 0
R1(config-line)#exec-timeout ?
  <0-35791>  Timeout in minutes

R1(config-line)#exec-timeout 3 ?
  <0-2147483>  Timeout in seconds
  <cr>

R1(config-line)#exec-timeout 3 30
R1(config-line)#

1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes for 'line console 0'

Profile Applicability

  • Level 1

Description

  • If no input is detected during the interval, the EXEC facility resumes the current connection.

  • If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.

Rationale

  • This prevents unauthorized users from misusing abandoned sessions, for example when the network administrator leaves for the day with a computer left open and an authenticated login session still accessible.

Audit

R1#show run | sec line con 0
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
R1#

Remediation

R1(config)#line console 0
R1(config-line)#exec-t
R1(config-line)#exec-timeout 2 30
R1(config-line)#

1.4.1 Set 'password' for 'enable secret'

Profile Applicability

  • Level 1

Description

  • Use the enable secret command to provide an additional layer of security over the enable password.

Rationale

  • The enable password command causes the device to enforce use of a password to access privileged mode.

  • Enable secrets use a one-way cryptographic hash (MD5).

Audit

R1#show run | incl enable secret

Remediation

R1(config)#enable secret 123

1.4.2 Enable 'service password-encryption'

Profile Applicability

  • Level 1

Description

  • When password encryption is enabled, the encrypted form of the passwords is displayed when a 'more system:running-config' command is entered.

Rationale

  • This requires passwords to be encrypted in the configuration file to prevent unauthorized users from learning the passwords just by reading the configuration.

Audit

R1#show run | incl service password-encryption
no service password-encryption
R1#

Remediation

R1(config)#service password-encryption

2.1.1.1.1 Set the 'hostname'

Profile Applicability

  • Level 1

Description

  • The hostname is used in prompts and default configuration filenames.

Rationale

  • The domain name is a prerequisite for setting up SSH.

Audit

Router#show run | incl hostname
hostname Router
Router#

Remediation

Router(config)#hostname R1

2.1.1.1.2 Set the 'ip domain name'

Profile Applicability

  • Level 1

Description

  • Define a default domain name that the Cisco IOS software uses to complete unqualified hostnames.

Rationale

  • The domain name is a prerequisite for setting up SSH.

Audit

R1#show run | incl domain name
R1#

Remediation

R1(config)#ip domain name yaser-rahmati.ir
R1(config)#

2.1.1.1.3 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa'

Profile Applicability

  • Level 1

Description

  • Use this command to generate RSA key pairs for your Cisco device.

  • RSA keys are generated in pairs: one public RSA key and one private RSA key.

Rationale

  • An RSA key pair is a prerequisite for setting up SSH and should be at least 2048 bits.

Audit

R1#sh crypto key ?
  mypubkey      Show public keys associated with this router
  pubkey-chain  Show peer public keys

R1#sh crypto key mypubkey rsa

R1#

Remediation

R1(config)#crypto key generate rsa general-keys modulus 2048
The name for the keys will be: R1.yaser-rahmati.ir

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

R1(config)#

2.1.1.1.4 Set 'seconds' for 'ip ssh timeout'

Profile Applicability

  • Level 1

Description

  • The time interval that the router waits for the SSH client to respond before disconnecting an uncompleted login attempt.

Rationale

  • This reduces the risk of an administrator leaving an authenticated session logged in for an extended period of time.

Audit

R1#show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
R1#

Remediation

R1(config)#ip ssh time-out ?
  <1-120>  SSH time-out interval (secs)

R1(config)#ip ssh time-out 60
R1(config)#

2.1.1.1.5 Set maximum value for 'ip ssh authentication-retries'

Profile Applicability

  • Level 1

Description

  • The number of retries before the SSH login session disconnects.

Rationale

  • This limits the number of times an unauthorized user can attempt a password without having to establish a new SSH login attempt.

  • This reduces the potential for success during online brute force attacks by limiting the number of login attempts per SSH connection.

Audit

R1#sh ip ssh
SSH Enabled - version 1.99
Authentication timeout: 60 secs; Authentication retries: 3
R1#

Remediation

R1(config)#ip ssh authentication-retries ?
  <0-5>  Number of authentication retries

R1(config)#ip ssh authentication-retries 3

2.1.1.2 Set version 2 for 'ip ssh version'

Profile Applicability

  • Level 1

Description

  • Specify the version of Secure Shell (SSH) to be run on a router.

Rationale

  • SSH Version 1 has been subject to a number of serious vulnerabilities and is no longer considered to be a secure protocol, resulting in the adoption of SSH Version 2 as an Internet Standard in 2006.

  • Cisco routers support both versions, but due to the weakness of SSH Version 1 only the later standard should be used.

Audit

R1#show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 60 secs; Authentication retries: 3
R1#

Remediation

R1(config)#ip ssh version ?
  <1-2>  Protocol version

R1(config)#ip ssh version 2
R1(config)#

2.1.2 Set 'no cdp run'

Profile Applicability

  • Level 1

Description

  • Disable Cisco Discovery Protocol (CDP) service at device level.

Rationale

  • The Cisco Discovery Protocol is a proprietary protocol that Cisco devices use to identify each other on a LAN segment.

  • It is useful only in network monitoring and troubleshooting situations but is considered a security risk because of the amount of information provided from queries.

  • In addition, there have been published denial-of-service (DoS) attacks that use CDP.

  • CDP should be completely disabled unless necessary.

Audit

R1#show cdp
Global CDP information:
        Sending CDP packets every 60 seconds
        Sending a holdtime value of 180 seconds
        Sending CDPv2 advertisements is  enabled
R1#

Remediation

R1(config)#no cdp run
