CIS Cisco IOS 12 Benchmark
GNS3 Topology
Configure basic settings for each router.
Devices: R1, R2, PC1, PC2, PC3
Overview
This document provides prescriptive guidance for establishing a secure configuration posture for Cisco routers running Cisco IOS version 12.
Intended Audience
This benchmark is intended for:
system and application administrators
security specialists
auditors
help desk
platform deployment personnel
Level 1
Items in this profile intend to:
be practical and prudent;
provide a clear security benefit;
and not inhibit the utility of the technology beyond acceptable means.
Level 2
This profile extends the "Level 1" profile.
Items in this profile exhibit one or more of the following characteristics:
are intended for environments or use cases where security is paramount;
act as a defense-in-depth measure;
may negatively inhibit the utility or performance of the technology.
Recommendations (3 majors and 11 minors)
Management Plane
  Access Rules
  Banner Rules
  Password Rules
  SNMP Rules
Control Plane
  Global Service Rules
  Logging Rules
  NTP Rules
  Loopback Rules
Data Plane
  Routing Rules
  Border Router Filtering
  Neighbor Authentication
1.2.1 Set 'privilege 1' for local users
Profile Applicability
Level 1
Description
Sets the privilege level for the user.
Rationale
Creating a local account with privilege level 1 permissions only allows the local user to access the device with EXEC-level permissions; the user will be unable to modify the device without using the enable password.
Audit
Remediation
1.2.2 Set 'transport input ssh' for 'line vty' connections
Profile Applicability
Level 1
Description
Selects the Secure Shell (SSH) protocol.
Rationale
Configuring VTY access control restricts remote access to only those authorized to manage the device and prevents unauthorized users from accessing the system.
Audit
Remediation
1.2.3 Set 'no exec' for 'line aux 0'
Profile Applicability
Level 1
Description
The 'no exec' command restricts a line to outgoing connections only.
Rationale
Unused ports should be disabled, if not required, since they provide a potential access path for attackers. Some devices include both an auxiliary and a console port that can be used to locally connect to and configure the device. The console port is normally the primary port used to configure the device. The auxiliary port is primarily used for dial-up administration via an external modem; instead, use other available methods.
Audit
Remediation
1.2.4 Create 'access-list' for use with 'line vty'
Profile Applicability
Level 1
Description
Access lists control the transmission of packets on an interface, control Virtual Terminal Line (VTY) access, and restrict the contents of routing updates.
Rationale
VTY ACLs control what addresses may attempt to log in to the router.
Audit
Remediation
1.2.5 Set 'access-class' for 'line vty'
Profile Applicability
Level 1
Description
The 'access-class' setting restricts incoming and outgoing connections between a particular vty (into a Cisco device) and the networking devices associated with addresses in an access list.
Rationale
Restricting the type of network devices, associated with the addresses on the access-list, further restricts remote access to those devices authorized to manage the device and reduces the risk of unauthorized access.
Audit
Remediation
1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0'
Profile Applicability
Level 1
Description
If no input is detected during the interval, the EXEC facility resumes the current connection.
If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
Rationale
This prevents unauthorized users from misusing abandoned sessions, for example when a network administrator leaves for the day with an enabled login session still open on an unattended computer.
Audit
Remediation
1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes for 'line console 0'
Profile Applicability
Level 1
Description
If no input is detected during the interval, the EXEC facility resumes the current connection.
If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
Rationale
This prevents unauthorized users from misusing abandoned sessions, for example when a network administrator leaves for the day with an enabled login session still open on an unattended computer.
Audit
Remediation
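Rules 1.2.1 through 1.2.7 are all checked by reading the local-user lines and the 'line con 0', 'line aux 0' and 'line vty' sections of the running-config. The script below is an added example (not CIS or Cisco code) that parses a config into sections and reports one finding per failed rule; the two configs it contains are constructed for illustration, and the function names (parse_sections, exec_timeout_ok, audit_lines) are this example's own. It treats a missing exec-timeout as a finding so that the value is set explicitly, which is a design choice of the example.

```python
"""Audit the local-user and 'line' settings of a Cisco IOS running-config
against CIS 1.2.1 - 1.2.7. Added example, not CIS or Cisco code; both
configs below are constructed for illustration."""
import re

# Constructed sample with several findings (not from a real device).
WEAK_LINES_CONFIG = """\
username admin privilege 15 secret 5 $1$abcd$PLACEHOLDERHASH
ip access-list standard VTY-MGMT
 permit 10.0.0.0 0.0.0.255
 deny any log
line con 0
 exec-timeout 5 0
line aux 0
 exec-timeout 15 0
line vty 0 4
 access-class VTY-MGMT in
 exec-timeout 10 0
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

# Same device after remediation: privilege 1 user, aux 0 without EXEC,
# timeouts of at most 10 minutes, every vty group SSH-only and bound to the ACL.
HARDENED_LINES_CONFIG = """\
username admin privilege 1 secret 5 $1$abcd$PLACEHOLDERHASH
ip access-list standard VTY-MGMT
 permit 10.0.0.0 0.0.0.255
 deny any log
line con 0
 exec-timeout 5 0
line aux 0
 no exec
 exec-timeout 5 0
line vty 0 4
 access-class VTY-MGMT in
 exec-timeout 10 0
 transport input ssh
line vty 5 15
 access-class VTY-MGMT in
 exec-timeout 10 0
 transport input ssh
"""

def parse_sections(config):
    """(header, [child commands]) pairs: a non-indented line opens a section."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections

def exec_timeout_ok(children, limit_minutes=10):
    """True only for an explicit exec-timeout of at most limit_minutes.
    'exec-timeout 0 0' and 'no exec-timeout' disable the timeout; a missing
    timeout is also reported so that the value gets set explicitly."""
    for cmd in children:
        if cmd == "no exec-timeout":
            return False
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", cmd)
        if m:
            minutes, seconds = int(m.group(1)), int(m.group(2) or 0)
            if minutes == 0 and seconds == 0:
                return False
            return minutes * 60 + seconds <= limit_minutes * 60
    return False

def audit_lines(config):
    """Return one finding string per failed check; [] means clean."""
    findings, acl_names = [], set()
    sections = parse_sections(config)
    # Pass 1: local users (1.2.1) and the access lists a vty may reference (1.2.4).
    for header, _ in sections:
        m = re.match(r"username (\S+) privilege (\d+)", header)
        if m and m.group(2) != "1":
            findings.append(f"1.2.1 user {m.group(1)} has privilege {m.group(2)}")
        m = re.match(r"(?:ip access-list (?:standard|extended)|access-list) (\S+)", header)
        if m:
            acl_names.add(m.group(1))
    # Pass 2: the line sections (1.2.2, 1.2.3, 1.2.5, 1.2.6, 1.2.7).
    for header, children in sections:
        if header.startswith("line vty"):
            if "transport input ssh" not in children:
                findings.append(f"1.2.2 {header}: transport input is not ssh-only")
            access = [c for c in children if c.startswith("access-class ")]
            if not access:
                findings.append(f"1.2.5 {header}: no access-class")
            elif access[0].split()[1] not in acl_names:
                findings.append(f"1.2.4 {header}: access-class names a missing access-list")
        elif header == "line aux 0":
            if "no exec" not in children:
                findings.append("1.2.3 line aux 0: exec not disabled")
            if not exec_timeout_ok(children):
                findings.append("1.2.6 line aux 0: exec-timeout missing or above 10 minutes")
        elif header == "line con 0":
            if not exec_timeout_ok(children):
                findings.append("1.2.7 line con 0: exec-timeout missing or above 10 minutes")
    return findings
```

Running audit_lines over the weak config returns five findings (the privilege 15 user, the aux line with EXEC enabled and a 15-minute timeout, and the second vty group that still accepts telnet and has no access-class); the hardened config returns none. Note that 'line vty 5 15' is easy to forget: every vty range must carry the access-class and the SSH-only transport, not just 'line vty 0 4'.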
1.4.1 Set 'password' for 'enable secret'
Profile Applicability
Level 1
Description
Use the enable secret command to provide an additional layer of security over the enable password.
Rationale
The enable password command causes the device to enforce use of a password to access privileged mode. Enable secrets use a one-way cryptographic hash (MD5).
Audit
Remediation
1.4.2 Enable 'service password-encryption'
Profile Applicability
Level 1
Description
When password encryption is enabled, the encrypted form of the passwords is displayed when a 'more system:running-config' command is entered.
Rationale
This requires passwords to be encrypted in the configuration file to prevent unauthorized users from learning the passwords just by reading the configuration.
Audit
Remediation
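Rules 1.4.1 and 1.4.2 can be audited together from the running-config: an 'enable secret' line must exist, any remaining 'enable password' should be gone, 'service password-encryption' must be present, and no password may still be stored as type 0 (plaintext). The script below is an added example (not CIS or Cisco code) with two constructed configs; audit_passwords and PASSWORD_RE are this example's own names. Keep in mind that type 7 (the form 'service password-encryption' produces) is a reversible obfuscation, not a hash, so it only protects against casual reading of the config; the one-way MD5 'enable secret' is the control that actually protects privileged mode.

```python
"""Audit enable-secret and password-encryption settings (CIS 1.4.1, 1.4.2).
Added example, not CIS or Cisco code; both configs are constructed."""
import re

# Constructed: plaintext enable password, plaintext user and line passwords.
WEAK_PASSWORD_CONFIG = """\
enable password cisco123
username admin password 0 letmein
line vty 0 4
 password cisco
 login
"""

# Constructed: 'enable secret' (type 5, MD5 on IOS 12) plus service
# password-encryption, so any remaining passwords are stored as type 7.
HARDENED_PASSWORD_CONFIG = """\
service password-encryption
enable secret 5 $1$mERr$PLACEHOLDERHASH
username admin secret 5 $1$abcd$PLACEHOLDERHASH
line vty 0 4
 password 7 0000PLACEHOLDER
 login
"""

# Matches 'password', 'enable password' and 'username X [privilege N] password',
# capturing the optional type digit (0 = plaintext, 7 = reversible, 5 = MD5).
PASSWORD_RE = re.compile(
    r"^(?:enable |username \S+ (?:privilege \d+ )?)?password (?:(\d+) )?\S+$")

def audit_passwords(config):
    """Return finding strings for CIS 1.4.1 / 1.4.2; [] means clean."""
    findings = []
    lines = [l.strip() for l in config.splitlines()
             if l.strip() and not l.startswith("!")]
    if not any(l.startswith("enable secret ") for l in lines):
        findings.append("1.4.1 no 'enable secret' configured")
    if any(l.startswith("enable password ") for l in lines):
        findings.append("1.4.1 'enable password' present; remove it once 'enable secret' is set")
    if "service password-encryption" not in lines:
        findings.append("1.4.2 'service password-encryption' not enabled")
    for l in lines:
        m = PASSWORD_RE.match(l)
        if m and m.group(1) in (None, "0"):
            # Report the command without its last token so the secret is not echoed.
            findings.append(f"1.4.2 plaintext password in '{l.rsplit(' ', 1)[0]} ...'")
    return findings
```

For the weak config this reports the missing enable secret, the leftover enable password, the missing 'service password-encryption' and three plaintext passwords; the hardened config reports nothing. The findings deliberately omit the password value itself, since an audit log that echoes secrets recreates the problem it is checking for.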
2.1.1.1.1 Set the 'hostname'
Profile Applicability
Level 1
Description
The hostname is used in prompts and default configuration filenames.
Rationale
The domain name is a prerequisite for setting up SSH.
Audit
Remediation
2.1.1.1.2 Set the 'ip domain name'
Profile Applicability
Level 1
Description
Define a default domain name that the Cisco IOS software uses to complete unqualified hostnames.
Rationale
The domain name is a prerequisite for setting up SSH.
Audit
Remediation
2.1.1.1.3 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa'
Profile Applicability
Level 1
Description
Use this command to generate RSA key pairs for your Cisco device. RSA keys are generated in pairs: one public RSA key and one private RSA key.
Rationale
An RSA key pair is a prerequisite for setting up SSH and should be at least 2048 bits.
Audit
Remediation
2.1.1.1.4 Set 'seconds' for 'ip ssh timeout'
Profile Applicability
Level 1
Description
The time interval that the router waits for the SSH client to respond before disconnecting an uncompleted login attempt.
Rationale
This reduces the risk of an administrator leaving an authenticated session logged in for an extended period of time.
Audit
Remediation
2.1.1.1.5 Set maximum value for 'ip ssh authentication-retries'
Profile Applicability
Level 1
Description
The number of retries before the SSH login session disconnects.
Rationale
This limits the number of times an unauthorized user can attempt a password without having to establish a new SSH login attempt. This reduces the potential for success during online brute force attacks by limiting the number of login attempts per SSH connection.
Audit
Remediation
2.1.1.2 Set version 2 for 'ip ssh version'
Profile Applicability
Level 1
Description
Specify the version of Secure Shell (SSH) to be run on a router.
Rationale
SSH Version 1 has been subject to a number of serious vulnerabilities and is no longer considered to be a secure protocol, resulting in the adoption of SSH Version 2 as an Internet Standard in 2006.
Cisco routers support both versions, but due to the weakness of SSH Version 1 only the later standard should be used.
Audit
Remediation
2.1.2 Set 'no cdp run'
Profile Applicability
Level 1
Description
Disable Cisco Discovery Protocol (CDP) service at device level.
Rationale
The Cisco Discovery Protocol is a proprietary protocol that Cisco devices use to identify each other on a LAN segment. It is useful only in network monitoring and troubleshooting situations but is considered a security risk because of the amount of information provided from queries. In addition, there have been published denial-of-service (DoS) attacks that use CDP. CDP should be completely disabled unless necessary.
Audit
Remediation
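The SSH rules 2.1.1.1.1 through 2.1.1.2 form one procedure (hostname, domain name, RSA key of at least 2048 bits, time-out, retry limit, version 2), and 2.1.2 is a single global check, so one audit covers all of them. The script below is an added example (not CIS or Cisco code) over two constructed configs; audit_ssh and global_lines are this example's own names. Two assumptions are built in: the RSA modulus size is not part of running-config, so the caller passes it in after reading it from the device's key display, and the retry ceiling of 3 is the value this example chooses for 2.1.1.1.5. IOS spells the time-out keyword 'ip ssh time-out', which is what the check looks for, and both 'ip domain name' and the older 'ip domain-name' spelling are accepted.

```python
"""Audit the SSH prerequisites and CDP state of a Cisco IOS running-config
(CIS 2.1.1.1.1 - 2.1.1.2 and 2.1.2). Added example, not CIS or Cisco code;
both configs are constructed."""
import re

# Constructed: factory hostname, no domain name, SSHv1, CDP left enabled.
WEAK_SSH_CONFIG = """\
hostname Router
ip ssh version 1
line vty 0 4
 transport input ssh
"""

# Constructed: every global setting the checks below look for.
HARDENED_SSH_CONFIG = """\
hostname R1
ip domain name lab.example
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh version 2
no cdp run
line vty 0 4
 transport input ssh
"""

def global_lines(config):
    """Top-level commands only; indented lines belong to sub-modes."""
    return [l.rstrip() for l in config.splitlines()
            if l.strip() and not l.startswith((" ", "!"))]

def audit_ssh(config, rsa_modulus_bits, max_retries=3):
    """Return finding strings; [] means clean.

    rsa_modulus_bits is supplied by the caller because the key size is not
    stored in running-config (assumption: read it from the device's key display).
    max_retries=3 is this example's chosen ceiling for 2.1.1.1.5."""
    g = global_lines(config)

    def find(pattern):
        for line in g:
            m = re.match(pattern, line)
            if m:
                return m
        return None

    findings = []
    m = find(r"hostname (\S+)$")
    if not m or m.group(1) == "Router":  # 'Router' is the IOS factory default
        findings.append("2.1.1.1.1 hostname not set")
    if not find(r"ip domain[- ]name \S+$"):
        findings.append("2.1.1.1.2 ip domain name not set")
    if rsa_modulus_bits < 2048:
        findings.append(f"2.1.1.1.3 RSA modulus {rsa_modulus_bits} bits is below 2048")
    if not find(r"ip ssh time-out \d+$"):
        findings.append("2.1.1.1.4 ip ssh time-out not set")
    m = find(r"ip ssh authentication-retries (\d+)$")
    if not m or int(m.group(1)) > max_retries:
        findings.append(f"2.1.1.1.5 ip ssh authentication-retries missing or above {max_retries}")
    if not find(r"ip ssh version 2$"):
        findings.append("2.1.1.2 ip ssh version 2 not set")
    if "no cdp run" not in g:
        findings.append("2.1.2 CDP not disabled ('no cdp run' absent)")
    return findings
```

The weak config fails all seven checks; the hardened config with a 2048-bit key passes, and the same config with a 1024-bit key fails only the modulus check, which is why the key size has to come from the device rather than from the config text. Order matters operationally as well: the hostname and domain name must be in place before 'crypto key generate rsa' is run, because the key is named after them.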