
Cisco Checklist

Prepared by Krishni Naidu


References:
Securing your Internet Access Router, Richard Langley, January 2001
Remote Access Security: A layered approach, Lane Melton, November 2000
Protecting Network infrastructure at the protocol level, Curt Wilson, December 2000
Implementing and subverting Cisco's port security, David J. Kyger, July 2000
Securing your Cisco router when using SNMP, Charles Carter, December 2000
Restricting commands on a Cisco router with Privilege Levels, Peplin C. Barrameda, January 2001
Layered Security: An ISP case study with Cisco and Solaris, Rockie Brockway, October 2000
Network Insecurity with Switches, Aaron Turner, August 2000
Port Scanning is not always what it seems, Darin W. Powell, March 2001
Top ten blocking recommendations using ACL's: Securing the perimeter with Cisco IOS 12 Routers, Scott Winters, August 2000
Introduction
This checklist is to be used to audit an environment that includes Cisco routers. The checklist provides the technical security considerations during an audit and excludes manual considerations like physical security considerations.
The checklist excludes the security considerations for Cisco switches.
Prior to using this checklist, consideration should be given to the following:
Location of the router: It is important to ascertain the location of the router in the network, as this has an impact on certain security elements, e.g. disabling the SSL service is not appropriate when the router is routing traffic to an external web server.
Practicality of security recommendations: The checklist lists numerous security considerations, which may not be practical as they could hinder the performance of the network. It is important to ascertain the risk allocated to not having certain security elements and whether management has decided to accept the risk of not having these elements.
Mitigating controls: The audit of Cisco routers cannot be performed in a vacuum. The auditor needs to consider the impact of security in other elements, e.g. firewalls, host operating system, etc. A weakness in security at the router level may be mitigated by a strong control at the firewall level, e.g. filtering out ports which are not 80, 21, etc.
Interoperability: In circumstances where the router uses the functionality of other elements in the environment, e.g. a syslog server to log events from Cisco routers or an SNMP management station, the auditor must review the security over the other elements. This checklist does not provide the security considerations for these other elements.
Applicability of security considerations: This checklist attempts to provide a complete listing of all security elements to consider during an audit of a Cisco router; however, in some environments certain elements may not be applicable, e.g. in a Windows environment it is not necessary to be concerned about filtering out rlogin or ssh services.
Network servers: This checklist does not include security considerations for the operating system running TACACS or RADIUS.
Nice to haves - The checklist attempts to provide security considerations which may be nice to have but may not be applicable to the environment and the circumstance in which the router is used.
Checklist
No. Control Item
1.
- Ensure that all maintenance on the router is done while logged on locally.
- Ensure that inbound Telnet is disabled as well as the Telnet listener.
- If Telnet is used to maintain the router, ensure that access is granted only to specific workstations on the internal network side of the router.
- Ensure that all maintenance services that would allow access from outside the network are disabled or restricted.
- Ensure that passwords are used where possible.
- Ensure that the "service password-encryption" command is used on all type 7 passwords.
- Ensure that MD5 encryption is used on the "Privileged EXEC Mode" password (enable secret command).
- Ensure that the service password-encryption command is enabled such that when passwords are displayed with the more system:running-config command, they appear in encrypted form.
- Ensure that an EXEC password is added to the AUX and Console ports.
- Ensure that the RIP and OSPF protocols on the internet interface, both inbound and outbound, are stopped.
- Ensure that CDP is disabled on all interfaces.
- Ensure that a login banner is enabled with the appropriate legal notice (banner login command). Ensure that the banner contains no information about the router, its name, model, the software it's running, or who owns it.
- Ensure that SNMP is disabled if possible.
2.
- Ensure that any modem or network device that gives access to the console port is secured. For a modem, the user should provide a password for dial-up access.
- Ensure that the transport input none command is applied to any asynchronous or modem line that shouldn't be receiving connections from network users.
- Ensure that the same modem is not used for both dial-in and dial-out and that reverse telnet connections are not allowed on dial-in lines.
- For VTY lines, ensure that they are configured to only accept connections with the protocols actually needed. If encryption is supported, ensure that only the SSH protocol is used.
- Ensure that the ip access-class command is used to restrict the IPs from which the VTY will accept connections.
- Ensure that one VTY's ip access-class is restricted to only one administrative workstation to prevent DoS attacks.
- Ensure that the VTY timeouts are configured using the exec-timeout command.
- Ensure that TCP keepalives on incoming connections are enabled (service tcp-keepalives-in command) to guard against malicious attacks and orphaned sessions.
- Ensure that all non-IP based remote access protocols are disabled and that IPSec is used for remote connections to the router.
- For routers that support CEF (Cisco Express Forwarding), ensure that the RPF (Reverse Path Forwarding) check is enabled (ip verify unicast rpf). This prevents spoofing by checking the source address of a packet against the interface through which the packet entered the router.
3. TACACS (Terminal Access Controller Access Control System)
- Ensure that non-privilege access passwords are stored on the TACACS server.
- Ensure that only authorised IPs of TACACS daemons are specified in the tacacs-server host command.
- If the enable use-tacacs command is used, ensure that it is used with extended TACACS. Without extended TACACS the enable use-tacacs command allows anyone with a valid username and password to access the privileged EXEC mode.
- Ensure that the login tacacs command is enabled to enable password checking at login.
- Ensure that the tacacs-server notify command is configured to send a message when a user:
  - makes a TCP connection
  - enters the enable command
  - logs out
- Ensure that the tacacs-server attempts command is configured to accept three attempted logins on a line set up for TACACS.
- Ensure that extended TACACS is enabled (tacacs-server extended command).
4. Ensure that the following services are blocked:

Service | Port Type | Port Number
DNS Zone Transfers (except from external secondary DNS servers) | TCP | 53
TFTP Daemon | UDP | 69
Link | TCP | 87
SUN RPC | TCP & UDP | 111
BSD UNIX | TCP | 512 - 514
LPD | TCP | 515
UUCPD | TCP | 540
Open Windows | TCP & UDP | 2000
NFS | TCP & UDP | 2049
X Windows | TCP & UDP | 6000 - 6255
Small services | TCP & UDP | 20 and below
FTP | TCP | 21
SSH | TCP | 22
Telnet | TCP | 23
SMTP (except external mail relays) | TCP | 25
NTP | TCP & UDP | 37
Finger | TCP | 79
HTTP (except to external web servers) | TCP | 80
POP | TCP | 109 & 110
NNTP | TCP | 119
NTP | TCP | 123
NetBIOS in Windows NT | TCP & UDP | 135
NetBIOS in Windows NT | UDP | 137 & 138
NetBIOS | TCP | 139
IMAP | TCP | 143
SNMP | TCP | 161 & 162
SNMP | UDP | 161 & 162
BGP | TCP | 179
LDAP | TCP & UDP | 389
SSL (except to external web servers) | TCP | 443
NetBIOS in Win2k | TCP & UDP | 445
Syslog | UDP | 514
SOCKS | TCP | 1080
Cisco AUX port | TCP | 2001
Cisco AUX port (stream) | TCP | 4001
Lockd (Linux DoS Vulnerability) | TCP & UDP | 4045
Cisco AUX port (binary) | TCP | 6001
Common high order HTTP ports | TCP | 8000, 8080, 8888
5. Ensure that the following types of ICMP traffic on the internet interface are blocked:
- incoming echo request (ping and Windows traceroute)
- outgoing echo replies
- time exceeded
- unreachable messages
- ICMP redirects
Ensure that inbound packets on the internal interface having a source address of the internal network or 127.0.0.x or reserved address spaces are dropped and logged.
Ensure that outbound packets on the internal interface have a source address of only the internal network; packets with 127.0.0.x or a reserved address as source are dropped and logged.
Ensure that IP source routing is disabled.
Ensure that requests for IP directed broadcast at all interfaces of all routers are dropped and logged (no ip directed-broadcast command).
Ensure that NTP is configured to allow updates from internal time servers only.
Ensure that NTP is disabled on the internet interface, inbound and outbound.
6. Determine how often port scanners are used to ascertain unneeded open ports.
Ascertain if there is a process to use packet sniffers to determine what packets make it through the ACLs.
7. Ascertain if tools to detect anomalous behaviour are used (such as Jinao, fdget.c and Agilent Advisor).
8. Ascertain if weaknesses are regularly determined using tools like the ISS network scanner. Determine what action is taken to fix the vulnerabilities.
9. SNMP
- Ensure that SNMP version 2 is in use for the stronger MD5 digest authentication scheme.
- Ensure that string names such as public and private are not used.
- Ensure that there is a process to periodically change passwords for the community strings.
- Ascertain if the SNMP brute force attack tool from Solarwinds or a similar tool is used regularly to test the strength of the strings.
- Ensure that only authorised management hosts are allowed to access SNMP-enabled routers (access list).
- Ensure that SNMP traps are enabled and that the router is configured to send a trap if authentication of the community string fails, as well as which host computer should be sent the trap.
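Items 4 and 5 are both verified by reading the ingress ACL, and reading a long ACL by eye misses ordering mistakes: IOS applies the first matching entry and silently denies whatever reaches the end. The following Python is an added example, not from the original checklist: it implements that first-match evaluation for a subset of extended ACL syntax (any / host / wildcard sources and destinations, eq and range ports, named ICMP types) and replays a list of probes through a constructed ACL. The probe ports are a subset of the item 4 table, the ICMP types and spoofed source ranges come from item 5, and the ACL, addresses and the DST web server are made up. The evaluator is general: it can be pointed at any ACL and probe list, not only the ones shown.

```python
"""Replay block-list probes through an IOS extended ACL (checklist items 4 and 5).

Added example, not part of the original checklist. The ACL text, the probe
addresses and the destination host are constructed for the demonstration.
"""
import ipaddress

SAMPLE_ACL = """\
ip access-list extended INTERNET-IN
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 deny icmp any any echo
 deny icmp any any redirect
 deny tcp any any eq 23 log
 deny tcp any any eq 53
 deny udp any any eq 69
 deny tcp any any range 512 514
 deny tcp any any range 6000 6255
 deny udp any any eq 161
 permit tcp any host 203.0.113.10 eq 80
 permit ip any any
"""

DST = "203.0.113.10"   # constructed: the screened web server behind the router
EXT = "198.51.100.7"   # constructed: an arbitrary external source
# (protocol, source, destination, destination port or ICMP type)
PROBES = [
    ("tcp", EXT, DST, 23), ("tcp", EXT, DST, 53), ("udp", EXT, DST, 69),
    ("tcp", EXT, DST, 513), ("tcp", EXT, DST, 6100), ("udp", EXT, DST, 161),
    ("udp", EXT, DST, 162), ("tcp", EXT, DST, 2049),
    ("icmp", EXT, DST, "echo"), ("icmp", EXT, DST, "redirect"),
    ("icmp", EXT, DST, "time-exceeded"),
    ("tcp", "192.168.10.5", DST, 80),   # internal address arriving from outside
    ("tcp", "127.0.0.1", DST, 80),      # loopback source
]


def _take_addr(tokens, i):
    """Consume an IOS address spec at tokens[i]: 'any', 'host A', or 'A wildcard'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = str(ipaddress.ip_address((~wildcard) & 0xFFFFFFFF))
    return ipaddress.ip_network((tokens[i], netmask), strict=False), i + 2


def parse_ace(line):
    """Parse one permit/deny entry into a dict; ports is an inclusive (low, high) or None."""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = _take_addr(t, 2)
    dst, i = _take_addr(t, i)
    ports, icmp_type = None, None
    if i < len(t) and t[i] == "eq":
        ports = (int(t[i + 1]), int(t[i + 1]))
    elif i < len(t) and t[i] == "range":
        ports = (int(t[i + 1]), int(t[i + 2]))
    elif i < len(t) and proto == "icmp" and t[i] != "log":
        icmp_type = t[i]
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "ports": ports, "icmp": icmp_type}


def matches(ace, proto, src_ip, dst_ip, port_or_type):
    if ace["proto"] not in ("ip", proto):
        return False
    if ipaddress.ip_address(src_ip) not in ace["src"]:
        return False
    if ipaddress.ip_address(dst_ip) not in ace["dst"]:
        return False
    if ace["ports"] is not None:
        if not isinstance(port_or_type, int) or not ace["ports"][0] <= port_or_type <= ace["ports"][1]:
            return False
    if ace["icmp"] is not None and ace["icmp"] != port_or_type:
        return False
    return True


def evaluate(acl_text, proto, src_ip, dst_ip, port_or_type):
    """Return 'permit' or 'deny' for one packet using first-match semantics."""
    for line in acl_text.splitlines():
        line = line.strip()
        if not line.startswith(("permit", "deny")):
            continue                      # skip the 'ip access-list' header and remarks
        if matches(parse_ace(line), proto, src_ip, dst_ip, port_or_type):
            return parse_ace(line)["action"]
    return "deny"                         # implicit deny at the end of every IOS ACL


def unblocked(acl_text, probes):
    """Probes that the ACL still permits, as (protocol, source, port-or-type)."""
    return [(p, s, x) for p, s, d, x in probes if evaluate(acl_text, p, s, d, x) == "permit"]


if __name__ == "__main__":
    for probe in unblocked(SAMPLE_ACL, PROBES):
        print("PERMITTED:", probe)
```

Against the constructed ACL the replay shows SNMP trap port 162, NFS 2049 and ICMP time-exceeded still reaching the final permit ip any any, which is exactly the kind of gap the item 6 sniffer check is meant to catch after the fact.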
10. Ensure that commands on the router are restricted to the correct privilege level.
11. Ensure that tcp intercept is enabled (ip tcp intercept list command).
12. Ensure that a Network IDS is in use, such as Cisco Secure IDS or RealSecure.
13. Determine the amount of processing power of the router and ensure that this is appropriate.
14. Ensure that logging is enabled on the router. Since there may not be sufficient space to log on the router, ideally the log information should be logged at a syslog server. If this is not possible for the network, ensure that an IDS or sniffer is used to log traffic.
Ensure that log entries are timestamped using service timestamps log datetime msec.
Ensure that access list logging is enabled.
15. Ensure that return SSH traffic is allowed.
16. If FTP is necessary, ensure that passive FTP outgoing traffic is allowed.
17. CBAC (Context-based access control)
Use the show ip inspect interfaces command to display the inspection rules and access lists. Review the rules and access lists to ensure that:
- Java inspection
- Application protocols - Unix R commands, ftp, tftp
- TCP/UDP inspection
- Ensure that the inspection rules have been applied to the appropriate interfaces.
- Ensure that the access lists permit traffic only from friendly sites and deny traffic from hostile sites.
- Ensure that the audit trail is enabled (ip inspect audit-trail).
18. Ensure that there is a process to test any filters using tools like nmap prior to rolling out to the whole environment.
19. If DNS is necessary, ensure that DNS traffic is only allowed to the DNS server. Ensure that only DNS responses are leaving the screened subnet.
20. If HTTP is necessary, ensure that HTTP traffic is allowed only to the web server.
21. HTTP for management
Ensure that access is restricted using the ip http access-class command to only authorised addresses.
Ensure that a TACACS+ or RADIUS server is used for authentication of interactive logins.
22. Management and interactive access via untrusted networks
Ensure that encrypted protocols like SSH or Kerberized Telnet are used for login. Alternatively, ensure that IPSec is used for all router management traffic. Or ensure that a one-time password system like S/Key or OPIE with TACACS+ or RADIUS servers is used to control interactive and privileged access to the router.
Ensure that an alternative management channel such as a modem is available in the event of a DoS attack.
23. Updates
Ascertain if there is a process to test and roll out new updates to Cisco software as well as a process to keep up to date with new vulnerabilities and notices and to take corrective action if necessary.
24. AAA
Ensure that an authentication banner has been configured for AAA (command - aaa authentication banner).
Ensure that the network access server is configured to request authorization information before allowing a user to establish a reverse Telnet session (command - aaa authorization reverse-access {radius | tacacs+}).
Ensure that accounting has been enabled to log network, EXEC, commands, connection and system. Ascertain how often the show accounting command is used to review the accounting information.
25. Transit Flooding
At a minimum ensure that the following quality of service features are used:
- weighted fair queueing (WFQ)
- committed access rate (CAR)
- generalised traffic shaping (GTS)
26. Router flooding
Ensure that CEF is enabled.
Ensure that the scheduler interval is set to 500 or, alternatively, on newer platforms the scheduler allocate should be set to 30000 2000. This prevents the router from spending too much time handling interrupts from network interfaces and not getting any work done.
27. Neighbour authentication
Ensure that MD5 authentication is used to authenticate the neighbour router prior to receiving routing table updates.
Ensure that there is appropriate security for the keys, e.g. during transit and storage.
28. Internet Key Exchange
Review the policy with the following command:
show crypto isakmp policy
For higher risk communications ensure that the stronger settings are applied as follows:
- Hash algorithm - SHA-1
- Authentication method - RSA signatures
- Diffie-Hellman group identifier - 1024 bit
- Security associations lifetime - 1 day - 86400 seconds (the shorter the lifetime the more secure are the communications)
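A router can carry several ISAKMP policies, and IOS tries them in order of priority number, so one weak low-numbered policy undermines a strong one beside it. The following Python is an added example, not from the original checklist: it parses show crypto isakmp policy output laid out in the shape IOS prints (one protection suite block per policy, field: value lines) and grades every policy against the item 28 settings. The output text is constructed; treating the default protection suite as priority 65535 so that it sorts last is an assumption made for the example.

```python
"""Grade 'show crypto isakmp policy' output against checklist item 28.

Added example, not part of the original checklist. SAMPLE_OUTPUT is a
constructed transcript; the default suite is keyed as priority 65535 here
(an assumption) so it sorts after the configured policies.
"""
import re

SAMPLE_OUTPUT = """\
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 20
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               172800 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""

DEFAULT_SUITE = 65535   # assumed key for the 'Default protection suite' block


def parse_policies(text):
    """Return {priority: {field: value}} for each protection suite in the output."""
    policies, current = {}, None
    for line in text.splitlines():
        if line.startswith("Default protection suite"):
            current = DEFAULT_SUITE
            policies[current] = {}
            continue
        m = re.match(r"Protection suite of priority (\d+)", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        if current is None:
            continue            # header lines before the first suite
        m = re.match(r"\s*([A-Za-z\- ]+):\s+(.*)$", line)
        if m:
            policies[current][m.group(1).strip().lower()] = m.group(2).strip()
    return policies


def grade(policy):
    """List the item 28 settings this policy falls short of."""
    findings = []
    if "secure hash" not in policy.get("hash algorithm", "").lower():
        findings.append("hash is not SHA-1")
    if "signature" not in policy.get("authentication method", "").lower():
        findings.append("authentication is not RSA signatures")
    m = re.search(r"\((\d+) bit\)", policy.get("diffie-hellman group", ""))
    if not m or int(m.group(1)) < 1024:
        findings.append("Diffie-Hellman group smaller than 1024 bit")
    m = re.match(r"(\d+) seconds", policy.get("lifetime", ""))
    if not m or int(m.group(1)) > 86400:
        findings.append("SA lifetime longer than 86400 seconds (1 day)")
    return findings


def audit_ike(text):
    """{priority: findings}, ordered as IOS evaluates policies (lowest number first)."""
    return {prio: grade(pol) for prio, pol in sorted(parse_policies(text).items())}


if __name__ == "__main__":
    for prio, findings in audit_ike(SAMPLE_OUTPUT).items():
        print(prio, findings or "ok")
```

Because the dictionary is ordered by priority number, the first entry is the policy a peer that offers everything will end up negotiating; in the sample that is the MD5 / pre-shared-key / 768-bit policy 10, not the stronger policy 20.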
29. Ensure that the no ip proxy-arp command is configured to prevent internal addresses from being revealed.
30. Encryption
Use the following command - show crypto cisco algorithms - to determine the type of DES algorithm that is in use. Ensure that the insecure 40 bit variations are not used.
Ensure a backup of the encryption configuration is made.
31. Certificate Authority
Ensure that the CRL optional is set to no. Certificates will not be accepted if the CA is unavailable.
Ensure that the copy system:running-config nvram:startup-config command is performed to save the configuration.
Determine how often the crypto ca crl request command is run to download the latest certificate revocation list.
