"Best Practice" Standard for Cisco IOS
This document describes minimum recommended configuration
settings for Cisco IOS (Internetwork Operating System) to reduce risk of
inadvertent or unauthorized access and configuration modification.
Get the latest copy from the
Best Practice Standards homepage.
Table of Contents
TBD
- This standard applies to all Cisco network devices with IOS
within the Organization.
- This standard applies to all employees, contractors, consultants,
temporaries, and other workers at the Organization.
- This standard applies to all Organization locations, divisions,
subsidiaries and affiliates.
The following processes and procedures are outside of the current document scope:
- Change Management process
- Account Management process
- Patch Management process
- Release Management process
- Physical Security
Any exceptions to this standard must be approved by the IT Manager and documented.
Control Objectives
- Controls provide reasonable assurance that logical access to the system (Cisco IOS devices) is only granted to properly authorized individuals.
- Controls provide reasonable assurance that logical access controls prevent inadvertent or unauthorized use of the system (Cisco IOS devices).
- Controls provide reasonable assurance that logical access to systems (Cisco IOS devices) is monitored and that anomalous activity will be detected and reported.
Software Version and Patches
Background/Description:
The latest Cisco IOS (Internetwork Operating System) release contains necessary feature improvements
and security fixes. However, keeping production network components
up to date with the latest non-major release without proper testing
may affect network availability. Thus, an upgrade requires additional testing and the owner's approval.
Expected result:
Latest IOS version is 12.4
(version checked on November 2006).
Related Risk:
Low
Impact:
An outdated IOS may contain well-known vulnerabilities or security exposures that
could be used for unauthorized access and network settings modification.
Recommendations:
Review Cisco's security advisories for the installed IOS release and consider upgrading the IOS.
Account Management
Background/Description:
By default, passwords in a Cisco configuration file are printed as clear text. IOS
software supports password encryption to prevent casual observers from reading passwords.
However, this encryption is weak (it defeats casual observation, not a determined attacker), so treat your configuration as a
confidential document even with encrypted passwords.
Expected result:
Password encryption is enabled.
Related Risk:
Medium
Impact:
Passwords are printed in the configuration as clear text.
An unauthorized person may read these passwords.
Recommendations:
Enable password encryption with the command:
#service password-encryption
Background/Description:
The enable secret command sets the password that grants privileged
administrative access to the IOS system and uses a stronger (one-way hashed) algorithm than the older enable password command.
Expected result:
Secret password is enabled.
Related Risk:
Medium
Impact:
If no enable secret is set and a password is configured for the console TTY line,
the console password may be used to gain privileged access, even from a remote VTY session.
Recommendations:
Enable secret password with the command:
#enable secret
Background/Description:
Centralized control and management of remote access to Cisco
network devices can be done using the Terminal Access Controller Access Control
System (TACACS+) security protocol or RADIUS authentication. A TACACS+ or RADIUS server
is a security application that provides centralized validation of users attempting
to gain access to network devices.
For better availability it is recommended to configure both primary and secondary
TACACS+/RADIUS servers.
Expected result:
TACACS+ or RADIUS servers are configured.
Related Risk:
Housekeeping
Impact:
Centralized access management will not work without a properly configured TACACS+ or RADIUS server.
Recommendations:
Implement centralized access and security management by configuring primary and secondary TACACS+ or RADIUS servers.
Check the exact commands on the vendor's web site.
Access Management
No tests for this category.
Access Management - Files and Resource Access
No tests for this category.
Access Management - Network Access
Background/Description:
Some jurisdictions require explicit notification of logging and monitoring even for unauthorized access. Legal notification requirements are complex and vary by jurisdiction and situation. Thus, it is better to display the warning, which strengthens investigation and prosecution abilities.
Expected result:
Logon banner is specified.
Related Risk:
Low
Impact:
In some jurisdictions, civil and/or criminal prosecution of attackers will be affected by the lack of a banner informing unauthorized users about restrictions, logging and monitoring.
Recommendations:
Specify a logon banner with the command:
banner login.
Background/Description:
Remote virtual terminals (virtual TTYs or "VTYs") on the Cisco network device are used for remote management and should be restricted to authorized persons only. Password checking at login is one such restriction and should be enabled. By default, virtual terminals require a password. If you do not set a password for a virtual terminal, it responds to attempted connections by displaying an error message and closing the connection.
Expected result:
VTY password is specified.
Related Risk:
Low
Impact:
By default, virtual terminals require a password. If you do not set a password for a virtual terminal, remote management will be unavailable.
Recommendations:
Specify a password or other authentication such as AAA/TACACS+.
Background/Description:
An access control list (ACL) restricts access to virtual terminals (VTYs) to specific source IP addresses only and is a good defence against remote password-guessing attacks.
Expected result:
VTY is protected with an ACL.
Related Risk:
Low
Impact:
Any device on the network could establish a remote management connection to the Cisco device and launch a password-guessing attack.
Recommendations:
Protect access to VTY with an ACL using the command:
access-class {name | number} in.
Background/Description:
It is good practice to specify a session timeout for virtual terminals (VTYs) to prevent unauthorized access from an unlocked workstation with an established session.
Expected result:
VTY timeout is specified.
Related Risk:
Housekeeping
Impact:
An unauthorized person could obtain access to the Cisco device from an unlocked workstation with an established session.
Recommendations:
Specify VTY timeout using the command:
exec-timeout minutes [seconds].
Background/Description:
The Secure Shell (SSH) protocol provides point-to-point encryption and is a much better remote management protocol than Telnet (supported in IOS 12.3(4)T and up). Restricting remote management to SSH only removes the risk of management traffic interception.
Expected result:
Only SSH is allowed for remote management.
Related Risk:
Low
Impact:
Other management protocols such as Telnet are clear text protocols.
Management network traffic could be intercepted with a network sniffer.
Recommendations:
Allow only SSH protocol using the command:
transport input ssh (supported in IOS 12.3(4)T and up).
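The VTY checks in this section (login banner, password or AAA authentication, inbound access-class, exec-timeout, transport input ssh) can be verified from a saved running-config. The following is an added example, not part of the original standard: it parses "line vty" stanzas from a constructed config sample and reports which checks each VTY range fails (the sample text and the finding wording are assumptions).

```python
import re

# Constructed sample running-config fragment (not from a real device): the first
# VTY range is hardened as this standard expects, the second is not.
SAMPLE_CONFIG = """\
banner login ^C
Unauthorized access is prohibited. Activity is logged and monitored.
^C
line vty 0 4
 access-class 10 in
 exec-timeout 10 0
 password 7 094F471A1A0A
 login
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 login
 transport input telnet ssh
end
"""

def vty_stanzas(config):
    """Return [(name, [child commands])] per 'line vty' block; a block ends at the
    next unindented command."""
    stanzas, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = []
            stanzas.append((raw.strip(), current))
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None          # any other top-level line closes the stanza
    return stanzas

def audit_vty(config):
    """Return findings (empty list = pass) for the banner and every VTY range."""
    findings = []
    if "banner login" not in config:
        findings.append("global: no login banner")
    for name, cmds in vty_stanzas(config):
        if not any(c.startswith(("password ", "login authentication", "login local")) for c in cmds):
            findings.append(f"{name}: no password or AAA authentication")
        if not any(re.match(r"access-class \S+ in$", c) for c in cmds):
            findings.append(f"{name}: no inbound access-class ACL")
        timeout = [c.split() for c in cmds if c.startswith("exec-timeout")]
        if not timeout or timeout[0][1:] == ["0", "0"]:   # 'exec-timeout 0 0' disables it
            findings.append(f"{name}: exec-timeout missing or disabled")
        transport = [c.split() for c in cmds if c.startswith("transport input")]
        if not transport or transport[0][2:] != ["ssh"]:
            findings.append(f"{name}: transport input not restricted to ssh")
    return findings
```

Note that an absent exec-timeout is reported too, since the standard expects the timeout to be stated explicitly rather than left at the platform default.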
Access Management - Network Services
Background/Description:
The HTTP service is used for remote management, similar to interactive access.
It supports basic HTTP authentication. However, with this type of authentication the password is sent
as clear text over the network.
Expected result:
The HTTP service is disabled or an access control list is applied.
Related Risk:
Low
Impact:
The HTTP service uses basic authentication. The password is sent as clear text over
the network and could be intercepted by an unauthorized person.
Recommendations:
Disable the HTTP service or apply a strict access control list with the
command: #ip http access-class
Background/Description:
Cisco devices provide an implementation of the "finger" service, which is used to find out which users are logged into a network device. This information could be used during the information gathering stage of an attack. The "finger" service is disabled by default; only a serious business requirement should justify enabling it again.
Expected result:
Finger service is disabled.
Related Risk:
Housekeeping
Impact:
Finger service informs which users are logged into a network device. This information could be used during the information gathering stage of an attack.
Recommendations:
Disable Finger service with the command:
#no service finger (IOS 11.2 and earlier)
#no ip finger (IOS 11.3 and later)
Background/Description:
The Bootstrap Protocol (BOOTP) service on a Cisco device can be used for centralized operating system upload.
However, BOOTP is seldom used, and it gives an attacker an opportunity to obtain a copy of the IOS image. The service is enabled by default.
Expected result:
Bootp service is disabled.
Related Risk:
Housekeeping
Impact:
BOOTP is an insecure protocol that can be abused in an attack, and the IOS image could be retrieved by an unauthorized person.
Recommendations:
Disable BOOTP service with the command:
no ip bootp server (IOS 11.2 and later).
Background/Description:
The ip source-route command allows the device to process IP datagrams that carry source routing header options.
The option should be disabled unless there are known requirements for source routing on the network.
Expected result:
IP source routing is disabled.
Related Risk:
Low
Impact:
The device could be used in well-known source routing attacks.
Recommendations:
Disable IP source routing with the
command: #no ip source-route
Background/Description:
TCP and UDP small services are useful for diagnostics.
However, these services could be misused for a number of attacks such as "Fraggle",
UDP denial of service or firewall rule bypassing.
The small services are disabled by default in Cisco IOS 12.0 and later.
Expected result:
Both TCP and UDP small services are explicitly disabled.
Related Risk:
Low
Impact:
Small TCP/UDP services could be misused for a number of attacks such as "Fraggle",
UDP denial of service or firewall rule bypassing.
Recommendations:
Explicitly disable small TCP/UDP services with the command:
#no service tcp-small-servers
#no service udp-small-servers
Background/Description:
The Simple Network Management Protocol (SNMP) service is used for monitoring,
diagnostics and remote management. However, it requires proper configuration.
Expected result:
SNMP is enabled.
Background/Description:
The SNMP service is used for diagnostics and remote management. It uses a "community name"
as a password. The default read-only (RO) and read-write (RW) community names are well known and could be misused.
Expected result:
Default SNMP RO and/or RW community names are not used.
Related Risk:
Low
Impact:
Read-only (RO) and read-write (RW) community names are well known and could be misused by an
unauthorized person to obtain configuration information (RO) or change the configuration (RW).
Recommendations:
Choose hard-to-guess community names, or disable the SNMP service if it is not used, with the command:
#no snmp-server
Background/Description:
The SNMP service is used for diagnostics and remote management. SNMP version 1 sends
authentication information as clear text over the network.
Expected result:
SNMP version 2, 2c or 3 should be used.
Related Risk:
Housekeeping
Impact:
SNMP v1 authentication information could be intercepted using a network sniffer.
This authentication information could be used to build further attacks.
Recommendations:
Consider using more advanced versions of SNMP. Note that SNMP v2c still sends the community name as clear text; only SNMPv3 with authentication and privacy protects the credentials on the wire.
Background/Description:
The SNMP service is used for diagnostics and remote management.
SNMP contact/location information helps to identify the remote device.
Expected result:
SNMP contact/location information is updated.
Related Risk:
Housekeeping
Impact:
SNMP contact/location information helps to identify the remote device. No security risk.
Recommendations:
Update SNMP contact/location information with the command:
#snmp-server location XXX
#snmp-server contact XXX
Auditing/Logging
Background/Description:
Cisco IOS supports logging of system messages and errors to various destinations,
such as the logging buffer, terminal lines, or a syslog server. This information can be used for early
detection of availability or security incidents and for troubleshooting.
Expected result:
Logging is enabled.
Related Risk:
Medium
Impact:
No system information will be available for incident investigation or troubleshooting.
Recommendations:
Consider enabling one or more of the logging types described below. Logging may have been explicitly disabled; re-enable it with the command:
#logging on
Background/Description:
Cisco IOS supports logging system messages and errors to an internal buffer.
The buffer is circular, so newer messages overwrite older messages once the buffer is full.
Many of these messages are important from a security point of view.
Expected result:
Buffer logging is enabled.
Related Risk:
Low
Impact:
No system information will be available for incident investigation or troubleshooting.
However, this can be compensated by other logging options.
Recommendations:
Consider enabling buffer logging with the command:
#logging buffered [buffer-size | severity-level]
Background/Description:
Cisco IOS supports sending system messages and errors to all available TTY lines, such as the console.
Many of these messages are important from a security point of view.
Expected result:
Console logging is enabled.
Related Risk:
Housekeeping
Impact:
Console logging is optional and depends on the accessibility of TTY lines for monitoring and
troubleshooting.
Recommendations:
Consider enabling console logging with the command:
#logging console [severity-level]
Background/Description:
Cisco IOS supports sending system messages and errors to a remote syslog server.
This feature allows building a centralized management and monitoring solution.
Many of these messages are important from a security point of view, and storing them on a remote device improves integrity and reduces troubleshooting time.
Expected result:
Remote syslog server is configured.
Related Risk:
Low
Impact:
No centralized system information will be available for prompt incident investigation or troubleshooting,
and events cannot be correlated easily.
However, this can be compensated by other logging options.
Recommendations:
Consider implementing a remote syslog server. To enable sending messages from the Cisco device use the command:
#logging host {hostname | ip-address} (IOS 12.2 and up) or
#logging {hostname | ip-address} (IOS 10.0 and up)
Background/Description:
SNMP traps send notifications of significant changes in system status to a remote management station.
Expected result:
SNMP trap notification is configured.
Related Risk:
Low
Impact:
Lack of early system event notification through SNMP traps may slow down incident detection and
response. However, this can be compensated by other logging and monitoring options.
Recommendations:
Consider implementing a remote SNMP trap collection station. To enable sending SNMP traps from the Cisco
device use the command:
#snmp-server host {hostname | ip-address}
Background/Description:
Time synchronization keeps device software clocks aligned for better event correlation.
IOS supports the Network Time Protocol (NTP) to obtain clock synchronization from a time server.
Expected result:
NTP server is configured.
Related Risk:
Housekeeping
Impact:
Without proper time synchronization it can be hard to perform automated correlation of abnormal events.
Recommendations:
Consider synchronizing software clocks with a trusted NTP server by using the command:
#ntp server {hostname | ip-address}
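The global-configuration items of the Account Management, Network Services and Auditing/Logging sections can be audited together from a saved running-config. The following is an added example, not part of the original standard: it runs a table of required and forbidden command lines (the forms given in this standard) over a constructed config sample, taking IOS defaults into account; the "public"/"private" community names, the sample text and the finding wording are assumptions.

```python
import re

# Constructed sample running-config (not from a real device); several settings
# are left in the state this standard flags, to exercise the checks.
SAMPLE_CONFIG = """\
version 12.4
no service password-encryption
service tcp-small-servers
enable secret 5 $1$abcd$PLACEHOLDER.hash.value
no ip bootp server
ip http server
ip http access-class 10
ip finger
snmp-server community public RO
snmp-server community r34d0nly RO 20
logging buffered 16384
logging host 192.0.2.10
ntp server 192.0.2.20
end
"""

# (finding, regex, must_be_present). Defaults matter: bootp and source-route are
# on by default and appear in the config only as their "no" form when disabled;
# finger and small servers are off by default (IOS 12.0+) and appear only if enabled.
CHECKS = [
    ("password encryption not enabled", r"^service password-encryption$", True),
    ("no enable secret set",            r"^enable secret ",               True),
    ("finger service enabled",          r"^(ip finger|service finger)$",  False),
    ("BOOTP server not disabled",       r"^no ip bootp server$",          True),
    ("IP source routing not disabled",  r"^no ip source-route$",          True),
    ("TCP small servers enabled",       r"^service tcp-small-servers$",   False),
    ("UDP small servers enabled",       r"^service udp-small-servers$",   False),
    ("default SNMP community in use",   r"^snmp-server community (public|private)( |$)", False),
    ("logging explicitly disabled",     r"^no logging on$",               False),
    ("buffer logging not enabled",      r"^logging buffered",             True),
    ("no remote syslog host",           r"^logging (host \S+|\d+\.\d+\.\d+\.\d+)$", True),
    ("no SNMP trap host",               r"^snmp-server host ",            True),
    ("no NTP server",                   r"^ntp server ",                  True),
]

def audit_global(config):
    """Return findings for the global (unindented) part of a running-config."""
    lines = [l for l in config.splitlines() if l and not l.startswith(" ")]
    findings = [finding for finding, pattern, must_be_present in CHECKS
                if any(re.match(pattern, l) for l in lines) != must_be_present]
    # HTTP management is acceptable only when an access-class ACL restricts it.
    if "ip http server" in lines and not any(l.startswith("ip http access-class") for l in lines):
        findings.append("HTTP server enabled without an access-class ACL")
    return findings
```

The syslog check accepts the 12.2+ "logging host" form and the older dotted-quad "logging A.B.C.D" form, but not a bare hostname in the older syntax.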
Scheduled Jobs
No tests for this category.
Other Security Settings
No tests for this category.