CIS Cisco IOS 12 Benchmark
GNS3 lab: R1, R2, PC1, PC2, PC3
This document provides prescriptive guidance for establishing a secure configuration posture for Cisco routers running Cisco IOS version 12.
This benchmark is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel.
Items in this profile are intended to: be practical and prudent; provide a clear security benefit; and not inhibit the utility of the technology beyond acceptable means.
This profile extends the "Level 1" profile. Items in this profile exhibit one or more of the following characteristics: they are intended for environments or use cases where security is paramount; they act as a defense-in-depth measure; or they may negatively inhibit the utility or performance of the technology.
majors and 11 minors
Management Plane
Access Rules
Banner Rules
Password Rules
SNMP Rules
Control Plane
Global Service Rules
Logging Rules
NTP Rules
Loopback Rules
Data Plane
Routing Rules
Border Router Filtering
Neighbor Authentication
Profile Applicability
Level 1
Description
Sets the privilege level for the user. Creating a local account with privilege level 1 permissions only allows the local user to access the device with EXEC-level permissions; the user will be unable to modify the device without using the enable password.
Profile Applicability
Level 1
Description
Selects the Secure Shell (SSH) protocol.
Configuring VTY access control restricts remote access to only those authorized to manage the device and prevents unauthorized users from accessing the system.
Profile Applicability
Level 1
Description
The 'no exec' command restricts a line to outgoing connections only. Unused ports should be disabled if not required, since they provide a potential access path for attackers.
Some devices include both an auxiliary and a console port that can be used to locally connect to and configure the device. The console port is normally the primary port used to configure the device. The auxiliary port is primarily used for dial-up administration via an external modem; rather than relying on it, use other available methods.
Profile Applicability
Level 1
Description
Access lists control the transmission of packets on an interface, control Virtual Terminal Line (VTY) access, and restrict the contents of routing updates. VTY ACLs control what addresses may attempt to log in to the router.
Profile Applicability
Level 1
Description
The 'access-class' setting restricts incoming and outgoing connections between a particular vty (into a Cisco device) and the networking devices associated with addresses in an access list. Restricting the network devices associated with the addresses on the access list further limits remote access to those devices authorized to manage the device and reduces the risk of unauthorized access.
Profile Applicability
Level 1
Description
If no input is detected during the interval, the EXEC facility resumes the current connection.
If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
This prevents unauthorized users from misusing abandoned sessions, for example when a network administrator leaves for the day with a computer still open on an authenticated login session.
Profile Applicability
Level 1
Description
If no input is detected during the interval, the EXEC facility resumes the current connection.
If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
This prevents unauthorized users from misusing abandoned sessions, for example when a network administrator leaves for the day with a computer still open on an authenticated login session.
Profile Applicability
Level 1
Description
Use the enable secret command to provide an additional layer of security over the enable password. The enable password command causes the device to enforce use of a password to access privileged mode. Enable secrets use a one-way cryptographic hash (MD5).
Profile Applicability
Level 1
Description
When password encryption is enabled, the encrypted form of the passwords is displayed when a more system:running-config command is entered.
This requires passwords to be encrypted in the configuration file to prevent unauthorized users from learning the passwords just by reading the configuration.
Profile Applicability
Level 1
Description
The hostname is used in prompts and default configuration filenames. The domain name is a prerequisite for setting up SSH.
Profile Applicability
Level 1
Description
Define a default domain name that the Cisco IOS software uses to complete unqualified hostnames. The domain name is a prerequisite for setting up SSH.
Profile Applicability
Level 1
Description
Use this command to generate RSA key pairs for your Cisco device. RSA keys are generated in pairs: one public RSA key and one private RSA key. An RSA key pair is a prerequisite for setting up SSH and should be at least 2048 bits.
Level 1
Description
The time interval that the router waits for the SSH client to respond before disconnecting an uncompleted login attempt.
This reduces the risk of an administrator leaving an authenticated session logged in for an extended period of time.
Level 1
Description
The number of retries before the SSH login session disconnects. This limits the number of times an unauthorized user can attempt a password without having to establish a new SSH connection, which reduces the potential for success of online brute-force attacks.
Level 1
Description
Specify the version of Secure Shell (SSH) to be run on a router. SSH Version 1 has been subject to a number of serious vulnerabilities and is no longer considered to be a secure protocol, resulting in the adoption of SSH Version 2 as an Internet Standard in 2006. Cisco routers support both versions, but due to the weakness of SSH Version 1 only the later standard should be used.
Level 1
Description
Disable Cisco Discovery Protocol (CDP) service at device level. The Cisco Discovery Protocol is a proprietary protocol that Cisco devices use to identify each other on a LAN segment. It is useful only in network monitoring and troubleshooting situations but is considered a security risk because of the amount of information provided from queries. In addition, there have been published denial-of-service (DoS) attacks that use CDP. CDP should be completely disabled unless necessary.
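The management-plane items described above (privilege 1 local users, SSH-only vty transport, no exec on the aux line, a vty access-class, exec-timeout, enable secret, password encryption, a domain name, SSH time-out, retries and version 2, and CDP disabled) can be audited from a saved running-config. The Python below is an added example, not CIS or Cisco code; it checks a constructed hardened configuration (placeholder hashes and ACL name) and returns pass/fail per item. It assumes a 10-minute exec-timeout ceiling, and the RSA key pair is not checked because key material does not appear in the running-config.

```python
import re

# Constructed hardened running-config used as sample input; hashes and the ACL name are placeholders.
HARDENED = """\
service password-encryption
enable secret 5 $1$PLACEHOLDER$hash
username admin privilege 1 secret 5 $1$PLACEHOLDER$hash
ip domain name lab.example
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh version 2
no cdp run
line aux 0
 no exec
line vty 0 4
 access-class MGMT-ACL in
 exec-timeout 10 0
 transport input ssh
"""

def stanza(config, prefix):
    """Indented child commands beneath every top-level command starting with prefix."""
    blocks = re.findall(rf"^{re.escape(prefix)}.*\n((?: .*\n?)*)", config, re.M)
    return [c.strip() for b in blocks for c in b.splitlines()]

def timeout_ok(cmds, max_seconds=600):
    """exec-timeout present, not '0 0' (disabled) and within the assumed 10-minute ceiling."""
    m = next(filter(None, (re.fullmatch(r"exec-timeout (\d+)(?: (\d+))?", c) for c in cmds)), None)
    return bool(m) and 0 < int(m[1]) * 60 + int(m[2] or 0) <= max_seconds

def audit(config):
    """Return {benchmark item: passed} for the management-plane items discussed above."""
    top = {ln.strip() for ln in config.splitlines() if ln and not ln.startswith(" ")}
    vty, aux = stanza(config, "line vty"), stanza(config, "line aux")
    # IOS gives a username with no 'privilege' keyword level 1 by default.
    priv = lambda u: int((re.search(r"\bprivilege (\d+)\b", u) or [0, "1"])[1])
    return {
        "local users at privilege 1": all(priv(u) == 1 for u in top if u.startswith("username ")),
        "vty transport input ssh": "transport input ssh" in vty,
        "vty access-class applied": any(re.fullmatch(r"access-class \S+ in", c) for c in vty),
        "vty exec-timeout": timeout_ok(vty),
        "aux no exec": "no exec" in aux,
        "enable secret set": any(k.startswith("enable secret ") for k in top),
        "service password-encryption": "service password-encryption" in top,
        "ip domain name set": any(k.startswith(("ip domain name ", "ip domain-name ")) for k in top),
        "ssh time-out set": any(k.startswith("ip ssh time-out ") for k in top),
        "ssh authentication-retries set": any(k.startswith("ip ssh authentication-retries ") for k in top),
        "ssh version 2 only": "ip ssh version 2" in top,
        "cdp disabled globally": "no cdp run" in top,
    }
```

Feeding the same function the saved output of `show running-config` from R1 or R2 in the lab gives a quick per-item compliance readout.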