Police s r - encyclopedic document repository


Document information

1. No local user accounts are configured on the router. Routers and switches must use TACACS+ for all user authentication.
   • Router(config)#aaa new-model
   • Router(config)#aaa authentication enable default group tacacs+ enable
   • Router(config)#aaa authentication login default group tacacs+ enable
   • Router(config)#aaa authentication ppp default group tacacs+ enable

2. The enable password on the router or switch must be kept in a secure encrypted form. The router or switch must have the enable password set to the current production router/switch password from the device's support organization.
   • Router(config)#enable secret CISCO
   • Router(config)#service password-encryption

3. The following services or features must be disabled:
   a. IP directed broadcasts
      • R1(config-if)#no ip directed-broadcast
   b. Incoming packets at the router/switch sourced with invalid addresses such as RFC1918 addresses
      • R1(config)#no ip source-route
   c. TCP small services
      • R1(config)#no service tcp-small-servers
   d. UDP small services
      • R1(config)#no service udp-small-servers
   e. All source routing and switching
      • R1(config)#no ip source-route
   f. All web services running on the router
      • R1(config)#no ip http server
      • R1(config)#no ip bootp server
   g. Cisco discovery protocol on Internet-connected interfaces
      • R1(config-if)#no ip redirects
      • R1(config-if)#no ip proxy-arp
      • R1(config-if)#no ip unreachables
      • R1(config-if)#no ip directed-broadcast
      • R1(config-if)#no ip mask-reply
      • R1(config-if)#no mop enabled
   h. Telnet, FTP, and HTTP services
   i. Auto-configuration
      • R1#auto secure

4. The following services should be disabled unless a business justification is provided:
   a. Cisco discovery protocol and other discovery protocols
      • R1(config)#no cdp run
   b. Dynamic trunking
      • Switch(config-if)#switchport mode access
      • Switch(config-if)#switchport nonegotiate
   c. Scripting environments, such as the TCL shell
      • R1(config)#no scripting tcl encdir
      • R1(config)#no scripting tcl init
      • R1(config)#no scripting tcl low-memory
      • R1(config)#no scripting tcl secure-mode
      • R1(config)#no scripting tcl trustpoint name name
      • R1(config)#no scripting tcl trustpoint untrusted

5. The following services must be configured:
   a. Password encryption
      • Router(config)#service password-encryption
   b. NTP configured to a corporate standard source
      [Default]
      • config t
      • ntp server {ip-address | ipv6-address | dnsname} [prefer] [use-vrf vrf-name]
      • ntp peer {ip-address | ipv6-address | dnsname} [prefer] [use-vrf vrf-name]
      • show ntp peers
      • copy running-config startup-config
      [Non-Default]
      • config t
      • feature ntp
      • ntp master
      • ntp source-interface interface
      • ntp source ip-address
      • copy running-config startup-config

6. All routing updates shall be done using secure routing updates. (Values in angle brackets are placeholders for numbers that are not legible in the source.)
   • OSPF:
        interface Ethernet1
         ip address 10.139.20.1 255.255.255.0
         ip ospf message-digest-key 10 md5 cisco
        !
        router ospf 20
         network 10.139.20.0 0.0.0.255 area <area-id>
         area <area-id> authentication message-digest
         passive-interface default
         no passive-interface Serial0
   • EIGRP:
        ! EIGRP authentication
        interface Ethernet<number>
         ip authentication mode eigrp 10 md5
         ip authentication key-chain eigrp 10 mychain
        !
        router eigrp 10
         network 10.0.0.0
         no auto-summary
         passive-interface default
         no passive-interface Serial0
        !
        key chain mychain
         key <key-id>
          key-string cisco
        !
   • RIP:
        interface ethernet<number>
         ip rip authentication key-chain mychain
         ip rip authentication mode md5
        !
        router rip
         network 10.0.0.0
         no auto-summary
         passive-interface default
         no passive-interface Serial0
         version <version>
        !
        key chain mychain
         key <key-id>
          key-string cisco
        !
   • BGP:
        router bgp 10
         passive-interface default
         no passive-interface Serial0
         no synchronization
         bgp log-neighbor-changes
         network 64.104.0.0
         neighbor 198.133.219.10 remote-as 10
         neighbor 198.133.219.10 password 05080F1C22431F5B4A
        !
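As an added example that is not part of the policy document above, the following Python script audits an IOS-style running-config against items 1 to 5, 7, 11 and 12 of the policy: it looks for the global statements the policy requires, flags the ones it forbids (plaintext enable password, local user accounts, default SNMP community strings, the HTTP server) and checks that VTY lines accept SSH only. The two configurations are constructed for the example (the hostname, the type-5 hash and the type-7 string are placeholders), and the `ip ssh version 2` check assumes SSH version 2 is the corporate standard; adapt the REQUIRED and FORBIDDEN tables to the local standard.

```python
import re

# Two running-config excerpts constructed for this example (not real devices).
WEAK_CONFIG = """
!
hostname edge-rtr1
!
enable password cisco123
enable secret 5 $1$xxxx$constructed-placeholder-hash
!
username admin privilege 15 password 7 0822455D0A16
!
ip http server
no ip bootp server
no cdp run
!
snmp-server community public RO
!
line vty 0 4
 login local
 transport input telnet ssh
!
"""

HARDENED_CONFIG = """
!
hostname edge-rtr1
!
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
enable secret 5 $1$xxxx$constructed-placeholder-hash
service password-encryption
!
no ip source-route
no ip http server
no ip bootp server
no cdp run
ip ssh version 2
!
banner motd #UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED#
!
line vty 0 4
 transport input ssh
!
"""

# Global statements the policy requires (matched as line prefixes).
REQUIRED = [
    ("aaa new-model", "item 1: AAA must be enabled"),
    ("aaa authentication login default group tacacs+", "item 1: logins via TACACS+"),
    ("enable secret", "item 2: enable password stored as a hash"),
    ("service password-encryption", "item 2/5a: password encryption"),
    ("no ip source-route", "item 3e: source routing disabled"),
    ("no ip http server", "item 3f: web server disabled"),
    ("no ip bootp server", "item 3f: bootp server disabled"),
    ("no cdp run", "item 4a: CDP disabled"),
    ("banner motd", "item 11: login banner"),
    ("ip ssh version 2", "item 12: SSH management (assumes v2 is the corporate standard)"),
]

# Statements the policy forbids (regular expressions over global lines).
FORBIDDEN = [
    (re.compile(r"^enable password "), "item 2: plaintext enable password"),
    (re.compile(r"^username \S+ .*\b(password|secret)\b"), "item 1: local user account"),
    (re.compile(r"^snmp-server community (public|private)\b"), "item 7: default community string"),
    (re.compile(r"^ip http (secure-)?server"), "item 3f/3h: HTTP service enabled"),
]


def parse_blocks(config_text):
    """Split an IOS-style config into (header, children) pairs.

    Top-level statements are unindented; statements that belong to a section
    (interface, line vty, router ...) are indented by one space. Comment lines
    starting with '!' and blank lines are ignored."""
    blocks = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config_text):
    """Return a list of policy findings; an empty list means compliant."""
    blocks = parse_blocks(config_text)
    headers = [header for header, _ in blocks]
    findings = []
    for prefix, why in REQUIRED:
        if not any(h.startswith(prefix) for h in headers):
            findings.append(f"missing '{prefix}' ({why})")
    for pattern, why in FORBIDDEN:
        for h in headers:
            if pattern.match(h):
                findings.append(f"present '{h}' ({why})")
    # Item 12: VTY lines must accept SSH only, never Telnet.
    for header, children in blocks:
        if header.startswith("line vty"):
            transports = [c for c in children if c.startswith("transport input")]
            if transports != ["transport input ssh"]:
                findings.append(f"'{header}' is not restricted to SSH: {transports or 'no transport input'} (item 12)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"== {name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

The checker matches explicit statements only, so on platforms where a setting is off by default and therefore absent from the running-config (small servers, directed broadcasts on newer IOS) it reports nothing; those items are better verified with the relevant `show` commands than by text matching.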
7. Use corporate standardized SNMP community strings. Default strings, such as public or private, must be removed. SNMP must be configured to use the most secure version of the protocol allowed for by the combination of the device and management systems.
   • Simple Network Management Protocol (SNMP) uses the default UDP port 161 for general SNMP messages and UDP port 162 for SNMP trap messages.
   • Switch(config)# snmp-server host 10.0.0.2 traps g00d-5tr1n9-2
     Switch(config)# snmp-server host 10.0.0.4 traps g00d-5tr1n9-2
     Switch(config)# snmp-server trap-source Loopback0
     Switch(config)# snmp-server enable traps
   • If SNMP is not being used, then executing the following commands will disable the service:
     Switch(config)# no snmp-server community
     Switch(config)# no snmp-server enable traps
     Switch(config)# no snmp-server system-shutdown
     Switch(config)# no snmp-server
   • Switch(config)# no access-list 12
     Switch(config)# access-list 12 permit 10.0.0.2
     Switch(config)# access-list 12 permit 10.0.0.4
     Switch(config)# snmp-server group admins v3 auth read adminview write adminview
     Switch(config)# snmp-server user root admins v3 auth md5 5ecret5TR1N access 12
   • Switch(config)# snmp-server view adminview internet included
     Switch(config)# snmp-server view adminview ipAddrEntry excluded
     Switch(config)# snmp-server view adminview ipRouteEntry excluded

8. Access control lists must be used to limit the source and type of traffic that can terminate on the device itself.
   ! - Add anti-spoofing entries
   ! - Deny special-use address sources
   !
   access-list 110 deny ip 127.0.0.0 0.255.255.255 any
   access-list 110 deny ip 192.0.2.0 0.0.0.255 any
   access-list 110 deny ip 224.0.0.0 31.255.255.255 any
   access-list 110 deny ip host 255.255.255.255 any
   ! - Deny your space as source (as noted in RFC 2827)
   access-list 110 deny ip your Internet-routable subnet any
   ! - Explicitly permit return traffic
   ! - Allow specific ICMP types
   access-list 110 permit icmp any any echo-reply
   access-list 110 permit icmp any any unreachable
   access-list 110 permit icmp any any time-exceeded
   access-list 110 deny icmp any any
   ! - These are outgoing DNS queries
   access-list 110 permit udp any eq 53 host primary DNS server gt 1023
   ! - Permit older DNS queries and replies to primary DNS server
   access-list 110 permit udp any eq 53 host primary DNS server eq 53
   ! - Permit legitimate business traffic
   access-list 110 permit tcp any Internet-routable subnet established
   access-list 110 permit udp any range 1023 <end-port> Internet-routable subnet gt 1023
   ! - Allow ftp data connections
   access-list 110 permit tcp any eq 20 Internet-routable subnet gt 1023
   ! - Allow tftp data and multimedia connections
   access-list 110 permit udp any gt 1023 Internet-routable subnet gt 1023

9. Access control lists for transiting the device are to be added as business needs arise.
   ! - Explicitly permit externally sourced traffic
   ! - These are incoming DNS queries
   access-list 110 permit udp any gt 1023 host primary DNS server eq 53
   ! - These are zone transfer DNS queries to primary DNS server
   access-list 110 permit tcp host secondary DNS server gt 1023 host primary DNS server eq 53
   ! - Permit older DNS zone transfers
   access-list 110 permit tcp host secondary DNS server eq 53 host primary DNS server eq 53
   ! - Deny all other DNS traffic
   access-list 110 deny udp any any eq 53
   access-list 110 deny tcp any any eq 53
   ! - Allow IPSec VPN traffic
   access-list 110 permit udp any host IPSec headend device eq 500
   access-list 110 permit udp any host IPSec headend device eq 4500
   access-list 110 permit 50 any host IPSec headend device
   access-list 110 permit 51 any host IPSec headend device
   access-list 110 deny ip any host IPSec headend device
   ! - These are Internet-sourced connections to
   ! - publicly accessible servers
   access-list 110 permit tcp any host public web server eq 80
   access-list 110 permit tcp any host public web server eq 443
   access-list 110 permit tcp any host public FTP server eq 21
   ! - Data connections to the FTP server are allowed
   ! - by the permit established ACE
   ! - Allow PASV data connections to the FTP server
   access-list 110 permit tcp any gt 1023 host public FTP server gt 1023
   access-list 110 permit tcp any host public SMTP server eq 25
   ! - Explicitly deny all other traffic
   access-list 110 deny ip any any

10. The router must be included in the corporate enterprise management system with a designated point of contact.

11. Each router must have the following statement presented for all forms of login, whether remote or local:
    "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device. Use of this system shall constitute consent to monitoring."
    • Router(config)#banner motd #"UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED"#

12. Telnet may never be used across any network to manage a router, unless there is a secure tunnel protecting the entire communication path. SSH is the preferred management protocol.
    enable
    configure terminal
    hostname hostname
    ip domain-name name
    crypto key generate rsa
    ip ssh [time-out seconds | authentication-retries integer]
    ip ssh version [1 | 2]

13. Dynamic routing protocols must use authentication in routing updates sent to neighbors. Password hashing for the authentication string must be enabled when supported.
    Routing protocols are used to facilitate the exchange of routing information between routers. A routing protocol is a set of processes, algorithms, and messages that are used to exchange routing information and populate the routing table with the routing protocol's choice of best paths. The purpose of dynamic routing protocols includes:
    • Discovery of remote networks
    • Maintaining up-to-date routing information
    • Choosing the best path to destination networks
    • Ability to find a new best path if the current path is no longer available
    OSPF: Authentication—Contains the settings for OSPF area authentication.
      – None—Choose this option to disable OSPF area authentication. This is the default setting.
      – Password—Choose this option to use a clear text password for area authentication. This option is not recommended where security is a concern.
      – MD5—Choose this option to use MD5 authentication.
    RIP: Enable Authentication—Check this check box to enable RIP authentication. Uncheck this check box to disable RIP broadcast authentication.
      – Key—The key used by the authentication method. Can contain up to 16 characters.
      – Key ID—The key ID. Valid values range up to 255.
      – Authentication Mode—You can select the following authentication modes:
          MD5—Uses MD5 for RIP message authentication.
          Text—Uses cleartext for RIP message authentication (not recommended).
    EIGRP: Enable MD5 Authentication—Check this check box to enable MD5 authentication of EIGRP process messages.
      – Key—Key to authenticate EIGRP updates. The key can contain up to 16 characters.
      – Key ID—Key identification value; valid values range up to 255.

14. The corporate router configuration standard will define the category of sensitive routing and switching devices, and require additional services or configuration on sensitive devices, including:
    a. IP access list accounting
       enable
       configure terminal
       ip accounting-threshold threshold
       ip accounting-list ip-address wildcard
       ip accounting-transits count
       interface type number
       ip accounting [access-violations] [output-packets]
       ip accounting mac-address {input | output}
    b. Device logging
       Routers can handle log messages in five different ways:
       • Console logging: By default, the router sends all log messages to its console port. Hence only the users that are physically connected to the router console port can view these messages.
       • Terminal logging: It is similar to console logging, but it displays log messages on the router's VTY lines instead. This is not enabled by default.
       • Buffered logging: This type of logging uses the router's RAM for storing log messages. The buffer has a fixed size to ensure that the log will not deplete valuable system memory. The router accomplishes this by deleting old messages from the buffer as new messages are added.
       • Syslog server logging: The router can use syslog to forward log messages to external syslog servers for storage. This type of logging is not enabled by default.
       • SNMP trap logging: The router is able to use SNMP traps to send log messages to an external SNMP server.
    c. Incoming packets at the router sourced with invalid addresses, such as RFC1918 addresses, or those that could be used to spoof network traffic, shall be dropped.
       R1(config)#no ip source-route
    d. Router console and modem access must be restricted by additional security controls.
       Console:
       R1(config)#line console 0
       R1(config-line)#password cisco
       R1(config-line)#login
       R1(config-line)#exit
       Modem:
       R1(config)#line aux 0
       R1(config-line)#password cisco
       R1(config-line)#login
       R1(config-line)#exit

Policy for myself
• Login alerts
• Login approvals
• Code generator
• App passwords
• Trusted contacts
• Browsers and apps
• Where you're logged in
• Legacy contact
• Deactivate account
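As an added example that is not part of the policy document, the following Python code models the ingress filtering of items 8, 9 and 14c: it parses the subset of the IOS extended-ACL syntax used in those items (`any`, `host`, address/wildcard pairs, `eq`/`gt`/`lt` port operators, `established`, ICMP type keywords), evaluates packets against the list in first-match order and falls through to the implicit deny. The ACL is constructed for the example and goes beyond the page's ACL 110 in one way: it adds the three RFC 1918 source ranges that item 14c requires to be dropped. The addresses 203.0.113.0/24 (standing in for "your Internet-routable subnet"), 203.0.113.53 (primary DNS server) and 203.0.113.80 (public web server) are documentation addresses chosen here, as are the sample packets.

```python
import ipaddress
from dataclasses import dataclass

# Constructed ingress ACL in IOS extended-ACL syntax, shaped like ACL 110 in
# items 8 and 9 with the placeholders replaced by documentation addresses, plus
# the RFC 1918 source ranges item 14c says must be dropped.
ACL_TEXT = """
! - Deny special-use and RFC 1918 address sources (anti-spoofing)
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
access-list 110 deny ip host 255.255.255.255 any
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
! - Deny your own space as source (RFC 2827)
access-list 110 deny ip 203.0.113.0 0.0.0.255 any
! - Allow specific ICMP types only
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any time-exceeded
access-list 110 deny icmp any any
! - Return traffic for inside-initiated sessions, DNS to the primary server, public web server
access-list 110 permit tcp any 203.0.113.0 0.0.0.255 established
access-list 110 permit udp any gt 1023 host 203.0.113.53 eq 53
access-list 110 permit tcp any host 203.0.113.80 eq 80
access-list 110 permit tcp any host 203.0.113.80 eq 443
access-list 110 deny ip any any
"""


@dataclass
class Packet:
    """The header fields the ACL can test; constructed, not captured traffic."""
    src: str
    dst: str
    proto: str            # tcp / udp / icmp / a protocol number as a string
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK bit set: what the 'established' keyword matches
    icmp_type: str = ""   # e.g. "echo", "echo-reply"


def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)


def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)


def _take_port(tokens):
    """Consume an optional 'eq N' / 'gt N' / 'lt N'; return a predicate or None."""
    if tokens and tokens[0] in ("eq", "gt", "lt"):
        op, n = tokens.pop(0), int(tokens.pop(0))
        return {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}[op]
    return None


def parse_ace(line):
    """Parse one 'access-list N {permit|deny} proto src [port] dst [port] [flags]' entry."""
    tokens = line.split()[2:]            # drop 'access-list' and the list number
    ace = {"action": tokens.pop(0), "proto": tokens.pop(0)}
    ace["src"] = _take_addr(tokens)
    ace["sport"] = _take_port(tokens)
    ace["dst"] = _take_addr(tokens)
    ace["dport"] = _take_port(tokens)
    ace["established"] = "established" in tokens
    ace["icmp_type"] = next((t for t in tokens if t != "established"), "")
    return ace


def parse_acl(text):
    """Skip '!' comment lines and parse every access-list statement in order."""
    return [parse_ace(line) for line in text.splitlines() if line.startswith("access-list")]


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not wildcard_match(pkt.src, *ace["src"]) or not wildcard_match(pkt.dst, *ace["dst"]):
        return False
    if ace["sport"] and not ace["sport"](pkt.sport):
        return False
    if ace["dport"] and not ace["dport"](pkt.dport):
        return False
    if ace["established"] and not pkt.ack:
        return False
    if ace["icmp_type"] and ace["icmp_type"] != pkt.icmp_type:
        return False
    return True


def evaluate(acl, pkt):
    """First matching entry wins; an ACL always ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


ACL_110 = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    samples = [
        ("spoofed RFC 1918 source", Packet("10.1.2.3", "203.0.113.80", "tcp", 40000, 80)),
        ("web request", Packet("198.51.100.7", "203.0.113.80", "tcp", 40000, 80)),
        ("reply to inside session", Packet("198.51.100.7", "203.0.113.10", "tcp", 443, 50000, ack=True)),
        ("inbound echo request", Packet("198.51.100.7", "203.0.113.10", "icmp", icmp_type="echo")),
    ]
    for label, pkt in samples:
        print(f"{label:26s} -> {evaluate(ACL_110, pkt)}")
```

Because evaluation is first-match, the anti-spoofing denies must stay above the permits: a packet with a private source address bound for the web server is dropped before the port-80 permit is ever consulted, which is the property the policy's "deny your space as source" and RFC 1918 entries rely on.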

Posted: 08/11/2019, 17:17
