The settings below are taken from the Cisco Guide to Harden Cisco IOS Devices.
Each setting is labeled with a CSCO-XXXX ID.
CSCO-0000 Secure Operations
CSCO-1000 Management Plane
CSCO-2000 Management Plane
CSCO-3000 Control Plane
CSCO-4000 Data Plane
- - - - - - -
CSCO-0010 Use enable secret to protect passwords
enable secret <password>
CSCO-0014 Use file prompt alert
CSCO-0015 Create username and secret password
username <name> secret <password>
CSCO-0020 Enable password obfuscation
service password-encryption
CSCO-0030 Login Password Retry Lockout
aaa new-model
aaa local authentication attempts max-fail <max-attempts>
aaa authentication login default local
CSCO-0040 No Service Password-Recovery
!
no service password-recovery
!
CSCO-0045 Shared-key password
CSCO-0050 Disable Unused Services
no ip finger
no ip bootp server
ip dhcp bootp ignore
no service dhcp
no mop enabled
no ip domain-lookup
no service pad
no ip http server
no service config
!interface
no cdp enable
!Global
no cdp run
no lldp run global
CSCO-0060 Keepalives for TCP Sessions
service tcp-keepalive-in
service tcp-keepalive-out
CSCO-0070 Memory Threshold Notifications
memory free low-watermark processor <threshold>
memory free low-watermark io <threshold>
memory reserve critical <value>
CSCO-0080 CPU Thresholding Notification
!
snmp-server enable traps cpu threshold
!
snmp-server host <host-address> <community-string> cpu
!
process cpu threshold type <type> rising <percentage> interval <seconds> [falling <percentage> interval <seconds>]
process cpu statistics limit entry-percentage <number> [size <seconds>]
!
CSCO-0090 Reserve Memory for Console Access
memory reserve console 4096
CSCO-0100 Memory Leak Detector
show memory debug leaks
CSCO-0110 Chunk Validation During Scheduler Heapcheck
scheduler heapcheck process memory
CSCO-0120 Buffer Overflow: Detection and Correction of Redzone Corruption
exception memory ignore overflow io
exception memory ignore overflow processor
CSCO-0130 Enhanced Crashinfo File Collection
exception crashinfo maximum files 10
CSCO-0140 Limiting Access to the Network with Infrastructure ACLs
!
ip access-list extended ACL-INFRASTRUCTURE-IN
!--- Permit required connections for routing protocols and
!--- network management
permit tcp host <trusted-ebgp-peer> host <local-ebgp-address> eq 179
permit tcp host <trusted-ebgp-peer> eq 179 host <local-ebgp-address>
permit tcp host <trusted-management-stations> any eq 22
permit udp host <trusted-netmgmt-servers> any eq 161
!
!--- Deny all other IP traffic to any network device
deny ip any <infrastructure-address-space> <mask>
!--- Permit transit traffic
permit ip any any
!
CSCO-0150 ICMP Packet Filtering
!
ip access-list extended ACL-INFRASTRUCTURE-IN
!
!--- Permit ICMP Echo (ping) from trusted management stations and servers
!
permit icmp host <trusted-management-stations> any echo
permit icmp host <trusted-netmgmt-servers> any echo
!
!--- Deny all other IP traffic to any network device
!
deny ip any <infrastructure-address-space> <mask>
!
!--- Permit transit traffic
!
permit ip any any
!
CSCO-0150 Filtering IP Fragments
!
ip access-list extended ACL-INFRASTRUCTURE-IN
!
!--- Deny IP fragments using protocol-specific ACEs to aid in
!--- classification of attack traffic
!
deny tcp any any fragments
deny udp any any fragments
deny icmp any any fragments
deny ip any any fragments
!
!--- Deny all other IP traffic to any network device
!
deny ip any <infrastructure-address-space> <mask>
!
!--- Permit transit traffic
!
permit ip any any
!
CSCO-0160 ACL support for Filtering IP Options
!
ip access-list extended ACL-INFRASTRUCTURE-IN
!
!--- Deny IP packets containing IP options
!
deny ip any any option any-options
!
!--- Deny all other IP traffic to any network device
!
deny ip any <infrastructure-address-space> <mask>
!
!--- Permit transit traffic
!
permit ip any any
CSCO-0170 ACL Support for Filtering on TTL Value
!
ip access-list extended ACL-INFRASTRUCTURE-IN
!
!--- Deny IP packets with TTL values insufficient to traverse the network
!
deny ip any any ttl lt 6
!
!--- Deny all other IP traffic to any network device
!
deny ip any <infrastructure-address-space> <mask>
!
!--- Permit transit traffic
!
permit ip any any
!
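The infrastructure ACL items CSCO-0140 through CSCO-0170 each show one slice of the same ACL-INFRASTRUCTURE-IN list, and its behaviour depends entirely on first-match ordering. The following Python model is an added example, not part of the Cisco guide: it combines the slices into one ordered list (fragment, option and TTL denies first, then the trusted permits, then the infrastructure deny, then permit transit) and evaluates constructed packets against it. The addresses are RFC 5737 documentation ranges chosen here, and the handling of non-initial fragments against port-carrying ACEs is a model of the documented IOS behaviour, not a router's own evaluation.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Packet:
    proto: str               # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ttl: int = 64
    fragment: bool = False   # True = non-initial fragment (no L4 header present)
    options: bool = False    # IP options present
    icmp_type: str = ""

@dataclass
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    text: str                # the IOS ACE this entry models
    cond: dict = field(default_factory=dict)

ANY = ipaddress.ip_network("0.0.0.0/0")

def host(addr):
    return ipaddress.ip_network(addr + "/32")

def ace(action, proto, src, dst, text, **cond):
    return Ace(action, proto, src, dst, text, cond)

def matches(a, p):
    if a.proto != "ip" and a.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in a.src or ipaddress.ip_address(p.dst) not in a.dst:
        return False
    c = a.cond
    if c.get("fragments"):               # 'fragments' keyword: non-initial fragments only
        return p.fragment
    if p.fragment and any(k in c for k in ("sport", "dport", "icmp_type")):
        # Modelled IOS behaviour for a non-initial fragment against an ACE that
        # carries L4 information: a permit matches, a deny is skipped. This is
        # why the explicit fragment denies are placed before the permits.
        return a.action == "permit"
    if "dport" in c and p.dport != c["dport"]:
        return False
    if "sport" in c and p.sport != c["sport"]:
        return False
    if "icmp_type" in c and p.icmp_type != c["icmp_type"]:
        return False
    if "ttl_lt" in c and not p.ttl < c["ttl_lt"]:
        return False
    if c.get("options") and not p.options:
        return False
    return True

def evaluate(acl, p):
    """First match wins; an IOS ACL ends with an implicit deny."""
    for a in acl:
        if matches(a, p):
            return a.action, a.text
    return "deny", "implicit deny"

def build_infra_acl(peer, local_bgp, mgmt, netmgmt, infra):
    infra = ipaddress.ip_network(infra)
    return [
        ace("deny", "tcp", ANY, ANY, "deny tcp any any fragments", fragments=True),
        ace("deny", "udp", ANY, ANY, "deny udp any any fragments", fragments=True),
        ace("deny", "icmp", ANY, ANY, "deny icmp any any fragments", fragments=True),
        ace("deny", "ip", ANY, ANY, "deny ip any any fragments", fragments=True),
        ace("deny", "ip", ANY, ANY, "deny ip any any option any-options", options=True),
        ace("deny", "ip", ANY, ANY, "deny ip any any ttl lt 6", ttl_lt=6),
        ace("permit", "tcp", host(peer), host(local_bgp),
            "permit tcp host <trusted-ebgp-peer> host <local-ebgp-address> eq 179", dport=179),
        ace("permit", "tcp", host(peer), host(local_bgp),
            "permit tcp host <trusted-ebgp-peer> eq 179 host <local-ebgp-address>", sport=179),
        ace("permit", "tcp", host(mgmt), ANY, "permit tcp host <trusted-management-stations> any eq 22", dport=22),
        ace("permit", "udp", host(netmgmt), ANY, "permit udp host <trusted-netmgmt-servers> any eq 161", dport=161),
        ace("permit", "icmp", host(mgmt), ANY, "permit icmp host <trusted-management-stations> any echo", icmp_type="echo"),
        ace("deny", "ip", ANY, infra, "deny ip any <infrastructure-address-space> <mask>"),
        ace("permit", "ip", ANY, ANY, "permit ip any any"),
    ]

# Constructed sample values (RFC 5737 documentation ranges): the router's own addresses
# sit in 192.0.2.0/24, the BGP peer and management hosts in 203.0.113.0/24, and
# 198.51.100.0/24 is transit (customer) space.
ACL = build_infra_acl(peer="203.0.113.1", local_bgp="192.0.2.1",
                      mgmt="203.0.113.10", netmgmt="203.0.113.20", infra="192.0.2.0/24")

SAMPLE_PACKETS = {
    "bgp_from_peer": Packet("tcp", "203.0.113.1", "192.0.2.1", sport=40000, dport=179),
    "ssh_untrusted_to_router": Packet("tcp", "198.51.100.5", "192.0.2.1", dport=22),
    "ssh_transit": Packet("tcp", "198.51.100.5", "198.51.100.9", dport=22),
    "tcp_fragment_to_router": Packet("tcp", "198.51.100.5", "192.0.2.1", fragment=True),
    "low_ttl_transit": Packet("udp", "198.51.100.5", "198.51.100.9", dport=53, ttl=3),
    "snmp_from_nms": Packet("udp", "203.0.113.20", "192.0.2.1", dport=161),
    "ssh_mgmt_with_options": Packet("tcp", "203.0.113.10", "192.0.2.1", dport=22, options=True),
    "ping_from_mgmt": Packet("icmp", "203.0.113.10", "192.0.2.1", icmp_type="echo"),
}

def evaluate_samples():
    return {name: evaluate(ACL, p) for name, p in SAMPLE_PACKETS.items()}

if __name__ == "__main__":
    for name, (action, text) in evaluate_samples().items():
        print(f"{name:26} {action:6} {text}")
```

The "ssh_mgmt_with_options" case is the one worth noticing: the source is a trusted management station, yet the packet is dropped by the option filter because that deny precedes the SSH permit. Reordering those entries would silently re-open the hole.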
CSCO-0180 Management Plane Protection
!
control-plane host
management-interface GigabitEthernet 0/1 allow ssh https beep snmp
CSCO-0190 Control Plane Protection CPPr
CSCO-0200 SSH
!
crypto key generate rsa modulus 2048
!
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh source-interface GigabitEthernet 0/1
!
line vty 0 4
transport input ssh
!
! This configuration example enables SCP services:
!
ip scp server enable
!
CSCO-0210 Console and AUX Ports
!
line aux 0
transport input none
transport output none
no exec
exec-timeout 0 1
no password
!
CSCO-0220 No service password-recovery
no service password-recovery
CSCO-0230 password min-length
security passwords min-length 8
CSCO-0240 Logon messages
login block-for 60 attempts 3 within 60
login on-failure log
login on-success log
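The management-plane items above (CSCO-0010 through CSCO-0240) are individually simple, but on a fleet the useful question is which devices have drifted from them. The script below is an added example, not part of the Cisco guide: it parses a saved running-config (IOS indents sub-mode commands by one space under their parent line) and reports which checklist items are not satisfied. The sample configuration is constructed and deliberately mixes compliant and non-compliant settings; the default-behaviour assumptions (CDP on unless `no cdp run` is present, HTTP server visible as an explicit line when enabled) are noted in comments and vary by platform.

```python
import re

# Constructed sample running-config (not from a real device). The enable secret is
# a placeholder, not a valid hash.
SAMPLE_CONFIG = """\
version 15.2
service password-encryption
hostname edge-rtr1
enable secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
username ops password 7 0123456789ABCDEF
aaa new-model
aaa local authentication attempts max-fail 5
aaa authentication login default local
no service password-recovery
security passwords min-length 8
ip http server
login block-for 60 attempts 3 within 60
login on-failure log
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
!
line aux 0
 transport input ssh
!
line vty 0 4
 transport input telnet ssh
!
"""

def parse_config(text):
    """Split an IOS config into top-level commands plus the sub-mode commands
    indented beneath each of them. '!' and blank lines end a section."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
            continue
        current = raw.strip()
        top.append(current)
        sections.setdefault(current, [])
    return top, sections

def audit(text):
    """Return a list of (checklist-id, finding) tuples; an empty list means no findings."""
    top, sections = parse_config(text)
    f = []
    def has(prefix):
        return any(line.startswith(prefix) for line in top)

    # CSCO-0010: 'enable secret' is hashed; 'enable password' is reversible.
    if not has("enable secret"):
        f.append(("CSCO-0010", "no 'enable secret' configured"))
    if has("enable password"):
        f.append(("CSCO-0010", "'enable password' present; use 'enable secret'"))
    # CSCO-0015: local accounts should carry 'secret', not a type 0/7 'password'.
    for line in top:
        if line.startswith("username ") and " password " in line:
            f.append(("CSCO-0015", f"user '{line.split()[1]}' stored with a reversible password"))
    # CSCO-0020 / CSCO-0030 / CSCO-0040
    if not has("service password-encryption"):
        f.append(("CSCO-0020", "service password-encryption not set"))
    if not (has("aaa new-model") and has("aaa local authentication attempts max-fail")):
        f.append(("CSCO-0030", "login retry lockout (aaa ... max-fail) not configured"))
    if not has("no service password-recovery"):
        f.append(("CSCO-0040", "service password-recovery still enabled"))
    # CSCO-0050: services that appear as explicit lines when enabled (assumption: platform-dependent).
    for svc in ("ip http server", "ip finger", "ip bootp server", "service pad"):
        if has(svc):
            f.append(("CSCO-0050", f"unused service enabled: {svc}"))
    if not has("no cdp run"):   # CDP is on by default and only shows in the config when disabled
        f.append(("CSCO-0050", "CDP not disabled globally (no 'no cdp run')"))
    # CSCO-0200 / CSCO-0210: vty lines SSH only, AUX port closed.
    for hdr, sub in sections.items():
        if hdr.startswith("line vty"):
            inputs = [s for s in sub if s.startswith("transport input")]
            if inputs != ["transport input ssh"]:
                f.append(("CSCO-0200", f"{hdr}: transport input is not 'ssh' only"))
        if hdr.startswith("line aux") and "transport input none" not in sub:
            f.append(("CSCO-0210", f"{hdr}: transport input not set to none"))
    # CSCO-0230
    m = re.search(r"^security passwords min-length (\d+)$", text, re.M)
    if m is None or int(m.group(1)) < 8:
        f.append(("CSCO-0230", "password min-length unset or below 8"))
    # CSCO-0240
    for needed in ("login block-for", "login on-failure log", "login on-success log"):
        if not has(needed):
            f.append(("CSCO-0240", f"missing '{needed}'"))
    return f

def finding_ids(text):
    return sorted({fid for fid, _ in audit(text)})

if __name__ == "__main__":
    for fid, msg in audit(SAMPLE_CONFIG):
        print(fid, msg)
```

Run it against the output of `show running-config` saved to a file; on the constructed sample it flags the type-7 user password, the HTTP server and CDP, the telnet-capable vty lines, the open AUX port and the missing on-success logging.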
CSCO-0250 Image Verification
file verify auto
CSCO-0260 Exclusive Configuration Change Access
configuration mode exclusive auto
CSCO-0270 Configuration Change Notification and Logging
archive
log config
logging enable
logging size 200
hidekeys
notify syslog
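With `notify syslog` under `archive / log config` (CSCO-0270), every configuration command entered on the device is sent to the syslog collector, which is what makes drift from this checklist detectable in near real time rather than at the next audit. The script below is an added example, not part of the Cisco guide: it parses constructed syslog lines, assumed to follow the %PARSER-5-CFGLOG_LOGGEDCMD message format, and raises an alert whenever a logged command undoes one of the settings above. The list of weakening commands and the sample log are both constructed here.

```python
import re
from collections import Counter

# Constructed syslog sample (not from a real device). Each configuration command
# is assumed to arrive as a %PARSER-5-CFGLOG_LOGGEDCMD record naming the user.
SAMPLE_LOGS = """\
<189>Jan 10 10:01:02 edge-rtr1 512: %PARSER-5-CFGLOG_LOGGEDCMD: User:ops  logged command:interface GigabitEthernet0/1
<189>Jan 10 10:01:05 edge-rtr1 513: %PARSER-5-CFGLOG_LOGGEDCMD: User:ops  logged command:description uplink to core
<189>Jan 10 10:02:10 edge-rtr1 514: %SYS-5-CONFIG_I: Configured from console by ops on vty0 (203.0.113.10)
<189>Jan 10 10:30:44 edge-rtr1 515: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup  logged command:no service password-encryption
<189>Jan 10 10:30:49 edge-rtr1 516: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup  logged command:line vty 0 4
<189>Jan 10 10:30:52 edge-rtr1 517: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup  logged command:transport input telnet ssh
<189>Jan 10 11:15:00 edge-rtr1 518: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:ip source-route
"""

CFGLOG_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.+)$")

# Commands that undo an item of this checklist, with the item they weaken.
# Matched as a prefix of the whitespace-normalised command text.
WEAKENING = [
    ("no service password-encryption", "CSCO-0020"),
    ("service password-recovery", "CSCO-0040"),
    ("ip http server", "CSCO-0050"),
    ("transport input telnet", "CSCO-0200"),
    ("transport input all", "CSCO-0200"),
    ("no login block-for", "CSCO-0240"),
    ("no service-policy input COPP-INPUT-POLICY", "CSCO-0280"),
    ("no ip options drop", "CSCO-0290"),
    ("ip source-route", "CSCO-0295"),
]

def parse_cfglog(line):
    """Return (user, command) for a config-change record, else None."""
    m = CFGLOG_RE.search(line)
    if not m:
        return None
    return m.group("user"), " ".join(m.group("cmd").split())

def classify(cmd):
    """Checklist item the command weakens, or None if it is not on the list."""
    for prefix, item in WEAKENING:
        if cmd.startswith(prefix):
            return item
    return None

def scan(log_text):
    """Alerts for every logged command that weakens a checklist item, in log order."""
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_cfglog(line)
        if parsed is None:
            continue                      # other syslog facilities are ignored
        user, cmd = parsed
        item = classify(cmd)
        if item is not None:
            alerts.append({"user": user, "cmd": cmd, "item": item})
    return alerts

def per_user(alerts):
    """Count of weakening changes per user, useful for spotting a single session
    that walked back several settings at once."""
    return dict(Counter(a["user"] for a in alerts))

if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for a in found:
        print(f"{a['item']} user={a['user']} cmd={a['cmd']!r}")
    print(per_user(found))
```

Feeding this the collector's stream (or its archive) turns the checklist into a detection: in the constructed sample the service account reverts password obfuscation and re-enables telnet on the vty lines within ten seconds, which is the pattern to page on.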
CSCO-0280 Control Plane Policing
!
access-list 152 deny tcp <trusted-addresses> <mask> any eq 22
access-list 152 permit tcp any any eq 22
access-list 152 deny ip any any
!
class-map match-all COPP-KNOWN-UNDESIRABLE
match access-group 152
!
policy-map COPP-INPUT-POLICY
class COPP-KNOWN-UNDESIRABLE
drop
!
control-plane
service-policy input COPP-INPUT-POLICY
!
CSCO-0290 IP Options Selective Drop
ip options drop
CSCO-0295 Disable IP Source Route
no ip source-route
CSCO-0300 IP ICMP Redirects
no ip redirects
CSCO-0310 ICMP unreachables
no ip unreachables
CSCO-0320 Proxy ARP
no ip proxy-arp
CSCO-0400 Control Plane Policing
access-list 152 deny tcp <trusted-addresses> <mask> any eq 22
access-list 152 permit tcp any any eq 22
access-list 152 deny ip any any
!
class-map match-all COPP-KNOWN-UNDESIRABLE
match access-group 152
!
policy-map COPP-INPUT-POLICY
class COPP-KNOWN-UNDESIRABLE
drop
!
control-plane
service-policy input COPP-INPUT-POLICY
CSCO-0410 Securing First Hop Redundancy Protocols
!
interface FastEthernet 1
description *** GLBP Authentication ***
glbp 1 authentication md5 key-string <glbp-secret>
glbp 1 ip 10.1.1.1
!
interface FastEthernet 2
description *** HSRP Authentication ***
standby 1 authentication md5 key-string <hsrp-secret>
standby 1 ip 10.2.2.1
!
interface FastEthernet 3
description *** VRRP Authentication ***
vrrp 1 authentication md5 key-string <vrrp-secret>
vrrp 1 ip 10.3.3.1
!
- - - - - - - - -
IPv6 Security
CSCO-0500 IPv6 ICMP (filtering)
CSCO-0520 IPv6 Multicast security (filtering)
CSCO-0530 Extension Headers (filtering)
CSCO-0540 Routing Headers
CSCO-0550 Fragmentation Headers
CSCO-0560 Unknown Option Headers
CSCO-0570 uRPF
ipv6 verify unicast reverse-path
CSCO-0590 Bogon Filtering
RFC 5156 Special-Use IPv6 Addresses
CSCO-0600 RFC 3849 IPv6 Documentation IPv6 Address Prefix
The IPv6 unicast address block 2001:DB8::/32 is reserved for documentation purposes. RFC 3849 describes its use and purpose. Packet filters should block this address block.
http://tools.ietf.org/html/rfc3849
CSCO-2001 BGP Authentication
Border Gateway Protocol authentication should be enabled with peers. The authentication between BGP peers assures routing updates are communicated from trusted sources.
This rule is related to the DISA Network Infrastructure STIG NET0408 "BGP must authenticate all peers".
neighbor 10.10.40.2 password 7 09181F221016241D4A5E57