In this example, MPP is used to restrict SNMP and SSH access to the FastEthernet 0/0 interface only. Refer to the Management Plane Protection Feature Guide for more information. You must secure both the management plane and the control plane of a device, because the operation of the control plane directly affects the operation of the management plane. There are no specific requirements for this document. Cisco IOS software supports SSH Version 1.0 (SSHv1), SSH Version 2.0 (SSHv2), and HTTPS, which uses Secure Sockets Layer (SSL) and Transport Layer Security (TLS) for authentication and data encryption. Cisco IOS software also supports the Secure Copy Protocol (SCP), which provides an encrypted and authenticated connection for copying device configurations or software images; SCP relies on SSH. An administrator can view the contents of the logging buffer with the show logging EXEC command. When logging to local nonvolatile storage is configured, the filename format is log_month:day:year::time. You should never connect a network to the Internet without installing a carefully configured firewall. IP Source Guard can be applied to Layer 2 interfaces that belong to DHCP snooping-enabled VLANs. Known as both the Generalized TTL-based Security Mechanism (GTSM) and the BGP TTL Security Hack (BTSH), TTL-based security uses the TTL value of received IP packets to ensure that BGP packets come from a directly connected peer. Classification ACLs do not alter the security policy of a network; they are typically constructed to classify individual protocols, source addresses, or destinations. This ACL example creates a policy that filters IP packets whose TTL value is less than 6. These topics contain operational recommendations that you are advised to implement.
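The MPP example referred to above was stripped from the page; the following is an added illustration, not configuration from the original Cisco document, of how MPP restricts SSH and SNMP to FastEthernet0/0 and how the vty lines are tightened alongside it. The interface name, the management subnet 192.0.2.0/28, the domain name and the release assumption (12.4(6)T or later, where MPP, a subset of CPPr, exists) are assumptions.

```cisco
! Assumed release: 12.4(6)T or later, where MPP (part of CPPr) is available.
! 1. Management Plane Protection: accept in-band management only on
!    FastEthernet0/0, and only SSH and SNMP there. Every other interface
!    silently drops SSH/SNMP/Telnet/HTTP(S)/FTP/TFTP destined to the device.
control-plane host
 management-interface FastEthernet0/0 allow ssh snmp
!
! 2. SSH version 2 only, with a host key of at least 2048 bits.
!    The key is created with the EXEC command
!      crypto key generate rsa modulus 2048
!    which is not stored in the configuration.
ip domain-name example.net
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! 3. Defence in depth on the vtys (MPP does not replace this): SSH only,
!    only from the management subnet, with an idle timeout so abandoned
!    sessions free the line instead of exhausting the vtys.
ip access-list standard ACL-VTY-IN
 permit 192.0.2.0 0.0.0.15
 deny   any log
line vty 0 4
 transport input ssh
 access-class ACL-VTY-IN in
 exec-timeout 10 0
!
! Verify with:  show management-interface
!               show ip ssh
```

MPP only filters in-band management protocols; it does nothing for the console or AUX lines, which still need their own line security, and the number of vty lines (0 4 here) varies by platform, so cover all of them.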
In Cisco IOS Software Release 15.1(1)T and later, Key Replacement for Digitally Signed Cisco Software was introduced. See the General Management Plane Hardening section of this document for more information about the removal of Type 7 passwords. This configuration example demonstrates the use of GLBP, HSRP, and VRRP MD5 authentication. Although the data plane is responsible for moving data from source to destination, within the context of security the data plane is the least important of the three planes. Prefix lists should be applied to each eBGP peer in both the inbound and outbound directions. This example illustrates the configuration of this feature for automatic configuration locking. Added in Cisco IOS Software Release 12.3(8)T, the Resilient Configuration feature makes it possible to securely store a copy of the Cisco IOS software image and of the device configuration that is currently used by a Cisco IOS device. At times you need to quickly identify and trace back network traffic, especially during incident response or poor network performance. Refer to An Introduction to Cisco IOS NetFlow - A Technical Overview for a technical overview of NetFlow. This example must be used with the ACEs from the previous examples in order to include complete filtering of IP packets that contain IP options. Cisco IOS Software Release 12.4(2)T added ACL support for filtering IP packets based on the Time to Live (TTL) value. The management plane of a device is accessed in-band or out-of-band on a physical or logical management interface. The receiving BGP speaker uses the same algorithm and secret key to regenerate the message digest and compares it with the received one. If all configured TACACS+ servers become unavailable, a Cisco IOS device can fall back to secondary authentication methods. Unlike the passive-interface router configuration command, routing continues on interfaces once route filtering is enabled, but the information that is advertised or processed is limited.
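The GLBP/HSRP/VRRP authentication example is missing from the page; the block below is an added example written for this edit, not Cisco's own, showing all three FHRPs with MD5 authentication. Interface names, the RFC 5737 documentation addresses, the key-chain name and the placeholder secrets are assumptions.

```cisco
! A key chain lets the HSRP key be rotated with accept/send lifetimes
! instead of a flag-day change on every router in the group.
key chain HSRP-KEYS
 key 1
  key-string <hsrp-secret>
!
interface GigabitEthernet0/1
 ip address 192.0.2.2 255.255.255.0
 ! HSRP group 1, virtual gateway 192.0.2.1, MD5 via the key chain
 standby 1 ip 192.0.2.1
 standby 1 authentication md5 key-chain HSRP-KEYS
!
interface GigabitEthernet0/2
 ip address 198.51.100.2 255.255.255.0
 ! VRRP group 1 with an inline MD5 key string
 vrrp 1 ip 198.51.100.1
 vrrp 1 authentication md5 key-string <vrrp-secret>
!
interface GigabitEthernet0/3
 ip address 203.0.113.2 255.255.255.0
 ! GLBP group 1 with an inline MD5 key string
 glbp 1 ip 203.0.113.1
 glbp 1 authentication md5 key-string <glbp-secret>
!
! Verify that peers authenticate:
!   show standby brief / show vrrp brief / show glbp brief
```

Every member of a group must carry the identical key, otherwise the unauthenticated routers are ignored and the group may split with two active gateways. The key strings are stored in the configuration (plaintext, or Type 7 with service password-encryption), which is one more reason the configuration itself must be protected.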
Logging timestamps should be configured to include the date and time with millisecond precision and the time zone in use on the device. The distribute-list command is available for OSPF, but it does not prevent a router from propagating filtered routes; it only keeps them out of the local routing table, because OSPF floods LSAs regardless. The Enhanced Password Security feature, introduced in Cisco IOS Software Release 12.2(8)T, allows an administrator to configure MD5 hashing of passwords for the username command. Route filtering can be used in conjunction with prefix lists to establish a robust set of filters. Cisco IOS software provides functionality to specifically filter ICMP messages by name or by type and code. This example demonstrates usage of this feature. In order to reduce the possibility that false routing information is introduced into the network, you must use route filtering. Filtering transit traffic is normally the job of a firewall; however, there are instances where it is beneficial to perform this filtering on a Cisco IOS device, for example where filtering is required but no firewall is present. NetFlow can be configured on routers and switches, and it can be implemented with collectors that provide long-term trending and automated analysis. The generation and transmission of ICMP error messages, such as unreachables and Time Exceeded, is an exception process that is handled by the CPU rather than in the forwarding path. The current password recovery procedure enables anyone with console access to access the device and its network. You need to have knowledge of a vulnerability before the threat it poses to a network can be evaluated. VLAN access maps support IPv4 and MAC access lists; however, they do not support logging or IPv6 ACLs. The CPPr policy also drops packets with selected IP options that are received by the device. Receive ACLs (rACLs) protect only the device on which they are configured; transit traffic is not affected by an rACL. If a match is found, the client tries to validate the signature with the server host key. If one of these planes is successfully exploited, all planes can be compromised.
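An added example (not from the original document) of the logging configuration the paragraph above recommends: millisecond timestamps with time zone, console logging off, a sized local buffer, and a remote syslog server reached from a loopback so the source address is stable. The syslog server address, loopback, file system name and buffer sizes are assumptions.

```cisco
! Timestamps with date, time, milliseconds and time zone, for both log
! and debug output, so events can be correlated across devices.
service timestamps log datetime msec show-timezone
service timestamps debug datetime msec show-timezone
! Keep all devices in one zone; NTP must also be configured (see below).
clock timezone UTC 0
!
! Console logging is synchronous and CPU-expensive; disable it and rely
! on the buffer and the remote server instead.
no logging console
no logging monitor
!
! Local buffer: 16 KB, severity 6 (informational) and more severe.
logging buffered 16384 informational
!
! Remote syslog: same severity, sourced from Loopback0 so the server
! always sees one address per device regardless of the egress interface.
logging trap informational
logging source-interface Loopback0
logging host 192.0.2.50
!
! Optional persistent copy on local storage (files are named
! log_month:day:year::time); path and sizes are assumptions.
logging persistent url flash:/syslog size 16777216 filesize 262144
!
! Verify: show logging
```

Informational (6) captures configuration changes and login events; debugging (7) should not be sent to the buffer or the server in normal operation because of the volume and CPU cost.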
SNMP Version 3 (SNMPv3) is defined by RFC 3410, RFC 3411, RFC 3412, RFC 3413, RFC 3414, and RFC 3415, and is an interoperable, standards-based protocol for network management. Additionally, you are advised to use the notify syslog configuration command to generate syslog messages when a configuration change is made. Unicast RPF can be configured in one of two modes: loose or strict. In Cisco IOS Software Release 12.4(4)T and later, Flexible Packet Matching (FPM) allows an administrator to match on arbitrary bits of a packet. The use of this command is illustrated as follows. Refer to Neighbor Router Authentication for more information about BGP peer authentication with MD5. This configuration must be used to enable TCP keepalives on inbound connections to the device and on outbound connections from the device. Since the management plane is reachable over the network, remote access is possible from anywhere in the world to which the network is connected. Refer to Understanding Control Plane Protection and Control Plane Protection for more information about the CPPr feature. The configuration archive features include functionality to archive configurations, to roll back the configuration to a previous version, and to create a detailed configuration change log. In order to further restrict access to all the clients within the infrastructure, administrators can use these security best practices on other devices in the network. Devised to prevent unauthorized direct communication to network devices, infrastructure access control lists (iACLs) are one of the most critical security controls that can be implemented in networks. When the Resilient Configuration feature is enabled, it is not possible to alter or remove the secured backup files. CPPr, added in Cisco IOS Software Release 12.4(4)T, divides the control plane into separate control plane categories that are known as subinterfaces. IP Source Guard is an effective means of spoofing prevention that can be used if you have control over Layer 2 interfaces.
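The archive, change-log and TCP keepalive commands mentioned above are shown together in this added example, which is not configuration from the original document. The archive path, retention values and the use of automatic configuration locking are assumptions; the directory named in path must already exist on the file system.

```cisco
! Configuration archive: a snapshot on every write memory and every
! 1440 minutes, keeping the 14 most recent copies.
archive
 path flash:archived-config
 maximum 14
 time-period 1440
 write-memory
 ! Change log: record every configuration command (500 entries),
 ! redact passwords/keys, and emit a syslog message per change.
 log config
  logging enable
  logging size 500
  hidekeys
  notify syslog
!
! Exclusive Configuration Change Access, auto mode: the running config is
! locked while one session is in configuration mode, so two administrators
! cannot make conflicting simultaneous changes.
configuration mode exclusive auto
!
! TCP keepalives on sessions to and from the device, so half-open or
! orphaned management sessions are torn down and do not hold vty lines.
service tcp-keepalives-in
service tcp-keepalives-out
!
! Verify: show archive
!         show archive log config all
!         show configuration lock
```

With hidekeys, the change log stores a placeholder for password and key arguments, so the log itself does not become a second copy of the secrets; without it, anyone with access to the log has them.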
In conjunction with AAA log data, this information can assist in the security auditing of network devices. FHRPs such as HSRP, VRRP, and GLBP exchange hello messages on the local segment; without authentication, this communication can allow an attacker to pose as an FHRP-speaking device and assume the default gateway role on the network. The use of the enable secret is preferred because the secret is hashed with a one-way algorithm, which is inherently more secure than the reversible Type 7 encoding that is used with the enable password and with passwords for line or local authentication. The service tcp-keepalives-in and service tcp-keepalives-out global configuration commands enable a device to send TCP keepalives for TCP sessions, so that half-open or orphaned management sessions are torn down rather than exhausting the vty lines. The rACL protects the device from harmful traffic before the traffic impacts the route processor. The hash is used to determine whether the server has an entry that matches. If no service password-recovery is enabled on a device, it is recommended that an offline copy of the device configuration be saved and that a configuration archiving solution be implemented, because the only recovery path is then to erase the configuration. This CPPr policy drops transit packets received by a device where the TTL value is less than 6, and transit or non-transit packets received by a device where the TTL value is zero or one. Typical configurations fall back to local or enable authentication if all configured TACACS+ servers are unavailable. Refer to Protecting Your Core: Infrastructure Protection Access Control Lists for more information about infrastructure ACLs. Refer to Digitally Signed Cisco Software for more information about that feature. OSPF does not utilize key chains in the classic configuration; its MD5 keys are configured per interface. Some feature descriptions in this document were written by Cisco information development teams. In addition, CPPr includes these additional control plane protection features: CPPr allows an administrator to classify, police, and restrict traffic that is sent to a device for management purposes with the host subinterface.
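This added example (written for this edit, not taken from the original document) ties together the credential and AAA recommendations from this paragraph and the Enhanced Password Security paragraph above: hashed local secrets, TACACS+ with local fallback, command accounting, login throttling, and, last, no service password-recovery. The server address, management subnet, group names and placeholder secrets are assumptions; the named tacacs server syntax assumes a 15.x release (older releases use tacacs-server host).

```cisco
! Assumed: TACACS+ server 192.0.2.10, management subnet 192.0.2.0/28.
!
! Hashed credentials: 'secret' (Type 5, MD5 in this release) instead of
! 'password' (Type 7), which is only obfuscated and trivially reversed.
enable secret <strong-enable-secret>
username admin privilege 15 secret <strong-admin-secret>
!
! Type 7 obfuscation for any remaining plaintext passwords: it protects
! against a glance at the screen, not against anyone holding the config.
service password-encryption
!
aaa new-model
tacacs server TAC-PRIMARY
 address ipv4 192.0.2.10
 key <tacacs-shared-secret>
aaa group server tacacs+ TACACS-SERVERS
 server name TAC-PRIMARY
!
! Method lists are tried in order: TACACS+ first, the local database only
! when every TACACS+ server is unreachable (not when a server says no).
aaa authentication login default group TACACS-SERVERS local
aaa authentication enable default group TACACS-SERVERS enable
aaa authorization exec default group TACACS-SERVERS local
aaa authorization commands 15 default group TACACS-SERVERS local
! Command accounting: every privilege-15 EXEC command goes to TACACS+.
aaa accounting exec default start-stop group TACACS-SERVERS
aaa accounting commands 15 default start-stop group TACACS-SERVERS
!
! Brute-force throttling: 3 failures within 60 s -> 120 s quiet period,
! during which only the management subnet may still attempt to log in.
ip access-list standard ACL-QUIET-MODE
 permit 192.0.2.0 0.0.0.15
login block-for 120 attempts 3 within 60
login quiet-mode access-class ACL-QUIET-MODE
login on-failure log
!
! Only once an offline copy of the configuration exists and the archive
! works: close the ROMMON password-recovery path.
no service password-recovery
```

Test the fallback deliberately (block the TACACS+ server and log in with the local account) before relying on it; a method list that reads group TACACS-SERVERS only, with no local, locks everyone out of the device when the server is down.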
In order to maintain a secure network, you need to be aware of the Cisco security advisories and responses that have been released. Proxy ARP can help machines on a subnet reach remote subnets without configuring routing or a default gateway, but it also lets a device answer ARP requests on behalf of other hosts and should be disabled where it is not required. These global configuration commands can be used to enable this feature. Securing the management plane includes interactive management sessions that use SSH, as well as statistics gathering with SNMP or NetFlow. Filtering packets with IP options at the edge prevents both the elevated CPU load and the possible subversion of security controls that IP options can enable. This FPM policy drops packets with a TTL value less than six. Infrastructure ACLs (iACLs) can be deployed to ensure that only end hosts with trusted IP addresses can send SNMP traffic to an IOS device. In previous releases of Cisco IOS software, the command to enable NetFlow on an interface is ip route-cache flow instead of ip flow {ingress | egress}. The TTL value of an IP datagram is decremented by one at each network device as a packet flows from source to destination. In Cisco IOS Software Release 12.4(4)T and later, Control Plane Protection (CPPr) can be used to restrict or police control plane traffic that is processed by the CPU of a Cisco IOS device. Refer to ACL Support for Filtering on TTL Value for more information about this feature. Refer to Transit Access Control Lists: Filtering at Your Edge for more information about tACLs. NetFlow enables you to monitor traffic flows in the network. GTSM for BGP is enabled with the ttl-security option of the neighbor BGP router configuration command. This command is supported in Cisco IOS Software Release 12.2(18)SXD (for the Sup 720) and Cisco IOS Software Releases 12.2(33)SRA or later.
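The page's BGP recommendations (MD5 peer authentication, GTSM via ttl-security, per-peer maximum prefixes, and prefix lists in both directions) are combined in this added example, which is not from the original document. Autonomous system numbers (RFC 5398 documentation range), addresses and prefix-list names are assumptions.

```cisco
! Assumed: we are AS 64496 announcing 198.51.100.0/24; the directly
! connected eBGP peer 192.0.2.1 in AS 64511 owns 203.0.113.0/24.
!
! Inbound: accept only the peer's own space (and nothing longer than /28).
ip prefix-list PL-PEER-IN seq 5 permit 203.0.113.0/24 le 28
ip prefix-list PL-PEER-IN seq 100 deny 0.0.0.0/0 le 32
! Outbound: advertise only what this organisation intends to announce.
ip prefix-list PL-PEER-OUT seq 5 permit 198.51.100.0/24
ip prefix-list PL-PEER-OUT seq 100 deny 0.0.0.0/0 le 32
!
router bgp 64496
 neighbor 192.0.2.1 remote-as 64511
 ! TCP MD5 signature option (RFC 2385); the peer must configure the
 ! identical secret or the session never establishes.
 neighbor 192.0.2.1 password <bgp-md5-secret>
 ! GTSM: only packets with TTL >= 255 - 1 = 254 are accepted, i.e. only a
 ! directly connected peer. Mutually exclusive with ebgp-multihop.
 neighbor 192.0.2.1 ttl-security hops 1
 address-family ipv4
  neighbor 192.0.2.1 activate
  ! Tear the session down if the peer sends more than 50 prefixes,
  ! warn at 80 %, and retry automatically after 30 minutes.
  neighbor 192.0.2.1 maximum-prefix 50 80 restart 30
  neighbor 192.0.2.1 prefix-list PL-PEER-IN in
  neighbor 192.0.2.1 prefix-list PL-PEER-OUT out
!
! Verify: show ip bgp neighbors 192.0.2.1 | include TTL|prefix|Option
```

ttl-security must be enabled on both ends: the local router also sends its own BGP packets with TTL 255, and a peer that still sends the default TTL of 1 is rejected as soon as the check is turned on here.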
Dynamic ARP Inspection (DAI) can be used to mitigate ARP poisoning attacks on local segments. Additional information about filtering unused addresses is available at the Bogon Reference Page. Because only the first fragment of a datagram carries the Layer 4 header, and because of the nonintuitive way fragments are matched against ACLs, IP fragments are often used in attacks and should be explicitly filtered at the top of any configured tACL. When all vty lines are in use, new management sessions cannot be established, which creates a DoS condition for access to the device. Logging ACL matches or otherwise punting traffic to the CPU can elevate the CPU load of an IOS device and is therefore not recommended as a general practice. IP options also include functionality to alter the path that traffic takes through the network, which potentially allows an attacker to subvert security controls. Spoofing can be minimized in traffic that originates from the local network if you apply outbound ACLs that limit the traffic to valid local addresses. In Cisco IOS Software Release 12.3(4)T and later, Cisco IOS software supports the use of ACLs to filter IP packets based on the IP options that are contained in the packet. Protocols that leverage virtual MAC addresses, such as HSRP, do not function when the Port Security maximum number of MAC addresses is set to one. The functionality from this example must be used in conjunction with the functionality of the previous examples. Note that MPP is a subset of the CPPr feature and requires a version of IOS that supports CPPr. When a signed image is verified, the device recovers the signed hash with the corresponding public key from its key store, calculates its own hash of the image, and compares the two; the image is accepted only if they match. It is for these reasons that packets with IP options should be filtered at the edge of the network. There are many tools available that can easily decrypt Type 7 passwords.

© 2020 Cisco and/or its affiliates.
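An added example (not from the original document) of the edge ACL described in the surrounding paragraphs: fragments filtered first, then packets carrying IP options, then packets whose TTL cannot carry them across the network. The interface name and the five-hop network width are assumptions; the ttl keyword needs 12.4(2)T or later and the option keyword 12.3(4)T or later.

```cisco
ip access-list extended ACL-EDGE-IN
 ! 1. Fragments first. Non-initial fragments carry no Layer 4 header, so
 !    IOS evaluates them against Layer 3 information only and any
 !    port-based ACE further down would match them unintentionally.
 deny   tcp  any any fragments
 deny   udp  any any fragments
 deny   icmp any any fragments
 deny   ip   any any fragments
 ! 2. Any packet carrying IP options (source route, record route,
 !    timestamp, ...). They are punted to the CPU and can steer traffic
 !    around security controls.
 deny   ip   any any option any-options
 ! 3. Packets that cannot cross a network at most five hops wide anyway.
 !    Left alone they only force routers inside to expire them and
 !    generate ICMP Time Exceeded messages (a CPU exception process).
 !    Caveat: traceroute relies on low TTLs, so hops 1-5 behind this
 !    edge stop answering once this ACE is in place.
 deny   ip   any any ttl lt 6
 ! 4. The rest of the transit policy goes here. The closing permit keeps
 !    this a hygiene/classification filter, not a firewall policy.
 permit ip   any any
!
interface GigabitEthernet0/0
 description untrusted edge
 ip access-group ACL-EDGE-IN in
!
! Watch hit counts before and after: show ip access-lists ACL-EDGE-IN
```

To measure before you drop, swap deny for permit with the log keyword on the TTL and option ACEs for a short period; as the page notes, per-packet logging costs CPU, so do not leave it on.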
Port Security can be used to validate MAC addresses at the access layer. Failure to secure the exchange of routing information allows an attacker to introduce false routing information into the network. This example demonstrates how ACLs can be used to limit IP spoofing. Any method used to access the console port of a device must be secured in a manner that is equal to the security that is enforced for privileged access to the device. The ability of a network to properly forward traffic and recover from topology changes or faults depends on an accurate view of the topology. IP source routing can be used in attempts to route traffic around security controls in the network. Instead of console logging, you are advised to send logging information to the local log buffer, which can be viewed with the show logging command. Prefixes that are sourced from all other autonomous systems are filtered and not installed in the routing table. Configured prefix lists limit the prefixes that are sent or received to those specifically permitted by the routing policy of a network. Administrators are advised to evaluate each option for its potential risk before they implement it. Each of these options has advantages. Anyone with privileged access to a device has the capability for full administrative control of that device. There are two configuration options that are relevant when configuring buffered logging: the logging buffer size and the message severities that are stored in the buffer. This configuration example shows the use of these commands. Refer to the Cisco IOS Network Management Command Reference for more information about these global configuration commands.
The implementation of iACLs can be made easier through the use of distinct addressing for network infrastructure devices. This example shows how to enable MPP to allow only SSH and HTTPS on the GigabitEthernet0/1 interface. Refer to Management Plane Protection for more information about MPP. This configuration example combines the previous isolated and community VLAN examples and adds the configuration of interface FastEthernet 1/12 as a promiscuous port. When you implement PVLANs, it is important to ensure that the Layer 3 configuration in place supports the restrictions that are imposed by PVLANs and does not allow the PVLAN configuration to be subverted, for example by a router that forwards traffic between isolated hosts at the Layer 3 boundary. This feature is not available in all Cisco IOS software releases. In some configurations, a subset of all Internet prefixes can be stored, such as in configurations that leverage only a default route or routes for a provider's customer networks. Within the data plane itself, there are many features and configuration options that can help secure traffic. This example iACL configuration illustrates the structure that must be used as a starting point when you begin the iACL implementation process. Once created, the iACL must be applied to all interfaces that face non-infrastructure devices. Memory Leak Detector is able to find leaks in all memory pools, packet buffers, and chunks. Added in Cisco IOS Software Release 15.0(1)M for the Cisco 1900, 2900, and 3900 Series routers, the Digitally Signed Cisco Software feature facilitates the use of Cisco IOS Software that is digitally signed, and thus trusted, with the use of secure asymmetric (public-key) cryptography. Since MD5 authentication is much more secure than plaintext password authentication, these examples are specific to MD5 authentication.
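The iACL starting-point structure referred to above, as an added example rather than the original document's configuration. It assumes the infrastructure lives in 198.51.100.0/24 (the distinct addressing the paragraph recommends), management stations in 192.0.2.0/28, an eBGP peer at 203.0.113.1 talking to 198.51.100.1, and an external-facing GigabitEthernet0/0.

```cisco
ip access-list extended ACL-INFRASTRUCTURE-IN
 ! Fragments aimed at infrastructure space are dropped first: the Layer 4
 ! permits below never see them, so they cannot be used to slip through.
 deny   tcp  any 198.51.100.0 0.0.0.255 fragments
 deny   udp  any 198.51.100.0 0.0.0.255 fragments
 deny   icmp any 198.51.100.0 0.0.0.255 fragments
 deny   ip   any 198.51.100.0 0.0.0.255 fragments
 ! Required sessions terminated on the infrastructure: eBGP with the peer,
 ! in whichever direction the TCP session was opened.
 permit tcp host 203.0.113.1 host 198.51.100.1 eq bgp
 permit tcp host 203.0.113.1 eq bgp host 198.51.100.1
 ! In-band management only from the trusted management stations.
 permit tcp 192.0.2.0 0.0.0.15 198.51.100.0 0.0.0.255 eq 22
 permit udp 192.0.2.0 0.0.0.15 198.51.100.0 0.0.0.255 eq snmp
 ! Minimal ICMP so ping and path MTU discovery keep working.
 permit icmp any 198.51.100.0 0.0.0.255 echo
 permit icmp any 198.51.100.0 0.0.0.255 echo-reply
 permit icmp any 198.51.100.0 0.0.0.255 packet-too-big
 ! Everything else destined to the infrastructure is dropped ...
 deny   ip   any 198.51.100.0 0.0.0.255
 ! ... while transit traffic through the device is untouched.
 permit ip   any any
!
interface GigabitEthernet0/0
 description external-facing, non-infrastructure side
 ip access-group ACL-INFRASTRUCTURE-IN in
!
! Verify: show ip access-lists ACL-INFRASTRUCTURE-IN
```

The ACL has to be applied on every interface that faces non-infrastructure devices, not just the Internet edge; a single customer-facing port without it is a path straight to the route processors. Add permits for every protocol the infrastructure genuinely terminates (other routing peers, NTP, syslog replies, TACACS+ responses) by watching the deny counter before enforcing.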
CPPr divides the aggregate control plane into three separate control plane categories, known as subinterfaces: the host, transit, and CEF-exception subinterfaces. CDP must be disabled on all interfaces that are connected to untrusted networks. The archived configurations can be viewed with the show archive EXEC command. Once a VLAN map is configured, all packets that enter the VLAN are sequentially evaluated against the configured VLAN map. The protections provided by iACLs are relevant to both the management and control planes. You should never connect a network to the Internet without installing a carefully configured firewall. The Type 7 algorithm is not designed to protect configuration files against serious analysis by even slightly sophisticated attackers and must not be used for this purpose. Refer to Configuring the BGP Maximum-Prefix Feature for more information about per-peer maximum prefixes. A similar limit is possible with OSPF if you use the Link State Database Overload Protection feature. Once the archive is enabled, an administrator can cause the current running configuration to be added to the archive with the archive config privileged EXEC command. When configured, AAA command accounting sends information about each EXEC command that is entered to the configured TACACS+ servers. The memory threshold notification feature enables a device to generate a notification when available free memory falls below the specified threshold, and again when available free memory rises to five percent above the specified threshold. Refer to Understanding Control Plane Protection for more information on CPPr. If the control plane were to become unstable during a security incident, it can be impossible for you to recover the stability of the network. The lowest severity included in the buffer is configured with the logging buffered severity command. Peer authentication with MD5 creates an MD5 digest of each packet sent as part of a BGP session.
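The CPPr TTL policy that the page describes (drop transit packets with TTL below 6, and any punted packet with TTL 0 or 1) is shown here as an added example, not as configuration from the original document. ACL, class-map and policy-map names are assumptions; the release must support CPPr (12.4(4)T or later).

```cisco
! Transit subinterface: packets punted to the CPU that are not addressed
! to the router itself (e.g. because of options or ACL logging).
ip access-list extended ACL-TTL-TRANSIT
 permit ip any any ttl lt 6
! Aggregate control plane: anything punted with TTL 0 or 1, whether
! destined to the router (host) or through it.
ip access-list extended ACL-TTL-ALL
 permit ip any any ttl lt 2
!
class-map match-all CM-TTL-TRANSIT
 match access-group name ACL-TTL-TRANSIT
class-map match-all CM-TTL-ALL
 match access-group name ACL-TTL-ALL
!
! 'permit' in the ACLs selects the packets; the policy-map decides their
! fate, here an unconditional drop.
policy-map PM-CPPR-TRANSIT
 class CM-TTL-TRANSIT
  drop
policy-map PM-COPP-ALL
 class CM-TTL-ALL
  drop
!
! CPPr policy on the transit subinterface ...
control-plane transit
 service-policy input PM-CPPR-TRANSIT
! ... and an aggregate CoPP policy for the TTL 0/1 case.
control-plane
 service-policy input PM-COPP-ALL
!
! Ver
ify: show policy-map control-plane transit
!         show policy-map control-plane
```

Packets that reach the router with TTL 1 are exactly those for which it would normally generate ICMP Time Exceeded; dropping them silently protects the CPU but makes this router (and anything behind it) invisible to traceroute. Apply the aggregate TTL 0/1 class only where that trade-off is understood, and keep the ACL counters under review rather than enforcing immediately.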
Cisco IOS software provides a password recovery procedure that relies upon access to ROM Monitor Mode (ROMMON) using the Break key during system startup. In cooperation with counsel, a banner can provide some or all of this information. From a security point of view, rather than a legal one, a login banner should not contain any specific information about the router name, model, software, or ownership. IP source routing leverages the Loose Source Route and Record Route options in tandem, or the Strict Source Route option along with the Record Route option, to enable the source of the IP datagram to specify the network path a packet takes. The management plane is the plane that receives and sends traffic for the operation of these functions. You are advised to send logging information to a remote syslog server. Refer to Deploying Control Plane Policing for more information about the CoPP feature. A banner should give notice that any unauthorized use of the system is unlawful and can be subject to civil and criminal penalties. You are advised to use passwords with sufficient randomization. This EIGRP example filters outbound advertisements with the distribute-list command and a prefix list, and this EIGRP example filters inbound updates with a prefix list. Refer to Configuring IP Routing Protocol-Independent Features for more information about how to control the advertising and processing of routing updates. The MD5 algorithm used for the enable secret has had considerable public review and is not known to be reversible. SSHv1 is insecure and not standardized, so it is not recommended if SSHv2 is an option. Note that ttys can be used for connections to console ports of other devices. IP options include functionality to alter the path of packets across the network. The configuration of a Cisco IOS device contains many sensitive details, which is another reason to ensure that configuration files are protected both in transit and at rest. IP directed broadcasts are disabled with the no ip directed-broadcast interface configuration command, which is the default in Cisco IOS Software Release 12.0 and later.
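The two EIGRP filtering examples referred to above are reconstructed here as one added example (not the original document's configuration), together with the neighbor authentication the page recommends; for contrast it also shows the per-interface OSPF MD5 key that the page notes does not use a key chain. Process numbers, prefixes, interface names, key-chain names and placeholder secrets are assumptions.

```cisco
! Rotatable EIGRP key (with key chains, a second key with accept/send
! lifetimes can be staged before the first one is retired).
key chain EIGRP-KEYS
 key 1
  key-string <eigrp-secret>
!
! What we are willing to advertise to the neighbour ...
ip prefix-list PL-EIGRP-OUT seq 5 permit 10.10.0.0/16 le 24
! ... and what we are willing to learn from it.
ip prefix-list PL-EIGRP-IN seq 5 permit 10.20.0.0/16 le 24
!
router eigrp 100
 network 10.0.0.0
 ! Do not form adjacencies anywhere except where explicitly allowed.
 passive-interface default
 no passive-interface GigabitEthernet0/1
 ! Route filtering: routing still runs on the interface, but only the
 ! prefixes in the lists are advertised or accepted.
 distribute-list prefix PL-EIGRP-OUT out GigabitEthernet0/1
 distribute-list prefix PL-EIGRP-IN in GigabitEthernet0/1
!
interface GigabitEthernet0/1
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
! OSPF (classic configuration): no key chain, MD5 key per interface.
! Note that an OSPF distribute-list keeps routes out of this router's
! table but does not stop the LSAs from being flooded onward.
interface GigabitEthernet0/2
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <ospf-secret>
!
! Verify: show ip eigrp neighbors
!         show ip ospf interface GigabitEthernet0/2 | include authentication
```

Both sides of each adjacency must use the same key and algorithm; enabling authentication on one router alone drops the adjacency, so stage the change on both neighbours inside one window.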
This document contains information to help you secure your Cisco IOS system devices, which increases the overall security of your network. The memory reserve console 4096 command reserves 4096 kilobytes of memory so that the console remains usable for troubleshooting when the rest of memory is exhausted. The TCP and UDP small services (echo, chargen, discard, and daytime) are rarely used for any legitimate purpose and are disabled by default in current releases; confirm that no service tcp-small-servers and no service udp-small-servers are in effect. Cisco IOS software evaluates non-initial fragments against an ACL and ignores any Layer 4 filtering information, because only the first fragment carries the Layer 4 header. Port Security can use dynamically learned (sticky) MAC addresses to ease configuration. Any organization with more than modest connectivity requirements often uses BGP. The enable secret and Enhanced Password Security features use Message Digest 5 (MD5) for password hashing. An attacker can send packets with TTL values that are insufficient to traverse the network, forcing devices along the path to expire them and generate ICMP Time Exceeded messages; this is an exception process that consumes CPU resources. The Exclusive Configuration Change Access feature (the configuration lock) operates in one of two modes, auto or manual. CPU Thresholding Notification in Cisco IOS software supports two thresholds: a rising threshold and a falling threshold.
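An added example, not configuration from the original document, of the unneeded services and per-interface behaviours this page advises disabling: small servers, finger, BOOTP, PAD, the HTTP server, source routing, CDP/LLDP on untrusted interfaces, proxy ARP, ICMP redirects and directed broadcasts. The interface name and the unreachable rate-limit value are assumptions.

```cisco
! Services nobody should be offering from a router.
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip bootp server
no service pad
no ip http server
! Packets carrying source-route options are dropped rather than honoured.
no ip source-route
! Discovery protocols leak platform, version and addressing; turn them
! off globally (or at least per untrusted interface, see below).
no cdp run
no lldp run
! Rather than suppressing ICMP unreachables entirely (which breaks path
! MTU discovery), rate-limit their generation to one per second.
ip icmp rate-limit unreachable 1000
!
interface GigabitEthernet0/0
 description untrusted network
 ! Do not answer ARP on behalf of other hosts.
 no ip proxy-arp
 ! Do not tell hosts about "better" next hops.
 no ip redirects
 ! Default since 12.0, but make it explicit on every interface.
 no ip directed-broadcast
 ! Per-interface discovery protocol off, in case they are needed elsewhere.
 no cdp enable
 no lldp transmit
 no lldp receive
!
! Verify: show ip interface GigabitEthernet0/0 | include Proxy|redirect|broadcast
!         show cdp / show lldp
```

If HTTPS management is genuinely required, enable ip http secure-server with an ip http access-class restricting the sources, rather than leaving the plain HTTP server on.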
Network Time Protocol (NTP) is not an especially dangerous service, but any unneeded service can represent an attack vector. When logging to local nonvolatile storage reaches the configured size, the oldest log file is deleted and the current file is saved. Administrators are advised to use individual user accounts rather than a single shared password, so that actions can be attributed to a person. Private VLANs consist of primary VLANs, isolated VLANs, and community VLANs. The Exclusive Configuration Change Access feature prevents the potential impact of simultaneous changes made to related configuration components by different administrators. External ICMP connectivity is rarely needed for the proper operation of a network. Port Security mitigates MAC address spoofing at the access interface. RADIUS is similar in purpose to TACACS+; however, RADIUS encrypts only the password sent across the network, whereas TACACS+ encrypts the entire packet body. Key Replacement for Digitally Signed Cisco Software makes it possible to replace a special key and revoke the old one. Link Layer Discovery Protocol (LLDP), defined in IEEE 802.1AB, must be treated in the same manner as CDP and disabled on all interfaces that connect to untrusted networks. Refer to Configuring Commonly Used IP ACLs for more information. Without a consistent time source across devices, it is not possible to reliably correlate logging information. IP options present a security challenge in networks. The no service password-recovery global configuration command prevents anyone with console access from insecurely accessing the device configuration and clearing the password; save an offline copy of the configuration before you enable it.
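The SNMPv3 and authenticated NTP configuration the page recommends, as an added example that is not from the original document. Server addresses, the view/group/user names and the placeholder secrets are assumptions.

```cisco
! SNMPv3 with authentication and privacy (authPriv); no community strings.
! Restrict what the group can read, and from where.
ip access-list standard ACL-SNMP
 permit 192.0.2.50
snmp-server view V3-RO iso included
snmp-server group NMS-GROUP v3 priv read V3-RO access ACL-SNMP
! SHA for authentication, AES-128 for privacy. The user is stored
! outside the running configuration: verify it with 'show snmp user'.
snmp-server user nmsuser NMS-GROUP v3 auth sha <auth-secret> priv aes 128 <priv-secret>
! Remove any leftover v1/v2c communities; each is a plaintext password.
no snmp-server community public
no snmp-server community private
!
! Authenticated NTP, so that the time base the logs depend on cannot be
! skewed by a spoofed server.
ntp authenticate
ntp authentication-key 1 md5 <ntp-secret>
ntp trusted-key 1
ntp server 192.0.2.60 key 1
!
! Verify: show snmp user
!         show ntp associations detail | include authenticated
```

SNMPv3 users are bound to the local engine ID; if snmp-server engineID is changed later, every user must be re-created, which is also why the user line does not appear in show running-config.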
The reference list of bogon (unused and reserved) addresses is maintained by Team Cymru. ARP poisoning occurs when an attacker sends falsified ARP information to a LAN segment in order to redirect traffic through the attacker's host; DAI mitigates this by inspecting all ARP packets received on untrusted ports and dropping those whose IP-to-MAC binding does not match the DHCP snooping binding table or a configured ARP ACL. Because of the nonintuitive nature of fragment handling, IP fragments are often used in attacks. NetFlow collectors provide visibility into the traffic that is sent over the network. Refer to Understanding Access Control List Logging for more information about ACL logging and its effect on the CPU.
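The Layer 2 controls discussed here and earlier on the page (DHCP snooping as the prerequisite, DAI, IP Source Guard, and Port Security with sticky addresses) are shown together in this added example, which is not the original document's configuration. The VLAN, interface names and Catalyst access-switch syntax are assumptions.

```cisco
! 1. DHCP snooping builds the IP/MAC/port binding table that DAI and
!    IP Source Guard rely on. Only the uplink may send server replies.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! 2. Dynamic ARP Inspection on the same VLAN; also validate that the
!    Ethernet and ARP header addresses agree.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet1/0/1
 description uplink towards DHCP server and default gateway
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet1/0/10
 description access port
 switchport mode access
 switchport access vlan 10
 ! 3. Port Security: at most two MACs (a host and its phone), learned
 !    and saved as sticky entries. Use 'restrict' so a violation is
 !    counted and logged without err-disabling the port. Note that
 !    'maximum 1' breaks protocols with virtual MACs such as HSRP.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ! 4. IP Source Guard: forward only packets whose source IP and MAC
 !    match a snooping binding on this port (requires port security).
 ip verify source port-security
 ! Untrusted port: ARP rate-limited so a flood cannot starve the CPU.
 ip arp inspection limit rate 15
!
! Verify: show ip dhcp snooping binding
!         show ip arp inspection statistics vlan 10
!         show port-security interface GigabitEthernet1/0/10
!         show ip verify source
```

Hosts with static addresses produce no snooping binding and are cut off by IP Source Guard; add them explicitly with ip source binding <mac> vlan 10 <ip> interface <port> before enabling the feature on their ports.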
The configuration of a Cisco IOS device contains many sensitive details, such as passwords, SNMP community strings, and routing protocol keys; protect it in transit (use SCP rather than TFTP) and at rest. BGP MD5 peer authentication is defined in RFC 2385. Configuration management is a process by which configuration changes are proposed, reviewed, approved, and deployed. Within the context of a Cisco IOS device configuration, two additional aspects of configuration management are critical: configuration archival and security. The value 6 used in the TTL filtering examples assumes a network that is up to five hops in width; adjust this number for your network. Filtering with an interface access list elicits the transmission of ICMP unreachable messages back to the source of the filtered traffic, and generating those messages is CPU work. The memory free low-watermark processor and memory free low-watermark io global configuration commands set the thresholds at which the device generates low-memory notifications, and the memory reserve console command keeps memory available for console access. A login banner should state that the device is to be accessed only by specifically authorized personnel, and perhaps information about who can authorize access. The Memory Leak Detector is invoked with the show memory debug leaks command; it is CPU-intensive and should be used with care on production devices. You are advised to use a loopback interface as the source of logging and other management traffic, so that messages arrive from one stable address regardless of the egress interface. Type 7 passwords are obfuscated, not encrypted.
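The memory and CPU threshold commands mentioned in this paragraph and earlier on the page, as an added example that is not the original document's configuration. All threshold values (kilobytes for memory, percent and seconds for CPU) are assumptions to be sized for the platform.

```cisco
! Low-memory notifications: a syslog message and SNMP trap when free
! processor or I/O memory drops below 20 MB, and again when it recovers
! to 5 % above the threshold.
memory free low-watermark processor 20000
memory free low-watermark io 20000
!
! Keep 1 MB for critical notifications and 4 MB for the console, so an
! administrator can still get in and diagnose a memory exhaustion.
memory reserve critical 1000
memory reserve console 4096
!
! CPU Thresholding Notification: a trap when total CPU utilisation
! averages above 80 % over 5 s (rising threshold) and again when it
! drops below 20 % (falling threshold).
process cpu threshold type total rising 80 interval 5 falling 20 interval 5
snmp-server enable traps cpu threshold
snmp-server enable traps memory
!
! Verify:  show memory statistics
!          show processes cpu sorted | exclude 0.00
! Leak hunting (expensive, maintenance window only):
!          show memory debug leaks
```

The rising threshold tells you when something, for instance an unfiltered flood hitting the control plane, is consuming the CPU; pairing it with the CPPr and iACL controls on this page gives both the detection and the mitigation.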
Cisco IOS software provides several flexible logging options that can help achieve the network management and visibility goals of an organization. The TCP and UDP small services are disabled by default. ICMP redirects are sent when a device forwards a packet back out the interface on which it arrived, to tell the host about a better next hop; on a router this rarely serves any useful purpose, and the messages can be disabled with the no ip redirects interface configuration command. Proxy ARP is disabled with the no ip proxy-arp interface configuration command. Catalyst 6500 Series switches with a PFC3 provide hardware-based rate limiters for several classes of control plane traffic. A method list is a sequential list of the authentication methods that are queried in order to authenticate a user. Type 7 passwords use a simple Vigenère cipher, which is trivially reversible. Private VLANs (PVLANs) are a Layer 2 security feature that limits connectivity between workstations or servers within a VLAN. IP Source Guard can also be configured with static bindings as a manual means of spoofing prevention on ports whose hosts do not use DHCP. For Unicast RPF, the keyword rx configures strict mode and the keyword any configures loose mode. Prefix lists restrict advertisements to the prefixes that an organization intends to advertise. When the configured number of unsuccessful login attempts is reached within the configured window, the login block-for feature places the device in a quiet period during which login attempts are refused, except from hosts permitted by the quiet-mode access class. In Cisco IOS software, ICMP unreachable generation is limited by default to one packet every 500 milliseconds.
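The anti-spoofing ACL example the page refers to earlier (limiting traffic to valid local addresses) and the Unicast RPF modes described here are combined in this added example, which is not configuration from the original document. The address blocks (our space 203.0.113.0/24), interface roles and the choice of strict versus loose mode are assumptions.

```cisco
! Unicast RPF needs CEF.
ip cef
!
! Strict mode (rx) on an interface with symmetric routing, e.g. a
! customer or access link: the source must be reachable via this very
! interface, otherwise the packet is dropped.
interface GigabitEthernet0/1
 description customer-facing, symmetric routing
 ip verify unicast source reachable-via rx
!
! Loose mode (any) on the upstream link, where asymmetric paths are
! normal: the source only has to exist somewhere in the FIB, so bogons
! and unallocated space are still dropped.
interface GigabitEthernet0/0
 description upstream, asymmetric routing
 ip verify unicast source reachable-via any
!
! Complementary ACLs on the upstream link.
! Ingress: our own space and private/special-use space can never
! legitimately arrive from outside.
ip access-list extended ACL-ANTISPOOF-IN
 deny   ip 203.0.113.0 0.0.0.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 permit ip any any
! Egress: only our addresses may leave, so a compromised host inside
! cannot take part in a reflected or spoofed attack on others.
ip access-list extended ACL-ANTISPOOF-OUT
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any
!
interface GigabitEthernet0/0
 ip access-group ACL-ANTISPOOF-IN in
 ip access-group ACL-ANTISPOOF-OUT out
!
! Verify drops: show ip interface GigabitEthernet0/1 | include verif
!               show ip access-lists ACL-ANTISPOOF-OUT
```

Strict mode on an interface that carries asymmetric traffic silently blackholes legitimate flows, so check show ip cef exact-route for a few real sources before enabling it; the 224.0.0.0/3 deny covers multicast and the reserved 240/4 block, which are never valid unicast sources.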
This document contains recommendations that, if supported by the platform and release in use, you are advised to implement. SNMP community strings are passwords and should be chosen with the same care as any other credential; they must never be left at default values such as public or private. Transit ACLs should be applied to ingress traffic at network boundaries. DHCP snooping is a prerequisite for enabling Dynamic ARP Inspection and IP Source Guard, because both rely on the DHCP snooping binding table.