This information is present in the forced drop counter. Spoofing can be minimized in traffic that originates from the local network if you apply outbound ACLs that limit the traffic to valid local addresses. This example configuration enables the Cisco IOS SSH client to perform RSA-based server authentication. Once this feature is enabled, it is possible to restore a deleted configuration or Cisco IOS software image. For this reason, any protections that a network affords to management traffic (for example, encryption or out-of-band access) should be extended in order to include syslog traffic. The size of the logging buffer is configured with the global configuration command logging buffered size. This section highlights several methods that can be used in order to secure the deployment of SNMP within IOS devices. Even within jurisdictions, legal opinions can differ. It can result in an increase in the amount of ARP traffic on the network segment and resource exhaustion and man-in-the-middle attacks. This example configuration enables AAA command accounting for EXEC commands entered at privilege levels zero, one, and 15. Customers who do not use the Smart Install feature. Without PVLANs, all devices on a Layer 2 VLAN can communicate freely. HWRLs can protect the Cisco IOS device from a variety of attacks that require packets to be processed by the CPU. In some situations, it might be possible for an attacker to cause the Cisco IOS device to send many ICMP redirect messages, which results in an elevated CPU load. For switches that support booting from sdflash, security can be enhanced by booting from flash and disabling sdflash with the "no sdflash" configuration command. Originally designed in order to allow quick decryption of stored passwords, Type 7 passwords are not a secure form of password storage. This kind of communication can allow an attacker to pose as an FHRP-speaking device to assume the default gateway role on the network.
Accomplished via the logging source-interface interface command, statically configuring a logging source interface ensures that the same IP address appears in all logging messages that are sent from an individual Cisco IOS device. Prefix lists should be applied to each eBGP peer in both the inbound and outbound directions. This feature is not available in all Cisco IOS software releases. Releases of Cisco IOS software prior to 12.0 have this functionality enabled by default. This ensures that the device on the remote end of the connection is still accessible and that half-open or orphaned connections are removed from the local IOS device. VLAN access maps support IPv4 and MAC access lists; however, they do not support logging or IPv6 ACLs. This configuration can be added to the previous AAA authentication example in order to implement command authorization: Refer to Configuring Authorization for more information about command authorization. This directed broadcast functionality has been leveraged as an amplification and reflection aid in several attacks, including the smurf attack. Event logging provides you visibility into the operation of a Cisco IOS device and the network into which it is deployed. This example demonstrates how ACLs can be used in order to limit IP spoofing. The trouble is that most network administrators don’t stay up to date with these software patches. In addition to the community string, an ACL should be applied that further restricts SNMP access to a select group of source IP addresses. This configuration example builds upon the previous TACACS+ authentication example in order to include fallback authentication to the password that is configured locally with the enable secret command: Refer to Configuring Authentication for more information on the use of fallback authentication with AAA. Refer to IOS SNMP Command Reference for more information about this feature. 
The primary VLAN contains all promiscuous ports, which are described later, and includes one or more secondary VLANs, which can be either isolated or community VLANs. This example describes revocation of a special key. In addition, you must use secure file transfer protocols when you copy configuration data. In order to limit the type of transport that an administrator can use for outgoing connections, use the transport output line configuration command. The presence of IP options within a packet might indicate an attempt to subvert security controls in the network or otherwise alter the transit characteristics of a packet. The Internet Control Message Protocol (ICMP) was designed as a control protocol for IP. The syntax for PACLs creation, which takes precedence over VLAN maps and router ACLs, is the same as router ACLs. SNMP Views are a security feature that can permit or deny access to certain SNMP MIBs. Filtering IP packets that are based on the presence of IP options can also be used in order to prevent the control plane of infrastructure devices from having to process these packets at the CPU level. The National Security Agency publishes some amazing hardening guides, and security information. Although the configuration archive functionality can store up to 14 backup configurations, you are advised to consider the space requirements before you use the maximum command. In order to properly protect the control plane of the Cisco IOS device, it is essential to understand the types of traffic that are process switched by the CPU. Refer to Enabling Proxy ARP for more information on this feature. If these protocols are in use in the network, then the ACL Support for Filtering IP Options can be used; however, the ACL IP Options Selective Drop feature could drop this traffic and these protocols might not function properly. When you add a new device to your infrastructure network, harden it with these basic security best practices.
Administrators can use these security best practices for Cisco Smart Install deployments on affected devices: This example shows an interface ACL with the Smart Install director IP address as 10.10.10.1 and the Smart Install client IP address as 10.10.10.200: This ACL must be deployed on all IP interfaces on all clients. Such encryption is useful in order to prevent casual observers from reading passwords, such as when they look at the screen over the shoulder of an administrator. Switch ports that are placed into the primary VLAN are known as promiscuous ports. This is an example configuration for OSPF router authentication using MD5. While similar to CoPP, CPPr has the ability to restrict or police traffic using finer granularity than CoPP. ICMP is used by the network troubleshooting tools ping and traceroute, as well as by Path MTU Discovery; however, external ICMP connectivity is rarely needed for the proper operation of a network. CDP must be disabled on all interfaces that are connected to untrusted networks. There might only be one isolated VLAN per primary VLAN, and only promiscuous ports can communicate with ports in an isolated VLAN. Regardless of whether flow information is exported to a remote collector, you are advised to configure network devices for NetFlow so that it can be used reactively if needed. Refer to PFC3 Hardware-based Rate Limiter Default Settings for more information. In an effort to prevent information disclosure or unauthorized access to the data that is transmitted between the administrator and the device, transport input ssh should be used instead of clear-text protocols, such as Telnet and rlogin. When you do not depend on a single shared password, the security of the network is improved and your accountability is strengthened. Use the Password Phrase Method: choose a phrase that has numbers.
You must be aware that console ports on Cisco IOS devices have special privileges. This example illustrates the configuration of automatic configuration archiving. The ACEs that make up this ACL are not comprehensive. Refer to the Digitally Signed Cisco Software Key Revocation and Replacement section of the Digitally Signed Cisco Software guide for more information about this feature. NetFlow enables you to monitor traffic flows in the network. Hence, the user is authenticated or denied access based on the encrypted signature. SNMPv3 consists of three primary configuration options: An authoritative engine ID must exist in order to use the SNMPv3 security mechanisms (authentication, or authentication and encryption) to handle SNMP packets; by default, the engine ID is generated locally. eBGP is one such protocol. While similar to CoPP, CPPr has the ability to restrict traffic with finer granularity. RIPv1 does not support authentication. Refer to Configuring Port Security for more information about the Port Security configuration. For this reason, TACACS+ should be used in preference to RADIUS when TACACS+ is supported by the AAA server. This FPM policy drops packets with a TTL value less than six. The first type of traffic is directed to the Cisco IOS device and must be handled directly by the Cisco IOS device CPU. However, in cases where it does not, the feature is explained in such a way that you can evaluate whether additional attention to the feature is required. Any Cisco IOS configuration file that contains encrypted passwords must be treated with the same care that is used for a cleartext list of those same passwords. Logging timestamps should be configured to include the date and time with millisecond precision and to include the time zone in use on the device. Split Network Services. The hash is used in order to determine if the server has an entry that matches.
This configuration builds upon previous examples that include configuration of the TACACS servers. A malicious user can exploit the ability of the router to send ICMP redirects by continually sending packets to the router, which forces the router to respond with ICMP redirect messages, and results in an adverse impact on the CPU and performance of the router. However, if outgoing connections are allowed, then an encrypted and secure remote access method for the connection should be enforced through the use of transport output ssh. The service tcp-keepalives-in command must also be used in order to enable TCP keepalives on incoming connections to the device. Structured around the three planes into which functions of a network device can be categorized, this document provides an overview of each included feature and references to related documentation. In many cases, you can disable the reception and transmission of certain types of messages on an interface in order to minimize the amount of CPU load that is required to process unneeded packets. Use this guide to gain a deeper understanding of Ubiquiti security and implement some security "quick wins" in your organization. See the Logging Best Practices section of this document for more information about how to implement logging on Cisco IOS network devices. The AAA framework provides a highly configurable environment that can be tailored based on the needs of the network. The document is a valuable resource for compliance across industry and government security and network security requirements. PACLs can only be applied to the inbound direction on Layer 2 physical interfaces of a switch. Method lists enable you to designate one or more security protocols to be used for authentication, and thus ensure a backup system for authentication in case the initial method fails. SSHv1 and SSHv2 are not compatible.
Methods used in order to secure access must include the use of AAA, exec-timeout, and modem passwords if a modem is attached to the console. Dynamic ARP Inspection (DAI) can be used in order to mitigate ARP poisoning attacks on local segments. There are many tools available that can easily decrypt these passwords. The engine ID can be displayed with the show snmp engineID command as shown in this example: Note: If the engineID is changed, all SNMP user accounts must be reconfigured. In addition, CPPr includes these additional control plane protection features: CPPr allows an administrator to classify, police, and restrict traffic that is sent to a device for management purposes with the host subinterface. Once configured, the show memory overflow command can be used in order to display the buffer overflow detection and correction statistics. DISA releases new STIGs at least once every quarter. In order to gain knowledge about existing, emerging, and historic events related to security incidents, your organization must have a unified strategy for event logging and correlation. With Cisco IOS software, it is possible to send log messages to monitor sessions - monitor sessions are interactive management sessions in which the EXEC command terminal monitor has been issued - and to the console. This example illustrates the basic configuration of this feature. Refer to Understanding Control Plane Protection and Control Plane Protection for more information about the CPPr feature. However, this protocol allows interoperability between other devices that do not support CDP. After you upgrade ROMMON, the new special image can be booted. Recommendations and examples that cover Routing Information Protocol Version 2 (RIPv2), Enhanced Interior Gateway Routing Protocol (EIGRP), and Open Shortest Path First (OSPF) are provided when appropriate. 
Added to Cisco IOS Software Release 12.3(14)T, the Exclusive Configuration Change Access feature ensures that only one administrator makes configuration changes to a Cisco IOS device at a given time. Subinterfaces exist for Host, Transit, and CEF-Exception traffic categories. This example configuration enables SSHv2 (with SSHv1 disabled) on a Cisco IOS device: Refer to Secure Shell Version 2 Support for more information on the use of SSHv2. This allows the administrator to apply policies throughout the network for the management plane. An example is the use of the Secure Copy Protocol (SCP) in place of FTP or TFTP. Prior to this feature, there were two types of passwords: Type 0, which is a cleartext password, and Type 7, which uses the algorithm from the Vigenère cipher. Examples of packets that are classified for the host subinterface category include management traffic such as SSH or Telnet and routing protocols. When you design or implement a redundant AAA server solution, remember these considerations: Refer to Deploy the Access Control Servers for more information. Configuration involves the creation of an IPv4, IPv6, or MAC ACL and application of it to the Layer 2 interface. For example, a VLAN map might be used in order to prevent hosts that are contained within the same VLAN from communicating with each other, which reduces opportunities for local attackers or worms to exploit a host on the same network segment. Version 5 is the most commonly used version of NetFlow; however, version 9 is more extensible. If it is necessary to recover the password of a Cisco IOS device once this feature is enabled, the entire configuration is deleted. Refer to Deploying Control Plane Policing for more information about the CoPP feature. Cisco IOS software uses a specific method in order to check non-initial fragments against configured access lists.
It is for this reason that it is important to protect the management and control planes in preference over the data plane when you secure a network device. Optionally, a number from 1 to 100 can also be entered. In order to ensure that a device can be accessed via a local or remote management session, proper controls must be enforced on both vty and tty lines. Administrators are advised to evaluate each option for its potential risk before they implement the option. Receive ACLs are designed to only protect the device on which they are configured, and transit traffic is not affected by an rACL. This functionality can be used in attempts to route traffic around security controls in the network. Other forms of vty and tty access controls can be enforced with the transport input or access-class configuration commands, with the use of the CoPP and CPPr features, or if you apply access lists to interfaces on the device. By adding MD5 hash capabilities to the authentication process, routing updates no longer contain cleartext passwords, and the entire contents of the routing update are more resistant to tampering. This ACL example creates a policy that filters IP packets that contain any IP options: This example ACL demonstrates a policy that filters IP packets with five specific IP options. A vty and tty should be configured in order to accept only encrypted and secure remote access management connections to the device or through the device if it is used as a console server. All of the devices used in this document started with a cleared (default) configuration. Customers who leverage the Smart Install feature only for zero-touch deployment. Mistakes to avoid. This example must be used with the content from previous examples to include complete filtering of IP packets that contain IP options: Many attacks use source IP address spoofing to be effective or to conceal the true source of an attack and hinder accurate traceback.
Man-in-the-middle attacks enable a host on the network to spoof the MAC address of the router, which results in unsuspecting hosts sending traffic to the attacker. Three control plane subinterfaces exist: Host, Transit and CEF-Exception. Community strings should be changed at regular intervals and in accordance with network security policies. This command configures a Cisco IOS device for SNMPv3 with an SNMP server group AUTHGROUP and enables only authentication for this group with the auth keyword: This command configures a Cisco IOS device for SNMPv3 with an SNMP server group PRIVGROUP and enables both authentication and encryption for this group with the priv keyword: This command configures an SNMPv3 user snmpv3user with an MD5 authentication password of authpassword and a 3DES encryption password of privpassword: Note that snmp-server user configuration commands are not displayed in the configuration output of the device as required by RFC 3414; therefore, the user password is not viewable from the configuration. The coverage of security features in this document often provides enough detail for you to configure the feature. Refer to snmp-server community in the Cisco IOS Network Management Command Reference for more information about this feature. However, because this authentication is sent as cleartext, it can be simple for an attacker to subvert this security control. This configuration example uses prefix lists to limit the routes that are learned and advertised. This configuration example demonstrates the use of GLBP, HSRP, and VRRP MD5 authentication: Although the data plane is responsible for moving data from source to destination, within the context of security, the data plane is the least important of the three planes. Memory Reservation is used so that sufficient memory is available for critical notifications. This is in contrast to the copy filename running-config command. 
The management plane is the plane that receives and sends traffic for operations of these functions. Additional information about these communication vehicles is available in the Cisco Security Vulnerability Policy. Memory Leak Detector is able to find leaks in all memory pools, packet buffers, and chunks. Logging at level 7 produces an elevated CPU load on the device that can lead to device and network instability. This example ACL allows ICMP from trusted networks while it blocks all ICMP packets from other sources: As detailed previously in the Limit Access to the Network with Infrastructure ACLs section of this document, the filtering of fragmented IP packets can pose a challenge to security devices. TACACS+ is an authentication protocol that Cisco IOS devices can use for authentication of management users against a remote AAA server. Router or firewall interfaces are the most common devices found on these VLANs. Key replacement and revocation replaces and removes a key that is used for a Digitally Signed Cisco Software check from a platform's key storage. This document describes the information to help you secure your Cisco IOS® system devices, which increases the overall security of your network. Issue the, Unless Cisco IOS devices retrieve configurations from the network during startup, the, Cisco Discovery Protocol (CDP) is a network protocol that is used in order to discover other CDP enabled devices for neighbor adjacency and network topology. CPPr divides the aggregate control plane into three separate control plane categories known as subinterfaces. This feature uses two methods in order to accomplish this: Memory Threshold Notification and Memory Reservation. The filtering provided by tACLs is beneficial when it is desirable to filter traffic to a particular group of devices or traffic that transits the network. 
Hardening Guide The hardening guide is intended to be a living document and will be updated regularly to reflect the most up-to-date cybersecurity best practices. You are advised to send logging information to a remote syslog server. Additional information about filtering unused addresses is available at the Bogon Reference Page. The Hardening Guide adopts standard security and privacy controls and maps them to each of the recommendations. Networking situations exist where security can be aided by limiting communication between devices on a single VLAN. This CPPr policy drops transit packets received by a device where the TTL value is less than 6 and transit or non-transit packets received by a device where the TTL value is zero or one. As such, the messages it conveys can have far-reaching ramifications to the TCP and IP protocols in general. If not, the oldest file of logging messages (by timestamp) is deleted, and the current file is saved. This allows for a locally defined user to be created for one or more network administrators. One method to provide this notification is to place this information into a banner message that is configured with the Cisco IOS software banner login command.
Availability of AAA servers during potential network failures
Geographically dispersed placement of AAA servers
Load on individual AAA servers in steady-state and failure conditions
Network latency between Network Access Servers and AAA servers
with a local destination (that is, receive adjacency traffic)
Receive adjacency traffic can be identified through the use of the,
Enable MD5 hashing (secret option) for enable and local user passwords
Disable password recovery (consider risk)
Configure TCP keepalives for management sessions
Set memory and CPU threshold notifications
Use Management Plane Protection to restrict management interfaces
Use an encrypted transport protocol (such as SSH) for CLI access
Control transport for vty and tty lines (access class option)
Use AAA (TACACS+) for command authorization
Configure SNMPv2 communities and apply ACLs
Set logging levels for all relevant components
Configure NTP authentication if NTP is being used
Configure Control Plane Policing/Protection (port filtering, queue thresholds)
BGP (TTL, MD5, maximum prefixes, prefix lists, system path ACLs)
IGP (MD5, passive interface, route filtering, resource consumption)
Secure First Hop Redundancy Protocols (GLBP, HSRP, VRRP)
Configure required anti-spoofing protections
Control Plane Protection (control-plane cef-exception)
Configure NetFlow and classification ACLs for traffic identification
Configure required access control ACLs (VLAN maps, PACLs, MAC)
Refer to Private VLANs (PVLANs) - Promiscuous, Isolated, Community, located on the LAN Security homepage, for more information about the use and configuration of Private VLANs. It also does not allow malicious users to change the configuration register value and access NVRAM.
If password recovery is not required, then an administrator can remove the ability to perform the password recovery procedure using the no service password-recovery global configuration command; however, once the no service password-recovery command has been enabled, an administrator can no longer perform password recovery on a device. When the user enters EXEC commands, Cisco IOS sends each command to the configured AAA server. Note: The devices that are permitted by these ACLs require the proper community string in order to access the requested SNMP information. This information is designed in order to corrupt the ARP cache of other devices. Hardening refers to providing various means of protection in a computer system. A new (special or production) key for a (special or production) image comes in a (production or revocation) image that is used in order to revoke the previous special or production key. SNMPv3 provides secure access to devices because it authenticates and optionally encrypts packets over the network. SSHv1 is considered to be insecure and can have adverse effects on the system. There are several disadvantages to proxy ARP utilization. This configuration example combines the previous isolated and community VLAN examples and adds the configuration of interface FastEthernet 1/12 as a promiscuous port: When you implement PVLANs, it is important to ensure that the Layer 3 configuration in place supports the restrictions that are imposed by PVLANs and does not allow for the PVLAN configuration to be subverted.