
Cisco IOS Hardening

I always wanted to bookmark this one 🙂 so I'm doing this now with a short extract here, to save me googling and scrolling through the original page next time:

Management Plane

  • Passwords
    • Enable MD5 hashing (secret option) for enable and local user passwords
    • Configure the password retry lockout
    • Disable password recovery (consider risk)
  • Disable unused services
  • Configure TCP keepalives for management sessions
  • Set memory and CPU threshold notifications
  • Configure
    • Memory and CPU threshold notifications
    • Reserve memory for console access
    • Memory leak detector
    • Buffer overflow detection
    • Enhanced crashinfo collection
  • Use iACLs to restrict management access
  • Filter (consider risk)
    • ICMP packets
    • IP fragments
    • IP options
    • TTL value in packets
  • Control Plane Protection
    • Configure port filtering
    • Configure queue thresholds
  • Management access
    • Use Management Plane Protection to restrict management interfaces
    • Set exec timeout
    • Use an encrypted transport protocol (such as SSH) for CLI access
    • Control transport for vty and tty lines (access class option)
    • Warn using banners
  • AAA
    • Use AAA for authentication and fallback
    • Use AAA (TACACS+) for command authorization
    • Use AAA for accounting
    • Use redundant AAA servers
  • SNMP
    • Configure SNMPv2 communities and apply ACLs
    • Configure SNMPv3
  • Logging
    • Configure centralized logging
    • Set logging levels for all relevant components
    • Set logging source-interface
    • Configure logging timestamp granularity
  • Configuration Management
    • Replace and rollback
    • Exclusive Configuration Change Access
    • Software resilience configuration
    • Configuration change notifications
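Added example, not part of the original post or of Cisco's hardening guide: a Cisco IOS configuration fragment that walks through the management-plane checklist above in the order it is listed. The interface names, the 192.0.2.0/24 management network, the TACACS+/syslog server addresses, the domain name and every EXAMPLE-* secret are constructed placeholders; some commands (password-recovery disable, memory reserve, crashinfo) depend on the IOS release and platform.

```cisco
! --- Passwords ---
! 'secret' stores a hash (type 5 MD5 on older trains, scrypt/type 9 where supported);
! 'password' would store a reversible type 7 string and must not be used for accounts
enable secret EXAMPLE-ENABLE-SECRET
username admin privilege 15 secret EXAMPLE-LOCAL-SECRET
service password-encryption
! Password retry lockout for local accounts (requires aaa new-model)
aaa new-model
aaa local authentication attempts max-fail 5
! Disable password recovery (consider risk: a lost password then means a full reset of the box)
no service password-recovery
! --- Disable unused services ---
no ip http server
no ip http secure-server
no service pad
no ip bootp server
no ip finger
no service tcp-small-servers
no service udp-small-servers
! --- TCP keepalives so half-open management sessions are torn down ---
service tcp-keepalives-in
service tcp-keepalives-out
! --- Memory/CPU thresholds, reserved console memory, overflow detection, crashinfo ---
memory free low-watermark processor 20000
memory free low-watermark io 20000
memory reserve console 4096
process cpu threshold type total rising 80 interval 5 falling 20 interval 5
snmp-server enable traps cpu threshold
exception memory ignore overflow io
exception memory ignore overflow processor
exception crashinfo maximum files 5
! --- Restrict management access: ACL, Management Plane Protection, SSH, timeouts, banner ---
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
! MPP: only GigabitEthernet0/0 accepts SSH and SNMP addressed to the device itself
control-plane host
 management-interface GigabitEthernet0/0 allow ssh snmp
! SSHv2 only (the RSA key is generated from exec mode: crypto key generate rsa modulus 2048)
ip domain-name example.net
ip ssh version 2
banner login ^
Unauthorized access is prohibited. All sessions are logged.
^
line vty 0 4
 access-class MGMT-HOSTS in
 exec-timeout 10 0
 transport input ssh
line con 0
 exec-timeout 10 0
! --- AAA: redundant TACACS+ servers with local fallback, command authorization, accounting ---
tacacs server TAC1
 address ipv4 192.0.2.10
 key EXAMPLE-TACACS-KEY
tacacs server TAC2
 address ipv4 192.0.2.11
 key EXAMPLE-TACACS-KEY
aaa group server tacacs+ TAC-GROUP
 server name TAC1
 server name TAC2
aaa authentication login default group TAC-GROUP local
aaa authorization exec default group TAC-GROUP local
aaa authorization commands 15 default group TAC-GROUP local
aaa accounting exec default start-stop group TAC-GROUP
aaa accounting commands 15 default start-stop group TAC-GROUP
! --- SNMP: v3 with authentication and privacy, a read-only view, bound to the NMS ACL ---
snmp-server view RO-VIEW iso included
snmp-server group SNMP-RO v3 priv read RO-VIEW access MGMT-HOSTS
snmp-server user nms-user SNMP-RO v3 auth sha EXAMPLE-AUTH-PASS priv aes 128 EXAMPLE-PRIV-PASS access MGMT-HOSTS
! If an SNMPv2c community cannot be avoided, make it read-only and bind it to the same ACL
snmp-server community EXAMPLE-RO-COMMUNITY RO MGMT-HOSTS
! --- Logging: millisecond timestamps, central syslog, fixed source interface ---
service timestamps log datetime msec show-timezone
service timestamps debug datetime msec show-timezone
logging buffered 16384 informational
logging host 192.0.2.20
logging trap informational
logging source-interface Loopback0
! --- Configuration management: archive/rollback, change notification, exclusive access, resilience ---
archive
 path flash:archive
 maximum 14
 log config
  logging enable
  notify syslog
  hidekeys
configuration mode exclusive auto
secure boot-image
secure boot-config
```

The ordering matters in practice: `aaa new-model` before the lockout command, the domain name and RSA key before `transport input ssh` (or you lock yourself out of the vty lines), and the management ACL tested from a second session before it is applied to the line.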

Control Plane

  • Disable (consider risk)
    • ICMP redirects
    • ICMP unreachables
    • Proxy ARP
  • Configure NTP authentication if NTP is being used
  • Configure Control Plane Policing/Protection (port filtering, queue thresholds)
  • Secure routing protocols
    • BGP (TTL, MD5, maximum prefixes, prefix lists, AS-path ACLs)
    • IGP (MD5, passive interface, route filtering, resource consumption)
  • Configure hardware rate limiters
  • Secure First Hop Redundancy Protocols (GLBP, HSRP, VRRP)
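Added example, not part of the original post or of Cisco's guide: a Cisco IOS fragment covering the control-plane checklist above on a router with a BGP peer on GigabitEthernet0/1, OSPF on GigabitEthernet0/2 and HSRP on GigabitEthernet0/3. AS numbers, prefixes, addresses, policer rates and the EXAMPLE-* keys are constructed placeholders, and the rates in particular must be sized from real traffic baselines. Hardware rate limiters are platform-specific (Catalyst 6500 class hardware) and are not shown.

```cisco
! --- Disable ICMP redirects/unreachables and proxy ARP per interface (consider risk) ---
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
! Unreachables still generated elsewhere are rate-limited to one per 1000 ms
ip icmp rate-limit unreachable 1000
! --- NTP authentication: only replies signed with key 10 are accepted ---
ntp authentication-key 10 md5 EXAMPLE-NTP-KEY
ntp trusted-key 10
ntp authenticate
ntp server 192.0.2.30 key 10
! --- Control Plane Policing: classify traffic punted to the route processor, police each class ---
ip access-list extended COPP-ROUTING
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit ospf any any
ip access-list extended COPP-MGMT
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit udp 192.0.2.0 0.0.0.255 any eq snmp
class-map match-all COPP-ROUTING-CLASS
 match access-group name COPP-ROUTING
class-map match-all COPP-MGMT-CLASS
 match access-group name COPP-MGMT
policy-map COPP-POLICY
 class COPP-ROUTING-CLASS
  police 512000 8000 conform-action transmit exceed-action transmit
 class COPP-MGMT-CLASS
  police 256000 8000 conform-action transmit exceed-action drop
 class class-default
  police 64000 8000 conform-action transmit exceed-action drop
control-plane
 service-policy input COPP-POLICY
! --- Control Plane Protection: drop packets to closed TCP/UDP ports, cap the SNMP input queue ---
class-map type port-filter match-all CLOSED-PORTS
 match closed-ports
policy-map type port-filter DROP-CLOSED-PORTS
 class CLOSED-PORTS
  drop
class-map type queue-threshold match-all SNMP-QUEUE
 match protocol snmp
policy-map type queue-threshold LIMIT-SNMP-QUEUE
 class SNMP-QUEUE
  queue-limit 50
control-plane host
 service-policy type port-filter input DROP-CLOSED-PORTS
 service-policy type queue-threshold input LIMIT-SNMP-QUEUE
! --- BGP: MD5, GTSM (ttl-security), prefix limit, prefix list and AS-path filter ---
ip prefix-list PEER-IN seq 5 permit 203.0.113.0/24
ip as-path access-list 10 permit ^65001$
router bgp 65000
 neighbor 198.51.100.2 remote-as 65001
 neighbor 198.51.100.2 password EXAMPLE-BGP-KEY
 neighbor 198.51.100.2 ttl-security hops 1
 neighbor 198.51.100.2 maximum-prefix 1000 80 restart 5
 neighbor 198.51.100.2 prefix-list PEER-IN in
 neighbor 198.51.100.2 filter-list 10 in
! --- IGP (OSPF): MD5, passive by default, inbound route filter, LSA cap for resource consumption ---
ip prefix-list OSPF-IN seq 5 permit 10.0.0.0/8 le 24
router ospf 1
 router-id 10.255.255.1
 passive-interface default
 no passive-interface GigabitEthernet0/2
 area 0 authentication message-digest
 distribute-list prefix OSPF-IN in
 max-lsa 12000
interface GigabitEthernet0/2
 ip address 10.0.12.1 255.255.255.0
 ip ospf message-digest-key 1 md5 EXAMPLE-OSPF-KEY
! --- FHRP: HSRP with MD5 authentication so a rogue host cannot claim the virtual gateway ---
interface GigabitEthernet0/3
 ip address 10.0.20.2 255.255.255.0
 standby 1 ip 10.0.20.1
 standby 1 authentication md5 key-string EXAMPLE-HSRP-KEY
```

Two design points worth noting: the routing class in the CoPP policy uses `exceed-action transmit`, so a badly sized rate degrades to logging-only rather than dropping the BGP session, and `ttl-security hops 1` is a property of the peering (both sides must send TTL 255), so it is coordinated with the peer before it is enabled.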

Data Plane

  • Configure IP Options Selective Drop
  • Disable (consider risk)
    • IP source routing
    • IP Directed Broadcasts
    • ICMP redirects
  • Limit IP Directed Broadcasts
  • Configure tACLs (consider risk)
    • Filter ICMP
    • Filter IP fragments
    • Filter IP options
    • Filter TTL values
  • Configure required anti-spoofing protections
    • ACLs
    • IP Source Guard
    • Dynamic ARP Inspection
    • Unicast RPF
    • Port security
  • Control Plane Protection (control-plane cef-exception)
  • Configure NetFlow and classification ACLs for traffic identification
  • Configure required access control ACLs (VLAN maps, PACLs, MAC)
  • Configure Private VLANs
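Added example, not part of the original post or of Cisco's guide: a Cisco IOS fragment for the data-plane checklist above, split between an edge router (GigabitEthernet0/x interfaces) and a Catalyst access switch (GigabitEthernet1/0/x interfaces). The 203.0.113.0/24 "own" prefix, the 10.0.0.0/8 internal space, the NetFlow collector, VLAN numbers and MAC address are constructed placeholders; the CPPr cef-exception sub-interface is not covered here.

```cisco
! --- IP options, source routing and directed broadcasts (consider risk) ---
ip options drop
no ip source-route
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip directed-broadcast
 no ip redirects
! Where a directed broadcast is genuinely needed (e.g. Wake-on-LAN from one host), limit it with an ACL
ip access-list extended DBCAST-ALLOWED
 permit udp host 10.0.30.5 any eq 9
interface GigabitEthernet0/4
 ip address 10.0.30.1 255.255.255.0
 ip directed-broadcast DBCAST-ALLOWED
! --- Transit ACL on the edge: anti-spoofing first, then fragments, options, TTL and ICMP ---
ip access-list extended EDGE-IN
 remark our own prefix and private/loopback space must never arrive from outside
 deny   ip 203.0.113.0 0.0.0.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark fragments, options and low TTLs (consider risk: breaks some legitimate traffic)
 deny   ip any any fragments
 deny   ip any any option any-options
 deny   ip any any ttl lt 6
 remark ICMP: keep only what path MTU discovery and troubleshooting need
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 deny   icmp any any
 permit tcp any 203.0.113.0 0.0.0.255 eq 443
 deny   ip any any log
interface GigabitEthernet0/1
 ip access-group EDGE-IN in
 ip verify unicast source reachable-via rx
! --- NetFlow export plus a classification ACL (every line permits; the hit counters identify traffic) ---
ip flow-export version 9
ip flow-export destination 192.0.2.60 2055
interface GigabitEthernet0/1
 ip flow ingress
ip access-list extended CLASSIFY-ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any
 permit ip any any
! --- Access switch: DHCP snooping feeds DAI and IP Source Guard; port security caps MACs ---
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ip verify source
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
interface GigabitEthernet1/0/24
 description uplink towards the DHCP server; the only trusted port
 ip dhcp snooping trust
 ip arp inspection trust
! --- VLAN map and MAC PACL (Catalyst syntax) ---
ip access-list extended NO-TELNET
 permit tcp any any eq telnet
vlan access-map VLAN10-MAP 10
 match ip address NO-TELNET
 action drop
vlan access-map VLAN10-MAP 20
 action forward
vlan filter VLAN10-MAP vlan-list 10
mac access-list extended PRINTER-ONLY
 permit host 0200.4c4f.4f50 any
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 mac access-group PRINTER-ONLY in
! --- Private VLANs: isolated ports share the primary VLAN but cannot reach each other ---
vtp mode transparent
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated
interface GigabitEthernet1/0/5
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface GigabitEthernet1/0/48
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
```

Strict uRPF (`reachable-via rx`) is only correct on interfaces with symmetric routing; on a multi-homed edge use `reachable-via any` (loose mode) or the anti-spoofing ACL alone. The classification ACL is deliberately all-permit: it is read with `show ip access-lists` to see which ICMP types dominate before any of them is denied in the transit ACL.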