04-05-2015 04:38 AM
Hi fellow engineers,
May I just ask for tips, guides or advice regarding the commands you enter in almost all of your devices (i.e. routers, switches)?
Like, for example: no http server, execute service password-encryption, no telnet, etc.
I hope y'all get what i mean :)
Thanks in advance!
04-05-2015 05:30 AM
No one can give you this answer because this will depend entirely upon the organization you're working for.
We all have our own "favorite" configuration lines but we all have a legitimate reason when to use it and when not to use it.
If this was a job interview and you gave me a bunch of commands, I'll immediately respond with, "that's nice. Now DEFEND your responses and tell me WHY you have those commands".
04-05-2015 06:09 AM
oh. okay. got you.
But c'mon, maybe there are like best practices to follow regarding setting up a router or switch for the first time. What are, like, the configs that should be there?
So far from my experience, here are the commands I always put, no questions asked.
hostname
logging synchronous
exec timeout
enable secret
login local
transport input ssh telnet
banner
ip domain name
crypto key generate
ip ssh version 2
username secret
no ip http server
ntp server
clock
There... maybe there are a few I can add?
Or this is REALLY a very BROAD question :D
04-05-2015 08:19 AM
I try to use the Cisco Validated Design template commands as a starting point (assuming there is one for the use case I am implementing). Any variation from that, I document and convey my reasoning to the customer.
For example, here's a link to the current Campus CVDs.
If it's a security review / audit I would supplement that with some standard, according to the environment. For general purpose, I'd use the Center for Internet Security (CIS) guides - they combine vendor and external (government and regulatory) guidelines.
If the environment is more specific (say needing to be PCI DSS, HIPAA, etc. compliant), I'd tailor it a bit more drawing from any available guides for the specific regime I need to comply with.
04-07-2015 07:46 AM
Hi Sir Marvin, thanks for the links, definitely checking them out.
04-05-2015 04:59 PM
Like I said, it depends on the organization you work for. For example:
transport input ssh telnet
For remote access, I will never enable telnet. Everything has to be SSH.
username secret
I don't care how "poor" an organization is. I will NEVER use a simple username/password login account like this. It's either TACACS or RADIUS.
The commands I will use in my generic configurations will include something like:
ip tftp blocksize 8192
ip device tracking
service timestamps debug datetime localtime show-timezone year
service timestamps log datetime localtime show-timezone year
04-07-2015 07:44 AM
yes, that's exactly what I'm talking about.
That's why I'm asking you guys what are your "generic" configurations, then I could pattern mine from yours.
> ip tftp blocksize 8192
> ip device tracking
> service timestamps debug datetime localtime show-timezone year
> service timestamps log datetime localtime show-timezone year
These commands are definitely new to me, so I'd study these and maybe I can use them.
Hope you can share more :D
Thanks sir.
04-06-2015 06:32 AM
While I echo both Leo and Marvin's posts - I've found the following IOS hardening guide to be helpful in establishing configuration standards for our Cisco devices:
http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
I did not follow the guide command-for-command, but went through each recommendation one-by-one to determine whether it made sense for my environment or not. It was a long process (a couple of weeks), but paid off with the end result of a standard config (that varies to some degree by device model due to different supported features, IOS, etc.) that is easily & quickly deployed.
We're currently looking at how Prime can help us deploy this even quicker with the 0- & 1-touch deployment options, though we're not very far along in our analysis yet.
04-06-2015 06:49 AM
Good point, Scott.
Actually the CIS Cisco router hardening guide I mentioned cites that very Cisco reference.
PI 2.2 broke the Compliance feature and it's supposed to be back with the next release. That would be really really useful to have it analyze all the supported devices' configurations and give you a report and remediation option specific to the devices and their OS revision.
People generally bad-mouth the old Cisco Configuration Professional (router GUI) but it did have the one touch hardening button that was quite useful. There's also the "autosecure" feature on some platforms although it doesn't seem to get much love from Cisco.
04-07-2015 07:48 AM
That's a looong guide. but thanks Sir.
I was just hoping for a sample configuration from you guys, then I'll just pick commands which I can use for my environment. :D
04-07-2015 09:21 AM
Here are some of the more general commands we use that are not necessarily platform-dependent:
Configure services & disable unused services - Obviously if you use your IOS devices as DHCP servers, you don't want to disable the DHCP service
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
service linenumber
no service dhcp
no service pad
no service config
Set Timezone & Daylight Savings Time, Show full date/time in logs/debugs w/timezone
clock timezone CST -6 !US Central Timezone
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 !Daylight Savings Time
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
Misc
no ip domain lookup
no ip http server
no ip http secure-server
ip dhcp bootp ignore
no logging console
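Scott's list above and Leo's two hard rules earlier in the thread (never telnet on the vty lines, never rely on a local username/password instead of TACACS+ or RADIUS) are easy to state and easy to drift from once a few hundred devices are in play. The script below, an added example that is not code from any of the posters, turns those points into a check that runs over a saved `show running-config`. Both sample configs are constructed for illustration (the hostnames, hashes and addresses are placeholders), the rule names are mine, and the parser assumes the one-space indentation that `show running-config` prints under `line` blocks.

```python
"""Audit a Cisco IOS running-config against the hardening points raised in
the thread: SSH-only vty lines, TACACS+/RADIUS login, 'enable secret' and
'username ... secret' instead of reversible passwords, HTTP server off,
SSHv2, timestamped logs, and a non-zero exec-timeout on every line.
Added example, not code from the posts; the sample configs are constructed
(placeholder hashes) and assume 'show running-config' indentation."""
import re

# Constructed: roughly the first poster's baseline, with the weaknesses
# the replies call out (telnet allowed, local-only login, enable password).
WEAK_CONFIG = """\
hostname edge-rtr1
enable password cisco123
username admin password 0 letmein
ip ssh version 2
ip http server
line con 0
 logging synchronous
line vty 0 4
 login local
 transport input ssh telnet
"""

# Constructed: the same device after applying the thread's recommendations.
HARDENED_CONFIG = """\
hostname edge-rtr1
service password-encryption
service timestamps log datetime msec localtime show-timezone
aaa new-model
aaa authentication login default group tacacs+ local
enable secret 9 $9$placeholderhash
username break-glass secret 9 $9$placeholderhash
ip ssh version 2
no ip http server
no ip http secure-server
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 5 0
 transport input ssh
"""


def parse_ios_config(text):
    """Return (top_level_commands, {section_header: [sub_commands]})."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and '!' separators carry no config
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections.setdefault(current, [])
    return top, sections


def _has(top, cmd):
    """True if cmd appears as a whole command or as the prefix of one."""
    return any(c == cmd or c.startswith(cmd + " ") for c in top)


def ssh_only_vty(top, sections):
    # 'transport input ssh telnet' and 'transport input all' still admit telnet
    vty = [c for h, c in sections.items() if h.startswith("line vty")]
    return bool(vty) and all("transport input ssh" in c for c in vty)


def aaa_remote_auth(top, sections):
    return _has(top, "aaa new-model") and any(
        c.startswith("aaa authentication login")
        and re.search(r"group (tacacs\+|radius)", c) for c in top)


def user_secrets(top, sections):
    # 'username X password ...' is reversible (type 0/7); require 'secret'
    return not any(re.match(r"username \S+ (privilege \d+ )?password\b", c)
                   for c in top)


def http_disabled(top, sections):
    return (_has(top, "no ip http server") and _has(top, "no ip http secure-server")
            and not _has(top, "ip http server"))


def exec_timeout(top, sections):
    # every 'line ...' block needs exec-timeout with minutes or seconds > 0
    for header, cmds in sections.items():
        if not header.startswith("line "):
            continue
        found = [re.match(r"exec-timeout (\d+)(?: (\d+))?$", c) for c in cmds]
        if not any(m and (int(m.group(1)) or int(m.group(2) or 0)) for m in found):
            return False
    return True


RULES = {
    "ssh_only_vty": ssh_only_vty,
    "aaa_remote_auth": aaa_remote_auth,
    "enable_secret": lambda top, s: _has(top, "enable secret") and not _has(top, "enable password"),
    "user_secrets": user_secrets,
    "http_disabled": http_disabled,
    "ssh_v2": lambda top, s: _has(top, "ip ssh version 2"),
    "password_encryption": lambda top, s: _has(top, "service password-encryption"),
    "log_timestamps": lambda top, s: _has(top, "service timestamps log datetime"),
    "exec_timeout": exec_timeout,
}


def audit(text):
    """Map each rule name to True (compliant) or False."""
    top, sections = parse_ios_config(text)
    return {name: bool(rule(top, sections)) for name, rule in RULES.items()}


def failing_rules(text):
    return sorted(name for name, ok in audit(text).items() if not ok)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "fails:", failing_rules(cfg))
```

Run it against a directory of saved configs and diff the failing-rule lists over time; the parser only understands the top-level/indented shape of an IOS config, so platform-specific commands you standardise on (Scott's `no service pad`, Leo's `ip device tracking`) are easy to bolt on as extra entries in `RULES`.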
04-08-2015 07:29 AM
Hey Sir Scott, thaanksss!!
Exactly what I need :D thanks sir!