10-17-2014 09:35 AM - edited 03-03-2019 07:37 AM
I am new to auditing Cisco device (firewall, router, switch) configurations. I need to validate whether the device settings comply with my company's information security hardening guidelines (NIST, CIS, DISA). I requested .config files from selected firewalls, routers, and switches. Is there something (an example) that translates the syntax in the .config files so it can be compared to hardening guidelines such as "RSA Key Pair must be 2048 bits" or "SSH Access Control is enabled"?
Some of the syntax is intuitive, such as trying to validate that "SSH must be version 2", which can be matched with the string "ssh version 2" in the .config file.
Here is a cleaned snippet of a firewall device .config file and where I found the version for SSH.
ASA Version X.X(X)
!
hostname AA-AAA-AA-A
domain-name AAA.org
enable password AAXXXXX7 encrypted
passwd AAXXXXX7 encrypted
names
!
interface GigabitEthernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description LAN Failover Interface
!
interface TYPE0/0
nameif management
security-level 100
ip address 00.00.255.000 255.255.255.0
TYPE-only
!
.
.
.
.
.
.
service resetoutside
telnet timeout 10
ssh 00.00.0.0 255.255.255.0 TRUST-XXXX
ssh 00.00.000.0 255.255.255.0 TRUST-XXX
ssh 00.00.00.0 255.255.255.0 TRUST-XXX
ssh timeout 10
ssh version 2
console timeout 10
07-14-2015 08:21 AM
Unfortunately, there's no magic translator that can convert the language used in Cisco's configuration into the unknown language used in the hardening guidelines used by your organization.
Note that compliance verification is not only about the content of the current configuration, but also about the default values not expressed in the configuration. They are model/firmware version specific.
Also, there may not be a 1:1 mapping between a requirement and a configuration statement.
You need to understand the particular device to be able to analyze its compliance with a particular requirement in full.
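One way to mechanise the string matching the question describes, as an added example that is not code from the original thread: it parses an ASA-style config, checks a few requirements of the kind listed in the question (SSH version, SSH source restriction, SSH idle timeout, no telnet access), and, in line with the reply above, reports the RSA key size as not decidable from the config text because the running config does not print it. The sample config, requirement names and the 10-minute threshold are constructed for illustration.

```python
import re

# Constructed sample, modelled on the sanitized ASA snippet posted in the question.
SAMPLE_CONFIG = """\
ASA Version X.X(X)
!
hostname AA-AAA-AA-A
telnet timeout 10
ssh 10.0.0.0 255.255.255.0 TRUST-INSIDE
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh timeout 10
ssh version 2
"""

def parse_config(text):
    """Keep the non-blank, non-comment ('!') lines of an ASA config, whitespace stripped."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("!")]

def check_config(lines):
    """Map each hardening requirement to (status, evidence) based on the config text alone."""
    results = {}
    # "SSH must be version 2": exact line match, as the question already does by hand.
    v2 = [ln for ln in lines if ln == "ssh version 2"]
    results["SSH version 2"] = ("PASS", v2[0]) if v2 else ("FAIL", "no 'ssh version 2' line")
    # "SSH access control is enabled": at least one 'ssh <net> <mask> <ifname>' line, and
    # none of them the any/any wildcard, which would allow SSH from every source address.
    acl = [ln for ln in lines if re.match(r"^ssh \d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+ \S+$", ln)]
    wide = [ln for ln in acl if ln.startswith("ssh 0.0.0.0 0.0.0.0 ")]
    if not acl:
        results["SSH access control"] = ("FAIL", "no ssh source restriction lines")
    elif wide:
        results["SSH access control"] = ("FAIL", "unrestricted: " + "; ".join(wide))
    else:
        results["SSH access control"] = ("PASS", "; ".join(acl))
    # "SSH idle timeout at most 10 minutes": one requirement, one numeric field to compare.
    m = next((re.match(r"^ssh timeout (\d+)$", ln) for ln in lines if ln.startswith("ssh timeout ")), None)
    if m and int(m.group(1)) <= 10:
        results["SSH timeout <= 10"] = ("PASS", m.group(0))
    else:
        results["SSH timeout <= 10"] = ("FAIL", m.group(0) if m else "no 'ssh timeout' line")
    # "No telnet access": 'telnet timeout' is only the idle timer, not an access grant.
    telnet = [ln for ln in lines if ln.startswith("telnet ") and not ln.startswith("telnet timeout")]
    results["No telnet access"] = ("FAIL", "; ".join(telnet)) if telnet else ("PASS", "no telnet access lines")
    # "RSA key pair must be 2048 bits": the modulus size is not printed in the running config,
    # so the text alone cannot settle it; flag it for verification on the device itself.
    results["RSA key 2048 bits"] = ("MANUAL", "key size absent from config text; verify on the device")
    return results

def audit(text):
    return check_config(parse_config(text))
```

Running `audit(SAMPLE_CONFIG)` flags the `ssh 0.0.0.0 0.0.0.0 OUTSIDE` line as an unrestricted SSH source while the other checks pass; the MANUAL status is the point the reply makes about values that are not expressed in the configuration.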
08-12-2015 09:47 AM
This discussion has been reposted from Additional Communities to the Other Network Infrastructure Subjects community.