1968 Views, 0 Helpful, 2 Replies

How to read syntax of a cisco IOS .config file?

jade.tran11
Level 1

I am new to auditing Cisco device (firewall, router, switch) configurations. I need to validate if the device settings comply with my company's Information Security hardening guidelines (NIST, CIS, DISA). I requested .config files from selected firewalls, routers, and switches. Is there something (an example) that translates the syntax in the .config files to compare to hardening guidelines, such as "RSA Key Pair must be 2048 bits" or "SSH Access Control is enabled"?

Some of the syntax is intuitive, such as trying to validate that "SSH must be version 2", which can be matched with the string "ssh version 2" in the .config file.

Here is a cleaned snippet of a firewall device .config file and where I found the version for SSH.

ASA Version X.X(X)
!
hostname AA-AAA-AA-A
domain-name AAA.org
enable password AAXXXXX7 encrypted
passwd AAXXXXX7 encrypted
names
!
interface GigabitEthernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description LAN Failover Interface
!
interface TYPE0/0
nameif management
security-level 100
ip address 00.00.255.000 255.255.255.0
TYPE-only
!

.
.
.
.
.
.
service resetoutside
telnet timeout 10
ssh 00.00.0.0 255.255.255.0 TRUST-XXXX
ssh 00.00.000.0 255.255.255.0 TRUST-XXX
ssh 00.00.00.0 255.255.255.0 TRUST-XXX
ssh timeout 10
ssh version 2
console timeout 10

2 Replies

Dan Lukes
VIP Alumni

Unfortunately, there's no magic translator that can convert the language used in Cisco's configuration into the unknown language used in the hardening guidelines used in your organization.

Note that compliance verification is not only about the content of the current configuration, but also about the default values not expressed in the configuration. They are model/firmware version specific.

Also, there may not be a 1:1 mapping between a requirement and a configuration statement.

You need to understand the particular device to be able to analyze its compliance with a particular requirement in full.
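Added example, not from either poster: a small Python checker for the kind of line matching the question describes (SSH version 2, SSH source restrictions, idle timeouts) against a constructed ASA-style snippet modelled on the one above. It assumes a 10-minute idle-timeout threshold, and it reports "unknown" for requirements the reply says a running config cannot settle on its own, such as RSA key length and defaults not written out in the file.

```python
import re

# Constructed sample, modelled on the cleaned ASA snippet in the question.
SAMPLE_CONFIG = """\
ASA Version X.X(X)
hostname FW-EXAMPLE
telnet timeout 10
ssh 10.0.0.0 255.255.255.0 TRUST-LAN
ssh 10.0.1.0 255.255.255.0 TRUST-LAN
ssh timeout 10
ssh version 2
console timeout 10
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"

def parse_lines(text):
    """Return non-empty config lines with '!' separators and surrounding whitespace dropped."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("!")]

def check_config(text, max_timeout=10):
    """Map each hardening requirement to 'pass', 'fail' or 'unknown'.

    'unknown' means the requirement cannot be decided from 'show run' text alone
    (the RSA key pair is stored in NVRAM, and unlisted settings fall back to
    model/firmware-specific defaults, as the reply above points out)."""
    lines = parse_lines(text)
    results = {}
    # Requirement: SSH protocol version 2 only (exact line match, as in the question).
    results["ssh_version_2"] = "pass" if "ssh version 2" in lines else "fail"
    # Requirement: SSH limited to explicit source networks ('ssh <net> <mask> <ifname>').
    ssh_acl = [ln for ln in lines if re.match(rf"^ssh {IPV4} {IPV4} \S+$", ln)]
    results["ssh_access_restricted"] = "pass" if ssh_acl else "fail"
    # Requirement: no Telnet management access. A 'telnet <net> <mask> <ifname>' line
    # permits it; 'telnet timeout' alone does not. Absence relies on the platform default.
    telnet_acl = [ln for ln in lines if re.match(rf"^telnet {IPV4} ", ln)]
    results["telnet_disabled"] = "fail" if telnet_acl else "pass"
    # Requirement: SSH and console idle timeouts present and at or below the threshold.
    for name in ("ssh", "console"):
        matches = [re.match(rf"^{name} timeout (\d+)$", ln) for ln in lines]
        vals = [int(m.group(1)) for m in matches if m]
        ok = bool(vals) and max(vals) <= max_timeout
        results[f"{name}_timeout_le_{max_timeout}"] = "pass" if ok else "fail"
    # Requirement: RSA key pair >= 2048 bits. Not derivable from this file.
    results["rsa_key_2048"] = "unknown"
    return results

if __name__ == "__main__":
    for requirement, verdict in check_config(SAMPLE_CONFIG).items():
        print(f"{requirement:28} {verdict}")
```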

This discussion has been reposted from Additional Communities to the Other Network Infrastructure Subjects community.