cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
635
Views
0
Helpful
3
Replies

Auditing Security Configuration through config file - 1

Hello All,

We need to audit various security parameters/configuration by looking at router config files. We do not have the ability to run any command on the routers.

And we need to audit routers to see if they are compliant or not.

What do I look for the config file to make sure they are compliant?

Below are the requirements (Most of these are CIS and/or DISA requirements):

#26 - Configure AAA authentication to enable user authentication for SSH.

#28 - Verify the device is configured to limit the number of SSH authentication attempts.

#33 - Verify the required syslog facility is configured and submitted when sending logging messages to a remote syslog server.

#34 - Ensure that syslog messages sent to the history table and to an SNMP network management station are limited based on severity.

#36 - Verify simple network management protocol (SNMP) trap and syslog are set to required severity level.

#44 - Current version of IOS and patch level

#45 - Verify timers are set so that the device closes connections after they become idle, to minimize impact to memory and resources available for new connections.

#47 - Verify unicast reverse-path forwarding (RPF) is enabled on all external or high risk interfaces. (Disabled)

#48 - Verify enhanced interior gateway routing protocol (EIGRP) authentication is enabled, if routing protocol is used, where feasible.

         Verify open shortest path first (OSPF) authentication is enabled, where feasible.

         Verify routing information protocol (RIP) version two authentication is enabled, if routing protocol is used, where feasible.

         Verify BGP Peer Authentication must be enabled.

#53 - Teredo Disabled (UDP 3544)

#56 - Verify AAA is enabled on all vty lines.

#60 - The password retry lockout feature is used to lock accounts after a configured number of specified login attempts.

#68 - IP Domain Lookup is disabled

#77 - AUX Port is disabled

#80 - Cisco IOS Software Resilient Configuration is enabled

#88 - The router must configure the maximum hop limit value to at least the value of X.

#113 - Disable LLDP on untrusted interfaces.

Thanking you in advance,

3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

Please refer to the document "Cisco Guide to Harden IOS Devices" at the following location:

http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

It has the explanation and associated necessary command syntax for most (if not all) of the requirements you listed.

Thank you Marvin, I will review this document/link.

I appreciate your help.

Hello Marvin,

This document did help however it does not have all my questions answered.

Once again, thanks for all the help.