01-15-2016 01:00 PM - edited 03-10-2019 12:34 AM
Hello All,
We need to audit various security parameters/configuration by looking at router config files. We do not have the ability to run any command on the routers.
And we need to audit routers to see if they are compliant or not.
What do I look for in the config file to make sure they are compliant?
Below are the requirements (Most of these are CIS and/or DISA requirements):
#26 - Configure AAA authentication to enable user authentication for SSH.
#28 - Verify the device is configured to limit the number of SSH authentication attempts.
#33 - Verify the required syslog facility is configured and submitted when sending logging messages to a remote syslog server.
#34 - Ensure that syslog messages sent to the history table and to an SNMP network management station are limited based on severity.
#36 - Verify simple network management protocol (SNMP) trap and syslog are set to required severity level.
#44 - Current version of IOS and patch level
#45 - Verify timers are set so that the device closes connections after they become idle, to minimize impact to memory and resources available for new connections.
#47 - Verify unicast reverse-path forwarding (RPF) is enabled on all external or high risk interfaces. (Disabled)
#48 - Verify enhanced interior gateway routing protocol (EIGRP) authentication is enabled, if routing protocol is used, where feasible.
Verify open shortest path first (OSPF) authentication is enabled, where feasible.
Verify routing information protocol (RIP) version two authentication is enabled, if routing protocol is used, where feasible.
Verify BGP peer authentication is enabled.
#53 - Teredo Disabled (UDP 3544)
#56 - Verify AAA is enabled on all vty lines.
#60 - The password retry lockout feature is used to lock accounts after a configured number of specified login attempts.
#68 - IP Domain Lookup is disabled
#77 - AUX Port is disabled
#80 - Cisco IOS Software Resilient Configuration is enabled
#88 - The router must configure the maximum hop limit value to at least the value of X.
#113 - Disable LLDP on untrusted interfaces.
Thanking you in advance,
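Since the audit has to work from config files alone, a small offline checker is the natural approach. The script below is an added example, not part of this thread: it splits a saved IOS running-config into global lines and indented sections, then maps a subset of the numbered items above (26, 28, 45, 47, 56, 60, 68, 77, 80, 113) to pass/fail or to the interfaces that still need attention. The sample config is constructed for the demonstration; the check names and the "3 attempts" threshold for item 28 are assumptions to adjust to your own baseline.

```python
# Constructed sample IOS config excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
aaa new-model
no ip domain-lookup
ip ssh authentication-retries 5
login block-for 60 attempts 3 within 30
secure boot-image
interface GigabitEthernet0/0
 ip verify unicast source reachable-via rx
 no lldp transmit
 no lldp receive
interface GigabitEthernet0/1
line aux 0
 no exec
line vty 0 4
 exec-timeout 10 0
 login authentication default
"""

def parse_blocks(text):  # -> (top-level lines, {section header: [indented sub-lines]})
    top, blocks, cur = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                          # skip blanks and "!" separators
        if raw.startswith(" ") and cur:
            blocks[cur].append(raw.strip())   # indented line belongs to the open section
        else:
            cur = raw.strip()                 # new global command or section header
            top.append(cur)
            blocks[cur] = []
    return top, blocks

def audit_ios_config(text):  # -> {requirement id: bool, or list of offending interfaces}
    top, blocks = parse_blocks(text)
    has = lambda prefix, lines: any(l.startswith(prefix) for l in lines)
    sect = lambda prefix: {h: b for h, b in blocks.items() if h.startswith(prefix)}
    vty, aux, ifaces = sect("line vty"), sect("line aux"), sect("interface")
    retries = [int(l.split()[-1]) for l in top if l.startswith("ip ssh authentication-retries ")]
    return {
        "26_aaa_new_model": "aaa new-model" in top,
        "28_ssh_retries_limited": bool(retries) and retries[0] <= 3,   # assumed threshold
        "45_vty_exec_timeout": bool(vty) and all(any(l.startswith("exec-timeout") and l != "exec-timeout 0 0" for l in b) for b in vty.values()),
        "47_interfaces_without_urpf": [h for h, b in ifaces.items() if not has("ip verify unicast", b)],
        "56_vty_login_authentication": bool(vty) and all(has("login authentication", b) for b in vty.values()),
        "60_login_lockout": has("login block-for", top),
        "68_domain_lookup_disabled": "no ip domain-lookup" in top or "no ip domain lookup" in top,
        "77_aux_disabled": bool(aux) and all("no exec" in b or "transport input none" in b for b in aux.values()),
        "80_resilient_config": {"secure boot-image", "secure boot-config"} <= set(top),   # both required
        "113_interfaces_with_lldp": [h for h, b in ifaces.items() if "no lldp run" not in top and not ("no lldp transmit" in b and "no lldp receive" in b)],
    }
```

Item 47 is reported as a list rather than pass/fail because only the auditor knows which interfaces are external or high risk; note that `exec-timeout 0 0` is treated as a failure for item 45 since it disables the idle timer.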
01-18-2016 07:22 AM
Please refer to the document "Cisco Guide to Harden IOS Devices" at the following location:
http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
It has the explanation and associated necessary command syntax for most (if not all) of the requirements you listed.
01-18-2016 12:55 PM
Thank you, Marvin. I will review this document/link.
I appreciate your help.
01-18-2016 03:55 PM
Hello Marvin,
This document did help; however, it does not answer all my questions.
Once again, thanks for all the help.