I am trying to find a command that will show me the currently configured ciphers on an ASA 9.3 firewall.
Also a command to configure an ASA 9.3 firewall to enable FIPS-compliant ciphers for SSH.
Thanks in advance.
I am trying to assess the security configuration (through the running-config file) of a Wireless LAN Controller.
1. The network element must be configured to time out after 60 seconds or less for incomplete or broken SSH sessions.
2. Configure 'an authorized IP Address' for 'Logging Syslog Host'.
3. If the SSID is broadcast, the SSID Beacon Interval should be set to its maximum setting.
4. Ensure 'Rogue Location Discovery Protocol' is enabled.
5. Ensure 'Control Path Rate Limiting' is enabled.
6. No more than 5 concurrent SSH sessions should be allowed.
We need to audit various security parameters/configuration by looking at router config files. We do not have the ability to run any command on the routers.
And we need to audit routers to see if they are compliant or not.
What do I look for in the config file to make sure they are compliant?
Below are the requirements (Most of these are CIS and/or DISA requirements):
#26 - Configure AAA authentication to enable user authentication for SSH.
#28 - Verify the device is configured to limit the number of SSH authentication attempts.
#33 - Verify the required syslog facility is configured and submitted when sending logging messages to a remote syslog server.
#34 - Ensure that syslog messages sent to the history table and to an SNMP network management station are limited based on severity.
#36 - Verify simple network management protocol (SNMP) trap and syslog are set to required severity level.
#44 - Current version of IOS and patch level
#45 - Verify timers are set so that the device closes connections after they become idle, to minimize impact to memory and resources available for new connections.
#47 - Verify unicast reverse-path forwarding (RPF) is enabled on all external or high risk interfaces. (Disabled)
#48 - Verify enhanced interior gateway routing protocol (EIGRP) authentication is enabled, if routing protocol is used, where feasible.
Verify open shortest path first (OSPF) authentication is enabled, where feasible.
Verify routing information protocol (RIP) version two authentication is enabled, if routing protocol is used, where feasible.
Verify BGP peer authentication is enabled.
#53 - Teredo Disabled (UDP 3544)
#56 - Verify AAA is enabled on all vty lines.
#60 - The password retry lockout feature is used to lock accounts after a configured number of specified login attempts.
#68 - IP Domain Lookup is disabled
#77 - AUX Port is disabled
#80 - Cisco IOS Software Resilient Configuration is enabled
#88 - The router must configure the maximum hop limit value to at least the value of X.
#113 - Disable LLDP on untrusted interfaces.
Thanking you in advance,
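Since the question is about auditing offline from the running-config text rather than from live commands, here is an added example (written for this reply, not a Cisco tool and not code from the thread) that parses an IOS-style config into global lines and indented `interface`/`line` sections and evaluates a subset of the listed checks (#26/#56, #28, #33, #34, #36, #45, #47, #68, #77, #80, #113). The config it runs against is constructed; the list of "external" interfaces is an assumption supplied by the caller, and the thresholds (at most 3 SSH retries, at most 10 minutes idle) are assumptions chosen to match the usual benchmark values rather than anything stated in the post. Checks whose command is absent are reported as failed, because an absent line cannot be verified from the file alone.

```python
"""Offline audit of an IOS-style running-config against a subset of the
checks listed above. Example code for this reply, not a Cisco tool; the
config below is constructed and the external-interface list is an
assumption passed in by the caller."""
import re

# Constructed sample running-config (not taken from any real device).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
ip ssh authentication-retries 3
secure boot-image
secure boot-config
logging facility local6
logging trap informational
logging host 192.0.2.10
snmp-server enable traps snmp authentication
interface GigabitEthernet0/0
 description OUTSIDE
 ip address 198.51.100.2 255.255.255.252
 ip verify unicast source reachable-via rx
 no lldp transmit
 no lldp receive
interface GigabitEthernet0/1
 description INSIDE
 ip address 10.0.0.1 255.255.255.0
line aux 0
 no exec
 transport input none
line vty 0 4
 exec-timeout 10 0
 login authentication default
 transport input ssh
"""

def parse_config(text):
    """Split an IOS config into global lines and indented sections keyed by header."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):            # child line of the last section header
            if current is not None:
                sections[current].append(raw.strip())
        else:
            line = raw.strip()
            if line.startswith(("interface ", "line ")):
                current = line
                sections.setdefault(current, [])
            else:
                current = None
                global_lines.append(line)
    return global_lines, sections

def audit(text, external_interfaces):
    """Return {check_id: (passed, what_was_checked)} for the covered checks."""
    g, s = parse_config(text)
    def has(pattern):
        return any(re.match(pattern, line) for line in g)
    vty = {k: v for k, v in s.items() if k.startswith("line vty")}
    r = {}
    # #26 / #56: AAA enabled globally and every vty line bound to a login method list
    r["#26/#56"] = (has(r"aaa new-model$") and bool(vty) and all(
        any(l.startswith("login authentication ") for l in v) for v in vty.values()),
        "aaa new-model + 'login authentication' on all vty lines")
    # #28: SSH authentication attempts capped (assumed threshold: 3)
    m = next((re.match(r"ip ssh authentication-retries (\d+)$", l) for l in g
              if l.startswith("ip ssh authentication-retries")), None)
    r["#28"] = (bool(m) and int(m.group(1)) <= 3, "ip ssh authentication-retries <= 3")
    # #33: remote syslog host plus an explicit facility
    r["#33"] = (has(r"logging host \S+") and has(r"logging facility \S+"),
                "logging host + logging facility")
    # #34 / #36: history-table and trap severities explicitly limited
    r["#34"] = (has(r"logging history \S+"), "logging history <severity>")
    r["#36"] = (has(r"logging trap \S+"), "logging trap <severity>")
    # #45: idle vty sessions closed; 'exec-timeout 0 0' disables the timer entirely
    def timeout_ok(lines):
        for l in lines:
            m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", l)
            if m:
                minutes, seconds = int(m.group(1)), int(m.group(2) or 0)
                return (minutes, seconds) != (0, 0) and minutes <= 10
        return False                        # not explicit in the file: unverified
    r["#45"] = (bool(vty) and all(timeout_ok(v) for v in vty.values()),
                "exec-timeout <= 10 min on all vty lines")
    # #47 / #113: per-interface checks on the caller-supplied external interfaces
    ext = {i: s.get(f"interface {i}", []) for i in external_interfaces}
    r["#47"] = (bool(ext) and all(any(l.startswith("ip verify unicast") for l in v)
                                  for v in ext.values()), "uRPF on external interfaces")
    r["#113"] = (has(r"no lldp run$") or (bool(ext) and all(
        "no lldp transmit" in v and "no lldp receive" in v for v in ext.values())),
        "LLDP off globally or on external interfaces")
    # #68: DNS lookups off (both spellings occur across IOS releases)
    r["#68"] = (has(r"no ip domain[- ]lookup$"), "no ip domain lookup")
    # #77: AUX port unusable for login
    aux = s.get("line aux 0", [])
    r["#77"] = ("no exec" in aux and "transport input none" in aux,
                "line aux 0: no exec + transport input none")
    # #80: IOS Resilient Configuration protects both image and config
    r["#80"] = (has(r"secure boot-image$") and has(r"secure boot-config$"),
                "secure boot-image + secure boot-config")
    return r

def failed_checks(text, external_interfaces):
    """IDs of the checks that did not pass, for a quick findings list."""
    return sorted(k for k, (ok, _) in audit(text, external_interfaces).items() if not ok)

if __name__ == "__main__":
    for cid, (ok, what) in audit(SAMPLE_CONFIG, ["GigabitEthernet0/0"]).items():
        print(f"{cid:8s} {'PASS' if ok else 'FAIL'}  {what}")
```

Run against the constructed config it reports #34 (no `logging history` line) and #68 (no `no ip domain lookup`) as failures and everything else as passing. The same parse-then-check structure extends to the routing-protocol items (#48) by inspecting `router ospf` / `router eigrp` / `router bgp` sections and interface-level `ip ospf authentication` lines, but which interfaces count as "external" or "untrusted" has to come from your own inventory, not from the config file.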