cisco router mbss

Upload: suresh-rao-j

Post on 19-Oct-2015


Node Name: Cisco Router

Uninor Internal

Minimum Baseline Security Standard (MBSS): Cisco Router

Applicability: Cisco 6509, Cisco 7609 and Cisco 7200

Unitech Wireless TamilNadu (P) Ltd.

Copyright: All rights reserved. No part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without prior written permission of Unitech Wireless TamilNadu (P) Ltd. The information contained in this document is confidential and proprietary to Unitech Wireless TamilNadu (P) Ltd. and may not be used or disclosed except as expressly authorized in writing by Unitech Wireless TamilNadu (P) Ltd.

Trademarks: Other product names mentioned in this document may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.

Table of Contents

Introduction .......... 4
Use of the Document .......... 4
WARNING .......... 4
Purpose .......... 5
General Security Controls .......... 6
Control Categories .......... 7
Detailed security controls .......... 8

Introduction

This document is intended to assist the operations team in deploying the minimum baseline security configuration on the node. This configuration standard details many important items such as user account management, password management, interfaces, ports, audit logging, monitoring and node-specific security configuration. However, because operating system security issues and configurations change constantly, this document should be considered a general guideline and starting point.

Use of the Document

The MBSS document is for INTERNAL USE ONLY. It should be kept within the organization and treated as Uninor Internal, as per the Information Classification Guidelines in the Uninor Information Security Policy ver 3.0. It is not to be distributed to Original Equipment Manufacturers and/or Managed Service Partners.

WARNING

This MBSS document and the accompanying guidance material are technically complex and are designed for use by trained security specialists performing the work under the direction of either a security partner or manager. Operations teams wishing to have these services performed for an organization should contact the designated security support staff within their office or territory. Partners or managers should ensure that staff assigned to perform the work have the necessary technical training and have the appropriate technical reference materials and specialist support. Staff should, therefore, obtain partner approval before using this material.

Purpose

This MBSS document relates to Cisco routers. It is intended for use by technical security practitioners for the implementation of minimum General Security Controls. A technical environment is comprised of a number of inter-related elements that include:

  • Applications;
  • Databases;
  • Communications infrastructure elements; and
  • Hardware.

The primary focus of this technical practice aid is to provide a minimum baseline security standard for Cisco Routers that covers the properties, features and operating system of the respective product.

General Security Controls

General Security Controls work requires the examination of both technology-specific and technology-independent controls. For example, configuration parameter, program and data file security controls will normally be specific to the underlying technical environment, whereas security process review controls will largely be independent of the technical environment in use. Often, it is a combination of these two types of controls that provides the most robust approach to the implementation of an effective control environment. For example, whilst a number of technology-specific auditing controls can be implemented, unless a procedure exists for reviewing and acting upon the logged information, the technical control is ineffective. To complete comprehensive general security controls, in addition to the MBSS document, the operations team will require an understanding of the following platform-independent areas:

  • Uninor Information security policy and procedures;
  • Change and Problem Management;
  • Incident Management;
  • System Development;
  • Disaster Recovery and Contingency Planning; and
  • Physical Security.

Control Categories

The following control categories are included in the MBSS document.

Control Category 1: User Accounts and Groups
A control that restricts user access to the platform; this includes account permissions, sensitive system user interfaces, and related items.

Control Category 2: Password Management
A control that must be enabled/implemented to ensure that only true and authorized users gain access to a system; this includes parameters such as password complexity, aging and account locking.

Control Category 3: Interface, Ports and Services
A control that must be performed either manually or automatically on a regular basis to disable or delete unused ports and services and to restrict services that transfer data in clear text.

Control Category 4: System Updates
A control that must be performed either manually or automatically on a regular basis. This includes any procedure that a security administrator or system administrator would continually or periodically perform, such as installation of hot fixes, security patches, etc.

Control Category 5: File Access Control
A control that restricts access to critical configuration files, operating systems, etc.

Control Category 6: Audit logging and Monitoring
Any control that assists in, or performs, system event logging or the monitoring of the security of the system.

Control Category 7: Node properties and feature configurations
A control that must be enabled/implemented via a system-level parameter, or upon installation of the node/device, that affects the technology at an overall system level; this includes network services enabling/disabling, boot sequence parameters, system interfaces, etc.

Detailed security controls:

The controls table has the columns SN, Control Area, Control Description, Control Objective/Rationale, Implementation Guidance, Mitigating Control (if any) and Implementation Status. Each control below is listed by number and area, followed by the columns that are populated for it.

1. User Accounts and Groups

1.1 Unique User ID

Control Description: Individual users should be assigned separate user IDs for router authentication in accordance with the Uninor Information Security Policy.

Control Objective/Rationale: Generic accounts provide no accountability for actions taken using the account. This could result in abuse of access and potential malfunction of the network. In addition, if the default login account is used, it becomes very easy to use a brute-force cracking utility to get the password. A username/password pair makes brute-force techniques harder, but not impossible.

1.2 Privileged accounts

Control Description: User IDs which disclose the privileges associated with them should not be created (for example ADMINISTRATOR, monitor, config, etc.).

Control Objective/Rationale: Knowing the name of an account on a machine can be valuable information to an attacker. Enforcing this security control makes it more difficult for unauthorized users to guess and gain access to accounts such as ADMINISTRATOR, monitor, config, etc., and ultimately the system.

1.3 Default Accounts

Control Description: Factory default user accounts and guest user accounts on routers must be removed.

Control Objective/Rationale: Disabling the factory default user accounts will prevent unknown users from being authenticated. Disabling these accounts will reduce the system's remote unauthenticated attack surface and ensure that only specific security principals can access resources on the system.

1.4 Dormant Accounts

Control Description: Dormant user accounts should be deactivated after the number of days specified in the Uninor Information Security Policy guidelines for inactive accounts.

Control Objective/Rationale: Dormant user accounts increase the risk that unauthorized users could use these accounts to gain access to the system.

2. Password Management

2.1 Password levels

Control Description: Strong system passwords should be used for the EXEC and PRIV EXEC levels.

Control Objective/Rationale: If a weak password is used, unauthorized users may be able to guess the router's password and obtain access to the router.

2.2 Password Encryption

Control Description: All routers in the environment should require CON, VTY and AUX passwords to be encrypted in the configuration file.

Control Objective/Rationale: If passwords are not encrypted they are visible in clear text in the router configuration file.

2.3 Encryption Algorithm

Control Description: Passwords should be protected using an encryption algorithm.

Control Objective/Rationale: Weak passwords increase the risk that unauthorized individuals may compromise the router and sensitive network information may be revealed.

2.4 Administrator Password

Control Description: The administrative password should be protected using an encryption algorithm in accordance with the Uninor Information Security policy.

Control Objective/Rationale: Weak password encryption increases the risk that unauthorized individuals may compromise the router and sensitive network information may be revealed.

2.5 Default Passwords

Control Description: Default passwords on the router should be changed upon installation. In addition, these passwords should be complex and conform to the Uninor Security Policy.

Control Objective/Rationale: Application default passwords are widely known and are typically the initial targets for attacks. The risk that unauthorized access will be obtained is increased if these passwords are not changed.

2.6 Account Lock

Control Description: The account lockout feature, which disables an account after a number of failed login attempts, should be enabled and the related parameters should be set in accordance with the Uninor security policy and guidelines.

Control Objective/Rationale: Unauthorized users may gain access to a system by running a program which guesses user passwords through brute-force attacks. Without the lockout feature enabled, the chance of successful compromise of system resources through brute-force password guessing increases.

3. Interface, Ports and Services

3.1 Cisco hardware Services

Control Description: Mission-critical routers should utilize hardware support programs.

Control Objective/Rationale: Support programs can provide immediate assistance in case of a hardware disaster. For example, in case of a fire, an emergency router may need to be shipped to the premises.

Implementation Guidance / Status: Shashilendra to check and confirm whether hardware is available or not.

3.2 Cisco fail over Services

Control Description: Mission-critical routers should take advantage of Cisco's fail-over capabilities.

Control Objective/Rationale: Cisco IOS and hardware offer advanced fail-over capabilities in case of hardware or software failure. Mission-critical routers (typically core routers) are good candidates to take advantage of the Cisco fail-over capabilities.

3.3 System Services

Control Description: Disable unauthorized services/daemons on the router based on the Uninor Information security policy. Identify authorized services running on the device via vulnerability assessment and disable unauthorized services. Only those services that serve a documented operational or business need should be listening on the node.

Control Objective/Rationale: Unauthorized services/daemons allow unauthenticated access to a system and let users transfer files, interfere with the system's functioning, etc. A system with services such as FTP enabled can be used as a depot for the unauthorized transfer of information. A system with the Telnet service enabled can be used to run a spurious process on the system, adding dead weight to the processor load.

Implementation Guidance: The services which will be considered for this point are FTP, TELNET, HTTP and TFTP. TFTP is allowed for config/firmware copy. If TELNET is required, an exception should be raised for the same.

4. System Updates

4.1 Patch Upgrades

Control Description: Routers should be running a recent version of Cisco IOS and all appropriate patches should be applied.

Control Objective/Rationale: Patches are released to correct known problems with the system and may include patches that address technical security vulnerabilities and weaknesses that may lead to the compromise of access on the system. If an operating system is not kept current, the device may be susceptible to information gathering and network attacks. Attackers find weaknesses in versions of an operating system over time. New security features are added to each new version of an operating system.

Implementation Guidance / Status: IOS upgrades are only done if a new feature needs to be added or if recommended by Wipro Escare/Cisco TAC. We also do not have a test pad. The Network team will keep track of these upgrades, which will be shared as an artifact with the auditor if required.

4.2 Vulnerability Check

Control Description: Before deploying the device into the production environment, as well as on a regular basis post deployment, the device must be scanned and cleaned of vulnerabilities.

Control Objective/Rationale: The device should be scanned with a vulnerability scanner. Most vendors have major known vulnerabilities detailed on their websites. Any vulnerability identified should be immediately closed by upgrades/patches or vendor-detailed recommendations. Patches should be deployed in accordance with the Uninor Patch Management Procedure.

5. File Access Control

5.1 Restrict file access

Control Description: All network file servers containing router configuration files should be properly restricted.

Control Objective/Rationale: If configuration files are downloaded from servers via TFTP, anyone who can access the network file server can modify the router configuration file.

5.2 Configuration backup

Control Description: Perform backups of the running configuration to the router's Flash/NVRAM memory. Fault tolerance, backup, and recovery procedures should be documented in accordance with the Uninor Information Security Policy.

Control Objective/Rationale: Fault tolerance, backup, and recovery procedures promote network availability and recoverability. Without such procedures, unexpected downtime could have a severe impact on the business. Create fault tolerance, backup, and recovery procedures in accordance with the Uninor Information Security Policy.

5.3 Restrict file access

Control Description: Access (Read/Write/Modify) to sensitive router configuration files should be restricted from unauthorized personnel.

Control Objective/Rationale: Unrestricted access may let unauthorized users modify or delete sensitive system and configuration files, which may further lead to unstable performance of the Cisco router.

5.4 Legal notice banner

Control Description: A legal notice and warning should be implemented in order to provide adequate protection and awareness of legal issues. Configure the Uninor authorized login banner on the router as specified in the Uninor Information Security Policy.

Control Objective/Rationale: Displaying a legal warning ensures that users are aware of the consequences of unauthorized access and assists in conveying the protection of corporate assets.

6. Audit, Logging and Monitoring

6.1 Audit, Logging and monitoring

Control Description: Policies and procedures should exist to review audit logs.

Control Objective/Rationale: Proper policies for reviewing router security logs and activity are crucial for preventing and monitoring unauthorized access to the networking environment.

Implementation Guidance / Status: User access to devices is configured through TACACS and logs are maintained. For logging of other parameters, a feasibility check for integration with the SIEM tool at an appropriate logging level needs to be done.

6.2 Audit, Logging and monitoring

Control Description: Wherever possible, SNMPv3 should be deployed to provide enhanced authentication and data encryption. SNMPv2c should be used if SNMPv3 is not a supported feature on the Cisco device. The following devices support SNMPv3: Cisco 700 series, Cisco 1000 series, Cisco 1600 series, Cisco 2500 series, Cisco 2500 series access servers, Cisco 3600 series, Cisco 3800 series, Cisco 4000 series, Cisco 4500 series, Cisco AS5100 access server, Cisco AS5200 universal access server, Cisco AS5300 access server, Cisco 7000 series, Cisco 7200 series, Cisco 7500 series.

Control Objective/Rationale: SNMPv3 includes support for MD5/SHA authentication and DES encryption of communications. This helps protect sensitive system information from traversing the network in the clear. SNMPv2c and SNMPv3 also take advantage of GET BULK transactions, in which multiple pieces of information can be queried and retrieved without having to make additional requests. This control is for routers connected to untrusted networks.

Implementation Guidance / Status: Need to check with the Tools team. Owner is Neeraj Raina.

6.3 Audit, Logging and monitoring

Control Description: Routers should log system events such as interface status changes, changes to the system configuration, and access list matches.

Control Objective/Rationale: If logging is not enabled for system events, there is an increased risk that unauthorized access to the router will go undetected. Additionally, there will be no ability to identify the source of the intrusion.

Implementation Guidance / Status: User access to devices is configured through TACACS and logs are maintained. For logging of other parameters, a feasibility check for integration with the SIEM tool at an appropriate logging level needs to be done.

6.4 Audit, Logging and monitoring

Control Description: Log messages generated through AAA or syslog should be archived for at least 6 months or as required by corporate standards.

Control Objective/Rationale: Audit logs must be maintained and kept for legal and audit purposes. Removal of these logs could expose the company to unnecessary liability and loss of litigation authorities.

Implementation Guidance / Status: Need to check with the SIEM team.

6.5 Audit, Logging and monitoring

Control Description: Logging should be sent to a central syslog server to consolidate log entries and act as an archival mechanism. This should be done to complement console logging.

Control Objective/Rationale: A central logging server can act as a central repository for log messages. Without this, log messages may be lost in the event the router is disabled by technical glitches or a directed attack.

Implementation Guidance / Status: Need to check with the SIEM team.

6.6 Audit, Logging and monitoring

Control Description: All routers being monitored via SNMP should have non-default SNMP community strings. Routers not being monitored via SNMP should have SNMP disabled. In addition, only specific management stations should be allowed to poll the device through SNMP.

Control Objective/Rationale: Read-only and read-write SNMP access to a Cisco router can allow an intruder to gain unauthorized access to the Cisco router. Default SNMP strings, such as public and private or read and write, are easily guessed by potential intruders. Access lists will reduce the chances of unauthorized hosts making queries to the SNMP device.

6.7 Audit, Logging and monitoring

Control Description: All routers in the environment should require user login for terminal access (terminal line ports).

Control Objective/Rationale: By default, access to these ports is not password protected. If the login directive is not given in the Cisco configuration, anyone with network visibility to the router can gain command prompt access.

6.8 Audit, Logging and monitoring

Control Description: Routers should not have modems connected to them.

Control Objective/Rationale: Modems represent a potential point of access for unauthorized users. Discovering a modem can be easily done if the phone number lies within a prefix normally associated with the corporate voice numbers. If a password is not required to access this device over dial-up, then it could lead to the disclosure of sensitive network information and the compromise of additional devices.

6.9 Secure Console Access

Control Description: Console access must be protected by using adequate controls such as strong passwords.

Control Objective/Rationale: Any method used to access the console port of a device must be secured in a manner that is equal to the security that is enforced for privileged access to a device. A Cisco device's console port is the most important port on the device. Password recovery on the device can only be done using the console port. Cisco devices are vulnerable if there is physical access to the devices. However, if someone is trying to access the console port of the router remotely, an additional layer of security should be applied by prompting the user for a password.

6.10 Reserve memory for Console Access

Control Description: If applicable, reserve memory for console access to ensure access for administrative and troubleshooting purposes.

Control Objective/Rationale: The Reserve Memory for Console Access feature can be used to reserve enough memory to ensure console access to a Cisco IOS device for administrative and troubleshooting purposes. This feature is especially beneficial when the device runs low on memory. The memory reserve console global configuration command can be used to enable this feature.

6.11 Disable AUX port

Control Description: The AUX port of a device must be disabled to prevent unauthorized access.

Control Objective/Rationale: The auxiliary port's primary purpose is to provide remote administration capability. It can allow a remote administrator to use a modem to dial into the Cisco device. The AUX port should be disabled if there is no business need for it. Any specific business requirement for enabling it should be properly documented. Additionally, if the auxiliary port is required for remote administration, the callback feature should be configured to dial a specific preconfigured telephone number for additional security.

7. Node properties and feature configurations

7.1 System Configuration

Control Description: Access lists should prevent IP spoofing attacks.

Control Objective/Rationale: If IP spoofing is allowed, it is possible that unauthorized traffic may bypass access control lists on the router by claiming that the traffic came from the internal network.

7.2 System Configuration

Control Description: Routers should use access lists to restrict which hosts can access remote terminal sessions.

Control Objective/Rationale: Allowing anyone on the network access to the login prompt increases the risk of unauthorized access to the router.

7.3 System Configuration

Control Description: Where appropriate, Cisco access lists should be used to filter inbound and outbound traffic.

Control Objective/Rationale: By only allowing a subset of network traffic to enter or exit business-critical networks, security risks can be greatly minimized. For example, if the majority of a corporation only needs access to the HTTP port on a particular machine, access lists can be used to restrict all traffic, except HTTP, to that machine, minimizing the opportunities for attack. It is important to note, however, that enabling access lists has a significant performance impact. While the impact is negligible on border routers, enabling access lists on core routers should be carefully reviewed for performance impact before proceeding.

7.4 System Configuration

Control Description: Remote access routers should use CHAP authentication for PPP connections.

Control Objective/Rationale: If CHAP is not used, an eavesdropper could obtain remote access authentication information through wiretapping. CHAP provides an encrypted challenge and response before full PPP encapsulation is initiated.

7.5 System Configuration

Control Description: Route authentication should be used in environments utilizing protocols such as RIPv2, OSPF, BGP, and EIGRP.

Control Objective/Rationale: If a router receives a fraudulent update, the router could be tricked into forwarding traffic to the wrong destination. This could cause sensitive data to be exposed, or could cause network communications to be interrupted.

7.6 System Configuration

Control Description: The Network Time Protocol (NTP) should be used and enabled with authentication. Additionally, specific NTP hosts should be configured for the router to synchronize to.

Control Objective/Rationale: NTP provides administrators with the ability to request time synchronization using a key phrase as authentication. This helps lower the risk of an intruder corrupting the devices' internal clocks, which may further corrupt log timestamps and weaken forensic capabilities. Synchronized time makes it possible to associate syslog and Cisco IOS debug output with specific events across multiple devices. Configure NTP only on required interfaces, and configure NTP to listen only to certain specified peers. If the NTP service is not enabled, there may not be clock synchronization between networking devices and a consistent time would not be maintained, which is essential for diagnostic and security alerts and log data. Also, if configured insecurely, it could be used to corrupt the time clock of the network devices. To prevent this, restrict which devices have access to NTP.

7.7 System Configuration

Control Description: Where possible, access to the router should be governed by AAA authentication and authorization.

Control Objective/Rationale: AAA (Authentication, Authorization, and Accounting) provides more granular levels of accounting and access privileges. These can be helpful in complex environments where resources are being accessed by different users in multiple ways.

7.8 System Configuration

Control Description: Access lists should log activity not explicitly allowed in the access list.

Control Objective/Rationale: Logging can exist on any access list; however, providing logging on the access list entry that denies all traffic can be used to examine unwarranted attempts to access the network.

7.9 System Configuration

Control Description: TCP and UDP small services should be disabled.

Control Objective/Rationale: The small-servers services run by default on Cisco routers through IOS version 11.3 and are intended for diagnostics. However, these services are typically not used and can be exploited for Denial of Service (DoS) attacks.

  • Node Name: Cisco Router Minimum Baseline Security Standard

    Uninor Internal 26

    SN Control Area

    Control Description

    Control Objective/Rationale

    Implementation Guidance Mitigating Control, If any

    Implementation Status

    7.10 System Configuration

    The Maintenance Operation Protocol (MOP) should be disabled.

    Unauthorized users can use MOP to manage the routers. The protocol has minimal built-in security.

    7.11 System Configuration

    IP Directed Broadcasts should be disabled.

    IP Directed Broadcasts allow one host a LAN segment to send a broadcast message to separate LAN segment. IP Directed Broadcasts are commonly used in Denial-of-Service based attacks.

    7.12 System Configuration

    Route caching should be disabled.

    Cached addresses may be utilized to bypass current routing tables and ACLs.

    7.13 System Configuration

    IP Unreachable messages should be disabled.

    If enabled, this feature can aid an attacker in mapping network topologies and architectures.

    7.14 System Configuration

    Proxy ARP should be disabled.

    Address Resolution Protocol (ARP) is used to translate network addresses into media addresses. These translations are generally restricted to local area network segments, which enforces a security boundary between LAN segments. Proxy ARP allows a Cisco device to act as an intermediary for ARP requests, responding to inquiries on behalf of hosts on other segments. This creates transparent access between multiple LAN segments and can lead to a security compromise.

    7.15 System Configuration

    The IP Alias command should be disabled.

    Administrators can use the ip alias command to assign multiple IP addresses to the router. For example, in addition to the primary alias address, addresses can be specified that correspond to lines or rotary groups. Using the ip alias command in this way makes the process of connecting to a specific rotary group transparent to the user. If the ip alias command is enabled on Cisco products, TCP connections to any destination port are considered valid connections.

    7.16 System Configuration

    Illegal UDP packets should not be allowed to be sent to the syslog port.

    If not securely configured, illegal UDP packets may be sent to the syslog port, causing a denial of service on the router.


    7.17 System Configuration

    IP Source Routing should be disabled.

    IP Source Routing is a feature that allows individual IP data packets to specify their own routes. If IP Source Routing is enabled, the router merely acts as a store-and-forward device: when it receives such a packet, it simply forwards it along the path the packet dictates. This feature is rarely used and can be helpful in attacks.

    7.18 System Configuration

    CDP (Cisco Discovery Protocol) should be disabled on all external interfaces.

    CDP is typically not used and provides a means for accessing information on the router's IOS version, hardware status, throughput, and other network-related information.

    We require CDP for troubleshooting purposes. An exception can be raised if required (network team).

    7.19 System Configuration

    Passive interfaces should be used to prevent interfaces from sending routing updates.

    OSPF routing updates sent by a router may advertise internal network topologies to untrusted third parties connected to that router. Interfaces that routinely advertise routing information may also impede network efficiency, especially if neighboring routers are using other routing protocols or using static routes.

    7.20 System Configuration

    IPSec should be implemented where sensitive data traverses untrusted or semi-trusted internal networks.

    Sensitive information may be the target of sniffing attacks by intruders. If transactions are occurring that contain highly confidential information, they may be vulnerable to sniffing if they are not encrypted. Hash algorithms will help mitigate a loss of data integrity should the data be manipulated in transit.

    7.21 System Configuration

    Configurations should be implemented to reduce the likelihood of a TCP SYN attack.

    TCP SYN attacks are used to fill router queues degrading performance, and potentially creating a Denial of Service.

    7.22 System Configuration

    IP Redirects should be disabled.

    In a properly functioning network, a router will send ICMP redirects only to hosts on its own local subnets, no end node will ever send a redirect, and no redirect will ever be traversed more than one network hop.

    However, if ICMP Redirects are enabled, a router will send redirects to more than one network hop. An attacker may use this functionality to violate these rules and dictate a false path. Also, this can help an attacker in mapping the physical topology of the targeted network.

    7.23 System Configuration

    Where necessary, border routers should utilize Network Address Translation (NAT) to protect the IP addresses of the internal network.

    NAT is generally applied to routers connecting networks to the Internet; it provides an additional level of security when combined with the non-routable IP address ranges on the Internet (RFC 1018). Without using NAT, client networks are exposed to an increased danger of unauthorized traffic, which may allow external sources to target and gain information about the network.


    7.24 System Configuration

    The finger service should be disabled.

    The finger service is a user lookup service that can be used by attackers to enumerate user account information.

    7.25 System Configuration

    Web-based router administration (HTTP) should be disabled.

    New versions of the Cisco IOS support web-based router administration. This administration is accomplished via the HTTP protocol. An attacker can launch focused web-based attacks over ports 80 and 443. For example, a vulnerability exists that allows an attacker to view the router configuration using an HTTP exploit. If an attacker is able to view this configuration he/she will also be able to view the encrypted passwords for enable and for vty, aux and con sessions.

    7.26 System Configuration

    The Bootp Server option should be disabled.

    Bootp is used to load operating systems over the network. In the case of Cisco routers, the capability exists for a router to act as a bootp server for other Cisco devices. Bootp is rarely needed and may open a security hole. If a Cisco router acting as a Bootp server were to be compromised, an alternative version of Cisco IOS could be installed on all listening Cisco devices.

    7.27 System Configuration

    The Auto-Loading option should be disabled.

    Auto-Loading allows a Cisco router configuration to be loaded at startup from either local memory or from the network. Loading the router configuration from a network source is not secure and should be avoided, as an attacker could load alternative router configurations.

    7.28 System Configuration

    IP Classless Behavior should be disabled.

    When Classless Routing Behavior is enabled a router will forward data packets even if the packets do not have a defined path. This can aid an attacker in reaching otherwise protected targets.


    7.29 System Configuration

    IP Mask reply messages should be disabled.

    Not restricting IP Mask Reply messages can aid an attacker in mapping the physical topology of the targeted network.

    7.30 System Configuration

    Restrict Domain Name Resolution to valid hosts.

    Cisco IOS supports looking up host names using the Domain Name System (DNS). Not restricting DNS requests allows an attacker to enumerate additional systems known to the DNS server. This type of attack is known as a DNS Zone Transfer.

    7.31 System Configuration

    The Unicast Reverse option should be enabled.

    Not enabling this feature creates the risk that an internal system could be used in a Distributed Denial of Service attack.

    7.32 System Configuration

    All routers in the environment should have appropriate session timeout values assigned.

    Session timeouts provide additional security against consoles that are left unattended. If a user can gain access to a console left unattended they can modify the router's configuration.

    7.33 System Configuration

    Remove all unnecessary transports on virtual terminals.

    VTY connections allow interactive router sessions and, if compromised, could allow an unauthorized user to make changes to a router configuration. Users of VTY only require character access to the router and nothing else. Other transports, such as pad, rlogin, and V120, should be restricted.

    7.34 System Configuration

    All routers in the environment should have appropriate login banners.

    Without appropriate login banners notifying users that unauthorized access to a system is prohibited, legal prosecution of intruders may be difficult or impossible.

    7.35 System Configuration

    Routers should be configured to abort vty interactive sessions that were terminated in an abnormal way.

    Enabling TCP keepalives on incoming connections will provide reasonable assurance that any sessions left hanging by a remote system crash or disconnection will not block or use up the available router vty ports.

    7.36 System Configuration

    Interfaces should have an appropriate description assigned to them and unused interfaces should be shut down.

    Detailed descriptions of connections will make it easier for administrators to review what types of connections are being made to the router. Also, unused interfaces that are left up may leave a network open to attack.


    7.37 System Configuration

    In networks that rely on several network administrators with varying responsibilities, different levels of PRIV EXEC access should be defined to restrict what commands each user can execute on the router.

    It may not be necessary for all administrators or users to have full privileged access to the router. Administrators that do not require this functionality may make unauthorized changes to the configuration.

    7.38 System Configuration

    SSH should be used to remotely access a router.

    Telnet sessions transmit information, including usernames and passwords, in clear text. If an unauthorized user were to capture this information, it may place critical network devices at risk of compromise.

    7.39 System Configuration

    Enable accounting to send information about each command that is entered to the configured TACACS+/RADIUS server.

    The information sent to the TACACS+/RADIUS server includes the command executed, the date it was executed, and the username of the user entering the command.


    Author & Reviewer

    Created by: Information Security Team (Date: 18 Dec 2012)
    Reviewed by: Vishal Gupta (Date: 24th Dec 2012)

    Approvals

    Head - Operations, Date:
    Head NOC, Date:

    Head Managed Services, Date:
    Head - Information Security: Saurabh Agarwal, Date: 29th Jan 2013