draft
XCCDF Sample for Cisco IOS
This document defines a small set of rules for securing Cisco
IOS routers. The set of rules constitute a benchmark.
A benchmark usually represents an industry consensus of best
practices. It lists steps to be taken as well as rationale for
them. This example benchmark is merely a small subset of the
rules that would be necessary for securing an IOS router.
This document may be copied and used subject to the
subject to the NIST terms of use
(http://www.nist.gov/public_affairs/disclaim.htm)
and the NSA Legal Notices
(http://www.nsa.gov/notices/notic00004.cfm?Address=/).
This benchmark assumes that you are running IOS 11.3 or later.
NSA Router Security Configuration Guide, Version 1.1c
Hardening Cisco Routers
Thomas Akin
O'Reilly and Associates
http://www.ora.com/
Cisco Internet Operating System (tm)
0.1.15
0.0
1000
Sample Profile No. 1
30
Sample Profile No. 2
10
IOS - line exec timeout value
The length of time, in minutes, that an interactive session
should be allowed to stay idle before being terminated.
Session exec timeout time (in minutes)
10
15
1
60
Management Plane Rules
Services, settings, and data streams related tosetting up
and examining the static configuration of the router, and the
authentication and authorization of administrators/operators.
IOS - no IP finger service
Disable the finger service, it can reveal information
about logged in users to unauthorized parties.
(For version 11.3 and later.)
Prohibit the finger service
Turn off the finger service altogether,
it is very rarely used.
IOS 11 - no IP finger service
no service finger
IOS 12 - no IP finger service
no ip finger
Require exec timeout on admin sessions
Configure each administrative access line to terminate idle
sessions after a fixed period of time determined by local policy
Require admin session idle timeout
Half an hour
Ten minutes or less
line vty 0 4
exec-timeout
Control Plane Rules
Services, settings, and data streams that support the
operation and dynamic status of the router.
Check rules related to system control
Logging level for buffered logging
Logging level for buffered logging; this setting is
a severity level. Every audit message of this
severity or more (worse) will be logged.
Select a buffered logging level
informational
warning
notification
warning
notification
informational
Disable tcp-small-servers
Disable unnecessary services such as echo, chargen, etc.
Prohibit TCP small services
Disable TCP small servers in IOS global config mode.
no service tcp-small-servers
Disable udp-small-servers
Disable unnecessary UDP services such as echo, chargen, etc.
Forbid UDP small services
Disable UDP small servers in IOS global config mode.
no service udp-small-servers
Ensure buffered logging enabled at proper level
Make sure that buffered logging is enabled, and that
the buffered logging level to one of the appropriate
levels, Warning or higher.
Check buffered logging and level
logging on
logging buffered
Data Plane Level 1
Services and settings related to the data passing through
the router (as opposed to directed to it). Basically, the
data plane is for everything not in control or mgmt planes.
Check rules related to data flow
Routing Rules
Rules in this group affect traffic forwarded through the
router, including router actions taken on receipt of
special data traffic.
Apply standard forwarding protections
IOS - no directed broadcasts
Disable IP directed broadcast on each interface.
Forbid IP directed broadcast
Disable IP directed broadcast on each interface
using IOS interface configuration mode.
interface
no ip directed-broadcast
Sample Results Block
Test run by Bob on Sept 25
lower.test.net
192.168.248.1
2001:8::1
02:50:e6:c0:14:39
1
1
1
1
12.3(14)T
10
pass
pass
fail
pass
Test override
console
line console
exec-timeout 10 0
notselected
67.5
157.5