draft
XCCDF Sample for Cisco IOS
This document defines a small set of rules for securing Cisco
IOS routers. The set of rules constitute a benchmark.
A benchmark usually represents an industry consensus of best
practices. It lists steps to be taken as well as rationale for
them. This example benchmark is merely a small subset of the
rules that would be necessary for securing an IOS router.
This sample may be freely copied and used, at least for now.
This benchmark assumes that you are running IOS 11.3 or later.
NSA Router Security Configuration Guide, Version 1.1b
Hardening Cisco Routers
Thomas Akin
O'Reilly and Associates
http://www.ora.com/
Cisco IOS 12.x
All IOS up through 12.3
Cisco Systems
IOS
12
12.3.1
12.3.8
Cisco routers
Cisco Systems
router
Cisco IOS version 12 for Routers
0.1.12
IOS - line exec timeout value
The length of time, in minutes, that an interactive session
should be allowed to stay idle before being terminated.
Session exec timeout time (in minutes)
10
15
1
60
Management Plane Rules
Services, settings, and data streams related tosetting up
and examining the static configuration of the router, and the
authentication and authorization of administrators/operators.
IOS - no IP finger service
Disable the finger service, it can reveal information
about logged in users to unauthorized parties.
Prohibit the finger service
IOS 11 - no IP finger service
no service finger
IOS 12 - no IP finger service
no ip finger
Require exec timeout on admin sessions
Configure each administrative access line to terminate idle
sessions after a fixed period of time determined by local policy
Require admin session idle timeout
line vty 0 4
exec-timeout
Control Plane Rules
Services, settings, and data streams that support the
operation and dynamic status of the router.
Check rules related to system control
Logging level for buffered logging
Logging level for buffered logging; this setting is
a severity level. Every audit message of this
severity or more (worse) will be logged.
Select a buffered logging level
informational
warning
notification
warning
notification
informational
Disable tcp-small-servers
Disable unnecessary services such as echo, chargen, etc.
Prohibit TCP small services
Disable TCP small servers in IOS global config mode.
no service tcp-small-servers
Disable udp-small-servers
Disable unnecessary UDP services such as echo, chargen, etc.
Forbid UDP small services
Disable UDP small servers in IOS global config mode.
no service udp-small-servers
Set the buffered logging level
Set the buffered logging level to one of the appropriate
levels, Warning or higher. Log level should be set explicitly.
Check the buffered logging level
logging buffered
Data Plane Level 1
Services and settings related to the data passing through
the router (as opposed to directed to it). Basically, the
data plane is for everything not in control or mgmt planes.
Check rules related to data flow
Routing Rules
Rules in this group affect traffic forwarded through the
router, including router actions taken on receipt of
special data traffic.
Apply standard forwarding protections
IOS - no directed broadcasts
Disable IP directed broadcast on each interface.
Forbid IP directed broadcast
Disable IP directed broadcast on each interface
using IOS interface configuration mode.
interface
no ip directed-broadcast
Sample Profile No. 1
30
Sample Profile No. 1