draft
XCCDF Sample for Cisco IOS
This document defines a small set of rules for securing Cisco
IOS routers. The set of rules constitute a benchmark.
A benchmark usually represents an industry consensus of best
practices. It lists steps to be taken as well as rationale for
them. This particular benchmark is merely a small subset of the
rules that would be necessary for securing an IOS router.
This sample may be freely copied and used, at least for now.
This benchmark assumes that you are running IOS 11.3 or later.
NSA Router Security Configuration Guide, Version 1.1b
SANS Securing Cisco Routers Step-by-Step
Cisco IOS 12.x
Cisco Systems
IOS
12
12.0.0
12.3.10
Cisco IOS 11.3
Cisco Systems
IOS
11.3.0
11.3.99
Cisco routers
Cisco Systems
router
Cisco IOS Routers version 12+
Cisco IOS Routers version 11.x
0.12.1
IOS - line exec timeout value
The length of time that an interactive session should
be allowed to stay idle before being terminated.
Expressed in minutes.
Session exec timeout time (in minutes)
10
10
30
1
60
Management Plane Rules
Services, settings, and data streams related to\
setting up and examining the static configuration of the router, and\
the authentication and authorization of administrators/operators.
IOS 11 - no IP finger service
Disable the finger service, it can reveal information
about logged in users to unauthorized parties.
Prohibit the finger service
no service finger
IOS 12 - no IP finger service
Disable the finger service, it can reveal information
about logged in users to unauthorized parties.
Prohibit the finger service
no ip finger
Require exec session timeout on admin sessions
Configure each administrative access line to terminate idle
sessions after a fixed period of time (determined by local
policy).
Require administrative session idle timeout
If an exec session is left unattended, an unauthorized
party may join the session and execute commands with elevated
privileges. A timeout helps to reduce the likelihood of this,
by shortening the window of opportunity for an attacker.
In addition to setting a timeout, TCP keep-alives should be enabled
for incoming sessions using the command service tcp-keepalives in.
Control Plane Rules
Services, settings, and data streams that support and
document the operation, traffic handling, and dynamic status
of the router.
Check rules related to system control
Logging level for buffered logging
Logging level for buffered logging; this setting is
a severity level. Every audit message of this
severity or more (worse) will be logged.
Select a buffered logging level
informational
warning
notification
warning
notification
informational
debug
Disable tcp-small-servers
Disable unnecessary services such as echo, chargen, etc.
Prohibit TCP small services
Disable TCP small servers in IOS global config mode.
no service tcp-small-servers
Disable udp-small-servers
Disable unnecessary datagram services such as echo, chargen, etc.
Forbid UDP small services
Disable UDP small servers in IOS global config mode.
no service udp-small-servers
Set the buffered logging level
Set the buffered logging level to one of the appropriate
levels, Warning or higher. The logging level should be
set explicitly.
Check the buffered logging level
logging buffered
Data Plane Level 1
Services and settings related to the data passing through
the router (as opposed to directed to it). Basically, the
data plane is for everything not in control or management planes.
Check rules and data related to data flow
Routing Rules
Rules in this group affect traffic forwarded through the
router, including router actions taken on receipt of
special data traffic.
Apply standard forwarding protections
IOS - no directed broadcasts
Disable IP directed broadcast on each interface.
Forbid IP directed broadcast
Disable IP directed broadcast on each interface
using IOS interface configuration mode.
no ip directed-broadcast
Sample Profile No. 1
30
Sample Profile No. 2
30