Checklist Summary:

This guide provides technical guidance intended to help network administrators and security officers improve the security of their networks. Using the information presented here, administrators can configure their routers to control access, resist attacks, shield other network components, and protect the integrity and confidentiality of network traffic. This guide gives an in-depth view on securing Cisco-based routers. After security has been implemented on the routers itself, a section within this guide gives guidance to administrators on how to test and validate the security measures. This guide is broken into three main sections: 1) a high-level view of router security, 2) detailed instructions for locking down a router, and 3) detailed advice and direction for trying to improve the security posture of a network. This guide was developed in response to numerous questions and requests for assistance received by the NSA Systems and Network Attack Center (SNAC). The topics covered in the guide were selected on the basis of customer interest, community consensus, and the SNAC's background in securing networks. The goal for this guide is a simple one: improve the security provided by routers in U.S. Government operational networks.

Checklist Role:

• Border and Gateway Router

Known Issues:

Do not attempt to implement any of the settings in this guide without first testing in a non-operational environment. This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Care must be taken when implementing the security steps specified in this guide. Ensure that all security steps and procedures chosen from this guide are thoroughly tested and reviewed prior to imposing them on an operational network.

Target Audience:

Network administrators and network security officers are the primary audience for this configuration guide throughout the text the familiar pronoun you is used for guidance directed specifically to them. Most network administrators are responsible for managing the connections within their networks, and between their network and various other networks. Network security officers are usually responsible for selecting and deploying the assurance measures applied to their networks. For this audience, this guide provides security goals and guidance, along with specific examples of configuring Cisco routers to meet those goals. Firewall administrators are another intended audience for this guide. Often, firewalls are employed in conjunction with filtering routers the overall perimeter security of an enclave benefits when the configurations of the firewall and router are complementary. While this guide does not discuss general firewall topics in any depth, it does provide information that firewall administrators need to configure their routers to actively support their perimeter security policies. Section 5 includes information on using the firewall features of the Cisco Integrated Security facility. Information System Security Engineers (ISSEs) may also find this guide useful. Using it, an ISSE can gain greater familiarity with security services that routers can provide, and use that knowledge to incorporate routers more effectively into the secure network configurations that they design. Sections 4, 5, and 6 of this guide are designed for use with routers made by Cisco Systems, and running Cisco's IOS software. The descriptions and examples in those sections were written with the assumption that the reader is familiar with basic Cisco router operations and command syntax.

Target Operational Environment:

• Managed

Testing Information:

The security configuration guide has been extensively tested in a lab and operational environment.

Regulatory Compliance:

Not provided.

Comments/Warnings/Miscellaneous:

This document is only a guide to recommended security settings for Internet Protocol (IP) routers, particularly routers running Cisco Systems Internetwork Operating System (IOS) versions 11.3 through 12.3.

Disclaimer:

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. Security configuration guides are provided for the Department of Defense and other government agencies requiring security configuration guidelines. The guides contain recommended security settings. They are not intended to replace well-structured policy or sound judgment. The guides do not address site-specific configuration issues. Care must be taken when implementing the guides to address local operational and policy concerns. All security changes described in the guides are applicable only to specifically identified operating systems or architecture components and should not be applied to any other operating system or architecture components.

Product Support:

Not provided.

Point of Contact:

SNAC.Guides@nsa.gov

Sponsor:

Not provided.

Licensing:

Refer to the legal statement provided at: http://www.nsa.gov/notices/notic00004.cfm?Address= /snac/routers/cisco_scg-1.1b.pdf

Change History:

v1.0, 2000-09
v1.0b, 2000-10
v1.0f, 2001-03
v1.0g, 2001-04
v1.0h, 2001-08
v1.0j, 2001-11
v1.0k, 2002-03
v1.1, 2002-09
v1.1b, 2003-12-05
V1.1c, 12/15/2005
null
Changing status to UNDER REVIEW - 4/12/18
corrected reference links - 8/8/18
Updated status to Archive - 10/24/18

Dependency/Requirements:

URL	Description
http://www.ciscopress.com	At the web site of Cisco's publishing arm, you can order a wide variety of books about Cisco routers and related networking technologies.
https://support.microsoft.com/en-us	Microsoft Corporation Support homepage
https://www.sei.cmu.edu/about/divisions/cert/index.cfm	The Carnegie Mellon University Computer Emergency Response Team (CERT) maintains a web site about network vulnerabilities.

References:

Reference URL	Description

NIST checklist record last modified on 10/24/2018