
Cisco Checklist

Prepared by Krishni Naidu

References:
Securing your Internet Access Router, Richard Langley, January 2001
Remote Access Security: A layered approach, Lane Melton, November 2000
Protecting Network infrastructure at the protocol level, Curt Wilson, December 2000
Implementing and subverting Cisco's port security, David J. Kyger, July 2000
Securing your Cisco router when using SNMP, Charles Carter, December 2000
Restricting commands on a Cisco router with Privilege Levels, Peplin C. Barrameda, January 2001
Layered Security: An ISP case study with Cisco and Solaris, Rockie Brockway, October 2000
Network Insecurity with Switches, Aaron Turner, August 2000
Port Scanning is not always what it seems, Darin W. Powell, March 2001
Top ten blocking recommendations using ACLs: Securing the perimeter with Cisco IOS 12 Routers, Scott Winters, August 2000

Introduction

This checklist is to be used to audit an environment that includes Cisco routers. The checklist provides the technical security considerations during an audit and excludes manual considerations such as physical security.

The checklist excludes the security considerations for Cisco switches.

Prior to using this checklist, consideration should be given to the following:

Location of the router: It is important to ascertain the location of the router in the network, as this has an impact on certain security elements, e.g. disabling the SSL service is not appropriate when the router is routing traffic to an external web server.

Practicality of security recommendations: The checklist lists numerous security considerations which may not be practical, as they could hinder the performance of the network. It is important to ascertain the risk attached to not having certain security elements and whether management has decided to accept the risk of not having them.

Mitigating controls: The audit of Cisco routers cannot be performed in a vacuum. The auditor needs to consider the impact of security in other elements, e.g. firewalls, host operating systems, etc. A weakness in security at the router level may be mitigated by a strong control at the firewall level, e.g. filtering out ports other than 80, 23, etc.

Interoperability: In circumstances where the router uses the functionality of other elements in the environment, e.g. a syslog server to log events from Cisco routers or an SNMP management station, the auditor must review the security over those other elements. This checklist does not provide the security considerations for these other elements.

Applicability of security considerations: This checklist attempts to provide a complete listing of all security elements to consider during an audit of a Cisco router; however, in some environments certain elements may not be applicable, e.g. in a Windows environment it is not necessary to be concerned about filtering out rlogin or ssh services.

Network servers: This checklist does not include security considerations for the operating system running TACACS or RADIUS.

Nice to haves: The checklist attempts to provide security considerations which may be nice to have but may not be applicable to the environment and the circumstances in which the router is used.

Page 1 of 6

Checklist

No.  Control Item

1.   Ensure that all maintenance on the router is done while logged on locally.
     Ensure that inbound Telnet is disabled as well as the Telnet listener.
     If Telnet is used to maintain the router, ensure that access is granted only to specific workstations on the internal network side of the router.
     Ensure that all maintenance services that would allow access from outside the network are disabled or restricted.

2.   Ensure that passwords are used where possible.
     Ensure that the service password-encryption command is used on all type 7 passwords.
     Ensure that MD5 encryption is used on the Privileged EXEC Mode password (enable secret command).
     Ensure that the service password-encryption command is enabled so that when passwords are displayed with the more system:running-config command, they appear in encrypted form.
     Ensure that an EXEC password is added to the AUX and Console ports.
     Ensure that the RIP and OSPF protocols on the Internet interface are stopped, both inbound and outbound.
     Ensure that CDP is disabled on all interfaces.
     Ensure that a login banner is enabled with the appropriate legal notice (banner login command). Ensure that the banner contains no information about the router: its name, model, the software it is running, or who owns it.
     Ensure that SNMP is disabled if possible.
     Ensure that any modem or network device that gives access to the console port is secured. For a modem, the user should have to provide a password for dial-up access.
     Ensure that the transport input none command is applied to any asynchronous or modem line that shouldn't be receiving connections from network users.
     Ensure that the same modem is not used for both dial-in and dial-out and that reverse Telnet connections are not allowed on dial-in lines.
     For VTY lines, ensure that they are configured to accept connections only with the protocols actually needed. If encryption is supported, ensure that only the SSH protocol is used.
     Ensure that the ip access-class command is used to restrict the IPs from which the VTYs will accept connections.
     Ensure that one VTY's ip access-class is restricted to only one administrative workstation, to prevent DoS attacks.
     Ensure that the VTY timeouts are configured using the exec-timeout command.
     Ensure that TCP keepalives on incoming connections are enabled (service tcp-keepalives-in command) to guard against malicious attacks and orphaned sessions.
     Ensure that all non-IP-based remote access protocols are disabled and that IPSec is used for remote connections to the router.
     For routers that support CEF (Cisco Express Forwarding), ensure that the RPF (Reverse Path Forwarding) check is enabled (ip verify unicast reverse-path). This prevents spoofing by checking the source address of a packet against the interface through which the packet entered the router.


No.  Control Item

3.   TACACS (Terminal Access Controller Access Control System)
     Ensure that non-privileged access passwords are stored on the TACACS server.
     Ensure that only authorised IPs of TACACS daemons are specified in the tacacs-server host command.
     If the enable use-tacacs command is used, ensure that it is used with extended TACACS. Without extended TACACS, the enable use-tacacs command allows anyone with a valid username and password to access privileged EXEC mode.
     Ensure that the login tacacs command is enabled, to enable password checking at login.
     Ensure that the tacacs-server notify command is configured to send a message when a user:
       - makes a TCP connection
       - enters the enable command
       - logs out
     Ensure that the tacacs-server attempts command is configured to accept three attempted logins on a line set up for TACACS.
     Ensure that extended TACACS is enabled (tacacs-server extended command).

4.   Ensure that the following services are blocked:

     Service                                       Port Type    Port Number
     DNS Zone Transfers (except from external      TCP          53
       secondary DNS servers)
     TFTP Daemon                                   UDP          69
     Link                                          TCP          87
     SUN RPC                                       TCP & UDP    111
     BSD UNIX                                      TCP          512-514
     LPD                                           TCP          515
     UUCPD                                         TCP          540
     Open Windows                                  TCP & UDP    2000
     NFS                                           TCP & UDP    2049
     X Windows                                     TCP & UDP    6000-6255
     Small services                                TCP & UDP    20 and below
     FTP                                           TCP          21
     SSH                                           TCP          22
     Telnet                                        TCP          23
     SMTP (except external mail relays)            TCP          25
     NTP                                           TCP & UDP    37
     Finger                                        TCP          79
     HTTP (except to external web servers)         TCP          80
     POP                                           TCP          109 & 110
     NNTP                                          TCP          119
     NTP                                           TCP          123
     NetBIOS in Windows NT                         TCP & UDP    135
     NetBIOS in Windows NT                         UDP          137 & 138
     NetBIOS                                       TCP          139
     IMAP                                          TCP          143
     SNMP                                          TCP          161 & 162
     SNMP                                          UDP          161 & 162
     BGP                                           TCP          179
     LDAP                                          TCP & UDP    389
     SSL (except to external web servers)          TCP          443
     NetBIOS in Win2k                              TCP & UDP    445
     Syslog                                        UDP          514
     SOCKS                                         TCP          1080
     Cisco AUX port                                TCP          2001
     Cisco AUX port (stream)                       TCP          4001
     Lockd (Linux DoS vulnerability)               TCP & UDP    4045
     Cisco AUX port (binary)                       TCP          6001
     Common high order HTTP ports                  TCP          8000, 8080, 8888

5.   Ensure that the following types of ICMP traffic on the Internet interface are blocked:
       - incoming echo request (ping and Windows traceroute)
       - outgoing echo replies
       - time exceeded
       - unreachable messages
       - ICMP redirects

6.   Ensure that inbound packets on the internal interface having a source address of the internal network, 127.0.0.x or reserved address spaces are dropped and logged.
     Ensure that outbound packets on the internal interface have a source address of only the internal network, and that packets with a source address of 127.0.0.x or a reserved address are dropped and logged.
     Ensure that IP source routing is disabled.
     Ensure that requests for IP directed broadcast at all interfaces of all routers are dropped and logged (no ip directed-broadcast command).

7.   Ensure that NTP is configured to allow updates from internal time servers only.
     Ensure that NTP is disabled on the Internet interface, inbound and outbound.

8.   Determine how often port scanners are used to ascertain unneeded open ports.
     Ascertain if there is a process to use packet sniffers to determine what packets make it through the ACLs.
     Ascertain if tools to detect anomalous behaviour are used (such as Jinao, fdget.c and Agilent Advisor).
     Ascertain if weaknesses are regularly determined using tools like ISS network scanner. Determine what action is taken to fix the vulnerabilities.

9.   SNMP
     Ensure that SNMP version 2 is in use for the stronger MD5 digest authentication scheme.
     Ensure that community string names such as public and private are not used.
     Ensure that there is a process to periodically change the passwords for the community strings.
     Ascertain if the SNMP brute force attack tool from SolarWinds or a similar tool is used regularly to test the strength of the strings.
     Ensure that only authorised management hosts are allowed to access SNMP-enabled routers (access list).
     Ensure that SNMP traps are enabled and that the router is configured to send a trap if the authentication of the community string fails, as well as which host should be sent the trap.
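Items 4, 5 and 6 are all checked on the router by reading its access lists, which is error-prone by eye once a list runs to dozens of entries. The following Python script is an added example and is not part of the original checklist or of any Cisco tool: it parses numbered extended-ACL lines in the subset of IOS syntax shown (permit/deny, ip/tcp/udp/icmp, any/host/wildcard addresses, eq/range ports, an ICMP type keyword, log) and then simulates IOS first-match evaluation for probe packets built from the checklist: a few of the services in the item 4 table, inbound echo requests and redirects from item 5, and spoofed 10/8 and 127/8 sources from item 6. The ACL text and all addresses are constructed for the example (RFC 5737 documentation ranges); any keyword outside the parsed subset raises an error rather than being silently accepted.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple

# Constructed sample ACL for this example; not taken from any real device.
SAMPLE_ACL = """\
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny   icmp any any echo
access-list 101 deny   icmp any any redirect
access-list 101 deny   tcp any any eq 23 log
access-list 101 deny   tcp any any range 512 514 log
access-list 101 deny   udp any any eq 69 log
access-list 101 permit tcp any host 203.0.113.10 eq 80
access-list 101 permit ip any any
"""

ICMP_TYPES = {"echo", "echo-reply", "redirect", "time-exceeded", "unreachable"}


class Entry(NamedTuple):
    action: str
    proto: str
    src: Tuple[int, int]               # (network, wildcard) as integers
    sport: Optional[Tuple[int, int]]   # inclusive port range, or None = any
    dst: Tuple[int, int]
    dport: Optional[Tuple[int, int]]
    icmp_type: Optional[str]


def _addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' from the front of the token list."""
    t = tokens.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)
    if t == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return (int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0))))


def _ports(tokens):
    """Consume an optional 'eq P' or 'range A B' qualifier."""
    if tokens and tokens[0] == "eq":
        p = int(tokens[1]); del tokens[:2]
        return (p, p)
    if tokens and tokens[0] == "range":
        lo, hi = int(tokens[1]), int(tokens[2]); del tokens[:3]
        return (lo, hi)
    return None


def parse_acl(text):
    """Parse numbered extended-ACL lines; unknown keywords raise ValueError."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        _, _number, action, proto, *rest = tokens
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line}")
        src, sport = _addr(rest), _ports(rest)   # evaluated left to right
        dst, dport = _addr(rest), _ports(rest)
        icmp_type = None
        for extra in rest:
            if extra in ICMP_TYPES:
                icmp_type = extra
            elif extra not in ("log", "log-input"):
                raise ValueError(f"unsupported keyword {extra!r} in: {line}")
        entries.append(Entry(action, proto, src, sport, dst, dport, icmp_type))
    return entries


def _addr_match(addr, spec):
    net, wild = spec                      # wildcard bit set = "don't care"
    return (addr & ~wild) == (net & ~wild)


def _port_match(port, spec):
    return spec is None or (port is not None and spec[0] <= port <= spec[1])


def evaluate(entries, proto, src, dst, dport=None, sport=None, icmp_type=None):
    """Action of the first matching entry; IOS applies an implicit deny at the end."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if not (_addr_match(s, e.src) and _addr_match(d, e.dst)):
            continue
        if not (_port_match(sport, e.sport) and _port_match(dport, e.dport)):
            continue
        if e.icmp_type is not None and e.icmp_type != icmp_type:
            continue
        return e.action
    return "deny"


OUTSIDE, INSIDE = "198.51.100.7", "192.0.2.1"   # constructed RFC 5737 addresses
CHECKS = [  # (name, probe) pairs drawn from checklist items 4, 5 and 6
    ("Telnet tcp/23", dict(proto="tcp", src=OUTSIDE, dst=INSIDE, dport=23)),
    ("BSD r-services tcp/513", dict(proto="tcp", src=OUTSIDE, dst=INSIDE, dport=513)),
    ("TFTP udp/69", dict(proto="udp", src=OUTSIDE, dst=INSIDE, dport=69)),
    ("SNMP udp/161", dict(proto="udp", src=OUTSIDE, dst=INSIDE, dport=161)),
    ("inbound echo request", dict(proto="icmp", src=OUTSIDE, dst=INSIDE, icmp_type="echo")),
    ("ICMP redirect", dict(proto="icmp", src=OUTSIDE, dst=INSIDE, icmp_type="redirect")),
    ("spoofed 10/8 source", dict(proto="tcp", src="10.1.2.3", dst=INSIDE, dport=80)),
    ("spoofed 127/8 source", dict(proto="tcp", src="127.0.0.1", dst=INSIDE, dport=80)),
]


def audit(acl_text, checks=CHECKS):
    """Names of the checks whose probe packet is NOT denied by the ACL."""
    entries = parse_acl(acl_text)
    return [name for name, probe in checks if evaluate(entries, **probe) != "deny"]


if __name__ == "__main__":
    print("not blocked:", audit(SAMPLE_ACL))
```

On the constructed ACL the only gap reported is SNMP udp/161, which falls through to the trailing permit ip any any; the spoofed-source and ICMP probes hit explicit denies. Extending CHECKS with the full item 4 table turns the checklist table into a repeatable test, and the same probe list can be re-run after every ACL change (item 18).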

Page 4 of 6

No.  Control Item

10.  Ensure that commands on the router are restricted to the correct privilege level.
11.  Ensure that TCP intercept is enabled (ip tcp intercept list command).
12.  Ensure that a network IDS is in use, such as Cisco Secure IDS or RealSecure.
13.  Determine the amount of processing power of the router and ensure that this is appropriate.
14.  Ensure that logging is enabled on the router. Since there may not be sufficient space to log on the router, ideally the log information should be logged to a syslog server. If this is not possible for the network, ensure that an IDS or sniffer is used to log traffic.
     Ensure that log entries are timestamped using service timestamps log datetime msec.
     Ensure that access list logging is enabled.
15.  Ensure that return SSH traffic is allowed.
16.  If FTP is necessary, ensure that passive FTP outgoing traffic is allowed.
17.  CBAC (Context-Based Access Control)
     Use the show ip inspect interfaces command to display the inspection rules and access lists. Review the rules and access lists to ensure that the following are configured:
       - Java inspection
       - Application protocol inspection: Unix R commands, ftp, tftp
       - TCP/UDP inspection
     Ensure that the inspection rules have been applied to the appropriate interfaces.
     Ensure that the access lists permit traffic only from friendly sites and deny traffic from hostile sites.
     Ensure that the audit trail is enabled (ip inspect audit-trail).
18.  Ensure that there is a process to test any filters using tools like nmap prior to rolling out to the whole environment.
19.  If DNS is necessary, ensure that DNS traffic is only allowed to the DNS server. Ensure that only DNS responses are leaving the screened subnet.
20.  If HTTP is necessary, ensure that HTTP traffic is allowed only to the web server.
21.  HTTP for management
     Ensure that access is restricted using the ip http access-class command to only authorised addresses.
     Ensure that a TACACS+ or RADIUS server is used for authentication of interactive logins.
22.  Management and interactive access via untrusted networks
     Ensure that encrypted protocols like SSH or Kerberized Telnet are used for login. Alternatively, ensure that IPSec is used for all router management traffic, or ensure that a one-time password system like S/Key or OPIE with TACACS+ or RADIUS servers is used to control interactive and privileged access to the router.
     Ensure that an alternative management channel, such as a modem, is available in the event of a DoS attack.
23.  Updates
     Ascertain if there is a process to test and roll out new updates to Cisco software, as well as a process to keep up to date with new vulnerabilities and notices and to take corrective action if necessary.
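Many of the controls above are single lines in the running configuration: the password and VTY settings of item 2, source routing and directed broadcast in item 6, community strings in item 9, logging and timestamps in item 14, and the HTTP access class in item 21. The following Python script is an added example, not part of the original checklist and not a Cisco tool: it splits a saved show running-config into global lines and indented interface/line sections, then reports which of those controls are absent. The configuration is constructed for the example (RFC 5737 addresses, placeholder secrets, a one-line banner); real configurations spread banners over several lines and omit some defaults, so a finding here is a prompt to look, not a verdict.

```python
import re

# Constructed sample configuration for this example; secrets are placeholders.
SAMPLE_CONFIG = """\
version 12.1
service timestamps log datetime msec
service password-encryption
hostname rtr-edge
enable secret 5 $1$PLACEHOLDER$notarealhash
no ip source-route
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
 no ip proxy-arp
interface Serial0/0
 ip address 198.51.100.2 255.255.255.252
 ip verify unicast reverse-path
snmp-server community public RO
snmp-server community s3cretROstring RO 20
ip http server
logging 192.0.2.50
banner login ^C Authorised access only ^C
line con 0
 password 7 00PLACEHOLDER
line aux 0
 password 7 00PLACEHOLDER
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 transport input telnet ssh
"""

# (prefix of a required global line, checklist item it comes from)
REQUIRED_GLOBALS = [
    ("service password-encryption", "item 2"),
    ("enable secret", "item 2"),
    ("no cdp run", "item 2"),
    ("banner login", "item 2"),
    ("service tcp-keepalives-in", "item 2"),
    ("no ip source-route", "item 6"),
    ("service timestamps log datetime msec", "item 14"),
]


def parse_sections(config):
    """Return (global lines, [(section header, [child lines])]) for an IOS config.

    Section headers ('interface ...', 'line ...') sit at column 0 and their
    children are indented by one space, which is how IOS writes them.
    """
    globals_, sections, current = [], [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] in " \t":
            if current is not None:
                current[1].append(raw.strip())
            continue
        current = None
        line = raw.rstrip()
        if re.match(r"^(interface|line) ", line):
            current = (line, [])
            sections.append(current)
        else:
            globals_.append(line)
    return globals_, sections


def audit_config(config):
    """List the checklist controls that the configuration does not show."""
    globals_, sections = parse_sections(config)
    findings = []
    has_global = lambda prefix: any(g.startswith(prefix) for g in globals_)
    for prefix, item in REQUIRED_GLOBALS:
        if not has_global(prefix):
            findings.append(f"{prefix} missing ({item})")
    if not any(re.match(r"logging( host)? \d", g) for g in globals_):
        findings.append("logging host missing (item 14)")
    for g in globals_:
        if g.startswith("snmp-server community "):
            tokens = g.split()
            name, rest = tokens[2], tokens[3:]
            if name.lower() in ("public", "private"):
                findings.append(f"snmp-server community '{name}': well-known string (item 9)")
            if not [t for t in rest if t not in ("RO", "RW")]:   # nothing after RO/RW = no ACL
                findings.append(f"snmp-server community '{name}': no access list (item 9)")
    if has_global("ip http server") and not has_global("ip http access-class"):
        findings.append("ip http server enabled without ip http access-class (item 21)")
    for header, children in sections:
        if header.startswith("interface "):
            for needed, item in (("no ip directed-broadcast", "item 6"),
                                 ("ip verify unicast reverse-path", "item 2")):
                if needed not in children:
                    findings.append(f"{header}: {needed} missing ({item})")
        elif header.startswith(("line con", "line aux")):
            if not any(c.startswith("password ") for c in children):
                findings.append(f"{header}: password missing (item 2)")
        elif header.startswith("line vty"):
            for needed in ("access-class ", "exec-timeout "):
                if not any(c.startswith(needed) for c in children):
                    findings.append(f"{header}: {needed.strip()} missing (item 2)")
            transport = [c for c in children if c.startswith("transport input ")]
            if not transport or transport[0] != "transport input ssh":
                findings.append(f"{header}: transport input is not ssh-only (item 2)")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

The RPF check is reported for every interface although the checklist only wants it on the Internet-facing side; the auditor decides which interfaces the finding applies to, which is the "Location of the router" point from the introduction.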


No.  Control Item

24.  AAA
     Ensure that an authentication banner has been configured for AAA (aaa authentication banner command).
     Ensure that the network access server is configured to request authorisation information before allowing a user to establish a reverse Telnet session (aaa authorization reverse-access {radius | tacacs+} command).
     Ensure that accounting has been enabled to log network, EXEC, commands, connection and system events. Ascertain how often the show accounting command is used to review the accounting information.
25.  Transit flooding
     At a minimum, ensure that the following quality of service features are used:
       - weighted fair queueing (WFQ)
       - committed access rate (CAR)
       - generalised traffic shaping (GTS)
26.  Router flooding
     Ensure that CEF is enabled.
     Ensure that the scheduler interval is set to 500 or, alternatively on newer platforms, that scheduler allocate is set to 30000 2000. This prevents the router from spending too much time handling interrupts from network interfaces and getting no other work done.
27.  Neighbour authentication
     Ensure that MD5 authentication is used to authenticate the neighbour router prior to receiving routing table updates.
     Ensure that there is appropriate security for the keys, e.g. during transit and storage.
28.  Internet Key Exchange
     Review the policy with the following command: show crypto isakmp policy
     For higher-risk communications, ensure that the stronger settings are applied as follows:
       - Hash algorithm: SHA-1
       - Authentication method: RSA signatures
       - Diffie-Hellman group identifier: 1024 bit
       - Security association lifetime: 1 day (86400 seconds); the shorter the lifetime, the more secure the communications
29.  Ensure that the no ip proxy-arp command is configured to prevent internal addresses from being revealed.
30.  Encryption
     Use the show crypto cisco algorithms command to determine the type of DES algorithm that is in use. Ensure that the insecure 40-bit variations are not used.
     Ensure that a backup of the encryption configuration is made.
31.  Certificate Authority
     Ensure that crl optional is not configured (no crl optional), so that certificates are not accepted if the CA is unavailable.
     Ensure that the copy system:running-config nvram:startup-config command is performed to save the configuration.
     Determine how often the crypto ca crl request command is run to download the latest certificate revocation list.

