
24/4/2018 Gold Standard Benchmark For Cisco IOS Routers. Gold Standard Benchmark version 3.0.

Center for Internet Security


Benchmark Summary
For Cisco IOS Routers
Version 3.0.1
Introduction
This file lists rules that were used by the Router Assessment Tool, a free tool for checking security configurations of Cisco IOS routers published
by The Center for Internet Security (CIS).

This file is automatically generated each time the Router Assessment Tool is run and may reflect local configuration of the rules.

For a full description of the rules defined by the CIS benchmark, see the benchmark document which is distributed with the Router Assessment
Tool.

Document Info
This document was generated by lgarcia at Wed Mar 14 14:14:05 2018 GMT using the following config files:

C:\CIS\RAT/etc/configs/cisco-default/common.conf
C:\CIS\RAT/etc/configs/cisco-default/cis-level-1.conf
C:\CIS\RAT/etc/configs/cisco-default/cis-level-2.conf

The Benchmark Summary


CIS Level 1

Full Name CIS Level 1


description CIS Level 1 Config Class is the root for all Level 1 configurations.
question Apply some or all of CIS level 1 rules?

1.1 - Management Plane Level 1

Full Name CIS Level 1:1.1 - Management Plane Level 1
description Services, settings, and data streams related to setting up and examining the static configuration of the router, and the authentication and authorization of router administrators. Examples of management plane services include: administrative telnet or ssh, SNMP, TFTP for image file upload, and security protocols like RADIUS and TACACS+.
question Check rules and data related to system management?

1.1.1 - Local AAA Rules

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.1 - Local AAA Rules
description Rules in the Local AAA Rules Configuration class implement local authentication. Only one set of authentication rules (local, TACACS+) may be selected.
question Use local authentication?

1.1.1.1 - Require AAA Service

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.1 - Local AAA Rules:1.1.1.1 - Require AAA Service
description Verify centralized authentication, authorization and accounting (AAA) service (new-model) is enabled.
question Globally enable authentication, authorization and accounting (AAA) using new-model command?
fix router(config)# aaa new-model
warning Be sure that local users are created and an enable secret is set before applying this rule.
reason Authentication, authorization and accounting (AAA) systems provide an authoritative source for managing and monitoring access for devices. Centralizing control improves consistency of access control, the services that may be accessed once authenticated and accountability by tracking services accessed. Additionally, centralizing access control simplifies and reduces administrative costs of account provisioning and de-provisioning, especially when managing a large number of devices.
discussion Cisco IOS Security Configuration Guide: Securing User Services, Release 15.0, Cisco IOS Security Command Reference, Release 15.0, and NSA Router Security Configuration Guide.
type Required
match aaa new-model

1.1.1.2 - Require AAA Authentication for Login

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.1 - Local AAA Rules:1.1.1.2 - Require AAA Authentication for Login
description Verify authentication, authorization and accounting (AAA) method(s) configuration for case-sensitive, local user login authentication.
question Configure AAA authentication method(s) for login authentication?
fix router(config)# aaa authentication login $(AAA_LIST_NAME) local
reason Authentication, authorization and accounting (AAA) systems provide an authoritative source for managing and monitoring access for devices. Centralizing control improves consistency of access control, the services that may be accessed once authenticated and accountability by tracking services accessed. Additionally, centralizing access control simplifies and reduces administrative costs of account provisioning and de-provisioning, especially when managing a large number of devices.
discussion Cisco IOS Security Configuration Guide: Securing User Services, Release 15.0, Cisco IOS Security Command Reference, Release 15.0, and NSA Router Security Configuration Guide.
type Required
match aaa authentication login $(AAA_LIST_NAME) local

1.1.1.1 - Require AAA Service

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.1 - Local AAA Rules:1.1.1.2 - Require AAA Authentication for Login:1.1.1.1 - Require AAA Service
description Verify centralized authentication, authorization and accounting (AAA) service (new-model) is enabled.
question Globally enable authentication, authorization and accounting (AAA) using new-model command?
fix router(config)# aaa new-model
warning Be sure that local users are created and an enable secret is set before applying this rule.
reason Authentication, authorization and accounting (AAA) systems provide an authoritative source for managing and monitoring access for devices. Centralizing control improves consistency of access control, the services that may be accessed once authenticated and accountability by tracking services accessed. Additionally, centralizing access control simplifies and reduces administrative costs of account provisioning and de-provisioning, especially when managing a large number of devices.
discussion Cisco IOS Security Configuration Guide: Securing User Services, Release 15.0, Cisco IOS Security Command Reference, Release 15.0, and NSA Router Security Configuration Guide.
type Required
match aaa new-model

1.1.1.3 - Require AAA Authentication for Enable Mode

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.1 - Local AAA Rules:1.1.1.3 - Require AAA Authentication for Enable Mode
description Verify authentication, authorization and accounting (AAA) method(s) for enable mode authentication.
question Configure AAA authentication method(s) for enable authentication?
fix router(config)# aaa authentication enable $(AAA_LIST_NAME) enable
reason Authentication, authorization and accounting (AAA) systems provide an authoritative source for managing and monitoring access for devices. Centralizing control improves consistency of access control, the services that may be accessed once authenticated and accountability by tracking services accessed. Additionally, centralizing access control simplifies and reduces administrative costs of account provisioning and de-provisioning, especially when managing a large number of devices.
discussion Cisco IOS Security Command Reference and NSA Router Security Configuration Guide
type Required
match aaa authentication enable default \S+ enable

1.1.1.1 - Require AAA Service

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.1 - Local AAA Rules:1.1.1.3 - Require AAA Authentication for Enable Mode:1.1.1.1 - Require AAA Service
description Verify centralized authentication, authorization and accounting (AAA) service (new-model) is enabled.
question Globally enable authentication, authorization and accounting (AAA) using new-model command?
fix router(config)# aaa new-model
warning Be sure that local users are created and an enable secret is set before applying this rule.
reason Authentication, authorization and accounting (AAA) systems provide an authoritative source for managing and monitoring access for devices. Centralizing control improves consistency of access control, the services that may be accessed once authenticated and accountability by tracking services accessed. Additionally, centralizing access control simplifies and reduces administrative costs of account provisioning and de-provisioning, especially when managing a large number of devices.
discussion Cisco IOS Security Configuration Guide: Securing User Services, Release 15.0, Cisco IOS Security Command Reference, Release 15.0, and NSA Router Security Configuration Guide.
type Required
match aaa new-model

1.1.1.4 - Require AAA Authentication for Local Console and VTY Lines

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.1 - Local AAA Rules:1.1.1.4 - Require AAA Authentication for Local Console and VTY Lines
description Verify configurations for all management lines require login using the default or a named authentication, authorization and accounting (AAA) method list. If selected, this rule applies for both local and network AAA.
question Configure management lines to require login using the default or a named AAA authentication list?
fix router(config)# line { aux | console | tty | vty } { line-number } [ ending-line-number ]
    router(config-line)# login authentication { default | aaa_list_name }
warning "Only the default method list is automatically applied to all interfaces except those that have a named method list explicitly defined. A defined method list overrides the default method list." (Cisco IOS Security Guide v12.3)
reason Using AAA authentication for line access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA. If a named AAA authentication list, other than default, is required then authentication must be configured explicitly on each IOS line.
discussion Cisco IOS Security Command Reference, NSA Router Security Configuration Guide, and Cisco AutoSecure
type Required
match login authentication (default|$(AAA_LIST_NAME))

1.1.1.1 - Require AAA Service

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.1 - Local AAA Rules:1.1.1.4 - Require AAA Authentication for Local Console and VTY Lines:1.1.1.1 - Require AAA Service
description Verify centralized authentication, authorization and accounting (AAA) service (new-model) is enabled.
question Globally enable authentication, authorization and accounting (AAA) using new-model command?
fix router(config)# aaa new-model
warning Be sure that local users are created and an enable secret is set before applying this rule.
reason Authentication, authorization and accounting (AAA) systems provide an authoritative source for managing and monitoring access for devices. Centralizing control improves consistency of access control, the services that may be accessed once authenticated and accountability by tracking services accessed. Additionally, centralizing access control simplifies and reduces administrative costs of account provisioning and de-provisioning, especially when managing a large number of devices.
discussion Cisco IOS Security Configuration Guide: Securing User Services, Release 15.0, Cisco IOS Security Command Reference, Release 15.0, and NSA Router Security Configuration Guide.
type Required
match aaa new-model

1.1.2 - Access Rules

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.2 - Access Rules
description Apply standard checks to control access to the router.
question Apply standard checks to control access to the router?

1.1.2.1 - Require Privilege Level 1 for Local Users

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.2 - Access Rules:1.1.2.1 - Require Privilege Level 1 for Local Users
description Verify all locally defined users are set to the lowest level of permissions possible.
question Create a local user with an encrypted, complex (not easily guessed) password?
fix hostname(config)#username {username} privilege 1
reason Default device configuration does not require strong user authentication, potentially enabling unfettered access to an attacker that is able to reach the device. Creating a local account with privilege level 1 permissions only allows the local user to access the device with EXEC-level permissions; the user will be unable to modify the device without using the enable password. In addition, require the use of an encrypted password as well (see Section 1.1.4.4 - Require Encrypted User Passwords).
discussion Center for Internet Security Gold Standard Benchmark for Cisco IOS Version 2.1, and NSA Router Security Configuration Guide.
type Required
match username \S+ privilege 1

1.1.2.2 - Require VTY Transport SSH

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.2 - Access Rules:1.1.2.2 - Require VTY Transport SSH
description Verify secure shell (SSH) access is configured on all vty management lines.
question Apply VTY transport SSH on all management lines?
fix router(config)# line { tty | vty } { line-number } [ ending-line-number ]
    router(config-line)# transport input ssh
reason Configuring VTY access control restricts remote access to only those authorized to manage the device and prevents unauthorized users from accessing the system.
discussion Cisco IOS Terminal Services Command Reference Release 15.0 and NSA Router Security Configuration Guide
type Required
match transport input ssh

1.1.2.3 - Require Timeout for Login Sessions

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.2 - Access Rules:1.1.2.3 - Require Timeout for Login Sessions
description Verify device is configured to automatically disconnect sessions after a fixed idle time.
question Configure device timeout (10 minutes) to disconnect sessions after a fixed idle time?
fix router(config)# line {aux | console | tty | vty} {line-number} [ending-line-number]
    router(config-line)# exec-timeout {timeout_in_minutes} [ timeout_in_seconds ]
reason This prevents unauthorized users from misusing abandoned sessions, for example when an administrator goes on vacation and leaves an enabled login session active on a desktop system. There is a trade-off here between security (shorter timeouts) and usability (longer timeouts). Check your local policies and operational needs to determine the best value. In most cases, this should be no more than 10 minutes.
discussion Cisco IOS Security Command Reference, Release 15.0M, NSA Router Security Configuration Guide, and Cisco AutoSecure
type Required
match exec-timeout $(EXEC_TIMEOUT)

EXEC_TIMEOUT

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.2 - Access Rules:1.1.2.3 - Require Timeout for Login Sessions:EXEC_TIMEOUT
description Timeout values (minutes and seconds) for interactive sessions.
question Exec timeout value?
howtoget Choose timeout values (minutes and seconds).
defaultvalue 10 0

1.1.2.4 - Forbid Auxiliary Port

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.2 - Access Rules:1.1.2.4 - Forbid Auxiliary Port
description Verify that the EXEC process is disabled on the auxiliary (aux) port.
question Disable exec on the auxiliary port?
fix router(config)# line aux 0
    router(config-line)# no exec
    router(config-line)# transport input none
reason Unused ports should be disabled, if not required, since they provide a potential access path for attackers. Some devices include both an auxiliary and console port that can be used to locally connect to and configure the device. The console port is normally the primary port used to configure the device, even when remote backup administration is required via a console server or Keyboard, Video, Mouse (KVM) hardware. The auxiliary port is primarily used for dial-up administration via an external modem, which is rarely used.
discussion NSA Router Security Configuration Guide
type Required
match no exec$
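The line-level rules above (1.1.1.4 login authentication, 1.1.2.2 transport input ssh, 1.1.2.3 exec-timeout and 1.1.2.4 no exec on the aux port) all depend on which commands sit under each `line` stanza, while the 1.1.1.1 warning about locking yourself out depends on commands outside any stanza. The following Python script is an added example, not code from the CIS benchmark or the Router Assessment Tool: it parses a constructed running-config into `line` stanzas and evaluates those checks per line. The config, the `check_lines` and `lockout_risk` functions, and the placeholder hash values are all constructed for this example; an absent `exec-timeout` or `transport input` is reported as a finding rather than assuming any IOS default.

```python
"""Per-line management checks over a Cisco IOS running-config.

Added example (not CIS or RAT code). The config below is constructed; the
hash values are placeholders, not real secrets.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: con 0 compliant, aux 0 disabled, vty 0 4 deliberately
# non-compliant (30 minute idle timeout, telnet still accepted).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
enable secret 5 $1$PLACEHOLDER$placeholderhash
username admin privilege 1 secret 5 $1$PLACEHOLDER$placeholderhash
!
line con 0
 exec-timeout 10 0
 login authentication default
line aux 0
 no exec
 transport input none
line vty 0 4
 exec-timeout 30 0
 transport input telnet ssh
 login authentication default
!
"""

MAX_IDLE_SECONDS = 10 * 60  # the benchmark's EXEC_TIMEOUT default of "10 0"


def parse_line_stanzas(config: str) -> Dict[str, List[str]]:
    """Group the indented commands under each 'line <type> <range>' header."""
    stanzas: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # any non-indented command ends the stanza
    return stanzas


def exec_timeout_seconds(cmds: List[str]) -> Optional[int]:
    """Configured idle timeout in seconds; None if absent, -1 if '0 0' (never)."""
    for cmd in cmds:
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", cmd)
        if m:
            total = int(m.group(1)) * 60 + int(m.group(2) or 0)
            return -1 if total == 0 else total
    return None


def lockout_risk(config: str) -> bool:
    """The 1.1.1.1 warning: 'aaa new-model' with no local user or no enable secret."""
    lines = [l.strip() for l in config.splitlines()]
    has_new_model = "aaa new-model" in lines
    has_user = any(l.startswith("username ") for l in lines)
    has_secret = any(l.startswith("enable secret ") for l in lines)
    return has_new_model and not (has_user and has_secret)


def check_lines(config: str, aaa_list_name: str = "default") -> List[str]:
    """Return one finding per violated line-level rule (empty list = compliant)."""
    findings: List[str] = []
    login_re = re.compile(rf"^login authentication (default|{re.escape(aaa_list_name)})$")
    for header, cmds in parse_line_stanzas(config).items():
        if header.startswith("line aux") and "no exec" not in cmds:
            findings.append(f"{header}: EXEC still enabled on the auxiliary port (1.1.2.4)")
        if "no exec" in cmds:
            continue  # nothing can log in here, so the remaining checks do not apply
        if not any(login_re.match(c) for c in cmds):
            findings.append(f"{header}: no 'login authentication default|{aaa_list_name}' (1.1.1.4)")
        if header.startswith("line vty"):
            transport = next((c for c in cmds if c.startswith("transport input")), None)
            if transport != "transport input ssh":
                findings.append(f"{header}: {transport or 'transport input not set'} (1.1.2.2)")
        secs = exec_timeout_seconds(cmds)
        if secs is None:
            detail = "not set"
        elif secs < 0:
            detail = "disabled (0 0)"
        elif secs > MAX_IDLE_SECONDS:
            detail = f"{secs}s exceeds {MAX_IDLE_SECONDS}s"
        else:
            detail = ""
        if detail:
            findings.append(f"{header}: exec-timeout {detail} (1.1.2.3)")
    return findings


if __name__ == "__main__":
    for finding in check_lines(SAMPLE_CONFIG):
        print(finding)
    print("lockout risk:", lockout_risk(SAMPLE_CONFIG))
```

Run against the sample, only the vty stanza produces findings (telnet still in `transport input`, and an 1800 second idle timeout above the 600 second benchmark default); the aux stanza is skipped entirely once `no exec` is seen, since the remaining line checks only matter where a login is possible.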

1.1.2.5 - Require VTY ACL

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.2 - Access Rules:1.1.2.5 - Require VTY ACL
description Verify that the required VTY access control list (ACL) exists to restrict inbound management sessions for all VTY lines.
question Configure the VTY ACL that will be used to restrict management access to the device?
fix router(config)#access-list {vty_acl_number} permit {vty_acl_block_with_mask} any
    router(config)#access-list {vty_acl_number} deny any log
reason VTY ACLs control what addresses may attempt to log in to your router. Configuring VTY lines to use an ACL restricts the sources a user can manage the device from. You should limit the specific host(s) and/or network(s) authorized to connect to and configure the device, via an approved protocol, to those individuals or systems authorized to administer the device. For example, you could limit access to specific hosts, so that your network managers can configure the devices only by using specific network management workstations. Make sure you configure all VTY lines to use the same ACL.
discussion Cisco IOS Security Command Reference, Release 15.0M and NSA Router Security Configuration Guide
type Required
match access-list $(VTY_ACL_NUMBER) permit $(VTY_ACL_BLOCK_WITH_MASK)
      access-list $(VTY_ACL_NUMBER) deny any log

VTY_ACL_BLOCK_WITH_MASK

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.2 - Access Rules:1.1.2.5 - Require VTY ACL:VTY_ACL_BLOCK_WITH_MASK
description The IP address and netmask for the hosts permitted to connect via telnet or ssh to the router.
question Address block and mask for administrative hosts?
howtoget Choose an address block that is allowed to access the router.
defaultvalue 192.168.1.0 0.0.0.255

VTY_ACL_NUMBER

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.2 - Access Rules:1.1.2.5 - Require VTY ACL:VTY_ACL_NUMBER
description The number of the IP access list used to protect the VTY lines (telnet or ssh).
question Specify ACL number to be used for telnet or ssh?
howtoget Choose an ACL number between 100 and 199.
defaultvalue 182

1.1.2.6 - Require VTY ACL

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.2 - Access Rules:1.1.2.6 - Require VTY ACL
description Verify that management access to the device is restricted to appropriate management subnets.
question Configure remote management access control restrictions for all VTY lines?
fix router(config)#access-list {vty_acl_number} permit {vty_acl_block_with_mask} any
    router(config)#access-list {vty_acl_number} deny any log
reason Configuring access control to restrict remote access to those systems authorized to manage the device prevents unauthorized users from accessing the system.
discussion Cisco IOS Security Command Reference, Release 15.0M and NSA Router Security Configuration Guide
type Required
match access-list $(VTY_ACL_NUMBER) permit $(VTY_ACL_BLOCK_WITH_MASK)
      access-list $(VTY_ACL_NUMBER) deny any log

VTY_ACL_BLOCK_WITH_MASK

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.2 - Access Rules:1.1.2.6 - Require VTY ACL:VTY_ACL_BLOCK_WITH_MASK
description The IP address and netmask for the hosts permitted to connect via telnet or ssh to the router.
question Address block and mask for administrative hosts?
howtoget Choose an address block that is allowed to access the router.
defaultvalue 192.168.1.0 0.0.0.255

VTY_ACL_NUMBER

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.2 - Access Rules:1.1.2.6 - Require VTY ACL:VTY_ACL_NUMBER
description The number of the IP access list used to protect the VTY lines (telnet or ssh).
question Specify ACL number to be used for telnet or ssh?
howtoget Choose an ACL number between 100 and 199.
defaultvalue 182
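Rules 1.1.2.5 and 1.1.2.6 only test that the permit and deny-any-log entries exist as text; whether the list actually admits the administrative block and nothing else is a question of wildcard-mask arithmetic, and whether it takes effect depends on a vty line applying it with `access-class`. The following Python script is an added example, not code from the benchmark or the Router Assessment Tool: it parses the numbered access list from a constructed config, evaluates candidate source addresses against the wildcard masks the way IOS does (a wildcard bit of 1 means "don't care", first match wins, implicit deny at the end), and reports the benchmark's two structural checks plus the `access-class` binding. One caveat the page does not spell out: numbered lists 100 to 199, the range the benchmark asks for, are extended ACLs in IOS and take a protocol keyword, so the parser accepts both the standard form and the `permit ip ... any` form. The `parse_acl`, `acl_permits` and `check_vty_acl` functions and the sample config are constructed for this example.

```python
"""VTY access-list check with wildcard-mask evaluation (rules 1.1.2.5 / 1.1.2.6).

Added example, not CIS or RAT code. The config below is constructed.
"""
import ipaddress
from typing import List, Tuple

VTY_ACL_NUMBER = 182                               # benchmark default value
VTY_ACL_BLOCK_WITH_MASK = "192.168.1.0 0.0.0.255"  # benchmark default value

# Constructed sample in the extended form that a 100-199 numbered list takes.
SAMPLE_CONFIG = """\
access-list 182 permit ip 192.168.1.0 0.0.0.255 any
access-list 182 deny ip any any log
line vty 0 4
 access-class 182 in
 transport input ssh
"""

ALL_ONES = 0xFFFFFFFF
Entry = Tuple[str, int, int, bool]  # (action, source network, wildcard, log flag)


def _source_spec(args: List[str]) -> Tuple[int, int]:
    """Decode 'any', 'host A.B.C.D' or 'A.B.C.D [W.X.Y.Z]' into (network, wildcard)."""
    if args[0] == "any":
        return 0, ALL_ONES
    if args[0] == "host":
        return int(ipaddress.IPv4Address(args[1])), 0
    net = int(ipaddress.IPv4Address(args[0]))
    wc = int(ipaddress.IPv4Address(args[1])) if len(args) > 1 else 0
    return net, wc


def parse_acl(config: str, number: int) -> List[Entry]:
    """Return the entries of one numbered access list in configuration order."""
    entries: List[Entry] = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[:2] != ["access-list", str(number)]:
            continue
        action, args = tokens[2], tokens[3:]
        log = args[-1] == "log"
        if log:
            args = args[:-1]
        if args[0] in ("ip", "tcp", "udp"):  # extended form: skip the protocol keyword
            args = args[1:]
        net, wc = _source_spec(args)          # destination (if any) is ignored here
        entries.append((action, net, wc, log))
    return entries


def acl_permits(entries: List[Entry], source: str) -> bool:
    """First matching entry wins; a source matching nothing hits the implicit deny."""
    src = int(ipaddress.IPv4Address(source))
    for action, net, wc, _ in entries:
        care = ALL_ONES ^ wc  # bits we compare: wildcard 0 = must match
        if (src & care) == (net & care):
            return action == "permit"
    return False


def check_vty_acl(config: str, number: int, block_with_mask: str) -> List[str]:
    """Findings: admin block permitted, list ends with 'deny any log', list is applied."""
    entries = parse_acl(config, number)
    if not entries:
        return [f"access-list {number} is not defined"]
    findings: List[str] = []
    addr, wild = block_with_mask.split()
    wanted = ("permit", int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild)))
    if not any(e[:3] == wanted for e in entries):
        findings.append(f"access-list {number} does not permit {block_with_mask}")
    last = entries[-1]
    if last[:3] != ("deny", 0, ALL_ONES) or not last[3]:
        findings.append(f"access-list {number} does not end with 'deny any log'")
    stripped = [l.strip() for l in config.splitlines()]
    if f"access-class {number} in" not in stripped:
        findings.append(f"no line applies 'access-class {number} in'")
    return findings


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_CONFIG, VTY_ACL_NUMBER)
    for probe in ("192.168.1.77", "192.168.2.1"):
        print(probe, "permitted" if acl_permits(acl, probe) else "denied")
    print(check_vty_acl(SAMPLE_CONFIG, VTY_ACL_NUMBER, VTY_ACL_BLOCK_WITH_MASK) or "compliant")
```

The wildcard comparison is the part worth internalising: `0.0.0.255` means the last octet is ignored, so `192.168.1.77` matches the permit entry while `192.168.2.1` falls through to the logged deny. A list that permits the right block but lacks the explicit `deny any log` still denies everything else (implicit deny), but the benchmark requires the explicit entry so that rejected attempts are logged.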

1.1.3 - Banner Rules

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.3 - Banner Rules
description Verify an authorized EXEC banner is defined.
question Configure legal banners?

1.1.3.1 - Require EXEC Banner

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.3 - Banner Rules:1.1.3.1 - Require EXEC Banner
description Verify an authorized EXEC banner is defined.
question Configure the exec banner presented to a user when accessing the device's enable prompt?
fix router(config)# banner exec { banner-text }
reason Presentation of an EXEC banner occurs before displaying the enable prompt, after starting an EXEC process, normally after displaying the message of the day and login banners and after the user logs into the device. "Network banners are electronic messages that provide notice of legal rights to users of computer networks. From a legal standpoint, banners have four primary functions. 1. Banners may eliminate any Fourth Amendment 'reasonable expectation of privacy' that government employees or other users might otherwise retain in their use of networks. 2. Banners may be used to generate consent to real-time monitoring under Title III. 3. Banners may be used to generate consent to the retrieval of stored files and records pursuant to the SCA. 4. In the case of a non-government network, banners may establish the network owner's common authority to consent to a law enforcement search."
discussion Cisco IOS Security Command Reference, Release 15.0M and NSA Router Security Configuration Guide.
type Required
match ^banner exec \S+

1.1.3.2 - Require Login Banner

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.3 - Banner Rules:1.1.3.2 - Require Login Banner
description Verify an authorized login banner is defined.
question Configure the login banner presented to a user attempting to access the device?
fix router(config)# banner login { banner-text }
reason Presentation of a login banner, to a user attempting to access the device, occurs before the display of login prompts and usually appears after the message of the day banner. "Network banners are electronic messages that provide notice of legal rights to users of computer networks. From a legal standpoint, banners have four primary functions. 1. Banners may eliminate any Fourth Amendment 'reasonable expectation of privacy' that government employees or other users might otherwise retain in their use of networks. 2. Banners may be used to generate consent to real-time monitoring under Title III. 3. Banners may be used to generate consent to the retrieval of stored files and records pursuant to the SCA. 4. In the case of a non-government network, banners may establish the network owner's common authority to consent to a law enforcement search."
discussion Cisco IOS Security Command Reference, Release 15.0M and NSA Router Security Configuration Guide
type Required
match ^banner login \S+

1.1.3.3 - Require MOTD Banner

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.3 - Banner Rules:1.1.3.3 - Require MOTD Banner
description Verify an authorized message of the day (MOTD) banner is defined.
question Configure the message of the day (MOTD) banner presented when a user first connects to the device?
fix router(config)# banner motd { banner-text }
reason Presentation of a MOTD banner occurs when a user first connects to the device, normally before displaying the login banner and login prompts. "Network banners are electronic messages that provide notice of legal rights to users of computer networks. From a legal standpoint, banners have four primary functions. 1. Banners may eliminate any Fourth Amendment 'reasonable expectation of privacy' that government employees or other users might otherwise retain in their use of networks. 2. Banners may be used to generate consent to real-time monitoring under Title III. 3. Banners may be used to generate consent to the retrieval of stored files and records pursuant to the SCA. 4. In the case of a non-government network, banners may establish the network owner's common authority to consent to a law enforcement search."
discussion Cisco IOS Security Command Reference, Release 15.0M and NSA Router Security Configuration Guide
type Required
match ^banner motd \S+

1.1.4 - Password Rules

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.4 - Password Rules
description Rules in the password class enforce secure, local device authentication credentials.
question Enforce secure, local device authentication credentials?

1.1.4.1 - Require Enable Secret

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.4 - Password Rules:1.1.4.1 - Require Enable Secret
description Verify an enable secret password is defined using strong encryption to protect access to privileged EXEC mode (enable mode) which is used to configure the device.
question Configure a strong enable secret password?
fix ! This fix is commented out because you have to supply a sensitive value.
    ! To apply this rule, uncomment (remove the leading "!" on the commands below)
    ! and replace "ENABLE SECRET" with the value you have chosen.
    ! Do not use "ENABLE SECRET".
    !
    ! hostname(config)#enable secret {ENABLE_SECRET}
warning This should be different from line passwords, local username passwords or SNMP community strings. If passwords are written, be sure to properly secure the written copies.
reason Requiring an enable secret setting protects privileged EXEC mode. By default, a strong password is not required; a user can just press the Enter key at the Password prompt to start privileged mode. The enable password command causes the device to enforce use of a password to access privileged mode. Enable secrets use a strong, one-way cryptographic hash (MD5). This is preferred to enable passwords, which use a weak, well-known and reversible encryption algorithm.
discussion Cisco IOS Security Command Reference, Release 15.0M and NSA Router Security Configuration Guide
type Required
match ^enable secret \d \S+

1.1.4.2 - Require Password Encryption Service

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.4 - Password Rules:1.1.4.2 - Require Password Encryption Service
description Verify encryption of passwords in device configuration is enabled.
question Enable password encryption service to protect sensitive access passwords in the device configuration?
fix hostname(config)#service password-encryption
reason This requires passwords to be encrypted in the configuration file to prevent unauthorized users from learning the passwords by reading the configuration. If this service is not enabled then many of the device's passwords will be rendered in plain text in its configuration file. This service ensures passwords are rendered as encrypted strings, preventing an attacker from easily determining the configured value.
discussion Cisco IOS Security Command Reference, Release 15.0M, NSA Router Security Configuration Guide, Cisco Guide to Harden Cisco IOS Devices, and Cisco AutoSecure
type Required
match ^service password-encryption

1.1.4.3 - Require Encrypted Line Passwords

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.4 - Password Rules:1.1.4.3 - Require Encrypted Line Passwords
description Verify an access password with strong encryption is configured on all management lines / VTY.
question Configure each line with a strong, encrypted password?
fix ! This fix is commented out because you have to supply a sensitive value.
    ! To apply this rule, uncomment (remove the leading "!" on the commands below)
    ! and replace "LINE PASSWORD" with the value you have chosen.
    ! Do not use "LINE PASSWORD". Instead, choose a value that is longer
    ! than seven characters, and contains upper- and lower-case letters,
    ! digits, and punctuation.
    !
    ! hostname(config)# line {aux | console | tty | vty} {line-number} [ending-line-number]
    ! hostname(config-line)#password LINE_PASSWORD
reason This requires a password to be set on each line. Note that, given the use of local usernames (level 1) or TACACS+ (level 2), line passwords will not be used for authentication. They are included here as a fail-safe to ensure that some password is required for access to the router in case other AAA options are not configured. Low quality passwords are easily guessed, possibly providing unauthorized access to the router.
discussion Cisco IOS Security Command Reference, Release 15.0M and NSA Router Security Configuration Guide
type Required
match password 7 \S+

1.1.4.4 - Require Encrypted User Passwords

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.4 - Password Rules:1.1.4.4 - Require Encrypted User Passwords
description Default device configuration does not require strong user authentication, potentially enabling unfettered access to an attacker that is able to reach the device. Creating a local account with an encrypted password enforces login authentication and provides a fallback authentication mechanism for configuration in a named method list in a situation where centralized authentication, authorization, and accounting services are unavailable.
question Create a local user with an encrypted, complex (not easily guessed) password?
fix ! This fix is commented out because you have to supply a sensitive value.
    ! To apply this rule, uncomment (remove the leading "!" on the commands below)
    ! and replace "LOCAL_PASSWORD" with the value you have chosen.
    ! Do not use "LOCAL_PASSWORD". Instead, choose a value that is longer
    ! than seven characters, and contains upper- and lower-case letters,
    ! digits, and punctuation.
    !
    ! hostname(config)#username { LOCAL_USERNAME } password { LOCAL_PASSWORD }
    !
    ! Use the following syntax for versions after 12.0(18)S, 12.1(8a)E, 12.2(8)T
    !
    ! hostname(config)#username { LOCAL_USERNAME } secret { LOCAL_PASSWORD }
discussion Cisco IOS Security Command Reference, Release 15.0M and NSA Router Security Configuration Guide
type Required
match user.*(privilege \d+|secret 5|password 7) \S+
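The password rules 1.1.4.1 to 1.1.4.4, together with 1.1.2.1, all hinge on the type number that precedes a credential value in the configuration: `enable password` and `password 7` values use the reversible encoding that `service password-encryption` applies (the "weak, well-known and reversible" algorithm named in 1.1.4.1), while `enable secret` and `username ... secret` values are one-way hashes (type 5 being the MD5 form the page describes). The following Python script is an added example, not code from the benchmark or the Router Assessment Tool: it classifies every credential line in a constructed config by that type and reports the settings these rules consider weak or missing. The `audit_credentials` function, its regular expressions and the placeholder hash and type-7 values are constructed for this example, not real secrets.

```python
"""Credential checks for rules 1.1.2.1 and 1.1.4.1 to 1.1.4.4.

Added example, not CIS or RAT code. Values in the sample are placeholders.
"""
import re
from typing import List

# Constructed sample: one compliant user, one legacy user with a reversible
# type-7 password and privilege 15, and a type-7 line password on the vty lines.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$PLACEHOLDER$placeholderhash
username ops privilege 1 secret 5 $1$PLACEHOLDER$placeholderhash
username legacy privilege 15 password 7 00PLACEHOLDER00
line vty 0 4
 password 7 00PLACEHOLDER00
 login authentication default
"""

# The benchmark's own 1.1.4.1 match is ^enable secret \d \S+ ; these mirror it.
ENABLE_SECRET_RE = re.compile(r"^enable secret (\d) \S+$")
USERNAME_RE = re.compile(r"^username (\S+)(?: privilege (\d+))? (secret|password)(?: (\d))? \S+$")
LINE_PASSWORD_RE = re.compile(r"^password(?: (\d))? \S+$")


def audit_credentials(config: str) -> List[str]:
    """Return one finding per weak or missing credential setting (empty = compliant)."""
    lines = [l.strip() for l in config.splitlines()]
    findings: List[str] = []
    # 1.1.4.2: without this, line and username passwords sit in the config as type 0.
    if "service password-encryption" not in lines:
        findings.append("service password-encryption is not enabled (1.1.4.2)")
    # 1.1.4.1: privileged EXEC must be protected by a hashed enable secret.
    if not any(ENABLE_SECRET_RE.match(l) for l in lines):
        findings.append("no 'enable secret' configured (1.1.4.1)")
    if any(l.startswith("enable password ") for l in lines):
        findings.append("'enable password' present; its encoding is reversible, use 'enable secret' (1.1.4.1)")
    for l in lines:
        m = USERNAME_RE.match(l)
        if m:
            user, priv, kind, ptype = m.groups()
            # 1.1.2.1: the benchmark match requires an explicit 'privilege 1'.
            if priv != "1":
                findings.append(f"username {user}: privilege is not explicitly 1 (1.1.2.1)")
            # 1.1.4.4: 'password' (type 0 or 7) is not a one-way hash; 'secret' is.
            if kind == "password":
                shown = f"password {ptype}" if ptype else "password (clear text)"
                findings.append(f"username {user}: '{shown}' is not a one-way hash; use 'secret' (1.1.4.4)")
            continue
        # 1.1.4.3: line passwords must at least be stored as type 7, never clear text.
        m = LINE_PASSWORD_RE.match(l)
        if m and m.group(1) != "7":
            findings.append("line password is not stored as type 7 (1.1.4.3)")
    return findings


if __name__ == "__main__":
    for finding in audit_credentials(SAMPLE_CONFIG) or ["compliant"]:
        print(finding)
```

Note the asymmetry the page itself carries: rule 1.1.4.3 accepts a type-7 line password as "encrypted", while 1.1.4.4's fix steers newer IOS releases to `username ... secret`; the audit follows that by accepting type 7 on lines but flagging it on user accounts.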

1.1.5 - SNMP Rules


Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.5 - SNMP Rules
description Rules in the simple network management protocol (SNMP) class enforce secure network management and monitoring of the device.
question Apply standard SNMP checks?

1.1.5.1 - Forbid SNMP Read and Write Access

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.5 - SNMP Rules:1.1.5.1 - Forbid SNMP Read and Write Access
description If not in use, disable simple network management protocol (SNMP) read and write access.
question Disable SNMP read and write access if not used to monitor and/or manage the device?
fix hostname(config)#no snmp-server
reason SNMP read access allows remote monitoring and management of the device.
discussion Cisco IOS Network Management Command Reference, Release 15.0M, NSA Router Security Configuration Guide, and Cisco Guide to Harden Cisco IOS Devices
type Forbidden
match snmp-server community.*

1.1.5.2 - Forbid SNMP Community String private

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.5 - SNMP Rules:1.1.5.2 - Forbid SNMP Community String private
description Verify configuration does not contain default simple network management protocol (SNMP) community strings. The configuration cannot include snmp-server community commands with prohibited community strings.
question Disable the default SNMP community string "private"?
fix hostname(config)#no snmp-server community {private}
reason The default community string "private" is well known. Using an easy to guess, well known community string poses a threat that an attacker can effortlessly gain unauthorized access to the device.
discussion Cisco IOS Network Management Command Reference, Release 15.0M, NSA Router Security Configuration Guide, and Cisco Guide to Harden Cisco IOS Devices
type Forbidden
match snmp-server community private

1.1.5.3 - Forbid SNMP Community String public

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.5 - SNMP Rules:1.1.5.3 - Forbid SNMP Community String public
description Verify the configuration does not contain default simple network management protocol (SNMP) community strings. The configuration cannot include snmp-server community commands with prohibited community strings.
question Disable default or prohibited SNMP community strings?
fix hostname(config)#no snmp-server community {public}
reason The default community string "public" is well known. Using an easy to guess, well known community string poses a threat that an attacker can effortlessly gain unauthorized access to the device.
discussion Cisco IOS Network Management Command Reference, Release 15.0M, NSA Router Security Configuration Guide, and Cisco Guide to Harden Cisco IOS Devices
type Forbidden
match snmp-server community public

1.1.5.4 - Forbid SNMP Write Access

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.5 - SNMP Rules:1.1.5.4 - Forbid SNMP Write Access
description Unless absolutely necessary, verify the device does not allow simple network management protocol (SNMP) write access.
question Disable SNMP read and write access if not in use to monitor and/or manage the device?
fix hostname(config)#no snmp-server community {write_community_string}
reason Enabling SNMP read-write enables remote (mis)management of the device.

discussion Center for Internet Security Gold Standard Benchmark for Cisco IOS Version 2.1, NSA Router Security Configuration Guide, Improving Security on Cisco Routers; Cisco IOS Network Management Command Reference, Release 15.0M, NSA Router Security Configuration Guide, and Cisco Guide to Harden Cisco IOS Devices
type Forbidden
match snmp-server community.*RW

1.1.5.5 - Forbid SNMP without ACL

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.5 - SNMP Rules:1.1.5.5 - Forbid SNMP without ACL
description Verify all simple network management protocol (SNMP) access is restricted using an access control list (ACL).
question Configure an authorized SNMP community string and restrict access to authorized management systems?
fix hostname(config)#snmp-server community {community_string} {ro | rw} {snmp_access-list_number}
reason If ACLs are not applied, then anyone with a valid SNMP community string can potentially monitor and manage the router. An ACL should be defined and applied for all SNMP access to limit access to a small number of authorized management stations segmented in a trusted management zone.
discussion Cisco IOS Network Management Command Reference, Release 15.0M, NSA Router Security Configuration Guide, and Cisco Guide to Harden Cisco IOS Devices
type Forbidden
match snmp-server community.*(RW|RO)$

SNMP_ACL_NUMBER

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.5 - SNMP Rules:1.1.5.5 - Forbid SNMP without ACL:SNMP_ACL_NUMBER
description The number of the IP access list used to protect the SNMP access.
question Specify ACL number to be used for filtering SNMP requests?
howtoget Choose an ACL number between 1 and 99
defaultvalue 99

1.1.5.6 - Require a Defined SNMP ACL

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.5 - SNMP Rules:1.1.5.6 - Require a Defined SNMP ACL
description Verify a defined simple network management protocol (SNMP) access control list (ACL) exists with rules for restricting SNMP access to the device.
question Configure an SNMP ACL restricting access to the device to authorized management stations segmented in a trusted management zone?
fix hostname(config)#access-list {snmp_access-list_number} permit {snmp_access-list}
    hostname(config)#access-list {snmp_access-list_number} deny any log
reason SNMP ACLs control what addresses are authorized to manage and monitor the device via SNMP. If ACLs are not applied, then anyone with a valid SNMP community string may monitor and manage the router. An ACL should be defined and applied for all SNMP community strings to limit access to a small number of authorized management stations segmented in a trusted management zone.
discussion Cisco IOS Network Management Command Reference, Release 15.0M, NSA Router Security Configuration Guide, and Cisco Guide to Harden Cisco IOS Devices
type Required
match access-list $(SNMP_ACL_NUMBER) permit $(SNMP_ACL_BLOCK_WITH_MASK)
      access-list $(SNMP_ACL_NUMBER) deny any log

SNMP_ACL_BLOCK_WITH_MASK

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.5 - SNMP Rules:1.1.5.6 - Require a Defined SNMP ACL:SNMP_ACL_BLOCK_WITH_MASK
description The IP address and netmask for the hosts permitted to connect via SNMP.
question Address block and mask for SNMP access?
howtoget Choose an address block in which all permitted SNMP monitoring systems exist.
defaultvalue 192.168.1.0 0.0.0.255

SNMP_ACL_NUMBER

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.5 - SNMP Rules:1.1.5.6 - Require a Defined SNMP ACL:SNMP_ACL_NUMBER
description The number of the IP access list used to protect the SNMP access.
question Specify ACL number to be used for filtering SNMP requests?
howtoget Choose an ACL number between 1 and 99
defaultvalue 99

1.1.5.7 - Forbid SNMP Traps

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.5 - SNMP Rules:1.1.5.7 - Forbid SNMP Traps
description Verify the device is not configured to send SNMP traps.
question Disable SNMP traps?
fix hostname(config)#no snmp-server enable traps [notification-type]
reason SNMP has the ability to submit traps.
discussion Cisco IOS Network Management Command Reference, Release 15.0M, NSA Router Security Configuration Guide, and Cisco Guide to Harden Cisco IOS Devices
type Required
match no snmp-server enable traps \S+

1.1.5.8 - Require SNMP Trap Server When Using SNMP

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.5 - SNMP Rules:1.1.5.8 - Require SNMP Trap Server When Using SNMP
description Verify the device is configured to submit SNMP traps only to authorized systems required to manage the device.
question Configure an authorized SNMP trap community string and restrict sending messages to authorized management systems?
fix hostname(config)#snmp-server host {ip_address} {trap_community_string} snmp
reason If SNMP is enabled for device management and device alerts are required, then ensure the device is configured to submit traps to authorized management systems.
discussion Cisco IOS Network Management Command Reference, Release 15.0M, NSA Router Security Configuration Guide, and Cisco Guide to Harden Cisco IOS Devices
type Required
match snmp-server host \S+

1.1.5.9 - Allow SNMP Traps on When SNMP Trap Server Defined

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.5 - SNMP Rules:1.1.5.9 - Allow SNMP Traps on When SNMP Trap Server Defined
description Verify the device is not configured to send SNMP traps.
question Disable SNMP traps?
fix snmp-server enable traps snmp authentication linkup linkdown coldstart
reason SNMP has the ability to submit traps.
discussion Cisco IOS Network Management Command Reference, Release 15.0M
type Required
match snmp-server enable traps snmp authentication linkup linkdown coldstart

1.1.5.10 - Require Group for SNMPv3 Access

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.5 - SNMP Rules:1.1.5.10 - Require Group for SNMPv3 Access
description Do not allow plaintext SNMPv3 access.
question For each SNMPv3 group created on your router, add privacy options by issuing the following command?
fix hostname(config)#snmp-server group {group_name} v3 priv
reason SNMPv3 provides much improved security over previous versions by offering options for authentication and encryption of messages. When configuring a user for SNMPv3 you have the option of using a range of encryption schemes, or no encryption at all, to protect messages in transit. AES128 is the minimum strength encryption method that should be deployed.
discussion Cisco IOS Network Management Command Reference, Release 15.0M, NSA Router Security Configuration Guide, and Cisco Guide to Harden Cisco IOS Devices
type Required
match snmp-server group \S+ v3 priv

1.1.5.11 - Require AES128 or Better Encryption for SNMPv3 Access

Full Name CIS Level 1:1.1 - Management Plane Level 1:1.1.5 - SNMP Rules:1.1.5.11 - Require AES128 or Better Encryption for SNMPv3 Access
description Do not allow plaintext SNMPv3 access.
question For each SNMPv3 user created on your router, add privacy options by issuing the following command?
fix hostname(config)#snmp-server user {user_name} {group_name} v3 auth sha {auth_password} priv aes 256 {priv_password}
reason SNMPv3 provides much improved security over previous versions by offering options for authentication and encryption of messages. When configuring a user for SNMPv3 you have the option of using a range of encryption schemes, or no encryption at all, to protect messages in transit. AES128 is the minimum strength encryption method that should be deployed.
discussion Cisco IOS Network Management Command Reference, Release 15.0M, NSA Router Security Configuration Guide, and Cisco Guide to Harden Cisco IOS Devices
type Required
match snmp-server user \S+ v3 auth sha \S+ priv aes 256 \S+

1.2 - Control Plane

Full Name CIS Level 1:1.2 - Control Plane
description Services, settings, and data streams that support and document the operation, traffic handling, and dynamic status of the router. Examples of control plane services include: logging (e.g. Syslog), routing protocols, status protocols like CDP and HSRP, network topology protocols like STP, and traffic security control protocols like IKE. Network control protocols like ICMP, NTP, ARP, and IGMP directed to or sent by the router itself also fall into this area.
question Check rules and data related to system control?

1.2.1 - Clock Rules

Full Name CIS Level 1:1.2 - Control Plane:1.2.1 - Clock Rules
description Use GMT for logging, etc. Not compatible with localtime. This should be selected if you manage devices in several timezones.
question Use GMT for logging instead of localtime?

1.2.1.1 - Require Clock Timezone - UTC

Full Name CIS Level 1:1.2 - Control Plane:1.2.1 - Clock Rules:1.2.1.1 - Require Clock Timezone - UTC
description Verify the timezone for the device clock is explicitly configured to coordinated universal time (UTC).
question Configure the device's clock time zone to coordinated universal time (UTC) explicitly?
fix hostname(config)#clock timezone UTC 0
warning If you manage devices in more than one timezone, consider using UTC.
reason Configuring devices with a universal time zone eliminates difficulty troubleshooting issues across different time zones and correlating time stamps for disparate log files across multiple devices. Set the clock to UTC 0 (no offset) to aid in root cause analysis of attacks and network issues.
discussion Cisco IOS Network Management Command Reference, Release 15.0M, NSA Router Security Configuration Guide, and Cisco Guide to Harden Cisco IOS Devices
type Required
match clock timezone UTC 0

1.2.1.2 - Forbid Daylight Savings Time Clock Adjustments

Full Name CIS Level 1:1.2 - Control Plane:1.2.1 - Clock Rules:1.2.1.2 - Forbid Daylight Savings Time Clock Adjustments
description Verify the clock is not configured to adjust the device clock for daylight saving time.
question Disable clock summer-time adjustments?
fix hostname(config)#no clock summer-time
reason The difficulty of troubleshooting and correlating issues across different time zones increases if the time stamps of individual logs need to be adjusted for summer time clock settings. Timestamp adjustments can lead to errors when correlating logs across multiple devices. Employ coordinated universal time (UTC) instead of local timezones and do not use summer-time (daylight saving) clock adjustments.
discussion Cisco IOS Network Management Command Reference, Release 15.0M, NSA Router Security Configuration Guide, and Cisco Guide to Harden Cisco IOS Devices
type Forbidden
match clock summer-time

1.2.1.3.1 - Setup Local Time Zone

Full Name CIS Level 1:1.2 - Control Plane:1.2.1 - Clock Rules:1.2.1.3.1 - Setup Local Time Zone
description Verify the clock is configured for the local time zone.
question Configure the local time zone?
fix hostname(config)#clock timezone [- ]hours [minutes]
reason Only configure daylight savings time if your organization's policy requires configuring devices for localtime. Timezone and daylight savings adjustment settings should be consistent across all devices to eliminate difficulty troubleshooting issues and correlating time stamps for disparate log files across multiple devices.
discussion Cisco IOS Network Management Command Reference, Release 15.0M
type Forbidden
match clock timezone \S+

1.2.1.3.2 - Set Daylight Savings Dates

Full Name CIS Level 1:1.2 - Control Plane:1.2.1 - Clock Rules:1.2.1.3.2 - Set Daylight Savings Dates
description Verify the clock is configured for the appropriate daylight savings dates for the local time zone.
question Configure the appropriate daylight savings dates for the local time zone?
fix hostname(config)#clock summer-time zone date {day month | month day} year hh:mm {day month | month day} year hh:mm [offset]
reason Only configure daylight savings time if your organization's policy requires configuring devices for localtime. Timezone and daylight savings adjustment settings should be consistent across all devices to eliminate difficulty troubleshooting issues and correlating time stamps for disparate log files across multiple devices.
discussion Cisco IOS Network Management Command Reference, Release 15.0M
type Forbidden
match clock summer-time \S+ date \S+

1.2.1.3.3 - Set Daylight Savings Recurrence

Full Name CIS Level 1:1.2 - Control Plane:1.2.1 - Clock Rules:1.2.1.3.3 - Set Daylight Savings Recurrence
description Verify the clock is configured for the appropriate daylight savings recurrence for the local time zone.
question Configure the appropriate daylight savings recurrence for the local time zone?
fix hostname(config)#clock summer-time zone recurring week weekday month hh:mm week weekday month hh:mm [offset]
reason Only configure daylight savings time if your organization's policy requires configuring devices for localtime. Timezone and daylight savings adjustment settings should be consistent across all devices to eliminate difficulty troubleshooting issues and correlating time stamps for disparate log files across multiple devices.
discussion Cisco IOS Network Management Command Reference, Release 15.0M
type Forbidden
match clock summer-time \S+ recurring \S+

1.2.2 - Global Service Rules

Full Name CIS Level 1:1.2 - Control Plane:1.2.2 - Global Service Rules
description Disable unneeded control services.
question Disable unneeded control services?

1.2.2.1.1.1 - Configure the Host Name

Full Name CIS Level 1:1.2 - Control Plane:1.2.2 - Global Service Rules:1.2.2.1.1.1 - Configure the Host Name
description Configure the router's host name.
question The host name is a prerequisite for setting up SSH?
fix hostname(config)#hostname [router_name]
reason SSH provides administrators with a remote console session on the router in a similar fashion to Telnet. Unlike Telnet, SSH encrypts all data as it transits the network and ensures the identity of the remote host. Due to this extra protection, all remote console sessions should use SSH.
discussion Cisco IOS Network Management Command Reference, Release 15.0M
type Required
match hostname \S+

1.2.2.1.1.2 - Configure the Domain Name

Full Name CIS Level 1:1.2 - Control Plane:1.2.2 - Global Service Rules:1.2.2.1.1.2 - Configure the Domain Name
description Configure the router's domain name.
question Configure an appropriate domain name for the router?
fix hostname(config)#ip domain name [domain_name]
reason SSH provides administrators with a remote console session on the router in a similar fashion to Telnet. Unlike Telnet, SSH encrypts all data as it transits the network and ensures the identity of the remote host. Due to this extra protection, all remote console sessions should use SSH.
discussion Cisco IOS Network Management Command Reference, Release 15.0M
type Required
match ip domain name \S+

1.2.2.1.1.3 - Generate the RSA Key Pair

Full Name CIS Level 1:1.2 - Control Plane:1.2.2 - Global Service Rules:1.2.2.1.1.3 - Generate the RSA Key Pair
description Generate an RSA key pair.
question Generate an RSA key pair for the router?
fix crypto key generate rsa general-keys modulus {2048}
reason SSH provides administrators with a remote console session on the router in a similar fashion to Telnet. Unlike Telnet, SSH encrypts all data as it transits the network and ensures the identity of the remote host. Due to this extra protection, all remote console sessions should use SSH.
discussion Cisco IOS Network Management Command Reference, Release 15.0M
type Required
match crypto key \S+

1.2.2.1.1.4 - Generate the SSH Timeout

Full Name CIS Level 1:1.2 - Control Plane:1.2.2 - Global Service Rules:1.2.2.1.1.4 - Generate the SSH Timeout
description Verify that an idle timeout has been configured for SSH sessions.
question Configure the SSH timeout?
fix hostname(config)#ip ssh timeout [60]
reason This reduces the risk of an administrator leaving an authenticated session logged in for an extended period of time.
discussion Cisco IOS Network Management Command Reference, Release 15.0M
type Required
match ip ssh timeout \S+

1.2.2.1.1.5 - Limit the Number of SSH Authentication Tries

Full Name CIS Level 1:1.2 - Control Plane:1.2.2 - Global Service Rules:1.2.2.1.1.5 - Limit the Number of SSH Authentication Tries
description Verify the device is configured to limit the number of SSH authentication attempts.
question Configure SSH authentication retries?
fix hostname(config)#ip ssh authentication-retries [3]
reason This limits the number of times an unauthorized user can attempt a password without having to establish a new SSH login attempt.
discussion Cisco IOS Network Management Command Reference, Release 15.0M
type Required
match ip ssh authentication-retries \S+

1.2.2.1.2 - Require SSH version 2

Full Name CIS Level 1:1.2 - Control Plane:1.2.2 - Global Service Rules:1.2.2.1.2 - Require SSH version 2
description Verify the device is configured to limit the number of SSH authentication attempts.
question Configure the router to use SSH version 2?
fix hostname(config)#ip ssh version 2
reason SSH Version 1 has been subject to a number of serious vulnerabilities and is no longer considered to be a secure protocol, resulting in the adoption of SSH Version 2 as an Internet Standard in 2006. Cisco routers support both versions, but due to the weakness of SSH Version 1 only the later standard should be used.
discussion Cisco IOS Network Management Command Reference, Release 15.0M
type Required
match ip ssh version 2

1.2.2.2 - Forbid CDP Run Globally

Full Name CIS Level 1:1.2 - Control Plane:1.2.2 - Global Service Rules:1.2.2.2 - Forbid CDP Run Globally
description Disable Cisco Discovery Protocol (CDP) service at device level.
question Disable Cisco Discovery Protocol (CDP) service globally?
fix hostname(config)#no cdp run
reason The Cisco Discovery Protocol is a proprietary protocol that Cisco devices use to identify each other on a LAN segment. It is useful only in specialized situations, and is considered a security risk. There have been published denial-of-service (DoS) attacks that use CDP. CDP should be completely disabled unless there is a need for it.
discussion NSA Router Security Configuration Guide, Cisco IOS Network Management Command Reference, Release 15.0M, Cisco Guide to Harden Cisco IOS Devices, and Cisco AutoSecure
type Required
match no cdp run

1.2.2.3 - Forbid Finger Service - IOS 12.1,2,3,4

Full Name CIS Level 1:1.2 - Control Plane:1.2.2 - Global Service Rules:1.2.2.3 - Forbid Finger Service - IOS 12.1,2,3,4
description Disable finger server.
question Disable finger server (on IOS 12.1,2,3,4)?
fix hostname(config)#no service finger
reason Finger is used to find out which users are logged into a device. This service is rarely used in practical environments and can potentially provide an attacker with useful information. Additionally, the finger service can expose the device to the Finger of Death denial-of-service (DoS) attack. From Cisco IOS documentation: "As with all minor services, the Finger service should be disabled on your system if you do not have a need for it in your network. Any network device that has UDP, TCP, BOOTP, or Finger services should be protected by a firewall or have the services disabled to protect against Denial of Service attacks."
discussion Center for Internet Security Gold Standard Benchmark for Cisco IOS Version 2.1, NSA Router Security Configuration Guide.
type Forbidden
match ^ip finger

1.2.2.3 - Forbid Finger Service - IOS 12.0

Full Name CIS Level 1:1.2 - Control Plane:1.2.2 - Global Service Rules:1.2.2.3 - Forbid Finger Service - IOS 12.0
description Disable finger server. For IOS 12.0, this rule is designed to "fail" every time. This forces the fix to be applied with each run of RAT. The reason for this behavior is that it appears that the default for finger changed in some versions of 12.0 but not others. This makes it impossible, by looking at the configuration, to determine if finger has been turned off. Because of this, it is always assumed to be turned on and the fix to turn it off is applied every time. The score for this rule has been set to "0", so it will be possible to get a "perfect" score.
question Disable finger server (on IOS 12.0)?
fix hostname(config)#no ip finger
reason Finger is used to find out which users are logged into a device. This service is rarely used in practical environments and can potentially provide an attacker with useful information. Additionally, the finger service can expose the device to the Finger of Death denial-of-service (DoS) attack. From Cisco IOS documentation: "As with all minor services, the Finger service should be disabled on your system if you do not have a need for it in your network. Any network device that has UDP, TCP, BOOTP, or Finger services should be protected by a firewall or have the services disabled to protect against Denial of Service attacks."
discussion NSA Router Security Configuration Guide, Cisco IOS Network Management Command Reference, Release 15.0M, Cisco Guide to Harden Cisco IOS Devices, and Cisco AutoSecure
type Required
match ^This will always fail

1.2.2.4 - Forbid IP BOOTP server

Full Name CIS Level 1:1.2 - Control Plane:1.2.2 - Global Service Rules:1.2.2.4 - Forbid IP BOOTP server
description Disable bootstrap protocol (BOOTP) server.
question Disable bootstrap protocol (BOOTP) server?
fix hostname(config)#no ip bootp server
reason From Cisco IOS documentation: "As with all minor services, the async line BOOTP service should be disabled on your system if you do not have a need for it in your network. Any network device that has UDP, TCP, BOOTP, or Finger services should be protected by a firewall or have the services disabled to protect against Denial of Service attacks."
discussion NSA Router Security Configuration Guide, Cisco IOS Network Management Command Reference, Release 15.0M, Cisco Guide to Harden Cisco IOS Devices, and Cisco AutoSecure
type Required
match ^no ip bootp server

1.2.2.5 - Forbid IP HTTP Server

Full Name CIS Level 1:1.2 - Control Plane:1.2.2 - Global Service Rules:1.2.2.5 - Forbid IP HTTP Server
description Disable HTTP server.
question Disable http server?
fix hostname(config)#no ip http server
reason The HTTP server allows remote management of routers. Unfortunately, it uses simple HTTP authentication which sends passwords in the clear. This could allow unauthorized access to, and [mis]management of the router. The http server should be disabled.
discussion NSA Router Security Configuration Guide, Cisco IOS Network Management Command Reference, Release 15.0M, Cisco Guide to Harden Cisco IOS Devices, and Cisco AutoSecure
type Forbidden
match ^ip http server

1.2.2.6 - Forbid Identification Service

Full Name CIS Level 1:1.2 - Control Plane:1.2.2 - Global Service Rules:1.2.2.6 - Forbid Identification Service
description Disable identification (identd) server.
question Disable ident server?
fix hostname(config)#no identd
reason The identification protocol enables identifying a user's transmission control protocol (TCP) session. This information disclosure could potentially provide an attacker with information about users. Services that are not needed should be turned off because they present potential avenues of attack and may provide information that could be useful for gaining unauthorized access.
discussion NSA Router Security Configuration Guide, Cisco IOS Network Management Command Reference, Release 15.0M, Cisco Guide to Harden Cisco IOS Devices, and Cisco AutoSecure
type Forbidden
match ip identd

1.2.2.7 - Forbid HTTP Services

Full Name CIS Level 1:1.2 - Control Plane:1.2.2 - Global Service Rules:1.2.2.7 - Forbid HTTP Services
description Disable the native HTTP services.
question Disable the HTTP services?
fix hostname(config)#no ip http { server | secure-server }
reason HTTP services allow remote management of routers. However, when using simple HTTP, authentication sends passwords in the clear. This could allow unauthorized access to and mis-management of the router. HTTP services should be disabled. If you require a web management interface, ensure use of the HTTPS server functionality.
discussion NSA Router Security Configuration Guide, Cisco IOS Network Management Command Reference, Release 15.0M, Cisco Guide to Harden Cisco IOS Devices, and Cisco AutoSecure
type Forbidden
match no ip http (server|secure-server)

1.2.2.8 - Forbid Remote Startup Configuration

Full Name CIS Level 1:1.2 - Control Plane:1.2.2 - Global Service Rules:1.2.2.8 - Forbid Remote Startup Configuration
description Disable autoloading of remote configuration files from a network server.
question Disable auto loading of remote configuration files from a network server?
fix hostname(config)#no boot network
    hostname(config)#no service config
reason Service config allows the device to autoload its startup configuration from a remote device (e.g. a tftp server). The protocols used to transfer configuration files, such as trivial file transfer protocol (TFTP) and file transfer protocol (FTP), are not secure. Since these methods are insecure, an attacker could potentially compromise or spoof the remote configuration service enabling malicious reconfiguration of the device.
discussion NSA Router Security Configuration Guide, Cisco IOS Network Management Command Reference, Release 15.0M, Cisco Guide to Harden Cisco IOS Devices, and Cisco AutoSecure
type Forbidden
match (boot network|service config)

1.2.2.9 - Require TCP keepalives-in Service

Full Name CIS Level 1:1.2 - Control Plane:1.2.2 - Global Service Rules:1.2.2.9 - Require TCP keepalives-in Service
description Verify transmission control protocol (TCP) keepalives-in service is enabled to kill abnormally terminated sessions.
question Enable TCP keepalives-in service to kill sessions where the remote side has died?
fix hostname(config)#service tcp-keepalives-in
reason Stale connections use resources and could potentially be hijacked to gain illegitimate access. The TCP keepalives-in service generates keepalive packets on idle incoming network connections (initiated by the remote host). This service allows the device to detect when the remote host fails and drop the session. If enabled, keepalives are sent once per minute on idle connections. The connection is closed within five minutes if no keepalives are received or immediately if the host replies with a reset packet.
discussion NSA Router Security Configuration Guide, Cisco IOS Network Management Command Reference, Release 15.0M, Cisco Guide to Harden Cisco IOS Devices, and Cisco AutoSecure
type Required
match ^service tcp-keepalives-in

1.2.2.10 - Require TCP keepalives-out Service

Full Name CIS Level 1:1.2 - Control Plane:1.2.2 - Global Service Rules:1.2.2.10 - Require TCP keepalives-out Service
description Use transmission control protocol (TCP) keepalives-out service to kill abnormally terminated sessions.
question Enable TCP keepalives-out service to kill sessions where the remote side has died?
fix hostname(config)#service tcp-keepalives-out
reason Stale connections use resources and could potentially be hijacked to gain illegitimate access. The TCP keepalives-out service generates keepalive packets on idle outgoing network connections (initiated by the remote host). This service allows the device to detect when the remote host fails and drop the session. If enabled, keepalives are sent once per minute on idle connections. The connection is closed within five minutes if no keepalives are received or immediately if the host replies with a reset packet.
discussion NSA Router Security Configuration Guide, Cisco IOS Network Management Command Reference, Release 15.0M, Cisco Guide to Harden Cisco IOS Devices, and Cisco AutoSecure
type Required
match ^service tcp-keepalives-out

1.2.2.11 - Forbid tcp-small-servers

Full Name CIS Level 1:1.2 - Control Plane:1.2.2 - Global Service Rules:1.2.2.11 - Forbid tcp-small-servers
description Disable unnecessary services such as echo, discard, chargen, etc.
question Disable unnecessary services such as echo, discard, chargen, etc.?
fix hostname(config)#no service tcp-small-servers
reason TCP small services: echo, chargen and daytime (including UDP versions) are rarely used. These services can be leveraged by attackers to launch denial-of-service (DoS) and other attacks that would be prevented by packet inspection filters provided these services are disabled. Services that are not needed should be turned off because they present potential avenues of attack and may provide information that could be useful for gaining unauthorized access.
discussion NSA Router Security Configuration Guide, Cisco IOS Network Management Command Reference, Release 15.0M, Cisco Guide to Harden Cisco IOS Devices, and Cisco AutoSecure
type Forbidden
match ^service tcp-small-servers

1.2.2.12 - Forbid udp-small-servers

Full Name CIS Level 1:1.2 - Control Plane:1.2.2 - Global Service Rules:1.2.2.12 - Forbid udp-small-servers
description Disable unnecessary TCP services such as echo, discard, chargen, etc.
question Disable unnecessary UDP services such as echo, discard, chargen, etc.?
fix hostname(config)#no service udp-small-servers
reason TCP small services: echo, chargen and daytime (including UDP versions) are rarely used. These services can be leveraged by attackers to launch denial-of-service (DoS) and other attacks that would be prevented by packet inspection filters provided these services are disabled. Services that are not needed should be turned off because they present potential avenues of attack and may provide information that could be useful for gaining unauthorized access.
discussion NSA Router Security Configuration Guide, Cisco IOS Network Management Command Reference, Release 15.0M, Cisco Guide to Harden Cisco IOS Devices, and Cisco AutoSecure
type Forbidden
match ^service udp-small-servers

1.2.2.13 - Forbid TFTP Server

Full Name CIS Level 1:1.2 - Control Plane:1.2.2 - Global Service Rules:1.2.2.13 - Forbid TFTP Server
description Disable trivial file transfer protocol (TFTP) server service.
question Disable tftp-server service?
fix hostname(config)#no tftp-server

reason Trivial file transfer protocol (TFTP) is not a secure service. It allows anyone who can connect to the device to transfer files, such as access control lists, router configurations and system images.
discussion NSA Router Security Configuration Guide, Cisco IOS Network Management Command Reference, Release 15.0M, Cisco Guide to Harden Cisco IOS Devices, and Cisco AutoSecure
type Forbidden
match tftp-server

1.2.2.14 - Forbid PAD Service

Full Name CIS Level 1:1.2 - Control Plane:1.2.2 - Global Service Rules:1.2.2.14 - Forbid PAD Service
description Disable X.25 Packet Assembler/Disassembler (PAD) service.
question Disable the PAD service?
fix hostname(config)#no service pad

reason If the PAD service is not necessary, disable the service.
discussion NSA Router Security Configuration Guide, Cisco IOS Network Management Command Reference, Release 15.0M, Cisco Guide to Harden Cisco IOS Devices, and Cisco AutoSecure
type Forbidden
match no service pad

1.2.3 - Logging Rules

Full Name CIS Level 1:1.2 - Control Plane:1.2.3 - Logging Rules

description Apply standard logging rules.
question Apply standard logging rules?

1.2.3.1 - Require System Logging

Full Name CIS Level 1:1.2 - Control Plane:1.2.3 - Logging Rules:1.2.3.1 - Require System Logging
description Verify logging is enabled.
question Enable logging?
fix hostname(config)#logging on

reason Logging should be enabled to allow monitoring of both operational and security related events. Logs are critical for responding to general as well as security incidents. Additionally, device logging is highly recommended or required by most security regulations.
discussion NSA Router Security Configuration Guide, Cisco IOS Network Management Command Reference, Release 15.0M, and Cisco Guide to Harden Cisco IOS Devices.
type Required
match ^logging

1.2.3.2 - Require Logging Buffer

Full Name CIS Level 1:1.2 - Control Plane:1.2.3 - Logging Rules:1.2.3.2 - Require Logging Buffer
description Verify buffered logging (with minimum size) is configured to enable logging to internal device memory buffer.
question Configure buffered logging (with minimum size). Recommended size is 16000?
fix hostname(config)#logging buffered log_buffer_size

warning The buffered data is cleared when the router boots. So while the data is useful, it does not offer enough long-term protection for the logs. Also, be aware that space reserved for buffering log messages reduces memory available for other router functions. Also note that if you choose the default IOS size for buffers (currently 4096), RAT will report a rule failure since IOS does not display settings for some default values.
reason The device can copy and store log messages to an internal memory buffer. The buffered data is available only from a router exec or enabled exec session. This form of logging is useful for debugging and monitoring when logged in to a router.
discussion NSA Router Security Configuration Guide, Cisco IOS Network Management Command Reference, Release 15.0M, and Cisco Guide to Harden Cisco IOS Devices.
type Required
match ^logging buffered \d+

LOG_BUFFER_SIZE

Full Name CIS Level 1:1.2 - Control Plane:1.2.3 - Logging Rules:1.2.3.2 - Require Logging Buffer:LOG_BUFFER_SIZE
description This is the size of the local buffer for storing log messages.
question Local log buffer size?
howtoget Select a local log buffer size
defaultvalue 16000

1.2.3.3 - Require Logging to Device Console

Full Name CIS Level 1:1.2 - Control Plane:1.2.3 - Logging Rules:1.2.3.3 - Require Logging to Device Console
description Verify logging to device console is enabled and limited to a rational severity level to avoid impacting system performance and management.
question Configure console logging level?
fix hostname(config)#logging console critical

warning It is possible that misconfiguring the logging level to be excessively verbose or excessive log messages on the console could make it impossible to manage the device, even on the console.
reason This configuration determines the severity of messages that will generate console messages. Logging to console should be limited only to those messages required for immediate troubleshooting while logged into the device. This form of logging is not persistent; messages printed to the console are not stored by the router. Console logging is handy for operators when they use the console.
discussion NSA Router Security Configuration Guide, Cisco IOS Network Management Command Reference, Release 15.0M, and Cisco Guide to Harden Cisco IOS Devices.
type Required
match logging console critical

1.2.3.4 - Require Logging to Syslog Server

Full Name CIS Level 1:1.2 - Control Plane:1.2.3 - Logging Rules:1.2.3.4 - Require Logging to Syslog Server
description Designate one or more syslog servers to centrally record system logs.
question Designate one or more syslog servers by IP address?
fix hostname(config)#logging host syslog_server

reason Cisco routers can send their log messages to a Unix-style syslog service. A syslog service simply accepts messages and stores them in files or prints them according to a simple configuration file. This form of logging is best because it can provide protected long-term storage for logs (the device's internal logging buffer has limited capacity to store events). Additionally, logging to an external system is highly recommended or required by most security standards.
discussion NSA Router Security Configuration Guide, Cisco IOS Network Management Command Reference, Release 15.0M, and Cisco Guide to Harden Cisco IOS Devices.
type Required
match logging $(SYSLOG_HOST)

SYSLOG_HOST

Full Name CIS Level 1:1.2 - Control Plane:1.2.3 - Logging Rules:1.2.3.4 - Require Logging to Syslog Server:SYSLOG_HOST
description The IP address of the system that will receive syslog messages.
question Address of syslog server?
howtoget Choose a system to receive syslog messages
defaultvalue 13.14.15.16

1.2.3.5 - Require Logging Trap Severity Level

Full Name CIS Level 1:1.2 - Control Plane:1.2.3 - Logging Rules:1.2.3.5 - Require Logging Trap Severity Level
description Verify simple network management protocol (SNMP) trap and syslog are set to required level.
question Configure SNMP trap and syslog logging level?
fix hostname(config)#logging trap informational

reason This determines the severity of messages that will generate simple network management protocol (SNMP) trap and/or syslog messages. This setting should be set to either "debugging" (7) or "informational" (6), but no lower. The default, in IOS 11.3 and later, is [informational].
discussion NSA Router Security Configuration Guide, Cisco IOS Network Management Command Reference, Release 15.0M, and Cisco Guide to Harden Cisco IOS Devices.
type Forbidden
match logging trap ((informational)|(debugging)|([0-5]))

1.2.3.6 - Require Service Timestamps for Debug Messages

Full Name CIS Level 1:1.2 - Control Plane:1.2.3 - Logging Rules:1.2.3.6 - Require Service Timestamps for Debug Messages
description Configure debug message to include timestamps.
question Configure debug message to include timestamps?
fix hostname(config)#service timestamps debug datetime { msec } { show-timezone }

reason Including timestamps in log messages allows correlating events and tracing network attacks across multiple devices. Enabling service timestamp to mark the time log messages were generated simplifies obtaining a holistic view of events enabling faster troubleshooting of issues or attacks.
discussion NSA Router Security Configuration Guide, Cisco IOS Network Management Command Reference, Release 15.0M, and Cisco Guide to Harden Cisco IOS Devices, and Cisco AutoSecure
type Required
match service timestamps debug datetime( msec)?( localtime)? show-timezone( year)?

1.2.3.7 - Require Service Timestamps in Log Messages

Full Name CIS Level 1:1.2 - Control Plane:1.2.3 - Logging Rules:1.2.3.7 - Require Service Timestamps in Log Messages
description Configure logging to include message timestamps.
question Configure logging to include message timestamps?
fix hostname(config)#service timestamps log datetime { msec } { show-timezone }

reason Including timestamps in log messages allows correlating events and tracing network attacks across multiple devices. Enabling service timestamp to mark the time log messages were generated simplifies obtaining a holistic view of events enabling faster troubleshooting of issues or attacks.
discussion NSA Router Security Configuration Guide, Cisco IOS Network Management Command Reference, Release 15.0M, and Cisco Guide to Harden Cisco IOS Devices, and Cisco AutoSecure
type Required
match service timestamps log datetime( msec)?( localtime)? show-timezone( year)?

1.2.3.8 - Require Binding Logging Service to Loopback Interface

Full Name CIS Level 1:1.2 - Control Plane:1.2.3 - Logging Rules:1.2.3.8 - Require Binding Logging Service to Loopback Interface
description Verify logging messages are bound to the loopback interface.
question Bind logging to the loopback interface?
fix hostname(config)#logging source-interface loopback [0]

reason This is required so that the router sends log messages to the logging server from a consistent IP address.
discussion NSA Router Security Configuration Guide and Cisco IOS Network Management Command Reference, Release 15.0M
type Required
match logging source-interface loopback \d+

1.2.4 - NTP Rules

Full Name CIS Level 1:1.2 - Control Plane:1.2.4 - NTP Rules
description Apply standard NTP checks.
question Synchronize router time via NTP?

1.2.4.1 - Require External Time Source

Full Name CIS Level 1:1.2 - Control Plane:1.2.4 - NTP Rules:1.2.4.1 - Require External Time Source
description Verify configuration of at least two external (NTP) timeservers used to synchronize the device clock.
question Configure one or more external NTP servers using the following commands?
fix hostname(config)#ntp { server | peer } {ntp_server_2}

reason To ensure that the time on your Cisco router is consistent with other devices in your network, at least two (and preferably at least three) NTP servers external to the router should be configured.
discussion NSA Router Security Configuration Guide and Cisco IOS Network Management Command Reference, Release 15.0M
type Required
match ntp (server|peer) $(NTP_HOST_2)

NTP_HOST_2

Full Name CIS Level 1:1.2 - Control Plane:1.2.4 - NTP Rules:1.2.4.1 - Require External Time Source:NTP_HOST_2
description The IP address of this router's 2nd NTP server.
question Address of second NTP server?
howtoget Choose an external NTP server. See http://support.ntp.org/bin/view/Servers/WebHome
defaultvalue 5.6.7.8

1.2.4.2.1 - Enable NTP Authentication

Full Name CIS Level 1:1.2 - Control Plane:1.2.4 - NTP Rules:1.2.4.2.1 - Enable NTP Authentication
description Enable NTP authentication.
question Configure NTP authentication?

fix hostname(config)#ntp authenticate

reason Enable NTP authentication.
discussion NSA Router Security Configuration Guide and Cisco IOS Network Management Command Reference, Release 15.0M
type Required
match ntp authenticate

1.2.4.2.2 - Define NTP Key Ring and Encryption Key

Full Name CIS Level 1:1.2 - Control Plane:1.2.4 - NTP Rules:1.2.4.2.2 - Define NTP Key Ring and Encryption Key
description Keys are configured on a key ring and identified by an ID number. To add a key, enter the following command.
question Configure the NTP key ring and encryption key using the following command?
fix hostname(config)#ntp authentication-key {ntp_key_id} md5 {ntp_key}

reason Keys are configured on a key ring and identified by an ID number. To add a key, enter the following command.
discussion NSA Router Security Configuration Guide and Cisco IOS Network Management Command Reference, Release 15.0M
type Required
match ntp authentication-key \S+ md5 \S+

1.2.4.2.3 - Define the NTP Trusted Key

Full Name CIS Level 1:1.2 - Control Plane:1.2.4 - NTP Rules:1.2.4.2.3 - Define the NTP Trusted Key
description Configure the key as trusted so that the router will accept NTP traffic encrypted using it. This mechanism provides an easy method to retire keys in the event of compromise.
question Configure the NTP trusted key using the following command?
fix ntp trusted-key {ntp_key_id}

reason Configure the key as trusted so that the router will accept NTP traffic encrypted using it. This mechanism provides an easy method to retire keys in the event of compromise.
discussion NSA Router Security Configuration Guide and Cisco IOS Network Management Command Reference, Release 15.0M
type Required
match ntp trusted-key \S+ md5 \S+

1.2.4.2.4 - Bind the NTP Key Ring to each NTP server

Full Name CIS Level 1:1.2 - Control Plane:1.2.4 - NTP Rules:1.2.4.2.4 - Bind the NTP Key Ring to each NTP server
description Set the keys for all configured NTP servers using the following commands under the [edit system] hierarchy; this sets the key that the router will use to encrypt and decrypt traffic for this server.
question Configure each NTP server to use a key ring using the following command?
fix ntp server {ntp-server_ip_address}{key ntp_key_id} [source interface_name] [prefer]

reason Set the keys for all configured NTP servers using the following commands under the [edit system] hierarchy; this sets the key that the router will use to encrypt and decrypt traffic for this server.
discussion NSA Router Security Configuration Guide and Cisco IOS Network Management Command Reference, Release 15.0M
type Required
match ntp server \S+ key \S+

1.3 - Data Plane Level 1

Full Name CIS Level 1:1.3 - Data Plane Level 1
description Services and settings related to the data passing through the router (as opposed to directed to it). Basically, the data plane is for everything not in control or management planes. Settings on a router concerned with the data plane include interface access lists, firewall functionality (e.g. CBAC), NAT, and IPSec. Settings for traffic-affecting services like unicast RPF verification and CAR/QoS also fall into this area.
question Check rules and data related to data flow?

1.3.1 - Routing Rules

Full Name CIS Level 1:1.3 - Data Plane Level 1:1.3.1 - Routing Rules
description Unneeded services should be disabled.
question Apply standard routing protections?

1.3.1.1 - Forbid Directed Broadcast

Full Name CIS Level 1:1.3 - Data Plane Level 1:1.3.1 - Routing Rules:1.3.1.1 - Forbid Directed Broadcast
description Disallow IP directed broadcast on each interface.
question Disable directed broadcast on each interface?
fix hostname(config)#interface interface-id
    hostname(config-if)#no ip directed-broadcast
reason Directed broadcasts permit hosts to send broadcasts across local area network (LAN) segments. Device interfaces that allow directed broadcasts can be used for "smurf" denial-of-service (DoS) attacks.
discussion NSA Router Security Configuration Guide, Cisco IOS Network Management Command Reference, Release 15.0M, and Cisco AutoSecure
type Forbidden
match ^ip directed-broadcast

1.3.1.2 - Forbid IP source-route

Full Name CIS Level 1:1.3 - Data Plane Level 1:1.3.1 - Routing Rules:1.3.1.2 - Forbid IP source-route
description Disable source routing.
question Disable source routing?
fix hostname(config)#no ip source-route

warning There may be legitimate operational reasons for leaving source routing enabled, particularly in larger networks as an aid to diagnosing routing problems.
reason Source routing is a feature of IP whereby individual packets can specify routes. This feature is used in several kinds of attacks. Cisco routers normally accept and process source routes. Unless a network depends on source routing, it should be disabled.
discussion NSA Router Security Configuration Guide, Cisco IOS Network Management Command Reference, Release 15.0M, and Cisco AutoSecure
type Required
match no ip source-route
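Every rule on this page uses the same evaluation model: the `match` regular expression, with `$(VAR)` placeholders filled from the data items (LOG_BUFFER_SIZE, SYSLOG_HOST, LOOPBACK_NUMBER), is applied to the running configuration, and a `type Required` rule passes only when some line matches while a `type Forbidden` rule passes only when none does. The following is an added example, not RAT's own code, of a minimal evaluator of that kind: rule names, types, patterns and fixes are copied from the entries above, the configuration is a constructed excerpt, and it assumes that indented interface sub-commands are checked with their indentation stripped. It also reproduces the 1.2.3.2 warning: a buffer left at the undisplayed IOS default has no `logging buffered` line, so that rule fails.

```python
import re
from dataclasses import dataclass

# Data items with the 'defaultvalue' fields listed above (constructed inputs for this example).
DATA = {"LOG_BUFFER_SIZE": "16000", "SYSLOG_HOST": "13.14.15.16", "LOOPBACK_NUMBER": "0"}


@dataclass(frozen=True)
class Rule:
    name: str
    rule_type: str  # the 'type' field: "Required" or "Forbidden"
    match: str      # the 'match' field: a regex that may contain $(VAR) placeholders
    fix: str        # the 'fix' field, printed when the rule fails (prompt omitted)


# Names, types, and match patterns copied from the rule entries above.
RULES = [
    Rule("1.2.2.11 - Forbid tcp-small-servers", "Forbidden", r"^service tcp-small-servers",
         "no service tcp-small-servers"),
    Rule("1.2.2.13 - Forbid TFTP Server", "Forbidden", r"tftp-server", "no tftp-server"),
    Rule("1.2.3.1 - Require System Logging", "Required", r"^logging", "logging on"),
    Rule("1.2.3.2 - Require Logging Buffer", "Required", r"^logging buffered \d+",
         "logging buffered $(LOG_BUFFER_SIZE)"),
    Rule("1.2.3.4 - Require Logging to Syslog Server", "Required", r"logging $(SYSLOG_HOST)",
         "logging host $(SYSLOG_HOST)"),
    Rule("1.2.4.2.1 - Enable NTP Authentication", "Required", r"ntp authenticate", "ntp authenticate"),
    Rule("1.2.4.2.4 - Bind the NTP Key Ring to each NTP server", "Required",
         r"ntp server \S+ key \S+", "ntp server {ntp-server_ip_address} key ntp_key_id"),
    Rule("1.3.1.1 - Forbid Directed Broadcast", "Forbidden", r"^ip directed-broadcast",
         "no ip directed-broadcast"),
    Rule("1.3.1.2 - Forbid IP source-route", "Required", r"no ip source-route", "no ip source-route"),
    Rule("2.2.1.1 - Require Loopback Interface", "Required", r"interface Loopback$(LOOPBACK_NUMBER)",
         "interface loopback $(LOOPBACK_NUMBER)"),
    Rule("2.2.1.2 - Forbid Multiple Loopback Interfaces", "Forbidden",
         r"interface Loopback(?!$(LOOPBACK_NUMBER))", "no interface loopback {instance}"),
]

# Constructed running-config excerpt (not from a real device). It deliberately carries a
# TFTP server, a directed-broadcast interface, a second loopback, and no 'no ip source-route'.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
logging buffered 16000
logging console critical
logging trap informational
logging 13.14.15.16
ntp authentication-key 1 md5 REDACTED 7
ntp authenticate
ntp trusted-key 1
ntp server 5.6.7.8 key 1
interface Loopback0
 ip address 192.168.1.3 255.255.255.255
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip directed-broadcast
interface Loopback10
 ip address 192.168.1.10 255.255.255.255
tftp-server flash:router-image.bin
"""


def expand(text: str, data: dict, escape: bool = True) -> str:
    """Substitute $(VAR) placeholders; values are regex-escaped when building a pattern."""
    return re.sub(r"\$\((\w+)\)",
                  lambda m: re.escape(data[m.group(1)]) if escape else data[m.group(1)], text)


def evaluate(rule: Rule, config: str, data: dict = DATA):
    """Return (passed, matching_lines) for one rule against a running configuration."""
    regex = re.compile(expand(rule.match, data))
    # Interface sub-commands are indented in 'show running-config'; the indentation is stripped
    # so ^-anchored patterns such as ^ip directed-broadcast still see the command (assumption).
    # The anchor matters: 'no service tcp-small-servers' must not trip the Forbidden rule.
    hits = [line.strip() for line in config.splitlines() if regex.search(line.strip())]
    # Required passes when at least one line matches; Forbidden passes only when none does.
    passed = bool(hits) if rule.rule_type == "Required" else not hits
    return passed, hits


def audit(config: str, rules=RULES, data: dict = DATA) -> dict:
    """Map every rule name to its pass/fail result."""
    return {rule.name: evaluate(rule, config, data)[0] for rule in rules}


def failing_rules(config: str, rules=RULES, data: dict = DATA) -> list:
    """Sorted names of the rules the configuration fails."""
    return sorted(name for name, ok in audit(config, rules, data).items() if not ok)


def report(config: str, rules=RULES, data: dict = DATA) -> None:
    for rule in rules:
        passed, hits = evaluate(rule, config, data)
        print(f"{'PASS' if passed else 'FAIL'}  {rule.name}")
        if not passed:
            for line in hits:  # only a Forbidden rule fails with matching lines to show
                print(f"        offending: {line}")
            print(f"        fix: {expand(rule.fix, data, escape=False)}")


if __name__ == "__main__":
    report(SAMPLE_CONFIG)
```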

CIS Level 2

Full Name CIS Level 2
description CIS Level 2 Config Class is the root for Level 2 configurations.
question Apply some or all of CIS Level 2 rules?

2.1 - Management Plane

Full Name CIS Level 2:2.1 - Management Plane
description Services, settings, and data streams related to setting up and examining the static configuration of the router, and the authentication and authorization of router administrators. Examples of management plane services include: administrative telnet, SNMP, TFTP for image file upload, and security protocols like RADIUS and TACACS+.
question Check rules and data related to system management?

2.1.1 - Centralized AAA Rules

Full Name CIS Level 2:2.1 - Management Plane:2.1.1 - Centralized AAA Rules
description Rules in the authentication, authorization and accounting (AAA) configuration class enforce centralized device access control.
question Use centralized AAA?

2.1.1.1 - Require AAA Authentication Enable

Full Name CIS Level 2:2.1 - Management Plane:2.1.1 - Centralized AAA Rules:2.1.1.1 - Require AAA Authentication Enable
description Verify authentication, authorization and accounting (AAA) methods for enable mode authentication (with fall-back) is configured.
question Configure AAA authentication method(s) for enable authentication (with fall-back)?
fix hostname(config)#aaa authentication enable { default } group tacacs+ [ enable ...]

reason Authentication, authorization and accounting (AAA) systems provide an authoritative source for managing and monitoring access for devices. Centralizing control improves consistency of access control, the services that may be accessed once authenticated and accountability by tracking services accessed. Additionally, centralizing access control simplifies and reduces administrative costs of account provisioning and de-provisioning, especially when managing a large number of devices.
discussion Cisco IOS Security Command Reference, Release 15.0 and NSA Router Security Configuration Guide
type Required
match aaa authentication enable (default |)(group |)tacacs\+ enable

AAA_LIST_NAME

Full Name CIS Level 2:2.1 - Management Plane:2.1.1 - Centralized AAA Rules:2.1.1.1 - Require AAA Authentication Enable:AAA_LIST_NAME
description This is the name of the AAA method list that will be used for login authentication and other purposes. Choose 'default' if you want to use the default AAA list, otherwise choose another name, like 'local_auth'. (Note: if you applied the IOS 12.3 auto_secure feature, then 'local_auth' is the name to use.)
question Name for login AAA list?
howtoget Select an AAA list name
defaultvalue default

2.1.1.2 - Require AAA Authentication Login

Full Name CIS Level 2:2.1 - Management Plane:2.1.1 - Centralized AAA Rules:2.1.1.2 - Require AAA Authentication Login
description Verify authentication, authorization and accounting (AAA) methods for user login authentication (with fall-back) is configured.
question Configure AAA authentication method(s) for login authentication (with fall-back)?
fix hostname(config)#aaa authentication login { default | aaa_list_name } group tacacs+ [ local-case ...]

reason Authentication, authorization and accounting (AAA) systems provide an authoritative source for managing and monitoring access for devices. Centralizing control improves consistency of access control, the services that may be accessed once authenticated and accountability by tracking services accessed. Additionally, centralizing access control simplifies and reduces administrative costs of account provisioning and de-provisioning, especially when managing a large number of devices.
discussion Cisco IOS Security Command Reference, Release 15.0 and NSA Router Security Configuration Guide
type Required
match aaa authentication login ($(AAA_LIST_NAME) |)(group |)tacacs\+ local enable

AAA_LIST_NAME

Full Name CIS Level 2:2.1 - Management Plane:2.1.1 - Centralized AAA Rules:2.1.1.2 - Require AAA Authentication Login:AAA_LIST_NAME
description This is the name of the AAA method list that will be used for login authentication and other purposes. Choose 'default' if you want to use the default AAA list, otherwise choose another name, like 'local_auth'. (Note: if you applied the IOS 12.3 auto_secure feature, then 'local_auth' is the name to use.)
question Name for login AAA list?
howtoget Select an AAA list name
defaultvalue default

2.1.1.3 - Require AAA Accounting Commands

Full Name CIS Level 2:2.1 - Management Plane:2.1.1 - Centralized AAA Rules:2.1.1.3 - Require AAA Accounting Commands
description Verify authentication, authorization and accounting (AAA) for commands is configured.
question Configure AAA accounting for commands?
fix hostname(config)#aaa accounting {commands 15} {default} {start-stop} {group-tacacs+} [local-case …]

reason Authentication, authorization and accounting (AAA) systems provide an authoritative source for managing and monitoring accounting for devices. Centralizing control improves consistency of access control, the services that may be accessed once authenticated and accountability by tracking services accessed. Additionally, centralizing access control simplifies and reduces administrative costs of account provisioning and de-provisioning, especially when managing a large number of devices.
discussion Cisco IOS Security Command Reference, Release 15.0 and NSA Router Security Configuration Guide
type Required
match aaa accounting commands 15 (default |)start-stop (group |)tacacs\+

2.1.1.4 - Require AAA Accounting Connection

Full Name CIS Level 2:2.1 - Management Plane:2.1.1 - Centralized AAA Rules:2.1.1.4 - Require AAA Accounting Connection
description Verify authentication, authorization and accounting (AAA) accounting for connections is configured.
question Configure AAA accounting for connections?
fix hostname(config)#aaa accounting {connection} {default} {start-stop} {group-tacacs+} [local-case …]

reason Authentication, authorization and accounting (AAA) systems provide an authoritative source for managing and monitoring accounting for devices. Centralizing control improves consistency of access control, the services that may be accessed once authenticated and accountability by tracking services accessed. Additionally, centralizing access control simplifies and reduces administrative costs of account provisioning and de-provisioning, especially when managing a large number of devices.
discussion Cisco IOS Security Command Reference, Release 15.0 and NSA Router Security Configuration Guide
type Required
match aaa accounting connection (default |)start-stop (group |)tacacs\+

2.1.1.5 - Require AAA Accounting Exec

Full Name CIS Level 2:2.1 - Management Plane:2.1.1 - Centralized AAA Rules:2.1.1.5 - Require AAA Accounting Exec
description Verify authentication, authorization and accounting (AAA) accounting for exec is configured.
question Configure AAA accounting for exec?
fix hostname(config)#aaa accounting {exec} {default} {start-stop} {group-tacacs+} [local-case …]

reason Authentication, authorization and accounting (AAA) systems provide an authoritative source for managing and monitoring accounting for devices. Centralizing control improves consistency of access control, the services that may be accessed once authenticated and accountability by tracking services accessed. Additionally, centralizing access control simplifies and reduces administrative costs of account provisioning and de-provisioning, especially when managing a large number of devices.
discussion Cisco IOS Security Command Reference, Release 15.0 and NSA Router Security Configuration Guide
type Required
match aaa accounting exec ((default |)start-stop (group |)tacacs\+ |default action-type start-stop group tacacs\+)

2.1.1.6 - Require AAA Accounting Network

Full Name CIS Level 2:2.1 - Management Plane:2.1.1 - Centralized AAA Rules:2.1.1.6 - Require AAA Accounting Network
description Verify authentication, authorization and accounting (AAA) accounting for network events is configured.
question Configure AAA accounting for network events?
fix hostname(config)#aaa accounting {network} {default} {start-stop} {group-tacacs+} [local-case …]

reason Authentication, authorization and accounting (AAA) systems provide an authoritative source for managing and monitoring accounting for devices. Centralizing control improves consistency of access control, the services that may be accessed once authenticated and accountability by tracking services accessed. Additionally, centralizing access control simplifies and reduces administrative costs of account provisioning and de-provisioning, especially when managing a large number of devices.
discussion Cisco IOS Security Command Reference, Release 15.0 and NSA Router Security Configuration Guide
type Required
match aaa accounting network (default |)start-stop (group |)tacacs\+

2.1.1.7 - Require AAA Accounting System

Full Name CIS Level 2:2.1 - Management Plane:2.1.1 - Centralized AAA Rules:2.1.1.7 - Require AAA Accounting System
description Verify authentication, authorization and accounting (AAA) accounting for system events is configured.
question Configure AAA accounting for system events?
fix hostname(config)#aaa accounting {system} {default} {start-stop} {group-tacacs+} [local-case …]

reason Authentication, authorization and accounting (AAA) systems provide an authoritative source for managing and monitoring accounting for devices. Centralizing control improves consistency of access control, the services that may be accessed once authenticated and accountability by tracking services accessed. Additionally, centralizing access control simplifies and reduces administrative costs of account provisioning and de-provisioning, especially when managing a large number of devices.
discussion Cisco IOS Security Command Reference, Release 15.0 and NSA Router Security Configuration Guide
type Required
match aaa accounting system (default |)start-stop (group |)tacacs\+

2.2 - Control Plane

Full Name CIS Level 2:2.2 - Control Plane
description Services, settings, and data streams that support and document the operation, traffic handling, and dynamic status of the router. Examples of control plane services include: logging (e.g. Syslog), routing protocols, status protocols like CDP and HSRP, network topology protocols like STP, and traffic security control protocols like IKE. Network control protocols like ICMP, NTP, ARP, and IGMP directed to or sent by the router itself also fall into this area.
question Check rules and data related to system control?

2.2.1 - Loopback Rules

Full Name CIS Level 2:2.2 - Control Plane:2.2.1 - Loopback Rules
description Rules in the loopback class enforce source address standardization on virtual interfaces to enhance security, consistency of device identification and stability. Note that addresses assigned to loopback interfaces on the device must have routes to communicate with management devices (syslog, Telnet, TACACS+, SNMP).
question Apply loopback checks?
question Apply loopback checks?

LOOPBACK_NUMBER

Full Name CIS Level 2:2.2 - Control Plane:2.2.1 - Loopback Rules:LOOPBACK_NUMBER
description The number of the local loopback interface to use as the router's source address (almost always Loopback0).
question What is the local loopback interface number?
howtoget show ip interface brief
defaultvalue 0

2.2.1.1 - Require Loopback Interface

Full Name CIS Level 2:2.2 - Control Plane:2.2.1 - Loopback Rules:2.2.1.1 - Require Loopback Interface
description Define and configure one loopback interface.
question Define and configure one loopback interface?
fix hostname(config)#interface loopback {0}
    hostname(config-if)#ip address {loopback_ip_address}
reason The loopback interface provides a standard interface to be used in logging, time, routing protocols, and for ACLs limiting administrative access.
discussion Cisco IOS Interface and Hardware Component Command Reference, Release 15.0 and NSA Router Security Configuration Guide
type Required
match interface Loopback$(LOOPBACK_NUMBER)

LOOPBACK_NUMBER

Full Name CIS Level 2:2.2 - Control Plane:2.2.1 - Loopback Rules:2.2.1.1 - Require Loopback Interface:LOOPBACK_NUMBER
description The number of the local loopback interface to use as the router's source address (almost always Loopback0).
question What is the local loopback interface number?
howtoget show ip interface brief
defaultvalue 0

LOOPBACK_ADDRESS

Full Name CIS Level 2:2.2 - Control Plane:2.2.1 - Loopback Rules:2.2.1.1 - Require Loopback Interface:LOOPBACK_ADDRESS
description The IP address of this router's loopback interface (if any).
question What is the local loopback address?
howtoget Consult local topology maps, your ISP or network administrators.
defaultvalue 192.168.1.3

2.2.1.2 - Forbid Multiple Loopback Interfaces

Full Name CIS Level 2:2.2 - Control Plane:2.2.1 - Loopback Rules:2.2.1.2 - Forbid Multiple Loopback Interfaces
description Define no more than one loopback interface.
question Define no more than one loopback interface?
fix hostname(config)#no loopback {instance}

reason Alternate loopback addresses create a potential for abuse, mis-configuration, and inconsistencies. Additional loopback interfaces must be documented and approved prior to use by local security personnel.
discussion Cisco IOS Interface and Hardware Component Command Reference, Release 15.0 and NSA Router Security Configuration Guide
type Forbidden
match interface Loopback(?!$(LOOPBACK_NUMBER))

LOOPBACK_NUMBER

Full Name CIS Level 2:2.2 - Control Plane:2.2.1 - Loopback Rules:2.2.1.2 - Forbid Multiple Loopback Interfaces:LOOPBACK_NUMBER
description The number of the local loopback interface to use as the router's source address (almost always Loopback0).
question What is the local loopback interface number?
howtoget show ip interface brief
defaultvalue 0

2.2.1.3 - Require Binding AAA Service to Loopback Interface

Full Name CIS Level 2:2.2 - Control Plane:2.2.1 - Loopback Rules:2.2.1.3 - Require Binding AAA Service to Loopback Interface
description Verify authentication, authorization and accounting (AAA) services are bound to the loopback interface.
question Bind AAA services to the loopback interface?
fix router(config)# ip tacacs source-interface Loopback$(LOOPBACK_NUMBER)

reason This is required so that the AAA server (RADIUS or TACACS+) can easily identify routers and authenticate requests by their IP address.
discussion Cisco IOS Security Command Reference, Release 15.0 and NSA Router Security Configuration Guide
type Required
match ip tacacs.? source-interface Loopback$(LOOPBACK_NUMBER)

LOOPBACK_NUMBER

Full Name CIS Level 2:2.2 - Control Plane:2.2.1 - Loopback Rules:2.2.1.3 - Require Binding AAA Service to Loopback Interface:LOOPBACK_NUMBER
description The number of the local loopback interface to use as the router's source address (almost always Loopback0).
question What is the local loopback interface number?
howtoget show ip interface brief
defaultvalue 0

2.2.1.1 - Require Loopback Interface

Full Name CIS Level 2:2.2 - Control Plane:2.2.1 - Loopback Rules:2.2.1.3 - Require Binding AAA Service to Loopback Interface:2.2.1.1 - Require Loopback Interface
description Define and configure one loopback interface.
question Define and configure one loopback interface?
fix hostname(config)#interface loopback {0}
    hostname(config-if)#ip address {loopback_ip_address}
reason The loopback interface provides a standard interface to be used in logging, time, routing protocols, and for ACLs limiting administrative access.
discussion Cisco IOS Interface and Hardware Component Command Reference, Release 15.0 and NSA Router Security Configuration Guide
type Required
match interface Loopback$(LOOPBACK_NUMBER)

LOOPBACK_NUMBER

Full Name CIS Level 2:2.2 - Control Plane:2.2.1 - Loopback Rules:2.2.1.3 - Require Binding AAA Service to Loopback Interface:2.2.1.1 - Require Loopback Interface:LOOPBACK_NUMBER
description The number of the local loopback interface to use as the router's source address (almost always Loopback0).
question What is the local loopback interface number?
howtoget show ip interface brief
defaultvalue 0

LOOPBACK_ADDRESS

Full Name CIS Level 2:2.2 - Control Plane:2.2.1 - Loopback Rules:2.2.1.3 - Require Binding AAA Service to Loopback Interface:2.2.1.1 - Require Loopback Interface:LOOPBACK_ADDRESS
description The IP address of this router's loopback interface (if any).
question What is the local loopback address?
howtoget Consult local topology maps, your ISP or network administrators.
defaultvalue 192.168.1.3

2.2.1.4 - Require Binding NTP Service to Loopback Interface

Full Name CIS Level 2:2.2 - Control Plane:2.2.1 - Loopback Rules:2.2.1.4 - Require Binding NTP Service to Loopback Interface
description Verify the network time protocol (NTP) service is bound to the loopback interface.
question Bind the NTP service to the loopback interface?
fix hostname(config)#ntp source loopback {0}

reason Set the source address to be used when sending NTP traffic. This may be required if the NTP servers you peer with filter based on IP address.
discussion Cisco IOS Network Management Command Reference, Release 12.4 and NSA Router Security Configuration Guide
type Required
match ntp source Loopback$(LOOPBACK_NUMBER)

LOOPBACK_NUMBER

Full Name CIS Level 2:2.2 - Control Plane:2.2.1 - Loopback Rules:2.2.1.4 - Require Binding NTP Service to Loopback Interface:LOOPBACK_NUMBER
description The number of the local loopback interface to use as the router's source address (almost always Loopback0).
question What is the local loopback interface number?
howtoget show ip interface brief
defaultvalue 0

2.2.1.1 - Require Loopback Interface

Full Name CIS Level 2:2.2 - Control Plane:2.2.1 - Loopback Rules:2.2.1.4 - Require Binding NTP Service to Loopback Interface:2.2.1.1 - Require Loopback Interface
description Define and configure one loopback interface.
question Define and configure one loopback interface?
fix hostname(config)#interface loopback {0}
    hostname(config-if)#ip address {loopback_ip_address}
reason The loopback interface provides a standard interface to be used in logging, time, routing protocols, and for ACLs limiting administrative access.
discussion Cisco IOS Interface and Hardware Component Command Reference, Release 15.0 and NSA Router Security Configuration Guide
type Required
match interface Loopback$(LOOPBACK_NUMBER)

LOOPBACK_NUMBER

Full Name CIS Level 2:2.2 - Control Plane:2.2.1 - Loopback Rules:2.2.1.4 - Require Binding NTP Service to Loopback Interface:2.2.1.1 - Require Loopback Interface:LOOPBACK_NUMBER
description The number of the local loopback interface to use as the router's source address (almost always Loopback0).
question What is the local loopback interface number?
howtoget show ip interface brief
defaultvalue 0

LOOPBACK_ADDRESS

Full Name CIS Level 2:2.2 - Control Plane:2.2.1 - Loopback Rules:2.2.1.4 - Require Binding NTP Service to Loopback Interface:2.2.1.1 - Require Loopback Interface:LOOPBACK_ADDRESS
description The IP address of this router's loopback interface (if any).
question What is the local loopback address?
howtoget Consult local topology maps, your ISP or network administrators.
defaultvalue 192.168.1.3

2.2.1.5 - Require Binding TFTP Service to Loopback Interface

Full Name CIS Level 2:2.2 - Control Plane:2.2.1 - Loopback Rules:2.2.1.5 - Require Binding TFTP Service to Loopback Interface
description Verify the trivial file transfer protocol (TFTP) client is bound to the loopback interface.
question Bind the TFTP client to the loopback interface?
fix hostname(config)#ip tftp source-interface loopback {0}

reason This is required so that the TFTP servers can easily identify routers and authenticate requests by their IP address.
discussion Cisco IOS Configuration Fundamentals Command Reference, Release 15.0M and NSA Router Security Configuration Guide
type Required
match ip tftp source-interface Loopback$(LOOPBACK_NUMBER)

LOOPBACK_NUMBER

Full Name CIS Level 2:2.2 - Control Plane:2.2.1 - Loopback Rules:2.2.1.5 - Require Binding TFTP Service to Loopback Interface:LOOPBACK_NUMBER
description The number of the local loopback interface to use as the router's source address (almost always Loopback0).
question What is the local loopback interface number?
howtoget show ip interface brief
defaultvalue 0

2.2.1.1 - Require Loopback Interface

Full Name CIS Level 2:2.2 - Control Plane:2.2.1 - Loopback Rules:2.2.1.5 - Require Binding TFTP Service to Loopback Interface:2.2.1.1 - Require Loopback Interface
description Define and configure one loopback interface.
question Define and configure one loopback interface?
fix hostname(config)#interface loopback {0}
    hostname(config-if)#ip address {loopback_ip_address}
reason The loopback interface provides a standard interface to be used in logging, time, routing protocols, and for ACLs limiting administrative access.
discussion Cisco IOS Interface and Hardware Component Command Reference, Release 15.0 and NSA Router Security Configuration Guide
type Required
match interface Loopback$(LOOPBACK_NUMBER)

LOOPBACK_NUMBER

Full Name CIS Level 2:2.2 - Control Plane:2.2.1 - Loopback Rules:2.2.1.5 - Require Binding TFTP Service to Loopback Interface:2.2.1.1 - Require Loopback Interface:LOOPBACK_NUMBER
description The number of the local loopback interface to use as the router's source address (almost always Loopback0).
question What is the local loopback interface number?
howtoget show ip interface brief
defaultvalue 0

LOOPBACK_ADDRESS

Full Name CIS Level 2:2.2 - Control Plane:2.2.1 - Loopback Rules:2.2.1.5 - Require Binding TFTP Service to Loopback Interface:2.2.1.1 - Require Loopback Interface:LOOPBACK_ADDRESS
description The IP address of this router's loopback interface (if any).
question What is the local loopback address?
howtoget Consult local topology maps, your ISP or network administrators.
defaultvalue 192.168.1.3

2.3 - Data Plane

Full Name CIS Level 2:2.3 - Data Plane
description Services and settings related to the data passing through the router (as opposed to directed to it). Basically, the data plane is for everything not in control or management planes. Settings on a router concerned with the data plane include interface access lists, firewall functionality (e.g. CBAC), NAT, and IPSec. Settings for traffic-affecting services like unicast RPF verification and CAR/QoS also fall into this area.
question Check rules and data related to data flow?

2.3.1 - Border Router Filtering

Full Name CIS Level 2:2.3 - Data Plane:2.3.1 - Border Router Filtering
description A border router is a router that connects "internal" networks such as desktop networks, DMZ networks, etc., to "external" networks such as the Internet. If this group is chosen, then ingress and egress filter rules will be required. "Building Internet Firewalls" by Zwicky, Cooper and Chapman, O'Reilly and Associates.
question Apply border router filtering rules?

EXTERNAL_INTERFACE

Full Name CIS Level 2:2.3 - Data Plane:2.3.1 - Border Router Filtering:EXTERNAL_INTERFACE
description The router interface that is attached to an external or untrusted network (e.g. the Internet). This should be the full name as it appears in the configuration file (e.g. "Ethernet0"), not an abbreviation (e.g. "eth0").
question What is the primary external interface?
howtoget show ip interface brief
defaultvalue Ethernet0

2.3.1.1 - Forbid Private Source Addresses from External Networks

Full Name CIS Level 2:2.3 - Data Plane:2.3.1 - Border Router Filtering:2.3.1.1 - Forbid Private Source Addresses from External Networks
description Verify the device is configured to restrict access for traffic from external networks that has a source address that should only appear from internal networks.
question Configure ACL for private source address restrictions from external networks?
fix hostname(config)#access-list {access-list} deny ip {internal_networks} any log
    hostname(config)#access-list {access-list} deny ip 127.0.0.0 0.255.255.255 any log
    hostname(config)#access-list {access-list} deny ip 10.0.0.0 0.255.255.255 any log
    hostname(config)#access-list {access-list} deny ip 0.0.0.0 0.255.255.255 any log
    hostname(config)#access-list {access-list} deny ip 172.16.0.0 0.15.255.255 any log
    hostname(config)#access-list {access-list} deny ip 192.168.0.0 0.0.255.255 any log
    hostname(config)#access-list {access-list} deny ip 192.0.2.0 0.0.0.255 any log
    hostname(config)#access-list {access-list} deny ip 169.254.0.0 0.0.255.255 any log
    hostname(config)#access-list {access-list} deny ip 224.0.0.0 31.255.255.255 any log
    hostname(config)#access-list {access-list} deny ip host 255.255.255.255 any log
    hostname(config)#access-group {access-list} in interface {interface}
warning This rule requires extensive customization in order to properly audit your ACLs. Manual auditing of ACLs is strongly recommended.
reason Configuring access controls can help prevent spoofing attacks. To reduce the effectiveness of IP spoofing, configure access control to deny any traffic from the external network that has a source address that should reside on the internal network. Include local host address or any reserved private addresses (RFC 1918).
discussion NSA Router Security Configuration Guide, Cisco IOS Security Command Reference, Release 15.0, RFC 3704 - Ingress Filtering for Multi-homed Networks
type Required
match access-list $(INGRESS_ACL_NUMBER) deny ip $(INTERNAL_NETBLOCK_WITH_MASK) any log
      access-list $(INGRESS_ACL_NUMBER) deny ip 127.0.0.0 0.255.255.255 any log
      access-list $(INGRESS_ACL_NUMBER) deny ip 10.0.0.0 0.255.255.255 any log
      access-list $(INGRESS_ACL_NUMBER) deny ip 0.0.0.0 0.255.255.255 any log
      access-list $(INGRESS_ACL_NUMBER) deny ip 172.16.0.0 0.15.255.255 any log
      access-list $(INGRESS_ACL_NUMBER) deny ip 192.168.0.0 0.0.255.255 any log
      access-list $(INGRESS_ACL_NUMBER) deny ip 192.0.2.0 0.0.0.255 any log
      access-list $(INGRESS_ACL_NUMBER) deny ip 169.254.0.0 0.0.255.255 any log
      access-list $(INGRESS_ACL_NUMBER) deny ip 224.0.0.0 31.255.255.255 any log
      access-list $(INGRESS_ACL_NUMBER) deny ip host 255.255.255.255 any log
      access-list $(INGRESS_ACL_NUMBER) permit ip any any

EXTERNAL_INTERFACE

Full Name CIS Level 2:2.3 - Data Plane:2.3.1 - Border Router Filtering:2.3.1.1 - Forbid Private Source Addresses from External Networks:EXTERNAL_INTERFACE
description The router interface that is attached to an external or untrusted network (e.g. the Internet). This should be the full name as it appears in the configuration file (e.g. "Ethernet0"), not an abbreviation (e.g. "eth0").
question What is the primary external interface?
howtoget show ip interface brief
defaultvalue Ethernet0

INTERNAL_NETBLOCK_WITH_MASK

Full Name CIS Level 2:2.3 - Data Plane:2.3.1 - Border Router Filtering:2.3.1.1 - Forbid Private Source Addresses from External Networks:INTERNAL_NETBLOCK_WITH_MASK
description The LAN address and netmask of your internal (trusted) network.
question What is the internal netblock and mask?
howtoget Consult local topology maps, your ISP or network administrators.
defaultvalue 192.168.1.0 0.0.0.255

INGRESS_ACL_NUMBER

Full Name CIS Level 2:2.3 - Data Plane:2.3.1 - Border Router Filtering:2.3.1.1 - Forbid Private Source Addresses from External Networks:INGRESS_ACL_NUMBER
description The number of the IP access list used for RFC2827 filtering on packets incoming from the untrusted network.
question What ACL number (100-199) should be used for ingress filtering?
howtoget Choose an ACL number between 100 and 199.
defaultvalue 180

2.3.1.1.1 - Apply Inbound Border ACL on External Interface

Full Name CIS Level 2:2.3 - Data Plane:2.3.1 - Border Router Filtering:2.3.1.1.1 - Apply Inbound Border ACL on External Interface
description Verify outbound traffic from your network includes only valid internal source addresses.
question Configure ACL to only disallow non-routable unnecessary networks to ingress?
fix hostname(config)#access-group {access-list} in
reason Verify outbound traffic from your network includes only valid internal source addresses.
discussion NSA Router Security Configuration Guide, Cisco IOS Security Command Reference, Release 15.0, RFC 3704 - Ingress Filtering for Multi-homed Networks, RFC 3300 - Special-Use IPv4 Addresses, RFC 3171 - IANA Guidelines for IPv4 Multicast Address Assignments, and RFC 1918 - Address Allocation for Private Internets
type Required
match access-group $(INGRESS_ACL_NUMBER) in

EGRESS_ACL_NUMBER

Full Name CIS Level 2:2.3 - Data Plane:2.3.1 - Border Router Filtering:2.3.1.1.1 - Apply Inbound Border ACL on External Interface:EGRESS_ACL_NUMBER
description The number of the IP access list used for RFC2827 filtering on packets being sent to the untrusted network.
question What ACL number (100-199) should be used for egress filtering?
howtoget Choose an ACL number between 100 and 199.
defaultvalue 181

2.3.1.2 - Forbid External Source Addresses on Outbound Traffic

Full Name CIS Level 2:2.3 - Data Plane:2.3.1 - Border Router Filtering:2.3.1.2 - Forbid External Source Addresses on Outbound Traffic
description Verify outbound traffic from your network includes only valid internal source addresses.
question Configure ACL to only allow internal networks to egress?
fix hostname(config)#access-group {access-list} out
reason Verify outbound traffic from your network includes only valid internal source addresses.
discussion NSA Router Security Configuration Guide and Cisco IOS Security Command Reference, Release 15.0
type Required
match access-group $(EGRESS_ACL_NUMBER) out

EGRESS_ACL_NUMBER

Full Name CIS Level 2:2.3 - Data Plane:2.3.1 - Border Router Filtering:2.3.1.2 - Forbid External Source Addresses on Outbound Traffic:EGRESS_ACL_NUMBER
description The number of the IP access list used for RFC2827 filtering on packets being sent to the untrusted network.
question What ACL number (100-199) should be used for egress filtering?
howtoget Choose an ACL number between 100 and 199.
defaultvalue 181

2.3.1.2.1 - Forbid External Source Addresses on Outbound Traffic

Full Name CIS Level 2:2.3 - Data Plane:2.3.1 - Border Router Filtering:2.3.1.2.1 - Forbid External Source Addresses on Outbound Traffic
description Verify outbound traffic from your network includes only valid internal source addresses.
question Configure ACL to only allow internal networks to egress?
fix hostname(config)#access-group {access-list} out
reason Verify outbound traffic from your network includes only valid internal source addresses.
discussion NSA Router Security Configuration Guide and Cisco IOS Security Command Reference, Release 15.0
type Required
match access-group $(EGRESS_ACL_NUMBER) out

EGRESS_ACL_NUMBER

Full Name CIS Level 2:2.3 - Data Plane:2.3.1 - Border Router Filtering:2.3.1.2.1 - Forbid External Source Addresses on Outbound Traffic:EGRESS_ACL_NUMBER
description The number of the IP access list used for RFC2827 filtering on packets being sent to the untrusted network.
question What ACL number (100-199) should be used for egress filtering?
howtoget Choose an ACL number between 100 and 199.
defaultvalue 181

2.3.2 - Neighbor Authentication

Full Name CIS Level 2:2.3 - Data Plane:2.3.2 - Neighbor Authentication
description Default Description
question Apply routing protocol neighbor authentication?

2.3.2.2 - Require BGP Authentication if Protocol is Used

Full Name CIS Level 2:2.3 - Data Plane:2.3.2 - Neighbor Authentication:2.3.2.2 - Require BGP Authentication if Protocol is Used
description Verify border gateway protocol (BGP) authentication is enabled, if routing protocol is used, where feasible.
question Configure BGP neighbor authentication where feasible?
fix hostname(config)#router bgp { bgp_as-number }
    hostname(config-router)#neighbor { bgp_neighbor-ip | peer-group-name } password { bgp_md5_key }
reason Verifying routing update packets using neighbor authentication reduces the possibility of the device receiving false route updates that could potentially allow an attacker to corrupt route tables, compromise network availability or redirect network traffic.
discussion Cisco IOS Security Command Reference, Release 15.0, Cisco IOS IP Routing: BGP Configuration Guide, Release 15.0, Cisco IOS Security Configuration Guide: Securing the Control Plane, Release 15.0, and NSA Router Security Configuration Guide
type Required
match neighbor (\d+\.\d+\.\d+\.\d+|\S+) password \S+

2.3.2.3 - Require EIGRP Authentication if Protocol is Used

Full Name CIS Level 2:2.3 - Data Plane:2.3.2 - Neighbor Authentication:2.3.2.3 - Require EIGRP Authentication if Protocol is Used
description Verify enhanced interior gateway routing protocol (EIGRP) authentication is enabled, if routing protocol is used, where feasible.
question Configure EIGRP neighbor authentication where feasible?
fix hostname(config)# key chain { eigrp_key-chain_name }
    hostname(config)# key { eigrp_key-number }
    hostname(config)# key-string { eigrp_key-string }
    hostname(config)# interface { interface_name }
    hostname(config-if)# ip authentication mode eigrp { eigrp_as-number } md5
    hostname(config-if)# ip authentication key-chain eigrp { eigrp_as-number } { eigrp_key-chain_name }
reason Verifying routing update packets using neighbor authentication reduces the possibility of the device receiving false route updates that could potentially allow an attacker to corrupt route tables, compromise network availability or redirect network traffic.
discussion Cisco IOS Security Command Reference, Release 15.0, Cisco IOS IP Routing: BGP Configuration Guide, Release 15.0, Cisco IOS Security Configuration Guide: Securing the Control Plane, Release 15.0, and NSA Router Security Configuration Guide
type Required
match ip authentication mode eigrp \S+ md5
      ip authentication key-chain eigrp \S+ \S+

2.3.2.3.1 - Establish the EIGRP Address Family

Full Name CIS Level 2:2.3 - Data Plane:2.3.2 - Neighbor Authentication:2.3.2.3.1 - Establish the EIGRP Address Family
description Configure the EIGRP address family.
question Configure the EIGRP address family?
fix hostname(config)#router eigrp {virtual-instance-name}
    hostname(config)# key { eigrp_key-number }
    hostname(config-router)#address-family ipv4 autonomous-system {eigrp_as-number}
    hostname(config-router-af)#af-interface default
reason Configure the EIGRP address family.
discussion Cisco IOS Security Command Reference, Release 15.0, Cisco IOS IP Routing: BGP Configuration Guide, Release 15.0, Cisco IOS Security Configuration Guide: Securing the Control Plane, Release 15.0, and NSA Router Security Configuration Guide
type Required
match af-interface default

file:///C:/Users/lgarcia/Documents/rules.html 33/37
24/4/2018 Gold Standard Benchmark For Cisco IOS Routers. Gold Standard Benchmark version 3.0.1
2.3.2.3.2 - Establish the EIGRP Address Family Key Chain

Full Name CIS Level 2:2.3 - Data Plane:2.3.2 - Neighbor Authentication:2.3.2.3.2 - Establish the EIGRP Address Family Key Chain
description Configure the EIGRP address family key chain.
question Configure the EIGRP address family key chain?
fix hostname(config-router-af-interface)#authentication key-chain {eigrp_key-chain_name}
reason Configure the EIGRP address family key chain.
discussion Cisco IOS Security Command Reference, Release 15.0, Cisco IOS IP Routing: BGP Configuration Guide, Release 15.0, Cisco IOS Security Configuration Guide: Securing the Control Plane, Release 15.0, and NSA Router Security Configuration Guide
type Required
match authentication key-chain \S+

2.3.2.3.3 - Establish the EIGRP Address Family Authentication Mode

Full Name CIS Level 2:2.3 - Data Plane:2.3.2 - Neighbor Authentication:2.3.2.3.3 - Establish the EIGRP Address Family Authentication Mode
description Configure the EIGRP address family authentication mode.
question Configure the EIGRP address family authentication mode?
fix hostname(config-router-af-interface)#authentication mode md5
reason Configure the EIGRP address family authentication mode.
discussion Cisco IOS Security Command Reference, Release 15.0, Cisco IOS IP Routing: BGP Configuration Guide, Release 15.0, Cisco IOS Security Configuration Guide: Securing the Control Plane, Release 15.0, and NSA Router Security Configuration Guide
type Required
match authentication mode md5

2.3.2.3.4 - Configure the Interface with the EIGRP Key Chain

Full Name CIS Level 2:2.3 - Data Plane:2.3.2 - Neighbor Authentication:2.3.2.3.4 - Configure the Interface with the EIGRP Key Chain
description Configure the interface with the EIGRP key chain.
question Configure the interface with the EIGRP key chain?
fix hostname(config)#interface {interface_name}
    hostname(config-if)#ip authentication key-chain eigrp {eigrp_as-number} {eigrp_key-chain_name}
reason Configure the interface with the EIGRP key chain.
discussion Cisco IOS Security Command Reference, Release 15.0, Cisco IOS IP Routing: BGP Configuration Guide, Release 15.0, Cisco IOS Security Configuration Guide: Securing the Control Plane, Release 15.0, and NSA Router Security Configuration Guide
type Required
match ip authentication key-chain eigrp \S+

2.3.2.3.5 - Configure the Interface with the EIGRP Authentication Mode

Full Name CIS Level 2:2.3 - Data Plane:2.3.2 - Neighbor Authentication:2.3.2.3.5 - Configure the Interface with the EIGRP Authentication Mode
description Configure the interface with the EIGRP authentication mode.
question Configure the interface with the EIGRP authentication mode?
fix hostname(config-if)#ip authentication mode eigrp {eigrp_as-number} md5
reason Configure the interface with the EIGRP authentication mode.
discussion Cisco IOS Security Command Reference, Release 15.0, Cisco IOS IP Routing: BGP Configuration Guide, Release 15.0, Cisco IOS Security Configuration Guide: Securing the Control Plane, Release 15.0, and NSA Router Security Configuration Guide
type Required
match ip authentication mode eigrp \S+ md5

2.3.2.4.1 - Require the Message Digest for OSPF

Full Name CIS Level 2:2.3 - Data Plane:2.3.2 - Neighbor Authentication:2.3.2.4.1 - Require the Message Digest for OSPF
description Configure the Message Digest option for OSPF.
question Configure OSPF area authentication?
fix hostname(config)# router ospf { ospf_process-id }
    hostname(config-router)# area { ospf_area-id } authentication message-digest
    hostname(config)# interface { interface_name }
    hostname(config-if)# ip ospf message-digest-key { ospf_md5_key-id } md5 { ospf_md5_key }
warning This rule only verifies that authentication is enabled for all OSPF areas.
reason Configure the Message Digest option for OSPF.
discussion Cisco IOS IP Routing: OSPF Configuration Guide, Release 15.0, Cisco IOS Security Configuration Guide: Securing the Control Plane, Release 15.0, and NSA Router Security Configuration Guide
type Required
match area \S+ authentication message-digest

2.3.2.4.2 - Configure the Interface for Message Digest Authentication

Full Name CIS Level 2:2.3 - Data Plane:2.3.2 - Neighbor Authentication:2.3.2.4.2 - Configure the Interface for Message Digest Authentication
description Configure the appropriate interface(s) for Message Digest authentication.
question Configure OSPF interface neighbor authentication?
fix hostname(config)# router ospf { ospf_process-id }
    hostname(config-router)# area { ospf_area-id } authentication message-digest
    hostname(config)# interface { interface_name }
    hostname(config-if)# ip ospf message-digest-key { ospf_md5_key-id } md5 { ospf_md5_key }
warning This rule only verifies that authentication is enabled on all interfaces.
reason Configure the appropriate interface(s) for Message Digest authentication.
discussion Cisco IOS IP Routing: OSPF Configuration Guide, Release 15.0, Cisco IOS Security Configuration Guide: Securing the Control Plane, Release 15.0, and NSA Router Security Configuration Guide
type Required
match ip ospf authentication message-digest
      ip ospf message-digest-key \d+ md5 \d+ \S+

2.3.2.5.1 - Configure the Interface with the RIPv2 Key Chain

Full Name CIS Level 2:2.3 - Data Plane:2.3.2 - Neighbor Authentication:2.3.2.5.1 - Configure the Interface with the RIPv2 Key Chain
description Configure the interface with the RIPv2 key chain.
question Configure the interface with the RIPv2 key chain?
fix hostname(config)#interface {interface_name}
    hostname(config-if)#ip rip authentication key-chain {rip_key-chain_name}
reason Configure the interface with the RIPv2 key chain.
discussion Cisco IOS IP Routing: OSPF Configuration Guide, Release 15.0, Cisco IOS Security Configuration Guide: Securing the Control Plane, Release 15.0, and NSA Router Security Configuration Guide
type Required
match ip rip authentication key-chain \S+

2.3.2.5.2 - Configure the Interface with the RIPv2 Authentication Mode

Full Name CIS Level 2:2.3 - Data Plane:2.3.2 - Neighbor Authentication:2.3.2.5.2 - Configure the Interface with the RIPv2 Authentication Mode
description Configure the interface with the RIPv2 key chain.
question Configure the interface with the RIPv2 key chain?
fix hostname(config)#interface {interface_name}
    hostname(config-if)#ip rip authentication mode md5
reason Configure the interface with the RIPv2 key chain.
discussion Cisco IOS IP Routing: OSPF Configuration Guide, Release 15.0, Cisco IOS Security Configuration Guide: Securing the Control Plane, Release 15.0, and NSA Router Security Configuration Guide
type Required
match ip rip authentication mode md5

2.3.3 - Routing Rules

Full Name CIS Level 2:2.3 - Data Plane:2.3.3 - Routing Rules
description Unneeded services should be disabled.
question Apply extra routing protections?

2.3.3.1.1 - Enable Cisco Express Forwarding CEF

Full Name CIS Level 2:2.3 - Data Plane:2.3.3 - Routing Rules:2.3.3.1.1 - Enable Cisco Express Forwarding CEF
description Enable Cisco Express Forwarding (CEF).
question Enable Cisco Express Forwarding (CEF)?
fix hostname(config)#ip cef
reason Enable Cisco Express Forwarding (CEF).
discussion Cisco IOS IP Switching Configuration Guide, Release 15.0
type Required
match ip cef

2.3.3.1.2 - Enable Unicast Reverse-Path Forwarding uRPF

Full Name CIS Level 2:2.3 - Data Plane:2.3.3 - Routing Rules:2.3.3.1.2 - Enable Unicast Reverse-Path Forwarding uRPF
description Configure unicast reverse-path forwarding (uRPF) on all external or high risk interfaces.
question Configure unicast reverse-path forwarding (uRPF) on all external or high risk interfaces?
fix hostname(config)#interface {interface_name}
    hostname(config-if)#ip verify unicast source reachable-via rx
reason Configure unicast reverse-path forwarding (uRPF) on all external or high risk interfaces.
discussion NSA Router Security Configuration Guide, RFC 2267 - Network Ingress Filtering, Cisco IOS Security Configuration Guide: Securing the Control Plane, Release 15.0, Cisco IOS Security Command Reference, Release 15.0, Cisco IOS IP Switching Configuration Guide, Release 15.0, and Cisco AutoSecure
type Required
match ip verify unicast source \S+

2.3.3.2 - Forbid IP Proxy ARP

Full Name CIS Level 2:2.3 - Data Plane:2.3.3 - Routing Rules:2.3.3.2 - Forbid IP Proxy ARP
description Verify proxy ARP is disabled on all interfaces.
question Disable proxy ARP on all interfaces?
fix hostname(config)#interface {interface_name}
    hostname(config-if)#no ip proxy-arp
reason Proxy ARP breaks the LAN security perimeter, effectively extending a LAN at layer 2 across multiple segments.
discussion NSA Router Security Configuration Guide, Cisco IOS IP Addressing Services Command Reference, and Cisco AutoSecure
type Required
match no ip proxy-arp

2.3.3.3 - Forbid Tunnel Interfaces

Full Name CIS Level 2:2.3 - Data Plane:2.3.3 - Routing Rules:2.3.3.3 - Forbid Tunnel Interfaces
description Verify no tunnel interfaces are defined.
question Forbid tunnel interfaces?
fix hostname(config)#no interface tunnel {instance}
reason Tunnel interfaces should not exist in general. They can be used for malicious purposes. If they do exist, the network admins should be well aware of them and what their purpose is.
discussion Cisco IOS Interface and Hardware Component Command Reference, Release 15.0 and NSA Router Security Configuration Guide
type Forbidden
match interface Tunnel\d+
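A small checker, added here as an example and not part of the Router Assessment Tool, that applies the match patterns of the loopback rules (2.2.1.x), the border filtering rules (2.3.1.x) and the routing rules (2.3.3.x) above to a constructed IOS config. It assumes that a Required rule passes when every match line occurs in the config and a Forbidden rule passes when no line matches, which is a reading of the benchmark's type field rather than the tool's own logic; the sample config, the VARS answers and the rule list are constructed from the page's default values.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample running-config; not captured from a real device.
SAMPLE_CONFIG = """\
hostname border-rtr
!
interface Loopback0
 ip address 192.168.1.3 255.255.255.255
!
interface Loopback1
 ip address 10.99.99.1 255.255.255.255
!
interface Ethernet0
 ip address 203.0.113.2 255.255.255.252
 ip access-group 180 in
 ip verify unicast source reachable-via rx
 no ip proxy-arp
!
ip tacacs source-interface Loopback0
ntp source Loopback0
!
access-list 180 deny ip 192.168.1.0 0.0.0.255 any log
access-list 180 deny ip 127.0.0.0 0.255.255.255 any log
access-list 180 deny ip 10.0.0.0 0.255.255.255 any log
access-list 180 permit ip any any
"""

# Answers to the benchmark questions, using the page's default values.
VARS = {
    "LOOPBACK_NUMBER": "0",
    "INGRESS_ACL_NUMBER": "180",
    "INTERNAL_NETBLOCK_WITH_MASK": "192.168.1.0 0.0.0.255",
}

# The eleven match lines of rule 2.3.1.1, copied from the entry above.
INGRESS_ACL = [
    "access-list $(INGRESS_ACL_NUMBER) deny ip $(INTERNAL_NETBLOCK_WITH_MASK) any log",
    "access-list $(INGRESS_ACL_NUMBER) deny ip 127.0.0.0 0.255.255.255 any log",
    "access-list $(INGRESS_ACL_NUMBER) deny ip 10.0.0.0 0.255.255.255 any log",
    "access-list $(INGRESS_ACL_NUMBER) deny ip 0.0.0.0 0.255.255.255 any log",
    "access-list $(INGRESS_ACL_NUMBER) deny ip 172.16.0.0 0.15.255.255 any log",
    "access-list $(INGRESS_ACL_NUMBER) deny ip 192.168.0.0 0.0.255.255 any log",
    "access-list $(INGRESS_ACL_NUMBER) deny ip 192.0.2.0 0.0.0.255 any log",
    "access-list $(INGRESS_ACL_NUMBER) deny ip 169.254.0.0 0.0.255.255 any log",
    "access-list $(INGRESS_ACL_NUMBER) deny ip 224.0.0.0 31.255.255.255 any log",
    "access-list $(INGRESS_ACL_NUMBER) deny ip host 255.255.255.255 any log",
    "access-list $(INGRESS_ACL_NUMBER) permit ip any any",
]

# (rule id, type, match patterns) as listed in the benchmark entries above.
# Assumed semantics: Required = every pattern matches some config line;
# Forbidden = no config line matches any pattern.
RULES = [
    ("2.2.1.1", "Required", [r"interface Loopback$(LOOPBACK_NUMBER)"]),
    ("2.2.1.2", "Forbidden", [r"interface Loopback(?!$(LOOPBACK_NUMBER))"]),
    ("2.2.1.3", "Required", [r"ip tacacs.? source-interface Loopback$(LOOPBACK_NUMBER)"]),
    ("2.2.1.4", "Required", [r"ntp source Loopback$(LOOPBACK_NUMBER)"]),
    ("2.2.1.5", "Required", [r"ip tftp source-interface Loopback$(LOOPBACK_NUMBER)"]),
    ("2.3.1.1", "Required", INGRESS_ACL),
    ("2.3.1.1.1", "Required", [r"access-group $(INGRESS_ACL_NUMBER) in"]),
    ("2.3.3.1.2", "Required", [r"ip verify unicast source \S+"]),
    ("2.3.3.2", "Required", [r"no ip proxy-arp"]),
    ("2.3.3.3", "Forbidden", [r"interface Tunnel\d+"]),
]

_VAR_RE = re.compile(r"\$\((\w+)\)")

def expand(pattern: str, variables: Dict[str, str]) -> str:
    """Substitute $(NAME) with the regex-escaped answer so dots stay literal."""
    return _VAR_RE.sub(lambda m: re.escape(variables[m.group(1)]), pattern)

def check_rule(lines: List[str], rule_type: str, patterns: List[str],
               variables: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (passed, details): for Required, the match lines that are absent;
    for Forbidden, the config lines that matched."""
    details: List[str] = []
    for pat in patterns:
        rx = re.compile(expand(pat, variables))
        hits = [ln for ln in lines if rx.search(ln)]
        if rule_type == "Required" and not hits:
            details.append(pat)
        elif rule_type == "Forbidden":
            details.extend(hits)
    return not details, details

def audit(config: str, variables: Dict[str, str] = VARS) -> Dict[str, Tuple[bool, List[str]]]:
    """Run every rule in RULES over a config; blank and '!' comment lines are skipped."""
    lines = [ln.strip() for ln in config.splitlines()
             if ln.strip() and not ln.lstrip().startswith("!")]
    return {rid: check_rule(lines, rtype, pats, variables) for rid, rtype, pats in RULES}

if __name__ == "__main__":
    for rid, (ok, details) in audit(SAMPLE_CONFIG).items():
        print(rid, "PASS" if ok else "FAIL")
        for item in details:
            print("   ", item)
```

On the sample config the checker flags the extra Loopback1, the missing TFTP source binding and the seven absent deny lines of the ingress ACL. Note that the benchmark's own 2.2.1.2 pattern only excludes interface names beginning with the chosen number, so with LOOPBACK_NUMBER set to 1 an interface Loopback10 would go unflagged; cross-checking with show ip interface brief, as the howtoget field advises, still matters.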

Send feedback about the Router Assessment Tool and Benchmark to rat-feedback@cisecurity.org.
