
Network Devices Configuration Standard

A-1. ENHANCED PASSWORD SECURITY

The Enhanced Password Security feature, introduced in Cisco IOS Software Release 12.2(8)T, allows an
administrator to configure MD5 hashing of passwords for the username command. To store a user
password as an MD5 hash, issue the username secret global configuration command.

Router (config) # username <irctc> secret <password>

Router (config) # username <irctc1> secret <password>

A-2. ENABLE PASSWORD

The enable password command uses a weak encryption algorithm and should not be used. The enable secret
command and the Enhanced Password Security feature use Message Digest 5 (MD5) for password hashing.

A-3. ENABLE SECRET PASSWORD

The enable secret command sets the password that grants privileged administrative access to the
Cisco IOS system. The enable secret command must be used rather than the older enable password command,
which uses a weak encryption algorithm. The enable secret command and the Enhanced Password Security
feature use Message Digest 5 (MD5) for password hashing.

A-4. SERVICE PASSWORD ENCRYPTION

The service password-encryption global configuration command directs the Cisco IOS software to encrypt the
passwords, Challenge Handshake Authentication Protocol (CHAP) secrets, and similar data that are saved in its
configuration file.

Such encryption is useful to prevent casual observers from reading passwords, for example when they look at the
screen over the shoulder of an administrator. However, the algorithm used by the service password-encryption
command is a simple Vigenère cipher, so it offers no protection once the configuration file itself is obtained.

A-5. RESTRICT FREQUENCY OF LOGIN ATTEMPTS

In the event of a dictionary attack, introducing a delay between login attempts slows down the attack,
increasing the time required for the attack to succeed and the timeframe available for the anomaly to be identified
and addressed.

In Cisco IOS, a delay between successive login attempts is introduced with the global configuration
login delay command. Its argument is the number of seconds between each login attempt; valid values range
from 1 to 10 seconds, and the default is a 1 second delay.

This standard configures a delay of 10 seconds.

Router (config) # login delay 10

A-6. ENFORCE THE USE OF STRONG PASSWORDS

Cisco IOS offers the ability to enforce a minimum password length for user passwords, enable passwords,
enable secrets, and line passwords. This feature is enabled with the global configuration command:

Router (config) # security passwords min-length 8


Once this command is enabled, any password shorter than the specified number of characters is rejected.

A-7. EXEC TIMEOUT

To set the interval that the EXEC command interpreter waits for user input before it terminates a session,
issue the exec-timeout line configuration command. The exec-timeout command must be used to log out idle
sessions on the console port and on VTY or TTY lines. The value below is 3 minutes and 0 seconds.

Router (config-line) # exec-timeout 3 0

A-8. HUNG SESSION

If a remote system crashes while a management session is in progress, the session may remain open and vulnerable
to attack. Consequently, hung sessions should be detected and closed in order to preserve the availability of terminal
and management ports and reduce the exposure to session hijacking.

Router (config) # service tcp-keepalives-in

A-9. SECURE SHELL (SSH) & A-11. TELNET & OTHER MODES OF ACCESS

SSH is a protocol that provides secure remote access, remote command execution, and file transfer. SSH implements
strong authentication and encryption, making it a better option over insecure protocols such as rlogin and Telnet.

The following steps are required to enable SSH support on an IOS device:

Step 1 Configure a hostname and DNS domain for the router.

Router (config) # hostname router

Router (config) # ip domain-name xyzlocal.com

Step 2 Generate an RSA key pair.

Router (config) # crypto key generate rsa modulus 1024

Step 3 Optionally, configure time-out and number of authentication retries. By default, the authentication timeout
is set to 120 seconds and authentication retries to three attempts.

Router (config) # ip ssh time-out 30

Router (config) # ip ssh authentication-retries 3

Step 4 Limit VTYs to SSH only and disable other modes of access (highly recommended).

Router (config) # line vty 0 4

Router (config-line) # transport input ssh

Step 5 Restrict SSH access to trusted hosts or subnets.

Router (config) # access-list 80 remark ACL for SSH

Router (config) # access-list 80 permit A.B.C.D

Router (config) # access-list 80 deny any log

Router (config) # line vty 0 4

Router (config-line) # access-class 80 in

A-10. CONSOLE PORT ACCESS


Router (config) # line con 0

Router (config-line) # exec-timeout 3 0

Router (config-line) # password <Password>

Router (config-line) # logging synchronous

Router (config-line) # login local

A-11. LOGIN BANNERS

In some legal jurisdictions it can be impossible to prosecute and illegal to monitor malicious users unless
they have been notified that they are not permitted to use the system. One method to provide this notification is to
place this information into a banner message that is configured with the Cisco IOS software banner login command.

A banner can provide some or all of the following information:

Notice that the system is to be logged into or used only by specifically authorized personnel, and perhaps information about who can authorize use.
Notice that any unauthorized use of the system is unlawful and can be subject to civil and criminal penalties.
Notice that any use of the system can be logged or monitored without further notice and that the resulting logs can be used as evidence in court.
Specific notices required by local laws.

From a security point of view, rather than a legal one, a login banner should not contain any specific information
about the router name, model, software, or ownership. This information can be abused by malicious users.

A-12. DEVICE MANAGEMENT IP ADDRESS

The IP address of the data VLAN interface or of a physical interface is used as the management IP address.

Switch(config) # int vlan 20

Switch(config-if) # ip address X.Y.Z.W

A-13. LINE VTY ACCESS CONTROL

Please refer to point A-9.

A-14. RESTRICT NUMBER OF LOGIN FAILURES PERMITTED WITHIN SPECIFIED TIME PERIOD

In the event of a dictionary attack, restricting the maximum number of failed access attempts within a specified
period can slow down the attack, increasing the time required to succeed and the timeframe available for the
anomaly to be identified and addressed. The command below blocks logins for 15 seconds after 5 failed attempts
within 5 seconds.

Router (config) # login block-for 15 attempts 5 within 5

B-1. TCP & UDP SMALL SERVERS

Cisco IOS software provides an implementation of UDP and TCP small servers that enables echo, chargen,
daytime, and discard services. Unless strictly necessary, these services should be disabled because they can be used
by a potential attacker to gather information, or to directly attack the Cisco IOS software device.

Router (config) # no service tcp-small-servers


Router (config) # no service udp-small-servers

B-2. FINGER SERVICE

Finger is a protocol that can be used to obtain information about users logged into a remote host or network
device. It is recommended that you disable this service.

Router (config) # no service finger

OR
Router (config) # no ip finger

B-3. DNS RESOLUTION SERVICES

Router (config) # no ip domain-lookup

C-1. NTP Authentication


The first step in enabling NTP authentication is to define an MD5 key to be used for NTP transactions:

Router (config) # ntp authentication-key 15 md5 <Password>


The keys to be accepted for NTP authentication are subsequently defined with the following command:

Router (config) # ntp trusted-key 15


NTP authentication is enforced with the following global configuration command:

Router (config) # ntp authenticate

C-2. NTP Time Zone


Router (config) # clock timezone IST 5 30

C-3. NTP Servers


Router (config) # ntp server A.B.C.D key 15
Router (config) # ntp server X.Y.Z.W key 15

C-4. NTP ACLs


Router (config) # access-list 10 remark ** ACL FOR NTP **
Router (config) # access-list 10 permit A.B.C.D
Router (config) # access-list 10 permit X.Y.Z.W
Router (config) # access-list 10 deny any log
Router (config) # ntp access-group peer 10

D1. PER VLAN SPANNING TREE (PVST)

Per-VLAN Spanning Tree (PVST) is a feature that implements a separate instance of spanning tree for each VLAN
configured in the network. Having a separate instance of STP per VLAN makes the network more resilient to attacks
against spanning tree. If a problem occurs in one VLAN, the effects are contained in that VLAN, shielding the rest
of the network.

PVST is enabled by default in Cisco IOS and it is recommended that PVST is always enabled.

In Cisco IOS, the Spanning Tree mode can be modified using the spanning-tree mode command.

Router (config) # spanning-tree mode rapid-pvst

D2. DYNAMIC TRUNK

Dynamic trunk negotiation is a feature that facilitates the deployment of switches by letting an interface
automatically configure itself as a trunk according to the interface type of its neighbor. Dynamic trunking should
be disabled on all ports connecting to end users.

Router (config) # interface type slot/port

Router (config-if) # switchport mode access

This configuration makes the port a non-trunking, untagged, single-VLAN Layer 2 interface.

D3. VLAN BEST COMMON PRACTICES

VLAN hopping is an attack vector which provides a client with unauthorized access to other VLANs on a switch.
This type of attack can be easily mitigated by applying the following best common practices:
Always use a dedicated VLAN ID for all trunk ports
Disable all unused ports and put them in an unused VLAN
Do not use VLAN 1 for anything
Configure all user-facing ports as non-trunking (DTP off)
Explicitly configure trunking on infrastructure ports
Use all tagged mode for the native VLAN on trunks and drop untagged frames
Set the default port status to "disable".
