
1. No local user accounts are configured on the
router. Routers and switches must use TACACS+ for
all user authentication.
• Router(config)#aaa new-model
• Router(config)#aaa authentication enable
default group tacacs+ enable
• Router(config)#aaa authentication login default
group tacacs+ enable
• Router(config)#aaa authentication ppp default
group tacacs+ enable
2. The enable password on the router or switch must
be kept in a secure encrypted form. The router or
switch must have the enable password set to the
current production router/switch password from the
device’s support organization.
• Router(config)#enable secret CISCO
• Router(config)#service password-encryption
3. The following services or features must be
disabled:
a. IP directed broadcasts
• R1(config-if)#no ip directed-broadcast
b. Incoming packets at the router/switch sourced with
invalid addresses such as RFC1918 addresses
• R1(config)#no ip source-route
c. TCP small services
• R1(config)#no service tcp-small-servers
d. UDP small services
• R1(config)#no service udp-small-servers
e. All source routing and switching
• R1(config)#no ip source-route
f. All web services running on router
• R1(config)#no ip http server
• R1(config)#no ip bootp server
g. Cisco discovery protocol on Internet connected interfaces
• R1(config-if)#no ip redirects
• R1(config-if)#no ip proxy-arp
• R1(config-if)#no ip unreachables
• R1(config-if)#no ip directed-broadcast
• R1(config-if)#no ip mask-reply
• R1(config-if)#no mop enabled
h. Telnet, FTP, and HTTP services
i. Auto-configuration
• R1#auto secure
4. The following services should be disabled unless a
business justification is provided:
a. Cisco discovery protocol and other discovery
protocols
• R1(config)#no cdp run
b. Dynamic trunking
• Switch(config-if)#switchport mode access
• Switch(config-if)#switchport nonegotiate
c. Scripting environments, such as the TCL shell
• R1(config)#no scripting tcl encdir
• R1(config)#no scripting tcl init
• R1(config)#no scripting tcl low-memory
• R1(config)#no scripting tcl secure-mode
• R1(config)#no scripting tcl trustpoint name name
• R1(config)#no scripting tcl trustpoint untrusted
5. The following services must be configured:
a. Password-encryption
• Router(config)#service password-encryption
b. NTP configured to a corporate standard source
[Default]
• config t
• ntp server {ip-address | ipv6-address | dnsname} [prefer] [use-vrf vrf-name]
• ntp peer {ip-address | ipv6-address | dnsname} [prefer] [use-vrf vrf-name]
• show ntp peers
• copy running-config startup-config
[Non-Default]
• config t
• feature ntp
• ntp master
• ntp source-interface interface
• ntp source ip-address
• copy running-config startup-config

6. All routing updates shall be done using secure
routing updates.
• OSPF:
interface Ethernet1
ip address 10.139.20.1 255.255.255.0
ip ospf message-digest-key 10 md5 cisco
!
router ospf 20
network 10.139.20.0 0.0.0.255 area 0
area 0 authentication message-digest
passive-interface default
no passive-interface Serial0
• EIGRP:
! EIGRP authentication
interface Ethernet 1
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 mychain
!
router eigrp 10
network 10.0.0.0
no auto-summary
passive-interface default
no passive-interface Serial0
!
key chain mychain
key 1
key-string cisco
!
• RIP:
interface ethernet 0
ip rip authentication key-chain mychain
ip rip authentication mode md5
!
router rip
network 10.0.0.0
no auto-summary
passive-interface default
no passive-interface Serial0
version 2
!
key chain mychain
key 1
key-string cisco
!
• BGP:
router bgp 10
passive-interface default
no passive-interface Serial0
no synchronization
bgp log-neighbor-changes
network 64.104.0.0
neighbor 198.133.219.10 remote-as 10
neighbor 198.133.219.10 password 7 05080F1C22431F5B4A
!
7. Use corporate standardized SNMP community strings. Default
strings, such as public or private must be removed. SNMP must be
configured to use the most secure version of the protocol allowed
for by the combination of the device and management systems.
• Simple Network Management Protocol (SNMP) uses the
default UDP port 161 for general SNMP messages and
UDP port 162 for SNMP trap messages.
• Switch(config)# snmp-server host 10.0.0.2 traps g00d-5tr1n9-2
Switch(config)# snmp-server host 10.0.0.4 traps g00d-5tr1n9-2
Switch(config)# snmp-server trap-source Loopback0
Switch(config)# snmp-server enable traps
• If SNMP is not being used, then executing the following commands
will disable the service.
Switch(config)# no snmp-server community
Switch(config)# no snmp-server enable traps
Switch(config)# no snmp-server system-shutdown
Switch(config)# no snmp-server
• Switch(config)# no access-list 12
Switch(config)# access-list 12 permit 10.0.0.2
Switch(config)# access-list 12 permit 10.0.0.4
Switch(config)# snmp-server group admins v3 auth read adminview write adminview
Switch(config)# snmp-server user root admins v3 auth md5 5ecret5TR1N access 12
• Switch(config)# snmp-server view adminview internet included
Switch(config)# snmp-server view adminview ipAddrEntry excluded
Switch(config)# snmp-server view adminview ipRouteEntry excluded

8. Access control lists must be used to limit the
source and type of traffic that can terminate on the
device itself.
!--- Add anti-spoofing entries.
!--- Deny special-use address sources.
!
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
access-list 110 deny ip host 255.255.255.255 any
!--- Deny your space as source (as noted in RFC 2827).
access-list 110 deny ip your Internet-routable subnet any
!--- Explicitly permit return traffic.
!--- Allow specific ICMP types.
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any time-exceeded
access-list 110 deny icmp any any
!--- These are outgoing DNS queries.
access-list 110 permit udp any eq 53 host primary DNS server gt 1023
!--- Permit older DNS queries and replies to primary DNS server.
access-list 110 permit udp any eq 53 host primary DNS server eq 53
!--- Permit legitimate business traffic.
access-list 110 permit tcp any Internet-routable subnet established
access-list 110 permit udp any range 1 1023 Internet-routable subnet gt 1023
!--- Allow ftp data connections.
access-list 110 permit tcp any eq 20 Internet-routable subnet gt 1023
!--- Allow tftp data and multimedia connections.
access-list 110 permit udp any gt 1023 Internet-routable subnet gt 1023

9. Access control lists for transiting the device are to
be added as business needs arise.

!--- Explicitly permit externally sourced traffic.
!--- These are incoming DNS queries.
access-list 110 permit udp any gt 1023 host eq 53
!--- These are zone transfer DNS queries to primary DNS server.
access-list 110 permit tcp host secondary DNS server gt 1023 host primary DNS server eq 53
!--- Permit older DNS zone transfers.
access-list 110 permit tcp host secondary DNS server eq 53 host primary DNS server eq 53
!--- Deny all other DNS traffic.
access-list 110 deny udp any any eq 53
access-list 110 deny tcp any any eq 53
!--- Allow IPSec VPN traffic.
access-list 110 permit udp any host IPSec headend device eq 500
access-list 110 permit udp any host IPSec headend device eq 4500
access-list 110 permit 50 any host IPSec headend device
access-list 110 permit 51 any host IPSec headend device
access-list 110 deny ip any host IPSec headend device
!--- These are Internet-sourced connections to
!--- publicly accessible servers.
access-list 110 permit tcp any host public web server eq 80
access-list 110 permit tcp any host public web server eq 443
access-list 110 permit tcp any host public FTP server eq 21
!--- Data connections to the FTP server are allowed
!--- by the permit established ACE.
!--- Allow PASV data connections to the FTP server.
access-list 110 permit tcp any gt 1023 host public FTP server gt 1023
access-list 110 permit tcp any host public SMTP server eq 25
!--- Explicitly deny all other traffic.
access-list 110 deny ip any any
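The ordering of the entries in items 8 and 9 matters: a Cisco ACL is evaluated top-down, first match wins, and an implicit deny ends it, so the anti-spoofing denies must sit above the permits. The following is an added example (not from the original document) that parses a constructed subset of ACL 110 and evaluates sample packets against it with those semantics; the placeholders are filled in with documentation addresses (assumption: 203.0.113.0/24 is the "Internet-routable subnet", 203.0.113.53 the primary DNS server, 203.0.113.80 the public web server).

```python
import ipaddress

# Constructed subset of the page's ACL 110; assumption: 203.0.113.0/24 is the
# "Internet-routable subnet", .53 the primary DNS server, .80 the web server.
ACL_110 = """
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 203.0.113.0 0.0.0.255 any
access-list 110 permit icmp any any echo-reply
access-list 110 deny icmp any any
access-list 110 permit udp any eq 53 host 203.0.113.53 gt 1023
access-list 110 permit udp any gt 1023 host 203.0.113.53 eq 53
access-list 110 deny udp any any eq 53
access-list 110 permit tcp any host 203.0.113.80 eq 443
access-list 110 deny ip any any
"""

def _addr(tok):  # any | host A | A WILDCARD  ->  (address, wildcard) as ints
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tok.pop(0)))

def _port(tok):  # optional 'eq N' / 'gt N'  ->  predicate on a port number
    if tok and tok[0] in ("eq", "gt"):
        op, n = tok.pop(0), int(tok.pop(0))
        return (lambda p: p == n) if op == "eq" else (lambda p: p > n)
    return lambda p: True

def parse_acl(text):  # access-list N <action> <proto> <src> [port] <dst> [port] [icmp-type]
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()[2:]                     # drop 'access-list 110'
        action, proto = tok.pop(0), tok.pop(0)
        src, sport = _addr(tok), _port(tok)
        dst, dport = _addr(tok), _port(tok)
        rules.append((action, proto, src, sport, dst, dport, tok[0] if tok else None))
    return rules

def evaluate(rules, proto, src, sport, dst, dport, icmp_type=None):
    """First-match evaluation with the implicit deny a Cisco ACL ends with."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, p, (sa, sw), sp, (da, dw), dp, it in rules:
        if p != "ip" and p != proto:
            continue
        if (s & ~sw) != (sa & ~sw) or (d & ~dw) != (da & ~dw):
            continue                               # wildcard bits are don't-care
        if sp(sport) and dp(dport) and (it is None or it == icmp_type):
            return action
    return "deny"
```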

10. The router must be included in the corporate
enterprise management system with a designated
point of contact.


11. Each router must have the following statement
presented for all forms of login whether remote or
local: "UNAUTHORIZED ACCESS TO THIS NETWORK
DEVICE IS PROHIBITED. You must have explicit
permission to access or configure this device. All
activities performed on this device may be logged,
and violations of this policy may result in disciplinary
action, and may be reported to law enforcement.
There is no right to privacy on this device. Use of this
system shall constitute consent to monitoring."
• Router(config)#banner motd #"UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED"#
12. Telnet may never be used across any network to
manage a router, unless there is a secure tunnel
protecting the entire communication path. SSH
version 2 is the preferred management protocol.
enable
configure terminal
hostname hostname
ip domain-name name
crypto key generate rsa
ip ssh [time-out seconds | authentication-retries integer]
ip ssh version [1 | 2]

13. Dynamic routing protocols must use
authentication in routing updates sent to neighbors.
Password hashing for the authentication string must
be enabled when supported.
Routing protocols are used to facilitate the exchange of routing information
between routers. A routing protocol is a set of processes, algorithms, and
messages that are used to exchange routing information and populate the
routing table with the routing protocol’s choice of best paths. The purpose of
dynamic routing protocols includes:
• Discovery of remote networks
• Maintaining up-to-date routing information
• Choosing the best path to destination networks
• Ability to find a new best path if the current path is no longer available
OSPF:
Authentication—Contains the settings for OSPF area authentication.
– None—Choose this option to disable OSPF area authentication. This
is the default setting.
– Password—Choose this option to use a clear text password for area
authentication. This option is not recommended where security is a
concern.
– MD5—Choose this option to use MD5 authentication.
RIP:
Enable Authentication—Check this check box to enable RIP authentication.
Uncheck this check box to disable RIP broadcast authentication.
– Key—The key used by the authentication method. Can contain up to
16 characters.
– Key ID—The key ID. Valid values are from 0 to 255.
– Authentication Mode—You can select the following authentication
modes:
MD5—Uses MD5 for RIP message authentication.
Text—Uses cleartext for RIP message authentication (not
recommended).
EIGRP:
Enable MD5 Authentication—Check this check box to enable MD5
authentication of EIGRP process messages.
– Key—Key to authenticate EIGRP updates. The key can contain up to
16 characters.
– Key ID—Key identification value; valid values range from 1 to 255.

14. The corporate router configuration standard will
define the category of sensitive routing and
switching devices, and require additional services or
configuration on sensitive devices including:
a. IP access list accounting
1. enable
2. configure terminal
3. ip accounting-threshold threshold
4. ip accounting-list ip-address wildcard
5. ip accounting-transits count
6. interface type number
7. ip accounting [access-violations] [output-packets]
8. ip accounting mac-address {input | output}

b. Device logging
• Routers can handle log messages in five different ways:
• Console logging: By default, the router sends all log messages to its
console port. Hence only the users that are physically connected to the
router console port can view these messages.
• Terminal logging: It is similar to console logging, but it displays log
messages to the router's VTY lines instead. This is not enabled by
default.
• Buffered logging: This type of logging uses the router's RAM for storing
log messages. The buffer has a fixed size to ensure that the log will not
deplete valuable system memory. The router accomplishes this by
deleting old messages from the buffer as new messages are added.
• Syslog Server logging: The router can use syslog to forward log
messages to external syslog servers for storage. This type of logging is
not enabled by default.
• SNMP trap logging: The router is able to use SNMP traps to send log
messages to an external SNMP server.

c. Incoming packets at the router sourced with invalid
addresses, such as RFC1918 addresses, or those that
could be used to spoof network traffic shall be
dropped
R1(config)#no ip source-route
d. Router console and modem access must be
restricted by additional security controls.
Console:
R1(config)#line console 0
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#exit
Modem:
R1(config)#line AUX 0
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#exit
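Several of the items above (1, 2, 3c to 3f, 5a, 7, 11 and 12) can be verified mechanically from a device's running configuration. The following is an added example, not part of the original document, of a small Python audit that reports the policy items a configuration fails. It assumes the text was captured with `show running-config all` so that default settings (such as the small-servers state) are printed explicitly; the configuration below is constructed and deliberately violates two items.

```python
import re

# Constructed running-config excerpt (assumption: captured with
# 'show running-config all' so defaults are visible). It deliberately
# leaves the HTTP server on and keeps the default "public" community.
RUNNING_CONFIG = """\
hostname R1
aaa new-model
aaa authentication login default group tacacs+ enable
enable secret 5 $1$placeholder$hashvaluehere
service password-encryption
no service tcp-small-servers
no service udp-small-servers
no ip source-route
ip http server
snmp-server community public RO
banner motd ^UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED^
ip ssh version 2
"""

# (policy item, regex matched against each config line, must_be_present)
# A required line that is missing, or a forbidden line that is present,
# is reported as a finding.
CHECKS = [
    ("1 TACACS+ login", r"^aaa authentication login default group tacacs\+", True),
    ("2 enable secret", r"^enable secret ", True),
    ("3c tcp small servers", r"^no service tcp-small-servers$", True),
    ("3d udp small servers", r"^no service udp-small-servers$", True),
    ("3e source routing", r"^no ip source-route$", True),
    ("3f HTTP server", r"^ip http server$", False),
    ("5a password-encryption", r"^service password-encryption$", True),
    ("7 default SNMP community", r"^snmp-server community (public|private)\b", False),
    ("11 login banner", r"^banner (motd|login) ", True),
    ("12 SSH version 2", r"^ip ssh version 2$", True),
]

def audit(config):
    """Return the policy items (in CHECKS order) that the config fails."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []
    for item, pattern, must_be_present in CHECKS:
        present = any(re.match(pattern, line) for line in lines)
        if present != must_be_present:
            findings.append(item)
    return findings

if __name__ == "__main__":
    for item in audit(RUNNING_CONFIG):
        print("FAIL:", item)
```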


Policy for myself

1. Login alerts
2. Login approvals
3. Code generator
4. App passwords
5. Trusted contacts
6. Browsers and apps
7. Where you're logged in
8. Legacy contact
9. Deactivate account