Hardening Guidelines for Cisco 3000 Series VPN Concentrators
Expert Reference Series of White Papers
1-800-COURSES
www.globalknowledge.com
Introduction
Cisco’s 3000 series VPN Concentrators continue to be one of its most popular security product offerings. Due
to their reliability, fault tolerance, ease of setup, management, and monitoring, they scale well from small
remote sites to large enterprise solutions. The default policies shipped with the units allow an administrator to
quickly and easily place a unit into production within an hour of unpacking. But, like any sophisticated security
appliance, one must carefully review the default policies and be prepared to make an informed decision about
what features should remain active and which to disable.
The purpose of this paper is to highlight some of the most important areas where one can increase the overall security posture of the VPN Concentrator through hardening common features such as Administrative Access, User Access, Network Management Access and Interface Policies. This paper assumes the reader has experience configuring the 3000 series concentrators and is familiar with navigating the menu structure in the web-based GUI and the CLI. For reference, this paper was written assuming a Cisco 3005 VPN Concentrator running version 4.7 of the VPN OS is used.
Securing Administrative Access
The first area of focus is securing console and remote administration access to the concentrator. If an intruder can “sniff” your username and password with a protocol analyzer, your network can be easily compromised by the eavesdropper.
There are two areas in the configuration tree that concern the control of local and remote access to the concentrator: Administration | Access Rights and Configuration | System | Management.
Securing Access Rights
On your concentrator, navigate to Administration | Access Rights as shown in figure 1.
David W. Chapman, Jr., Global Knowledge Instructor, CISSP-ISSAP, CCSI, CCNP, CCDP, CCSP
Copyright ©2005 Global Knowledge Network, Inc. All rights reserved.
Figure 1 – Configure Administrator Access
Click on the Administrators link and you will be presented with a list of default user accounts. The only account that should be enabled is “admin”. Click on the Modify button to the right of the admin user.
Because attackers have easy access to lists of default usernames and passwords, it is important to change not only the default password, but the username as well. Half of the difficulty of remotely cracking a password is knowing a valid username. Use this screen to change the default username to a non-obvious value. The use of “admin”, “administrator”, “root”, or “cisco” as usernames is strongly discouraged, as attackers will surely use these. The concentrator allows usernames and passwords of up to 31 characters.
Note: Unfortunately, the concentrator does not directly support an account lockout threshold. This can only be set if TACACS+ is used to authenticate administrative users. To determine if an attacker is targeting the administrator account, navigate to Monitoring | Filterable Event Log. Select the “Auth” Event Class and “Newest to Oldest” in the Direction drop-down menu, and then click the Get Log button. A popup window will show any authentication failures.
The following URL will take you to a security site that lists default username/password combinations for popular network equipment, including the 3000 series concentrators:
http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php
Once you have changed the default username and password, click the apply button to return to Administration | Access Rights. Click the Access Settings link. On this page, you will modify the idle timeout, max sessions, and configuration file encryption settings. The default idle timer terminates an administrator session after 10 minutes of inactivity. If your security policy dictates a smaller value, it can be modified from 1 to 1800 seconds. The default session limit of 10 simultaneous administrators is excessive. Typically, there should be no need for more than 2 or 3 simultaneous sessions to the administration interface.
The Config File Encryption setting determines whether sensitive fields such as passwords and pre-shared key values are stored in clear text or encrypted. The difference between RC4 and DES is that with DES selected, the config file is non-portable between concentrators. RC4 encryption allows a config file to be installed into another 3000 series concentrator of the same model. In the unlikely event of a hardware failure, it is useful to be able to quickly configure the replacement unit.
Securing Management Protocols
The Cisco 3000 Series VPN Concentrators offer a wide array of protocols to manage, monitor, and maintain
your VPN perimeter. The defaults are in place to give you the most flexible solution right out of the box.
However, many of the default management protocols transfer authentication data in clear text over the wire.
This presents a serious risk to the confidentiality of usernames and passwords used to access the concentrator.
Table 1 lists the available management protocols and their default settings.
Table 1 – 3000 Series Management Protocols
Management Protocol   Enabled By Default   Encrypted Transport   Transport Protocol   Service Port
TFTP                  No                   No                    UDP                  69
FTP                   Yes                  No                    TCP                  21
HTTP                  Yes                  No                    TCP                  80
Telnet                Yes                  No                    TCP                  23
SNMP                  Yes                  No                    UDP                  161
HTTPS                 Yes                  Yes                   TCP                  443
SSH                   Yes                  Yes                   TCP                  22
Once you have successfully made a connection via HTTPS, it is highly recommended you disable all protocols that do not use encryption. Cisco has grouped all of the non-encrypted protocols in the same section for easy access. You can access this section by navigating to Configuration | System | Management Protocols in the GUI interface as shown in figure 2.
Figure 2 – Management Protocols
For each protocol you decide to disable, click on its link and de-select the Enable checkbox, then click the
Apply button.
Be sure to save your configuration by clicking the Save Needed floppy disk icon in the upper-right corner of the page.
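The following is an added audit helper, not part of the paper, that encodes Table 1 and reports which clear-text management protocols are still reachable on a concentrator's management interface after hardening. The probe_tcp and audit helpers, and the sample port sets, are assumptions for this example; UDP services (TFTP, SNMP) cannot be confirmed with a bare TCP connect and should be checked in the GUI.

```python
import socket

# Table 1 from the paper: name -> (enabled by default, encrypted transport, transport, port)
MANAGEMENT_PROTOCOLS = {
    "TFTP":   (False, False, "UDP", 69),
    "FTP":    (True,  False, "TCP", 21),
    "HTTP":   (True,  False, "TCP", 80),
    "Telnet": (True,  False, "TCP", 23),
    "SNMP":   (True,  False, "UDP", 161),
    "HTTPS":  (True,  True,  "TCP", 443),
    "SSH":    (True,  True,  "TCP", 22),
}


def default_services():
    """(transport, port) pairs that are listening on a freshly unpacked unit per Table 1."""
    return {(t, p) for _, (on, _e, t, p) in MANAGEMENT_PROTOCOLS.items() if on}


def probe_tcp(host, port, timeout=2.0):
    """Hypothetical helper: True if a TCP connect to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess(open_services):
    """Compare observed (transport, port) pairs against Table 1.

    Returns the reachable clear-text protocols (should be empty after hardening)
    and the reachable encrypted ones (HTTPS/SSH should be up *before* the
    clear-text ones are disabled, or you lock yourself out).
    """
    cleartext, encrypted = [], []
    for name, (_on, enc, transport, port) in MANAGEMENT_PROTOCOLS.items():
        if (transport, port) in open_services:
            (encrypted if enc else cleartext).append(name)
    return {"cleartext": sorted(cleartext), "encrypted": sorted(encrypted)}


def audit(host):
    """Live audit of the TCP services in Table 1 on a management interface you administer."""
    observed = {(t, p) for _, (_on, _e, t, p) in MANAGEMENT_PROTOCOLS.items()
                if t == "TCP" and probe_tcp(host, p)}
    return assess(observed)


if __name__ == "__main__":
    # Constructed sample: every default left on, then the hardened target state.
    print(assess(default_services()))
    print(assess({("TCP", 443), ("TCP", 22)}))
```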
Securing Network Management Access
Cisco offers two methods to centrally manage the 3000 Series Concentrators SNMP and XML. Although SNMP

is enabled by default,
no community strings
,
such as the ubiquitous
“public” and “private” are configured.
Because SNMP is inherently insecure, if you must run SNMP, the best practice is to send messages over the
External interface to an out-of-band network. For more information on the design of an out-of-band manage-
ment network, please refer to the Management Module of Cisco’s White Paper “SAFE: A Security Blueprint for
Enterprise Networks” at: />Unless you are using an XML-based network management system,
XML management should be disabled. There
is a risk that an internal attacker could exploit the XML interface to gain information about its configuration.
To monitor the normal operation of your concentrator, it is essential that you configure logging services and define a syslog server. Begin by navigating to Configuration | System | Events | General.
The default logging configuration uses the concentrator-specific logging format, allows logging of event levels 1 – 5 to enter the logging system, and event levels 1 – 5 to the console. For ease of reading and consistency with other Cisco syslog messages, change the Syslog Format to Cisco IOS Compatible. To reduce the logging load on the concentrator CPU, disable console logging and send messages to a syslog server instead, as shown in figure 3.
Figure 3 – Logging Event Configuration
Next, click on the Apply button to return to Configuration | System | Events | General. Select the Syslog Servers link, click on the Add button and enter the IP address of your syslog server. Click on the Add button to complete the transaction and return to the previous menu. Because logging information is sent in clear text, it is best to send events to a syslog server on an out-of-band network via the External interface.
Securing User Access
We will now turn our attention to the policies that control user access through the concentrator.
The first step is to examine the policies in the Base Group. The Base Group exists to set global defaults for all groups created later. Because all new groups automatically inherit the settings of the Base Group, you can save time by availing yourself of this feature. To access the Base Group, navigate to Configuration | User Management | Base Group. Many of the settings in this group will depend on your security policy, so only the most general will be examined here.
Although the 3000 Series VPN Concentrators support PPTP, L2TP, L2TP over IPSec, and WebVPN, most companies use only IPSec. If this is the case in your organization, then uncheck all of the Tunneling Protocols except IPSec. This will effectively disable any tunneling protocols not in use.
IKE (Phase I) Policies
Another area of concern is the large number of default IKE Policies. Navigate to Configuration | Tunneling
and Security | IPSec | IKE Proposals as illustrated in figure 4.
Figure 4 – Default IKE Policies
Because IKE policies are evaluated in the order they appear in the list, it is probable an IPSec client might negotiate an IKE policy you did not intend. There are also policies that are not appropriate in most environments, such as IKE-DES-MD5 and IKE-3DES-MD5-DH7. The 56-bit DES is no longer considered strong enough for production use and should be deactivated. The DH7 policy refers to Diffie-Hellman group 7 to support Certicom IPSec clients running on PDAs such as Palm and HP iPaq. It is recommended that all IKE policies that are not required to meet the dictates of your security policy be deactivated or deleted altogether.
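The following is an added review helper, not part of the paper, that applies this section's guidance to an ordered list of active IKE proposal names: it flags 56-bit DES, DH group 7 (unless Certicom PDA clients are required) and any proposal your policy does not require, and notes which flagged proposals sit above the first required one and could therefore be negotiated first. The name pattern IKE-<cipher>-<hash>[-DH<group>] is inferred from the two names the paper shows, and the sample proposal list and policy set are constructed for the example.

```python
import re

# Name pattern inferred from IKE-DES-MD5 and IKE-3DES-MD5-DH7 (assumption for this example).
NAME_RE = re.compile(r"^IKE-(?P<cipher>[A-Z0-9]+)-(?P<hash>MD5|SHA)(?:-DH(?P<dh>\d+))?$")


def parse_proposal(name):
    """Split a proposal name into cipher, hash and DH group (None when no -DHn suffix)."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised proposal name: {name}")
    return {"name": name, "cipher": m["cipher"], "hash": m["hash"],
            "dh": int(m["dh"]) if m["dh"] else None}


def review_proposals(active, required, allow_dh7=False):
    """Review the ordered list of *active* proposals against the policy-required set.

    Because proposals are evaluated top-down, a flagged proposal that appears
    before the first required one is marked precedes_required=True: a client
    offering it would match it before ever reaching the intended policy.
    """
    findings = []
    seen_required = False
    for name in active:
        p = parse_proposal(name)
        reasons = []
        if p["cipher"] == "DES":
            reasons.append("56-bit DES")
        if p["dh"] == 7 and not allow_dh7:
            reasons.append("DH group 7 (Certicom PDA clients only)")
        if name not in required:
            reasons.append("not required by policy")
        if reasons:
            findings.append({"name": name, "reasons": reasons,
                             "precedes_required": not seen_required})
        else:
            seen_required = True
    return findings


if __name__ == "__main__":
    # Constructed sample: a policy that requires only IKE-3DES-SHA.
    active = ["IKE-DES-MD5", "IKE-3DES-MD5-DH7", "IKE-3DES-SHA", "IKE-3DES-MD5-DH1"]
    for f in review_proposals(active, {"IKE-3DES-SHA"}):
        print(f["name"], "->", "; ".join(f["reasons"]),
              "(above required)" if f["precedes_required"] else "")
```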
IPSec (Phase II) SAs
The default IKE phase II policies are located in Configuration | Policy Management | Traffic Management | Security Associations as shown in figure 5.
Figure 5 – Default SAs
Just like the IKE policies, Cisco provides a number of default policies to allow administrators to get their systems up and running quickly. Once you have selected the appropriate policy or policies for your network, delete any unneeded SAs by highlighting the SA and clicking the Delete button.
Securing Interfaces
Many administrators are unaware that the default filters on the Public interface may allow unwanted traffic to
enter their network. The filter for the Public interface is accessed through Configuration | Policy Management | Traffic Management | Filters. Highlight the filter Public (default) and click on the Assign Rules to Filter button to display the default protocol filters for the Public interface as shown in figure 6.
Figure 6 – Default Public Filters
Once again, Cisco has created defaults to ease initial configuration. But now that you are ready to place your concentrator into production, it is important to remove all filters not required by your security policy. In many cases, the only filters you will require are IPSec-ESP, IKE, and NAT-T. Be certain you understand the function of any filter before you remove it.
Conclusion
Hopefully, you now have an increased awareness as to your responsibilities for the secure administration of Cisco 3000 Series Concentrators. Every security appliance and software application has defaults, and it is critical to understand how the defaults may impact performance and security posture of your network. Although this paper is not a complete reference to all potential risks in your configuration, examining the areas presented will help you secure your perimeter networks.
Learn More
Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge.
Check out the following Global Knowledge courses:
SNPA (Securing Networks with PIX and ASA)
SND (Securing Cisco Network Devices)
SNRS (Securing Networks with Cisco Routers and Switches)
CSVPN (Cisco Secure Virtual Private Networks)
For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a sales representative.
Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use.
Our expert instructors draw upon their experiences to help you understand key concepts and how to apply
them to your specific work situation. Choose from our more than 700 courses, delivered through Classrooms,
e-Learning, and On-site sessions, to meet your IT and management training needs.
About the Author
David W. Chapman, Jr. has more than 15 years of experience in the IT industry. He has been designing and
building enterprise network infrastructures with Cisco equipment since 1994, and began specializing in Cisco
security products in 1999.

David teaches CSVPN, CSPFA, CSIDS, SECUR, and CCSP Boot Camp courses for Global Knowledge. He holds
numerous professional certifications including CISSP-ISSAP, CCSI, CCNP, CCDP, CSSP, and INFOSEC Professional.
He is also a Senior Member of the IEEE.
David is co-editor/author of the 2002 Cisco Press title, “Cisco Secure PIX Firewalls” and has authored numer-
ous white papers for Global Knowledge and InformIT.
Email:

References
Cisco Systems. (2005). VPN 3000 Series Concentrator Reference Volume I: Configuration, Release 4.7. Retrieved 3 July 2005.
Convery, S., Trudel, B., et al. (2004). SAFE: A Security Blueprint for Enterprise Networks. Retrieved 2 July 2005.
Unknown. (2005). Default Logins and Passwords for Networked Devices. GovernmentSecurity.org. Retrieved 4 July 2005, from http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php