Router/Switch Security

Configuring AAA requires four basic steps:
1. Enable AAA (aaa new-model).
2. Configure the security server network parameters (the TACACS+ or RADIUS server addresses and shared keys).
3. Define one or more method lists for AAA authentication.
4. Apply the method lists to a particular interface or line.
• Verify that SSH access is configured.
• Verify that HTTP access is disabled.
• Verify that the protocols allowed for incoming and outgoing sessions are explicitly defined (transport input / transport output on each line).
• Verify that access-class ACLs are used to control the sources from which sessions are permitted.
• Verify that an idle session timeout (exec-timeout) is configured.
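The four AAA steps and the line checks above can be verified mechanically against a saved running-config. The script below is an added example written for this page, not code from the original material: it carries a constructed sample config that implements all four AAA steps and the management-plane checks, a second constructed config with the usual mistakes (method list defined but never applied to the vty lines, telnet still accepted, HTTP server on, no access-class, no exec-timeout), and an audit that reports which checks pass. The server name TAC1, the group TAC-GROUP, the method list VTY-AUTH and the ACL MGMT-ACL are assumptions for the example. Note that IOS omits default values from the running-config (the default exec-timeout is 10 minutes), so the audit deliberately demands an explicit, non-zero exec-timeout rather than trusting the default.

```python
import re

# Constructed sample running-config (not from a real device). TAC1, TAC-GROUP,
# VTY-AUTH and MGMT-ACL are hypothetical names chosen for this example.
GOOD_CFG = """\
aaa new-model
tacacs server TAC1
 address ipv4 10.1.1.5
 key 7 0822455D0A16
aaa group server tacacs+ TAC-GROUP
 server name TAC1
aaa authentication login VTY-AUTH group TAC-GROUP local
aaa authorization exec VTY-AUTH group TAC-GROUP local
ip ssh version 2
no ip http server
no ip http secure-server
ip access-list standard MGMT-ACL
 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class MGMT-ACL in
 exec-timeout 10 0
 login authentication VTY-AUTH
 transport input ssh
"""

# Constructed weak config: AAA enabled and a method list defined (steps 1 and 3)
# but step 2 and step 4 missing, telnet allowed, HTTP on, no ACL, no timeout.
WEAK_CFG = """\
aaa new-model
aaa authentication login VTY-AUTH group tacacs+ local
ip http server
line vty 0 4
 transport input telnet ssh
"""


def vty_blocks(cfg):
    """Return (header, [indented body lines]) for every 'line vty ...' section."""
    blocks, lines = [], cfg.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("line vty"):
            body = []
            for nxt in lines[i + 1:]:
                if not nxt.startswith(" "):      # next top-level command ends the section
                    break
                body.append(nxt.strip())
            blocks.append((line.strip(), body))
    return blocks


def has_idle_timeout(line):
    """True for 'exec-timeout M S' with M*60+S > 0; 'exec-timeout 0 0' disables the timeout."""
    m = re.fullmatch(r"exec-timeout (\d+) ?(\d*)", line)
    return m is not None and int(m.group(1)) * 60 + int(m.group(2) or 0) > 0


def audit(cfg):
    """Return {check: True/False} for the four AAA steps and the vty line checks."""
    g = lambda pat: re.search(pat, cfg, re.M) is not None          # global-config test
    method_lists = set(re.findall(r"^aaa authentication login (\S+)", cfg, re.M))
    vtys = vty_blocks(cfg)

    def every_vty(pred):                                          # must hold on every vty block
        return bool(vtys) and all(any(pred(l) for l in body) for _, body in vtys)

    return {
        "aaa_new_model":      g(r"^aaa new-model$"),                                  # step 1
        "aaa_server":         g(r"^(tacacs|radius) server \S+$")                      # step 2
                              or g(r"^(tacacs|radius)-server host"),
        "aaa_method_list":    bool(method_lists),                                      # step 3
        "aaa_applied":        every_vty(lambda l: l.startswith("login authentication ")
                                        and l.split()[2] in method_lists),           # step 4
        "ssh_v2":             g(r"^ip ssh version 2$"),
        "http_disabled":      g(r"^no ip http server$") and g(r"^no ip http secure-server$"),
        "transport_ssh_only": every_vty(lambda l: l == "transport input ssh"),
        "access_class":       every_vty(lambda l: l.startswith("access-class ") and l.endswith(" in")),
        "exec_timeout":       every_vty(has_idle_timeout),
    }


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CFG), ("weak", WEAK_CFG)):
        failed = [k for k, ok in audit(cfg).items() if not ok]
        print(name, "all checks passed" if not failed else "FAILED: " + ", ".join(failed))
```

The audit only reads the running-config, so it also inherits its blind spot: anything left at the IOS default is simply absent from the file, which is why every check above looks for an explicit command and treats absence as a failure.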
• As a security best practice, any unnecessary service must be disabled.
• By default, the TCP and UDP small services are disabled in IOS software releases 12.0 and later.
• See the reference material for the full list of services that should be disabled.
• Review the configuration files to verify that unnecessary services have been disabled.
• The commands service tcp-keepalives-in and service tcp-keepalives-out enable a device to send and receive TCP keepalives for TCP sessions.
• This ensures that the device on the remote end of the connection is still reachable and that half-open or orphaned connections are removed from the local Cisco device.
• Review the config file to verify that keepalives have been configured.
• If NTP is used, it is important to explicitly configure a trusted time source.
• Accurate and reliable time is required for syslog purposes, such as during forensic investigations of potential attacks.
• Review the configuration to verify the following:
  • The router has been configured as an NTP client.
  • The NTP source interface has been configured.
  • One or more NTP servers have been configured.
  • An ACL has been established to control which sources may send NTP to the device.
• SNMP provides information on the status or condition of network devices.
• SNMPv3 provides secure access to devices by authenticating and optionally encrypting packets over the network.
• Community strings are passwords that are applied to an IOS device to restrict access.
  • Default community string for read-only: "public"
  • Default community string for read-write: "private"
• Community strings should be treated like passwords: chosen carefully and changed at regular intervals.
• An ACL can be applied that further restricts SNMP access to a select group of source IP addresses.
• Verify that SNMPv3 is implemented with encryption (the priv security level).
• Verify that ACLs are used to restrict access.
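The NTP checklist and the SNMP checks above both come down to the same question: is the feature pointed at explicit, trusted peers, and does an ACL back that up? The script below is an added example for this page, not code from the original material. It audits one constructed running-config for the four NTP items (client role, source interface, servers, ACL) plus NTP authentication, which is how a time source is made trusted rather than merely configured, and then for the SNMP items: every v3 group at the priv level, no default community strings, no read-write communities, and an ACL on every community that actually permits a host. ACL numbers 20 and 30, the addresses and the group/view names are assumptions. One caveat for real audits: IOS does not display snmp-server user lines in the running-config, so the users themselves must be reviewed with show snmp user; only the groups are visible here.

```python
import re

# Constructed sample running-config (not from a real device); addresses,
# ACL numbers and SNMP names are assumptions for this example.
CFG = """\
ntp authentication-key 1 md5 0317440504 7
ntp authenticate
ntp trusted-key 1
ntp source Loopback0
ntp access-group peer 20
ntp server 10.1.1.10 key 1
ntp server 10.1.1.11 key 1 prefer
access-list 20 permit 10.1.1.10
access-list 20 permit 10.1.1.11
access-list 30 permit 10.1.1.20
snmp-server view MON-VIEW iso included
snmp-server group MON-GRP v3 priv read MON-VIEW access 30
snmp-server group LEGACY-GRP v3 noauth
snmp-server community public RO
snmp-server community m0nit0r RO 30
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def acl_hosts(cfg, number):
    """Hosts permitted by a numbered standard ACL, written as 'host X', 'X' or 'X 0.0.0.0'."""
    pat = rf"^access-list {number} permit (?:host )?(\d+\.\d+\.\d+\.\d+)(?: 0\.0\.0\.0)?$"
    return set(re.findall(pat, cfg, re.M))


def audit_ntp(cfg):
    """Return {check: result} for the NTP client checklist."""
    servers = re.findall(r"^ntp server (\S+)(.*)$", cfg, re.M)      # [(address, rest-of-line)]
    acl = re.search(r"^ntp access-group peer (\d+)$", cfg, re.M)
    permitted = acl_hosts(cfg, acl.group(1)) if acl else set()
    return {
        # a client synchronises to servers and is not itself an 'ntp master'
        "client_only":   bool(servers) and re.search(r"^ntp master", cfg, re.M) is None,
        "source_iface":  re.search(r"^ntp source \S+$", cfg, re.M) is not None,
        "servers":       [ip for ip, _ in servers],
        # trusted time source: authentication on and every server bound to a key
        "authenticated": re.search(r"^ntp authenticate$", cfg, re.M) is not None
                         and all(" key " in rest for _, rest in servers),
        # the peer ACL should permit exactly the configured servers
        "acl_limits_peers": bool(acl) and {ip for ip, _ in servers} == permitted,
    }


def audit_snmp(cfg):
    """Return a list of SNMP findings; empty means the config passed."""
    findings = []
    for name, level in re.findall(r"^snmp-server group (\S+) v3 (\S+)", cfg, re.M):
        if level != "priv":                       # noauth/auth: no encryption
            findings.append(f"v3 group {name} is {level}; require priv (auth + encryption)")
    for community, mode, acl in re.findall(
            r"^snmp-server community (\S+) (RO|RW)(?: (\d+))?$", cfg, re.M):
        if community in DEFAULT_COMMUNITIES:
            findings.append(f"default community string '{community}' in use")
        if mode == "RW":
            findings.append(f"read-write community '{community}' configured")
        if not acl:
            findings.append(f"community '{community}' has no access-list")
        elif not acl_hosts(cfg, acl):
            findings.append(f"community '{community}' ACL {acl} permits no hosts")
    return findings


if __name__ == "__main__":
    print("NTP:", audit_ntp(CFG))
    print("SNMP findings:", audit_snmp(CFG) or "none")
```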
• Event logging provides visibility into the operation of a Cisco IOS device and the network into which it is deployed.
• Each log message generated by a Cisco device is assigned a severity level from 0 (emergencies) to 7 (debugging).
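IOS writes that severity into every message as %FACILITY-SEVERITY-MNEMONIC, and a lower number means a more severe event, so a collector configured with logging trap 4 receives severities 0 through 4 and nothing at 5 or above. The parser below is an added example for this page, not the page's own material: it extracts facility, severity and mnemonic from constructed sample lines in IOS format, filters them the way a trap level would, and counts LOGIN_FAILED events per source address as a small detection on top. The sample lines, addresses and user names are constructed for the example, not captured from a device.

```python
import re
from collections import Counter

# IOS severity levels 0..7, as used by 'logging trap <level>' and 'logging buffered <level>'.
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Constructed sample syslog lines in IOS format (not captured from a real device).
SAMPLE_LOG = """\
*Mar  1 00:01:02.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
*Mar  1 00:02:05.456: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.9] [localport: 22] [Reason: Login Authentication Failed]
*Mar  1 00:02:06.001: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.0.0.9] [localport: 22] [Reason: Login Authentication Failed]
*Mar  1 00:03:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
*Mar  1 00:03:30.000: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.5] [localport: 22]
*Mar  1 00:04:00.000: %SYS-6-LOGOUT: User admin has exited tty session 2(10.0.0.5)
"""

# %FACILITY-SEVERITY-MNEMONIC: text   (severity is one digit, 0-7)
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")


def parse(line):
    """Split one IOS log line into timestamp, facility, severity (int), mnemonic and text."""
    m = MSG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["severity"] = int(d["severity"])
    d["timestamp"] = line[:m.start()].rstrip(": ")
    return d


def delivered_at_trap_level(lines, level):
    """Messages a collector set to 'logging trap <level>' receives: severity <= level."""
    return [p for p in map(parse, lines) if p and p["severity"] <= level]


def failed_logins_by_source(lines, threshold=2):
    """Count SEC_LOGIN LOGIN_FAILED events per source address; return sources at or over threshold."""
    counts = Counter()
    for p in filter(None, map(parse, lines)):
        if p["facility"] == "SEC_LOGIN" and p["mnemonic"] == "LOGIN_FAILED":
            src = re.search(r"\[Source: ([^\]]+)\]", p["text"])
            if src:
                counts[src.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for p in delivered_at_trap_level(lines, 4):
        print(p["timestamp"], SEVERITY[p["severity"]], p["facility"], p["mnemonic"])
    print("repeated login failures:", failed_logins_by_source(lines))
```

Because the filter keys on the numeric severity rather than the facility name, the same function reproduces what a syslog server would see at any trap level; the LOGIN_FAILED counter shows why accurate timestamps matter, since correlating those two failures with the later LOGIN_SUCCESS depends on the clock the NTP section secures.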