
1. No local user accounts are configured on the router. Routers and switches must use TACACS+ for all user authentication.

• Router(config)#aaa new-model
• Router(config)#aaa authentication enable default group tacacs+ enable
• Router(config)#aaa authentication login default group tacacs+ enable
• Router(config)#aaa authentication ppp default group tacacs+ enable

2. The enable password on the router or switch must be kept in a secure encrypted form. The router or switch must have the enable password set to the current production router/switch password from the device's support organization. enable secret stores a one-way hash of the password; service password-encryption only obfuscates the other passwords in the configuration (type 7) and is not a substitute for it.

• Router(config)#enable secret CISCO
• Router(config)#service password-encryption

3. The following services or features must be disabled:

a. IP directed broadcasts

• R1(config-if)#no ip directed-broadcast

b. Incoming packets at the router/switch sourced with invalid addresses such as RFC1918 addresses (the anti-spoofing access list in item 8 drops these)

• R1(config)#no ip source-route

c. TCP small services

• R1(config)#no service tcp-small-servers

d. UDP small services

• R1(config)#no service udp-small-servers

e. All source routing and switching

• R1(config)#no ip source-route

f. All web services running on the router

• R1(config)#no ip http server
• R1(config)#no ip bootp server

g. Cisco discovery protocol on Internet-connected interfaces, together with the other per-interface services below

• R1(config-if)#no cdp enable
• R1(config-if)#no ip redirects
• R1(config-if)#no ip proxy-arp
• R1(config-if)#no ip unreachables
• R1(config-if)#no ip directed-broadcast
• R1(config-if)#no ip mask-reply
• R1(config-if)#no mop enabled

h. Telnet, FTP, and HTTP services

i. Auto-configuration

• R1#auto secure

4. The following services should be disabled unless a business justification is provided:

a. Cisco discovery protocol and other discovery protocols

• R1(config)#no cdp run

b. Dynamic trunking

• Switch(config-if)#switchport mode access
• Switch(config-if)#switchport nonegotiate

c. Scripting environments, such as the TCL shell

• R1(config)#no scripting tcl encdir
• R1(config)#no scripting tcl init
• R1(config)#no scripting tcl low-memory
• R1(config)#no scripting tcl secure-mode
• R1(config)#no scripting tcl trustpoint name <name>
• R1(config)#no scripting tcl trustpoint untrusted

5. The following services must be configured:

a. Password encryption

• Router(config)#service password-encryption

b. NTP configured to a corporate standard source

[Default]

• config t
• ntp server {ip-address | ipv6-address | dns-name} [prefer] [use-vrf vrf-name]
• ntp peer {ip-address | ipv6-address | dns-name} [prefer] [use-vrf vrf-name]
• show ntp peers
• copy running-config startup-config

[Non-Default]

• config t
• feature ntp
• ntp master
• ntp source-interface interface
• ntp source ip-address
• copy running-config startup-config

6. All routing updates shall be done using secure routing updates.

• OSPF:

interface Ethernet1
 ip address 10.139.20.1 255.255.255.0
 ip ospf message-digest-key 10 md5 cisco
!
router ospf 20
 network 10.139.20.0 0.0.0.255 area 0
 area 0 authentication message-digest
 passive-interface default
 no passive-interface Serial0

• EIGRP:

! EIGRP authentication
interface Ethernet1
 ip authentication mode eigrp 10 md5
 ip authentication key-chain eigrp 10 mychain
!
router eigrp 10
 network 10.0.0.0
 no auto-summary
 passive-interface default
 no passive-interface Serial0
!
key chain mychain
 key 1
  key-string cisco
!

• RIP:

interface Ethernet0
 ip rip authentication key-chain mychain
 ip rip authentication mode md5
!
router rip
 version 2
 network 10.0.0.0
 no auto-summary
 passive-interface default
 no passive-interface Serial0
!
key chain mychain
 key 1
  key-string cisco
!

• BGP:

router bgp 10
 no synchronization
 bgp log-neighbor-changes
 network 64.104.0.0
 neighbor 198.133.219.10 remote-as 10
 neighbor 198.133.219.10 password 7 05080F1C22431F5B4A
!

BGP has no passive-interface command, so those lines belong only to the OSPF, EIGRP and RIP blocks. The BGP neighbor password is stored in reversible type 7 form (the result of service password-encryption), not as a hash, so the configuration file itself must be protected.

7. Use corporate standardized SNMP community strings. Default strings, such as public or private, must be removed. SNMP must be configured to use the most secure version of the protocol allowed for by the combination of the device and management systems.

• Simple Network Management Protocol (SNMP) uses the default UDP port 161 for general SNMP messages and UDP port 162 for SNMP trap messages.

• Send traps to the management hosts only:

Switch(config)# snmp-server host 10.0.0.2 traps g00d-5tr1n9-2
Switch(config)# snmp-server host 10.0.0.4 traps g00d-5tr1n9-2
Switch(config)# snmp-server trap-source Loopback0
Switch(config)# snmp-server enable traps

• If SNMP is not being used, then executing the following commands will disable the service:

Switch(config)# no snmp-server community
Switch(config)# no snmp-server enable traps
Switch(config)# no snmp-server system-shutdown
Switch(config)# no snmp-server

• Restrict SNMPv3 access to the management hosts with an access list, an authenticated group and a user:

Switch(config)# no access-list 12
Switch(config)# access-list 12 permit 10.0.0.2
Switch(config)# access-list 12 permit 10.0.0.4
Switch(config)# snmp-server group admins v3 auth read adminview write adminview
Switch(config)# snmp-server user root admins v3 auth md5 5ecret-5TR1N access 12

• Limit the view the group can read and write:

Switch(config)# snmp-server view adminview internet included
Switch(config)# snmp-server view adminview ipAddrEntry excluded
Switch(config)# snmp-server view adminview ipRouteEntry excluded

8. Access control lists must be used to limit the source and type of traffic that can terminate on the device itself.

! - Add anti-spoofing entries
! - Deny special-use address sources
!
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
access-list 110 deny ip host 255.255.255.255 any
! - Deny your space as source (as noted in RFC 2827).
access-list 110 deny ip <your Internet-routable subnet> any
! - Explicitly permit return traffic
! - Allow specific ICMP types.
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any time-exceeded
access-list 110 deny icmp any any
! - These are outgoing DNS queries.
access-list 110 permit udp any eq 53 host <primary DNS server> gt 1023
! - Permit older DNS queries and replies to primary DNS server.
access-list 110 permit udp any eq 53 host <primary DNS server> eq 53
! - Permit legitimate business traffic.
access-list 110 permit tcp any <Internet-routable subnet> established
access-list 110 permit udp any range 1 1023 <Internet-routable subnet> gt 1023
! - Allow ftp data connections.
access-list 110 permit tcp any eq 20 <Internet-routable subnet> gt 1023
! - Allow tftp data and multimedia connections.
access-list 110 permit udp any gt 1023 <Internet-routable subnet> gt 1023

9. Access control lists for traffic transiting the device are to be added as business needs arise.

! - Explicitly permit externally sourced traffic
! - These are incoming DNS queries.
access-list 110 permit udp any gt 1023 host <primary DNS server> eq 53
! - These are zone transfer DNS queries to primary DNS server.
access-list 110 permit tcp host <secondary DNS server> gt 1023 host <primary DNS server> eq 53
! - Permit older DNS zone transfers.
access-list 110 permit tcp host <secondary DNS server> eq 53 host <primary DNS server> eq 53
! - Deny all other DNS traffic.
access-list 110 deny udp any any eq 53
access-list 110 deny tcp any any eq 53
! - Allow IPSec VPN traffic.
access-list 110 permit udp any host <IPSec headend device> eq 500
access-list 110 permit udp any host <IPSec headend device> eq 4500
access-list 110 permit 50 any host <IPSec headend device>
access-list 110 permit 51 any host <IPSec headend device>
access-list 110 deny ip any host <IPSec headend device>
! - These are Internet-sourced connections to
! - publicly accessible servers.
access-list 110 permit tcp any host <public web server> eq 80
access-list 110 permit tcp any host <public web server> eq 443
access-list 110 permit tcp any host <public FTP server> eq 21
! - Data connections to the FTP server are allowed
! - by the permit established ACE.
! - Allow PASV data connections to the FTP server.
access-list 110 permit tcp any gt 1023 host <public FTP server> gt 1023
access-list 110 permit tcp any host <public SMTP server> eq 25
! - Explicitly deny all other traffic.
access-list 110 deny ip any any
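As an added example (not part of the original policy), the following Python script parses the anti-spoofing entries of item 8 and evaluates sample packets against them with IOS semantics: wildcard masks, first match wins, implicit deny at the end. The "your Internet-routable subnet" placeholder is filled with the constructed documentation prefix 203.0.113.0/24, and only the plain-IP entry form is parsed.

```python
import ipaddress

# The anti-spoofing entries of item 8 as the sample ACL; the 'your Internet-routable
# subnet' placeholder is filled with the constructed documentation prefix 203.0.113.0/24.
ACL_110 = """\
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
access-list 110 deny ip host 255.255.255.255 any
access-list 110 deny ip 203.0.113.0 0.0.0.255 any
access-list 110 permit ip any any
"""

def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD'); return (matcher, rest)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        target = ipaddress.IPv4Address(tokens[1])
        return (lambda ip: ip == target), tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    # IOS wildcard mask: a 1 bit means "don't care", so only the 0 bits are compared.
    return (lambda ip: (int(ip) & ~wild) == (base & ~wild)), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into (action, src, dst) entries."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            continue  # this example handles only the plain-IP form, not ports or ICMP
        src, rest = _parse_addr(tok[4:])
        dst, _ = _parse_addr(rest)
        entries.append((tok[2], src, dst))
    return entries

def evaluate(entries, src, dst):
    """First matching entry wins, as in IOS; no match falls into the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, match_src, match_dst in entries:
        if match_src(s) and match_dst(d):
            return action
    return "deny"

if __name__ == "__main__":
    acl = parse_acl(ACL_110)
    for src in ("127.0.0.1", "239.1.1.1", "203.0.113.5", "198.51.100.7"):
        print(src, "->", evaluate(acl, src, "203.0.113.10"))
```

The 224.0.0.0 31.255.255.255 entry shows why the wildcard form matters: it covers every address from 224.0.0.0 to 255.255.255.255, not only the 224/8 block.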

10. The router must be included in the corporate enterprise management system with a designated point of contact.

11. Each router must have the following statement presented for all forms of login, whether remote or local: "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device. Use of this system shall constitute consent to monitoring."

• Router(config)#banner motd #"UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED"#

12. Telnet may never be used across any network to manage a router, unless there is a secure tunnel protecting the entire communication path. SSH version 2 is the preferred management protocol. The hostname and domain name must be set before the RSA key pair can be generated, and ip ssh version 2 is the value this policy requires.

enable
configure terminal
hostname <hostname>
ip domain-name <name>
crypto key generate rsa
ip ssh [time-out seconds | authentication-retries integer]
ip ssh version [1 | 2]
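As an added example (not part of the original policy), the following Python script audits a running-config text against the line-level requirements of items 1 to 5, 7 and 12: lines the policy requires must be present, and lines it forbids must be absent. The sample configuration and the two check lists are constructed for this example.

```python
import re

# Constructed sample running-config (not from the page); it violates several
# of the policy items above so the audit has something to report.
SAMPLE_CONFIG = """\
hostname edge-rtr
enable password cisco123
service tcp-small-servers
ip http server
snmp-server community public RO
snmp-server community g00d-5tr1n9-2 RO 12
ip ssh version 1
line vty 0 4
 transport input telnet ssh
"""

# Lines the policy requires to be present (items 1, 2, 4, 5 and 12).
REQUIRED = [
    "aaa new-model",
    "aaa authentication login default group tacacs+ enable",
    "service password-encryption",
    "no cdp run",
    "ip ssh version 2",
]

# Patterns the policy forbids (items 2, 3, 7 and 12), with the reason.
FORBIDDEN = [
    (r"^enable password ", "item 2: use 'enable secret', not 'enable password'"),
    (r"^service (tcp|udp)-small-servers", "item 3: small servers must be disabled"),
    (r"^ip http server", "item 3: web services on the device must be disabled"),
    (r"^snmp-server community (public|private)\b", "item 7: default SNMP community string"),
    (r"^ip ssh version 1", "item 12: SSH version 2 is required"),
    (r"^\s*transport input .*\btelnet\b", "item 12: Telnet management must not be allowed"),
]

def audit(config: str) -> list[str]:
    """Return one finding per policy violation in a running-config text."""
    lines = config.splitlines()
    present = {line.strip() for line in lines}
    findings = [f"missing required line: '{req}'" for req in REQUIRED if req not in present]
    for line in lines:
        for pattern, why in FORBIDDEN:
            if re.search(pattern, line):
                findings.append(f"{why} -> '{line.strip()}'")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```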

13. Dynamic routing protocols must use authentication in routing updates sent to neighbors. Password hashing for the authentication string must be enabled when supported.

Routing protocols are used to facilitate the exchange of routing information between routers. A routing protocol is a set of processes, algorithms, and messages that are used to exchange routing information and populate the routing table with the routing protocol's choice of best paths. The purpose of dynamic routing protocols includes:

• Discovery of remote networks
• Maintaining up-to-date routing information
• Choosing the best path to destination networks
• Ability to find a new best path if the current path is no longer available

OSPF:

Authentication—Contains the settings for OSPF area authentication.

– None—Choose this option to disable OSPF area authentication. This is the default setting.
– Password—Choose this option to use a clear text password for area authentication. This option is not recommended where security is a concern.
– MD5—Choose this option to use MD5 authentication.

RIP:

Enable Authentication—Check this check box to enable RIP authentication. Uncheck this check box to disable RIP broadcast authentication.

– Key—The key used by the authentication method. Can contain up to 16 characters.
– Key ID—The key ID. Valid values are from 0 to 255.
– Authentication Mode—You can select the following authentication modes:
  MD5—Uses MD5 for RIP message authentication.
  Text—Uses cleartext for RIP message authentication (not recommended).

EIGRP:

Enable MD5 Authentication—Check this check box to enable MD5 authentication of EIGRP process messages.

– Key—Key to authenticate EIGRP updates. The key can contain up to 16 characters.
– Key ID—Key identification value; valid values range from 1 to 255.

14. The corporate router configuration standard will define the category of sensitive routing and switching devices, and require additional services or configuration on sensitive devices including:

a. IP access list accounting

1. enable
2. configure terminal
3. ip accounting-threshold threshold
4. ip accounting-list ip-address wildcard
5. ip accounting-transits count
6. interface type number
7. ip accounting [access-violations] [output-packets]
8. ip accounting mac-address {input | output}

b. Device logging

• Routers can handle log messages in five different ways:

Console logging: messages are sent to the console port. Hence only the users that are physically connected to the router console port can view these messages.

Terminal (monitor) logging: messages are sent to the router's VTY lines instead. This is not enabled by default.

Buffered logging: this type of logging uses the router's RAM for storing log messages. The buffer has a fixed size to ensure that the log will not deplete valuable system memory. The router accomplishes this by deleting old messages from the buffer as new messages are added.

Syslog logging: messages are sent to external syslog servers for storage. This type of logging is not enabled by default.

SNMP trap logging: messages are sent to an external SNMP server.

c. Incoming packets at the router sourced with invalid addresses, such as RFC1918 addresses, or those that could be used to spoof network traffic shall be dropped.

R1(config)#no ip source-route

d. Router console and modem access must be restricted by additional security controls.

Console:

R1(config)#line console 0
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#exit

Modem:

R1(config)#line aux 0
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#exit

Policy for myself

1. Login alerts
2. Login approvals
3. Code generator
4. App passwords
5. Trusted contacts
6. Browsers and apps
7. Where you're logged in
8. Legacy contact
9. Deactivate account

Posted: 08/11/2019, 17:17
