
Level 1 (L1): Items in this profile intend to: be practical and prudent; provide a clear security benefit; and not inhibit the utility of the technology beyond acceptable means.

Level 2 (L2): This profile extends the "Level 1" profile. Items in this profile exhibit one or more of the following characteristics: are intended for environments or use cases where security is paramount; acts as defense in depth measure; may negatively inhibit the utility or performance of the technology.

Checklist columns: Sr No, Domain, Sub-Domain, Sub Sub Domain, Description, Applicability, Recommendation. Each item below is listed as its number and Description, followed by its Applicability (L1 or L2) in brackets, the Recommendation text, and the commands that apply it.

1. Management Plane (Sr No 1-41)

1.1 Local Authentication, Authorization and Accounting (AAA) Rules

1.1.1 Enable 'aaa new-model' [L1]
Globally enable authentication, authorization and accounting (AAA) using the new-model command.
hostname(config)#aaa new-model

1.1.2 Enable 'aaa authentication login' [L1]
Configure AAA authentication method(s) for login authentication.
hostname(config)#aaa authentication login {default | aaa_list_name} [passwd-expiry] method1 [method2]

1.1.3 Enable 'aaa authentication enable default' [L1]
Configure AAA authentication method(s) for enable authentication.
hostname(config)#aaa authentication enable default {method1} enable

1.1.4 Set 'login authentication' for 'line con 0' [L1]
Configure management lines to require login using the default or a named AAA authentication list. This configuration must be set individually for all line types.
hostname(config)#line console 0
hostname(config-line)#login authentication {default | aaa_list_name}

1.1.5 Set 'login authentication' for 'line tty' [L1]
Configure management lines to require login using the default or a named AAA authentication list. This configuration must be set individually for all line types.
hostname(config)#line tty {line-number} [ending-line-number]
hostname(config-line)#login authentication {default | aaa_list_name}

1.1.6 Set 'login authentication' for 'line vty' [L1]
Configure management lines to require login using the default or a named AAA authentication list. This configuration must be set individually for all line types.
hostname(config)#line vty {line-number} [ending-line-number]
hostname(config-line)#login authentication {default | aaa_list_name}

1.1.7 Set 'aaa accounting' to log all privileged use commands using 'commands 15' [L2]
Configure AAA accounting for commands.
hostname(config)#aaa accounting commands 15 {default | list-name | guarantee-first} {start-stop | stop-only | none} {radius | group group-name}

1.1.8 Set 'aaa accounting connection' [L2]
Configure AAA accounting for connections.
hostname(config)#aaa accounting connection {default | list-name | guarantee-first} {start-stop | stop-only | none} {radius | group group-name}

1.1.9 Set 'aaa accounting exec' [L2]
Configure AAA accounting for EXEC shell sessions.
hostname(config)#aaa accounting exec {default | list-name | guarantee-first} {start-stop | stop-only | none} {radius | group group-name}

1.1.10 Set 'aaa accounting network' [L2]
Configure AAA accounting for network service requests.
hostname(config)#aaa accounting network {default | list-name | guarantee-first} {start-stop | stop-only | none} {radius | group group-name}

1.1.11 Set 'aaa accounting system' [L2]
Configure AAA accounting for system events.
hostname(config)#aaa accounting system {default | list-name | guarantee-first} {start-stop | stop-only | none} {radius | group group-name}

1.2 Access Rules

1.2.1 Set 'privilege 1' for local users [L1]
Set the local user to privilege level 1.
hostname(config)#username <LOCAL_USERNAME> privilege 1

1.2.2 Set 'transport input ssh' for 'line vty' connections [L1]
Apply SSH to transport input on all VTY management lines.
hostname(config)#line vty <line-number> <ending-line-number>
hostname(config-line)#transport input ssh

1.2.3 Set 'no exec' for 'line aux 0' [L1]
Disable the EXEC process on the auxiliary port.
hostname(config)#line aux 0
hostname(config-line)#no exec

1.2.4 Set 'access-class' for 'line vty' [L1]
Configure remote management access control restrictions for all VTY lines.
hostname(config)#line vty <line-number> <ending-line-number>
hostname(config-line)#access-class <vty_acl_number> in

1.2.5 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0' [L1]
Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
hostname(config)#line aux 0
hostname(config-line)#exec-timeout <timeout_in_minutes> <timeout_in_seconds>

1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line console 0' [L1]
Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
hostname(config)#line con 0
hostname(config-line)#exec-timeout <timeout_in_minutes> <timeout_in_seconds>

1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes for 'line tty' [L1]
Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
hostname(config)#line tty {line_number} [ending_line_number]
hostname(config-line)#exec-timeout <timeout_in_minutes> <timeout_in_seconds>

1.2.8 Set 'exec-timeout' to less than or equal to 10 minutes for 'line vty' [L1]
Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
hostname(config)#line vty {line_number} [ending_line_number]
hostname(config-line)#exec-timeout <timeout_in_minutes> <timeout_in_seconds>

1.2.9 Set 'transport input none' for 'line aux 0' [L1]
Disable inbound connections on the auxiliary port.
hostname(config)#line aux 0
hostname(config-line)#transport input none

1.3 Banner Rules

1.3.1 Set the 'banner-text' for 'banner exec' [L1]
Configure the EXEC banner presented to a user when accessing the device's enable prompt.
hostname(config)#banner exec c
Enter TEXT message. End with the character 'c'.
<banner-text> c

1.3.2 Set the 'banner-text' for 'banner login' [L1]
Configure the device so a login banner is presented to a user attempting to access the device.
hostname(config)#banner login c
Enter TEXT message. End with the character 'c'.
<banner-text> c

1.3.3 Set the 'banner-text' for 'banner motd' [L1]
Configure the message of the day (MOTD) banner presented when a user first connects to the device.
hostname(config)#banner motd c
Enter TEXT message. End with the character 'c'.
<banner-text> c

1.4 Password Rules

1.4.1 Set 'password' for 'enable secret' [L1]
Configure a strong enable secret password.
hostname(config)#enable secret <ENABLE_SECRET_PASSWORD>

1.4.2 Enable 'service password-encryption' [L1]
Enable the password encryption service to protect sensitive access passwords in the device configuration.
hostname(config)#service password-encryption

1.4.3 Set 'username secret' for all local users [L1]
Create a local user with an encrypted, complex (not easily guessed) password.
hostname(config)#username <LOCAL_USERNAME> secret <LOCAL_PASSWORD>

1.5 SNMP Rules

1.5.1 Set 'no snmp-server' to disable SNMP when unused [L1]
Disable SNMP read and write access if it is not used to monitor and/or manage the device.
hostname(config)#no snmp-server

1.5.2 Unset 'private' for 'snmp-server community' [L1]
Disable the default SNMP community string "private".
hostname(config)#no snmp-server community {private}

1.5.3 Unset 'public' for 'snmp-server community' [L1]
Disable the default SNMP community string "public".
hostname(config)#no snmp-server community {public}

1.5.4 Do not set 'RW' for any 'snmp-server community' [L1]
Disable SNMP write access.
hostname(config)#no snmp-server community {write_community_string}

1.5.5 Set the ACL for each 'snmp-server community' [L1]
Configure an authorized SNMP community string and restrict access to authorized management systems.
hostname(config)#snmp-server community <community_string> ro {snmp_access-list_number | snmp_access-list_name}

1.5.6 Create an 'access-list' for use with SNMP [L1]
Configure an SNMP ACL restricting access to the device to authorized management stations segmented in a trusted management zone.
hostname(config)#access-list <snmp_acl_number> permit <snmp_access-list>
hostname(config)#access-list <snmp_acl_number> deny any log

1.5.7 Set 'snmp-server host' when using SNMP [L1]
Configure an authorized SNMP trap community string and restrict sending messages to authorized management systems.
hostname(config)#snmp-server host {ip_address} {trap_community_string} snmp

1.5.8 Set 'snmp-server enable traps snmp' [L1]
Enable SNMP traps.
hostname(config)#snmp-server enable traps snmp authentication linkup linkdown coldstart

1.5.9 Set 'priv' for each 'snmp-server group' using SNMPv3 [L2]
For each SNMPv3 group created on your router, add privacy options by issuing the following command.
hostname(config)#snmp-server group {group_name} v3 priv

1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3 [L2]
For each SNMPv3 user created on your router, add privacy options by issuing the following command.
hostname(config)#snmp-server user {user_name} {group_name} v3 encrypted auth sha {auth_password} priv aes 128 {priv_password} {acl_name_or_number}

2. Control Plane (Sr No 42-74)

2.1 Global Service Rules

2.1.1 Setup SSH

2.1.1.1 Configure Prerequisites for the SSH Service

2.1.1.1.1 Set the 'hostname' [L1]
Configure an appropriate host name for the router.
hostname(config)#hostname {router_name}

2.1.1.1.2 Set the 'ip domain name' [L1]
Configure an appropriate domain name for the router.
hostname(config)#ip domain name {domain-name}

2.1.1.1.3 Set 'seconds' for 'ip ssh timeout' [L1]
Configure the SSH timeout.
hostname(config)#ip ssh time-out [60]

2.1.1.1.4 Set maximum value for 'ip ssh authentication-retries' [L1]
Configure the maximum number of SSH authentication retries.
hostname(config)#ip ssh authentication-retries [3]

2.1.1.2 Set version 2 for 'ip ssh version' [L1]
Configure the router to use SSH version 2.
hostname(config)#ip ssh version 2

2.1.2 Set 'no cdp run' [L1]
Disable the Cisco Discovery Protocol (CDP) service globally.
hostname(config)#no cdp run

2.1.3 Set 'no ip bootp server' [L1]
Disable the bootp server.
hostname(config)#no ip bootp server

2.1.4 Set 'no service dhcp' [L1]
Disable the DHCP server.
hostname(config)#no service dhcp

2.1.5 Set 'no ip identd' [L1]
Disable the ident server.
hostname(config)#no ip identd

2.1.6 Set 'service tcp-keepalives-in' [L1]
Enable the TCP keepalives-in service.
hostname(config)#service tcp-keepalives-in

2.1.7 Set 'service tcp-keepalives-out' [L1]
Enable the TCP keepalives-out service.
hostname(config)#service tcp-keepalives-out

2.1.8 Set 'no service pad' [L1]
Disable the PAD service.
hostname(config)#no service pad

2.2 Logging Rules

2.2.1 Set 'logging on' [L1]
Enable system logging.
hostname(config)#logging on

2.2.2 Set 'buffer size' for 'logging buffered' [L1]
Configure buffered logging (with minimum size). Recommended size is 64000.
hostname(config)#logging buffered [log_buffer_size]

2.2.3 Set 'logging console critical' [L1]
Configure the console logging level.
hostname(config)#logging console critical

2.2.4 Set IP address for 'logging host' [L1]
Designate one or more syslog servers by IP address.
hostname(config)#logging host syslog_server

2.2.5 Set 'logging trap informational' [L1]
Configure the SNMP trap and syslog logging level.
hostname(config)#logging trap informational

2.2.6 Set 'service timestamps debug datetime' [L1]
Configure debug messages to include timestamps.
hostname(config)#service timestamps debug datetime {msec} show-timezone

2.2.7 Set 'logging source interface' [L1]
Bind logging to the loopback interface.
hostname(config)#logging source-interface loopback {loopback_interface_number}

2.3 NTP Rules

2.3.1 Require Encryption Keys for NTP

2.3.1.1 Set 'ntp authenticate' [L2]
Configure NTP authentication.
hostname(config)#ntp authenticate

2.3.1.2 Set 'ntp authentication-key' [L2]
Configure the NTP key ring and encryption key using the following command.
hostname(config)#ntp authentication-key {ntp_key_id} md5 {ntp_key}

2.3.1.3 Set the 'ntp trusted-key' [L2]
Configure the NTP trusted key using the following command.
hostname(config)#ntp trusted-key {ntp_key_id}

2.3.1.4 Set 'key' for each 'ntp server' [L2]
Configure each NTP server to use a key ring using the following command.
hostname(config)#ntp server {ntp-server_ip_address} key {ntp_key_id}

2.3.2 Set 'ip address' for 'ntp server' [L1]
Configure at least one external NTP server using the following command.
hostname(config)#ntp server {ip_address}

2.4 Loopback Rules

2.4.1 Create a single 'interface loopback' [L2]
Define and configure one loopback interface.
hostname(config)#interface loopback <number>
hostname(config-if)#ip address <loopback_ip_address> <loopback_subnet_mask>

2.4.2 Set AAA 'source-interface' [L2]
Bind AAA services to the loopback interface.
hostname(config)#ip {tacacs | radius} source-interface loopback {loopback_interface_number}

2.4.3 Set 'ntp source' to Loopback Interface [L2]
Bind the NTP service to the loopback interface.
hostname(config)#ntp source loopback {loopback_interface_number}

2.4.4 Set 'ip tftp source-interface' to the Loopback Interface [L2]
Bind the TFTP client to the loopback interface.
hostname(config)#ip tftp source-interface loopback {loopback_interface_number}

3. Data Plane (Sr No 75-100)

3.1 Routing Rules

3.1.1 Set 'no ip source-route' [L1]
Disable source routing.
hostname(config)#no ip source-route

3.1.2 Set 'no ip proxy-arp' [L2]
Disable proxy ARP on all interfaces.
hostname(config)#interface {interface}
hostname(config-if)#no ip proxy-arp

3.1.3 Set 'no interface tunnel' [L2]
Remove any tunnel interfaces.
hostname(config)#no interface tunnel {instance}

3.1.4 Set 'ip verify unicast source reachable-via' [L2]
Configure uRPF.
hostname(config)#interface {interface_name}
hostname(config-if)#ip verify unicast source reachable-via rx

3.2 Neighbor Authentication

3.2.1 Require EIGRP Authentication if Protocol is Used

3.2.1.1 Set 'key chain' [L2]
Establish the key chain.
hostname(config)#key chain {key-chain_name}

3.2.1.2 Set 'key' [L2]
Configure the key number.
hostname(config-keychain)#key {key-number}

3.2.1.3 Set 'key-string' [L2]
Configure the key string.
hostname(config-keychain-key)#key-string <key-string>

3.2.1.4 Set 'address-family ipv4 autonomous-system' [L2]
Configure the EIGRP address family.
hostname(config)#router eigrp <virtual-instance-name>
hostname(config-router)#address-family ipv4 autonomous-system {eigrp_as-number}

3.2.1.5 Set 'af-interface default' [L2]
Configure the EIGRP address family default interface.
hostname(config)#router eigrp <virtual-instance-name>
hostname(config-router)#address-family ipv4 autonomous-system {eigrp_as-number}
hostname(config-router-af)#af-interface default

3.2.1.6 Set 'authentication key-chain' [L2]
Configure the EIGRP address family key chain (the key chain is the one established in 3.2.1.1).
hostname(config)#router eigrp <virtual-instance-name>
hostname(config-router)#address-family ipv4 autonomous-system {eigrp_as-number}
hostname(config-router-af)#af-interface {interface-name}
hostname(config-router-af-interface)#authentication key-chain {key-chain_name}

3.2.1.7 Set 'authentication mode md5' [L2]
Configure the EIGRP address family authentication mode.
hostname(config)#router eigrp <virtual-instance-name>
hostname(config-router)#address-family ipv4 autonomous-system {eigrp_as-number}
hostname(config-router-af)#af-interface {interface-name}
hostname(config-router-af-interface)#authentication mode md5

3.2.1.8 Set 'ip authentication key-chain eigrp' [L2]
Configure the interface with the EIGRP key chain.
hostname(config)#interface {interface_name}
hostname(config-if)#ip authentication key-chain eigrp {eigrp_as-number} {eigrp_keychain_name}

3.2.1.9 Set 'ip authentication mode eigrp' [L2]
Configure the interface with the EIGRP authentication mode.
hostname(config)#interface {interface_name}
hostname(config-if)#ip authentication mode eigrp {eigrp_as-number} md5

3.2.2 Require OSPF Authentication if Protocol is Used

3.2.2.1 Set 'authentication message-digest' for OSPF area [L2]
Configure the Message Digest option for OSPF.
hostname(config)#router ospf <ospf_process-id>
hostname(config-router)#area <ospf_area-id> authentication message-digest

3.2.2.2 Set 'ip ospf message-digest-key md5' [L2]
Configure the appropriate interface(s) for Message Digest authentication.
hostname(config)#interface {interface_name}
hostname(config-if)#ip ospf message-digest-key {ospf_md5_key-id} md5 {ospf_md5_key}

3.2.3 Require RIPv2 Authentication if Protocol is Used

3.2.3.1 Set 'key chain' [L2]
Establish the key chain.
hostname(config)#key chain {rip_key-chain_name}

3.2.3.2 Set 'key' [L2]
Configure the key number.
hostname(config-keychain)#key {key-number}

3.2.3.3 Set 'key-string' [L2]
Configure the key string.
hostname(config-keychain-key)#key-string <key-string>

3.2.3.4 Set 'ip rip authentication key-chain' [L2]
Configure the interface with the RIPv2 key chain.
hostname(config)#interface {interface_name}
hostname(config-if)#ip rip authentication key-chain {rip_key-chain_name}

3.2.3.5 Set 'ip rip authentication mode' to 'md5' [L2]
Configure the RIPv2 authentication mode on the necessary interface(s).
hostname(config)#interface <interface_name>
hostname(config-if)#ip rip authentication mode md5

3.2.4 Require BGP Authentication if Protocol is Used

3.2.4.1 Set 'neighbor password' [L2]
Configure BGP neighbor authentication where feasible.
hostname(config)#router bgp <bgp_as-number>
hostname(config-router)#neighbor <bgp_neighbor-ip | peer-group-name> password <password>
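An audit of a running-config against a subset of the items above, written here as an added example (it is not part of the benchmark or of any vendor tool); both sample configs are constructed, the item numbers refer to the list above, and the weak config is shown beside the hardened one so the remediation is visible:

```python
"""Check a Cisco IOS running-config against items 1.1.1, 1.2.2, 1.2.5-1.2.8,
1.4.1, 1.4.2, 1.5.2-1.5.4, 2.1.1.2, 2.1.2 and 2.2.2 of the checklist above."""
import re

# Constructed 'show running-config' excerpt with deliberate gaps.
WEAK_CONFIG = """\
no aaa new-model
enable password cisco123
service password-encryption
snmp-server community public RO
snmp-server community netops RW 10
ip ssh version 2
logging buffered 4096
line con 0
 exec-timeout 0 0
line aux 0
 no exec
line vty 0 4
 exec-timeout 15 0
 transport input telnet ssh
"""

# The same device after applying the recommendations (placeholders kept).
HARDENED_CONFIG = """\
aaa new-model
enable secret <ENABLE_SECRET_PASSWORD>
service password-encryption
no cdp run
ip ssh version 2
logging buffered 64000
snmp-server community <community_string> RO 10
line con 0
 exec-timeout 10 0
line aux 0
 no exec
 exec-timeout 5 0
line vty 0 4
 exec-timeout 10 0
 transport input ssh
"""


def parse_config(text):
    """Split a config into global commands and per-'line ...' sub-sections."""
    global_cmds, line_sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):  # indented: belongs to the open line section
            if current is not None:
                line_sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            line_sections[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, line_sections


def exec_timeout_ok(cmds):
    """1.2.5-1.2.8: exec-timeout must be set and 0 < value <= 10 minutes.
    'exec-timeout 0 0' disables the idle timeout, so it fails the check."""
    for cmd in cmds:
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", cmd)
        if m:
            total = int(m.group(1)) * 60 + int(m.group(2) or 0)
            return 0 < total <= 600
    return False  # IOS defaults to 10 min, but the item wants it set explicitly


def audit(text):
    """Return {item: passed} for the checks implemented here."""
    g, lines = parse_config(text)
    gset = set(g)
    communities = [c.split() for c in g if c.startswith("snmp-server community ")]
    buf = [int(m.group(1)) for c in g if (m := re.match(r"logging buffered (\d+)", c))]
    result = {
        "1.1.1 aaa new-model": "aaa new-model" in gset,
        "1.4.1 enable secret": any(c.startswith("enable secret ") for c in g),
        "1.4.2 service password-encryption": "service password-encryption" in gset,
        "1.5.2/1.5.3 no default community": not any(
            c[2] in ("public", "private") for c in communities),
        "1.5.4 no RW community": not any(
            "RW" in (w.upper() for w in c[3:]) for c in communities),
        "2.1.1.2 ip ssh version 2": "ip ssh version 2" in gset,
        "2.1.2 no cdp run": "no cdp run" in gset,
        "2.2.2 logging buffered >= 64000": bool(buf) and buf[0] >= 64000,
    }
    for name, cmds in lines.items():
        if name.startswith("line vty"):
            result[f"1.2.2 transport input ssh ({name})"] = "transport input ssh" in cmds
        result[f"1.2.5-1.2.8 exec-timeout ({name})"] = exec_timeout_ok(cmds)
    return result


def failing_items(text):
    """Sorted item names that fail, i.e. the remediation still needed."""
    return sorted(item for item, ok in audit(text).items() if not ok)
```

Run `failing_items(WEAK_CONFIG)` to list the ten items the weak config misses; the hardened config returns an empty list.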

Set 'ntp authentication-key'

Set the 'ntp trusted-key'


Set 'key' for each 'ntp server'

Set 'ip address' for 'ntp server'


Create a single 'interface loopback'

Set AAA 'source-interface'

Set 'ntp source' to Loopback Interface


Set 'ip tftp source-interface' to the
Loopback Interface

Set 'no ip source-route'


Set 'no ip proxy-arp'

Set 'no interface tunnel'

Set 'ip verify unicast source reachable-via'


3.2.1 Require EIGRP Authentication if
Protocol is Used

Set 'key chain'

Set 'key'
Set 'key-string'

Set 'address-family ipv4 autonomous-


system'

Set 'af-interface default'


Set 'authentication key-chain'

Set 'authentication mode md5'

Set 'ip authentication key-chain eigrp'


Set 'ip authentication mode eigrp'

Set 'authentication message-digest' for


OSPF area
Set 'ip ospf message-digest-key md5'

Set 'key chain'


Set 'key'

Set 'key-string'

Set 'ip rip authentication key-chain'


Set 'ip rip authentication mode' to 'md5'

Set 'neighbor password'


s.here security is paramount. acts as defense in depth measure.may negatively inhibit

Applicability

L1

L1

L1

L1
L1

L1

L2

L2

L2
L2

L2

L1

L1
L1

L1

L1

L1

L1
L1

L1
L1

L1

L1
L1

L1

L1
L1

L1

L1
L1

L1

L1
L1

L1

L2
L2
L1

L1

L1
L1

L1

L1
L1

L1

L1
L1

L1

L1
L1

L1
L1

L1

L1
L1

L1
L2

L2

L2
L2

L1
L2

L2

L2
L2

L1
L2

L2

L2
L2

L2
L2

L2

L2
L2

L2

L2
L2

L2
L2

L2
L2

L2

L2
L2

L2
ts as defense in depth measure.may negatively inhibit the utility or

Recommandation

Globally enable authentication, authorization and accounting


(AAA) using the new-model command.
hostname(config)#aaa new-model

Configure AAA authentication method(s) for login


authentication.
hostname(config)#aaa authentication login {default |
aaa_list_name} [passwd-expiry] method1 [method2]

Configure AAA authentication method(s) for enable


authentication.
hostname(config)#aaa authentication enable default
{method1} enable
Configure management lines to require login using the
default or a named AAA authentication list. This
configuration must be set individually for all line types.
hostname(config)#line console 0
hostname(config-line)#login authentication {default |
aaa_list_name}
Configure management lines to require login using the
default or a named AAA authentication list. This
configuration must be set individually for all line types.
hostname(config)#line tty {line-number} [ending-line-
number] hostname(config-line)#login authentication
{default | aaa_list_name}
Configure management lines to require login using the default
or a named AAA authentication list. This configuration must be
set individually for all line types.
hostname(config)#line vty {line-number} [ending-line-
number] hostname(config-line)#login authentication
{default | aaa_list_name}

Configure AAA accounting for commands.

hostname(config)#aaa accounting commands 15 {default |


list-name | guarantee-first} {start-stop | stop-only | none}
{radius | group group-name}

Configure AAA accounting for connections.


hostname(config)#aaa accounting connection {default | list-
name | guarantee-first} {start-stop | stop-only | none}
{radius | group group-name}

Configure AAA accounting for EXEC shell session.


hostname(config)#aaa accounting exec {default | list-name |
guarantee-first} {start-stop | stop-only | none} {radius |
group group-name}
Configure AAA accounting for connections.
hostname(config)#aaa accounting network {default | list-
name | guarantee-first} {start-stop | stop-only | none}
{radius | group group-name}

Configure AAA accounting system.


hostname(config)#aaa accounting system {default | list-name
| guarantee-first} {start-stop | stop-only | none} {radius |
group group-name}

Set the local user to privilege level 1.


hostname(config)#username <LOCAL_USERNAME> privilege
1

Apply SSH to transport input on all VTY management lines


hostname(config)#line vty <line-number> <ending-line-
number>
hostname(config-line)#transport input ssh
Disable the EXEC process on the auxiliary port.
hostname(config)#line aux 0 hostname(config-line)#no exec

Configure remote management access control restrictions for


all VTY lines.
hostname(config)#line vty <line-number> <ending-line-
number> hostname(config-line)# access-class
<vty_acl_number> in

Configure device timeout (10 minutes or less) to disconnect


sessions after a fixed idle time.
hostname(config)#line aux 0
hostname(config-line)#exec-timeout <timeout_in_minutes>
<timeout_in_seconds>

Configure device timeout (10 minutes or less) to disconnect


sessions after a fixed idle time.
hostname(config)#line con 0 hostname(config-line)#exec-
timeout <timeout_in_minutes> <timeout_in_seconds>

Configure device timeout (10 minutes or less) to disconnect


sessions after a fixed idle time.
hostname(config)#line tty {line_number}
[ending_line_number] hostname(config-line)#exec-timeout
<timeout_in_minutes> <timeout_in_seconds>
Configure device timeout (10 minutes or less) to disconnect
sessions after a fixed idle time.
hostname(config)#line vty {line_number}
[ending_line_number] hostname(config-line)#exec-timeout
<timeout_in_minutes> <timeout_in_seconds>

Disable the inbound connections on the auxiliary port.


hostname(config)#line aux 0 hostname(config-
line)#transport input none
Configure the EXEC banner presented to a user when
accessing the devices enable prompt.
hostname(config)#banner exec c
Enter TEXT message. End with the character 'c'.
<banner-text> c

Configure the device so a login banner presented to a user


attempting to access the device.
hostname(config)#banner login c
Enter TEXT message. End with the character 'c'.
<banner-text> c

Configure the message of the day (MOTD) banner presented


when a user first connects to the device.
hostname(config)#banner motd c
Enter TEXT message. End with the character 'c'.
<banner-text> c
Configure a strong, enable secret password.
hostname(config)#enable secret
<ENABLE_SECRET_PASSWORD>

Enable password encryption service to protect sensitive access


passwords in the device configuration.
hostname(config)#service password-encryption

Create a local user with an encrypted, complex (not easily


guessed) password.
hostname(config)#username <LOCAL_USERNAME> secret
<LOCAL_PASSWORD>
Disable SNMP read and write access if not in used to monitor
and/or manage device.
hostname(config)#no snmp-server

Disable the default SNMP community string "private"


hostname(config)#no snmp-server community {private}

Disable the default SNMP community string "public"


hostname(config)#no snmp-server community {public}
Disable SNMP write access.
hostname(config)#no snmp-server community
{write_community_string}

Configure authorized SNMP community string and restrict


access to authorized management systems.
hostname(config)#snmp-server community
<community_string> ro {snmp_access-list_number
| snmp_access-list_name}

Configure SNMP ACL for restricting access to the device from


authorized management stations segmented in a trusted
management zone.
hostname(config)#access-list <snmp_acl_number> permit
<snmp_access-list> hostname(config)#access-list deny any
log
Configure authorized SNMP trap community string and restrict
sending messages to authorized management systems.
hostname(config)#snmp-server host {ip_address}
{trap_community_string} snmp

Enable SNMP traps.


hostname(config)#snmp-server enable traps snmp
authentication linkup linkdown coldstart

For each SNMPv3 group created on your router add privacy


options by issuing the following command...
hostname(config)#snmp-server group {group_name} v3 priv
For each SNMPv3 user created on your router add privacy
options by issuing the following command.
hostname(config)#snmp-server user {user_name}
{group_name} v3 encrypted auth sha {auth_password} priv
aes 128 {priv_password} {acl_name_or_number}
Configure an appropriate host name for the router.
hostname(config)#hostname {router_name}

Configure an appropriate domain name for the router.


hostname (config)#ip domain name {domain-name}

Configure the SSH timeout


hostname(config)#ip ssh time-out [60]
Configure the SSH timeout:
hostname(config)#ip ssh authentication-retries [3]

Configure the router to use SSH version 2


hostname(config)#ip ssh version 2

Disable Cisco Discovery Protocol (CDP) service globally.


hostname(config)#no cdp run
:
Disable the bootp server.
hostname(config)#no ip bootp server

Disable the DHCP server. hostname(config)


#no service dhcp

Disable the ident server.


hostname(config)#no ip identd
Enable TCP keepalives-in service: hostname(config)
#service tcp-keepalives-in

Enable TCP keepalives-out service:


hostname(config)#service tcp-keepalives-out

Disable the PAD service.


hostname(config)#no service pad
Enable system logging.
hostname(config)#logging on

Configure buffered logging (with minimum size).


Recommended size is 64000.
hostname(config)#logging buffered [log_buffer_size]
Configure console logging level.
hostname(config)#logging console critical

Designate one or more syslog servers by IP address.


hostname(config)#logging host syslog_server

Configure SNMP trap and syslog logging level.


hostname(config)#logging trap informational
Configure debug messages to include timestamps.
hostname(config)#service timestamps debug datetime
{msec} show-timezone

Bind logging to the loopback interface.


hostname(config)#logging source-interface loopback
{loopback_interface_number}
Configure NTP authentication:
hostname(config)#ntp authenticate

Configure at the NTP key ring and encryption key using the
following command
hostname(config)#ntp authentication-key {ntp_key_id} md5
{ntp_key}

Configure the NTP trusted key using the following command


hostname(config)#ntp trusted-key {ntp_key_id}
Configure each NTP Server to use a key ring using the
following command.
hostname(config)#ntp server {ntp-server_ip_address}{key
ntp_key_id}

Configure at least one external NTP Server using the following


commands
hostname(config)#ntp server {ip address}
Define and configure one loopback interface.
hostname(config)#interface loopback <number>
hostname(config-if)#ip address <loopback_ip_address>
<loopback_subnet_mask>

Bind AAA services to the loopback interface.


Hostname(config)#ip {tacacs|radius} source-interface
loopback {loopback_interface_number)

Bind the NTP service to the loopback interface.


hostname(config)#ntp source loopback
{loopback_interface_number}
Bind the TFTP client to the loopback interface.
hostname(config)#ip tftp source-interface loopback
{loobpback_interface_number}

Disable source routing.


hostname(config)#no ip source-route
Disable proxy ARP on all interfaces.
hostname(config)#interface {interface} hostname(config-
if)#no ip proxy-arp

Remove any tunnel interfaces.


hostname(config)#no interface tunnel {instance}

Configure uRPF.
hostname(config)#interface {interface_name}
hostname(config-if)#ip verify unicast source reachable-via rx
Establish the key chain.
hostname(config)#key chain {key-chain_name}

Configure the key number.


hostname(config-keychain)#key {key-number}
Configure the key string.
hostname(config-keychain-key)#key-string <key-string>

Configure the EIGRP address family.


hostname(config)#router eigrp <virtual-instance-name>
hostname(config-router)#address-family ipv4 autonomous-
system {eigrp_as-number}

Configure the EIGRP address family.


hostname(config)#router eigrp <virtual-instance-name>
hostname(config-router)#address-family ipv4 autonomous-
system {eigrp_as-number} hostname(config-router-af)#af-
interface default
Configure the EIGRP address family key chain.

hostname(config)#router eigrp <virtual-instance-name>


hostname(config-router)#address-family ipv4 autonomous-
system {eigrp_as-number} hostname(config-router-af)#af-
interface {interface-name}

Configure the EIGRP address family authentication mode.

hostname(config)#router eigrp <virtual-instance-name>


hostname(config-router)#address-family ipv4 autonomous-
system {eigrp_as-number} hostname(config-router-af)#af-
interface {interface-name} hostname(config-router-af-
interface)#authentication mode md5

Configure the interface with the EIGRP key chain.


hostname(config)#interface {interface_name}
hostname(config-if)#ip authentication key-chain eigrp
{eigrp_as-number} {eigrp_keychain_name}
Configure the interface with the EIGRP authentication mode.
hostname(config)#interface {interface_name}
hostname(config-if)#ip authentication mode eigrp {eigrp_as-
number} md5

Configure the Message Digest option for OSPF.


hostname(config)#router ospf <ospf_process-id>
hostname(config-router)#area <ospf_area-id> authentication
message-digest
Configure the appropriate interface(s) for Message Digest
authentication
hostname(config)#interface {interface_name}
hostname(config-if)#ip ospf message-digest-key
{ospf_md5_key-id} md5 {ospf_md5_key}

Establish the key chain.


hostname(config)#key chain {rip_key-chain_name}
Configure the key number.
hostname(config-keychain)#key {key-number}

Configure the key string.


hostname(config-keychain-key)#key-string <key-string>

Configure the Interface with the RIPv2 key chain.


hostname(config)#interface {interface_name}
hostname(config-if)#ip rip authentication key-chain {rip_key-
chain_name}
Configure the RIPv2 authentication mode on the necessary
interface(s)
hostname(config)#interface <interface_name>
hostname(config-if)#ip rip authentication mode md5

Configure BGP neighbor authentication where feasible.


hostname(config)#router bgp <bgp_as-number>
hostname(config-router)#neighbor <bgp_neighbor-ip | peer-
group-name> password <password>
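As an added example that is not part of the benchmark sheet, the following Python script audits an IOS running-config against a subset of the Management Plane and Control Plane items listed above (aaa new-model, enable secret, service password-encryption, SSH-only VTY access with an access-class, aux port lockdown, exec-timeout of at most 10 minutes, default or RW SNMP communities, ip ssh version 2, no cdp run, no ip source-route, logging host, ntp authenticate). The sample configuration is constructed for the demonstration; the check names are the script's own labels and an exec-timeout that is absent from the config is treated as a finding because the benchmark asks for it to be set explicitly.

```python
"""Audit a Cisco IOS running-config against a subset of the benchmark items above."""
import re
from typing import Dict, List, Tuple


def parse_ios_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global commands and per-'line' sections.

    Returns (global_cmds, line_sections) where line_sections maps e.g. "vty 0 4"
    to its sub-commands. IOS indents sub-commands with one space, so an unindented
    line ends a section. Sub-commands of other sections (interface, router ...) are
    not needed by the checks below and are skipped.
    """
    global_cmds: List[str] = []
    line_sections: Dict[str, List[str]] = {}
    section = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if section is not None:
                line_sections[section].append(raw.strip())
            continue
        section = None
        cmd = raw.strip()
        m = re.match(r"line (con|aux|tty|vty)\s+(.+)$", cmd)
        if m:
            section = f"{m.group(1)} {m.group(2).strip()}"
            line_sections.setdefault(section, [])
        else:
            global_cmds.append(cmd)
    return global_cmds, line_sections


def exec_timeout_ok(section: List[str], max_minutes: int = 10) -> bool:
    """True when the section sets exec-timeout to between 1 second and max_minutes.

    'exec-timeout 0 0' disables the idle timeout, so it fails. A missing command
    also fails: the benchmark wants the value set rather than left to the default.
    """
    for cmd in section:
        m = re.fullmatch(r"exec-timeout (\d+)(?: (\d+))?", cmd)
        if m:
            total = int(m.group(1)) * 60 + int(m.group(2) or 0)
            return 0 < total <= max_minutes * 60
    return False


def audit_ios_config(text: str) -> List[str]:
    """Return the labels of the checks that the configuration fails, in check order."""
    global_cmds, line_sections = parse_ios_config(text)
    findings: List[str] = []

    def expect(condition: bool, check: str) -> None:
        if not condition:
            findings.append(check)

    # Global settings from the AAA, password, SSH, CDP, routing, logging and NTP rows
    expect("aaa new-model" in global_cmds, "aaa new-model")
    expect(any(c.startswith("enable secret ") for c in global_cmds), "enable secret")
    expect("service password-encryption" in global_cmds, "service password-encryption")
    expect("ip ssh version 2" in global_cmds, "ip ssh version 2")
    expect("no cdp run" in global_cmds, "no cdp run")
    expect("no ip source-route" in global_cmds, "no ip source-route")
    expect(any(c.startswith("logging host ") for c in global_cmds), "logging host")
    expect("ntp authenticate" in global_cmds, "ntp authenticate")

    # SNMP communities: the default strings and any RW community are findings
    for c in global_cmds:
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW)\b)?", c)
        if m:
            name, mode = m.group(1), m.group(2) or "RO"
            if name.lower() in ("public", "private"):
                findings.append(f"snmp-server community {name} (default string)")
            if mode == "RW":
                findings.append(f"snmp-server community {name} (RW)")

    # Per-line settings: SSH-only VTYs with an access-class, locked-down aux, idle timeout
    for name, section in line_sections.items():
        kind = name.split()[0]
        if kind == "vty":
            expect("transport input ssh" in section, f"line {name}: transport input ssh")
            expect(any(c.startswith("access-class ") for c in section), f"line {name}: access-class")
        if kind == "aux":
            expect("no exec" in section, f"line {name}: no exec")
            expect("transport input none" in section, f"line {name}: transport input none")
        expect(exec_timeout_ok(section), f"line {name}: exec-timeout <= 10 minutes")
    return findings


# Constructed sample running-config (not a real device) mixing compliant and non-compliant rows
SAMPLE_CONFIG = """\
!
hostname edge-rtr-1
!
aaa new-model
enable secret 9 $9$placeholder
no ip source-route
ip ssh version 2
snmp-server community public RO 10
snmp-server community netmon RW 10
logging host 192.0.2.10
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
line con 0
 exec-timeout 5 0
line aux 0
 exec-timeout 0 0
 no exec
 transport input none
line vty 0 4
 exec-timeout 10 0
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input telnet ssh
!
"""

if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print("FAIL:", finding)
```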
Level 1 (L1): Items in this profile intend to: be practical and prudent; provide a clear security benefit; and not inhibit the utility of the technology beyond acceptable means.
Level 2 (L2): This profile extends the "Level 1" profile. Items in this profile exhibit one or more of the following characteristics: are intended for environments or use cases where security is paramount; acts as defense in depth measure; may negatively inhibit the utility or performance of the technology.

Sr No | Domain | Sub-Domain | Description | Applicability | Recommendation
(Each row below gives the description, the applicability level in brackets, and the recommendation; the Sub-Domain column is empty on this sheet.)

Domain 1. Wireless LAN Controller (rows 1-16)

1. Install the Latest Firmware [L1]
   Download the latest firmware from the Cisco Website and apply it to the Wireless LAN Controller.

2. Ensure 'Password Strength' is Strong for configured 'User Names' [L1]
   Change the management user's password to one that meets the strong password requirements. The Wireless LAN Controller determines a password is strong if it meets the following requirements:
   • It is at least eight characters long.
   • It contains a combination of upper- and lowercase letters, numbers, and symbols.
   • It is not a word in any language.
   The new password can be applied using:
   (Cisco Controller) >config mgmtuser password <username> <password>

3. Delete the 'User Name' admin [L1]
   New management users can be configured using the following command.
   (Cisco Controller) >config mgmtuser add <username> <password> <privilege level>
   After the creation of a new administrative username with the appropriate privileges, the default one can be removed.
   (Cisco Controller) >config mgmtuser delete admin

4. Ensure 'Telnet' is disabled [L1]
   1. Disable command-line administration through telnet.
   (Cisco Controller) >config network telnet disable
   2. Enable command-line administration through Secure Shell Version 2 (SSHv2).
   (Cisco Controller) >config network ssh enable

5. Ensure 'Webmode' is disabled [L1]
   Disable administration through webmode.
   (Cisco Controller) >config network webmode disable

6. Disable 'Management via Wireless Interface' [L1]
   Disable access to the admin interface from wireless clients using the following command.
   (Cisco Controller) >config network mgmt-via-wireless disable

7. Ensure the 'CLI Login Timeout (minutes)' is less than or equal to 5 [L2]
   Reset the default authentication timeout value to 5 minutes.
   (Cisco Controller) >config sessions timeout 5

8. Ensure 'SNMP v1 Mode' is disabled [L1]
   Disable SNMP version v1.
   (Cisco Controller) >config snmp version v1 disable

9. Ensure 'SNMP v2c Mode' is disabled [L1]
   Disable SNMP version v2c.
   (Cisco Controller) >config snmp version v2c disable

10. Delete the 'SNMP v3 User Name' default [L1]
   Delete the default Simple Network Management Protocol Version 3 user.
   (Cisco Controller) >config snmp v3user delete default
   If Simple Network Management Protocol Version 3 is to be used for network management, create a new Simple Network Management Protocol Version 3 user:
   (Cisco Controller) >config snmp v3user create <username> <ro/rw> <authentication type> <encryption type> <authentication key> <encryption key>

11. Configure 'an authorized IP Address' for 'Logging Syslog Host' [L1]
   To enable external logging to a syslog server, execute the following command:
   (Cisco Controller) >config logging syslog host <IP Address>

12. Configure 'an authorized IP Address' for 'NTP Server' [L2]
   Configure an authorized IP address for the NTP server.
   (Cisco Controller) >config time ntp server <index> <IP Address>

13. Ensure 'Signature Processing' is enabled [L1]
   Enable all Wireless Protection Policies.
   (Cisco Controller) >config wps signature enable

14. Enable 'all' Policies for 'wps client-exclusion' [L2]
   Enable the Client Exclusion Policies:
   (Cisco Controller) >config wps client-exclusion all

15. Ensure 'Rogue Location Discovery Protocol' is enabled [L2]
   Enable the Rogue Location Discovery Protocol:
   (Cisco Controller) >config rogue ap rldp enable {alarm-only | auto-contain}

16. Ensure 'Control Path Rate Limiting' is enabled [L1]
   Enable control plane policing on the controller.
   (Cisco Controller) >config advanced rate enable

Domain 2. Wireless Local Area Network (LAN) Configurations (rows 17-19)

17. Ensure 'Broadcast SSID' is disabled [L1]
   1. Determine the WLANs to which the change will be made:
   (Cisco Controller) >show wlan summary
   2. Disable broadcast SSID on all WLANs using:
   (Cisco Controller) >config wlan broadcast-ssid disable <WLAN ID>

18. Ensure 'WPA2-Enterprise' is Enabled for configured 'Wireless LAN identifiers' [L1]
   Run the following command for each WLAN ID on which WPA2 is not enabled.
   (Cisco Controller) >config wlan security wpa2 enable <WLAN ID>

19. Ensure 'Peer-to-Peer Blocking Action' is set to 'Drop' for All 'Wireless LAN Identifiers' [L1]
   1. Determine which WLANs will be changed:
   (Cisco Controller) >show wlan summary
   2. Enable client isolation or Publicly Secure Packet Forwarding on WLANs:
   (Cisco Controller) >config wlan peer-blocking drop <WLAN ID>
Sr
Domain Sub-Domain
No

1 1. Management Plane 1.1 Password Management

2 1. Management Plane 1.1 Password Management

3 1. Management Plane 1.1 Password Management

4 1. Management Plane 1.1 Password Management

5 1. Management Plane 1.1 Password Management

6 1. Management Plane 1.2 Device Management


7 1. Management Plane 1.2 Device Management

8 1. Management Plane 1.2 Device Management

9 1. Management Plane 1.3 Image Security

10 1. Management Plane 1.4 AAA

11 1. Management Plane 1.4 AAA


12 1. Management Plane 1.4 AAA

13 1. Management Plane 1.4 AAA

14 1. Management Plane 1.4 AAA

15 1. Management Plane 1.4 AAA

16 1. Management Plane 1.4 AAA

17 1. Management Plane 1.4 AAA

18 1. Management Plane 1.4 AAA

19 1. Management Plane 1.4 AAA

20 1. Management Plane 1.4 AAA


21 1. Management Plane 1.4 AAA

22 1. Management Plane 1.4 AAA

23 1. Management Plane 1.4 AAA

24 1. Management Plane 1.4 AAA

25 1. Management Plane 1.4 AAA

26 1. Management Plane 1.4 AAA

27 1. Management Plane 1.4 AAA

28 1. Management Plane 1.5 Banner Rules

29 1. Management Plane 1.5 Banner Rules

30 1. Management Plane 1.5 Banner Rules

31 1. Management Plane 1.6 SSH Rules

32 1. Management Plane 1.6 SSH Rules


33 1. Management Plane 1.6 SSH Rules

34 1. Management Plane 1.6 SSH Rules

35 1. Management Plane 1.6 SSH Rules

36 1. Management Plane 1.7 HTTP Rules

37 1. Management Plane 1.7 HTTP Rules

38 1. Management Plane 1.8 Session Timeout

39 1. Management Plane 1.8 Session Timeout

40 1. Management Plane 1.8 Session Timeout

41 1. Management Plane 1.9 Clock Rules

42 1. Management Plane 1.9 Clock Rules


43 1. Management Plane 1.9 Clock Rules

44 1. Management Plane 1.9 Clock Rules

45 1. Management Plane 1.10 Logging Rules

46 1. Management Plane 1.10 Logging Rules

47 1. Management Plane 1.10 Logging Rules

48 1. Management Plane 1.10 Logging Rules

49 1. Management Plane 1.10 Logging Rules

50 1. Management Plane 1.10 Logging Rules

51 1. Management Plane 1.10 Logging Rules

52 1. Management Plane 1.10 Logging Rules

53 1. Management Plane 1.10 Logging Rules


54 1. Management Plane 1.10 Logging Rules

55 1. Management Plane 1.10 Logging Rules

56 1. Management Plane 1.11 SNMP Rules

57 1. Management Plane 1.11 SNMP Rules

58 1. Management Plane 1.11 SNMP Rules

59 1. Management Plane 1.11 SNMP Rules

60 1. Management Plane 1.11 SNMP Rules

2.1 Routing Protocol


61 2. Control Plane
Authentication
2.1 Routing Protocol
62 2. Control Plane
Authentication

2.1 Routing Protocol


63 2. Control Plane
Authentication

64 2. Control Plane 2.2 Non-Proxy-ARP

65 2. Control Plane 2.3 DNS-Guard

66 2. Control Plane 2.4 DHCP-Services

67 2. Control Plane 2.5 ICMP


68 3. Data Plane 3.1 DNS Services

69 3. Data Plane 3.2 IPS

70 3. Data Plane 3.3 Packet Fragmentation

71 3. Data Plane 3.4 DDOS


72 3. Data Plane 3.5 Threat Detection

73 3. Data Plane 3.6 IP verify

74 3. Data Plane 3.7 Security Level

75 3. Data Plane 3.8 Botnet

76 3. Data Plane 3.9 Active X


77 3. Data Plane 3.10 Java Applet

78 3. Data Plane 3.11 Access List


Description

Ensure Logon Password is set

Ensure Enable Password is set

Ensure Master Key Passphrase is


set

Ensure 'Password Recovery' is


disabled

Ensure Password Policy is


enabled.

Ensure Domain Name is set


Ensure 'Failover' is enabled

Ensure 'Unused Interfaces' is


disable

Ensure 'Image Authenticity' is


correct

Ensure 'aaa local authentication


max failed attempts' is set to less
than or equal to '3'

Ensure 'local username and


password' is set
Ensure known default accounts
do not exist

Ensure 'TACACS+/RADIUS' is
configured correctly

Ensure 'aaa authentication enable


console' is configured correctly

Ensure 'aaa authentication http


console' is configured correct

Ensure 'aaa authentication


secure-http-client' is configured
correctly

Ensure 'aaa authentication serial


console' is configured correctly

Ensure 'aaa authentication ssh


console' is configured correctly

Ensure 'aaa authentication telnet


console' is configured correctly

Ensure 'aaa command


authorization' is configured
correctly
Ensure 'aaa authorization exec' is
configured correctly

Ensure 'aaa command


accounting' is configure

Ensure 'aaa accounting for SSH' is


configured correctly

Ensure 'aaa accounting for Serial


console' is configured correctly

Ensure 'aaa accounting for EXEC


mode' is configured correctly

Ensure 'aaa command


accounting' is configured
correctly

Ensure 'aaa accounting for SSH' is


configured correctly

Ensure 'ASDM banner' is set

Ensure 'EXEC banner' is set

Ensure 'LOGIN banner' is set

Ensure 'SSH source restriction' is


set to an authorized IP address

Ensure 'SSH version 2' is enabled


Ensure 'RSA key pair' is greater
than or equal to 2048 bits

Ensure 'SCP protocol' is set to


Enable for files transfers

Ensure 'Telnet' is disabled

Ensure 'HTTP source restriction' is


set to an authorized IP address

Ensure 'SSL AES 256 encryption'


is set for HTTPS access

Ensure 'console session timeout'


is less than or equal to '5'
minutes

Ensure 'SSH session timeout' is


less than or equal to '5' minutes

Ensure 'HTTP session timeout' is


less than or equal to '5' minutes

Ensure 'NTP authentication' is enab

Ensure 'NTP authentication key' is


Ensure 'trusted NTP server' exists

Ensure 'local timezone' is properly


configured

Ensure 'logging' is enabled

Ensure 'logging to Serial console'


is disabled

Ensure 'logging to monitor' is


disabled

Ensure 'syslog hosts' is configured

Ensure 'logging with the device


ID' is configured correctly

Ensure 'logging history severity


level' is set to greater than or
equal to '5'

Ensure 'logging with timestamps'


is enabled

Ensure 'syslog logging facility' is


equal to '23'

Ensure 'logging buffer size' is


greater than or equal to '524288'
bytes (512kb)
Ensure 'logging buffered severity
level' is greater than or equal to
'3'

Ensure 'logging trap severity


level' is greater than or equal to
'5'

Ensure 'snmp-server group' is set to

Ensure 'snmp-server user' is set


to 'v3 auth SHA'

Ensure 'snmp-server host' is set


to 'version 3'

Ensure 'SNMP traps' is enabled

Ensure 'SNMP community string' is n

Ensure 'RIP authentication' is enab


Ensure 'OSPF authentication' is
enabled

Ensure 'EIGRP authentication' is en

Ensure 'noproxyarp' is enabled for

Ensure 'DNS Guard' is enabled

Ensure DHCP services are disabled

Ensure ICMP is restricted for untrus


Ensure DNS services are configured

Ensure intrusion prevention is enab

Ensure packet fragments are restric

Ensure DOS protection is enabled fo


Ensure 'threat-detection statistics'
is set to 'tcp-intercept'

Ensure 'ip verify' is set to


'reverse-path' for untrusted
interfaces

Ensure 'security-level' is set to '0'


for Internet-facing interface

Ensure Botnet protection is enabled

Ensure ActiveX filtering is enabled


Ensure Java applet filtering is enab

Ensure explicit deny in access lists


Recommendation (8.X and 9.X)
Run the following to set the login password.
hostname(config)#passwd <login_password>

Run the following to set the enable password.


hostname(config)#enable password <enable_password> level
<privilege_level>
• Step 1: Set the master key passphrase with the following command:
hostname (config)# key config-key password-encryption <passphrase>

The passphrase is between 8 and 128 characters long


• Step 2: Enable the AES encryption of existing keys of the running-configuration
hostname(config)# password encryption aes
• Step 3: Run the following for the encryption of keys in the startup-configuration
hostname(config)# write memory

Run the following to disable the password recovery:


hostname (config)# no service password-recovery

• Step 1: Run the following to set the password lifetime in days to less than or equal
to 180
hostname(config)#password-policy lifetime 30

• Step 2: Run the following to set the minimum number of characters that must be
changed between the old and the new passwords, to be to be greater than or equal
to 14
hostname(config)#password-policy minimum-changes 14
• Step 3: Run the following to set the minimum number of upper case characters in
the password, to be to be greater than or equal to 1
hostname(config)#password-policy minimum-uppercase 1
• Step 4: Run the following to set the minimum number of lower case characters in
the password, to be to be greater than or equal to 1
hostname(config)#password-policy minimum-lowercase 1
• Step 5: Run the following to set the minimum number of numeric characters in the
password, to be greater than or equal to 1
hostname(config)#password-policy minimum-numeric 1
• Step 6: Run the following to set the minimum number of special characters in the
password, to be greater than or equal to 1
hostname(config)#password-policy minimum-special 1
• Step 7: Run the following to set the password minimum length, to be greater than
or equal to 14
hostname(config)#password-policy minimum-length 14

• Step 1: Acquire the enterprise domain name (enterprise_domain)


• Step 2: Run the following to configure the domain name
hostname(config)#domain-name <enterprise_domain>
Follow the steps below to enable active/standby failover. The commands are run in
the system execution space
• Step 1: For each appliance, identify the failover link physical interface
<failover_interface_physical> and assign it a name <failover_interface_name> and
IP address <failover_interface_ip> and subnet mask <failover_interface_mask>.
Identify the other device IP address for each appliance as <peer_failover_ip>
• Step 2: For each appliance, identify the state link physical interface
<state_interface_physical> and assign it a name <state_interface_name> and IP
address <state_interface_ip> and subnet mask <state_interface_mask>. Identify the
other device IP address for each appliance as <peer_state_ip>
• Step 3: Run the following on the Active device to set it as primary node
hostname(config)#failover lan unit primary
• Step 4: Run the following on the Standby device to set it as secondary node
hostname(config)#failover lan unit secondary
• Step 5: Run the following on both security appliances
hostname(config)#failover lan interface <failover_interface_name> <failover_interface_physical>
hostname(config)#failover interface ip <failover_interface_name> <failover_interface_ip> <failover_interface_mask> standby <peer_failover_ip>
hostname(config)#interface <failover_interface_physical>
hostname(config-if)#no shutdown
hostname(config)#failover link <state_interface_name> <state_interface_physical>
hostname(config)#failover interface ip <state_interface_name> <state_interface_ip> <state_interface_mask> standby <peer_state_ip>
hostname(config)#interface <state_interface_physical>
hostname(config-if)#no shutdown
hostname(config)#failover
hostname(config)#write memory
The failover and state links carry the full configuration, including passwords and keys, and the connection state table. Use dedicated, physically isolated links for them and configure the same failover key (failover key <failover_key>) on both units so that this traffic is encrypted rather than sent in clear text.
• Step 1: Identify the physical name <interface_physical_name> of the unused interfaces that are not disabled
• Step 2: For each of the identified interfaces, run the following command
hostname(config)#interface <interface_physical_name>
hostname(config-if)#shutdown
Run the following command to verify the authenticity of the image currently running on the security appliance
hostname#show software authenticity running | in CiscoSystems$
If the filtered output is empty, the running image did not report a Cisco signature; treat it as suspect until it has been verified against a trusted copy.

Run the following to configure the maximum number of consecutive local login
failures to be less than or equal to 3
hostname(config)# aaa local authentication attempts max-fail 3

Run the following to set a local username and password.
hostname(config)#username <local_username> password <local_password> privilege <level>

The privilege level is chosen between 0 and 15. If the privilege is not configured, the default one is 2.
• Step 1: Acquire the Enterprise customized administrative account <customized_admin_account> and password <admin_password>
• Step 2: Run the following to create the customized administrative account as well as the required privilege level <privilege_level>
hostname(config)#username <customized_admin_account> password <admin_password> privilege <privilege_level>

• Step 1: Acquire the enterprise standard protocol <protocol_name> for authentication (TACACS+ or RADIUS)
• Step 2: Run the following to configure the AAA server-group for the required protocol
hostname(config)#aaa-server <server-group_name> protocol <protocol_name>
• Step 3: Run the following to configure the AAA server:
hostname(config)#aaa-server <server-group_name> (<interface_name>) host <aaaserver_ip> <shared_key>
Configure the aaa authentication for enable access using the TACACS+ server-group as primary method and the local database as backup method
hostname(config)# aaa authentication enable console <server-group_name> local
Configure the aaa authentication for http using the TACACS+ server-group as primary method and the local database as backup method.
hostname(config)#aaa authentication http console <server-group_name> local
Configure the secure aaa authentication for http, so that the credentials of users authenticating through the appliance over HTTP are exchanged over SSL instead of in clear text
hostname(config)#aaa authentication secure-http-client

Configure the aaa authentication serial using the TACACS+ server-group as primary method and the local database as backup method.
hostname(config)#aaa authentication serial console <server-group_name> local
Configure the aaa authentication ssh using the TACACS+ server-group as primary method and the local database as backup method.
hostname(config)#aaa authentication ssh console <server-group_name> local
Configure the aaa authentication Telnet using the TACACS+ server-group as primary method and the local database as backup method. This only matters while Telnet access is still configured; the Telnet removal steps below make it moot.
hostname(config)#aaa authentication telnet console <server-group_name> local
Run the following to set the remote TACACS+ servers <server-group_name> as the source of command authorization and the local database (LOCAL) as the fallback method if the remote servers are not available.
hostname(config)# aaa authorization command <server-group_name> LOCAL

Command authorization is supported with TACACS+ server groups and the local database only, not with RADIUS. With LOCAL as the fallback, each privilege level must have its command set configured locally and each username must be assigned the matching privilege, in accordance with the command and privilege definitions on the remote servers; otherwise administrators gain or lose commands whenever the fallback is in use.
Run the following to enable the AAA authorization exec
hostname(config)# aaa authorization exec authentication-server

Run the following in order to record all the commands entered at all the privilege levels and to send them to the AAA servers
hostname(config)# aaa accounting command <server-group_name>

Run the following in order to record ssh session start and stop and to send them to the AAA servers
hostname(config)#aaa accounting ssh console <server-group_name>
Run the following in order to record serial console session start and stop and to send them to the AAA servers
hostname(config)#aaa accounting serial console <server-group_name>

Run the following in order to record privileged EXEC (enable) session start and stop and to send them to the AAA servers
hostname(config)# aaa accounting enable console <server-group_name>

Run the following command to set the ASDM banner where <line_of_message> is a line of the banner text.
hostname(config)#banner asdm <line_of_message>

Run the following command to set the EXEC banner where <line_of_message> is a line of the banner text.
hostname(config)#banner exec <line_of_message>

Repeat the command for each line if the banner text has several lines.
Run the following command to set the LOGIN banner where <line_of_message> is a line of the banner text.
hostname(config)#banner login <line_of_message>

Repeat the command for each line if the banner text has several lines.

Run the following to enable SSH access source restriction
hostname(config)#ssh <source_ip> <source_netmask> <interface_name>

Repeat the command for each authorized management subnet. A statement with 0.0.0.0 0.0.0.0 as source allows any address and defeats the restriction.
Run the following to enable SSH version 2
hostname(config)# ssh version 2
• Step 1: Acquire the enterprise standard RSA key size <enterprise_RSA_key_size>, greater than or equal to 2048 bits
• Step 2: If the audit procedure revealed existing non-compliant key pairs, run the following to remove them:
hostname(config)#crypto key zeroize rsa
• Step 3: Run the following to generate a compliant RSA key pair:
hostname(config)# crypto key generate rsa modulus <enterprise_RSA_key_size>
• Step 4: Run the following to save the RSA keys to persistent Flash memory
hostname(config)#write memory
Perform Steps 2 and 3 from the console or within a single SSH session, because new SSH logins are impossible between zeroizing the old key pair and generating the new one. The new key pair changes the appliance's SSH host key, so administrators' clients will report a host-key mismatch and must be given the new fingerprint out of band. Without Step 4 the keys are lost at the next reload.
Run the following command to enable secure copy
hostname(config)# ssh scopy enable

• Step 1: Run the following to remove the telnet access
hostname(config)#no telnet 0.0.0.0 0.0.0.0 <interface_name>

Repeat for every telnet <address> <mask> <interface_name> statement present in the running configuration, not only the 0.0.0.0 0.0.0.0 one.
• Step 2: Run the following to remove the configured telnet timeout
hostname(config)#no telnet timeout <configured_timeout>

Run the following to enable HTTP access source restriction
hostname(config)#http <source_ip> <source_netmask> <interface_name>

For version 8.x, run the following command to enable the AES 256 algorithm
hostname(config)# ssl encryption aes256-sha1

For version 9.x, run the following command to enable the AES 256 algorithm
hostname(config)# ssl cipher tlsv1 custom AES256-SHA

The 9.x form sets the cipher list for one protocol version only. Set it for every version the appliance is allowed to negotiate (for example ssl cipher tlsv1.2 custom ... on releases that support TLS 1.2), restrict the accepted versions with ssl server-version, and prefer ECDHE-based suites where the release offers them, since AES256-SHA uses RSA key exchange and gives no forward secrecy.

• Step 1: Run the following command to set the console timeout to less than or equal
to 5 minutes
hostname(config)# console timeout 5
• Step 1: Run the following to set the SSH timeout to 5 minutes
hostname(config)# ssh timeout 5

• Step 1: Run the following to set the HTTP timeout to less than or equal to 5 minutes
hostname(config)# http server session-timeout 5

Run the following command to enable NTP authentication
hostname(config)#ntp authenticate

• Step 1: Run the following to set the authentication key ID <key_id>
hostname(config)# ntp trusted-key <key_id>
• Step 2: Run the following to configure the authentication key <authentication_key>
hostname(config)# ntp authentication-key <key_id> md5 <authentication_key>
• Step 1: Acquire the authentication key ID <key_id>, the IP address of the NTP server <ip_address> and the interface <interface_name> used by the appliance to communicate with the NTP server.
• Step 2: Run the following to configure the trusted NTP server
hostname(config)# ntp server <ip_address> key <key_id> source <interface_name>
The same key ID and secret must be configured on the NTP server. Verify with show ntp associations detail that the association to the server is reported as authenticated.
• Step 1: Acquire the standard time zone name <enterprise_zone_name> used by the enterprise (GMT, UTC, EDT, PST) and its offset from UTC in hours <local_offset>
• Step 2: Run the following to configure the required value
hostname(config)# clock timezone <enterprise_zone_name> <local_offset>

Run the following to enable logging
hostname(config)#logging enable

Run the following command to disable the logging to console
hostname(config)#no logging console

Run the following command to disable the logging monitor
hostname(config)#no logging monitor

Run the following to configure the Syslog server
hostname(config)# logging host <interface_name> <host_ip_address>

By default messages are sent to UDP port 514 in clear text; tcp/<port> may be appended to use TCP. With TCP syslog the appliance stops passing new connections when the server becomes unreachable unless logging permit-hostdown is also configured.
Run the following to enable logging with the device hostname:
hostname(config)#logging device-id hostname

In a multi-context security appliance, run the following command:
hostname(config)#logging device-id context-name

• Step 1: Run the following command to set the severity level of syslog messages sent as SNMP traps (logging history) to 5:
hostname(config)# logging history 5

The severity level can be chosen between 0 and 7

Run the following command to enable the logging timestamp
hostname(config)#logging timestamp

• Step 1: Run the following command to set the logging facility to 23 (local7)
hostname(config)# logging facility 23

• Step 1: Run the following command to set the logging buffer-size to 524288
hostname(config)# logging buffer-size 524288

The size is in bytes and is to be chosen between 4096 and 1048576 bytes
• Step 1: Run the following command to set the logging buffered severity to greater than or equal to 3:
hostname(config)# logging buffered 3

The severity level can be chosen between 0 and 7

• Step 1: Run the following command to set the logging trap severity to 5:
hostname(config)# logging trap 5

The severity level can be chosen between 0 and 7. A higher number sends more (less severe) messages: 5 (notifications) covers configuration changes (severity 5) and access-list denies (severity 4), but successful administrator logins are reported at severity 6 (informational) and are not sent to the syslog server at this setting.

Run the following to configure the SNMP v3 group.
hostname(config)# snmp-server group <group_name> v3 priv

Run the following:
hostname(config)#snmp-server user <snmp_username> <group-name> v3 auth SHA <authentication_password> priv AES 256 <encryption_password>
Run the following to configure the SNMP v3 host
hostname(config)# snmp-server host <interface_name> <host_ip_address> version 3 <snmp_user>
Run the following command to enable SNMP traps
hostname(config)# snmp-server enable traps snmp authentication
hostname(config)# snmp-server enable traps snmp coldstart
hostname(config)# snmp-server enable traps snmp linkdown
hostname(config)# snmp-server enable traps snmp linkup

Default Value:
By default, only syslog traps are enabled

Run the following command to configure the SNMP community string
hostname(config)#snmp-server community <snmp_community_string>

A community string is only needed for SNMP v1/v2c pollers. It travels in clear text and is the only credential those versions have, so treat it as a password (never public, private or a vendor default) and do not configure one at all if every manager uses v3.
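The management-plane recommendations above can be checked mechanically against a saved configuration. The following Python script is an added example written for this page, not benchmark or Cisco code: it parses a show running-config excerpt and reports which of the checks above fail. Both configuration excerpts are constructed for the example (a weak one that fails every check beside a hardened one built from the remediation commands), and the check names, the helper functions and the reading of "logging trap 5" as "notifications or more verbose" are the script's own assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed ASA running-config excerpts for this example (not from any real device).
# WEAK_CONFIG fails every check below; HARDENED_CONFIG applies the remediation commands.
WEAK_CONFIG = """\
hostname fw-edge-01
password-policy minimum-length 8
aaa local authentication attempts max-fail 5
ssh 0.0.0.0 0.0.0.0 outside
ssh version 1
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
http server enable
http 0.0.0.0 0.0.0.0 outside
logging console debugging
logging trap warnings
ntp server 10.0.0.60 source inside
snmp-server community public
snmp-server group NETOPS v3 auth
"""

HARDENED_CONFIG = """\
hostname fw-edge-01
password-policy minimum-length 14
aaa local authentication attempts max-fail 3
ssh 10.0.0.0 255.255.255.0 management
ssh version 2
http server enable
http 10.0.0.0 255.255.255.0 management
logging enable
logging trap notifications
logging host management 10.0.0.50
ntp authentication-key 1 md5 *****
ntp trusted-key 1
ntp authenticate
ntp server 10.0.0.60 key 1 source management
snmp-server group NETOPS v3 priv
snmp-server user monitor NETOPS v3 auth sha ***** priv aes 256 *****
"""

# Syslog severity names as the running-config prints them (numeric form also accepted).
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}


def _lines(config: str) -> List[str]:
    return [ln.strip() for ln in config.splitlines() if ln.strip() and not ln.startswith("!")]


def _matching(lines: List[str], pattern: str) -> List[str]:
    rx = re.compile(pattern)
    return [ln for ln in lines if rx.match(ln)]


def _first_group(lines: List[str], pattern: str) -> Optional[str]:
    rx = re.compile(pattern)
    for ln in lines:
        m = rx.match(ln)
        if m:
            return m.group(1)
    return None


def _severity(token: str) -> int:
    return int(token) if token.isdigit() else SEVERITY[token]


def audit_mgmt_plane(config: str) -> Dict[str, bool]:
    """Return check name -> True (compliant) / False for the management-plane items."""
    lines = _lines(config)
    f: Dict[str, bool] = {}

    v = _first_group(lines, r"password-policy minimum-length (\d+)$")
    f["password minimum-length >= 14"] = v is not None and int(v) >= 14
    v = _first_group(lines, r"aaa local authentication attempts max-fail (\d+)$")
    f["local max-fail <= 3"] = v is not None and int(v) <= 3

    f["ssh version 2"] = bool(_matching(lines, r"ssh version 2$"))
    # 'telnet <addr> <mask> <if>' grants access; a leftover 'telnet timeout' alone does not.
    f["telnet access removed"] = not _matching(lines, r"telnet \d+\.\d+\.\d+\.\d+ ")
    f["ssh/http restricted to named sources"] = not _matching(
        lines, r"(ssh|http) 0\.0\.0\.0 0\.0\.0\.0 ")

    f["logging enabled"] = bool(_matching(lines, r"logging enable$"))
    f["console logging disabled"] = not _matching(lines, r"logging console")
    f["syslog host configured"] = bool(_matching(lines, r"logging host "))
    v = _first_group(lines, r"logging trap (\S+)$")
    f["logging trap at notifications (5) or higher"] = v is not None and _severity(v) >= 5

    # Every configured server must reference a key and ntp authenticate must be on.
    servers = _matching(lines, r"ntp server ")
    f["ntp authenticated"] = (bool(_matching(lines, r"ntp authenticate$"))
                              and bool(servers) and all(" key " in s for s in servers))

    communities = [ln.split()[2] for ln in _matching(lines, r"snmp-server community ")]
    f["no default snmp community"] = all(c.lower() not in ("public", "private") for c in communities)
    groups = _matching(lines, r"snmp-server group \S+ v3 ")
    f["snmpv3 groups require priv"] = bool(groups) and all(g.split()[-1] == "priv" for g in groups)
    return f


def failing(config: str) -> List[str]:
    """Names of the checks the configuration fails, in check order."""
    return [name for name, ok in audit_mgmt_plane(config).items() if not ok]


if __name__ == "__main__":
    for name in failing(WEAK_CONFIG):
        print("FAIL:", name)
    print("hardened config failing checks:", failing(HARDENED_CONFIG))
```

Feed it the output of show running-config captured over SSH; the regexes anchor at the start of each line, so indented sub-mode lines (interface, policy-map) are ignored, which is what you want for these global settings.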

• Step 1: Acquire the interface <interface_name> used by the firewall to receive RIP routing updates
• Step 2: Agree with the neighbor device on the authentication key <key_value> and determine an authentication key ID <key_id>
• Step 3: Run the following to enable RIP authentication
hostname(config)#interface <interface_name>
hostname(config-if)#rip authentication mode md5
hostname(config-if)#rip authentication key <key_value> key_id <key_id>
• Step 1: Acquire the interface <interface_name> used by the firewall to receive OSPF routing updates, the OSPF process ID <process_id> and the area ID <area_id>
• Step 2: Agree with the neighbor device on the authentication key <key_value> and determine an authentication key ID <key_id>
• Step 3: Run the following to enable OSPF authentication
hostname(config)#interface <interface_name>
hostname(config-if)#ospf authentication message-digest
hostname(config-if)#ospf message-digest-key <key_id> md5 <key_value>
hostname(config-if)#exit
hostname(config)#router ospf <process_id>
hostname(config-router)#area <area_id> authentication message-digest

• Step 1: Acquire the interface <interface_name> used by the firewall to receive EIGRP routing updates and the EIGRP Autonomous System number <as_number>
• Step 2: Agree with the neighbor device on the authentication key <key_value> and determine an authentication key ID <key_id>
• Step 3: Run the following to enable EIGRP authentication
hostname(config)#interface <interface_name>
hostname(config-if)#authentication mode eigrp <as_number> md5
hostname(config-if)#authentication key eigrp <as_number> <key_value> key-id <key_id>

For RIP, OSPF and EIGRP alike, adjacencies with neighbors that do not present the agreed key are dropped as soon as authentication is enabled, so roll the key out to every peer in the same change window.

• Step 1: Acquire the name of the untrusted interface <untrusted_interface_name>
• Step 2: Run the following command to disable the Proxy-ARP on the untrusted interface.
hostname(config)# sysopt noproxyarp <untrusted_interface_name>
Run the following command to enable the DNS Guard function.
hostname(config)# dns-guard

• Step 1: Acquire the name of the untrusted interface <untrusted_interface_name>
• Step 2: Run the following command to disable DHCP service on the untrusted interface
hostname(config)# no dhcpd enable <untrusted_interface_name>
• Step 3: Run the following command to disable DHCP Relay service on the untrusted interface
hostname(config)# no dhcprelay enable <untrusted_interface_name>
• Step 1: Acquire the untrusted interface name <untrusted_interface_name>, the trusted subnet and corresponding subnet mask
• Step 2: Run the following command to allow ICMP from the trusted subnet to the untrusted interface. Repeat the command if more than one trusted subnet is identified.
hostname(config)# icmp permit <subnet> <mask> <untrusted_interface_name>
• Step 3: Run the following command to deny ICMP from all other sources to the untrusted interface.
hostname(config)# icmp deny any <untrusted_interface_name>
These icmp rules control ICMP addressed to the interface itself, not traffic passing through the appliance, and are evaluated in order with the first match winning, so the permit statements must be entered before the deny.
• Step 1: Run the following to enable the DNS lookup
hostname(config)# dns domain-lookup <interface_name>

<interface_name> is the name of the interface connected to the DNS server
• Step 2: Configure the group of DNS servers
hostname(config)# dns server-group DefaultDNS
• Step 3: Acquire the enterprise authorized DNS servers' IP addresses <dns_ip_address> and for each of them, run the following command to configure the DNS server in the DNS server group
hostname(config-dns-server-group)#name-server <dns_ip_address>

• Step 1: Acquire the Enterprise standard action <prevention_action> to be performed when an attack signature is matched. It is to be chosen between 'drop' (the packet is dropped) and 'reset' (the packet is dropped and the connection closed)
• Step 2: Run the following to enable the audit policy against the attack signatures with the Enterprise standard action
hostname(config)# ip audit name <audit_name> attack action alarm <prevention_action>
• Step 3: Identify the untrusted interface <interface_name>
• Step 4: Run the following to enable the intrusion prevention on the untrusted interface
hostname(config)# ip audit interface <interface_name> <audit_name>
• Step 1: Acquire the name of the untrusted interface <interface_name>
• Step 2: Run the following command to deny fragments on the interface.
hostname(config)#fragment chain 1 <interface_name>

fragment chain 1 drops every fragmented IP packet arriving on the interface. Confirm that no legitimate traffic, such as large UDP datagrams or IPsec across a path with a reduced MTU, relies on fragmentation before applying it.

• Step 1: Acquire the enterprise standard values for maximum connections, maximum embryonic connections, maximum connections per client and maximum embryonic connections per client
• Step 2: Run the following to configure the class to identify the traffic on which DOS protection should be performed.
hostname(config)# class-map <class_name>
hostname(config-cmap)# match any

• Step 3: Run the following to configure the policy that will determine the maximum connections to be applied on the class previously configured
hostname(config)# policy-map <policy_name>
hostname(config-pmap)# class <class_name>
hostname(config-pmap-c)# set connection conn-max <enterprise_max_number>
hostname(config-pmap-c)# set connection embryonic-conn-max <enterprise_max_number>
hostname(config-pmap-c)# set connection per-client-embryonic-max <enterprise_max_number>
hostname(config-pmap-c)# set connection per-client-max <enterprise_max_number>

The enterprise_max_number parameter is to be taken between 0 and 65535. A value of 0 means no limit, so each limit must be set to a non-zero value for the protection to take effect; it is the embryonic (half-open) limits that engage TCP Intercept against SYN floods.
• Step 4: Run the following to apply the policy previously configured on the untrusted interface
hostname(config)# service-policy <policy_name> interface <untrusted_interface_name>
Run the following to enable threat detection statistics for TCP Intercept
hostname(config)# threat-detection statistics tcp-intercept

• Step 1: Acquire the name of the untrusted interface <interface_name>
• Step 2: Run the following command to enable protection against IP spoofing
hostname(config)# ip verify reverse-path interface <interface_name>

• Step 1: Acquire the physical name of the Internet facing interface <interface_physical_name>
• Step 2: Run the following command to assign the security-level 0
hostname(config)#interface <interface_physical_name>
hostname(config-if)#security-level 0
• Step 1: Run the following command to ensure that the DNS server is available.
hostname#sh run | i name-server

If there is no DNS server, configure the DNS server according to the related recommendation.
• Step 2: Run the following commands to enable the security appliance to download and use for inspection the lists of known malware websites
hostname(config)#dynamic-filter updater-client enable
hostname(config)#dynamic-filter use-database
• Step 3: Run the following command to create a class map for the security appliance to match the DNS traffic
hostname(config)#class-map <dns_class_map_name>
hostname(config-cmap)#match port udp eq domain
• Step 4: Run the following to create the policy-map in order to ask the appliance to inspect the matched DNS traffic and to compare the domain name in the DNS traffic with the list of known malware related domain names.
hostname(config)#policy-map <dns_policy_map_name>
hostname(config-pmap)# class <dns_class_map_name>
hostname(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop
• Step 5: Run the following for the inspection to be applied on the untrusted interface
hostname(config)# service-policy <dns_policy_map_name> interface <untrusted_interface_name>
• Step 6: Run the following to monitor the Botnet traffic crossing the untrusted interface
hostname(config)# dynamic-filter enable interface <untrusted_interface_name>
• Step 7: Run the following to drop any identified Botnet traffic on the untrusted interface
hostname(config)# dynamic-filter drop blacklist interface <untrusted_interface_name>

Only one service policy can be applied per interface. If the connection-limit policy above is already applied to the untrusted interface, add the DNS class to that policy-map instead of applying a second one, which would replace it. The Botnet Traffic Filter is a licensed feature, and the updater client needs DNS resolution and outbound HTTPS from the appliance to reach the update service; check the database state with show dynamic-filter updater-client and show dynamic-filter data.
• Step 1: Acquire the TCP port <port> used for the HTTP traffic containing ActiveX objects, the IP address <internal_users_ip> and mask <internal_users_mask> of internal users generating the HTTP traffic, and the IP address <external_servers_ip> and mask <external_servers_mask> of the external servers to which the internal users connect and that are sources of ActiveX objects.
• Step 2: Run the following command to filter ActiveX applets.
hostname(config)# filter activex <port> <internal_users_ip> <internal_users_mask> <external_servers_ip> <external_servers_mask>
• Step 1: Acquire the TCP port <port> used for the HTTP traffic containing Java objects, the IP address <internal_users_ip> and mask <internal_users_mask> of internal users generating the HTTP traffic, and the IP address <external_servers_ip> and mask <external_servers_mask> of the external servers to which the internal users connect and that are sources of Java objects.
• Step 2: Run the following command to filter Java applets.
hostname(config)# filter java <port> <internal_users_ip> <internal_users_mask> <external_servers_ip> <external_servers_mask>

Both filters only inspect clear-text HTTP on the given port; objects delivered over HTTPS are not seen, so they complement rather than replace endpoint controls.

• Step 1: Acquire the name <access-list_name> of the access-list that is not compliant from the audit procedure
• Step 2: Run the following to configure the explicit deny.
hostname(config)#access-list <access-list_name> extended deny ip any any log

The statement will be placed at the end of the access-list. Any entry added later is appended after it and is never matched, so either re-enter the deny after future changes or insert new entries above it with a line number. The log keyword makes the appliance count and report hits on this entry; the implicit deny at the end of every access-list cannot be given one.
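To make the ordering point concrete, the following Python script (an added example written for this page, not benchmark or Cisco code) evaluates a small constructed extended access-list first-match, the way the appliance does, and shows that only the explicit final entry with the log keyword lets a denied packet be attributed to a logged entry. The ACL lines, addresses and the ends_with_explicit_deny audit helper are the example's own; ICMP type matching and the any4/any6 keywords are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed ASA extended access-list for this example (not from a real device).
# ACL_BEFORE relies on the implicit deny; ACL_AFTER ends with the explicit logged deny.
ACL_BEFORE = [
    "access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443",
    "access-list OUTSIDE_IN extended permit udp 198.51.100.0 255.255.255.0 host 203.0.113.53 eq 53",
]
ACL_AFTER = ACL_BEFORE + ["access-list OUTSIDE_IN extended deny ip any any log"]

PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "ssh": 22}


@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    log: bool


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_rule(line: str) -> Rule:
    """Parse one 'access-list NAME extended ACTION PROTO SRC DST [eq PORT] [log]' entry."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    action, proto = t[3], t[4]
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]
        i += 2
    return Rule(action, proto, src, dst, dport, "log" in t[i:])


def evaluate(acl: List[str], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, bool]:
    """First-match evaluation. Returns (action, matched entry carries 'log').

    Falling off the end is the implicit deny, which is not an entry and so has no log keyword.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in map(parse_rule, acl):
        if rule.proto not in ("ip", proto):
            continue
        if s not in rule.src or d not in rule.dst:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, rule.log
    return "deny", False


def ends_with_explicit_deny(acl: List[str]) -> bool:
    """Audit check: the last entry must be 'deny ip any any log'."""
    last = parse_rule(acl[-1])
    return (last.action == "deny" and last.proto == "ip"
            and last.src.prefixlen == 0 and last.dst.prefixlen == 0 and last.log)


if __name__ == "__main__":
    for name, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        print(name, "ssh to web server:", evaluate(acl, "tcp", "198.51.100.7", "203.0.113.10", 22),
              "explicit deny present:", ends_with_explicit_deny(acl))
```

Run it against an export of show access-list to confirm that every interface ACL ends with the logged deny; an entry appended after it would show up as a permit or deny that the evaluator never reaches.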
