Network Devices Configuration Standards & Hardening Guidelines
March 2021
By Yusuf Almahmeed
Administrator, Infrastructure / Network Support & Security
Bahrain Electronic Network for Financial Transactions
Table of Contents
Introduction
Interface Description
Warning banners
NTP mode 6
Auxiliary Port
Unnecessary Services
Shutdown unused interfaces
TACACS configuration with ISE
RADIUS configuration with ISE
Disable Network Time Protocol (NTP) Mode 6 Scanner
SSH Server CBC Mode Ciphers Hardening
SSH MAC Algorithms Hardening
General SNMP Config
Read-Only Access
Syslog and Logs
Introduction
This document is intended to provide guidance to administrators on securing Cisco IOS devices
through deployment of minimum security baseline controls.
Interface Description
Interface descriptions should be simple and easy to understand, without runs of stars (“***”)
at the beginning or end and without the phrase “Connected to”.
A bad example: (image not reproduced)
A good example:
# configure terminal
(config)# interface <Interface Name & Number>
(config-if)# description <description>
Warning banners
configure terminal
!
banner motd #
Enter TEXT message. End with the character '#'.
<banner>
#
!
banner login #
Enter TEXT message. End with the character '#'.
<banner>
#
!
banner exec #
Enter TEXT message. End with the character '#'.
<banner>
#
!
aaa authentication banner #<banner>#
################################ PRE-Login CLI ################################
=============================================================================
The BENEFIT Company
Authorized Access Only
This system is the property of Benefit Company
All activity on this system is logged.
=============================================================================
LEGAL NOTICE WARNING: ONLY AUTHORIZED USERS ARE ALLOWED TO ACCESS THIS
SYSTEM. The programs and data stored in this system are licensed, private
property of The Benefit Company. All login attempts, access and system
activities are recorded.

This System is for the use of Authorized users only. Individuals using this
System without authority, or in excess of their authority are subject to
having all of their activities on this system monitored and recorded by
system personnel. In the course of monitoring individuals improperly using
this system, or in course of system maintenance, the activities of
authorized users may also be monitored.

Anyone using this system expressly consents to such monitoring and
is advised that if such monitoring reveals possible evidence of criminal
activity, system personnel may provide the evidence of such monitoring to
law enforcement officials.
=============================================================================

############################### POST-Login CLI ###############################
=============================================================================
Authorized Access Only
This system is the property of Benefit Company
All activity on this system is logged.
Disconnect IMMEDIATELY if you are not an Authorized user!
=============================================================================
This System is for the use of Authorized users only. Individuals using this
System without authority, or in excess of their authority are subject to
having all of their activities on this system monitored and recorded by
system personnel. In the course of monitoring individuals improperly using
this system, or in course of system maintenance, the activities of
authorized users may also be monitored.
Anyone using this system expressly consents to such monitoring and
is advised that if such monitoring reveals possible evidence of criminal
activity, system personnel may provide the evidence of such monitoring to
law enforcement officials.
=============================================================================
NTP mode 6
Avoid NTP mode 6 (control mode). Only mode 6 control queries to the IOS NTP server are
denied; the rest of NTP functionality is unaffected.
configure terminal
!
no ntp allow mode control
ntp allow mode control 3
Auxiliary Port
Disable the EXEC process on the auxiliary port.
configure terminal
line aux 0
 no exec
Unnecessary Services
Disable unnecessary services that are not in use:
configure terminal
!
no service tcp-small-servers (TCP small services)
no service udp-small-servers (UDP small services)
no service finger (Finger)
no ip bootp server (BOOTP)
no service pad (X.25 PAD)
no ip domain-lookup (DNS)
no service dhcp (DHCP)
no ip http server (HTTP)
no mop enabled (MOP, interface level)
no ip identd (IDENTD)
Shutdown unused interfaces
configure terminal
interface <Interface Name & Number>
 shutdown
TACACS configuration with ISE
aaa new-model
!
aaa group server tacacs+ BNFT-ISE-TACACS
 server name BNFT-PRODISE-PSN1
 server name BNFT-DRISE-PSN1
!
aaa authentication login BNFT_TACACS group BNFT-ISE-TACACS local
aaa authentication login BNFT_CONSOLE local
aaa authentication enable default group BNFT-ISE-TACACS enable
aaa authorization config-commands
aaa authorization exec BNFT_TACACS group BNFT-ISE-TACACS local
aaa authorization commands 1 BNFT_TACACS group BNFT-ISE-TACACS local if-authenticated
aaa authorization commands 15 BNFT_TACACS group BNFT-ISE-TACACS local if-authenticated
aaa accounting send stop-record authentication failure
aaa accounting delay-start all
aaa accounting update periodic 5
aaa accounting exec default start-stop group BNFT-ISE-TACACS
aaa accounting commands 1 default start-stop group BNFT-ISE-TACACS
aaa accounting commands 15 default start-stop group BNFT-ISE-TACACS
!
ip tacacs source-interface <Interface Name & Number>
!
tacacs-server timeout 10
tacacs-server directed-request
tacacs server BNFT-PRODISE-PSN1
 address ipv4 172.21.38.152
 key <ISE TACACS KEY>
tacacs server BNFT-DRISE-PSN1
 address ipv4 172.22.38.152
 key <ISE TACACS KEY>
!
line con 0
 login authentication BNFT_CONSOLE
line vty 0 15
 authorization commands 1 BNFT_TACACS
 authorization commands 15 BNFT_TACACS
 authorization exec BNFT_TACACS
 login authentication BNFT_TACACS
 logging synchronous
 transport input ssh
RADIUS configuration with ISE
lldp run
cdp run
!
aaa new-model
!
aaa group server radius BNFT-ISE-RADIUS
 server name BNFT-DRISE-PSN1
 server name BNFT-PRODISE-PSN1
!
aaa authentication dot1x default group BNFT-ISE-RADIUS
aaa authorization network default group BNFT-ISE-RADIUS
aaa authorization auth-proxy default group BNFT-ISE-RADIUS
aaa accounting send stop-record authentication failure
aaa accounting delay-start all
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group BNFT-ISE-RADIUS
aaa accounting dot1x default start-stop group BNFT-ISE-RADIUS
aaa accounting network default start-stop group BNFT-ISE-RADIUS
!
aaa server radius dynamic-author
 client 172.21.38.152 server-key <ISE TACACS KEY>
 client 172.22.38.152 server-key <ISE TACACS KEY>
 server-key <ISE TACACS KEY>
!
aaa session-id common
!
device-sensor filter-list lldp list BNFT_LLDP_LIST
 tlv name system-name
 tlv name system-description
!
device-sensor filter-list cdp list BNFT_CDP_LIST
 tlv name device-name
 tlv name platform-type
device-sensor filter-spec lldp include list BNFT_LLDP_LIST
device-sensor filter-spec cdp include list BNFT_CDP_LIST
device-sensor accounting
device-sensor notify all-changes
!
ip device tracking probe count 10
ip device tracking probe use-svi
ip device tracking probe delay 5
ip device tracking
login on-success log
!
authentication mac-move permit
!
dot1x system-auth-control
dot1x critical eapol
!
ip radius source-interface Vlan<Vlan Number>
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
radius-server timeout 10
radius-server vsa send accounting
radius-server vsa send authentication
!
radius server BNFT-PRODISE-PSN1
 address ipv4 172.21.38.152 auth-port 1812 acct-port 1813
 key <ISE TACACS KEY>
!
radius server BNFT-DRISE-PSN1
 address ipv4 172.22.38.152 auth-port 1812 acct-port 1813
 key <ISE TACACS KEY>
!
Disable Network Time Protocol (NTP) Mode 6 Scanner
configure terminal
no ntp allow mode control
ntp allow mode control 3
SSH Server CBC Mode Ciphers Hardening
configure terminal
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
SSH MAC Algorithms Hardening
configure terminal
ip ssh server algorithm mac hmac-sha1
General SNMP Config
configure terminal
snmp-server enable traps
Read-Only Access
configure terminal
snmp-server view Solar@Benefit iso included
snmp-server group BenefitROGroup v3 priv read Solar@Benefit
snmp-server user BenefitROUser BenefitROGroup v3 auth sha <SNMP KEY> priv aes 128 <SNMP KEY>
snmp-server host 10.0.5.177 version 3 priv BenefitROUser
Syslog and Logs
configure terminal
logging console 7
logging monitor 6
logging trap 7
logging host 10.0.5.177
logging host 10.0.5.186
service timestamps log datetime localtime show-timezone
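The following is an added example, not part of this guide, that audits a device configuration against several of the controls above (unnecessary services, NTP mode 6, SSH CTR ciphers, the auxiliary port EXEC and SSH-only VTY transport). It assumes the input is the text of `show running-config all`, so that default settings are printed explicitly; the control names, regexes and the sample config are constructed for this example.

```python
"""Audit a Cisco IOS config against this guide's baseline. Added example, not from
the original document; assumes `show running-config all` output (defaults printed)."""
import re

# Top-level lines the baseline requires (control name -> regex).
REQUIRED_GLOBAL = {
    "TCP small servers disabled": r"^no service tcp-small-servers$",
    "Finger disabled": r"^no service finger$",
    "HTTP server disabled": r"^no ip http server$",
    "NTP mode 6 restricted": r"^ntp allow mode control 3$",
    "SSH CTR ciphers only": r"^ip ssh server algorithm encryption( aes\d{3}-ctr)+$",
}
# Lines required inside a line stanza (control name -> (stanza header, regex)).
REQUIRED_STANZA = {
    "Aux port EXEC disabled": ("line aux 0", r"^no exec$"),
    "VTY transport SSH only": ("line vty 0 15", r"^transport input ssh$"),
}

def parse_stanzas(config):
    """Map every top-level line to the list of its indented child lines."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # skip blank lines and "!" separators
        if raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = raw.rstrip()
            stanzas.setdefault(current, [])
    return stanzas

def audit(config):
    """Return the sorted names of baseline controls the config fails."""
    stanzas = parse_stanzas(config)
    failed = [name for name, rx in REQUIRED_GLOBAL.items()
              if not any(re.match(rx, line) for line in stanzas)]
    failed += [name for name, (hdr, rx) in REQUIRED_STANZA.items()
               if not any(re.match(rx, c) for c in stanzas.get(hdr, []))]
    return sorted(failed)
SAMPLE = """\
! constructed sample of a partially hardened switch, not a real device
no service tcp-small-servers
ip http server
ip ssh server algorithm encryption aes256-ctr aes128-cbc
ntp allow mode control 3
line aux 0
 no exec
line vty 0 15
 transport input telnet ssh
"""
```

Running `audit(SAMPLE)` reports the four controls the sample misses (finger, HTTP server, the CBC cipher still listed, and Telnet on the VTY lines) while the TCP small servers, NTP mode 6 and aux port checks pass.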