Network Security Baseline - Cisco


Network Security Baseline

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
     800 553-NETS (6387)
Fax: 408 527-0883

Text Part Number: OL-17300-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0807R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Network Security Baseline
© 2008 Cisco Systems, Inc. All rights reserved.

CONTENTS

CHAPTER 1  Introduction  1-1
    Security Baseline Overview  1-1
    Preliminary Network Design Assessment  1-2
    Cisco Security Framework Overview  1-2

CHAPTER 2  Infrastructure Device Access  2-1
    CSF Methodology Assessment  2-2
    Total Visibility  2-2
    Complete Control  2-3
    Restrict Infrastructure Device Management Accessibility  2-3
    Cisco IOS Device Interactive Terminal and Management Access Lines  2-4
    AUX Port  2-5
    Console Port  2-5
    VTY Line  2-5
    Disable Unnecessary Device Terminal and Management Access Ports  2-5
    Restrict Device Access to Authorized Services and Protocols Only  2-6
    Restrict Device Access Attempts To Authorized Services By Authorized Originators Only  2-7
    Standard ACLs  2-7
    Extended ACLs  2-7
    Enforce Device Login Authentication Using AAA  2-8
    Enforce Device Login Authorization Using AAA  2-8
    Enforce Privileged Level Authentication Using AAA  2-9
    Enforce Session Management  2-9
    Idle Sessions  2-9
    Hung Sessions  2-10
    Restrict Login Vulnerability to Dictionary and DoS Attacks  2-10
    Enforce The Use of Strong Passwords  2-11
    Cisco IOS Minimum Password Length Feature  2-12
    Restrict Frequency of Login Attempts  2-12
    Restrict Number of Login Failures Permitted Within Specified Time Period  2-12
    Reserve a Terminal or Management Port  2-13
    Legal Notification Banners  2-13
    AAA Services  2-14
    AAA Overview  2-14
    Centralized AAA  2-15
    AAA Server Groups  2-15
    AAA Method Lists  2-16
    AAA Server Communication Security  2-17
    AAA Server Based Accounting Services  2-17
    Secure Shell (SSH)  2-18
    Web-based GUI Access  2-20
    HTTP  2-20
    HTTPS  2-21
    SNMP Access  2-21
    Locally Stored Information Protection  2-23
    Global Password Encryption  2-23
    Local User Password Encryption  2-24
    Enable Secret  2-24
    Infrastructure Device Management Access Logging  2-25
    AAA EXEC Accounting  2-25
    AAA Failed Authentication Accounting  2-26
    AAA Command Accounting  2-26
    AAA System Accounting  2-27
    Syslog Login Success and Failure Notifications  2-28
    Configuration Change Notification and Logging  2-28
    Displaying Configuration Change Log Entries  2-29
    General Device Access and Configuration Change Logging Best Common Practices  2-30
    File Transfer  2-30
    File Transfer Protocol (FTP)  2-30
    Trivial File Transfer Program (TFTP)  2-31
    Secure Copy (SCP)  2-31
    Device Software Image Verification  2-32
    IOS Software Image Verification  2-32
    Infrastructure Management Network  2-32
    Device Management Best Common Practices  2-34

CHAPTER 3  Routing Infrastructure  3-1
    CSF Methodology Assessment  3-1
    Total Visibility  3-2
    Complete Control  3-2
    Restricted Routing Protocol Membership  3-2
    Neighbor Authentication  3-3
    Routing Peer Definition  3-4
    Default Passive Interface  3-5
    BGP TTL Security Check  3-6
    iACLs  3-7
    rACLs  3-7
    Control Plane Policing and Protection  3-8
    Route Filtering  3-8
    Route Maps  3-8
    Prefix List  3-9
    Distribute List  3-10
    Peer Prefix Filtering  3-10
    IGP Prefix Filtering  3-11
    BGP Prefix Filtering  3-12
    Maximum Prefix Filtering  3-15
    EIGRP Stub Routing  3-15
    Route Redistribution Filtering  3-16
    Logging  3-18
    Secure Routing Plane Summary  3-18

CHAPTER 4  Device Resiliency and Survivability  4-1
    CSF Methodology Assessment  4-1
    Total Visibility  4-1
    Complete Control  4-2
    Disabling Unnecessary Services  4-2
    Cisco Discovery Protocol (CDP)  4-3
    Directed Broadcast  4-3
    Finger  4-4
    Maintenance Operations Protocol (MOP)  4-4
    IP BOOTP Server  4-4
    IP Redirects  4-5
    IP Source Routing  4-5
    PAD  4-6
    Proxy ARP  4-6
    Ident  4-6
    TCP and UDP Small Servers  4-7
    Infrastructure Protection Access Control Lists (iACLs)  4-7
    iACL Structure  4-9
    iACL Recommended Deployment Methodology  4-10
    Receive Access Control Lists  4-11
    rACL Recommended Deployment Methodology  4-12
    Control Plane Policing (CoPP)  4-14
    CoPP Traffic Classification  4-15
    Border Gateway Protocol (BGP)  4-15
    Interior Gateway Protocol (IGP)  4-15
    Interactive Management  4-16
    File Management  4-16
    Reporting  4-16
    Monitoring  4-16
    Critical Applications  4-16
    Layer 2 Protocols  4-16
    Undesirable  4-16
    Default  4-17
    CoPP Recommended Deployment Methodology  4-17
    Control Plane Protection (CPP)  4-18
    Control Plane Protection Recommended Deployment Methodology  4-20
    Port Security  4-20
    Port Security Configuration  4-22
    Port Security Logging  4-23
    Redundancy  4-23
    Backup Interfaces  4-23
    Element Redundancy  4-24
    Standby Devices  4-26
    Topological Redundancy  4-28
    Device Resiliency and Survivability Summary  4-29

CHAPTER 5  Network Telemetry  5-1
    CSF Methodology Assessment  5-1
    Visibility and Awareness  5-2
    Control and Containment  5-2
    Time Synchronization  5-2
    Timestamps and NTP Configuration  5-3
    Local Device Traffic Statistics  5-4
    Per-Interface Statistics  5-4
    Per-Interface IP Feature Information  5-6
    Global IP Traffic Statistics  5-7
    System Status Information  5-7
    Memory, CPU and Processes  5-7
    Memory Threshold Notifications by Syslog  5-8
    Reserving Memory for Critical Notifications  5-9
    CPU Threshold SNMP Trap Notification  5-9
    MAC Address Table Status  5-10
    Open Ports and Sockets  5-11
    CDP Best Common Practices  5-12
    CDP Neighbor Information  5-12
    Syslog  5-13
    Syslog Best Common Practices  5-13
    Syslog to a Central Server  5-14
    Syslog Named Facilities  5-14
    Syslog Rate-Limiting  5-15
    Common Syslog Servers  5-15
    SNMP  5-16
    Common SNMP Servers  5-16
    ACL Logging  5-16
    Accounting  5-16
    Configuration Change Notification and Logging  5-17
    Packet Capture  5-17
    SPAN/RSPAN  5-17
    Copy/Capture VLAN ACLs  5-17
    General Network Telemetry Indicators  5-18

CHAPTER 6  Network Policy Enforcement  6-1
    CSF Methodology Assessment  6-1
    Total Visibility  6-1
    Complete Control  6-2
    Access Edge Filtering  6-2
    IP Spoofing Protection  6-2
    Unicast Reverse Path Forwarding (uRPF)  6-4
    Access Layer First Routed Hop  6-5
    Deployment Considerations  6-6
    Enterprise Internet Edge  6-6
    Deployment Considerations  6-7

CHAPTER 7  Switching Infrastructure  7-1
    CSF Methodology Assessment  7-1
    Total Visibility  7-1
    Complete Control  7-2
    Restrict Broadcast Domains  7-2
    Spanning Tree Protocol Security  7-3
    Disable Dynamic Trunking  7-4
    Per VLAN Spanning Tree (PVST)  7-5
    BPDU Guard  7-6
    STP Root Guard  7-7
    VLAN Best Common Practices  7-7

CHAPTER 8  Getting Started with Security Baseline  8-1
    Infrastructure Device Access  8-1
    Protect Local Passwords  8-1
    Implement Notification Banners  8-2
    AAA Services  8-2
    Administrative Access  8-3
    Restricting Access Lines and Protocols  8-4
    Routing Infrastructure  8-5
    Restrict Routing Protocol Membership  8-5
    Route Filtering  8-6
    Device Resiliency and Survivability  8-7
    Disabling Unnecessary Services  8-7
    Infrastructure Protection ACLs (iACLs)  8-9
    Port Security  8-12
    Network Telemetry  8-14
    Time Synchronization (NTP)  8-14
    NTP Design for Remote Offices  8-14
    NTP Design at the Headquarters  8-15
    Local Device Traffic Statistics  8-17
    System Status Information  8-17
    CDP Best Common Practices  8-18
    System Logging (Syslog)  8-18
    SNMP  8-19
    Network Policy Enforcement  8-22
    Access Edge Filtering  8-22
    uRPF  8-22
    Internet Edge  8-22
    Access Edges  8-22
    Switching Infrastructure  8-22

Sample Configurations  A-1
    Sample TTY Ports Configuration  A-1
    AUX Port  A-1
    Console Port  A-1
    Sample VTY Lines Configuration  A-2
    Sample Telnet Configuration  A-2
    Sample SSH Configuration  A-3
    Sample Legal Banner Notification Configuration  A-3
    Sample AAA Services Configuration  A-4
    Sample Web-Based GUI Configuration  A-6
    Sample HTTP Configuration  A-6
    Sample HTTPS Configuration  A-7
    Sample SNMP Configuration  A-7
    Sample Timestamps and NTP Configuration  A-9
    NTP Server Configured as Master Stratum 3  A-9
    Example NTP Client (Stratum 4)  A-10
    Sample Syslog Configuration  A-10
    Disabling Unnecessary Services  A-11
    Sample iACL Configurations  A-11
    iACL at Internet Edge  A-11
    iACL at WAN Edge  A-12
    Sample rACL Configurations  A-13
    CoPP Sample Configuration  A-15
    Control Plane Protection Sample Configuration  A-19

Commonly Used Protocols in the Infrastructure  B-1

Related Documents  C-1

Infrastructure Device Access Checklist  D-1

Network Security Baseline  OL-17300-01

CHAPTER 1

Introduction

Effective network security demands an integrated defense-in-depth approach. The first layer of a defense-in-depth approach is the enforcement of the fundamental elements of network security. These fundamental security elements form a security baseline, creating a strong foundation on which more advanced methods and techniques can subsequently be built.

Developing and deploying a security baseline can, however, be challenging due to the vast range of features available. The Network Security Baseline is designed to assist in this endeavour by outlining those key security elements that should be addressed in the first phase of implementing defense-in-depth. The main focus of Network Security Baseline is to secure the network infrastructure itself: the control and management planes.

This document outlines the key security elements identified for Network Security Baseline, along with implementation guidelines to assist in their design, integration, and deployment in production networks.

Security Baseline Overview

The Network Security Baseline presents the fundamental network security elements that are key to developing a strong network security baseline. The focus is primarily on securing the network infrastructure itself, as well as critical network services, and addresses the following key areas of baseline security:

- Infrastructure Device Access
- Routing Infrastructure
- Device Resiliency and Survivability
- Network Telemetry
- Network Policy Enforcement
- Switching Infrastructure

Unless these baseline security elements are addressed, additional security technologies and features are typically useless. For example, if a default access account and password are active on a network infrastructure device, it is not necessary to mount a sophisticated attack since attackers can simply log in to the device and perform whatever actions they choose.

In order to ensure a comprehensive solution, the Cisco Security Framework (CSF) is applied in the development of Network Security Baseline. CSF provides a comprehensive method of assessing and validating the security requirements of a system.

The CSF has been used in the creation of the Security Baseline to ensure that all the requirements have been considered for each particular contextual area. An overview of the CSF methodology is presented in the Cisco Security Framework Overview, page 1-2.

All sample configurations in this paper are based on Cisco IOS platforms and features. However
