U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.

Https

We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

Computer Security Resource Center

Computer Security Resource Center

This is an archive
(replace .gov by .rip)
    Projects Security Content Automation Protocol SCAP Specifications Extensible Configuration Checklist Description Format (XCCDF)

Security Content Automation Protocol SCAP

CISCO IOS Example

XCCDF Benchmark: XCCDF Sample for Cisco IOS

XCCDF Sample for Cisco IOS

Status: draft (as of 2004-10-07)

Version: 0.12.1

Applies to:

  • Cisco IOS Routers version 11.x
  • Cisco IOS Routers version 12+

 

Contents

1. Introduction

2. Tailoring Values

2.1. IOS - line exec timeout value

2.2. Logging level for buffered logging

3. Rules

3.1. Management Plane Rules

3.1.1. IOS 11 - no IP finger service

3.1.2. IOS 12 - no IP finger service

3.1.3. Require exec session timeout on admin sessions

3.2. Control Plane Rules

3.2.1. Disable tcp-small-servers

3.2.2. Disable udp-small-servers

3.2.3. Set the buffered logging level

3.3. Data Plane Level 1

3.3.1. Routing Rules

3.3.1.1. IOS - no directed broadcasts

4. Profiles

4.1. Sample Profile No. 1

4.2. Sample Profile No. 2

5. References

1. Introduction

This benchmark assumes that you are running IOS 11.3 or later.

Description

This document defines a small set of rules for securing Cisco IOS routers. The set of rules constitute a benchmark. A benchmark usually represents an industry consensus of best practices. It lists steps to be taken as well as rationale for them. This particular benchmark is merely a small subset of the rules that would be necessary for securing an IOS router.

Legal Notice

This sample may be freely copied and used, at least for now.

2. Tailoring Values

2.1. Value: IOS - line exec timeout value

Type: number

Operator: less than or equal

Value and value contraints:

Property Selector Value
value * 10
default strict 10
default lenient 30
lower-bound * 1
upper-bound * 60

 

Description

The length of time that an interactive session should be allowed to stay idle before being terminated. Expressed in minutes.

2.2. Value: Logging level for buffered logging

Type: string

Operator: equals

Value and value contraints:

Property Selector Value
value strict informational
value lenient warning
value * notification
choices * Exclusive values:

 

Description

Logging level for buffered logging; this setting is a severity level. Every audit message of this severity or more (worse) will be logged.

3. Rules

3.1. Group: Management Plane Rules

Services, settings, and data streams related to\ setting up and examining the static configuration of the router, and\ the authentication and authorization of administrators/operators.

Dependencies

3.1.1. Rule: IOS 11 - no IP finger service

Applies only to:

 

Disable the finger service, it can reveal information about logged in users to unauthorized parties.

Remediation

Fix: 

no service finger

 

3.1.2. Rule: IOS 12 - no IP finger service

Applies only to:

 

Disable the finger service, it can reveal information about logged in users to unauthorized parties.

Remediation

Fix: 

no ip finger

 

3.1.3. Rule: Require exec session timeout on admin sessions

Configure each administrative access line to terminate idle sessions after a fixed period of time (determined by local policy).

Rationale

If an exec session is left unattended, an unauthorized party may join the session and execute commands with elevated privileges. A timeout helps to reduce the likelihood of this, by shortening the window of opportunity for an attacker. In addition to setting a timeout, TCP keep-alives should be enabled for incoming sessions using the command service tcp-keepalives in.

3.2. Group: Control Plane Rules

Services, settings, and data streams that support and document the operation, traffic handling, and dynamic status of the router.

3.2.1. Rule: Disable tcp-small-servers

Disable unnecessary services such as echo, chargen, etc.

Remediation

Disable TCP small servers in IOS global config mode.

Fix: 

no service tcp-small-servers

 

3.2.2. Rule: Disable udp-small-servers

Disable unnecessary datagram services such as echo, chargen, etc.

Remediation

Disable UDP small servers in IOS global config mode.

Fix: 

no service udp-small-servers

 

3.2.3. Rule: Set the buffered logging level

Set the buffered logging level to one of the appropriate levels, Warning or higher. The logging level should be set explicitly.

Remediation

Fix: 


          logging buffered 
informational

 

3.3. Group: Data Plane Level 1

Services and settings related to the data passing through the router (as opposed to directed to it). Basically, the data plane is for everything not in control or management planes.

3.3.1. Group: Routing Rules

Rules in this group affect traffic forwarded through the router, including router actions taken on receipt of special data traffic.

4. Profiles

4.1. Profile: Sample Profile No. 1

Item Selections

Rules and Groups explicitly selected and deselected for this profile.

Value Settings

Tailoring value adjustments explicitly set for this profile:

4.2. Profile: Sample Profile No. 2

Item Selections

Rules and Groups explicitly selected and deselected for this profile.

Value Settings

Tailoring value adjustments explicitly set for this profile:

5. References

  1. NSA Router Security Configuration Guide, Version 1.1b [link]
  2. SANS Securing Cisco Routers Step-by-Step

Contacts

SCAP Inquiries
scap@nist.gov

Created December 07, 2016, Updated October 26, 2021