Downloading or using SB Products in any way indicates and confirms your acceptance of and your binding agreement to these CIS Security Measures Terms of Use. All rights to the SB Products not expressly granted in these Terms of Use are hereby reserved.
Local Authentication, Authorization and Accounting (AAA) Rules
Enabling 'aaa accounting exec' creates accounting records for the EXEC terminal sessions on the network access server. Enabling 'aaa accounting network' creates accounting records for all network-related service requests, including ARA, PPP, SLIP, and NCP sessions.
Access Rules
Configuring 'exec-timeout' with an appropriate value closes idle EXEC sessions automatically and so reduces the risk of unauthorized access through sessions that were abandoned rather than logged out.
Banner Rules
After the user has successfully logged in to the router, the EXEC banner or the incoming banner is displayed, depending on the type of connection.
Password Rules
When password encryption is enabled ('service password-encryption'), the obfuscated form of the passwords is displayed when a 'more system:running-config' command is entered. If this is not enabled, many of the device passwords are displayed in plaintext in the configuration file. Organizations that implement 'service password-encryption' reduce the risk of a casual observer learning plaintext passwords from Cisco IOS configuration files.
However, the type 7 algorithm it uses is a fixed-key XOR that is not designed to withstand serious analysis, and type 7 strings should be treated as plaintext. 'enable secret' instead stores an irreversible MD5 hash of the password (type 5; newer releases also offer the stronger type 8 and type 9 hashes) rather than a recoverable ciphertext. Because a hash cannot be reversed, you cannot use 'enable secret' with protocols that require the clear-text password, such as the Challenge Handshake Authentication Protocol (CHAP).
The protection of a one-way hash matters most in environments where the configuration traverses the network or is stored on a TFTP server, where anyone who obtains the file would otherwise recover the passwords.
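The following script is an added example, not part of the CIS benchmark text; it shows why a type 7 string offers no real protection by decoding it, and then classifies the credential lines of a configuration as cleartext, reversible (type 7) or hashed (type 5/8/9). The XLAT constant is the well-known fixed key stream of Cisco's type 7 obfuscation; the lines in SAMPLE_CONFIG are constructed for this demo, and the type 5 and type 9 values in it are placeholders rather than real digests.

```python
"""Why a type 7 'service password-encryption' string is not a secret.

Added example (not CIS tooling). XLAT is the fixed key stream used by
Cisco's type 7 obfuscation; SAMPLE_CONFIG is constructed for this demo and
its type 5 / type 9 values are placeholders, not real hashes.
"""
import re
from typing import List, Tuple

XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_encode(plain: str, seed: int = 2) -> str:
    """Two-digit seed, then each plaintext byte XORed with XLAT[seed + i], hex-encoded."""
    body = "".join(
        f"{ord(ch) ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}" for i, ch in enumerate(plain)
    )
    return f"{seed:02d}{body}"


def type7_decode(blob: str) -> str:
    """Invert type7_encode: the 'key' is public, so anyone holding the config can do this."""
    seed = int(blob[:2], 10)
    pairs = [blob[i:i + 2] for i in range(2, len(blob), 2)]
    return "".join(
        chr(int(p, 16) ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, p in enumerate(pairs)
    )


# 'enable password|secret [TYPE] VALUE' and 'username NAME [privilege N] password|secret [TYPE] VALUE'
CRED_RE = re.compile(
    r"^(?:enable|username \S+(?: privilege \d+)?) (password|secret) (?:(\d) )?(\S+)$"
)


def audit_credentials(config_text: str) -> List[Tuple[str, str, str]]:
    """Return (config line, verdict, recovered plaintext or '') per credential line.

    Verdicts: 'cleartext' (type 0 or untyped), 'reversible' (type 7, decoded on
    the spot), 'hashed' (type 5, 8 or 9: one-way, nothing to recover here).
    """
    findings = []
    for line in config_text.splitlines():
        line = line.strip()
        m = CRED_RE.match(line)
        if not m:
            continue
        _, ptype, value = m.groups()
        if ptype == "7":
            findings.append((line, "reversible", type7_decode(value)))
        elif ptype in ("5", "8", "9"):
            findings.append((line, "hashed", ""))
        else:
            findings.append((line, "cleartext", value))
    return findings


# Constructed sample: the second type 7 value is generated here so the demo stays self-contained.
SAMPLE_CONFIG = f"""\
service password-encryption
enable password 7 02050D480809
enable secret 5 $1$salt$placeholderhashvalue
username backup privilege 15 password 7 {type7_encode('B4ckup!Pass', seed=9)}
username ops secret 9 $9$placeholderscrypthash
username legacy password 0 Welcome1
"""

if __name__ == "__main__":
    for line, verdict, recovered in audit_credentials(SAMPLE_CONFIG):
        print(f"{verdict:10s} {line}" + (f"  -> {recovered}" if recovered else ""))
```

The audit treats 'enable password 7 ...' exactly like a cleartext line because the decoder recovers the original value immediately; only the 'secret' lines survive exposure of the configuration file.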
SNMP Rules
Organizations that do not use SNMP should disable it entirely by running 'no snmp-server'. To reduce the risk of unauthorized access, organizations should remove the easy-to-guess default community strings 'public' and 'private' ('no snmp-server community public', 'no snmp-server community private').
To reduce the risk of unauthorized access, organizations should not grant SNMP write access ('RW') to any community, and should apply an access control list to every community so that only trusted management hosts can query the device. Organizations using SNMP can significantly reduce the risk of unauthorized access by using SNMPv3 with a group configured as 'snmp-server group <name> v3 priv', which requires both authentication and encryption of messages in transit.
Likewise, 'snmp-server user <user> <group> v3 auth <sha|md5> <password> priv <aes 128|...> <password>' creates the SNMPv3 user with authentication and privacy protocols, so that messages are authenticated and encrypted in transit.
Global Service Rules
To reduce the risk of unauthorized access, organizations should implement a security policy that restricts network protocols and explicitly requires that all unsafe or unnecessary services be disabled. On Cisco IOS this includes the BOOTP server ('no ip bootp server'), the DHCP server and relay service ('no service dhcp'), and the ident service ('no ip identd').
The same policy should require that idle or broken sessions are detected and cleared rather than left hanging: 'service tcp-keepalives-in' and 'service tcp-keepalives-out' make the router probe incoming and outgoing TCP sessions and tear down those whose peer no longer responds.
Finally, the packet assembler/disassembler (PAD) service, used only for X.25, should be disabled with 'no service pad'.
Logging Rules
Console and terminal-monitor logging are useful for debugging and monitoring while logged in to the router, but they retain nothing once the session ends. Enabling 'logging buffered' keeps recent events in the device's internal buffer, which supports basic data forensics; because that buffer has limited capacity, logging to an external syslog system is highly recommended or required by most security policies, since it provides protected long-term storage.
The 'logging host <address>' command sets the IP address of the logging host and starts sending messages to it. The 'service timestamps log datetime' command adds the date and time to every entry sent to the log host, so that events can be correlated across devices.
The 'logging source-interface Loopback<n>' command makes the router send all log messages from one stable IP address; this is required so that the logging server sees a consistent source address for each router and can filter on it.
NTP Rules
Organizations should establish at least two (preferably three or more) Network Time Protocol (NTP) hosts to set consistent time across the enterprise; 'ntp server <address>' enables the router to synchronize its system software clock with the specified server. Using an authentication key ('ntp authenticate', 'ntp authentication-key', 'ntp trusted-key', and the 'key' option on each 'ntp server' line) provides a higher level of security, because only NTP servers that know the correct key can update the time on the Cisco device.
This authentication feature protects against the router accidentally, or through an attacker's rogue server, synchronizing with an untrusted system, because the other system must know the correct authentication key. To ensure that the time on your Cisco router is consistent with other devices on your network, configure these NTP servers outside the router rather than relying on its local clock.
Loopback Rules
Configuring 'ip tacacs source-interface' or 'ip radius source-interface' on a loopback is necessary so that the AAA server (RADIUS or TACACS+) can easily identify the router and authenticate requests by a fixed IP address. Configuring 'ntp source' on a loopback may be necessary if the NTP servers filter clients based on IP address; organizations should plan and implement NTP services to establish the official time for all enterprise network devices.
Configuring 'ip tftp source-interface' on a loopback is required so that TFTP servers can identify routers and authenticate requests by IP address. Without a source-interface setting, the address of the interface closest to the destination is chosen as the source address, so the address the server sees changes with the route in use.
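The script below is an added example, not CIS audit tooling; it turns the SNMP, global service, logging, NTP and loopback rules above into checks over a saved 'show running-config' and runs them against two constructed configurations, one weak and one hardened. The key string, community string and addresses in those configurations are placeholders; each regular expression encodes the line the benchmark expects to see (or not see) in the configuration.

```python
"""Offline audit of a Cisco IOS running-config against the SNMP, global
service, logging, NTP and loopback rules above.

Added example, not CIS audit tooling. WEAK_CONFIG and HARDENED_CONFIG are
constructed for this demo (key, community and addresses are placeholders).
"""
import re
from typing import Callable, Dict, List

Check = Callable[[List[str]], bool]  # returns True when the rule is violated


def has(cfg: List[str], pattern: str) -> bool:
    return any(re.match(pattern, line) for line in cfg)


def require(pattern: str) -> Check:
    """Violated when no line matches, e.g. a missing 'no service pad'."""
    return lambda cfg: not has(cfg, pattern)


def forbid(pattern: str) -> Check:
    """Violated when some line matches, e.g. a default community string."""
    return lambda cfg: has(cfg, pattern)


def ntp_servers_ok(cfg: List[str]) -> bool:
    """At least three 'ntp server' lines, each bound to an authentication key."""
    servers = [line for line in cfg if re.match(r"ntp server \S+", line)]
    return len(servers) >= 3 and all(" key " in line for line in servers)


# Services that are on by default only show up in the config as 'no ...' lines,
# hence require() on the negated form; things that are off by default are forbid()den.
RULES: Dict[str, Check] = {
    "snmp: default community string":   forbid(r"snmp-server community (public|private)\b"),
    "snmp: community with write access": forbid(r"snmp-server community \S+ RW\b"),
    "snmp: community without ACL":      forbid(r"snmp-server community \S+( R[OW])?\s*$"),
    "snmp: v3 group without priv":      lambda c: (has(c, r"snmp-server group ")
                                                    and not has(c, r"snmp-server group \S+ v3 priv\b")),
    "svc: bootp server enabled":        require(r"no ip bootp server$"),
    "svc: dhcp service enabled":        require(r"no service dhcp$"),
    "svc: identd enabled":              forbid(r"ip identd$"),
    "svc: tcp keepalives missing":      lambda c: not (has(c, r"service tcp-keepalives-in$")
                                                       and has(c, r"service tcp-keepalives-out$")),
    "svc: pad service enabled":         require(r"no service pad$"),
    "log: no buffered logging":         require(r"logging buffered\b"),
    "log: no external syslog host":     require(r"logging (host )?\d+\.\d+\.\d+\.\d+"),
    "log: no timestamps":               require(r"service timestamps log datetime"),
    "log: source not loopback":         require(r"logging source-interface [Ll]oopback"),
    "ntp: <3 authenticated servers":    lambda c: not ntp_servers_ok(c),
    "ntp: authentication not enabled":  require(r"ntp authenticate$"),
    "ntp: no trusted key":              require(r"ntp trusted-key \d+"),
    "loop: aaa source not loopback":    require(r"ip (tacacs|radius) source-interface [Ll]oopback"),
    "loop: ntp source not loopback":    require(r"ntp source [Ll]oopback"),
    "loop: tftp source not loopback":   require(r"ip tftp source-interface [Ll]oopback"),
}


def audit(config_text: str) -> List[str]:
    """Return the names of violated rules, in RULES order."""
    cfg = [line.strip() for line in config_text.splitlines()
           if line.strip() and not line.lstrip().startswith("!")]
    return [name for name, violated in RULES.items() if violated(cfg)]


WEAK_CONFIG = """\
hostname edge-rtr
snmp-server community public RO
snmp-server community private RW
logging 10.1.1.5
ntp server 10.1.1.10
"""

HARDENED_CONFIG = """\
hostname edge-rtr
service timestamps log datetime msec localtime show-timezone
service tcp-keepalives-in
service tcp-keepalives-out
no service pad
no service dhcp
no ip bootp server
ip access-list standard SNMP-MGMT
 permit 10.1.1.0 0.0.0.255
snmp-server community 7rK2p9vQ RO SNMP-MGMT
snmp-server group NETOPS v3 priv
logging buffered 64000 informational
logging host 10.1.1.5
logging source-interface Loopback0
ntp authentication-key 1 md5 PLACEHOLDER-KEY
ntp authenticate
ntp trusted-key 1
ntp source Loopback0
ntp server 10.1.1.10 key 1
ntp server 10.1.1.11 key 1
ntp server 10.1.1.12 key 1
ip tacacs source-interface Loopback0
ip tftp source-interface Loopback0
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(text) or "OK")
```

Two caveats when running this against real devices: 'snmp-server user' lines are not shown in the running configuration, so SNMPv3 users have to be verified with 'show snmp user' rather than with a text check, and the patterns are prefix matches, so a line such as 'logging buffered 64000 informational' satisfies the buffered-logging rule without the script judging whether the size or severity is adequate.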
Services and settings related to data passing through the router (as opposed to traffic addressed to the router itself).
Routing Rules
The 'ip source-route' feature has been used in several attacks and should be disabled with 'no ip source-route'. Proxy ARP is a service in which a device connected to one network (in this case the Cisco router) answers ARP requests addressed to a host on another network with its own MAC address and then forwards the traffic to the intended host. Sometimes used to extend broadcast domains over WAN links, proxy ARP on corporate networks is most often used to enable communication for misconfigured hosts.
Proxy ARP can also allow other security controls, such as private VLANs (PVLANs), to be bypassed. If it is needed, network administrators should be well aware of where it is enabled and why, and disable it on every other interface with 'no ip proxy-arp'. Organizations should design and implement enterprise network security policies that disable dangerous and unnecessary features that increase the attack surface, such as tunnel interfaces.
Organizations should design and implement enterprise security policies that protect the confidentiality, integrity, and availability of network devices.
Border Router Filtering
Organizations should plan and implement enterprise security policies that explicitly separate internal and external networks. Adding an 'ip access-list' that explicitly permits and denies internal and external networks enforces these policies. This command puts the router into access-list configuration mode, where the conditions for permitted or denied traffic are defined with 'permit' and 'deny' entries.
To reduce the effectiveness of IP spoofing, configure the access list to deny any traffic arriving from the external network whose source address belongs to the internal network (or to any other prefix that could not legitimately arrive on that interface). Organizations must plan and implement enterprise security policies that clearly allow and deny access based on access lists; applying the list to the external interface with the 'ip access-group <name> in' command enforces these policies.
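The following script is an added example, not part of the benchmark; it parses a constructed ingress anti-spoofing ACL of the kind described above and evaluates sample packets against it the way the router would (first matching entry wins, implicit deny at the end), so the effect of each deny line can be checked before the list is applied with 'ip access-group EXTERNAL-IN in'. The ACL name, the prefixes (203.0.113.0/24 stands in for the organization's own public block) and the packets are all constructed, and only the subset of extended-ACL syntax used here is parsed.

```python
"""Evaluate an ingress anti-spoofing ACL offline, the way the router would.

Added example, not the benchmark's own text. ACL_TEXT and the packets are
constructed (203.0.113.0/24 stands in for the organization's public block).
Only this subset of IOS extended-ACL syntax is parsed:
    (permit|deny) (ip|tcp|udp) SRC DST [eq PORT] [log]
with SRC and DST each one of: any | host A.B.C.D | A.B.C.D WILDCARD
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACL_TEXT = """\
ip access-list extended EXTERNAL-IN
 remark Anti-spoofing: packets from outside may not claim an internal or own-prefix source
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 203.0.113.0 0.0.0.255 any log
 permit tcp any 203.0.113.0 0.0.0.255 eq 443
 permit udp any host 203.0.113.53 eq 53
 deny   ip any any log
"""

ACE_RE = re.compile(
    r"^(permit|deny)\s+(ip|tcp|udp)\s+"
    r"(any|host \S+|\S+ \S+)\s+(any|host \S+|\S+ \S+)"
    r"(?:\s+eq\s+(\d+))?(?:\s+log)?$"
)


@dataclass
class Ace:
    action: str
    proto: str
    src: Tuple[int, int]   # (address, wildcard) as 32-bit ints
    dst: Tuple[int, int]
    dport: Optional[int]


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _addr_spec(spec: str) -> Tuple[int, int]:
    """'any' matches everything; 'host X' is exact; 'X W' uses a wildcard (1 bits = don't care)."""
    if spec == "any":
        return 0, 0xFFFFFFFF
    if spec.startswith("host "):
        return _ip(spec.split()[1]), 0
    addr, wild = spec.split()
    return _ip(addr), _ip(wild)


def parse_acl(text: str) -> List[Ace]:
    aces = []
    for raw in text.splitlines():
        line = re.sub(r"\s+", " ", raw.strip())
        m = ACE_RE.match(line)
        if not m:  # the 'ip access-list' header and remark lines are not entries
            continue
        action, proto, src, dst, port = m.groups()
        aces.append(Ace(action, proto, _addr_spec(src), _addr_spec(dst),
                        int(port) if port else None))
    return aces


def _matches(spec: Tuple[int, int], ip: int) -> bool:
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (ip & care) == (addr & care)


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First matching entry wins; the implicit trailing 'deny ip any any' is reported as index None."""
    s, d = _ip(src), _ip(dst)
    for i, ace in enumerate(aces):
        if ace.proto not in ("ip", proto):
            continue
        if not (_matches(ace.src, s) and _matches(ace.dst, d)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, i
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for pkt in (("tcp", "10.1.2.3", "203.0.113.10", 443),      # spoofed internal source
                ("tcp", "203.0.113.9", "203.0.113.10", 443),   # spoofed own-prefix source
                ("tcp", "198.51.100.7", "203.0.113.10", 443),  # legitimate HTTPS
                ("tcp", "198.51.100.7", "203.0.113.10", 22)):  # unsolicited SSH
        print(pkt, "->", evaluate(acl, *pkt))
```

The deny entries for the internal and own-prefix ranges sit before every permit so that no later permit can let a spoofed packet through; the same idea applied outbound (permit only sources inside the organization's own block) stops the organization's hosts from emitting spoofed packets toward others.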
Neighbor Authentication
Using 'address-family' configuration for EIGRP enforces these policies by restricting the exchange to predefined network entities. Configuring an 'authentication key-chain' under the EIGRP address family restricts packet exchange to routers that hold the configured key, and 'authentication mode' for EIGRP address-family or service-family packets enforces these policies by limiting the type of authentication (for example MD5 or HMAC-SHA-256) between network devices.
Configuring the EIGRP authentication key chain (key number and key string) restricts packet exchanges between network devices. Configuring the correct 'ip rip authentication key-chain (name)' for RIPv2 enforces these policies by restricting the keys that are accepted, and 'ip rip authentication mode md5' enforces them by restricting the authentication type to keyed MD5 instead of clear-text.
Using 'neighbor <address> password' for BGP enforces these policies by requiring TCP MD5 authentication between peers, so that only a peer holding the shared password can establish the session.