XCCDF Sample for Cisco IOS

Status: draft (as of 2004-10-07)

Version: 0.12.1

Applies to:

Contents

1. Introduction

2. Tailoring Values

2.1. IOS - line exec timeout value

2.2. Logging level for buffered logging

3. Rules

3.1. Management Plane Rules

3.1.1. IOS 11 - no IP finger service

3.1.2. IOS 12 - no IP finger service

3.1.3. Require exec session timeout on admin sessions

3.2. Control Plane Rules

3.2.1. Disable tcp-small-servers

3.2.2. Disable udp-small-servers

3.2.3. Set the buffered logging level

3.3. Data Plane Level 1

3.3.1. Routing Rules

3.3.1.1. IOS - no directed broadcasts

4. Profiles

4.1. Sample Profile No. 1

4.2. Sample Profile No. 2

5. References

1. Introduction

This benchmark assumes that you are running IOS 11.3 or later.

Description

This document defines a small set of rules for securing Cisco IOS routers. The set of rules constitutes a benchmark. A benchmark usually represents an industry consensus of best practices. It lists steps to be taken as well as the rationale for them. This particular benchmark is merely a small subset of the rules that would be necessary for securing an IOS router.

Legal Notice

2. Tailoring Values

2.1. Value: IOS - line exec timeout value

Type: number

Operator: less than or equal

Value and value constraints:

  Property     Selector   Value
  value        *          10
  default      strict     10
  default      lenient    30
  lower-bound  *          1
  upper-bound  *          60

Description

The length of time that an interactive session should be allowed to stay idle before being terminated. Expressed in minutes.

2.2. Value: Logging level for buffered logging

Type: string

Operator: equals

Value and value constraints:

  Property   Selector   Value
  value      strict     informational
  value      lenient    warning
  value      *          notification
  choices    *          Exclusive values:
                          • warning
                          • notification
                          • informational
                          • debug

Description

Logging level for buffered logging; this setting is a severity level. Every audit message of this severity or more (worse) will be logged.
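
The two tailoring Values above can be modelled directly: each has a per-selector table, constraints (bounds for the number, an exclusive choice list for the string) and an operator that a checker applies to the observed setting. The following is an added example, not XCCDF tooling or code from this benchmark; its resolution order (profile override, then the selector's "value" row, then its "default" row, then the "*" row) is the example's own choice, and the identifiers `EXEC_TIMEOUT` and `BUFFERED_LOGGING_LEVEL` are assumed names.

```python
"""Model of the section 2 tailoring Values (added example, not XCCDF tooling)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

Scalar = Union[int, float, str]


@dataclass
class TailoringValue:
    id: str
    type: str                                   # 'number' or 'string', as on the page
    operator: str                               # 'less than or equal' or 'equals'
    values: Dict[str, Scalar]                   # selector -> value; '*' is the unselected row
    defaults: Dict[str, Scalar] = field(default_factory=dict)  # the page's 'default' rows
    lower_bound: Optional[float] = None
    upper_bound: Optional[float] = None
    choices: Optional[List[str]] = None         # exclusive choice list, if the Value has one

    def validate(self, candidate: Scalar) -> Scalar:
        """Reject a candidate that violates the Value's constraints."""
        if self.type == 'number':
            candidate = float(candidate)
            if self.lower_bound is not None and candidate < self.lower_bound:
                raise ValueError(f'{self.id}: {candidate} is below lower-bound {self.lower_bound}')
            if self.upper_bound is not None and candidate > self.upper_bound:
                raise ValueError(f'{self.id}: {candidate} is above upper-bound {self.upper_bound}')
            return candidate
        if self.choices is not None and candidate not in self.choices:
            raise ValueError(f'{self.id}: {candidate!r} is not one of {self.choices}')
        return candidate

    def resolve(self, selector: str = '*', override: Optional[Scalar] = None) -> Scalar:
        """Effective value: profile override, then the selector's 'value' row,
        then its 'default' row, then the '*' row (example's own order)."""
        if override is not None:
            candidate = override
        elif selector in self.values:
            candidate = self.values[selector]
        elif selector in self.defaults:
            candidate = self.defaults[selector]
        else:
            candidate = self.values['*']
        return self.validate(candidate)

    def check(self, observed: Scalar, selector: str = '*',
              override: Optional[Scalar] = None) -> bool:
        """Apply the Value's operator to a setting observed on the router."""
        target = self.resolve(selector, override)
        if self.operator == 'less than or equal':
            return float(observed) <= float(target)
        if self.operator == 'equals':
            return str(observed) == str(target)
        raise ValueError(f'{self.id}: unsupported operator {self.operator!r}')


# The two Values of section 2, transcribed from the page's tables.
EXEC_TIMEOUT = TailoringValue(
    id='exec-timeout-minutes', type='number', operator='less than or equal',
    values={'*': 10}, defaults={'strict': 10, 'lenient': 30},
    lower_bound=1, upper_bound=60)

BUFFERED_LOGGING_LEVEL = TailoringValue(
    id='buffered-logging-level', type='string', operator='equals',
    values={'strict': 'informational', 'lenient': 'warning', '*': 'notification'},
    choices=['warning', 'notification', 'informational', 'debug'])


if __name__ == '__main__':
    for sel in ('*', 'strict', 'lenient'):
        print(sel, EXEC_TIMEOUT.resolve(sel), BUFFERED_LOGGING_LEVEL.resolve(sel))
    print('15 min idle under lenient:', EXEC_TIMEOUT.check(15, 'lenient'))
    print('15 min idle under strict:', EXEC_TIMEOUT.check(15, 'strict'))
```

Because `validate` runs on every resolution, a profile that tries to set the timeout to 0 (which on IOS would disable the idle timeout altogether) or to a logging level outside the choice list is rejected before any rule is evaluated with it.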

3. Rules

3.1. Group: Management Plane Rules

Services, settings, and data streams related to setting up and examining the static configuration of the router, and the authentication and authorization of administrators/operators.

Dependencies

3.1.1. Rule: IOS 11 - no IP finger service

Applies only to:

  • Cisco IOS Routers version 11.x

Disable the finger service; it can reveal information about logged-in users to unauthorized parties.

Remediation

Fix:

no service finger

3.1.2. Rule: IOS 12 - no IP finger service

Applies only to:

  • Cisco IOS Routers version 12+

Disable the finger service; it can reveal information about logged-in users to unauthorized parties.

Remediation

Fix:

no ip finger

3.1.3. Rule: Require exec session timeout on admin sessions

Configure each administrative access line to terminate idle sessions after a fixed period of time (determined by local policy).

Rationale

If an exec session is left unattended, an unauthorized party may join the session and execute commands with elevated privileges. A timeout helps to reduce the likelihood of this, by shortening the window of opportunity for an attacker. In addition to setting a timeout, TCP keep-alives should be enabled for incoming sessions using the command service tcp-keepalives in.

3.2. Group: Control Plane Rules

Services, settings, and data streams that support and document the operation, traffic handling, and dynamic status of the router.

3.2.1. Rule: Disable tcp-small-servers

Disable unnecessary services such as echo, chargen, etc.

Remediation

Disable TCP small servers in IOS global config mode.

Fix:

no service tcp-small-servers

3.2.2. Rule: Disable udp-small-servers

Disable unnecessary datagram services such as echo, chargen, etc.

Remediation

Disable UDP small servers in IOS global config mode.

Fix:

no service udp-small-servers

3.2.3. Rule: Set the buffered logging level

Set the buffered logging level to one of the appropriate levels, Warning or higher. The logging level should be set explicitly.

Remediation

3.3. Group: Data Plane Level 1

Services and settings related to the data passing through the router (as opposed to directed to it). Basically, the data plane is for everything not in control or management planes.

3.3.1. Group: Routing Rules

Rules in this group affect traffic forwarded through the router, including router actions taken on receipt of special data traffic.

3.3.1.1. Rule: IOS - no directed broadcasts

Disable IP directed broadcast on each interface.

Remediation

Disable IP directed broadcast on each interface using IOS interface configuration mode.

Fix:

no ip directed-broadcast
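
The rules in sections 3.1 through 3.3 can be audited offline against a captured running-config: global commands cover the finger, small-servers and logging rules, while the exec timeout and directed-broadcast rules apply per `line` and per `interface` section. The following checker is an added example, not part of this benchmark or of any XCCDF tool; the running-config it parses is constructed for the example and deliberately fails two rules. It assumes that a service whose enabling command is absent from the config is off (the default for these services on 12.x images; confirm with show commands on older images), treats `exec-timeout 0 0` as a failure because it disables the idle timeout, and maps the benchmark's level names (`warning`, `notification`, `debug`) onto the IOS keywords (`warnings`, `notifications`, `debugging`). The function and rule names are the example's own.

```python
"""Audit an IOS running-config against the section 3 rules (added example)."""
import re
from typing import Dict, List, Tuple

Result = Tuple[bool, str]

# Constructed sample config (not from a real device); vty 0 4 and Fa0/1 fail.
SAMPLE_CONFIG = """\
version 12.4
no service tcp-small-servers
no service udp-small-servers
hostname sample-rtr
logging buffered 16384 warnings
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip directed-broadcast
!
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 0 0
 transport input ssh
!
end
"""

# IOS severity keywords, plus the benchmark's own names mapped onto them.
SEVERITY = {'emergencies': 0, 'alerts': 1, 'critical': 2, 'errors': 3,
            'warnings': 4, 'notifications': 5, 'informational': 6, 'debugging': 7}
ALIASES = {'warning': 'warnings', 'notification': 'notifications', 'debug': 'debugging'}


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global commands and the indented
    sub-commands of each 'interface' / 'line' section."""
    global_cmds: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith('!'):
            current = None            # '!' separators close the current section
            continue
        if raw.startswith(' '):
            if current is not None:
                sections[current].append(raw.strip())
            continue
        cmd = raw.strip()
        global_cmds.append(cmd)
        if cmd.startswith(('interface ', 'line ')):
            current = cmd
            sections.setdefault(current, [])
        else:
            current = None
    return global_cmds, sections


def service_disabled(cmds: List[str], enable_cmd: str) -> Result:
    """Pass on an explicit 'no <cmd>', or when the enabling command is absent
    (assumption: absent means the image default, which is off for these)."""
    if f'no {enable_cmd}' in cmds:
        return True, f'explicit "no {enable_cmd}"'
    if enable_cmd in cmds:
        return False, f'"{enable_cmd}" is configured'
    return True, f'"{enable_cmd}" absent (assumed off by default)'


def check_exec_timeout(sections: Dict[str, List[str]], max_minutes: int) -> Dict[str, Result]:
    """Rule 3.1.3: every 'line' must set a non-zero exec-timeout within the
    tailored limit; 'exec-timeout 0 0' disables the timeout entirely."""
    out: Dict[str, Result] = {}
    for name, cmds in sections.items():
        if not name.startswith('line '):
            continue
        match = None
        for c in cmds:
            match = re.fullmatch(r'exec-timeout (\d+)(?: (\d+))?', c)
            if match:
                break
        if match is None:
            out[name] = (False, 'exec-timeout not set explicitly')
            continue
        minutes, seconds = int(match.group(1)), int(match.group(2) or 0)
        if minutes == 0 and seconds == 0:
            out[name] = (False, 'exec-timeout 0 0 disables the idle timeout')
        elif minutes * 60 + seconds <= max_minutes * 60:
            out[name] = (True, f'idle timeout {minutes}m{seconds}s')
        else:
            out[name] = (False, f'idle timeout {minutes}m{seconds}s exceeds {max_minutes}m')
    return out


def check_logging_level(global_cmds: List[str], wanted: str) -> Result:
    """Rule 3.2.3 with the 'equals' operator: the buffered level must be set
    explicitly and must equal the tailored value."""
    for c in global_cmds:
        m = re.fullmatch(r'logging buffered(?: (\d+))?(?: ([a-z]+))?', c)
        if not m:
            continue
        level = m.group(2)
        if level is None and m.group(1) and int(m.group(1)) <= 7:   # numeric level form
            level = next(k for k, v in SEVERITY.items() if v == int(m.group(1)))
        if level is None:
            return False, 'logging buffered has no explicit level'
        target = ALIASES.get(wanted, wanted)
        return level == target, f'buffered level {level}, benchmark wants {target}'
    return False, 'logging buffered not configured'


def audit(text: str, max_timeout_minutes: int = 10, logging_level: str = 'warning') -> Dict[str, Result]:
    """Evaluate every section 3 rule; the two parameters are the tailoring values."""
    global_cmds, sections = parse_config(text)
    version = next((c.split()[1] for c in global_cmds if c.startswith('version ')), '')
    finger_cmd = 'service finger' if version.startswith('11.') else 'ip finger'   # 3.1.1 vs 3.1.2
    results = {
        'no-finger': service_disabled(global_cmds, finger_cmd),
        'no-tcp-small-servers': service_disabled(global_cmds, 'service tcp-small-servers'),
        'no-udp-small-servers': service_disabled(global_cmds, 'service udp-small-servers'),
        'buffered-logging-level': check_logging_level(global_cmds, logging_level),
    }
    for line, res in check_exec_timeout(sections, max_timeout_minutes).items():
        results[f'exec-timeout:{line}'] = res
    for name, cmds in sections.items():
        if name.startswith('interface '):
            results[f'no-directed-broadcast:{name}'] = service_disabled(cmds, 'ip directed-broadcast')
    return results


if __name__ == '__main__':
    for rule, (ok, why) in audit(SAMPLE_CONFIG).items():
        print(f'{"PASS" if ok else "FAIL"}  {rule:50} {why}')
```

Run on the sample, the checker passes the finger, small-servers, logging and `con 0` rules and fails `vty 0 4` (timeout disabled) and `FastEthernet0/1` (directed broadcast enabled); passing `logging_level='notification'` or `max_timeout_minutes=3` instead shows how a lenient or strict profile changes the verdicts without touching the rule logic.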

4. Profiles

4.1. Profile: Sample Profile No. 1

Item Selections

Value Settings

Tailoring value adjustments explicitly set for this profile:

4.2. Profile: Sample Profile No. 2

5. References

  1. NSA Router Security Configuration Guide, Version 1.1b [link]
  2. SANS Securing Cisco Routers Step-by-Step