Date posted: 23-Dec-2015
Uploaded by: tamsin-malone
• Cisco IOS provides for 16 different privilege levels ranging from 0 to 15.
• Cisco IOS comes with two predefined user levels: user mode runs at privilege level 1, and "enabled" (privileged) mode runs at level 15.
• Every IOS command is pre-assigned to either level 1 or level 15.
• Security best practice is to have passwords managed by a TACACS+ or RADIUS server.
• Locally configured passwords are still required in the event that the TACACS+ or RADIUS services fail.
• Cisco IOS has two password protection schemes:
• Type 7 uses the Cisco-defined encryption algorithm, which is weak.
• Type 5 uses an iterated MD5 hash, which is much stronger.
• Cisco recommends removing all Type 7 passwords and using Type 5 encryption.
• To prevent passwords from showing up as plain text when viewing the configuration files use the service password-encryption command.
• Review configuration to verify:
• Line and enable passwords are configured.
• Service password-encryption command has been configured.
• Verify that policy establishes sound password guidelines for network devices.
• Complexity
• Minimum length
• Max age
• The console (con) and auxiliary (aux) ports on Cisco routers are used for serial connections.
• The console (con) port is the default location for performing router management and configuration.
• The con port provides out-of-band access to a router as no networking services are needed.
• The VTY port is used for remote access; network services must be available for it to work.
• In general, the auxiliary port should be disabled.
• Review configuration to verify:
• Each authorized user is required to log in using their own account.
• Console line timeout has been configured.
• Verify that the computer attached to the con port is standalone and protected from unauthorized access.
• The primary mechanism for remote administration of Cisco routers is logging in via Telnet or SSH on the virtual terminal (vty) lines.
• Telnet – anyone with a network sniffer and access to the right LAN segment can acquire the router account and password.
• SSH – should be used instead, as it provides confidentiality and integrity.
• AAA is the mechanism Cisco recommends for remote administration authentication, authorization and accounting.
• AAA authentication is set up using method lists.
• The authentication method list defines the types of authentication to be performed and the sequence in which to apply them.
• Lists are applied to the appropriate lines and interfaces.
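The review checks listed on this page (service password-encryption set, enable secret rather than Type 7 passwords, console timeout, aux port disabled, per-user login, SSH-only vty access) as an added configuration-audit script; this is example code written for these notes, not from the original slides or from Cisco, and the running-config excerpt it checks is constructed (hypothetical hash values).

```python
# Constructed sample running-config excerpt (hypothetical; not from any real device).
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 094F471A1A0A
line con 0
 exec-timeout 10 0
 login local
line aux 0
 no exec
line vty 0 4
 transport input telnet ssh
 login local
"""

def split_sections(config):  # -> (global commands, {"line ...": [sub-commands]})
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if raw.startswith(" ") and current is not None:
            sections[current].append(cmd)            # indented: belongs to current line
        elif cmd.startswith("line "):
            current = cmd
            sections[current] = []
        elif cmd and not cmd.startswith("!"):        # any other global command
            current = None
            global_cmds.append(cmd)
    return global_cmds, sections

def audit_config(config):  # -> list of findings for the review checks on this page
    findings = []
    global_cmds, sections = split_sections(config)
    if "service password-encryption" not in global_cmds:
        findings.append("service password-encryption not configured")
    if not any(c.startswith("enable secret") for c in global_cmds):
        findings.append("enable secret (Type 5) not configured")
    findings += ["Type 7 password in: " + c.rsplit(" ", 1)[0]   # Type 7 is reversible
                 for c in global_cmds if " password 7 " in c]
    for name, cmds in sections.items():
        if name.startswith("line aux"):
            if "no exec" not in cmds and "transport input none" not in cmds:
                findings.append(name + ": auxiliary port not disabled")
            continue
        if not any(c.startswith("exec-timeout") for c in cmds) or "exec-timeout 0 0" in cmds:
            findings.append(name + ": exec-timeout not configured")
        if not any(c.startswith(("login local", "login authentication")) for c in cmds):
            findings.append(name + ": per-user login (local or AAA) not configured")
        if name.startswith("line vty"):
            transport = next((c for c in cmds if c.startswith("transport input")), "")
            if transport != "transport input ssh":
                findings.append(name + ": transport input not restricted to ssh")
    return findings
```

Run `audit_config(SAMPLE_CONFIG)` to list the four findings in the sample; an empty list means every check on this page passed for the lines present.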