
Cisco IOS provides for 16 different privilege levels ranging from 0 to 15. Cisco IOS comes with 2...

Date post: 23-Dec-2015
Upload: tamsin-malone

• Cisco IOS provides for 16 different privilege levels ranging from 0 to 15.

• Cisco IOS comes with 2 predefined user levels. User mode runs at privilege level 1 and “enabled” mode (privileged mode) runs at level 15.

• Every IOS command is pre-assigned to either level 1 or level 15.


• Security best practice is to have passwords managed with a TACACS+ or RADIUS server.

• Locally configured passwords are required in the event of failure of TACACS+ or RADIUS services.

• Cisco IOS has two password protection schemes:

• Type 7 uses the Cisco-defined encryption algorithm, which is weak.

• Type 5 uses an iterated MD5 hash, which is much stronger.

• Cisco recommends removing all Type 7 passwords and using Type 5 encryption.

• To prevent passwords from showing up as plain text when viewing the configuration files, use the service password-encryption command.


• Review configuration to verify:

• Line and enable passwords are configured.

• The service password-encryption command has been configured.

• Verify that policy establishes sound password guidelines for network devices.

• Complexity

• Minimum length

• Max age


• The console (con) and auxiliary (aux) ports on Cisco routers are used for serial connections.

• The console (con) port is the default location for performing router management and configuration.

• The con port provides out-of-band access to a router as no networking services are needed.

• The VTY port is used for remote access; network services must be available.


• In general, the auxiliary port should be disabled.

• Review configuration to verify:

• Each authorized user is required to log in using their own account.

• Console line timeout has been configured.

• Verify that the computer attached to the con port is standalone and protected from unauthorized access.


• The primary mechanism for remote administration of Cisco routers is logging in via Telnet or SSH on virtual terminal lines (vty).

• Telnet - anyone with a network sniffer and access to the right LAN segment can acquire the router account and password.

• SSH - should be used to provide confidentiality and integrity.

• AAA is the mechanism Cisco recommends for remote administration authentication, authorization and accounting.


• AAA authentication is set up using method lists.

• The authentication method list defines the types of authentication to be performed and the sequence in which to apply them.

• Lists are applied to the appropriate lines and interfaces.
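
The review items from the slides above can be checked mechanically against a saved running-config. The Python below is an added example, not part of the original slides: the sample config is constructed, its secrets are placeholders, the function names are hypothetical, and treating "no exec" as the marker for a disabled aux line is an assumption.

```python
import re

# Constructed sample running-config (not from a real device); secrets are placeholders.
SAMPLE = """\
no service password-encryption
enable password 7 TYPE7-PLACEHOLDER
aaa new-model
aaa authentication login default group tacacs+ local
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 transport input telnet ssh
 login authentication MGMT
"""

def line_sections(config):
    """Map each 'line ...' header to the sub-commands indented beneath it."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = sections.setdefault(raw.strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None
    return sections

def audit(config):
    """Return findings for the review items named on the slides."""
    top = [ln.strip() for ln in config.splitlines() if ln and not ln.startswith(" ")]
    lists = {ln.split()[3] for ln in top if ln.startswith("aaa authentication login ")}
    checks = [
        ("service password-encryption" not in top, "service password-encryption missing"),
        (not any(ln.startswith("enable secret ") for ln in top), "no enable secret"),
        (re.search(r"\bpassword 7 \S+", config), "Type 7 password present"),
        ("aaa new-model" not in top or not lists, "AAA login method list missing"),
    ]
    out = [msg for bad, msg in checks if bad]
    for name, cmds in line_sections(config).items():
        if name.startswith("line con") and "exec-timeout 0 0" in cmds:
            out.append(f"{name}: timeout disabled")
        if name.startswith("line aux") and "no exec" not in cmds:  # assumed marker
            out.append(f"{name}: not disabled")
        if name.startswith("line vty") and "transport input ssh" not in cmds:
            out.append(f"{name}: not restricted to SSH")
        for c in cmds:  # a line may only reference a method list that is defined
            if c.startswith("login authentication ") and c.split()[2] not in lists:
                out.append(f"{name}: undefined method list {c.split()[2]}")
    return out
```

Calling audit(SAMPLE) reports seven findings; an absent exec-timeout is not flagged because the IOS default then applies.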

