Configuring AAA requires four basic steps: 1.Enable AAA (new-model). 2.Configure security server...

Date post: 17-Jan-2016
Upload: dinah-whitehead
Transcript
Page 1: Configuring AAA requires four basic steps: 1.Enable AAA (new-model). 2.Configure security server network parameters. 3.Define one or more method lists.

Configuring AAA requires four basic steps:

1. Enable AAA (new-model).

2. Configure security server network parameters.

3. Define one or more method lists for AAA authentication.

4. Apply the method lists to a particular interface or line.

Page 2:

• Verify that SSH access is configured.

• Verify that HTTP access is disabled.

• Verify that explicitly defined protocols are allowed for incoming and outgoing sessions.

• Verify that access-class ACLs are used to control the sources from which sessions are going to be permitted.

• Verify the idle session timeout.

Page 3:

• As a security best practice, any unnecessary service must be disabled.

• By default, TCP and UDP small services are disabled in IOS software releases 12.0 and later.

• See the reference material for a full listing of services that should be disabled.

• Review configuration files to verify that unnecessary services have been disabled.

Page 4:

• The commands tcp-keepalives-in and tcp-keepalives-out enable a device to send and receive TCP keepalives for TCP sessions.

• This ensures that the device on the remote end of the connection is still accessible and that half-open or orphaned connections are removed from the local Cisco device.

• Review the config file to verify that keepalives have been configured.

Page 5:

• If NTP is used, it is important to explicitly configure a trusted time source.

• Accurate and reliable time is required for syslog purposes, such as during forensic investigations of potential attacks.

• Review the configuration to verify the following:

• The router has been configured as an NTP client.

• The NTP source interface has been configured.

• One or more NTP servers have been configured.

• An ACL has been established to permit NTP to the device.

Page 6:

• SNMP provides information on the status or condition of network devices.

• SNMPv3 provides secure access to devices by authenticating and optionally encrypting packets over the network.

• Community strings are passwords that are applied to an IOS device to restrict access.

• The default community string for read-only access is “public”.

• The default community string for read-write access is “private”.

Page 7:

• Community strings should be treated like passwords: chosen carefully and changed at regular intervals.

• An ACL can be applied that further restricts SNMP access to a select group of source IP addresses.

• Verify that SNMPv3 is implemented with encryption.

• Verify that ACLs are used to restrict access.

Page 8:

• Event logging provides visibility into the operation of a Cisco IOS device and the network into which it is deployed.

• Each log message generated by a Cisco device is assigned a severity level from 0 (emergency) to 7 (debug).
