Configuring AAA requires four basic steps:
1. Enable AAA (aaa new-model).
2. Configure the network parameters of the security server (TACACS+ or RADIUS).
3. Define one or more method lists for AAA authentication.
4. Apply the method lists to a particular interface or line (for example, the vty lines).
• Verify that SSH access is configured.
• Verify that HTTP access is disabled.
• Verify that only explicitly defined protocols are allowed for incoming and outgoing sessions (transport input / transport output on the line).
• Verify that access-class ACLs are used to control the sources from which sessions are permitted.
• Verify that an idle session timeout (exec-timeout) is configured and has not been set to 0 (never expire).
• As a security best practice, any unnecessary service must be disabled.
• By default, TCP and UDP small services are disabled in IOS software releases 12.0 and later.
• See the reference material for a full list of services that should be disabled.
• Review configuration files to verify that unnecessary services have been disabled.
• The commands service tcp-keepalives-in and service tcp-keepalives-out enable a device to send and receive TCP keepalives for TCP sessions.
• This ensures that the device on the remote end of the connection is still reachable and that half-open or orphaned connections are removed from the local Cisco device.
• Review the configuration file to verify that both keepalive commands have been configured (neither is enabled by default).
• If NTP is used, it is important to explicitly configure a trusted time source.
• Accurate and reliable time is required for syslog purposes, such as during forensic investigations of potential attacks.
• Review the configuration to verify the following:
• The router has been configured as an NTP client (ntp server).
• The NTP source interface has been configured (ntp source).
• One or more NTP servers have been configured.
• An ACL has been applied (ntp access-group) to restrict which peers and servers may exchange NTP with the device.
• SNMP provides information on the status and condition of network devices.
• SNMPv3 provides secure access to devices by authenticating and optionally encrypting packets over the network.
• Community strings are the passwords that SNMPv1 and SNMPv2c apply on an IOS device to restrict access.
• The conventional default read-only community string is “public”.
• The conventional default read-write community string is “private”.
• Community strings should be treated like passwords: chosen carefully and changed at regular intervals.
• An ACL can be applied that further restricts SNMP access to a select group of source IP addresses
• Verify that SNMPv3 is implemented with authentication and encryption (a priv security level).
• Verify that ACLs are used to restrict SNMP access to the management hosts.
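The checks above (the four AAA steps, management access, small services, TCP keepalives, NTP, and SNMP) can all be applied offline to a saved configuration file. The script below is an added example and is not code from the original page: both configurations are constructed sample text (the addresses, the ISE1 server name, the VTY-AUTH method list and the ACL names are invented), and the pass/fail rules are one engineer's reading of the checklist, for example treating an absent exec-timeout as the IOS default rather than a failure.

```python
"""Offline audit of a Cisco IOS configuration against the checklist above. Added example, not from the
page: both configs are constructed text (addresses and ACL/list names are invented) and the rules are mine."""
import re

# Constructed sample: a device that fails every check below.
WEAK_CONFIG = """\
service tcp-small-servers
ip http server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 exec-timeout 0 0
 transport input all
"""

# Constructed sample: the same device after the checklist has been applied.
HARDENED_CONFIG = """\
service tcp-keepalives-in
service tcp-keepalives-out
aaa new-model
tacacs server ISE1
 address ipv4 10.0.0.10
 key 0 ExampleTacacsKey
aaa authentication login VTY-AUTH group tacacs+ local
no ip http server
no ip http secure-server
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
ip access-list standard NTP-PEERS
 permit host 10.0.0.20
ntp source Loopback0
ntp access-group peer NTP-PEERS
ntp server 10.0.0.20
snmp-server group MONITOR v3 priv access MGMT-HOSTS
snmp-server user nms MONITOR v3 auth sha S3cretAuth priv aes 128 S3cretPriv
line vty 0 4
 access-class MGMT-HOSTS in
 exec-timeout 10 0
 login authentication VTY-AUTH
 transport input ssh
"""

def parse_config(text):
    """Split an IOS config into top-level lines and the indented sub-lines under each (e.g. line vty)."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks[current] = []
    return top, blocks

def has(lines, pattern):
    """True if any line matches the regex from its start, so 'no ip http server' never matches 'ip http'."""
    return any(re.match(pattern, line) for line in lines)

def audit(text):
    """Return {check name: passed} for the checklist items, in checklist order."""
    top, blocks = parse_config(text)
    vty = [l for hdr, body in blocks.items() if hdr.startswith("line vty") for l in body]
    acls = set(re.findall(r"^(?:ip access-list (?:standard|extended)|access-list) (\S+)", text, re.M))
    f = {}
    # AAA: all four steps must be present; a 'default' login list applies to lines implicitly.
    lists = re.findall(r"^aaa authentication login (\S+)", text, re.M)
    applied = [m.group(1) for m in (re.match(r"login authentication (\S+)", l) for l in vty) if m]
    f["aaa new-model"] = "aaa new-model" in top
    f["aaa server defined"] = has(top, r"(tacacs|radius) server \S+|(tacacs|radius)-server host")
    f["aaa login method list"] = bool(lists)
    f["method list applied to vty"] = "default" in lists or (bool(applied) and all(a in lists for a in applied))
    # Management access. An absent exec-timeout is the IOS default of 10 minutes; only an explicit 0 fails.
    f["vty ssh only"] = has(vty, r"transport input ssh$")
    f["http/https server off"] = not has(top, r"ip http (server|secure-server)$")
    classes = [m.group(1) for m in (re.match(r"access-class (\S+) in", l) for l in vty) if m]
    f["vty access-class uses existing acl"] = bool(classes) and all(a in acls for a in classes)
    f["vty idle timeout not disabled"] = not has(vty, r"exec-timeout 0( 0)?$")
    # Small services are off by default since 12.0, so only an explicit enable fails; keepalives must be explicit.
    f["tcp/udp small-servers off"] = not has(top, r"service (tcp|udp)-small-servers$")
    f["tcp keepalives in and out"] = has(top, r"service tcp-keepalives-in$") and has(top, r"service tcp-keepalives-out$")
    # NTP: client of a configured server, fixed source interface, access-group bound to an ACL that exists.
    f["ntp server configured"] = has(top, r"ntp server \S+")
    f["ntp source interface set"] = has(top, r"ntp source \S+")
    ntp_acls = re.findall(r"^ntp access-group (?:peer|serve|serve-only|query-only) (\S+)", text, re.M)
    f["ntp access-group uses existing acl"] = bool(ntp_acls) and all(a in acls for a in ntp_acls)
    # SNMP: no default strings, a v3 'priv' group (authentication plus encryption), every entry bound to an ACL.
    comm = re.findall(r"^snmp-server community (\S+)(?: view \S+)?(?: R[OW])?(?: (\S+))?$", text, re.M)
    v3 = re.findall(r"^snmp-server group \S+ v3 (\S+)(?:.*access (\S+))?", text, re.M)
    f["no default snmp community"] = all(n.lower() not in ("public", "private") for n, _ in comm)
    f["snmpv3 priv group present"] = any(level == "priv" for level, _ in v3)
    refs = [acl for _, acl in comm] + [acl for _, acl in v3]
    f["snmp access restricted by acl"] = bool(refs) and all(a in acls for a in refs)
    return f

def failed_checks(text):
    return [name for name, ok in audit(text).items() if not ok]
```

Point failed_checks() at the text of a saved running-config: the weak sample fails all sixteen checks, the hardened sample none. The checker deliberately looks only at lines that begin with a command (re.match), because "no ip http server" and "no service tcp-small-servers" contain the same words as the settings they turn off; it also cross-references every access-class, ntp access-group and snmp-server ACL name against the ACLs actually defined, since a dangling ACL reference is a common way for an "applied" restriction to be a no-op.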
• Event logging provides visibility into the operation of a Cisco IOS device and the network into which it is deployed.
• Each log message generated by a Cisco IOS device is assigned a severity level from 0 (emergencies) to 7 (debugging).