© 2007 Cisco Systems, Inc. All rights reserved. Cisco Public

Electronic Access Controls

• Remote access typically involves allowing Telnet or SSH connections to the router.

• Remote access requires that the device have enough networking services enabled to be reachable across the network.

• More to follow.

Cisco IOS

• Cisco issues new IOS versions and upgrades fairly frequently.

• If the IOS is not kept current, the device may be susceptible to information-gathering and network attacks.

• The Cisco Product Security Incident Response Team (PSIRT) creates and maintains publications, commonly referred to as PSIRT Advisories, for security-related issues in Cisco products.

• Security advisories and responses are available at http://www.cisco.com/go/psirt

Cisco – PSIRT

Static Configuration Controls

• Loopback Address

• Banner

• Accounts

• Command Privilege Levels

• Passwords

• Management Ports

• AAA

• Network Services

• NTP

• SNMP

Loopback Address

• Network devices communicate using various control-plane and management protocols, such as OSPF, EIGRP, STP, VTP, SNMP and TACACS+.

• An internal virtual interface called a loopback interface should be defined and designated as the source interface for most traffic generated by the router itself. A loopback does not go down when a physical link fails, so management traffic keeps one stable source address that ACLs on servers and peers can be written against.

Banner

• A login banner should be set up on each operational network device.

Banner from the slide (the delimiter character did not survive extraction; ^ is assumed here, and any character that does not appear in the banner text will do):

banner motd ^
******************Warning! Warning! Warning!***********************
This system is restricted to authorized users for business purposes only.
Unauthorized access is a violation of the law. This service may be
monitored for administrative and security reasons. By proceeding you
consent to this monitoring.
*******************Warning! Warning! Warning!***********************
^

Accounts

• By default, no user accounts are configured.

• Accounts can be established:

•On the device (login local)

•On an AAA server

• Cisco IOS supports the RADIUS and TACACS+ protocols for communicating with an AAA server.

• Using AAA with a security server, access to network devices and network services can be controlled from a centralized location.

Accounts – Audit Steps

• Each administrator should have their own unique login user name for the router.

• The user name is included in log messages, so shared accounts make log entries impossible to attribute to a person.

• Only allow accounts that are required on the router.

• Review the running-config and verify that unique user IDs have been created for administrators and any other users.

• Verify that each account's privilege level is assigned on a need-to-know, least-privilege basis.
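As an added example, not part of the slides and not Cisco's own tooling: a Python script that performs the review the Accounts – Audit Steps slide asks for, and also checks the remote-access, loopback-source and banner controls from the earlier slides, since all of them need the same running-config parser. The running-config it inspects is constructed here for illustration. The command syntax it matches (transport input, ip tacacs source-interface, logging source-interface, ntp source, snmp-server trap-source, username ... privilege ... secret, aaa new-model, login local) is standard IOS; the audit policy (treating names such as admin as likely shared accounts, asking for justification of every privilege-15 account, expecting a loopback source for all four services) is this script's own and should be adjusted to local standards. The parser assumes the banner delimiter appears alone at the end of the banner line, as IOS writes it in a saved configuration.

```python
import re
# Constructed running-config used as audit input (illustrative, not taken from the slides).
SAMPLE_CONFIG = """\
banner motd ^C
This system is restricted to authorized users for business purposes only.
^C
aaa new-model
aaa authentication login default group tacacs+ local
username admin privilege 15 secret 5 <hash>
username backup privilege 15 password 7 <type7>
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
ip tacacs source-interface Loopback0
logging source-interface Loopback0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

def parse_config(text):
    """IOS running-config -> global commands, indented blocks keyed by header, banner bodies."""
    cfg, current, lines = {"global": [], "blocks": {}, "banners": {}}, None, iter(text.splitlines())
    for line in lines:
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace():                           # sub-command of the open block
            if current:
                cfg["blocks"][current].append(line.strip())
            continue
        current = None
        if m := re.match(r"banner (\w+) (\S+)$", line):  # delimiter alone at end of line, as IOS writes it
            body = []
            for body_line in lines:                     # body runs up to the closing delimiter
                if m.group(2) in body_line:
                    break
                body.append(body_line)
            cfg["banners"][m.group(1)] = "\n".join(body)
        elif line.startswith(("line ", "interface ", "router ", "tacacs server ")):
            current, cfg["blocks"][line] = line, []
        else:
            cfg["global"].append(line)
    return cfg

def check_management_access(cfg):
    """Remote-access slide: every vty line should accept SSH only, never Telnet."""
    findings = []
    for header, cmds in cfg["blocks"].items():
        if header.startswith("line vty"):
            tr = [c for c in cmds if c.startswith("transport input")]
            setting = tr[-1] if tr else "unset (platform default may allow Telnet)"
            if setting != "transport input ssh":
                findings.append(f"{header}: {setting}; expected 'transport input ssh'")
    return findings

def check_loopback_source(cfg):
    """Loopback slide: router-generated TACACS, syslog, NTP and SNMP-trap traffic should be sourced from a loopback."""
    loopbacks = [h.split()[1] for h in cfg["blocks"] if h.startswith("interface Loopback")]
    if not loopbacks:
        return ["no loopback interface defined"]
    findings = []
    for src in ("ip tacacs source-interface", "logging source-interface", "ntp source", "snmp-server trap-source"):
        cmd = next((g for g in cfg["global"] if g.startswith(src)), None)
        if cmd is None:
            findings.append(f"'{src}' not set; that traffic will carry the egress interface address")
        elif cmd.split()[-1] not in loopbacks:
            findings.append(f"'{cmd}' does not reference a loopback")
    return findings

def check_banner(cfg):
    """Banner slide: a motd or login banner must exist and state that access is restricted."""
    text = cfg["banners"].get("motd") or cfg["banners"].get("login") or ""
    if not text:
        return ["no motd/login banner configured"]
    return [] if re.search(r"authori[sz]ed", text, re.I) else ["banner does not restrict access to authorized users"]

def check_accounts(cfg):
    """Accounts slides: personal accounts, least privilege, 'secret' not 'password', AAA or 'login local' applied."""
    findings = []
    matches = [re.match(r"username (\S+)(?: privilege (\d+))? (secret|password) ", g) for g in cfg["global"]]
    for m in filter(None, matches):
        name, priv, kind = m.group(1), int(m.group(2) or 1), m.group(3)  # privilege defaults to 1
        if name in {"admin", "cisco", "root", "user", "operator"}:
            findings.append(f"username {name}: generic name, likely shared; each administrator needs a personal account")
        if kind == "password":
            findings.append(f"username {name}: reversible 'password', use 'secret'")
        if priv == 15:
            findings.append(f"username {name}: privilege 15, confirm the role requires full access")
    if "aaa new-model" not in cfg["global"]:            # no AAA: every vty must fall back to the local database
        for header, cmds in cfg["blocks"].items():
            if header.startswith("line vty") and "login local" not in cmds:
                findings.append(f"{header}: neither AAA nor 'login local' configured")
    return findings

def audit(text):
    cfg = parse_config(text)
    return {"management access": check_management_access(cfg), "loopback source": check_loopback_source(cfg),
            "banner": check_banner(cfg), "accounts": check_accounts(cfg)}
```

audit(SAMPLE_CONFIG) returns one list of findings per control, so an empty list means the control passed; on the constructed config it flags the vty range that still permits Telnet, the missing ntp source and snmp-server trap-source commands, the generic admin account, the backup account that uses a reversible type-7 password, and both privilege-15 accounts for review. Feed it the output of show running-config from a real device to audit that device instead.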