Uninor Internal
Copyright
All rights reserved. No part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without prior written permission of Unitech Wireless TamilNadu (P) Ltd. The information contained in this document is confidential and proprietary to Unitech Wireless TamilNadu (P) Ltd. and may not be used or disclosed except as expressly authorized in writing by Unitech Wireless TamilNadu (P) Ltd.

Trademarks
Other product names mentioned in this document may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.
Table of Contents
Introduction
Use of the Document
WARNING
Purpose
General Security Controls
Control Categories
Detailed security controls
Introduction
This document assists the operations team in deploying a minimum baseline security configuration on the node. The configuration standard details many important items such as user account management, password management, interfaces, ports, audit logging, monitoring and node-specific security configuration. However, because operating system security issues and configurations change constantly, this document should be considered a general guideline and starting point.
Use of the Document
The MBSS document is for INTERNAL USE ONLY. It should be kept within the organization and treated as Uninor Internal as per the Information Classification Guidelines in the Uninor Information Security Policy ver 3.0. It is not to be distributed to Original Equipment Manufacturers and/or Managed Service Partners.
WARNING
This MBSS document and the accompanying guidance material are technically complex and are designed for use by trained security specialists performing the work under the direction of either a security partner or manager. Operations teams wishing to have these services performed for an organization should contact the designated security support staff within their office or territory. Partners or managers should ensure that staff assigned to perform the work have the necessary technical training and the appropriate technical reference materials and specialist support. Staff should therefore obtain partner approval before using this material.
Purpose
This MBSS document relates to Cisco routers. It is intended for use by technical security practitioners implementing the minimum General Security Controls. A technical environment is comprised of a number of inter-related elements, including: Applications; Databases; Communications infrastructure elements; and Hardware.
The primary focus of this technical practice aid is to provide a minimum baseline security standard for Cisco routers, covering the properties, features and operating system of the respective product.
General Security Controls
General Security Controls work requires the examination of both technology-specific and technology-independent controls. For example, configuration parameter, program and data file security controls will normally be specific to the underlying technical environment, whereas security process review controls will largely be independent of the technical environment in use. Often it is a combination of these two types of controls that provides the most robust approach to implementing an effective control environment. For example, while a number of technology-specific auditing controls can be implemented, unless a procedure exists for reviewing and acting upon the logged information, the technical control is ineffective. To complete a comprehensive general security controls review, in addition to the MBSS document the operations team will require an understanding of the following platform-independent areas: Uninor Information Security policy and procedures; Change and Problem Management; Incident Management; System Development; Disaster Recovery and Contingency Planning; and Physical Security.
Control Categories
The following control categories are included in the MBSS document.
Control Category 1: User Accounts and Groups. A control that restricts user access to the platform; this includes account permissions, sensitive system user interfaces, and related items.
Control Category 2: Password Management. A control that must be enabled/implemented to ensure that only true and authorized users gain access to a system; this includes password complexity, aging, account locking and similar parameters.
Control Category 3: Interface, Ports and Services. A control that must be performed either manually or automatically on a regular basis to disable or delete unused ports and services and to restrict services that transfer data in clear text.
Control Category 4: System Updates. A control that must be performed either manually or automatically on a regular basis. This includes any procedure that a security administrator or system administrator would continually or periodically perform, such as installation of hot fixes, security patches, etc.
Control Category 5: File Access Control. A control that restricts access to critical configuration files, operating systems, etc.
Control Category 6: Audit Logging and Monitoring. Any control that assists in, or performs, system event logging or the monitoring of the security of the system.
Control Category 7: Node Properties and Feature Configurations. A control that must be enabled/implemented via a system-level parameter, or upon installation of the node/device, that affects the technology at an overall system level; this includes network services enabling/disabling, boot sequence parameters, system interfaces, etc.
Detailed security controls:
Each control below is recorded against the columns of the MBSS table: SN, Control Area, Control Description, Control Objective/Rationale, Implementation Guidance, Mitigating Control (if any) and Implementation Status. Columns left blank for a control are not shown.
1. User Accounts and Groups

1.1 Unique Individual users
Control Description: Each user should be assigned a separate user ID for router authentication, in accordance with the Uninor Information Security Policy.
Control Objective/Rationale: Generic (shared) accounts provide no accountability for actions taken using the account. This could result in abuse of access and potential malfunction of the network.

1.2 Privileged accounts
Control Description: User IDs that disclose the privileges associated with them should not be created (for example ADMINISTRATOR, monitor, config, etc.).
Control Objective/Rationale: If the default login account is used, it becomes very easy to use a brute-force cracking utility to obtain the password. Having to guess a username/password pair makes brute-force techniques harder, though not impossible. Knowing the name of an account on a machine is valuable information to an attacker. Enforcing this control makes it more difficult for unauthorized users to guess accounts such as ADMINISTRATOR, monitor and config, and ultimately to gain access to the system.
1.3
Control Description: Factory default user accounts and guest user accounts on routers must be removed.
Control Objective/Rationale: Disabling the factory default user accounts prevents unknown users from being authenticated. Disabling these accounts reduces the system's remote unauthenticated attack surface and ensures that only specific security principals can access resources on the system.

1.4 Dormant Accounts
Control Description: Dormant user accounts should be deactivated after the number of days specified in the Uninor Information Security Policy guidelines for inactive accounts.
Control Objective/Rationale: Dormant user accounts increase the risk that unauthorized users could use these accounts to gain access to the system.

2. Password Management

2.1 Password levels
Control Description: Strong system passwords should be used for the EXEC and PRIV EXEC levels. All routers in the environment should require
Control Objective/Rationale: If a weak password is used, unauthorized users may be able to guess the router's password and obtain access to the router.

2.2 Password Encryption
Control Description: CON, VTY and AUX passwords are to be encrypted in the configuration file.
Control Objective/Rationale: If passwords are not encrypted they are visible in clear text in the router configuration file. Note that the IOS service password-encryption feature produces "type 7" strings, which are reversible by a publicly known algorithm; it protects only against casual viewing of the configuration, so enable and user credentials should be stored as hashed secrets (enable secret, username ... secret) rather than as type 7 passwords.

2.3 Encryption Algorithm
Control Description: Passwords should be protected using an encryption algorithm.
Control Objective/Rationale: Weak passwords increase the risk that unauthorized individuals may compromise the router and that sensitive network information may be revealed.

2.4
Control Description: The administrative password should be protected using an encryption algorithm in accordance with the Uninor Information Security Policy.
Control Objective/Rationale: Weak password encryption increases the risk that unauthorized individuals may compromise the router and that sensitive network information may be revealed.

2.5 Default Passwords
Control Description: Default passwords on the router should be changed upon installation. In addition, these passwords should be complex and conform to the Uninor Security Policy.
Control Objective/Rationale: Application default passwords are widely known and are typically the initial targets for attacks. The risk that unauthorized access will be obtained is increased if these passwords are not changed.
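Controls 2.1 to 2.5 call for passwords to be "encrypted" in the configuration without saying what the IOS feature actually provides. The script below is an added example (it is not part of the MBSS document and not a Cisco tool): it walks a constructed running-config, reverses every type 7 string using the published Cisco type 7 XOR key to show why that format is obfuscation rather than encryption, and flags each credential line that should be stored as a hashed secret instead. The two sample configurations, the host name and the type 5/type 9 digests are placeholders; the type 7 value used is the well-known encoding of the string "cisco".

```python
"""Audit password storage in a Cisco IOS running-config (added example; constructed input)."""
import re
from typing import List, Tuple

# Published XOR key behind IOS "type 7" passwords (service password-encryption).
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
_TYPE7_RE = re.compile(r"\d\d(?:[0-9A-Fa-f]{2})+")
# "password 7 XXXX", "password clear", "secret 5 $1$...", "secret 9 $9$..." anywhere in a line.
_PW_RE = re.compile(r"\b(password|secret)\s+(?:(\d+)\s+)?(\S+)")


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string: a two-digit key offset, then one hex byte per character."""
    if not _TYPE7_RE.fullmatch(encoded):
        raise ValueError(f"not a type 7 string: {encoded!r}")
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]) for i, b in enumerate(body))


def audit_passwords(config: str) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs for every weakly stored credential."""
    findings = []
    lines = [ln.rstrip() for ln in config.splitlines()]
    if "service password-encryption" not in lines:
        findings.append(("LOW", "service password-encryption not set: remaining clear-text "
                                "passwords display as typed in 'show running-config'"))
    for ln in lines:
        s = ln.strip()
        m = None if s.startswith("!") else _PW_RE.search(s)
        if not m:
            continue
        kind, ptype, value = m.groups()
        if kind == "password" and ptype == "7":
            try:
                recovered = type7_decode(value)
            except ValueError:
                recovered = "<malformed>"
            findings.append(("HIGH", f"{s}: type 7 is reversible, recovered {recovered!r}; "
                                     "store it with 'secret' instead"))
        elif kind == "password":
            findings.append(("HIGH", f"{s}: clear-text password; use 'secret' instead"))
        elif kind == "secret" and ptype == "5":
            findings.append(("MEDIUM", f"{s}: MD5 (type 5) hash; prefer 'algorithm-type scrypt' "
                                       "(type 9) where the IOS release supports it"))
    return findings


# Constructed samples, not real device configurations. The type 7 value is the well-known
# encoding of "cisco"; the type 5 and type 9 digests are placeholder strings.
WEAK_CONFIG = """\
hostname lab-rtr
enable password 7 094F471A1A0A
username netops privilege 15 password 7 094F471A1A0A
username auditor secret 5 $1$h4sh$placeholdermd5digest0000
line con 0
 password 7 094F471A1A0A
 login
line vty 0 4
 password clearvty
 login
"""

HARDENED_CONFIG = """\
hostname lab-rtr
service password-encryption
enable secret 9 $9$placeholderscryptdigest000000000000000000000
username netops privilege 15 secret 9 $9$placeholderscryptdigest000000000000000000000
username auditor secret 9 $9$placeholderscryptdigest000000000000000000000
line con 0
 login local
line vty 0 4
 login local
"""

if __name__ == "__main__":
    for sev, msg in audit_passwords(WEAK_CONFIG):
        print(sev, msg)
```

Running the audit against WEAK_CONFIG recovers "cisco" from all three type 7 lines and reports the clear-text vty password; HARDENED_CONFIG produces no findings because every credential is a type 9 secret and the line passwords have been replaced by local login.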
2.6
Control Description: The account lockout feature, which disables an account after a number of failed login attempts, should be enabled and the related parameters set in accordance with the Uninor security policy and guidelines.
Control Objective/Rationale: Unauthorized users may gain access to a system by running a program that guesses user passwords through brute-force attacks. Without the lockout feature enabled, the chance of successful compromise of system resources through brute-force password guessing increases.

3. Interface, Ports and Services

3.1 Cisco hardware Services
Control Description: Mission-critical routers should utilize hardware support programs.
Control Objective/Rationale: Support programs can provide immediate assistance in case of a hardware disaster. For example, in case of a fire, an emergency router may need to be shipped to the premises. Cisco IOS and hardware offer advanced fail-over capabilities in case of hardware or software failure. Mission-critical routers (typically core routers) may be good candidates to take advantage of the Cisco fail-over capabilities.

3.2
Control Description: Disable unauthorized services/daemons on the router based on the Uninor Information Security Policy.
Control Objective/Rationale: Unauthorized services/daemons allow unauthenticated access to a system and let users transfer files, interfere with the system's functioning, etc.

3.3 System Services
Control Description: Identify the authorized services running on the device via vulnerability assessment and disable unauthorized services. Only those services that serve a documented operational or business need should be listening on the node.
Control Objective/Rationale: A system with services such as FTP enabled can be used as a depot for the unauthorized transfer of information. A system with Telnet enabled can be used to run a spurious process, adding dead weight to the processor load. Telnet, FTP and TFTP also carry credentials and file contents in clear text, so where a copy service is needed SCP over SSH is preferable, and any TFTP server should be reachable only from the management network.
Implementation Status: The services considered for this point are FTP, TELNET, HTTP and TFTP. TFTP is allowed for config/firmware copy. If TELNET is required, an exception should be raised for it.
4. System Updates
4.1
Control Description: Routers should be running a recent version of Cisco IOS and all appropriate patches should be applied.
Control Objective/Rationale: Patches are released to correct known problems with the system and may include fixes for technical security vulnerabilities and weaknesses that could lead to the compromise of access to the system. If an operating system is not kept current, the device may be susceptible to information gathering and network attacks. Attackers find weaknesses in versions of an operating system over time, and new security features are added in each new version.
Implementation Status: IOS upgrade is only done if a new feature needs to be added or if recommended by Wipro Escare/Cisco TAC. We also do not have a test pad. The network team will keep track of these upgrades, which will be shared as an artifact with the auditor if required.

4.2 Vulnerability Check
Control Description: Before deploying the device into the production environment, as well as on a regular basis post deployment, the device must be
Control Objective/Rationale: The device should be scanned with a vulnerability scanner. Most vendors have their major known vulnerabilities detailed on their websites. Any vulnerability identified should be closed immediately by upgrades/patches or vendor-detailed recommendations. Patches should be deployed in accordance with the Uninor Patch Management Procedure.

5. File Access Control

5.1 Restrict file access
Control Description: All network file servers containing router configuration files should be properly restricted.
Control Objective/Rationale: If configuration files are downloaded from servers via TFTP, anyone who can access the network file server can modify the router configuration file.

5.2 Configuration backup
Control Description: Perform backups of the running configuration to the router's Flash/NVRAM memory. Fault tolerance, backup, and recovery procedures should be documented in accordance with the Uninor Information Security Policy.
Control Objective/Rationale: Fault tolerance, backup, and recovery procedures promote network availability and recoverability. Without such procedures, unexpected downtime could have a severe impact on the business. Create fault tolerance, backup, and recovery procedures in accordance with the Uninor Information Security Policy.
5.3
Control Description: Access (read/write/modify) to sensitive router configuration files should be restricted from unauthorized personnel.
Control Objective/Rationale: Unrestricted access may let unauthorized users modify or delete sensitive system and configuration files, which may further lead to unstable performance of the Cisco router.

5.4 Legal notice banner
Control Description: A legal notice and warning banner should be implemented in order to provide adequate protection and awareness of legal issues.
Control Objective/Rationale: Displaying a legal warning ensures that users are aware of the consequences of unauthorized access and assists in conveying the protection of corporate assets.
Implementation Guidance: Configure the Uninor-authorized login banner on the router as specified in the Uninor Information Security Policy.

6. Audit, Logging and Monitoring
6.1
Control Description: Policies and procedures should exist to review audit logs.
Control Objective/Rationale: Proper policies for reviewing router security logs and activity are crucial for preventing and monitoring unauthorized access to the networking environment.
Implementation Status: User access to devices is configured through TACACS and logs are maintained. For logging of other parameters, a feasibility check for integration with the SIEM tool at the appropriate logging level needs to be done. Need to check with the Tools team; owner is Neeraj Raina.

6.2
Control Description: Wherever possible, SNMPv3 should be deployed to provide enhanced authentication and data encryption. SNMPv2c should be used if SNMPv3 is not a supported feature on the Cisco device. The following devices support SNMPv3: Cisco 700 series; Cisco 1000 series; Cisco 1600 series; Cisco 2500 series; Cisco 2500 series access servers; Cisco 3600 series; Cisco 3800 series; Cisco 4000 series; Cisco 4500 series; Cisco AS5100 access server; Cisco AS5200 universal access server; Cisco AS5300 access server; Cisco 7000 series; Cisco 7200 series; Cisco 7500 series.
Control Objective/Rationale: SNMPv3 supports authentication of messages (HMAC-MD5 or HMAC-SHA) and encryption of their contents (DES; AES on later IOS releases). This helps protect sensitive system information from traversing the network in the clear. SNMPv2c and SNMPv3 also take advantage of GET BULK transactions, in which multiple pieces of information can be queried and retrieved without having to make additional requests. SNMPv2c offers neither authentication nor encryption: its community string travels in clear text and is the only credential, so where it must be used the string should be read-only and restricted by access list (see 6.6). This control is for routers connected to untrusted networks.

6.3
Control Description: Routers should log system events such as interface status changes, changes to the system configuration, and
Control Objective/Rationale: If logging is not enabled for system events, there is an increased risk that unauthorized access to the router will go undetected. Additionally, there will be no ability to identify the
Implementation Status: User access to devices is configured through TACACS and logs are maintained. For logging of other parameters, a feasibility check for integration with the SIEM tool at the appropriate logging level needs to be done. Need to check with the SIEM team.
6.4
Control Description: Log messages generated through AAA or syslog should be archived for at least 6 months or as required by corporate standards.
Control Objective/Rationale: Audit logs must be maintained and kept for legal and audit purposes. Removal of these logs could expose the company to unnecessary liability and weaken its position in litigation.

6.5
Control Description: Logging should be sent to a central syslog server to consolidate log entries and act as an archival mechanism. This should be done to complement
Control Objective/Rationale: A central logging server can act as a central repository for log messages. Without this, log messages may be lost in the event the router is disabled by technical glitches or a directed attack; the router's own logging buffer is held in memory and is lost on reload. Syslog over UDP is neither authenticated nor acknowledged, so the collector should sit on the management network and the router should use a synchronized clock (see 7.6) so that entries from different devices can be correlated.
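Controls 6.1 to 6.5 require that logs be centralised and reviewed, but leave the review itself to procedure. The detector below is an added example (not part of the MBSS document, and not from any SIEM product) of the kind of rule a central syslog server would run over router messages: it parses the IOS message format (%FACILITY-SEVERITY-MNEMONIC) and raises alerts for a burst of failed logins from one source, a login that succeeds after such a burst, configuration changes, link-down events and access-list denies. The log lines, host name and addresses are constructed for the example (documentation address ranges), and the year is fixed because the syslog header carries none.

```python
"""Detection rules over Cisco IOS syslog received by a central collector (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Iterable, List, Optional, Tuple

# Collector header ("Mon dd hh:mm:ss host"), the router's own sequence number and
# timestamp, then the IOS message: %FACILITY-SEVERITY-MNEMONIC: text
_LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+.*?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")
_FIELD_RE = re.compile(r"\[(\w+): ([^\]]+)\]")   # the [user: x] [Source: y] pairs of SEC_LOGIN
SAMPLE_YEAR = 2014                                # syslog headers carry no year; fixed for the sample


def parse_line(line: str) -> Optional[dict]:
    m = _LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{ev['mon']} {ev['day']} {ev['time']} {SAMPLE_YEAR}",
                                 "%b %d %H:%M:%S %Y")
    ev["sev"] = int(ev["sev"])
    ev["fields"] = dict(_FIELD_RE.findall(ev["text"]))
    return ev


def detect(lines: Iterable[str], threshold: int = 3, window_s: int = 60) -> List[Tuple[str, str, str]]:
    """Return (rule, subject, detail) alerts. A brute-force alert fires when one source
    reaches `threshold` failed logins inside a sliding window of `window_s` seconds."""
    alerts: List[Tuple[str, str, str]] = []
    failures: dict = defaultdict(deque)      # source address -> timestamps of recent failures
    for ev in filter(None, map(parse_line, lines)):
        mn, text, host = ev["mnemonic"], ev["text"], ev["host"]
        src = ev["fields"].get("Source", "unknown")
        if mn == "LOGIN_FAILED":
            q = failures[src]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) == threshold:
                alerts.append(("BRUTE_FORCE", src, f"{threshold} failed logins within {window_s}s on {host}"))
        elif mn == "LOGIN_SUCCESS" and len(failures.get(src, ())) >= threshold:
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", src, text))
        elif mn == "CONFIG_I":               # every config change: correlate with a change ticket
            alerts.append(("CONFIG_CHANGE", host, text))
        elif mn == "UPDOWN" and text.endswith("to down"):
            alerts.append(("LINK_DOWN", host, text))
        elif mn.startswith("IPACCESSLOG") and " denied " in text:
            alerts.append(("ACL_DENY", host, text))
        elif ev["sev"] <= 2:                 # emergency/alert/critical from any facility
            alerts.append(("CRITICAL", host, f"%{ev['facility']}-{ev['sev']}-{mn}: {text}"))
    return alerts


# Constructed sample of what a collector receives; addresses are documentation ranges.
SAMPLE_SYSLOG = """\
Jan  6 10:21:03 lab-rtr 101: Jan  6 10:21:03.111 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 10:21:03 UTC Mon Jan 6 2014
Jan  6 10:21:09 lab-rtr 102: Jan  6 10:21:09.214 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 10:21:09 UTC Mon Jan 6 2014
Jan  6 10:21:15 lab-rtr 103: Jan  6 10:21:15.002 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 10:21:15 UTC Mon Jan 6 2014
Jan  6 10:21:20 lab-rtr 104: Jan  6 10:21:20.940 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.9] [localport: 22] at 10:21:20 UTC Mon Jan 6 2014
Jan  6 10:22:40 lab-rtr 105: Jan  6 10:22:40.500 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: netops] [Source: 10.1.1.5] [localport: 22] [Reason: Login Authentication Failed] at 10:22:40 UTC Mon Jan 6 2014
Jan  6 10:22:47 lab-rtr 106: Jan  6 10:22:47.120 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.1.1.5] [localport: 22] at 10:22:47 UTC Mon Jan 6 2014
Jan  6 10:25:02 lab-rtr 107: Jan  6 10:25:02.333 UTC: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.1.1.5)
Jan  6 10:30:11 lab-rtr 108: Jan  6 10:30:11.000 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Jan  6 10:31:00 lab-rtr 109: Jan  6 10:31:00.040 UTC: %SEC-6-IPACCESSLOGP: list EXT-IN denied tcp 203.0.113.9(51234) -> 198.51.100.1(23), 1 packet
"""

if __name__ == "__main__":
    for rule, subject, detail in detect(SAMPLE_SYSLOG.splitlines()):
        print(f"{rule:26} {subject:14} {detail}")
```

The single typo by netops from 10.1.1.5 never reaches the threshold, so only the three-attempt burst from 203.0.113.9 (and the success that follows it) is alerted; the window is evaluated on the collector's receive time, which is the right choice when the router's own clock is the thing under suspicion.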
6.6
Control Description: All routers being monitored via SNMP should have non-default SNMP community strings. Routers not being monitored via SNMP should have SNMP disabled. In addition, only specific management stations should be allowed to poll the device through SNMP.
Control Objective/Rationale: Read-only and read-write SNMP access to a Cisco router can allow an intruder to gain unauthorized access to the router. Default SNMP strings such as public and private, or read and write, are easily guessed by potential intruders. Access lists reduce the chance of unauthorized hosts making queries to the SNMP agent. Note that a read-write community string is equivalent to configuration access to the router and should be avoided wherever a read-only string suffices.

6.7
Control Description: All routers in the environment should require user login for terminal access (terminal line
Control Objective/Rationale: By default, access to these ports is not password protected. If the login directive is not given in the Cisco configuration, anyone with network visibility to the router can gain command prompt access.

6.8
Control Objective/Rationale: Modems represent a potential point of access for unauthorized users. Discovering a modem can be done easily if the phone number lies within a prefix normally associated with the corporate voice numbers. If a password is not required to access this device over dial-up, it could lead to the disclosure of sensitive network information and the compromise of additional devices.

6.9
Control Description: Console access must be protected using adequate controls such as strong passwords.
Control Objective/Rationale: Any method used to access the console port of a device must be secured in a manner equal to the security enforced for privileged access to the device. A Cisco device's console port is the most important port on the device. Password recovery on the device can only be done using the console port, so Cisco devices are vulnerable if there is physical access to them. If someone accesses the console port of the router remotely (for example through a terminal server), an additional layer of security should be applied by prompting the user for a password.

6.10
Control Description: If applicable, reserve memory for console access to ensure access for administrative and troubleshooting purposes.
Control Objective/Rationale: The Reserve Memory for Console Access feature can be used to reserve enough memory to ensure console access to a Cisco IOS device for administrative and troubleshooting purposes. This feature is especially beneficial when the device runs low on memory. The memory reserve console global configuration command can be used to enable this feature.

6.11
Control Objective/Rationale: The auxiliary port's primary purpose is to provide remote administration capability. It can allow a remote administrator to use a modem to dial into the Cisco device. The aux port should be disabled if there is no business need for it. Any specific business requirement for enabling it should be properly documented. Additionally, if the auxiliary port is required for remote administration, the callback feature should be configured to dial a specific preconfigured telephone number for additional security.

7. Node properties and feature configurations

7.1 System Configuration
Control Description: Access lists should prevent IP spoofing attacks.
Control Objective/Rationale: If IP spoofing is allowed, it is possible that unauthorized traffic may bypass access control lists on the router by claiming that the traffic came from the internal network.

7.2 System Configuration
Control Description: Routers should use access lists to restrict which hosts can access remote terminal sessions.
Control Objective/Rationale: Allowing anyone on the network access to the login prompt increases the risk of unauthorized access to the router.

7.3 System Configuration
Control Description: Where appropriate, Cisco access lists should be used to filter inbound and outbound traffic.
Control Objective/Rationale: By only allowing a subset of network traffic to enter or exit business-critical networks, security risks can be greatly reduced. For example, if the majority of a corporation only needs access to the HTTP port on a particular machine, access lists can be used to restrict all traffic except HTTP to that machine, minimizing the opportunities for attack. It is important to note, however, that access lists can have a performance impact on software-forwarded platforms. While the impact is typically negligible on border routers, enabling access lists on core routers should be carefully reviewed for performance impact before proceeding.
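Controls 2.6, 3.3, 5.4, 6.2, 6.5 to 6.7, 6.11, 7.2 and 7.7 (and, later in this section, 7.9 and 7.24) are each a line or two of configuration; the usual failure is not that one is missing on day one but that nobody re-checks. The script below is an added example (not part of the MBSS document and not Cisco tooling) of an automated management-plane check: it splits a running-config into top-level commands and their indented children, then tests those controls against a constructed weak configuration and its hardened counterpart. Control numbers in the findings refer to this document. The addresses, ACL number and SNMPv3 group name are placeholders, and because the transports a vty line accepts when no transport input is configured differ between IOS releases, the check treats an absent line as unpinned rather than assuming a default.

```python
"""Management-plane checks over a Cisco IOS running-config (added example; constructed input)."""
import re
from typing import Dict, List, Tuple

DEFAULT_COMMUNITIES = {"public", "private", "read", "write", "cisco"}


def parse_ios(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Top-level commands, plus each parent command mapped to its indented child lines."""
    top, sections, parent = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            parent = None
        elif not raw.startswith(" "):
            parent = raw.rstrip()
            top.append(parent)
            sections[parent] = sections.get(parent, [])
        elif parent is not None:
            sections[parent].append(raw.strip())
    return top, sections


def audit(config: str) -> List[Tuple[str, str, str]]:
    """Return (severity, MBSS control number, message) findings."""
    top, sections = parse_ios(config)
    findings = []

    def forbid(prefix, sev, ctl, msg):   # global command that must not be present
        findings.extend((sev, ctl, f"{msg}: {l}") for l in top if l.startswith(prefix))

    def require(pred, sev, ctl, msg):    # global command that must be present
        if not any(pred(l) for l in top):
            findings.append((sev, ctl, msg))

    forbid("ip http server", "HIGH", "3.3", "HTTP management enabled")
    forbid("service tcp-small-servers", "MEDIUM", "7.9", "TCP small servers enabled")
    forbid("ip finger", "MEDIUM", "7.24", "finger service enabled")
    require(lambda l: l == "aaa new-model", "MEDIUM", "7.7", "AAA not enabled")
    require(lambda l: l == "ip ssh version 2", "MEDIUM", "3.3", "SSH not pinned to version 2")
    require(lambda l: l.startswith("login block-for"), "MEDIUM", "2.6", "no login lockout against brute force")
    require(lambda l: l.startswith("banner login"), "LOW", "5.4", "no login banner")
    require(lambda l: re.match(r"logging (host |\d+\.)", l), "MEDIUM", "6.5", "no central syslog server")

    for l in top:
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?", l)
        if not m:
            continue
        name, mode, acl = m.groups()
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(("HIGH", "6.6", f"default/guessable SNMP community: {l}"))
        if mode == "RW":
            findings.append(("MEDIUM", "6.6", f"read-write SNMP community (configuration access): {l}"))
        if acl is None:
            findings.append(("MEDIUM", "6.6", f"SNMP community without access-list: {l}"))
    if any(l.startswith("snmp-server community") for l in top) and not any(" v3 " in l for l in top):
        findings.append(("LOW", "6.2", "SNMPv1/v2c only: community strings cross the network in clear text"))

    aaa = "aaa new-model" in top         # with AAA, 'login authentication' is implied on every line
    for hdr, body in sections.items():
        if not hdr.startswith("line "):
            continue
        disabled = "no exec" in body
        if hdr.startswith("line vty"):
            ti = next((b for b in body if b.startswith("transport input")), None)
            if ti != "transport input ssh":   # absent = unpinned; the release default varies
                findings.append(("HIGH", "6.7", f"{hdr}: {ti or 'no transport input'}; set 'transport input ssh'"))
            if not any(b.startswith("access-class") for b in body):
                findings.append(("HIGH", "7.2", f"{hdr}: no access-class restricting management hosts"))
        if hdr.startswith("line aux") and not disabled and "transport input none" not in body:
            findings.append(("MEDIUM", "6.11", f"{hdr}: auxiliary port not disabled"))
        if not disabled and not aaa and not any(b.startswith("login") for b in body):
            findings.append(("HIGH", "6.7", f"{hdr}: no login required"))
    return findings


# Constructed samples, not real device configurations; addresses and ACL numbers are placeholders.
WEAK = """\
ip http server
snmp-server community public RO
snmp-server community private RW
logging 10.1.2.3
line aux 0
 login
line vty 0 4
 login
 transport input telnet
"""

HARDENED = """\
aaa new-model
no ip http server
ip ssh version 2
login block-for 120 attempts 3 within 60
banner login ^CAuthorised access only. Activity is monitored.^C
logging host 10.1.2.3
snmp-server group NMS v3 priv access 10
line aux 0
 no exec
line vty 0 4
 access-class 10 in
 transport input ssh
"""
```

Against WEAK the audit reports five HIGH findings (the HTTP server, both default community strings, telnet on the vty lines and the missing access-class) plus the MEDIUM and LOW items; HARDENED produces none. The SNMPv3 user that goes with the group is deliberately absent from the sample because IOS does not display snmp-server user lines in the running configuration, so a real check would verify it with show snmp user instead.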
7.4 System Configuration
Control Description: Remote access routers should use CHAP authentication for PPP connections.
Control Objective/Rationale: If CHAP is not used, an eavesdropper could obtain remote access authentication information through wiretapping. CHAP performs a challenge/response exchange before full PPP encapsulation is initiated: the peer returns an MD5 hash of the challenge and the shared secret, so the secret itself never crosses the link (unlike PAP, which sends the password in clear text). A captured challenge/response pair can still be attacked offline, so the CHAP secret must be strong.
7.5
Control Description: Route authentication should be used in environments utilizing protocols such as RIPv2, OSPF, BGP and EIGRP.
Control Objective/Rationale: If a router receives a fraudulent update, it could be tricked into forwarding traffic to the wrong destination. This could cause sensitive data to be exposed or network communications to be interrupted. The keyed-hash (MD5) form of authentication should be used; the plain-text password option that OSPF and RIPv2 also offer provides no protection against anyone who can capture the updates.

7.6 System Configuration
Control Description: The Network Time Protocol (NTP) should be used and enabled with authentication. Additionally, specific NTP hosts should be configured for the router to synchronize to.
Control Objective/Rationale: NTP provides administrators with the ability to request time synchronization using a key as authentication. This lowers the risk of an intruder corrupting the devices' internal clocks, which would in turn corrupt log timestamps and weaken forensic capabilities. Synchronized time makes it possible to associate syslog and Cisco IOS debug output with specific events across multiple devices. Configure NTP only on required interfaces, and configure NTP to listen only to certain specified peers. If the NTP service is not enabled, there may be no clock synchronization between networking devices, and the consistent time essential for diagnostics, security alerts and log data would not be maintained. Also, if configured insecurely, NTP could be used to corrupt the clocks of the network devices. To prevent this, restrict which devices have access to NTP.

7.7 System Configuration
Control Description: Where possible, access to the router should be governed by AAA authentication and authorization.
Control Objective/Rationale: AAA (Authentication, Authorization, and Accounting) provides for more granular levels of accounting and access privileges. These can be helpful in complex environments where resources are being accessed by different users in multiple ways.

7.8 System Configuration
Control Description: Access lists should log activity not explicitly allowed in the access list.
Control Objective/Rationale: Logging can be applied to any access list entry; however, logging on the entry that denies all traffic can be used to examine unwarranted attempts to access the network.

7.9 System Configuration
Control Description: TCP and UDP small services should be disabled.
Control Objective/Rationale: The small servers (echo, discard, chargen and daytime) run by default on Cisco routers through IOS version 11.3 and are intended for diagnostics. However, these services are typically not used and can be exploited for denial-of-service (DoS) attacks.
7.10
Control Description: The Maintenance Operation Protocol (MOP) should be disabled.
Control Objective/Rationale: Unauthorized users can use MOP to manage the routers. The protocol has minimal built-in security.

7.11
Control Description: IP Directed Broadcasts should be disabled.
Control Objective/Rationale: IP directed broadcasts allow a host on one LAN segment to send a broadcast message to a separate LAN segment. IP directed broadcasts are commonly used in denial-of-service attacks, where a single spoofed packet is amplified into a reply from every host on the target segment.

7.12
Control Description: Route caching should be disabled.
Control Objective/Rationale: Cached addresses may be utilized to bypass current routing tables and ACLs. Note that disabling route caching forces the router into process switching, which degrades throughput on busy devices; with CEF enabled, access lists are enforced on the hardware or CEF forwarding path, so this control should be reviewed against the platform's switching mode before it is applied.

7.13
Control Description: IP Unreachable messages should be disabled.
Control Objective/Rationale: If enabled, this feature can aid an attacker in mapping network topologies and architectures.

7.14
Control Description: Proxy ARP should be disabled.
Control Objective/Rationale: Address Resolution Protocol (ARP) is used to translate network addresses into media addresses. These translations are generally restricted to local area network segments, which enforces separation between LAN segments. Proxy ARP allows a Cisco device to act as an intermediary for ARP requests, responding to inquiries on behalf of hosts on other segments. This creates transparent access between multiple LAN segments and can lead to a security compromise.

7.15 System Configuration
Control Objective/Rationale: Administrators can use the ip alias command to assign multiple IP addresses to the router. For example, in addition to the primary alias address, addresses can be specified that correspond to lines or rotary groups. Using the ip alias command in this way makes the process of connecting to a specific rotary group transparent to the user. If the ip alias command is enabled on Cisco products, TCP connections to any destination port are considered valid connections.

7.16 System Configuration
Control Description: Illegal UDP packets should not be allowed to be sent to the syslog port.
Control Objective/Rationale: If not securely configured, illegal UDP packets may be sent to the syslog port, causing a denial of service on the router.
7.17
Control Objective/Rationale: IP source routing is a feature that allows individual IP data packets to specify their own route. If IP source routing is enabled, the router merely acts as a store-and-forward device: when it receives a data packet, it simply forwards it on to the next hop the packet specifies, regardless of its own routing table. This feature is rarely used and can be helpful in attacks, since it lets an attacker steer packets around the expected path and its filters.

7.18 System Configuration
Control Description: CDP (Cisco Discovery Protocol) should be disabled on all external interfaces.
Control Objective/Rationale: CDP is typically not needed in production and gives anyone on the connected segment a means of obtaining information on the router's IOS version, hardware, addressing and other network-related details.
Implementation Status: We require CDP for troubleshooting purposes. An exception can be raised if required (network team).

7.19 System Configuration
Control Description: Passive interfaces should be used to prevent interfaces from sending routing updates.
Control Objective/Rationale: OSPF routing updates sent by a router may advertise internal network topologies to untrusted third parties connected to that router. Interfaces that routinely advertise routing information may also impede network efficiency, especially if neighboring routers are using other routing protocols or static routes.

7.20
Control Description: IPsec should be implemented where sensitive data traverses untrusted or semi-trusted internal networks.
Control Objective/Rationale: Sensitive information may be the target of sniffing attacks by intruders. If transactions containing highly confidential information are not encrypted, they may be vulnerable to sniffing. Hash algorithms help mitigate a loss of data integrity should the data be manipulated in transit.

7.21 System Configuration
Control Description: Configurations should be implemented to reduce the likelihood of a TCP SYN attack.
Control Objective/Rationale: TCP SYN attacks are used to fill router queues, degrading performance and potentially creating a denial of service.

7.22 System Configuration
Control Description: IP Redirects should be disabled.
Control Objective/Rationale: In a properly functioning network, a router will send ICMP redirects only to hosts on its own local subnets, no end node will ever send a redirect, and no redirect will ever traverse more than one network hop. An attacker may use the redirect mechanism to violate these rules and dictate a false path. This can also help an attacker map the physical topology of the targeted network.
7.23 System Configuration
Control Description: Where necessary, border routers should utilize Network Address Translation (NAT) to protect the IP addresses of the internal network.
Control Objective/Rationale: Generally applied to routers connecting networks to the Internet, NAT provides an additional level of obscurity when combined with the private, non-Internet-routable address ranges of RFC 1918. Without NAT, client networks are exposed to an increased danger of unauthorized traffic, which may allow external sources to target and gain information about the network. NAT is not a substitute for filtering: inbound traffic must still be controlled by access lists (see 7.3), since address translation by itself neither authenticates nor restricts what is forwarded.
7.24
Control Objective/Rationale: The finger service is a user lookup service that can be used by attackers to enumerate user account information.

7.25
Control Objective/Rationale: Newer versions of Cisco IOS support web-based router administration via the HTTP protocol. An attacker can launch focused web-based attacks over ports 80 and 443. For example, a vulnerability existed in the IOS HTTP server that allowed an attacker to view the router configuration. An attacker able to view the configuration also sees the stored passwords for the enable, vty, aux and con sessions, and any of these held as type 7 strings are trivially reversible.

7.26 System Configuration
Control Objective/Rationale: Bootp is used to load operating systems over the network. In the case of Cisco routers, the capability exists for a router to act as a bootp server for other Cisco devices. Bootp is rarely needed and may open a security hole: if a Cisco router acting as a bootp server were compromised, an alternative version of Cisco IOS could be installed on all listening Cisco devices.

7.27 System Configuration
Control Objective/Rationale: Auto-loading allows a Cisco router configuration to be loaded at startup from either local memory or the network. Loading the router configuration from a network source is not secure and should be avoided, as an attacker could supply an alternative router configuration.

7.28
Control Objective/Rationale: When classless routing behavior is enabled, a router forwards packets for which it has no specific route using the best matching supernet or default route instead of dropping them. This can aid an attacker in reaching otherwise protected targets.
Uninor Internal
32
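Controls 7.24 to 7.28 all concern global IOS services. A point that matters when checking them is that a Cisco running-config omits settings left at their default, so a default-on service (bootp, classless routing) only shows up as disabled when its "no ..." line is present. The following Python auditor is an added example, not part of this document or of Uninor's implementation guidance; the default_on flags encode an assumption about IOS defaults, and both sample configurations are constructed.

```python
"""Audit the global section of a Cisco IOS running-config for the services
named in controls 7.24 to 7.28. IOS omits settings that are at their
default, so a default-on service is only known to be off when its 'no ...'
line is present. The default_on flags and the sample configs below are
assumptions constructed for this example."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceCheck:
    control: str
    name: str
    enable_re: str    # regex for a global line that turns the service on
    disable_re: str   # regex for the global line that turns it off
    default_on: bool  # assumed IOS default when neither line is present


CHECKS = [
    ServiceCheck("7.24", "finger", r"^(service|ip) finger\b", r"^no (service|ip) finger\b", False),
    ServiceCheck("7.25", "http server", r"^ip http server\b", r"^no ip http server\b", True),
    ServiceCheck("7.25", "https server", r"^ip http secure-server\b", r"^no ip http secure-server\b", False),
    ServiceCheck("7.26", "bootp server", r"^ip bootp server\b", r"^no ip bootp server\b", True),
    ServiceCheck("7.27", "config autoload", r"^(boot (network|host)|service config)\b", r"^no service config\b", False),
    ServiceCheck("7.28", "classless routing", r"^ip classless\b", r"^no ip classless\b", True),
]


def global_lines(config: str):
    """Keep only unindented, non-comment lines: IOS global commands."""
    return [ln.rstrip() for ln in config.splitlines() if ln.strip() and not ln.startswith((" ", "!"))]


def audit_global(config: str, checks=CHECKS):
    """One finding per service that is explicitly on or silently left at an 'on' default."""
    lines = global_lines(config)
    findings = []
    for c in checks:
        enabled = any(re.match(c.enable_re, ln) for ln in lines)
        disabled = any(re.match(c.disable_re, ln) for ln in lines)
        if enabled or (c.default_on and not disabled):
            how = "explicitly enabled" if enabled else "left at default (on)"
            findings.append(f"{c.control} {c.name}: {how}")
    return findings


# Constructed sample: a router with the risky services on or left at default.
WEAK_CONFIG = """\
version 15.1
service config
boot network tftp://192.0.2.10/edge-rtr.cfg
hostname edge-rtr
ip finger
ip http server
interface GigabitEthernet0/0
 ip address 10.10.1.1 255.255.255.0
!
"""

# Constructed sample: the same router with each service explicitly switched off.
HARDENED_CONFIG = """\
version 15.1
no service config
hostname edge-rtr
no ip finger
no ip http server
no ip http secure-server
no ip bootp server
no ip classless
interface GigabitEthernet0/0
 ip address 10.10.1.1 255.255.255.0
!
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_global(cfg) or ["no findings"])
```

Because the default flags are device- and release-dependent, they should be confirmed against the platform's documentation before the auditor is run over a fleet; the structure of the check (explicit enable, or default-on without an explicit disable) stays the same.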
7.29
Control Description: IP Mask Reply messages should be disabled.
Control Objective/Rationale: Not restricting IP Mask Reply messages can aid an attacker in mapping the physical topology of the targeted network.

7.30
Control Description: Restrict Domain Name Resolution to valid hosts.
Control Objective/Rationale: Cisco IOS supports looking up host names using Domain Name Resolution (DNS). Not restricting DNS requests allows an attacker to enumerate additional systems known to the DNS server. This type of attack is known as a DNS Zone Transfer.

7.31
Control Description: The Unicast Reverse option should be enabled.
Control Objective/Rationale: Not disabling this service creates the risk that an internal system could be used in a Distributed Denial of Service attack.

7.32
Control Description: All routers in the environment should have appropriate session timeout values assigned.
Control Objective/Rationale: Timeout sessions provide additional security against consoles that are left unattended. If a user can gain access to a console left unattended, they can modify the router's configuration.

7.33  System Configuration
Control Description: Remove all unnecessary transports on
Control Objective/Rationale: VTY connections allow interactive router sessions and, if compromised, could allow an unauthorized user to make changes to a router configuration. Users of VTY only require character access to the router and nothing else. Other transports, such as pad, rlogin and V120, should be restricted.

7.34  System Configuration
Control Description: All routers in the environment should have appropriate login banners.
Control Objective/Rationale: Without appropriate login banners notifying users that unauthorized access to a system is prohibited, legal prosecution of intruders may be difficult or impossible.

7.35  System Configuration
Control Description: Routers should be configured to abort vty interactive sessions that were terminated in an abnormal way.
Control Objective/Rationale: Enabling TCP keepalives on incoming connections will provide reasonable assurance that any sessions left hanging by a remote system crash or disconnection will not block or use up the available router vty ports.

7.36  System Configuration
Control Description: Interfaces should have an appropriate description assigned to them, and unused interfaces should be shut down.
Control Objective/Rationale: Detailed descriptions of connections will make it easier for administrators to review what type of connection is being made to the router. Also, unused interfaces may leave a network open to attack.
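Controls 7.29 to 7.36 (and the interface side of 7.22) are settings that live inside IOS interface and line stanzas rather than at global level, so checking them requires parsing the indented blocks of a running-config. The following Python auditor is an added example, not part of this document or of Uninor's implementation guidance; the interface names, addresses, banner text and both sample configurations are constructed, and the default assumptions (redirects on, mask reply off, exec-timeout present unless set to 0 0) are noted in the code.

```python
"""Audit interface and vty-line stanzas of a Cisco IOS running-config for
controls 7.29 to 7.36 (plus the per-interface 'no ip redirects' of 7.22).
A stanza is an unindented header such as 'interface GigabitEthernet0/1' or
'line vty 0 4' followed by indented sub-commands. Sample configs below are
constructed for this example and are not taken from the original document."""


def parse_stanzas(config: str):
    """Return (global_lines, stanzas): stanzas maps each header to its sub-commands."""
    globals_, stanzas, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None  # '!' separates stanzas in IOS output
            continue
        if raw.startswith(" "):
            if current is not None:
                stanzas[current].append(raw.strip())
        else:
            current = raw.strip()
            stanzas.setdefault(current, [])
            globals_.append(current)
    return globals_, stanzas


def audit_interface(name, cmds):
    f = []
    if "shutdown" in cmds:
        return f  # 7.36: an unused interface that is shut down needs nothing else
    if not any(c.startswith("description ") for c in cmds):
        f.append(f"7.36 {name}: no description")
    if "no ip redirects" not in cmds:  # redirects are on by default, so the 'no' form must appear
        f.append(f"7.22 {name}: ICMP redirects not disabled")
    if "ip mask-reply" in cmds:  # mask reply is off by default, so only its presence is a finding
        f.append(f"7.29 {name}: IP mask reply enabled")
    if not any(c.startswith("ip verify unicast") for c in cmds):
        f.append(f"7.31 {name}: unicast RPF not enabled")
    return f


def audit_vty(name, cmds):
    f = []
    timeout = next((c for c in cmds if c.startswith("exec-timeout")), None)
    if timeout is None:
        f.append(f"7.32 {name}: exec-timeout not set")
    elif sum(int(p) for p in timeout.split()[1:]) == 0:  # 'exec-timeout 0 0' disables the timeout
        f.append(f"7.32 {name}: exec-timeout disabled")
    transport = next((c for c in cmds if c.startswith("transport input")), None)
    if transport is None or set(transport.split()[2:]) != {"ssh"}:
        f.append(f"7.33 {name}: transport input not restricted to ssh")
    return f


def audit_config(config: str):
    """Global checks for 7.34 and 7.35, then every interface and vty stanza."""
    globals_, stanzas = parse_stanzas(config)
    findings = []
    if not any(g.startswith(("banner login", "banner motd")) for g in globals_):
        findings.append("7.34 global: no login banner")
    if "service tcp-keepalives-in" not in globals_:
        findings.append("7.35 global: tcp-keepalives-in not enabled")
    for header, cmds in stanzas.items():
        if header.startswith("interface "):
            findings += audit_interface(header.split(" ", 1)[1], cmds)
        elif header.startswith("line vty"):
            findings += audit_vty(header, cmds)
    return findings


WEAK_CONFIG = """\
interface GigabitEthernet0/0
 description Uplink to ISP
 ip address 203.0.113.2 255.255.255.252
 ip mask-reply
!
interface GigabitEthernet0/1
 ip address 10.10.1.1 255.255.255.0
 no ip redirects
!
interface GigabitEthernet0/2
 shutdown
!
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
!
"""

HARDENED_CONFIG = """\
service tcp-keepalives-in
banner login ^CAuthorized access only. Sessions are logged.^C
!
interface GigabitEthernet0/0
 description Uplink to ISP
 ip address 203.0.113.2 255.255.255.252
 no ip redirects
 ip verify unicast source reachable-via rx
!
interface GigabitEthernet0/1
 description Office LAN
 ip address 10.10.1.1 255.255.255.0
 no ip redirects
 ip verify unicast source reachable-via rx
!
line vty 0 4
 exec-timeout 10 0
 transport input ssh
!
"""
```

The parser treats a multi-line banner body as global lines, so banners should be exported with the delimiter on one line (as in the sample) or the banner check adapted; the uRPF check is deliberately strict and flags every active interface, which a site may relax for interfaces with asymmetric routing.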
7.37
Control Description: In networks that rely on several network administrators with varying responsibilities, different levels of PRIV EXEC access should be defined to restrict what commands each user can execute on the router.
Control Objective/Rationale: It may not be necessary for all administrators or users to have full privileged access to the router. Administrators that do not require this functionality may make unauthorized changes to the configuration.

7.38
Control Description: SSH should be used to remotely access a router.
Control Objective/Rationale: Telnet sessions transmit information, including usernames and passwords, in clear text. If an unauthorized user were to capture this information, it may place critical network devices at risk of compromise.

7.39  System Configuration
Control Description: Enable accounting to send information about each command that is entered to the configured TACACS+/RADIUS server.
Control Objective/Rationale: The information sent to the TACACS+/RADIUS server includes the command executed, the date it was executed, and the username of the user entering the command.
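Command accounting (7.39) produces the evidence with which the privilege separation of 7.37 can be verified after the fact. The following Python script is an added example, not part of this document or of Uninor's implementation guidance, that reviews accounting records carrying the command, date and username the rationale lists, together with the privilege level Cisco includes in TACACS+ accounting. The record layout, the per-administrator role table and the sample log are all constructed for this example.

```python
"""Review TACACS+ command-accounting records of the kind control 7.39 asks
for (command, date, username, plus the privilege level Cisco includes) and
use them to verify the privilege separation of control 7.37. The record
format, the role table and the sample log are constructed for this example."""
import re
from collections import Counter
from datetime import datetime

# Assumed privilege level assigned to each administrator (15 = full PRIV EXEC).
ROLE_LEVELS = {"alice": 15, "bob": 5, "svc-backup": 1}

# Commands that alter or export the configuration; everything else is treated as read-only.
CONFIG_CHANGE = re.compile(r"^(configure terminal|write|copy .*(running|startup)-config|reload)")

# Constructed record layout: '<date> <time> <user> priv-lvl=<n> cmd=<command>'.
RECORD = re.compile(r"^(?P<ts>\S+ \S+)\s+(?P<user>\S+)\s+priv-lvl=(?P<lvl>\d+)\s+cmd=(?P<cmd>.*)$")


def parse_record(line: str):
    m = RECORD.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "user": m["user"], "lvl": int(m["lvl"]), "cmd": m["cmd"].strip()}


def review(lines, roles=ROLE_LEVELS):
    """Flag unknown accounts, commands run above the assigned level, and config changes below level 15."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            findings.append(f"unparseable record: {line.strip()!r}")
            continue
        assigned = roles.get(rec["user"])
        tag = f"{rec['ts']:%Y-%m-%d %H:%M} {rec['user']}"
        if assigned is None:
            findings.append(f"{tag}: unknown account ran {rec['cmd']!r}")
        elif rec["lvl"] > assigned:
            findings.append(f"{tag}: ran {rec['cmd']!r} at priv-lvl {rec['lvl']}, assigned level is {assigned}")
        elif assigned < 15 and CONFIG_CHANGE.match(rec["cmd"]):
            findings.append(f"{tag}: configuration change {rec['cmd']!r} by a non-level-15 account")
    return findings


def commands_per_user(lines):
    """Per-user command counts, a quick way to spot an account that is suddenly busy."""
    return dict(Counter(rec["user"] for rec in map(parse_record, lines) if rec))


# Constructed sample log: one legitimate change window and three anomalies.
SAMPLE_LOG = [
    "2024-03-02 09:12:04 alice priv-lvl=15 cmd=configure terminal",
    "2024-03-02 09:12:31 alice priv-lvl=15 cmd=no ip http server",
    "2024-03-02 09:13:02 alice priv-lvl=15 cmd=write memory",
    "2024-03-02 10:40:17 bob priv-lvl=5 cmd=show running-config",
    "2024-03-02 10:41:55 bob priv-lvl=15 cmd=configure terminal",
    "2024-03-02 10:42:10 bob priv-lvl=5 cmd=write memory",
    "2024-03-02 11:03:09 contractor1 priv-lvl=15 cmd=copy running-config tftp:",
    "2024-03-02 11:05:00 svc-backup priv-lvl=1 cmd=show version",
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
    print(commands_per_user(SAMPLE_LOG))
```

Because the records include the date, the same parser can be fed to a scheduled job that compares each day's accounting output against the approved change calendar; the role table is the one piece that has to be kept in step with the privilege levels actually configured on the routers.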
Approvals
Head - Operations          Date
Head NOC                   Date