Cisco Switch Hardening Checklist

The document discusses recommendations for securing network device authentication, authorization, and access settings in accordance with the Center for Internet Security (CIS) guidelines. It recommends enabling AAA services for centralized control, using TACACS+ for authentication and accounting, restricting administrative access via SSH and access lists to authorized hosts only, disabling unused ports, setting user privilege levels and session timeouts to prevent unauthorized access. The guidelines are designed to prevent unauthorized access to network devices and securely log and monitor administrative activities.

1.1 Local Authentication, Authorization and Accounting (AAA) Settings

Each entry below gives the CIS reference and control name (with its level and whether it is scored), the security implications, and the recommended configuration/setting.

1.1.1 Enable 'aaa new-model' (Level-1, Scored)
Security Implications: The Authentication, Authorization, and Accounting (AAA) framework is critical in order to secure interactive access to network devices. Absence of AAA may lead to weaknesses that can be exploited by an adversary to obtain unauthorized access to critical network equipment, and to view and even alter the configuration.
Recommended Configuration/Setting: TACACS+ service should be enabled in the network configuration.

1.1.2 Enable 'aaa authentication login' (Level-1, Scored)
Security Implications: Using AAA authentication for interactive management access to the device provides consistent, centralized control of the network. The default under AAA (local or network) is to require users to log in using a valid user name and password.
Recommended Configuration/Setting: Use the TACACS+ service for authentication while keeping local authentication for emergency situations when TACACS+ is not available. The passwords for local users must be strong and secured to prevent unauthorized usage.

1.1.3 Enable 'aaa authentication enable default' (Level-1, Scored)
Security Implications: Using AAA authentication for interactive management access to the device provides consistent, centralized control of network devices and helps minimize unauthorized activities.
Recommended Configuration/Setting: Configure TACACS+ authentication method(s) for enable authentication. This applies to users who enter privileged EXEC mode with the enable command.

1.1.4 Set 'login authentication' for 'line con 0' (Level-1, Scored)
Security Implications: Using AAA authentication for interactive management access to the device provides consistent, centralized control of network devices and helps minimize unauthorized activities.
Recommended Configuration/Setting: Configure management lines to require login using the default or a named AAA (TACACS+) authentication list. This configuration must be set individually for all line types.

1.1.5 Set 'login authentication' for 'line tty' (Level-1, Scored)
Security Implications: Using AAA authentication for interactive management access to the device provides consistent, centralized control of network devices and helps minimize unauthorized activities.
Recommended Configuration/Setting: Configure management lines to require login using the default or a named AAA (TACACS+) authentication list. This configuration must be set individually for all line types.

1.1.6 Set 'login authentication' for 'line vty' (Level-1, Scored)
Security Implications: Using AAA authentication for interactive management access to the device provides consistent, centralized control of network devices and helps minimize unauthorized activities.
Recommended Configuration/Setting: Configure management lines to require login using the default or a named AAA (TACACS+) authentication list. This configuration must be set individually for all line types.

1.1.7 Set 'aaa accounting' to log all privileged use commands using 'commands 15' (Level-2, Scored)
Security Implications: AAA Accounting provides a management and audit trail for user and administrative sessions through RADIUS and TACACS+. It enhances visibility into the operations of network devices and aids capturing and storing important security events for the investigation of incidents.
Recommended Configuration/Setting: Enabling 'aaa accounting' for privileged commands records and sends activity to the accounting (log) servers and enables monitoring and analysis of privileged activity.

1.1.9 Set 'aaa accounting exec' (Level-1, Scored)
Security Implications: AAA Accounting provides a management and audit trail for user and administrative sessions through RADIUS and TACACS+. It enhances visibility into the operations of network devices and aids capturing and storing important security events for the investigation of incidents.
Recommended Configuration/Setting: Configure AAA accounting for EXEC shell sessions.
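The controls in 1.1 expressed as IOS configuration, as an added example that is not part of the checklist. The TACACS+ server address 192.0.2.10, the group name TAC-GRP, the local account "rescue" and the placeholder secrets in angle brackets are assumptions.

```cisco
! Added example, not from the checklist: TACACS+-backed AAA with local fallback.
! Assumed values: TACACS+ server 192.0.2.10, group TAC-GRP, local user "rescue".
aaa new-model
!
! 1.1.2: a local account is required for the 'local' fallback method to work
username rescue privilege 1 secret <StrongLocalPassword>
!
tacacs server TACACS-1
 address ipv4 192.0.2.10
 key <SharedSecret>
aaa group server tacacs+ TAC-GRP
 server name TACACS-1
!
! 1.1.2: login via TACACS+; 'local' is consulted only when no TACACS+ server
!        answers, not when TACACS+ rejects the credentials
aaa authentication login default group TAC-GRP local
! 1.1.3: 'enable' via TACACS+, falling back to the enable secret when unreachable
aaa authentication enable default group TAC-GRP enable
! 1.1.7 / 1.1.9: account for EXEC sessions and every privilege-15 command
aaa accounting exec default start-stop group TAC-GRP
aaa accounting commands 15 default start-stop group TAC-GRP
!
! 1.1.4 - 1.1.6: apply the default list to each line type (add 'line tty'
!                where the platform has TTY lines)
line con 0
 login authentication default
line vty 0 15
 login authentication default
```

Verify with 'show aaa servers' that the TACACS+ server is reachable before relying on the fallback; a misspelled key silently pushes every login to the local account.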

1.2 Access Settings

1.2.1 Set 'privilege 1' for local users (Level-1, Scored)
Security Implications: IOS devices by default are not configured to require strong user authentication, potentially enabling unrestricted access to an adversary who is able to reach the device.
Recommended Configuration/Setting: Set the local user to privilege level 1.

1.2.2 Set 'transport input ssh' for 'line vty' connections (Level-1, Scored)
Security Implications: Prevents unauthorized access by restricting remote access only to users authorized to manage the device.
Recommended Configuration/Setting: Apply SSH to transport input on all VTY management lines.

1.2.3 Set 'no exec' for 'line aux 0' (Level-1, Scored)
Security Implications: Some devices include both an auxiliary and a console port that can be used to locally connect to and configure the device. Unused ports provide potential channels for attackers to gain unauthorized access. Ports that are not used should be disabled.
Recommended Configuration/Setting: Disable the EXEC process on the auxiliary port.

1.2.4 Create 'access-list' for use with 'line vty' (Level-1, Scored)
Security Implications: Configuring VTY lines to use an ACL restricts which source IPs can be used to manage the device. Access should be restricted to specific hosts and/or networks authorized to connect to and configure the device, via an approved protocol, and to those individuals or systems authorized to administer the device.
Recommended Configuration/Setting: Configure the VTY ACL that will be used to restrict management access to the device such that only authorized workstations have access.

1.2.5 Set 'access-class' for 'line vty' (Level-1, Scored)
Security Implications: Setting an access class restricts the type of network devices associated with the addresses on the access-list, thereby further restricting remote access to those devices authorized to manage the device. This reduces the risk of unauthorized access.
Recommended Configuration/Setting: Configure remote management access control restrictions for all VTY lines to allow only authorized types of devices from authorized workstations. Caution: Using VTY lines with 'access class' restrictions increases the risks of unauthorized access.

1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0' (Level-1, Scored)
Security Implications: Setting 'exec-timeout' prevents unauthorized users from misusing abandoned sessions.
Recommended Configuration/Setting: Configure the device timeout (10 minutes or less) to disconnect sessions after a fixed idle time. This setting is applicable only where 1.2.3 is not implemented (i.e. if "Set 'no exec' for 'line aux 0'" is not done). It will be reported as FAILED by the verification tool if 1.2.3 is implemented.

1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes for 'line console 0' (Level-1, Scored)
Security Implications: Setting 'exec-timeout' prevents unauthorized users from misusing abandoned sessions.
Recommended Configuration/Setting: Configure the device timeout (10 minutes or less) to disconnect sessions after a fixed idle time. Set a timeout that strikes a balance between security and usability.

1.2.8 Set 'exec-timeout' to less than or equal to 10 minutes for 'line tty' (Level-1, Scored)
Security Implications: Setting 'exec-timeout' prevents unauthorized users from misusing abandoned sessions.
Recommended Configuration/Setting: Configure the device timeout (10 minutes or less) to disconnect sessions after a fixed idle time. Set a timeout that strikes a balance between security and usability.

1.2.9 Set 'exec-timeout' to less than or equal to 10 minutes for 'line vty' (Level-1, Scored)
Security Implications: Setting 'exec-timeout' prevents unauthorized users from misusing abandoned sessions.
Recommended Configuration/Setting: Configure the device timeout (10 minutes or less) to disconnect sessions after a fixed idle time. Set a timeout that strikes a balance between security and usability.

1.2.10 Set 'transport input none' for 'line aux 0' (Level-1, Scored)
Security Implications: Unused ports provide potential channels for attackers to gain unauthorized access. Ports that are not used should be disabled.
Recommended Configuration/Setting: Disable inbound connections on the auxiliary port.
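The line and access-list controls in 1.2 as one IOS configuration, added here as an example that is not part of the checklist. The management host 192.0.2.50, the jump-host subnet 192.0.2.0/24, the ACL name VTY-MGMT and the VTY range 0-15 are assumptions.

```cisco
! Added example, not from the checklist: management-plane access restrictions.
! Assumed values: admin host 192.0.2.50, jump-host subnet 192.0.2.0/24, ACL VTY-MGMT.
!
! 1.2.1: local accounts sit at privilege 1; elevation goes through 'enable'
username rescue privilege 1 secret <StrongLocalPassword>
!
! 1.2.4: only these sources may open a session to the VTY lines;
!        the final 'deny any log' records every refused attempt in syslog
ip access-list standard VTY-MGMT
 permit host 192.0.2.50
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
! 1.2.2 / 1.2.5 / 1.2.9: SSH only, ACL applied inbound, idle sessions dropped
!        after 10 minutes 0 seconds
line vty 0 15
 access-class VTY-MGMT in
 transport input ssh
 exec-timeout 10 0
!
! 1.2.7: the console times out as well
line con 0
 exec-timeout 10 0
!
! 1.2.3 / 1.2.10: the auxiliary port gets no EXEC process and no inbound transport;
!        with 'no exec' set, the 1.2.6 exec-timeout on aux 0 no longer applies
line aux 0
 no exec
 transport input none
```

Check the ACL hit counters with 'show ip access-lists VTY-MGMT' after a few days: a growing deny counter is an early signal that something unexpected is probing the management plane.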

1.3 Banner Settings

1.3.1 Set the 'banner-text' for 'banner exec' (Level-1, Scored)
Security Implications: Network banners are electronic messages that provide notice of legal rights to users of computer networks.
Recommended Configuration/Setting: Configure the EXEC banner with ITC's Standard Text for login banners, presented to a user when accessing the device's enable prompt.

1.3.2 Set the 'banner-text' for 'banner login' (Level-1, Scored)
Security Implications: Network banners are electronic messages that provide notice of legal rights to users of computer networks.
Recommended Configuration/Setting: Configure the device so that a login banner (with ITC's Standard Text for login banners) is presented to a user attempting to access the device.

1.3.3 Set the 'banner-text' for 'banner motd' (Level-1, Scored)
Security Implications: Network banners are electronic messages that provide notice of legal rights to users of computer networks.
Recommended Configuration/Setting: Configure the device to present a MOTD banner (with ITC's Standard Text for login banners) to a user attempting to access the device.

1.4 Password Settings

1.4.1 Set 'password' for 'enable secret' (Level-1, Scored)
Security Implications: The enable secret setting provides protection from unauthorized access to privileged EXEC mode. The enable password command causes the device to enforce use of a password to access privileged mode. Trivial, guessable, weak passwords are prone to password guessing / cracking attacks such as brute force or password spray attacks.
Recommended Configuration/Setting: Configure a strong enable secret password. Enforcement of strong passwords shall be enabled at all times. If the devices are configured to use external authentication such as Active Directory or other LDAP, this setting enforces a strong password on the local account, if any.

1.4.2 Enable 'service password-encryption' (Level-1, Scored)
Security Implications: If this setting is not enabled, passwords for many devices will be rendered in plain text in the configuration file. This setting ensures passwords are rendered as encrypted strings, preventing an adversary from easily determining the configured value.
Recommended Configuration/Setting: Enable the password encryption service to protect sensitive access passwords in the device configuration.

1.4.3 Set 'username secret' for all local users (Level-1, Scored)
Security Implications: IOS devices by default are not configured to require strong user authentication, potentially enabling unauthorized access to an adversary who is able to reach the device. A local account with an encrypted password enforces login authentication and provides a fallback authentication mechanism for situations where centralized TACACS+ (AAA) services are not available.
Recommended Configuration/Setting: Create a local user with an encrypted, complex (not easily guessed) password.
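The banner (1.3) and password (1.4) controls together as IOS configuration, added here as an example that is not part of the checklist. The banner text is a placeholder for the organisation's approved notice, the 'algorithm-type scrypt' form assumes an IOS release that supports type 9 secrets, and the secrets in angle brackets are placeholders.

```cisco
! Added example, not from the checklist: banner and password settings (1.3, 1.4).
! Placeholder banner text; substitute the organisation's approved legal notice.
!
! 1.3.1 - 1.3.3: '^' is the delimiter and must not occur inside the banner text
banner motd ^
<Approved legal notice: authorised use only; activity is monitored and logged>
^
banner login ^
<Approved legal notice>
^
banner exec ^
<Approved legal notice>
^
!
! 1.4.1: 'enable secret' stores a one-way hash. Prefer the scrypt (type 9) form
!        where the IOS release supports it; otherwise use 'enable secret <pw>'.
enable algorithm-type scrypt secret <StrongEnablePassword>
!
! 1.4.3: every local account uses 'secret' (hashed), never 'password'
username rescue privilege 1 algorithm-type scrypt secret <StrongLocalPassword>
!
! 1.4.2: obfuscates any remaining 'password'-style strings (type 7) in the
!        configuration, e.g. line passwords or legacy 'username ... password'
service password-encryption
```

'service password-encryption' produces type 7 strings, which are reversible obfuscation rather than hashing; it is a safety net for leftovers, not a substitute for 'secret'.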

1.5 SNMP Settings

1.5.1 Set 'no snmp-server' to disable SNMP when unused (Level-1, Scored)
Security Implications: SNMP read access allows remote monitoring and management of the device. An unwanted SNMP service may help an adversary to obtain information about the device and plan attacks.
Recommended Configuration/Setting: Disable SNMP read and write access if it is not in use to monitor and/or manage the device. The additional settings prescribed below to secure SNMP shall be configured if SNMP is required for managing and monitoring.

1.5.2 Unset 'private' for 'snmp-server community' (Level-1, Scored)
Security Implications: SNMP has the default community string "private", which is well known. It allows an attacker to gain unauthorized access to the device easily.
Recommended Configuration/Setting: Disable the default SNMP community string "private". If it is required, the default string should be changed to a non-guessable (complex, non-dictionary) one.

1.5.3 Unset 'public' for 'snmp-server community' (Level-1, Scored)
Security Implications: SNMP has the default community string (read-only) "public", which is well known. It allows an attacker to gain unauthorized access to the device easily.
Recommended Configuration/Setting: Disable the default SNMP community string "public". If it is required, the default string should be changed to a non-guessable (complex, non-dictionary) one.

1.5.4 Do not set 'RW' for any 'snmp-server community' (Level-1, Scored)
Security Implications: SNMP read-write, when enabled, allows remote management of the device. An attacker may perform unauthorized activities on the device (using SNMP RW).
Recommended Configuration/Setting: Disable SNMP write access. Do not allow 'RW' unless absolutely required.

1.5.5 Set the ACL for each 'snmp-server community' (Level-1, Scored)
Security Implications: An adversary with a valid SNMP community string can potentially monitor and manage the network devices if ACLs are not applied to the SNMP server community.
Recommended Configuration/Setting: Configure an authorized SNMP community string and restrict access to authorized management systems.

1.5.6 Create an 'access-list' for use with SNMP (Level-1, Scored)
Security Implications: SNMP ACLs restrict addresses that are not explicitly authorized to manage and monitor the device via SNMP. This reduces the risk of unauthorized access by guessing valid community strings.
Recommended Configuration/Setting: Configure an SNMP ACL restricting access to the device to authorized management stations segmented in a secure/trusted management zone.

1.5.7 Set 'snmp-server host' when using SNMP (Level-1, Scored)
Security Implications: Allows the network device to submit SNMP traps (alerts) only to authorized management systems by configuring authorized hosts.
Recommended Configuration/Setting: Configure an authorized SNMP trap community string and restrict sending messages to authorized management systems.

1.5.8 Set 'snmp-server enable traps snmp' (Level-1, Scored)
Security Implications: SNMP traps (logs) provide important information about network devices that helps monitoring and management.
Recommended Configuration/Setting: Enable SNMP traps.
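The SNMP controls in 1.5 as IOS configuration, added here as an example that is not part of the checklist. The management station 192.0.2.60, the ACL name SNMP-MGMT and the community-string placeholders are assumptions.

```cisco
! Added example, not from the checklist: SNMP settings (1.5).
! Assumed values: NMS host 192.0.2.60, ACL SNMP-MGMT, placeholder community strings.
!
! 1.5.1: if SNMP is not used for monitoring or management, remove the agent
!        entirely and none of the lines below are needed:
! no snmp-server
!
! 1.5.2 / 1.5.3: remove the well-known default community strings
no snmp-server community public
no snmp-server community private
!
! 1.5.6: only the management station(s) may talk SNMP to the device
ip access-list standard SNMP-MGMT
 permit host 192.0.2.60
 deny   any log
!
! 1.5.4 / 1.5.5: a single read-only community bound to the ACL; no RW community
snmp-server community <NonGuessableROString> RO SNMP-MGMT
!
! 1.5.7 / 1.5.8: traps go only to the authorised host, with a separate community
snmp-server host 192.0.2.60 version 2c <NonGuessableTrapString>
snmp-server enable traps snmp
```

Where the platform and the management station support it, SNMPv3 with authentication and privacy removes the community string from the wire altogether; the ACL and trap-host restrictions above still apply.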

1.6 Global Service Settings

2.1.1.1.1 Set the 'hostname' (Level-1, Scored)
Security Implications: It is required to have a domain name for setting up SSH.
Recommended Configuration/Setting: Configure an appropriate host name for the network device.

2.1.1.1.2 Set the 'ip domain name' (Level-1, Scored)
Security Implications: It is required to have a domain name for setting up SSH.
Recommended Configuration/Setting: Configure an appropriate domain name for the network device.

2.1.1.1.3 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa' (Level-1, Not Scored)
Security Implications: An RSA key pair is required to set up SSH. The key size should be at least 2048 bits.
Recommended Configuration/Setting: Generate an RSA key pair for the network device with 2048 bits.

2.1.1.1.4 Set 'seconds' for 'ip ssh timeout' (Level-1, Scored)
Security Implications: Reduces the risk of unauthorized access when an administrator leaves an authenticated session logged in for an extended period of time.
Recommended Configuration/Setting: Configure the SSH timeout to 60 seconds.

2.1.1.1.5 Set maximum value for 'ip ssh authentication-retries' (Level-1, Scored)
Security Implications: This setting reduces brute force attacks that continue to try different password combinations by limiting the number of login attempts per SSH connection.
Recommended Configuration/Setting: Configure the SSH authentication retry limit to 3.

2.1.1.2 Set version 2 for 'ip ssh version' (Level-1, Scored)
Security Implications: A number of serious vulnerabilities have been discovered in SSH version 1. It is no longer considered to be a secure protocol. SSH version 2 has been standardized since 2006.
Recommended Configuration/Setting: Configure the device to use SSH version 2.

2.1.2 Set 'no cdp run' (Level-1, Scored)
Security Implications: CDP (Cisco Discovery Protocol) is considered a security risk because it provides a good amount of information in response to queries. There are publicly known denial-of-service (DoS) attacks that use CDP. CDP should be completely disabled unless necessary.
Recommended Configuration/Setting: Disable the Cisco Discovery Protocol (CDP) service globally.

2.1.3 Set 'no ip bootp server' (Level-1, Scored)
Security Implications: BootP should be disabled unless there is a specific requirement. It allows the device to hand out IP addresses.
Recommended Configuration/Setting: Disable the bootp server unless there is a specific requirement.

2.1.4 Set 'no service dhcp' (Level-1, Scored)
Security Implications: Attackers can potentially use the DHCP server for denial-of-service (DoS) attacks.
Recommended Configuration/Setting: Disable the DHCP server unless there is a specific requirement.

2.1.5 Set 'no ip identd' (Level-1, Scored)
Security Implications: The identification protocol allows identifying a user's TCP session, which could potentially be used by an adversary to obtain information about users.
Recommended Configuration/Setting: Disable the ident server.

2.1.6 Set 'service tcp-keepalives-in' (Level-1, Scored)
Security Implications: Old connections use resources and could potentially be hijacked to gain illegitimate access. When enabled, keepalives are sent once per minute on idle connections. The connection is closed within five minutes if no keepalives are received.
Recommended Configuration/Setting: Enable the TCP keepalives-in service.

2.1.7 Set 'service tcp-keepalives-out' (Level-1, Scored)
Security Implications: This setting generates keepalive packets on idle outgoing network connections.
Recommended Configuration/Setting: Enable the TCP keepalives-out service.

2.1.8 Set 'no service pad' (Level-1, Scored)
Security Implications: The PAD service should be disabled to prevent intruders from accessing the X.25 PAD command set on the device.
Recommended Configuration/Setting: Disable the PAD service.
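The SSH prerequisites and global service controls in 1.6 as IOS configuration, added here as an example that is not part of the checklist. The host name SW-CORE-01 and the domain example.net are assumptions.

```cisco
! Added example, not from the checklist: SSH setup and global service settings (1.6).
! Assumed values: host name SW-CORE-01, domain example.net.
!
! 2.1.1.1.1 / 2.1.1.1.2: both names must exist before the RSA key can be generated
hostname SW-CORE-01
ip domain-name example.net
!
! 2.1.1.1.3: entered in global configuration mode, but the key is not stored as a
!            configuration line; confirm it with 'show crypto key mypubkey rsa'
crypto key generate rsa general-keys modulus 2048
!
! 2.1.1.1.4 / 2.1.1.1.5 / 2.1.1.2: note the IOS command is 'ip ssh time-out'
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh version 2
!
! 2.1.2 - 2.1.5, 2.1.8: services with no role on a hardened switch are turned off
no cdp run
no ip bootp server
no service dhcp
no ip identd
no service pad
!
! 2.1.6 / 2.1.7: probe idle TCP sessions in both directions and tear dead ones down
service tcp-keepalives-in
service tcp-keepalives-out
```

Generating the RSA key after 'ip ssh version 2' is already set is fine, but SSH does not start listening until a key exists; 'show ip ssh' reports the version and the timeout and retry values actually in effect.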

1.7 Logging Settings

2.2.1 Set 'logging on' (Level-1, Scored)
Security Implications: Logging, when enabled, allows monitoring of operational and security-related events on Cisco devices. It helps the investigation of security incidents.
Recommended Configuration/Setting: Enable system logging.

2.2.2 Set 'buffer size' for 'logging buffered' (Level-1, Scored)
Security Implications: Cisco devices can copy and store logs in an internal memory buffer. It helps debugging and monitoring when logged in to the device.
Recommended Configuration/Setting: Configure buffered logging (with a minimum size). The recommended size is 64000.

2.2.3 Set 'logging console critical' (Level-1, Scored)
Security Implications: Determines the severity of messages that will generate console messages. Logging to the console should be limited only to those messages required for immediate troubleshooting while logged into the device.
Recommended Configuration/Setting: Configure the console logging level to "critical".

2.2.4 Set IP address for 'logging host' (Level-1, Scored)
Security Implications: Local logs can be wiped by an attacker who gains unauthorized access to the device. Cisco routers can send their log messages to a remote syslog server.
Recommended Configuration/Setting: Configure one or more syslog servers by IP address.

2.2.5 Set 'logging trap informational' (Level-1, Scored)
Security Implications: This determines the severity of messages that will generate Simple Network Management Protocol (SNMP) trap and/or syslog messages.
Recommended Configuration/Setting: Set "logging trap" to either "debugging" (7) or "informational" (6), at the least.

2.2.6 Set 'service timestamps debug datetime' (Level-1, Scored)
Security Implications: Timestamps in log messages allow correlating security events and investigating network attacks across multiple devices.
Recommended Configuration/Setting: Configure debug messages to include timestamps.

2.2.7 Set 'logging source interface' (Level-1, Scored)
Security Implications: Required to make the device send log messages to the logging server from a consistent IP address. Multiple IPs may create confusion while investigating incidents.
Recommended Configuration/Setting: Bind logging to a specific interface.

1.8 NTP Settings

2.3.2 Set 'ip address' for 'ntp server' (Level-1, Scored)
Security Implications: Time on Cisco devices shall be consistent with the other devices in the network.
Recommended Configuration/Setting: Configure at least one external (organization's) NTP server.
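The logging (1.7) and NTP (1.8) controls together as IOS configuration, added here as an example that is not part of the checklist. The syslog server 192.0.2.20, the NTP server 192.0.2.30 and the source interface Loopback0 are assumptions; the 'service timestamps log' line goes beyond the checklist, which only names the debug variant.

```cisco
! Added example, not from the checklist: logging and NTP settings (1.7, 1.8).
! Assumed values: syslog server 192.0.2.20, NTP server 192.0.2.30, source Loopback0.
!
! 2.2.1 / 2.2.2: logging on, with a 64000-byte local buffer for on-box troubleshooting
logging on
logging buffered 64000
!
! 2.2.3: only critical (severity 2) and more severe messages reach the console
logging console critical
!
! 2.2.4 / 2.2.5: informational (6) and above is shipped off-box, where an intruder
!                on the switch cannot wipe it
logging host 192.0.2.20
logging trap informational
!
! 2.2.7: one stable source address, so the SIEM attributes every message correctly
logging source-interface Loopback0
!
! 2.2.6: timestamps on debug output; the 'log' form (an addition beyond the
!        checklist) timestamps the syslog messages themselves the same way
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
!
! 2.3.2: consistent time is what makes those timestamps comparable across devices
ntp server 192.0.2.30
```

'show ntp status' should report "synchronized" before log timestamps are trusted for cross-device correlation.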

1.9 Data Plane Settings

3.1.1 Set 'no ip source-route' (Level-1, Scored)
Security Implications: The source routing feature is used for various kinds of attacks because it allows individual packets to specify routes.
Recommended Configuration/Setting: Disable source routing.

3.1.2 Set 'no ip proxy-arp' (Level-2, Scored)
Security Implications: Proxy ARP effectively breaks the LAN security perimeter, extending a network across multiple Layer 2 segments. Using proxy ARP can also allow other security controls such as PVLAN to be bypassed.
Recommended Configuration/Setting: Disable proxy ARP on all interfaces.

1.10 Border Router Filtering Settings (Applicable only for devices directly connected to the Internet)

3.2.1 Set 'ip access-list extended' to forbid private source addresses from external networks (Level-2, Not Scored)
Security Implications: Configuring access controls can help prevent spoofing attacks.
Recommended Configuration/Setting: Configure an ACL for private source address restrictions from external networks.

3.2.2 Set inbound 'ip access-group' on the external interface (Level-2, Not Scored)
Security Implications: Configuring access controls can help prevent spoofing attacks.
Recommended Configuration/Setting: Apply the access-group on the external (untrusted) interface.
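The data-plane (1.9) and border filtering (1.10) controls together as IOS configuration, added here as an example that is not part of the checklist. The external interface GigabitEthernet0/1, the inside SVIs Vlan10 and Vlan20, the ACL name EXT-IN and the trailing 'permit ip any any' (standing in for the site's real inbound policy) are assumptions; the 127.0.0.0/8 entry is an addition beyond the checklist's RFC 1918 scope.

```cisco
! Added example, not from the checklist: data-plane and border filtering (1.9, 1.10).
! Assumed values: external interface GigabitEthernet0/1, inside SVIs Vlan10/Vlan20,
! ACL EXT-IN. The closing 'permit ip any any' stands in for the real inbound policy.
!
! 3.1.1: drop packets carrying IP source-route options
no ip source-route
!
! 3.1.2: proxy ARP off on every Layer 3 interface
interface Vlan10
 no ip proxy-arp
interface Vlan20
 no ip proxy-arp
!
! 3.2.1: traffic arriving from the Internet must not claim an RFC 1918 source;
!        'log' records each dropped spoof attempt for the SOC
!        (127.0.0.0/8 is included here as an addition beyond the checklist)
ip access-list extended EXT-IN
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 permit ip any any
!
! 3.2.2: apply inbound on the external (untrusted) interface
interface GigabitEthernet0/1
 no ip proxy-arp
 ip access-group EXT-IN in
```

'show ip access-lists EXT-IN' exposes the per-entry match counters; the deny lines should only ever count spoofed packets, so a sudden jump is worth a look.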
