Security Hardening Checklist Guide For Cisco Routers - Switches in 10 Steps

Written By Harris Andrea
Network infrastructure devices (routers, switches, load balancers, firewalls etc) are among the
assets of an enterprise that play an important role in security and thus need to be protected
and configured accordingly.

Many enterprises focus on protecting their data, servers, applications, databases etc but they
forget about security of network devices which are sometimes installed with out-of-the-box
configurations.

A compromised router for example can be devastating to the whole security of the enterprise
since it can be used to gain access to data, reconfigured to route traffic to other destinations,
used to launch attacks to other networks, used to gain access to other internal resources etc.

Therefore, hardening the network devices themselves is essential for enhancing the whole
security of the enterprise.
Cisco separates a network device into 3 functional elements called “Planes”. These are the following:

Management Plane: This is about the management of a network device. The management plane is used to access, configure, manage and monitor a network device. The security of the management plane is discussed in this article.

Control Plane: The control plane consists of the protocols and processes that communicate between network devices in order to move data from source to destination. This includes routing protocols such as BGP and OSPF, signaling protocols etc.

Data Plane: The data plane is responsible for moving data from source to destination. This is where most data packets flow within the network device (usually hardware accelerated as well).

From the three Planes above, the Management Plane first and the Control Plane second are
the most important to secure.

In this article we will focus on Management Plane security and discuss the 10 most important
steps to harden a Cisco IOS network device.

The security checklist below is not exhaustive, but it includes the most important commands and configurations that will lock down a Cisco IOS network device and enhance its security and that of the whole network. The checklist applies to both Cisco Routers and Switches.


1) Create an Enable Secret Password


In order to grant privileged administrative access to the IOS device, you should create a strong “Enable Secret” password. I suggest using a password at least 10 characters long, consisting of alphanumeric characters and special symbols.

Make sure to use the “enable secret” command which creates a password with strong
encryption.

Router# config terminal
Router(config)# enable secret strongpassword

2) Encrypt Passwords on the device

All the passwords configured on the Cisco device (except the “enable secret”) are shown as clear text in the configuration file. In order to encrypt the clear text passwords and obscure them from showing in the configuration file, use the global command “service password-encryption”.

Router# config terminal
Router(config)# service password-encryption

The command above uses a fairly weak Vigenere cipher which can be decrypted with software
tools. It is used mainly to prevent casual observers from reading passwords, such as when
they look at the screen over the shoulder of an administrator.


3) Use an external AAA server for User Authentication


Instead of using local user accounts on each device for administrator access, it’s much more
secure, flexible and scalable to use an external AAA server (TACACS+ or RADIUS) to handle
the Authentication, Authorization and Accounting of users’ access to the devices.

With a centralized AAA server you can easily change/enable/disable account passwords,
enforce strong password policies, monitor account usage and user access etc.

Here we will see how to configure both TACACS+ and RADIUS AAA servers, with the “enable secret” password as fallback if the AAA server is not available.

TACACS+

Router# config terminal
Router(config)# enable secret K6dn!#scfw35 <- Create first an “enable secret” password
Router(config)# aaa new-model <- Enable the AAA service
Router(config)# aaa authentication login default group tacacs+ enable <- Use TACACS+ for authentication with the “enable” password as fallback
Router(config)# tacacs-server host 192.168.1.10 <- assign the internal AAA server
Router(config)# tacacs-server key secret-key <- shared secret key configured on the AAA server (no quotes; they would become part of the key)
Router(config)# line vty 0 4
Router(config-line)# login authentication default <- Apply AAA authentication to VTY lines (Telnet, SSH etc)
Router(config-line)# exit
Router(config)# line con 0 <- Apply AAA authentication to console port
Router(config-line)# login authentication default

RADIUS

Router# config terminal
Router(config)# enable secret K6dn!#scfw35 <- Create first an “enable secret” password
Router(config)# aaa new-model <- Enable the AAA service
Router(config)# aaa authentication login default group radius enable <- Use RADIUS for authentication with the “enable” password as fallback
Router(config)# radius-server host 192.168.1.10 <- assign the internal AAA server
Router(config)# radius-server key secret-key <- shared secret key configured on the AAA server (no quotes; they would become part of the key)
Router(config)# line vty 0 4
Router(config-line)# login authentication default <- Apply AAA authentication to VTY lines (Telnet, SSH etc)
Router(config-line)# exit
Router(config)# line con 0 <- Apply AAA authentication to console port
Router(config-line)# login authentication default

4) Create separate local accounts for User Authentication


If you can’t install and use an external AAA server as discussed in the previous section, at a
bare minimum create separate local accounts for anyone that you will give access to your
devices.

If you have for example 3 network administrators and you have to use local device accounts for them, then create a personalized user account for each administrator. This provides accountability for the actions each administrator performs on the device.

Moreover, from IOS version 12.2(8)T and later you can configure “Enhanced Password Security” for local accounts created on the device. This means that the passwords of local accounts will be stored as an MD5 hash.

Let’s configure 3 different local administrator accounts with “Enhanced Password Security”.

Router# config terminal
Router(config)# username john-admin secret Lms!a2eZSf*%
Router(config)# username david-admin secret d4N3$6&%sf
Router(config)# username mary-admin secret 54sxSFT*&(zsd

5) Configure Maximum Failed Authentication Attempts


To avoid brute force password attacks against the devices, you can configure a maximum number of failed login attempts so that a user will be locked out after this threshold.

This works for local user accounts on the devices.

Router# config terminal
Router(config)# username john-admin secret Lms!a2eZSf*%
Router(config)# aaa new-model
Router(config)# aaa local authentication attempts max-fail 5 <- max 5 failed login attempts
Router(config)# aaa authentication login default local

6) Restrict Management Access to the devices to specific IPs only


This is probably one of the most important security configurations on Cisco network devices.
You should restrict what IP addresses can Telnet or SSH to your devices. This should be
limited to a few management systems that administrators will be using to manage the network.


Assume that the administrators’ subnet is 192.168.1.0/28

Router# config terminal
Router(config)# access-list 10 permit 192.168.1.0 0.0.0.15
Router(config)# line vty 0 15
Router(config-line)# access-class 10 in <- Apply IP restrictions to all VTY lines (for Telnet or SSH); access-class is a line sub-command
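As an added example (not part of the original article), the Python below computes the wildcard mask for the administrators' subnet the way IOS expects it and evaluates a standard numbered ACL top-down against candidate source addresses, including the implicit deny at the end. It goes slightly beyond the single line above by also handling the host and any keywords and the bare-address form used later in the SNMP step. The ACL lines and the test addresses are constructed for the example.

```python
import ipaddress

def wildcard_for_prefix(prefix):
    """Turn a CIDR prefix into the (network, wildcard) pair IOS expects,
    e.g. 192.168.1.0/28 -> ('192.168.1.0', '0.0.0.15'): the wildcard is the
    inverse of the subnet mask, and its 1-bits mean 'don't care'."""
    net = ipaddress.ip_network(prefix, strict=False)
    return str(net.network_address), str(net.hostmask)

def parse_standard_acl(lines):
    """Parse numbered standard ACL lines into {number: [(action, network, wildcard), ...]}
    in configured order. Handles 'any', 'host A.B.C.D', 'A.B.C.D WILDCARD' and the
    bare 'A.B.C.D' form (IOS treats a missing wildcard as 0.0.0.0, i.e. a single host)."""
    acls = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        number, action, rest = parts[1], parts[2], parts[3:]
        if rest[0] == "any":
            network, wildcard = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            network, wildcard = rest[1], "0.0.0.0"
        else:
            network = rest[0]
            wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"
        acls.setdefault(number, []).append(
            (action, int(ipaddress.ip_address(network)), int(ipaddress.ip_address(wildcard))))
    return acls

def permitted(entries, address):
    """Evaluate a standard ACL the way IOS does: top-down, first matching entry wins,
    and an address that matches nothing is denied (the implicit 'deny any')."""
    addr = int(ipaddress.ip_address(address))
    for action, network, wildcard in entries:
        care = ~wildcard                      # bits that must match exactly
        if (addr & care) == (network & care):
            return action == "permit"
    return False

# Constructed ACL lines mirroring the VTY and SNMP ACLs of this checklist.
SAMPLE_ACL_LINES = [
    "access-list 10 permit 192.168.1.0 0.0.0.15",   # VTY access: admins' /28
    "access-list 11 permit 192.168.1.0 0.0.0.15",   # SNMP read-only: same /28
    "access-list 12 permit 192.168.1.1",            # SNMP read/write: one host
]
ACLS = parse_standard_acl(SAMPLE_ACL_LINES)

if __name__ == "__main__":
    print(wildcard_for_prefix("192.168.1.0/28"))
    for src in ("192.168.1.5", "192.168.1.16", "10.0.0.7"):
        print(src, "vty:", permitted(ACLS["10"], src), "snmp-rw:", permitted(ACLS["12"], src))
```

A useful habit before applying an access-class is to run the management workstations and a few addresses just outside the subnet through the evaluator: 192.168.1.16 is the first address outside a /28 starting at .0, and it must be denied.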

7) Enable Logging

Logging is very useful for monitoring, incident response and auditing. You can enable logging to an internal buffer of the device or to an external log server. The latter is much more flexible and helpful since you can store much more log data and perform analysis on logs much more easily than with local logging.

There are 8 different logging levels (from 0 to 7), each one giving progressively more log detail. You should avoid logging level 7 (debug) since it will overload the device.

Here we will discuss both buffered logging (internal to the device) and logging to an external server. You can have both if you want, as shown below.

Router# config terminal
Router(config)# logging trap 6 <- Enable logging level 6 for logs sent to external server
Router(config)# logging buffered 5 <- Enable logging level 5 for logs stored locally in buffer
Router(config)# service timestamps log datetime msec show-timezone <- Include timestamps in logs with millisecond precision
Router(config)# logging host 192.168.1.2 <- Send logs to external log server
Router(config)# logging source-interface ethernet 1/0 <- Use Eth1/0 to send log messages

8) Enable Network Time Protocol (NTP)


This step is essential for the previous section about logging. You must have accurate and
uniform clock settings on all network devices in order for log data to be stamped with the
correct time and timezone. This will help tremendously in incident handling and proper log
monitoring and correlation.

You can either configure an internal or external NTP server (there are several public NTP
servers that you can use as well).

Router# config terminal
Router(config)# ntp server 1.1.1.1
Router(config)# ntp server 2.2.2.2

9) Use Secure Management Protocols if possible


Telnet is the default management protocol for Command Line access to Cisco devices.
However, all management traffic is clear-text with Telnet. For security reasons, prefer SSH for
management instead of Telnet.

Let’s see how to configure SSH access to a Cisco device.

Router# config terminal
Router(config)# hostname London
London(config)# ip domain-name mydomain.com
London(config)# crypto key generate rsa modulus 2048 <- Generate the RSA key pair first; IOS refuses to enable SSH version 2 until a key exists
London(config)# ip ssh version 2
London(config)# ip ssh time-out 60
London(config)# ip ssh authentication-retries 3
London(config)# line vty 0 15
London(config-line)# transport input ssh

SSH requires a hostname and a domain-name to be configured and SSH (RSA) keys to be generated. Also, on the VTY lines allow the SSH protocol only.

10) Restrict and Secure SNMP Access


The Simple Network Management Protocol (SNMP) can be very useful to collect information
from network devices but can also pose a security risk if not configured properly.

The SNMP protocol uses a “Community String” which acts as a password for restricting access (Read Only or Read/Write) to the SNMP data on the device. In addition to configuring a strong Community String, IP filtering must also be applied to allow SNMP access only from a few management workstations.

Let’s configure two Community strings (one “READ ONLY” and another one “READ/WRITE”)
and also apply IP address control with ACLs.

Router# config terminal
Router(config)# access-list 11 permit 192.168.1.0 0.0.0.15
Router(config)# access-list 12 permit 192.168.1.1
Router(config)# snmp-server community Cbd43@#w5SDF RO 11 <- Create Read Only (RO) community string and use ACL 11 to allow SNMP access
Router(config)# snmp-server community Xcv4#56&454sdS RW 12 <- Create Read Write (RW) community string and use ACL 12 to allow SNMP access

The above commands allow the administrators’ subnet 192.168.1.0/28 to have Read Only SNMP access to the devices and also allow the host 192.168.1.1 to have full Read/Write SNMP access to the devices.
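To turn the ten steps into something that can be checked rather than only typed, here is an added Python audit script (not from the article and not a Cisco tool) that parses a running-config and reports which checklist items a device fails. The sample configuration is constructed for the example and deliberately mixes hardened and unhardened settings; the check names, the split into global commands and line blocks, and the remediation hints are this example's own conventions, with the hints reusing the commands from the steps above. Username lines that use the password keyword (clear text, or the reversible type 7 form that service password-encryption produces) are reported as a finding, while secret lines pass.

```python
import re

# Constructed sample running-config for this example (not from a real device).
# It deliberately passes some checklist items and fails others.
SAMPLE_CONFIG = """\
hostname London
service password-encryption
enable secret 5 $1$PLAC$EHOLDER.hash.value
username john-admin secret 5 $1$PLAC$EHOLDER.hash.value
username legacy-admin password 7 0822455D0A16
aaa new-model
aaa authentication login default group tacacs+ enable
tacacs-server host 192.168.1.10
logging buffered 5
logging trap 6
snmp-server community public RO
snmp-server community Xcv4#56&454sdS RW 12
line con 0
 login authentication default
line vty 0 15
 transport input telnet ssh
 login authentication default
"""

# Remediation hints reuse the checklist's own commands (hypothetical placeholders in <>).
REMEDIATION = {
    "1-enable-secret": "enable secret <strong password>",
    "2-password-encryption": "service password-encryption",
    "3-aaa": "aaa new-model / aaa authentication login default group tacacs+ enable",
    "4-local-accounts-hashed": "username <name> secret <password>  (not 'password')",
    "5-max-fail": "aaa local authentication attempts max-fail 5",
    "6-vty-access-class": "access-list 10 permit <mgmt subnet> ; line vty 0 15 ; access-class 10 in",
    "7-remote-logging": "logging trap 6 / logging host <syslog server>",
    "8-ntp": "ntp server <ntp server>",
    "9-ssh-only": "line vty 0 15 ; transport input ssh",
    "10-snmp": "snmp-server community <strong string> RO <acl>",
}

def split_config(text):
    """Separate global commands from the indented sub-commands of 'line ...' blocks."""
    global_lines, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):            # indented: belongs to the current line block
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        current = raw if raw.startswith("line ") else None
        if current is not None:
            blocks[current] = []
        else:
            global_lines.append(raw)
    return global_lines, blocks

def audit(text):
    """Return {check name: True (pass) / False (fail)} for the ten checklist items."""
    g, blocks = split_config(text)

    def has(pattern):
        return any(re.match(pattern, line) for line in g)

    vty = [cmds for name, cmds in blocks.items() if name.startswith("line vty")]
    # 'username X password ...' stores clear text or the reversible type 7 form;
    # 'username X secret ...' stores an MD5 hash (Enhanced Password Security).
    weak_users = [l.split()[1] for l in g if re.match(r"username \S+ password ", l)]
    communities = [l.split() for l in g if l.startswith("snmp-server community ")]

    return {
        "1-enable-secret": has(r"enable secret "),
        "2-password-encryption": has(r"service password-encryption$"),
        "3-aaa": has(r"aaa new-model$") and has(r"aaa authentication login "),
        "4-local-accounts-hashed": not weak_users,
        "5-max-fail": has(r"aaa local authentication attempts max-fail \d+"),
        "6-vty-access-class": bool(vty) and all(
            any(c.startswith("access-class ") and c.endswith(" in") for c in cmds) for cmds in vty),
        "7-remote-logging": has(r"logging host ") and has(r"logging trap "),
        "8-ntp": has(r"ntp server "),
        "9-ssh-only": bool(vty) and all("transport input ssh" in cmds for cmds in vty),
        # every community string needs a trailing ACL number and must not be a default name
        "10-snmp": all(len(p) >= 5 and p[2].lower() not in ("public", "private")
                       for p in communities),
    }

def failing_checks(text):
    """Names of the checklist items the configuration fails, in sorted order."""
    return sorted(name for name, ok in audit(text).items() if not ok)

if __name__ == "__main__":
    for name in failing_checks(SAMPLE_CONFIG):
        print(f"FAIL {name}: {REMEDIATION[name]}")
```

Feed it the output of show running-config saved to a file; a device that passes all ten checks returns an empty list. The SNMP check passes when no community string is configured at all, since a device with SNMP disabled exposes nothing, and the VTY checks fail when no line vty block exists, because that usually means the defaults (Telnet, no access-class) are in effect.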

In a different post I will discuss security of the Control Plane so stay tuned.

Filed Under: Network Security


About Harris Andrea


Harris Andrea is an Engineer with more than two decades of professional experience in
the fields of TCP/IP Networks, Information Security and I.T. Over the years he has
acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.
He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN
Configuration Guide") which are available at Amazon and on this website as well.

Comments

Chuck says
July 18, 2016 at 5:00 pm
This is so beautifully presented. Thank you Andrea for your kindness.

Robert Takac says
July 19, 2016 at 2:12 am

Hey Andrea!
Is there a particular AAA server you would recommend? I have all Cisco switches and
an ASA5506
Thanks – love your books and the tips you send out
Bob

TK says
July 19, 2016 at 4:28 am

Good Topic !
But, What is TACACS+ or RADIUS software that you are using in this topic for AAA
Server?

Harris Andrea says
July 19, 2016 at 4:55 am

Hi Robert,

For commercial AAA server, I recommend the Cisco ACS (Access Control System)
which supports both RADIUS and TACACS+ with lots of features.

Also, if you have an internal Microsoft server environment, you can configure Windows servers as RADIUS.
For free options, many people use the popular freeradius (http://freeradius.org/) but there are many other free AAA servers out there as well.

Harris

Harris Andrea says
July 19, 2016 at 4:57 am

TK,

Please see my other comment above for AAA server options. It doesn’t matter what
brand or software of AAA server you use. The configuration on the Cisco devices will
be the same.

Harris

TK says
July 19, 2016 at 8:14 am

Hi Andrea!

Thanks for your recommendations and info.

Ravi says
July 28, 2016 at 9:13 pm

Hello Andrea,

Really appreciate your effort to provide good information.

We are using an ACS server for TACACS+ device access, but didn’t implement any access-list to control device access. How can I use access list configuration in my case?

Harris Andrea says
July 29, 2016 at 11:11 am

Ravi,

Take a look at downloadable ACLs using ACS:

Anurath says
August 27, 2017 at 1:38 pm

Hello Harris Andrea

Do you have any article about Security Hardening Checklist for Cisco ASA Firewall?
As part of security, what are the main things we need to configure on ASA?

Thank You
Anurath

Harris Andrea says
August 27, 2017 at 6:56 pm

ASA is pretty much hardened out of the box. You need to take care of the configuration for managing the ASA and create strict rules on SSH or HTTPS access to the ASA for management. You should allow access only from specific management workstations etc. Other than that, you must be very careful regarding ACLs and what traffic you allow to pass through the ASA. Many security weaknesses come from human errors :)

Anurath says
August 28, 2017 at 5:53 am

Hi Harris

Thanks!!! Can you please share any sample configuration :)

Anurath

Harris Andrea says
August 28, 2017 at 7:48 am

Sorry, I don’t have something ready for now.

Copyright © 2024 | Privacy Policy | Terms and Conditions | Hire Me | Contact | Amazon Disclaimer | Delivery Policy
