CCNP Security: SENSS Part 1-3

1.3 Configure device hardening per best practices

1.3.a Routers
Source:http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

Management Plane

• Passwords
  
  • Enable MD5 hashing (secret option) for enable and local user passwords
  • Configure the password retry lockout
  • Disable password recovery (consider risk)
• Disable unused services
• Configure TCP keepalives for management sessions
• Set memory and CPU threshold notifications
• Configure
  
  • Memory and CPU threshold notifications
  • Reserve memory for console access
  • Memory leak detector
  • Buffer overflow detection
  • Enhanced crashinfo collection
• Use iACLs to restrict management access
• Filter (consider risk)
  
  • ICMP packets
  • IP fragments
  • IP options
  • TTL value in packets
• Control Plane Protection
  
  • Configure port filtering
  • Configure queue thresholds
• Management access
  
  • Use Management Plane Protection to restrict management interfaces
  • Set exec timeout
  • Use an encrypted transport protocol (such as SSH) for CLI access
  • Control transport for vty and tty lines (access class option)
  • Warn using banners
• AAA
  
  • Use AAA for authentication and fallback
  • Use AAA (TACACS+) for command authorization
  • Use AAA for accounting
  • Use redundant AAA servers
• SNMP
  
  • Configure SNMPv2 communities and apply ACLs
  • Configure SNMPv3
• Logging
  
  • Configure centralized logging
  • Set logging levels for all relevant components
  • Set logging source-interface
  • Configure logging timestamp granularity
• Configuration Management
  
  • Replace and rollback
  • Exclusive Configuration Change Access
  • Software resilience configuration
  • Configuration change notifications

Control Plane

• Disable (consider risk)
  
  • ICMP redirects
  • ICMP unreachables
  • Proxy ARP
• Configure NTP authentication if NTP is being used
• Configure Control Plane Policing/Protection (port filtering, queue thresholds)
• Secure routing protocols
  
  • BGP (TTL, MD5, maximum prefixes, prefix lists, system path ACLs)
  • IGP (MD5, passive interface, route filtering, resource consumption)
• Configure hardware rate limiters
• Secure First Hop Redundancy Protocols (GLBP, HSRP, VRRP)

Data Plane

• Configure IP Options Selective Drop
• Disable (consider risk)
  
  • IP source routing
  • IP Directed Broadcasts
  • ICMP redirects
• Limit IP Directed Broadcasts
• Configure tACLs (consider risk)
  
  • Filter ICMP
  • Filter IP fragments
  • Filter IP options
  • Filter TTL values
• Configure required anti-spoofing protections
  
  • ACLs
  • IP Source Guard
  • Dynamic ARP Inspection
  • Unicast RPF
  • Port security
• Control Plane Protection (control-plane cef-exception)
• Configure NetFlow and classification ACLs for traffic identification
• Configure required access control ACLs (VLAN maps, PACLs, MAC)
• Configure Private VLANs

1.3.b Switches
See above, there applicable

1.3.c Firewalls 
Source: http://www.cisco.com/web/about/security/intelligence/firewall-best-practices.html

Best Practices Checklist

Management Plane Checks

Disable Console Logging - Firewall
Requirement	Severity	Comments
Disable Console Logging	Low	Best practice: Ensure console logging is disabled or set to critical. Although useful for troubleshooting from the console port, it is possible that excessive log messages on the console could make it impossible to manage the device, even from the console. Command:  no logging console - or - logging console critical

Enable Logging - Firewall
Requirement	Severity	Comments
Enable Logging	Info	Best practice: Check if state of event logging on the firewall is enabled. Logging a firewall's activities and status offers several benefits. Using the information in a log, the administrator can tell whether the firewall is working properly or whether it has been compromised. In some cases, it can show what types of probes or attacks are being attempted against the firewall or the protected network. If the logging is disabled, the events that happen on the firewall are not logged anywhere. This may make it harder to troubleshoot any network issues. This may also cause some of the problems, including attempted attacks, to go unnoticed, as well as prevent collection of evidence about any unauthorized activity. If logging is enabled, ensure the logging messages are sent to only trusted hosts on a protected network so the logs cannot be compromised and cannot be viewed by anyone who is not authorized to view them. Command:  logging on | logging enable
Enable Logging Timestamp	Low	Best practice: Timestamps should be enabled for log messages, which will facilitate interpretation of the messages for troubleshooting and investigating network attacks. Ensure that the date/time is correctly set (if NTP is not configured) so that the timestamps provide the proper day/time of the log messages. If the timestamps are not shown in the log messages, it may not be possible to sense the order of events occurring in the network. Command:  logging timestamp
Enable Logging to Buffer	Low	Best practice: Cisco devices can store log messages in memory. The buffered data is available only from an exec or enabled exec session, and it is cleared when the device reboots. This form of logging is useful, even though it does not offer enough long-term protection for the logs. Buffered logging keeps the log messages in RAM on the device. A logging buffer must be configured on the device, and this buffer is circular, meaning that when it fills up, the oldest log message is deleted to make room for the new message. If buffer logging is not enabled, it will not be possible to view the most recent log messages on the device for troubleshooting or monitoring purposes. Command:  logging buffered <level>
Log Messages to a Syslog Server	Info	Best practice: Cisco devices can be configured to forward log messages to an external Syslog service. It is highly recommended that networks implement a logging structure based on a Syslog infrastructure. Proactive monitoring of firewall logs is an integral part of Security Admin duties. The firewall syslogs are useful for forensics, network troubleshooting, security evaluation, worm and virus attack mitigation, and so on. This is a scalable solution, which provides long-term storage capabilities and a central location for all device messages Command:  logging host <interface-name> <ipAddress>

Secure Device Access - Firewall
Requirement	Severity	Comments
Restrict HTTP Access to Certain Addresses	Info	Best practice: To specify hosts that can access the HTTP server internal to the FWSM. The addresses allowed to access the firewall using HTTP can be restricted. Any undefined IP address will not see the prompt at all. Command:  http <ip-address> <net-mask> <interface name>
Restrict SSH Access to Certain Addresses	Medium	Best practice: The addresses allowed to access the firewall using SSH can be restricted. Any undefined IP address will not see the prompt at all. Command:  ssh <ip-address> <net-mask> <interface name>
Restrict Telnet Access to Certain Addresses	Medium	Best practice: The addresses allowed to access the firewall using Telnet can be restricted. Any undefined IP address will not see the prompt at all. Command:  telnet <ip-address> <net-mask> <interface name>
Set Enable Password	Info	Best practice: Set enable password to secure access to privilege level. Access to the privileged EXEC mode (enable mode) should be protected by requiring a password else user logged in to user mode can access enable mode. Command:  enable password <password>
Set Password	Info	Best practice: To set the login password, use the passwd command in global configuration mode. You are prompted for the login password when you access the CLI as the default user using Telnet or SSH. After you enter the login password, you are in user EXEC mode. Command:  passwd <password>
Set Suitable Console Timeout	Low	Best practice: For console connections the idle timeout must be configured to avoid undesirable open and unattended console connection to the firewall. Command:  console timeout <timeout value in minutes>
Set Suitable SSH Timeout	Low	Best practice: For ssh connections the idle timeout must be configured to avoid undesirable and unattended open ssh connections to the firewall. Command:  ssh timeout <timeout in minutes>
Set Suitable Telnet Timeout	Low	Best practice: For telnet connections the idle timeout must be configured to avoid undesirable open unattended telnet connection to the firewall. Command:  telnet timeout <timeout in minutes>
Use Warning Banner Messages	Low	Best practice: Use of configurable, personalized login and failed-login banners is recommended. This feature lets you change the default message for login and failed-login. You can configure message banners that will be displayed when a user logs in to the system Command:  banner <banner-message>

Secure Interactive Access Using AAA - Firewall
Requirement	Severity	Comments
Define AAA Server with Key	Medium	Best practice: An Authentication Authorization and Accounting Server (AAA) is recommended to store all the username / password and privilege levels in one single repository. AAA server should be configured with a key for authentication and encryption. Command:  aaa-server TACACS+ <interface> host <ipAddress> <key>
Use AAA Accounting	Low	Best practice: When you configure the aaa accounting command, each command other than show commands entered by an administrator is recorded and sent to the accounting server or servers. Command:  aaa accounting command EXAUTH LOCAL
Use AAA Authentication for Enable Mode	Medium	Best practice: Authenticates users who access privileged EXEC mode when they use the enable command. For authentication an external server may be used and also supports fallback to local database if external authentication server is down. Command:  aaa authentication enable console RADIUS LOCAL
Use AAA Authentication for HTTP	Medium	Best practice: If aaa authentication http console command is not defined, you can gain access to the FWSM (via ASDM) with no username and the FWSM enable password (set with the enable password command). Command:  aaa authentication http console RADIUS LOCAL
Use AAA Authentication for SSH	Info	Best practice: Before the firewall can authenticate a Telnet or SSH user, we must first configure access to the firewall using the telnet or ssh commands. These commands identify the IP addresses that are allowed to communicate with the firewall. Command:  aaa authentication ssh console RADIUS LOCAL
Use AAA Authentication for Telnet	Medium	Best practice: Before the firewall can authenticate a Telnet or SSH user, we must first configure access to the firewall using the telnet or ssh commands. These commands identify the IP addresses that are allowed to communicate with the firewall. Command:  aaa authentication telnet console RADIUS LOCAL
Use AAA Authorization	Low	Best practice: The aaa authorization command specifies whether command execution at the CLI is subject to authorization. If you enable TACACS+ command authorization, and a user enters a command at the CLI, the FWSM sends the command and username to the TACACS+ server to determine if the command is authorized. When configuring command authorization with a TACACS+ server, do not save your configuration until you are sure it works the way you want. If you get locked out because of a mistake, you can usually recover access by restarting the FWSM. Command:  aaa authorization command TACACS LOCAL
Use Local Login as Backup to AAA	Info	Best practice: While configuring external authentication it is advisable to keep the local database check as fallback option. Command:  aaa authentication http console RADIUS LOCAL

Secure Management Protocols - Firewall
Requirement	Severity	Comments
Authenticate NTP Updates	Medium	Best practice: Network Time Protocol (NTP) is a UDP based protocol used to synchronize time clocks amongst network devices. NTP is especially useful to ensure that timestamps on log messages are consistent throughout the entire network. It is recommended to authenticate NTP updates so that time is synchronized with approved servers only. Command:  ntp authentication-key <key-id> md5 <key>
Change Default Community String	High	Best practice: The default community string of "public" and "private" are well known. These should always be changed to more secure strings. Command:  snmp-server community <non-default-string>
Define SNMP Server Host	Low	Best practice: SNMP is an application-layer communication protocol that allows ONS 15454 network devices to exchange management information among these systems and with other devices outside the network. SNMP is used in network management systems to monitor network-attached devices for conditions that warrant administrative attention. Command:  snmp-server host
Disable SNMP if not used	Low	Best practice: SNMP Protocol should be disabled if not used in the network. If used, access to SNMP service should be protected using appropriate mechanisms like ACLs. Command:  no snmp-server
Enable SNMP Trap Logging	Low	Best practice: SNMP traps are used to report an alert or other asynchronous event about a managed firewall. Command:  snmp server enable traps
Use NTP to Synch Network Clocks	Medium	Best practice: Network Time Protocol (NTP) is a UDP based protocol used to synchronize time clocks amongst network devices. NTP is especially useful to ensure that timestamps on log messages are consistent throughout the entire network. Command:  ntp server <ntp server name> source <interface>

Control Plane Checks

Disable Unneeded Services - Firewall
Requirement	Severity	Comments
Check if Failover is used	Info	Best practice: This rule checks if failover is configured in the firewall devices Command:  failover
Disable HTTP session replication	Info	Best practice: The replication of http session data to the failover firewall should be disabled unless the firewall is not expected to be under extreme load and the http session data is highly critical. Given the short duration of http sessions, low probably of firewall failure and the design of most applications, this is not likely to be needed. This rule checks only firewalls with failover configured. Command:  no failover replication http
Disable Proxy ARPs	Low	Best practice: Proxy ARP allows a firewall to extend the network at layer 2 across multiple interfaces (i.e. LAN segments). Hence proxy ARP allows hosts from different segments to function as if they were on the same subnet, and is only safe when used between trusted LAN segments. Attackers can use the trusting nature of proxy ARP by spoofing a trusted host and intercepting packets. Because of this inherent security weakness, proxy ARP should be disabled on interfaces that do not require it, especially those interfaces that connect to untrusted networks. Command:  sysopt noproxyarp <interface>
Limit ICMP responses on interfaces	Low	Best practice: Preferable to disable ICMP on outside interfaces at a minimum. The default (i.e. no ICMP control list is configured), is for the PIX/ASA/FWSM to accept all ICMP traffic that terminates at any interface (including the outside interface). This will depend on the customer policy. Command:  icmp permit <acl> <interface>

Data Plane Checks

Data Plane - Firewall
Requirement	Severity	Comments
Enable uRPF anti-spoofing	Info	Best practice: Anti-spoofing should be configured on all outside interfaces. This rule checks if uRFP is enabled on any one interface.  Command:  ip verify reverse-path interface <interface-name>