<?xml version='1.0' encoding='iso-8859-1' ?><rss version="2.0"><channel><title>Cisco Routers</title><link>http://www.checklist20.com/bestpractices.html</link><description>Routers direct and control much of the data flowing across computer networks. This guide provides technical guidance intended to help IT auditors, network administrators and security officers improve the security of Cisco routers and implement best practices.</description><item><title>Monitor Cisco Security Advisories and Responses</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=272&amp;tn=Monitor Cisco Security Advisories and Responses</link><description>The Cisco Product Security Incident Response Team (PSIRT) creates and maintains publications, commonly referred to as PSIRT Advisories, for security-related issues in Cisco products. Subscribe to&amp;nbsp;Cisco Security Advisory RSS feeds at http:ewsr ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=272&amp;tn=Monitor Cisco Security Advisories and Responses'>View More</a>]]></description></item><item><title>Develop Network Security Policy</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=301&amp;tn=Develop Network Security Policy</link><description> ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=301&amp;tn=Develop Network Security Policy'>View More</a>]]></description></item><item><title>Implement Password Management Controls</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=278&amp;tn=Implement Password Management Controls</link><description>As a security best practice, passwords must be managed with a TACACS+ or RADIUS authentication server. 
However, note that a locally configured password for privileged access is still needed in the event of failure of the TACACS+ or RADIUS servi ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=278&amp;tn=Implement Password Management Controls'>View More</a>]]></description></item><item><title>Centralize Log Collection and Monitoring</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=274&amp;tn=Centralize Log Collection and Monitoring</link><description>In order to track existing, emerging, and historic events related to security incidents, a unified strategy is required for event logging and correlation. This unified approach must leverage logging from all network devices and use pre-packaged an ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=274&amp;tn=Centralize Log Collection and Monitoring'>View More</a>]]></description></item><item><title>Leverage Authentication, Authorization, and Accounting</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=273&amp;tn=Leverage Authentication, Authorization, and Accounting</link><description>The Authentication, Authorization, and Accounting (AAA) framework is vital to securing network devices. The AAA framework provides authentication of management sessions and can also limit users to specific, administrator-defined commands and log a ... 
&amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=273&amp;tn=Leverage Authentication, Authorization, and Accounting'>View More</a>]]></description></item><item><title>Access Control with MAC</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=335&amp;tn=Access Control with MAC</link><description>MAC access control lists or extended lists can be applied on an IP network with the use of this command in interface configuration mode: Cat6K-IOS(config-if)#mac packet-classify ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=335&amp;tn=Access Control with MAC'>View More</a>]]></description></item><item><title>Access Control with PACLs</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=334&amp;tn=Access Control with PACLs</link><description>PACLs can only be applied to the inbound direction on Layer 2 physical interfaces of a switch. Similar to VLAN maps, PACLs provide access control on non-routed or Layer 2 traffic. The syntax for creating PACLs, which take precedence over VLAN maps ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=334&amp;tn=Access Control with PACLs'>View More</a>]]></description></item><item><title>Access Control with VLAN Maps</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=333&amp;tn=Access Control with VLAN Maps</link><description>VACLs, or VLAN maps that apply to all packets that enter the VLAN, provide the capability to enforce access control on intra-VLAN traffic. This is not possible using ACLs on routed interfaces. For example, a VLAN map may be used in order to preven ... 
&amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=333&amp;tn=Access Control with VLAN Maps'>View More</a>]]></description></item><item><title>Classification ACLs</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=332&amp;tn=Classification ACLs</link><description>Classification ACLs provide visibility into traffic that traverses an interface. Classification ACLs do not alter the security policy of a network and are typically constructed to classify individual protocols, source addresses, or destinations. F ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=332&amp;tn=Classification ACLs'>View More</a>]]></description></item><item><title>Anti-Spoofing ACLs</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=331&amp;tn=Anti-Spoofing ACLs</link><description>Manually configured ACLs can provide static anti-spoofing protection against attacks that utilize known unused and untrusted address space. Commonly, these anti-spoofing ACLs are applied to ingress traffic at network boundaries as a component of a ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=331&amp;tn=Anti-Spoofing ACLs'>View More</a>]]></description></item><item><title>Dynamic ARP Inspection</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=330&amp;tn=Dynamic ARP Inspection</link><description>Dynamic ARP Inspection (DAI) can be utilized to mitigate ARP poisoning attacks on local segments. An ARP poisoning attack is a method in which an attacker sends falsified ARP information to a local segment. This information is designed to corrupt  ... 
&amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=330&amp;tn=Dynamic ARP Inspection'>View More</a>]]></description></item><item><title>Port Security</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=329&amp;tn=Port Security</link><description>Port Security is used in order to mitigate MAC address spoofing at the access interface. Port Security can use dynamically learned (sticky) MAC addresses to ease the initial configuration. Once port security has determined a MAC violation, it c ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=329&amp;tn=Port Security'>View More</a>]]></description></item><item><title>IP Source Guard</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=328&amp;tn=IP Source Guard</link><description>IP Source Guard is an effective means of spoofing prevention that can be used if you have control over Layer 2 interfaces. IP Source Guard uses information from DHCP snooping to dynamically configure a port access control list (PACL) on the Layer  ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=328&amp;tn=IP Source Guard'>View More</a>]]></description></item><item><title>Configure Unicast RPF</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=327&amp;tn=Configure Unicast RPF</link><description>Unicast RPF enables a device to verify that the source address of a forwarded packet can be reached through the interface that received the packet. You must not rely on Unicast RPF as the only protection against spoofing. Spoofed packets could ent ... 
&amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=327&amp;tn=Configure Unicast RPF'>View More</a>]]></description></item><item><title>Disable IP Source Routing</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=326&amp;tn=Disable IP Source Routing</link><description>IP source routing leverages the Loose Source Route and Record Route options in tandem or the Strict Source Route along with the Record Route option to enable the source of the IP datagram to specify the network path a packet takes. This functional ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=326&amp;tn=Disable IP Source Routing'>View More</a>]]></description></item><item><title>IP Options Selective Drop</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=325&amp;tn=IP Options Selective Drop</link><description>There are two security concerns presented by IP options. Traffic that contains IP options must be process-switched by Cisco IOS devices, which can lead to elevated CPU load. IP options also include the functionality to alter the path that traffic  ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=325&amp;tn=IP Options Selective Drop'>View More</a>]]></description></item><item><title>Securing First Hop Redundancy Protocols</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=324&amp;tn=Securing First Hop Redundancy Protocols</link><description>First Hop Redundancy Protocols (FHRPs) provide resiliency and redundancy for devices that are acting as default gateways. This situation and these protocols are commonplace in environments where a pair of Layer 3 devices provides default gateway f ... 
&amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=324&amp;tn=Securing First Hop Redundancy Protocols'>View More</a>]]></description></item><item><title>Routing Process Resource Consumption</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=323&amp;tn=Routing Process Resource Consumption</link><description>Routing Protocol prefixes are stored by a router in memory, and resource consumption increases with additional prefixes that a router must hold. In order to prevent resource exhaustion, it is important to configure the routing protocol to limit re ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=323&amp;tn=Routing Process Resource Consumption'>View More</a>]]></description></item><item><title>Route Filtering</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=322&amp;tn=Route Filtering</link><description>In order to reduce the possibility of introducing false routing information in the network, route filtering must be used. Unlike the passive-interface router configuration command, routing occurs on interfaces once route filtering is enabled, but  ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=322&amp;tn=Route Filtering'>View More</a>]]></description></item><item><title>Passive-Interface Commands</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=321&amp;tn=Passive-Interface Commands</link><description>Information leaks, or the introduction of false information into an IGP, can be mitigated through use of the passive-interface command that assists in controlling the advertisement of routing information. You are advised not to advertise any infor ... 
&amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=321&amp;tn=Passive-Interface Commands'>View More</a>]]></description></item><item><title>Routing Protocol Authentication and Verification with Message Digest 5</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=320&amp;tn=Routing Protocol Authentication and Verification with Message Digest 5</link><description>Failure to secure the exchange of routing information allows an attacker to introduce false routing information into the network. By using password authentication with routing protocols between routers, you can aid the security of the network. How ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=320&amp;tn=Routing Protocol Authentication and Verification with Message Digest 5'>View More</a>]]></description></item><item><title>Disable or Limit IP Directed Broadcasts</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=319&amp;tn=Disable or Limit IP Directed Broadcasts</link><description>IP Directed Broadcasts make it possible to send an IP broadcast packet to a remote IP subnet. Once it reaches the remote network, the forwarding IP device sends the packet as a Layer 2 broadcast to all stations on the subnet. This directed broadca ... 
&amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=319&amp;tn=Disable or Limit IP Directed Broadcasts'>View More</a>]]></description></item><item><title>Filtering BGP Prefixes with Autonomous System Path Access Lists</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=318&amp;tn=Filtering BGP Prefixes with Autonomous System Path Access Lists</link><description>BGP autonomous system (AS) path access lists allow the user to filter received and advertised prefixes based on the AS-path attribute of a prefix. This can be used in conjunction with prefix lists to establish a robust set of filters. This configu ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=318&amp;tn=Filtering BGP Prefixes with Autonomous System Path Access Lists'>View More</a>]]></description></item><item><title>Filtering BGP Prefixes with Prefix Lists</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=317&amp;tn=Filtering BGP Prefixes with Prefix Lists</link><description>Prefix lists allow a network administrator to permit or deny specific prefixes that are sent or received via BGP. Prefix lists should be used where possible to ensure network traffic is sent over the intended paths. Prefix lists should be applied  ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=317&amp;tn=Filtering BGP Prefixes with Prefix Lists'>View More</a>]]></description></item><item><title>Configuring Maximum Prefixes</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=316&amp;tn=Configuring Maximum Prefixes</link><description>BGP prefixes are stored by a router in memory. The more prefixes a router must hold, the more memory BGP consumes. 
In some configurations, a subset of all Internet prefixes can be stored, such as in configurations that leverage only a  ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=316&amp;tn=Configuring Maximum Prefixes'>View More</a>]]></description></item><item><title>BGP Peer Authentication with MD5</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=315&amp;tn=BGP Peer Authentication with MD5</link><description>Peer authentication using MD5 creates an MD5 digest of each packet sent as part of a BGP session. Specifically, portions of the IP and TCP headers, TCP payload, and a secret key are used in order to generate the digest. Peer authentication with MD5 ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=315&amp;tn=BGP Peer Authentication with MD5'>View More</a>]]></description></item><item><title>Secure Simple Network Management Protocol(SNMP)</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=314&amp;tn=Secure Simple Network Management Protocol(SNMP)</link><description> ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=314&amp;tn=Secure Simple Network Management Protocol(SNMP)'>View More</a>]]></description></item><item><title>TTL-based Security Protections</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=313&amp;tn=TTL-based Security Protections</link><description>Known as both the Generalized TTL-based Security Mechanism (GTSM) and BGP TTL Security Hack (BTSH), a TTL-based security protection leverages the TTL value of IP packets to ensure that the BGP packets that are received are from a directly connecte ... 
&amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=313&amp;tn=TTL-based Security Protections'>View More</a>]]></description></item><item><title>Hardware Rate Limiters</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=312&amp;tn=Hardware Rate Limiters</link><description>Hardware rate limiters are referred to as special-case rate limiters because they cover a specific predefined set of IPv4, IPv6, unicast, and multicast DoS scenarios. HWRLs can protect the Cisco IOS device from a variety of attacks that require pa ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=312&amp;tn=Hardware Rate Limiters'>View More</a>]]></description></item><item><title>Control Plane Protection</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=311&amp;tn=Control Plane Protection</link><description>Control Plane Protection (CPPr) can be used in order to restrict or police control plane traffic that is destined to the CPU of the Cisco IOS device. While similar to CoPP, CPPr has the ability to restrict traffic with finer granularity. CPPr divi ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=311&amp;tn=Control Plane Protection'>View More</a>]]></description></item><item><title>Control Plane Policing</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=310&amp;tn=Control Plane Policing</link><description>The Control Plane Policing (CoPP) feature can also be used in order to restrict IP packets that are destined to the infrastructure device. For example, with this feature enabled, only SSH traffic from trusted hosts is permitted to reach the Cisco IOS d ... 
&amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=310&amp;tn=Control Plane Policing'>View More</a>]]></description></item><item><title>Configure Receive ACLs(rACL)</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=309&amp;tn=Configure Receive ACLs(rACL)</link><description>The rACL protects the device from harmful traffic before the traffic impacts the route processor. Receive ACLs are designed to protect only the device on which they are configured; transit traffic is not affected by an rACL. As a result, the desti ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=309&amp;tn=Configure Receive ACLs(rACL)'>View More</a>]]></description></item><item><title>Configure trusted time source for network time protocol</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=308&amp;tn=Configure trusted time source for network time protocol</link><description>The Network Time Protocol (NTP) is not an especially dangerous service, but any unneeded service can represent an attack vector. If NTP is used, it is important to explicitly configure a trusted time source and to use proper authentication. Accura ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=308&amp;tn=Configure trusted time source for network time protocol'>View More</a>]]></description></item><item><title>No Proxy ARP</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=307&amp;tn=No Proxy ARP</link><description>Proxy ARP is the technique in which one device, usually a router, answers ARP requests that are intended for another device. By &amp;quot;faking&amp;quot; its identity, the router accepts responsibility for routing packets to the real destination. Proxy ARP can hel ... 
&amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=307&amp;tn=No Proxy ARP'>View More</a>]]></description></item><item><title>Limit ICMP Unreachables</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=306&amp;tn=Limit ICMP Unreachables</link><description>Filtering with an interface access list elicits the transmission of ICMP unreachable messages back to the source of the filtered traffic. Generating these messages can increase CPU utilization on the device. In Cisco IOS software, ICMP unreachable ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=306&amp;tn=Limit ICMP Unreachables'>View More</a>]]></description></item><item><title>No IP ICMP Redirects</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=305&amp;tn=No IP ICMP Redirects</link><description>An ICMP redirect message can be generated by a router when a packet is received and transmitted on the same interface. In this situation, the router forwards the packet and sends an ICMP redirect message back to the sender of the original packet.  ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=305&amp;tn=No IP ICMP Redirects'>View More</a>]]></description></item><item><title>Configuration Change Notification and Logging </title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=304&amp;tn=Configuration Change Notification and Logging </link><description>The Configuration Change Notification and Logging feature, added in Cisco IOS Software Release 12.3(4)T, makes it possible to log the configuration changes made to a Cisco IOS device. The log is maintained on the Cisco IOS device and contains the  ... 
&amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=304&amp;tn=Configuration Change Notification and Logging '>View More</a>]]></description></item><item><title>Cisco IOS Software Resilient Configuration</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=303&amp;tn=Cisco IOS Software Resilient Configuration</link><description>The Resilient Configuration feature makes it possible to securely store a copy of the Cisco IOS software image and device configuration that is currently being used by a Cisco IOS device. When this feature is enabled, it is not possible to alter o ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=303&amp;tn=Cisco IOS Software Resilient Configuration'>View More</a>]]></description></item><item><title>Enable exclusive configuration change access mode</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=302&amp;tn=Enable exclusive configuration change access mode</link><description>The Exclusive Configuration Change Access feature ensures that only one administrator makes configuration changes to a Cisco IOS device at a given time. This feature helps eliminate the undesirable impact of simultaneous changes made to related co ... 
&amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=302&amp;tn=Enable exclusive configuration change access mode'>View More</a>]]></description></item><item><title>Do not include router information in warning banners</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=300&amp;tn=Do not include router information in warning banners</link><description>In some legal jurisdictions it can be impossible to prosecute and illegal to monitor malicious users unless they have been notified that they are not permitted to use the system. One method to provide this notification is to place this information ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=300&amp;tn=Do not include router information in warning banners'>View More</a>]]></description></item><item><title>Control transport for vty and tty Lines</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=299&amp;tn=Control transport for vty and tty Lines</link><description>In an effort to prevent information disclosure or unauthorized access to the data that is transmitted between the administrator and the device, transport input ssh should be used instead of clear-text protocols, such as Telnet and rlogin. The tran ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=299&amp;tn=Control transport for vty and tty Lines'>View More</a>]]></description></item><item><title>Use authentication to control vty and tty lines</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=298&amp;tn=Use authentication to control vty and tty lines</link><description>The simplest form of access control to a vty or tty of a device is through the use of authentication on all lines regardless of the device location within the network. 
This is critical for vty lines because they are accessible via the network. A t ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=298&amp;tn=Use authentication to control vty and tty lines'>View More</a>]]></description></item><item><title>Secure console port access</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=297&amp;tn=Secure console port access</link><description>Any method used in order to access the console port of a device must be secured in a manner that is equal to the security that is enforced for privileged access to a device. Methods used in order to secure access must include the use of AAA, exec- ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=297&amp;tn=Secure console port access'>View More</a>]]></description></item><item><title>Encrypt management Sessions</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=296&amp;tn=Encrypt management Sessions</link><description>Because information can be disclosed during an interactive management session, this traffic must be encrypted so that a malicious user cannot gain access to the data being transmitted. Encrypting the traffic allows a secure remote access connectio ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=296&amp;tn=Encrypt management Sessions'>View More</a>]]></description></item><item><title>Enable Control Plane Protection(CPPr)</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=295&amp;tn=Enable Control Plane Protection(CPPr)</link><description>Control Plane Protection (CPPr) builds on the functionality of Control Plane Policing in order to restrict and police control plane traffic that is destined to the route processor of the IOS device. 
CPPr, added in Cisco IOS Software Release 12.4(4 ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=295&amp;tn=Enable Control Plane Protection(CPPr)'>View More</a>]]></description></item><item><title>Enable Management Plane Protection(MPP)</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=294&amp;tn=Enable Management Plane Protection(MPP)</link><description>The Management Plane Protection (MPP) feature allows an administrator to restrict the interfaces on which a device accepts management traffic. This gives the administrator additional control over a device and how the device is accessed. ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=294&amp;tn=Enable Management Plane Protection(MPP)'>View More</a>]]></description></item><item><title>ACL Support for Filtering on TTL Value</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=293&amp;tn=ACL Support for Filtering on TTL Value</link><description>Enable ACL support for filtering IP packets based on the Time to Live (TTL) value. The TTL value of an IP datagram is decremented by each network device as a packet flows from source to destination. Although initial values vary by operating system ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=293&amp;tn=ACL Support for Filtering on TTL Value'>View More</a>]]></description></item><item><title>ACL Support for Filtering IP Options</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=292&amp;tn=ACL Support for Filtering IP Options</link><description>ACLs can be used to filter IP packets based on the IP options that are contained in the packet. 
IP options present a security challenge for network devices because these options must be processed as exception packets. This requires a level of CPU effor ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=292&amp;tn=ACL Support for Filtering IP Options'>View More</a>]]></description></item><item><title>Filter IP Fragments</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=291&amp;tn=Filter IP Fragments</link><description>The filtering of fragmented IP packets can pose a challenge to security devices. This is because the Layer 4 information that is used in order to filter TCP and UDP packets is only present in the initial fragment. Cisco IOS software uses a specifi ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=291&amp;tn=Filter IP Fragments'>View More</a>]]></description></item><item><title>ICMP Packet Filtering</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=290&amp;tn=ICMP Packet Filtering</link><description>The Internet Control Message Protocol (ICMP) is designed as an IP control protocol. As such, the messages it conveys can have far-reaching ramifications to the TCP and IP protocols in general. While the network troubleshooting tools ping and trace ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=290&amp;tn=ICMP Packet Filtering'>View More</a>]]></description></item><item><title>Configure Infrastructure ACLs(iACL)</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=289&amp;tn=Configure Infrastructure ACLs(iACL)</link><description>Infrastructure access control lists (iACLs) are one of the most critical security controls that can be implemented in networks. 
Infrastructure ACLs leverage the idea that nearly all network traffic traverses the network and is not destined to the  ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=289&amp;tn=Configure Infrastructure ACLs(iACL)'>View More</a>]]></description></item><item><title>Enhanced Crashinfo File Collection</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=288&amp;tn=Enhanced Crashinfo File Collection</link><description>The Enhanced Crashinfo File Collection feature automatically deletes old crashinfo files. This feature allows a device to reclaim space to create new crashinfo files when the device crashes. This feature also allows configuration of the number of ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=288&amp;tn=Enhanced Crashinfo File Collection'>View More</a>]]></description></item><item><title>Detect and Correct Redzone Corruption</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=287&amp;tn=Detect and Correct Redzone Corruption</link><description>The Buffer Overflow: Detection and Correction of Redzone Corruption feature can be enabled on a device in order to detect and correct a memory block overflow and to continue operations. These global configuration commands can be used in order to ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=287&amp;tn=Detect and Correct Redzone Corruption'>View More</a>]]></description></item><item><title>Memory Leak Detector</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=286&amp;tn=Memory Leak Detector</link><description>The Memory Leak Detector feature allows you to detect memory leaks on a device. Memory Leak Detector is able to find leaks in all memory pools, packet buffers, and chunks. 
Memory leaks are static or dynamic allocations of memory that do not serve  ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=286&amp;tn=Memory Leak Detector'>View More</a>]]></description></item><item><title>Reserve Memory for Console Access</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=285&amp;tn=Reserve Memory for Console Access</link><description>The Reserve Memory for Console Access feature can be used in order to reserve enough memory to ensure console access to a Cisco IOS device for administrative and troubleshooting purposes. This feature is especially beneficial when the device runs  ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=285&amp;tn=Reserve Memory for Console Access'>View More</a>]]></description></item><item><title>CPU Thresholding Notification</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=284&amp;tn=CPU Thresholding Notification</link><description>Introduced in Cisco IOS Software Release 12.3(4)T, the CPU Thresholding Notification feature allows you to detect and be notified when the CPU load on a device crosses a configured threshold. When the threshold is crossed, the device generates and ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=284&amp;tn=CPU Thresholding Notification'>View More</a>]]></description></item><item><title>Memory Threshold Notifications</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=283&amp;tn=Memory Threshold Notifications</link><description>The feature Memory Threshold Notification, added in Cisco IOS Software Release 12.3(4)T, allows you to mitigate low-memory conditions on a device. 
This feature uses two methods to accomplish this: Memory Threshold Notification and Memory Reservati ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=283&amp;tn=Memory Threshold Notifications'>View More</a>]]></description></item><item><title>Loopback Management Interfaces</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=282&amp;tn=Loopback Management Interfaces</link><description>The management plane of a device is accessed in-band or out-of-band on a physical or logical management interface. Ideally, both in-band and out-of-band management access exists for each network device so that the management plane can be accessed  ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=282&amp;tn=Loopback Management Interfaces'>View More</a>]]></description></item><item><title>Keepalives for TCP Sessions</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=281&amp;tn=Keepalives for TCP Sessions</link><description>The service tcp-keepalive-in and service tcp-keepalive-out global configuration commands enable a device to send TCP keepalives for TCP sessions. This configuration must be used in order to enable TCP keepalives on inbound connections to the devic ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=281&amp;tn=Keepalives for TCP Sessions'>View More</a>]]></description></item><item><title>Set EXEC timeout interval</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=280&amp;tn=Set EXEC timeout interval</link><description>In order to set the interval that the EXEC command interpreter waits for user input before it terminates a session, issue the exec-timeout line configuration command. 
The exec-timeout command must be used in order to log out sessions on vty or tty  ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=280&amp;tn=Set EXEC timeout interval'>View More</a>]]></description></item><item><title>Disable Unused Services</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=279&amp;tn=Disable Unused Services</link><description>Any unnecessary service must be disabled. These unneeded services, especially those that use UDP (User Datagram Protocol), are infrequently used for legitimate purposes, but can be used in order to launch DoS and other attacks that are otherwise p ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=279&amp;tn=Disable Unused Services'>View More</a>]]></description></item><item><title>Secure and archive configuration settings</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=277&amp;tn=Secure and archive configuration settings</link><description>Configuration management is a process by which configuration changes are proposed, reviewed, approved, and deployed. Within the context of a Cisco IOS device configuration, two additional aspects of configuration management are critical: configura ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=277&amp;tn=Secure and archive configuration settings'>View More</a>]]></description></item><item><title>Enable traffic monitoring using NetFlow</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=276&amp;tn=Enable traffic monitoring using NetFlow</link><description>NetFlow monitors traffic flows in the network. Originally intended to export traffic information to network management applications, NetFlow can also be used in order to show flow information on a router. 
This capability allows you to see what traffic ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=276&amp;tn=Enable traffic monitoring using NetFlow'>View More</a>]]></description></item><item><title>Use Secure Protocols</title><link>http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=275&amp;tn=Use Secure Protocols</link><description>Many protocols are used in order to carry sensitive network management data. Use secure protocols whenever possible. A secure protocol choice includes the use of SSH instead of Telnet so that both authentication data and management information are ... &amp;nbsp;<![CDATA[<a href='http://www.checklist20.com/bestpractices.html#cid=164&amp;cn=Cisco Routers&amp;tid=275&amp;tn=Use Secure Protocols'>View More</a>]]></description></item></channel></rss>
