Router Security Configuration Guide

| Field | Value |
|---|---|
| Name | Router Security Configuration Guide |
| Version | v1.1b |
| Status | Final |
| Creation Date | 2000-09 |
| Revision Date | 2003-12-05 |
| Product Category | Network Router |
| Vendor | Cisco Systems |
| Product | Cisco Internetwork Operating System v11.3 through 12.3 |
| Product Version | v11.3 through 12.3 |
| Product Role | Border and gateway router |
| Checklist Summary | This guide provides technical guidance intended to help network administrators and security officers improve the security of their networks. Using the information presented here, administrators can configure their routers to control access, resist attacks, shield other network components, and protect the integrity and confidentiality of network traffic. The guide gives an in-depth view of securing Cisco-based routers. After security has been implemented on the routers themselves, a section of the guide explains how to test and validate the security measures. The guide is broken into three main sections: 1) a high-level view of router security, 2) detailed instructions for locking down a router, and 3) detailed advice and direction for improving the security posture of a network. It was developed in response to numerous questions and requests for assistance received by the NSA Systems and Network Attack Center (SNAC). The topics covered were selected on the basis of customer interest, community consensus, and the SNAC's background in securing networks. The goal of the guide is a simple one: improve the security provided by routers in U.S. Government operational networks. |
| Known Issues | Do not attempt to implement any of the settings in this guide without first testing in a non-operational environment. This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Care must be taken when implementing the security steps specified in this guide. Ensure that all security steps and procedures chosen from this guide are thoroughly tested and reviewed prior to applying them to an operational network. |
| Target Audience | Network administrators and network security officers are the primary audience for this configuration guide; throughout the text the familiar pronoun "you" is used for guidance directed specifically to them. Most network administrators are responsible for managing the connections within their networks, and between their network and various other networks. Network security officers are usually responsible for selecting and deploying the assurance measures applied to their networks. For this audience, this guide provides security goals and guidance, along with specific examples of configuring Cisco routers to meet those goals. |
| | Firewall administrators are another intended audience for this guide. Often, firewalls are employed in conjunction with filtering routers; the overall perimeter security of an enclave benefits when the configurations of the firewall and router are complementary. While this guide does not discuss general firewall topics in any depth, it does provide information that firewall administrators need to configure their routers to actively support their perimeter security policies. Section 5 includes information on using the firewall features of the Cisco Integrated Security facility. |
| | Information System Security Engineers (ISSEs) may also find this guide useful. Using it, an ISSE can gain greater familiarity with security services that routers can provide, and use that knowledge to incorporate routers more effectively into the secure network configurations that they design. |
| | Sections 4, 5, and 6 of this guide are designed for use with routers made by Cisco Systems and running Cisco's IOS software. The descriptions and examples in those sections were written with the assumption that the reader is familiar with basic Cisco router operations and command syntax. |
| Target Operational Environment | Enterprise wide distribution. |
| Checklist Installation Tools | |
| Rollback Capability | Not Available. |
| Testing Information | The security configuration guide has been extensively tested in a lab and operational environment. |
| NIAP/CMVP Status | |
| Regulatory Compliance | |
| Comments, Warnings, Disclaimer, Miscellaneous | This document is only a guide to recommended security settings for Internet Protocol (IP) routers, particularly routers running Cisco Systems Internetwork Operating System (IOS) versions 11.3 through 12.3. |
| Disclaimer | Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. Security configuration guides are provided for the Department of Defense and other government agencies requiring security configuration guidelines. The guides contain recommended security settings. They are not intended to replace well-structured policy or sound judgment. The guides do not address site-specific configuration issues. Care must be taken when implementing the guides to address local operational and policy concerns. All security changes described in the guides are applicable only to specifically identified operating systems or architecture components and should not be applied to any other operating system or architecture components. |
| Product Support | |
| Submitting Organization/Authors | National Security Agency |
| Point of Contact | SNAC.Guides@nsa.gov |
| Sponsor | |
| Licensing | Refer to the legal statement provided at: http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/routers/cisco_scg-1.1b.pdf |
| Checklist Homepage | http://www.nsa.gov/ia/ |
| Download Package | cisco_scg-1.1b.pdf |
| Integrity | SHA1 (cisco_scg-1.1b.pdf) = a60997b01a7e22ee1900a9d2ba8c750fde2f866d |
| | SHA256 (cisco_scg-1.1b.pdf) = 7fef495aac0188e958c144645eb7a8da853e8923e2e348783e3b41e6bffdcf4f |
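The Integrity row publishes two digests for the download package. The check a practitioner should actually run is the SHA-256 comparison; SHA-1 is no longer collision-resistant, so a matching SHA-1 is only corroborating evidence and a mismatching SHA-256 is disqualifying regardless of what SHA-1 says. The script below is an added example, not part of the NIST record or of the NSA guide. It assumes the PDF has been saved under its published name in the current directory and that one of `sha256sum`/`sha1sum`, `shasum`, or `openssl` is installed; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the NIST record or the NSA guide): verify a
# downloaded file against a published hex digest before trusting it.

# Print the hex digest of file $1 using algorithm $2 (sha256 or sha1),
# with whichever hashing tool is available on this host.
digest_of() {
    file=$1; alg=$2
    case $alg in
        sha256) bits=256 ;;
        sha1)   bits=1 ;;
        *) echo "unsupported algorithm: $alg" >&2; return 2 ;;
    esac
    if command -v "${alg}sum" >/dev/null 2>&1; then        # GNU coreutils
        "${alg}sum" "$file" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then           # BSD / macOS
        shasum -a "$bits" "$file" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then          # OpenSSL fallback
        openssl dgst -"$alg" "$file" | awk '{print $NF}'
    else
        echo "no hashing tool found" >&2
        return 2
    fi
}

# verify_digest <file> <sha256|sha1> <expected-hex>
# Returns 0 on match, 1 on mismatch, 2 if the digest could not be computed.
# The comparison is case-insensitive: published digests vary in letter case.
verify_digest() {
    file=$1; alg=$2; expected=$3
    actual=$(digest_of "$file" "$alg") || return 2
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK   $alg $file"
        return 0
    else
        echo "FAIL $alg $file: got $actual, expected $expected" >&2
        return 1
    fi
}

# Digests exactly as published in the Integrity row of the record above.
SCG_SHA256=7fef495aac0188e958c144645eb7a8da853e8923e2e348783e3b41e6bffdcf4f
SCG_SHA1=a60997b01a7e22ee1900a9d2ba8c750fde2f866d

# check_scg [path]: verify the guide PDF (assumed to be in the current
# directory under its published name). SHA-256 is authoritative; a SHA-1
# mismatch only produces a warning because SHA-1 is a weak corroborating check.
check_scg() {
    f=${1:-cisco_scg-1.1b.pdf}
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    verify_digest "$f" sha256 "$SCG_SHA256" || return 1
    verify_digest "$f" sha1 "$SCG_SHA1" \
        || echo "warning: SHA-1 mismatch on $f (corroborating check only)" >&2
    return 0
}
```

Run `check_scg` after downloading the package; a non-zero exit means the SHA-256 did not match and the file should not be used.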
| Change History | v1.0, 2000-09 |
| | v1.0b, 2000-10 |
| | v1.0f, 2001-03 |
| | v1.0g, 2001-04 |
| | v1.0h, 2001-08 |
| | v1.0j, 2001-11 |
| | v1.0k, 2002-03 |
| | v1.1, 2002-09 |
| | v1.1b, 2003-12-05 |
| Dependency/Requirement | |
| References | CERT (http://www.cert.org/). The Carnegie Mellon University Computer Emergency Response Team (CERT) maintains a web site about network vulnerabilities. Many of the incident reports, advisories, and tips are relevant to router security. |
| | Cisco Documentation (http://www.cisco.com/univercd/home/home.htm). This is the root of the Cisco documentation tree. From this page, you can find IOS software documentation, tutorials, case studies, and more. |
| | Cisco Press (http://www.ciscopress.com/). At the web site of Cisco's publishing arm, you can order a wide variety of books about Cisco routers and related networking technologies. |
| | Cisco Security Technical Tips (http://www.cisco.com/warp/public/707/). This page is the root of Cisco's security area. From here, you can find Cisco security advisories, information about security technologies, and more. |
| | IETF (http://www.ietf.org/, http://www.rfc-editor.org/). The IETF is the standards body that defines and maintains the protocol standards for the Internet. Use these sites to look up protocol standards and track emerging technologies that are becoming standards. |
| | Microsoft (http://www.microsoft.com/, http://support.microsoft.com/support/). Microsoft's site offers extensive information about networking their products, and about product vulnerabilities. This information can often be helpful in configuring routers that protect Microsoft-based networks. |
| NIST Identifier | 1010 |

NIST and the checklist submitter do not guarantee or warrant the checklist's accuracy or completeness. NIST is not responsible for loss, damage, or problems that may be caused by using the checklist.