Gold Standard Benchmark for Cisco IOS, Level 1 and 2 Benchmarks
| Name | Gold Standard Benchmark for Cisco IOS, Level 1 and 2 Benchmarks |
| Version | Version 2. |
| Status | Final |
| Creation Date | 2002-02-08 |
| Revision Date | 2003-09-02 |
| Product Category | Network Routers |
| Vendor | Cisco Systems |
| Product | Cisco IOS |
| Product Version | Cisco IOS version 11 and later |
| Product Role | Router |
| Checklist Summary | This document defines a set of benchmarks or standards for securing Cisco IOS routers. The benchmark is an industry consensus of current best practices. It lists actions to be taken as well as reasons for those actions. It is intended to provide step-by-step guidance to front line system and network administrators. It may be used manually by itself or in conjunction with automated scoring tools. It contains Level-I and Level-II benchmark settings/actions. Level-I benchmarks specify the prudent level of minimum due care, and are unlikely to cause an interruption of service to the operating system or the applications that run on it. Level-II benchmarks provide prudent security beyond the minimum level, and are of the greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the operating systems and applications running in their particular environments. |
| Known Issues | Sections 3.2 and 4.2 contain warnings and explanations of the possible effects of particular settings. Readers should study this information, as well as completing the Audit Checklist in section 2, before implementing any of the actions in sections 3.1 and 4.1. Many security actions can disable or otherwise interfere with the function or performance of software on your system, particularly applications. Note also that many of the actions in sections 3.1 and 4.1 are conditional. They only apply in certain situations. |
| Target Audience |
This benchmark assumes that the person applying the recommendations:
o May or may not be an IOS/network expert.
o Is able to log in to the router and enable.
o Is able to enter basic IOS commands.
o Understands the business critical functions of the routers being secured.
o Understands local policies.
o Is capable of evaluating the potential impact of recommended changes on both function and policy.
|
| Target Operational Environment | Enterprise |
| Checklist Installation Tools | Not Available. |
| Rollback Capability | Not Available. |
| Testing Information | Not Available. |
| NIAP/CMVP Status | |
| Regulatory Compliance | |
| Comments, Warnings, Disclaimer, Miscellaneous | Refer to Known Issues. |
| Disclaimer | Proper use of the recommendations requires careful analysis and adaptation to specific user requirements. The recommendations are not in any way intended to be a "quick fix" for anyone's information security needs. CIS makes no representations, warranties or covenants whatsoever as to (i) the positive or negative effect of the products or the recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness or completeness of any product or recommendation. CIS is providing the products and the recommendations "as is" and "as available" without representations, warranties or covenants of any kind. |
| Product Support | |
| Submitting Organization/Authors | The Center for Internet Security (CIS) |
| Point of Contact | rat-feedback@cisecurity.org |
| Sponsor | |
| Licensing |
Commercial use license
EDUCAUSE Member license
US Federal, state and local government agency license
|
| Checklist Homepage | http://www.cisecurity.org/ |
| Download Package | http://www.cisecurity.org/sub_form.html |
| Integrity |
sha1 (cisco-ios-router-benchmark.pdf) = 7d1a2984be8a8be02d5ee32449edc895403fef6f
sha256 (cisco-ios-router-benchmark.pdf) = 314f948d6197fa9e2261623e974f035453ee6e1863ee29823efd462875f9cef0
|
| Change History |
Version 2.1: 2003-09-02
Version 2.0: 2003-05-03
Version 1.0: 2002-02-08
|
| Dependency/Requirement | |
| References |
National Security Agency, NSA Router Security Configuration Guide, 2002. http://www.nsa.gov/snac/cisco/download.htm
Thomas Akin, Hardening Cisco Routers, O'Reilly and Associates, 2002. http://www.oreilly.com/catalog/hardcisco/
Cisco Systems, Improving Security on Cisco Routers, Cisco Systems, 2002. http://www.cisco.com/warp/public/707/21.html
George M. Jones et al., The Router Audit Tool and Benchmark, Center for Internet Security, 2002. http://www.cisecurity.org/
John Stewart and Joshua Wright, Securing Cisco Routers Step-by-Step, The SANS Institute, 2002. http://www.sans.org/
Rob Thomas, Guides to Securing IOS, JunOS, BGP, DoS tracking, etc., 2002. http://www.cymru.com/robt/Docs/Articles/
Elizabeth D. Zwicky, Simon Cooper and D. Brent Chapman, Building Internet Firewalls, O'Reilly and Associates, 2000. http://www.ora.com/catalog/fire2/
|
| NIST Identifier | 1044 |
NIST and the checklist submitter do not guarantee or warrant the checklist's
accuracy or completeness. NIST is not responsible for loss, damage, or
problems that may be caused by using the checklist.