Cisco IOS XE Router NDM Security Technical Implementation Guide

  • Version/Release: V1R3
  • Published: 2021-09-22

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
The Cisco router must be configured to automatically audit account creation.
RMF Control
AC-2
Severity
Medium
CCI
CCI-000018
Version
CISC-ND-000090
Vuln IDs
V-215808
Rule IDs
SV-215808r531083_rule
Upon gaining access to a network device, an attacker will often first attempt to create a persistent method of reestablishing access. One way to accomplish this is to create a new account. Notification of account creation helps to mitigate this risk. Auditing account creation provides the necessary reconciliation that account management procedures are being followed. Without this audit trail, personnel without the proper authorization may gain access to critical network nodes.
Fix: F-17045r287464_fix

Configure the router to log account creation using the following commands:

R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#end

The Cisco router must be configured to automatically audit account modification.
RMF Control
AC-2
Severity
Medium
CCI
CCI-001403
Version
CISC-ND-000100
Vuln IDs
V-215809
Rule IDs
SV-215809r531083_rule
Since the accounts in the network device are privileged or system-level accounts, account management is vital to the security of the network device. Account management by a designated authority ensures access to the network device is being controlled in a secure manner by granting access to only authorized personnel with the appropriate and necessary privileges. Auditing account modification along with an automatic notification to appropriate individuals will provide the necessary reconciliation that account management procedures are being followed. If modifications to management accounts are not audited, reconciliation of account management procedures cannot be tracked.
Fix: F-17046r287467_fix

Configure the router to log account modification using the following commands:

R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#end

The Cisco router must be configured to automatically audit account disabling actions.
RMF Control
AC-2
Severity
Medium
CCI
CCI-001404
Version
CISC-ND-000110
Vuln IDs
V-215810
Rule IDs
SV-215810r531083_rule
Account management, as a whole, ensures access to the network device is being controlled in a secure manner by granting access to only authorized personnel. Auditing account disabling actions will support account management procedures. When device management accounts are disabled, user or service accessibility may be affected. Auditing also ensures authorized active accounts remain enabled and available for use when required.
Fix: F-17047r287470_fix

Configure the router to log account disabling using the following commands:

R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#end

The Cisco router must be configured to automatically audit account removal actions.
RMF Control
AC-2
Severity
Medium
CCI
CCI-001405
Version
CISC-ND-000120
Vuln IDs
V-215811
Rule IDs
SV-215811r531083_rule
Account management, as a whole, ensures access to the network device is being controlled in a secure manner by granting access to only authorized personnel. Auditing account removal actions will support account management procedures. When device management accounts are terminated, user or service accessibility may be affected. Auditing also ensures authorized active accounts remain enabled and available for use when required.
Fix: F-17048r287473_fix

Configure the router to log account removal using the following commands:

R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#end

The Cisco router must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must lock out the user account from accessing the device for 15 minutes.
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
CISC-ND-000150
Vuln IDs
V-215813
Rule IDs
SV-215813r531083_rule
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.
Fix: F-17050r287479_fix

Configure the Cisco router to enforce the limit of three consecutive invalid logon attempts as shown in the example below.

R2(config)#login block-for 900 attempts 3 within 120

This counts failed attempts over a 120-second window and, once three have been seen, refuses logins for 900 seconds (15 minutes). Note that login block-for places the device in a quiet mode that applies to all login attempts, not only to the account whose password was being guessed; any management source that must retain access during quiet mode has to be permitted explicitly with a login quiet-mode access-class.

The Cisco router must be configured to protect against an individual falsely denying having performed organization-defined actions to be covered by non-repudiation.
RMF Control
AU-10
Severity
Medium
CCI
CCI-000166
Version
CISC-ND-000210
Vuln IDs
V-215815
Rule IDs
SV-215815r531083_rule
This requirement supports non-repudiation of actions taken by an administrator and is required in order to maintain the integrity of the configuration management process. All configuration changes to the network device are logged, and administrators authenticate with two-factor authentication before gaining administrative access. Together, these processes will ensure the administrators can be held accountable for the configuration changes they implement. To meet this requirement, the network device must log administrator access and activity.
Fix: F-17052r287485_fix

Configure the router to log administrator activity as shown in the example below.

R1(config)#logging userinfo
R1(config)#archive
R1(config-archive)#log config
R1(config-archive-log-cfg)#logging enable
R1(config-archive-log-cfg)#end

The Cisco router must be configured to generate audit records when successful/unsuccessful attempts to log on with access privileges occur.
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
CISC-ND-000250
Vuln IDs
V-215816
Rule IDs
SV-215816r531083_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Fix: F-17053r287488_fix

Configure the Cisco router to log all logon attempts as shown in the example below.

R1(config)#login on-failure log
R1(config)#login on-success log
R1(config)#end

The Cisco router must produce audit records containing information to establish when (date and time) the events occurred.
RMF Control
AU-3
Severity
Medium
CCI
CCI-000131
Version
CISC-ND-000280
Vuln IDs
V-215817
Rule IDs
SV-215817r531083_rule
It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom it was done in order to compile an accurate risk assessment. Logging the date and time of each detected event provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured network device. In order to establish and correlate the series of events leading up to an outage or attack, it is imperative the date and time are recorded in all log records.
Fix: F-17054r287491_fix

Configure the router to include the date and time on all log records as shown in the example below.

R1(config)#service timestamps log datetime localtime

The Cisco router must be configured to generate audit records containing the full-text recording of privileged commands.
RMF Control
AU-3
Severity
Medium
CCI
CCI-000135
Version
CISC-ND-000330
Vuln IDs
V-215819
Rule IDs
SV-215819r531083_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. The additional information required is dependent on the type of information (i.e., sensitivity of the data and the environment within which it resides). At a minimum, the organization must audit full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
Fix: F-17056r287497_fix

Configure the Cisco router to log all configuration changes as shown in the example below.

R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#end

The Cisco router must be configured to protect audit information from unauthorized modification.
RMF Control
AU-9
Severity
Medium
CCI
CCI-000163
Version
CISC-ND-000380
Vuln IDs
V-215820
Rule IDs
SV-215820r531083_rule
Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit network device activity. If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the network device must protect audit information from unauthorized modification. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions and limiting log data locations. Network devices providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights that the user enjoys in order to make access decisions regarding the modification of audit data.
Fix: F-17057r287500_fix

If persistent logging is enabled, configure the router to only allow administrators with privilege level "15" access to the file system as shown in the example below.

R4(config)#file privilege 15

The Cisco router must be configured to protect audit information from unauthorized deletion.
RMF Control
AU-9
Severity
Medium
CCI
CCI-000164
Version
CISC-ND-000390
Vuln IDs
V-215821
Rule IDs
SV-215821r531083_rule
Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the network device must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include: ensuring log files receive the proper file system permissions utilizing file system protections, restricting access, and backing up log data to ensure log data is retained. Network devices providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights the user enjoys in order to make access decisions regarding the deletion of audit data.
Fix: F-17058r287503_fix

If persistent logging is enabled, configure the router to only allow administrators with privilege level "15" access to the file system as shown in the example below.

R4(config)#file privilege 15

The Cisco router must be configured to limit privileges to change the software resident within software libraries.
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
CISC-ND-000460
Vuln IDs
V-215822
Rule IDs
SV-215822r531083_rule
Changes to any software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network device for implementing any changes or upgrades. If the network device were to enable non-authorized users to make changes to software libraries, those changes could be implemented without undergoing testing, validation, and approval.
Fix: F-17059r287506_fix

Configure the router to only allow administrators with privilege level "15" access to the file system as shown in the example below.

R4(config)#file privilege 15

The Cisco router must be configured to prohibit the use of all unnecessary and nonsecure functions and services.
RMF Control
CM-7
Severity
High
CCI
CCI-000382
Version
CISC-ND-000470
Vuln IDs
V-215823
Rule IDs
SV-215823r531083_rule
Network devices are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the network device must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved. Some network devices have capabilities enabled by default; if these capabilities are not necessary, they must be disabled. If a particular capability is used, then it must be documented and approved.
Fix: F-17060r287509_fix

Disable the following services if enabled as shown in the example below.

R2(config)#no boot network
R2(config)#no ip boot server
R2(config)#no ip bootp server
R2(config)#no ip dns server
R2(config)#no ip identd
R2(config)#no ip finger
R2(config)#no ip http server
R2(config)#no ip rcmd rcp-enable
R2(config)#no ip rcmd rsh-enable
R2(config)#no service config
R2(config)#no service finger
R2(config)#no service tcp-small-servers
R2(config)#no service udp-small-servers
R2(config)#no service pad
R2(config)#end

The Cisco router must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts.
RMF Control
IA-2
Severity
Medium
CCI
CCI-001941
Version
CISC-ND-000530
Vuln IDs
V-215825
Rule IDs
SV-215825r802424_rule
A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS-Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.
Fix: F-17062r802423_fix

Configure SSH version 2 and restrict the negotiable algorithms as shown in the example below. SSH version 2 resists replay through per-session keys and sequence-numbered message authentication codes; limiting the algorithm lists keeps the negotiation to approved choices.

R1(config)#ip ssh version 2
R1(config)#ip ssh server algorithm encryption aes256-cbc aes256-ctr

Note: The commands above select the encryption algorithms; the FIPS 140-2 HMAC list is set separately with the algorithm mac form of the same command, shown under CISC-ND-001200 below. aes256-cbc is retained here for client compatibility, while the confidentiality requirement CISC-ND-001210 lists only the CTR modes, which are preferable where clients support them. An SSH configuration enables the server and client to negotiate only the algorithms on the configured list. If a client tries to negotiate an algorithm that is not on the list, the request is rejected and the session is not established.

The Cisco router must only store cryptographic representations of passwords.
RMF Control
IA-5
Severity
High
CCI
CCI-000196
Version
CISC-ND-000620
Vuln IDs
V-215832
Rule IDs
SV-215832r531083_rule
Passwords must be protected at all times, and storing only a cryptographic representation is the standard method of protecting them. If passwords are stored in clear text, they can be read directly and easily compromised. Network devices must therefore store cryptographic representations of passwords in databases, configuration files, and log files. A strong one-way hash with a salt provides a means to validate a password without storing the password itself; performance and access time are factors to consider, and a one-way hash is the most feasible way to secure the stored value while providing an acceptable measure of password security. In many instances, verifying that a user knows a password is performed with a password verifier: in its simplest form, a function that hashes the value supplied by the user and determines whether the result matches the stored hash.
Fix: F-17069r287536_fix

Configure the router to encrypt all passwords.

R4(config)#service password-encryption
R4(config)#end

Note: service password-encryption applies Cisco's Type 7 encoding to passwords that would otherwise appear in clear text in the configuration. Type 7 is reversible obfuscation, not a one-way hash, so it satisfies the letter of this fix but not the intent of the requirement. Local accounts and the enable password should be defined with the secret keyword, which stores a salted one-way hash; the Type 7 encoding then remains only as a backstop for credentials the platform must be able to recover in clear text, such as routing protocol authentication keys.
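
The distinction the note above draws, as an added Python example that is not part of the STIG: it classifies the password lines of a running-config by Cisco password type (0 clear text, 7 reversible encoding, 5 MD5-crypt, 8 PBKDF2-SHA256, 9 scrypt) and decodes the Type 7 values to show that anyone who can read the configuration recovers them. The configuration excerpt is constructed and its type 9 hashes are placeholders; the Type 7 key constant is the well-known value used by IOS and is not a secret.

```python
import re

# The constant Cisco uses for Type 7 encoding (publicly known; not a secret).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded):
    """Reverse Cisco Type 7 encoding: a two-digit decimal seed followed by hex
    bytes, each XORed with the key byte at position (seed + i) mod len(key).
    Because the key is constant, this is obfuscation rather than hashing."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(data)).decode("ascii")


# Constructed running-config excerpt; the $9$ values are placeholders, not real hashes.
SAMPLE_CONFIG = """\
service password-encryption
!
enable password 7 094F471A1A0A
enable secret 9 $9$constructedsalt$constructedhashvalue
!
username netops privilege 15 secret 9 $9$constructedsalt$constructedhashvalue
username legacy password 7 0832494D1B1C11
username svc-backup password 0 backup123
"""

# Matches 'username ... password|secret <type> <value>', 'enable password|secret ...'
# and an indented 'password <type> <value>' under a line section.
PASSWORD_RE = re.compile(
    r"^\s*(?P<head>.*?)\b(?P<kw>password|secret)\s+(?P<type>\d+)\s+(?P<value>\S+)\s*$")

# password type -> (description, counts as a cryptographic representation)
TYPE_INFO = {
    "0": ("clear text", False),
    "7": ("Type 7 reversible encoding", False),
    "5": ("MD5-crypt one-way hash (legacy; prefer type 8 or 9)", True),
    "8": ("PBKDF2-SHA256 one-way hash", True),
    "9": ("scrypt one-way hash", True),
}


def audit_passwords(config_text):
    """One finding per stored credential, with the Type 7 ones recovered."""
    findings = []
    for line in config_text.splitlines():
        m = PASSWORD_RE.match(line)
        if not m:
            continue
        ptype = m.group("type")
        note, compliant = TYPE_INFO.get(ptype, ("unknown password type", False))
        head = m.group("head").split()
        # 'username <name> ...' -> the account; 'enable ...' -> enable; bare -> line password
        subject = head[1] if head and head[0] == "username" else (head[0] if head else "line")
        finding = {"subject": subject, "keyword": m.group("kw"), "type": ptype,
                   "compliant": compliant, "note": note}
        if ptype == "7":
            finding["recovered"] = decode_type7(m.group("value"))
        findings.append(finding)
    return findings


def noncompliant_subjects(config_text):
    """Credentials that are not stored as a one-way hash."""
    return [f["subject"] for f in audit_passwords(config_text) if not f["compliant"]]


if __name__ == "__main__":
    for f in audit_passwords(SAMPLE_CONFIG):
        print(f)
```

On platforms that support them, type 8 and type 9 hashes are produced by the algorithm-type keyword of the enable secret and username secret commands; a configuration in which every credential line reports a compliant type, and in which service password-encryption remains only for keys the device must recover, is the state this requirement intends.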

The Cisco router must be configured to automatically audit account enabling actions.
RMF Control
AC-2
Severity
Medium
CCI
CCI-002130
Version
CISC-ND-000880
Vuln IDs
V-215834
Rule IDs
SV-215834r531083_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and Information System Security Officers (ISSO). Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.
Fix: F-17071r287542_fix

Configure the router to log account enabling using the following commands:

R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#end

The Cisco router must be configured to audit the execution of privileged functions.
RMF Control
AC-6
Severity
Medium
CCI
CCI-002234
Version
CISC-ND-000940
Vuln IDs
V-215835
Rule IDs
SV-215835r531083_rule
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.
Fix: F-17072r287545_fix

Configure the Cisco router to log all commands entered from the command line interface as well as log all configuration changes as shown in the following example:

R1(config)#logging userinfo
R1(config)#archive
R1(config-archive)#log config
R1(config-archive-log-cfg)#logging enable
R1(config-archive-log-cfg)#end

The Cisco router must be configured to synchronize its clock with the primary and secondary time sources using redundant authoritative time sources.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
CISC-ND-001030
Vuln IDs
V-215838
Rule IDs
SV-215838r531083_rule
The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891. DoD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DoD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.
Fix: F-17075r287554_fix

Configure the Cisco router to synchronize its clock with redundant authoritative time sources as shown in the example below.

R2(config)#ntp server x.x.x.x
R2(config)#ntp server y.y.y.y

The Cisco router must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.
RMF Control
AU-8
Severity
Medium
CCI
CCI-001889
Version
CISC-ND-001040
Vuln IDs
V-215839
Rule IDs
SV-215839r531083_rule
Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the application include date and time. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks.
Fix: F-17076r287557_fix

Configure the Cisco router to record time stamps that meet a granularity of one second as shown in the example below.

R2(config)#service timestamps log datetime localtime

The Cisco router must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.
RMF Control
MA-4
Severity
High
CCI
CCI-002890
Version
CISC-ND-001200
Vuln IDs
V-215844
Rule IDs
SV-215844r802427_rule
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Currently, HMAC is the only FIPS-approved algorithm for generating and verifying message/data authentication codes in accordance with FIPS 198-1. Products that are FIPS 140-2 validated will have an HMAC that meets specification; however, the option must be configured for use as the only message authentication code used for authentication to cryptographic modules.
Fix: F-17081r802426_fix

The Cisco router is not compliant with this requirement as written. However, the associated risk can be fully mitigated by configuring SSH and HTTPS to use FIPS-validated HMACs for remote maintenance sessions, as shown in the following examples:

SSH Example
R1(config)#ip ssh version 2
R1(config)#ip ssh server algorithm mac hmac-sha2-256

HTTPS Example
R2(config)#ip http secure-ciphersuite aes-256-cbc-sha

The Cisco router must be configured to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions.
RMF Control
MA-4
Severity
High
CCI
CCI-003123
Version
CISC-ND-001210
Vuln IDs
V-215845
Rule IDs
SV-215845r802918_rule
This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to eavesdropping, potentially putting sensitive data (including administrator passwords) at risk of compromise and potentially allowing hijacking of maintenance sessions.
Fix: F-17082r802917_fix

Configure the Cisco router to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions using a FIPS 140-2 approved algorithm as shown in the example below.

SSH Example
R1(config)#ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr

The Cisco router must be configured to generate log records when administrator privileges are modified.
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
CISC-ND-001240
Vuln IDs
V-215847
Rule IDs
SV-215847r531083_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the network device (e.g., module or policy filter).
Fix: F-17084r287581_fix

Configure the Cisco router to generate log records when account privileges are modified as shown in the example below.

R4(config)#logging userinfo
R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#end

The Cisco router must be configured to generate log records when administrator privileges are deleted.
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
CISC-ND-001250
Vuln IDs
V-215848
Rule IDs
SV-215848r531083_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the network device (e.g., module or policy filter).
Fix: F-17085r287584_fix

Configure the Cisco router to generate log records when administrator privileges are deleted as shown in the example below.

R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#end

The Cisco router must be configured to generate audit records when successful/unsuccessful logon attempts occur.
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
CISC-ND-001260
Vuln IDs
V-215849
Rule IDs
SV-215849r531083_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the network device (e.g., module or policy filter).
Fix: F-17086r287587_fix

Configure the Cisco router to generate audit records when successful/unsuccessful logon attempts occur as shown in the example below.

R5(config)#login on-failure log
R5(config)#login on-success log

The Cisco router must be configured to generate log records for privileged activities.
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
CISC-ND-001270
Vuln IDs
V-215850
Rule IDs
SV-215850r531083_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the network device (e.g., module or policy filter).
Fix: F-17087r287590_fix

Configure the Cisco router to generate log records for privileged activities as shown in the example below.

R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#end

The Cisco router must be configured to generate log records when concurrent logons from different workstations occur.
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
CISC-ND-001290
Vuln IDs
V-215852
Rule IDs
SV-215852r531083_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the network device (e.g., module or policy filter).
Fix: F-17089r287596_fix

Configure the Cisco router to generate log records when concurrent logons from different workstations occur as shown in the example below.

R5(config)#login on-success log
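
The detection side of the logging fixes on this page (the account-audit rules CISC-ND-000090 through CISC-ND-000120, the logon-audit rules CISC-ND-000250 and CISC-ND-001260, and the concurrent-logon rule CISC-ND-001290 above), as an added Python example that is not part of the STIG. It reads the messages those fixes cause the router to emit and reports local-account changes, sources that exceed the three-failure threshold, and users who logged on successfully from more than one workstation. The sample lines are constructed in the shape of the IOS XE %PARSER-5-CFGLOG_LOGGEDCMD and %SEC_LOGIN messages rather than captured from a device, and the regular expressions assume that shape; the failure threshold and the event names are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the IOS XE messages the fixes on this
# page produce: %PARSER-5-CFGLOG_LOGGEDCMD from 'archive / log config / logging
# enable', and %SEC_LOGIN-5-LOGIN_SUCCESS / %SEC_LOGIN-4-LOGIN_FAILED from
# 'login on-success log' / 'login on-failure log'. Not captured from a real
# device; the $9$ value is a placeholder, not a real hash.
SAMPLE_LOG = """\
Sep 22 10:01:02.123: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.5] [localport: 22] at 10:01:02 UTC Wed Sep 22 2021
Sep 22 10:02:11.001: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:username svc-backup privilege 15 secret 9 $9$constructed$hash
Sep 22 10:02:40.456: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:no username oldadmin
Sep 22 10:03:00.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet0/0/1
Sep 22 10:04:30.000: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.9] [localport: 22] at 10:04:30 UTC Wed Sep 22 2021
Sep 22 10:05:01.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:05:01 UTC Wed Sep 22 2021
Sep 22 10:05:03.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:05:03 UTC Wed Sep 22 2021
Sep 22 10:05:05.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:05:05 UTC Wed Sep 22 2021
"""

CFGLOG_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<admin>\S+)\s+logged command:(?P<cmd>.*)$")
LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<kind>LOGIN_SUCCESS|LOGIN_FAILED): .*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\]")


def classify_account_command(cmd):
    """Map a logged configuration command to (event, account), or None.
    A 'username' line both creates an account that did not exist and modifies
    one that did; the message alone cannot tell which, so the analyst compares
    it with the previous running-config (or 'show archive log config all')."""
    words = cmd.split()
    if len(words) >= 3 and words[0] == "no" and words[1] == "username":
        return "account_removed", words[2]
    if len(words) >= 2 and words[0] == "username":
        event = "account_set_with_privilege" if "privilege" in words else "account_set"
        return event, words[1]
    return None


def analyze(log_text, failure_threshold=3):
    """Account events, brute-force sources, and users seen from several workstations."""
    account_events = []
    failures = defaultdict(int)          # source address -> failed logins
    success_sources = defaultdict(set)   # user -> addresses with a successful login
    for line in log_text.splitlines():
        m = CFGLOG_RE.search(line)
        if m:
            hit = classify_account_command(m.group("cmd"))
            if hit:
                event, account = hit
                account_events.append((event, m.group("admin"), account))
            continue
        m = LOGIN_RE.search(line)
        if not m:
            continue
        if m.group("kind") == "LOGIN_FAILED":
            failures[m.group("src")] += 1
        else:
            success_sources[m.group("user")].add(m.group("src"))
    return {
        "account_events": account_events,
        # same threshold CISC-ND-000150 enforces on the device
        "brute_force_sources": sorted(s for s, n in failures.items() if n >= failure_threshold),
        # CISC-ND-001290: concurrent logons from different workstations
        "multi_source_users": sorted(u for u, s in success_sources.items() if len(s) > 1),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

Run against a syslog archive rather than the device's own buffer, since CISC-ND-001310 below is what guarantees the records survive a compromise of the router.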

The Cisco router must be configured to off-load log records onto a different system than the system being audited.
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
CISC-ND-001310
Vuln IDs
V-215853
Rule IDs
SV-215853r531083_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Fix: F-17090r287599_fix

Configure the Cisco router to send log records to a syslog server as shown in the example below.

R4(config)#logging host x.x.x.x
R4(config)#logging trap notifications
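
A read-only check of a saved running-config against the fixes listed on this page, as an added Python example that is neither DISA's nor Cisco's own tooling. One representative rule ID stands for each distinct fix (the rules that share a fix are named in comments), and the thresholds, the approved SSH algorithm sets, and the sample configuration are this example's own: the configuration excerpt is constructed, and the algorithm sets are taken from the fixes above (CTR-mode AES and hmac-sha2-256 only).

```python
import re

# Constructed excerpt of a saved 'show running-config'; not from a real device.
SAMPLE_CONFIG = """\
service timestamps log datetime localtime
service password-encryption
!
archive
 log config
  logging enable
!
logging userinfo
login block-for 900 attempts 3 within 120
login on-failure log
login on-success log
file privilege 15
!
ip ssh version 2
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
ip ssh server algorithm mac hmac-sha2-256
!
ip http server
!
ntp server 192.0.2.10
!
logging host 192.0.2.50
logging trap notifications
"""

# Services CISC-ND-000470 says to disable. Only a positive statement can be
# detected in text; a service that is on by default and therefore silent in
# the running-config is only confirmed off by the device's own show output.
UNNEEDED_SERVICES = [
    "boot network", "ip boot server", "ip bootp server", "ip dns server",
    "ip identd", "ip finger", "ip http server", "ip rcmd rcp-enable",
    "ip rcmd rsh-enable", "service config", "service finger",
    "service tcp-small-servers", "service udp-small-servers", "service pad",
]
# Algorithm sets from the fixes on this page (CTR modes only, per CISC-ND-001210).
APPROVED_SSH_ENCRYPTION = {"aes128-ctr", "aes192-ctr", "aes256-ctr"}
APPROVED_SSH_MAC = {"hmac-sha2-256"}


def section(lines, header):
    """Stripped lines indented beneath a top-level line equal to header."""
    out, inside = [], False
    for line in lines:
        if inside and not line.startswith(" "):
            break
        if inside:
            out.append(line.strip())
        elif line == header:
            inside = True
    return out


def ssh_algorithms(stripped, kind):
    """Algorithms set by 'ip ssh server algorithm <kind> ...' (empty set if absent)."""
    prefix = f"ip ssh server algorithm {kind} "
    for line in stripped:
        if line.startswith(prefix):
            return set(line[len(prefix):].split())
    return set()


def lockout_ok(stripped, max_attempts=3, min_block_seconds=900):
    """True if 'login block-for' meets the CISC-ND-000150 thresholds."""
    for line in stripped:
        m = re.fullmatch(r"login block-for (\d+) attempts (\d+) within (\d+)", line)
        if m:
            block, attempts, _window = map(int, m.groups())
            return block >= min_block_seconds and attempts <= max_attempts
    return False


def check(config_text):
    """Map one representative rule ID per fix on this page to pass (True) or fail."""
    lines = [l.rstrip() for l in config_text.splitlines()]
    stripped = [l.strip() for l in lines]
    present = set(stripped)
    enc = ssh_algorithms(stripped, "encryption")
    mac = ssh_algorithms(stripped, "mac")
    archive = set(section(lines, "archive"))
    return {
        # archive logging also satisfies 000100-000120, 000330, 000880, 000940, 001240-001270
        "CISC-ND-000090": {"log config", "logging enable"} <= archive,
        "CISC-ND-000150": lockout_ok(stripped),
        "CISC-ND-000210": "logging userinfo" in present,                     # also 000940, 001240
        "CISC-ND-000250": {"login on-failure log", "login on-success log"} <= present,  # also 001260, 001290
        "CISC-ND-000280": any(l.startswith("service timestamps log datetime") for l in stripped),  # also 001040
        "CISC-ND-000380": "file privilege 15" in present,                    # also 000390, 000460
        "CISC-ND-000470": not any(s in present for s in UNNEEDED_SERVICES),
        "CISC-ND-000530": "ip ssh version 2" in present and bool(enc) and enc <= APPROVED_SSH_ENCRYPTION,  # also 001210
        "CISC-ND-000620": "service password-encryption" in present,         # presence only; see the password-type note above
        "CISC-ND-001030": sum(l.startswith("ntp server ") for l in stripped) >= 2,
        "CISC-ND-001200": bool(mac) and mac <= APPROVED_SSH_MAC,
        "CISC-ND-001310": any(l.startswith("logging host ") for l in stripped),
    }


def failed(config_text):
    """Sorted rule IDs whose check did not pass."""
    return sorted(rule for rule, ok in check(config_text).items() if not ok)


def enabled_unneeded_services(config_text):
    present = {l.strip() for l in config_text.splitlines()}
    return [s for s in UNNEEDED_SERVICES if s in present]


if __name__ == "__main__":
    for rule in failed(SAMPLE_CONFIG):
        print("FAIL", rule)
```

On the sample, the http server and the single NTP server are the two failures; text checks like this catch drift between audits, but the device's own show output remains authoritative for services that are silent when enabled by default.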