Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Note: This requirement is not applicable to file transfer actions such as FTP, SCP and SFTP. Review the router configuration to determine if concurrent management sessions are limited as show in the example below: ssh server session-limit 2 If the router is not configured to limit the number of concurrent management sessions, this is a finding.
Configure the router to limit the number of concurrent management sessions to an organization-defined number as shown in the example below. RP/0/0/CPU0:R3(config)#ssh server session-limit 2
Review the Cisco router configuration to verify that it is compliant with this requirement. Step 1: Verify that the line vty has an ACL inbound applied as shown in the example below. line default access-class ingress MANAGEMENT_NET transport input ssh ! vty-pool default 0 4 Step 2: Verify that the ACL permits only hosts from the management network to access the router. ipv4 access-list MANAGEMENT_NET 10 permit ipv4 10.1.1.0 255.255.255.0 any 20 deny ipv4 any any log-input If the Cisco router is not configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies, this is a finding.
Configure the Cisco router to restrict management access to specific IP addresses via SSH as shown in the example below. RP/0/0/CPU0:ios(config)#ipv4 access-list MANAGEMENT_NET RP/0/0/CPU0:ios(config-ipv4-acl)#permit ipv4 10.1.1.0 255.255.255.0 any RP/0/0/CPU0:ios(config-ipv4-acl)#deny ipv4 any any log-input RP/0/0/CPU0:ios(config-ipv4-acl)#exit RP/0/0/CPU0:R3(config)#vty default 0 4 RP/0/0/CPU0:R3(config)#line default RP/0/0/CPU0:R3(config-line)#transport input ssh RP/0/0/CPU0:R3(config-line)#access-class MANAGEMENT_NET in RP/0/0/CPU0:R3(config-line)#end
The Cisco router is not compliant with this requirement. However, the risk associated with this requirement can be fully mitigated if the router is configured to utilize an authentication server to authenticate and authorize users for administrative access. Review the router configuration to verify that the device is configured to use an authentication server as primary source for authentication as shown in the following example: radius-server host 10.1.3.16 auth-port 1645 acct-port 1646 key xxxxxxxxxx … … … aaa authentication login LOGIN_AUTHENTICATION group radius local line console login authentication LOGIN_AUTHENTICATION ! line default login authentication LOGIN_AUTHENTICATION transport input ssh If the router is not configured to use an authentication server to authenticate and authorize users for administrative access, this is a finding.
Step 1: Configure the router to use an authentication server as shown in the following example: RP/0/0/CPU0:R3(config)#radius-server host 10.1.3.16 key xxxxxxxx Step 2: Configure the authentication order to use the authentication server as primary source for authentication as shown in the following example: RP/0/0/CPU0:R3(config)#aaa authentication login LOGIN_AUTHENTICATION group radius local Step 3: Configure all network connections associated with a device management to use an authentication server for the purpose of login authentication as shown in the following example: RP/0/0/CPU0:R3(config)#line default RP/0/0/CPU0:R3(config-line)#login authentication LOGIN_AUTHENTICATION RP/0/0/CPU0:R3(config-line)#exit RP/0/0/CPU0:R3(config)#line console RP/0/0/CPU0:R3(config-line)#login authentication LOGIN_AUTHENTICATION
Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below. banner login ^C You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. ^C If the Cisco router is not configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device, this is a finding.
Configure the Cisco router to display the Standard Mandatory DoD Notice and Consent Banner before granting access as shown in the following example: RP/0/0/CPU0:R3(config)#banner login # Enter TEXT message. End with the character '#'. You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. # RP/0/0/CPU0:R3(config)#end
Review the Cisco router configuration to verify that it is compliant with this requirement. The configuration example below will log all logon attempts. logging buffered informational logging 10.1.22.2 vrf default severity info If the Cisco router is not configured to generate audit records when successful/unsuccessful attempts to logon, this is a finding.
Configure the Cisco router to log all logon attempts as shown in the example below. RP/0/0/CPU0:R3(config)#logging buffered informational RP/0/0/CPU0:R3(config)#logging 10.1.22.2 severity info
Verify that the router is configured to include the date and time on all log records as shown in the configuration example below. service timestamps log datetime localtime If time stamps are not configured, this is a finding.
Configure the router to include the date and time on all log records as shown in the example below. RP/0/0/CPU0:R3(config)#service timestamps log datetime localtime
Review the deny statements in all interface ACLs to determine if the log-input parameter has been configured as shown in the example below. Note: log-input can only apply to interface bound ACLs. ipv4 access-list BLOCK_INBOUND 10 deny icmp any any log-input If the router is not configured with the log-input parameter after any deny statements to note where packets have been dropped via an ACL, this is a finding.
Configure the log-input parameter after any deny statements to provide the location as to where packets have been dropped via an ACL. RP/0/0/CPU0:R3(config)#ipv4 access-list BLOCK_INBOUND RP/0/0/CPU0:R3(config-ipv4-acl)#deny icmp any any log-input
Verify that the router does not have any unnecessary or nonsecure ports, protocols, and services enabled. For example, the following commands should not be in the configuration: service ipv4 tcp-small-servers max-servers 10 service ipv4 udp-small-servers max-servers 10 http client vrf xxxxx telnet vrf default ipv4 server max-servers 1 service call-home Note: Certain legacy devices may require 'service call-home' be enabled to support Smart Licensing as they do not support the newer smart transport configuration. Those devices do not incur a finding for having call-home enabled for Smart Licensing. If any unnecessary or nonsecure ports, protocols, or services are enabled, this is a finding.
Disable the following services if enabled as shown in the example below. RP/0/0/CPU0:R3(config)#no service ipv4 tcp-small-servers RP/0/0/CPU0:R3(config)#no service ipv4 udp-small-servers RP/0/0/CPU0:R3(config)#no http client vrf xxxxx RP/0/0/CPU0:R3(config)#no telnet ipv4 server RP/0/0/CPU0:R3(config)#no service call-home
Step 1: Review the Cisco router configuration to verify that a local account for last resort has been configured. username xxxxxxxxxxxx group netadmin secret 5 xxxxxxxxxxxxxxxxxxxx Note: The following groups should not be assigned to this local account: root-system and root-lr. A custom group that provides appropriate tasks can be used. Step 2: Verify that local is defined after radius or tacas+ in the authentication order as shown in the example below. aaa authentication login default group tacacs+ local If the Cisco router is not configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable, this is a finding.
Step 1: Configure a local account with the necessary privilege level to troubleshoot network outage and restore operations as shown in the following example: RP/0/0/CPU0:R3(config)#username xxxxxxxxx group netadmin RP/0/0/CPU0:R3(config)#username xxxxxxxxx secret xxxxxx Step 2: Configure the authentication order to use the local account if the authentication server is not reachable as shown in the following example: RP/0/0/CPU0:R3(config)#aaa authentication login default group tacacs+ local
Review the router configuration to verify that SSH version 2 is configured as shown in the example below. ssh server v2 Note: IOS XR supports SSHv1 and SSHv2. SSHv1 uses Rivest, Shamir, and Adelman (RSA) keys while SSHv2 uses Digital Signature Algorithm (DSA) keys. If the router is not configured to implement replay-resistant authentication mechanisms for network access to privileged accounts, this is a finding.
Configure the router to use SSH version 2 as shown in the example below. RP/0/0/CPU0:R3(config)#ssh server v2
Review the Cisco router configuration to verify that all network connections associated with a device management have an idle timeout value set to five minutes or less as shown in the following example: line console … … … exec-timeout 5 0 ! line default … … … exec-timeout 5 0 transport input ssh If the Cisco router is not configured to terminate all network connections associated with a device management after five minutes of inactivity, this is a finding.
Set the idle timeout value to five minutes or less on all configured login classes as shown in the example below. RP/0/0/CPU0:R3(config)#line con RP/0/0/CPU0:R3(config-line)#exec-timeout RP/0/0/CPU0:R3(config)#line default RP/0/0/CPU0:R3(config-line)#exec-timeout 5 0
Verify that the Cisco router is configured with a logging buffer size as well as on the hard drive. The configuration should look like the example below: logging archive device harddisk severity notifications file-size 10 archive-size 100 … … … logging buffered 8888888 If a logging buffer size and the archive size is not configured, this is a finding. If the Cisco router is not configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements, this is a finding.
Configure the logging buffer size as well as the active log file size and the amount of storage to be reserved for archive log files as shown in the example below. RP/0/0/CPU0:R3(config)#logging buffered 8888888 RP/0/0/CPU0:R3(config)#logging archive RP/0/0/CPU0:R3(config-logging-arch)#severity notifications RP/0/0/CPU0:R3(config-logging-arch)#device harddisk RP/0/0/CPU0:R3(config-logging-arch)#archive-size 100 RP/0/0/CPU0:R3(config-logging-arch)#file-size 10 RP/0/0/CPU0:R3(config-logging-arch)#end
Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below. logging 10.1.12.7 vrf default severity critical Note: The parameter "critical" can be replaced with a lesser severity level (i.e., error, warning, notice, informational). If the Cisco router is not configured to generate an alert for all audit failure events, this is a finding.
Configure the Cisco router to send critical to emergency log messages to the syslog server as shown in the example below. RP/0/0/CPU0:R3(config)#logging 10.1.12.7 severity critical Note: The parameter "critical" can replaced with a lesser severity level (i.e., error, warning, notice, informational).
Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the configuration example below. ntp server x.x.x.x ntp server y.y.y.y If the Cisco router is not configured to synchronize its clock with redundant authoritative time sources, this is a finding.
Configure the Cisco router to synchronize its clock with redundant authoritative time sources as shown in the example below. RP/0/0/CPU0:R3 (config)#ntp server x.x.x.x RP/0/0/CPU0:R3 (config)#ntp server y.y.y.y
Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below. hostname R3 service timestamps log datetime localtime If the router is not configured to record time stamps that meet a granularity of one second, this is a finding.
Configure the Cisco router to record time stamps that meet a granularity of one second as shown in the example below. RP/0/0/CPU0:R3(config)#service timestamps log datetime localtime
Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below. hostname R3 clock timezone EST -5 service timestamps log datetime localtime Note: UTC is the default; hence, the command set time-zone may not be seen in the configuration. This can be verified using the show system uptime command. If the router is not configured to record time stamps for audit records that can be mapped to UTC or GMT, this is a finding.
Configure the Cisco router to record time stamps for audit records that can be mapped to UTC or GMT as shown in the example below. RP/0/0/CPU0:R3(config)#clock timezone EST -5 RP/0/0/CPU0:R3(config)#service timestamps log datetime localtime
Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below. snmp-server host x.x.x.x traps version 3 auth V3USER snmp-server user V3USER V3GROUP v3 auth sha snmp-server view V3READ iso included snmp-server view V3WRITE iso included snmp-server group V3GROUP v3 auth read V3READ write V3WRITE If the Cisco router is not configured to authenticate SNMP messages using a FIPS-validated HMAC, this is a finding.
Configure the Cisco router to authenticate SNMP messages as shown in the example below. RP/0/0/CPU0:R3(config)#snmp-server group V3GROUP v3 auth read V3READ write V3WRITE RP/0/0/CPU0:R3(config)#snmp-server user V3USER V3GROUP v3 auth sha xxxxxx RP/0/0/CPU0:R3(config)#snmp-server view V3READ iso included RP/0/0/CPU0:R3(config)#snmp-server view V3WRITE iso included RP/0/0/CPU0:R3(config)#snmp-server host x.x.x.x version 3 auth V3USER
Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below. snmp-server host x.x.x.x traps version 3 auth V3USER snmp-server user V3USER V3GROUP v3 auth sha encrypted 110B1607150B snmp-server view V3READ iso included snmp-server view V3WRITE iso included snmp-server group V3GROUP v3 auth read V3READ write V3WRITE If the Cisco router is not configured to encrypt SNMP messages using a FIPS 140-2 approved algorithm, this is a finding.
Configure the Cisco router to encrypt SNMP messages using a FIPS 140-2 approved algorithm as shown in the example below. RP/0/0/CPU0:R3(config)#snmp-server group V3GROUP v3 auth read V3READ write V3WRITE RP/0/0/CPU0:R3(config)#snmp-server user V3USER V3GROUP v3 auth sha xxxxxx priv aes 256 xxxxxx RP/0/0/CPU0:R3(config)#snmp-server view V3READ iso included RP/0/0/CPU0:R3(config)#snmp-server view V3WRITE iso included RP/0/0/CPU0:R3(config)#snmp-server host x.x.x.x version 3 auth V3USER
Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the configuration example below. ntp authentication-key 1 md5 encrypted 030654090416 trusted-key 1 server x.x.x.x key 1 server y.y.y.y key 1 If the Cisco router is not configured to authenticate NTP sources using authentication that is cryptographically based, this is a finding.
Configure the Cisco router to authenticate NTP sources using authentication that is cryptographically based as shown in the example below. RP/0/0/CPU0:R4#ntp authenticate RP/0/0/CPU0:R4#ntp authentication-key 1 md5 xxxxxx RP/0/0/CPU0:R4#ntp trusted-key RP/0/0/CPU0:R4#ntp server x.x.x.x key 1 RP/0/0/CPU0:R4#ntp server y.y.y.y key 1
Review the router configuration to verify that SSH version 2 is configured as shown in the example below. ssh server v2 Note: IOS XR supports SSHv1 and SSHv2. SSHv1 uses Rivest, Shamir, and Adelman (RSA) keys while SSHv2 uses Digital Signature Algorithm (DSA) keys which is FIPS 186-4. If the Cisco router is not configured to use FIPS-validated HMAC to protect the integrity of remote maintenance sessions, this is a finding.
Configure the router to use SSH version 2 as shown in the example below. RP/0/0/CPU0:R3(config)#ssh server v2
Review the router configuration to verify that SSH version 2 is configured as shown in the example below. ssh server v2 Note: IOS XR supports SSHv1 and SSHv2. The AES encryption algorithm is supported on the SSHv2 server and client, but not on the SSHv1 server and client. Any requests for an AES cipher sent by an SSHv2 client to an SSHv1 server are ignored, with the server using 3DES instead. The cipher preference for the SSH server follows the order AES128, AES192, AES256, and, finally, 3DES. The server rejects any requests by the client for an unsupported cipher, and the SSH session does not proceed. If the router is configured to implement SSH version 1, this is a finding.
Configure the router to use SSH version 2 as shown in the example below. RP/0/0/CPU0:R3(config)#ssh server v2
Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below. logging 10.1.12.7 vrf default severity info If the Cisco router is not configured to off-load log records onto a different system than the system being audited, this is a finding.
Configure the Cisco router to send log records to a syslog server as shown in the example below. RP/0/0/CPU0:R3(config)#logging 10.1.12.7 severity info
Review the Cisco router configuration to verify that the device is configured to use at least two authentication servers as primary source for authentication as shown in the following example: radius-server host 10.1.3.16 auth-port 1645 acct-port 1646 key xxxxxxxxxx radius-server host 10.1.3.17 auth-port 1645 acct-port 1646 key xxxxxxxxxx… … … aaa authentication login LOGIN_AUTHENTICATION group radius local line console login authentication LOGIN_AUTHENTICATION ! line default login authentication LOGIN_AUTHENTICATION transport input ssh If the Cisco router is not configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access, this is a finding.
Step 1: Configure the router to use at least two authentication servers as shown in the following example: RP/0/0/CPU0:R3(config)#radius-server host 10.1.3.16 key xxxxxxxx RP/0/0/CPU0:R3(config)#radius-server host 10.1.3.17 key xxxxxxxx Step 2: Configure the authentication order to use the authentication servers as primary source for authentication as shown in the following example: RP/0/0/CPU0:R3(config)#aaa authentication login LOGIN_AUTHENTICATION group radius local Step 3: Configure all network connections associated with a device management to use the authentication servers for the purpose of login authentication as shown in the following example: RP/0/0/CPU0:R3(config)#line default RP/0/0/CPU0:R3(config-line)#login authentication LOGIN_AUTHENTICATION RP/0/0/CPU0:R3(config-line)#exit RP/0/0/CPU0:R3(config)#line console RP/0/0/CPU0:R3(config-line)#login authentication LOGIN_AUTHENTICATION
Review the Cisco router configuration to verify that it is compliant with this requirement. The example configuration below will send the configuration to an TFTP server when a configuration change occurs. configuration commit auto-save filename tftp://10.1.3.18 If the Cisco router is not configured to conduct backups of the configuration when changes occur, this is a finding.
Configure the Cisco router to send the configuration to an TFTP or FTP server when a configuration change occurs as shown in the example below. RP/0/0/CPU0:R3(config)#configuration commit auto-save filename tftp:// 10.1.3.18
Review the router configuration to determine if a CA trust point has been configured. The CA trust point will contain the URL of the CA in which the router has enrolled with. Verify this is a DoD or DoD-approved CA. This will ensure the router has enrolled and received a certificate from a trusted CA. The CA trust point configuration would look similar to the example below. crypto pki trustpoint CA_X enrollment url http://trustpoint1.example.com Note: A remote end-point's certificate will always be validated by the router by verifying the signature of the CA on the certificate using the CA's public key, which is contained in the router's certificate it received at enrollment. Note: This requirement is not applicable if the router does not have any public key certificates. If the Cisco router is not configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.
Configure the router to obtain its public key certificates from an appropriate certificate policy through an approved service provider as show in the example below. RP/0/0/CPU0:R3(config)#crypto ca trustpoint CA_X RP/0/0/CPU0:R3(config-trustp)#enrollment url http://trustpoint1.example.com
Verify that the router is configured to send logs to at least two syslog servers. The configuration should look similar to the example below: logging 10.1.3.22 vrf default severity info logging 10.1.3.23 vrf default severity info If the router is not configured to send log data to the syslog server, this is a finding.
Configure the router to send log messages to the syslog servers as shown in the example below. RP/0/0/CPU0:R3(config)#logging 10.1.3.22 severity info RP/0/0/CPU0:R3(config)#logging 10.1.3.23 severity info
Verify that the router is in compliance with this requirement by having the router administrator enter the following command: show version Verify that the release is still supported by Cisco. All releases supported by Cisco can be found on the following URL: www.cisco.com/c/en/us/support/ios-nx-os-software If the router is not running a supported release, this is a finding.
Upgrade the router to a supported release.