Security and Config questions for 7140 & 2561


Phylum

IS-IT--Management
Aug 16, 2004
I have a number of questions regarding improving security on our Cisco
7140's and 2561's. I've been working with another coworker here and we
haven't really been able to find the information we're looking for. Based
on our research (or mostly hers, as I was assigned to this at the tail end
of the day), it appears as though certain options were implemented in version X
of the IOS; however, they were removed a few versions later. For the
first set of questions, I need to know as of what version that option was
available (if any) and what version it was removed in (e.g., introduced in
version 11.7, removed in 12.2.17). We have a 2610 at our disposal but it's
not set up, nor do we know exactly how to approach it.
If someone has a PDF or website they recommend I look through, it would be
appreciated. My coworker searched through the Cisco site and had a
difficult time locating information that would be helpful to us. Today is my
first real day on this task and maybe she just needed another pair of eyes,
as they say.

Here we go:

* - Is it possible to lock out a session after a specified period of
inactivity?

* - Are there any options that exist on the router which will ensure that
system-level passwords are changed at least monthly/quarterly/bi-yearly?

* - Is it possible to ensure that a user changes their password every X
days/months and does not use the same password within a 12 month period?

* - Is there an automated technical process that exists to ensure that
password 'policies' are followed whenever possible?

* - Does an option exist to ensure that all users' accounts are locked
after X failed login attempts?

* - How can I determine if a technical process or procedure exists to
mask, suppress or obscure passwords displayed onscreen?

* - Determine if network traffic is routed properly on the network device
(all routers will prohibit the passage of all inbound network traffic that
is not explicitly permitted)

* - Determine if network traffic is routed properly on the network device
(all routers will permit the passage of all outbound network traffic that
is not explicitly prohibited)

* - Determine if network traffic is routed properly on the network device
(all routers will prohibit the passage of all outbound network traffic
that is known to expose any information regarding the configuration of the
network or any of its components)

* - Determine if network traffic is routed properly on the network device
if it is a WAN (a WAN must only accept inbound network traffic that
originates from a LAN or DMZ)

* - Determine if network traffic is routed properly on the network device
if it is a WAN (a WAN must only permit outbound network traffic that is
destined for a LAN or DMZ)

* - Determine if network traffic is routed properly on the network device
if it is a DMZ (a DMZ accepts all inbound and outbound network traffic but
must only permit the passage of authorized network traffic, as determined
by its routers and firewalls)

* - Determine if network traffic is routed properly on the network device
(ICMP Message Types to Allow Outbound at the Perimeter/Boundary Router
Number --- Name
4 --- source quench
8 --- echo request (ping)
12 --- parameter problem

ICMP Message Types to Allow Inbound at the Perimeter/Boundary Router
Number --- Name
0 --- echo reply
4 --- source quench
11 --- time exceeded
12 --- parameter problem)
 
Password and login issues are addressed by your authentication mechanism (RADIUS or TACACS+ server). Passwords which are written directly into the configuration file aren't required to change and there's no automated mechanism to do so.

I don't know where passwords would be displayed onscreen. Use service password-encryption to encrypt them in the configuration file, but this isn't highly secure. might have information that you can use.

The rest of this seems to pertain to the use of access-lists. Routers can't determine whether they're routing how you want them to; they do what they're told. After setting up proper access lists, you can "sh access-list" to see what entries are getting used. An IDS is probably what you need in order to audit traffic, especially for the one about blocking traffic "that is known to expose any information regarding the configuration of the network".
 
SYN/ACK
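Added example (not part of the thread): a small Python audit that reads a running-config as text and reports on the points lgarner's reply raises, i.e. idle timeout, passwords written into the config, AAA, and whether an access-list is actually applied to an interface. Both sample configs are constructed for illustration. The IOS commands they use (service password-encryption, enable secret, aaa new-model, login block-for, exec-timeout, access-list, ip access-group, access-class) are real IOS syntax, but which release first shipped each one is exactly the version question asked above, so confirm against the command reference for your train; the enable secret hash value is a placeholder. The decode_type7 function shows concretely why service password-encryption "isn't highly secure": type 7 is a fixed-key XOR that anyone who can read the config file can reverse.

```python
"""Audit a Cisco IOS running-config text for the session, password and
access-list points raised in the thread.  Added example, not from the
original posts; the two configs below are constructed for illustration."""
import re

# Cisco's fixed type 7 key.  A stored 'password 7' value is two decimal
# digits (starting offset into this key) followed by hex of plaintext XOR key.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(value: str) -> str:
    """Recover the plaintext behind 'service password-encryption' (type 7)."""
    offset = int(value[:2])
    body = bytes.fromhex(value[2:])
    return "".join(
        chr(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]) for i, b in enumerate(body)
    )


def _stanzas(lines: list[str]) -> dict[str, list[str]]:
    """Group indented child lines under their parent ('line vty 0 4', 'interface ...')."""
    result: dict[str, list[str]] = {}
    current = None
    for line in lines:
        if line.startswith(" ") and current is not None:
            result[current].append(line.strip())
        elif line and not line.startswith("!"):
            current = line.strip()
            result.setdefault(current, [])
    return result


def audit_config(config: str) -> list[str]:
    """Return findings as strings; an empty list means every check passed."""
    findings: list[str] = []
    lines = config.splitlines()
    # Type 7 is obfuscation, not encryption: show the recovered plaintext.
    for m in re.finditer(r"^[ \t]*(?:enable )?password 7 ([0-9A-Fa-f]+)$", config, re.M):
        findings.append(f"type 7 password is reversible, decodes to {decode_type7(m.group(1))!r}")
    if any(l.startswith("enable password") for l in lines):
        findings.append("enable password in use: replace with enable secret (MD5, type 5)")
    elif not any(l.startswith("enable secret") for l in lines):
        findings.append("no enable secret configured")
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: no TACACS+/RADIUS password policy or accounting")
    if not any(l.startswith("login block-for") for l in lines):
        findings.append("login block-for missing: repeated failed logins are not throttled")
    for header, children in _stanzas(lines).items():
        if header.startswith("line") and "exec-timeout 0 0" in children:
            findings.append(f"{header}: exec-timeout 0 0 disables the idle timeout (default is 10 min)")
        if header.startswith("interface") and not any(
            c.startswith("ip access-group") and c.endswith(" in") for c in children
        ):
            findings.append(f"{header}: no inbound access-group, so nothing is explicitly denied")
    return findings


# Constructed weak config: obfuscated passwords, no AAA, session never times out.
WEAK_CONFIG = """\
service password-encryption
enable password 7 0822455D0A16
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
line vty 0 4
 exec-timeout 0 0
 password 7 0822455D0A16
 login
"""

# Constructed hardened config.  The ICMP entries on access-list 101 are the
# inbound types listed in the question (0 echo-reply, 4 source-quench,
# 11 time-exceeded, 12 parameter-problem); the enable secret hash is a placeholder.
HARDENED_CONFIG = """\
service password-encryption
aaa new-model
aaa authentication login default group tacacs+ local
enable secret 5 $1$PLACEHOLDER$notarealhashvalue
login block-for 120 attempts 3 within 60
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any parameter-problem
access-list 101 deny ip any any log
interface Serial0/0
 ip access-group 101 in
line vty 0 4
 exec-timeout 10 0
 access-class 10 in
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit_config(cfg))} finding(s)")
        for f in audit_config(cfg):
            print("  -", f)
```

Running it lists seven findings for the weak config (including the recovered vty and enable password, both "cisco") and none for the hardened one. Keep lgarner's caveat in mind: a check like this can tell you an access-list exists and is applied inbound, not that it matches your intended traffic policy; the hit counters from "sh access-list" and an IDS are what show you what the router is actually passing.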
lgarner - Thank you for your reply. I've been doing a lot of reading on the Cisco site (since 8am) and that certainly helped give me a better understanding of the security side of things. Based on what I've read, by default there is an idle timeout of 10 minutes but that can be changed. Via the task command, we can also control the number of login attempts that can be made on a line set for TACACS verification.

I'll need to check with the rest of the people here (this is my second day at this site) to see if we have an AAA server or not. Sounds like AAA would be the way to go in the area of account privileges mgmt., and in combination with logging & notification of certain commands that users try to or do issue when logged on the device, you can really stay on top of things!

I appreciate the prompt response. I'm going to take a break for a while and come back to this later. Is there a fast and easy way of determining when something was introduced to the IOS? While looking through several pages I found one nifty area that detailed all the commands and for a few of them included when they were first implemented into the IOS. I guess I'll have to try to find that page again (arg) but I was hoping there would be some repository of commands that included a short description of what it does and when it was implemented.

I'm probably asking for too much but hey you never know.

J
 