
IOS/NX-OS Hardening:

1. Management Plane
1.0 AAA security

1.0.1 Enable 'aaa new-model'
1.0.2 Enable 'aaa authentication login' (for authentication fallback)
1.0.3 Enable 'aaa authentication enable default'
1.0.4 Set 'login authentication' for 'line con 0'
1.0.5 Set 'login authentication' for 'line tty'
1.0.6 Set 'login authentication' for 'line vty'

1.1 Password Security


1.1.1 Set 'password' for 'enable secret'
1.1.2 Enable 'service password-encryption'
1.1.3 Set 'username secret' for all local users

1.2 Device Access Rules


1.2.1 Set 'privilege 1' for local users
1.2.2 Set 'transport input ssh' for 'line vty' connections (remove telnet unless it is absolutely needed)
1.2.3 Set 'no exec' for 'line aux 0'
1.2.4 Create 'access-list' for use with 'line vty'
1.2.5 Set 'access-class' for 'line vty'
1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0'
1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes for 'line console 0'
1.2.8 Set 'exec-timeout' to less than or equal to 10 minutes for 'line tty'
1.2.9 Set 'exec-timeout' to less than or equal to 10 minutes for 'line vty'
1.2.10 Set 'transport input none' for 'line aux 0'
1.2.11 Set the 'banner-text' for 'banner exec'
1.2.12 Set the 'banner-text' for 'banner login'
1.2.13 Set the 'banner-text' for 'banner motd'
1.2.14 Filter http/https access to the management interface

1.3 Disable unnecessary TCP/UDP Small Services


1.3.1 Disable small-services such as echo, discard, daytime, chargen
1.3.2 Set "no mop enabled" to disable MOP services
1.3.3 Set "no service pad" to disable PAD services
1.3.4 Set "no service config" in global mode (unless the device gets its config from a TFTP server)
1.3.5 Set "no service dhcp" if DHCP relay services are not needed on the device
1.3.6 Set "no ip bootp server" if device is not running bootp services
1.3.7 Set 'no ip identd' on all devices

1.4 Keepalives for TCP sessions


1.4.1 Set "service tcp-keepalives-in"
1.4.2 Set "service tcp-keepalives-out"

1.5 Management Plane Protection (MPP)

1.5.1 Enable MPP to restrict SSH access to the management interface only (where possible)
1.5.2 Encrypt management sessions
1.5.3 Set 'no cdp run' on all internet-facing devices

1.6 SNMP security


1.6.1 Set 'no snmp-server' to disable SNMP when unused
1.6.2 Unset 'private' for 'snmp-server community'
1.6.3 Unset 'public' for 'snmp-server community'
1.6.4 Do not set 'RW' for any 'snmp-server community'
1.6.5 Set the ACL for each 'snmp-server community'
1.6.6 Create an 'access-list' for use with SNMP
1.6.7 Set 'snmp-server host' when using SNMP
1.6.8 Set 'snmp-server enable traps snmp'

1.7 Setup SSH and configure Prerequisites for the SSH Service
1.7.1 Set the 'hostname'
1.7.2 Set the 'ip domain name'
1.7.3 Set a value (in secs) for 'ip ssh timeout'
1.7.4 Set a maximum value for 'ip ssh authentication-retries'
1.7.5 Set version 2 for 'ip ssh version'

1.8 Logging Best Practices


1.8.1 Set 'logging on'
1.8.2 Set a 'buffer size' value for 'logging buffered'
1.8.3 Set 'logging console critical'
1.8.4 Set "no logging console" to disable logging to the console
1.8.5 Set "no logging monitor" to disable logging to monitor sessions
1.8.6 Set IP address for 'logging host' (this IP should be the Alienvault SIEM)
1.8.7 Set 'logging trap informational'
1.8.8 Set 'service timestamps debug datetime'
1.8.9 Set 'logging source interface' (the use of a globally unique loopback interface is advised)
1.8.10 Set "service timestamps log" to configure Logging timestamps
1.8.11 Enable the logging of configuration changes made to the device locally
1.8.12 If AAA accounting is not possible, set "notify syslog" to generate a syslog message when a configuration change is made

1.9 Memory Configuration Best Practices


1.9.1 Set a value for "memory reserve console" to reserve memory for Console access (minimum 4096)
1.9.2 Enable memory buffer overflow detection

1.10 Setup NTP


1.10.1 Set NTP servers on all devices (at least 3 NTP servers are recommended)
1.10.2 Set NTP authentication with encryption keys
1.10.3 Set the time zone to match the device's local time zone

2. Data Plane
2.0 General Data Plane Hardening
2.0.1 Set "no ip source-route" to disable IP source routing on all access/core switches
2.0.2 Disable ip redirects
2.0.3 Disable/control via ACLs IP directed broadcasts
2.0.4 Enable ICMP packet filtering

2.1 Anti-Spoofing Protections


2.1.1 Enable DHCP snooping on all access switches
2.1.2 Enable IP source guard on all access switches to prevent IP spoofing (depends on DHCP snooping)
2.1.3 Enable Dynamic ARP Inspection (DAI) on all access switches (depends on DHCP snooping)
2.1.4 Apply anti-spoofing ACLs on edge internet gateways to block packets with RFC1918 addresses entering the edge network from the internet

2.2 Limit data plane traffic types that require special CPU processing and are process switched by the CPU

Although not exhaustive, this list includes types of data plane traffic that require special CPU processing and are process switched by the CPU:

- ACL Logging - ACL logging traffic consists of any packets that are generated due to a match (permit or deny) of an ACE on which the log keyword is used.
- Unicast RPF - Unicast RPF used in conjunction with an ACL might result in the process switching of certain packets.
- IP Options - Any IP packets with options included must be processed by the CPU.
- Fragmentation - Any IP packet that requires fragmentation must be passed to the CPU for processing.
- Time-to-Live (TTL) Expiry - Packets that have a TTL value less than or equal to 1 require Internet Control Message Protocol Time Exceeded (ICMP Type 11, Code 0) messages to be sent, which results in CPU processing.
- ICMP Unreachables - Packets that result in ICMP unreachable messages due to routing, MTU or filtering are processed by the CPU.
- Traffic Requiring an ARP Request - Destinations for which an ARP entry does not exist require processing by the CPU.
- Non-IP Traffic - All non-IP traffic is processed by the CPU.

2.3 Microsegmentation of VLANs (securing Layer 2 networks)

2.3.1 Set protected ports (PVLAN edge) on all user access switches
2.3.2 Configure PVLANs (to isolate traffic between two protected ports located on different switches)

3. Control Plane
3.0 General Control Plane Hardening
3.0.1 Disable IP redirects on edge routers/gateways
3.0.2 Disable or rate-limit the sending of ICMP Unreachables
3.0.3 Disable Proxy ARP

3.1 Control Plane Protection


3.1.1 Enable control-plane policing (CoPP) on the core switches and edge/internet gateways

3.2 Routing Protocols Security


3.2.1 Require EIGRP Authentication if Protocol is Used
3.2.2 Require OSPF Authentication if Protocol is Used
3.2.3 Require RIPv2 Authentication if Protocol is Used
3.2.4 Require BGP Authentication if Protocol is Used

3.3 Spanning-Tree Security


3.3.1 Enable BPDUGuard on all switches running spanning-tree
3.3.2 Enable RootGuard on all switches running spanning-tree which are designated root switches
3.3.3 Enable LoopGuard on all switches running spanning-tree
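The checklist does not come with a way to verify a device against it, so the following is an added example (not part of this checklist or of any Cisco tool) that parses an IOS-style running-config and reports which of a subset of the items above fail. The sample config, the use of the item numbers as finding labels, and the decision to flag a missing 'exec-timeout' (the 10-minute default is not shown in running-config) are this example's own assumptions.

```python
import re
# Constructed sample running-config (not from a real device); it breaks several
# checklist items on purpose so that the audit below produces findings.
SAMPLE_CONFIG = """\
aaa new-model
snmp-server community public RO 10
snmp-server community admin RW
ip ssh version 1
line aux 0
 exec-timeout 0 0
line vty 0 4
 exec-timeout 15 0
 transport input telnet ssh
"""

def parse_config(text):
    """Map each top-level IOS command to the list of its indented children."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            current = raw.strip()
            blocks[current] = []
    return blocks

def timeout_ok(children):
    """True if exec-timeout is explicit, non-zero (0 = never) and <= 10 min.
    The 10 min default is not shown in running-config, so absence is flagged."""
    m = next((re.match(r"exec-timeout (\d+)(?: (\d+))?$", c) for c in children
              if c.startswith("exec-timeout")), None)
    return bool(m) and 0 < int(m.group(1)) * 60 + int(m.group(2) or 0) <= 600

def audit(text):
    """Return [(checklist item, finding)] for every check that fails."""
    blocks, out = parse_config(text), []
    for item, cmd in (("1.0.1", "aaa new-model"), ("1.1.2", "service password-encryption"),
                      ("1.7.5", "ip ssh version 2"), ("2.0.1", "no ip source-route")):
        if not any(l == cmd or l.startswith(cmd + " ") for l in blocks):
            out.append((item, f"missing '{cmd}'"))
    for l in blocks:  # SNMP: no default community names, no RW access (1.6.2-1.6.4)
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?", l)
        if m and (m.group(1).lower() in ("public", "private") or m.group(2) == "RW"):
            out.append(("1.6.2-1.6.4", l))
    for line, kids in blocks.items():  # per-line checks (1.2.2, 1.2.6-1.2.9)
        if line.startswith("line ") and not timeout_ok(kids):
            out.append(("1.2.6-1.2.9", f"{line}: exec-timeout absent, 0 or > 10 min"))
        if line.startswith("line vty") and "transport input ssh" not in kids:
            out.append(("1.2.2", f"{line}: transport input is not ssh-only"))
    return out
```

Running audit(SAMPLE_CONFIG) yields eight findings, including the never-expiring 'exec-timeout 0 0' on the aux line and the telnet-enabled vty; a config with the four global commands and an ssh-only vty line with a 5-minute timeout yields none.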
