Router Technical Audit Checklist

Columns: Questions | Findings (Yes / No) | ISO 27001 Control | Standard/Best Practice

Each question is answered Yes or No in the Findings columns; the Control column maps the question to the ISO 27001 Annex A control it supports, and the last column gives the standard or best practice (with the Cisco IOS commands that implement it where applicable).

Router Policy

Question: Is a router security policy in place?
Control: A.5.1.1, A.11.4.1
Disable Unneeded Services

Question: Are unused interfaces disabled?
Control: A.11.4.4
Standard/Best Practice: Unused interfaces on the router should be disabled.
  Router(config-if)# shutdown

Question: Are DNS lookups for the router turned off?
Control: A.11.5.4, A.12.6.1
Standard/Best Practice: This client service is enabled by default and is not required on most routers. The following command is used to turn DNS lookup off.
  Router(config)#no ip domain-lookup

Question: Are the TCP small servers and UDP small servers services disabled on the router? {applicable before Cisco IOS 11.3}
Control: A.12.6.1
Standard/Best Practice: These services are rarely used and hence can be disabled. They are disabled by default after Cisco IOS 11.3.
  Router(config)#no service tcp-small-servers
  Router(config)#no service udp-small-servers

Question: Is Cisco Discovery Protocol disabled on the router?
Control: A.11.4.4, A.12.6.1
Standard/Best Practice: CDP, which is used to obtain information such as the IP address and platform type of neighboring Cisco devices, should be disabled on the router if not used by any application.
  Router(config)# no cdp run
  OR
  Router(config-if)# no cdp enable

Question: Is the finger service disabled on the router? {applicable before Cisco IOS 11.3}
Control: A.11.4.4, A.11.5.4, A.12.6.1
Standard/Best Practice: Unauthorized persons can use the information obtained through this command for reconnaissance attacks. This service should be disabled.
  Router(config)#no service finger

Question: Is the Bootp server disabled on the routers?
Control: A.11.4.4, A.11.5.4, A.12.6.1
Standard/Best Practice: The Bootp server service, which is enabled by default, allows other routers to boot from this router. This feature should be disabled on the router as it is rarely used on today's networks. The following command is used to disable the service.
  Router(config)#no ip bootp server

Question: Is directed broadcast disabled on all interfaces? {applicable before Cisco IOS 11.3}
Control: A.12.6.1
Standard/Best Practice: Directed broadcasts permit a host on one LAN segment to initiate a physical broadcast on a different LAN segment. This feature should be disabled on the router as it could be used in denial-of-service attacks. The following command is used to disable the service.
  Router(config-if)#no ip directed-broadcast

Question: Is source routing disabled on the router?
Control: A.12.6.1
Standard/Best Practice: Source routing is a feature that allows individual packets to specify their own routes. This is used in various attacks. This feature should be disabled on the router. The following command is used to disable the service.
  Router(config)#no ip source-route

Question: Is Proxy ARP disabled on the router?
Control: A.12.6.1
Standard/Best Practice: Proxy ARP helps in extending a LAN at layer 2 across multiple segments, thereby breaking the LAN security perimeter. This feature should be disabled on the router. The following command is used to disable the service on individual interfaces.
  Router(config-if)#no ip proxy-arp

Question: Are ICMP redirects disabled on the router?
Control: A.12.6.1
Standard/Best Practice: The three ICMP messages that are commonly used by attackers for network mapping and diagnosis are Host Unreachable, Redirect and Mask Reply. Automatic generation of these messages should be disabled on all interfaces, especially those connected to untrusted networks. The following commands are used to disable the service.
  Router(config-if)#no ip redirects
  Router(config-if)#no ip unreachables
  Router(config-if)#no ip mask-reply
Password Encryption

Question: Do passwords appear in encrypted form when viewed in the configuration file?
Control: A.11.5.3
Standard/Best Practice: Passwords should appear encrypted when viewed through the configuration file. The following command is used to implement the same.
  Router(config)#service password-encryption
Authentication Settings

Question: Is enable secret used for the router enable mode?
Control: A.11.5.3
Standard/Best Practice: The enable secret command should be used to implement an MD5-hashed password for enable mode.
  Router(config)#enable secret password

Question: Does the enable secret password match any other username password, the enable password, or the enable secret password of another router in the network?
Control: A.11.5.3
Standard/Best Practice: The enable secret password should be unique to each router. If there are too many routers, then instead of keeping a single enable secret password for all of them, the password could be different for routers in different zones.

Question: Is a Message of the Day (MOTD) banner defined?
Control: A.11.5.1
Standard/Best Practice: Login banners should be used as a preventive measure against unauthorized access to the routers. Use the following command to enable a MOTD banner:
  Router# config t
  Router(config)# banner motd ^
  (the banner text follows, terminated by a second ^ delimiter)

Question: Are the following defined on the console port: 1. Exec-timeout 2. Password?
Control: A.11.5.1, A.11.3.1
Standard/Best Practice: These parameters should be defined on the console port to reduce the chance of unauthorized access through the console port. The following commands can be used to implement the same:
  Router(config)#line con 0
  Router(config-line)#exec-timeout 5 0
  Router(config-line)#password password
  Router(config-line)#login

Question: Is the aux port disabled?
Control: A.11.4.4
Standard/Best Practice: The aux port should be disabled if there is no business need for it. Use the following commands to disable the aux port:
  Router(config)#line aux 0
  Router(config-line)#no exec

Question: Are the following defined on the vty lines: 1. Exec-timeout 2. Password?
Control: A.11.5.1, A.11.3.1
Standard/Best Practice: These parameters should be defined on the vty lines to reduce the chance of unauthorized access. Use the following commands to enable these parameters on the vty lines:
  Router(config)#line vty 0 4
  Router(config-line)#exec-timeout 5 0
  Router(config-line)#password password
  Router(config-line)#login
  Router(config-line)#transport input protocol

Question: Are the vty lines restricted to certain IP addresses only?
Control: A.11.4.3
Standard/Best Practice: If the vty lines use telnet as the transport protocol, it is advisable to restrict access to certain IP addresses only, since telnet transmits data in clear text. Use the following commands to restrict vty access to certain IP addresses:
  Router(config)#access-list 50 permit 192.168.1.x   (x represents the IP address of the administrator's machine)
  Router(config)#access-list 50 deny any log
  Router(config)#line vty 0 4
  Router(config-line)#access-class 50 in

Question: According to policy, how often do router passwords (telnet, username, enable) have to be changed?
Control: A.11.5.3
Standard/Best Practice: Router passwords need to be changed periodically, typically once every 4-6 months depending on the functionality of the router.

Question: Do the router passwords meet the required complexity as defined by the policy?
Control: A.11.3.1
Standard/Best Practice: All passwords defined on the router should meet the following criteria:
  - Minimum 8 characters in length
  - Should be alphanumeric along with special characters (@#$%)
  - Should not include the organization's name

Question: Is SSH used for the vty lines?
Control: A.12.3.1
Standard/Best Practice: SSH is preferred over Telnet for vty access since it encrypts the data while in transit on the network.

Question: Do any applications use telnet to perform management activities such as backing up configuration?
Control: A.10.6.1
Standard/Best Practice: The Telnet protocol transfers data in clear text, thereby allowing an intruder to sniff valuable data such as passwords. As a remedy the following can be done:
  - Using secure protocols such as SSH wherever possible
  - Restricting access from certain workstations only
  - Maintaining strong passwords
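An added example, not part of the ISO27k checklist, that audits a saved Cisco IOS running-config against the items in the sections above: the global "no <service>" lines from Disable Unneeded Services, the per-interface ICMP and proxy ARP settings, and the exec-timeout, login, access-class and SSH-only transport on the vty lines. The sample config and the expected-line lists are constructed; a missing line is reported even where the IOS default may already be safe, because defaults are not printed in the configuration text, so confirm such findings with the corresponding show commands.

```python
# Constructed sample IOS running-config (not from the checklist); several items are left unset.
SAMPLE_CONFIG = """\
service password-encryption
no ip domain-lookup
no cdp run
interface GigabitEthernet0/0
 no ip redirects
 no ip proxy-arp
interface GigabitEthernet0/1
 shutdown
line vty 0 4
 exec-timeout 5 0
 login local
 transport input telnet
"""
# Lines the checklist expects to see explicitly; absence is reported even if the IOS default is safe.
EXPECTED = {
    "global": ["no ip domain-lookup", "no service tcp-small-servers", "no service udp-small-servers",
               "no cdp run", "no service finger", "no ip bootp server", "no ip source-route",
               "service password-encryption", "enable secret"],
    "interface": ["no ip redirects", "no ip unreachables", "no ip proxy-arp", "no ip mask-reply"],
    "line vty": ["exec-timeout", "login", "access-class", "transport input ssh"],
    "line aux": ["no exec"],
}

def parse_sections(config):
    """Group an IOS config into {'global': [...], 'interface X': [...], 'line vty 0 4': [...]}."""
    sections, current = {"global": []}, "global"
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):           # IOS indents a block's children by one space
            current = raw.strip() if raw.startswith(("interface ", "line ")) else "global"
            sections.setdefault(current, [])
            if current != "global":
                continue
        sections[current].append(raw.strip())
    return sections

def audit(config):
    """Return sorted 'scope: missing <line>' findings for the items the checklist asks for."""
    findings = []
    for scope, lines in parse_sections(config).items():
        if scope.startswith("interface") and "shutdown" in lines:
            continue                          # unused interface is shut down, as the checklist asks
        kind = next((k for k in EXPECTED if scope.startswith(k)), None)
        for want in EXPECTED.get(kind, []):
            if not any(line.startswith(want) for line in lines):
                findings.append(f"{scope}: missing '{want}'")
    return sorted(findings)
```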
Administrator Authentication

Question: Is authentication on the router done through:
  - Locally configured usernames and passwords
  - TACACS+/RADIUS server

Question: Is there a documented procedure for creation of users?
Control: A.10.1.1, A.11.2.1
Standard/Best Practice: A documented procedure for creation of administrators on the router should exist. The procedure should address:
  - Approval from the department head
  - Recording the authorization level given to the new administrator and its duration

Question: Does each router administrator have a unique account for himself/herself?
Control: A.11.2.1
Standard/Best Practice: Each router administrator should have a unique account to maintain accountability. The following commands can be executed to create unique local usernames on the router:
  Router(config)#username username password password
  Router(config)#line vty 0 4
  Router(config-line)#login local

Question: Is login and logout tracking/command logging for the router administrators through the TACACS+ system enabled?
Control: A.10.10.1, A.10.10.4
Standard/Best Practice: A detailed log of every command typed on the router, as well as when an administrator logged in or out, can be recorded for audit purposes.
  Router(config)#aaa accounting exec default start-stop group tacacs+
  Router(config)#aaa accounting commands 15 default start-stop group tacacs+

Question: Are all user accounts assigned the lowest privilege level that allows them to perform their duties? (Principle of Least Privilege)
Control: A.11.2.2
Standard/Best Practice: All user accounts should be assigned the lowest privilege level that allows them to perform their duties. If multiple administrators exist on the router, each administrator should be given an individual username and password and assigned the lowest privilege level.
Management Access

Question: Is the http/https server used for router management?
Control: A.10.6.1
Standard/Best Practice: This service allows the router to be monitored or have its configuration modified from a web browser. If not used, this service should be disabled.
  Router(config)#no ip http server
If this service is required, restrict access to the http/https service using access control lists.
  Router(config)#ip http access-class 22
  Router(config)#access-list 22 permit host mgmt-ip   (the management workstation's address)
  Router(config)#access-list 22 deny any log

Question: Which version of SNMP is used to manage the router?
Control: A.10.6.1
Standard/Best Practice: Ideally SNMP version 3 should be used on the router since it introduces authentication in the form of a username and password and offers encryption as well. Since the SNMP process is enabled by default, it should be disabled if not used.
  Router(config)# no snmp-server

Question: Is the SNMP process restricted to a certain range of IP addresses only?
Control: A.10.6.1, A.11.4.3
Standard/Best Practice: If SNMP v1 or v2c is used, ACLs should be configured to limit the addresses that can send SNMP commands to the device. SNMP v1 or v2c uses the community string as the only form of authentication, and it is sent in clear text across the network.
  Router(config)#access-list 67 permit host snmp-server   (the SNMP management server's address)
  Router(config)#access-list 67 deny any log

Question: Are the default community strings such as 'public' and 'private' changed?
Control: A.11.2.3
Standard/Best Practice: Default community strings such as 'public' and 'private' should be changed immediately, before bringing the router onto the network.

Question: How often is the SNMP community string changed?
Control: A.11.3.1
Standard/Best Practice: If SNMP v1 or v2c is being used, the SNMP community strings should be treated like root passwords by changing them often and introducing complexity in them.

Question: Is any access list defined that restricts the syslog host to receiving log messages from the routers only, and allows only administrators' systems to connect to the log host?
Control: A.11.4.6

Question: Is the NTP server service used to synchronize the clocks of all the routers?
Control: A.10.10.6
Standard/Best Practice: The NTP service, which is disabled by default, helps to synchronize clocks between networking devices, thereby maintaining a consistent time, which is essential for diagnostics, security alerts and log data. However, if configured insecurely, it could be used to corrupt the clocks of the network devices. To prevent this, restrict which devices have access to NTP. The service should also be disabled if not used.
Ingress/Egress Filtering

Question: Is RFC 1918 filtering implemented?
Control: A.11.4.7
Standard/Best Practice: RFC 1918 addresses are meant to be used for internal networks only and have no reason to be seen on the Internet. The following access-lists should be implemented on the Internet router:
  Router(config)#access-list 101 deny ip [Link] [Link] any log
  Router(config)#access-list 101 deny ip [Link] [Link] any log
  Router(config)#access-list 101 deny ip [Link] [Link] any log
  Router(config)#access-list 101 permit ip any any

Question: Is uRPF enabled on the Cisco router?
Control: A.11.4.7
Standard/Best Practice: Unicast Reverse Path Forwarding is an alternative to RFC 2827 filtering. It can be enabled using the following command:
  Router(config-if)#ip verify unicast reverse-path
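An added example, not part of the checklist, that evaluates standard and extended IOS access-lists of the kind used above (the vty access-class list 50 and the RFC 1918 ingress list 101) against a source address, showing wildcard-mask matching, first-match ordering and the implicit deny at the end of every list. The sample ACLs are constructed; list 101 is written with the full RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), which the checklist shows only as placeholders.

```python
import ipaddress
# Constructed sample ACLs in IOS syntax (not from the checklist): list 50 is the vty access-class
# list, list 101 the RFC 1918 ingress filter with the private ranges written out in full.
SAMPLE_ACLS = """\
access-list 50 permit 192.168.1.10
access-list 50 deny any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 permit ip any any
"""
ANY = (0, 0xFFFFFFFF)   # 0.0.0.0 with an all-ones wildcard matches every address

def _addr(text):
    return int(ipaddress.IPv4Address(text))

def _parse_spec(tokens):
    """Consume one IOS address spec: 'any', 'host A', 'A WILDCARD', or a bare host
    address as in standard ACLs. Returns ((address, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (_addr(tokens[1]), 0), tokens[2:]
    if len(tokens) > 1 and tokens[1].count(".") == 3:       # explicit wildcard mask
        return (_addr(tokens[0]), _addr(tokens[1])), tokens[2:]
    return (_addr(tokens[0]), 0), tokens[1:]

def parse_acls(config):
    """Group 'access-list N action ...' entries by list number, preserving order."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        if number >= 100:              # extended: protocol, source, destination
            src, rest = _parse_spec(rest[1:])
            dst, rest = _parse_spec(rest)
        else:                          # standard: source address only
            src, rest = _parse_spec(rest)
            dst = ANY
        acls.setdefault(number, []).append((action, src, dst, "log" in rest))
    return acls

def evaluate(acls, number, src, dst="0.0.0.0"):
    """Return (action, logged) for the first matching entry. IOS ends every list
    with an implicit, unlogged deny, so an unmatched packet is denied."""
    s, d = _addr(src), _addr(dst)
    for action, (sa, sw), (da, dw), logged in acls.get(number, []):
        if (s & ~sw) == (sa & ~sw) and (d & ~dw) == (da & ~dw):  # set wildcard bit = don't care
            return action, logged
    return "deny", False
```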
Routing Protocol Security

Question: Is routing protocol message authentication enabled?
Control: A.11.4.7
Standard/Best Practice: Message authentication helps prevent the spoofing or modification of a valid routing protocol message.
Configuration Maintenance

Question: How often are the router configurations backed up?
Control: A.10.5.1
Standard/Best Practice: Router configurations should be backed up periodically, depending on their importance and the frequency of changes made to the configuration.

Question: Is the backup moved to an off-site/DR site?
Control: A.10.5.1
Standard/Best Practice: Backup copies should be maintained off-site for quick recovery during a disaster.

Question: On the system where the configuration files are stored, are the local operating system's security mechanisms used to restrict access to the files (i.e., the machine should be password protected and prevent unauthorized individuals from accessing it)?
Control: A.10.5.1
Standard/Best Practice: If a file server is used to store configuration files, the files should be restricted to authorized personnel only.

Question: Is the TFTP protocol used to transfer configuration or image files to and from the router? If yes:
  - Is the TFTP process restricted to certain addresses only?
  - Is the TFTP service disabled when not in use?
Control: A.10.6.1
Standard/Best Practice: The TFTP protocol, which is disabled by default, transfers files in clear text and hence is unsafe to use. The TFTP process should be restricted to certain addresses only (management workstations) to reduce the risk. The service should also be disabled when not in use because it allows access to certain files in the router flash.

Question: Is there a documented procedure for backup of router configurations?
Control: A.10.5.1
Router Change Management

Question: Are all router changes and updates documented in a manner suitable for review according to a change management procedure?
Control: A.10.1.2

Router Redundancy

Question: Is there router redundancy in cold standby or hot standby?
Control: A.14.1.3

Question: Are disaster recovery procedures for the router/network documented, and are they tested?
Control: A.14.1.3, A.14.1.5
Log Monitoring and Incident Handling

Question: Are all attempts to any port, protocol, or service that is denied logged?
Control: A.13.1.1

Question: Is the CPU utilization/memory of the router monitored?
Control: A.10.10.2

Question: Is logging to a syslog server enabled on the router?
Control: A.10.10.1, A.13.1.1
Standard/Best Practice: Syslog messages allow for easy troubleshooting of the network. Use the following commands to enable syslog:
  Router(config)#logging syslog-ip-address
  Router(config)#service timestamps log datetime localtime msec show-timezone

Question: Are procedures for review of the audit logs generated by the router documented and followed?
Control: A.10.1.1

Question: How often are the router logs (covering administrator access/access control) reviewed?
Control: A.10.10.1, A.10.10.2, A.10.10.5

Question: Are reports and analyses carried out based on the log messages?
Control: A.13.2.2

Question: What is the course of action to be followed if any malicious incident is noticed?
Control: A.13.2.1

Security Updates

Question: Is the network engineer aware of the latest vulnerabilities that could affect the router?
Control: A.6.1.7, A.12.6.1
Standard/Best Practice: The network engineer should receive periodic updates on the vulnerabilities and patches affecting the router.
This work is copyright © 2007, ISO27k implementers' forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k implementers' forum ([Link]), and (c) derivative works are shared under the same terms as this.