Cisco Support Community
Hardening CiscoWorks LMS 2.5 box

Does anyone have any experience of hardening a Solaris 9 box with the CIS (www.cis.org) scripts? They involve closing off protocols and certain processes and boot procedures.

I'm interested to know if anyone has customised these scripts to harden their servers to a decent standard that still allows LMS 2.5 full capability.

TIA

Re: Hardening CiscoWorks LMS 2.5 box

The CIS-type scripts are pretty restrictive, by design. CiscoWorks server requires a good number of ports and protocols, depending on how many of the components you are using and whether or not they are all on a single server (e.g., interprocess communications don't need to be allowed outside of the box). We used a similar hardening protocol developed in-house at my old job.

You can see the list of ports and protocols used by the various releases of CW server at the following location: http://www.cisco.com/en/US/customer/products/sw/cscowork/ps563/tsd_products_support_design_technotes_list.html

Personally I'd advocate a less restrictive approach for the actual server combined with more of a defense-in-depth setup for the entire system - for instance, putting your management devices on a dedicated VLAN with ACLs on the perimeter router(s) to allow only management protocols and logins from internal users.

The restrictiveness of the CIS regime appears to assume the host is sitting otherwise 'naked' on the public internet.
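One way to realise the dedicated management VLAN the reply describes, as an added example that is neither from this thread nor from Cisco's documentation. All addresses are constructed placeholders, only the standard port for each protocol is shown, and the interface name is assumed; LMS's own application ports would be taken from the Cisco port list linked above.

```ios
! Added example, not from the thread or from Cisco: an extended ACL on the
! perimeter router of a dedicated management VLAN that holds the LMS server.
! All addresses are constructed placeholders:
!   LMS server         10.10.10.5 (management VLAN 10.10.10.0/24)
!   admin workstations 10.20.0.0/24 (the "internal users")
!   managed devices    10.0.0.0/8
! Only standard protocol ports are listed; LMS-specific application ports
! come from the Cisco port/protocol list referenced in the reply.
ip access-list extended MGMT-VLAN-IN
 remark -- admin logins to the LMS box: SSH and the HTTPS front end --
 permit tcp 10.20.0.0 0.0.0.255 host 10.10.10.5 eq 22
 permit tcp 10.20.0.0 0.0.0.255 host 10.10.10.5 eq 443
 remark -- managed devices reporting in: SNMP traps and syslog --
 permit udp 10.0.0.0 0.255.255.255 host 10.10.10.5 eq snmptrap
 permit udp 10.0.0.0 0.255.255.255 host 10.10.10.5 eq syslog
 remark -- replies to polls and sessions the LMS server itself initiated --
 permit udp 10.0.0.0 0.255.255.255 eq snmp host 10.10.10.5
 permit icmp 10.0.0.0 0.255.255.255 host 10.10.10.5 echo-reply
 permit tcp 10.0.0.0 0.255.255.255 host 10.10.10.5 established
 remark -- everything else heading into the management VLAN is dropped and logged --
 deny   ip any any log
!
! Assumed interface name: the router port facing the internal networks.
! Applied inbound, so it filters traffic entering the router on its way
! to the management VLAN; traffic LMS sends outward is left unfiltered.
interface GigabitEthernet0/1
 description Toward internal networks; protects the management VLAN
 ip access-group MGMT-VLAN-IN in
```

The logged deny line doubles as a cheap detection feed: anything that shows up there is a host that should not be talking to the management VLAN at all.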
