Thank you for pointing this document out to me. Unfortunately, I have read the document, and it still does not answer the question, "Why should we do that?" to a satisfactory degree. I am in a position where my customers would like to apply these architectures as they make sense. In order to determine whether they make sense in their own particular network, we need to find a more in depth explanation than what is offered here. Some of the configurations, such as the "no ip domain-lookup," are not explained at all.
Also, I forgot to include the access lists for NTP as an issue. If NTP is configured only to use one or two servers, what extra protection does the access list limiting it to those servers give?
The document you indicated has been helpful in some areas, so I am not discouraging people from reading it. It gives a decent overview of what the architecture is, but I would like to know more of the thinking behind it.
Maybe it would be better to manage these issues one at a time with more specific questions.
We all know that no ip domain-lookup saves us some misery when we fat-finger a command. But since it is a SAFE guideline, I would assume that having domain-lookup enabled is some kind of security risk. What is the risk involved, and how does turning off domain-lookup ameliorate that risk?
I was just browsing around and saw your question. Domain Lookup doesn't have any security vulnerabilities that I'm aware of. We put it in the config as something we're doing on all our boxes. I didn't mean to imply that there are specific security risks.
CDP, however, could be a security risk as a user would be able to determine the basic configuration of a Cisco device he was directly connected to.
The AAA config is just giving us the ability to track what users are able to do on a box.
Service password encryption gives you some weak encryption to mitigate against password "shoulder surfing". The enable secret is a very strong encryption just for the enable password.
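An added example (my own, not code from the thread) that checks a running-config excerpt for the points raised in the replies above: CDP left on, missing service password-encryption, reliance on enable password instead of enable secret, and clear-text or type 7 passwords. The sample config, hostname and password strings are constructed, and the CDP check assumes CDP is on unless explicitly disabled.

```python
import re

# Constructed sample running-config excerpt (not from the thread); it contains
# each setting the replies discuss so every check below fires at least once.
SAMPLE_CONFIG = """\
no service password-encryption
hostname EDGE-RTR
no ip domain-lookup
enable password cisco123
username admin password 7 094F471A1A0A
enable secret 5 $1$abcd$placeholderhash
line vty 0 4
 password plainvty
 login
"""

# Matches 'enable password', line 'password' and 'username X password' with an
# optional encryption-type number (0 = clear, 7 = reversible, 5/8/9 = hashed).
PASSWORD_RE = re.compile(r"^\s*(enable password|username \S+ password|password)\s+(?:(\d+)\s+)?(\S+)")

def audit_ios_config(config: str) -> list[str]:
    """Return findings for the hardening points raised in the thread above."""
    lines = [l.rstrip() for l in config.splitlines()]
    findings = []
    # CDP: a directly connected host can read platform, IOS version and addresses.
    # Assumes CDP is on by default, so only an explicit 'no cdp run' clears it.
    if "no cdp run" not in lines:
        findings.append("cdp: CDP not disabled globally (no 'no cdp run')")
    # Without service password-encryption, line/username passwords sit in clear text.
    if "service password-encryption" not in lines:
        findings.append("service: 'service password-encryption' missing; line passwords stored in clear text")
    if not any(l.startswith("enable secret") for l in lines):
        findings.append("enable: no 'enable secret'; enable access relies on weaker 'enable password'")
    for l in lines:
        m = PASSWORD_RE.match(l)
        if not m:
            continue
        keyword, ptype, _ = m.groups()
        if ptype in (None, "0"):
            findings.append(f"{keyword}: clear-text password ('{l.strip()}')")
        elif ptype == "7":
            findings.append(f"{keyword}: type 7 is reversible, not a hash ('{l.strip()}')")
    return findings

if __name__ == "__main__":
    for f in audit_ios_config(SAMPLE_CONFIG):
        print(f)
```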