Rationale for SAFE router config guidelines

What is the rationale for the following guidelines from the SAFE architecture? (What are the security risks associated with them, and how does this configuration impede those risks?)

no ip domain-lookup

no cdp run

no ip source-route

aaa authentication login default tacacs+ (and associated line commands)

aaa authorization exec tacacs+

aaa authorization network tacacs+

aaa accounting network start-stop tacacs+

aaa accounting exec start-stop tacacs+

enable secret (what advantage does this have over enable password with the "service password-encryption" command?)

Thank you,

Mark Freivald

4 REPLIES
New Member

Re: Rationale for SAFE router config guidelines

New Member

Re: Rationale for SAFE router config guidelines

Thank you for pointing this document out to me. Unfortunately, I have read the document, and it still does not answer the question, "Why should we do that?" to a satisfactory degree. I am in a position where my customers would like to apply these architectures as they make sense. In order to determine whether they make sense in their own particular network, we need to find a more in depth explanation than what is offered here. Some of the configurations, such as the "no ip domain-lookup," are not explained at all.

Also, I forgot to include the access lists for NTP as an issue. If NTP is configured only to use one or two servers, what extra protection does the access list limiting it to those servers give?

The document you indicated has been helpful in some areas, so I am not discouraging people from reading it. It gives a decent overview of what the architecture is, but I would like to know more of the thinking behind it.

Thank you,

Mark

New Member

Re: Rationale for SAFE router config guidelines

Maybe it would be better to manage these issues one at a time with more specific questions.

We all know that no ip domain-lookup saves us some misery when we fat-finger a command. But since it is a SAFE guideline, I would assume that having domain-lookup enabled is some kind of security risk. What is the risk involved, and how does turning off domain-lookup ameliorate that risk?

Any ideas?

Thanks,

Mark

New Member

Re: Rationale for SAFE router config guidelines

Hi Mark,

I was just browsing around and saw your question. Domain Lookup doesn't have any security vulnerabilities that I'm aware of. We put it in the config as something we're doing on all our boxes. I didn't mean to imply that there are specific security risks.

CDP, however, could be a security risk as a user would be able to determine the basic configuration of a Cisco device he was directly connected to.

The AAA config is just giving us the ability to track what users are able to do on a box.

Service password encryption gives you some weak encryption to mitigate against password "shoulder surfing". The enable secret is a very strong encryption just for the enable password.

Thanks,

Sean
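To make Sean's last point concrete, here is an added example that is not part of the thread: IOS "type 7" strings produced by service password-encryption are a fixed-key XOR that anyone holding the config text can reverse, whereas enable secret stores a one-way hash. The key constant comes from long-published descriptions of the format; the sample config and the type 5 hash in it are constructed placeholders.

```python
import re

# Fixed XOR key used by IOS type 7 obfuscation (published description, not a secret).
_T7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Reverse a 'password 7' string.

    Layout: two decimal digits giving an offset into the key, then hex pairs,
    each the plaintext byte XORed with the next key byte. Nothing secret is used,
    which is why this "encryption" only defeats shoulder surfing.
    """
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _T7_KEY[(seed + i) % len(_T7_KEY)] for i, b in enumerate(data))
    return plain.decode()


def type7_encode(plain: str, seed: int = 6) -> str:
    """Build a type 7 string the same way IOS does; round-trips with type7_decode."""
    data = bytes(ord(c) ^ _T7_KEY[(seed + i) % len(_T7_KEY)] for i, c in enumerate(plain))
    return f"{seed:02d}" + data.hex().upper()


_PASS7 = re.compile(r"^\s*(?:enable )?password 7 (\S+)")
_SECRET5 = re.compile(r"^\s*enable secret 5 \S+")


def audit_config(config: str) -> list:
    """Return (finding, line) pairs for each credential line in an IOS config text."""
    findings = []
    for line in config.splitlines():
        m = _PASS7.match(line)
        if m:
            findings.append(("reversible type 7 (use enable secret / type 5 instead)", line.strip()))
        elif _SECRET5.match(line):
            findings.append(("one-way type 5 hash: ok", line.strip()))
    return findings


# Constructed sample config; the secret hash is a placeholder, not a real digest.
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 060506324F41
enable secret 5 $1$PLACEHOLDER$placeholderplaceholderx
line vty 0 4
 password 7 060506324F41
"""
```

Running `audit_config(SAMPLE_CONFIG)` flags both type 7 lines and accepts the type 5 line; `type7_decode("060506324F41")` recovers the well-known test string "cisco".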
