This section covers Cisco's recommended best practices for configuring Cisco equipment.
Category | Risk | Exception | OS |
---|---|---|---|
BGP | Medium | BGP Consistency Check not enabled | IOS |
EIGRP | High | EIGRP auto summarization enabled (default enabled) | IOS |
EIGRP | Medium | Default EIGRP Passive Interface not configured. | IOS |
EIGRP | Medium | EIGRP MD5 Disabled on Interface | IOS |
EIGRP | Medium | No EIGRP router-id configured | IOS |
EIGRP | Medium | No Redistribution Metrics Defined for EIGRP | IOS |
IP Applications | Medium | HSRP Preempt delay not configured | IOS |
IP Applications | Medium | NTP not protected by ACL | IOS |
IP Applications | Medium | Standby delay minimum reload not configured | IOS |
IP Applications | Low | NTP Update Calendar Disabled | IOS |
IP Applications | Low | NTP authentication not enabled | IOS |
IP Applications | Low | NTP enabled without time zone | IOS |
IP Applications | Low | NTP source interface not defined | IOS |
IP Applications | Low | NTP summertime not enabled | IOS |
IP Applications | Low | No redundant NTP server | IOS |
IP Routing | Medium | IOS Static Route Missing Parameters | IOS |
IP Routing | Medium | Recursive static routes are present | IOS |
IP Routing | Low | IP Classless disabled | IOS |
IP Routing | Low | Name Parameter Missing from Static Routes | IOS |
IP Routing | Low | NetBIOS UDP broadcasts enabled | IOS |
Infrastructure | High | Cisco IOS Image Verification | IOS |
Infrastructure | Low | Exec enabled on line aux | IOS |
LAN | High | Spanning-tree disabled on one or more VLANs | IOS |
LAN | Medium | BPDU Guard Not Enabled | IOS |
LAN | Medium | Loopguard not configured | IOS |
LAN | Medium | MAC address move notification not enabled | IOS |
LAN | Medium | Portfast not enabled on access or edge port | IOS |
LAN | Medium | UDLD Globally Disabled | IOS |
LAN | Medium | VLANs not cleared from trunk | IOS |
LAN | Medium | VTP domain name not set | IOS |
LAN | Low | Complete Power-on Diagnostics Disabled | IOS |
LAN | Low | Dynamic trunking is enabled on a static access port | IOS |
LAN | Low | StackWise SNMP Traps Not Enabled | IOS |
Management | Medium | CDP disabled on an interface | IOS |
Management | Medium | Logging to the console is enabled | IOS |
Management | Medium | Loopback interface not used | IOS |
Management | Medium | SNMP server memory traps not enabled | IOS |
Management | Medium | Syslog level not set to informational | IOS |
Management | Medium | WarmStart SNMP Traps Not Enabled | IOS |
Management | Low | CPU Thresholding Notification is not enabled. | IOS |
Management | Low | ColdStart SNMP Traps Not Enabled | IOS |
Management | Low | Configuration Management SNMP Traps Not Enabled | IOS |
Management | Low | Interface level syslog events not disabled | IOS |
Management | Low | Interface traps not disabled on at least one interface | IOS |
Management | Low | Linkup and Linkdown SNMP Traps Not Enabled | IOS |
Management | Low | Memory Threshold Notifications (I-O) Not Enabled | IOS |
Management | Low | Memory Threshold Notifications (Processor) Not Enabled | IOS |
Management | Low | Nagle service disabled | IOS |
Management | Low | No interface description | IOS |
Management | Low | No redundant SNMP trap receiver | IOS |
Management | Low | No redundant syslog server | IOS |
Management | Low | SNMP Interface Index Persistence not enabled | IOS |
Management | Low | SNMP contact not defined | IOS |
Management | Low | SNMP location not defined | IOS |
Management | Low | SNMP trap source not defined | IOS |
Management | Low | SNMP traps not enabled | IOS |
Management | Low | Syslog source interface not defined | IOS |
Management | Low | The Call Home feature is not configured | IOS |
Management | Low | The Enhanced Crashinfo File Collection feature is not configured. | IOS |
Management | Low | Timestamping for debugging not set for datetime | IOS |
Management | Low | Timestamping for logging not set for datetime | IOS |
Management | Low | Unnecessary Syslog SNMP trap configured | IOS |
Security | High | Enable password not adequately protected | IOS |
Security | High | SNMP access for IPv4 is not protected with an access-list. | IOS |
Security | High | The aaa authentication login command(s) is/are not configured optimally. | IOS |
Security | High | Vlan 1 interface used | IOS |
Security | Medium | AAA connection accounting disabled | IOS |
Security | Medium | AAA system accounting disabled | IOS |
Security | Medium | DHCP server enabled | IOS |
Security | Medium | HSRP Updates not authenticated | IOS |
Security | Medium | HSRP Virtual MAC Address not modified | IOS |
Security | Medium | HTTP secure-server is enabled. | IOS |
Security | Medium | HTTP server enabled | IOS |
Security | Medium | ICMP redirects not disabled on an Interface | IOS |
Security | Medium | IOS Software Resilient Configuration secure boot-config disabled | IOS |
Security | Medium | Local user account is not protected against potential brute-force attacks | IOS |
Security | Medium | PAD service enabled | IOS |
Security | Medium | SNMPv3 not used | IOS |
Security | Medium | SSH Not Used or Not Used Exclusively for Remote Access. | IOS |
Security | Medium | SSH V2 not used for device Access | IOS |
Security | Medium | Security Password Minimum Length Less Than 8 | IOS |
Security | Medium | Unicast reverse path disabled | IOS |
Security | Medium | VTY line timeout disabled | IOS |
Security | Medium | VTY line timeout is longer than 30 mins | IOS |
Security | Medium | VTY lines not protected with an access list | IOS |
Security | Low | A user account is not protected with MD5 | IOS |
Security | Low | Authentication SNMP Traps Not Enabled | IOS |
Security | Low | BOOTP server enabled | IOS |
Security | Low | CDP is enabled globally and active on all interfaces. | IOS |
Security | Low | DHCP lease time low or infinite | IOS |
Security | Low | ICMP unreachables enabled on all interfaces of this device. | IOS |
Security | Low | IP Source Routing enabled | IOS |
Security | Low | IP options allowed | IOS |
Security | Low | Incorrectly entered commands will generate a DNS lookup. | IOS |
Security | Low | Password recovery is Enabled | IOS |
Security | Low | Proxy ARP is enabled | IOS |
Security | Low | Redundant AAA server unavailable | IOS |
Security | Low | Security authentication failure rate disabled | IOS |
Security | Low | Service sequence-numbers not enabled | IOS |
Security | Low | TACACS+ packets not being sourced from a specifically defined interface | IOS |
Security | Low | TCP keepalives not enabled in both directions | IOS |