Security Procedures

Cisco IPSec VPN Gateway – ISR G2 and ASR 1000 Series Devices

January 2017, Issue No: 1.0


The copyright of this document is reserved and vested in the Crown.

Document history

Version   Date           Comment
1.0       January 2017   First public issue


About this document

These Security Procedures provide guidance for the secure operation of Cisco IPSec VPN Gateway – ISR G2 and ASR 1000 Series Devices with regard to their ability to provide IPsec VPN tunnels for CPA Foundation Grade. This document is intended for System Designers, Risk Managers and Accreditors. CESG[1] recommends that you establish whether any departmental or local standards, which may be more rigorous than national policy, should be followed in preference to those given in these Security Procedures. The Security Procedures come from detailed technical assessment carried out by CESG. They do not replace tailored technical or legal advice on specific systems or issues. CESG and its advisors accept no liability whatsoever for any expense, liability, loss, claim or proceedings arising from reliance placed on this guidance. Cisco IPSec VPN Gateway – ISR G2 and ASR 1000 Series Devices should be deployed in accordance with your Risk Management and Accreditation Documentation Set (RMADS).

Related documents

The documents listed in the References section are also relevant to the secure deployment of this product. For detailed information about device operation, refer to the product documentation for Cisco IPSec VPN Gateway – ISR G2 and ASR 1000 Series Devices.

Points of contact

For enquiries regarding CPA or this document, please see https://www.ncsc.gov.uk/contact

[1] These Security Procedures were written before, but published after, CESG was subsumed into the UK's National Cyber Security Centre (NCSC) in October 2016.


Contents

Chapter 1 - Outline Description
    Introduction
    Certification
Chapter 2 - Security Functionality
Chapter 3 - Secure Operation
    Introduction
    Pre-installation
    Initial Configuration
    Interface Configuration
    Secure Configuration Tool
    User Authentication and Device Administration
    Cryptographic Configuration and Operation
    Certificate Enrolment
    Example VPN Tunnel Setup
    Maintenance and updates
    System logs
    Anti-Hammer
    User education
Chapter 4 - Security Incidents
    Incident management
Chapter 5 - Disposal and Destruction
    Key Erasure
    Disposal and Destruction
    Emergency Destruction
References


Chapter 1 - Outline Description

Introduction

1. The Cisco ISR G2 family of routers offers secure, wire-speed delivery of concurrent data, voice and video services, and includes features such as hardware-based VPN encryption acceleration using IPsec, intrusion-protection and firewall functions, and optional integrated call processing and voice mail. ISR G2 routers run Cisco IOS software.

2. The Cisco ASR 1000 family of routers provides secure WAN aggregation services, integrated threat and defence services at the WAN or Internet edge, data centre interconnect routing and equipment services at managed customer premises, or delivers complex residential or business services from the provider edge. ASR 1000 routers run Cisco IOS-XE software.

3. The products’ non-IPsec VPN features, and alternative deployment scenarios, are outside the scope of this document.

4. This document details the security procedures for Cisco ISR 800, 1900, 2900, 3900, 4000 Series routers and Cisco ASR 1000 Series routers. General guidance documentation is offered by Cisco through its website (www.cisco.com).

Certification

5. Cisco IPSec VPN Gateway – ISR G2 and ASR 1000 Series Devices[2] have undergone CPA assessment as a Hardware Gateway and have been certified as meeting the Foundation Grade requirements described in the IPsec Security Gateway Security Characteristic, Version 2.3 [SC]. Later versions of the product(s) are automatically covered by this certification until the certificate expires or is revoked, as stated on the product's certificate and on the CPA website.

6. It is recommended that the devices are used in an environment that is accredited to the international standard ISO 27001:2014 Information Security Management System, taking into consideration ISO 27005:2011 Information Security Risk Management; see [ISO27K].

[2] In this document, any reference to "product" or "device" is a reference to one, some or all of the Cisco IPSec VPN Gateway – ISR G2 and ASR 1000 Series Devices.

Chapter 2 - Security Functionality

7. Cisco IPSec VPN Gateway – ISR G2 and ASR 1000 Series Devices are configurable to provide IPsec VPN tunnels, in accordance with the requirements of the PSN End-State IPsec Profile detailed below. The remainder of this document is concerned with deploying these devices to provide this functionality in a secure manner in accordance with CESG's CPA Scheme requirements.

8. Note that any other functionality of Cisco IPSec VPN Gateway – ISR G2 and ASR 1000 Series Devices is outside the scope of CPA certification and hence outside the scope of this document.

9. The PSN End-State IPsec Profile is summarised in [SC] as follows:

Module   Algorithm type            Algorithm details
ESP      Encryption                AES-128 in GCM-128
IKEv2    Encryption                AES-128 in GCM-128 (and optionally CBC[3])
IKEv2    Pseudo-Random Function    HMAC-SHA256-128
IKEv2    Diffie-Hellman Group      256-bit random ECP (RFC 5903), Group 19
IKEv2    Authentication            ECDSA-256 with SHA256 on P256 curve

10. The PSN Interim IPsec Profile[4] is summarised in [SC] as follows:

Algorithm               Description
Encryption              AES128_CBC
PRF                     SHA-1
Diffie-Hellman group    Group 5 (1536 bits)
Signature               RSA with X.509 certificates

[3] If supporting CBC for IKEv2 encryption, the integrity algorithm that must be used is HMAC-SHA256-128.
[4] The PSN Interim IPsec Profile was formally supported until 2015.


11. [IOSHG] provides guidance on hardening Cisco IOS devices. In addition:

• [IKE1G] and [IKE2G] provide IKEv1 and IKEv2 configuration guidance;

• [IPSecG] provides IPsec configuration guidance;

• [PKIG] provides PKI configuration guidance.


Chapter 3 - Secure Operation

Introduction

12. These recommendations outline a configuration for Cisco IPSec VPN Gateway – ISR G2 and ASR 1000 Series Devices that is in line with the IPsec Security Gateway Security Characteristic [SC]. These requirements should be followed unless there is a strong business requirement not to do so. Any such instances and associated risks should be discussed with the relevant Accreditor.

13. These recommendations cover the secure configuration and operation of the product families. Generally, all commands referenced in this section are entered in global configuration mode. Some commands enter a sub-configuration mode, which can be left with the 'exit' command to return to global configuration mode. When commands are entered in a sub-configuration mode, they are shown indented in command lists. To enter global configuration mode, the following commands should be used:

Device> enable
Device# configure terminal
Device(config)#

14. In general, CESG recommends using the Cisco feature navigator http://www.cisco.com/go/cfn where further support is required. Further advice, that is specific to the ISR G2 and ASR 1000 product families, is documented in [ASRCG] and [ISRCG], and is available online at [ASROCG] and [ISROCG].

Pre-installation

15. Before installing Cisco IPSec VPN Gateway – ISR G2 and ASR 1000 Series Devices, CESG recommends that you take the following pre-installation actions.

16. Devices should be placed in a secure facility, with suitable physical access controls, accredited to the level commensurate with the level of classified material that will traverse the device.

17. Tamper evident seals and opacity shields should be installed, and regular physical inspection of devices - to look for evidence of tampering - should be performed. Discovered signs of device tampering should be reported as soon as possible to the appropriate incident response contact, who will take appropriate steps (see Chapter 4 Security Incidents). Devices with evidence of tampering must be removed from service and must not be returned to service under any circumstances (also see Chapter 5 Disposal and Destruction).

18. A trusted non-public certificate authority should be configured to enable provisioning and revocation of certificates for use with the IPsec VPN functionality of the device, and to prevent use of fraudulent certificates. Device certificates should be renewed every 12 months, and when a certificate is replaced any superseded certificate that has not yet expired should be revoked. All certificate management should be performed by trusted personnel in an appropriately accredited, secure environment. Setting up a non-public certificate authority is specific to the enterprise infrastructure and is therefore outside the scope of this document. Management of device specific certificates is detailed in the section below on Cryptographic Configuration and Operation.

19. A trusted NTP server should be set up, which the device can connect to in order to ensure accurate log time-stamping and certificate validity timeframes. Configuration of such a server is not product specific and is therefore outside the scope of this document.

20. If it is intended to transfer downloaded image updates to the device by TFTP, then a TFTP server should be set up for this purpose. Its communication with the device should be such that there is no possibility of modification to the image while in transit to the device. (For example, this could be done by temporarily connecting the TFTP server directly to an Ethernet port on the device for the sole purpose of transferring a trusted update image.) Setup of a TFTP server is outside the scope of this document, but knowledge of such a setup is assumed in the following section.

21. All other devices which are to form endpoints of an IPsec VPN tunnel with the product families must have CPA Foundation Grade certification.

Initial Configuration

22. Initial configuration should be performed over the local console port interface. [CICFCR] provides Cisco guidance for configuring and encrypting passwords. [CPP] provides further Cisco detail on configuring passwords and privileges.

23. The software must be updated to the latest available version, using a trusted image, from: https://software.cisco.com/download/navigator.html

24. Verification of Cisco's image download site should be performed by checking the validity of the certificate presented during an HTTPS connection to the site. When the site has been verified, the MD5 checksum of the downloaded image should also be compared with the value published on the download page (where the page also lists a SHA512 checksum, prefer that, since MD5 is no longer collision resistant). A checksum only shows that the file arrived intact; it is the HTTPS check that ties the published value to Cisco, which is why the image can be trusted only if both checks are successful.

25. To move trusted images to the device, a standard method is to use a TFTP server hosting the file. If this method is used, it should be done in a manner such that there is no possibility of an image being modified in transit to the device (e.g. by temporary direct cable access between the TFTP server and the device). Once the TFTP server is available, the interactive copy command may be used to place the image on the device using the TFTP protocol.


26. ASR 1000 Series:

copy tftp bootflash:

27. ISR G2 Series:

copy tftp flash:

28. Other protocols compatible with the copy command are listed in the copy section of [CICFCR] and may be used to transfer the trusted image to the device, bearing in mind the potential for image modification in transit.

29. For ASR 1000 Series devices, once the trusted image is copied to the bootflash: file system - that is not storing any previously installed sub-packages or consolidated packages - it may be installed using the following commands:

config-register 0x2102
boot system flash bootflash:<image>
copy run start
reload

30. For the ISR G2 Series, once the trusted image is copied to the device flash0: memory:

no boot system
boot system flash0:<image>
config-register 0x2102
copy run start
reload
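Checking the downloaded image against the published checksum (paragraphs 24 and 25) can be scripted on the administrator's workstation before the file is offered to the TFTP server. The following is an added example written for this page, not from the CESG document, Cisco or the Secure Configuration Tool; it assumes the checksum is copied from the download page as a hex string, and it uses a constructed stand-in file in place of a real image. After transfer, the IOS command verify /md5 <filesystem>:<image> <checksum> recomputes and compares the MD5 on the device itself.

```python
"""Verify a downloaded Cisco image against the checksum shown on the download
page before it is transferred to the device (paragraphs 24 and 25).
Added example for this page; not from the CESG document or from Cisco."""
import hashlib
import hmac
import os
import tempfile

# Hex-digest lengths of the two checksum types Cisco publishes on its download site.
ALGORITHMS = {32: "md5", 128: "sha512"}


def hash_file(path: str, algorithm: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through the hash; IOS images are hundreds of MB."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path: str, published_checksum: str) -> dict:
    """Compare the file against the published hex digest.

    The algorithm is taken from the digest length rather than guessed; anything
    else is rejected. hmac.compare_digest avoids a data-dependent comparison.
    A matching checksum shows the file is intact; only the HTTPS check of the
    download site says it came from Cisco, so both are required."""
    published = published_checksum.strip().lower()
    algorithm = ALGORITHMS.get(len(published))
    if algorithm is None or set(published) - set("0123456789abcdef"):
        raise ValueError("published checksum is not a Cisco MD5 or SHA512 hex digest")
    computed = hash_file(path, algorithm)
    return {"ok": hmac.compare_digest(computed, published),
            "algorithm": algorithm, "computed": computed}


def demo() -> tuple:
    """Constructed stand-in for an image: check an intact copy and a copy with one
    byte changed against the same published SHA512 value."""
    image = b"CISCO-IMAGE-STAND-IN" * 1000        # constructed, not a real image
    published = hashlib.sha512(image).hexdigest()  # the value the download page would show
    with tempfile.TemporaryDirectory() as d:
        intact = os.path.join(d, "image.bin")
        tampered = os.path.join(d, "image-tampered.bin")
        with open(intact, "wb") as f:
            f.write(image)
        with open(tampered, "wb") as f:
            f.write(image[:-1] + b"X")
        return verify_image(intact, published)["ok"], verify_image(tampered, published)["ok"]


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Reject rather than guess when the published string is not a recognised digest length: a truncated paste of a SHA512 value must not be silently verified as something else.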

31. The local username database should be configured to ensure that only administrative users are able to authenticate via a local management interface and that an appropriate password is used. Similarly, if secure remote administration is used, an appropriate password must be used for user authentication. At a minimum, the password complexity should meet the following requirements:

• No default or blank passwords.

• Minimum length of 8 characters. This is a minimum; for further guidance see [PSMCC].

• At least three different character types (e.g. upper and lower case letters, numbers and special characters).

• Commonly used words and dictionary words should be avoided, e.g. "password", the user's username, the user's email address, the company name and the company website address.

• New or reset passwords should be configured to require the user to change them when they are first used.
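The rules above can be turned into a pre-deployment check so that a candidate password is rejected before it is ever configured with username or enable secret. This is an added example written for this page, not part of the CESG document and not a Cisco IOS feature (IOS does not enforce these particular rules itself); the disallowed-word list and the identity details in the demonstration are constructed.

```python
"""Pre-deployment check of an administrator password against the minimum rules
in paragraph 31. Added example for this page; not from the CESG document and not
a Cisco IOS feature. Disallowed words and identity details are constructed."""
import re

MIN_LENGTH = 8
MIN_CLASSES = 3
# Constructed; a real deployment would use a proper dictionary (see [PSMCC]).
COMMON_WORDS = {"password", "passw0rd", "cisco", "admin", "letmein", "welcome"}


def character_classes(password: str) -> int:
    """Number of the four classes (upper, lower, digit, other) present."""
    patterns = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def identity_terms(username: str, email: str, company: str, website: str) -> set:
    """Strings that must not appear in the password: the username, the e-mail
    address and its local part, the company name and its words, and the
    website host (without scheme or 'www.') and its first label."""
    host = re.sub(r"^https?://", "", website.lower()).split("/")[0]
    host = host[4:] if host.startswith("www.") else host
    terms = {username, email, email.split("@")[0], company, host, host.split(".")[0]}
    terms.update(company.split())
    return {t.lower() for t in terms if len(t) >= 3}


def check_password(password: str, username: str, email: str, company: str, website: str) -> list:
    """Return the rules the password breaks; an empty list means it is acceptable."""
    if not password:
        return ["blank password"]
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character types")
    lowered = password.lower()
    for term in sorted(COMMON_WORDS | identity_terms(username, email, company, website)):
        if term in lowered:
            problems.append(f"contains disallowed term '{term}'")
    return problems


if __name__ == "__main__":
    context = dict(username="jsmith", email="j.smith@example.gov.uk",
                   company="Example Dept", website="https://www.example.gov.uk")
    for candidate in ("Password1!", "jsmith2017", "Ab1!", "Tq7#vR9pLm2$"):
        print(f"{candidate!r}: {check_password(candidate, **context) or 'acceptable'}")
```

The identity terms are matched as substrings, case-insensitively, so "JSmith2017!" is caught as well as "jsmith2017"; the check reports every broken rule rather than stopping at the first so the administrator sees the whole picture.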


32. Passwords should be stored in hashed or encrypted form so that they are not exposed in configuration output. The following commands cause the local username database to be used for authentication and prevent passwords being displayed in plain text in configuration output:

aaa new-model
aaa authentication login default local
service password-encryption
username <user> password <password>
enable secret <password>

Note that service password-encryption only obfuscates a username password (Type 7, which is trivially reversible), whereas enable secret stores a one-way hash. Where the IOS release supports it, username <user> secret <password> should be used in preference to username <user> password <password>, so that local account passwords are hashed as well.

33. Further hardening can be performed by administrators to reduce the risk of brute force attacks, by increasing the delay between login attempts (see the section below on Anti-Hammer).

34. A post login banner should be enabled, to ensure that users check logs for unauthorised access attempts and that users change default or weak passwords once they have logged in:

banner exec <message delimiter>
<post-login message>
<message delimiter>

35. The message delimiter value should be any printable character and it should not be used in the message. The message should contain text as follows:

1) Upon logging in, all users must manually view logs to check for failed login attempts.
2) The procedures to follow in the event of the discovery of unexpected failed logins are: <insert policy here>.
3) If a default password, or a password that does not meet the password complexity requirements, is in use, it must be immediately changed to conform to the password policy: <insert policy here>.

36. To configure the device to connect to a trusted NTP server that has been set up in the pre-installation phase, the following commands may be used:

ntp authentication-key 1 md5 <password>
ntp authenticate
ntp trusted-key 1
ntp server <ip address> key 1
access-list 1 permit <ip address>
ntp access-group peer 1

37. Time synchronisation and the NTP server in use can be verified with the following command:

show ntp status

Interface Configuration

38. Remote administration protocols should only be made available on dedicated red interfaces where no non-administration related traffic is present.


39. Administration protocols should not be available on black interfaces unless a connection is made through an established IPsec VPN tunnel between the device and another CPA Foundation Grade approved endpoint.

40. The following command can be used on the product to indicate which services are listening, and their associated ports and interfaces:

show control-plane host open-ports

41. [CCPACG] states: "As per Cisco best practice, secure protocols should be used for monitoring and management access. If the device is to be managed in-band then only HTTPS, SSH and SNMPv3 should be used."

42. To apply an Access Control List to an interface to restrict administration protocols on that interface, the following commands can be used (with telnet replaced by the appropriate protocol; the deny entry names the address of the interface being protected, and the closing permit entry allows all other traffic through):

ip access-list extended telnetting
 deny tcp any host <interface ip address> eq telnet
 permit ip any any
 exit
interface <interface, e.g. FastEthernet0/0/0>
 ip access-group telnetting in

43. All unused interfaces should be disabled, by using the commands:

interface FastEthernet 0/1
 shutdown

Secure Configuration Tool

44. Cisco has produced a tool, configurator.py [TOOL], which automates the production of a secure configuration for the evaluated products: the Python script asks the administrator a series of questions and emits the configuration commands to be applied. (Some manual steps are still required, as they cannot easily be automated, but most of the secure configuration procedure has been automated by the script.) The tool must be obtained via recognised suppliers, namely Cisco or the NCSC. Contact Cisco CPA support at [email protected] for further guidance.

45. That script includes questions to the user (e.g. to identify hostname, domain-name, required profile). The user’s responses are used as parameters to produce the secure configuration script. The script also includes commands that do not require any user input, but which ensure a secure configuration.

46. In the following sections, reference to “[TOOL]” indicates that the associated configuration step is performed by the Secure Configuration Tool.

User Authentication and Device Administration

47. Devices must be configured such that local administration via console port connections requires users to authenticate with a username and password.


48. Similarly, remote administration must use a secure protocol with authentication such as SSHv2, HTTPS, or SNMPv3. If additional authentication infrastructure is in use (e.g. TACACS+ or RADIUS), then communication between the device and the server must be cryptographically secured (e.g. with TLS).

49. [CCPACG] states: "As per Cisco best practice, secure protocols should be used for monitoring and management access. If the device is to be managed in-band then only HTTPS, SSH and SNMPv3 should be used."

50. It also provides steps to enable these services and to disable insecure ones.

51. The commands used to set up SSH on the device are covered by the Secure Configuration Tool [TOOL]. Only SSH version 2 should be accepted; SSH version 1 must not be enabled.

52. The following commands should be issued on the configuration terminal, to ensure that SNMPv3 is used with both authentication and privacy. The access keyword references a standard access list named SNMP, which must be defined separately and should permit only the management stations:

snmp-server group <group-name> v3 priv
snmp-server user <username> <group-name> v3 auth sha <auth-password> priv aes 128 <priv-password> access SNMP

53. An SSL enabled management web server can be configured using:

ip http secure-server

54. The Secure Configuration Tool [TOOL] disables all unused administrative protocols and insecure services.

Cryptographic Configuration and Operation

55. An approved IPsec VPN profile must be used for all VPN connections, and X.509 certificates must be used to mutually authenticate all IPsec VPN connections. Cisco’s [CCPACG] provides further guidance, and states that certificate verification should include the entire chain of trust and should check the current CRL or OCSP.

56. Cisco’s [DCPKI] and [CCPACG] provide details for key generation, installing certificate authority (CA) certificates, generating signing requests, and importing certificates. Key generation guidelines are relevant to the end-state profile.

57. Configuration of the VPN and installation of the device certificates must be performed by trusted personnel in an appropriately accredited, secure environment. Standard users must not be permitted to manage the certificate installation for the VPN product. When a replacement certificate is provisioned for a gateway, any old, non-expired certificates must be revoked.

58. The steps in the following sections may be used to configure the cryptographic operation of the product.


Certificate Enrolment

59. The Secure Configuration Tool [TOOL] covers:

• generation of the keypair required for the PRIME profile;

• installation of the CA certificate, provided that it is passed as a PEM formatted file to the configurator.py script[5]:

python configurator.py <CA Cert File.pem>

• installation of the CA in the router;

• generation of a certificate signing request to the terminal.

60. Once the CA issues the signed certificate, it is imported by the following command which guides the administrator through the import process:

crypto pki import <trustpoint label, e.g. CPAPRIME> certificate

61. Note that the script does not generate the actual CSR. Once the administrator has pasted the output of the script into the router, they can perform:

crypto pki enroll cpa_ca

62. That generates a PEM formatted CSR, which can then be processed by the CA. That aspect of the configuration is outside the scope of this document, because the actual details will depend on the particular CA vendor.

63. The following optional command causes ca-certificate-map mode to be entered, where certificate fields together with match criteria and value can be entered. Using this command, multiple certificate fields can be used to determine whether a device or user is authorised to connect to the VPN. For example the following specifies that subject-name fields must contain the value ‘prime’:

crypto pki certificate map <label, e.g. CPAPRIME-map> <sequence-number, e.g. 10>
 subject-name co prime

64. For further details on the fields and criteria that can be specified, see [CPKI].
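To see what the match criteria above actually admit, the following added example (written for this page; it is not Cisco code, and [CPKI] remains the authority on the behaviour of the release in use) models the evaluation of a certificate map. The modelled rules are that all lines under one sequence number must match, that any one sequence matching is sufficient, and that string comparison is case-insensitive; the last of these is an assumption to be confirmed against [CPKI]. The configuration, labels and certificate subjects are constructed. The 'subprime-attacker' case in the demonstration is the point to note: 'co' is a substring test, so subject-name co prime on its own would also accept any certificate whose subject merely contains that string, which is why the first sequence pins the issuer-name as well.

```python
"""Model of IOS 'crypto pki certificate map' evaluation (paragraphs 63 and 64).
Added example for this page; not Cisco code. Modelled rules: all lines under one
sequence number must match (AND), any sequence matching is enough (OR), and
string comparison is case-insensitive (assumption; see [CPKI])."""

# Operators for string-valued fields such as subject-name and issuer-name.
OPERATORS = {
    "eq": lambda field, value: field == value,
    "ne": lambda field, value: field != value,
    "co": lambda field, value: value in field,
    "nc": lambda field, value: value not in field,
}

# Constructed configuration: sequence 10 pins the issuer as well as the
# subject; sequence 20 admits anything carrying OU=vpn-gateways in its subject.
CONSTRUCTED_CONFIG = """\
crypto pki certificate map CPAPRIME-map 10
 subject-name co prime
 issuer-name eq cn=CPA CA,o=Example
crypto pki certificate map CPAPRIME-map 20
 subject-name co ou=vpn-gateways
"""


def parse_certificate_map(config: str) -> dict:
    """Return {label: {sequence: [(field, operator, value), ...]}} from the
    'crypto pki certificate map' blocks of a configuration. Sub-mode lines are
    recognised by the single leading space IOS uses when it prints them."""
    maps, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("crypto pki certificate map "):
            label, seq = line.split()[4:6]
            current = maps.setdefault(label, {}).setdefault(int(seq), [])
        elif current is not None and raw.startswith(" ") and line:
            field, op, value = line.split(None, 2)
            if op not in OPERATORS:
                raise ValueError(f"unsupported operator {op!r} in {line!r}")
            current.append((field, op, value.lower()))
        else:
            current = None
    return maps


def certificate_matches(cert: dict, sequences: dict) -> bool:
    """cert maps certificate field names to their string values."""
    for lines in sequences.values():
        if all(OPERATORS[op](cert.get(field, "").lower(), value) for field, op, value in lines):
            return True
    return False


def authorised(subject: str, issuer: str, label: str = "CPAPRIME-map") -> bool:
    """Would a peer presenting this subject/issuer pass 'match certificate <label>'?"""
    sequences = parse_certificate_map(CONSTRUCTED_CONFIG)[label]
    return certificate_matches({"subject-name": subject, "issuer-name": issuer}, sequences)


if __name__ == "__main__":
    cases = [
        ("cn=gw1.prime.example.gov.uk,o=Example", "CN=CPA CA,O=Example"),    # intended peer
        ("cn=gw1.prime.example.gov.uk,o=Example", "CN=Other CA,O=Example"),  # wrong issuer
        ("cn=subprime-attacker,o=Example", "CN=CPA CA,O=Example"),           # 'co' is a substring test
        ("cn=gw2,ou=vpn-gateways,o=Example", "CN=Other CA,O=Example"),       # sequence 20
    ]
    for subject, issuer in cases:
        print(f"{subject!r:45} {issuer!r:28} -> {authorised(subject, issuer)}")
```

Remember that the certificate map only decides authorisation among certificates that have already chained to the trustpoint and passed revocation checking; it is not a substitute for either.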

Example VPN Tunnel Setup

65. This example associates the certificate-based ACL (defined with the crypto pki certificate map command) to the IKEv2 profile with the ‘match certificate CPAPRIME-map’.

[5] The device's identity certificate, which is bound to the device keypair, is still a manual step and requires the administrator to generate the Certificate Signing Request (CSR) on the device and to manually copy/paste this into the organisation CA, where it will then need to be signed. The resulting identity certificate then needs to be manually copied/pasted back into the router CLI.


66. First create the IKEv2 proposal, policy, and profile:

crypto ikev2 proposal <label, e.g. CPAPRIME-IKEv2-Proposal>
 encryption aes-gcm-128
 prf sha256
 group 19
crypto ikev2 policy <label, e.g. CPAPRIME-IKEv2-Policy>
 proposal <label, e.g. CPAPRIME-IKEv2-Proposal>
crypto ikev2 profile <label, e.g. CPAPRIME-IKEv2-Profile>
 match certificate <previously defined label, e.g. CPAPRIME-map>
 identity local fqdn <endpoint fully qualified domain name>
 authentication remote ecdsa-sig
 authentication local ecdsa-sig
 pki trustpoint <trustpoint label, e.g. CPAPRIME>

67. Then create the IPsec transform set and profile (esp-gcm without an explicit key size selects AES-GCM with a 128-bit key, matching the End-State profile):

crypto ipsec transform-set <label, e.g. CPAPRIME-Set> esp-gcm
 mode tunnel
crypto ipsec profile <label, e.g. CPAPRIME-IPsec-Profile>
 set transform-set <label from previous command, e.g. CPAPRIME-Set>
 set ikev2-profile <label from previously set IKEv2 profile, e.g. CPAPRIME-IKEv2-Profile>

68. Then a tunnel endpoint is configured on an existing interface. These commands create a tunnel interface, protected by the VPN configuration previously set up:

interface <label, e.g. Tunnel1>
 description <As required, e.g. CPAPRIME Tunnel endpoint 1>
 ip address <As required>
 tunnel source <Interface label, e.g. GigabitEthernet0/0/0>
 tunnel mode ipsec ipv4
 tunnel destination <Destination IPv4 address as required>
 tunnel protection ipsec profile <IPsec profile label, e.g. CPAPRIME-IPsec-Profile>

69. To verify that the security association with the remote CPA approved product is active, enter the following commands:

show crypto ikev2 sa detail
show crypto ipsec sa

Maintenance and updates

70. Where possible, software should be updated as soon as practicable after the release of a new revision. Critical security patches must be applied without undue delay. Product Security Incident Response Team (PSIRT) advisory emails will identify those patches and updates that must be considered critical.


71. Updates should be obtained directly from Cisco's image download site at https://software.cisco.com/download/navigator.html, and verification of that site should be performed by checking the validity of the certificate presented during an HTTPS connection to the site.

72. Once the site has been verified, the MD5 checksum of the downloaded image (or the SHA512 checksum, where the download page lists one) should also be verified against the published value. Only if both of those two checks are successful can the image be trusted and applied to the device. See the previous section Initial Configuration for further details on installing an updated image.

System logs

73. Logs with accurate timestamps must be kept and must be reviewed at least monthly by an authorised administrator. Log data should be sufficiently detailed to allow detailed forensic analysis if a security incident occurs; typically such events are captured by setting the threshold to ‘Informational’. Logging should be configured to capture details of unsuccessful login attempts, users invoking privileged enable mode, and users changing their privilege level.

74. Logs should be automatically exported to an external syslog server. Sufficient space must be available to store logs, both locally and on any external syslog server, such that logs are not overwritten before monthly review by the administrator. The space available for logs must be regularly reviewed, to ensure that unusually large sets of logged events do not trigger an overwrite.

75. The Secure Configuration Tool [TOOL] will set up a local log buffer for Notifications. The threshold value may be set to one of ‘Emergencies’, ‘Alerts’, ‘Critical’, ‘Errors’, ‘Warnings’, ‘Notifications’, ‘Informational’ or ‘Debugging’, and should be set to capture all events deemed of interest. Typically, such events will be captured by setting the threshold to ‘Informational’.

76. The Secure Configuration Tool [TOOL] will produce a script that will:

• generate a log entry when the threshold of unsuccessful authentication attempts (default ‘3’; see footnote 6) is reached;

• log when users invoke privileged enable mode or change the privilege level;

• enable time-stamping on log entries.

77. The device should be configured to send log data automatically to a remote syslog server. This can be enabled with the following commands (where the threshold default is as above):

logging host <hostname or IP> transport tcp port <port number>
logging trap <threshold>

Footnote 6: If ‘3’ is not appropriate, the threshold should be manually changed.


78. Log data may subsequently be viewed with the following command:

show logging

79. If a security event is identified in the log data, it should be raised with the appropriate incident response manager; see next chapter Security Incidents for details.

Anti-Hammer

80. The product is required to counter brute force attack by limiting the number of possible consecutive failed login attempts to fewer than 30 per minute. This is achieved by default; further hardening is configured by the Secure Configuration Tool [TOOL]. IOS login enhancements are detailed in [CSUSG].
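Paragraphs 73 to 80 say what must be logged, that the logs must be exported and reviewed monthly, and that consecutive login failures are limited to fewer than 30 per minute. The following script is an added example of the review side of those requirements; it is not part of these procedures or of the Secure Configuration Tool. It parses exported IOS syslog lines by their generic `%FACILITY-SEVERITY-MNEMONIC:` structure, pulls out the three event categories of paragraph 73, counts failures per source address, flags any source whose failures within a sliding one-minute window reach the paragraph 80 figure, and reports the peak hourly event rate for the capacity check in paragraph 74. The sample lines are constructed for the example and only modelled on the shape of IOS login messages; the message text on a real device varies by release, and the year is supplied because the export format carries none.

```python
"""Monthly review helper for Cisco IOS syslog exports (added example; not part
of the Security Procedures or of the Secure Configuration Tool)."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Generic IOS message shape: "<timestamp>: %FACILITY-SEVERITY-MNEMONIC: text".
# A leading '*' or '.' marks a clock that is not authoritative; both are accepted.
MSG_RE = re.compile(
    r"^[*.]?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?(?: [A-Z]+)?: "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
USER_RE = re.compile(r"\[user: (?P<user>[^\]]*)\]")
SRC_RE = re.compile(r"\[Source: (?P<src>[^\]]*)\]")
PRIV_RE = re.compile(r"Privilege level set to (?P<level>\d+) by (?P<user>\S+) on (?P<line>\S+)")


def _sample_log():
    """Constructed sample export (not a capture from a real device): one normal
    administrator session, one failed enable, and 31 failed logins in 31 seconds
    from a single address."""
    lines = [
        "Jan  9 09:00:01.000 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: alice] "
        "[Source: 10.1.1.20] [localport: 22] at 09:00:01 UTC Mon Jan 9 2017",
        "Jan  9 09:00:05.000 UTC: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by alice on vty0 (10.1.1.20)",
        "Jan  9 09:31:00.000 UTC: %SYS-5-PRIV_AUTH_FAIL: Authentication to privilege level 15 failed by bob on vty1 (10.1.1.21)",
    ]
    start = datetime(2017, 1, 9, 9, 30, 0)
    for i in range(31):
        t = start + timedelta(seconds=i)
        lines.append(
            f"{t:%b} {t.day:2d} {t:%H:%M:%S}.000 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed "
            "[user: admin] [Source: 192.0.2.77] [localport: 22] [Reason: Login Authentication Failed]"
        )
    return "\n".join(lines)


def parse_log(text, year=2017):
    """Turn exported lines into event dicts, sorted by time. Lines that are not
    IOS messages (relay banners, blank lines) are skipped."""
    events = []
    for line in text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        body = m["text"]
        u, s, p = USER_RE.search(body), SRC_RE.search(body), PRIV_RE.search(body)
        events.append({
            "time": ts,
            "severity": int(m["severity"]),
            "mnemonic": m["mnemonic"],
            "user": u["user"] if u else (p["user"] if p else None),
            "source": s["src"] if s else None,
            "level": int(p["level"]) if p else None,
            "text": body,
        })
    return sorted(events, key=lambda e: e["time"])


def events_of_interest(events):
    """The categories paragraph 73 requires: failed logins, and entry to (or
    failure to enter) a privilege level, which covers both 'enable' and
    explicit privilege-level changes."""
    return {
        "failed_logins": [e for e in events if e["mnemonic"] == "LOGIN_FAILED"],
        "privilege_changes": [e for e in events if e["mnemonic"] in ("PRIV_AUTH_PASS", "PRIV_AUTH_FAIL")],
    }


def failure_bursts(events, window=timedelta(seconds=60), threshold=30):
    """Per source address, the largest number of LOGIN_FAILED events inside any
    sliding window; sources at or above the threshold are returned. The default
    threshold is the paragraph 80 figure of 30 per minute."""
    by_src = {}
    for e in events:
        if e["mnemonic"] == "LOGIN_FAILED" and e["source"]:
            by_src.setdefault(e["source"], []).append(e["time"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        best, lo = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] >= window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


def review(text, year=2017):
    """Summary an administrator would look at during the monthly review."""
    events = parse_log(text, year)
    interest = events_of_interest(events)
    per_hour = Counter(e["time"].replace(minute=0, second=0, microsecond=0) for e in events)
    return {
        "events": len(events),
        "failed_logins": len(interest["failed_logins"]),
        "privilege_changes": len(interest["privilege_changes"]),
        "failures_by_source": Counter(e["source"] for e in interest["failed_logins"]),
        "bursts": failure_bursts(events),
        "peak_events_per_hour": max(per_hour.values(), default=0),
    }


if __name__ == "__main__":
    for key, value in review(_sample_log()).items():
        print(f"{key}: {value}")
```

The peak hourly rate is the number to set against the local buffer size and the syslog server's retention when checking, as paragraph 74 requires, that a burst will not overwrite entries before the monthly review. On a real export, replace `_sample_log()` with the file contents and pass the correct year.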

User education

81. Administrative users of the Cisco IPSec VPN Gateway – ISR G2 and ASR 1000 Series Devices must have appropriate training, education and certification. Non-administrative or standard users do not require any specific training or education because they have no need to directly access the product.


Chapter 4 - Security Incidents

Incident management

82. In the event of a security incident that results, or could potentially result, in the compromise of information protected by the product, the local IT security incident management policy should:

• Ensure that the Department Security Officer (DSO) is informed.

• Determine whether (and when, if necessary) the product should be withdrawn from service (pending further investigation of the incident).

• Determine whether (and when, if necessary) the product’s certificate should be revoked.

• If the incident indicates that a client device that is currently connected to the product has been compromised, determine whether an administrator should manually terminate that connection and revoke the client’s certificate.

83. Contact the NCSC if a compromise occurs that is suspected to have resulted from a failure of Cisco IPSec VPN Gateway – ISR G2 and ASR 1000 Series Devices.


Chapter 5 - Disposal and Destruction

Key Erasure

84. Before disposal or destruction of the physical device, all sensitive data and configuration details must be removed from the device, and all PKI certificates used by the device must be revoked:

no crypto pki trustpoint <label, e.g. CPAPRIME>
crypto key zeroize
write erase

85. Then the device should be reset to Factory Defaults.

Disposal and Destruction

86. Physical disposal or destruction procedures must be commensurate with the security classification of material which has traversed the device during its use.

87. The procedures for Disposal (including Re-Purposing) should be determined by reference to Annex A of HMG IA Standard No. 5 Secure Sanitisation [IAS5].

88. The procedures for Destruction should be determined by reference to Annex A of [IAS5].

Emergency Destruction

89. [IAS5] does not include any procedures for Emergency Destruction.

90. Therefore, if the environment of a specific deployment of the product requires such procedures, they should be defined for the product in that deployment.


References

Unless stated otherwise, the following documents are available from the Cisco website.

[ASRCG] Cisco ASR 1000 Series Aggregation Services Routers Software Configuration Guide, 30 July 2014, OL-16506-17

[ASROCG] Cisco online ASR 1000 Series Configuration Guidance: http://www.cisco.com/c/en/us/td/docs/routers/asr1000/configuration/guide/chassis/asrswcfg.html

[CCPACG] Guide to configuring a Virtual Private Network using Cisco ISR & ASR to conform to Commercial Product Assurance guidance, 2013

[CICFCR] Cisco IOS Configuration Fundamentals Command Reference (Release 12.2)

[CKPI] Cisco Configuring PKI [guidance]: http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/vspa/configuration/guide/ivmsw_book/ivmvpn4.html

[CPP] Chapter: Configuring Passwords and Privileges: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfpass.html#wp1000877

[CSUSG] Security Configuration Guide: Securing User Services 5 June 2009

[DCPKI] Digital Certificates/PKI for IPSec VPNs, OL-9029-0

[IAS5] HMG IA Standard No. 5, Secure Sanitisation, Issue No. 5.1, December 2014. For enquiries regarding that document, please see https://www.ncsc.gov.uk/contact

[IKE1G] Cisco IKEv1 Configuration Guidance (Internet Key Exchange for IPsec VPNs Configuration Guide, Cisco IOS Release 15M&T): http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/15-mt/sec-ike-for-ipsec-vpns-15-mt-book.html

[IKE2G] Cisco IKEv2 Configuration Guidance (FlexVPN and Internet Key Exchange Version 2 Configuration Guide, Cisco IOS Release 15M&T): http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-mt/sec-flex-vpn-15-mt-book.html

[IOSHG] Cisco Guide to Harden Cisco IOS Devices, Ref:13608, 6 January 2016 http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html


[IPSecG] Cisco IPsec Configuration Guidance (IPsec Data Plane Configuration Guide, Cisco IOS Release 15M&T): http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dplane/configuration/15-mt/sec-ipsec-data-plane-15-mt-book.html

[ISO27K] ISO 27000 series for Information Technology – Security Techniques, particularly:

• ISO/IEC 27001:2013 Information Security Management Systems – Requirements

• ISO/IEC 27005:2011 Information Security Risk Management (CESG announced in 2014 that IS1 and IS2 would be withdrawn from 1st January 2015.)

[ISRCG] Cisco 3900 Series, Cisco 2900 Series, and Cisco 1900 Series Integrated Services Routers Generation 2 Software Configuration Guide, 25 July 2014, OL-20696-04

[ISROCG] Cisco online ISR G2 Series Configuration Guidance (Cisco 3900 Series, 2900 Series, and 1900 Series Software Configuration Guide): http://www.cisco.com/c/en/us/td/docs/routers/access/1900/software/configuration/guide/Software_Configuration.html

[PKIG] Cisco PKI Configuration guidance: http://www.cisco.com/cisco/web/UK/public_sector/cyber_security_solutions/assets/Guide_to_configuring_a_Virtual_Private_Network_using_Cisco_ISR__ASR.pdf

[PSMCC] Cisco password strength guidance (Authentication, Authorization, and Accounting Configuration Guide, Cisco IOS Release 15SY): http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-aaa-comm-criteria-pwd.html

[SC] IPsec Security Gateway Security Characteristic, Version 2.3, April 2013, 27467650, available from the NCSC archive at: https://www.ncsc.gov.uk/articles/security-characteristics-archive

[TOOL] Secure Configuration Tool, provided as a Python script in file configurator.py which is available from Cisco.


For enquiries regarding CPA or this document, please see https://www.ncsc.gov.uk/contact © Crown Copyright 2017.