Acknowledgements

HRD Division
Department of Electronics and Information Technology
Ministry of Communications and Information Technology
Government of India
ROUTER AUDITING

1
 TABLE OF CONTENTS:

SL.NO. POLICIES PAGE NO.

1. LATEST STABLE SOFTWARE VERSION SHALL BE SELECTED.

2. HOSTNAME SHALL NOT REVEAL MAKE / MODEL OF THE DEVICE.

3. EACH USER SHALL BE ALLOCATED A SEPARATE LOGIN ACCOUNT.
4. SEPARATE LOGIN ACCOUNT SHALL BE USED FOR OPERATING AT
DIFFERENT PRIVILEGE LEVELS AND NETWORK SECURITY DEVICES
SHOULD HAVE AT LEAST TWO ADMINISTRATORS.
5. PASSWORD SHALL BE MANAGED AS PER THE PASSWORD
MANAGEMENT GUIDELINES AND ALSO PASSWORD SHALL BE STORED
IN ENCRYPTED FORM.
6. NETWORK TIME PROTOCOL (NTP) SHALL BE CONFIGURED ON THE
DEVICES. (REFER: TIME SYNCHRONIZATION GUIDELINES)
7. FOR CHECKING THE TIME SETTINGS IN ROUTER.
8. BANNER MESSAGE WARNING MESSAGE SHOULD BE DISPLAYED BEFORE
LOGIN AS A CAUTION
9. PROTOCOLS / SERVICES USING ENCRYPTED CHANNEL (SUCH AS, SSH,
SSL, IPSEC, RDP) SHALL BE USED FOR REMOTE ADMINISTRATION.
10. FOR CHECKING UNUSED NETWORK INTERFACES SHALL BE DISABLED.
11. AUTHENTICATION SHOULD BE USED FOR DYNAMIC ROUTING
PROTOCOLS.
12.
INGRESS AND EGRESS FILTERING SHALL BE CONFIGURED.
13. UNUSED ADDRESS SPACE SHOULD BE ROUTED TO NULL INTERFACE.
14. ANTI-SPOOFING SHOULD BE CONFIGURED ON ALL INTERFACES
15 BACK UP OF THE DEVICE
16. LOG MAINTENANCE
17. FOR CHECKING CONSOLE AND OTHER DIRECT ACCESS PORT
CONNECTIONS OF THE ROUTER.
18. FOR CHECKING WHAT ARE THE VARIOUS NETWORKS ALLOWED IN
ROUTER.
19. FOR CHECKING THE ROUTER NETWORK TRAFFIC FLOW AND LOOPBACK
INTERFACE.
20. FOR CHECKING THE ROUTER TIMEOUT OPTION.
21. FOR CHECKING FOR ANY VIRTUAL TERMINAL UNIT I.E. VTY’S ENABLED
ON DEVICE.
22. FOR CHECKING THE ROUTER REMOTE ADMINISTRATION ACCESS
PROCESS.
23. FOR CHECKING ACL WRITTEN WITH RESPECT TO ACCESS TO VTY OR
REMOTE ADMINISTRATION MECHANISM FOR ROUTER

2
24. FOR CHECKING ANY PRIVILEGED EXEC MODE IN ROUTER SETTINGS

25. FOR CHECKING THE ROUTER IS CONFIGURED WITH LOCAL OR AAA

ENCRYPTION MECHANISM

26. FOR CHECKING THE STATIC AND DYNAMIC ROUTING

27. FOR CHECKING RADIUS & TACACS+ METHODS IN ROUTER

3
1. Latest stable software version shall be selected.

CDAC-R09R06-C01-R-2#show version

2. Hostname shall not reveal make / model of the device.

CDAC-R09R06-C01-R-2#show run | i hostname

3. Each user shall be allocated a separate login account.

CDAC-R09R06-C01-R-2#show user all

CDAC-R09R06-C01-R-2#show users

Note: All the users who are authenticated can be viewed only by login

through the tacacs server.

4. Separate login account shall be used for operating at different privilege

level and Network Security Devices should have at least two

administrators.

CDAC-R09R06-C01-R-2#show run | b user

Note: All the users/admin who are authenticated can be viewed only by login

through the tacacs server and different privilege levels can also be seen by the

using the same tacacs server.

5. Password shall be managed as per the Password Management Guidelines

and also Password shall be stored in encrypted form.

4
CDAC-R09R06-C01-R-2#show run | i password

Note: All the users/admin password shall be managed as per the Password

Management Guidelines only by login through the tacacs server and different

privilege levels can also be seen by the using the same tacacs server.

6. Network Time Protocol (NTP) shall be configured on the devices. (refer: As

Per the cyber security policies for NICNET Information Infrastructure - Time

Synchronization Guidelines)

CDAC-R09R06-C01-R-2#show ntp status

CDAC-R09R06-C01-R-2#show ntp assotiations

7. For checking the time settings in router.

CDAC-R09R06-C01-R-2#show clock

8. Banner Message Warning message should be displayed before login as a

caution.

A sample banner message follows:

--------------------- W A R N I N G ----------------------
Unauthorized access is prohibited. Disconnect IMMEDIATELY if you are not
an authorized user!!! All activities are benign monitored.
Any unauthorized access may subject the user to disciplinary / legal action.

CDAC-R09R06-C01-R-2#show run | b banner

9. Protocols / Services using encrypted channel (such as, SSH, SSL, IPSec, RDP)

shall be used for Remote administration.

5
CDAC-R09R06-C01-R-2#show run | i line

10. For checking Unused network interfaces shall be disabled.

CDAC-R09R06-C01-R-2#show interface des | Include Gi

11. Authentication should be used for dynamic routing protocols.

SUMMARY STEPS
• configure
• router ospf process-name
• router-id {router-id}
• authentication [message-digest [keychain keychain] | null]
• message-digest-key key-id md5 {key | clear key | encrypted key}
• area area-id
• interface type instance
• Repeat Step 7 for each interface that must communicate, using the same
authentication.
• exit
• area area-id
• authentication [message-digest [keychain keychain] | null]
• interface type instance
• Repeat Step 12 for each interface that must communicate, using the same
authentication.
• interface type instance
• authentication [message-digest [keychain keychain] | null]
• end Or commit

DETAILED STEPS:

Command Purpose
configure Enters global configuration mode.
Step 1 Example:
RP/0/RSP0/CPU0:router# configure

router ospf process-name Enables OSPF routing for the specified

Step 2 Example: routing process and places the router
RP/0/RSP0/CPU0:router(config)# router ospf 1 in router configuration mode.

6
 Note The process-name argument is
any alphanumeric string no longer
than 40 characters.

router-id {router-id} Configures a router ID for the OSPF

Example: process.
Step 3
RP/0/RSP0/CPU0:router(config-ospf)# router-i
d 192.168.4.3

authentication [message-digest[keychain keyc Enables MD5 authentication for the

hain] | null] OSPF process.
Example: This authentication type applies to
Step 4
RP/0/RSP0/CPU0:router(config-ospf)# the entire router process unless
authentication message-digest overridden by a lower hierarchical
level such as the area or interface.

message-digest-key key-id md5 {key |clear key Specifies the MD5 authentication key
| encrypted key} for the OSPF process.
Step 5 Example: The neighbor routers must have the
RP/0/RSP0/CPU0:router(config-ospf)# same key identifier.
message-digest-key 4 md5 yourkey

area area-id Enters area configuration mode and

Step 6 Example: configures a backbone area for the
RP/0/RSP0/CPU0:router(config-ospf)# area 0 OSPF process.

interface type instance Enters interface configuration mode

Example: and associates one or more interfaces
RP/0/RSP0/CPU0:router(config-ospf-ar)# interf to the backbone area.
Step 7 ac e GigabitEthernet 0/1/0/3 All interfaces inherit the
authentication parameter values
specified for the OSPF process (Step
4, Step 5, and Step 6).

Repeat Step 7 for each interface that must —

Step 8
communicate, using the same authentication.

exit Enters area OSPF configuration mode.

Step 9 Example:
RP/0/RSP0/CPU0:router(config-ospf-ar)# exit

area area-id Enters area configuration mode and

Example: configures a nonbackbone area 1 for
RP/0/RSP0/CPU0:router(config-ospf)# area 1 the OSPF process.
Step 10
The area-id argument can be entered
in dotted-decimal or IPv4 address
notation, such as area 1000 or

7
 area 0.0.3.232. However, you must
choose one form or the other for an
area. We recommend using the IPv4
address notation.

authentication [message-digest[keychain keyc Enables Type 1 (plain text)

hain] | null] authentication that provides no
Example: security.
RP/0/RSP0/CPU0:router(config-ospf-ar)# The example specifies plain text
Step 11 authentication authentication (by not specifying a
keyword). Use
the authentication-keycommand in
interface configuration mode to
specify the plain text password.

interface type instance Enters interface configuration mode

Example: and associates one or more interfaces
RP/0/RSP0/CPU0:router(config-ospf-ar)# to the nonbackbone area 1 specified
Step 12 interface GigabitEthernet 0/1/0/0 in Step 10.
All interfaces configured inherit the
authentication parameter values
configured for area 1.

Repeat Step 12 for each interface that must —

Step 13
communicate using the same authentication.

interface type instance Enters interface configuration mode

Example: and associates one or more interfaces
Step 14
RP/0/RSP0/CPU0:router(config-ospf-ar)# to a different authentication type.
interface GigabitEthernet 0/3/0/0

authentication [message-digest[keychain keyc Specifies no authentication on

hain] | null] GigabitEthernet interface 0/3/0/0,
Example: overriding the plain text
RP/0/RSP0/CPU0:router(config-ospf-ar-if)# authentication specified for area 1.
Step 15
authentication null By default, all of the interfaces
configured in the same area inherit
the same authentication parameter
values of the area.

end Saves configuration changes.

or When you issue the end command,
commit the system prompts you to commit
Step 16
Example: changes:
RP/0/RSP0/CPU0:router(config-ospf-ar-if)# end Uncommitted changes found, commit
or them before

8
 RP/0/RSP0/CPU0:router(config-ospf-ar-if)# exiting(yes/no/cancel)?
commit [cancel]:

Entering yes saves configuration

changes to the running configuration
file, exits the configuration session,
and returns the router to EXEC mode.
Entering no exits the configuration
session and returns the router to
EXEC mode without committing the
configuration changes.
Entering cancel leaves the router in
the current configuration session
without exiting or committing the
configuration changes.
Use the commit command to save
the configuration changes to the
running configuration file and remain
within the configuration session.

CDAC-R09R06-C01-R-2#show run | b router ospf

12. Ingress and Egress filtering shall be configured.

SUMMARY STEPS
• 1. configure
• 2. ethernet egress-filter strict
• 3. interface {GigabitEthernet | TenGigE | FastEthernet |
Bundle-Ether} instance.subinterface
• 4. ethernet egress-filter {strict | disabled}
• 5. exit

DETAILED STEPS:

Command or Action Purpose

Step 1 configure Enters global configuration

RP/0/RSP0/CPU0:PE44_ASR-9010# config mode.
Thu Jun 4 07:50:02.660 PST
RP/0/RSP0/CPU0:PE44_ASR-9010(config)#

9
 Step 2 ethernet egress-filter strict Enables strict egress filtering
on all subinterfaces on the
RP/0/RSP0/CPU0:PE44_ASR-9010(config)# ethernet device by default.
egress-filter strict

Step 3 interface {GigabitEthernet | TenGigE | FastEthernet | Creates an L2 subinterface.

Bundle-Ether} instance.subinterface

RP/0/RSP0/CPU0:PE44_ASR-9010(config)# interface
GigabitEthernet 0/1/0/1.1
RP/0/RSP0/CPU0:PE44_ASR-9010(config-subif)#
Step 4 ethernet egress-filter {strict | disabled} Allows egress filtering to be
explicitly enabled or
RP/0/RSP0/CPU0:PE44_ASR-9010(config-subif)# disabled on any L2
ethernet egress-filter strict subinterface. It can also be
used to override global
settings.
Step 5 exit Exit from the configuration
RP/0/RSP0/CPU0:PE44_ASR-9010(config-subif)# exit mode.
RP/0/RSP0/CPU0:PE44_ASR-9010(config)# exit

CDAC-R09R06-C01-R-2#show access-lists BLOCK-UDP pfilter location all

CDAC-R09R06-C01-R-2#show run | include ingress

CDAC-R09R06-C01-R-2#show run | include engress

13. Unused address space should be routed to null interface.

FOR EXAMPLE:
• R2# conf t
• Enter configuration commands, one per line. End with CNTL/Z.
• R2(config)# ip route 192.168.0.0 255.255.0.0 Null0
• R2(config)# end
CDAC-R09R06-C01-R-2#show run | i Null

10
14. Anti-spoofing should be configured on all interfaces

• To configure Unicast RPF loose mode, perform the following steps.

SUMMARY STEPS

1. enable
2. configure terminal
3. ip cef
4. interface type slot / port-adapter / port
5. ip verify unicast source reachable-via any
DETAILED STEPS:

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.

Example: • Enter your password if
Router> enable prompted.

Step 2 configure terminal Enters global configuration mode.

Example:
Router# configure terminal

Step 3 ip cef Enables CEF on the route processor

Example: card.
Router (config)# ip cef

Step 4 interface type slot / port-adapter / port Configures an interface type and
Example: enters interface configuration mode.
Router (config)# interface serial5/0/0

Step 5 ip verify unicast source reachable-via any Enables Unicast RPF using loose
Example: mode.
Router (config-if)# ip verify unicast
source reachable-via any

11
Note: Anti-Spoofing feature is not configured so that’s why screen shot is not

attached.

15. Back up of the current operating system and the running configuration

shall be taken prior to upgrade with SNMP Protocol .check for the

following:
• Enable SNMP if required and check SNMPv3 or higher should be used.
CDAC-R09R06-C01-R-2#show snmp host

• Default community string (for example, "public") shall not be used.

• Community string security shall be treated at per with Administrator
account passwords.
• Community string should be set for Read Only mode.
• SNMP access should be permitted from specific IP addresses of trusted
networks.
• Same or similar community strings should not be used across devices.

CDAC-R09R06-C01-R-2#show run | i snmp

16. Log Maintenance

• Logs should be sent to a centralized log server.

CDAC-R09R06-C01-R-2#show log

• Logs should be archived in read-only format.

CDAC-R09R06-C01-R-2#show log location

CDAC-R09R06-C01-R-2#show run | i log

12
17. For checking console and other direct access port connections of the

router.

CDAC-R09R06-C01-R-2#show run | b line

18. For checking what are the various networks allowed in router.

CDAC-R09R06-C01-R-2#show access-lists BlOCK-UDP usage pfilter location all

19. For checking the router network traffic flow and loopback interface.

CDAC-R09R06-C01-R-2#show monitor-session counters

20. For checking the router timeout option.

CDAC-R09R06-C01-R-2#show run | i timeout

21. For checking for any virtual terminal unit i.e. VTY’s enabled on device.

CDAC-R09R06-C01-R-2#show run | b vty

22. For checking the router remote administration access process.

CDAC-R09R06-C01-R-2#show run | i line

13
23. For checking ACL written with respect to access to VTY or remote

administration mechanism for router.

CDAC-R09R06-C01-R-2#show access-lists MANAGEMENT

24. For checking any privileged exec mode in router settings.

CDAC-R09R06-C01-R-2#show run | i exec

25. For checking the router is configured with local or AAA encryption

mechanism.

CDAC-R09R06-C01-R-2#show tacacs

Note: AAA encryption mechanism managed as per the Cyber Security Policies

NICNET Information Infrastructure only by login through the tacacs server and

different privilege levels can also be seen by the using the same tacacs server.

The above command shows the information about tacacs server.

26. For checking the static and dynamic routing.

• For checking the routing and routed protocols

CDAC-R09R06-C01-R-2#show protocols bgp

CDAC-R09R06-C01-R-2#show protocols ospf

CDAC-R09R06-C01-R-2#show route static

For checking bgp summary.

CDAC-R09R06-C01-R-2#show bgp summary

14
 • For checking the ospf neighbor.

CDAC-R09R06-C01-R-2#show ospf neighbor

• For checking OSPF route.

CDAC-R09R06-C01-R-2#show route ospf

• For checking RIP.

• For checking EIGRP.

Note: Organization is not using RIP and EIRGP routing.

27. For checking radius & tacacs+ methods in router.

CDAC-R09R06-C01-R-2#show tacacs

CDAC-R09R06-C01-R-2#show run | i tacacs

CONTRIBUTED BY:

1. Mr Ch A.S Murty
2. Mr Tyeb Naushad
3. Mr Devi Satish
4. Mr Shrinath Rusia
5. Ms Vertika Singh
6. Mr Vinay Kumar

C-DAC, Hyderabad

15