Cisco ISR 4000 Family Routers Administrator Guidance
Page 18 of 66
In addition, configure your SSH client for dh-group-14. In PuTTY, configure the SSH client
to support only diffie-hellman-group14-sha1 key exchange. To configure PuTTY, do the
following:
In PuTTY Configuration, select Connection > SSH > Kex;
Under Algorithm selection policy, move Diffie-Hellman group 14 to the top of the
list;
Move the “warn below here” option to directly below Diffie-Hellman group 14.
6. Configure vty lines to accept ‘ssh’ login services
TOE-common-criteria(config-line)# transport input ssh
7. Configure an SSH client to support only the following encryption algorithms:
AES-CBC-128
AES-CBC-256
peer#ssh -l cisco -c aes128-cbc 1.1.1.1
peer#ssh -l cisco -c aes256-cbc 1.1.1.1
8. Configure an SSH client to support message authentication. Only the following MACs are
allowed; “None” is not allowed as the MAC:
a. hmac-sha1
b. hmac-sha1-96
peer#ssh -l cisco -m hmac-sha1-160 1.1.1.1
peer#ssh -l cisco -m hmac-sha1-96 1.1.1.1
9. To verify the proper encryption algorithms are used for established connections, use the
show ssh sessions command:
TOE-common-criteria# show ssh sessions
Note: To disconnect SSH sessions, use the ssh disconnect command:
TOE-common-criteria# ssh disconnect
10. Configure the SSH time-based and volume-based rekey values (values can be
configured lower than the defaults if a shorter interval is desired):
a. ip ssh rekey time 60
b. ip ssh rekey volume 1000000
11. HTTP and HTTPS servers were not evaluated and must be disabled:
TOE-common-criteria(config)# no ip http server
TOE-common-criteria(config)# no ip http secure-server
12. SNMP server was not evaluated and must be disabled:
TOE-common-criteria(config)# no snmp-server
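Steps 6 through 12 above are all settings that should be visible (or, for SNMP, absent) in the router's saved configuration, so they can be audited from a copy of `show running-config` without logging in interactively. The script below is an added example for this page, not Cisco tooling and not part of the guide; it checks a configuration text for the vty transport, rekey, HTTP and SNMP settings from those steps. The two configurations it runs against are constructed for the demonstration, and the rekey values from step 10 are treated as the maximum acceptable values, which is an assumption of this checker rather than a statement in the guide.

```python
"""Audit a saved Cisco IOS / IOS XE running-config for the SSH, HTTP and SNMP
settings required by steps 6-12 of the Common Criteria procedure.

Added example for this page (not Cisco's own tooling). It operates on the
text of `show running-config`; both sample configs below are constructed."""
import re

# Values taken from step 10; this checker treats them as the maximum allowed
# (assumption of the checker, not a statement of the guide).
MAX_REKEY_TIME = 60
MAX_REKEY_VOLUME = 1000000


def parse_blocks(config: str):
    """Split a running-config into top-level lines and their indented children.

    IOS indents sub-commands with a single space, so a line that starts with a
    space belongs to the most recent unindented line (e.g. 'line vty 0 4').
    Returns (top_lines, blocks) where blocks maps each top line to its children."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank lines and comment separators carry no settings
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks[current] = []
    return top, blocks


def audit_config(config: str):
    """Return a list of findings; an empty list means steps 6-12 are satisfied."""
    top, blocks = parse_blocks(config)
    findings = []

    # Step 6: every vty line block must restrict inbound sessions to SSH.
    vty_blocks = {k: v for k, v in blocks.items() if k.startswith("line vty")}
    if not vty_blocks:
        findings.append("no 'line vty' block found")
    for name, children in vty_blocks.items():
        if "transport input ssh" not in children:
            findings.append(f"{name}: missing 'transport input ssh'")

    # Step 10: time- and volume-based rekey must be configured at or below the limits.
    for key, limit in (("time", MAX_REKEY_TIME), ("volume", MAX_REKEY_VOLUME)):
        pattern = re.compile(rf"^ip ssh rekey {key} (\d+)$")
        values = [int(m.group(1)) for line in top if (m := pattern.match(line))]
        if not values:
            findings.append(f"ip ssh rekey {key} not configured")
        elif values[-1] > limit:
            findings.append(f"ip ssh rekey {key} is {values[-1]}, must be <= {limit}")

    # Step 11: both HTTP servers must be explicitly disabled.
    for required in ("no ip http server", "no ip http secure-server"):
        if required not in top:
            findings.append(f"missing '{required}'")

    # Step 12: 'no snmp-server' leaves no line behind, so any snmp-server line is a finding.
    for line in top:
        if line.startswith("snmp-server"):
            findings.append(f"SNMP server still configured: '{line}'")
    return findings


# Constructed sample: a configuration that follows the procedure.
COMPLIANT_CONFIG = """\
!
hostname TOE-common-criteria
!
no ip http server
no ip http secure-server
ip ssh rekey time 60
ip ssh rekey volume 1000000
!
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
!
end
"""

# Constructed sample: telnet still allowed, HTTP on, rekey too slow, SNMP enabled.
NONCOMPLIANT_CONFIG = """\
!
hostname lab-router
!
ip http server
no ip http secure-server
ip ssh rekey time 120
snmp-server community lab-ro RO
!
line vty 0 4
 transport input telnet ssh
!
end
"""

if __name__ == "__main__":
    for label, cfg in (("compliant", COMPLIANT_CONFIG), ("noncompliant", NONCOMPLIANT_CONFIG)):
        print(f"{label}: {audit_config(cfg) or ['OK']}")
```

The checker only inspects the settings the page names; it does not verify the negotiated cipher or MAC of live sessions, which is what step 9's `show ssh sessions` is for on the device itself.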