Device Hardening
Network infrastructure remains one of the most targeted attack surfaces in enterprise environments. Cisco IOS XE devices—routers, switches, and firewalls—form the backbone of countless organizations, making their security posture a critical concern for network administrators and security teams alike. This comprehensive guide distills the essential hardening practices that transform a default Cisco deployment into a fortified, production-ready system.
Whether you're preparing for a security audit, responding to a vulnerability disclosure, or building out new infrastructure, these battle-tested configurations address the most common attack vectors while maintaining operational stability.
Management Plane Security: Your First Line of Defense
The management plane handles all administrative access to your devices. A compromised management plane means complete device takeover—attackers can modify configurations, intercept traffic, or pivot deeper into your network.
Password Architecture That Actually Protects
Not all Cisco password types offer equal protection. The distinction matters enormously:
- Type-8 (PBKDF2-SHA-256) — The gold standard. Uses thousands of iterations to resist brute-force attacks. Always use this for local accounts and enable secrets.
- Type-5 (MD5) — Deprecated. MD5's weaknesses make these passwords vulnerable to modern cracking techniques.
- Type-7 (Vigenère) — Essentially plaintext. Reversible in seconds with freely available tools. Use only where legacy protocols demand it.
Critical Configuration:
```
enable algorithm-type sha256 secret YourStrongPassword
username admin privilege 15 algorithm-type sha256 secret AdminPassword
no enable password
```
SSH Hardening: Eliminating Telnet Forever
Telnet transmits credentials in cleartext. There's no scenario in 2024 where Telnet belongs in a production environment. SSH version 2 with strong cryptographic parameters is the only acceptable remote management protocol.
Key configuration elements include:
- RSA keys of at least 2048 bits (4096 recommended for sensitive environments)
- Explicit SSHv2-only enforcement—SSHv1 has known cryptographic weaknesses
- Removal of weak ciphers like 3DES-CBC
- Strong MAC algorithms (HMAC-SHA2-256 or SHA2-512)
- Session timeouts to clear idle connections
```
ip domain-name corp.example.com
crypto key generate rsa modulus 4096
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
no ip ssh server algorithm encryption 3des-cbc
ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512
!
line vty 0 15
 transport input ssh
 transport output none
 exec-timeout 10 0
 access-class ACL-MGMT in vrf-also
```
Services You Should Disable Immediately
Default IOS XE installations enable numerous services that expand your attack surface without providing production value. Several deserve immediate attention:
| Service | Risk | Disable Command |
|---|---|---|
| Smart Install (vstack) | Critical — actively exploited in the wild | no vstack |
| HTTP Server | Cleartext management interface | no ip http server |
| TCP/UDP Small Servers | Legacy services with no modern use | no service tcp-small-servers; no service udp-small-servers |
| CDP/LLDP | Information disclosure to adjacent devices | no cdp run; no lldp run |
| IP Source Routing | Allows attackers to specify packet paths | no ip source-route |
⚠️ Smart Install Warning: Cisco Smart Install has been weaponized in multiple attack campaigns. If you haven't already disabled it, do so immediately with no vstack. Verify with nmap -p 4786 from an external host.
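The password-type and disabled-service rules above can be checked offline against a saved running-config before anything is pushed to a device. The following audit script is an added example, not part of this guide or of any Cisco tooling; it runs over a constructed sample config embedded in the script, classifies secrets by the numeric type marker that `show running-config` prints, flags unwanted global services (treating Smart Install, CDP and IP source routing as on-by-default, so only an explicit `no ...` line counts as disabled), and inspects each `line vty` stanza for non-SSH transports and a missing access-class.

```python
"""Offline audit of an IOS XE running-config for the management-plane items
in this guide. Added example; the sample config is constructed, not real."""
import re

# Constructed sample: a partially hardened device with several leftovers.
SAMPLE_CONFIG = """\
hostname edge-rtr01
enable secret 8 $8$EXAMPLESALT$EXAMPLEHASH
username admin privilege 15 secret 9 $9$EXAMPLESALT$EXAMPLEHASH
username backup privilege 15 secret 5 $1$EXMP$EXAMPLEMD5HASH
username netops password 7 <type7-string>
ip http server
no ip http secure-server
service tcp-small-servers
no cdp run
!
line vty 0 4
 transport input telnet ssh
 exec-timeout 10 0
line vty 5 15
 transport input ssh
 access-class ACL-MGMT in vrf-also
"""

# Numeric type markers as printed after 'secret' / 'password' in a running-config.
SECRET_TYPES = {
    "8": "Type-8 PBKDF2-SHA-256 (ok)",
    "9": "Type-9 scrypt (ok)",
    "5": "Type-5 MD5 (deprecated)",
    "7": "Type-7 Vigenere (reversible)",
    "0": "Type-0 plaintext",
}
SECRET_RE = re.compile(r"^(?:enable|username\s+(\S+)).*?\s(secret|password)\s+(\d)\s")

# Global-config commands that should not appear on a hardened device.
UNWANTED_SERVICES = {
    "vstack": "Smart Install enabled (disable with 'no vstack')",
    "ip http server": "cleartext HTTP management enabled",
    "ip http secure-server": "HTTPS management enabled",
    "service tcp-small-servers": "TCP small servers enabled",
    "service udp-small-servers": "UDP small servers enabled",
    "cdp run": "CDP enabled",
    "lldp run": "LLDP enabled",
    "ip source-route": "IP source routing enabled",
}
# On by default: these only show up in the config as 'no <cmd>' once disabled.
DEFAULT_ON = {"vstack", "cdp run", "ip source-route"}


def _vty_stanzas(lines):
    """Group indented sub-commands under their 'line vty ...' parent."""
    stanzas, current = {}, None
    for line in lines:
        if line.startswith("line vty"):
            current = line.strip()
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None
    return stanzas


def audit_config(config):
    """Return a list of human-readable findings for the given config text."""
    lines = config.splitlines()
    top = {l.strip() for l in lines if l and not l.startswith(" ")}
    findings = []
    for cmd, msg in UNWANTED_SERVICES.items():
        if cmd in top:
            findings.append(f"SERVICE: {msg}")
        elif cmd in DEFAULT_ON and f"no {cmd}" not in top:
            findings.append(f"SERVICE: {msg} ('no {cmd}' not found; on by default)")
    for line in lines:
        m = SECRET_RE.match(line)
        if m and m.group(3) not in ("8", "9"):
            account = m.group(1) or "enable"
            kind = SECRET_TYPES.get(m.group(3), f"unknown type {m.group(3)}")
            findings.append(f"SECRET: {account} uses {kind}")
    for name, subs in _vty_stanzas(lines).items():
        for sub in subs:
            if sub.startswith("transport input") and sub.split()[2:] != ["ssh"]:
                findings.append(f"VTY: {name} {sub} (should be ssh only)")
        if not any(s.startswith("access-class") for s in subs):
            findings.append(f"VTY: {name} has no access-class restricting sources")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

The sample produces eight findings: Smart Install and IP source routing never disabled, HTTP and TCP small servers explicitly on, one MD5 and one Type-7 credential, and a VTY range that still accepts Telnet without an access-class. A config that carries only the expected `no vstack`, `no cdp run` and `no ip source-route` lines audits clean.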
AAA: The Authentication Foundation
Authentication, Authorization, and Accounting (AAA) provides centralized identity management for network devices. Without it, you're managing credentials device-by-device—an operational nightmare that inevitably leads to security gaps.
TACACS+ vs RADIUS: Making the Right Choice
For device administration, TACACS+ offers significant advantages over RADIUS:
- Full packet encryption — RADIUS only encrypts the password field; TACACS+ encrypts the entire payload
- Per-command authorization — Control exactly which commands each user or group can execute
- Granular accounting — Log every command entered, not just session start/stop
RADIUS remains appropriate for 802.1X network access control, but TACACS+ should be your default for managing network equipment.
Production TACACS+ Configuration:
```
aaa new-model
!
tacacs server TACACS-PRIMARY
 address ipv4 10.0.0.100
 key 7 <encrypted-key>
 timeout 5
tacacs server TACACS-SECONDARY
 address ipv4 10.0.0.101
 key 7 <encrypted-key>
!
aaa group server tacacs+ TACACS-GROUP
 server name TACACS-PRIMARY
 server name TACACS-SECONDARY
!
ip tacacs source-interface Loopback0
!
aaa authentication login VTY-AUTH group TACACS-GROUP local
aaa authentication login CON-AUTH local
aaa authorization exec default group TACACS-GROUP local if-authenticated
aaa authorization commands 15 default group TACACS-GROUP local
aaa accounting exec default start-stop group TACACS-GROUP
aaa accounting commands 15 default start-stop group TACACS-GROUP
!
! The named login lists take effect only once applied to the lines
line con 0
 login authentication CON-AUTH
line vty 0 15
 login authentication VTY-AUTH
```
Note the console line uses local authentication only. This provides a break-glass mechanism when TACACS+ servers are unreachable—but it requires physical access to the device.
Control Plane Protection: Guarding the Brain
The control plane manages routing protocols, device management, and protocol exchanges that keep your network functioning. Unlike data plane traffic that flows through the device, control plane traffic terminates on the device's CPU—making it vulnerable to resource exhaustion attacks.
Control Plane Policing (CoPP)
CoPP is arguably the single most impactful control plane protection you can implement. It rate-limits traffic destined to the route processor, preventing CPU exhaustion even under attack conditions.
The strategy involves classifying traffic by importance:
- Critical — Routing protocols (BGP, OSPF, EIGRP). High rate limits, rarely dropped.
- Important — Management traffic (SSH, SNMP, NTP). Moderate limits.
- Normal — ICMP for troubleshooting. Lower limits.
- Undesirable — Known attack vectors. Severely limited or dropped entirely.
```
class-map match-any CoPP-CRITICAL
 match access-group name ACL-COPP-BGPIGP
class-map match-any CoPP-IMPORTANT
 match access-group name ACL-COPP-MGMT
class-map match-any CoPP-UNDESIRABLE
 match access-group name ACL-COPP-DENY
!
policy-map COPP-POLICY
 class CoPP-CRITICAL
  police rate 4000 pps conform-action transmit exceed-action drop
 class CoPP-IMPORTANT
  police rate 1000 pps conform-action transmit exceed-action drop
 class CoPP-UNDESIRABLE
  police rate 10 pps conform-action drop exceed-action drop
 class class-default
  police rate 200 pps conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
```
✓ Best Practice: Deploy CoPP in monitoring mode first. Use show policy-map control-plane to baseline normal traffic patterns before enabling drops. A misconfigured CoPP policy can disrupt routing protocols.
Infrastructure ACLs
Infrastructure ACLs (iACLs) filter traffic at the network edge before it reaches your infrastructure address space. They complement CoPP by blocking known-bad traffic patterns entirely.
Essential iACL elements include:
- Fragment filtering — IP fragments can bypass stateless ACLs and overwhelm reassembly buffers
- IP options denial — Packets with IP options often indicate reconnaissance or attacks
- Low TTL filtering — TTL expiry attacks generate ICMP responses that consume CPU
- Explicit permits for required protocols from trusted sources only
- Deny-all to infrastructure address space
Routing Protocol Security
Unsecured routing protocols represent a critical vulnerability. An attacker who can inject routes can redirect traffic through their systems, enabling interception, modification, or blackholing of communications.
BGP Security Essentials
For BGP deployments, implement these protections as baseline requirements:
| Protection | Purpose | Configuration |
|---|---|---|
| MD5 Authentication | Prevent unauthorized peer establishment | neighbor x.x.x.x password <key> |
| GTSM (TTL Security) | Accept BGP only from directly connected peers | neighbor x.x.x.x ttl-security hops 1 |
| Maximum Prefix | Prevent route table explosion attacks | neighbor x.x.x.x maximum-prefix 500000 80 |
| Prefix Filtering | Control which routes are accepted/advertised | neighbor x.x.x.x prefix-list PL-IN in |
IGP Authentication
Interior gateway protocols like OSPF and EIGRP require authentication on all routing interfaces. Modern implementations support HMAC-SHA-256, which should replace legacy MD5 authentication.
Equally important: configure passive-interface default on all routing processes. This prevents routing protocol injection through user-facing ports—only explicitly configured interfaces participate in routing exchanges.
Data Plane Hardening: Protecting Traffic in Transit
The data plane handles forwarding of user traffic. Hardening here focuses on preventing spoofing, blocking attack amplification, and securing Layer 2 switching environments.
Anti-Spoofing with uRPF
Unicast Reverse Path Forwarding (uRPF) validates that incoming packets have source addresses reachable via the receiving interface. This defeats many spoofed-source attacks.
- Strict mode — Source must be reachable via the specific interface the packet arrived on. Best for single-homed connections.
- Loose mode — Source must be reachable via any interface. Use on multi-homed connections where asymmetric routing is normal.
⚠️ Important: Strict mode will drop legitimate traffic in asymmetric routing scenarios. Test thoroughly before production deployment, particularly on Internet-facing interfaces with multiple upstream paths.
Layer 2 Security Controls
Switches require their own hardening focus. These controls prevent common Layer 2 attacks:
| Control | Prevents |
|---|---|
| DHCP Snooping | Rogue DHCP servers hijacking client configurations |
| Dynamic ARP Inspection (DAI) | ARP spoofing and man-in-the-middle attacks |
| IP Source Guard | IP address spoofing at the access layer |
| BPDU Guard | Rogue switches manipulating Spanning Tree |
| switchport nonegotiate | VLAN hopping via DTP exploitation |
| Port Security | MAC flooding attacks and unauthorized devices |
ICMP and Redirect Hardening
Several interface-level settings warrant attention:
- no ip redirects — Prevents your device from helpfully telling attackers about better routes
- no ip unreachables — Stops ICMP unreachable messages that aid reconnaissance
- no ip proxy-arp — Prevents the router from answering ARP requests on behalf of other hosts
- no ip directed-broadcast — Blocks Smurf amplification attacks
Logging and Monitoring: Visibility Is Everything
Security without visibility is incomplete. Proper logging enables incident detection, forensic investigation, and compliance demonstration.
Essential Logging Configuration
```
logging host 10.0.0.10 transport tcp port 6514
logging trap informational
logging buffered 16384 informational
logging source-interface Loopback0
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
logging origin-id hostname
logging userinfo
!
archive
 log config
  logging enable
  notify syslog
```
Key points: TCP transport is more reliable than UDP for log delivery. Millisecond timestamps with timezone information are essential for correlating events across distributed systems. Config change logging captures who changed what and when.
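Once config-change logging and login messages reach the collector, the value is in what you do with them. The detection script below is an added example (not part of this guide or of any vendor product) that parses the `%FACILITY-SEVERITY-MNEMONIC:` message header from syslog lines, raises an alert when a logged configuration command weakens the controls discussed above (re-enabling Telnet or HTTP, touching AAA or logging, adding accounts, enabling Smart Install), and counts failed logins per source to spot password guessing. The sample lines are constructed to resemble IOS XE output with `logging origin-id hostname` and millisecond timestamps; they are not captured from a real device, and the failure count is per batch rather than per time window.

```python
"""Detection rules over IOS XE syslog lines. Added example; the sample log
lines are constructed, not captured."""
import re
from collections import Counter

# Constructed sample lines (hostname, timestamp and addresses are made up).
SAMPLE_LOGS = [
    "<189>101: edge-rtr01: Jan  9 10:13:40.001 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.50] [localport: 22] at 10:13:40 UTC Tue Jan 9 2024",
    "<189>102: edge-rtr01: Jan  9 10:13:46.123 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no ip http server",
    "<189>103: edge-rtr01: Jan  9 10:13:52.456 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:transport input telnet ssh",
    "<189>104: edge-rtr01: Jan  9 10:14:01.789 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:username svc-monitor privilege 15 secret 8 <hash>",
    "<189>105: edge-rtr01: Jan  9 10:14:10.000 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.50)",
    "<188>106: edge-rtr01: Jan  9 10:15:01.010 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.23] [localport: 22] [Reason: Login Authentication Failed] at 10:15:01 UTC Tue Jan 9 2024",
    "<188>107: edge-rtr01: Jan  9 10:15:02.020 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 198.51.100.23] [localport: 22] [Reason: Login Authentication Failed] at 10:15:02 UTC Tue Jan 9 2024",
    "<188>108: edge-rtr01: Jan  9 10:15:03.030 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.23] [localport: 22] [Reason: Login Authentication Failed] at 10:15:03 UTC Tue Jan 9 2024",
    "<188>109: edge-rtr01: Jan  9 10:16:30.500 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.50] [localport: 22] [Reason: Login Authentication Failed] at 10:16:30 UTC Tue Jan 9 2024",
]

MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")
CFGLOG_RE = re.compile(r"User:(\S+)\s+logged command:(.*)")
SOURCE_RE = re.compile(r"\[Source: ([^\]]+)\]")

# Command prefixes that undo controls from this guide; 'vstack' alone re-enables Smart Install.
RISKY_PREFIXES = (
    "transport input telnet", "transport input all", "ip http server",
    "no aaa", "no logging", "no service password-encryption",
    "username", "enable password",
)


def parse_message(line):
    """Split the %FACILITY-SEV-MNEMONIC header off a syslog line; None if absent."""
    m = MSG_RE.search(line)
    return m.groupdict() if m else None


def is_risky(command):
    cmd = command.strip()
    return cmd == "vstack" or any(cmd.startswith(p) for p in RISKY_PREFIXES)


def detect(lines, fail_threshold=3):
    """Return alert strings for risky config commands and repeated login failures."""
    alerts, failures = [], Counter()
    for line in lines:
        msg = parse_message(line)
        if msg is None:
            continue
        key = f"{msg['facility']}-{msg['sev']}-{msg['mnemonic']}"
        if key == "PARSER-5-CFGLOG_LOGGEDCMD":
            m = CFGLOG_RE.search(msg["text"])
            if m and is_risky(m.group(2)):
                alerts.append(f"RISKY_CONFIG user={m.group(1)} cmd='{m.group(2).strip()}'")
        elif key == "SEC_LOGIN-4-LOGIN_FAILED":
            m = SOURCE_RE.search(msg["text"])
            if m:
                failures[m.group(1)] += 1
    for src, n in failures.items():
        if n >= fail_threshold:
            alerts.append(f"BRUTE_FORCE src={src} failures={n}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

On the sample batch this yields two config alerts (Telnet re-enabled on a VTY, a new privilege-15 account) and one brute-force alert for the external source with three failures; the single failure from the management station stays below the threshold. The `no ip http server` change is logged but not alerted, since it tightens rather than loosens the device.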
SNMP: Upgrade or Disable
SNMPv1 and v2c transmit community strings in cleartext—effectively passwords visible to anyone capturing network traffic. The options are clear: upgrade to SNMPv3 with authentication and encryption, or disable SNMP entirely if not required for monitoring.
```
no snmp-server community public
no snmp-server community private
! The group below references this view, so it must be defined first (read-only view of the full tree)
snmp-server view READONLY-VIEW iso included
snmp-server group ADMINS v3 priv read READONLY-VIEW
snmp-server user SNMPUSER ADMINS v3 auth sha <password> priv aes 256 <password>
snmp-server host 10.0.0.5 version 3 priv SNMPUSER
```
NTP: Time Is a Security Control
Accurate, synchronized time isn't just convenient—it's a security requirement. Log correlation, certificate validation, and event reconstruction all depend on trustworthy timestamps. Authenticate your NTP sources and restrict which systems can synchronize with your devices.
Validation and Testing
Hardening without verification is wishful thinking. After implementing changes, validate from an external perspective:
| Test | Method | Expected Result |
|---|---|---|
| SSH v2 Only | ssh -v admin@device | Connected via SSHv2 |
| Telnet Blocked | telnet device | Connection refused |
| HTTP Blocked | curl http://device | Connection refused |
| Smart Install Off | nmap -p 4786 device | Port filtered/closed |
| SNMPv1/v2c Blocked | snmpget -v2c -c public device | Timeout or auth error |
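The table's checks can be scripted so they run the same way after every change. The helper below is an added example (not from this guide or from Cisco) that classifies a TCP port as open, closed or filtered with a plain connect, reads the SSH identification string and maps it to a verdict, and compares observed port states against the expectations in the table. One detail the `ssh -v` check can hide: a server that announces `SSH-1.99-...` still negotiates SSHv1 with old clients, so only `SSH-2.0-...` counts as SSHv2-only. The `host` argument, the port-to-name mapping and the sample result dictionaries are assumptions for the demo.

```python
"""Scripted external validation for a hardened device. Added example; the
expected-state table and sample observations are constructed."""
import socket

# Port checks from the validation table: each should be closed or filtered afterwards.
EXPECTED = {
    "telnet": (23, {"closed", "filtered"}),
    "http": (80, {"closed", "filtered"}),
    "smart-install": (4786, {"closed", "filtered"}),
}


def classify_ssh_banner(banner):
    """Map an RFC 4253 identification string ('SSH-protoversion-software') to a verdict."""
    b = banner.strip()
    if not b.startswith("SSH-"):
        return "not-ssh"
    proto = b.split("-", 2)[1]
    if proto == "2.0":
        return "v2-only"
    if proto == "1.99":
        return "v1-and-v2"      # compatibility mode: SSHv1 still accepted
    if proto.startswith("1."):
        return "v1-only"
    return "unknown"


def tcp_port_state(host, port, timeout=3.0):
    """'open' on connect, 'closed' on RST, 'filtered' when nothing answers."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:             # timeout, no route, host unreachable
        return "filtered"
    finally:
        sock.close()


def read_ssh_banner(host, port=22, timeout=3.0):
    """Fetch the server's identification line without authenticating."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(255).decode("ascii", "replace").split("\r\n")[0]


def evaluate_ports(observed):
    """observed: {port: state}. Returns (name, port, state) tuples that fail expectations."""
    return [
        (name, port, observed.get(port, "untested"))
        for name, (port, ok_states) in EXPECTED.items()
        if observed.get(port) not in ok_states
    ]


def run_checks(host):
    """Probe a host and return (port failures, SSH verdict)."""
    observed = {port: tcp_port_state(host, port) for port, _ in EXPECTED.values()}
    return evaluate_ports(observed), classify_ssh_banner(read_ssh_banner(host))


if __name__ == "__main__":
    import sys
    failures, verdict = run_checks(sys.argv[1])   # e.g. python check.py 192.0.2.1
    print("SSH:", verdict)
    for name, port, state in failures:
        print(f"FAIL {name} tcp/{port} is {state}")
```

Run it from a host outside the management network so the access-class on the VTY lines is exercised as well; a result of `v1-and-v2` means `ip ssh version 2` has not taken effect, and any port listed as `open` means the corresponding service is still reachable.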
Additionally, verify your IOS XE version against Cisco's Software Checker at sec.cloudapps.cisco.com to identify known vulnerabilities in your running software.
Production Deployment Strategy
Hardening a production device differs from configuring new equipment. Follow this sequence to minimize risk:
- Backup first. Archive the current configuration and verify your restore process works.
- Enable AAA incrementally. Start with local authentication to verify the framework functions before adding TACACS+.
- Test SSH access before removing Telnet. Confirm connectivity from your management station.
- Apply ACLs in permit-all/log mode first. Review logs to identify legitimate traffic before converting to deny rules.
- Deploy CoPP in monitoring mode. Baseline normal traffic volumes for at least 24 hours before enabling drops.
- Maintain console access. Keep a console connection available during remote hardening in case you lock yourself out.
Quick Reference Checklist
Use this condensed checklist for deployment verification:
Management Plane
- ☐ Type-8 passwords for all accounts
- ☐ AAA with TACACS+ and local fallback
- ☐ SSHv2 only, Telnet disabled
- ☐ VTY access-class restricting sources
- ☐ SNMPv3 authPriv, default communities removed
- ☐ Logging to central SIEM
- ☐ Smart Install (vstack) disabled
- ☐ HTTP/HTTPS servers disabled
Control Plane
- ☐ CoPP policy deployed and enforcing
- ☐ Infrastructure ACLs on external interfaces
- ☐ BGP authentication and GTSM
- ☐ IGP authentication on routing interfaces
- ☐ passive-interface default configured
Data Plane
- ☐ uRPF on edge interfaces
- ☐ DHCP snooping and DAI on access layer
- ☐ BPDU guard on access ports
- ☐ DTP disabled (switchport nonegotiate)
- ☐ ip redirects, unreachables, proxy-arp disabled
Device hardening isn't a one-time project—it's an ongoing discipline. New vulnerabilities emerge, configurations drift, and attack techniques evolve. Regular audits using tools like CIS benchmarks, Nipper, or Cisco's own assessment guides help maintain your security posture over time.
The configurations outlined here represent defensive depth in practice: multiple overlapping controls that ensure a single failure doesn't compromise the entire device. Start with the critical items, validate each change, and build toward comprehensive coverage. Your network's security depends on the details.