You can do device hardening and test your router configuration by using the Security Audit Wizard. It'll help you locate potential security problems in your configuration. When it's done, the wizard will show you a screen that allows you to determine which security problems you want to fix. Once you determine that, the wizard will make the necessary changes in the router configuration and solve the problems with one-step lockdown. To do a security audit, from the feature bar, go to Configure > Security > Security Audit. Then click Perform Security Audit, the welcome page of the wizard will open.
Continuing with the audit, click Next. The Security audit interface configuration page will open. Then input the data that will identify the router interfaces that connect to your inside network and the router interfaces of your outside network. For each listed interface, check either Inside or Outside to indicate where it's connecting to. Then click Next, the wizard tests your configuration to look for security vulnerabilities. The vulnerabilities are determined by Cisco best practices. A screen showing the progress will open, it'll list all the configuration options being tested and whether the current router configuration passes those tests. If you want to save this report to a file, click Save Report. When you're done, click Close. The Security Audit report card screen opens showing a list of possible security issues.
Continuing on, check the Fix it checkbox next to any problems that you want the CCP to fix. To describe the problem and list the IOS commands that'd be added to configuration, click the problem description to display a help page, then click Next. The wizard may display one or more screens requiring input for certain problems. Enter the information as necessary. Then, click Next for each of those screens.
Finally, the Summary page of the wizard shows a list of all the configuration changes the security audit will make. Click Finish to implement those changes to your router. The CCP can't undo the security fix. If you wanted to remove the security configuration, run the Security Audit Wizard again. In the Report Card window, choose the option Undo security configurations and check the checkbox of any configuration that you want to undo. When you're done, click Next.
The One-step lockdown option tests your router configuration for potential security problems, and it'll automatically make the changes necessary to correct the problems that it discovers. This configuration is going to be compared against Cisco best practices similar to the Security Audit Wizard. However, this time, the changes are made automatically and without prompting you to choose the components to fix. To do this, navigate to Configure > Security > Security Audit > One-Step Lockdown.
The One-step lockdown feature simplifies the hardening of your router by using the AutoSecure feature with a one-click option. To confirm the process, assuming the confirmation window, click to deliver the new settings. You can see here how the confirmation popup also shows how to roll back the new settings with the Security Audit feature as previously mentioned. You can also see here how the wizard lists the settings that are modified before offering the option to deliver them.
Here we can see an example of the delta commands that are going to be delivered to our router after running the One-step lockdown feature:
aaa new-modelaaa authorization exec local_author localaaa authentication login local_authen localline vty 5 15login authentication local_authenauthorization exec local_authorexitline vty 0 4login authentication local_authenauthorization exec local_authorexitline con 0login authentication local_authenexitline aux 0login authentication local_authenexitno service padservice password-encryptionservice tcp-keepalives-inservice tcp-keepalives-outno ip bootp serverno ip source-routeservice sequence-numbersservice timestamps debug datetime msec localtime show-timezoneservice timestamps log datetime msec localtime show-timezonescheduler allocate 4000 1000ip tcp synwait-time 10no cdp runsecurity authentication failure rate 3 logsecurity passwords min-length 6ip ssh time-out 60ip ssh authentication-retries 2banner login ~Authorized access only!Disconnect IMMEDIATELY if you are not an authorized user!~logging console criticallogging trap debugginglogging buffered 51200 debugginginterface FastEthernet0/1no ip proxy-arpno ip redirectsno ip unreachablesip route-cache flowno mop enabledexitinterface Null0exitdefault interface Null0interface Null0no ip unreachablesexitinterface FastEthernet0/0no ip proxy-arpno ip redirectsno ip unreachablesip route-cache flowno mop enabledexit
Caveats and guidelines
Keep in mind that the CCP Wizard will not implement certain Cisco AutoSecure features. For example, it will not disable NTP, it won't configure AAA – authentication, authorization, and accounting, it will not set SPD values – Selective Packet Discard. It will not enable TCP intercepts, and it won't configure antispoofing ACLs on the outside interfaces. Also, CCP will implement certain AutoSecure features differently as well. It'll disable SNMP but it won't configure SNMPv3 on some routers. It also enables and configures Secure Shell on cryptographic IOS images, but it won't enable SCP or disable other access and file transfer services, such as FTP.