STIGQter: STIG Summary: Cisco IOS Switch NDM Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The Cisco switch must be configured to prohibit the use of all unnecessary and non-secure functions and services.

DISA Rule

SV-220586r521267_rule

Vulnerability Number

V-220586

Group Title

SRG-APP-000142-NDM-000245

Rule Version

CISC-ND-000470

Severity

CAT I

CCI(s)

CCI-000382 - The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services.

Weight

Fix Recommendation

Disable the following services if enabled as shown in the example below:

SW2(config)#no boot network
SW2(config)#no ip boot server
SW2(config)#no ip bootp server
SW2(config)#no ip dns server
SW2(config)#no ip identd
SW2(config)#no ip finger
SW2(config)#no ip http server
SW2(config)#no ip rcmd rcp-enable
SW2(config)#no ip rcmd rsh-enable
SW2(config)#no service config
SW2(config)#no service finger
SW2(config)#no service tcp-small-servers
SW2(config)#no service udp-small-servers
SW2(config)#no service pad
SW2(config)#end

Check Contents

Verify that the switch does not have any unnecessary or non-secure ports, protocols, and services enabled.

For example, the following commands should not be in the configuration:

boot network
ip boot server
ip bootp server
ip dns server
ip identd
ip finger
ip http server
ip rcmd rcp-enable
ip rcmd rsh-enable
service config
service finger
service tcp-small-servers
service udp-small-servers

If any unnecessary or non-secure ports, protocols, or services are enabled, this is a finding.

The Cisco switch must be configured to prohibit the use of all unnecessary and non-secure functions and services.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments