This article describes ways to harden ScreenOS management.
Implement the recommendations below to help secure ScreenOS management against attacks.
Change the default username and password.
Command:
set admin name <name>
Example:
set admin name a$df@d
Command:
set admin password <plain-text password>
Example:
set admin password abcdefgh123
Disable root user login except by direct console.
- Device-wide.
- This limits the root user to logging in only via the console port of the device. All other users can still log in through the configured management services.
Command:
set admin root access console
Enable manager-ip.
- Device-wide.
- This limits the IP addresses that are allowed to manage the device. All other management requests are silently dropped.
Command:
set admin manager-ip <ip> <mask>
Example:
set admin manager-ip 10.1.1.30 255.255.255.255
Enable manage-ip.
- Per interface.
- This allows management requests to an IP address that is different from the physical IP.
Command:
set interface <interface> manage-ip <ip>
Example:
set interface ethernet0/0 manage-ip 10.1.1.5
Disable the physical interface management.
- Per interface.
- This allows management requests to be accepted only when they are sent to the manage-ip (see above), not to the physical interface IP.
Command:
unset interface <interface> manageable
Example:
unset interface ethernet0/0 manageable
Disable unused services.
- Per interface.
- This permits only the explicitly enabled services to respond on the interface. Available services: ident-reset, mtrace, ping, snmp, ssh, ssl, telnet, web.
- Recommendation: Permit only the secure protocols (ssh, ssl), and only on management/trusted interfaces.
Command:
unset interface <interface> manage
set interface <interface> manage <service>
Example:
unset interface ethernet0/0 manage
set interface ethernet0/0 manage ssh
Change default management port numbers.
Command:
set admin ssh port <1024-32767>
Example:
set admin ssh port 1024
Command:
set ssl port <1024-32767>
Example:
set ssl port 1026
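The settings above can be checked against a saved ScreenOS configuration dump. The following audit script is an added example, not part of this article or of ScreenOS; it assumes the dump contains the commands in the same form shown above (interface names optionally quoted), treats netscreen as the factory default admin name, and uses a constructed sample dump.

```python
import re
from collections import defaultdict
# Constructed "get config" excerpt (not from a real device): a partially hardened box.
SAMPLE_CONFIG = """\
set admin name "netscreen"
set admin manager-ip 10.1.1.30 255.255.255.255
set interface ethernet0/0 manage-ip 10.1.1.5
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage telnet
set interface ethernet0/1 manage web
set admin ssh port 1024
"""
DEFAULT_ADMIN = "netscreen"              # factory default login name on ScreenOS
DEFAULT_PORTS = {"ssh": 22, "ssl": 443}  # in effect when no 'set ... port' line exists
CLEARTEXT = {"telnet", "web"}            # services the article drops as non-secure
IFACE = r'"?([\w/.-]+)"?'                # interface name, optionally quoted in dumps

def audit(config: str) -> list[str]:
    """Return findings for each article item that is missing or weak; [] means clean."""
    findings, ports, seen = [], dict(DEFAULT_PORTS), set()
    manage = defaultdict(set)               # interface -> enabled management services
    manageable = defaultdict(lambda: True)  # physical-IP management is on unless unset
    has_manage_ip = set()
    for raw in config.splitlines():
        line = raw.strip()
        if (m := re.fullmatch(r'set admin name "?([^"]+)"?', line)) and m[1] == DEFAULT_ADMIN:
            findings.append("default admin name still in use")
        elif line == "set admin root access console":
            seen.add("root-console")
        elif line.startswith("set admin manager-ip "):
            seen.add("manager-ip")
        elif m := re.fullmatch(r"set (?:admin )?(ssh|ssl) port (\d+)", line):
            ports[m[1]] = int(m[2])
        elif m := re.fullmatch(rf"set interface {IFACE} manage-ip \S+", line):
            has_manage_ip.add(m[1])
        elif m := re.fullmatch(rf"unset interface {IFACE} manageable", line):
            manageable[m[1]] = False
        elif m := re.fullmatch(rf"set interface {IFACE} manage (\w+)", line):
            manage[m[1]].add(m[2])
    if "root-console" not in seen:
        findings.append("root login not restricted to the console port")
    if "manager-ip" not in seen:
        findings.append("no manager-ip restriction configured")
    findings += [f"{s} still on default port {p}" for s, p in ports.items() if p == DEFAULT_PORTS[s]]
    for iface, services in sorted(manage.items()):
        findings += [f"{iface}: cleartext service {s} enabled" for s in sorted(services & CLEARTEXT)]
        if iface in has_manage_ip and manageable[iface]:
            findings.append(f"{iface}: manage-ip set but physical IP still manageable")
    return findings
```

Run `audit()` on the text of a real `get config` output; each returned string names one recommendation from this article that the dump does not yet satisfy.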
2020-09-22: Removed telnet and http, as those are non-secure management.
2021-01-21: Content reviewed for accuracy, minor non-technical changes.