
Best Practices for hardening ScreenOS

  [KB29016]


Summary:

This article describes ways to harden management access to a ScreenOS device: replacing the factory admin credentials, restricting where and how administrators can connect, and exposing only the management services that are actually needed.


Symptoms:

The goal is to provide recommendations for securing ScreenOS against attacks.


Solution:

Implement the recommendations below to help secure ScreenOS against attacks. Each command takes effect immediately; run save afterwards to write the change to flash, otherwise it is lost at the next reboot. Apply the access-restriction steps (manager-ip, manage-ip, disabling the physical interface and unused services) from the console, or at least from a host that will still be permitted when the step completes, so you do not lock yourself out of your own session.

Change the default username and password.

  • The factory root administrator is netscreen with password netscreen. Any device still using these credentials can be logged into by anyone who can reach a management service.

  • Username

Command:

set admin name <name>

Example: 

set admin name a$df@d

  • Password

Command:

set admin password <plain-text password>

Example:

set admin password abcdefgh123

  • The password is typed in clear text on the CLI but is stored hashed in the saved configuration. The example value above is for illustration only; use a long, unique password that is not shared with other devices.

Disable root user login except by direct console.

  • Device-wide.
  • This restricts the root administrator to the physical console port. Other configured administrators can still log in through the management services enabled on the device, so create a separate non-root admin account for day-to-day remote administration before applying this.

Command:

set admin root access console

Enable manager-ip.

  • Device-wide.
  • This limits the IP addresses (hosts or subnets, depending on the mask) that are allowed to manage the device. Management requests from any other source are silently dropped. Repeat the command to permit more than one address or subnet, and make sure the host you are currently connected from is included before the first entry is added.

Command:

set admin manager-ip <ip> <mask>

Example:

set admin manager-ip 10.1.1.30 255.255.255.255


Enable manage-ip.

  • Per interface.
  • This accepts management requests on an IP address that is different from the physical interface IP. The manage-ip must be in the same subnet as the interface IP, and it should be an address reserved for administration rather than one that also carries user traffic.

Command:

set interface <interface> manage-ip <ip>

Example:

set interface ethernet0/0 manage-ip 10.1.1.5


Disable the physical interface management.

  • Per interface.
  • This stops the interface from accepting management requests on its physical IP, so management is accepted only for requests sent to the manage-ip (see above). Confirm that the manage-ip is reachable before removing management from the physical IP, since this is the point at which a remote session can lock itself out.

Command:

unset interface <interface> manageable

Example:

unset interface ethernet0/0 manageable


Disable unused services.

  • Per interface.
  • Only the services explicitly set for an interface respond on it. Services: ident-reset, mtrace, ping, snmp, ssh, ssl, telnet, web.
  • Recommendation: permit only the encrypted protocols (ssh for the CLI, ssl for the WebUI) and only on management or trusted interfaces; leave telnet and web disabled everywhere, since both carry credentials in clear text. Interfaces facing untrusted networks should have no management services at all.

Command:

unset interface <interface> manage
set interface <interface> manage <service>

Example:

unset interface ethernet0/0 manage
set interface ethernet0/0 manage ssh

The first command clears every management service on the interface; the second re-enables just the one named. Repeat the set command with ssl if the WebUI is needed on that interface.


Change default management port numbers.

  • Device-wide.
  • Moving a service off its well-known port reduces exposure to automated scans but is not an access control on its own; it complements manager-ip and the service restrictions above rather than replacing them. Change the port only for services you actually expose, and remember that administrators must then specify the new port when connecting.
  • SSH:

Command:

set admin ssh port <1024-32767>

Example:

set admin ssh port 1024

  • HTTP:

Command:

set admin port <1024-32767>

Example:

set admin port 1025

  • HTTPS:

Command:

set ssl port <1024-32767>

Example:

set ssl port 1026

  • Telnet (only relevant if telnet has not been disabled as recommended above; prefer ssh instead):

Command:

set admin telnet port <1024-32767>

Example:

set admin telnet port 1027
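The steps above (default credentials, root console-only access, manager-ip, manage-ip, disabling the physical interface, restricting services, and moving ports) are easy to apply once and hard to keep verified across a fleet. The following script is an added example, not part of this KB article or of ScreenOS itself: it reads the text of a get config dump and reports which of these hardening items are missing. It assumes the dump uses the same set/unset command syntax shown in this article (with or without quotes around names, and accepting either manageable or ip manageable for the interface flag), and it audits only what appears on the lines; it does not model ScreenOS defaults for settings the dump omits. The sample configuration at the bottom is constructed for illustration.

```python
"""Audit a ScreenOS ``get config`` dump against the KB29016 hardening items.

Added example (not KB or ScreenOS code). Assumptions: command syntax as shown
in the article; an interface is treated as manageable on its physical IP
unless an ``unset ... manageable`` line says otherwise; the sample config
below is constructed, not captured from a device.
"""
import re

DEFAULT_ADMIN = "netscreen"        # factory admin username on ScreenOS
SECURE_SERVICES = {"ssh", "ssl"}   # the only services the article recommends
# service -> the line that moves it off its default port
PORT_LINES = {
    "ssh": re.compile(r"^set admin ssh port \d+$"),
    "web": re.compile(r"^set admin port \d+$"),
    "ssl": re.compile(r"^set ssl port \d+$"),
    "telnet": re.compile(r"^set admin telnet port \d+$"),
}
_IFACE = re.compile(r'^(set|unset) interface "?([^\s"]+)"? (.+)$')


def parse_config(text):
    """Extract the management-relevant state from a config dump."""
    state = {"admin_name": DEFAULT_ADMIN, "root_console_only": False,
             "manager_ips": [], "port_changed": set(), "interfaces": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^set admin name "?([^"]+)"?$', line)
        if m:
            state["admin_name"] = m.group(1)
            continue
        if line == "set admin root access console":
            state["root_console_only"] = True
            continue
        m = re.match(r"^set admin manager-ip (\S+) (\S+)$", line)
        if m:
            state["manager_ips"].append((m.group(1), m.group(2)))
            continue
        for svc, pat in PORT_LINES.items():
            if pat.match(line):
                state["port_changed"].add(svc)
        m = _IFACE.match(line)
        if not m:
            continue
        verb, name, rest = m.groups()
        iface = state["interfaces"].setdefault(
            name, {"manage_ip": None, "manageable": True, "services": set()})
        if rest in ("manageable", "ip manageable"):
            iface["manageable"] = verb == "set"
        elif rest.startswith("manage-ip "):
            iface["manage_ip"] = rest.split()[1]
        elif rest == "manage" and verb == "unset":
            iface["services"].clear()          # 'unset interface X manage'
        elif rest.startswith("manage "):
            svc = rest.split()[1]
            (iface["services"].add if verb == "set"
             else iface["services"].discard)(svc)
    return state


def audit(text):
    """Return a list of findings; an empty list means every item is satisfied."""
    s = parse_config(text)
    findings = []
    if s["admin_name"] == DEFAULT_ADMIN:
        findings.append("admin name is still the default '%s'" % DEFAULT_ADMIN)
    if not s["root_console_only"]:
        findings.append("root admin may log in remotely "
                        "(no 'set admin root access console')")
    if not s["manager_ips"]:
        findings.append("no manager-ip set: any host can reach management")
    enabled = set()
    for name, i in sorted(s["interfaces"].items()):
        if not i["services"]:
            continue                     # nothing listens here
        enabled |= i["services"]
        insecure = sorted(i["services"] - SECURE_SERVICES)
        if insecure:
            findings.append("%s: insecure management services enabled: %s"
                            % (name, ", ".join(insecure)))
        if i["manage_ip"] is None:
            findings.append("%s: no manage-ip; management rides on the "
                            "physical IP" % name)
        elif i["manageable"]:
            findings.append("%s: physical IP still manageable although "
                            "manage-ip %s is set" % (name, i["manage_ip"]))
    for svc in sorted(enabled & PORT_LINES.keys()):
        if svc not in s["port_changed"]:
            findings.append("%s still listens on its default port" % svc)
    return findings


# Constructed sample: eth0/0 follows the article, eth0/1 does not.
SAMPLE_CONFIG = """\
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin manager-ip 10.1.1.30 255.255.255.255
set admin ssh port 1024
set interface "ethernet0/0" zone "Trust"
set interface ethernet0/0 ip 10.1.1.1/24
set interface ethernet0/0 manage-ip 10.1.1.5
unset interface ethernet0/0 manageable
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage ssl
set interface "ethernet0/1" zone "Untrust"
set interface ethernet0/1 ip 192.168.1.1/24
set interface ethernet0/1 manage ping
set interface ethernet0/1 manage telnet
set interface ethernet0/1 manage web
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("FINDING:", f)
```

Run it against the saved output of get config from each device; a clean run returns no findings. The port check fires only for services that are enabled on at least one interface, so a device with telnet and web disabled is not nagged about their ports.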

