Cisco ISR 4000 Family Routers Administrator Guidance
Page 18 of 66
In addition, configure your ssh client for dh-group-14. In Putty, configure the SSH client
to support only diffie-hellman-group14-sha1 key exchange. To configure Putty, do the
following:
Go into Putty Configuration Select > Connection > SSH > Kex;
Under Algorithm selection policy: move Diffie-Hellman group 14 to the top of the
list;
Move the “warn below here” option to right below DH group14
6. Configure vty lines to accept ‘ssh’ login services
TOE-common-criteria(config-line)# transport input ssh
7. Configure a SSH client to support only the following specific encryption algorithms:
AES-CBC-128
AES-CBC-256
peer#ssh -l cisco -c aes128-cbc 1.1.1.1
peer#ssh -l cisco -c aes256-cbc 1.1.1.1
8. Configure a SSH client to support message authentication. Only the following MACs are
allowed and “None” for MAC is not allowed:
a. hmac-sha1
b. hmac-sha1-96
peer#ssh -l cisco -m hmac-sha1-160 1.1.1.1
peer#ssh -l cisco -m hmac-sha1-96 1.1.1.1
9. To verify the proper encryption algorithms are used for established connections, use the
show ssh sessions command:
TOE-common-criteria# show ssh sessions
Note: To disconnect SSH sessions, use the ssh disconnect command:
TOE-common-criteria# ssh disconnect
10. Configure the SSH rekey time-based rekey and volume-based rekey values (values can be
configured to be lower than the default values if a shorter interval is desired):
a. ip ssh rekey time 60
b. ip ssh rekey volume 1000000
11. HTTP and HTTPS servers were not evaluated and must be disabled:
TOE-common-criteria(config)# no ip http server
TOE-common-criteria(config)# no ip http secure-server
12. SNMP server was not evaluated and must be disabled:
TOE-common-criteria(config)# no snmp-server
To Next Page
Loading...
Need help?
General
