As a network admin or Data Center employee you know the importance of securing your network. Interestingly enough, the following list is what we use as a starting point when auditing a network we go into, corporate or data center. It's amazing how many of these points are missed.
The average CCNA knows about them, but just tends to skip at least one or more of them...
Keeping IOS Version up to date
Password and Privilege levels
AUX, VTY, HTTP, and Console Access Control
Authentication, Authorization for Radius and Tacacs+
SNMP traps
RIP, OSPF, EIGRP and BGP Routing Security
Setting up logging for violations and manipulation of logging buffers, as well as ACL violations
NTP Security settings
Disabling finger, CDP, chargen and echo (if not needed)
Setting up Antispoofing Filters
Physical Access (be amazed how many janitors are night-time tech students)
First thing is to determine the IOS version you're using:
log in to the console and type
show version
There are a few levels of IOS version. Cisco has done an excellent job at setting up these classifications:
Early Deployment (ED) - Alpha stage
CTED - Consolidated Tech Early Deployment: Feature rich but unstable.
STED - Specific Early Deployment: Feature rich but unstable and focused on a specific platform
SMED - Specific Market Early Deployment: Very much like a STED but focused on a specific market segment (like an ISP, Datacenter, {us})
X - one-time, short-lived releases adding features to the ED
Major Releases
LD - Limited Deployment: Normally the first major IOS release, having passed through the ED stage. Lasts around 9 - 14 months generally (BETA STAGE)
GD - General Deployment: (LIVE) Once an IOS reaches the GD phase, normally no changes are made to the code, as its whole point is to remain as stable as possible.
As a checklist, generally you want to ensure that all routers are running a current IOS GD (General Deployment) release, check the IOS against Cisco's Security Advisories, and have a plan to recheck it on a regular basis.
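An added example, not part of the original post, of how that regular recheck can be automated: a small Python script that pulls the version token out of captured "show version" output and compares it against an approved-minimum list per release train. The baseline versions, hostnames and captured outputs are constructed for illustration and are not advisory data.

```python
import re
from typing import NamedTuple, Optional
# Matches the version token on the first line of "show version", e.g. "..., Version 12.4(24)T5, RELEASE SOFTWARE (fc1)".
VERSION_RE = re.compile(
    r"Version\s+(?P<major>\d+)\.(?P<minor>\d+)"
    r"\((?P<maint>\d+)(?P<maint_letter>[a-z]?)\)"  # the "d" in 12.4(25d) is a mainline rebuild
    r"(?P<train>[A-Z]*)(?P<rebuild>\d*)"           # 12.4(24)T5: train "T", rebuild 5
)

class IosVersion(NamedTuple):
    raw: str            # the version exactly as printed, e.g. "12.4(24)T5"
    major: int
    minor: int
    maint: int
    maint_letter: str
    train: str          # "" for a mainline release
    rebuild: int
    def sort_key(self):  # comparable only between releases of the same train
        return (self.major, self.minor, self.maint, self.maint_letter, self.rebuild)
def parse_show_version(output: str) -> Optional[IosVersion]:
    # Returns None when the captured text carries no recognisable version line.
    m = VERSION_RE.search(output)
    if m is None:
        return None
    return IosVersion(m.group(0).split()[1], int(m["major"]), int(m["minor"]),
                      int(m["maint"]), m["maint_letter"], m["train"], int(m["rebuild"] or 0))

# Constructed baseline (hypothetical values): the lowest release the audit accepts per train.
BASELINE = {"": "Version 12.4(25d)", "T": "Version 12.4(24)T8", "M": "Version 15.1(4)M10"}

def audit(hostname: str, output: str, baseline=BASELINE) -> list:
    # One finding string per problem; an empty list means the device passes this check.
    v = parse_show_version(output)
    if v is None:
        return [f"{hostname}: no IOS version found in 'show version' output"]
    floor_text = baseline.get(v.train)
    if floor_text is None:
        return [f"{hostname}: runs {v.raw} on train '{v.train or 'mainline'}', not on the approved list"]
    floor = parse_show_version(floor_text)
    if v.sort_key() < floor.sort_key():
        return [f"{hostname}: runs {v.raw}, below approved minimum {floor.raw}"]
    return []

# Constructed sample captures (not real devices), keyed by hostname.
SAMPLES = {
    "edge-rtr-1": "Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T5, RELEASE SOFTWARE (fc1)",
    "core-rtr-1": "Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9-M), Version 12.4(25d), RELEASE SOFTWARE (fc1)",
    "lab-rtr-1": "Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9-M), Version 12.2(33)SXI4, RELEASE SOFTWARE (fc2)",
}
```

Run audit(host, output) over each captured device; the comparison is only meaningful within one train, which is why the baseline is keyed by train letters.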
Points of Access: there are many ways to access a Cisco router.
Console Port
Perhaps one of the safer ways, unless you're in a data center where your equipment has shared access. One of the ways we also see this become an issue is when a client has a computer connected, and that computer has the HyperTerminal session open but a poor password for Remote Desktop.... remember, you're only as secure as your weakest link.