User's Guide
Chapter 1 Cisco SDM Express
Supplementary Help
1-40
Cisco SDM Express 2.4 User’s Guide
OL-7141-05
particular subnetwork in the internetwork. ICMP mask reply messages are sent to
the device requesting the information by devices that have the requested
information. These messages can be used by an attacker to gain network mapping
information.
The configuration that will be delivered to the router to disable ICMP mask reply
messages is as follows:
no ip mask-reply
You can undo this fix using the Cisco SDM Security Audit feature. To learn how,
see the Security Audit online help in Cisco SDM. For more information, click
Cisco Router and Security Device Manager.
Set Minimum Password Length to Less Than 6 Characters
Cisco SDM Express configures your router to require a minimum password
length of 6 characters whenever possible. One method attackers use to crack
passwords is to try all possible combinations of characters until the password is
discovered. Longer passwords have exponentially more possible combinations of
characters, making this method of attack much more difficult.
This configuration change will require every password on the router, including
the user, enable, secret, console, AUX, tty, and vty passwords, to be at least 6
characters in length. This configuration change will be made only if the Cisco IOS
version running on your router supports the minimum password length feature.
The configuration that will be delivered to the router is as follows:
security passwords min-length <6>
Set Authentication Failure Rate to Less Than 3 Retries
Cisco SDM Express configures your router to lock access after 3 unsuccessful
login attempts whenever possible. One method of cracking passwords, called the
“dictionary” attack, is to use software that attempts to log in using every word in
a dictionary. This configuration causes access to the router to be locked for a
period of 15 seconds after 3 unsuccessful login attempts, disabling the dictionary
method of attack. In addition to locking access to the router, this configuration
causes a log message to be generated after 3 unsuccessful login attempts, warning
the administrator of the unsuccessful login attempts.
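The three hardening items above (ICMP mask reply, minimum password length, authentication failure rate) can be checked against a saved running-config before or after Cisco SDM Express applies them. The audit script below is an added example, not Cisco SDM code; SAMPLE_CONFIG is constructed for illustration, and the `security authentication failure rate <n> log` command form is assumed from IOS because this page does not print it.

```python
"""Audit a Cisco IOS running-config for the SDM Express items described above.
Added example, not Cisco SDM code; SAMPLE_CONFIG is constructed for illustration."""
import re

MIN_PASSWORD_LENGTH = 6  # threshold SDM Express applies
MAX_FAILURE_RATE = 3     # unsuccessful attempts before lockout, per the guide

SAMPLE_CONFIG = """\
security passwords min-length 4
security authentication failure rate 10 log
!
interface FastEthernet0/0
 ip mask-reply
!
interface FastEthernet0/1
 no ip mask-reply
!
"""


def audit_config(config: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings, iface, min_len, rate, logged = [], None, None, None, False
    for line in config.splitlines():
        if not line.startswith(" "):
            iface = None  # a non-indented line ends an interface block
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        # ICMP mask reply is off by default, so only an explicit enable is a finding
        elif iface and line.strip() == "ip mask-reply":
            findings.append(f"{iface}: ICMP mask reply enabled; fix with 'no ip mask-reply'")
        elif m := re.match(r"security passwords min-length (\d+)", line):
            min_len = int(m.group(1))
        # Command form assumed from IOS: the guide page does not print this one
        elif m := re.match(r"security authentication failure rate (\d+)( log)?", line):
            rate, logged = int(m.group(1)), m.group(2) is not None
    if min_len is None or min_len < MIN_PASSWORD_LENGTH:
        findings.append(f"password min-length is {min_len}; want >= {MIN_PASSWORD_LENGTH}")
    if rate is None or rate > MAX_FAILURE_RATE or not logged:
        findings.append(f"auth failure rate {rate} log={logged}; want <= {MAX_FAILURE_RATE} with log")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against `show running-config` output saved to a file to get one line per deviation from the settings the guide describes.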