GW1

Audit Date: Tue Oct 23 13:33:31 2001 GMT


Importance  Pass/Fail  Rule Name                         Instance   Line Number
3           pass       no ip http server
3           FAIL       no snmp-server                    n/a        449
3           pass       no ip source-route
3           pass       forbid SNMP community public
3           pass       forbid SNMP community private
3           pass       enable secret
3           FAIL       Inbound antispoof ACL definition  n/a        1
3           FAIL       Define VTY ACL                    n/a        1
3           pass       Apply inbound antispoof
2           pass       service password-encryption
2           pass       require line passwords
2           FAIL       ntp source                        n/a        1
2           pass       ntp server
2           pass       no service udp-small-servers
2           pass       no service tcp-small-servers
2           pass       no service finger
2           pass       no service config
2           FAIL       no ip proxy-arp                   POS6/0/0   84
2           FAIL       no ip proxy-arp                   Hssi4/1/0  79
2           pass       no ip identd
2           FAIL       no ip directed broadcast          POS6/0/0   84
2           FAIL       no ip directed broadcast          Hssi4/1/0  79
2           pass       no ip bootp server
2           FAIL       no cdp run                        n/a        1
2           pass       logging trap debugging
2           FAIL       logging console critical          n/a        1
2           pass       logging buffered
2           pass       vty transport telnet
2           FAIL       vty login                         vty        464
2           FAIL       vty exec-timeout                  vty        464
2           pass       enable logging
2           FAIL       console exec-timeout              con        459
2           FAIL       clock timezone GMT 0              n/a        1
2           pass       clock summer-time
2           FAIL       aux exec-timeout                  aux        462
2           pass       set syslog server
2           FAIL       set syslog facility               n/a        1
2           FAIL       service timestamps                n/a        1
2           FAIL       Apply VTY ACL                     vty        464
1           FAIL       aux no exec-timeout               aux        462
1           FAIL       aux no transport                  aux        462

Summary for GW1

#Rules  #Passed  #Failed  %Passed
39      21       18       53

Perfect Weighted Score  Actual Weighted Score  %Weighted Score
89                      48                     53

Note: PerfectWeightedScore is the sum of the importance values of all rules. ActualWeightedScore is the sum of the importance values of all rules passed, minus the importance value of each instance of a rule that failed.


Fix Script for GW1

! The following commands may be entered into the router to fix problems found.
! They must be entered in config mode (IOS).
! Fixes which require specific information (such as uplink interface device name or specific
! access list numbers) are listed but commented out.  Examine them, edit and uncomment.
!
! THESE CHANGES ARE ONLY RECOMMENDATIONS.
! CHECK THESE COMMANDS BY HAND BEFORE EXECUTING.  THEY MAY BE WRONG.  THEY MAY BREAK YOUR ROUTER.
! YOU ASSUME FULL RESPONSIBILITY FOR THE APPLICATION OF THESE CHANGES.
!

no snmp-server
!no access-list 107
!access-list 107 deny   ip 10.0.0.0 0.255.255.255 any
!access-list 107 deny   ip 127.0.0.0 0.255.255.255 any
!access-list 107 deny   ip 172.16.0.0 0.15.255.255 any
!access-list 107 deny   ip 192.168.0.0 0.0.255.255 any
!access-list 107 deny   ip EDIT-BY-HAND any
! YOUR INTERNAL ADDRS HERE ^^^^^^^^^^^^
!access-list 107 deny   ip any 10.0.0.0 0.255.255.255
!access-list 107 deny   ip any 127.0.0.0 0.255.255.255
!access-list 107 deny   ip any 172.16.0.0 0.15.255.255
!access-list 107 deny   ip any 192.168.0.0 0.0.255.255
!access-list 107 permit ip any any
!
! ACL 92 is a standard (1-99) ACL: entries take a source address only, no "ip" keyword
! or destination; an address with no wildcard mask matches that single host.
!no access-list 92
!access-list 92 permit 10.1.1.1
!access-list 92 permit EDIT-BY-HAND
! YOUR INTERNAL ADDRS  ^^^^^^^^^^^^
!
!ntp source EDIT-BY-HAND

int POS6/0/0
no ip proxy-arp
exit


int Hssi4/1/0
no ip proxy-arp
exit


int POS6/0/0
no ip directed-broadcast
exit


int Hssi4/1/0
no ip directed-broadcast
exit

no cdp run
logging console critical

line vty 0 4
login
exit


line vty 0 4
exec-timeout 5 0
exit


line con 0
exec-timeout 5 0
exit

clock timezone GMT 0

line aux 0
exec-timeout 0 10
exit

logging facility local1
service timestamps log datetime show-timezone

line vty 0 4
access-class 92 in
exit


line aux 0
no exec
exit


line aux 0
transport input none
exit