NETARMOR

Security Assessment Report

SAMPLE-RTR-01  |  router (Cisco)  |  Unknown
2026-03-05T18:27:33.549201 Report ID: 329d0978-9d33-4609-8267-00c8a64da76f NetArmor v2.1.0
CONFIDENTIAL
01

Executive Summary

Security Posture: HIGH RISK — Significant security gaps identified.
Overall Risk Score: 52
Compliance: 32% (22 of 68 applicable checks passed)
Critical findings: 2
High findings: 10
Failed / Total checks: 46 / 84
Secrets Found: 6
02

Risk Score Assessment

Overall Risk: 51.7
Compliance: 26.2% (22 passed out of all 84 controls, including the 14 N/A and 2 manual-review items; the 32.4% figure in the Compliance Score section counts only the 68 applicable checks)
Risk Level: High
CVSS Base Score: 0.0 (not meaningful here: this is a configuration review against CIS controls, and no CVSS-scored vulnerabilities were assessed)

Risk by Category

Network Security: 100% of findings
03

Severity Distribution

Critical: 2
High: 10
Medium: 25
Low: 9

CIS Level 1: ✓ 19 passed  |  ✗ 30 failed
CIS Level 2: ✓ 3 passed  |  ✗ 16 failed
04

Compliance Score

Overall Compliance: 32.4% (22 passed of 68 applicable checks)
Passed: 22
Failed: 46
Total Checks: 84
Manual Review: 2
N/A: 14
Errors: 0
05

CIS Findings Details

84 controls evaluated
Each entry below is laid out as: Control ID | CIS Ref (section of the CIS Cisco IOS XE 17.x Benchmark v2.2.1) | Title | Level | Severity | Status | Confidence, followed by the finding detail, any evidence lines (•), and the certainty score (0 to 100) on its own line.
RTR-1.1 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.4.2 Service password-encryption enabled L1 HIGH FAIL HIGH
Service password-encryption is not configured. Note that this command only applies the reversible type 7 obfuscation: it hides passwords from casual viewing of 'show running-config' but does not protect them from anyone who obtains the configuration file.
80
RTR-1.2 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.4.1 Enable secret set (not enable password) L1 CRITICAL FAIL HIGH
Enable password is also present alongside enable secret. IOS uses the secret when both are set, but the cleartext value remains in the configuration (and is reproduced below and in this report), so treat it as compromised.
  • enable password SamplePass123
95
RTR-1.3 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 3.1.1 No IP source-route L1 MEDIUM FAIL HIGH
'no ip source-route' not found in configuration.
80
RTR-1.4 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 3.1.2 No IP directed-broadcast (per-interface) L1 HIGH PASS MEDIUM
No interfaces have ip directed-broadcast enabled.
100
RTR-1.5 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.2.1 VTY transport input SSH only L1 CRITICAL FAIL HIGH
VTY lines without SSH-only transport: line vty 0 4, line vty 5 15.
  • line vty 0 4
  • line vty 5 15
65
RTR-1.6 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.2.2 VTY access-class configured L1 HIGH FAIL HIGH
VTY lines without access-class: line vty 0 4, line vty 5 15.
  • line vty 0 4
  • line vty 5 15
65
RTR-1.7 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.3.2 Login banner configured L1 LOW PASS HIGH
Login or MOTD banner is configured.
  • motd
100
RTR-1.8 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.2.1 Logging enabled L1 HIGH PASS HIGH
Logging is enabled.
  • logging buffered
  • logging trap
  • logging host
100
RTR-1.9 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.3.1.1 NTP configured with authentication L1 MEDIUM FAIL HIGH
NTP servers configured but authentication is not enabled.
  • ntp server
  • ntp server
100
RTR-1.10 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.1.2 Disable unnecessary services L1 MEDIUM PASS HIGH
Unnecessary services are disabled.
100
RTR-1.11 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.1.5 Console exec-timeout configured L1 MEDIUM PASS HIGH
Console exec-timeout is 5 minutes.
  • exec-timeout 5 0
100
RTR-1.12 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.1.6 VTY exec-timeout configured L1 MEDIUM FAIL HIGH
VTY exec-timeout issues: line vty 0 4: exec-timeout 30 min; line vty 5 15: exec-timeout 30 min.
  • line vty 0 4: exec-timeout 30 min
  • line vty 5 15: exec-timeout 30 min
65
RTR-1.13 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.1.3 CDP disabled on external interfaces L2 MEDIUM FAIL LOW
CDP is not explicitly disabled on any interface and 'no cdp run' is not configured. Manual review needed to determine external interfaces.
35
RTR-1.14 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.1.5 No IP HTTP server L1 HIGH PASS HIGH
IP HTTP server is disabled.
  • no ip http server
100
RTR-1.15 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.1.6 No IP HTTP secure-server L2 MEDIUM PASS HIGH
IP HTTPS server is disabled.
  • no ip http secure-server
100
RTR-1.16 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.1.1 AAA new-model enabled L1 HIGH PASS HIGH
AAA new-model is enabled.
  • aaa new-model
100
RTR-1.17 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.1.2 AAA authentication login configured L1 HIGH PASS HIGH
AAA authentication login is configured.
  • aaa authentication login
100
RTR-1.18 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.1.6 AAA accounting commands configured L2 MEDIUM FAIL HIGH
AAA accounting commands is not configured.
80
RTR-2.1 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.5.1 SNMPv3 only (no v1/v2c communities) L1 HIGH FAIL HIGH
SNMPv1/v2c communities are configured. Migrate to SNMPv3.
  • snmp-server community public
  • snmp-server community private
100
RTR-2.2 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.1.1.1.1 SSH version 2 L1 HIGH PASS HIGH
SSH version 2 is configured.
  • ip ssh version 2
100
RTR-2.3 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 3.3.2.1 OSPF authentication configured L1 HIGH N/A HIGH
No OSPF configuration found.
100
RTR-2.4 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 3.3.3.1 BGP neighbor authentication L1 HIGH N/A HIGH
No BGP configuration found.
100
RTR-2.5 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 3.3.1.1 EIGRP authentication configured L1 HIGH N/A HIGH
No EIGRP configuration found.
100
RTR-2.6 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 3.1.3 uRPF enabled on interfaces L2 MEDIUM FAIL MEDIUM
uRPF is not configured on any interface.
60
RTR-2.7 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 3.2.1 IP unreachables disabled per-interface L1 MEDIUM FAIL MEDIUM
IP unreachables not disabled on: GigabitEthernet0/0, GigabitEthernet0/1, GigabitEthernet0/2.
  • GigabitEthernet0/0
  • GigabitEthernet0/1
  • GigabitEthernet0/2
80
RTR-2.8 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 3.2.2 IP redirects disabled per-interface L1 MEDIUM FAIL MEDIUM
IP redirects not disabled on: GigabitEthernet0/0, GigabitEthernet0/1, GigabitEthernet0/2.
  • GigabitEthernet0/0
  • GigabitEthernet0/1
  • GigabitEthernet0/2
80
RTR-2.9 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 3.1.2 Proxy ARP disabled per-interface L1 MEDIUM FAIL MEDIUM
Proxy ARP not disabled on: GigabitEthernet0/0, GigabitEthernet0/2.
  • GigabitEthernet0/0
  • GigabitEthernet0/2
80
RTR-2.10 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.1.1 TCP keepalives enabled L1 LOW FAIL HIGH
Missing TCP keepalive configuration: service tcp-keepalives-in, service tcp-keepalives-out.
  • service tcp-keepalives-in
  • service tcp-keepalives-out
100
RTR-2.11 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.1.7 Control plane policing configured L2 MEDIUM FAIL MEDIUM
No control-plane block found. CoPP is not configured.
60
RTR-2.12 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.2.2 Service timestamps configured L1 LOW PASS HIGH
Service timestamps configured for both log and debug.
  • service timestamps
  • service timestamps
100
RTR-2.13 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.2.3 Aux port disabled L1 HIGH PASS HIGH
Aux port is disabled.
  • no exec
100
RTR-2.14 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.2.8 Login block-for configured L1 MEDIUM FAIL HIGH
Login block-for is not configured.
80
RTR-2.15 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.4.3 Password minimum length configured L1 MEDIUM FAIL HIGH
Password minimum length is not configured.
80
RTR-2.16 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.1.4 IP finger disabled L1 LOW PASS HIGH
Finger service is disabled.
100
RTR-2.17 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.1.6 Secure boot configured L2 MEDIUM MANUAL LOW
Cannot verify secure boot-image from running config alone. Run 'show secure bootset' to verify.
100
RTR-2.18 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.2.3 Archive logging configured L2 MEDIUM FAIL MEDIUM
No archive block found in configuration.
60
RTR-2.19 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 3.1.4 CEF enabled L1 LOW FAIL HIGH
CEF is not explicitly enabled. CEF is on by default on IOS XE and 'ip cef' is frequently absent from the running configuration; confirm the forwarding state with 'show ip cef summary' before treating this as a gap.
80
RTR-2.20 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.1.5 LLDP restricted L2 LOW PASS LOW
LLDP is not explicitly enabled (may be off by default).
100
RTR-2.21 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 3.2.2 Gratuitous ARP control L2 LOW MANUAL LOW
Gratuitous ARP controls require manual review based on network topology.
100
RTR-2.22 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.4.1 Management loopback interface L2 LOW FAIL MEDIUM
No loopback interface found. Configure one for management sourcing.
60
RTR-2.23 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.2.4 Console password configured L1 HIGH FAIL HIGH
Console missing: password. Because 'aaa new-model' is enabled (RTR-1.16), the console is authenticated by the default AAA login method list rather than by a line password; a line password is only consulted if that list includes the 'line' method.
  • password
95
RTR-2.24 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.4.3 Local users use secret not password L1 HIGH N/A HIGH
No local user accounts found.
100
RTR-2.25 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 3.1.3 DTP disabled on access ports L2 MEDIUM N/A HIGH
No access-mode switchports found.
100
RTR-3.1 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.1.3 AAA authentication enable default L1 HIGH FAIL HIGH
AAA authentication enable default is not configured.
80
RTR-3.2 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.1.4 AAA authentication login method-list for local login L1 HIGH PASS HIGH
AAA authentication login is configured without sole 'none' method. The only method is 'local', yet RTR-2.24 found no local user accounts, so the list currently has no credentials to check; create at least one 'username <name> privilege 15 secret <secret>' account (or add a AAA server group to the list) and verify console and VTY login behaviour before relying on it.
  • aaa authentication login default local
100
RTR-3.3 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.1.5 AAA authentication login for HTTP L1 HIGH FAIL HIGH
IP HTTP authentication is not set to AAA. Both the HTTP and HTTPS servers are currently disabled (RTR-1.14, RTR-1.15), so there is no present exposure; the setting matters if the web server is ever re-enabled.
80
RTR-3.4 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.1.6 AAA accounting exec configured L2 MEDIUM FAIL HIGH
AAA accounting exec is not configured.
80
RTR-3.5 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.1.7 AAA accounting connection configured L2 MEDIUM FAIL HIGH
AAA accounting connection is not configured.
80
RTR-3.6 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.1.9 AAA accounting network configured L2 MEDIUM FAIL HIGH
AAA accounting network is not configured.
80
RTR-3.7 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.1.10 AAA accounting system configured L2 MEDIUM FAIL HIGH
AAA accounting system is not configured.
80
RTR-3.8 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.1.8 AAA session-id common L2 LOW FAIL HIGH
AAA session-id common is not configured.
80
RTR-4.1 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.5.5 SNMP community strings restricted by ACL L1 HIGH FAIL HIGH
SNMP communities without ACL: 2 found.
  • snmp-server community public RO
  • snmp-server community private RW
100
RTR-4.2 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.5.2 SNMPv3 group configured with privacy L1 HIGH N/A HIGH
No SNMPv3 groups configured.
100
RTR-4.3 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.5.3 SNMPv3 user configured with auth and priv L1 HIGH N/A HIGH
No SNMPv3 users configured.
100
RTR-4.4 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.5.6 SNMP traps authentication L1 MEDIUM FAIL HIGH
SNMP authentication trap is not enabled.
80
RTR-5.1 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.1.1.1.2 SSH timeout configured L1 MEDIUM PASS HIGH
SSH timeout is set to 60 seconds.
  • ip ssh time-out 60
100
RTR-5.2 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.1.1.1.4 SSH authentication retries L1 MEDIUM PASS HIGH
SSH authentication-retries is set to 3.
  • ip ssh authentication-retries 3
100
RTR-5.3 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.1.1.1.3 SSH RSA key size >= 2048 L1 HIGH PASS MEDIUM
RSA key modulus is 2048 bits (inferred from the key-generation command below; confirm the installed key with 'show crypto key mypubkey rsa').
  • crypto key generate rsa modulus 2048
100
RTR-5.4 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.1.1.1.5 SSH source-interface configured L2 LOW FAIL HIGH
SSH source-interface is not configured.
80
RTR-5.5 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.1.1.2 SSH server algorithm encryption restricted L1 HIGH FAIL MEDIUM
SSH server encryption algorithms are not restricted (defaults include weak ciphers). The default lists are release-specific and do not appear in the running configuration; confirm the active cipher, MAC and key-exchange lists with 'show ip ssh'.
60
RTR-5.6 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.1.1.2 SSH server algorithm MAC restricted L1 HIGH FAIL MEDIUM
SSH server MAC algorithms are not restricted (defaults include weak HMACs).
60
RTR-5.7 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.1.1.2 SSH server algorithm key-exchange restricted L1 HIGH FAIL MEDIUM
SSH server key-exchange algorithms are not restricted.
60
RTR-6.1 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.3.1.3 NTP trusted-key configured L1 MEDIUM FAIL HIGH
NTP trusted-key is not configured.
80
RTR-6.2 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.3.1.4 NTP server key association L1 MEDIUM FAIL MEDIUM
NTP servers without key association: 2 found.
  • ntp server 192.168.1.20
  • ntp server 192.168.1.21
80
RTR-6.3 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.3.2 NTP source interface configured L2 LOW FAIL HIGH
NTP source interface is not configured.
80
RTR-6.4 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.3.2 NTP access-group restrict L2 MEDIUM FAIL MEDIUM
NTP access-group restriction is not configured.
60
RTR-7.1 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.4.2 Logging source-interface loopback L1 MEDIUM FAIL HIGH
Logging source-interface is not configured.
80
RTR-7.2 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.4.3 SNMP source-interface loopback L2 LOW FAIL HIGH
SNMP source-interface is not configured.
80
RTR-7.3 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.4.4 TACACS source-interface loopback L2 LOW N/A HIGH
TACACS source-interface is not configured (TACACS may not be in use).
100
RTR-8.1 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.3.1 EXEC banner configured L1 LOW FAIL HIGH
EXEC banner is not configured.
80
RTR-8.2 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.3.3 MOTD banner configured L1 LOW PASS HIGH
MOTD banner is configured.
  • banner motd
100
RTR-9.1 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.1.7 No service pad L1 LOW PASS MEDIUM
Service pad is not explicitly enabled (disabled by default).
100
RTR-9.2 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.1.4 No service DHCP L1 LOW FAIL HIGH
DHCP service is not explicitly disabled (enabled by default on IOS XE).
80
RTR-9.5 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 2.2.1 Logging buffered configured L1 MEDIUM PASS HIGH
Logging buffered is configured.
  • logging buffered
100
RTR-10.1 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 3.3.1.2 EIGRP named-mode authentication L1 HIGH N/A HIGH
No EIGRP configuration found.
100
RTR-10.2 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 3.3.1.3 EIGRP key-chain configured L1 HIGH N/A HIGH
No EIGRP configuration found.
100
RTR-10.3 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 3.3.1.4 EIGRP HMAC-SHA-256 authentication L1 HIGH N/A HIGH
No EIGRP configuration found.
100
RTR-11.1 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 3.3.2.2 OSPF interface message-digest authentication L1 HIGH N/A HIGH
No OSPF configuration found.
100
RTR-11.2 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 3.3.2.2 OSPF area authentication message-digest L1 HIGH N/A HIGH
No OSPF configuration found.
100
RTR-12.1 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 3.3.3.1 BGP all neighbors have password L1 HIGH N/A HIGH
No BGP configuration found.
100
RTR-13.1 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 3.2.2 IP mask-reply disabled per-interface L2 LOW PASS MEDIUM
No active interfaces have ip mask-reply enabled.
100
RTR-13.4 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.2.5 VTY transport output restricted L2 MEDIUM FAIL HIGH
VTY lines without transport output restriction: line vty 0 4, line vty 5 15.
  • line vty 0 4
  • line vty 5 15
65
RTR-13.5 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.2.9 Login on-failure log L1 MEDIUM FAIL HIGH
Login on-failure logging is not configured.
80
RTR-13.6 CIS Cisco IOS XE 17.x Benchmark v2.2.1 - 1.2.10 Login on-success log L1 MEDIUM FAIL HIGH
Login on-success logging is not configured.
80
06

Vulnerability Summary

46 failed controls, listed by severity
CRITICAL: 2  |  HIGH: 10  |  MEDIUM: 25  |  LOW: 9

CRITICAL — 2 findings

Control ID Title Level Confidence Details
RTR-1.2 Enable secret set (not enable password) L1 HIGH
Enable password is also present alongside enable secret.
  • enable password SamplePass123
RTR-1.5 VTY transport input SSH only L1 HIGH
VTY lines without SSH-only transport: line vty 0 4, line vty 5 15.
  • line vty 0 4
  • line vty 5 15

HIGH — 10 findings

Control ID Title Level Confidence Details
RTR-1.1 Service password-encryption enabled L1 HIGH
Service password-encryption is not configured.
RTR-1.6 VTY access-class configured L1 HIGH
VTY lines without access-class: line vty 0 4, line vty 5 15.
  • line vty 0 4
  • line vty 5 15
RTR-2.1 SNMPv3 only (no v1/v2c communities) L1 HIGH
SNMPv1/v2c communities are configured. Migrate to SNMPv3.
  • snmp-server community public
  • snmp-server community private
RTR-2.23 Console password configured L1 HIGH
Console missing: password.
  • password
RTR-3.1 AAA authentication enable default L1 HIGH
AAA authentication enable default is not configured.
RTR-3.3 AAA authentication login for HTTP L1 HIGH
IP HTTP authentication is not set to AAA.
RTR-4.1 SNMP community strings restricted by ACL L1 HIGH
SNMP communities without ACL: 2 found.
  • snmp-server community public RO
  • snmp-server community private RW
RTR-5.5 SSH server algorithm encryption restricted L1 MEDIUM
SSH server encryption algorithms are not restricted (defaults include weak ciphers).
RTR-5.6 SSH server algorithm MAC restricted L1 MEDIUM
SSH server MAC algorithms are not restricted (defaults include weak HMACs).
RTR-5.7 SSH server algorithm key-exchange restricted L1 MEDIUM
SSH server key-exchange algorithms are not restricted.

MEDIUM — 25 findings

Control ID Title Level Confidence Details
RTR-1.3 No IP source-route L1 HIGH
'no ip source-route' not found in configuration.
RTR-1.9 NTP configured with authentication L1 HIGH
NTP servers configured but authentication is not enabled.
  • ntp server
  • ntp server
RTR-1.12 VTY exec-timeout configured L1 HIGH
VTY exec-timeout issues: line vty 0 4: exec-timeout 30 min; line vty 5 15: exec-timeout 30 min.
  • line vty 0 4: exec-timeout 30 min
  • line vty 5 15: exec-timeout 30 min
RTR-1.13 CDP disabled on external interfaces L2 LOW
CDP is not explicitly disabled on any interface and 'no cdp run' is not configured. Manual review needed to determine external interfaces.
RTR-1.18 AAA accounting commands configured L2 HIGH
AAA accounting commands is not configured.
RTR-2.6 uRPF enabled on interfaces L2 MEDIUM
uRPF is not configured on any interface.
RTR-2.7 IP unreachables disabled per-interface L1 MEDIUM
IP unreachables not disabled on: GigabitEthernet0/0, GigabitEthernet0/1, GigabitEthernet0/2.
  • GigabitEthernet0/0
  • GigabitEthernet0/1
  • GigabitEthernet0/2
RTR-2.8 IP redirects disabled per-interface L1 MEDIUM
IP redirects not disabled on: GigabitEthernet0/0, GigabitEthernet0/1, GigabitEthernet0/2.
  • GigabitEthernet0/0
  • GigabitEthernet0/1
  • GigabitEthernet0/2
RTR-2.9 Proxy ARP disabled per-interface L1 MEDIUM
Proxy ARP not disabled on: GigabitEthernet0/0, GigabitEthernet0/2.
  • GigabitEthernet0/0
  • GigabitEthernet0/2
RTR-2.11 Control plane policing configured L2 MEDIUM
No control-plane block found. CoPP is not configured.
RTR-2.14 Login block-for configured L1 HIGH
Login block-for is not configured.
RTR-2.15 Password minimum length configured L1 HIGH
Password minimum length is not configured.
RTR-2.18 Archive logging configured L2 MEDIUM
No archive block found in configuration.
RTR-3.4 AAA accounting exec configured L2 HIGH
AAA accounting exec is not configured.
RTR-3.5 AAA accounting connection configured L2 HIGH
AAA accounting connection is not configured.
RTR-3.6 AAA accounting network configured L2 HIGH
AAA accounting network is not configured.
RTR-3.7 AAA accounting system configured L2 HIGH
AAA accounting system is not configured.
RTR-4.4 SNMP traps authentication L1 HIGH
SNMP authentication trap is not enabled.
RTR-6.1 NTP trusted-key configured L1 HIGH
NTP trusted-key is not configured.
RTR-6.2 NTP server key association L1 MEDIUM
NTP servers without key association: 2 found.
  • ntp server 192.168.1.20
  • ntp server 192.168.1.21
RTR-6.4 NTP access-group restrict L2 MEDIUM
NTP access-group restriction is not configured.
RTR-7.1 Logging source-interface loopback L1 HIGH
Logging source-interface is not configured.
RTR-13.4 VTY transport output restricted L2 HIGH
VTY lines without transport output restriction: line vty 0 4, line vty 5 15.
  • line vty 0 4
  • line vty 5 15
RTR-13.5 Login on-failure log L1 HIGH
Login on-failure logging is not configured.
RTR-13.6 Login on-success log L1 HIGH
Login on-success logging is not configured.

LOW — 9 findings

Control ID Title Level Confidence Details
RTR-2.10 TCP keepalives enabled L1 HIGH
Missing TCP keepalive configuration: service tcp-keepalives-in, service tcp-keepalives-out.
  • service tcp-keepalives-in
  • service tcp-keepalives-out
RTR-2.19 CEF enabled L1 HIGH
CEF is not explicitly enabled.
RTR-2.22 Management loopback interface L2 MEDIUM
No loopback interface found. Configure one for management sourcing.
RTR-3.8 AAA session-id common L2 HIGH
AAA session-id common is not configured.
RTR-5.4 SSH source-interface configured L2 HIGH
SSH source-interface is not configured.
RTR-6.3 NTP source interface configured L2 HIGH
NTP source interface is not configured.
RTR-7.2 SNMP source-interface loopback L2 HIGH
SNMP source-interface is not configured.
RTR-8.1 EXEC banner configured L1 HIGH
EXEC banner is not configured.
RTR-9.2 No service DHCP L1 HIGH
DHCP service is not explicitly disabled (enabled by default on IOS XE).
07

Remediation Guide

46 controls requiring remediation
HIGH RTR-1.1: Service password-encryption enabled

Service password-encryption is not configured.

Configure 'service password-encryption'. This only applies reversible type 7 obfuscation; store credentials with the 'secret' forms (enable secret, username ... secret) wherever the command offers them, so that real hashes are kept instead.
CRITICAL RTR-1.2: Enable secret set (not enable password)

Enable password is also present alongside enable secret.

An 'enable secret' is already configured, so remove the redundant cleartext entry with 'no enable password'. Because the value has been exposed in configuration backups and in this report, rotate the enable secret afterwards.
MEDIUM RTR-1.3: No IP source-route

'no ip source-route' not found in configuration.

Configure 'no ip source-route'.
CRITICAL RTR-1.5: VTY transport input SSH only

VTY lines without SSH-only transport: line vty 0 4, line vty 5 15.

Configure 'transport input ssh' under all line vty blocks. Make the change from a console session after confirming SSH works (RTR-2.2 passes), so that removing telnet cannot lock you out.
HIGH RTR-1.6: VTY access-class configured

VTY lines without access-class: line vty 0 4, line vty 5 15.

Define a standard ACL that permits only the management hosts or subnet, then configure 'access-class <ACL> in' under all line vty blocks.
MEDIUM RTR-1.9: NTP configured with authentication

NTP servers configured but authentication is not enabled.

Configure 'ntp authentication-key <id> md5 <key>', 'ntp authenticate', 'ntp trusted-key <id>' and 'ntp server <ip> key <id>' for each server (see RTR-6.1 and RTR-6.2); the same key must be configured on the NTP servers.
MEDIUM RTR-1.12: VTY exec-timeout configured

VTY exec-timeout issues: line vty 0 4: exec-timeout 30 min; line vty 5 15: exec-timeout 30 min.

Configure 'exec-timeout 10 0' under all line vty blocks.
MEDIUM RTR-1.13: CDP disabled on external interfaces

CDP is not explicitly disabled on any interface and 'no cdp run' is not configured. Manual review needed to determine external interfaces.

Configure 'no cdp enable' on external interfaces, or 'no cdp run' globally if CDP is not needed anywhere on the device.
MEDIUM RTR-1.18: AAA accounting commands configured

AAA accounting commands is not configured.

Configure 'aaa accounting commands 15 default start-stop group <server-group>'. Command accounting needs a TACACS+ (or RADIUS) server group to send records to; this configuration does not appear to contain one (RTR-7.3).
HIGH RTR-2.1: SNMPv3 only (no v1/v2c communities)

SNMPv1/v2c communities are configured. Migrate to SNMPv3.

Remove the 'snmp-server community' lines, starting with 'private RW' because it grants write access, and configure SNMPv3 with 'snmp-server group <group> v3 priv' and 'snmp-server user <user> <group> v3 auth sha <auth-pass> priv aes 128 <priv-pass>'.
MEDIUM RTR-2.6: uRPF enabled on interfaces

uRPF is not configured on any interface.

Configure 'ip verify unicast source reachable-via rx' on interfaces. Strict mode ('rx') drops legitimate traffic where routing is asymmetric; use loose mode ('reachable-via any') on such interfaces.
MEDIUM RTR-2.7: IP unreachables disabled per-interface

IP unreachables not disabled on: GigabitEthernet0/0, GigabitEthernet0/1, GigabitEthernet0/2.

Configure 'no ip unreachables' on each interface.
MEDIUM RTR-2.8: IP redirects disabled per-interface

IP redirects not disabled on: GigabitEthernet0/0, GigabitEthernet0/1, GigabitEthernet0/2.

Configure 'no ip redirects' on each interface.
MEDIUM RTR-2.9: Proxy ARP disabled per-interface

Proxy ARP not disabled on: GigabitEthernet0/0, GigabitEthernet0/2.

Configure 'no ip proxy-arp' on each interface.
LOW RTR-2.10: TCP keepalives enabled

Missing TCP keepalive configuration: service tcp-keepalives-in, service tcp-keepalives-out.

Configure 'service tcp-keepalives-in' and 'service tcp-keepalives-out'.
MEDIUM RTR-2.11: Control plane policing configured

No control-plane block found. CoPP is not configured.

Define class-maps for the control-plane traffic you expect (management, routing, ICMP), a policy-map that polices each class, and apply it with 'service-policy input <name>' under 'control-plane'. Start with transmit actions and review the class counters before enforcing drops.
MEDIUM RTR-2.14: Login block-for configured

Login block-for is not configured.

Configure 'login block-for <seconds> attempts <n> within <seconds>', and add 'login quiet-mode access-class <ACL>' so that management hosts can still connect during the quiet period.
MEDIUM RTR-2.15: Password minimum length configured

Password minimum length is not configured.

Configure 'security passwords min-length <length>'.
MEDIUM RTR-2.18: Archive logging configured

No archive block found in configuration.

Configure 'archive' with 'log config' and 'logging enable'.
LOW RTR-2.19: CEF enabled

CEF is not explicitly enabled.

Configure 'ip cef' (and 'ipv6 cef' if IPv6 is used), after checking 'show ip cef summary'; on IOS XE CEF is normally on by default even when the command is not shown.
LOW RTR-2.22: Management loopback interface

No loopback interface found. Configure one for management sourcing.

Configure a Loopback interface and use it as source for management protocols.
HIGH RTR-2.23: Console password configured

Console missing: password.

With 'aaa new-model' enabled, the console uses the default AAA login method list, and a password under 'line con 0' is consulted only if that list includes the 'line' method. Make sure the default list has working credentials (a local user with 'username <name> privilege 15 secret <secret>', or a AAA server group); a line password can additionally be configured as a fallback method.
HIGH RTR-3.1: AAA authentication enable default

AAA authentication enable default is not configured.

Configure 'aaa authentication enable default', for example 'aaa authentication enable default enable' on a local-only device, or with a server group listed before 'enable'.
HIGH RTR-3.3: AAA authentication login for HTTP

IP HTTP authentication is not set to AAA.

Configure 'ip http authentication aaa'. The HTTP and HTTPS servers are disabled (RTR-1.14, RTR-1.15), so this is defence in depth for the case where the web server is re-enabled.
MEDIUM RTR-3.4: AAA accounting exec configured

AAA accounting exec is not configured.

Configure 'aaa accounting exec default start-stop group tacacs+'.
MEDIUM RTR-3.5: AAA accounting connection configured

AAA accounting connection is not configured.

Configure 'aaa accounting connection default start-stop group tacacs+'.
MEDIUM RTR-3.6: AAA accounting network configured

AAA accounting network is not configured.

Configure 'aaa accounting network default start-stop group tacacs+'.
MEDIUM RTR-3.7: AAA accounting system configured

AAA accounting system is not configured.

Configure 'aaa accounting system default start-stop group tacacs+'.
The four accounting commands above assume a TACACS+ server group; this configuration does not appear to contain one (authentication is local only, RTR-3.2, and RTR-7.3 suggests TACACS+ is not in use). Define the servers with 'tacacs server <name>' and 'aaa group server tacacs+ <group>' first, or substitute the RADIUS group that is in use.
LOW RTR-3.8: AAA session-id common

AAA session-id common is not configured.

Configure 'aaa session-id common'.
HIGH RTR-4.1: SNMP community strings restricted by ACL

SNMP communities without ACL: 2 found.

The preferred fix is the SNMPv3 migration in RTR-2.1. If a community must remain during the transition, bind it to an ACL ('snmp-server community <string> RO <ACL>'), make it read-only, and remove the 'private RW' community immediately.
MEDIUM RTR-4.4: SNMP traps authentication

SNMP authentication trap is not enabled.

Configure 'snmp-server enable traps snmp authentication'.
LOW RTR-5.4: SSH source-interface configured

SSH source-interface is not configured.

Configure 'ip ssh source-interface Loopback0'.
HIGH RTR-5.5: SSH server algorithm encryption restricted

SSH server encryption algorithms are not restricted (defaults include weak ciphers).

Configure 'ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr' (add the GCM ciphers if 'ip ssh server algorithm encryption ?' lists them on your release). Confirm that your SSH clients and automation support the restricted set, and apply the change from the console.
HIGH RTR-5.6: SSH server algorithm MAC restricted

SSH server MAC algorithms are not restricted (defaults include weak HMACs).

Configure 'ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512'.
HIGH RTR-5.7: SSH server algorithm key-exchange restricted

SSH server key-exchange algorithms are not restricted.

Configure 'ip ssh server algorithm kex' with the strongest exchange your release offers ('ip ssh server algorithm kex ?'); prefer ecdh-sha2-nistp256 or stronger, and keep diffie-hellman-group14-sha1 only as the minimum acceptable option for older clients.
MEDIUM RTR-6.1: NTP trusted-key configured

NTP trusted-key is not configured.

Configure 'ntp trusted-key <key-id>'.
MEDIUM RTR-6.2: NTP server key association

NTP servers without key association: 2 found.

Configure 'ntp server <IP> key <key-id>'.
LOW RTR-6.3: NTP source interface configured

NTP source interface is not configured.

Configure 'ntp source Loopback0'.
MEDIUM RTR-6.4: NTP access-group restrict

NTP access-group restriction is not configured.

Configure 'ntp access-group peer <ACL>' or 'ntp access-group serve-only <ACL>'.
MEDIUM RTR-7.1: Logging source-interface loopback

Logging source-interface is not configured.

Configure 'logging source-interface Loopback0'.
LOW RTR-7.2: SNMP source-interface loopback

SNMP source-interface is not configured.

Configure 'snmp-server source-interface traps Loopback0'.
LOW RTR-8.1: EXEC banner configured

EXEC banner is not configured.

Configure 'banner exec'.
LOW RTR-9.2: No service DHCP

DHCP service is not explicitly disabled (enabled by default on IOS XE).

Configure 'no service dhcp', but only if the router does not act as a DHCP server or relay; the command disables both functions.
MEDIUM RTR-13.4: VTY transport output restricted

VTY lines without transport output restriction: line vty 0 4, line vty 5 15.

Configure 'transport output ssh' or 'transport output none' under VTY lines.
MEDIUM RTR-13.5: Login on-failure log

Login on-failure logging is not configured.

Configure 'login on-failure log'.
MEDIUM RTR-13.6: Login on-success log

Login on-success logging is not configured.

Configure 'login on-success log'.
08

Sensitive Data Findings

6 item(s) detected
Type | Severity | Line (in the assessed configuration file) | Masked Value | Context
Password | MEDIUM | 19 | (blank) | (blank)
Password | MEDIUM | 22 | (blank) | (blank)
Password | MEDIUM | 23 | (blank) | (blank)
Password | MEDIUM | 24 | (blank) | (blank)
SNMP Community | MEDIUM | 70 | (blank) | (blank)
SNMP Community | MEDIUM | 71 | (blank) | (blank)
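The scanner below is an added illustration of this section and of finding RTR-1.1; it is not NetArmor's code. It walks a small constructed IOS configuration excerpt (the type 7 string it contains is the widely published encoding of the word "cisco"), reports each secret-bearing line with a masked value, and decodes type 7 values on the way to show that 'service password-encryption' is reversible obfuscation rather than protection. The regular expressions and the masking rule are the author's choices, not the tool's.

```python
import re

# Fixed, public key used by the IOS type 7 scheme: the reason type 7 only obfuscates.
_T7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Constructed sample config (not the assessed device). '060506324F41' is the
# well-known type 7 encoding of 'cisco'.
SAMPLE = """\
enable secret 9 $9$REDACTED
enable password SamplePass123
username admin password 7 060506324F41
snmp-server community public RO
snmp-server community private RW
line con 0
 password 7 060506324F41
"""

# Secret-bearing lines: an optional encoding type (0 = cleartext, 7 = obfuscated)
# followed by the value. Hashed 'secret' forms are deliberately not matched.
PASSWORD_LINE = re.compile(
    r"^\s*(?:enable password|password|username \S+ password)\s+(?:([07])\s+)?(\S+)\s*$")
COMMUNITY_LINE = re.compile(r"^\s*snmp-server community\s+(\S+)")


def type7_decode(enc):
    """Reverse type 7: two-digit decimal seed, then hex bytes XORed with the key."""
    seed, data = int(enc[:2]), bytes.fromhex(enc[2:])
    return bytes(b ^ _T7_KEY[(seed + i) % len(_T7_KEY)]
                 for i, b in enumerate(data)).decode()


def type7_encode(plain, seed=6):
    """Forward direction, to show the scheme is the same fixed-key XOR both ways."""
    out = bytes(ord(c) ^ _T7_KEY[(seed + i) % len(_T7_KEY)]
                for i, c in enumerate(plain))
    return f"{seed:02d}{out.hex().upper()}"


def mask(value):
    """What a report should print instead of the value: two characters, then stars."""
    return (value[:2] + "*" * (len(value) - 2)) if len(value) > 4 else "****"


def scan(config):
    """Return one dict per secret-bearing line: line number, type, masked value,
    and how the value was stored (cleartext or reversible type 7)."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = PASSWORD_LINE.match(line)
        if m:
            enc_type, value = m.group(1), m.group(2)
            if enc_type == "7":
                plain, storage = type7_decode(value), "type 7 (reversible)"
            else:
                plain, storage = value, "cleartext"
            findings.append({"line": lineno, "type": "Password",
                             "masked": mask(plain), "storage": storage})
            continue
        m = COMMUNITY_LINE.match(line)
        if m:
            findings.append({"line": lineno, "type": "SNMP Community",
                             "masked": mask(m.group(1)), "storage": "cleartext"})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f['line']:>3}  {f['type']:<15} {f['masked']:<16} {f['storage']}")
```

Running it prints the same kind of table as this section but with the masked value filled in; the type 7 entries are reported as recoverable, which is the point of RTR-1.1's caveat.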
10

Assessment Methodology

This assessment was performed using automated configuration analysis against the CIS Benchmarks framework. Each control was evaluated by parsing the device configuration and comparing settings against CIS-recommended values. Findings are classified by CIS Level (L1 = essential baseline, L2 = defense-in-depth) and severity (Critical, High, Medium, Low). Each finding also carries a confidence rating and a numeric certainty score; lower values mark controls whose state cannot be fully determined from the configuration text alone (for example, platform defaults that do not appear in the running configuration, or interface roles that need manual review). Risk scores are computed using a weighted model that considers severity, CIS level, and finding category.
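To make the evaluation method concrete, and to show the remediation guide applied end to end, here is an added example (not NetArmor's code): a small re-implementation of a subset of the controls in this report, run over two constructed IOS XE configuration excerpts. The first excerpt reproduces the failing VTY, enable-password, SNMP community and per-interface ICMP findings; the second is the same excerpt after the corresponding remediation steps, and yields no findings. The ACL name MGMT-ACL, the SNMPv3 group name and the addresses are placeholders.

```python
import re

# Constructed sample (not a real device): reproduces the failing VTY, enable
# password, SNMP community and per-interface controls from this report.
WEAK = """\
enable secret 9 $9$REDACTED
enable password SamplePass123
snmp-server community public RO
snmp-server community private RW
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 10.0.1.1 255.255.255.0
 no ip proxy-arp
line vty 0 4
 exec-timeout 30 0
 transport input telnet ssh
line vty 5 15
 exec-timeout 30 0
"""

# Constructed sample: the same excerpt after applying the remediation guide
# (RTR-1.2, 1.5, 1.6, 1.12, 2.1, 2.7, 2.8, 2.9, 4.1). Names are placeholders.
HARDENED = """\
enable secret 9 $9$REDACTED
ip access-list standard MGMT-ACL
 permit 10.10.10.0 0.0.0.255
snmp-server group NETMON v3 priv
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
interface GigabitEthernet0/1
 ip address 10.0.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
line vty 0 4
 access-class MGMT-ACL in
 exec-timeout 10 0
 transport input ssh
 transport output none
line vty 5 15
 access-class MGMT-ACL in
 exec-timeout 10 0
 transport input ssh
 transport output none
"""

SNMP_COMMUNITY = re.compile(r"snmp-server community (\S+)(?:\s+(RO|RW))?(?:\s+(\S+))?")
INTERFACE_CHECKS = (("no ip unreachables", "RTR-2.7"),
                    ("no ip redirects", "RTR-2.8"),
                    ("no ip proxy-arp", "RTR-2.9"))


def parse(config):
    """Split an IOS running-config into (header, [child commands]) blocks.
    IOS indents sub-mode commands with one space; '!' separators are skipped."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def assess(config):
    """Return [(control_id, detail)] for the report controls re-implemented here."""
    findings = []
    for header, body in parse(config):
        if header.startswith("enable password"):
            findings.append(("RTR-1.2", "cleartext 'enable password' present"))
        m = SNMP_COMMUNITY.match(header)
        if m:
            findings.append(("RTR-2.1", f"SNMPv1/v2c community '{m.group(1)}'"))
            if not m.group(3):   # nothing after RO/RW: no ACL bound
                findings.append(("RTR-4.1", f"community '{m.group(1)}' has no ACL"))
        if header.startswith("interface "):
            for cmd, cid in INTERFACE_CHECKS:
                if cmd not in body:
                    findings.append((cid, f"{header}: missing '{cmd}'"))
        if header.startswith("line vty"):
            transports = [c for c in body if c.startswith("transport input")]
            if transports != ["transport input ssh"]:   # absent or anything but ssh alone
                findings.append(("RTR-1.5", f"{header}: transport input {transports or 'not set'}"))
            if not any(c.startswith("access-class ") and "in" in c.split() for c in body):
                findings.append(("RTR-1.6", f"{header}: no inbound access-class"))
            t = next((c.split() for c in body if c.startswith("exec-timeout")),
                     ["exec-timeout", "10", "0"])        # IOS default when unset
            mins, secs = int(t[1]), (int(t[2]) if len(t) > 2 else 0)
            if (mins == 0 and secs == 0) or mins > 10:   # '0 0' disables the timeout
                findings.append(("RTR-1.12", f"{header}: exec-timeout {mins} min"))
    return findings
```

Calling assess(WEAK) returns sixteen findings across nine control IDs, one per affected line or interface, as the report does; assess(HARDENED) returns an empty list. The parser treats one leading space as a sub-mode command, which is how IOS writes its running configuration, so the same functions work on a real 'show running-config' capture.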

Standards Referenced

  • CIS Benchmarks — Center for Internet Security Configuration Guidelines
  • NIST SP 800-115 — Technical Guide to Information Security Testing and Assessment
  • NIST SP 800-53 — Security and Privacy Controls for Information Systems