Hardening Configs with AI Review

Lesson 7 of 10

The Scenario

Your organization needs to comply with CIS benchmarks for network devices. The benchmark document is 200 pages. You need to check if your router config meets the standard — and fix what does not.


The Prompt

Review this Cisco IOS-XE running configuration against CIS security benchmarks. For each check:
- PASS or FAIL
- The specific CIS recommendation
- The fix command if FAIL

Focus on the top 20 most critical checks:

[Paste your sanitized running config here - remove passwords first]

What AI Gives You

A checklist like:

  • PASS: service password-encryption is configured
  • FAIL: no ip http server is missing — HTTP server is enabled (CIS 1.1.3). Fix: no ip http server
  • FAIL: SNMP v1/v2 community strings found — CIS requires SNMP v3 only. Fix: remove community strings, configure SNMP v3
  • FAIL: no ip source-route is missing (CIS 1.3.1). Fix: no ip source-route
  • PASS: login block-for is configured for brute force protection

Review and Validate

  • Sanitize your config before pasting — remove actual passwords and any IP addresses you want to keep private
  • CIS benchmarks update regularly — AI may reference older versions. Download the latest from cisecurity.org
  • Not all checks apply — some CIS recommendations conflict with specific network requirements

Try It Yourself

Pull the running config from a router, sanitize it (replace real passwords with "REDACTED"), and paste into AI for a CIS review.
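One way to do the sanitizing step with a script instead of by hand, as an added example (not part of the original lesson). It redacts secret values, including `password 7` strings, which are reversible obfuscation rather than hashes, and swaps IPv4 addresses for consistent placeholders. The rule list, the `IP_n` placeholder format and the sample config are assumptions made for illustration; extend the rules to match your own configs.

```python
import re

# Constructed sample config (not from a real device); all values are made up.
SAMPLE = """\
service password-encryption
enable secret 9 $9$CONSTRUCTED.HASH
username admin privilege 15 secret 5 $1$abcd$CONSTRUCTED
snmp-server community s3cr3tRO RO
logging host 192.0.2.10
ntp server 192.0.2.10
interface GigabitEthernet0/0/0
 ip address 198.51.100.1 255.255.255.252
line vty 0 4
 password 7 0822455D0A16
"""

# Keep the keyword so the review still sees the feature is configured;
# replace only the secret value. Illustrative rule list, not exhaustive.
SECRET_RULES = [
    (re.compile(r"^(\s*enable (?:secret|password)) .+$"), r"\1 REDACTED"),
    (re.compile(r"^(\s*username \S+ .*?\b(?:secret|password)) .+$"), r"\1 REDACTED"),
    (re.compile(r"^(\s*(?:password|key)) .+$"), r"\1 REDACTED"),
    (re.compile(r"^(\s*snmp-server community) \S+"), r"\1 REDACTED"),
]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
LEFTOVER = re.compile(r"\b(?:secret|password|community|key)\b\s+(?!REDACTED)\S")

def sanitize(config, hide_ips=True):
    """Return the config with secret values redacted and IPs pseudonymized."""
    ip_map = {}
    def swap_ip(match):
        ip = match.group(0)
        if ip.startswith(("255.", "0.")):  # heuristic: netmask or wildcard mask
            return ip
        # Same address always maps to the same placeholder, so ACL, logging
        # and interface lines can still be correlated in the review.
        return ip_map.setdefault(ip, f"IP_{len(ip_map) + 1}")
    out = []
    for line in config.splitlines():
        for pattern, repl in SECRET_RULES:
            line, hits = pattern.subn(repl, line)
            if hits:
                break
        out.append(IPV4.sub(swap_ip, line) if hide_ips else line)
    return "\n".join(out)

def needs_manual_review(sanitized):
    """Lines that still carry a secret-looking keyword with an unredacted value."""
    return [line for line in sanitized.splitlines() if LEFTOVER.search(line)]

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Run `needs_manual_review()` on the output before pasting: any line it returns matched no rule and still needs redacting by hand.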
