Skip to main content

Checklist for switch security

This is the switch security checklist published by NSA in Cisco IOS Switch Security Configuration Guide. (2004)
  • Include section on switches in network security policy.
  • Control physical access to the switch to only authorized personnel.
  • Install the latest stable version of the IOS on each switch.
  • Create an “enable secret” password.
  • Manage switches out-of-band (separated from data traffic). If out-of-band management is not feasible, then dedicate a separate VLAN number for in-band management.
  • Set timeouts for sessions and configure privilege levels.
  • Configure a banner to state that unauthorized access is prohibited.
  • Disable unnecessary network services (e.g., tcp small servers, HTTP).
  • Enable necessary network services and configure these services securely.
  • Utilize SSH instead of telnet and set a strong password for SSH.
  • If SNMP is necessary, set a strong community string for SNMP.
  • Implement port security to limit access based on MAC address. Disable auto-trunking on ports.
  • Utilize the switch’s port mirroring capability for IDS access.
  • Disable unused switch ports and assign them a VLAN number not in use.
  • Assign trunk ports a native VLAN number that is not use by any other port.
  • Limit the VLANs that can be transported over a trunk to only those that are necessary.
  • Utilize static VLAN configuration.
  • If possible, disable VTP. Otherwise, set the following for VTP: management domain, password and pruning. Then set VTP into transparent mode.
  • Use access control lists where appropriate.
  • Enable logging and send logs to a dedicated, secure log host.
  • Configure logging to include accurate time information, using NTP and timestamps.
  • Review logs for possible incidents and archive them in accordance with the security policy.
  • Use AAA features for local and remote access to switch.
  • Maintain the switch configuration file off-line and limit access to it to only authorized administrators. The configuration file should contain descriptive comments for the different settings to provide perspective.

     
    Above is a mindmap of the switch security checklist.

Comments

Popular posts from this blog

Why Madge Networks, the token-ring company, went titsup

There I was shooting the breeze with an old mate. The conversation turned to why Madge Networks which I wrote about here went titsup. My analysis is that Madge Networks had a solution and decided to go out and find a problem. They deferred to more incorrect strategic technology choices. The truth of the matter is that when something goes titsup, its not because of one reason only, but a myriad of them all contributing to the negative consequence. There are the immediate or visual ones, which are underpinned by intermediate ones and finally after digging right down, there are the root causes. There is never a singular root cause for anything but I'll present my opinion and encourage everyone else to chip in. All of them together are more likely the reason the company went titsup. As far as technology brainfarts go there is no better example than Kodak . They invented the digital camera that killed them. However, they were so focused on milking people in their leg

Flawed "ITIL aligned"​ Incident Management

Many "ITIL aligned" service desk tools have flawed incident management. The reason is that incidents are logged with a time association and some related fields to type in some gobbledygook. The expanded incident life cycle is not enforced and as a result trending and problem management is not possible. Here is a fictitious log of an incident at PFS, a financial services company, which uses CGTSD, an “ITIL-aligned” service desk tool. Here is the log of an incident record from this system: Monday, 12 August: 09:03am (Bob, the service desk guy): Alice (customer in retail banking) phoned in. Logged an issue. Unable to assist over the phone (there goes our FCR), will escalate to second line. 09:04am (Bob, the service desk guy): Escalate the incident to Charles in second line support. 09:05am (Charles, technical support): Open incident. 09:05am (Charles, technical support): Delayed incident by 1 day. Tuesday, 13 August: 10:11am (Charles, technical support): Phoned Alice.

Updated: Articles by Ron Bartels published on iot for all

  These are articles that I published during the course of the past year on one of the popular international Internet of Things publishing sites, iot for all .  These are articles that I published during the course of the past year on one of the popular international Internet of Things publishing sites, iot for all . Improving Data Center Reliability With IoT Reliability and availability are essential to data centers. IoT can enable better issue tracking and data collection, leading to greater stability. Doing the Work Right in Data Centers With Checklists Data centers are complex. Modern economies rely upon their continuous operation. IoT solutions paired with this data center checklist can help! IoT Optimi