Checklist for switch security

This is the switch security checklist published by the NSA in its Cisco IOS Switch Security Configuration Guide (2004).
  • Include section on switches in network security policy.
  • Control physical access to the switch to only authorized personnel.
  • Install the latest stable version of the IOS on each switch.
  • Create an “enable secret” password.
  • Manage switches out-of-band (separated from data traffic). If out-of-band management is not feasible, then dedicate a separate VLAN number for in-band management.
  • Set timeouts for sessions and configure privilege levels.
  • Configure a banner to state that unauthorized access is prohibited.
  • Disable unnecessary network services (e.g., tcp small servers, HTTP).
  • Enable necessary network services and configure these services securely.
  • Utilize SSH instead of telnet and set a strong password for SSH.
  • If SNMP is necessary, set a strong community string for SNMP.
  • Implement port security to limit access based on MAC address. Disable auto-trunking on ports.
  • Utilize the switch’s port mirroring capability for IDS access.
  • Disable unused switch ports and assign them a VLAN number not in use.
  • Assign trunk ports a native VLAN number that is not used by any other port.
  • Limit the VLANs that can be transported over a trunk to only those that are necessary.
  • Utilize static VLAN configuration.
  • If possible, disable VTP. Otherwise, set the following for VTP: management domain, password and pruning. Then set VTP into transparent mode.
  • Use access control lists where appropriate.
  • Enable logging and send logs to a dedicated, secure log host.
  • Configure logging to include accurate time information, using NTP and timestamps.
  • Review logs for possible incidents and archive them in accordance with the security policy.
  • Use AAA features for local and remote access to the switch.
  • Maintain the switch configuration file off-line and limit access to it to only authorized administrators. The configuration file should contain descriptive comments for the different settings to provide perspective.
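Most of the items above map to a few lines of IOS configuration, and the easiest way to keep them from drifting is to audit the saved configuration file (item 27) against the list. The script below is an added example written for this page, not code from the NSA guide: it parses a constructed sample running-config (hostname, VLAN numbers and the 192.0.2.x addresses are placeholders) and reports which checklist items the config does not satisfy. The check names and the regular expressions are this example's own; they cover the common IOS command forms, not every platform variant.

```python
"""Audit a Cisco IOS switch config against the NSA switch checklist items.

Added example (not from the NSA guide). Check names, patterns and the
sample config are constructed for illustration.
"""
import re

# Constructed sample running-config: one way the checklist items look in
# IOS syntax. Hostname, VLANs and addresses are placeholders.
SAMPLE_CONFIG = """\
hostname sw-access-1
service timestamps log datetime msec localtime show-timezone
no service tcp-small-servers
no service udp-small-servers
no ip http server
no ip http secure-server
enable secret 5 $1$PLACEHOLDERHASH
aaa new-model
aaa authentication login default group tacacs+ local
ip domain-name example.net
ip ssh version 2
banner motd ^C Unauthorized access is prohibited. ^C
vtp mode transparent
logging host 192.0.2.10
ntp server 192.0.2.20
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
interface GigabitEthernet0/3
 switchport access vlan 999
 shutdown
!
line vty 0 4
 exec-timeout 10 0
 transport input ssh
!
"""


def parse_blocks(text):
    """Split an IOS config into (top-level command, indented sub-commands)."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        elif not raw.startswith(" "):
            blocks.append((raw.strip(), []))
    return blocks


def audit_config(text):
    """Return {check_name: result}; booleans are pass/fail, lists are findings."""
    blocks = parse_blocks(text)
    top = [h for h, _ in blocks]

    def has(pattern):
        # Patterns anchor at line start, so 'no ip http server' never matches.
        return any(re.match(pattern, h) for h in top)

    results = {
        "enable_secret": has(r"enable secret "),
        "small_servers_disabled": not has(r"service (tcp|udp)-small-servers"),
        "http_server_disabled": not has(r"ip http (secure-)?server"),
        "banner_present": has(r"banner (motd|login) "),
        "ssh_v2": has(r"ip ssh version 2"),
        "vtp_transparent": has(r"vtp mode transparent"),
        "remote_syslog": has(r"logging host "),
        "ntp_configured": has(r"ntp server "),
        "log_timestamps": has(r"service timestamps log datetime"),
        "aaa_enabled": has(r"aaa new-model"),
        "no_default_snmp_community": not has(r"snmp-server community (public|private)\b"),
    }
    vty = [c for h, c in blocks if h.startswith("line vty")]
    results["vty_ssh_only"] = bool(vty) and all("transport input ssh" in c for c in vty)
    results["vty_exec_timeout"] = bool(vty) and all(
        any(l.startswith("exec-timeout") and l != "exec-timeout 0 0" for l in c) for c in vty)

    unhardened, unparked = [], []
    for h, c in blocks:
        if not h.startswith("interface "):
            continue
        name = h.split(" ", 1)[1]
        if "shutdown" in c:  # disabled port: must sit in a VLAN other than 1
            vlan = next((l.split()[-1] for l in c if l.startswith("switchport access vlan")), "1")
            if vlan == "1":
                unparked.append(name)
        elif "switchport mode trunk" in c:  # trunk: unused native VLAN, pruned list, no DTP
            native = next((l.split()[-1] for l in c if l.startswith("switchport trunk native vlan")), "1")
            allowed = any(l.startswith("switchport trunk allowed vlan") for l in c)
            if native == "1" or not allowed or "switchport nonegotiate" not in c:
                unhardened.append(name)
        elif "switchport mode access" not in c or "switchport port-security" not in c:
            unhardened.append(name)  # access port left dynamic or without port security
    results["ports_hardened"] = not unhardened
    results["unhardened_interfaces"] = unhardened
    results["unused_ports_parked"] = not unparked
    return results


def failing_checks(text):
    """Sorted names of the boolean checks that did not pass."""
    return sorted(k for k, v in audit_config(text).items() if v is False)


if __name__ == "__main__":
    print(failing_checks(SAMPLE_CONFIG) or "all checks pass")
```

Run against a config exported with `show running-config`, the script prints the failing check names, and `audit_config(...)["unhardened_interfaces"]` names the ports that are still in dynamic trunking mode, lack port security, or carry native VLAN 1 on a trunk. Items the text leaves to policy (physical access, log review, off-line config custody) have no automated check here.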

[Mindmap of the switch security checklist (image not reproduced here).]