This is the switch security checklist published by NSA in Cisco IOS Switch Security Configuration Guide. (2004)
- Include section on switches in network security policy.
- Control physical access to the switch to only authorized personnel.
- Install the latest stable version of the IOS on each switch.
- Create an “enable secret” password.
- Manage switches out-of-band (separated from data traffic). If out-of-band management is not feasible, then dedicate a separate VLAN number for in-band management.
- Set timeouts for sessions and configure privilege levels.
- Configure a banner to state that unauthorized access is prohibited.
- Disable unnecessary network services (e.g., tcp small servers, HTTP).
- Enable necessary network services and configure these services securely.
- Utilize SSH instead of telnet and set a strong password for SSH.
- If SNMP is necessary, set a strong community string for SNMP.
- Implement port security to limit access based on MAC address. Disable auto-trunking on ports.
- Utilize the switch’s port mirroring capability for IDS access.
- Disable unused switch ports and assign them a VLAN number not in use.
- Assign trunk ports a native VLAN number that is not use by any other port.
- Limit the VLANs that can be transported over a trunk to only those that are necessary.
- Utilize static VLAN configuration.
- If possible, disable VTP. Otherwise, set the following for VTP: management domain, password and pruning. Then set VTP into transparent mode.
- Use access control lists where appropriate.
- Enable logging and send logs to a dedicated, secure log host.
- Configure logging to include accurate time information, using NTP and timestamps.
- Review logs for possible incidents and archive them in accordance with the security policy.
- Use AAA features for local and remote access to switch.
Post a Comment