8 Replies Latest reply on Aug 17, 2014 4:25 PM by sevier.toby

    "must haves" for hardening your switches

    donglee

      Hello folks

      I'm currently reviewing Cisco's best practices for device hardening and it's a long read!

      Whilst I work through it, I'd like to ask your "must haves" for hardening your switches. I have a few obvious ones in mind, such as disabling Telnet access, but really I'd like to hear what everyone else does to harden their devices.

      The switch I'm really interested in hardening is the WS-C2960S-24TS-L, so I'd be especially interested in hearing from anyone who uses these ones.

      Thank you in advance

        • Re: "must haves" for hardening your switches
          dl-it-networkadmin

          no service pad
          service password-encryption
          enable secret xxxxxxx
          username xxxxxx secret xxxxxxx
          aaa new-model
          ! user authentication and authorization based on your setup and policies

          no ip domain-lookup

          login block-for 100 attempts 15 within 100
          login on-failure log every 3
          login on-success log
          vtp mode off

          no ip http server
          no ip http secure-server

          access-list 99 remark SNMP ACL
          access-list 99 permit x.x.x.x
          ! replace x.x.x.x with your SNMP host

          snmp-server community xxxxxxxxxxxxxx RO 99
          snmp-server location xxxxxxxxxxxxxxxxxx
          snmp-server contact xxxxxxxxxxxxxxxxxxxx

          logging x.x.x.x

          ntp server x.x.x.x

          banner exec
          banner login

          line con 0
          exec-timeout <minutes>
          password xxxxxxx

          line vty 0 15
          exec-timeout 15
          ! the default is 10 minutes
          password xxxxxxx
          transport input ssh

          All the ports start with shut down and enable as needed.
          switchport mode access
          spanning-tree portfast
          spanning-tree bpduguard enable
          shut

          Do not use VLAN1 if possible.

            • Re: "must haves" for hardening your switches
              CourtesyIT

              Every switchport should have one of the following:

              interface [type][X/X]
              description ### Unused Port ###
              switchport mode access
              switchport access vlan [null vlan like 1002]
              switchport port-security
              switchport port-security mac-address sticky
              switchport port-security maximum 1  [this is the default and you should only allow one per port]
              shut

              or

              interface [type][X/X]
              description [try to make the name useful so that when email alerts go out the admin has valuable info]
              switchport mode access
              switchport access vlan [vlan]
              switchport port-security
              switchport port-security mac-address sticky
              switchport port-security maximum 1  [this is the default and you should only allow one per port]

              or

              interface [type][X/X]
              description [Trunking port]
              switchport mode trunk
              switchport trunk native vlan [## of vlan solely used for trunking ((1000 is a good one))]
              switchport trunk allowed vlan [only vlans needed separated by commas ((2,5,10-15,88))]
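A small config-audit script, added here as an example and not part of any post in this thread, that checks a running-config text against the global "must haves" from dl-it-networkadmin's list and the per-port templates from CourtesyIT's reply. The sample config is constructed, and the rule lists are an assumption distilled from those two posts; extend them to match your own standard.

```python
# Constructed sample running-config (not from the thread); it deliberately
# violates several of the posted "must haves" so that the audit has findings.
SAMPLE_CONFIG = """\
service password-encryption
line vty 0 15
 transport input telnet ssh
interface GigabitEthernet1/0/1
 description ### Unused Port ###
 switchport mode access
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 2,5,10-15,88
"""
# Global lines and per-port-mode lines the two posts treat as mandatory (assumed rule set).
REQUIRED_GLOBAL = ["no service pad", "service password-encryption", "no ip http server",
                   "no ip http secure-server", "login block-for", "no ip domain-lookup"]
PORT_RULES = {
    "switchport mode access": ("switchport port-security", "spanning-tree bpduguard enable"),
    "switchport mode trunk": ("switchport trunk allowed vlan", "switchport trunk native vlan"),
}

def parse_sections(config):
    """Map each top-level line to its indented children (IOS indents children by one space)."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.strip():
            current = raw.strip()
            sections.setdefault(current, [])
    return sections

def audit(config):
    """Return one finding per violated rule; an empty list means the config passes."""
    sections = parse_sections(config)
    findings = [f"global: missing '{cmd}'" for cmd in REQUIRED_GLOBAL
                if not any(hdr.startswith(cmd) for hdr in sections)]
    for hdr, body in sections.items():
        if hdr.startswith("line vty") and "transport input ssh" not in body:
            findings.append(f"{hdr}: transport input must be ssh only")
        if hdr.startswith("interface "):
            name = hdr.split()[1]
            if any("unused" in l.lower() for l in body) and "shutdown" not in body:
                findings.append(f"{name}: unused port is not shut down")
            for mode, needed_cmds in PORT_RULES.items():
                for needed in (needed_cmds if mode in body else ()):
                    if not any(l.startswith(needed) for l in body):
                        findings.append(f"{name}: {mode.split()[-1]} port lacks '{needed}'")
    return findings
```

Run it against `show running-config` output saved to a file; the sample above yields ten findings, including the Telnet-capable vty line and the unused port that was never shut.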

              • Re: "must haves" for hardening your switches
                bigmclargehuge

                What's the difference between "login block-for 100 attempts 15 within 100"

                and "security authentication failure rate 3" ???

                  • Re: "must haves" for hardening your switches
                    jaimeaux

                    The "login block-for 100 attempts 15 within 100" is going to block anyone from attempting to remotely access that router (i.e. open a telnet/ssh/rmon whatever connection) for 100 seconds if they see 15 login attempts fail within a period of 100 seconds.

                    The "security authentication failure rate 3" should have the word log appended to the end. It merely creates a syslog message if you fail to log in 3 times. Should you have it sending syslog messages out to an NMS (i.e. Solarwinds), it will hopefully trigger an alert so you know that somebody is attempting to get into your router.

                • Re: "must haves" for hardening your switches
                  sevier.toby

                  Standardize your configs