Cisco devices have many features that are good for something but they can be easily exploited. You must know that the Internet is full of people that want to exploit your network for different or no reasons. We will show you the best ways for thinking ahead and securing the layer 2 of the network – the switches. Let’s start…
▪ Secure password is a must
Whenever possible configure enable secret command to set the privileged-level password on a switch. There is also enable password command but is not strongly encrypted as secret. Next way and the best way to authenticate administrative users is by using external AAA servers. In that mode you are maintaining usernames and passwords externally and they are not stored or managed directly on the switch. This is better as well because of centralized administration of users. After securing the authentication you should use the service password-encryption configuration to automatically encrypt password that are stored in the switch configuration. It will prevent to store the passwords in the startup-config in the plain text.
▪ Set system banners
When users are accessing the switch you can help them or warn them by use of system banners. You should put system banners so that they display some information when users log in to a switch. The idea is to warn unauthorized users that they are not allowed to be here and that they are unwelcome. The banner motd command is used to define the text that is displayed to authenticated users.
▪ Secure the web interface
You already know that you can use the web interface to manage the switch using HTTP protocol. Some network administrators use the command line interface and they don’t need an HTTP access. Everything that you do not need on the network device you should disable. That is also valid for the HTTP access to the device. The command to do so is no ip http server.
▪ Use HTTPS
If you do decide to use the web interface, be sure to use the HTTPS interface, if it is supported on the switch platform. The standard HTTP web interface has some serious weaknesses because none of the traffic is encrypted. Enable the HTTPS interface with the ip http secure server command and skip the ip http server command. Next thing to do is limit the source addresses that can access the HTTPS interface. You will do this by adding an access list that permits only some defined source addresses and then you will apply the access list to the HTTPS interface with the ip http access-class configuration command.
▪ Switch console security
Switches are usually locked in wiring closets where only administrator can access and connect to the switch console. If your switch is not in the wiring closed or maybe it is but many people have the access to it, you should always configure authentication on any switch console. It is usually appropriate to use the same authentication configuration on the console as the virtual terminal (vty) lines.
▪ Secure virtual terminal access
You always should configure user authentication on all the vty lines on a switch. In addition, you should use access lists to limit the source IP addresses of potential administrative users who try to use Telnet or Secure Shell – SSH to access a switch. You can use a simple IP access list to permit inbound connections only from known source addresses
Switch1(config)# access-list 10 permit 192.168.1.10 Switch1(config)# access-list 10 permit 192.168.2.10 Switch1(config)# line vty 0 4 Switch1(config-line)# access-class 10 in You must be sure that you have applied the access list to all the line vty entries in the switch configuration. Vty lines are sometimes separated into. You can use the show user all command to see every possible line that can be used to access a switch.
▪ Use SSH over telnet
Although Telnet access is easy to configure and use, Telnet is not secure because the lack of encryption of communication. Every character you type in a Telnet session is sent to and echoed from a switch in clear text. Therefore, it is very easy to sniff on Telnet sessions to overhear usernames and passwords. Instead, you should use SSH whenever possible. Secure Shell uses strong encryption to secure session communication. One more important thing is to use the highest SSH version that is available on a switch. The early SSHv1 and SSHv1.5 have some weaknesses and problems, so you should choose SSHv2 if possible.
▪ Secure SNMP access
To prevent unauthorized users from making rouge changes to a switch configuration, you should disable any read-write SNMP access. These are commands of the form snmp-server community string RW. You should always have only read-only commands in the configuration. In addition, you should use access lists to limit the source addresses that have read-only access. Inportant thing to know is that SNMP community strings are not secure because these are passed in the clear in SNMP packets.
▪ Unused switch ports
Every unused switch port should be disabled so that unexpected users can’t connect and use them without your knowledge. You can do this with the shutdown interface configuration command. In addition, you should configure every user port as an access port with the switchport mode access interface configuration command. If you do not do this, you have made possible for attacker to start different layer 2 attacks negotiating the trunk on the port. You also should consider associating every unused access port with a isolated VLAN that is not used in any useful port. If an unexpected user does gain access to a port, he will have access only to a VLAN that is isolated from every other resource on your network. Smart way of doing this is using the switchport host interface configuration command as a quick way to force a port to support only a single PC. This command is actually a macro, as shown in the following example:
Switch1(config)# interface fastethernet 0/1 Switch1(config-if)# switchport host switchport mode will be set to access spanning-tree portfast will be enabled channel group will be disabled Switch1(config-if)#
▪ Secure STP operation
A malicious user can inject STP bridge protocol data units (BPDU) into switch ports or VLANs, and can disrupt a stable, loop-free topology. You always should enable the BPDU guard feature so that access switch ports automatically are disabled if unexpected BPDUs are received. BPDU guard is extensively described in layer 2 security section on this page.
▪ Secure the use of CDP
CDP advertisements can be useful and very useful in some cases when you are using VoIP technology or just doing some troubleshooting. We need to know that CDP advertisements are sent on every switch port every 60 second. Although CDP is a very handy tool for discovering neighboring Cisco devices, you shouldn’t allow CDP to advertise unnecessary information about your switch to listening attackers. CDP should be enabled only on switch ports that connect to other trusted Cisco devices. You can disable CDP on a specific port with the no cdp enable interface configuration command.