Hardening guide for Cisco device

Overview

When a new Cisco switch is deployed in a server farm and connected to the network infrastructure of an enterprise, the network administrator or network architect should secure the device with basic security best practices. If a Cisco switch is compromised by attackers, the security of the entire network infrastructure can be undermined as a result.

Network infrastructure devices (routers, switches, load balancers, firewalls and so on) are among the assets of an enterprise that play an essential role in security and therefore must be protected and configured properly.

Many organizations focus on securing their servers, applications, databases and so on, yet they neglect the security of network devices, which are sometimes installed with out-of-the-box configurations.

1. Network Administrator shall ensure that an authorized login banner is defined.

banner login ^C
**WELCOME to NetSecAddict
^C

2. Network Administrator shall ensure that a username and an enable secret are defined using strong encryption, with a password containing upper case, lower case, numbers and special characters.

config t
username addide secret **********
enable secret ********
exit

Note: use the secret keyword for the local user as well; the password keyword stores a reversible type 7 string, not a hash.

show running-config | include username
show running-config | include enable

3. Network Administrator shall ensure that encryption of passwords in the device configuration is enabled.

config ter
service password-encryption
exit

show running-config | include password

4. Network Administrator shall ensure that at least one local user exists and that all local users have encrypted passwords.

5. Network Administrator shall ensure that, unless absolutely necessary, the device does not allow Simple Network Management Protocol (SNMP) write access.

config t
access-list 10 permit x.x.x.x
access-list 10 deny any log
snmp-server community <community-string> RO 10
snmp-server group NetSecAddict v2c access 10
no snmp-server system-shutdown
exit

Only if write access is absolutely necessary, and still restricted by the same access list:

snmp-server community <community-string> RW 10

show running-config | include snmp

6. Network Administrator shall ensure that the clock is configured for the local time zone.

config ter
ntp server x.x.x.x
clock timezone IST 5 30
service timestamps log datetime localtime show-timezone year msec
service timestamps debug datetime localtime show-timezone year msec
exit

show ntp status

7. Network Administrator shall ensure that the finger service is disabled.

config ter
no service finger
exit

8. Network Administrator shall ensure that the Bootstrap Protocol (BOOTP) is disabled.

config ter
ip dhcp bootp ignore
exit

9. Network Administrator shall ensure that the device is not configured as a Dynamic Host Configuration Protocol (DHCP) server.

config ter
ip dhcp bootp ignore
no service dhcp
no ip domain lookup
exit

10. Network Administrator shall ensure that the native HTTP and HTTPS services are disabled.

config t
no ip http server
no ip http secure-server
exit

show running-config | include http

11. Network Administrator shall ensure that unnecessary services such as echo, discard, chargen, etc. are disabled.

config ter
service tcp-keepalives-in
service tcp-keepalives-out
no service tcp-small-servers
no service udp-small-servers
exit

show running-config | include service

12. Network Administrator shall ensure that the PAD service is disabled.

config ter
no service pad
exit

13. Network Administrator shall ensure that Telnet is disabled and SSH is configured on the VTY lines.

config t
line vty 0 15
transport input ssh
login local
transport preferred ssh
exit

14. Network Administrator shall ensure that access is allowed only from those network hosts that require it.

config t
ip access-list extended VTY_ACCESS
19 permit tcp host x.x.x.x any eq 22
20 permit tcp host x.x.x.x any eq 22
21 permit tcp host x.x.x.x any eq 22
35 deny ip any any log
exit

config t
line vty 0 15
no password
exec-timeout 5 0
access-class VTY_ACCESS in
exit
exit

15. Network Administrator shall ensure that the RC4 cipher is disabled.

config t
ip http secure-ciphersuite 3des-ede-cbc-sha
exit

16. Network Administrator shall ensure that web-based access is not configured.

clear ip auth-proxy cache

17. Network Administrator shall ensure that an access control list is created so that only specific authorized IP addresses receive SNMP traps.

18. Network Administrator shall ensure that the latest firmware patch is applied to network devices.

19. Network Administrator shall ensure that SSH version 2 is configured and that the device is managed over SSH and via the SNMP community string.

config ter
ip domain name NetSecAddict.com
crypto key generate rsa modulus 2048
ip ssh version 2
exit

show running-config | include ssh

20. Network Administrator shall ensure that unused ports are disabled.

21. Network Administrator shall ensure that the server-client configuration is enabled, so that any configuration change on the server-level switch is deployed to the client-level switches.

22. Network Administrator shall ensure that CDP is disabled, because it is used to obtain neighbor information such as OS version, neighbor host name and IP address.

config t
no cdp run
exit

show cdp neighbors

23. Network Administrator shall ensure that the BPDU Guard feature is enabled on all non-bridging (non-trunking) interfaces to prevent network loops. Apply it on each non-trunking port; gigabitEthernet 1/0/1 below is an example interface.

config t
interface gigabitEthernet 1/0/1
spanning-tree portfast
spanning-tree bpduguard enable
exit

24. Network Administrator shall ensure that the console password is disabled.

config t
line con 0
no password
exit

25. Network Administrator shall ensure that the device does not honor IP source-routing information contained in network packets.

config ter
no ip source-route
exit

26. Network Administrator shall ensure that VTP mode is off, since VTP features are not used.

config t
vtp mode off
exit

show vtp status

27. Network Administrator shall ensure that port security is configured on non-trunking (access) ports so that unauthorized personnel cannot access the network. gigabitEthernet 1/0/1 below is an example interface.

config ter
interface gigabitEthernet 1/0/1
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security violation restrict
exit

show running-config interface gigabitEthernet 1/0/1
show port-security interface gigabitEthernet 1/0/1

28. Network Administrator shall ensure that the Smart Install client feature is disabled, because of improper handling of image list parameters: an unauthenticated, remote attacker can exploit this issue, via crafted Smart Install packets, to cause the device to reload.

config ter
no vstack
exit

config ter
no username admin
exit

29. Network Administrator shall ensure that NTP is configured with authentication.

config ter
ntp authentication-key 42 md5 aNiceKey
ntp trusted-key 42
ntp authenticate
ntp access-group peer 91
ntp server x.x.x.x key 42
ntp server x.x.x.x version 2
access-list 91 permit x.x.x.x
exit
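As an added example that is not part of the original article, the following Python script audits a saved running-config against several of the checks above: it parses top-level lines and their indented children (such as the VTY section), reports required hardening lines that are missing, and flags lines the checklist forbids (an SNMP RW community, a local user stored with a reversible type 7 password, Telnet still allowed on the VTY lines). The sample configuration is constructed for illustration, not captured from a real device.

```python
import re

# Constructed sample running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
no service pad
username addide password 7 094F471A1A0A
ip ssh version 1
snmp-server community public RW 10
no cdp run
ip http server
no ip http secure-server
line vty 0 15
 transport input telnet ssh
 exec-timeout 5 0
"""
# Global lines the checklist expects to be present verbatim.
REQUIRED_GLOBAL = [
    "service password-encryption", "no ip http server",
    "no ip http secure-server", "ip ssh version 2", "no cdp run",
    "no service pad", "no ip source-route", "no service dhcp",
]
# Global patterns the checklist says must not appear.
FORBIDDEN_GLOBAL = [
    ("SNMP read-write community", r"^snmp-server community \S+ RW\b"),
    ("user with reversible type 7 password", r"^username \S+ password\b"),
]

def parse_sections(text):
    """Split a config into top-level lines and their indented children."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())   # child of a line/interface block
        else:
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    top, sections = parse_sections(text)
    findings = [f"missing: {line}" for line in REQUIRED_GLOBAL if line not in top]
    for name, pattern in FORBIDDEN_GLOBAL:
        findings += [f"{name}: {ln}" for ln in top if re.match(pattern, ln)]
    for header, children in sections.items():
        if header.startswith("line vty"):   # VTY checks from items 13 and 14
            if "transport input ssh" not in children:
                findings.append(f"{header}: transport input is not ssh-only")
            if not any(c.startswith("access-class ") for c in children):
                findings.append(f"{header}: no inbound access-class")
    return findings
```

Run audit() on the output of show running-config saved to a file; the sample above yields nine findings, and a config containing every required line plus an ssh-only VTY section with an access-class yields none.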

Thanks for reading. If you liked the article, please share it, and leave any comments or queries in the message box below.
