Overview
When deploying a new Cisco switch in a data center and connecting it to the network infrastructure of an enterprise, it is important for the network administrator or network architect to secure the device according to basic security best practices. If a Cisco switch is compromised by attackers, the security of the whole network infrastructure can be badly affected as a result.
Network infrastructure devices (routers, switches, load balancers, firewalls and so on) are among the assets of an enterprise that play an essential role in security and therefore must be protected and configured properly.
Many organizations focus on securing their servers, applications, databases and so on, yet they neglect the security of network devices, which are sometimes deployed with out-of-the-box configurations.
1. Network Administrator shall ensure that an authorized login banner is defined
banner login ^C
**WELCOME to NetSecAddict
^C
2. Network Administrator shall ensure that a username and an enable secret password are defined using strong encryption, with upper case, lower case, numbers and special characters
config t
username addide secret **********
enable secret ********
exit
show running-config | include username
show running-config | include enable
3. Network Administrator shall ensure that encryption of passwords in the device configuration is enabled
config ter
service password-encryption
exit
show running-config | include password
4. Network Administrator shall ensure that at least one local user exists and that all local users have encrypted passwords.
5. Network Administrator shall ensure that, unless absolutely necessary, the device does not allow Simple Network Management Protocol (SNMP) write access.
config t
snmp-server community "String" RO 10
snmp-server community "String" RW 10
snmp-server group NetSecAddict v2c access 10
no snmp-server system-shutdown
exit
config t
access-list 10 permit x.x.x.x
access-list 10 deny any log
exit
show running-config | include snmp
6. Network Administrator shall ensure that the clock is configured for the local time zone.
config ter
ntp server x.x.x.x
clock timezone IST 5 30
exit
config ter
service timestamps log datetime localtime show-timezone year msec
service timestamps debug datetime localtime show-timezone year msec
exit
show ntp status
7. Network Administrator shall ensure that the finger service is disabled
config ter
no service finger
exit
8. Network Administrator shall ensure that the Bootstrap Protocol (BOOTP) is disabled.
config ter
ip dhcp bootp ignore
exit
9. Network Administrator shall ensure that the device is not configured as a Dynamic Host Configuration Protocol (DHCP) server
config ter
ip dhcp bootp ignore
no service dhcp
no ip domain lookup
exit
10. Network Administrator shall ensure that the native HTTP and HTTPS services are disabled
config t
no ip http server
no ip http secure-server
exit
show running-config | include http
11. Network Administrator shall ensure that unnecessary services such as echo, discard, chargen, etc. are disabled
config ter
service tcp-keepalives-in
service tcp-keepalives-out
no service tcp-small-servers
no service udp-small-servers
exit
show running-config | include small-servers
12. Network Administrator shall ensure that the PAD service is disabled.
config ter
no service pad
exit
13. Network Administrator shall ensure that the Telnet service is disabled and the SSH service is configured.
config t
line vty 0 15
transport input ssh
login local
transport preferred ssh
exit
14. Network Administrator shall ensure that access is allowed only from those network hosts that require it
config t
ip access-list extended VTY_ACCESS
19 permit tcp host x.x.x.x any eq 22
20 permit tcp host x.x.x.x any eq 22
21 permit tcp host x.x.x.x any eq 22
35 deny ip any any log
exit
config t
line vty 0 15
no password
exec-timeout 5 0
access-class VTY_ACCESS in
exit
exit
15. Network Administrator shall ensure that the RC4 cipher is disabled.
config t
ip http secure-ciphersuite 3des-ede-cbc-sha
exit
16. Network Administrator shall ensure that web-based access is not configured.
clear ip auth-proxy cache
17. Network Administrator shall ensure that an access control list is created so that only specific authorized IP addresses receive SNMP traps.
18. Network Administrator shall ensure that the latest firmware patch is applied to the network devices.
19. Network Administrator shall ensure that SSH version 2 is configured and that management communication uses SSH and the SNMP community string.
config ter
ip domain name NetSecAddict.com
crypto key generate rsa modulus 2048
ip ssh version 2
exit
show running-config | include ssh
20. Network Administrator shall ensure that unused ports are disabled.
21. Network Administrator shall ensure that a server/client configuration is enabled, such that any configuration change on the server-level switch is deployed to the client-level switches.
22. Network Administrator shall ensure that CDP is disabled, because it can be used to obtain neighbor information such as OS version, neighbor host name and IP address.
config t
no cdp run
exit
show cdp neighbors
23. Network Administrator shall ensure that the BPDU Guard feature is enabled on all non-trunking (access) interfaces to prevent network loops
config t
interface gigabitEthernet 1/0/1
spanning-tree portfast
spanning-tree bpduguard enable
exit
24. Network Administrator shall ensure that the console password is disabled.
config t
line con 0
no password
exit
25. Network Administrator shall ensure that IP source routing information contained in network packets is ignored.
config ter
no ip source-route
exit
26. Network Administrator shall ensure that VTP mode is set to off, since VTP features are not used.
config t
vtp mode off
exit
show vtp status
27. Network Administrator shall ensure that port security is configured on non-trunking ports so that unauthorized personnel cannot access the network.
config ter
interface gigabitEthernet 1/0/1
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security violation restrict
exit
show running-config interface gigabitEthernet 1/0/1
show port-security interface gigabitEthernet 1/0/1
28. The Smart Install client feature shall be disabled, due to improper handling of image list parameters: an unauthenticated, remote attacker can exploit this issue, via crafted Smart Install packets, to cause the device to reload.
config ter
no vstack
exit
config ter
no username admin
exit
29. NTP configuration with authentication.
config ter
ntp authentication-key 42 md5 aNiceKey
ntp trusted-key 42
ntp authenticate
ntp access-group peer 91
ntp server x.x.x.x key 42
ntp server x.x.x.x version 2
access-list 91 permit x.x.x.x
exit
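The checklist above is only useful if it is verified regularly. As an added example (not part of the original article and not a Cisco tool), the following Python script audits a saved running-config against the items above. The embedded running-config is constructed for illustration (its password hashes are not real), the check names and regular expressions are my own mapping of the checklist, and it assumes the configuration was captured with show running-config, so that commands inside a block (an interface or a vty line) are indented by one space. It is deliberately only partly hardened so the audit reports both passes and failures.

```python
import re

# Constructed sample running-config; the secret hashes are placeholders, not real.
SAMPLE_CONFIG = """\
service timestamps log datetime localtime show-timezone year msec
service password-encryption
banner login ^C
**WELCOME to NetSecAddict
^C
username addide secret 5 $1$abcd$CONSTRUCTED.HASH.NOT.REAL
enable secret 5 $1$wxyz$CONSTRUCTED.HASH.NOT.REAL
ip dhcp bootp ignore
no ip source-route
ip ssh version 2
no ip http server
ip http secure-server
snmp-server community NetSecRO RO 10
snmp-server community NetSecRW RW 10
no vstack
ntp server 192.0.2.10
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode access
!
line vty 0 15
 access-class VTY_ACCESS in
 exec-timeout 5 0
 login local
 transport input ssh
end
"""

def parse_sections(config_text):
    """Split a running-config into (top-level line, [indented child commands]) pairs."""
    sections = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.rstrip(), []))
    return sections

def _has(lines, pattern):
    return any(re.search(pattern, line) for line in lines)

def _block_has(body, prefix):
    return any(cmd.startswith(prefix) for cmd in body)

def vty_hardened(sections):
    """Every 'line vty' block must use SSH only, local login, an inbound ACL and a timeout."""
    blocks = [body for hdr, body in sections if hdr.startswith("line vty")]
    return bool(blocks) and all(
        _block_has(b, "transport input ssh") and _block_has(b, "login local")
        and _block_has(b, "access-class") and _block_has(b, "exec-timeout")
        for b in blocks)

def access_ports_hardened(sections):
    """Every access-mode interface must carry port-security and BPDU Guard (vacuously true if none)."""
    ports = [body for hdr, body in sections
             if hdr.startswith("interface") and _block_has(body, "switchport mode access")]
    return all(_block_has(p, "switchport port-security")
               and _block_has(p, "spanning-tree bpduguard enable") for p in ports)

# (check name, predicate over (top-level lines, sections)). IOS prints only non-default
# state, so some checks look for a "no ..." line and others for the absence of a line.
CHECKS = [
    ("login banner defined", lambda g, s: _has(g, r"^banner login")),
    ("enable secret set", lambda g, s: _has(g, r"^enable secret ")),
    ("no reversible 'username ... password'", lambda g, s: not _has(g, r"^username \S+ password ")),
    ("service password-encryption on", lambda g, s: _has(g, r"^service password-encryption$")),
    ("no SNMP RW community", lambda g, s: not _has(g, r"^snmp-server community \S+ RW\b")),
    ("NTP server and log timestamps", lambda g, s: _has(g, r"^ntp server ") and _has(g, r"^service timestamps log datetime")),
    ("BOOTP ignored", lambda g, s: _has(g, r"^ip dhcp bootp ignore$")),
    ("HTTP/HTTPS servers disabled", lambda g, s: not _has(g, r"^ip http (secure-)?server$")),
    ("small servers disabled", lambda g, s: not _has(g, r"^service (tcp|udp)-small-servers")),
    ("VTY lines hardened", lambda g, s: vty_hardened(s)),
    ("SSH version 2", lambda g, s: _has(g, r"^ip ssh version 2$")),
    ("CDP disabled", lambda g, s: _has(g, r"^no cdp run$")),
    ("access ports have port-security and BPDU Guard", lambda g, s: access_ports_hardened(s)),
    ("IP source routing disabled", lambda g, s: _has(g, r"^no ip source-route$")),
    ("Smart Install disabled", lambda g, s: _has(g, r"^no vstack$")),
    ("NTP authentication enabled", lambda g, s: _has(g, r"^ntp authenticate$")),
]

def audit(config_text):
    """Return {check name: passed} for every entry in CHECKS."""
    sections = parse_sections(config_text)
    top_level = [hdr for hdr, _ in sections]
    return {name: bool(fn(top_level, sections)) for name, fn in CHECKS}

if __name__ == "__main__":
    for name, ok in audit(SAMPLE_CONFIG).items():
        print(f"[{'PASS' if ok else 'FAIL'}] {name}")
```

To audit a real device, replace SAMPLE_CONFIG with the contents of a saved show running-config capture. On the constructed sample the script flags the RW community, the enabled HTTPS server, CDP, the second access port without port security or BPDU Guard, and the missing NTP authentication; every other item passes.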
Thanks for reading. If you liked the article, please share it, and comment in the message box below if you have any query.