Hardening of Cisco Switches: by Mahendra Bhosale
TABLE OF CONTENTS
IOS_SW_1. Open Vulnerabilities in the Current IOS
IOS_SW_2. Device Enable Secret Password Not Set
IOS_SW_3. Password Encryption is Not Enabled
IOS_SW_4. Unprotected Access to Console Terminal
IOS_SW_5. Unencrypted Remote Administration
IOS_SW_6. Unrestricted Remote Administration
IOS_SW_7. User Authentication Not Configured
IOS_SW_8. No time out for idle sessions
IOS_SW_9. Unsafe log generation and log collection
IOS_SW_10. Incorrect Time & Time zone setting
IOS_SW_11. Time server not designated
IOS_SW_12. No timestamp on logs and debug information
IOS_SW_13. SNMPv1 or SNMPv2 is being used for device management and monitoring
IOS_SW_14. Default SNMP Community Strings are used
IOS_SW_15. Unnecessary services running
IOS_SW_16. CDP is running
IOS_SW_17. Device accepts IP source routed packets
IOS_SW_18. Device processes directed broadcasts
IOS_SW_19. UDP broadcast forwarding is enabled
IOS_SW_20. Device sends IP unreachable messages
IOS_SW_21. Device sends ICMP mask-reply
IOS_SW_22. Device sends IP redirects
IOS_SW_23. Anti-Spoof access control lists are not configured
IOS_SW_24. System statutory warning not set
IOS_SW_25. Proxy ARP is not disabled
IOS_SW_26. Unrestricted SNMP management and monitoring
IOS_SW_27. Older vulnerable version of SSH being used
IOS_SW_28. Port Security is not enabled
IOS_SW_29. Management Interface is assigned to VLAN1
IOS_SW_30. VTP (Virtual Trunking Protocol) security is not enabled
IOS_SW_31. Trunk Auto-Negotiation is not disabled on non-trunking interfaces
IOS_SW_32. VLAN Hopping Prevention is not enabled
IOS_SW_33. Spanning Tree Protocol Security is Not Enabled
Hardening of Cisco Switches by Mahendra Bhosale
IOS_SW_1. Open Vulnerabilities in the Current IOS
Description
Like any other software, Cisco IOS has security vulnerabilities, and attackers can exploit them to compromise the device. To avoid this, Cisco Security Advisories should be checked periodically for vulnerabilities affecting the current IOS version, and if one is found, IOS should be upgraded to the latest stable version.
Impact
An attacker can use the known vulnerabilities and carry out malicious activities on the
device.
Risk Rating
High
Solution
Upgrade the Cisco device to the latest and stable IOS.
IOS_SW_5. Unencrypted Remote Administration
Description
The Telnet protocol transmits all information, including login credentials, in clear text. To prevent password theft, SSH should be used for remote administration, as SSH encrypts all traffic between the device and the SSH client.
Impact
A malicious user can sniff traffic on the wire and can steal user exec and privileged mode
passwords of the device.
Risk Rating
Medium
Solution
Configure the device to accept only SSH connections for remote administration using the following commands.
Note: The following commands can be configured only if the device is running an IOS image that supports IPsec and other cryptographic algorithms.
1. Generate RSA Keys for SSH:
(config)#crypto key generate rsa
2. Lower SSH Timeout for inactive session:
(config)#ip ssh time-out 60
3. Set number of SSH retries:
(config)#ip ssh authentication-retries 2
4. Specify SSH as only Transport input:
(config)#line vty 0 4
(config-line)#transport input ssh
suggest using a remote server such as TACACS or TACACS+ for user authentication.
Note: If a vty/console/aux line is disabled by either of the following commands
(config-line)#no exec
or
(config-line)#transport input none
this check is considered safe for that vty/console/aux line.
IOS_SW_9. Unsafe log generation and log collection
Description
All important device logs should be enabled and collected to monitor all critical information and
system level activity.
Impact
Malicious activities may go unnoticed in the absence of logs, and no information is available for investigation and forensics if an intrusion occurs.
Risk Rating
Medium
Solution
Configure the device to send its logs to a syslog server with the following command:
(config)#logging <Syslog_Server_IP_Address>
The level of logging should be specified using logging trap <level>.
The following table shows each severity level and the Cisco keyword used for logging:
Severity Level   Keyword          Description
0                Emergencies      System unusable
1                Alerts           Immediate action required
2                Critical         Critical condition
3                Errors           Error conditions
4                Warnings         Warning conditions
5                Notifications    Normal but significant conditions
6                Informational    Informational messages
7                Debugging        Debugging messages
For example, logging trap critical forwards logs of severity emergencies, alerts and critical to the specified syslog server.
We suggest configuring the trap level to 4 (warnings).
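As an added example (not part of the original document), the following Python script audits a constructed running-config excerpt for the IOS_SW_5 and IOS_SW_9 checks above: it flags vty lines whose transport input is not restricted to SSH, and verifies that a syslog server is set and that the logging trap level forwards at least the severities the suggested level 4 (warnings) would. The configuration text, the IP address and the function names are assumptions made for illustration.

```python
"""Audit a Cisco IOS running-config excerpt for IOS_SW_5 (SSH-only vty transport)
and IOS_SW_9 (syslog server and trap level). Added example; CONFIG is constructed."""
import re

# Cisco syslog severity keywords in numeric order 0..7 (the table above).
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]

CONFIG = """\
hostname sw-access-01
logging 192.0.2.10
logging trap critical
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

def forwarded_severities(trap_level):
    """Severities that 'logging trap <level>' forwards: the given level and everything
    more severe. Accepts the keyword or the number, e.g. 'critical' -> levels 0-2."""
    level = int(trap_level) if trap_level.isdigit() else SEVERITY.index(trap_level)
    return SEVERITY[:level + 1]

def audit_config(config, suggested_trap=4):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    # IOS_SW_5: the effective 'transport input' on every vty line must be exactly 'ssh'.
    for m in re.finditer(r"^line (vty [\d ]+)\n((?: .*\n)*)", config, re.M):
        transports = re.findall(r"^ transport input (.+)$", m.group(2), re.M)
        if not transports or transports[-1].split() != ["ssh"]:
            findings.append(f"IOS_SW_5: line {m.group(1)} transport input is "
                            f"{transports[-1] if transports else 'not restricted to ssh'}")
    # IOS_SW_9: a syslog server must be set and the trap level must forward at least as much as level 4.
    if not re.search(r"^logging (?:host )?\d+\.\d+\.\d+\.\d+$", config, re.M):
        findings.append("IOS_SW_9: no syslog server configured")
    trap = re.search(r"^logging trap (\S+)$", config, re.M)
    if trap is None:
        findings.append("IOS_SW_9: logging trap level not set")
    elif len(forwarded_severities(trap.group(1))) <= suggested_trap:
        findings.append(f"IOS_SW_9: logging trap {trap.group(1)} forwards only "
                        f"{forwarded_severities(trap.group(1))}; suggested: {SEVERITY[suggested_trap]}")
    return findings

if __name__ == "__main__":
    for finding in audit_config(CONFIG):
        print(finding)
```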
IOS_SW_24. System statutory warning not set
Description
Displaying appropriate warning messages when users access a system assists in prosecuting
computer crime cases and defending legal issues involving the system.
Impact
Absence of a statutory warning may lead to failure to implicate an accused malicious user.
Risk Rating
Low
Solution
Create an appropriate login warning banner stating that the system is for authorized use only and that all activity on the system is monitored.
Use either of the commands:
(config)#banner login <message>
(config)#banner motd <message>
For AAA authentication:
(config)#aaa authentication banner <banner>
IOS_SW_25. Proxy ARP is not disabled
Description
Proxy ARP is a method by which routers may make themselves available to hosts. A Cisco router can act as an intermediary for ARP, responding to ARP queries on selected interfaces and thus enabling transparent access between multiple LAN segments.
Impact
It breaks the LAN security perimeter, effectively extending a LAN at layer 2 across multiple segments, so security can be undermined: a machine can claim to be another in order to intercept packets.
Risk Rating
Medium
Solution
Disable proxy ARP on all interfaces by issuing the following command.
(config)#interface {interface_name}
(config-if)#no ip proxy-arp
NOTE: Not applicable to layer 2 switching.
IOS_SW_30. VTP (Virtual Trunking Protocol) security is not enabled
Description
VTP is a Cisco-proprietary Layer 2 messaging protocol used to distribute VLAN configuration information over trunks. VTP allows the addition, deletion and renaming of VLANs on a network-wide basis, which gives switches a consistent VLAN configuration within a VTP management domain. All switches in the same management domain share their VLAN information, and a switch may participate in only one VTP management domain.
The VTP default configuration is shown below:
VTP domain name   Null
VTP mode          Server
VTP version       Version 2 is disabled
VTP password      None
VTP pruning       Disabled
Impact
If VTP is left in its default configuration, an attacker who learns the local network's VLAN structure can delete or modify it.
Risk Rating
Medium
Solution
If VTP is not required, disable it with the following commands:
(config)# no vtp mode
(config)# no vtp password
(config)# no vtp pruning
If VTP is required, change the default configuration with the following commands:
(config)# vtp domain <A vtp domain name>
(config)# vtp password <strong password>
(config)# vtp pruning
(config)# vtp mode <mode> (mode can be server (the default), client or transparent. If the VTP mode is server, all users with access to the switch can edit the VLAN information.)
IOS_SW_32. VLAN Hopping Prevention is not enabled
Description
VLAN hopping is a computer security exploit, a method of attacking networked resources on a VLAN. The basic concept behind all VLAN hopping attacks is for an attacking host on one VLAN to gain access to traffic on other VLANs that would normally not be accessible. There are two primary methods of VLAN hopping: switch spoofing and double tagging.
Impact
Using VLAN hopping, a malicious intruder with access to one local network might inject packets into another local network in order to attack machines on the target network.
Risk Rating
Low
Solution
Assign a dedicated, shut-down VLAN as the native VLAN of every trunk using the following commands.
To shut down local traffic on the specified VLAN, use the shutdown vlan command:
(config)# shutdown vlan <vlan-id>
Do not use this VLAN for any other purpose. Then set it as the native VLAN on each trunking interface:
(config)# interface <trunking interfaces>
(config-if)# switchport trunk native vlan <shutdown vlan-id>
(config-if)# no cdp enable
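As an added example (not part of the original document), this Python script audits a constructed running-config excerpt for the IOS_SW_30 and IOS_SW_32 checks: it reports VTP left in the default server mode or with a null domain name, and any trunk whose native VLAN is not a dedicated shut-down VLAN (VLAN 1 is taken as the native VLAN when none is set). It assumes that a VLAN disabled with shutdown vlan appears as shutdown under its vlan block in the running-config; the configuration text, interface names and function names are constructed for illustration.

```python
"""Audit a Cisco IOS running-config excerpt for IOS_SW_30 (VTP left at defaults)
and IOS_SW_32 (trunk native VLAN). Added example; CONFIG is constructed."""
import re

# Assumption: a VLAN disabled with 'shutdown vlan' shows as 'shutdown' under its 'vlan' block.
CONFIG = """\
vtp domain CORP
vtp mode server
vlan 999
 name NATIVE-UNUSED
 shutdown
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport trunk native vlan 999
 no cdp enable
interface GigabitEthernet1/0/47
 switchport mode trunk
"""

def audit_l2(config):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    # IOS_SW_30: a null domain or server mode (the defaults) lets anyone with switch
    # access rewrite the VLAN database. The VTP password is not in the running-config.
    mode = re.search(r"^vtp mode (\S+)$", config, re.M)
    if mode is None or mode.group(1) == "server":
        findings.append("IOS_SW_30: VTP mode is server (default)")
    if re.search(r"^vtp domain \S+$", config, re.M) is None:
        findings.append("IOS_SW_30: VTP domain name is null (default)")
    # IOS_SW_32: VLANs that are shut down, and VLANs that carry access ports.
    shut = {int(m.group(1)) for m in re.finditer(r"^vlan (\d+)\n((?: .*\n)*)", config, re.M)
            if re.search(r"^ shutdown$", m.group(2), re.M)}
    access = {int(v) for v in re.findall(r"^ switchport access vlan (\d+)$", config, re.M)}
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n)*)", config, re.M):
        name, body = m.groups()
        if not re.search(r"^ switchport mode trunk$", body, re.M):
            continue
        nat = re.search(r"^ switchport trunk native vlan (\d+)$", body, re.M)
        native = int(nat.group(1)) if nat else 1  # VLAN 1 is the IOS default native VLAN
        if native not in shut or native in access:
            findings.append(f"IOS_SW_32: {name} native VLAN {native} is not a dedicated shutdown VLAN")
    return findings

if __name__ == "__main__":
    for finding in audit_l2(CONFIG):
        print(finding)
```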