
Minimizing Service Loss and Data Theft in a Campus Network

Securing Network Switches


Describing Vulnerabilities in CDP
Describing Vulnerabilities in the Telnet Protocol

The Telnet connection sends text unencrypted and potentially readable.

Describing the Secure Shell Protocol

SSH replaces the Telnet session with an encrypted connection.

Describing vty ACLs

• Set up a standard IP ACL.
• Use line configuration mode to filter access with the access-class command.
• Set identical restrictions on every vty line.

Describing Commands to Apply ACLs

Switch(config)#access-list access-list-number {permit | deny | remark} source [mask]

• Configures a standard IP access list

Switch(config)#line vty {vty# | vty-range}

• Enters configuration mode for a vty or vty range

Switch(config-line)#access-class access-list-number {in | out}

• Restricts incoming or outgoing vty connections to the addresses in the ACL

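The three commands above, worked through as an added example that is not part of the original slides: a standard ACL that admits only an assumed management subnet (10.10.20.0/24), applied identically to every vty line, with Telnet turned off in favour of SSH. The hostname SW1, domain name example.net, ACL number 10 and user admin are illustrative assumptions.

```cisco
! Added example, not from the original slide deck. Addresses, names and
! the ACL number are assumptions chosen for illustration.
! --- SSH prerequisites: hostname, domain name, RSA key pair, local user ---
Switch(config)# hostname SW1
SW1(config)# ip domain-name example.net
SW1(config)# crypto key generate rsa modulus 2048
SW1(config)# ip ssh version 2
SW1(config)# username admin privilege 15 secret <strong-password>
! --- Standard IP ACL listing the management stations allowed to reach vty ---
SW1(config)# access-list 10 remark Management stations permitted to reach vty
SW1(config)# access-list 10 permit 10.10.20.0 0.0.0.255
! Standard ACLs take a wildcard mask (0.0.0.255 = /24), not a subnet mask.
SW1(config)# access-list 10 deny any log
! The implicit deny at the end of every ACL would drop other sources silently;
! an explicit "deny any log" makes refused attempts visible in Syslog.
! --- Apply the same restriction to the whole vty range, not just 0-4 ---
SW1(config)# line vty 0 15
SW1(config-line)# access-class 10 in
SW1(config-line)# transport input ssh
SW1(config-line)# login local
SW1(config-line)# exit
```

Check the result with `show running-config | section line vty` and confirm that every vty line carries the same access-class and transport input entries; a line left out of the range is a line left unfiltered.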
Best Practices: Switch Security

Secure switch access:


• Set system passwords.
• Secure physical access to the console.
• Secure access via Telnet.
• Use SSH when possible.
• Configure system warning banners.
• Use Syslog if available.

Best Practices: Switch Security (Cont.)

Secure switch protocols:


• Trim CDP and use only as needed.
• Secure spanning tree.

Mitigate compromises through a switch:


• Take precautions for trunk links.
• Minimize physical port access.
• Establish a standard access port configuration for both unused and used ports.

Summary

• CDP packets can expose some network information.
• Authentication information and data carried in Telnet sessions are vulnerable.
• SSH provides a more secure alternative to Telnet.
• vty ACLs should be used to limit Telnet access to switch devices.
• vty ACL configuration commands use standard IP ACLs.
• Sound security measures and trimming of unused applications are the basis of best practices.
