In this instruction will describes the best practices and security hardening configuration for a new cisco switch to secure it and also increases the overall security of a network infrastructure in an enterprise data center. Router hardening with the cisco router and security and device manager sdm now one of the reasons that we love cisco is that they are always trying to make it easy on us. Products sold prior to the november 1, 2015 separation of hewlettpackard company into hewlett packard enterprise company and hp inc. Cisco best practices to harden devices against cyber. Learn how to configure and manage a cisco switch step by step with this basic switch commands and configuration guide. Cisco guide to harden cisco ios devices contents introduction prerequisites requirements components used background information secure operations monitor cisco security advisories and responses leverage authentication, authorization, and accounting centralize log collection and monitoring use secure protocols when possible gain traffic.
When we did for cisco 2960 switch, the switch was not listening to any of the tcp ports. Network infrastructure devices routers, switches, load balancers, firewalls etc are among. Cisco smart install smi port 4786 cisco smart install is a legacy feature that provides zerotouch deployment for new switches, typically access layer switches, and incorporates no authentication by design. This guide provides technical recommendations intended to help network administrators improve the security of their networks. Cisco switch and router hardening created 09182018.
Hardening cisco routers is a reference for protecting the protectors. Cisco network hardening control descriptions, risks, vulnerabilities, and remediation are provided for network devices and cisco nexus switches using cisco ucs manager web ui andor cisco nxos cli shell. The threat lifecycle is important for risk assessment because it shows where you can mitigate threats. In this document of how to configure security hardening on a cisco switch, it is assumed that. Security hardening checklist for cisco routersswitches in 10 steps network infrastructure devices routers, switches, load balancers, firewalls etc are among the assets of an enterprise that play an important role in security and thus need to be protected and configured accordingly. Pdf designing a network is not just about placing routers, firewalls, intrusion detection system, etc in a network but it is about having good reasons. An objective, consensusdriven security guideline for the cisco network devices. Security features on switches securing layer 2 cisco press. If ip server or ip secureserver are essential, configure authentication and. It is important to note that most ios upgrades can only be accomplished by replacing the ios.
Router security,however,involves protecting the network itself by hardening or securing the routers. Get hardening cisco routers now with oreilly online learning. This policy was created by or for the sans institute for the internet community. Technical guide network video management system hardening guide 6 each stage in the threat lifecycle takes time. Ise security best practices hardening cisco community. Cisco press 201 west 103rd street indianapolis, in 46290 usa cisco router con. This checklist is a collection of all the hardening steps that are presented in this guide. Different router configurations for various versions of cisco. The benchmark is an industry consensus of current best practices listing actions to. Security hardening checklist guide for cisco routersswitches in 10 steps network infrastructure devices routers, switches, load balancers, firewalls etc are among the assets of an enterprise that play an important role in security and thus need to be protected and configured accordingly.
In my company we have cisco asa firewall as edge device on the internet. The network attacker configures a device to spoof a switch. Ccnp routing and switching portable command guide, 2e. The recently, tactical resources cisco ucs hardening guide cisco ios and nxos software reference guide. If an attacker manages to enter the network and find an unpatched server or switch the impact of. Security hardening checklist guide for cisco routers.
If you have any questions or suggestions you can always leave your. Configuration and commands explained in this tutorial are essential commands to manage a cisco switch effectively. Cisco ip phones, by default, accept garp messages and update their arp cache whenever they receive a garp packet. Pdf hardening cisco devices based on cryptography and. Device hardening and recommendations russ smoak on april th, 2015, cisco psirt was made aware of multiple instances of customer disruption in a specific region caused by a denial of service attack against cisco devices.
The rest of this book discusses what it takes to harden a cisco router. Important note the guide bellow instructs how to secure cisco router switch. Sans institute 2001, author retains full rights key f ingerprint af19 fa 27 2f94 998d fdb5 de3d f8b5 06 e4 a169 4e 46 ble ners, and 3700 cisco net. The importance of router security and where routers fit into an overall security plan different router configurations for. Achieving ccnp enterprise certification proves your skills with enterprise networking solutions. This tutorial explains basic switch configuration commands in detail with examples. Cisco hardening free download as powerpoint presentation. Standard ways to access a cisco router and the security implications of each. Layer 2 switch security technical implementation guide cisco. Authentication protocol over lan eapol, cisco discovery protocol cdp. For switches that support booting from sdflash, security can be enhanced by booting from.
This document contains information to help you secure, or harden, your cisco nxos software system devices, which increases the overall security of your network. Cisco router and switch security hardening guide 1. An attacker located in the vlan of the ip phone can repeatedly send out garp packets announcing its mac address to be the mac address of the default gateway of the ip phone. Vanessa antoine patricia bosmajian daniel duesterhaus michael dransfield brian eppinger james houser. It is highly recommended to test each setting in a test lab before implementing changes to production systems. Not all commands will work on every device series routerswitch or on every ios. Chapter 7 routers and routing protocol hardening 155 securing cisco routers according to recommended practices 156. Would like to know by default what is the security or ha. Modify the cisco nexus password description default accounts and passwords are. The hardening of routers and switches require the configuration of the.
Now we need to put cisco router in front of asa, so it would be between my isp and asa. Hardening cisco devices based on cryptography and security protocols part one. Cisco hardening ip address transmission control protocol. Chapter 7 routers and router protocol hardening 155 part ii. It provides an overview of each security feature included in cisco. Not all commands will work on every device series router switch or on every ios version. This document covers information regarding security, hardening and testing of cisco ise. Examples of hardening methods include acls on the routers and vlans. An upgrade can be beneficial for security, but if done improperly it can leave a switch vulnerable. That infrastructure includes routers, route modules, switches and hubs. Install the latest stable version of the ios on each cisco switch. Ncp checklist cisco ios switch security configuration guide. Administrators can use it as a reminder of all the hardening features used and considered for a cisco ios device, even if a feature was not implemented because it did not apply. Security hardening checklist guide for cisco routersswitches in.
Router and switch security policy free use disclaimer. Cisco hardening guides for ios, iosxr and nxos devices. Center for internet security benchmark for cisco ios version 2. In the graphical user interface for managing your perimeter routers, cisco provides a security audit feature. This document will focus on the current supported releases of ise. Cisco systems capital, the cisco systems logo, cisco unity, collaboration without limitation, etherfast, etherswitch, event center, fast step, follow me browsing. This would be the minimum configuration for cisco devices. The amount of time for each stage is particular to the threat, or combination of threats, and its actors and targets. In this instruction will describes the best practices and security hardening configuration for a new cisco switch to secure it and also increases. If the router protecting a network is exposed to hackers, then so is the network behind it. Disable ip server and ip secureserver unless absolutely necessary. So outside interface with public ip address and security level 0 and inside interfaces with higher security levels. As the nexus platform has become a staple in the data center environment, securing the environment begins with the nexus operating system nxos.
Security hardening checklist guide for cisco routersswitches in 10 steps. Sections 4, 5, and 6 of this guide are designed for use with routers made by cisco systems, and running ciscos ios software. Switches and switch modules only configure switchport portsecurity on host ports and consider it for trunk ports switches and switch modules only ensure spanningtree bpduguard is enabled on all host ports. The importance of router security and where routers fit into an overall security plan. Now you have just done the security hardening for the newly installed cisco router and it should be enough for it to be ready for any services and configuration such as routing protocols or other services. The descriptions and examples in those sections were written with the assumption that the reader is familiar with basic cisco router operations and command syntax. Most of these tips can be applied to noncisco routers as well, but and you should always consult your vendor to see if it has more specific information. Appendix a provides a checklist that summarizes the steps necessary to harden a router and protect the network. Ccnp routing and switching route 300101 official cert guide.
81 1446 681 1173 209 155 590 1248 223 1004 161 652 641 247 1443 757 962 1421 1524 587 962 1128 1142 147 75 40 1140 733 1485 1004 721 326 858 905 712 1341