Cisco IOS Switch Security Configuration Guide

Name | Cisco IOS Switch Security Configuration Guide
Version | v1.0
Status | Final
Creation Date | 2004-03-16
Revision Date | 2004-06-21
Product Category | Network Switch
Vendor | Cisco Systems
Product | Cisco Catalyst Switch Internetwork Operating System (IOS) v12.1
Product Version | v1.0
Product Role | Ethernet LAN Switch
Checklist Summary |

This guide provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented here, administrators can configure switches to control access, resist attacks, shield other network systems, and protect the integrity and confidentiality of network traffic. The guide can also assist information security officers by describing the security issues related to critical systems (e.g., switches) that are part of their computer networks.

This guide was developed in response to numerous questions and requests for assistance received by the Systems and Network Attack Center (SNAC). The topics covered were selected on the basis of customer interest and the SNAC's background in securing networks. A major goal for this guide is to improve the security of the switches used on Department of Defense operational networks.

This guide presents network security at Layer 2 (Data Link) of the Open Systems Interconnection Reference Model (OSI RM). A network hierarchy is introduced that explains the types of switches used in a computer network. Vulnerabilities and corresponding countermeasures are then described for the following topics: operating systems; passwords; management ports; network services; port security; system availability; Virtual Local Area Networks (VLANs); Spanning Tree Protocol (STP); access control lists; logging and debugging; and authentication, authorization and accounting (AAA). Advanced topics are identified for future work on this guide. A combined acronym list and glossary for terms used throughout the guide and a reference section are provided. Sample configuration files for two different models of Cisco switches are included that combine most of the countermeasures in this guide. Finally, a security checklist for Cisco switches summarizes the countermeasures.
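To give a concrete sense of the countermeasure categories the summary lists (passwords, management ports, network services, port security, VLANs, STP, ACLs, logging, AAA), here is an added illustrative Cisco IOS 12.1-style configuration fragment. It is not taken from the guide, its sample configuration files, or Cisco documentation; the host addresses (10.1.1.x), VLAN numbers, interface ranges, and the angle-bracket secrets are assumed placeholders and must be replaced with site-specific values. Test any of this on a non-operational switch first, as the Disclaimer below requires.

```text
! --- Passwords and management access (assumed placeholder secrets) ---
service password-encryption
enable secret <strong-enable-secret>
username admin secret <strong-user-secret>
ip domain-name example.net
! "crypto key generate rsa modulus 2048" is run once from privileged EXEC, not stored in config
ip ssh version 2
no ip http server
! Restrict management sessions to an assumed management subnet and log everything else
ip access-list standard MGMT-HOSTS
 permit 10.1.1.0 0.0.0.255
 deny   any log
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 5 0
 login local
banner motd ^ Authorized use only. Activity is monitored and logged. ^

! --- Unneeded network services ---
no cdp run
no ip source-route
no service finger
no service tcp-small-servers
no service udp-small-servers

! --- Port security and STP edge protection on access ports (assumed range) ---
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
 no cdp enable

! --- VLAN hygiene on the uplink trunk: no DTP, explicit VLAN list, unused native VLAN ---
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 spanning-tree guard root

! --- Logging, time synchronization, and AAA (assumed server addresses) ---
service timestamps log datetime msec localtime show-timezone
logging buffered 16384
logging 10.1.1.50
logging trap informational
ntp server 10.1.1.51
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
tacacs-server host 10.1.1.52
tacacs-server key <shared-tacacs-secret>
```

The `local` fallback in the AAA lines keeps console access working if the TACACS+ server is unreachable; `deny any log` on the management ACL makes unauthorized management attempts visible in the syslog stream. The guide itself covers each of these areas in far more depth and with platform-specific syntax for the two switch models it includes.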
Known Issues |
Target Audience |

The intended audience for this guide is the individuals who administer these switches in their organization's networks. The guide presumes that these administrators have at least a basic knowledge of the switches and are familiar with configuring them from the command line interface, including using commands in User EXEC mode and Privileged EXEC mode. The authors also assume that the administrator provides physical security for each switch and allows only authorized personnel to access it.
Target Operational Environment | Enterprise-wide distribution.
Checklist Installation Tools |
Rollback Capability | Not Available
Testing Information | The security configuration guide has been extensively tested in lab and operational environments.
NIAP/CMVP Status |
Regulatory Compliance |
Comments, Warnings, Disclaimer, Miscellaneous | Refer to Known Issues.
Disclaimer |

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. Security configuration guides are provided for the Department of Defense and other government agencies requiring security configuration guidelines. The guides contain recommended security settings. They are not intended to replace well-structured policy or sound judgment. The guides do not address site-specific configuration issues. Care must be taken when implementing the guides to address local operational and policy concerns. All security changes described in the guides are applicable only to specifically identified operating systems or architecture components and should not be applied to any other operating system or architecture components.
Product Support | Not Available
Submitting Organization/Authors | National Security Agency
Point of Contact | SNAC.Guides@nsa.gov
Sponsor |
Licensing | Refer to the legal statement provided at: switch-guide-version1_01.pdf
Checklist Homepage | http://www.nsa.gov/ia/
Download Package | switch-guide-version1_01.pdf
Integrity |
SHA1 (switch-guide-version1_01.pdf) = cc8f70dc3e474a96b582f65d32bc1b38cfd140a5
SHA256 (switch-guide-version1_01.pdf) = c18285997e0bca83d6d44167d725b348e2cbcc81cfc39ff96858b0d31ccf1b44
Change History |
v0.9, 2004-03-16
v0.9a, 2004-05-07
v0.9b, 2004-05-14
v1.0, 2004-06-21

Dependency/Requirement |
References |

The following references were cited throughout this document:

@stake, Secure Use of VLANs: An @stake Security Assessment, August 2002.
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/stake_wp.pdf

Cisco Systems, Catalyst 3550 Multilayer Switch Command Reference, 12.1(19)EA1.
http://www.cisco.com/en/US/products/hw/switches/ps646/products_command_reference_book09186a00801cdef8.html

Cisco Systems, Cisco IOS Security Configuration Guide, Release 12.2.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/cc_ipsec.htm

Cisco Systems, Cisco Product Security Advisories and Notices.
http://www.cisco.com/go/psirt/

Cisco Systems, Cisco SAFE: A Security Blueprint for Enterprise Networks.
http://www.cisco.com/go/safe/

Cisco Systems, Firewall Services Module (FWSM).
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/ps4452/prodlit/fwsm_ds.htm
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/ps4452/index.shtml

Cisco Systems, Multi-Protocol Label Switching (MPLS).
http://www.cisco.com/en/US/tech/tk436/tk428/tech_protocol_family_home.html
http://www.cisco.com/en/US/tech/tk436/tk428/technologies_white_paper09186a00800a3e69.shtml

Cisco Systems, Understanding Cisco IOS ACL Support - Cisco Catalyst 6500 Series Switches.
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a00801609f6.html

Cisco Systems, Virtual LAN Security Best Practices.
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/vlnwp_wp.htm

Cisco Systems, Virtual Private Network Services Module (VPNSM).
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/ps4221/index.shtml
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/ps4221/prodlit/vpnsm_ds.htm

NSA, Router Security Configuration Guide, Version 1.1b, 5 December 2003.
http://www.nsa.gov/snac/routers/cisco_scg-1.1b.pdf

Passmore, David, and Freeman, John, The Virtual LAN Technology Report, 1996.
http://www.3com.com/nsc/200374.html

Taylor, David, "Are There Vulnerabilities in VLAN Implementations?", SANS Institute, July 2000.
http://www.sans.org/resources/idfaq/vlan.php
NIST Identifier | 1009
NIST and the checklist submitter do not guarantee or warrant the checklist's accuracy or completeness. NIST is not responsible for loss, damage, or problems that may be caused by using the checklist.