[ppt]router/switch security - isaca · web viewtitle router/switch security author krawczyk, mark...
TRANSCRIPT
• Verify that management VLAN has been reassigned.
• Verify that operational VLANs do not have access to the management VLAN.
• Verify that the ports in the management VLAN are not configured as trunks.
• A trunk is a point-to-point link between two network devices that carries traffic for more than one VLAN.
• A trunk allows you to extend the VLANs across an entire network.
• A trunk does not belong to a specific VLAN, rather it is a conduit for VLANs between switches and routers.
• DTP is implemented by default on Cisco switches .• DTP automatically negotiates how the port will
operate, trunk or access mode. • By default, a Cisco Ethernet port's default DTP
mode is "dynamic desirable”, which enables a port to go to trunk mode automatically.
• Review the switch configuration to verify that DTP is disabled.
VTP is a Cisco-proprietary messaging protocol used to distribute VLAN configuration information over trunks.
A switch may be in one of three VTP modes: server, transparent and client.
In server mode administrators can create, modify and delete VLANs for the entire VTP management domain.
By default, VTP – no authentication and the switch is in VTP Server mode.
• If VTP is necessary, verify the following:• VTP management domain is established. • A strong password is assigned to the VTP
management domain.• Non-management switches are configured in
client mode.
• By auditing device for these basic hardening steps, overall security of the network can be improved.
• However, in all cases, a comprehensive review should be performed.
• Reference the works cited page for links to documented security configuration benchmarks and checklists.
Mark [email protected]
Router Security Guidance Activity of the System and Network Attack Center (SNAC), 2005 http://www.nsa.gov/ia/_files/routers/C4-040R-02.pdfCisco IOS Switch Security Configuration Guide, http://www.nsa.gov/ia/Center for Internet Security, http://benchmarks.cisecurity.org/downloads/audit-tools/US-Cert, https://www.us-cert.gov/security-publicationsInformation Assurance Support Environment, http://iase.disa.mil/stigs/SANS Institute InfoSec Reading Room - Cisco Router Hardening Step-by-Step www.sans.orgCisco Checklist - www.sans.orgConfiguring a Cisco Router with TACACS+ Authentication. http://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/13865-tacplus.htmlCisco Guide to Harden Cisco IOS Devices, Document ID: 13608 http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.htmlVarious Articles related to Cisco device security, http://www.ciscopress.com/articles/NIST – National Vulnerability Database http://web.nvd.nist.gov/ISACA – www.isaca.org