In this lesson we will talk about some of the security concerns regarding network switches and what we can do to minimize the risk of our network being compromised. We will learn some of the basic security features that we can implement to secure our Cisco network environment.
Overview of Switch Security
Many organizations erect firewalls and sophisticated edge devices to stop security attacks from the outside world. Routers and switches that are internal to the organization have a minimal security configuration because they are designed to accommodate communications within the campus network.
These days, many employees are given notebooks so that they can work from home or in the office. But with this mobility comes a very serious threat, because the user's home may not have the same level of security protection as the organization. Home users may get infected with viruses and Trojan horse programs, which they then bring back to the office when they come into work. Because the viruses and Trojan horses are emanating from inside the network, the edge devices will not be able to stop this internal chaos. As such, we need to implement the necessary security features on the switches and internal routers to guard against potential malicious attacks from within the organization.
- These are some of the recommended practices that you should follow when placing new equipment and services.
- You should consider or establish organizational security policies, such as having a process for auditing your network devices, as well as a general security framework for securing them. We should also have a set of policies that govern usage of the network equipment.
- Secure the switch devices by securing switch access and switch protocols, and by mitigating compromises launched through a switch.
- To secure access to the switch, we should set up system passwords, such as through the use of enable secret, which will make sure that privileged mode is only given to authorized users.
- We should also secure access to the console port, because the console port allows a user to bypass our security implementation by doing things like password recovery. So we have to make sure that physical access to the console is restricted. This can be done by keeping the physical switches in a locked cabinet or a secure location, such as a data center.
- To stop unauthorized remote logical connections, we have to make sure that we secure our Telnet access. But one of the weaknesses of Telnet is that the data are still passed in cleartext, so whenever possible we should replace Telnet with SSH.
- For ease of management, Cisco enables HTTP services on the network devices, but for security reasons we should disable these HTTP services on the switch.
- We should also set up the necessary warning messages to deter potential hackers from wandering into our equipment.
- A lot of legacy services have been left running in the background over the years as a default option. For security reasons, we should disable all of these legacy services if we are not using them.
- We should implement some basic logging features for troubleshooting and security investigation.
- We should consider disabling CDP on ports that do not need CDP running.
- We should also secure our spanning tree to ensure that our Spanning Tree Protocol does not get compromised by an external unauthorized switch pretending to be the root device. To mitigate compromises through a switch, we should take precautions for our trunk links.
- For convenience, Cisco switches automatically negotiate trunk capabilities. But a hacker can forge this negotiation and become a trunk link, thereby gaining access to all VLANs. As such, we should disable automatic negotiation of trunking and manually enable trunk links only where required.
- To minimize physical port access, we should shut down all unused ports. Furthermore, all unused ports should be assigned to an unused VLAN so that, even if a hacker manages to enable the port, it is in an isolated VLAN that goes nowhere. For used ports, we should set up features like port security to ensure that only authorized devices access the ports.
Port security restricts port access by identifying the user's MAC address. One of the secondary capabilities of port security is that it can restrict the number of MAC addresses entering the port.
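The following Cisco IOS configuration is an added example that puts the checklist above and the port security paragraph into one switch configuration; it is not part of the original lesson. The hostname, domain name, syslog address, VLAN 999, the interface ranges and the password values are assumed placeholders, and the commented lines mark which recommendation each section implements.

```cisco
! Added hardening example for the practices listed above; not from the original lesson.
! Hostname, domain, IP addresses, VLAN 999, interface ranges and passwords are assumed.
!
! --- Privileged access: hashed "enable secret" rather than the plaintext "enable password" ---
enable secret Placeh0lderEnableSecret
service password-encryption
!
! --- Console: still require a login, even though physical access is restricted ---
line console 0
 password Placeh0lderConsolePw
 login
 exec-timeout 5 0
!
! --- Remote access: SSH only, Telnet disabled ---
hostname SW-ACCESS-1
ip domain-name example.local
! "crypto key generate rsa modulus 2048" is typed once in config mode; it is not stored as a line
ip ssh version 2
username netadmin secret Placeh0lderAdminSecret
line vty 0 15
 login local
 transport input ssh
 exec-timeout 5 0
!
! --- Disable the HTTP management services ---
no ip http server
no ip http secure-server
!
! --- Warning message shown before login ---
banner motd ^
Authorized users only. Activity on this device is monitored and logged.
^
!
! --- Legacy services that are on by default and rarely needed ---
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip bootp server
no service pad
!
! --- Basic logging: timestamps, local buffer and a syslog host (address assumed) ---
service timestamps log datetime msec localtime
logging buffered 64000
logging host 192.0.2.10
!
! --- User-facing access ports 1-20: no CDP, no DTP, BPDU guard, port security ---
spanning-tree portfast bpduguard default
interface range GigabitEthernet1/0/1 - 20
 description User access port
 switchport mode access
 switchport nonegotiate
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
! --- Ports 21-22 face downstream switches: manual trunk, no DTP, root guard so they can never
!     introduce a new root bridge ---
interface range GigabitEthernet1/0/21 - 22
 description Trunk to downstream switch
 switchport mode trunk
 switchport nonegotiate
 spanning-tree guard root
!
! --- Port 23 is unused: shut down and parked in an isolated VLAN ---
vlan 999
 name UNUSED-BLACKHOLE
interface GigabitEthernet1/0/23
 description Unused
 switchport mode access
 switchport access vlan 999
 shutdown
!
! --- Port 24 is the uplink toward the root bridge: manual trunk, no DTP, no root guard here ---
interface GigabitEthernet1/0/24
 description Uplink
 switchport mode trunk
 switchport nonegotiate
```

Root guard is placed on the ports facing other switches that must never become root, not on the uplink toward the real root, where it would block the legitimate root bridge. After applying the configuration, `show port-security interface GigabitEthernet1/0/1`, `show spanning-tree summary` and `show ip ssh` confirm that the port limits, BPDU guard and SSH version 2 are in effect.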
802.1X Port-Based Authentication
A more advanced security feature in the Cisco switch is 802.1X port-based authentication. Clients have to pass a logical authentication before they can access the network through the switch ports.
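The Cisco IOS configuration below is an added example of enabling 802.1X port-based authentication on the user-facing ports; it is not from the original lesson. The RADIUS server name, address and shared key and the interface range are assumed placeholders, and the interface syntax shown is the newer `authentication port-control` form (older releases use `dot1x port-control auto` instead).

```cisco
! Added 802.1X example; not from the original lesson. RADIUS server name, address,
! shared key and interface range are assumed values.
!
! AAA must be on, and 802.1X authentication requests are sent to the RADIUS server
aaa new-model
aaa authentication dot1x default group radius
!
radius server NAC-RADIUS-1
 address ipv4 192.0.2.20 auth-port 1812 acct-port 1813
 key Placeh0lderRadiusKey
!
! Global enable; without it the per-interface commands do nothing
dot1x system-auth-control
!
! User-facing ports: the switch is the authenticator and forwards only EAPOL
! frames until the client (supplicant) has been authenticated by RADIUS
interface range GigabitEthernet1/0/1 - 20
 switchport mode access
 authentication port-control auto
 authentication host-mode single-host
 dot1x pae authenticator
 dot1x timeout tx-period 10
!
! Uplinks and server ports keep the default force-authorized state, so 802.1X
! is not applied there
```

`show dot1x all` and `show authentication sessions` display, per port, whether a client is authenticated and which identity RADIUS returned, which is the first place to look when a user reports that a port is not passing traffic.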