When you receive a new Cisco switch it is insecure out of the box, so here are a few things you might want to think about before you use it in a production environment.
1. Set an enable password with “(config)#enable secret 0 cisco12345”; using secret encrypts the password with a strong MD5 hash.
2. Encrypt any plain-text passwords with “(config)#service password-encryption”.
3. Use the interface range command on your access interfaces and enable spanning-tree portfast and switchport mode access in one go with the handy command “(config-if)#switchport host”; this also disables EtherChannel on those ports.
4. Still inside the range, you can use “(config-if)#spanning-tree bpduguard enable”; this shuts the port down should a bogus switch be plugged into any of those ports and start sending BPDUs. You can also enable it globally on all PortFast ports with “(config)#spanning-tree portfast bpduguard default”.
5. A simple yet effective practice is to never use VLAN 1 for anything unless you really need to.
6. Use a blackhole VLAN, some obscure unused VLAN such as 999, and put all unused ports in it, so that an attacker who plugs into an unused port gets access to nothing; or simply shut unused ports down until they are needed.
7. Use port security to restrict the number of MAC addresses you expect to see on a port; for example, on a normal data/voice port you would expect one PC and one VoIP phone. Set the limit with “(config-if)#switchport port-security maximum 2”, then enable it on the port with “(config-if)#switchport port-security”. If more than two MAC addresses are seen on the port, the port is disabled. There are other, more granular options for this command, so investigate them and use what suits you.
8. Create a local user with “(config)#username admin_cisco privilege 15 secret 0 cisco54321”.
9. Secure your console and VTY lines: under line console 0 and line vty 0 15, use “(config-line)#login authentication local”. Note that the login authentication form requires AAA (aaa new-model); without AAA the equivalent is “(config-line)#login local”.
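As an added example that is not part of the original post, here is a small Python audit that reads a saved show running-config and reports which of the items above are missing (enable secret, BPDU guard, port security, unused ports shut down or not left on VLAN 1, and a login on the VTY lines). The sample configuration it checks is constructed; the interface names and the hash placeholder are made up.

```python
SAMPLE_CONFIG = """\
enable secret 5 $1$EXAMPLE$placeholderhash
spanning-tree portfast bpduguard default
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security maximum 2
 switchport port-security
interface GigabitEthernet0/2
interface GigabitEthernet0/3
 switchport access vlan 999
 shutdown
line vty 0 15
 login local
"""  # constructed sample running-config, not taken from any real device

def parse_blocks(config):
    """Split an IOS config into global lines and {section header: [child lines]}."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:  # indented child of a block
            blocks[current].append(raw.strip())
        elif raw.startswith(("interface ", "line ")):
            current = raw.strip()
            blocks[current] = []
        elif raw.strip() and not raw.startswith("!"):
            top.append(raw.strip())
            current = None
    return top, blocks

def audit(config):
    """Return one finding per missing hardening item; an empty list means all present."""
    top, blocks = parse_blocks(config)
    findings = []
    if not any(l.startswith("enable secret") for l in top):
        findings.append("no enable secret configured")
    global_guard = any(l.endswith("bpduguard default") for l in top)  # global BPDU guard
    for name, lines in blocks.items():
        if name.startswith("interface ") and "shutdown" not in lines:  # shut ports are fine
            if not global_guard and "spanning-tree bpduguard enable" not in lines:
                findings.append(f"{name}: no BPDU guard")
            if not any(l.startswith("switchport port-security") for l in lines):
                findings.append(f"{name}: no port-security")
            vlan = next((l.split()[-1] for l in lines if l.startswith("switchport access vlan")), "1")
            if vlan == "1":
                findings.append(f"{name}: access port left on VLAN 1")
        elif name.startswith("line vty") and not any(l.startswith("login") for l in lines):
            findings.append(f"{name}: no login configured")
    return findings
```

Run audit() over the text of a real running-config and an empty list means every item on the list above is present; each finding names the interface or line that still needs attention.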
These steps are simple and easy, and hopefully you will think about using them to secure your device. This list is not exhaustive, so do some further research.
RH