transport input ssh command. The default is
transport input all. SSH requires a local username
database, an IP domain name, and an RSA key pair to be generated.

    Switch(config)# username Joe password User
    Switch(config)# ip domain-name sshtest.lab
    Switch(config)# crypto key generate rsa
    Switch(config)# line vty 0 15
    Switch(config-line)# login local
    Switch(config-line)# transport input ssh

Now you will need an application on the workstation
that supports SSH, such as SecureCRT or PuTTY.
8.6 Securing Network Switches
8.6.4 vty ACLs

Cisco provides ACLs to permit or deny Telnet
access to the vty ports of a switch. Cisco devices vary in the
number of vty ports that are available by default. When
configuring vty ACLs, ensure that all default ports are removed
or have a specific vty ACL applied. Telnet filtering is
normally considered an extended IP ACL function because it is
filtering a higher level protocol. However, because the
access-class command filters incoming Telnet sessions by
source address and applies filtering to vty lines, you can use
standard IP ACL statements to control vty access. The
access-class command also applies standard IP ACL
filtering to vty lines for outgoing Telnet sessions originating
from the switch. You can apply vty ACLs to any combination of
vty lines. You can apply the same ACL to all vty lines or
specifically to each vty line. The most common practice is to
apply the same ACL to all vty lines.
8.6.5 Applying ACLs to vty Lines

To configure vty ACLs on a Cisco switch,
create a standard IP ACL and apply it to the vty interfaces.
Different from applying an ACL to a data interface, apply it to
a vty line or range of lines with the access-class
command. Consider this example. Permission is granted to any
device on network 192.168.1.0/24 to establish a virtual
terminal (Telnet) session with the switch. Of course, the user
must know the appropriate passwords to enter user mode and
privileged mode. Identical restrictions have been set on every
vty line, because the line on which the vty user connects
cannot be controlled. The implicit deny any statement at the
end of the access list still applies to the ACL when it is used
as an access-class entry.

    Switch(config)# access-list 12 permit 192.168.1.0 0.0.0.255
    Switch(config)# line vty 0 15
    Switch(config-line)# access-class 12 in

Note: The actual number of vty lines depends on
the platform and the Cisco IOS software being run.
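The following Python script is an added example, not Cisco IOS code and not part of this course page. It evaluates a standard IP ACL the way access-class applies it to a vty line: entries are tried in order, the first match decides, and a source address that matches nothing falls through to the implicit deny at the end of the list. The ACL text is constructed from the page's access-list 12 with one extra deny entry added so that first-match ordering is visible.

```python
"""Evaluate a Cisco standard IP ACL as access-class applies it to vty lines.
Added example (not Cisco IOS code): wildcard-mask matching, first match wins,
implicit deny for anything unmatched."""
import ipaddress

# Constructed sample: the page's access-list 12 plus one extra deny entry
# (host 192.168.1.99, wildcard 0.0.0.0) to show that order matters.
SAMPLE_ACL = """
access-list 12 deny 192.168.1.99 0.0.0.0
access-list 12 permit 192.168.1.0 0.0.0.255
"""


def parse_standard_acl(text):
    """Return {acl_number: [(action, network_int, wildcard_int), ...]}.
    Handles 'any', 'host A.B.C.D', and 'A.B.C.D W.W.W.W' source forms."""
    acls = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        number, action, source = parts[1], parts[2], parts[3]
        if source == "any":
            net, wild = 0, 0xFFFFFFFF
        elif source == "host":
            net, wild = int(ipaddress.IPv4Address(parts[4])), 0
        else:
            net = int(ipaddress.IPv4Address(source))
            wild = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        acls.setdefault(number, []).append((action, net, wild))
    return acls


def acl_decision(entries, source_ip):
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit
    is ignored. Returns 'permit' or 'deny'; no match is the implicit deny."""
    addr = int(ipaddress.IPv4Address(source_ip))
    for action, net, wild in entries:
        care = ~wild & 0xFFFFFFFF          # bits the entry actually compares
        if (addr & care) == (net & care):
            return action                  # first matching entry wins
    return "deny"                          # implicit 'deny any' at the end


def vty_access(acl_text, acl_number, source_ip):
    """Decision for a vty connection attempt from source_ip under the ACL
    applied with 'access-class <acl_number> in'."""
    entries = parse_standard_acl(acl_text).get(acl_number, [])
    return acl_decision(entries, source_ip)


if __name__ == "__main__":
    for ip in ("192.168.1.10", "192.168.1.99", "10.0.0.5"):
        print(f"{ip:>14} -> {vty_access(SAMPLE_ACL, '12', ip)}")
```

Running it shows 192.168.1.10 permitted, 192.168.1.99 denied by the explicit entry that precedes the permit, and 10.0.0.5 denied by the implicit deny even though no deny line names it; that last case is the one the text warns about, and it is also why an ACL that is applied to only some vty lines leaves the remaining lines unfiltered rather than denied.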
8.6.6 Best Practices for Switch Security

Network
security vulnerabilities include loss of privacy, data theft,
impersonation, and loss of integrity. Basic security measures
should be taken on every network to mitigate adverse effects of
user negligence or acts of malicious intent. The following
steps are required whenever placing new equipment in service:
Step 1 Consider or establish organizational security policies.
Step 2 Secure switch devices.
Step 3 Secure switch protocols.
Step 4 Mitigate compromises launched through a switch.
You should consider the policies of
an organization when determining which level and type of
security to implement. You must balance the goal of reasonable
network security with the administrative overhead of extremely
restrictive security measures. A well-established security
policy has these characteristics:
- Provides a process for auditing existing network security
- Provides a general security framework for implementing network security
- Defines disallowed behaviors toward electronic data
- Determines which tools and procedures are needed for the organization
- Communicates consensus among a group of key decision-makers and defines
  the responsibilities of users and administrators
- Defines a process for handling network security incidents
- Enables an enterprise-wide, all-site security implementation and
  enforcement plan

Follow these best practices for secure switch access:
- Set system
passwords: Use the enable secret command to set the
password that grants enabled access to the Cisco IOS system.
Because the enable secret command simply implements a
Message Digest 5 (MD5) hash on the configured password, that
password still remains vulnerable to dictionary attacks.
Therefore, apply standard practices in selecting a feasible
password. Try to pick passwords that contain letters, numbers,
and special characters, for example, “$pecia1$” instead of
“specials,” where the “s” has been replaced by “$,” and the “l”
has been replaced with "1" (one).
- Secure access to the console: Console access requires a minimum
level of security both physically and logically. An individual
who gains console access to a system can recover or reset the
system-enable password, thus allowing that person to bypass all
other security implemented on that system. Consequently, it is
imperative to secure access to the console.
- Secure access to vty lines: The minimum recommended steps for
securing Telnet access are:
  - Apply the basic ACL for in-band access to all vty lines.
  - Configure a line password for all configured vty lines.
- Use SSH: The SSH protocol and application provide a
secure remote connection to a switch. It encrypts all traffic,
including passwords, between a remote console and a switch.
Because SSH sends no traffic in clear text, network
administrators can conduct remote access sessions that casual
observers cannot view. The SSH server in Cisco IOS software
works with publicly and commercially available SSH
clients.
- Configure system-warning banners: For
both legal and administrative purposes, displaying a
system-warning banner prior to login is a convenient and
effective way of reinforcing security and general usage
policies. By clearly stating the ownership, usage, access, and
protection policies before a login, you provide more solid
backing for potential future prosecution.
- Disable unneeded services: By default, Cisco devices implement
multiple TCP and User Datagram Protocol (UDP) servers to
facilitate management and integration into existing
environments. For most installations, these services are
typically not required, and disabling them can greatly reduce
overall security exposure. These commands disable services not
typically used:

    no service tcp-small-servers
    no service udp-small-servers
    no service finger
    no service config

- Disable the integrated HTTP daemon if not in use: Although Cisco IOS
  software provides
an integrated HTTP server for management, it is highly
recommended that it be disabled to minimize overall exposure.
If HTTP access to the switch is absolutely required, use basic
ACLs to permit access from only trusted subnets.
- Configure basic logging: To assist and simplify
problem troubleshooting and security investigations, monitor
the switch subsystem information received from the logging
facility. View the output in the on-system logging buffer
memory. To render the on-system logging useful, increase the
default buffer size.
Follow these best practices for switch security:
- Use CDP only as needed: CDP
does not reveal security-specific information, but it is
possible for an attacker to exploit this information in a
reconnaissance attack, whereby an attacker learns device and IP
address information for the purpose of launching other types of
attacks. Two practical guidelines should be followed for
CDP.
  - If CDP is not required, or the device is located in an unsecure
    environment, disable CDP globally on the device.
  - If CDP is required, disable CDP on a per-interface basis on ports
    connected to untrusted networks.
Because CDP is a link-level protocol, it is not transient