5.7 Restricting Access to Switches


Throughout this chapter, ways of securing the access and core infrastructures have been discussed, and one common theme has emerged: the best way to secure a switching infrastructure is to prevent attackers from gaining access to it in the first place.

The first step in preventing access to switches is to disable unused ports. If an attacker cannot pass traffic while plugged into a network jack, it is hard for them to do damage. Sometimes it is impractical to leave unused ports disabled, as in the conference room example. In cases where a port cannot be disabled, restrict access to that port based on MAC address. To increase security in common areas, consider keeping those rooms locked when not in use. If you use key cards, or some other sort of automated security system, to keep areas within your building secure, consider adding conference rooms to the list of secured areas. This requires users to scan themselves into the room when they want to use it, which hopefully limits access to authorized personnel, and it generates a log for network administrators to follow if a security breach originates from one of these common areas.

It is not enough to restrict physical and port-level access to the switch. As with routers, you also have to restrict who can administer the switch and the methods they can use. To maximize security, start by disabling any web (HTTP) management interface on the switch, unless it allows configuration over an SSL connection (as of this writing there are no switch vendors that allow this). Enable SSH access to the switch, and disable telnet. Foundry and Extreme switches allow you to use SSH, and Cisco allows SSH on the Catalyst 2900 and above series. Check with your switch vendor to determine the proper method for setting up SSH on the switches in your network.

Most switches do not support ACLs the way routers do, but if you are using multilayer switches in the core of your network you can generally configure ACL-type restrictions on switch ports. Use these restrictions to allow administration of a switch from only a single port.

In fact, many companies use a combination of ACLs and VLANs to create a separate management network. This management network is used to carry network updates and topology changes. By isolating this traffic you add an additional layer of security. It also makes it easier to track, log, and isolate network anomalies, because you do not have to track every change in the network, only those that occur within the management VLAN.

Finally, don't forget about passwords. Keep switch passwords secure, and restrict them to as few people as possible. Set not only access and superuser passwords, but console passwords as well. If you lock your switches in a secure area, as recommended, it is unlikely that someone will access the switch directly; but if someone does gain physical access, don't make it easy for them to get into the switch.
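The hardening steps above (shut unused ports, pin ports that must stay up to a MAC address, disable the web interface and telnet, limit remote administration to the management network, and set console and superuser passwords) can be checked mechanically. The following Python script is an added example, not code from the book or from any switch vendor: it parses a Cisco IOS-style configuration and reports each of those weaknesses. Both configurations embedded in it are constructed for the example (the MAC address, host addresses and password values are placeholders), the parser understands only the small subset of IOS syntax they use, and it assumes that a port without a `description` is unused.

```python
"""Audit a Cisco IOS-style switch configuration for the access controls
discussed above. Added example, not code from the book; both configurations
are constructed, and the parser understands only the IOS subset they use."""

# Constructed "before" configuration exhibiting every weakness checked.
WEAK_CONFIG = """\
ip http server
!
interface FastEthernet0/2
 description conference room jack
!
interface FastEthernet0/3
!
line con 0
 login
!
line vty 0 4
 password letmein
 login
 transport input telnet ssh
"""

# Constructed "after" configuration: HTTP off, SSH only and only from the
# management host, unused port shut, conference jack pinned to one MAC,
# console and enable passwords set (all values are placeholders).
HARDENED_CONFIG = """\
enable secret EnablePlaceholder
no ip http server
ip ssh version 2
access-list 10 permit host 10.99.0.10
!
interface FastEthernet0/2
 description conference room jack
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
!
interface FastEthernet0/3
 shutdown
!
line con 0
 password ConsolePlaceholder
 login
!
line vty 0 4
 access-class 10 in
 transport input ssh
 password VtyPlaceholder
 login
"""

def parse_sections(config):
    """Return top-level commands and, per command, its indented sub-lines."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":          # '!' ends the current section
            current = None
        elif raw.startswith(" ") and current is not None:
            sections[current].append(line)
        else:
            global_lines.append(line)
            current = line
            sections.setdefault(current, [])
    return global_lines, sections

def audit(config):
    """Return one finding per weakness; an empty list means every check passed."""
    global_lines, sections = parse_sections(config)
    findings = []
    if "ip http server" in global_lines:          # web interface must be off
        findings.append("global: HTTP management interface enabled")
    if not any(l.startswith("enable secret") for l in global_lines):
        findings.append("global: no enable secret (superuser password)")
    for header, body in sections.items():
        has = lambda prefix: any(l.startswith(prefix) for l in body)
        if header.startswith("interface ") and "Vlan" not in header:
            if "shutdown" in body or "switchport mode trunk" in body:
                continue  # disabled, or an uplink that has to stay open
            # Assumption: a port without a description is unused and must be
            # shut; a described port may stay up but must be pinned to one MAC.
            if not has("description"):
                findings.append(f"{header}: unused port not shut down")
            elif not has("switchport port-security mac-address"):
                findings.append(f"{header}: active port not restricted by MAC")
        elif header.startswith("line con") and not has("password"):
            findings.append(f"{header}: no console password")
        elif header.startswith("line vty"):
            transport = next((l for l in body if l.startswith("transport input")), "")
            # Without a "transport input" line, telnet is still accepted.
            if not transport or {"telnet", "all"} & set(transport.split()):
                findings.append(f"{header}: telnet permitted for remote login")
            if not has("access-class"):
                findings.append(f"{header}: remote login not limited to management hosts")
    return findings

if __name__ == "__main__":
    print(*audit(WEAK_CONFIG), sep="\n")
```

Run against the weak configuration it reports seven findings, one per item the text calls out; against the hardened one it reports none. On a real network the same checks would be run over configurations pulled from the switches themselves, and the "unused port" heuristic replaced by whatever inventory records which jacks are in service.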

The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
Year: 2002
Pages: 131
Authors: Allan Liska
