Switches

Switches are simpler to configure, in part because they are less sophisticated and have fewer functions to manage and secure. Nonetheless, again it is a case of securing access and securing services and management, plus the added task of securing ports.

Securing Access

As with your routers, all switches should use strong passwords and, wherever possible, require AAA for authentication and authorization (and use accounting to record who logs in and does what). One of the differences between the router and switch security settings is that, with switches, you can enable Telnet when (for instance) the user is authenticated by TACACS+, but you can disable Telnet when the user is authenticated against the switch's local database. You should also specify the addresses permitted to create a Telnet connection (along with the addresses permitted for any other type of management connection, for that matter).

Securing Services and Management

Fewer unneeded services run by default on a switch. Therefore, turning them off requires fewer commands: set cdp disable and set ip http server disable. The rationale is no different from that on the routers; there is simply no need for these devices to offer these services.

You do need to enable the management protocols that you intend to use: Again, these are NTP and (possibly) SNMP; as always, with the latter, use a read-only community. The SNMP community name for your network management should follow the same rules as for a strong password: at least eight characters, mixed uppercase and lowercase alphabetic characters, and use of numbers and special characters. In this case, like all the others we have mentioned, specify the server's IP address to be sure that you are the one managing the switch and getting its reports.

You should turn on logging and specify the server's address, and include time stamping. Finally, as on your routers, you should create an opening banner designating the switch as your asset, for business use only.

Securing Ports

Of course, one of the big differences between a router and a switch is the number of ports. But if a hacker who gains physical access to a switch drops one more cable into an open port, would someone notice? Possibly not. That's why the SAFE Blueprint strongly advises disabling all unused ports in the switch configuration file.

Another very useful feature of switches is the capability to group ports into a virtual LAN, a VLAN. Conversation between hosts in the same VLAN occurs at Layer 2, whereas outside the VLAN it must go through decapsulation and recapsulation at Layer 3. However, traffic from multiple VLANs can share one port via trunking (for transit to a router, for instance, where Layer 3 filtering can take place). If so, that link (a trunk) now can carry many hosts' traffic and is a prime candidate for sniffing or carrying injected traffic. Switch ports can be set to automatically respond to a request to trunk, which could defeat part of your security design. For security purposes, they should be set to have trunking off (instead of on automatic) unless you specifically need it enabled. This ensures that you carry multiple VLAN traffic only when you choose to do so.

Also, especially on every switch that attaches to servers, ensure that port redirection is prevented. Each VLAN can be protected via the no ip redirects command. We discussed using private VLANs in Chapter 6, "The SAFE Security Blueprint," if you need to review this.
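As an added illustration (not from the book), a small Python audit that reads a switch configuration and reports the gaps this section lists: CDP or the HTTP server left on, no NTP, syslog server or banner, a read-write or weak SNMP community, ports left open or set to negotiate trunking, and VTY lines with no address restriction. The IOS-style command syntax, the sample configuration and the idle-port heuristic are my assumptions, not the book's.

```python
import re
# Constructed sample with several weaknesses the section warns about (IOS-style syntax assumed).
SAMPLE_CONFIG = """\
no ip http server
ntp server 10.0.0.5
logging 10.0.0.50
snmp-server community public RW
interface FastEthernet0/1
 description trunk to core router
 switchport mode dynamic desirable
interface FastEthernet0/3
line vty 0 4
 login authentication default
"""
# Global lines the section calls for: satisfying prefix -> finding reported when absent.
REQUIRED_GLOBALS = {"no cdp run": "CDP not disabled", "no ip http server": "HTTP server on",
                    "ntp server ": "no NTP server", "logging ": "no syslog server", "banner ": "no banner"}
# The text's strong-password rule applied to the community name: 8+, mixed case, digit, special.
STRONG_COMMUNITY = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{8,}$")

def parse_stanzas(config):
    """Map each top-level config line to its indented sub-lines (empty list if none)."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        elif raw.strip():
            current = raw.strip()
            stanzas[current] = []
    return stanzas

def audit_switch_config(config):
    """Return (where, finding) pairs for gaps against this section's checklist."""
    stanzas = parse_stanzas(config)
    findings = [("global", msg) for prefix, msg in REQUIRED_GLOBALS.items()
                if not any(k.startswith(prefix) for k in stanzas)]
    for k, sub in stanzas.items():
        m = re.match(r"snmp-server community (\S+) (RO|RW)", k)
        if m and m.group(2) == "RW":
            findings.append((k, "SNMP community is read-write"))
        if m and not STRONG_COMMUNITY.match(m.group(1)):
            findings.append((k, "SNMP community name is weak"))
        if k.startswith("interface "):
            idle = not any(s.startswith(("description", "switchport access vlan")) for s in sub)
            if idle and "shutdown" not in sub:  # heuristic: an unused port left open
                findings.append((k, "idle port not shut down"))
            if any(s.startswith("switchport mode dynamic") for s in sub):
                findings.append((k, "trunk negotiation left on automatic"))
        if k.startswith("line vty") and not any(s.startswith("access-class") for s in sub):
            findings.append((k, "VTY access not restricted by address"))
    return findings
```

Running audit_switch_config(SAMPLE_CONFIG) lists seven findings; the same run against a configuration that adds no cdp run and a banner and swaps the community for a strong read-only one leaves only the port and VTY items.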



CCSP CSI Exam Cram 2 (Exam Cram 642-541)
ISBN: 0789730243
Year: 2002
Pages: 177
Authors: Annlee Hines
