This chapter is easily one of the largest chapters in this book; however, it is also the most important. As I said when we started, routers and switches are your network infrastructure, and if you want to have a secure network infrastructure, you have to harden those devices.
As with all your other network devices, management, and more importantly secure management, is critical to maintaining a secure environment. You can have the most complex passwords imaginable, but if you are managing your device using Telnet, any decent hacker can gain access to that protected data. The most secure management mechanism leverages AAA for authentication, authorization, and accounting, and reinforces AAA through the use of secure protocols such as SSL to gain remote management access.
The next security task to tackle is to harden all services, processes, applications, protocols, and features running on your network device. Unfortunately, our network devices ship with a bevy of services that, in theory, are there to simplify their implementation and function, but in many cases they can be exploited with equal simplicity. Turn off any services you don't need, and for the services you do need, leverage whatever means of authentication and encryption is available to protect the device.
Once you have secured your routers, it is time to secure the functionality your routers provide through the use of HSRP redundancy, authentication of your routing protocols, and traffic management. In particular with your routing protocols, use only static routing for insecure network segments, such as DMZ and perimeter networks. You should also use your routers to control the flow of traffic throughout your network, making extensive use of ACLs and CBAC to filter unwanted traffic while granting permitted traffic in as secure a fashion as possible.
Working down the OSI model, the next device group to harden is your switches. You want to ensure that your VLANs are implemented in a secure fashion. Do not use the same switch for VLANs of different security-level networks (such as the internal network and the DMZ). Do not use the default VLAN (VLAN 1) in production anywhere on your network. Configure all your trunk ports with a native VLAN that is different from the VLANs used by the rest of your network devices. Finally, configure all switch ports as access ports, and configure as trunk ports only those ports that actually need to function as trunks. As with your routers, you also want to restrict any unnecessary services, disabling what you can and implementing authentication for all protocols and services that support authentication. Finally, disable any unnecessary ports, not only on your switches but on your routers as well. If something isn't plugged into the port right now, it should require change control to get you to enable the port.
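The router and switch checklists above lend themselves to an automated audit of a saved running-config. The script below is an added example, not code from the book; it parses a Cisco IOS-style configuration (global lines plus indented `interface`, `line` and `router` sections) and reports the points the chapter calls out: AAA not enabled, Telnet or cleartext HTTP still accepted for management, commonly unneeded services (CDP, finger, source routing, BOOTP) not explicitly disabled, HSRP groups without authentication, trunks left on native VLAN 1, access ports in VLAN 1, and ports whose mode was never pinned to `access`. The two configurations embedded in it are constructed samples, not captures from any real device, and the set of "expected disabled" services is an assumption you would tailor to your own baseline. Routing-protocol authentication, ACLs and CBAC are not covered by this script.

```python
"""Audit IOS-style running-configs for the hardening points in this chapter (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample router config (not from a real device): deliberately weak.
ROUTER_CONFIG = """\
hostname edge-rtr
no aaa new-model
service finger
ip http server
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 standby 1 ip 192.0.2.254
line vty 0 4
 transport input telnet ssh
 password cisco
"""

# Constructed sample access-switch config (not from a real device): mostly hardened.
SWITCH_CONFIG = """\
hostname access-sw1
aaa new-model
no cdp run
no service finger
no ip source-route
no ip bootp server
no ip http server
ip http secure-server
interface GigabitEthernet0/1
 switchport mode trunk
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 1
interface GigabitEthernet0/3
 switchport access vlan 20
interface GigabitEthernet0/4
 description Unused
 switchport mode access
 switchport access vlan 20
 shutdown
line vty 0 4
 transport input ssh
"""

SECTION_PREFIXES = ("interface ", "line ", "router ")
# Assumed baseline of services that should be explicitly disabled; adjust to your own standard.
EXPECTED_DISABLED = ("no cdp run", "no service finger", "no ip source-route", "no ip bootp server")


def parse_ios(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into global lines and {section header: [indented sub-lines]}."""
    global_lines: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(SECTION_PREFIXES):
            current = line
            sections[current] = []
        else:
            current = None
            global_lines.append(line)
    return global_lines, sections


def audit(config: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means no issues found."""
    g, sections = parse_ios(config)
    findings: List[str] = []
    # Management plane: AAA, cleartext HTTP, Telnet on the vty lines.
    if "aaa new-model" not in g:
        findings.append("AAA not enabled (missing 'aaa new-model')")
    if "ip http server" in g:
        findings.append("cleartext HTTP management enabled ('ip http server')")
    for name, lines in sections.items():
        if name.startswith("line vty"):
            ti = next((l for l in lines if l.startswith("transport input")), None)
            # IOS default transport input permits Telnet, so a missing line is also a finding.
            if ti is None or "telnet" in ti or ti.endswith("all"):
                findings.append(f"{name}: Telnet permitted ({ti or 'default transport input'})")
    # Unneeded services that the baseline says must be explicitly turned off.
    for expected in EXPECTED_DISABLED:
        if expected not in g:
            findings.append(f"service still enabled (missing '{expected}')")
    # Per-interface checks: HSRP authentication and switchport/VLAN hygiene.
    for name, lines in sections.items():
        if not name.startswith("interface "):
            continue
        iface = name.split(" ", 1)[1]
        for l in lines:
            m = re.match(r"standby (\d+) ip ", l)
            if m and not any(x.startswith(f"standby {m.group(1)} authentication") for x in lines):
                findings.append(f"{iface}: HSRP group {m.group(1)} without authentication")
        if "shutdown" in lines:
            continue  # administratively down ports are the desired state for unused ports
        if "switchport mode trunk" in lines:
            native = next((l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan")), "1")
            if native == "1":
                findings.append(f"{iface}: trunk uses native VLAN 1")
        elif any(l.startswith("switchport") for l in lines):
            if "switchport mode access" not in lines:
                findings.append(f"{iface}: switchport mode not set to access (DTP may negotiate a trunk)")
            access_vlan = next((l.split()[-1] for l in lines if l.startswith("switchport access vlan")), "1")
            if access_vlan == "1":
                findings.append(f"{iface}: access port in default VLAN 1")
    return findings


if __name__ == "__main__":
    for label, cfg in (("router", ROUTER_CONFIG), ("switch", SWITCH_CONFIG)):
        print(f"== {label} ==")
        for f in audit(cfg):
            print(" -", f)
```

Running the script reports eight findings for the sample router (no AAA, HTTP and Telnet management, four services not disabled, and an unauthenticated HSRP group) and three for the sample switch (a trunk on native VLAN 1, an access port in VLAN 1, and a port whose mode was never set to `access`); the shut-down unused port is correctly treated as compliant.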
By following these procedures, you can greatly reduce the risk and threats to your environment.