Cisco IOS Switch Hardening Template - NETSEC


Learning, Sharing, Creating

Cybersecurity Memo

Thursday, October 15, 2015

Cisco IOS Switch Hardening Template

Here is my template for access layer switches in my environment. Some of blue color words will need to replace with your specific information. Red words will be the explanation for next commands. Some commands may only apply to certain devices. Not all commands will work on every device series (router/switch) or on every IOS version. Always test it first before apply them to your production devices.

version 15.0

!Without service nagle on a Cisco router, each character in a Telnet !session is a separate CPU interrupt. Hence, a command such as show !tech will force a large number of CPU interrupts, impacting the !performance of the router.
service nagle
!SERVICE PAD :The packet assembler/disassembler (PAD) service !supports X.25 links. This service is on by default, but it is not !needed unless your router is using X.25. Disable it from global !configuration mode as shown below.
no service pad
!TCP-KEEPALIVES-IN and TCP-KEEPALIVES-OUT: if you are going to !permit remote administration via Telnet, enable TCP keepalive !services. These services will cause the router to generate periodic !TCP keepalive messages, thus allowing it to detect and drop !orphaned (broken) TCP connections to/from remote systems. Using !this service does not remove the need for setting an exec-timeout !time as recommended above.
service tcp-keepalives-in
service tcp-keepalives-out
no service password-recovery
!Configure Service Timestamps for Debug and Log Messages:
service timestamps debug datetime msec show-timezone localtime
service timestamps log datetime msec show-timezone localtime
! Set and secure passwords:
service password-encryption
service sequence-numbers
!Disable DHCP server:
no service dhcp
ip dhcp bootp ignore
hostname SW-HW-DC-1
logging console critical
logging monitor informational
logging buffered 163840 debugging
!Set Enable and User Password with Secret:
enable secret 0 1qaz2wsx!.
username swadmin1 secret 0 1q2w3e4r!
! localit user only can show running configuration
username localit secret Cisco1234
username localit privilege 15 autocommand show running
! localadmin user can do more troubleshooting and run 'show config'
username localadmin privilege 7 secret Cisco1234
privilege exec level 7 show config
!Configure AAA service:
aaa new-model
!Configure AAA Authentication for Login
aaa authentication login default local group radius group tacacs+
aaa authentication login CONAUTH local group tacacs+
aaa authentication login VTYAUTH local group tacacs+
!Configure AAA Authentication for Enable Mode:
aaa authentication enable default enable group radius group tacacs+
aaa authorization console
aaa authorization exec default local group radius group tacacs+ 
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 5 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
system mtu routing 1500
!Disable IP source-route:
no ip source-route
no ip gratuitous-arps
!Disable Router Name and DNS Name Resolution:
no ip domain-lookup
ip domain-name sw.hw
login block-for 120 attempts 5 within 60
login quiet-mode access-class 101
login on-failure log
login on-success log
vtp domain sw.hw
vtp mode transparent
!Catch crash dumps; very important with a "security switch."
ip ftp username switchftp
ip ftp password Cisco1234
! Give our core dump files a unique name.
exception core-file secure-switch01-core
exception protocol ftp

exception dump
!Logging and archive the commands 
  log config
  logging enable
  logging size 200
  notify syslog
  path flash:backup-
  maximum 8
spanning-tree mode pvst
spanning-tree loopguard default
spanning-tree portfast default
spanning-tree portfast bpduguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree uplinkfast
spanning-tree backbonefast
spanning-tree vlan 1,10,100,1000 priority 28672
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
vlan internal allocation policy ascending
vlan 10
vlan 100
vlan 1000
 name NATIVE
!Configure SSH for Remote Access:
Crypto Key Generate RSA General-keys modulus 2048
ip ssh time-out 10
ip ssh authentication-retries 5
ip ssh logging events
ip ssh version 2
interface Port-channel1
 switchport trunk allowed vlan 1,10,100-1000
 switchport trunk native vlan 1000
 switchport mode trunk
 spanning-tree bpduguard disable
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
!Configure switch port-security:
 switchport port-security
 switchport port-security violation shutdown
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 no cdp enable
interface GigabitEthernet0/2
 no cdp enable
interface GigabitEthernet0/3
 description Connecting SW Core Layer
 switchport trunk allowed vlan 1,10,100-1000
 switchport trunk native vlan 1000
 switchport mode trunk
 channel-group 1 mode desirable
 spanning-tree bpduguard disable
 no cdp enable
interface Vlan1
 description DefaultVLAN-Do not use it.
 no ip route-cache
interface Vlan10
 description Management
 ip address
 no ip route-cache
interface Vlan100
 ip address
 standby 100 ip
 standby 100 priority 200
ip default-gateway
no ip http server
no ip http secure-server
ip http access-class 23
!ip access-list standard remark SNMP ACL
ip access-list standard snmp-Allow
 deny any log
logging esm config
logging trap debugging
access-list 101 remark VTY Access ACL
access-list 101 permit ip any log-input
access-list 101 deny ip any any log-input
!You also could use ip access-list command to edit 101 access-list
snmp-server group SNMPv3-RO v3 priv read ReadView-All access snmp-Allow
!Write SNMPv3 permission is not necessary. This is just for configuration example
!snmp-server group SNMPv3-RW v3 priv read ReadView-All write WriteView-All access snmp-Allow
snmp-server group NetService-RO v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F 
snmp-server view ReadView-All iso included
snmp-server view ReadView-All internet included
snmp-server view ReadView-All system included
snmp-server view ReadView-All interfaces included
snmp-server view ReadView-All snmpUsmMIB excluded
snmp-server view ReadView-All snmpVacmMIB excluded
snmp-server view ReadView-All snmpCommunityMIB excluded
snmp-server view ReadView-All ip.21 excluded
snmp-server view ReadView-All ip.22 excluded
snmp-server view ReadView-All chassis included
snmp-server view WriteView-ALL iso included
snmp-server view WriteView-All iso included
snmp-server view WriteView-All internet included
snmp-server view WriteView-All system included
snmp-server view WriteView-All interfaces included
snmp-server view WriteView-All snmpUsmMIB excluded
snmp-server view WriteView-All snmpVacmMIB excluded
snmp-server view WriteView-All snmpCommunityMIB excluded
snmp-server view WriteView-All ip.21 excluded
snmp-server view WriteView-All ip.22 excluded
snmp-server view WriteView-All chassis included
snmp-server community SNMPCO RO
snmp-server location US-HW
snmp-server contact IT-HP
!It is best to define trap details here to reduce resource usage
snmp-server enable traps 
snmp-server host version 3 priv NetService-RO 
radius-server host auth-port 1812 key q1w2e3!
!tacacs server

! key 7 01300F175804575D7218
!If you do not have Tacacs server, please donot implement those above two commands since it will cause slow CLI responding issue.
banner motd #
* This is a private computing facility.                        *
* Unauthorized use of this device is strictly prohibited.      *
* Violators will be prosecuted to the maximum extent possible. *
*                                                              *
* TACACS+ Authentication and Accounting are in place.          *
* All actions/commands are monitored and recorded.             *
* By using the network you expressly consent to such           *
* monitoring and recording.                                    *
line con 0
!Configure AAA Authentication for Local Console Line:
 login authentication CONAUTH
 exec-timeout 5 0
 logging synchronous
line vty 0 4
 access-class 101 in
!Configure Timeout for Login Sessions:
 exec-timeout 5 0
 logging synchronous
!Configure SSH Access:
 transport input ssh
 login authentication VTYAUTH
monitor session 1 source vlan 100 - 1000
monitor session 1 destination interface Gi1/0/13
ntp logging
ntp master 3
ntp server

1 comment: