Cisco IOS Switch Hardening Template - NETSEC

Latest

Learning, Sharing, Creating

Cybersecurity Memo

Thursday, October 15, 2015

Cisco IOS Switch Hardening Template

Here is my template for access layer switches in my environment. Some of blue color words will need to replace with your specific information. Red words will be the explanation for next commands. Some commands may only apply to certain devices. Not all commands will work on every device series (router/switch) or on every IOS version. Always test it first before apply them to your production devices.

version 15.0


!Without service nagle on a Cisco router, each character in a Telnet !session is a separate CPU interrupt. Hence, a command such as show !tech will force a large number of CPU interrupts, impacting the !performance of the router.
service nagle
!SERVICE PAD :The packet assembler/disassembler (PAD) service !supports X.25 links. This service is on by default, but it is not !needed unless your router is using X.25. Disable it from global !configuration mode as shown below.
no service pad
!TCP-KEEPALIVES-IN and TCP-KEEPALIVES-OUT: if you are going to !permit remote administration via Telnet, enable TCP keepalive !services. These services will cause the router to generate periodic !TCP keepalive messages, thus allowing it to detect and drop !orphaned (broken) TCP connections to/from remote systems. Using !this service does not remove the need for setting an exec-timeout !time as recommended above.
service tcp-keepalives-in
service tcp-keepalives-out
no service password-recovery
!Configure Service Timestamps for Debug and Log Messages:
service timestamps debug datetime msec show-timezone localtime
service timestamps log datetime msec show-timezone localtime
! Set and secure passwords:
service password-encryption
service sequence-numbers
!Disable DHCP server:
no service dhcp
ip dhcp bootp ignore
!
hostname SW-HW-DC-1
!
boot-start-marker
boot-end-marker
!
logging console critical
logging monitor informational
logging buffered 163840 debugging
!Set Enable and User Password with Secret:
enable secret 0 1qaz2wsx!.
username swadmin1 secret 0 1q2w3e4r!
! localit user only can show running configuration
username localit secret Cisco1234
username localit privilege 15 autocommand show running
! localadmin user can do more troubleshooting and run 'show config'
username localadmin privilege 7 secret Cisco1234
!
privilege exec level 7 show config
!
!Configure AAA service:
aaa new-model
!
!Configure AAA Authentication for Login
aaa authentication login default local group radius group tacacs+
aaa authentication login CONAUTH local group tacacs+
aaa authentication login VTYAUTH local group tacacs+
!Configure AAA Authentication for Enable Mode:
aaa authentication enable default enable group radius group tacacs+
aaa authorization console
aaa authorization exec default local group radius group tacacs+ 
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 5 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting system default start-stop group tacacs+
!
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
system mtu routing 1500
!Disable IP source-route:
no ip source-route
no ip gratuitous-arps
!
!Disable Router Name and DNS Name Resolution:
no ip domain-lookup
ip domain-name sw.hw
login block-for 120 attempts 5 within 60
login quiet-mode access-class 101
login on-failure log
login on-success log
vtp domain sw.hw
vtp mode transparent
!
!Catch crash dumps; very important with a "security switch."
ip ftp username switchftp
ip ftp password Cisco1234
! Give our core dump files a unique name.
exception core-file secure-switch01-core
exception protocol ftp

exception dump 10.10.2.13
!Logging and archive the commands 
archive
  log config
  logging enable
  logging size 200
  notify syslog
  path flash:backup-
  write-memory
  maximum 8
!
spanning-tree mode pvst
spanning-tree loopguard default
spanning-tree portfast default
spanning-tree portfast bpduguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree uplinkfast
spanning-tree backbonefast
spanning-tree vlan 1,10,100,1000 priority 28672
!
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
!
vlan internal allocation policy ascending
!
vlan 10
!
vlan 100
!
vlan 1000
 name NATIVE
!Configure SSH for Remote Access:
Crypto Key Generate RSA General-keys modulus 2048
ip ssh time-out 10
ip ssh authentication-retries 5
ip ssh logging events
ip ssh version 2
!
interface Port-channel1
 switchport trunk allowed vlan 1,10,100-1000
 switchport trunk native vlan 1000
 switchport mode trunk
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
!Configure switch port-security:
 switchport port-security
 switchport port-security violation shutdown
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 no cdp enable
!
interface GigabitEthernet0/2
 shutdown
 no cdp enable
!
interface GigabitEthernet0/3
 description Connecting SW Core Layer
 switchport trunk allowed vlan 1,10,100-1000
 switchport trunk native vlan 1000
 switchport mode trunk
 channel-group 1 mode desirable
 spanning-tree bpduguard disable
 no cdp enable
!
......
!
interface Vlan1
 description DefaultVLAN-Do not use it.
 no ip route-cache
!
interface Vlan10
 description Management
 ip address 10.10.10.1
 no ip route-cache
!
interface Vlan100
 ip address 10.100.10.1 255.255.255.0
 standby 100 ip 10.100.10.3
 standby 100 priority 200
!
ip default-gateway 10.10.10.254
no ip http server
no ip http secure-server
ip http access-class 23
!
!ip access-list standard remark SNMP ACL
ip access-list standard snmp-Allow
 permit 10.0.0.0 0.255.255.255
 deny any log
!
logging esm config
logging trap debugging
logging 10.10.10.15
access-list 101 remark VTY Access ACL
access-list 101 permit ip 10.10.0.0 0.0.255.255 any log-input
access-list 101 deny ip any any log-input
!You also could use ip access-list command to edit 101 access-list
!
snmp-server group SNMPv3-RO v3 priv read ReadView-All access snmp-Allow
!Write SNMPv3 permission is not necessary. This is just for configuration example
!snmp-server group SNMPv3-RW v3 priv read ReadView-All write WriteView-All access snmp-Allow
snmp-server group NetService-RO v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F 
snmp-server view ReadView-All iso included
snmp-server view ReadView-All internet included
snmp-server view ReadView-All system included
snmp-server view ReadView-All interfaces included
snmp-server view ReadView-All snmpUsmMIB excluded
snmp-server view ReadView-All snmpVacmMIB excluded
snmp-server view ReadView-All snmpCommunityMIB excluded
snmp-server view ReadView-All ip.21 excluded
snmp-server view ReadView-All ip.22 excluded
snmp-server view ReadView-All chassis included
snmp-server view WriteView-ALL iso included
snmp-server view WriteView-All iso included
snmp-server view WriteView-All internet included
snmp-server view WriteView-All system included
snmp-server view WriteView-All interfaces included
snmp-server view WriteView-All snmpUsmMIB excluded
snmp-server view WriteView-All snmpVacmMIB excluded
snmp-server view WriteView-All snmpCommunityMIB excluded
snmp-server view WriteView-All ip.21 excluded
snmp-server view WriteView-All ip.22 excluded
snmp-server view WriteView-All chassis included
!
!
snmp-server community SNMPCO RO
snmp-server location US-HW
snmp-server contact IT-HP
!
!It is best to define trap details here to reduce resource usage
snmp-server enable traps 
snmp-server host 10.10.10.25 version 3 priv NetService-RO 
!
radius-server host 10.10.10.35 auth-port 1812 key q1w2e3!
!
!tacacs server 10.10.1.8

! key 7 01300F175804575D7218
!If you do not have Tacacs server, please donot implement those above two commands since it will cause slow CLI responding issue.
!
banner motd #
****************************************************************
* This is a private computing facility.                        *
* Unauthorized use of this device is strictly prohibited.      *
* Violators will be prosecuted to the maximum extent possible. *
*                                                              *
* TACACS+ Authentication and Accounting are in place.          *
* All actions/commands are monitored and recorded.             *
* By using the network you expressly consent to such           *
* monitoring and recording.                                    *
****************************************************************
#
!
line con 0
!Configure AAA Authentication for Local Console Line:
 login authentication CONAUTH
 exec-timeout 5 0
 logging synchronous
line vty 0 4
 access-class 101 in
!Configure Timeout for Login Sessions:
 exec-timeout 5 0
 logging synchronous
!Configure SSH Access:
 transport input ssh
 login authentication VTYAUTH
!
!
monitor session 1 source vlan 100 - 1000
monitor session 1 destination interface Gi1/0/13
!
ntp logging
ntp master 3
ntp server 10.10.10.5

1 comment: