Cisco IOS Switch Security Configuration Guide
- network security, security architecture, switch security
Switches direct and control much of the data flowing across computer networks. This guide provides technical recommendations intended to help network administrators improve the security of their networks. Using the information presented here, the administrators can configure switches to control access, resist attacks, shield other network systems and protect the integrity and confidentiality of network traffic. Also, this guide can assist information security officers by describing the security issues related to critical systems (e.g., switches) which are part of their computer networks.
This guide was developed in response to numerous questions and requests for assistance received by the System and Network Attack Center (SNAC). The topics covered in the guide were selected on the basis of customer interest and on the SNAC’s background in securing networks. A major goal for this guide is to improve the security of the switches used on Department of Defense operational networks.
This guide presents network security at Layer 2 (Data Link) of the Open Systems Interconnection Reference Model (OSI RM). A network hierarchy is introduced that explains the types of switches used in a computer network. Then vulnerabilities and corresponding countermeasures are described for the following topics: operating system; passwords; management port; network services; port security; system availability; Virtual Local Area Networks; Spanning Tree Protocol; access control lists; logging and debugging; and authentication, authorization and accounting. Advanced topics are identified for future work for this guide.
A combined section of acronyms and glossary for terms used throughout this guide and a reference section are provided. Sample configuration files for two different models of Cisco switches are included that combine most of the countermeasures in this guide. Finally, a security checklist for Cisco switches summarizes the countermeasures.
Source: “Cisco IOS Switch Security Configuration Guide” developed by Switch Security Guidance Activity of the Systems and Network Attack Center – National Security Agency (SNAC-NSA) – June 21st, 2004 (Version 1)