This guide was developed in response to numerous questions and requests for assistance received by the System and Network Attack Center (SNAC).  The topics covered in the guide were selected on the basis of customer interest and on the SNAC’s background in securing networks.  A major goal for this guide is to improve the security of the switches used on Department of Defense operational networks.

This guide presents network security at Layer 2 (Data Link) of the Open Systems Interconnection Reference Model (OSI RM).  A network hierarchy is introduced that explains the types of switches used in a computer network.  Then vulnerabilities and corresponding countermeasures are described for the  following topics:  operating system; passwords; management port; network services; port security; system availability; Virtual Local Area Networks; Spanning Tree Protocol; access control lists; logging and debugging; and authentication, authorization and accounting.  Advanced topics are identified for future work for this guide.

A combined section of acronyms and glossary for terms used throughout this guide and a reference section are provided.  Sample configuration files for two different models of Cisco switches are included that combine most of the countermeasures in this guide.  Finally, a security checklist for Cisco switches summarizes the countermeasures.

Source: “Cisco IOS Switch Security Configuration Guide” developed by Switch Security Guidance Activity of the Systems and Network Attack Center – National Security Agency (SNAC-NSA) – June 21st, 2004 (Version 1)