Switch / Router Hardening Basics

There is no doubt that hardening any device or service is crucial for an IT environment. Network device hardening is one step toward securing the whole environment, and it is important to follow the guidelines carefully to avoid a security breach.

Jan 4, 2023 - 15:20
Jan 9, 2023 - 16:57

Network infrastructure devices are among the enterprise assets that play an important role in security and therefore need to be protected and configured accordingly. Yet many forget about the security of network devices, and sometimes they are installed with out-of-the-box configurations. Instead of putting effort into securing network devices, the focus goes to servers, applications and so on.

Firewalls, intrusion detection systems and servers are also part of network security, but this article focuses only on switches and routers.

Part 0 - Attack Types

To design and keep your network environment secure, network administrators should be aware of the common attack types:

  1. VLAN hopping,
  2. CAM flooding,
  3. MAC address spoofing,
  4. STP spoofing,
  5. DHCP “starvation”,
  6. DHCP spoofing,
  7. ARP spoofing,
  8. IP spoofing,
  9. Traffic flooding,
  10. Denial of Service,
  11. Routing protocol spoofing

Part 1 - Steps to Follow

Create a hardening guide for your environment and update it as required. Here are the hardening steps for network security:

  1. Place the network devices in a secure environment,
  2. Do not miss updates and patches for OS and services,
  3. Disable all unused router/switch interfaces, services and ports,
  4. Disable all unused management protocols,
  5. Disable the techniques for re-directing your traffic,
  6. Disable features to block reconnaissance attacks,
  7. Ensure security of terminal connections,
  8. Define a password policy and follow it at all times,
  9. Create role-based access control (RBAC),
  10. Disable IP-directed broadcast,
  11. Disable SNMP completely or run SNMPv3,
  12. Use HTTPS instead of HTTP,
  13. Remove Telnet and any other service that is already accepted as insecure,
  14. Enable logging and keep / check the logs,
  15. Create VLANs and secure them to avoid VLAN attacks,
  16. Enable SSHv3 or TLS to securely communicate to remote network devices,
  17. Disable Echo Protocol,
  18. Disable legacy protocols such as the Chargen and Discard protocols,
  19. Disable FTP or make sure it is secured,
  20. Disable ICMP messages in order to block network mapping.

Part 2 - How To Do It?

     *** The following commands are for Cisco devices. The information and opinions contained are provided "as is" and without any warranties or guarantees.

     1. Keep the passwords encrypted and create a separate account for each user:

    • username [user1] secret [password]
      username [user2] secret [password]
      username [user3] secret [password]

     2. Create an enable secret password:

    • enable secret [password]

     3. Lock out logins after repeated password failures:

    • aaa new-model
      aaa local authentication attempts max-fail [attempts]
      aaa authentication login default local

     4. No service password-recovery

    • no service password-recovery

     5. Disable BOOTP (DHCP Enabled)

    • ip dhcp bootp ignore

     6. Disable DNS lookups

    • no ip domain-lookup

     7. Disable HTTP

    • no ip http server
      ! "ip http secure-server" is the HTTPS server; keep it only if HTTPS management is actually used (see step 12 of Part 1)

     8. Block configuration from network

    • no service config

     9. Disable CDP

    • no cdp run

     10. Disable LLDP

    • no lldp run

     11. EXEC timeout

    • line con 0
      exec-timeout [minutes] [seconds]
      line vty 0 4
      exec-timeout [minutes] [seconds]

     12. Management Interface Use

    • interface Loopback0
      ip address 192.168.1.1 255.255.255.0

     13. Memory Reservation

    • memory reserve critical [kilobytes]

     14. Reserve Memory for Console Access

    • memory reserve console 4096

     15. NTP Settings

    • ntp authenticate
      ntp authentication-key 5 md5 ciscotime
      ntp trusted-key 5
      ntp server 172.16.1.5 key 5

     16. Port Security

    • interface [interface]
      switchport
      switchport mode access
      switchport port-security
      switchport port-security mac-address sticky
      switchport port-security maximum [max-addresses]
      switchport port-security violation [protect | restrict | shutdown]

     17. Restrict management access

    • access-list 10 permit 192.168.1.0 0.0.0.15
      line vty 0 15
      access-class 10 in

     18. Enable Logging

    • configure terminal
      logging trap 6
      logging buffered 5
      service timestamps log datetime msec show-timezone
      logging host 192.168.1.105
      logging source-interface ethernet 1/0

     19. Secure SNMP

    • access-list 11 permit 192.168.1.0 0.0.0.15
      access-list 12 permit 192.168.1.1
      snmp-server community stringtowrite RO 11
      snmp-server community stringtowrite2 RW 12
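The Part 2 commands above describe what a hardened running-config should contain. The following Python script, added here as an example and not part of the original article or of any Cisco tooling, parses a constructed "show running-config" text and reports which of those items (steps 2 to 19, numbered as in Part 2) are not met: missing global lines such as "enable secret" and "no cdp run", a plain HTTP server left on, SNMP communities not bound to an access-list, access ports without port-security, and console/vty lines without an exec-timeout, without an inbound access-class, or still accepting Telnet. The sample config, the check patterns and the finding messages are assumptions of this example; which lines appear in a running-config depends on platform defaults (for example whether LLDP shows up as "lldp run"), so confirm any finding against the device's own show commands.

```python
"""Constructed example: audit Cisco IOS running-config text against the
Part 2 hardening items. Not the article's own tooling; sample data is made up."""
import re
from typing import List, Tuple

# Constructed 'show running-config' output (not from a real device), left
# partly unhardened so the audit has findings to report.
SAMPLE_CONFIG = """\
service timestamps log datetime msec show-timezone
no service password-recovery
enable secret 5 $1$PLACEHOLDER
aaa new-model
aaa authentication login default local
no ip domain-lookup
ip http server
no ip http secure-server
no cdp run
!
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
!
interface GigabitEthernet0/2
 switchport mode access
!
access-list 10 permit 192.168.1.0 0.0.0.15
snmp-server community public RO
snmp-server community rwstring RW 12
logging host 192.168.1.105
ntp authenticate
!
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 10 0
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input telnet
!
end
"""

# Global lines that must be present / must be absent (step numbers from Part 2).
REQUIRED = [
    (r"^enable secret ", "no 'enable secret' configured (step 2)"),
    (r"^aaa new-model$", "AAA not enabled (step 3)"),
    (r"^no service password-recovery$", "password recovery still enabled (step 4)"),
    (r"^no ip domain-lookup$", "DNS lookups enabled (step 6)"),
    (r"^no cdp run$", "CDP enabled (step 9)"),
    (r"^ntp authenticate$", "NTP authentication off (step 15)"),
    (r"^service timestamps log datetime", "log timestamps missing (step 18)"),
    (r"^logging host ", "no remote syslog host (step 18)"),
]
FORBIDDEN = [
    (r"^ip http server$", "plaintext HTTP server enabled (step 7)"),
    (r"^service config$", "loading config from the network enabled (step 8)"),
    (r"^lldp run$", "LLDP explicitly enabled (step 10)"),
]
SNMP_RE = re.compile(r"^snmp-server community \S+ (RO|RW)(?: (\S+))?$")


def parse_config(text: str) -> Tuple[List[str], List[Tuple[str, List[str]]]]:
    """Split config into top-level lines and (header, sub-commands) blocks.
    Indented lines belong to the preceding 'interface'/'line' header; a '!'
    separator or any other top-level line ends the block."""
    top, blocks, current = [], [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif raw.startswith(" "):
            if current is not None:
                current.append(raw.strip())
        else:
            top.append(raw.strip())
            current = [] if raw.startswith(("interface ", "line ")) else None
            if current is not None:
                blocks.append((raw.strip(), current))
    return top, blocks


def audit_config(text: str) -> List[str]:
    """Return one finding per hardening item the config does not meet."""
    top, blocks = parse_config(text)
    findings = [msg for pat, msg in REQUIRED if not any(re.match(pat, ln) for ln in top)]
    findings += [msg for pat, msg in FORBIDDEN if any(re.match(pat, ln) for ln in top)]
    for ln in top:
        m = SNMP_RE.match(ln)
        if m and m.group(2) is None:  # community string not restricted by an ACL
            findings.append(f"SNMP {m.group(1)} community without access-list (step 19)")
    for header, sub in blocks:
        if header.startswith("interface "):
            if "switchport mode access" in sub and not any(
                    s.startswith("switchport port-security") for s in sub):
                findings.append(f"{header}: access port without port-security (step 16)")
            continue
        # line con/aux/vty blocks
        if not any(s.startswith("exec-timeout") for s in sub):
            findings.append(f"{header}: no exec-timeout (step 11)")
        if header.startswith("line vty") and not any(
                s.startswith("access-class") and s.endswith(" in") for s in sub):
            findings.append(f"{header}: no inbound access-class (step 17)")
        for s in sub:
            if s.startswith("transport input") and ("telnet" in s or s.endswith(" all")):
                findings.append(f"{header}: telnet accepted ('{s}') (step 13)")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against the output of "show running-config" saved to a file (replace SAMPLE_CONFIG with the file contents) as part of a periodic compliance check; a clean result is an empty list, and each finding names the Part 2 step that fixes it. The checks are deliberately literal string matches so they are easy to extend with further items from Part 1, such as "no service tcp-small-servers".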


References:

  • Cisco Press
  • Cisco Hardening Guides
  • NSA Cybersecurity Information
  • CBT Nuggets
