Transcript Slide #9

• Verify that the management VLAN has been reassigned.
• Verify that operational VLANs do not have access to the management VLAN.
• Verify that the ports in the management VLAN are not configured as trunks.
• A trunk is a point-to-point link between two network devices that carries traffic for more than one VLAN.
• A trunk allows you to extend VLANs across an entire network.
• A trunk does not belong to a specific VLAN; rather, it is a conduit for VLANs between switches and routers.
• DTP is implemented by default on Cisco switches.
• DTP automatically negotiates how the port will operate: trunk or access mode.
• By default, the DTP mode of a Cisco Ethernet port is "dynamic desirable", which allows the port to go to trunk mode automatically.
• Review the switch configuration to verify that DTP is disabled.

• VTP is a Cisco-proprietary messaging protocol used to distribute VLAN configuration information over trunks.
• A switch may be in one of three VTP modes: server, transparent and client.
• In server mode, administrators can create, modify and delete VLANs for the entire VTP management domain.
• By default, VTP uses no authentication and the switch is in VTP server mode.
• If VTP is necessary, verify the following:
  • A VTP management domain is established.
  • A strong password is assigned to the VTP management domain.
  • Non-management switches are configured in client mode.
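A small config-audit script for the DTP and VTP checks above (and the management-VLAN trunk check from the first slide), added here as an example and not part of the slides. It runs over a constructed IOS config excerpt and assumes that VLAN 99 is the management VLAN, that DTP counts as disabled only when a port carries `switchport nonegotiate`, and that the VTP domain, mode and password appear as `vtp ...` lines in the text being audited (on many platforms these live in vlan.dat and must be collected from `show vtp status` and `show vtp password` instead).

```python
import re

# Constructed IOS config excerpt (not from the slides); VLAN 99 is assumed to be the management VLAN.
SAMPLE_CONFIG = """\
vtp domain AUDITLAB
vtp mode server
!
interface GigabitEthernet0/1
 switchport mode dynamic desirable
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 99
 switchport nonegotiate
!
interface GigabitEthernet0/3
 switchport mode trunk
 switchport access vlan 99
!
"""

def parse_interfaces(config):
    # Map each 'interface X' stanza to its indented sub-commands
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas

def audit(config, mgmt_vlan):
    # Return a list of findings; an empty list means every check passed
    findings = []
    # VTP: domain established, password set, non-management switches in client mode
    if not re.search(r"^vtp domain \S+", config, re.M):
        findings.append("no VTP management domain configured")
    if not re.search(r"^vtp password \S+", config, re.M):
        findings.append("no VTP domain password configured")
    if re.search(r"^vtp mode server", config, re.M):
        findings.append("switch is in VTP server mode (the default)")
    for name, cmds in parse_interfaces(config).items():
        # DTP stays on unless the port is explicitly 'switchport nonegotiate';
        # dynamic modes cannot carry nonegotiate, so they always fail this check
        if "switchport nonegotiate" not in cmds:
            findings.append(f"{name}: DTP not disabled")
        if "switchport mode trunk" in cmds and f"switchport access vlan {mgmt_vlan}" in cmds:
            findings.append(f"{name}: management VLAN port configured as a trunk")
    return findings
```

Running `audit(SAMPLE_CONFIG, 99)` on the constructed excerpt reports the missing VTP password, the default server mode, DTP left enabled on Gi0/1 and Gi0/3, and Gi0/3 as a management-VLAN port configured as a trunk.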
By auditing devices for these basic hardening steps, the overall security of the network can be improved. However, in all cases, a comprehensive review should be performed. Reference the works cited page for links to documented security configuration benchmarks and checklists.
Mark Krawczyk
[email protected]
Router Security Guidance Activity of the System and Network Attack Center (SNAC), 2005, http://www.nsa.gov/ia/_files/routers/C4-040R-02.pdf
Cisco IOS Switch Security Configuration Guide, http://www.nsa.gov/ia/
Center for Internet Security, http://benchmarks.cisecurity.org/downloads/audit-tools/
US-CERT, https://www.us-cert.gov/security-publications
Information Assurance Support Environment, http://iase.disa.mil/stigs/
SANS Institute InfoSec Reading Room, Cisco Router Hardening Step-by-Step, www.sans.org
Cisco Checklist, www.sans.org
Configuring a Cisco Router with TACACS+ Authentication, http://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controlleraccess-control-system-tacacs-/13865-tacplus.html
Cisco Guide to Harden Cisco IOS Devices, Document ID: 13608, http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
Various articles related to Cisco device security, http://www.ciscopress.com/articles/
NIST National Vulnerability Database, http://web.nvd.nist.gov/
ISACA, www.isaca.org