UNCLASSIFIED
Report Number: I33-010R-2004
Cisco IOS Switch
Security Configuration Guide
Switch Security Guidance Activity
of the
Systems and Network Attack Center (SNAC)
Authors:
A. Borza
D. Duesterhaus
C. Grabczynski
J. Johnson
R. Kelly
T. Miller
Date:
21 June 2004
Version: 1.0
National Security Agency
9800 Savage Road, Suite 6704
Fort Meade, MD 20755-6704
snac.guides@nsa.gov
Table of Contents
1 Introduction ........................................................................ 3
2 Network Hierarchy .................................................................. 5
3 Operating System ................................................................... 7
4 Passwords ......................................................................... 12
5 Management Port ................................................................... 13
6 Network Services .................................................................. 16
7 Port Security ..................................................................... 24
8 System Availability ............................................................... 29
9 Virtual Local Area Networks ....................................................... 31
10 Spanning Tree Protocol ........................................................... 38
11 Access Control Lists ............................................................. 40
12 Logging and Debugging ............................................................ 44
13 Authentication, Authorization, and Accounting .................................... 48
14 Advanced Topics .................................................................. 53
15 Sample Configuration Files ....................................................... 54
16 Acronyms and Glossary ............................................................ 79
17 References ....................................................................... 85
18 Cisco IOS Switch Security Checklist .............................................. 86
1 Introduction
1.1 Overview
Switches direct and control much of the data flowing across computer networks. This guide provides
technical recommendations intended to help network administrators improve the security of their
networks. Using the information presented here, the administrators can configure switches to control
access, resist attacks, shield other network systems and protect the integrity and confidentiality of network
traffic. Also, this guide can assist information security officers by describing the security issues related to
critical systems (e.g., switches) which are part of their computer networks.
This guide was developed in response to numerous questions and requests for assistance received by the
System and Network Attack Center (SNAC). The topics covered in the guide were selected on the basis
of customer interest and on the SNAC’s background in securing networks. A major goal for this guide is
to improve the security of the switches used on Department of Defense operational networks.
This guide presents network security at Layer 2 (Data Link) of the Open Systems Interconnection
Reference Model (OSI RM). A network hierarchy is introduced that explains the types of switches used
in a computer network. Then vulnerabilities and corresponding countermeasures are described for the
following topics: operating system; passwords; management port; network services; port security; system
availability; Virtual Local Area Networks; Spanning Tree Protocol; access control lists; logging and
debugging; and authentication, authorization and accounting. Advanced topics are identified for future
work for this guide. A combined section of acronyms and glossary for terms used throughout this guide
and a reference section are provided. Sample configuration files for two different models of Cisco
switches are included that combine most of the countermeasures in this guide. Finally, a security
checklist for Cisco switches summarizes the countermeasures.
1.2 Caveats
The guide focuses only on Cisco switches that use the Internetworking Operating System (IOS).
Specifically, the authors of this guide used IOS version 12.1 for all of the examples. Note that IOS
versions for switches are not necessarily identical to IOS versions for routers. Also, the guide deals only with
Ethernet, Fast Ethernet and Gigabit Ethernet media technologies. The intended audience for this guide is
those individuals who administer these switches in their organization’s networks. The guide presumes
that these administrators have at least a basic knowledge of these switches. The administrators should be
familiar with configuring the switches with the command line interface, including using commands in the
User Exec mode and in the Privileged Exec mode. The guide agrees with some settings on Cisco
switches that are enabled or disabled by default; for completeness the guide presents these settings along
with the other recommended settings. Note that some default settings will not appear normally in a listing
of the switch configuration file. The authors also assume that the administrator provides physical security
for each switch and allows only authorized personnel to access the switch.
Following the recommendations in this guide does not guarantee a secure environment or that the
administrator will prevent all intrusions. However, the administrator can achieve reasonable security by
establishing a good security policy, following the recommendations in this guide, staying current on the
latest developments in the hacker and security communities, and maintaining and monitoring all systems
with sound system administration practices. This includes awareness of application security issues that
are not comprehensively addressed in this guide. Finally, use the following references as additional
sources of guidance: Cisco’s IOS switch command reference [2]; SAFE, Cisco’s security blueprint for
enterprise networks [5]; Cisco’s Product Security Advisories and Notices [4]; and NSA’s Cisco Router
Security Configuration Guide for more details on the principles for securing systems that are part of a
network [11].
1.3 Acknowledgements
The authors would like to acknowledge the following personnel for their support to the development of
this guide: Neal Ziring and James Houser for their technical reviews, and the office and division
management within the System and Network Attack Center for their guidance and patience.
1.4 Feedback
This guide was created by a team of individuals in the System and Network Attack Center (SNAC),
which is part of the NSA Information Assurance Directorate. The editor was Daniel Duesterhaus.
Feedback about this guide may be directed to either of the following addresses.
Mail:
SNAC (Attn: Daniel Duesterhaus)
National Security Agency
9800 Savage Road, Suite 6704
Fort Meade, MD 20755-6704
E-Mail:
snac.guides@nsa.gov
1.5 Revision History
Version   Date          Status
0.9       16 Mar 2004   First complete draft by SNAC team
0.9a      7 May 2004    Draft updated from external review
0.9b      14 May 2004   Minor updates to draft
1.0       21 Jun 2004   First public release
1.6 Trademark Information
Cisco, IOS and SAFE are registered trademarks of Cisco Systems, Inc. in the U.S.A. and other countries.
All other names are trademarks or registered trademarks of their respective companies.
1.7 Warnings
This document is only a guide to recommended security countermeasures for Cisco IOS switches. It is
not meant to replace well-designed policy or sound judgment. This guide does not address site-specific
configuration issues. Care must be taken when implementing the countermeasures described in this
guide. Ensure that all countermeasures chosen from this guide are thoroughly tested and reviewed prior
to imposing them on an operational network.
2 Network Hierarchy
In a well-formed hierarchical network, there are three defined layers: access, distribution and core. In an
enterprise network, each layer provides different functions. Because these layers are not always known
by their traditional names, they are referred to here as access or workgroup, distribution or policy, and
core or backbone.
The access or workgroup layer connects users. Other functions of this layer are shared bandwidth,
switched bandwidth, Media Access Control (MAC) address filtering, and micro segmentation. Local area
network (LAN) switches exist most commonly in the access layer.
The distribution or policy layer performs the complex, processor-intensive calculations such as filtering,
inter-Virtual LAN routing, multicast tree maintenance, broadcast and multicast domain definition, and
address or area aggregation. This layer might also contain the local servers. Routers, LAN switches and
switches with routing capability reside in the distribution layer.
The core or backbone layer is the backbone of the network. It is high-speed and concerned with quick
traffic switching. It does not get involved in extensive packet manipulation. The central servers might
also be attached to the high-speed backbone in the core. Switch routers, high-speed routers and
occasionally LAN switches can be found in the core layer.
The following network diagram serves as a reference point for this guide. The two Cisco 3550 switches
at the top of the diagram operate at the access layer. The two Cisco 6500 switches provide combined
functionality for the distribution layer and the core layer. All of the recommended security
countermeasures in this guide will refer to this diagram. This diagram represents just one recommended
network architecture; there are several other architectures that are possible.