WS-C2960S-24TS-S and WS-C2960X-24TS-L Basic Security configuration.

Parth Maniar
Level 1

Greetings. I would like to start by apologizing, as I will require hand-holding given my lack of experience with Cisco (or any other) switches. I have absolutely no knowledge of switch security management, but I've been tasked with it given the shortage of personnel. I have a WS-C2960S-24TS-S and a WS-C2960X-24TS-L switch that need to be securely configured. I've done the basics of upgrading the firmware to the latest. Given my lack of any experience whatsoever, please include complete procedures.

 

I wanted step-by-step guidance on:

1. Locking down ports by MAC address.

2. DDoS protection.

3. Locking down login from all but 1 IP and only allowing browser-based SSL login. No Telnet, SSH or other method.

4. Shutting down any services on the switch.

5. Shutting down password recovery.

6. Enabling the highest supported encryption for sensitive data (passwords). While I'm posting this I've just read that level 7 encryption can be cracked.

 

Any other recommended security steps to secure the switch.

 

Thanks in advance,

Parth

1 Reply 1

AllertGen
Level 3

Hello,

1. Look at the command "switchport port-security" inside the interfaces (documentation: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/port_sec.pdf ).

2. There is not much you can do for DDoS protection. It also depends on the IOS version (is your IOS Lite or Base?). You can use the command from point 1, and also the "storm-control" commands (inside interface) and "switchport block [type]" (inside interface); if your IOS is not Lite you can also use ARP-spoofing protection and DHCP-spoofing protection.

3. To turn off SSH and Telnet:

line vty 0 4
 transport input none
exit

line vty 5 15
 transport input none
exit

To turn off HTTP access: no ip http server

To limit access to the HTTPS server to only 1 IP address:

access-list 1 remark ------- ACL for HTTPS access ------------------------
access-list 1 permit [permitted IP]
access-list 1 deny any log
access-list 1 remark ------- END of ACL for HTTPS access -----------------

ip http access-class 1

And for configuring the HTTPS server: http://www.cisco.com/c/en/us/td/docs/ios/termserv/command/reference/tsv_book/tsv_s1.pdf

4. Use the command "service ?" to see all possible services for your switch. With "no" before the command you can turn off every service that you don't need (for example "no service dhcp").

5. You can't shut it down, because you can only recover the password by rebooting the switch and pressing the "mode" button after this. Here is the procedure for password recovery: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-2950-series-switches/12040-pswdrec-2900xl.html

After reading it you can understand why you can't turn it off.

6. Yes, level 7 encryption can be cracked. So you can store your passwords as MD5. You can use the commands:

enable secret [password]
username [name] secret [password]

After this Cisco will store your password as an MD5 hash, and in the configuration you'll see it as "username [name] secret 5 [md5 hash]".

What else you can use for security matters:

- logging (the command "login on-failure log every [number of fails]" is a must!). Documentation: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swlog.html

Also you can use the configuration below to log all configuration changes:

archive
 log config
  ! "logging enable" is required; "archive / log config" alone does not start logging
  logging enable
 exit
exit

- turn off the LLDP and CDP protocols on the end-user-facing ports (you can google it).

- use SNMP to get the status of the switch and ports and analyse it for anomalies.

- use these commands inside interfaces: "spanning-tree guard root" (don't use this command on the ports where your other switches are connected) and "spanning-tree bpduguard enable" (use the second command if you are not planning to connect another switch to this port).

- use the command "switchport nonegotiate" on all ports.

- also you can use these commands:

no ip source-route

ip arp proxy disable

no ip icmp redirect
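The answer's points 1 to 6 and its extra recommendations, put together as one Catalyst 2960 configuration. This is an added example, not part of AllertGen's post or of Cisco's documentation. The interface numbers, VLAN IDs and 192.0.2.x addresses (the documentation range) are placeholders I assumed for illustration; check each command with `?` on your own image, because the LAN Lite IOS on the 2960S lacks some of these features, and keep the access ports in a user VLAN separate from the management VLAN.

```cisco
! Added example (not from the original post): consolidated 2960 hardening.
! Assumptions (placeholders): management VLAN 10 with SVI 192.0.2.10/24,
! user VLAN 20, admin workstation 192.0.2.50, syslog server 192.0.2.20,
! end-user ports Gi1/0/1-22, uplink to the other switch Gi1/0/24.
!
! --- Point 6: "secret" stores an MD5 hash (type 5) instead of reversible type 7
enable secret CHANGE-ME-enable
username admin privilege 15 secret CHANGE-ME-admin
service password-encryption
!
! --- Point 3: no Telnet/SSH at all; HTTPS only, and only from one workstation
no ip http server
ip http secure-server
ip http authentication local
access-list 1 remark ------- ACL for HTTPS access ------------------------
access-list 1 permit 192.0.2.50
access-list 1 deny any log
access-list 1 remark ------- END of ACL for HTTPS access -----------------
ip http access-class 1
line vty 0 15
 transport input none
 exit
!
! --- Point 4 and the closing recommendations: switch off what is not needed
no service pad
no ip finger
no ip source-route
ip arp proxy disable
no ip icmp redirect
! (run "service ?" on your image and disable anything else you don't use)
!
! --- Logging: failed logins, lockout after repeated failures, every config change
login on-failure log every 3
login block-for 120 attempts 3 within 60
logging host 192.0.2.20
logging trap informational
archive
 log config
  logging enable
  hidekeys
  notify syslog
!
! --- Point 2 (LAN Base images only, as the answer notes): DHCP snooping and DAI
ip dhcp snooping
ip dhcp snooping vlan 20
no ip dhcp snooping information option
ip arp inspection vlan 20
!
! --- Let ports that were error-disabled by a violation recover after 5 minutes
errdisable recovery cause psecure-violation
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! --- Points 1 and 2 plus the per-port recommendations on every end-user port
interface range GigabitEthernet1/0/1 - 22
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action trap
 switchport block unicast
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
 no cdp enable
 no lldp transmit
 no lldp receive
!
! --- Uplink to the other switch: trusted for snooping/DAI, no root guard or BPDU guard
interface GigabitEthernet1/0/24
 description uplink-to-other-switch
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
interface Vlan10
 ip address 192.0.2.10 255.255.255.0
 no shutdown
```

With "violation restrict" a second MAC on a port is dropped and counted rather than shutting the port, which is easier to live with on a first rollout; "show port-security interface", "show ip dhcp snooping binding" and "show archive log config all" are the commands to check that each piece is actually taking effect.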
