Cisco 2960 + Hardening

RS19
Level 4

We have deployed a Cisco 2960 switch in our environment, and as a general practice we scan network devices to check for any unwanted open ports.

When we did this for the Cisco 2960 switch, the switch was not listening on any TCP ports.

We would like to know what security or hardening is applied on Cisco 2960 switches by default.


If there is any reference document, please share it.

6 Replies

Leo Laohoo
Hall of Fame

Thanks. But it did not mention what default hardening is enabled on Cisco switches.

Why is it not listening on any TCP ports?

Switches come with a default configuration; based on the location where the switch is installed, more security is required to protect the device from attacks.

You can view which ports are open by issuing the commands:

show control-plane host open-ports
show ip sockets
 

BB


Thanks.

I checked the command below, but it is not accepted:

show control-plane host open-ports


The command below worked:

show ip sockets


But it shows only UDP ports, as per the link below.

https://packetlife.net/blog/2008/dec/3/listing-open-sockets-ios/
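As an added example (not from this thread, the packetlife post, or Cisco), a small Python audit that parses `show ip sockets` output and flags bound ports that are not on an allowlist of expected management services. The sample output and the allowlist are constructed, and the column layout is assumed to match the shape shown in the packetlife post linked above.

```python
import re

# Constructed sample output (not a real capture); layout follows the
# header/row shape shown in the packetlife post linked above.
SAMPLE_OUTPUT = """\
Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
 17 --listen--               192.168.10.2   161   0   0   1   0
 17 --listen--               192.168.10.2   162   0   0   1   0
 17 0.0.0.0                0 192.168.10.2    67   0   0   2211   0
 17 --listen--               192.168.10.2  2228   0   0   1   0
 17(v6) --listen--           UNKNOWN        161   0   0 20001   0
"""

PROTO_NAMES = {"6": "tcp", "17": "udp"}  # IP protocol numbers

def parse_ip_sockets(text):
    """Parse 'show ip sockets' rows into dicts; header/blank lines skipped."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        m = re.match(r"^(\d+)(\(v6\))?$", fields[0]) if fields else None
        if not m:
            continue  # not a socket row
        if fields[1] == "--listen--":      # pure listener: no remote columns
            remote, rport, local, lport = None, None, fields[2], fields[3]
        else:                              # bound socket with a remote peer
            remote, rport, local, lport = fields[1:5]
        sockets.append({"proto": PROTO_NAMES.get(m.group(1), m.group(1)),
                        "ipv6": m.group(2) is not None,
                        "remote": remote, "rport": rport,
                        "local": local, "lport": int(lport)})
    return sockets

# Hypothetical site policy: the only service this switch should expose.
ALLOWED = {("udp", 161)}  # SNMP agent

def unexpected_listeners(text, allowed=ALLOWED):
    """Return (proto, port, local_addr) for sockets outside the allowlist."""
    return [(s["proto"], s["lport"], s["local"])
            for s in parse_ip_sockets(text)
            if (s["proto"], s["lport"]) not in allowed]

if __name__ == "__main__":
    for proto, port, local in unexpected_listeners(SAMPLE_OUTPUT):
        print(f"review: {proto}/{port} bound on {local}")
```

Feed it the real output of `show ip sockets` from your own switch and adjust ALLOWED to the services your management plan actually needs.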


Joseph W. Doherty
Hall of Fame
I don't recall running across a document that lists default security settings.

I have noticed, over the years, newer platforms/IOSs have more of the "recommended" security settings (like those noted in Leo's suggested document) configured by default. I've also noticed such later systems take advantage of "features" perhaps not described as recommendations in those security documents, like placing the management port into its own VRF.

On lower-end switches, I recall (many years ago, Cisco Configuration Assistant or Cisco Network Assistant [last ver. 6.3.4, 12/18]) that some of these configuration utilities sometimes had a "security check" that would list which security settings are configured, or not, and offer to change non-configured features to "on".

johnlloyd_13
Level 9

Hi,

There's no 'default' device hardening per se.

You need to discuss this with your IT management and define which ports and protocols need to be secured/hardened and what the impact would be.

I used the CIS doc as a start, but there are other vendor-neutral docs out there:

https://www.cisecurity.org/wp-content/uploads/2017/04/CIS_Cisco_IOS_Benchmark_v2.2.pdf