06-16-2017 04:12 PM - edited 03-08-2019 11:00 AM
Current configuration : 29196 bytes
!
! Last configuration change at 20:52:17 UTC Fri Jun 16 2017
! NVRAM config last updated at 20:52:32 UTC Fri Jun 16 2017
!
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CiscoSwitch
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$xxxxxxxxxxyyyyyxxxxxxx
!
no aaa new-model
system mtu routing 1500
!
!
no ip domain-lookup
!
!
crypto pki certificate pool
certificate ca 18DAD19E267DE8BB4A2158CDCC6B3B4A
9268551A 89D25F2E 5A3FE843 0BE1EDF9 BC66738C 0DE71FAF 074DA16A 4F0787C8
****like 80 more lines of crypto hash******
C8512B51 C4EB117C 9A335344 7DCACC8F 11900715 9DD98AF8 3605A0F8 B4E2123B
CFD3D850 E31BB3CD 52FD2D80 F00E2B0D ADF7807E D5EBEB49 486A2435 3459FF5C
F6F91A2A 83EF5F8C
quit
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
no cdp run
!
ip tcp synwait-time 10
!
!
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
shutdown
!
interface GigabitEthernet0/4
shutdown
!
interface GigabitEthernet0/5
shutdown
!
interface GigabitEthernet0/6
shutdown
!
interface GigabitEthernet0/7
shutdown
!
interface GigabitEthernet0/8
shutdown
!
interface GigabitEthernet0/9
shutdown
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
shutdown
!
interface GigabitEthernet0/12
shutdown
!
interface Vlan1
ip address dhcp
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
no vstack
!
line con 0
line vty 0 4
login
transport input none
line vty 5 15
login
transport input none
!
ntp server pool.ntp.org
!
!
pnp profile pnp_cco_profile
transport https host devicehelper.cisco.com port 443
end
CiscoSwitch#
There is also one last question. This config file had an enormous amount of certificate hashes. It looked like multiple hashes.
Why are there so many and do I need them?
Thank you so much,
Dan
06-16-2017 05:48 PM
A quick glance at the config shows me the following:
Not good, I must say.
06-16-2017 05:48 PM
Thanks for the reply.
I thought Telnet was disabled when "transport input none" is invoked. Is there another method?
Also isn't VLAN1 the default vlan that couples the few ports that I do have active?
I did not establish a password with "enable password". I only used "enable secret password". Doesn't that encrypt the password? This is what I read on the Cisco site:
<enable secret password> Specifies a secret password, saved using a non-reversible encryption method. (If enable password and enable secret are both set, users must enter the enable secret password.)
Thanks
06-16-2017 06:02 PM
I thought Telnet was disabled when "transport input none" is invoked. Is there another method?
Me bad. I had a quick look and failed to read the next line down.
So the only way "in" is console? Which is OPEN?
Also isn't VLAN1 the default vlan that couples the few ports that I do have active?
Don't use VLAN 1 to drive traffic. Don't. Ever.
I did not establish a password with "enable password". I only used "enable secret password". Doesn't that encrypt the password?
Double up. I know the secret password is already encrypted but turn this on. Start with this "habit" of enabling this feature. This way, you won't forget when you cross over to routers.
06-16-2017 06:43 PM
So the only way "in" is console? Which is OPEN?
When you say "console which is open" are we talking about the physical console port on the switch? If that is what you mean, then yes, I want the only method to contact this switch to be via a blue console cable. This switch is going to be set once and never touched again. In fact I don't own it, the ISP does, so if we ever switch ISPs they will take it along with their other demarcation equipment. In the unlikely event the switch should lock up, the routers will realize it within 30 seconds and switch over to another backup ISP that is not connected to the Cisco switch.
Don't use VLAN 1 to drive traffic. Don't. Ever.
Okay, so if I attach the three active ports to say VLAN 10, do I just leave VLAN 1 dormant in the switch or should I actively do something to VLAN 1?
Thank you
06-16-2017 09:54 PM
Shut down VLAN 1.
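Added example, not part of the thread and not written by any participant: a small Python audit that checks a saved running-config for the points raised in the replies above (password encryption, console login, vty transport, VLAN 1). The sample config is constructed with IOS indentation restored, and the script assumes every active port is an access port that defaults to VLAN 1.

```python
# SAMPLE is constructed: modelled on the posted config, with IOS indentation restored.
SAMPLE = """\
no service password-encryption
interface GigabitEthernet0/1
interface GigabitEthernet0/3
 shutdown
interface Vlan1
 ip address dhcp
line con 0
line vty 0 4
 login
 transport input none
"""

def parse_sections(text):
    """Map each top-level command to the indented sub-commands beneath it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            sections[current].append(line)
        else:
            current = line
            sections.setdefault(current, [])
    return sections

def audit(text):
    """Return one finding string per issue; an empty list means none found."""
    findings = []
    sections = parse_sections(text)
    if "service password-encryption" not in sections:
        findings.append("service password-encryption is off")
    for name, body in sections.items():
        if name.startswith("line con") and not any(c.startswith("login") for c in body):
            findings.append(f"{name}: no login configured")
        elif name.startswith("line vty") and not {"transport input none", "transport input ssh"} & set(body):
            findings.append(f"{name}: transport input not limited to none/ssh")
        elif name.lower() == "interface vlan1" and "shutdown" not in body:
            findings.append(f"{name}: VLAN 1 interface is not shut down")
        elif name.startswith("interface ") and not name.lower().startswith("interface vlan") and "shutdown" not in body:
            # Assumption: ports are access ports, which default to VLAN 1.
            if not any(c.startswith("switchport access vlan ") and c.split()[-1] != "1" for c in body):
                findings.append(f"{name}: active port left in VLAN 1")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The parser depends on the leading spaces IOS puts before sub-commands, so run it against a config saved from the device rather than text copied from a web page that has stripped the indentation.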